From d7ceaf0e4d8001cd35cdc12e42cdd281e9e564e8 Mon Sep 17 00:00:00 2001 
From: Cory Benfield Date: Wed, 9 Oct 2024 18:11:48 +0100 Subject: [PATCH] Update BoringSSL to d0a175601b9e180ce58cb1e33649057f5c484146 (#483) This patch has 3 parts: a commit to update the vendoring script, a commit that contains the results of running the script, and then a fixup for the API breaks we got. --- Package.swift | 2 +- Sources/CNIOBoringSSL/crypto/asn1/a_gentm.c | 2 +- Sources/CNIOBoringSSL/crypto/asn1/a_strex.c | 19 +- Sources/CNIOBoringSSL/crypto/asn1/a_time.c | 2 +- Sources/CNIOBoringSSL/crypto/asn1/a_type.c | 20 +- Sources/CNIOBoringSSL/crypto/asn1/a_utctm.c | 2 +- Sources/CNIOBoringSSL/crypto/asn1/asn1_lib.c | 14 +- Sources/CNIOBoringSSL/crypto/asn1/internal.h | 12 +- .../CNIOBoringSSL/crypto/asn1/posix_time.c | 91 +- Sources/CNIOBoringSSL/crypto/base64/base64.c | 4 + .../rand/fork_detect.h => bcm_support.h} | 66 +- Sources/CNIOBoringSSL/crypto/bio/bio.c | 48 +- Sources/CNIOBoringSSL/crypto/bio/file.c | 35 +- Sources/CNIOBoringSSL/crypto/bytestring/ber.c | 15 +- Sources/CNIOBoringSSL/crypto/bytestring/cbs.c | 21 +- .../CNIOBoringSSL/crypto/bytestring/unicode.c | 5 +- .../crypto/chacha/chacha-armv4-ios.ios.arm.S | 1497 ----- Sources/CNIOBoringSSL/crypto/chacha/chacha.c | 35 +- .../CNIOBoringSSL/crypto/chacha/internal.h | 66 +- .../crypto/cipher_extra/e_aesgcmsiv.c | 72 +- .../CNIOBoringSSL/crypto/cipher_extra/e_des.c | 157 +- .../crypto/cipher_extra/e_null.c | 10 +- .../CNIOBoringSSL/crypto/cipher_extra/e_rc2.c | 48 +- .../CNIOBoringSSL/crypto/cipher_extra/e_rc4.c | 13 +- .../CNIOBoringSSL/crypto/cipher_extra/e_tls.c | 1 + .../crypto/cipher_extra/internal.h | 43 + .../crypto/cipher_extra/tls_cbc.c | 4 +- Sources/CNIOBoringSSL/crypto/conf/conf.c | 281 +- Sources/CNIOBoringSSL/crypto/conf/conf_def.h | 122 - Sources/CNIOBoringSSL/crypto/conf/internal.h | 6 +- .../CNIOBoringSSL/crypto/cpu_aarch64_apple.c | 2 +- .../crypto/cpu_aarch64_fuchsia.c | 2 +- .../CNIOBoringSSL/crypto/cpu_aarch64_linux.c | 2 +- .../crypto/cpu_aarch64_openbsd.c | 8 +- 
.../CNIOBoringSSL/crypto/cpu_aarch64_sysreg.c | 3 +- .../CNIOBoringSSL/crypto/cpu_aarch64_win.c | 2 +- Sources/CNIOBoringSSL/crypto/cpu_arm_linux.c | 5 +- Sources/CNIOBoringSSL/crypto/cpu_intel.c | 106 +- Sources/CNIOBoringSSL/crypto/crypto.c | 73 +- .../crypto/curve25519/curve25519.c | 18 +- .../crypto/curve25519/internal.h | 2 +- Sources/CNIOBoringSSL/crypto/des/des.c | 213 +- Sources/CNIOBoringSSL/crypto/des/internal.h | 119 +- .../crypto/digest_extra/digest_extra.c | 90 + .../crypto/dilithium/dilithium.c | 1539 +++++ .../CNIOBoringSSL/crypto/dilithium/internal.h | 58 + Sources/CNIOBoringSSL/crypto/dsa/dsa.c | 56 +- Sources/CNIOBoringSSL/crypto/dsa/dsa_asn1.c | 7 +- .../CNIOBoringSSL/crypto/ec_extra/ec_asn1.c | 35 + .../crypto/ecdsa_extra/ecdsa_asn1.c | 174 +- Sources/CNIOBoringSSL/crypto/err/err.c | 141 +- Sources/CNIOBoringSSL/crypto/evp/evp.c | 161 +- Sources/CNIOBoringSSL/crypto/evp/evp_asn1.c | 26 +- Sources/CNIOBoringSSL/crypto/evp/internal.h | 7 + Sources/CNIOBoringSSL/crypto/evp/p_dh.c | 137 + Sources/CNIOBoringSSL/crypto/evp/p_dh_asn1.c | 120 + Sources/CNIOBoringSSL/crypto/evp/p_dsa_asn1.c | 30 + Sources/CNIOBoringSSL/crypto/evp/p_ec.c | 7 +- Sources/CNIOBoringSSL/crypto/evp/p_ec_asn1.c | 30 + Sources/CNIOBoringSSL/crypto/evp/p_ed25519.c | 5 +- Sources/CNIOBoringSSL/crypto/evp/p_rsa_asn1.c | 30 + Sources/CNIOBoringSSL/crypto/evp/p_x25519.c | 5 +- Sources/CNIOBoringSSL/crypto/ex_data.c | 13 +- .../fipsmodule/aes/{aes.c => aes.c.inc} | 21 + .../aes/{aes_nohw.c => aes_nohw.c.inc} | 0 .../crypto/fipsmodule/aes/internal.h | 40 +- .../aes/{key_wrap.c => key_wrap.c.inc} | 0 .../{mode_wrappers.c => mode_wrappers.c.inc} | 0 .../fipsmodule/aesv8-armv7-ios.ios.arm.S | 808 --- .../fipsmodule/armv4-mont-ios.ios.arm.S | 981 --- Sources/CNIOBoringSSL/crypto/fipsmodule/bcm.c | 278 + .../crypto/fipsmodule/bcm_interface.h | 244 + .../crypto/fipsmodule/bn/{add.c => add.c.inc} | 10 +- .../bn/asm/{x86_64-gcc.c => x86_64-gcc.c.inc} | 0 .../crypto/fipsmodule/bn/{bn.c => 
bn.c.inc} | 0 .../fipsmodule/bn/{bytes.c => bytes.c.inc} | 39 +- .../crypto/fipsmodule/bn/{cmp.c => cmp.c.inc} | 0 .../crypto/fipsmodule/bn/{ctx.c => ctx.c.inc} | 0 .../crypto/fipsmodule/bn/{div.c => div.c.inc} | 331 +- .../bn/{div_extra.c => div_extra.c.inc} | 2 +- ...{exponentiation.c => exponentiation.c.inc} | 52 +- .../crypto/fipsmodule/bn/{gcd.c => gcd.c.inc} | 31 +- .../bn/{gcd_extra.c => gcd_extra.c.inc} | 13 +- .../bn/{generic.c => generic.c.inc} | 51 +- .../crypto/fipsmodule/bn/internal.h | 107 +- .../fipsmodule/bn/{jacobi.c => jacobi.c.inc} | 0 .../bn/{montgomery.c => montgomery.c.inc} | 26 + ...{montgomery_inv.c => montgomery_inv.c.inc} | 55 +- .../crypto/fipsmodule/bn/{mul.c => mul.c.inc} | 12 +- .../fipsmodule/bn/{prime.c => prime.c.inc} | 21 +- .../fipsmodule/bn/{random.c => random.c.inc} | 27 +- .../bn/{rsaz_exp.c => rsaz_exp.c.inc} | 0 .../fipsmodule/bn/{shift.c => shift.c.inc} | 0 .../fipsmodule/bn/{sqrt.c => sqrt.c.inc} | 2 +- .../fipsmodule/bsaes-armv7-ios.ios.arm.S | 1534 ----- .../fipsmodule/cipher/{aead.c => aead.c.inc} | 1 + .../cipher/{cipher.c => cipher.c.inc} | 0 .../cipher/{e_aes.c => e_aes.c.inc} | 48 +- .../cipher/{e_aesccm.c => e_aesccm.c.inc} | 91 +- .../crypto/fipsmodule/cipher/internal.h | 3 - .../fipsmodule/cmac/{cmac.c => cmac.c.inc} | 0 .../fipsmodule/dh/{check.c => check.c.inc} | 0 .../crypto/fipsmodule/dh/{dh.c => dh.c.inc} | 0 .../crypto/fipsmodule/dh/internal.h | 2 - .../digest/{digest.c => digest.c.inc} | 4 + .../digest/{digests.c => digests.c.inc} | 134 +- .../{digestsign.c => digestsign.c.inc} | 0 .../crypto/fipsmodule/ec/{ec.c => ec.c.inc} | 0 .../fipsmodule/ec/{ec_key.c => ec_key.c.inc} | 53 +- .../{ec_montgomery.c => ec_montgomery.c.inc} | 0 .../fipsmodule/ec/{felem.c => felem.c.inc} | 0 .../crypto/fipsmodule/ec/{oct.c => oct.c.inc} | 0 .../ec/{p224-64.c => p224-64.c.inc} | 13 +- .../ec/{p256-nistz.c => p256-nistz.c.inc} | 111 +- .../crypto/fipsmodule/ec/p256-nistz.h | 73 +- .../fipsmodule/ec/{p256.c => p256.c.inc} | 0 
.../fipsmodule/ec/{scalar.c => scalar.c.inc} | 6 +- .../fipsmodule/ec/{simple.c => simple.c.inc} | 0 .../ec/{simple_mul.c => simple_mul.c.inc} | 0 .../fipsmodule/ec/{util.c => util.c.inc} | 0 .../fipsmodule/ec/{wnaf.c => wnaf.c.inc} | 0 .../fipsmodule/ecdh/{ecdh.c => ecdh.c.inc} | 19 +- .../fipsmodule/ecdsa/{ecdsa.c => ecdsa.c.inc} | 172 +- .../crypto/fipsmodule/ecdsa/internal.h | 39 +- .../crypto/fipsmodule/fips_shared_support.c | 9 +- .../fipsmodule/ghash-armv4-ios.ios.arm.S | 257 - .../fipsmodule/ghashv8-armv7-ios.ios.arm.S | 259 - .../fipsmodule/hkdf/{hkdf.c => hkdf.c.inc} | 0 .../fipsmodule/hmac/{hmac.c => hmac.c.inc} | 0 .../fipsmodule/modes/{cbc.c => cbc.c.inc} | 0 .../fipsmodule/modes/{cfb.c => cfb.c.inc} | 0 .../fipsmodule/modes/{ctr.c => ctr.c.inc} | 0 .../fipsmodule/modes/{gcm.c => gcm.c.inc} | 0 .../modes/{gcm_nohw.c => gcm_nohw.c.inc} | 0 .../fipsmodule/modes/{ofb.c => ofb.c.inc} | 0 .../modes/{polyval.c => polyval.c.inc} | 0 .../rand/{ctrdrbg.c => ctrdrbg.c.inc} | 0 .../crypto/fipsmodule/rand/internal.h | 81 +- .../fipsmodule/rand/{rand.c => rand.c.inc} | 77 +- .../rsa/{blinding.c => blinding.c.inc} | 0 .../rsa/{padding.c => padding.c.inc} | 8 +- .../fipsmodule/rsa/{rsa.c => rsa.c.inc} | 33 +- .../rsa/{rsa_impl.c => rsa_impl.c.inc} | 45 +- .../self_check/{fips.c => fips.c.inc} | 10 +- .../{self_check.c => self_check.c.inc} | 100 +- .../fipsmodule/service_indicator/internal.h | 4 +- ...ce_indicator.c => service_indicator.c.inc} | 20 +- .../crypto/fipsmodule/sha/internal.h | 220 +- .../fipsmodule/sha/{sha1.c => sha1.c.inc} | 124 +- .../fipsmodule/sha/{sha256.c => sha256.c.inc} | 135 +- .../fipsmodule/sha/{sha512.c => sha512.c.inc} | 165 +- .../fipsmodule/sha1-armv4-large-ios.ios.arm.S | 1517 ----- .../fipsmodule/sha256-armv4-ios.ios.arm.S | 2845 --------- .../fipsmodule/sha512-armv4-ios.ios.arm.S | 1897 ------ .../fipsmodule/tls/{kdf.c => kdf.c.inc} | 7 + .../fipsmodule/vpaes-armv7-ios.ios.arm.S | 1264 ---- .../fipsmodule/x86-mont-linux.linux.x86.S | 
489 -- Sources/CNIOBoringSSL/crypto/hpke/hpke.c | 297 +- Sources/CNIOBoringSSL/crypto/internal.h | 388 +- Sources/CNIOBoringSSL/crypto/keccak/keccak.c | 54 +- Sources/CNIOBoringSSL/crypto/kyber/internal.h | 18 +- Sources/CNIOBoringSSL/crypto/kyber/kyber.c | 64 +- .../crypto/{fipsmodule => }/md4/md4.c | 11 +- .../crypto/{fipsmodule => }/md5/internal.h | 0 .../crypto/{fipsmodule => }/md5/md5.c | 4 +- Sources/CNIOBoringSSL/crypto/mem.c | 37 +- Sources/CNIOBoringSSL/crypto/mldsa/internal.h | 73 + Sources/CNIOBoringSSL/crypto/mldsa/mldsa.c | 1687 +++++ Sources/CNIOBoringSSL/crypto/mlkem/internal.h | 90 + Sources/CNIOBoringSSL/crypto/mlkem/mlkem.cc | 1097 ++++ Sources/CNIOBoringSSL/crypto/obj/obj_dat.h | 5 +- Sources/CNIOBoringSSL/crypto/pem/pem_info.c | 31 + Sources/CNIOBoringSSL/crypto/pem/pem_lib.c | 38 +- Sources/CNIOBoringSSL/crypto/pem/pem_pk8.c | 84 +- Sources/CNIOBoringSSL/crypto/pem/pem_pkey.c | 25 +- Sources/CNIOBoringSSL/crypto/pkcs8/internal.h | 1 + .../CNIOBoringSSL/crypto/pkcs8/pkcs8_x509.c | 3 +- .../crypto/poly1305/poly1305_vec.c | 23 +- .../crypto/rand_extra/deterministic.c | 10 +- .../rand => rand_extra}/fork_detect.c | 54 +- .../crypto/rand_extra/getentropy.c | 10 +- .../rand => rand_extra}/getrandom_fillin.h | 0 Sources/CNIOBoringSSL/crypto/rand_extra/ios.c | 10 +- .../CNIOBoringSSL/crypto/rand_extra/passive.c | 22 +- .../crypto/rand_extra/rand_extra.c | 49 +- .../crypto/rand_extra/sysrand_internal.h | 37 + .../CNIOBoringSSL/crypto/rand_extra/trusty.c | 10 +- .../{fipsmodule/rand => rand_extra}/urandom.c | 38 +- .../CNIOBoringSSL/crypto/rand_extra/windows.c | 9 +- .../CNIOBoringSSL/crypto/rsa_extra/internal.h | 2 + .../crypto/rsa_extra/rsa_crypt.c | 4 +- .../crypto/rsa_extra/rsa_extra.c | 17 + Sources/CNIOBoringSSL/crypto/sha/sha1.c | 52 + Sources/CNIOBoringSSL/crypto/sha/sha256.c | 87 + Sources/CNIOBoringSSL/crypto/sha/sha512.c | 104 + Sources/CNIOBoringSSL/crypto/slhdsa/address.h | 123 + Sources/CNIOBoringSSL/crypto/slhdsa/fors.c | 169 + 
Sources/CNIOBoringSSL/crypto/slhdsa/fors.h | 58 + .../CNIOBoringSSL/crypto/slhdsa/internal.h | 63 + Sources/CNIOBoringSSL/crypto/slhdsa/merkle.c | 161 + Sources/CNIOBoringSSL/crypto/slhdsa/merkle.h | 70 + Sources/CNIOBoringSSL/crypto/slhdsa/params.h | 83 + Sources/CNIOBoringSSL/crypto/slhdsa/slhdsa.c | 206 + Sources/CNIOBoringSSL/crypto/slhdsa/thash.c | 173 + Sources/CNIOBoringSSL/crypto/slhdsa/thash.h | 85 + Sources/CNIOBoringSSL/crypto/slhdsa/wots.c | 171 + Sources/CNIOBoringSSL/crypto/slhdsa/wots.h | 50 + Sources/CNIOBoringSSL/crypto/spx/spx.c | 140 + .../CNIOBoringSSL/crypto/spx/spx_address.c | 101 + .../CNIOBoringSSL/crypto/spx/spx_address.h | 50 + Sources/CNIOBoringSSL/crypto/spx/spx_fors.c | 133 + Sources/CNIOBoringSSL/crypto/spx/spx_fors.h | 54 + Sources/CNIOBoringSSL/crypto/spx/spx_merkle.c | 150 + Sources/CNIOBoringSSL/crypto/spx/spx_merkle.h | 61 + Sources/CNIOBoringSSL/crypto/spx/spx_params.h | 71 + Sources/CNIOBoringSSL/crypto/spx/spx_thash.c | 136 + Sources/CNIOBoringSSL/crypto/spx/spx_thash.h | 70 + Sources/CNIOBoringSSL/crypto/spx/spx_util.c | 53 + Sources/CNIOBoringSSL/crypto/spx/spx_util.h | 44 + Sources/CNIOBoringSSL/crypto/spx/spx_wots.c | 135 + Sources/CNIOBoringSSL/crypto/spx/spx_wots.h | 45 + Sources/CNIOBoringSSL/crypto/x509/asn1_gen.c | 2 - Sources/CNIOBoringSSL/crypto/x509/by_dir.c | 82 +- Sources/CNIOBoringSSL/crypto/x509/by_file.c | 58 +- .../crypto/{x509v3 => x509}/ext_dat.h | 0 Sources/CNIOBoringSSL/crypto/x509/internal.h | 281 +- Sources/CNIOBoringSSL/crypto/x509/policy.c | 2 - Sources/CNIOBoringSSL/crypto/x509/rsa_pss.c | 6 +- Sources/CNIOBoringSSL/crypto/x509/t_crl.c | 2 +- Sources/CNIOBoringSSL/crypto/x509/t_req.c | 5 +- Sources/CNIOBoringSSL/crypto/x509/t_x509.c | 4 +- .../crypto/{x509v3 => x509}/v3_akey.c | 2 +- .../crypto/{x509v3 => x509}/v3_akeya.c | 4 +- .../crypto/{x509v3 => x509}/v3_alt.c | 11 +- .../crypto/{x509v3 => x509}/v3_bcons.c | 2 +- .../crypto/{x509v3 => x509}/v3_bitst.c | 2 +- .../crypto/{x509v3 => x509}/v3_conf.c 
| 2 - .../crypto/{x509v3 => x509}/v3_cpols.c | 15 +- .../crypto/{x509v3 => x509}/v3_crld.c | 7 +- .../crypto/{x509v3 => x509}/v3_enum.c | 1 + .../crypto/{x509v3 => x509}/v3_extku.c | 2 +- .../crypto/{x509v3 => x509}/v3_genn.c | 24 +- .../crypto/{x509v3 => x509}/v3_ia5.c | 2 +- .../crypto/{x509v3 => x509}/v3_info.c | 12 +- .../crypto/{x509v3 => x509}/v3_int.c | 2 +- .../crypto/{x509v3 => x509}/v3_lib.c | 7 +- .../crypto/{x509v3 => x509}/v3_ncons.c | 4 +- .../crypto/{x509v3 => x509}/v3_ocsp.c | 2 +- .../crypto/{x509v3 => x509}/v3_pcons.c | 2 +- .../crypto/{x509v3 => x509}/v3_pmaps.c | 2 +- .../crypto/{x509v3 => x509}/v3_prn.c | 7 +- .../crypto/{x509v3 => x509}/v3_purp.c | 496 +- .../crypto/{x509v3 => x509}/v3_skey.c | 3 +- .../crypto/{x509v3 => x509}/v3_utl.c | 103 +- Sources/CNIOBoringSSL/crypto/x509/x509_att.c | 67 +- Sources/CNIOBoringSSL/crypto/x509/x509_cmp.c | 103 +- Sources/CNIOBoringSSL/crypto/x509/x509_ext.c | 1 - Sources/CNIOBoringSSL/crypto/x509/x509_lu.c | 402 +- Sources/CNIOBoringSSL/crypto/x509/x509_req.c | 52 +- Sources/CNIOBoringSSL/crypto/x509/x509_trs.c | 256 +- Sources/CNIOBoringSSL/crypto/x509/x509_v3.c | 1 - Sources/CNIOBoringSSL/crypto/x509/x509_vfy.c | 1295 +--- Sources/CNIOBoringSSL/crypto/x509/x509_vpm.c | 319 +- Sources/CNIOBoringSSL/crypto/x509/x509spki.c | 2 +- Sources/CNIOBoringSSL/crypto/x509/x_algor.c | 4 +- Sources/CNIOBoringSSL/crypto/x509/x_crl.c | 164 +- Sources/CNIOBoringSSL/crypto/x509/x_info.c | 100 - Sources/CNIOBoringSSL/crypto/x509/x_name.c | 14 +- Sources/CNIOBoringSSL/crypto/x509/x_pkey.c | 110 - Sources/CNIOBoringSSL/crypto/x509/x_pubkey.c | 96 +- Sources/CNIOBoringSSL/crypto/x509/x_spki.c | 2 + Sources/CNIOBoringSSL/crypto/x509/x_x509.c | 8 +- Sources/CNIOBoringSSL/crypto/x509/x_x509a.c | 12 +- .../CNIOBoringSSL/crypto/x509v3/internal.h | 197 - .../bcm/aesni-gcm-x86_64-apple.S} | 2 - .../bcm/aesni-gcm-x86_64-linux.S} | 2 - .../CNIOBoringSSL/gen/bcm/aesni-x86-apple.S | 2495 ++++++++ .../bcm/aesni-x86-linux.S} | 439 +- 
.../bcm/aesni-x86_64-apple.S} | 561 +- .../bcm/aesni-x86_64-linux.S} | 574 +- .../bcm/aesv8-armv7-linux.S} | 7 - .../bcm/aesv8-armv8-apple.S} | 7 - .../bcm/aesv8-armv8-linux.S} | 7 - .../CNIOBoringSSL/gen/bcm/aesv8-armv8-win.S | 803 +++ .../bcm/aesv8-gcm-armv8-apple.S} | 2 - .../bcm/aesv8-gcm-armv8-linux.S} | 2 - .../gen/bcm/aesv8-gcm-armv8-win.S | 1564 +++++ .../bcm/armv4-mont-linux.S} | 43 +- .../bcm/armv8-mont-apple.S} | 2 - .../bcm/armv8-mont-linux.S} | 2 - .../CNIOBoringSSL/gen/bcm/armv8-mont-win.S | 1436 +++++ Sources/CNIOBoringSSL/gen/bcm/bn-586-apple.S | 536 ++ .../bcm/bn-586-linux.S} | 526 +- .../bcm/bn-armv8-apple.S} | 2 - .../bcm/bn-armv8-linux.S} | 2 - Sources/CNIOBoringSSL/gen/bcm/bn-armv8-win.S | 94 + .../bcm/bsaes-armv7-linux.S} | 2 - Sources/CNIOBoringSSL/gen/bcm/co-586-apple.S | 1261 ++++ .../bcm/co-586-linux.S} | 2 - .../bcm/ghash-armv4-linux.S} | 2 - .../bcm/ghash-neon-armv8-apple.S} | 2 - .../bcm/ghash-neon-armv8-linux.S} | 2 - .../gen/bcm/ghash-neon-armv8-win.S | 346 + .../gen/bcm/ghash-ssse3-x86-apple.S | 293 + .../bcm/ghash-ssse3-x86-linux.S} | 2 - .../bcm/ghash-ssse3-x86_64-apple.S} | 2 - .../bcm/ghash-ssse3-x86_64-linux.S} | 2 - .../CNIOBoringSSL/gen/bcm/ghash-x86-apple.S | 327 + .../bcm/ghash-x86-linux.S} | 2 - .../bcm/ghash-x86_64-apple.S} | 11 +- .../bcm/ghash-x86_64-linux.S} | 12 +- .../bcm/ghashv8-armv7-linux.S} | 2 - .../bcm/ghashv8-armv8-apple.S} | 2 - .../bcm/ghashv8-armv8-linux.S} | 2 - .../CNIOBoringSSL/gen/bcm/ghashv8-armv8-win.S | 578 ++ .../bcm/p256-armv8-asm-apple.S} | 2 - .../bcm/p256-armv8-asm-linux.S} | 2 - .../gen/bcm/p256-armv8-asm-win.S | 1771 ++++++ .../bcm/p256-x86_64-asm-apple.S} | 274 +- .../bcm/p256-x86_64-asm-linux.S} | 351 +- .../bcm/p256_beeu-armv8-asm-apple.S} | 2 - .../bcm/p256_beeu-armv8-asm-linux.S} | 2 - .../gen/bcm/p256_beeu-armv8-asm-win.S | 314 + .../bcm/p256_beeu-x86_64-asm-apple.S} | 2 - .../bcm/p256_beeu-x86_64-asm-linux.S} | 2 - .../bcm/rdrand-x86_64-apple.S} | 2 - .../bcm/rdrand-x86_64-linux.S} | 2 - 
.../bcm/rsaz-avx2-apple.S} | 2 - .../bcm/rsaz-avx2-linux.S} | 2 - .../CNIOBoringSSL/gen/bcm/sha1-586-apple.S | 3787 +++++++++++ .../bcm/sha1-586-linux.S} | 94 +- .../bcm/sha1-armv4-large-linux.S} | 45 +- .../bcm/sha1-armv8-apple.S} | 23 +- .../bcm/sha1-armv8-linux.S} | 31 +- .../CNIOBoringSSL/gen/bcm/sha1-armv8-win.S | 1227 ++++ .../bcm/sha1-x86_64-apple.S} | 53 +- .../bcm/sha1-x86_64-linux.S} | 56 +- .../bcm/sha256-586-apple.S} | 168 +- .../CNIOBoringSSL/gen/bcm/sha256-586-linux.S | 5604 +++++++++++++++++ .../bcm/sha256-armv4-linux.S} | 89 +- .../bcm/sha256-armv8-apple.S} | 27 +- .../bcm/sha256-armv8-linux.S} | 35 +- .../CNIOBoringSSL/gen/bcm/sha256-armv8-win.S | 1202 ++++ .../bcm/sha256-x86_64-apple.S} | 40 +- .../bcm/sha256-x86_64-linux.S} | 45 +- .../CNIOBoringSSL/gen/bcm/sha512-586-apple.S | 2411 +++++++ .../bcm/sha512-586-linux.S} | 541 +- .../bcm/sha512-armv4-linux.S} | 41 +- .../bcm/sha512-armv8-apple.S} | 28 +- .../bcm/sha512-armv8-linux.S} | 36 +- .../CNIOBoringSSL/gen/bcm/sha512-armv8-win.S | 1605 +++++ .../bcm/sha512-x86_64-apple.S} | 24 +- .../bcm/sha512-x86_64-linux.S} | 27 +- .../bcm/vpaes-armv7-linux.S} | 2 - .../bcm/vpaes-armv8-apple.S} | 2 - .../bcm/vpaes-armv8-linux.S} | 2 - .../CNIOBoringSSL/gen/bcm/vpaes-armv8-win.S | 1267 ++++ .../CNIOBoringSSL/gen/bcm/vpaes-x86-apple.S | 685 ++ .../bcm/vpaes-x86-linux.S} | 14 +- .../bcm/vpaes-x86_64-apple.S} | 2 - .../bcm/vpaes-x86_64-linux.S} | 2 - .../CNIOBoringSSL/gen/bcm/x86-mont-apple.S | 226 + .../CNIOBoringSSL/gen/bcm/x86-mont-linux.S | 228 + .../bcm/x86_64-mont-apple.S} | 53 +- .../bcm/x86_64-mont-linux.S} | 52 +- .../bcm/x86_64-mont5-apple.S} | 64 +- .../bcm/x86_64-mont5-linux.S} | 67 +- .../crypto/aes128gcmsiv-x86_64-apple.S} | 16 +- .../crypto/aes128gcmsiv-x86_64-linux.S} | 16 +- .../crypto/chacha-armv4-linux.S} | 55 +- .../crypto/chacha-armv8-apple.S} | 30 +- .../crypto/chacha-armv8-linux.S} | 38 +- .../gen/crypto/chacha-armv8-win.S | 1979 ++++++ .../gen/crypto/chacha-x86-apple.S | 962 +++ 
.../crypto/chacha-x86-linux.S} | 110 +- .../crypto/chacha-x86_64-apple.S} | 50 +- .../crypto/chacha-x86_64-linux.S} | 67 +- .../crypto/chacha20_poly1305_armv8-apple.S} | 2 - .../crypto/chacha20_poly1305_armv8-linux.S} | 2 - .../gen/crypto/chacha20_poly1305_armv8-win.S | 3020 +++++++++ .../crypto/chacha20_poly1305_x86_64-apple.S} | 71 +- .../crypto/chacha20_poly1305_x86_64-linux.S} | 84 +- .../{crypto/err => gen/crypto}/err_data.c | 972 +-- .../CNIOBoringSSL/gen/crypto/md5-586-apple.S | 689 ++ .../crypto/md5-586-linux.S} | 2 - .../crypto/md5-x86_64-apple.S} | 2 - .../crypto/md5-x86_64-linux.S} | 2 - Sources/CNIOBoringSSL/hash.txt | 2 +- Sources/CNIOBoringSSL/include/CNIOBoringSSL.h | 9 +- .../include/CNIOBoringSSL_asn1.h | 35 +- .../include/CNIOBoringSSL_base.h | 17 +- .../include/CNIOBoringSSL_bcm_public.h | 82 + .../CNIOBoringSSL/include/CNIOBoringSSL_bio.h | 157 +- .../CNIOBoringSSL/include/CNIOBoringSSL_bn.h | 29 +- .../CNIOBoringSSL_boringssl_prefix_symbols.h | 955 +-- ...IOBoringSSL_boringssl_prefix_symbols_asm.h | 342 +- .../include/CNIOBoringSSL_bytestring.h | 16 +- .../include/CNIOBoringSSL_conf.h | 5 +- .../include/CNIOBoringSSL_crypto.h | 34 +- .../include/CNIOBoringSSL_curve25519.h | 4 +- .../CNIOBoringSSL/include/CNIOBoringSSL_des.h | 13 - .../CNIOBoringSSL/include/CNIOBoringSSL_dh.h | 22 +- .../CNIOBoringSSL/include/CNIOBoringSSL_dsa.h | 17 +- .../CNIOBoringSSL/include/CNIOBoringSSL_ec.h | 44 +- .../include/CNIOBoringSSL_ec_key.h | 18 +- .../CNIOBoringSSL/include/CNIOBoringSSL_err.h | 13 + .../CNIOBoringSSL/include/CNIOBoringSSL_evp.h | 39 +- .../include/CNIOBoringSSL_evp_errors.h | 1 + .../include/CNIOBoringSSL_ex_data.h | 25 +- .../include/CNIOBoringSSL_hpke.h | 14 +- .../include/CNIOBoringSSL_mldsa.h | 136 + .../include/CNIOBoringSSL_mlkem.h | 246 + .../CNIOBoringSSL/include/CNIOBoringSSL_nid.h | 3 + .../CNIOBoringSSL/include/CNIOBoringSSL_obj.h | 4 +- .../CNIOBoringSSL/include/CNIOBoringSSL_pem.h | 147 +- .../include/CNIOBoringSSL_posix_time.h | 51 
+ .../include/CNIOBoringSSL_rand.h | 29 +- .../CNIOBoringSSL/include/CNIOBoringSSL_rsa.h | 44 +- .../include/CNIOBoringSSL_service_indicator.h | 4 +- .../CNIOBoringSSL/include/CNIOBoringSSL_sha.h | 55 +- .../include/CNIOBoringSSL_slhdsa.h | 79 + .../include/CNIOBoringSSL_span.h | 113 +- .../CNIOBoringSSL/include/CNIOBoringSSL_ssl.h | 643 +- .../include/CNIOBoringSSL_stack.h | 13 +- .../include/CNIOBoringSSL_target.h | 31 +- .../include/CNIOBoringSSL_time.h | 25 +- .../include/CNIOBoringSSL_tls1.h | 4 +- .../include/CNIOBoringSSL_x509.h | 5034 +++++++++++---- .../include/CNIOBoringSSL_x509v3.h | 1063 +--- .../include/CNIOBoringSSL_x509v3_errors.h | 124 + .../include/boringssl_prefix_symbols_nasm.inc | 686 +- .../experimental/CNIOBoringSSL_dilithium.h | 129 + .../{ => experimental}/CNIOBoringSSL_kyber.h | 54 +- .../include/experimental/CNIOBoringSSL_spx.h | 90 + .../CNIOBoringSSL/include/module.modulemap | 4 + Sources/CNIOBoringSSL/ssl/d1_both.cc | 75 +- Sources/CNIOBoringSSL/ssl/d1_lib.cc | 18 +- Sources/CNIOBoringSSL/ssl/d1_pkt.cc | 15 +- Sources/CNIOBoringSSL/ssl/dtls_method.cc | 20 +- Sources/CNIOBoringSSL/ssl/dtls_record.cc | 388 +- .../ssl/encrypted_client_hello.cc | 12 +- Sources/CNIOBoringSSL/ssl/extensions.cc | 195 +- Sources/CNIOBoringSSL/ssl/handoff.cc | 20 +- Sources/CNIOBoringSSL/ssl/handshake.cc | 65 +- Sources/CNIOBoringSSL/ssl/handshake_client.cc | 363 +- Sources/CNIOBoringSSL/ssl/handshake_server.cc | 323 +- Sources/CNIOBoringSSL/ssl/internal.h | 1024 ++- Sources/CNIOBoringSSL/ssl/s3_both.cc | 62 +- Sources/CNIOBoringSSL/ssl/s3_lib.cc | 13 +- Sources/CNIOBoringSSL/ssl/s3_pkt.cc | 22 +- Sources/CNIOBoringSSL/ssl/ssl_aead_ctx.cc | 224 +- Sources/CNIOBoringSSL/ssl/ssl_asn1.cc | 74 +- Sources/CNIOBoringSSL/ssl/ssl_buffer.cc | 11 +- Sources/CNIOBoringSSL/ssl/ssl_cert.cc | 455 +- Sources/CNIOBoringSSL/ssl/ssl_cipher.cc | 57 +- Sources/CNIOBoringSSL/ssl/ssl_credential.cc | 423 ++ Sources/CNIOBoringSSL/ssl/ssl_file.cc | 4 +- 
Sources/CNIOBoringSSL/ssl/ssl_key_share.cc | 120 +- Sources/CNIOBoringSSL/ssl/ssl_lib.cc | 297 +- Sources/CNIOBoringSSL/ssl/ssl_privkey.cc | 209 +- Sources/CNIOBoringSSL/ssl/ssl_session.cc | 92 +- Sources/CNIOBoringSSL/ssl/ssl_transcript.cc | 3 +- Sources/CNIOBoringSSL/ssl/ssl_versions.cc | 27 +- Sources/CNIOBoringSSL/ssl/ssl_x509.cc | 167 +- Sources/CNIOBoringSSL/ssl/t1_enc.cc | 36 +- Sources/CNIOBoringSSL/ssl/tls13_both.cc | 48 +- Sources/CNIOBoringSSL/ssl/tls13_client.cc | 95 +- Sources/CNIOBoringSSL/ssl/tls13_enc.cc | 205 +- Sources/CNIOBoringSSL/ssl/tls13_server.cc | 122 +- Sources/CNIOBoringSSL/ssl/tls_record.cc | 73 +- .../third_party/fiat/asm/fiat_p256_adx_mul.S | 279 +- .../third_party/fiat/asm/fiat_p256_adx_sqr.S | 251 +- .../third_party/fiat/curve25519_64_adx.h | 6 +- .../CNIOBoringSSL/third_party/fiat/p256_64.h | 1 + Sources/NIOSSL/SSLCertificate.swift | 2 +- scripts/vendor-boringssl.sh | 58 +- 476 files changed, 63282 insertions(+), 28660 deletions(-) rename Sources/CNIOBoringSSL/crypto/{fipsmodule/rand/fork_detect.h => bcm_support.h} (53%) delete mode 100644 Sources/CNIOBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S delete mode 100644 Sources/CNIOBoringSSL/crypto/conf/conf_def.h create mode 100644 Sources/CNIOBoringSSL/crypto/dilithium/dilithium.c create mode 100644 Sources/CNIOBoringSSL/crypto/dilithium/internal.h create mode 100644 Sources/CNIOBoringSSL/crypto/evp/p_dh.c create mode 100644 Sources/CNIOBoringSSL/crypto/evp/p_dh_asn1.c rename Sources/CNIOBoringSSL/crypto/fipsmodule/aes/{aes.c => aes.c.inc} (85%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/aes/{aes_nohw.c => aes_nohw.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/aes/{key_wrap.c => key_wrap.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/aes/{mode_wrappers.c => mode_wrappers.c.inc} (100%) delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S delete mode 100644 
Sources/CNIOBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S create mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/bcm.c create mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/bcm_interface.h rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{add.c => add.c.inc} (96%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/asm/{x86_64-gcc.c => x86_64-gcc.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{bn.c => bn.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{bytes.c => bytes.c.inc} (91%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{cmp.c => cmp.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{ctx.c => ctx.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{div.c => div.c.inc} (75%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{div_extra.c => div_extra.c.inc} (99%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{exponentiation.c => exponentiation.c.inc} (94%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{gcd.c => gcd.c.inc} (90%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{gcd_extra.c => gcd_extra.c.inc} (96%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{generic.c => generic.c.inc} (91%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{jacobi.c => jacobi.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{montgomery.c => montgomery.c.inc} (94%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{montgomery_inv.c => montgomery_inv.c.inc} (82%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{mul.c => mul.c.inc} (99%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{prime.c => prime.c.inc} (97%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{random.c => random.c.inc} (93%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{rsaz_exp.c => rsaz_exp.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{shift.c => shift.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/bn/{sqrt.c => sqrt.c.inc} (99%) delete mode 100644 
Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S rename Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/{aead.c => aead.c.inc} (99%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/{cipher.c => cipher.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/{e_aes.c => e_aes.c.inc} (97%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/{e_aesccm.c => e_aesccm.c.inc} (86%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/cmac/{cmac.c => cmac.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/dh/{check.c => check.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/dh/{dh.c => dh.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/digest/{digest.c => digest.c.inc} (96%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/digest/{digests.c => digests.c.inc} (65%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/digestsign/{digestsign.c => digestsign.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{ec.c => ec.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{ec_key.c => ec_key.c.inc} (91%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{ec_montgomery.c => ec_montgomery.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{felem.c => felem.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{oct.c => oct.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{p224-64.c => p224-64.c.inc} (99%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{p256-nistz.c => p256-nistz.c.inc} (85%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{p256.c => p256.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{scalar.c => scalar.c.inc} (95%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{simple.c => simple.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{simple_mul.c => simple_mul.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{util.c => util.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ec/{wnaf.c 
=> wnaf.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/{ecdh.c => ecdh.c.inc} (90%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/{ecdsa.c => ecdsa.c.inc} (71%) delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S rename Sources/CNIOBoringSSL/crypto/fipsmodule/hkdf/{hkdf.c => hkdf.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/hmac/{hmac.c => hmac.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/modes/{cbc.c => cbc.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/modes/{cfb.c => cfb.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/modes/{ctr.c => ctr.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/modes/{gcm.c => gcm.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/modes/{gcm_nohw.c => gcm_nohw.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/modes/{ofb.c => ofb.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/modes/{polyval.c => polyval.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/rand/{ctrdrbg.c => ctrdrbg.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/rand/{rand.c => rand.c.inc} (91%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/{blinding.c => blinding.c.inc} (100%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/{padding.c => padding.c.inc} (98%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/{rsa.c => rsa.c.inc} (97%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/{rsa_impl.c => rsa_impl.c.inc} (97%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/{fips.c => fips.c.inc} (94%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/{self_check.c => self_check.c.inc} (94%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/{service_indicator.c => service_indicator.c.inc} (93%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/sha/{sha1.c => sha1.c.inc} 
(82%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/sha/{sha256.c => sha256.c.inc} (77%) rename Sources/CNIOBoringSSL/crypto/fipsmodule/sha/{sha512.c => sha512.c.inc} (80%) delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S rename Sources/CNIOBoringSSL/crypto/fipsmodule/tls/{kdf.c => kdf.c.inc} (97%) delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S delete mode 100644 Sources/CNIOBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S rename Sources/CNIOBoringSSL/crypto/{fipsmodule => }/md4/md4.c (98%) rename Sources/CNIOBoringSSL/crypto/{fipsmodule => }/md5/internal.h (100%) rename Sources/CNIOBoringSSL/crypto/{fipsmodule => }/md5/md5.c (99%) create mode 100644 Sources/CNIOBoringSSL/crypto/mldsa/internal.h create mode 100644 Sources/CNIOBoringSSL/crypto/mldsa/mldsa.c create mode 100644 Sources/CNIOBoringSSL/crypto/mlkem/internal.h create mode 100644 Sources/CNIOBoringSSL/crypto/mlkem/mlkem.cc rename Sources/CNIOBoringSSL/crypto/{fipsmodule/rand => rand_extra}/fork_detect.c (81%) rename Sources/CNIOBoringSSL/crypto/{fipsmodule/rand => rand_extra}/getrandom_fillin.h (100%) create mode 100644 Sources/CNIOBoringSSL/crypto/rand_extra/sysrand_internal.h rename Sources/CNIOBoringSSL/crypto/{fipsmodule/rand => rand_extra}/urandom.c (91%) create mode 100644 Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_extra.c create mode 100644 Sources/CNIOBoringSSL/crypto/sha/sha1.c create mode 100644 Sources/CNIOBoringSSL/crypto/sha/sha256.c create mode 100644 Sources/CNIOBoringSSL/crypto/sha/sha512.c create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/address.h create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/fors.c create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/fors.h create mode 100644 
Sources/CNIOBoringSSL/crypto/slhdsa/internal.h create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/merkle.c create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/merkle.h create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/params.h create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/slhdsa.c create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/thash.c create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/thash.h create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/wots.c create mode 100644 Sources/CNIOBoringSSL/crypto/slhdsa/wots.h create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx.c create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_address.c create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_address.h create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_fors.c create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_fors.h create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_merkle.c create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_merkle.h create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_params.h create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_thash.c create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_thash.h create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_util.c create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_util.h create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_wots.c create mode 100644 Sources/CNIOBoringSSL/crypto/spx/spx_wots.h rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/ext_dat.h (100%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_akey.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_akeya.c (98%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_alt.c (98%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_bcons.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_bitst.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_conf.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_cpols.c (97%) 
rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_crld.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_enum.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_extku.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_genn.c (94%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_ia5.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_info.c (97%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_int.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_lib.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_ncons.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_ocsp.c (98%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_pcons.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_pmaps.c (99%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_prn.c (97%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_purp.c (57%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_skey.c (98%) rename Sources/CNIOBoringSSL/crypto/{x509v3 => x509}/v3_utl.c (92%) delete mode 100644 Sources/CNIOBoringSSL/crypto/x509/x_info.c delete mode 100644 Sources/CNIOBoringSSL/crypto/x509/x_pkey.c delete mode 100644 Sources/CNIOBoringSSL/crypto/x509v3/internal.h rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S => gen/bcm/aesni-gcm-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S => gen/bcm/aesni-gcm-x86_64-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/aesni-x86-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesni-x86-linux.linux.x86.S => gen/bcm/aesni-x86-linux.S} (93%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S => gen/bcm/aesni-x86_64-apple.S} (91%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S => gen/bcm/aesni-x86_64-linux.S} (91%) rename 
Sources/CNIOBoringSSL/{crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S => gen/bcm/aesv8-armv7-linux.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S => gen/bcm/aesv8-armv8-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S => gen/bcm/aesv8-armv8-linux.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-win.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S => gen/bcm/aesv8-gcm-armv8-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S => gen/bcm/aesv8-gcm-armv8-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-win.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/armv4-mont-linux.linux.arm.S => gen/bcm/armv4-mont-linux.S} (96%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S => gen/bcm/armv8-mont-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S => gen/bcm/armv8-mont-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/armv8-mont-win.S create mode 100644 Sources/CNIOBoringSSL/gen/bcm/bn-586-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/bn-586-linux.linux.x86.S => gen/bcm/bn-586-linux.S} (53%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S => gen/bcm/bn-armv8-apple.S} (95%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S => gen/bcm/bn-armv8-linux.S} (95%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/bn-armv8-win.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S => gen/bcm/bsaes-armv7-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/co-586-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/co-586-linux.linux.x86.S => gen/bcm/co-586-linux.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-armv4-linux.linux.arm.S => 
gen/bcm/ghash-armv4-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S => gen/bcm/ghash-neon-armv8-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S => gen/bcm/ghash-neon-armv8-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-win.S create mode 100644 Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S => gen/bcm/ghash-ssse3-x86-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S => gen/bcm/ghash-ssse3-x86_64-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S => gen/bcm/ghash-ssse3-x86_64-linux.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/ghash-x86-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-x86-linux.linux.x86.S => gen/bcm/ghash-x86-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S => gen/bcm/ghash-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S => gen/bcm/ghash-x86_64-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S => gen/bcm/ghashv8-armv7-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S => gen/bcm/ghashv8-armv8-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S => gen/bcm/ghashv8-armv8-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-win.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S => gen/bcm/p256-armv8-asm-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S => gen/bcm/p256-armv8-asm-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-win.S rename 
Sources/CNIOBoringSSL/{crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S => gen/bcm/p256-x86_64-asm-apple.S} (95%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S => gen/bcm/p256-x86_64-asm-linux.S} (92%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S => gen/bcm/p256_beeu-armv8-asm-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S => gen/bcm/p256_beeu-armv8-asm-linux.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-win.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S => gen/bcm/p256_beeu-x86_64-asm-apple.S} (97%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S => gen/bcm/p256_beeu-x86_64-asm-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S => gen/bcm/rdrand-x86_64-apple.S} (89%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S => gen/bcm/rdrand-x86_64-linux.S} (91%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S => gen/bcm/rsaz-avx2-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S => gen/bcm/rsaz-avx2-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/sha1-586-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha1-586-linux.linux.x86.S => gen/bcm/sha1-586-linux.S} (97%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S => gen/bcm/sha1-armv4-large-linux.S} (97%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S => gen/bcm/sha1-armv8-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S => gen/bcm/sha1-armv8-linux.S} (97%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-win.S rename 
Sources/CNIOBoringSSL/{crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S => gen/bcm/sha1-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S => gen/bcm/sha1-x86_64-linux.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha256-586-linux.linux.x86.S => gen/bcm/sha256-586-apple.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/sha256-586-linux.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha256-armv4-linux.linux.arm.S => gen/bcm/sha256-armv4-linux.S} (97%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S => gen/bcm/sha256-armv8-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S => gen/bcm/sha256-armv8-linux.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-win.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S => gen/bcm/sha256-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S => gen/bcm/sha256-x86_64-linux.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/sha512-586-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha512-586-linux.linux.x86.S => gen/bcm/sha512-586-linux.S} (83%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha512-armv4-linux.linux.arm.S => gen/bcm/sha512-armv4-linux.S} (97%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S => gen/bcm/sha512-armv8-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S => gen/bcm/sha512-armv8-linux.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-win.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S => gen/bcm/sha512-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S => gen/bcm/sha512-x86_64-linux.S} (98%) rename 
Sources/CNIOBoringSSL/{crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S => gen/bcm/vpaes-armv7-linux.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S => gen/bcm/vpaes-armv8-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S => gen/bcm/vpaes-armv8-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-win.S create mode 100644 Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/vpaes-x86-linux.linux.x86.S => gen/bcm/vpaes-x86-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S => gen/bcm/vpaes-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S => gen/bcm/vpaes-x86_64-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/bcm/x86-mont-apple.S create mode 100644 Sources/CNIOBoringSSL/gen/bcm/x86-mont-linux.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S => gen/bcm/x86_64-mont-apple.S} (96%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S => gen/bcm/x86_64-mont-linux.S} (96%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S => gen/bcm/x86_64-mont5-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S => gen/bcm/x86_64-mont5-linux.S} (98%) rename Sources/CNIOBoringSSL/{crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S => gen/crypto/aes128gcmsiv-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S => gen/crypto/aes128gcmsiv-x86_64-linux.S} (99%) rename Sources/CNIOBoringSSL/{crypto/chacha/chacha-armv4-linux.linux.arm.S => gen/crypto/chacha-armv4-linux.S} (96%) rename Sources/CNIOBoringSSL/{crypto/chacha/chacha-armv8-ios.ios.aarch64.S => gen/crypto/chacha-armv8-apple.S} (98%) rename 
Sources/CNIOBoringSSL/{crypto/chacha/chacha-armv8-linux.linux.aarch64.S => gen/crypto/chacha-armv8-linux.S} (98%) create mode 100644 Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-win.S create mode 100644 Sources/CNIOBoringSSL/gen/crypto/chacha-x86-apple.S rename Sources/CNIOBoringSSL/{crypto/chacha/chacha-x86-linux.linux.x86.S => gen/crypto/chacha-x86-linux.S} (94%) rename Sources/CNIOBoringSSL/{crypto/chacha/chacha-x86_64-mac.mac.x86_64.S => gen/crypto/chacha-x86_64-apple.S} (98%) rename Sources/CNIOBoringSSL/{crypto/chacha/chacha-x86_64-linux.linux.x86_64.S => gen/crypto/chacha-x86_64-linux.S} (97%) rename Sources/CNIOBoringSSL/{crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S => gen/crypto/chacha20_poly1305_armv8-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S => gen/crypto/chacha20_poly1305_armv8-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-win.S rename Sources/CNIOBoringSSL/{crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S => gen/crypto/chacha20_poly1305_x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S => gen/crypto/chacha20_poly1305_x86_64-linux.S} (99%) rename Sources/CNIOBoringSSL/{crypto/err => gen/crypto}/err_data.c (78%) create mode 100644 Sources/CNIOBoringSSL/gen/crypto/md5-586-apple.S rename Sources/CNIOBoringSSL/{crypto/fipsmodule/md5-586-linux.linux.x86.S => gen/crypto/md5-586-linux.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S => gen/crypto/md5-x86_64-apple.S} (99%) rename Sources/CNIOBoringSSL/{crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S => gen/crypto/md5-x86_64-linux.S} (99%) create mode 100644 Sources/CNIOBoringSSL/include/CNIOBoringSSL_bcm_public.h create mode 100644 Sources/CNIOBoringSSL/include/CNIOBoringSSL_mldsa.h create mode 100644 Sources/CNIOBoringSSL/include/CNIOBoringSSL_mlkem.h create mode 
100644 Sources/CNIOBoringSSL/include/CNIOBoringSSL_posix_time.h create mode 100644 Sources/CNIOBoringSSL/include/CNIOBoringSSL_slhdsa.h create mode 100644 Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3_errors.h create mode 100644 Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_dilithium.h rename Sources/CNIOBoringSSL/include/{ => experimental}/CNIOBoringSSL_kyber.h (67%) create mode 100644 Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_spx.h create mode 100644 Sources/CNIOBoringSSL/include/module.modulemap create mode 100644 Sources/CNIOBoringSSL/ssl/ssl_credential.cc diff --git a/Package.swift b/Package.swift index 69ff9c018..c061ebe5d 100644 --- a/Package.swift +++ b/Package.swift @@ -26,7 +26,7 @@ import class Foundation.ProcessInfo // Sources/CNIOBoringSSL directory. The source repository is at // https://boringssl.googlesource.com/boringssl. // -// BoringSSL Commit: 3309ca66385ecb0c37f1ac1be9f88712e25aa8ec +// BoringSSL Commit: d0a175601b9e180ce58cb1e33649057f5c484146 /// This function generates the dependencies we want to express. /// diff --git a/Sources/CNIOBoringSSL/crypto/asn1/a_gentm.c b/Sources/CNIOBoringSSL/crypto/asn1/a_gentm.c index 32e870eed..851ae8121 100644 --- a/Sources/CNIOBoringSSL/crypto/asn1/a_gentm.c +++ b/Sources/CNIOBoringSSL/crypto/asn1/a_gentm.c @@ -58,7 +58,7 @@ #include #include #include -#include +#include #include #include diff --git a/Sources/CNIOBoringSSL/crypto/asn1/a_strex.c b/Sources/CNIOBoringSSL/crypto/asn1/a_strex.c index 7c59d3a54..1ca560bf9 100644 --- a/Sources/CNIOBoringSSL/crypto/asn1/a_strex.c +++ b/Sources/CNIOBoringSSL/crypto/asn1/a_strex.c @@ -68,6 +68,7 @@ #include #include "../bytestring/internal.h" +#include "../internal.h" #include "internal.h" 
@@ -238,22 +239,8 @@ static int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) { // Placing the ASN1_STRING in a temporary ASN1_TYPE allows the DER encoding // to readily obtained. ASN1_TYPE t; - t.type = str->type; - // Negative INTEGER and ENUMERATED values are the only case where - // |ASN1_STRING| and |ASN1_TYPE| types do not match. - // - // TODO(davidben): There are also some type fields which, in |ASN1_TYPE|, do - // not correspond to |ASN1_STRING|. It is unclear whether those are allowed - // in |ASN1_STRING| at all, or what the space of allowed types is. - // |ASN1_item_ex_d2i| will never produce such a value so, for now, we say - // this is an invalid input. But this corner of the library in general - // should be more robust. - if (t.type == V_ASN1_NEG_INTEGER) { - t.type = V_ASN1_INTEGER; - } else if (t.type == V_ASN1_NEG_ENUMERATED) { - t.type = V_ASN1_ENUMERATED; - } - t.value.asn1_string = (ASN1_STRING *)str; + OPENSSL_memset(&t, 0, sizeof(ASN1_TYPE)); + asn1_type_set0_string(&t, (ASN1_STRING *)str); unsigned char *der_buf = NULL; int der_len = i2d_ASN1_TYPE(&t, &der_buf); if (der_len < 0) { diff --git a/Sources/CNIOBoringSSL/crypto/asn1/a_time.c b/Sources/CNIOBoringSSL/crypto/asn1/a_time.c index e5b17dce9..b7a18e036 100644 --- a/Sources/CNIOBoringSSL/crypto/asn1/a_time.c +++ b/Sources/CNIOBoringSSL/crypto/asn1/a_time.c @@ -55,7 +55,7 @@ * [including the GNU Public Licence.] */ #include -#include +#include #include #include diff --git a/Sources/CNIOBoringSSL/crypto/asn1/a_type.c b/Sources/CNIOBoringSSL/crypto/asn1/a_type.c index 0fdc2a920..1c7cf1312 100644 --- a/Sources/CNIOBoringSSL/crypto/asn1/a_type.c +++ b/Sources/CNIOBoringSSL/crypto/asn1/a_type.c @@ -56,7 +56,8 @@ #include -#include +#include + #include #include #include 
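Review bot: The new do_dump body hands a borrowed, const-cast `str` to asn1_type_set0_string, whose header comment says it takes ownership, so the only thing keeping this from being a double free is that `t` is a stack temporary that is never passed to asn1_type_cleanup or ASN1_TYPE_free, and that invariant is stated nowhere in the hunk. I would add, above the OPENSSL_memset line, `// |t| only borrows |str| despite the set0 name; it must never be cleaned up or freed.` so a later "fix" that adds cleanup does not free the caller's string. The same comment should say that the type-range assert inside asn1_type_set0_string is compiled out in release builds, so do_dump still relies on callers never passing a NULL-, OBJECT- or BOOLEAN-typed ASN1_STRING, which is the invariant the removed TODO described. do_dump continues outside the hunk.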
@@ -89,6 +90,23 @@ const void *asn1_type_value_as_pointer(const ASN1_TYPE *a) { } } +void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str) { + // |ASN1_STRING| types are almost the same as |ASN1_TYPE| types, except that + // the negative flag is not reflected into |ASN1_TYPE|. + int type = str->type; + if (type == V_ASN1_NEG_INTEGER) { + type = V_ASN1_INTEGER; + } else if (type == V_ASN1_NEG_ENUMERATED) { + type = V_ASN1_ENUMERATED; + } + + // These types are not |ASN1_STRING| types and use a different + // representation when stored in |ASN1_TYPE|. + assert(type != V_ASN1_NULL && type != V_ASN1_OBJECT && + type != V_ASN1_BOOLEAN); + ASN1_TYPE_set(a, type, str); +} + void asn1_type_cleanup(ASN1_TYPE *a) { switch (a->type) { case V_ASN1_NULL: diff --git a/Sources/CNIOBoringSSL/crypto/asn1/a_utctm.c b/Sources/CNIOBoringSSL/crypto/asn1/a_utctm.c index f60a5c2bf..cfe49dfb0 100644 --- a/Sources/CNIOBoringSSL/crypto/asn1/a_utctm.c +++ b/Sources/CNIOBoringSSL/crypto/asn1/a_utctm.c @@ -58,7 +58,7 @@ #include #include #include -#include +#include #include #include diff --git a/Sources/CNIOBoringSSL/crypto/asn1/asn1_lib.c b/Sources/CNIOBoringSSL/crypto/asn1/asn1_lib.c index a92ac4314..b15745712 100644 --- a/Sources/CNIOBoringSSL/crypto/asn1/asn1_lib.c +++ b/Sources/CNIOBoringSSL/crypto/asn1/asn1_lib.c 
@@ -102,6 +102,15 @@ OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT)
 OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG)
 OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE)
 
+// Limit |ASN1_STRING|s to 64 MiB of data. Most of this module, as well as
+// downstream code, does not correctly handle overflow. We cap string fields
+// more tightly than strictly necessary to fit in |int|. This is not expected to
+// impact real world uses of this field.
+//
+// In particular, this limit is small enough that the bit count of a BIT STRING
+// comfortably fits in an |int|, with room for arithmetic.
+#define ASN1_STRING_MAX (64 * 1024 * 1024)
+
 static void asn1_put_length(unsigned char **pp, int length);
 
 int ASN1_get_object(const unsigned char **inp, long *out_len, int *out_tag,
@@ -273,9 +282,8 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, ossl_ssize_t len_s) {
     len = (size_t)len_s;
   }
 
-  // |ASN1_STRING| cannot represent strings that exceed |int|, and we must
-  // reserve space for a trailing NUL below.
-  if (len > INT_MAX || len + 1 < len) {
+  static_assert(ASN1_STRING_MAX < INT_MAX, "len will not overflow int");
+  if (len > ASN1_STRING_MAX) {
     OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);
     return 0;
   }
diff --git a/Sources/CNIOBoringSSL/crypto/asn1/internal.h b/Sources/CNIOBoringSSL/crypto/asn1/internal.h
index 9eb613a8f..d0a342340 100644
--- a/Sources/CNIOBoringSSL/crypto/asn1/internal.h
+++ b/Sources/CNIOBoringSSL/crypto/asn1/internal.h
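Review bot: The new ASN1_STRING_MAX comparison in ASN1_STRING_set turns inputs between 64 MiB and INT_MAX, which the previous check accepted, into a hard failure reported as ERR_R_OVERFLOW, a misleading reason for a deliberate size cap that will surface to NIOSSL users as an opaque "overflow" when they feed an oversized but well-formed DER element. If the ASN1 error table vendored with this update carries a length-specific reason, reporting it instead of `OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);` would make the failure diagnosable; if not, the cap deserves a sentence in this package's release notes as a user-visible behaviour change introduced by the vendoring bump. Dropping the old `len + 1 < len` guard is sound only because of the adjacent static_assert that ASN1_STRING_MAX < INT_MAX, so that assert should stay next to the comparison as it is here rather than migrate to the define. ASN1_STRING_set starts and ends outside the hunk.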
@@ -76,18 +76,12 @@ extern "C" { // returned. On failure NULL is returned. OPENSSL_EXPORT struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result); -// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to -// a time_t value in |out|. One is returned on success, zero is returned on -// failure. It is a failure if the converted time can not be represented in a -// time_t, or if the tm contains out of range values. -OPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out); - // OPENSSL_gmtime_adj returns one on success, and updates |tm| by adding // |offset_day| days and |offset_sec| seconds. It returns zero on failure. |tm| // must be in the range of year 0000 to 9999 both before and after the update or // a failure will be returned. OPENSSL_EXPORT int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, - long offset_sec); + int64_t offset_sec); // OPENSSL_gmtime_diff calculates the difference between |from| and |to|. It // returns one, and outputs the difference as a number of days and seconds in @@ -210,6 +204,10 @@ void asn1_encoding_clear(ASN1_ENCODING *enc); // a pointer. const void *asn1_type_value_as_pointer(const ASN1_TYPE *a); +// asn1_type_set0_string sets |a|'s value to the object represented by |str| and +// takes ownership of |str|. +void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str); + // asn1_type_cleanup releases memory associated with |a|'s value, without // freeing |a| itself. void asn1_type_cleanup(ASN1_TYPE *a); diff --git a/Sources/CNIOBoringSSL/crypto/asn1/posix_time.c b/Sources/CNIOBoringSSL/crypto/asn1/posix_time.c index a553af0db..d747fae89 100644 --- a/Sources/CNIOBoringSSL/crypto/asn1/posix_time.c +++ b/Sources/CNIOBoringSSL/crypto/asn1/posix_time.c @@ -15,7 +15,7 @@ // Time conversion to/from POSIX time_t and struct tm, with no support // for time zones other than UTC -#include +#include #include #include 
@@ -26,12 +26,12 @@ #include "internal.h" #define SECS_PER_HOUR (60 * 60) -#define SECS_PER_DAY (24 * SECS_PER_HOUR) +#define SECS_PER_DAY (INT64_C(24) * SECS_PER_HOUR) // Is a year/month/day combination valid, in the range from year 0000 // to 9999? -static int is_valid_date(int year, int month, int day) { +static int is_valid_date(int64_t year, int64_t month, int64_t day) { if (day < 1 || month < 1 || year < 0 || year > 9999) { return 0; } @@ -62,7 +62,7 @@ static int is_valid_date(int year, int month, int day) { // Is a time valid? Leap seconds of 60 are not considered valid, as // the POSIX time in seconds does not include them. -static int is_valid_time(int hours, int minutes, int seconds) { +static int is_valid_time(int64_t hours, int64_t minutes, int64_t seconds) { if (hours < 0 || minutes < 0 || seconds < 0 || hours > 23 || minutes > 59 || seconds > 59) { return 0; 
@@ -70,17 +70,22 @@ static int is_valid_time(int hours, int minutes, int seconds) {
   return 1;
 }
 
-// Is a int64 time representing a time within our expected range?
-static int is_valid_epoch_time(int64_t time) {
-  // 0000-01-01 00:00:00 UTC to 9999-12-31 23:59:59 UTC
-  return (int64_t)-62167219200 <= time && time <= (int64_t)253402300799;
+// 0000-01-01 00:00:00 UTC
+#define MIN_POSIX_TIME INT64_C(-62167219200)
+// 9999-12-31 23:59:59 UTC
+#define MAX_POSIX_TIME INT64_C(253402300799)
+
+// Is an int64 time within our expected range?
+static int is_valid_posix_time(int64_t time) {
+  return MIN_POSIX_TIME <= time && time <= MAX_POSIX_TIME;
 }
 
 // Inspired by algorithms presented in
 // https://howardhinnant.github.io/date_algorithms.html
 // (Public Domain)
-static int posix_time_from_utc(int year, int month, int day, int hours,
-                               int minutes, int seconds, int64_t *out_time) {
+static int posix_time_from_utc(int64_t year, int64_t month, int64_t day,
+                               int64_t hours, int64_t minutes, int64_t seconds,
+                               int64_t *out_time) {
   if (!is_valid_date(year, month, day) ||
       !is_valid_time(hours, minutes, seconds)) {
     return 0;
@@ -108,7 +113,7 @@ static int posix_time_from_utc(int year, int month, int day, int hours,
 static int utc_from_posix_time(int64_t time, int *out_year, int *out_month,
                                int *out_day, int *out_hours, int *out_minutes,
                                int *out_seconds) {
-  if (!is_valid_epoch_time(time)) {
+  if (!is_valid_posix_time(time)) {
     return 0;
   }
   int64_t days = time / SECS_PER_DAY;
@@ -143,19 +148,21 @@ static int utc_from_posix_time(int64_t time, int *out_year, int *out_month,
 }
 
 int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out) {
-  return posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
-                             tm->tm_hour, tm->tm_min, tm->tm_sec, out);
+  return posix_time_from_utc(tm->tm_year + INT64_C(1900),
+                             tm->tm_mon + INT64_C(1), tm->tm_mday, tm->tm_hour,
+                             tm->tm_min, tm->tm_sec, out);
 }
 
 int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm) {
-  memset(out_tm, 0, sizeof(struct tm));
-  if (!utc_from_posix_time(time, &out_tm->tm_year, &out_tm->tm_mon,
-                           &out_tm->tm_mday, &out_tm->tm_hour, &out_tm->tm_min,
-                           &out_tm->tm_sec)) {
+  struct tm tmp_tm = {0};
+  if (!utc_from_posix_time(time, &tmp_tm.tm_year, &tmp_tm.tm_mon,
+                           &tmp_tm.tm_mday, &tmp_tm.tm_hour, &tmp_tm.tm_min,
+                           &tmp_tm.tm_sec)) {
     return 0;
   }
-  out_tm->tm_year -= 1900;
-  out_tm->tm_mon -= 1;
+  tmp_tm.tm_year -= 1900;
+  tmp_tm.tm_mon -= 1;
+  *out_tm = tmp_tm;
   return 1;
 }
 
@@ -187,43 +194,47 @@ struct tm *OPENSSL_gmtime(const time_t *time, struct tm *out_tm) { return out_tm; } -int OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) { +int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, int64_t offset_sec) { int64_t posix_time; - if (!posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec, &posix_time)) { + if (!OPENSSL_tm_to_posix(tm, &posix_time)) { + return 0; + } + static_assert(INT_MAX <= INT64_MAX / SECS_PER_DAY, + "day offset in seconds cannot overflow"); + static_assert(MAX_POSIX_TIME <= INT64_MAX - INT_MAX * SECS_PER_DAY, + "addition cannot overflow"); + static_assert(MIN_POSIX_TIME >= INT64_MIN - INT_MIN * SECS_PER_DAY, + "addition cannot underflow"); + posix_time += offset_day * SECS_PER_DAY; + if (posix_time > 0 && offset_sec > INT64_MAX - posix_time) { return 0; } - if (!utc_from_posix_time( - posix_time + (int64_t)off_day * SECS_PER_DAY + offset_sec, - &tm->tm_year, &tm->tm_mon, &tm->tm_mday, &tm->tm_hour, &tm->tm_min, - &tm->tm_sec)) { + if (posix_time < 0 && offset_sec < INT64_MIN - posix_time) { + return 0; + } + posix_time += offset_sec; + + if (!OPENSSL_posix_to_tm(posix_time, tm)) { return 0; } - tm->tm_year -= 1900; - tm->tm_mon -= 1; return 1; } int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from, const struct tm *to) { - int64_t time_to; - if (!posix_time_from_utc(to->tm_year + 1900, to->tm_mon + 1, to->tm_mday, - to->tm_hour, to->tm_min, to->tm_sec, &time_to)) { - return 0; - } - int64_t time_from; - if (!posix_time_from_utc(from->tm_year + 1900, from->tm_mon + 1, - from->tm_mday, from->tm_hour, from->tm_min, - from->tm_sec, &time_from)) { + int64_t time_to, time_from; + if (!OPENSSL_tm_to_posix(to, &time_to) || + !OPENSSL_tm_to_posix(from, &time_from)) { return 0; } + // Times are in range, so these calculations can not overflow. 
+ static_assert(SECS_PER_DAY <= INT_MAX, "seconds per day does not fit in int"); + static_assert((MAX_POSIX_TIME - MIN_POSIX_TIME) / SECS_PER_DAY <= INT_MAX, + "range of valid POSIX times, in days, does not fit in int"); int64_t timediff = time_to - time_from; int64_t daydiff = timediff / SECS_PER_DAY; timediff %= SECS_PER_DAY; - if (daydiff > INT_MAX || daydiff < INT_MIN) { - return 0; - } *out_secs = (int)timediff; *out_days = (int)daydiff; return 1; diff --git a/Sources/CNIOBoringSSL/crypto/base64/base64.c b/Sources/CNIOBoringSSL/crypto/base64/base64.c index 5c355f83f..00e21894e 100644 --- a/Sources/CNIOBoringSSL/crypto/base64/base64.c +++ b/Sources/CNIOBoringSSL/crypto/base64/base64.c @@ -307,6 +307,10 @@ static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes, (in[2] == '=') << 1 | (in[3] == '='); + // In presence of padding, the lowest bits of v are unused. Canonical encoding + // (RFC 4648, section 3.5) requires that these bits all be set to zero. Common + // PEM parsers accept noncanonical base64, adding to the malleability of the + // format. This decoder follows OpenSSL's and Go's PEM parsers and accepts it. switch (padding_pattern) { case 0: // The common case of no padding. diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/fork_detect.h b/Sources/CNIOBoringSSL/crypto/bcm_support.h similarity index 53% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rand/fork_detect.h rename to Sources/CNIOBoringSSL/crypto/bcm_support.h index 9a6796f71..e9ec9364d 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/fork_detect.h +++ b/Sources/CNIOBoringSSL/crypto/bcm_support.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2020, Google Inc. +/* Copyright (c) 2024, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
@@ -12,11 +12,19 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifndef OPENSSL_HEADER_CRYPTO_FORK_DETECT_H -#define OPENSSL_HEADER_CRYPTO_FORK_DETECT_H +#ifndef OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H +#define OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H #include +#include + +// Provided by libcrypto, called from BCM + +#if defined(__cplusplus) +extern "C" { +#endif + #if defined(OPENSSL_LINUX) // On linux we use MADVISE instead of pthread_atfork(), due // to concerns about clone() being used for address space 
@@ -29,15 +37,54 @@ // iOS doesn't normally allow fork in apps, but it's there. #define OPENSSL_FORK_DETECTION #define OPENSSL_FORK_DETECTION_PTHREAD_ATFORK -#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) +#elif defined(OPENSSL_WINDOWS) || defined(OPENSSL_TRUSTY) || \ + defined(__ZEPHYR__) || defined(CROS_EC) // These platforms do not fork. #define OPENSSL_DOES_NOT_FORK #endif -#if defined(__cplusplus) -extern "C" { +#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) +#define OPENSSL_RAND_DETERMINISTIC +#elif defined(OPENSSL_TRUSTY) +#define OPENSSL_RAND_TRUSTY +#elif defined(OPENSSL_WINDOWS) +#define OPENSSL_RAND_WINDOWS +#elif defined(OPENSSL_LINUX) +#define OPENSSL_RAND_URANDOM +#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS) +// Unlike macOS, iOS and similar hide away getentropy(). +#define OPENSSL_RAND_IOS +#else +// By default if you are integrating BoringSSL we expect you to +// provide getentropy from the header file. +#define OPENSSL_RAND_GETENTROPY #endif +// Provided by libcrypto, called from BCM + +// CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy +// from the operating system, if the operating system requires initialization. +void CRYPTO_init_sysrand(void); + +// CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating +// system. +void CRYPTO_sysrand(uint8_t *buf, size_t len); + +// CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the +// operating system, or early /dev/urandom data, and returns 1, _if_ the entropy +// pool is initialized or if getrandom() is not available and not in FIPS mode. +// Otherwise it will not block and will instead fill |buf| with all zeros and +// return 0. +int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len); + +// CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the +// operating system. It may draw from the |GRND_RANDOM| pool on Android, +// depending on the vendor's configuration. 
+void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len); + +// RAND_need_entropy is called whenever the BCM module has stopped because it +// has run out of entropy. +void RAND_need_entropy(size_t bytes_needed); // crypto_get_fork_generation returns the fork generation number for the current // process, or zero if not supported on the platform. The fork generation number @@ -60,8 +107,13 @@ OPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(void); OPENSSL_EXPORT void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing( int on); +// CRYPTO_get_stderr returns stderr. This function exists to avoid BCM needing +// a data dependency on libc. +FILE *CRYPTO_get_stderr(void); + + #if defined(__cplusplus) } // extern C #endif -#endif // OPENSSL_HEADER_CRYPTO_FORK_DETECT_H +#endif // OPENSSL_HEADER_CRYPTO_BCM_SUPPORT_H diff --git a/Sources/CNIOBoringSSL/crypto/bio/bio.c b/Sources/CNIOBoringSSL/crypto/bio/bio.c index 87d104fa4..ea7d14ce8 100644 --- a/Sources/CNIOBoringSSL/crypto/bio/bio.c +++ b/Sources/CNIOBoringSSL/crypto/bio/bio.c @@ -69,6 +69,9 @@ #include "../internal.h" +static CRYPTO_EX_DATA_CLASS g_ex_data_class = + CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA; + BIO *BIO_new(const BIO_METHOD *method) { BIO *ret = OPENSSL_zalloc(sizeof(BIO)); if (ret == NULL) { @@ -78,6 +81,7 @@ BIO *BIO_new(const BIO_METHOD *method) { ret->method = method; ret->shutdown = 1; ret->references = 1; + CRYPTO_new_ex_data(&ret->ex_data); if (method->create != NULL && !method->create(ret)) { OPENSSL_free(ret); @@ -101,6 +105,7 @@ int BIO_free(BIO *bio) { bio->method->destroy(bio); } + CRYPTO_free_ex_data(&g_ex_data_class, bio, &bio->ex_data); OPENSSL_free(bio); } return 1; 
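Review bot: The contract written for CRYPTO_sysrand_if_available in bcm_support.h is a trap for integrators: on the "not available" path it fills |buf| with zeros and returns 0, so any caller that ignores the return value silently consumes zero-filled "entropy", and the comment presents that as a detail rather than a hard requirement. I would strengthen it with `// Callers MUST check the return value: on 0, |buf| holds zeros, not entropy, and must not be used as seed material.` Since this header is now the contract between libcrypto and BCM for a package that is built on several platforms, the `#else` branch selecting OPENSSL_RAND_GETENTROPY also deserves a note that it is a link-time assumption that getentropy() exists on every target the Swift package supports, which is the right failure mode (loud) but is not obvious from the abbreviated comment that survived vendoring.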
@@ -340,11 +345,11 @@ int BIO_set_close(BIO *bio, int close_flag) {
 return (int)BIO_ctrl(bio, BIO_CTRL_SET_CLOSE, close_flag, NULL);
 }
-OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio) {
+OPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio) {
 return bio->num_read;
 }
-OPENSSL_EXPORT size_t BIO_number_written(const BIO *bio) {
+OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio) {
 return bio->num_write;
 }
@@ -653,38 +658,38 @@ void BIO_meth_free(BIO_METHOD *method) {
 }
 int BIO_meth_set_create(BIO_METHOD *method,
- int (*create)(BIO *)) {
- method->create = create;
+ int (*create_func)(BIO *)) {
+ method->create = create_func;
 return 1;
 }
 int BIO_meth_set_destroy(BIO_METHOD *method,
- int (*destroy)(BIO *)) {
- method->destroy = destroy;
+ int (*destroy_func)(BIO *)) {
+ method->destroy = destroy_func;
 return 1;
 }
 int BIO_meth_set_write(BIO_METHOD *method,
- int (*write)(BIO *, const char *, int)) {
- method->bwrite = write;
+ int (*write_func)(BIO *, const char *, int)) {
+ method->bwrite = write_func;
 return 1;
 }
 int BIO_meth_set_read(BIO_METHOD *method,
- int (*read)(BIO *, char *, int)) {
- method->bread = read;
+ int (*read_func)(BIO *, char *, int)) {
+ method->bread = read_func;
 return 1;
 }
 int BIO_meth_set_gets(BIO_METHOD *method,
- int (*gets)(BIO *, char *, int)) {
- method->bgets = gets;
+ int (*gets_func)(BIO *, char *, int)) {
+ method->bgets = gets_func;
 return 1;
 }
 int BIO_meth_set_ctrl(BIO_METHOD *method,
- long (*ctrl)(BIO *, int, long, void *)) {
- method->ctrl = ctrl;
+ long (*ctrl_func)(BIO *, int, long, void *)) {
+ method->ctrl = ctrl_func;
 return 1;
 }
@@ -704,3 +709,18 @@ int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) {
 // Ignore the parameter. We implement |BIO_puts| using |BIO_write|.
 return 1;
 }
+
+int BIO_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_unused *unused,
+ CRYPTO_EX_dup *dup_unused,
+ CRYPTO_EX_free *free_func) {
+ return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);
+}
+
+int BIO_set_ex_data(BIO *bio, int idx, void *data) {
+ return CRYPTO_set_ex_data(&bio->ex_data, idx, data);
+}
+
+void *BIO_get_ex_data(const BIO *bio, int idx) {
+ return CRYPTO_get_ex_data(&bio->ex_data, idx);
+}
diff --git a/Sources/CNIOBoringSSL/crypto/bio/file.c b/Sources/CNIOBoringSSL/crypto/bio/file.c
index 3f7d94406..5935d837e 100644
--- a/Sources/CNIOBoringSSL/crypto/bio/file.c
+++ b/Sources/CNIOBoringSSL/crypto/bio/file.c
@@ -73,6 +73,7 @@
 #include
+#include
 #include
 #include
 #include
@@ -82,6 +83,10 @@
 #include "../internal.h"
+#if defined(OPENSSL_WINDOWS)
+#include
+#include
+#endif
 #define BIO_FP_READ 0x02
 #define BIO_FP_WRITE 0x04
@@ -122,14 +127,13 @@ BIO *BIO_new_file(const char *filename, const char *mode) {
 return ret;
 }
-BIO *BIO_new_fp(FILE *stream, int close_flag) {
+BIO *BIO_new_fp(FILE *stream, int flags) {
 BIO *ret = BIO_new(BIO_s_file());
-
 if (ret == NULL) {
 return NULL;
 }
- BIO_set_fp(ret, stream, close_flag);
+ BIO_set_fp(ret, stream, flags);
 return ret;
 }
@@ -196,6 +200,17 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
 break;
 case BIO_C_SET_FILE_PTR:
 file_free(b);
+ static_assert((BIO_CLOSE & BIO_FP_TEXT) == 0,
+ "BIO_CLOSE and BIO_FP_TEXT must not collide");
+#if defined(OPENSSL_WINDOWS)
+ // If |BIO_FP_TEXT| is not set, OpenSSL will switch the file to binary
+ // mode. BoringSSL intentionally diverges here because it means code
+ // tested under POSIX will inadvertently change the state of |FILE|
+ // objects when wrapping them in a |BIO|.
+ if (num & BIO_FP_TEXT) {
+ _setmode(_fileno(ptr), _O_TEXT);
+ }
+#endif
 b->shutdown = (int)num & BIO_CLOSE;
 b->ptr = ptr;
 b->init = 1;
@@ -206,16 +221,16 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) {
 const char *mode;
 if (num & BIO_FP_APPEND) {
 if (num & BIO_FP_READ) {
- mode = "a+";
+ mode = "ab+";
 } else {
- mode = "a";
+ mode = "ab";
 }
 } else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE)) {
- mode = "r+";
+ mode = "rb+";
 } else if (num & BIO_FP_WRITE) {
- mode = "w";
+ mode = "wb";
 } else if (num & BIO_FP_READ) {
- mode = "r";
+ mode = "rb";
 } else {
 OPENSSL_PUT_ERROR(BIO, BIO_R_BAD_FOPEN_MODE);
 ret = 0;
@@ -287,8 +302,8 @@ int BIO_get_fp(BIO *bio, FILE **out_file) {
 return (int)BIO_ctrl(bio, BIO_C_GET_FILE_PTR, 0, (char *)out_file);
 }
-int BIO_set_fp(BIO *bio, FILE *file, int close_flag) {
- return (int)BIO_ctrl(bio, BIO_C_SET_FILE_PTR, close_flag, (char *)file);
+int BIO_set_fp(BIO *bio, FILE *file, int flags) {
+ return (int)BIO_ctrl(bio, BIO_C_SET_FILE_PTR, flags, (char *)file);
 }
 int BIO_read_filename(BIO *bio, const char *filename) {
diff --git a/Sources/CNIOBoringSSL/crypto/bytestring/ber.c b/Sources/CNIOBoringSSL/crypto/bytestring/ber.c
index d5db4861a..55f3f91bc 100644
--- a/Sources/CNIOBoringSSL/crypto/bytestring/ber.c
+++ b/Sources/CNIOBoringSSL/crypto/bytestring/ber.c
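Review bot: The Windows branch in the `BIO_C_SET_FILE_PTR` case discards the result of `_setmode(_fileno(ptr), _O_TEXT)`, so a failed switch (it returns -1 and sets errno) leaves the BIO recording a text-mode request while the stream stays in its previous mode; either report it, `if (_setmode(_fileno(ptr), _O_TEXT) == -1) { ret = 0; break; }`, or state in the comment that the failure is deliberately ignored. The call also runs before `ptr` is stored, and `_fileno` on a NULL `FILE *` invokes the CRT invalid-parameter handler on MSVC, so `if (ptr != NULL && (num & BIO_FP_TEXT))` would be safer unless a NULL `ptr` is already rejected above, which I cannot see from the hunk. `file_ctrl` begins and ends outside the hunk.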
@@ -18,13 +18,10 @@
 #include
 #include "internal.h"
-#include "../internal.h"
-// kMaxDepth is a just a sanity limit. The code should be such that the length
-// of the input being processes always decreases. None the less, a very large
-// input could otherwise cause the stack to overflow.
-static const uint32_t kMaxDepth = 2048;
+// kMaxDepth limits the recursion depth to avoid overflowing the stack.
+static const uint32_t kMaxDepth = 128;
 // is_string_type returns one if |tag| is a string type and zero otherwise. It
 // ignores the constructed bit.
@@ -56,13 +53,11 @@ static int is_string_type(CBS_ASN1_TAG tag) {
 // found. The value of |orig_in| is not changed. It returns one on success (i.e.
 // |*ber_found| was set) and zero on error.
 static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) {
- CBS in;
-
 if (depth > kMaxDepth) {
 return 0;
 }
- CBS_init(&in, CBS_data(orig_in), CBS_len(orig_in));
+ CBS in = *orig_in;
 *ber_found = 0;
 while (CBS_len(&in) > 0) {
@@ -87,6 +82,10 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) {
 !cbs_find_ber(&contents, ber_found, depth + 1)) {
 return 0;
 }
+ if (*ber_found) {
+ // We already found BER. No need to continue parsing.
+ return 1;
+ }
 }
 }
diff --git a/Sources/CNIOBoringSSL/crypto/bytestring/cbs.c b/Sources/CNIOBoringSSL/crypto/bytestring/cbs.c
index cd960db14..5b41b0cb5 100644
--- a/Sources/CNIOBoringSSL/crypto/bytestring/cbs.c
+++ b/Sources/CNIOBoringSSL/crypto/bytestring/cbs.c
@@ -26,11 +26,6 @@
 #include "internal.h"
-void CBS_init(CBS *cbs, const uint8_t *data, size_t len) {
- cbs->data = data;
- cbs->len = len;
-}
-
 static int cbs_get(CBS *cbs, const uint8_t **p, size_t n) {
 if (cbs->len < n) {
 return 0;
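Review bot: Lowering `kMaxDepth` from 2048 to 128 is also a functional change that the new comment does not mention: `cbs_find_ber` returns 0 (error) once `depth > kMaxDepth`, so well-formed input nested deeper than 128 levels that previously converted is now rejected rather than classified as DER. The comment should state that consequence so callers and fuzz corpora are not surprised, e.g. `// kMaxDepth bounds recursion to keep stack use small. Inputs nested deeper than this are rejected (return 0), not treated as DER.`. The early `return 1` on `*ber_found` looks correct from what is visible, but the loop body starts above the third hunk, so I could not confirm no per-element bookkeeping is skipped by leaving early; `cbs_find_ber` continues past the hunk.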
@@ -47,14 +42,6 @@ int CBS_skip(CBS *cbs, size_t len) {
 return cbs_get(cbs, &dummy, len);
 }
-const uint8_t *CBS_data(const CBS *cbs) {
- return cbs->data;
-}
-
-size_t CBS_len(const CBS *cbs) {
- return cbs->len;
-}
-
 int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len) {
 OPENSSL_free(*out_ptr);
 *out_ptr = NULL;
@@ -520,11 +507,9 @@ int CBS_get_asn1_int64(CBS *cbs, int64_t *out) {
 return 0;
 }
 uint8_t sign_extend[sizeof(int64_t)];
- memset(sign_extend, is_negative ? 0xff : 0, sizeof(sign_extend));
- for (size_t i = 0; i < len; i++) {
- sign_extend[i] = data[len - i - 1];
- }
- memcpy(out, sign_extend, sizeof(sign_extend));
+ OPENSSL_memset(sign_extend, is_negative ? 0xff : 0, sizeof(sign_extend));
+ OPENSSL_memcpy(sign_extend + sizeof(int64_t) - len, data, len);
+ *out = CRYPTO_load_u64_be(sign_extend);
 return 1;
 }
diff --git a/Sources/CNIOBoringSSL/crypto/bytestring/unicode.c b/Sources/CNIOBoringSSL/crypto/bytestring/unicode.c
index 87a7bf6ac..99c8d176d 100644
--- a/Sources/CNIOBoringSSL/crypto/bytestring/unicode.c
+++ b/Sources/CNIOBoringSSL/crypto/bytestring/unicode.c
@@ -18,11 +18,12 @@
 static int is_valid_code_point(uint32_t v) {
- // References in the following are to Unicode 9.0.0.
+ // References in the following are to Unicode 15.0.0.
 if (// The Unicode space runs from zero to 0x10ffff (3.4 D9).
 v > 0x10ffff ||
 // Values 0x...fffe, 0x...ffff, and 0xfdd0-0xfdef are permanently reserved
- // (3.4 D14)
+ // as noncharacters (3.4 D14). See also 23.7. As our APIs are intended for
+ // "open interchange", such as ASN.1, we reject them.
 (v & 0xfffe) == 0xfffe || (v >= 0xfdd0 && v <= 0xfdef) ||
 // Surrogate code points are invalid (3.2 C1).
diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S
deleted file mode 100644
index 91822499a..000000000
--- a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv4-ios.ios.arm.S
+++ /dev/null
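Review bot: In `CBS_get_asn1_int64`, `OPENSSL_memcpy(sign_extend + sizeof(int64_t) - len, data, len)` is only in bounds if `len <= sizeof(int64_t)` was established before this hunk; the `return 0;` just above suggests such a check exists, but the invariant should be stated on the line that depends on it so a later edit cannot silently break it: `// |len| <= sizeof(int64_t) was checked above, so the right-aligned copy fits.`. The switch from `memset`/`memcpy` to the `OPENSSL_` wrappers plus `CRYPTO_load_u64_be` is a clean replacement for the byte-reversal loop, but the `len == 0` case now depends on the wrappers accepting a zero-length copy, which is worth a unit test unless a zero-length INTEGER is already rejected earlier. The function begins outside the hunk.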
@@ -1,1497 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -#include - -@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both -@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions. - - -.text -#if defined(__thumb2__) || defined(__clang__) -.syntax unified -#endif -#if defined(__thumb2__) -.thumb -#else -.code 32 -#endif - -#if defined(__thumb2__) || defined(__clang__) -#define ldrhsb ldrbhs -#endif - -.align 5 -Lsigma: -.long 0x61707865,0x3320646e,0x79622d32,0x6b206574 @ endian-neutral -Lone: -.long 1,0,0,0 -#if __ARM_MAX_ARCH__>=7 -LOPENSSL_armcap: -.word OPENSSL_armcap_P-LChaCha20_ctr32 -#else -.word -1 -#endif - -.globl _ChaCha20_ctr32 -.private_extern _ChaCha20_ctr32 -#ifdef __thumb2__ -.thumb_func _ChaCha20_ctr32 -#endif -.align 5 -_ChaCha20_ctr32: -LChaCha20_ctr32: - ldr r12,[sp,#0] @ pull pointer to counter and nonce - stmdb sp!,{r0,r1,r2,r4-r11,lr} -#if __ARM_ARCH<7 && !defined(__thumb2__) - sub r14,pc,#16 @ _ChaCha20_ctr32 -#else - adr r14,LChaCha20_ctr32 -#endif - cmp r2,#0 @ len==0? 
-#ifdef __thumb2__ - itt eq -#endif - addeq sp,sp,#4*3 - beq Lno_data -#if __ARM_MAX_ARCH__>=7 - cmp r2,#192 @ test len - bls Lshort - ldr r4,[r14,#-32] - ldr r4,[r14,r4] -# ifdef __APPLE__ - ldr r4,[r4] -# endif - tst r4,#ARMV7_NEON - bne LChaCha20_neon -Lshort: -#endif - ldmia r12,{r4,r5,r6,r7} @ load counter and nonce - sub sp,sp,#4*(16) @ off-load area - sub r14,r14,#64 @ Lsigma - stmdb sp!,{r4,r5,r6,r7} @ copy counter and nonce - ldmia r3,{r4,r5,r6,r7,r8,r9,r10,r11} @ load key - ldmia r14,{r0,r1,r2,r3} @ load sigma - stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11} @ copy key - stmdb sp!,{r0,r1,r2,r3} @ copy sigma - str r10,[sp,#4*(16+10)] @ off-load "rx" - str r11,[sp,#4*(16+11)] @ off-load "rx" - b Loop_outer_enter - -.align 4 -Loop_outer: - ldmia sp,{r0,r1,r2,r3,r4,r5,r6,r7,r8,r9} @ load key material - str r11,[sp,#4*(32+2)] @ save len - str r12, [sp,#4*(32+1)] @ save inp - str r14, [sp,#4*(32+0)] @ save out -Loop_outer_enter: - ldr r11, [sp,#4*(15)] - ldr r12,[sp,#4*(12)] @ modulo-scheduled load - ldr r10, [sp,#4*(13)] - ldr r14,[sp,#4*(14)] - str r11, [sp,#4*(16+15)] - mov r11,#10 - b Loop - -.align 4 -Loop: - subs r11,r11,#1 - add r0,r0,r4 - mov r12,r12,ror#16 - add r1,r1,r5 - mov r10,r10,ror#16 - eor r12,r12,r0,ror#16 - eor r10,r10,r1,ror#16 - add r8,r8,r12 - mov r4,r4,ror#20 - add r9,r9,r10 - mov r5,r5,ror#20 - eor r4,r4,r8,ror#20 - eor r5,r5,r9,ror#20 - add r0,r0,r4 - mov r12,r12,ror#24 - add r1,r1,r5 - mov r10,r10,ror#24 - eor r12,r12,r0,ror#24 - eor r10,r10,r1,ror#24 - add r8,r8,r12 - mov r4,r4,ror#25 - add r9,r9,r10 - mov r5,r5,ror#25 - str r10,[sp,#4*(16+13)] - ldr r10,[sp,#4*(16+15)] - eor r4,r4,r8,ror#25 - eor r5,r5,r9,ror#25 - str r8,[sp,#4*(16+8)] - ldr r8,[sp,#4*(16+10)] - add r2,r2,r6 - mov r14,r14,ror#16 - str r9,[sp,#4*(16+9)] - ldr r9,[sp,#4*(16+11)] - add r3,r3,r7 - mov r10,r10,ror#16 - eor r14,r14,r2,ror#16 - eor r10,r10,r3,ror#16 - add r8,r8,r14 - mov r6,r6,ror#20 - add r9,r9,r10 - mov r7,r7,ror#20 - eor r6,r6,r8,ror#20 - eor r7,r7,r9,ror#20 - 
add r2,r2,r6 - mov r14,r14,ror#24 - add r3,r3,r7 - mov r10,r10,ror#24 - eor r14,r14,r2,ror#24 - eor r10,r10,r3,ror#24 - add r8,r8,r14 - mov r6,r6,ror#25 - add r9,r9,r10 - mov r7,r7,ror#25 - eor r6,r6,r8,ror#25 - eor r7,r7,r9,ror#25 - add r0,r0,r5 - mov r10,r10,ror#16 - add r1,r1,r6 - mov r12,r12,ror#16 - eor r10,r10,r0,ror#16 - eor r12,r12,r1,ror#16 - add r8,r8,r10 - mov r5,r5,ror#20 - add r9,r9,r12 - mov r6,r6,ror#20 - eor r5,r5,r8,ror#20 - eor r6,r6,r9,ror#20 - add r0,r0,r5 - mov r10,r10,ror#24 - add r1,r1,r6 - mov r12,r12,ror#24 - eor r10,r10,r0,ror#24 - eor r12,r12,r1,ror#24 - add r8,r8,r10 - mov r5,r5,ror#25 - str r10,[sp,#4*(16+15)] - ldr r10,[sp,#4*(16+13)] - add r9,r9,r12 - mov r6,r6,ror#25 - eor r5,r5,r8,ror#25 - eor r6,r6,r9,ror#25 - str r8,[sp,#4*(16+10)] - ldr r8,[sp,#4*(16+8)] - add r2,r2,r7 - mov r10,r10,ror#16 - str r9,[sp,#4*(16+11)] - ldr r9,[sp,#4*(16+9)] - add r3,r3,r4 - mov r14,r14,ror#16 - eor r10,r10,r2,ror#16 - eor r14,r14,r3,ror#16 - add r8,r8,r10 - mov r7,r7,ror#20 - add r9,r9,r14 - mov r4,r4,ror#20 - eor r7,r7,r8,ror#20 - eor r4,r4,r9,ror#20 - add r2,r2,r7 - mov r10,r10,ror#24 - add r3,r3,r4 - mov r14,r14,ror#24 - eor r10,r10,r2,ror#24 - eor r14,r14,r3,ror#24 - add r8,r8,r10 - mov r7,r7,ror#25 - add r9,r9,r14 - mov r4,r4,ror#25 - eor r7,r7,r8,ror#25 - eor r4,r4,r9,ror#25 - bne Loop - - ldr r11,[sp,#4*(32+2)] @ load len - - str r8, [sp,#4*(16+8)] @ modulo-scheduled store - str r9, [sp,#4*(16+9)] - str r12,[sp,#4*(16+12)] - str r10, [sp,#4*(16+13)] - str r14,[sp,#4*(16+14)] - - @ at this point we have first half of 512-bit result in - @ rx and second half at sp+4*(16+8) - - cmp r11,#64 @ done yet? -#ifdef __thumb2__ - itete lo -#endif - addlo r12,sp,#4*(0) @ shortcut or ... - ldrhs r12,[sp,#4*(32+1)] @ ... load inp - addlo r14,sp,#4*(0) @ shortcut or ... - ldrhs r14,[sp,#4*(32+0)] @ ... 
load out - - ldr r8,[sp,#4*(0)] @ load key material - ldr r9,[sp,#4*(1)] - -#if __ARM_ARCH>=6 || !defined(__ARMEB__) -# if __ARM_ARCH<7 - orr r10,r12,r14 - tst r10,#3 @ are input and output aligned? - ldr r10,[sp,#4*(2)] - bne Lunaligned - cmp r11,#64 @ restore flags -# else - ldr r10,[sp,#4*(2)] -# endif - ldr r11,[sp,#4*(3)] - - add r0,r0,r8 @ accumulate key material - add r1,r1,r9 -# ifdef __thumb2__ - itt hs -# endif - ldrhs r8,[r12],#16 @ load input - ldrhs r9,[r12,#-12] - - add r2,r2,r10 - add r3,r3,r11 -# ifdef __thumb2__ - itt hs -# endif - ldrhs r10,[r12,#-8] - ldrhs r11,[r12,#-4] -# if __ARM_ARCH>=6 && defined(__ARMEB__) - rev r0,r0 - rev r1,r1 - rev r2,r2 - rev r3,r3 -# endif -# ifdef __thumb2__ - itt hs -# endif - eorhs r0,r0,r8 @ xor with input - eorhs r1,r1,r9 - add r8,sp,#4*(4) - str r0,[r14],#16 @ store output -# ifdef __thumb2__ - itt hs -# endif - eorhs r2,r2,r10 - eorhs r3,r3,r11 - ldmia r8,{r8,r9,r10,r11} @ load key material - str r1,[r14,#-12] - str r2,[r14,#-8] - str r3,[r14,#-4] - - add r4,r4,r8 @ accumulate key material - add r5,r5,r9 -# ifdef __thumb2__ - itt hs -# endif - ldrhs r8,[r12],#16 @ load input - ldrhs r9,[r12,#-12] - add r6,r6,r10 - add r7,r7,r11 -# ifdef __thumb2__ - itt hs -# endif - ldrhs r10,[r12,#-8] - ldrhs r11,[r12,#-4] -# if __ARM_ARCH>=6 && defined(__ARMEB__) - rev r4,r4 - rev r5,r5 - rev r6,r6 - rev r7,r7 -# endif -# ifdef __thumb2__ - itt hs -# endif - eorhs r4,r4,r8 - eorhs r5,r5,r9 - add r8,sp,#4*(8) - str r4,[r14],#16 @ store output -# ifdef __thumb2__ - itt hs -# endif - eorhs r6,r6,r10 - eorhs r7,r7,r11 - str r5,[r14,#-12] - ldmia r8,{r8,r9,r10,r11} @ load key material - str r6,[r14,#-8] - add r0,sp,#4*(16+8) - str r7,[r14,#-4] - - ldmia r0,{r0,r1,r2,r3,r4,r5,r6,r7} @ load second half - - add r0,r0,r8 @ accumulate key material - add r1,r1,r9 -# ifdef __thumb2__ - itt hs -# endif - ldrhs r8,[r12],#16 @ load input - ldrhs r9,[r12,#-12] -# ifdef __thumb2__ - itt hi -# endif - strhi r10,[sp,#4*(16+10)] @ copy "rx" 
while at it - strhi r11,[sp,#4*(16+11)] @ copy "rx" while at it - add r2,r2,r10 - add r3,r3,r11 -# ifdef __thumb2__ - itt hs -# endif - ldrhs r10,[r12,#-8] - ldrhs r11,[r12,#-4] -# if __ARM_ARCH>=6 && defined(__ARMEB__) - rev r0,r0 - rev r1,r1 - rev r2,r2 - rev r3,r3 -# endif -# ifdef __thumb2__ - itt hs -# endif - eorhs r0,r0,r8 - eorhs r1,r1,r9 - add r8,sp,#4*(12) - str r0,[r14],#16 @ store output -# ifdef __thumb2__ - itt hs -# endif - eorhs r2,r2,r10 - eorhs r3,r3,r11 - str r1,[r14,#-12] - ldmia r8,{r8,r9,r10,r11} @ load key material - str r2,[r14,#-8] - str r3,[r14,#-4] - - add r4,r4,r8 @ accumulate key material - add r5,r5,r9 -# ifdef __thumb2__ - itt hi -# endif - addhi r8,r8,#1 @ next counter value - strhi r8,[sp,#4*(12)] @ save next counter value -# ifdef __thumb2__ - itt hs -# endif - ldrhs r8,[r12],#16 @ load input - ldrhs r9,[r12,#-12] - add r6,r6,r10 - add r7,r7,r11 -# ifdef __thumb2__ - itt hs -# endif - ldrhs r10,[r12,#-8] - ldrhs r11,[r12,#-4] -# if __ARM_ARCH>=6 && defined(__ARMEB__) - rev r4,r4 - rev r5,r5 - rev r6,r6 - rev r7,r7 -# endif -# ifdef __thumb2__ - itt hs -# endif - eorhs r4,r4,r8 - eorhs r5,r5,r9 -# ifdef __thumb2__ - it ne -# endif - ldrne r8,[sp,#4*(32+2)] @ re-load len -# ifdef __thumb2__ - itt hs -# endif - eorhs r6,r6,r10 - eorhs r7,r7,r11 - str r4,[r14],#16 @ store output - str r5,[r14,#-12] -# ifdef __thumb2__ - it hs -# endif - subhs r11,r8,#64 @ len-=64 - str r6,[r14,#-8] - str r7,[r14,#-4] - bhi Loop_outer - - beq Ldone -# if __ARM_ARCH<7 - b Ltail - -.align 4 -Lunaligned:@ unaligned endian-neutral path - cmp r11,#64 @ restore flags -# endif -#endif -#if __ARM_ARCH<7 - ldr r11,[sp,#4*(3)] - add r0,r0,r8 @ accumulate key material - add r1,r1,r9 - add r2,r2,r10 -# ifdef __thumb2__ - itete lo -# endif - eorlo r8,r8,r8 @ zero or ... - ldrhsb r8,[r12],#16 @ ... 
load input - eorlo r9,r9,r9 - ldrhsb r9,[r12,#-12] - - add r3,r3,r11 -# ifdef __thumb2__ - itete lo -# endif - eorlo r10,r10,r10 - ldrhsb r10,[r12,#-8] - eorlo r11,r11,r11 - ldrhsb r11,[r12,#-4] - - eor r0,r8,r0 @ xor with input (or zero) - eor r1,r9,r1 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-15] @ load more input - ldrhsb r9,[r12,#-11] - eor r2,r10,r2 - strb r0,[r14],#16 @ store output - eor r3,r11,r3 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-7] - ldrhsb r11,[r12,#-3] - strb r1,[r14,#-12] - eor r0,r8,r0,lsr#8 - strb r2,[r14,#-8] - eor r1,r9,r1,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-14] @ load more input - ldrhsb r9,[r12,#-10] - strb r3,[r14,#-4] - eor r2,r10,r2,lsr#8 - strb r0,[r14,#-15] - eor r3,r11,r3,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-6] - ldrhsb r11,[r12,#-2] - strb r1,[r14,#-11] - eor r0,r8,r0,lsr#8 - strb r2,[r14,#-7] - eor r1,r9,r1,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-13] @ load more input - ldrhsb r9,[r12,#-9] - strb r3,[r14,#-3] - eor r2,r10,r2,lsr#8 - strb r0,[r14,#-14] - eor r3,r11,r3,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-5] - ldrhsb r11,[r12,#-1] - strb r1,[r14,#-10] - strb r2,[r14,#-6] - eor r0,r8,r0,lsr#8 - strb r3,[r14,#-2] - eor r1,r9,r1,lsr#8 - strb r0,[r14,#-13] - eor r2,r10,r2,lsr#8 - strb r1,[r14,#-9] - eor r3,r11,r3,lsr#8 - strb r2,[r14,#-5] - strb r3,[r14,#-1] - add r8,sp,#4*(4+0) - ldmia r8,{r8,r9,r10,r11} @ load key material - add r0,sp,#4*(16+8) - add r4,r4,r8 @ accumulate key material - add r5,r5,r9 - add r6,r6,r10 -# ifdef __thumb2__ - itete lo -# endif - eorlo r8,r8,r8 @ zero or ... - ldrhsb r8,[r12],#16 @ ... 
load input - eorlo r9,r9,r9 - ldrhsb r9,[r12,#-12] - - add r7,r7,r11 -# ifdef __thumb2__ - itete lo -# endif - eorlo r10,r10,r10 - ldrhsb r10,[r12,#-8] - eorlo r11,r11,r11 - ldrhsb r11,[r12,#-4] - - eor r4,r8,r4 @ xor with input (or zero) - eor r5,r9,r5 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-15] @ load more input - ldrhsb r9,[r12,#-11] - eor r6,r10,r6 - strb r4,[r14],#16 @ store output - eor r7,r11,r7 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-7] - ldrhsb r11,[r12,#-3] - strb r5,[r14,#-12] - eor r4,r8,r4,lsr#8 - strb r6,[r14,#-8] - eor r5,r9,r5,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-14] @ load more input - ldrhsb r9,[r12,#-10] - strb r7,[r14,#-4] - eor r6,r10,r6,lsr#8 - strb r4,[r14,#-15] - eor r7,r11,r7,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-6] - ldrhsb r11,[r12,#-2] - strb r5,[r14,#-11] - eor r4,r8,r4,lsr#8 - strb r6,[r14,#-7] - eor r5,r9,r5,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-13] @ load more input - ldrhsb r9,[r12,#-9] - strb r7,[r14,#-3] - eor r6,r10,r6,lsr#8 - strb r4,[r14,#-14] - eor r7,r11,r7,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-5] - ldrhsb r11,[r12,#-1] - strb r5,[r14,#-10] - strb r6,[r14,#-6] - eor r4,r8,r4,lsr#8 - strb r7,[r14,#-2] - eor r5,r9,r5,lsr#8 - strb r4,[r14,#-13] - eor r6,r10,r6,lsr#8 - strb r5,[r14,#-9] - eor r7,r11,r7,lsr#8 - strb r6,[r14,#-5] - strb r7,[r14,#-1] - add r8,sp,#4*(4+4) - ldmia r8,{r8,r9,r10,r11} @ load key material - ldmia r0,{r0,r1,r2,r3,r4,r5,r6,r7} @ load second half -# ifdef __thumb2__ - itt hi -# endif - strhi r10,[sp,#4*(16+10)] @ copy "rx" - strhi r11,[sp,#4*(16+11)] @ copy "rx" - add r0,r0,r8 @ accumulate key material - add r1,r1,r9 - add r2,r2,r10 -# ifdef __thumb2__ - itete lo -# endif - eorlo r8,r8,r8 @ zero or ... - ldrhsb r8,[r12],#16 @ ... 
load input - eorlo r9,r9,r9 - ldrhsb r9,[r12,#-12] - - add r3,r3,r11 -# ifdef __thumb2__ - itete lo -# endif - eorlo r10,r10,r10 - ldrhsb r10,[r12,#-8] - eorlo r11,r11,r11 - ldrhsb r11,[r12,#-4] - - eor r0,r8,r0 @ xor with input (or zero) - eor r1,r9,r1 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-15] @ load more input - ldrhsb r9,[r12,#-11] - eor r2,r10,r2 - strb r0,[r14],#16 @ store output - eor r3,r11,r3 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-7] - ldrhsb r11,[r12,#-3] - strb r1,[r14,#-12] - eor r0,r8,r0,lsr#8 - strb r2,[r14,#-8] - eor r1,r9,r1,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-14] @ load more input - ldrhsb r9,[r12,#-10] - strb r3,[r14,#-4] - eor r2,r10,r2,lsr#8 - strb r0,[r14,#-15] - eor r3,r11,r3,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-6] - ldrhsb r11,[r12,#-2] - strb r1,[r14,#-11] - eor r0,r8,r0,lsr#8 - strb r2,[r14,#-7] - eor r1,r9,r1,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-13] @ load more input - ldrhsb r9,[r12,#-9] - strb r3,[r14,#-3] - eor r2,r10,r2,lsr#8 - strb r0,[r14,#-14] - eor r3,r11,r3,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-5] - ldrhsb r11,[r12,#-1] - strb r1,[r14,#-10] - strb r2,[r14,#-6] - eor r0,r8,r0,lsr#8 - strb r3,[r14,#-2] - eor r1,r9,r1,lsr#8 - strb r0,[r14,#-13] - eor r2,r10,r2,lsr#8 - strb r1,[r14,#-9] - eor r3,r11,r3,lsr#8 - strb r2,[r14,#-5] - strb r3,[r14,#-1] - add r8,sp,#4*(4+8) - ldmia r8,{r8,r9,r10,r11} @ load key material - add r4,r4,r8 @ accumulate key material -# ifdef __thumb2__ - itt hi -# endif - addhi r8,r8,#1 @ next counter value - strhi r8,[sp,#4*(12)] @ save next counter value - add r5,r5,r9 - add r6,r6,r10 -# ifdef __thumb2__ - itete lo -# endif - eorlo r8,r8,r8 @ zero or ... - ldrhsb r8,[r12],#16 @ ... 
load input - eorlo r9,r9,r9 - ldrhsb r9,[r12,#-12] - - add r7,r7,r11 -# ifdef __thumb2__ - itete lo -# endif - eorlo r10,r10,r10 - ldrhsb r10,[r12,#-8] - eorlo r11,r11,r11 - ldrhsb r11,[r12,#-4] - - eor r4,r8,r4 @ xor with input (or zero) - eor r5,r9,r5 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-15] @ load more input - ldrhsb r9,[r12,#-11] - eor r6,r10,r6 - strb r4,[r14],#16 @ store output - eor r7,r11,r7 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-7] - ldrhsb r11,[r12,#-3] - strb r5,[r14,#-12] - eor r4,r8,r4,lsr#8 - strb r6,[r14,#-8] - eor r5,r9,r5,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-14] @ load more input - ldrhsb r9,[r12,#-10] - strb r7,[r14,#-4] - eor r6,r10,r6,lsr#8 - strb r4,[r14,#-15] - eor r7,r11,r7,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-6] - ldrhsb r11,[r12,#-2] - strb r5,[r14,#-11] - eor r4,r8,r4,lsr#8 - strb r6,[r14,#-7] - eor r5,r9,r5,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r8,[r12,#-13] @ load more input - ldrhsb r9,[r12,#-9] - strb r7,[r14,#-3] - eor r6,r10,r6,lsr#8 - strb r4,[r14,#-14] - eor r7,r11,r7,lsr#8 -# ifdef __thumb2__ - itt hs -# endif - ldrhsb r10,[r12,#-5] - ldrhsb r11,[r12,#-1] - strb r5,[r14,#-10] - strb r6,[r14,#-6] - eor r4,r8,r4,lsr#8 - strb r7,[r14,#-2] - eor r5,r9,r5,lsr#8 - strb r4,[r14,#-13] - eor r6,r10,r6,lsr#8 - strb r5,[r14,#-9] - eor r7,r11,r7,lsr#8 - strb r6,[r14,#-5] - strb r7,[r14,#-1] -# ifdef __thumb2__ - it ne -# endif - ldrne r8,[sp,#4*(32+2)] @ re-load len -# ifdef __thumb2__ - it hs -# endif - subhs r11,r8,#64 @ len-=64 - bhi Loop_outer - - beq Ldone -#endif - -Ltail: - ldr r12,[sp,#4*(32+1)] @ load inp - add r9,sp,#4*(0) - ldr r14,[sp,#4*(32+0)] @ load out - -Loop_tail: - ldrb r10,[r9],#1 @ read buffer on stack - ldrb r11,[r12],#1 @ read input - subs r8,r8,#1 - eor r11,r11,r10 - strb r11,[r14],#1 @ store output - bne Loop_tail - -Ldone: - add sp,sp,#4*(32+3) -Lno_data: - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} - -#if 
__ARM_MAX_ARCH__>=7 - - - -#ifdef __thumb2__ -.thumb_func ChaCha20_neon -#endif -.align 5 -ChaCha20_neon: - ldr r12,[sp,#0] @ pull pointer to counter and nonce - stmdb sp!,{r0,r1,r2,r4-r11,lr} -LChaCha20_neon: - adr r14,Lsigma - vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI spec says so - stmdb sp!,{r0,r1,r2,r3} - - vld1.32 {q1,q2},[r3] @ load key - ldmia r3,{r4,r5,r6,r7,r8,r9,r10,r11} @ load key - - sub sp,sp,#4*(16+16) - vld1.32 {q3},[r12] @ load counter and nonce - add r12,sp,#4*8 - ldmia r14,{r0,r1,r2,r3} @ load sigma - vld1.32 {q0},[r14]! @ load sigma - vld1.32 {q12},[r14] @ one - vst1.32 {q2,q3},[r12] @ copy 1/2key|counter|nonce - vst1.32 {q0,q1},[sp] @ copy sigma|1/2key - - str r10,[sp,#4*(16+10)] @ off-load "rx" - str r11,[sp,#4*(16+11)] @ off-load "rx" - vshl.i32 d26,d24,#1 @ two - vstr d24,[sp,#4*(16+0)] - vshl.i32 d28,d24,#2 @ four - vstr d26,[sp,#4*(16+2)] - vmov q4,q0 - vstr d28,[sp,#4*(16+4)] - vmov q8,q0 - vmov q5,q1 - vmov q9,q1 - b Loop_neon_enter - -.align 4 -Loop_neon_outer: - ldmia sp,{r0,r1,r2,r3,r4,r5,r6,r7,r8,r9} @ load key material - cmp r11,#64*2 @ if len<=64*2 - bls Lbreak_neon @ switch to integer-only - vmov q4,q0 - str r11,[sp,#4*(32+2)] @ save len - vmov q8,q0 - str r12, [sp,#4*(32+1)] @ save inp - vmov q5,q1 - str r14, [sp,#4*(32+0)] @ save out - vmov q9,q1 -Loop_neon_enter: - ldr r11, [sp,#4*(15)] - vadd.i32 q7,q3,q12 @ counter+1 - ldr r12,[sp,#4*(12)] @ modulo-scheduled load - vmov q6,q2 - ldr r10, [sp,#4*(13)] - vmov q10,q2 - ldr r14,[sp,#4*(14)] - vadd.i32 q11,q7,q12 @ counter+2 - str r11, [sp,#4*(16+15)] - mov r11,#10 - add r12,r12,#3 @ counter+3 - b Loop_neon - -.align 4 -Loop_neon: - subs r11,r11,#1 - vadd.i32 q0,q0,q1 - add r0,r0,r4 - vadd.i32 q4,q4,q5 - mov r12,r12,ror#16 - vadd.i32 q8,q8,q9 - add r1,r1,r5 - veor q3,q3,q0 - mov r10,r10,ror#16 - veor q7,q7,q4 - eor r12,r12,r0,ror#16 - veor q11,q11,q8 - eor r10,r10,r1,ror#16 - vrev32.16 q3,q3 - add r8,r8,r12 - vrev32.16 q7,q7 - mov r4,r4,ror#20 - vrev32.16 q11,q11 - add 
r9,r9,r10 - vadd.i32 q2,q2,q3 - mov r5,r5,ror#20 - vadd.i32 q6,q6,q7 - eor r4,r4,r8,ror#20 - vadd.i32 q10,q10,q11 - eor r5,r5,r9,ror#20 - veor q12,q1,q2 - add r0,r0,r4 - veor q13,q5,q6 - mov r12,r12,ror#24 - veor q14,q9,q10 - add r1,r1,r5 - vshr.u32 q1,q12,#20 - mov r10,r10,ror#24 - vshr.u32 q5,q13,#20 - eor r12,r12,r0,ror#24 - vshr.u32 q9,q14,#20 - eor r10,r10,r1,ror#24 - vsli.32 q1,q12,#12 - add r8,r8,r12 - vsli.32 q5,q13,#12 - mov r4,r4,ror#25 - vsli.32 q9,q14,#12 - add r9,r9,r10 - vadd.i32 q0,q0,q1 - mov r5,r5,ror#25 - vadd.i32 q4,q4,q5 - str r10,[sp,#4*(16+13)] - vadd.i32 q8,q8,q9 - ldr r10,[sp,#4*(16+15)] - veor q12,q3,q0 - eor r4,r4,r8,ror#25 - veor q13,q7,q4 - eor r5,r5,r9,ror#25 - veor q14,q11,q8 - str r8,[sp,#4*(16+8)] - vshr.u32 q3,q12,#24 - ldr r8,[sp,#4*(16+10)] - vshr.u32 q7,q13,#24 - add r2,r2,r6 - vshr.u32 q11,q14,#24 - mov r14,r14,ror#16 - vsli.32 q3,q12,#8 - str r9,[sp,#4*(16+9)] - vsli.32 q7,q13,#8 - ldr r9,[sp,#4*(16+11)] - vsli.32 q11,q14,#8 - add r3,r3,r7 - vadd.i32 q2,q2,q3 - mov r10,r10,ror#16 - vadd.i32 q6,q6,q7 - eor r14,r14,r2,ror#16 - vadd.i32 q10,q10,q11 - eor r10,r10,r3,ror#16 - veor q12,q1,q2 - add r8,r8,r14 - veor q13,q5,q6 - mov r6,r6,ror#20 - veor q14,q9,q10 - add r9,r9,r10 - vshr.u32 q1,q12,#25 - mov r7,r7,ror#20 - vshr.u32 q5,q13,#25 - eor r6,r6,r8,ror#20 - vshr.u32 q9,q14,#25 - eor r7,r7,r9,ror#20 - vsli.32 q1,q12,#7 - add r2,r2,r6 - vsli.32 q5,q13,#7 - mov r14,r14,ror#24 - vsli.32 q9,q14,#7 - add r3,r3,r7 - vext.8 q2,q2,q2,#8 - mov r10,r10,ror#24 - vext.8 q6,q6,q6,#8 - eor r14,r14,r2,ror#24 - vext.8 q10,q10,q10,#8 - eor r10,r10,r3,ror#24 - vext.8 q1,q1,q1,#4 - add r8,r8,r14 - vext.8 q5,q5,q5,#4 - mov r6,r6,ror#25 - vext.8 q9,q9,q9,#4 - add r9,r9,r10 - vext.8 q3,q3,q3,#12 - mov r7,r7,ror#25 - vext.8 q7,q7,q7,#12 - eor r6,r6,r8,ror#25 - vext.8 q11,q11,q11,#12 - eor r7,r7,r9,ror#25 - vadd.i32 q0,q0,q1 - add r0,r0,r5 - vadd.i32 q4,q4,q5 - mov r10,r10,ror#16 - vadd.i32 q8,q8,q9 - add r1,r1,r6 - veor q3,q3,q0 - mov r12,r12,ror#16 - 
veor q7,q7,q4 - eor r10,r10,r0,ror#16 - veor q11,q11,q8 - eor r12,r12,r1,ror#16 - vrev32.16 q3,q3 - add r8,r8,r10 - vrev32.16 q7,q7 - mov r5,r5,ror#20 - vrev32.16 q11,q11 - add r9,r9,r12 - vadd.i32 q2,q2,q3 - mov r6,r6,ror#20 - vadd.i32 q6,q6,q7 - eor r5,r5,r8,ror#20 - vadd.i32 q10,q10,q11 - eor r6,r6,r9,ror#20 - veor q12,q1,q2 - add r0,r0,r5 - veor q13,q5,q6 - mov r10,r10,ror#24 - veor q14,q9,q10 - add r1,r1,r6 - vshr.u32 q1,q12,#20 - mov r12,r12,ror#24 - vshr.u32 q5,q13,#20 - eor r10,r10,r0,ror#24 - vshr.u32 q9,q14,#20 - eor r12,r12,r1,ror#24 - vsli.32 q1,q12,#12 - add r8,r8,r10 - vsli.32 q5,q13,#12 - mov r5,r5,ror#25 - vsli.32 q9,q14,#12 - str r10,[sp,#4*(16+15)] - vadd.i32 q0,q0,q1 - ldr r10,[sp,#4*(16+13)] - vadd.i32 q4,q4,q5 - add r9,r9,r12 - vadd.i32 q8,q8,q9 - mov r6,r6,ror#25 - veor q12,q3,q0 - eor r5,r5,r8,ror#25 - veor q13,q7,q4 - eor r6,r6,r9,ror#25 - veor q14,q11,q8 - str r8,[sp,#4*(16+10)] - vshr.u32 q3,q12,#24 - ldr r8,[sp,#4*(16+8)] - vshr.u32 q7,q13,#24 - add r2,r2,r7 - vshr.u32 q11,q14,#24 - mov r10,r10,ror#16 - vsli.32 q3,q12,#8 - str r9,[sp,#4*(16+11)] - vsli.32 q7,q13,#8 - ldr r9,[sp,#4*(16+9)] - vsli.32 q11,q14,#8 - add r3,r3,r4 - vadd.i32 q2,q2,q3 - mov r14,r14,ror#16 - vadd.i32 q6,q6,q7 - eor r10,r10,r2,ror#16 - vadd.i32 q10,q10,q11 - eor r14,r14,r3,ror#16 - veor q12,q1,q2 - add r8,r8,r10 - veor q13,q5,q6 - mov r7,r7,ror#20 - veor q14,q9,q10 - add r9,r9,r14 - vshr.u32 q1,q12,#25 - mov r4,r4,ror#20 - vshr.u32 q5,q13,#25 - eor r7,r7,r8,ror#20 - vshr.u32 q9,q14,#25 - eor r4,r4,r9,ror#20 - vsli.32 q1,q12,#7 - add r2,r2,r7 - vsli.32 q5,q13,#7 - mov r10,r10,ror#24 - vsli.32 q9,q14,#7 - add r3,r3,r4 - vext.8 q2,q2,q2,#8 - mov r14,r14,ror#24 - vext.8 q6,q6,q6,#8 - eor r10,r10,r2,ror#24 - vext.8 q10,q10,q10,#8 - eor r14,r14,r3,ror#24 - vext.8 q1,q1,q1,#12 - add r8,r8,r10 - vext.8 q5,q5,q5,#12 - mov r7,r7,ror#25 - vext.8 q9,q9,q9,#12 - add r9,r9,r14 - vext.8 q3,q3,q3,#4 - mov r4,r4,ror#25 - vext.8 q7,q7,q7,#4 - eor r7,r7,r8,ror#25 - vext.8 
q11,q11,q11,#4 - eor r4,r4,r9,ror#25 - bne Loop_neon - - add r11,sp,#32 - vld1.32 {q12,q13},[sp] @ load key material - vld1.32 {q14,q15},[r11] - - ldr r11,[sp,#4*(32+2)] @ load len - - str r8, [sp,#4*(16+8)] @ modulo-scheduled store - str r9, [sp,#4*(16+9)] - str r12,[sp,#4*(16+12)] - str r10, [sp,#4*(16+13)] - str r14,[sp,#4*(16+14)] - - @ at this point we have first half of 512-bit result in - @ rx and second half at sp+4*(16+8) - - ldr r12,[sp,#4*(32+1)] @ load inp - ldr r14,[sp,#4*(32+0)] @ load out - - vadd.i32 q0,q0,q12 @ accumulate key material - vadd.i32 q4,q4,q12 - vadd.i32 q8,q8,q12 - vldr d24,[sp,#4*(16+0)] @ one - - vadd.i32 q1,q1,q13 - vadd.i32 q5,q5,q13 - vadd.i32 q9,q9,q13 - vldr d26,[sp,#4*(16+2)] @ two - - vadd.i32 q2,q2,q14 - vadd.i32 q6,q6,q14 - vadd.i32 q10,q10,q14 - vadd.i32 d14,d14,d24 @ counter+1 - vadd.i32 d22,d22,d26 @ counter+2 - - vadd.i32 q3,q3,q15 - vadd.i32 q7,q7,q15 - vadd.i32 q11,q11,q15 - - cmp r11,#64*4 - blo Ltail_neon - - vld1.8 {q12,q13},[r12]! @ load input - mov r11,sp - vld1.8 {q14,q15},[r12]! - veor q0,q0,q12 @ xor with input - veor q1,q1,q13 - vld1.8 {q12,q13},[r12]! - veor q2,q2,q14 - veor q3,q3,q15 - vld1.8 {q14,q15},[r12]! - - veor q4,q4,q12 - vst1.8 {q0,q1},[r14]! @ store output - veor q5,q5,q13 - vld1.8 {q12,q13},[r12]! - veor q6,q6,q14 - vst1.8 {q2,q3},[r14]! - veor q7,q7,q15 - vld1.8 {q14,q15},[r12]! - - veor q8,q8,q12 - vld1.32 {q0,q1},[r11]! @ load for next iteration - veor d25,d25,d25 - vldr d24,[sp,#4*(16+4)] @ four - veor q9,q9,q13 - vld1.32 {q2,q3},[r11] - veor q10,q10,q14 - vst1.8 {q4,q5},[r14]! - veor q11,q11,q15 - vst1.8 {q6,q7},[r14]! - - vadd.i32 d6,d6,d24 @ next counter value - vldr d24,[sp,#4*(16+0)] @ one - - ldmia sp,{r8,r9,r10,r11} @ load key material - add r0,r0,r8 @ accumulate key material - ldr r8,[r12],#16 @ load input - vst1.8 {q8,q9},[r14]! - add r1,r1,r9 - ldr r9,[r12,#-12] - vst1.8 {q10,q11},[r14]! 
- add r2,r2,r10 - ldr r10,[r12,#-8] - add r3,r3,r11 - ldr r11,[r12,#-4] -# ifdef __ARMEB__ - rev r0,r0 - rev r1,r1 - rev r2,r2 - rev r3,r3 -# endif - eor r0,r0,r8 @ xor with input - add r8,sp,#4*(4) - eor r1,r1,r9 - str r0,[r14],#16 @ store output - eor r2,r2,r10 - str r1,[r14,#-12] - eor r3,r3,r11 - ldmia r8,{r8,r9,r10,r11} @ load key material - str r2,[r14,#-8] - str r3,[r14,#-4] - - add r4,r4,r8 @ accumulate key material - ldr r8,[r12],#16 @ load input - add r5,r5,r9 - ldr r9,[r12,#-12] - add r6,r6,r10 - ldr r10,[r12,#-8] - add r7,r7,r11 - ldr r11,[r12,#-4] -# ifdef __ARMEB__ - rev r4,r4 - rev r5,r5 - rev r6,r6 - rev r7,r7 -# endif - eor r4,r4,r8 - add r8,sp,#4*(8) - eor r5,r5,r9 - str r4,[r14],#16 @ store output - eor r6,r6,r10 - str r5,[r14,#-12] - eor r7,r7,r11 - ldmia r8,{r8,r9,r10,r11} @ load key material - str r6,[r14,#-8] - add r0,sp,#4*(16+8) - str r7,[r14,#-4] - - ldmia r0,{r0,r1,r2,r3,r4,r5,r6,r7} @ load second half - - add r0,r0,r8 @ accumulate key material - ldr r8,[r12],#16 @ load input - add r1,r1,r9 - ldr r9,[r12,#-12] -# ifdef __thumb2__ - it hi -# endif - strhi r10,[sp,#4*(16+10)] @ copy "rx" while at it - add r2,r2,r10 - ldr r10,[r12,#-8] -# ifdef __thumb2__ - it hi -# endif - strhi r11,[sp,#4*(16+11)] @ copy "rx" while at it - add r3,r3,r11 - ldr r11,[r12,#-4] -# ifdef __ARMEB__ - rev r0,r0 - rev r1,r1 - rev r2,r2 - rev r3,r3 -# endif - eor r0,r0,r8 - add r8,sp,#4*(12) - eor r1,r1,r9 - str r0,[r14],#16 @ store output - eor r2,r2,r10 - str r1,[r14,#-12] - eor r3,r3,r11 - ldmia r8,{r8,r9,r10,r11} @ load key material - str r2,[r14,#-8] - str r3,[r14,#-4] - - add r4,r4,r8 @ accumulate key material - add r8,r8,#4 @ next counter value - add r5,r5,r9 - str r8,[sp,#4*(12)] @ save next counter value - ldr r8,[r12],#16 @ load input - add r6,r6,r10 - add r4,r4,#3 @ counter+3 - ldr r9,[r12,#-12] - add r7,r7,r11 - ldr r10,[r12,#-8] - ldr r11,[r12,#-4] -# ifdef __ARMEB__ - rev r4,r4 - rev r5,r5 - rev r6,r6 - rev r7,r7 -# endif - eor r4,r4,r8 -# ifdef 
__thumb2__ - it hi -# endif - ldrhi r8,[sp,#4*(32+2)] @ re-load len - eor r5,r5,r9 - eor r6,r6,r10 - str r4,[r14],#16 @ store output - eor r7,r7,r11 - str r5,[r14,#-12] - sub r11,r8,#64*4 @ len-=64*4 - str r6,[r14,#-8] - str r7,[r14,#-4] - bhi Loop_neon_outer - - b Ldone_neon - -.align 4 -Lbreak_neon: - @ harmonize NEON and integer-only stack frames: load data - @ from NEON frame, but save to integer-only one; distance - @ between the two is 4*(32+4+16-32)=4*(20). - - str r11, [sp,#4*(20+32+2)] @ save len - add r11,sp,#4*(32+4) - str r12, [sp,#4*(20+32+1)] @ save inp - str r14, [sp,#4*(20+32+0)] @ save out - - ldr r12,[sp,#4*(16+10)] - ldr r14,[sp,#4*(16+11)] - vldmia r11,{d8,d9,d10,d11,d12,d13,d14,d15} @ fulfill ABI requirement - str r12,[sp,#4*(20+16+10)] @ copy "rx" - str r14,[sp,#4*(20+16+11)] @ copy "rx" - - ldr r11, [sp,#4*(15)] - ldr r12,[sp,#4*(12)] @ modulo-scheduled load - ldr r10, [sp,#4*(13)] - ldr r14,[sp,#4*(14)] - str r11, [sp,#4*(20+16+15)] - add r11,sp,#4*(20) - vst1.32 {q0,q1},[r11]! @ copy key - add sp,sp,#4*(20) @ switch frame - vst1.32 {q2,q3},[r11] - mov r11,#10 - b Loop @ go integer-only - -.align 4 -Ltail_neon: - cmp r11,#64*3 - bhs L192_or_more_neon - cmp r11,#64*2 - bhs L128_or_more_neon - cmp r11,#64*1 - bhs L64_or_more_neon - - add r8,sp,#4*(8) - vst1.8 {q0,q1},[sp] - add r10,sp,#4*(0) - vst1.8 {q2,q3},[r8] - b Loop_tail_neon - -.align 4 -L64_or_more_neon: - vld1.8 {q12,q13},[r12]! - vld1.8 {q14,q15},[r12]! - veor q0,q0,q12 - veor q1,q1,q13 - veor q2,q2,q14 - veor q3,q3,q15 - vst1.8 {q0,q1},[r14]! - vst1.8 {q2,q3},[r14]! - - beq Ldone_neon - - add r8,sp,#4*(8) - vst1.8 {q4,q5},[sp] - add r10,sp,#4*(0) - vst1.8 {q6,q7},[r8] - sub r11,r11,#64*1 @ len-=64*1 - b Loop_tail_neon - -.align 4 -L128_or_more_neon: - vld1.8 {q12,q13},[r12]! - vld1.8 {q14,q15},[r12]! - veor q0,q0,q12 - veor q1,q1,q13 - vld1.8 {q12,q13},[r12]! - veor q2,q2,q14 - veor q3,q3,q15 - vld1.8 {q14,q15},[r12]! - - veor q4,q4,q12 - veor q5,q5,q13 - vst1.8 {q0,q1},[r14]! 
- veor q6,q6,q14 - vst1.8 {q2,q3},[r14]! - veor q7,q7,q15 - vst1.8 {q4,q5},[r14]! - vst1.8 {q6,q7},[r14]! - - beq Ldone_neon - - add r8,sp,#4*(8) - vst1.8 {q8,q9},[sp] - add r10,sp,#4*(0) - vst1.8 {q10,q11},[r8] - sub r11,r11,#64*2 @ len-=64*2 - b Loop_tail_neon - -.align 4 -L192_or_more_neon: - vld1.8 {q12,q13},[r12]! - vld1.8 {q14,q15},[r12]! - veor q0,q0,q12 - veor q1,q1,q13 - vld1.8 {q12,q13},[r12]! - veor q2,q2,q14 - veor q3,q3,q15 - vld1.8 {q14,q15},[r12]! - - veor q4,q4,q12 - veor q5,q5,q13 - vld1.8 {q12,q13},[r12]! - veor q6,q6,q14 - vst1.8 {q0,q1},[r14]! - veor q7,q7,q15 - vld1.8 {q14,q15},[r12]! - - veor q8,q8,q12 - vst1.8 {q2,q3},[r14]! - veor q9,q9,q13 - vst1.8 {q4,q5},[r14]! - veor q10,q10,q14 - vst1.8 {q6,q7},[r14]! - veor q11,q11,q15 - vst1.8 {q8,q9},[r14]! - vst1.8 {q10,q11},[r14]! - - beq Ldone_neon - - ldmia sp,{r8,r9,r10,r11} @ load key material - add r0,r0,r8 @ accumulate key material - add r8,sp,#4*(4) - add r1,r1,r9 - add r2,r2,r10 - add r3,r3,r11 - ldmia r8,{r8,r9,r10,r11} @ load key material - - add r4,r4,r8 @ accumulate key material - add r8,sp,#4*(8) - add r5,r5,r9 - add r6,r6,r10 - add r7,r7,r11 - ldmia r8,{r8,r9,r10,r11} @ load key material -# ifdef __ARMEB__ - rev r0,r0 - rev r1,r1 - rev r2,r2 - rev r3,r3 - rev r4,r4 - rev r5,r5 - rev r6,r6 - rev r7,r7 -# endif - stmia sp,{r0,r1,r2,r3,r4,r5,r6,r7} - add r0,sp,#4*(16+8) - - ldmia r0,{r0,r1,r2,r3,r4,r5,r6,r7} @ load second half - - add r0,r0,r8 @ accumulate key material - add r8,sp,#4*(12) - add r1,r1,r9 - add r2,r2,r10 - add r3,r3,r11 - ldmia r8,{r8,r9,r10,r11} @ load key material - - add r4,r4,r8 @ accumulate key material - add r8,sp,#4*(8) - add r5,r5,r9 - add r4,r4,#3 @ counter+3 - add r6,r6,r10 - add r7,r7,r11 - ldr r11,[sp,#4*(32+2)] @ re-load len -# ifdef __ARMEB__ - rev r0,r0 - rev r1,r1 - rev r2,r2 - rev r3,r3 - rev r4,r4 - rev r5,r5 - rev r6,r6 - rev r7,r7 -# endif - stmia r8,{r0,r1,r2,r3,r4,r5,r6,r7} - add r10,sp,#4*(0) - sub r11,r11,#64*3 @ len-=64*3 - -Loop_tail_neon: - ldrb 
r8,[r10],#1 @ read buffer on stack - ldrb r9,[r12],#1 @ read input - subs r11,r11,#1 - eor r8,r8,r9 - strb r8,[r14],#1 @ store output - bne Loop_tail_neon - -Ldone_neon: - add sp,sp,#4*(32+4) - vldmia sp,{d8,d9,d10,d11,d12,d13,d14,d15} - add sp,sp,#4*(16+3) - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} - -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -#endif -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha.c b/Sources/CNIOBoringSSL/crypto/chacha/chacha.c index d740304f5..0b7b97574 100644 --- a/Sources/CNIOBoringSSL/crypto/chacha/chacha.c +++ b/Sources/CNIOBoringSSL/crypto/chacha/chacha.c 
@@ -60,7 +60,40 @@ void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],
 OPENSSL_memcpy(&out[16], &x[12], sizeof(uint32_t) * 4);
 }
-#if defined(CHACHA20_ASM)
+#if defined(CHACHA20_ASM_NOHW)
+static void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint32_t key[8], const uint32_t counter[4]) {
+#if defined(CHACHA20_ASM_NEON)
+ if (ChaCha20_ctr32_neon_capable(in_len)) {
+ ChaCha20_ctr32_neon(out, in, in_len, key, counter);
+ return;
+ }
+#endif
+#if defined(CHACHA20_ASM_AVX2)
+ if (ChaCha20_ctr32_avx2_capable(in_len)) {
+ ChaCha20_ctr32_avx2(out, in, in_len, key, counter);
+ return;
+ }
+#endif
+#if defined(CHACHA20_ASM_SSSE3_4X)
+ if (ChaCha20_ctr32_ssse3_4x_capable(in_len)) {
+ ChaCha20_ctr32_ssse3_4x(out, in, in_len, key, counter);
+ return;
+ }
+#endif
+#if defined(CHACHA20_ASM_SSSE3)
+ if (ChaCha20_ctr32_ssse3_capable(in_len)) {
+ ChaCha20_ctr32_ssse3(out, in, in_len, key, counter);
+ return;
+ }
+#endif
+ if (in_len > 0) {
+ ChaCha20_ctr32_nohw(out, in, in_len, key, counter);
+ }
+}
+#endif
+
+#if defined(CHACHA20_ASM_NOHW)
 void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
 const uint8_t key[32], const uint8_t nonce[12],
diff --git a/Sources/CNIOBoringSSL/crypto/chacha/internal.h b/Sources/CNIOBoringSSL/crypto/chacha/internal.h
index 7b2fc3f84..b4384470e 100644
--- a/Sources/CNIOBoringSSL/crypto/chacha/internal.h
+++ b/Sources/CNIOBoringSSL/crypto/chacha/internal.h
@@ -17,6 +17,8 @@
 #include
+#include "../internal.h"
+
 #if defined(__cplusplus)
 extern "C" {
 #endif
@@ -27,21 +29,69 @@ extern "C" {
 void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],
 const uint8_t nonce[16]);
-#if !defined(OPENSSL_NO_ASM) && \
- (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
- defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
-#define CHACHA20_ASM
+#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86)
+
+#define CHACHA20_ASM_NOHW
+
+#define CHACHA20_ASM_SSSE3
+OPENSSL_INLINE int ChaCha20_ctr32_ssse3_capable(size_t len) {
+ // Unlike the x86_64 version, the x86 SSSE3 routine runs for all non-zero
+ // lengths.
+ return len > 0 && CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable();
+}
+void ChaCha20_ctr32_ssse3(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint32_t key[8], const uint32_t counter[4]);
+
+#elif !defined(OPENSSL_NO_ASM) && \
+ (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
+
+#define CHACHA20_ASM_NOHW
+
+#define CHACHA20_ASM_NEON
+OPENSSL_INLINE int ChaCha20_ctr32_neon_capable(size_t len) {
+ return len >= 192 && CRYPTO_is_NEON_capable();
+}
+void ChaCha20_ctr32_neon(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint32_t key[8], const uint32_t counter[4]);
+#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64)
+#define CHACHA20_ASM_NOHW
+
+#define CHACHA20_ASM_AVX2
+OPENSSL_INLINE int ChaCha20_ctr32_avx2_capable(size_t len) {
+ return len > 128 && CRYPTO_is_AVX2_capable();
+}
+void ChaCha20_ctr32_avx2(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint32_t key[8], const uint32_t counter[4]);
+
+#define CHACHA20_ASM_SSSE3_4X
+OPENSSL_INLINE int ChaCha20_ctr32_ssse3_4x_capable(size_t len) {
+ int capable = len > 128 && CRYPTO_is_SSSE3_capable();
+ int faster = len > 192 || !CRYPTO_cpu_perf_is_like_silvermont();
+ return capable && faster;
+}
+void ChaCha20_ctr32_ssse3_4x(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint32_t key[8], const uint32_t counter[4]);
+
+#define CHACHA20_ASM_SSSE3
+OPENSSL_INLINE int ChaCha20_ctr32_ssse3_capable(size_t len) {
+ return len > 128 && CRYPTO_is_SSSE3_capable();
+}
+void ChaCha20_ctr32_ssse3(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint32_t key[8], const uint32_t counter[4]);
+#endif
-// ChaCha20_ctr32 encrypts |in_len| bytes from |in| and writes the result to
-// |out|. If |in| and |out| alias, they must be equal.
+#if defined(CHACHA20_ASM_NOHW)
+// ChaCha20_ctr32_nohw encrypts |in_len| bytes from |in| and writes the result
+// to |out|. If |in| and |out| alias, they must be equal. |in_len| may not be
+// zero.
 //
 // |counter[0]| is the initial 32-bit block counter, and the remainder is the
 // 96-bit nonce. If the counter overflows, the output is undefined. The function
 // will produce output, but the output may vary by machine and may not be
 // self-consistent. (On some architectures, the assembly implements a mix of
 // 64-bit and 32-bit counters.)
-void ChaCha20_ctr32(uint8_t *out, const uint8_t *in, size_t in_len,
- const uint32_t key[8], const uint32_t counter[4]);
+void ChaCha20_ctr32_nohw(uint8_t *out, const uint8_t *in, size_t in_len,
+ const uint32_t key[8], const uint32_t counter[4]);
 #endif
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c
index 9e9e07f2e..fbd4c9144 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c
@@ -126,16 +126,16 @@ extern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8],
 uint8_t in_out_poly[16]);
 // aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to
-// |in|. (The full value of |in_len| is still used to find the authentication
-// tag appended to the ciphertext, however, so must not be pre-masked.)
+// |in|. |in| and |out| may be equal, but must not otherwise alias.
 //
-// |in| and |out| may be equal, but must not otherwise overlap.
+// |in_out_calculated_tag_and_scratch|, on entry, must contain:
+// 1. The current value of the calculated tag, which will be updated during
+// decryption and written back to the beginning of this buffer on exit.
+// 2. The claimed tag, which is needed to derive counter values.
 //
-// While decrypting, it updates the POLYVAL value found at the beginning of
-// |in_out_calculated_tag_and_scratch| and writes the updated value back before
-// return. During executation, it may use the whole of this space for other
-// purposes. In order to decrypt and update the POLYVAL value, it uses the
-// expanded key from |key| and the table of powers in |htable|.
+// While decrypting, the whole of |in_out_calculated_tag_and_scratch| may be
+// used for other purposes. In order to decrypt and update the POLYVAL value, it
+// uses the expanded key from |key| and the table of powers in |htable|.
 extern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out,
 uint8_t in_out_calculated_tag_and_scratch[16 * 8],
 const uint8_t htable[16 * 6],
@@ -393,14 +393,10 @@ static int aead_aes_gcm_siv_asm_seal_scatter(
 return 1;
 }
-// TODO(martinkr): Add aead_aes_gcm_siv_asm_open_gather. N.B. aes128gcmsiv_dec
-// expects ciphertext and tag in a contiguous buffer.
-
-static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
- size_t *out_len, size_t max_out_len,
- const uint8_t *nonce, size_t nonce_len,
- const uint8_t *in, size_t in_len,
- const uint8_t *ad, size_t ad_len) {
+static int aead_aes_gcm_siv_asm_open_gather(
+ const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce,
+ size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag,
+ size_t in_tag_len, const uint8_t *ad, size_t ad_len) {
 const uint64_t ad_len_64 = ad_len;
 if (ad_len_64 >= (UINT64_C(1) << 61)) {
 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE);
@@ -408,8 +404,8 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
 }
 const uint64_t in_len_64 = in_len;
- if (in_len < EVP_AEAD_AES_GCM_SIV_TAG_LEN ||
- in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) {
+ if (in_len_64 > UINT64_C(1) << 36 ||
+ in_tag_len != EVP_AEAD_AES_GCM_SIV_TAG_LEN) {
 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
 return 0;
 }
@@ -420,13 +416,6 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
 }
 const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx = asm_ctx_from_ctx(ctx);
- const size_t plaintext_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN;
- const uint8_t *const given_tag = in + plaintext_len;
-
- if (max_out_len < plaintext_len) {
- OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL);
- return 0;
- }
 alignas(16) uint64_t record_auth_key[2];
 alignas(16) uint64_t record_enc_key[4];
@@ -459,27 +448,27 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
 alignas(16) uint8_t htable[16 * 6];
 aesgcmsiv_htable6_init(htable, (const uint8_t *)record_auth_key);
+ // aes[128|256]gcmsiv_dec needs access to the claimed tag. So it's put into
+ // its scratch space.
+ memcpy(calculated_tag + 16, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);
 if (gcm_siv_ctx->is_128_bit) {
- aes128gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key,
- plaintext_len);
+ aes128gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, in_len);
 } else {
- aes256gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key,
- plaintext_len);
+ aes256gcmsiv_dec(in, out, calculated_tag, htable, &expanded_key, in_len);
 }
- if (plaintext_len & 15) {
+ if (in_len & 15) {
 aead_aes_gcm_siv_asm_crypt_last_block(gcm_siv_ctx->is_128_bit, out, in,
- plaintext_len, given_tag,
- &expanded_key);
+ in_len, in_tag, &expanded_key);
 OPENSSL_memset(scratch, 0, sizeof(scratch));
- OPENSSL_memcpy(scratch, out + (plaintext_len & ~15), plaintext_len & 15);
+ OPENSSL_memcpy(scratch, out + (in_len & ~15), in_len & 15);
 aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key,
 scratch, 1);
 }
 uint8_t length_block[16];
 CRYPTO_store_u64_le(length_block, ad_len * 8);
- CRYPTO_store_u64_le(length_block + 8, plaintext_len * 8);
+ CRYPTO_store_u64_le(length_block + 8, in_len * 8);
 aesgcmsiv_polyval_horner(calculated_tag, (const uint8_t *)record_auth_key,
 length_block, 1);
@@ -495,13 +484,12 @@ static int aead_aes_gcm_siv_asm_open(const EVP_AEAD_CTX *ctx, uint8_t *out,
 aes256gcmsiv_ecb_enc_block(calculated_tag, calculated_tag, &expanded_key);
 }
- if (CRYPTO_memcmp(calculated_tag, given_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN) !=
+ if (CRYPTO_memcmp(calculated_tag, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN) !=
 0) {
 OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT);
 return 0;
 }
- *out_len = in_len - EVP_AEAD_AES_GCM_SIV_TAG_LEN;
 return 1;
 }
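Review bot: The new `memcpy(calculated_tag + 16, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);` is the only bare libc call in this function, which otherwise goes through the wrappers (`OPENSSL_memset` and `OPENSSL_memcpy` a few lines further down in the same hunk); for consistency it should read `OPENSSL_memcpy(calculated_tag + 16, in_tag, EVP_AEAD_AES_GCM_SIV_TAG_LEN);`. The two-line comment above it gives the motive but not the contract; since the `aes128gcmsiv_dec` declaration in this file now documents that the claimed tag lives in the scratch area and is used to derive counter values, I would say that here: `// aes[128|256]gcmsiv_dec expects the claimed tag at offset 16 of its scratch buffer and uses it to derive the counter values.` The declaration of `calculated_tag` (which must hold at least 32 bytes for this copy) and the start of `aead_aes_gcm_siv_asm_open_gather` are both outside this hunk.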
@@ -515,9 +503,9 @@ static const EVP_AEAD aead_aes_128_gcm_siv_asm = {
 aead_aes_gcm_siv_asm_init,
 NULL /* init_with_direction */,
 aead_aes_gcm_siv_asm_cleanup,
- aead_aes_gcm_siv_asm_open,
+ NULL /* open */,
 aead_aes_gcm_siv_asm_seal_scatter,
- NULL /* open_gather */,
+ aead_aes_gcm_siv_asm_open_gather,
 NULL /* get_iv */,
 NULL /* tag_len */,
 };
@@ -532,9 +520,9 @@ static const EVP_AEAD aead_aes_256_gcm_siv_asm = {
 aead_aes_gcm_siv_asm_init,
 NULL /* init_with_direction */,
 aead_aes_gcm_siv_asm_cleanup,
- aead_aes_gcm_siv_asm_open,
+ NULL /* open */,
 aead_aes_gcm_siv_asm_seal_scatter,
- NULL /* open_gather */,
+ aead_aes_gcm_siv_asm_open_gather,
 NULL /* get_iv */,
 NULL /* tag_len */,
 };
@@ -647,8 +635,8 @@ static void gcm_siv_polyval(
 }
 uint8_t length_block[16];
- CRYPTO_store_u64_le(length_block, ad_len * 8);
- CRYPTO_store_u64_le(length_block + 8, in_len * 8);
+ CRYPTO_store_u64_le(length_block, ((uint64_t) ad_len) * 8);
+ CRYPTO_store_u64_le(length_block + 8, ((uint64_t) in_len) * 8);
 CRYPTO_POLYVAL_update_blocks(&polyval_ctx, length_block,
 sizeof(length_block));
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_des.c b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_des.c
index 4791f384e..82d3419a2 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_des.c
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_des.c
@@ -58,6 +58,7 @@
 #include
 #include
+#include "../des/internal.h"
 #include "../fipsmodule/cipher/internal.h"
 #include "internal.h"
@@ -71,35 +72,27 @@ typedef struct {
 static int des_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 const uint8_t *iv, int enc) {
- DES_cblock *deskey = (DES_cblock *)key;
 EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;
-
- DES_set_key(deskey, &dat->ks.ks);
+ DES_set_key_ex(key, &dat->ks.ks);
 return 1;
 }
 static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 size_t in_len) {
 EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;
-
- DES_ncbc_encrypt(in, out, in_len, &dat->ks.ks, (DES_cblock *)ctx->iv,
- ctx->encrypt);
-
+ DES_ncbc_encrypt_ex(in, out, in_len, &dat->ks.ks, ctx->iv, ctx->encrypt);
 return 1;
 }
 static const EVP_CIPHER evp_des_cbc = {
- /* nid = */ NID_des_cbc,
- /* block_size = */ 8,
- /* key_len = */ 8,
- /* iv_len = */ 8,
- /* ctx_size = */ sizeof(EVP_DES_KEY),
- /* flags = */ EVP_CIPH_CBC_MODE,
- /* app_data = */ NULL,
- /* init = */ des_init_key,
- /* cipher = */ des_cbc_cipher,
- /* cleanup = */ NULL,
- /* ctrl = */ NULL,
+ .nid = NID_des_cbc,
+ .block_size = 8,
+ .key_len = 8,
+ .iv_len = 8,
+ .ctx_size = sizeof(EVP_DES_KEY),
+ .flags = EVP_CIPH_CBC_MODE,
+ .init = des_init_key,
+ .cipher = des_cbc_cipher,
 };
 const EVP_CIPHER *EVP_des_cbc(void) { return &evp_des_cbc; }
@@ -113,24 +106,20 @@ static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;
 for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) {
- DES_ecb_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i),
- &dat->ks.ks, ctx->encrypt);
+ DES_ecb_encrypt_ex(in + i, out + i, &dat->ks.ks, ctx->encrypt);
 }
 return 1;
 }
 static const EVP_CIPHER evp_des_ecb = {
- /* nid = */ NID_des_ecb,
- /* block_size = */ 8,
- /* key_len = */ 8,
- /* iv_len = */ 0,
- /* ctx_size = */ sizeof(EVP_DES_KEY),
- /* flags = */ EVP_CIPH_ECB_MODE,
- /* app_data = */ NULL,
- /* init = */ des_init_key,
- /* cipher = */ des_ecb_cipher,
- /* cleanup = */ NULL,
- /* ctrl = */ NULL,
+ .nid = NID_des_ecb,
+ .block_size = 8,
+ .key_len = 8,
+ .iv_len = 0,
+ .ctx_size = sizeof(EVP_DES_KEY),
+ .flags = EVP_CIPH_ECB_MODE,
+ .init = des_init_key,
+ .cipher = des_ecb_cipher,
 };
 const EVP_CIPHER *EVP_des_ecb(void) { return &evp_des_ecb; }
@@ -144,66 +133,53 @@ typedef struct {
 static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 const uint8_t *iv, int enc) {
- DES_cblock *deskey = (DES_cblock *)key;
 DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;
-
- DES_set_key(&deskey[0], &dat->ks.ks[0]);
- DES_set_key(&deskey[1], &dat->ks.ks[1]);
- DES_set_key(&deskey[2], &dat->ks.ks[2]);
-
+ DES_set_key_ex(key, &dat->ks.ks[0]);
+ DES_set_key_ex(key + 8, &dat->ks.ks[1]);
+ DES_set_key_ex(key + 16, &dat->ks.ks[2]);
 return 1;
 }
 static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 const uint8_t *in, size_t in_len) {
 DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;
-
- DES_ede3_cbc_encrypt(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],
- &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
-
+ DES_ede3_cbc_encrypt_ex(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],
+ &dat->ks.ks[2], ctx->iv, ctx->encrypt);
 return 1;
 }
 static const EVP_CIPHER evp_des_ede3_cbc = {
- /* nid = */ NID_des_ede3_cbc,
- /* block_size = */ 8,
- /* key_len = */ 24,
- /* iv_len = */ 8,
- /* ctx_size = */ sizeof(DES_EDE_KEY),
- /* flags = */ EVP_CIPH_CBC_MODE,
- /* app_data = */ NULL,
- /* init = */ des_ede3_init_key,
- /* cipher = */ des_ede3_cbc_cipher,
- /* cleanup = */ NULL,
- /* ctrl = */ NULL,
+ .nid = NID_des_ede3_cbc,
+ .block_size = 8,
+ .key_len = 24,
+ .iv_len = 8,
+ .ctx_size = sizeof(DES_EDE_KEY),
+ .flags = EVP_CIPH_CBC_MODE,
+ .init = des_ede3_init_key,
+ .cipher = des_ede3_cbc_cipher,
 };
 const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &evp_des_ede3_cbc; }
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 const uint8_t *iv, int enc) {
- DES_cblock *deskey = (DES_cblock *)key;
 DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;
-
- DES_set_key(&deskey[0], &dat->ks.ks[0]);
- DES_set_key(&deskey[1], &dat->ks.ks[1]);
- DES_set_key(&deskey[0], &dat->ks.ks[2]);
-
+ // 2-DES is 3-DES with the first key used twice.
+ DES_set_key_ex(key, &dat->ks.ks[0]);
+ DES_set_key_ex(key + 8, &dat->ks.ks[1]);
+ DES_set_key_ex(key, &dat->ks.ks[2]);
 return 1;
 }
 static const EVP_CIPHER evp_des_ede_cbc = {
- /* nid = */ NID_des_ede_cbc,
- /* block_size = */ 8,
- /* key_len = */ 16,
- /* iv_len = */ 8,
- /* ctx_size = */ sizeof(DES_EDE_KEY),
- /* flags = */ EVP_CIPH_CBC_MODE,
- /* app_data = */ NULL,
- /* init = */ des_ede_init_key,
- /* cipher = */ des_ede3_cbc_cipher,
- /* cleanup = */ NULL,
- /* ctrl = */ NULL,
+ .nid = NID_des_ede_cbc,
+ .block_size = 8,
+ .key_len = 16,
+ .iv_len = 8,
+ .ctx_size = sizeof(DES_EDE_KEY),
+ .flags = EVP_CIPH_CBC_MODE,
+ .init = des_ede_init_key,
+ .cipher = des_ede3_cbc_cipher,
 };
 const EVP_CIPHER *EVP_des_ede_cbc(void) { return &evp_des_ede_cbc; }
@@ -217,41 +193,34 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data;
 for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) {
- DES_ecb3_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i),
- &dat->ks.ks[0], &dat->ks.ks[1], &dat->ks.ks[2],
- ctx->encrypt);
+ DES_ecb3_encrypt_ex(in + i, out + i, &dat->ks.ks[0], &dat->ks.ks[1],
+ &dat->ks.ks[2], ctx->encrypt);
 }
 return 1;
 }
 static const EVP_CIPHER evp_des_ede = {
- /* nid = */ NID_des_ede_ecb,
- /* block_size = */ 8,
- /* key_len = */ 16,
- /* iv_len = */ 0,
- /* ctx_size = */ sizeof(DES_EDE_KEY),
- /* flags = */ EVP_CIPH_ECB_MODE,
- /* app_data = */ NULL,
- /* init = */ des_ede_init_key,
- /* cipher = */ des_ede_ecb_cipher,
- /* cleanup = */ NULL,
- /* ctrl = */ NULL,
+ .nid = NID_des_ede_ecb,
+ .block_size = 8,
+ .key_len = 16,
+ .iv_len = 0,
+ .ctx_size = sizeof(DES_EDE_KEY),
+ .flags = EVP_CIPH_ECB_MODE,
+ .init = des_ede_init_key,
+ .cipher = des_ede_ecb_cipher,
 };
 const EVP_CIPHER *EVP_des_ede(void) { return &evp_des_ede; }
 static const EVP_CIPHER evp_des_ede3 = {
- /* nid = */ NID_des_ede3_ecb,
- /* block_size = */ 8,
- /* key_len = */ 24,
- /* iv_len = */ 0,
- /* ctx_size = */ sizeof(DES_EDE_KEY),
- /* flags = */ EVP_CIPH_ECB_MODE,
- /* app_data = */ NULL,
- /* init = */ des_ede3_init_key,
- /* cipher = */ des_ede_ecb_cipher,
- /* cleanup = */ NULL,
- /* ctrl = */ NULL,
+ .nid = NID_des_ede3_ecb,
+ .block_size = 8,
+ .key_len = 24,
+ .iv_len = 0,
+ .ctx_size = sizeof(DES_EDE_KEY),
+ .flags = EVP_CIPH_ECB_MODE,
+ .init = des_ede3_init_key,
+ .cipher = des_ede_ecb_cipher,
 };
 const EVP_CIPHER *EVP_des_ede3(void) { return &evp_des_ede3; }
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_null.c b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_null.c
index 877f4232b..9912a593f 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_null.c
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_null.c
@@ -78,9 +78,13 @@ static int null_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 }
 static const EVP_CIPHER n_cipher = {
- NID_undef, 1 /* block size */, 0 /* key_len */, 0 /* iv_len */,
- 0 /* ctx_size */, 0 /* flags */, NULL /* app_data */, null_init_key,
- null_cipher, NULL /* cleanup */, NULL /* ctrl */,
+ .nid = NID_undef,
+ .block_size = 1,
+ .key_len = 0,
+ .iv_len = 0,
+ .ctx_size = 0,
+ .init = null_init_key,
+ .cipher = null_cipher,
 };
 const EVP_CIPHER *EVP_enc_null(void) { return &n_cipher; }
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc2.c b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc2.c
index 4e6111b54..5061b5ea3 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc2.c
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc2.c
@@ -427,37 +427,29 @@ static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) {
 }
 static const EVP_CIPHER rc2_40_cbc = {
- NID_rc2_40_cbc,
- 8 /* block size */,
- 5 /* 40 bit */,
- 8 /* iv len */,
- sizeof(EVP_RC2_KEY),
- EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
- NULL /* app_data */,
- rc2_init_key,
- rc2_cbc_cipher,
- NULL,
- rc2_ctrl,
+ .nid = NID_rc2_40_cbc,
+ .block_size = 8,
+ .key_len = 5 /* 40 bit */,
+ .iv_len = 8,
+ .ctx_size = sizeof(EVP_RC2_KEY),
+ .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+ .init = rc2_init_key,
+ .cipher = rc2_cbc_cipher,
+ .ctrl = rc2_ctrl,
 };
-const EVP_CIPHER *EVP_rc2_40_cbc(void) {
- return &rc2_40_cbc;
-}
+const EVP_CIPHER *EVP_rc2_40_cbc(void) { return &rc2_40_cbc; }
 static const EVP_CIPHER rc2_cbc = {
- NID_rc2_cbc,
- 8 /* block size */,
- 16 /* 128 bit */,
- 8 /* iv len */,
- sizeof(EVP_RC2_KEY),
- EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
- NULL /* app_data */,
- rc2_init_key,
- rc2_cbc_cipher,
- NULL,
- rc2_ctrl,
+ .nid = NID_rc2_cbc,
+ .block_size = 8,
+ .key_len = 16 /* 128 bit */,
+ .iv_len = 8,
+ .ctx_size = sizeof(EVP_RC2_KEY),
+ .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
+ .init = rc2_init_key,
+ .cipher = rc2_cbc_cipher,
+ .ctrl = rc2_ctrl,
 };
-const EVP_CIPHER *EVP_rc2_cbc(void) {
- return &rc2_cbc;
-}
+const EVP_CIPHER *EVP_rc2_cbc(void) { return &rc2_cbc; }
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc4.c b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc4.c
index 5d251e535..fe7eb96b4 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc4.c
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_rc4.c
@@ -81,9 +81,14 @@ static int rc4_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 }
 static const EVP_CIPHER rc4 = {
- NID_rc4, 1 /* block_size */, 16 /* key_size */,
- 0 /* iv_len */, sizeof(RC4_KEY), EVP_CIPH_VARIABLE_LENGTH,
- NULL /* app_data */, rc4_init_key, rc4_cipher,
- NULL /* cleanup */, NULL /* ctrl */, };
+ .nid = NID_rc4,
+ .block_size = 1,
+ .key_len = 16,
+ .iv_len = 0,
+ .ctx_size = sizeof(RC4_KEY),
+ .flags = EVP_CIPH_VARIABLE_LENGTH,
+ .init = rc4_init_key,
+ .cipher = rc4_cipher,
+};
 const EVP_CIPHER *EVP_rc4(void) { return &rc4; }
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_tls.c b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_tls.c
index 8382f18ba..1e0d5573e 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/e_tls.c
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/e_tls.c
@@ -442,6 +442,7 @@ static int aead_tls_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv,
 const AEAD_TLS_CTX *tls_ctx = (AEAD_TLS_CTX *)&ctx->state;
 const size_t iv_len = EVP_CIPHER_CTX_iv_length(&tls_ctx->cipher_ctx);
 if (iv_len <= 1) {
+ OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/internal.h b/Sources/CNIOBoringSSL/crypto/cipher_extra/internal.h
index b7463972d..2e36cdbc7 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/internal.h
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/internal.h
@@ -192,22 +192,65 @@ OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) {
 // Additional input parameters are passed in |aead_data->in|. On exit, it will
 // write calculated tag value to |aead_data->out.tag|, which the caller must
 // check.
+#if defined(OPENSSL_X86_64)
+extern void chacha20_poly1305_open_nohw(
+ uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,
+ const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);
+extern void chacha20_poly1305_open_avx2(
+ uint8_t *out_plaintext, const uint8_t *ciphertext, size_t plaintext_len,
+ const uint8_t *ad, size_t ad_len, union chacha20_poly1305_open_data *data);
+OPENSSL_INLINE void chacha20_poly1305_open(uint8_t *out_plaintext,
+ const uint8_t *ciphertext,
+ size_t plaintext_len, const uint8_t *ad,
+ size_t ad_len,
+ union chacha20_poly1305_open_data *data) {
+ if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
+ chacha20_poly1305_open_avx2(out_plaintext, ciphertext, plaintext_len, ad,
+ ad_len, data);
+ } else {
+ chacha20_poly1305_open_nohw(out_plaintext, ciphertext, plaintext_len, ad,
+ ad_len, data);
+ }
+}
+#else
 extern void chacha20_poly1305_open(uint8_t *out_plaintext,
 const uint8_t *ciphertext,
 size_t plaintext_len, const uint8_t *ad,
 size_t ad_len,
 union chacha20_poly1305_open_data *data);
+#endif
 // chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts
 // |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
 // Additional input parameters are passed in |aead_data->in|. The calculated tag
 // value is over the computed ciphertext concatenated with |extra_ciphertext|
 // and written to |aead_data->out.tag|.
+#if defined(OPENSSL_X86_64)
+extern void chacha20_poly1305_seal_nohw(
+ uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
+ const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);
+extern void chacha20_poly1305_seal_avx2(
+ uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
+ const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data);
+OPENSSL_INLINE void chacha20_poly1305_seal(
+ uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len,
+ const uint8_t *ad, size_t ad_len, union chacha20_poly1305_seal_data *data) {
+ if (CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable()) {
+ chacha20_poly1305_seal_avx2(out_ciphertext, plaintext, plaintext_len, ad,
+ ad_len, data);
+ } else {
+ chacha20_poly1305_seal_nohw(out_ciphertext, plaintext, plaintext_len, ad,
+ ad_len, data);
+ }
+}
+#else
 extern void chacha20_poly1305_seal(uint8_t *out_ciphertext,
 const uint8_t *plaintext,
 size_t plaintext_len, const uint8_t *ad,
 size_t ad_len,
 union chacha20_poly1305_seal_data *data);
+#endif
+
 #else
 OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) { return 0; }
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/tls_cbc.c b/Sources/CNIOBoringSSL/crypto/cipher_extra/tls_cbc.c
index e0735106d..d998a7f25 100644
--- a/Sources/CNIOBoringSSL/crypto/cipher_extra/tls_cbc.c
+++ b/Sources/CNIOBoringSSL/crypto/cipher_extra/tls_cbc.c
@@ -121,8 +121,8 @@ void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in,
 size_t mac_end = in_len;
 size_t mac_start = mac_end - md_size;
- assert(orig_len >= in_len);
- assert(in_len >= md_size);
+ declassify_assert(orig_len >= in_len);
+ declassify_assert(in_len >= md_size);
 assert(md_size <= EVP_MAX_MD_SIZE);
 assert(md_size > 0);
diff --git a/Sources/CNIOBoringSSL/crypto/conf/conf.c b/Sources/CNIOBoringSSL/crypto/conf/conf.c
index 9a5e5760c..701c87bb5 100644
--- a/Sources/CNIOBoringSSL/crypto/conf/conf.c
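Review bot: The context comment that the new `#endif` now sits directly above still opens with `chacha20_poly1305_open is defined in chacha20_poly1305_*.pl` while describing the seal routine, and after this hunk that statement is wrong on x86_64 for both names: `chacha20_poly1305_open` and `chacha20_poly1305_seal` are the inline dispatchers added here, and only the `_nohw`/`_avx2` externs come from the .pl file. I would rewrite that lead sentence as `// chacha20_poly1305_seal encrypts |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|. On x86_64 it dispatches to the chacha20_poly1305_seal_{nohw,avx2} assembly routines; elsewhere it is the assembly routine itself.` and mirror the wording on the open comment above. The dispatchers only choose between AVX2+BMI2 and `_nohw`, so presumably the caller has already passed `chacha20_poly1305_asm_capable()` (its body is above this hunk and not visible); a one-line `// Callers must have checked chacha20_poly1305_asm_capable() first.` on each inline function would make that precondition explicit.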
+++ b/Sources/CNIOBoringSSL/crypto/conf/conf.c
@@ -56,6 +56,7 @@
 #include
+#include
 #include
 #include
@@ -65,53 +66,55 @@ #include #include -#include "conf_def.h" #include "internal.h" #include "../internal.h" +struct conf_section_st { + char *name; + // values contains non-owning pointers to the values in the section. + STACK_OF(CONF_VALUE) *values; +}; + static const char kDefaultSectionName[] = "default"; +static uint32_t conf_section_hash(const CONF_SECTION *s) { + return OPENSSL_strhash(s->name); +} + +static int conf_section_cmp(const CONF_SECTION *a, const CONF_SECTION *b) { + return strcmp(a->name, b->name); +} + static uint32_t conf_value_hash(const CONF_VALUE *v) { - const uint32_t section_hash = v->section ? OPENSSL_strhash(v->section) : 0; - const uint32_t name_hash = v->name ? OPENSSL_strhash(v->name) : 0; + const uint32_t section_hash = OPENSSL_strhash(v->section); + const uint32_t name_hash = OPENSSL_strhash(v->name); return (section_hash << 2) ^ name_hash; } static int conf_value_cmp(const CONF_VALUE *a, const CONF_VALUE *b) { - int i; - - if (a->section != b->section) { - i = strcmp(a->section, b->section); - if (i) { - return i; - } + int cmp = strcmp(a->section, b->section); + if (cmp != 0) { + return cmp; } - if (a->name != NULL && b->name != NULL) { - return strcmp(a->name, b->name); - } else if (a->name == b->name) { - return 0; - } else { - return (a->name == NULL) ? -1 : 1; - } + return strcmp(a->name, b->name); } CONF *NCONF_new(void *method) { - CONF *conf; - if (method != NULL) { return NULL; } - conf = OPENSSL_malloc(sizeof(CONF)); + CONF *conf = OPENSSL_malloc(sizeof(CONF)); if (conf == NULL) { return NULL; } - conf->data = lh_CONF_VALUE_new(conf_value_hash, conf_value_cmp); - if (conf->data == NULL) { - OPENSSL_free(conf); + conf->sections = lh_CONF_SECTION_new(conf_section_hash, conf_section_cmp); + conf->values = lh_CONF_VALUE_new(conf_value_hash, conf_value_cmp); + if (conf->sections == NULL || conf->values == NULL) { + NCONF_free(conf); return NULL; } 
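Review bot: `conf_value_hash` and `conf_value_cmp` now dereference `v->section` and `v->name` unconditionally, which is only safe under the new invariant that every `CONF_VALUE` stored in `conf->values` has non-NULL `section` and `name` (sections now live in `conf->sections` as `CONF_SECTION` objects); that invariant should be stated next to the two functions, e.g. `// Every |CONF_VALUE| in |conf->values| has non-NULL |section| and |name|; section objects are kept separately in |conf->sections|.` Separately, the failure path in `NCONF_new` hands a partially initialised object (one of `sections`/`values` may be NULL) to `NCONF_free`, which calls `lh_CONF_SECTION_doall_arg`/`lh_CONF_VALUE_doall_arg` and the matching free on it; this relies on the lhash doall and free routines tolerating a NULL table, which is not visible in this diff and should be confirmed. `NCONF_new` continues past the hunk.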
@@ -120,69 +123,84 @@ CONF *NCONF_new(void *method) { CONF_VALUE *CONF_VALUE_new(void) { return OPENSSL_zalloc(sizeof(CONF_VALUE)); } -static void value_free_contents(CONF_VALUE *value) { - OPENSSL_free(value->section); - if (value->name) { - OPENSSL_free(value->name); - OPENSSL_free(value->value); - } else { - // TODO(davidben): When |value->name| is NULL, |CONF_VALUE| is actually an - // entirely different structure. This is fragile and confusing. Make a - // proper |CONF_SECTION| type that doesn't require this. - sk_CONF_VALUE_free((STACK_OF(CONF_VALUE) *)value->value); +static void value_free(CONF_VALUE *value) { + if (value == NULL) { + return; } + OPENSSL_free(value->section); + OPENSSL_free(value->name); + OPENSSL_free(value->value); + OPENSSL_free(value); } -static void value_free(CONF_VALUE *value) { - if (value != NULL) { - value_free_contents(value); - OPENSSL_free(value); +static void section_free(CONF_SECTION *section) { + if (section == NULL) { + return; } + OPENSSL_free(section->name); + sk_CONF_VALUE_free(section->values); + OPENSSL_free(section); } static void value_free_arg(CONF_VALUE *value, void *arg) { value_free(value); } +static void section_free_arg(CONF_SECTION *section, void *arg) { + section_free(section); +} + void NCONF_free(CONF *conf) { - if (conf == NULL || conf->data == NULL) { + if (conf == NULL) { return; } - lh_CONF_VALUE_doall_arg(conf->data, value_free_arg, NULL); - lh_CONF_VALUE_free(conf->data); + lh_CONF_SECTION_doall_arg(conf->sections, section_free_arg, NULL); + lh_CONF_SECTION_free(conf->sections); + lh_CONF_VALUE_doall_arg(conf->values, value_free_arg, NULL); + lh_CONF_VALUE_free(conf->values); OPENSSL_free(conf); } -static CONF_VALUE *NCONF_new_section(const CONF *conf, const char *section) { - STACK_OF(CONF_VALUE) *sk = NULL; - int ok = 0; - CONF_VALUE *v = NULL, *old_value; - - sk = sk_CONF_VALUE_new_null(); - v = CONF_VALUE_new(); - if (sk == NULL || v == NULL) { - goto err; +static CONF_SECTION 
*NCONF_new_section(const CONF *conf, const char *section) { + CONF_SECTION *s = OPENSSL_malloc(sizeof(CONF_SECTION)); + if (!s) { + return NULL; } - v->section = OPENSSL_strdup(section); - if (v->section == NULL) { + s->name = OPENSSL_strdup(section); + s->values = sk_CONF_VALUE_new_null(); + if (s->name == NULL || s->values == NULL) { goto err; } - v->name = NULL; - v->value = (char *)sk; - - if (!lh_CONF_VALUE_insert(conf->data, &old_value, v)) { + CONF_SECTION *old_section; + if (!lh_CONF_SECTION_insert(conf->sections, &old_section, s)) { goto err; } - value_free(old_value); - ok = 1; + section_free(old_section); + return s; err: - if (!ok) { - sk_CONF_VALUE_free(sk); - OPENSSL_free(v); - v = NULL; - } - return v; + section_free(s); + return NULL; +} + +static int is_comment(char c) { return c == '#'; } + +static int is_quote(char c) { return c == '"' || c == '\'' || c == '`'; } + +static int is_esc(char c) { return c == '\\'; } + +static int is_conf_ws(char c) { + // This differs from |OPENSSL_isspace| in that CONF does not accept '\v' and + // '\f' as whitespace. + return c == ' ' || c == '\t' || c == '\r' || c == '\n'; +} + +static int is_name_char(char c) { + // Alphanumeric characters, and a handful of symbols, may appear in value and + // section names without escaping. + return OPENSSL_isalnum(c) || c == '_' || c == '!' || c == '.' || c == '%' || + c == '&' || c == '*' || c == '+' || c == ',' || c == '/' || c == ';' || + c == '?' || c == '@' || c == '^' || c == '~' || c == '|' || c == '-'; } static int str_copy(CONF *conf, char *section, char **pto, char *from) { @@ -201,13 +219,13 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) { } for (;;) { - if (IS_QUOTE(conf, *from)) { + if (is_quote(*from)) { q = *from; from++; - while (!IS_EOF(conf, *from) && (*from != q)) { - if (IS_ESC(conf, *from)) { + while (*from != '\0' && *from != q) { + if (is_esc(*from)) { from++; - if (IS_EOF(conf, *from)) { + if (*from == '\0') { break; } } 
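Review bot: `NCONF_new_section` frees a replaced `old_section` together with its non-owning `values` stack, but the `CONF_VALUE`s that were registered under that section name stay in `conf->values`, so after a duplicate insert `NCONF_get_string` would still find entries that `NCONF_get_section` no longer lists. The only caller visible in this diff (`NCONF_load_bio`, further down) checks `get_section` first, so parsing cannot reach this, but a comment on the function would keep a future caller from tripping over it: `// Replaces any existing section of the same name. Values previously registered under that name remain in |conf->values| but are no longer listed by the section.` Also, `is_name_char` passes a plain `char` to `OPENSSL_isalnum`, so bytes with the high bit set arrive as negative values on signed-char platforms; that is harmless if, as I recall, BoringSSL's ctype helpers are range comparisons rather than table lookups, but the table-driven `CONF_type_default` being removed handled those bytes explicitly (as `CONF_HIGHBIT`), so a short note that non-ASCII bytes are intentionally never name characters would preserve that information.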
@@ -216,10 +234,10 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) { if (*from == q) { from++; } - } else if (IS_ESC(conf, *from)) { + } else if (is_esc(*from)) { from++; v = *(from++); - if (IS_EOF(conf, v)) { + if (v == '\0') { break; } else if (v == 'r') { v = '\r'; @@ -231,11 +249,13 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) { v = '\t'; } buf->data[to++] = v; - } else if (IS_EOF(conf, *from)) { + } else if (*from == '\0') { break; } else if (*from == '$') { // Historically, $foo would expand to a previously-parsed value. This - // feature has been removed as it was unused and is a DoS vector. + // feature has been removed as it was unused and is a DoS vector. If + // trying to embed '$' in a line, either escape it or wrap the value in + // quotes. OPENSSL_PUT_ERROR(CONF, CONF_R_VARIABLE_EXPANSION_NOT_SUPPORTED); goto err; } else { @@ -254,21 +274,20 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from) { return 0; } -static CONF_VALUE *get_section(const CONF *conf, const char *section) { - CONF_VALUE template; - +static CONF_SECTION *get_section(const CONF *conf, const char *section) { + CONF_SECTION template; OPENSSL_memset(&template, 0, sizeof(template)); - template.section = (char *) section; - return lh_CONF_VALUE_retrieve(conf->data, &template); + template.name = (char *) section; + return lh_CONF_SECTION_retrieve(conf->sections, &template); } const STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf, const char *section) { - const CONF_VALUE *section_value = get_section(conf, section); - if (section_value == NULL) { + const CONF_SECTION *section_obj = get_section(conf, section); + if (section_obj == NULL) { return NULL; } - return (STACK_OF(CONF_VALUE)*) section_value->value; + return section_obj->values; } const char *NCONF_get_string(const CONF *conf, const char *section, 
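Review bot: `get_section` builds its lookup key by zeroing a `CONF_SECTION` and setting only `name`, which is sound only because `conf_section_hash` and `conf_section_cmp` look at `name` alone; that dependency is not visible at this site. A comment such as `// Only |name| participates in |conf_section_hash| and |conf_section_cmp|, so a zeroed |values| is fine for the lookup key.` makes it explicit. The `(char *)section` cast discards const here for the same reason as the `(char *)section` / `(char *)name` casts in `NCONF_get_string` below: both rely on the retrieve path never writing through the key, which is worth saying once.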
@@ -280,66 +299,74 @@ const char *NCONF_get_string(const CONF *conf, const char *section, } OPENSSL_memset(&template, 0, sizeof(template)); - template.section = (char *) section; - template.name = (char *) name; - value = lh_CONF_VALUE_retrieve(conf->data, &template); + template.section = (char *)section; + template.name = (char *)name; + value = lh_CONF_VALUE_retrieve(conf->values, &template); if (value == NULL) { return NULL; } return value->value; } -static int add_string(const CONF *conf, CONF_VALUE *section, +static int add_string(const CONF *conf, CONF_SECTION *section, CONF_VALUE *value) { - STACK_OF(CONF_VALUE) *section_stack = (STACK_OF(CONF_VALUE)*) section->value; - CONF_VALUE *old_value; + value->section = OPENSSL_strdup(section->name); + if (value->section == NULL) { + return 0; + } - value->section = OPENSSL_strdup(section->section); - if (!sk_CONF_VALUE_push(section_stack, value)) { + if (!sk_CONF_VALUE_push(section->values, value)) { return 0; } - if (!lh_CONF_VALUE_insert(conf->data, &old_value, value)) { + CONF_VALUE *old_value; + if (!lh_CONF_VALUE_insert(conf->values, &old_value, value)) { + // Remove |value| from |section->values|, so we do not leave a dangling + // pointer. + sk_CONF_VALUE_pop(section->values); return 0; } if (old_value != NULL) { - (void)sk_CONF_VALUE_delete_ptr(section_stack, old_value); + (void)sk_CONF_VALUE_delete_ptr(section->values, old_value); value_free(old_value); } return 1; } -static char *eat_ws(CONF *conf, char *p) { - while (IS_WS(conf, *p) && !IS_EOF(conf, *p)) { +static char *eat_ws(char *p) { + while (*p != '\0' && is_conf_ws(*p)) { p++; } return p; } -#define scan_esc(conf, p) (((IS_EOF((conf), (p)[1])) ? ((p) + 1) : ((p) + 2))) +static char *scan_esc(char *p) { + assert(p[0] == '\\'); + return p[1] == '\0' ? 
p + 1 : p + 2; +} -static char *eat_alpha_numeric(CONF *conf, char *p) { +static char *eat_name(char *p) { for (;;) { - if (IS_ESC(conf, *p)) { - p = scan_esc(conf, p); + if (is_esc(*p)) { + p = scan_esc(p); continue; } - if (!IS_ALPHA_NUMERIC_PUNCT(conf, *p)) { + if (!is_name_char(*p)) { return p; } p++; } } -static char *scan_quote(CONF *conf, char *p) { +static char *scan_quote(char *p) { int q = *p; p++; - while (!IS_EOF(conf, *p) && *p != q) { - if (IS_ESC(conf, *p)) { + while (*p != '\0' && *p != q) { + if (is_esc(*p)) { p++; - if (IS_EOF(conf, *p)) { + if (*p == '\0') { return p; } } @@ -351,28 +378,28 @@ static char *scan_quote(CONF *conf, char *p) { return p; } -static void clear_comments(CONF *conf, char *p) { +static void clear_comments(char *p) { for (;;) { - if (!IS_WS(conf, *p)) { + if (!is_conf_ws(*p)) { break; } p++; } for (;;) { - if (IS_COMMENT(conf, *p)) { + if (is_comment(*p)) { *p = '\0'; return; } - if (IS_QUOTE(conf, *p)) { - p = scan_quote(conf, p); + if (is_quote(*p)) { + p = scan_quote(p); continue; } - if (IS_ESC(conf, *p)) { - p = scan_esc(conf, p); + if (is_esc(*p)) { + p = scan_esc(p); continue; } - if (IS_EOF(conf, *p)) { + if (*p == '\0') { return; } else { p++; @@ -388,8 +415,8 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) { int again; long eline = 0; char btmp[DECIMAL_SIZE(eline) + 1]; - CONF_VALUE *v = NULL, *tv; - CONF_VALUE *sv = NULL; + CONF_VALUE *v = NULL; + CONF_SECTION *sv = NULL; char *section = NULL, *buf; char *start, *psection, *pname; @@ -452,7 +479,7 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) { // If we have bytes and the last char '\\' and // second last char is not '\\' p = &(buff->data[bufnum - 1]); - if (IS_ESC(conf, p[0]) && ((bufnum <= 1) || !IS_ESC(conf, p[-1]))) { + if (is_esc(p[0]) && ((bufnum <= 1) || !is_esc(p[-1]))) { bufnum--; again = 1; } 
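Review bot: The three failure returns in `add_string` leave `value` in different states — after the `OPENSSL_strdup` failure `value->section` is NULL, after the push failure it is allocated but the value sits in no container, and after the lhash insert failure it has been popped back out — and in all three cases ownership of `value`, now including `value->section`, stays with the caller. That contract is what makes the caller's `value_free(v)` on its error path correct, so spell it out above the function: `// On failure |value| is not inserted anywhere and remains owned by the caller, including any |value->section| allocated here.` The `sk_CONF_VALUE_pop` after a failed `lh_CONF_VALUE_insert` removes the right element only because `sk_CONF_VALUE_push` appends and nothing touches `section->values` in between; a one-line comment to that effect would help. `scan_esc`'s `assert(p[0] == '\\')` is a good precondition; `scan_quote` assumes `is_quote(*p)` on entry and could document it the same way.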
@@ -463,20 +490,20 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) { bufnum = 0; buf = buff->data; - clear_comments(conf, buf); - s = eat_ws(conf, buf); - if (IS_EOF(conf, *s)) { + clear_comments(buf); + s = eat_ws(buf); + if (*s == '\0') { continue; // blank line } if (*s == '[') { char *ss; s++; - start = eat_ws(conf, s); + start = eat_ws(s); ss = start; again: - end = eat_alpha_numeric(conf, ss); - p = eat_ws(conf, end); + end = eat_name(ss); + p = eat_ws(end); if (*p != ']') { if (*p != '\0' && ss != p) { ss = p; @@ -500,27 +527,27 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) { } else { pname = s; psection = NULL; - end = eat_alpha_numeric(conf, s); + end = eat_name(s); if ((end[0] == ':') && (end[1] == ':')) { *end = '\0'; end += 2; psection = pname; pname = end; - end = eat_alpha_numeric(conf, end); + end = eat_name(end); } - p = eat_ws(conf, end); + p = eat_ws(end); if (*p != '=') { OPENSSL_PUT_ERROR(CONF, CONF_R_MISSING_EQUAL_SIGN); goto err; } *end = '\0'; p++; - start = eat_ws(conf, p); - while (!IS_EOF(conf, *p)) { + start = eat_ws(p); + while (*p != '\0') { p++; } p--; - while ((p != start) && (IS_WS(conf, *p))) { + while (p != start && is_conf_ws(*p)) { p--; } p++; @@ -540,6 +567,7 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) { goto err; } + CONF_SECTION *tv; if (strcmp(psection, section) != 0) { if ((tv = get_section(conf, psection)) == NULL) { tv = NCONF_new_section(conf, psection); @@ -569,12 +597,7 @@ int NCONF_load_bio(CONF *conf, BIO *in, long *out_error_line) { } snprintf(btmp, sizeof btmp, "%ld", eline); ERR_add_error_data(2, "line ", btmp); - - if (v != NULL) { - OPENSSL_free(v->name); - OPENSSL_free(v->value); - OPENSSL_free(v); - } + value_free(v); return 0; } diff --git a/Sources/CNIOBoringSSL/crypto/conf/conf_def.h b/Sources/CNIOBoringSSL/crypto/conf/conf_def.h deleted file mode 100644 index d2c285aef..000000000 --- a/Sources/CNIOBoringSSL/crypto/conf/conf_def.h +++ /dev/null 
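Review bot: Replacing the manual frees with `value_free(v)` in the error path now also releases `v->section`, which `add_string` allocates before it can fail, so this closes a leak the old code had; it is correct only if `v` is reset to NULL once `add_string` succeeds, because from then on `conf->values` owns the object. That assignment is outside the hunk (the body of `NCONF_load_bio` is only partially shown), so please confirm it is there. In the `@@ -540` hunk, `CONF_SECTION *tv;` is declared mid-block with its assignment a few lines later; initialising it at the declaration (`CONF_SECTION *tv = NULL;`) avoids a read-before-write if the surrounding control flow is later reshuffled.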
@@ -1,122 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -// This file was historically generated by keysets.pl in OpenSSL. -// -// TODO(davidben): Replace it with something more readable. 
- -#define CONF_NUMBER 1 -#define CONF_UPPER 2 -#define CONF_LOWER 4 -#define CONF_UNDER 256 -#define CONF_PUNCTUATION 512 -#define CONF_WS 16 -#define CONF_ESC 32 -#define CONF_QUOTE 64 -#define CONF_COMMENT 128 -#define CONF_EOF 8 -#define CONF_HIGHBIT 4096 -#define CONF_ALPHA (CONF_UPPER|CONF_LOWER) -#define CONF_ALPHA_NUMERIC (CONF_ALPHA|CONF_NUMBER|CONF_UNDER) -#define CONF_ALPHA_NUMERIC_PUNCT (CONF_ALPHA|CONF_NUMBER|CONF_UNDER| \ - CONF_PUNCTUATION) - -#define KEYTYPES(c) CONF_type_default -#define IS_COMMENT(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_COMMENT) -#define IS_EOF(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_EOF) -#define IS_ESC(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_ESC) -#define IS_NUMBER(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_NUMBER) -#define IS_WS(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_WS) -#define IS_ALPHA_NUMERIC(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC) -#define IS_ALPHA_NUMERIC_PUNCT(c,a) \ - (KEYTYPES(c)[(a)&0xff]&CONF_ALPHA_NUMERIC_PUNCT) -#define IS_QUOTE(c,a) (KEYTYPES(c)[(a)&0xff]&CONF_QUOTE) - -static const unsigned short CONF_type_default[256]={ - 0x0008,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000, - 0x0000,0x0010,0x0010,0x0000,0x0000,0x0010,0x0000,0x0000, - 0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000, - 0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000,0x0000, - 0x0010,0x0200,0x0040,0x0080,0x0000,0x0200,0x0200,0x0040, - 0x0000,0x0000,0x0200,0x0200,0x0200,0x0200,0x0200,0x0200, - 0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001,0x0001, - 0x0001,0x0001,0x0000,0x0200,0x0000,0x0000,0x0000,0x0200, - 0x0200,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002, - 0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002, - 0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002,0x0002, - 0x0002,0x0002,0x0002,0x0000,0x0020,0x0000,0x0200,0x0100, - 0x0040,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004, - 0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004, - 0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004,0x0004, - 
0x0004,0x0004,0x0004,0x0000,0x0200,0x0000,0x0200,0x0000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - 0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000,0x1000, - }; diff --git a/Sources/CNIOBoringSSL/crypto/conf/internal.h b/Sources/CNIOBoringSSL/crypto/conf/internal.h index 55135fbc8..274f78dfe 100644 --- a/Sources/CNIOBoringSSL/crypto/conf/internal.h +++ b/Sources/CNIOBoringSSL/crypto/conf/internal.h @@ -24,10 +24,14 @@ extern "C" { #endif +typedef struct conf_section_st CONF_SECTION; + +DEFINE_LHASH_OF(CONF_SECTION) DEFINE_LHASH_OF(CONF_VALUE) struct conf_st { - LHASH_OF(CONF_VALUE) *data; + LHASH_OF(CONF_VALUE) *values; + LHASH_OF(CONF_SECTION) *sections; }; // CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|. diff --git a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_apple.c b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_apple.c index 90a4b6a75..3e00d7757 100644 --- a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_apple.c +++ b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_apple.c 
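Review bot: The new `struct conf_st` fields are undocumented although their ownership is asymmetric — `values` owns every `CONF_VALUE`, while each `CONF_SECTION` in `sections` owns only its name and a stack of non-owning pointers into `values` (per the comment on `conf_section_st` in conf.c). Since `NCONF_free` depends on that split to avoid double frees, state it on the struct: `// |values| owns all |CONF_VALUE|s; |sections| owns the |CONF_SECTION|s, whose |values| stacks only point into |values|.` The `typedef struct conf_section_st CONF_SECTION;` line could also note that the struct itself is defined in conf.c.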
@@ -15,7 +15,7 @@
 #include "internal.h"
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_APPLE) && \
- !defined(OPENSSL_STATIC_ARMCAP)
+ !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)
 #include
 #include
diff --git a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_fuchsia.c b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_fuchsia.c
index 424ad6525..ce219dd23 100644
--- a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_fuchsia.c
+++ b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_fuchsia.c
@@ -15,7 +15,7 @@
 #include "internal.h"
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_FUCHSIA) && \
- !defined(OPENSSL_STATIC_ARMCAP)
+ !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)
 #include
 #include
diff --git a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_linux.c b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_linux.c
index 80f4ac09f..728684f46 100644
--- a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_linux.c
+++ b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_linux.c
@@ -15,7 +15,7 @@
 #include "internal.h"
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_LINUX) && \
- !defined(OPENSSL_STATIC_ARMCAP)
+ !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)
 #include
diff --git a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_openbsd.c b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_openbsd.c
index d6543a594..2a2692719 100644
--- a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_openbsd.c
+++ b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_openbsd.c
@@ -15,11 +15,11 @@
 #include
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_OPENBSD) && \
- !defined(OPENSSL_STATIC_ARMCAP)
+ !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)
-#include
-#include
 #include
+#include
+#include
 #include
@@ -27,7 +27,7 @@ void OPENSSL_cpuid_setup(void) {
- int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 };
+ int isar0_mib[] = {CTL_MACHDEP, CPU_ID_AA64ISAR0};
 uint64_t cpu_id = 0;
 size_t len = sizeof(cpu_id);
diff --git a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_sysreg.c b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_sysreg.c
index 4563a76f5..4572aa5e8 100644
--- a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_sysreg.c
+++ b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_sysreg.c
@@ -18,7 +18,8 @@
 // expects userspace to simply read them. It traps the reads and fills in CPU
 // capabilities.
 #if defined(OPENSSL_AARCH64) && !defined(OPENSSL_STATIC_ARMCAP) && \
- (defined(ANDROID_BAREMETAL) || defined(OPENSSL_FREEBSD))
+ (defined(ANDROID_BAREMETAL) || defined(OPENSSL_FREEBSD)) && \
+ !defined(OPENSSL_NO_ASM)
 #include
diff --git a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_win.c b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_win.c
index 30855ae4f..14d55d69e 100644
--- a/Sources/CNIOBoringSSL/crypto/cpu_aarch64_win.c
+++ b/Sources/CNIOBoringSSL/crypto/cpu_aarch64_win.c
@@ -16,7 +16,7 @@
 #include "internal.h"
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_WINDOWS) && \
- !defined(OPENSSL_STATIC_ARMCAP)
+ !defined(OPENSSL_STATIC_ARMCAP) && !defined(OPENSSL_NO_ASM)
 #include
diff --git a/Sources/CNIOBoringSSL/crypto/cpu_arm_linux.c b/Sources/CNIOBoringSSL/crypto/cpu_arm_linux.c
index 902b84370..5db4b9be2 100644
--- a/Sources/CNIOBoringSSL/crypto/cpu_arm_linux.c
+++ b/Sources/CNIOBoringSSL/crypto/cpu_arm_linux.c
@@ -143,6 +143,9 @@ void OPENSSL_cpuid_setup(void) {
 int CRYPTO_has_broken_NEON(void) { return 0; }
-int CRYPTO_needs_hwcap2_workaround(void) { return g_needs_hwcap2_workaround; }
+int CRYPTO_needs_hwcap2_workaround(void) {
+ OPENSSL_init_cpuid();
+ return g_needs_hwcap2_workaround;
+}
 #endif // OPENSSL_ARM && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP
diff --git a/Sources/CNIOBoringSSL/crypto/cpu_intel.c b/Sources/CNIOBoringSSL/crypto/cpu_intel.c
index f74ef4b29..17b5943aa 100644
--- a/Sources/CNIOBoringSSL/crypto/cpu_intel.c
+++ b/Sources/CNIOBoringSSL/crypto/cpu_intel.c
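Review bot: `CRYPTO_needs_hwcap2_workaround` now forces `OPENSSL_init_cpuid()` before reading `g_needs_hwcap2_workaround`, which is presumably set by `OPENSSL_cpuid_setup` and was previously guaranteed to be populated by the static initialiser that the crypto.c hunks later in this diff remove. A one-line comment makes that ordering requirement explicit for the next reader: `// |g_needs_hwcap2_workaround| is filled in by |OPENSSL_cpuid_setup|; ensure that has run before reading it.` `CRYPTO_has_broken_NEON` returns a constant and correctly needs no such call.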
@@ -173,20 +173,21 @@ void OPENSSL_cpuid_setup(void) {
 OPENSSL_cpuid(&eax, &ebx, &ecx, &edx, 1);
- if (is_amd) {
- // See https://www.amd.com/system/files/TechDocs/25481.pdf, page 10.
- const uint32_t base_family = (eax >> 8) & 15;
- const uint32_t base_model = (eax >> 4) & 15;
-
- uint32_t family = base_family;
- uint32_t model = base_model;
- if (base_family == 0xf) {
- const uint32_t ext_family = (eax >> 20) & 255;
- family += ext_family;
- const uint32_t ext_model = (eax >> 16) & 15;
- model |= ext_model << 4;
- }
+ const uint32_t base_family = (eax >> 8) & 15;
+ const uint32_t base_model = (eax >> 4) & 15;
+
+ uint32_t family = base_family;
+ uint32_t model = base_model;
+ if (base_family == 15) {
+ const uint32_t ext_family = (eax >> 20) & 255;
+ family += ext_family;
+ }
+ if (base_family == 6 || base_family == 15) {
+ const uint32_t ext_model = (eax >> 16) & 15;
+ model |= ext_model << 4;
+ }
+ if (is_amd) {
 if (family < 0x17 || (family == 0x17 && 0x70 <= model && model <= 0x7f)) {
 // Disable RDRAND on AMD families before 0x17 (Zen) due to reported
 // failures after suspend.
@@ -208,14 +209,6 @@ void OPENSSL_cpuid_setup(void) {
 // Reserved bit #30 is repurposed to signal an Intel CPU.
 if (is_intel) {
 edx |= (1u << 30);
-
- // Clear the XSAVE bit on Knights Landing to mimic Silvermont. This enables
- // some Silvermont-specific codepaths which perform better. See OpenSSL
- // commit 64d92d74985ebb3d0be58a9718f9e080a14a8e7f.
- if ((eax & 0x0fff0ff0) == 0x00050670 /* Knights Landing */ ||
- (eax & 0x0fff0ff0) == 0x00080650 /* Knights Mill (per SDE) */) {
- ecx &= ~(1u << 26);
- }
 } else {
 edx &= ~(1u << 30);
 }
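Review bot: The extended-model merge is now applied for every vendor whenever `base_family` is 6 or 15, whereas the removed AMD-only path (citing the 25481 document) applied it only for family 15. On AMD family-6 parts the extended-model field is presumably zero so `model` is unaffected, but the new code cites no source for the 6-or-15 rule, and the removed comment took the only reference with it; a line such as `// Per Intel's CPUID leaf 1 description, the extended model field is only meaningful when the base family is 6 or 15; AMD (doc 25481) defines it for family 15 only.` would record where both rules come from. The literal `15` also sits next to `0x17`/`0x70`/`0x7f` on the following lines, so `0xf` (as in the removed code) would be the consistent spelling. `OPENSSL_cpuid_setup` continues past the hunk.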
@@ -235,24 +228,67 @@ void OPENSSL_cpuid_setup(void) { ecx &= ~(1u << 28); // AVX ecx &= ~(1u << 12); // FMA ecx &= ~(1u << 11); // AMD XOP - // Clear AVX2 and AVX512* bits. - // - // TODO(davidben): Should bits 17 and 26-28 also be cleared? Upstream - // doesn't clear those. - extended_features[0] &= - ~((1u << 5) | (1u << 16) | (1u << 21) | (1u << 30) | (1u << 31)); + extended_features[0] &= ~(1u << 5); // AVX2 + extended_features[1] &= ~(1u << 9); // VAES + extended_features[1] &= ~(1u << 10); // VPCLMULQDQ } - // See Intel manual, volume 1, section 15.2. + // See Intel manual, volume 1, sections 15.2 ("Detection of AVX-512 Foundation + // Instructions") through 15.4 ("Detection of Intel AVX-512 Instruction Groups + // Operating at 256 and 128-bit Vector Lengths"). if ((xcr0 & 0xe6) != 0xe6) { - // Clear AVX512F. Note we don't touch other AVX512 extensions because they - // can be used with YMM. - extended_features[0] &= ~(1u << 16); + // Without XCR0.111xx11x, no AVX512 feature can be used. This includes ZMM + // registers, masking, SIMD registers 16-31 (even if accessed as YMM or + // XMM), and EVEX-coded instructions (even on YMM or XMM). Even if only + // XCR0.ZMM_Hi256 is missing, it isn't valid to use AVX512 features on + // shorter vectors, since AVX512 ties everything to the availability of + // 512-bit vectors. See the above-mentioned sections of the Intel manual, + // which say that *all* these XCR0 bits must be checked even when just using + // 128-bit or 256-bit vectors, and also volume 2a section 2.7.11 ("#UD + // Equations for EVEX") which says that all EVEX-coded instructions raise an + // undefined-instruction exception if any of these XCR0 bits is zero. + // + // AVX10 fixes this by reorganizing the features that used to be part of + // "AVX512" and allowing them to be used independently of 512-bit support. + // TODO: add AVX10 detection. 
+ extended_features[0] &= ~(1u << 16); // AVX512F + extended_features[0] &= ~(1u << 17); // AVX512DQ + extended_features[0] &= ~(1u << 21); // AVX512IFMA + extended_features[0] &= ~(1u << 26); // AVX512PF + extended_features[0] &= ~(1u << 27); // AVX512ER + extended_features[0] &= ~(1u << 28); // AVX512CD + extended_features[0] &= ~(1u << 30); // AVX512BW + extended_features[0] &= ~(1u << 31); // AVX512VL + extended_features[1] &= ~(1u << 1); // AVX512VBMI + extended_features[1] &= ~(1u << 6); // AVX512VBMI2 + extended_features[1] &= ~(1u << 11); // AVX512VNNI + extended_features[1] &= ~(1u << 12); // AVX512BITALG + extended_features[1] &= ~(1u << 14); // AVX512VPOPCNTDQ } - // Disable ADX instructions on Knights Landing. See OpenSSL commit - // 64d92d74985ebb3d0be58a9718f9e080a14a8e7f. - if ((ecx & (1u << 26)) == 0) { - extended_features[0] &= ~(1u << 19); + // Repurpose the bit for the removed MPX feature to indicate when using zmm + // registers should be avoided even when they are supported. (When set, AVX512 + // features can still be used, but only using ymm or xmm registers.) Skylake + // suffered from severe downclocking when zmm registers were used, which + // affected unrelated code running on the system, making zmm registers not too + // useful outside of benchmarks. The situation improved significantly by Ice + // Lake, but a small amount of downclocking remained. (See + // https://lore.kernel.org/linux-crypto/e8ce1146-3952-6977-1d0e-a22758e58914@intel.com/) + // We take a conservative approach of not allowing zmm registers until after + // Ice Lake and Tiger Lake, i.e. until Sapphire Rapids on the server side. + // + // AMD CPUs, which support AVX512 starting with Zen 4, have not been reported + // to have any downclocking problem when zmm registers are used. 
+ if (is_intel && family == 6 && + (model == 85 || // Skylake, Cascade Lake, Cooper Lake (server) + model == 106 || // Ice Lake (server) + model == 108 || // Ice Lake (micro server) + model == 125 || // Ice Lake (client) + model == 126 || // Ice Lake (mobile) + model == 140 || // Tiger Lake (mobile) + model == 141)) { // Tiger Lake (client) + extended_features[0] |= 1u << 14; + } else { + extended_features[0] &= ~(1u << 14); } OPENSSL_ia32cap_P[0] = edx; diff --git a/Sources/CNIOBoringSSL/crypto/crypto.c b/Sources/CNIOBoringSSL/crypto/crypto.c index a50438c8f..4d8b859b8 100644 --- a/Sources/CNIOBoringSSL/crypto/crypto.c +++ b/Sources/CNIOBoringSSL/crypto/crypto.c @@ -15,32 +15,16 @@ #include #include +#include -#include "fipsmodule/rand/fork_detect.h" #include "fipsmodule/rand/internal.h" +#include "bcm_support.h" #include "internal.h" static_assert(sizeof(ossl_ssize_t) == sizeof(size_t), "ossl_ssize_t should be the same size as size_t"); -#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_STATIC_ARMCAP) && \ - (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \ - defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) -// x86, x86_64, and the ARMs need to record the result of a cpuid/getauxval call -// for the asm to work correctly, unless compiled without asm code. -#define NEED_CPUID - -#else - -// Otherwise, don't emit a static initialiser. - -#if !defined(BORINGSSL_NO_STATIC_INITIALIZER) -#define BORINGSSL_NO_STATIC_INITIALIZER -#endif - -#endif // !NO_ASM && !STATIC_ARMCAP && (X86 || X86_64 || ARM || AARCH64) - // Our assembly does not use the GOT to reference symbols, which means // references to visible symbols will often require a TEXTREL. This is @@ -79,7 +63,7 @@ HIDDEN uint8_t BORINGSSL_function_hit[7] = {0}; HIDDEN uint32_t OPENSSL_ia32cap_P[4] = {0}; uint32_t OPENSSL_get_ia32cap(int idx) { - CRYPTO_library_init(); + OPENSSL_init_cpuid(); return OPENSSL_ia32cap_P[idx]; } 
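Review bot: The repurposed extended-feature bit 14 (formerly MPX) is set for the listed Intel models regardless of whether the AVX512 bits survived the `xcr0` check just above, so consumers must test AVX512F (bit 16) and this hint together; that is implicit here and deserves a sentence in the long comment, and the new meaning of bit 14 should also be recorded wherever the `OPENSSL_ia32cap_P` bit layout is documented for the assembly, which is not in this diff. The model numbers are written in decimal (`85`, `106`, `108`, ...) while the rest of this function uses hex for CPUID-derived values; `0x55`, `0x6a`, `0x6c` and so on would match the function's own style and how these models are usually listed. `OPENSSL_cpuid_setup` continues past the hunk.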
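Review bot: The crypto.c `@@ -15` hunk removes the block that defined `NEED_CPUID` (and set `BORINGSSL_NO_STATIC_INITIALIZER`), yet the `@@ -121` hunk further down still guards `OPENSSL_init_cpuid` with `#if defined(NEED_CPUID)`. Presumably the definition moved to a header — internal.h or the `bcm_support.h` newly included here — but that is not visible in this diff; if it did not, `OPENSSL_init_cpuid` has no definition on x86/ARM and lazy CPU-feature detection never runs. A comment next to the remaining `#if defined(NEED_CPUID)` naming where the macro now lives would make this easy to verify.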
@@ -121,60 +105,24 @@ HIDDEN uint32_t OPENSSL_armcap_P = HIDDEN uint32_t OPENSSL_armcap_P = 0; uint32_t *OPENSSL_get_armcap_pointer_for_test(void) { - CRYPTO_library_init(); + OPENSSL_init_cpuid(); return &OPENSSL_armcap_P; } #endif uint32_t OPENSSL_get_armcap(void) { - CRYPTO_library_init(); + OPENSSL_init_cpuid(); return OPENSSL_armcap_P; } #endif -#if defined(BORINGSSL_FIPS) -// In FIPS mode, the power-on self-test function calls |CRYPTO_library_init| -// because we have to ensure that CPUID detection occurs first. -#define BORINGSSL_NO_STATIC_INITIALIZER -#endif - -#if defined(OPENSSL_WINDOWS) && !defined(BORINGSSL_NO_STATIC_INITIALIZER) -#define OPENSSL_CDECL __cdecl -#else -#define OPENSSL_CDECL -#endif - -#if defined(BORINGSSL_NO_STATIC_INITIALIZER) -static CRYPTO_once_t once = CRYPTO_ONCE_INIT; -#elif defined(_MSC_VER) -#pragma section(".CRT$XCU", read) -static void __cdecl do_library_init(void); -__declspec(allocate(".CRT$XCU")) void(*library_init_constructor)(void) = - do_library_init; -#else -static void do_library_init(void) __attribute__ ((constructor)); -#endif - -// do_library_init is the actual initialization function. If -// BORINGSSL_NO_STATIC_INITIALIZER isn't defined, this is set as a static -// initializer. Otherwise, it is called by CRYPTO_library_init. -static void OPENSSL_CDECL do_library_init(void) { - // WARNING: this function may only configure the capability variables. See the - // note above about the linker bug. #if defined(NEED_CPUID) - OPENSSL_cpuid_setup(); +static CRYPTO_once_t once = CRYPTO_ONCE_INIT; +void OPENSSL_init_cpuid(void) { CRYPTO_once(&once, OPENSSL_cpuid_setup); } #endif -} -void CRYPTO_library_init(void) { - // TODO(davidben): It would be tidier if this build knob could be replaced - // with an internal lazy-init mechanism that would handle things correctly - // in-library. 
https://crbug.com/542879 -#if defined(BORINGSSL_NO_STATIC_INITIALIZER) - CRYPTO_once(&once, do_library_init); -#endif -} +void CRYPTO_library_init(void) {} int CRYPTO_is_confidential_build(void) { #if defined(BORINGSSL_CONFIDENTIAL) @@ -194,7 +142,7 @@ int CRYPTO_has_asm(void) { void CRYPTO_pre_sandbox_init(void) { // Read from /proc/cpuinfo if needed. - CRYPTO_library_init(); + OPENSSL_init_cpuid(); // Open /dev/urandom if needed. CRYPTO_init_sysrand(); // Set up MADV_WIPEONFORK state if needed. @@ -235,8 +183,9 @@ int ENGINE_register_all_complete(void) { return 1; } void OPENSSL_load_builtin_modules(void) {} int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) { - CRYPTO_library_init(); return 1; } void OPENSSL_cleanup(void) {} + +FILE *CRYPTO_get_stderr(void) { return stderr; } diff --git a/Sources/CNIOBoringSSL/crypto/curve25519/curve25519.c b/Sources/CNIOBoringSSL/crypto/curve25519/curve25519.c index efd573d5c..265a926e9 100644 --- a/Sources/CNIOBoringSSL/crypto/curve25519/curve25519.c +++ b/Sources/CNIOBoringSSL/crypto/curve25519/curve25519.c @@ -81,7 +81,7 @@ typedef uint64_t fe_limb_t; #define assert_fe(f) \ do { \ for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \ - assert(f[_assert_fe_i] <= UINT64_C(0x8cccccccccccc)); \ + declassify_assert(f[_assert_fe_i] <= UINT64_C(0x8cccccccccccc)); \ } \ } while (0) @@ -98,7 +98,7 @@ typedef uint64_t fe_limb_t; #define assert_fe_loose(f) \ do { \ for (unsigned _assert_fe_i = 0; _assert_fe_i < 5; _assert_fe_i++) { \ - assert(f[_assert_fe_i] <= UINT64_C(0x1a666666666664)); \ + declassify_assert(f[_assert_fe_i] <= UINT64_C(0x1a666666666664)); \ } \ } while (0) 
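Review bot: `void CRYPTO_library_init(void) {}` loses the explanatory comment the removed version carried, so a reader of the new file cannot tell whether this is a retired entry point kept for compatibility or something that still has to be called; suggest `// CRYPTO_library_init is a no-op retained for API compatibility. CPU capability detection now happens lazily via |OPENSSL_init_cpuid|.` above it. Separately, `OPENSSL_init_cpuid` is only defined under the `#if defined(NEED_CPUID)` context lines, while the `-15,32` hunk earlier in this file removes the block that used to define `NEED_CPUID` here; presumably `bcm_support.h` now defines both the macro and a no-op fallback, which is worth confirming since `CRYPTO_pre_sandbox_init` and the `OPENSSL_get_*cap` accessors call it unconditionally.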
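Review bot: `FILE *CRYPTO_get_stderr(void) { return stderr; }` is added without a comment, and nothing in this file says who calls a trivial accessor for `stderr` or why one is needed. It is presumably a support hook that lets the FIPS module reach `stderr` through the `bcm_support.h` boundary instead of touching a libc global directly; if so, `// CRYPTO_get_stderr returns |stderr|. It exists so the FIPS module can obtain it through a support function rather than a libc global.` would record that. The same hunk drops the `CRYPTO_library_init()` call from `OPENSSL_init_crypto`, which is consistent with that function now being a no-op, but is also worth a word in the commit message since callers that relied on it for CPUID setup now depend on the lazy path.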
@@ -120,8 +120,8 @@ typedef uint32_t fe_limb_t; #define assert_fe(f) \ do { \ for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \ - assert(f[_assert_fe_i] <= \ - ((_assert_fe_i & 1) ? 0x2333333u : 0x4666666u)); \ + declassify_assert(f[_assert_fe_i] <= \ + ((_assert_fe_i & 1) ? 0x2333333u : 0x4666666u)); \ } \ } while (0) @@ -138,8 +138,8 @@ typedef uint32_t fe_limb_t; #define assert_fe_loose(f) \ do { \ for (unsigned _assert_fe_i = 0; _assert_fe_i < 10; _assert_fe_i++) { \ - assert(f[_assert_fe_i] <= \ - ((_assert_fe_i & 1) ? 0x6999999u : 0xd333332u)); \ + declassify_assert(f[_assert_fe_i] <= \ + ((_assert_fe_i & 1) ? 0x6999999u : 0xd333332u)); \ } \ } while (0) @@ -150,7 +150,7 @@ static_assert(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS, static void fe_frombytes_strict(fe *h, const uint8_t s[32]) { // |fiat_25519_from_bytes| requires the top-most bit be clear. - assert((s[31] & 0x80) == 0); + declassify_assert((s[31] & 0x80) == 0); fiat_25519_from_bytes(h->v, s); assert_fe(h->v); } @@ -1906,6 +1906,8 @@ int ED25519_sign(uint8_t out_sig[64], const uint8_t *message, x25519_sc_reduce(hram); sc_muladd(out_sig + 32, hram, az, nonce); + // The signature is computed from the private key, but is public. + CONSTTIME_DECLASSIFY(out_sig, 64); return 1; } @@ -1983,6 +1985,8 @@ void ED25519_keypair_from_seed(uint8_t out_public_key[32], ge_p3 A; x25519_ge_scalarmult_base(&A, az); ge_p3_tobytes(out_public_key, &A); + // The public key is derived from the private key, but it is public. + CONSTTIME_DECLASSIFY(out_public_key, 32); OPENSSL_memcpy(out_private_key, seed, 32); OPENSSL_memcpy(out_private_key + 32, out_public_key, 32); diff --git a/Sources/CNIOBoringSSL/crypto/curve25519/internal.h b/Sources/CNIOBoringSSL/crypto/curve25519/internal.h index c20cdbaee..b58539f9c 100644 --- a/Sources/CNIOBoringSSL/crypto/curve25519/internal.h +++ b/Sources/CNIOBoringSSL/crypto/curve25519/internal.h 
@@ -32,7 +32,7 @@ void x25519_NEON(uint8_t out[32], const uint8_t scalar[32], #endif #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \ - defined(__GNUC__) && defined(__x86_64__) + defined(__GNUC__) && defined(__x86_64__) && !defined(OPENSSL_WINDOWS) #define BORINGSSL_FE25519_ADX // fiat_curve25519_adx_mul is defined in diff --git a/Sources/CNIOBoringSSL/crypto/des/des.c b/Sources/CNIOBoringSSL/crypto/des/des.c index 748d96dcf..85a2488ca 100644 --- a/Sources/CNIOBoringSSL/crypto/des/des.c +++ b/Sources/CNIOBoringSSL/crypto/des/des.c 
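Review bot: The added `&& !defined(OPENSSL_WINDOWS)` condition carries no comment, so the next reader cannot tell why the ADX path is disabled on Windows x86-64 even when compiling with GCC or Clang. Presumably the fiat ADX assembly assumes the SysV AMD64 calling convention, which the Windows ABI does not follow; a one-line comment above the `#if`, such as `// The ADX assembly assumes the SysV AMD64 calling convention, so it is not used on Windows.`, would record the reason — adjust the wording if the actual cause differs.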
@@ -61,6 +61,91 @@ #include "internal.h" +/* IP and FP + * The problem is more of a geometric problem that random bit fiddling. + 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6 + 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4 +16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2 +24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0 + +32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7 +40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5 +48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3 +56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1 + +The output has been subject to swaps of the form +0 1 -> 3 1 but the odd and even bits have been put into +2 3 2 0 +different words. The main trick is to remember that +t=((l>>size)^r)&(mask); +r^=t; +l^=(t<> (n)) ^ (b)) & (m)); \ + (b) ^= (t); \ + (a) ^= ((t) << (n)); \ + } while (0) + +#define IP(l, r) \ + do { \ + uint32_t tt; \ + PERM_OP(r, l, tt, 4, 0x0f0f0f0fL); \ + PERM_OP(l, r, tt, 16, 0x0000ffffL); \ + PERM_OP(r, l, tt, 2, 0x33333333L); \ + PERM_OP(l, r, tt, 8, 0x00ff00ffL); \ + PERM_OP(r, l, tt, 1, 0x55555555L); \ + } while (0) + +#define FP(l, r) \ + do { \ + uint32_t tt; \ + PERM_OP(l, r, tt, 1, 0x55555555L); \ + PERM_OP(r, l, tt, 8, 0x00ff00ffL); \ + PERM_OP(l, r, tt, 2, 0x33333333L); \ + PERM_OP(r, l, tt, 16, 0x0000ffffL); \ + PERM_OP(l, r, tt, 4, 0x0f0f0f0fL); \ + } while (0) + +#define LOAD_DATA(ks, R, S, u, t, E0, E1) \ + do { \ + (u) = (R) ^ (ks)->subkeys[S][0]; \ + (t) = (R) ^ (ks)->subkeys[S][1]; \ + } while (0) + +#define D_ENCRYPT(ks, LL, R, S) \ + do { \ + LOAD_DATA(ks, R, S, u, t, E0, E1); \ + t = CRYPTO_rotr_u32(t, 4); \ + (LL) ^= \ + DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \ + DES_SPtrans[4][(u >> 18L) & 0x3f] ^ \ + DES_SPtrans[6][(u >> 26L) & 0x3f] ^ DES_SPtrans[1][(t >> 2L) & 0x3f] ^ \ + DES_SPtrans[3][(t >> 10L) & 0x3f] ^ \ + DES_SPtrans[5][(t >> 18L) & 0x3f] ^ DES_SPtrans[7][(t >> 26L) & 0x3f]; \ + } while (0) + +#define ITERATIONS 16 +#define HALF_ITERATIONS 8 + static const uint32_t des_skb[8][64] = { { 
// for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 0x00000000, 0x00000010, 0x20000000, 0x20000010, 0x00010000, @@ -294,13 +379,17 @@ static const uint32_t DES_SPtrans[8][64] = { (a) = (a) ^ (t) ^ ((t) >> (16 - (n)))) void DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) { + DES_set_key_ex(key->bytes, schedule); +} + +void DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule) { static const int shifts2[16] = {0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0}; uint32_t c, d, t, s, t2; const uint8_t *in; int i; - in = key->bytes; + in = key; c2l(in, c); c2l(in, d); @@ -378,7 +467,8 @@ void DES_set_odd_parity(DES_cblock *key) { } } -static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) { +static void DES_encrypt1(uint32_t data[2], const DES_key_schedule *ks, + int enc) { uint32_t l, r, t, u; r = data[0]; @@ -442,7 +532,8 @@ static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) { data[1] = r; } -static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) { +static void DES_encrypt2(uint32_t data[2], const DES_key_schedule *ks, + int enc) { uint32_t l, r, t, u; r = data[0]; @@ -499,7 +590,7 @@ static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) { data[1] = CRYPTO_rotr_u32(r, 3); } -void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, +void DES_encrypt3(uint32_t data[2], const DES_key_schedule *ks1, const DES_key_schedule *ks2, const DES_key_schedule *ks3) { uint32_t l, r; @@ -508,9 +599,9 @@ void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, IP(l, r); data[0] = l; data[1] = r; - DES_encrypt2((uint32_t *)data, ks1, DES_ENCRYPT); - DES_encrypt2((uint32_t *)data, ks2, DES_DECRYPT); - DES_encrypt2((uint32_t *)data, ks3, DES_ENCRYPT); + DES_encrypt2(data, ks1, DES_ENCRYPT); + DES_encrypt2(data, ks2, DES_DECRYPT); + DES_encrypt2(data, ks3, DES_ENCRYPT); l = data[0]; r = data[1]; FP(r, l); 
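Review bot: The `D_ENCRYPT(ks, LL, R, S)` macro silently relies on locals named `u` and `t` existing in the caller (it hands them to `LOAD_DATA` and then reads them), and `LOAD_DATA` takes `E0`/`E1` parameters it never uses. Since the commit is already moving these macros from the header into des.c, it is a good moment to document the contract, e.g. `// D_ENCRYPT requires uint32_t locals |u| and |t| in the enclosing scope.` above its definition, and to drop the unused `E0, E1` parameters if no remaining caller depends on them. The hunk only covers the macro preamble; `des_skb` and the functions that use these macros continue outside it.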
@@ -518,7 +609,7 @@ void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, data[1] = r; } -void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1, +void DES_decrypt3(uint32_t data[2], const DES_key_schedule *ks1, const DES_key_schedule *ks2, const DES_key_schedule *ks3) { uint32_t l, r; @@ -527,9 +618,9 @@ void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1, IP(l, r); data[0] = l; data[1] = r; - DES_encrypt2((uint32_t *)data, ks3, DES_DECRYPT); - DES_encrypt2((uint32_t *)data, ks2, DES_ENCRYPT); - DES_encrypt2((uint32_t *)data, ks1, DES_DECRYPT); + DES_encrypt2(data, ks3, DES_DECRYPT); + DES_encrypt2(data, ks2, DES_ENCRYPT); + DES_encrypt2(data, ks1, DES_DECRYPT); l = data[0]; r = data[1]; FP(r, l); 
@@ -539,32 +630,34 @@ void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1, void DES_ecb_encrypt(const DES_cblock *in_block, DES_cblock *out_block, const DES_key_schedule *schedule, int is_encrypt) { - uint32_t l; - uint32_t ll[2]; - const uint8_t *in = in_block->bytes; - uint8_t *out = out_block->bytes; + DES_ecb_encrypt_ex(in_block->bytes, out_block->bytes, schedule, is_encrypt); +} - c2l(in, l); - ll[0] = l; - c2l(in, l); - ll[1] = l; +void DES_ecb_encrypt_ex(const uint8_t in[8], uint8_t out[8], + const DES_key_schedule *schedule, int is_encrypt) { + uint32_t ll[2]; + ll[0] = CRYPTO_load_u32_le(in); + ll[1] = CRYPTO_load_u32_le(in + 4); DES_encrypt1(ll, schedule, is_encrypt); - l = ll[0]; - l2c(l, out); - l = ll[1]; - l2c(l, out); - ll[0] = ll[1] = 0; + CRYPTO_store_u32_le(out, ll[0]); + CRYPTO_store_u32_le(out + 4, ll[1]); } void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *schedule, DES_cblock *ivec, int enc) { + DES_ncbc_encrypt_ex(in, out, len, schedule, ivec->bytes, enc); +} + +void DES_ncbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *schedule, uint8_t ivec[8], + int enc) { uint32_t tin0, tin1; uint32_t tout0, tout1, xor0, xor1; uint32_t tin[2]; unsigned char *iv; - iv = ivec->bytes; + iv = ivec; if (enc) { c2l(iv, tout0); @@ -576,7 +669,7 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin1 ^= tout1; tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_ENCRYPT); + DES_encrypt1(tin, schedule, DES_ENCRYPT); tout0 = tin[0]; l2c(tout0, out); tout1 = tin[1]; @@ -588,13 +681,13 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin1 ^= tout1; tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_ENCRYPT); + DES_encrypt1(tin, schedule, DES_ENCRYPT); tout0 = tin[0]; l2c(tout0, out); tout1 = tin[1]; l2c(tout1, out); } - iv = ivec->bytes; + iv = ivec; l2c(tout0, iv); l2c(tout1, iv); } else { 
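Review bot: `DES_ecb_encrypt_ex` drops the `ll[0] = ll[1] = 0;` clearing of the stack temporary that the old `DES_ecb_encrypt` performed after writing the output. A plain store like that is usually dead-store-eliminated, so this is unlikely to be a regression in practice, but if clearing the intermediate block is intended then `OPENSSL_cleanse(ll, sizeof(ll));` is the form that survives the optimizer; otherwise a short comment noting that the scrub was deliberately removed would stop the next reader from re-adding it. `DES_ecb3_encrypt_ex` in the `-635` hunk has the same shape and never cleared its temporary, so either way the two functions should match.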
@@ -605,7 +698,7 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; c2l(in, tin1); tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_DECRYPT); + DES_encrypt1(tin, schedule, DES_DECRYPT); tout0 = tin[0] ^ xor0; tout1 = tin[1] ^ xor1; l2c(tout0, out); @@ -618,14 +711,14 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; c2l(in, tin1); tin[1] = tin1; - DES_encrypt1((uint32_t *)tin, schedule, DES_DECRYPT); + DES_encrypt1(tin, schedule, DES_DECRYPT); tout0 = tin[0] ^ xor0; tout1 = tin[1] ^ xor1; l2cn(tout0, tout1, out, len); xor0 = tin0; xor1 = tin1; } - iv = ivec->bytes; + iv = ivec; l2c(xor0, iv); l2c(xor1, iv); } @@ -635,24 +728,23 @@ void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, void DES_ecb3_encrypt(const DES_cblock *input, DES_cblock *output, const DES_key_schedule *ks1, const DES_key_schedule *ks2, const DES_key_schedule *ks3, int enc) { - uint32_t l0, l1; - uint32_t ll[2]; - const uint8_t *in = input->bytes; - uint8_t *out = output->bytes; + DES_ecb3_encrypt_ex(input->bytes, output->bytes, ks1, ks2, ks3, enc); +} - c2l(in, l0); - c2l(in, l1); - ll[0] = l0; - ll[1] = l1; +void DES_ecb3_encrypt_ex(const uint8_t in[8], uint8_t out[8], + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, int enc) { + uint32_t ll[2]; + ll[0] = CRYPTO_load_u32_le(in); + ll[1] = CRYPTO_load_u32_le(in + 4); if (enc) { DES_encrypt3(ll, ks1, ks2, ks3); } else { DES_decrypt3(ll, ks1, ks2, ks3); } - l0 = ll[0]; - l1 = ll[1]; - l2c(l0, out); - l2c(l1, out); + CRYPTO_store_u32_le(out, ll[0]); + CRYPTO_store_u32_le(out + 4, ll[1]); } void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, 
@@ -660,12 +752,20 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *ks2, const DES_key_schedule *ks3, DES_cblock *ivec, int enc) { + DES_ede3_cbc_encrypt_ex(in, out, len, ks1, ks2, ks3, ivec->bytes, enc); +} + +void DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, uint8_t ivec[8], + int enc) { uint32_t tin0, tin1; uint32_t tout0, tout1, xor0, xor1; uint32_t tin[2]; uint8_t *iv; - iv = ivec->bytes; + iv = ivec; if (enc) { c2l(iv, tout0); @@ -678,7 +778,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_encrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_encrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; @@ -692,14 +792,14 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_encrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_encrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; l2c(tout0, out); l2c(tout1, out); } - iv = ivec->bytes; + iv = ivec; l2c(tout0, iv); l2c(tout1, iv); } else { @@ -716,7 +816,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_decrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_decrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; @@ -736,7 +836,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, tin[0] = tin0; tin[1] = tin1; - DES_decrypt3((uint32_t *)tin, ks1, ks2, ks3); + DES_decrypt3(tin, ks1, ks2, ks3); tout0 = tin[0]; tout1 = tin[1]; @@ -747,7 +847,7 @@ void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, xor1 = t1; } - iv = ivec->bytes; + iv = ivec; l2c(xor0, iv); l2c(xor1, iv); } 
@@ -769,16 +869,3 @@ void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule) { DES_set_key(key, schedule); } - -#undef HPERM_OP -#undef c2l -#undef l2c -#undef c2ln -#undef l2cn -#undef PERM_OP -#undef IP -#undef FP -#undef LOAD_DATA -#undef D_ENCRYPT -#undef ITERATIONS -#undef HALF_ITERATIONS diff --git a/Sources/CNIOBoringSSL/crypto/des/internal.h b/Sources/CNIOBoringSSL/crypto/des/internal.h index 918943f94..b573a15a5 100644 --- a/Sources/CNIOBoringSSL/crypto/des/internal.h +++ b/Sources/CNIOBoringSSL/crypto/des/internal.h @@ -58,6 +58,7 @@ #define OPENSSL_HEADER_DES_INTERNAL_H #include +#include #include "../internal.h" @@ -66,6 +67,9 @@ extern "C" { #endif +// TODO(davidben): Ideally these macros would be replaced with +// |CRYPTO_load_u32_le| and |CRYPTO_store_u32_le|. + #define c2l(c, l) \ do { \ (l) = ((uint32_t)(*((c)++))); \ 
@@ -145,90 +149,39 @@ extern "C" { } \ } while (0) -/* IP and FP - * The problem is more of a geometric problem that random bit fiddling. - 0 1 2 3 4 5 6 7 62 54 46 38 30 22 14 6 - 8 9 10 11 12 13 14 15 60 52 44 36 28 20 12 4 -16 17 18 19 20 21 22 23 58 50 42 34 26 18 10 2 -24 25 26 27 28 29 30 31 to 56 48 40 32 24 16 8 0 - -32 33 34 35 36 37 38 39 63 55 47 39 31 23 15 7 -40 41 42 43 44 45 46 47 61 53 45 37 29 21 13 5 -48 49 50 51 52 53 54 55 59 51 43 35 27 19 11 3 -56 57 58 59 60 61 62 63 57 49 41 33 25 17 9 1 - -The output has been subject to swaps of the form -0 1 -> 3 1 but the odd and even bits have been put into -2 3 2 0 -different words. The main trick is to remember that -t=((l>>size)^r)&(mask); -r^=t; -l^=(t<> (n)) ^ (b)) & (m)); \ - (b) ^= (t); \ - (a) ^= ((t) << (n)); \ - } while (0) - -#define IP(l, r) \ - do { \ - uint32_t tt; \ - PERM_OP(r, l, tt, 4, 0x0f0f0f0fL); \ - PERM_OP(l, r, tt, 16, 0x0000ffffL); \ - PERM_OP(r, l, tt, 2, 0x33333333L); \ - PERM_OP(l, r, tt, 8, 0x00ff00ffL); \ - PERM_OP(r, l, tt, 1, 0x55555555L); \ - } while (0) - -#define FP(l, r) \ - do { \ - uint32_t tt; \ - PERM_OP(l, r, tt, 1, 0x55555555L); \ - PERM_OP(r, l, tt, 8, 0x00ff00ffL); \ - PERM_OP(l, r, tt, 2, 0x33333333L); \ - PERM_OP(r, l, tt, 16, 0x0000ffffL); \ - PERM_OP(l, r, tt, 4, 0x0f0f0f0fL); \ - } while (0) - -#define LOAD_DATA(ks, R, S, u, t, E0, E1) \ - do { \ - (u) = (R) ^ (ks)->subkeys[S][0]; \ - (t) = (R) ^ (ks)->subkeys[S][1]; \ - } while (0) - -#define D_ENCRYPT(ks, LL, R, S) \ - do { \ - LOAD_DATA(ks, R, S, u, t, E0, E1); \ - t = CRYPTO_rotr_u32(t, 4); \ - (LL) ^= \ - DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \ - DES_SPtrans[4][(u >> 18L) & 0x3f] ^ \ - DES_SPtrans[6][(u >> 26L) & 0x3f] ^ DES_SPtrans[1][(t >> 2L) & 0x3f] ^ \ - DES_SPtrans[3][(t >> 10L) & 0x3f] ^ \ - DES_SPtrans[5][(t >> 18L) & 0x3f] ^ DES_SPtrans[7][(t >> 26L) & 0x3f]; \ - } while (0) -#define ITERATIONS 16 -#define HALF_ITERATIONS 8 +// Correctly-typed versions of DES 
functions. +// +// See https://crbug.com/boringssl/683. + +void DES_set_key_ex(const uint8_t key[8], DES_key_schedule *schedule); +void DES_ecb_encrypt_ex(const uint8_t in[8], uint8_t out[8], + const DES_key_schedule *schedule, int is_encrypt); +void DES_ncbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *schedule, uint8_t ivec[8], + int enc); +void DES_ecb3_encrypt_ex(const uint8_t input[8], uint8_t output[8], + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, int enc); +void DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, + const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3, uint8_t ivec[8], + int enc); + + +// Private functions. +// +// These functions are only exported for use in |decrepit|. + +OPENSSL_EXPORT void DES_decrypt3(uint32_t data[2], const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3); + +OPENSSL_EXPORT void DES_encrypt3(uint32_t data[2], const DES_key_schedule *ks1, + const DES_key_schedule *ks2, + const DES_key_schedule *ks3); #if defined(__cplusplus) diff --git a/Sources/CNIOBoringSSL/crypto/digest_extra/digest_extra.c b/Sources/CNIOBoringSSL/crypto/digest_extra/digest_extra.c index e5c44ff2e..fe7e55199 100644 --- a/Sources/CNIOBoringSSL/crypto/digest_extra/digest_extra.c +++ b/Sources/CNIOBoringSSL/crypto/digest_extra/digest_extra.c @@ -61,6 +61,8 @@ #include #include #include +#include +#include #include #include "../asn1/internal.h" @@ -220,6 +222,7 @@ int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md) { return 0; } + // TODO(crbug.com/boringssl/710): Is this correct? See RFC 4055, section 2.1. if (!CBB_add_asn1(&algorithm, &null, CBS_ASN1_NULL) || !CBB_flush(cbb)) { return 0; 
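Review bot: The prototype for `DES_ecb3_encrypt_ex` names its buffers `input[8]`/`output[8]` while the definition in des.c (`-635` hunk) names them `in`/`out`; the other four `_ex` prototypes match their definitions, so `void DES_ecb3_encrypt_ex(const uint8_t in[8], uint8_t out[8],` would keep the header consistent. The comment `// Correctly-typed versions of DES functions.` could also say what callers gain — the `_ex` variants take `uint8_t[8]` blocks and a `uint8_t ivec[8]` directly, so callers no longer cast plain byte buffers to `DES_cblock *` — since the bug link alone does not explain the intent.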
@@ -263,3 +266,90 @@ static const EVP_MD evp_md_blake2b256 = { }; const EVP_MD *EVP_blake2b256(void) { return &evp_md_blake2b256; } + + +static void md4_init(EVP_MD_CTX *ctx) { + BSSL_CHECK(MD4_Init(ctx->md_data)); +} + +static void md4_update(EVP_MD_CTX *ctx, const void *data, size_t count) { + BSSL_CHECK(MD4_Update(ctx->md_data, data, count)); +} + +static void md4_final(EVP_MD_CTX *ctx, uint8_t *out) { + BSSL_CHECK(MD4_Final(out, ctx->md_data)); +} + +static const EVP_MD evp_md_md4 = { + NID_md4, + MD4_DIGEST_LENGTH, + 0, + md4_init, + md4_update, + md4_final, + 64, + sizeof(MD4_CTX), +}; + +const EVP_MD *EVP_md4(void) { return &evp_md_md4; } + +static void md5_init(EVP_MD_CTX *ctx) { + BSSL_CHECK(MD5_Init(ctx->md_data)); +} + +static void md5_update(EVP_MD_CTX *ctx, const void *data, size_t count) { + BSSL_CHECK(MD5_Update(ctx->md_data, data, count)); +} + +static void md5_final(EVP_MD_CTX *ctx, uint8_t *out) { + BSSL_CHECK(MD5_Final(out, ctx->md_data)); +} + +static const EVP_MD evp_md_md5 = { + NID_md5, + MD5_DIGEST_LENGTH, + 0, + md5_init, + md5_update, + md5_final, + 64, + sizeof(MD5_CTX), +}; + +const EVP_MD *EVP_md5(void) { return &evp_md_md5; } + +typedef struct { + MD5_CTX md5; + SHA_CTX sha1; +} MD5_SHA1_CTX; + +static void md5_sha1_init(EVP_MD_CTX *md_ctx) { + MD5_SHA1_CTX *ctx = md_ctx->md_data; + BSSL_CHECK(MD5_Init(&ctx->md5) && SHA1_Init(&ctx->sha1)); +} + +static void md5_sha1_update(EVP_MD_CTX *md_ctx, const void *data, + size_t count) { + MD5_SHA1_CTX *ctx = md_ctx->md_data; + BSSL_CHECK(MD5_Update(&ctx->md5, data, count) && + SHA1_Update(&ctx->sha1, data, count)); +} + +static void md5_sha1_final(EVP_MD_CTX *md_ctx, uint8_t *out) { + MD5_SHA1_CTX *ctx = md_ctx->md_data; + BSSL_CHECK(MD5_Final(out, &ctx->md5) && + SHA1_Final(out + MD5_DIGEST_LENGTH, &ctx->sha1)); +} + +const EVP_MD evp_md_md5_sha1 = { + NID_md5_sha1, + MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, + 0, + md5_sha1_init, + md5_sha1_update, + md5_sha1_final, + 64, + sizeof(MD5_SHA1_CTX), 
+}; + +const EVP_MD *EVP_md5_sha1(void) { return &evp_md_md5_sha1; } diff --git a/Sources/CNIOBoringSSL/crypto/dilithium/dilithium.c b/Sources/CNIOBoringSSL/crypto/dilithium/dilithium.c new file mode 100644 index 000000000..d681f8999 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/dilithium/dilithium.c 
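Review bot: `const EVP_MD evp_md_md5_sha1` is defined with external linkage while `evp_md_md4` and `evp_md_md5` next to it are `static`, and no declaration for it is visible in this hunk. If it is referenced from another translation unit, a comment naming the declaring header (`// Not static: declared in <header placeholder> for use elsewhere.`) would explain the asymmetry and avoid a missing-declaration warning; if it is not, it should be `static` like its siblings. A brief comment above `md4_init` stating that MD4, MD5 and MD5-SHA1 are legacy, non-approved digests kept outside the FIPS module would also tell the reader why they live in digest_extra rather than alongside the approved digests — assuming that is indeed the reason for the move.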
@@ -0,0 +1,1539 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#define OPENSSL_UNSTABLE_EXPERIMENTAL_DILITHIUM +#include + +#include +#include + +#include +#include + +#include "../internal.h" +#include "../keccak/internal.h" +#include "./internal.h" + +#define DEGREE 256 +#define K 6 +#define L 5 +#define ETA 4 +#define TAU 49 +#define BETA 196 +#define OMEGA 55 + +#define RHO_BYTES 32 +#define SIGMA_BYTES 64 +#define K_BYTES 32 +#define TR_BYTES 64 +#define MU_BYTES 64 +#define RHO_PRIME_BYTES 64 +#define LAMBDA_BITS 192 +#define LAMBDA_BYTES (LAMBDA_BITS / 8) + +// 2^23 - 2^13 + 1 +static const uint32_t kPrime = 8380417; +// Inverse of -kPrime modulo 2^32 +static const uint32_t kPrimeNegInverse = 4236238847; +static const int kDroppedBits = 13; +static const uint32_t kHalfPrime = (8380417 - 1) / 2; +static const uint32_t kGamma1 = 1 << 19; +static const uint32_t kGamma2 = (8380417 - 1) / 32; +// 256^-1 mod kPrime, in Montgomery form. 
+static const uint32_t kInverseDegreeMontgomery = 41978; + +typedef struct scalar { + uint32_t c[DEGREE]; +} scalar; + +typedef struct vectork { + scalar v[K]; +} vectork; + +typedef struct vectorl { + scalar v[L]; +} vectorl; + +typedef struct matrix { + scalar v[K][L]; +} matrix; + +/* Arithmetic */ + +// This bit of Python will be referenced in some of the following comments: +// +// q = 8380417 +// # Inverse of -q modulo 2^32 +// q_neg_inverse = 4236238847 +// # 2^64 modulo q +// montgomery_square = 2365951 +// +// def bitreverse(i): +// ret = 0 +// for n in range(8): +// bit = i & 1 +// ret <<= 1 +// ret |= bit +// i >>= 1 +// return ret +// +// def montgomery_reduce(x): +// a = (x * q_neg_inverse) % 2**32 +// b = x + a * q +// assert b & 0xFFFF_FFFF == 0 +// c = b >> 32 +// assert c < q +// return c +// +// def montgomery_transform(x): +// return montgomery_reduce(x * montgomery_square) + +// kNTTRootsMontgomery = [ +// montgomery_transform(pow(1753, bitreverse(i), q)) for i in range(256) +// ] +static const uint32_t kNTTRootsMontgomery[256] = { + 4193792, 25847, 5771523, 7861508, 237124, 7602457, 7504169, 466468, + 1826347, 2353451, 8021166, 6288512, 3119733, 5495562, 3111497, 2680103, + 2725464, 1024112, 7300517, 3585928, 7830929, 7260833, 2619752, 6271868, + 6262231, 4520680, 6980856, 5102745, 1757237, 8360995, 4010497, 280005, + 2706023, 95776, 3077325, 3530437, 6718724, 4788269, 5842901, 3915439, + 4519302, 5336701, 3574422, 5512770, 3539968, 8079950, 2348700, 7841118, + 6681150, 6736599, 3505694, 4558682, 3507263, 6239768, 6779997, 3699596, + 811944, 531354, 954230, 3881043, 3900724, 5823537, 2071892, 5582638, + 4450022, 6851714, 4702672, 5339162, 6927966, 3475950, 2176455, 6795196, + 7122806, 1939314, 4296819, 7380215, 5190273, 5223087, 4747489, 126922, + 3412210, 7396998, 2147896, 2715295, 5412772, 4686924, 7969390, 5903370, + 7709315, 7151892, 8357436, 7072248, 7998430, 1349076, 1852771, 6949987, + 5037034, 264944, 508951, 3097992, 44288, 7280319, 
904516, 3958618, + 4656075, 8371839, 1653064, 5130689, 2389356, 8169440, 759969, 7063561, + 189548, 4827145, 3159746, 6529015, 5971092, 8202977, 1315589, 1341330, + 1285669, 6795489, 7567685, 6940675, 5361315, 4499357, 4751448, 3839961, + 2091667, 3407706, 2316500, 3817976, 5037939, 2244091, 5933984, 4817955, + 266997, 2434439, 7144689, 3513181, 4860065, 4621053, 7183191, 5187039, + 900702, 1859098, 909542, 819034, 495491, 6767243, 8337157, 7857917, + 7725090, 5257975, 2031748, 3207046, 4823422, 7855319, 7611795, 4784579, + 342297, 286988, 5942594, 4108315, 3437287, 5038140, 1735879, 203044, + 2842341, 2691481, 5790267, 1265009, 4055324, 1247620, 2486353, 1595974, + 4613401, 1250494, 2635921, 4832145, 5386378, 1869119, 1903435, 7329447, + 7047359, 1237275, 5062207, 6950192, 7929317, 1312455, 3306115, 6417775, + 7100756, 1917081, 5834105, 7005614, 1500165, 777191, 2235880, 3406031, + 7838005, 5548557, 6709241, 6533464, 5796124, 4656147, 594136, 4603424, + 6366809, 2432395, 2454455, 8215696, 1957272, 3369112, 185531, 7173032, + 5196991, 162844, 1616392, 3014001, 810149, 1652634, 4686184, 6581310, + 5341501, 3523897, 3866901, 269760, 2213111, 7404533, 1717735, 472078, + 7953734, 1723600, 6577327, 1910376, 6712985, 7276084, 8119771, 4546524, + 5441381, 6144432, 7959518, 6094090, 183443, 7403526, 1612842, 4834730, + 7826001, 3919660, 8332111, 7018208, 3937738, 1400424, 7534263, 1976782}; + +// Reduces x mod kPrime in constant time, where 0 <= x < 2*kPrime. +static uint32_t reduce_once(uint32_t x) { + declassify_assert(x < 2 * kPrime); + // return x < kPrime ? x : x - kPrime; + return constant_time_select_int(constant_time_lt_w(x, kPrime), x, x - kPrime); +} + +// Returns the absolute value in constant time. +static uint32_t abs_signed(uint32_t x) { + // return is_positive(x) ? 
x : -x; + // Note: MSVC doesn't like applying the unary minus operator to unsigned types + // (warning C4146), so we write the negation as a bitwise not plus one + // (assuming two's complement representation). + return constant_time_select_int(constant_time_lt_w(x, 0x80000000), x, ~x + 1); +} + +// Returns the absolute value modulo kPrime. +static uint32_t abs_mod_prime(uint32_t x) { + declassify_assert(x < kPrime); + // return x > kHalfPrime ? kPrime - x : x; + return constant_time_select_int(constant_time_lt_w(kHalfPrime, x), kPrime - x, + x); +} + +// Returns the maximum of two values in constant time. +static uint32_t maximum(uint32_t x, uint32_t y) { + // return x < y ? y : x; + return constant_time_select_int(constant_time_lt_w(x, y), y, x); +} + +static void scalar_add(scalar *out, const scalar *lhs, const scalar *rhs) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = reduce_once(lhs->c[i] + rhs->c[i]); + } +} + +static void scalar_sub(scalar *out, const scalar *lhs, const scalar *rhs) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = reduce_once(kPrime + lhs->c[i] - rhs->c[i]); + } +} + +static uint32_t reduce_montgomery(uint64_t x) { + uint64_t a = (uint32_t)x * kPrimeNegInverse; + uint64_t b = x + a * kPrime; + declassify_assert((b & 0xffffffff) == 0); + uint32_t c = b >> 32; + return reduce_once(c); +} + +// Multiply two scalars in the number theoretically transformed state. +static void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = reduce_montgomery((uint64_t)lhs->c[i] * (uint64_t)rhs->c[i]); + } +} + +// In place number theoretic transform of a given scalar. +// +// FIPS 204, Algorithm 35 (`NTT`). 
+static void scalar_ntt(scalar *s) { + // Step: 1, 2, 4, 8, ..., 128 + // Offset: 128, 64, 32, 16, ..., 1 + int offset = DEGREE; + for (int step = 1; step < DEGREE; step <<= 1) { + offset >>= 1; + int k = 0; + for (int i = 0; i < step; i++) { + assert(k == 2 * offset * i); + const uint32_t step_root = kNTTRootsMontgomery[step + i]; + for (int j = k; j < k + offset; j++) { + uint32_t even = s->c[j]; + uint32_t odd = + reduce_montgomery((uint64_t)step_root * (uint64_t)s->c[j + offset]); + s->c[j] = reduce_once(odd + even); + s->c[j + offset] = reduce_once(kPrime + even - odd); + } + k += 2 * offset; + } + } +} + +// In place inverse number theoretic transform of a given scalar. +// +// FIPS 204, Algorithm 36 (`NTT^-1`). +static void scalar_inverse_ntt(scalar *s) { + // Step: 128, 64, 32, 16, ..., 1 + // Offset: 1, 2, 4, 8, ..., 128 + int step = DEGREE; + for (int offset = 1; offset < DEGREE; offset <<= 1) { + step >>= 1; + int k = 0; + for (int i = 0; i < step; i++) { + assert(k == 2 * offset * i); + const uint32_t step_root = + kPrime - kNTTRootsMontgomery[step + (step - 1 - i)]; + for (int j = k; j < k + offset; j++) { + uint32_t even = s->c[j]; + uint32_t odd = s->c[j + offset]; + s->c[j] = reduce_once(odd + even); + s->c[j + offset] = reduce_montgomery((uint64_t)step_root * + (uint64_t)(kPrime + even - odd)); + } + k += 2 * offset; + } + } + for (int i = 0; i < DEGREE; i++) { + s->c[i] = reduce_montgomery((uint64_t)s->c[i] * + (uint64_t)kInverseDegreeMontgomery); + } +} + +static void vectork_zero(vectork *out) { OPENSSL_memset(out, 0, sizeof(*out)); } + +static void vectork_add(vectork *out, const vectork *lhs, const vectork *rhs) { + for (int i = 0; i < K; i++) { + scalar_add(&out->v[i], &lhs->v[i], &rhs->v[i]); + } +} + +static void vectork_sub(vectork *out, const vectork *lhs, const vectork *rhs) { + for (int i = 0; i < K; i++) { + scalar_sub(&out->v[i], &lhs->v[i], &rhs->v[i]); + } +} + +static void vectork_mult_scalar(vectork *out, const vectork *lhs, + 
const scalar *rhs) {
+ for (int i = 0; i < K; i++) {
+ scalar_mult(&out->v[i], &lhs->v[i], rhs);
+ }
+}
+
+static void vectork_ntt(vectork *a) {
+ for (int i = 0; i < K; i++) {
+ scalar_ntt(&a->v[i]);
+ }
+}
+
+static void vectork_inverse_ntt(vectork *a) {
+ for (int i = 0; i < K; i++) {
+ scalar_inverse_ntt(&a->v[i]);
+ }
+}
+
+static void vectorl_add(vectorl *out, const vectorl *lhs, const vectorl *rhs) {
+ for (int i = 0; i < L; i++) {
+ scalar_add(&out->v[i], &lhs->v[i], &rhs->v[i]);
+ }
+}
+
+static void vectorl_mult_scalar(vectorl *out, const vectorl *lhs,
+ const scalar *rhs) {
+ for (int i = 0; i < L; i++) {
+ scalar_mult(&out->v[i], &lhs->v[i], rhs);
+ }
+}
+
+static void vectorl_ntt(vectorl *a) {
+ for (int i = 0; i < L; i++) {
+ scalar_ntt(&a->v[i]);
+ }
+}
+
+static void vectorl_inverse_ntt(vectorl *a) {
+ for (int i = 0; i < L; i++) {
+ scalar_inverse_ntt(&a->v[i]);
+ }
+}
+
+static void matrix_mult(vectork *out, const matrix *m, const vectorl *a) {
+ vectork_zero(out);
+ for (int i = 0; i < K; i++) {
+ for (int j = 0; j < L; j++) {
+ scalar product;
+ scalar_mult(&product, &m->v[i][j], &a->v[j]);
+ scalar_add(&out->v[i], &out->v[i], &product);
+ }
+ }
+}
+
+/* Rounding & hints */
+
+// FIPS 204, Algorithm 29 (`Power2Round`).
+static void power2_round(uint32_t *r1, uint32_t *r0, uint32_t r) {
+ *r1 = r >> kDroppedBits;
+ *r0 = r - (*r1 << kDroppedBits);
+
+ uint32_t r0_adjusted = reduce_once(kPrime + *r0 - (1 << kDroppedBits));
+ uint32_t r1_adjusted = *r1 + 1;
+
+ // Mask is set iff r0 > 2^(dropped_bits - 1).
+ crypto_word_t mask =
+ constant_time_lt_w((uint32_t)(1 << (kDroppedBits - 1)), *r0);
+ // r0 = mask ? r0_adjusted : r0
+ *r0 = constant_time_select_int(mask, r0_adjusted, *r0);
+ // r1 = mask ? r1_adjusted : r1
+ *r1 = constant_time_select_int(mask, r1_adjusted, *r1);
+}
+
+// Scale back previously rounded value.
+static void scale_power2_round(uint32_t *out, uint32_t r1) {
+ // Pre-condition: 0 <= r1 <= 2^10 - 1
+ *out = r1 << kDroppedBits;
+ // Post-condition: 0 <= out <= 2^23 - 2^13 = kPrime - 1
+ assert(*out < kPrime);
+}
+
+// FIPS 204, Algorithm 31 (`HighBits`).
+static uint32_t high_bits(uint32_t x) {
+ // Reference description (given 0 <= x < q):
+ //
+ // ```
+ // int32_t r0 = x mod+- (2 * kGamma2);
+ // if (x - r0 == q - 1) {
+ // return 0;
+ // } else {
+ // return (x - r0) / (2 * kGamma2);
+ // }
+ // ```
+ //
+ // Below is the formula taken from the reference implementation.
+ //
+ // Here, kGamma2 == 2^18 - 2^8
+ // This returns ((ceil(x / 2^7) * (2^10 + 1) + 2^21) / 2^22) mod 2^4
+ uint32_t r1 = (x + 127) >> 7;
+ r1 = (r1 * 1025 + (1 << 21)) >> 22;
+ r1 &= 15;
+ return r1;
+}
+
+// FIPS 204, Algorithm 30 (`Decompose`).
+static void decompose(uint32_t *r1, int32_t *r0, uint32_t r) {
+ *r1 = high_bits(r);
+
+ *r0 = r;
+ *r0 -= *r1 * 2 * (int32_t)kGamma2;
+ *r0 -= (((int32_t)kHalfPrime - *r0) >> 31) & (int32_t)kPrime;
+}
+
+// FIPS 204, Algorithm 32 (`LowBits`).
+static int32_t low_bits(uint32_t x) {
+ uint32_t r1;
+ int32_t r0;
+ decompose(&r1, &r0, x);
+ return r0;
+}
+
+// FIPS 204, Algorithm 33 (`MakeHint`).
+static int32_t make_hint(uint32_t ct0, uint32_t cs2, uint32_t w) {
+ uint32_t r_plus_z = reduce_once(kPrime + w - cs2);
+ uint32_t r = reduce_once(r_plus_z + ct0);
+ return high_bits(r) != high_bits(r_plus_z);
+}
+
+// FIPS 204, Algorithm 34 (`UseHint`).
+static uint32_t use_hint_vartime(uint32_t h, uint32_t r) {
+ uint32_t r1;
+ int32_t r0;
+ decompose(&r1, &r0, r);
+
+ if (h) {
+ if (r0 > 0) {
+ return (r1 + 1) & 15;
+ } else {
+ return (r1 - 1) & 15;
+ }
+ } else {
+ return r1;
+ }
+}
+
+static void scalar_power2_round(scalar *s1, scalar *s0, const scalar *s) {
+ for (int i = 0; i < DEGREE; i++) {
+ power2_round(&s1->c[i], &s0->c[i], s->c[i]);
+ }
+}
+
+static void scalar_scale_power2_round(scalar *out, const scalar *in) {
+ for (int i = 0; i < DEGREE; i++) {
+ scale_power2_round(&out->c[i], in->c[i]);
+ }
+}
+
+static void scalar_high_bits(scalar *out, const scalar *in) {
+ for (int i = 0; i < DEGREE; i++) {
+ out->c[i] = high_bits(in->c[i]);
+ }
+}
+
+static void scalar_low_bits(scalar *out, const scalar *in) {
+ for (int i = 0; i < DEGREE; i++) {
+ out->c[i] = low_bits(in->c[i]);
+ }
+}
+
+static void scalar_max(uint32_t *max, const scalar *s) {
+ for (int i = 0; i < DEGREE; i++) {
+ uint32_t abs = abs_mod_prime(s->c[i]);
+ *max = maximum(*max, abs);
+ }
+}
+
+static void scalar_max_signed(uint32_t *max, const scalar *s) {
+ for (int i = 0; i < DEGREE; i++) {
+ uint32_t abs = abs_signed(s->c[i]);
+ *max = maximum(*max, abs);
+ }
+}
+
+static void scalar_make_hint(scalar *out, const scalar *ct0, const scalar *cs2,
+ const scalar *w) {
+ for (int i = 0; i < DEGREE; i++) {
+ out->c[i] = make_hint(ct0->c[i], cs2->c[i], w->c[i]);
+ }
+}
+
+static void scalar_use_hint_vartime(scalar *out, const scalar *h,
+ const scalar *r) {
+ for (int i = 0; i < DEGREE; i++) {
+ out->c[i] = use_hint_vartime(h->c[i], r->c[i]);
+ }
+}
+
+static void vectork_power2_round(vectork *t1, vectork *t0, const vectork *t) {
+ for (int i = 0; i < K; i++) {
+ scalar_power2_round(&t1->v[i], &t0->v[i], &t->v[i]);
+ }
+}
+
+static void vectork_scale_power2_round(vectork *out, const vectork *in) {
+ for (int i = 0; i < K; i++) {
+ scalar_scale_power2_round(&out->v[i], &in->v[i]);
+ }
+}
+
+static void vectork_high_bits(vectork *out, const vectork
*in) {
+ for (int i = 0; i < K; i++) {
+ scalar_high_bits(&out->v[i], &in->v[i]);
+ }
+}
+
+static void vectork_low_bits(vectork *out, const vectork *in) {
+ for (int i = 0; i < K; i++) {
+ scalar_low_bits(&out->v[i], &in->v[i]);
+ }
+}
+
+static uint32_t vectork_max(const vectork *a) {
+ uint32_t max = 0;
+ for (int i = 0; i < K; i++) {
+ scalar_max(&max, &a->v[i]);
+ }
+ return max;
+}
+
+static uint32_t vectork_max_signed(const vectork *a) {
+ uint32_t max = 0;
+ for (int i = 0; i < K; i++) {
+ scalar_max_signed(&max, &a->v[i]);
+ }
+ return max;
+}
+
+// The input vector contains only zeroes and ones.
+static size_t vectork_count_ones(const vectork *a) {
+ size_t count = 0;
+ for (int i = 0; i < K; i++) {
+ for (int j = 0; j < DEGREE; j++) {
+ count += a->v[i].c[j];
+ }
+ }
+ return count;
+}
+
+static void vectork_make_hint(vectork *out, const vectork *ct0,
+ const vectork *cs2, const vectork *w) {
+ for (int i = 0; i < K; i++) {
+ scalar_make_hint(&out->v[i], &ct0->v[i], &cs2->v[i], &w->v[i]);
+ }
+}
+
+static void vectork_use_hint_vartime(vectork *out, const vectork *h,
+ const vectork *r) {
+ for (int i = 0; i < K; i++) {
+ scalar_use_hint_vartime(&out->v[i], &h->v[i], &r->v[i]);
+ }
+}
+
+static uint32_t vectorl_max(const vectorl *a) {
+ uint32_t max = 0;
+ for (int i = 0; i < L; i++) {
+ scalar_max(&max, &a->v[i]);
+ }
+ return max;
+}
+
+/* Bit packing */
+
+static const uint8_t kMasks[8] = {0x01, 0x03, 0x07, 0x0f,
+ 0x1f, 0x3f, 0x7f, 0xff};
+
+// FIPS 204, Algorithm 10 (`SimpleBitPack`).
+static void scalar_encode(uint8_t *out, const scalar *s, int bits) {
+ assert(bits <= (int)sizeof(*s->c) * 8 && bits != 1);
+
+ uint8_t out_byte = 0;
+ int out_byte_bits = 0;
+
+ for (int i = 0; i < DEGREE; i++) {
+ uint32_t element = s->c[i];
+ int element_bits_done = 0;
+
+ while (element_bits_done < bits) {
+ int chunk_bits = bits - element_bits_done;
+ int out_bits_remaining = 8 - out_byte_bits;
+ if (chunk_bits >= out_bits_remaining) {
+ chunk_bits = out_bits_remaining;
+ out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
+ *out = out_byte;
+ out++;
+ out_byte_bits = 0;
+ out_byte = 0;
+ } else {
+ out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
+ out_byte_bits += chunk_bits;
+ }
+
+ element_bits_done += chunk_bits;
+ element >>= chunk_bits;
+ }
+ }
+
+ if (out_byte_bits > 0) {
+ *out = out_byte;
+ }
+}
+
+// FIPS 204, Algorithm 11 (`BitPack`).
+static void scalar_encode_signed(uint8_t *out, const scalar *s, int bits,
+ uint32_t max) {
+ assert(bits <= (int)sizeof(*s->c) * 8 && bits != 1);
+
+ uint8_t out_byte = 0;
+ int out_byte_bits = 0;
+
+ for (int i = 0; i < DEGREE; i++) {
+ uint32_t element = reduce_once(kPrime + max - s->c[i]);
+ declassify_assert(element <= 2 * max);
+ int element_bits_done = 0;
+
+ while (element_bits_done < bits) {
+ int chunk_bits = bits - element_bits_done;
+ int out_bits_remaining = 8 - out_byte_bits;
+ if (chunk_bits >= out_bits_remaining) {
+ chunk_bits = out_bits_remaining;
+ out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
+ *out = out_byte;
+ out++;
+ out_byte_bits = 0;
+ out_byte = 0;
+ } else {
+ out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
+ out_byte_bits += chunk_bits;
+ }
+
+ element_bits_done += chunk_bits;
+ element >>= chunk_bits;
+ }
+ }
+
+ if (out_byte_bits > 0) {
+ *out = out_byte;
+ }
+}
+
+// FIPS 204, Algorithm 12 (`SimpleBitUnpack`).
+static void scalar_decode(scalar *out, const uint8_t *in, int bits) {
+ assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1);
+
+ uint8_t in_byte = 0;
+ int in_byte_bits_left = 0;
+
+ for (int i = 0; i < DEGREE; i++) {
+ uint32_t element = 0;
+ int element_bits_done = 0;
+
+ while (element_bits_done < bits) {
+ if (in_byte_bits_left == 0) {
+ in_byte = *in;
+ in++;
+ in_byte_bits_left = 8;
+ }
+
+ int chunk_bits = bits - element_bits_done;
+ if (chunk_bits > in_byte_bits_left) {
+ chunk_bits = in_byte_bits_left;
+ }
+
+ element |= (in_byte & kMasks[chunk_bits - 1]) << element_bits_done;
+ in_byte_bits_left -= chunk_bits;
+ in_byte >>= chunk_bits;
+
+ element_bits_done += chunk_bits;
+ }
+
+ out->c[i] = element;
+ }
+}
+
+// FIPS 204, Algorithm 13 (`BitUnpack`).
+static int scalar_decode_signed(scalar *out, const uint8_t *in, int bits,
+ uint32_t max) {
+ assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1);
+
+ uint8_t in_byte = 0;
+ int in_byte_bits_left = 0;
+
+ for (int i = 0; i < DEGREE; i++) {
+ uint32_t element = 0;
+ int element_bits_done = 0;
+
+ while (element_bits_done < bits) {
+ if (in_byte_bits_left == 0) {
+ in_byte = *in;
+ in++;
+ in_byte_bits_left = 8;
+ }
+
+ int chunk_bits = bits - element_bits_done;
+ if (chunk_bits > in_byte_bits_left) {
+ chunk_bits = in_byte_bits_left;
+ }
+
+ element |= (in_byte & kMasks[chunk_bits - 1]) << element_bits_done;
+ in_byte_bits_left -= chunk_bits;
+ in_byte >>= chunk_bits;
+
+ element_bits_done += chunk_bits;
+ }
+
+ // This may be only out of range in cases of invalid input, in which case it
+ // is okay to leak the value. This function is also called with secret
+ // input during signing, in |scalar_sample_mask|. However, in that case
+ // (and in any case when |max| is a power of two), this case is impossible.
+ if (constant_time_declassify_int(element > 2 * max)) {
+ return 0;
+ }
+ out->c[i] = reduce_once(kPrime + max - element);
+ }
+
+ return 1;
+}
+
+/* Expansion functions */
+
+// FIPS 204, Algorithm 24 (`RejNTTPoly`).
+//
+// Rejection samples a Keccak stream to get uniformly distributed elements. This
+// is used for matrix expansion and only operates on public inputs.
+static void scalar_from_keccak_vartime(
+ scalar *out, const uint8_t derived_seed[RHO_BYTES + 2]) {
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128);
+ BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, RHO_BYTES + 2);
+ assert(keccak_ctx.squeeze_offset == 0);
+ assert(keccak_ctx.rate_bytes == 168);
+ static_assert(168 % 3 == 0, "block and coefficient boundaries do not align");
+
+ int done = 0;
+ while (done < DEGREE) {
+ uint8_t block[168];
+ BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));
+ for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) {
+ // FIPS 204, Algorithm 8 (`CoeffFromThreeBytes`).
+ uint32_t value = (uint32_t)block[i] | ((uint32_t)block[i + 1] << 8) |
+ (((uint32_t)block[i + 2] & 0x7f) << 16);
+ if (value < kPrime) {
+ out->c[done++] = value;
+ }
+ }
+ }
+}
+
+// FIPS 204, Algorithm 25 (`RejBoundedPoly`).
+static void scalar_uniform_eta_4(scalar *out,
+ const uint8_t derived_seed[SIGMA_BYTES + 2]) {
+ static_assert(ETA == 4, "This implementation is specialized for ETA == 4");
+
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, SIGMA_BYTES + 2);
+ assert(keccak_ctx.squeeze_offset == 0);
+ assert(keccak_ctx.rate_bytes == 136);
+
+ int done = 0;
+ while (done < DEGREE) {
+ uint8_t block[136];
+ BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));
+ for (size_t i = 0; i < sizeof(block) && done < DEGREE; ++i) {
+ uint32_t t0 = block[i] & 0x0F;
+ uint32_t t1 = block[i] >> 4;
+ // FIPS 204, Algorithm 9 (`CoefFromHalfByte`). Although both the input and
+ // output here are secret, it is OK to leak when we rejected a byte.
+ // Individual bytes of the SHAKE-256 stream are (indistiguishable from)
+ // independent of each other and the original seed, so leaking information
+ // about the rejected bytes does not reveal the input or output.
+ if (constant_time_declassify_int(t0 < 9)) {
+ out->c[done++] = reduce_once(kPrime + ETA - t0);
+ }
+ if (done < DEGREE && constant_time_declassify_int(t1 < 9)) {
+ out->c[done++] = reduce_once(kPrime + ETA - t1);
+ }
+ }
+ }
+}
+
+// FIPS 204, Algorithm 28 (`ExpandMask`).
+static void scalar_sample_mask(
+ scalar *out, const uint8_t derived_seed[RHO_PRIME_BYTES + 2]) {
+ uint8_t buf[640];
+ BORINGSSL_keccak(buf, sizeof(buf), derived_seed, RHO_PRIME_BYTES + 2,
+ boringssl_shake256);
+
+ // Note: Decoding 20 bits into (-2^19, 2^19] cannot fail.
+ scalar_decode_signed(out, buf, 20, 1 << 19);
+}
+
+// FIPS 204, Algorithm 23 (`SampleInBall`).
+static void scalar_sample_in_ball_vartime(scalar *out, const uint8_t *seed,
+ int len) {
+ assert(len == 32);
+
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, seed, len);
+ assert(keccak_ctx.squeeze_offset == 0);
+ assert(keccak_ctx.rate_bytes == 136);
+
+ uint8_t block[136];
+ BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));
+
+ uint64_t signs = CRYPTO_load_u64_le(block);
+ int offset = 8;
+ // SampleInBall implements a Fisher–Yates shuffle, which unavoidably leaks
+ // where the zeros are by memory access pattern. Although this leak happens
+ // before bad signatures are rejected, this is safe. See
+ // https://boringssl-review.googlesource.com/c/boringssl/+/67747/comment/8d8f01ac_70af3f21/
+ CONSTTIME_DECLASSIFY(block + offset, sizeof(block) - offset);
+
+ OPENSSL_memset(out, 0, sizeof(*out));
+ for (size_t i = DEGREE - TAU; i < DEGREE; i++) {
+ size_t byte;
+ for (;;) {
+ if (offset == 136) {
+ BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));
+ // See above.
+ CONSTTIME_DECLASSIFY(block, sizeof(block));
+ offset = 0;
+ }
+
+ byte = block[offset++];
+ if (byte <= i) {
+ break;
+ }
+ }
+
+ out->c[i] = out->c[byte];
+ out->c[byte] = reduce_once(kPrime + 1 - 2 * (signs & 1));
+ signs >>= 1;
+ }
+}
+
+// FIPS 204, Algorithm 26 (`ExpandA`).
+static void matrix_expand(matrix *out, const uint8_t rho[RHO_BYTES]) {
+ static_assert(K <= 0x100, "K must fit in 8 bits");
+ static_assert(L <= 0x100, "L must fit in 8 bits");
+
+ uint8_t derived_seed[RHO_BYTES + 2];
+ OPENSSL_memcpy(derived_seed, rho, RHO_BYTES);
+ for (int i = 0; i < K; i++) {
+ for (int j = 0; j < L; j++) {
+ derived_seed[RHO_BYTES + 1] = i;
+ derived_seed[RHO_BYTES] = j;
+ scalar_from_keccak_vartime(&out->v[i][j], derived_seed);
+ }
+ }
+}
+
+// FIPS 204, Algorithm 27 (`ExpandS`).
+static void vector_expand_short(vectorl *s1, vectork *s2,
+ const uint8_t sigma[SIGMA_BYTES]) {
+ static_assert(K <= 0x100, "K must fit in 8 bits");
+ static_assert(L <= 0x100, "L must fit in 8 bits");
+ static_assert(K + L <= 0x100, "K+L must fit in 8 bits");
+
+ uint8_t derived_seed[SIGMA_BYTES + 2];
+ OPENSSL_memcpy(derived_seed, sigma, SIGMA_BYTES);
+ derived_seed[SIGMA_BYTES] = 0;
+ derived_seed[SIGMA_BYTES + 1] = 0;
+ for (int i = 0; i < L; i++) {
+ scalar_uniform_eta_4(&s1->v[i], derived_seed);
+ ++derived_seed[SIGMA_BYTES];
+ }
+ for (int i = 0; i < K; i++) {
+ scalar_uniform_eta_4(&s2->v[i], derived_seed);
+ ++derived_seed[SIGMA_BYTES];
+ }
+}
+
+// FIPS 204, Algorithm 28 (`ExpandMask`).
+static void vectorl_expand_mask(vectorl *out,
+ const uint8_t seed[RHO_PRIME_BYTES],
+ size_t kappa) {
+ assert(kappa + L <= 0x10000);
+
+ uint8_t derived_seed[RHO_PRIME_BYTES + 2];
+ OPENSSL_memcpy(derived_seed, seed, RHO_PRIME_BYTES);
+ for (int i = 0; i < L; i++) {
+ size_t index = kappa + i;
+ derived_seed[RHO_PRIME_BYTES] = index & 0xFF;
+ derived_seed[RHO_PRIME_BYTES + 1] = (index >> 8) & 0xFF;
+ scalar_sample_mask(&out->v[i], derived_seed);
+ }
+}
+
+/* Encoding */
+
+// FIPS 204, Algorithm 10 (`SimpleBitPack`).
+//
+// Encodes an entire vector into 32*K*|bits| bytes. Note that since 256 (DEGREE)
+// is divisible by 8, the individual vector entries will always fill a whole
+// number of bytes, so we do not need to worry about bit packing here.
+static void vectork_encode(uint8_t *out, const vectork *a, int bits) {
+ for (int i = 0; i < K; i++) {
+ scalar_encode(out + i * bits * DEGREE / 8, &a->v[i], bits);
+ }
+}
+
+// FIPS 204, Algorithm 12 (`SimpleBitUnpack`).
+static void vectork_decode(vectork *out, const uint8_t *in, int bits) {
+ for (int i = 0; i < K; i++) {
+ scalar_decode(&out->v[i], in + i * bits * DEGREE / 8, bits);
+ }
+}
+
+static void vectork_encode_signed(uint8_t *out, const vectork *a, int bits,
+ uint32_t max) {
+ for (int i = 0; i < K; i++) {
+ scalar_encode_signed(out + i * bits * DEGREE / 8, &a->v[i], bits, max);
+ }
+}
+
+static int vectork_decode_signed(vectork *out, const uint8_t *in, int bits,
+ uint32_t max) {
+ for (int i = 0; i < K; i++) {
+ if (!scalar_decode_signed(&out->v[i], in + i * bits * DEGREE / 8, bits,
+ max)) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+// FIPS 204, Algorithm 11 (`BitPack`).
+//
+// Encodes an entire vector into 32*L*|bits| bytes. Note that since 256 (DEGREE)
+// is divisible by 8, the individual vector entries will always fill a whole
+// number of bytes, so we do not need to worry about bit packing here.
+static void vectorl_encode_signed(uint8_t *out, const vectorl *a, int bits,
+ uint32_t max) {
+ for (int i = 0; i < L; i++) {
+ scalar_encode_signed(out + i * bits * DEGREE / 8, &a->v[i], bits, max);
+ }
+}
+
+static int vectorl_decode_signed(vectorl *out, const uint8_t *in, int bits,
+ uint32_t max) {
+ for (int i = 0; i < L; i++) {
+ if (!scalar_decode_signed(&out->v[i], in + i * bits * DEGREE / 8, bits,
+ max)) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+// FIPS 204, Algorithm 22 (`w1Encode`).
+//
+// The output must point to an array of 128*K bytes.
+static void w1_encode(uint8_t *out, const vectork *w1) {
+ vectork_encode(out, w1, 4);
+}
+
+// FIPS 204, Algorithm 14 (`HintBitPack`).
+static void hint_bit_pack(uint8_t *out, const vectork *h) {
+ OPENSSL_memset(out, 0, OMEGA + K);
+ int index = 0;
+ for (int i = 0; i < K; i++) {
+ for (int j = 0; j < DEGREE; j++) {
+ if (h->v[i].c[j]) {
+ out[index++] = j;
+ }
+ }
+ out[OMEGA + i] = index;
+ }
+}
+
+// FIPS 204, Algorithm 15 (`HintBitUnpack`).
+static int hint_bit_unpack(vectork *h, const uint8_t *in) {
+ vectork_zero(h);
+ int index = 0;
+ for (int i = 0; i < K; i++) {
+ int limit = in[OMEGA + i];
+ if (limit < index || limit > OMEGA) {
+ return 0;
+ }
+
+ int last = -1;
+ while (index < limit) {
+ int byte = in[index++];
+ if (last >= 0 && byte <= last) {
+ return 0;
+ }
+ last = byte;
+ h->v[i].c[byte] = 1;
+ }
+ }
+ for (; index < OMEGA; index++) {
+ if (in[index] != 0) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+struct public_key {
+ uint8_t rho[RHO_BYTES];
+ vectork t1;
+ // Pre-cached value(s).
+ uint8_t public_key_hash[TR_BYTES];
+};
+
+struct private_key {
+ uint8_t rho[RHO_BYTES];
+ uint8_t k[K_BYTES];
+ uint8_t public_key_hash[TR_BYTES];
+ vectorl s1;
+ vectork s2;
+ vectork t0;
+};
+
+struct signature {
+ uint8_t c_tilde[2 * LAMBDA_BYTES];
+ vectorl z;
+ vectork h;
+};
+
+// FIPS 204, Algorithm 16 (`pkEncode`).
+static int dilithium_marshal_public_key(CBB *out,
+ const struct public_key *pub) {
+ if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
+ return 0;
+ }
+
+ uint8_t *vectork_output;
+ if (!CBB_add_space(out, &vectork_output, 320 * K)) {
+ return 0;
+ }
+ vectork_encode(vectork_output, &pub->t1, 10);
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 17 (`pkDecode`).
+static int dilithium_parse_public_key(struct public_key *pub, CBS *in) {
+ if (!CBS_copy_bytes(in, pub->rho, sizeof(pub->rho))) {
+ return 0;
+ }
+
+ CBS t1_bytes;
+ if (!CBS_get_bytes(in, &t1_bytes, 320 * K)) {
+ return 0;
+ }
+ vectork_decode(&pub->t1, CBS_data(&t1_bytes), 10);
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 18 (`skEncode`).
+static int dilithium_marshal_private_key(CBB *out,
+ const struct private_key *priv) {
+ if (!CBB_add_bytes(out, priv->rho, sizeof(priv->rho)) ||
+ !CBB_add_bytes(out, priv->k, sizeof(priv->k)) ||
+ !CBB_add_bytes(out, priv->public_key_hash,
+ sizeof(priv->public_key_hash))) {
+ return 0;
+ }
+
+ uint8_t *vectorl_output;
+ if (!CBB_add_space(out, &vectorl_output, 128 * L)) {
+ return 0;
+ }
+ vectorl_encode_signed(vectorl_output, &priv->s1, 4, ETA);
+
+ uint8_t *vectork_output;
+ if (!CBB_add_space(out, &vectork_output, 128 * K)) {
+ return 0;
+ }
+ vectork_encode_signed(vectork_output, &priv->s2, 4, ETA);
+
+ if (!CBB_add_space(out, &vectork_output, 416 * K)) {
+ return 0;
+ }
+ vectork_encode_signed(vectork_output, &priv->t0, 13, 1 << 12);
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 19 (`skDecode`).
+static int dilithium_parse_private_key(struct private_key *priv, CBS *in) {
+ CBS s1_bytes;
+ CBS s2_bytes;
+ CBS t0_bytes;
+ if (!CBS_copy_bytes(in, priv->rho, sizeof(priv->rho)) ||
+ !CBS_copy_bytes(in, priv->k, sizeof(priv->k)) ||
+ !CBS_copy_bytes(in, priv->public_key_hash,
+ sizeof(priv->public_key_hash)) ||
+ !CBS_get_bytes(in, &s1_bytes, 128 * L) ||
+ !vectorl_decode_signed(&priv->s1, CBS_data(&s1_bytes), 4, ETA) ||
+ !CBS_get_bytes(in, &s2_bytes, 128 * K) ||
+ !vectork_decode_signed(&priv->s2, CBS_data(&s2_bytes), 4, ETA) ||
+ !CBS_get_bytes(in, &t0_bytes, 416 * K) ||
+ // Note: Decoding 13 bits into (-2^12, 2^12] cannot fail.
+ !vectork_decode_signed(&priv->t0, CBS_data(&t0_bytes), 13, 1 << 12)) {
+ return 0;
+ }
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 20 (`sigEncode`).
+static int dilithium_marshal_signature(CBB *out, const struct signature *sign) {
+ if (!CBB_add_bytes(out, sign->c_tilde, sizeof(sign->c_tilde))) {
+ return 0;
+ }
+
+ uint8_t *vectorl_output;
+ if (!CBB_add_space(out, &vectorl_output, 640 * L)) {
+ return 0;
+ }
+ vectorl_encode_signed(vectorl_output, &sign->z, 20, 1 << 19);
+
+ uint8_t *hint_output;
+ if (!CBB_add_space(out, &hint_output, OMEGA + K)) {
+ return 0;
+ }
+ hint_bit_pack(hint_output, &sign->h);
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 21 (`sigDecode`).
+static int dilithium_parse_signature(struct signature *sign, CBS *in) {
+ CBS z_bytes;
+ CBS hint_bytes;
+ if (!CBS_copy_bytes(in, sign->c_tilde, sizeof(sign->c_tilde)) ||
+ !CBS_get_bytes(in, &z_bytes, 640 * L) ||
+ // Note: Decoding 20 bits into (-2^19, 2^19] cannot fail.
+ !vectorl_decode_signed(&sign->z, CBS_data(&z_bytes), 20, 1 << 19) ||
+ !CBS_get_bytes(in, &hint_bytes, OMEGA + K) ||
+ !hint_bit_unpack(&sign->h, CBS_data(&hint_bytes))) {
+ return 0;
+ };
+
+ return 1;
+}
+
+static struct private_key *private_key_from_external(
+ const struct DILITHIUM_private_key *external) {
+ static_assert(
+ sizeof(struct DILITHIUM_private_key) == sizeof(struct private_key),
+ "Kyber private key size incorrect");
+ static_assert(
+ alignof(struct DILITHIUM_private_key) == alignof(struct private_key),
+ "Kyber private key align incorrect");
+ return (struct private_key *)external;
+}
+
+static struct public_key *public_key_from_external(
+ const struct DILITHIUM_public_key *external) {
+ static_assert(
+ sizeof(struct DILITHIUM_public_key) == sizeof(struct public_key),
+ "Dilithium public key size incorrect");
+ static_assert(
+ alignof(struct DILITHIUM_public_key) == alignof(struct public_key),
+ "Dilithium public key align incorrect");
+ return (struct public_key *)external;
+}
+
+/* API */
+
+// Calls |DILITHIUM_generate_key_external_entropy| with random bytes from
+// |RAND_bytes|. Returns 1 on success and 0 on failure.
+int DILITHIUM_generate_key(
+ uint8_t out_encoded_public_key[DILITHIUM_PUBLIC_KEY_BYTES],
+ struct DILITHIUM_private_key *out_private_key) {
+ uint8_t entropy[DILITHIUM_GENERATE_KEY_ENTROPY];
+ RAND_bytes(entropy, sizeof(entropy));
+ return DILITHIUM_generate_key_external_entropy(out_encoded_public_key,
+ out_private_key, entropy);
+}
+
+// FIPS 204, Algorithm 1 (`ML-DSA.KeyGen`). Returns 1 on success and 0 on
+// failure.
+int DILITHIUM_generate_key_external_entropy(
+ uint8_t out_encoded_public_key[DILITHIUM_PUBLIC_KEY_BYTES],
+ struct DILITHIUM_private_key *out_private_key,
+ const uint8_t entropy[DILITHIUM_GENERATE_KEY_ENTROPY]) {
+ int ret = 0;
+
+ // Intermediate values, allocated on the heap to allow use when there is a
+ // limited amount of stack.
+ struct values_st {
+ struct public_key pub;
+ matrix a_ntt;
+ vectorl s1_ntt;
+ vectork t;
+ };
+ struct values_st *values = OPENSSL_malloc(sizeof(*values));
+ if (values == NULL) {
+ goto err;
+ }
+
+ struct private_key *priv = private_key_from_external(out_private_key);
+
+ uint8_t expanded_seed[RHO_BYTES + SIGMA_BYTES + K_BYTES];
+ BORINGSSL_keccak(expanded_seed, sizeof(expanded_seed), entropy,
+ DILITHIUM_GENERATE_KEY_ENTROPY, boringssl_shake256);
+ const uint8_t *const rho = expanded_seed;
+ const uint8_t *const sigma = expanded_seed + RHO_BYTES;
+ const uint8_t *const k = expanded_seed + RHO_BYTES + SIGMA_BYTES;
+ // rho is public.
+ CONSTTIME_DECLASSIFY(rho, RHO_BYTES);
+ OPENSSL_memcpy(values->pub.rho, rho, sizeof(values->pub.rho));
+ OPENSSL_memcpy(priv->rho, rho, sizeof(priv->rho));
+ OPENSSL_memcpy(priv->k, k, sizeof(priv->k));
+
+ matrix_expand(&values->a_ntt, rho);
+ vector_expand_short(&priv->s1, &priv->s2, sigma);
+
+ OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));
+ vectorl_ntt(&values->s1_ntt);
+
+ matrix_mult(&values->t, &values->a_ntt, &values->s1_ntt);
+ vectork_inverse_ntt(&values->t);
+ vectork_add(&values->t, &values->t, &priv->s2);
+
+ vectork_power2_round(&values->pub.t1, &priv->t0, &values->t);
+ // t1 is public.
+ CONSTTIME_DECLASSIFY(&values->pub.t1, sizeof(values->pub.t1));
+
+ CBB cbb;
+ CBB_init_fixed(&cbb, out_encoded_public_key, DILITHIUM_PUBLIC_KEY_BYTES);
+ if (!dilithium_marshal_public_key(&cbb, &values->pub)) {
+ goto err;
+ }
+
+ BORINGSSL_keccak(priv->public_key_hash, sizeof(priv->public_key_hash),
+ out_encoded_public_key, DILITHIUM_PUBLIC_KEY_BYTES,
+ boringssl_shake256);
+
+ ret = 1;
+err:
+ OPENSSL_free(values);
+ return ret;
+}
+
+int DILITHIUM_public_from_private(
+ struct DILITHIUM_public_key *out_public_key,
+ const struct DILITHIUM_private_key *private_key) {
+ int ret = 0;
+
+ // Intermediate values, allocated on the heap to allow use when there is a
+ // limited amount of stack.
+ struct values_st {
+ matrix a_ntt;
+ vectorl s1_ntt;
+ vectork t;
+ vectork t0;
+ };
+ struct values_st *values = OPENSSL_malloc(sizeof(*values));
+ if (values == NULL) {
+ goto err;
+ }
+
+ const struct private_key *priv = private_key_from_external(private_key);
+ struct public_key *pub = public_key_from_external(out_public_key);
+
+ OPENSSL_memcpy(pub->rho, priv->rho, sizeof(pub->rho));
+ OPENSSL_memcpy(pub->public_key_hash, priv->public_key_hash,
+ sizeof(pub->public_key_hash));
+
+ matrix_expand(&values->a_ntt, priv->rho);
+
+ OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));
+ vectorl_ntt(&values->s1_ntt);
+
+ matrix_mult(&values->t, &values->a_ntt, &values->s1_ntt);
+ vectork_inverse_ntt(&values->t);
+ vectork_add(&values->t, &values->t, &priv->s2);
+
+ vectork_power2_round(&pub->t1, &values->t0, &values->t);
+
+ ret = 1;
+err:
+ OPENSSL_free(values);
+ return ret;
+}
+
+// FIPS 204, Algorithm 2 (`ML-DSA.Sign`). Returns 1 on success and 0 on failure.
+static int dilithium_sign_with_randomizer(
+ uint8_t out_encoded_signature[DILITHIUM_SIGNATURE_BYTES],
+ const struct DILITHIUM_private_key *private_key, const uint8_t *msg,
+ size_t msg_len,
+ const uint8_t randomizer[DILITHIUM_SIGNATURE_RANDOMIZER_BYTES]) {
+ int ret = 0;
+
+ const struct private_key *priv = private_key_from_external(private_key);
+
+ uint8_t mu[MU_BYTES];
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, priv->public_key_hash,
+ sizeof(priv->public_key_hash));
+ BORINGSSL_keccak_absorb(&keccak_ctx, msg, msg_len);
+ BORINGSSL_keccak_squeeze(&keccak_ctx, mu, MU_BYTES);
+
+ uint8_t rho_prime[RHO_PRIME_BYTES];
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, priv->k, sizeof(priv->k));
+ BORINGSSL_keccak_absorb(&keccak_ctx, randomizer,
+ DILITHIUM_SIGNATURE_RANDOMIZER_BYTES);
+ BORINGSSL_keccak_absorb(&keccak_ctx, mu, MU_BYTES);
+
BORINGSSL_keccak_squeeze(&keccak_ctx, rho_prime, RHO_PRIME_BYTES);
+
+ // Intermediate values, allocated on the heap to allow use when there is a
+ // limited amount of stack.
+ struct values_st {
+ struct signature sign;
+ vectorl s1_ntt;
+ vectork s2_ntt;
+ vectork t0_ntt;
+ matrix a_ntt;
+ vectorl y;
+ vectorl y_ntt;
+ vectork w;
+ vectork w1;
+ vectorl cs1;
+ vectork cs2;
+ vectork r0;
+ vectork ct0;
+ };
+ struct values_st *values = OPENSSL_malloc(sizeof(*values));
+ if (values == NULL) {
+ goto err;
+ }
+ OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));
+ vectorl_ntt(&values->s1_ntt);
+
+ OPENSSL_memcpy(&values->s2_ntt, &priv->s2, sizeof(values->s2_ntt));
+ vectork_ntt(&values->s2_ntt);
+
+ OPENSSL_memcpy(&values->t0_ntt, &priv->t0, sizeof(values->t0_ntt));
+ vectork_ntt(&values->t0_ntt);
+
+ matrix_expand(&values->a_ntt, priv->rho);
+
+ for (size_t kappa = 0;; kappa += L) {
+ // TODO(bbe): y only lives long enough to compute y_ntt.
+ // consider using another vectorl to save memory.
+ vectorl_expand_mask(&values->y, rho_prime, kappa);
+
+ OPENSSL_memcpy(&values->y_ntt, &values->y, sizeof(values->y_ntt));
+ vectorl_ntt(&values->y_ntt);
+
+ // TODO(bbe): w only lives long enough to compute y_ntt.
+ // consider using another vectork to save memory.
+
+ matrix_mult(&values->w, &values->a_ntt, &values->y_ntt);
+ vectork_inverse_ntt(&values->w);
+
+ vectork_high_bits(&values->w1, &values->w);
+ uint8_t w1_encoded[128 * K];
+ w1_encode(w1_encoded, &values->w1);
+
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, mu, MU_BYTES);
+ BORINGSSL_keccak_absorb(&keccak_ctx, w1_encoded, 128 * K);
+ BORINGSSL_keccak_squeeze(&keccak_ctx, values->sign.c_tilde,
+ 2 * LAMBDA_BYTES);
+
+ scalar c_ntt;
+ scalar_sample_in_ball_vartime(&c_ntt, values->sign.c_tilde, 32);
+ scalar_ntt(&c_ntt);
+
+ vectorl_mult_scalar(&values->cs1, &values->s1_ntt, &c_ntt);
+ vectorl_inverse_ntt(&values->cs1);
+ vectork_mult_scalar(&values->cs2, &values->s2_ntt, &c_ntt);
+ vectork_inverse_ntt(&values->cs2);
+
+ vectorl_add(&values->sign.z, &values->y, &values->cs1);
+
+ vectork_sub(&values->r0, &values->w, &values->cs2);
+ vectork_low_bits(&values->r0, &values->r0);
+
+ // Leaking the fact that a signature was rejected is fine as the next
+ // attempt at a signature will be (indistinguishable from) independent of
+ // this one. Note, however, that we additionally leak which of the two
+ // branches rejected the signature. Section 5.5 of
+ // https://pq-crystals.org/dilithium/data/dilithium-specification-round3.pdf
+ // describes this leak as OK. Note we leak less than what is described by
+ // the paper; we do not reveal which coefficient violated the bound, and we
+ // hide which of the |z_max| or |r0_max| bound failed.
See also
+ // https://boringssl-review.googlesource.com/c/boringssl/+/67747/comment/2bbab0fa_d241d35a/
+ uint32_t z_max = vectorl_max(&values->sign.z);
+ uint32_t r0_max = vectork_max_signed(&values->r0);
+ if (constant_time_declassify_w(
+ constant_time_ge_w(z_max, kGamma1 - BETA) |
+ constant_time_ge_w(r0_max, kGamma2 - BETA))) {
+ continue;
+ }
+
+ vectork_mult_scalar(&values->ct0, &values->t0_ntt, &c_ntt);
+ vectork_inverse_ntt(&values->ct0);
+ vectork_make_hint(&values->sign.h, &values->ct0, &values->cs2, &values->w);
+
+ // See above.
+ uint32_t ct0_max = vectork_max(&values->ct0);
+ size_t h_ones = vectork_count_ones(&values->sign.h);
+ if (constant_time_declassify_w(constant_time_ge_w(ct0_max, kGamma2) |
+ constant_time_lt_w(OMEGA, h_ones))) {
+ continue;
+ }
+
+ // Although computed with the private key, the signature is public.
+ CONSTTIME_DECLASSIFY(values->sign.c_tilde, sizeof(values->sign.c_tilde));
+ CONSTTIME_DECLASSIFY(&values->sign.z, sizeof(values->sign.z));
+ CONSTTIME_DECLASSIFY(&values->sign.h, sizeof(values->sign.h));
+
+ CBB cbb;
+ CBB_init_fixed(&cbb, out_encoded_signature, DILITHIUM_SIGNATURE_BYTES);
+ if (!dilithium_marshal_signature(&cbb, &values->sign)) {
+ goto err;
+ }
+
+ BSSL_CHECK(CBB_len(&cbb) == DILITHIUM_SIGNATURE_BYTES);
+ ret = 1;
+ break;
+ }
+
+err:
+ OPENSSL_free(values);
+ return ret;
+}
+
+// Dilithium signature in deterministic mode. Returns 1 on success and 0 on
+// failure.
+int DILITHIUM_sign_deterministic(
+ uint8_t out_encoded_signature[DILITHIUM_SIGNATURE_BYTES],
+ const struct DILITHIUM_private_key *private_key, const uint8_t *msg,
+ size_t msg_len) {
+ uint8_t randomizer[DILITHIUM_SIGNATURE_RANDOMIZER_BYTES];
+ OPENSSL_memset(randomizer, 0, sizeof(randomizer));
+ return dilithium_sign_with_randomizer(out_encoded_signature, private_key, msg,
+ msg_len, randomizer);
+}
+
+// Dilithium signature in randomized mode, filling the random bytes with
+// |RAND_bytes|. Returns 1 on success and 0 on failure.
+int DILITHIUM_sign(uint8_t out_encoded_signature[DILITHIUM_SIGNATURE_BYTES], + const struct DILITHIUM_private_key *private_key, + const uint8_t *msg, size_t msg_len) { + uint8_t randomizer[DILITHIUM_SIGNATURE_RANDOMIZER_BYTES]; + RAND_bytes(randomizer, sizeof(randomizer)); + return dilithium_sign_with_randomizer(out_encoded_signature, private_key, msg, + msg_len, randomizer); +} + +// FIPS 204, Algorithm 3 (`ML-DSA.Verify`). +int DILITHIUM_verify(const struct DILITHIUM_public_key *public_key, + const uint8_t encoded_signature[DILITHIUM_SIGNATURE_BYTES], + const uint8_t *msg, size_t msg_len) { + int ret = 0; + + // Intermediate values, allocated on the heap to allow use when there is a + // limited amount of stack. + struct values_st { + struct signature sign; + matrix a_ntt; + vectorl z_ntt; + vectork az_ntt; + vectork t1_ntt; + vectork ct1_ntt; + vectork w_approx; + vectork w1; + }; + struct values_st *values = OPENSSL_malloc(sizeof(*values)); + if (values == NULL) { + goto err; + } + + const struct public_key *pub = public_key_from_external(public_key); + + CBS cbs; + CBS_init(&cbs, encoded_signature, DILITHIUM_SIGNATURE_BYTES); + if (!dilithium_parse_signature(&values->sign, &cbs)) { + goto err; + } + + matrix_expand(&values->a_ntt, pub->rho); + + uint8_t mu[MU_BYTES]; + struct BORINGSSL_keccak_st keccak_ctx; + BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256); + BORINGSSL_keccak_absorb(&keccak_ctx, pub->public_key_hash, + sizeof(pub->public_key_hash)); + BORINGSSL_keccak_absorb(&keccak_ctx, msg, msg_len); + BORINGSSL_keccak_squeeze(&keccak_ctx, mu, MU_BYTES); + + scalar c_ntt; + scalar_sample_in_ball_vartime(&c_ntt, values->sign.c_tilde, 32); + scalar_ntt(&c_ntt); + + OPENSSL_memcpy(&values->z_ntt, &values->sign.z, sizeof(values->z_ntt)); + vectorl_ntt(&values->z_ntt); + + matrix_mult(&values->az_ntt, &values->a_ntt, &values->z_ntt); + + vectork_scale_power2_round(&values->t1_ntt, &pub->t1); + vectork_ntt(&values->t1_ntt); + + 
vectork_mult_scalar(&values->ct1_ntt, &values->t1_ntt, &c_ntt); + + vectork_sub(&values->w_approx, &values->az_ntt, &values->ct1_ntt); + vectork_inverse_ntt(&values->w_approx); + + vectork_use_hint_vartime(&values->w1, &values->sign.h, &values->w_approx); + uint8_t w1_encoded[128 * K]; + w1_encode(w1_encoded, &values->w1); + + uint8_t c_tilde[2 * LAMBDA_BYTES]; + BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256); + BORINGSSL_keccak_absorb(&keccak_ctx, mu, MU_BYTES); + BORINGSSL_keccak_absorb(&keccak_ctx, w1_encoded, 128 * K); + BORINGSSL_keccak_squeeze(&keccak_ctx, c_tilde, 2 * LAMBDA_BYTES); + + uint32_t z_max = vectorl_max(&values->sign.z); + size_t h_ones = vectork_count_ones(&values->sign.h); + if (z_max < kGamma1 - BETA && h_ones <= OMEGA && + OPENSSL_memcmp(c_tilde, values->sign.c_tilde, 2 * LAMBDA_BYTES) == 0) { + ret = 1; + } + +err: + OPENSSL_free(values); + return ret; +} + +/* Serialization of keys. */ + +int DILITHIUM_marshal_public_key( + CBB *out, const struct DILITHIUM_public_key *public_key) { + return dilithium_marshal_public_key(out, + public_key_from_external(public_key)); +} + +int DILITHIUM_parse_public_key(struct DILITHIUM_public_key *public_key, + CBS *in) { + struct public_key *pub = public_key_from_external(public_key); + CBS orig_in = *in; + if (!dilithium_parse_public_key(pub, in) || CBS_len(in) != 0) { + return 0; + } + + // Compute pre-cached values. + BORINGSSL_keccak(pub->public_key_hash, sizeof(pub->public_key_hash), + CBS_data(&orig_in), CBS_len(&orig_in), boringssl_shake256); + return 1; +} + +int DILITHIUM_marshal_private_key( + CBB *out, const struct DILITHIUM_private_key *private_key) { + return dilithium_marshal_private_key(out, + private_key_from_external(private_key)); +} + +int DILITHIUM_parse_private_key(struct DILITHIUM_private_key *private_key, + CBS *in) { + struct private_key *priv = private_key_from_external(private_key); + return dilithium_parse_private_key(priv, in) && CBS_len(in) == 0; +} 
diff --git a/Sources/CNIOBoringSSL/crypto/dilithium/internal.h b/Sources/CNIOBoringSSL/crypto/dilithium/internal.h new file mode 100644 index 000000000..029306910 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/dilithium/internal.h 
@@ -0,0 +1,58 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_DILITHIUM_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_DILITHIUM_INTERNAL_H
+
+#include
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// DILITHIUM_GENERATE_KEY_ENTROPY is the number of bytes of uniformly random
+// entropy necessary to generate a key pair.
+#define DILITHIUM_GENERATE_KEY_ENTROPY 32
+
+// DILITHIUM_SIGNATURE_RANDOMIZER_BYTES is the number of bytes of uniformly
+// random entropy necessary to generate a signature in randomized mode.
+#define DILITHIUM_SIGNATURE_RANDOMIZER_BYTES 32
+
+// DILITHIUM_generate_key_external_entropy generates a public/private key pair
+// using the given seed, writes the encoded public key to
+// |out_encoded_public_key| and sets |out_private_key| to the private key,
+// returning 1 on success and 0 on failure. Returns 1 on success and 0 on
+// failure.
+OPENSSL_EXPORT int DILITHIUM_generate_key_external_entropy(
+ uint8_t out_encoded_public_key[DILITHIUM_PUBLIC_KEY_BYTES],
+ struct DILITHIUM_private_key *out_private_key,
+ const uint8_t entropy[DILITHIUM_GENERATE_KEY_ENTROPY]);
+
+// DILITHIUM_sign_deterministic generates a signature for the message |msg| of
+// length |msg_len| using |private_key| following the deterministic algorithm,
+// and writes the encoded signature to |out_encoded_signature|. Returns 1 on
+// success and 0 on failure.
+OPENSSL_EXPORT int DILITHIUM_sign_deterministic(
+ uint8_t out_encoded_signature[DILITHIUM_SIGNATURE_BYTES],
+ const struct DILITHIUM_private_key *private_key, const uint8_t *msg,
+ size_t msg_len);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_DILITHIUM_INTERNAL_H
diff --git a/Sources/CNIOBoringSSL/crypto/dsa/dsa.c b/Sources/CNIOBoringSSL/crypto/dsa/dsa.c
index 92e2e7874..dd176455a 100644
--- a/Sources/CNIOBoringSSL/crypto/dsa/dsa.c
+++ b/Sources/CNIOBoringSSL/crypto/dsa/dsa.c
@@ -208,6 +208,11 @@ int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
size_t seed_len, int *out_counter,
unsigned long *out_h, BN_GENCB *cb) {
+ if (bits > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
+ return 0;
+ }
+
int ok = 0;
unsigned char seed[SHA256_DIGEST_LENGTH];
unsigned char md[SHA256_DIGEST_LENGTH];
@@ -274,6 +279,8 @@ int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, const uint8_t *seed_in,
if (!RAND_bytes(seed, qsize)) {
goto err;
}
+ // DSA parameters are public.
+ CONSTTIME_DECLASSIFY(seed, qsize);
} else {
// If we come back through, use random seed next time.
seed_in = NULL;
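Review bot: The comment on DILITHIUM_generate_key_external_entropy states its return contract twice (`returning 1 on success and 0 on failure. Returns 1 on success and 0 on failure.`); drop the trailing sentence so the comment ends at `... to the private key, returning 1 on success and 0 on failure.` The same comment would help callers if it said that |entropy| is the seed the private key is derived from and therefore has to be protected like the key itself; the declaration alone does not convey that. The DILITHIUM_sign_deterministic comment is fine as written.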
@@ -477,11 +484,13 @@ DSA *DSAparams_dup(const DSA *dsa) { } int DSA_generate_key(DSA *dsa) { + if (!dsa_check_key(dsa)) { + return 0; + } + int ok = 0; - BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; - - ctx = BN_CTX_new(); + BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { goto err; } @@ -513,6 +522,9 @@ int DSA_generate_key(DSA *dsa) { goto err; } + // The public key is computed from the private key, but is public. + bn_declassify(pub_key); + dsa->priv_key = priv_key; dsa->pub_key = pub_key; ok = 1; @@ -649,6 +661,10 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) { goto err; } + // The signature is computed from the private key, but is public. + bn_declassify(r); + bn_declassify(s); + // Redo if r or s is zero as required by FIPS 186-3: this is // very unlikely. if (BN_is_zero(r) || BN_is_zero(s)) { @@ -681,7 +697,7 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) { return ret; } -int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig, +int DSA_do_verify(const uint8_t *digest, size_t digest_len, const DSA_SIG *sig, const DSA *dsa) { int valid; if (!DSA_do_check_signature(&valid, digest, digest_len, sig, dsa)) { @@ -691,7 +707,8 @@ int DSA_do_verify(const uint8_t *digest, size_t digest_len, DSA_SIG *sig, } int DSA_do_check_signature(int *out_valid, const uint8_t *digest, - size_t digest_len, DSA_SIG *sig, const DSA *dsa) { + size_t digest_len, const DSA_SIG *sig, + const DSA *dsa) { *out_valid = 0; if (!dsa_check_key(dsa)) { return 0; 
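Review bot: DSA_generate_key now calls dsa_check_key before anything else, and dsa_check_key (the -119 hunk in dsa_asn1.c) also validates an existing |dsa->priv_key| when one is set, so regenerating into a DSA object that already holds an out-of-range private key now fails where the old code simply overwrote it. If that stricter behaviour is intended, a comment such as `// Reject malformed parameters (and any stale private key) before generating.` on the new check would make it deliberate; if not, only the parameter part of the check is wanted here. The `bn_declassify` calls on |pub_key|, |r| and |s| are correctly placed before the `BN_is_zero` retry in DSA_do_sign, which branches on those values. Both DSA_generate_key and DSA_do_sign continue outside these hunks.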
@@ -899,15 +916,19 @@ static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx, BIGNUM **out_kinv, ctx) || // Compute r = (g^k mod p) mod q !BN_mod_exp_mont_consttime(r, dsa->g, &k, dsa->p, ctx, - dsa->method_mont_p) || - // Note |BN_mod| below is not constant-time and may leak information about - // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not - // easily performed in constant-time with Montgomery reduction. - // - // However, |r| at this point is g^k (mod p). It is almost the value of - // |r| revealed in the signature anyway (g^k (mod p) (mod q)), going from - // it to |k| would require computing a discrete log. - !BN_mod(r, r, dsa->q, ctx) || + dsa->method_mont_p)) { + OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB); + goto err; + } + // Note |BN_mod| below is not constant-time and may leak information about + // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not + // easily performed in constant-time with Montgomery reduction. + // + // However, |r| at this point is g^k (mod p). It is almost the value of |r| + // revealed in the signature anyway (g^k (mod p) (mod q)), going from it to + // |k| would require computing a discrete log. + bn_declassify(r); + if (!BN_mod(r, r, dsa->q, ctx) || // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little // Theorem. !bn_mod_inverse_prime(kinv, &k, dsa->q, ctx, dsa->method_mont_q)) { @@ -934,12 +955,7 @@ static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx, BIGNUM **out_kinv, int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - int index; - if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, - free_func)) { - return -1; - } - return index; + return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func); } int DSA_set_ex_data(DSA *dsa, int idx, void *arg) { 
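Review bot: The `bn_declassify(r)` added in dsa_sign_setup sits after a comment that still discusses the BN_mod leak in the abstract; since the declassification is what makes the variable-time `BN_mod` acceptable to the constant-time checker, tie them together with one more sentence, e.g. `// |r| is therefore declassified here so the variable-time |BN_mod| may observe it.` Splitting the former single `if` chain into two also means the second `if` (BN_mod / bn_mod_inverse_prime) now needs its own error reporting; its body lies outside the hunk, so confirm it still records ERR_R_BN_LIB as the first one does. dsa_sign_setup both starts and ends outside this hunk.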
diff --git a/Sources/CNIOBoringSSL/crypto/dsa/dsa_asn1.c b/Sources/CNIOBoringSSL/crypto/dsa/dsa_asn1.c
index f1428675e..108c94b37 100644
--- a/Sources/CNIOBoringSSL/crypto/dsa/dsa_asn1.c
+++ b/Sources/CNIOBoringSSL/crypto/dsa/dsa_asn1.c
@@ -65,8 +65,6 @@
#include "../bytestring/internal.h"
-#define OPENSSL_DSA_MAX_MODULUS_BITS 10000
-
// This function is in dsa_asn1.c rather than dsa.c because it is reachable from
// |EVP_PKEY| parsers. This makes it easier for the static linker to drop most
// of the DSA implementation.
@@ -119,8 +117,9 @@ int dsa_check_key(const DSA *dsa) {
if (dsa->priv_key != NULL) {
// The private key is a non-zero element of the scalar field, determined by
// |q|.
- if (BN_is_negative(dsa->priv_key) || BN_is_zero(dsa->priv_key) ||
- BN_cmp(dsa->priv_key, dsa->q) >= 0) {
+ if (BN_is_negative(dsa->priv_key) ||
+ constant_time_declassify_int(BN_is_zero(dsa->priv_key)) ||
+ constant_time_declassify_int(BN_cmp(dsa->priv_key, dsa->q) >= 0)) {
OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS);
return 0;
}
diff --git a/Sources/CNIOBoringSSL/crypto/ec_extra/ec_asn1.c b/Sources/CNIOBoringSSL/crypto/ec_extra/ec_asn1.c
index 79c5db246..fd9516807 100644
--- a/Sources/CNIOBoringSSL/crypto/ec_extra/ec_asn1.c
+++ b/Sources/CNIOBoringSSL/crypto/ec_extra/ec_asn1.c
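Review bot: The two `constant_time_declassify_int` wrappers in dsa_check_key deserve a comment saying why leaking the outcome is acceptable, since the branch now observably depends on private-key-derived values; something like `// Leaking that the private key is out of range is fine: such a key is rejected, not used.` `BN_is_negative(dsa->priv_key)` is left undeclassified while its two siblings are wrapped, presumably because the sign flag is not treated as secret — a half-sentence in the same comment would keep the asymmetry from looking accidental. Separately, the -65 hunk removes `#define OPENSSL_DSA_MAX_MODULUS_BITS 10000` from this file while DSA_generate_parameters_ex in dsa.c (the -208 hunk) still uses it, so the constant must now come from a shared header not visible here; confirm dsa.c includes it.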
@@ -478,6 +478,41 @@ int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp) {
return CBB_finish_i2d(&cbb, outp);
}
+EC_GROUP *d2i_ECPKParameters(EC_GROUP **out, const uint8_t **inp, long len) {
+ if (len < 0) {
+ return NULL;
+ }
+
+ CBS cbs;
+ CBS_init(&cbs, *inp, (size_t)len);
+ EC_GROUP *ret = EC_KEY_parse_parameters(&cbs);
+ if (ret == NULL) {
+ return NULL;
+ }
+
+ if (out != NULL) {
+ EC_GROUP_free(*out);
+ *out = ret;
+ }
+ *inp = CBS_data(&cbs);
+ return ret;
+}
+
+int i2d_ECPKParameters(const EC_GROUP *group, uint8_t **outp) {
+ if (group == NULL) {
+ OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER);
+ return -1;
+ }
+
+ CBB cbb;
+ if (!CBB_init(&cbb, 0) || //
+ !EC_KEY_marshal_curve_name(&cbb, group)) {
+ CBB_cleanup(&cbb);
+ return -1;
+ }
+ return CBB_finish_i2d(&cbb, outp);
+}
+
EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp, long len) {
if (len < 0) {
return NULL;
diff --git a/Sources/CNIOBoringSSL/crypto/ecdsa_extra/ecdsa_asn1.c b/Sources/CNIOBoringSSL/crypto/ecdsa_extra/ecdsa_asn1.c
index ce38274f6..e9e875c46 100644
--- a/Sources/CNIOBoringSSL/crypto/ecdsa_extra/ecdsa_asn1.c
+++ b/Sources/CNIOBoringSSL/crypto/ecdsa_extra/ecdsa_asn1.c
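Review bot: d2i_ECPKParameters frees `*out` unconditionally when `out` is non-NULL, so a caller passing a pointer to an uninitialised `EC_GROUP *` frees garbage; that matches the legacy d2i contract, but nothing in the code says so. Suggest `// If |out| is non-NULL, |*out| must be NULL or a valid group; it is freed and replaced on success.` above the definition. i2d_ECPKParameters only goes through `EC_KEY_marshal_curve_name`, so groups without a curve NID presumably fail inside that call; a one-line comment stating that explicit-parameter encoding is intentionally unsupported would save the next reader a trip into the marshal function.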
@@ -62,34 +62,87 @@ #include #include "../bytestring/internal.h" -#include "../fipsmodule/ec/internal.h" +#include "../fipsmodule/ecdsa/internal.h" #include "../internal.h" +static ECDSA_SIG *ecdsa_sig_from_fixed(const EC_KEY *key, const uint8_t *in, + size_t len) { + const EC_GROUP *group = EC_KEY_get0_group(key); + if (group == NULL) { + OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER); + return NULL; + } + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); + if (len != 2 * scalar_len) { + OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE); + return NULL; + } + ECDSA_SIG *ret = ECDSA_SIG_new(); + if (ret == NULL || + !BN_bin2bn(in, scalar_len, ret->r) || + !BN_bin2bn(in + scalar_len, scalar_len, ret->s)) { + ECDSA_SIG_free(ret); + return NULL; + } + return ret; +} + +static int ecdsa_sig_to_fixed(const EC_KEY *key, uint8_t *out, size_t *out_len, + size_t max_out, const ECDSA_SIG *sig) { + const EC_GROUP *group = EC_KEY_get0_group(key); + if (group == NULL) { + OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); + if (max_out < 2 * scalar_len) { + OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL); + return 0; + } + if (BN_is_negative(sig->r) || + !BN_bn2bin_padded(out, scalar_len, sig->r) || + BN_is_negative(sig->s) || + !BN_bn2bin_padded(out + scalar_len, scalar_len, sig->s)) { + OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE); + return 0; + } + *out_len = 2 * scalar_len; + return 1; +} + int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig, - unsigned int *sig_len, const EC_KEY *eckey) { + unsigned int *out_sig_len, const EC_KEY *eckey) { if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) { - return eckey->ecdsa_meth->sign(digest, digest_len, sig, sig_len, + return eckey->ecdsa_meth->sign(digest, digest_len, sig, out_sig_len, (EC_KEY*) eckey /* cast away const */); } - int ret = 0; - ECDSA_SIG *s = ECDSA_do_sign(digest, digest_len, eckey); + 
*out_sig_len = 0; + uint8_t fixed[ECDSA_MAX_FIXED_LEN]; + size_t fixed_len; + if (!ecdsa_sign_fixed(digest, digest_len, fixed, &fixed_len, sizeof(fixed), + eckey)) { + return 0; + } + + // TODO(davidben): We can actually do better and go straight from the DER + // format to the fixed-width format without a malloc. + ECDSA_SIG *s = ecdsa_sig_from_fixed(eckey, fixed, fixed_len); if (s == NULL) { - *sig_len = 0; - goto err; + return 0; } + int ret = 0; CBB cbb; CBB_init_fixed(&cbb, sig, ECDSA_size(eckey)); size_t len; if (!ECDSA_SIG_marshal(&cbb, s) || !CBB_finish(&cbb, NULL, &len)) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_ENCODE_ERROR); - *sig_len = 0; goto err; } - *sig_len = (unsigned)len; + *out_sig_len = (unsigned)len; ret = 1; err: @@ -99,12 +152,13 @@ int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig, int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len, const uint8_t *sig, size_t sig_len, const EC_KEY *eckey) { - ECDSA_SIG *s; + // Decode the ECDSA signature. + // + // TODO(davidben): We can actually do better and go straight from the DER + // format to the fixed-width format without a malloc. int ret = 0; uint8_t *der = NULL; - - // Decode the ECDSA signature. - s = ECDSA_SIG_from_bytes(sig, sig_len); + ECDSA_SIG *s = ECDSA_SIG_from_bytes(sig, sig_len); if (s == NULL) { goto err; } @@ -118,7 +172,10 @@ int ECDSA_verify(int type, const uint8_t *digest, size_t digest_len, goto err; } - ret = ECDSA_do_verify(digest, digest_len, s, eckey); + uint8_t fixed[ECDSA_MAX_FIXED_LEN]; + size_t fixed_len; + ret = ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), s) && + ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey); err: OPENSSL_free(der); 
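Review bot: ecdsa_sig_to_fixed reports its too-small buffer with `OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL)` while every other error in this hunk is raised against the ECDSA library; either use an ECDSA-library reason or add a comment explaining why EC is deliberate, since callers of ECDSA_verify and ECDSA_do_verify will otherwise see a mixed error queue. The `BN_is_negative` / `BN_bn2bin_padded` checks reject negative and oversized r and s, but values between the group order and 2^(8*scalar_len) pass through; that is only fine if ecdsa_verify_fixed range-checks them, which the code relies on without saying so — `// Range checks against the group order happen in ecdsa_verify_fixed.` would pin the assumption. ECDSA_sign's body continues past the end of the -62 hunk (the `err:` cleanup).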
@@ -147,6 +204,95 @@ size_t ECDSA_size(const EC_KEY *key) {
return ECDSA_SIG_max_len(group_order_size);
}
+ECDSA_SIG *ECDSA_SIG_new(void) {
+ ECDSA_SIG *sig = OPENSSL_malloc(sizeof(ECDSA_SIG));
+ if (sig == NULL) {
+ return NULL;
+ }
+ sig->r = BN_new();
+ sig->s = BN_new();
+ if (sig->r == NULL || sig->s == NULL) {
+ ECDSA_SIG_free(sig);
+ return NULL;
+ }
+ return sig;
+}
+
+void ECDSA_SIG_free(ECDSA_SIG *sig) {
+ if (sig == NULL) {
+ return;
+ }
+
+ BN_free(sig->r);
+ BN_free(sig->s);
+ OPENSSL_free(sig);
+}
+
+const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) {
+ return sig->r;
+}
+
+const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) {
+ return sig->s;
+}
+
+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r,
+ const BIGNUM **out_s) {
+ if (out_r != NULL) {
+ *out_r = sig->r;
+ }
+ if (out_s != NULL) {
+ *out_s = sig->s;
+ }
+}
+
+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
+ if (r == NULL || s == NULL) {
+ return 0;
+ }
+ BN_free(sig->r);
+ BN_free(sig->s);
+ sig->r = r;
+ sig->s = s;
+ return 1;
+}
+
+int ECDSA_do_verify(const uint8_t *digest, size_t digest_len,
+ const ECDSA_SIG *sig, const EC_KEY *eckey) {
+ uint8_t fixed[ECDSA_MAX_FIXED_LEN];
+ size_t fixed_len;
+ return ecdsa_sig_to_fixed(eckey, fixed, &fixed_len, sizeof(fixed), sig) &&
+ ecdsa_verify_fixed(digest, digest_len, fixed, fixed_len, eckey);
+}
+
+// This function is only exported for testing and is not called in production
+// code.
+ECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing(
+ const uint8_t *digest, size_t digest_len, const EC_KEY *eckey,
+ const uint8_t *nonce, size_t nonce_len) {
+ uint8_t sig[ECDSA_MAX_FIXED_LEN];
+ size_t sig_len;
+ if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test(
+ digest, digest_len, sig, &sig_len, sizeof(sig), eckey, nonce,
+ nonce_len)) {
+ return NULL;
+ }
+
+ return ecdsa_sig_from_fixed(eckey, sig, sig_len);
+}
+
+ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len,
+ const EC_KEY *eckey) {
+ uint8_t sig[ECDSA_MAX_FIXED_LEN];
+ size_t sig_len;
+ if (!ecdsa_sign_fixed(digest, digest_len, sig, &sig_len, sizeof(sig),
+ eckey)) {
+ return NULL;
+ }
+
+ return ecdsa_sig_from_fixed(eckey, sig, sig_len);
+}
+
ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs) {
ECDSA_SIG *ret = ECDSA_SIG_new();
if (ret == NULL) {
diff --git a/Sources/CNIOBoringSSL/crypto/err/err.c b/Sources/CNIOBoringSSL/crypto/err/err.c
index 3963f1e3e..309aa5c63 100644
--- a/Sources/CNIOBoringSSL/crypto/err/err.c
+++ b/Sources/CNIOBoringSSL/crypto/err/err.c
@@ -164,6 +164,17 @@ extern const uint32_t kOpenSSLReasonValues[];
extern const size_t kOpenSSLReasonValuesLen;
extern const char kOpenSSLReasonStringData[];
+static char *strdup_libc_malloc(const char *str) {
+ // |strdup| is not in C until C23, so MSVC triggers deprecation warnings, and
+ // glibc and musl gate it on a feature macro. Reimplementing it is easier.
+ size_t len = strlen(str);
+ char *ret = malloc(len + 1);
+ if (ret != NULL) {
+ memcpy(ret, str, len + 1);
+ }
+ return ret;
+}
+
// err_clear clears the given queued error.
static void err_clear(struct err_error_st *error) {
free(error->data);
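Review bot: ECDSA_SIG_new allocates with `OPENSSL_malloc(sizeof(ECDSA_SIG))`; the conventional `OPENSSL_malloc(sizeof(*sig))` keeps the size tied to the variable should the type ever change. ECDSA_do_sign and ECDSA_sign_with_nonce_and_leak_private_key_for_testing end in the same `fixed`-buffer to `ecdsa_sig_from_fixed` tail, which a small static helper taking the buffer and length would deduplicate. ECDSA_SIG_set0 follows the OpenSSL contract of leaving ownership with the caller on failure, but nothing in the code says so; `// On failure, ownership of |r| and |s| stays with the caller.` above the NULL check would make that explicit.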
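Review bot: strdup_libc_malloc's comment explains why strdup is avoided but omits the constraint that actually matters for correctness: the copy is released with libc `free` (err_clear's `free(error->data)` two lines below), so it must never come from OPENSSL_malloc. Suggest extending the comment with `// The result is released with libc |free| by err_clear; it must not come from OPENSSL_malloc, which can touch the error queue.` so the pairing survives future refactors.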
@@ -174,13 +185,9 @@ static void err_copy(struct err_error_st *dst, const struct err_error_st *src) { err_clear(dst); dst->file = src->file; if (src->data != NULL) { - // Disable deprecated functions on msvc so it doesn't complain about strdup. - OPENSSL_MSVC_PRAGMA(warning(push)) - OPENSSL_MSVC_PRAGMA(warning(disable : 4996)) // We can't use OPENSSL_strdup because we don't want to call OPENSSL_malloc, // which can affect the error stack. - dst->data = strdup(src->data); - OPENSSL_MSVC_PRAGMA(warning(pop)) + dst->data = strdup_libc_malloc(src->data); } dst->packed = src->packed; dst->line = src->line; 
@@ -428,50 +435,52 @@ static const char *err_string_lookup(uint32_t lib, uint32_t key, return &string_data[(*result) & 0x7fff]; } -static const char *const kLibraryNames[ERR_NUM_LIBS] = { - "invalid library (0)", - "unknown library", // ERR_LIB_NONE - "system library", // ERR_LIB_SYS - "bignum routines", // ERR_LIB_BN - "RSA routines", // ERR_LIB_RSA - "Diffie-Hellman routines", // ERR_LIB_DH - "public key routines", // ERR_LIB_EVP - "memory buffer routines", // ERR_LIB_BUF - "object identifier routines", // ERR_LIB_OBJ - "PEM routines", // ERR_LIB_PEM - "DSA routines", // ERR_LIB_DSA - "X.509 certificate routines", // ERR_LIB_X509 - "ASN.1 encoding routines", // ERR_LIB_ASN1 - "configuration file routines", // ERR_LIB_CONF - "common libcrypto routines", // ERR_LIB_CRYPTO - "elliptic curve routines", // ERR_LIB_EC - "SSL routines", // ERR_LIB_SSL - "BIO routines", // ERR_LIB_BIO - "PKCS7 routines", // ERR_LIB_PKCS7 - "PKCS8 routines", // ERR_LIB_PKCS8 - "X509 V3 routines", // ERR_LIB_X509V3 - "random number generator", // ERR_LIB_RAND - "ENGINE routines", // ERR_LIB_ENGINE - "OCSP routines", // ERR_LIB_OCSP - "UI routines", // ERR_LIB_UI - "COMP routines", // ERR_LIB_COMP - "ECDSA routines", // ERR_LIB_ECDSA - "ECDH routines", // ERR_LIB_ECDH - "HMAC routines", // ERR_LIB_HMAC - "Digest functions", // ERR_LIB_DIGEST - "Cipher functions", // ERR_LIB_CIPHER - "HKDF functions", // ERR_LIB_HKDF - "Trust Token functions", // ERR_LIB_TRUST_TOKEN - "User defined functions", // ERR_LIB_USER +typedef struct library_name_st { + const char *str; + const char *symbol; + const char *reason_symbol; +} LIBRARY_NAME; + +static const LIBRARY_NAME kLibraryNames[ERR_NUM_LIBS] = { + {"invalid library (0)", NULL, NULL}, + {"unknown library", "NONE", "NONE_LIB"}, + {"system library", "SYS", "SYS_LIB"}, + {"bignum routines", "BN", "BN_LIB"}, + {"RSA routines", "RSA", "RSA_LIB"}, + {"Diffie-Hellman routines", "DH", "DH_LIB"}, + {"public key routines", "EVP", "EVP_LIB"}, + {"memory buffer 
routines", "BUF", "BUF_LIB"}, + {"object identifier routines", "OBJ", "OBJ_LIB"}, + {"PEM routines", "PEM", "PEM_LIB"}, + {"DSA routines", "DSA", "DSA_LIB"}, + {"X.509 certificate routines", "X509", "X509_LIB"}, + {"ASN.1 encoding routines", "ASN1", "ASN1_LIB"}, + {"configuration file routines", "CONF", "CONF_LIB"}, + {"common libcrypto routines", "CRYPTO", "CRYPTO_LIB"}, + {"elliptic curve routines", "EC", "EC_LIB"}, + {"SSL routines", "SSL", "SSL_LIB"}, + {"BIO routines", "BIO", "BIO_LIB"}, + {"PKCS7 routines", "PKCS7", "PKCS7_LIB"}, + {"PKCS8 routines", "PKCS8", "PKCS8_LIB"}, + {"X509 V3 routines", "X509V3", "X509V3_LIB"}, + {"random number generator", "RAND", "RAND_LIB"}, + {"ENGINE routines", "ENGINE", "ENGINE_LIB"}, + {"OCSP routines", "OCSP", "OCSP_LIB"}, + {"UI routines", "UI", "UI_LIB"}, + {"COMP routines", "COMP", "COMP_LIB"}, + {"ECDSA routines", "ECDSA", "ECDSA_LIB"}, + {"ECDH routines", "ECDH", "ECDH_LIB"}, + {"HMAC routines", "HMAC", "HMAC_LIB"}, + {"Digest functions", "DIGEST", "DIGEST_LIB"}, + {"Cipher functions", "CIPHER", "CIPHER_LIB"}, + {"HKDF functions", "HKDF", "HKDF_LIB"}, + {"Trust Token functions", "TRUST_TOKEN", "TRUST_TOKEN_LIB"}, + {"User defined functions", "USER", "USER_LIB"}, }; static const char *err_lib_error_string(uint32_t packed_error) { const uint32_t lib = ERR_GET_LIB(packed_error); - - if (lib >= ERR_NUM_LIBS) { - return NULL; - } - return kLibraryNames[lib]; + return lib >= ERR_NUM_LIBS ? NULL : kLibraryNames[lib].str; } const char *ERR_lib_error_string(uint32_t packed_error) { 
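Review bot: The rewritten kLibraryNames table drops the per-row `// ERR_LIB_*` comments that tied each entry to its constant, and because the array is sized `[ERR_NUM_LIBS]` a missing or misordered row silently becomes an all-NULL entry that err_lib_error_string then returns as NULL. Designated initialisers, e.g. `[ERR_LIB_BN] = {"bignum routines", "BN", "BN_LIB"},` for each row, bind the strings to their constants and let the compiler reject duplicates. err_reason_error_string in the -479 hunk reads the same table for `reason < ERR_NUM_LIBS` and would benefit equally.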
@@ -479,51 +488,67 @@ const char *ERR_lib_error_string(uint32_t packed_error) { return ret == NULL ? "unknown library" : ret; } +const char *ERR_lib_symbol_name(uint32_t packed_error) { + const uint32_t lib = ERR_GET_LIB(packed_error); + return lib >= ERR_NUM_LIBS ? NULL : kLibraryNames[lib].symbol; +} + const char *ERR_func_error_string(uint32_t packed_error) { return "OPENSSL_internal"; } -static const char *err_reason_error_string(uint32_t packed_error) { +static const char *err_reason_error_string(uint32_t packed_error, int symbol) { const uint32_t lib = ERR_GET_LIB(packed_error); const uint32_t reason = ERR_GET_REASON(packed_error); if (lib == ERR_LIB_SYS) { - if (reason < 127) { + if (!symbol && reason < 127) { return strerror(reason); } return NULL; } if (reason < ERR_NUM_LIBS) { - return kLibraryNames[reason]; + return symbol ? kLibraryNames[reason].reason_symbol + : kLibraryNames[reason].str; } if (reason < 100) { + // TODO(davidben): All our other reason strings match the symbol name. Only + // the common ones differ. Should we just consistently return the symbol + // name? switch (reason) { case ERR_R_MALLOC_FAILURE: - return "malloc failure"; + return symbol ? "MALLOC_FAILURE" : "malloc failure"; case ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED: - return "function should not have been called"; + return symbol ? "SHOULD_NOT_HAVE_BEEN_CALLED" + : "function should not have been called"; case ERR_R_PASSED_NULL_PARAMETER: - return "passed a null parameter"; + return symbol ? "PASSED_NULL_PARAMETER" : "passed a null parameter"; case ERR_R_INTERNAL_ERROR: - return "internal error"; + return symbol ? "INTERNAL_ERROR" : "internal error"; case ERR_R_OVERFLOW: - return "overflow"; + return symbol ? "OVERFLOW" : "overflow"; default: return NULL; } } + // Unlike OpenSSL, BoringSSL's reason strings already match symbol name, so we + // do not need to check |symbol|. 
return err_string_lookup(lib, reason, kOpenSSLReasonValues, kOpenSSLReasonValuesLen, kOpenSSLReasonStringData); } const char *ERR_reason_error_string(uint32_t packed_error) { - const char *ret = err_reason_error_string(packed_error); + const char *ret = err_reason_error_string(packed_error, /*symbol=*/0); return ret == NULL ? "unknown error" : ret; } +const char *ERR_reason_symbol_name(uint32_t packed_error) { + return err_reason_error_string(packed_error, /*symbol=*/1); +} + char *ERR_error_string(uint32_t packed_error, char *ret) { static char buf[ERR_ERROR_STRING_BUF_LEN]; @@ -550,7 +575,7 @@ char *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) { unsigned reason = ERR_GET_REASON(packed_error); const char *lib_str = err_lib_error_string(packed_error); - const char *reason_str = err_reason_error_string(packed_error); + const char *reason_str = err_reason_error_string(packed_error, /*symbol=*/0); char lib_buf[32], reason_buf[32]; if (lib_str == NULL) { @@ -749,13 +774,9 @@ void ERR_set_error_data(char *data, int flags) { assert(0); return; } - // Disable deprecated functions on msvc so it doesn't complain about strdup. - OPENSSL_MSVC_PRAGMA(warning(push)) - OPENSSL_MSVC_PRAGMA(warning(disable : 4996)) // We can not use OPENSSL_strdup because we don't want to call OPENSSL_malloc, // which can affect the error stack. - char *copy = strdup(data); - OPENSSL_MSVC_PRAGMA(warning(pop)) + char *copy = strdup_libc_malloc(data); if (copy != NULL) { err_set_error_data(copy); } diff --git a/Sources/CNIOBoringSSL/crypto/evp/evp.c b/Sources/CNIOBoringSSL/crypto/evp/evp.c index cd47ada69..8a102aa57 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/evp.c +++ b/Sources/CNIOBoringSSL/crypto/evp/evp.c @@ -59,12 +59,9 @@ #include #include -#include -#include #include #include #include -#include #include #include "internal.h" 
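Review bot: ERR_reason_symbol_name returns NULL for every ERR_LIB_SYS error, because err_reason_error_string only takes the `reason < 127` strerror branch when `!symbol`, and it also returns NULL wherever ERR_reason_error_string would fall back to `"unknown error"`. That asymmetry is presumably intended for tooling, but it belongs in a comment on the new function, e.g. `// Returns NULL for system errors and for reasons without a symbol; unlike ERR_reason_error_string there is no fallback string.` The five hard-coded symbol strings in the ERR_R_ switch must also stay in sync with the corresponding constant names, which the TODO could mention.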
@@ -149,9 +146,7 @@ int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b) {
int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) {
if (to->type == EVP_PKEY_NONE) {
- if (!EVP_PKEY_set_type(to, from->type)) {
- return 0;
- }
+ evp_pkey_set_method(to, from->ameth);
} else if (to->type != from->type) {
OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES);
return 0;
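Review bot: `evp_pkey_set_method(to, from->ameth)` runs without checking that |from| carries a method; evp_pkey_set_method (the -225 hunk) dereferences `pkey->ameth->pkey_id`, so if a |from| that is still EVP_PKEY_NONE has a NULL |ameth| this becomes a NULL dereference where the removed EVP_PKEY_set_type call presumably reported an error. Whether |ameth| can be NULL for such a key is not visible in this chunk; if it can, guard with `if (from->ameth == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_DIFFERENT_KEY_TYPES); return 0; }` or a more fitting EVP_R_ reason before the call. The remainder of EVP_PKEY_copy_parameters lies outside the hunk.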
@@ -225,117 +220,21 @@ static const EVP_PKEY_ASN1_METHOD *evp_pkey_asn1_find(int nid) { } } -static void evp_pkey_set_method(EVP_PKEY *pkey, - const EVP_PKEY_ASN1_METHOD *method) { +void evp_pkey_set_method(EVP_PKEY *pkey, const EVP_PKEY_ASN1_METHOD *method) { free_it(pkey); pkey->ameth = method; pkey->type = pkey->ameth->pkey_id; } int EVP_PKEY_type(int nid) { - const EVP_PKEY_ASN1_METHOD *meth = evp_pkey_asn1_find(nid); - if (meth == NULL) { - return NID_undef; - } - return meth->pkey_id; -} - -int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) { - if (EVP_PKEY_assign_RSA(pkey, key)) { - RSA_up_ref(key); - return 1; - } - return 0; -} - -int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) { - evp_pkey_set_method(pkey, &rsa_asn1_meth); - pkey->pkey = key; - return key != NULL; -} - -RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) { - if (pkey->type != EVP_PKEY_RSA) { - OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_RSA_KEY); - return NULL; - } - return pkey->pkey; -} - -RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey) { - RSA *rsa = EVP_PKEY_get0_RSA(pkey); - if (rsa != NULL) { - RSA_up_ref(rsa); - } - return rsa; + // In OpenSSL, this was used to map between type aliases. BoringSSL supports + // no type aliases, so this function is just the identity. 
+ return nid; } -int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) { - if (EVP_PKEY_assign_DSA(pkey, key)) { - DSA_up_ref(key); - return 1; - } - return 0; -} - -int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key) { - evp_pkey_set_method(pkey, &dsa_asn1_meth); - pkey->pkey = key; - return key != NULL; -} - -DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) { - if (pkey->type != EVP_PKEY_DSA) { - OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_A_DSA_KEY); - return NULL; - } - return pkey->pkey; -} - -DSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey) { - DSA *dsa = EVP_PKEY_get0_DSA(pkey); - if (dsa != NULL) { - DSA_up_ref(dsa); - } - return dsa; -} - -int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { - if (EVP_PKEY_assign_EC_KEY(pkey, key)) { - EC_KEY_up_ref(key); - return 1; - } - return 0; -} - -int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { - evp_pkey_set_method(pkey, &ec_asn1_meth); - pkey->pkey = key; - return key != NULL; -} - -EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) { - if (pkey->type != EVP_PKEY_EC) { - OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_EC_KEY_KEY); - return NULL; - } - return pkey->pkey; -} - -EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey) { - EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); - if (ec_key != NULL) { - EC_KEY_up_ref(ec_key); - } - return ec_key; -} - -DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) { return NULL; } -DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey) { return NULL; } - int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { - // This function can only be used to assign RSA, DSA, and EC keys. Other key - // types have internal representations which are not exposed through the + // This function can only be used to assign RSA, DSA, EC, and DH keys. Other + // key types have internal representations which are not exposed through the // public API. switch (type) { case EVP_PKEY_RSA: 
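Review bot: EVP_PKEY_type now returns `nid` unchanged, so an unknown or unsupported nid is no longer mapped to NID_undef as the removed evp_pkey_asn1_find lookup did; any caller that used `EVP_PKEY_type(x) != NID_undef` as a support check now always passes. If that is the intended new contract the comment should say so explicitly, e.g. append `// Unsupported nids are returned as-is rather than mapped to NID_undef.`; otherwise keep a lookup over the supported set. evp_pkey_set_method losing `static` makes it part of the internal interface used by evp_asn1.c, so its declaration (presumably in internal.h) should carry the contract comment that `method` must be non-NULL since `method->pkey_id` is read unconditionally.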
@@ -344,6 +243,8 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { return EVP_PKEY_assign_DSA(pkey, key); case EVP_PKEY_EC: return EVP_PKEY_assign_EC_KEY(pkey, key); + case EVP_PKEY_DH: + return EVP_PKEY_assign_DH(pkey, key); } OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM); @@ -375,16 +276,26 @@ int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) { EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused, const uint8_t *in, size_t len) { - EVP_PKEY *ret = EVP_PKEY_new(); - if (ret == NULL || - !EVP_PKEY_set_type(ret, type)) { - goto err; + // To avoid pulling in all key types, look for specifically the key types that + // support |set_priv_raw|. + const EVP_PKEY_ASN1_METHOD *method; + switch (type) { + case EVP_PKEY_X25519: + method = &x25519_asn1_meth; + break; + case EVP_PKEY_ED25519: + method = &ed25519_asn1_meth; + break; + default: + OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM); + return 0; } - if (ret->ameth->set_priv_raw == NULL) { - OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + EVP_PKEY *ret = EVP_PKEY_new(); + if (ret == NULL) { goto err; } + evp_pkey_set_method(ret, method); if (!ret->ameth->set_priv_raw(ret, in, len)) { goto err; 
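Review bot: In EVP_PKEY_new_raw_private_key the new `default:` branch ends in `return 0;` although the function returns `EVP_PKEY *`; it compiles as a null pointer constant but should read `return NULL;` to match the `goto err` path and the rest of the file. The same pattern appears in EVP_PKEY_new_raw_public_key in the -399 hunk. Note also that an unsupported type now reports EVP_R_UNSUPPORTED_ALGORITHM where the removed code reported EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE for known-but-non-raw types such as RSA, so callers keyed on the old reason will see a different error; worth a line in the header comment or release notes.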
@@ -399,16 +310,26 @@ EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused, EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *unused, const uint8_t *in, size_t len) { - EVP_PKEY *ret = EVP_PKEY_new(); - if (ret == NULL || - !EVP_PKEY_set_type(ret, type)) { - goto err; + // To avoid pulling in all key types, look for specifically the key types that + // support |set_pub_raw|. + const EVP_PKEY_ASN1_METHOD *method; + switch (type) { + case EVP_PKEY_X25519: + method = &x25519_asn1_meth; + break; + case EVP_PKEY_ED25519: + method = &ed25519_asn1_meth; + break; + default: + OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM); + return 0; } - if (ret->ameth->set_pub_raw == NULL) { - OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + EVP_PKEY *ret = EVP_PKEY_new(); + if (ret == NULL) { goto err; } + evp_pkey_set_method(ret, method); if (!ret->ameth->set_pub_raw(ret, in, len)) { goto err; diff --git a/Sources/CNIOBoringSSL/crypto/evp/evp_asn1.c b/Sources/CNIOBoringSSL/crypto/evp/evp_asn1.c index 8bafb3672..059ff7823 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/evp_asn1.c +++ b/Sources/CNIOBoringSSL/crypto/evp/evp_asn1.c @@ -69,6 +69,7 @@ #include "../internal.h" +// We intentionally omit |dh_asn1_meth| from this list. It is not serializable. static const EVP_PKEY_ASN1_METHOD *const kASN1Methods[] = { &rsa_asn1_meth, &ec_asn1_meth, 
@@ -77,28 +78,26 @@ static const EVP_PKEY_ASN1_METHOD *const kASN1Methods[] = { &x25519_asn1_meth, }; -static int parse_key_type(CBS *cbs, int *out_type) { +static const EVP_PKEY_ASN1_METHOD *parse_key_type(CBS *cbs) { CBS oid; if (!CBS_get_asn1(cbs, &oid, CBS_ASN1_OBJECT)) { - return 0; + return NULL; } for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kASN1Methods); i++) { const EVP_PKEY_ASN1_METHOD *method = kASN1Methods[i]; if (CBS_len(&oid) == method->oid_len && OPENSSL_memcmp(CBS_data(&oid), method->oid, method->oid_len) == 0) { - *out_type = method->pkey_id; - return 1; + return method; } } - return 0; + return NULL; } EVP_PKEY *EVP_parse_public_key(CBS *cbs) { // Parse the SubjectPublicKeyInfo. CBS spki, algorithm, key; - int type; uint8_t padding; if (!CBS_get_asn1(cbs, &spki, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || @@ -107,7 +106,8 @@ EVP_PKEY *EVP_parse_public_key(CBS *cbs) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return NULL; } - if (!parse_key_type(&algorithm, &type)) { + const EVP_PKEY_ASN1_METHOD *method = parse_key_type(&algorithm); + if (method == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM); return NULL; } @@ -121,10 +121,10 @@ EVP_PKEY *EVP_parse_public_key(CBS *cbs) { // Set up an |EVP_PKEY| of the appropriate type. EVP_PKEY *ret = EVP_PKEY_new(); - if (ret == NULL || - !EVP_PKEY_set_type(ret, type)) { + if (ret == NULL) { goto err; } + evp_pkey_set_method(ret, method); // Call into the type-specific SPKI decoding function. if (ret->ameth->pub_decode == NULL) { @@ -155,7 +155,6 @@ EVP_PKEY *EVP_parse_private_key(CBS *cbs) { // Parse the PrivateKeyInfo. CBS pkcs8, algorithm, key; uint64_t version; - int type; if (!CBS_get_asn1(cbs, &pkcs8, CBS_ASN1_SEQUENCE) || !CBS_get_asn1_uint64(&pkcs8, &version) || version != 0 || 
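Review bot: parse_key_type now returns a method pointer but has no comment on its contract, and NULL covers both a malformed OBJECT IDENTIFIER and an unrecognized OID; both callers then report EVP_R_UNSUPPORTED_ALGORITHM for either case. Suggest above the definition: `// parse_key_type returns the |EVP_PKEY_ASN1_METHOD| whose OID matches the next OBJECT IDENTIFIER in |cbs|, or NULL if |cbs| is malformed or the OID is not in |kASN1Methods|.` Since parsing can only ever produce a method from that table, the new comment on kASN1Methods about omitting |dh_asn1_meth| is the right place to also say that DH keys are therefore not decodable through EVP_parse_public_key/EVP_parse_private_key.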
@@ -164,7 +163,8 @@ EVP_PKEY *EVP_parse_private_key(CBS *cbs) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return NULL; } - if (!parse_key_type(&algorithm, &type)) { + const EVP_PKEY_ASN1_METHOD *method = parse_key_type(&algorithm); + if (method == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_ALGORITHM); return NULL; } @@ -173,10 +173,10 @@ EVP_PKEY *EVP_parse_private_key(CBS *cbs) { // Set up an |EVP_PKEY| of the appropriate type. EVP_PKEY *ret = EVP_PKEY_new(); - if (ret == NULL || - !EVP_PKEY_set_type(ret, type)) { + if (ret == NULL) { goto err; } + evp_pkey_set_method(ret, method); // Call into the type-specific PrivateKeyInfo decoding function. if (ret->ameth->priv_decode == NULL) { diff --git a/Sources/CNIOBoringSSL/crypto/evp/internal.h b/Sources/CNIOBoringSSL/crypto/evp/internal.h index 1fc5e7fc7..190518764 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/internal.h +++ b/Sources/CNIOBoringSSL/crypto/evp/internal.h @@ -213,6 +213,7 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, #define EVP_PKEY_CTRL_HKDF_KEY (EVP_PKEY_ALG_CTRL + 16) #define EVP_PKEY_CTRL_HKDF_SALT (EVP_PKEY_ALG_CTRL + 17) #define EVP_PKEY_CTRL_HKDF_INFO (EVP_PKEY_ALG_CTRL + 18) +#define EVP_PKEY_CTRL_DH_PAD (EVP_PKEY_ALG_CTRL + 19) struct evp_pkey_ctx_st { // Method associated with this operation 
@@ -288,12 +289,18 @@ extern const EVP_PKEY_ASN1_METHOD ec_asn1_meth; extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meth; extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth; extern const EVP_PKEY_ASN1_METHOD x25519_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; extern const EVP_PKEY_METHOD rsa_pkey_meth; extern const EVP_PKEY_METHOD ec_pkey_meth; extern const EVP_PKEY_METHOD ed25519_pkey_meth; extern const EVP_PKEY_METHOD x25519_pkey_meth; extern const EVP_PKEY_METHOD hkdf_pkey_meth; +extern const EVP_PKEY_METHOD dh_pkey_meth; + +// evp_pkey_set_method behaves like |EVP_PKEY_set_type|, but takes a pointer to +// a method table. This avoids depending on every |EVP_PKEY_ASN1_METHOD|. +void evp_pkey_set_method(EVP_PKEY *pkey, const EVP_PKEY_ASN1_METHOD *method); #if defined(__cplusplus) diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_dh.c b/Sources/CNIOBoringSSL/crypto/evp/p_dh.c new file mode 100644 index 000000000..fd7d14e43 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/evp/p_dh.c 
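Review bot: The declaration comment for evp_pkey_set_method does not say what happens to a key already held by |pkey|, yet the new EVP_PKEY_assign_DH/DSA/EC_KEY/RSA implementations in this patch overwrite `pkey->pkey` right after calling it, so whether the previous key is released is part of the contract they rely on. If the definition (not in this diff) frees the existing key the way EVP_PKEY_set_type does, state it: `// Any key already held by |pkey| is freed. |method| must outlive |pkey|.`; if it does not, the assign functions leak on reassignment and that needs fixing instead.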
@@ -0,0 +1,137 @@ +/* + * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#include + +#include +#include +#include + +#include "internal.h" + + +typedef struct dh_pkey_ctx_st { + int pad; +} DH_PKEY_CTX; + +static int pkey_dh_init(EVP_PKEY_CTX *ctx) { + DH_PKEY_CTX *dctx = OPENSSL_zalloc(sizeof(DH_PKEY_CTX)); + if (dctx == NULL) { + return 0; + } + + ctx->data = dctx; + return 1; +} + +static int pkey_dh_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { + if (!pkey_dh_init(dst)) { + return 0; + } + + const DH_PKEY_CTX *sctx = src->data; + DH_PKEY_CTX *dctx = dst->data; + dctx->pad = sctx->pad; + return 1; +} + +static void pkey_dh_cleanup(EVP_PKEY_CTX *ctx) { + OPENSSL_free(ctx->data); + ctx->data = NULL; +} + +static int pkey_dh_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { + DH *dh = DH_new(); + if (dh == NULL || !EVP_PKEY_assign_DH(pkey, dh)) { + DH_free(dh); + return 0; + } + + if (ctx->pkey != NULL && !EVP_PKEY_copy_parameters(pkey, ctx->pkey)) { + return 0; + } + + return DH_generate_key(dh); +} + +static int pkey_dh_derive(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len) { + DH_PKEY_CTX *dctx = ctx->data; + if (ctx->pkey == NULL || ctx->peerkey == NULL) { + OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET); + return 0; + } + + DH *our_key = ctx->pkey->pkey; + DH *peer_key = ctx->peerkey->pkey; + if (our_key == NULL || peer_key == NULL) { + OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET); + return 0; + } + + const BIGNUM *pub_key = DH_get0_pub_key(peer_key); + if (pub_key == NULL) { + OPENSSL_PUT_ERROR(EVP, EVP_R_KEYS_NOT_SET); + return 0; + } + + if (out == NULL) { + *out_len = DH_size(our_key); + return 1; + } + + if (*out_len < (size_t)DH_size(our_key)) { + OPENSSL_PUT_ERROR(EVP, 
EVP_R_BUFFER_TOO_SMALL); + return 0; + } + + int ret = dctx->pad ? DH_compute_key_padded(out, pub_key, our_key) + : DH_compute_key(out, pub_key, our_key); + if (ret < 0) { + return 0; + } + + assert(ret <= DH_size(our_key)); + *out_len = (size_t)ret; + return 1; +} + +static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { + DH_PKEY_CTX *dctx = ctx->data; + switch (type) { + case EVP_PKEY_CTRL_PEER_KEY: + // |EVP_PKEY_derive_set_peer| requires the key implement this command, + // even if it is a no-op. + return 1; + + case EVP_PKEY_CTRL_DH_PAD: + dctx->pad = p1; + return 1; + + default: + OPENSSL_PUT_ERROR(EVP, EVP_R_COMMAND_NOT_SUPPORTED); + return 0; + } +} + +const EVP_PKEY_METHOD dh_pkey_meth = { + .pkey_id = EVP_PKEY_DH, + .init = pkey_dh_init, + .copy = pkey_dh_copy, + .cleanup = pkey_dh_cleanup, + .keygen = pkey_dh_keygen, + .derive = pkey_dh_derive, + .ctrl = pkey_dh_ctrl, +}; + +int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad) { + return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DH, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_DH_PAD, pad, NULL); +} diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_dh_asn1.c b/Sources/CNIOBoringSSL/crypto/evp/p_dh_asn1.c new file mode 100644 index 000000000..5945846f5 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/evp/p_dh_asn1.c 
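Review bot: pkey_dh_derive defaults to the unpadded DH_compute_key, because `pad` starts at zero from the OPENSSL_zalloc in pkey_dh_init, so the returned length varies with the number of leading zero bytes of the shared secret; that length (and the work spent on it) is an observable that the padded variant exists to remove. Either default `pad` to 1 or document the expectation on EVP_PKEY_CTX_set_dh_pad: `// Callers should normally enable padding so the derived secret always has length DH_size(), independent of leading zero bytes.` Peer public-key validation is not visible in this file — nothing checks |pub_key| beyond NULL, so it is presumably done inside DH_compute_key/DH_compute_key_padded; confirm that. `DH *our_key = ctx->pkey->pkey` also assumes both EVP_PKEYs are DH keys, which is fine only if EVP_PKEY_derive_set_peer already enforces matching types.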
@@ -0,0 +1,120 @@ +/* + * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#include +#include +#include + +#include "internal.h" +#include "../internal.h" + + +static void dh_free(EVP_PKEY *pkey) { + DH_free(pkey->pkey); + pkey->pkey = NULL; +} + +static int dh_size(const EVP_PKEY *pkey) { return DH_size(pkey->pkey); } + +static int dh_bits(const EVP_PKEY *pkey) { return DH_bits(pkey->pkey); } + +static int dh_param_missing(const EVP_PKEY *pkey) { + const DH *dh = pkey->pkey; + return dh == NULL || DH_get0_p(dh) == NULL || DH_get0_g(dh) == NULL; +} + +static int dh_param_copy(EVP_PKEY *to, const EVP_PKEY *from) { + if (dh_param_missing(from)) { + OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS); + return 0; + } + + const DH *dh = from->pkey; + const BIGNUM *q_old = DH_get0_q(dh); + BIGNUM *p = BN_dup(DH_get0_p(dh)); + BIGNUM *q = q_old == NULL ? NULL : BN_dup(q_old); + BIGNUM *g = BN_dup(DH_get0_g(dh)); + if (p == NULL || (q_old != NULL && q == NULL) || g == NULL || + !DH_set0_pqg(to->pkey, p, q, g)) { + BN_free(p); + BN_free(q); + BN_free(g); + return 0; + } + + // |DH_set0_pqg| took ownership of |p|, |q|, and |g|. + return 1; +} + +static int dh_param_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { + if (dh_param_missing(a) || dh_param_missing(b)) { + return -2; + } + + // Matching OpenSSL, only compare p and g for PKCS#3-style Diffie-Hellman. + // OpenSSL only checks q in X9.42-style Diffie-Hellman ("DHX"). 
+ const DH *a_dh = a->pkey; + const DH *b_dh = b->pkey; + return BN_cmp(DH_get0_p(a_dh), DH_get0_p(b_dh)) == 0 && + BN_cmp(DH_get0_g(a_dh), DH_get0_g(b_dh)) == 0; +} + +static int dh_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { + if (dh_param_cmp(a, b) <= 0) { + return 0; + } + + const DH *a_dh = a->pkey; + const DH *b_dh = b->pkey; + return BN_cmp(DH_get0_pub_key(a_dh), DH_get0_pub_key(b_dh)) == 0; +} + +const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { + .pkey_id = EVP_PKEY_DH, + .pkey_method = &dh_pkey_meth, + .pub_cmp = dh_pub_cmp, + .pkey_size = dh_size, + .pkey_bits = dh_bits, + .param_missing = dh_param_missing, + .param_copy = dh_param_copy, + .param_cmp = dh_param_cmp, + .pkey_free = dh_free, +}; + +int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) { + if (EVP_PKEY_assign_DH(pkey, key)) { + DH_up_ref(key); + return 1; + } + return 0; +} + +int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key) { + evp_pkey_set_method(pkey, &dh_asn1_meth); + pkey->pkey = key; + return key != NULL; +} + +DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey) { + if (pkey->type != EVP_PKEY_DH) { + OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_A_DH_KEY); + return NULL; + } + return pkey->pkey; +} + +DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey) { + DH *dh = EVP_PKEY_get0_DH(pkey); + if (dh != NULL) { + DH_up_ref(dh); + } + return dh; +} diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_dsa_asn1.c b/Sources/CNIOBoringSSL/crypto/evp/p_dsa_asn1.c index 7d40547af..84bb6ea49 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/p_dsa_asn1.c +++ b/Sources/CNIOBoringSSL/crypto/evp/p_dsa_asn1.c 
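Review bot: dh_param_copy hands `to->pkey` straight to DH_set0_pqg without checking it is non-NULL, while dh_param_missing does guard `dh == NULL` on the source side; if EVP_PKEY_copy_parameters can be called on a destination whose type was just set but which holds no DH object yet (that path is not in this diff), this dereferences NULL inside DH_set0_pqg. Add `if (to->pkey == NULL) { OPENSSL_PUT_ERROR(EVP, EVP_R_MISSING_PARAMETERS); return 0; }` ahead of the BN_dup calls, or a comment stating that the caller guarantees `to->pkey != NULL`. dh_pub_cmp's `<= 0` test relies on dh_param_cmp returning exactly 1 on a match, which the `&&` expression does give, but a one-line comment on dh_param_cmp saying so would help the next reader.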
@@ -306,3 +306,33 @@ int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits) { OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } + +int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key) { + if (EVP_PKEY_assign_DSA(pkey, key)) { + DSA_up_ref(key); + return 1; + } + return 0; +} + +int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key) { + evp_pkey_set_method(pkey, &dsa_asn1_meth); + pkey->pkey = key; + return key != NULL; +} + +DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey) { + if (pkey->type != EVP_PKEY_DSA) { + OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_A_DSA_KEY); + return NULL; + } + return pkey->pkey; +} + +DSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey) { + DSA *dsa = EVP_PKEY_get0_DSA(pkey); + if (dsa != NULL) { + DSA_up_ref(dsa); + } + return dsa; +} diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_ec.c b/Sources/CNIOBoringSSL/crypto/evp/p_ec.c index f641477da..8ce59b601 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/p_ec.c +++ b/Sources/CNIOBoringSSL/crypto/evp/p_ec.c @@ -90,15 +90,14 @@ static int pkey_ec_init(EVP_PKEY_CTX *ctx) { } static int pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { - EC_PKEY_CTX *dctx, *sctx; if (!pkey_ec_init(dst)) { return 0; } - sctx = src->data; - dctx = dst->data; + const EC_PKEY_CTX *sctx = src->data; + EC_PKEY_CTX *dctx = dst->data; dctx->md = sctx->md; - + dctx->gen_group = sctx->gen_group; return 1; } diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_ec_asn1.c b/Sources/CNIOBoringSSL/crypto/evp/p_ec_asn1.c index e536617f9..e6e352dd0 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/p_ec_asn1.c +++ b/Sources/CNIOBoringSSL/crypto/evp/p_ec_asn1.c 
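Review bot: pkey_ec_copy now shallow-copies `gen_group` by pointer, which is sound only if the context does not own the group. I'd expect `gen_group` to be a borrowed `const EC_GROUP *` pointing at a built-in group, but neither the field declaration nor its setter is in this diff; if the group were owned, the copy would need its own reference and cleanup would release it twice. A one-line comment settles it: `// |gen_group| is borrowed (built-in groups are static), so a shallow copy suffices.`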
@@ -300,3 +300,33 @@ const EVP_PKEY_ASN1_METHOD ec_asn1_meth = { int_ec_free, }; + +int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { + if (EVP_PKEY_assign_EC_KEY(pkey, key)) { + EC_KEY_up_ref(key); + return 1; + } + return 0; +} + +int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key) { + evp_pkey_set_method(pkey, &ec_asn1_meth); + pkey->pkey = key; + return key != NULL; +} + +EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) { + if (pkey->type != EVP_PKEY_EC) { + OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_EC_KEY_KEY); + return NULL; + } + return pkey->pkey; +} + +EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey) { + EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey); + if (ec_key != NULL) { + EC_KEY_up_ref(ec_key); + } + return ec_key; +} diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_ed25519.c b/Sources/CNIOBoringSSL/crypto/evp/p_ed25519.c index 33acd5c5e..4acb67fc1 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/p_ed25519.c +++ b/Sources/CNIOBoringSSL/crypto/evp/p_ed25519.c @@ -30,10 +30,7 @@ static int pkey_ed25519_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { return 0; } - if (!EVP_PKEY_set_type(pkey, EVP_PKEY_ED25519)) { - OPENSSL_free(key); - return 0; - } + evp_pkey_set_method(pkey, &ed25519_asn1_meth); uint8_t pubkey_unused[32]; ED25519_keypair(pubkey_unused, key->key); diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_rsa_asn1.c b/Sources/CNIOBoringSSL/crypto/evp/p_rsa_asn1.c index dfe3d9d32..b509aa0d3 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/p_rsa_asn1.c +++ b/Sources/CNIOBoringSSL/crypto/evp/p_rsa_asn1.c 
@@ -209,3 +209,33 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meth = { int_rsa_free, }; + +int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key) { + if (EVP_PKEY_assign_RSA(pkey, key)) { + RSA_up_ref(key); + return 1; + } + return 0; +} + +int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key) { + evp_pkey_set_method(pkey, &rsa_asn1_meth); + pkey->pkey = key; + return key != NULL; +} + +RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) { + if (pkey->type != EVP_PKEY_RSA) { + OPENSSL_PUT_ERROR(EVP, EVP_R_EXPECTING_AN_RSA_KEY); + return NULL; + } + return pkey->pkey; +} + +RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey) { + RSA *rsa = EVP_PKEY_get0_RSA(pkey); + if (rsa != NULL) { + RSA_up_ref(rsa); + } + return rsa; +} diff --git a/Sources/CNIOBoringSSL/crypto/evp/p_x25519.c b/Sources/CNIOBoringSSL/crypto/evp/p_x25519.c index 7297862b2..c1d8fad4d 100644 --- a/Sources/CNIOBoringSSL/crypto/evp/p_x25519.c +++ b/Sources/CNIOBoringSSL/crypto/evp/p_x25519.c @@ -30,10 +30,7 @@ static int pkey_x25519_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { return 0; } - if (!EVP_PKEY_set_type(pkey, EVP_PKEY_X25519)) { - OPENSSL_free(key); - return 0; - } + evp_pkey_set_method(pkey, &x25519_asn1_meth); X25519_keypair(key->pub, key->priv); key->has_private = 1; diff --git a/Sources/CNIOBoringSSL/crypto/ex_data.c b/Sources/CNIOBoringSSL/crypto/ex_data.c index c18244e55..3480722bc 100644 --- a/Sources/CNIOBoringSSL/crypto/ex_data.c +++ b/Sources/CNIOBoringSSL/crypto/ex_data.c @@ -132,11 +132,11 @@ struct crypto_ex_data_func_st { CRYPTO_EX_DATA_FUNCS *next; }; -int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index, - long argl, void *argp, CRYPTO_EX_free *free_func) { +int CRYPTO_get_ex_new_index_ex(CRYPTO_EX_DATA_CLASS *ex_data_class, long argl, + void *argp, CRYPTO_EX_free *free_func) { CRYPTO_EX_DATA_FUNCS *funcs = OPENSSL_malloc(sizeof(CRYPTO_EX_DATA_FUNCS)); if (funcs == NULL) { - return 0; + return -1; } funcs->argl = argl; 
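Review bot: CRYPTO_get_ex_new_index_ex folds the index and the failure signal into one `int` return (-1 on failure, otherwise the index) but carries no comment saying so at the definition; the `@@ -151` and `@@ -166` hunks of the same function complete the convention. The existing `INT_MAX - num_reserved` check already guarantees the result fits, so a comment is all that is needed: `// Returns the newly allocated index, or -1 on error.` Callers of the removed out-parameter form must now test `< 0` rather than `== 0`; those call sites are outside this diff.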
@@ -151,7 +151,7 @@ int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index, if (num_funcs > (size_t)(INT_MAX - ex_data_class->num_reserved)) { OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW); CRYPTO_MUTEX_unlock_write(&ex_data_class->lock); - return 0; + return -1; } // Append |funcs| to the linked list. @@ -166,8 +166,7 @@ int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, int *out_index, CRYPTO_atomic_store_u32(&ex_data_class->num_funcs, num_funcs + 1); CRYPTO_MUTEX_unlock_write(&ex_data_class->lock); - *out_index = (int)num_funcs + ex_data_class->num_reserved; - return 1; + return (int)num_funcs + ex_data_class->num_reserved; } int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val) { @@ -215,7 +214,7 @@ void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, void *obj, } uint32_t num_funcs = CRYPTO_atomic_load_u32(&ex_data_class->num_funcs); - // |CRYPTO_get_ex_new_index| will not allocate indices beyond |INT_MAX|. + // |CRYPTO_get_ex_new_index_ex| will not allocate indices beyond |INT_MAX|. assert(num_funcs <= (size_t)(INT_MAX - ex_data_class->num_reserved)); // Defer dereferencing |ex_data_class->funcs| and |funcs->next|. It must come diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes.c.inc similarity index 85% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes.c.inc index 39053138d..fe14bca9f 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes.c.inc 
@@ -104,3 +104,24 @@ int AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey) { return aes_nohw_set_decrypt_key(key, bits, aeskey); } } + +#if defined(HWAES) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64)) +// On x86 and x86_64, |aes_hw_set_decrypt_key|, we implement +// |aes_hw_encrypt_key_to_decrypt_key| in assembly and rely on C code to combine +// the operations. +int aes_hw_set_decrypt_key(const uint8_t *user_key, int bits, AES_KEY *key) { + int ret = aes_hw_set_encrypt_key(user_key, bits, key); + if (ret == 0) { + aes_hw_encrypt_key_to_decrypt_key(key); + } + return ret; +} + +int aes_hw_set_encrypt_key(const uint8_t *user_key, int bits, AES_KEY *key) { + if (aes_hw_set_encrypt_key_alt_preferred()) { + return aes_hw_set_encrypt_key_alt(user_key, bits, key); + } else { + return aes_hw_set_encrypt_key_base(user_key, bits, key); + } +} +#endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes_nohw.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes_nohw.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes_nohw.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/aes/aes_nohw.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/internal.h index 98b2a14d8..2061cc811 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/internal.h @@ -17,6 +17,8 @@ #include +#include + #include "../../internal.h" #if defined(__cplusplus) 
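Review bot: The comment above aes_hw_set_decrypt_key is garbled ("|aes_hw_set_decrypt_key|, we implement |aes_hw_encrypt_key_to_decrypt_key| in assembly") and should read `// On x86 and x86_64, the assembly provides |aes_hw_set_encrypt_key_*| and` / `// |aes_hw_encrypt_key_to_decrypt_key|; this C code combines them to form` / `// |aes_hw_set_decrypt_key|.`. The success test `ret == 0` depends on the assembly's return convention — presumably 0 on success and negative on a NULL pointer or unsupported key length, mirroring the -1/-2 codes in the removed ARM version, but confirm against the x86 assembly — so a note `// The assembly returns 0 on success and a negative value on error.` would keep it from being misread as a boolean. aes_hw_set_encrypt_key also chooses the alt variant on `aes_hw_set_encrypt_key_alt_preferred()` alone rather than `_capable()`; that is correct only because AVX implies SSSE3, which is worth stating next to the call.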
@@ -66,17 +68,41 @@ OPENSSL_INLINE int vpaes_capable(void) { return CRYPTO_is_NEON_capable(); } #if defined(HWAES) -int aes_hw_set_encrypt_key(const uint8_t *user_key, const int bits, - AES_KEY *key); -int aes_hw_set_decrypt_key(const uint8_t *user_key, const int bits, - AES_KEY *key); +int aes_hw_set_encrypt_key(const uint8_t *user_key, int bits, AES_KEY *key); +int aes_hw_set_decrypt_key(const uint8_t *user_key, int bits, AES_KEY *key); void aes_hw_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); void aes_hw_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); void aes_hw_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key, uint8_t *ivec, const int enc); + const AES_KEY *key, uint8_t *ivec, int enc); void aes_hw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, const uint8_t ivec[16]); +#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) +// On x86 and x86_64, |aes_hw_set_decrypt_key| is implemented in terms of +// |aes_hw_set_encrypt_key| and a conversion function. +void aes_hw_encrypt_key_to_decrypt_key(AES_KEY *key); + +// There are two variants of this function, one which uses aeskeygenassist +// ("base") and one which uses aesenclast + pshufb ("alt"). aesenclast is +// overall faster but is slower on some older processors. It doesn't use AVX, +// but AVX is used as a proxy to detecting this. See +// https://groups.google.com/g/mailing.openssl.dev/c/OuFXwW4NfO8/m/7d2ZXVjkxVkJ +// +// TODO(davidben): It is unclear if the aeskeygenassist version is still +// worthwhile. However, the aesenclast version requires SSSE3. SSSE3 long +// predates AES-NI, but it's not clear if AES-NI implies SSSE3. In OpenSSL, the +// CCM AES-NI assembly seems to assume it does. 
+OPENSSL_INLINE int aes_hw_set_encrypt_key_alt_capable(void) { + return hwaes_capable() && CRYPTO_is_SSSE3_capable(); +} +OPENSSL_INLINE int aes_hw_set_encrypt_key_alt_preferred(void) { + return hwaes_capable() && CRYPTO_is_AVX_capable(); +} +int aes_hw_set_encrypt_key_base(const uint8_t *user_key, int bits, + AES_KEY *key); +int aes_hw_set_encrypt_key_alt(const uint8_t *user_key, int bits, AES_KEY *key); +#endif // OPENSSL_X86 || OPENSSL_X86_64 + #else // If HWAES isn't defined then we provide dummy functions for each of the hwaes @@ -120,7 +146,7 @@ OPENSSL_INLINE void aes_hw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, #if defined(HWAES_ECB) void aes_hw_ecb_encrypt(const uint8_t *in, uint8_t *out, size_t length, - const AES_KEY *key, const int enc); + const AES_KEY *key, int enc); #endif // HWAES_ECB @@ -218,7 +244,7 @@ void aes_nohw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks, const AES_KEY *key, const uint8_t ivec[16]); void aes_nohw_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, - const AES_KEY *key, uint8_t *ivec, const int enc); + const AES_KEY *key, uint8_t *ivec, int enc); #if defined(__cplusplus) diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/key_wrap.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/key_wrap.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aes/key_wrap.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/aes/key_wrap.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/mode_wrappers.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/aes/mode_wrappers.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aes/mode_wrappers.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/aes/mode_wrappers.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S deleted file mode 100644 index 12b469ce2..000000000 
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv7-ios.ios.arm.S +++ /dev/null 
@@ -1,808 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -#include - -#if __ARM_MAX_ARCH__>=7 -.text - - -.code 32 -#undef __thumb2__ -.align 5 -Lrcon: -.long 0x01,0x01,0x01,0x01 -.long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d @ rotate-n-splat -.long 0x1b,0x1b,0x1b,0x1b - -.text - -.globl _aes_hw_set_encrypt_key -.private_extern _aes_hw_set_encrypt_key -#ifdef __thumb2__ -.thumb_func _aes_hw_set_encrypt_key -#endif -.align 5 -_aes_hw_set_encrypt_key: -Lenc_key: - mov r3,#-1 - cmp r0,#0 - beq Lenc_key_abort - cmp r2,#0 - beq Lenc_key_abort - mov r3,#-2 - cmp r1,#128 - blt Lenc_key_abort - cmp r1,#256 - bgt Lenc_key_abort - tst r1,#0x3f - bne Lenc_key_abort - - adr r3,Lrcon - cmp r1,#192 - - veor q0,q0,q0 - vld1.8 {q3},[r0]! - mov r1,#8 @ reuse r1 - vld1.32 {q1,q2},[r3]! - - blt Loop128 - beq L192 - b L256 - -.align 4 -Loop128: - vtbl.8 d20,{q3},d4 - vtbl.8 d21,{q3},d5 - vext.8 q9,q0,q3,#12 - vst1.32 {q3},[r2]! -.byte 0x00,0x43,0xf0,0xf3 @ aese q10,q0 - subs r1,r1,#1 - - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q10,q10,q1 - veor q3,q3,q9 - vshl.u8 q1,q1,#1 - veor q3,q3,q10 - bne Loop128 - - vld1.32 {q1},[r3] - - vtbl.8 d20,{q3},d4 - vtbl.8 d21,{q3},d5 - vext.8 q9,q0,q3,#12 - vst1.32 {q3},[r2]! -.byte 0x00,0x43,0xf0,0xf3 @ aese q10,q0 - - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q10,q10,q1 - veor q3,q3,q9 - vshl.u8 q1,q1,#1 - veor q3,q3,q10 - - vtbl.8 d20,{q3},d4 - vtbl.8 d21,{q3},d5 - vext.8 q9,q0,q3,#12 - vst1.32 {q3},[r2]! 
-.byte 0x00,0x43,0xf0,0xf3 @ aese q10,q0 - - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q10,q10,q1 - veor q3,q3,q9 - veor q3,q3,q10 - vst1.32 {q3},[r2] - add r2,r2,#0x50 - - mov r12,#10 - b Ldone - -.align 4 -L192: - vld1.8 {d16},[r0]! - vmov.i8 q10,#8 @ borrow q10 - vst1.32 {q3},[r2]! - vsub.i8 q2,q2,q10 @ adjust the mask - -Loop192: - vtbl.8 d20,{q8},d4 - vtbl.8 d21,{q8},d5 - vext.8 q9,q0,q3,#12 - vst1.32 {d16},[r2]! -.byte 0x00,0x43,0xf0,0xf3 @ aese q10,q0 - subs r1,r1,#1 - - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q3,q3,q9 - - vdup.32 q9,d7[1] - veor q9,q9,q8 - veor q10,q10,q1 - vext.8 q8,q0,q8,#12 - vshl.u8 q1,q1,#1 - veor q8,q8,q9 - veor q3,q3,q10 - veor q8,q8,q10 - vst1.32 {q3},[r2]! - bne Loop192 - - mov r12,#12 - add r2,r2,#0x20 - b Ldone - -.align 4 -L256: - vld1.8 {q8},[r0] - mov r1,#7 - mov r12,#14 - vst1.32 {q3},[r2]! - -Loop256: - vtbl.8 d20,{q8},d4 - vtbl.8 d21,{q8},d5 - vext.8 q9,q0,q3,#12 - vst1.32 {q8},[r2]! -.byte 0x00,0x43,0xf0,0xf3 @ aese q10,q0 - subs r1,r1,#1 - - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q3,q3,q9 - vext.8 q9,q0,q9,#12 - veor q10,q10,q1 - veor q3,q3,q9 - vshl.u8 q1,q1,#1 - veor q3,q3,q10 - vst1.32 {q3},[r2]! - beq Ldone - - vdup.32 q10,d7[1] - vext.8 q9,q0,q8,#12 -.byte 0x00,0x43,0xf0,0xf3 @ aese q10,q0 - - veor q8,q8,q9 - vext.8 q9,q0,q9,#12 - veor q8,q8,q9 - vext.8 q9,q0,q9,#12 - veor q8,q8,q9 - - veor q8,q8,q10 - b Loop256 - -Ldone: - str r12,[r2] - mov r3,#0 - -Lenc_key_abort: - mov r0,r3 @ return value - - bx lr - - -.globl _aes_hw_set_decrypt_key -.private_extern _aes_hw_set_decrypt_key -#ifdef __thumb2__ -.thumb_func _aes_hw_set_decrypt_key -#endif -.align 5 -_aes_hw_set_decrypt_key: - stmdb sp!,{r4,lr} - bl Lenc_key - - cmp r0,#0 - bne Ldec_key_abort - - sub r2,r2,#240 @ restore original r2 - mov r4,#-16 - add r0,r2,r12,lsl#4 @ end of key schedule - - vld1.32 {q0},[r2] - vld1.32 {q1},[r0] - vst1.32 {q0},[r0],r4 - vst1.32 {q1},[r2]! 
- -Loop_imc: - vld1.32 {q0},[r2] - vld1.32 {q1},[r0] -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 - vst1.32 {q0},[r0],r4 - vst1.32 {q1},[r2]! - cmp r0,r2 - bhi Loop_imc - - vld1.32 {q0},[r2] -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 - vst1.32 {q0},[r0] - - eor r0,r0,r0 @ return value -Ldec_key_abort: - ldmia sp!,{r4,pc} - -.globl _aes_hw_encrypt -.private_extern _aes_hw_encrypt -#ifdef __thumb2__ -.thumb_func _aes_hw_encrypt -#endif -.align 5 -_aes_hw_encrypt: - AARCH64_VALID_CALL_TARGET - ldr r3,[r2,#240] - vld1.32 {q0},[r2]! - vld1.8 {q2},[r0] - sub r3,r3,#2 - vld1.32 {q1},[r2]! - -Loop_enc: -.byte 0x00,0x43,0xb0,0xf3 @ aese q2,q0 -.byte 0x84,0x43,0xb0,0xf3 @ aesmc q2,q2 - vld1.32 {q0},[r2]! - subs r3,r3,#2 -.byte 0x02,0x43,0xb0,0xf3 @ aese q2,q1 -.byte 0x84,0x43,0xb0,0xf3 @ aesmc q2,q2 - vld1.32 {q1},[r2]! - bgt Loop_enc - -.byte 0x00,0x43,0xb0,0xf3 @ aese q2,q0 -.byte 0x84,0x43,0xb0,0xf3 @ aesmc q2,q2 - vld1.32 {q0},[r2] -.byte 0x02,0x43,0xb0,0xf3 @ aese q2,q1 - veor q2,q2,q0 - - vst1.8 {q2},[r1] - bx lr - -.globl _aes_hw_decrypt -.private_extern _aes_hw_decrypt -#ifdef __thumb2__ -.thumb_func _aes_hw_decrypt -#endif -.align 5 -_aes_hw_decrypt: - AARCH64_VALID_CALL_TARGET - ldr r3,[r2,#240] - vld1.32 {q0},[r2]! - vld1.8 {q2},[r0] - sub r3,r3,#2 - vld1.32 {q1},[r2]! - -Loop_dec: -.byte 0x40,0x43,0xb0,0xf3 @ aesd q2,q0 -.byte 0xc4,0x43,0xb0,0xf3 @ aesimc q2,q2 - vld1.32 {q0},[r2]! - subs r3,r3,#2 -.byte 0x42,0x43,0xb0,0xf3 @ aesd q2,q1 -.byte 0xc4,0x43,0xb0,0xf3 @ aesimc q2,q2 - vld1.32 {q1},[r2]! 
- bgt Loop_dec - -.byte 0x40,0x43,0xb0,0xf3 @ aesd q2,q0 -.byte 0xc4,0x43,0xb0,0xf3 @ aesimc q2,q2 - vld1.32 {q0},[r2] -.byte 0x42,0x43,0xb0,0xf3 @ aesd q2,q1 - veor q2,q2,q0 - - vst1.8 {q2},[r1] - bx lr - -.globl _aes_hw_cbc_encrypt -.private_extern _aes_hw_cbc_encrypt -#ifdef __thumb2__ -.thumb_func _aes_hw_cbc_encrypt -#endif -.align 5 -_aes_hw_cbc_encrypt: - mov ip,sp - stmdb sp!,{r4,r5,r6,r7,r8,lr} - vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so - ldmia ip,{r4,r5} @ load remaining args - subs r2,r2,#16 - mov r8,#16 - blo Lcbc_abort - moveq r8,#0 - - cmp r5,#0 @ en- or decrypting? - ldr r5,[r3,#240] - and r2,r2,#-16 - vld1.8 {q6},[r4] - vld1.8 {q0},[r0],r8 - - vld1.32 {q8,q9},[r3] @ load key schedule... - sub r5,r5,#6 - add r7,r3,r5,lsl#4 @ pointer to last 7 round keys - sub r5,r5,#2 - vld1.32 {q10,q11},[r7]! - vld1.32 {q12,q13},[r7]! - vld1.32 {q14,q15},[r7]! - vld1.32 {q7},[r7] - - add r7,r3,#32 - mov r6,r5 - beq Lcbc_dec - - cmp r5,#2 - veor q0,q0,q6 - veor q5,q8,q7 - beq Lcbc_enc128 - - vld1.32 {q2,q3},[r7] - add r7,r3,#16 - add r6,r3,#16*4 - add r12,r3,#16*5 -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - add r14,r3,#16*6 - add r3,r3,#16*7 - b Lenter_cbc_enc - -.align 4 -Loop_cbc_enc: -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vst1.8 {q6},[r1]! 
-Lenter_cbc_enc: -.byte 0x22,0x03,0xb0,0xf3 @ aese q0,q9 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x04,0x03,0xb0,0xf3 @ aese q0,q2 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vld1.32 {q8},[r6] - cmp r5,#4 -.byte 0x06,0x03,0xb0,0xf3 @ aese q0,q3 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vld1.32 {q9},[r12] - beq Lcbc_enc192 - -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vld1.32 {q8},[r14] -.byte 0x22,0x03,0xb0,0xf3 @ aese q0,q9 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vld1.32 {q9},[r3] - nop - -Lcbc_enc192: -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - subs r2,r2,#16 -.byte 0x22,0x03,0xb0,0xf3 @ aese q0,q9 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - moveq r8,#0 -.byte 0x24,0x03,0xb0,0xf3 @ aese q0,q10 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x26,0x03,0xb0,0xf3 @ aese q0,q11 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vld1.8 {q8},[r0],r8 -.byte 0x28,0x03,0xb0,0xf3 @ aese q0,q12 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - veor q8,q8,q5 -.byte 0x2a,0x03,0xb0,0xf3 @ aese q0,q13 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vld1.32 {q9},[r7] @ re-pre-load rndkey[1] -.byte 0x2c,0x03,0xb0,0xf3 @ aese q0,q14 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x2e,0x03,0xb0,0xf3 @ aese q0,q15 - veor q6,q0,q7 - bhs Loop_cbc_enc - - vst1.8 {q6},[r1]! - b Lcbc_done - -.align 5 -Lcbc_enc128: - vld1.32 {q2,q3},[r7] -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - b Lenter_cbc_enc128 -Loop_cbc_enc128: -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vst1.8 {q6},[r1]! 
-Lenter_cbc_enc128: -.byte 0x22,0x03,0xb0,0xf3 @ aese q0,q9 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - subs r2,r2,#16 -.byte 0x04,0x03,0xb0,0xf3 @ aese q0,q2 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - moveq r8,#0 -.byte 0x06,0x03,0xb0,0xf3 @ aese q0,q3 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x24,0x03,0xb0,0xf3 @ aese q0,q10 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x26,0x03,0xb0,0xf3 @ aese q0,q11 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - vld1.8 {q8},[r0],r8 -.byte 0x28,0x03,0xb0,0xf3 @ aese q0,q12 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x2a,0x03,0xb0,0xf3 @ aese q0,q13 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x2c,0x03,0xb0,0xf3 @ aese q0,q14 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 - veor q8,q8,q5 -.byte 0x2e,0x03,0xb0,0xf3 @ aese q0,q15 - veor q6,q0,q7 - bhs Loop_cbc_enc128 - - vst1.8 {q6},[r1]! - b Lcbc_done -.align 5 -Lcbc_dec: - vld1.8 {q10},[r0]! - subs r2,r2,#32 @ bias - add r6,r5,#2 - vorr q3,q0,q0 - vorr q1,q0,q0 - vorr q11,q10,q10 - blo Lcbc_dec_tail - - vorr q1,q10,q10 - vld1.8 {q10},[r0]! - vorr q2,q0,q0 - vorr q3,q1,q1 - vorr q11,q10,q10 - -Loop3x_cbc_dec: -.byte 0x60,0x03,0xb0,0xf3 @ aesd q0,q8 -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0x60,0x23,0xb0,0xf3 @ aesd q1,q8 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x60,0x43,0xf0,0xf3 @ aesd q10,q8 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - vld1.32 {q8},[r7]! - subs r6,r6,#2 -.byte 0x62,0x03,0xb0,0xf3 @ aesd q0,q9 -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0x62,0x23,0xb0,0xf3 @ aesd q1,q9 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x62,0x43,0xf0,0xf3 @ aesd q10,q9 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - vld1.32 {q9},[r7]! 
- bgt Loop3x_cbc_dec - -.byte 0x60,0x03,0xb0,0xf3 @ aesd q0,q8 -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0x60,0x23,0xb0,0xf3 @ aesd q1,q8 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x60,0x43,0xf0,0xf3 @ aesd q10,q8 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - veor q4,q6,q7 - subs r2,r2,#0x30 - veor q5,q2,q7 - movlo r6,r2 @ r6, r6, is zero at this point -.byte 0x62,0x03,0xb0,0xf3 @ aesd q0,q9 -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0x62,0x23,0xb0,0xf3 @ aesd q1,q9 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x62,0x43,0xf0,0xf3 @ aesd q10,q9 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - veor q9,q3,q7 - add r0,r0,r6 @ r0 is adjusted in such way that - @ at exit from the loop q1-q10 - @ are loaded with last "words" - vorr q6,q11,q11 - mov r7,r3 -.byte 0x68,0x03,0xb0,0xf3 @ aesd q0,q12 -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0x68,0x23,0xb0,0xf3 @ aesd q1,q12 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x68,0x43,0xf0,0xf3 @ aesd q10,q12 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - vld1.8 {q2},[r0]! -.byte 0x6a,0x03,0xb0,0xf3 @ aesd q0,q13 -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0x6a,0x23,0xb0,0xf3 @ aesd q1,q13 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x6a,0x43,0xf0,0xf3 @ aesd q10,q13 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - vld1.8 {q3},[r0]! -.byte 0x6c,0x03,0xb0,0xf3 @ aesd q0,q14 -.byte 0xc0,0x03,0xb0,0xf3 @ aesimc q0,q0 -.byte 0x6c,0x23,0xb0,0xf3 @ aesd q1,q14 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x6c,0x43,0xf0,0xf3 @ aesd q10,q14 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - vld1.8 {q11},[r0]! -.byte 0x6e,0x03,0xb0,0xf3 @ aesd q0,q15 -.byte 0x6e,0x23,0xb0,0xf3 @ aesd q1,q15 -.byte 0x6e,0x43,0xf0,0xf3 @ aesd q10,q15 - vld1.32 {q8},[r7]! @ re-pre-load rndkey[0] - add r6,r5,#2 - veor q4,q4,q0 - veor q5,q5,q1 - veor q10,q10,q9 - vld1.32 {q9},[r7]! @ re-pre-load rndkey[1] - vst1.8 {q4},[r1]! - vorr q0,q2,q2 - vst1.8 {q5},[r1]! - vorr q1,q3,q3 - vst1.8 {q10},[r1]! 
- vorr q10,q11,q11 - bhs Loop3x_cbc_dec - - cmn r2,#0x30 - beq Lcbc_done - nop - -Lcbc_dec_tail: -.byte 0x60,0x23,0xb0,0xf3 @ aesd q1,q8 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x60,0x43,0xf0,0xf3 @ aesd q10,q8 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - vld1.32 {q8},[r7]! - subs r6,r6,#2 -.byte 0x62,0x23,0xb0,0xf3 @ aesd q1,q9 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x62,0x43,0xf0,0xf3 @ aesd q10,q9 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - vld1.32 {q9},[r7]! - bgt Lcbc_dec_tail - -.byte 0x60,0x23,0xb0,0xf3 @ aesd q1,q8 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x60,0x43,0xf0,0xf3 @ aesd q10,q8 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 -.byte 0x62,0x23,0xb0,0xf3 @ aesd q1,q9 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x62,0x43,0xf0,0xf3 @ aesd q10,q9 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 -.byte 0x68,0x23,0xb0,0xf3 @ aesd q1,q12 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x68,0x43,0xf0,0xf3 @ aesd q10,q12 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - cmn r2,#0x20 -.byte 0x6a,0x23,0xb0,0xf3 @ aesd q1,q13 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x6a,0x43,0xf0,0xf3 @ aesd q10,q13 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - veor q5,q6,q7 -.byte 0x6c,0x23,0xb0,0xf3 @ aesd q1,q14 -.byte 0xc2,0x23,0xb0,0xf3 @ aesimc q1,q1 -.byte 0x6c,0x43,0xf0,0xf3 @ aesd q10,q14 -.byte 0xe4,0x43,0xf0,0xf3 @ aesimc q10,q10 - veor q9,q3,q7 -.byte 0x6e,0x23,0xb0,0xf3 @ aesd q1,q15 -.byte 0x6e,0x43,0xf0,0xf3 @ aesd q10,q15 - beq Lcbc_dec_one - veor q5,q5,q1 - veor q9,q9,q10 - vorr q6,q11,q11 - vst1.8 {q5},[r1]! - vst1.8 {q9},[r1]! - b Lcbc_done - -Lcbc_dec_one: - veor q5,q5,q10 - vorr q6,q11,q11 - vst1.8 {q5},[r1]! 
- -Lcbc_done: - vst1.8 {q6},[r4] -Lcbc_abort: - vldmia sp!,{d8,d9,d10,d11,d12,d13,d14,d15} - ldmia sp!,{r4,r5,r6,r7,r8,pc} - -.globl _aes_hw_ctr32_encrypt_blocks -.private_extern _aes_hw_ctr32_encrypt_blocks -#ifdef __thumb2__ -.thumb_func _aes_hw_ctr32_encrypt_blocks -#endif -.align 5 -_aes_hw_ctr32_encrypt_blocks: - mov ip,sp - stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,lr} - vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so - ldr r4, [ip] @ load remaining arg - ldr r5,[r3,#240] - - ldr r8, [r4, #12] - vld1.32 {q0},[r4] - - vld1.32 {q8,q9},[r3] @ load key schedule... - sub r5,r5,#4 - mov r12,#16 - cmp r2,#2 - add r7,r3,r5,lsl#4 @ pointer to last 5 round keys - sub r5,r5,#2 - vld1.32 {q12,q13},[r7]! - vld1.32 {q14,q15},[r7]! - vld1.32 {q7},[r7] - add r7,r3,#32 - mov r6,r5 - movlo r12,#0 - - @ ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are - @ affected by silicon errata #1742098 [0] and #1655431 [1], - @ respectively, where the second instruction of an aese/aesmc - @ instruction pair may execute twice if an interrupt is taken right - @ after the first instruction consumes an input register of which a - @ single 32-bit lane has been updated the last time it was modified. - @ - @ This function uses a counter in one 32-bit lane. The - @ could write to q1 and q10 directly, but that trips this bugs. - @ We write to q6 and copy to the final register as a workaround. 
- @ - @ [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice - @ [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice -#ifndef __ARMEB__ - rev r8, r8 -#endif - add r10, r8, #1 - vorr q6,q0,q0 - rev r10, r10 - vmov.32 d13[1],r10 - add r8, r8, #2 - vorr q1,q6,q6 - bls Lctr32_tail - rev r12, r8 - vmov.32 d13[1],r12 - sub r2,r2,#3 @ bias - vorr q10,q6,q6 - b Loop3x_ctr32 - -.align 4 -Loop3x_ctr32: -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x20,0x23,0xb0,0xf3 @ aese q1,q8 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 -.byte 0x20,0x43,0xf0,0xf3 @ aese q10,q8 -.byte 0xa4,0x43,0xf0,0xf3 @ aesmc q10,q10 - vld1.32 {q8},[r7]! - subs r6,r6,#2 -.byte 0x22,0x03,0xb0,0xf3 @ aese q0,q9 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x22,0x23,0xb0,0xf3 @ aese q1,q9 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 -.byte 0x22,0x43,0xf0,0xf3 @ aese q10,q9 -.byte 0xa4,0x43,0xf0,0xf3 @ aesmc q10,q10 - vld1.32 {q9},[r7]! - bgt Loop3x_ctr32 - -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x83,0xb0,0xf3 @ aesmc q4,q0 -.byte 0x20,0x23,0xb0,0xf3 @ aese q1,q8 -.byte 0x82,0xa3,0xb0,0xf3 @ aesmc q5,q1 - vld1.8 {q2},[r0]! - add r9,r8,#1 -.byte 0x20,0x43,0xf0,0xf3 @ aese q10,q8 -.byte 0xa4,0x43,0xf0,0xf3 @ aesmc q10,q10 - vld1.8 {q3},[r0]! - rev r9,r9 -.byte 0x22,0x83,0xb0,0xf3 @ aese q4,q9 -.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4 -.byte 0x22,0xa3,0xb0,0xf3 @ aese q5,q9 -.byte 0x8a,0xa3,0xb0,0xf3 @ aesmc q5,q5 - vld1.8 {q11},[r0]! 
- mov r7,r3 -.byte 0x22,0x43,0xf0,0xf3 @ aese q10,q9 -.byte 0xa4,0x23,0xf0,0xf3 @ aesmc q9,q10 -.byte 0x28,0x83,0xb0,0xf3 @ aese q4,q12 -.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4 -.byte 0x28,0xa3,0xb0,0xf3 @ aese q5,q12 -.byte 0x8a,0xa3,0xb0,0xf3 @ aesmc q5,q5 - veor q2,q2,q7 - add r10,r8,#2 -.byte 0x28,0x23,0xf0,0xf3 @ aese q9,q12 -.byte 0xa2,0x23,0xf0,0xf3 @ aesmc q9,q9 - veor q3,q3,q7 - add r8,r8,#3 -.byte 0x2a,0x83,0xb0,0xf3 @ aese q4,q13 -.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4 -.byte 0x2a,0xa3,0xb0,0xf3 @ aese q5,q13 -.byte 0x8a,0xa3,0xb0,0xf3 @ aesmc q5,q5 - @ Note the logic to update q0, q1, and q1 is written to work - @ around a bug in ARM Cortex-A57 and Cortex-A72 cores running in - @ 32-bit mode. See the comment above. - veor q11,q11,q7 - vmov.32 d13[1], r9 -.byte 0x2a,0x23,0xf0,0xf3 @ aese q9,q13 -.byte 0xa2,0x23,0xf0,0xf3 @ aesmc q9,q9 - vorr q0,q6,q6 - rev r10,r10 -.byte 0x2c,0x83,0xb0,0xf3 @ aese q4,q14 -.byte 0x88,0x83,0xb0,0xf3 @ aesmc q4,q4 - vmov.32 d13[1], r10 - rev r12,r8 -.byte 0x2c,0xa3,0xb0,0xf3 @ aese q5,q14 -.byte 0x8a,0xa3,0xb0,0xf3 @ aesmc q5,q5 - vorr q1,q6,q6 - vmov.32 d13[1], r12 -.byte 0x2c,0x23,0xf0,0xf3 @ aese q9,q14 -.byte 0xa2,0x23,0xf0,0xf3 @ aesmc q9,q9 - vorr q10,q6,q6 - subs r2,r2,#3 -.byte 0x2e,0x83,0xb0,0xf3 @ aese q4,q15 -.byte 0x2e,0xa3,0xb0,0xf3 @ aese q5,q15 -.byte 0x2e,0x23,0xf0,0xf3 @ aese q9,q15 - - veor q2,q2,q4 - vld1.32 {q8},[r7]! @ re-pre-load rndkey[0] - vst1.8 {q2},[r1]! - veor q3,q3,q5 - mov r6,r5 - vst1.8 {q3},[r1]! - veor q11,q11,q9 - vld1.32 {q9},[r7]! @ re-pre-load rndkey[1] - vst1.8 {q11},[r1]! - bhs Loop3x_ctr32 - - adds r2,r2,#3 - beq Lctr32_done - cmp r2,#1 - mov r12,#16 - moveq r12,#0 - -Lctr32_tail: -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x20,0x23,0xb0,0xf3 @ aese q1,q8 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 - vld1.32 {q8},[r7]! 
- subs r6,r6,#2 -.byte 0x22,0x03,0xb0,0xf3 @ aese q0,q9 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x22,0x23,0xb0,0xf3 @ aese q1,q9 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 - vld1.32 {q9},[r7]! - bgt Lctr32_tail - -.byte 0x20,0x03,0xb0,0xf3 @ aese q0,q8 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x20,0x23,0xb0,0xf3 @ aese q1,q8 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 -.byte 0x22,0x03,0xb0,0xf3 @ aese q0,q9 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x22,0x23,0xb0,0xf3 @ aese q1,q9 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 - vld1.8 {q2},[r0],r12 -.byte 0x28,0x03,0xb0,0xf3 @ aese q0,q12 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x28,0x23,0xb0,0xf3 @ aese q1,q12 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 - vld1.8 {q3},[r0] -.byte 0x2a,0x03,0xb0,0xf3 @ aese q0,q13 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x2a,0x23,0xb0,0xf3 @ aese q1,q13 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 - veor q2,q2,q7 -.byte 0x2c,0x03,0xb0,0xf3 @ aese q0,q14 -.byte 0x80,0x03,0xb0,0xf3 @ aesmc q0,q0 -.byte 0x2c,0x23,0xb0,0xf3 @ aese q1,q14 -.byte 0x82,0x23,0xb0,0xf3 @ aesmc q1,q1 - veor q3,q3,q7 -.byte 0x2e,0x03,0xb0,0xf3 @ aese q0,q15 -.byte 0x2e,0x23,0xb0,0xf3 @ aese q1,q15 - - cmp r2,#1 - veor q2,q2,q0 - veor q3,q3,q1 - vst1.8 {q2},[r1]! - beq Lctr32_done - vst1.8 {q3},[r1] - -Lctr32_done: - vldmia sp!,{d8,d9,d10,d11,d12,d13,d14,d15} - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,pc} - -#endif -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S deleted file mode 100644 index 4b9fa8070..000000000 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv4-mont-ios.ios.arm.S +++ /dev/null 
@@ -1,981 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -#include - -@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both -@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions. - - -.text -#if defined(__thumb2__) -.syntax unified -.thumb -#else -.code 32 -#endif - -#if __ARM_MAX_ARCH__>=7 -.align 5 -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lbn_mul_mont -#endif - -.globl _bn_mul_mont -.private_extern _bn_mul_mont -#ifdef __thumb2__ -.thumb_func _bn_mul_mont -#endif - -.align 5 -_bn_mul_mont: -Lbn_mul_mont: - ldr ip,[sp,#4] @ load num - stmdb sp!,{r0,r2} @ sp points at argument block -#if __ARM_MAX_ARCH__>=7 - tst ip,#7 - bne Lialu - adr r0,Lbn_mul_mont - ldr r2,LOPENSSL_armcap - ldr r0,[r0,r2] -#ifdef __APPLE__ - ldr r0,[r0] -#endif - tst r0,#ARMV7_NEON @ NEON available? 
- ldmia sp, {r0,r2} - beq Lialu - add sp,sp,#8 - b bn_mul8x_mont_neon -.align 4 -Lialu: -#endif - cmp ip,#2 - mov r0,ip @ load num -#ifdef __thumb2__ - ittt lt -#endif - movlt r0,#0 - addlt sp,sp,#2*4 - blt Labrt - - stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} @ save 10 registers - - mov r0,r0,lsl#2 @ rescale r0 for byte count - sub sp,sp,r0 @ alloca(4*num) - sub sp,sp,#4 @ +extra dword - sub r0,r0,#4 @ "num=num-1" - add r4,r2,r0 @ &bp[num-1] - - add r0,sp,r0 @ r0 to point at &tp[num-1] - ldr r8,[r0,#14*4] @ &n0 - ldr r2,[r2] @ bp[0] - ldr r5,[r1],#4 @ ap[0],ap++ - ldr r6,[r3],#4 @ np[0],np++ - ldr r8,[r8] @ *n0 - str r4,[r0,#15*4] @ save &bp[num] - - umull r10,r11,r5,r2 @ ap[0]*bp[0] - str r8,[r0,#14*4] @ save n0 value - mul r8,r10,r8 @ "tp[0]"*n0 - mov r12,#0 - umlal r10,r12,r6,r8 @ np[0]*n0+"t[0]" - mov r4,sp - -L1st: - ldr r5,[r1],#4 @ ap[j],ap++ - mov r10,r11 - ldr r6,[r3],#4 @ np[j],np++ - mov r11,#0 - umlal r10,r11,r5,r2 @ ap[j]*bp[0] - mov r14,#0 - umlal r12,r14,r6,r8 @ np[j]*n0 - adds r12,r12,r10 - str r12,[r4],#4 @ tp[j-1]=,tp++ - adc r12,r14,#0 - cmp r4,r0 - bne L1st - - adds r12,r12,r11 - ldr r4,[r0,#13*4] @ restore bp - mov r14,#0 - ldr r8,[r0,#14*4] @ restore n0 - adc r14,r14,#0 - str r12,[r0] @ tp[num-1]= - mov r7,sp - str r14,[r0,#4] @ tp[num]= - -Louter: - sub r7,r0,r7 @ "original" r0-1 value - sub r1,r1,r7 @ "rewind" ap to &ap[1] - ldr r2,[r4,#4]! 
@ *(++bp) - sub r3,r3,r7 @ "rewind" np to &np[1] - ldr r5,[r1,#-4] @ ap[0] - ldr r10,[sp] @ tp[0] - ldr r6,[r3,#-4] @ np[0] - ldr r7,[sp,#4] @ tp[1] - - mov r11,#0 - umlal r10,r11,r5,r2 @ ap[0]*bp[i]+tp[0] - str r4,[r0,#13*4] @ save bp - mul r8,r10,r8 - mov r12,#0 - umlal r10,r12,r6,r8 @ np[0]*n0+"tp[0]" - mov r4,sp - -Linner: - ldr r5,[r1],#4 @ ap[j],ap++ - adds r10,r11,r7 @ +=tp[j] - ldr r6,[r3],#4 @ np[j],np++ - mov r11,#0 - umlal r10,r11,r5,r2 @ ap[j]*bp[i] - mov r14,#0 - umlal r12,r14,r6,r8 @ np[j]*n0 - adc r11,r11,#0 - ldr r7,[r4,#8] @ tp[j+1] - adds r12,r12,r10 - str r12,[r4],#4 @ tp[j-1]=,tp++ - adc r12,r14,#0 - cmp r4,r0 - bne Linner - - adds r12,r12,r11 - mov r14,#0 - ldr r4,[r0,#13*4] @ restore bp - adc r14,r14,#0 - ldr r8,[r0,#14*4] @ restore n0 - adds r12,r12,r7 - ldr r7,[r0,#15*4] @ restore &bp[num] - adc r14,r14,#0 - str r12,[r0] @ tp[num-1]= - str r14,[r0,#4] @ tp[num]= - - cmp r4,r7 -#ifdef __thumb2__ - itt ne -#endif - movne r7,sp - bne Louter - - ldr r2,[r0,#12*4] @ pull rp - mov r5,sp - add r0,r0,#4 @ r0 to point at &tp[num] - sub r5,r0,r5 @ "original" num value - mov r4,sp @ "rewind" r4 - mov r1,r4 @ "borrow" r1 - sub r3,r3,r5 @ "rewind" r3 to &np[0] - - subs r7,r7,r7 @ "clear" carry flag -Lsub: ldr r7,[r4],#4 - ldr r6,[r3],#4 - sbcs r7,r7,r6 @ tp[j]-np[j] - str r7,[r2],#4 @ rp[j]= - teq r4,r0 @ preserve carry - bne Lsub - sbcs r14,r14,#0 @ upmost carry - mov r4,sp @ "rewind" r4 - sub r2,r2,r5 @ "rewind" r2 - -Lcopy: ldr r7,[r4] @ conditional copy - ldr r5,[r2] - str sp,[r4],#4 @ zap tp -#ifdef __thumb2__ - it cc -#endif - movcc r5,r7 - str r5,[r2],#4 - teq r4,r0 @ preserve carry - bne Lcopy - - mov sp,r0 - add sp,sp,#4 @ skip over tp[num+1] - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} @ restore registers - add sp,sp,#2*4 @ skip over {r0,r2} - mov r0,#1 -Labrt: -#if __ARM_ARCH>=5 - bx lr @ bx lr -#else - tst lr,#1 - moveq pc,lr @ be binary compatible with V4, yet -.word 0xe12fff1e @ interoperable with Thumb ISA:-) -#endif - -#if 
__ARM_MAX_ARCH__>=7 - - - -#ifdef __thumb2__ -.thumb_func bn_mul8x_mont_neon -#endif -.align 5 -bn_mul8x_mont_neon: - mov ip,sp - stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11} - vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so - ldmia ip,{r4,r5} @ load rest of parameter block - mov ip,sp - - cmp r5,#8 - bhi LNEON_8n - - @ special case for r5==8, everything is in register bank... - - vld1.32 {d28[0]}, [r2,:32]! - veor d8,d8,d8 - sub r7,sp,r5,lsl#4 - vld1.32 {d0,d1,d2,d3}, [r1]! @ can't specify :32 :-( - and r7,r7,#-64 - vld1.32 {d30[0]}, [r4,:32] - mov sp,r7 @ alloca - vzip.16 d28,d8 - - vmull.u32 q6,d28,d0[0] - vmull.u32 q7,d28,d0[1] - vmull.u32 q8,d28,d1[0] - vshl.i64 d29,d13,#16 - vmull.u32 q9,d28,d1[1] - - vadd.u64 d29,d29,d12 - veor d8,d8,d8 - vmul.u32 d29,d29,d30 - - vmull.u32 q10,d28,d2[0] - vld1.32 {d4,d5,d6,d7}, [r3]! - vmull.u32 q11,d28,d2[1] - vmull.u32 q12,d28,d3[0] - vzip.16 d29,d8 - vmull.u32 q13,d28,d3[1] - - vmlal.u32 q6,d29,d4[0] - sub r9,r5,#1 - vmlal.u32 q7,d29,d4[1] - vmlal.u32 q8,d29,d5[0] - vmlal.u32 q9,d29,d5[1] - - vmlal.u32 q10,d29,d6[0] - vmov q5,q6 - vmlal.u32 q11,d29,d6[1] - vmov q6,q7 - vmlal.u32 q12,d29,d7[0] - vmov q7,q8 - vmlal.u32 q13,d29,d7[1] - vmov q8,q9 - vmov q9,q10 - vshr.u64 d10,d10,#16 - vmov q10,q11 - vmov q11,q12 - vadd.u64 d10,d10,d11 - vmov q12,q13 - veor q13,q13 - vshr.u64 d10,d10,#16 - - b LNEON_outer8 - -.align 4 -LNEON_outer8: - vld1.32 {d28[0]}, [r2,:32]! 
- veor d8,d8,d8 - vzip.16 d28,d8 - vadd.u64 d12,d12,d10 - - vmlal.u32 q6,d28,d0[0] - vmlal.u32 q7,d28,d0[1] - vmlal.u32 q8,d28,d1[0] - vshl.i64 d29,d13,#16 - vmlal.u32 q9,d28,d1[1] - - vadd.u64 d29,d29,d12 - veor d8,d8,d8 - subs r9,r9,#1 - vmul.u32 d29,d29,d30 - - vmlal.u32 q10,d28,d2[0] - vmlal.u32 q11,d28,d2[1] - vmlal.u32 q12,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q13,d28,d3[1] - - vmlal.u32 q6,d29,d4[0] - vmlal.u32 q7,d29,d4[1] - vmlal.u32 q8,d29,d5[0] - vmlal.u32 q9,d29,d5[1] - - vmlal.u32 q10,d29,d6[0] - vmov q5,q6 - vmlal.u32 q11,d29,d6[1] - vmov q6,q7 - vmlal.u32 q12,d29,d7[0] - vmov q7,q8 - vmlal.u32 q13,d29,d7[1] - vmov q8,q9 - vmov q9,q10 - vshr.u64 d10,d10,#16 - vmov q10,q11 - vmov q11,q12 - vadd.u64 d10,d10,d11 - vmov q12,q13 - veor q13,q13 - vshr.u64 d10,d10,#16 - - bne LNEON_outer8 - - vadd.u64 d12,d12,d10 - mov r7,sp - vshr.u64 d10,d12,#16 - mov r8,r5 - vadd.u64 d13,d13,d10 - add r6,sp,#96 - vshr.u64 d10,d13,#16 - vzip.16 d12,d13 - - b LNEON_tail_entry - -.align 4 -LNEON_8n: - veor q6,q6,q6 - sub r7,sp,#128 - veor q7,q7,q7 - sub r7,r7,r5,lsl#4 - veor q8,q8,q8 - and r7,r7,#-64 - veor q9,q9,q9 - mov sp,r7 @ alloca - veor q10,q10,q10 - add r7,r7,#256 - veor q11,q11,q11 - sub r8,r5,#8 - veor q12,q12,q12 - veor q13,q13,q13 - -LNEON_8n_init: - vst1.64 {q6,q7},[r7,:256]! - subs r8,r8,#8 - vst1.64 {q8,q9},[r7,:256]! - vst1.64 {q10,q11},[r7,:256]! - vst1.64 {q12,q13},[r7,:256]! - bne LNEON_8n_init - - add r6,sp,#256 - vld1.32 {d0,d1,d2,d3},[r1]! - add r10,sp,#8 - vld1.32 {d30[0]},[r4,:32] - mov r9,r5 - b LNEON_8n_outer - -.align 4 -LNEON_8n_outer: - vld1.32 {d28[0]},[r2,:32]! @ *b++ - veor d8,d8,d8 - vzip.16 d28,d8 - add r7,sp,#128 - vld1.32 {d4,d5,d6,d7},[r3]! 
- - vmlal.u32 q6,d28,d0[0] - vmlal.u32 q7,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q8,d28,d1[0] - vshl.i64 d29,d13,#16 - vmlal.u32 q9,d28,d1[1] - vadd.u64 d29,d29,d12 - vmlal.u32 q10,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q11,d28,d2[1] - vst1.32 {d28},[sp,:64] @ put aside smashed b[8*i+0] - vmlal.u32 q12,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q13,d28,d3[1] - vld1.32 {d28[0]},[r2,:32]! @ *b++ - vmlal.u32 q6,d29,d4[0] - veor d10,d10,d10 - vmlal.u32 q7,d29,d4[1] - vzip.16 d28,d10 - vmlal.u32 q8,d29,d5[0] - vshr.u64 d12,d12,#16 - vmlal.u32 q9,d29,d5[1] - vmlal.u32 q10,d29,d6[0] - vadd.u64 d12,d12,d13 - vmlal.u32 q11,d29,d6[1] - vshr.u64 d12,d12,#16 - vmlal.u32 q12,d29,d7[0] - vmlal.u32 q13,d29,d7[1] - vadd.u64 d14,d14,d12 - vst1.32 {d29},[r10,:64]! @ put aside smashed m[8*i+0] - vmlal.u32 q7,d28,d0[0] - vld1.64 {q6},[r6,:128]! - vmlal.u32 q8,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q9,d28,d1[0] - vshl.i64 d29,d15,#16 - vmlal.u32 q10,d28,d1[1] - vadd.u64 d29,d29,d14 - vmlal.u32 q11,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q12,d28,d2[1] - vst1.32 {d28},[r10,:64]! @ put aside smashed b[8*i+1] - vmlal.u32 q13,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q6,d28,d3[1] - vld1.32 {d28[0]},[r2,:32]! @ *b++ - vmlal.u32 q7,d29,d4[0] - veor d10,d10,d10 - vmlal.u32 q8,d29,d4[1] - vzip.16 d28,d10 - vmlal.u32 q9,d29,d5[0] - vshr.u64 d14,d14,#16 - vmlal.u32 q10,d29,d5[1] - vmlal.u32 q11,d29,d6[0] - vadd.u64 d14,d14,d15 - vmlal.u32 q12,d29,d6[1] - vshr.u64 d14,d14,#16 - vmlal.u32 q13,d29,d7[0] - vmlal.u32 q6,d29,d7[1] - vadd.u64 d16,d16,d14 - vst1.32 {d29},[r10,:64]! @ put aside smashed m[8*i+1] - vmlal.u32 q8,d28,d0[0] - vld1.64 {q7},[r6,:128]! - vmlal.u32 q9,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q10,d28,d1[0] - vshl.i64 d29,d17,#16 - vmlal.u32 q11,d28,d1[1] - vadd.u64 d29,d29,d16 - vmlal.u32 q12,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q13,d28,d2[1] - vst1.32 {d28},[r10,:64]! 
@ put aside smashed b[8*i+2] - vmlal.u32 q6,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q7,d28,d3[1] - vld1.32 {d28[0]},[r2,:32]! @ *b++ - vmlal.u32 q8,d29,d4[0] - veor d10,d10,d10 - vmlal.u32 q9,d29,d4[1] - vzip.16 d28,d10 - vmlal.u32 q10,d29,d5[0] - vshr.u64 d16,d16,#16 - vmlal.u32 q11,d29,d5[1] - vmlal.u32 q12,d29,d6[0] - vadd.u64 d16,d16,d17 - vmlal.u32 q13,d29,d6[1] - vshr.u64 d16,d16,#16 - vmlal.u32 q6,d29,d7[0] - vmlal.u32 q7,d29,d7[1] - vadd.u64 d18,d18,d16 - vst1.32 {d29},[r10,:64]! @ put aside smashed m[8*i+2] - vmlal.u32 q9,d28,d0[0] - vld1.64 {q8},[r6,:128]! - vmlal.u32 q10,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q11,d28,d1[0] - vshl.i64 d29,d19,#16 - vmlal.u32 q12,d28,d1[1] - vadd.u64 d29,d29,d18 - vmlal.u32 q13,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q6,d28,d2[1] - vst1.32 {d28},[r10,:64]! @ put aside smashed b[8*i+3] - vmlal.u32 q7,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q8,d28,d3[1] - vld1.32 {d28[0]},[r2,:32]! @ *b++ - vmlal.u32 q9,d29,d4[0] - veor d10,d10,d10 - vmlal.u32 q10,d29,d4[1] - vzip.16 d28,d10 - vmlal.u32 q11,d29,d5[0] - vshr.u64 d18,d18,#16 - vmlal.u32 q12,d29,d5[1] - vmlal.u32 q13,d29,d6[0] - vadd.u64 d18,d18,d19 - vmlal.u32 q6,d29,d6[1] - vshr.u64 d18,d18,#16 - vmlal.u32 q7,d29,d7[0] - vmlal.u32 q8,d29,d7[1] - vadd.u64 d20,d20,d18 - vst1.32 {d29},[r10,:64]! @ put aside smashed m[8*i+3] - vmlal.u32 q10,d28,d0[0] - vld1.64 {q9},[r6,:128]! - vmlal.u32 q11,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q12,d28,d1[0] - vshl.i64 d29,d21,#16 - vmlal.u32 q13,d28,d1[1] - vadd.u64 d29,d29,d20 - vmlal.u32 q6,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q7,d28,d2[1] - vst1.32 {d28},[r10,:64]! @ put aside smashed b[8*i+4] - vmlal.u32 q8,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q9,d28,d3[1] - vld1.32 {d28[0]},[r2,:32]! 
@ *b++ - vmlal.u32 q10,d29,d4[0] - veor d10,d10,d10 - vmlal.u32 q11,d29,d4[1] - vzip.16 d28,d10 - vmlal.u32 q12,d29,d5[0] - vshr.u64 d20,d20,#16 - vmlal.u32 q13,d29,d5[1] - vmlal.u32 q6,d29,d6[0] - vadd.u64 d20,d20,d21 - vmlal.u32 q7,d29,d6[1] - vshr.u64 d20,d20,#16 - vmlal.u32 q8,d29,d7[0] - vmlal.u32 q9,d29,d7[1] - vadd.u64 d22,d22,d20 - vst1.32 {d29},[r10,:64]! @ put aside smashed m[8*i+4] - vmlal.u32 q11,d28,d0[0] - vld1.64 {q10},[r6,:128]! - vmlal.u32 q12,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q13,d28,d1[0] - vshl.i64 d29,d23,#16 - vmlal.u32 q6,d28,d1[1] - vadd.u64 d29,d29,d22 - vmlal.u32 q7,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q8,d28,d2[1] - vst1.32 {d28},[r10,:64]! @ put aside smashed b[8*i+5] - vmlal.u32 q9,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q10,d28,d3[1] - vld1.32 {d28[0]},[r2,:32]! @ *b++ - vmlal.u32 q11,d29,d4[0] - veor d10,d10,d10 - vmlal.u32 q12,d29,d4[1] - vzip.16 d28,d10 - vmlal.u32 q13,d29,d5[0] - vshr.u64 d22,d22,#16 - vmlal.u32 q6,d29,d5[1] - vmlal.u32 q7,d29,d6[0] - vadd.u64 d22,d22,d23 - vmlal.u32 q8,d29,d6[1] - vshr.u64 d22,d22,#16 - vmlal.u32 q9,d29,d7[0] - vmlal.u32 q10,d29,d7[1] - vadd.u64 d24,d24,d22 - vst1.32 {d29},[r10,:64]! @ put aside smashed m[8*i+5] - vmlal.u32 q12,d28,d0[0] - vld1.64 {q11},[r6,:128]! - vmlal.u32 q13,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q6,d28,d1[0] - vshl.i64 d29,d25,#16 - vmlal.u32 q7,d28,d1[1] - vadd.u64 d29,d29,d24 - vmlal.u32 q8,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q9,d28,d2[1] - vst1.32 {d28},[r10,:64]! @ put aside smashed b[8*i+6] - vmlal.u32 q10,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q11,d28,d3[1] - vld1.32 {d28[0]},[r2,:32]! @ *b++ - vmlal.u32 q12,d29,d4[0] - veor d10,d10,d10 - vmlal.u32 q13,d29,d4[1] - vzip.16 d28,d10 - vmlal.u32 q6,d29,d5[0] - vshr.u64 d24,d24,#16 - vmlal.u32 q7,d29,d5[1] - vmlal.u32 q8,d29,d6[0] - vadd.u64 d24,d24,d25 - vmlal.u32 q9,d29,d6[1] - vshr.u64 d24,d24,#16 - vmlal.u32 q10,d29,d7[0] - vmlal.u32 q11,d29,d7[1] - vadd.u64 d26,d26,d24 - vst1.32 {d29},[r10,:64]! 
@ put aside smashed m[8*i+6] - vmlal.u32 q13,d28,d0[0] - vld1.64 {q12},[r6,:128]! - vmlal.u32 q6,d28,d0[1] - veor d8,d8,d8 - vmlal.u32 q7,d28,d1[0] - vshl.i64 d29,d27,#16 - vmlal.u32 q8,d28,d1[1] - vadd.u64 d29,d29,d26 - vmlal.u32 q9,d28,d2[0] - vmul.u32 d29,d29,d30 - vmlal.u32 q10,d28,d2[1] - vst1.32 {d28},[r10,:64]! @ put aside smashed b[8*i+7] - vmlal.u32 q11,d28,d3[0] - vzip.16 d29,d8 - vmlal.u32 q12,d28,d3[1] - vld1.32 {d28},[sp,:64] @ pull smashed b[8*i+0] - vmlal.u32 q13,d29,d4[0] - vld1.32 {d0,d1,d2,d3},[r1]! - vmlal.u32 q6,d29,d4[1] - vmlal.u32 q7,d29,d5[0] - vshr.u64 d26,d26,#16 - vmlal.u32 q8,d29,d5[1] - vmlal.u32 q9,d29,d6[0] - vadd.u64 d26,d26,d27 - vmlal.u32 q10,d29,d6[1] - vshr.u64 d26,d26,#16 - vmlal.u32 q11,d29,d7[0] - vmlal.u32 q12,d29,d7[1] - vadd.u64 d12,d12,d26 - vst1.32 {d29},[r10,:64] @ put aside smashed m[8*i+7] - add r10,sp,#8 @ rewind - sub r8,r5,#8 - b LNEON_8n_inner - -.align 4 -LNEON_8n_inner: - subs r8,r8,#8 - vmlal.u32 q6,d28,d0[0] - vld1.64 {q13},[r6,:128] - vmlal.u32 q7,d28,d0[1] - vld1.32 {d29},[r10,:64]! @ pull smashed m[8*i+0] - vmlal.u32 q8,d28,d1[0] - vld1.32 {d4,d5,d6,d7},[r3]! - vmlal.u32 q9,d28,d1[1] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q10,d28,d2[0] - vmlal.u32 q11,d28,d2[1] - vmlal.u32 q12,d28,d3[0] - vmlal.u32 q13,d28,d3[1] - vld1.32 {d28},[r10,:64]! @ pull smashed b[8*i+1] - vmlal.u32 q6,d29,d4[0] - vmlal.u32 q7,d29,d4[1] - vmlal.u32 q8,d29,d5[0] - vmlal.u32 q9,d29,d5[1] - vmlal.u32 q10,d29,d6[0] - vmlal.u32 q11,d29,d6[1] - vmlal.u32 q12,d29,d7[0] - vmlal.u32 q13,d29,d7[1] - vst1.64 {q6},[r7,:128]! - vmlal.u32 q7,d28,d0[0] - vld1.64 {q6},[r6,:128] - vmlal.u32 q8,d28,d0[1] - vld1.32 {d29},[r10,:64]! @ pull smashed m[8*i+1] - vmlal.u32 q9,d28,d1[0] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q10,d28,d1[1] - vmlal.u32 q11,d28,d2[0] - vmlal.u32 q12,d28,d2[1] - vmlal.u32 q13,d28,d3[0] - vmlal.u32 q6,d28,d3[1] - vld1.32 {d28},[r10,:64]! 
@ pull smashed b[8*i+2] - vmlal.u32 q7,d29,d4[0] - vmlal.u32 q8,d29,d4[1] - vmlal.u32 q9,d29,d5[0] - vmlal.u32 q10,d29,d5[1] - vmlal.u32 q11,d29,d6[0] - vmlal.u32 q12,d29,d6[1] - vmlal.u32 q13,d29,d7[0] - vmlal.u32 q6,d29,d7[1] - vst1.64 {q7},[r7,:128]! - vmlal.u32 q8,d28,d0[0] - vld1.64 {q7},[r6,:128] - vmlal.u32 q9,d28,d0[1] - vld1.32 {d29},[r10,:64]! @ pull smashed m[8*i+2] - vmlal.u32 q10,d28,d1[0] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q11,d28,d1[1] - vmlal.u32 q12,d28,d2[0] - vmlal.u32 q13,d28,d2[1] - vmlal.u32 q6,d28,d3[0] - vmlal.u32 q7,d28,d3[1] - vld1.32 {d28},[r10,:64]! @ pull smashed b[8*i+3] - vmlal.u32 q8,d29,d4[0] - vmlal.u32 q9,d29,d4[1] - vmlal.u32 q10,d29,d5[0] - vmlal.u32 q11,d29,d5[1] - vmlal.u32 q12,d29,d6[0] - vmlal.u32 q13,d29,d6[1] - vmlal.u32 q6,d29,d7[0] - vmlal.u32 q7,d29,d7[1] - vst1.64 {q8},[r7,:128]! - vmlal.u32 q9,d28,d0[0] - vld1.64 {q8},[r6,:128] - vmlal.u32 q10,d28,d0[1] - vld1.32 {d29},[r10,:64]! @ pull smashed m[8*i+3] - vmlal.u32 q11,d28,d1[0] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q12,d28,d1[1] - vmlal.u32 q13,d28,d2[0] - vmlal.u32 q6,d28,d2[1] - vmlal.u32 q7,d28,d3[0] - vmlal.u32 q8,d28,d3[1] - vld1.32 {d28},[r10,:64]! @ pull smashed b[8*i+4] - vmlal.u32 q9,d29,d4[0] - vmlal.u32 q10,d29,d4[1] - vmlal.u32 q11,d29,d5[0] - vmlal.u32 q12,d29,d5[1] - vmlal.u32 q13,d29,d6[0] - vmlal.u32 q6,d29,d6[1] - vmlal.u32 q7,d29,d7[0] - vmlal.u32 q8,d29,d7[1] - vst1.64 {q9},[r7,:128]! - vmlal.u32 q10,d28,d0[0] - vld1.64 {q9},[r6,:128] - vmlal.u32 q11,d28,d0[1] - vld1.32 {d29},[r10,:64]! @ pull smashed m[8*i+4] - vmlal.u32 q12,d28,d1[0] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q13,d28,d1[1] - vmlal.u32 q6,d28,d2[0] - vmlal.u32 q7,d28,d2[1] - vmlal.u32 q8,d28,d3[0] - vmlal.u32 q9,d28,d3[1] - vld1.32 {d28},[r10,:64]! 
@ pull smashed b[8*i+5] - vmlal.u32 q10,d29,d4[0] - vmlal.u32 q11,d29,d4[1] - vmlal.u32 q12,d29,d5[0] - vmlal.u32 q13,d29,d5[1] - vmlal.u32 q6,d29,d6[0] - vmlal.u32 q7,d29,d6[1] - vmlal.u32 q8,d29,d7[0] - vmlal.u32 q9,d29,d7[1] - vst1.64 {q10},[r7,:128]! - vmlal.u32 q11,d28,d0[0] - vld1.64 {q10},[r6,:128] - vmlal.u32 q12,d28,d0[1] - vld1.32 {d29},[r10,:64]! @ pull smashed m[8*i+5] - vmlal.u32 q13,d28,d1[0] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q6,d28,d1[1] - vmlal.u32 q7,d28,d2[0] - vmlal.u32 q8,d28,d2[1] - vmlal.u32 q9,d28,d3[0] - vmlal.u32 q10,d28,d3[1] - vld1.32 {d28},[r10,:64]! @ pull smashed b[8*i+6] - vmlal.u32 q11,d29,d4[0] - vmlal.u32 q12,d29,d4[1] - vmlal.u32 q13,d29,d5[0] - vmlal.u32 q6,d29,d5[1] - vmlal.u32 q7,d29,d6[0] - vmlal.u32 q8,d29,d6[1] - vmlal.u32 q9,d29,d7[0] - vmlal.u32 q10,d29,d7[1] - vst1.64 {q11},[r7,:128]! - vmlal.u32 q12,d28,d0[0] - vld1.64 {q11},[r6,:128] - vmlal.u32 q13,d28,d0[1] - vld1.32 {d29},[r10,:64]! @ pull smashed m[8*i+6] - vmlal.u32 q6,d28,d1[0] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q7,d28,d1[1] - vmlal.u32 q8,d28,d2[0] - vmlal.u32 q9,d28,d2[1] - vmlal.u32 q10,d28,d3[0] - vmlal.u32 q11,d28,d3[1] - vld1.32 {d28},[r10,:64]! @ pull smashed b[8*i+7] - vmlal.u32 q12,d29,d4[0] - vmlal.u32 q13,d29,d4[1] - vmlal.u32 q6,d29,d5[0] - vmlal.u32 q7,d29,d5[1] - vmlal.u32 q8,d29,d6[0] - vmlal.u32 q9,d29,d6[1] - vmlal.u32 q10,d29,d7[0] - vmlal.u32 q11,d29,d7[1] - vst1.64 {q12},[r7,:128]! - vmlal.u32 q13,d28,d0[0] - vld1.64 {q12},[r6,:128] - vmlal.u32 q6,d28,d0[1] - vld1.32 {d29},[r10,:64]! 
@ pull smashed m[8*i+7] - vmlal.u32 q7,d28,d1[0] - it ne - addne r6,r6,#16 @ don't advance in last iteration - vmlal.u32 q8,d28,d1[1] - vmlal.u32 q9,d28,d2[0] - vmlal.u32 q10,d28,d2[1] - vmlal.u32 q11,d28,d3[0] - vmlal.u32 q12,d28,d3[1] - it eq - subeq r1,r1,r5,lsl#2 @ rewind - vmlal.u32 q13,d29,d4[0] - vld1.32 {d28},[sp,:64] @ pull smashed b[8*i+0] - vmlal.u32 q6,d29,d4[1] - vld1.32 {d0,d1,d2,d3},[r1]! - vmlal.u32 q7,d29,d5[0] - add r10,sp,#8 @ rewind - vmlal.u32 q8,d29,d5[1] - vmlal.u32 q9,d29,d6[0] - vmlal.u32 q10,d29,d6[1] - vmlal.u32 q11,d29,d7[0] - vst1.64 {q13},[r7,:128]! - vmlal.u32 q12,d29,d7[1] - - bne LNEON_8n_inner - add r6,sp,#128 - vst1.64 {q6,q7},[r7,:256]! - veor q2,q2,q2 @ d4-d5 - vst1.64 {q8,q9},[r7,:256]! - veor q3,q3,q3 @ d6-d7 - vst1.64 {q10,q11},[r7,:256]! - vst1.64 {q12},[r7,:128] - - subs r9,r9,#8 - vld1.64 {q6,q7},[r6,:256]! - vld1.64 {q8,q9},[r6,:256]! - vld1.64 {q10,q11},[r6,:256]! - vld1.64 {q12,q13},[r6,:256]! - - itt ne - subne r3,r3,r5,lsl#2 @ rewind - bne LNEON_8n_outer - - add r7,sp,#128 - vst1.64 {q2,q3}, [sp,:256]! @ start wiping stack frame - vshr.u64 d10,d12,#16 - vst1.64 {q2,q3},[sp,:256]! - vadd.u64 d13,d13,d10 - vst1.64 {q2,q3}, [sp,:256]! - vshr.u64 d10,d13,#16 - vst1.64 {q2,q3}, [sp,:256]! - vzip.16 d12,d13 - - mov r8,r5 - b LNEON_tail_entry - -.align 4 -LNEON_tail: - vadd.u64 d12,d12,d10 - vshr.u64 d10,d12,#16 - vld1.64 {q8,q9}, [r6, :256]! - vadd.u64 d13,d13,d10 - vld1.64 {q10,q11}, [r6, :256]! - vshr.u64 d10,d13,#16 - vld1.64 {q12,q13}, [r6, :256]! - vzip.16 d12,d13 - -LNEON_tail_entry: - vadd.u64 d14,d14,d10 - vst1.32 {d12[0]}, [r7, :32]! - vshr.u64 d10,d14,#16 - vadd.u64 d15,d15,d10 - vshr.u64 d10,d15,#16 - vzip.16 d14,d15 - vadd.u64 d16,d16,d10 - vst1.32 {d14[0]}, [r7, :32]! - vshr.u64 d10,d16,#16 - vadd.u64 d17,d17,d10 - vshr.u64 d10,d17,#16 - vzip.16 d16,d17 - vadd.u64 d18,d18,d10 - vst1.32 {d16[0]}, [r7, :32]! 
- vshr.u64 d10,d18,#16 - vadd.u64 d19,d19,d10 - vshr.u64 d10,d19,#16 - vzip.16 d18,d19 - vadd.u64 d20,d20,d10 - vst1.32 {d18[0]}, [r7, :32]! - vshr.u64 d10,d20,#16 - vadd.u64 d21,d21,d10 - vshr.u64 d10,d21,#16 - vzip.16 d20,d21 - vadd.u64 d22,d22,d10 - vst1.32 {d20[0]}, [r7, :32]! - vshr.u64 d10,d22,#16 - vadd.u64 d23,d23,d10 - vshr.u64 d10,d23,#16 - vzip.16 d22,d23 - vadd.u64 d24,d24,d10 - vst1.32 {d22[0]}, [r7, :32]! - vshr.u64 d10,d24,#16 - vadd.u64 d25,d25,d10 - vshr.u64 d10,d25,#16 - vzip.16 d24,d25 - vadd.u64 d26,d26,d10 - vst1.32 {d24[0]}, [r7, :32]! - vshr.u64 d10,d26,#16 - vadd.u64 d27,d27,d10 - vshr.u64 d10,d27,#16 - vzip.16 d26,d27 - vld1.64 {q6,q7}, [r6, :256]! - subs r8,r8,#8 - vst1.32 {d26[0]}, [r7, :32]! - bne LNEON_tail - - vst1.32 {d10[0]}, [r7, :32] @ top-most bit - sub r3,r3,r5,lsl#2 @ rewind r3 - subs r1,sp,#0 @ clear carry flag - add r2,sp,r5,lsl#2 - -LNEON_sub: - ldmia r1!, {r4,r5,r6,r7} - ldmia r3!, {r8,r9,r10,r11} - sbcs r8, r4,r8 - sbcs r9, r5,r9 - sbcs r10,r6,r10 - sbcs r11,r7,r11 - teq r1,r2 @ preserves carry - stmia r0!, {r8,r9,r10,r11} - bne LNEON_sub - - ldr r10, [r1] @ load top-most bit - mov r11,sp - veor q0,q0,q0 - sub r11,r2,r11 @ this is num*4 - veor q1,q1,q1 - mov r1,sp - sub r0,r0,r11 @ rewind r0 - mov r3,r2 @ second 3/4th of frame - sbcs r10,r10,#0 @ result is carry flag - -LNEON_copy_n_zap: - ldmia r1!, {r4,r5,r6,r7} - ldmia r0, {r8,r9,r10,r11} - it cc - movcc r8, r4 - vst1.64 {q0,q1}, [r3,:256]! @ wipe - itt cc - movcc r9, r5 - movcc r10,r6 - vst1.64 {q0,q1}, [r3,:256]! @ wipe - it cc - movcc r11,r7 - ldmia r1, {r4,r5,r6,r7} - stmia r0!, {r8,r9,r10,r11} - sub r1,r1,#16 - ldmia r0, {r8,r9,r10,r11} - it cc - movcc r8, r4 - vst1.64 {q0,q1}, [r1,:256]! @ wipe - itt cc - movcc r9, r5 - movcc r10,r6 - vst1.64 {q0,q1}, [r3,:256]! 
@ wipe - it cc - movcc r11,r7 - teq r1,r2 @ preserves carry - stmia r0!, {r8,r9,r10,r11} - bne LNEON_copy_n_zap - - mov sp,ip - vldmia sp!,{d8,d9,d10,d11,d12,d13,d14,d15} - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11} - bx lr @ bx lr - -#endif -.byte 77,111,110,116,103,111,109,101,114,121,32,109,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.align 2 -#if __ARM_MAX_ARCH__>=7 -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bcm.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bcm.c new file mode 100644 index 000000000..65f97c6f4 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bcm.c 
@@ -0,0 +1,278 @@
+/* Copyright (c) 2017, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#if !defined(_GNU_SOURCE)
+#define _GNU_SOURCE // needed for syscall() on Linux.
+#endif
+
+#include 
+
+#include 
+#if defined(BORINGSSL_FIPS)
+#include 
+#include 
+#endif
+
+#include 
+#include 
+#include 
+
+#include "bcm_interface.h"
+#include "../bcm_support.h"
+#include "../internal.h"
+
+// TODO(crbug.com/362530616): When delocate is removed, build these files as
+// separate compilation units again.
+#include "aes/aes.c.inc"
+#include "aes/aes_nohw.c.inc"
+#include "aes/key_wrap.c.inc"
+#include "aes/mode_wrappers.c.inc"
+#include "bn/add.c.inc"
+#include "bn/asm/x86_64-gcc.c.inc"
+#include "bn/bn.c.inc"
+#include "bn/bytes.c.inc"
+#include "bn/cmp.c.inc"
+#include "bn/ctx.c.inc"
+#include "bn/div.c.inc"
+#include "bn/div_extra.c.inc"
+#include "bn/exponentiation.c.inc"
+#include "bn/gcd.c.inc"
+#include "bn/gcd_extra.c.inc"
+#include "bn/generic.c.inc"
+#include "bn/jacobi.c.inc"
+#include "bn/montgomery.c.inc"
+#include "bn/montgomery_inv.c.inc"
+#include "bn/mul.c.inc"
+#include "bn/prime.c.inc"
+#include "bn/random.c.inc"
+#include "bn/rsaz_exp.c.inc"
+#include "bn/shift.c.inc"
+#include "bn/sqrt.c.inc"
+#include "cipher/aead.c.inc"
+#include "cipher/cipher.c.inc"
+#include "cipher/e_aes.c.inc"
+#include "cipher/e_aesccm.c.inc"
+#include "cmac/cmac.c.inc"
+#include "dh/check.c.inc"
+#include "dh/dh.c.inc"
+#include "digest/digest.c.inc"
+#include "digest/digests.c.inc"
+#include "digestsign/digestsign.c.inc"
+#include "ecdh/ecdh.c.inc"
+#include "ecdsa/ecdsa.c.inc"
+#include "ec/ec.c.inc"
+#include "ec/ec_key.c.inc"
+#include "ec/ec_montgomery.c.inc"
+#include "ec/felem.c.inc"
+#include "ec/oct.c.inc"
+#include "ec/p224-64.c.inc"
+#include "ec/p256.c.inc"
+#include "ec/p256-nistz.c.inc"
+#include "ec/scalar.c.inc"
+#include "ec/simple.c.inc"
+#include "ec/simple_mul.c.inc"
+#include "ec/util.c.inc"
+#include "ec/wnaf.c.inc"
+#include "hkdf/hkdf.c.inc"
+#include "hmac/hmac.c.inc"
+#include "modes/cbc.c.inc"
+#include "modes/cfb.c.inc"
+#include "modes/ctr.c.inc"
+#include "modes/gcm.c.inc"
+#include "modes/gcm_nohw.c.inc"
+#include "modes/ofb.c.inc"
+#include "modes/polyval.c.inc"
+#include "rand/ctrdrbg.c.inc"
+#include "rand/rand.c.inc"
+#include "rsa/blinding.c.inc"
+#include "rsa/padding.c.inc"
+#include "rsa/rsa.c.inc"
+#include "rsa/rsa_impl.c.inc"
+#include "self_check/fips.c.inc"
+#include "self_check/self_check.c.inc"
+#include "service_indicator/service_indicator.c.inc"
+#include "sha/sha1.c.inc"
+#include "sha/sha256.c.inc"
+#include "sha/sha512.c.inc"
+#include "tls/kdf.c.inc"
+
+
+#if defined(BORINGSSL_FIPS)
+
+#if !defined(OPENSSL_ASAN)
+
+// These symbols are filled in by delocate.go (in static builds) or a linker
+// script (in shared builds). They point to the start and end of the module, and
+// the location of the integrity hash, respectively.
+extern const uint8_t BORINGSSL_bcm_text_start[];
+extern const uint8_t BORINGSSL_bcm_text_end[];
+extern const uint8_t BORINGSSL_bcm_text_hash[];
+#if defined(BORINGSSL_SHARED_LIBRARY)
+extern const uint8_t BORINGSSL_bcm_rodata_start[];
+extern const uint8_t BORINGSSL_bcm_rodata_end[];
+#endif
+
+// assert_within is used to sanity check that certain symbols are within the
+// bounds of the integrity check. It checks that start <= symbol < end and
+// aborts otherwise.
+static void assert_within(const void *start, const void *symbol,
+ const void *end) {
+ const uintptr_t start_val = (uintptr_t) start;
+ const uintptr_t symbol_val = (uintptr_t) symbol;
+ const uintptr_t end_val = (uintptr_t) end;
+
+ if (start_val <= symbol_val && symbol_val < end_val) {
+ return;
+ }
+
+ fprintf(
+ CRYPTO_get_stderr(),
+ "FIPS module doesn't span expected symbol. Expected %p <= %p < %p\n",
+ start, symbol, end);
+ BORINGSSL_FIPS_abort();
+}
+
+#if defined(OPENSSL_ANDROID) && defined(OPENSSL_AARCH64)
+static void BORINGSSL_maybe_set_module_text_permissions(int permission) {
+ // Android may be compiled in execute-only-memory mode, in which case the
+ // .text segment cannot be read. That conflicts with the need for a FIPS
+ // module to hash its own contents, therefore |mprotect| is used to make
+ // the module's .text readable for the duration of the hashing process. In
+ // other build configurations this is a no-op.
+ const uintptr_t page_size = getpagesize();
+ const uintptr_t page_start =
+ ((uintptr_t)BORINGSSL_bcm_text_start) & ~(page_size - 1);
+
+ if (mprotect((void *)page_start,
+ ((uintptr_t)BORINGSSL_bcm_text_end) - page_start,
+ permission) != 0) {
+ perror("BoringSSL: mprotect");
+ }
+}
+#else
+static void BORINGSSL_maybe_set_module_text_permissions(int permission) {}
+#endif // !ANDROID
+
+#endif // !ASAN
+
+static void __attribute__((constructor))
+BORINGSSL_bcm_power_on_self_test(void) {
+#if !defined(OPENSSL_ASAN)
+ // Integrity tests cannot run under ASAN because it involves reading the full
+ // .text section, which triggers the global-buffer overflow detection.
+ if (!BORINGSSL_integrity_test()) {
+ goto err;
+ }
+#endif // OPENSSL_ASAN
+
+ if (!boringssl_self_test_startup()) {
+ goto err;
+ }
+
+ return;
+
+err:
+ BORINGSSL_FIPS_abort();
+}
+
+#if !defined(OPENSSL_ASAN)
+int BORINGSSL_integrity_test(void) {
+ const uint8_t *const start = BORINGSSL_bcm_text_start;
+ const uint8_t *const end = BORINGSSL_bcm_text_end;
+
+ assert_within(start, AES_encrypt, end);
+ assert_within(start, RSA_sign, end);
+ assert_within(start, BCM_rand_bytes, end);
+ assert_within(start, EC_GROUP_cmp, end);
+ assert_within(start, BCM_sha256_update, end);
+ assert_within(start, ecdsa_verify_fixed, end);
+ assert_within(start, EVP_AEAD_CTX_seal, end);
+
+#if defined(BORINGSSL_SHARED_LIBRARY)
+ const uint8_t *const rodata_start = BORINGSSL_bcm_rodata_start;
+ const uint8_t *const rodata_end = BORINGSSL_bcm_rodata_end;
+#else
+ // In the static build, read-only data is placed within the .text segment.
+ const uint8_t *const rodata_start = BORINGSSL_bcm_text_start;
+ const uint8_t *const rodata_end = BORINGSSL_bcm_text_end;
+#endif
+
+ assert_within(rodata_start, kPrimes, rodata_end);
+ assert_within(rodata_start, kP256Field, rodata_end);
+ assert_within(rodata_start, kPKCS1SigPrefixes, rodata_end);
+
+ uint8_t result[SHA256_DIGEST_LENGTH];
+ const EVP_MD *const kHashFunction = EVP_sha256();
+ if (!boringssl_self_test_sha256() ||
+ !boringssl_self_test_hmac_sha256()) {
+ return 0;
+ }
+
+ static const uint8_t kHMACKey[64] = {0};
+ unsigned result_len;
+ HMAC_CTX hmac_ctx;
+ HMAC_CTX_init(&hmac_ctx);
+ if (!HMAC_Init_ex(&hmac_ctx, kHMACKey, sizeof(kHMACKey), kHashFunction,
+ NULL /* no ENGINE */)) {
+ fprintf(CRYPTO_get_stderr(), "HMAC_Init_ex failed.\n");
+ return 0;
+ }
+
+ BORINGSSL_maybe_set_module_text_permissions(PROT_READ | PROT_EXEC);
+#if defined(BORINGSSL_SHARED_LIBRARY)
+ uint64_t length = end - start;
+ HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
+ HMAC_Update(&hmac_ctx, start, length);
+
+ length = rodata_end - rodata_start;
+ HMAC_Update(&hmac_ctx, (const uint8_t *) &length, sizeof(length));
+ HMAC_Update(&hmac_ctx, rodata_start, length);
+#else
+ HMAC_Update(&hmac_ctx, start, end - start);
+#endif
+ BORINGSSL_maybe_set_module_text_permissions(PROT_EXEC);
+
+ if (!HMAC_Final(&hmac_ctx, result, &result_len) ||
+ result_len != sizeof(result)) {
+ fprintf(CRYPTO_get_stderr(), "HMAC failed.\n");
+ return 0;
+ }
+ HMAC_CTX_cleanse(&hmac_ctx); // FIPS 140-3, AS05.10.
+
+ const uint8_t *expected = BORINGSSL_bcm_text_hash;
+
+ if (!check_test(expected, result, sizeof(result), "FIPS integrity test")) {
+#if !defined(BORINGSSL_FIPS_BREAK_TESTS)
+ return 0;
+#endif
+ }
+
+ OPENSSL_cleanse(result, sizeof(result)); // FIPS 140-3, AS05.10.
+ return 1;
+}
+
+const uint8_t* FIPS_module_hash(void) {
+ return BORINGSSL_bcm_text_hash;
+}
+
+#endif // OPENSSL_ASAN
+
+void BORINGSSL_FIPS_abort(void) {
+ for (;;) {
+ abort();
+ exit(1);
+ }
+}
+
+#endif // BORINGSSL_FIPS
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bcm_interface.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/bcm_interface.h
new file mode 100644
index 000000000..9acb093cd
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bcm_interface.h
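Review bot: In BORINGSSL_maybe_set_module_text_permissions a failed mprotect() is only reported with perror() and execution continues, so when the PROT_EXEC restore after hashing fails the module's .text presumably stays readable on an execute-only-memory build, and when the PROT_READ|PROT_EXEC call fails the following HMAC_Update over .text would fault instead of failing cleanly. Since this helper exists solely for the integrity check, failing closed seems the more defensible choice: `perror("BoringSSL: mprotect"); BORINGSSL_FIPS_abort();`. Separately, the early-return paths in BORINGSSL_integrity_test (HMAC_Init_ex failure, HMAC_Final failure, and the mismatch path when BORINGSSL_FIPS_BREAK_TESTS is unset) skip the `HMAC_CTX_cleanse(&hmac_ctx)` and `OPENSSL_cleanse(result, sizeof(result))` that the success path performs under the AS05.10 comment; a single cleanup label would make both cleanses unconditional. This file is vendored from upstream, so both points may be better raised there than patched locally.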
@@ -0,0 +1,244 @@ +/* Copyright (c) 2024, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H +#define OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H + +#include + +// This header will eventually become the interface between BCM and the +// rest of libcrypto. More cleanly separating the two is still a work in +// progress (see https://crbug.com/boringssl/722) so, at the moment, we +// consider this no different from any other header in BCM. +// +// Over time, calls from libcrypto to BCM will all move to this header +// and the separation will become more meaningful. + +#if defined(__cplusplus) +extern "C" { +#endif + +// Enumerated types for return values from bcm functions, both infallible +// and fallible functions. Two success values are used to correspond to the +// FIPS service indicator. For the moment, the official service indicator +// remains the counter, not these values. Once we fully transition to +// these return values from bcm we will change that. +enum bcm_infallible_t { + bcm_infallible_approved, + bcm_infallible_not_approved, +}; + +enum bcm_status_t { + bcm_status_approved, + bcm_status_not_approved, + + // Failure codes, which must all be negative. 
+ bcm_status_failure, +}; +typedef enum bcm_status_t bcm_status; +typedef enum bcm_infallible_t bcm_infallible; + +OPENSSL_INLINE int bcm_success(bcm_status status) { + return status == bcm_status_approved || status == bcm_status_not_approved; +} + + +// Random number generator. + +#if defined(BORINGSSL_FIPS) + +// We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to whiten. +// TODO(bbe): disentangle this value which is used to calculate the size of the +// stack buffer in RAND_need entropy based on a calculation. +#define BORINGSSL_FIPS_OVERREAD 10 + +#endif // BORINGSSL_FIPS + +// BCM_rand_load_entropy supplies |entropy_len| bytes of entropy to the BCM +// module. The |want_additional_input| parameter is true iff the entropy was +// obtained from a source other than the system, e.g. directly from the CPU. +bcm_infallible BCM_rand_load_entropy(const uint8_t *entropy, size_t entropy_len, + int want_additional_input); + +// BCM_rand_bytes is the same as the public |RAND_bytes| function, other +// than returning a bcm_infallible status indicator. +OPENSSL_EXPORT bcm_infallible BCM_rand_bytes(uint8_t *out, size_t out_len); + +// BCM_rand_bytes_hwrng attempts to fill |out| with |len| bytes of entropy from +// the CPU hardware random number generator if one is present. +// bcm_status_approved is returned on success, and a failure status is +// returned otherwise. +bcm_status BCM_rand_bytes_hwrng(uint8_t *out, size_t len); + +// BCM_rand_bytes_with_additional_data samples from the RNG after mixing 32 +// bytes from |user_additional_data| in. +bcm_infallible BCM_rand_bytes_with_additional_data( + uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]); + + +// SHA-1 + +// BCM_SHA_DIGEST_LENGTH is the length of a SHA-1 digest. +#define BCM_SHA_DIGEST_LENGTH 20 + +// BCM_sha1_init initialises |sha|. 
+bcm_infallible BCM_sha1_init(SHA_CTX *sha); + +// BCM_SHA1_transform is a low-level function that performs a single, SHA-1 +// block transformation using the state from |sha| and |SHA_CBLOCK| bytes from +// |block|. +bcm_infallible BCM_sha1_transform(SHA_CTX *c, + const uint8_t data[BCM_SHA_CBLOCK]); + +// BCM_sha1_update adds |len| bytes from |data| to |sha|. +bcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len); + +// BCM_sha1_final adds the final padding to |sha| and writes the resulting +// digest to |out|, which must have at least |SHA_DIGEST_LENGTH| bytes of space. +bcm_infallible BCM_sha1_final(uint8_t out[BCM_SHA_DIGEST_LENGTH], SHA_CTX *c); + + +// BCM_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF +// defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b +// parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user +// input is all zeros. +// +// The PRF generates a sequence of 320-bit numbers. Each number is encoded as a +// 40-byte string in big-endian and then concatenated to form |out|. If +// |out_len| is not a multiple of 40, the result is truncated. This matches the +// construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187. +// +// This PRF is based on SHA-1, a weak hash function, and should not be used +// in new protocols. It is provided for compatibility with some legacy EAP +// methods. +bcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len, + const uint8_t xkey[BCM_SHA_DIGEST_LENGTH]); + + +// SHA-224 + +// SHA224_DIGEST_LENGTH is the length of a SHA-224 digest. +#define BCM_SHA224_DIGEST_LENGTH 28 + +// BCM_sha224_unit initialises |sha|. +bcm_infallible BCM_sha224_init(SHA256_CTX *sha); + +// BCM_sha224_update adds |len| bytes from |data| to |sha|. 
+bcm_infallible BCM_sha224_update(SHA256_CTX *sha, const void *data, size_t len); + +// BCM_sha224_final adds the final padding to |sha| and writes the resulting +// digest to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of +// space. It aborts on programmer error. +bcm_infallible BCM_sha224_final(uint8_t out[BCM_SHA224_DIGEST_LENGTH], + SHA256_CTX *sha); + + +// SHA-256 + +// BCM_SHA256_DIGEST_LENGTH is the length of a SHA-256 digest. +#define BCM_SHA256_DIGEST_LENGTH 32 + +// BCM_sha256_init initialises |sha|. +bcm_infallible BCM_sha256_init(SHA256_CTX *sha); + +// BCM_sha256_update adds |len| bytes from |data| to |sha|. +bcm_infallible BCM_sha256_update(SHA256_CTX *sha, const void *data, size_t len); + +// BCM_sha256_final adds the final padding to |sha| and writes the resulting +// digest to |out|, which must have at least |BCM_SHA256_DIGEST_LENGTH| bytes of +// space. It aborts on programmer error. +bcm_infallible BCM_sha256_final(uint8_t out[BCM_SHA256_DIGEST_LENGTH], + SHA256_CTX *sha); + +// BCM_sha256_transform is a low-level function that performs a single, SHA-256 +// block transformation using the state from |sha| and |BCM_SHA256_CBLOCK| bytes +// from |block|. +bcm_infallible BCM_sha256_transform(SHA256_CTX *sha, + const uint8_t block[BCM_SHA256_CBLOCK]); + +// BCM_sha256_transform_blocks is a low-level function that takes |num_blocks| * +// |BCM_SHA256_CBLOCK| bytes of data and performs SHA-256 transforms on it to +// update |state|. +bcm_infallible BCM_sha256_transform_blocks(uint32_t state[8], + const uint8_t *data, + size_t num_blocks); + + +// SHA-384. + +// BCM_SHA384_DIGEST_LENGTH is the length of a SHA-384 digest. +#define BCM_SHA384_DIGEST_LENGTH 48 + +// BCM_sha384_init initialises |sha|. +bcm_infallible BCM_sha384_init(SHA512_CTX *sha); + +// BCM_sha384_update adds |len| bytes from |data| to |sha|. 
+bcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data, size_t len); + +// BCM_sha384_final adds the final padding to |sha| and writes the resulting +// digest to |out|, which must have at least |BCM_sha384_DIGEST_LENGTH| bytes of +// space. It may abort on programmer error. +bcm_infallible BCM_sha384_final(uint8_t out[BCM_SHA384_DIGEST_LENGTH], + SHA512_CTX *sha); + + +// SHA-512. + +// BCM_SHA512_DIGEST_LENGTH is the length of a SHA-512 digest. +#define BCM_SHA512_DIGEST_LENGTH 64 + +// BCM_sha512_init initialises |sha|. +bcm_infallible BCM_sha512_init(SHA512_CTX *sha); + +// BCM_sha512_update adds |len| bytes from |data| to |sha|. +bcm_infallible BCM_sha512_update(SHA512_CTX *sha, const void *data, size_t len); + +// BCM_sha512_final adds the final padding to |sha| and writes the resulting +// digest to |out|, which must have at least |BCM_sha512_DIGEST_LENGTH| bytes of +// space. +bcm_infallible BCM_sha512_final(uint8_t out[BCM_SHA512_DIGEST_LENGTH], + SHA512_CTX *sha); + +// BCM_sha512_transform is a low-level function that performs a single, SHA-512 +// block transformation using the state from |sha| and |BCM_sha512_CBLOCK| bytes +// from |block|. +bcm_infallible BCM_sha512_transform(SHA512_CTX *sha, + const uint8_t block[BCM_SHA512_CBLOCK]); + + +// SHA-512-256 +// +// See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6 + +#define BCM_SHA512_256_DIGEST_LENGTH 32 + +// BCM_sha512_256_init initialises |sha|. +bcm_infallible BCM_sha512_256_init(SHA512_CTX *sha); + +// BCM_sha512_256_update adds |len| bytes from |data| to |sha|. +bcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data, + size_t len); + +// BCM_sha512_256_final adds the final padding to |sha| and writes the resulting +// digest to |out|, which must have at least |BCM_sha512_256_DIGEST_LENGTH| +// bytes of space. It may abort on programmer error. 
+bcm_infallible BCM_sha512_256_final(uint8_t out[BCM_SHA512_256_DIGEST_LENGTH], + SHA512_CTX *sha); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_BCM_INTERFACE_H diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/add.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/add.c.inc similarity index 96% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/add.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/add.c.inc index 35a55255e..fdbcd118b 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/add.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/add.c.inc @@ -117,10 +117,7 @@ int bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { BN_ULONG carry = bn_add_words(r->d, a->d, b->d, min); for (int i = min; i < max; i++) { - // |r| and |a| may alias, so use a temporary. - BN_ULONG tmp = carry + a->d[i]; - carry = tmp < a->d[i]; - r->d[i] = tmp; + r->d[i] = CRYPTO_addc_w(a->d[i], 0, carry, &carry); } r->d[max] = carry; @@ -241,10 +238,7 @@ int bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { BN_ULONG borrow = bn_sub_words(r->d, a->d, b->d, b_width); for (int i = b_width; i < a->width; i++) { - // |r| and |a| may alias, so use a temporary. - BN_ULONG tmp = a->d[i]; - r->d[i] = a->d[i] - borrow; - borrow = tmp < r->d[i]; + r->d[i] = CRYPTO_subc_w(a->d[i], 0, borrow, &borrow); } if (borrow) { diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/asm/x86_64-gcc.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/asm/x86_64-gcc.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/asm/x86_64-gcc.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/asm/x86_64-gcc.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bn.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bn.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bn.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bn.c.inc 
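Review bot: The comment above `bcm_status_failure` says failure codes "must all be negative", but as the third unnamed enumerator it takes the value 2, so the comment and the definition disagree; either assign it explicitly, `bcm_status_failure = -1,` (bcm_success compares only against the two approved values, so its result is unchanged), or reword the comment. Several doc comments also name the wrong identifier: "BCM_sha224_unit" for BCM_sha224_init, "SHA224_DIGEST_LENGTH" for BCM_SHA224_DIGEST_LENGTH, "BCM_SHA1_transform" for BCM_sha1_transform, and "|SHA_DIGEST_LENGTH|", "|BCM_sha384_DIGEST_LENGTH|", "|BCM_sha512_DIGEST_LENGTH|", "|BCM_sha512_CBLOCK|" and "|BCM_sha512_256_DIGEST_LENGTH|" for the upper-case macros this header actually defines. The prototype array bounds `BCM_SHA_CBLOCK`, `BCM_SHA256_CBLOCK` and `BCM_SHA512_CBLOCK` are not defined in this header, so they presumably come from the single include at the top; a comment naming that source would help readers of the interface.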
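Review bot: The rewritten loop in bn_uadd_consttime drops the `// |r| and |a| may alias, so use a temporary.` comment without saying why aliasing is still safe; it is, because `a->d[i]` is evaluated as an argument before `r->d[i]` is stored, but that ordering is now implicit in a single statement. Suggest keeping a one-line note, `// |r| and |a| may alias; |a->d[i]| is read before |r->d[i]| is written.`, here and in the matching bn_usub_consttime hunk that follows. Both functions start and end outside their hunks.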
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bytes.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bytes.c.inc similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bytes.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bytes.c.inc index 0358214fd..75f04c1f5 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bytes.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/bytes.c.inc @@ -63,26 +63,31 @@ void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len) { - for (size_t i = 0; i < out_len; i++) { - if (in_len < sizeof(BN_ULONG)) { - // Load the last partial word. - BN_ULONG word = 0; - for (size_t j = 0; j < in_len; j++) { - word = (word << 8) | in[j]; - } - in_len = 0; - out[i] = word; - // Fill the remainder with zeros. - OPENSSL_memset(out + i + 1, 0, (out_len - i - 1) * sizeof(BN_ULONG)); - break; - } + // The caller should have sized |out| to fit |in| without truncating. This + // condition ensures we do not overflow |out|, so use a runtime check. + BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG)); + // Load whole words. + while (in_len >= sizeof(BN_ULONG)) { in_len -= sizeof(BN_ULONG); - out[i] = CRYPTO_load_word_be(in + in_len); + out[0] = CRYPTO_load_word_be(in + in_len); + out++; + out_len--; + } + + // Load the last partial word. + if (in_len != 0) { + BN_ULONG word = 0; + for (size_t i = 0; i < in_len; i++) { + word = (word << 8) | in[i]; + } + out[0] = word; + out++; + out_len--; } - // The caller should have sized the output to avoid truncation. - assert(in_len == 0); + // Fill the remainder with zeros. + OPENSSL_memset(out, 0, out_len * sizeof(BN_ULONG)); } BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { 
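Review bot: The new `BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG))` is the right fail-closed replacement for the old debug-only assert, but the product on the right can wrap for an absurdly large `out_len`, in which case the check passes and the whole-word loop would write past `out`; an overflow-free form is `BSSL_CHECK(in_len / sizeof(BN_ULONG) + (in_len % sizeof(BN_ULONG) != 0) <= out_len)`. This only matters if a caller can ever hand in an unallocatable word count, so from what is visible here it is a hardening nit rather than a reachable bug.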
@@ -181,7 +186,7 @@ void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num) { void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, size_t in_len) { // The caller should have selected an output length without truncation. - assert(fits_in_bytes(in, in_len, out_len)); + declassify_assert(fits_in_bytes(in, in_len, out_len)); // We only support little-endian platforms, so the internal representation is // also little-endian as bytes. We can simply copy it in reverse. diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/cmp.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/cmp.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/cmp.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/cmp.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/ctx.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/ctx.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/ctx.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/ctx.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div.c.inc similarity index 75% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div.c.inc index 53e0427da..dcd0e23b7 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div.c.inc 
@@ -149,11 +149,11 @@ static inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out, // * https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65668 // // Clang bugs: - // * https://llvm.org/bugs/show_bug.cgi?id=6397 - // * https://llvm.org/bugs/show_bug.cgi?id=12418 + // * https://github.com/llvm/llvm-project/issues/6769 + // * https://github.com/llvm/llvm-project/issues/12790 // - // These issues aren't specific to x86 and x86_64, so it might be worthwhile - // to add more assembly language implementations. + // These is specific to x86 and x86_64; Arm and RISC-V do not have double-wide + // division instructions. #if defined(BN_CAN_USE_INLINE_ASM) && defined(OPENSSL_X86) __asm__ volatile("divl %4" : "=a"(*quotient_out), "=d"(*rem_out) 
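Review bot: The replacement comment `// These is specific to x86 and x86_64; Arm and RISC-V do not have double-wide` has a grammar slip ("These is") and a dangling referent; `// The inline assembly is specific to x86 and x86_64; Arm and RISC-V do not have double-wide` says what is meant. bn_div_rem_words starts and ends outside the hunk.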
@@ -175,44 +175,16 @@ static inline void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out, #endif } -// BN_div computes "quotient := numerator / divisor", rounding towards zero, -// and sets up |rem| such that "quotient * divisor + rem = numerator" holds. -// -// Thus: -// -// quotient->neg == numerator->neg ^ divisor->neg -// (unless the result is zero) -// rem->neg == numerator->neg -// (unless the remainder is zero) -// -// If |quotient| or |rem| is NULL, the respective value is not returned. -// -// This was specifically designed to contain fewer branches that may leak -// sensitive information; see "New Branch Prediction Vulnerabilities in OpenSSL -// and Necessary Software Countermeasures" by Onur Acıçmez, Shay Gueron, and -// Jean-Pierre Seifert. int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, const BIGNUM *divisor, BN_CTX *ctx) { - int norm_shift, loop; - BIGNUM wnum; - BN_ULONG *resp, *wnump; - BN_ULONG d0, d1; - int num_n, div_n; - - // This function relies on the historical minimal-width |BIGNUM| invariant. - // It is already not constant-time (constant-time reductions should use - // Montgomery logic), so we shrink all inputs and intermediate values to - // retain the previous behavior. - - // Invalid zero-padding would have particularly bad consequences. - int numerator_width = bn_minimal_width(numerator); - int divisor_width = bn_minimal_width(divisor); - if ((numerator_width > 0 && numerator->d[numerator_width - 1] == 0) || - (divisor_width > 0 && divisor->d[divisor_width - 1] == 0)) { - OPENSSL_PUT_ERROR(BN, BN_R_NOT_INITIALIZED); - return 0; - } - + // This function implements long division, per Knuth, The Art of Computer + // Programming, Volume 2, Chapter 4.3.1, Algorithm D. This algorithm only + // divides non-negative integers, but we round towards zero, so we divide + // absolute values and adjust the signs separately. 
+ // + // Inputs to this function are assumed public and may be leaked by timing and + // cache side channels. Division with secret inputs should use other + // implementation strategies such as Montgomery reduction. if (BN_is_zero(divisor)) { OPENSSL_PUT_ERROR(BN, BN_R_DIV_BY_ZERO); return 0; 
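Review bot: The removed header comment was the only statement of BN_div's contract visible here — the sign rules (`quotient->neg == numerator->neg ^ divisor->neg` unless the result is zero, `rem->neg == numerator->neg` unless the remainder is zero) and that a NULL |quotient| or |rem| is simply not returned — and the new Knuth comment does not restate them. Unless that text now lives on the declaration in the public header, suggest keeping a short version of it above the function. The new "inputs are assumed public and may be leaked by timing and cache side channels" paragraph is the security-relevant part of this change and is worth mirroring at the public declaration too, since it is callers who decide whether secret values reach this function. BN_div continues outside the hunk.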
@@ -222,174 +194,168 @@ int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, BIGNUM *tmp = BN_CTX_get(ctx); BIGNUM *snum = BN_CTX_get(ctx); BIGNUM *sdiv = BN_CTX_get(ctx); - BIGNUM *res = NULL; - if (quotient == NULL) { - res = BN_CTX_get(ctx); - } else { - res = quotient; - } - if (sdiv == NULL || res == NULL) { + BIGNUM *res = quotient == NULL ? BN_CTX_get(ctx) : quotient; + if (tmp == NULL || snum == NULL || sdiv == NULL || res == NULL) { goto err; } - // First we normalise the numbers - norm_shift = BN_BITS2 - (BN_num_bits(divisor) % BN_BITS2); - if (!BN_lshift(sdiv, divisor, norm_shift)) { + // Knuth step D1: Normalise the numbers such that the divisor's MSB is set. + // This ensures, in Knuth's terminology, that v1 >= b/2, needed for the + // quotient estimation step. + int norm_shift = BN_BITS2 - (BN_num_bits(divisor) % BN_BITS2); + if (!BN_lshift(sdiv, divisor, norm_shift) || + !BN_lshift(snum, numerator, norm_shift)) { goto err; } + + // This algorithm relies on |sdiv| being minimal width. We do not use this + // function on secret inputs, so leaking this is fine. Also minimize |snum| to + // avoid looping on leading zeros, as we're not trying to be leak-free. bn_set_minimal_width(sdiv); - sdiv->neg = 0; - norm_shift += BN_BITS2; - if (!BN_lshift(snum, numerator, norm_shift)) { - goto err; - } bn_set_minimal_width(snum); - snum->neg = 0; - - // Since we don't want to have special-case logic for the case where snum is - // larger than sdiv, we pad snum with enough zeroes without changing its - // value. 
- if (snum->width <= sdiv->width + 1) { - if (!bn_wexpand(snum, sdiv->width + 2)) { - goto err; - } - for (int i = snum->width; i < sdiv->width + 2; i++) { - snum->d[i] = 0; - } - snum->width = sdiv->width + 2; - } else { - if (!bn_wexpand(snum, snum->width + 1)) { - goto err; - } - snum->d[snum->width] = 0; - snum->width++; - } - - div_n = sdiv->width; - num_n = snum->width; - loop = num_n - div_n; - // Lets setup a 'window' into snum - // This is the part that corresponds to the current - // 'area' being divided - wnum.neg = 0; - wnum.d = &(snum->d[loop]); - wnum.width = div_n; - // only needed when BN_ucmp messes up the values between width and max - wnum.dmax = snum->dmax - loop; // so we don't step out of bounds - - // Get the top 2 words of sdiv - // div_n=sdiv->width; - d0 = sdiv->d[div_n - 1]; - d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2]; - - // pointer to the 'top' of snum - wnump = &(snum->d[num_n - 1]); - - // Setup |res|. |numerator| and |res| may alias, so we save |numerator->neg| - // for later. - const int numerator_neg = numerator->neg; - res->neg = (numerator_neg ^ divisor->neg); - if (!bn_wexpand(res, loop + 1)) { + int div_n = sdiv->width; + const BN_ULONG d0 = sdiv->d[div_n - 1]; + const BN_ULONG d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2]; + assert(d0 & (((BN_ULONG)1) << (BN_BITS2 - 1))); + + // Extend |snum| with zeros to satisfy the long division invariants: + // - |snum| must have at least |div_n| + 1 words. + // - |snum|'s most significant word must be zero to guarantee the first loop + // iteration works with a prefix greater than |sdiv|. (This is the extra u0 + // digit in Knuth step D1.) + int num_n = snum->width <= div_n ? div_n + 1 : snum->width + 1; + if (!bn_resize_words(snum, num_n)) { goto err; } - res->width = loop - 1; - resp = &(res->d[loop - 1]); - // space for temp - if (!bn_wexpand(tmp, div_n + 1)) { + // Knuth step D2: The quotient's width is the difference between numerator and + // denominator. 
Also set up its sign and size a temporary for the loop. + int loop = num_n - div_n; + res->neg = snum->neg ^ sdiv->neg; + if (!bn_wexpand(res, loop) || // + !bn_wexpand(tmp, div_n + 1)) { goto err; } - - // if res->width == 0 then clear the neg value otherwise decrease - // the resp pointer - if (res->width == 0) { - res->neg = 0; - } else { - resp--; - } - - for (int i = 0; i < loop - 1; i++, wnump--, resp--) { - BN_ULONG q, l0; - // the first part of the loop uses the top two words of snum and sdiv to - // calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv - BN_ULONG n0, n1, rm = 0; - - n0 = wnump[0]; - n1 = wnump[-1]; + res->width = loop; + + // Knuth steps D2 through D7: Compute the quotient with a word-by-word long + // division. Note that Knuth indexes words from most to least significant, so + // our index is reversed. Each loop iteration computes res->d[i] of the + // quotient and updates snum with the running remainder. Before each loop + // iteration, the div_n words beginning at snum->d[i+1] must be less than + // snum. + for (int i = loop - 1; i >= 0; i--) { + // The next word of the quotient, q, is floor(wnum / sdiv), where wnum is + // the div_n + 1 words beginning at snum->d[i]. i starts at + // num_n - div_n - 1, so there are at least div_n + 1 words available. + // + // Knuth step D3: Compute q', an estimate of q by looking at the top words + // of wnum and sdiv. We must estimate such that q' = q or q' = q + 1. + BN_ULONG q, rm = 0; + BN_ULONG *wnum = snum->d + i; + BN_ULONG n0 = wnum[div_n]; + BN_ULONG n1 = wnum[div_n - 1]; if (n0 == d0) { + // Estimate q' = b - 1, where b is the base. q = BN_MASK2; + // Knuth also runs the fixup routine in this case, but this would require + // computing rm and is unnecessary. q' is already close enough. That is, + // the true quotient, q is either b - 1 or b - 2. + // + // By the loop invariant, q <= b - 1, so we must show that q >= b - 2. We + // do this by showing wnum / sdiv >= b - 2. 
Suppose wnum / sdiv < b - 2. + // wnum and sdiv have the same most significant word, so: + // + // wnum >= n0 * b^div_n + // sdiv < (n0 + 1) * b^(d_div - 1) + // + // Thus: + // + // b - 2 > wnum / sdiv + // > (n0 * b^div_n) / (n0 + 1) * b^(div_n - 1) + // = (n0 * b) / (n0 + 1) + // + // (n0 + 1) * (b - 2) > n0 * b + // n0 * b + b - 2 * n0 - 2 > n0 * b + // b - 2 > 2 * n0 + // b/2 - 1 > n0 + // + // This contradicts the normalization condition, so q >= b - 2 and our + // estimate is close enough. } else { - // n0 < d0 + // Estimate q' = floor(n0n1 / d0). Per Theorem B, q' - 2 <= q <= q', which + // is slightly outside of our bounds. + assert(n0 < d0); bn_div_rem_words(&q, &rm, n0, n1, d0); + // Fix the estimate by examining one more word and adjusting q' as needed. + // This is the second half of step D3 and is sufficient per exercises 19, + // 20, and 21. Although only one iteration is needed to correct q + 2 to + // q + 1, Knuth uses a loop. A loop will often also correct q + 1 to q, + // saving the slightly more expensive underflow handling below. + if (div_n > 1) { + BN_ULONG n2 = wnum[div_n - 2]; #ifdef BN_ULLONG - BN_ULLONG t2 = (BN_ULLONG)d1 * q; - for (;;) { - if (t2 <= ((((BN_ULLONG)rm) << BN_BITS2) | wnump[-2])) { - break; + BN_ULLONG t2 = (BN_ULLONG)d1 * q; + for (;;) { + if (t2 <= ((((BN_ULLONG)rm) << BN_BITS2) | n2)) { + break; + } + q--; + rm += d0; + if (rm < d0) { + // If rm overflows, the true value exceeds BN_ULONG and the next + // t2 comparison should exit the loop. 
+ break; + } + t2 -= d1; } - q--; - rm += d0; - if (rm < d0) { - break; // don't let rm overflow - } - t2 -= d1; - } -#else // !BN_ULLONG - BN_ULONG t2l, t2h; - BN_UMULT_LOHI(t2l, t2h, d1, q); - for (;;) { - if (t2h < rm || - (t2h == rm && t2l <= wnump[-2])) { - break; +#else // !BN_ULLONG + BN_ULONG t2l, t2h; + BN_UMULT_LOHI(t2l, t2h, d1, q); + for (;;) { + if (t2h < rm || (t2h == rm && t2l <= n2)) { + break; + } + q--; + rm += d0; + if (rm < d0) { + // If rm overflows, the true value exceeds BN_ULONG and the next + // t2 comparison should exit the loop. + break; + } + if (t2l < d1) { + t2h--; + } + t2l -= d1; } - q--; - rm += d0; - if (rm < d0) { - break; // don't let rm overflow - } - if (t2l < d1) { - t2h--; - } - t2l -= d1; - } #endif // !BN_ULLONG + } } - l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q); - tmp->d[div_n] = l0; - wnum.d--; - // ingore top values of the bignums just sub the two - // BN_ULONG arrays with bn_sub_words - if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) { - // Note: As we have considered only the leading - // two BN_ULONGs in the calculation of q, sdiv * q - // might be greater than wnum (but then (q-1) * sdiv - // is less or equal than wnum) + // Knuth step D4 through D6: Now q' = q or q' = q + 1, and + // -sdiv < wnum - sdiv * q < sdiv. If q' = q + 1, the subtraction will + // underflow, and we fix it up below. + tmp->d[div_n] = bn_mul_words(tmp->d, sdiv->d, div_n, q); + if (bn_sub_words(wnum, wnum, tmp->d, div_n + 1)) { q--; - if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) { - // we can't have an overflow here (assuming - // that q != 0, but if q == 0 then tmp is - // zero anyway) - (*wnump)++; - } + // The final addition is expected to overflow, canceling the underflow. + wnum[div_n] += bn_add_words(wnum, wnum, sdiv->d, div_n); } - // store part of the result - *resp = q; + + // q is now correct, and wnum has been updated to the running remainder. + res->d[i] = q; } + // Trim leading zeros and correct any negative zeros. 
bn_set_minimal_width(snum); + bn_set_minimal_width(res); - if (rem != NULL) { - if (!BN_rshift(rem, snum, norm_shift)) { - goto err; - } - if (!BN_is_zero(rem)) { - rem->neg = numerator_neg; - } + // Knuth step D8: Unnormalize. snum now contains the remainder. + if (rem != NULL && !BN_rshift(rem, snum, norm_shift)) { + goto err; } - bn_set_minimal_width(res); BN_CTX_end(ctx); return 1; @@ -406,8 +372,9 @@ int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) { return 1; } - // now -|d| < r < 0, so we have to set r := r + |d|. - return (d->neg ? BN_sub : BN_add)(r, r, d); + // now -d < r < 0, so we have to set r := r + d. Ignoring the sign bits, this + // is r = d - r. + return BN_usub(r, d, r); } BN_ULONG bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry, @@ -425,7 +392,7 @@ BN_ULONG bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry, // // Although |carry| may be one if it was one on input and |bn_sub_words| // returns zero, this would give |r| > |m|, violating our input assumptions. - assert(carry == 0 || carry == (BN_ULONG)-1); + declassify_assert(carry + 1 <= 1); bn_select_words(r, carry, a /* r < 0 */, r /* r >= 0 */, num); return carry; } @@ -434,7 +401,7 @@ BN_ULONG bn_reduce_once_in_place(BN_ULONG *r, BN_ULONG carry, const BN_ULONG *m, BN_ULONG *tmp, size_t num) { // See |bn_reduce_once| for why this logic works. carry -= bn_sub_words(tmp, r, m, num); - assert(carry == 0 || carry == (BN_ULONG)-1); + declassify_assert(carry + 1 <= 1); bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num); return carry; } 
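Review bot: The loop-invariant comment above the `for (int i = loop - 1; i >= 0; i--)` loop says the `div_n` words beginning at `snum->d[i+1]` "must be less than snum"; the invariant the quotient-digit bound needs is that they are less than the divisor, so it should read `must be less than sdiv.` The proof sketch in the `n0 == d0` branch also has a typo, `sdiv < (n0 + 1) * b^(d_div - 1)`, which the next lines use as `b^(div_n - 1)`. Both are comment-only, but this is dense reasoning a future maintainer will rely on, so the names should match the code. The `err:` label that the `goto err` sites jump to is outside the hunk.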
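Review bot: `declassify_assert(carry + 1 <= 1)` in bn_reduce_once, and the identical line in bn_reduce_once_in_place, is much harder to read than the `carry == 0 || carry == (BN_ULONG)-1` it replaces, and nothing says why the form changed. The likely reason, which I can only infer, is that `||` short-circuits and so branches on the secret `carry` before the assertion declassifies it, whereas `carry + 1 <= 1` is a single branch-free expression (unsigned wrap makes `(BN_ULONG)-1 + 1 == 0`); the same pattern appears in the gcd_extra.c hunk where `BN_is_zero(u) || BN_is_zero(v)` became `BN_is_zero(u) | BN_is_zero(v)`. A one-line comment at the first site would save every reader that derivation: `// Branch-free form of |carry == 0 || carry == (BN_ULONG)-1| so the only branch on the secret carry is the declassified one.`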
@@ -504,7 +471,7 @@ int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, // |divisor_min_bits| bits, the top |divisor_min_bits - 1| can be incorporated // without reductions. This significantly speeds up |RSA_check_key|. For // simplicity, we round down to a whole number of words. - assert(divisor_min_bits <= BN_num_bits(divisor)); + declassify_assert(divisor_min_bits <= BN_num_bits(divisor)); int initial_words = 0; if (divisor_min_bits > 0) { initial_words = (divisor_min_bits - 1) / BN_BITS2; diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div_extra.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div_extra.c.inc similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div_extra.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div_extra.c.inc index d23a3ae97..2358003a9 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div_extra.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/div_extra.c.inc @@ -39,7 +39,7 @@ static uint16_t mod_u16(uint32_t n, uint16_t d, uint32_t p, uint32_t m) { // Multiply and subtract to get the remainder. n -= d * t; - assert(n < d); + declassify_assert(n < d); return n; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/exponentiation.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/exponentiation.c.inc similarity index 94% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/exponentiation.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/exponentiation.c.inc index eee185037..58a0dfa92 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/exponentiation.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/exponentiation.c.inc 
@@ -119,6 +119,50 @@ #include "internal.h" #include "rsaz_exp.h" +#if defined(OPENSSL_BN_ASM_MONT5) + +// bn_mul_mont_gather5 multiples loads index |power| of |table|, multiplies it +// by |ap| modulo |np|, and stores the result in |rp|. The values are |num| +// words long and represented in Montgomery form. |n0| is a pointer to the +// corresponding field in |BN_MONT_CTX|. |table| must be aligned to at least +// 16 bytes. |power| must be less than 32 and is treated as secret. +// +// WARNING: This function implements Almost Montgomery Multiplication from +// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced. +// However, even if they are fully reduced, the output may not be. +static void bn_mul_mont_gather5( + BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, const BN_ULONG *np, + const BN_ULONG *n0, int num, int power) { + if (bn_mulx4x_mont_gather5_capable(num)) { + bn_mulx4x_mont_gather5(rp, ap, table, np, n0, num, power); + } else if (bn_mul4x_mont_gather5_capable(num)) { + bn_mul4x_mont_gather5(rp, ap, table, np, n0, num, power); + } else { + bn_mul_mont_gather5_nohw(rp, ap, table, np, n0, num, power); + } +} + +// bn_power5 squares |ap| five times and multiplies it by the value stored at +// index |power| of |table|, modulo |np|. It stores the result in |rp|. The +// values are |num| words long and represented in Montgomery form. |n0| is a +// pointer to the corresponding field in |BN_MONT_CTX|. |num| must be divisible +// by 8. |power| must be less than 32 and is treated as secret. +// +// WARNING: This function implements Almost Montgomery Multiplication from +// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced. +// However, even if they are fully reduced, the output may not be. 
+static void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, + const BN_ULONG *np, const BN_ULONG *n0, int num, + int power) { + assert(bn_power5_capable(num)); + if (bn_powerx5_capable(num)) { + bn_powerx5(rp, ap, table, np, n0, num, power); + } else { + bn_power5_nohw(rp, ap, table, np, n0, num, power); + } +} + +#endif // defined(OPENSSL_BN_ASM_MONT5) int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { int i, bits, ret = 0; @@ -898,7 +942,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER); return 0; } - if (a->neg || BN_ucmp(a, m) >= 0) { + // |a| is secret, but it is required to be in range, so these comparisons may + // be leaked. + if (a->neg || constant_time_declassify_int(BN_ucmp(a, m) >= 0)) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; } @@ -1011,7 +1057,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, // Prepare a^1 in the Montgomery domain. assert(!a->neg); - assert(BN_ucmp(a, m) < 0); + declassify_assert(BN_ucmp(a, m) < 0); if (!BN_to_montgomery(&am, a, mont, ctx) || !bn_resize_words(&am, top)) { goto err; @@ -1077,7 +1123,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, // Scan the exponent one window at a time starting from the most // significant bits. - if (top & 7) { + if (!bn_power5_capable(top)) { while (bits >= 0) { for (wvalue = 0, i = 0; i < 5; i++, bits--) { wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd.c.inc similarity index 90% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd.c.inc index 98878163f..dca76e13c 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd.c.inc 
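Review bot: The comment moved onto the new static `bn_mul_mont_gather5` still reads `multiples loads index |power| of |table|`, which is not a sentence; `loads index |power| of |table|, multiplies it by |ap| modulo |np|, ...` is what the following words describe. The 16-byte alignment of `table` is a documented precondition that none of the three dispatch branches check, and since the pointer value is not secret a debug `assert(((uintptr_t)table & 15) == 0);` at the top of the function is cheap (with `<stdint.h>` in scope). `bn_power5` does assert its documented `num` requirement via `bn_power5_capable(num)`, so the two wrappers would then be consistent about checking their preconditions.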
@@ -327,7 +327,10 @@ int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX *ctx) { *out_no_inverse = 0; - if (BN_is_negative(a) || BN_cmp(a, &mont->N) >= 0) { + // |a| is secret, but it is required to be in range, so these comparisons may + // be leaked. + if (BN_is_negative(a) || + constant_time_declassify_int(BN_cmp(a, &mont->N) >= 0)) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; } @@ -336,11 +339,29 @@ int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, BIGNUM blinding_factor; BN_init(&blinding_factor); - if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N) || - !BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx) || - !BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) || + // |BN_mod_inverse_odd| is leaky, so generate a secret blinding factor and + // blind |a|. This works because (ar)^-1 * r = a^-1, supposing r is + // invertible. If r is not invertible, this function will fail. However, we + // only use this in RSA, where stumbling on an uninvertible element means + // stumbling on the key's factorization. That is, if this function fails, the + // RSA key was not actually a product of two large primes. + // + // TODO(crbug.com/boringssl/677): When the PRNG output is marked secret by + // default, the explicit |bn_secret| call can be removed. + if (!BN_rand_range_ex(&blinding_factor, 1, &mont->N)) { + goto err; + } + bn_secret(&blinding_factor); + if (!BN_mod_mul_montgomery(out, &blinding_factor, a, mont, ctx)) { + goto err; + } + + // Once blinded, |out| is no longer secret, so it may be passed to a leaky + // mod inverse function. Note |blinding_factor| is secret, so |out| will be + // secret again after multiplying. + bn_declassify(out); + if (!BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) || !BN_mod_mul_montgomery(out, &blinding_factor, out, mont, ctx)) { - OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB); goto err; } 
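Review bot: The failure path no longer pushes `ERR_R_BN_LIB`, so a caller inspecting the error queue now sees only what `BN_rand_range_ex`, `BN_mod_mul_montgomery` or `BN_mod_inverse_odd` pushed themselves; if that is intentional it is a small behaviour change worth a line in the commit description. Note also that `*out_no_inverse` is set by `BN_mod_inverse_odd` for the blinded value in `out` (a times the blinding factor), not for `a` itself, so an uninvertible blinding factor reports "no inverse" for an `a` that may well have one; the new comment explains why that is acceptable for RSA, and a short remark at the `*out_no_inverse = 0;` line that the flag describes the blinded value would spare the next reader the derivation. The `err:` cleanup, where the secret `blinding_factor` must be released on every path, is outside the hunk.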
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd_extra.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd_extra.c.inc similarity index 96% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd_extra.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd_extra.c.inc index 80219a82f..3f10001b4 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd_extra.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/gcd_extra.c.inc @@ -93,7 +93,7 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x, // At least one of |u| and |v| is now even. BN_ULONG u_is_odd = word_is_odd_mask(u->d[0]); BN_ULONG v_is_odd = word_is_odd_mask(v->d[0]); - assert(!(u_is_odd & v_is_odd)); + declassify_assert(!(u_is_odd & v_is_odd)); // If both are even, the final GCD gains a factor of two. shift += 1 & (~u_is_odd & ~v_is_odd); @@ -106,7 +106,7 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x, // One of |u| or |v| is zero at this point. The algorithm usually makes |u| // zero, unless |y| was already zero on input. Fix this by combining the // values. - assert(BN_is_zero(u) || BN_is_zero(v)); + declassify_assert(BN_is_zero(u) | BN_is_zero(v)); for (size_t i = 0; i < width; i++) { v->d[i] |= u->d[i]; } @@ -289,7 +289,7 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a, // and |v| is now even. BN_ULONG u_is_even = ~word_is_odd_mask(u->d[0]); BN_ULONG v_is_even = ~word_is_odd_mask(v->d[0]); - assert(u_is_even != v_is_even); + declassify_assert(u_is_even != v_is_even); // Halve the even one and adjust the corresponding coefficient. maybe_rshift1_words(u->d, u_is_even, tmp->d, n_width); 
@@ -313,8 +313,11 @@ int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a, maybe_rshift1_words_carry(D->d, D_carry, v_is_even, tmp->d, a_width); } - assert(BN_is_zero(v)); - if (!BN_is_one(u)) { + declassify_assert(BN_is_zero(v)); + // While the inputs and output are secret, this function considers whether the + // input was invertible to be public. It is used as part of RSA key + // generation, where inputs are chosen to already be invertible. + if (constant_time_declassify_int(!BN_is_one(u))) { *out_no_inverse = 1; OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE); goto err; diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/generic.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/generic.c.inc similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/generic.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/generic.c.inc index 214516129..27790939e 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/generic.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/generic.c.inc 
@@ -567,37 +567,6 @@ void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]) { #if !defined(BN_ADD_ASM) -// bn_add_with_carry returns |x + y + carry|, and sets |*out_carry| to the -// carry bit. |carry| must be zero or one. -static inline BN_ULONG bn_add_with_carry(BN_ULONG x, BN_ULONG y, BN_ULONG carry, - BN_ULONG *out_carry) { - assert(carry == 0 || carry == 1); -#if defined(BN_ULLONG) - BN_ULLONG ret = carry; - ret += (BN_ULLONG)x + y; - *out_carry = (BN_ULONG)(ret >> BN_BITS2); - return (BN_ULONG)ret; -#else - x += carry; - carry = x < carry; - BN_ULONG ret = x + y; - carry += ret < x; - *out_carry = carry; - return ret; -#endif -} - -// bn_sub_with_borrow returns |x - y - borrow|, and sets |*out_borrow| to the -// borrow bit. |borrow| must be zero or one. -static inline BN_ULONG bn_sub_with_borrow(BN_ULONG x, BN_ULONG y, - BN_ULONG borrow, - BN_ULONG *out_borrow) { - assert(borrow == 0 || borrow == 1); - BN_ULONG ret = x - y - borrow; - *out_borrow = (x < y) | ((x == y) & borrow); - return ret; -} - BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, size_t n) { if (n == 0) { @@ -606,17 +575,17 @@ BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG carry = 0; while (n & ~3) { - r[0] = bn_add_with_carry(a[0], b[0], carry, &carry); - r[1] = bn_add_with_carry(a[1], b[1], carry, &carry); - r[2] = bn_add_with_carry(a[2], b[2], carry, &carry); - r[3] = bn_add_with_carry(a[3], b[3], carry, &carry); + r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry); + r[1] = CRYPTO_addc_w(a[1], b[1], carry, &carry); + r[2] = CRYPTO_addc_w(a[2], b[2], carry, &carry); + r[3] = CRYPTO_addc_w(a[3], b[3], carry, &carry); a += 4; b += 4; r += 4; n -= 4; } while (n) { - r[0] = bn_add_with_carry(a[0], b[0], carry, &carry); + r[0] = CRYPTO_addc_w(a[0], b[0], carry, &carry); a++; b++; r++; 
@@ -633,17 +602,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, BN_ULONG borrow = 0; while (n & ~3) { - r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow); - r[1] = bn_sub_with_borrow(a[1], b[1], borrow, &borrow); - r[2] = bn_sub_with_borrow(a[2], b[2], borrow, &borrow); - r[3] = bn_sub_with_borrow(a[3], b[3], borrow, &borrow); + r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow); + r[1] = CRYPTO_subc_w(a[1], b[1], borrow, &borrow); + r[2] = CRYPTO_subc_w(a[2], b[2], borrow, &borrow); + r[3] = CRYPTO_subc_w(a[3], b[3], borrow, &borrow); a += 4; b += 4; r += 4; n -= 4; } while (n) { - r[0] = bn_sub_with_borrow(a[0], b[0], borrow, &borrow); + r[0] = CRYPTO_subc_w(a[0], b[0], borrow, &borrow); a++; b++; r++; diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/internal.h index 526aaf716..d6e18946a 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/internal.h @@ -149,6 +149,7 @@ extern "C" { #endif #define BN_BITS2 64 +#define BN_BITS2_LG 6 #define BN_BYTES 8 #define BN_BITS4 32 #define BN_MASK2 (0xffffffffffffffffUL) @@ -165,6 +166,7 @@ extern "C" { #define BN_ULLONG uint64_t #define BN_CAN_DIVIDE_ULLONG #define BN_BITS2 32 +#define BN_BITS2_LG 5 #define BN_BYTES 4 #define BN_BITS4 16 #define BN_MASK2 (0xffffffffUL) 
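Review bot: `BN_BITS2_LG` is defined beside `BN_BITS2` in both word-size branches, but nothing ties the two values together, and the new squaring loop in bn_mont_ctx_set_RR_consttime (the montgomery_inv.c hunk) is only correct if `1 << BN_BITS2_LG == BN_BITS2`. A compile-time check after the definitions, e.g. `_Static_assert((1 << BN_BITS2_LG) == BN_BITS2, "BN_BITS2_LG must be log2(BN_BITS2)");` (or the project's own static-assert macro), would catch a future edit to one macro without the other. A short comment at the definition, such as `// log2(BN_BITS2); used to count Montgomery squarings when computing RR.`, would make the purpose visible where the value is set.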
@@ -269,6 +271,18 @@ int bn_copy_words(BN_ULONG *out, size_t num, const BIGNUM *bn); // validation. void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num); +// bn_secret marks |bn|'s contents, but not its width or sign, as secret. See +// |CONSTTIME_SECRET| for details. +OPENSSL_INLINE void bn_secret(BIGNUM *bn) { + CONSTTIME_SECRET(bn->d, bn->width * sizeof(BN_ULONG)); +} + +// bn_declassify marks |bn|'s value as public. See |CONSTTIME_DECLASSIFY| for +// details. +OPENSSL_INLINE void bn_declassify(BIGNUM *bn) { + CONSTTIME_DECLASSIFY(bn->d, bn->width * sizeof(BN_ULONG)); +} + // bn_mul_add_words multiples |ap| by |w|, adds the result to |rp|, and places // the result in |rp|. |ap| and |rp| must both be |num| words long. It returns // the carry word of the operation. |ap| and |rp| may be equal but otherwise may 
@@ -386,23 +400,64 @@ int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive, // inputs. int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, size_t num); + +#if defined(OPENSSL_X86_64) +OPENSSL_INLINE int bn_mulx_adx_capable(void) { + // MULX is in BMI2. + return CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable(); +} +int bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +OPENSSL_INLINE int bn_mul4x_mont_capable(size_t num) { + return num >= 8 && (num & 3) == 0; +} +int bn_mul4x_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +OPENSSL_INLINE int bn_mulx4x_mont_capable(size_t num) { + return bn_mul4x_mont_capable(num) && bn_mulx_adx_capable(); +} +int bn_mulx4x_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +OPENSSL_INLINE int bn_sqr8x_mont_capable(size_t num) { + return num >= 8 && (num & 7) == 0; +} +int bn_sqr8x_mont(BN_ULONG *rp, const BN_ULONG *ap, BN_ULONG mulx_adx_capable, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +#elif defined(OPENSSL_ARM) +OPENSSL_INLINE int bn_mul8x_mont_neon_capable(size_t num) { + return (num & 7) == 0 && CRYPTO_is_NEON_capable(); +} +int bn_mul8x_mont_neon(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); +int bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num); #endif +#endif // OPENSSL_BN_ASM_MONT + #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) #define OPENSSL_BN_ASM_MONT5 -// bn_mul_mont_gather5 multiples loads index |power| of |table|, multiplies it -// by |ap| modulo |np|, and stores the result in |rp|. The values are |num| -// words long and represented in Montgomery form. 
|n0| is a pointer to the -// corresponding field in |BN_MONT_CTX|. |table| must be aligned to at least -// 16 bytes. |power| must be less than 32 and is treated as secret. -// -// WARNING: This function implements Almost Montgomery Multiplication from -// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced. -// However, even if they are fully reduced, the output may not be. -void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, - const BN_ULONG *table, const BN_ULONG *np, - const BN_ULONG *n0, int num, int power); +// The following functions implement |bn_mul_mont_gather5|. See +// |bn_mul_mont_gather5| for details. +OPENSSL_INLINE int bn_mul4x_mont_gather5_capable(int num) { + return (num & 7) == 0; +} +void bn_mul4x_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *table, const BN_ULONG *np, + const BN_ULONG *n0, int num, int power); + +OPENSSL_INLINE int bn_mulx4x_mont_gather5_capable(int num) { + return bn_mul4x_mont_gather5_capable(num) && CRYPTO_is_ADX_capable() && + CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable(); +} +void bn_mulx4x_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *table, const BN_ULONG *np, + const BN_ULONG *n0, int num, int power); + +void bn_mul_mont_gather5_nohw(BN_ULONG *rp, const BN_ULONG *ap, + const BN_ULONG *table, const BN_ULONG *np, + const BN_ULONG *n0, int num, int power); // bn_scatter5 stores |inp| to index |power| of |table|. |inp| and each entry of // |table| are |num| words long. |power| must be less than 32 and is treated as 
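Review bot: `bn_mul4x_mont_gather5_capable` (and `bn_power5_capable` in the following hunk) accept `num == 0` and, because `num` is `int`, any negative multiple of 8, whereas `bn_mul4x_mont_capable` and `bn_sqr8x_mont_capable` in this same hunk require `num >= 8` on a `size_t`. If the gather5/power5 callers already guarantee a positive `num`, a comment saying so is enough; otherwise `return num >= 8 && (num & 7) == 0;` would align the predicates. Separately, `bn_mulx4x_mont_gather5_capable` requires BMI1 on top of BMI2 and ADX while `bn_mulx_adx_capable` checks only BMI2 and ADX; if the gather5 MULX kernel really uses a BMI1 instruction that is fine, but a comment naming the reason would stop a reader from "fixing" one to match the other.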
@@ -416,17 +471,19 @@ void bn_scatter5(const BN_ULONG *inp, size_t num, BN_ULONG *table, // is treated as secret. |table| must be aligned to at least 16 bytes. void bn_gather5(BN_ULONG *out, size_t num, const BN_ULONG *table, size_t power); -// bn_power5 squares |ap| five times and multiplies it by the value stored at -// index |power| of |table|, modulo |np|. It stores the result in |rp|. The -// values are |num| words long and represented in Montgomery form. |n0| is a -// pointer to the corresponding field in |BN_MONT_CTX|. |num| must be divisible -// by 8. |power| must be less than 32 and is treated as secret. -// -// WARNING: This function implements Almost Montgomery Multiplication from -// https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced. -// However, even if they are fully reduced, the output may not be. -void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, - const BN_ULONG *np, const BN_ULONG *n0, int num, int power); +// The following functions implement |bn_power5|. See |bn_power5| for details. +void bn_power5_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, + const BN_ULONG *np, const BN_ULONG *n0, int num, int power); + +OPENSSL_INLINE int bn_power5_capable(int num) { return (num & 7) == 0; } + +OPENSSL_INLINE int bn_powerx5_capable(int num) { + return bn_power5_capable(num) && CRYPTO_is_ADX_capable() && + CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable(); +} +void bn_powerx5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, + const BN_ULONG *np, const BN_ULONG *n0, int num, int power); + #endif // !OPENSSL_NO_ASM && OPENSSL_X86_64 uint64_t bn_mont_n0(const BIGNUM *n); 
@@ -754,8 +811,8 @@ void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, // bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian, // unsigned integer and writes the result to |out_len| words in |out|. |out_len| -// must be large enough to represent any |in_len|-byte value. That is, |out_len| -// must be at least |BN_BYTES * in_len|. +// must be large enough to represent any |in_len|-byte value. That is, |in_len| +// must be at most |BN_BYTES * out_len|. void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len); diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/jacobi.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/jacobi.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/jacobi.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/jacobi.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery.c.inc similarity index 94% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery.c.inc index 4a15b7acc..135b351d9 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery.c.inc 
@@ -504,3 +504,29 @@ void bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a, } OPENSSL_cleanse(tmp, 2 * num * sizeof(BN_ULONG)); } + +#if defined(OPENSSL_BN_ASM_MONT) && defined(OPENSSL_X86_64) +int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num) { + if (ap == bp && bn_sqr8x_mont_capable(num)) { + return bn_sqr8x_mont(rp, ap, bn_mulx_adx_capable(), np, n0, num); + } + if (bn_mulx4x_mont_capable(num)) { + return bn_mulx4x_mont(rp, ap, bp, np, n0, num); + } + if (bn_mul4x_mont_capable(num)) { + return bn_mul4x_mont(rp, ap, bp, np, n0, num); + } + return bn_mul_mont_nohw(rp, ap, bp, np, n0, num); +} +#endif + +#if defined(OPENSSL_BN_ASM_MONT) && defined(OPENSSL_ARM) +int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, const BN_ULONG *n0, size_t num) { + if (bn_mul8x_mont_neon_capable(num)) { + return bn_mul8x_mont_neon(rp, ap, bp, np, n0, num); + } + return bn_mul_mont_nohw(rp, ap, bp, np, n0, num); +} +#endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c.inc similarity index 82% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c.inc index 620dca546..16423edc2 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/montgomery_inv.c.inc @@ -153,7 +153,7 @@ static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) { // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha. #if BN_BITS2 == 64 && defined(BN_ULLONG) - assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta)); + declassify_assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta)); #endif return v; 
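Review bot: The x86-64 `bn_mul_mont` selects the `bn_sqr8x_mont` path by pointer identity (`ap == bp`), so two distinct buffers holding the same value take the general multiply path; that is correct but worth stating, e.g. `// Squaring is detected by pointer identity only; pass the same pointer for |ap| and |bp| to use the sqr8x kernel.` The `int` each wrapper forwards from the assembly kernels is not described in this hunk, and the `bn_mul_mont` comment in internal.h is cut off above this chunk, so I cannot tell from here whether callers are expected to check it; the wrapper's comment should say what a zero return means. The ARM variant has the same shape and would benefit from the same note.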
@@ -179,42 +179,43 @@ int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx) {
 // Montgomery domain, 2R or 2^(lgBigR+1), and then use Montgomery
 // square-and-multiply to exponentiate.
 //
- // The multiply steps take 2^n R to 2^(n+1) R. It is faster to double
- // the value instead. The square steps take 2^n R to 2^(2n) R. This is
- // equivalent to doubling n times. When n is below some threshold, doubling is
- // faster. When above, squaring is faster.
+ // The square steps take 2^n R to (2^n)*(2^n) R = 2^2n R. This is the same as
+ // doubling 2^n R, n times (doubling any x, n times, computes 2^n * x). When n
+ // is below some threshold, doubling is faster; when above, squaring is
+ // faster. From benchmarking various 32-bit and 64-bit architectures, the word
+ // count seems to work well as a threshold. (Doubling scales linearly and
+ // Montgomery reduction scales quadratically, so the threshold should scale
+ // roughly linearly.)
 //
- // We double to this threshold, then switch to Montgomery squaring. From
- // benchmarking various 32-bit and 64-bit architectures, the word count seems
- // to work well as a threshold. (Doubling scales linearly and Montgomery
- // reduction scales quadratically, so the threshold should scale roughly
- // linearly.)
- unsigned threshold = mont->N.width;
- unsigned iters;
- for (iters = 0; iters < sizeof(lgBigR) * 8; iters++) {
- if ((lgBigR >> iters) <= threshold) {
- break;
- }
- }
-
- // Compute 2^(lgBigR >> iters) R, or 2^((lgBigR >> iters) + lgBigR), by
- // doubling. The first n_bits - 1 doubles can be skipped because we don't need
- // to reduce.
+ // The multiply steps take 2^n R to 2*2^n R = 2^(n+1) R. It is faster to
+ // double the value instead, so the square-and-multiply exponentiation would
+ // become square-and-double.
However, when using the word count as the
+ // threshold, it turns out that no multiply/double steps will be needed at
+ // all, because squaring any x, i times, computes x^(2^i):
+ //
+ // (2^threshold)^(2^BN_BITS2_LG) R
+ // (2^mont->N.width)^BN_BITS2 R
+ // = 2^(mont->N.width*BN_BITS2) R
+ // = 2^lgBigR R
+ // = RR
+ int threshold = mont->N.width;
+
+ // Calculate 2^threshold R = 2^(threshold + lgBigR) by doubling. The
+ // first n_bits - 1 doubles can be skipped because we don't need to reduce.
 if (!BN_set_bit(&mont->RR, n_bits - 1) ||
 !bn_mod_lshift_consttime(&mont->RR, &mont->RR,
- (lgBigR >> iters) + lgBigR - (n_bits - 1),
+ threshold + (lgBigR - (n_bits - 1)),
 &mont->N, ctx)) {
 return 0;
 }
 
- for (unsigned i = iters - 1; i < iters; i--) {
+ // The above steps are the same regardless of the threshold. The steps below
+ // need to be modified if the threshold changes.
+ assert(threshold == mont->N.width);
+ for (unsigned i = 0; i < BN_BITS2_LG; i++) {
 if (!BN_mod_mul_montgomery(&mont->RR, &mont->RR, &mont->RR, mont, ctx)) {
 return 0;
 }
- if ((lgBigR & (1u << i)) != 0 &&
- !bn_mod_lshift1_consttime(&mont->RR, &mont->RR, &mont->N, ctx)) {
- return 0;
- }
 }
 
 return bn_resize_words(&mont->RR, mont->N.width);
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/mul.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/mul.c.inc
similarity index 99%
rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/mul.c
rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/mul.c.inc
index 4896c464b..28aa3e79c 100644
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/mul.c
+++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/mul.c.inc
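Review bot: The derivation in the new comment (`(2^threshold)^(2^BN_BITS2_LG) R … = 2^lgBigR R`) and the loop bound `i < BN_BITS2_LG` both depend on `BN_BITS2 == 1 << BN_BITS2_LG`, yet nothing in the hunk pins that identity, while the runtime `assert(threshold == mont->N.width)` compares a variable to the field it was just initialised from and is, on the visible lines, a tautology. A compile-time check beside the loop would guard the invariant the comment actually relies on, e.g. `static_assert(BN_BITS2 == (1u << BN_BITS2_LG), "BN_BITS2_LG must be log2(BN_BITS2)");` in whichever static-assert spelling this file already uses. The comment above the assert could also say plainly that it is a tripwire for future edits to the threshold rather than a runtime check. `threshold` is declared `int` but is added to `lgBigR` in the `bn_mod_lshift_consttime` argument; if `lgBigR` is unsigned, declaring `threshold` `unsigned` like the loop index would avoid the mixed-sign arithmetic. bn_mont_ctx_set_RR_consttime starts and ends outside the hunk.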
@@ -143,17 +143,13 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a,
 // in |a| were zeros.
 dl = -dl;
 for (int i = 0; i < dl; i++) {
- r[i] = 0u - b[i] - borrow;
- borrow |= r[i] != 0;
+ r[i] = CRYPTO_subc_w(0, b[i], borrow, &borrow);
 }
 } else {
 // |b| is shorter than |a|. Complete the subtraction as if the excess words
 // in |b| were zeros.
 for (int i = 0; i < dl; i++) {
- // |r| and |a| may alias, so use a temporary.
- BN_ULONG tmp = a[i];
- r[i] = a[i] - borrow;
- borrow = tmp < r[i];
+ r[i] = CRYPTO_subc_w(a[i], 0, borrow, &borrow);
 }
 }
 
@@ -296,7 +292,7 @@ static void bn_mul_recursive(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
 }
 
 // The product should fit without carries.
- assert(c == 0);
+ declassify_assert(c == 0);
 }
 
 // bn_mul_part_recursive sets |r| to |a| * |b|, using |t| as scratch space. |r|
@@ -410,7 +406,7 @@ static void bn_mul_part_recursive(BN_ULONG *r, const BN_ULONG *a,
 }
 
 // The product should fit without carries.
- assert(c == 0);
+ declassify_assert(c == 0);
 }
 
 // bn_mul_impl implements |BN_mul| and |bn_mul_consttime|. Note this function
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/prime.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/prime.c.inc
similarity index 97%
rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/prime.c
rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/prime.c.inc
index 1c763f59a..411c6bc68 100644
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/prime.c
+++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/prime.c.inc
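Review bot: The first hunk drops the `// |r| and |a| may alias, so use a temporary.` comment together with the temporary, but the aliasing hazard is still present and is now handled only implicitly: `r[i] = CRYPTO_subc_w(a[i], 0, borrow, &borrow);` reads `a[i]` as an argument before the call returns and `r[i]` is stored, so it stays correct when `r == a`. That guarantee should survive as a one-line comment above the loop, e.g. `// |r| and |a| may alias; |a[i]| is read before |r[i]| is written.`, otherwise the next refactor into a read-modify-write form reintroduces the bug silently. bn_sub_part_words begins before the hunk. The two `assert` → `declassify_assert` hunks that share this line are mechanical and need nothing.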
@@ -487,7 +487,10 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add,
 static int bn_trial_division(uint16_t *out, const BIGNUM *bn) {
 const size_t num_primes = num_trial_division_primes(bn);
 for (size_t i = 1; i < num_primes; i++) {
- if (bn_mod_u16_consttime(bn, kPrimes[i]) == 0) {
+ // During RSA key generation, |bn| may be secret, but only if |bn| was
+ // prime, so it is safe to leak failed trial divisions.
+ if (constant_time_declassify_int(bn_mod_u16_consttime(bn, kPrimes[i]) ==
+ 0)) {
 *out = kPrimes[i];
 return 1;
 }
@@ -573,7 +576,8 @@ int bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,
 // To avoid leaking |a|, we run the loop to |w_bits| and mask off all
 // iterations once |j| = |a|.
 for (int j = 1; j < miller_rabin->w_bits; j++) {
- if (constant_time_eq_int(j, miller_rabin->a) & ~is_possibly_prime) {
+ if (constant_time_declassify_w(constant_time_eq_int(j, miller_rabin->a) &
+ ~is_possibly_prime)) {
 // If the loop is done and we haven't seen z = 1 or z = w-1 yet, the
 // value is composite and we can break in variable time.
 break;
@@ -593,12 +597,14 @@ int bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin,
 // Step 4.5.3. If z = 1 and the loop is not done, the previous value of z
 // was not -1. There are no non-trivial square roots of 1 modulo a prime, so
 // w is composite and we may exit in variable time.
- if (BN_equal_consttime(z, miller_rabin->one_mont) & ~is_possibly_prime) {
+ if (constant_time_declassify_w(
+ BN_equal_consttime(z, miller_rabin->one_mont) &
+ ~is_possibly_prime)) {
 break;
 }
 }
 
- *out_is_possibly_prime = is_possibly_prime & 1;
+ *out_is_possibly_prime = constant_time_declassify_w(is_possibly_prime) & 1;
 ret = 1;
 
 err:
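Review bot: The new comment in `bn_trial_division` justifies declassifying the division result with "it is safe to leak failed trial divisions", but that only holds when each rejected candidate is drawn independently of the one finally accepted; with a caller that walks candidates sequentially (p, p+2, …) the leaked small-prime residues of rejected neighbours would carry information about the accepted prime. The hunk does not show how callers generate candidates, so this is a contract on the callers rather than a property of the function, and the comment should say so, e.g. `// Callers must draw each candidate independently; with an incremental search the leaked residues would not be independent of the accepted prime.` bn_trial_division ends outside the hunk. The two Miller–Rabin hunks on this line declassify loop-exit conditions whose existing comments ("we can break in variable time") already explain the reasoning, so nothing further is needed there.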
@@ -736,8 +742,9 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks,
 crypto_word_t uniform_iterations = 0;
 // Using |constant_time_lt_w| seems to prevent the compiler from optimizing
 // this into two jumps.
- for (int i = 1; (i <= BN_PRIME_CHECKS_BLINDED) |
- constant_time_lt_w(uniform_iterations, checks);
+ for (int i = 1; constant_time_declassify_w(
+ (i <= BN_PRIME_CHECKS_BLINDED) |
+ constant_time_lt_w(uniform_iterations, checks));
 i++) {
 // Step 4.1-4.2
 int is_uniform;
@@ -766,7 +773,7 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks,
 }
 }
 
- assert(uniform_iterations >= (crypto_word_t)checks);
+ declassify_assert(uniform_iterations >= (crypto_word_t)checks);
 *out_is_probably_prime = 1;
 ret = 1;
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/random.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/random.c.inc
similarity index 93%
rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/random.c
rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/random.c.inc
index ea03c8a5c..53956e7b0 100644
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/random.c
+++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/random.c.inc
@@ -113,10 +113,9 @@
 #include
 #include
-#include
 
 #include "../../internal.h"
-#include "../rand/internal.h"
+#include "../bcm_interface.h"
 #include "../service_indicator/internal.h"
 #include "internal.h"
@@ -157,7 +156,7 @@ int BN_rand(BIGNUM *rnd, int bits, int top, int bottom) {
 }
 
 FIPS_service_indicator_lock_state();
- RAND_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));
+ BCM_rand_bytes((uint8_t *)rnd->d, words * sizeof(BN_ULONG));
 FIPS_service_indicator_unlock_state();
 rnd->d[words - 1] &= mask;
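Review bot: The loop condition in `BN_primality_test` now wraps the continuation test in `constant_time_declassify_w`, but unlike the other declassification sites in this patch (the retry loop in bn_rand_range_words gains a six-line justification) it adds no explanation of why the iteration count may be public, and the surviving comment above it ("Using |constant_time_lt_w| seems to prevent the compiler from optimizing this into two jumps") now reads as stale since the branch is explicitly declassified. A short comment stating what the loop count reveals and why that is acceptable would keep the audit trail consistent; I have not proposed wording because the hunk does not show how `uniform_iterations` is updated. The random.c hunks on this line (`BCM_rand_bytes` substitution and the include change) are mechanical.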
@@ -225,8 +224,7 @@ static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask,
 while (words > 0 && max_exclusive[words - 1] == 0) {
 words--;
 }
- if (words == 0 ||
- (words == 1 && max_exclusive[0] <= min_inclusive)) {
+ if (words == 0 || (words == 1 && max_exclusive[0] <= min_inclusive)) {
 OPENSSL_PUT_ERROR(BN, BN_R_INVALID_RANGE);
 return 0;
 }
@@ -275,14 +273,20 @@ int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive,
 // Steps 4 and 5. Use |words| and |mask| together to obtain a string of N
 // bits, where N is the bit length of |max_exclusive|.
 FIPS_service_indicator_lock_state();
- RAND_bytes_with_additional_data((uint8_t *)out, words * sizeof(BN_ULONG),
- additional_data);
+ BCM_rand_bytes_with_additional_data(
+ (uint8_t *)out, words * sizeof(BN_ULONG), additional_data);
 FIPS_service_indicator_unlock_state();
 out[words - 1] &= mask;
 
 // If out >= max_exclusive or out < min_inclusive, retry. This implements
- // the equivalent of steps 6 and 7 without leaking the value of |out|.
- } while (!bn_in_range_words(out, min_inclusive, max_exclusive, words));
+ // the equivalent of steps 6 and 7 without leaking the value of |out|. The
+ // result of this comparison may be treated as public. It only reveals how
+ // many attempts were needed before we found a value in range. This is
+ // independent of the final secret output, and has a distribution that
+ // depends only on |min_inclusive| and |max_exclusive|, both of which are
+ // public.
+ } while (!constant_time_declassify_int(
+ bn_in_range_words(out, min_inclusive, max_exclusive, words)));
 
 return 1;
 }
@@ -320,7 +324,7 @@ int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
 // Select a uniform random number with num_bits(max_exclusive) bits.
 FIPS_service_indicator_lock_state();
- RAND_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));
+ BCM_rand_bytes((uint8_t *)r->d, words * sizeof(BN_ULONG));
 FIPS_service_indicator_unlock_state();
 r->d[words - 1] &= mask;
@@ -333,7 +337,8 @@ int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive,
 // If the value is not in range, force it to be in range.
 r->d[0] |= constant_time_select_w(in_range, 0, min_inclusive);
 r->d[words - 1] &= constant_time_select_w(in_range, BN_MASK2, mask >> 1);
- assert(bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
+ declassify_assert(
+ bn_in_range_words(r->d, min_inclusive, max_exclusive->d, words));
 
 r->neg = 0;
 r->width = (int)words;
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c.inc
similarity index 100%
rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c
rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/rsaz_exp.c.inc
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/shift.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/shift.c.inc
similarity index 100%
rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/shift.c
rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/shift.c.inc
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/sqrt.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/sqrt.c.inc
similarity index 99%
rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn/sqrt.c
rename to Sources/CNIOBoringSSL/crypto/fipsmodule/bn/sqrt.c.inc
index f9ebade20..882e6700a 100644
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/sqrt.c
+++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/bn/sqrt.c.inc
@@ -236,7 +236,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) {
 goto end;
 }
 if (BN_ucmp(y, p) >= 0) {
- if (!(p->neg ? BN_add : BN_sub)(y, y, p)) {
+ if (BN_usub(y, y, p)) {
 goto end;
 }
 }
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S
deleted file mode 100644
index d7da1c953..000000000
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S
+++ /dev/null
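Review bot: The new line in BN_mod_sqrt, `if (BN_usub(y, y, p)) {` followed by `goto end;`, has lost the `!` that the replaced `if (!(p->neg ? BN_add : BN_sub)(y, y, p))` carried, so on the visible text the function jumps to `end` when the subtraction succeeds and continues when it fails. Unless `BN_usub` in this tree signals failure with a non-zero return — the opposite of the convention the old line relied on — this inverts the error handling and would fail every draw with y >= p; the intended line is presumably `if (!BN_usub(y, y, p)) {`. Please check against upstream, as a dropped character in the rendering of this page cannot be ruled out. Replacing the `p->neg` branch with an unsigned subtraction also silently changes behaviour for negative `p`, so the function's contract should state that `p` must be positive if it does not already. BN_mod_sqrt begins and ends outside the hunk.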
@@ -1,1534 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -@ Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. -@ -@ Licensed under the OpenSSL license (the "License"). You may not use -@ this file except in compliance with the License. You can obtain a copy -@ in the file LICENSE in the source distribution or at -@ https://www.openssl.org/source/license.html - - -@ ==================================================================== -@ Written by Andy Polyakov for the OpenSSL -@ project. The module is, however, dual licensed under OpenSSL and -@ CRYPTOGAMS licenses depending on where you obtain it. For further -@ details see http://www.openssl.org/~appro/cryptogams/. -@ -@ Specific modes and adaptation for Linux kernel by Ard Biesheuvel -@ of Linaro. Permission to use under GPL terms is granted. -@ ==================================================================== - -@ Bit-sliced AES for ARM NEON -@ -@ February 2012. -@ -@ This implementation is direct adaptation of bsaes-x86_64 module for -@ ARM NEON. Except that this module is endian-neutral [in sense that -@ it can be compiled for either endianness] by courtesy of vld1.8's -@ neutrality. Initial version doesn't implement interface to OpenSSL, -@ only low-level primitives and unsupported entry points, just enough -@ to collect performance results, which for Cortex-A8 core are: -@ -@ encrypt 19.5 cycles per byte processed with 128-bit key -@ decrypt 22.1 cycles per byte processed with 128-bit key -@ key conv. 440 cycles per 128-bit key/0.18 of 8x block -@ -@ Snapdragon S4 encrypts byte in 17.6 cycles and decrypts in 19.7, -@ which is [much] worse than anticipated (for further details see -@ http://www.openssl.org/~appro/Snapdragon-S4.html). 
-@ -@ Cortex-A15 manages in 14.2/16.1 cycles [when integer-only code -@ manages in 20.0 cycles]. -@ -@ When comparing to x86_64 results keep in mind that NEON unit is -@ [mostly] single-issue and thus can't [fully] benefit from -@ instruction-level parallelism. And when comparing to aes-armv4 -@ results keep in mind key schedule conversion overhead (see -@ bsaes-x86_64.pl for further details)... -@ -@ - -@ April-August 2013 -@ Add CBC, CTR and XTS subroutines and adapt for kernel use; courtesy of Ard. - -#ifndef __KERNEL__ -# include - -# define VFP_ABI_PUSH vstmdb sp!,{d8-d15} -# define VFP_ABI_POP vldmia sp!,{d8-d15} -# define VFP_ABI_FRAME 0x40 -#else -# define VFP_ABI_PUSH -# define VFP_ABI_POP -# define VFP_ABI_FRAME 0 -# define BSAES_ASM_EXTENDED_KEY -# define XTS_CHAIN_TWEAK -# define __ARM_MAX_ARCH__ 7 -#endif - -#ifdef __thumb__ -# define adrl adr -#endif - -#if __ARM_MAX_ARCH__>=7 - - - -.text -.syntax unified @ ARMv7-capable assembler is expected to handle this -#if defined(__thumb2__) && !defined(__APPLE__) -.thumb -#else -.code 32 -# undef __thumb2__ -#endif - -#ifdef __thumb2__ -.thumb_func _bsaes_decrypt8 -#endif -.align 4 -_bsaes_decrypt8: - adr r6,. 
- vldmia r4!, {q9} @ round 0 key -#if defined(__thumb2__) || defined(__APPLE__) - adr r6,LM0ISR -#else - add r6,r6,#LM0ISR-_bsaes_decrypt8 -#endif - - vldmia r6!, {q8} @ LM0ISR - veor q10, q0, q9 @ xor with round0 key - veor q11, q1, q9 - vtbl.8 d0, {q10}, d16 - vtbl.8 d1, {q10}, d17 - veor q12, q2, q9 - vtbl.8 d2, {q11}, d16 - vtbl.8 d3, {q11}, d17 - veor q13, q3, q9 - vtbl.8 d4, {q12}, d16 - vtbl.8 d5, {q12}, d17 - veor q14, q4, q9 - vtbl.8 d6, {q13}, d16 - vtbl.8 d7, {q13}, d17 - veor q15, q5, q9 - vtbl.8 d8, {q14}, d16 - vtbl.8 d9, {q14}, d17 - veor q10, q6, q9 - vtbl.8 d10, {q15}, d16 - vtbl.8 d11, {q15}, d17 - veor q11, q7, q9 - vtbl.8 d12, {q10}, d16 - vtbl.8 d13, {q10}, d17 - vtbl.8 d14, {q11}, d16 - vtbl.8 d15, {q11}, d17 - vmov.i8 q8,#0x55 @ compose LBS0 - vmov.i8 q9,#0x33 @ compose LBS1 - vshr.u64 q10, q6, #1 - vshr.u64 q11, q4, #1 - veor q10, q10, q7 - veor q11, q11, q5 - vand q10, q10, q8 - vand q11, q11, q8 - veor q7, q7, q10 - vshl.u64 q10, q10, #1 - veor q5, q5, q11 - vshl.u64 q11, q11, #1 - veor q6, q6, q10 - veor q4, q4, q11 - vshr.u64 q10, q2, #1 - vshr.u64 q11, q0, #1 - veor q10, q10, q3 - veor q11, q11, q1 - vand q10, q10, q8 - vand q11, q11, q8 - veor q3, q3, q10 - vshl.u64 q10, q10, #1 - veor q1, q1, q11 - vshl.u64 q11, q11, #1 - veor q2, q2, q10 - veor q0, q0, q11 - vmov.i8 q8,#0x0f @ compose LBS2 - vshr.u64 q10, q5, #2 - vshr.u64 q11, q4, #2 - veor q10, q10, q7 - veor q11, q11, q6 - vand q10, q10, q9 - vand q11, q11, q9 - veor q7, q7, q10 - vshl.u64 q10, q10, #2 - veor q6, q6, q11 - vshl.u64 q11, q11, #2 - veor q5, q5, q10 - veor q4, q4, q11 - vshr.u64 q10, q1, #2 - vshr.u64 q11, q0, #2 - veor q10, q10, q3 - veor q11, q11, q2 - vand q10, q10, q9 - vand q11, q11, q9 - veor q3, q3, q10 - vshl.u64 q10, q10, #2 - veor q2, q2, q11 - vshl.u64 q11, q11, #2 - veor q1, q1, q10 - veor q0, q0, q11 - vshr.u64 q10, q3, #4 - vshr.u64 q11, q2, #4 - veor q10, q10, q7 - veor q11, q11, q6 - vand q10, q10, q8 - vand q11, q11, q8 - veor q7, q7, q10 - vshl.u64 
q10, q10, #4 - veor q6, q6, q11 - vshl.u64 q11, q11, #4 - veor q3, q3, q10 - veor q2, q2, q11 - vshr.u64 q10, q1, #4 - vshr.u64 q11, q0, #4 - veor q10, q10, q5 - veor q11, q11, q4 - vand q10, q10, q8 - vand q11, q11, q8 - veor q5, q5, q10 - vshl.u64 q10, q10, #4 - veor q4, q4, q11 - vshl.u64 q11, q11, #4 - veor q1, q1, q10 - veor q0, q0, q11 - sub r5,r5,#1 - b Ldec_sbox -.align 4 -Ldec_loop: - vldmia r4!, {q8,q9,q10,q11} - veor q8, q8, q0 - veor q9, q9, q1 - vtbl.8 d0, {q8}, d24 - vtbl.8 d1, {q8}, d25 - vldmia r4!, {q8} - veor q10, q10, q2 - vtbl.8 d2, {q9}, d24 - vtbl.8 d3, {q9}, d25 - vldmia r4!, {q9} - veor q11, q11, q3 - vtbl.8 d4, {q10}, d24 - vtbl.8 d5, {q10}, d25 - vldmia r4!, {q10} - vtbl.8 d6, {q11}, d24 - vtbl.8 d7, {q11}, d25 - vldmia r4!, {q11} - veor q8, q8, q4 - veor q9, q9, q5 - vtbl.8 d8, {q8}, d24 - vtbl.8 d9, {q8}, d25 - veor q10, q10, q6 - vtbl.8 d10, {q9}, d24 - vtbl.8 d11, {q9}, d25 - veor q11, q11, q7 - vtbl.8 d12, {q10}, d24 - vtbl.8 d13, {q10}, d25 - vtbl.8 d14, {q11}, d24 - vtbl.8 d15, {q11}, d25 -Ldec_sbox: - veor q1, q1, q4 - veor q3, q3, q4 - - veor q4, q4, q7 - veor q1, q1, q6 - veor q2, q2, q7 - veor q6, q6, q4 - - veor q0, q0, q1 - veor q2, q2, q5 - veor q7, q7, q6 - veor q3, q3, q0 - veor q5, q5, q0 - veor q1, q1, q3 - veor q11, q3, q0 - veor q10, q7, q4 - veor q9, q1, q6 - veor q13, q4, q0 - vmov q8, q10 - veor q12, q5, q2 - - vorr q10, q10, q9 - veor q15, q11, q8 - vand q14, q11, q12 - vorr q11, q11, q12 - veor q12, q12, q9 - vand q8, q8, q9 - veor q9, q6, q2 - vand q15, q15, q12 - vand q13, q13, q9 - veor q9, q3, q7 - veor q12, q1, q5 - veor q11, q11, q13 - veor q10, q10, q13 - vand q13, q9, q12 - vorr q9, q9, q12 - veor q11, q11, q15 - veor q8, q8, q13 - veor q10, q10, q14 - veor q9, q9, q15 - veor q8, q8, q14 - vand q12, q4, q6 - veor q9, q9, q14 - vand q13, q0, q2 - vand q14, q7, q1 - vorr q15, q3, q5 - veor q11, q11, q12 - veor q9, q9, q14 - veor q8, q8, q15 - veor q10, q10, q13 - - @ Inv_GF16 0, 1, 2, 3, s0, s1, s2, s3 - - @ 
new smaller inversion - - vand q14, q11, q9 - vmov q12, q8 - - veor q13, q10, q14 - veor q15, q8, q14 - veor q14, q8, q14 @ q14=q15 - - vbsl q13, q9, q8 - vbsl q15, q11, q10 - veor q11, q11, q10 - - vbsl q12, q13, q14 - vbsl q8, q14, q13 - - vand q14, q12, q15 - veor q9, q9, q8 - - veor q14, q14, q11 - veor q12, q5, q2 - veor q8, q1, q6 - veor q10, q15, q14 - vand q10, q10, q5 - veor q5, q5, q1 - vand q11, q1, q15 - vand q5, q5, q14 - veor q1, q11, q10 - veor q5, q5, q11 - veor q15, q15, q13 - veor q14, q14, q9 - veor q11, q15, q14 - veor q10, q13, q9 - vand q11, q11, q12 - vand q10, q10, q2 - veor q12, q12, q8 - veor q2, q2, q6 - vand q8, q8, q15 - vand q6, q6, q13 - vand q12, q12, q14 - vand q2, q2, q9 - veor q8, q8, q12 - veor q2, q2, q6 - veor q12, q12, q11 - veor q6, q6, q10 - veor q5, q5, q12 - veor q2, q2, q12 - veor q1, q1, q8 - veor q6, q6, q8 - - veor q12, q3, q0 - veor q8, q7, q4 - veor q11, q15, q14 - veor q10, q13, q9 - vand q11, q11, q12 - vand q10, q10, q0 - veor q12, q12, q8 - veor q0, q0, q4 - vand q8, q8, q15 - vand q4, q4, q13 - vand q12, q12, q14 - vand q0, q0, q9 - veor q8, q8, q12 - veor q0, q0, q4 - veor q12, q12, q11 - veor q4, q4, q10 - veor q15, q15, q13 - veor q14, q14, q9 - veor q10, q15, q14 - vand q10, q10, q3 - veor q3, q3, q7 - vand q11, q7, q15 - vand q3, q3, q14 - veor q7, q11, q10 - veor q3, q3, q11 - veor q3, q3, q12 - veor q0, q0, q12 - veor q7, q7, q8 - veor q4, q4, q8 - veor q1, q1, q7 - veor q6, q6, q5 - - veor q4, q4, q1 - veor q2, q2, q7 - veor q5, q5, q7 - veor q4, q4, q2 - veor q7, q7, q0 - veor q4, q4, q5 - veor q3, q3, q6 - veor q6, q6, q1 - veor q3, q3, q4 - - veor q4, q4, q0 - veor q7, q7, q3 - subs r5,r5,#1 - bcc Ldec_done - @ multiplication by 0x05-0x00-0x04-0x00 - vext.8 q8, q0, q0, #8 - vext.8 q14, q3, q3, #8 - vext.8 q15, q5, q5, #8 - veor q8, q8, q0 - vext.8 q9, q1, q1, #8 - veor q14, q14, q3 - vext.8 q10, q6, q6, #8 - veor q15, q15, q5 - vext.8 q11, q4, q4, #8 - veor q9, q9, q1 - vext.8 q12, q2, q2, #8 - veor 
q10, q10, q6 - vext.8 q13, q7, q7, #8 - veor q11, q11, q4 - veor q12, q12, q2 - veor q13, q13, q7 - - veor q0, q0, q14 - veor q1, q1, q14 - veor q6, q6, q8 - veor q2, q2, q10 - veor q4, q4, q9 - veor q1, q1, q15 - veor q6, q6, q15 - veor q2, q2, q14 - veor q7, q7, q11 - veor q4, q4, q14 - veor q3, q3, q12 - veor q2, q2, q15 - veor q7, q7, q15 - veor q5, q5, q13 - vext.8 q8, q0, q0, #12 @ x0 <<< 32 - vext.8 q9, q1, q1, #12 - veor q0, q0, q8 @ x0 ^ (x0 <<< 32) - vext.8 q10, q6, q6, #12 - veor q1, q1, q9 - vext.8 q11, q4, q4, #12 - veor q6, q6, q10 - vext.8 q12, q2, q2, #12 - veor q4, q4, q11 - vext.8 q13, q7, q7, #12 - veor q2, q2, q12 - vext.8 q14, q3, q3, #12 - veor q7, q7, q13 - vext.8 q15, q5, q5, #12 - veor q3, q3, q14 - - veor q9, q9, q0 - veor q5, q5, q15 - vext.8 q0, q0, q0, #8 @ (x0 ^ (x0 <<< 32)) <<< 64) - veor q10, q10, q1 - veor q8, q8, q5 - veor q9, q9, q5 - vext.8 q1, q1, q1, #8 - veor q13, q13, q2 - veor q0, q0, q8 - veor q14, q14, q7 - veor q1, q1, q9 - vext.8 q8, q2, q2, #8 - veor q12, q12, q4 - vext.8 q9, q7, q7, #8 - veor q15, q15, q3 - vext.8 q2, q4, q4, #8 - veor q11, q11, q6 - vext.8 q7, q5, q5, #8 - veor q12, q12, q5 - vext.8 q4, q3, q3, #8 - veor q11, q11, q5 - vext.8 q3, q6, q6, #8 - veor q5, q9, q13 - veor q11, q11, q2 - veor q7, q7, q15 - veor q6, q4, q14 - veor q4, q8, q12 - veor q2, q3, q10 - vmov q3, q11 - @ vmov q5, q9 - vldmia r6, {q12} @ LISR - ite eq @ Thumb2 thing, sanity check in ARM - addeq r6,r6,#0x10 - bne Ldec_loop - vldmia r6, {q12} @ LISRM0 - b Ldec_loop -.align 4 -Ldec_done: - vmov.i8 q8,#0x55 @ compose LBS0 - vmov.i8 q9,#0x33 @ compose LBS1 - vshr.u64 q10, q3, #1 - vshr.u64 q11, q2, #1 - veor q10, q10, q5 - veor q11, q11, q7 - vand q10, q10, q8 - vand q11, q11, q8 - veor q5, q5, q10 - vshl.u64 q10, q10, #1 - veor q7, q7, q11 - vshl.u64 q11, q11, #1 - veor q3, q3, q10 - veor q2, q2, q11 - vshr.u64 q10, q6, #1 - vshr.u64 q11, q0, #1 - veor q10, q10, q4 - veor q11, q11, q1 - vand q10, q10, q8 - vand q11, q11, q8 - veor q4, q4, 
q10 - vshl.u64 q10, q10, #1 - veor q1, q1, q11 - vshl.u64 q11, q11, #1 - veor q6, q6, q10 - veor q0, q0, q11 - vmov.i8 q8,#0x0f @ compose LBS2 - vshr.u64 q10, q7, #2 - vshr.u64 q11, q2, #2 - veor q10, q10, q5 - veor q11, q11, q3 - vand q10, q10, q9 - vand q11, q11, q9 - veor q5, q5, q10 - vshl.u64 q10, q10, #2 - veor q3, q3, q11 - vshl.u64 q11, q11, #2 - veor q7, q7, q10 - veor q2, q2, q11 - vshr.u64 q10, q1, #2 - vshr.u64 q11, q0, #2 - veor q10, q10, q4 - veor q11, q11, q6 - vand q10, q10, q9 - vand q11, q11, q9 - veor q4, q4, q10 - vshl.u64 q10, q10, #2 - veor q6, q6, q11 - vshl.u64 q11, q11, #2 - veor q1, q1, q10 - veor q0, q0, q11 - vshr.u64 q10, q4, #4 - vshr.u64 q11, q6, #4 - veor q10, q10, q5 - veor q11, q11, q3 - vand q10, q10, q8 - vand q11, q11, q8 - veor q5, q5, q10 - vshl.u64 q10, q10, #4 - veor q3, q3, q11 - vshl.u64 q11, q11, #4 - veor q4, q4, q10 - veor q6, q6, q11 - vshr.u64 q10, q1, #4 - vshr.u64 q11, q0, #4 - veor q10, q10, q7 - veor q11, q11, q2 - vand q10, q10, q8 - vand q11, q11, q8 - veor q7, q7, q10 - vshl.u64 q10, q10, #4 - veor q2, q2, q11 - vshl.u64 q11, q11, #4 - veor q1, q1, q10 - veor q0, q0, q11 - vldmia r4, {q8} @ last round key - veor q6, q6, q8 - veor q4, q4, q8 - veor q2, q2, q8 - veor q7, q7, q8 - veor q3, q3, q8 - veor q5, q5, q8 - veor q0, q0, q8 - veor q1, q1, q8 - bx lr - - - -.align 6 -_bsaes_const: -LM0ISR:@ InvShiftRows constants -.quad 0x0a0e0206070b0f03, 0x0004080c0d010509 -LISR: -.quad 0x0504070602010003, 0x0f0e0d0c080b0a09 -LISRM0: -.quad 0x01040b0e0205080f, 0x0306090c00070a0d -LM0SR:@ ShiftRows constants -.quad 0x0a0e02060f03070b, 0x0004080c05090d01 -LSR: -.quad 0x0504070600030201, 0x0f0e0d0c0a09080b -LSRM0: -.quad 0x0304090e00050a0f, 0x01060b0c0207080d -LM0: -.quad 0x02060a0e03070b0f, 0x0004080c0105090d -LREVM0SR: -.quad 0x090d01050c000408, 0x03070b0f060a0e02 -.byte 
66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102,111,114,32,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.align 6 - - -#ifdef __thumb2__ -.thumb_func _bsaes_encrypt8 -#endif -.align 4 -_bsaes_encrypt8: - adr r6,. - vldmia r4!, {q9} @ round 0 key -#if defined(__thumb2__) || defined(__APPLE__) - adr r6,LM0SR -#else - sub r6,r6,#_bsaes_encrypt8-LM0SR -#endif - - vldmia r6!, {q8} @ LM0SR -_bsaes_encrypt8_alt: - veor q10, q0, q9 @ xor with round0 key - veor q11, q1, q9 - vtbl.8 d0, {q10}, d16 - vtbl.8 d1, {q10}, d17 - veor q12, q2, q9 - vtbl.8 d2, {q11}, d16 - vtbl.8 d3, {q11}, d17 - veor q13, q3, q9 - vtbl.8 d4, {q12}, d16 - vtbl.8 d5, {q12}, d17 - veor q14, q4, q9 - vtbl.8 d6, {q13}, d16 - vtbl.8 d7, {q13}, d17 - veor q15, q5, q9 - vtbl.8 d8, {q14}, d16 - vtbl.8 d9, {q14}, d17 - veor q10, q6, q9 - vtbl.8 d10, {q15}, d16 - vtbl.8 d11, {q15}, d17 - veor q11, q7, q9 - vtbl.8 d12, {q10}, d16 - vtbl.8 d13, {q10}, d17 - vtbl.8 d14, {q11}, d16 - vtbl.8 d15, {q11}, d17 -_bsaes_encrypt8_bitslice: - vmov.i8 q8,#0x55 @ compose LBS0 - vmov.i8 q9,#0x33 @ compose LBS1 - vshr.u64 q10, q6, #1 - vshr.u64 q11, q4, #1 - veor q10, q10, q7 - veor q11, q11, q5 - vand q10, q10, q8 - vand q11, q11, q8 - veor q7, q7, q10 - vshl.u64 q10, q10, #1 - veor q5, q5, q11 - vshl.u64 q11, q11, #1 - veor q6, q6, q10 - veor q4, q4, q11 - vshr.u64 q10, q2, #1 - vshr.u64 q11, q0, #1 - veor q10, q10, q3 - veor q11, q11, q1 - vand q10, q10, q8 - vand q11, q11, q8 - veor q3, q3, q10 - vshl.u64 q10, q10, #1 - veor q1, q1, q11 - vshl.u64 q11, q11, #1 - veor q2, q2, q10 - veor q0, q0, q11 - vmov.i8 q8,#0x0f @ compose LBS2 - vshr.u64 q10, q5, #2 - vshr.u64 q11, q4, #2 - veor q10, q10, q7 - veor q11, q11, q6 - vand q10, q10, q9 - vand q11, q11, q9 - veor q7, q7, q10 - vshl.u64 q10, q10, #2 - veor q6, q6, q11 - vshl.u64 q11, q11, #2 - veor q5, q5, q10 - veor q4, q4, q11 - vshr.u64 q10, q1, #2 - vshr.u64 q11, 
q0, #2 - veor q10, q10, q3 - veor q11, q11, q2 - vand q10, q10, q9 - vand q11, q11, q9 - veor q3, q3, q10 - vshl.u64 q10, q10, #2 - veor q2, q2, q11 - vshl.u64 q11, q11, #2 - veor q1, q1, q10 - veor q0, q0, q11 - vshr.u64 q10, q3, #4 - vshr.u64 q11, q2, #4 - veor q10, q10, q7 - veor q11, q11, q6 - vand q10, q10, q8 - vand q11, q11, q8 - veor q7, q7, q10 - vshl.u64 q10, q10, #4 - veor q6, q6, q11 - vshl.u64 q11, q11, #4 - veor q3, q3, q10 - veor q2, q2, q11 - vshr.u64 q10, q1, #4 - vshr.u64 q11, q0, #4 - veor q10, q10, q5 - veor q11, q11, q4 - vand q10, q10, q8 - vand q11, q11, q8 - veor q5, q5, q10 - vshl.u64 q10, q10, #4 - veor q4, q4, q11 - vshl.u64 q11, q11, #4 - veor q1, q1, q10 - veor q0, q0, q11 - sub r5,r5,#1 - b Lenc_sbox -.align 4 -Lenc_loop: - vldmia r4!, {q8,q9,q10,q11} - veor q8, q8, q0 - veor q9, q9, q1 - vtbl.8 d0, {q8}, d24 - vtbl.8 d1, {q8}, d25 - vldmia r4!, {q8} - veor q10, q10, q2 - vtbl.8 d2, {q9}, d24 - vtbl.8 d3, {q9}, d25 - vldmia r4!, {q9} - veor q11, q11, q3 - vtbl.8 d4, {q10}, d24 - vtbl.8 d5, {q10}, d25 - vldmia r4!, {q10} - vtbl.8 d6, {q11}, d24 - vtbl.8 d7, {q11}, d25 - vldmia r4!, {q11} - veor q8, q8, q4 - veor q9, q9, q5 - vtbl.8 d8, {q8}, d24 - vtbl.8 d9, {q8}, d25 - veor q10, q10, q6 - vtbl.8 d10, {q9}, d24 - vtbl.8 d11, {q9}, d25 - veor q11, q11, q7 - vtbl.8 d12, {q10}, d24 - vtbl.8 d13, {q10}, d25 - vtbl.8 d14, {q11}, d24 - vtbl.8 d15, {q11}, d25 -Lenc_sbox: - veor q2, q2, q1 - veor q5, q5, q6 - veor q3, q3, q0 - veor q6, q6, q2 - veor q5, q5, q0 - - veor q6, q6, q3 - veor q3, q3, q7 - veor q7, q7, q5 - veor q3, q3, q4 - veor q4, q4, q5 - - veor q2, q2, q7 - veor q3, q3, q1 - veor q1, q1, q5 - veor q11, q7, q4 - veor q10, q1, q2 - veor q9, q5, q3 - veor q13, q2, q4 - vmov q8, q10 - veor q12, q6, q0 - - vorr q10, q10, q9 - veor q15, q11, q8 - vand q14, q11, q12 - vorr q11, q11, q12 - veor q12, q12, q9 - vand q8, q8, q9 - veor q9, q3, q0 - vand q15, q15, q12 - vand q13, q13, q9 - veor q9, q7, q1 - veor q12, q5, q6 - veor q11, q11, 
q13 - veor q10, q10, q13 - vand q13, q9, q12 - vorr q9, q9, q12 - veor q11, q11, q15 - veor q8, q8, q13 - veor q10, q10, q14 - veor q9, q9, q15 - veor q8, q8, q14 - vand q12, q2, q3 - veor q9, q9, q14 - vand q13, q4, q0 - vand q14, q1, q5 - vorr q15, q7, q6 - veor q11, q11, q12 - veor q9, q9, q14 - veor q8, q8, q15 - veor q10, q10, q13 - - @ Inv_GF16 0, 1, 2, 3, s0, s1, s2, s3 - - @ new smaller inversion - - vand q14, q11, q9 - vmov q12, q8 - - veor q13, q10, q14 - veor q15, q8, q14 - veor q14, q8, q14 @ q14=q15 - - vbsl q13, q9, q8 - vbsl q15, q11, q10 - veor q11, q11, q10 - - vbsl q12, q13, q14 - vbsl q8, q14, q13 - - vand q14, q12, q15 - veor q9, q9, q8 - - veor q14, q14, q11 - veor q12, q6, q0 - veor q8, q5, q3 - veor q10, q15, q14 - vand q10, q10, q6 - veor q6, q6, q5 - vand q11, q5, q15 - vand q6, q6, q14 - veor q5, q11, q10 - veor q6, q6, q11 - veor q15, q15, q13 - veor q14, q14, q9 - veor q11, q15, q14 - veor q10, q13, q9 - vand q11, q11, q12 - vand q10, q10, q0 - veor q12, q12, q8 - veor q0, q0, q3 - vand q8, q8, q15 - vand q3, q3, q13 - vand q12, q12, q14 - vand q0, q0, q9 - veor q8, q8, q12 - veor q0, q0, q3 - veor q12, q12, q11 - veor q3, q3, q10 - veor q6, q6, q12 - veor q0, q0, q12 - veor q5, q5, q8 - veor q3, q3, q8 - - veor q12, q7, q4 - veor q8, q1, q2 - veor q11, q15, q14 - veor q10, q13, q9 - vand q11, q11, q12 - vand q10, q10, q4 - veor q12, q12, q8 - veor q4, q4, q2 - vand q8, q8, q15 - vand q2, q2, q13 - vand q12, q12, q14 - vand q4, q4, q9 - veor q8, q8, q12 - veor q4, q4, q2 - veor q12, q12, q11 - veor q2, q2, q10 - veor q15, q15, q13 - veor q14, q14, q9 - veor q10, q15, q14 - vand q10, q10, q7 - veor q7, q7, q1 - vand q11, q1, q15 - vand q7, q7, q14 - veor q1, q11, q10 - veor q7, q7, q11 - veor q7, q7, q12 - veor q4, q4, q12 - veor q1, q1, q8 - veor q2, q2, q8 - veor q7, q7, q0 - veor q1, q1, q6 - veor q6, q6, q0 - veor q4, q4, q7 - veor q0, q0, q1 - - veor q1, q1, q5 - veor q5, q5, q2 - veor q2, q2, q3 - veor q3, q3, q5 - veor q4, q4, q5 - 
- veor q6, q6, q3 - subs r5,r5,#1 - bcc Lenc_done - vext.8 q8, q0, q0, #12 @ x0 <<< 32 - vext.8 q9, q1, q1, #12 - veor q0, q0, q8 @ x0 ^ (x0 <<< 32) - vext.8 q10, q4, q4, #12 - veor q1, q1, q9 - vext.8 q11, q6, q6, #12 - veor q4, q4, q10 - vext.8 q12, q3, q3, #12 - veor q6, q6, q11 - vext.8 q13, q7, q7, #12 - veor q3, q3, q12 - vext.8 q14, q2, q2, #12 - veor q7, q7, q13 - vext.8 q15, q5, q5, #12 - veor q2, q2, q14 - - veor q9, q9, q0 - veor q5, q5, q15 - vext.8 q0, q0, q0, #8 @ (x0 ^ (x0 <<< 32)) <<< 64) - veor q10, q10, q1 - veor q8, q8, q5 - veor q9, q9, q5 - vext.8 q1, q1, q1, #8 - veor q13, q13, q3 - veor q0, q0, q8 - veor q14, q14, q7 - veor q1, q1, q9 - vext.8 q8, q3, q3, #8 - veor q12, q12, q6 - vext.8 q9, q7, q7, #8 - veor q15, q15, q2 - vext.8 q3, q6, q6, #8 - veor q11, q11, q4 - vext.8 q7, q5, q5, #8 - veor q12, q12, q5 - vext.8 q6, q2, q2, #8 - veor q11, q11, q5 - vext.8 q2, q4, q4, #8 - veor q5, q9, q13 - veor q4, q8, q12 - veor q3, q3, q11 - veor q7, q7, q15 - veor q6, q6, q14 - @ vmov q4, q8 - veor q2, q2, q10 - @ vmov q5, q9 - vldmia r6, {q12} @ LSR - ite eq @ Thumb2 thing, samity check in ARM - addeq r6,r6,#0x10 - bne Lenc_loop - vldmia r6, {q12} @ LSRM0 - b Lenc_loop -.align 4 -Lenc_done: - vmov.i8 q8,#0x55 @ compose LBS0 - vmov.i8 q9,#0x33 @ compose LBS1 - vshr.u64 q10, q2, #1 - vshr.u64 q11, q3, #1 - veor q10, q10, q5 - veor q11, q11, q7 - vand q10, q10, q8 - vand q11, q11, q8 - veor q5, q5, q10 - vshl.u64 q10, q10, #1 - veor q7, q7, q11 - vshl.u64 q11, q11, #1 - veor q2, q2, q10 - veor q3, q3, q11 - vshr.u64 q10, q4, #1 - vshr.u64 q11, q0, #1 - veor q10, q10, q6 - veor q11, q11, q1 - vand q10, q10, q8 - vand q11, q11, q8 - veor q6, q6, q10 - vshl.u64 q10, q10, #1 - veor q1, q1, q11 - vshl.u64 q11, q11, #1 - veor q4, q4, q10 - veor q0, q0, q11 - vmov.i8 q8,#0x0f @ compose LBS2 - vshr.u64 q10, q7, #2 - vshr.u64 q11, q3, #2 - veor q10, q10, q5 - veor q11, q11, q2 - vand q10, q10, q9 - vand q11, q11, q9 - veor q5, q5, q10 - vshl.u64 q10, q10, #2 - 
veor q2, q2, q11 - vshl.u64 q11, q11, #2 - veor q7, q7, q10 - veor q3, q3, q11 - vshr.u64 q10, q1, #2 - vshr.u64 q11, q0, #2 - veor q10, q10, q6 - veor q11, q11, q4 - vand q10, q10, q9 - vand q11, q11, q9 - veor q6, q6, q10 - vshl.u64 q10, q10, #2 - veor q4, q4, q11 - vshl.u64 q11, q11, #2 - veor q1, q1, q10 - veor q0, q0, q11 - vshr.u64 q10, q6, #4 - vshr.u64 q11, q4, #4 - veor q10, q10, q5 - veor q11, q11, q2 - vand q10, q10, q8 - vand q11, q11, q8 - veor q5, q5, q10 - vshl.u64 q10, q10, #4 - veor q2, q2, q11 - vshl.u64 q11, q11, #4 - veor q6, q6, q10 - veor q4, q4, q11 - vshr.u64 q10, q1, #4 - vshr.u64 q11, q0, #4 - veor q10, q10, q7 - veor q11, q11, q3 - vand q10, q10, q8 - vand q11, q11, q8 - veor q7, q7, q10 - vshl.u64 q10, q10, #4 - veor q3, q3, q11 - vshl.u64 q11, q11, #4 - veor q1, q1, q10 - veor q0, q0, q11 - vldmia r4, {q8} @ last round key - veor q4, q4, q8 - veor q6, q6, q8 - veor q3, q3, q8 - veor q7, q7, q8 - veor q2, q2, q8 - veor q5, q5, q8 - veor q0, q0, q8 - veor q1, q1, q8 - bx lr - -#ifdef __thumb2__ -.thumb_func _bsaes_key_convert -#endif -.align 4 -_bsaes_key_convert: - adr r6,. - vld1.8 {q7}, [r4]! @ load round 0 key -#if defined(__thumb2__) || defined(__APPLE__) - adr r6,LM0 -#else - sub r6,r6,#_bsaes_key_convert-LM0 -#endif - vld1.8 {q15}, [r4]! @ load round 1 key - - vmov.i8 q8, #0x01 @ bit masks - vmov.i8 q9, #0x02 - vmov.i8 q10, #0x04 - vmov.i8 q11, #0x08 - vmov.i8 q12, #0x10 - vmov.i8 q13, #0x20 - vldmia r6, {q14} @ LM0 - -#ifdef __ARMEL__ - vrev32.8 q7, q7 - vrev32.8 q15, q15 -#endif - sub r5,r5,#1 - vstmia r12!, {q7} @ save round 0 key - b Lkey_loop - -.align 4 -Lkey_loop: - vtbl.8 d14,{q15},d28 - vtbl.8 d15,{q15},d29 - vmov.i8 q6, #0x40 - vmov.i8 q15, #0x80 - - vtst.8 q0, q7, q8 - vtst.8 q1, q7, q9 - vtst.8 q2, q7, q10 - vtst.8 q3, q7, q11 - vtst.8 q4, q7, q12 - vtst.8 q5, q7, q13 - vtst.8 q6, q7, q6 - vtst.8 q7, q7, q15 - vld1.8 {q15}, [r4]! 
@ load next round key - vmvn q0, q0 @ "pnot" - vmvn q1, q1 - vmvn q5, q5 - vmvn q6, q6 -#ifdef __ARMEL__ - vrev32.8 q15, q15 -#endif - subs r5,r5,#1 - vstmia r12!,{q0,q1,q2,q3,q4,q5,q6,q7} @ write bit-sliced round key - bne Lkey_loop - - vmov.i8 q7,#0x63 @ compose L63 - @ don't save last round key - bx lr - -.globl _bsaes_cbc_encrypt -.private_extern _bsaes_cbc_encrypt -#ifdef __thumb2__ -.thumb_func _bsaes_cbc_encrypt -#endif -.align 5 -_bsaes_cbc_encrypt: - @ In OpenSSL, this function had a fallback to aes_nohw_cbc_encrypt for - @ short inputs. We patch this out, using bsaes for all input sizes. - - @ it is up to the caller to make sure we are called with enc == 0 - - mov ip, sp - stmdb sp!, {r4,r5,r6,r7,r8,r9,r10, lr} - VFP_ABI_PUSH - ldr r8, [ip] @ IV is 1st arg on the stack - mov r2, r2, lsr#4 @ len in 16 byte blocks - sub sp, #0x10 @ scratch space to carry over the IV - mov r9, sp @ save sp - - ldr r10, [r3, #240] @ get # of rounds -#ifndef BSAES_ASM_EXTENDED_KEY - @ allocate the key schedule on the stack - sub r12, sp, r10, lsl#7 @ 128 bytes per inner round key - add r12, #96 @ sifze of bit-slices key schedule - - @ populate the key schedule - mov r4, r3 @ pass key - mov r5, r10 @ pass # of rounds - mov sp, r12 @ sp is sp - bl _bsaes_key_convert - vldmia sp, {q6} - vstmia r12, {q15} @ save last round key - veor q7, q7, q6 @ fix up round 0 key - vstmia sp, {q7} -#else - ldr r12, [r3, #244] - eors r12, #1 - beq 0f - - @ populate the key schedule - str r12, [r3, #244] - mov r4, r3 @ pass key - mov r5, r10 @ pass # of rounds - add r12, r3, #248 @ pass key schedule - bl _bsaes_key_convert - add r4, r3, #248 - vldmia r4, {q6} - vstmia r12, {q15} @ save last round key - veor q7, q7, q6 @ fix up round 0 key - vstmia r4, {q7} - -.align 2 - -#endif - - vld1.8 {q15}, [r8] @ load IV - b Lcbc_dec_loop - -.align 4 -Lcbc_dec_loop: - subs r2, r2, #0x8 - bmi Lcbc_dec_loop_finish - - vld1.8 {q0,q1}, [r0]! @ load input - vld1.8 {q2,q3}, [r0]! 
-#ifndef BSAES_ASM_EXTENDED_KEY - mov r4, sp @ pass the key -#else - add r4, r3, #248 -#endif - vld1.8 {q4,q5}, [r0]! - mov r5, r10 - vld1.8 {q6,q7}, [r0] - sub r0, r0, #0x60 - vstmia r9, {q15} @ put aside IV - - bl _bsaes_decrypt8 - - vldmia r9, {q14} @ reload IV - vld1.8 {q8,q9}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vld1.8 {q10,q11}, [r0]! - veor q1, q1, q8 - veor q6, q6, q9 - vld1.8 {q12,q13}, [r0]! - veor q4, q4, q10 - veor q2, q2, q11 - vld1.8 {q14,q15}, [r0]! - veor q7, q7, q12 - vst1.8 {q0,q1}, [r1]! @ write output - veor q3, q3, q13 - vst1.8 {q6}, [r1]! - veor q5, q5, q14 - vst1.8 {q4}, [r1]! - vst1.8 {q2}, [r1]! - vst1.8 {q7}, [r1]! - vst1.8 {q3}, [r1]! - vst1.8 {q5}, [r1]! - - b Lcbc_dec_loop - -Lcbc_dec_loop_finish: - adds r2, r2, #8 - beq Lcbc_dec_done - - @ Set up most parameters for the _bsaes_decrypt8 call. -#ifndef BSAES_ASM_EXTENDED_KEY - mov r4, sp @ pass the key -#else - add r4, r3, #248 -#endif - mov r5, r10 - vstmia r9, {q15} @ put aside IV - - vld1.8 {q0}, [r0]! @ load input - cmp r2, #2 - blo Lcbc_dec_one - vld1.8 {q1}, [r0]! - beq Lcbc_dec_two - vld1.8 {q2}, [r0]! - cmp r2, #4 - blo Lcbc_dec_three - vld1.8 {q3}, [r0]! - beq Lcbc_dec_four - vld1.8 {q4}, [r0]! - cmp r2, #6 - blo Lcbc_dec_five - vld1.8 {q5}, [r0]! - beq Lcbc_dec_six - vld1.8 {q6}, [r0]! - sub r0, r0, #0x70 - - bl _bsaes_decrypt8 - - vldmia r9, {q14} @ reload IV - vld1.8 {q8,q9}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vld1.8 {q10,q11}, [r0]! - veor q1, q1, q8 - veor q6, q6, q9 - vld1.8 {q12,q13}, [r0]! - veor q4, q4, q10 - veor q2, q2, q11 - vld1.8 {q15}, [r0]! - veor q7, q7, q12 - vst1.8 {q0,q1}, [r1]! @ write output - veor q3, q3, q13 - vst1.8 {q6}, [r1]! - vst1.8 {q4}, [r1]! - vst1.8 {q2}, [r1]! - vst1.8 {q7}, [r1]! - vst1.8 {q3}, [r1]! - b Lcbc_dec_done -.align 4 -Lcbc_dec_six: - sub r0, r0, #0x60 - bl _bsaes_decrypt8 - vldmia r9,{q14} @ reload IV - vld1.8 {q8,q9}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vld1.8 {q10,q11}, [r0]! 
- veor q1, q1, q8 - veor q6, q6, q9 - vld1.8 {q12}, [r0]! - veor q4, q4, q10 - veor q2, q2, q11 - vld1.8 {q15}, [r0]! - veor q7, q7, q12 - vst1.8 {q0,q1}, [r1]! @ write output - vst1.8 {q6}, [r1]! - vst1.8 {q4}, [r1]! - vst1.8 {q2}, [r1]! - vst1.8 {q7}, [r1]! - b Lcbc_dec_done -.align 4 -Lcbc_dec_five: - sub r0, r0, #0x50 - bl _bsaes_decrypt8 - vldmia r9, {q14} @ reload IV - vld1.8 {q8,q9}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vld1.8 {q10,q11}, [r0]! - veor q1, q1, q8 - veor q6, q6, q9 - vld1.8 {q15}, [r0]! - veor q4, q4, q10 - vst1.8 {q0,q1}, [r1]! @ write output - veor q2, q2, q11 - vst1.8 {q6}, [r1]! - vst1.8 {q4}, [r1]! - vst1.8 {q2}, [r1]! - b Lcbc_dec_done -.align 4 -Lcbc_dec_four: - sub r0, r0, #0x40 - bl _bsaes_decrypt8 - vldmia r9, {q14} @ reload IV - vld1.8 {q8,q9}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vld1.8 {q10}, [r0]! - veor q1, q1, q8 - veor q6, q6, q9 - vld1.8 {q15}, [r0]! - veor q4, q4, q10 - vst1.8 {q0,q1}, [r1]! @ write output - vst1.8 {q6}, [r1]! - vst1.8 {q4}, [r1]! - b Lcbc_dec_done -.align 4 -Lcbc_dec_three: - sub r0, r0, #0x30 - bl _bsaes_decrypt8 - vldmia r9, {q14} @ reload IV - vld1.8 {q8,q9}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vld1.8 {q15}, [r0]! - veor q1, q1, q8 - veor q6, q6, q9 - vst1.8 {q0,q1}, [r1]! @ write output - vst1.8 {q6}, [r1]! - b Lcbc_dec_done -.align 4 -Lcbc_dec_two: - sub r0, r0, #0x20 - bl _bsaes_decrypt8 - vldmia r9, {q14} @ reload IV - vld1.8 {q8}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vld1.8 {q15}, [r0]! @ reload input - veor q1, q1, q8 - vst1.8 {q0,q1}, [r1]! @ write output - b Lcbc_dec_done -.align 4 -Lcbc_dec_one: - sub r0, r0, #0x10 - bl _bsaes_decrypt8 - vldmia r9, {q14} @ reload IV - vld1.8 {q15}, [r0]! @ reload input - veor q0, q0, q14 @ ^= IV - vst1.8 {q0}, [r1]! 
@ write output - -Lcbc_dec_done: -#ifndef BSAES_ASM_EXTENDED_KEY - vmov.i32 q0, #0 - vmov.i32 q1, #0 -Lcbc_dec_bzero:@ wipe key schedule [if any] - vstmia sp!, {q0,q1} - cmp sp, r9 - bne Lcbc_dec_bzero -#endif - - mov sp, r9 - add sp, #0x10 @ add sp,r9,#0x10 is no good for thumb - vst1.8 {q15}, [r8] @ return IV - VFP_ABI_POP - ldmia sp!, {r4,r5,r6,r7,r8,r9,r10, pc} - -.globl _bsaes_ctr32_encrypt_blocks -.private_extern _bsaes_ctr32_encrypt_blocks -#ifdef __thumb2__ -.thumb_func _bsaes_ctr32_encrypt_blocks -#endif -.align 5 -_bsaes_ctr32_encrypt_blocks: - @ In OpenSSL, short inputs fall back to aes_nohw_* here. We patch this - @ out to retain a constant-time implementation. - mov ip, sp - stmdb sp!, {r4,r5,r6,r7,r8,r9,r10, lr} - VFP_ABI_PUSH - ldr r8, [ip] @ ctr is 1st arg on the stack - sub sp, sp, #0x10 @ scratch space to carry over the ctr - mov r9, sp @ save sp - - ldr r10, [r3, #240] @ get # of rounds -#ifndef BSAES_ASM_EXTENDED_KEY - @ allocate the key schedule on the stack - sub r12, sp, r10, lsl#7 @ 128 bytes per inner round key - add r12, #96 @ size of bit-sliced key schedule - - @ populate the key schedule - mov r4, r3 @ pass key - mov r5, r10 @ pass # of rounds - mov sp, r12 @ sp is sp - bl _bsaes_key_convert - veor q7,q7,q15 @ fix up last round key - vstmia r12, {q7} @ save last round key - - vld1.8 {q0}, [r8] @ load counter -#ifdef __APPLE__ - mov r8, #:lower16:(LREVM0SR-LM0) - add r8, r6, r8 -#else - add r8, r6, #LREVM0SR-LM0 @ borrow r8 -#endif - vldmia sp, {q4} @ load round0 key -#else - ldr r12, [r3, #244] - eors r12, #1 - beq 0f - - @ populate the key schedule - str r12, [r3, #244] - mov r4, r3 @ pass key - mov r5, r10 @ pass # of rounds - add r12, r3, #248 @ pass key schedule - bl _bsaes_key_convert - veor q7,q7,q15 @ fix up last round key - vstmia r12, {q7} @ save last round key - -.align 2 - add r12, r3, #248 - vld1.8 {q0}, [r8] @ load counter - adrl r8, LREVM0SR @ borrow r8 - vldmia r12, {q4} @ load round0 key - sub sp, #0x10 @ place for 
adjusted round0 key -#endif - - vmov.i32 q8,#1 @ compose 1<<96 - veor q9,q9,q9 - vrev32.8 q0,q0 - vext.8 q8,q9,q8,#4 - vrev32.8 q4,q4 - vadd.u32 q9,q8,q8 @ compose 2<<96 - vstmia sp, {q4} @ save adjusted round0 key - b Lctr_enc_loop - -.align 4 -Lctr_enc_loop: - vadd.u32 q10, q8, q9 @ compose 3<<96 - vadd.u32 q1, q0, q8 @ +1 - vadd.u32 q2, q0, q9 @ +2 - vadd.u32 q3, q0, q10 @ +3 - vadd.u32 q4, q1, q10 - vadd.u32 q5, q2, q10 - vadd.u32 q6, q3, q10 - vadd.u32 q7, q4, q10 - vadd.u32 q10, q5, q10 @ next counter - - @ Borrow prologue from _bsaes_encrypt8 to use the opportunity - @ to flip byte order in 32-bit counter - - vldmia sp, {q9} @ load round0 key -#ifndef BSAES_ASM_EXTENDED_KEY - add r4, sp, #0x10 @ pass next round key -#else - add r4, r3, #264 -#endif - vldmia r8, {q8} @ LREVM0SR - mov r5, r10 @ pass rounds - vstmia r9, {q10} @ save next counter -#ifdef __APPLE__ - mov r6, #:lower16:(LREVM0SR-LSR) - sub r6, r8, r6 -#else - sub r6, r8, #LREVM0SR-LSR @ pass constants -#endif - - bl _bsaes_encrypt8_alt - - subs r2, r2, #8 - blo Lctr_enc_loop_done - - vld1.8 {q8,q9}, [r0]! @ load input - vld1.8 {q10,q11}, [r0]! - veor q0, q8 - veor q1, q9 - vld1.8 {q12,q13}, [r0]! - veor q4, q10 - veor q6, q11 - vld1.8 {q14,q15}, [r0]! - veor q3, q12 - vst1.8 {q0,q1}, [r1]! @ write output - veor q7, q13 - veor q2, q14 - vst1.8 {q4}, [r1]! - veor q5, q15 - vst1.8 {q6}, [r1]! - vmov.i32 q8, #1 @ compose 1<<96 - vst1.8 {q3}, [r1]! - veor q9, q9, q9 - vst1.8 {q7}, [r1]! - vext.8 q8, q9, q8, #4 - vst1.8 {q2}, [r1]! - vadd.u32 q9,q8,q8 @ compose 2<<96 - vst1.8 {q5}, [r1]! - vldmia r9, {q0} @ load counter - - bne Lctr_enc_loop - b Lctr_enc_done - -.align 4 -Lctr_enc_loop_done: - add r2, r2, #8 - vld1.8 {q8}, [r0]! @ load input - veor q0, q8 - vst1.8 {q0}, [r1]! @ write output - cmp r2, #2 - blo Lctr_enc_done - vld1.8 {q9}, [r0]! - veor q1, q9 - vst1.8 {q1}, [r1]! - beq Lctr_enc_done - vld1.8 {q10}, [r0]! - veor q4, q10 - vst1.8 {q4}, [r1]! 
- cmp r2, #4 - blo Lctr_enc_done - vld1.8 {q11}, [r0]! - veor q6, q11 - vst1.8 {q6}, [r1]! - beq Lctr_enc_done - vld1.8 {q12}, [r0]! - veor q3, q12 - vst1.8 {q3}, [r1]! - cmp r2, #6 - blo Lctr_enc_done - vld1.8 {q13}, [r0]! - veor q7, q13 - vst1.8 {q7}, [r1]! - beq Lctr_enc_done - vld1.8 {q14}, [r0] - veor q2, q14 - vst1.8 {q2}, [r1]! - -Lctr_enc_done: - vmov.i32 q0, #0 - vmov.i32 q1, #0 -#ifndef BSAES_ASM_EXTENDED_KEY -Lctr_enc_bzero:@ wipe key schedule [if any] - vstmia sp!, {q0,q1} - cmp sp, r9 - bne Lctr_enc_bzero -#else - vstmia sp, {q0,q1} -#endif - - mov sp, r9 - add sp, #0x10 @ add sp,r9,#0x10 is no good for thumb - VFP_ABI_POP - ldmia sp!, {r4,r5,r6,r7,r8,r9,r10, pc} @ return - - @ OpenSSL contains aes_nohw_* fallback code here. We patch this - @ out to retain a constant-time implementation. - -#endif -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/aead.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/aead.c.inc similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/aead.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/aead.c.inc index fbaccca8f..4ac434f3b 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/aead.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/aead.c.inc @@ -262,6 +262,7 @@ const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx) { return ctx->aead; } int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv, size_t *out_len) { if (ctx->aead->get_iv == NULL) { + OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/cipher.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/cipher.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/cipher.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/cipher.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aes.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aes.c.inc similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aes.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aes.c.inc index 387cb0c57..2485942ae 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aes.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aes.c.inc @@ -56,11 +56,11 @@ #include #include #include -#include #include "internal.h" #include "../../internal.h" #include "../aes/internal.h" +#include "../bcm_interface.h" #include "../modes/internal.h" #include "../service_indicator/internal.h" #include "../delocate.h" @@ -408,22 +408,6 @@ static void aes_gcm_cleanup(EVP_CIPHER_CTX *c) { } } -// increment counter (64-bit int) by 1 -static void ctr64_inc(uint8_t *counter) { - int n = 8; - uint8_t c; - - do { - --n; - c = counter[n]; - ++c; - counter[n] = c; - if (c) { - return; - } - } while (n); -} - static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { EVP_AES_GCM_CTX *gctx = aes_gcm_from_cipher_ctx(c); switch (type) { 
@@ -485,21 +469,19 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { if (arg < 4 || (gctx->ivlen - arg) < 8) { return 0; } - if (arg) { - OPENSSL_memcpy(gctx->iv, ptr, arg); - } + OPENSSL_memcpy(gctx->iv, ptr, arg); if (c->encrypt) { - // |RAND_bytes| calls within the fipsmodule should be wrapped with state - // lock functions to avoid updating the service indicator with the DRBG - // functions. + // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with + // state lock functions to avoid updating the service indicator with the + // DRBG functions. FIPS_service_indicator_lock_state(); - RAND_bytes(gctx->iv + arg, gctx->ivlen - arg); + BCM_rand_bytes(gctx->iv + arg, gctx->ivlen - arg); FIPS_service_indicator_unlock_state(); } gctx->iv_gen = 1; return 1; - case EVP_CTRL_GCM_IV_GEN: + case EVP_CTRL_GCM_IV_GEN: { if (gctx->iv_gen == 0 || gctx->key_set == 0) { return 0; } @@ -508,12 +490,13 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { arg = gctx->ivlen; } OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); - // Invocation field will be at least 8 bytes in size and - // so no need to check wrap around or increment more than - // last 8 bytes. - ctr64_inc(gctx->iv + gctx->ivlen - 8); + // Invocation field will be at least 8 bytes in size, so no need to check + // wrap around or increment more than last 8 bytes. + uint8_t *ctr = gctx->iv + gctx->ivlen - 8; + CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1); gctx->iv_set = 1; return 1; + } case EVP_CTRL_GCM_SET_IV_INV: if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) { 
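Review bot: The new 8-byte load/store in the EVP_CTRL_GCM_IV_GEN case reads `gctx->iv + gctx->ivlen - 8` on the strength of the comment that the invocation field is at least 8 bytes, but the only place in this diff that establishes it is the `(gctx->ivlen - arg) < 8` check in the EVP_CTRL_GCM_SET_IV_FIXED case, and nothing here stops `ivlen` from being changed after `iv_gen` has been set (an IV-length control elsewhere in aes_gcm_ctrl, outside this hunk, would have to clear `iv_gen` for the invariant to hold). A cheap guard at the top of the case makes the assumption local: `if (gctx->iv_gen == 0 || gctx->key_set == 0 || gctx->ivlen < 8) { return 0; }`. Note also that the retained bound `(gctx->ivlen - arg) < 8` only rejects `arg > ivlen` if `ivlen` is a signed type; if it were `size_t` the subtraction would wrap and the now-unconditional `OPENSSL_memcpy(gctx->iv, ptr, arg)` would overrun, so the struct declaration (outside this diff) is worth confirming. This is vendored BoringSSL, so any change belongs upstream rather than in the vendoring patch.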
@@ -1184,10 +1167,11 @@ static int aead_aes_gcm_seal_scatter_randnonce( return 0; } - // |RAND_bytes| calls within the fipsmodule should be wrapped with state lock - // functions to avoid updating the service indicator with the DRBG functions. + // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with state + // lock functions to avoid updating the service indicator with the DRBG + // functions. FIPS_service_indicator_lock_state(); - RAND_bytes(nonce, sizeof(nonce)); + BCM_rand_bytes(nonce, sizeof(nonce)); FIPS_service_indicator_unlock_state(); const struct aead_aes_gcm_ctx *gcm_ctx = diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c.inc similarity index 86% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c.inc index ab3eafd5b..0adba46db 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/e_aesccm.c.inc @@ -55,6 +55,7 @@ #include #include "../delocate.h" +#include "../modes/internal.h" #include "../service_indicator/internal.h" #include "internal.h" @@ -66,10 +67,8 @@ struct ccm128_context { }; struct ccm128_state { - union { - uint64_t u[2]; - uint8_t c[16]; - } nonce, cmac; + alignas(16) uint8_t nonce[16]; + alignas(16) uint8_t cmac[16]; }; static int CRYPTO_ccm128_init(struct ccm128_context *ctx, const AES_KEY *key, 
@@ -107,16 +106,16 @@ static int ccm128_init_state(const struct ccm128_context *ctx, // Assemble the first block for computing the MAC. OPENSSL_memset(state, 0, sizeof(*state)); - state->nonce.c[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3); + state->nonce[0] = (uint8_t)((L - 1) | ((M - 2) / 2) << 3); if (aad_len != 0) { - state->nonce.c[0] |= 0x40; // Set AAD Flag + state->nonce[0] |= 0x40; // Set AAD Flag } - OPENSSL_memcpy(&state->nonce.c[1], nonce, nonce_len); + OPENSSL_memcpy(&state->nonce[1], nonce, nonce_len); for (unsigned i = 0; i < L; i++) { - state->nonce.c[15 - i] = (uint8_t)(plaintext_len >> (8 * i)); + state->nonce[15 - i] = (uint8_t)(plaintext_len >> (8 * i)); } - (*block)(state->nonce.c, state->cmac.c, key); + (*block)(state->nonce, state->cmac, key); size_t blocks = 1; if (aad_len != 0) { 
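Review bot: `OPENSSL_memcpy(&state->nonce[1], nonce, nonce_len)` followed by the loop writing `state->nonce[15 - i]` for `i < L` only stays inside the 16-byte block, and only avoids the length bytes clobbering the tail of the nonce, when `nonce_len <= 15 - L`; nothing in this hunk checks that relationship (ccm128_init_state begins before the hunk, so the check may well live there). A local assertion would make the invariant self-evident to the next reader, e.g. `assert(nonce_len == 15 - L);` immediately before the memcpy, with the comment `// CCM: the nonce and the length field share the 15 bytes after the flags byte.`. Vendored BoringSSL, so confirm against upstream rather than patching here.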
@@ -124,38 +123,38 @@ static int ccm128_init_state(const struct ccm128_context *ctx, // Cast to u64 to avoid the compiler complaining about invalid shifts. uint64_t aad_len_u64 = aad_len; if (aad_len_u64 < 0x10000 - 0x100) { - state->cmac.c[0] ^= (uint8_t)(aad_len_u64 >> 8); - state->cmac.c[1] ^= (uint8_t)aad_len_u64; + state->cmac[0] ^= (uint8_t)(aad_len_u64 >> 8); + state->cmac[1] ^= (uint8_t)aad_len_u64; i = 2; } else if (aad_len_u64 <= 0xffffffff) { - state->cmac.c[0] ^= 0xff; - state->cmac.c[1] ^= 0xfe; - state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 24); - state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 16); - state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 8); - state->cmac.c[5] ^= (uint8_t)aad_len_u64; + state->cmac[0] ^= 0xff; + state->cmac[1] ^= 0xfe; + state->cmac[2] ^= (uint8_t)(aad_len_u64 >> 24); + state->cmac[3] ^= (uint8_t)(aad_len_u64 >> 16); + state->cmac[4] ^= (uint8_t)(aad_len_u64 >> 8); + state->cmac[5] ^= (uint8_t)aad_len_u64; i = 6; } else { - state->cmac.c[0] ^= 0xff; - state->cmac.c[1] ^= 0xff; - state->cmac.c[2] ^= (uint8_t)(aad_len_u64 >> 56); - state->cmac.c[3] ^= (uint8_t)(aad_len_u64 >> 48); - state->cmac.c[4] ^= (uint8_t)(aad_len_u64 >> 40); - state->cmac.c[5] ^= (uint8_t)(aad_len_u64 >> 32); - state->cmac.c[6] ^= (uint8_t)(aad_len_u64 >> 24); - state->cmac.c[7] ^= (uint8_t)(aad_len_u64 >> 16); - state->cmac.c[8] ^= (uint8_t)(aad_len_u64 >> 8); - state->cmac.c[9] ^= (uint8_t)aad_len_u64; + state->cmac[0] ^= 0xff; + state->cmac[1] ^= 0xff; + state->cmac[2] ^= (uint8_t)(aad_len_u64 >> 56); + state->cmac[3] ^= (uint8_t)(aad_len_u64 >> 48); + state->cmac[4] ^= (uint8_t)(aad_len_u64 >> 40); + state->cmac[5] ^= (uint8_t)(aad_len_u64 >> 32); + state->cmac[6] ^= (uint8_t)(aad_len_u64 >> 24); + state->cmac[7] ^= (uint8_t)(aad_len_u64 >> 16); + state->cmac[8] ^= (uint8_t)(aad_len_u64 >> 8); + state->cmac[9] ^= (uint8_t)aad_len_u64; i = 10; } do { for (; i < 16 && aad_len != 0; i++) { - state->cmac.c[i] ^= *aad; + state->cmac[i] ^= *aad; aad++; 
aad_len--; } - (*block)(state->cmac.c, state->cmac.c, key); + (*block)(state->cmac, state->cmac, key); blocks++; i = 0; } while (aad_len != 0); @@ -174,7 +173,7 @@ static int ccm128_init_state(const struct ccm128_context *ctx, // Assemble the first block for encrypting and decrypting. The bottom |L| // bytes are replaced with a counter and all bit the encoding of |L| is // cleared in the first byte. - state->nonce.c[0] &= 7; + state->nonce[0] &= 7; return 1; } @@ -183,17 +182,17 @@ static int ccm128_encrypt(const struct ccm128_context *ctx, uint8_t *out, const uint8_t *in, size_t len) { // The counter for encryption begins at one. for (unsigned i = 0; i < ctx->L; i++) { - state->nonce.c[15 - i] = 0; + state->nonce[15 - i] = 0; } - state->nonce.c[15] = 1; + state->nonce[15] = 1; uint8_t partial_buf[16]; unsigned num = 0; if (ctx->ctr != NULL) { - CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce.c, partial_buf, + CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, state->nonce, partial_buf, &num, ctx->ctr); } else { - CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce.c, partial_buf, &num, + CRYPTO_ctr128_encrypt(in, out, len, key, state->nonce, partial_buf, &num, ctx->block); } return 1; 
@@ -209,34 +208,28 @@ static int ccm128_compute_mac(const struct ccm128_context *ctx, } // Incorporate |in| into the MAC. - union { - uint64_t u[2]; - uint8_t c[16]; - } tmp; while (len >= 16) { - OPENSSL_memcpy(tmp.c, in, 16); - state->cmac.u[0] ^= tmp.u[0]; - state->cmac.u[1] ^= tmp.u[1]; - (*block)(state->cmac.c, state->cmac.c, key); + CRYPTO_xor16(state->cmac, state->cmac, in); + (*block)(state->cmac, state->cmac, key); in += 16; len -= 16; } if (len > 0) { for (size_t i = 0; i < len; i++) { - state->cmac.c[i] ^= in[i]; + state->cmac[i] ^= in[i]; } - (*block)(state->cmac.c, state->cmac.c, key); + (*block)(state->cmac, state->cmac, key); } // Encrypt the MAC with counter zero. for (unsigned i = 0; i < ctx->L; i++) { - state->nonce.c[15 - i] = 0; + state->nonce[15 - i] = 0; } - (*block)(state->nonce.c, tmp.c, key); - state->cmac.u[0] ^= tmp.u[0]; - state->cmac.u[1] ^= tmp.u[1]; + alignas(16) uint8_t tmp[16]; + (*block)(state->nonce, tmp, key); + CRYPTO_xor16(state->cmac, state->cmac, tmp); - OPENSSL_memcpy(out_tag, state->cmac.c, tag_len); + OPENSSL_memcpy(out_tag, state->cmac, tag_len); return 1; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/internal.h index 57a5d03c0..5190e0096 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/cipher/internal.h @@ -134,9 +134,6 @@ struct evp_cipher_st { // flags contains the OR of a number of flags. See |EVP_CIPH_*|. uint32_t flags; - // app_data is a pointer to opaque, user data. - void *app_data; - int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv, int enc); diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/cmac/cmac.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/cmac/cmac.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/cmac/cmac.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/cmac/cmac.c.inc 
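Review bot: `CRYPTO_xor16(state->cmac, state->cmac, in)` in the `while (len >= 16)` loop now hands the caller's `in` pointer straight to the helper, whereas the removed code first copied each block into a local union; the new `alignas(16)` on `cmac` and `tmp` suggests the helper may rely on 16-byte loads, and `in` carries no alignment guarantee. If `CRYPTO_xor16` (declared in modes/internal.h, outside this diff) is written with unaligned or memcpy-based loads this is fine; otherwise the loop needs a bounce buffer, and either way a one-line comment at the call site, `// |in| is not necessarily aligned; CRYPTO_xor16 must tolerate that.`, records the dependency. Separately, `tmp` holds S_0 = E(K, ctr0), the keystream block that masks the CBC-MAC, and the function returns without clearing it, so `OPENSSL_cleanse(tmp, sizeof(tmp));` before `return 1;` would avoid leaving that value on the stack (the removed code had the same gap). Vendored code, so upstream is the place to fix it.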
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/check.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/check.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/dh/check.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/dh/check.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/dh.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/dh.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/dh/dh.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/dh/dh.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/internal.h index 41730d84f..81a7a0219 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/dh/internal.h @@ -26,8 +26,6 @@ extern "C" { #endif -#define OPENSSL_DH_MAX_MODULUS_BITS 10000 - struct dh_st { BIGNUM *p; BIGNUM *g; diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digest.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digest.c.inc similarity index 96% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digest.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digest.c.inc index 14a118c4a..301862c0a 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digest.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digest.c.inc @@ -185,6 +185,10 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { void EVP_MD_CTX_move(EVP_MD_CTX *out, EVP_MD_CTX *in) { EVP_MD_CTX_cleanup(out); // While not guaranteed, |EVP_MD_CTX| is currently safe to move with |memcpy|. + // bssl-crypto currently relies on this, however, so if we change this, we + // need to box the |HMAC_CTX|. (Relying on this is only fine because we assume + // BoringSSL and bssl-crypto will always be updated atomically. We do not + // allow any version skew between the two.) OPENSSL_memcpy(out, in, sizeof(EVP_MD_CTX)); EVP_MD_CTX_init(in); } 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digests.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digests.c.inc similarity index 65% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digests.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digests.c.inc index fcc5d9e97..3f7a769d2 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digests.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/digest/digests.c.inc @@ -59,10 +59,7 @@ #include #include -#include -#include #include -#include #include "internal.h" #include "../delocate.h" 
@@ -75,69 +72,21 @@ #endif -static void md4_init(EVP_MD_CTX *ctx) { - CHECK(MD4_Init(ctx->md_data)); -} - -static void md4_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(MD4_Update(ctx->md_data, data, count)); -} - -static void md4_final(EVP_MD_CTX *ctx, uint8_t *out) { - CHECK(MD4_Final(out, ctx->md_data)); -} - -DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) { - out->type = NID_md4; - out->md_size = MD4_DIGEST_LENGTH; - out->flags = 0; - out->init = md4_init; - out->update = md4_update; - out->final = md4_final; - out->block_size = 64; - out->ctx_size = sizeof(MD4_CTX); -} - - -static void md5_init(EVP_MD_CTX *ctx) { - CHECK(MD5_Init(ctx->md_data)); -} - -static void md5_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(MD5_Update(ctx->md_data, data, count)); -} - -static void md5_final(EVP_MD_CTX *ctx, uint8_t *out) { - CHECK(MD5_Final(out, ctx->md_data)); -} - -DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md5) { - out->type = NID_md5; - out->md_size = MD5_DIGEST_LENGTH; - out->flags = 0; - out->init = md5_init; - out->update = md5_update; - out->final = md5_final; - out->block_size = 64; - out->ctx_size = sizeof(MD5_CTX); -} - - static void sha1_init(EVP_MD_CTX *ctx) { - CHECK(SHA1_Init(ctx->md_data)); + BCM_sha1_init(ctx->md_data); } static void sha1_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(SHA1_Update(ctx->md_data, data, count)); + BCM_sha1_update(ctx->md_data, data, count); } static void sha1_final(EVP_MD_CTX *ctx, uint8_t *md) { - CHECK(SHA1_Final(md, ctx->md_data)); + BCM_sha1_final(md, ctx->md_data); } DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha1) { out->type = NID_sha1; - out->md_size = SHA_DIGEST_LENGTH; + out->md_size = BCM_SHA_DIGEST_LENGTH; out->flags = 0; out->init = sha1_init; out->update = sha1_update; 
@@ -148,20 +97,20 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha1) { static void sha224_init(EVP_MD_CTX *ctx) { - CHECK(SHA224_Init(ctx->md_data)); + BCM_sha224_init(ctx->md_data); } static void sha224_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(SHA224_Update(ctx->md_data, data, count)); + BCM_sha224_update(ctx->md_data, data, count); } static void sha224_final(EVP_MD_CTX *ctx, uint8_t *md) { - CHECK(SHA224_Final(md, ctx->md_data)); + BCM_sha224_final(md, ctx->md_data); } DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha224) { out->type = NID_sha224; - out->md_size = SHA224_DIGEST_LENGTH; + out->md_size = BCM_SHA224_DIGEST_LENGTH; out->flags = 0; out->init = sha224_init; out->update = sha224_update; @@ -172,20 +121,20 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha224) { static void sha256_init(EVP_MD_CTX *ctx) { - CHECK(SHA256_Init(ctx->md_data)); + BCM_sha256_init(ctx->md_data); } static void sha256_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(SHA256_Update(ctx->md_data, data, count)); + BCM_sha256_update(ctx->md_data, data, count); } static void sha256_final(EVP_MD_CTX *ctx, uint8_t *md) { - CHECK(SHA256_Final(md, ctx->md_data)); + BCM_sha256_final(md, ctx->md_data); } DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha256) { out->type = NID_sha256; - out->md_size = SHA256_DIGEST_LENGTH; + out->md_size = BCM_SHA256_DIGEST_LENGTH; out->flags = 0; out->init = sha256_init; out->update = sha256_update; 
@@ -196,20 +145,20 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha256) { static void sha384_init(EVP_MD_CTX *ctx) { - CHECK(SHA384_Init(ctx->md_data)); + BCM_sha384_init(ctx->md_data); } static void sha384_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(SHA384_Update(ctx->md_data, data, count)); + BCM_sha384_update(ctx->md_data, data, count); } static void sha384_final(EVP_MD_CTX *ctx, uint8_t *md) { - CHECK(SHA384_Final(md, ctx->md_data)); + BCM_sha384_final(md, ctx->md_data); } DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha384) { out->type = NID_sha384; - out->md_size = SHA384_DIGEST_LENGTH; + out->md_size = BCM_SHA384_DIGEST_LENGTH; out->flags = 0; out->init = sha384_init; out->update = sha384_update; @@ -220,20 +169,20 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha384) { static void sha512_init(EVP_MD_CTX *ctx) { - CHECK(SHA512_Init(ctx->md_data)); + BCM_sha512_init(ctx->md_data); } static void sha512_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(SHA512_Update(ctx->md_data, data, count)); + BCM_sha512_update(ctx->md_data, data, count); } static void sha512_final(EVP_MD_CTX *ctx, uint8_t *md) { - CHECK(SHA512_Final(md, ctx->md_data)); + BCM_sha512_final(md, ctx->md_data); } DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512) { out->type = NID_sha512; - out->md_size = SHA512_DIGEST_LENGTH; + out->md_size = BCM_SHA512_DIGEST_LENGTH; out->flags = 0; out->init = sha512_init; out->update = sha512_update; 
@@ -244,20 +193,20 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512) { static void sha512_256_init(EVP_MD_CTX *ctx) { - CHECK(SHA512_256_Init(ctx->md_data)); + BCM_sha512_256_init(ctx->md_data); } static void sha512_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) { - CHECK(SHA512_256_Update(ctx->md_data, data, count)); + BCM_sha512_256_update(ctx->md_data, data, count); } static void sha512_256_final(EVP_MD_CTX *ctx, uint8_t *md) { - CHECK(SHA512_256_Final(md, ctx->md_data)); + BCM_sha512_256_final(md, ctx->md_data); } DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) { out->type = NID_sha512_256; - out->md_size = SHA512_256_DIGEST_LENGTH; + out->md_size = BCM_SHA512_256_DIGEST_LENGTH; out->flags = 0; out->init = sha512_256_init; out->update = sha512_256_update; @@ -266,39 +215,4 @@ DEFINE_METHOD_FUNCTION(EVP_MD, EVP_sha512_256) { out->ctx_size = sizeof(SHA512_CTX); } - -typedef struct { - MD5_CTX md5; - SHA_CTX sha1; -} MD5_SHA1_CTX; - -static void md5_sha1_init(EVP_MD_CTX *md_ctx) { - MD5_SHA1_CTX *ctx = md_ctx->md_data; - CHECK(MD5_Init(&ctx->md5) && SHA1_Init(&ctx->sha1)); -} - -static void md5_sha1_update(EVP_MD_CTX *md_ctx, const void *data, - size_t count) { - MD5_SHA1_CTX *ctx = md_ctx->md_data; - CHECK(MD5_Update(&ctx->md5, data, count) && - SHA1_Update(&ctx->sha1, data, count)); -} - -static void md5_sha1_final(EVP_MD_CTX *md_ctx, uint8_t *out) { - MD5_SHA1_CTX *ctx = md_ctx->md_data; - CHECK(MD5_Final(out, &ctx->md5) && - SHA1_Final(out + MD5_DIGEST_LENGTH, &ctx->sha1)); -} - -DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md5_sha1) { - out->type = NID_md5_sha1; - out->md_size = MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH; - out->flags = 0; - out->init = md5_sha1_init; - out->update = md5_sha1_update; - out->final = md5_sha1_final; - out->block_size = 64; - out->ctx_size = sizeof(MD5_SHA1_CTX); -} - #undef CHECK 
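Review bot: With every `CHECK(...)` wrapper in this file replaced by the `BCM_sha*` calls across the preceding hunks, the trailing `#undef CHECK` left as context at the end of the last hunk undoes a macro that, as far as this diff shows, no longer has any users; the `#define CHECK` itself is outside the visible hunks, so if nothing else in the file references it the define/undef pair is dead and should be dropped together. The `BCM_sha*_init`/`_update`/`_final` calls appear to return void (their results are no longer wrapped), so dropping the wrapper does not leave any failure unchecked. Vendored code, so the cleanup belongs upstream.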
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/digestsign/digestsign.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/digestsign/digestsign.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/digestsign/digestsign.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/digestsign/digestsign.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_key.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_key.c.inc similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_key.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_key.c.inc index 54140dd19..bf85c508e 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_key.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_key.c.inc @@ -79,6 +79,7 @@ #include "internal.h" #include "../delocate.h" +#include "../ecdsa/internal.h" #include "../service_indicator/internal.h" #include "../../internal.h" @@ -163,12 +164,12 @@ void EC_KEY_free(EC_KEY *r) { METHOD_unref(r->ecdsa_meth); } + CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data); + EC_GROUP_free(r->group); EC_POINT_free(r->pub_key); ec_wrapped_scalar_free(r->priv_key); - CRYPTO_free_ex_data(g_ec_ex_data_class_bss_get(), r, &r->ex_data); - OPENSSL_free(r); } 
@@ -242,7 +243,10 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) { return 0; } if (!ec_bignum_to_scalar(key->group, &scalar->scalar, priv_key) || - ec_scalar_is_zero(key->group, &scalar->scalar)) { + // Zero is not a valid private key, so it is safe to leak the result of + // this comparison. + constant_time_declassify_int( + ec_scalar_is_zero(key->group, &scalar->scalar))) { OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY); ec_wrapped_scalar_free(scalar); return 0; @@ -314,8 +318,10 @@ int EC_KEY_check_key(const EC_KEY *eckey) { OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); return 0; } - if (!ec_GFp_simple_points_equal(eckey->group, &point, - &eckey->pub_key->raw)) { + // Leaking this comparison only leaks whether |eckey|'s public key was + // correct. + if (!constant_time_declassify_int(ec_GFp_simple_points_equal( + eckey->group, &point, &eckey->pub_key->raw))) { OPENSSL_PUT_ERROR(EC, EC_R_INVALID_PRIVATE_KEY); return 0; } @@ -339,15 +345,17 @@ int EC_KEY_check_fips(const EC_KEY *key) { } if (key->priv_key) { - uint8_t data[16] = {0}; - ECDSA_SIG *sig = ECDSA_do_sign(data, sizeof(data), key); + uint8_t digest[BCM_SHA256_DIGEST_LENGTH] = {0}; + uint8_t sig[ECDSA_MAX_FIXED_LEN]; + size_t sig_len; + if (!ecdsa_sign_fixed(digest, sizeof(digest), sig, &sig_len, sizeof(sig), + key)) { + goto end; + } if (boringssl_fips_break_test("ECDSA_PWCT")) { - data[0] = ~data[0]; + digest[0] = ~digest[0]; } - int ok = sig != NULL && - ECDSA_do_verify(data, sizeof(data), sig, key); - ECDSA_SIG_free(sig); - if (!ok) { + if (!ecdsa_verify_fixed(digest, sizeof(digest), sig, sig_len, key)) { OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED); goto end; } 
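Review bot: In the EC_KEY_check_fips hunk, a failure of `ecdsa_sign_fixed` now jumps straight to `end` without pushing `EC_R_PUBLIC_KEY_VALIDATION_FAILED`, whereas the removed code folded `sig != NULL` into `ok` and so reported that error for a signing failure as well. A caller of the pairwise consistency test therefore only sees whatever the signing path queued, and as far as the ecdsa.c.inc hunks on this page show, the nonce-generation failure path queues nothing; consider `OPENSSL_PUT_ERROR(EC, EC_R_PUBLIC_KEY_VALIDATION_FAILED);` before that first `goto end;` to keep the old reporting. The `end:` label is outside the hunk, so whether it returns 0 on this path cannot be confirmed here.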
@@ -500,6 +508,14 @@ int EC_KEY_generate_key(EC_KEY *key) { return 0; } + // The public key is derived from the private key, but it is public. + // + // TODO(crbug.com/boringssl/677): This isn't quite right. While |pub_key| + // represents a public point, it is still in Jacobian form and the exact + // Jacobian representation is secret. We need to make it affine first. See + // discussion in the bug. + CONSTTIME_DECLASSIFY(&pub_key->raw, sizeof(pub_key->raw)); + ec_wrapped_scalar_free(key->priv_key); key->priv_key = priv_key; EC_POINT_free(key->pub_key); @@ -508,6 +524,11 @@ int EC_KEY_generate_key(EC_KEY *key) { } int EC_KEY_generate_key_fips(EC_KEY *eckey) { + if (eckey == NULL || eckey->group == NULL) { + OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + boringssl_ensure_ecc_self_test(); if (EC_KEY_generate_key(eckey) && EC_KEY_check_fips(eckey)) { @@ -524,12 +545,8 @@ int EC_KEY_generate_key_fips(EC_KEY *eckey) { int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - int index; - if (!CRYPTO_get_ex_new_index(g_ec_ex_data_class_bss_get(), &index, argl, argp, - free_func)) { - return -1; - } - return index; + return CRYPTO_get_ex_new_index_ex(g_ec_ex_data_class_bss_get(), argl, argp, + free_func); } int EC_KEY_set_ex_data(EC_KEY *d, int idx, void *arg) { diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/ec_montgomery.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/felem.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/felem.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/felem.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/felem.c.inc 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/oct.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/oct.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/oct.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/oct.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p224-64.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p224-64.c.inc similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p224-64.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p224-64.c.inc index 007d93080..f1003bce1 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p224-64.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p224-64.c.inc @@ -24,6 +24,7 @@ #include #include +#include #include #include "internal.h" @@ -836,12 +837,12 @@ static void p224_select_point(const uint64_t idx, size_t size, for (size_t i = 0; i < size; i++) { const p224_limb *inlimbs = &pre_comp[i][0][0]; - uint64_t mask = i ^ idx; - mask |= mask >> 4; - mask |= mask >> 2; - mask |= mask >> 1; - mask &= 1; - mask--; + static_assert(sizeof(uint64_t) <= sizeof(crypto_word_t), + "crypto_word_t too small"); + static_assert(sizeof(size_t) <= sizeof(crypto_word_t), + "crypto_word_t too small"); + // Without a value barrier, Clang adds a branch here. + uint64_t mask = value_barrier_w(constant_time_eq_w(i, idx)); for (size_t j = 0; j < 4 * 3; j++) { outlimbs[j] |= inlimbs[j] & mask; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.c.inc similarity index 85% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.c.inc index 75a32e769..c0daccd67 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.c.inc 
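Review bot: The two `static_assert`s in the p224_select_point hunk sit inside the loop body, between the `inlimbs` declaration and the mask computation, although they are compile-time checks that depend on no loop variable. Moving them above the `for` (or to file scope beside other `crypto_word_t` assumptions) keeps the loop body to the constant-time select itself and makes the width assumption easier to find when auditing. The mask derivation via `value_barrier_w(constant_time_eq_w(i, idx))` is fine as written; the function's signature is outside the hunk.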
@@ -39,7 +39,7 @@ typedef P256_POINT_AFFINE PRECOMP256_ROW[64]; // One converted into the Montgomery domain -static const BN_ULONG ONE[P256_LIMBS] = { +static const BN_ULONG ONE_MONT[P256_LIMBS] = { TOBN(0x00000000, 0x00000001), TOBN(0xffffffff, 0x00000000), TOBN(0xffffffff, 0xffffffff), TOBN(0x00000000, 0xfffffffe), }; 
@@ -116,6 +116,103 @@ static BN_ULONG is_not_zero(BN_ULONG in) { return in; } +#if defined(OPENSSL_X86_64) +// Dispatch between CPU variations. The "_adx" suffixed functions use MULX in +// addition to ADCX/ADOX. MULX is part of BMI2, not ADX, so we must check both +// capabilities. +static void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + const BN_ULONG b[P256_LIMBS]) { + if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { + ecp_nistz256_mul_mont_adx(res, a, b); + } else { + ecp_nistz256_mul_mont_nohw(res, a, b); + } +} + +static void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS]) { + if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { + ecp_nistz256_sqr_mont_adx(res, a); + } else { + ecp_nistz256_sqr_mont_nohw(res, a); + } +} + +static void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + const BN_ULONG b[P256_LIMBS]) { + if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { + ecp_nistz256_ord_mul_mont_adx(res, a, b); + } else { + ecp_nistz256_ord_mul_mont_nohw(res, a, b); + } +} + +static void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + BN_ULONG rep) { + if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { + ecp_nistz256_ord_sqr_mont_adx(res, a, rep); + } else { + ecp_nistz256_ord_sqr_mont_nohw(res, a, rep); + } +} + +static void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16], + int index) { + if (CRYPTO_is_AVX2_capable()) { + ecp_nistz256_select_w5_avx2(val, in_t, index); + } else { + ecp_nistz256_select_w5_nohw(val, in_t, index); + } +} + +static void ecp_nistz256_select_w7(P256_POINT_AFFINE *val, + const P256_POINT_AFFINE in_t[64], + int index) { + if (CRYPTO_is_AVX2_capable()) { + ecp_nistz256_select_w7_avx2(val, in_t, index); + } else { + ecp_nistz256_select_w7_nohw(val, in_t, index); + } +} + +static void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a) 
{ + if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { + ecp_nistz256_point_double_adx(r, a); + } else { + ecp_nistz256_point_double_nohw(r, a); + } +} + +static void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a, + const P256_POINT *b) { + if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { + ecp_nistz256_point_add_adx(r, a, b); + } else { + ecp_nistz256_point_add_nohw(r, a, b); + } +} + +static void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a, + const P256_POINT_AFFINE *b) { + if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { + ecp_nistz256_point_add_affine_adx(r, a, b); + } else { + ecp_nistz256_point_add_affine_nohw(r, a, b); + } +} +#endif // OPENSSL_X86_64 + +// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain +// by multiplying with 1. +static void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS], + const BN_ULONG in[P256_LIMBS]) { + static const BN_ULONG ONE[P256_LIMBS] = {1}; + ecp_nistz256_mul_mont(res, in, ONE); +} + // ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod // p. That is, |r| is the modular inverse square of |in| for input and output in // the Montgomery domain. @@ -328,12 +425,12 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, copy_conditional(t.Y, p.Z, wvalue & 1); // Convert |t| from affine to Jacobian coordinates. We set Z to zero if |t| - // is infinity and |ONE| otherwise. |t| was computed from the table, so it - // is infinity iff |wvalue >> 1| is zero. + // is infinity and |ONE_MONT| otherwise. |t| was computed from the table, so + // it is infinity iff |wvalue >> 1| is zero. OPENSSL_memcpy(p.X, t.X, sizeof(p.X)); OPENSSL_memcpy(p.Y, t.Y, sizeof(p.Y)); OPENSSL_memset(p.Z, 0, sizeof(p.Z)); - copy_conditional(p.Z, ONE, is_not_zero(wvalue >> 1)); + copy_conditional(p.Z, ONE_MONT, is_not_zero(wvalue >> 1)); for (int i = 1; i < 37; i++) { wvalue = calc_wvalue(&index, p_str); 
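Review bot: Seven of the new x86-64 dispatch wrappers in the `#if defined(OPENSSL_X86_64)` block repeat the predicate `CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()`, and the comment explaining that MULX belongs to BMI2 rather than ADX is attached only to the first of them. Factoring the predicate into one helper, `static int ecp_nistz256_use_adx(void) { return CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable(); }`, with that comment on the helper, leaves a single place to audit for the hazard of calling an `_adx` routine on a CPU that lacks MULX. The `select_w5`/`select_w7` wrappers keyed on `CRYPTO_is_AVX2_capable()` would stay as they are.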
@@ -372,14 +469,14 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group, size_t wvalue = calc_first_wvalue(&index, p_str); // Convert |p| from affine to Jacobian coordinates. We set Z to zero if |p| - // is infinity and |ONE| otherwise. |p| was computed from the table, so it - // is infinity iff |wvalue >> 1| is zero. + // is infinity and |ONE_MONT| otherwise. |p| was computed from the table, so + // it is infinity iff |wvalue >> 1| is zero. if ((wvalue >> 1) != 0) { OPENSSL_memcpy(p.X, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].X, sizeof(p.X)); OPENSSL_memcpy(p.Y, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].Y, sizeof(p.Y)); - OPENSSL_memcpy(p.Z, ONE, sizeof(p.Z)); + OPENSSL_memcpy(p.Z, ONE_MONT, sizeof(p.Z)); } else { OPENSSL_memset(p.X, 0, sizeof(p.X)); OPENSSL_memset(p.Y, 0, sizeof(p.Y)); diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.h index e61d18fe9..1c542b0ba 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256-nistz.h 
@@ -48,21 +48,29 @@ extern "C" { void ecp_nistz256_neg(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]); // ecp_nistz256_mul_mont sets |res| to |a| * |b| * 2^-256 mod P. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_mul_mont_nohw(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + const BN_ULONG b[P256_LIMBS]); +void ecp_nistz256_mul_mont_adx(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + const BN_ULONG b[P256_LIMBS]); +#else void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS], const BN_ULONG b[P256_LIMBS]); +#endif // ecp_nistz256_sqr_mont sets |res| to |a| * |a| * 2^-256 mod P. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_sqr_mont_nohw(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS]); +void ecp_nistz256_sqr_mont_adx(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS]); +#else void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]); - -// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain -// by multiplying with 1. -static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG in[P256_LIMBS]) { - static const BN_ULONG ONE[P256_LIMBS] = { 1 }; - ecp_nistz256_mul_mont(res, in, ONE); -} +#endif // P-256 scalar operations. 
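Review bot: The header comments above the new `#if defined(OPENSSL_X86_64)` blocks (`// ecp_nistz256_mul_mont sets |res| to ...`) still describe a single `ecp_nistz256_mul_mont`, which on x86-64 this header no longer declares; nothing tells a reader that the `_adx` variant may only be called when `CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()` holds and that callers must dispatch themselves. The same gap is in the ord_mul/ord_sqr hunk and the select/point_double/point_add hunk that follow. A short comment after the first `#if`, such as `// On x86-64 the _adx variants require BMI2 (MULX) and ADX; callers dispatch via the wrappers in p256-nistz.c.inc.`, would document the contract once.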
@@ -72,15 +80,31 @@ static inline void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS], // ecp_nistz256_ord_mul_mont sets |res| to |a| * |b| where inputs and outputs // are in Montgomery form. That is, |res| is |a| * |b| * 2^-256 mod N. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_ord_mul_mont_nohw(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + const BN_ULONG b[P256_LIMBS]); +void ecp_nistz256_ord_mul_mont_adx(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + const BN_ULONG b[P256_LIMBS]); +#else void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS], const BN_ULONG b[P256_LIMBS]); +#endif // ecp_nistz256_ord_sqr_mont sets |res| to |a|^(2*|rep|) where inputs and // outputs are in Montgomery form. That is, |res| is // (|a| * 2^-256)^(2*|rep|) * 2^256 mod N. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_ord_sqr_mont_nohw(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], BN_ULONG rep); +void ecp_nistz256_ord_sqr_mont_adx(BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], BN_ULONG rep); +#else void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS], BN_ULONG rep); +#endif // beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm. // Assumption: 0 < a < p < 2^(256) and p is odd. 
@@ -111,27 +135,60 @@ typedef struct { // ecp_nistz256_select_w5 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 16 // and all zeros (the point at infinity) if |index| is 0. This is done in // constant time. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_select_w5_nohw(P256_POINT *val, const P256_POINT in_t[16], + int index); +void ecp_nistz256_select_w5_avx2(P256_POINT *val, const P256_POINT in_t[16], + int index); +#else void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16], int index); +#endif // ecp_nistz256_select_w7 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 64 // and all zeros (the point at infinity) if |index| is 0. This is done in // constant time. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_select_w7_nohw(P256_POINT_AFFINE *val, + const P256_POINT_AFFINE in_t[64], int index); +void ecp_nistz256_select_w7_avx2(P256_POINT_AFFINE *val, + const P256_POINT_AFFINE in_t[64], int index); +#else void ecp_nistz256_select_w7(P256_POINT_AFFINE *val, const P256_POINT_AFFINE in_t[64], int index); +#endif // ecp_nistz256_point_double sets |r| to |a| doubled. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_point_double_nohw(P256_POINT *r, const P256_POINT *a); +void ecp_nistz256_point_double_adx(P256_POINT *r, const P256_POINT *a); +#else void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a); +#endif // ecp_nistz256_point_add adds |a| to |b| and places the result in |r|. +#if defined(OPENSSL_X86_64) +void ecp_nistz256_point_add_nohw(P256_POINT *r, const P256_POINT *a, + const P256_POINT *b); +void ecp_nistz256_point_add_adx(P256_POINT *r, const P256_POINT *a, + const P256_POINT *b); +#else void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a, const P256_POINT *b); +#endif // ecp_nistz256_point_add_affine adds |a| to |b| and places the result in // |r|. |a| and |b| must not represent the same point unless they are both // infinity. 
+#if defined(OPENSSL_X86_64) +void ecp_nistz256_point_add_affine_adx(P256_POINT *r, const P256_POINT *a, + const P256_POINT_AFFINE *b); +void ecp_nistz256_point_add_affine_nohw(P256_POINT *r, const P256_POINT *a, + const P256_POINT_AFFINE *b); +#else void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a, const P256_POINT_AFFINE *b); +#endif #endif /* !defined(OPENSSL_NO_ASM) && \ (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/p256.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/scalar.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/scalar.c.inc similarity index 95% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/scalar.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/scalar.c.inc index 67d20c165..2ade3b143 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/scalar.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/scalar.c.inc @@ -23,8 +23,12 @@ int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, const BIGNUM *in) { + // Scalars, which are often secret, must be reduced modulo the order. Those + // that are not will be discarded, so leaking the result of the comparison is + // safe. if (!bn_copy_words(out->words, group->order.N.width, in) || - !bn_less_than_words(out->words, group->order.N.d, group->order.N.width)) { + !constant_time_declassify_int(bn_less_than_words( + out->words, group->order.N.d, group->order.N.width))) { OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); return 0; } 
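Review bot: In the point_add_affine block at the end of the select/point hunk, the `_adx` prototype is declared before the `_nohw` one, while every other `#if defined(OPENSSL_X86_64)` block in this header declares `_nohw` first. Swapping the two declarations keeps the pattern uniform, so a reader scanning for the fallback variant finds it in the same place each time.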
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple_mul.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple_mul.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple_mul.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/simple_mul.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/util.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/util.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/util.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/util.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/wnaf.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ec/wnaf.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ec/wnaf.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ec/wnaf.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/ecdh.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/ecdh.c.inc similarity index 90% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/ecdh.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/ecdh.c.inc index 17cb416ea..8b0c750cb 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/ecdh.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdh/ecdh.c.inc @@ -72,7 +72,6 @@ #include #include #include -#include #include "../../internal.h" #include "../ec/internal.h" 
@@ -105,18 +104,28 @@ int ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key, } FIPS_service_indicator_lock_state(); + SHA256_CTX ctx; + SHA512_CTX ctx_512; switch (out_len) { case SHA224_DIGEST_LENGTH: - SHA224(buf, buflen, out); + BCM_sha224_init(&ctx); + BCM_sha224_update(&ctx, buf, buflen); + BCM_sha224_final(out, &ctx); break; case SHA256_DIGEST_LENGTH: - SHA256(buf, buflen, out); + BCM_sha256_init(&ctx); + BCM_sha256_update(&ctx, buf, buflen); + BCM_sha256_final(out, &ctx); break; case SHA384_DIGEST_LENGTH: - SHA384(buf, buflen, out); + BCM_sha384_init(&ctx_512); + BCM_sha384_update(&ctx_512, buf, buflen); + BCM_sha384_final(out, &ctx_512); break; case SHA512_DIGEST_LENGTH: - SHA512(buf, buflen, out); + BCM_sha512_init(&ctx_512); + BCM_sha512_update(&ctx_512, buf, buflen); + BCM_sha512_final(out, &ctx_512); break; default: OPENSSL_PUT_ERROR(ECDH, ECDH_R_UNKNOWN_DIGEST_LENGTH); diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c.inc similarity index 71% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c.inc index 4266d3ebb..98ff37ef7 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c.inc @@ -58,7 +58,6 @@ #include #include #include -#include #include "../../internal.h" #include "../bn/internal.h" 
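Review bot: The new `SHA256_CTX ctx` and `SHA512_CTX ctx_512` locals in ECDH_compute_key_fips hold hash state derived from the shared-secret buffer `buf`, and nothing in the hunk clears them after the `BCM_*_final` call; as far as I recall, the removed one-shot `SHA256()`/`SHA512()` wrappers cleansed their internal context before returning, so this slightly lengthens how long secret-derived state survives on the stack. Adding `OPENSSL_cleanse(&ctx, sizeof(ctx));` and `OPENSSL_cleanse(&ctx_512, sizeof(ctx_512));` after the `switch`, on every path including the `default` error path, restores that. Whether `buf` itself is cleansed later cannot be seen here; the rest of the function is outside the hunk.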
@@ -95,61 +94,9 @@ static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out, order->width); } -ECDSA_SIG *ECDSA_SIG_new(void) { - ECDSA_SIG *sig = OPENSSL_malloc(sizeof(ECDSA_SIG)); - if (sig == NULL) { - return NULL; - } - sig->r = BN_new(); - sig->s = BN_new(); - if (sig->r == NULL || sig->s == NULL) { - ECDSA_SIG_free(sig); - return NULL; - } - return sig; -} - -void ECDSA_SIG_free(ECDSA_SIG *sig) { - if (sig == NULL) { - return; - } - - BN_free(sig->r); - BN_free(sig->s); - OPENSSL_free(sig); -} - -const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig) { - return sig->r; -} - -const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig) { - return sig->s; -} - -void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r, - const BIGNUM **out_s) { - if (out_r != NULL) { - *out_r = sig->r; - } - if (out_s != NULL) { - *out_s = sig->s; - } -} - -int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { - if (r == NULL || s == NULL) { - return 0; - } - BN_free(sig->r); - BN_free(sig->s); - sig->r = r; - sig->s = s; - return 1; -} - -int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len, - const ECDSA_SIG *sig, const EC_KEY *eckey) { +int ecdsa_verify_fixed_no_self_test(const uint8_t *digest, size_t digest_len, + const uint8_t *sig, size_t sig_len, + const EC_KEY *eckey) { const EC_GROUP *group = EC_KEY_get0_group(eckey); const EC_POINT *pub_key = EC_KEY_get0_public_key(eckey); if (group == NULL || pub_key == NULL || sig == NULL) { 
@@ -157,11 +104,13 @@ int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len, return 0; } + size_t scalar_len = BN_num_bytes(EC_GROUP_get0_order(group)); EC_SCALAR r, s, u1, u2, s_inv_mont, m; - if (BN_is_zero(sig->r) || - !ec_bignum_to_scalar(group, &r, sig->r) || - BN_is_zero(sig->s) || - !ec_bignum_to_scalar(group, &s, sig->s)) { + if (sig_len != 2 * scalar_len || + !ec_scalar_from_bytes(group, &r, sig, scalar_len) || + ec_scalar_is_zero(group, &r) || + !ec_scalar_from_bytes(group, &s, sig + scalar_len, scalar_len) || + ec_scalar_is_zero(group, &s)) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_BAD_SIGNATURE); return 0; } 
@@ -195,24 +144,31 @@ int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len, return 1; } -int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, - const ECDSA_SIG *sig, const EC_KEY *eckey) { +int ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len, + const uint8_t *sig, size_t sig_len, const EC_KEY *key) { boringssl_ensure_ecc_self_test(); - return ecdsa_do_verify_no_self_test(digest, digest_len, sig, eckey); + return ecdsa_verify_fixed_no_self_test(digest, digest_len, sig, sig_len, key); } -static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, - const EC_SCALAR *priv_key, const EC_SCALAR *k, - const uint8_t *digest, size_t digest_len) { +static int ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, uint8_t *sig, + size_t *out_sig_len, size_t max_sig_len, + const EC_SCALAR *priv_key, const EC_SCALAR *k, + const uint8_t *digest, size_t digest_len) { *out_retry = 0; // Check that the size of the group order is FIPS compliant (FIPS 186-4 // B.5.2). const BIGNUM *order = EC_GROUP_get0_order(group); if (BN_num_bits(order) < 160) { - OPENSSL_PUT_ERROR(ECDSA, EC_R_INVALID_GROUP_ORDER); - return NULL; + OPENSSL_PUT_ERROR(EC, EC_R_INVALID_GROUP_ORDER); + return 0; + } + + size_t sig_len = 2 * BN_num_bytes(order); + if (sig_len > max_sig_len) { + OPENSSL_PUT_ERROR(EC, EC_R_BUFFER_TOO_SMALL); + return 0; } // Compute r, the x-coordinate of k * generator. @@ -220,12 +176,12 @@ static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, EC_SCALAR r; if (!ec_point_mul_scalar_base(group, &tmp_point, k) || !ec_get_x_coordinate_as_scalar(group, &r, &tmp_point)) { - return NULL; + return 0; } if (constant_time_declassify_int(ec_scalar_is_zero(group, &r))) { *out_retry = 1; - return NULL; + return 0; } // s = priv_key * r. Note if only one parameter is in the Montgomery domain, 
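Review bot: The new `sig`/`out_sig_len`/`max_sig_len` contract of `ecdsa_sign_impl` is undocumented in this hunk: the function writes `2 * BN_num_bytes(order)` bytes into `sig`, fails with `EC_R_BUFFER_TOO_SMALL` when that exceeds `max_sig_len`, sets `*out_sig_len` only on success (visible in the following hunk), and its `*out_retry = 1` paths return 0 without queuing any error. A header comment above the definition stating those four facts would keep the caller loop in ecdsa_sign_fixed honest about when `*out_sig_len` may be read. The function's body continues past this hunk.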
@@ -252,100 +208,87 @@ static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, ec_scalar_mul_montgomery(group, &s, &s, &tmp); if (constant_time_declassify_int(ec_scalar_is_zero(group, &s))) { *out_retry = 1; - return NULL; + return 0; } CONSTTIME_DECLASSIFY(r.words, sizeof(r.words)); CONSTTIME_DECLASSIFY(s.words, sizeof(r.words)); - ECDSA_SIG *ret = ECDSA_SIG_new(); - if (ret == NULL || // - !bn_set_words(ret->r, r.words, order->width) || - !bn_set_words(ret->s, s.words, order->width)) { - ECDSA_SIG_free(ret); - return NULL; - } - return ret; + size_t len; + ec_scalar_to_bytes(group, sig, &len, &r); + assert(len == sig_len / 2); + ec_scalar_to_bytes(group, sig + len, &len, &s); + assert(len == sig_len / 2); + *out_sig_len = sig_len; + return 1; } -ECDSA_SIG *ecdsa_sign_with_nonce_for_known_answer_test(const uint8_t *digest, - size_t digest_len, - const EC_KEY *eckey, - const uint8_t *nonce, - size_t nonce_len) { +int ecdsa_sign_fixed_with_nonce_for_known_answer_test( + const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len, + size_t max_sig_len, const EC_KEY *eckey, const uint8_t *nonce, + size_t nonce_len) { if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED); - return NULL; + return 0; } const EC_GROUP *group = EC_KEY_get0_group(eckey); if (group == NULL || eckey->priv_key == NULL) { OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER); - return NULL; + return 0; } const EC_SCALAR *priv_key = &eckey->priv_key->scalar; EC_SCALAR k; if (!ec_scalar_from_bytes(group, &k, nonce, nonce_len)) { - return NULL; + return 0; } int retry_ignored; - return ecdsa_sign_impl(group, &retry_ignored, priv_key, &k, digest, - digest_len); -} - -// This function is only exported for testing and is not called in production -// code. 
-ECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing( - const uint8_t *digest, size_t digest_len, const EC_KEY *eckey, - const uint8_t *nonce, size_t nonce_len) { - boringssl_ensure_ecc_self_test(); - - return ecdsa_sign_with_nonce_for_known_answer_test(digest, digest_len, eckey, - nonce, nonce_len); + return ecdsa_sign_impl(group, &retry_ignored, sig, out_sig_len, max_sig_len, + priv_key, &k, digest, digest_len); } -ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len, - const EC_KEY *eckey) { +int ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, uint8_t *sig, + size_t *out_sig_len, size_t max_sig_len, + const EC_KEY *eckey) { boringssl_ensure_ecc_self_test(); if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED); - return NULL; + return 0; } const EC_GROUP *group = EC_KEY_get0_group(eckey); if (group == NULL || eckey->priv_key == NULL) { OPENSSL_PUT_ERROR(ECDSA, ERR_R_PASSED_NULL_PARAMETER); - return NULL; + return 0; } const BIGNUM *order = EC_GROUP_get0_order(group); const EC_SCALAR *priv_key = &eckey->priv_key->scalar; // Pass a SHA512 hash of the private key and digest as additional data // into the RBG. This is a hardening measure against entropy failure. 
- static_assert(SHA512_DIGEST_LENGTH >= 32, + static_assert(BCM_SHA512_DIGEST_LENGTH >= 32, "additional_data is too large for SHA-512"); FIPS_service_indicator_lock_state(); SHA512_CTX sha; - uint8_t additional_data[SHA512_DIGEST_LENGTH]; - SHA512_Init(&sha); - SHA512_Update(&sha, priv_key->words, order->width * sizeof(BN_ULONG)); - SHA512_Update(&sha, digest, digest_len); - SHA512_Final(additional_data, &sha); + uint8_t additional_data[BCM_SHA512_DIGEST_LENGTH]; + BCM_sha512_init(&sha); + BCM_sha512_update(&sha, priv_key->words, order->width * sizeof(BN_ULONG)); + BCM_sha512_update(&sha, digest, digest_len); + BCM_sha512_final(additional_data, &sha); // Cap iterations so callers who supply invalid values as custom groups do not // infinite loop. This does not impact valid parameters (e.g. those covered by // FIPS) because the probability of requiring even one retry is negligible, // let alone 32. static const int kMaxIterations = 32; - ECDSA_SIG *ret = NULL; + int ret = 0; int iters = 0; for (;;) { EC_SCALAR k; if (!ec_random_nonzero_scalar(group, &k, additional_data)) { - ret = NULL; goto out; } @@ -354,8 +297,9 @@ ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len, CONSTTIME_SECRET(k.words, sizeof(k.words)); int retry; - ret = ecdsa_sign_impl(group, &retry, priv_key, &k, digest, digest_len); - if (ret != NULL || !retry) { + ret = ecdsa_sign_impl(group, &retry, sig, out_sig_len, max_sig_len, + priv_key, &k, digest, digest_len); + if (ret || !retry) { goto out; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/internal.h index 58d100103..e0169f4c7 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/ecdsa/internal.h 
@@ -17,25 +17,42 @@ #include +#include "../ec/internal.h" + #if defined(__cplusplus) extern "C" { #endif -// ecdsa_sign_with_nonce_for_known_answer_test behaves like |ECDSA_do_sign| but -// takes a fixed nonce. This function is used as part of known-answer tests in -// the FIPS module. -ECDSA_SIG *ecdsa_sign_with_nonce_for_known_answer_test(const uint8_t *digest, - size_t digest_len, - const EC_KEY *eckey, - const uint8_t *nonce, - size_t nonce_len); +// ECDSA_MAX_FIXED_LEN is the maximum length of an ECDSA signature in the +// fixed-width, big-endian format from IEEE P1363. +#define ECDSA_MAX_FIXED_LEN (2 * EC_MAX_BYTES) + +// ecdsa_sign_fixed behaves like |ECDSA_sign| but uses the fixed-width, +// big-endian format from IEEE P1363. +int ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, uint8_t *sig, + size_t *out_sig_len, size_t max_sig_len, + const EC_KEY *key); + +// ecdsa_sign_fixed_with_nonce_for_known_answer_test behaves like +// |ecdsa_sign_fixed| but takes a caller-supplied nonce. This function is used +// as part of known-answer tests in the FIPS module. +int ecdsa_sign_fixed_with_nonce_for_known_answer_test( + const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len, + size_t max_sig_len, const EC_KEY *key, const uint8_t *nonce, + size_t nonce_len); + +// ecdsa_verify_fixed behaves like |ECDSA_verify| but uses the fixed-width, +// big-endian format from IEEE P1363. +int ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len, + const uint8_t *sig, size_t sig_len, const EC_KEY *key); -// ecdsa_do_verify_no_self_test does the same as |ECDSA_do_verify|, but doesn't +// ecdsa_verify_fixed_no_self_test behaves like ecdsa_verify_fixed, but doesn't // try to run the self-test first. This is for use in the self tests themselves, // to prevent an infinite loop. 
-int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len, - const ECDSA_SIG *sig, const EC_KEY *eckey); +int ecdsa_verify_fixed_no_self_test(const uint8_t *digest, size_t digest_len, + const uint8_t *sig, size_t sig_len, + const EC_KEY *key); #if defined(__cplusplus) diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/fips_shared_support.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/fips_shared_support.c index 2a66a1f06..74b35f016 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/fips_shared_support.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/fips_shared_support.c @@ -20,13 +20,10 @@ // that must be replaced with the real value during the build process. This // value need only be distinct, i.e. so that we can safely search-and-replace it // in an object file. -const uint8_t BORINGSSL_bcm_text_hash[64]; -const uint8_t BORINGSSL_bcm_text_hash[64] = { +const uint8_t BORINGSSL_bcm_text_hash[32]; +const uint8_t BORINGSSL_bcm_text_hash[32] = { 0xae, 0x2c, 0xea, 0x2a, 0xbd, 0xa6, 0xf3, 0xec, 0x97, 0x7f, 0x9b, 0xf6, 0x94, 0x9a, 0xfc, 0x83, 0x68, 0x27, 0xcb, 0xa0, 0xa0, 0x9f, - 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80, 0xa2, - 0xd4, 0xc3, 0x66, 0x0f, 0xc2, 0x6a, 0x7b, 0xf4, 0xbe, 0x39, 0xa2, - 0xd7, 0x25, 0xdb, 0x21, 0x98, 0xe9, 0xd5, 0x53, 0xbf, 0x5c, 0x32, - 0x06, 0x83, 0x34, 0x0c, 0x65, 0x89, 0x52, 0xbd, 0x1f, + 0x6b, 0x6f, 0xde, 0x52, 0xcd, 0xe2, 0xcd, 0xff, 0x31, 0x80, }; #endif // FIPS && SHARED_LIBRARY diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S deleted file mode 100644 index f79a338a3..000000000 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-armv4-ios.ios.arm.S +++ /dev/null 
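Review bot: The prototypes added to ecdsa/internal.h name the key parameter `key` for `ecdsa_sign_fixed`, `ecdsa_sign_fixed_with_nonce_for_known_answer_test` and `ecdsa_verify_fixed_no_self_test`, but the definitions in ecdsa.c.inc use `eckey` for all three (only `ecdsa_verify_fixed` agrees); the two should match so that grepping for either name finds both halves. The `ecdsa_sign_fixed` comment could also state the buffer contract the implementation enforces: `// |sig| must have |max_sig_len| bytes; per its definition ECDSA_MAX_FIXED_LEN is sufficient. Fails with EC_R_BUFFER_TOO_SMALL otherwise.`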
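Review bot: `BORINGSSL_bcm_text_hash` shrinks from 64 to 32 bytes in the fips_shared_support.c hunk, but the comment at the top of the hunk still only says the value is a placeholder replaced at build time; it should now also record that the placeholder is 32 bytes, presumably because the integrity digest changed to a 32-byte hash. Whatever performs the search-and-replace must look for the new 32-byte sequence, since a tool still searching for the old 64-byte pattern would silently fail to find it. Under `#if FIPS && SHARED_LIBRARY` this likely does not affect the default package build, but that cannot be confirmed from the hunk.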
@@ -1,257 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -#include - -@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both -@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions. (ARMv8 PMULL -@ instructions are in aesv8-armx.pl.) - - -.text -#if defined(__thumb2__) || defined(__clang__) -.syntax unified -#define ldrplb ldrbpl -#define ldrneb ldrbne -#endif -#if defined(__thumb2__) -.thumb -#else -.code 32 -#endif -#if __ARM_MAX_ARCH__>=7 - - - -.globl _gcm_init_neon -.private_extern _gcm_init_neon -#ifdef __thumb2__ -.thumb_func _gcm_init_neon -#endif -.align 4 -_gcm_init_neon: - vld1.64 d7,[r1]! @ load H - vmov.i8 q8,#0xe1 - vld1.64 d6,[r1] - vshl.i64 d17,#57 - vshr.u64 d16,#63 @ t0=0xc2....01 - vdup.8 q9,d7[7] - vshr.u64 d26,d6,#63 - vshr.s8 q9,#7 @ broadcast carry bit - vshl.i64 q3,q3,#1 - vand q8,q8,q9 - vorr d7,d26 @ H<<<=1 - veor q3,q3,q8 @ twisted H - vstmia r0,{q3} - - bx lr @ bx lr - - -.globl _gcm_gmult_neon -.private_extern _gcm_gmult_neon -#ifdef __thumb2__ -.thumb_func _gcm_gmult_neon -#endif -.align 4 -_gcm_gmult_neon: - vld1.64 d7,[r0]! @ load Xi - vld1.64 d6,[r0]! - vmov.i64 d29,#0x0000ffffffffffff - vldmia r1,{d26,d27} @ load twisted H - vmov.i64 d30,#0x00000000ffffffff -#ifdef __ARMEL__ - vrev64.8 q3,q3 -#endif - vmov.i64 d31,#0x000000000000ffff - veor d28,d26,d27 @ Karatsuba pre-processing - mov r3,#16 - b Lgmult_neon - - -.globl _gcm_ghash_neon -.private_extern _gcm_ghash_neon -#ifdef __thumb2__ -.thumb_func _gcm_ghash_neon -#endif -.align 4 -_gcm_ghash_neon: - vld1.64 d1,[r0]! @ load Xi - vld1.64 d0,[r0]! 
- vmov.i64 d29,#0x0000ffffffffffff - vldmia r1,{d26,d27} @ load twisted H - vmov.i64 d30,#0x00000000ffffffff -#ifdef __ARMEL__ - vrev64.8 q0,q0 -#endif - vmov.i64 d31,#0x000000000000ffff - veor d28,d26,d27 @ Karatsuba pre-processing - -Loop_neon: - vld1.64 d7,[r2]! @ load inp - vld1.64 d6,[r2]! -#ifdef __ARMEL__ - vrev64.8 q3,q3 -#endif - veor q3,q0 @ inp^=Xi -Lgmult_neon: - vext.8 d16, d26, d26, #1 @ A1 - vmull.p8 q8, d16, d6 @ F = A1*B - vext.8 d0, d6, d6, #1 @ B1 - vmull.p8 q0, d26, d0 @ E = A*B1 - vext.8 d18, d26, d26, #2 @ A2 - vmull.p8 q9, d18, d6 @ H = A2*B - vext.8 d22, d6, d6, #2 @ B2 - vmull.p8 q11, d26, d22 @ G = A*B2 - vext.8 d20, d26, d26, #3 @ A3 - veor q8, q8, q0 @ L = E + F - vmull.p8 q10, d20, d6 @ J = A3*B - vext.8 d0, d6, d6, #3 @ B3 - veor q9, q9, q11 @ M = G + H - vmull.p8 q0, d26, d0 @ I = A*B3 - veor d16, d16, d17 @ t0 = (L) (P0 + P1) << 8 - vand d17, d17, d29 - vext.8 d22, d6, d6, #4 @ B4 - veor d18, d18, d19 @ t1 = (M) (P2 + P3) << 16 - vand d19, d19, d30 - vmull.p8 q11, d26, d22 @ K = A*B4 - veor q10, q10, q0 @ N = I + J - veor d16, d16, d17 - veor d18, d18, d19 - veor d20, d20, d21 @ t2 = (N) (P4 + P5) << 24 - vand d21, d21, d31 - vext.8 q8, q8, q8, #15 - veor d22, d22, d23 @ t3 = (K) (P6 + P7) << 32 - vmov.i64 d23, #0 - vext.8 q9, q9, q9, #14 - veor d20, d20, d21 - vmull.p8 q0, d26, d6 @ D = A*B - vext.8 q11, q11, q11, #12 - vext.8 q10, q10, q10, #13 - veor q8, q8, q9 - veor q10, q10, q11 - veor q0, q0, q8 - veor q0, q0, q10 - veor d6,d6,d7 @ Karatsuba pre-processing - vext.8 d16, d28, d28, #1 @ A1 - vmull.p8 q8, d16, d6 @ F = A1*B - vext.8 d2, d6, d6, #1 @ B1 - vmull.p8 q1, d28, d2 @ E = A*B1 - vext.8 d18, d28, d28, #2 @ A2 - vmull.p8 q9, d18, d6 @ H = A2*B - vext.8 d22, d6, d6, #2 @ B2 - vmull.p8 q11, d28, d22 @ G = A*B2 - vext.8 d20, d28, d28, #3 @ A3 - veor q8, q8, q1 @ L = E + F - vmull.p8 q10, d20, d6 @ J = A3*B - vext.8 d2, d6, d6, #3 @ B3 - veor q9, q9, q11 @ M = G + H - vmull.p8 q1, d28, d2 @ I = A*B3 - veor d16, d16, d17 @ t0 = 
(L) (P0 + P1) << 8 - vand d17, d17, d29 - vext.8 d22, d6, d6, #4 @ B4 - veor d18, d18, d19 @ t1 = (M) (P2 + P3) << 16 - vand d19, d19, d30 - vmull.p8 q11, d28, d22 @ K = A*B4 - veor q10, q10, q1 @ N = I + J - veor d16, d16, d17 - veor d18, d18, d19 - veor d20, d20, d21 @ t2 = (N) (P4 + P5) << 24 - vand d21, d21, d31 - vext.8 q8, q8, q8, #15 - veor d22, d22, d23 @ t3 = (K) (P6 + P7) << 32 - vmov.i64 d23, #0 - vext.8 q9, q9, q9, #14 - veor d20, d20, d21 - vmull.p8 q1, d28, d6 @ D = A*B - vext.8 q11, q11, q11, #12 - vext.8 q10, q10, q10, #13 - veor q8, q8, q9 - veor q10, q10, q11 - veor q1, q1, q8 - veor q1, q1, q10 - vext.8 d16, d27, d27, #1 @ A1 - vmull.p8 q8, d16, d7 @ F = A1*B - vext.8 d4, d7, d7, #1 @ B1 - vmull.p8 q2, d27, d4 @ E = A*B1 - vext.8 d18, d27, d27, #2 @ A2 - vmull.p8 q9, d18, d7 @ H = A2*B - vext.8 d22, d7, d7, #2 @ B2 - vmull.p8 q11, d27, d22 @ G = A*B2 - vext.8 d20, d27, d27, #3 @ A3 - veor q8, q8, q2 @ L = E + F - vmull.p8 q10, d20, d7 @ J = A3*B - vext.8 d4, d7, d7, #3 @ B3 - veor q9, q9, q11 @ M = G + H - vmull.p8 q2, d27, d4 @ I = A*B3 - veor d16, d16, d17 @ t0 = (L) (P0 + P1) << 8 - vand d17, d17, d29 - vext.8 d22, d7, d7, #4 @ B4 - veor d18, d18, d19 @ t1 = (M) (P2 + P3) << 16 - vand d19, d19, d30 - vmull.p8 q11, d27, d22 @ K = A*B4 - veor q10, q10, q2 @ N = I + J - veor d16, d16, d17 - veor d18, d18, d19 - veor d20, d20, d21 @ t2 = (N) (P4 + P5) << 24 - vand d21, d21, d31 - vext.8 q8, q8, q8, #15 - veor d22, d22, d23 @ t3 = (K) (P6 + P7) << 32 - vmov.i64 d23, #0 - vext.8 q9, q9, q9, #14 - veor d20, d20, d21 - vmull.p8 q2, d27, d7 @ D = A*B - vext.8 q11, q11, q11, #12 - vext.8 q10, q10, q10, #13 - veor q8, q8, q9 - veor q10, q10, q11 - veor q2, q2, q8 - veor q2, q2, q10 - veor q1,q1,q0 @ Karatsuba post-processing - veor q1,q1,q2 - veor d1,d1,d2 - veor d4,d4,d3 @ Xh|Xl - 256-bit result - - @ equivalent of reduction_avx from ghash-x86_64.pl - vshl.i64 q9,q0,#57 @ 1st phase - vshl.i64 q10,q0,#62 - veor q10,q10,q9 @ - vshl.i64 q9,q0,#63 - veor 
q10, q10, q9 @ - veor d1,d1,d20 @ - veor d4,d4,d21 - - vshr.u64 q10,q0,#1 @ 2nd phase - veor q2,q2,q0 - veor q0,q0,q10 @ - vshr.u64 q10,q10,#6 - vshr.u64 q0,q0,#1 @ - veor q0,q0,q2 @ - veor q0,q0,q10 @ - - subs r3,#16 - bne Loop_neon - -#ifdef __ARMEL__ - vrev64.8 q0,q0 -#endif - sub r0,#16 - vst1.64 d1,[r0]! @ write out Xi - vst1.64 d0,[r0] - - bx lr @ bx lr - -#endif -.byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.align 2 -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S deleted file mode 100644 index f59b1565f..000000000 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv7-ios.ios.arm.S +++ /dev/null 
@@ -1,259 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -#include - -#if __ARM_MAX_ARCH__>=7 -.text - -.code 32 -#undef __thumb2__ -.globl _gcm_init_v8 -.private_extern _gcm_init_v8 -#ifdef __thumb2__ -.thumb_func _gcm_init_v8 -#endif -.align 4 -_gcm_init_v8: - AARCH64_VALID_CALL_TARGET - vld1.64 {q9},[r1] @ load input H - vmov.i8 q11,#0xe1 - vshl.i64 q11,q11,#57 @ 0xc2.0 - vext.8 q3,q9,q9,#8 - vshr.u64 q10,q11,#63 - vdup.32 q9,d18[1] - vext.8 q8,q10,q11,#8 @ t0=0xc2....01 - vshr.u64 q10,q3,#63 - vshr.s32 q9,q9,#31 @ broadcast carry bit - vand q10,q10,q8 - vshl.i64 q3,q3,#1 - vext.8 q10,q10,q10,#8 - vand q8,q8,q9 - vorr q3,q3,q10 @ H<<<=1 - veor q12,q3,q8 @ twisted H - vst1.64 {q12},[r0]! @ store Htable[0] - - @ calculate H^2 - vext.8 q8,q12,q12,#8 @ Karatsuba pre-processing -.byte 0xa8,0x0e,0xa8,0xf2 @ pmull q0,q12,q12 - veor q8,q8,q12 -.byte 0xa9,0x4e,0xa9,0xf2 @ pmull2 q2,q12,q12 -.byte 0xa0,0x2e,0xa0,0xf2 @ pmull q1,q8,q8 - - vext.8 q9,q0,q2,#8 @ Karatsuba post-processing - veor q10,q0,q2 - veor q1,q1,q9 - veor q1,q1,q10 -.byte 0x26,0x4e,0xe0,0xf2 @ pmull q10,q0,q11 @ 1st phase - - vmov d4,d3 @ Xh|Xm - 256-bit result - vmov d3,d0 @ Xm is rotated Xl - veor q0,q1,q10 - - vext.8 q10,q0,q0,#8 @ 2nd phase -.byte 0x26,0x0e,0xa0,0xf2 @ pmull q0,q0,q11 - veor q10,q10,q2 - veor q14,q0,q10 - - vext.8 q9,q14,q14,#8 @ Karatsuba pre-processing - veor q9,q9,q14 - vext.8 q13,q8,q9,#8 @ pack Karatsuba pre-processed - vst1.64 {q13,q14},[r0]! @ store Htable[1..2] - bx lr - -.globl _gcm_gmult_v8 -.private_extern _gcm_gmult_v8 -#ifdef __thumb2__ -.thumb_func _gcm_gmult_v8 -#endif -.align 4 -_gcm_gmult_v8: - AARCH64_VALID_CALL_TARGET - vld1.64 {q9},[r0] @ load Xi - vmov.i8 q11,#0xe1 - vld1.64 {q12,q13},[r1] @ load twisted H, ... 
- vshl.u64 q11,q11,#57 -#ifndef __ARMEB__ - vrev64.8 q9,q9 -#endif - vext.8 q3,q9,q9,#8 - -.byte 0x86,0x0e,0xa8,0xf2 @ pmull q0,q12,q3 @ H.lo·Xi.lo - veor q9,q9,q3 @ Karatsuba pre-processing -.byte 0x87,0x4e,0xa9,0xf2 @ pmull2 q2,q12,q3 @ H.hi·Xi.hi -.byte 0xa2,0x2e,0xaa,0xf2 @ pmull q1,q13,q9 @ (H.lo+H.hi)·(Xi.lo+Xi.hi) - - vext.8 q9,q0,q2,#8 @ Karatsuba post-processing - veor q10,q0,q2 - veor q1,q1,q9 - veor q1,q1,q10 -.byte 0x26,0x4e,0xe0,0xf2 @ pmull q10,q0,q11 @ 1st phase of reduction - - vmov d4,d3 @ Xh|Xm - 256-bit result - vmov d3,d0 @ Xm is rotated Xl - veor q0,q1,q10 - - vext.8 q10,q0,q0,#8 @ 2nd phase of reduction -.byte 0x26,0x0e,0xa0,0xf2 @ pmull q0,q0,q11 - veor q10,q10,q2 - veor q0,q0,q10 - -#ifndef __ARMEB__ - vrev64.8 q0,q0 -#endif - vext.8 q0,q0,q0,#8 - vst1.64 {q0},[r0] @ write out Xi - - bx lr - -.globl _gcm_ghash_v8 -.private_extern _gcm_ghash_v8 -#ifdef __thumb2__ -.thumb_func _gcm_ghash_v8 -#endif -.align 4 -_gcm_ghash_v8: - AARCH64_VALID_CALL_TARGET - vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ 32-bit ABI says so - vld1.64 {q0},[r0] @ load [rotated] Xi - @ "[rotated]" means that - @ loaded value would have - @ to be rotated in order to - @ make it appear as in - @ algorithm specification - subs r3,r3,#32 @ see if r3 is 32 or larger - mov r12,#16 @ r12 is used as post- - @ increment for input pointer; - @ as loop is modulo-scheduled - @ r12 is zeroed just in time - @ to preclude overstepping - @ inp[len], which means that - @ last block[s] are actually - @ loaded twice, but last - @ copy is not processed - vld1.64 {q12,q13},[r1]! @ load twisted H, ..., H^2 - vmov.i8 q11,#0xe1 - vld1.64 {q14},[r1] - moveq r12,#0 @ is it time to zero r12? - vext.8 q0,q0,q0,#8 @ rotate Xi - vld1.64 {q8},[r2]! 
@ load [rotated] I[0] - vshl.u64 q11,q11,#57 @ compose 0xc2.0 constant -#ifndef __ARMEB__ - vrev64.8 q8,q8 - vrev64.8 q0,q0 -#endif - vext.8 q3,q8,q8,#8 @ rotate I[0] - blo Lodd_tail_v8 @ r3 was less than 32 - vld1.64 {q9},[r2],r12 @ load [rotated] I[1] -#ifndef __ARMEB__ - vrev64.8 q9,q9 -#endif - vext.8 q7,q9,q9,#8 - veor q3,q3,q0 @ I[i]^=Xi -.byte 0x8e,0x8e,0xa8,0xf2 @ pmull q4,q12,q7 @ H·Ii+1 - veor q9,q9,q7 @ Karatsuba pre-processing -.byte 0x8f,0xce,0xa9,0xf2 @ pmull2 q6,q12,q7 - b Loop_mod2x_v8 - -.align 4 -Loop_mod2x_v8: - vext.8 q10,q3,q3,#8 - subs r3,r3,#32 @ is there more data? -.byte 0x86,0x0e,0xac,0xf2 @ pmull q0,q14,q3 @ H^2.lo·Xi.lo - movlo r12,#0 @ is it time to zero r12? - -.byte 0xa2,0xae,0xaa,0xf2 @ pmull q5,q13,q9 - veor q10,q10,q3 @ Karatsuba pre-processing -.byte 0x87,0x4e,0xad,0xf2 @ pmull2 q2,q14,q3 @ H^2.hi·Xi.hi - veor q0,q0,q4 @ accumulate -.byte 0xa5,0x2e,0xab,0xf2 @ pmull2 q1,q13,q10 @ (H^2.lo+H^2.hi)·(Xi.lo+Xi.hi) - vld1.64 {q8},[r2],r12 @ load [rotated] I[i+2] - - veor q2,q2,q6 - moveq r12,#0 @ is it time to zero r12? 
- veor q1,q1,q5 - - vext.8 q9,q0,q2,#8 @ Karatsuba post-processing - veor q10,q0,q2 - veor q1,q1,q9 - vld1.64 {q9},[r2],r12 @ load [rotated] I[i+3] -#ifndef __ARMEB__ - vrev64.8 q8,q8 -#endif - veor q1,q1,q10 -.byte 0x26,0x4e,0xe0,0xf2 @ pmull q10,q0,q11 @ 1st phase of reduction - -#ifndef __ARMEB__ - vrev64.8 q9,q9 -#endif - vmov d4,d3 @ Xh|Xm - 256-bit result - vmov d3,d0 @ Xm is rotated Xl - vext.8 q7,q9,q9,#8 - vext.8 q3,q8,q8,#8 - veor q0,q1,q10 -.byte 0x8e,0x8e,0xa8,0xf2 @ pmull q4,q12,q7 @ H·Ii+1 - veor q3,q3,q2 @ accumulate q3 early - - vext.8 q10,q0,q0,#8 @ 2nd phase of reduction -.byte 0x26,0x0e,0xa0,0xf2 @ pmull q0,q0,q11 - veor q3,q3,q10 - veor q9,q9,q7 @ Karatsuba pre-processing - veor q3,q3,q0 -.byte 0x8f,0xce,0xa9,0xf2 @ pmull2 q6,q12,q7 - bhs Loop_mod2x_v8 @ there was at least 32 more bytes - - veor q2,q2,q10 - vext.8 q3,q8,q8,#8 @ re-construct q3 - adds r3,r3,#32 @ re-construct r3 - veor q0,q0,q2 @ re-construct q0 - beq Ldone_v8 @ is r3 zero? -Lodd_tail_v8: - vext.8 q10,q0,q0,#8 - veor q3,q3,q0 @ inp^=Xi - veor q9,q8,q10 @ q9 is rotated inp^Xi - -.byte 0x86,0x0e,0xa8,0xf2 @ pmull q0,q12,q3 @ H.lo·Xi.lo - veor q9,q9,q3 @ Karatsuba pre-processing -.byte 0x87,0x4e,0xa9,0xf2 @ pmull2 q2,q12,q3 @ H.hi·Xi.hi -.byte 0xa2,0x2e,0xaa,0xf2 @ pmull q1,q13,q9 @ (H.lo+H.hi)·(Xi.lo+Xi.hi) - - vext.8 q9,q0,q2,#8 @ Karatsuba post-processing - veor q10,q0,q2 - veor q1,q1,q9 - veor q1,q1,q10 -.byte 0x26,0x4e,0xe0,0xf2 @ pmull q10,q0,q11 @ 1st phase of reduction - - vmov d4,d3 @ Xh|Xm - 256-bit result - vmov d3,d0 @ Xm is rotated Xl - veor q0,q1,q10 - - vext.8 q10,q0,q0,#8 @ 2nd phase of reduction -.byte 0x26,0x0e,0xa0,0xf2 @ pmull q0,q0,q11 - veor q10,q10,q2 - veor q0,q0,q10 - -Ldone_v8: -#ifndef __ARMEB__ - vrev64.8 q0,q0 -#endif - vext.8 q0,q0,q0,#8 - vst1.64 {q0},[r0] @ write out Xi - - vldmia sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ 32-bit ABI says so - bx lr - -.byte 
71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.align 2 -#endif -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/hkdf/hkdf.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/hkdf/hkdf.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/hkdf/hkdf.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/hkdf/hkdf.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/hmac/hmac.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/hmac/hmac.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/hmac/hmac.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/hmac/hmac.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cbc.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cbc.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cbc.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cbc.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cfb.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cfb.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cfb.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/modes/cfb.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ctr.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ctr.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ctr.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ctr.c.inc 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ofb.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ofb.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ofb.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/modes/ofb.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/polyval.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/modes/polyval.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/modes/polyval.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/modes/polyval.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/ctrdrbg.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/ctrdrbg.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rand/ctrdrbg.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/rand/ctrdrbg.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/internal.h index cea6fd68c..7ebbf5687 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/internal.h 
@@ -18,92 +18,13 @@ #include #include -#include "../../internal.h" +#include "../../bcm_support.h" #include "../modes/internal.h" #if defined(__cplusplus) extern "C" { #endif - -#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) -#define OPENSSL_RAND_DETERMINISTIC -#elif defined(OPENSSL_TRUSTY) -#define OPENSSL_RAND_TRUSTY -#elif defined(OPENSSL_WINDOWS) -#define OPENSSL_RAND_WINDOWS -#elif defined(OPENSSL_LINUX) -#define OPENSSL_RAND_URANDOM -#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS) -// Unlike macOS, iOS and similar hide away getentropy(). -#define OPENSSL_RAND_IOS -#else -// By default if you are integrating BoringSSL we expect you to -// provide getentropy from the header file. -#define OPENSSL_RAND_GETENTROPY -#endif - -// RAND_bytes_with_additional_data samples from the RNG after mixing 32 bytes -// from |user_additional_data| in. -void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, - const uint8_t user_additional_data[32]); - -#if defined(BORINGSSL_FIPS) - -// We overread from /dev/urandom or RDRAND by a factor of 10 and XOR to whiten. -#define BORINGSSL_FIPS_OVERREAD 10 - -// CRYPTO_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable -// for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the -// entropy came directly from the CPU and zero if it came from the OS. It -// actively obtains entropy from the CPU/OS and so should not be called from -// within the FIPS module. -void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len, - int *out_used_cpu); - -// RAND_load_entropy supplies |entropy_len| bytes of entropy to the module. The -// |want_additional_input| parameter is true iff the entropy was obtained from -// a source other than the system, e.g. directly from the CPU. 
-void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len, - int want_additional_input); - -// RAND_need_entropy is implemented outside of the FIPS module and is called -// when the module has stopped because it has run out of entropy. -void RAND_need_entropy(size_t bytes_needed); - -#endif // BORINGSSL_FIPS - -// CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating -// system. -void CRYPTO_sysrand(uint8_t *buf, size_t len); - -// CRYPTO_sysrand_for_seed fills |len| bytes at |buf| with entropy from the -// operating system. It may draw from the |GRND_RANDOM| pool on Android, -// depending on the vendor's configuration. -void CRYPTO_sysrand_for_seed(uint8_t *buf, size_t len); - -#if defined(OPENSSL_RAND_URANDOM) || defined(OPENSSL_RAND_WINDOWS) -// CRYPTO_init_sysrand initializes long-lived resources needed to draw entropy -// from the operating system. -void CRYPTO_init_sysrand(void); -#else -OPENSSL_INLINE void CRYPTO_init_sysrand(void) {} -#endif // defined(OPENSSL_RAND_URANDOM) || defined(OPENSSL_RAND_WINDOWS) - -#if defined(OPENSSL_RAND_URANDOM) -// CRYPTO_sysrand_if_available fills |len| bytes at |buf| with entropy from the -// operating system, or early /dev/urandom data, and returns 1, _if_ the entropy -// pool is initialized or if getrandom() is not available and not in FIPS mode. -// Otherwise it will not block and will instead fill |buf| with all zeros and -// return 0. -int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len); -#else -OPENSSL_INLINE int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) { - CRYPTO_sysrand(buf, len); - return 1; -} -#endif // defined(OPENSSL_RAND_URANDOM) - // rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has // been enabled via |RAND_enable_fork_unsafe_buffering|. int rand_fork_unsafe_buffering_enabled(void); 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/rand.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/rand.c.inc similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rand/rand.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/rand/rand.c.inc index 978cf04f3..c6a00da50 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/rand.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/rand.c.inc @@ -12,8 +12,6 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include - #include #include #include @@ -26,10 +24,10 @@ #include #include -#include "internal.h" -#include "fork_detect.h" -#include "../../internal.h" +#include "../../bcm_support.h" +#include "../bcm_interface.h" #include "../delocate.h" +#include "internal.h" // It's assumed that the operating system always has an unfailing source of @@ -99,7 +97,7 @@ static void rand_thread_state_clear_all(void) { CTR_DRBG_clear(&cur->drbg); } // The locks are deliberately left locked so that any threads that are still - // running will hang if they try to call |RAND_bytes|. It also ensures + // running will hang if they try to call |BCM_rand_bytes|. It also ensures // |rand_thread_state_free| cannot free any thread state while we've taken the // lock. } @@ -119,7 +117,10 @@ static void rand_thread_state_free(void *state_in) { if (state->prev != NULL) { state->prev->next = state->next; - } else { + } else if (*thread_states_list_bss_get() == state) { + // |state->prev| may be NULL either if it is the head of the list, + // or if |state| is freed before it was added to the list at all. + // Compare against the head of the list to distinguish these cases. *thread_states_list_bss_get() = state->next; } 
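Review bot: The new `else if (*thread_states_list_bss_get() == state)` branch only distinguishes a never-linked state from the list head if `state->prev` and `state->next` are reliably NULL before the state is added, and that depends on the allocation being zeroed, which the `OPENSSL_zalloc` change in the `@@ -371,7 +370,7 @@` hunk of this same file provides. The two hunks are coupled but neither mentions the other; a comment at the allocation site, `// Zero-initialised so |prev|/|next| are NULL until the state is linked; |rand_thread_state_free| relies on this when a state is freed before it was ever added to the list.`, would keep a future switch back to `OPENSSL_malloc` from silently reintroducing the bug. rand_thread_state_free's body starts and ends outside the hunk, so whether `state->next->prev` is also fixed up is not visible here.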
@@ -161,26 +162,24 @@ static int rdrand(uint8_t *buf, const size_t len) { #else -static int rdrand(uint8_t *buf, size_t len) { - return 0; -} +static int rdrand(uint8_t *buf, size_t len) { return 0; } #endif -#if defined(BORINGSSL_FIPS) - -void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len, - int *out_want_additional_input) { - *out_want_additional_input = 0; - if (have_rdrand() && rdrand(out_entropy, out_entropy_len)) { - *out_want_additional_input = 1; - } else { - CRYPTO_sysrand_for_seed(out_entropy, out_entropy_len); +bcm_status BCM_rand_bytes_hwrng(uint8_t *buf, const size_t len) { + if (!have_rdrand()) { + return bcm_status_failure; + } + if (rdrand(buf, len)) { + return bcm_status_not_approved; } + return bcm_status_failure; } +#if defined(BORINGSSL_FIPS) + // In passive entropy mode, entropy is supplied from outside of the module via -// |RAND_load_entropy| and is stored in global instance of the following +// |BCM_rand_load_entropy| and is stored in global instance of the following // structure. struct entropy_buffer { @@ -199,8 +198,8 @@ struct entropy_buffer { DEFINE_BSS_GET(struct entropy_buffer, entropy_buffer); DEFINE_STATIC_MUTEX(entropy_buffer_lock); -void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len, - int want_additional_input) { +bcm_infallible BCM_rand_load_entropy(const uint8_t *entropy, size_t entropy_len, + int want_additional_input) { struct entropy_buffer *const buffer = entropy_buffer_bss_get(); CRYPTO_MUTEX_lock_write(entropy_buffer_lock_bss_get()); 
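Review bot: `BCM_rand_bytes_hwrng` reports a successful RDRAND fill as `bcm_status_not_approved`, and a reader at a call site will plausibly take that for an error; the value appears to encode the FIPS service-indicator state (raw hardware output is not an approved random source on its own) rather than success or failure, but nothing at the definition says so. A comment above the function, `// Returns |bcm_status_failure| if no hardware RNG is available or the read failed, and |bcm_status_not_approved| when |buf| was filled: the bytes are usable but are not an approved random source on their own.`, would stop callers from treating not_approved as a failure. The `rdrand` stub in the `#else` branch still ignores `buf` and `len`, so on builds without the real implementation the function always returns failure, which matches the `have_rdrand()` guard but is worth stating in the same comment.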
@@ -211,9 +210,9 @@ void RAND_load_entropy(const uint8_t *entropy, size_t entropy_len, OPENSSL_memcpy(&buffer->bytes[buffer->bytes_valid], entropy, entropy_len); buffer->bytes_valid += entropy_len; - buffer->want_additional_input |= - want_additional_input && (entropy_len != 0); + buffer->want_additional_input |= want_additional_input && (entropy_len != 0); CRYPTO_MUTEX_unlock_write(entropy_buffer_lock_bss_get()); + return bcm_infallible_not_approved; } // get_seed_entropy fills |out_entropy_len| bytes of |out_entropy| from the @@ -276,7 +275,7 @@ static void rand_get_seed(struct rand_thread_state *state, // rate of failure is small enough not to be a problem in practice. if (CRYPTO_memcmp(state->last_block, entropy, sizeof(state->last_block)) == 0) { - fprintf(stderr, "CRNGT failed.\n"); + fprintf(CRYPTO_get_stderr(), "CRNGT failed.\n"); BORINGSSL_FIPS_abort(); } @@ -284,7 +283,7 @@ static void rand_get_seed(struct rand_thread_state *state, for (size_t i = CRNGT_BLOCK_SIZE; i < entropy_len; i += CRNGT_BLOCK_SIZE) { if (CRYPTO_memcmp(entropy + i - CRNGT_BLOCK_SIZE, entropy + i, CRNGT_BLOCK_SIZE) == 0) { - fprintf(stderr, "CRNGT failed.\n"); + fprintf(CRYPTO_get_stderr(), "CRNGT failed.\n"); BORINGSSL_FIPS_abort(); } } @@ -327,10 +326,10 @@ static void rand_get_seed(struct rand_thread_state *state, #endif -void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, - const uint8_t user_additional_data[32]) { +bcm_infallible BCM_rand_bytes_with_additional_data( + uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]) { if (out_len == 0) { - return; + return bcm_infallible_approved; } const uint64_t fork_generation = CRYPTO_get_fork_generation(); 
@@ -371,7 +370,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_RAND); if (state == NULL) { - state = OPENSSL_malloc(sizeof(struct rand_thread_state)); + state = OPENSSL_zalloc(sizeof(struct rand_thread_state)); if (state == NULL || !CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_RAND, state, rand_thread_state_free)) { @@ -470,21 +469,11 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, #if defined(BORINGSSL_FIPS) CRYPTO_MUTEX_unlock_read(&state->clear_drbg_lock); #endif + return bcm_infallible_approved; } -int RAND_bytes(uint8_t *out, size_t out_len) { +bcm_infallible BCM_rand_bytes(uint8_t *out, size_t out_len) { static const uint8_t kZeroAdditionalData[32] = {0}; - RAND_bytes_with_additional_data(out, out_len, kZeroAdditionalData); - return 1; -} - -int RAND_pseudo_bytes(uint8_t *buf, size_t len) { - return RAND_bytes(buf, len); -} - -void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, size_t len) { - if (len > 256) { - abort(); - } - CRYPTO_sysrand_for_seed(buf, len); + BCM_rand_bytes_with_additional_data(out, out_len, kZeroAdditionalData); + return bcm_infallible_approved; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/blinding.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/blinding.c.inc similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/blinding.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/blinding.c.inc diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/padding.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/padding.c.inc similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/padding.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/padding.c.inc index bc4a377f1..87fc8d270 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/padding.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/padding.c.inc 
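Review bot: `BCM_rand_bytes` returns `bcm_infallible_approved` unconditionally after discarding the `bcm_infallible` value that `BCM_rand_bytes_with_additional_data` already produces; if the indicator state of the inner call ever changes, the two will silently diverge, so `return BCM_rand_bytes_with_additional_data(out, out_len, kZeroAdditionalData);` keeps them in step with one line fewer. Separately, `RAND_get_system_entropy_for_custom_prng` and its `len > 256` abort guard leave this file in the same hunk; if the function was moved to a non-module wrapper rather than dropped, that guard should travel with it, and the wrapper is not in this diff to confirm.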
@@ -63,11 +63,10 @@ #include #include #include -#include -#include #include "internal.h" #include "../service_indicator/internal.h" +#include "../bcm_interface.h" #include "../../internal.h" @@ -369,9 +368,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM, if (!salt) { goto err; } - if (!RAND_bytes(salt, sLen)) { - goto err; - } + BCM_rand_bytes(salt, sLen); } maskedDBLen = emLen - hLen - 1; H = EM + maskedDBLen; @@ -394,7 +391,6 @@ int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, unsigned char *EM, } p = EM; - // Initial PS XORs with all zeroes which is a NOP so just update // pointer. Note from a test above this value is guaranteed to // be non-negative. diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa.c.inc similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa.c.inc index 7958688c3..130f220f7 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa.c.inc @@ -68,7 +68,6 @@ #include #include #include -#include #include #include "../bn/internal.h" @@ -439,12 +438,8 @@ int RSA_is_opaque(const RSA *rsa) { int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - int index; - if (!CRYPTO_get_ex_new_index(g_rsa_ex_data_class_bss_get(), &index, argl, - argp, free_func)) { - return -1; - } - return index; + return CRYPTO_get_ex_new_index_ex(g_rsa_ex_data_class_bss_get(), argl, argp, + free_func); } int RSA_set_ex_data(RSA *rsa, int idx, void *arg) { 
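Review bot: Dropping the `goto err` around the salt generation is only correct because `BCM_rand_bytes` is declared `bcm_infallible` (see the rand.c.inc hunks in this patch); at this call site nothing says so, and every other call in the surrounding code is error-checked. A one-line comment, `// |BCM_rand_bytes| cannot fail; its return value is only the service indicator.`, would stop a reader from reinserting a check or from wondering why this call alone is unchecked. RSA_padding_add_PKCS1_PSS_mgf1 starts and ends outside the hunk.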
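Review bot: `RSA_get_ex_new_index` now returns whatever `CRYPTO_get_ex_new_index_ex` returns, whereas the old body mapped failure explicitly to -1; callers of this public function compare against -1, so the helper must preserve that convention, and its definition is not in this diff to check. A comment on the return, `// |CRYPTO_get_ex_new_index_ex| returns -1 on failure, matching this function's contract.`, would record the assumption at the point it is relied on.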
@@ -484,35 +479,35 @@ static const struct pkcs1_sig_prefix kPKCS1SigPrefixes[] = { }, { NID_sha1, - SHA_DIGEST_LENGTH, + BCM_SHA_DIGEST_LENGTH, 15, {0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14}, }, { NID_sha224, - SHA224_DIGEST_LENGTH, + BCM_SHA224_DIGEST_LENGTH, 19, {0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}, }, { NID_sha256, - SHA256_DIGEST_LENGTH, + BCM_SHA256_DIGEST_LENGTH, 19, {0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}, }, { NID_sha384, - SHA384_DIGEST_LENGTH, + BCM_SHA384_DIGEST_LENGTH, 19, {0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}, }, { NID_sha512, - SHA512_DIGEST_LENGTH, + BCM_SHA512_DIGEST_LENGTH, 19, {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, @@ -762,7 +757,8 @@ int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len, static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, const BIGNUM *m, unsigned m_min_bits, BN_CTX *ctx) { - if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) { + if (BN_is_negative(ainv) || + constant_time_declassify_int(BN_cmp(ainv, m) >= 0)) { *out_ok = 0; return 1; } @@ -776,7 +772,7 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, bn_mul_consttime(tmp, a, ainv, ctx) && bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx); if (ret) { - *out_ok = BN_is_one(tmp); + *out_ok = constant_time_declassify_int(BN_is_one(tmp)); } BN_CTX_end(ctx); return ret; 
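Review bot: The new `constant_time_declassify_int` calls in `check_mod_inverse` (both on the range check and on `*out_ok`) carry no justification for why the leak is acceptable, while the rsa_impl.c.inc hunks in this same patch annotate each declassification with a sentence explaining it; the two `RSA_check_key` hunks in the next chunk (`@@ -835,8 +831,10 @@` and `@@ -867,7 +865,8 @@`) have the same gap. A comment such as `// These checks only reject malformed keys, so leaking whether |ainv| is in range, or whether the product is one, reveals nothing beyond that the key is invalid.` keeps the constant-time audit trail consistent across the module and lets a reviewer verify the reasoning rather than the mechanism. check_mod_inverse's signature is visible, but the body runs across the two hunks, so any further declassifications in it are not visible here.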
@@ -835,8 +831,10 @@ int RSA_check_key(const RSA *key) { // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that // n was bound by |rsa_check_public_key|. This also implicitly checks p and q // are odd, which is a necessary condition for Montgomery reduction. - if (BN_is_negative(key->p) || BN_cmp(key->p, key->n) >= 0 || - BN_is_negative(key->q) || BN_cmp(key->q, key->n) >= 0) { + if (BN_is_negative(key->p) || + constant_time_declassify_int(BN_cmp(key->p, key->n) >= 0) || + BN_is_negative(key->q) || + constant_time_declassify_int(BN_cmp(key->q, key->n) >= 0)) { OPENSSL_PUT_ERROR(RSA, RSA_R_N_NOT_EQUAL_P_Q); goto out; } @@ -867,7 +865,8 @@ int RSA_check_key(const RSA *key) { goto out; } - if (!BN_is_one(&tmp) || !BN_is_one(&de)) { + if (constant_time_declassify_int(!BN_is_one(&tmp)) || + constant_time_declassify_int(!BN_is_one(&de))) { OPENSSL_PUT_ERROR(RSA, RSA_R_D_E_NOT_CONGRUENT_TO_1); goto out; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c.inc similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c.inc index ab1f28adc..66d7aeb56 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c.inc @@ -65,10 +65,10 @@ #include #include +#include "../../bcm_support.h" #include "../../internal.h" #include "../bn/internal.h" #include "../delocate.h" -#include "../rand/fork_detect.h" #include "../service_indicator/internal.h" #include "internal.h" @@ -79,10 +79,8 @@ int rsa_check_public_key(const RSA *rsa) { return 0; } - // TODO(davidben): 16384-bit RSA is huge. Can we bring this down to a limit of - // 8192-bit? unsigned n_bits = BN_num_bits(rsa->n); - if (n_bits > 16 * 1024) { + if (n_bits > OPENSSL_RSA_MAX_MODULUS_BITS) { OPENSSL_PUT_ERROR(RSA, RSA_R_MODULUS_TOO_LARGE); return 0; } 
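Review bot: Replacing the literal `16 * 1024` with `OPENSSL_RSA_MAX_MODULUS_BITS` removes the TODO about lowering the bound, and the constant's value is not visible in this diff; if it is now below 16384, keys that `rsa_check_public_key` previously accepted will fail with `RSA_R_MODULUS_TOO_LARGE`, which is a behaviour change this package's consumers will hit at runtime rather than at compile time. Worth a line in the release notes for this update, and a comment at the check, `// |OPENSSL_RSA_MAX_MODULUS_BITS| is the public limit; larger moduli are rejected to bound the cost of the constant-time multiplications below.`, so the reason for the cap survives the removed TODO. rsa_check_public_key's body continues outside the hunk.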
@@ -155,7 +153,7 @@ static int ensure_fixed_copy(BIGNUM **out, const BIGNUM *in, int width) { return 0; } *out = copy; - CONSTTIME_SECRET(copy->d, sizeof(BN_ULONG) * width); + bn_secret(copy); return 1; } @@ -259,8 +257,7 @@ static int freeze_private_key(RSA *rsa, BN_CTX *ctx) { goto err; } rsa->iqmp_mont = iqmp_mont; - CONSTTIME_SECRET(rsa->iqmp_mont->d, - sizeof(BN_ULONG) * rsa->iqmp_mont->width); + bn_secret(rsa->iqmp_mont); } } } @@ -622,7 +619,9 @@ int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, goto err; } - if (BN_ucmp(f, rsa->n) >= 0) { + // The input to the RSA private transform may be secret, but padding is + // expected to construct a value within range, so we can leak this comparison. + if (constant_time_declassify_int(BN_ucmp(f, rsa->n) >= 0)) { // Usually the padding functions would catch this. OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE_FOR_MODULUS); goto err; @@ -794,7 +793,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { // This is a pre-condition for |mod_montgomery|. It was already checked by the // caller. - assert(BN_ucmp(I, n) < 0); + declassify_assert(BN_ucmp(I, n) < 0); if (// |m1| is the result modulo |q|. !mod_montgomery(r1, I, q, rsa->mont_q, p, ctx) || @@ -830,7 +829,7 @@ static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) { // bound the width slightly higher, so fix it. This trips constant-time checks // because a naive data flow analysis does not realize the excess words are // publicly zero. - assert(BN_cmp(r0, n) < 0); + declassify_assert(BN_cmp(r0, n) < 0); bn_assert_fits_in_bytes(r0, BN_num_bytes(n)); if (!bn_resize_words(r0, n->width)) { goto err; 
@@ -1002,20 +1001,25 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, // retrying. That is, we reject a negligible fraction of primes that are // within the FIPS bound, but we will never accept a prime outside the // bound, ensuring the resulting RSA key is the right size. - if (BN_cmp(out, sqrt2) <= 0) { + // + // Values over the threshold are discarded, so it is safe to leak this + // comparison. + if (constant_time_declassify_int(BN_cmp(out, sqrt2) <= 0)) { continue; } // RSA key generation's bottleneck is discarding composites. If it fails // trial division, do not bother computing a GCD or performing Miller-Rabin. if (!bn_odd_number_is_obviously_composite(out)) { - // Check gcd(out-1, e) is one (steps 4.5 and 5.6). + // Check gcd(out-1, e) is one (steps 4.5 and 5.6). Leaking the final + // result of this comparison is safe because, if not relatively prime, the + // value will be discarded. int relatively_prime; - if (!BN_sub(tmp, out, BN_value_one()) || + if (!bn_usub_consttime(tmp, out, BN_value_one()) || !bn_is_relatively_prime(&relatively_prime, tmp, e, ctx)) { goto err; } - if (relatively_prime) { + if (constant_time_declassify_int(relatively_prime)) { // Test |out| for primality (steps 4.5.1 and 5.6.1). int is_probable_prime; if (!BN_primality_test(&is_probable_prime, out, @@ -1173,8 +1177,9 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value, } // Retry if |rsa->d| <= 2^|prime_bits|. See appendix B.3.1's guidance on - // values for d. - } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0); + // values for d. When we retry, p and q are discarded, so it is safe to leak + // this comparison. + } while (constant_time_declassify_int(BN_cmp(rsa->d, pow2_prime_bits) <= 0)); assert(BN_num_bits(pm1) == (unsigned)prime_bits); assert(BN_num_bits(qm1) == (unsigned)prime_bits); 
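Review bot: `bn_usub_consttime(tmp, out, BN_value_one())` replaces a signed `BN_sub`; an unsigned constant-time subtraction presumably has a no-borrow precondition, and it does hold here only because the `BN_cmp(out, sqrt2) <= 0` check immediately above has already discarded any candidate that does not exceed `sqrt2`, but nothing at the call site records that dependency. A short comment, `// |out| > sqrt2 here, so the unsigned subtraction cannot borrow.`, would tie the precondition to the check that guarantees it and survive a future reordering of the two steps. generate_prime starts and ends outside the hunk.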
@@ -1188,6 +1193,9 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value, } bn_set_minimal_width(rsa->n); + // |rsa->n| is computed from the private key, but is public. + bn_declassify(rsa->n); + // Sanity-check that |rsa->n| has the specified size. This is implied by // |generate_prime|'s bounds. if (BN_num_bits(rsa->n) != (unsigned)bits) { @@ -1240,6 +1248,11 @@ static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits, int check_fips) { boringssl_ensure_rsa_self_test(); + if (rsa == NULL) { + OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + RSA *tmp = NULL; uint32_t err; int ret = 0; diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/fips.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/fips.c.inc similarity index 94% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/fips.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/fips.c.inc index 184e9420c..3755067e8 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/fips.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/fips.c.inc @@ -72,7 +72,8 @@ int FIPS_query_algorithm_status(const char *algorithm) { #if defined(BORINGSSL_FIPS_COUNTERS) size_t FIPS_read_counter(enum fips_counter_t counter) { - if (counter < 0 || counter > fips_counter_max) { + size_t index = (size_t)counter; + if (index > fips_counter_max) { abort(); } @@ -82,11 +83,12 @@ size_t FIPS_read_counter(enum fips_counter_t counter) { return 0; } - return array[counter]; + return array[index]; } void boringssl_fips_inc_counter(enum fips_counter_t counter) { - if (counter < 0 || counter > fips_counter_max) { + size_t index = (size_t)counter; + if (index > fips_counter_max) { abort(); } @@ -106,7 +108,7 @@ void boringssl_fips_inc_counter(enum fips_counter_t counter) { } } - array[counter]++; + array[index]++; } #else 
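Review bot: The new NULL check in RSA_generate_key_ex_maybe_fips reports the error under the wrong library: `OPENSSL_PUT_ERROR(EC, ERR_R_PASSED_NULL_PARAMETER)` appears in rsa_impl.c.inc, so a caller inspecting the error queue with ERR_GET_LIB is pointed at EC rather than RSA. It should read `OPENSSL_PUT_ERROR(RSA, ERR_R_PASSED_NULL_PARAMETER);`, consistent with the other `OPENSSL_PUT_ERROR(RSA, …)` calls visible in this file; it looks like a copy from an EC key-generation routine. Since this tree is vendored by script, the correction belongs upstream rather than as a local patch. The function continues outside the hunk.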
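Review bot: In FIPS_read_counter and boringssl_fips_inc_counter the explicit `counter < 0` test is gone and the bound is checked on `(size_t)counter` alone. That is still correct, because a negative enum value converts to a large size_t and fails `index > fips_counter_max`, but the reliance on unsigned conversion is invisible at the call site and a later change of `index` to a signed type would silently reopen the out-of-range read of `array[index]` and write of `array[index]++`. Add at both casts `// A negative |counter| converts to a large size_t, so this single check also rejects it.` so the intent survives refactoring. Both function bodies continue outside their hunks.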
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/self_check.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/self_check.c.inc similarity index 94% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/self_check.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/self_check.c.inc index c2312d9c0..d24fcb402 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/self_check.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/self_check/self_check.c.inc @@ -26,15 +26,15 @@ #include #include #include - -#include #include #include #include #include #include +#include "../../bcm_support.h" #include "../../internal.h" +#include "../delocate.h" #include "../dh/internal.h" #include "../ec/internal.h" #include "../ecdsa/internal.h" @@ -54,21 +54,22 @@ int BORINGSSL_self_test(void) { #else -static void hexdump(const uint8_t *in, size_t len) { +static void hexdump(FILE *out, const uint8_t *in, size_t len) { for (size_t i = 0; i < len; i++) { - fprintf(stderr, "%02x", in[i]); + fprintf(out, "%02x", in[i]); } } static int check_test(const void *expected, const void *actual, size_t expected_len, const char *name) { if (OPENSSL_memcmp(actual, expected, expected_len) != 0) { - fprintf(stderr, "%s failed.\nExpected: ", name); - hexdump(expected, expected_len); - fprintf(stderr, "\nCalculated: "); - hexdump(actual, expected_len); - fprintf(stderr, "\n"); - fflush(stderr); + FILE *err = CRYPTO_get_stderr(); + fprintf(err, "%s failed.\nExpected: ", name); + hexdump(err, expected, expected_len); + fprintf(err, "\nCalculated: "); + hexdump(err, actual, expected_len); + fprintf(err, "\n"); + fflush(err); return 0; } return 1; 
@@ -79,28 +80,6 @@ static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) { return *out != NULL; } -static int serialize_ecdsa_sig(uint8_t *out, size_t out_len, - const ECDSA_SIG *sig) { - if ((out_len & 1) || // - !BN_bn2bin_padded(out, out_len / 2, sig->r) || - !BN_bn2bin_padded(out + out_len / 2, out_len / 2, sig->s)) { - return 0; - } - return 1; -} - -static ECDSA_SIG *parse_ecdsa_sig(const uint8_t *in, size_t in_len) { - ECDSA_SIG *ret = ECDSA_SIG_new(); - if (!ret || // - (in_len & 1) || - BN_bin2bn(in, in_len/2, ret->r) == NULL || - BN_bin2bn(in + in_len/2, in_len/2, ret->s) == NULL) { - ECDSA_SIG_free(ret); - ret = NULL; - } - return ret; -} - static RSA *self_test_rsa_key(void) { static const uint8_t kN[] = { 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc, @@ -317,7 +296,7 @@ static int boringssl_self_test_rsa(void) { RSA *const rsa_key = self_test_rsa_key(); if (rsa_key == NULL) { - fprintf(stderr, "RSA key construction failed\n"); + fprintf(CRYPTO_get_stderr(), "RSA key construction failed\n"); goto err; } // Disable blinding for the power-on tests because it's not needed and @@ -361,7 +340,7 @@ static int boringssl_self_test_rsa(void) { output, &sig_len, rsa_key) || !check_test(kRSASignSignature, output, sizeof(kRSASignSignature), "RSA-sign KAT")) { - fprintf(stderr, "RSA signing test failed.\n"); + fprintf(CRYPTO_get_stderr(), "RSA signing test failed.\n"); goto err; } @@ -399,7 +378,7 @@ static int boringssl_self_test_rsa(void) { if (!rsa_verify_no_self_test(NID_sha256, kRSAVerifyDigest, sizeof(kRSAVerifyDigest), kRSAVerifySignature, sizeof(kRSAVerifySignature), rsa_key)) { - fprintf(stderr, "RSA-verify KAT failed.\n"); + fprintf(CRYPTO_get_stderr(), "RSA-verify KAT failed.\n"); goto err; } 
@@ -417,11 +396,10 @@ static int boringssl_self_test_ecc(void) { EC_POINT *ec_point_in = NULL; EC_POINT *ec_point_out = NULL; BIGNUM *ec_scalar = NULL; - ECDSA_SIG *sig = NULL; ec_key = self_test_ecdsa_key(); if (ec_key == NULL) { - fprintf(stderr, "ECDSA KeyGen failed\n"); + fprintf(CRYPTO_get_stderr(), "ECDSA KeyGen failed\n"); goto err; } @@ -445,16 +423,15 @@ static int boringssl_self_test_ecc(void) { uint8_t ecdsa_k[32] = {0}; ecdsa_k[31] = 42; - sig = ecdsa_sign_with_nonce_for_known_answer_test( - kECDSASignDigest, sizeof(kECDSASignDigest), ec_key, ecdsa_k, - sizeof(ecdsa_k)); - uint8_t ecdsa_sign_output[64]; - if (sig == NULL || - !serialize_ecdsa_sig(ecdsa_sign_output, sizeof(ecdsa_sign_output), sig) || + size_t ecdsa_sign_output_len; + if (!ecdsa_sign_fixed_with_nonce_for_known_answer_test( + kECDSASignDigest, sizeof(kECDSASignDigest), ecdsa_sign_output, + &ecdsa_sign_output_len, sizeof(ecdsa_sign_output), ec_key, ecdsa_k, + sizeof(ecdsa_k)) || !check_test(kECDSASignSig, ecdsa_sign_output, sizeof(ecdsa_sign_output), "ECDSA-sign signature")) { - fprintf(stderr, "ECDSA-sign KAT failed.\n"); + fprintf(CRYPTO_get_stderr(), "ECDSA-sign KAT failed.\n"); goto err; } @@ -472,12 +449,10 @@ static int boringssl_self_test_ecc(void) { 0x8e, 0x5f, 0x64, 0xc3, 0x7e, 0xa2, 0xcf, 0x05, 0x29, }; - ECDSA_SIG_free(sig); - sig = parse_ecdsa_sig(kECDSAVerifySig, sizeof(kECDSAVerifySig)); - if (!sig || - !ecdsa_do_verify_no_self_test(kECDSAVerifyDigest, - sizeof(kECDSAVerifyDigest), sig, ec_key)) { - fprintf(stderr, "ECDSA-verify KAT failed.\n"); + if (!ecdsa_verify_fixed_no_self_test( + kECDSAVerifyDigest, sizeof(kECDSAVerifyDigest), kECDSAVerifySig, + sizeof(kECDSAVerifySig), ec_key)) { + fprintf(CRYPTO_get_stderr(), "ECDSA-verify KAT failed.\n"); goto err; } 
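Review bot: `ecdsa_sign_output_len` is filled in by `ecdsa_sign_fixed_with_nonce_for_known_answer_test` but never checked; the KAT then compares all `sizeof(ecdsa_sign_output)` bytes of the uninitialized `uint8_t ecdsa_sign_output[64]`, so if the fixed-format signer ever wrote fewer than 64 bytes the test would compare stack garbage instead of failing for a clear reason. Add the length to the failure condition, `ecdsa_sign_output_len != sizeof(ecdsa_sign_output) ||` immediately before the `!check_test(kECDSASignSig, …)` term, which also documents that the fixed encoding is expected to be exactly 64 bytes for this curve. boringssl_self_test_ecc starts and ends outside this hunk.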
@@ -523,7 +498,7 @@ static int boringssl_self_test_ecc(void) { z_comp_result, sizeof(z_comp_result), NULL) || !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result), "Z Computation Result")) { - fprintf(stderr, "Z-computation KAT failed.\n"); + fprintf(CRYPTO_get_stderr(), "Z-computation KAT failed.\n"); goto err; } @@ -534,7 +509,6 @@ static int boringssl_self_test_ecc(void) { EC_POINT_free(ec_point_in); EC_POINT_free(ec_point_out); BN_free(ec_scalar); - ECDSA_SIG_free(sig); return ret; } @@ -603,7 +577,7 @@ static int boringssl_self_test_ffdh(void) { dh_compute_key_padded_no_self_test(dh_out, ffdhe2048_value, dh) != sizeof(dh_out) || !check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH")) { - fprintf(stderr, "FFDH failed.\n"); + fprintf(CRYPTO_get_stderr(), "FFDH failed.\n"); goto err; } @@ -751,7 +725,7 @@ static int boringssl_self_test_fast(void) { }; memcpy(aes_iv, kAESIV, sizeof(kAESIV)); if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { - fprintf(stderr, "AES_set_encrypt_key failed.\n"); + fprintf(CRYPTO_get_stderr(), "AES_set_encrypt_key failed.\n"); goto err; } AES_cbc_encrypt(kAESCBCEncPlaintext, output, sizeof(kAESCBCEncPlaintext), @@ -774,7 +748,7 @@ static int boringssl_self_test_fast(void) { }; memcpy(aes_iv, kAESIV, sizeof(kAESIV)); if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { - fprintf(stderr, "AES_set_decrypt_key failed.\n"); + fprintf(CRYPTO_get_stderr(), "AES_set_decrypt_key failed.\n"); goto err; } AES_cbc_encrypt(kAESCBCDecCiphertext, output, sizeof(kAESCBCDecCiphertext), @@ -789,7 +763,7 @@ static int boringssl_self_test_fast(void) { OPENSSL_memset(nonce, 0, sizeof(nonce)); if (!EVP_AEAD_CTX_init(&aead_ctx, EVP_aead_aes_128_gcm(), kAESKey, sizeof(kAESKey), 0, NULL)) { - fprintf(stderr, "EVP_AEAD_CTX_init for AES-128-GCM failed.\n"); + fprintf(CRYPTO_get_stderr(), "EVP_AEAD_CTX_init for AES-128-GCM failed.\n"); goto err; } 
@@ -811,7 +785,7 @@ static int boringssl_self_test_fast(void) { 0) || !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext), "AES-GCM-encrypt KAT")) { - fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n"); + fprintf(CRYPTO_get_stderr(), "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n"); goto err; } @@ -834,7 +808,7 @@ static int boringssl_self_test_fast(void) { NULL, 0) || !check_test(kAESGCMDecPlaintext, output, sizeof(kAESGCMDecPlaintext), "AES-GCM-decrypt KAT")) { - fprintf(stderr, + fprintf(CRYPTO_get_stderr(), "AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed.\n"); goto err; } @@ -903,7 +877,7 @@ static int boringssl_self_test_fast(void) { sizeof(kDRBGAD)) || !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput), "DRBG-reseed KAT")) { - fprintf(stderr, "CTR-DRBG failed.\n"); + fprintf(CRYPTO_get_stderr(), "CTR-DRBG failed.\n"); goto err; } CTR_DRBG_clear(&drbg); @@ -942,7 +916,7 @@ static int boringssl_self_test_fast(void) { kTLSSeed2, sizeof(kTLSSeed2)) || !check_test(kTLS10Output, tls10_output, sizeof(kTLS10Output), "TLS10-KDF KAT")) { - fprintf(stderr, "TLS KDF failed.\n"); + fprintf(CRYPTO_get_stderr(), "TLS KDF failed.\n"); goto err; } @@ -963,7 +937,7 @@ static int boringssl_self_test_fast(void) { kTLSSeed2, sizeof(kTLSSeed2)) || !check_test(kTLS12Output, tls12_output, sizeof(kTLS12Output), "TLS12-KDF KAT")) { - fprintf(stderr, "TLS KDF failed.\n"); + fprintf(CRYPTO_get_stderr(), "TLS KDF failed.\n"); goto err; } @@ -1003,7 +977,7 @@ static int boringssl_self_test_fast(void) { !check_test(kTLS13ExpandLabelOutput, tls13_expand_label_output, sizeof(kTLS13ExpandLabelOutput), "CRYPTO_tls13_hkdf_expand_label")) { - fprintf(stderr, "TLS13-KDF failed.\n"); + fprintf(CRYPTO_get_stderr(), "TLS13-KDF failed.\n"); goto err; } 
@@ -1033,7 +1007,7 @@ static int boringssl_self_test_fast(void) { sizeof(kHKDFSecret), kHKDFSalt, sizeof(kHKDFSalt), kHKDFInfo, sizeof(kHKDFInfo)) || !check_test(kHKDFOutput, hkdf_output, sizeof(kHKDFOutput), "HKDF")) { - fprintf(stderr, "HKDF failed.\n"); + fprintf(CRYPTO_get_stderr(), "HKDF failed.\n"); goto err; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/internal.h index 86a3caf6d..268419069 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/internal.h @@ -28,8 +28,8 @@ void FIPS_service_indicator_update_state(void); // stop |FIPS_service_indicator_update_state| from actually updating the service // indicator. This is used when a primitive calls a potentially approved // primitive to avoid false positives. For example, just because a key -// generation calls |RAND_bytes| (and thus the approved DRBG) doesn't mean that -// the key generation operation itself is approved. +// generation calls |BCM_rand_bytes| (and thus the approved DRBG) doesn't mean +// that the key generation operation itself is approved. // // This lock nests: i.e. locking twice is fine so long as each lock is paired // with an unlock. If the (64-bit) counter overflows, the process aborts. diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c.inc similarity index 93% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c.inc index e18ed67e3..7c33274aa 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/service_indicator/service_indicator.c.inc 
@@ -171,7 +171,6 @@ static int is_md_fips_approved_for_signing(int md_type) { // type is FIPS approved for verifying, and zero otherwise. static int is_md_fips_approved_for_verifying(int md_type) { switch (md_type) { - case NID_sha1: case NID_sha224: case NID_sha256: case NID_sha384: @@ -184,7 +183,6 @@ static int is_md_fips_approved_for_verifying(int md_type) { } static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx, - int rsa_1024_ok, int (*md_ok)(int md_type)) { if (EVP_MD_CTX_md(ctx) == NULL) { // Signature schemes without a prehash are currently never FIPS approved. @@ -232,8 +230,7 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx, // Check if the MD type and the RSA key size are approved. if (md_ok(md_type) && - ((rsa_1024_ok && pkey_size == 128) || pkey_size == 256 || - pkey_size == 384 || pkey_size == 512)) { + (pkey_size == 256 || pkey_size == 384 || pkey_size == 512)) { FIPS_service_indicator_update_state(); } } else if (pkey_type == EVP_PKEY_EC) { @@ -251,7 +248,7 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx, } void EC_KEY_keygen_verify_service_indicator(const EC_KEY *eckey) { - if (is_ec_fips_approved(EC_GROUP_get_curve_name(eckey->group))) { + if (is_ec_fips_approved(EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)))) { FIPS_service_indicator_update_state(); } } 
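Review bot: Removing `case NID_sha1` from is_md_fips_approved_for_verifying and deleting the `rsa_1024_ok` path changes which signature verifications the service indicator reports as approved, but the function comments are not updated; the partially visible header still says only that it returns whether the "type is FIPS approved for verifying". Suggest extending that comment with one sentence stating that SHA-1 and 1024-bit RSA are deliberately no longer counted as approved even for legacy verification, and naming the transition guidance relied on if known, so a later reader does not treat the omission as an oversight and re-add them. The bodies of both functions continue outside the hunk.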
@@ -280,17 +277,17 @@ void EVP_Cipher_verify_service_indicator(const EVP_CIPHER_CTX *ctx) { } void EVP_DigestVerify_verify_service_indicator(const EVP_MD_CTX *ctx) { - return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/1, + return evp_md_ctx_verify_service_indicator(ctx, is_md_fips_approved_for_verifying); } void EVP_DigestSign_verify_service_indicator(const EVP_MD_CTX *ctx) { - return evp_md_ctx_verify_service_indicator(ctx, /*rsa_1024_ok=*/0, + return evp_md_ctx_verify_service_indicator(ctx, is_md_fips_approved_for_signing); } void HMAC_verify_service_indicator(const EVP_MD *evp_md) { - switch (evp_md->type) { + switch (EVP_MD_type(evp_md)) { case NID_sha1: case NID_sha224: case NID_sha256: @@ -303,12 +300,9 @@ void HMAC_verify_service_indicator(const EVP_MD *evp_md) { } void TLSKDF_verify_service_indicator(const EVP_MD *md) { - // HMAC-MD5/HMAC-SHA1 (both used concurrently) is approved for use in the KDF - // in TLS 1.0/1.1. HMAC-SHA{256, 384, 512} are approved for use in the KDF in - // TLS 1.2. These Key Derivation functions are to be used in the context of - // the TLS protocol. + // HMAC-SHA{256, 384, 512} are approved for use in the KDF in TLS 1.2. These + // Key Derivation functions are to be used in the context of the TLS protocol. switch (EVP_MD_type(md)) { - case NID_md5_sha1: case NID_sha256: case NID_sha384: case NID_sha512: diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/internal.h b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/internal.h index eff74dcf9..f074cae6f 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/internal.h +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/internal.h 
@@ -17,25 +17,221 @@ #include +#include "../../internal.h" + #if defined(__cplusplus) extern "C" { #endif +// Define SHA{n}[_{variant}]_ASM if sha{n}_block_data_order[_{variant}] is +// defined in assembly. + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) + +#define SHA1_ASM_NOHW +#define SHA256_ASM_NOHW +#define SHA512_ASM_NOHW + +#define SHA1_ASM_HW +OPENSSL_INLINE int sha1_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA1_capable(); +} + +#define SHA1_ASM_NEON +void sha1_block_data_order_neon(uint32_t state[5], const uint8_t *data, + size_t num); + +#define SHA256_ASM_HW +OPENSSL_INLINE int sha256_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA256_capable(); +} + +#define SHA256_ASM_NEON +void sha256_block_data_order_neon(uint32_t state[8], const uint8_t *data, + size_t num); + +// Armv8.2 SHA-512 instructions are not available in 32-bit. +#define SHA512_ASM_NEON +void sha512_block_data_order_neon(uint64_t state[8], const uint8_t *data, + size_t num); + +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) + +#define SHA1_ASM_NOHW +#define SHA256_ASM_NOHW +#define SHA512_ASM_NOHW + +#define SHA1_ASM_HW +OPENSSL_INLINE int sha1_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA1_capable(); +} + +#define SHA256_ASM_HW +OPENSSL_INLINE int sha256_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA256_capable(); +} + +#define SHA512_ASM_HW +OPENSSL_INLINE int sha512_hw_capable(void) { + return CRYPTO_is_ARMv8_SHA512_capable(); +} + +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) + +#define SHA1_ASM_NOHW +#define SHA256_ASM_NOHW +#define SHA512_ASM_NOHW + +#define SHA1_ASM_SSSE3 +OPENSSL_INLINE int sha1_ssse3_capable(void) { + // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not + // say to. 
+ return CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable(); +} +void sha1_block_data_order_ssse3(uint32_t state[5], const uint8_t *data, + size_t num); + +#define SHA1_ASM_AVX +OPENSSL_INLINE int sha1_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. + // + // TODO(davidben): Should we enable SHAEXT on 32-bit x86? + // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not + // say to. + return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu() && + CRYPTO_is_FXSR_capable(); +} +void sha1_block_data_order_avx(uint32_t state[5], const uint8_t *data, + size_t num); + +#define SHA256_ASM_SSSE3 +OPENSSL_INLINE int sha256_ssse3_capable(void) { + // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not + // say to. + return CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable(); +} +void sha256_block_data_order_ssse3(uint32_t state[8], const uint8_t *data, + size_t num); + +#define SHA256_ASM_AVX +OPENSSL_INLINE int sha256_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. + // + // TODO(davidben): Should we enable SHAEXT on 32-bit x86? + // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not + // say to. + return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu() && + CRYPTO_is_FXSR_capable(); +} +void sha256_block_data_order_avx(uint32_t state[8], const uint8_t *data, + size_t num); + +#define SHA512_ASM_SSSE3 +OPENSSL_INLINE int sha512_ssse3_capable(void) { + // TODO(davidben): Do we need to check the FXSR bit? The Intel manual does not + // say to. 
+ return CRYPTO_is_SSSE3_capable() && CRYPTO_is_FXSR_capable(); +} +void sha512_block_data_order_ssse3(uint64_t state[8], const uint8_t *data, + size_t num); + +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) + +#define SHA1_ASM_NOHW +#define SHA256_ASM_NOHW +#define SHA512_ASM_NOHW + +#define SHA1_ASM_HW +OPENSSL_INLINE int sha1_hw_capable(void) { + return CRYPTO_is_x86_SHA_capable() && CRYPTO_is_SSSE3_capable(); +} + +#define SHA1_ASM_AVX2 +OPENSSL_INLINE int sha1_avx2_capable(void) { + return CRYPTO_is_AVX2_capable() && CRYPTO_is_BMI2_capable() && + CRYPTO_is_BMI1_capable(); +} +void sha1_block_data_order_avx2(uint32_t state[5], const uint8_t *data, + size_t num); + +#define SHA1_ASM_AVX +OPENSSL_INLINE int sha1_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. + return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu(); +} +void sha1_block_data_order_avx(uint32_t state[5], const uint8_t *data, + size_t num); + +#define SHA1_ASM_SSSE3 +OPENSSL_INLINE int sha1_ssse3_capable(void) { + return CRYPTO_is_SSSE3_capable(); +} +void sha1_block_data_order_ssse3(uint32_t state[5], const uint8_t *data, + size_t num); + +#define SHA256_ASM_HW +OPENSSL_INLINE int sha256_hw_capable(void) { + // Note that the original assembly did not check SSSE3. + return CRYPTO_is_x86_SHA_capable() && CRYPTO_is_SSSE3_capable(); +} + +#define SHA256_ASM_AVX +OPENSSL_INLINE int sha256_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. 
+ return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu(); +} +void sha256_block_data_order_avx(uint32_t state[8], const uint8_t *data, + size_t num); + +#define SHA256_ASM_SSSE3 +OPENSSL_INLINE int sha256_ssse3_capable(void) { + return CRYPTO_is_SSSE3_capable(); +} +void sha256_block_data_order_ssse3(uint32_t state[8], const uint8_t *data, + size_t num); + +#define SHA512_ASM_AVX +OPENSSL_INLINE int sha512_avx_capable(void) { + // Pre-Zen AMD CPUs had slow SHLD/SHRD; Zen added the SHA extension; see the + // discussion in sha1-586.pl. + return CRYPTO_is_AVX_capable() && CRYPTO_is_intel_cpu(); +} +void sha512_block_data_order_avx(uint64_t state[8], const uint8_t *data, + size_t num); -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \ - defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) -#define SHA1_ASM -#define SHA256_ASM -#define SHA512_ASM -void sha1_block_data_order(uint32_t *state, const uint8_t *in, - size_t num_blocks); -void sha256_block_data_order(uint32_t *state, const uint8_t *in, - size_t num_blocks); -void sha512_block_data_order(uint64_t *state, const uint8_t *in, - size_t num_blocks); #endif +#if defined(SHA1_ASM_HW) +void sha1_block_data_order_hw(uint32_t state[5], const uint8_t *data, + size_t num); +#endif +#if defined(SHA1_ASM_NOHW) +void sha1_block_data_order_nohw(uint32_t state[5], const uint8_t *data, + size_t num); +#endif + +#if defined(SHA256_ASM_HW) +void sha256_block_data_order_hw(uint32_t state[8], const uint8_t *data, + size_t num); +#endif +#if defined(SHA256_ASM_NOHW) +void sha256_block_data_order_nohw(uint32_t state[8], const uint8_t *data, + size_t num); +#endif + +#if defined(SHA512_ASM_HW) +void sha512_block_data_order_hw(uint64_t state[8], const uint8_t *data, + size_t num); +#endif + +#if defined(SHA512_ASM_NOHW) +void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *data, + size_t num); +#endif #if defined(__cplusplus) } // extern "C" 
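Review bot: The 32-bit x86 branch repeats the "Do we need to check the FXSR bit?" TODO verbatim in five `*_capable()` helpers and the "Pre-Zen AMD CPUs had slow SHLD/SHRD" rationale in several more; a single file-scope comment, or one shared helper wrapping `CRYPTO_is_FXSR_capable()` that each predicate calls, would keep the policy in one place when the question is resolved. Separately, the header's opening comment explains only the `*_ASM` naming; it could also state the contract the .c.inc dispatchers rely on, namely that defining `SHA{n}_ASM_{variant}` promises both a `sha{n}_{variant}_capable()` predicate and a `sha{n}_block_data_order_{variant}` routine (NEON being the exception, with no predicate declared here). That pairing is currently only implied by layout.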
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha1.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha1.c.inc similarity index 82% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha1.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha1.c.inc index 591bfce7e..b5831f40a 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha1.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha1.c.inc 
@@ -54,63 +54,96 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ -#include - #include #include +#include "../bcm_interface.h" #include "../../internal.h" #include "../digest/md32_common.h" #include "../service_indicator/internal.h" #include "internal.h" -int SHA1_Init(SHA_CTX *sha) { +bcm_infallible BCM_sha1_init(SHA_CTX *sha) { OPENSSL_memset(sha, 0, sizeof(SHA_CTX)); sha->h[0] = 0x67452301UL; sha->h[1] = 0xefcdab89UL; sha->h[2] = 0x98badcfeUL; sha->h[3] = 0x10325476UL; sha->h[4] = 0xc3d2e1f0UL; - return 1; -} - -uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]) { - SHA_CTX ctx; - SHA1_Init(&ctx); - SHA1_Update(&ctx, data, len); - SHA1_Final(out, &ctx); - OPENSSL_cleanse(&ctx, sizeof(ctx)); - return out; + return bcm_infallible_approved; } #if !defined(SHA1_ASM) -static void sha1_block_data_order(uint32_t *state, const uint8_t *data, +static void sha1_block_data_order(uint32_t state[5], const uint8_t *data, size_t num); #endif -void SHA1_Transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) { +bcm_infallible BCM_sha1_transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]) { sha1_block_data_order(c->h, data, 1); + return bcm_infallible_approved; } -int SHA1_Update(SHA_CTX *c, const void *data, size_t len) { +bcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len) { crypto_md32_update(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num, &c->Nh, &c->Nl, data, len); - return 1; + return bcm_infallible_approved; } -int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { +static void sha1_output_state(uint8_t out[SHA_DIGEST_LENGTH], + const SHA_CTX *ctx) { + CRYPTO_store_u32_be(out, ctx->h[0]); + CRYPTO_store_u32_be(out + 4, ctx->h[1]); + CRYPTO_store_u32_be(out + 8, ctx->h[2]); + CRYPTO_store_u32_be(out + 12, ctx->h[3]); + CRYPTO_store_u32_be(out + 16, ctx->h[4]); +} + +bcm_infallible BCM_sha1_final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { 
crypto_md32_final(&sha1_block_data_order, c->h, c->data, SHA_CBLOCK, &c->num, c->Nh, c->Nl, /*is_big_endian=*/1); - CRYPTO_store_u32_be(out, c->h[0]); - CRYPTO_store_u32_be(out + 4, c->h[1]); - CRYPTO_store_u32_be(out + 8, c->h[2]); - CRYPTO_store_u32_be(out + 12, c->h[3]); - CRYPTO_store_u32_be(out + 16, c->h[4]); + sha1_output_state(out, c); FIPS_service_indicator_update_state(); - return 1; + return bcm_infallible_approved; +} + +bcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len, + const uint8_t xkey[SHA_DIGEST_LENGTH]) { + // XKEY and XVAL are 160-bit values, but are internally right-padded up to + // block size. See FIPS 186-2, Appendix 3.3. This buffer maintains both the + // current value of XKEY and the padding. + uint8_t block[SHA_CBLOCK] = {0}; + OPENSSL_memcpy(block, xkey, SHA_DIGEST_LENGTH); + + while (out_len != 0) { + // We always use a zero XSEED, so we can merge the inner and outer loops. + // XVAL is also always equal to XKEY. + SHA_CTX ctx; + BCM_sha1_init(&ctx); + BCM_sha1_transform(&ctx, block); + + // XKEY = (1 + XKEY + w_i) mod 2^b + uint32_t carry = 1; + for (int i = 4; i >= 0; i--) { + uint32_t tmp = CRYPTO_load_u32_be(block + i * 4); + tmp = CRYPTO_addc_u32(tmp, ctx.h[i], carry, &carry); + CRYPTO_store_u32_be(block + i * 4, tmp); + } + + // Output w_i. + if (out_len < SHA_DIGEST_LENGTH) { + uint8_t buf[SHA_DIGEST_LENGTH]; + sha1_output_state(buf, &ctx); + OPENSSL_memcpy(out, buf, out_len); + break; + } + sha1_output_state(out, &ctx); + out += SHA_DIGEST_LENGTH; + out_len -= SHA_DIGEST_LENGTH; + } + return bcm_infallible_not_approved; } #define Xupdate(a, ix, ia, ib, ic, id) \ 
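Review bot: BCM_fips_186_2_prf leaves key-derived material on the stack: `block` carries the evolving XKEY, `ctx` the per-iteration SHA-1 state and `buf` the trailing output, and none of them is scrubbed before returning, whereas the removed `SHA1()` wrapper in this same hunk did `OPENSSL_cleanse(&ctx, sizeof(ctx))`. Hoisting `ctx` out of the loop and cleansing `block`, `ctx` and `buf` with `OPENSSL_cleanse`, which is already in scope via `../../internal.h`, restores the previous hygiene for this secret-handling path; the rewrite is sketched below. The `#if !defined(SHA1_ASM)` guard earlier in the hunk is discussed at the dispatcher hunk.
```c
  uint8_t block[SHA_CBLOCK] = {0};
  OPENSSL_memcpy(block, xkey, SHA_DIGEST_LENGTH);

  SHA_CTX ctx;
  while (out_len != 0) {
    BCM_sha1_init(&ctx);
    // … unchanged: transform, XKEY = (1 + XKEY + w_i) update …
    if (out_len < SHA_DIGEST_LENGTH) {
      uint8_t buf[SHA_DIGEST_LENGTH];
      sha1_output_state(buf, &ctx);
      OPENSSL_memcpy(out, buf, out_len);
      OPENSSL_cleanse(buf, sizeof(buf));
      break;
    }
    // … unchanged: full-block output and pointer advance …
  }
  // |block| and |ctx| hold state derived from the secret XKEY; scrub them.
  OPENSSL_cleanse(block, sizeof(block));
  OPENSSL_cleanse(&ctx, sizeof(ctx));
  return bcm_infallible_not_approved;
```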
@@ -191,8 +224,10 @@ int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { #define X(i) XX##i #if !defined(SHA1_ASM) -static void sha1_block_data_order(uint32_t *state, const uint8_t *data, - size_t num) { + +#if !defined(SHA1_ASM_NOHW) +static void sha1_block_data_order_nohw(uint32_t state[5], const uint8_t *data, + size_t num) { register uint32_t A, B, C, D, E, T; uint32_t XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, XX8, XX9, XX10, XX11, XX12, XX13, XX14, XX15; @@ -339,7 +374,44 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data, E = state[4]; } } +#endif // !SHA1_ASM_NOHW + +static void sha1_block_data_order(uint32_t state[5], const uint8_t *data, + size_t num) { +#if defined(SHA1_ASM_HW) + if (sha1_hw_capable()) { + sha1_block_data_order_hw(state, data, num); + return; + } +#endif +#if defined(SHA1_ASM_AVX2) + if (sha1_avx2_capable()) { + sha1_block_data_order_avx2(state, data, num); + return; + } +#endif +#if defined(SHA1_ASM_AVX) + if (sha1_avx_capable()) { + sha1_block_data_order_avx(state, data, num); + return; + } #endif +#if defined(SHA1_ASM_SSSE3) + if (sha1_ssse3_capable()) { + sha1_block_data_order_ssse3(state, data, num); + return; + } +#endif +#if defined(SHA1_ASM_NEON) + if (CRYPTO_is_NEON_capable()) { + sha1_block_data_order_neon(state, data, num); + return; + } +#endif + sha1_block_data_order_nohw(state, data, num); +} + +#endif // !SHA1_ASM #undef Xupdate #undef K_00_19 diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha256.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha256.c.inc similarity index 77% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha256.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha256.c.inc index 31e7f9abc..69f364693 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha256.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha256.c.inc 
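Review bot: The new dispatcher sha1_block_data_order and the `_nohw` definition above it sit under `#if !defined(SHA1_ASM)`, yet this same patch removes the only `#define SHA1_ASM` visible here (in sha/internal.h); unless it is still defined somewhere not shown, the guard is now always true and should either be dropped or kept with a comment naming what defines it. The NEON branch also tests `CRYPTO_is_NEON_capable()` inline while every other branch goes through a `sha1_*_capable()` predicate declared in internal.h; a `sha1_neon_capable()` there would keep the whole capability policy in one header. Finally, the branch order (hardware, AVX2, AVX, SSSE3, NEON, portable) encodes a preference rather than mere availability and deserves a one-line comment above the first `#if`, e.g. `// Fastest implementation first; each branch returns if its capability check passes.`.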
@@ -54,19 +54,18 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ -#include - #include #include #include "../../internal.h" +#include "../bcm_interface.h" #include "../digest/md32_common.h" #include "../service_indicator/internal.h" #include "internal.h" -int SHA224_Init(SHA256_CTX *sha) { +bcm_infallible BCM_sha224_init(SHA256_CTX *sha) { OPENSSL_memset(sha, 0, sizeof(SHA256_CTX)); sha->h[0] = 0xc1059ed8UL; sha->h[1] = 0x367cd507UL; @@ -76,11 +75,11 @@ int SHA224_Init(SHA256_CTX *sha) { sha->h[5] = 0x68581511UL; sha->h[6] = 0x64f98fa7UL; sha->h[7] = 0xbefa4fa4UL; - sha->md_len = SHA224_DIGEST_LENGTH; - return 1; + sha->md_len = BCM_SHA224_DIGEST_LENGTH; + return bcm_infallible_approved; } -int SHA256_Init(SHA256_CTX *sha) { +bcm_infallible BCM_sha256_init(SHA256_CTX *sha) { OPENSSL_memset(sha, 0, sizeof(SHA256_CTX)); sha->h[0] = 0x6a09e667UL; sha->h[1] = 0xbb67ae85UL; 
@@ -90,60 +89,37 @@ int SHA256_Init(SHA256_CTX *sha) { sha->h[5] = 0x9b05688cUL; sha->h[6] = 0x1f83d9abUL; sha->h[7] = 0x5be0cd19UL; - sha->md_len = SHA256_DIGEST_LENGTH; - return 1; -} - -uint8_t *SHA224(const uint8_t *data, size_t len, - uint8_t out[SHA224_DIGEST_LENGTH]) { - SHA256_CTX ctx; - SHA224_Init(&ctx); - SHA224_Update(&ctx, data, len); - SHA224_Final(out, &ctx); - OPENSSL_cleanse(&ctx, sizeof(ctx)); - return out; + sha->md_len = BCM_SHA256_DIGEST_LENGTH; + return bcm_infallible_approved; } -uint8_t *SHA256(const uint8_t *data, size_t len, - uint8_t out[SHA256_DIGEST_LENGTH]) { - SHA256_CTX ctx; - SHA256_Init(&ctx); - SHA256_Update(&ctx, data, len); - SHA256_Final(out, &ctx); - OPENSSL_cleanse(&ctx, sizeof(ctx)); - return out; -} - -#ifndef SHA256_ASM -static void sha256_block_data_order(uint32_t *state, const uint8_t *in, +#if !defined(SHA256_ASM) +static void sha256_block_data_order(uint32_t state[8], const uint8_t *in, size_t num); #endif -void SHA256_Transform(SHA256_CTX *c, const uint8_t data[SHA256_CBLOCK]) { +bcm_infallible BCM_sha256_transform(SHA256_CTX *c, + const uint8_t data[BCM_SHA256_CBLOCK]) { sha256_block_data_order(c->h, data, 1); + return bcm_infallible_approved; } -int SHA256_Update(SHA256_CTX *c, const void *data, size_t len) { - crypto_md32_update(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK, +bcm_infallible BCM_sha256_update(SHA256_CTX *c, const void *data, size_t len) { + crypto_md32_update(&sha256_block_data_order, c->h, c->data, BCM_SHA256_CBLOCK, &c->num, &c->Nh, &c->Nl, data, len); - return 1; + return bcm_infallible_approved; } -int SHA224_Update(SHA256_CTX *ctx, const void *data, size_t len) { - return SHA256_Update(ctx, data, len); +bcm_infallible BCM_sha224_update(SHA256_CTX *ctx, const void *data, + size_t len) { + return BCM_sha256_update(ctx, data, len); } -static int sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) { - crypto_md32_final(&sha256_block_data_order, c->h, c->data, SHA256_CBLOCK, 
+static void sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) {
+ crypto_md32_final(&sha256_block_data_order, c->h, c->data, BCM_SHA256_CBLOCK,
 &c->num, c->Nh, c->Nl, /*is_big_endian=*/1);
- // TODO(davidben): This overflow check one of the few places a low-level hash
- // 'final' function can fail. SHA-512 does not have a corresponding check.
- // These functions already misbehave if the caller arbitrarily mutates |c|, so
- // can we assume one of |SHA256_Init| or |SHA224_Init| was used?
- if (md_len > SHA256_DIGEST_LENGTH) {
- return 0;
- }
+ BSSL_CHECK(md_len <= BCM_SHA256_DIGEST_LENGTH);
 assert(md_len % 4 == 0);
 const size_t out_words = md_len / 4;
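Review bot: `BSSL_CHECK(md_len <= BCM_SHA256_DIGEST_LENGTH)` in `sha256_final_impl` turns what used to be a `return 0` into a process abort, and nothing in the new code says why that is the right response. The removed TODO already gives the rationale (a bad `md_len` means the caller mutated `c` instead of using an init function), so I would keep it next to the check: `// |md_len| is set only by |BCM_sha224_init| or |BCM_sha256_init|; any other value means the caller corrupted |c|, a programming error, so abort rather than write past |out|.` The `assert(md_len % 4 == 0)` that follows stays debug-only while the bound became a hard check; that is memory-safe because `out_words = md_len / 4` truncates, but a short comment saying so would pre-empt the question. `sha256_final_impl` ends outside this hunk.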
@@ -153,26 +129,31 @@ static int sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) { } FIPS_service_indicator_update_state(); - return 1; } -int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) { - // Ideally we would assert |sha->md_len| is |SHA256_DIGEST_LENGTH| to match - // the size hint, but calling code often pairs |SHA224_Init| with +bcm_infallible BCM_sha256_final(uint8_t out[BCM_SHA256_DIGEST_LENGTH], + SHA256_CTX *c) { + // Ideally we would assert |sha->md_len| is |BCM_SHA256_DIGEST_LENGTH| to + // match the size hint, but calling code often pairs |SHA224_Init| with // |SHA256_Final| and expects |sha->md_len| to carry the size over. // // TODO(davidben): Add an assert and fix code to match them up. - return sha256_final_impl(out, c->md_len, c); + sha256_final_impl(out, c->md_len, c); + return bcm_infallible_approved; } -int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { +bcm_infallible BCM_sha224_final(uint8_t out[BCM_SHA224_DIGEST_LENGTH], + SHA256_CTX *ctx) { // This function must be paired with |SHA224_Init|, which sets |ctx->md_len| - // to |SHA224_DIGEST_LENGTH|. - assert(ctx->md_len == SHA224_DIGEST_LENGTH); - return sha256_final_impl(out, SHA224_DIGEST_LENGTH, ctx); + // to |BCM_SHA224_DIGEST_LENGTH|. + assert(ctx->md_len == BCM_SHA224_DIGEST_LENGTH); + sha256_final_impl(out, BCM_SHA224_DIGEST_LENGTH, ctx); + return bcm_infallible_approved; } -#ifndef SHA256_ASM +#if !defined(SHA256_ASM) + +#if !defined(SHA256_ASM_NOHW) static const uint32_t K256[64] = { 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 
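Review bot: The comment in `BCM_sha256_final` still names `|SHA224_Init|` and `|SHA256_Final|`, and refers to `|sha->md_len|` although the parameter is `c`, whereas the matching comment in `BCM_sha512_final` in this same patch was updated to `|BCM_sha384_init|`/`|BCM_sha512_final|`. I would bring it in line: `// match the size hint, but calling code often pairs |BCM_sha224_init| with` / `// |BCM_sha256_final| and expects |c->md_len| to carry the size over.` The comment in `BCM_sha224_final` has the same stale `|SHA224_Init|` reference and should read `|BCM_sha224_init|`.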
@@ -221,8 +202,8 @@ static const uint32_t K256[64] = { ROUND_00_15(i, a, b, c, d, e, f, g, h); \ } while (0) -static void sha256_block_data_order(uint32_t *state, const uint8_t *data, - size_t num) { +static void sha256_block_data_order_nohw(uint32_t state[8], const uint8_t *data, + size_t num) { uint32_t a, b, c, d, e, f, g, h, s0, s1, T1; uint32_t X[16]; int i; @@ -308,11 +289,45 @@ static void sha256_block_data_order(uint32_t *state, const uint8_t *data, } } -#endif // !SHA256_ASM +#endif // !defined(SHA256_ASM_NOHW) + +static void sha256_block_data_order(uint32_t state[8], const uint8_t *data, + size_t num) { +#if defined(SHA256_ASM_HW) + if (sha256_hw_capable()) { + sha256_block_data_order_hw(state, data, num); + return; + } +#endif +#if defined(SHA256_ASM_AVX) + if (sha256_avx_capable()) { + sha256_block_data_order_avx(state, data, num); + return; + } +#endif +#if defined(SHA256_ASM_SSSE3) + if (sha256_ssse3_capable()) { + sha256_block_data_order_ssse3(state, data, num); + return; + } +#endif +#if defined(SHA256_ASM_NEON) + if (CRYPTO_is_NEON_capable()) { + sha256_block_data_order_neon(state, data, num); + return; + } +#endif + sha256_block_data_order_nohw(state, data, num); +} + +#endif // !defined(SHA256_ASM) + -void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data, - size_t num_blocks) { +bcm_infallible BCM_sha256_transform_blocks(uint32_t state[8], + const uint8_t *data, + size_t num_blocks) { sha256_block_data_order(state, data, num_blocks); + return bcm_infallible_approved; } #undef Sigma0 diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha512.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha512.c.inc similarity index 80% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha512.c rename to Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha512.c.inc index a42915df7..cf1fdebe6 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha512.c +++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha/sha512.c.inc 
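Review bot: There are now two blank lines between `#endif // !defined(SHA256_ASM)` and `BCM_sha256_transform_blocks` (the added `+` blank plus the existing context blank); one of them should go. The `#endif` trailer comments in this file use the `// !defined(SHA256_ASM_NOHW)` form while the same guards in sha1.c.inc and sha512.c.inc in this patch use `// !SHA1_ASM_NOHW` / `// !SHA512_ASM_NOHW`; picking one form across the three files would help. As in the SHA-1 dispatcher, the NEON branch of `sha256_block_data_order` calls `CRYPTO_is_NEON_capable()` directly where the other branches use `sha256_*_capable()` predicates; a `sha256_neon_capable()` wrapper would keep the chain uniform.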
@@ -54,13 +54,12 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ -#include - #include #include #include "../../internal.h" +#include "../bcm_interface.h" #include "../service_indicator/internal.h" #include "internal.h" @@ -71,9 +70,9 @@ // this writing, so there is no need for a common collector/padding // implementation yet. -static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha); +static void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha); -int SHA384_Init(SHA512_CTX *sha) { +bcm_infallible BCM_sha384_init(SHA512_CTX *sha) { sha->h[0] = UINT64_C(0xcbbb9d5dc1059ed8); sha->h[1] = UINT64_C(0x629a292a367cd507); sha->h[2] = UINT64_C(0x9159015a3070dd17); @@ -86,12 +85,12 @@ int SHA384_Init(SHA512_CTX *sha) { sha->Nl = 0; sha->Nh = 0; sha->num = 0; - sha->md_len = SHA384_DIGEST_LENGTH; - return 1; + sha->md_len = BCM_SHA384_DIGEST_LENGTH; + return bcm_infallible_approved; } -int SHA512_Init(SHA512_CTX *sha) { +bcm_infallible BCM_sha512_init(SHA512_CTX *sha) { sha->h[0] = UINT64_C(0x6a09e667f3bcc908); sha->h[1] = UINT64_C(0xbb67ae8584caa73b); sha->h[2] = UINT64_C(0x3c6ef372fe94f82b); @@ -104,11 +103,11 @@ int SHA512_Init(SHA512_CTX *sha) { sha->Nl = 0; sha->Nh = 0; sha->num = 0; - sha->md_len = SHA512_DIGEST_LENGTH; - return 1; + sha->md_len = BCM_SHA512_DIGEST_LENGTH; + return bcm_infallible_approved; } -int SHA512_256_Init(SHA512_CTX *sha) { +bcm_infallible BCM_sha512_256_init(SHA512_CTX *sha) { sha->h[0] = UINT64_C(0x22312194fc2bf72c); sha->h[1] = UINT64_C(0x9f555fa3c84c64c2); sha->h[2] = UINT64_C(0x2393b86b6f53b151); 
@@ -121,79 +120,58 @@ int SHA512_256_Init(SHA512_CTX *sha) { sha->Nl = 0; sha->Nh = 0; sha->num = 0; - sha->md_len = SHA512_256_DIGEST_LENGTH; - return 1; -} - -uint8_t *SHA384(const uint8_t *data, size_t len, - uint8_t out[SHA384_DIGEST_LENGTH]) { - SHA512_CTX ctx; - SHA384_Init(&ctx); - SHA384_Update(&ctx, data, len); - SHA384_Final(out, &ctx); - OPENSSL_cleanse(&ctx, sizeof(ctx)); - return out; -} - -uint8_t *SHA512(const uint8_t *data, size_t len, - uint8_t out[SHA512_DIGEST_LENGTH]) { - SHA512_CTX ctx; - SHA512_Init(&ctx); - SHA512_Update(&ctx, data, len); - SHA512_Final(out, &ctx); - OPENSSL_cleanse(&ctx, sizeof(ctx)); - return out; -} - -uint8_t *SHA512_256(const uint8_t *data, size_t len, - uint8_t out[SHA512_256_DIGEST_LENGTH]) { - SHA512_CTX ctx; - SHA512_256_Init(&ctx); - SHA512_256_Update(&ctx, data, len); - SHA512_256_Final(out, &ctx); - OPENSSL_cleanse(&ctx, sizeof(ctx)); - return out; + sha->md_len = BCM_SHA512_256_DIGEST_LENGTH; + return bcm_infallible_approved; } #if !defined(SHA512_ASM) -static void sha512_block_data_order(uint64_t *state, const uint8_t *in, +static void sha512_block_data_order(uint64_t state[8], const uint8_t *in, size_t num_blocks); #endif -int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) { - // This function must be paired with |SHA384_Init|, which sets |sha->md_len| - // to |SHA384_DIGEST_LENGTH|. - assert(sha->md_len == SHA384_DIGEST_LENGTH); - return sha512_final_impl(out, SHA384_DIGEST_LENGTH, sha); +bcm_infallible BCM_sha384_final(uint8_t out[BCM_SHA384_DIGEST_LENGTH], + SHA512_CTX *sha) { + // This function must be paired with |BCM_sha384_init|, which sets + // |sha->md_len| to |BCM_SHA384_DIGEST_LENGTH|. 
+ assert(sha->md_len == BCM_SHA384_DIGEST_LENGTH); + sha512_final_impl(out, BCM_SHA384_DIGEST_LENGTH, sha); + return bcm_infallible_approved; } -int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) { - return SHA512_Update(sha, data, len); +bcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data, + size_t len) { + return BCM_sha512_update(sha, data, len); } -int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) { - return SHA512_Update(sha, data, len); +bcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data, + size_t len) { + return BCM_sha512_update(sha, data, len); } -int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) { - // This function must be paired with |SHA512_256_Init|, which sets - // |sha->md_len| to |SHA512_256_DIGEST_LENGTH|. - assert(sha->md_len == SHA512_256_DIGEST_LENGTH); - return sha512_final_impl(out, SHA512_256_DIGEST_LENGTH, sha); +bcm_infallible BCM_sha512_256_final(uint8_t out[BCM_SHA512_256_DIGEST_LENGTH], + SHA512_CTX *sha) { + // This function must be paired with |BCM_sha512_256_init|, which sets + // |sha->md_len| to |BCM_SHA512_256_DIGEST_LENGTH|. + assert(sha->md_len == BCM_SHA512_256_DIGEST_LENGTH); + sha512_final_impl(out, BCM_SHA512_256_DIGEST_LENGTH, sha); + return bcm_infallible_approved; } -void SHA512_Transform(SHA512_CTX *c, const uint8_t block[SHA512_CBLOCK]) { +bcm_infallible BCM_sha512_transform(SHA512_CTX *c, + const uint8_t block[SHA512_CBLOCK]) { sha512_block_data_order(c->h, block, 1); + return bcm_infallible_approved; } -int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) { +bcm_infallible BCM_sha512_update(SHA512_CTX *c, const void *in_data, + size_t len) { uint64_t l; uint8_t *p = c->p; const uint8_t *data = in_data; if (len == 0) { - return 1; + return bcm_infallible_approved; } l = (c->Nl + (((uint64_t)len) << 3)) & UINT64_C(0xffffffffffffffff); 
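Review bot: `BCM_sha512_transform` keeps the old `SHA512_CBLOCK` in its parameter declaration, `const uint8_t block[SHA512_CBLOCK]`, while every other size constant in this hunk was renamed to a `BCM_` form and the SHA-256 counterpart in this patch uses `BCM_SHA256_CBLOCK`. If bcm_interface.h defines the equivalent constant it should read `const uint8_t block[BCM_SHA512_CBLOCK]`; otherwise a comment noting the deliberate exception would help. Separately, the `& UINT64_C(0xffffffffffffffff)` in `BCM_sha512_update`'s length computation masks a `uint64_t` with all ones and is a no-op that reads as if it did something; it predates this change, but the function is being rewritten here and could be cleaned up alongside. `BCM_sha512_update` continues past the end of this hunk.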
@@ -232,19 +210,21 @@ int SHA512_Update(SHA512_CTX *c, const void *in_data, size_t len) { c->num = (int)len; } - return 1; + return bcm_infallible_approved; } -int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) { - // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match - // the size hint, but calling code often pairs |SHA384_Init| with - // |SHA512_Final| and expects |sha->md_len| to carry the size over. +bcm_infallible BCM_sha512_final(uint8_t out[BCM_SHA512_DIGEST_LENGTH], + SHA512_CTX *sha) { + // Ideally we would assert |sha->md_len| is |BCM_SHA512_DIGEST_LENGTH| to + // match the size hint, but calling code often pairs |BCM_sha384_init| with + // |BCM_sha512_final| and expects |sha->md_len| to carry the size over. // // TODO(davidben): Add an assert and fix code to match them up. - return sha512_final_impl(out, sha->md_len, sha); + sha512_final_impl(out, sha->md_len, sha); + return bcm_infallible_approved; } -static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) { +static void sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) { uint8_t *p = sha->p; size_t n = sha->num; @@ -262,12 +242,6 @@ static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) { sha512_block_data_order(sha->h, p, 1); - if (out == NULL) { - // TODO(davidben): This NULL check is absent in other low-level hash 'final' - // functions and is one of the few places one can fail. - return 0; - } - assert(md_len % 8 == 0); const size_t out_words = md_len / 8; for (size_t i = 0; i < out_words; i++) { @@ -276,10 +250,11 @@ static int sha512_final_impl(uint8_t *out, size_t md_len, SHA512_CTX *sha) { } FIPS_service_indicator_update_state(); - return 1; } -#ifndef SHA512_ASM +#if !defined(SHA512_ASM) + +#if !defined(SHA512_ASM_NOHW) static const uint64_t K512[80] = { UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd), UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc), 
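Review bot: `sha512_final_impl` now has no bound on `md_len`: the `if (out == NULL) return 0;` path was removed, and unlike `sha256_final_impl` in this patch, which gained `BSSL_CHECK(md_len <= BCM_SHA256_DIGEST_LENGTH)`, nothing here stops a corrupted `sha->md_len` (passed through unchanged by `BCM_sha512_final`) from driving `out_words = md_len / 8` past the 64-byte `out` buffer; the removed TODO in sha256.c.inc itself noted that SHA-512 lacked the corresponding check. Adding `BSSL_CHECK(md_len <= BCM_SHA512_DIGEST_LENGTH);` next to the existing `assert(md_len % 8 == 0);` would give the two implementations the same failure mode. The removed NULL check also means `out` is now dereferenced unconditionally, so `BCM_sha512_final`'s comment should say so, e.g. `// |out| must be non-NULL; there is no longer a runtime check.`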
@@ -341,8 +316,8 @@ static const uint64_t K512[80] = { #if defined(__i386) || defined(__i386__) || defined(_M_IX86) // This code should give better results on 32-bit CPU with less than // ~24 registers, both size and performance wise... -static void sha512_block_data_order(uint64_t *state, const uint8_t *in, - size_t num) { +static void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in, + size_t num) { uint64_t A, E, T; uint64_t X[9 + 80], *F; int i; @@ -414,14 +389,13 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in, ROUND_00_15(i + j, a, b, c, d, e, f, g, h); \ } while (0) -static void sha512_block_data_order(uint64_t *state, const uint8_t *in, - size_t num) { +static void sha512_block_data_order_nohw(uint64_t state[8], const uint8_t *in, + size_t num) { uint64_t a, b, c, d, e, f, g, h, s0, s1, T1; uint64_t X[16]; int i; while (num--) { - a = state[0]; b = state[1]; c = state[2]; @@ -498,6 +472,37 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in, #endif +#endif // !SHA512_ASM_NOHW + +static void sha512_block_data_order(uint64_t state[8], const uint8_t *data, + size_t num) { +#if defined(SHA512_ASM_HW) + if (sha512_hw_capable()) { + sha512_block_data_order_hw(state, data, num); + return; + } +#endif +#if defined(SHA512_ASM_AVX) + if (sha512_avx_capable()) { + sha512_block_data_order_avx(state, data, num); + return; + } +#endif +#if defined(SHA512_ASM_SSSE3) + if (sha512_ssse3_capable()) { + sha512_block_data_order_ssse3(state, data, num); + return; + } +#endif +#if defined(SHA512_ASM_NEON) + if (CRYPTO_is_NEON_capable()) { + sha512_block_data_order_neon(state, data, num); + return; + } +#endif + sha512_block_data_order_nohw(state, data, num); +} + #endif // !SHA512_ASM #undef Sigma0 diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S deleted file mode 100644 index 2f73432ef..000000000 
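Review bot: The new `sha512_block_data_order` dispatcher has no comment explaining that the branches are tried from most to least specialised before falling back to `sha512_block_data_order_nohw`, nor that `_nohw` itself has two bodies selected by the `#if defined(__i386) ...` guard earlier in the file. I would add above it: `// Pick the fastest backend the CPU supports; each predicate must agree with the SHA512_ASM_* macro that compiles its backend in.` As in the SHA-1 and SHA-256 dispatchers in this patch, the NEON branch calls `CRYPTO_is_NEON_capable()` directly while the other branches use `sha512_*_capable()` predicates; a `sha512_neon_capable()` wrapper would keep the three files uniform.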
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv4-large-ios.ios.arm.S
+++ /dev/null
@@ -1,1517 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -#include - -.text -#if defined(__thumb2__) -.syntax unified -.thumb -#else -.code 32 -#endif - -.globl _sha1_block_data_order -.private_extern _sha1_block_data_order -#ifdef __thumb2__ -.thumb_func _sha1_block_data_order -#endif - -.align 5 -_sha1_block_data_order: -#if __ARM_MAX_ARCH__>=7 -Lsha1_block: - adr r3,Lsha1_block - ldr r12,LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA1 - bne LARMv8 - tst r12,#ARMV7_NEON - bne LNEON -#endif - stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 - ldmia r0,{r3,r4,r5,r6,r7} -Lloop: - ldr r8,LK_00_19 - mov r14,sp - sub sp,sp,#15*4 - mov r5,r5,ror#30 - mov r6,r6,ror#30 - mov r7,r7,ror#30 @ [6] -L_00_15: -#if __ARM_ARCH<7 - ldrb r10,[r1,#2] - ldrb r9,[r1,#3] - ldrb r11,[r1,#1] - add r7,r8,r7,ror#2 @ E+=K_00_19 - ldrb r12,[r1],#4 - orr r9,r9,r10,lsl#8 - eor r10,r5,r6 @ F_xx_xx - orr r9,r9,r11,lsl#16 - add r7,r7,r3,ror#27 @ E+=ROR(A,27) - orr r9,r9,r12,lsl#24 -#else - ldr r9,[r1],#4 @ handles unaligned - add r7,r8,r7,ror#2 @ E+=K_00_19 - eor r10,r5,r6 @ F_xx_xx - add r7,r7,r3,ror#27 @ E+=ROR(A,27) -#ifdef __ARMEL__ - rev r9,r9 @ byte swap -#endif -#endif - and r10,r4,r10,ror#2 - add r7,r7,r9 @ E+=X[i] - eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) - str r9,[r14,#-4]! 
- add r7,r7,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH<7 - ldrb r10,[r1,#2] - ldrb r9,[r1,#3] - ldrb r11,[r1,#1] - add r6,r8,r6,ror#2 @ E+=K_00_19 - ldrb r12,[r1],#4 - orr r9,r9,r10,lsl#8 - eor r10,r4,r5 @ F_xx_xx - orr r9,r9,r11,lsl#16 - add r6,r6,r7,ror#27 @ E+=ROR(A,27) - orr r9,r9,r12,lsl#24 -#else - ldr r9,[r1],#4 @ handles unaligned - add r6,r8,r6,ror#2 @ E+=K_00_19 - eor r10,r4,r5 @ F_xx_xx - add r6,r6,r7,ror#27 @ E+=ROR(A,27) -#ifdef __ARMEL__ - rev r9,r9 @ byte swap -#endif -#endif - and r10,r3,r10,ror#2 - add r6,r6,r9 @ E+=X[i] - eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) - str r9,[r14,#-4]! - add r6,r6,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH<7 - ldrb r10,[r1,#2] - ldrb r9,[r1,#3] - ldrb r11,[r1,#1] - add r5,r8,r5,ror#2 @ E+=K_00_19 - ldrb r12,[r1],#4 - orr r9,r9,r10,lsl#8 - eor r10,r3,r4 @ F_xx_xx - orr r9,r9,r11,lsl#16 - add r5,r5,r6,ror#27 @ E+=ROR(A,27) - orr r9,r9,r12,lsl#24 -#else - ldr r9,[r1],#4 @ handles unaligned - add r5,r8,r5,ror#2 @ E+=K_00_19 - eor r10,r3,r4 @ F_xx_xx - add r5,r5,r6,ror#27 @ E+=ROR(A,27) -#ifdef __ARMEL__ - rev r9,r9 @ byte swap -#endif -#endif - and r10,r7,r10,ror#2 - add r5,r5,r9 @ E+=X[i] - eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) - str r9,[r14,#-4]! - add r5,r5,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH<7 - ldrb r10,[r1,#2] - ldrb r9,[r1,#3] - ldrb r11,[r1,#1] - add r4,r8,r4,ror#2 @ E+=K_00_19 - ldrb r12,[r1],#4 - orr r9,r9,r10,lsl#8 - eor r10,r7,r3 @ F_xx_xx - orr r9,r9,r11,lsl#16 - add r4,r4,r5,ror#27 @ E+=ROR(A,27) - orr r9,r9,r12,lsl#24 -#else - ldr r9,[r1],#4 @ handles unaligned - add r4,r8,r4,ror#2 @ E+=K_00_19 - eor r10,r7,r3 @ F_xx_xx - add r4,r4,r5,ror#27 @ E+=ROR(A,27) -#ifdef __ARMEL__ - rev r9,r9 @ byte swap -#endif -#endif - and r10,r6,r10,ror#2 - add r4,r4,r9 @ E+=X[i] - eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) - str r9,[r14,#-4]! 
- add r4,r4,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH<7 - ldrb r10,[r1,#2] - ldrb r9,[r1,#3] - ldrb r11,[r1,#1] - add r3,r8,r3,ror#2 @ E+=K_00_19 - ldrb r12,[r1],#4 - orr r9,r9,r10,lsl#8 - eor r10,r6,r7 @ F_xx_xx - orr r9,r9,r11,lsl#16 - add r3,r3,r4,ror#27 @ E+=ROR(A,27) - orr r9,r9,r12,lsl#24 -#else - ldr r9,[r1],#4 @ handles unaligned - add r3,r8,r3,ror#2 @ E+=K_00_19 - eor r10,r6,r7 @ F_xx_xx - add r3,r3,r4,ror#27 @ E+=ROR(A,27) -#ifdef __ARMEL__ - rev r9,r9 @ byte swap -#endif -#endif - and r10,r5,r10,ror#2 - add r3,r3,r9 @ E+=X[i] - eor r10,r10,r7,ror#2 @ F_00_19(B,C,D) - str r9,[r14,#-4]! - add r3,r3,r10 @ E+=F_00_19(B,C,D) -#if defined(__thumb2__) - mov r12,sp - teq r14,r12 -#else - teq r14,sp -#endif - bne L_00_15 @ [((11+4)*5+2)*3] - sub sp,sp,#25*4 -#if __ARM_ARCH<7 - ldrb r10,[r1,#2] - ldrb r9,[r1,#3] - ldrb r11,[r1,#1] - add r7,r8,r7,ror#2 @ E+=K_00_19 - ldrb r12,[r1],#4 - orr r9,r9,r10,lsl#8 - eor r10,r5,r6 @ F_xx_xx - orr r9,r9,r11,lsl#16 - add r7,r7,r3,ror#27 @ E+=ROR(A,27) - orr r9,r9,r12,lsl#24 -#else - ldr r9,[r1],#4 @ handles unaligned - add r7,r8,r7,ror#2 @ E+=K_00_19 - eor r10,r5,r6 @ F_xx_xx - add r7,r7,r3,ror#27 @ E+=ROR(A,27) -#ifdef __ARMEL__ - rev r9,r9 @ byte swap -#endif -#endif - and r10,r4,r10,ror#2 - add r7,r7,r9 @ E+=X[i] - eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) - str r9,[r14,#-4]! - add r7,r7,r10 @ E+=F_00_19(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r6,r8,r6,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r4,r5 @ F_xx_xx - mov r9,r9,ror#31 - add r6,r6,r7,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! 
- and r10,r3,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r6,r6,r9 @ E+=X[i] - eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) - add r6,r6,r10 @ E+=F_00_19(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r5,r8,r5,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r3,r4 @ F_xx_xx - mov r9,r9,ror#31 - add r5,r5,r6,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - and r10,r7,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r5,r5,r9 @ E+=X[i] - eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) - add r5,r5,r10 @ E+=F_00_19(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r4,r8,r4,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r7,r3 @ F_xx_xx - mov r9,r9,ror#31 - add r4,r4,r5,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - and r10,r6,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r4,r4,r9 @ E+=X[i] - eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) - add r4,r4,r10 @ E+=F_00_19(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r3,r8,r3,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r6,r7 @ F_xx_xx - mov r9,r9,ror#31 - add r3,r3,r4,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - and r10,r5,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r3,r3,r9 @ E+=X[i] - eor r10,r10,r7,ror#2 @ F_00_19(B,C,D) - add r3,r3,r10 @ E+=F_00_19(B,C,D) - - ldr r8,LK_20_39 @ [+15+16*4] - cmn sp,#0 @ [+3], clear carry to denote 20_39 -L_20_39_or_60_79: - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r7,r8,r7,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r5,r6 @ F_xx_xx - mov r9,r9,ror#31 - add r7,r7,r3,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! 
- eor r10,r4,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r7,r7,r9 @ E+=X[i] - add r7,r7,r10 @ E+=F_20_39(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r6,r8,r6,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r4,r5 @ F_xx_xx - mov r9,r9,ror#31 - add r6,r6,r7,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - eor r10,r3,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r6,r6,r9 @ E+=X[i] - add r6,r6,r10 @ E+=F_20_39(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r5,r8,r5,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r3,r4 @ F_xx_xx - mov r9,r9,ror#31 - add r5,r5,r6,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - eor r10,r7,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r5,r5,r9 @ E+=X[i] - add r5,r5,r10 @ E+=F_20_39(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r4,r8,r4,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r7,r3 @ F_xx_xx - mov r9,r9,ror#31 - add r4,r4,r5,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - eor r10,r6,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r4,r4,r9 @ E+=X[i] - add r4,r4,r10 @ E+=F_20_39(B,C,D) - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r3,r8,r3,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r6,r7 @ F_xx_xx - mov r9,r9,ror#31 - add r3,r3,r4,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! 
- eor r10,r5,r10,ror#2 @ F_xx_xx - @ F_xx_xx - add r3,r3,r9 @ E+=X[i] - add r3,r3,r10 @ E+=F_20_39(B,C,D) -#if defined(__thumb2__) - mov r12,sp - teq r14,r12 -#else - teq r14,sp @ preserve carry -#endif - bne L_20_39_or_60_79 @ [+((12+3)*5+2)*4] - bcs L_done @ [+((12+3)*5+2)*4], spare 300 bytes - - ldr r8,LK_40_59 - sub sp,sp,#20*4 @ [+2] -L_40_59: - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r7,r8,r7,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r5,r6 @ F_xx_xx - mov r9,r9,ror#31 - add r7,r7,r3,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - and r10,r4,r10,ror#2 @ F_xx_xx - and r11,r5,r6 @ F_xx_xx - add r7,r7,r9 @ E+=X[i] - add r7,r7,r10 @ E+=F_40_59(B,C,D) - add r7,r7,r11,ror#2 - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r6,r8,r6,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r4,r5 @ F_xx_xx - mov r9,r9,ror#31 - add r6,r6,r7,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - and r10,r3,r10,ror#2 @ F_xx_xx - and r11,r4,r5 @ F_xx_xx - add r6,r6,r9 @ E+=X[i] - add r6,r6,r10 @ E+=F_40_59(B,C,D) - add r6,r6,r11,ror#2 - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r5,r8,r5,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r3,r4 @ F_xx_xx - mov r9,r9,ror#31 - add r5,r5,r6,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - and r10,r7,r10,ror#2 @ F_xx_xx - and r11,r3,r4 @ F_xx_xx - add r5,r5,r9 @ E+=X[i] - add r5,r5,r10 @ E+=F_40_59(B,C,D) - add r5,r5,r11,ror#2 - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r4,r8,r4,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r7,r3 @ F_xx_xx - mov r9,r9,ror#31 - add r4,r4,r5,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! 
- and r10,r6,r10,ror#2 @ F_xx_xx - and r11,r7,r3 @ F_xx_xx - add r4,r4,r9 @ E+=X[i] - add r4,r4,r10 @ E+=F_40_59(B,C,D) - add r4,r4,r11,ror#2 - ldr r9,[r14,#15*4] - ldr r10,[r14,#13*4] - ldr r11,[r14,#7*4] - add r3,r8,r3,ror#2 @ E+=K_xx_xx - ldr r12,[r14,#2*4] - eor r9,r9,r10 - eor r11,r11,r12 @ 1 cycle stall - eor r10,r6,r7 @ F_xx_xx - mov r9,r9,ror#31 - add r3,r3,r4,ror#27 @ E+=ROR(A,27) - eor r9,r9,r11,ror#31 - str r9,[r14,#-4]! - and r10,r5,r10,ror#2 @ F_xx_xx - and r11,r6,r7 @ F_xx_xx - add r3,r3,r9 @ E+=X[i] - add r3,r3,r10 @ E+=F_40_59(B,C,D) - add r3,r3,r11,ror#2 -#if defined(__thumb2__) - mov r12,sp - teq r14,r12 -#else - teq r14,sp -#endif - bne L_40_59 @ [+((12+5)*5+2)*4] - - ldr r8,LK_60_79 - sub sp,sp,#20*4 - cmp sp,#0 @ set carry to denote 60_79 - b L_20_39_or_60_79 @ [+4], spare 300 bytes -L_done: - add sp,sp,#80*4 @ "deallocate" stack frame - ldmia r0,{r8,r9,r10,r11,r12} - add r3,r8,r3 - add r4,r9,r4 - add r5,r10,r5,ror#2 - add r6,r11,r6,ror#2 - add r7,r12,r7,ror#2 - stmia r0,{r3,r4,r5,r6,r7} - teq r1,r2 - bne Lloop @ [+18], total 1307 - -#if __ARM_ARCH>=5 - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} -#else - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - tst lr,#1 - moveq pc,lr @ be binary compatible with V4, yet -.word 0xe12fff1e @ interoperable with Thumb ISA:-) -#endif - - -.align 5 -LK_00_19:.word 0x5a827999 -LK_20_39:.word 0x6ed9eba1 -LK_40_59:.word 0x8f1bbcdc -LK_60_79:.word 0xca62c1d6 -#if __ARM_MAX_ARCH__>=7 -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lsha1_block -#endif -.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.align 5 -#if __ARM_MAX_ARCH__>=7 - - - -#ifdef __thumb2__ -.thumb_func sha1_block_data_order_neon -#endif -.align 4 -sha1_block_data_order_neon: -LNEON: - stmdb 
sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 - @ dmb @ errata #451034 on early Cortex A8 - @ vstmdb sp!,{d8-d15} @ ABI specification says so - mov r14,sp - sub r12,sp,#64 - adr r8,LK_00_19 - bic r12,r12,#15 @ align for 128-bit stores - - ldmia r0,{r3,r4,r5,r6,r7} @ load context - mov sp,r12 @ alloca - - vld1.8 {q0,q1},[r1]! @ handles unaligned - veor q15,q15,q15 - vld1.8 {q2,q3},[r1]! - vld1.32 {d28[],d29[]},[r8,:32]! @ load K_00_19 - vrev32.8 q0,q0 @ yes, even on - vrev32.8 q1,q1 @ big-endian... - vrev32.8 q2,q2 - vadd.i32 q8,q0,q14 - vrev32.8 q3,q3 - vadd.i32 q9,q1,q14 - vst1.32 {q8},[r12,:128]! - vadd.i32 q10,q2,q14 - vst1.32 {q9},[r12,:128]! - vst1.32 {q10},[r12,:128]! - ldr r9,[sp] @ big RAW stall - -Loop_neon: - vext.8 q8,q0,q1,#8 - bic r10,r6,r4 - add r7,r7,r9 - and r11,r5,r4 - vadd.i32 q13,q3,q14 - ldr r9,[sp,#4] - add r7,r7,r3,ror#27 - vext.8 q12,q3,q15,#4 - eor r11,r11,r10 - mov r4,r4,ror#2 - add r7,r7,r11 - veor q8,q8,q0 - bic r10,r5,r3 - add r6,r6,r9 - veor q12,q12,q2 - and r11,r4,r3 - ldr r9,[sp,#8] - veor q12,q12,q8 - add r6,r6,r7,ror#27 - eor r11,r11,r10 - vst1.32 {q13},[r12,:128]! - sub r12,r12,#64 - mov r3,r3,ror#2 - add r6,r6,r11 - vext.8 q13,q15,q12,#4 - bic r10,r4,r7 - add r5,r5,r9 - vadd.i32 q8,q12,q12 - and r11,r3,r7 - ldr r9,[sp,#12] - vsri.32 q8,q12,#31 - add r5,r5,r6,ror#27 - eor r11,r11,r10 - mov r7,r7,ror#2 - vshr.u32 q12,q13,#30 - add r5,r5,r11 - bic r10,r3,r6 - vshl.u32 q13,q13,#2 - add r4,r4,r9 - and r11,r7,r6 - veor q8,q8,q12 - ldr r9,[sp,#16] - add r4,r4,r5,ror#27 - veor q8,q8,q13 - eor r11,r11,r10 - mov r6,r6,ror#2 - add r4,r4,r11 - vext.8 q9,q1,q2,#8 - bic r10,r7,r5 - add r3,r3,r9 - and r11,r6,r5 - vadd.i32 q13,q8,q14 - ldr r9,[sp,#20] - vld1.32 {d28[],d29[]},[r8,:32]! 
- add r3,r3,r4,ror#27 - vext.8 q12,q8,q15,#4 - eor r11,r11,r10 - mov r5,r5,ror#2 - add r3,r3,r11 - veor q9,q9,q1 - bic r10,r6,r4 - add r7,r7,r9 - veor q12,q12,q3 - and r11,r5,r4 - ldr r9,[sp,#24] - veor q12,q12,q9 - add r7,r7,r3,ror#27 - eor r11,r11,r10 - vst1.32 {q13},[r12,:128]! - mov r4,r4,ror#2 - add r7,r7,r11 - vext.8 q13,q15,q12,#4 - bic r10,r5,r3 - add r6,r6,r9 - vadd.i32 q9,q12,q12 - and r11,r4,r3 - ldr r9,[sp,#28] - vsri.32 q9,q12,#31 - add r6,r6,r7,ror#27 - eor r11,r11,r10 - mov r3,r3,ror#2 - vshr.u32 q12,q13,#30 - add r6,r6,r11 - bic r10,r4,r7 - vshl.u32 q13,q13,#2 - add r5,r5,r9 - and r11,r3,r7 - veor q9,q9,q12 - ldr r9,[sp,#32] - add r5,r5,r6,ror#27 - veor q9,q9,q13 - eor r11,r11,r10 - mov r7,r7,ror#2 - add r5,r5,r11 - vext.8 q10,q2,q3,#8 - bic r10,r3,r6 - add r4,r4,r9 - and r11,r7,r6 - vadd.i32 q13,q9,q14 - ldr r9,[sp,#36] - add r4,r4,r5,ror#27 - vext.8 q12,q9,q15,#4 - eor r11,r11,r10 - mov r6,r6,ror#2 - add r4,r4,r11 - veor q10,q10,q2 - bic r10,r7,r5 - add r3,r3,r9 - veor q12,q12,q8 - and r11,r6,r5 - ldr r9,[sp,#40] - veor q12,q12,q10 - add r3,r3,r4,ror#27 - eor r11,r11,r10 - vst1.32 {q13},[r12,:128]! - mov r5,r5,ror#2 - add r3,r3,r11 - vext.8 q13,q15,q12,#4 - bic r10,r6,r4 - add r7,r7,r9 - vadd.i32 q10,q12,q12 - and r11,r5,r4 - ldr r9,[sp,#44] - vsri.32 q10,q12,#31 - add r7,r7,r3,ror#27 - eor r11,r11,r10 - mov r4,r4,ror#2 - vshr.u32 q12,q13,#30 - add r7,r7,r11 - bic r10,r5,r3 - vshl.u32 q13,q13,#2 - add r6,r6,r9 - and r11,r4,r3 - veor q10,q10,q12 - ldr r9,[sp,#48] - add r6,r6,r7,ror#27 - veor q10,q10,q13 - eor r11,r11,r10 - mov r3,r3,ror#2 - add r6,r6,r11 - vext.8 q11,q3,q8,#8 - bic r10,r4,r7 - add r5,r5,r9 - and r11,r3,r7 - vadd.i32 q13,q10,q14 - ldr r9,[sp,#52] - add r5,r5,r6,ror#27 - vext.8 q12,q10,q15,#4 - eor r11,r11,r10 - mov r7,r7,ror#2 - add r5,r5,r11 - veor q11,q11,q3 - bic r10,r3,r6 - add r4,r4,r9 - veor q12,q12,q9 - and r11,r7,r6 - ldr r9,[sp,#56] - veor q12,q12,q11 - add r4,r4,r5,ror#27 - eor r11,r11,r10 - vst1.32 {q13},[r12,:128]! 
- mov r6,r6,ror#2 - add r4,r4,r11 - vext.8 q13,q15,q12,#4 - bic r10,r7,r5 - add r3,r3,r9 - vadd.i32 q11,q12,q12 - and r11,r6,r5 - ldr r9,[sp,#60] - vsri.32 q11,q12,#31 - add r3,r3,r4,ror#27 - eor r11,r11,r10 - mov r5,r5,ror#2 - vshr.u32 q12,q13,#30 - add r3,r3,r11 - bic r10,r6,r4 - vshl.u32 q13,q13,#2 - add r7,r7,r9 - and r11,r5,r4 - veor q11,q11,q12 - ldr r9,[sp,#0] - add r7,r7,r3,ror#27 - veor q11,q11,q13 - eor r11,r11,r10 - mov r4,r4,ror#2 - add r7,r7,r11 - vext.8 q12,q10,q11,#8 - bic r10,r5,r3 - add r6,r6,r9 - and r11,r4,r3 - veor q0,q0,q8 - ldr r9,[sp,#4] - add r6,r6,r7,ror#27 - veor q0,q0,q1 - eor r11,r11,r10 - mov r3,r3,ror#2 - vadd.i32 q13,q11,q14 - add r6,r6,r11 - bic r10,r4,r7 - veor q12,q12,q0 - add r5,r5,r9 - and r11,r3,r7 - vshr.u32 q0,q12,#30 - ldr r9,[sp,#8] - add r5,r5,r6,ror#27 - vst1.32 {q13},[r12,:128]! - sub r12,r12,#64 - eor r11,r11,r10 - mov r7,r7,ror#2 - vsli.32 q0,q12,#2 - add r5,r5,r11 - bic r10,r3,r6 - add r4,r4,r9 - and r11,r7,r6 - ldr r9,[sp,#12] - add r4,r4,r5,ror#27 - eor r11,r11,r10 - mov r6,r6,ror#2 - add r4,r4,r11 - bic r10,r7,r5 - add r3,r3,r9 - and r11,r6,r5 - ldr r9,[sp,#16] - add r3,r3,r4,ror#27 - eor r11,r11,r10 - mov r5,r5,ror#2 - add r3,r3,r11 - vext.8 q12,q11,q0,#8 - eor r10,r4,r6 - add r7,r7,r9 - ldr r9,[sp,#20] - veor q1,q1,q9 - eor r11,r10,r5 - add r7,r7,r3,ror#27 - veor q1,q1,q2 - mov r4,r4,ror#2 - add r7,r7,r11 - vadd.i32 q13,q0,q14 - eor r10,r3,r5 - add r6,r6,r9 - veor q12,q12,q1 - ldr r9,[sp,#24] - eor r11,r10,r4 - vshr.u32 q1,q12,#30 - add r6,r6,r7,ror#27 - mov r3,r3,ror#2 - vst1.32 {q13},[r12,:128]! 
- add r6,r6,r11 - eor r10,r7,r4 - vsli.32 q1,q12,#2 - add r5,r5,r9 - ldr r9,[sp,#28] - eor r11,r10,r3 - add r5,r5,r6,ror#27 - mov r7,r7,ror#2 - add r5,r5,r11 - eor r10,r6,r3 - add r4,r4,r9 - ldr r9,[sp,#32] - eor r11,r10,r7 - add r4,r4,r5,ror#27 - mov r6,r6,ror#2 - add r4,r4,r11 - vext.8 q12,q0,q1,#8 - eor r10,r5,r7 - add r3,r3,r9 - ldr r9,[sp,#36] - veor q2,q2,q10 - eor r11,r10,r6 - add r3,r3,r4,ror#27 - veor q2,q2,q3 - mov r5,r5,ror#2 - add r3,r3,r11 - vadd.i32 q13,q1,q14 - eor r10,r4,r6 - vld1.32 {d28[],d29[]},[r8,:32]! - add r7,r7,r9 - veor q12,q12,q2 - ldr r9,[sp,#40] - eor r11,r10,r5 - vshr.u32 q2,q12,#30 - add r7,r7,r3,ror#27 - mov r4,r4,ror#2 - vst1.32 {q13},[r12,:128]! - add r7,r7,r11 - eor r10,r3,r5 - vsli.32 q2,q12,#2 - add r6,r6,r9 - ldr r9,[sp,#44] - eor r11,r10,r4 - add r6,r6,r7,ror#27 - mov r3,r3,ror#2 - add r6,r6,r11 - eor r10,r7,r4 - add r5,r5,r9 - ldr r9,[sp,#48] - eor r11,r10,r3 - add r5,r5,r6,ror#27 - mov r7,r7,ror#2 - add r5,r5,r11 - vext.8 q12,q1,q2,#8 - eor r10,r6,r3 - add r4,r4,r9 - ldr r9,[sp,#52] - veor q3,q3,q11 - eor r11,r10,r7 - add r4,r4,r5,ror#27 - veor q3,q3,q8 - mov r6,r6,ror#2 - add r4,r4,r11 - vadd.i32 q13,q2,q14 - eor r10,r5,r7 - add r3,r3,r9 - veor q12,q12,q3 - ldr r9,[sp,#56] - eor r11,r10,r6 - vshr.u32 q3,q12,#30 - add r3,r3,r4,ror#27 - mov r5,r5,ror#2 - vst1.32 {q13},[r12,:128]! - add r3,r3,r11 - eor r10,r4,r6 - vsli.32 q3,q12,#2 - add r7,r7,r9 - ldr r9,[sp,#60] - eor r11,r10,r5 - add r7,r7,r3,ror#27 - mov r4,r4,ror#2 - add r7,r7,r11 - eor r10,r3,r5 - add r6,r6,r9 - ldr r9,[sp,#0] - eor r11,r10,r4 - add r6,r6,r7,ror#27 - mov r3,r3,ror#2 - add r6,r6,r11 - vext.8 q12,q2,q3,#8 - eor r10,r7,r4 - add r5,r5,r9 - ldr r9,[sp,#4] - veor q8,q8,q0 - eor r11,r10,r3 - add r5,r5,r6,ror#27 - veor q8,q8,q9 - mov r7,r7,ror#2 - add r5,r5,r11 - vadd.i32 q13,q3,q14 - eor r10,r6,r3 - add r4,r4,r9 - veor q12,q12,q8 - ldr r9,[sp,#8] - eor r11,r10,r7 - vshr.u32 q8,q12,#30 - add r4,r4,r5,ror#27 - mov r6,r6,ror#2 - vst1.32 {q13},[r12,:128]! 
- sub r12,r12,#64 - add r4,r4,r11 - eor r10,r5,r7 - vsli.32 q8,q12,#2 - add r3,r3,r9 - ldr r9,[sp,#12] - eor r11,r10,r6 - add r3,r3,r4,ror#27 - mov r5,r5,ror#2 - add r3,r3,r11 - eor r10,r4,r6 - add r7,r7,r9 - ldr r9,[sp,#16] - eor r11,r10,r5 - add r7,r7,r3,ror#27 - mov r4,r4,ror#2 - add r7,r7,r11 - vext.8 q12,q3,q8,#8 - eor r10,r3,r5 - add r6,r6,r9 - ldr r9,[sp,#20] - veor q9,q9,q1 - eor r11,r10,r4 - add r6,r6,r7,ror#27 - veor q9,q9,q10 - mov r3,r3,ror#2 - add r6,r6,r11 - vadd.i32 q13,q8,q14 - eor r10,r7,r4 - add r5,r5,r9 - veor q12,q12,q9 - ldr r9,[sp,#24] - eor r11,r10,r3 - vshr.u32 q9,q12,#30 - add r5,r5,r6,ror#27 - mov r7,r7,ror#2 - vst1.32 {q13},[r12,:128]! - add r5,r5,r11 - eor r10,r6,r3 - vsli.32 q9,q12,#2 - add r4,r4,r9 - ldr r9,[sp,#28] - eor r11,r10,r7 - add r4,r4,r5,ror#27 - mov r6,r6,ror#2 - add r4,r4,r11 - eor r10,r5,r7 - add r3,r3,r9 - ldr r9,[sp,#32] - eor r11,r10,r6 - add r3,r3,r4,ror#27 - mov r5,r5,ror#2 - add r3,r3,r11 - vext.8 q12,q8,q9,#8 - add r7,r7,r9 - and r10,r5,r6 - ldr r9,[sp,#36] - veor q10,q10,q2 - add r7,r7,r3,ror#27 - eor r11,r5,r6 - veor q10,q10,q11 - add r7,r7,r10 - and r11,r11,r4 - vadd.i32 q13,q9,q14 - mov r4,r4,ror#2 - add r7,r7,r11 - veor q12,q12,q10 - add r6,r6,r9 - and r10,r4,r5 - vshr.u32 q10,q12,#30 - ldr r9,[sp,#40] - add r6,r6,r7,ror#27 - vst1.32 {q13},[r12,:128]! - eor r11,r4,r5 - add r6,r6,r10 - vsli.32 q10,q12,#2 - and r11,r11,r3 - mov r3,r3,ror#2 - add r6,r6,r11 - add r5,r5,r9 - and r10,r3,r4 - ldr r9,[sp,#44] - add r5,r5,r6,ror#27 - eor r11,r3,r4 - add r5,r5,r10 - and r11,r11,r7 - mov r7,r7,ror#2 - add r5,r5,r11 - add r4,r4,r9 - and r10,r7,r3 - ldr r9,[sp,#48] - add r4,r4,r5,ror#27 - eor r11,r7,r3 - add r4,r4,r10 - and r11,r11,r6 - mov r6,r6,ror#2 - add r4,r4,r11 - vext.8 q12,q9,q10,#8 - add r3,r3,r9 - and r10,r6,r7 - ldr r9,[sp,#52] - veor q11,q11,q3 - add r3,r3,r4,ror#27 - eor r11,r6,r7 - veor q11,q11,q0 - add r3,r3,r10 - and r11,r11,r5 - vadd.i32 q13,q10,q14 - mov r5,r5,ror#2 - vld1.32 {d28[],d29[]},[r8,:32]! 
- add r3,r3,r11 - veor q12,q12,q11 - add r7,r7,r9 - and r10,r5,r6 - vshr.u32 q11,q12,#30 - ldr r9,[sp,#56] - add r7,r7,r3,ror#27 - vst1.32 {q13},[r12,:128]! - eor r11,r5,r6 - add r7,r7,r10 - vsli.32 q11,q12,#2 - and r11,r11,r4 - mov r4,r4,ror#2 - add r7,r7,r11 - add r6,r6,r9 - and r10,r4,r5 - ldr r9,[sp,#60] - add r6,r6,r7,ror#27 - eor r11,r4,r5 - add r6,r6,r10 - and r11,r11,r3 - mov r3,r3,ror#2 - add r6,r6,r11 - add r5,r5,r9 - and r10,r3,r4 - ldr r9,[sp,#0] - add r5,r5,r6,ror#27 - eor r11,r3,r4 - add r5,r5,r10 - and r11,r11,r7 - mov r7,r7,ror#2 - add r5,r5,r11 - vext.8 q12,q10,q11,#8 - add r4,r4,r9 - and r10,r7,r3 - ldr r9,[sp,#4] - veor q0,q0,q8 - add r4,r4,r5,ror#27 - eor r11,r7,r3 - veor q0,q0,q1 - add r4,r4,r10 - and r11,r11,r6 - vadd.i32 q13,q11,q14 - mov r6,r6,ror#2 - add r4,r4,r11 - veor q12,q12,q0 - add r3,r3,r9 - and r10,r6,r7 - vshr.u32 q0,q12,#30 - ldr r9,[sp,#8] - add r3,r3,r4,ror#27 - vst1.32 {q13},[r12,:128]! - sub r12,r12,#64 - eor r11,r6,r7 - add r3,r3,r10 - vsli.32 q0,q12,#2 - and r11,r11,r5 - mov r5,r5,ror#2 - add r3,r3,r11 - add r7,r7,r9 - and r10,r5,r6 - ldr r9,[sp,#12] - add r7,r7,r3,ror#27 - eor r11,r5,r6 - add r7,r7,r10 - and r11,r11,r4 - mov r4,r4,ror#2 - add r7,r7,r11 - add r6,r6,r9 - and r10,r4,r5 - ldr r9,[sp,#16] - add r6,r6,r7,ror#27 - eor r11,r4,r5 - add r6,r6,r10 - and r11,r11,r3 - mov r3,r3,ror#2 - add r6,r6,r11 - vext.8 q12,q11,q0,#8 - add r5,r5,r9 - and r10,r3,r4 - ldr r9,[sp,#20] - veor q1,q1,q9 - add r5,r5,r6,ror#27 - eor r11,r3,r4 - veor q1,q1,q2 - add r5,r5,r10 - and r11,r11,r7 - vadd.i32 q13,q0,q14 - mov r7,r7,ror#2 - add r5,r5,r11 - veor q12,q12,q1 - add r4,r4,r9 - and r10,r7,r3 - vshr.u32 q1,q12,#30 - ldr r9,[sp,#24] - add r4,r4,r5,ror#27 - vst1.32 {q13},[r12,:128]! 
- eor r11,r7,r3 - add r4,r4,r10 - vsli.32 q1,q12,#2 - and r11,r11,r6 - mov r6,r6,ror#2 - add r4,r4,r11 - add r3,r3,r9 - and r10,r6,r7 - ldr r9,[sp,#28] - add r3,r3,r4,ror#27 - eor r11,r6,r7 - add r3,r3,r10 - and r11,r11,r5 - mov r5,r5,ror#2 - add r3,r3,r11 - add r7,r7,r9 - and r10,r5,r6 - ldr r9,[sp,#32] - add r7,r7,r3,ror#27 - eor r11,r5,r6 - add r7,r7,r10 - and r11,r11,r4 - mov r4,r4,ror#2 - add r7,r7,r11 - vext.8 q12,q0,q1,#8 - add r6,r6,r9 - and r10,r4,r5 - ldr r9,[sp,#36] - veor q2,q2,q10 - add r6,r6,r7,ror#27 - eor r11,r4,r5 - veor q2,q2,q3 - add r6,r6,r10 - and r11,r11,r3 - vadd.i32 q13,q1,q14 - mov r3,r3,ror#2 - add r6,r6,r11 - veor q12,q12,q2 - add r5,r5,r9 - and r10,r3,r4 - vshr.u32 q2,q12,#30 - ldr r9,[sp,#40] - add r5,r5,r6,ror#27 - vst1.32 {q13},[r12,:128]! - eor r11,r3,r4 - add r5,r5,r10 - vsli.32 q2,q12,#2 - and r11,r11,r7 - mov r7,r7,ror#2 - add r5,r5,r11 - add r4,r4,r9 - and r10,r7,r3 - ldr r9,[sp,#44] - add r4,r4,r5,ror#27 - eor r11,r7,r3 - add r4,r4,r10 - and r11,r11,r6 - mov r6,r6,ror#2 - add r4,r4,r11 - add r3,r3,r9 - and r10,r6,r7 - ldr r9,[sp,#48] - add r3,r3,r4,ror#27 - eor r11,r6,r7 - add r3,r3,r10 - and r11,r11,r5 - mov r5,r5,ror#2 - add r3,r3,r11 - vext.8 q12,q1,q2,#8 - eor r10,r4,r6 - add r7,r7,r9 - ldr r9,[sp,#52] - veor q3,q3,q11 - eor r11,r10,r5 - add r7,r7,r3,ror#27 - veor q3,q3,q8 - mov r4,r4,ror#2 - add r7,r7,r11 - vadd.i32 q13,q2,q14 - eor r10,r3,r5 - add r6,r6,r9 - veor q12,q12,q3 - ldr r9,[sp,#56] - eor r11,r10,r4 - vshr.u32 q3,q12,#30 - add r6,r6,r7,ror#27 - mov r3,r3,ror#2 - vst1.32 {q13},[r12,:128]! - add r6,r6,r11 - eor r10,r7,r4 - vsli.32 q3,q12,#2 - add r5,r5,r9 - ldr r9,[sp,#60] - eor r11,r10,r3 - add r5,r5,r6,ror#27 - mov r7,r7,ror#2 - add r5,r5,r11 - eor r10,r6,r3 - add r4,r4,r9 - ldr r9,[sp,#0] - eor r11,r10,r7 - add r4,r4,r5,ror#27 - mov r6,r6,ror#2 - add r4,r4,r11 - vadd.i32 q13,q3,q14 - eor r10,r5,r7 - add r3,r3,r9 - vst1.32 {q13},[r12,:128]! 
- sub r12,r12,#64 - teq r1,r2 - sub r8,r8,#16 - it eq - subeq r1,r1,#64 - vld1.8 {q0,q1},[r1]! - ldr r9,[sp,#4] - eor r11,r10,r6 - vld1.8 {q2,q3},[r1]! - add r3,r3,r4,ror#27 - mov r5,r5,ror#2 - vld1.32 {d28[],d29[]},[r8,:32]! - add r3,r3,r11 - eor r10,r4,r6 - vrev32.8 q0,q0 - add r7,r7,r9 - ldr r9,[sp,#8] - eor r11,r10,r5 - add r7,r7,r3,ror#27 - mov r4,r4,ror#2 - add r7,r7,r11 - eor r10,r3,r5 - add r6,r6,r9 - ldr r9,[sp,#12] - eor r11,r10,r4 - add r6,r6,r7,ror#27 - mov r3,r3,ror#2 - add r6,r6,r11 - eor r10,r7,r4 - add r5,r5,r9 - ldr r9,[sp,#16] - eor r11,r10,r3 - add r5,r5,r6,ror#27 - mov r7,r7,ror#2 - add r5,r5,r11 - vrev32.8 q1,q1 - eor r10,r6,r3 - add r4,r4,r9 - vadd.i32 q8,q0,q14 - ldr r9,[sp,#20] - eor r11,r10,r7 - vst1.32 {q8},[r12,:128]! - add r4,r4,r5,ror#27 - mov r6,r6,ror#2 - add r4,r4,r11 - eor r10,r5,r7 - add r3,r3,r9 - ldr r9,[sp,#24] - eor r11,r10,r6 - add r3,r3,r4,ror#27 - mov r5,r5,ror#2 - add r3,r3,r11 - eor r10,r4,r6 - add r7,r7,r9 - ldr r9,[sp,#28] - eor r11,r10,r5 - add r7,r7,r3,ror#27 - mov r4,r4,ror#2 - add r7,r7,r11 - eor r10,r3,r5 - add r6,r6,r9 - ldr r9,[sp,#32] - eor r11,r10,r4 - add r6,r6,r7,ror#27 - mov r3,r3,ror#2 - add r6,r6,r11 - vrev32.8 q2,q2 - eor r10,r7,r4 - add r5,r5,r9 - vadd.i32 q9,q1,q14 - ldr r9,[sp,#36] - eor r11,r10,r3 - vst1.32 {q9},[r12,:128]! - add r5,r5,r6,ror#27 - mov r7,r7,ror#2 - add r5,r5,r11 - eor r10,r6,r3 - add r4,r4,r9 - ldr r9,[sp,#40] - eor r11,r10,r7 - add r4,r4,r5,ror#27 - mov r6,r6,ror#2 - add r4,r4,r11 - eor r10,r5,r7 - add r3,r3,r9 - ldr r9,[sp,#44] - eor r11,r10,r6 - add r3,r3,r4,ror#27 - mov r5,r5,ror#2 - add r3,r3,r11 - eor r10,r4,r6 - add r7,r7,r9 - ldr r9,[sp,#48] - eor r11,r10,r5 - add r7,r7,r3,ror#27 - mov r4,r4,ror#2 - add r7,r7,r11 - vrev32.8 q3,q3 - eor r10,r3,r5 - add r6,r6,r9 - vadd.i32 q10,q2,q14 - ldr r9,[sp,#52] - eor r11,r10,r4 - vst1.32 {q10},[r12,:128]! 
- add r6,r6,r7,ror#27 - mov r3,r3,ror#2 - add r6,r6,r11 - eor r10,r7,r4 - add r5,r5,r9 - ldr r9,[sp,#56] - eor r11,r10,r3 - add r5,r5,r6,ror#27 - mov r7,r7,ror#2 - add r5,r5,r11 - eor r10,r6,r3 - add r4,r4,r9 - ldr r9,[sp,#60] - eor r11,r10,r7 - add r4,r4,r5,ror#27 - mov r6,r6,ror#2 - add r4,r4,r11 - eor r10,r5,r7 - add r3,r3,r9 - eor r11,r10,r6 - add r3,r3,r4,ror#27 - mov r5,r5,ror#2 - add r3,r3,r11 - ldmia r0,{r9,r10,r11,r12} @ accumulate context - add r3,r3,r9 - ldr r9,[r0,#16] - add r4,r4,r10 - add r5,r5,r11 - add r6,r6,r12 - it eq - moveq sp,r14 - add r7,r7,r9 - it ne - ldrne r9,[sp] - stmia r0,{r3,r4,r5,r6,r7} - itt ne - addne r12,sp,#3*16 - bne Loop_neon - - @ vldmia sp!,{d8-d15} - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} - -#endif -#if __ARM_MAX_ARCH__>=7 - -# if defined(__thumb2__) -# define INST(a,b,c,d) .byte c,d|0xf,a,b -# else -# define INST(a,b,c,d) .byte a,b,c,d|0x10 -# endif - -#ifdef __thumb2__ -.thumb_func sha1_block_data_order_armv8 -#endif -.align 5 -sha1_block_data_order_armv8: -LARMv8: - vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so - - veor q1,q1,q1 - adr r3,LK_00_19 - vld1.32 {q0},[r0]! - vld1.32 {d2[0]},[r0] - sub r0,r0,#16 - vld1.32 {d16[],d17[]},[r3,:32]! - vld1.32 {d18[],d19[]},[r3,:32]! - vld1.32 {d20[],d21[]},[r3,:32]! - vld1.32 {d22[],d23[]},[r3,:32] - -Loop_v8: - vld1.8 {q4,q5},[r1]! - vld1.8 {q6,q7},[r1]! 
- vrev32.8 q4,q4 - vrev32.8 q5,q5 - - vadd.i32 q12,q8,q4 - vrev32.8 q6,q6 - vmov q14,q0 @ offload - subs r2,r2,#1 - - vadd.i32 q13,q8,q5 - vrev32.8 q7,q7 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 0 - INST(0x68,0x0c,0x02,0xe2) @ sha1c q0,q1,q12 - vadd.i32 q12,q8,q6 - INST(0x4c,0x8c,0x3a,0xe2) @ sha1su0 q4,q5,q6 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 1 - INST(0x6a,0x0c,0x06,0xe2) @ sha1c q0,q3,q13 - vadd.i32 q13,q8,q7 - INST(0x8e,0x83,0xba,0xf3) @ sha1su1 q4,q7 - INST(0x4e,0xac,0x3c,0xe2) @ sha1su0 q5,q6,q7 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 2 - INST(0x68,0x0c,0x04,0xe2) @ sha1c q0,q2,q12 - vadd.i32 q12,q8,q4 - INST(0x88,0xa3,0xba,0xf3) @ sha1su1 q5,q4 - INST(0x48,0xcc,0x3e,0xe2) @ sha1su0 q6,q7,q4 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 3 - INST(0x6a,0x0c,0x06,0xe2) @ sha1c q0,q3,q13 - vadd.i32 q13,q9,q5 - INST(0x8a,0xc3,0xba,0xf3) @ sha1su1 q6,q5 - INST(0x4a,0xec,0x38,0xe2) @ sha1su0 q7,q4,q5 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 4 - INST(0x68,0x0c,0x04,0xe2) @ sha1c q0,q2,q12 - vadd.i32 q12,q9,q6 - INST(0x8c,0xe3,0xba,0xf3) @ sha1su1 q7,q6 - INST(0x4c,0x8c,0x3a,0xe2) @ sha1su0 q4,q5,q6 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 5 - INST(0x6a,0x0c,0x16,0xe2) @ sha1p q0,q3,q13 - vadd.i32 q13,q9,q7 - INST(0x8e,0x83,0xba,0xf3) @ sha1su1 q4,q7 - INST(0x4e,0xac,0x3c,0xe2) @ sha1su0 q5,q6,q7 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 6 - INST(0x68,0x0c,0x14,0xe2) @ sha1p q0,q2,q12 - vadd.i32 q12,q9,q4 - INST(0x88,0xa3,0xba,0xf3) @ sha1su1 q5,q4 - INST(0x48,0xcc,0x3e,0xe2) @ sha1su0 q6,q7,q4 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 7 - INST(0x6a,0x0c,0x16,0xe2) @ sha1p q0,q3,q13 - vadd.i32 q13,q9,q5 - INST(0x8a,0xc3,0xba,0xf3) @ sha1su1 q6,q5 - INST(0x4a,0xec,0x38,0xe2) @ sha1su0 q7,q4,q5 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 8 - INST(0x68,0x0c,0x14,0xe2) @ sha1p q0,q2,q12 - vadd.i32 q12,q10,q6 - INST(0x8c,0xe3,0xba,0xf3) @ sha1su1 q7,q6 - INST(0x4c,0x8c,0x3a,0xe2) @ sha1su0 q4,q5,q6 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 9 - 
INST(0x6a,0x0c,0x16,0xe2) @ sha1p q0,q3,q13 - vadd.i32 q13,q10,q7 - INST(0x8e,0x83,0xba,0xf3) @ sha1su1 q4,q7 - INST(0x4e,0xac,0x3c,0xe2) @ sha1su0 q5,q6,q7 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 10 - INST(0x68,0x0c,0x24,0xe2) @ sha1m q0,q2,q12 - vadd.i32 q12,q10,q4 - INST(0x88,0xa3,0xba,0xf3) @ sha1su1 q5,q4 - INST(0x48,0xcc,0x3e,0xe2) @ sha1su0 q6,q7,q4 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 11 - INST(0x6a,0x0c,0x26,0xe2) @ sha1m q0,q3,q13 - vadd.i32 q13,q10,q5 - INST(0x8a,0xc3,0xba,0xf3) @ sha1su1 q6,q5 - INST(0x4a,0xec,0x38,0xe2) @ sha1su0 q7,q4,q5 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 12 - INST(0x68,0x0c,0x24,0xe2) @ sha1m q0,q2,q12 - vadd.i32 q12,q10,q6 - INST(0x8c,0xe3,0xba,0xf3) @ sha1su1 q7,q6 - INST(0x4c,0x8c,0x3a,0xe2) @ sha1su0 q4,q5,q6 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 13 - INST(0x6a,0x0c,0x26,0xe2) @ sha1m q0,q3,q13 - vadd.i32 q13,q11,q7 - INST(0x8e,0x83,0xba,0xf3) @ sha1su1 q4,q7 - INST(0x4e,0xac,0x3c,0xe2) @ sha1su0 q5,q6,q7 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 14 - INST(0x68,0x0c,0x24,0xe2) @ sha1m q0,q2,q12 - vadd.i32 q12,q11,q4 - INST(0x88,0xa3,0xba,0xf3) @ sha1su1 q5,q4 - INST(0x48,0xcc,0x3e,0xe2) @ sha1su0 q6,q7,q4 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 15 - INST(0x6a,0x0c,0x16,0xe2) @ sha1p q0,q3,q13 - vadd.i32 q13,q11,q5 - INST(0x8a,0xc3,0xba,0xf3) @ sha1su1 q6,q5 - INST(0x4a,0xec,0x38,0xe2) @ sha1su0 q7,q4,q5 - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 16 - INST(0x68,0x0c,0x14,0xe2) @ sha1p q0,q2,q12 - vadd.i32 q12,q11,q6 - INST(0x8c,0xe3,0xba,0xf3) @ sha1su1 q7,q6 - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 17 - INST(0x6a,0x0c,0x16,0xe2) @ sha1p q0,q3,q13 - vadd.i32 q13,q11,q7 - - INST(0xc0,0x62,0xb9,0xf3) @ sha1h q3,q0 @ 18 - INST(0x68,0x0c,0x14,0xe2) @ sha1p q0,q2,q12 - - INST(0xc0,0x42,0xb9,0xf3) @ sha1h q2,q0 @ 19 - INST(0x6a,0x0c,0x16,0xe2) @ sha1p q0,q3,q13 - - vadd.i32 q1,q1,q2 - vadd.i32 q0,q0,q14 - bne Loop_v8 - - vst1.32 {q0},[r0]! 
- vst1.32 {d2[0]},[r0] - - vldmia sp!,{d8,d9,d10,d11,d12,d13,d14,d15} - bx lr @ bx lr - -#endif -#if __ARM_MAX_ARCH__>=7 -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S deleted file mode 100644 index 9fcde4ff0..000000000 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv4-ios.ios.arm.S +++ /dev/null 
@@ -1,2845 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -@ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. -@ -@ Licensed under the OpenSSL license (the "License"). You may not use -@ this file except in compliance with the License. You can obtain a copy -@ in the file LICENSE in the source distribution or at -@ https://www.openssl.org/source/license.html - - -@ ==================================================================== -@ Written by Andy Polyakov for the OpenSSL -@ project. The module is, however, dual licensed under OpenSSL and -@ CRYPTOGAMS licenses depending on where you obtain it. For further -@ details see http://www.openssl.org/~appro/cryptogams/. -@ -@ Permission to use under GPL terms is granted. -@ ==================================================================== - -@ SHA256 block procedure for ARMv4. May 2007. - -@ Performance is ~2x better than gcc 3.4 generated code and in "abso- -@ lute" terms is ~2250 cycles per 64-byte block or ~35 cycles per -@ byte [on single-issue Xscale PXA250 core]. - -@ July 2010. -@ -@ Rescheduling for dual-issue pipeline resulted in 22% improvement on -@ Cortex A8 core and ~20 cycles per processed byte. - -@ February 2011. -@ -@ Profiler-assisted and platform-specific optimization resulted in 16% -@ improvement on Cortex A8 core and ~15.4 cycles per processed byte. - -@ September 2013. -@ -@ Add NEON implementation. On Cortex A8 it was measured to process one -@ byte in 12.5 cycles or 23% faster than integer-only code. Snapdragon -@ S4 does it in 12.5 cycles too, but it's 50% faster than integer-only -@ code (meaning that latter performs sub-optimally, nothing was done -@ about it). - -@ May 2014. 
-@ -@ Add ARMv8 code path performing at 2.0 cpb on Apple A7. - -#ifndef __KERNEL__ -# include -#else -# define __ARM_ARCH __LINUX_ARM_ARCH__ -# define __ARM_MAX_ARCH__ 7 -#endif - -@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both -@ ARMv7 and ARMv8 processors. It does have ARMv8-only code, but those -@ instructions are manually-encoded. (See unsha256.) - - -.text -#if defined(__thumb2__) -.syntax unified -.thumb -#else -.code 32 -#endif - - -.align 5 -K256: -.word 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 -.word 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5 -.word 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3 -.word 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174 -.word 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc -.word 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da -.word 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7 -.word 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967 -.word 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13 -.word 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85 -.word 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3 -.word 0xd192e819,0xd6990624,0xf40e3585,0x106aa070 -.word 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5 -.word 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 -.word 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 -.word 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 - -.word 0 @ terminator -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lsha256_block_data_order -#endif -.align 5 - -.globl _sha256_block_data_order -.private_extern _sha256_block_data_order -#ifdef __thumb2__ -.thumb_func _sha256_block_data_order -#endif -_sha256_block_data_order: -Lsha256_block_data_order: -#if __ARM_ARCH<7 && !defined(__thumb2__) - sub r3,pc,#8 @ _sha256_block_data_order -#else - adr r3,Lsha256_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA256 - bne LARMv8 - tst 
r12,#ARMV7_NEON - bne LNEON -#endif - add r2,r1,r2,lsl#6 @ len to point at the end of inp - stmdb sp!,{r0,r1,r2,r4-r11,lr} - ldmia r0,{r4,r5,r6,r7,r8,r9,r10,r11} - sub r14,r3,#256+32 @ K256 - sub sp,sp,#16*4 @ alloca(X[16]) -Loop: -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 -# else - ldrb r2,[r1,#3] -# endif - eor r3,r5,r6 @ magic - eor r12,r12,r12 -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 0 -# if 0==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r8,r8,ror#5 - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r8,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 0 - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 0==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r8,r8,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r8,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r11,r11,r2 @ h+=X[i] - str r2,[sp,#0*4] - eor r2,r9,r10 - add r11,r11,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r8 - add r11,r11,r12 @ h+=K256[i] - eor r2,r2,r10 @ Ch(e,f,g) - eor r0,r4,r4,ror#11 - add r11,r11,r2 @ h+=Ch(e,f,g) -#if 0==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 0<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r4,r5 @ a^b, b^c in next round -#else - ldr r2,[sp,#2*4] @ from future BODY_16_xx - eor r12,r4,r5 @ a^b, b^c in next round - ldr r1,[sp,#15*4] @ from future BODY_16_xx -#endif - eor r0,r0,r4,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r7,r7,r11 @ d+=h - eor r3,r3,r5 @ Maj(a,b,c) - add r11,r11,r0,ror#2 @ h+=Sigma0(a) - @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 1 -# if 1==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r7,r7,ror#5 - add r11,r11,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r7,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 1 - add r11,r11,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 1==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r7,r7,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r7,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r10,r10,r2 @ h+=X[i] - str r2,[sp,#1*4] - eor r2,r8,r9 - add r10,r10,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r7 - add r10,r10,r3 @ h+=K256[i] - eor r2,r2,r9 @ Ch(e,f,g) - eor r0,r11,r11,ror#11 - add r10,r10,r2 @ h+=Ch(e,f,g) -#if 1==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 1<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r11,r4 @ a^b, b^c in next round -#else - ldr r2,[sp,#3*4] @ from future BODY_16_xx - eor r3,r11,r4 @ a^b, b^c in next round - ldr r1,[sp,#0*4] @ from future BODY_16_xx -#endif - eor r0,r0,r11,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r6,r6,r10 @ d+=h - eor r12,r12,r4 @ Maj(a,b,c) - add r10,r10,r0,ror#2 @ h+=Sigma0(a) - @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 2 -# if 2==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r6,r6,ror#5 - add r10,r10,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r6,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 2 - add r10,r10,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 2==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r6,r6,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r6,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r9,r9,r2 @ h+=X[i] - str r2,[sp,#2*4] - eor r2,r7,r8 - add r9,r9,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r6 - add r9,r9,r12 @ h+=K256[i] - eor r2,r2,r8 @ Ch(e,f,g) - eor r0,r10,r10,ror#11 - add r9,r9,r2 @ h+=Ch(e,f,g) -#if 2==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 2<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r10,r11 @ a^b, b^c in next round -#else - ldr r2,[sp,#4*4] @ from future BODY_16_xx - eor r12,r10,r11 @ a^b, b^c in next round - ldr r1,[sp,#1*4] @ from future BODY_16_xx -#endif - eor r0,r0,r10,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r5,r5,r9 @ d+=h - eor r3,r3,r11 @ Maj(a,b,c) - add r9,r9,r0,ror#2 @ h+=Sigma0(a) - @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 3 -# if 3==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r5,r5,ror#5 - add r9,r9,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r5,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 3 - add r9,r9,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 3==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r5,r5,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r5,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r8,r8,r2 @ h+=X[i] - str r2,[sp,#3*4] - eor r2,r6,r7 - add r8,r8,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r5 - add r8,r8,r3 @ h+=K256[i] - eor r2,r2,r7 @ Ch(e,f,g) - eor r0,r9,r9,ror#11 - add r8,r8,r2 @ h+=Ch(e,f,g) -#if 3==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 3<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r9,r10 @ a^b, b^c in next round -#else - ldr r2,[sp,#5*4] @ from future BODY_16_xx - eor r3,r9,r10 @ a^b, b^c in next round - ldr r1,[sp,#2*4] @ from future BODY_16_xx -#endif - eor r0,r0,r9,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r4,r4,r8 @ d+=h - eor r12,r12,r10 @ Maj(a,b,c) - add r8,r8,r0,ror#2 @ h+=Sigma0(a) - @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 4 -# if 4==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r4,r4,ror#5 - add r8,r8,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r4,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 4 - add r8,r8,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 4==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r4,r4,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r4,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r7,r7,r2 @ h+=X[i] - str r2,[sp,#4*4] - eor r2,r5,r6 - add r7,r7,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r4 - add r7,r7,r12 @ h+=K256[i] - eor r2,r2,r6 @ Ch(e,f,g) - eor r0,r8,r8,ror#11 - add r7,r7,r2 @ h+=Ch(e,f,g) -#if 4==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 4<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r8,r9 @ a^b, b^c in next round -#else - ldr r2,[sp,#6*4] @ from future BODY_16_xx - eor r12,r8,r9 @ a^b, b^c in next round - ldr r1,[sp,#3*4] @ from future BODY_16_xx -#endif - eor r0,r0,r8,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r11,r11,r7 @ d+=h - eor r3,r3,r9 @ Maj(a,b,c) - add r7,r7,r0,ror#2 @ h+=Sigma0(a) - @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 5 -# if 5==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r11,r11,ror#5 - add r7,r7,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r11,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 5 - add r7,r7,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 5==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r11,r11,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r11,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r6,r6,r2 @ h+=X[i] - str r2,[sp,#5*4] - eor r2,r4,r5 - add r6,r6,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r11 - add r6,r6,r3 @ h+=K256[i] - eor r2,r2,r5 @ Ch(e,f,g) - eor r0,r7,r7,ror#11 - add r6,r6,r2 @ h+=Ch(e,f,g) -#if 5==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 5<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r7,r8 @ a^b, b^c in next round -#else - ldr r2,[sp,#7*4] @ from future BODY_16_xx - eor r3,r7,r8 @ a^b, b^c in next round - ldr r1,[sp,#4*4] @ from future BODY_16_xx -#endif - eor r0,r0,r7,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r10,r10,r6 @ d+=h - eor r12,r12,r8 @ Maj(a,b,c) - add r6,r6,r0,ror#2 @ h+=Sigma0(a) - @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 6 -# if 6==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r10,r10,ror#5 - add r6,r6,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r10,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 6 - add r6,r6,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 6==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r10,r10,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r10,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r5,r5,r2 @ h+=X[i] - str r2,[sp,#6*4] - eor r2,r11,r4 - add r5,r5,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r10 - add r5,r5,r12 @ h+=K256[i] - eor r2,r2,r4 @ Ch(e,f,g) - eor r0,r6,r6,ror#11 - add r5,r5,r2 @ h+=Ch(e,f,g) -#if 6==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 6<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r6,r7 @ a^b, b^c in next round -#else - ldr r2,[sp,#8*4] @ from future BODY_16_xx - eor r12,r6,r7 @ a^b, b^c in next round - ldr r1,[sp,#5*4] @ from future BODY_16_xx -#endif - eor r0,r0,r6,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r9,r9,r5 @ d+=h - eor r3,r3,r7 @ Maj(a,b,c) - add r5,r5,r0,ror#2 @ h+=Sigma0(a) - @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 7 -# if 7==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r9,r9,ror#5 - add r5,r5,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r9,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 7 - add r5,r5,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 7==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r9,r9,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r9,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r4,r4,r2 @ h+=X[i] - str r2,[sp,#7*4] - eor r2,r10,r11 - add r4,r4,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r9 - add r4,r4,r3 @ h+=K256[i] - eor r2,r2,r11 @ Ch(e,f,g) - eor r0,r5,r5,ror#11 - add r4,r4,r2 @ h+=Ch(e,f,g) -#if 7==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 7<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r5,r6 @ a^b, b^c in next round -#else - ldr r2,[sp,#9*4] @ from future BODY_16_xx - eor r3,r5,r6 @ a^b, b^c in next round - ldr r1,[sp,#6*4] @ from future BODY_16_xx -#endif - eor r0,r0,r5,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r8,r8,r4 @ d+=h - eor r12,r12,r6 @ Maj(a,b,c) - add r4,r4,r0,ror#2 @ h+=Sigma0(a) - @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 8 -# if 8==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r8,r8,ror#5 - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r8,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 8 - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 8==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r8,r8,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r8,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r11,r11,r2 @ h+=X[i] - str r2,[sp,#8*4] - eor r2,r9,r10 - add r11,r11,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r8 - add r11,r11,r12 @ h+=K256[i] - eor r2,r2,r10 @ Ch(e,f,g) - eor r0,r4,r4,ror#11 - add r11,r11,r2 @ h+=Ch(e,f,g) -#if 8==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 8<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r4,r5 @ a^b, b^c in next round -#else - ldr r2,[sp,#10*4] @ from future BODY_16_xx - eor r12,r4,r5 @ a^b, b^c in next round - ldr r1,[sp,#7*4] @ from future BODY_16_xx -#endif - eor r0,r0,r4,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r7,r7,r11 @ d+=h - eor r3,r3,r5 @ Maj(a,b,c) - add r11,r11,r0,ror#2 @ h+=Sigma0(a) - @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 9 -# if 9==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r7,r7,ror#5 - add r11,r11,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r7,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 9 - add r11,r11,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 9==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r7,r7,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r7,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r10,r10,r2 @ h+=X[i] - str r2,[sp,#9*4] - eor r2,r8,r9 - add r10,r10,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r7 - add r10,r10,r3 @ h+=K256[i] - eor r2,r2,r9 @ Ch(e,f,g) - eor r0,r11,r11,ror#11 - add r10,r10,r2 @ h+=Ch(e,f,g) -#if 9==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 9<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r11,r4 @ a^b, b^c in next round -#else - ldr r2,[sp,#11*4] @ from future BODY_16_xx - eor r3,r11,r4 @ a^b, b^c in next round - ldr r1,[sp,#8*4] @ from future BODY_16_xx -#endif - eor r0,r0,r11,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r6,r6,r10 @ d+=h - eor r12,r12,r4 @ Maj(a,b,c) - add r10,r10,r0,ror#2 @ h+=Sigma0(a) - @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 10 -# if 10==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r6,r6,ror#5 - add r10,r10,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r6,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 10 - add r10,r10,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 10==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r6,r6,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r6,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r9,r9,r2 @ h+=X[i] - str r2,[sp,#10*4] - eor r2,r7,r8 - add r9,r9,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r6 - add r9,r9,r12 @ h+=K256[i] - eor r2,r2,r8 @ Ch(e,f,g) - eor r0,r10,r10,ror#11 - add r9,r9,r2 @ h+=Ch(e,f,g) -#if 10==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 10<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r10,r11 @ a^b, b^c in next round -#else - ldr r2,[sp,#12*4] @ from future BODY_16_xx - eor r12,r10,r11 @ a^b, b^c in next round - ldr r1,[sp,#9*4] @ from future BODY_16_xx -#endif - eor r0,r0,r10,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r5,r5,r9 @ d+=h - eor r3,r3,r11 @ Maj(a,b,c) - add r9,r9,r0,ror#2 @ h+=Sigma0(a) - @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 11 -# if 11==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r5,r5,ror#5 - add r9,r9,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r5,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 11 - add r9,r9,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 11==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r5,r5,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r5,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r8,r8,r2 @ h+=X[i] - str r2,[sp,#11*4] - eor r2,r6,r7 - add r8,r8,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r5 - add r8,r8,r3 @ h+=K256[i] - eor r2,r2,r7 @ Ch(e,f,g) - eor r0,r9,r9,ror#11 - add r8,r8,r2 @ h+=Ch(e,f,g) -#if 11==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 11<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r9,r10 @ a^b, b^c in next round -#else - ldr r2,[sp,#13*4] @ from future BODY_16_xx - eor r3,r9,r10 @ a^b, b^c in next round - ldr r1,[sp,#10*4] @ from future BODY_16_xx -#endif - eor r0,r0,r9,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r4,r4,r8 @ d+=h - eor r12,r12,r10 @ Maj(a,b,c) - add r8,r8,r0,ror#2 @ h+=Sigma0(a) - @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 12 -# if 12==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r4,r4,ror#5 - add r8,r8,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r4,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 12 - add r8,r8,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 12==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r4,r4,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r4,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r7,r7,r2 @ h+=X[i] - str r2,[sp,#12*4] - eor r2,r5,r6 - add r7,r7,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r4 - add r7,r7,r12 @ h+=K256[i] - eor r2,r2,r6 @ Ch(e,f,g) - eor r0,r8,r8,ror#11 - add r7,r7,r2 @ h+=Ch(e,f,g) -#if 12==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 12<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r8,r9 @ a^b, b^c in next round -#else - ldr r2,[sp,#14*4] @ from future BODY_16_xx - eor r12,r8,r9 @ a^b, b^c in next round - ldr r1,[sp,#11*4] @ from future BODY_16_xx -#endif - eor r0,r0,r8,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r11,r11,r7 @ d+=h - eor r3,r3,r9 @ Maj(a,b,c) - add r7,r7,r0,ror#2 @ h+=Sigma0(a) - @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 13 -# if 13==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r11,r11,ror#5 - add r7,r7,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r11,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 13 - add r7,r7,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 13==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r11,r11,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r11,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r6,r6,r2 @ h+=X[i] - str r2,[sp,#13*4] - eor r2,r4,r5 - add r6,r6,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r11 - add r6,r6,r3 @ h+=K256[i] - eor r2,r2,r5 @ Ch(e,f,g) - eor r0,r7,r7,ror#11 - add r6,r6,r2 @ h+=Ch(e,f,g) -#if 13==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 13<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r7,r8 @ a^b, b^c in next round -#else - ldr r2,[sp,#15*4] @ from future BODY_16_xx - eor r3,r7,r8 @ a^b, b^c in next round - ldr r1,[sp,#12*4] @ from future BODY_16_xx -#endif - eor r0,r0,r7,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r10,r10,r6 @ d+=h - eor r12,r12,r8 @ Maj(a,b,c) - add r6,r6,r0,ror#2 @ h+=Sigma0(a) - @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 14 -# if 14==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r10,r10,ror#5 - add r6,r6,r12 @ h+=Maj(a,b,c) from the past - eor r0,r0,r10,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 14 - add r6,r6,r12 @ h+=Maj(a,b,c) from the past - ldrb r12,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r12,lsl#8 - ldrb r12,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 14==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r10,r10,ror#5 - orr r2,r2,r12,lsl#24 - eor r0,r0,r10,ror#19 @ Sigma1(e) -#endif - ldr r12,[r14],#4 @ *K256++ - add r5,r5,r2 @ h+=X[i] - str r2,[sp,#14*4] - eor r2,r11,r4 - add r5,r5,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r10 - add r5,r5,r12 @ h+=K256[i] - eor r2,r2,r4 @ Ch(e,f,g) - eor r0,r6,r6,ror#11 - add r5,r5,r2 @ h+=Ch(e,f,g) -#if 14==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 14<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r6,r7 @ a^b, b^c in next round -#else - ldr r2,[sp,#0*4] @ from future BODY_16_xx - eor r12,r6,r7 @ a^b, b^c in next round - ldr r1,[sp,#13*4] @ from future BODY_16_xx -#endif - eor r0,r0,r6,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r9,r9,r5 @ d+=h - eor r3,r3,r7 @ Maj(a,b,c) - add r5,r5,r0,ror#2 @ h+=Sigma0(a) - @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - @ ldr r2,[r1],#4 @ 15 -# if 15==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r9,r9,ror#5 - add r5,r5,r3 @ h+=Maj(a,b,c) from the past - eor r0,r0,r9,ror#19 @ Sigma1(e) -# ifndef __ARMEB__ - rev r2,r2 -# endif -#else - @ ldrb r2,[r1,#3] @ 15 - add r5,r5,r3 @ h+=Maj(a,b,c) from the past - ldrb r3,[r1,#2] - ldrb r0,[r1,#1] - orr r2,r2,r3,lsl#8 - ldrb r3,[r1],#4 - orr r2,r2,r0,lsl#16 -# if 15==15 - str r1,[sp,#17*4] @ make room for r1 -# endif - eor r0,r9,r9,ror#5 - orr r2,r2,r3,lsl#24 - eor r0,r0,r9,ror#19 @ Sigma1(e) -#endif - ldr r3,[r14],#4 @ *K256++ - add r4,r4,r2 @ h+=X[i] - str r2,[sp,#15*4] - eor r2,r10,r11 - add r4,r4,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r9 - add r4,r4,r3 @ h+=K256[i] - eor r2,r2,r11 @ Ch(e,f,g) - eor r0,r5,r5,ror#11 - add r4,r4,r2 @ h+=Ch(e,f,g) -#if 15==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 15<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r5,r6 @ a^b, b^c in next round -#else - ldr r2,[sp,#1*4] @ from future BODY_16_xx - eor r3,r5,r6 @ a^b, b^c in next round - ldr r1,[sp,#14*4] @ from future BODY_16_xx -#endif - eor r0,r0,r5,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r8,r8,r4 @ d+=h - eor r12,r12,r6 @ Maj(a,b,c) - add r4,r4,r0,ror#2 @ h+=Sigma0(a) - @ add r4,r4,r12 @ h+=Maj(a,b,c) -Lrounds_16_xx: - @ ldr r2,[sp,#1*4] @ 16 - @ ldr r1,[sp,#14*4] - mov r0,r2,ror#7 - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#0*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#9*4] - - add r12,r12,r0 - eor r0,r8,r8,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r8,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r11,r11,r2 @ h+=X[i] - str r2,[sp,#0*4] - eor r2,r9,r10 - add r11,r11,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r8 - add r11,r11,r12 @ h+=K256[i] - eor r2,r2,r10 @ Ch(e,f,g) - eor r0,r4,r4,ror#11 - add r11,r11,r2 @ h+=Ch(e,f,g) -#if 16==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 16<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r4,r5 @ a^b, b^c in next round -#else - ldr r2,[sp,#2*4] @ from future BODY_16_xx - eor r12,r4,r5 @ a^b, b^c in next round - ldr r1,[sp,#15*4] @ from future BODY_16_xx -#endif - eor r0,r0,r4,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r7,r7,r11 @ d+=h - eor r3,r3,r5 @ Maj(a,b,c) - add r11,r11,r0,ror#2 @ h+=Sigma0(a) - @ add r11,r11,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#2*4] @ 17 - @ ldr r1,[sp,#15*4] - mov r0,r2,ror#7 - add r11,r11,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#1*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#10*4] - - add r3,r3,r0 - eor r0,r7,r7,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r7,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r10,r10,r2 @ h+=X[i] - str r2,[sp,#1*4] - eor r2,r8,r9 - add r10,r10,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r7 - add r10,r10,r3 @ h+=K256[i] - eor r2,r2,r9 @ Ch(e,f,g) - eor r0,r11,r11,ror#11 - add r10,r10,r2 @ h+=Ch(e,f,g) -#if 17==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 17<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r11,r4 @ a^b, b^c in next round -#else - ldr r2,[sp,#3*4] @ from future BODY_16_xx - eor r3,r11,r4 @ a^b, b^c in next round - ldr r1,[sp,#0*4] @ from future BODY_16_xx -#endif - eor r0,r0,r11,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r6,r6,r10 @ d+=h - eor r12,r12,r4 @ Maj(a,b,c) - add r10,r10,r0,ror#2 @ h+=Sigma0(a) - @ add r10,r10,r12 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#3*4] @ 18 - @ ldr r1,[sp,#0*4] - mov r0,r2,ror#7 - add r10,r10,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#2*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#11*4] - - add r12,r12,r0 - eor r0,r6,r6,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r6,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r9,r9,r2 @ h+=X[i] - str r2,[sp,#2*4] - eor r2,r7,r8 - add r9,r9,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r6 - add r9,r9,r12 @ h+=K256[i] - eor r2,r2,r8 @ Ch(e,f,g) - eor r0,r10,r10,ror#11 - add r9,r9,r2 @ h+=Ch(e,f,g) -#if 18==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 18<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r10,r11 @ a^b, b^c in next round -#else - ldr r2,[sp,#4*4] @ from future BODY_16_xx - eor r12,r10,r11 @ a^b, b^c in next round - ldr r1,[sp,#1*4] @ from future BODY_16_xx -#endif - eor r0,r0,r10,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r5,r5,r9 @ d+=h - eor r3,r3,r11 @ Maj(a,b,c) - add r9,r9,r0,ror#2 @ h+=Sigma0(a) - @ add r9,r9,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#4*4] @ 19 - @ ldr r1,[sp,#1*4] - mov r0,r2,ror#7 - add r9,r9,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#3*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#12*4] - - add r3,r3,r0 - eor r0,r5,r5,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r5,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r8,r8,r2 @ h+=X[i] - str r2,[sp,#3*4] - eor r2,r6,r7 - add r8,r8,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r5 - add r8,r8,r3 @ h+=K256[i] - eor r2,r2,r7 @ Ch(e,f,g) - eor r0,r9,r9,ror#11 - add r8,r8,r2 @ h+=Ch(e,f,g) -#if 19==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 19<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r9,r10 @ a^b, b^c in next round -#else - ldr r2,[sp,#5*4] @ from future BODY_16_xx - eor r3,r9,r10 @ a^b, b^c in next round - ldr r1,[sp,#2*4] @ from future BODY_16_xx -#endif - eor r0,r0,r9,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r4,r4,r8 @ d+=h - eor r12,r12,r10 @ Maj(a,b,c) - add r8,r8,r0,ror#2 @ h+=Sigma0(a) - @ add r8,r8,r12 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#5*4] @ 20 - @ ldr r1,[sp,#2*4] - mov r0,r2,ror#7 - add r8,r8,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#4*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#13*4] - - add r12,r12,r0 - eor r0,r4,r4,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r4,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r7,r7,r2 @ h+=X[i] - str r2,[sp,#4*4] - eor r2,r5,r6 - add r7,r7,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r4 - add r7,r7,r12 @ h+=K256[i] - eor r2,r2,r6 @ Ch(e,f,g) - eor r0,r8,r8,ror#11 - add r7,r7,r2 @ h+=Ch(e,f,g) -#if 20==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 20<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r8,r9 @ a^b, b^c in next round -#else - ldr r2,[sp,#6*4] @ from future BODY_16_xx - eor r12,r8,r9 @ a^b, b^c in next round - ldr r1,[sp,#3*4] @ from future BODY_16_xx -#endif - eor r0,r0,r8,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r11,r11,r7 @ d+=h - eor r3,r3,r9 @ Maj(a,b,c) - add r7,r7,r0,ror#2 @ h+=Sigma0(a) - @ add r7,r7,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#6*4] @ 21 - @ ldr r1,[sp,#3*4] - mov r0,r2,ror#7 - add r7,r7,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#5*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#14*4] - - add r3,r3,r0 - eor r0,r11,r11,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r11,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r6,r6,r2 @ h+=X[i] - str r2,[sp,#5*4] - eor r2,r4,r5 - add r6,r6,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r11 - add r6,r6,r3 @ h+=K256[i] - eor r2,r2,r5 @ Ch(e,f,g) - eor r0,r7,r7,ror#11 - add r6,r6,r2 @ h+=Ch(e,f,g) -#if 21==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 21<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r7,r8 @ a^b, b^c in next round -#else - ldr r2,[sp,#7*4] @ from future BODY_16_xx - eor r3,r7,r8 @ a^b, b^c in next round - ldr r1,[sp,#4*4] @ from future BODY_16_xx -#endif - eor r0,r0,r7,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r10,r10,r6 @ d+=h - eor r12,r12,r8 @ Maj(a,b,c) - add r6,r6,r0,ror#2 @ h+=Sigma0(a) - @ add r6,r6,r12 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#7*4] @ 22 - @ ldr r1,[sp,#4*4] - mov r0,r2,ror#7 - add r6,r6,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#6*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#15*4] - - add r12,r12,r0 - eor r0,r10,r10,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r10,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r5,r5,r2 @ h+=X[i] - str r2,[sp,#6*4] - eor r2,r11,r4 - add r5,r5,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r10 - add r5,r5,r12 @ h+=K256[i] - eor r2,r2,r4 @ Ch(e,f,g) - eor r0,r6,r6,ror#11 - add r5,r5,r2 @ h+=Ch(e,f,g) -#if 22==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 22<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r6,r7 @ a^b, b^c in next round -#else - ldr r2,[sp,#8*4] @ from future BODY_16_xx - eor r12,r6,r7 @ a^b, b^c in next round - ldr r1,[sp,#5*4] @ from future BODY_16_xx -#endif - eor r0,r0,r6,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r9,r9,r5 @ d+=h - eor r3,r3,r7 @ Maj(a,b,c) - add r5,r5,r0,ror#2 @ h+=Sigma0(a) - @ add r5,r5,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#8*4] @ 23 - @ ldr r1,[sp,#5*4] - mov r0,r2,ror#7 - add r5,r5,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#7*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#0*4] - - add r3,r3,r0 - eor r0,r9,r9,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r9,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r4,r4,r2 @ h+=X[i] - str r2,[sp,#7*4] - eor r2,r10,r11 - add r4,r4,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r9 - add r4,r4,r3 @ h+=K256[i] - eor r2,r2,r11 @ Ch(e,f,g) - eor r0,r5,r5,ror#11 - add r4,r4,r2 @ h+=Ch(e,f,g) -#if 23==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 23<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r5,r6 @ a^b, b^c in next round -#else - ldr r2,[sp,#9*4] @ from future BODY_16_xx - eor r3,r5,r6 @ a^b, b^c in next round - ldr r1,[sp,#6*4] @ from future BODY_16_xx -#endif - eor r0,r0,r5,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r8,r8,r4 @ d+=h - eor r12,r12,r6 @ Maj(a,b,c) - add r4,r4,r0,ror#2 @ h+=Sigma0(a) - @ add r4,r4,r12 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#9*4] @ 24 - @ ldr r1,[sp,#6*4] - mov r0,r2,ror#7 - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#8*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#1*4] - - add r12,r12,r0 - eor r0,r8,r8,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r8,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r11,r11,r2 @ h+=X[i] - str r2,[sp,#8*4] - eor r2,r9,r10 - add r11,r11,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r8 - add r11,r11,r12 @ h+=K256[i] - eor r2,r2,r10 @ Ch(e,f,g) - eor r0,r4,r4,ror#11 - add r11,r11,r2 @ h+=Ch(e,f,g) -#if 24==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 24<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r4,r5 @ a^b, b^c in next round -#else - ldr r2,[sp,#10*4] @ from future BODY_16_xx - eor r12,r4,r5 @ a^b, b^c in next round - ldr r1,[sp,#7*4] @ from future BODY_16_xx -#endif - eor r0,r0,r4,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r7,r7,r11 @ d+=h - eor r3,r3,r5 @ Maj(a,b,c) - add r11,r11,r0,ror#2 @ h+=Sigma0(a) - @ add r11,r11,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#10*4] @ 25 - @ ldr r1,[sp,#7*4] - mov r0,r2,ror#7 - add r11,r11,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#9*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#2*4] - - add r3,r3,r0 - eor r0,r7,r7,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r7,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r10,r10,r2 @ h+=X[i] - str r2,[sp,#9*4] - eor r2,r8,r9 - add r10,r10,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r7 - add r10,r10,r3 @ h+=K256[i] - eor r2,r2,r9 @ Ch(e,f,g) - eor r0,r11,r11,ror#11 - add r10,r10,r2 @ h+=Ch(e,f,g) -#if 25==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 25<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r11,r4 @ a^b, b^c in next round -#else - ldr r2,[sp,#11*4] @ from future BODY_16_xx - eor r3,r11,r4 @ a^b, b^c in next round - ldr r1,[sp,#8*4] @ from future BODY_16_xx -#endif - eor r0,r0,r11,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r6,r6,r10 @ d+=h - eor r12,r12,r4 @ Maj(a,b,c) - add r10,r10,r0,ror#2 @ h+=Sigma0(a) - @ add r10,r10,r12 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#11*4] @ 26 - @ ldr r1,[sp,#8*4] - mov r0,r2,ror#7 - add r10,r10,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#10*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#3*4] - - add r12,r12,r0 - eor r0,r6,r6,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r6,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r9,r9,r2 @ h+=X[i] - str r2,[sp,#10*4] - eor r2,r7,r8 - add r9,r9,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r6 - add r9,r9,r12 @ h+=K256[i] - eor r2,r2,r8 @ Ch(e,f,g) - eor r0,r10,r10,ror#11 - add r9,r9,r2 @ h+=Ch(e,f,g) -#if 26==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 26<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r10,r11 @ a^b, b^c in next round -#else - ldr r2,[sp,#12*4] @ from future BODY_16_xx - eor r12,r10,r11 @ a^b, b^c in next round - ldr r1,[sp,#9*4] @ from future BODY_16_xx -#endif - eor r0,r0,r10,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r5,r5,r9 @ d+=h - eor r3,r3,r11 @ Maj(a,b,c) - add r9,r9,r0,ror#2 @ h+=Sigma0(a) - @ add r9,r9,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#12*4] @ 27 - @ ldr r1,[sp,#9*4] - mov r0,r2,ror#7 - add r9,r9,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#11*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#4*4] - - add r3,r3,r0 - eor r0,r5,r5,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r5,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r8,r8,r2 @ h+=X[i] - str r2,[sp,#11*4] - eor r2,r6,r7 - add r8,r8,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r5 - add r8,r8,r3 @ h+=K256[i] - eor r2,r2,r7 @ Ch(e,f,g) - eor r0,r9,r9,ror#11 - add r8,r8,r2 @ h+=Ch(e,f,g) -#if 27==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 27<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r9,r10 @ a^b, b^c in next round -#else - ldr r2,[sp,#13*4] @ from future BODY_16_xx - eor r3,r9,r10 @ a^b, b^c in next round - ldr r1,[sp,#10*4] @ from future BODY_16_xx -#endif - eor r0,r0,r9,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r4,r4,r8 @ d+=h - eor r12,r12,r10 @ Maj(a,b,c) - add r8,r8,r0,ror#2 @ h+=Sigma0(a) - @ add r8,r8,r12 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#13*4] @ 28 - @ ldr r1,[sp,#10*4] - mov r0,r2,ror#7 - add r8,r8,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#12*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#5*4] - - add r12,r12,r0 - eor r0,r4,r4,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r4,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r7,r7,r2 @ h+=X[i] - str r2,[sp,#12*4] - eor r2,r5,r6 - add r7,r7,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r4 - add r7,r7,r12 @ h+=K256[i] - eor r2,r2,r6 @ Ch(e,f,g) - eor r0,r8,r8,ror#11 - add r7,r7,r2 @ h+=Ch(e,f,g) -#if 28==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 28<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r8,r9 @ a^b, b^c in next round -#else - ldr r2,[sp,#14*4] @ from future BODY_16_xx - eor r12,r8,r9 @ a^b, b^c in next round - ldr r1,[sp,#11*4] @ from future BODY_16_xx -#endif - eor r0,r0,r8,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r11,r11,r7 @ d+=h - eor r3,r3,r9 @ Maj(a,b,c) - add r7,r7,r0,ror#2 @ h+=Sigma0(a) - @ add r7,r7,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#14*4] @ 29 - @ ldr r1,[sp,#11*4] - mov r0,r2,ror#7 - add r7,r7,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#13*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#6*4] - - add r3,r3,r0 - eor r0,r11,r11,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r11,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r6,r6,r2 @ h+=X[i] - str r2,[sp,#13*4] - eor r2,r4,r5 - add r6,r6,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r11 - add r6,r6,r3 @ h+=K256[i] - eor r2,r2,r5 @ Ch(e,f,g) - eor r0,r7,r7,ror#11 - add r6,r6,r2 @ h+=Ch(e,f,g) -#if 29==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 29<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r7,r8 @ a^b, b^c in next round -#else - ldr r2,[sp,#15*4] @ from future BODY_16_xx - eor r3,r7,r8 @ a^b, b^c in next round - ldr r1,[sp,#12*4] @ from future BODY_16_xx -#endif - eor r0,r0,r7,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r10,r10,r6 @ d+=h - eor r12,r12,r8 @ Maj(a,b,c) - add r6,r6,r0,ror#2 @ h+=Sigma0(a) - @ add r6,r6,r12 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#15*4] @ 30 - @ ldr r1,[sp,#12*4] - mov r0,r2,ror#7 - add r6,r6,r12 @ h+=Maj(a,b,c) from the past - mov r12,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r12,r12,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#14*4] - eor r12,r12,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#7*4] - - add r12,r12,r0 - eor r0,r10,r10,ror#5 @ from BODY_00_15 - add r2,r2,r12 - eor r0,r0,r10,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r12,[r14],#4 @ *K256++ - add r5,r5,r2 @ h+=X[i] - str r2,[sp,#14*4] - eor r2,r11,r4 - add r5,r5,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r10 - add r5,r5,r12 @ h+=K256[i] - eor r2,r2,r4 @ Ch(e,f,g) - eor r0,r6,r6,ror#11 - add r5,r5,r2 @ h+=Ch(e,f,g) -#if 30==31 - and r12,r12,#0xff - cmp r12,#0xf2 @ done? 
-#endif -#if 30<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r12,r6,r7 @ a^b, b^c in next round -#else - ldr r2,[sp,#0*4] @ from future BODY_16_xx - eor r12,r6,r7 @ a^b, b^c in next round - ldr r1,[sp,#13*4] @ from future BODY_16_xx -#endif - eor r0,r0,r6,ror#20 @ Sigma0(a) - and r3,r3,r12 @ (b^c)&=(a^b) - add r9,r9,r5 @ d+=h - eor r3,r3,r7 @ Maj(a,b,c) - add r5,r5,r0,ror#2 @ h+=Sigma0(a) - @ add r5,r5,r3 @ h+=Maj(a,b,c) - @ ldr r2,[sp,#0*4] @ 31 - @ ldr r1,[sp,#13*4] - mov r0,r2,ror#7 - add r5,r5,r3 @ h+=Maj(a,b,c) from the past - mov r3,r1,ror#17 - eor r0,r0,r2,ror#18 - eor r3,r3,r1,ror#19 - eor r0,r0,r2,lsr#3 @ sigma0(X[i+1]) - ldr r2,[sp,#15*4] - eor r3,r3,r1,lsr#10 @ sigma1(X[i+14]) - ldr r1,[sp,#8*4] - - add r3,r3,r0 - eor r0,r9,r9,ror#5 @ from BODY_00_15 - add r2,r2,r3 - eor r0,r0,r9,ror#19 @ Sigma1(e) - add r2,r2,r1 @ X[i] - ldr r3,[r14],#4 @ *K256++ - add r4,r4,r2 @ h+=X[i] - str r2,[sp,#15*4] - eor r2,r10,r11 - add r4,r4,r0,ror#6 @ h+=Sigma1(e) - and r2,r2,r9 - add r4,r4,r3 @ h+=K256[i] - eor r2,r2,r11 @ Ch(e,f,g) - eor r0,r5,r5,ror#11 - add r4,r4,r2 @ h+=Ch(e,f,g) -#if 31==31 - and r3,r3,#0xff - cmp r3,#0xf2 @ done? 
-#endif -#if 31<15 -# if __ARM_ARCH>=7 - ldr r2,[r1],#4 @ prefetch -# else - ldrb r2,[r1,#3] -# endif - eor r3,r5,r6 @ a^b, b^c in next round -#else - ldr r2,[sp,#1*4] @ from future BODY_16_xx - eor r3,r5,r6 @ a^b, b^c in next round - ldr r1,[sp,#14*4] @ from future BODY_16_xx -#endif - eor r0,r0,r5,ror#20 @ Sigma0(a) - and r12,r12,r3 @ (b^c)&=(a^b) - add r8,r8,r4 @ d+=h - eor r12,r12,r6 @ Maj(a,b,c) - add r4,r4,r0,ror#2 @ h+=Sigma0(a) - @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH>=7 - ite eq @ Thumb2 thing, sanity check in ARM -#endif - ldreq r3,[sp,#16*4] @ pull ctx - bne Lrounds_16_xx - - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - ldr r0,[r3,#0] - ldr r2,[r3,#4] - ldr r12,[r3,#8] - add r4,r4,r0 - ldr r0,[r3,#12] - add r5,r5,r2 - ldr r2,[r3,#16] - add r6,r6,r12 - ldr r12,[r3,#20] - add r7,r7,r0 - ldr r0,[r3,#24] - add r8,r8,r2 - ldr r2,[r3,#28] - add r9,r9,r12 - ldr r1,[sp,#17*4] @ pull inp - ldr r12,[sp,#18*4] @ pull inp+len - add r10,r10,r0 - add r11,r11,r2 - stmia r3,{r4,r5,r6,r7,r8,r9,r10,r11} - cmp r1,r12 - sub r14,r14,#256 @ rewind Ktbl - bne Loop - - add sp,sp,#19*4 @ destroy frame -#if __ARM_ARCH>=5 - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} -#else - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,lr} - tst lr,#1 - moveq pc,lr @ be binary compatible with V4, yet -.word 0xe12fff1e @ interoperable with Thumb ISA:-) -#endif - -#if __ARM_MAX_ARCH__>=7 - - - -.globl _sha256_block_data_order_neon -.private_extern _sha256_block_data_order_neon -#ifdef __thumb2__ -.thumb_func _sha256_block_data_order_neon -#endif -.align 5 -.skip 16 -_sha256_block_data_order_neon: -LNEON: - stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - - sub r11,sp,#16*4+16 - adr r14,K256 - bic r11,r11,#15 @ align for 128-bit stores - mov r12,sp - mov sp,r11 @ alloca - add r2,r1,r2,lsl#6 @ len to point at the end of inp - - vld1.8 {q0},[r1]! - vld1.8 {q1},[r1]! - vld1.8 {q2},[r1]! - vld1.8 {q3},[r1]! - vld1.32 {q8},[r14,:128]! - vld1.32 {q9},[r14,:128]! - vld1.32 {q10},[r14,:128]! 
- vld1.32 {q11},[r14,:128]! - vrev32.8 q0,q0 @ yes, even on - str r0,[sp,#64] - vrev32.8 q1,q1 @ big-endian - str r1,[sp,#68] - mov r1,sp - vrev32.8 q2,q2 - str r2,[sp,#72] - vrev32.8 q3,q3 - str r12,[sp,#76] @ save original sp - vadd.i32 q8,q8,q0 - vadd.i32 q9,q9,q1 - vst1.32 {q8},[r1,:128]! - vadd.i32 q10,q10,q2 - vst1.32 {q9},[r1,:128]! - vadd.i32 q11,q11,q3 - vst1.32 {q10},[r1,:128]! - vst1.32 {q11},[r1,:128]! - - ldmia r0,{r4,r5,r6,r7,r8,r9,r10,r11} - sub r1,r1,#64 - ldr r2,[sp,#0] - eor r12,r12,r12 - eor r3,r5,r6 - b L_00_48 - -.align 4 -L_00_48: - vext.8 q8,q0,q1,#4 - add r11,r11,r2 - eor r2,r9,r10 - eor r0,r8,r8,ror#5 - vext.8 q9,q2,q3,#4 - add r4,r4,r12 - and r2,r2,r8 - eor r12,r0,r8,ror#19 - vshr.u32 q10,q8,#7 - eor r0,r4,r4,ror#11 - eor r2,r2,r10 - vadd.i32 q0,q0,q9 - add r11,r11,r12,ror#6 - eor r12,r4,r5 - vshr.u32 q9,q8,#3 - eor r0,r0,r4,ror#20 - add r11,r11,r2 - vsli.32 q10,q8,#25 - ldr r2,[sp,#4] - and r3,r3,r12 - vshr.u32 q11,q8,#18 - add r7,r7,r11 - add r11,r11,r0,ror#2 - eor r3,r3,r5 - veor q9,q9,q10 - add r10,r10,r2 - vsli.32 q11,q8,#14 - eor r2,r8,r9 - eor r0,r7,r7,ror#5 - vshr.u32 d24,d7,#17 - add r11,r11,r3 - and r2,r2,r7 - veor q9,q9,q11 - eor r3,r0,r7,ror#19 - eor r0,r11,r11,ror#11 - vsli.32 d24,d7,#15 - eor r2,r2,r9 - add r10,r10,r3,ror#6 - vshr.u32 d25,d7,#10 - eor r3,r11,r4 - eor r0,r0,r11,ror#20 - vadd.i32 q0,q0,q9 - add r10,r10,r2 - ldr r2,[sp,#8] - veor d25,d25,d24 - and r12,r12,r3 - add r6,r6,r10 - vshr.u32 d24,d7,#19 - add r10,r10,r0,ror#2 - eor r12,r12,r4 - vsli.32 d24,d7,#13 - add r9,r9,r2 - eor r2,r7,r8 - veor d25,d25,d24 - eor r0,r6,r6,ror#5 - add r10,r10,r12 - vadd.i32 d0,d0,d25 - and r2,r2,r6 - eor r12,r0,r6,ror#19 - vshr.u32 d24,d0,#17 - eor r0,r10,r10,ror#11 - eor r2,r2,r8 - vsli.32 d24,d0,#15 - add r9,r9,r12,ror#6 - eor r12,r10,r11 - vshr.u32 d25,d0,#10 - eor r0,r0,r10,ror#20 - add r9,r9,r2 - veor d25,d25,d24 - ldr r2,[sp,#12] - and r3,r3,r12 - vshr.u32 d24,d0,#19 - add r5,r5,r9 - add r9,r9,r0,ror#2 - eor r3,r3,r11 - vld1.32 
{q8},[r14,:128]! - add r8,r8,r2 - vsli.32 d24,d0,#13 - eor r2,r6,r7 - eor r0,r5,r5,ror#5 - veor d25,d25,d24 - add r9,r9,r3 - and r2,r2,r5 - vadd.i32 d1,d1,d25 - eor r3,r0,r5,ror#19 - eor r0,r9,r9,ror#11 - vadd.i32 q8,q8,q0 - eor r2,r2,r7 - add r8,r8,r3,ror#6 - eor r3,r9,r10 - eor r0,r0,r9,ror#20 - add r8,r8,r2 - ldr r2,[sp,#16] - and r12,r12,r3 - add r4,r4,r8 - vst1.32 {q8},[r1,:128]! - add r8,r8,r0,ror#2 - eor r12,r12,r10 - vext.8 q8,q1,q2,#4 - add r7,r7,r2 - eor r2,r5,r6 - eor r0,r4,r4,ror#5 - vext.8 q9,q3,q0,#4 - add r8,r8,r12 - and r2,r2,r4 - eor r12,r0,r4,ror#19 - vshr.u32 q10,q8,#7 - eor r0,r8,r8,ror#11 - eor r2,r2,r6 - vadd.i32 q1,q1,q9 - add r7,r7,r12,ror#6 - eor r12,r8,r9 - vshr.u32 q9,q8,#3 - eor r0,r0,r8,ror#20 - add r7,r7,r2 - vsli.32 q10,q8,#25 - ldr r2,[sp,#20] - and r3,r3,r12 - vshr.u32 q11,q8,#18 - add r11,r11,r7 - add r7,r7,r0,ror#2 - eor r3,r3,r9 - veor q9,q9,q10 - add r6,r6,r2 - vsli.32 q11,q8,#14 - eor r2,r4,r5 - eor r0,r11,r11,ror#5 - vshr.u32 d24,d1,#17 - add r7,r7,r3 - and r2,r2,r11 - veor q9,q9,q11 - eor r3,r0,r11,ror#19 - eor r0,r7,r7,ror#11 - vsli.32 d24,d1,#15 - eor r2,r2,r5 - add r6,r6,r3,ror#6 - vshr.u32 d25,d1,#10 - eor r3,r7,r8 - eor r0,r0,r7,ror#20 - vadd.i32 q1,q1,q9 - add r6,r6,r2 - ldr r2,[sp,#24] - veor d25,d25,d24 - and r12,r12,r3 - add r10,r10,r6 - vshr.u32 d24,d1,#19 - add r6,r6,r0,ror#2 - eor r12,r12,r8 - vsli.32 d24,d1,#13 - add r5,r5,r2 - eor r2,r11,r4 - veor d25,d25,d24 - eor r0,r10,r10,ror#5 - add r6,r6,r12 - vadd.i32 d2,d2,d25 - and r2,r2,r10 - eor r12,r0,r10,ror#19 - vshr.u32 d24,d2,#17 - eor r0,r6,r6,ror#11 - eor r2,r2,r4 - vsli.32 d24,d2,#15 - add r5,r5,r12,ror#6 - eor r12,r6,r7 - vshr.u32 d25,d2,#10 - eor r0,r0,r6,ror#20 - add r5,r5,r2 - veor d25,d25,d24 - ldr r2,[sp,#28] - and r3,r3,r12 - vshr.u32 d24,d2,#19 - add r9,r9,r5 - add r5,r5,r0,ror#2 - eor r3,r3,r7 - vld1.32 {q8},[r14,:128]! 
- add r4,r4,r2 - vsli.32 d24,d2,#13 - eor r2,r10,r11 - eor r0,r9,r9,ror#5 - veor d25,d25,d24 - add r5,r5,r3 - and r2,r2,r9 - vadd.i32 d3,d3,d25 - eor r3,r0,r9,ror#19 - eor r0,r5,r5,ror#11 - vadd.i32 q8,q8,q1 - eor r2,r2,r11 - add r4,r4,r3,ror#6 - eor r3,r5,r6 - eor r0,r0,r5,ror#20 - add r4,r4,r2 - ldr r2,[sp,#32] - and r12,r12,r3 - add r8,r8,r4 - vst1.32 {q8},[r1,:128]! - add r4,r4,r0,ror#2 - eor r12,r12,r6 - vext.8 q8,q2,q3,#4 - add r11,r11,r2 - eor r2,r9,r10 - eor r0,r8,r8,ror#5 - vext.8 q9,q0,q1,#4 - add r4,r4,r12 - and r2,r2,r8 - eor r12,r0,r8,ror#19 - vshr.u32 q10,q8,#7 - eor r0,r4,r4,ror#11 - eor r2,r2,r10 - vadd.i32 q2,q2,q9 - add r11,r11,r12,ror#6 - eor r12,r4,r5 - vshr.u32 q9,q8,#3 - eor r0,r0,r4,ror#20 - add r11,r11,r2 - vsli.32 q10,q8,#25 - ldr r2,[sp,#36] - and r3,r3,r12 - vshr.u32 q11,q8,#18 - add r7,r7,r11 - add r11,r11,r0,ror#2 - eor r3,r3,r5 - veor q9,q9,q10 - add r10,r10,r2 - vsli.32 q11,q8,#14 - eor r2,r8,r9 - eor r0,r7,r7,ror#5 - vshr.u32 d24,d3,#17 - add r11,r11,r3 - and r2,r2,r7 - veor q9,q9,q11 - eor r3,r0,r7,ror#19 - eor r0,r11,r11,ror#11 - vsli.32 d24,d3,#15 - eor r2,r2,r9 - add r10,r10,r3,ror#6 - vshr.u32 d25,d3,#10 - eor r3,r11,r4 - eor r0,r0,r11,ror#20 - vadd.i32 q2,q2,q9 - add r10,r10,r2 - ldr r2,[sp,#40] - veor d25,d25,d24 - and r12,r12,r3 - add r6,r6,r10 - vshr.u32 d24,d3,#19 - add r10,r10,r0,ror#2 - eor r12,r12,r4 - vsli.32 d24,d3,#13 - add r9,r9,r2 - eor r2,r7,r8 - veor d25,d25,d24 - eor r0,r6,r6,ror#5 - add r10,r10,r12 - vadd.i32 d4,d4,d25 - and r2,r2,r6 - eor r12,r0,r6,ror#19 - vshr.u32 d24,d4,#17 - eor r0,r10,r10,ror#11 - eor r2,r2,r8 - vsli.32 d24,d4,#15 - add r9,r9,r12,ror#6 - eor r12,r10,r11 - vshr.u32 d25,d4,#10 - eor r0,r0,r10,ror#20 - add r9,r9,r2 - veor d25,d25,d24 - ldr r2,[sp,#44] - and r3,r3,r12 - vshr.u32 d24,d4,#19 - add r5,r5,r9 - add r9,r9,r0,ror#2 - eor r3,r3,r11 - vld1.32 {q8},[r14,:128]! 
- add r8,r8,r2 - vsli.32 d24,d4,#13 - eor r2,r6,r7 - eor r0,r5,r5,ror#5 - veor d25,d25,d24 - add r9,r9,r3 - and r2,r2,r5 - vadd.i32 d5,d5,d25 - eor r3,r0,r5,ror#19 - eor r0,r9,r9,ror#11 - vadd.i32 q8,q8,q2 - eor r2,r2,r7 - add r8,r8,r3,ror#6 - eor r3,r9,r10 - eor r0,r0,r9,ror#20 - add r8,r8,r2 - ldr r2,[sp,#48] - and r12,r12,r3 - add r4,r4,r8 - vst1.32 {q8},[r1,:128]! - add r8,r8,r0,ror#2 - eor r12,r12,r10 - vext.8 q8,q3,q0,#4 - add r7,r7,r2 - eor r2,r5,r6 - eor r0,r4,r4,ror#5 - vext.8 q9,q1,q2,#4 - add r8,r8,r12 - and r2,r2,r4 - eor r12,r0,r4,ror#19 - vshr.u32 q10,q8,#7 - eor r0,r8,r8,ror#11 - eor r2,r2,r6 - vadd.i32 q3,q3,q9 - add r7,r7,r12,ror#6 - eor r12,r8,r9 - vshr.u32 q9,q8,#3 - eor r0,r0,r8,ror#20 - add r7,r7,r2 - vsli.32 q10,q8,#25 - ldr r2,[sp,#52] - and r3,r3,r12 - vshr.u32 q11,q8,#18 - add r11,r11,r7 - add r7,r7,r0,ror#2 - eor r3,r3,r9 - veor q9,q9,q10 - add r6,r6,r2 - vsli.32 q11,q8,#14 - eor r2,r4,r5 - eor r0,r11,r11,ror#5 - vshr.u32 d24,d5,#17 - add r7,r7,r3 - and r2,r2,r11 - veor q9,q9,q11 - eor r3,r0,r11,ror#19 - eor r0,r7,r7,ror#11 - vsli.32 d24,d5,#15 - eor r2,r2,r5 - add r6,r6,r3,ror#6 - vshr.u32 d25,d5,#10 - eor r3,r7,r8 - eor r0,r0,r7,ror#20 - vadd.i32 q3,q3,q9 - add r6,r6,r2 - ldr r2,[sp,#56] - veor d25,d25,d24 - and r12,r12,r3 - add r10,r10,r6 - vshr.u32 d24,d5,#19 - add r6,r6,r0,ror#2 - eor r12,r12,r8 - vsli.32 d24,d5,#13 - add r5,r5,r2 - eor r2,r11,r4 - veor d25,d25,d24 - eor r0,r10,r10,ror#5 - add r6,r6,r12 - vadd.i32 d6,d6,d25 - and r2,r2,r10 - eor r12,r0,r10,ror#19 - vshr.u32 d24,d6,#17 - eor r0,r6,r6,ror#11 - eor r2,r2,r4 - vsli.32 d24,d6,#15 - add r5,r5,r12,ror#6 - eor r12,r6,r7 - vshr.u32 d25,d6,#10 - eor r0,r0,r6,ror#20 - add r5,r5,r2 - veor d25,d25,d24 - ldr r2,[sp,#60] - and r3,r3,r12 - vshr.u32 d24,d6,#19 - add r9,r9,r5 - add r5,r5,r0,ror#2 - eor r3,r3,r7 - vld1.32 {q8},[r14,:128]! 
- add r4,r4,r2 - vsli.32 d24,d6,#13 - eor r2,r10,r11 - eor r0,r9,r9,ror#5 - veor d25,d25,d24 - add r5,r5,r3 - and r2,r2,r9 - vadd.i32 d7,d7,d25 - eor r3,r0,r9,ror#19 - eor r0,r5,r5,ror#11 - vadd.i32 q8,q8,q3 - eor r2,r2,r11 - add r4,r4,r3,ror#6 - eor r3,r5,r6 - eor r0,r0,r5,ror#20 - add r4,r4,r2 - ldr r2,[r14] - and r12,r12,r3 - add r8,r8,r4 - vst1.32 {q8},[r1,:128]! - add r4,r4,r0,ror#2 - eor r12,r12,r6 - teq r2,#0 @ check for K256 terminator - ldr r2,[sp,#0] - sub r1,r1,#64 - bne L_00_48 - - ldr r1,[sp,#68] - ldr r0,[sp,#72] - sub r14,r14,#256 @ rewind r14 - teq r1,r0 - it eq - subeq r1,r1,#64 @ avoid SEGV - vld1.8 {q0},[r1]! @ load next input block - vld1.8 {q1},[r1]! - vld1.8 {q2},[r1]! - vld1.8 {q3},[r1]! - it ne - strne r1,[sp,#68] - mov r1,sp - add r11,r11,r2 - eor r2,r9,r10 - eor r0,r8,r8,ror#5 - add r4,r4,r12 - vld1.32 {q8},[r14,:128]! - and r2,r2,r8 - eor r12,r0,r8,ror#19 - eor r0,r4,r4,ror#11 - eor r2,r2,r10 - vrev32.8 q0,q0 - add r11,r11,r12,ror#6 - eor r12,r4,r5 - eor r0,r0,r4,ror#20 - add r11,r11,r2 - vadd.i32 q8,q8,q0 - ldr r2,[sp,#4] - and r3,r3,r12 - add r7,r7,r11 - add r11,r11,r0,ror#2 - eor r3,r3,r5 - add r10,r10,r2 - eor r2,r8,r9 - eor r0,r7,r7,ror#5 - add r11,r11,r3 - and r2,r2,r7 - eor r3,r0,r7,ror#19 - eor r0,r11,r11,ror#11 - eor r2,r2,r9 - add r10,r10,r3,ror#6 - eor r3,r11,r4 - eor r0,r0,r11,ror#20 - add r10,r10,r2 - ldr r2,[sp,#8] - and r12,r12,r3 - add r6,r6,r10 - add r10,r10,r0,ror#2 - eor r12,r12,r4 - add r9,r9,r2 - eor r2,r7,r8 - eor r0,r6,r6,ror#5 - add r10,r10,r12 - and r2,r2,r6 - eor r12,r0,r6,ror#19 - eor r0,r10,r10,ror#11 - eor r2,r2,r8 - add r9,r9,r12,ror#6 - eor r12,r10,r11 - eor r0,r0,r10,ror#20 - add r9,r9,r2 - ldr r2,[sp,#12] - and r3,r3,r12 - add r5,r5,r9 - add r9,r9,r0,ror#2 - eor r3,r3,r11 - add r8,r8,r2 - eor r2,r6,r7 - eor r0,r5,r5,ror#5 - add r9,r9,r3 - and r2,r2,r5 - eor r3,r0,r5,ror#19 - eor r0,r9,r9,ror#11 - eor r2,r2,r7 - add r8,r8,r3,ror#6 - eor r3,r9,r10 - eor r0,r0,r9,ror#20 - add r8,r8,r2 - ldr r2,[sp,#16] - and 
r12,r12,r3 - add r4,r4,r8 - add r8,r8,r0,ror#2 - eor r12,r12,r10 - vst1.32 {q8},[r1,:128]! - add r7,r7,r2 - eor r2,r5,r6 - eor r0,r4,r4,ror#5 - add r8,r8,r12 - vld1.32 {q8},[r14,:128]! - and r2,r2,r4 - eor r12,r0,r4,ror#19 - eor r0,r8,r8,ror#11 - eor r2,r2,r6 - vrev32.8 q1,q1 - add r7,r7,r12,ror#6 - eor r12,r8,r9 - eor r0,r0,r8,ror#20 - add r7,r7,r2 - vadd.i32 q8,q8,q1 - ldr r2,[sp,#20] - and r3,r3,r12 - add r11,r11,r7 - add r7,r7,r0,ror#2 - eor r3,r3,r9 - add r6,r6,r2 - eor r2,r4,r5 - eor r0,r11,r11,ror#5 - add r7,r7,r3 - and r2,r2,r11 - eor r3,r0,r11,ror#19 - eor r0,r7,r7,ror#11 - eor r2,r2,r5 - add r6,r6,r3,ror#6 - eor r3,r7,r8 - eor r0,r0,r7,ror#20 - add r6,r6,r2 - ldr r2,[sp,#24] - and r12,r12,r3 - add r10,r10,r6 - add r6,r6,r0,ror#2 - eor r12,r12,r8 - add r5,r5,r2 - eor r2,r11,r4 - eor r0,r10,r10,ror#5 - add r6,r6,r12 - and r2,r2,r10 - eor r12,r0,r10,ror#19 - eor r0,r6,r6,ror#11 - eor r2,r2,r4 - add r5,r5,r12,ror#6 - eor r12,r6,r7 - eor r0,r0,r6,ror#20 - add r5,r5,r2 - ldr r2,[sp,#28] - and r3,r3,r12 - add r9,r9,r5 - add r5,r5,r0,ror#2 - eor r3,r3,r7 - add r4,r4,r2 - eor r2,r10,r11 - eor r0,r9,r9,ror#5 - add r5,r5,r3 - and r2,r2,r9 - eor r3,r0,r9,ror#19 - eor r0,r5,r5,ror#11 - eor r2,r2,r11 - add r4,r4,r3,ror#6 - eor r3,r5,r6 - eor r0,r0,r5,ror#20 - add r4,r4,r2 - ldr r2,[sp,#32] - and r12,r12,r3 - add r8,r8,r4 - add r4,r4,r0,ror#2 - eor r12,r12,r6 - vst1.32 {q8},[r1,:128]! - add r11,r11,r2 - eor r2,r9,r10 - eor r0,r8,r8,ror#5 - add r4,r4,r12 - vld1.32 {q8},[r14,:128]! 
- and r2,r2,r8 - eor r12,r0,r8,ror#19 - eor r0,r4,r4,ror#11 - eor r2,r2,r10 - vrev32.8 q2,q2 - add r11,r11,r12,ror#6 - eor r12,r4,r5 - eor r0,r0,r4,ror#20 - add r11,r11,r2 - vadd.i32 q8,q8,q2 - ldr r2,[sp,#36] - and r3,r3,r12 - add r7,r7,r11 - add r11,r11,r0,ror#2 - eor r3,r3,r5 - add r10,r10,r2 - eor r2,r8,r9 - eor r0,r7,r7,ror#5 - add r11,r11,r3 - and r2,r2,r7 - eor r3,r0,r7,ror#19 - eor r0,r11,r11,ror#11 - eor r2,r2,r9 - add r10,r10,r3,ror#6 - eor r3,r11,r4 - eor r0,r0,r11,ror#20 - add r10,r10,r2 - ldr r2,[sp,#40] - and r12,r12,r3 - add r6,r6,r10 - add r10,r10,r0,ror#2 - eor r12,r12,r4 - add r9,r9,r2 - eor r2,r7,r8 - eor r0,r6,r6,ror#5 - add r10,r10,r12 - and r2,r2,r6 - eor r12,r0,r6,ror#19 - eor r0,r10,r10,ror#11 - eor r2,r2,r8 - add r9,r9,r12,ror#6 - eor r12,r10,r11 - eor r0,r0,r10,ror#20 - add r9,r9,r2 - ldr r2,[sp,#44] - and r3,r3,r12 - add r5,r5,r9 - add r9,r9,r0,ror#2 - eor r3,r3,r11 - add r8,r8,r2 - eor r2,r6,r7 - eor r0,r5,r5,ror#5 - add r9,r9,r3 - and r2,r2,r5 - eor r3,r0,r5,ror#19 - eor r0,r9,r9,ror#11 - eor r2,r2,r7 - add r8,r8,r3,ror#6 - eor r3,r9,r10 - eor r0,r0,r9,ror#20 - add r8,r8,r2 - ldr r2,[sp,#48] - and r12,r12,r3 - add r4,r4,r8 - add r8,r8,r0,ror#2 - eor r12,r12,r10 - vst1.32 {q8},[r1,:128]! - add r7,r7,r2 - eor r2,r5,r6 - eor r0,r4,r4,ror#5 - add r8,r8,r12 - vld1.32 {q8},[r14,:128]! 
- and r2,r2,r4 - eor r12,r0,r4,ror#19 - eor r0,r8,r8,ror#11 - eor r2,r2,r6 - vrev32.8 q3,q3 - add r7,r7,r12,ror#6 - eor r12,r8,r9 - eor r0,r0,r8,ror#20 - add r7,r7,r2 - vadd.i32 q8,q8,q3 - ldr r2,[sp,#52] - and r3,r3,r12 - add r11,r11,r7 - add r7,r7,r0,ror#2 - eor r3,r3,r9 - add r6,r6,r2 - eor r2,r4,r5 - eor r0,r11,r11,ror#5 - add r7,r7,r3 - and r2,r2,r11 - eor r3,r0,r11,ror#19 - eor r0,r7,r7,ror#11 - eor r2,r2,r5 - add r6,r6,r3,ror#6 - eor r3,r7,r8 - eor r0,r0,r7,ror#20 - add r6,r6,r2 - ldr r2,[sp,#56] - and r12,r12,r3 - add r10,r10,r6 - add r6,r6,r0,ror#2 - eor r12,r12,r8 - add r5,r5,r2 - eor r2,r11,r4 - eor r0,r10,r10,ror#5 - add r6,r6,r12 - and r2,r2,r10 - eor r12,r0,r10,ror#19 - eor r0,r6,r6,ror#11 - eor r2,r2,r4 - add r5,r5,r12,ror#6 - eor r12,r6,r7 - eor r0,r0,r6,ror#20 - add r5,r5,r2 - ldr r2,[sp,#60] - and r3,r3,r12 - add r9,r9,r5 - add r5,r5,r0,ror#2 - eor r3,r3,r7 - add r4,r4,r2 - eor r2,r10,r11 - eor r0,r9,r9,ror#5 - add r5,r5,r3 - and r2,r2,r9 - eor r3,r0,r9,ror#19 - eor r0,r5,r5,ror#11 - eor r2,r2,r11 - add r4,r4,r3,ror#6 - eor r3,r5,r6 - eor r0,r0,r5,ror#20 - add r4,r4,r2 - ldr r2,[sp,#64] - and r12,r12,r3 - add r8,r8,r4 - add r4,r4,r0,ror#2 - eor r12,r12,r6 - vst1.32 {q8},[r1,:128]! 
- ldr r0,[r2,#0] - add r4,r4,r12 @ h+=Maj(a,b,c) from the past - ldr r12,[r2,#4] - ldr r3,[r2,#8] - ldr r1,[r2,#12] - add r4,r4,r0 @ accumulate - ldr r0,[r2,#16] - add r5,r5,r12 - ldr r12,[r2,#20] - add r6,r6,r3 - ldr r3,[r2,#24] - add r7,r7,r1 - ldr r1,[r2,#28] - add r8,r8,r0 - str r4,[r2],#4 - add r9,r9,r12 - str r5,[r2],#4 - add r10,r10,r3 - str r6,[r2],#4 - add r11,r11,r1 - str r7,[r2],#4 - stmia r2,{r8,r9,r10,r11} - - ittte ne - movne r1,sp - ldrne r2,[sp,#0] - eorne r12,r12,r12 - ldreq sp,[sp,#76] @ restore original sp - itt ne - eorne r3,r5,r6 - bne L_00_48 - - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} - -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - -# if defined(__thumb2__) -# define INST(a,b,c,d) .byte c,d|0xc,a,b -# else -# define INST(a,b,c,d) .byte a,b,c,d -# endif - -#ifdef __thumb2__ -.thumb_func sha256_block_data_order_armv8 -#endif -.align 5 -sha256_block_data_order_armv8: -LARMv8: - vld1.32 {q0,q1},[r0] - sub r3,r3,#256+32 - add r2,r1,r2,lsl#6 @ len to point at the end of inp - b Loop_v8 - -.align 4 -Loop_v8: - vld1.8 {q8,q9},[r1]! - vld1.8 {q10,q11},[r1]! - vld1.32 {q12},[r3]! - vrev32.8 q8,q8 - vrev32.8 q9,q9 - vrev32.8 q10,q10 - vrev32.8 q11,q11 - vmov q14,q0 @ offload - vmov q15,q1 - teq r1,r2 - vld1.32 {q13},[r3]! - vadd.i32 q12,q12,q8 - INST(0xe2,0x03,0xfa,0xf3) @ sha256su0 q8,q9 - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - INST(0xe6,0x0c,0x64,0xf3) @ sha256su1 q8,q10,q11 - vld1.32 {q12},[r3]! - vadd.i32 q13,q13,q9 - INST(0xe4,0x23,0xfa,0xf3) @ sha256su0 q9,q10 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - INST(0xe0,0x2c,0x66,0xf3) @ sha256su1 q9,q11,q8 - vld1.32 {q13},[r3]! 
- vadd.i32 q12,q12,q10 - INST(0xe6,0x43,0xfa,0xf3) @ sha256su0 q10,q11 - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - INST(0xe2,0x4c,0x60,0xf3) @ sha256su1 q10,q8,q9 - vld1.32 {q12},[r3]! - vadd.i32 q13,q13,q11 - INST(0xe0,0x63,0xfa,0xf3) @ sha256su0 q11,q8 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - INST(0xe4,0x6c,0x62,0xf3) @ sha256su1 q11,q9,q10 - vld1.32 {q13},[r3]! - vadd.i32 q12,q12,q8 - INST(0xe2,0x03,0xfa,0xf3) @ sha256su0 q8,q9 - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - INST(0xe6,0x0c,0x64,0xf3) @ sha256su1 q8,q10,q11 - vld1.32 {q12},[r3]! - vadd.i32 q13,q13,q9 - INST(0xe4,0x23,0xfa,0xf3) @ sha256su0 q9,q10 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - INST(0xe0,0x2c,0x66,0xf3) @ sha256su1 q9,q11,q8 - vld1.32 {q13},[r3]! - vadd.i32 q12,q12,q10 - INST(0xe6,0x43,0xfa,0xf3) @ sha256su0 q10,q11 - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - INST(0xe2,0x4c,0x60,0xf3) @ sha256su1 q10,q8,q9 - vld1.32 {q12},[r3]! - vadd.i32 q13,q13,q11 - INST(0xe0,0x63,0xfa,0xf3) @ sha256su0 q11,q8 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - INST(0xe4,0x6c,0x62,0xf3) @ sha256su1 q11,q9,q10 - vld1.32 {q13},[r3]! - vadd.i32 q12,q12,q8 - INST(0xe2,0x03,0xfa,0xf3) @ sha256su0 q8,q9 - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - INST(0xe6,0x0c,0x64,0xf3) @ sha256su1 q8,q10,q11 - vld1.32 {q12},[r3]! 
- vadd.i32 q13,q13,q9 - INST(0xe4,0x23,0xfa,0xf3) @ sha256su0 q9,q10 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - INST(0xe0,0x2c,0x66,0xf3) @ sha256su1 q9,q11,q8 - vld1.32 {q13},[r3]! - vadd.i32 q12,q12,q10 - INST(0xe6,0x43,0xfa,0xf3) @ sha256su0 q10,q11 - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - INST(0xe2,0x4c,0x60,0xf3) @ sha256su1 q10,q8,q9 - vld1.32 {q12},[r3]! - vadd.i32 q13,q13,q11 - INST(0xe0,0x63,0xfa,0xf3) @ sha256su0 q11,q8 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - INST(0xe4,0x6c,0x62,0xf3) @ sha256su1 q11,q9,q10 - vld1.32 {q13},[r3]! - vadd.i32 q12,q12,q8 - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - - vld1.32 {q12},[r3]! - vadd.i32 q13,q13,q9 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - - vld1.32 {q13},[r3] - vadd.i32 q12,q12,q10 - sub r3,r3,#256-16 @ rewind - vmov q2,q0 - INST(0x68,0x0c,0x02,0xf3) @ sha256h q0,q1,q12 - INST(0x68,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q12 - - vadd.i32 q13,q13,q11 - vmov q2,q0 - INST(0x6a,0x0c,0x02,0xf3) @ sha256h q0,q1,q13 - INST(0x6a,0x2c,0x14,0xf3) @ sha256h2 q1,q2,q13 - - vadd.i32 q0,q0,q14 - vadd.i32 q1,q1,q15 - it ne - bne Loop_v8 - - vst1.32 {q0,q1},[r0] - - bx lr @ bx lr - -#endif -.byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // 
!OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S deleted file mode 100644 index 5d456cb4f..000000000 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv4-ios.ios.arm.S +++ /dev/null 
@@ -1,1897 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -@ Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved. -@ -@ Licensed under the OpenSSL license (the "License"). You may not use -@ this file except in compliance with the License. You can obtain a copy -@ in the file LICENSE in the source distribution or at -@ https://www.openssl.org/source/license.html - - -@ ==================================================================== -@ Written by Andy Polyakov for the OpenSSL -@ project. The module is, however, dual licensed under OpenSSL and -@ CRYPTOGAMS licenses depending on where you obtain it. For further -@ details see http://www.openssl.org/~appro/cryptogams/. -@ -@ Permission to use under GPL terms is granted. -@ ==================================================================== - -@ SHA512 block procedure for ARMv4. September 2007. - -@ This code is ~4.5 (four and a half) times faster than code generated -@ by gcc 3.4 and it spends ~72 clock cycles per byte [on single-issue -@ Xscale PXA250 core]. -@ -@ July 2010. -@ -@ Rescheduling for dual-issue pipeline resulted in 6% improvement on -@ Cortex A8 core and ~40 cycles per processed byte. - -@ February 2011. -@ -@ Profiler-assisted and platform-specific optimization resulted in 7% -@ improvement on Coxtex A8 core and ~38 cycles per byte. - -@ March 2011. -@ -@ Add NEON implementation. On Cortex A8 it was measured to process -@ one byte in 23.3 cycles or ~60% faster than integer-only code. - -@ August 2012. -@ -@ Improve NEON performance by 12% on Snapdragon S4. In absolute -@ terms it's 22.6 cycles per byte, which is disappointing result. 
-@ Technical writers asserted that 3-way S4 pipeline can sustain -@ multiple NEON instructions per cycle, but dual NEON issue could -@ not be observed, see http://www.openssl.org/~appro/Snapdragon-S4.html -@ for further details. On side note Cortex-A15 processes one byte in -@ 16 cycles. - -@ Byte order [in]dependence. ========================================= -@ -@ Originally caller was expected to maintain specific *dword* order in -@ h[0-7], namely with most significant dword at *lower* address, which -@ was reflected in below two parameters as 0 and 4. Now caller is -@ expected to maintain native byte order for whole 64-bit values. -#ifndef __KERNEL__ -# include -# define VFP_ABI_PUSH vstmdb sp!,{d8-d15} -# define VFP_ABI_POP vldmia sp!,{d8-d15} -#else -# define __ARM_MAX_ARCH__ 7 -# define VFP_ABI_PUSH -# define VFP_ABI_POP -#endif - -@ Silence ARMv8 deprecated IT instruction warnings. This file is used by both -@ ARMv7 and ARMv8 processors and does not use ARMv8 instructions. - - -#ifdef __ARMEL__ -# define LO 0 -# define HI 4 -# define WORD64(hi0,lo0,hi1,lo1) .word lo0,hi0, lo1,hi1 -#else -# define HI 0 -# define LO 4 -# define WORD64(hi0,lo0,hi1,lo1) .word hi0,lo0, hi1,lo1 -#endif - -.text -#if defined(__thumb2__) -.syntax unified -.thumb -# define adrl adr -#else -.code 32 -#endif - - -.align 5 -K512: - WORD64(0x428a2f98,0xd728ae22, 0x71374491,0x23ef65cd) - WORD64(0xb5c0fbcf,0xec4d3b2f, 0xe9b5dba5,0x8189dbbc) - WORD64(0x3956c25b,0xf348b538, 0x59f111f1,0xb605d019) - WORD64(0x923f82a4,0xaf194f9b, 0xab1c5ed5,0xda6d8118) - WORD64(0xd807aa98,0xa3030242, 0x12835b01,0x45706fbe) - WORD64(0x243185be,0x4ee4b28c, 0x550c7dc3,0xd5ffb4e2) - WORD64(0x72be5d74,0xf27b896f, 0x80deb1fe,0x3b1696b1) - WORD64(0x9bdc06a7,0x25c71235, 0xc19bf174,0xcf692694) - WORD64(0xe49b69c1,0x9ef14ad2, 0xefbe4786,0x384f25e3) - WORD64(0x0fc19dc6,0x8b8cd5b5, 0x240ca1cc,0x77ac9c65) - WORD64(0x2de92c6f,0x592b0275, 0x4a7484aa,0x6ea6e483) - WORD64(0x5cb0a9dc,0xbd41fbd4, 0x76f988da,0x831153b5) - 
WORD64(0x983e5152,0xee66dfab, 0xa831c66d,0x2db43210) - WORD64(0xb00327c8,0x98fb213f, 0xbf597fc7,0xbeef0ee4) - WORD64(0xc6e00bf3,0x3da88fc2, 0xd5a79147,0x930aa725) - WORD64(0x06ca6351,0xe003826f, 0x14292967,0x0a0e6e70) - WORD64(0x27b70a85,0x46d22ffc, 0x2e1b2138,0x5c26c926) - WORD64(0x4d2c6dfc,0x5ac42aed, 0x53380d13,0x9d95b3df) - WORD64(0x650a7354,0x8baf63de, 0x766a0abb,0x3c77b2a8) - WORD64(0x81c2c92e,0x47edaee6, 0x92722c85,0x1482353b) - WORD64(0xa2bfe8a1,0x4cf10364, 0xa81a664b,0xbc423001) - WORD64(0xc24b8b70,0xd0f89791, 0xc76c51a3,0x0654be30) - WORD64(0xd192e819,0xd6ef5218, 0xd6990624,0x5565a910) - WORD64(0xf40e3585,0x5771202a, 0x106aa070,0x32bbd1b8) - WORD64(0x19a4c116,0xb8d2d0c8, 0x1e376c08,0x5141ab53) - WORD64(0x2748774c,0xdf8eeb99, 0x34b0bcb5,0xe19b48a8) - WORD64(0x391c0cb3,0xc5c95a63, 0x4ed8aa4a,0xe3418acb) - WORD64(0x5b9cca4f,0x7763e373, 0x682e6ff3,0xd6b2b8a3) - WORD64(0x748f82ee,0x5defb2fc, 0x78a5636f,0x43172f60) - WORD64(0x84c87814,0xa1f0ab72, 0x8cc70208,0x1a6439ec) - WORD64(0x90befffa,0x23631e28, 0xa4506ceb,0xde82bde9) - WORD64(0xbef9a3f7,0xb2c67915, 0xc67178f2,0xe372532b) - WORD64(0xca273ece,0xea26619c, 0xd186b8c7,0x21c0c207) - WORD64(0xeada7dd6,0xcde0eb1e, 0xf57d4f7f,0xee6ed178) - WORD64(0x06f067aa,0x72176fba, 0x0a637dc5,0xa2c898a6) - WORD64(0x113f9804,0xbef90dae, 0x1b710b35,0x131c471b) - WORD64(0x28db77f5,0x23047d84, 0x32caab7b,0x40c72493) - WORD64(0x3c9ebe0a,0x15c9bebc, 0x431d67c4,0x9c100d4c) - WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a) - WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) - -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -LOPENSSL_armcap: -.word OPENSSL_armcap_P-Lsha512_block_data_order -.skip 32-4 -#else -.skip 32 -#endif - -.globl _sha512_block_data_order -.private_extern _sha512_block_data_order -#ifdef __thumb2__ -.thumb_func _sha512_block_data_order -#endif -_sha512_block_data_order: -Lsha512_block_data_order: -#if __ARM_ARCH<7 && !defined(__thumb2__) - sub r3,pc,#8 @ _sha512_block_data_order -#else - adr 
r3,Lsha512_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV7_NEON - bne LNEON -#endif - add r2,r1,r2,lsl#7 @ len to point at the end of inp - stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - sub r14,r3,#672 @ K512 - sub sp,sp,#9*8 - - ldr r7,[r0,#32+LO] - ldr r8,[r0,#32+HI] - ldr r9, [r0,#48+LO] - ldr r10, [r0,#48+HI] - ldr r11, [r0,#56+LO] - ldr r12, [r0,#56+HI] -Loop: - str r9, [sp,#48+0] - str r10, [sp,#48+4] - str r11, [sp,#56+0] - str r12, [sp,#56+4] - ldr r5,[r0,#0+LO] - ldr r6,[r0,#0+HI] - ldr r3,[r0,#8+LO] - ldr r4,[r0,#8+HI] - ldr r9, [r0,#16+LO] - ldr r10, [r0,#16+HI] - ldr r11, [r0,#24+LO] - ldr r12, [r0,#24+HI] - str r3,[sp,#8+0] - str r4,[sp,#8+4] - str r9, [sp,#16+0] - str r10, [sp,#16+4] - str r11, [sp,#24+0] - str r12, [sp,#24+4] - ldr r3,[r0,#40+LO] - ldr r4,[r0,#40+HI] - str r3,[sp,#40+0] - str r4,[sp,#40+4] - -L00_15: -#if __ARM_ARCH<7 - ldrb r3,[r1,#7] - ldrb r9, [r1,#6] - ldrb r10, [r1,#5] - ldrb r11, [r1,#4] - ldrb r4,[r1,#3] - ldrb r12, [r1,#2] - orr r3,r3,r9,lsl#8 - ldrb r9, [r1,#1] - orr r3,r3,r10,lsl#16 - ldrb r10, [r1],#8 - orr r3,r3,r11,lsl#24 - orr r4,r4,r12,lsl#8 - orr r4,r4,r9,lsl#16 - orr r4,r4,r10,lsl#24 -#else - ldr r3,[r1,#4] - ldr r4,[r1],#8 -#ifdef __ARMEL__ - rev r3,r3 - rev r4,r4 -#endif -#endif - @ Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) - @ LO lo>>14^hi<<18 ^ lo>>18^hi<<14 ^ hi>>9^lo<<23 - @ HI hi>>14^lo<<18 ^ hi>>18^lo<<14 ^ lo>>9^hi<<23 - mov r9,r7,lsr#14 - str r3,[sp,#64+0] - mov r10,r8,lsr#14 - str r4,[sp,#64+4] - eor r9,r9,r8,lsl#18 - ldr r11,[sp,#56+0] @ h.lo - eor r10,r10,r7,lsl#18 - ldr r12,[sp,#56+4] @ h.hi - eor r9,r9,r7,lsr#18 - eor r10,r10,r8,lsr#18 - eor r9,r9,r8,lsl#14 - eor r10,r10,r7,lsl#14 - eor r9,r9,r8,lsr#9 - eor r10,r10,r7,lsr#9 - eor r9,r9,r7,lsl#23 - eor r10,r10,r8,lsl#23 @ Sigma1(e) - adds r3,r3,r9 - ldr r9,[sp,#40+0] @ f.lo - adc r4,r4,r10 @ T 
+= Sigma1(e) - ldr r10,[sp,#40+4] @ f.hi - adds r3,r3,r11 - ldr r11,[sp,#48+0] @ g.lo - adc r4,r4,r12 @ T += h - ldr r12,[sp,#48+4] @ g.hi - - eor r9,r9,r11 - str r7,[sp,#32+0] - eor r10,r10,r12 - str r8,[sp,#32+4] - and r9,r9,r7 - str r5,[sp,#0+0] - and r10,r10,r8 - str r6,[sp,#0+4] - eor r9,r9,r11 - ldr r11,[r14,#LO] @ K[i].lo - eor r10,r10,r12 @ Ch(e,f,g) - ldr r12,[r14,#HI] @ K[i].hi - - adds r3,r3,r9 - ldr r7,[sp,#24+0] @ d.lo - adc r4,r4,r10 @ T += Ch(e,f,g) - ldr r8,[sp,#24+4] @ d.hi - adds r3,r3,r11 - and r9,r11,#0xff - adc r4,r4,r12 @ T += K[i] - adds r7,r7,r3 - ldr r11,[sp,#8+0] @ b.lo - adc r8,r8,r4 @ d += T - teq r9,#148 - - ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH>=7 - it eq @ Thumb2 thing, sanity check in ARM -#endif - orreq r14,r14,#1 - @ Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) - @ LO lo>>28^hi<<4 ^ hi>>2^lo<<30 ^ hi>>7^lo<<25 - @ HI hi>>28^lo<<4 ^ lo>>2^hi<<30 ^ lo>>7^hi<<25 - mov r9,r5,lsr#28 - mov r10,r6,lsr#28 - eor r9,r9,r6,lsl#4 - eor r10,r10,r5,lsl#4 - eor r9,r9,r6,lsr#2 - eor r10,r10,r5,lsr#2 - eor r9,r9,r5,lsl#30 - eor r10,r10,r6,lsl#30 - eor r9,r9,r6,lsr#7 - eor r10,r10,r5,lsr#7 - eor r9,r9,r5,lsl#25 - eor r10,r10,r6,lsl#25 @ Sigma0(a) - adds r3,r3,r9 - and r9,r5,r11 - adc r4,r4,r10 @ T += Sigma0(a) - - ldr r10,[sp,#8+4] @ b.hi - orr r5,r5,r11 - ldr r11,[sp,#16+4] @ c.hi - and r5,r5,r12 - and r12,r6,r10 - orr r6,r6,r10 - orr r5,r5,r9 @ Maj(a,b,c).lo - and r6,r6,r11 - adds r5,r5,r3 - orr r6,r6,r12 @ Maj(a,b,c).hi - sub sp,sp,#8 - adc r6,r6,r4 @ h += T - tst r14,#1 - add r14,r14,#8 - tst r14,#1 - beq L00_15 - ldr r9,[sp,#184+0] - ldr r10,[sp,#184+4] - bic r14,r14,#1 -L16_79: - @ sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) - @ LO lo>>1^hi<<31 ^ lo>>8^hi<<24 ^ lo>>7^hi<<25 - @ HI hi>>1^lo<<31 ^ hi>>8^lo<<24 ^ hi>>7 - mov r3,r9,lsr#1 - ldr r11,[sp,#80+0] - mov r4,r10,lsr#1 - ldr r12,[sp,#80+4] - eor r3,r3,r10,lsl#31 - eor r4,r4,r9,lsl#31 - eor r3,r3,r9,lsr#8 - eor r4,r4,r10,lsr#8 - eor r3,r3,r10,lsl#24 - eor r4,r4,r9,lsl#24 
- eor r3,r3,r9,lsr#7 - eor r4,r4,r10,lsr#7 - eor r3,r3,r10,lsl#25 - - @ sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) - @ LO lo>>19^hi<<13 ^ hi>>29^lo<<3 ^ lo>>6^hi<<26 - @ HI hi>>19^lo<<13 ^ lo>>29^hi<<3 ^ hi>>6 - mov r9,r11,lsr#19 - mov r10,r12,lsr#19 - eor r9,r9,r12,lsl#13 - eor r10,r10,r11,lsl#13 - eor r9,r9,r12,lsr#29 - eor r10,r10,r11,lsr#29 - eor r9,r9,r11,lsl#3 - eor r10,r10,r12,lsl#3 - eor r9,r9,r11,lsr#6 - eor r10,r10,r12,lsr#6 - ldr r11,[sp,#120+0] - eor r9,r9,r12,lsl#26 - - ldr r12,[sp,#120+4] - adds r3,r3,r9 - ldr r9,[sp,#192+0] - adc r4,r4,r10 - - ldr r10,[sp,#192+4] - adds r3,r3,r11 - adc r4,r4,r12 - adds r3,r3,r9 - adc r4,r4,r10 - @ Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) - @ LO lo>>14^hi<<18 ^ lo>>18^hi<<14 ^ hi>>9^lo<<23 - @ HI hi>>14^lo<<18 ^ hi>>18^lo<<14 ^ lo>>9^hi<<23 - mov r9,r7,lsr#14 - str r3,[sp,#64+0] - mov r10,r8,lsr#14 - str r4,[sp,#64+4] - eor r9,r9,r8,lsl#18 - ldr r11,[sp,#56+0] @ h.lo - eor r10,r10,r7,lsl#18 - ldr r12,[sp,#56+4] @ h.hi - eor r9,r9,r7,lsr#18 - eor r10,r10,r8,lsr#18 - eor r9,r9,r8,lsl#14 - eor r10,r10,r7,lsl#14 - eor r9,r9,r8,lsr#9 - eor r10,r10,r7,lsr#9 - eor r9,r9,r7,lsl#23 - eor r10,r10,r8,lsl#23 @ Sigma1(e) - adds r3,r3,r9 - ldr r9,[sp,#40+0] @ f.lo - adc r4,r4,r10 @ T += Sigma1(e) - ldr r10,[sp,#40+4] @ f.hi - adds r3,r3,r11 - ldr r11,[sp,#48+0] @ g.lo - adc r4,r4,r12 @ T += h - ldr r12,[sp,#48+4] @ g.hi - - eor r9,r9,r11 - str r7,[sp,#32+0] - eor r10,r10,r12 - str r8,[sp,#32+4] - and r9,r9,r7 - str r5,[sp,#0+0] - and r10,r10,r8 - str r6,[sp,#0+4] - eor r9,r9,r11 - ldr r11,[r14,#LO] @ K[i].lo - eor r10,r10,r12 @ Ch(e,f,g) - ldr r12,[r14,#HI] @ K[i].hi - - adds r3,r3,r9 - ldr r7,[sp,#24+0] @ d.lo - adc r4,r4,r10 @ T += Ch(e,f,g) - ldr r8,[sp,#24+4] @ d.hi - adds r3,r3,r11 - and r9,r11,#0xff - adc r4,r4,r12 @ T += K[i] - adds r7,r7,r3 - ldr r11,[sp,#8+0] @ b.lo - adc r8,r8,r4 @ d += T - teq r9,#23 - - ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH>=7 - it eq @ Thumb2 thing, sanity check in ARM -#endif 
- orreq r14,r14,#1 - @ Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) - @ LO lo>>28^hi<<4 ^ hi>>2^lo<<30 ^ hi>>7^lo<<25 - @ HI hi>>28^lo<<4 ^ lo>>2^hi<<30 ^ lo>>7^hi<<25 - mov r9,r5,lsr#28 - mov r10,r6,lsr#28 - eor r9,r9,r6,lsl#4 - eor r10,r10,r5,lsl#4 - eor r9,r9,r6,lsr#2 - eor r10,r10,r5,lsr#2 - eor r9,r9,r5,lsl#30 - eor r10,r10,r6,lsl#30 - eor r9,r9,r6,lsr#7 - eor r10,r10,r5,lsr#7 - eor r9,r9,r5,lsl#25 - eor r10,r10,r6,lsl#25 @ Sigma0(a) - adds r3,r3,r9 - and r9,r5,r11 - adc r4,r4,r10 @ T += Sigma0(a) - - ldr r10,[sp,#8+4] @ b.hi - orr r5,r5,r11 - ldr r11,[sp,#16+4] @ c.hi - and r5,r5,r12 - and r12,r6,r10 - orr r6,r6,r10 - orr r5,r5,r9 @ Maj(a,b,c).lo - and r6,r6,r11 - adds r5,r5,r3 - orr r6,r6,r12 @ Maj(a,b,c).hi - sub sp,sp,#8 - adc r6,r6,r4 @ h += T - tst r14,#1 - add r14,r14,#8 -#if __ARM_ARCH>=7 - ittt eq @ Thumb2 thing, sanity check in ARM -#endif - ldreq r9,[sp,#184+0] - ldreq r10,[sp,#184+4] - beq L16_79 - bic r14,r14,#1 - - ldr r3,[sp,#8+0] - ldr r4,[sp,#8+4] - ldr r9, [r0,#0+LO] - ldr r10, [r0,#0+HI] - ldr r11, [r0,#8+LO] - ldr r12, [r0,#8+HI] - adds r9,r5,r9 - str r9, [r0,#0+LO] - adc r10,r6,r10 - str r10, [r0,#0+HI] - adds r11,r3,r11 - str r11, [r0,#8+LO] - adc r12,r4,r12 - str r12, [r0,#8+HI] - - ldr r5,[sp,#16+0] - ldr r6,[sp,#16+4] - ldr r3,[sp,#24+0] - ldr r4,[sp,#24+4] - ldr r9, [r0,#16+LO] - ldr r10, [r0,#16+HI] - ldr r11, [r0,#24+LO] - ldr r12, [r0,#24+HI] - adds r9,r5,r9 - str r9, [r0,#16+LO] - adc r10,r6,r10 - str r10, [r0,#16+HI] - adds r11,r3,r11 - str r11, [r0,#24+LO] - adc r12,r4,r12 - str r12, [r0,#24+HI] - - ldr r3,[sp,#40+0] - ldr r4,[sp,#40+4] - ldr r9, [r0,#32+LO] - ldr r10, [r0,#32+HI] - ldr r11, [r0,#40+LO] - ldr r12, [r0,#40+HI] - adds r7,r7,r9 - str r7,[r0,#32+LO] - adc r8,r8,r10 - str r8,[r0,#32+HI] - adds r11,r3,r11 - str r11, [r0,#40+LO] - adc r12,r4,r12 - str r12, [r0,#40+HI] - - ldr r5,[sp,#48+0] - ldr r6,[sp,#48+4] - ldr r3,[sp,#56+0] - ldr r4,[sp,#56+4] - ldr r9, [r0,#48+LO] - ldr r10, [r0,#48+HI] - ldr r11, 
[r0,#56+LO] - ldr r12, [r0,#56+HI] - adds r9,r5,r9 - str r9, [r0,#48+LO] - adc r10,r6,r10 - str r10, [r0,#48+HI] - adds r11,r3,r11 - str r11, [r0,#56+LO] - adc r12,r4,r12 - str r12, [r0,#56+HI] - - add sp,sp,#640 - sub r14,r14,#640 - - teq r1,r2 - bne Loop - - add sp,sp,#8*9 @ destroy frame -#if __ARM_ARCH>=5 - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} -#else - ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - tst lr,#1 - moveq pc,lr @ be binary compatible with V4, yet -.word 0xe12fff1e @ interoperable with Thumb ISA:-) -#endif - -#if __ARM_MAX_ARCH__>=7 - - - -.globl _sha512_block_data_order_neon -.private_extern _sha512_block_data_order_neon -#ifdef __thumb2__ -.thumb_func _sha512_block_data_order_neon -#endif -.align 4 -_sha512_block_data_order_neon: -LNEON: - dmb @ errata #451034 on early Cortex A8 - add r2,r1,r2,lsl#7 @ len to point at the end of inp - adr r3,K512 - VFP_ABI_PUSH - vldmia r0,{d16,d17,d18,d19,d20,d21,d22,d23} @ load context -Loop_neon: - vshr.u64 d24,d20,#14 @ 0 -#if 0<16 - vld1.64 {d0},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d20,#18 -#if 0>0 - vadd.i64 d16,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d20,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d20,#50 - vsli.64 d25,d20,#46 - vmov d29,d20 - vsli.64 d26,d20,#23 -#if 0<16 && defined(__ARMEL__) - vrev64.8 d0,d0 -#endif - veor d25,d24 - vbsl d29,d21,d22 @ Ch(e,f,g) - vshr.u64 d24,d16,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d23 - vshr.u64 d25,d16,#34 - vsli.64 d24,d16,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d16,#39 - vadd.i64 d28,d0 - vsli.64 d25,d16,#30 - veor d30,d16,d17 - vsli.64 d26,d16,#25 - veor d23,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d18,d17 @ Maj(a,b,c) - veor d23,d26 @ Sigma0(a) - vadd.i64 d19,d27 - vadd.i64 d30,d27 - @ vadd.i64 d23,d30 - vshr.u64 d24,d19,#14 @ 1 -#if 1<16 - vld1.64 {d1},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d19,#18 -#if 1>0 - vadd.i64 d23,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d19,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d19,#50 - vsli.64 d25,d19,#46 - vmov d29,d19 - vsli.64 d26,d19,#23 -#if 1<16 && defined(__ARMEL__) - vrev64.8 d1,d1 -#endif - veor d25,d24 - vbsl d29,d20,d21 @ Ch(e,f,g) - vshr.u64 d24,d23,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d22 - vshr.u64 d25,d23,#34 - vsli.64 d24,d23,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d23,#39 - vadd.i64 d28,d1 - vsli.64 d25,d23,#30 - veor d30,d23,d16 - vsli.64 d26,d23,#25 - veor d22,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d17,d16 @ Maj(a,b,c) - veor d22,d26 @ Sigma0(a) - vadd.i64 d18,d27 - vadd.i64 d30,d27 - @ vadd.i64 d22,d30 - vshr.u64 d24,d18,#14 @ 2 -#if 2<16 - vld1.64 {d2},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d18,#18 -#if 2>0 - vadd.i64 d22,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d18,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d18,#50 - vsli.64 d25,d18,#46 - vmov d29,d18 - vsli.64 d26,d18,#23 -#if 2<16 && defined(__ARMEL__) - vrev64.8 d2,d2 -#endif - veor d25,d24 - vbsl d29,d19,d20 @ Ch(e,f,g) - vshr.u64 d24,d22,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d21 - vshr.u64 d25,d22,#34 - vsli.64 d24,d22,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d22,#39 - vadd.i64 d28,d2 - vsli.64 d25,d22,#30 - veor d30,d22,d23 - vsli.64 d26,d22,#25 - veor d21,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d16,d23 @ Maj(a,b,c) - veor d21,d26 @ Sigma0(a) - vadd.i64 d17,d27 - vadd.i64 d30,d27 - @ vadd.i64 d21,d30 - vshr.u64 d24,d17,#14 @ 3 -#if 3<16 - vld1.64 {d3},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d17,#18 -#if 3>0 - vadd.i64 d21,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d17,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d17,#50 - vsli.64 d25,d17,#46 - vmov d29,d17 - vsli.64 d26,d17,#23 -#if 3<16 && defined(__ARMEL__) - vrev64.8 d3,d3 -#endif - veor d25,d24 - vbsl d29,d18,d19 @ Ch(e,f,g) - vshr.u64 d24,d21,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d20 - vshr.u64 d25,d21,#34 - vsli.64 d24,d21,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d21,#39 - vadd.i64 d28,d3 - vsli.64 d25,d21,#30 - veor d30,d21,d22 - vsli.64 d26,d21,#25 - veor d20,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d23,d22 @ Maj(a,b,c) - veor d20,d26 @ Sigma0(a) - vadd.i64 d16,d27 - vadd.i64 d30,d27 - @ vadd.i64 d20,d30 - vshr.u64 d24,d16,#14 @ 4 -#if 4<16 - vld1.64 {d4},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d16,#18 -#if 4>0 - vadd.i64 d20,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d16,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d16,#50 - vsli.64 d25,d16,#46 - vmov d29,d16 - vsli.64 d26,d16,#23 -#if 4<16 && defined(__ARMEL__) - vrev64.8 d4,d4 -#endif - veor d25,d24 - vbsl d29,d17,d18 @ Ch(e,f,g) - vshr.u64 d24,d20,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d19 - vshr.u64 d25,d20,#34 - vsli.64 d24,d20,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d20,#39 - vadd.i64 d28,d4 - vsli.64 d25,d20,#30 - veor d30,d20,d21 - vsli.64 d26,d20,#25 - veor d19,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d22,d21 @ Maj(a,b,c) - veor d19,d26 @ Sigma0(a) - vadd.i64 d23,d27 - vadd.i64 d30,d27 - @ vadd.i64 d19,d30 - vshr.u64 d24,d23,#14 @ 5 -#if 5<16 - vld1.64 {d5},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d23,#18 -#if 5>0 - vadd.i64 d19,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d23,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d23,#50 - vsli.64 d25,d23,#46 - vmov d29,d23 - vsli.64 d26,d23,#23 -#if 5<16 && defined(__ARMEL__) - vrev64.8 d5,d5 -#endif - veor d25,d24 - vbsl d29,d16,d17 @ Ch(e,f,g) - vshr.u64 d24,d19,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d18 - vshr.u64 d25,d19,#34 - vsli.64 d24,d19,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d19,#39 - vadd.i64 d28,d5 - vsli.64 d25,d19,#30 - veor d30,d19,d20 - vsli.64 d26,d19,#25 - veor d18,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d21,d20 @ Maj(a,b,c) - veor d18,d26 @ Sigma0(a) - vadd.i64 d22,d27 - vadd.i64 d30,d27 - @ vadd.i64 d18,d30 - vshr.u64 d24,d22,#14 @ 6 -#if 6<16 - vld1.64 {d6},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d22,#18 -#if 6>0 - vadd.i64 d18,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d22,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d22,#50 - vsli.64 d25,d22,#46 - vmov d29,d22 - vsli.64 d26,d22,#23 -#if 6<16 && defined(__ARMEL__) - vrev64.8 d6,d6 -#endif - veor d25,d24 - vbsl d29,d23,d16 @ Ch(e,f,g) - vshr.u64 d24,d18,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d17 - vshr.u64 d25,d18,#34 - vsli.64 d24,d18,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d18,#39 - vadd.i64 d28,d6 - vsli.64 d25,d18,#30 - veor d30,d18,d19 - vsli.64 d26,d18,#25 - veor d17,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d20,d19 @ Maj(a,b,c) - veor d17,d26 @ Sigma0(a) - vadd.i64 d21,d27 - vadd.i64 d30,d27 - @ vadd.i64 d17,d30 - vshr.u64 d24,d21,#14 @ 7 -#if 7<16 - vld1.64 {d7},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d21,#18 -#if 7>0 - vadd.i64 d17,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d21,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d21,#50 - vsli.64 d25,d21,#46 - vmov d29,d21 - vsli.64 d26,d21,#23 -#if 7<16 && defined(__ARMEL__) - vrev64.8 d7,d7 -#endif - veor d25,d24 - vbsl d29,d22,d23 @ Ch(e,f,g) - vshr.u64 d24,d17,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d16 - vshr.u64 d25,d17,#34 - vsli.64 d24,d17,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d17,#39 - vadd.i64 d28,d7 - vsli.64 d25,d17,#30 - veor d30,d17,d18 - vsli.64 d26,d17,#25 - veor d16,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d19,d18 @ Maj(a,b,c) - veor d16,d26 @ Sigma0(a) - vadd.i64 d20,d27 - vadd.i64 d30,d27 - @ vadd.i64 d16,d30 - vshr.u64 d24,d20,#14 @ 8 -#if 8<16 - vld1.64 {d8},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d20,#18 -#if 8>0 - vadd.i64 d16,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d20,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d20,#50 - vsli.64 d25,d20,#46 - vmov d29,d20 - vsli.64 d26,d20,#23 -#if 8<16 && defined(__ARMEL__) - vrev64.8 d8,d8 -#endif - veor d25,d24 - vbsl d29,d21,d22 @ Ch(e,f,g) - vshr.u64 d24,d16,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d23 - vshr.u64 d25,d16,#34 - vsli.64 d24,d16,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d16,#39 - vadd.i64 d28,d8 - vsli.64 d25,d16,#30 - veor d30,d16,d17 - vsli.64 d26,d16,#25 - veor d23,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d18,d17 @ Maj(a,b,c) - veor d23,d26 @ Sigma0(a) - vadd.i64 d19,d27 - vadd.i64 d30,d27 - @ vadd.i64 d23,d30 - vshr.u64 d24,d19,#14 @ 9 -#if 9<16 - vld1.64 {d9},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d19,#18 -#if 9>0 - vadd.i64 d23,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d19,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d19,#50 - vsli.64 d25,d19,#46 - vmov d29,d19 - vsli.64 d26,d19,#23 -#if 9<16 && defined(__ARMEL__) - vrev64.8 d9,d9 -#endif - veor d25,d24 - vbsl d29,d20,d21 @ Ch(e,f,g) - vshr.u64 d24,d23,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d22 - vshr.u64 d25,d23,#34 - vsli.64 d24,d23,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d23,#39 - vadd.i64 d28,d9 - vsli.64 d25,d23,#30 - veor d30,d23,d16 - vsli.64 d26,d23,#25 - veor d22,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d17,d16 @ Maj(a,b,c) - veor d22,d26 @ Sigma0(a) - vadd.i64 d18,d27 - vadd.i64 d30,d27 - @ vadd.i64 d22,d30 - vshr.u64 d24,d18,#14 @ 10 -#if 10<16 - vld1.64 {d10},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d18,#18 -#if 10>0 - vadd.i64 d22,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d18,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d18,#50 - vsli.64 d25,d18,#46 - vmov d29,d18 - vsli.64 d26,d18,#23 -#if 10<16 && defined(__ARMEL__) - vrev64.8 d10,d10 -#endif - veor d25,d24 - vbsl d29,d19,d20 @ Ch(e,f,g) - vshr.u64 d24,d22,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d21 - vshr.u64 d25,d22,#34 - vsli.64 d24,d22,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d22,#39 - vadd.i64 d28,d10 - vsli.64 d25,d22,#30 - veor d30,d22,d23 - vsli.64 d26,d22,#25 - veor d21,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d16,d23 @ Maj(a,b,c) - veor d21,d26 @ Sigma0(a) - vadd.i64 d17,d27 - vadd.i64 d30,d27 - @ vadd.i64 d21,d30 - vshr.u64 d24,d17,#14 @ 11 -#if 11<16 - vld1.64 {d11},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d17,#18 -#if 11>0 - vadd.i64 d21,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d17,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d17,#50 - vsli.64 d25,d17,#46 - vmov d29,d17 - vsli.64 d26,d17,#23 -#if 11<16 && defined(__ARMEL__) - vrev64.8 d11,d11 -#endif - veor d25,d24 - vbsl d29,d18,d19 @ Ch(e,f,g) - vshr.u64 d24,d21,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d20 - vshr.u64 d25,d21,#34 - vsli.64 d24,d21,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d21,#39 - vadd.i64 d28,d11 - vsli.64 d25,d21,#30 - veor d30,d21,d22 - vsli.64 d26,d21,#25 - veor d20,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d23,d22 @ Maj(a,b,c) - veor d20,d26 @ Sigma0(a) - vadd.i64 d16,d27 - vadd.i64 d30,d27 - @ vadd.i64 d20,d30 - vshr.u64 d24,d16,#14 @ 12 -#if 12<16 - vld1.64 {d12},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d16,#18 -#if 12>0 - vadd.i64 d20,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d16,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d16,#50 - vsli.64 d25,d16,#46 - vmov d29,d16 - vsli.64 d26,d16,#23 -#if 12<16 && defined(__ARMEL__) - vrev64.8 d12,d12 -#endif - veor d25,d24 - vbsl d29,d17,d18 @ Ch(e,f,g) - vshr.u64 d24,d20,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d19 - vshr.u64 d25,d20,#34 - vsli.64 d24,d20,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d20,#39 - vadd.i64 d28,d12 - vsli.64 d25,d20,#30 - veor d30,d20,d21 - vsli.64 d26,d20,#25 - veor d19,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d22,d21 @ Maj(a,b,c) - veor d19,d26 @ Sigma0(a) - vadd.i64 d23,d27 - vadd.i64 d30,d27 - @ vadd.i64 d19,d30 - vshr.u64 d24,d23,#14 @ 13 -#if 13<16 - vld1.64 {d13},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d23,#18 -#if 13>0 - vadd.i64 d19,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d23,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d23,#50 - vsli.64 d25,d23,#46 - vmov d29,d23 - vsli.64 d26,d23,#23 -#if 13<16 && defined(__ARMEL__) - vrev64.8 d13,d13 -#endif - veor d25,d24 - vbsl d29,d16,d17 @ Ch(e,f,g) - vshr.u64 d24,d19,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d18 - vshr.u64 d25,d19,#34 - vsli.64 d24,d19,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d19,#39 - vadd.i64 d28,d13 - vsli.64 d25,d19,#30 - veor d30,d19,d20 - vsli.64 d26,d19,#25 - veor d18,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d21,d20 @ Maj(a,b,c) - veor d18,d26 @ Sigma0(a) - vadd.i64 d22,d27 - vadd.i64 d30,d27 - @ vadd.i64 d18,d30 - vshr.u64 d24,d22,#14 @ 14 -#if 14<16 - vld1.64 {d14},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d22,#18 -#if 14>0 - vadd.i64 d18,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d22,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d22,#50 - vsli.64 d25,d22,#46 - vmov d29,d22 - vsli.64 d26,d22,#23 -#if 14<16 && defined(__ARMEL__) - vrev64.8 d14,d14 -#endif - veor d25,d24 - vbsl d29,d23,d16 @ Ch(e,f,g) - vshr.u64 d24,d18,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d17 - vshr.u64 d25,d18,#34 - vsli.64 d24,d18,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d18,#39 - vadd.i64 d28,d14 - vsli.64 d25,d18,#30 - veor d30,d18,d19 - vsli.64 d26,d18,#25 - veor d17,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d20,d19 @ Maj(a,b,c) - veor d17,d26 @ Sigma0(a) - vadd.i64 d21,d27 - vadd.i64 d30,d27 - @ vadd.i64 d17,d30 - vshr.u64 d24,d21,#14 @ 15 -#if 15<16 - vld1.64 {d15},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d21,#18 -#if 15>0 - vadd.i64 d17,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d21,#41 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d21,#50 - vsli.64 d25,d21,#46 - vmov d29,d21 - vsli.64 d26,d21,#23 -#if 15<16 && defined(__ARMEL__) - vrev64.8 d15,d15 -#endif - veor d25,d24 - vbsl d29,d22,d23 @ Ch(e,f,g) - vshr.u64 d24,d17,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d16 - vshr.u64 d25,d17,#34 - vsli.64 d24,d17,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d17,#39 - vadd.i64 d28,d15 - vsli.64 d25,d17,#30 - veor d30,d17,d18 - vsli.64 d26,d17,#25 - veor d16,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d19,d18 @ Maj(a,b,c) - veor d16,d26 @ Sigma0(a) - vadd.i64 d20,d27 - vadd.i64 d30,d27 - @ vadd.i64 d16,d30 - mov r12,#4 -L16_79_neon: - subs r12,#1 - vshr.u64 q12,q7,#19 - vshr.u64 q13,q7,#61 - vadd.i64 d16,d30 @ h+=Maj from the past - vshr.u64 q15,q7,#6 - vsli.64 q12,q7,#45 - vext.8 q14,q0,q1,#8 @ X[i+1] - vsli.64 q13,q7,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q0,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q4,q5,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d20,#14 @ from NEON_00_15 - vadd.i64 q0,q14 - vshr.u64 d25,d20,#18 @ from NEON_00_15 - veor q15,q13 @ sigma0(X[i+1]) - vshr.u64 d26,d20,#41 @ from NEON_00_15 - vadd.i64 q0,q15 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d20,#50 - vsli.64 d25,d20,#46 - vmov d29,d20 - vsli.64 d26,d20,#23 -#if 16<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d21,d22 @ Ch(e,f,g) - vshr.u64 d24,d16,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d23 - vshr.u64 d25,d16,#34 - vsli.64 d24,d16,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d16,#39 - vadd.i64 d28,d0 - vsli.64 d25,d16,#30 - veor d30,d16,d17 - vsli.64 d26,d16,#25 - veor d23,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d18,d17 @ Maj(a,b,c) - veor d23,d26 @ Sigma0(a) - vadd.i64 d19,d27 - vadd.i64 d30,d27 - @ vadd.i64 d23,d30 - vshr.u64 d24,d19,#14 @ 17 -#if 17<16 - vld1.64 {d1},[r1]! 
@ handles unaligned -#endif - vshr.u64 d25,d19,#18 -#if 17>0 - vadd.i64 d23,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d19,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d19,#50 - vsli.64 d25,d19,#46 - vmov d29,d19 - vsli.64 d26,d19,#23 -#if 17<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d20,d21 @ Ch(e,f,g) - vshr.u64 d24,d23,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d22 - vshr.u64 d25,d23,#34 - vsli.64 d24,d23,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d23,#39 - vadd.i64 d28,d1 - vsli.64 d25,d23,#30 - veor d30,d23,d16 - vsli.64 d26,d23,#25 - veor d22,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d17,d16 @ Maj(a,b,c) - veor d22,d26 @ Sigma0(a) - vadd.i64 d18,d27 - vadd.i64 d30,d27 - @ vadd.i64 d22,d30 - vshr.u64 q12,q0,#19 - vshr.u64 q13,q0,#61 - vadd.i64 d22,d30 @ h+=Maj from the past - vshr.u64 q15,q0,#6 - vsli.64 q12,q0,#45 - vext.8 q14,q1,q2,#8 @ X[i+1] - vsli.64 q13,q0,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q1,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q5,q6,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d18,#14 @ from NEON_00_15 - vadd.i64 q1,q14 - vshr.u64 d25,d18,#18 @ from NEON_00_15 - veor q15,q13 @ sigma0(X[i+1]) - vshr.u64 d26,d18,#41 @ from NEON_00_15 - vadd.i64 q1,q15 - vld1.64 {d28},[r3,:64]! 
@ K[i++] - vsli.64 d24,d18,#50 - vsli.64 d25,d18,#46 - vmov d29,d18 - vsli.64 d26,d18,#23 -#if 18<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d19,d20 @ Ch(e,f,g) - vshr.u64 d24,d22,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d21 - vshr.u64 d25,d22,#34 - vsli.64 d24,d22,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d22,#39 - vadd.i64 d28,d2 - vsli.64 d25,d22,#30 - veor d30,d22,d23 - vsli.64 d26,d22,#25 - veor d21,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d16,d23 @ Maj(a,b,c) - veor d21,d26 @ Sigma0(a) - vadd.i64 d17,d27 - vadd.i64 d30,d27 - @ vadd.i64 d21,d30 - vshr.u64 d24,d17,#14 @ 19 -#if 19<16 - vld1.64 {d3},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d17,#18 -#if 19>0 - vadd.i64 d21,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d17,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d17,#50 - vsli.64 d25,d17,#46 - vmov d29,d17 - vsli.64 d26,d17,#23 -#if 19<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d18,d19 @ Ch(e,f,g) - vshr.u64 d24,d21,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d20 - vshr.u64 d25,d21,#34 - vsli.64 d24,d21,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d21,#39 - vadd.i64 d28,d3 - vsli.64 d25,d21,#30 - veor d30,d21,d22 - vsli.64 d26,d21,#25 - veor d20,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d23,d22 @ Maj(a,b,c) - veor d20,d26 @ Sigma0(a) - vadd.i64 d16,d27 - vadd.i64 d30,d27 - @ vadd.i64 d20,d30 - vshr.u64 q12,q1,#19 - vshr.u64 q13,q1,#61 - vadd.i64 d20,d30 @ h+=Maj from the past - vshr.u64 q15,q1,#6 - vsli.64 q12,q1,#45 - vext.8 q14,q2,q3,#8 @ X[i+1] - vsli.64 q13,q1,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q2,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q6,q7,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d16,#14 @ from NEON_00_15 - vadd.i64 q2,q14 - vshr.u64 d25,d16,#18 @ from NEON_00_15 - veor q15,q13 @ sigma0(X[i+1]) - vshr.u64 d26,d16,#41 @ from NEON_00_15 - vadd.i64 q2,q15 - vld1.64 
{d28},[r3,:64]! @ K[i++] - vsli.64 d24,d16,#50 - vsli.64 d25,d16,#46 - vmov d29,d16 - vsli.64 d26,d16,#23 -#if 20<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d17,d18 @ Ch(e,f,g) - vshr.u64 d24,d20,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d19 - vshr.u64 d25,d20,#34 - vsli.64 d24,d20,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d20,#39 - vadd.i64 d28,d4 - vsli.64 d25,d20,#30 - veor d30,d20,d21 - vsli.64 d26,d20,#25 - veor d19,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d22,d21 @ Maj(a,b,c) - veor d19,d26 @ Sigma0(a) - vadd.i64 d23,d27 - vadd.i64 d30,d27 - @ vadd.i64 d19,d30 - vshr.u64 d24,d23,#14 @ 21 -#if 21<16 - vld1.64 {d5},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d23,#18 -#if 21>0 - vadd.i64 d19,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d23,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d23,#50 - vsli.64 d25,d23,#46 - vmov d29,d23 - vsli.64 d26,d23,#23 -#if 21<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d16,d17 @ Ch(e,f,g) - vshr.u64 d24,d19,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d18 - vshr.u64 d25,d19,#34 - vsli.64 d24,d19,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d19,#39 - vadd.i64 d28,d5 - vsli.64 d25,d19,#30 - veor d30,d19,d20 - vsli.64 d26,d19,#25 - veor d18,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d21,d20 @ Maj(a,b,c) - veor d18,d26 @ Sigma0(a) - vadd.i64 d22,d27 - vadd.i64 d30,d27 - @ vadd.i64 d18,d30 - vshr.u64 q12,q2,#19 - vshr.u64 q13,q2,#61 - vadd.i64 d18,d30 @ h+=Maj from the past - vshr.u64 q15,q2,#6 - vsli.64 q12,q2,#45 - vext.8 q14,q3,q4,#8 @ X[i+1] - vsli.64 q13,q2,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q3,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q7,q0,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d22,#14 @ from NEON_00_15 - vadd.i64 q3,q14 - vshr.u64 d25,d22,#18 @ from NEON_00_15 - veor q15,q13 @ sigma0(X[i+1]) - vshr.u64 d26,d22,#41 @ from NEON_00_15 - vadd.i64 
q3,q15 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d22,#50 - vsli.64 d25,d22,#46 - vmov d29,d22 - vsli.64 d26,d22,#23 -#if 22<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d23,d16 @ Ch(e,f,g) - vshr.u64 d24,d18,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d17 - vshr.u64 d25,d18,#34 - vsli.64 d24,d18,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d18,#39 - vadd.i64 d28,d6 - vsli.64 d25,d18,#30 - veor d30,d18,d19 - vsli.64 d26,d18,#25 - veor d17,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d20,d19 @ Maj(a,b,c) - veor d17,d26 @ Sigma0(a) - vadd.i64 d21,d27 - vadd.i64 d30,d27 - @ vadd.i64 d17,d30 - vshr.u64 d24,d21,#14 @ 23 -#if 23<16 - vld1.64 {d7},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d21,#18 -#if 23>0 - vadd.i64 d17,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d21,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d21,#50 - vsli.64 d25,d21,#46 - vmov d29,d21 - vsli.64 d26,d21,#23 -#if 23<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d22,d23 @ Ch(e,f,g) - vshr.u64 d24,d17,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d16 - vshr.u64 d25,d17,#34 - vsli.64 d24,d17,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d17,#39 - vadd.i64 d28,d7 - vsli.64 d25,d17,#30 - veor d30,d17,d18 - vsli.64 d26,d17,#25 - veor d16,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d19,d18 @ Maj(a,b,c) - veor d16,d26 @ Sigma0(a) - vadd.i64 d20,d27 - vadd.i64 d30,d27 - @ vadd.i64 d16,d30 - vshr.u64 q12,q3,#19 - vshr.u64 q13,q3,#61 - vadd.i64 d16,d30 @ h+=Maj from the past - vshr.u64 q15,q3,#6 - vsli.64 q12,q3,#45 - vext.8 q14,q4,q5,#8 @ X[i+1] - vsli.64 q13,q3,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q4,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q0,q1,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d20,#14 @ from NEON_00_15 - vadd.i64 q4,q14 - vshr.u64 d25,d20,#18 @ from NEON_00_15 - veor q15,q13 @ sigma0(X[i+1]) - vshr.u64 d26,d20,#41 @ from 
NEON_00_15 - vadd.i64 q4,q15 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d20,#50 - vsli.64 d25,d20,#46 - vmov d29,d20 - vsli.64 d26,d20,#23 -#if 24<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d21,d22 @ Ch(e,f,g) - vshr.u64 d24,d16,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d23 - vshr.u64 d25,d16,#34 - vsli.64 d24,d16,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d16,#39 - vadd.i64 d28,d8 - vsli.64 d25,d16,#30 - veor d30,d16,d17 - vsli.64 d26,d16,#25 - veor d23,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d18,d17 @ Maj(a,b,c) - veor d23,d26 @ Sigma0(a) - vadd.i64 d19,d27 - vadd.i64 d30,d27 - @ vadd.i64 d23,d30 - vshr.u64 d24,d19,#14 @ 25 -#if 25<16 - vld1.64 {d9},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d19,#18 -#if 25>0 - vadd.i64 d23,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d19,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d19,#50 - vsli.64 d25,d19,#46 - vmov d29,d19 - vsli.64 d26,d19,#23 -#if 25<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d20,d21 @ Ch(e,f,g) - vshr.u64 d24,d23,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d22 - vshr.u64 d25,d23,#34 - vsli.64 d24,d23,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d23,#39 - vadd.i64 d28,d9 - vsli.64 d25,d23,#30 - veor d30,d23,d16 - vsli.64 d26,d23,#25 - veor d22,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d17,d16 @ Maj(a,b,c) - veor d22,d26 @ Sigma0(a) - vadd.i64 d18,d27 - vadd.i64 d30,d27 - @ vadd.i64 d22,d30 - vshr.u64 q12,q4,#19 - vshr.u64 q13,q4,#61 - vadd.i64 d22,d30 @ h+=Maj from the past - vshr.u64 q15,q4,#6 - vsli.64 q12,q4,#45 - vext.8 q14,q5,q6,#8 @ X[i+1] - vsli.64 q13,q4,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q5,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q1,q2,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d18,#14 @ from NEON_00_15 - vadd.i64 q5,q14 - vshr.u64 d25,d18,#18 @ from NEON_00_15 - veor q15,q13 @ sigma0(X[i+1]) - vshr.u64 
d26,d18,#41 @ from NEON_00_15 - vadd.i64 q5,q15 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d18,#50 - vsli.64 d25,d18,#46 - vmov d29,d18 - vsli.64 d26,d18,#23 -#if 26<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d19,d20 @ Ch(e,f,g) - vshr.u64 d24,d22,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d21 - vshr.u64 d25,d22,#34 - vsli.64 d24,d22,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d22,#39 - vadd.i64 d28,d10 - vsli.64 d25,d22,#30 - veor d30,d22,d23 - vsli.64 d26,d22,#25 - veor d21,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d16,d23 @ Maj(a,b,c) - veor d21,d26 @ Sigma0(a) - vadd.i64 d17,d27 - vadd.i64 d30,d27 - @ vadd.i64 d21,d30 - vshr.u64 d24,d17,#14 @ 27 -#if 27<16 - vld1.64 {d11},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d17,#18 -#if 27>0 - vadd.i64 d21,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d17,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d17,#50 - vsli.64 d25,d17,#46 - vmov d29,d17 - vsli.64 d26,d17,#23 -#if 27<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d18,d19 @ Ch(e,f,g) - vshr.u64 d24,d21,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d20 - vshr.u64 d25,d21,#34 - vsli.64 d24,d21,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d21,#39 - vadd.i64 d28,d11 - vsli.64 d25,d21,#30 - veor d30,d21,d22 - vsli.64 d26,d21,#25 - veor d20,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d23,d22 @ Maj(a,b,c) - veor d20,d26 @ Sigma0(a) - vadd.i64 d16,d27 - vadd.i64 d30,d27 - @ vadd.i64 d20,d30 - vshr.u64 q12,q5,#19 - vshr.u64 q13,q5,#61 - vadd.i64 d20,d30 @ h+=Maj from the past - vshr.u64 q15,q5,#6 - vsli.64 q12,q5,#45 - vext.8 q14,q6,q7,#8 @ X[i+1] - vsli.64 q13,q5,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q6,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q2,q3,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d16,#14 @ from NEON_00_15 - vadd.i64 q6,q14 - vshr.u64 d25,d16,#18 @ from NEON_00_15 - veor q15,q13 @ 
sigma0(X[i+1]) - vshr.u64 d26,d16,#41 @ from NEON_00_15 - vadd.i64 q6,q15 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d16,#50 - vsli.64 d25,d16,#46 - vmov d29,d16 - vsli.64 d26,d16,#23 -#if 28<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d17,d18 @ Ch(e,f,g) - vshr.u64 d24,d20,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d19 - vshr.u64 d25,d20,#34 - vsli.64 d24,d20,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d20,#39 - vadd.i64 d28,d12 - vsli.64 d25,d20,#30 - veor d30,d20,d21 - vsli.64 d26,d20,#25 - veor d19,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d22,d21 @ Maj(a,b,c) - veor d19,d26 @ Sigma0(a) - vadd.i64 d23,d27 - vadd.i64 d30,d27 - @ vadd.i64 d19,d30 - vshr.u64 d24,d23,#14 @ 29 -#if 29<16 - vld1.64 {d13},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d23,#18 -#if 29>0 - vadd.i64 d19,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d23,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d23,#50 - vsli.64 d25,d23,#46 - vmov d29,d23 - vsli.64 d26,d23,#23 -#if 29<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d16,d17 @ Ch(e,f,g) - vshr.u64 d24,d19,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d18 - vshr.u64 d25,d19,#34 - vsli.64 d24,d19,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d19,#39 - vadd.i64 d28,d13 - vsli.64 d25,d19,#30 - veor d30,d19,d20 - vsli.64 d26,d19,#25 - veor d18,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d21,d20 @ Maj(a,b,c) - veor d18,d26 @ Sigma0(a) - vadd.i64 d22,d27 - vadd.i64 d30,d27 - @ vadd.i64 d18,d30 - vshr.u64 q12,q6,#19 - vshr.u64 q13,q6,#61 - vadd.i64 d18,d30 @ h+=Maj from the past - vshr.u64 q15,q6,#6 - vsli.64 q12,q6,#45 - vext.8 q14,q7,q0,#8 @ X[i+1] - vsli.64 q13,q6,#3 - veor q15,q12 - vshr.u64 q12,q14,#1 - veor q15,q13 @ sigma1(X[i+14]) - vshr.u64 q13,q14,#8 - vadd.i64 q7,q15 - vshr.u64 q15,q14,#7 - vsli.64 q12,q14,#63 - vsli.64 q13,q14,#56 - vext.8 q14,q3,q4,#8 @ X[i+9] - veor q15,q12 - vshr.u64 d24,d22,#14 @ from NEON_00_15 - vadd.i64 q7,q14 - vshr.u64 d25,d22,#18 @ from NEON_00_15 - 
veor q15,q13 @ sigma0(X[i+1]) - vshr.u64 d26,d22,#41 @ from NEON_00_15 - vadd.i64 q7,q15 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d22,#50 - vsli.64 d25,d22,#46 - vmov d29,d22 - vsli.64 d26,d22,#23 -#if 30<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d23,d16 @ Ch(e,f,g) - vshr.u64 d24,d18,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d17 - vshr.u64 d25,d18,#34 - vsli.64 d24,d18,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d18,#39 - vadd.i64 d28,d14 - vsli.64 d25,d18,#30 - veor d30,d18,d19 - vsli.64 d26,d18,#25 - veor d17,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d20,d19 @ Maj(a,b,c) - veor d17,d26 @ Sigma0(a) - vadd.i64 d21,d27 - vadd.i64 d30,d27 - @ vadd.i64 d17,d30 - vshr.u64 d24,d21,#14 @ 31 -#if 31<16 - vld1.64 {d15},[r1]! @ handles unaligned -#endif - vshr.u64 d25,d21,#18 -#if 31>0 - vadd.i64 d17,d30 @ h+=Maj from the past -#endif - vshr.u64 d26,d21,#41 - vld1.64 {d28},[r3,:64]! @ K[i++] - vsli.64 d24,d21,#50 - vsli.64 d25,d21,#46 - vmov d29,d21 - vsli.64 d26,d21,#23 -#if 31<16 && defined(__ARMEL__) - vrev64.8 , -#endif - veor d25,d24 - vbsl d29,d22,d23 @ Ch(e,f,g) - vshr.u64 d24,d17,#28 - veor d26,d25 @ Sigma1(e) - vadd.i64 d27,d29,d16 - vshr.u64 d25,d17,#34 - vsli.64 d24,d17,#36 - vadd.i64 d27,d26 - vshr.u64 d26,d17,#39 - vadd.i64 d28,d15 - vsli.64 d25,d17,#30 - veor d30,d17,d18 - vsli.64 d26,d17,#25 - veor d16,d24,d25 - vadd.i64 d27,d28 - vbsl d30,d19,d18 @ Maj(a,b,c) - veor d16,d26 @ Sigma0(a) - vadd.i64 d20,d27 - vadd.i64 d30,d27 - @ vadd.i64 d16,d30 - bne L16_79_neon - - vadd.i64 d16,d30 @ h+=Maj from the past - vldmia r0,{d24,d25,d26,d27,d28,d29,d30,d31} @ load context to temp - vadd.i64 q8,q12 @ vectorized accumulate - vadd.i64 q9,q13 - vadd.i64 q10,q14 - vadd.i64 q11,q15 - vstmia r0,{d16,d17,d18,d19,d20,d21,d22,d23} @ save context - teq r1,r2 - sub r3,#640 @ rewind K512 - bne Loop_neon - - VFP_ABI_POP - bx lr @ .word 0xe12fff1e - -#endif -.byte 
83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm _OPENSSL_armcap_P,4 -.non_lazy_symbol_pointer -OPENSSL_armcap_P: -.indirect_symbol _OPENSSL_armcap_P -.long 0 -.private_extern _OPENSSL_armcap_P -#endif -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif -
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/tls/kdf.c b/Sources/CNIOBoringSSL/crypto/fipsmodule/tls/kdf.c.inc
similarity index 97%
rename from Sources/CNIOBoringSSL/crypto/fipsmodule/tls/kdf.c
rename to Sources/CNIOBoringSSL/crypto/fipsmodule/tls/kdf.c.inc
index 13cfe759d..5ded4a2ed 100644
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/tls/kdf.c
+++ b/Sources/CNIOBoringSSL/crypto/fipsmodule/tls/kdf.c.inc
@@ -189,6 +189,7 @@ int CRYPTO_tls13_hkdf_expand_label(uint8_t *out, size_t out_len,
 uint8_t *hkdf_label = NULL;
 size_t hkdf_label_len;
+ FIPS_service_indicator_lock_state();
 CBB_zero(&cbb);
 if (!CBB_init(&cbb, 2 + 1 + sizeof(kProtocolLabel) - 1 + label_len + 1 + hash_len) ||
@@ -200,12 +201,18 @@ int CRYPTO_tls13_hkdf_expand_label(uint8_t *out, size_t out_len,
 !CBB_add_bytes(&child, hash, hash_len) ||
 !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) {
 CBB_cleanup(&cbb);
+ FIPS_service_indicator_unlock_state();
 return 0;
 }
 const int ret = HKDF_expand(out, out_len, digest, secret, secret_len, hkdf_label, hkdf_label_len);
 OPENSSL_free(hkdf_label);
+
+ FIPS_service_indicator_unlock_state();
+ if (ret) {
+ TLSKDF_verify_service_indicator(digest);
+ }
 return ret;
 }
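Review bot: The new lock/unlock pairing in `CRYPTO_tls13_hkdf_expand_label` is an invariant that every exit path must now uphold, and nothing in the code records why the state is locked; both exits visible here (the `CBB_cleanup` failure path and the final `return ret`) do unlock, but the `||` chain between the two hunks and the start of the function lie outside the hunk, so I could not confirm there is no other return. A comment at the lock would make the intent durable, e.g. `// Lock the indicator so the inner HKDF_expand cannot mark itself approved; the TLS 1.3 KDF is approved as a whole and is marked below only on success.` (my reading of the change — confirm against the module's indicator rules). As a point of style, funnelling both exits through one cleanup label that frees `hkdf_label`, unlocks and returns `ret` would stop a future early return from leaving the indicator locked.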
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S deleted file mode 100644 index 256f03111..000000000 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv7-ios.ios.arm.S +++ /dev/null 
@@ -1,1264 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__APPLE__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) -.syntax unified - - - - -#if defined(__thumb2__) -.thumb -#else -.code 32 -#endif - -.text - - -.align 7 @ totally strategic alignment -_vpaes_consts: -Lk_mc_forward:@ mc_forward -.quad 0x0407060500030201, 0x0C0F0E0D080B0A09 -.quad 0x080B0A0904070605, 0x000302010C0F0E0D -.quad 0x0C0F0E0D080B0A09, 0x0407060500030201 -.quad 0x000302010C0F0E0D, 0x080B0A0904070605 -Lk_mc_backward:@ mc_backward -.quad 0x0605040702010003, 0x0E0D0C0F0A09080B -.quad 0x020100030E0D0C0F, 0x0A09080B06050407 -.quad 0x0E0D0C0F0A09080B, 0x0605040702010003 -.quad 0x0A09080B06050407, 0x020100030E0D0C0F -Lk_sr:@ sr -.quad 0x0706050403020100, 0x0F0E0D0C0B0A0908 -.quad 0x030E09040F0A0500, 0x0B06010C07020D08 -.quad 0x0F060D040B020900, 0x070E050C030A0108 -.quad 0x0B0E0104070A0D00, 0x0306090C0F020508 - -@ -@ "Hot" constants -@ -Lk_inv:@ inv, inva -.quad 0x0E05060F0D080180, 0x040703090A0B0C02 -.quad 0x01040A060F0B0780, 0x030D0E0C02050809 -Lk_ipt:@ input transform (lo, hi) -.quad 0xC2B2E8985A2A7000, 0xCABAE09052227808 -.quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81 -Lk_sbo:@ sbou, sbot -.quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878 -.quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA -Lk_sb1:@ sb1u, sb1t -.quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF -.quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544 -Lk_sb2:@ sb2u, sb2t -.quad 0x69EB88400AE12900, 0xC2A163C8AB82234A -.quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD - -.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,55,32,78,69,79,78,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 -.align 2 - -.align 6 -@@ -@@ 
_aes_preheat -@@ -@@ Fills q9-q15 as specified below. -@@ -#ifdef __thumb2__ -.thumb_func _vpaes_preheat -#endif -.align 4 -_vpaes_preheat: - adr r10, Lk_inv - vmov.i8 q9, #0x0f @ Lk_s0F - vld1.64 {q10,q11}, [r10]! @ Lk_inv - add r10, r10, #64 @ Skip Lk_ipt, Lk_sbo - vld1.64 {q12,q13}, [r10]! @ Lk_sb1 - vld1.64 {q14,q15}, [r10] @ Lk_sb2 - bx lr - -@@ -@@ _aes_encrypt_core -@@ -@@ AES-encrypt q0. -@@ -@@ Inputs: -@@ q0 = input -@@ q9-q15 as in _vpaes_preheat -@@ [r2] = scheduled keys -@@ -@@ Output in q0 -@@ Clobbers q1-q5, r8-r11 -@@ Preserves q6-q8 so you get some local vectors -@@ -@@ -#ifdef __thumb2__ -.thumb_func _vpaes_encrypt_core -#endif -.align 4 -_vpaes_encrypt_core: - mov r9, r2 - ldr r8, [r2,#240] @ pull rounds - adr r11, Lk_ipt - @ vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo - @ vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi - vld1.64 {q2, q3}, [r11] - adr r11, Lk_mc_forward+16 - vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5 # round0 key - vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 - vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 - vtbl.8 d2, {q2}, d2 @ vpshufb %xmm1, %xmm2, %xmm1 - vtbl.8 d3, {q2}, d3 - vtbl.8 d4, {q3}, d0 @ vpshufb %xmm0, %xmm3, %xmm2 - vtbl.8 d5, {q3}, d1 - veor q0, q1, q5 @ vpxor %xmm5, %xmm1, %xmm0 - veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 - - @ .Lenc_entry ends with a bnz instruction which is normally paired with - @ subs in .Lenc_loop. - tst r8, r8 - b Lenc_entry - -.align 4 -Lenc_loop: - @ middle of middle round - add r10, r11, #0x40 - vtbl.8 d8, {q13}, d4 @ vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u - vtbl.8 d9, {q13}, d5 - vld1.64 {q1}, [r11]! 
@ vmovdqa -0x40(%r11,%r10), %xmm1 # Lk_mc_forward[] - vtbl.8 d0, {q12}, d6 @ vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t - vtbl.8 d1, {q12}, d7 - veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k - vtbl.8 d10, {q15}, d4 @ vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u - vtbl.8 d11, {q15}, d5 - veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A - vtbl.8 d4, {q14}, d6 @ vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t - vtbl.8 d5, {q14}, d7 - vld1.64 {q4}, [r10] @ vmovdqa (%r11,%r10), %xmm4 # Lk_mc_backward[] - vtbl.8 d6, {q0}, d2 @ vpshufb %xmm1, %xmm0, %xmm3 # 0 = B - vtbl.8 d7, {q0}, d3 - veor q2, q2, q5 @ vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A - @ Write to q5 instead of q0, so the table and destination registers do - @ not overlap. - vtbl.8 d10, {q0}, d8 @ vpshufb %xmm4, %xmm0, %xmm0 # 3 = D - vtbl.8 d11, {q0}, d9 - veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B - vtbl.8 d8, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C - vtbl.8 d9, {q3}, d3 - @ Here we restore the original q0/q5 usage. - veor q0, q5, q3 @ vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D - and r11, r11, #~(1<<6) @ and $0x30, %r11 # ... 
mod 4 - veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D - subs r8, r8, #1 @ nr-- - -Lenc_entry: - @ top of round - vand q1, q0, q9 @ vpand %xmm0, %xmm9, %xmm1 # 0 = k - vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i - vtbl.8 d10, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k - vtbl.8 d11, {q11}, d3 - veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j - vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i - vtbl.8 d7, {q10}, d1 - vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j - vtbl.8 d9, {q10}, d3 - veor q3, q3, q5 @ vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k - veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k - vtbl.8 d4, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak - vtbl.8 d5, {q10}, d7 - vtbl.8 d6, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak - vtbl.8 d7, {q10}, d9 - veor q2, q2, q1 @ vpxor %xmm1, %xmm2, %xmm2 # 2 = io - veor q3, q3, q0 @ vpxor %xmm0, %xmm3, %xmm3 # 3 = jo - vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5 - bne Lenc_loop - - @ middle of last round - add r10, r11, #0x80 - - adr r11, Lk_sbo - @ Read to q1 instead of q4, so the vtbl.8 instruction below does not - @ overlap table and destination registers. - vld1.64 {q1}, [r11]! @ vmovdqa -0x60(%r10), %xmm4 # 3 : sbou - vld1.64 {q0}, [r11] @ vmovdqa -0x50(%r10), %xmm0 # 0 : sbot Lk_sbo+16 - vtbl.8 d8, {q1}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou - vtbl.8 d9, {q1}, d5 - vld1.64 {q1}, [r10] @ vmovdqa 0x40(%r11,%r10), %xmm1 # Lk_sr[] - @ Write to q2 instead of q0 below, to avoid overlapping table and - @ destination registers. - vtbl.8 d4, {q0}, d6 @ vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t - vtbl.8 d5, {q0}, d7 - veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k - veor q2, q2, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A - @ Here we restore the original q0/q2 usage. 
- vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0 - vtbl.8 d1, {q2}, d3 - bx lr - - -.globl _vpaes_encrypt -.private_extern _vpaes_encrypt -#ifdef __thumb2__ -.thumb_func _vpaes_encrypt -#endif -.align 4 -_vpaes_encrypt: - @ _vpaes_encrypt_core uses r8-r11. Round up to r7-r11 to maintain stack - @ alignment. - stmdb sp!, {r7,r8,r9,r10,r11,lr} - @ _vpaes_encrypt_core uses q4-q5 (d8-d11), which are callee-saved. - vstmdb sp!, {d8,d9,d10,d11} - - vld1.64 {q0}, [r0] - bl _vpaes_preheat - bl _vpaes_encrypt_core - vst1.64 {q0}, [r1] - - vldmia sp!, {d8,d9,d10,d11} - ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return - - -@ -@ Decryption stuff -@ - -.align 4 -_vpaes_decrypt_consts: -Lk_dipt:@ decryption input transform -.quad 0x0F505B040B545F00, 0x154A411E114E451A -.quad 0x86E383E660056500, 0x12771772F491F194 -Lk_dsbo:@ decryption sbox final output -.quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D -.quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C -Lk_dsb9:@ decryption sbox output *9*u, *9*t -.quad 0x851C03539A86D600, 0xCAD51F504F994CC9 -.quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565 -Lk_dsbd:@ decryption sbox output *D*u, *D*t -.quad 0x7D57CCDFE6B1A200, 0xF56E9B13882A4439 -.quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3 -Lk_dsbb:@ decryption sbox output *B*u, *B*t -.quad 0xD022649296B44200, 0x602646F6B0F2D404 -.quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B -Lk_dsbe:@ decryption sbox output *E*u, *E*t -.quad 0x46F2929626D4D000, 0x2242600464B4F6B0 -.quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32 - - -@@ -@@ Decryption core -@@ -@@ Same API as encryption core, except it clobbers q12-q15 rather than using -@@ the values from _vpaes_preheat. q9-q11 must still be set from -@@ _vpaes_preheat. -@@ -#ifdef __thumb2__ -.thumb_func _vpaes_decrypt_core -#endif -.align 4 -_vpaes_decrypt_core: - mov r9, r2 - ldr r8, [r2,#240] @ pull rounds - - @ This function performs shuffles with various constants. The x86_64 - @ version loads them on-demand into %xmm0-%xmm5. 
This does not work well - @ for ARMv7 because those registers are shuffle destinations. The ARMv8 - @ version preloads those constants into registers, but ARMv7 has half - @ the registers to work with. Instead, we load them on-demand into - @ q12-q15, registers normally use for preloaded constants. This is fine - @ because decryption doesn't use those constants. The values are - @ constant, so this does not interfere with potential 2x optimizations. - adr r7, Lk_dipt - - vld1.64 {q12,q13}, [r7] @ vmovdqa Lk_dipt(%rip), %xmm2 # iptlo - lsl r11, r8, #4 @ mov %rax, %r11; shl $4, %r11 - eor r11, r11, #0x30 @ xor $0x30, %r11 - adr r10, Lk_sr - and r11, r11, #0x30 @ and $0x30, %r11 - add r11, r11, r10 - adr r10, Lk_mc_forward+48 - - vld1.64 {q4}, [r9]! @ vmovdqu (%r9), %xmm4 # round0 key - vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 - vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 - vtbl.8 d4, {q12}, d2 @ vpshufb %xmm1, %xmm2, %xmm2 - vtbl.8 d5, {q12}, d3 - vld1.64 {q5}, [r10] @ vmovdqa Lk_mc_forward+48(%rip), %xmm5 - @ vmovdqa .Lk_dipt+16(%rip), %xmm1 # ipthi - vtbl.8 d0, {q13}, d0 @ vpshufb %xmm0, %xmm1, %xmm0 - vtbl.8 d1, {q13}, d1 - veor q2, q2, q4 @ vpxor %xmm4, %xmm2, %xmm2 - veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 - - @ .Ldec_entry ends with a bnz instruction which is normally paired with - @ subs in .Ldec_loop. - tst r8, r8 - b Ldec_entry - -.align 4 -Ldec_loop: -@ -@ Inverse mix columns -@ - - @ We load .Lk_dsb* into q12-q15 on-demand. See the comment at the top of - @ the function. - adr r10, Lk_dsb9 - vld1.64 {q12,q13}, [r10]! @ vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u - @ vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t - @ Load sbd* ahead of time. - vld1.64 {q14,q15}, [r10]! 
@ vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu - @ vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt - vtbl.8 d8, {q12}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u - vtbl.8 d9, {q12}, d5 - vtbl.8 d2, {q13}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t - vtbl.8 d3, {q13}, d7 - veor q0, q4, q0 @ vpxor %xmm4, %xmm0, %xmm0 - - veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch - - @ Load sbb* ahead of time. - vld1.64 {q12,q13}, [r10]! @ vmovdqa 0x20(%r10),%xmm4 # 4 : sbbu - @ vmovdqa 0x30(%r10),%xmm1 # 0 : sbbt - - vtbl.8 d8, {q14}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu - vtbl.8 d9, {q14}, d5 - @ Write to q1 instead of q0, so the table and destination registers do - @ not overlap. - vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch - vtbl.8 d3, {q0}, d11 - @ Here we restore the original q0/q1 usage. This instruction is - @ reordered from the ARMv8 version so we do not clobber the vtbl.8 - @ below. - veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch - vtbl.8 d2, {q15}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt - vtbl.8 d3, {q15}, d7 - @ vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu - veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch - @ vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt - - @ Load sbd* ahead of time. - vld1.64 {q14,q15}, [r10]! @ vmovdqa 0x40(%r10),%xmm4 # 4 : sbeu - @ vmovdqa 0x50(%r10),%xmm1 # 0 : sbet - - vtbl.8 d8, {q12}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu - vtbl.8 d9, {q12}, d5 - @ Write to q1 instead of q0, so the table and destination registers do - @ not overlap. - vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch - vtbl.8 d3, {q0}, d11 - @ Here we restore the original q0/q1 usage. This instruction is - @ reordered from the ARMv8 version so we do not clobber the vtbl.8 - @ below. 
- veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch - vtbl.8 d2, {q13}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt - vtbl.8 d3, {q13}, d7 - veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch - - vtbl.8 d8, {q14}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu - vtbl.8 d9, {q14}, d5 - @ Write to q1 instead of q0, so the table and destination registers do - @ not overlap. - vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch - vtbl.8 d3, {q0}, d11 - @ Here we restore the original q0/q1 usage. This instruction is - @ reordered from the ARMv8 version so we do not clobber the vtbl.8 - @ below. - veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch - vtbl.8 d2, {q15}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet - vtbl.8 d3, {q15}, d7 - vext.8 q5, q5, q5, #12 @ vpalignr $12, %xmm5, %xmm5, %xmm5 - veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch - subs r8, r8, #1 @ sub $1,%rax # nr-- - -Ldec_entry: - @ top of round - vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 # 0 = k - vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i - vtbl.8 d4, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k - vtbl.8 d5, {q11}, d3 - veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j - vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i - vtbl.8 d7, {q10}, d1 - vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j - vtbl.8 d9, {q10}, d3 - veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k - veor q4, q4, q2 @ vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k - vtbl.8 d4, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak - vtbl.8 d5, {q10}, d7 - vtbl.8 d6, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak - vtbl.8 d7, {q10}, d9 - veor q2, q2, q1 @ vpxor %xmm1, %xmm2, %xmm2 # 2 = io - veor q3, q3, q0 @ vpxor %xmm0, %xmm3, %xmm3 # 3 = jo - vld1.64 {q0}, [r9]! @ vmovdqu (%r9), %xmm0 - bne Ldec_loop - - @ middle of last round - - adr r10, Lk_dsbo - - @ Write to q1 rather than q4 to avoid overlapping table and destination. - vld1.64 {q1}, [r10]! 
@ vmovdqa 0x60(%r10), %xmm4 # 3 : sbou - vtbl.8 d8, {q1}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou - vtbl.8 d9, {q1}, d5 - @ Write to q2 rather than q1 to avoid overlapping table and destination. - vld1.64 {q2}, [r10] @ vmovdqa 0x70(%r10), %xmm1 # 0 : sbot - vtbl.8 d2, {q2}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t - vtbl.8 d3, {q2}, d7 - vld1.64 {q2}, [r11] @ vmovdqa -0x160(%r11), %xmm2 # Lk_sr-Lk_dsbd=-0x160 - veor q4, q4, q0 @ vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k - @ Write to q1 rather than q0 so the table and destination registers - @ below do not overlap. - veor q1, q1, q4 @ vpxor %xmm4, %xmm1, %xmm0 # 0 = A - vtbl.8 d0, {q1}, d4 @ vpshufb %xmm2, %xmm0, %xmm0 - vtbl.8 d1, {q1}, d5 - bx lr - - -.globl _vpaes_decrypt -.private_extern _vpaes_decrypt -#ifdef __thumb2__ -.thumb_func _vpaes_decrypt -#endif -.align 4 -_vpaes_decrypt: - @ _vpaes_decrypt_core uses r7-r11. - stmdb sp!, {r7,r8,r9,r10,r11,lr} - @ _vpaes_decrypt_core uses q4-q5 (d8-d11), which are callee-saved. - vstmdb sp!, {d8,d9,d10,d11} - - vld1.64 {q0}, [r0] - bl _vpaes_preheat - bl _vpaes_decrypt_core - vst1.64 {q0}, [r1] - - vldmia sp!, {d8,d9,d10,d11} - ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return - -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ -@@ @@ -@@ AES key schedule @@ -@@ @@ -@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ - -@ This function diverges from both x86_64 and armv7 in which constants are -@ pinned. x86_64 has a common preheat function for all operations. aarch64 -@ separates them because it has enough registers to pin nearly all constants. -@ armv7 does not have enough registers, but needing explicit loads and stores -@ also complicates using x86_64's register allocation directly. -@ -@ We pin some constants for convenience and leave q14 and q15 free to load -@ others on demand. 
- -@ -@ Key schedule constants -@ - -.align 4 -_vpaes_key_consts: -Lk_dksd:@ decryption key schedule: invskew x*D -.quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9 -.quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E -Lk_dksb:@ decryption key schedule: invskew x*B -.quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99 -.quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8 -Lk_dkse:@ decryption key schedule: invskew x*E + 0x63 -.quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086 -.quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487 -Lk_dks9:@ decryption key schedule: invskew x*9 -.quad 0xB6116FC87ED9A700, 0x4AED933482255BFC -.quad 0x4576516227143300, 0x8BB89FACE9DAFDCE - -Lk_rcon:@ rcon -.quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81 - -Lk_opt:@ output transform -.quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808 -.quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0 -Lk_deskew:@ deskew tables: inverts the sbox's "skew" -.quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A -.quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77 - - -#ifdef __thumb2__ -.thumb_func _vpaes_key_preheat -#endif -.align 4 -_vpaes_key_preheat: - adr r11, Lk_rcon - vmov.i8 q12, #0x5b @ Lk_s63 - adr r10, Lk_inv @ Must be aligned to 8 mod 16. - vmov.i8 q9, #0x0f @ Lk_s0F - vld1.64 {q10,q11}, [r10] @ Lk_inv - vld1.64 {q8}, [r11] @ Lk_rcon - bx lr - - -#ifdef __thumb2__ -.thumb_func _vpaes_schedule_core -#endif -.align 4 -_vpaes_schedule_core: - @ We only need to save lr, but ARM requires an 8-byte stack alignment, - @ so save an extra register. - stmdb sp!, {r3,lr} - - bl _vpaes_key_preheat @ load the tables - - adr r11, Lk_ipt @ Must be aligned to 8 mod 16. - vld1.64 {q0}, [r0]! @ vmovdqu (%rdi), %xmm0 # load key (unaligned) - - @ input transform - @ Use q4 here rather than q3 so .Lschedule_am_decrypting does not - @ overlap table and destination. - vmov q4, q0 @ vmovdqa %xmm0, %xmm3 - bl _vpaes_schedule_transform - adr r10, Lk_sr @ Must be aligned to 8 mod 16. 
- vmov q7, q0 @ vmovdqa %xmm0, %xmm7 - - add r8, r8, r10 - tst r3, r3 - bne Lschedule_am_decrypting - - @ encrypting, output zeroth round key after transform - vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx) - b Lschedule_go - -Lschedule_am_decrypting: - @ decrypting, output zeroth round key after shiftrows - vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 - vtbl.8 d6, {q4}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 - vtbl.8 d7, {q4}, d3 - vst1.64 {q3}, [r2] @ vmovdqu %xmm3, (%rdx) - eor r8, r8, #0x30 @ xor $0x30, %r8 - -Lschedule_go: - cmp r1, #192 @ cmp $192, %esi - bhi Lschedule_256 - beq Lschedule_192 - @ 128: fall though - -@@ -@@ .schedule_128 -@@ -@@ 128-bit specific part of key schedule. -@@ -@@ This schedule is really simple, because all its parts -@@ are accomplished by the subroutines. -@@ -Lschedule_128: - mov r0, #10 @ mov $10, %esi - -Loop_schedule_128: - bl _vpaes_schedule_round - subs r0, r0, #1 @ dec %esi - beq Lschedule_mangle_last - bl _vpaes_schedule_mangle @ write output - b Loop_schedule_128 - -@@ -@@ .aes_schedule_192 -@@ -@@ 192-bit specific part of key schedule. -@@ -@@ The main body of this schedule is the same as the 128-bit -@@ schedule, but with more smearing. The long, high side is -@@ stored in q7 as before, and the short, low side is in -@@ the high bits of q6. -@@ -@@ This schedule is somewhat nastier, however, because each -@@ round produces 192 bits of key material, or 1.5 round keys. -@@ Therefore, on each cycle we do 2 rounds and produce 3 round -@@ keys. 
-@@ -.align 4 -Lschedule_192: - sub r0, r0, #8 - vld1.64 {q0}, [r0] @ vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned) - bl _vpaes_schedule_transform @ input transform - vmov q6, q0 @ vmovdqa %xmm0, %xmm6 # save short part - vmov.i8 d12, #0 @ vpxor %xmm4, %xmm4, %xmm4 # clear 4 - @ vmovhlps %xmm4, %xmm6, %xmm6 # clobber low side with zeros - mov r0, #4 @ mov $4, %esi - -Loop_schedule_192: - bl _vpaes_schedule_round - vext.8 q0, q6, q0, #8 @ vpalignr $8,%xmm6,%xmm0,%xmm0 - bl _vpaes_schedule_mangle @ save key n - bl _vpaes_schedule_192_smear - bl _vpaes_schedule_mangle @ save key n+1 - bl _vpaes_schedule_round - subs r0, r0, #1 @ dec %esi - beq Lschedule_mangle_last - bl _vpaes_schedule_mangle @ save key n+2 - bl _vpaes_schedule_192_smear - b Loop_schedule_192 - -@@ -@@ .aes_schedule_256 -@@ -@@ 256-bit specific part of key schedule. -@@ -@@ The structure here is very similar to the 128-bit -@@ schedule, but with an additional "low side" in -@@ q6. The low side's rounds are the same as the -@@ high side's, except no rcon and no rotation. -@@ -.align 4 -Lschedule_256: - vld1.64 {q0}, [r0] @ vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned) - bl _vpaes_schedule_transform @ input transform - mov r0, #7 @ mov $7, %esi - -Loop_schedule_256: - bl _vpaes_schedule_mangle @ output low result - vmov q6, q0 @ vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6 - - @ high round - bl _vpaes_schedule_round - subs r0, r0, #1 @ dec %esi - beq Lschedule_mangle_last - bl _vpaes_schedule_mangle - - @ low round. swap xmm7 and xmm6 - vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0 - vmov.i8 q4, #0 - vmov q5, q7 @ vmovdqa %xmm7, %xmm5 - vmov q7, q6 @ vmovdqa %xmm6, %xmm7 - bl _vpaes_schedule_low_round - vmov q7, q5 @ vmovdqa %xmm5, %xmm7 - - b Loop_schedule_256 - -@@ -@@ .aes_schedule_mangle_last -@@ -@@ Mangler for last round of key schedule -@@ Mangles q0 -@@ when encrypting, outputs out(q0) ^ 63 -@@ when decrypting, outputs unskew(q0) -@@ -@@ Always called right before return... 
jumps to cleanup and exits -@@ -.align 4 -Lschedule_mangle_last: - @ schedule last round key from xmm0 - adr r11, Lk_deskew @ lea Lk_deskew(%rip),%r11 # prepare to deskew - tst r3, r3 - bne Lschedule_mangle_last_dec - - @ encrypting - vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10),%xmm1 - adr r11, Lk_opt @ lea Lk_opt(%rip), %r11 # prepare to output transform - add r2, r2, #32 @ add $32, %rdx - vmov q2, q0 - vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0 # output permute - vtbl.8 d1, {q2}, d3 - -Lschedule_mangle_last_dec: - sub r2, r2, #16 @ add $-16, %rdx - veor q0, q0, q12 @ vpxor Lk_s63(%rip), %xmm0, %xmm0 - bl _vpaes_schedule_transform @ output transform - vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx) # save last key - - @ cleanup - veor q0, q0, q0 @ vpxor %xmm0, %xmm0, %xmm0 - veor q1, q1, q1 @ vpxor %xmm1, %xmm1, %xmm1 - veor q2, q2, q2 @ vpxor %xmm2, %xmm2, %xmm2 - veor q3, q3, q3 @ vpxor %xmm3, %xmm3, %xmm3 - veor q4, q4, q4 @ vpxor %xmm4, %xmm4, %xmm4 - veor q5, q5, q5 @ vpxor %xmm5, %xmm5, %xmm5 - veor q6, q6, q6 @ vpxor %xmm6, %xmm6, %xmm6 - veor q7, q7, q7 @ vpxor %xmm7, %xmm7, %xmm7 - ldmia sp!, {r3,pc} @ return - - -@@ -@@ .aes_schedule_192_smear -@@ -@@ Smear the short, low side in the 192-bit key schedule. 
-@@ -@@ Inputs: -@@ q7: high side, b a x y -@@ q6: low side, d c 0 0 -@@ -@@ Outputs: -@@ q6: b+c+d b+c 0 0 -@@ q0: b+c+d b+c b a -@@ -#ifdef __thumb2__ -.thumb_func _vpaes_schedule_192_smear -#endif -.align 4 -_vpaes_schedule_192_smear: - vmov.i8 q1, #0 - vdup.32 q0, d15[1] - vshl.i64 q1, q6, #32 @ vpshufd $0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0 - vmov d0, d15 @ vpshufd $0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a - veor q6, q6, q1 @ vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0 - veor q1, q1, q1 @ vpxor %xmm1, %xmm1, %xmm1 - veor q6, q6, q0 @ vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a - vmov q0, q6 @ vmovdqa %xmm6, %xmm0 - vmov d12, d2 @ vmovhlps %xmm1, %xmm6, %xmm6 # clobber low side with zeros - bx lr - - -@@ -@@ .aes_schedule_round -@@ -@@ Runs one main round of the key schedule on q0, q7 -@@ -@@ Specifically, runs subbytes on the high dword of q0 -@@ then rotates it by one byte and xors into the low dword of -@@ q7. -@@ -@@ Adds rcon from low byte of q8, then rotates q8 for -@@ next rcon. -@@ -@@ Smears the dwords of q7 by xoring the low into the -@@ second low, result into third, result into highest. -@@ -@@ Returns results in q7 = q0. -@@ Clobbers q1-q4, r11. -@@ -#ifdef __thumb2__ -.thumb_func _vpaes_schedule_round -#endif -.align 4 -_vpaes_schedule_round: - @ extract rcon from xmm8 - vmov.i8 q4, #0 @ vpxor %xmm4, %xmm4, %xmm4 - vext.8 q1, q8, q4, #15 @ vpalignr $15, %xmm8, %xmm4, %xmm1 - vext.8 q8, q8, q8, #15 @ vpalignr $15, %xmm8, %xmm8, %xmm8 - veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7 - - @ rotate - vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0 - vext.8 q0, q0, q0, #1 @ vpalignr $1, %xmm0, %xmm0, %xmm0 - - @ fall through... - - @ low round: same as high round, but no rotation and no rcon. -_vpaes_schedule_low_round: - @ The x86_64 version pins .Lk_sb1 in %xmm13 and .Lk_sb1+16 in %xmm12. - @ We pin other values in _vpaes_key_preheat, so load them now. 
- adr r11, Lk_sb1 - vld1.64 {q14,q15}, [r11] - - @ smear xmm7 - vext.8 q1, q4, q7, #12 @ vpslldq $4, %xmm7, %xmm1 - veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7 - vext.8 q4, q4, q7, #8 @ vpslldq $8, %xmm7, %xmm4 - - @ subbytes - vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 # 0 = k - vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i - veor q7, q7, q4 @ vpxor %xmm4, %xmm7, %xmm7 - vtbl.8 d4, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k - vtbl.8 d5, {q11}, d3 - veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j - vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i - vtbl.8 d7, {q10}, d1 - veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k - vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j - vtbl.8 d9, {q10}, d3 - veor q7, q7, q12 @ vpxor Lk_s63(%rip), %xmm7, %xmm7 - vtbl.8 d6, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak - vtbl.8 d7, {q10}, d7 - veor q4, q4, q2 @ vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k - vtbl.8 d4, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak - vtbl.8 d5, {q10}, d9 - veor q3, q3, q1 @ vpxor %xmm1, %xmm3, %xmm3 # 2 = io - veor q2, q2, q0 @ vpxor %xmm0, %xmm2, %xmm2 # 3 = jo - vtbl.8 d8, {q15}, d6 @ vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou - vtbl.8 d9, {q15}, d7 - vtbl.8 d2, {q14}, d4 @ vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t - vtbl.8 d3, {q14}, d5 - veor q1, q1, q4 @ vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output - - @ add in smeared stuff - veor q0, q1, q7 @ vpxor %xmm7, %xmm1, %xmm0 - veor q7, q1, q7 @ vmovdqa %xmm0, %xmm7 - bx lr - - -@@ -@@ .aes_schedule_transform -@@ -@@ Linear-transform q0 according to tables at [r11] -@@ -@@ Requires that q9 = 0x0F0F... 
as in preheat -@@ Output in q0 -@@ Clobbers q1, q2, q14, q15 -@@ -#ifdef __thumb2__ -.thumb_func _vpaes_schedule_transform -#endif -.align 4 -_vpaes_schedule_transform: - vld1.64 {q14,q15}, [r11] @ vmovdqa (%r11), %xmm2 # lo - @ vmovdqa 16(%r11), %xmm1 # hi - vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 - vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 - vtbl.8 d4, {q14}, d2 @ vpshufb %xmm1, %xmm2, %xmm2 - vtbl.8 d5, {q14}, d3 - vtbl.8 d0, {q15}, d0 @ vpshufb %xmm0, %xmm1, %xmm0 - vtbl.8 d1, {q15}, d1 - veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 - bx lr - - -@@ -@@ .aes_schedule_mangle -@@ -@@ Mangles q0 from (basis-transformed) standard version -@@ to our version. -@@ -@@ On encrypt, -@@ xor with 0x63 -@@ multiply by circulant 0,1,1,1 -@@ apply shiftrows transform -@@ -@@ On decrypt, -@@ xor with 0x63 -@@ multiply by "inverse mixcolumns" circulant E,B,D,9 -@@ deskew -@@ apply shiftrows transform -@@ -@@ -@@ Writes out to [r2], and increments or decrements it -@@ Keeps track of round number mod 4 in r8 -@@ Preserves q0 -@@ Clobbers q1-q5 -@@ -#ifdef __thumb2__ -.thumb_func _vpaes_schedule_mangle -#endif -.align 4 -_vpaes_schedule_mangle: - tst r3, r3 - vmov q4, q0 @ vmovdqa %xmm0, %xmm4 # save xmm0 for later - adr r11, Lk_mc_forward @ Must be aligned to 8 mod 16. - vld1.64 {q5}, [r11] @ vmovdqa Lk_mc_forward(%rip),%xmm5 - bne Lschedule_mangle_dec - - @ encrypting - @ Write to q2 so we do not overlap table and destination below. 
- veor q2, q0, q12 @ vpxor Lk_s63(%rip), %xmm0, %xmm4 - add r2, r2, #16 @ add $16, %rdx - vtbl.8 d8, {q2}, d10 @ vpshufb %xmm5, %xmm4, %xmm4 - vtbl.8 d9, {q2}, d11 - vtbl.8 d2, {q4}, d10 @ vpshufb %xmm5, %xmm4, %xmm1 - vtbl.8 d3, {q4}, d11 - vtbl.8 d6, {q1}, d10 @ vpshufb %xmm5, %xmm1, %xmm3 - vtbl.8 d7, {q1}, d11 - veor q4, q4, q1 @ vpxor %xmm1, %xmm4, %xmm4 - vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 - veor q3, q3, q4 @ vpxor %xmm4, %xmm3, %xmm3 - - b Lschedule_mangle_both -.align 4 -Lschedule_mangle_dec: - @ inverse mix columns - adr r11, Lk_dksd @ lea Lk_dksd(%rip),%r11 - vshr.u8 q1, q4, #4 @ vpsrlb $4, %xmm4, %xmm1 # 1 = hi - vand q4, q4, q9 @ vpand %xmm9, %xmm4, %xmm4 # 4 = lo - - vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x00(%r11), %xmm2 - @ vmovdqa 0x10(%r11), %xmm3 - vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 - vtbl.8 d5, {q14}, d9 - vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 - vtbl.8 d7, {q15}, d3 - @ Load .Lk_dksb ahead of time. - vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x20(%r11), %xmm2 - @ vmovdqa 0x30(%r11), %xmm3 - @ Write to q13 so we do not overlap table and destination. - veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 - vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 - vtbl.8 d7, {q13}, d11 - - vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 - vtbl.8 d5, {q14}, d9 - veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 - vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 - vtbl.8 d7, {q15}, d3 - @ Load .Lk_dkse ahead of time. - vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x40(%r11), %xmm2 - @ vmovdqa 0x50(%r11), %xmm3 - @ Write to q13 so we do not overlap table and destination. - veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 - vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 - vtbl.8 d7, {q13}, d11 - - vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 - vtbl.8 d5, {q14}, d9 - veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 - vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 - vtbl.8 d7, {q15}, d3 - @ Load .Lk_dkse ahead of time. 
- vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x60(%r11), %xmm2 - @ vmovdqa 0x70(%r11), %xmm4 - @ Write to q13 so we do not overlap table and destination. - veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 - - vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 - vtbl.8 d5, {q14}, d9 - vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 - vtbl.8 d7, {q13}, d11 - vtbl.8 d8, {q15}, d2 @ vpshufb %xmm1, %xmm4, %xmm4 - vtbl.8 d9, {q15}, d3 - vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 - veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 - veor q3, q4, q2 @ vpxor %xmm2, %xmm4, %xmm3 - - sub r2, r2, #16 @ add $-16, %rdx - -Lschedule_mangle_both: - @ Write to q2 so table and destination do not overlap. - vtbl.8 d4, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 - vtbl.8 d5, {q3}, d3 - add r8, r8, #64-16 @ add $-16, %r8 - and r8, r8, #~(1<<6) @ and $0x30, %r8 - vst1.64 {q2}, [r2] @ vmovdqu %xmm3, (%rdx) - bx lr - - -.globl _vpaes_set_encrypt_key -.private_extern _vpaes_set_encrypt_key -#ifdef __thumb2__ -.thumb_func _vpaes_set_encrypt_key -#endif -.align 4 -_vpaes_set_encrypt_key: - stmdb sp!, {r7,r8,r9,r10,r11, lr} - vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} - - lsr r9, r1, #5 @ shr $5,%eax - add r9, r9, #5 @ $5,%eax - str r9, [r2,#240] @ mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; - - mov r3, #0 @ mov $0,%ecx - mov r8, #0x30 @ mov $0x30,%r8d - bl _vpaes_schedule_core - eor r0, r0, r0 - - vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} - ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return - - -.globl _vpaes_set_decrypt_key -.private_extern _vpaes_set_decrypt_key -#ifdef __thumb2__ -.thumb_func _vpaes_set_decrypt_key -#endif -.align 4 -_vpaes_set_decrypt_key: - stmdb sp!, {r7,r8,r9,r10,r11, lr} - vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} - - lsr r9, r1, #5 @ shr $5,%eax - add r9, r9, #5 @ $5,%eax - str r9, [r2,#240] @ mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; - lsl r9, r9, #4 @ shl $4,%eax - add r2, r2, #16 @ lea 16(%rdx,%rax),%rdx - add r2, r2, r9 - - mov r3, #1 @ mov $1,%ecx - lsr r8, r1, 
#1 @ shr $1,%r8d - and r8, r8, #32 @ and $32,%r8d - eor r8, r8, #32 @ xor $32,%r8d # nbits==192?0:32 - bl _vpaes_schedule_core - - vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} - ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return - - -@ Additional constants for converting to bsaes. - -.align 4 -_vpaes_convert_consts: -@ .Lk_opt_then_skew applies skew(opt(x)) XOR 0x63, where skew is the linear -@ transform in the AES S-box. 0x63 is incorporated into the low half of the -@ table. This was computed with the following script: -@ -@ def u64s_to_u128(x, y): -@ return x | (y << 64) -@ def u128_to_u64s(w): -@ return w & ((1<<64)-1), w >> 64 -@ def get_byte(w, i): -@ return (w >> (i*8)) & 0xff -@ def apply_table(table, b): -@ lo = b & 0xf -@ hi = b >> 4 -@ return get_byte(table[0], lo) ^ get_byte(table[1], hi) -@ def opt(b): -@ table = [ -@ u64s_to_u128(0xFF9F4929D6B66000, 0xF7974121DEBE6808), -@ u64s_to_u128(0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0), -@ ] -@ return apply_table(table, b) -@ def rot_byte(b, n): -@ return 0xff & ((b << n) | (b >> (8-n))) -@ def skew(x): -@ return (x ^ rot_byte(x, 1) ^ rot_byte(x, 2) ^ rot_byte(x, 3) ^ -@ rot_byte(x, 4)) -@ table = [0, 0] -@ for i in range(16): -@ table[0] |= (skew(opt(i)) ^ 0x63) << (i*8) -@ table[1] |= skew(opt(i<<4)) << (i*8) -@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[0])) -@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[1])) -Lk_opt_then_skew: -.quad 0x9cb8436798bc4763, 0x6440bb9f6044bf9b -.quad 0x1f30062936192f00, 0xb49bad829db284ab - -@ .Lk_decrypt_transform is a permutation which performs an 8-bit left-rotation -@ followed by a byte-swap on each 32-bit word of a vector. E.g., 0x11223344 -@ becomes 0x22334411 and then 0x11443322. 
-Lk_decrypt_transform: -.quad 0x0704050603000102, 0x0f0c0d0e0b08090a - - -@ void vpaes_encrypt_key_to_bsaes(AES_KEY *bsaes, const AES_KEY *vpaes); -.globl _vpaes_encrypt_key_to_bsaes -.private_extern _vpaes_encrypt_key_to_bsaes -#ifdef __thumb2__ -.thumb_func _vpaes_encrypt_key_to_bsaes -#endif -.align 4 -_vpaes_encrypt_key_to_bsaes: - stmdb sp!, {r11, lr} - - @ See _vpaes_schedule_core for the key schedule logic. In particular, - @ _vpaes_schedule_transform(.Lk_ipt) (section 2.2 of the paper), - @ _vpaes_schedule_mangle (section 4.3), and .Lschedule_mangle_last - @ contain the transformations not in the bsaes representation. This - @ function inverts those transforms. - @ - @ Note also that bsaes-armv7.pl expects aes-armv4.pl's key - @ representation, which does not match the other aes_nohw_* - @ implementations. The ARM aes_nohw_* stores each 32-bit word - @ byteswapped, as a convenience for (unsupported) big-endian ARM, at the - @ cost of extra REV and VREV32 operations in little-endian ARM. - - vmov.i8 q9, #0x0f @ Required by _vpaes_schedule_transform - adr r2, Lk_mc_forward @ Must be aligned to 8 mod 16. - add r3, r2, 0x90 @ Lk_sr+0x10-Lk_mc_forward = 0x90 (Apple's toolchain doesn't support the expression) - - vld1.64 {q12}, [r2] - vmov.i8 q10, #0x5b @ Lk_s63 from vpaes-x86_64 - adr r11, Lk_opt @ Must be aligned to 8 mod 16. - vmov.i8 q11, #0x63 @ LK_s63 without Lk_ipt applied - - @ vpaes stores one fewer round count than bsaes, but the number of keys - @ is the same. - ldr r2, [r1,#240] - add r2, r2, #1 - str r2, [r0,#240] - - @ The first key is transformed with _vpaes_schedule_transform(.Lk_ipt). - @ Invert this with .Lk_opt. - vld1.64 {q0}, [r1]! - bl _vpaes_schedule_transform - vrev32.8 q0, q0 - vst1.64 {q0}, [r0]! - - @ The middle keys have _vpaes_schedule_transform(.Lk_ipt) applied, - @ followed by _vpaes_schedule_mangle. _vpaes_schedule_mangle XORs 0x63, - @ multiplies by the circulant 0,1,1,1, then applies ShiftRows. 
-Loop_enc_key_to_bsaes: - vld1.64 {q0}, [r1]! - - @ Invert the ShiftRows step (see .Lschedule_mangle_both). Note we cycle - @ r3 in the opposite direction and start at .Lk_sr+0x10 instead of 0x30. - @ We use r3 rather than r8 to avoid a callee-saved register. - vld1.64 {q1}, [r3] - vtbl.8 d4, {q0}, d2 - vtbl.8 d5, {q0}, d3 - add r3, r3, #16 - and r3, r3, #~(1<<6) - vmov q0, q2 - - @ Handle the last key differently. - subs r2, r2, #1 - beq Loop_enc_key_to_bsaes_last - - @ Multiply by the circulant. This is its own inverse. - vtbl.8 d2, {q0}, d24 - vtbl.8 d3, {q0}, d25 - vmov q0, q1 - vtbl.8 d4, {q1}, d24 - vtbl.8 d5, {q1}, d25 - veor q0, q0, q2 - vtbl.8 d2, {q2}, d24 - vtbl.8 d3, {q2}, d25 - veor q0, q0, q1 - - @ XOR and finish. - veor q0, q0, q10 - bl _vpaes_schedule_transform - vrev32.8 q0, q0 - vst1.64 {q0}, [r0]! - b Loop_enc_key_to_bsaes - -Loop_enc_key_to_bsaes_last: - @ The final key does not have a basis transform (note - @ .Lschedule_mangle_last inverts the original transform). It only XORs - @ 0x63 and applies ShiftRows. The latter was already inverted in the - @ loop. Note that, because we act on the original representation, we use - @ q11, not q10. - veor q0, q0, q11 - vrev32.8 q0, q0 - vst1.64 {q0}, [r0] - - @ Wipe registers which contained key material. - veor q0, q0, q0 - veor q1, q1, q1 - veor q2, q2, q2 - - ldmia sp!, {r11, pc} @ return - - -@ void vpaes_decrypt_key_to_bsaes(AES_KEY *vpaes, const AES_KEY *bsaes); -.globl _vpaes_decrypt_key_to_bsaes -.private_extern _vpaes_decrypt_key_to_bsaes -#ifdef __thumb2__ -.thumb_func _vpaes_decrypt_key_to_bsaes -#endif -.align 4 -_vpaes_decrypt_key_to_bsaes: - stmdb sp!, {r11, lr} - - @ See _vpaes_schedule_core for the key schedule logic. Note vpaes - @ computes the decryption key schedule in reverse. Additionally, - @ aes-x86_64.pl shares some transformations, so we must only partially - @ invert vpaes's transformations. 
In general, vpaes computes in a - @ different basis (.Lk_ipt and .Lk_opt) and applies the inverses of - @ MixColumns, ShiftRows, and the affine part of the AES S-box (which is - @ split into a linear skew and XOR of 0x63). We undo all but MixColumns. - @ - @ Note also that bsaes-armv7.pl expects aes-armv4.pl's key - @ representation, which does not match the other aes_nohw_* - @ implementations. The ARM aes_nohw_* stores each 32-bit word - @ byteswapped, as a convenience for (unsupported) big-endian ARM, at the - @ cost of extra REV and VREV32 operations in little-endian ARM. - - adr r2, Lk_decrypt_transform - adr r3, Lk_sr+0x30 - adr r11, Lk_opt_then_skew @ Input to _vpaes_schedule_transform. - vld1.64 {q12}, [r2] @ Reuse q12 from encryption. - vmov.i8 q9, #0x0f @ Required by _vpaes_schedule_transform - - @ vpaes stores one fewer round count than bsaes, but the number of keys - @ is the same. - ldr r2, [r1,#240] - add r2, r2, #1 - str r2, [r0,#240] - - @ Undo the basis change and reapply the S-box affine transform. See - @ .Lschedule_mangle_last. - vld1.64 {q0}, [r1]! - bl _vpaes_schedule_transform - vrev32.8 q0, q0 - vst1.64 {q0}, [r0]! - - @ See _vpaes_schedule_mangle for the transform on the middle keys. Note - @ it simultaneously inverts MixColumns and the S-box affine transform. - @ See .Lk_dksd through .Lk_dks9. -Loop_dec_key_to_bsaes: - vld1.64 {q0}, [r1]! - - @ Invert the ShiftRows step (see .Lschedule_mangle_both). Note going - @ forwards cancels inverting for which direction we cycle r3. We use r3 - @ rather than r8 to avoid a callee-saved register. - vld1.64 {q1}, [r3] - vtbl.8 d4, {q0}, d2 - vtbl.8 d5, {q0}, d3 - add r3, r3, #64-16 - and r3, r3, #~(1<<6) - vmov q0, q2 - - @ Handle the last key differently. - subs r2, r2, #1 - beq Loop_dec_key_to_bsaes_last - - @ Undo the basis change and reapply the S-box affine transform. - bl _vpaes_schedule_transform - - @ Rotate each word by 8 bytes (cycle the rows) and then byte-swap. 
We - @ combine the two operations in .Lk_decrypt_transform. - @ - @ TODO(davidben): Where does the rotation come from? - vtbl.8 d2, {q0}, d24 - vtbl.8 d3, {q0}, d25 - - vst1.64 {q1}, [r0]! - b Loop_dec_key_to_bsaes - -Loop_dec_key_to_bsaes_last: - @ The final key only inverts ShiftRows (already done in the loop). See - @ .Lschedule_am_decrypting. Its basis is not transformed. - vrev32.8 q0, q0 - vst1.64 {q0}, [r0]! - - @ Wipe registers which contained key material. - veor q0, q0, q0 - veor q1, q1, q1 - veor q2, q2, q2 - - ldmia sp!, {r11, pc} @ return - -.globl _vpaes_ctr32_encrypt_blocks -.private_extern _vpaes_ctr32_encrypt_blocks -#ifdef __thumb2__ -.thumb_func _vpaes_ctr32_encrypt_blocks -#endif -.align 4 -_vpaes_ctr32_encrypt_blocks: - mov ip, sp - stmdb sp!, {r7,r8,r9,r10,r11, lr} - @ This function uses q4-q7 (d8-d15), which are callee-saved. - vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} - - cmp r2, #0 - @ r8 is passed on the stack. - ldr r8, [ip] - beq Lctr32_done - - @ _vpaes_encrypt_core expects the key in r2, so swap r2 and r3. - mov r9, r3 - mov r3, r2 - mov r2, r9 - - @ Load the IV and counter portion. - ldr r7, [r8, #12] - vld1.8 {q7}, [r8] - - bl _vpaes_preheat - rev r7, r7 @ The counter is big-endian. - -Lctr32_loop: - vmov q0, q7 - vld1.8 {q6}, [r0]! @ Load input ahead of time - bl _vpaes_encrypt_core - veor q0, q0, q6 @ XOR input and result - vst1.8 {q0}, [r1]! - subs r3, r3, #1 - @ Update the counter. - add r7, r7, #1 - rev r9, r7 - vmov.32 d15[1], r9 - bne Lctr32_loop - -Lctr32_done: - vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} - ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return - -#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) -#endif // defined(__arm__) && defined(__APPLE__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S b/Sources/CNIOBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S
deleted file mode 100644
index 27e46abcd..000000000
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86-mont-linux.linux.x86.S
+++ /dev/null
@@ -1,489 +0,0 @@ -#define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) -// This file is generated from a similarly-named Perl script in the BoringSSL -// source tree. Do not edit by hand. - -#include - -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -.text -.globl bn_mul_mont -.hidden bn_mul_mont -.type bn_mul_mont,@function -.align 16 -bn_mul_mont: -.L_bn_mul_mont_begin: - pushl %ebp - pushl %ebx - pushl %esi - pushl %edi - xorl %eax,%eax - movl 40(%esp),%edi - cmpl $4,%edi - jl .L000just_leave - leal 20(%esp),%esi - leal 24(%esp),%edx - addl $2,%edi - negl %edi - leal -32(%esp,%edi,4),%ebp - negl %edi - movl %ebp,%eax - subl %edx,%eax - andl $2047,%eax - subl %eax,%ebp - xorl %ebp,%edx - andl $2048,%edx - xorl $2048,%edx - subl %edx,%ebp - andl $-64,%ebp - movl %esp,%eax - subl %ebp,%eax - andl $-4096,%eax - movl %esp,%edx - leal (%ebp,%eax,1),%esp - movl (%esp),%eax - cmpl %ebp,%esp - ja .L001page_walk - jmp .L002page_walk_done -.align 16 -.L001page_walk: - leal -4096(%esp),%esp - movl (%esp),%eax - cmpl %ebp,%esp - ja .L001page_walk -.L002page_walk_done: - movl (%esi),%eax - movl 4(%esi),%ebx - movl 8(%esi),%ecx - movl 12(%esi),%ebp - movl 16(%esi),%esi - movl (%esi),%esi - movl %eax,4(%esp) - movl %ebx,8(%esp) - movl %ecx,12(%esp) - movl %ebp,16(%esp) - movl %esi,20(%esp) - leal -3(%edi),%ebx - movl %edx,24(%esp) - call .L003PIC_me_up -.L003PIC_me_up: - popl %eax - leal OPENSSL_ia32cap_P-.L003PIC_me_up(%eax),%eax - btl $26,(%eax) - jnc .L004non_sse2 - movl $-1,%eax - movd %eax,%mm7 - movl 8(%esp),%esi - movl 12(%esp),%edi - movl 16(%esp),%ebp - xorl %edx,%edx - xorl %ecx,%ecx - movd (%edi),%mm4 - movd (%esi),%mm5 - movd (%ebp),%mm3 - pmuludq %mm4,%mm5 - movq %mm5,%mm2 - movq %mm5,%mm0 - pand %mm7,%mm0 - pmuludq 20(%esp),%mm5 - pmuludq %mm5,%mm3 - paddq %mm0,%mm3 - movd 4(%ebp),%mm1 - movd 4(%esi),%mm0 - psrlq $32,%mm2 - psrlq $32,%mm3 - incl %ecx -.align 16 -.L0051st: - pmuludq %mm4,%mm0 - pmuludq 
%mm5,%mm1 - paddq %mm0,%mm2 - paddq %mm1,%mm3 - movq %mm2,%mm0 - pand %mm7,%mm0 - movd 4(%ebp,%ecx,4),%mm1 - paddq %mm0,%mm3 - movd 4(%esi,%ecx,4),%mm0 - psrlq $32,%mm2 - movd %mm3,28(%esp,%ecx,4) - psrlq $32,%mm3 - leal 1(%ecx),%ecx - cmpl %ebx,%ecx - jl .L0051st - pmuludq %mm4,%mm0 - pmuludq %mm5,%mm1 - paddq %mm0,%mm2 - paddq %mm1,%mm3 - movq %mm2,%mm0 - pand %mm7,%mm0 - paddq %mm0,%mm3 - movd %mm3,28(%esp,%ecx,4) - psrlq $32,%mm2 - psrlq $32,%mm3 - paddq %mm2,%mm3 - movq %mm3,32(%esp,%ebx,4) - incl %edx -.L006outer: - xorl %ecx,%ecx - movd (%edi,%edx,4),%mm4 - movd (%esi),%mm5 - movd 32(%esp),%mm6 - movd (%ebp),%mm3 - pmuludq %mm4,%mm5 - paddq %mm6,%mm5 - movq %mm5,%mm0 - movq %mm5,%mm2 - pand %mm7,%mm0 - pmuludq 20(%esp),%mm5 - pmuludq %mm5,%mm3 - paddq %mm0,%mm3 - movd 36(%esp),%mm6 - movd 4(%ebp),%mm1 - movd 4(%esi),%mm0 - psrlq $32,%mm2 - psrlq $32,%mm3 - paddq %mm6,%mm2 - incl %ecx - decl %ebx -.L007inner: - pmuludq %mm4,%mm0 - pmuludq %mm5,%mm1 - paddq %mm0,%mm2 - paddq %mm1,%mm3 - movq %mm2,%mm0 - movd 36(%esp,%ecx,4),%mm6 - pand %mm7,%mm0 - movd 4(%ebp,%ecx,4),%mm1 - paddq %mm0,%mm3 - movd 4(%esi,%ecx,4),%mm0 - psrlq $32,%mm2 - movd %mm3,28(%esp,%ecx,4) - psrlq $32,%mm3 - paddq %mm6,%mm2 - decl %ebx - leal 1(%ecx),%ecx - jnz .L007inner - movl %ecx,%ebx - pmuludq %mm4,%mm0 - pmuludq %mm5,%mm1 - paddq %mm0,%mm2 - paddq %mm1,%mm3 - movq %mm2,%mm0 - pand %mm7,%mm0 - paddq %mm0,%mm3 - movd %mm3,28(%esp,%ecx,4) - psrlq $32,%mm2 - psrlq $32,%mm3 - movd 36(%esp,%ebx,4),%mm6 - paddq %mm2,%mm3 - paddq %mm6,%mm3 - movq %mm3,32(%esp,%ebx,4) - leal 1(%edx),%edx - cmpl %ebx,%edx - jle .L006outer - emms - jmp .L008common_tail -.align 16 -.L004non_sse2: - movl 8(%esp),%esi - leal 1(%ebx),%ebp - movl 12(%esp),%edi - xorl %ecx,%ecx - movl %esi,%edx - andl $1,%ebp - subl %edi,%edx - leal 4(%edi,%ebx,4),%eax - orl %edx,%ebp - movl (%edi),%edi - jz .L009bn_sqr_mont - movl %eax,28(%esp) - movl (%esi),%eax - xorl %edx,%edx -.align 16 -.L010mull: - movl %edx,%ebp - mull %edi - 
addl %eax,%ebp - leal 1(%ecx),%ecx - adcl $0,%edx - movl (%esi,%ecx,4),%eax - cmpl %ebx,%ecx - movl %ebp,28(%esp,%ecx,4) - jl .L010mull - movl %edx,%ebp - mull %edi - movl 20(%esp),%edi - addl %ebp,%eax - movl 16(%esp),%esi - adcl $0,%edx - imull 32(%esp),%edi - movl %eax,32(%esp,%ebx,4) - xorl %ecx,%ecx - movl %edx,36(%esp,%ebx,4) - movl %ecx,40(%esp,%ebx,4) - movl (%esi),%eax - mull %edi - addl 32(%esp),%eax - movl 4(%esi),%eax - adcl $0,%edx - incl %ecx - jmp .L0112ndmadd -.align 16 -.L0121stmadd: - movl %edx,%ebp - mull %edi - addl 32(%esp,%ecx,4),%ebp - leal 1(%ecx),%ecx - adcl $0,%edx - addl %eax,%ebp - movl (%esi,%ecx,4),%eax - adcl $0,%edx - cmpl %ebx,%ecx - movl %ebp,28(%esp,%ecx,4) - jl .L0121stmadd - movl %edx,%ebp - mull %edi - addl 32(%esp,%ebx,4),%eax - movl 20(%esp),%edi - adcl $0,%edx - movl 16(%esp),%esi - addl %eax,%ebp - adcl $0,%edx - imull 32(%esp),%edi - xorl %ecx,%ecx - addl 36(%esp,%ebx,4),%edx - movl %ebp,32(%esp,%ebx,4) - adcl $0,%ecx - movl (%esi),%eax - movl %edx,36(%esp,%ebx,4) - movl %ecx,40(%esp,%ebx,4) - mull %edi - addl 32(%esp),%eax - movl 4(%esi),%eax - adcl $0,%edx - movl $1,%ecx -.align 16 -.L0112ndmadd: - movl %edx,%ebp - mull %edi - addl 32(%esp,%ecx,4),%ebp - leal 1(%ecx),%ecx - adcl $0,%edx - addl %eax,%ebp - movl (%esi,%ecx,4),%eax - adcl $0,%edx - cmpl %ebx,%ecx - movl %ebp,24(%esp,%ecx,4) - jl .L0112ndmadd - movl %edx,%ebp - mull %edi - addl 32(%esp,%ebx,4),%ebp - adcl $0,%edx - addl %eax,%ebp - adcl $0,%edx - movl %ebp,28(%esp,%ebx,4) - xorl %eax,%eax - movl 12(%esp),%ecx - addl 36(%esp,%ebx,4),%edx - adcl 40(%esp,%ebx,4),%eax - leal 4(%ecx),%ecx - movl %edx,32(%esp,%ebx,4) - cmpl 28(%esp),%ecx - movl %eax,36(%esp,%ebx,4) - je .L008common_tail - movl (%ecx),%edi - movl 8(%esp),%esi - movl %ecx,12(%esp) - xorl %ecx,%ecx - xorl %edx,%edx - movl (%esi),%eax - jmp .L0121stmadd -.align 16 -.L009bn_sqr_mont: - movl %ebx,(%esp) - movl %ecx,12(%esp) - movl %edi,%eax - mull %edi - movl %eax,32(%esp) - movl %edx,%ebx - shrl 
$1,%edx - andl $1,%ebx - incl %ecx -.align 16 -.L013sqr: - movl (%esi,%ecx,4),%eax - movl %edx,%ebp - mull %edi - addl %ebp,%eax - leal 1(%ecx),%ecx - adcl $0,%edx - leal (%ebx,%eax,2),%ebp - shrl $31,%eax - cmpl (%esp),%ecx - movl %eax,%ebx - movl %ebp,28(%esp,%ecx,4) - jl .L013sqr - movl (%esi,%ecx,4),%eax - movl %edx,%ebp - mull %edi - addl %ebp,%eax - movl 20(%esp),%edi - adcl $0,%edx - movl 16(%esp),%esi - leal (%ebx,%eax,2),%ebp - imull 32(%esp),%edi - shrl $31,%eax - movl %ebp,32(%esp,%ecx,4) - leal (%eax,%edx,2),%ebp - movl (%esi),%eax - shrl $31,%edx - movl %ebp,36(%esp,%ecx,4) - movl %edx,40(%esp,%ecx,4) - mull %edi - addl 32(%esp),%eax - movl %ecx,%ebx - adcl $0,%edx - movl 4(%esi),%eax - movl $1,%ecx -.align 16 -.L0143rdmadd: - movl %edx,%ebp - mull %edi - addl 32(%esp,%ecx,4),%ebp - adcl $0,%edx - addl %eax,%ebp - movl 4(%esi,%ecx,4),%eax - adcl $0,%edx - movl %ebp,28(%esp,%ecx,4) - movl %edx,%ebp - mull %edi - addl 36(%esp,%ecx,4),%ebp - leal 2(%ecx),%ecx - adcl $0,%edx - addl %eax,%ebp - movl (%esi,%ecx,4),%eax - adcl $0,%edx - cmpl %ebx,%ecx - movl %ebp,24(%esp,%ecx,4) - jl .L0143rdmadd - movl %edx,%ebp - mull %edi - addl 32(%esp,%ebx,4),%ebp - adcl $0,%edx - addl %eax,%ebp - adcl $0,%edx - movl %ebp,28(%esp,%ebx,4) - movl 12(%esp),%ecx - xorl %eax,%eax - movl 8(%esp),%esi - addl 36(%esp,%ebx,4),%edx - adcl 40(%esp,%ebx,4),%eax - movl %edx,32(%esp,%ebx,4) - cmpl %ebx,%ecx - movl %eax,36(%esp,%ebx,4) - je .L008common_tail - movl 4(%esi,%ecx,4),%edi - leal 1(%ecx),%ecx - movl %edi,%eax - movl %ecx,12(%esp) - mull %edi - addl 32(%esp,%ecx,4),%eax - adcl $0,%edx - movl %eax,32(%esp,%ecx,4) - xorl %ebp,%ebp - cmpl %ebx,%ecx - leal 1(%ecx),%ecx - je .L015sqrlast - movl %edx,%ebx - shrl $1,%edx - andl $1,%ebx -.align 16 -.L016sqradd: - movl (%esi,%ecx,4),%eax - movl %edx,%ebp - mull %edi - addl %ebp,%eax - leal (%eax,%eax,1),%ebp - adcl $0,%edx - shrl $31,%eax - addl 32(%esp,%ecx,4),%ebp - leal 1(%ecx),%ecx - adcl $0,%eax - addl %ebx,%ebp - adcl $0,%eax - 
cmpl (%esp),%ecx - movl %ebp,28(%esp,%ecx,4) - movl %eax,%ebx - jle .L016sqradd - movl %edx,%ebp - addl %edx,%edx - shrl $31,%ebp - addl %ebx,%edx - adcl $0,%ebp -.L015sqrlast: - movl 20(%esp),%edi - movl 16(%esp),%esi - imull 32(%esp),%edi - addl 32(%esp,%ecx,4),%edx - movl (%esi),%eax - adcl $0,%ebp - movl %edx,32(%esp,%ecx,4) - movl %ebp,36(%esp,%ecx,4) - mull %edi - addl 32(%esp),%eax - leal -1(%ecx),%ebx - adcl $0,%edx - movl $1,%ecx - movl 4(%esi),%eax - jmp .L0143rdmadd -.align 16 -.L008common_tail: - movl 16(%esp),%ebp - movl 4(%esp),%edi - leal 32(%esp),%esi - movl (%esi),%eax - movl %ebx,%ecx - xorl %edx,%edx -.align 16 -.L017sub: - sbbl (%ebp,%edx,4),%eax - movl %eax,(%edi,%edx,4) - decl %ecx - movl 4(%esi,%edx,4),%eax - leal 1(%edx),%edx - jge .L017sub - sbbl $0,%eax - movl $-1,%edx - xorl %eax,%edx - jmp .L018copy -.align 16 -.L018copy: - movl 32(%esp,%ebx,4),%esi - movl (%edi,%ebx,4),%ebp - movl %ecx,32(%esp,%ebx,4) - andl %eax,%esi - andl %edx,%ebp - orl %esi,%ebp - movl %ebp,(%edi,%ebx,4) - decl %ebx - jge .L018copy - movl 24(%esp),%esp - movl $1,%eax -.L000just_leave: - popl %edi - popl %esi - popl %ebx - popl %ebp - ret -.size bn_mul_mont,.-.L_bn_mul_mont_begin -.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 -.byte 112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56 -.byte 54,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121 -.byte 32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46 -.byte 111,114,103,62,0 -#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) -#if defined(__linux__) && defined(__ELF__) -.section .note.GNU-stack,"",%progbits -#endif - diff --git a/Sources/CNIOBoringSSL/crypto/hpke/hpke.c b/Sources/CNIOBoringSSL/crypto/hpke/hpke.c index a402fa9e9..692780796 100644 --- a/Sources/CNIOBoringSSL/crypto/hpke/hpke.c +++ b/Sources/CNIOBoringSSL/crypto/hpke/hpke.c 
@@ -21,12 +21,15 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
+#include
 #include
 #include
+#include "../fipsmodule/ec/internal.h"
 #include "../internal.h"
@@ -111,7 +114,7 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
 const uint8_t *info, size_t info_len) {
 // labeledInfo = concat(I2OSP(L, 2), "HPKE-v1", suite_id, label, info)
 CBB labeled_info;
- int ok = CBB_init(&labeled_info, 0) &&
+ int ok = CBB_init(&labeled_info, 0) && //
 CBB_add_u16(&labeled_info, out_len) &&
 add_label_string(&labeled_info, kHpkeVersionId) &&
 CBB_add_bytes(&labeled_info, suite_id, suite_id_len) &&
@@ -309,6 +312,294 @@ const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void) {
 return &kKEM;
 }
+#define P256_PRIVATE_KEY_LEN 32
+#define P256_PUBLIC_KEY_LEN 65
+#define P256_PUBLIC_VALUE_LEN 65
+#define P256_SEED_LEN 32
+#define P256_SHARED_KEY_LEN 32
+
+static int p256_public_from_private(uint8_t out_pub[P256_PUBLIC_VALUE_LEN],
+ const uint8_t priv[P256_PRIVATE_KEY_LEN]) {
+ const EC_GROUP *const group = EC_group_p256();
+ const uint8_t kAllZeros[P256_PRIVATE_KEY_LEN] = {0};
+ EC_SCALAR private_scalar;
+ EC_JACOBIAN public_point;
+ EC_AFFINE public_point_affine;
+
+ if (CRYPTO_memcmp(kAllZeros, priv, sizeof(kAllZeros)) == 0) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+ return 0;
+ }
+
+ if (!ec_scalar_from_bytes(group, &private_scalar, priv,
+ P256_PRIVATE_KEY_LEN) ||
+ !ec_point_mul_scalar_base(group, &public_point, &private_scalar) ||
+ !ec_jacobian_to_affine(group, &public_point_affine, &public_point)) {
+ return 0;
+ }
+
+ size_t out_len_x, out_len_y;
+ out_pub[0] = POINT_CONVERSION_UNCOMPRESSED;
+ ec_felem_to_bytes(group, &out_pub[1], &out_len_x, &public_point_affine.X);
+ ec_felem_to_bytes(group, &out_pub[33], &out_len_y, &public_point_affine.Y);
+ return 1;
+}
+
+static int p256_init_key(EVP_HPKE_KEY *key, const uint8_t *priv_key,
+ size_t priv_key_len) {
+ if (priv_key_len != P256_PRIVATE_KEY_LEN) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+ return 0;
+ }
+
+ if (!p256_public_from_private(key->public_key, priv_key)) {
+ return 0;
+ }
+
+ OPENSSL_memcpy(key->private_key, priv_key, priv_key_len);
+ return 1;
+}
+
+static int p256_private_key_from_seed(uint8_t out_priv[P256_PRIVATE_KEY_LEN],
+ const uint8_t seed[P256_SEED_LEN]) {
+ // https://www.rfc-editor.org/rfc/rfc9180.html#name-derivekeypair
+ const uint8_t suite_id[5] = {'K', 'E', 'M',
+ EVP_HPKE_DHKEM_P256_HKDF_SHA256 >> 8,
+ EVP_HPKE_DHKEM_P256_HKDF_SHA256 & 0xff};
+
+ uint8_t dkp_prk[32];
+ size_t dkp_prk_len;
+ if (!hpke_labeled_extract(EVP_sha256(), dkp_prk, &dkp_prk_len, NULL, 0,
+ suite_id, sizeof(suite_id), "dkp_prk", seed,
+ P256_SEED_LEN)) {
+ return 0;
+ }
+ assert(dkp_prk_len == sizeof(dkp_prk));
+
+ const EC_GROUP *const group = EC_group_p256();
+ EC_SCALAR private_scalar;
+
+ for (unsigned counter = 0; counter < 256; counter++) {
+ const uint8_t counter_byte = counter & 0xff;
+ if (!hpke_labeled_expand(EVP_sha256(), out_priv, P256_PRIVATE_KEY_LEN,
+ dkp_prk, sizeof(dkp_prk), suite_id,
+ sizeof(suite_id), "candidate", &counter_byte,
+ sizeof(counter_byte))) {
+ return 0;
+ }
+
+ // This checks that the scalar is less than the order.
+ if (ec_scalar_from_bytes(group, &private_scalar, out_priv,
+ P256_PRIVATE_KEY_LEN)) {
+ return 1;
+ }
+ }
+
+ // This happens with probability of 2^-(32*256).
+ OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
+ return 0;
+}
+
+static int p256_generate_key(EVP_HPKE_KEY *key) {
+ uint8_t seed[P256_SEED_LEN];
+ RAND_bytes(seed, sizeof(seed));
+ if (!p256_private_key_from_seed(key->private_key, seed) ||
+ !p256_public_from_private(key->public_key, key->private_key)) {
+ return 0;
+ }
+ return 1;
+}
+
+static int p256(uint8_t out_dh[P256_SHARED_KEY_LEN],
+ const uint8_t my_private[P256_PRIVATE_KEY_LEN],
+ const uint8_t their_public[P256_PUBLIC_VALUE_LEN]) {
+ const EC_GROUP *const group = EC_group_p256();
+ EC_SCALAR private_scalar;
+ EC_FELEM x, y;
+ EC_JACOBIAN shared_point, their_point;
+ EC_AFFINE their_point_affine, shared_point_affine;
+
+ if (their_public[0] != POINT_CONVERSION_UNCOMPRESSED ||
+ !ec_felem_from_bytes(group, &x, &their_public[1], 32) ||
+ !ec_felem_from_bytes(group, &y, &their_public[33], 32) ||
+ !ec_point_set_affine_coordinates(group, &their_point_affine, &x, &y) ||
+ !ec_scalar_from_bytes(group, &private_scalar, my_private,
+ P256_PRIVATE_KEY_LEN)) {
+ OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ ec_affine_to_jacobian(group, &their_point, &their_point_affine);
+ if (!ec_point_mul_scalar(group, &shared_point, &their_point,
+ &private_scalar) ||
+ !ec_jacobian_to_affine(group, &shared_point_affine, &shared_point)) {
+ OPENSSL_PUT_ERROR(EVP, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ size_t out_len;
+ ec_felem_to_bytes(group, out_dh, &out_len, &shared_point_affine.X);
+ assert(out_len == P256_SHARED_KEY_LEN);
+ return 1;
+}
+
+static int p256_encap_with_seed(const EVP_HPKE_KEM *kem,
+ uint8_t *out_shared_secret,
+ size_t *out_shared_secret_len, uint8_t *out_enc,
+ size_t *out_enc_len, size_t max_enc,
+ const uint8_t *peer_public_key,
+ size_t peer_public_key_len, const uint8_t *seed,
+ size_t seed_len) {
+ if (max_enc < P256_PUBLIC_VALUE_LEN) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+ return 0;
+ }
+ if (seed_len != P256_SEED_LEN) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+ return 0;
+ }
+ uint8_t private_key[P256_PRIVATE_KEY_LEN];
+ if (!p256_private_key_from_seed(private_key, seed)) {
+ return 0;
+ }
+ p256_public_from_private(out_enc, private_key);
+
+ uint8_t dh[P256_SHARED_KEY_LEN];
+ if (peer_public_key_len != P256_PUBLIC_VALUE_LEN ||
+ !p256(dh, private_key, peer_public_key)) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+ return 0;
+ }
+
+ uint8_t kem_context[2 * P256_PUBLIC_VALUE_LEN];
+ OPENSSL_memcpy(kem_context, out_enc, P256_PUBLIC_VALUE_LEN);
+ OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, peer_public_key,
+ P256_PUBLIC_VALUE_LEN);
+ if (!dhkem_extract_and_expand(kem->id, EVP_sha256(), out_shared_secret,
+ SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+ kem_context, sizeof(kem_context))) {
+ return 0;
+ }
+
+ *out_enc_len = P256_PUBLIC_VALUE_LEN;
+ *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+ return 1;
+}
+
+static int p256_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+ size_t *out_shared_secret_len, const uint8_t *enc,
+ size_t enc_len) {
+ uint8_t dh[P256_SHARED_KEY_LEN];
+ if (enc_len != P256_PUBLIC_VALUE_LEN || //
+ !p256(dh, key->private_key, enc)) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+ return 0;
+ }
+
+ uint8_t kem_context[2 * P256_PUBLIC_VALUE_LEN];
+ OPENSSL_memcpy(kem_context, enc, P256_PUBLIC_VALUE_LEN);
+ OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, key->public_key,
+ P256_PUBLIC_VALUE_LEN);
+ if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+ SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+ kem_context, sizeof(kem_context))) {
+ return 0;
+ }
+
+ *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+ return 1;
+}
+
+static int p256_auth_encap_with_seed(
+ const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+ size_t *out_shared_secret_len, uint8_t *out_enc, size_t *out_enc_len,
+ size_t max_enc, const uint8_t *peer_public_key, size_t peer_public_key_len,
+ const uint8_t *seed, size_t seed_len) {
+ if (max_enc < P256_PUBLIC_VALUE_LEN) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
+ return 0;
+ }
+ if (seed_len != P256_SEED_LEN) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR);
+ return 0;
+ }
+ uint8_t private_key[P256_PRIVATE_KEY_LEN];
+ if (!p256_private_key_from_seed(private_key, seed)) {
+ return 0;
+ }
+ p256_public_from_private(out_enc, private_key);
+
+ uint8_t dh[2 * P256_SHARED_KEY_LEN];
+ if (peer_public_key_len != P256_PUBLIC_VALUE_LEN ||
+ !p256(dh, private_key, peer_public_key) ||
+ !p256(dh + P256_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+ return 0;
+ }
+
+ uint8_t kem_context[3 * P256_PUBLIC_VALUE_LEN];
+ OPENSSL_memcpy(kem_context, out_enc, P256_PUBLIC_VALUE_LEN);
+ OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, peer_public_key,
+ P256_PUBLIC_VALUE_LEN);
+ OPENSSL_memcpy(kem_context + 2 * P256_PUBLIC_VALUE_LEN, key->public_key,
+ P256_PUBLIC_VALUE_LEN);
+ if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+ SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+ kem_context, sizeof(kem_context))) {
+ return 0;
+ }
+
+ *out_enc_len = P256_PUBLIC_VALUE_LEN;
+ *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+ return 1;
+}
+
+static int p256_auth_decap(const EVP_HPKE_KEY *key, uint8_t *out_shared_secret,
+ size_t *out_shared_secret_len, const uint8_t *enc,
+ size_t enc_len, const uint8_t *peer_public_key,
+ size_t peer_public_key_len) {
+ uint8_t dh[2 * P256_SHARED_KEY_LEN];
+ if (enc_len != P256_PUBLIC_VALUE_LEN ||
+ peer_public_key_len != P256_PUBLIC_VALUE_LEN ||
+ !p256(dh, key->private_key, enc) ||
+ !p256(dh + P256_SHARED_KEY_LEN, key->private_key, peer_public_key)) {
+ OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PEER_KEY);
+ return 0;
+ }
+
+ uint8_t kem_context[3 * P256_PUBLIC_VALUE_LEN];
+ OPENSSL_memcpy(kem_context, enc, P256_PUBLIC_VALUE_LEN);
+ OPENSSL_memcpy(kem_context + P256_PUBLIC_VALUE_LEN, key->public_key,
+ P256_PUBLIC_VALUE_LEN);
+ OPENSSL_memcpy(kem_context + 2 * P256_PUBLIC_VALUE_LEN, peer_public_key,
+ P256_PUBLIC_VALUE_LEN);
+ if (!dhkem_extract_and_expand(key->kem->id, EVP_sha256(), out_shared_secret,
+ SHA256_DIGEST_LENGTH, dh, sizeof(dh),
+ kem_context, sizeof(kem_context))) {
+ return 0;
+ }
+
+ *out_shared_secret_len = SHA256_DIGEST_LENGTH;
+ return 1;
+}
+
+const EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void) {
+ static const EVP_HPKE_KEM kKEM = {
+ /*id=*/EVP_HPKE_DHKEM_P256_HKDF_SHA256,
+ /*public_key_len=*/P256_PUBLIC_KEY_LEN,
+ /*private_key_len=*/P256_PRIVATE_KEY_LEN,
+ /*seed_len=*/P256_SEED_LEN,
+ /*enc_len=*/P256_PUBLIC_VALUE_LEN,
+ p256_init_key,
+ p256_generate_key,
+ p256_encap_with_seed,
+ p256_decap,
+ p256_auth_encap_with_seed,
+ p256_auth_decap,
+ };
+ return &kKEM;
+}
+
 uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem) { return kem->id; }
 size_t EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM *kem) {
@@ -355,6 +646,8 @@ int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) {
 void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in) {
 EVP_HPKE_KEY_cleanup(out);
 // For now, |EVP_HPKE_KEY| is trivially movable.
+ // Note that Rust may move this structure. See
+ // bssl-crypto/src/scoped.rs:EvpHpkeKey.
 OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY));
 EVP_HPKE_KEY_zero(in);
 }
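Review bot: `p256_encap_with_seed` and `p256_auth_encap_with_seed` discard the return value of `p256_public_from_private(out_enc, private_key)`, so a failure there would leave `out_enc` partially written while the function goes on to derive a shared secret, whereas the sibling call sites in `p256_init_key` and `p256_generate_key` do check it. The failure is presumably unreachable today because `private_key` was just accepted by `ec_scalar_from_bytes` inside `p256_private_key_from_seed`, but that is an invariant of a different function; `if (!p256_public_from_private(out_enc, private_key)) { return 0; }` keeps all four call sites consistent. Separately, the intermediate secrets (`private_key` and `dh` in the encap/decap functions, `seed` in `p256_generate_key`, `dkp_prk` in `p256_private_key_from_seed`) go out of scope without `OPENSSL_cleanse`; whether the x25519 path in this file does the same is outside the hunk, so this may be an accepted convention, but it deserves a deliberate decision for key material. Finally, `p256` reports a malformed or off-curve peer point as `ERR_R_INTERNAL_ERROR` and every caller then pushes `EVP_R_INVALID_PEER_KEY` on top, leaving two queue entries for a single input-validation failure.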
@@ -396,7 +689,7 @@ int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out,
 }
 int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out,
- size_t *out_len, size_t max_out) {
+ size_t *out_len, size_t max_out) {
 if (max_out < key->kem->private_key_len) {
 OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_BUFFER_SIZE);
 return 0;
diff --git a/Sources/CNIOBoringSSL/crypto/internal.h b/Sources/CNIOBoringSSL/crypto/internal.h
index a59a69d92..94375c2d6 100644
--- a/Sources/CNIOBoringSSL/crypto/internal.h
+++ b/Sources/CNIOBoringSSL/crypto/internal.h
@@ -180,17 +180,29 @@ extern "C" {
 #endif
-#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || defined(OPENSSL_ARM) || \
- defined(OPENSSL_AARCH64)
-// OPENSSL_cpuid_setup initializes the platform-specific feature cache.
+#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_STATIC_ARMCAP) && \
+ (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \
+ defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64))
+// x86, x86_64, and the ARMs need to record the result of a cpuid/getauxval call
+// for the asm to work correctly, unless compiled without asm code.
+#define NEED_CPUID
+
+// OPENSSL_cpuid_setup initializes the platform-specific feature cache. This
+// function should not be called directly. Call |OPENSSL_init_cpuid| instead.
 void OPENSSL_cpuid_setup(void);
+
+// OPENSSL_init_cpuid initializes the platform-specific feature cache, if
+// needed. This function is idempotent and may be called concurrently.
+void OPENSSL_init_cpuid(void);
+#else
+OPENSSL_INLINE void OPENSSL_init_cpuid(void) {}
 #endif
 #if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \
 !defined(OPENSSL_STATIC_ARMCAP)
 // OPENSSL_get_armcap_pointer_for_test returns a pointer to |OPENSSL_armcap_P|
-// for unit tests. Any modifications to the value must be made after
-// |CRYPTO_library_init| but before any other function call in BoringSSL.
+// for unit tests. Any modifications to the value must be made before any other
+// function call in BoringSSL.
 OPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(void);
 #endif
@@ -205,7 +217,9 @@ typedef __uint128_t uint128_t;
 // __uint128_t division depends on intrinsics in the compiler runtime. Those
 // intrinsics are missing in clang-cl (https://crbug.com/787617) and nanolibc.
 // These may be bugs in the toolchain definition, but just disable it for now.
-#if !defined(_MSC_VER) && !defined(OPENSSL_NANOLIBC)
+// EDK2's toolchain is missing __udivti3 (b/339380897) so cannot support
+// 128-bit division currently.
+#if !defined(_MSC_VER) && !defined(OPENSSL_NANOLIBC) && !defined(__EDK2_BORINGSSL__)
 #define BORINGSSL_CAN_DIVIDE_UINT128
 #endif
 #endif
@@ -235,18 +249,34 @@ typedef __uint128_t uint128_t; #define OPENSSL_FALLTHROUGH #endif -// For convenience in testing 64-bit generic code, we allow disabling SSE2 -// intrinsics via |OPENSSL_NO_SSE2_FOR_TESTING|. x86_64 always has SSE2 -// available, so we would otherwise need to test such code on a non-x86_64 -// platform. -#if defined(__SSE2__) && !defined(OPENSSL_NO_SSE2_FOR_TESTING) +// GCC-like compilers indicate SSE2 with |__SSE2__|. MSVC leaves the caller to +// know that x86_64 has SSE2, and uses _M_IX86_FP to indicate SSE2 on x86. +// https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros?view=msvc-170 +#if defined(__SSE2__) || defined(_M_AMD64) || defined(_M_X64) || \ + (defined(_M_IX86_FP) && _M_IX86_FP >= 2) #define OPENSSL_SSE2 #endif +#if defined(OPENSSL_X86) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SSE2) +#error \ + "x86 assembly requires SSE2. Build with -msse2 (recommended), or disable assembly optimizations with -DOPENSSL_NO_ASM." +#endif + +// For convenience in testing the fallback code, we allow disabling SSE2 +// intrinsics via |OPENSSL_NO_SSE2_FOR_TESTING|. We require SSE2 on x86 and +// x86_64, so we would otherwise need to test such code on a non-x86 platform. +// +// This does not remove the above requirement for SSE2 support with assembly +// optimizations. It only disables some intrinsics-based optimizations so that +// we can test the fallback code on CI. +#if defined(OPENSSL_SSE2) && defined(OPENSSL_NO_SSE2_FOR_TESTING) +#undef OPENSSL_SSE2 +#endif + #if defined(__GNUC__) || defined(__clang__) -#define OPENSSL_ATTR_PURE __attribute__((pure)) +#define OPENSSL_ATTR_CONST __attribute__((const)) #else -#define OPENSSL_ATTR_PURE +#define OPENSSL_ATTR_CONST #endif #if defined(BORINGSSL_MALLOC_FAILURE_TESTING) 
@@ -255,8 +285,26 @@ typedef __uint128_t uint128_t; // should be called in between independent tests, at a point where failure from // a previous test will not impact subsequent ones. OPENSSL_EXPORT void OPENSSL_reset_malloc_counter_for_testing(void); + +// OPENSSL_disable_malloc_failures_for_testing, when malloc testing is enabled, +// disables simulated malloc failures. Calls to |OPENSSL_malloc| will not +// increment the malloc counter or synthesize failures. This may be used to skip +// simulating malloc failures in some region of code. +OPENSSL_EXPORT void OPENSSL_disable_malloc_failures_for_testing(void); + +// OPENSSL_enable_malloc_failures_for_testing, when malloc testing is enabled, +// re-enables simulated malloc failures. +OPENSSL_EXPORT void OPENSSL_enable_malloc_failures_for_testing(void); #else OPENSSL_INLINE void OPENSSL_reset_malloc_counter_for_testing(void) {} +OPENSSL_INLINE void OPENSSL_disable_malloc_failures_for_testing(void) {} +OPENSSL_INLINE void OPENSSL_enable_malloc_failures_for_testing(void) {} +#endif + +#if defined(__has_builtin) +#define OPENSSL_HAS_BUILTIN(x) __has_builtin(x) +#else +#define OPENSSL_HAS_BUILTIN(x) 0 #endif 
@@ -521,11 +569,22 @@ static inline void constant_time_conditional_memcpy(void *dst, const void *src, // |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory // ranges at |dst| and |src| must not overlap, as when calling |memcpy|. static inline void constant_time_conditional_memxor(void *dst, const void *src, - const size_t n, + size_t n, const crypto_word_t mask) { assert(!buffers_alias(dst, n, src, n)); uint8_t *out = (uint8_t *)dst; const uint8_t *in = (const uint8_t *)src; +#if defined(__GNUC__) && !defined(__clang__) + // gcc 13.2.0 doesn't automatically vectorize this loop regardless of barrier + typedef uint8_t v32u8 __attribute__((vector_size(32), aligned(1), may_alias)); + size_t n_vec = n&~(size_t)31; + v32u8 masks = ((uint8_t)mask-(v32u8){}); // broadcast + for (size_t i = 0; i < n_vec; i += 32) { + *(v32u8*)&out[i] ^= masks & *(v32u8*)&in[i]; + } + out += n_vec; + n -= n_vec; +#endif for (size_t i = 0; i < n; i++) { out[i] ^= value_barrier_w(mask) & in[i]; } @@ -575,6 +634,12 @@ static inline int constant_time_declassify_int(int v) { return value_barrier_u32(v); } +// declassify_assert behaves like |assert| but declassifies the result of +// evaluating |expr|. This allows the assertion to branch on the (presumably +// public) result, but still ensures that values leading up to the computation +// were secret. +#define declassify_assert(expr) assert(constant_time_declassify_int(expr)) + // Thread-safe initialisation. 
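Review bot: The GCC vector fast path added to constant_time_conditional_memxor builds `masks` from the raw `mask` and drops the `value_barrier_w` that the scalar tail below it still applies, so the optimizer is free to use its knowledge that `mask` is 0 or all-ones and specialise on it, which is exactly what the barrier exists to prevent in the scalar loop. Keeping the barrier in the broadcast is a one-line change: `v32u8 masks = ((uint8_t)value_barrier_w(mask) - (v32u8){});  // broadcast`. The comment only says gcc fails to vectorize the scalar loop "regardless of barrier"; it should also state whether the vector path was checked for branch-free code generation. This is vendored upstream BoringSSL, so the fix belongs upstream rather than as a local patch.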
@@ -871,14 +936,12 @@ typedef struct { #define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \ {CRYPTO_MUTEX_INIT, NULL, NULL, 0, 1} -// CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes -// it to |*out_index|. Each class of object should provide a wrapper function -// that uses the correct |CRYPTO_EX_DATA_CLASS|. It returns one on success and -// zero otherwise. -OPENSSL_EXPORT int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, - int *out_index, long argl, - void *argp, - CRYPTO_EX_free *free_func); +// CRYPTO_get_ex_new_index_ex allocates a new index for |ex_data_class|. Each +// class of object should provide a wrapper function that uses the correct +// |CRYPTO_EX_DATA_CLASS|. It returns the new index on success and -1 on error. +OPENSSL_EXPORT int CRYPTO_get_ex_new_index_ex( + CRYPTO_EX_DATA_CLASS *ex_data_class, long argl, void *argp, + CRYPTO_EX_free *free_func); // CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class // of object should provide a wrapper function. @@ -1030,6 +1093,17 @@ static inline void *OPENSSL_memset(void *dst, int c, size_t n) { // endianness. They use |memcpy|, and so avoid alignment or strict aliasing // requirements on the input and output pointers. +static inline uint16_t CRYPTO_load_u16_be(const void *in) { + uint16_t v; + OPENSSL_memcpy(&v, in, sizeof(v)); + return CRYPTO_bswap2(v); +} + +static inline void CRYPTO_store_u16_be(void *out, uint16_t v) { + v = CRYPTO_bswap2(v); + OPENSSL_memcpy(out, &v, sizeof(v)); +} + static inline uint32_t CRYPTO_load_u32_le(const void *in) { uint32_t v; OPENSSL_memcpy(&v, in, sizeof(v)); 
@@ -1134,6 +1208,117 @@ static inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) { } +// Arithmetic functions. + +// The most efficient versions of these functions on GCC and Clang depend on C11 +// |_Generic|. If we ever need to call these from C++, we'll need to add a +// variant that uses C++ overloads instead. +#if !defined(__cplusplus) + +// CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry +// bit. |carry| must be zero or one. +#if OPENSSL_HAS_BUILTIN(__builtin_addc) + +#define CRYPTO_GENERIC_ADDC(x, y, carry, out_carry) \ + (_Generic((x), \ + unsigned: __builtin_addc, \ + unsigned long: __builtin_addcl, \ + unsigned long long: __builtin_addcll))((x), (y), (carry), (out_carry)) + +static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry, + uint32_t *out_carry) { + declassify_assert(carry <= 1); + return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry); +} + +static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry, + uint64_t *out_carry) { + declassify_assert(carry <= 1); + return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry); +} + +#else + +static inline uint32_t CRYPTO_addc_u32(uint32_t x, uint32_t y, uint32_t carry, + uint32_t *out_carry) { + declassify_assert(carry <= 1); + uint64_t ret = carry; + ret += (uint64_t)x + y; + *out_carry = (uint32_t)(ret >> 32); + return (uint32_t)ret; +} + +static inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry, + uint64_t *out_carry) { + declassify_assert(carry <= 1); +#if defined(BORINGSSL_HAS_UINT128) + uint128_t ret = carry; + ret += (uint128_t)x + y; + *out_carry = (uint64_t)(ret >> 64); + return (uint64_t)ret; +#else + x += carry; + carry = x < carry; + uint64_t ret = x + y; + carry += ret < x; + *out_carry = carry; + return ret; +#endif +} +#endif + +// CRYPTO_subc_* returns |x - y - borrow|, and sets |*out_borrow| to the borrow +// bit. |borrow| must be zero or one. 
+#if OPENSSL_HAS_BUILTIN(__builtin_subc) + +#define CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow) \ + (_Generic((x), \ + unsigned: __builtin_subc, \ + unsigned long: __builtin_subcl, \ + unsigned long long: __builtin_subcll))((x), (y), (borrow), (out_borrow)) + +static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow, + uint32_t *out_borrow) { + declassify_assert(borrow <= 1); + return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow); +} + +static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow, + uint64_t *out_borrow) { + declassify_assert(borrow <= 1); + return CRYPTO_GENERIC_SUBC(x, y, borrow, out_borrow); +} + +#else + +static inline uint32_t CRYPTO_subc_u32(uint32_t x, uint32_t y, uint32_t borrow, + uint32_t *out_borrow) { + declassify_assert(borrow <= 1); + uint32_t ret = x - y - borrow; + *out_borrow = (x < y) | ((x == y) & borrow); + return ret; +} + +static inline uint64_t CRYPTO_subc_u64(uint64_t x, uint64_t y, uint64_t borrow, + uint64_t *out_borrow) { + declassify_assert(borrow <= 1); + uint64_t ret = x - y - borrow; + *out_borrow = (x < y) | ((x == y) & borrow); + return ret; +} +#endif + +#if defined(OPENSSL_64_BIT) +#define CRYPTO_addc_w CRYPTO_addc_u64 +#define CRYPTO_subc_w CRYPTO_subc_u64 +#else +#define CRYPTO_addc_w CRYPTO_addc_u32 +#define CRYPTO_subc_w CRYPTO_subc_u32 +#endif + +#endif // !__cplusplus + + // FIPS functions. #if defined(BORINGSSL_FIPS) 
@@ -1216,20 +1401,23 @@ OPENSSL_INLINE int boringssl_fips_break_test(const char *test) { // ECX for CPUID where EAX = 1 // Bit 11 is used to indicate AMD XOP support, not SDBG // Index 2: -// EBX for CPUID where EAX = 7 +// EBX for CPUID where EAX = 7, ECX = 0 +// Bit 14 (for removed feature MPX) is used to indicate a preference for ymm +// registers over zmm even when zmm registers are supported // Index 3: -// ECX for CPUID where EAX = 7 +// ECX for CPUID where EAX = 7, ECX = 0 // -// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM -// bits in XCR0, so it is not necessary to check those. +// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the XMM, YMM, +// and AVX512 bits in XCR0, so it is not necessary to check those. (WARNING: See +// caveats in cpu_intel.c.) // // From C, this symbol should only be accessed with |OPENSSL_get_ia32cap|. extern uint32_t OPENSSL_ia32cap_P[4]; // OPENSSL_get_ia32cap initializes the library if needed and returns the |idx|th -// entry of |OPENSSL_ia32cap_P|. It is marked as a pure function so duplicate +// entry of |OPENSSL_ia32cap_P|. It is marked as a const function so duplicate // calls can be merged by the compiler, at least when indices match. -OPENSSL_ATTR_PURE uint32_t OPENSSL_get_ia32cap(int idx); +OPENSSL_ATTR_CONST uint32_t OPENSSL_get_ia32cap(int idx); // See Intel manual, volume 2A, table 3-11. @@ -1288,6 +1476,9 @@ OPENSSL_INLINE int CRYPTO_is_AESNI_capable(void) { #endif } +// We intentionally avoid defining a |CRYPTO_is_XSAVE_capable| function. See +// |CRYPTO_cpu_perf_is_like_silvermont|. + OPENSSL_INLINE int CRYPTO_is_AVX_capable(void) { #if defined(__AVX__) return 1; 
@@ -1297,19 +1488,16 @@ OPENSSL_INLINE int CRYPTO_is_AVX_capable(void) {
 }
 OPENSSL_INLINE int CRYPTO_is_RDRAND_capable(void) {
- // The GCC/Clang feature name and preprocessor symbol for RDRAND are "rdrnd"
- // and |__RDRND__|, respectively.
-#if defined(__RDRND__)
- return 1;
-#else
+ // We intentionally do not check |__RDRND__| here. On some AMD processors, we
+ // will act as if the hardware is RDRAND-incapable, even it actually supports
+ // it. See cpu_intel.c.
 return (OPENSSL_get_ia32cap(1) & (1u << 30)) != 0;
-#endif
 }
 // See Intel manual, volume 2A, table 3-8.
 OPENSSL_INLINE int CRYPTO_is_BMI1_capable(void) {
-#if defined(__BMI1__)
+#if defined(__BMI__)
 return 1;
 #else
 return (OPENSSL_get_ia32cap(2) & (1u << 3)) != 0;
@@ -1340,6 +1528,95 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) { #endif } +// SHA-1 and SHA-256 are defined as a single extension. +OPENSSL_INLINE int CRYPTO_is_x86_SHA_capable(void) { + // We should check __SHA__ here, but for now we ignore it. We've run into a + // few places where projects build with -march=goldmont, but need a build that + // does not require SHA extensions: + // + // - Some CrOS toolchain definitions are incorrect and build with + // -march=goldmont when targetting boards that are not Goldmont. b/320482539 + // tracks fixing this. + // + // - Sometimes projects build with -march=goldmont as a rough optimized + // baseline. However, Intel CPU capabilities are not strictly linear, so + // this does not quite work. Some combination of -mtune and + // -march=x86-64-v{1,2,3,4} would be a better strategy here. + // + // - QEMU versions before 8.2 do not support SHA extensions and disable it + // with a warning. Projects that target Goldmont and test on QEMU will + // break. The long-term fix is to update to 8.2. A principled short-term fix + // would be -march=goldmont -mno-sha, to reflect that the binary needs to + // run on both QEMU-8.1-Goldmont and actual-Goldmont. + // + // TODO(b/320482539): Once the CrOS toolchain is fixed, try this again. + return (OPENSSL_get_ia32cap(2) & (1u << 29)) != 0; +} + +// CRYPTO_cpu_perf_is_like_silvermont returns one if, based on a heuristic, the +// CPU has Silvermont-like performance characteristics. It is often faster to +// run different codepaths on these CPUs than the available instructions would +// otherwise select. See chacha-x86_64.pl. +// +// Bonnell, Silvermont's predecessor in the Atom lineup, will also be matched by +// this. Goldmont (Silvermont's successor in the Atom lineup) added XSAVE so it +// isn't matched by this. Various sources indicate AMD first implemented MOVBE +// and XSAVE at the same time in Jaguar, so it seems like AMD chips will not be +// matched by this. 
That seems to be the case for other x86(-64) CPUs. +OPENSSL_INLINE int CRYPTO_cpu_perf_is_like_silvermont(void) { + // WARNING: This MUST NOT be used to guard the execution of the XSAVE + // instruction. This is the "hardware supports XSAVE" bit, not the OSXSAVE bit + // that indicates whether we can safely execute XSAVE. This bit may be set + // even when XSAVE is disabled (by the operating system). See how the users of + // this bit use it. + // + // Historically, the XSAVE bit was artificially cleared on Knights Landing + // and Knights Mill chips, but as Intel has removed all support from GCC, + // LLVM, and SDE, we assume they are no longer worth special-casing. + int hardware_supports_xsave = (OPENSSL_get_ia32cap(1) & (1u << 26)) != 0; + return !hardware_supports_xsave && CRYPTO_is_MOVBE_capable(); +} + +OPENSSL_INLINE int CRYPTO_is_AVX512BW_capable(void) { +#if defined(__AVX512BW__) + return 1; +#else + return (OPENSSL_get_ia32cap(2) & (1u << 30)) != 0; +#endif +} + +OPENSSL_INLINE int CRYPTO_is_AVX512VL_capable(void) { +#if defined(__AVX512VL__) + return 1; +#else + return (OPENSSL_get_ia32cap(2) & (1u << 31)) != 0; +#endif +} + +// CRYPTO_cpu_avoid_zmm_registers returns 1 if zmm registers (512-bit vectors) +// should not be used even if the CPU supports them. +// +// Note that this reuses the bit for the removed MPX feature. +OPENSSL_INLINE int CRYPTO_cpu_avoid_zmm_registers(void) { + return (OPENSSL_get_ia32cap(2) & (1u << 14)) != 0; +} + +OPENSSL_INLINE int CRYPTO_is_VAES_capable(void) { +#if defined(__VAES__) + return 1; +#else + return (OPENSSL_get_ia32cap(3) & (1u << 9)) != 0; +#endif +} + +OPENSSL_INLINE int CRYPTO_is_VPCLMULQDQ_capable(void) { +#if defined(__VPCLMULQDQ__) + return 1; +#else + return (OPENSSL_get_ia32cap(3) & (1u << 10)) != 0; +#endif +} + #endif // OPENSSL_X86 || OPENSSL_X86_64 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) 
@@ -1349,9 +1626,9 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) { extern uint32_t OPENSSL_armcap_P; // OPENSSL_get_armcap initializes the library if needed and returns ARM CPU -// capabilities. It is marked as a pure function so duplicate calls can be -// merged by the compiler, at least when indices match. -OPENSSL_ATTR_PURE uint32_t OPENSSL_get_armcap(void); +// capabilities. It is marked as a const function so duplicate calls can be +// merged by the compiler. +OPENSSL_ATTR_CONST uint32_t OPENSSL_get_armcap(void); // We do not detect any features at runtime on several 32-bit Arm platforms. // Apple platforms and OpenBSD require NEON and moved to 64-bit to pick up Armv8 @@ -1409,6 +1686,41 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_PMULL_capable(void) { #endif } +OPENSSL_INLINE int CRYPTO_is_ARMv8_SHA1_capable(void) { + // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise + // are dealt with independently. +#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_SHA2) + return 1; +#elif defined(OPENSSL_STATIC_ARMCAP) + return 0; +#else + return (OPENSSL_get_armcap() & ARMV8_SHA1) != 0; +#endif +} + +OPENSSL_INLINE int CRYPTO_is_ARMv8_SHA256_capable(void) { + // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise + // are dealt with independently. +#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_SHA2) + return 1; +#elif defined(OPENSSL_STATIC_ARMCAP) + return 0; +#else + return (OPENSSL_get_armcap() & ARMV8_SHA256) != 0; +#endif +} + +OPENSSL_INLINE int CRYPTO_is_ARMv8_SHA512_capable(void) { + // There is no |OPENSSL_STATIC_ARMCAP_SHA512|. +#if defined(__ARM_FEATURE_SHA512) + return 1; +#elif defined(OPENSSL_STATIC_ARMCAP) + return 0; +#else + return (OPENSSL_get_armcap() & ARMV8_SHA512) != 0; +#endif +} + #endif // OPENSSL_ARM || OPENSSL_AARCH64 #if defined(BORINGSSL_DISPATCH_TEST) 
diff --git a/Sources/CNIOBoringSSL/crypto/keccak/keccak.c b/Sources/CNIOBoringSSL/crypto/keccak/keccak.c index 8d8d849e4..f19861500 100644 --- a/Sources/CNIOBoringSSL/crypto/keccak/keccak.c +++ b/Sources/CNIOBoringSSL/crypto/keccak/keccak.c @@ -56,19 +56,40 @@ static void keccak_f(uint64_t state[25]) { // and the sequence will repeat. All that remains is to handle the element // at (0, 0), but the rotation for that element is zero, and it goes to (0, // 0), so we can ignore it. - static const uint8_t kIndexes[24] = {10, 7, 11, 17, 18, 3, 5, 16, - 8, 21, 24, 4, 15, 23, 19, 13, - 12, 2, 20, 14, 22, 9, 6, 1}; - static const uint8_t kRotations[24] = {1, 3, 6, 10, 15, 21, 28, 36, - 45, 55, 2, 14, 27, 41, 56, 8, - 25, 43, 62, 18, 39, 61, 20, 44}; uint64_t prev_value = state[1]; - for (int i = 0; i < 24; i++) { - const uint64_t value = CRYPTO_rotl_u64(prev_value, kRotations[i]); - const size_t index = kIndexes[i]; - prev_value = state[index]; - state[index] = value; - } +#define PI_RHO_STEP(index, rotation) \ + do { \ + const uint64_t value = CRYPTO_rotl_u64(prev_value, rotation); \ + prev_value = state[index]; \ + state[index] = value; \ + } while (0) + + PI_RHO_STEP(10, 1); + PI_RHO_STEP(7, 3); + PI_RHO_STEP(11, 6); + PI_RHO_STEP(17, 10); + PI_RHO_STEP(18, 15); + PI_RHO_STEP(3, 21); + PI_RHO_STEP(5, 28); + PI_RHO_STEP(16, 36); + PI_RHO_STEP(8, 45); + PI_RHO_STEP(21, 55); + PI_RHO_STEP(24, 2); + PI_RHO_STEP(4, 14); + PI_RHO_STEP(15, 27); + PI_RHO_STEP(23, 41); + PI_RHO_STEP(19, 56); + PI_RHO_STEP(13, 8); + PI_RHO_STEP(12, 25); + PI_RHO_STEP(2, 43); + PI_RHO_STEP(20, 62); + PI_RHO_STEP(14, 18); + PI_RHO_STEP(22, 39); + PI_RHO_STEP(9, 61); + PI_RHO_STEP(6, 20); + PI_RHO_STEP(1, 44); + +#undef PI_RHO_STEP // χ step for (int y = 0; y < 5; y++) { 
@@ -240,6 +261,11 @@ void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx, uint8_t *out,
 // because we require |uint8_t| to be a character type.
 const uint8_t *state_bytes = (const uint8_t *)ctx->state;
 while (out_len) {
+ if (ctx->squeeze_offset == ctx->rate_bytes) {
+ keccak_f(ctx->state);
+ ctx->squeeze_offset = 0;
+ }
+
 size_t remaining = ctx->rate_bytes - ctx->squeeze_offset;
 size_t todo = out_len;
 if (todo > remaining) {
@@ -249,9 +275,5 @@ void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx, uint8_t *out,
 out += todo;
 out_len -= todo;
 ctx->squeeze_offset += todo;
- if (ctx->squeeze_offset == ctx->rate_bytes) {
- keccak_f(ctx->state);
- ctx->squeeze_offset = 0;
- }
 }
 }
diff --git a/Sources/CNIOBoringSSL/crypto/kyber/internal.h b/Sources/CNIOBoringSSL/crypto/kyber/internal.h
index e3adb5367..5737e1226 100644
--- a/Sources/CNIOBoringSSL/crypto/kyber/internal.h
+++ b/Sources/CNIOBoringSSL/crypto/kyber/internal.h
@@ -16,7 +16,7 @@
 #define OPENSSL_HEADER_CRYPTO_KYBER_INTERNAL_H
 #include
-#include
+#include
 #if defined(__cplusplus)
 extern "C" {
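Review bot: Moving the permutation from the end of a full block to the start of the next squeeze makes `ctx->squeeze_offset == ctx->rate_bytes` a meaningful state ("block exhausted, keccak_f pending") that nothing in the hunk documents; a comment above the loop such as `// squeeze_offset == rate_bytes means the current block is used up and keccak_f must run before more output is produced` would make the invariant explicit. Whatever finishes absorption and initialises `squeeze_offset` is outside the hunk; under the new scheme it must either run keccak_f itself and set the offset to 0, or set the offset to `rate_bytes` so that the first squeeze permutes, and it is worth confirming which one it does. Any code that reads `ctx->state` directly after an exact-multiple-of-rate squeeze now observes the pre-permutation state, which presumably no caller relies on but is a behaviour change. The rest of BORINGSSL_keccak_squeeze lies between the two hunks.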
@@ -42,15 +42,15 @@ OPENSSL_EXPORT void KYBER_generate_key_external_entropy( struct KYBER_private_key *out_private_key, const uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY]); -// KYBER_encap_external_entropy is a deterministic function to encapsulate -// |out_shared_secret_len| bytes of |out_shared_secret| to |ciphertext|, using -// |KYBER_ENCAP_ENTROPY| bytes of |entropy| for randomization. The -// decapsulating side will be able to recover |entropy| in full. This -// function is should only be used for tests, regular callers should use the -// non-deterministic |KYBER_encap| directly. +// KYBER_encap_external_entropy behaves like |KYBER_encap|, but uses +// |KYBER_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating +// side will be able to recover |entropy| in full. This function should only be +// used for tests, regular callers should use the non-deterministic +// |KYBER_encap| directly. OPENSSL_EXPORT void KYBER_encap_external_entropy( - uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], uint8_t *out_shared_secret, - size_t out_shared_secret_len, const struct KYBER_public_key *public_key, + uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], + uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], + const struct KYBER_public_key *public_key, const uint8_t entropy[KYBER_ENCAP_ENTROPY]); #if defined(__cplusplus) diff --git a/Sources/CNIOBoringSSL/crypto/kyber/kyber.c b/Sources/CNIOBoringSSL/crypto/kyber/kyber.c index 2d83e4d01..b8a9b04a3 100644 --- a/Sources/CNIOBoringSSL/crypto/kyber/kyber.c +++ b/Sources/CNIOBoringSSL/crypto/kyber/kyber.c @@ -12,7 +12,8 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include +#define OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER +#include #include #include 
@@ -28,6 +29,22 @@ // See // https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf +static void prf(uint8_t *out, size_t out_len, const uint8_t in[33]) { + BORINGSSL_keccak(out, out_len, in, 33, boringssl_shake256); +} + +static void hash_h(uint8_t out[32], const uint8_t *in, size_t len) { + BORINGSSL_keccak(out, 32, in, len, boringssl_sha3_256); +} + +static void hash_g(uint8_t out[64], const uint8_t *in, size_t len) { + BORINGSSL_keccak(out, 64, in, len, boringssl_sha3_512); +} + +static void kdf(uint8_t *out, size_t out_len, const uint8_t *in, size_t len) { + BORINGSSL_keccak(out, out_len, in, len, boringssl_shake256); +} + #define DEGREE 256 #define RANK 3 @@ -315,7 +332,7 @@ static void scalar_centered_binomial_distribution_eta_2_with_prf( scalar *out, const uint8_t input[33]) { uint8_t entropy[128]; static_assert(sizeof(entropy) == 2 * /*kEta=*/2 * DEGREE / 8, ""); - BORINGSSL_keccak(entropy, sizeof(entropy), input, 33, boringssl_shake256); + prf(entropy, sizeof(entropy), input); for (int i = 0; i < DEGREE; i += 2) { uint8_t byte = entropy[i / 2]; @@ -611,7 +628,7 @@ void KYBER_generate_key_external_entropy( const uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY]) { struct private_key *priv = private_key_from_external(out_private_key); uint8_t hashed[64]; - BORINGSSL_keccak(hashed, sizeof(hashed), entropy, 32, boringssl_sha3_512); + hash_g(hashed, entropy, 32); const uint8_t *const rho = hashed; const uint8_t *const sigma = hashed + 32; OPENSSL_memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho)); @@ -631,9 +648,8 @@ void KYBER_generate_key_external_entropy( abort(); } - BORINGSSL_keccak(priv->pub.public_key_hash, sizeof(priv->pub.public_key_hash), - out_encoded_public_key, KYBER_PUBLIC_KEY_BYTES, - boringssl_sha3_256); + hash_h(priv->pub.public_key_hash, out_encoded_public_key, + KYBER_PUBLIC_KEY_BYTES); OPENSSL_memcpy(priv->fo_failure_secret, entropy + 32, 32); } 
@@ -682,12 +698,12 @@ static void encrypt_cpa(uint8_t out[KYBER_CIPHERTEXT_BYTES], // Calls KYBER_encap_external_entropy| with random bytes from |RAND_bytes| void KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], - uint8_t *out_shared_secret, size_t out_shared_secret_len, + uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], const struct KYBER_public_key *public_key) { uint8_t entropy[KYBER_ENCAP_ENTROPY]; RAND_bytes(entropy, KYBER_ENCAP_ENTROPY); - KYBER_encap_external_entropy(out_ciphertext, out_shared_secret, - out_shared_secret_len, public_key, entropy); + KYBER_encap_external_entropy(out_ciphertext, out_shared_secret, public_key, + entropy); } // Algorithm 8 of the Kyber spec, safe for line 2 of the spec. The spec there @@ -697,8 +713,9 @@ void KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], // number generator is used, the caller should switch to a secure one before // calling this method. void KYBER_encap_external_entropy( - uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], uint8_t *out_shared_secret, - size_t out_shared_secret_len, const struct KYBER_public_key *public_key, + uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], + uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], + const struct KYBER_public_key *public_key, const uint8_t entropy[KYBER_ENCAP_ENTROPY]) { const struct public_key *pub = public_key_from_external(public_key); uint8_t input[64]; 
@@ -706,14 +723,11 @@ void KYBER_encap_external_entropy( OPENSSL_memcpy(input + KYBER_ENCAP_ENTROPY, pub->public_key_hash, sizeof(input) - KYBER_ENCAP_ENTROPY); uint8_t prekey_and_randomness[64]; - BORINGSSL_keccak(prekey_and_randomness, sizeof(prekey_and_randomness), input, - sizeof(input), boringssl_sha3_512); + hash_g(prekey_and_randomness, input, sizeof(input)); encrypt_cpa(out_ciphertext, pub, entropy, prekey_and_randomness + 32); - BORINGSSL_keccak(prekey_and_randomness + 32, 32, out_ciphertext, - KYBER_CIPHERTEXT_BYTES, boringssl_sha3_256); - BORINGSSL_keccak(out_shared_secret, out_shared_secret_len, - prekey_and_randomness, sizeof(prekey_and_randomness), - boringssl_shake256); + hash_h(prekey_and_randomness + 32, out_ciphertext, KYBER_CIPHERTEXT_BYTES); + kdf(out_shared_secret, KYBER_SHARED_SECRET_BYTES, prekey_and_randomness, + sizeof(prekey_and_randomness)); } // Algorithm 6 of the Kyber spec. @@ -739,7 +753,7 @@ static void decrypt_cpa(uint8_t out[32], const struct private_key *priv, // failure to be passed on to the caller, and instead returns a result that is // deterministic but unpredictable to anyone without knowledge of the private // key. -void KYBER_decap(uint8_t *out_shared_secret, size_t out_shared_secret_len, +void KYBER_decap(uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], const uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES], const struct KYBER_private_key *private_key) { const struct private_key *priv = private_key_from_external(private_key); 
@@ -748,8 +762,7 @@ void KYBER_decap(uint8_t *out_shared_secret, size_t out_shared_secret_len, OPENSSL_memcpy(decrypted + 32, priv->pub.public_key_hash, sizeof(decrypted) - 32); uint8_t prekey_and_randomness[64]; - BORINGSSL_keccak(prekey_and_randomness, sizeof(prekey_and_randomness), - decrypted, sizeof(decrypted), boringssl_sha3_512); + hash_g(prekey_and_randomness, decrypted, sizeof(decrypted)); uint8_t expected_ciphertext[KYBER_CIPHERTEXT_BYTES]; encrypt_cpa(expected_ciphertext, &priv->pub, decrypted, prekey_and_randomness + 32); @@ -762,10 +775,8 @@ void KYBER_decap(uint8_t *out_shared_secret, size_t out_shared_secret_len, input[i] = constant_time_select_8(mask, prekey_and_randomness[i], priv->fo_failure_secret[i]); } - BORINGSSL_keccak(input + 32, 32, ciphertext, KYBER_CIPHERTEXT_BYTES, - boringssl_sha3_256); - BORINGSSL_keccak(out_shared_secret, out_shared_secret_len, input, - sizeof(input), boringssl_shake256); + hash_h(input + 32, ciphertext, KYBER_CIPHERTEXT_BYTES); + kdf(out_shared_secret, KYBER_SHARED_SECRET_BYTES, input, sizeof(input)); } int KYBER_marshal_public_key(CBB *out, @@ -793,8 +804,7 @@ int KYBER_parse_public_key(struct KYBER_public_key *public_key, CBS *in) { CBS_len(in) != 0) { return 0; } - BORINGSSL_keccak(pub->public_key_hash, sizeof(pub->public_key_hash), - CBS_data(&orig_in), CBS_len(&orig_in), boringssl_sha3_256); + hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in)); return 1; } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/md4/md4.c b/Sources/CNIOBoringSSL/crypto/md4/md4.c similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/md4/md4.c rename to Sources/CNIOBoringSSL/crypto/md4/md4.c index aa418307f..a39c0b77d 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/md4/md4.c +++ b/Sources/CNIOBoringSSL/crypto/md4/md4.c 
@@ -59,8 +59,8 @@ #include #include -#include "../../internal.h" -#include "../digest/md32_common.h" +#include "../internal.h" +#include "../crypto/fipsmodule/digest/md32_common.h" uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) { @@ -231,10 +231,3 @@ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) { D = state[3] += D; } } - -#undef F -#undef G -#undef H -#undef R0 -#undef R1 -#undef R2 diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5/internal.h b/Sources/CNIOBoringSSL/crypto/md5/internal.h similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/md5/internal.h rename to Sources/CNIOBoringSSL/crypto/md5/internal.h diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5/md5.c b/Sources/CNIOBoringSSL/crypto/md5/md5.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/md5/md5.c rename to Sources/CNIOBoringSSL/crypto/md5/md5.c index 7c57cdc6f..e459188e9 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5/md5.c +++ b/Sources/CNIOBoringSSL/crypto/md5/md5.c @@ -60,8 +60,8 @@ #include -#include "../../internal.h" -#include "../digest/md32_common.h" +#include "../internal.h" +#include "../fipsmodule/digest/md32_common.h" #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/mem.c b/Sources/CNIOBoringSSL/crypto/mem.c index e220607e3..e904f5fb0 100644 --- a/Sources/CNIOBoringSSL/crypto/mem.c +++ b/Sources/CNIOBoringSSL/crypto/mem.c 
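Review bot: The relocated md4.c includes md32_common.h as `"../crypto/fipsmodule/digest/md32_common.h"`, while md5.c, relocated in the same hunk to the sibling directory, uses `"../fipsmodule/digest/md32_common.h"`. From crypto/md4/md4.c the md4 form does not resolve relative to the including file (it would name crypto/crypto/fipsmodule/…), so it presumably only compiles because a fallback include directory on the search path happens to make it land; the md5 form is file-relative and does not depend on that. Suggest `#include "../fipsmodule/digest/md32_common.h"` in md4.c too, for consistency and so the include survives a change of -I flags. Both files are vendored, so this belongs in the upstream sync rather than a local patch.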
@@ -94,7 +94,11 @@ static void __asan_unpoison_memory_region(const void *addr, size_t size) {} // Windows doesn't really support weak symbols as of May 2019, and Clang on // Windows will emit strong symbols instead. See // https://bugs.llvm.org/show_bug.cgi?id=37598 -#if defined(__ELF__) && defined(__GNUC__) +// +// EDK2 targets UEFI but builds as ELF and then translates the binary to +// COFF(!). Thus it builds with __ELF__ defined but cannot actually cope with +// weak symbols. +#if !defined(__EDK2_BORINGSSL__) && defined(__ELF__) && defined(__GNUC__) #define WEAK_SYMBOL_FUNC(rettype, name, args) \ rettype name args __attribute__((weak)); #else @@ -138,7 +142,7 @@ static CRYPTO_MUTEX malloc_failure_lock = CRYPTO_MUTEX_INIT; static uint64_t current_malloc_count = 0; static uint64_t malloc_number_to_fail = 0; static int malloc_failure_enabled = 0, break_on_malloc_fail = 0, - any_malloc_failed = 0; + any_malloc_failed = 0, disable_malloc_failures = 0; static void malloc_exit_handler(void) { CRYPTO_MUTEX_lock_read(&malloc_failure_lock); @@ -168,7 +172,7 @@ static void init_malloc_failure(void) { static int should_fail_allocation() { static CRYPTO_once_t once = CRYPTO_ONCE_INIT; CRYPTO_once(&once, init_malloc_failure); - if (!malloc_failure_enabled) { + if (!malloc_failure_enabled || disable_malloc_failures) { return 0; } @@ -195,6 +199,20 @@ void OPENSSL_reset_malloc_counter_for_testing(void) { CRYPTO_MUTEX_unlock_write(&malloc_failure_lock); } +void OPENSSL_disable_malloc_failures_for_testing(void) { + CRYPTO_MUTEX_lock_write(&malloc_failure_lock); + BSSL_CHECK(!disable_malloc_failures); + disable_malloc_failures = 1; + CRYPTO_MUTEX_unlock_write(&malloc_failure_lock); +} + +void OPENSSL_enable_malloc_failures_for_testing(void) { + CRYPTO_MUTEX_lock_write(&malloc_failure_lock); + BSSL_CHECK(disable_malloc_failures); + disable_malloc_failures = 0; + CRYPTO_MUTEX_unlock_write(&malloc_failure_lock); +} + #else static int should_fail_allocation(void) { return 0; } #endif 
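Review bot: `should_fail_allocation` reads the new `disable_malloc_failures` flag with no lock visible in the hunk, while both new toggles write it under `malloc_failure_lock`; if the neighbouring `malloc_failure_enabled` check is likewise outside the lock, this adds an unsynchronised read that races with the writers, which a TSan test build will report even though the code is test-only. Either evaluate the flag after taking the lock (the lock acquisition, if any, is later in the function and outside the hunk) or document that the toggles may only be called while no other thread allocates. The `BSSL_CHECK` preconditions make nested or unpaired disable/enable calls fatal; a one-line comment on the header declarations, `// Calls must be paired and must not nest.`, would spare callers the surprise. should_fail_allocation's body continues outside the hunk.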
@@ -228,7 +246,7 @@ void *OPENSSL_malloc(size_t size) {
   __asan_poison_memory_region(ptr, OPENSSL_MALLOC_PREFIX);
   return ((uint8_t *)ptr) + OPENSSL_MALLOC_PREFIX;
 
- err:
+err:
   // This only works because ERR does not call OPENSSL_malloc.
   OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE);
   return NULL;
@@ -384,13 +402,8 @@ char *OPENSSL_strdup(const char *s) {
   if (s == NULL) {
     return NULL;
   }
-  const size_t len = strlen(s) + 1;
-  char *ret = OPENSSL_malloc(len);
-  if (ret == NULL) {
-    return NULL;
-  }
-  OPENSSL_memcpy(ret, s, len);
-  return ret;
+  // Copy the NUL terminator.
+  return OPENSSL_memdup(s, strlen(s) + 1);
 }
 
 int OPENSSL_isalpha(int c) {
@@ -514,7 +527,7 @@ int OPENSSL_vasprintf_internal(char **str, const char *format, va_list args,
   *str = candidate;
   return ret;
 
- err:
+err:
   deallocate(candidate);
   *str = NULL;
   errno = ENOMEM;
diff --git a/Sources/CNIOBoringSSL/crypto/mldsa/internal.h b/Sources/CNIOBoringSSL/crypto/mldsa/internal.h
new file mode 100644
index 000000000..59844b218
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/mldsa/internal.h
@@ -0,0 +1,73 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_MLDSA_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_MLDSA_INTERNAL_H
+
+#include
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// MLDSA_SIGNATURE_RANDOMIZER_BYTES is the number of bytes of uniformly
+// random entropy necessary to generate a signature in randomized mode.
+#define MLDSA_SIGNATURE_RANDOMIZER_BYTES 32
+
+// MLDSA65_generate_key_external_entropy generates a public/private key pair
+// using the given seed, writes the encoded public key to
+// |out_encoded_public_key| and sets |out_private_key| to the private key.
+// It returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int MLDSA65_generate_key_external_entropy(
+    uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],
+    struct MLDSA65_private_key *out_private_key,
+    const uint8_t entropy[MLDSA_SEED_BYTES]);
+
+// MLDSA65_sign_internal signs |msg| using |private_key| and writes the
+// signature to |out_encoded_signature|. The |context_prefix| and |context| are
+// prefixed to the message, in that order, before signing. The |randomizer|
+// value can be set to zero bytes in order to make a deterministic signature, or
+// else filled with entropy for the usual |MLDSA_sign| behavior. It returns 1 on
+// success and 0 on error.
+OPENSSL_EXPORT int MLDSA65_sign_internal(
+    uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],
+    const struct MLDSA65_private_key *private_key, const uint8_t *msg,
+    size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,
+    const uint8_t *context, size_t context_len,
+    const uint8_t randomizer[MLDSA_SIGNATURE_RANDOMIZER_BYTES]);
+
+// MLDSA65_verify_internal verifies that |encoded_signature| is a valid
+// signature of |msg| by |public_key|. The |context_prefix| and |context| are
+// prefixed to the message before verification, in that order. It returns 1 on
+// success and 0 on error.
+OPENSSL_EXPORT int MLDSA65_verify_internal(
+    const struct MLDSA65_public_key *public_key,
+    const uint8_t encoded_signature[MLDSA65_SIGNATURE_BYTES],
+    const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,
+    size_t context_prefix_len, const uint8_t *context, size_t context_len);
+
+// MLDSA65_marshal_private_key serializes |private_key| to |out| in the
+// NIST format for ML-DSA-65 private keys. It returns 1 on success or 0
+// on allocation error.
+OPENSSL_EXPORT int MLDSA65_marshal_private_key(
+    CBB *out, const struct MLDSA65_private_key *private_key);
+
+
+#if defined(__cplusplus)
+}  // extern C
+#endif
+
+#endif  // OPENSSL_HEADER_CRYPTO_MLDSA_INTERNAL_H
diff --git a/Sources/CNIOBoringSSL/crypto/mldsa/mldsa.c b/Sources/CNIOBoringSSL/crypto/mldsa/mldsa.c
new file mode 100644
index 000000000..d2b91c1b7
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/mldsa/mldsa.c
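Review bot: The `MLDSA65_sign_internal` comment presents the all-zero `randomizer` as a peer of the randomized mode without saying when deterministic signing is appropriate; FIPS 204 makes the hedged (randomized) variant the default and reserves the deterministic one for environments without a usable RNG, since the per-signature randomness is what limits the damage of a weak RNG and makes fault attacks on signing harder. I would add after the existing sentence: `// Deterministic signing is intended for test vectors and RNG-less platforms only; the hedged variant should be used whenever entropy is available, and callers should not treat the two as interchangeable.` The same comment should also state the `|context|` length bound, since FIPS 204 caps the context at 255 bytes and the encoding prepends a one-byte length; whether the public wrappers validate this is not visible here, so the internal function's comment should say whether it expects pre-validated input. Finally, `|MLDSA_sign|` in that sentence presumably means `MLDSA65_sign`, matching every other identifier in this header.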
@@ -0,0 +1,1687 @@ +/* Copyright (c) 2024, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include +#include + +#include +#include +#include + +#include "../internal.h" +#include "../keccak/internal.h" +#include "./internal.h" + +#define DEGREE 256 +#define K 6 +#define L 5 +#define ETA 4 +#define TAU 49 +#define BETA 196 +#define OMEGA 55 + +#define RHO_BYTES 32 +#define SIGMA_BYTES 64 +#define K_BYTES 32 +#define TR_BYTES 64 +#define MU_BYTES 64 +#define RHO_PRIME_BYTES 64 +#define LAMBDA_BITS 192 +#define LAMBDA_BYTES (LAMBDA_BITS / 8) + +// 2^23 - 2^13 + 1 +static const uint32_t kPrime = 8380417; +// Inverse of -kPrime modulo 2^32 +static const uint32_t kPrimeNegInverse = 4236238847; +static const int kDroppedBits = 13; +static const uint32_t kHalfPrime = (8380417 - 1) / 2; +static const uint32_t kGamma1 = 1 << 19; +static const uint32_t kGamma2 = (8380417 - 1) / 32; +// 256^-1 mod kPrime, in Montgomery form. 
+static const uint32_t kInverseDegreeMontgomery = 41978; + +typedef struct scalar { + uint32_t c[DEGREE]; +} scalar; + +typedef struct vectork { + scalar v[K]; +} vectork; + +typedef struct vectorl { + scalar v[L]; +} vectorl; + +typedef struct matrix { + scalar v[K][L]; +} matrix; + +/* Arithmetic */ + +// This bit of Python will be referenced in some of the following comments: +// +// q = 8380417 +// # Inverse of -q modulo 2^32 +// q_neg_inverse = 4236238847 +// # 2^64 modulo q +// montgomery_square = 2365951 +// +// def bitreverse(i): +// ret = 0 +// for n in range(8): +// bit = i & 1 +// ret <<= 1 +// ret |= bit +// i >>= 1 +// return ret +// +// def montgomery_reduce(x): +// a = (x * q_neg_inverse) % 2**32 +// b = x + a * q +// assert b & 0xFFFF_FFFF == 0 +// c = b >> 32 +// assert c < q +// return c +// +// def montgomery_transform(x): +// return montgomery_reduce(x * montgomery_square) + +// kNTTRootsMontgomery = [ +// montgomery_transform(pow(1753, bitreverse(i), q)) for i in range(256) +// ] +static const uint32_t kNTTRootsMontgomery[256] = { + 4193792, 25847, 5771523, 7861508, 237124, 7602457, 7504169, 466468, + 1826347, 2353451, 8021166, 6288512, 3119733, 5495562, 3111497, 2680103, + 2725464, 1024112, 7300517, 3585928, 7830929, 7260833, 2619752, 6271868, + 6262231, 4520680, 6980856, 5102745, 1757237, 8360995, 4010497, 280005, + 2706023, 95776, 3077325, 3530437, 6718724, 4788269, 5842901, 3915439, + 4519302, 5336701, 3574422, 5512770, 3539968, 8079950, 2348700, 7841118, + 6681150, 6736599, 3505694, 4558682, 3507263, 6239768, 6779997, 3699596, + 811944, 531354, 954230, 3881043, 3900724, 5823537, 2071892, 5582638, + 4450022, 6851714, 4702672, 5339162, 6927966, 3475950, 2176455, 6795196, + 7122806, 1939314, 4296819, 7380215, 5190273, 5223087, 4747489, 126922, + 3412210, 7396998, 2147896, 2715295, 5412772, 4686924, 7969390, 5903370, + 7709315, 7151892, 8357436, 7072248, 7998430, 1349076, 1852771, 6949987, + 5037034, 264944, 508951, 3097992, 44288, 7280319, 
904516, 3958618, + 4656075, 8371839, 1653064, 5130689, 2389356, 8169440, 759969, 7063561, + 189548, 4827145, 3159746, 6529015, 5971092, 8202977, 1315589, 1341330, + 1285669, 6795489, 7567685, 6940675, 5361315, 4499357, 4751448, 3839961, + 2091667, 3407706, 2316500, 3817976, 5037939, 2244091, 5933984, 4817955, + 266997, 2434439, 7144689, 3513181, 4860065, 4621053, 7183191, 5187039, + 900702, 1859098, 909542, 819034, 495491, 6767243, 8337157, 7857917, + 7725090, 5257975, 2031748, 3207046, 4823422, 7855319, 7611795, 4784579, + 342297, 286988, 5942594, 4108315, 3437287, 5038140, 1735879, 203044, + 2842341, 2691481, 5790267, 1265009, 4055324, 1247620, 2486353, 1595974, + 4613401, 1250494, 2635921, 4832145, 5386378, 1869119, 1903435, 7329447, + 7047359, 1237275, 5062207, 6950192, 7929317, 1312455, 3306115, 6417775, + 7100756, 1917081, 5834105, 7005614, 1500165, 777191, 2235880, 3406031, + 7838005, 5548557, 6709241, 6533464, 5796124, 4656147, 594136, 4603424, + 6366809, 2432395, 2454455, 8215696, 1957272, 3369112, 185531, 7173032, + 5196991, 162844, 1616392, 3014001, 810149, 1652634, 4686184, 6581310, + 5341501, 3523897, 3866901, 269760, 2213111, 7404533, 1717735, 472078, + 7953734, 1723600, 6577327, 1910376, 6712985, 7276084, 8119771, 4546524, + 5441381, 6144432, 7959518, 6094090, 183443, 7403526, 1612842, 4834730, + 7826001, 3919660, 8332111, 7018208, 3937738, 1400424, 7534263, 1976782}; + +// Reduces x mod kPrime in constant time, where 0 <= x < 2*kPrime. +static uint32_t reduce_once(uint32_t x) { + declassify_assert(x < 2 * kPrime); + // return x < kPrime ? x : x - kPrime; + return constant_time_select_int(constant_time_lt_w(x, kPrime), x, x - kPrime); +} + +// Returns the absolute value in constant time. +static uint32_t abs_signed(uint32_t x) { + // return is_positive(x) ? 
x : -x; + // Note: MSVC doesn't like applying the unary minus operator to unsigned types + // (warning C4146), so we write the negation as a bitwise not plus one + // (assuming two's complement representation). + return constant_time_select_int(constant_time_lt_w(x, 0x80000000), x, 0u - x); +} + +// Returns the absolute value modulo kPrime. +static uint32_t abs_mod_prime(uint32_t x) { + declassify_assert(x < kPrime); + // return x > kHalfPrime ? kPrime - x : x; + return constant_time_select_int(constant_time_lt_w(kHalfPrime, x), kPrime - x, + x); +} + +// Returns the maximum of two values in constant time. +static uint32_t maximum(uint32_t x, uint32_t y) { + // return x < y ? y : x; + return constant_time_select_int(constant_time_lt_w(x, y), y, x); +} + +static uint32_t mod_sub(uint32_t a, uint32_t b) { + declassify_assert(a < kPrime); + declassify_assert(b < kPrime); + return reduce_once(kPrime + a - b); +} + +static void scalar_add(scalar *out, const scalar *lhs, const scalar *rhs) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = reduce_once(lhs->c[i] + rhs->c[i]); + } +} + +static void scalar_sub(scalar *out, const scalar *lhs, const scalar *rhs) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = mod_sub(lhs->c[i], rhs->c[i]); + } +} + +static uint32_t reduce_montgomery(uint64_t x) { + declassify_assert(x <= ((uint64_t)kPrime << 32)); + uint64_t a = (uint32_t)x * kPrimeNegInverse; + uint64_t b = x + a * kPrime; + declassify_assert((b & 0xffffffff) == 0); + uint32_t c = b >> 32; + return reduce_once(c); +} + +// Multiply two scalars in the number theoretically transformed state. +static void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = reduce_montgomery((uint64_t)lhs->c[i] * (uint64_t)rhs->c[i]); + } +} + +// In place number theoretic transform of a given scalar. +// +// FIPS 204, Algorithm 41 (`NTT`). 
+static void scalar_ntt(scalar *s) { + // Step: 1, 2, 4, 8, ..., 128 + // Offset: 128, 64, 32, 16, ..., 1 + int offset = DEGREE; + for (int step = 1; step < DEGREE; step <<= 1) { + offset >>= 1; + int k = 0; + for (int i = 0; i < step; i++) { + assert(k == 2 * offset * i); + const uint32_t step_root = kNTTRootsMontgomery[step + i]; + for (int j = k; j < k + offset; j++) { + uint32_t even = s->c[j]; + // |reduce_montgomery| works on values up to kPrime*R and R > 2*kPrime. + // |step_root| < kPrime because it's static data. |s->c[...]| is < + // kPrime by the invariants of that struct. + uint32_t odd = + reduce_montgomery((uint64_t)step_root * (uint64_t)s->c[j + offset]); + s->c[j] = reduce_once(odd + even); + s->c[j + offset] = mod_sub(even, odd); + } + k += 2 * offset; + } + } +} + +// In place inverse number theoretic transform of a given scalar. +// +// FIPS 204, Algorithm 42 (`NTT^-1`). +static void scalar_inverse_ntt(scalar *s) { + // Step: 128, 64, 32, 16, ..., 1 + // Offset: 1, 2, 4, 8, ..., 128 + int step = DEGREE; + for (int offset = 1; offset < DEGREE; offset <<= 1) { + step >>= 1; + int k = 0; + for (int i = 0; i < step; i++) { + assert(k == 2 * offset * i); + const uint32_t step_root = + kPrime - kNTTRootsMontgomery[step + (step - 1 - i)]; + for (int j = k; j < k + offset; j++) { + uint32_t even = s->c[j]; + uint32_t odd = s->c[j + offset]; + s->c[j] = reduce_once(odd + even); + + // |reduce_montgomery| works on values up to kPrime*R and R > 2*kPrime. + // kPrime + even < 2*kPrime because |even| < kPrime, by the invariants + // of that structure. Thus kPrime + even - odd < 2*kPrime because odd >= + // 0, because it's unsigned and less than kPrime. Lastly step_root < + // kPrime, because |kNTTRootsMontgomery| is static data. 
+ s->c[j + offset] = reduce_montgomery((uint64_t)step_root * + (uint64_t)(kPrime + even - odd)); + } + k += 2 * offset; + } + } + for (int i = 0; i < DEGREE; i++) { + s->c[i] = reduce_montgomery((uint64_t)s->c[i] * + (uint64_t)kInverseDegreeMontgomery); + } +} + +static void vectork_zero(vectork *out) { OPENSSL_memset(out, 0, sizeof(*out)); } + +static void vectork_add(vectork *out, const vectork *lhs, const vectork *rhs) { + for (int i = 0; i < K; i++) { + scalar_add(&out->v[i], &lhs->v[i], &rhs->v[i]); + } +} + +static void vectork_sub(vectork *out, const vectork *lhs, const vectork *rhs) { + for (int i = 0; i < K; i++) { + scalar_sub(&out->v[i], &lhs->v[i], &rhs->v[i]); + } +} + +static void vectork_mult_scalar(vectork *out, const vectork *lhs, + const scalar *rhs) { + for (int i = 0; i < K; i++) { + scalar_mult(&out->v[i], &lhs->v[i], rhs); + } +} + +static void vectork_ntt(vectork *a) { + for (int i = 0; i < K; i++) { + scalar_ntt(&a->v[i]); + } +} + +static void vectork_inverse_ntt(vectork *a) { + for (int i = 0; i < K; i++) { + scalar_inverse_ntt(&a->v[i]); + } +} + +static void vectorl_add(vectorl *out, const vectorl *lhs, const vectorl *rhs) { + for (int i = 0; i < L; i++) { + scalar_add(&out->v[i], &lhs->v[i], &rhs->v[i]); + } +} + +static void vectorl_mult_scalar(vectorl *out, const vectorl *lhs, + const scalar *rhs) { + for (int i = 0; i < L; i++) { + scalar_mult(&out->v[i], &lhs->v[i], rhs); + } +} + +static void vectorl_ntt(vectorl *a) { + for (int i = 0; i < L; i++) { + scalar_ntt(&a->v[i]); + } +} + +static void vectorl_inverse_ntt(vectorl *a) { + for (int i = 0; i < L; i++) { + scalar_inverse_ntt(&a->v[i]); + } +} + +static void matrix_mult(vectork *out, const matrix *m, const vectorl *a) { + vectork_zero(out); + for (int i = 0; i < K; i++) { + for (int j = 0; j < L; j++) { + scalar product; + scalar_mult(&product, &m->v[i][j], &a->v[j]); + scalar_add(&out->v[i], &out->v[i], &product); + } + } +} + +/* Rounding & hints */ + +// FIPS 204, Algorithm 
35 (`Power2Round`). +static void power2_round(uint32_t *r1, uint32_t *r0, uint32_t r) { + *r1 = r >> kDroppedBits; + *r0 = r - (*r1 << kDroppedBits); + + uint32_t r0_adjusted = mod_sub(*r0, 1 << kDroppedBits); + uint32_t r1_adjusted = *r1 + 1; + + // Mask is set iff r0 > 2^(dropped_bits - 1). + crypto_word_t mask = + constant_time_lt_w((uint32_t)(1 << (kDroppedBits - 1)), *r0); + // r0 = mask ? r0_adjusted : r0 + *r0 = constant_time_select_int(mask, r0_adjusted, *r0); + // r1 = mask ? r1_adjusted : r1 + *r1 = constant_time_select_int(mask, r1_adjusted, *r1); +} + +// Scale back previously rounded value. +static void scale_power2_round(uint32_t *out, uint32_t r1) { + // Pre-condition: 0 <= r1 <= 2^10 - 1 + assert(r1 < (1u << 10)); + + *out = r1 << kDroppedBits; + + // Post-condition: 0 <= out <= 2^23 - 2^13 = kPrime - 1 + assert(*out < kPrime); +} + +// FIPS 204, Algorithm 37 (`HighBits`). +static uint32_t high_bits(uint32_t x) { + // Reference description (given 0 <= x < q): + // + // ``` + // int32_t r0 = x mod+- (2 * kGamma2); + // if (x - r0 == q - 1) { + // return 0; + // } else { + // return (x - r0) / (2 * kGamma2); + // } + // ``` + // + // Below is the formula taken from the reference implementation. + // + // Here, kGamma2 == 2^18 - 2^8 + // This returns ((ceil(x / 2^7) * (2^10 + 1) + 2^21) / 2^22) mod 2^4 + uint32_t r1 = (x + 127) >> 7; + r1 = (r1 * 1025 + (1 << 21)) >> 22; + r1 &= 15; + return r1; +} + +// FIPS 204, Algorithm 36 (`Decompose`). +static void decompose(uint32_t *r1, int32_t *r0, uint32_t r) { + *r1 = high_bits(r); + + *r0 = r; + *r0 -= *r1 * 2 * (int32_t)kGamma2; + *r0 -= (((int32_t)kHalfPrime - *r0) >> 31) & (int32_t)kPrime; +} + +// FIPS 204, Algorithm 38 (`LowBits`). +static int32_t low_bits(uint32_t x) { + uint32_t r1; + int32_t r0; + decompose(&r1, &r0, x); + return r0; +} + +// FIPS 204, Algorithm 39 (`MakeHint`). 
+// +// In the spec this takes two arguments, z and r, and is called with +// z = -ct0 +// r = w - cs2 + ct0 +// +// It then computes HighBits (algorithm 37) of z and z+r. But z+r is just w - +// cs2, so this takes three arguments and saves an addition. +static int32_t make_hint(uint32_t ct0, uint32_t cs2, uint32_t w) { + uint32_t r_plus_z = mod_sub(w, cs2); + uint32_t r = reduce_once(r_plus_z + ct0); + return high_bits(r) != high_bits(r_plus_z); +} + +// FIPS 204, Algorithm 40 (`UseHint`). +static uint32_t use_hint_vartime(uint32_t h, uint32_t r) { + uint32_t r1; + int32_t r0; + decompose(&r1, &r0, r); + + if (h) { + if (r0 > 0) { + // m = 16, thus |mod m| in the spec turns into |& 15|. + return (r1 + 1) & 15; + } else { + return (r1 - 1) & 15; + } + } + return r1; +} + +static void scalar_power2_round(scalar *s1, scalar *s0, const scalar *s) { + for (int i = 0; i < DEGREE; i++) { + power2_round(&s1->c[i], &s0->c[i], s->c[i]); + } +} + +static void scalar_scale_power2_round(scalar *out, const scalar *in) { + for (int i = 0; i < DEGREE; i++) { + scale_power2_round(&out->c[i], in->c[i]); + } +} + +static void scalar_high_bits(scalar *out, const scalar *in) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = high_bits(in->c[i]); + } +} + +static void scalar_low_bits(scalar *out, const scalar *in) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = low_bits(in->c[i]); + } +} + +static void scalar_max(uint32_t *max, const scalar *s) { + for (int i = 0; i < DEGREE; i++) { + uint32_t abs = abs_mod_prime(s->c[i]); + *max = maximum(*max, abs); + } +} + +static void scalar_max_signed(uint32_t *max, const scalar *s) { + for (int i = 0; i < DEGREE; i++) { + uint32_t abs = abs_signed(s->c[i]); + *max = maximum(*max, abs); + } +} + +static void scalar_make_hint(scalar *out, const scalar *ct0, const scalar *cs2, + const scalar *w) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = make_hint(ct0->c[i], cs2->c[i], w->c[i]); + } +} + +static void scalar_use_hint_vartime(scalar 
*out, const scalar *h, + const scalar *r) { + for (int i = 0; i < DEGREE; i++) { + out->c[i] = use_hint_vartime(h->c[i], r->c[i]); + } +} + +static void vectork_power2_round(vectork *t1, vectork *t0, const vectork *t) { + for (int i = 0; i < K; i++) { + scalar_power2_round(&t1->v[i], &t0->v[i], &t->v[i]); + } +} + +static void vectork_scale_power2_round(vectork *out, const vectork *in) { + for (int i = 0; i < K; i++) { + scalar_scale_power2_round(&out->v[i], &in->v[i]); + } +} + +static void vectork_high_bits(vectork *out, const vectork *in) { + for (int i = 0; i < K; i++) { + scalar_high_bits(&out->v[i], &in->v[i]); + } +} + +static void vectork_low_bits(vectork *out, const vectork *in) { + for (int i = 0; i < K; i++) { + scalar_low_bits(&out->v[i], &in->v[i]); + } +} + +static uint32_t vectork_max(const vectork *a) { + uint32_t max = 0; + for (int i = 0; i < K; i++) { + scalar_max(&max, &a->v[i]); + } + return max; +} + +static uint32_t vectork_max_signed(const vectork *a) { + uint32_t max = 0; + for (int i = 0; i < K; i++) { + scalar_max_signed(&max, &a->v[i]); + } + return max; +} + +// The input vector contains only zeroes and ones. +static size_t vectork_count_ones(const vectork *a) { + size_t count = 0; + for (int i = 0; i < K; i++) { + for (int j = 0; j < DEGREE; j++) { + count += a->v[i].c[j]; + } + } + return count; +} + +static void vectork_make_hint(vectork *out, const vectork *ct0, + const vectork *cs2, const vectork *w) { + for (int i = 0; i < K; i++) { + scalar_make_hint(&out->v[i], &ct0->v[i], &cs2->v[i], &w->v[i]); + } +} + +static void vectork_use_hint_vartime(vectork *out, const vectork *h, + const vectork *r) { + for (int i = 0; i < K; i++) { + scalar_use_hint_vartime(&out->v[i], &h->v[i], &r->v[i]); + } +} + +static uint32_t vectorl_max(const vectorl *a) { + uint32_t max = 0; + for (int i = 0; i < L; i++) { + scalar_max(&max, &a->v[i]); + } + return max; +} + +/* Bit packing */ + +// FIPS 204, Algorithm 16 (`SimpleBitPack`). 
Specialized to bitlen(b) = 4. +static void scalar_encode_4(uint8_t out[128], const scalar *s) { + // Every two elements lands on a byte boundary. + static_assert(DEGREE % 2 == 0, "DEGREE must be a multiple of 2"); + for (int i = 0; i < DEGREE / 2; i++) { + uint32_t a = s->c[2 * i]; + uint32_t b = s->c[2 * i + 1]; + declassify_assert(a < 16); + declassify_assert(b < 16); + out[i] = a | (b << 4); + } +} + +// FIPS 204, Algorithm 16 (`SimpleBitPack`). Specialized to bitlen(b) = 10. +static void scalar_encode_10(uint8_t out[320], const scalar *s) { + // Every four elements lands on a byte boundary. + static_assert(DEGREE % 4 == 0, "DEGREE must be a multiple of 4"); + for (int i = 0; i < DEGREE / 4; i++) { + uint32_t a = s->c[4 * i]; + uint32_t b = s->c[4 * i + 1]; + uint32_t c = s->c[4 * i + 2]; + uint32_t d = s->c[4 * i + 3]; + declassify_assert(a < 1024); + declassify_assert(b < 1024); + declassify_assert(c < 1024); + declassify_assert(d < 1024); + out[5 * i] = (uint8_t)a; + out[5 * i + 1] = (uint8_t)((a >> 8) | (b << 2)); + out[5 * i + 2] = (uint8_t)((b >> 6) | (c << 4)); + out[5 * i + 3] = (uint8_t)((c >> 4) | (d << 6)); + out[5 * i + 4] = (uint8_t)(d >> 2); + } +} + +// FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(b) = 4 and b = +// 2^19. +static void scalar_encode_signed_4_eta(uint8_t out[128], const scalar *s) { + // Every two elements lands on a byte boundary. + static_assert(DEGREE % 2 == 0, "DEGREE must be a multiple of 2"); + for (int i = 0; i < DEGREE / 2; i++) { + uint32_t a = mod_sub(ETA, s->c[2 * i]); + uint32_t b = mod_sub(ETA, s->c[2 * i + 1]); + declassify_assert(a < 16); + declassify_assert(b < 16); + out[i] = a | (b << 4); + } +} + +// FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(b) = 13 and b = +// 2^12. +static void scalar_encode_signed_13_12(uint8_t out[416], const scalar *s) { + static const uint32_t kMax = 1u << 12; + // Every two elements lands on a byte boundary. 
+ static_assert(DEGREE % 8 == 0, "DEGREE must be a multiple of 8"); + for (int i = 0; i < DEGREE / 8; i++) { + uint32_t a = mod_sub(kMax, s->c[8 * i]); + uint32_t b = mod_sub(kMax, s->c[8 * i + 1]); + uint32_t c = mod_sub(kMax, s->c[8 * i + 2]); + uint32_t d = mod_sub(kMax, s->c[8 * i + 3]); + uint32_t e = mod_sub(kMax, s->c[8 * i + 4]); + uint32_t f = mod_sub(kMax, s->c[8 * i + 5]); + uint32_t g = mod_sub(kMax, s->c[8 * i + 6]); + uint32_t h = mod_sub(kMax, s->c[8 * i + 7]); + declassify_assert(a < (1u << 13)); + declassify_assert(b < (1u << 13)); + declassify_assert(c < (1u << 13)); + declassify_assert(d < (1u << 13)); + declassify_assert(e < (1u << 13)); + declassify_assert(f < (1u << 13)); + declassify_assert(g < (1u << 13)); + declassify_assert(h < (1u << 13)); + a |= b << 13; + a |= c << 26; + c >>= 6; + c |= d << 7; + c |= e << 20; + e >>= 12; + e |= f << 1; + e |= g << 14; + e |= h << 27; + h >>= 5; + OPENSSL_memcpy(&out[13 * i], &a, sizeof(a)); + OPENSSL_memcpy(&out[13 * i + 4], &c, sizeof(c)); + OPENSSL_memcpy(&out[13 * i + 8], &e, sizeof(e)); + OPENSSL_memcpy(&out[13 * i + 12], &h, 1); + } +} + +// FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(b) = 20 and b = +// 2^19. +static void scalar_encode_signed_20_19(uint8_t out[640], const scalar *s) { + static const uint32_t kMax = 1u << 19; + // Every two elements lands on a byte boundary. 
+ static_assert(DEGREE % 4 == 0, "DEGREE must be a multiple of 4"); + for (int i = 0; i < DEGREE / 4; i++) { + uint32_t a = mod_sub(kMax, s->c[4 * i]); + uint32_t b = mod_sub(kMax, s->c[4 * i + 1]); + uint32_t c = mod_sub(kMax, s->c[4 * i + 2]); + uint32_t d = mod_sub(kMax, s->c[4 * i + 3]); + declassify_assert(a < (1u << 20)); + declassify_assert(b < (1u << 20)); + declassify_assert(c < (1u << 20)); + declassify_assert(d < (1u << 20)); + a |= b << 20; + b >>= 12; + b |= c << 8; + b |= d << 28; + d >>= 4; + OPENSSL_memcpy(&out[10 * i], &a, sizeof(a)); + OPENSSL_memcpy(&out[10 * i + 4], &b, sizeof(b)); + OPENSSL_memcpy(&out[10 * i + 8], &d, 2); + } +} + +// FIPS 204, Algorithm 17 (`BitPack`). +static void scalar_encode_signed(uint8_t *out, const scalar *s, int bits, + uint32_t max) { + if (bits == 4) { + assert(max == ETA); + scalar_encode_signed_4_eta(out, s); + } else if (bits == 20) { + assert(max == 1u << 19); + scalar_encode_signed_20_19(out, s); + } else { + assert(bits == 13); + assert(max == 1u << 12); + scalar_encode_signed_13_12(out, s); + } +} + +// FIPS 204, Algorithm 18 (`SimpleBitUnpack`). Specialized for bitlen(b) == 10. +static void scalar_decode_10(scalar *out, const uint8_t in[320]) { + uint32_t v; + static_assert(DEGREE % 4 == 0, "DEGREE must be a multiple of 4"); + for (int i = 0; i < DEGREE / 4; i++) { + OPENSSL_memcpy(&v, &in[5 * i], sizeof(v)); + out->c[4 * i] = v & 0x3ff; + out->c[4 * i + 1] = (v >> 10) & 0x3ff; + out->c[4 * i + 2] = (v >> 20) & 0x3ff; + out->c[4 * i + 3] = (v >> 30) | (((uint32_t)in[5 * i + 4]) << 2); + } +} + +// FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 4 and b = +// eta. +static int scalar_decode_signed_4_eta(scalar *out, const uint8_t in[128]) { + uint32_t v; + static_assert(DEGREE % 8 == 0, "DEGREE must be a multiple of 8"); + for (int i = 0; i < DEGREE / 8; i++) { + OPENSSL_memcpy(&v, &in[4 * i], sizeof(v)); + static_assert(ETA == 4, "ETA must be 4"); + // None of the nibbles may be >= 9. 
So if the MSB of any nibble is set, none + // of the other bits may be set. First, select all the MSBs. + const uint32_t msbs = v & 0x88888888u; + // For each nibble where the MSB is set, form a mask of all the other bits. + const uint32_t mask = (msbs >> 1) | (msbs >> 2) | (msbs >> 3); + // A nibble is only out of range in the case of invalid input, in which case + // it is okay to leak the value. + if (constant_time_declassify_int((mask & v) != 0)) { + return 0; + } + + out->c[i * 8] = mod_sub(ETA, v & 15); + out->c[i * 8 + 1] = mod_sub(ETA, (v >> 4) & 15); + out->c[i * 8 + 2] = mod_sub(ETA, (v >> 8) & 15); + out->c[i * 8 + 3] = mod_sub(ETA, (v >> 12) & 15); + out->c[i * 8 + 4] = mod_sub(ETA, (v >> 16) & 15); + out->c[i * 8 + 5] = mod_sub(ETA, (v >> 20) & 15); + out->c[i * 8 + 6] = mod_sub(ETA, (v >> 24) & 15); + out->c[i * 8 + 7] = mod_sub(ETA, v >> 28); + } + return 1; +} + +// FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 13 and b = +// 2^12. +static void scalar_decode_signed_13_12(scalar *out, const uint8_t in[416]) { + static const uint32_t kMax = 1u << 12; + static const uint32_t k13Bits = (1u << 13) - 1; + static const uint32_t k7Bits = (1u << 7) - 1; + + uint32_t a, b, c; + uint8_t d; + static_assert(DEGREE % 8 == 0, "DEGREE must be a multiple of 8"); + for (int i = 0; i < DEGREE / 8; i++) { + OPENSSL_memcpy(&a, &in[13 * i], sizeof(a)); + OPENSSL_memcpy(&b, &in[13 * i + 4], sizeof(b)); + OPENSSL_memcpy(&c, &in[13 * i + 8], sizeof(c)); + d = in[13 * i + 12]; + + // It's not possible for a 13-bit number to be out of range when the max is + // 2^12. 
+ out->c[i * 8] = mod_sub(kMax, a & k13Bits); + out->c[i * 8 + 1] = mod_sub(kMax, (a >> 13) & k13Bits); + out->c[i * 8 + 2] = mod_sub(kMax, (a >> 26) | ((b & k7Bits) << 6)); + out->c[i * 8 + 3] = mod_sub(kMax, (b >> 7) & k13Bits); + out->c[i * 8 + 4] = mod_sub(kMax, (b >> 20) | ((c & 1) << 12)); + out->c[i * 8 + 5] = mod_sub(kMax, (c >> 1) & k13Bits); + out->c[i * 8 + 6] = mod_sub(kMax, (c >> 14) & k13Bits); + out->c[i * 8 + 7] = mod_sub(kMax, (c >> 27) | ((uint32_t)d) << 5); + } +} + +// FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 20 and b = +// 2^19. +static void scalar_decode_signed_20_19(scalar *out, const uint8_t in[640]) { + static const uint32_t kMax = 1u << 19; + static const uint32_t k20Bits = (1u << 20) - 1; + + uint32_t a, b; + uint16_t c; + static_assert(DEGREE % 4 == 0, "DEGREE must be a multiple of 4"); + for (int i = 0; i < DEGREE / 4; i++) { + OPENSSL_memcpy(&a, &in[10 * i], sizeof(a)); + OPENSSL_memcpy(&b, &in[10 * i + 4], sizeof(b)); + OPENSSL_memcpy(&c, &in[10 * i + 8], sizeof(c)); + + // It's not possible for a 20-bit number to be out of range when the max is + // 2^19. + out->c[i * 4] = mod_sub(kMax, a & k20Bits); + out->c[i * 4 + 1] = mod_sub(kMax, (a >> 20) | ((b & 0xff) << 12)); + out->c[i * 4 + 2] = mod_sub(kMax, (b >> 8) & k20Bits); + out->c[i * 4 + 3] = mod_sub(kMax, (b >> 28) | ((uint32_t)c) << 4); + } +} + +// FIPS 204, Algorithm 19 (`BitUnpack`). +static int scalar_decode_signed(scalar *out, const uint8_t *in, int bits, + uint32_t max) { + if (bits == 4) { + assert(max == ETA); + return scalar_decode_signed_4_eta(out, in); + } else if (bits == 13) { + assert(max == (1u << 12)); + scalar_decode_signed_13_12(out, in); + return 1; + } else if (bits == 20) { + assert(max == (1u << 19)); + scalar_decode_signed_20_19(out, in); + return 1; + } else { + abort(); + } +} + +/* Expansion functions */ + +// FIPS 204, Algorithm 30 (`RejNTTPoly`). +// +// Rejection samples a Keccak stream to get uniformly distributed elements. 
This +// is used for matrix expansion and only operates on public inputs. +static void scalar_from_keccak_vartime( + scalar *out, const uint8_t derived_seed[RHO_BYTES + 2]) { + struct BORINGSSL_keccak_st keccak_ctx; + BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128); + BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, RHO_BYTES + 2); + assert(keccak_ctx.squeeze_offset == 0); + assert(keccak_ctx.rate_bytes == 168); + static_assert(168 % 3 == 0, "block and coefficient boundaries do not align"); + + int done = 0; + while (done < DEGREE) { + uint8_t block[168]; + BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block)); + for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) { + // FIPS 204, Algorithm 14 (`CoeffFromThreeBytes`). + uint32_t value = (uint32_t)block[i] | ((uint32_t)block[i + 1] << 8) | + (((uint32_t)block[i + 2] & 0x7f) << 16); + if (value < kPrime) { + out->c[done++] = value; + } + } + } +} + +// FIPS 204, Algorithm 31 (`RejBoundedPoly`). +static void scalar_uniform_eta_4(scalar *out, + const uint8_t derived_seed[SIGMA_BYTES + 2]) { + static_assert(ETA == 4, "This implementation is specialized for ETA == 4"); + + struct BORINGSSL_keccak_st keccak_ctx; + BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256); + BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, SIGMA_BYTES + 2); + assert(keccak_ctx.squeeze_offset == 0); + assert(keccak_ctx.rate_bytes == 136); + + int done = 0; + while (done < DEGREE) { + uint8_t block[136]; + BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block)); + for (size_t i = 0; i < sizeof(block) && done < DEGREE; ++i) { + uint32_t t0 = block[i] & 0x0F; + uint32_t t1 = block[i] >> 4; + // FIPS 204, Algorithm 15 (`CoefFromHalfByte`). Although both the input + // and output here are secret, it is OK to leak when we rejected a byte. 
+ // Individual bytes of the SHAKE-256 stream are (indistiguishable from)
+ // independent of each other and the original seed, so leaking information
+ // about the rejected bytes does not reveal the input or output.
+ if (constant_time_declassify_int(t0 < 9)) {
+ out->c[done++] = mod_sub(ETA, t0);
+ }
+ if (done < DEGREE && constant_time_declassify_int(t1 < 9)) {
+ out->c[done++] = mod_sub(ETA, t1);
+ }
+ }
+ }
+}
+
+// FIPS 204, Algorithm 34 (`ExpandMask`), but just a single step.
+static void scalar_sample_mask(
+ scalar *out, const uint8_t derived_seed[RHO_PRIME_BYTES + 2]) {
+ uint8_t buf[640];
+ BORINGSSL_keccak(buf, sizeof(buf), derived_seed, RHO_PRIME_BYTES + 2,
+ boringssl_shake256);
+
+ scalar_decode_signed_20_19(out, buf);
+}
+
+// FIPS 204, Algorithm 29 (`SampleInBall`).
+static void scalar_sample_in_ball_vartime(scalar *out, const uint8_t *seed,
+ int len) {
+ assert(len == 2 * LAMBDA_BYTES);
+
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, seed, len);
+ assert(keccak_ctx.squeeze_offset == 0);
+ assert(keccak_ctx.rate_bytes == 136);
+
+ uint8_t block[136];
+ BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));
+
+ uint64_t signs = CRYPTO_load_u64_le(block);
+ int offset = 8;
+ // SampleInBall implements a Fisher–Yates shuffle, which unavoidably leaks
+ // where the zeros are by memory access pattern. Although this leak happens
+ // before bad signatures are rejected, this is safe. See
+ // https://boringssl-review.googlesource.com/c/boringssl/+/67747/comment/8d8f01ac_70af3f21/
+ CONSTTIME_DECLASSIFY(block + offset, sizeof(block) - offset);
+
+ OPENSSL_memset(out, 0, sizeof(*out));
+ for (size_t i = DEGREE - TAU; i < DEGREE; i++) {
+ size_t byte;
+ for (;;) {
+ if (offset == 136) {
+ BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block));
+ // See above.
+ CONSTTIME_DECLASSIFY(block, sizeof(block));
+ offset = 0;
+ }
+
+ byte = block[offset++];
+ if (byte <= i) {
+ break;
+ }
+ }
+
+ out->c[i] = out->c[byte];
+ out->c[byte] = mod_sub(1, 2 * (signs & 1));
+ signs >>= 1;
+ }
+}
+
+// FIPS 204, Algorithm 32 (`ExpandA`).
+static void matrix_expand(matrix *out, const uint8_t rho[RHO_BYTES]) {
+ static_assert(K <= 0x100, "K must fit in 8 bits");
+ static_assert(L <= 0x100, "L must fit in 8 bits");
+
+ uint8_t derived_seed[RHO_BYTES + 2];
+ OPENSSL_memcpy(derived_seed, rho, RHO_BYTES);
+ for (int i = 0; i < K; i++) {
+ for (int j = 0; j < L; j++) {
+ derived_seed[RHO_BYTES + 1] = (uint8_t)i;
+ derived_seed[RHO_BYTES] = (uint8_t)j;
+ scalar_from_keccak_vartime(&out->v[i][j], derived_seed);
+ }
+ }
+}
+
+// FIPS 204, Algorithm 33 (`ExpandS`).
+static void vector_expand_short(vectorl *s1, vectork *s2,
+ const uint8_t sigma[SIGMA_BYTES]) {
+ static_assert(K <= 0x100, "K must fit in 8 bits");
+ static_assert(L <= 0x100, "L must fit in 8 bits");
+ static_assert(K + L <= 0x100, "K+L must fit in 8 bits");
+
+ uint8_t derived_seed[SIGMA_BYTES + 2];
+ OPENSSL_memcpy(derived_seed, sigma, SIGMA_BYTES);
+ derived_seed[SIGMA_BYTES] = 0;
+ derived_seed[SIGMA_BYTES + 1] = 0;
+ for (int i = 0; i < L; i++) {
+ scalar_uniform_eta_4(&s1->v[i], derived_seed);
+ ++derived_seed[SIGMA_BYTES];
+ }
+ for (int i = 0; i < K; i++) {
+ scalar_uniform_eta_4(&s2->v[i], derived_seed);
+ ++derived_seed[SIGMA_BYTES];
+ }
+}
+
+// FIPS 204, Algorithm 34 (`ExpandMask`).
+static void vectorl_expand_mask(vectorl *out,
+ const uint8_t seed[RHO_PRIME_BYTES],
+ size_t kappa) {
+ assert(kappa + L <= 0x10000);
+
+ uint8_t derived_seed[RHO_PRIME_BYTES + 2];
+ OPENSSL_memcpy(derived_seed, seed, RHO_PRIME_BYTES);
+ for (int i = 0; i < L; i++) {
+ size_t index = kappa + i;
+ derived_seed[RHO_PRIME_BYTES] = index & 0xFF;
+ derived_seed[RHO_PRIME_BYTES + 1] = (index >> 8) & 0xFF;
+ scalar_sample_mask(&out->v[i], derived_seed);
+ }
+}
+
+/* Encoding */
+
+// FIPS 204, Algorithm 16 (`SimpleBitPack`).
+//
+// Encodes an entire vector into 32*K*|bits| bytes. Note that since 256 (DEGREE)
+// is divisible by 8, the individual vector entries will always fill a whole
+// number of bytes, so we do not need to worry about bit packing here.
+static void vectork_encode(uint8_t *out, const vectork *a, int bits) {
+ if (bits == 4) {
+ for (int i = 0; i < K; i++) {
+ scalar_encode_4(out + i * bits * DEGREE / 8, &a->v[i]);
+ }
+ } else {
+ assert(bits == 10);
+ for (int i = 0; i < K; i++) {
+ scalar_encode_10(out + i * bits * DEGREE / 8, &a->v[i]);
+ }
+ }
+}
+
+// FIPS 204, Algorithm 18 (`SimpleBitUnpack`).
+static void vectork_decode_10(vectork *out, const uint8_t *in) {
+ for (int i = 0; i < K; i++) {
+ scalar_decode_10(&out->v[i], in + i * 10 * DEGREE / 8);
+ }
+}
+
+static void vectork_encode_signed(uint8_t *out, const vectork *a, int bits,
+ uint32_t max) {
+ for (int i = 0; i < K; i++) {
+ scalar_encode_signed(out + i * bits * DEGREE / 8, &a->v[i], bits, max);
+ }
+}
+
+static int vectork_decode_signed(vectork *out, const uint8_t *in, int bits,
+ uint32_t max) {
+ for (int i = 0; i < K; i++) {
+ if (!scalar_decode_signed(&out->v[i], in + i * bits * DEGREE / 8, bits,
+ max)) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+// FIPS 204, Algorithm 17 (`BitPack`).
+//
+// Encodes an entire vector into 32*L*|bits| bytes. Note that since 256 (DEGREE)
+// is divisible by 8, the individual vector entries will always fill a whole
+// number of bytes, so we do not need to worry about bit packing here.
+static void vectorl_encode_signed(uint8_t *out, const vectorl *a, int bits,
+ uint32_t max) {
+ for (int i = 0; i < L; i++) {
+ scalar_encode_signed(out + i * bits * DEGREE / 8, &a->v[i], bits, max);
+ }
+}
+
+static int vectorl_decode_signed(vectorl *out, const uint8_t *in, int bits,
+ uint32_t max) {
+ for (int i = 0; i < L; i++) {
+ if (!scalar_decode_signed(&out->v[i], in + i * bits * DEGREE / 8, bits,
+ max)) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+// FIPS 204, Algorithm 28 (`w1Encode`).
+static void w1_encode(uint8_t out[128 * K], const vectork *w1) {
+ vectork_encode(out, w1, 4);
+}
+
+// FIPS 204, Algorithm 20 (`HintBitPack`).
+static void hint_bit_pack(uint8_t out[OMEGA + K], const vectork *h) {
+ OPENSSL_memset(out, 0, OMEGA + K);
+ int index = 0;
+ for (int i = 0; i < K; i++) {
+ for (int j = 0; j < DEGREE; j++) {
+ if (h->v[i].c[j]) {
+ // h must have at most OMEGA non-zero coefficients.
+ BSSL_CHECK(index < OMEGA);
+ out[index++] = j;
+ }
+ }
+ out[OMEGA + i] = index;
+ }
+}
+
+// FIPS 204, Algorithm 21 (`HintBitUnpack`).
+static int hint_bit_unpack(vectork *h, const uint8_t in[OMEGA + K]) {
+ vectork_zero(h);
+ int index = 0;
+ for (int i = 0; i < K; i++) {
+ const int limit = in[OMEGA + i];
+ if (limit < index || limit > OMEGA) {
+ return 0;
+ }
+
+ int last = -1;
+ while (index < limit) {
+ int byte = in[index++];
+ if (last >= 0 && byte <= last) {
+ return 0;
+ }
+ last = byte;
+ static_assert(DEGREE == 256,
+ "DEGREE must be 256 for this write to be in bounds");
+ h->v[i].c[byte] = 1;
+ }
+ }
+ for (; index < OMEGA; index++) {
+ if (in[index] != 0) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+struct public_key {
+ uint8_t rho[RHO_BYTES];
+ vectork t1;
+ // Pre-cached value(s).
+ uint8_t public_key_hash[TR_BYTES];
+};
+
+struct private_key {
+ uint8_t rho[RHO_BYTES];
+ uint8_t k[K_BYTES];
+ uint8_t public_key_hash[TR_BYTES];
+ vectorl s1;
+ vectork s2;
+ vectork t0;
+};
+
+struct signature {
+ uint8_t c_tilde[2 * LAMBDA_BYTES];
+ vectorl z;
+ vectork h;
+};
+
+// FIPS 204, Algorithm 22 (`pkEncode`).
+static int mldsa_marshal_public_key(CBB *out, const struct public_key *pub) {
+ if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
+ return 0;
+ }
+
+ uint8_t *vectork_output;
+ if (!CBB_add_space(out, &vectork_output, 320 * K)) {
+ return 0;
+ }
+ vectork_encode(vectork_output, &pub->t1, 10);
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 23 (`pkDecode`).
+static int mldsa_parse_public_key(struct public_key *pub, CBS *in) {
+ if (!CBS_copy_bytes(in, pub->rho, sizeof(pub->rho))) {
+ return 0;
+ }
+
+ CBS t1_bytes;
+ if (!CBS_get_bytes(in, &t1_bytes, 320 * K)) {
+ return 0;
+ }
+ vectork_decode_10(&pub->t1, CBS_data(&t1_bytes));
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 24 (`skEncode`).
+static int mldsa_marshal_private_key(CBB *out, const struct private_key *priv) {
+ if (!CBB_add_bytes(out, priv->rho, sizeof(priv->rho)) ||
+ !CBB_add_bytes(out, priv->k, sizeof(priv->k)) ||
+ !CBB_add_bytes(out, priv->public_key_hash,
+ sizeof(priv->public_key_hash))) {
+ return 0;
+ }
+
+ uint8_t *vectorl_output;
+ if (!CBB_add_space(out, &vectorl_output, 128 * L)) {
+ return 0;
+ }
+ vectorl_encode_signed(vectorl_output, &priv->s1, 4, ETA);
+
+ uint8_t *vectork_output;
+ if (!CBB_add_space(out, &vectork_output, 128 * K)) {
+ return 0;
+ }
+ vectork_encode_signed(vectork_output, &priv->s2, 4, ETA);
+
+ if (!CBB_add_space(out, &vectork_output, 416 * K)) {
+ return 0;
+ }
+ vectork_encode_signed(vectork_output, &priv->t0, 13, 1 << 12);
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 25 (`skDecode`).
+static int mldsa_parse_private_key(struct private_key *priv, CBS *in) {
+ CBS s1_bytes;
+ CBS s2_bytes;
+ CBS t0_bytes;
+ if (!CBS_copy_bytes(in, priv->rho, sizeof(priv->rho)) ||
+ !CBS_copy_bytes(in, priv->k, sizeof(priv->k)) ||
+ !CBS_copy_bytes(in, priv->public_key_hash,
+ sizeof(priv->public_key_hash)) ||
+ !CBS_get_bytes(in, &s1_bytes, 128 * L) ||
+ !vectorl_decode_signed(&priv->s1, CBS_data(&s1_bytes), 4, ETA) ||
+ !CBS_get_bytes(in, &s2_bytes, 128 * K) ||
+ !vectork_decode_signed(&priv->s2, CBS_data(&s2_bytes), 4, ETA) ||
+ !CBS_get_bytes(in, &t0_bytes, 416 * K) ||
+ // Note: Decoding 13 bits into (-2^12, 2^12] cannot fail.
+ !vectork_decode_signed(&priv->t0, CBS_data(&t0_bytes), 13, 1 << 12)) {
+ return 0;
+ }
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 26 (`sigEncode`).
+static int mldsa_marshal_signature(CBB *out, const struct signature *sign) {
+ if (!CBB_add_bytes(out, sign->c_tilde, sizeof(sign->c_tilde))) {
+ return 0;
+ }
+
+ uint8_t *vectorl_output;
+ if (!CBB_add_space(out, &vectorl_output, 640 * L)) {
+ return 0;
+ }
+ vectorl_encode_signed(vectorl_output, &sign->z, 20, 1 << 19);
+
+ uint8_t *hint_output;
+ if (!CBB_add_space(out, &hint_output, OMEGA + K)) {
+ return 0;
+ }
+ hint_bit_pack(hint_output, &sign->h);
+
+ return 1;
+}
+
+// FIPS 204, Algorithm 27 (`sigDecode`).
+static int mldsa_parse_signature(struct signature *sign, CBS *in) {
+ CBS z_bytes;
+ CBS hint_bytes;
+ if (!CBS_copy_bytes(in, sign->c_tilde, sizeof(sign->c_tilde)) ||
+ !CBS_get_bytes(in, &z_bytes, 640 * L) ||
+ // Note: Decoding 20 bits into (-2^19, 2^19] cannot fail.
+ !vectorl_decode_signed(&sign->z, CBS_data(&z_bytes), 20, 1 << 19) ||
+ !CBS_get_bytes(in, &hint_bytes, OMEGA + K) ||
+ !hint_bit_unpack(&sign->h, CBS_data(&hint_bytes))) {
+ return 0;
+ };
+
+ return 1;
+}
+
+static struct private_key *private_key_from_external(
+ const struct MLDSA65_private_key *external) {
+ static_assert(
+ sizeof(struct MLDSA65_private_key) == sizeof(struct private_key),
+ "Kyber private key size incorrect");
+ static_assert(
+ alignof(struct MLDSA65_private_key) == alignof(struct private_key),
+ "Kyber private key align incorrect");
+ return (struct private_key *)external;
+}
+
+static struct public_key *public_key_from_external(
+ const struct MLDSA65_public_key *external) {
+ static_assert(sizeof(struct MLDSA65_public_key) == sizeof(struct public_key),
+ "mldsa public key size incorrect");
+ static_assert(
+ alignof(struct MLDSA65_public_key) == alignof(struct public_key),
+ "mldsa public key align incorrect");
+ return (struct public_key *)external;
+}
+
+/* API */
+
+// Calls |MLDSA_generate_key_external_entropy| with random bytes from
+// |RAND_bytes|. Returns 1 on success and 0 on failure.
+int MLDSA65_generate_key(
+ uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],
+ uint8_t out_seed[MLDSA_SEED_BYTES],
+ struct MLDSA65_private_key *out_private_key) {
+ RAND_bytes(out_seed, MLDSA_SEED_BYTES);
+ return MLDSA65_generate_key_external_entropy(out_encoded_public_key,
+ out_private_key, out_seed);
+}
+
+int MLDSA65_private_key_from_seed(struct MLDSA65_private_key *out_private_key,
+ const uint8_t *seed, size_t seed_len) {
+ if (seed_len != MLDSA_SEED_BYTES) {
+ return 0;
+ }
+ uint8_t public_key[MLDSA65_PUBLIC_KEY_BYTES];
+ return MLDSA65_generate_key_external_entropy(public_key, out_private_key,
+ seed);
+}
+
+// FIPS 204, Algorithm 6 (`ML-DSA.KeyGen_internal`). Returns 1 on success and 0
+// on failure.
+int MLDSA65_generate_key_external_entropy(
+ uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],
+ struct MLDSA65_private_key *out_private_key,
+ const uint8_t entropy[MLDSA_SEED_BYTES]) {
+ int ret = 0;
+
+ // Intermediate values, allocated on the heap to allow use when there is a
+ // limited amount of stack.
+ struct values_st {
+ struct public_key pub;
+ matrix a_ntt;
+ vectorl s1_ntt;
+ vectork t;
+ };
+ struct values_st *values = OPENSSL_malloc(sizeof(*values));
+ if (values == NULL) {
+ goto err;
+ }
+
+ struct private_key *priv = private_key_from_external(out_private_key);
+
+ uint8_t augmented_entropy[MLDSA_SEED_BYTES + 2];
+ OPENSSL_memcpy(augmented_entropy, entropy, MLDSA_SEED_BYTES);
+ // The k and l parameters are appended to the seed.
+ augmented_entropy[MLDSA_SEED_BYTES] = K;
+ augmented_entropy[MLDSA_SEED_BYTES + 1] = L;
+ uint8_t expanded_seed[RHO_BYTES + SIGMA_BYTES + K_BYTES];
+ BORINGSSL_keccak(expanded_seed, sizeof(expanded_seed), augmented_entropy,
+ sizeof(augmented_entropy), boringssl_shake256);
+ const uint8_t *const rho = expanded_seed;
+ const uint8_t *const sigma = expanded_seed + RHO_BYTES;
+ const uint8_t *const k = expanded_seed + RHO_BYTES + SIGMA_BYTES;
+ // rho is public.
+ CONSTTIME_DECLASSIFY(rho, RHO_BYTES);
+ OPENSSL_memcpy(values->pub.rho, rho, sizeof(values->pub.rho));
+ OPENSSL_memcpy(priv->rho, rho, sizeof(priv->rho));
+ OPENSSL_memcpy(priv->k, k, sizeof(priv->k));
+
+ matrix_expand(&values->a_ntt, rho);
+ vector_expand_short(&priv->s1, &priv->s2, sigma);
+
+ OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));
+ vectorl_ntt(&values->s1_ntt);
+
+ matrix_mult(&values->t, &values->a_ntt, &values->s1_ntt);
+ vectork_inverse_ntt(&values->t);
+ vectork_add(&values->t, &values->t, &priv->s2);
+
+ vectork_power2_round(&values->pub.t1, &priv->t0, &values->t);
+ // t1 is public.
+ CONSTTIME_DECLASSIFY(&values->pub.t1, sizeof(values->pub.t1));
+
+ CBB cbb;
+ CBB_init_fixed(&cbb, out_encoded_public_key, MLDSA65_PUBLIC_KEY_BYTES);
+ if (!mldsa_marshal_public_key(&cbb, &values->pub)) {
+ goto err;
+ }
+ assert(CBB_len(&cbb) == MLDSA65_PUBLIC_KEY_BYTES);
+
+ BORINGSSL_keccak(priv->public_key_hash, sizeof(priv->public_key_hash),
+ out_encoded_public_key, MLDSA65_PUBLIC_KEY_BYTES,
+ boringssl_shake256);
+
+ ret = 1;
+err:
+ OPENSSL_free(values);
+ return ret;
+}
+
+int MLDSA65_public_from_private(struct MLDSA65_public_key *out_public_key,
+ const struct MLDSA65_private_key *private_key) {
+ int ret = 0;
+
+ // Intermediate values, allocated on the heap to allow use when there is a
+ // limited amount of stack.
+ struct values_st {
+ matrix a_ntt;
+ vectorl s1_ntt;
+ vectork t;
+ vectork t0;
+ };
+ struct values_st *values = OPENSSL_malloc(sizeof(*values));
+ if (values == NULL) {
+ goto err;
+ }
+
+ const struct private_key *priv = private_key_from_external(private_key);
+ struct public_key *pub = public_key_from_external(out_public_key);
+
+ OPENSSL_memcpy(pub->rho, priv->rho, sizeof(pub->rho));
+ OPENSSL_memcpy(pub->public_key_hash, priv->public_key_hash,
+ sizeof(pub->public_key_hash));
+
+ matrix_expand(&values->a_ntt, priv->rho);
+
+ OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));
+ vectorl_ntt(&values->s1_ntt);
+
+ matrix_mult(&values->t, &values->a_ntt, &values->s1_ntt);
+ vectork_inverse_ntt(&values->t);
+ vectork_add(&values->t, &values->t, &priv->s2);
+
+ vectork_power2_round(&pub->t1, &values->t0, &values->t);
+
+ ret = 1;
+err:
+ OPENSSL_free(values);
+ return ret;
+}
+
+// FIPS 204, Algorithm 7 (`ML-DSA.Sign_internal`). Returns 1 on success and 0 on
+// failure.
+int MLDSA65_sign_internal(
+ uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],
+ const struct MLDSA65_private_key *private_key, const uint8_t *msg,
+ size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len,
+ const uint8_t *context, size_t context_len,
+ const uint8_t randomizer[MLDSA_SIGNATURE_RANDOMIZER_BYTES]) {
+ int ret = 0;
+ const struct private_key *priv = private_key_from_external(private_key);
+
+ uint8_t mu[MU_BYTES];
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, priv->public_key_hash,
+ sizeof(priv->public_key_hash));
+ BORINGSSL_keccak_absorb(&keccak_ctx, context_prefix, context_prefix_len);
+ BORINGSSL_keccak_absorb(&keccak_ctx, context, context_len);
+ BORINGSSL_keccak_absorb(&keccak_ctx, msg, msg_len);
+ BORINGSSL_keccak_squeeze(&keccak_ctx, mu, MU_BYTES);
+
+ uint8_t rho_prime[RHO_PRIME_BYTES];
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, priv->k, sizeof(priv->k));
+ BORINGSSL_keccak_absorb(&keccak_ctx, randomizer,
+ MLDSA_SIGNATURE_RANDOMIZER_BYTES);
+ BORINGSSL_keccak_absorb(&keccak_ctx, mu, MU_BYTES);
+ BORINGSSL_keccak_squeeze(&keccak_ctx, rho_prime, RHO_PRIME_BYTES);
+
+ // Intermediate values, allocated on the heap to allow use when there is a
+ // limited amount of stack.
+ struct values_st {
+ struct signature sign;
+ vectorl s1_ntt;
+ vectork s2_ntt;
+ vectork t0_ntt;
+ matrix a_ntt;
+ vectorl y;
+ vectork w;
+ vectork w1;
+ vectorl cs1;
+ vectork cs2;
+ };
+ struct values_st *values = OPENSSL_malloc(sizeof(*values));
+ if (values == NULL) {
+ goto err;
+ }
+ OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt));
+ vectorl_ntt(&values->s1_ntt);
+
+ OPENSSL_memcpy(&values->s2_ntt, &priv->s2, sizeof(values->s2_ntt));
+ vectork_ntt(&values->s2_ntt);
+
+ OPENSSL_memcpy(&values->t0_ntt, &priv->t0, sizeof(values->t0_ntt));
+ vectork_ntt(&values->t0_ntt);
+
+ matrix_expand(&values->a_ntt, priv->rho);
+
+ // kappa must not exceed 2**16/L = 13107. But the probability of it exceeding
+ // even 1000 iterations is vanishingly small.
+ for (size_t kappa = 0;; kappa += L) {
+ vectorl_expand_mask(&values->y, rho_prime, kappa);
+
+ vectorl *y_ntt = &values->cs1;
+ OPENSSL_memcpy(y_ntt, &values->y, sizeof(*y_ntt));
+ vectorl_ntt(y_ntt);
+
+ matrix_mult(&values->w, &values->a_ntt, y_ntt);
+ vectork_inverse_ntt(&values->w);
+
+ vectork_high_bits(&values->w1, &values->w);
+ uint8_t w1_encoded[128 * K];
+ w1_encode(w1_encoded, &values->w1);
+
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, mu, MU_BYTES);
+ BORINGSSL_keccak_absorb(&keccak_ctx, w1_encoded, 128 * K);
+ BORINGSSL_keccak_squeeze(&keccak_ctx, values->sign.c_tilde,
+ 2 * LAMBDA_BYTES);
+
+ scalar c_ntt;
+ scalar_sample_in_ball_vartime(&c_ntt, values->sign.c_tilde,
+ sizeof(values->sign.c_tilde));
+ scalar_ntt(&c_ntt);
+
+ vectorl_mult_scalar(&values->cs1, &values->s1_ntt, &c_ntt);
+ vectorl_inverse_ntt(&values->cs1);
+ vectork_mult_scalar(&values->cs2, &values->s2_ntt, &c_ntt);
+ vectork_inverse_ntt(&values->cs2);
+
+ vectorl_add(&values->sign.z, &values->y, &values->cs1);
+
+ vectork *r0 = &values->w1;
+ vectork_sub(r0, &values->w, &values->cs2);
+ vectork_low_bits(r0, r0);
+
+ // Leaking the fact that a signature was rejected is fine as the next
+ // attempt at a signature will be (indistinguishable from) independent of
+ // this one. Note, however, that we additionally leak which of the two
+ // branches rejected the signature. Section 5.5 of
+ // https://pq-crystals.org/dilithium/data/dilithium-specification-round3.pdf
+ // describes this leak as OK. Note we leak less than what is described by
+ // the paper; we do not reveal which coefficient violated the bound, and we
+ // hide which of the |z_max| or |r0_max| bound failed. See also
+ // https://boringssl-review.googlesource.com/c/boringssl/+/67747/comment/2bbab0fa_d241d35a/
+ uint32_t z_max = vectorl_max(&values->sign.z);
+ uint32_t r0_max = vectork_max_signed(r0);
+ if (constant_time_declassify_w(
+ constant_time_ge_w(z_max, kGamma1 - BETA) |
+ constant_time_ge_w(r0_max, kGamma2 - BETA))) {
+ continue;
+ }
+
+ vectork *ct0 = &values->w1;
+ vectork_mult_scalar(ct0, &values->t0_ntt, &c_ntt);
+ vectork_inverse_ntt(ct0);
+ vectork_make_hint(&values->sign.h, ct0, &values->cs2, &values->w);
+
+ // See above.
+ uint32_t ct0_max = vectork_max(ct0);
+ size_t h_ones = vectork_count_ones(&values->sign.h);
+ if (constant_time_declassify_w(constant_time_ge_w(ct0_max, kGamma2) |
+ constant_time_lt_w(OMEGA, h_ones))) {
+ continue;
+ }
+
+ // Although computed with the private key, the signature is public.
+ CONSTTIME_DECLASSIFY(values->sign.c_tilde, sizeof(values->sign.c_tilde));
+ CONSTTIME_DECLASSIFY(&values->sign.z, sizeof(values->sign.z));
+ CONSTTIME_DECLASSIFY(&values->sign.h, sizeof(values->sign.h));
+
+ CBB cbb;
+ CBB_init_fixed(&cbb, out_encoded_signature, MLDSA65_SIGNATURE_BYTES);
+ if (!mldsa_marshal_signature(&cbb, &values->sign)) {
+ goto err;
+ }
+
+ BSSL_CHECK(CBB_len(&cbb) == MLDSA65_SIGNATURE_BYTES);
+ ret = 1;
+ break;
+ }
+
+err:
+ OPENSSL_free(values);
+ return ret;
+}
+
+// mldsa signature in randomized mode, filling the random bytes with
+// |RAND_bytes|. Returns 1 on success and 0 on failure.
+int MLDSA65_sign(uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],
+ const struct MLDSA65_private_key *private_key,
+ const uint8_t *msg, size_t msg_len, const uint8_t *context,
+ size_t context_len) {
+ if (context_len > 255) {
+ return 0;
+ }
+
+ uint8_t randomizer[MLDSA_SIGNATURE_RANDOMIZER_BYTES];
+ RAND_bytes(randomizer, sizeof(randomizer));
+
+ const uint8_t context_prefix[2] = {0, context_len};
+ return MLDSA65_sign_internal(out_encoded_signature, private_key, msg, msg_len,
+ context_prefix, sizeof(context_prefix), context,
+ context_len, randomizer);
+}
+
+// FIPS 204, Algorithm 3 (`ML-DSA.Verify`).
+int MLDSA65_verify(const struct MLDSA65_public_key *public_key,
+ const uint8_t *signature, size_t signature_len,
+ const uint8_t *msg, size_t msg_len, const uint8_t *context,
+ size_t context_len) {
+ if (context_len > 255 || signature_len != MLDSA65_SIGNATURE_BYTES) {
+ return 0;
+ }
+
+ const uint8_t context_prefix[2] = {0, context_len};
+ return MLDSA65_verify_internal(public_key, signature, msg, msg_len,
+ context_prefix, sizeof(context_prefix),
+ context, context_len);
+}
+
+// FIPS 204, Algorithm 8 (`ML-DSA.Verify_internal`).
+int MLDSA65_verify_internal(
+ const struct MLDSA65_public_key *public_key,
+ const uint8_t encoded_signature[MLDSA65_SIGNATURE_BYTES],
+ const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix,
+ size_t context_prefix_len, const uint8_t *context, size_t context_len) {
+ int ret = 0;
+
+ // Intermediate values, allocated on the heap to allow use when there is a
+ // limited amount of stack.
+ struct values_st {
+ struct signature sign;
+ matrix a_ntt;
+ vectorl z_ntt;
+ vectork az_ntt;
+ vectork ct1_ntt;
+ };
+ struct values_st *values = OPENSSL_malloc(sizeof(*values));
+ if (values == NULL) {
+ goto err;
+ }
+
+ const struct public_key *pub = public_key_from_external(public_key);
+
+ CBS cbs;
+ CBS_init(&cbs, encoded_signature, MLDSA65_SIGNATURE_BYTES);
+ if (!mldsa_parse_signature(&values->sign, &cbs)) {
+ goto err;
+ }
+
+ matrix_expand(&values->a_ntt, pub->rho);
+
+ uint8_t mu[MU_BYTES];
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, pub->public_key_hash,
+ sizeof(pub->public_key_hash));
+ BORINGSSL_keccak_absorb(&keccak_ctx, context_prefix, context_prefix_len);
+ BORINGSSL_keccak_absorb(&keccak_ctx, context, context_len);
+ BORINGSSL_keccak_absorb(&keccak_ctx, msg, msg_len);
+ BORINGSSL_keccak_squeeze(&keccak_ctx, mu, MU_BYTES);
+
+ scalar c_ntt;
+ scalar_sample_in_ball_vartime(&c_ntt, values->sign.c_tilde,
+ sizeof(values->sign.c_tilde));
+ scalar_ntt(&c_ntt);
+
+ OPENSSL_memcpy(&values->z_ntt, &values->sign.z, sizeof(values->z_ntt));
+ vectorl_ntt(&values->z_ntt);
+
+ matrix_mult(&values->az_ntt, &values->a_ntt, &values->z_ntt);
+
+ vectork_scale_power2_round(&values->ct1_ntt, &pub->t1);
+ vectork_ntt(&values->ct1_ntt);
+
+ vectork_mult_scalar(&values->ct1_ntt, &values->ct1_ntt, &c_ntt);
+
+ vectork *const w1 = &values->az_ntt;
+ vectork_sub(w1, &values->az_ntt, &values->ct1_ntt);
+ vectork_inverse_ntt(w1);
+
+ vectork_use_hint_vartime(w1, &values->sign.h, w1);
+ uint8_t w1_encoded[128 * K];
+ w1_encode(w1_encoded, w1);
+
+ uint8_t c_tilde[2 * LAMBDA_BYTES];
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&keccak_ctx, mu, MU_BYTES);
+ BORINGSSL_keccak_absorb(&keccak_ctx, w1_encoded, 128 * K);
+ BORINGSSL_keccak_squeeze(&keccak_ctx, c_tilde, 2 * LAMBDA_BYTES);
+
+ uint32_t z_max = vectorl_max(&values->sign.z);
+ if (z_max < kGamma1 - BETA &&
+ OPENSSL_memcmp(c_tilde, values->sign.c_tilde, 2 * LAMBDA_BYTES) == 0) {
+ ret = 1;
+ }
+
+err:
+ OPENSSL_free(values);
+ return ret;
+}
+
+/* Serialization of keys. */
+
+int MLDSA65_marshal_public_key(CBB *out,
+ const struct MLDSA65_public_key *public_key) {
+ return mldsa_marshal_public_key(out, public_key_from_external(public_key));
+}
+
+int MLDSA65_parse_public_key(struct MLDSA65_public_key *public_key, CBS *in) {
+ struct public_key *pub = public_key_from_external(public_key);
+ CBS orig_in = *in;
+ if (!mldsa_parse_public_key(pub, in) || CBS_len(in) != 0) {
+ return 0;
+ }
+
+ // Compute pre-cached values.
+ BORINGSSL_keccak(pub->public_key_hash, sizeof(pub->public_key_hash),
+ CBS_data(&orig_in), CBS_len(&orig_in), boringssl_shake256);
+ return 1;
+}
+
+int MLDSA65_marshal_private_key(CBB *out,
+ const struct MLDSA65_private_key *private_key) {
+ return mldsa_marshal_private_key(out, private_key_from_external(private_key));
+}
+
+int MLDSA65_parse_private_key(struct MLDSA65_private_key *private_key,
+ CBS *in) {
+ struct private_key *priv = private_key_from_external(private_key);
+ return mldsa_parse_private_key(priv, in) && CBS_len(in) == 0;
+}
diff --git a/Sources/CNIOBoringSSL/crypto/mlkem/internal.h b/Sources/CNIOBoringSSL/crypto/mlkem/internal.h
new file mode 100644
index 000000000..a1222c308
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/mlkem/internal.h
@@ -0,0 +1,90 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_MLKEM_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_MLKEM_INTERNAL_H
+
+#include 
+#include 
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// MLKEM_ENCAP_ENTROPY is the number of bytes of uniformly random entropy
+// necessary to encapsulate a secret. The entropy will be leaked to the
+// decapsulating party.
+#define MLKEM_ENCAP_ENTROPY 32
+
+// MLKEM768_generate_key_external_seed is a deterministic function to create a
+// pair of ML-KEM-768 keys, using the supplied seed. The seed needs to be
+// uniformly random. This function is should only be used for tests, regular
+// callers should use the non-deterministic |MLKEM768_generate_key| directly.
+OPENSSL_EXPORT void MLKEM768_generate_key_external_seed(
+ uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
+ struct MLKEM768_private_key *out_private_key,
+ const uint8_t seed[MLKEM_SEED_BYTES]);
+
+// MLKEM768_encap_external_entropy behaves like |MLKEM768_encap|, but uses
+// |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating
+// side will be able to recover |entropy| in full. This function should only be
+// used for tests, regular callers should use the non-deterministic
+// |MLKEM768_encap| directly.
+OPENSSL_EXPORT void MLKEM768_encap_external_entropy(
+ uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const struct MLKEM768_public_key *public_key,
+ const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
+
+// MLKEM768_marshal_private_key serializes |private_key| to |out| in the
+// NIST format for ML-KEM-768 private keys. It returns one on success or
+// zero on allocation error. (Note that one can also save just the seed value
+// produced by |MLKEM768_generate_key|, which is significantly smaller.)
+OPENSSL_EXPORT int MLKEM768_marshal_private_key(
+ CBB *out, const struct MLKEM768_private_key *private_key);
+
+// MLKEM1024_generate_key_external_seed is a deterministic function to create a
+// pair of ML-KEM-1024 keys, using the supplied seed. The seed needs to be
+// uniformly random. This function is should only be used for tests, regular
+// callers should use the non-deterministic |MLKEM1024_generate_key| directly.
+OPENSSL_EXPORT void MLKEM1024_generate_key_external_seed(
+ uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+ struct MLKEM1024_private_key *out_private_key,
+ const uint8_t seed[MLKEM_SEED_BYTES]);
+
+// MLKEM1024_encap_external_entropy behaves like |MLKEM1024_encap|, but uses
+// |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The
+// decapsulating side will be able to recover |entropy| in full. This function
+// should only be used for tests, regular callers should use the
+// non-deterministic |MLKEM1024_encap| directly.
+OPENSSL_EXPORT void MLKEM1024_encap_external_entropy(
+ uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const struct MLKEM1024_public_key *public_key,
+ const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
+
+// MLKEM1024_marshal_private_key serializes |private_key| to |out| in the
+// NIST format for ML-KEM-1024 private keys. It returns one on success or
+// zero on allocation error. (Note that one can also save just the seed value
+// produced by |MLKEM1024_generate_key|, which is significantly smaller.)
+OPENSSL_EXPORT int MLKEM1024_marshal_private_key(
+ CBB *out, const struct MLKEM1024_private_key *private_key);
+
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_MLKEM_INTERNAL_H
diff --git a/Sources/CNIOBoringSSL/crypto/mlkem/mlkem.cc b/Sources/CNIOBoringSSL/crypto/mlkem/mlkem.cc
new file mode 100644
index 000000000..07ad62e4f
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/mlkem/mlkem.cc
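Review bot: The comment above MLKEM768_generate_key_external_seed reads `This function is should only be used for tests`; the stray `is` should be dropped, and the identical sentence recurs above MLKEM1024_generate_key_external_seed. Since both seed-taking functions are documented as deterministic, it would help a reader if the comment also said plainly that supplying the same seed twice yields the same key pair, which is the practical reason the non-deterministic variants are preferred outside tests. For the two `*_encap_external_entropy` declarations, the MLKEM_ENCAP_ENTROPY comment already states that the entropy is recoverable by the decapsulating party; restating next to the `entropy` parameter that it must therefore not be derived from anything secret would spare callers the cross-reference to the macro.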
@@ -0,0 +1,1097 @@
+/* Copyright (c) 2024, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+
+#include "../internal.h"
+#include "../keccak/internal.h"
+#include "./internal.h"
+
+
+// See
+// https://csrc.nist.gov/pubs/fips/203/final
+
+static void prf(uint8_t *out, size_t out_len, const uint8_t in[33]) {
+ BORINGSSL_keccak(out, out_len, in, 33, boringssl_shake256);
+}
+
+// Section 4.1
+static void hash_h(uint8_t out[32], const uint8_t *in, size_t len) {
+ BORINGSSL_keccak(out, 32, in, len, boringssl_sha3_256);
+}
+
+static void hash_g(uint8_t out[64], const uint8_t *in, size_t len) {
+ BORINGSSL_keccak(out, 64, in, len, boringssl_sha3_512);
+}
+
+// This is called `J` in the spec.
+static void kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES],
+ const uint8_t failure_secret[32], const uint8_t *ciphertext,
+ size_t ciphertext_len) {
+ struct BORINGSSL_keccak_st st;
+ BORINGSSL_keccak_init(&st, boringssl_shake256);
+ BORINGSSL_keccak_absorb(&st, failure_secret, 32);
+ BORINGSSL_keccak_absorb(&st, ciphertext, ciphertext_len);
+ BORINGSSL_keccak_squeeze(&st, out, MLKEM_SHARED_SECRET_BYTES);
+}
+
+// Constants that are common across all sizes.
+#define DEGREE 256
+static const size_t kBarrettMultiplier = 5039;
+static const unsigned kBarrettShift = 24;
+static const uint16_t kPrime = 3329;
+static const int kLog2Prime = 12;
+static const uint16_t kHalfPrime = (/*kPrime=*/3329 - 1) / 2;
+// kInverseDegree is 128^-1 mod 3329; 128 because kPrime does not have a 512th
+// root of unity.
+static const uint16_t kInverseDegree = 3303;
+
+// Rank-specific constants.
+#define RANK768 3
+static const int kDU768 = 10;
+static const int kDV768 = 4;
+#define RANK1024 4
+static const int kDU1024 = 11;
+static const int kDV1024 = 5;
+
+constexpr size_t encoded_vector_size(int rank) {
+ return (kLog2Prime * DEGREE / 8) * static_cast(rank);
+}
+
+constexpr size_t encoded_public_key_size(int rank) {
+ return encoded_vector_size(rank) + /*sizeof(rho)=*/32;
+}
+
+static_assert(encoded_public_key_size(RANK768) == MLKEM768_PUBLIC_KEY_BYTES,
+ "");
+static_assert(encoded_public_key_size(RANK1024) == MLKEM1024_PUBLIC_KEY_BYTES,
+ "");
+
+constexpr size_t compressed_vector_size(int rank) {
+ // `if constexpr` isn't available in C++17.
+ return (rank == RANK768 ? kDU768 : kDU1024) * static_cast(rank) *
+ DEGREE / 8;
+}
+
+constexpr size_t ciphertext_size(int rank) {
+ return compressed_vector_size(rank) +
+ (rank == RANK768 ? kDV768 : kDV1024) * DEGREE / 8;
+}
+
+static_assert(ciphertext_size(RANK768) == MLKEM768_CIPHERTEXT_BYTES, "");
+static_assert(ciphertext_size(RANK1024) == MLKEM1024_CIPHERTEXT_BYTES, "");
+
+typedef struct scalar {
+ // On every function entry and exit, 0 <= c < kPrime.
+ uint16_t c[DEGREE];
+} scalar;
+
+template
+struct vector {
+ scalar v[RANK];
+};
+
+template
+struct matrix {
+ scalar v[RANK][RANK];
+};
+
+// This bit of Python will be referenced in some of the following comments:
+//
+// p = 3329
+//
+// def bitreverse(i):
+// ret = 0
+// for n in range(7):
+// bit = i & 1
+// ret <<= 1
+// ret |= bit
+// i >>= 1
+// return ret
+
+// kNTTRoots = [pow(17, bitreverse(i), p) for i in range(128)]
+static const uint16_t kNTTRoots[128] = {
+ 1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797,
+ 2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333,
+ 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756,
+ 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915,
+ 2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648,
+ 2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100,
+ 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789,
+ 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641,
+ 1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757,
+ 2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886,
+ 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154,
+};
+
+// kInverseNTTRoots = [pow(17, -bitreverse(i), p) for i in range(128)]
+static const uint16_t kInverseNTTRoots[128] = {
+ 1, 1600, 40, 749, 2481, 1432, 2699, 687, 1583, 2760, 69, 543,
+ 2532, 3136, 1410, 2267, 2508, 1355, 450, 936, 447, 2794, 1235, 1903,
+ 1996, 1089, 3273, 283, 1853, 1990, 882, 3033, 2419, 2102, 219, 855,
+ 2681, 1848, 712, 682, 927, 1795, 461, 1891, 2877, 2522, 1894, 1010,
+ 1414, 2009, 3296, 464, 2697, 816, 1352, 2679, 1274, 1052, 1025, 2132,
+ 1573, 76, 2998, 3040, 1175, 2444, 394, 1219, 2300, 1455, 2117, 1607,
+ 2443, 554, 1179, 2186, 2303, 2926, 2237, 525, 735, 863, 2768, 1230,
+ 2572, 556, 3010, 2266, 1684, 1239, 780, 2954, 109, 1292, 1031, 1745,
+ 2688, 3061, 992, 2596, 941, 892, 1021, 2390, 642, 1868, 2377, 1482,
+ 1540, 540,
1678, 1626, 279, 314, 1173, 2573, 3096, 48, 667, 1920,
+ 2229, 1041, 2606, 1692, 680, 2746, 568, 3312,
+};
+
+// kModRoots = [pow(17, 2*bitreverse(i) + 1, p) for i in range(128)]
+static const uint16_t kModRoots[128] = {
+ 17, 3312, 2761, 568, 583, 2746, 2649, 680, 1637, 1692, 723, 2606,
+ 2288, 1041, 1100, 2229, 1409, 1920, 2662, 667, 3281, 48, 233, 3096,
+ 756, 2573, 2156, 1173, 3015, 314, 3050, 279, 1703, 1626, 1651, 1678,
+ 2789, 540, 1789, 1540, 1847, 1482, 952, 2377, 1461, 1868, 2687, 642,
+ 939, 2390, 2308, 1021, 2437, 892, 2388, 941, 733, 2596, 2337, 992,
+ 268, 3061, 641, 2688, 1584, 1745, 2298, 1031, 2037, 1292, 3220, 109,
+ 375, 2954, 2549, 780, 2090, 1239, 1645, 1684, 1063, 2266, 319, 3010,
+ 2773, 556, 757, 2572, 2099, 1230, 561, 2768, 2466, 863, 2594, 735,
+ 2804, 525, 1092, 2237, 403, 2926, 1026, 2303, 1143, 2186, 2150, 1179,
+ 2775, 554, 886, 2443, 1722, 1607, 1212, 2117, 1874, 1455, 1029, 2300,
+ 2110, 1219, 2935, 394, 885, 2444, 2154, 1175,
+};
+
+// reduce_once reduces 0 <= x < 2*kPrime, mod kPrime.
+static uint16_t reduce_once(uint16_t x) {
+ assert(x < 2 * kPrime);
+ const uint16_t subtracted = x - kPrime;
+ uint16_t mask = 0u - (subtracted >> 15);
+ // On Aarch64, omitting a |value_barrier_u16| results in a 2x speedup of
+ // ML-KEM overall and Clang still produces constant-time code using `csel`. On
+ // other platforms & compilers on godbolt that we care about, this code also
+ // produces constant-time output.
+ return (mask & x) | (~mask & subtracted);
+}
+
+// constant time reduce x mod kPrime using Barrett reduction. x must be less
+// than kPrime + 2×kPrime².
+static uint16_t reduce(uint32_t x) {
+ assert(x < kPrime + 2u * kPrime * kPrime);
+ uint64_t product = (uint64_t)x * kBarrettMultiplier;
+ uint32_t quotient = (uint32_t)(product >> kBarrettShift);
+ uint32_t remainder = x - quotient * kPrime;
+ return reduce_once(remainder);
+}
+
+static void scalar_zero(scalar *out) { OPENSSL_memset(out, 0, sizeof(*out)); }
+
+template
+static void vector_zero(vector *out) {
+ OPENSSL_memset(out->v, 0, sizeof(scalar) * RANK);
+}
+
+// In place number theoretic transform of a given scalar.
+// Note that MLKEM's kPrime 3329 does not have a 512th root of unity, so this
+// transform leaves off the last iteration of the usual FFT code, with the 128
+// relevant roots of unity being stored in |kNTTRoots|. This means the output
+// should be seen as 128 elements in GF(3329^2), with the coefficients of the
+// elements being consecutive entries in |s->c|.
+static void scalar_ntt(scalar *s) {
+ int offset = DEGREE;
+ // `int` is used here because using `size_t` throughout caused a ~5% slowdown
+ // with Clang 14 on Aarch64.
+ for (int step = 1; step < DEGREE / 2; step <<= 1) {
+ offset >>= 1;
+ int k = 0;
+ for (int i = 0; i < step; i++) {
+ const uint32_t step_root = kNTTRoots[i + step];
+ for (int j = k; j < k + offset; j++) {
+ uint16_t odd = reduce(step_root * s->c[j + offset]);
+ uint16_t even = s->c[j];
+ s->c[j] = reduce_once(odd + even);
+ s->c[j + offset] = reduce_once(even - odd + kPrime);
+ }
+ k += 2 * offset;
+ }
+ }
+}
+
+template
+static void vector_ntt(vector *a) {
+ for (int i = 0; i < RANK; i++) {
+ scalar_ntt(&a->v[i]);
+ }
+}
+
+// In place inverse number theoretic transform of a given scalar, with pairs of
+// entries of s->v being interpreted as elements of GF(3329^2). Just as with the
+// number theoretic transform, this leaves off the first step of the normal iFFT
+// to account for the fact that 3329 does not have a 512th root of unity, using
+// the precomputed 128 roots of unity stored in |kInverseNTTRoots|.
+static void scalar_inverse_ntt(scalar *s) {
+ int step = DEGREE / 2;
+ // `int` is used here because using `size_t` throughout caused a ~5% slowdown
+ // with Clang 14 on Aarch64.
+ for (int offset = 2; offset < DEGREE; offset <<= 1) {
+ step >>= 1;
+ int k = 0;
+ for (int i = 0; i < step; i++) {
+ uint32_t step_root = kInverseNTTRoots[i + step];
+ for (int j = k; j < k + offset; j++) {
+ uint16_t odd = s->c[j + offset];
+ uint16_t even = s->c[j];
+ s->c[j] = reduce_once(odd + even);
+ s->c[j + offset] = reduce(step_root * (even - odd + kPrime));
+ }
+ k += 2 * offset;
+ }
+ }
+ for (int i = 0; i < DEGREE; i++) {
+ s->c[i] = reduce(s->c[i] * kInverseDegree);
+ }
+}
+
+template
+static void vector_inverse_ntt(vector *a) {
+ for (int i = 0; i < RANK; i++) {
+ scalar_inverse_ntt(&a->v[i]);
+ }
+}
+
+static void scalar_add(scalar *lhs, const scalar *rhs) {
+ for (int i = 0; i < DEGREE; i++) {
+ lhs->c[i] = reduce_once(lhs->c[i] + rhs->c[i]);
+ }
+}
+
+static void scalar_sub(scalar *lhs, const scalar *rhs) {
+ for (int i = 0; i < DEGREE; i++) {
+ lhs->c[i] = reduce_once(lhs->c[i] - rhs->c[i] + kPrime);
+ }
+}
+
+// Multiplying two scalars in the number theoretically transformed state. Since
+// 3329 does not have a 512th root of unity, this means we have to interpret
+// the 2*ith and (2*i+1)th entries of the scalar as elements of GF(3329)[X]/(X^2
+// - 17^(2*bitreverse(i)+1)) The value of 17^(2*bitreverse(i)+1) mod 3329 is
+// stored in the precomputed |kModRoots| table. Note that our Barrett transform
+// only allows us to multipy two reduced numbers together, so we need some
+// intermediate reduction steps, even if an uint64_t could hold 3 multiplied
+// numbers.
+static void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) {
+ for (int i = 0; i < DEGREE / 2; i++) {
+ uint32_t real_real = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i];
+ uint32_t img_img = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i + 1];
+ uint32_t real_img = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i + 1];
+ uint32_t img_real = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i];
+ out->c[2 * i] =
+ reduce(real_real + (uint32_t)reduce(img_img) * kModRoots[i]);
+ out->c[2 * i + 1] = reduce(img_real + real_img);
+ }
+}
+
+template
+static void vector_add(vector *lhs, const vector *rhs) {
+ for (int i = 0; i < RANK; i++) {
+ scalar_add(&lhs->v[i], &rhs->v[i]);
+ }
+}
+
+template
+static void matrix_mult(vector *out, const matrix *m,
+ const vector *a) {
+ vector_zero(out);
+ for (int i = 0; i < RANK; i++) {
+ for (int j = 0; j < RANK; j++) {
+ scalar product;
+ scalar_mult(&product, &m->v[i][j], &a->v[j]);
+ scalar_add(&out->v[i], &product);
+ }
+ }
+}
+
+template
+static void matrix_mult_transpose(vector *out, const matrix *m,
+ const vector *a) {
+ vector_zero(out);
+ for (int i = 0; i < RANK; i++) {
+ for (int j = 0; j < RANK; j++) {
+ scalar product;
+ scalar_mult(&product, &m->v[j][i], &a->v[j]);
+ scalar_add(&out->v[i], &product);
+ }
+ }
+}
+
+template
+static void scalar_inner_product(scalar *out, const vector *lhs,
+ const vector *rhs) {
+ scalar_zero(out);
+ for (int i = 0; i < RANK; i++) {
+ scalar product;
+ scalar_mult(&product, &lhs->v[i], &rhs->v[i]);
+ scalar_add(out, &product);
+ }
+}
+
+// Algorithm 6 from the spec. Rejection samples a Keccak stream to get
+// uniformly distributed elements. This is used for matrix expansion and only
+// operates on public inputs.
+static void scalar_from_keccak_vartime(scalar *out,
+ struct BORINGSSL_keccak_st *keccak_ctx) {
+ assert(keccak_ctx->squeeze_offset == 0);
+ assert(keccak_ctx->rate_bytes == 168);
+ static_assert(168 % 3 == 0, "block and coefficient boundaries do not align");
+
+ int done = 0;
+ while (done < DEGREE) {
+ uint8_t block[168];
+ BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block));
+ for (size_t i = 0; i < sizeof(block) && done < DEGREE; i += 3) {
+ uint16_t d1 = block[i] + 256 * (block[i + 1] % 16);
+ uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2];
+ if (d1 < kPrime) {
+ out->c[done++] = d1;
+ }
+ if (d2 < kPrime && done < DEGREE) {
+ out->c[done++] = d2;
+ }
+ }
+ }
+}
+
+// Algorithm 7 from the spec, with eta fixed to two and the PRF call
+// included. Creates binominally distributed elements by sampling 2*|eta| bits,
+// and setting the coefficient to the count of the first bits minus the count of
+// the second bits, resulting in a centered binomial distribution. Since eta is
+// two this gives -2/2 with a probability of 1/16, -1/1 with probability 1/4,
+// and 0 with probability 3/8.
+static void scalar_centered_binomial_distribution_eta_2_with_prf(
+ scalar *out, const uint8_t input[33]) {
+ uint8_t entropy[128];
+ static_assert(sizeof(entropy) == 2 * /*kEta=*/2 * DEGREE / 8, "");
+ prf(entropy, sizeof(entropy), input);
+
+ for (int i = 0; i < DEGREE; i += 2) {
+ uint8_t byte = entropy[i / 2];
+
+ uint16_t value = kPrime;
+ value += (byte & 1) + ((byte >> 1) & 1);
+ value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
+ out->c[i] = reduce_once(value);
+
+ byte >>= 4;
+ value = kPrime;
+ value += (byte & 1) + ((byte >> 1) & 1);
+ value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
+ out->c[i + 1] = reduce_once(value);
+ }
+}
+
+// Generates a secret vector by using
+// |scalar_centered_binomial_distribution_eta_2_with_prf|, using the given seed
+// appending and incrementing |counter| for entry of the vector.
+template
+static void vector_generate_secret_eta_2(vector *out, uint8_t *counter,
+ const uint8_t seed[32]) {
+ uint8_t input[33];
+ OPENSSL_memcpy(input, seed, 32);
+ for (int i = 0; i < RANK; i++) {
+ input[32] = (*counter)++;
+ scalar_centered_binomial_distribution_eta_2_with_prf(&out->v[i], input);
+ }
+}
+
+// Expands the matrix of a seed for key generation and for encaps-CPA.
+template
+static void matrix_expand(matrix *out, const uint8_t rho[32]) {
+ uint8_t input[34];
+ OPENSSL_memcpy(input, rho, 32);
+ for (int i = 0; i < RANK; i++) {
+ for (int j = 0; j < RANK; j++) {
+ input[32] = i;
+ input[33] = j;
+ struct BORINGSSL_keccak_st keccak_ctx;
+ BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128);
+ BORINGSSL_keccak_absorb(&keccak_ctx, input, sizeof(input));
+ scalar_from_keccak_vartime(&out->v[i][j], &keccak_ctx);
+ }
+ }
+}
+
+static const uint8_t kMasks[8] = {0x01, 0x03, 0x07, 0x0f,
+ 0x1f, 0x3f, 0x7f, 0xff};
+
+static void scalar_encode(uint8_t *out, const scalar *s, int bits) {
+ assert(bits <= (int)sizeof(*s->c) * 8 && bits != 1);
+
+ uint8_t out_byte = 0;
+ int out_byte_bits = 0;
+
+ for (int i = 0; i < DEGREE; i++) {
+ uint16_t element = s->c[i];
+ int element_bits_done = 0;
+
+ while (element_bits_done < bits) {
+ int chunk_bits = bits - element_bits_done;
+ int out_bits_remaining = 8 - out_byte_bits;
+ if (chunk_bits >= out_bits_remaining) {
+ chunk_bits = out_bits_remaining;
+ out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
+ *out = out_byte;
+ out++;
+ out_byte_bits = 0;
+ out_byte = 0;
+ } else {
+ out_byte |= (element & kMasks[chunk_bits - 1]) << out_byte_bits;
+ out_byte_bits += chunk_bits;
+ }
+
+ element_bits_done += chunk_bits;
+ element >>= chunk_bits;
+ }
+ }
+
+ if (out_byte_bits > 0) {
+ *out = out_byte;
+ }
+}
+
+// scalar_encode_1 is |scalar_encode| specialised for |bits| == 1.
+static void scalar_encode_1(uint8_t out[32], const scalar *s) {
+ for (int i = 0; i < DEGREE; i += 8) {
+ uint8_t out_byte = 0;
+ for (int j = 0; j < 8; j++) {
+ out_byte |= (s->c[i + j] & 1) << j;
+ }
+ *out = out_byte;
+ out++;
+ }
+}
+
+// Encodes an entire vector into 32*|RANK|*|bits| bytes. Note that since 256
+// (DEGREE) is divisible by 8, the individual vector entries will always fill a
+// whole number of bytes, so we do not need to worry about bit packing here.
+template
+static void vector_encode(uint8_t *out, const vector *a, int bits) {
+ for (int i = 0; i < RANK; i++) {
+ scalar_encode(out + i * bits * DEGREE / 8, &a->v[i], bits);
+ }
+}
+
+// scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in
+// |out|. It returns one on success and zero if any parsed value is >=
+// |kPrime|.
+static int scalar_decode(scalar *out, const uint8_t *in, int bits) {
+ assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1);
+
+ uint8_t in_byte = 0;
+ int in_byte_bits_left = 0;
+
+ for (int i = 0; i < DEGREE; i++) {
+ uint16_t element = 0;
+ int element_bits_done = 0;
+
+ while (element_bits_done < bits) {
+ if (in_byte_bits_left == 0) {
+ in_byte = *in;
+ in++;
+ in_byte_bits_left = 8;
+ }
+
+ int chunk_bits = bits - element_bits_done;
+ if (chunk_bits > in_byte_bits_left) {
+ chunk_bits = in_byte_bits_left;
+ }
+
+ element |= (in_byte & kMasks[chunk_bits - 1]) << element_bits_done;
+ in_byte_bits_left -= chunk_bits;
+ in_byte >>= chunk_bits;
+
+ element_bits_done += chunk_bits;
+ }
+
+ if (element >= kPrime) {
+ return 0;
+ }
+ out->c[i] = element;
+ }
+
+ return 1;
+}
+
+// scalar_decode_1 is |scalar_decode| specialised for |bits| == 1.
+static void scalar_decode_1(scalar *out, const uint8_t in[32]) {
+ for (int i = 0; i < DEGREE; i += 8) {
+ uint8_t in_byte = *in;
+ in++;
+ for (int j = 0; j < 8; j++) {
+ out->c[i + j] = in_byte & 1;
+ in_byte >>= 1;
+ }
+ }
+}
+
+// Decodes 32*|RANK|*|bits| bytes from |in| into |out|.
It returns one on
+// success or zero if any parsed value is >= |kPrime|.
+template
+static int vector_decode(vector *out, const uint8_t *in, int bits) {
+ for (int i = 0; i < RANK; i++) {
+ if (!scalar_decode(&out->v[i], in + i * bits * DEGREE / 8, bits)) {
+ return 0;
+ }
+ }
+ return 1;
+}
+
+// Compresses (lossily) an input |x| mod 3329 into |bits| many bits by grouping
+// numbers close to each other together. The formula used is
+// round(2^|bits|/kPrime*x) mod 2^|bits|.
+// Uses Barrett reduction to achieve constant time. Since we need both the
+// remainder (for rounding) and the quotient (as the result), we cannot use
+// |reduce| here, but need to do the Barrett reduction directly.
+static uint16_t compress(uint16_t x, int bits) {
+ uint32_t shifted = (uint32_t)x << bits;
+ uint64_t product = (uint64_t)shifted * kBarrettMultiplier;
+ uint32_t quotient = (uint32_t)(product >> kBarrettShift);
+ uint32_t remainder = shifted - quotient * kPrime;
+
+ // Adjust the quotient to round correctly:
+ // 0 <= remainder <= kHalfPrime round to 0
+ // kHalfPrime < remainder <= kPrime + kHalfPrime round to 1
+ // kPrime + kHalfPrime < remainder < 2 * kPrime round to 2
+ assert(remainder < 2u * kPrime);
+ quotient += 1 & constant_time_lt_w(kHalfPrime, remainder);
+ quotient += 1 & constant_time_lt_w(kPrime + kHalfPrime, remainder);
+ return quotient & ((1 << bits) - 1);
+}
+
+// Decompresses |x| by using an equi-distant representative. The formula is
+// round(kPrime/2^|bits|*x). Note that 2^|bits| being the divisor allows us to
+// implement this logic using only bit operations.
+static uint16_t decompress(uint16_t x, int bits) {
+ uint32_t product = (uint32_t)x * kPrime;
+ uint32_t power = 1 << bits;
+ // This is |product| % power, since |power| is a power of 2.
+ uint32_t remainder = product & (power - 1);
+ // This is |product| / power, since |power| is a power of 2.
+ uint32_t lower = product >> bits;
+ // The rounding logic works since the first half of numbers mod |power| have a
+ // 0 as first bit, and the second half has a 1 as first bit, since |power| is
+ // a power of 2. As a 12 bit number, |remainder| is always positive, so we
+ // will shift in 0s for a right shift.
+ return lower + (remainder >> (bits - 1));
+}
+
+static void scalar_compress(scalar *s, int bits) {
+ for (int i = 0; i < DEGREE; i++) {
+ s->c[i] = compress(s->c[i], bits);
+ }
+}
+
+static void scalar_decompress(scalar *s, int bits) {
+ for (int i = 0; i < DEGREE; i++) {
+ s->c[i] = decompress(s->c[i], bits);
+ }
+}
+
+template
+static void vector_compress(vector *a, int bits) {
+ for (int i = 0; i < RANK; i++) {
+ scalar_compress(&a->v[i], bits);
+ }
+}
+
+template
+static void vector_decompress(vector *a, int bits) {
+ for (int i = 0; i < RANK; i++) {
+ scalar_decompress(&a->v[i], bits);
+ }
+}
+
+template
+struct public_key {
+ vector t;
+ uint8_t rho[32];
+ uint8_t public_key_hash[32];
+ matrix m;
+};
+
+static struct public_key *public_key_768_from_external(
+ const struct MLKEM768_public_key *external) {
+ static_assert(sizeof(struct MLKEM768_public_key) >=
+ sizeof(struct public_key),
+ "MLKEM public key is too small");
+ static_assert(alignof(struct MLKEM768_public_key) >=
+ alignof(struct public_key),
+ "MLKEM public key alignment incorrect");
+ return (struct public_key *)external;
+}
+
+static struct public_key *
+public_key_1024_from_external(const struct MLKEM1024_public_key *external) {
+ static_assert(sizeof(struct MLKEM1024_public_key) >=
+ sizeof(struct public_key),
+ "MLKEM1024 public key is too small");
+ static_assert(alignof(struct MLKEM1024_public_key) >=
+ alignof(struct public_key),
+ "MLKEM1024 public key alignment incorrect");
+ return (struct public_key *)external;
+}
+
+template
+struct private_key {
+ struct public_key pub;
+ vector s;
+ uint8_t fo_failure_secret[32];
+};
+
+static struct private_key
*private_key_768_from_external(
+ const struct MLKEM768_private_key *external) {
+ static_assert(sizeof(struct MLKEM768_private_key) >=
+ sizeof(struct private_key),
+ "MLKEM private key too small");
+ static_assert(alignof(struct MLKEM768_private_key) >=
+ alignof(struct private_key),
+ "MLKEM private key alignment incorrect");
+ return (struct private_key *)external;
+}
+
+static struct private_key *
+private_key_1024_from_external(const struct MLKEM1024_private_key *external) {
+ static_assert(sizeof(struct MLKEM1024_private_key) >=
+ sizeof(struct private_key),
+ "MLKEM1024 private key too small");
+ static_assert(alignof(struct MLKEM1024_private_key) >=
+ alignof(struct private_key),
+ "MLKEM1024 private key alignment incorrect");
+ return (struct private_key *)external;
+}
+
+void MLKEM768_generate_key(uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
+ uint8_t optional_out_seed[MLKEM_SEED_BYTES],
+ struct MLKEM768_private_key *out_private_key) {
+ uint8_t seed[MLKEM_SEED_BYTES];
+ RAND_bytes(seed, sizeof(seed));
+ if (optional_out_seed) {
+ OPENSSL_memcpy(optional_out_seed, seed, sizeof(seed));
+ }
+ MLKEM768_generate_key_external_seed(out_encoded_public_key, out_private_key,
+ seed);
+}
+
+int MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key,
+ const uint8_t *seed, size_t seed_len) {
+ if (seed_len != MLKEM_SEED_BYTES) {
+ return 0;
+ }
+ uint8_t public_key_bytes[MLKEM768_PUBLIC_KEY_BYTES];
+ MLKEM768_generate_key_external_seed(public_key_bytes, out_private_key, seed);
+ return 1;
+}
+
+void MLKEM1024_generate_key(
+ uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+ uint8_t optional_out_seed[MLKEM_SEED_BYTES],
+ struct MLKEM1024_private_key *out_private_key) {
+ uint8_t seed[MLKEM_SEED_BYTES];
+ RAND_bytes(seed, sizeof(seed));
+ if (optional_out_seed) {
+ OPENSSL_memcpy(optional_out_seed, seed, sizeof(seed));
+ }
+ MLKEM1024_generate_key_external_seed(out_encoded_public_key, out_private_key,
+ seed);
+}
+
+int
MLKEM1024_private_key_from_seed(
+ struct MLKEM1024_private_key *out_private_key, const uint8_t *seed,
+ size_t seed_len) {
+ if (seed_len != MLKEM_SEED_BYTES) {
+ return 0;
+ }
+ uint8_t public_key_bytes[MLKEM1024_PUBLIC_KEY_BYTES];
+ MLKEM1024_generate_key_external_seed(public_key_bytes, out_private_key, seed);
+ return 1;
+}
+
+template
+static int mlkem_marshal_public_key(CBB *out,
+ const struct public_key *pub) {
+ uint8_t *vector_output;
+ if (!CBB_add_space(out, &vector_output, encoded_vector_size(RANK))) {
+ return 0;
+ }
+ vector_encode(vector_output, &pub->t, kLog2Prime);
+ if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
+ return 0;
+ }
+ return 1;
+}
+
+template
+void mlkem_generate_key_external_seed(uint8_t *out_encoded_public_key,
+ private_key *priv,
+ const uint8_t seed[MLKEM_SEED_BYTES]) {
+ uint8_t augmented_seed[33];
+ OPENSSL_memcpy(augmented_seed, seed, 32);
+ augmented_seed[32] = RANK;
+
+ uint8_t hashed[64];
+ hash_g(hashed, augmented_seed, sizeof(augmented_seed));
+ const uint8_t *const rho = hashed;
+ const uint8_t *const sigma = hashed + 32;
+ OPENSSL_memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho));
+ matrix_expand(&priv->pub.m, rho);
+ uint8_t counter = 0;
+ vector_generate_secret_eta_2(&priv->s, &counter, sigma);
+ vector_ntt(&priv->s);
+ vector error;
+ vector_generate_secret_eta_2(&error, &counter, sigma);
+ vector_ntt(&error);
+ matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
+ vector_add(&priv->pub.t, &error);
+
+ CBB cbb;
+ CBB_init_fixed(&cbb, out_encoded_public_key, encoded_public_key_size(RANK));
+ if (!mlkem_marshal_public_key(&cbb, &priv->pub)) {
+ abort();
+ }
+
+ hash_h(priv->pub.public_key_hash, out_encoded_public_key,
+ encoded_public_key_size(RANK));
+ OPENSSL_memcpy(priv->fo_failure_secret, seed + 32, 32);
+}
+
+void MLKEM768_generate_key_external_seed(
+ uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
+ struct MLKEM768_private_key *out_private_key,
+ const uint8_t
seed[MLKEM_SEED_BYTES]) {
+ private_key *priv = private_key_768_from_external(out_private_key);
+ mlkem_generate_key_external_seed(out_encoded_public_key, priv, seed);
+}
+
+void MLKEM1024_generate_key_external_seed(
+ uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+ struct MLKEM1024_private_key *out_private_key,
+ const uint8_t seed[MLKEM_SEED_BYTES]) {
+ private_key *priv = private_key_1024_from_external(out_private_key);
+ mlkem_generate_key_external_seed(out_encoded_public_key, priv, seed);
+}
+
+void MLKEM768_public_from_private(
+ struct MLKEM768_public_key *out_public_key,
+ const struct MLKEM768_private_key *private_key) {
+ struct public_key *const pub =
+ public_key_768_from_external(out_public_key);
+ const struct ::private_key *const priv =
+ private_key_768_from_external(private_key);
+ *pub = priv->pub;
+}
+
+void MLKEM1024_public_from_private(
+ struct MLKEM1024_public_key *out_public_key,
+ const struct MLKEM1024_private_key *private_key) {
+ struct public_key *const pub =
+ public_key_1024_from_external(out_public_key);
+ const struct ::private_key *const priv =
+ private_key_1024_from_external(private_key);
+ *pub = priv->pub;
+}
+
+// Encrypts a message with given randomness to
+// the ciphertext in |out|. Without applying the Fujisaki-Okamoto transform this
+// would not result in a CCA secure scheme, since lattice schemes are vulnerable
+// to decryption failure oracles.
+template
+static void encrypt_cpa(uint8_t *out, const struct public_key *pub,
+ const uint8_t message[32],
+ const uint8_t randomness[32]) {
+ constexpr int du = RANK == RANK768 ? kDU768 : kDU1024;
+ constexpr int dv = RANK == RANK768 ?
kDV768 : kDV1024;
+
+ uint8_t counter = 0;
+ vector secret;
+ vector_generate_secret_eta_2(&secret, &counter, randomness);
+ vector_ntt(&secret);
+ vector error;
+ vector_generate_secret_eta_2(&error, &counter, randomness);
+ uint8_t input[33];
+ OPENSSL_memcpy(input, randomness, 32);
+ input[32] = counter;
+ scalar scalar_error;
+ scalar_centered_binomial_distribution_eta_2_with_prf(&scalar_error, input);
+ vector u;
+ matrix_mult(&u, &pub->m, &secret);
+ vector_inverse_ntt(&u);
+ vector_add(&u, &error);
+ scalar v;
+ scalar_inner_product(&v, &pub->t, &secret);
+ scalar_inverse_ntt(&v);
+ scalar_add(&v, &scalar_error);
+ scalar expanded_message;
+ scalar_decode_1(&expanded_message, message);
+ scalar_decompress(&expanded_message, 1);
+ scalar_add(&v, &expanded_message);
+ vector_compress(&u, du);
+ vector_encode(out, &u, du);
+ scalar_compress(&v, dv);
+ scalar_encode(out + compressed_vector_size(RANK), &v, dv);
+}
+
+// Calls |MLKEM768_encap_external_entropy| with random bytes from |RAND_bytes|
+void MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const struct MLKEM768_public_key *public_key) {
+ uint8_t entropy[MLKEM_ENCAP_ENTROPY];
+ RAND_bytes(entropy, MLKEM_ENCAP_ENTROPY);
+ MLKEM768_encap_external_entropy(out_ciphertext, out_shared_secret, public_key,
+ entropy);
+}
+
+void MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const struct MLKEM1024_public_key *public_key) {
+ uint8_t entropy[MLKEM_ENCAP_ENTROPY];
+ RAND_bytes(entropy, MLKEM_ENCAP_ENTROPY);
+ MLKEM1024_encap_external_entropy(out_ciphertext, out_shared_secret,
+ public_key, entropy);
+}
+
+// See section 6.2.
+template
+static void mlkem_encap_external_entropy(
+ uint8_t *out_ciphertext,
+ uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const struct public_key *pub,
+ const uint8_t entropy[MLKEM_ENCAP_ENTROPY]) {
+ uint8_t input[64];
+ OPENSSL_memcpy(input, entropy, MLKEM_ENCAP_ENTROPY);
+ OPENSSL_memcpy(input + MLKEM_ENCAP_ENTROPY, pub->public_key_hash,
+ sizeof(input) - MLKEM_ENCAP_ENTROPY);
+ uint8_t key_and_randomness[64];
+ hash_g(key_and_randomness, input, sizeof(input));
+ encrypt_cpa(out_ciphertext, pub, entropy, key_and_randomness + 32);
+ static_assert(MLKEM_SHARED_SECRET_BYTES == 32, "");
+ memcpy(out_shared_secret, key_and_randomness, 32);
+}
+
+void MLKEM768_encap_external_entropy(
+ uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const struct MLKEM768_public_key *public_key,
+ const uint8_t entropy[MLKEM_ENCAP_ENTROPY]) {
+ const struct ::public_key *pub =
+ public_key_768_from_external(public_key);
+ mlkem_encap_external_entropy(out_ciphertext, out_shared_secret, pub, entropy);
+}
+
+void MLKEM1024_encap_external_entropy(
+ uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+ uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const struct MLKEM1024_public_key *public_key,
+ const uint8_t entropy[MLKEM_ENCAP_ENTROPY]) {
+ const struct ::public_key *pub =
+ public_key_1024_from_external(public_key);
+ mlkem_encap_external_entropy(out_ciphertext, out_shared_secret, pub, entropy);
+}
+
+template
+static void decrypt_cpa(uint8_t out[32], const struct private_key *priv,
+ const uint8_t ciphertext[MLKEM768_CIPHERTEXT_BYTES]) {
+ constexpr int du = RANK == RANK768 ? kDU768 : kDU1024;
+ constexpr int dv = RANK == RANK768 ?
kDV768 : kDV1024;
+
+ vector u;
+ vector_decode(&u, ciphertext, du);
+ vector_decompress(&u, du);
+ vector_ntt(&u);
+ scalar v;
+ scalar_decode(&v, ciphertext + compressed_vector_size(RANK), dv);
+ scalar_decompress(&v, dv);
+ scalar mask;
+ scalar_inner_product(&mask, &priv->s, &u);
+ scalar_inverse_ntt(&mask);
+ scalar_sub(&v, &mask);
+ scalar_compress(&v, 1);
+ scalar_encode_1(out, &v);
+}
+
+// See section 6.3
+template
+static void mlkem_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const uint8_t *ciphertext,
+ const struct private_key *priv) {
+ uint8_t decrypted[64];
+ decrypt_cpa(decrypted, priv, ciphertext);
+ OPENSSL_memcpy(decrypted + 32, priv->pub.public_key_hash,
+ sizeof(decrypted) - 32);
+ uint8_t key_and_randomness[64];
+ hash_g(key_and_randomness, decrypted, sizeof(decrypted));
+ constexpr size_t ciphertext_len = ciphertext_size(RANK);
+ uint8_t expected_ciphertext[MLKEM1024_CIPHERTEXT_BYTES];
+ static_assert(ciphertext_len <= sizeof(expected_ciphertext), "");
+ encrypt_cpa(expected_ciphertext, &priv->pub, decrypted,
+ key_and_randomness + 32);
+
+ uint8_t failure_key[32];
+ kdf(failure_key, priv->fo_failure_secret, ciphertext, ciphertext_len);
+
+ uint8_t mask = constant_time_eq_int_8(
+ CRYPTO_memcmp(ciphertext, expected_ciphertext, ciphertext_len), 0);
+ for (int i = 0; i < MLKEM_SHARED_SECRET_BYTES; i++) {
+ out_shared_secret[i] =
+ constant_time_select_8(mask, key_and_randomness[i], failure_key[i]);
+ }
+}
+
+int MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+ const uint8_t *ciphertext, size_t ciphertext_len,
+ const struct MLKEM768_private_key *private_key) {
+ if (ciphertext_len != MLKEM768_CIPHERTEXT_BYTES) {
+ RAND_bytes(out_shared_secret, MLKEM_SHARED_SECRET_BYTES);
+ return 0;
+ }
+ const struct ::private_key *priv =
+ private_key_768_from_external(private_key);
+ mlkem_decap(out_shared_secret, ciphertext, priv);
+ return 1;
+}
+
+int MLKEM1024_decap(uint8_t
out_shared_secret[MLKEM_SHARED_SECRET_BYTES], + const uint8_t *ciphertext, size_t ciphertext_len, + const struct MLKEM1024_private_key *private_key) { + if (ciphertext_len != MLKEM1024_CIPHERTEXT_BYTES) { + RAND_bytes(out_shared_secret, MLKEM_SHARED_SECRET_BYTES); + return 0; + } + const struct ::private_key *priv = + private_key_1024_from_external(private_key); + mlkem_decap(out_shared_secret, ciphertext, priv); + return 1; +} + +int MLKEM768_marshal_public_key(CBB *out, + const struct MLKEM768_public_key *public_key) { + return mlkem_marshal_public_key(out, + public_key_768_from_external(public_key)); +} + +int MLKEM1024_marshal_public_key( + CBB *out, const struct MLKEM1024_public_key *public_key) { + return mlkem_marshal_public_key(out, + public_key_1024_from_external(public_key)); +} + +// mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate +// the value of |pub->public_key_hash|. +template +static int mlkem_parse_public_key_no_hash(struct public_key *pub, + CBS *in) { + CBS t_bytes; + if (!CBS_get_bytes(in, &t_bytes, encoded_vector_size(RANK)) || + !vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime) || + !CBS_copy_bytes(in, pub->rho, sizeof(pub->rho))) { + return 0; + } + matrix_expand(&pub->m, pub->rho); + return 1; +} + +template +static int mlkem_parse_public_key(struct public_key *pub, CBS *in) { + CBS orig_in = *in; + if (!mlkem_parse_public_key_no_hash(pub, in) || // + CBS_len(in) != 0) { + return 0; + } + hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in)); + return 1; +} + +int MLKEM768_parse_public_key(struct MLKEM768_public_key *public_key, CBS *in) { + struct ::public_key *pub = public_key_768_from_external(public_key); + return mlkem_parse_public_key(pub, in); +} + +int MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key, + CBS *in) { + struct ::public_key *pub = + public_key_1024_from_external(public_key); + return mlkem_parse_public_key(pub, in); +} + +template +static int 
mlkem_marshal_private_key(CBB *out, + const struct private_key *priv) { + uint8_t *s_output; + if (!CBB_add_space(out, &s_output, encoded_vector_size(RANK))) { + return 0; + } + vector_encode(s_output, &priv->s, kLog2Prime); + if (!mlkem_marshal_public_key(out, &priv->pub) || + !CBB_add_bytes(out, priv->pub.public_key_hash, + sizeof(priv->pub.public_key_hash)) || + !CBB_add_bytes(out, priv->fo_failure_secret, + sizeof(priv->fo_failure_secret))) { + return 0; + } + return 1; +} + +int MLKEM768_marshal_private_key( + CBB *out, const struct MLKEM768_private_key *private_key) { + const struct ::private_key *const priv = + private_key_768_from_external(private_key); + return mlkem_marshal_private_key(out, priv); +} + +int MLKEM1024_marshal_private_key( + CBB *out, const struct MLKEM1024_private_key *private_key) { + const struct ::private_key *const priv = + private_key_1024_from_external(private_key); + return mlkem_marshal_private_key(out, priv); +} + +template +static int mlkem_parse_private_key(struct private_key *priv, CBS *in) { + CBS s_bytes; + if (!CBS_get_bytes(in, &s_bytes, encoded_vector_size(RANK)) || + !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) || + !mlkem_parse_public_key_no_hash(&priv->pub, in) || + !CBS_copy_bytes(in, priv->pub.public_key_hash, + sizeof(priv->pub.public_key_hash)) || + !CBS_copy_bytes(in, priv->fo_failure_secret, + sizeof(priv->fo_failure_secret)) || + CBS_len(in) != 0) { + return 0; + } + return 1; +} + +int MLKEM768_parse_private_key(struct MLKEM768_private_key *out_private_key, + CBS *in) { + struct private_key *const priv = + private_key_768_from_external(out_private_key); + return mlkem_parse_private_key(priv, in); +} + +int MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key, + CBS *in) { + struct private_key *const priv = + private_key_1024_from_external(out_private_key); + return mlkem_parse_private_key(priv, in); +} 
diff --git a/Sources/CNIOBoringSSL/crypto/obj/obj_dat.h b/Sources/CNIOBoringSSL/crypto/obj/obj_dat.h index 71ef2d2bd..f1b706391 100644 --- a/Sources/CNIOBoringSSL/crypto/obj/obj_dat.h +++ b/Sources/CNIOBoringSSL/crypto/obj/obj_dat.h @@ -57,7 +57,7 @@ /* This file is generated by crypto/obj/objects.go. */ -#define NUM_NID 965 +#define NUM_NID 966 static const uint8_t kObjectData[] = { /* NID_rsadsi */ @@ -8783,6 +8783,7 @@ static const ASN1_OBJECT kObjects[NUM_NID] = { {"HKDF", "hkdf", NID_hkdf, 0, NULL, 0}, {"X25519Kyber768Draft00", "X25519Kyber768Draft00", NID_X25519Kyber768Draft00, 0, NULL, 0}, + {"X25519MLKEM768", "X25519MLKEM768", NID_X25519MLKEM768, 0, NULL, 0}, }; static const uint16_t kNIDsInShortNameOrder[] = { @@ -8981,6 +8982,7 @@ static const uint16_t kNIDsInShortNameOrder[] = { 458 /* UID */, 948 /* X25519 */, 964 /* X25519Kyber768Draft00 */, + 965 /* X25519MLKEM768 */, 961 /* X448 */, 11 /* X500 */, 378 /* X500algorithms */, @@ -9852,6 +9854,7 @@ static const uint16_t kNIDsInLongNameOrder[] = { 375 /* Trust Root */, 948 /* X25519 */, 964 /* X25519Kyber768Draft00 */, + 965 /* X25519MLKEM768 */, 961 /* X448 */, 12 /* X509 */, 402 /* X509v3 AC Targeting */, diff --git a/Sources/CNIOBoringSSL/crypto/pem/pem_info.c b/Sources/CNIOBoringSSL/crypto/pem/pem_info.c index 042c3dec1..20460a0bc 100644 --- a/Sources/CNIOBoringSSL/crypto/pem/pem_info.c +++ b/Sources/CNIOBoringSSL/crypto/pem/pem_info.c 
@@ -69,6 +69,37 @@ #include #include + +static X509_PKEY *X509_PKEY_new(void) { + return OPENSSL_zalloc(sizeof(X509_PKEY)); +} + +static void X509_PKEY_free(X509_PKEY *x) { + if (x == NULL) { + return; + } + + EVP_PKEY_free(x->dec_pkey); + OPENSSL_free(x); +} + +static X509_INFO *X509_INFO_new(void) { + return OPENSSL_zalloc(sizeof(X509_INFO)); +} + +void X509_INFO_free(X509_INFO *x) { + if (x == NULL) { + return; + } + + X509_free(x->x509); + X509_CRL_free(x->crl); + X509_PKEY_free(x->x_pkey); + OPENSSL_free(x->enc_data); + OPENSSL_free(x); +} + + STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u) { BIO *b = BIO_new_fp(fp, BIO_NOCLOSE); diff --git a/Sources/CNIOBoringSSL/crypto/pem/pem_lib.c b/Sources/CNIOBoringSSL/crypto/pem/pem_lib.c index 6f9bb6952..1f37375c9 100644 --- a/Sources/CNIOBoringSSL/crypto/pem/pem_lib.c +++ b/Sources/CNIOBoringSSL/crypto/pem/pem_lib.c @@ -261,21 +261,22 @@ int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, } int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, void *x, - const EVP_CIPHER *enc, unsigned char *kstr, int klen, - pem_password_cb *callback, void *u) { + const EVP_CIPHER *enc, const unsigned char *pass, + int pass_len, pem_password_cb *callback, void *u) { BIO *b = BIO_new_fp(fp, BIO_NOCLOSE); if (b == NULL) { OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB); return 0; } - int ret = PEM_ASN1_write_bio(i2d, name, b, x, enc, kstr, klen, callback, u); + int ret = + PEM_ASN1_write_bio(i2d, name, b, x, enc, pass, pass_len, callback, u); BIO_free(b); return ret; } int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, - const EVP_CIPHER *enc, unsigned char *kstr, int klen, - pem_password_cb *callback, void *u) { + const EVP_CIPHER *enc, const unsigned char *pass, + int pass_len, pem_password_cb *callback, void *u) { EVP_CIPHER_CTX ctx; int dsize = 0, i, j, ret = 0; unsigned char *p, *data = NULL; 
@@ -310,17 +311,16 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, if (enc != NULL) { const unsigned iv_len = EVP_CIPHER_iv_length(enc); - if (kstr == NULL) { - klen = 0; + if (pass == NULL) { if (!callback) { callback = PEM_def_callback; } - klen = (*callback)(buf, PEM_BUFSIZE, 1, u); - if (klen <= 0) { + pass_len = (*callback)(buf, PEM_BUFSIZE, 1, u); + if (pass_len < 0) { OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY); goto err; } - kstr = (unsigned char *)buf; + pass = (const unsigned char *)buf; } assert(iv_len <= sizeof(iv)); if (!RAND_bytes(iv, iv_len)) { // Generate a salt @@ -328,11 +328,11 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, } // The 'iv' is used as the iv and as a salt. It is NOT taken from // the BytesToKey function - if (!EVP_BytesToKey(enc, EVP_md5(), iv, kstr, klen, 1, key, NULL)) { + if (!EVP_BytesToKey(enc, EVP_md5(), iv, pass, pass_len, 1, key, NULL)) { goto err; } - if (kstr == (unsigned char *)buf) { + if (pass == (const unsigned char *)buf) { OPENSSL_cleanse(buf, PEM_BUFSIZE); } @@ -375,7 +375,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, pem_password_cb *callback, void *u) { - int i = 0, j, o, klen; + int i = 0, j, o, pass_len; long len; EVP_CIPHER_CTX ctx; unsigned char key[EVP_MAX_KEY_LENGTH]; @@ -387,18 +387,18 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, return 1; } - klen = 0; + pass_len = 0; if (!callback) { callback = PEM_def_callback; } - klen = callback(buf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + pass_len = callback(buf, PEM_BUFSIZE, 0, u); + if (pass_len < 0) { OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ); return 0; } if (!EVP_BytesToKey(cipher->cipher, EVP_md5(), &(cipher->iv[0]), - (unsigned char *)buf, klen, 1, key, NULL)) { + (unsigned char *)buf, pass_len, 1, key, NULL)) { return 0; } 
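Review bot: Relaxing the check to `if (pass_len < 0)` means a callback returning 0 now proceeds in PEM_ASN1_write_bio and PEM_do_header, so `EVP_BytesToKey(enc, EVP_md5(), iv, pass, 0, 1, ...)` derives the key from one MD5 pass over the public IV/salt alone and the resulting "encrypted" PEM has no confidentiality against anyone who can read it; the removed `klen <= 0` rejected that case and nothing in the hunk records that accepting it is intended. A one-line comment at the check would make the contract explicit, e.g. `// A zero return means an empty passphrase and is accepted; only a negative return is an error.`, and the public header (outside this diff) should state the same convention so callers know to reject empty passphrases themselves if they need real protection. Both enclosing functions extend beyond the hunk.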
@@ -778,11 +778,11 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data, int PEM_def_callback(char *buf, int size, int rwflag, void *userdata) { if (!buf || !userdata || size < 0) { - return 0; + return -1; } size_t len = strlen((char *)userdata); if (len >= (size_t)size) { - return 0; + return -1; } OPENSSL_strlcpy(buf, userdata, (size_t)size); return (int)len; diff --git a/Sources/CNIOBoringSSL/crypto/pem/pem_pk8.c b/Sources/CNIOBoringSSL/crypto/pem/pem_pk8.c index a8dbc4878..93b37d24b 100644 --- a/Sources/CNIOBoringSSL/crypto/pem/pem_pk8.c +++ b/Sources/CNIOBoringSSL/crypto/pem/pem_pk8.c @@ -65,10 +65,10 @@ #include static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, - const EVP_CIPHER *enc, char *kstr, int klen, + const EVP_CIPHER *enc, const char *pass, int pass_len, pem_password_cb *cb, void *u); static int do_pk8pkey_fp(FILE *bp, const EVP_PKEY *x, int isder, int nid, - const EVP_CIPHER *enc, char *kstr, int klen, + const EVP_CIPHER *enc, const char *pass, int pass_len, pem_password_cb *cb, void *u); // These functions write a private key in PKCS#8 format: it is a "drop in" 
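Review bot: PEM_def_callback now returns -1 for errors while 0 is a legitimate (empty) password, but the function carries no comment stating that convention, and every caller in this patch depends on it. Suggest adding above the definition: `// PEM_def_callback copies |userdata|, a NUL-terminated password, into |buf| and returns its length (zero for an empty password), or -1 if |userdata| is NULL or does not fit in |size| bytes.` Note that `size == 0` passes the `size < 0` guard and then fails `len >= (size_t)size` for every input, which is correct but worth the comment's "does not fit" wording.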
@@ -77,30 +77,31 @@ static int do_pk8pkey_fp(FILE *bp, const EVP_PKEY *x, int isder, int nid, // uses PKCS#5 v1.5 PBE algorithms whereas the others use PKCS#5 v2.0. int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x, int nid, - char *kstr, int klen, pem_password_cb *cb, - void *u) { - return do_pk8pkey(bp, x, 0, nid, NULL, kstr, klen, cb, u); + const char *pass, int pass_len, + pem_password_cb *cb, void *u) { + return do_pk8pkey(bp, x, 0, nid, NULL, pass, pass_len, cb, u); } int PEM_write_bio_PKCS8PrivateKey(BIO *bp, const EVP_PKEY *x, - const EVP_CIPHER *enc, char *kstr, int klen, - pem_password_cb *cb, void *u) { - return do_pk8pkey(bp, x, 0, -1, enc, kstr, klen, cb, u); + const EVP_CIPHER *enc, const char *pass, + int pass_len, pem_password_cb *cb, void *u) { + return do_pk8pkey(bp, x, 0, -1, enc, pass, pass_len, cb, u); } int i2d_PKCS8PrivateKey_bio(BIO *bp, const EVP_PKEY *x, const EVP_CIPHER *enc, - char *kstr, int klen, pem_password_cb *cb, + const char *pass, int pass_len, pem_password_cb *cb, void *u) { - return do_pk8pkey(bp, x, 1, -1, enc, kstr, klen, cb, u); + return do_pk8pkey(bp, x, 1, -1, enc, pass, pass_len, cb, u); } -int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, const EVP_PKEY *x, int nid, char *kstr, - int klen, pem_password_cb *cb, void *u) { - return do_pk8pkey(bp, x, 1, nid, NULL, kstr, klen, cb, u); +int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, const EVP_PKEY *x, int nid, + const char *pass, int pass_len, + pem_password_cb *cb, void *u) { + return do_pk8pkey(bp, x, 1, nid, NULL, pass, pass_len, cb, u); } static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, - const EVP_CIPHER *enc, char *kstr, int klen, + const EVP_CIPHER *enc, const char *pass, int pass_len, pem_password_cb *cb, void *u) { X509_SIG *p8; PKCS8_PRIV_KEY_INFO *p8inf; 
@@ -111,23 +112,22 @@ static int do_pk8pkey(BIO *bp, const EVP_PKEY *x, int isder, int nid, return 0; } if (enc || (nid != -1)) { - if (!kstr) { - klen = 0; + if (!pass) { if (!cb) { cb = PEM_def_callback; } - klen = cb(buf, PEM_BUFSIZE, 1, u); - if (klen <= 0) { + pass_len = cb(buf, PEM_BUFSIZE, 1, u); + if (pass_len < 0) { OPENSSL_PUT_ERROR(PEM, PEM_R_READ_KEY); PKCS8_PRIV_KEY_INFO_free(p8inf); return 0; } - kstr = buf; + pass = buf; } - p8 = PKCS8_encrypt(nid, enc, kstr, klen, NULL, 0, 0, p8inf); - if (kstr == buf) { - OPENSSL_cleanse(buf, klen); + p8 = PKCS8_encrypt(nid, enc, pass, pass_len, NULL, 0, 0, p8inf); + if (pass == buf) { + OPENSSL_cleanse(buf, pass_len); } PKCS8_PRIV_KEY_INFO_free(p8inf); if (isder) { @@ -152,7 +152,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u) { PKCS8_PRIV_KEY_INFO *p8inf = NULL; X509_SIG *p8 = NULL; - int klen; + int pass_len; EVP_PKEY *ret; char psbuf[PEM_BUFSIZE]; p8 = d2i_PKCS8_bio(bp, NULL); @@ -160,19 +160,19 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, return NULL; } - klen = 0; + pass_len = 0; if (!cb) { cb = PEM_def_callback; } - klen = cb(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + pass_len = cb(psbuf, PEM_BUFSIZE, 0, u); + if (pass_len < 0) { OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); return NULL; } - p8inf = PKCS8_decrypt(p8, psbuf, klen); + p8inf = PKCS8_decrypt(p8, psbuf, pass_len); X509_SIG_free(p8); - OPENSSL_cleanse(psbuf, klen); + OPENSSL_cleanse(psbuf, pass_len); if (!p8inf) { return NULL; } 
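Review bot: `OPENSSL_cleanse(buf, pass_len)` in do_pk8pkey and `OPENSSL_cleanse(psbuf, pass_len)` in d2i_PKCS8PrivateKey_bio wipe only the byte count the callback reported, whereas PEM_ASN1_write_bio in pem_lib.c wipes the full `PEM_BUFSIZE`; the callback is handed the whole buffer and may write more than it returns (PEM_def_callback at least writes a trailing NUL), and with the now-permitted `pass_len == 0` nothing is wiped at all. Suggest `OPENSSL_cleanse(buf, PEM_BUFSIZE);` in do_pk8pkey and `OPENSSL_cleanse(psbuf, sizeof(psbuf));` in d2i_PKCS8PrivateKey_bio, where `psbuf` is visibly `char psbuf[PEM_BUFSIZE]` (buf's declaration in do_pk8pkey is outside the hunk, so use whichever size it is declared with). The `pass_len < 0` early return in do_pk8pkey also leaves buf unwiped, though a callback reporting an error presumably has not written a secret. Both functions extend beyond the hunk.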
@@ -192,29 +192,31 @@ EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, int i2d_PKCS8PrivateKey_fp(FILE *fp, const EVP_PKEY *x, const EVP_CIPHER *enc, - char *kstr, int klen, pem_password_cb *cb, void *u) { - return do_pk8pkey_fp(fp, x, 1, -1, enc, kstr, klen, cb, u); + const char *pass, int pass_len, pem_password_cb *cb, + void *u) { + return do_pk8pkey_fp(fp, x, 1, -1, enc, pass, pass_len, cb, u); } -int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, const EVP_PKEY *x, int nid, char *kstr, - int klen, pem_password_cb *cb, void *u) { - return do_pk8pkey_fp(fp, x, 1, nid, NULL, kstr, klen, cb, u); +int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, const EVP_PKEY *x, int nid, + const char *pass, int pass_len, + pem_password_cb *cb, void *u) { + return do_pk8pkey_fp(fp, x, 1, nid, NULL, pass, pass_len, cb, u); } int PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x, int nid, - char *kstr, int klen, pem_password_cb *cb, - void *u) { - return do_pk8pkey_fp(fp, x, 0, nid, NULL, kstr, klen, cb, u); + const char *pass, int pass_len, + pem_password_cb *cb, void *u) { + return do_pk8pkey_fp(fp, x, 0, nid, NULL, pass, pass_len, cb, u); } int PEM_write_PKCS8PrivateKey(FILE *fp, const EVP_PKEY *x, - const EVP_CIPHER *enc, char *kstr, int klen, - pem_password_cb *cb, void *u) { - return do_pk8pkey_fp(fp, x, 0, -1, enc, kstr, klen, cb, u); + const EVP_CIPHER *enc, const char *pass, + int pass_len, pem_password_cb *cb, void *u) { + return do_pk8pkey_fp(fp, x, 0, -1, enc, pass, pass_len, cb, u); } static int do_pk8pkey_fp(FILE *fp, const EVP_PKEY *x, int isder, int nid, - const EVP_CIPHER *enc, char *kstr, int klen, + const EVP_CIPHER *enc, const char *pass, int pass_len, pem_password_cb *cb, void *u) { BIO *bp; int ret; 
@@ -222,7 +224,7 @@ static int do_pk8pkey_fp(FILE *fp, const EVP_PKEY *x, int isder, int nid, OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB); return 0; } - ret = do_pk8pkey(bp, x, isder, nid, enc, kstr, klen, cb, u); + ret = do_pk8pkey(bp, x, isder, nid, enc, pass, pass_len, cb, u); BIO_free(bp); return ret; } diff --git a/Sources/CNIOBoringSSL/crypto/pem/pem_pkey.c b/Sources/CNIOBoringSSL/crypto/pem/pem_pkey.c index 878c73adf..420254491 100644 --- a/Sources/CNIOBoringSSL/crypto/pem/pem_pkey.c +++ b/Sources/CNIOBoringSSL/crypto/pem/pem_pkey.c @@ -98,26 +98,26 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, } else if (strcmp(nm, PEM_STRING_PKCS8) == 0) { PKCS8_PRIV_KEY_INFO *p8inf; X509_SIG *p8; - int klen; + int pass_len; char psbuf[PEM_BUFSIZE]; p8 = d2i_X509_SIG(NULL, &p, len); if (!p8) { goto p8err; } - klen = 0; + pass_len = 0; if (!cb) { cb = PEM_def_callback; } - klen = cb(psbuf, PEM_BUFSIZE, 0, u); - if (klen <= 0) { + pass_len = cb(psbuf, PEM_BUFSIZE, 0, u); + if (pass_len < 0) { OPENSSL_PUT_ERROR(PEM, PEM_R_BAD_PASSWORD_READ); X509_SIG_free(p8); goto err; } - p8inf = PKCS8_decrypt(p8, psbuf, klen); + p8inf = PKCS8_decrypt(p8, psbuf, pass_len); X509_SIG_free(p8); - OPENSSL_cleanse(psbuf, klen); + OPENSSL_cleanse(psbuf, pass_len); if (!p8inf) { goto p8err; } @@ -151,9 +151,10 @@ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, } int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, pem_password_cb *cb, - void *u) { - return PEM_write_bio_PKCS8PrivateKey(bp, x, enc, (char *)kstr, klen, cb, u); + const unsigned char *pass, int pass_len, + pem_password_cb *cb, void *u) { + return PEM_write_bio_PKCS8PrivateKey(bp, x, enc, (const char *)pass, pass_len, + cb, u); } EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, 
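Review bot: `OPENSSL_cleanse(psbuf, pass_len)` in PEM_read_bio_PrivateKey wipes only the reported length of the `char psbuf[PEM_BUFSIZE]` buffer the callback was given, and nothing at all when the callback returns 0, which this patch now allows. `OPENSSL_cleanse(psbuf, sizeof(psbuf));` wipes the whole declared buffer at no cost and matches the full-buffer wipe PEM_ASN1_write_bio does in pem_lib.c. PEM_read_bio_PrivateKey extends beyond the hunk.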
@@ -169,14 +170,14 @@ EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, } int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, pem_password_cb *cb, - void *u) { + const unsigned char *pass, int pass_len, + pem_password_cb *cb, void *u) { BIO *b = BIO_new_fp(fp, BIO_NOCLOSE); if (b == NULL) { OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB); return 0; } - int ret = PEM_write_bio_PrivateKey(b, x, enc, kstr, klen, cb, u); + int ret = PEM_write_bio_PrivateKey(b, x, enc, pass, pass_len, cb, u); BIO_free(b); return ret; } diff --git a/Sources/CNIOBoringSSL/crypto/pkcs8/internal.h b/Sources/CNIOBoringSSL/crypto/pkcs8/internal.h index ba6a926d2..ac2af3985 100644 --- a/Sources/CNIOBoringSSL/crypto/pkcs8/internal.h +++ b/Sources/CNIOBoringSSL/crypto/pkcs8/internal.h @@ -57,6 +57,7 @@ #define OPENSSL_HEADER_PKCS8_INTERNAL_H #include +#include #if defined(__cplusplus) extern "C" { diff --git a/Sources/CNIOBoringSSL/crypto/pkcs8/pkcs8_x509.c b/Sources/CNIOBoringSSL/crypto/pkcs8/pkcs8_x509.c index 56cd8a9ec..024b72bdf 100644 --- a/Sources/CNIOBoringSSL/crypto/pkcs8/pkcs8_x509.c +++ b/Sources/CNIOBoringSSL/crypto/pkcs8/pkcs8_x509.c @@ -70,9 +70,10 @@ #include #include -#include "internal.h" #include "../bytestring/internal.h" #include "../internal.h" +#include "../x509/internal.h" +#include "internal.h" int pkcs12_iterations_acceptable(uint64_t iterations) { diff --git a/Sources/CNIOBoringSSL/crypto/poly1305/poly1305_vec.c b/Sources/CNIOBoringSSL/crypto/poly1305/poly1305_vec.c index 62c082bd2..1af7b9721 100644 --- a/Sources/CNIOBoringSSL/crypto/poly1305/poly1305_vec.c +++ b/Sources/CNIOBoringSSL/crypto/poly1305/poly1305_vec.c 
@@ -31,11 +31,11 @@ typedef __m128i xmmi; -static const alignas(16) uint32_t poly1305_x64_sse2_message_mask[4] = { +alignas(16) static const uint32_t poly1305_x64_sse2_message_mask[4] = { (1 << 26) - 1, 0, (1 << 26) - 1, 0}; -static const alignas(16) uint32_t poly1305_x64_sse2_5[4] = {5, 0, 5, 0}; -static const alignas(16) uint32_t poly1305_x64_sse2_1shl128[4] = { - (1 << 24), 0, (1 << 24), 0}; +alignas(16) static const uint32_t poly1305_x64_sse2_5[4] = {5, 0, 5, 0}; +alignas(16) static const uint32_t poly1305_x64_sse2_1shl128[4] = {(1 << 24), 0, + (1 << 24), 0}; static inline uint128_t add128(uint128_t a, uint128_t b) { return a + b; } @@ -136,7 +136,8 @@ void CRYPTO_poly1305_init(poly1305_state *state, const uint8_t key[32]) { static void poly1305_first_block(poly1305_state_internal *st, const uint8_t *m) { - const xmmi MMASK = _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); + const xmmi MMASK = + _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5); const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128); xmmi T5, T6; @@ -181,7 +182,7 @@ static void poly1305_first_block(poly1305_state_internal *st, r20 = r20 & 0xfffffffffff; r21 += c; - p->R20.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)(r20)&0x3ffffff), + p->R20.v = _mm_shuffle_epi32(_mm_cvtsi32_si128((uint32_t)(r20) & 0x3ffffff), _MM_SHUFFLE(1, 0, 1, 0)); p->R21.v = _mm_shuffle_epi32( _mm_cvtsi32_si128((uint32_t)((r20 >> 26) | (r21 << 18)) & 0x3ffffff), 
@@ -229,7 +230,8 @@ static void poly1305_first_block(poly1305_state_internal *st, static void poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, size_t bytes) { - const xmmi MMASK = _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); + const xmmi MMASK = + _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5); const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128); @@ -419,7 +421,8 @@ static void poly1305_blocks(poly1305_state_internal *st, const uint8_t *m, static size_t poly1305_combine(poly1305_state_internal *st, const uint8_t *m, size_t bytes) { - const xmmi MMASK = _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); + const xmmi MMASK = + _mm_load_si128((const xmmi *)poly1305_x64_sse2_message_mask); const xmmi HIBIT = _mm_load_si128((const xmmi *)poly1305_x64_sse2_1shl128); const xmmi FIVE = _mm_load_si128((const xmmi *)poly1305_x64_sse2_5); @@ -547,7 +550,7 @@ static size_t poly1305_combine(poly1305_state_internal *st, const uint8_t *m, r1 = ((uint64_t)p->R21.d[3] << 32) | (uint64_t)p->R21.d[1]; r2 = ((uint64_t)p->R22.d[3] << 32) | (uint64_t)p->R22.d[1]; - p->R20.d[2] = (uint32_t)(r0)&0x3ffffff; + p->R20.d[2] = (uint32_t)(r0) & 0x3ffffff; p->R21.d[2] = (uint32_t)((r0 >> 26) | (r1 << 18)) & 0x3ffffff; p->R22.d[2] = (uint32_t)((r1 >> 8)) & 0x3ffffff; p->R23.d[2] = (uint32_t)((r1 >> 34) | (r2 << 10)) & 0x3ffffff; @@ -838,7 +841,7 @@ void CRYPTO_poly1305_finish(poly1305_state *state, uint8_t mac[16]) { c = (h1 >> 44); h1 &= 0xfffffffffff; t1 = (t1 >> 24); - h2 += (t1)+c; + h2 += (t1) + c; CRYPTO_store_u64_le(mac + 0, ((h0) | (h1 << 44))); CRYPTO_store_u64_le(mac + 8, ((h1 >> 20) | (h2 << 24))); diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/deterministic.c b/Sources/CNIOBoringSSL/crypto/rand_extra/deterministic.c index db46f5562..44efdc522 100644 --- a/Sources/CNIOBoringSSL/crypto/rand_extra/deterministic.c 
+++ b/Sources/CNIOBoringSSL/crypto/rand_extra/deterministic.c @@ -14,7 +14,8 @@ #include -#include "../fipsmodule/rand/internal.h" +#include "../bcm_support.h" +#include "sysrand_internal.h" #if defined(OPENSSL_RAND_DETERMINISTIC) @@ -35,6 +36,8 @@ static CRYPTO_MUTEX g_num_calls_lock = CRYPTO_MUTEX_INIT; void RAND_reset_for_fuzzing(void) { g_num_calls = 0; } +void CRYPTO_init_sysrand(void) {} + void CRYPTO_sysrand(uint8_t *out, size_t requested) { static const uint8_t kZeroKey[32]; @@ -50,6 +53,11 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) { CRYPTO_chacha_20(out, out, requested, kZeroKey, nonce, 0); } +int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) { + CRYPTO_sysrand(buf, len); + return 1; +} + void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/fork_detect.c b/Sources/CNIOBoringSSL/crypto/rand_extra/fork_detect.c similarity index 81% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rand/fork_detect.c rename to Sources/CNIOBoringSSL/crypto/rand_extra/fork_detect.c index 24807596d..99be497aa 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/fork_detect.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/fork_detect.c @@ -16,8 +16,7 @@ #define _GNU_SOURCE // needed for madvise() and MAP_ANONYMOUS on Linux. #endif -#include -#include "fork_detect.h" +#include "../bcm_support.h" #if defined(OPENSSL_FORK_DETECTION_MADVISE) #include 
@@ -35,19 +34,18 @@ static_assert(MADV_WIPEONFORK == 18, "MADV_WIPEONFORK is not 18"); #include #endif // OPENSSL_FORK_DETECTION_MADVISE -#include "../delocate.h" -#include "../../internal.h" +#include "../internal.h" #if defined(OPENSSL_FORK_DETECTION_MADVISE) -DEFINE_BSS_GET(int, g_force_madv_wipeonfork); -DEFINE_BSS_GET(int, g_force_madv_wipeonfork_enabled); -DEFINE_STATIC_ONCE(g_fork_detect_once); -DEFINE_STATIC_MUTEX(g_fork_detect_lock); -DEFINE_BSS_GET(CRYPTO_atomic_u32 *, g_fork_detect_addr); -DEFINE_BSS_GET(uint64_t, g_fork_generation); +static int g_force_madv_wipeonfork; +static int g_force_madv_wipeonfork_enabled; +static CRYPTO_once_t g_fork_detect_once = CRYPTO_ONCE_INIT; +static CRYPTO_MUTEX g_fork_detect_lock = CRYPTO_MUTEX_INIT; +static CRYPTO_atomic_u32 * g_fork_detect_addr; +static uint64_t g_fork_generation; static void init_fork_detect(void) { - if (*g_force_madv_wipeonfork_bss_get()) { + if (g_force_madv_wipeonfork) { return; } @@ -74,13 +72,13 @@ static void init_fork_detect(void) { } CRYPTO_atomic_store_u32(addr, 1); - *g_fork_detect_addr_bss_get() = addr; - *g_fork_generation_bss_get() = 1; + g_fork_detect_addr = addr; + g_fork_generation = 1; } uint64_t CRYPTO_get_fork_generation(void) { - CRYPTO_once(g_fork_detect_once_bss_get(), init_fork_detect); + CRYPTO_once(&g_fork_detect_once, init_fork_detect); // In a single-threaded process, there are obviously no races because there's // only a single mutator in the address space. 
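Review bot: `static CRYPTO_atomic_u32 * g_fork_detect_addr;` puts a space on both sides of the declarator, unlike every other pointer declaration in this file (`CRYPTO_atomic_u32 *const flag_ptr`, `uint64_t *const generation_ptr`); write `static CRYPTO_atomic_u32 *g_fork_detect_addr;`. Since the DEFINE_BSS_GET accessors are gone, a short comment over the new statics recording that this file now lives outside the FIPS module and so ordinary file-scope globals are acceptable would save the next reader from wondering why the delocate pattern was dropped; I infer that from the path move and the removed `../delocate.h` include, so confirm the wording.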
@@ -93,12 +91,12 @@ uint64_t CRYPTO_get_fork_generation(void) { // child process is single-threaded, the child may become multi-threaded // before it observes this. Therefore, we must synchronize the logic below. - CRYPTO_atomic_u32 *const flag_ptr = *g_fork_detect_addr_bss_get(); + CRYPTO_atomic_u32 *const flag_ptr = g_fork_detect_addr; if (flag_ptr == NULL) { // Our kernel is too old to support |MADV_WIPEONFORK| or // |g_force_madv_wipeonfork| is set. - if (*g_force_madv_wipeonfork_bss_get() && - *g_force_madv_wipeonfork_enabled_bss_get()) { + if (g_force_madv_wipeonfork && + g_force_madv_wipeonfork_enabled) { // A constant generation number to simulate support, even if the kernel // doesn't support it. return 42; @@ -114,7 +112,7 @@ uint64_t CRYPTO_get_fork_generation(void) { // In the common case, try to observe the flag without taking a lock. This // avoids cacheline contention in the PRNG. - uint64_t *const generation_ptr = g_fork_generation_bss_get(); + uint64_t *const generation_ptr = &g_fork_generation; if (CRYPTO_atomic_load_u32(flag_ptr) != 0) { // If we observe a non-zero flag, it is safe to read |generation_ptr| // without a lock. The flag and generation number are fixed for this copy of @@ -125,7 +123,7 @@ uint64_t CRYPTO_get_fork_generation(void) { // The flag was zero. The generation number must be incremented, but other // threads may have concurrently observed the zero, so take a lock before // incrementing. - CRYPTO_MUTEX *const lock = g_fork_detect_lock_bss_get(); + CRYPTO_MUTEX *const lock = &g_fork_detect_lock; CRYPTO_MUTEX_lock_write(lock); uint64_t current_generation = *generation_ptr; if (CRYPTO_atomic_load_u32(flag_ptr) == 0) { 
@@ -147,35 +145,35 @@ uint64_t CRYPTO_get_fork_generation(void) { } void CRYPTO_fork_detect_force_madv_wipeonfork_for_testing(int on) { - *g_force_madv_wipeonfork_bss_get() = 1; - *g_force_madv_wipeonfork_enabled_bss_get() = on; + g_force_madv_wipeonfork = 1; + g_force_madv_wipeonfork_enabled = on; } #elif defined(OPENSSL_FORK_DETECTION_PTHREAD_ATFORK) -DEFINE_STATIC_ONCE(g_pthread_fork_detection_once); -DEFINE_BSS_GET(uint64_t, g_atfork_fork_generation); +static CRYPTO_once_t g_pthread_fork_detection_once = CRYPTO_ONCE_INIT; +static uint64_t g_atfork_fork_generation; static void we_are_forked(void) { // Immediately after a fork, the process must be single-threaded. - uint64_t value = *g_atfork_fork_generation_bss_get() + 1; + uint64_t value = g_atfork_fork_generation + 1; if (value == 0) { value = 1; } - *g_atfork_fork_generation_bss_get() = value; + g_atfork_fork_generation = value; } static void init_pthread_fork_detection(void) { if (pthread_atfork(NULL, NULL, we_are_forked) != 0) { abort(); } - *g_atfork_fork_generation_bss_get() = 1; + g_atfork_fork_generation = 1; } uint64_t CRYPTO_get_fork_generation(void) { - CRYPTO_once(g_pthread_fork_detection_once_bss_get(), init_pthread_fork_detection); + CRYPTO_once(&g_pthread_fork_detection_once, init_pthread_fork_detection); - return *g_atfork_fork_generation_bss_get(); + return g_atfork_fork_generation; } #elif defined(OPENSSL_DOES_NOT_FORK) diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/getentropy.c b/Sources/CNIOBoringSSL/crypto/rand_extra/getentropy.c index 4dc33e471..b94bb8d80 100644 --- a/Sources/CNIOBoringSSL/crypto/rand_extra/getentropy.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/getentropy.c @@ -18,7 +18,8 @@ #include -#include "../fipsmodule/rand/internal.h" +#include "../bcm_support.h" +#include "sysrand_internal.h" #if defined(OPENSSL_RAND_GETENTROPY) 
@@ -30,6 +31,8 @@ #include #endif +void CRYPTO_init_sysrand(void) {} + // CRYPTO_sysrand puts |requested| random bytes into |out|. void CRYPTO_sysrand(uint8_t *out, size_t requested) { while (requested > 0) { @@ -45,6 +48,11 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) { } } +int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) { + CRYPTO_sysrand(buf, len); + return 1; +} + void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/getrandom_fillin.h b/Sources/CNIOBoringSSL/crypto/rand_extra/getrandom_fillin.h similarity index 100% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rand/getrandom_fillin.h rename to Sources/CNIOBoringSSL/crypto/rand_extra/getrandom_fillin.h diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/ios.c b/Sources/CNIOBoringSSL/crypto/rand_extra/ios.c index aa61afe36..c765bef55 100644 --- a/Sources/CNIOBoringSSL/crypto/rand_extra/ios.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/ios.c @@ -14,19 +14,27 @@ #include -#include "../fipsmodule/rand/internal.h" +#include "../bcm_support.h" +#include "sysrand_internal.h" #if defined(OPENSSL_RAND_IOS) #include #include +void CRYPTO_init_sysrand(void) {} + void CRYPTO_sysrand(uint8_t *out, size_t requested) { if (CCRandomGenerateBytes(out, requested) != kCCSuccess) { abort(); } } +int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) { + CRYPTO_sysrand(buf, len); + return 1; +} + void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/passive.c b/Sources/CNIOBoringSSL/crypto/rand_extra/passive.c index e3c527be8..cf080c25d 100644 --- a/Sources/CNIOBoringSSL/crypto/rand_extra/passive.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/passive.c 
@@ -14,11 +14,27 @@ #include -#include "../fipsmodule/rand/internal.h" +#include "../fipsmodule/bcm_interface.h" +#include "../bcm_support.h" #include "../internal.h" #if defined(BORINGSSL_FIPS) +// passive_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable +// for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the +// entropy came directly from the CPU and zero if it came from the OS. It +// actively obtains entropy from the CPU/OS +static void passive_get_seed_entropy(uint8_t *out_entropy, + size_t out_entropy_len, + int *out_want_additional_input) { + *out_want_additional_input = 0; + if (bcm_success(BCM_rand_bytes_hwrng(out_entropy, out_entropy_len))) { + *out_want_additional_input = 1; + } else { + CRYPTO_sysrand_for_seed(out_entropy, out_entropy_len); + } +} + #define ENTROPY_READ_LEN \ (/* last_block size */ 16 + CTR_DRBG_ENTROPY_LEN * BORINGSSL_FIPS_OVERREAD) @@ -143,7 +159,7 @@ void RAND_need_entropy(size_t bytes_needed) { if (get_seed_from_daemon(buf, todo)) { want_additional_input = 1; } else { - CRYPTO_get_seed_entropy(buf, todo, &want_additional_input); + passive_get_seed_entropy(buf, todo, &want_additional_input); } if (boringssl_fips_break_test("CRNG")) { @@ -152,7 +168,7 @@ void RAND_need_entropy(size_t bytes_needed) { OPENSSL_memset(buf, 0, todo); } - RAND_load_entropy(buf, todo, want_additional_input); + BCM_rand_load_entropy(buf, todo, want_additional_input); } #endif // FIPS diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/rand_extra.c b/Sources/CNIOBoringSSL/crypto/rand_extra/rand_extra.c index d98a83d92..d842d7ba8 100644 --- a/Sources/CNIOBoringSSL/crypto/rand_extra/rand_extra.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/rand_extra.c 
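Review bot: The new comment on passive_get_seed_entropy documents a parameter `|*out_used_cpu|` that does not exist; the function's third parameter is `out_want_additional_input`, and the comment's last sentence trails off without a period. Suggest: `// passive_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable for seeding a DRBG, to |out_entropy|. It sets |*out_want_additional_input| to one if the bytes came from the CPU's hardware RNG (BCM_rand_bytes_hwrng) and to zero if they came from the OS via CRYPTO_sysrand_for_seed.` Whether BCM_rand_bytes_hwrng can partially fill |out_entropy| before reporting failure isn't visible here; the fallback overwrites the whole buffer either way, so that is fine, but it is worth a note if it can.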
@@ -12,11 +12,21 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#include + #include -#include +#include "../bcm_support.h" +#include "../fipsmodule/bcm_interface.h" +int RAND_bytes(uint8_t *buf, size_t len) { + BCM_rand_bytes(buf, len); + return 1; +} + +int RAND_pseudo_bytes(uint8_t *buf, size_t len) { return RAND_bytes(buf, len); } + void RAND_seed(const void *buf, int num) { // OpenSSH calls |RAND_seed| before jailing on the assumption that any needed // file descriptors etc will be opened. @@ -28,7 +38,7 @@ int RAND_load_file(const char *path, long num) { if (num < 0) { // read the "whole file" return 1; } else if (num <= INT_MAX) { - return (int) num; + return (int)num; } else { return INT_MAX; } 
@@ -38,37 +48,30 @@ const char *RAND_file_name(char *buf, size_t num) { return NULL; } void RAND_add(const void *buf, int num, double entropy) {} -int RAND_egd(const char *path) { - return 255; -} +int RAND_egd(const char *path) { return 255; } -int RAND_poll(void) { - return 1; -} +int RAND_poll(void) { return 1; } -int RAND_status(void) { - return 1; -} +int RAND_status(void) { return 1; } static const struct rand_meth_st kSSLeayMethod = { - RAND_seed, - RAND_bytes, - RAND_cleanup, - RAND_add, - RAND_pseudo_bytes, - RAND_status, + RAND_seed, RAND_bytes, RAND_cleanup, + RAND_add, RAND_pseudo_bytes, RAND_status, }; -RAND_METHOD *RAND_SSLeay(void) { - return (RAND_METHOD*) &kSSLeayMethod; -} +RAND_METHOD *RAND_SSLeay(void) { return (RAND_METHOD *)&kSSLeayMethod; } -RAND_METHOD *RAND_OpenSSL(void) { - return RAND_SSLeay(); -} +RAND_METHOD *RAND_OpenSSL(void) { return RAND_SSLeay(); } const RAND_METHOD *RAND_get_rand_method(void) { return RAND_SSLeay(); } int RAND_set_rand_method(const RAND_METHOD *method) { return 1; } void RAND_cleanup(void) {} + +void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, size_t len) { + if (len > 256) { + abort(); + } + CRYPTO_sysrand_for_seed(buf, len); +} diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/sysrand_internal.h b/Sources/CNIOBoringSSL/crypto/rand_extra/sysrand_internal.h new file mode 100644 index 000000000..6c505cfde --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/sysrand_internal.h 
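Review bot: `RAND_get_system_entropy_for_custom_prng` aborts the process for any `len > 256` with no comment explaining the limit or why it is fatal rather than a 0 return, and it is the only function in this file that can terminate the caller. A one-line comment at the definition would keep that from surprising integrators: `// Requests larger than 256 bytes are a caller bug and abort rather than fail soft; the bytes come from the seed-quality source (CRYPTO_sysrand_for_seed), not from the DRBG.` The public declaration presumably lives in the rand.h header outside this diff and should state the same limit.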
@@ -0,0 +1,37 @@ +/* Copyright (c) 2024, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SYSRAND_INTERNAL_H +#define OPENSSL_HEADER_CRYPTO_SYSRAND_INTERNAL_H + +#include + +#if defined(BORINGSSL_UNSAFE_DETERMINISTIC_MODE) +#define OPENSSL_RAND_DETERMINISTIC +#elif defined(OPENSSL_TRUSTY) +#define OPENSSL_RAND_TRUSTY +#elif defined(OPENSSL_WINDOWS) +#define OPENSSL_RAND_WINDOWS +#elif defined(OPENSSL_LINUX) +#define OPENSSL_RAND_URANDOM +#elif defined(OPENSSL_APPLE) && !defined(OPENSSL_MACOS) +// Unlike macOS, iOS and similar hide away getentropy(). +#define OPENSSL_RAND_IOS +#else +// By default if you are integrating BoringSSL we expect you to +// provide getentropy from the header file. +#define OPENSSL_RAND_GETENTROPY +#endif + +#endif // OPENSSL_HEADER_CRYPTO__SYSRAND_INTERNAL_H diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/trusty.c b/Sources/CNIOBoringSSL/crypto/rand_extra/trusty.c index 6e0e0bc28..70d7dc7a7 100644 --- a/Sources/CNIOBoringSSL/crypto/rand_extra/trusty.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/trusty.c @@ -14,7 +14,8 @@ #include -#include "../fipsmodule/rand/internal.h" +#include "../bcm_support.h" +#include "sysrand_internal.h" #if defined(OPENSSL_RAND_TRUSTY) #include 
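Review bot: The closing comment on the include guard reads `#endif  // OPENSSL_HEADER_CRYPTO__SYSRAND_INTERNAL_H` (double underscore) while the guard macro is `OPENSSL_HEADER_CRYPTO_SYSRAND_INTERNAL_H`; make them match. Also worth noting for this vendoring: the `#else` fallback selects `OPENSSL_RAND_GETENTROPY` for every platform not listed above it, so any new target this package is built for will silently require a working `getentropy` rather than fail at configuration time; the existing comment says so, but a `#warning` or an explicit allow-list would make an unintended fallthrough visible at build time. The trusty.c hunk on the same line is a mechanical include change.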
@@ -25,12 +26,19 @@ #include +void CRYPTO_init_sysrand(void) {} + void CRYPTO_sysrand(uint8_t *out, size_t requested) { if (trusty_rng_hw_rand(out, requested) != NO_ERROR) { abort(); } } +int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) { + CRYPTO_sysrand(buf, len); + return 1; +} + void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/urandom.c b/Sources/CNIOBoringSSL/crypto/rand_extra/urandom.c similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rand/urandom.c rename to Sources/CNIOBoringSSL/crypto/rand_extra/urandom.c index 4d8fbf372..4ae65422d 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rand/urandom.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/urandom.c @@ -18,7 +18,8 @@ #include -#include "internal.h" +#include "../bcm_support.h" +#include "sysrand_internal.h" #if defined(OPENSSL_RAND_URANDOM) @@ -62,8 +63,7 @@ #include #include "getrandom_fillin.h" -#include "../delocate.h" -#include "../../internal.h" +#include "../internal.h" #if defined(USE_NR_getrandom) @@ -96,17 +96,17 @@ static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) { static const int kHaveGetrandom = -3; // urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|. -DEFINE_BSS_GET(int, urandom_fd) +static int urandom_fd; #if defined(USE_NR_getrandom) // getrandom_ready is one if |getrandom| had been initialized by the time // |init_once| was called and zero otherwise. -DEFINE_BSS_GET(int, getrandom_ready) +static int getrandom_ready; // extra_getrandom_flags_for_seed contains a value that is ORed into the flags // for getrandom() when reading entropy for a seed. -DEFINE_BSS_GET(int, extra_getrandom_flags_for_seed) +static int extra_getrandom_flags_for_seed; // On Android, check a system property to decide whether to set // |extra_getrandom_flags_for_seed| otherwise they will default to zero. If 
@@ -123,14 +123,14 @@ static void maybe_set_extra_getrandom_flags(void) { value[length] = 0; if (OPENSSL_strcasecmp(value, "true") == 0) { - *extra_getrandom_flags_for_seed_bss_get() = GRND_RANDOM; + extra_getrandom_flags_for_seed = GRND_RANDOM; } #endif } #endif // USE_NR_getrandom -DEFINE_STATIC_ONCE(rand_once) +static CRYPTO_once_t rand_once = CRYPTO_ONCE_INIT; // init_once initializes the state of this module to values previously // requested. This is the only function that modifies |urandom_fd|, which may be @@ -142,7 +142,7 @@ static void init_once(void) { ssize_t getrandom_ret = boringssl_getrandom(&dummy, sizeof(dummy), GRND_NONBLOCK); if (getrandom_ret == 1) { - *getrandom_ready_bss_get() = 1; + getrandom_ready = 1; have_getrandom = 1; } else if (getrandom_ret == -1 && errno == EAGAIN) { // We have getrandom, but the entropy pool has not been initialized yet. @@ -157,7 +157,7 @@ static void init_once(void) { } if (have_getrandom) { - *urandom_fd_bss_get() = kHaveGetrandom; + urandom_fd = kHaveGetrandom; maybe_set_extra_getrandom_flags(); return; } @@ -185,19 +185,19 @@ static void init_once(void) { abort(); } - *urandom_fd_bss_get() = fd; + urandom_fd = fd; } -DEFINE_STATIC_ONCE(wait_for_entropy_once) +static CRYPTO_once_t wait_for_entropy_once = CRYPTO_ONCE_INIT; static void wait_for_entropy(void) { - int fd = *urandom_fd_bss_get(); + int fd = urandom_fd; if (fd == kHaveGetrandom) { // |getrandom| and |getentropy| support blocking in |fill_with_entropy| // directly. For |getrandom|, we first probe with a non-blocking call to aid // debugging. #if defined(USE_NR_getrandom) - if (*getrandom_ready_bss_get()) { + if (getrandom_ready) { // The entropy pool was already initialized in |init_once|. return; } 
@@ -256,13 +256,13 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) { #if defined (USE_NR_getrandom) if (seed) { - getrandom_flags |= *extra_getrandom_flags_for_seed_bss_get(); + getrandom_flags |= extra_getrandom_flags_for_seed; } #endif CRYPTO_init_sysrand(); if (block) { - CRYPTO_once(wait_for_entropy_once_bss_get(), wait_for_entropy); + CRYPTO_once(&wait_for_entropy_once, wait_for_entropy); } // Clear |errno| so it has defined value if |read| or |getrandom| @@ -271,7 +271,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) { while (len > 0) { ssize_t r; - if (*urandom_fd_bss_get() == kHaveGetrandom) { + if (urandom_fd == kHaveGetrandom) { #if defined(USE_NR_getrandom) r = boringssl_getrandom(out, len, getrandom_flags); #else // USE_NR_getrandom @@ -280,7 +280,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) { #endif } else { do { - r = read(*urandom_fd_bss_get(), out, len); + r = read(urandom_fd, out, len); } while (r == -1 && errno == EINTR); } @@ -295,7 +295,7 @@ static int fill_with_entropy(uint8_t *out, size_t len, int block, int seed) { } void CRYPTO_init_sysrand(void) { - CRYPTO_once(rand_once_bss_get(), init_once); + CRYPTO_once(&rand_once, init_once); } // CRYPTO_sysrand puts |requested| random bytes into |out|. diff --git a/Sources/CNIOBoringSSL/crypto/rand_extra/windows.c b/Sources/CNIOBoringSSL/crypto/rand_extra/windows.c index 37ea7c84d..6bffab457 100644 --- a/Sources/CNIOBoringSSL/crypto/rand_extra/windows.c +++ b/Sources/CNIOBoringSSL/crypto/rand_extra/windows.c @@ -14,7 +14,9 @@ #include -#include "../fipsmodule/rand/internal.h" +#include "../bcm_support.h" +#include "../internal.h" +#include "sysrand_internal.h" #if defined(OPENSSL_RAND_WINDOWS) 
@@ -88,6 +90,11 @@ void CRYPTO_sysrand(uint8_t *out, size_t requested) { #endif // WINAPI_PARTITION_APP && !WINAPI_PARTITION_DESKTOP +int CRYPTO_sysrand_if_available(uint8_t *buf, size_t len) { + CRYPTO_sysrand(buf, len); + return 1; +} + void CRYPTO_sysrand_for_seed(uint8_t *out, size_t requested) { CRYPTO_sysrand(out, requested); } diff --git a/Sources/CNIOBoringSSL/crypto/rsa_extra/internal.h b/Sources/CNIOBoringSSL/crypto/rsa_extra/internal.h index 6317cfc01..8528ce18a 100644 --- a/Sources/CNIOBoringSSL/crypto/rsa_extra/internal.h +++ b/Sources/CNIOBoringSSL/crypto/rsa_extra/internal.h @@ -58,6 +58,8 @@ #ifndef OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H #define OPENSSL_HEADER_RSA_EXTRA_INTERNAL_H +#include + #if defined(__cplusplus) extern "C" { #endif diff --git a/Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_crypt.c b/Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_crypt.c index 1b16bc4f6..6b1101d4a 100644 --- a/Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_crypt.c +++ b/Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_crypt.c @@ -75,7 +75,9 @@ static void rand_nonzero(uint8_t *out, size_t len) { RAND_bytes(out, len); for (size_t i = 0; i < len; i++) { - while (out[i] == 0) { + // Zero values are replaced, and the distribution of zero and non-zero bytes + // is public, so leaking this is safe. + while (constant_time_declassify_int(out[i] == 0)) { RAND_bytes(out + i, 1); } } diff --git a/Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_extra.c b/Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_extra.c new file mode 100644 index 000000000..fe21df747 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/rsa_extra/rsa_extra.c 
@@ -0,0 +1,17 @@ +/* Copyright (c) 2024, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +void RSA_blinding_off(RSA *rsa) {} diff --git a/Sources/CNIOBoringSSL/crypto/sha/sha1.c b/Sources/CNIOBoringSSL/crypto/sha/sha1.c new file mode 100644 index 000000000..2855ee145 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/sha/sha1.c 
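Review bot: `RSA_blinding_off` is an empty body with no comment, so a reader cannot tell whether blinding intentionally can no longer be disabled or whether this is a stub still to be filled in; since the body does nothing, calling it leaves blinding at whatever the implementation does by default, which is the safe direction but should be stated. Suggested comment above the definition: `// RSA_blinding_off is a no-op: blinding cannot be disabled through this API; the function exists only for source compatibility with OpenSSL.` Marking the parameter used, e.g. `(void)rsa;`, avoids an unused-parameter warning if the project builds with them enabled.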
@@ -0,0 +1,52 @@ +/* Copyright (c) 2024, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "../fipsmodule/bcm_interface.h" + +int SHA1_Init(SHA_CTX *sha) { + BCM_sha1_init(sha); + return 1; +} + +int SHA1_Update(SHA_CTX *sha, const void *data, size_t len) { + BCM_sha1_update(sha, data, len); + return 1; +} + +int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *sha) { + BCM_sha1_final(out, sha); + return 1; +} + +uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]) { + SHA_CTX ctx; + BCM_sha1_init(&ctx); + BCM_sha1_update(&ctx, data, len); + BCM_sha1_final(out, &ctx); + OPENSSL_cleanse(&ctx, sizeof(ctx)); + return out; +} + +void SHA1_Transform(SHA_CTX *sha, const uint8_t block[SHA_CBLOCK]) { + BCM_sha1_transform(sha, block); +} + +void CRYPTO_fips_186_2_prf(uint8_t *out, size_t out_len, + const uint8_t xkey[SHA_DIGEST_LENGTH]) { + BCM_fips_186_2_prf(out, out_len, xkey); +} diff --git a/Sources/CNIOBoringSSL/crypto/sha/sha256.c b/Sources/CNIOBoringSSL/crypto/sha/sha256.c new file mode 100644 index 000000000..1cb5dd9f7 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/sha/sha256.c 
@@ -0,0 +1,87 @@ +/* Copyright (c) 2024, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "../fipsmodule/bcm_interface.h" + + +int SHA224_Init(SHA256_CTX *sha) { + BCM_sha224_init(sha); + return 1; +} + +int SHA224_Update(SHA256_CTX *sha, const void *data, size_t len) { + BCM_sha224_update(sha, data, len); + return 1; +} + +int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *sha) { + BCM_sha224_final(out, sha); + return 1; +} + +uint8_t *SHA224(const uint8_t *data, size_t len, + uint8_t out[SHA224_DIGEST_LENGTH]) { + SHA256_CTX ctx; + BCM_sha224_init(&ctx); + BCM_sha224_update(&ctx, data, len); + BCM_sha224_final(out, &ctx); + OPENSSL_cleanse(&ctx, sizeof(ctx)); + return out; +} + +int SHA256_Init(SHA256_CTX *sha) { + BCM_sha256_init(sha); + return 1; +} + +int SHA256_Update(SHA256_CTX *sha, const void *data, size_t len) { + BCM_sha256_update(sha, data, len); + return 1; +} + +int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *sha) { + // TODO(bbe): This overflow check one of the few places a low-level hash + // 'final' function can fail. SHA-512 does not have a corresponding check. + // The BCM function is infallible and will abort if this is done incorrectly. 
+ // we should verify nothing crashes with this removed and eliminate the 0 + // return. + if (sha->md_len > SHA256_DIGEST_LENGTH) { + return 0; + } + BCM_sha256_final(out, sha); + return 1; +} + +uint8_t *SHA256(const uint8_t *data, size_t len, + uint8_t out[SHA256_DIGEST_LENGTH]) { + SHA256_CTX ctx; + BCM_sha256_init(&ctx); + BCM_sha256_update(&ctx, data, len); + BCM_sha256_final(out, &ctx); + OPENSSL_cleanse(&ctx, sizeof(ctx)); + return out; +} + +void SHA256_Transform(SHA256_CTX *sha, const uint8_t block[SHA256_CBLOCK]) { + BCM_sha256_transform(sha, block); +} + +void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data, + size_t num_blocks) { + BCM_sha256_transform_blocks(state, data, num_blocks); +} diff --git a/Sources/CNIOBoringSSL/crypto/sha/sha512.c b/Sources/CNIOBoringSSL/crypto/sha/sha512.c new file mode 100644 index 000000000..22192c004 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/sha/sha512.c 
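Review bot: The `SHA256_Final` comment has a grammatical slip (`This overflow check one of the few places` should read `This overflow check is one of the few places`) and, more importantly, it is the only `*_Final` in this file that can return 0, while `SHA224_Final`, which shares `SHA256_CTX` and therefore `md_len`, passes straight to `BCM_sha224_final` with no such guard. The comment should say which misuse the `md_len > SHA256_DIGEST_LENGTH` check is meant to catch so the TODO can be resolved consistently for both; until then a short note at the public API helps callers: `// Returns 0 only if |sha->md_len| exceeds the SHA-256 digest length; every other Final in this file is infallible.`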
@@ -0,0 +1,104 @@ +/* Copyright (c) 2024, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "../fipsmodule/bcm_interface.h" + + +int SHA384_Init(SHA512_CTX *sha) { + BCM_sha384_init(sha); + return 1; +} + +int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len) { + BCM_sha384_update(sha, data, len); + return 1; +} + +int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) { + BCM_sha384_final(out, sha); + return 1; +} + +uint8_t *SHA384(const uint8_t *data, size_t len, + uint8_t out[SHA384_DIGEST_LENGTH]) { + SHA512_CTX ctx; + BCM_sha384_init(&ctx); + BCM_sha384_update(&ctx, data, len); + BCM_sha384_final(out, &ctx); + OPENSSL_cleanse(&ctx, sizeof(ctx)); + return out; +} + +int SHA512_256_Init(SHA512_CTX *sha) { + BCM_sha512_256_init(sha); + return 1; +} + +int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len) { + BCM_sha512_256_update(sha, data, len); + return 1; +} + +int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) { + BCM_sha512_256_final(out, sha); + return 1; +} + +uint8_t *SHA512_256(const uint8_t *data, size_t len, + uint8_t out[SHA512_256_DIGEST_LENGTH]) { + SHA512_CTX ctx; + BCM_sha512_256_init(&ctx); + BCM_sha512_256_update(&ctx, data, len); + 
BCM_sha512_256_final(out, &ctx); + OPENSSL_cleanse(&ctx, sizeof(ctx)); + return out; +} + +int SHA512_Init(SHA512_CTX *sha) { + BCM_sha512_init(sha); + return 1; +} + +int SHA512_Update(SHA512_CTX *sha, const void *data, size_t len) { + BCM_sha512_update(sha, data, len); + return 1; +} + +int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) { + // Historically this function retured failure if passed NULL, even + // though other final functions do not. + if (out == NULL) { + return 0; + } + BCM_sha512_final(out, sha); + return 1; +} + +uint8_t *SHA512(const uint8_t *data, size_t len, + uint8_t out[SHA512_DIGEST_LENGTH]) { + SHA512_CTX ctx; + BCM_sha512_init(&ctx); + BCM_sha512_update(&ctx, data, len); + BCM_sha512_final(out, &ctx); + OPENSSL_cleanse(&ctx, sizeof(ctx)); + return out; +} + +void SHA512_Transform(SHA512_CTX *sha, const uint8_t block[SHA512_CBLOCK]) { + BCM_sha512_transform(sha, block); +} diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/address.h b/Sources/CNIOBoringSSL/crypto/slhdsa/address.h new file mode 100644 index 000000000..44e9871f5 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/slhdsa/address.h 
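Review bot: `SHA512_Final` rejects `out == NULL` with a 0 return (and the comment above it misspells `retured`, should be `returned`), but `SHA384_Final` and `SHA512_256_Final` in the same file pass a NULL `out` straight to the BCM finaliser, so three functions with the same shape handle the same bad argument differently. Either apply the same guard to the other two or state in the comment that the check is kept only for historical `SHA512_Final` compatibility: `// Historically this function returned failure if passed NULL, even though the other final functions in this file do not; they treat a NULL |out| as a caller error.`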
@@ -0,0 +1,123 @@ +/* Copyright (c) 2024, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H +#define OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H + +#include + +#include "../internal.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Offsets of various fields in the address structure for SLH-DSA-SHA2-128s. + +// The byte used to specify the Merkle tree layer. +#define SLHDSA_SHA2_128S_OFFSET_LAYER 0 + +// The start of the 8 byte field used to specify the tree. +#define SLHDSA_SHA2_128S_OFFSET_TREE 1 + +// The byte used to specify the hash type (reason). +#define SLHDSA_SHA2_128S_OFFSET_TYPE 9 + +// The high byte used to specify the key pair (which one-time signature). +#define SLHDSA_SHA2_128S_OFFSET_KP_ADDR2 12 + +// The low byte used to specific the key pair. +#define SLHDSA_SHA2_128S_OFFSET_KP_ADDR1 13 + +// The byte used to specify the chain address (which Winternitz chain). +#define SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR 17 + +// The byte used to specify the hash address (where in the Winternitz chain). +#define SLHDSA_SHA2_128S_OFFSET_HASH_ADDR 21 + +// The byte used to specify the height of this node in the FORS or Merkle tree. 
+#define SLHDSA_SHA2_128S_OFFSET_TREE_HGT 17 + +// The start of the 4 byte field used to specify the node in the FORS or Merkle +// tree. +#define SLHDSA_SHA2_128S_OFFSET_TREE_INDEX 18 + + +OPENSSL_INLINE void slhdsa_set_chain_addr(uint8_t addr[32], uint32_t chain) { + addr[SLHDSA_SHA2_128S_OFFSET_CHAIN_ADDR] = (uint8_t)chain; +} + +OPENSSL_INLINE void slhdsa_set_hash_addr(uint8_t addr[32], uint32_t hash) { + addr[SLHDSA_SHA2_128S_OFFSET_HASH_ADDR] = (uint8_t)hash; +} + +OPENSSL_INLINE void slhdsa_set_keypair_addr(uint8_t addr[32], + uint32_t keypair) { + addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = (uint8_t)(keypair >> 8); + addr[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = (uint8_t)keypair; +} + +OPENSSL_INLINE void slhdsa_copy_keypair_addr(uint8_t out[32], + const uint8_t in[32]) { + OPENSSL_memcpy(out, in, SLHDSA_SHA2_128S_OFFSET_TREE + 8); + out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR2]; + out[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1] = in[SLHDSA_SHA2_128S_OFFSET_KP_ADDR1]; +} + +OPENSSL_INLINE void slhdsa_set_layer_addr(uint8_t addr[32], uint32_t layer) { + addr[SLHDSA_SHA2_128S_OFFSET_LAYER] = (uint8_t)layer; +} + +OPENSSL_INLINE void slhdsa_set_tree_addr(uint8_t addr[32], uint64_t tree) { + CRYPTO_store_u64_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE], tree); +} + +#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTS 0 +#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK 1 +#define SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE 2 +#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE 3 +#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPK 4 +#define SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF 5 +#define SLHDSA_SHA2_128S_ADDR_TYPE_FORSPRF 6 + +OPENSSL_INLINE void slhdsa_set_type(uint8_t addr[32], uint32_t type) { + // FIPS 205 relies on this setting parts of the address to 0, so we do it + // here to avoid confusion. + // + // The behavior here is only correct for the SHA-2 instantiations. 
+ OPENSSL_memset(addr + 10, 0, 12); + addr[SLHDSA_SHA2_128S_OFFSET_TYPE] = (uint8_t)type; +} + +OPENSSL_INLINE void slhdsa_set_tree_height(uint8_t addr[32], + uint32_t tree_height) { + addr[SLHDSA_SHA2_128S_OFFSET_TREE_HGT] = (uint8_t)tree_height; +} + +OPENSSL_INLINE void slhdsa_set_tree_index(uint8_t addr[32], + uint32_t tree_index) { + CRYPTO_store_u32_be(&addr[SLHDSA_SHA2_128S_OFFSET_TREE_INDEX], tree_index); +} + +OPENSSL_INLINE uint32_t slhdsa_get_tree_index(uint8_t addr[32]) { + return CRYPTO_load_u32_be(addr + SLHDSA_SHA2_128S_OFFSET_TREE_INDEX); +} + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SLHDSA_ADDRESS_H diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/fors.c b/Sources/CNIOBoringSSL/crypto/slhdsa/fors.c new file mode 100644 index 000000000..abbcb744c --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/slhdsa/fors.c 
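Review bot: `slhdsa_get_tree_index` only reads `addr` (`CRYPTO_load_u32_be(addr + SLHDSA_SHA2_128S_OFFSET_TREE_INDEX)`) but takes `uint8_t addr[32]` rather than `const uint8_t addr[32]`, which prevents callers holding a const address from using it; change it to `OPENSSL_INLINE uint32_t slhdsa_get_tree_index(const uint8_t addr[32])`. Separately, `slhdsa_set_type` zeroes bytes 10..21 with `OPENSSL_memset(addr + 10, 0, 12)`, which by the offsets defined above wipes the key-pair (12, 13), chain/tree-height (17), hash (21) and tree-index (18..21) fields, so any caller that sets the type must re-set the key pair afterwards; a comment naming those fields, e.g. `// Clears the key-pair, chain/height, hash and tree-index fields (bytes 10..21); callers must re-set the key pair afterwards.`, would make that ordering dependency visible in the header rather than only in the call sites.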
@@ -0,0 +1,169 @@ +/* Copyright (c) 2024, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include +#include + +#include "../internal.h" +#include "./address.h" +#include "./fors.h" +#include "./params.h" +#include "./thash.h" + +// Compute the base 2^12 representation of `message` (algorithm 4, page 16). 
+static void fors_base_b( + uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES], + const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES]) { + static_assert(SLHDSA_SHA2_128S_FORS_HEIGHT == 12, ""); + static_assert((SLHDSA_SHA2_128S_FORS_TREES & 1) == 0, ""); + + const uint8_t *msg = message; + for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; i += 2) { + uint32_t val = ((uint32_t)msg[0] << 16) | ((uint32_t)msg[1] << 8) | msg[2]; + indices[i] = (val >> 12) & 0xFFF; + indices[i + 1] = val & 0xFFF; + msg += 3; + } +} + +// Implements Algorithm 14: fors_skGen function (page 29) +void slhdsa_fors_sk_gen(uint8_t fors_sk[SLHDSA_SHA2_128S_N], uint32_t idx, + const uint8_t sk_seed[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + uint8_t sk_addr[32]; + OPENSSL_memcpy(sk_addr, addr, sizeof(sk_addr)); + + slhdsa_set_type(sk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSPRF); + slhdsa_copy_keypair_addr(sk_addr, addr); + slhdsa_set_tree_index(sk_addr, idx); + slhdsa_thash_prf(fors_sk, pk_seed, sk_seed, sk_addr); +} + +// Implements Algorithm 15: fors_node function (page 30) +void slhdsa_fors_treehash(uint8_t root_node[SLHDSA_SHA2_128S_N], + const uint8_t sk_seed[SLHDSA_SHA2_128S_N], + uint32_t i /*target node index*/, + uint32_t z /*target node height*/, + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + BSSL_CHECK(z <= SLHDSA_SHA2_128S_FORS_HEIGHT); + BSSL_CHECK(i < (uint32_t)(SLHDSA_SHA2_128S_FORS_TREES * + (1 << (SLHDSA_SHA2_128S_FORS_HEIGHT - z)))); + + if (z == 0) { + uint8_t sk[SLHDSA_SHA2_128S_N]; + slhdsa_set_tree_height(addr, 0); + slhdsa_set_tree_index(addr, i); + slhdsa_fors_sk_gen(sk, i, sk_seed, pk_seed, addr); + slhdsa_thash_f(root_node, sk, pk_seed, addr); + } else { + // Stores left node and right node. 
+ uint8_t nodes[2 * SLHDSA_SHA2_128S_N]; + slhdsa_fors_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr); + slhdsa_fors_treehash(nodes + SLHDSA_SHA2_128S_N, sk_seed, 2 * i + 1, z - 1, + pk_seed, addr); + slhdsa_set_tree_height(addr, z); + slhdsa_set_tree_index(addr, i); + slhdsa_thash_h(root_node, nodes, pk_seed, addr); + } +} + +// Implements Algorithm 16: fors_sign function (page 31) +void slhdsa_fors_sign(uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES], + const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES], + const uint8_t sk_seed[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES]; + + // Derive FORS indices compatible with the NIST changes. + fors_base_b(indices, message); + + for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; ++i) { + slhdsa_set_tree_height(addr, 0); + // Write the FORS secret key element to the correct position. + slhdsa_fors_sk_gen( + fors_sig + i * SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1), + i * (1 << SLHDSA_SHA2_128S_FORS_HEIGHT) + indices[i], sk_seed, pk_seed, + addr); + for (size_t j = 0; j < SLHDSA_SHA2_128S_FORS_HEIGHT; ++j) { + size_t s = (indices[i] / (1 << j)) ^ 1; + // Write the FORS auth path element to the correct position. 
+ slhdsa_fors_treehash( + fors_sig + SLHDSA_SHA2_128S_N * + (i * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1) + j + 1), + sk_seed, i * (1ULL << (SLHDSA_SHA2_128S_FORS_HEIGHT - j)) + s, j, + pk_seed, addr); + } + } +} + +// Implements Algorithm 17: fors_pkFromSig function (page 32) +void slhdsa_fors_pk_from_sig( + uint8_t fors_pk[SLHDSA_SHA2_128S_N], + const uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES], + const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]) { + uint16_t indices[SLHDSA_SHA2_128S_FORS_TREES]; + uint8_t tmp[2 * SLHDSA_SHA2_128S_N]; + uint8_t roots[SLHDSA_SHA2_128S_FORS_TREES * SLHDSA_SHA2_128S_N]; + + // Derive FORS indices compatible with the NIST changes. + fors_base_b(indices, message); + + for (size_t i = 0; i < SLHDSA_SHA2_128S_FORS_TREES; ++i) { + // Pointer to current sk and authentication path + const uint8_t *sk = + fors_sig + i * SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1); + const uint8_t *auth = + fors_sig + i * SLHDSA_SHA2_128S_N * (SLHDSA_SHA2_128S_FORS_HEIGHT + 1) + + SLHDSA_SHA2_128S_N; + uint8_t nodes[2 * SLHDSA_SHA2_128S_N]; + + slhdsa_set_tree_height(addr, 0); + slhdsa_set_tree_index( + addr, (i * (1 << SLHDSA_SHA2_128S_FORS_HEIGHT)) + indices[i]); + + slhdsa_thash_f(nodes, sk, pk_seed, addr); + + for (size_t j = 0; j < SLHDSA_SHA2_128S_FORS_HEIGHT; ++j) { + slhdsa_set_tree_height(addr, j + 1); + + // Even node + if (((indices[i] / (1 << j)) % 2) == 0) { + slhdsa_set_tree_index(addr, slhdsa_get_tree_index(addr) / 2); + OPENSSL_memcpy(tmp, nodes, SLHDSA_SHA2_128S_N); + OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, auth + j * SLHDSA_SHA2_128S_N, + SLHDSA_SHA2_128S_N); + slhdsa_thash_h(nodes + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr); + } else { + slhdsa_set_tree_index(addr, (slhdsa_get_tree_index(addr) - 1) / 2); + OPENSSL_memcpy(tmp, auth + j * SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N); + OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, nodes, SLHDSA_SHA2_128S_N); + 
slhdsa_thash_h(nodes + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr); + } + OPENSSL_memcpy(nodes, nodes + SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N); + } + OPENSSL_memcpy(roots + i * SLHDSA_SHA2_128S_N, nodes, SLHDSA_SHA2_128S_N); + } + + uint8_t forspk_addr[32]; + OPENSSL_memcpy(forspk_addr, addr, sizeof(forspk_addr)); + slhdsa_set_type(forspk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSPK); + slhdsa_copy_keypair_addr(forspk_addr, addr); + slhdsa_thash_tk(fors_pk, roots, pk_seed, forspk_addr); +} diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/fors.h b/Sources/CNIOBoringSSL/crypto/slhdsa/fors.h new file mode 100644 index 000000000..194a126a8 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/slhdsa/fors.h 
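Review bot: In `slhdsa_fors_sk_gen` and at the end of `slhdsa_fors_pk_from_sig`, the call order `slhdsa_set_type(...)` then `slhdsa_copy_keypair_addr(..., addr)` is load-bearing, because `slhdsa_set_type` zeroes bytes 10..21 of the address (including the key-pair bytes at offsets 12 and 13) and the copy restores them, yet neither site says so; a one-line comment at each, `// slhdsa_set_type cleared the key-pair field; restore it from |addr|.`, would stop a future reorder from silently producing a wrong PRF address. Note also that these functions modify the caller's `addr` in place (`slhdsa_set_tree_height`/`slhdsa_set_tree_index` on `addr` in `slhdsa_fors_treehash`, `slhdsa_fors_sign` and `slhdsa_fors_pk_from_sig`), which fits the spec's address-as-scratch model but is not stated anywhere in this file. The shift forms are mixed too (`1 << j` in the `s` computation of `slhdsa_fors_sign` versus `1ULL << (...)` two lines later); both fit for height 12, but one form is clearer.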
@@ -0,0 +1,58 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_FORS_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_FORS_H
+
+#include "./params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Implements Algorithm 14: fors_skGen function (page 29)
+void slhdsa_fors_sk_gen(uint8_t fors_sk[SLHDSA_SHA2_128S_N], uint32_t idx,
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements Algorithm 15: fors_node function (page 30)
+void slhdsa_fors_treehash(uint8_t root_node[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ uint32_t i /*target node index*/,
+ uint32_t z /*target node height*/,
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements Algorithm 16: fors_sign function (page 31)
+void slhdsa_fors_sign(uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],
+ const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements Algorithm 17: fors_pkFromSig function (page 32)
+void slhdsa_fors_pk_from_sig(
+ uint8_t fors_pk[SLHDSA_SHA2_128S_N],
+ const uint8_t fors_sig[SLHDSA_SHA2_128S_FORS_BYTES],
+ const uint8_t message[SLHDSA_SHA2_128S_FORS_MSG_BYTES],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SLHDSA_FORS_H
diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/internal.h b/Sources/CNIOBoringSSL/crypto/slhdsa/internal.h
new file mode 100644
index 000000000..6e1a90b52
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/slhdsa/internal.h
@@ -0,0 +1,63 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_INTERNAL_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_INTERNAL_H
+
+#include
+
+#include "params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// SLHDSA_SHA2_128S_generate_key_from_seed generates an SLH-DSA-SHA2-128s key
+// pair from a 48-byte seed and writes the result to |out_public_key| and
+// |out_secret_key|.
+OPENSSL_EXPORT void SLHDSA_SHA2_128S_generate_key_from_seed(
+ uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+ uint8_t out_secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
+ const uint8_t seed[3 * SLHDSA_SHA2_128S_N]);
+
+// SLHDSA_SHA2_128S_sign_internal acts like |SLHDSA_SHA2_128S_sign| but
+// accepts an explicit entropy input, which can be PK.seed (bytes 32..48 of
+// the private key) to generate deterministic signatures. It also takes the
+// input message in three parts so that the "internal" version of the signing
+// function, from section 9.2, can be implemented. The |header| argument may be
+ NULL to omit it.
+OPENSSL_EXPORT void SLHDSA_SHA2_128S_sign_internal(
+ uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],
+ const uint8_t secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
+ const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
+ size_t context_len, const uint8_t *msg, size_t msg_len,
+ const uint8_t entropy[SLHDSA_SHA2_128S_N]);
+
+// SLHDSA_SHA2_128S_verify_internal acts like |SLHDSA_SHA2_128S_verify| but
+// takes the input message in three parts so that the "internal" version of the
+// verification function, from section 9.3, can be implemented. The |header|
+// argument may be NULL to omit it.
+OPENSSL_EXPORT int SLHDSA_SHA2_128S_verify_internal(
+ const uint8_t *signature, size_t signature_len,
+ const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+ const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context,
+ size_t context_len, const uint8_t *msg, size_t msg_len);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SLHDSA_INTERNAL_H
diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/merkle.c b/Sources/CNIOBoringSSL/crypto/slhdsa/merkle.c
new file mode 100644
index 000000000..556b80ba7
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/slhdsa/merkle.c
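Review bot: The comment on SLHDSA_SHA2_128S_verify_internal omits its return contract, which an entry point exposed for the FIPS 205 section 9.3 path needs spelled out; the definition in slhdsa.c returns 0 when `signature_len != SLHDSA_SHA2_128S_SIGNATURE_BYTES` and otherwise the result of the hypertree check. I would add above the prototype: `// It returns one if |signature| is valid and zero otherwise, including when |signature_len| is not SLHDSA_SHA2_128S_SIGNATURE_BYTES.` The sign_internal comment should also state that |entropy| is required (not optional like |header|) and must be exactly SLHDSA_SHA2_128S_N bytes, since slhdsa_thash_prfmsg hashes that many bytes from it unconditionally. As this is vendored BoringSSL, the wording change belongs upstream.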
@@ -0,0 +1,161 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+
+#include "../internal.h"
+#include "./address.h"
+#include "./merkle.h"
+#include "./params.h"
+#include "./thash.h"
+#include "./wots.h"
+
+
+// Implements Algorithm 9: xmss_node function (page 23)
+void slhdsa_treehash(uint8_t out_pk[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ uint32_t i /*target node index*/,
+ uint32_t z /*target node height*/,
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]) {
+ BSSL_CHECK(z <= SLHDSA_SHA2_128S_TREE_HEIGHT);
+ BSSL_CHECK(i < (uint32_t)(1 << (SLHDSA_SHA2_128S_TREE_HEIGHT - z)));
+
+ if (z == 0) {
+ slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS);
+ slhdsa_set_keypair_addr(addr, i);
+ slhdsa_wots_pk_gen(out_pk, sk_seed, pk_seed, addr);
+ } else {
+ // Stores left node and right node.
+ uint8_t nodes[2 * SLHDSA_SHA2_128S_N]; + slhdsa_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr); + slhdsa_treehash(nodes + SLHDSA_SHA2_128S_N, sk_seed, 2 * i + 1, z - 1, + pk_seed, addr); + slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE); + slhdsa_set_tree_height(addr, z); + slhdsa_set_tree_index(addr, i); + slhdsa_thash_h(out_pk, nodes, pk_seed, addr); + } +} + +// Implements Algorithm 10: xmss_sign function (page 24) +void slhdsa_xmss_sign(uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES], + const uint8_t msg[SLHDSA_SHA2_128S_N], unsigned int idx, + const uint8_t sk_seed[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + // Build authentication path + for (size_t j = 0; j < SLHDSA_SHA2_128S_TREE_HEIGHT; ++j) { + unsigned int k = (idx >> j) ^ 1; + slhdsa_treehash(sig + SLHDSA_SHA2_128S_WOTS_BYTES + j * SLHDSA_SHA2_128S_N, + sk_seed, k, j, pk_seed, addr); + } + + // Compute WOTS+ signature + slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS); + slhdsa_set_keypair_addr(addr, idx); + slhdsa_wots_sign(sig, msg, sk_seed, pk_seed, addr); +} + +// Implements Algorithm 11: xmss_pkFromSig function (page 25) +void slhdsa_xmss_pk_from_sig( + uint8_t root[SLHDSA_SHA2_128S_N], + const uint8_t xmss_sig[SLHDSA_SHA2_128S_XMSS_BYTES], unsigned int idx, + const uint8_t msg[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]) { + // Stores node[0] and node[1] from Algorithm 11 + slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTS); + slhdsa_set_keypair_addr(addr, idx); + uint8_t node[2 * SLHDSA_SHA2_128S_N]; + slhdsa_wots_pk_from_sig(node, xmss_sig, msg, pk_seed, addr); + + slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_HASHTREE); + slhdsa_set_tree_index(addr, idx); + + uint8_t tmp[2 * SLHDSA_SHA2_128S_N]; + const uint8_t *const auth = xmss_sig + SLHDSA_SHA2_128S_WOTS_BYTES; + for (size_t k = 0; k < SLHDSA_SHA2_128S_TREE_HEIGHT; ++k) { + slhdsa_set_tree_height(addr, k + 1); + if (((idx >> k) & 1) 
== 0) { + slhdsa_set_tree_index(addr, slhdsa_get_tree_index(addr) >> 1); + OPENSSL_memcpy(tmp, node, SLHDSA_SHA2_128S_N); + OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, auth + k * SLHDSA_SHA2_128S_N, + SLHDSA_SHA2_128S_N); + slhdsa_thash_h(node + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr); + } else { + slhdsa_set_tree_index(addr, (slhdsa_get_tree_index(addr) - 1) >> 1); + OPENSSL_memcpy(tmp, auth + k * SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N); + OPENSSL_memcpy(tmp + SLHDSA_SHA2_128S_N, node, SLHDSA_SHA2_128S_N); + slhdsa_thash_h(node + SLHDSA_SHA2_128S_N, tmp, pk_seed, addr); + } + OPENSSL_memcpy(node, node + SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N); + } + OPENSSL_memcpy(root, node, SLHDSA_SHA2_128S_N); +} + +// Implements Algorithm 12: ht_sign function (page 27) +void slhdsa_ht_sign( + uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES * SLHDSA_SHA2_128S_D], + const uint8_t message[SLHDSA_SHA2_128S_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t sk_seed[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N]) { + uint8_t addr[32] = {0}; + slhdsa_set_tree_addr(addr, idx_tree); + + // Layer 0 + slhdsa_xmss_sign(sig, message, idx_leaf, sk_seed, pk_seed, addr); + uint8_t root[SLHDSA_SHA2_128S_N]; + slhdsa_xmss_pk_from_sig(root, sig, idx_leaf, message, pk_seed, addr); + sig += SLHDSA_SHA2_128S_XMSS_BYTES; + + // All other layers + for (size_t j = 1; j < SLHDSA_SHA2_128S_D; ++j) { + idx_leaf = idx_tree % (1 << SLHDSA_SHA2_128S_TREE_HEIGHT); + idx_tree = idx_tree >> SLHDSA_SHA2_128S_TREE_HEIGHT; + slhdsa_set_layer_addr(addr, j); + slhdsa_set_tree_addr(addr, idx_tree); + slhdsa_xmss_sign(sig, root, idx_leaf, sk_seed, pk_seed, addr); + if (j < (SLHDSA_SHA2_128S_D - 1)) { + slhdsa_xmss_pk_from_sig(root, sig, idx_leaf, root, pk_seed, addr); + } + + sig += SLHDSA_SHA2_128S_XMSS_BYTES; + } +} + +// Implements Algorithm 13: ht_verify function (page 28) +int slhdsa_ht_verify( + const uint8_t sig[SLHDSA_SHA2_128S_D * SLHDSA_SHA2_128S_XMSS_BYTES], + const uint8_t 
message[SLHDSA_SHA2_128S_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t pk_root[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N]) { + uint8_t addr[32] = {0}; + slhdsa_set_tree_addr(addr, idx_tree); + + uint8_t node[SLHDSA_SHA2_128S_N]; + slhdsa_xmss_pk_from_sig(node, sig, idx_leaf, message, pk_seed, addr); + + for (size_t j = 1; j < SLHDSA_SHA2_128S_D; ++j) { + idx_leaf = idx_tree % (1 << SLHDSA_SHA2_128S_TREE_HEIGHT); + idx_tree = idx_tree >> SLHDSA_SHA2_128S_TREE_HEIGHT; + slhdsa_set_layer_addr(addr, j); + slhdsa_set_tree_addr(addr, idx_tree); + + slhdsa_xmss_pk_from_sig(node, sig + j * SLHDSA_SHA2_128S_XMSS_BYTES, + idx_leaf, node, pk_seed, addr); + } + return memcmp(node, pk_root, SLHDSA_SHA2_128S_N) == 0; +} diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/merkle.h b/Sources/CNIOBoringSSL/crypto/slhdsa/merkle.h new file mode 100644 index 000000000..0731a33e1 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/slhdsa/merkle.h 
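Review bot: slhdsa_ht_verify finishes with `return memcmp(node, pk_root, SLHDSA_SHA2_128S_N) == 0;`, and a variable-time compare in a crypto file invites either a well-meaning "fix" or a copy of the pattern into a secret-dependent path. It is correct here because every input to verification (signature, message, public key) is public, so the reason should be stated on the line: `// All inputs are public, so a variable-time compare is fine here.` Separately, slhdsa_xmss_sign computes `(idx >> j) ^ 1` with no range check on idx and relies on the BSSL_CHECK inside slhdsa_treehash to abort when idx is at least 2^SLHDSA_SHA2_128S_TREE_HEIGHT; the callers in this patch mask idx_leaf to SLHDSA_SHA2_128S_LEAF_BITS first, so that abort is reachable only on misuse, which deserves a one-line precondition comment on slhdsa_xmss_sign.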
@@ -0,0 +1,70 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_MERKLE_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_MERKLE_H
+
+#include
+
+#include
+
+#include "./params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Implements Algorithm 9: xmss_node function (page 23)
+void slhdsa_treehash(uint8_t out_pk[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ uint32_t i /*target node index*/,
+ uint32_t z /*target node height*/,
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements Algorithm 10: xmss_sign function (page 24)
+void slhdsa_xmss_sign(uint8_t sig[SLHDSA_SHA2_128S_XMSS_BYTES],
+ const uint8_t msg[SLHDSA_SHA2_128S_N], unsigned int idx,
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements Algorithm 11: xmss_pkFromSig function (page 25)
+void slhdsa_xmss_pk_from_sig(
+ uint8_t root[SLHDSA_SHA2_128S_N],
+ const uint8_t xmss_sig[SLHDSA_SHA2_128S_XMSS_BYTES], unsigned int idx,
+ const uint8_t msg[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]);
+
+// Implements Algorithm 12: ht_sign function (page 27)
+void slhdsa_ht_sign(
+ uint8_t sig[SLHDSA_SHA2_128S_D * SLHDSA_SHA2_128S_XMSS_BYTES],
+ const uint8_t message[SLHDSA_SHA2_128S_N], uint64_t idx_tree,
+ uint32_t idx_leaf, const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N]);
+
+// Implements Algorithm 13: ht_verify function (page 28)
+int slhdsa_ht_verify(
+ const uint8_t sig[SLHDSA_SHA2_128S_D * SLHDSA_SHA2_128S_XMSS_BYTES],
+ const uint8_t message[SLHDSA_SHA2_128S_N], uint64_t idx_tree,
+ uint32_t idx_leaf, const uint8_t pk_root[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N]);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SLHDSA_MERKLE_H
diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/params.h b/Sources/CNIOBoringSSL/crypto/slhdsa/params.h
new file mode 100644
index 000000000..4389ee86b
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/slhdsa/params.h
@@ -0,0 +1,83 @@ +/* Copyright (c) 2024, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_PARAMS_H +#define OPENSSL_HEADER_CRYPTO_SLHDSA_PARAMS_H + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Output length of the hash function. +#define SLHDSA_SHA2_128S_N 16 +// Total height of the tree structure. +#define SLHDSA_SHA2_128S_FULL_HEIGHT 63 +// Number of subtree layers. +#define SLHDSA_SHA2_128S_D 7 +// Height of the trees on each layer +#define SLHDSA_SHA2_128S_TREE_HEIGHT 9 +// Height of each individual FORS tree. +#define SLHDSA_SHA2_128S_FORS_HEIGHT 12 +// Total number of FORS tree used. +#define SLHDSA_SHA2_128S_FORS_TREES 14 +// Size of a FORS signature +#define SLHDSA_SHA2_128S_FORS_BYTES \ + ((SLHDSA_SHA2_128S_FORS_HEIGHT + 1) * SLHDSA_SHA2_128S_FORS_TREES * \ + SLHDSA_SHA2_128S_N) +// The number of bytes at the beginning of M', the augmented message, before the +// context. 
+#define SLHDSA_M_PRIME_HEADER_LEN 2 + +// Winternitz parameter and derived values +#define SLHDSA_SHA2_128S_WOTS_W 16 +#define SLHDSA_SHA2_128S_WOTS_LOG_W 4 +#define SLHDSA_SHA2_128S_WOTS_LEN1 32 +#define SLHDSA_SHA2_128S_WOTS_LEN2 3 +#define SLHDSA_SHA2_128S_WOTS_LEN 35 +#define SLHDSA_SHA2_128S_WOTS_BYTES \ + (SLHDSA_SHA2_128S_N * SLHDSA_SHA2_128S_WOTS_LEN) + +// XMSS sizes +#define SLHDSA_SHA2_128S_XMSS_BYTES \ + (SLHDSA_SHA2_128S_WOTS_BYTES + \ + (SLHDSA_SHA2_128S_N * SLHDSA_SHA2_128S_TREE_HEIGHT)) + +// Size of the message digest (NOTE: This is only correct for the SHA-256 params +// here) +#define SLHDSA_SHA2_128S_DIGEST_SIZE \ + (((SLHDSA_SHA2_128S_FORS_TREES * SLHDSA_SHA2_128S_FORS_HEIGHT) / 8) + \ + (((SLHDSA_SHA2_128S_FULL_HEIGHT - SLHDSA_SHA2_128S_TREE_HEIGHT) / 8) + 1) + \ + (SLHDSA_SHA2_128S_TREE_HEIGHT / 8) + 1) + +// Compressed address size when using SHA-256 +#define SLHDSA_SHA2_128S_SHA256_ADDR_BYTES 22 + +// Size of the FORS message hash +#define SLHDSA_SHA2_128S_FORS_MSG_BYTES \ + ((SLHDSA_SHA2_128S_FORS_HEIGHT * SLHDSA_SHA2_128S_FORS_TREES + 7) / 8) +#define SLHDSA_SHA2_128S_TREE_BITS \ + (SLHDSA_SHA2_128S_TREE_HEIGHT * (SLHDSA_SHA2_128S_D - 1)) +#define SLHDSA_SHA2_128S_TREE_BYTES ((SLHDSA_SHA2_128S_TREE_BITS + 7) / 8) +#define SLHDSA_SHA2_128S_LEAF_BITS SLHDSA_SHA2_128S_TREE_HEIGHT +#define SLHDSA_SHA2_128S_LEAF_BYTES ((SLHDSA_SHA2_128S_LEAF_BITS + 7) / 8) + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SLHDSA_PARAMS_H diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/slhdsa.c b/Sources/CNIOBoringSSL/crypto/slhdsa/slhdsa.c new file mode 100644 index 000000000..e0ffbc3d2 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/slhdsa/slhdsa.c 
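Review bot: SLHDSA_SHA2_128S_DIGEST_SIZE computes the FORS portion as `(SLHDSA_SHA2_128S_FORS_TREES * SLHDSA_SHA2_128S_FORS_HEIGHT) / 8`, an exact division, while SLHDSA_SHA2_128S_FORS_MSG_BYTES, which slhdsa.c uses to slice those same bytes off the digest, rounds up with `+ 7) / 8`; the two agree only because 14 * 12 happens to be a multiple of 8, and the `/ 8) + 1` terms for the tree and leaf parts are a ceiling only when the division is inexact. The NOTE above the macro admits it is parameter-specific, but the digest layout that sign and verify depend on is safer expressed as the sum of the three slice widths: `#define SLHDSA_SHA2_128S_DIGEST_SIZE (SLHDSA_SHA2_128S_FORS_MSG_BYTES + SLHDSA_SHA2_128S_TREE_BYTES + SLHDSA_SHA2_128S_LEAF_BYTES)`, which still evaluates to 21 + 7 + 2 = 30 and matches FIPS 205's m = ceil(k*a/8) + ceil((h-h/d)/8) + ceil(h/(8d)). Macro expansion is lazy, so the definition can stay where it is even though the three operands are defined further down the file.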
@@ -0,0 +1,206 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+
+#include
+
+#include "../internal.h"
+#include "address.h"
+#include "fors.h"
+#include "internal.h"
+#include "merkle.h"
+#include "params.h"
+#include "thash.h"
+
+
+void SLHDSA_SHA2_128S_generate_key_from_seed(
+ uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+ uint8_t out_secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
+ const uint8_t seed[3 * SLHDSA_SHA2_128S_N]) {
+ // Initialize SK.seed || SK.prf || PK.seed from seed.
+ OPENSSL_memcpy(out_secret_key, seed, 3 * SLHDSA_SHA2_128S_N);
+
+ // Initialize PK.seed from seed.
+ OPENSSL_memcpy(out_public_key, seed + 2 * SLHDSA_SHA2_128S_N, + SLHDSA_SHA2_128S_N); + + uint8_t addr[32] = {0}; + slhdsa_set_layer_addr(addr, SLHDSA_SHA2_128S_D - 1); + + // Set PK.root + slhdsa_treehash(out_public_key + SLHDSA_SHA2_128S_N, out_secret_key, 0, + SLHDSA_SHA2_128S_TREE_HEIGHT, out_public_key, addr); + OPENSSL_memcpy(out_secret_key + 3 * SLHDSA_SHA2_128S_N, + out_public_key + SLHDSA_SHA2_128S_N, SLHDSA_SHA2_128S_N); +} + +void SLHDSA_SHA2_128S_generate_key( + uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES], + uint8_t out_private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) { + uint8_t seed[3 * SLHDSA_SHA2_128S_N]; + RAND_bytes(seed, 3 * SLHDSA_SHA2_128S_N); + SLHDSA_SHA2_128S_generate_key_from_seed(out_public_key, out_private_key, + seed); +} + +OPENSSL_EXPORT void SLHDSA_SHA2_128S_public_from_private( + uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES], + const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]) { + OPENSSL_memcpy(out_public_key, private_key + 2 * SLHDSA_SHA2_128S_N, + SLHDSA_SHA2_128S_N * 2); +} + +// Note that this overreads by a byte. This is fine in the context that it's +// used. 
+static uint64_t load_tree_index(const uint8_t in[8]) { + static_assert(SLHDSA_SHA2_128S_TREE_BYTES == 7, + "This code needs to be updated"); + uint64_t index = CRYPTO_load_u64_be(in); + index >>= 8; + index &= (~(uint64_t)0) >> (64 - SLHDSA_SHA2_128S_TREE_BITS); + return index; +} + +// Implements Algorithm 22: slh_sign function (Section 10.2.1, page 39) +void SLHDSA_SHA2_128S_sign_internal( + uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES], + const uint8_t secret_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES], + const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context, + size_t context_len, const uint8_t *msg, size_t msg_len, + const uint8_t entropy[SLHDSA_SHA2_128S_N]) { + const uint8_t *sk_seed = secret_key; + const uint8_t *sk_prf = secret_key + SLHDSA_SHA2_128S_N; + const uint8_t *pk_seed = secret_key + 2 * SLHDSA_SHA2_128S_N; + const uint8_t *pk_root = secret_key + 3 * SLHDSA_SHA2_128S_N; + + // Derive randomizer R and copy it to signature + uint8_t R[SLHDSA_SHA2_128S_N]; + slhdsa_thash_prfmsg(R, sk_prf, entropy, header, context, context_len, msg, + msg_len); + OPENSSL_memcpy(out_signature, R, SLHDSA_SHA2_128S_N); + + // Compute message digest + uint8_t digest[SLHDSA_SHA2_128S_DIGEST_SIZE]; + slhdsa_thash_hmsg(digest, R, pk_seed, pk_root, header, context, context_len, + msg, msg_len); + + uint8_t fors_digest[SLHDSA_SHA2_128S_FORS_MSG_BYTES]; + OPENSSL_memcpy(fors_digest, digest, SLHDSA_SHA2_128S_FORS_MSG_BYTES); + + const uint64_t idx_tree = + load_tree_index(digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES); + uint32_t idx_leaf = CRYPTO_load_u16_be( + digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES + SLHDSA_SHA2_128S_TREE_BYTES); + idx_leaf &= (~(uint32_t)0) >> (32 - SLHDSA_SHA2_128S_LEAF_BITS); + + uint8_t addr[32] = {0}; + slhdsa_set_tree_addr(addr, idx_tree); + slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE); + slhdsa_set_keypair_addr(addr, idx_leaf); + + slhdsa_fors_sign(out_signature + SLHDSA_SHA2_128S_N, fors_digest, sk_seed, + pk_seed, 
addr); + + uint8_t pk_fors[SLHDSA_SHA2_128S_N]; + slhdsa_fors_pk_from_sig(pk_fors, out_signature + SLHDSA_SHA2_128S_N, + fors_digest, pk_seed, addr); + + slhdsa_ht_sign( + out_signature + SLHDSA_SHA2_128S_N + SLHDSA_SHA2_128S_FORS_BYTES, pk_fors, + idx_tree, idx_leaf, sk_seed, pk_seed); +} + +int SLHDSA_SHA2_128S_sign( + uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES], + const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES], + const uint8_t *msg, size_t msg_len, const uint8_t *context, + size_t context_len) { + if (context_len > 255) { + return 0; + } + + // Construct header for M' as specified in Algorithm 22 + uint8_t M_prime_header[2]; + M_prime_header[0] = 0; // domain separator for pure signing + M_prime_header[1] = (uint8_t)context_len; + + uint8_t entropy[SLHDSA_SHA2_128S_N]; + RAND_bytes(entropy, sizeof(entropy)); + SLHDSA_SHA2_128S_sign_internal(out_signature, private_key, M_prime_header, + context, context_len, msg, msg_len, entropy); + return 1; +} + +// Implements Algorithm 24: slh_verify function (Section 10.3, page 41) +int SLHDSA_SHA2_128S_verify( + const uint8_t *signature, size_t signature_len, + const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES], + const uint8_t *msg, size_t msg_len, const uint8_t *context, + size_t context_len) { + if (context_len > 255) { + return 0; + } + + // Construct header for M' as specified in Algorithm 24 + uint8_t M_prime_header[2]; + M_prime_header[0] = 0; // domain separator for pure verification + M_prime_header[1] = (uint8_t)context_len; + + return SLHDSA_SHA2_128S_verify_internal(signature, signature_len, public_key, + M_prime_header, context, context_len, + msg, msg_len); +} + +int SLHDSA_SHA2_128S_verify_internal( + const uint8_t *signature, size_t signature_len, + const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES], + const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], const uint8_t *context, + size_t context_len, const uint8_t *msg, size_t msg_len) { + if (signature_len != 
SLHDSA_SHA2_128S_SIGNATURE_BYTES) { + return 0; + } + const uint8_t *pk_seed = public_key; + const uint8_t *pk_root = public_key + SLHDSA_SHA2_128S_N; + + const uint8_t *r = signature; + const uint8_t *sig_fors = signature + SLHDSA_SHA2_128S_N; + const uint8_t *sig_ht = sig_fors + SLHDSA_SHA2_128S_FORS_BYTES; + + uint8_t digest[SLHDSA_SHA2_128S_DIGEST_SIZE]; + slhdsa_thash_hmsg(digest, r, pk_seed, pk_root, header, context, context_len, + msg, msg_len); + + uint8_t fors_digest[SLHDSA_SHA2_128S_FORS_MSG_BYTES]; + OPENSSL_memcpy(fors_digest, digest, SLHDSA_SHA2_128S_FORS_MSG_BYTES); + + const uint64_t idx_tree = + load_tree_index(digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES); + uint32_t idx_leaf = CRYPTO_load_u16_be( + digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES + SLHDSA_SHA2_128S_TREE_BYTES); + idx_leaf &= (~(uint32_t)0) >> (32 - SLHDSA_SHA2_128S_LEAF_BITS); + + uint8_t addr[32] = {0}; + slhdsa_set_tree_addr(addr, idx_tree); + slhdsa_set_type(addr, SLHDSA_SHA2_128S_ADDR_TYPE_FORSTREE); + slhdsa_set_keypair_addr(addr, idx_leaf); + + uint8_t pk_fors[SLHDSA_SHA2_128S_N]; + slhdsa_fors_pk_from_sig(pk_fors, sig_fors, fors_digest, pk_seed, addr); + + return slhdsa_ht_verify(sig_ht, pk_fors, idx_tree, idx_leaf, pk_root, + pk_seed); +} diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/thash.c b/Sources/CNIOBoringSSL/crypto/slhdsa/thash.c new file mode 100644 index 000000000..dc6889489 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/slhdsa/thash.c 
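Review bot: load_tree_index reads 8 bytes at `digest + SLHDSA_SHA2_128S_FORS_MSG_BYTES` although the tree index is only SLHDSA_SHA2_128S_TREE_BYTES (7) wide, and the comment calls this an overread; what actually keeps it in bounds is that the eighth byte is the first byte of the idx_leaf field inside the same 30-byte digest, and nothing asserts that relation. The existing static_assert pins TREE_BYTES to 7 but not the buffer size, so I would add `static_assert(SLHDSA_SHA2_128S_FORS_MSG_BYTES + 8 <= SLHDSA_SHA2_128S_DIGEST_SIZE, "load_tree_index would read past the digest");` beside it and reword the comment to say the extra byte belongs to the adjacent leaf index and is masked off (21 + 8 = 29 <= 30 with these parameters). Both sign_internal and verify_internal then slice the digest as FORS_MSG_BYTES + TREE_BYTES + 2 bytes, so a second assert that this sum does not exceed DIGEST_SIZE would document the layout in one place. Separately, SLHDSA_SHA2_128S_generate_key leaves its 48-byte stack `seed` intact after copying it into the private key; `OPENSSL_cleanse(seed, sizeof(seed));` before returning is the usual BoringSSL treatment of key material, assuming <openssl/mem.h> is reachable from this file's includes, whose targets are not legible in this rendering.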
@@ -0,0 +1,173 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+#include
+
+#include
+
+#include "../internal.h"
+#include "./params.h"
+#include "./thash.h"
+
+
+// Internal thash function used by F, H, and T_l (Section 11.2, pages 44-46)
+static void slhdsa_thash(uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t *input, size_t input_blocks,
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]) {
+ SHA256_CTX sha256;
+ SHA256_Init(&sha256);
+
+ // Process pubseed with padding to full block.
+ static const uint8_t kZeros[64 - SLHDSA_SHA2_128S_N] = {0}; + SHA256_Update(&sha256, pk_seed, SLHDSA_SHA2_128S_N); + SHA256_Update(&sha256, kZeros, sizeof(kZeros)); + SHA256_Update(&sha256, addr, SLHDSA_SHA2_128S_SHA256_ADDR_BYTES); + SHA256_Update(&sha256, input, input_blocks * SLHDSA_SHA2_128S_N); + + uint8_t hash[32]; + SHA256_Final(hash, &sha256); + OPENSSL_memcpy(output, hash, SLHDSA_SHA2_128S_N); +} + +// Implements PRF_msg function (Section 4.1, page 11 and Section 11.2, pages +// 44-46) +void slhdsa_thash_prfmsg(uint8_t output[SLHDSA_SHA2_128S_N], + const uint8_t sk_prf[SLHDSA_SHA2_128S_N], + const uint8_t entropy[SLHDSA_SHA2_128S_N], + const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], + const uint8_t *ctx, size_t ctx_len, const uint8_t *msg, + size_t msg_len) { + // Compute HMAC-SHA256(sk_prf, entropy || header || ctx || msg). We inline + // HMAC to avoid an allocation. + uint8_t hmac_key[SHA256_CBLOCK]; + static_assert(SLHDSA_SHA2_128S_N <= SHA256_CBLOCK, + "HMAC key is larger than block size"); + OPENSSL_memcpy(hmac_key, sk_prf, SLHDSA_SHA2_128S_N); + for (size_t i = 0; i < SLHDSA_SHA2_128S_N; i++) { + hmac_key[i] ^= 0x36; + } + OPENSSL_memset(hmac_key + SLHDSA_SHA2_128S_N, 0x36, + sizeof(hmac_key) - SLHDSA_SHA2_128S_N); + + SHA256_CTX sha_ctx; + SHA256_Init(&sha_ctx); + SHA256_Update(&sha_ctx, hmac_key, sizeof(hmac_key)); + SHA256_Update(&sha_ctx, entropy, SLHDSA_SHA2_128S_N); + if (header) { + SHA256_Update(&sha_ctx, header, SLHDSA_M_PRIME_HEADER_LEN); + } + SHA256_Update(&sha_ctx, ctx, ctx_len); + SHA256_Update(&sha_ctx, msg, msg_len); + uint8_t hash[SHA256_DIGEST_LENGTH]; + SHA256_Final(hash, &sha_ctx); + + for (size_t i = 0; i < SLHDSA_SHA2_128S_N; i++) { + hmac_key[i] ^= 0x36 ^ 0x5c; + } + OPENSSL_memset(hmac_key + SLHDSA_SHA2_128S_N, 0x5c, + sizeof(hmac_key) - SLHDSA_SHA2_128S_N); + + SHA256_Init(&sha_ctx); + SHA256_Update(&sha_ctx, hmac_key, sizeof(hmac_key)); + SHA256_Update(&sha_ctx, hash, sizeof(hash)); + SHA256_Final(hash, &sha_ctx); + + // 
Truncate to SLHDSA_SHA2_128S_N bytes + OPENSSL_memcpy(output, hash, SLHDSA_SHA2_128S_N); +} + +// Implements H_msg function (Section 4.1, page 11 and Section 11.2, pages +// 44-46) +void slhdsa_thash_hmsg(uint8_t output[SLHDSA_SHA2_128S_DIGEST_SIZE], + const uint8_t r[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + const uint8_t pk_root[SLHDSA_SHA2_128S_N], + const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN], + const uint8_t *ctx, size_t ctx_len, const uint8_t *msg, + size_t msg_len) { + // MGF1-SHA-256(R || PK.seed || SHA-256(R || PK.seed || PK.root || header || + // ctx || M), m) input_buffer stores R || PK_SEED || SHA256(..) || 4-byte + // index + uint8_t input_buffer[2 * SLHDSA_SHA2_128S_N + 32 + 4] = {0}; + OPENSSL_memcpy(input_buffer, r, SLHDSA_SHA2_128S_N); + OPENSSL_memcpy(input_buffer + SLHDSA_SHA2_128S_N, pk_seed, + SLHDSA_SHA2_128S_N); + + // Inner hash + SHA256_CTX sha_ctx; + SHA256_Init(&sha_ctx); + SHA256_Update(&sha_ctx, r, SLHDSA_SHA2_128S_N); + SHA256_Update(&sha_ctx, pk_seed, SLHDSA_SHA2_128S_N); + SHA256_Update(&sha_ctx, pk_root, SLHDSA_SHA2_128S_N); + if (header) { + SHA256_Update(&sha_ctx, header, SLHDSA_M_PRIME_HEADER_LEN); + } + SHA256_Update(&sha_ctx, ctx, ctx_len); + SHA256_Update(&sha_ctx, msg, msg_len); + // Write directly into the input buffer + SHA256_Final(input_buffer + 2 * SLHDSA_SHA2_128S_N, &sha_ctx); + + // MGF1-SHA-256 + uint8_t hash[32]; + static_assert(SLHDSA_SHA2_128S_DIGEST_SIZE < sizeof(hash), + "More MGF1 iterations required"); + SHA256(input_buffer, sizeof(input_buffer), hash); + OPENSSL_memcpy(output, hash, SLHDSA_SHA2_128S_DIGEST_SIZE); +} + +// Implements PRF function (Section 4.1, page 11 and Section 11.2, pages 44-46) +void slhdsa_thash_prf(uint8_t output[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + const uint8_t sk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + slhdsa_thash(output, sk_seed, 1, pk_seed, addr); +} + +// Implements T_l function for WOTS+ public key compression 
(Section 4.1, page +// 11 and Section 11.2, pages 44-46) +void slhdsa_thash_tl(uint8_t output[SLHDSA_SHA2_128S_N], + const uint8_t input[SLHDSA_SHA2_128S_WOTS_BYTES], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + slhdsa_thash(output, input, SLHDSA_SHA2_128S_WOTS_LEN, pk_seed, addr); +} + +// Implements H function (Section 4.1, page 11 and Section 11.2, pages 44-46) +void slhdsa_thash_h(uint8_t output[SLHDSA_SHA2_128S_N], + const uint8_t input[2 * SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + slhdsa_thash(output, input, 2, pk_seed, addr); +} + +// Implements F function (Section 4.1, page 11 and Section 11.2, pages 44-46) +void slhdsa_thash_f(uint8_t output[SLHDSA_SHA2_128S_N], + const uint8_t input[SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], + uint8_t addr[32]) { + slhdsa_thash(output, input, 1, pk_seed, addr); +} + +// Implements T_k function for FORS public key compression (Section 4.1, page 11 +// and Section 11.2, pages 44-46) +void slhdsa_thash_tk( + uint8_t output[SLHDSA_SHA2_128S_N], + const uint8_t input[SLHDSA_SHA2_128S_FORS_TREES * SLHDSA_SHA2_128S_N], + const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]) { + slhdsa_thash(output, input, SLHDSA_SHA2_128S_FORS_TREES, pk_seed, addr); +} diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/thash.h b/Sources/CNIOBoringSSL/crypto/slhdsa/thash.h new file mode 100644 index 000000000..19d9cd39b --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/slhdsa/thash.h 
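Review bot: slhdsa_thash_prfmsg expands sk_prf into the stack buffer `hmac_key` and keys `sha_ctx` with it, then returns with both left uncleared; sk_prf is long-lived private-key material, and BoringSSL's own HMAC_CTX implementation zeroizes its key pads on cleanup. I would add `OPENSSL_cleanse(hmac_key, sizeof(hmac_key));` and `OPENSSL_cleanse(&sha_ctx, sizeof(sha_ctx));` before the final OPENSSL_memcpy, provided <openssl/mem.h> is among the includes whose targets are not legible in this rendering. A minor nit in slhdsa_thash_hmsg: the guard is `static_assert(SLHDSA_SHA2_128S_DIGEST_SIZE < sizeof(hash), ...)`, but `<=` is the condition that actually guarantees a single MGF1 block suffices; both hold for the 30-byte digest, so the assert is merely stricter than needed.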
@@ -0,0 +1,85 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_THASH_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_THASH_H
+
+#include "./params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Implements PRF_msg: a pseudo-random function that is used to generate the
+// randomizer r for the randomized hashing of the message to be signed.
+// (Section 4.1, page 11)
+void slhdsa_thash_prfmsg(uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_prf[SLHDSA_SHA2_128S_N],
+ const uint8_t opt_rand[SLHDSA_SHA2_128S_N],
+ const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN],
+ const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,
+ size_t msg_len);
+
+// Implements H_msg: a hash function used to generate the digest of the message
+// to be signed. (Section 4.1, page 11)
+void slhdsa_thash_hmsg(uint8_t output[SLHDSA_SHA2_128S_DIGEST_SIZE],
+ const uint8_t r[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_root[SLHDSA_SHA2_128S_N],
+ const uint8_t header[SLHDSA_M_PRIME_HEADER_LEN],
+ const uint8_t *ctx, size_t ctx_len, const uint8_t *msg,
+ size_t msg_len);
+
+// Implements PRF: a pseudo-random function that is used to generate the secret
+// values in WOTS+ and FORS private keys. (Section 4.1, page 11)
+void slhdsa_thash_prf(uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements T_l: a hash function that maps an l*n-byte message to an n-byte
+// message. Used for WOTS+ public key compression. (Section 4.1, page 11)
+void slhdsa_thash_tl(uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t input[SLHDSA_SHA2_128S_WOTS_BYTES],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements H: a hash function that takes a 2*n-byte message as input and
+// produces an n-byte output. (Section 4.1, page 11)
+void slhdsa_thash_h(uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t input[2 * SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements F: a hash function that takes an n-byte message as input and
+// produces an n-byte output. (Section 4.1, page 11)
+void slhdsa_thash_f(uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t input[SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements T_k: a hash function that maps a k*n-byte message to an n-byte
+// message. Used for FORS public key compression. (Section 4.1, page 11)
+void slhdsa_thash_tk(
+ uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t input[SLHDSA_SHA2_128S_FORS_TREES * SLHDSA_SHA2_128S_N],
+ const uint8_t pk_seed[SLHDSA_SHA2_128S_N], uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SLHDSA_THASH_H
diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/wots.c b/Sources/CNIOBoringSSL/crypto/slhdsa/wots.c
new file mode 100644
index 000000000..6ee942b91
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/slhdsa/wots.c
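Review bot: The declaration of slhdsa_thash_hmsg does not say that `header` may be NULL, yet the implementation in thash.c earlier in this commit guards it with `if (header)` and simply omits it from the inner hash; a caller reading only this header cannot tell that passing NULL is a supported way to leave the M' header out. A one-line comment above the prototype, `// header may be NULL, in which case it is omitted from the hash.`, would state the contract where callers look for it. slhdsa_thash_prfmsg presumably follows the same convention, but its body is outside this view, so confirm before documenting it the same way.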
@@ -0,0 +1,171 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+#include
+#include
+
+#include "../internal.h"
+#include "./address.h"
+#include "./params.h"
+#include "./thash.h"
+#include "./wots.h"
+
+
+// Implements Algorithm 5: chain function, page 18
+static void chain(uint8_t output[SLHDSA_SHA2_128S_N],
+ const uint8_t input[SLHDSA_SHA2_128S_N], uint32_t start,
+ uint32_t steps, const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]) {
+ assert(start < SLHDSA_SHA2_128S_WOTS_W);
+ assert(steps < SLHDSA_SHA2_128S_WOTS_W);
+
+ OPENSSL_memcpy(output, input, SLHDSA_SHA2_128S_N);
+
+ for (size_t i = start; i < (start + steps) && i < SLHDSA_SHA2_128S_WOTS_W;
+ ++i) {
+ slhdsa_set_hash_addr(addr, i);
+ slhdsa_thash_f(output, output, pub_seed, addr);
+ }
+}
+
+static void slhdsa_wots_do_chain(uint8_t out[SLHDSA_SHA2_128S_N],
+ uint8_t sk_addr[32], uint8_t addr[32],
+ uint8_t value,
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint32_t chain_index) {
+ uint8_t tmp_sk[SLHDSA_SHA2_128S_N];
+ slhdsa_set_chain_addr(sk_addr, chain_index);
+ slhdsa_thash_prf(tmp_sk, pub_seed, sk_seed, sk_addr);
+ slhdsa_set_chain_addr(addr, chain_index);
+ chain(out, tmp_sk, 0, value, pub_seed, addr);
+}
+
+// Implements Algorithm 6: wots_pkGen function, page 18
+void slhdsa_wots_pk_gen(uint8_t pk[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]) {
+ uint8_t wots_pk_addr[32], sk_addr[32];
+ OPENSSL_memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr));
+ OPENSSL_memcpy(sk_addr, addr, sizeof(sk_addr));
+ slhdsa_set_type(sk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF);
+ slhdsa_copy_keypair_addr(sk_addr, addr);
+
+ uint8_t tmp[SLHDSA_SHA2_128S_WOTS_BYTES];
+ for (size_t i = 0; i < SLHDSA_SHA2_128S_WOTS_LEN; ++i) {
+ slhdsa_wots_do_chain(tmp + i * SLHDSA_SHA2_128S_N, sk_addr, addr,
+ SLHDSA_SHA2_128S_WOTS_W - 1, sk_seed, pub_seed, i);
+ }
+
+ // Compress pk
+ slhdsa_set_type(wots_pk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK);
+ slhdsa_copy_keypair_addr(wots_pk_addr, addr);
+ slhdsa_thash_tl(pk, tmp, pub_seed, wots_pk_addr);
+}
+
+// Implements Algorithm 7: wots_sign function, page 20
+void slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
+ const uint8_t msg[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]) {
+ // Compute checksum
+ static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == SLHDSA_SHA2_128S_N * 2, "");
+ uint16_t csum = 0;
+ for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+ csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] >> 4);
+ csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] & 15);
+ }
+
+ // Compute chains
+ uint8_t sk_addr[32];
+ OPENSSL_memcpy(sk_addr, addr, sizeof(sk_addr));
+ slhdsa_set_type(sk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPRF);
+ slhdsa_copy_keypair_addr(sk_addr, addr);
+
+ uint32_t chain_index = 0;
+ for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+ slhdsa_wots_do_chain(sig, sk_addr, addr, msg[i] >> 4, sk_seed, pub_seed,
+ chain_index++);
+ sig += SLHDSA_SHA2_128S_N;
+
+ slhdsa_wots_do_chain(sig, sk_addr, addr, msg[i] & 15, sk_seed, pub_seed,
+ chain_index++);
+ sig += SLHDSA_SHA2_128S_N;
+ }
+
+ // Include the SLHDSA_SHA2_128S_WOTS_LEN2 checksum values.
+ slhdsa_wots_do_chain(sig, sk_addr, addr, (csum >> 8) & 15, sk_seed, pub_seed,
+ chain_index++);
+ sig += SLHDSA_SHA2_128S_N;
+ slhdsa_wots_do_chain(sig, sk_addr, addr, (csum >> 4) & 15, sk_seed, pub_seed,
+ chain_index++);
+ sig += SLHDSA_SHA2_128S_N;
+ slhdsa_wots_do_chain(sig, sk_addr, addr, csum & 15, sk_seed, pub_seed,
+ chain_index++);
+}
+
+static void slhdsa_wots_pk_from_sig_do_chain(
+ uint8_t out[SLHDSA_SHA2_128S_WOTS_BYTES], uint8_t addr[32],
+ const uint8_t in[SLHDSA_SHA2_128S_WOTS_BYTES], uint8_t value,
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N], uint32_t chain_index) {
+ slhdsa_set_chain_addr(addr, chain_index);
+ chain(out + chain_index * SLHDSA_SHA2_128S_N,
+ in + chain_index * SLHDSA_SHA2_128S_N, value,
+ SLHDSA_SHA2_128S_WOTS_W - 1 - value, pub_seed, addr);
+}
+
+// Implements Algorithm 8: wots_pkFromSig function, page 21
+void slhdsa_wots_pk_from_sig(uint8_t pk[SLHDSA_SHA2_128S_N],
+ const uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
+ const uint8_t msg[SLHDSA_SHA2_128S_N],
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]) {
+ // Compute checksum
+ static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == SLHDSA_SHA2_128S_N * 2, "");
+ uint16_t csum = 0;
+ for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+ csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] >> 4);
+ csum += SLHDSA_SHA2_128S_WOTS_W - 1 - (msg[i] & 15);
+ }
+
+ uint8_t tmp[SLHDSA_SHA2_128S_WOTS_BYTES];
+ uint8_t wots_pk_addr[32];
+ OPENSSL_memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr));
+
+ uint32_t chain_index = 0;
+ static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == SLHDSA_SHA2_128S_N * 2, "");
+ for (size_t i = 0; i < SLHDSA_SHA2_128S_N; ++i) {
+ slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, msg[i] >> 4, pub_seed,
+ chain_index++);
+ slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, msg[i] & 15, pub_seed,
+ chain_index++);
+ }
+
+ slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, csum >> 8, pub_seed,
+ chain_index++);
+ slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, (csum >> 4) & 15, pub_seed,
+ chain_index++);
+ slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, csum & 15, pub_seed,
+ chain_index++);
+
+ // Compress pk
+ slhdsa_set_type(wots_pk_addr, SLHDSA_SHA2_128S_ADDR_TYPE_WOTSPK);
+ slhdsa_copy_keypair_addr(wots_pk_addr, addr);
+ slhdsa_thash_tl(pk, tmp, pub_seed, wots_pk_addr);
+}
diff --git a/Sources/CNIOBoringSSL/crypto/slhdsa/wots.h b/Sources/CNIOBoringSSL/crypto/slhdsa/wots.h
new file mode 100644
index 000000000..8b3ca2ded
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/slhdsa/wots.h
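Review bot: In slhdsa_wots_pk_from_sig the first checksum digit is passed as `csum >> 8`, while slhdsa_wots_sign derives the same digit as `(csum >> 8) & 15`; signer and verifier must map the checksum to identical base-w digits, so the expression should be written identically in both places, `slhdsa_wots_pk_from_sig_do_chain(tmp, addr, sig, (csum >> 8) & 15, pub_seed, chain_index++);`. csum is a sum of 2n terms each at most W-1, so for the 128s parameters the top digit can only be 0 or 1 and the results agree today, but as written the `assert(start < SLHDSA_SHA2_128S_WOTS_W)` in chain holds by arithmetic rather than by construction. The same function repeats `static_assert(SLHDSA_SHA2_128S_WOTS_LEN1 == SLHDSA_SHA2_128S_N * 2, "");` a second time just before the loop; one copy, where the checksum is computed, is enough. In chain the loop index `i` is a size_t handed to slhdsa_set_hash_addr, which presumably takes a 32-bit value like the other address setters used here; declaring `i` as uint32_t would avoid the implicit narrowing.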
@@ -0,0 +1,50 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SLHDSA_WOTS_H
+#define OPENSSL_HEADER_CRYPTO_SLHDSA_WOTS_H
+
+#include "./params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Implements Algorithm 6: wots_pkGen function, page 18
+void slhdsa_wots_pk_gen(uint8_t pk[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements Algorithm 7: wots_sign function, page 20
+void slhdsa_wots_sign(uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
+ const uint8_t msg[SLHDSA_SHA2_128S_N],
+ const uint8_t sk_seed[SLHDSA_SHA2_128S_N],
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+// Implements Algorithm 8: wots_pkFromSig function, page 21
+void slhdsa_wots_pk_from_sig(uint8_t pk[SLHDSA_SHA2_128S_N],
+ const uint8_t sig[SLHDSA_SHA2_128S_WOTS_BYTES],
+ const uint8_t msg[SLHDSA_SHA2_128S_N],
+ const uint8_t pub_seed[SLHDSA_SHA2_128S_N],
+ uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SLHDSA_WOTS_H
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx.c b/Sources/CNIOBoringSSL/crypto/spx/spx.c
new file mode 100644
index 000000000..cd1bedcfb
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx.c
@@ -0,0 +1,140 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+
+#define OPENSSL_UNSTABLE_EXPERIMENTAL_SPX
+#include
+#include
+
+#include "./spx_address.h"
+#include "./spx_fors.h"
+#include "./spx_merkle.h"
+#include "./spx_params.h"
+#include "./spx_util.h"
+#include "./spx_thash.h"
+
+void SPX_generate_key(uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES],
+ uint8_t out_secret_key[SPX_SECRET_KEY_BYTES]) {
+ uint8_t seed[3 * SPX_N];
+ RAND_bytes(seed, 3 * SPX_N);
+ SPX_generate_key_from_seed(out_public_key, out_secret_key, seed);
+}
+
+void SPX_generate_key_from_seed(uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES],
+ uint8_t out_secret_key[SPX_SECRET_KEY_BYTES],
+ const uint8_t seed[3 * SPX_N]) {
+ // Initialize SK.seed || SK.prf || PK.seed from seed.
+ memcpy(out_secret_key, seed, 3 * SPX_N);
+
+ // Initialize PK.seed from seed.
+ memcpy(out_public_key, seed + 2 * SPX_N, SPX_N);
+
+ uint8_t addr[32] = {0};
+ spx_set_layer_addr(addr, SPX_D - 1);
+
+ // Set PK.root
+ spx_treehash(out_public_key + SPX_N, out_secret_key, 0, SPX_TREE_HEIGHT,
+ out_public_key, addr);
+ memcpy(out_secret_key + 3 * SPX_N, out_public_key + SPX_N, SPX_N);
+}
+
+void SPX_sign(uint8_t out_signature[SPX_SIGNATURE_BYTES],
+ const uint8_t secret_key[SPX_SECRET_KEY_BYTES],
+ const uint8_t *msg, size_t msg_len, int randomized) {
+ uint8_t addr[32] = {0};
+ const uint8_t *sk_seed = secret_key;
+ const uint8_t *sk_prf = secret_key + SPX_N;
+ const uint8_t *pk_seed = secret_key + 2 * SPX_N;
+ const uint8_t *pk_root = secret_key + 3 * SPX_N;
+
+ uint8_t opt_rand[SPX_N] = {0};
+
+ if (randomized) {
+ RAND_bytes(opt_rand, SPX_N);
+ } else {
+ memcpy(opt_rand, pk_seed, SPX_N);
+ }
+
+ // Derive randomizer r and copy it to signature.
+ uint8_t r[SPX_N];
+ spx_thash_prfmsg(r, sk_prf, opt_rand, msg, msg_len);
+ memcpy(out_signature, r, SPX_N);
+
+ uint8_t digest[SPX_DIGEST_SIZE];
+ spx_thash_hmsg(digest, r, pk_seed, pk_root, msg, msg_len);
+
+ uint8_t fors_digest[SPX_FORS_MSG_BYTES];
+ memcpy(fors_digest, digest, SPX_FORS_MSG_BYTES);
+
+ uint8_t *tmp_idx_tree = digest + SPX_FORS_MSG_BYTES;
+ uint8_t *tmp_idx_leaf = tmp_idx_tree + SPX_TREE_BYTES;
+
+ uint64_t idx_tree = spx_to_uint64(tmp_idx_tree, SPX_TREE_BYTES);
+ idx_tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
+
+ uint32_t idx_leaf = (uint32_t)spx_to_uint64(tmp_idx_leaf, SPX_LEAF_BYTES);
+ idx_leaf &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
+
+ spx_set_tree_addr(addr, idx_tree);
+ spx_set_type(addr, SPX_ADDR_TYPE_FORSTREE);
+ spx_set_keypair_addr(addr, idx_leaf);
+
+ spx_fors_sign(out_signature + SPX_N, fors_digest, sk_seed, pk_seed, addr);
+
+ uint8_t pk_fors[SPX_N];
+ spx_fors_pk_from_sig(pk_fors, out_signature + SPX_N, fors_digest, pk_seed,
+ addr);
+
+ spx_ht_sign(out_signature + SPX_N + SPX_FORS_BYTES, pk_fors, idx_tree,
+ idx_leaf, sk_seed, pk_seed);
+}
+
+int SPX_verify(const uint8_t signature[SPX_SIGNATURE_BYTES],
+ const uint8_t public_key[SPX_SECRET_KEY_BYTES],
+ const uint8_t *msg, size_t msg_len) {
+ uint8_t addr[32] = {0};
+ const uint8_t *pk_seed = public_key;
+ const uint8_t *pk_root = public_key + SPX_N;
+
+ const uint8_t *r = signature;
+ const uint8_t *sig_fors = signature + SPX_N;
+ const uint8_t *sig_ht = sig_fors + SPX_FORS_BYTES;
+
+ uint8_t digest[SPX_DIGEST_SIZE];
+ spx_thash_hmsg(digest, r, pk_seed, pk_root, msg, msg_len);
+
+ uint8_t fors_digest[SPX_FORS_MSG_BYTES];
+ memcpy(fors_digest, digest, SPX_FORS_MSG_BYTES);
+
+ uint8_t *tmp_idx_tree = digest + SPX_FORS_MSG_BYTES;
+ uint8_t *tmp_idx_leaf = tmp_idx_tree + SPX_TREE_BYTES;
+
+ uint64_t idx_tree = spx_to_uint64(tmp_idx_tree, SPX_TREE_BYTES);
+ idx_tree &= (~(uint64_t)0) >> (64 - SPX_TREE_BITS);
+
+ uint32_t idx_leaf = (uint32_t)spx_to_uint64(tmp_idx_leaf, SPX_LEAF_BYTES);
+ idx_leaf &= (~(uint32_t)0) >> (32 - SPX_LEAF_BITS);
+
+ spx_set_tree_addr(addr, idx_tree);
+ spx_set_type(addr, SPX_ADDR_TYPE_FORSTREE);
+ spx_set_keypair_addr(addr, idx_leaf);
+
+ uint8_t pk_fors[SPX_N];
+ spx_fors_pk_from_sig(pk_fors, sig_fors, fors_digest, pk_seed, addr);
+
+ return spx_ht_verify(sig_ht, pk_fors, idx_tree, idx_leaf, pk_root, pk_seed);
+}
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_address.c b/Sources/CNIOBoringSSL/crypto/spx/spx_address.c
new file mode 100644
index 000000000..2a1e6ff54
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_address.c
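Review bot: SPX_verify declares its key as `const uint8_t public_key[SPX_SECRET_KEY_BYTES]` although it only reads PK.seed and PK.root at offsets 0 and SPX_N; the bound on an array parameter is documentation only in C, but this one advertises the wrong size to callers and disagrees with the `out_public_key[SPX_PUBLIC_KEY_BYTES]` used by SPX_generate_key two functions above. The line should read `const uint8_t public_key[SPX_PUBLIC_KEY_BYTES],`, and the matching prototype in the public header (outside this view) should be checked for the same typo. Separately, SPX_generate_key and the randomized branch of SPX_sign ignore the return value of RAND_bytes; in BoringSSL that call is documented to always succeed, but a short comment such as `// RAND_bytes cannot fail in BoringSSL.` at the first call would spare the next reader the question.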
@@ -0,0 +1,101 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+
+#include "../internal.h"
+#include "./spx_address.h"
+#include "./spx_util.h"
+
+
+// Offsets of various fields in the address structure for SPHINCS+-SHA2-128s.
+
+// The byte used to specify the Merkle tree layer.
+#define SPX_OFFSET_LAYER 0
+
+// The start of the 8 byte field used to specify the tree.
+#define SPX_OFFSET_TREE 1
+
+// The byte used to specify the hash type (reason).
+#define SPX_OFFSET_TYPE 9
+
+// The high byte used to specify the key pair (which one-time signature).
+#define SPX_OFFSET_KP_ADDR2 12
+
+// The low byte used to specific the key pair.
+#define SPX_OFFSET_KP_ADDR1 13
+
+// The byte used to specify the chain address (which Winternitz chain).
+#define SPX_OFFSET_CHAIN_ADDR 17
+
+// The byte used to specify the hash address (where in the Winternitz chain).
+#define SPX_OFFSET_HASH_ADDR 21
+
+// The byte used to specify the height of this node in the FORS or Merkle tree.
+#define SPX_OFFSET_TREE_HGT 17
+
+// The start of the 4 byte field used to specify the node in the FORS or Merkle
+// tree.
+#define SPX_OFFSET_TREE_INDEX 18
+
+
+void spx_set_chain_addr(uint8_t addr[32], uint32_t chain) {
+ addr[SPX_OFFSET_CHAIN_ADDR] = (uint8_t)chain;
+}
+
+void spx_set_hash_addr(uint8_t addr[32], uint32_t hash) {
+ addr[SPX_OFFSET_HASH_ADDR] = (uint8_t)hash;
+}
+
+void spx_set_keypair_addr(uint8_t addr[32], uint32_t keypair) {
+ addr[SPX_OFFSET_KP_ADDR2] = (uint8_t)(keypair >> 8);
+ addr[SPX_OFFSET_KP_ADDR1] = (uint8_t)keypair;
+}
+
+void spx_copy_keypair_addr(uint8_t out[32], const uint8_t in[32]) {
+ memcpy(out, in, SPX_OFFSET_TREE + 8);
+ out[SPX_OFFSET_KP_ADDR2] = in[SPX_OFFSET_KP_ADDR2];
+ out[SPX_OFFSET_KP_ADDR1] = in[SPX_OFFSET_KP_ADDR1];
+}
+
+void spx_set_layer_addr(uint8_t addr[32], uint32_t layer) {
+ addr[SPX_OFFSET_LAYER] = (uint8_t)layer;
+}
+
+void spx_set_tree_addr(uint8_t addr[32], uint64_t tree) {
+ spx_uint64_to_len_bytes(&addr[SPX_OFFSET_TREE], 8, tree);
+}
+
+void spx_set_type(uint8_t addr[32], uint32_t type) {
+ // NIST draft relies on this setting parts of the address to 0, so we do it
+ // here to avoid confusion.
+ //
+ // The behavior here is only correct for the SHA2 instantiations.
+ memset(addr + 10, 0, 12);
+ addr[SPX_OFFSET_TYPE] = (uint8_t)type;
+}
+
+void spx_set_tree_height(uint8_t addr[32], uint32_t tree_height) {
+ addr[SPX_OFFSET_TREE_HGT] = (uint8_t)tree_height;
+}
+
+void spx_set_tree_index(uint8_t addr[32], uint32_t tree_index) {
+ CRYPTO_store_u32_be(&addr[SPX_OFFSET_TREE_INDEX], tree_index);
+}
+
+uint32_t spx_get_tree_index(uint8_t addr[32]) {
+ return CRYPTO_load_u32_be(addr + SPX_OFFSET_TREE_INDEX);
+}
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_address.h b/Sources/CNIOBoringSSL/crypto/spx/spx_address.h
new file mode 100644
index 000000000..7e2499fb5
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_address.h
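Review bot: spx_set_type clears the address with `memset(addr + 10, 0, 12)` even though this file defines a named offset for every field it touches; 10 is SPX_OFFSET_TYPE + 1 and the range ends at 22 = SPX_OFFSET_TREE_INDEX + 4, so the intent (zero everything after the type byte through the end of the tree-index field) is hidden behind two magic numbers that would silently drift if an offset changed. Writing it as `memset(addr + SPX_OFFSET_TYPE + 1, 0, SPX_OFFSET_TREE_INDEX + 4 - (SPX_OFFSET_TYPE + 1));` ties the clear to the layout the comments describe. Also, spx_get_tree_index only reads its argument but takes `uint8_t addr[32]`; making it `const uint8_t addr[32]` here and in the spx_address.h declaration in the next hunk lets callers pass const addresses without a cast.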
@@ -0,0 +1,50 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
+#define OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
+
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+#define SPX_ADDR_TYPE_WOTS 0
+#define SPX_ADDR_TYPE_WOTSPK 1
+#define SPX_ADDR_TYPE_HASHTREE 2
+#define SPX_ADDR_TYPE_FORSTREE 3
+#define SPX_ADDR_TYPE_FORSPK 4
+#define SPX_ADDR_TYPE_WOTSPRF 5
+#define SPX_ADDR_TYPE_FORSPRF 6
+
+void spx_set_chain_addr(uint8_t addr[32], uint32_t chain);
+void spx_set_hash_addr(uint8_t addr[32], uint32_t hash);
+void spx_set_keypair_addr(uint8_t addr[32], uint32_t keypair);
+void spx_set_layer_addr(uint8_t addr[32], uint32_t layer);
+void spx_set_tree_addr(uint8_t addr[32], uint64_t tree);
+void spx_set_type(uint8_t addr[32], uint32_t type);
+void spx_set_tree_height(uint8_t addr[32], uint32_t tree_height);
+void spx_set_tree_index(uint8_t addr[32], uint32_t tree_index);
+void spx_copy_keypair_addr(uint8_t out[32], const uint8_t in[32]);
+
+uint32_t spx_get_tree_index(uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SPX_ADDRESS_H
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_fors.c b/Sources/CNIOBoringSSL/crypto/spx/spx_fors.c
new file mode 100644
index 000000000..937a205fc
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_fors.c
@@ -0,0 +1,133 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+
+#include "./spx_address.h"
+#include "./spx_fors.h"
+#include "./spx_params.h"
+#include "./spx_util.h"
+#include "./spx_thash.h"
+
+void spx_fors_sk_gen(uint8_t *fors_sk, uint32_t idx,
+ const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N],
+ uint8_t addr[32]) {
+ uint8_t sk_addr[32];
+ memcpy(sk_addr, addr, sizeof(sk_addr));
+
+ spx_set_type(sk_addr, SPX_ADDR_TYPE_FORSPRF);
+ spx_copy_keypair_addr(sk_addr, addr);
+ spx_set_tree_index(sk_addr, idx);
+ spx_thash_prf(fors_sk, pk_seed, sk_seed, sk_addr);
+}
+
+void spx_fors_treehash(uint8_t root_node[SPX_N], const uint8_t sk_seed[SPX_N],
+ uint32_t i /*target node index*/,
+ uint32_t z /*target node height*/,
+ const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
+
+ BSSL_CHECK(z <= SPX_FORS_HEIGHT);
+ BSSL_CHECK(i < (uint32_t)(SPX_FORS_TREES * (1 << (SPX_FORS_HEIGHT - z))));
+
+ if (z == 0) {
+ uint8_t sk[SPX_N];
+ spx_set_tree_height(addr, 0);
+ spx_set_tree_index(addr, i);
+ spx_fors_sk_gen(sk, i, sk_seed, pk_seed, addr);
+ spx_thash_f(root_node, sk, pk_seed, addr);
+ } else {
+ // Stores left node and right node.
+ uint8_t nodes[2 * SPX_N];
+ spx_fors_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr);
+ spx_fors_treehash(nodes + SPX_N, sk_seed, 2 * i + 1, z - 1, pk_seed, addr);
+ spx_set_tree_height(addr, z);
+ spx_set_tree_index(addr, i);
+ spx_thash_h(root_node, nodes, pk_seed, addr);
+ }
+}
+
+void spx_fors_sign(uint8_t *fors_sig, const uint8_t message[SPX_FORS_MSG_BYTES],
+ const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N],
+ uint8_t addr[32]) {
+ uint32_t indices[SPX_FORS_TREES];
+
+ // Derive FORS indices compatible with the NIST changes.
+ spx_base_b(indices, SPX_FORS_TREES, message, /*log2_b=*/SPX_FORS_HEIGHT);
+
+ for (size_t i = 0; i < SPX_FORS_TREES; ++i) {
+ spx_set_tree_height(addr, 0);
+ // Write the FORS secret key element to the correct position.
+ spx_fors_sk_gen(fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1),
+ i * (1 << SPX_FORS_HEIGHT) + indices[i], sk_seed, pk_seed,
+ addr);
+ for (size_t j = 0; j < SPX_FORS_HEIGHT; ++j) {
+ size_t s = (indices[i] / (1 << j)) ^ 1;
+ // Write the FORS auth path element to the correct position.
+ spx_fors_treehash(fors_sig + SPX_N * (i * (SPX_FORS_HEIGHT + 1) + j + 1),
+ sk_seed, i * (1ULL << (SPX_FORS_HEIGHT - j)) + s, j,
+ pk_seed, addr);
+ }
+ }
+}
+
+void spx_fors_pk_from_sig(uint8_t *fors_pk,
+ const uint8_t fors_sig[SPX_FORS_BYTES],
+ const uint8_t message[SPX_FORS_MSG_BYTES],
+ const uint8_t pk_seed[SPX_N], uint8_t addr[32]) {
+ uint32_t indices[SPX_FORS_TREES];
+ uint8_t tmp[2 * SPX_N];
+ uint8_t roots[SPX_FORS_TREES * SPX_N];
+
+ // Derive FORS indices compatible with the NIST changes.
+ spx_base_b(indices, SPX_FORS_TREES, message, /*log2_b=*/SPX_FORS_HEIGHT);
+
+ for (size_t i = 0; i < SPX_FORS_TREES; ++i) {
+ // Pointer to current sk and authentication path
+ const uint8_t *sk = fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1);
+ const uint8_t *auth = fors_sig + i * SPX_N * (SPX_FORS_HEIGHT + 1) + SPX_N;
+ uint8_t nodes[2 * SPX_N];
+
+ spx_set_tree_height(addr, 0);
+ spx_set_tree_index(addr, (i * (1 << SPX_FORS_HEIGHT)) + indices[i]);
+
+ spx_thash_f(nodes, sk, pk_seed, addr);
+
+ for (size_t j = 0; j < SPX_FORS_HEIGHT; ++j) {
+ spx_set_tree_height(addr, j + 1);
+
+ // Even node
+ if (((indices[i] / (1 << j)) % 2) == 0) {
+ spx_set_tree_index(addr, spx_get_tree_index(addr) / 2);
+ memcpy(tmp, nodes, SPX_N);
+ memcpy(tmp + SPX_N, auth + j * SPX_N, SPX_N);
+ spx_thash_h(nodes + SPX_N, tmp, pk_seed, addr);
+ } else {
+ spx_set_tree_index(addr, (spx_get_tree_index(addr) - 1) / 2);
+ memcpy(tmp, auth + j * SPX_N, SPX_N);
+ memcpy(tmp + SPX_N, nodes, SPX_N);
+ spx_thash_h(nodes + SPX_N, tmp, pk_seed, addr);
+ }
+ memcpy(nodes, nodes + SPX_N, SPX_N);
+ }
+ memcpy(roots + i * SPX_N, nodes, SPX_N);
+ }
+
+ uint8_t forspk_addr[32];
+ memcpy(forspk_addr, addr, sizeof(forspk_addr));
+ spx_set_type(forspk_addr, SPX_ADDR_TYPE_FORSPK);
+ spx_copy_keypair_addr(forspk_addr, addr);
+ spx_thash_tk(fors_pk, roots, pk_seed, forspk_addr);
+}
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_fors.h b/Sources/CNIOBoringSSL/crypto/spx/spx_fors.h
new file mode 100644
index 000000000..b5e4ee64a
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_fors.h
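Review bot: spx_fors_sign computes the leaf index for spx_fors_sk_gen as `i * (1 << SPX_FORS_HEIGHT) + indices[i]` (int shift, size_t product) and, on the very next call, the node index for spx_fors_treehash as `i * (1ULL << (SPX_FORS_HEIGHT - j)) + s` (unsigned long long), then passes both to a `uint32_t` parameter, so each line narrows a different wide type without a cast; spx_fors_pk_from_sig repeats the first form for spx_set_tree_index. The values are bounded by SPX_FORS_TREES * 2^SPX_FORS_HEIGHT and fit in uint32_t for the parameter set this file targets, so the narrowing is benign, but computing the index once in the parameter's own type, e.g. `uint32_t leaf = (uint32_t)(i << SPX_FORS_HEIGHT) + indices[i];`, and using the same form in both functions would make that bound explicit and keep the two loops uniform. A short comment on `size_t s = (indices[i] / (1 << j)) ^ 1;` saying it selects the sibling of the node on the path at height j would also help, since the spec's auth-path derivation is not named on this line.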
@@ -0,0 +1,54 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_CRYPTO_SPX_FORS_H
+#define OPENSSL_HEADER_CRYPTO_SPX_FORS_H
+
+#include
+
+#include "./spx_params.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// Algorithm 13: Generate a FORS private key value.
+void spx_fors_sk_gen(uint8_t *fors_sk, uint32_t idx,
+ const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N],
+ uint8_t addr[32]);
+
+// Algorithm 14: Compute the root of a Merkle subtree of FORS public values.
+void spx_fors_treehash(uint8_t root_node[SPX_N], const uint8_t sk_seed[SPX_N],
+ uint32_t i /*target node index*/,
+ uint32_t z /*target node height*/,
+ const uint8_t pk_seed[SPX_N], uint8_t addr[32]);
+
+// Algorithm 15: Generate a FORS signature.
+void spx_fors_sign(uint8_t *fors_sig, const uint8_t message[SPX_FORS_MSG_BYTES],
+ const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N],
+ uint8_t addr[32]);
+
+// Algorithm 16: Compute a FORS public key from a FORS signature.
+void spx_fors_pk_from_sig(uint8_t *fors_pk,
+ const uint8_t fors_sig[SPX_FORS_BYTES],
+ const uint8_t message[SPX_FORS_MSG_BYTES],
+ const uint8_t pk_seed[SPX_N], uint8_t addr[32]);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_CRYPTO_SPX_FORS_H
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_merkle.c b/Sources/CNIOBoringSSL/crypto/spx/spx_merkle.c
new file mode 100644
index 000000000..e49ee0255
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_merkle.c
@@ -0,0 +1,150 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include + +#include "./spx_address.h" +#include "./spx_merkle.h" +#include "./spx_params.h" +#include "./spx_thash.h" +#include "./spx_wots.h" + +void spx_treehash(uint8_t out_pk[SPX_N], const uint8_t sk_seed[SPX_N], + uint32_t i /*target node index*/, + uint32_t z /*target node height*/, + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + BSSL_CHECK(z <= SPX_TREE_HEIGHT); + BSSL_CHECK(i < (uint32_t)(1 << (SPX_TREE_HEIGHT - z))); + + if (z == 0) { + spx_set_type(addr, SPX_ADDR_TYPE_WOTS); + spx_set_keypair_addr(addr, i); + spx_wots_pk_gen(out_pk, sk_seed, pk_seed, addr); + } else { + // Stores left node and right node. 
+ uint8_t nodes[2 * SPX_N]; + spx_treehash(nodes, sk_seed, 2 * i, z - 1, pk_seed, addr); + spx_treehash(nodes + SPX_N, sk_seed, 2 * i + 1, z - 1, pk_seed, addr); + spx_set_type(addr, SPX_ADDR_TYPE_HASHTREE); + spx_set_tree_height(addr, z); + spx_set_tree_index(addr, i); + spx_thash_h(out_pk, nodes, pk_seed, addr); + } +} + +void spx_xmss_sign(uint8_t *sig, const uint8_t msg[SPX_N], unsigned int idx, + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]) { + // Build authentication path + for (size_t j = 0; j < SPX_TREE_HEIGHT; ++j) { + unsigned int k = (idx >> j) ^ 1; + spx_treehash(sig + SPX_WOTS_BYTES + j * SPX_N, sk_seed, k, j, pk_seed, + addr); + } + + // Compute WOTS+ signature + spx_set_type(addr, SPX_ADDR_TYPE_WOTS); + spx_set_keypair_addr(addr, idx); + spx_wots_sign(sig, msg, sk_seed, pk_seed, addr); +} + +void spx_xmss_pk_from_sig(uint8_t *root, const uint8_t *xmss_sig, + unsigned int idx, const uint8_t msg[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + // Stores node[0] and node[1] from Algorithm 10 + uint8_t node[2 * SPX_N]; + uint8_t tmp[2 * SPX_N]; + spx_set_type(addr, SPX_ADDR_TYPE_WOTS); + spx_set_keypair_addr(addr, idx); + spx_wots_pk_from_sig(node, xmss_sig, msg, pk_seed, addr); + + const uint8_t *auth = xmss_sig + SPX_WOTS_BYTES; + + spx_set_type(addr, SPX_ADDR_TYPE_HASHTREE); + spx_set_tree_index(addr, idx); + for (size_t k = 0; k < SPX_TREE_HEIGHT; ++k) { + spx_set_tree_height(addr, k + 1); + // Is even + if (((idx >> k) & 1) == 0) { + spx_set_tree_index(addr, spx_get_tree_index(addr) >> 1); + memcpy(tmp, node, SPX_N); + memcpy(tmp + SPX_N, auth + k * SPX_N, SPX_N); + spx_thash_h(node + SPX_N, tmp, pk_seed, addr); + } else { + spx_set_tree_index(addr, (spx_get_tree_index(addr) - 1) >> 1); + memcpy(tmp, auth + k * SPX_N, SPX_N); + memcpy(tmp + SPX_N, node, SPX_N); + spx_thash_h(node + SPX_N, tmp, pk_seed, addr); + } + memcpy(node, node + SPX_N, SPX_N); + } + memcpy(root, node, SPX_N); +} + +void 
spx_ht_sign(uint8_t *sig, const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t sk_seed[SPX_N], + const uint8_t pk_seed[SPX_N]) { + uint8_t addr[32] = {0}; + spx_set_tree_addr(addr, idx_tree); + + // Layer 0 + uint8_t sig_tmp[SPX_XMSS_BYTES]; + spx_xmss_sign(sig_tmp, message, idx_leaf, sk_seed, pk_seed, addr); + memcpy(sig, sig_tmp, sizeof(sig_tmp)); + + uint8_t root[SPX_N]; + spx_xmss_pk_from_sig(root, sig_tmp, idx_leaf, message, pk_seed, addr); + + // All other layers + for (size_t j = 1; j < SPX_D; ++j) { + idx_leaf = idx_tree % (1 << SPX_TREE_HEIGHT); + idx_tree = idx_tree >> SPX_TREE_HEIGHT; + spx_set_layer_addr(addr, j); + spx_set_tree_addr(addr, idx_tree); + spx_xmss_sign(sig_tmp, root, idx_leaf, sk_seed, pk_seed, addr); + memcpy(sig + j * SPX_XMSS_BYTES, sig_tmp, sizeof(sig_tmp)); + + if (j < (SPX_D - 1)) { + spx_xmss_pk_from_sig(root, sig_tmp, idx_leaf, root, pk_seed, addr); + } + } +} + +int spx_ht_verify(const uint8_t sig[SPX_D * SPX_XMSS_BYTES], + const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t pk_root[SPX_N], + const uint8_t pk_seed[SPX_N]) { + uint8_t addr[32] = {0}; + spx_set_tree_addr(addr, idx_tree); + + uint8_t sig_tmp[SPX_XMSS_BYTES]; + memcpy(sig_tmp, sig, sizeof(sig_tmp)); + + uint8_t node[SPX_N]; + spx_xmss_pk_from_sig(node, sig_tmp, idx_leaf, message, pk_seed, addr); + + for (size_t j = 1; j < SPX_D; ++j) { + idx_leaf = idx_tree % (1 << SPX_TREE_HEIGHT); + idx_tree = idx_tree >> SPX_TREE_HEIGHT; + spx_set_layer_addr(addr, j); + spx_set_tree_addr(addr, idx_tree); + // Get jth XMSS signature + memcpy(sig_tmp, sig + j * SPX_XMSS_BYTES, sizeof(sig_tmp)); + + spx_xmss_pk_from_sig(node, sig_tmp, idx_leaf, node, pk_seed, addr); + } + return memcmp(node, pk_root, SPX_N) == 0; +} diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_merkle.h b/Sources/CNIOBoringSSL/crypto/spx/spx_merkle.h new file mode 100644 index 000000000..98d601662 --- /dev/null 
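Review bot: `spx_xmss_pk_from_sig` is called with its output aliasing its `msg` input in two places — `spx_xmss_pk_from_sig(root, sig_tmp, idx_leaf, root, pk_seed, addr)` in spx_ht_sign and `spx_xmss_pk_from_sig(node, sig_tmp, idx_leaf, node, pk_seed, addr)` in spx_ht_verify — but nothing states that this is allowed. It is correct today only because `msg` is fully consumed by the initial `spx_wots_pk_from_sig` call and `root` is written last by `memcpy(root, node, SPX_N)`; a future edit that writes `root` earlier would silently corrupt both the signer and the verifier. I would pin the contract with a comment on the function, `// |root| may alias |msg|: |msg| is consumed by spx_wots_pk_from_sig before |root| is written.`, and repeat it on the declaration in spx_merkle.h. The `memcmp` in spx_ht_verify compares against the public root, so a constant-time comparison is not required there.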
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_merkle.h 
@@ -0,0 +1,61 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_MERKLE_H +#define OPENSSL_HEADER_CRYPTO_SPX_MERKLE_H + +#include + +#include + +#include "./spx_params.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Algorithm 8: Compute the root of a Merkle subtree of WOTS+ public keys. +void spx_treehash(uint8_t out_pk[SPX_N], const uint8_t sk_seed[SPX_N], + uint32_t i /*target node index*/, + uint32_t z /*target node height*/, + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Algorithm 9: Generate an XMSS signature. +void spx_xmss_sign(uint8_t *sig, const uint8_t msg[SPX_N], unsigned int idx, + const uint8_t sk_seed[SPX_N], const uint8_t pk_seed[SPX_N], + uint8_t addr[32]); + +// Algorithm 10: Compute an XMSS public key from an XMSS signature. +void spx_xmss_pk_from_sig(uint8_t *root, const uint8_t *xmss_sig, + unsigned int idx, const uint8_t msg[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Algorithm 11: Generate a hypertree signature. +void spx_ht_sign(uint8_t *sig, const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t sk_seed[SPX_N], + const uint8_t pk_seed[SPX_N]); + +// Algorithm 12: Verify a hypertree signature. 
+int spx_ht_verify(const uint8_t sig[SPX_D * SPX_XMSS_BYTES], + const uint8_t message[SPX_N], uint64_t idx_tree, + uint32_t idx_leaf, const uint8_t pk_root[SPX_N], + const uint8_t pk_seed[SPX_N]); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_MERKLE_H diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_params.h b/Sources/CNIOBoringSSL/crypto/spx/spx_params.h new file mode 100644 index 000000000..cc7fd1026 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/spx/spx_params.h 
@@ -0,0 +1,71 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_PARAMS_H +#define OPENSSL_HEADER_CRYPTO_SPX_PARAMS_H + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Output length of the hash function. +#define SPX_N 16 +// Total height of the tree structure. +#define SPX_FULL_HEIGHT 63 +// Number of subtree layers. +#define SPX_D 7 +// Height of the trees on each layer +#define SPX_TREE_HEIGHT 9 +// Height of each individual FORS tree. +#define SPX_FORS_HEIGHT 12 +// Total number of FORS tree used. 
+#define SPX_FORS_TREES 14 +// Size of a FORS signature +#define SPX_FORS_BYTES ((SPX_FORS_HEIGHT + 1) * SPX_FORS_TREES * SPX_N) + +// Winternitz parameter and derived values +#define SPX_WOTS_W 16 +#define SPX_WOTS_LOG_W 4 +#define SPX_WOTS_LEN1 32 +#define SPX_WOTS_LEN2 3 +#define SPX_WOTS_LEN 35 +#define SPX_WOTS_BYTES (SPX_N * SPX_WOTS_LEN) + +// XMSS sizes +#define SPX_XMSS_BYTES (SPX_WOTS_BYTES + (SPX_N * SPX_TREE_HEIGHT)) + +// Size of the message digest (NOTE: This is only correct for the SHA256 params +// here) +#define SPX_DIGEST_SIZE \ + (((SPX_FORS_TREES * SPX_FORS_HEIGHT) / 8) + \ + (((SPX_FULL_HEIGHT - SPX_TREE_HEIGHT) / 8) + 1) + (SPX_TREE_HEIGHT / 8) + \ + 1) + +// Compressed address size when using SHA256 +#define SPX_SHA256_ADDR_BYTES 22 + +// Size of the FORS message hash +#define SPX_FORS_MSG_BYTES ((SPX_FORS_HEIGHT * SPX_FORS_TREES + 7) / 8) +#define SPX_TREE_BITS (SPX_TREE_HEIGHT * (SPX_D - 1)) +#define SPX_TREE_BYTES ((SPX_TREE_BITS + 7) / 8) +#define SPX_LEAF_BITS SPX_TREE_HEIGHT +#define SPX_LEAF_BYTES ((SPX_LEAF_BITS + 7) / 8) + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_PARAMS_H diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_thash.c b/Sources/CNIOBoringSSL/crypto/spx/spx_thash.c new file mode 100644 index 000000000..2a12524ab --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/spx/spx_thash.c 
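Review bot: The header does not say which parameter set these constants describe; the values (n=16, full height 63, d=7, tree height 9, FORS height 12, 14 trees, lg_w=4) appear to be the SPHINCS+/SLH-DSA SHA2-128s "small" set, and a one-line comment at the top, `// Parameters for the SHA2-128s parameter set.`, would save the next reader from re-deriving that — confirm against the upstream source. The derived WOTS+ constants are hard-coded (`SPX_WOTS_LEN1 32`, `SPX_WOTS_LEN2 3`, `SPX_WOTS_LEN 35`) rather than computed from `SPX_N` and `SPX_WOTS_LOG_W`, so changing `SPX_N` would silently leave them stale; either derive what can be derived (`#define SPX_WOTS_LEN1 (8 * SPX_N / SPX_WOTS_LOG_W)`) or add a compile-time check in a .c file that already uses it, e.g. `static_assert(SPX_WOTS_LEN == SPX_WOTS_LEN1 + SPX_WOTS_LEN2, "WOTS length mismatch");`. The hypertree code in spx_merkle.c consumes `idx_tree` in `SPX_TREE_HEIGHT`-bit chunks across `SPX_D` layers, so `static_assert(SPX_FULL_HEIGHT == SPX_D * SPX_TREE_HEIGHT, "tree height mismatch");` would document that relationship as well.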
@@ -0,0 +1,136 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include +#include +#include + +#include + +#include "./spx_params.h" +#include "./spx_util.h" +#include "./spx_thash.h" + +static void spx_thash(uint8_t *output, const uint8_t *input, + size_t input_blocks, const uint8_t pk_seed[SPX_N], + uint8_t addr[32]) { + uint8_t hash[32]; + SHA256_CTX sha256; + SHA256_Init(&sha256); + + // Process pubseed with padding to full block. + // TODO: This could be precomputed instead as it will be the same across all + // hash calls. 
+ uint8_t padded_pk_seed[64] = {0}; + memcpy(padded_pk_seed, pk_seed, SPX_N); + + SHA256_Update(&sha256, padded_pk_seed, sizeof(padded_pk_seed)); + SHA256_Update(&sha256, addr, SPX_SHA256_ADDR_BYTES); + SHA256_Update(&sha256, input, input_blocks * SPX_N); + + SHA256_Final(hash, &sha256); + memcpy(output, hash, SPX_N); +} + +void spx_thash_f(uint8_t *output, const uint8_t input[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, 1, pk_seed, addr); +} + +void spx_thash_h(uint8_t *output, const uint8_t input[2 * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, 2, pk_seed, addr); +} + +void spx_thash_hmsg(uint8_t *output, const uint8_t r[SPX_N], + const uint8_t pk_seed[SPX_N], const uint8_t pk_root[SPX_N], + const uint8_t *msg, size_t msg_len) { + // MGF1-SHA-256(R || PK.seed || SHA-256(R || PK.seed || PK.root || M), m) + // input_buffer stores R || PK_SEED || SHA256(..) || 4-byte index + uint8_t input_buffer[2 * SPX_N + 32 + 4] = {0}; + memcpy(input_buffer, r, SPX_N); + memcpy(input_buffer + SPX_N, pk_seed, SPX_N); + + // Inner hash + SHA256_CTX ctx; + SHA256_Init(&ctx); + SHA256_Update(&ctx, r, SPX_N); + SHA256_Update(&ctx, pk_seed, SPX_N); + SHA256_Update(&ctx, pk_root, SPX_N); + SHA256_Update(&ctx, msg, msg_len); + // Write directly into the input buffer + SHA256_Final(input_buffer + 2 * SPX_N, &ctx); + + // MGF1-SHA-256 + uint8_t output_buffer[3 * 32]; + // Need to call SHA256 3 times for message digest. 
+ static_assert(SPX_DIGEST_SIZE <= sizeof(output_buffer), + "not enough room for hashes"); + SHA256(input_buffer, sizeof(input_buffer), output_buffer); + input_buffer[2 * SPX_N + 32 + 3] = 1; + SHA256(input_buffer, sizeof(input_buffer), output_buffer + 32); + input_buffer[2 * SPX_N + 32 + 3] = 2; + SHA256(input_buffer, sizeof(input_buffer), output_buffer + 64); + + memcpy(output, output_buffer, SPX_DIGEST_SIZE); +} + +void spx_thash_prf(uint8_t *output, const uint8_t pk_seed[SPX_N], + const uint8_t sk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, sk_seed, 1, pk_seed, addr); +} + +void spx_thash_prfmsg(uint8_t *output, const uint8_t sk_prf[SPX_N], + const uint8_t opt_rand[SPX_N], const uint8_t *msg, + size_t msg_len) { + // Compute HMAC-SHA256(sk_prf, opt_rand || msg). We inline HMAC to avoid an + // allocation. + uint8_t hmac_key[SHA256_CBLOCK] = {0}; + static_assert(SPX_N <= SHA256_CBLOCK, "HMAC key is larger than block size"); + memcpy(hmac_key, sk_prf, SPX_N); + for (size_t i = 0; i < sizeof(hmac_key); i++) { + hmac_key[i] ^= 0x36; + } + + uint8_t hash[SHA256_DIGEST_LENGTH]; + SHA256_CTX ctx; + SHA256_Init(&ctx); + SHA256_Update(&ctx, hmac_key, sizeof(hmac_key)); + SHA256_Update(&ctx, opt_rand, SPX_N); + SHA256_Update(&ctx, msg, msg_len); + SHA256_Final(hash, &ctx); + + for (size_t i = 0; i < sizeof(hmac_key); i++) { + hmac_key[i] ^= 0x36 ^ 0x5c; + } + SHA256_Init(&ctx); + SHA256_Update(&ctx, hmac_key, sizeof(hmac_key)); + SHA256_Update(&ctx, hash, sizeof(hash)); + SHA256_Final(hash, &ctx); + + // Truncate to SPX_N bytes + memcpy(output, hash, SPX_N); +} + +void spx_thash_tl(uint8_t *output, const uint8_t input[SPX_WOTS_BYTES], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, SPX_WOTS_LEN, pk_seed, addr); +} + +void spx_thash_tk(uint8_t *output, const uint8_t input[SPX_FORS_TREES * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]) { + spx_thash(output, input, SPX_FORS_TREES, pk_seed, addr); +} 
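Review bot: `spx_thash_prfmsg` leaves secret-derived material on the stack after it returns: `hmac_key` holds `sk_prf` XORed with the HMAC pads and `ctx` holds the keyed inner state, yet neither is cleared; the same applies to `sha256` and `hash` in `spx_thash` when it is reached via `spx_thash_prf` with `sk_seed` as input. Adding `OPENSSL_cleanse(hmac_key, sizeof(hmac_key));` and `OPENSSL_cleanse(&ctx, sizeof(ctx));` after the final `SHA256_Final` (and the equivalent for `sha256`/`hash` in `spx_thash`) keeps the secret from outliving the call. In `spx_thash_hmsg`, the writes `input_buffer[2 * SPX_N + 32 + 3] = 1;` and `= 2;` are the MGF1 counter, which the layout comment only hints at; a comment such as `// Low byte of the 4-byte big-endian MGF1 counter.` or a named constant for the offset would make the magic index obvious. The `static_assert` above guarantees three SHA-256 blocks suffice for `SPX_DIGEST_SIZE`, so the fixed `3 * 32` buffer is fine.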
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_thash.h b/Sources/CNIOBoringSSL/crypto/spx/spx_thash.h
new file mode 100644
index 000000000..17aa79468
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_thash.h
@@ -0,0 +1,70 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_THASH_H +#define OPENSSL_HEADER_CRYPTO_SPX_THASH_H + +#include + +#include "./spx_params.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Implements F: a hash function takes an n-byte message as input and produces +// an n-byte output. +void spx_thash_f(uint8_t *output, const uint8_t input[SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Implements H: a hash function takes a 2*n-byte message as input and produces +// an n-byte output. +void spx_thash_h(uint8_t *output, const uint8_t input[2 * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Implements Hmsg: a hash function used to generate the digest of the message +// to be signed. +void spx_thash_hmsg(uint8_t *output, const uint8_t r[SPX_N], + const uint8_t pk_seed[SPX_N], const uint8_t pk_root[SPX_N], + const uint8_t *msg, size_t msg_len); + +// Implements PRF: a pseudo-random function that is used to generate the secret +// values in WOTS+ and FORS private keys. 
+void spx_thash_prf(uint8_t *output, const uint8_t pk_seed[SPX_N], + const uint8_t sk_seed[SPX_N], uint8_t addr[32]); + +// Implements PRF: a pseudo-random function that is used to generate the +// randomizer r for the randomized hashing of the message to be signed. values +// in WOTS+ and FORS private keys. +void spx_thash_prfmsg(uint8_t *output, const uint8_t sk_prf[SPX_N], + const uint8_t opt_rand[SPX_N], const uint8_t *msg, + size_t msg_len); + +// Implements Tl: a hash function that maps an l*n-byte message to an n-byte +// message. +void spx_thash_tl(uint8_t *output, const uint8_t input[SPX_WOTS_BYTES], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + +// Implements Tk: a hash function that maps a k*n-byte message to an n-byte +// message. +void spx_thash_tk(uint8_t *output, const uint8_t input[SPX_FORS_TREES * SPX_N], + const uint8_t pk_seed[SPX_N], uint8_t addr[32]); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_THASH_H diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_util.c b/Sources/CNIOBoringSSL/crypto/spx/spx_util.c new file mode 100644 index 000000000..d9ddba8b2 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/spx/spx_util.c 
@@ -0,0 +1,53 @@
+/* Copyright (c) 2023, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+
+#include "./spx_util.h"
+
+void spx_uint64_to_len_bytes(uint8_t *output, size_t out_len, uint64_t input) {
+ for (size_t i = out_len; i > 0; --i) {
+ output[i - 1] = input & 0xff;
+ input = input >> 8;
+ }
+}
+
+uint64_t spx_to_uint64(const uint8_t *input, size_t input_len) {
+ uint64_t tmp = 0;
+ for (size_t i = 0; i < input_len; ++i) {
+ tmp = 256 * tmp + input[i];
+ }
+ return tmp;
+}
+
+void spx_base_b(uint32_t *output, size_t out_len, const uint8_t *input,
+ unsigned int log2_b) {
+ int in = 0;
+ uint32_t out = 0;
+ uint32_t bits = 0;
+ uint32_t total = 0;
+ uint32_t base = UINT32_C(1) << log2_b;
+
+ for (out = 0; out < out_len; ++out) {
+ while (bits < log2_b) {
+ total = (total << 8) + input[in];
+ in++;
+ bits = bits + 8;
+ }
+ bits -= log2_b;
+ output[out] = (total >> bits) % base;
+ }
+}
diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_util.h b/Sources/CNIOBoringSSL/crypto/spx/spx_util.h
new file mode 100644
index 000000000..4278c174f
--- /dev/null
+++ b/Sources/CNIOBoringSSL/crypto/spx/spx_util.h
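Review bot: `spx_base_b` indexes `input` with `int in` while every other count in the file is `size_t`/`uint32_t`, and it takes no input length, so it reads `ceil(out_len * log2_b / 8)` bytes from `input` purely on the caller's word. I would make the index `size_t in = 0;` and state the precondition above the function, `// Reads ceil(out_len * log2_b / 8) bytes from |input|; the caller must size it accordingly.`, since the callers in spx_wots.c pass fixed-size buffers that satisfy this only by construction. `spx_to_uint64` has no comment here or in the spx_util.h hunk that follows, and for `input_len > 8` the `256 * tmp` accumulation wraps modulo 2^64 (unsigned, so defined but silent); the declaration in spx_util.h should say `// Decodes |input_len| big-endian bytes into an integer; |input_len| must be at most 8.`.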
@@ -0,0 +1,44 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_UTIL_H +#define OPENSSL_HEADER_CRYPTO_SPX_UTIL_H + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Encodes the integer value of input to out_len bytes in big-endian order. +// Note that input < 2^(8*out_len), as otherwise this function will truncate +// the least significant bytes of the integer representation. +void spx_uint64_to_len_bytes(uint8_t *output, size_t out_len, uint64_t input); + +uint64_t spx_to_uint64(const uint8_t *input, size_t input_len); + +// Compute the base 2^log2_b representation of X. +// +// As some of the parameter sets in https://eprint.iacr.org/2022/1725.pdf use +// a FORS height > 16 we use a uint32_t to store the output. +void spx_base_b(uint32_t *output, size_t out_len, const uint8_t *input, + unsigned int log2_b); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_UTIL_H diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_wots.c b/Sources/CNIOBoringSSL/crypto/spx/spx_wots.c new file mode 100644 index 000000000..ee704be2a --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/spx/spx_wots.c 
@@ -0,0 +1,135 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include +#include +#include + +#include "./spx_address.h" +#include "./spx_params.h" +#include "./spx_util.h" +#include "./spx_thash.h" +#include "./spx_wots.h" + +// Chaining function used in WOTS+. 
+static void chain(uint8_t *output, const uint8_t *input, uint32_t start, + uint32_t steps, const uint8_t *pub_seed, uint8_t addr[32]) { + memcpy(output, input, SPX_N); + + for (size_t i = start; i < (start + steps) && i < SPX_WOTS_W; ++i) { + spx_set_hash_addr(addr, i); + spx_thash_f(output, output, pub_seed, addr); + } +} + +void spx_wots_pk_from_sig(uint8_t *pk, const uint8_t *sig, const uint8_t *msg, + const uint8_t pub_seed[SPX_N], uint8_t addr[32]) { + uint8_t tmp[SPX_WOTS_BYTES]; + uint8_t wots_pk_addr[32]; + memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr)); + + // Convert message to base w + uint32_t base_w_msg[SPX_WOTS_LEN]; + spx_base_b(base_w_msg, SPX_WOTS_LEN1, msg, /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute checksum + uint64_t csum = 0; + for (size_t i = 0; i < SPX_WOTS_LEN1; ++i) { + csum += SPX_WOTS_W - 1 - base_w_msg[i]; + } + + // Convert csum to base w as in Algorithm 7, Line 9 + uint8_t csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOG_W + 7) / 8]; + csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOG_W)) % 8) % 8); + spx_uint64_to_len_bytes(csum_bytes, sizeof(csum_bytes), csum); + + // Write the base w representation of csum to the end of the message. 
+ spx_base_b(base_w_msg + SPX_WOTS_LEN1, SPX_WOTS_LEN2, csum_bytes, + /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute chains + for (size_t i = 0; i < SPX_WOTS_LEN; ++i) { + spx_set_chain_addr(addr, i); + chain(tmp + i * SPX_N, sig + i * SPX_N, base_w_msg[i], + SPX_WOTS_W - 1 - base_w_msg[i], pub_seed, addr); + } + + // Compress pk + spx_set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); + spx_copy_keypair_addr(wots_pk_addr, addr); + spx_thash_tl(pk, tmp, pub_seed, wots_pk_addr); +} + +void spx_wots_pk_gen(uint8_t *pk, const uint8_t sk_seed[SPX_N], + const uint8_t pub_seed[SPX_N], uint8_t addr[32]) { + uint8_t tmp[SPX_WOTS_BYTES]; + uint8_t tmp_sk[SPX_N]; + uint8_t wots_pk_addr[32], sk_addr[32]; + memcpy(wots_pk_addr, addr, sizeof(wots_pk_addr)); + memcpy(sk_addr, addr, sizeof(sk_addr)); + + spx_set_type(sk_addr, SPX_ADDR_TYPE_WOTSPRF); + spx_copy_keypair_addr(sk_addr, addr); + + for (size_t i = 0; i < SPX_WOTS_LEN; ++i) { + spx_set_chain_addr(sk_addr, i); + spx_thash_prf(tmp_sk, pub_seed, sk_seed, sk_addr); + spx_set_chain_addr(addr, i); + chain(tmp + i * SPX_N, tmp_sk, 0, SPX_WOTS_W - 1, pub_seed, addr); + } + + // Compress pk + spx_set_type(wots_pk_addr, SPX_ADDR_TYPE_WOTSPK); + spx_copy_keypair_addr(wots_pk_addr, addr); + spx_thash_tl(pk, tmp, pub_seed, wots_pk_addr); +} + +void spx_wots_sign(uint8_t *sig, const uint8_t msg[SPX_N], + const uint8_t sk_seed[SPX_N], const uint8_t pub_seed[SPX_N], + uint8_t addr[32]) { + // Convert message to base w + uint32_t base_w_msg[SPX_WOTS_LEN]; + spx_base_b(base_w_msg, SPX_WOTS_LEN1, msg, /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute checksum + uint64_t csum = 0; + for (size_t i = 0; i < SPX_WOTS_LEN1; ++i) { + csum += SPX_WOTS_W - 1 - base_w_msg[i]; + } + + // Convert csum to base w as in Algorithm 6, Line 9 + uint8_t csum_bytes[(SPX_WOTS_LEN2 * SPX_WOTS_LOG_W + 7) / 8]; + csum = csum << ((8 - ((SPX_WOTS_LEN2 * SPX_WOTS_LOG_W)) % 8) % 8); + spx_uint64_to_len_bytes(csum_bytes, sizeof(csum_bytes), csum); + + // Write the base w 
representation of csum to the end of the message. + spx_base_b(base_w_msg + SPX_WOTS_LEN1, SPX_WOTS_LEN2, csum_bytes, + /*log2_b=*/SPX_WOTS_LOG_W); + + // Compute chains + uint8_t tmp_sk[SPX_N]; + uint8_t sk_addr[32]; + memcpy(sk_addr, addr, sizeof(sk_addr)); + spx_set_type(sk_addr, SPX_ADDR_TYPE_WOTSPRF); + spx_copy_keypair_addr(sk_addr, addr); + + for (size_t i = 0; i < SPX_WOTS_LEN; ++i) { + spx_set_chain_addr(sk_addr, i); + spx_thash_prf(tmp_sk, pub_seed, sk_seed, sk_addr); + spx_set_chain_addr(addr, i); + chain(sig + i * SPX_N, tmp_sk, 0, base_w_msg[i], pub_seed, addr); + } +} diff --git a/Sources/CNIOBoringSSL/crypto/spx/spx_wots.h b/Sources/CNIOBoringSSL/crypto/spx/spx_wots.h new file mode 100644 index 000000000..229a86452 --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/spx/spx_wots.h 
@@ -0,0 +1,45 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_SPX_WOTS_H +#define OPENSSL_HEADER_CRYPTO_SPX_WOTS_H + +#include + +#include "./spx_params.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Algorithm 5: Generate a WOTS+ public key. +void spx_wots_pk_gen(uint8_t *pk, const uint8_t sk_seed[SPX_N], + const uint8_t pub_seed[SPX_N], uint8_t addr[32]); + +// Algorithm 6: Generate a WOTS+ signature on an n-byte message. +void spx_wots_sign(uint8_t *sig, const uint8_t msg[SPX_N], + const uint8_t sk_seed[SPX_N], const uint8_t pub_seed[SPX_N], + uint8_t addr[32]); + +// Algorithm 7: Compute a WOTS+ public key from a message and its signature. +void spx_wots_pk_from_sig(uint8_t *pk, const uint8_t *sig, const uint8_t *msg, + const uint8_t pub_seed[SPX_N], uint8_t addr[32]); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_CRYPTO_SPX_WOTS_H diff --git a/Sources/CNIOBoringSSL/crypto/x509/asn1_gen.c b/Sources/CNIOBoringSSL/crypto/x509/asn1_gen.c index 58cdd1907..4f5a96b21 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/asn1_gen.c +++ b/Sources/CNIOBoringSSL/crypto/x509/asn1_gen.c 
@@ -65,11 +65,9 @@ #include #include #include -#include #include "../conf/internal.h" #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509/by_dir.c b/Sources/CNIOBoringSSL/crypto/x509/by_dir.c index dae14e9e6..15dd1a9dd 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/by_dir.c +++ b/Sources/CNIOBoringSSL/crypto/x509/by_dir.c @@ -54,9 +54,8 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +#include #include -#include -#include #include #include @@ -68,11 +67,12 @@ #include "internal.h" typedef struct lookup_dir_hashes_st { - unsigned long hash; + uint32_t hash; int suffix; } BY_DIR_HASH; typedef struct lookup_dir_entry_st { + CRYPTO_MUTEX lock; char *dir; int dir_type; STACK_OF(BY_DIR_HASH) *hashes; @@ -92,17 +92,16 @@ static void free_dir(X509_LOOKUP *lu); static int add_cert_dir(BY_DIR *ctx, const char *dir, int type); static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, X509_OBJECT *ret); -static X509_LOOKUP_METHOD x509_dir_lookup = { - "Load certs from files in a directory", +static const X509_LOOKUP_METHOD x509_dir_lookup = { new_dir, // new free_dir, // free - NULL, // init - NULL, // shutdown dir_ctrl, // ctrl get_cert_by_subject, // get_by_subject }; -X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) { return &x509_dir_lookup; } +const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void) { + return &x509_dir_lookup; +} static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, char **retp) { @@ -158,6 +157,7 @@ static int by_dir_hash_cmp(const BY_DIR_HASH *const *a, static void by_dir_entry_free(BY_DIR_ENTRY *ent) { if (ent != NULL) { + CRYPTO_MUTEX_cleanup(&ent->lock); OPENSSL_free(ent->dir); sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free); OPENSSL_free(ent); 
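Review bot: The new `CRYPTO_MUTEX lock;` member in `lookup_dir_entry_st` arrives without a comment, while the comment that documented the old global (`g_ent_hashes_lock protects the |hashes| member of all |BY_DIR_ENTRY| objects`) is deleted in a later hunk of this file, so the locking contract is now undocumented. A one-line comment on the field, `// lock protects |hashes|.`, would carry that information over; in the visible `get_cert_by_subject` hunks it is taken for read around `sk_BY_DIR_HASH_find` and for write around the `sk_BY_DIR_HASH_push` update and nothing else. Moving from one global lock to a per-entry lock also adds a lifetime requirement: `by_dir_entry_free` now calls `CRYPTO_MUTEX_cleanup`, which is only correct because, as far as the visible lines of `add_cert_dir` show, `CRYPTO_MUTEX_init(&ent->lock)` runs before any path that reaches `by_dir_entry_free(ent)`, and a short comment at the init call saying so would protect that ordering.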
@@ -172,6 +172,12 @@ static void free_dir(X509_LOOKUP *lu) { } } +#if defined(OPENSSL_WINDOWS) +#define DIR_HASH_SEPARATOR ';' +#else +#define DIR_HASH_SEPARATOR ':' +#endif + static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) { size_t j, len; const char *s, *ss, *p; @@ -184,7 +190,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) { s = dir; p = s; do { - if ((*p == ':') || (*p == '\0')) { + if (*p == DIR_HASH_SEPARATOR || *p == '\0') { BY_DIR_ENTRY *ent; ss = s; s = p + 1; @@ -211,15 +217,12 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) { if (!ent) { return 0; } + CRYPTO_MUTEX_init(&ent->lock); ent->dir_type = type; ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp); - ent->dir = OPENSSL_malloc(len + 1); - if (!ent->dir || !ent->hashes) { - by_dir_entry_free(ent); - return 0; - } - OPENSSL_strlcpy(ent->dir, ss, len + 1); - if (!sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) { + ent->dir = OPENSSL_strndup(ss, len); + if (ent->dir == NULL || ent->hashes == NULL || + !sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) { by_dir_entry_free(ent); return 0; } @@ -228,10 +231,6 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) { return 1; } -// g_ent_hashes_lock protects the |hashes| member of all |BY_DIR_ENTRY| -// objects. -static CRYPTO_MUTEX g_ent_hashes_lock = CRYPTO_MUTEX_INIT; - static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, X509_OBJECT *ret) { union { @@ -247,8 +246,8 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, int ok = 0; size_t i; int j, k; - unsigned long h; - unsigned long hash_array[2]; + uint32_t h; + uint32_t hash_array[2]; int hash_index; BUF_MEM *b = NULL; X509_OBJECT stmp, *tmp; 
@@ -296,7 +295,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, } if (type == X509_LU_CRL && ent->hashes) { htmp.hash = h; - CRYPTO_MUTEX_lock_read(&g_ent_hashes_lock); + CRYPTO_MUTEX_lock_read(&ent->lock); if (sk_BY_DIR_HASH_find(ent->hashes, &idx, &htmp)) { hent = sk_BY_DIR_HASH_value(ent->hashes, idx); k = hent->suffix; @@ -304,35 +303,30 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, hent = NULL; k = 0; } - CRYPTO_MUTEX_unlock_read(&g_ent_hashes_lock); + CRYPTO_MUTEX_unlock_read(&ent->lock); } else { k = 0; hent = NULL; } for (;;) { - snprintf(b->data, b->max, "%s/%08lx.%s%d", ent->dir, h, postfix, k); -#ifndef OPENSSL_NO_POSIX_IO -#if defined(_WIN32) && !defined(stat) -#define stat _stat -#endif - { - struct stat st; - if (stat(b->data, &st) < 0) { - break; - } - } -#endif - // found one. + snprintf(b->data, b->max, "%s/%08" PRIx32 ".%s%d", ent->dir, h, postfix, + k); if (type == X509_LU_X509) { if ((X509_load_cert_file(xl, b->data, ent->dir_type)) == 0) { + // Don't expose the lower level error, All of these boil + // down to "we could not find a CA". + ERR_clear_error(); break; } } else if (type == X509_LU_CRL) { if ((X509_load_crl_file(xl, b->data, ent->dir_type)) == 0) { + // Don't expose the lower level error, All of these boil + // down to "we could not find a CRL". + ERR_clear_error(); break; } } - // else case will caught higher up + // The lack of a CA or CRL will be caught higher up k++; } @@ -348,7 +342,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, // If a CRL, update the last file suffix added for this if (type == X509_LU_CRL) { - CRYPTO_MUTEX_lock_write(&g_ent_hashes_lock); + CRYPTO_MUTEX_lock_write(&ent->lock); // Look for entry again in case another thread added an entry // first. if (!hent) { 
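Review bot: `ERR_clear_error()` in the two new failure branches inside the `for (;;)` loop discards the entire thread error queue, not just the entries pushed by `X509_load_cert_file` / `X509_load_crl_file`, so any error a caller had queued before invoking the lookup is lost as well. With the `stat()` probe removed, this branch now runs for every candidate file that does not exist, which makes the clearing the routine path rather than an exceptional one, and it also erases the distinction between "not present" and a genuine I/O or parse failure. Bracketing the load with `ERR_set_mark()` and replacing `ERR_clear_error()` by `ERR_pop_to_mark()` keeps the stated intent ("boils down to not found") while leaving unrelated entries intact. The return value of the reformatted `snprintf(b->data, b->max, ...)` is still unchecked; unless `b->max` is guaranteed elsewhere to cover `ent->dir` plus the hash suffix, a truncated path is what gets opened. `get_cert_by_subject` begins and ends outside this hunk.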
@@ -361,14 +355,14 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, if (!hent) { hent = OPENSSL_malloc(sizeof(BY_DIR_HASH)); if (hent == NULL) { - CRYPTO_MUTEX_unlock_write(&g_ent_hashes_lock); + CRYPTO_MUTEX_unlock_write(&ent->lock); ok = 0; goto finish; } hent->hash = h; hent->suffix = k; if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) { - CRYPTO_MUTEX_unlock_write(&g_ent_hashes_lock); + CRYPTO_MUTEX_unlock_write(&ent->lock); OPENSSL_free(hent); ok = 0; goto finish; @@ -378,7 +372,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, hent->suffix = k; } - CRYPTO_MUTEX_unlock_write(&g_ent_hashes_lock); + CRYPTO_MUTEX_unlock_write(&ent->lock); } if (tmp != NULL) { @@ -400,3 +394,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, BUF_MEM_free(b); return ok; } + +int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *name, int type) { + return X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, name, type, NULL); +} diff --git a/Sources/CNIOBoringSSL/crypto/x509/by_file.c b/Sources/CNIOBoringSSL/crypto/x509/by_file.c index ee90ccffe..220c3194d 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/by_file.c +++ b/Sources/CNIOBoringSSL/crypto/x509/by_file.c 
@@ -65,49 +65,35 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); -static X509_LOOKUP_METHOD x509_file_lookup = { - "Load file into cache", +static const X509_LOOKUP_METHOD x509_file_lookup = { NULL, // new NULL, // free - NULL, // init - NULL, // shutdown by_file_ctrl, // ctrl NULL, // get_by_subject }; -X509_LOOKUP_METHOD *X509_LOOKUP_file(void) { return &x509_file_lookup; } +const X509_LOOKUP_METHOD *X509_LOOKUP_file(void) { return &x509_file_lookup; } static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, char **ret) { - int ok = 0; - const char *file; - - switch (cmd) { - case X509_L_FILE_LOAD: - if (argl == X509_FILETYPE_DEFAULT) { - file = getenv(X509_get_default_cert_file_env()); - if (file) { - ok = (X509_load_cert_crl_file(ctx, file, X509_FILETYPE_PEM) != 0); - } - - else { - ok = (X509_load_cert_crl_file(ctx, X509_get_default_cert_file(), - X509_FILETYPE_PEM) != 0); - } - - if (!ok) { - OPENSSL_PUT_ERROR(X509, X509_R_LOADING_DEFAULTS); - } - } else { - if (argl == X509_FILETYPE_PEM) { - ok = (X509_load_cert_crl_file(ctx, argp, X509_FILETYPE_PEM) != 0); - } else { - ok = (X509_load_cert_file(ctx, argp, (int)argl) != 0); - } - } - break; + if (cmd != X509_L_FILE_LOAD) { + return 0; + } + const char *file = argp; + int type = argl; + if (argl == X509_FILETYPE_DEFAULT) { + if ((file = getenv(X509_get_default_cert_file_env())) == NULL) { + file = X509_get_default_cert_file(); + } + type = X509_FILETYPE_PEM; + } + if (X509_load_cert_crl_file(ctx, file, type) != 0) { + return 1; } - return ok; + if (argl == X509_FILETYPE_DEFAULT) { + OPENSSL_PUT_ERROR(X509, X509_R_LOADING_DEFAULTS); + } + return 0; } int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) { 
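Review bot: `int type = argl;` in the rewritten `by_file_ctrl` narrows a `long` to `int` implicitly; the code it replaces spelled the conversion out as `(int)argl`, and under `-Wconversion` this line will now warn. An out-of-range `argl` is silently wrapped and forwarded to `X509_load_cert_crl_file`, which dispatches to `X509_load_cert_file` on the wrapped value. Either restore the explicit cast, `int type = (int)argl;`, or, better, reject anything other than the `X509_FILETYPE_*` values this function understands up front so a caller's bad type yields a clean zero return instead of an accidental match.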
@@ -242,7 +228,7 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) { if (type != X509_FILETYPE_PEM) { return X509_load_cert_file(ctx, file, type); } - in = BIO_new_file(file, "r"); + in = BIO_new_file(file, "rb"); if (!in) { OPENSSL_PUT_ERROR(X509, ERR_R_SYS_LIB); return 0; @@ -277,3 +263,7 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) { sk_X509_INFO_pop_free(inf, X509_INFO_free); return count; } + +int X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *name, int type) { + return X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, name, type, NULL); +} diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/ext_dat.h b/Sources/CNIOBoringSSL/crypto/x509/ext_dat.h similarity index 100% rename from Sources/CNIOBoringSSL/crypto/x509v3/ext_dat.h rename to Sources/CNIOBoringSSL/crypto/x509/ext_dat.h diff --git a/Sources/CNIOBoringSSL/crypto/x509/internal.h b/Sources/CNIOBoringSSL/crypto/x509/internal.h index 5e2e1641b..040a70bfe 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/internal.h +++ b/Sources/CNIOBoringSSL/crypto/x509/internal.h @@ -86,18 +86,25 @@ struct X509_pubkey_st { EVP_PKEY *pkey; } /* X509_PUBKEY */; +// X509_PUBKEY is an |ASN1_ITEM| whose ASN.1 type is SubjectPublicKeyInfo and C +// type is |X509_PUBKEY*|. +DECLARE_ASN1_ITEM(X509_PUBKEY) + struct X509_name_entry_st { ASN1_OBJECT *object; ASN1_STRING *value; int set; } /* X509_NAME_ENTRY */; +// X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue +// (RFC 5280) and C type is |X509_NAME_ENTRY*|. +DECLARE_ASN1_ITEM(X509_NAME_ENTRY) + // we always keep X509_NAMEs in 2 forms. struct X509_name_st { STACK_OF(X509_NAME_ENTRY) *entries; int modified; // true if 'bytes' needs to be built BUF_MEM *bytes; - // unsigned long hash; Keep the hash around for lookups unsigned char *canon_enc; int canon_enclen; } /* X509_NAME */; 
@@ -107,6 +114,10 @@ struct x509_attributes_st { STACK_OF(ASN1_TYPE) *set; } /* X509_ATTRIBUTE */; +// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and +// C type is |X509_ATTRIBUTE*|. +DECLARE_ASN1_ITEM(X509_ATTRIBUTE) + typedef struct x509_cert_aux_st { STACK_OF(ASN1_OBJECT) *trust; // trusted uses STACK_OF(ASN1_OBJECT) *reject; // rejected uses @@ -122,6 +133,14 @@ struct X509_extension_st { ASN1_OCTET_STRING *value; } /* X509_EXTENSION */; +// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC +// 5280) and C type is |X509_EXTENSION*|. +DECLARE_ASN1_ITEM(X509_EXTENSION) + +// X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension +// (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|. +DECLARE_ASN1_ITEM(X509_EXTENSIONS) + typedef struct { ASN1_INTEGER *version; // [ 0 ] default of v1 ASN1_INTEGER *serialNumber; @@ -151,7 +170,6 @@ struct x509_st { uint32_t ex_flags; uint32_t ex_kusage; uint32_t ex_xkusage; - uint32_t ex_nscert; ASN1_OCTET_STRING *skid; AUTHORITY_KEYID *akid; STACK_OF(DIST_POINT) *crldp; @@ -162,6 +180,10 @@ struct x509_st { CRYPTO_MUTEX lock; } /* X509 */; +// X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C +// type is |X509*|. +DECLARE_ASN1_ITEM(X509) + typedef struct { ASN1_ENCODING enc; ASN1_INTEGER *version; 
@@ -181,16 +203,23 @@ struct X509_req_st { ASN1_BIT_STRING *signature; } /* X509_REQ */; +// X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986) +// and C type is |X509_REQ*|. +DECLARE_ASN1_ITEM(X509_REQ) + struct x509_revoked_st { ASN1_INTEGER *serialNumber; ASN1_TIME *revocationDate; STACK_OF(X509_EXTENSION) /* optional */ *extensions; - // Set up if indirect CRL - STACK_OF(GENERAL_NAME) *issuer; // Revocation reason int reason; } /* X509_REVOKED */; +// X509_REVOKED is an |ASN1_ITEM| whose ASN.1 type is an element of the +// revokedCertificates field of TBSCertList (RFC 5280) and C type is +// |X509_REVOKED*|. +DECLARE_ASN1_ITEM(X509_REVOKED) + typedef struct { ASN1_INTEGER *version; X509_ALGOR *sig_alg; @@ -206,6 +235,22 @@ typedef struct { // an |X509_NAME|. DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO) +// Values in idp_flags field +// IDP present +#define IDP_PRESENT 0x1 +// IDP values inconsistent +#define IDP_INVALID 0x2 +// onlyuser true +#define IDP_ONLYUSER 0x4 +// onlyCA true +#define IDP_ONLYCA 0x8 +// onlyattr true +#define IDP_ONLYATTR 0x10 +// indirectCRL true +#define IDP_INDIRECT 0x20 +// onlysomereasons present +#define IDP_REASONS 0x40 + struct X509_crl_st { // actual signature X509_CRL_INFO *crl; 
@@ -218,18 +263,23 @@ struct X509_crl_st { ISSUING_DIST_POINT *idp; // Convenient breakdown of IDP int idp_flags; - int idp_reasons; - // CRL and base CRL numbers for delta processing - ASN1_INTEGER *crl_number; - ASN1_INTEGER *base_crl_number; unsigned char crl_hash[SHA256_DIGEST_LENGTH]; - STACK_OF(GENERAL_NAMES) *issuers; } /* X509_CRL */; +// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC +// 5280) and C type is |X509_CRL*|. +DECLARE_ASN1_ITEM(X509_CRL) + +// GENERAL_NAME is an |ASN1_ITEM| whose ASN.1 type is GeneralName and C type is +// |GENERAL_NAME*|. +DECLARE_ASN1_ITEM(GENERAL_NAME) + +// GENERAL_NAMES is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE OF GeneralName +// and C type is |GENERAL_NAMES*|, aka |STACK_OF(GENERAL_NAME)*|. +DECLARE_ASN1_ITEM(GENERAL_NAMES) + struct X509_VERIFY_PARAM_st { - char *name; int64_t check_time; // POSIX time to use - unsigned long inh_flags; // Inheritance flags unsigned long flags; // Various verify flags int purpose; // purpose to check untrusted certificates int trust; // trust setting to check @@ -238,7 +288,6 @@ struct X509_VERIFY_PARAM_st { // The following fields specify acceptable peer identities. STACK_OF(OPENSSL_STRING) *hosts; // Set of acceptable names unsigned int hostflags; // Flags to control matching features - char *peername; // Matching hostname in peer certificate char *email; // If not NULL email address to match size_t emaillen; unsigned char *ip; // If not NULL IP address to match 
@@ -257,19 +306,26 @@ struct x509_object_st { } data; } /* X509_OBJECT */; +// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is +// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|. +DECLARE_ASN1_ITEM(NETSCAPE_SPKI) + +// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge +// and C type is |NETSCAPE_SPKAC*|. +DECLARE_ASN1_ITEM(NETSCAPE_SPKAC) + // This is a static that defines the function interface struct x509_lookup_method_st { - const char *name; int (*new_item)(X509_LOOKUP *ctx); void (*free)(X509_LOOKUP *ctx); - int (*init)(X509_LOOKUP *ctx); - int (*shutdown)(X509_LOOKUP *ctx); int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, X509_OBJECT *ret); } /* X509_LOOKUP_METHOD */; +DEFINE_STACK_OF(X509_LOOKUP) + // This is used to hold everything. It is used for all certificate // validation. Once we have a certificate chain, the 'verify' // function is then called to actually check the cert chain. 
@@ -284,28 +340,14 @@ struct x509_store_st { X509_VERIFY_PARAM *param; // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn cleanup; CRYPTO_refcount_t references; } /* X509_STORE */; - // This is the functions plus an instance of the local variables. struct x509_lookup_st { - int init; // have we been started - int skip; // don't use us. - X509_LOOKUP_METHOD *method; // the functions + const X509_LOOKUP_METHOD *method; // the functions void *method_data; // method data X509_STORE *store_ctx; // who owns us 
@@ -323,39 +365,26 @@ struct x509_store_ctx_st { STACK_OF(X509_CRL) *crls; // set of CRLs passed in X509_VERIFY_PARAM *param; - void *other_ctx; // Other info for use with get_issuer() + + // trusted_stack, if non-NULL, is a set of trusted certificates to consider + // instead of those from |X509_STORE|. + STACK_OF(X509) *trusted_stack; // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_check_policy_fn check_policy; - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn cleanup; // The following is built up - int valid; // if 0, rebuild chain - int last_untrusted; // index of last untrusted cert - STACK_OF(X509) *chain; // chain of X509s - built up and trusted + int last_untrusted; // index of last untrusted cert + STACK_OF(X509) *chain; // chain of X509s - built up and trusted // When something goes wrong, this is why int error_depth; int error; X509 *current_cert; - X509 *current_issuer; // cert currently being tested as valid issuer X509_CRL *current_crl; // current CRL - int current_crl_score; // score of current CRL - unsigned int current_reasons; // Reason mask - - X509_STORE_CTX *parent; // For CRL path validation: parent context + X509 *current_crl_issuer; // issuer of current CRL + int current_crl_score; // score of current CRL CRYPTO_EX_DATA ex_data; } /* X509_STORE_CTX */; 
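Review bot: The two fields added to `x509_store_ctx_st`, `STACK_OF(X509) *trusted_stack` and `X509 *current_crl_issuer`, are declared without stating ownership, which matters for a structure that is cleaned up and reused through the public API. The `trusted_stack` comment explains what the stack is for but not whether the context owns it or borrows the caller's, and `current_crl_issuer` carries only the tag `// issuer of current CRL`. Extend the declaration comments along the lines of `// ... It is owned by the caller and is not freed with the context.` or its opposite — this hunk does not show which one holds, so the wording must be confirmed against the context's cleanup code. The struct's opening lines lie above this hunk.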
@@ -389,7 +418,7 @@ int x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent, // Signature algorithm functions. // x509_digest_sign_algorithm encodes the signing parameters of |ctx| as an -// AlgorithmIdentifer and saves the result in |algor|. It returns one on +// AlgorithmIdentifier and saves the result in |algor|. It returns one on // success, or zero on error. int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor); 
@@ -414,6 +443,154 @@ int X509_policy_check(const STACK_OF(X509) *certs, const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags, X509 **out_current_cert); +// x509_check_issued_with_callback calls |X509_check_issued|, but allows the +// verify callback to override the result. It returns one on success and zero on +// error. +// +// TODO(davidben): Reduce the scope of the verify callback and remove this. The +// callback only runs with |X509_V_FLAG_CB_ISSUER_CHECK|, which is only used by +// one internal project and rust-openssl, who use it by mistake. +int x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); + +// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a +// newly-allocated NUL-terminated string containing the result, or NULL on +// allocation error. +// +// This function was historically named |hex_to_string| in OpenSSL. Despite the +// name, |hex_to_string| converted to hex. +OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len); + +// x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated +// array containing the result, or NULL on error. On success, it sets |*len| to +// the length of the result. Colon separators between bytes in the input are +// allowed and ignored. +// +// This function was historically named |string_to_hex| in OpenSSL. Despite the +// name, |string_to_hex| converted from hex. +unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len); + +// x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins +// with |cmp| followed by '.', and zero otherwise. +int x509v3_conf_name_matches(const char *name, const char *cmp); + +// x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero +// otherwise. +OPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in, + size_t len); + +// x509v3_cache_extensions fills in a number of fields relating to X.509 +// extensions in |x|. 
It returns one on success and zero if some extensions were +// invalid. +OPENSSL_EXPORT int x509v3_cache_extensions(X509 *x); + +// x509v3_a2i_ipadd decodes |ipasc| as an IPv4 or IPv6 address. IPv6 addresses +// use colon-separated syntax while IPv4 addresses use dotted decimal syntax. If +// it decodes an IPv4 address, it writes the result to the first four bytes of +// |ipout| and returns four. If it decodes an IPv6 address, it writes the result +// to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero. +int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc); + +// A |BIT_STRING_BITNAME| is used to contain a list of bit names. +typedef struct { + int bitnum; + const char *lname; + const char *sname; +} BIT_STRING_BITNAME; + +// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name +// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a +// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and +// zero on error. +int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value, + STACK_OF(CONF_VALUE) **extlist); + +// X509V3_NAME_from_section adds attributes to |nm| by interpreting the +// key/value pairs in |dn_sk|. It returns one on success and zero on error. +// |chtype|, which should be one of |MBSTRING_*| constants, determines the +// character encoding used to interpret values. +int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk, + int chtype); + +// X509V3_bool_from_string decodes |str| as a boolean. On success, it returns +// one and sets |*out_bool| to resulting value. Otherwise, it returns zero. +int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool); + +// X509V3_get_value_bool decodes |value| as a boolean. On success, it returns +// one and sets |*out_bool| to the resulting value. Otherwise, it returns zero. 
+int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool); + +// X509V3_get_value_int decodes |value| as an integer. On success, it returns +// one and sets |*aint| to the resulting value. Otherwise, it returns zero. If +// |*aint| was non-NULL at the start of the function, it frees the previous +// value before writing a new one. +int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint); + +// X509V3_get_section behaves like |NCONF_get_section| but queries |ctx|'s +// config database. +const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx, + const char *section); + +// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to +// |*extlist|. It returns one on success and zero on error. If |*extlist| is +// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)| +// containing the result. Either |name| or |value| may be NULL to omit the +// field. +// +// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the +// function returns. +int X509V3_add_value(const char *name, const char *value, + STACK_OF(CONF_VALUE) **extlist); + +// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value +// "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise. +int X509V3_add_value_bool(const char *name, int asn1_bool, + STACK_OF(CONF_VALUE) **extlist); + +// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string +// representation of |aint|. Note this string representation may be decimal or +// hexadecimal, depending on the size of |aint|. +int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, + STACK_OF(CONF_VALUE) **extlist); + +STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); + +#define X509V3_conf_err(val) \ + ERR_add_error_data(6, "section:", (val)->section, ",name:", (val)->name, \ + ",value:", (val)->value); + +// GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero +// value otherwise. 
Note this function does not provide a comparison suitable +// for sorting. +// +// This function is exported for testing. +OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a, + const GENERAL_NAME *b); + +// X509_VERIFY_PARAM_lookup returns a pre-defined |X509_VERIFY_PARAM| named by +// |name|, or NULL if no such name is defined. +const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name); + +GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, + const X509V3_CTX *ctx, const CONF_VALUE *cnf); +GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, + const X509V3_EXT_METHOD *method, + const X509V3_CTX *ctx, const CONF_VALUE *cnf, + int is_nc); +GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, + const X509V3_CTX *ctx, + const STACK_OF(CONF_VALUE) *nval); + +// TODO(https://crbug.com/boringssl/407): Make |issuer| const once the +// |X509_NAME| issue is resolved. +int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid); + +int X509_is_valid_trust_id(int trust); + +int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); + +// TODO(https://crbug.com/boringssl/695): Remove this. +int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname); + #if defined(__cplusplus) } // extern C diff --git a/Sources/CNIOBoringSSL/crypto/x509/policy.c b/Sources/CNIOBoringSSL/crypto/x509/policy.c index 2ac0452b3..b0252e576 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/policy.c +++ b/Sources/CNIOBoringSSL/crypto/x509/policy.c @@ -19,10 +19,8 @@ #include #include #include -#include #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509/rsa_pss.c b/Sources/CNIOBoringSSL/crypto/x509/rsa_pss.c index 42ee5fef6..98e61e6af 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/rsa_pss.c +++ b/Sources/CNIOBoringSSL/crypto/x509/rsa_pss.c 
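Review bot: Several of the declarations added in this hunk are documented under the wrong name: the comment above `unsigned char *x509v3_hex_to_bytes(...)` describes `x509v3_hex_string_to_bytes`, and the comment above `X509V3_add_value_int(...)` opens with `X509V3_add_value_bool behaves like ...`; `x509V3_add_value_asn1_string`'s comment also has a lowercase `if |*extlist| is NULL` starting a sentence. Separately, the `X509V3_conf_err(val)` macro expands to a statement that already ends in `;`, so a call written `X509V3_conf_err(v);` produces an empty statement and the macro cannot be used as the body of an unbraced `if`/`else`; drop the trailing semicolon from the definition and let callers supply it, checking the existing call sites once they do. `X509V3_parse_list`, the three `v2i_GENERAL_NAME*` declarations, `X509_is_valid_trust_id` and `X509_PURPOSE_get_trust` are the remaining declarations without any comment; a one-line purpose and return convention on each would bring them in line with the rest of the header.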
@@ -125,7 +125,11 @@ static int rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) { if (*palg == NULL) { return 0; } - X509_ALGOR_set_md(*palg, md); + if (!X509_ALGOR_set_md(*palg, md)) { + X509_ALGOR_free(*palg); + *palg = NULL; + return 0; + } return 1; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/t_crl.c b/Sources/CNIOBoringSSL/crypto/x509/t_crl.c index 2c2d7651f..6f20d77c4 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/t_crl.c +++ b/Sources/CNIOBoringSSL/crypto/x509/t_crl.c @@ -61,7 +61,7 @@ #include #include #include -#include + int X509_CRL_print_fp(FILE *fp, X509_CRL *x) { BIO *b = BIO_new_fp(fp, BIO_NOCLOSE); diff --git a/Sources/CNIOBoringSSL/crypto/x509/t_req.c b/Sources/CNIOBoringSSL/crypto/x509/t_req.c index e29455f67..3b0fb561e 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/t_req.c +++ b/Sources/CNIOBoringSSL/crypto/x509/t_req.c @@ -62,7 +62,6 @@ #include #include #include -#include #include "internal.h" @@ -81,7 +80,6 @@ int X509_REQ_print_fp(FILE *fp, X509_REQ *x) { int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags, unsigned long cflag) { long l; - EVP_PKEY *pkey; STACK_OF(X509_ATTRIBUTE) *sk; char mlch = ' '; @@ -128,13 +126,12 @@ int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags, goto err; } - pkey = X509_REQ_get_pubkey(x); + const EVP_PKEY *pkey = X509_REQ_get0_pubkey(x); if (pkey == NULL) { BIO_printf(bio, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bio); } else { EVP_PKEY_print_public(bio, pkey, 16, NULL); - EVP_PKEY_free(pkey); } } diff --git a/Sources/CNIOBoringSSL/crypto/x509/t_x509.c b/Sources/CNIOBoringSSL/crypto/x509/t_x509.c index dec84ff07..6faaef293 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/t_x509.c +++ b/Sources/CNIOBoringSSL/crypto/x509/t_x509.c @@ -65,7 +65,6 @@ #include #include #include -#include #include "internal.h" 
@@ -214,13 +213,12 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, return 0; } - EVP_PKEY *pkey = X509_get_pubkey(x); + const EVP_PKEY *pkey = X509_get0_pubkey(x); if (pkey == NULL) { BIO_printf(bp, "%12sUnable to load Public Key\n", ""); ERR_print_errors(bp); } else { EVP_PKEY_print_public(bp, pkey, 16, NULL); - EVP_PKEY_free(pkey); } } diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_akey.c b/Sources/CNIOBoringSSL/crypto/x509/v3_akey.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_akey.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_akey.c index 35f0a362d..1f2d93df7 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_akey.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_akey.c @@ -63,7 +63,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_akeya.c b/Sources/CNIOBoringSSL/crypto/x509/v3_akeya.c similarity index 98% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_akeya.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_akeya.c index d32d07f91..aed70f78b 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_akeya.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_akeya.c @@ -59,7 +59,9 @@ #include #include #include -#include +#include + +#include "internal.h" ASN1_SEQUENCE(AUTHORITY_KEYID) = { diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_alt.c b/Sources/CNIOBoringSSL/crypto/x509/v3_alt.c similarity index 98% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_alt.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_alt.c index d86529fe7..60a6603be 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_alt.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_alt.c @@ -61,9 +61,8 @@ #include #include #include -#include +#include -#include "../x509/internal.h" #include "internal.h" 
@@ -447,10 +446,10 @@ GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0); } -GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, int gen_type, - const char *value, int is_nc) { +static GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, + const X509V3_EXT_METHOD *method, + const X509V3_CTX *ctx, int gen_type, + const char *value, int is_nc) { if (!value) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE); return NULL; diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_bcons.c b/Sources/CNIOBoringSSL/crypto/x509/v3_bcons.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_bcons.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_bcons.c index 948882b4f..8ff71cb30 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_bcons.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_bcons.c @@ -62,7 +62,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_bitst.c b/Sources/CNIOBoringSSL/crypto/x509/v3_bitst.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_bitst.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_bitst.c index 8f1e2b265..f06ef66d1 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_bitst.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_bitst.c @@ -60,7 +60,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_conf.c b/Sources/CNIOBoringSSL/crypto/x509/v3_conf.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_conf.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_conf.c index 4248043cb..50d4bdf4e 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_conf.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_conf.c 
@@ -66,10 +66,8 @@ #include #include #include -#include #include "../internal.h" -#include "../x509/internal.h" #include "internal.h" static int v3_check_critical(const char **value); diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_cpols.c b/Sources/CNIOBoringSSL/crypto/x509/v3_cpols.c similarity index 97% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_cpols.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_cpols.c index bd6ccf6ea..b98816240 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_cpols.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_cpols.c @@ -66,7 +66,7 @@ #include #include #include -#include +#include #include "internal.h" @@ -105,6 +105,11 @@ const X509V3_EXT_METHOD v3_cpols = { NULL, }; +DECLARE_ASN1_ITEM(POLICYINFO) +DECLARE_ASN1_ITEM(POLICYQUALINFO) +DECLARE_ASN1_ITEM(USERNOTICE) +DECLARE_ASN1_ITEM(NOTICEREF) + ASN1_ITEM_TEMPLATE(CERTIFICATEPOLICIES) = ASN1_EX_TEMPLATE_TYPE( ASN1_TFLG_SEQUENCE_OF, 0, CERTIFICATEPOLICIES, POLICYINFO) ASN1_ITEM_TEMPLATE_END(CERTIFICATEPOLICIES) @@ -116,7 +121,7 @@ ASN1_SEQUENCE(POLICYINFO) = { ASN1_SEQUENCE_OF_OPT(POLICYINFO, qualifiers, POLICYQUALINFO), } ASN1_SEQUENCE_END(POLICYINFO) -IMPLEMENT_ASN1_FUNCTIONS_const(POLICYINFO) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICYINFO) ASN1_ADB_TEMPLATE(policydefault) = ASN1_SIMPLE(POLICYQUALINFO, d.other, ASN1_ANY); 
@@ -133,21 +138,21 @@ ASN1_SEQUENCE(POLICYQUALINFO) = { ASN1_ADB_OBJECT(POLICYQUALINFO), } ASN1_SEQUENCE_END(POLICYQUALINFO) -IMPLEMENT_ASN1_FUNCTIONS_const(POLICYQUALINFO) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(POLICYQUALINFO) ASN1_SEQUENCE(USERNOTICE) = { ASN1_OPT(USERNOTICE, noticeref, NOTICEREF), ASN1_OPT(USERNOTICE, exptext, DISPLAYTEXT), } ASN1_SEQUENCE_END(USERNOTICE) -IMPLEMENT_ASN1_FUNCTIONS_const(USERNOTICE) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(USERNOTICE) ASN1_SEQUENCE(NOTICEREF) = { ASN1_SIMPLE(NOTICEREF, organization, DISPLAYTEXT), ASN1_SEQUENCE_OF(NOTICEREF, noticenos, ASN1_INTEGER), } ASN1_SEQUENCE_END(NOTICEREF) -IMPLEMENT_ASN1_FUNCTIONS_const(NOTICEREF) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(NOTICEREF) static void *r2i_certpol(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *value) { diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_crld.c b/Sources/CNIOBoringSSL/crypto/x509/v3_crld.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_crld.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_crld.c index a3a858aac..4089703c2 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_crld.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_crld.c @@ -63,9 +63,8 @@ #include #include #include -#include +#include -#include "../x509/internal.h" #include "internal.h" @@ -394,7 +393,7 @@ ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = { ASN1_IMP_SET_OF(DIST_POINT_NAME, name.relativename, X509_NAME_ENTRY, 1), } ASN1_CHOICE_END_cb(DIST_POINT_NAME, DIST_POINT_NAME, type) -IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(DIST_POINT_NAME) ASN1_SEQUENCE(DIST_POINT) = { ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0), 
@@ -402,7 +401,7 @@ ASN1_SEQUENCE(DIST_POINT) = { ASN1_IMP_SEQUENCE_OF_OPT(DIST_POINT, CRLissuer, GENERAL_NAME, 2), } ASN1_SEQUENCE_END(DIST_POINT) -IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(DIST_POINT) ASN1_ITEM_TEMPLATE(CRL_DIST_POINTS) = ASN1_EX_TEMPLATE_TYPE( ASN1_TFLG_SEQUENCE_OF, 0, CRLDistributionPoints, DIST_POINT) diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_enum.c b/Sources/CNIOBoringSSL/crypto/x509/v3_enum.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_enum.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_enum.c index b318af624..7aa5241d0 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_enum.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_enum.c @@ -58,6 +58,7 @@ #include #include +#include #include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_extku.c b/Sources/CNIOBoringSSL/crypto/x509/v3_extku.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_extku.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_extku.c index 041fb3daf..0efb86ba9 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_extku.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_extku.c @@ -60,7 +60,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_genn.c b/Sources/CNIOBoringSSL/crypto/x509/v3_genn.c similarity index 94% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_genn.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_genn.c index 1b5c506e8..610b632f6 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_genn.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_genn.c @@ -59,7 +59,7 @@ #include #include #include -#include +#include #include "internal.h" 
@@ -70,7 +70,7 @@ ASN1_SEQUENCE(OTHERNAME) = { ASN1_EXP(OTHERNAME, value, ASN1_ANY, 0), } ASN1_SEQUENCE_END(OTHERNAME) -IMPLEMENT_ASN1_FUNCTIONS_const(OTHERNAME) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(OTHERNAME) ASN1_SEQUENCE(EDIPARTYNAME) = { // DirectoryString is a CHOICE type, so use explicit tagging. @@ -78,7 +78,7 @@ ASN1_SEQUENCE(EDIPARTYNAME) = { ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1), } ASN1_SEQUENCE_END(EDIPARTYNAME) -IMPLEMENT_ASN1_FUNCTIONS_const(EDIPARTYNAME) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(EDIPARTYNAME) ASN1_CHOICE(GENERAL_NAME) = { ASN1_IMP(GENERAL_NAME, d.otherName, OTHERNAME, GEN_OTHERNAME), @@ -208,9 +208,9 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) { a->type = type; } -void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype) { - if (ptype) { - *ptype = a->type; +void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *out_type) { + if (out_type) { + *out_type = a->type; } switch (a->type) { case GEN_X400: @@ -255,16 +255,16 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid, return 1; } -int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **poid, - ASN1_TYPE **pvalue) { +int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **out_oid, + ASN1_TYPE **out_value) { if (gen->type != GEN_OTHERNAME) { return 0; } - if (poid) { - *poid = gen->d.otherName->type_id; + if (out_oid != NULL) { + *out_oid = gen->d.otherName->type_id; } - if (pvalue) { - *pvalue = gen->d.otherName->value; + if (out_value != NULL) { + *out_value = gen->d.otherName->value; } return 1; } diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_ia5.c b/Sources/CNIOBoringSSL/crypto/x509/v3_ia5.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_ia5.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_ia5.c index 28f8902d8..07b9b5110 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_ia5.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_ia5.c 
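Review bot: The null checks in the two renamed getters are written in different styles: GENERAL_NAME_get0_value keeps the implicit form `if (out_type) {` while GENERAL_NAME_get0_otherName, rewritten a few lines below in the same file, switches to the explicit `if (out_oid != NULL)` and `if (out_value != NULL)`. Since the commit already rewrites the first line for the parameter rename, aligning it to `if (out_type != NULL) {` keeps the file's new convention uniform. GENERAL_NAME_get0_value's switch body continues outside the hunk.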
@@ -64,7 +64,7 @@ #include #include #include -#include +#include #include "../internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_info.c b/Sources/CNIOBoringSSL/crypto/x509/v3_info.c similarity index 97% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_info.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_info.c index 7c76a0fdd..d5798332f 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_info.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_info.c @@ -65,7 +65,10 @@ #include #include #include -#include +#include + +#include "internal.h" + static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS( const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret); @@ -112,7 +115,7 @@ ASN1_SEQUENCE(ACCESS_DESCRIPTION) = { ASN1_SIMPLE(ACCESS_DESCRIPTION, location, GENERAL_NAME), } ASN1_SEQUENCE_END(ACCESS_DESCRIPTION) -IMPLEMENT_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(ACCESS_DESCRIPTION) ASN1_ITEM_TEMPLATE(AUTHORITY_INFO_ACCESS) = ASN1_EX_TEMPLATE_TYPE( ASN1_TFLG_SEQUENCE_OF, 0, GeneralNames, ACCESS_DESCRIPTION) @@ -206,8 +209,3 @@ static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method, sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free); return NULL; } - -int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a) { - i2a_ASN1_OBJECT(bp, a->method); - return 2; -} diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_int.c b/Sources/CNIOBoringSSL/crypto/x509/v3_int.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_int.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_int.c index ada69ce6d..6df8f7e8a 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_int.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_int.c @@ -57,7 +57,7 @@ #include #include -#include +#include static char *i2s_ASN1_INTEGER_cb(const X509V3_EXT_METHOD *method, void *ext) { 
diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_lib.c b/Sources/CNIOBoringSSL/crypto/x509/v3_lib.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_lib.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_lib.c index e44f769d8..2e1be643b 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_lib.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_lib.c @@ -64,11 +64,14 @@ #include #include #include -#include +#include -#include "../x509/internal.h" +#include "internal.h" #include "ext_dat.h" + +DEFINE_STACK_OF(X509V3_EXT_METHOD) + static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL; static int ext_stack_cmp(const X509V3_EXT_METHOD *const *a, diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_ncons.c b/Sources/CNIOBoringSSL/crypto/x509/v3_ncons.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_ncons.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_ncons.c index 679951eb5..431ff68d6 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_ncons.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_ncons.c @@ -62,10 +62,10 @@ #include #include #include -#include +#include #include "../internal.h" -#include "../x509/internal.h" +#include "internal.h" static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_ocsp.c b/Sources/CNIOBoringSSL/crypto/x509/v3_ocsp.c similarity index 98% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_ocsp.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_ocsp.c index ff07b7e58..90c7b48c7 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_ocsp.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_ocsp.c @@ -7,7 +7,7 @@ * https://www.openssl.org/source/license.html */ -#include +#include #include #include 
diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_pcons.c b/Sources/CNIOBoringSSL/crypto/x509/v3_pcons.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_pcons.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_pcons.c index ae0f27f0b..a9dfc624c 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_pcons.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_pcons.c @@ -62,7 +62,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_pmaps.c b/Sources/CNIOBoringSSL/crypto/x509/v3_pmaps.c similarity index 99% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_pmaps.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_pmaps.c index ff51cfc79..8977ff02f 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_pmaps.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_pmaps.c @@ -60,7 +60,7 @@ #include #include #include -#include +#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_prn.c b/Sources/CNIOBoringSSL/crypto/x509/v3_prn.c similarity index 97% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_prn.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_prn.c index ea5947235..d99b0e024 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_prn.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_prn.c @@ -61,7 +61,7 @@ #include #include #include -#include +#include // Extension printing routines @@ -69,9 +69,8 @@ static int unknown_ext_print(BIO *out, const X509_EXTENSION *ext, unsigned long flag, int indent, int supported); // Print out a name+value stack - -void X509V3_EXT_val_prn(BIO *out, const STACK_OF(CONF_VALUE) *val, int indent, - int ml) { +static void X509V3_EXT_val_prn(BIO *out, const STACK_OF(CONF_VALUE) *val, + int indent, int ml) { if (!val) { return; } 
diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_purp.c b/Sources/CNIOBoringSSL/crypto/x509/v3_purp.c similarity index 57% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_purp.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_purp.c index 8cbfd0a35..4b0a0969e 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_purp.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_purp.c @@ -54,8 +54,6 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). */ -#include - #include #include @@ -63,27 +61,32 @@ #include #include #include -#include +#include #include "../internal.h" -#include "../x509/internal.h" #include "internal.h" + +struct x509_purpose_st { + int purpose; + int trust; // Default trust ID + int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int); + const char *sname; +} /* X509_PURPOSE */; + #define V1_ROOT (EXFLAG_V1 | EXFLAG_SS) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) #define xku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage))) -#define ns_reject(x, usage) \ - (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) +static int check_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca); -static int purpose_smime(const X509 *x, int ca); static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, 
@@ -93,281 +96,98 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca); - -static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b); -static void xptable_free(X509_PURPOSE *p); - -static X509_PURPOSE xstandard[] = { - {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, - check_purpose_ssl_client, (char *)"SSL client", (char *)"sslclient", NULL}, - {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, - check_purpose_ssl_server, (char *)"SSL server", (char *)"sslserver", NULL}, - {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, - check_purpose_ns_ssl_server, (char *)"Netscape SSL server", - (char *)"nssslserver", NULL}, - {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, - (char *)"S/MIME signing", (char *)"smimesign", NULL}, - {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, - check_purpose_smime_encrypt, (char *)"S/MIME encryption", - (char *)"smimeencrypt", NULL}, - {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, - (char *)"CRL signing", (char *)"crlsign", NULL}, - {X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, (char *)"Any Purpose", - (char *)"any", NULL}, - {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, - (char *)"OCSP helper", (char *)"ocsphelper", NULL}, - {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, - check_purpose_timestamp_sign, (char *)"Time Stamp signing", - (char *)"timestampsign", NULL}, -}; - -#define X509_PURPOSE_COUNT (sizeof(xstandard) / sizeof(X509_PURPOSE)) -static STACK_OF(X509_PURPOSE) *xptable = NULL; - -static int xp_cmp(const X509_PURPOSE *const *a, const X509_PURPOSE *const *b) { - return (*a)->purpose - (*b)->purpose; -} +// X509_TRUST_NONE is not a valid |X509_TRUST_*| constant. 
It is used by +// |X509_PURPOSE_ANY| to indicate that it has no corresponding trust type and +// cannot be used with |X509_STORE_CTX_set_purpose|. +#define X509_TRUST_NONE (-1) + +static const X509_PURPOSE xstandard[] = { + {X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, check_purpose_ssl_client, + "sslclient"}, + {X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, check_purpose_ssl_server, + "sslserver"}, + {X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, + check_purpose_ns_ssl_server, "nssslserver"}, + {X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, check_purpose_smime_sign, + "smimesign"}, + {X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, check_purpose_smime_encrypt, + "smimeencrypt"}, + {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, check_purpose_crl_sign, + "crlsign"}, + {X509_PURPOSE_ANY, X509_TRUST_NONE, no_check, "any"}, + // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP + // implementation relied on the caller performing EKU and KU checks. + {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, no_check, "ocsphelper"}, + {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, check_purpose_timestamp_sign, + "timestampsign"}, +}; -// As much as I'd like to make X509_check_purpose use a "const" X509* I -// really can't because it does recalculate hashes and do other non-const -// things. int X509_check_purpose(X509 *x, int id, int ca) { - int idx; - const X509_PURPOSE *pt; + // This differs from OpenSSL, which uses -1 to indicate a fatal error and 0 to + // indicate an invalid certificate. BoringSSL uses 0 for both. 
if (!x509v3_cache_extensions(x)) { - return -1; + return 0; } if (id == -1) { return 1; } - idx = X509_PURPOSE_get_by_id(id); - if (idx == -1) { - return -1; - } - pt = X509_PURPOSE_get0(idx); - return pt->check_purpose(pt, x, ca); -} - -int X509_PURPOSE_set(int *p, int purpose) { - if (X509_PURPOSE_get_by_id(purpose) == -1) { - OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_PURPOSE); + const X509_PURPOSE *pt = X509_PURPOSE_get0(id); + if (pt == NULL) { return 0; } - *p = purpose; - return 1; -} - -int X509_PURPOSE_get_count(void) { - if (!xptable) { - return X509_PURPOSE_COUNT; + // Historically, |check_purpose| implementations other than |X509_PURPOSE_ANY| + // called |check_ca|. This is redundant with the |X509_V_ERR_INVALID_CA| + // logic, but |X509_check_purpose| is public API, so we preserve this + // behavior. + if (ca && id != X509_PURPOSE_ANY && !check_ca(x)) { + return 0; } - return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; + return pt->check_purpose(pt, x, ca); } -X509_PURPOSE *X509_PURPOSE_get0(int idx) { - if (idx < 0) { - return NULL; - } - if (idx < (int)X509_PURPOSE_COUNT) { - return xstandard + idx; +const X509_PURPOSE *X509_PURPOSE_get0(int id) { + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(xstandard); i++) { + if (xstandard[i].purpose == id) { + return &xstandard[i]; + } } - return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); + return NULL; } int X509_PURPOSE_get_by_sname(const char *sname) { - X509_PURPOSE *xptmp; - for (int i = 0; i < X509_PURPOSE_get_count(); i++) { - xptmp = X509_PURPOSE_get0(i); - if (!strcmp(xptmp->sname, sname)) { - return i; + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(xstandard); i++) { + if (strcmp(xstandard[i].sname, sname) == 0) { + return xstandard[i].purpose; } } return -1; } -int X509_PURPOSE_get_by_id(int purpose) { - X509_PURPOSE tmp; - size_t idx; - - if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX)) { - return purpose - X509_PURPOSE_MIN; - } - tmp.purpose = purpose; - if 
(!xptable) { - return -1; - } - - if (!sk_X509_PURPOSE_find(xptable, &idx, &tmp)) { - return -1; - } - return idx + X509_PURPOSE_COUNT; -} - -int X509_PURPOSE_add(int id, int trust, int flags, - int (*ck)(const X509_PURPOSE *, const X509 *, int), - const char *name, const char *sname, void *arg) { - X509_PURPOSE *ptmp; - char *name_dup, *sname_dup; - - // This is set according to what we change: application can't set it - flags &= ~X509_PURPOSE_DYNAMIC; - // This will always be set for application modified trust entries - flags |= X509_PURPOSE_DYNAMIC_NAME; - // Get existing entry if any - int idx = X509_PURPOSE_get_by_id(id); - // Need a new entry - if (idx == -1) { - if (!(ptmp = OPENSSL_malloc(sizeof(X509_PURPOSE)))) { - return 0; - } - ptmp->flags = X509_PURPOSE_DYNAMIC; - } else { - ptmp = X509_PURPOSE_get0(idx); - } - - // Duplicate the supplied names. - name_dup = OPENSSL_strdup(name); - sname_dup = OPENSSL_strdup(sname); - if (name_dup == NULL || sname_dup == NULL) { - if (name_dup != NULL) { - OPENSSL_free(name_dup); - } - if (sname_dup != NULL) { - OPENSSL_free(sname_dup); - } - if (idx == -1) { - OPENSSL_free(ptmp); - } - return 0; - } - - // OPENSSL_free existing name if dynamic - if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) { - OPENSSL_free(ptmp->name); - OPENSSL_free(ptmp->sname); - } - // dup supplied name - ptmp->name = name_dup; - ptmp->sname = sname_dup; - // Keep the dynamic flag of existing entry - ptmp->flags &= X509_PURPOSE_DYNAMIC; - // Set all other flags - ptmp->flags |= flags; - - ptmp->purpose = id; - ptmp->trust = trust; - ptmp->check_purpose = ck; - ptmp->usr_data = arg; - - // If its a new entry manage the dynamic table - if (idx == -1) { - // TODO(davidben): This should be locked. Alternatively, remove the dynamic - // registration mechanism entirely. The trouble is there no way to pass in - // the various parameters into an |X509_VERIFY_PARAM| directly. You can only - // register it in the global table and get an ID. 
- if (!xptable && !(xptable = sk_X509_PURPOSE_new(xp_cmp))) { - xptable_free(ptmp); - return 0; - } - if (!sk_X509_PURPOSE_push(xptable, ptmp)) { - xptable_free(ptmp); - return 0; - } - sk_X509_PURPOSE_sort(xptable); - } - return 1; -} - -static void xptable_free(X509_PURPOSE *p) { - if (!p) { - return; - } - if (p->flags & X509_PURPOSE_DYNAMIC) { - if (p->flags & X509_PURPOSE_DYNAMIC_NAME) { - OPENSSL_free(p->name); - OPENSSL_free(p->sname); - } - OPENSSL_free(p); - } -} - -void X509_PURPOSE_cleanup(void) { - unsigned int i; - sk_X509_PURPOSE_pop_free(xptable, xptable_free); - for (i = 0; i < X509_PURPOSE_COUNT; i++) { - xptable_free(xstandard + i); - } - xptable = NULL; -} - int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; } -char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp) { return xp->name; } - -char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; } - int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; } -static int nid_cmp(const void *void_a, const void *void_b) { - const int *a = void_a, *b = void_b; - - return *a - *b; -} - int X509_supported_extension(const X509_EXTENSION *ex) { - // This table is a list of the NIDs of supported extensions: that is - // those which are used by the verify process. If an extension is - // critical and doesn't appear in this list then the verify process will - // normally reject the certificate. The list must be kept in numerical - // order because it will be searched using bsearch. 
- - static const int supported_nids[] = { - NID_netscape_cert_type, // 71 - NID_key_usage, // 83 - NID_subject_alt_name, // 85 - NID_basic_constraints, // 87 - NID_certificate_policies, // 89 - NID_ext_key_usage, // 126 - NID_policy_constraints, // 401 - NID_name_constraints, // 666 - NID_policy_mappings, // 747 - NID_inhibit_any_policy // 748 - }; - - int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); - - if (ex_nid == NID_undef) { - return 0; - } - - if (bsearch(&ex_nid, supported_nids, sizeof(supported_nids) / sizeof(int), - sizeof(int), nid_cmp) != NULL) { - return 1; - } - return 0; + int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex)); + return nid == NID_key_usage || // + nid == NID_subject_alt_name || // + nid == NID_basic_constraints || // + nid == NID_certificate_policies || // + nid == NID_ext_key_usage || // + nid == NID_policy_constraints || // + nid == NID_name_constraints || // + nid == NID_policy_mappings || // + nid == NID_inhibit_any_policy; } static int setup_dp(X509 *x, DIST_POINT *dp) { - X509_NAME *iname = NULL; - size_t i; - if (dp->reasons) { - if (dp->reasons->length > 0) { - dp->dp_reasons = dp->reasons->data[0]; - } - if (dp->reasons->length > 1) { - dp->dp_reasons |= (dp->reasons->data[1] << 8); - } - dp->dp_reasons &= CRLDP_ALL_REASONS; - } else { - dp->dp_reasons = CRLDP_ALL_REASONS; - } if (!dp->distpoint || (dp->distpoint->type != 1)) { return 1; } - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { + X509_NAME *iname = NULL; + for (size_t i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); if (gen->type == GEN_DIRNAME) { iname = gen->d.directoryName; @@ -398,7 +218,6 @@ static int setup_crldp(X509 *x) { int x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; ASN1_BIT_STRING *usage; - ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; size_t i; int j; 
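Review bot: Dropping NID_netscape_cert_type from X509_supported_extension changes verification outcomes without saying so: per the removed list comment, a critical extension absent from this set makes the verifier reject the certificate, so a certificate that marks nsCertType critical now fails where it previously verified. The matching removal in the x509v3_cache_extensions hunk on the next line (`@@ -512,17 +331,6 @@`), which deletes the EXFLAG_NSCERT block, keeps the two consistent, but neither carries a note. Suggest a comment above the new `return nid == ...` chain: `// nsCertType is intentionally absent: the extension is no longer parsed, so a certificate that marks it critical is rejected as carrying an unknown critical extension.` Separately, X509_PURPOSE_get_trust now returns the file-private X509_TRUST_NONE (-1) for X509_PURPOSE_ANY; callers of that public getter cannot see the macro, so the -1 case should be stated in the getter's documentation.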
@@ -512,17 +331,6 @@ int x509v3_cache_extensions(X509 *x) { x->ex_flags |= EXFLAG_INVALID; } - if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, &j, NULL))) { - if (ns->length > 0) { - x->ex_nscert = ns->data[0]; - } else { - x->ex_nscert = 0; - } - x->ex_flags |= EXFLAG_NSCERT; - ASN1_BIT_STRING_free(ns); - } else if (j != -1) { - x->ex_flags |= EXFLAG_INVALID; - } x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, &j, NULL); if (x->skid == NULL && j != -1) { x->ex_flags |= EXFLAG_INVALID; @@ -536,7 +344,7 @@ int x509v3_cache_extensions(X509 *x) { x->ex_flags |= EXFLAG_SI; // If SKID matches AKID also indicate self signed if (X509_check_akid(x, x->akid) == X509_V_OK && - !ku_reject(x, KU_KEY_CERT_SIGN)) { + !ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) { x->ex_flags |= EXFLAG_SS; } } @@ -554,9 +362,6 @@ int x509v3_cache_extensions(X509 *x) { for (j = 0; j < X509_get_ext_count(x); j++) { const X509_EXTENSION *ex = X509_get_ext(x, j); - if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl) { - x->ex_flags |= EXFLAG_FRESHEST; - } if (!X509_EXTENSION_get_critical(ex)) { continue; } @@ -575,7 +380,7 @@ int x509v3_cache_extensions(X509 *x) { // otherwise. static int check_ca(const X509 *x) { // keyUsage if present should allow cert signing - if (ku_reject(x, KU_KEY_CERT_SIGN)) { + if (ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) { return 0; } // Version 1 certificates are considered CAs and don't have extensions. 
@@ -593,138 +398,68 @@ int X509_check_ca(X509 *x) { return check_ca(x); } -static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, - int ca) { - if (xku_reject(x, XKU_SSL_CLIENT)) { - return 0; - } - if (ca) { - return check_ca(x); - } - // We need to do digital signatures or key agreement - if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) { - return 0; - } - // nsCertType if present should allow SSL client use - if (ns_reject(x, NS_SSL_CLIENT)) { +// check_purpose returns one if |x| is a valid part of a certificate path for +// extended key usage |required_xku| and at least one of key usages in +// |required_kus|. |ca| indicates whether |x| is a CA or end-entity certificate. +static int check_purpose(const X509 *x, int ca, int required_xku, + int required_kus) { + // Check extended key usage on the entire chain. + if (required_xku != 0 && xku_reject(x, required_xku)) { return 0; } - return 1; + + // Check key usages only on the end-entity certificate. + return ca || !ku_reject(x, required_kus); +} + +static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, + int ca) { + // We need to do digital signatures or key agreement. + // + // TODO(davidben): We do not implement any TLS client certificate modes based + // on key agreement. + return check_purpose(x, ca, XKU_SSL_CLIENT, + X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_AGREEMENT); } // Key usage needed for TLS/SSL server: digital signature, encipherment or // key agreement. The ssl code can check this more thoroughly for individual // key types. 
-#define KU_TLS (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT) +#define X509v3_KU_TLS \ + (X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_ENCIPHERMENT | \ + X509v3_KU_KEY_AGREEMENT) static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { - if (xku_reject(x, XKU_SSL_SERVER)) { - return 0; - } - if (ca) { - return check_ca(x); - } - - if (ns_reject(x, NS_SSL_SERVER)) { - return 0; - } - if (ku_reject(x, KU_TLS)) { - return 0; - } - - return 1; + return check_purpose(x, ca, XKU_SSL_SERVER, X509v3_KU_TLS); } static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca) { - int ret; - ret = check_purpose_ssl_server(xp, x, ca); - if (!ret || ca) { - return ret; - } - // We need to encipher or Netscape complains - if (ku_reject(x, KU_KEY_ENCIPHERMENT)) { - return 0; - } - return ret; -} - -// purpose_smime returns one if |x| is a valid S/MIME leaf (|ca| is zero) or CA -// (|ca| is one) certificate, and zero otherwise. -static int purpose_smime(const X509 *x, int ca) { - if (xku_reject(x, XKU_SMIME)) { - return 0; - } - if (ca) { - // check nsCertType if present - if ((x->ex_flags & EXFLAG_NSCERT) && (x->ex_nscert & NS_SMIME_CA) == 0) { - return 0; - } - - return check_ca(x); - } - if (x->ex_flags & EXFLAG_NSCERT) { - return (x->ex_nscert & NS_SMIME) == NS_SMIME; - } - return 1; + // We need to encipher or Netscape complains. 
+ return check_purpose(x, ca, XKU_SSL_SERVER, X509v3_KU_KEY_ENCIPHERMENT); } static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { - int ret; - ret = purpose_smime(x, ca); - if (!ret || ca) { - return ret; - } - if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)) { - return 0; - } - return ret; + return check_purpose(x, ca, XKU_SMIME, + X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_NON_REPUDIATION); } static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca) { - int ret; - ret = purpose_smime(x, ca); - if (!ret || ca) { - return ret; - } - if (ku_reject(x, KU_KEY_ENCIPHERMENT)) { - return 0; - } - return ret; + return check_purpose(x, ca, XKU_SMIME, X509v3_KU_KEY_ENCIPHERMENT); } static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { - if (ca) { - return check_ca(x); - } - if (ku_reject(x, KU_CRL_SIGN)) { - return 0; - } - return 1; -} - -// OCSP helper: this is *not* a full OCSP check. It just checks that each CA -// is valid. Additional checks must be made on the chain. - -static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca) { - if (ca) { - return check_ca(x); - } - // leaf certificate is checked in OCSP_verify() - return 1; + return check_purpose(x, ca, /*required_xku=*/0, X509v3_KU_CRL_SIGN); } static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca) { - int i_ext; - - // If ca is true we must return if this is a valid CA certificate. if (ca) { - return check_ca(x); + return 1; } // Check the optional key usage field: 
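Review bot: The new check_purpose helper treats `required_xku == 0` as "no constraint" but has no matching guard for `required_kus`: with a zero key-usage mask, `ku_reject(x, 0)` expands to `(ex_flags & EXFLAG_KUSAGE) && !(ex_kusage & 0)`, which rejects every end-entity certificate that carries a keyUsage extension. No visible caller passes zero today (check_purpose_crl_sign passes zero only for the EKU), so this is a latent contract hazard rather than a current bug, but the helper's doc comment promises "at least one of key usages in |required_kus|" without saying the mask must be non-empty. Either document it (`// |required_kus| must be non-zero; a zero mask rejects every certificate with a keyUsage extension.`) or mirror the EKU guard: `return ca || required_kus == 0 || !ku_reject(x, required_kus);`.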
@@ -732,20 +467,24 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, // and/or nonRepudiation (other values are not consistent and shall // be rejected). if ((x->ex_flags & EXFLAG_KUSAGE) && - ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) || - !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) { + ((x->ex_kusage & + ~(X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)) || + !(x->ex_kusage & + (X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)))) { return 0; } // Only time stamp key usage is permitted and it's required. + // + // TODO(davidben): Should we check EKUs up the chain like the other cases? if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP) { return 0; } // Extended Key Usage MUST be critical - i_ext = X509_get_ext_by_NID((X509 *)x, NID_ext_key_usage, -1); + int i_ext = X509_get_ext_by_NID(x, NID_ext_key_usage, -1); if (i_ext >= 0) { - const X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext); + const X509_EXTENSION *ext = X509_get_ext(x, i_ext); if (!X509_EXTENSION_get_critical(ext)) { return 0; } @@ -756,14 +495,6 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca) { return 1; } -// Various checks to see if one certificate issued the second. This can be -// used to prune a set of possible issuer certificates which have been looked -// up using some simple method such as by subject name. These are: 1. Check -// issuer_name(subject) == subject_name(issuer) 2. If akid(subject) exists -// check it matches issuer 3. If key_usage(issuer) exists check it supports -// certificate signing returns 0 for OK, positive for reason for mismatch, -// reasons match codes for X509_verify_cert() - int X509_check_issued(X509 *issuer, X509 *subject) { if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) { 
@@ -780,13 +511,13 @@ int X509_check_issued(X509 *issuer, X509 *subject) { } } - if (ku_reject(issuer, KU_KEY_CERT_SIGN)) { + if (ku_reject(issuer, X509v3_KU_KEY_CERT_SIGN)) { return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; } return X509_V_OK; } -int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) { +int X509_check_akid(X509 *issuer, const AUTHORITY_KEYID *akid) { if (!akid) { return X509_V_OK; } @@ -839,6 +570,9 @@ uint32_t X509_get_key_usage(X509 *x) { if (x->ex_flags & EXFLAG_KUSAGE) { return x->ex_kusage; } + // If there is no extension, key usage is unconstrained, so set all bits to + // one. Note that, although we use |UINT32_MAX|, |ex_kusage| only contains the + // first 16 bits when the extension is present. return UINT32_MAX; } @@ -849,6 +583,8 @@ uint32_t X509_get_extended_key_usage(X509 *x) { if (x->ex_flags & EXFLAG_XKUSAGE) { return x->ex_xkusage; } + // If there is no extension, extended key usage is unconstrained, so set all + // bits to one. return UINT32_MAX; } diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_skey.c b/Sources/CNIOBoringSSL/crypto/x509/v3_skey.c similarity index 98% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_skey.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_skey.c index a769f1dfe..c74295803 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_skey.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_skey.c @@ -62,9 +62,8 @@ #include #include #include -#include +#include -#include "../x509/internal.h" #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_utl.c b/Sources/CNIOBoringSSL/crypto/x509/v3_utl.c similarity index 92% rename from Sources/CNIOBoringSSL/crypto/x509v3/v3_utl.c rename to Sources/CNIOBoringSSL/crypto/x509/v3_utl.c index bf2fa17d1..7277f1473 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_utl.c +++ b/Sources/CNIOBoringSSL/crypto/x509/v3_utl.c @@ -67,7 +67,7 @@ #include #include #include -#include +#include #include "../conf/internal.h" #include "../internal.h" 
@@ -82,10 +82,10 @@ static void str_free(OPENSSL_STRING str); static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, const ASN1_IA5STRING *email); -static int ipv4_from_asc(unsigned char v4[4], const char *in); -static int ipv6_from_asc(unsigned char v6[16], const char *in); +static int ipv4_from_asc(uint8_t v4[4], const char *in); +static int ipv6_from_asc(uint8_t v6[16], const char *in); static int ipv6_cb(const char *elem, size_t len, void *usr); -static int ipv6_hex(unsigned char *out, const char *in, size_t inlen); +static int ipv6_hex(uint8_t *out, const char *in, size_t inlen); // Add a CONF_VALUE name value pair to stack @@ -555,7 +555,7 @@ static int sk_strcmp(const char *const *a, const char *const *b) { return strcmp(*a, *b); } -STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) { +STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x) { GENERAL_NAMES *gens; STACK_OF(OPENSSL_STRING) *ret; @@ -565,7 +565,7 @@ STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) { return ret; } -STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) { +STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x) { AUTHORITY_INFO_ACCESS *info; STACK_OF(OPENSSL_STRING) *ret = NULL; size_t i; @@ -588,7 +588,7 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) { return ret; } -STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) { +STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(const X509_REQ *x) { GENERAL_NAMES *gens; STACK_OF(X509_EXTENSION) *exts; STACK_OF(OPENSSL_STRING) *ret; @@ -942,6 +942,9 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, } if (rv > 0 && peername) { *peername = OPENSSL_strndup((char *)a->data, a->length); + if (*peername == NULL) { + return -1; + } } } else { int astrlen; 
@@ -960,13 +963,16 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, } if (rv > 0 && peername) { *peername = OPENSSL_strndup((char *)astr, astrlen); + if (*peername == NULL) { + return -1; + } } OPENSSL_free(astr); } return rv; } -static int do_x509_check(X509 *x, const char *chk, size_t chklen, +static int do_x509_check(const X509 *x, const char *chk, size_t chklen, unsigned int flags, int check_type, char **peername) { int cnid = NID_undef; int alt_type; @@ -1033,8 +1039,8 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, return 0; } -int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, - char **peername) { +int X509_check_host(const X509 *x, const char *chk, size_t chklen, + unsigned int flags, char **peername) { if (chk == NULL) { return -2; } @@ -1044,7 +1050,7 @@ int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername); } -int X509_check_email(X509 *x, const char *chk, size_t chklen, +int X509_check_email(const X509 *x, const char *chk, size_t chklen, unsigned int flags) { if (chk == NULL) { return -2; @@ -1055,15 +1061,15 @@ int X509_check_email(X509 *x, const char *chk, size_t chklen, return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL); } -int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, +int X509_check_ip(const X509 *x, const unsigned char *chk, size_t chklen, unsigned int flags) { if (chk == NULL) { return -2; } - return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL); + return do_x509_check(x, (const char *)chk, chklen, flags, GEN_IPADD, NULL); } -int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) { +int X509_check_ip_asc(const X509 *x, const char *ipasc, unsigned int flags) { unsigned char ipout[16]; size_t iplen; 
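Review bot: In the second do_check_string hunk (`@@ -960,13 +963,16 @@`), the added `return -1` on OPENSSL_strndup failure skips the `OPENSSL_free(astr);` that follows the block, leaking the converted string on the out-of-memory path; the earlier hunk (`@@ -942,6 +942,9 @@`) has no such cleanup to skip, so only this branch is affected. The failure branch should release it first: `if (*peername == NULL) { OPENSSL_free(astr); return -1; }`. do_check_string's body starts before this hunk, so the allocation of astr is not visible here.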
@@ -1074,7 +1080,7 @@ int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) { if (iplen == 0) { return -2; } - return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL); + return do_x509_check(x, (const char *)ipout, iplen, flags, GEN_IPADD, NULL); } // Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible @@ -1143,16 +1149,12 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) { return ret; err: - if (iptmp) { - OPENSSL_free(iptmp); - } - if (ret) { - ASN1_OCTET_STRING_free(ret); - } + OPENSSL_free(iptmp); + ASN1_OCTET_STRING_free(ret); return NULL; } -int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc) { +int x509v3_a2i_ipadd(uint8_t ipout[16], const char *ipasc) { // If string contains a ':' assume IPv6 if (strchr(ipasc, ':')) { 
@@ -1168,25 +1170,58 @@ int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc) { } } -static int ipv4_from_asc(unsigned char v4[4], const char *in) { - int a0, a1, a2, a3; - if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4) { +// get_ipv4_component consumes one IPv4 component, terminated by either '.' or +// the end of the string, from |*str|. On success, it returns one, sets |*out| +// to the component, and advances |*str| to the first unconsumed character. On +// invalid input, it returns zero. +static int get_ipv4_component(uint8_t *out_byte, const char **str) { + // Store a slightly larger intermediary so the overflow check is easier. + uint32_t out = 0; + for (;;) { + if (!OPENSSL_isdigit(**str)) { + return 0; + } + out = (out * 10) + (**str - '0'); + if (out > 255) { + // Components must be 8-bit. + return 0; + } + (*str)++; + if ((**str) == '.' || (**str) == '\0') { + *out_byte = (uint8_t)out; + return 1; + } + if (out == 0) { + // Reject extra leading zeros. Parsers sometimes treat them as octal, so + // accepting them would misinterpret input. + return 0; + } + } +} + +// get_ipv4_dot consumes a '.' from |*str| and advances it. It returns one on +// success and zero if |*str| does not point to a '.'. 
+static int get_ipv4_dot(const char **str) { + if (**str != '.') { return 0; } - if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) || (a2 < 0) || - (a2 > 255) || (a3 < 0) || (a3 > 255)) { + (*str)++; + return 1; +} + +static int ipv4_from_asc(uint8_t v4[4], const char *in) { + if (!get_ipv4_component(&v4[0], &in) || !get_ipv4_dot(&in) || + !get_ipv4_component(&v4[1], &in) || !get_ipv4_dot(&in) || + !get_ipv4_component(&v4[2], &in) || !get_ipv4_dot(&in) || + !get_ipv4_component(&v4[3], &in) || *in != '\0') { return 0; } - v4[0] = a0; - v4[1] = a1; - v4[2] = a2; - v4[3] = a3; return 1; } typedef struct { // Temporary store for IPV6 output - unsigned char tmp[16]; + uint8_t tmp[16]; // Total number of bytes in tmp int total; // The position of a zero (corresponding to '::') @@ -1195,7 +1230,7 @@ typedef struct { int zero_cnt; } IPV6_STAT; -static int ipv6_from_asc(unsigned char v6[16], const char *in) { +static int ipv6_from_asc(uint8_t v6[16], const char *in) { IPV6_STAT v6stat; v6stat.total = 0; v6stat.zero_pos = -1; @@ -1303,7 +1338,7 @@ static int ipv6_cb(const char *elem, size_t len, void *usr) { // Convert a string of up to 4 hex digits into the corresponding IPv6 form. -static int ipv6_hex(unsigned char *out, const char *in, size_t inlen) { +static int ipv6_hex(uint8_t *out, const char *in, size_t inlen) { if (inlen > 4) { return 0; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_att.c b/Sources/CNIOBoringSSL/crypto/x509/x509_att.c index f5ad7f610..84c8dbaa6 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_att.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_att.c 
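Review bot: `ipv4_from_asc` has no contract comment even though both of its new helpers do, and its behavior is a deliberate tightening over the old `sscanf("%d.%d.%d.%d")` parser, whose `%d` tolerates leading whitespace, a sign and leading zeros and ignores trailing characters. Callers of `x509v3_a2i_ipadd` (and through it `X509_check_ip_asc` and `a2i_IPADDRESS`) will now reject inputs like `"01.2.3.4"` or `" 1.2.3.4"`, which is the right call given the octal ambiguity, but it should be stated on the function rather than left implicit in the helpers: `// ipv4_from_asc parses the NUL-terminated dotted-decimal IPv4 address |in| into |v4|. Each component is 1-3 decimal digits, at most 255, with no leading zeros; whitespace, signs and trailing characters are rejected. It returns one on success and zero on invalid input.` The rest of this hunk (the IPv6 state struct) continues into the next line.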
@@ -137,54 +137,57 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) { int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len) { - ASN1_TYPE *ttmp = NULL; - ASN1_STRING *stmp = NULL; - int atype = 0; if (!attr) { return 0; } + + if (attrtype == 0) { + // Do nothing. This is used to create an empty value set in + // |X509_ATTRIBUTE_create_by_*|. This is invalid, but supported by OpenSSL. + return 1; + } + + ASN1_TYPE *typ = ASN1_TYPE_new(); + if (typ == NULL) { + return 0; + } + + // This function is several functions in one. if (attrtype & MBSTRING_FLAG) { - stmp = ASN1_STRING_set_by_NID(NULL, data, len, attrtype, - OBJ_obj2nid(attr->object)); - if (!stmp) { + // |data| is an encoded string. We must decode and re-encode it to |attr|'s + // preferred ASN.1 type. Note |len| may be -1, in which case + // |ASN1_STRING_set_by_NID| calls |strlen| automatically. + ASN1_STRING *str = ASN1_STRING_set_by_NID(NULL, data, len, attrtype, + OBJ_obj2nid(attr->object)); + if (str == NULL) { OPENSSL_PUT_ERROR(X509, ERR_R_ASN1_LIB); - return 0; - } - atype = stmp->type; - } else if (len != -1) { - if (!(stmp = ASN1_STRING_type_new(attrtype))) { goto err; } - if (!ASN1_STRING_set(stmp, data, len)) { + asn1_type_set0_string(typ, str); + } else if (len != -1) { + // |attrtype| must be a valid |ASN1_STRING| type. |data| and |len| is a + // value in the corresponding |ASN1_STRING| representation. + ASN1_STRING *str = ASN1_STRING_type_new(attrtype); + if (str == NULL || !ASN1_STRING_set(str, data, len)) { + ASN1_STRING_free(str); goto err; } - atype = attrtype; - } - // This is a bit naughty because the attribute should really have at - // least one value but some types use and zero length SET and require - // this. 
- if (attrtype == 0) { - ASN1_STRING_free(stmp); - return 1; - } - if (!(ttmp = ASN1_TYPE_new())) { - goto err; - } - if ((len == -1) && !(attrtype & MBSTRING_FLAG)) { - if (!ASN1_TYPE_set1(ttmp, attrtype, data)) { + asn1_type_set0_string(typ, str); + } else { + // |attrtype| must be a valid |ASN1_TYPE| type. |data| is a pointer to an + // object of the corresponding type. + if (!ASN1_TYPE_set1(typ, attrtype, data)) { goto err; } - } else { - ASN1_TYPE_set(ttmp, atype, stmp); - stmp = NULL; } - if (!sk_ASN1_TYPE_push(attr->set, ttmp)) { + + if (!sk_ASN1_TYPE_push(attr->set, typ)) { goto err; } return 1; + err: - ASN1_TYPE_free(ttmp); - ASN1_STRING_free(stmp); + ASN1_TYPE_free(typ); return 0; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_cmp.c b/Sources/CNIOBoringSSL/crypto/x509/x509_cmp.c index f01572540..05ae5cc71 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_cmp.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_cmp.c @@ -60,13 +60,13 @@ #include #include #include +#include #include +#include #include #include -#include #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" @@ -90,11 +90,11 @@ X509_NAME *X509_get_issuer_name(const X509 *a) { return a->cert_info->issuer; } -unsigned long X509_issuer_name_hash(X509 *x) { - return (X509_NAME_hash(x->cert_info->issuer)); +uint32_t X509_issuer_name_hash(X509 *x) { + return X509_NAME_hash(x->cert_info->issuer); } -unsigned long X509_issuer_name_hash_old(X509 *x) { +uint32_t X509_issuer_name_hash_old(X509 *x) { return (X509_NAME_hash_old(x->cert_info->issuer)); } 
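Review bot: `X509_ATTRIBUTE_set1_data` only ever compares `len` against -1, so any other negative `len` in the non-`MBSTRING_FLAG` path falls into the `len != -1` branch and is handed to `ASN1_STRING_set`; if that function treats a negative length as "use strlen" (as OpenSSL's does; not visible here), a caller passing e.g. -2 silently gets string semantics while the comment above the branch promises "|data| and |len| is a value". A cheap guard after the `attrtype == 0` early return would pin the documented contract: `if (len < -1) { OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_INVALID_ARGUMENT); return 0; }`, or alternatively document that only -1 is special. The function starts in the previous line and this is vendored BoringSSL, so the change would go upstream.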
@@ -110,12 +110,12 @@ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509) { return x509->cert_info->serialNumber; } -unsigned long X509_subject_name_hash(X509 *x) { - return (X509_NAME_hash(x->cert_info->subject)); +uint32_t X509_subject_name_hash(X509 *x) { + return X509_NAME_hash(x->cert_info->subject); } -unsigned long X509_subject_name_hash_old(X509 *x) { - return (X509_NAME_hash_old(x->cert_info->subject)); +uint32_t X509_subject_name_hash_old(X509 *x) { + return X509_NAME_hash_old(x->cert_info->subject); } // Compare two certificates: they must be identical for this to work. NB: 
@@ -167,44 +167,29 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) { return OPENSSL_memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); } -unsigned long X509_NAME_hash(X509_NAME *x) { - unsigned long ret = 0; - unsigned char md[SHA_DIGEST_LENGTH]; - - // Make sure X509_NAME structure contains valid cached encoding - i2d_X509_NAME(x, NULL); - if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), NULL)) { +uint32_t X509_NAME_hash(X509_NAME *x) { + // Make sure the X509_NAME structure contains a valid cached encoding. + if (i2d_X509_NAME(x, NULL) < 0) { return 0; } - ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)) & - 0xffffffffL; - return ret; + uint8_t md[SHA_DIGEST_LENGTH]; + SHA1(x->canon_enc, x->canon_enclen, md); + return CRYPTO_load_u32_le(md); } // I now DER encode the name and hash it. Since I cache the DER encoding, // this is reasonably efficient. -unsigned long X509_NAME_hash_old(X509_NAME *x) { - EVP_MD_CTX md_ctx; - unsigned long ret = 0; - unsigned char md[16]; - - // Make sure X509_NAME structure contains valid cached encoding - i2d_X509_NAME(x, NULL); - EVP_MD_CTX_init(&md_ctx); - // EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) && - EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) && - EVP_DigestFinal_ex(&md_ctx, md, NULL)) { - ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | - ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)) & - 0xffffffffL; +uint32_t X509_NAME_hash_old(X509_NAME *x) { + // Make sure the X509_NAME structure contains a valid cached encoding. 
+ if (i2d_X509_NAME(x, NULL) < 0) { + return 0; } - EVP_MD_CTX_cleanup(&md_ctx); - return ret; + uint8_t md[SHA_DIGEST_LENGTH]; + MD5((const uint8_t *)x->bytes->data, x->bytes->length, md); + return CRYPTO_load_u32_le(md); } X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, X509_NAME *name, @@ -233,11 +218,18 @@ X509 *X509_find_by_subject(const STACK_OF(X509) *sk, X509_NAME *name) { return NULL; } -EVP_PKEY *X509_get_pubkey(X509 *x) { - if ((x == NULL) || (x->cert_info == NULL)) { +EVP_PKEY *X509_get0_pubkey(const X509 *x) { + if (x == NULL) { + return NULL; + } + return X509_PUBKEY_get0(x->cert_info->key); +} + +EVP_PKEY *X509_get_pubkey(const X509 *x) { + if (x == NULL) { return NULL; } - return (X509_PUBKEY_get(x->cert_info->key)); + return X509_PUBKEY_get(x->cert_info->key); } ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) { @@ -247,36 +239,29 @@ ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x) { return x->cert_info->key->public_key; } -int X509_check_private_key(X509 *x, const EVP_PKEY *k) { - EVP_PKEY *xk; - int ret; - - xk = X509_get_pubkey(x); +int X509_check_private_key(const X509 *x, const EVP_PKEY *k) { + const EVP_PKEY *xk = X509_get0_pubkey(x); + if (xk == NULL) { + return 0; + } - if (xk) { - ret = EVP_PKEY_cmp(xk, k); - } else { - ret = -2; + int ret = EVP_PKEY_cmp(xk, k); + if (ret > 0) { + return 1; } switch (ret) { - case 1: - break; case 0: OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH); - break; + return 0; case -1: OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH); - break; + return 0; case -2: OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE); + return 0; } - if (xk) { - EVP_PKEY_free(xk); - } - if (ret > 0) { - return 1; - } + return 0; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_ext.c b/Sources/CNIOBoringSSL/crypto/x509/x509_ext.c index 88e0c7117..ffdcf0778 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_ext.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_ext.c 
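Review bot: In `X509_NAME_hash_old` the MD5 output buffer is declared `uint8_t md[SHA_DIGEST_LENGTH]` (20 bytes) although `MD5` writes 16; that is not an overflow, but it reads like a copy from `X509_NAME_hash` and will trip the next person auditing digest lengths in this file. Use the matching constant, `uint8_t md[MD5_DIGEST_LENGTH];`, which comes from the same header that declares `MD5`. The added `< 0` check on `i2d_X509_NAME` is a genuine fix over the old unchecked call, since `canon_enc`/`bytes` would otherwise be read after a failed re-encode. The hunk starts in the previous line; both hash functions are fully visible across the two.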
@@ -59,7 +59,6 @@ #include #include #include -#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_lu.c b/Sources/CNIOBoringSSL/crypto/x509/x509_lu.c index b64034aa5..cdb20b775 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_lu.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_lu.c @@ -60,25 +60,34 @@ #include #include #include -#include #include "../internal.h" #include "internal.h" -X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method) { - X509_LOOKUP *ret; - ret = (X509_LOOKUP *)OPENSSL_malloc(sizeof(X509_LOOKUP)); +static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, + X509_NAME *name); +static X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, + int type, X509_NAME *name); +static X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, + X509_OBJECT *x); +static int X509_OBJECT_up_ref_count(X509_OBJECT *a); + +static X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method, + X509_STORE *store); +static int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret); + +static X509_LOOKUP *X509_LOOKUP_new(const X509_LOOKUP_METHOD *method, + X509_STORE *store) { + X509_LOOKUP *ret = OPENSSL_zalloc(sizeof(X509_LOOKUP)); if (ret == NULL) { return NULL; } - ret->init = 0; - ret->skip = 0; ret->method = method; - ret->method_data = NULL; - ret->store_ctx = NULL; - if ((method->new_item != NULL) && !method->new_item(ret)) { + ret->store_ctx = store; + if (method->new_item != NULL && !method->new_item(ret)) { OPENSSL_free(ret); return NULL; } 
@@ -89,34 +98,12 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) { if (ctx == NULL) { return; } - if ((ctx->method != NULL) && (ctx->method->free != NULL)) { + if (ctx->method != NULL && ctx->method->free != NULL) { (*ctx->method->free)(ctx); } OPENSSL_free(ctx); } -int X509_LOOKUP_init(X509_LOOKUP *ctx) { - if (ctx->method == NULL) { - return 0; - } - if (ctx->method->init != NULL) { - return ctx->method->init(ctx); - } else { - return 1; - } -} - -int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) { - if (ctx->method == NULL) { - return 0; - } - if (ctx->method->shutdown != NULL) { - return ctx->method->shutdown(ctx); - } else { - return 1; - } -} - int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret) { if (ctx->method == NULL) { @@ -129,14 +116,15 @@ int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, } } -int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, - X509_OBJECT *ret) { - if ((ctx->method == NULL) || (ctx->method->get_by_subject == NULL)) { - return 0; - } - if (ctx->skip) { +static int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret) { + if (ctx->method == NULL || ctx->method->get_by_subject == NULL) { return 0; } + // Note |get_by_subject| leaves |ret| in an inconsistent state. It has + // pointers to an |X509| or |X509_CRL|, but has not bumped the refcount yet. + // For now, the caller is expected to fix this, but ideally we'd fix the + // |X509_LOOKUP| convention itself. return ctx->method->get_by_subject(ctx, type, name, ret) > 0; } 
@@ -162,42 +150,24 @@ static int x509_object_cmp_sk(const X509_OBJECT *const *a, } X509_STORE *X509_STORE_new(void) { - X509_STORE *ret; - - if ((ret = (X509_STORE *)OPENSSL_zalloc(sizeof(X509_STORE))) == NULL) { + X509_STORE *ret = OPENSSL_zalloc(sizeof(X509_STORE)); + if (ret == NULL) { return NULL; } + + ret->references = 1; CRYPTO_MUTEX_init(&ret->objs_lock); ret->objs = sk_X509_OBJECT_new(x509_object_cmp_sk); - if (ret->objs == NULL) { - goto err; - } ret->get_cert_methods = sk_X509_LOOKUP_new_null(); - if (ret->get_cert_methods == NULL) { - goto err; - } ret->param = X509_VERIFY_PARAM_new(); - if (ret->param == NULL) { - goto err; + if (ret->objs == NULL || + ret->get_cert_methods == NULL || + ret->param == NULL) { + X509_STORE_free(ret); + return NULL; } - ret->references = 1; return ret; -err: - if (ret) { - CRYPTO_MUTEX_cleanup(&ret->objs_lock); - if (ret->param) { - X509_VERIFY_PARAM_free(ret->param); - } - if (ret->get_cert_methods) { - sk_X509_LOOKUP_free(ret->get_cert_methods); - } - if (ret->objs) { - sk_X509_OBJECT_free(ret->objs); - } - OPENSSL_free(ret); - } - return NULL; } int X509_STORE_up_ref(X509_STORE *store) { @@ -205,26 +175,7 @@ int X509_STORE_up_ref(X509_STORE *store) { return 1; } -static void cleanup(X509_OBJECT *a) { - if (a == NULL) { - return; - } - if (a->type == X509_LU_X509) { - X509_free(a->data.x509); - } else if (a->type == X509_LU_CRL) { - X509_CRL_free(a->data.crl); - } else { - // abort(); - } - - OPENSSL_free(a); -} - void X509_STORE_free(X509_STORE *vfy) { - size_t j; - STACK_OF(X509_LOOKUP) *sk; - X509_LOOKUP *lu; - if (vfy == NULL) { return; } 
@@ -234,63 +185,41 @@ void X509_STORE_free(X509_STORE *vfy) { } CRYPTO_MUTEX_cleanup(&vfy->objs_lock); - - sk = vfy->get_cert_methods; - for (j = 0; j < sk_X509_LOOKUP_num(sk); j++) { - lu = sk_X509_LOOKUP_value(sk, j); - X509_LOOKUP_shutdown(lu); - X509_LOOKUP_free(lu); - } - sk_X509_LOOKUP_free(sk); - sk_X509_OBJECT_pop_free(vfy->objs, cleanup); - - if (vfy->param) { - X509_VERIFY_PARAM_free(vfy->param); - } + sk_X509_LOOKUP_pop_free(vfy->get_cert_methods, X509_LOOKUP_free); + sk_X509_OBJECT_pop_free(vfy->objs, X509_OBJECT_free); + X509_VERIFY_PARAM_free(vfy->param); OPENSSL_free(vfy); } -X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m) { - size_t i; - STACK_OF(X509_LOOKUP) *sk; - X509_LOOKUP *lu; - - sk = v->get_cert_methods; - for (i = 0; i < sk_X509_LOOKUP_num(sk); i++) { - lu = sk_X509_LOOKUP_value(sk, i); +X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, const X509_LOOKUP_METHOD *m) { + STACK_OF(X509_LOOKUP) *sk = v->get_cert_methods; + for (size_t i = 0; i < sk_X509_LOOKUP_num(sk); i++) { + X509_LOOKUP *lu = sk_X509_LOOKUP_value(sk, i); if (m == lu->method) { return lu; } } - // a new one - lu = X509_LOOKUP_new(m); - if (lu == NULL) { + + X509_LOOKUP *lu = X509_LOOKUP_new(m, v); + if (lu == NULL || !sk_X509_LOOKUP_push(v->get_cert_methods, lu)) { + X509_LOOKUP_free(lu); return NULL; - } else { - lu->store_ctx = v; - if (sk_X509_LOOKUP_push(v->get_cert_methods, lu)) { - return lu; - } else { - X509_LOOKUP_free(lu); - return NULL; - } } + + return lu; } -int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, - X509_OBJECT *ret) { +int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, + X509_OBJECT *ret) { X509_STORE *ctx = vs->ctx; - X509_LOOKUP *lu; - X509_OBJECT stmp, *tmp; - int i; - + X509_OBJECT stmp; CRYPTO_MUTEX_lock_write(&ctx->objs_lock); - tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); + X509_OBJECT *tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name); 
CRYPTO_MUTEX_unlock_write(&ctx->objs_lock); if (tmp == NULL || type == X509_LU_CRL) { - for (i = 0; i < (int)sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { - lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i); + for (size_t i = 0; i < sk_X509_LOOKUP_num(ctx->get_cert_methods); i++) { + X509_LOOKUP *lu = sk_X509_LOOKUP_value(ctx->get_cert_methods, i); if (X509_LOOKUP_by_subject(lu, type, name, &stmp)) { tmp = &stmp; break; @@ -301,13 +230,11 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, } } - // if (ret->data.ptr != NULL) X509_OBJECT_free_contents(ret); - + // TODO(crbug.com/boringssl/685): This should call + // |X509_OBJECT_free_contents|. ret->type = tmp->type; - ret->data.ptr = tmp->data.ptr; - + ret->data = tmp->data; X509_OBJECT_up_ref_count(ret); - return 1; } @@ -316,7 +243,7 @@ static int x509_store_add(X509_STORE *ctx, void *x, int is_crl) { return 0; } - X509_OBJECT *const obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + X509_OBJECT *const obj = X509_OBJECT_new(); if (obj == NULL) { return 0; } @@ -342,8 +269,7 @@ static int x509_store_add(X509_STORE *ctx, void *x, int is_crl) { CRYPTO_MUTEX_unlock_write(&ctx->objs_lock); if (!added) { - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); + X509_OBJECT_free(obj); } return ret; @@ -357,7 +283,19 @@ int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) { return x509_store_add(ctx, x, /*is_crl=*/1); } -int X509_OBJECT_up_ref_count(X509_OBJECT *a) { +X509_OBJECT *X509_OBJECT_new(void) { + return OPENSSL_zalloc(sizeof(X509_OBJECT)); +} + +void X509_OBJECT_free(X509_OBJECT *obj) { + if (obj == NULL) { + return; + } + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); +} + +static int X509_OBJECT_up_ref_count(X509_OBJECT *a) { switch (a->type) { case X509_LU_X509: X509_up_ref(a->data.x509); 
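Review bot: `X509_STORE_CTX_get_by_subject` overwrites `ret->type`/`ret->data` and takes a reference without releasing anything `ret` previously held, and the added TODO proposes calling `X509_OBJECT_free_contents` there; that is only safe if every caller passes a zeroed object, yet the callers visible in this diff (`X509_OBJECT xobj;` in `X509_STORE_CTX_get1_certs`/`get1_crls`, `X509_OBJECT obj` in `X509_STORE_CTX_get1_issuer`) leave the struct uninitialized, so the proposed free would act on garbage. Until the TODO is resolved, state the contract on the function: `// |ret| is overwritten without being released; callers must treat it as uninitialized output and free it with |X509_OBJECT_free_contents|.` Since `X509_OBJECT_free_contents` now zeroes the object after freeing, switching the callers to `X509_OBJECT xobj = {0};` would make the TODO's fix a one-line change. The function starts in the previous line and this is vendored BoringSSL, so route it upstream.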
@@ -378,6 +316,8 @@ void X509_OBJECT_free_contents(X509_OBJECT *a) { X509_CRL_free(a->data.crl); break; } + + OPENSSL_memset(a, 0, sizeof(X509_OBJECT)); } int X509_OBJECT_get_type(const X509_OBJECT *a) { return a->type; } @@ -434,13 +374,13 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, return (int)idx; } -int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, - X509_NAME *name) { +static int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, + X509_NAME *name) { return x509_object_idx_cnt(h, type, name, NULL); } -X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, - X509_NAME *name) { +static X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, + int type, X509_NAME *name) { int idx; idx = X509_OBJECT_idx_by_subject(h, type, name); if (idx == -1) { 
@@ -449,27 +389,43 @@ X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type, return sk_X509_OBJECT_value(h, idx); } -STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st) { - return st->objs; +static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj) { + X509_OBJECT *ret = X509_OBJECT_new(); + if (ret == NULL) { + return NULL; + } + ret->type = obj->type; + ret->data = obj->data; + X509_OBJECT_up_ref_count(ret); + return ret; } -STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { - int i, idx, cnt; - STACK_OF(X509) *sk; - X509 *x; - X509_OBJECT *obj; - sk = sk_X509_new_null(); +STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(X509_STORE *store) { + CRYPTO_MUTEX_lock_read(&store->objs_lock); + STACK_OF(X509_OBJECT) *ret = + sk_X509_OBJECT_deep_copy(store->objs, x509_object_dup, X509_OBJECT_free); + CRYPTO_MUTEX_unlock_read(&store->objs_lock); + return ret; +} + +STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) { + return store->objs; +} + +STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { + int cnt; + STACK_OF(X509) *sk = sk_X509_new_null(); if (sk == NULL) { return NULL; } CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock); - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); + int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt); if (idx < 0) { // Nothing found in cache: do lookup to possibly add new objects to // cache X509_OBJECT xobj; CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); - if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) { + if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, nm, &xobj)) { sk_X509_free(sk); return NULL; } 
@@ -482,9 +438,9 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { return NULL; } } - for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); - x = obj->data.x509; + for (int i = 0; i < cnt; i++, idx++) { + X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); + X509 *x = obj->data.x509; if (!sk_X509_push(sk, x)) { CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); sk_X509_pop_free(sk, X509_free); @@ -496,33 +452,32 @@ STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm) { return sk; } -STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) { - int i, idx, cnt; - STACK_OF(X509_CRL) *sk; - X509_CRL *x; - X509_OBJECT *obj, xobj; - sk = sk_X509_CRL_new_null(); +STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, + X509_NAME *nm) { + int cnt; + X509_OBJECT xobj; + STACK_OF(X509_CRL) *sk = sk_X509_CRL_new_null(); if (sk == NULL) { return NULL; } // Always do lookup to possibly add new CRLs to cache. - if (!X509_STORE_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) { + if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, &xobj)) { sk_X509_CRL_free(sk); return NULL; } X509_OBJECT_free_contents(&xobj); CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock); - idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); + int idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt); if (idx < 0) { CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); sk_X509_CRL_free(sk); return NULL; } - for (i = 0; i < cnt; i++, idx++) { - obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); - x = obj->data.crl; + for (int i = 0; i < cnt; i++, idx++) { + X509_OBJECT *obj = sk_X509_OBJECT_value(ctx->ctx->objs, idx); + X509_CRL *x = obj->data.crl; X509_CRL_up_ref(x); if (!sk_X509_CRL_push(sk, x)) { CRYPTO_MUTEX_unlock_write(&ctx->ctx->objs_lock); 
@@ -535,8 +490,8 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm) { return sk; } -X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, - X509_OBJECT *x) { +static X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, + X509_OBJECT *x) { sk_X509_OBJECT_sort(h); size_t idx; if (!sk_X509_OBJECT_find(h, &idx, x)) { @@ -565,28 +520,25 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, return NULL; } -// Try to get issuer certificate from store. Due to limitations of the API -// this can only retrieve a single certificate matching a given subject name. -// However it will fill the cache with all matching certificates, so we can -// examine the cache for all matches. Return values are: 1 lookup -// successful. 0 certificate not found. -1 some other error. -int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { +int X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx, + X509 *x) { X509_NAME *xn; X509_OBJECT obj, *pobj; int idx, ret; size_t i; xn = X509_get_issuer_name(x); - if (!X509_STORE_get_by_subject(ctx, X509_LU_X509, xn, &obj)) { + if (!X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509, xn, &obj)) { return 0; } // If certificate matches all OK - if (ctx->check_issued(ctx, x, obj.data.x509)) { - *issuer = obj.data.x509; + if (x509_check_issued_with_callback(ctx, x, obj.data.x509)) { + *out_issuer = obj.data.x509; return 1; } X509_OBJECT_free_contents(&obj); - // Else find index of first cert accepted by 'check_issued' + // Else find index of first cert accepted by + // |x509_check_issued_with_callback|. ret = 0; CRYPTO_MUTEX_lock_write(&ctx->ctx->objs_lock); idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn); 
@@ -602,8 +554,8 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) { break; } - if (ctx->check_issued(ctx, x, pobj->data.x509)) { - *issuer = pobj->data.x509; + if (x509_check_issued_with_callback(ctx, x, pobj->data.x509)) { + *out_issuer = pobj->data.x509; X509_OBJECT_up_ref_count(pobj); ret = 1; break; 
@@ -631,109 +583,17 @@ int X509_STORE_set_trust(X509_STORE *ctx, int trust) { return X509_VERIFY_PARAM_set_trust(ctx->param, trust); } -int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) { +int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *param) { return X509_VERIFY_PARAM_set1(ctx->param, param); } X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx) { return ctx->param; } -void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify) { - ctx->verify = verify; -} - -X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx) { - return ctx->verify; -} - void X509_STORE_set_verify_cb(X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb) { ctx->verify_cb = verify_cb; } -X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *ctx) { - return ctx->verify_cb; +X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx) { + return ctx->ctx; } - -void X509_STORE_set_get_issuer(X509_STORE *ctx, - X509_STORE_CTX_get_issuer_fn get_issuer) { - ctx->get_issuer = get_issuer; -} - -X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE *ctx) { - return ctx->get_issuer; -} - -void X509_STORE_set_check_issued(X509_STORE *ctx, - X509_STORE_CTX_check_issued_fn check_issued) { - ctx->check_issued = check_issued; -} - -X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *ctx) { - return ctx->check_issued; -} - -void X509_STORE_set_check_revocation( - X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation) { - ctx->check_revocation = check_revocation; -} - -X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation( - X509_STORE *ctx) { - return ctx->check_revocation; -} - -void X509_STORE_set_get_crl(X509_STORE *ctx, - X509_STORE_CTX_get_crl_fn get_crl) { - ctx->get_crl = get_crl; -} - -X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE *ctx) { - return ctx->get_crl; -} - -void X509_STORE_set_check_crl(X509_STORE *ctx, - X509_STORE_CTX_check_crl_fn 
check_crl) { - ctx->check_crl = check_crl; -} - -X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE *ctx) { - return ctx->check_crl; -} - -void X509_STORE_set_cert_crl(X509_STORE *ctx, - X509_STORE_CTX_cert_crl_fn cert_crl) { - ctx->cert_crl = cert_crl; -} - -X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE *ctx) { - return ctx->cert_crl; -} - -void X509_STORE_set_lookup_certs(X509_STORE *ctx, - X509_STORE_CTX_lookup_certs_fn lookup_certs) { - ctx->lookup_certs = lookup_certs; -} - -X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE *ctx) { - return ctx->lookup_certs; -} - -void X509_STORE_set_lookup_crls(X509_STORE *ctx, - X509_STORE_CTX_lookup_crls_fn lookup_crls) { - ctx->lookup_crls = lookup_crls; -} - -X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE *ctx) { - return ctx->lookup_crls; -} - -void X509_STORE_set_cleanup(X509_STORE *ctx, - X509_STORE_CTX_cleanup_fn ctx_cleanup) { - ctx->cleanup = ctx_cleanup; -} - -X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE *ctx) { - return ctx->cleanup; -} - -X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx) { return ctx->ctx; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_req.c b/Sources/CNIOBoringSSL/crypto/x509/x509_req.c index 88a9fa527..0ddf14efe 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_req.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_req.c 
@@ -76,45 +76,55 @@ X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req) { return req->req_info->subject; } -EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req) { - if ((req == NULL) || (req->req_info == NULL)) { +EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req) { + if (req == NULL) { return NULL; } - return (X509_PUBKEY_get(req->req_info->pubkey)); + return X509_PUBKEY_get(req->req_info->pubkey); } -int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) { - EVP_PKEY *xk = NULL; - int ok = 0; +EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req) { + if (req == NULL) { + return NULL; + } + return X509_PUBKEY_get0(req->req_info->pubkey); +} + +int X509_REQ_check_private_key(const X509_REQ *x, const EVP_PKEY *k) { + const EVP_PKEY *xk = X509_REQ_get0_pubkey(x); + if (xk == NULL) { + return 0; + } + + int ret = EVP_PKEY_cmp(xk, k); + if (ret > 0) { + return 1; + } - xk = X509_REQ_get_pubkey(x); - switch (EVP_PKEY_cmp(xk, k)) { - case 1: - ok = 1; - break; + switch (ret) { case 0: OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH); - break; + return 0; case -1: OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH); - break; + return 0; case -2: if (EVP_PKEY_id(k) == EVP_PKEY_EC) { OPENSSL_PUT_ERROR(X509, ERR_R_EC_LIB); - break; + } else { + OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE); } - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE); + return 0; } - EVP_PKEY_free(xk); - return ok; + return 0; } int X509_REQ_extension_nid(int req_nid) { return req_nid == NID_ext_req || req_nid == NID_ms_ext_req; } -STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) { +STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(const X509_REQ *req) { if (req == NULL || req->req_info == NULL) { return NULL; } 
@@ -127,8 +137,10 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) { return NULL; } - X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx); - ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type(attr, 0); + const X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx); + // TODO(davidben): |X509_ATTRIBUTE_get0_type| is not const-correct. It should + // take and return a const pointer. + const ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type((X509_ATTRIBUTE *)attr, 0); if (!ext || ext->type != V_ASN1_SEQUENCE) { return NULL; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_trs.c b/Sources/CNIOBoringSSL/crypto/x509/x509_trs.c index 365090872..f0ad6134e 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_trs.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_trs.c 
@@ -57,225 +57,78 @@ #include #include #include -#include +#include -#include "../x509v3/internal.h" +#include "../internal.h" #include "internal.h" -static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b); -static void trtable_free(X509_TRUST *p); +typedef struct x509_trust_st X509_TRUST; -static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags); -static int trust_1oid(X509_TRUST *trust, X509 *x, int flags); -static int trust_compat(X509_TRUST *trust, X509 *x, int flags); +struct x509_trust_st { + int trust; + int (*check_trust)(const X509_TRUST *, X509 *); + int nid; +} /* X509_TRUST */; -static int obj_trust(int id, X509 *x, int flags); +static int trust_1oidany(const X509_TRUST *trust, X509 *x); +static int trust_compat(const X509_TRUST *trust, X509 *x); -// WARNING: the following table should be kept in order of trust and without -// any gaps so we can just subtract the minimum trust value to get an index -// into the table +static int obj_trust(int id, X509 *x); -static X509_TRUST trstandard[] = { - {X509_TRUST_COMPAT, 0, trust_compat, (char *)"compatible", 0, NULL}, - {X509_TRUST_SSL_CLIENT, 0, trust_1oidany, (char *)"SSL Client", - NID_client_auth, NULL}, - {X509_TRUST_SSL_SERVER, 0, trust_1oidany, (char *)"SSL Server", - NID_server_auth, NULL}, - {X509_TRUST_EMAIL, 0, trust_1oidany, (char *)"S/MIME email", - NID_email_protect, NULL}, - {X509_TRUST_OBJECT_SIGN, 0, trust_1oidany, (char *)"Object Signer", - NID_code_sign, NULL}, - {X509_TRUST_OCSP_SIGN, 0, trust_1oid, (char *)"OCSP responder", - NID_OCSP_sign, NULL}, - {X509_TRUST_OCSP_REQUEST, 0, trust_1oid, (char *)"OCSP request", - NID_ad_OCSP, NULL}, - {X509_TRUST_TSA, 0, trust_1oidany, (char *)"TSA server", NID_time_stamp, - NULL}}; +static const X509_TRUST trstandard[] = { + {X509_TRUST_COMPAT, trust_compat, 0}, + {X509_TRUST_SSL_CLIENT, trust_1oidany, NID_client_auth}, + {X509_TRUST_SSL_SERVER, trust_1oidany, NID_server_auth}, + {X509_TRUST_EMAIL, trust_1oidany, 
NID_email_protect}, + {X509_TRUST_OBJECT_SIGN, trust_1oidany, NID_code_sign}, + {X509_TRUST_TSA, trust_1oidany, NID_time_stamp}}; -#define X509_TRUST_COUNT (sizeof(trstandard) / sizeof(X509_TRUST)) - -static STACK_OF(X509_TRUST) *trtable = NULL; - -static int tr_cmp(const X509_TRUST *const *a, const X509_TRUST *const *b) { - return (*a)->trust - (*b)->trust; +static const X509_TRUST *X509_TRUST_get0(int id) { + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(trstandard); i++) { + if (trstandard[i].trust == id) { + return &trstandard[i]; + } + } + return NULL; } int X509_check_trust(X509 *x, int id, int flags) { - X509_TRUST *pt; - int idx; if (id == -1) { - return 1; + return X509_TRUST_TRUSTED; } // We get this as a default value if (id == 0) { - int rv; - rv = obj_trust(NID_anyExtendedKeyUsage, x, 0); + int rv = obj_trust(NID_anyExtendedKeyUsage, x); if (rv != X509_TRUST_UNTRUSTED) { return rv; } - return trust_compat(NULL, x, 0); - } - idx = X509_TRUST_get_by_id(id); - if (idx == -1) { - return obj_trust(id, x, flags); - } - pt = X509_TRUST_get0(idx); - return pt->check_trust(pt, x, flags); -} - -int X509_TRUST_get_count(void) { - if (!trtable) { - return X509_TRUST_COUNT; - } - return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; -} - -X509_TRUST *X509_TRUST_get0(int idx) { - if (idx < 0) { - return NULL; - } - if (idx < (int)X509_TRUST_COUNT) { - return trstandard + idx; - } - return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); -} - -int X509_TRUST_get_by_id(int id) { - X509_TRUST tmp; - size_t idx; - - if ((id >= X509_TRUST_MIN) && (id <= X509_TRUST_MAX)) { - return id - X509_TRUST_MIN; - } - tmp.trust = id; - if (!trtable) { - return -1; - } - if (!sk_X509_TRUST_find(trtable, &idx, &tmp)) { - return -1; - } - return idx + X509_TRUST_COUNT; -} - -int X509_TRUST_set(int *t, int trust) { - if (X509_TRUST_get_by_id(trust) == -1) { - OPENSSL_PUT_ERROR(X509, X509_R_INVALID_TRUST); - return 0; - } - *t = trust; - return 1; -} - -int X509_TRUST_add(int id, int 
flags, int (*ck)(X509_TRUST *, X509 *, int), - const char *name, int arg1, void *arg2) { - int idx; - X509_TRUST *trtmp; - char *name_dup; - - // This is set according to what we change: application can't set it - flags &= ~X509_TRUST_DYNAMIC; - // This will always be set for application modified trust entries - flags |= X509_TRUST_DYNAMIC_NAME; - // Get existing entry if any - idx = X509_TRUST_get_by_id(id); - // Need a new entry - if (idx == -1) { - if (!(trtmp = OPENSSL_malloc(sizeof(X509_TRUST)))) { - return 0; - } - trtmp->flags = X509_TRUST_DYNAMIC; - } else { - trtmp = X509_TRUST_get0(idx); + return trust_compat(NULL, x); } - - // Duplicate the supplied name. - name_dup = OPENSSL_strdup(name); - if (name_dup == NULL) { - if (idx == -1) { - OPENSSL_free(trtmp); - } - return 0; - } - - // OPENSSL_free existing name if dynamic - if (trtmp->flags & X509_TRUST_DYNAMIC_NAME) { - OPENSSL_free(trtmp->name); + const X509_TRUST *pt = X509_TRUST_get0(id); + if (pt == NULL) { + // Unknown trust IDs are silently reintrepreted as NIDs. This is unreachable + // from the certificate verifier itself, but wpa_supplicant relies on it. + // Note this relies on commonly-used NIDs and trust IDs not colliding. + return obj_trust(id, x); } - trtmp->name = name_dup; - // Keep the dynamic flag of existing entry - trtmp->flags &= X509_TRUST_DYNAMIC; - // Set all other flags - trtmp->flags |= flags; - - trtmp->trust = id; - trtmp->check_trust = ck; - trtmp->arg1 = arg1; - trtmp->arg2 = arg2; - - // If its a new entry manage the dynamic table - if (idx == -1) { - // TODO(davidben): This should be locked. Alternatively, remove the dynamic - // registration mechanism entirely. The trouble is there no way to pass in - // the various parameters into an |X509_VERIFY_PARAM| directly. You can only - // register it in the global table and get an ID. 
- if (!trtable && !(trtable = sk_X509_TRUST_new(tr_cmp))) { - trtable_free(trtmp); - return 0; - } - if (!sk_X509_TRUST_push(trtable, trtmp)) { - trtable_free(trtmp); - return 0; - } - sk_X509_TRUST_sort(trtable); - } - return 1; + return pt->check_trust(pt, x); } -static void trtable_free(X509_TRUST *p) { - if (!p) { - return; - } - if (p->flags & X509_TRUST_DYNAMIC) { - if (p->flags & X509_TRUST_DYNAMIC_NAME) { - OPENSSL_free(p->name); - } - OPENSSL_free(p); - } -} - -void X509_TRUST_cleanup(void) { - unsigned int i; - for (i = 0; i < X509_TRUST_COUNT; i++) { - trtable_free(trstandard + i); - } - sk_X509_TRUST_pop_free(trtable, trtable_free); - trtable = NULL; +int X509_is_valid_trust_id(int trust) { + return X509_TRUST_get0(trust) != NULL; } -int X509_TRUST_get_flags(const X509_TRUST *xp) { return xp->flags; } - -char *X509_TRUST_get0_name(const X509_TRUST *xp) { return xp->name; } - -int X509_TRUST_get_trust(const X509_TRUST *xp) { return xp->trust; } - -static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { +static int trust_1oidany(const X509_TRUST *trust, X509 *x) { if (x->aux && (x->aux->trust || x->aux->reject)) { - return obj_trust(trust->arg1, x, flags); + return obj_trust(trust->nid, x); } // we don't have any trust settings: for compatibility we return trusted // if it is self signed - return trust_compat(trust, x, flags); -} - -static int trust_1oid(X509_TRUST *trust, X509 *x, int flags) { - if (x->aux) { - return obj_trust(trust->arg1, x, flags); - } - return X509_TRUST_UNTRUSTED; + return trust_compat(trust, x); } -static int trust_compat(X509_TRUST *trust, X509 *x, int flags) { +static int trust_compat(const X509_TRUST *trust, X509 *x) { if (!x509v3_cache_extensions(x)) { return X509_TRUST_UNTRUSTED; } 
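Review bot: `X509_check_trust` still takes `int flags` but the new body never reads it, and the fallback `return obj_trust(id, x);` silently treats any trust ID that is not in `trstandard` as a NID, which the new comment itself flags as relying on the two namespaces not colliding. The rebuilt table also no longer carries the OCSP responder and OCSP request entries the deleted table had, so if those trust constants are still defined in the public header a caller passing one now takes the NID reinterpretation path and `X509_is_valid_trust_id` reports it as invalid. A comment on `X509_is_valid_trust_id`, e.g. `// Only IDs present in |trstandard| are valid; other trust constants that still exist in the header are rejected here.`, would make that explicit. Separately, "reintrepreted" in the new comment should read "reinterpreted".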
@@ -286,28 +139,21 @@ static int trust_compat(X509_TRUST *trust, X509 *x, int flags) { } } -static int obj_trust(int id, X509 *x, int flags) { - ASN1_OBJECT *obj; - size_t i; - X509_CERT_AUX *ax; - ax = x->aux; +static int obj_trust(int id, X509 *x) { + X509_CERT_AUX *ax = x->aux; if (!ax) { return X509_TRUST_UNTRUSTED; } - if (ax->reject) { - for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { - obj = sk_ASN1_OBJECT_value(ax->reject, i); - if (OBJ_obj2nid(obj) == id) { - return X509_TRUST_REJECTED; - } + for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { + const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->reject, i); + if (OBJ_obj2nid(obj) == id) { + return X509_TRUST_REJECTED; } } - if (ax->trust) { - for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { - obj = sk_ASN1_OBJECT_value(ax->trust, i); - if (OBJ_obj2nid(obj) == id) { - return X509_TRUST_TRUSTED; - } + for (size_t i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { + const ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ax->trust, i); + if (OBJ_obj2nid(obj) == id) { + return X509_TRUST_TRUSTED; } } return X509_TRUST_UNTRUSTED; diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_v3.c b/Sources/CNIOBoringSSL/crypto/x509/x509_v3.c index 158446aa2..744761de9 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_v3.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_v3.c @@ -60,7 +60,6 @@ #include #include #include -#include #include "internal.h" diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_vfy.c b/Sources/CNIOBoringSSL/crypto/x509/x509_vfy.c index 2cfe487a6..7e806d685 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509_vfy.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_vfy.c @@ -55,6 +55,7 @@ * [including the GNU Public Licence.] */ #include +#include #include #include @@ -65,10 +66,8 @@ #include #include #include -#include #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" static CRYPTO_EX_DATA_CLASS g_ex_data_class = 
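Review bot: The `if (ax->reject)` and `if (ax->trust)` guards are gone, so `obj_trust` now depends on `sk_ASN1_OBJECT_num` returning 0 for a NULL stack whenever the aux structure has no reject or trust list. That is how BoringSSL's stack helpers behave, but nothing in the function says so, and a reader may either re-add the guards or assume the lists are always present; a comment such as `// |ax->reject| and |ax->trust| may be NULL; sk_*_num treats a NULL stack as empty.` above the first loop would settle it.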
@@ -77,44 +76,31 @@ static CRYPTO_EX_DATA_CLASS g_ex_data_class = // CRL score values // No unhandled critical extensions - #define CRL_SCORE_NOCRITICAL 0x100 // certificate is within CRL scope - #define CRL_SCORE_SCOPE 0x080 // CRL times valid - #define CRL_SCORE_TIME 0x040 // Issuer name matches certificate - #define CRL_SCORE_ISSUER_NAME 0x020 // If this score or above CRL is probably valid - #define CRL_SCORE_VALID \ (CRL_SCORE_NOCRITICAL | CRL_SCORE_TIME | CRL_SCORE_SCOPE) // CRL issuer is certificate issuer - #define CRL_SCORE_ISSUER_CERT 0x018 // CRL issuer is on certificate path - #define CRL_SCORE_SAME_PATH 0x008 // CRL issuer matches CRL AKID - #define CRL_SCORE_AKID 0x004 -// Have a delta CRL with valid times - -#define CRL_SCORE_TIME_DELTA 0x002 - static int null_callback(int ok, X509_STORE_CTX *e); -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); 
@@ -124,19 +110,15 @@ static int check_revocation(X509_STORE_CTX *ctx); static int check_cert(X509_STORE_CTX *ctx); static int check_policy(X509_STORE_CTX *ctx); -static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, X509_CRL *crl, X509 *x); -static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, +static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x); +static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl, X509 *x); -static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, - X509_CRL *base, STACK_OF(X509_CRL) *crls); -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, - int *pcrl_score); -static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons); -static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); -static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path); +static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x); +static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score); +static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score); +static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl); +static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); static int internal_verify(X509_STORE_CTX *ctx); 
@@ -153,14 +135,24 @@ static int cert_self_signed(X509 *x, int *out_is_self_signed) { return 1; } -// Given a certificate try and find an exact match in the store +static int call_verify_cb(int ok, X509_STORE_CTX *ctx) { + ok = ctx->verify_cb(ok, ctx); + // Historically, callbacks returning values like -1 would be treated as a mix + // of success or failure. Insert that callers check correctly. + // + // TODO(davidben): Also use this wrapper to constrain which errors may be + // suppressed, and ensure all |verify_cb| calls remember to fill in an error. + BSSL_CHECK(ok == 0 || ok == 1); + return ok; +} +// Given a certificate try and find an exact match in the store static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) { STACK_OF(X509) *certs; X509 *xtmp = NULL; size_t i; // Lookup all certs with matching subject name - certs = ctx->lookup_certs(ctx, X509_get_subject_name(x)); + certs = X509_STORE_CTX_get1_certs(ctx, X509_get_subject_name(x)); if (certs == NULL) { return NULL; } 
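Review bot: `BSSL_CHECK(ok == 0 || ok == 1)` in the new `call_verify_cb` aborts the process when a verification callback returns any other value, where the previous code fed the raw value into `if (!ok)` tests; for a vendored library this is an application-visible change that the commit description's note on API breaks does not mention. The comment above it also reads "Insert that callers check correctly", where "Assert" appears to be meant. Consider stating the contract at the wrapper, e.g. `// |verify_cb| must return exactly 0 or 1; any other value is a caller bug and aborts.`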
@@ -181,24 +173,35 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x) { } int X509_verify_cert(X509_STORE_CTX *ctx) { - X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; + X509 *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; - int depth, i, ok = 0; - int num, j, retry, trust; + int i, ok = 0; + int j, retry, trust; STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) { OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); ctx->error = X509_V_ERR_INVALID_CALL; - return -1; + return 0; } + if (ctx->chain != NULL) { // This X509_STORE_CTX has already been used to verify a cert. We // cannot do another one. OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); ctx->error = X509_V_ERR_INVALID_CALL; - return -1; + return 0; + } + + if (ctx->param->flags & + (X509_V_FLAG_EXTENDED_CRL_SUPPORT | X509_V_FLAG_USE_DELTAS)) { + // We do not support indirect or delta CRLs. The flags still exist for + // compatibility with bindings libraries, but to ensure we do not + // inadvertently skip a CRL check that the caller expects, fail closed. + OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return 0; } // first we make sure the chain we are going to build is present and that 
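Review bot: The two invalid-call paths now `return 0` instead of `-1`, so a caller that told misuse (`ret < 0`) apart from verification failure (`ret == 0`) loses that signal and has to read `ctx->error == X509_V_ERR_INVALID_CALL` instead; that is a reasonable contract but belongs in the vendoring notes alongside the other API breaks. As a point of style, the new flags check reads `ctx->param->flags` although the function has already bound `param = ctx->param` a few lines earlier; `if (param->flags & (X509_V_FLAG_EXTENDED_CRL_SUPPORT | X509_V_FLAG_USE_DELTAS))` would match the surrounding code. The fail-closed rejection of the unsupported CRL flags is the right call. `X509_verify_cert` continues past the end of this hunk.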
@@ -217,17 +220,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { goto end; } - num = (int)sk_X509_num(ctx->chain); - x = sk_X509_value(ctx->chain, num - 1); - depth = param->depth; + int num = (int)sk_X509_num(ctx->chain); + X509 *x = sk_X509_value(ctx->chain, num - 1); + // |param->depth| does not include the leaf certificate or the trust anchor, + // so the maximum size is 2 more. + int max_chain = param->depth >= INT_MAX - 2 ? INT_MAX : param->depth + 2; for (;;) { - // If we have enough, we break - if (depth < num) { - break; // FIXME: If this happens, we should take - // note of it and, if appropriate, use the - // X509_V_ERR_CERT_CHAIN_TOO_LONG error code - // later. + if (num >= max_chain) { + // FIXME: If this happens, we should take note of it and, if appropriate, + // use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later. + break; } int is_self_signed; 
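Review bot: `max_chain` now has a proper overflow guard, but when the limit is reached the loop still only breaks and the FIXME stays, so the error the caller eventually sees comes from whatever the later issuer lookup reports rather than `X509_V_ERR_CERT_CHAIN_TOO_LONG`. From the visible lines a caller cannot distinguish a depth-limit stop from a genuinely missing issuer. Short of fixing it, the FIXME could at least say what the caller currently observes, e.g. `// FIXME: a chain cut off here is later reported as a missing issuer, not as X509_V_ERR_CERT_CHAIN_TOO_LONG.` `X509_verify_cert` starts and ends outside this hunk.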
@@ -242,32 +245,26 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { } // If asked see if we can find issuer in trusted store first if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) { - ok = ctx->get_issuer(&xtmp, ctx, x); - if (ok < 0) { - ctx->error = X509_V_ERR_STORE_LOOKUP; - goto end; - } - // If successful for now free up cert so it will be picked up - // again later. - if (ok > 0) { - X509_free(xtmp); + X509 *issuer = get_trusted_issuer(ctx, x); + if (issuer != NULL) { + // Free the certificate. It will be picked up again later. + X509_free(issuer); break; } } // If we were passed a cert chain, use it first if (sktmp != NULL) { - xtmp = find_issuer(ctx, sktmp, x); - if (xtmp != NULL) { - if (!sk_X509_push(ctx->chain, xtmp)) { + X509 *issuer = find_issuer(ctx, sktmp, x); + if (issuer != NULL) { + if (!sk_X509_push(ctx->chain, issuer)) { ctx->error = X509_V_ERR_OUT_OF_MEM; - ok = 0; goto end; } - X509_up_ref(xtmp); - (void)sk_X509_delete_ptr(sktmp, xtmp); + X509_up_ref(issuer); + (void)sk_X509_delete_ptr(sktmp, issuer); ctx->last_untrusted++; - x = xtmp; + x = issuer; num++; // reparse the full chain for the next one continue; 
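Review bot: Replacing `ctx->get_issuer` with `get_trusted_issuer` reduces the old three-way result to a pointer, so the `ok < 0` branch that set `X509_V_ERR_STORE_LOOKUP` and aborted is gone and a failed store lookup is now treated exactly like "no issuer found", letting the chain walk continue. The same substitution appears in the hunks headed `-299`, `-343` and `-379` of this file. Verification still fails closed, but if `X509_STORE_CTX_get1_issuer` can report an error distinct from not-found, that error is now surfaced as `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`; if folding the two together is intended, a comment on `get_trusted_issuer` such as `// Lookup errors are deliberately treated as "no issuer"; the caller reports a missing issuer.` would say so. `X509_verify_cert` begins and ends outside this hunk.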
@@ -299,24 +296,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { // We have a single self signed certificate: see if we can // find it in the store. We must have an exact match to avoid // possible impersonation. - ok = ctx->get_issuer(&xtmp, ctx, x); - if ((ok <= 0) || X509_cmp(x, xtmp)) { + X509 *issuer = get_trusted_issuer(ctx, x); + if (issuer == NULL || X509_cmp(x, issuer) != 0) { + X509_free(issuer); ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; ctx->current_cert = x; ctx->error_depth = i - 1; - if (ok == 1) { - X509_free(xtmp); - } bad_chain = 1; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { goto end; } } else { // We have a match: replace certificate with store // version so we get any trust settings. X509_free(x); - x = xtmp; + x = issuer; (void)sk_X509_set(ctx->chain, i - 1, x); ctx->last_untrusted = 0; } @@ -331,8 +325,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { } // We now lookup certs from the certificate store for (;;) { - // If we have enough, we break - if (depth < num) { + if (num >= max_chain) { + // FIXME: If this happens, we should take note of it and, if + // appropriate, use the X509_V_ERR_CERT_CHAIN_TOO_LONG error code later. break; } if (!cert_self_signed(x, &is_self_signed)) { @@ -343,20 +338,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { if (is_self_signed) { break; } - ok = ctx->get_issuer(&xtmp, ctx, x); - - if (ok < 0) { - ctx->error = X509_V_ERR_STORE_LOOKUP; - goto end; - } - if (ok == 0) { + X509 *issuer = get_trusted_issuer(ctx, x); + if (issuer == NULL) { break; } - x = xtmp; + x = issuer; if (!sk_X509_push(ctx->chain, x)) { - X509_free(xtmp); + X509_free(issuer); ctx->error = X509_V_ERR_OUT_OF_MEM; - ok = 0; goto end; } num++; @@ -367,7 +356,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { // If explicitly rejected error if (trust == X509_TRUST_REJECTED) { - ok = 0; goto end; } // If it's not explicitly trusted then check if there is an alternative 
@@ -379,21 +367,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { while (j-- > 1) { - xtmp2 = sk_X509_value(ctx->chain, j - 1); - ok = ctx->get_issuer(&xtmp, ctx, xtmp2); - if (ok < 0) { - goto end; - } + X509 *issuer = + get_trusted_issuer(ctx, sk_X509_value(ctx->chain, j - 1)); // Check if we found an alternate chain - if (ok > 0) { + if (issuer != NULL) { // Free up the found cert we'll add it again later - X509_free(xtmp); + X509_free(issuer); // Dump all the certs above this point - we've found an // alternate chain while (num > j) { - xtmp = sk_X509_pop(ctx->chain); - X509_free(xtmp); + X509_free(sk_X509_pop(ctx->chain)); num--; } ctx->last_untrusted = (int)sk_X509_num(ctx->chain); @@ -408,7 +392,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { // self signed certificate in which case we've indicated an error already // and set bad_chain == 1 if (trust != X509_TRUST_TRUSTED && !bad_chain) { - if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) { + if (chain_ss == NULL || + !x509_check_issued_with_callback(ctx, x, chain_ss)) { if (ctx->last_untrusted >= num) { ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; } else { @@ -416,7 +401,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { } ctx->current_cert = x; } else { - sk_X509_push(ctx->chain, chain_ss); + if (!sk_X509_push(ctx->chain, chain_ss)) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto end; + } num++; ctx->last_untrusted = num; ctx->current_cert = chain_ss; 
@@ -426,63 +414,33 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { ctx->error_depth = num - 1; bad_chain = 1; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { goto end; } } // We have the chain complete: now we need to check its purpose - ok = check_chain_extensions(ctx); - - if (!ok) { - goto end; - } - - ok = check_id(ctx); - - if (!ok) { - goto end; - } - - // Check revocation status: we do this after copying parameters because - // they may be needed for CRL signature verification. - ok = ctx->check_revocation(ctx); - if (!ok) { - goto end; - } - - // At this point, we have a chain and need to verify it - if (ctx->verify != NULL) { - ok = ctx->verify(ctx); - } else { - ok = internal_verify(ctx); - } - if (!ok) { - goto end; - } - - // Check name constraints - ok = check_name_constraints(ctx); - if (!ok) { + if (!check_chain_extensions(ctx) || // + !check_id(ctx) || + // We check revocation status after copying parameters because they may be + // needed for CRL signature verification. + !check_revocation(ctx) || // + !internal_verify(ctx) || // + !check_name_constraints(ctx) || + // TODO(davidben): Does |check_policy| still need to be conditioned on + // |!bad_chain|? DoS concerns have been resolved. + (!bad_chain && !check_policy(ctx))) { goto end; } - // If we get this far, evaluate policies. - if (!bad_chain) { - ok = ctx->check_policy(ctx); - } + ok = 1; end: - if (sktmp != NULL) { - sk_X509_free(sktmp); - } - if (chain_ss != NULL) { - X509_free(chain_ss); - } + sk_X509_free(sktmp); + X509_free(chain_ss); // Safety net, error returns must set ctx->error - if (ok <= 0 && ctx->error == X509_V_OK) { + if (!ok && ctx->error == X509_V_OK) { ctx->error = X509_V_ERR_UNSPECIFIED; } return ok; 
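Review bot: `(!bad_chain && !check_policy(ctx))` keeps policy evaluation conditional on no callback-overridden failure having occurred, so a permissive `verify_cb` that accepts a bad chain also causes every policy constraint to be skipped; the adjacent TODO says the original DoS motivation is gone, which leaves the guard looking accidental rather than deliberate. Either drop the `!bad_chain` guard now or replace the TODO with a definite rule for why policies are not evaluated on overridden chains, so the next reader does not have to guess. The `// ` trailers used to keep clang-format from joining the conditions are a small readability cost that a short helper returning the conjunction would avoid. `X509_verify_cert` starts outside this hunk.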
@@ -495,7 +453,7 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { X509 *issuer; for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - if (ctx->check_issued(ctx, x, issuer)) { + if (x509_check_issued_with_callback(ctx, x, issuer)) { return issuer; } } @@ -504,7 +462,8 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { // Given a possible certificate and issuer check them -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { +int x509_check_issued_with_callback(X509_STORE_CTX *ctx, X509 *x, + X509 *issuer) { int ret; ret = X509_check_issued(issuer, x); if (ret == X509_V_OK) { 
@@ -517,31 +476,32 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) { ctx->error = ret; ctx->current_cert = x; - ctx->current_issuer = issuer; - return ctx->verify_cb(0, ctx); + return call_verify_cb(0, ctx); } -// Alternative lookup method: look from a STACK stored in other_ctx +static X509 *get_trusted_issuer(X509_STORE_CTX *ctx, X509 *x) { + X509 *issuer; + if (ctx->trusted_stack != NULL) { + // Ignore the store and use the configured stack instead. + issuer = find_issuer(ctx, ctx->trusted_stack, x); + if (issuer != NULL) { + X509_up_ref(issuer); + } + return issuer; + } -static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { - *issuer = find_issuer(ctx, ctx->other_ctx, x); - if (*issuer) { - X509_up_ref(*issuer); - return 1; - } else { - return 0; + if (!X509_STORE_CTX_get1_issuer(&issuer, ctx, x)) { + return NULL; } + return issuer; } // Check a certificate chains extensions for consistency with the supplied // purpose static int check_chain_extensions(X509_STORE_CTX *ctx) { - int ok = 0, plen = 0; - - // If |ctx->parent| is set, this is CRL path validation. - int purpose = - ctx->parent == NULL ? ctx->param->purpose : X509_PURPOSE_CRL_SIGN; + int plen = 0; + int purpose = ctx->param->purpose; // Check all untrusted certificates for (int i = 0; i < ctx->last_untrusted; i++) { @@ -551,9 +511,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } @@ -562,9 +521,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_INVALID_CA; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } if (ctx->param->purpose > 0 && 
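Review bot: `get_trusted_issuer` hands back an owned reference on both paths, via `X509_up_ref` on the trusted-stack branch and the `get1` semantics of `X509_STORE_CTX_get1_issuer` on the store branch, but nothing at the function says so and every caller must `X509_free` the result or push it into a stack that owns it. A header comment, e.g. `// get_trusted_issuer returns a newly-referenced issuer of |x| from the trusted stack or the store, or NULL if none is found. The caller takes ownership.`, would make the contract explicit. Removing `ctx->current_issuer = issuer;` from `x509_check_issued_with_callback` also means the verify callback no longer sees the candidate issuer on the context; if a public accessor for it still exists in this vendored copy, callers relying on it should be checked. `check_chain_extensions` continues past the end of this hunk.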
@@ -572,9 +530,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } // Check pathlen if not self issued @@ -583,9 +540,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } // Increment path length if not self issued @@ -593,9 +549,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { plen++; } } - ok = 1; -end: - return ok; + + return 1; } static int reject_dns_name_in_common_name(X509 *x509) { @@ -653,7 +608,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) { ctx->error = rv; ctx->error_depth = i; ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } break; @@ -685,7 +640,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) { ctx->error = rv; ctx->error_depth = i; ctx->current_cert = leaf; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } break; @@ -699,7 +654,7 @@ static int check_id_error(X509_STORE_CTX *ctx, int errcode) { ctx->error = errcode; ctx->current_cert = ctx->cert; ctx->error_depth = 0; - return ctx->verify_cb(0, ctx); + return call_verify_cb(0, ctx); } static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) { 
@@ -707,14 +662,9 @@ static int check_hosts(X509 *x, X509_VERIFY_PARAM *param) { size_t n = sk_OPENSSL_STRING_num(param->hosts); char *name; - if (param->peername != NULL) { - OPENSSL_free(param->peername); - param->peername = NULL; - } for (i = 0; i < n; ++i) { name = sk_OPENSSL_STRING_value(param->hosts, i); - if (X509_check_host(x, name, strlen(name), param->hostflags, - ¶m->peername) > 0) { + if (X509_check_host(x, name, strlen(name), param->hostflags, NULL) > 0) { return 1; } } @@ -748,24 +698,22 @@ static int check_id(X509_STORE_CTX *ctx) { } static int check_trust(X509_STORE_CTX *ctx) { - int ok; X509 *x = NULL; // Check all trusted certificates in chain for (size_t i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); - ok = X509_check_trust(x, ctx->param->trust, 0); + int trust = X509_check_trust(x, ctx->param->trust, 0); // If explicitly trusted return trusted - if (ok == X509_TRUST_TRUSTED) { + if (trust == X509_TRUST_TRUSTED) { return X509_TRUST_TRUSTED; } // If explicitly rejected notify callback and reject if not // overridden. - if (ok == X509_TRUST_REJECTED) { + if (trust == X509_TRUST_REJECTED) { ctx->error_depth = (int)i; ctx->current_cert = x; ctx->error = X509_V_ERR_CERT_REJECTED; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { return X509_TRUST_REJECTED; } } 
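Review bot: `check_hosts` now passes `NULL` as the peername out-parameter to `X509_check_host`, so the matched host name is no longer recorded on `param` after a successful verification, and the lines that cleared the previous value are gone with it. If the public accessor for the matched peer name still exists in this vendored copy, it will now always be empty after `X509_verify_cert`, and callers that logged or enforced the matched name should be audited. A comment at the call, e.g. `// The matched name is not recorded; callers that need it re-run X509_check_host.`, would document the new contract.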
@@ -800,96 +748,53 @@ static int check_revocation(X509_STORE_CTX *ctx) { if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) { last = (int)sk_X509_num(ctx->chain) - 1; } else { - // If checking CRL paths this isn't the EE certificate - if (ctx->parent) { - return 1; - } last = 0; } for (int i = 0; i <= last; i++) { ctx->error_depth = i; - int ok = check_cert(ctx); - if (!ok) { - return ok; + if (!check_cert(ctx)) { + return 0; } } return 1; } static int check_cert(X509_STORE_CTX *ctx) { - X509_CRL *crl = NULL, *dcrl = NULL; - X509 *x; - int ok = 0, cnum; - unsigned int last_reasons; - cnum = ctx->error_depth; - x = sk_X509_value(ctx->chain, cnum); + X509_CRL *crl = NULL; + int ok = 0, cnum = ctx->error_depth; + X509 *x = sk_X509_value(ctx->chain, cnum); ctx->current_cert = x; - ctx->current_issuer = NULL; + ctx->current_crl_issuer = NULL; ctx->current_crl_score = 0; - ctx->current_reasons = 0; - while (ctx->current_reasons != CRLDP_ALL_REASONS) { - last_reasons = ctx->current_reasons; - // Try to retrieve relevant CRL - if (ctx->get_crl) { - ok = ctx->get_crl(ctx, &crl, x); - } else { - ok = get_crl_delta(ctx, &crl, &dcrl, x); - } - // If error looking up CRL, nothing we can do except notify callback - if (!ok) { - ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; - ok = ctx->verify_cb(0, ctx); - goto err; - } - ctx->current_crl = crl; - ok = ctx->check_crl(ctx, crl); - if (!ok) { - goto err; - } - if (dcrl) { - ok = ctx->check_crl(ctx, dcrl); - if (!ok) { - goto err; - } - ok = ctx->cert_crl(ctx, dcrl, x); - if (!ok) { - goto err; - } - } else { - ok = 1; - } - - // Don't look in full CRL if delta reason is removefromCRL - if (ok != 2) { - ok = ctx->cert_crl(ctx, crl, x); - if (!ok) { - goto err; - } - } + // Try to retrieve the relevant CRL. Note that |get_crl| sets + // |current_crl_issuer| and |current_crl_score|, which |check_crl| then reads. 
+ // + // TODO(davidben): The awkward internal calling convention is a historical + // artifact of when these functions were user-overridable callbacks, even + // though there was no way to set them correctly. These callbacks have since + // been removed, so we can pass input and output parameters more directly. + if (!get_crl(ctx, &crl, x)) { + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; + ok = call_verify_cb(0, ctx); + goto err; + } - X509_CRL_free(crl); - X509_CRL_free(dcrl); - crl = NULL; - dcrl = NULL; - // If reasons not updated we wont get anywhere by another iteration, - // so exit loop. - if (last_reasons == ctx->current_reasons) { - ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; - ok = ctx->verify_cb(0, ctx); - goto err; - } + ctx->current_crl = crl; + if (!check_crl(ctx, crl) || // + !cert_crl(ctx, crl, x)) { + goto err; } + + ok = 1; + err: X509_CRL_free(crl); - X509_CRL_free(dcrl); - ctx->current_crl = NULL; return ok; } // Check CRL times against values in X509_STORE_CTX - static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { if (ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) { return 1; @@ -911,7 +816,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 0; } ctx->error = X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -921,7 +826,7 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 0; } ctx->error = X509_V_ERR_CRL_NOT_YET_VALID; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } 
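Review bot: The `err:` path in `check_cert` frees `crl` but no longer resets `ctx->current_crl`, which the removed line used to clear, so after the function returns `ctx->current_crl` points at freed memory until the next `check_cert` call overwrites it. Unless every reader of `current_crl` is confined to the `verify_cb` invocations that run before the free, that is a dangling pointer reachable through the context; restoring `ctx->current_crl = NULL;` before `return ok;` costs nothing. The failure path `ok = call_verify_cb(0, ctx); goto err;` also still allows a permissive callback to turn a missing CRL into success, which is pre-existing but now easy to miss in the shortened function and deserves a one-line comment.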
@@ -934,17 +839,16 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 0; } ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } - // Ignore expiry of base CRL is delta is valid - if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) { + if (i < 0) { if (!notify) { return 0; } ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -957,20 +861,16 @@ static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) { return 1; } -static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, - X509 **pissuer, int *pscore, unsigned int *preasons, - STACK_OF(X509_CRL) *crls) { +static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer, + int *pscore, STACK_OF(X509_CRL) *crls) { int crl_score, best_score = *pscore; - size_t i; - unsigned int reasons, best_reasons = 0; X509 *x = ctx->current_cert; - X509_CRL *crl, *best_crl = NULL; + X509_CRL *best_crl = NULL; X509 *crl_issuer = NULL, *best_crl_issuer = NULL; - for (i = 0; i < sk_X509_CRL_num(crls); i++) { - crl = sk_X509_CRL_value(crls, i); - reasons = *preasons; - crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); + for (size_t i = 0; i < sk_X509_CRL_num(crls); i++) { + X509_CRL *crl = sk_X509_CRL_value(crls, i); + crl_score = get_crl_score(ctx, &crl_issuer, crl, x); if (crl_score < best_score || crl_score == 0) { continue; } @@ -990,7 +890,6 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, best_crl = crl; best_crl_issuer = crl_issuer; best_score = crl_score; - best_reasons = reasons; } if (best_crl) { 
@@ -1000,13 +899,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, *pcrl = best_crl; *pissuer = best_crl_issuer; *pscore = best_score; - *preasons = best_reasons; X509_CRL_up_ref(best_crl); - if (*pdcrl) { - X509_CRL_free(*pdcrl); - *pdcrl = NULL; - } - get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); } if (best_score >= CRL_SCORE_VALID) { 
@@ -1016,119 +909,12 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, return 0; } -// Compare two CRL extensions for delta checking purposes. They should be -// both present or both absent. If both present all fields must be identical. - -static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) { - const ASN1_OCTET_STRING *exta, *extb; - int i; - i = X509_CRL_get_ext_by_NID(a, nid, -1); - if (i >= 0) { - // Can't have multiple occurrences - if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) { - return 0; - } - exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); - } else { - exta = NULL; - } - - i = X509_CRL_get_ext_by_NID(b, nid, -1); - - if (i >= 0) { - if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) { - return 0; - } - extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); - } else { - extb = NULL; - } - - if (!exta && !extb) { - return 1; - } - - if (!exta || !extb) { - return 0; - } - - if (ASN1_OCTET_STRING_cmp(exta, extb)) { - return 0; - } - - return 1; -} - -// See if a base and delta are compatible - -static int check_delta_base(X509_CRL *delta, X509_CRL *base) { - // Delta CRL must be a delta - if (!delta->base_crl_number) { - return 0; - } - // Base must have a CRL number - if (!base->crl_number) { - return 0; - } - // Issuer names must match - if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(delta))) { - return 0; - } - // AKID and IDP must match - if (!crl_extension_match(delta, base, NID_authority_key_identifier)) { - return 0; - } - if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) { - return 0; - } - // Delta CRL base number must not exceed Full CRL number. - if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) { - return 0; - } - // Delta CRL number must exceed full CRL number - if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) { - return 1; - } - return 0; -} - -// For a given base CRL find a delta... 
maybe extend to delta scoring or -// retrieve a chain of deltas... - -static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, - X509_CRL *base, STACK_OF(X509_CRL) *crls) { - X509_CRL *delta; - size_t i; - if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) { - return; - } - if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) { - return; - } - for (i = 0; i < sk_X509_CRL_num(crls); i++) { - delta = sk_X509_CRL_value(crls, i); - if (check_delta_base(delta, base)) { - if (check_crl_time(ctx, delta, 0)) { - *pscore |= CRL_SCORE_TIME_DELTA; - } - X509_CRL_up_ref(delta); - *dcrl = delta; - return; - } - } - *dcrl = NULL; -} - // For a given CRL return how suitable it is for the supplied certificate // 'x'. The return value is a mask of several criteria. If the issuer is not -// the certificate issuer this is returned in *pissuer. The reasons mask is -// also used to determine if the CRL is suitable: if no new reasons the CRL -// is rejected, otherwise reasons is updated. - -static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, - unsigned int *preasons, X509_CRL *crl, X509 *x) { +// the certificate issuer this is returned in *pissuer. +static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, X509_CRL *crl, + X509 *x) { int crl_score = 0; - unsigned int tmp_reasons = *preasons, crl_reasons; // First see if we can reject CRL straight away 
@@ -1136,29 +922,15 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, if (crl->idp_flags & IDP_INVALID) { return 0; } - // Reason codes or indirect CRLs need extended CRL support - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { - if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) { - return 0; - } - } else if (crl->idp_flags & IDP_REASONS) { - // If no new reasons reject - if (!(crl->idp_reasons & ~tmp_reasons)) { - return 0; - } - } - // Don't process deltas at this stage - else if (crl->base_crl_number) { + // Reason codes and indirect CRLs are not supported. + if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) { return 0; } - // If issuer name doesn't match certificate need indirect CRL + // We do not support indirect CRLs, so the issuer names must match. if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) { - if (!(crl->idp_flags & IDP_INDIRECT)) { - return 0; - } - } else { - crl_score |= CRL_SCORE_ISSUER_NAME; + return 0; } + crl_score |= CRL_SCORE_ISSUER_NAME; if (!(crl->flags & EXFLAG_CRITICAL)) { crl_score |= CRL_SCORE_NOCRITICAL; 
@@ -1170,36 +942,24 @@ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, } // Check authority key ID and locate certificate issuer - crl_akid_check(ctx, crl, pissuer, &crl_score); - - // If we can't locate certificate issuer at this point forget it - - if (!(crl_score & CRL_SCORE_AKID)) { + if (!crl_akid_check(ctx, crl, pissuer, &crl_score)) { + // If we can't locate certificate issuer at this point forget it return 0; } // Check cert for matching CRL distribution points - - if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) { - // If no new reasons reject - if (!(crl_reasons & ~tmp_reasons)) { - return 0; - } - tmp_reasons |= crl_reasons; + if (crl_crldp_check(x, crl, crl_score)) { crl_score |= CRL_SCORE_SCOPE; } - *preasons = tmp_reasons; - return crl_score; } -static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, - int *pcrl_score) { +static int crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, + int *pcrl_score) { X509 *crl_issuer = NULL; X509_NAME *cnm = X509_CRL_get_issuer(crl); int cidx = ctx->error_depth; - size_t i; if ((size_t)cidx != sk_X509_num(ctx->chain) - 1) { cidx++; @@ -1208,11 +968,9 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, crl_issuer = sk_X509_value(ctx->chain, cidx); if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { - if (*pcrl_score & CRL_SCORE_ISSUER_NAME) { - *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT; - *pissuer = crl_issuer; - return; - } + *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_ISSUER_CERT; + *pissuer = crl_issuer; + return 1; } for (cidx++; cidx < (int)sk_X509_num(ctx->chain); cidx++) { 
@@ -1223,84 +981,10 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, X509 **pissuer, if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { *pcrl_score |= CRL_SCORE_AKID | CRL_SCORE_SAME_PATH; *pissuer = crl_issuer; - return; - } - } - - // Anything else needs extended CRL support - - if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) { - return; - } - - // Otherwise the CRL issuer is not on the path. Look for it in the set of - // untrusted certificates. - for (i = 0; i < sk_X509_num(ctx->untrusted); i++) { - crl_issuer = sk_X509_value(ctx->untrusted, i); - if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) { - continue; - } - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { - *pissuer = crl_issuer; - *pcrl_score |= CRL_SCORE_AKID; - return; + return 1; } } -} - -// Check the path of a CRL issuer certificate. This creates a new -// X509_STORE_CTX and populates it with most of the parameters from the -// parent. This could be optimised somewhat since a lot of path checking will -// be duplicated by the parent, but this will rarely be used in practice. 
- -static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) { - X509_STORE_CTX crl_ctx; - int ret; - // Don't allow recursive CRL path validation - if (ctx->parent) { - return 0; - } - if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) { - return -1; - } - - crl_ctx.crls = ctx->crls; - // Copy verify params across - X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); - - crl_ctx.parent = ctx; - crl_ctx.verify_cb = ctx->verify_cb; - - // Verify CRL issuer - ret = X509_verify_cert(&crl_ctx); - - if (ret <= 0) { - goto err; - } - // Check chain is acceptable - - ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); -err: - X509_STORE_CTX_cleanup(&crl_ctx); - return ret; -} - -// RFC 3280 says nothing about the relationship between CRL path and -// certificate path, which could lead to situations where a certificate could -// be revoked or validated by a CA not authorised to do so. RFC 5280 is more -// strict and states that the two paths must end in the same trust anchor, -// though some discussions remain... until this is resolved we use the -// RFC 5280 version - -static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, - STACK_OF(X509) *crl_path) { - X509 *cert_ta, *crl_ta; - cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); - crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); - if (!X509_cmp(cert_ta, crl_ta)) { - return 1; - } return 0; } @@ -1308,7 +992,6 @@ static int check_crl_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *cert_path, // Both are relative names and compare X509_NAME types. 2. One full, one // relative. Compare X509_NAME to GENERAL_NAMES. 3. Both are full names and // compare two GENERAL_NAMES. 4. One is NULL: automatic match. - static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) { X509_NAME *nm = NULL; GENERAL_NAMES *gens = NULL; 
@@ -1373,30 +1056,8 @@ static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) { return 0; } -static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) { - size_t i; - X509_NAME *nm = X509_CRL_get_issuer(crl); - // If no CRLissuer return is successful iff don't need a match - if (!dp->CRLissuer) { - return !!(crl_score & CRL_SCORE_ISSUER_NAME); - } - for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) { - GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); - if (gen->type != GEN_DIRNAME) { - continue; - } - if (!X509_NAME_cmp(gen->d.directoryName, nm)) { - return 1; - } - } - return 0; -} - // Check CRLDP and IDP - -static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, - unsigned int *preasons) { - size_t i; +static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score) { if (crl->idp_flags & IDP_ONLYATTR) { return 0; } 
@@ -1409,52 +1070,49 @@ static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, return 0; } } - *preasons = crl->idp_reasons; - for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { + for (size_t i = 0; i < sk_DIST_POINT_num(x->crldp); i++) { DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); - if (crldp_check_crlissuer(dp, crl, crl_score)) { - if (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint)) { - *preasons &= dp->dp_reasons; - return 1; - } + // Skip distribution points with a reasons field or a CRL issuer: + // + // We do not support CRLs partitioned by reason code. RFC 5280 requires CAs + // include at least one DistributionPoint that covers all reasons. + // + // We also do not support indirect CRLs, and a CRL issuer can only match + // indirect CRLs (RFC 5280, section 6.3.3, step b.1). + // support. + if (dp->reasons != NULL && dp->CRLissuer != NULL && + (!crl->idp || idp_check_dp(dp->distpoint, crl->idp->distpoint))) { + return 1; } } - if ((!crl->idp || !crl->idp->distpoint) && - (crl_score & CRL_SCORE_ISSUER_NAME)) { - return 1; - } - return 0; -} -// Retrieve CRL corresponding to current certificate. If deltas enabled try -// to find a delta CRL too + // If the CRL does not specify an issuing distribution point, allow it to + // match anything. + // + // TODO(davidben): Does this match RFC 5280? It's hard to follow because RFC + // 5280 starts from distribution points, while this starts from CRLs. + return !crl->idp || !crl->idp->distpoint; +} -static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, - X509 *x) { - int ok; +// Retrieve CRL corresponding to current certificate. 
+static int get_crl(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 *x) { X509 *issuer = NULL; int crl_score = 0; - unsigned int reasons; - X509_CRL *crl = NULL, *dcrl = NULL; - STACK_OF(X509_CRL) *skcrl; - X509_NAME *nm = X509_get_issuer_name(x); - reasons = ctx->current_reasons; - ok = get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, ctx->crls); - - if (ok) { + X509_CRL *crl = NULL; + if (get_crl_sk(ctx, &crl, &issuer, &crl_score, ctx->crls)) { goto done; } // Lookup CRLs from store - - skcrl = ctx->lookup_crls(ctx, nm); + STACK_OF(X509_CRL) *skcrl = + X509_STORE_CTX_get1_crls(ctx, X509_get_issuer_name(x)); // If no CRLs found and a near match from get_crl_sk use that if (!skcrl && crl) { goto done; } - get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); + get_crl_sk(ctx, &crl, &issuer, &crl_score, skcrl); sk_X509_CRL_pop_free(skcrl, X509_CRL_free); @@ -1462,11 +1120,9 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, // If we got any kind of CRL use it and return success if (crl) { - ctx->current_issuer = issuer; + ctx->current_crl_issuer = issuer; ctx->current_crl_score = crl_score; - ctx->current_reasons = reasons; *pcrl = crl; - *pdcrl = dcrl; return 1; } 
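Review bot: The new loop condition in `crl_crldp_check`, `if (dp->reasons != NULL && dp->CRLissuer != NULL &&`, is the inverse of the comment directly above it, which says distribution points carrying a reasons field or a cRLIssuer are to be skipped; as written, only a DistributionPoint that has both fields can ever return 1, and the plain DP (neither field set) that the comment says RFC 5280 guarantees is never matched. For a CRL whose issuingDistributionPoint has a distributionPoint name, the fallback `return !crl->idp || !crl->idp->distpoint;` does not apply, so a certificate with an ordinary DP never earns CRL_SCORE_SCOPE and the later check_crl hunk then raises X509_V_ERR_DIFFERENT_CRL_SCOPE, while a partitioned/indirect-style DP — exactly what the comment says is unsupported — is the one that would be accepted. The condition should read `if (dp->reasons == NULL && dp->CRLissuer == NULL &&`, and the dangling fragment `// support.` at the end of that comment should be dropped. This is vendored BoringSSL, so the fix belongs upstream (and the vendoring script re-run) rather than as a local patch to this tree.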
@@ -1476,110 +1132,78 @@ static int get_crl_delta(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, // Check CRL validity static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) { X509 *issuer = NULL; - EVP_PKEY *ikey = NULL; - int ok = 0; int cnum = ctx->error_depth; int chnum = (int)sk_X509_num(ctx->chain) - 1; - // if we have an alternative CRL issuer cert use that - if (ctx->current_issuer) { - issuer = ctx->current_issuer; - } - - // Else find CRL issuer: if not last certificate then issuer is next - // certificate in chain. - else if (cnum < chnum) { + // If we have an alternative CRL issuer cert use that. Otherwise, it is the + // issuer of the current certificate. + if (ctx->current_crl_issuer) { + issuer = ctx->current_crl_issuer; + } else if (cnum < chnum) { issuer = sk_X509_value(ctx->chain, cnum + 1); } else { issuer = sk_X509_value(ctx->chain, chnum); // If not self signed, can't check signature - if (!ctx->check_issued(ctx, issuer, issuer)) { + if (!x509_check_issued_with_callback(ctx, issuer, issuer)) { ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; + if (!call_verify_cb(0, ctx)) { + return 0; } } } if (issuer) { - // Skip most tests for deltas because they have already been done - if (!crl->base_crl_number) { - // Check for cRLSign bit if keyUsage present - if ((issuer->ex_flags & EXFLAG_KUSAGE) && - !(issuer->ex_kusage & KU_CRL_SIGN)) { - ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } - } - - if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { - ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } + // Check for cRLSign bit if keyUsage present + if ((issuer->ex_flags & EXFLAG_KUSAGE) && + !(issuer->ex_kusage & X509v3_KU_CRL_SIGN)) { + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; + if (!call_verify_cb(0, ctx)) { + return 0; } + } - if (!(ctx->current_crl_score & 
CRL_SCORE_SAME_PATH)) { - if (check_crl_path(ctx, ctx->current_issuer) <= 0) { - ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } - } + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) { + ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; + if (!call_verify_cb(0, ctx)) { + return 0; } + } - if (crl->idp_flags & IDP_INVALID) { - ctx->error = X509_V_ERR_INVALID_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; - } + if (crl->idp_flags & IDP_INVALID) { + ctx->error = X509_V_ERR_INVALID_EXTENSION; + if (!call_verify_cb(0, ctx)) { + return 0; } } if (!(ctx->current_crl_score & CRL_SCORE_TIME)) { - ok = check_crl_time(ctx, crl, 1); - if (!ok) { - goto err; + if (!check_crl_time(ctx, crl, 1)) { + return 0; } } // Attempt to get issuer certificate public key - ikey = X509_get_pubkey(issuer); - + EVP_PKEY *ikey = X509_get0_pubkey(issuer); if (!ikey) { ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; + if (!call_verify_cb(0, ctx)) { + return 0; } } else { // Verify CRL signature if (X509_CRL_verify(crl, ikey) <= 0) { ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto err; + if (!call_verify_cb(0, ctx)) { + return 0; } } } } - ok = 1; - -err: - EVP_PKEY_free(ikey); - return ok; + return 1; } // Check certificate against CRL static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { - int ok; - X509_REVOKED *rev; // The rules changed for this... previously if a CRL contained unhandled // critical extensions it could still be used to indicate a certificate // was revoked. This has since been changed since critical extension can 
@@ -1587,20 +1211,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) && (crl->flags & EXFLAG_CRITICAL)) { ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { return 0; } } - // Look for serial number of certificate in CRL If found make sure reason - // is not removeFromCRL. + // Look for serial number of certificate in CRL. + X509_REVOKED *rev; if (X509_CRL_get0_by_cert(crl, &rev, x)) { - if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) { - return 2; - } ctx->error = X509_V_ERR_CERT_REVOKED; - ok = ctx->verify_cb(0, ctx); - if (!ok) { + if (!call_verify_cb(0, ctx)) { return 0; } } @@ -1609,11 +1228,6 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) { } static int check_policy(X509_STORE_CTX *ctx) { - // TODO(davidben): Why do we disable policy validation for CRL paths? - if (ctx->parent) { - return 1; - } - X509 *current_cert = NULL; int ret = X509_policy_check(ctx->chain, ctx->param->policies, ctx->param->flags, ¤t_cert); @@ -1623,18 +1237,7 @@ static int check_policy(X509_STORE_CTX *ctx) { if (ret == X509_V_ERR_OUT_OF_MEM) { return 0; } - return ctx->verify_cb(0, ctx); - } - - if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { - ctx->current_cert = NULL; - // Verification errors need to be "sticky", a callback may have allowed - // an SSL handshake to continue despite an error, and we must then - // remain in an error state. Therefore, we MUST NOT clear earlier - // verification errors by setting the error to X509_V_OK. - if (!ctx->verify_cb(2, ctx)) { - return 0; - } + return call_verify_cb(0, ctx); } return 1; @@ -1656,7 +1259,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) { if (i == 0) { ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) { + if (!call_verify_cb(0, ctx)) { return 0; } } 
@@ -1664,7 +1267,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
 if (i > 0) {
 ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
 ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx)) {
+ if (!call_verify_cb(0, ctx)) {
 return 0;
 }
 }
@@ -1673,7 +1276,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
 if (i == 0) {
 ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
 ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx)) {
+ if (!call_verify_cb(0, ctx)) {
 return 0;
 }
 }
@@ -1681,7 +1284,7 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
 if (i < 0) {
 ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
 ctx->current_cert = x;
- if (!ctx->verify_cb(0, ctx)) {
+ if (!call_verify_cb(0, ctx)) {
 return 0;
 }
 }
@@ -1690,16 +1293,20 @@ static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) {
 }
 static int internal_verify(X509_STORE_CTX *ctx) {
- int ok = 0;
- X509 *xs, *xi;
- EVP_PKEY *pkey = NULL;
-
+ // TODO(davidben): This logic is incredibly confusing. Rewrite this:
+ //
+ // First, don't allow the verify callback to suppress
+ // X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, which will simplify the
+ // signature check. Then replace jumping into the middle of the loop. It's
+ // trying to ensure that all certificates see |check_cert_time|, then checking
+ // the root's self signature when requested, but not breaking partial chains
+ // in the process.
 int n = (int)sk_X509_num(ctx->chain);
 ctx->error_depth = n - 1;
 n--;
- xi = sk_X509_value(ctx->chain, n);
-
- if (ctx->check_issued(ctx, xi, xi)) {
+ X509 *xi = sk_X509_value(ctx->chain, n);
+ X509 *xs;
+ if (x509_check_issued_with_callback(ctx, xi, xi)) {
 xs = xi;
 } else {
 if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
@@ -1709,13 +1316,11 @@ static int internal_verify(X509_STORE_CTX *ctx) { if (n <= 0) { ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->current_cert = xi; - ok = ctx->verify_cb(0, ctx); - goto end; - } else { - n--; - ctx->error_depth = n; - xs = sk_X509_value(ctx->chain, n); + return call_verify_cb(0, ctx); } + n--; + ctx->error_depth = n; + xs = sk_X509_value(ctx->chain, n); } // ctx->error=0; not needed @@ -1726,38 +1331,31 @@ static int internal_verify(X509_STORE_CTX *ctx) { // explicitly asked for. It doesn't add any security and just wastes // time. if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { - if ((pkey = X509_get_pubkey(xi)) == NULL) { + EVP_PKEY *pkey = X509_get0_pubkey(xi); + if (pkey == NULL) { ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert = xi; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } else if (X509_verify(xs, pkey) <= 0) { ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert = xs; - ok = ctx->verify_cb(0, ctx); - if (!ok) { - EVP_PKEY_free(pkey); - goto end; + if (!call_verify_cb(0, ctx)) { + return 0; } } - EVP_PKEY_free(pkey); - pkey = NULL; } check_cert: - ok = check_cert_time(ctx, xs); - if (!ok) { - goto end; + if (!check_cert_time(ctx, xs)) { + return 0; } // The last error (if any) is still in the error value - ctx->current_issuer = xi; ctx->current_cert = xs; - ok = ctx->verify_cb(1, ctx); - if (!ok) { - goto end; + if (!call_verify_cb(1, ctx)) { + return 0; } n--; @@ -1766,9 +1364,8 @@ static int internal_verify(X509_STORE_CTX *ctx) { xs = sk_X509_value(ctx->chain, n); } } - ok = 1; -end: - return ok; + + return 1; } int X509_cmp_current_time(const ASN1_TIME *ctm) { 
@@ -1810,129 +1407,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, return ASN1_TIME_adj(s, t, offset_day, offset_sec); } -// Make a delta CRL as the diff between two full CRLs - -X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, EVP_PKEY *skey, - const EVP_MD *md, unsigned int flags) { - X509_CRL *crl = NULL; - int i; - size_t j; - STACK_OF(X509_REVOKED) *revs = NULL; - // CRLs can't be delta already - if (base->base_crl_number || newer->base_crl_number) { - OPENSSL_PUT_ERROR(X509, X509_R_CRL_ALREADY_DELTA); - return NULL; - } - // Base and new CRL must have a CRL number - if (!base->crl_number || !newer->crl_number) { - OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_NUMBER); - return NULL; - } - // Issuer names must match - if (X509_NAME_cmp(X509_CRL_get_issuer(base), X509_CRL_get_issuer(newer))) { - OPENSSL_PUT_ERROR(X509, X509_R_ISSUER_MISMATCH); - return NULL; - } - // AKID and IDP must match - if (!crl_extension_match(base, newer, NID_authority_key_identifier)) { - OPENSSL_PUT_ERROR(X509, X509_R_AKID_MISMATCH); - return NULL; - } - if (!crl_extension_match(base, newer, NID_issuing_distribution_point)) { - OPENSSL_PUT_ERROR(X509, X509_R_IDP_MISMATCH); - return NULL; - } - // Newer CRL number must exceed full CRL number - if (ASN1_INTEGER_cmp(newer->crl_number, base->crl_number) <= 0) { - OPENSSL_PUT_ERROR(X509, X509_R_NEWER_CRL_NOT_NEWER); - return NULL; - } - // CRLs must verify - if (skey && - (X509_CRL_verify(base, skey) <= 0 || X509_CRL_verify(newer, skey) <= 0)) { - OPENSSL_PUT_ERROR(X509, X509_R_CRL_VERIFY_FAILURE); - return NULL; - } - // Create new CRL - crl = X509_CRL_new(); - if (!crl || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) { - goto memerr; - } - // Set issuer name - if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) { - goto memerr; - } - - if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) { - goto memerr; - } - if (!X509_CRL_set1_nextUpdate(crl, 
X509_CRL_get0_nextUpdate(newer))) { - goto memerr; - } - - // Set base CRL number: must be critical - - if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) { - goto memerr; - } - - // Copy extensions across from newest CRL to delta: this will set CRL - // number to correct value too. - - for (i = 0; i < X509_CRL_get_ext_count(newer); i++) { - const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i); - if (!X509_CRL_add_ext(crl, ext, -1)) { - goto memerr; - } - } - - // Go through revoked entries, copying as needed - - revs = X509_CRL_get_REVOKED(newer); - - for (j = 0; j < sk_X509_REVOKED_num(revs); j++) { - X509_REVOKED *rvn, *rvtmp; - rvn = sk_X509_REVOKED_value(revs, j); - // Add only if not also in base. TODO: need something cleverer here - // for some more complex CRLs covering multiple CAs. - if (!X509_CRL_get0_by_serial(base, &rvtmp, rvn->serialNumber)) { - rvtmp = X509_REVOKED_dup(rvn); - if (!rvtmp) { - goto memerr; - } - if (!X509_CRL_add0_revoked(crl, rvtmp)) { - X509_REVOKED_free(rvtmp); - goto memerr; - } - } - } - // TODO: optionally prune deleted entries - - if (skey && md && !X509_CRL_sign(crl, skey, md)) { - goto memerr; - } - - return crl; - -memerr: - if (crl) { - X509_CRL_free(crl); - } - return NULL; -} - int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - // This function is (usually) called only once, by - // SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). - int index; - if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, - free_func)) { - return -1; - } - return index; + return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func); } int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) { 
@@ -1943,54 +1422,51 @@ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) { return CRYPTO_get_ex_data(&ctx->ex_data, idx); } -int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; } +int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx) { return ctx->error; } void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) { ctx->error = err; } -int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) { +int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx) { return ctx->error_depth; } -X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { +X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx) { return ctx->current_cert; } -STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get_chain(const X509_STORE_CTX *ctx) { return ctx->chain; } -STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx) { return ctx->chain; } -STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx) { if (!ctx->chain) { return NULL; } return X509_chain_up_ref(ctx->chain); } -X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) { - return ctx->current_issuer; -} - -X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) { +X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx) { return ctx->current_crl; } -X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) { - return ctx->parent; +X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx) { + // In OpenSSL, an |X509_STORE_CTX| sometimes has a parent context during CRL + // path validation for indirect CRLs. We require the CRL to be issued + // somewhere along the certificate path, so this is always NULL. 
+ return NULL; } -void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->cert = x; } - void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->untrusted = sk; } -STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) { +STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx) { return ctx->untrusted; } 
@@ -1999,80 +1475,47 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { } int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { - return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); -} + // If |purpose| is zero, this function historically silently did nothing. + if (purpose == 0) { + return 1; + } -int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { - return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); -} - -// This function is used to set the X509_STORE_CTX purpose and trust values. -// This is intended to be used when another structure has its own trust and -// purpose values which (if set) will be inherited by the ctx. If they aren't -// set then we will usually have a default purpose in mind which should then -// be used to set the trust value. An example of this is SSL use: an SSL -// structure will have its own purpose and trust settings which the -// application can set: if they aren't set then we use the default of SSL -// client/server. 
- -int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, - int purpose, int trust) { - int idx; - // If purpose not set use default - if (!purpose) { - purpose = def_purpose; - } - // If we have a purpose then check it is valid - if (purpose) { - X509_PURPOSE *ptmp; - idx = X509_PURPOSE_get_by_id(purpose); - if (idx == -1) { - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID); - return 0; - } - ptmp = X509_PURPOSE_get0(idx); - if (ptmp->trust == X509_TRUST_DEFAULT) { - idx = X509_PURPOSE_get_by_id(def_purpose); - if (idx == -1) { - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID); - return 0; - } - ptmp = X509_PURPOSE_get0(idx); - } - // If trust not set then get from purpose default - if (!trust) { - trust = ptmp->trust; - } + const X509_PURPOSE *pobj = X509_PURPOSE_get0(purpose); + if (pobj == NULL) { + OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID); + return 0; } - if (trust) { - idx = X509_TRUST_get_by_id(trust); - if (idx == -1) { - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID); - return 0; - } + + int trust = X509_PURPOSE_get_trust(pobj); + if (!X509_STORE_CTX_set_trust(ctx, trust)) { + return 0; } - if (purpose && !ctx->param->purpose) { + if (ctx->param->purpose == 0) { ctx->param->purpose = purpose; } - if (trust && !ctx->param->trust) { - ctx->param->trust = trust; - } return 1; } -X509_STORE_CTX *X509_STORE_CTX_new(void) { - X509_STORE_CTX *ctx; - ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); - if (!ctx) { - return NULL; +int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { + // If |trust| is zero, this function historically silently did nothing. 
+ if (trust == 0) { + return 1; + } + + if (!X509_is_valid_trust_id(trust)) { + OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID); + return 0; } - X509_STORE_CTX_zero(ctx); - return ctx; + + if (ctx->param->trust == 0) { + ctx->param->trust = trust; + } + return 1; } -void X509_STORE_CTX_zero(X509_STORE_CTX *ctx) { - OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX)); +X509_STORE_CTX *X509_STORE_CTX_new(void) { + return OPENSSL_zalloc(sizeof(X509_STORE_CTX)); } void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { @@ -2085,7 +1528,8 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain) { - X509_STORE_CTX_zero(ctx); + X509_STORE_CTX_cleanup(ctx); + ctx->ctx = store; ctx->cert = x509; ctx->untrusted = chain; @@ -2105,7 +1549,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, // Inherit callbacks and flags from X509_STORE. ctx->verify_cb = store->verify_cb; - ctx->cleanup = store->cleanup; if (!X509_VERIFY_PARAM_inherit(ctx->param, store->param) || !X509_VERIFY_PARAM_inherit(ctx->param, 
@@ -2113,68 +1556,12 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, goto err; } - if (store->check_issued) { - ctx->check_issued = store->check_issued; - } else { - ctx->check_issued = check_issued; - } - - if (store->get_issuer) { - ctx->get_issuer = store->get_issuer; - } else { - ctx->get_issuer = X509_STORE_CTX_get1_issuer; - } - if (store->verify_cb) { ctx->verify_cb = store->verify_cb; } else { ctx->verify_cb = null_callback; } - if (store->verify) { - ctx->verify = store->verify; - } else { - ctx->verify = internal_verify; - } - - if (store->check_revocation) { - ctx->check_revocation = store->check_revocation; - } else { - ctx->check_revocation = check_revocation; - } - - if (store->get_crl) { - ctx->get_crl = store->get_crl; - } else { - ctx->get_crl = NULL; - } - - if (store->check_crl) { - ctx->check_crl = store->check_crl; - } else { - ctx->check_crl = check_crl; - } - - if (store->cert_crl) { - ctx->cert_crl = store->cert_crl; - } else { - ctx->cert_crl = cert_crl; - } - - if (store->lookup_certs) { - ctx->lookup_certs = store->lookup_certs; - } else { - ctx->lookup_certs = X509_STORE_get1_certs; - } - - if (store->lookup_crls) { - ctx->lookup_crls = store->lookup_crls; - } else { - ctx->lookup_crls = X509_STORE_get1_crls; - } - - ctx->check_policy = check_policy; - return 1; err: @@ -2192,8 +1579,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { - ctx->other_ctx = sk; - ctx->get_issuer = get_issuer_sk; + ctx->trusted_stack = sk; } void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { 
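Review bot: The `ctx->verify_cb = store->verify_cb;` kept as context in the preceding hunk is immediately overwritten by the `if (store->verify_cb) … else ctx->verify_cb = null_callback;` block retained here, so the first assignment is dead code. Drop the earlier line and let the null_callback fallback be the single assignment, which also makes it obvious that a store without a callback gets null_callback rather than NULL. X509_STORE_CTX_init's body continues outside this hunk.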
@@ -2201,24 +1587,10 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { } void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { - // We need to be idempotent because, unfortunately, |X509_STORE_CTX_free| - // also calls this function. - if (ctx->cleanup != NULL) { - ctx->cleanup(ctx); - ctx->cleanup = NULL; - } - if (ctx->param != NULL) { - if (ctx->parent == NULL) { - X509_VERIFY_PARAM_free(ctx->param); - } - ctx->param = NULL; - } - if (ctx->chain != NULL) { - sk_X509_pop_free(ctx->chain, X509_free); - ctx->chain = NULL; - } CRYPTO_free_ex_data(&g_ex_data_class, ctx, &(ctx->ex_data)); - OPENSSL_memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); + X509_VERIFY_PARAM_free(ctx->param); + sk_X509_pop_free(ctx->chain, X509_free); + OPENSSL_memset(ctx, 0, sizeof(X509_STORE_CTX)); } void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) { @@ -2230,7 +1602,7 @@ void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) { } void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags, - int64_t t) { + int64_t t) { X509_VERIFY_PARAM_set_time_posix(ctx->param, t); } @@ -2239,9 +1611,7 @@ void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, X509_STORE_CTX_set_time_posix(ctx, flags, t); } -X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) { - return ctx->cert; -} +X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx) { return ctx->cert; } void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)) { @@ -2249,8 +1619,7 @@ void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, } int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) { - const X509_VERIFY_PARAM *param; - param = X509_VERIFY_PARAM_lookup(name); + const X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_lookup(name); if (!param) { return 0; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509_vpm.c b/Sources/CNIOBoringSSL/crypto/x509/x509_vpm.c index cb57d51ff..7f7e55058 100644 
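Review bot: The comment explaining why X509_STORE_CTX_cleanup must be idempotent was removed with the old guards, yet the requirement is now stronger: X509_STORE_CTX_free still calls it and X509_STORE_CTX_init (hunk at -2085 above) calls it on entry. The new body is idempotent only because the trailing OPENSSL_memset zeroes every field and the free routines accept NULL, and that reasoning is worth keeping in the code: `// Zeroing |ctx| afterwards makes this idempotent; both |X509_STORE_CTX_free| and |X509_STORE_CTX_init| call this function.` The old `ctx->parent == NULL` guard around X509_VERIFY_PARAM_free is also gone; if a |parent| field that shares |param| with a child context still exists, this would free it twice — presumably it was removed with the verifier rewrite, but that should be confirmed.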
--- a/Sources/CNIOBoringSSL/crypto/x509/x509_vpm.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509_vpm.c @@ -60,10 +60,8 @@ #include #include #include -#include #include "../internal.h" -#include "../x509v3/internal.h" #include "internal.h" @@ -74,8 +72,6 @@ static void str_free(char *s) { OPENSSL_free(s); } -#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free) - static int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode, const char *name, size_t namelen) { char *copy; @@ -92,7 +88,7 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode, } if (mode == SET_HOST && param->hosts) { - string_stack_free(param->hosts); + sk_OPENSSL_STRING_pop_free(param->hosts, str_free); param->hosts = NULL; } @@ -119,48 +115,12 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *param, int mode, return 1; } -static void x509_verify_param_zero(X509_VERIFY_PARAM *param) { - if (!param) { - return; - } - param->name = NULL; - param->purpose = 0; - param->trust = 0; - // param->inh_flags = X509_VP_FLAG_DEFAULT; - param->inh_flags = 0; - param->flags = 0; - param->depth = -1; - if (param->policies) { - sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); - param->policies = NULL; - } - if (param->hosts) { - string_stack_free(param->hosts); - param->hosts = NULL; - } - if (param->peername) { - OPENSSL_free(param->peername); - param->peername = NULL; - } - if (param->email) { - OPENSSL_free(param->email); - param->email = NULL; - param->emaillen = 0; - } - if (param->ip) { - OPENSSL_free(param->ip); - param->ip = NULL; - param->iplen = 0; - } - param->poison = 0; -} - X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) { X509_VERIFY_PARAM *param = OPENSSL_zalloc(sizeof(X509_VERIFY_PARAM)); if (!param) { return NULL; } - x509_verify_param_zero(param); + param->depth = -1; return param; } 
@@ -168,147 +128,105 @@ void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { if (param == NULL) { return; } - x509_verify_param_zero(param); + sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free); + sk_OPENSSL_STRING_pop_free(param->hosts, str_free); + OPENSSL_free(param->email); + OPENSSL_free(param->ip); OPENSSL_free(param); } -//- -// This function determines how parameters are "inherited" from one structure -// to another. There are several different ways this can happen. -// -// 1. If a child structure needs to have its values initialized from a parent -// they are simply copied across. For example SSL_CTX copied to SSL. -// 2. If the structure should take on values only if they are currently unset. -// For example the values in an SSL structure will take appropriate value -// for SSL servers or clients but only if the application has not set new -// ones. -// -// The "inh_flags" field determines how this function behaves. -// -// Normally any values which are set in the default are not copied from the -// destination and verify flags are ORed together. -// -// If X509_VP_FLAG_DEFAULT is set then anything set in the source is copied -// to the destination. Effectively the values in "to" become default values -// which will be used only if nothing new is set in "from". -// -// If X509_VP_FLAG_OVERWRITE is set then all value are copied across whether -// they are set or not. Flags is still Ored though. -// -// If X509_VP_FLAG_RESET_FLAGS is set then the flags value is copied instead -// of ORed. -// -// If X509_VP_FLAG_LOCKED is set then no values are copied. -// -// If X509_VP_FLAG_ONCE is set then the current inh_flags setting is zeroed -// after the next call. 
- -// Macro to test if a field should be copied from src to dest - -#define test_x509_verify_param_copy(field, def) \ - (to_overwrite || \ - ((src->field != (def)) && (to_default || (dest->field == (def))))) - -// Macro to test and copy a field if necessary - -#define x509_verify_param_copy(field, def) \ - if (test_x509_verify_param_copy(field, def)) \ - dest->field = src->field - -int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, - const X509_VERIFY_PARAM *src) { - unsigned long inh_flags; - int to_default, to_overwrite; - if (!src) { - return 1; - } - inh_flags = dest->inh_flags | src->inh_flags; - - if (inh_flags & X509_VP_FLAG_ONCE) { - dest->inh_flags = 0; +static int should_copy(int dest_is_set, int src_is_set, int prefer_src) { + if (prefer_src) { + // We prefer the source, so as long as there is a value to copy, copy it. + return src_is_set; } - if (inh_flags & X509_VP_FLAG_LOCKED) { - return 1; - } + // We prefer the destination, so only copy if the destination is unset. + return src_is_set && !dest_is_set; +} - if (inh_flags & X509_VP_FLAG_DEFAULT) { - to_default = 1; - } else { - to_default = 0; +static void copy_int_param(int *dest, const int *src, int default_val, + int prefer_src) { + if (should_copy(*dest != default_val, *src != default_val, prefer_src)) { + *dest = *src; } +} - if (inh_flags & X509_VP_FLAG_OVERWRITE) { - to_overwrite = 1; - } else { - to_overwrite = 0; +// x509_verify_param_copy copies fields from |src| to |dest|. If both |src| and +// |dest| have some field set, |prefer_src| determines whether |src| or |dest|'s +// version is used. 
+static int x509_verify_param_copy(X509_VERIFY_PARAM *dest, + const X509_VERIFY_PARAM *src, + int prefer_src) { + if (src == NULL) { + return 1; } - x509_verify_param_copy(purpose, 0); - x509_verify_param_copy(trust, 0); - x509_verify_param_copy(depth, -1); - - // If overwrite or check time not set, copy across + copy_int_param(&dest->purpose, &src->purpose, /*default_val=*/0, prefer_src); + copy_int_param(&dest->trust, &src->trust, /*default_val=*/0, prefer_src); + copy_int_param(&dest->depth, &src->depth, /*default_val=*/-1, prefer_src); - if (to_overwrite || !(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) { + // |check_time|, unlike all other parameters, does not honor |prefer_src|. + // This means |X509_VERIFY_PARAM_set1| will not overwrite it. This behavior + // comes from OpenSSL but may have been a bug. + if (!(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) { dest->check_time = src->check_time; - dest->flags &= ~X509_V_FLAG_USE_CHECK_TIME; - // Don't need to copy flag: that is done below - } - - if (inh_flags & X509_VP_FLAG_RESET_FLAGS) { - dest->flags = 0; + // The source |X509_V_FLAG_USE_CHECK_TIME| flag, if set, is copied below. } dest->flags |= src->flags; - if (test_x509_verify_param_copy(policies, NULL)) { + if (should_copy(dest->policies != NULL, src->policies != NULL, prefer_src)) { if (!X509_VERIFY_PARAM_set1_policies(dest, src->policies)) { return 0; } } - // Copy the host flags if and only if we're copying the host list - if (test_x509_verify_param_copy(hosts, NULL)) { - if (dest->hosts) { - string_stack_free(dest->hosts); - dest->hosts = NULL; - } + if (should_copy(dest->hosts != NULL, src->hosts != NULL, prefer_src)) { + sk_OPENSSL_STRING_pop_free(dest->hosts, str_free); + dest->hosts = NULL; if (src->hosts) { dest->hosts = sk_OPENSSL_STRING_deep_copy(src->hosts, OPENSSL_strdup, str_free); if (dest->hosts == NULL) { return 0; } + // Copy the host flags if and only if we're copying the host list. 
Note + // this means mechanisms like |X509_STORE_CTX_set_default| cannot be used + // to set host flags. E.g. we cannot change the defaults using + // |kDefaultParam| below. dest->hostflags = src->hostflags; } } - if (test_x509_verify_param_copy(email, NULL)) { + if (should_copy(dest->email != NULL, src->email != NULL, prefer_src)) { if (!X509_VERIFY_PARAM_set1_email(dest, src->email, src->emaillen)) { return 0; } } - if (test_x509_verify_param_copy(ip, NULL)) { + if (should_copy(dest->ip != NULL, src->ip != NULL, prefer_src)) { if (!X509_VERIFY_PARAM_set1_ip(dest, src->ip, src->iplen)) { return 0; } } dest->poison = src->poison; - return 1; } +int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, + const X509_VERIFY_PARAM *src) { + // Prefer the destination. That is, this function only changes unset + // parameters in |dest|. + return x509_verify_param_copy(dest, src, /*prefer_src=*/0); +} + int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) { - unsigned long save_flags = to->inh_flags; - int ret; - to->inh_flags |= X509_VP_FLAG_DEFAULT; - ret = X509_VERIFY_PARAM_inherit(to, from); - to->inh_flags = save_flags; - return ret; + // Prefer the source. That is, values in |to| are only preserved if they were + // unset in |from|. + return x509_verify_param_copy(to, from, /*prefer_src=*/1); } static int int_x509_param_set1(char **pdest, size_t *pdestlen, const char *src, @@ -335,17 +253,6 @@ static int int_x509_param_set1(char **pdest, size_t *pdestlen, const char *src, return 1; } -int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) { - if (param->name) { - OPENSSL_free(param->name); - } - param->name = OPENSSL_strdup(name); - if (param->name) { - return 1; - } - return 0; -} - int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags |= flags; return 1; 
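Review bot: x509_verify_param_copy can return 0 part way through after it has already modified |dest| — the ints and |flags| are merged first, and the |hosts| branch frees dest->hosts and sets it to NULL before the deep copy that may fail — so a failed X509_VERIFY_PARAM_set1 or X509_VERIFY_PARAM_inherit leaves |dest| in a mixed state. The old macro-based code had the same property, but the new function comment is the natural place to state it; append `// On failure, |dest| may have been partially updated and should be discarded.` to the comment above x509_verify_param_copy. Separately, X509_VERIFY_PARAM_free no longer releases |peername| and |name|, which the removed x509_verify_param_zero did free; their accessors are deleted elsewhere in this patch, so the fields are presumably gone too, but if either survives in the struct this is a leak.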
@@ -357,16 +264,27 @@ int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, return 1; } -unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) { +unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param) { return param->flags; } int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) { - return X509_PURPOSE_set(¶m->purpose, purpose); + if (X509_PURPOSE_get0(purpose) == NULL) { + OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_PURPOSE); + return 0; + } + param->purpose = purpose; + return 1; } int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) { - return X509_TRUST_set(¶m->trust, trust); + if (!X509_is_valid_trust_id(trust)) { + OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_TRUST_ID); + return 0; + } + + param->trust = trust; + return 1; } void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) { @@ -440,10 +358,6 @@ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, param->hostflags = flags; } -char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) { - return param->peername; -} - int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen) { if (OPENSSL_memchr(email, '\0', emaillen) != NULL || 
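Review bot: X509_VERIFY_PARAM_set_purpose reports an unknown purpose as `X509V3_R_INVALID_PURPOSE` while X509_STORE_CTX_purpose_inherit in x509_vfy.c (earlier in this patch) reports the same condition as `X509_R_UNKNOWN_PURPOSE_ID`, and X509_VERIFY_PARAM_set_trust uses `X509_R_UNKNOWN_TRUST_ID` in both places; `OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_PURPOSE_ID);` here would make the pair consistent. Also, if X509_PURPOSE_get0(0) and X509_is_valid_trust_id(0) treat zero as unknown, callers can no longer pass 0 to clear a purpose or trust, whereas X509_STORE_CTX_set_trust in x509_vfy.c deliberately special-cases zero with a comment about historical behavior. Either accept zero here for the same reason or document the asymmetry above these two setters.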
@@ -482,68 +396,45 @@ int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) { return param->depth; } -const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) { - return param->name; -} - -#define vpm_empty_id NULL, 0U, NULL, NULL, 0, NULL, 0, 0 - -// Default verify parameters: these are used for various applications and can -// be overridden by the user specified table. NB: the 'name' field *must* be -// in alphabetical order because it will be searched using OBJ_search. - -static const X509_VERIFY_PARAM default_table[] = { - {(char *)"default", // X509 default parameters - 0, // Check time - 0, // internal flags - X509_V_FLAG_TRUSTED_FIRST, // flags - 0, // purpose - 0, // trust - 100, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"pkcs7", // S/MIME sign parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SMIME_SIGN, // purpose - X509_TRUST_EMAIL, // trust - -1, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"smime_sign", // S/MIME sign parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SMIME_SIGN, // purpose - X509_TRUST_EMAIL, // trust - -1, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"ssl_client", // SSL/TLS client parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SSL_CLIENT, // purpose - X509_TRUST_SSL_CLIENT, // trust - -1, // depth - NULL, // policies - vpm_empty_id}, - {(char *)"ssl_server", // SSL/TLS server parameters - 0, // Check time - 0, // internal flags - 0, // flags - X509_PURPOSE_SSL_SERVER, // purpose - X509_TRUST_SSL_SERVER, // trust - -1, // depth - NULL, // policies - vpm_empty_id}}; +static const X509_VERIFY_PARAM kDefaultParam = { + .flags = X509_V_FLAG_TRUSTED_FIRST, + .depth = 100, +}; + +static const X509_VERIFY_PARAM kSMIMESignParam = { + .purpose = X509_PURPOSE_SMIME_SIGN, + .trust = X509_TRUST_EMAIL, + .depth = -1, +}; + +static const X509_VERIFY_PARAM kSSLClientParam = { + .purpose = 
X509_PURPOSE_SSL_CLIENT, + .trust = X509_TRUST_SSL_CLIENT, + .depth = -1, +}; + +static const X509_VERIFY_PARAM kSSLServerParam = { + .purpose = X509_PURPOSE_SSL_SERVER, + .trust = X509_TRUST_SSL_SERVER, + .depth = -1, +}; const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name) { - for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(default_table); i++) { - if (strcmp(default_table[i].name, name) == 0) { - return &default_table[i]; - } + if (strcmp(name, "default") == 0) { + return &kDefaultParam; + } + if (strcmp(name, "pkcs7") == 0) { + // PKCS#7 and S/MIME signing use the same defaults. + return &kSMIMESignParam; + } + if (strcmp(name, "smime_sign") == 0) { + return &kSMIMESignParam; + } + if (strcmp(name, "ssl_client") == 0) { + return &kSSLClientParam; + } + if (strcmp(name, "ssl_server") == 0) { + return &kSSLServerParam; } return NULL; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x509spki.c b/Sources/CNIOBoringSSL/crypto/x509/x509spki.c index 5120b87cc..73015d87f 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x509spki.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x509spki.c @@ -68,7 +68,7 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey) { return (X509_PUBKEY_set(&(x->spkac->pubkey), pkey)); } -EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x) { +EVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *x) { if ((x == NULL) || (x->spkac == NULL)) { return NULL; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_algor.c b/Sources/CNIOBoringSSL/crypto/x509/x_algor.c index 1c3eeeab8..243e86b9b 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x_algor.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x_algor.c @@ -123,7 +123,7 @@ void X509_ALGOR_get0(const ASN1_OBJECT **out_obj, int *out_param_type, // Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD -void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) { +int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) { int param_type; if (EVP_MD_flags(md) & EVP_MD_FLAG_DIGALGID_ABSENT) { 
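Review bot: The `.depth = -1` in kSMIMESignParam, kSSLClientParam and kSSLServerParam is a sentinel rather than a limit: copy_int_param in x509_verify_param_copy treats -1 as the unset value for |depth|, so these tables leave an application-chosen depth alone, while kDefaultParam's 100 does fill in an unset one. That distinction is easy to misread from the initializers alone, so a comment on the first of them would help: `// A depth of -1 means "unset"; see |copy_int_param| in |x509_verify_param_copy|.` X509_VERIFY_PARAM_lookup also still calls strcmp on |name| without a NULL check, as before; if NULL is not an accepted input, saying so in a comment above the function is cheaper than discovering it from a crash.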
@@ -132,7 +132,7 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) { param_type = V_ASN1_NULL; } - X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL); + return X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL); } // X509_ALGOR_cmp returns 0 if |a| and |b| are equal and non-zero otherwise. diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_crl.c b/Sources/CNIOBoringSSL/crypto/x509/x_crl.c index 36e0a335e..3bc0043b2 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x_crl.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x_crl.c @@ -81,8 +81,8 @@ ASN1_SEQUENCE(X509_REVOKED) = { ASN1_SEQUENCE_OF_OPT(X509_REVOKED, extensions, X509_EXTENSION), } ASN1_SEQUENCE_END(X509_REVOKED) -static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, - X509_NAME *issuer); +static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, + const ASN1_INTEGER *serial, X509_NAME *issuer); // The X509_CRL_INFO structure needs a bit of customisation. Since we cache // the original encoding the signature wont be affected by reordering of the 
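Review bot: X509_ALGOR_set_md now forwards X509_ALGOR_set0's result, but any caller written against the previous void signature discards it, so a failure in set0 goes unnoticed unless every call site is updated. The call sites are outside this view and should each check the result, e.g. `if (!X509_ALGOR_set_md(alg, md)) { goto err; }`. X509_ALGOR_set_md's body begins in the preceding hunk.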
@@ -115,45 +115,15 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0), } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) -// Set CRL entry issuer according to CRL certificate issuer extension. Check -// for unhandled critical CRL entry extensions. - -static int crl_set_issuers(X509_CRL *crl) { - size_t i, k; - int j; - GENERAL_NAMES *gens, *gtmp; - STACK_OF(X509_REVOKED) *revoked; - - revoked = X509_CRL_get_REVOKED(crl); - - gens = NULL; - for (i = 0; i < sk_X509_REVOKED_num(revoked); i++) { +static int crl_parse_entry_extensions(X509_CRL *crl) { + STACK_OF(X509_REVOKED) *revoked = X509_CRL_get_REVOKED(crl); + for (size_t i = 0; i < sk_X509_REVOKED_num(revoked); i++) { X509_REVOKED *rev = sk_X509_REVOKED_value(revoked, i); - STACK_OF(X509_EXTENSION) *exts; - ASN1_ENUMERATED *reason; - X509_EXTENSION *ext; - gtmp = X509_REVOKED_get_ext_d2i(rev, NID_certificate_issuer, &j, NULL); - if (!gtmp && (j != -1)) { - crl->flags |= EXFLAG_INVALID; - return 1; - } - - if (gtmp) { - gens = gtmp; - if (!crl->issuers) { - crl->issuers = sk_GENERAL_NAMES_new_null(); - if (!crl->issuers) { - return 0; - } - } - if (!sk_GENERAL_NAMES_push(crl->issuers, gtmp)) { - return 0; - } - } - rev->issuer = gens; - reason = X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &j, NULL); - if (!reason && (j != -1)) { + int crit; + ASN1_ENUMERATED *reason = + X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, &crit, NULL); + if (!reason && crit != -1) { crl->flags |= EXFLAG_INVALID; return 1; } 
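Review bot: crl_parse_entry_extensions no longer reads the certificateIssuer entry extension (NID_certificate_issuer), so nothing in the code says that indirect CRLs are intentionally out of scope or how they are rejected. RFC 5280 section 5.3.3 requires certificateIssuer to be critical, so a conforming indirect CRL is caught by the "We do not support any critical CRL entry extensions" loop in the next hunk and gets EXFLAG_CRITICAL, while an entry carrying it non-critically would be attributed to the CRL issuer by the simplified crl_revoked_issuer_match later in this patch. That reasoning belongs above the function: `// crl_parse_entry_extensions parses each entry's reasonCode. certificateIssuer (indirect CRLs) is not supported; RFC 5280 requires it to be critical, so such CRLs are flagged with |EXFLAG_CRITICAL| below.` The function continues into the following hunk.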
@@ -165,17 +135,11 @@ static int crl_set_issuers(X509_CRL *crl) { rev->reason = CRL_REASON_NONE; } - // Check for critical CRL entry extensions - - exts = rev->extensions; - - for (k = 0; k < sk_X509_EXTENSION_num(exts); k++) { - ext = sk_X509_EXTENSION_value(exts, k); + // We do not support any critical CRL entry extensions. + const STACK_OF(X509_EXTENSION) *exts = rev->extensions; + for (size_t j = 0; j < sk_X509_EXTENSION_num(exts); j++) { + const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, j); if (X509_EXTENSION_get_critical(ext)) { - if (OBJ_obj2nid(X509_EXTENSION_get_object(ext)) == - NID_certificate_issuer) { - continue; - } crl->flags |= EXFLAG_CRITICAL; break; } @@ -190,9 +154,6 @@ static int crl_set_issuers(X509_CRL *crl) { static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *crl = (X509_CRL *)*pval; - STACK_OF(X509_EXTENSION) *exts; - X509_EXTENSION *ext; - size_t idx; int i; switch (operation) { @@ -201,10 +162,6 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, crl->akid = NULL; crl->flags = 0; crl->idp_flags = 0; - crl->idp_reasons = CRLDP_ALL_REASONS; - crl->issuers = NULL; - crl->crl_number = NULL; - crl->base_crl_number = NULL; break; case ASN1_OP_D2I_POST: { 
@@ -247,39 +204,17 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, return 0; } - crl->crl_number = X509_CRL_get_ext_d2i(crl, NID_crl_number, &i, NULL); - if (crl->crl_number == NULL && i != -1) { - return 0; - } - - crl->base_crl_number = X509_CRL_get_ext_d2i(crl, NID_delta_crl, &i, NULL); - if (crl->base_crl_number == NULL && i != -1) { - return 0; - } - // Delta CRLs must have CRL number - if (crl->base_crl_number && !crl->crl_number) { - OPENSSL_PUT_ERROR(X509, X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER); - return 0; - } - // See if we have any unhandled critical CRL extensions and indicate // this in a flag. We only currently handle IDP so anything else // critical sets the flag. This code accesses the X509_CRL structure // directly: applications shouldn't do this. - - exts = crl->crl->extensions; - - for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { - int nid; - ext = sk_X509_EXTENSION_value(exts, idx); - nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); - if (nid == NID_freshest_crl) { - crl->flags |= EXFLAG_FRESHEST; - } + const STACK_OF(X509_EXTENSION) *exts = crl->crl->extensions; + for (size_t idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) { + const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, idx); + int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); if (X509_EXTENSION_get_critical(ext)) { - // We handle IDP and deltas - if ((nid == NID_issuing_distribution_point) || - (nid == NID_authority_key_identifier) || (nid == NID_delta_crl)) { + if (nid == NID_issuing_distribution_point || + nid == NID_authority_key_identifier) { continue; } crl->flags |= EXFLAG_CRITICAL; @@ -287,7 +222,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, } } - if (!crl_set_issuers(crl)) { + if (!crl_parse_entry_extensions(crl)) { return 0; } 
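Review bot: The retained comment "We only currently handle IDP so anything else critical sets the flag" no longer matches the loop beneath it, which tolerates both NID_issuing_distribution_point and NID_authority_key_identifier as critical and, by dropping NID_delta_crl from that list, now flags delta CRLs. Update it to `// We only handle IDP and AKID, so any other critical extension sets the flag. deltaCRLIndicator is critical per RFC 5280, so delta CRLs are flagged here.` The crl_cb D2I_POST case continues outside this hunk.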
@@ -297,16 +232,15 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, case ASN1_OP_FREE_POST: AUTHORITY_KEYID_free(crl->akid); ISSUING_DIST_POINT_free(crl->idp); - ASN1_INTEGER_free(crl->crl_number); - ASN1_INTEGER_free(crl->base_crl_number); - sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free); break; } return 1; } // Convert IDP into a more convenient form - +// +// TODO(davidben): Each of these flags are already booleans, so this is not +// really more convenient. We can probably remove |idp_flags|. static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { int idp_only = 0; // Set various flags according to IDP @@ -324,6 +258,11 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { crl->idp_flags |= IDP_ONLYATTR; } + // Per RFC 5280, section 5.2.5, at most one of onlyContainsUserCerts, + // onlyContainsCACerts, and onlyContainsAttributeCerts may be true. + // + // TODO(crbug.com/boringssl/443): Move this check to the |ISSUING_DIST_POINT| + // parser. if (idp_only > 1) { crl->idp_flags |= IDP_INVALID; } @@ -334,15 +273,10 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { if (idp->onlysomereasons) { crl->idp_flags |= IDP_REASONS; - if (idp->onlysomereasons->length > 0) { - crl->idp_reasons = idp->onlysomereasons->data[0]; - } - if (idp->onlysomereasons->length > 1) { - crl->idp_reasons |= (idp->onlysomereasons->data[1] << 8); - } - crl->idp_reasons &= CRLDP_ALL_REASONS; } + // TODO(davidben): The new verifier does not support nameRelativeToCRLIssuer. + // Remove this? return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl)); } @@ -391,7 +325,7 @@ int X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey) { } int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, - ASN1_INTEGER *serial) { + const ASN1_INTEGER *serial) { return crl_lookup(crl, ret, serial, NULL); } 
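Review bot: setup_idp still sets IDP_REASONS when onlySomeReasons is present but no longer records which reasons are covered (|idp_reasons| is gone), so the flag is now the only information the verifier has about a reason-scoped CRL. Whether the consumer of IDP_REASONS (outside this file section) rejects such a CRL or uses it as though it covered every reason cannot be seen here; the former is the safe reading and should be stated above the assignment: `// The CRL is scoped to a subset of reason codes; the verifier must not treat it as a complete CRL for the issuer.` setup_idp begins in the preceding hunk.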
@@ -402,44 +336,19 @@ int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x) { static int crl_revoked_issuer_match(X509_CRL *crl, X509_NAME *nm, X509_REVOKED *rev) { - size_t i; - - if (!rev->issuer) { - if (!nm) { - return 1; - } - if (!X509_NAME_cmp(nm, X509_CRL_get_issuer(crl))) { - return 1; - } - return 0; - } - - if (!nm) { - nm = X509_CRL_get_issuer(crl); - } - - for (i = 0; i < sk_GENERAL_NAME_num(rev->issuer); i++) { - GENERAL_NAME *gen = sk_GENERAL_NAME_value(rev->issuer, i); - if (gen->type != GEN_DIRNAME) { - continue; - } - if (!X509_NAME_cmp(nm, gen->d.directoryName)) { - return 1; - } - } - return 0; + return nm == NULL || X509_NAME_cmp(nm, X509_CRL_get_issuer(crl)) == 0; } static CRYPTO_MUTEX g_crl_sort_lock = CRYPTO_MUTEX_INIT; -static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, - X509_NAME *issuer) { +static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, + const ASN1_INTEGER *serial, X509_NAME *issuer) { // Use an assert, rather than a runtime error, because returning nothing for a // CRL is arguably failing open, rather than closed. assert(serial->type == V_ASN1_INTEGER || serial->type == V_ASN1_NEG_INTEGER); X509_REVOKED rtmp, *rev; size_t idx; - rtmp.serialNumber = serial; + rtmp.serialNumber = (ASN1_INTEGER *)serial; // Sort revoked into serial number order if not already sorted. Do this // under a lock to avoid race condition. @@ -468,9 +377,6 @@ static int crl_lookup(X509_CRL *crl, X509_REVOKED **ret, ASN1_INTEGER *serial, if (ret) { *ret = rev; } - if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) { - return 2; - } return 1; } } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_info.c b/Sources/CNIOBoringSSL/crypto/x509/x_info.c deleted file mode 100644 index ce4499e9e..000000000 --- a/Sources/CNIOBoringSSL/crypto/x509/x_info.c +++ /dev/null 
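Review bot: crl_lookup casts away const on |serial| to build the |rtmp| search key, which is only acceptable because the key is read rather than written by the lookup that follows (outside this hunk); without a note the cast reads as a const-correctness bug waiting to be "fixed". Add `// |rtmp| is only a search key; |serial| is not modified through it.` above the assignment. The rest of crl_lookup is outside this hunk; crl_revoked_issuer_match's collapse to a single X509_NAME_cmp is consistent with the removal of certificateIssuer handling earlier in this file section.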
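Review bot: Removing the `return 2` path means an entry whose reasonCode is removeFromCRL is now reported by crl_lookup, and therefore by X509_CRL_get0_by_serial and X509_CRL_get0_by_cert, as an ordinary revocation. removeFromCRL only has meaning in delta CRLs, which this patch appears to stop accepting (deltaCRLIndicator is no longer tolerated as a critical extension in crl_cb above), so treating it as revoked fails closed; record that at the `if (ret)` block: `// removeFromCRL is only meaningful in delta CRLs, which are not supported, so such entries are reported as revoked.` Any caller that distinguished a return of 2 is outside this view and needs re-checking.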
@@ -1,100 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] */ - -#include - -#include -#include -#include -#include - -X509_INFO *X509_INFO_new(void) { - X509_INFO *ret = NULL; - - ret = (X509_INFO *)OPENSSL_malloc(sizeof(X509_INFO)); - if (ret == NULL) { - return NULL; - } - - ret->enc_cipher.cipher = NULL; - ret->enc_len = 0; - ret->enc_data = NULL; - - ret->x509 = NULL; - ret->crl = NULL; - ret->x_pkey = NULL; - return ret; -} - -void X509_INFO_free(X509_INFO *x) { - if (x == NULL) { - return; - } - - if (x->x509 != NULL) { - X509_free(x->x509); - } - if (x->crl != NULL) { - X509_CRL_free(x->crl); - } - if (x->x_pkey != NULL) { - X509_PKEY_free(x->x_pkey); - } - if (x->enc_data != NULL) { - OPENSSL_free(x->enc_data); - } - OPENSSL_free(x); -} 
diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_name.c b/Sources/CNIOBoringSSL/crypto/x509/x_name.c index 6ee3cd4f6..83816d4f1 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x_name.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x_name.c @@ -99,7 +99,7 @@ ASN1_SEQUENCE(X509_NAME_ENTRY) = { ASN1_SIMPLE(X509_NAME_ENTRY, value, ASN1_PRINTABLE), } ASN1_SEQUENCE_END(X509_NAME_ENTRY) -IMPLEMENT_ASN1_FUNCTIONS_const(X509_NAME_ENTRY) +IMPLEMENT_ASN1_ALLOC_FUNCTIONS(X509_NAME_ENTRY) IMPLEMENT_ASN1_DUP_FUNCTION_const(X509_NAME_ENTRY) // For the "Name" type we need a SEQUENCE OF { SET OF X509_NAME_ENTRY } so @@ -511,17 +511,17 @@ int X509_NAME_set(X509_NAME **xn, X509_NAME *name) { int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) { return ne->set; } -int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, - size_t *pderlen) { +int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **out_der, + size_t *out_der_len) { // Make sure encoding is valid if (i2d_X509_NAME(nm, NULL) <= 0) { return 0; } - if (pder != NULL) { - *pder = (unsigned char *)nm->bytes->data; + if (out_der != NULL) { + *out_der = (unsigned char *)nm->bytes->data; } - if (pderlen != NULL) { - *pderlen = nm->bytes->length; + if (out_der_len != NULL) { + *out_der_len = nm->bytes->length; } return 1; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_pkey.c b/Sources/CNIOBoringSSL/crypto/x509/x_pkey.c deleted file mode 100644 index 8c81b46be..000000000 --- a/Sources/CNIOBoringSSL/crypto/x509/x_pkey.c +++ /dev/null 
@@ -1,110 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
*/ - -#include - -#include - -#include -#include -#include -#include - -#include "../internal.h" - - -X509_PKEY *X509_PKEY_new(void) { - X509_PKEY *ret = OPENSSL_zalloc(sizeof(X509_PKEY)); - if (ret == NULL) { - goto err; - } - - ret->enc_algor = X509_ALGOR_new(); - if (ret->enc_algor == NULL) { - goto err; - } - ret->enc_pkey = ASN1_OCTET_STRING_new(); - if (ret->enc_pkey == NULL) { - goto err; - } - return ret; - -err: - if (ret != NULL) { - X509_PKEY_free(ret); - } - return NULL; -} - -void X509_PKEY_free(X509_PKEY *x) { - if (x == NULL) { - return; - } - - if (x->enc_algor != NULL) { - X509_ALGOR_free(x->enc_algor); - } - if (x->enc_pkey != NULL) { - ASN1_OCTET_STRING_free(x->enc_pkey); - } - if (x->dec_pkey != NULL) { - EVP_PKEY_free(x->dec_pkey); - } - if ((x->key_data != NULL) && (x->key_free)) { - OPENSSL_free(x->key_data); - } - OPENSSL_free(x); -} diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_pubkey.c b/Sources/CNIOBoringSSL/crypto/x509/x_pubkey.c index c811a62eb..a77b98157 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x_pubkey.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x_pubkey.c 
@@ -65,17 +65,46 @@ #include #include #include -#include #include "../internal.h" #include "internal.h" -// Minor tweak to operation: free up EVP_PKEY + +static void x509_pubkey_changed(X509_PUBKEY *pub) { + EVP_PKEY_free(pub->pkey); + pub->pkey = NULL; + + // Re-encode the |X509_PUBKEY| to DER and parse it with EVP's APIs. + uint8_t *spki = NULL; + int spki_len = i2d_X509_PUBKEY(pub, &spki); + if (spki_len < 0) { + goto err; + } + + CBS cbs; + CBS_init(&cbs, spki, (size_t)spki_len); + EVP_PKEY *pkey = EVP_parse_public_key(&cbs); + if (pkey == NULL || CBS_len(&cbs) != 0) { + EVP_PKEY_free(pkey); + goto err; + } + + pub->pkey = pkey; + +err: + OPENSSL_free(spki); + // If the operation failed, clear errors. An |X509_PUBKEY| whose key we cannot + // parse is still a valid SPKI. It just cannot be converted to an |EVP_PKEY|. + ERR_clear_error(); +} + static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { + X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; if (operation == ASN1_OP_FREE_POST) { - X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval; EVP_PKEY_free(pubkey->pkey); + } else if (operation == ASN1_OP_D2I_POST) { + x509_pubkey_changed(pubkey); } return 1; } 
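Review bot: `ERR_clear_error()` at the end of `x509_pubkey_changed` empties the whole thread error queue, not just the errors this re-encode and parse pushed, so any error a caller had queued before the `ASN1_OP_D2I_POST` callback or `X509_PUBKEY_set0_param` ran is discarded with it. The comment's intent (an SPKI whose key EVP cannot parse is still a valid SPKI) is preserved more precisely with `ERR_set_mark();` as the first statement of the function and `ERR_pop_to_mark();` in place of `ERR_clear_error();`, which unwinds only the errors added since the mark. Because the helper now runs on every decode, an unparseable key costs a full re-encode and parse on each `d2i_X509_PUBKEY` of untrusted input where it was previously deferred to `X509_PUBKEY_get`; that is presumably acceptable but deserves a sentence in the function comment. Both functions in this hunk are complete.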
@@ -124,60 +153,25 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey) { return 0; } -// g_pubkey_lock is used to protect the initialisation of the |pkey| member of -// |X509_PUBKEY| objects. Really |X509_PUBKEY| should have a |CRYPTO_once_t| -// inside it for this, but |CRYPTO_once_t| is private and |X509_PUBKEY| is -// not. -static CRYPTO_MUTEX g_pubkey_lock = CRYPTO_MUTEX_INIT; - -EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) { - EVP_PKEY *ret = NULL; - uint8_t *spki = NULL; - +EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key) { if (key == NULL) { - goto error; - } - - CRYPTO_MUTEX_lock_read(&g_pubkey_lock); - if (key->pkey != NULL) { - CRYPTO_MUTEX_unlock_read(&g_pubkey_lock); - EVP_PKEY_up_ref(key->pkey); - return key->pkey; + return NULL; } - CRYPTO_MUTEX_unlock_read(&g_pubkey_lock); - // Re-encode the |X509_PUBKEY| to DER and parse it. - int spki_len = i2d_X509_PUBKEY(key, &spki); - if (spki_len < 0) { - goto error; - } - CBS cbs; - CBS_init(&cbs, spki, (size_t)spki_len); - ret = EVP_parse_public_key(&cbs); - if (ret == NULL || CBS_len(&cbs) != 0) { + if (key->pkey == NULL) { OPENSSL_PUT_ERROR(X509, X509_R_PUBLIC_KEY_DECODE_ERROR); - goto error; + return NULL; } - // Check to see if another thread set key->pkey first - CRYPTO_MUTEX_lock_write(&g_pubkey_lock); - if (key->pkey) { - CRYPTO_MUTEX_unlock_write(&g_pubkey_lock); - EVP_PKEY_free(ret); - ret = key->pkey; - } else { - key->pkey = ret; - CRYPTO_MUTEX_unlock_write(&g_pubkey_lock); - } - - OPENSSL_free(spki); - EVP_PKEY_up_ref(ret); - return ret; + return key->pkey; +} -error: - OPENSSL_free(spki); - EVP_PKEY_free(ret); - return NULL; +EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key) { + EVP_PKEY *pkey = X509_PUBKEY_get0(key); + if (pkey != NULL) { + EVP_PKEY_up_ref(pkey); + } + return pkey; } int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, int param_type, 
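Review bot: With `g_pubkey_lock` removed, `X509_PUBKEY_get0` reads `key->pkey` without any synchronization, so its correctness now rests on `pkey` being fully populated before the `X509_PUBKEY` is shared across threads and never rewritten afterwards; the `ASN1_OP_D2I_POST` path in the previous hunk satisfies that, but `X509_PUBKEY_set0_param` on an already shared object would race with readers, and nothing in the hunk records the invariant. A comment on the getter, e.g. `// |key->pkey| is computed when the object is parsed or its parameters are set and never changes afterwards, so no lock is needed; an |X509_PUBKEY| must not be modified while other threads read it.`, would make that contract explicit. The `X509_R_PUBLIC_KEY_DECODE_ERROR` pushed here is also the only diagnostic a caller ever sees, since the specific parse error was cleared in `x509_pubkey_changed`; a one-line comment saying so would save the next reader a search.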
@@ -190,6 +184,8 @@ int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, int param_type, // Set the number of unused bits to zero. pub->public_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); pub->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT; + + x509_pubkey_changed(pub); return 1; } diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_spki.c b/Sources/CNIOBoringSSL/crypto/x509/x_spki.c index d0d11400d..2596c1e6a 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x_spki.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x_spki.c @@ -60,6 +60,8 @@ #include #include +#include "internal.h" + ASN1_SEQUENCE(NETSCAPE_SPKAC) = { ASN1_SIMPLE(NETSCAPE_SPKAC, pubkey, X509_PUBKEY), diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_x509.c b/Sources/CNIOBoringSSL/crypto/x509/x_x509.c index 86d987b8b..f78faa2e1 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x_x509.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x_x509.c @@ -65,7 +65,6 @@ #include #include #include -#include #include "../asn1/internal.h" #include "../bytestring/internal.h" @@ -381,12 +380,7 @@ int X509_up_ref(X509 *x) { int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - int index; - if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, - free_func)) { - return -1; - } - return index; + return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func); } int X509_set_ex_data(X509 *r, int idx, void *arg) { diff --git a/Sources/CNIOBoringSSL/crypto/x509/x_x509a.c b/Sources/CNIOBoringSSL/crypto/x509/x_x509a.c index d8fae293a..01004a422 100644 --- a/Sources/CNIOBoringSSL/crypto/x509/x_x509a.c +++ b/Sources/CNIOBoringSSL/crypto/x509/x_x509a.c 
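Review bot: `X509_PUBKEY_set0_param` still returns 1 after the new `x509_pubkey_changed(pub)` call even when the SPKI it just assembled does not parse as an `EVP_PKEY`, because that helper swallows the failure and leaves `pub->pkey` NULL; the caller only discovers this later when `X509_PUBKEY_get0` returns NULL with `X509_R_PUBLIC_KEY_DECODE_ERROR`. If that is intended, since a structurally valid SPKI may carry a key type EVP does not support, a comment on the call such as `// A key EVP cannot parse is still a valid SPKI; |pub->pkey| is simply left NULL.` would document it; if callers are expected to detect it, `if (pub->pkey == NULL) return 0;` after the call would surface it, bearing in mind that ownership of |obj| and the other set0 arguments has already transferred by this point. The function begins outside the hunk.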
@@ -90,7 +90,7 @@ static X509_CERT_AUX *aux_get(X509 *x) { return x->aux; } -int X509_alias_set1(X509 *x, const unsigned char *name, ossl_ssize_t len) { +int X509_alias_set1(X509 *x, const uint8_t *name, ossl_ssize_t len) { X509_CERT_AUX *aux; // TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the // getters cannot quite represent them. Also erase the object if |len| is @@ -112,7 +112,7 @@ int X509_alias_set1(X509 *x, const unsigned char *name, ossl_ssize_t len) { return ASN1_STRING_set(aux->alias, name, len); } -int X509_keyid_set1(X509 *x, const unsigned char *id, ossl_ssize_t len) { +int X509_keyid_set1(X509 *x, const uint8_t *id, ossl_ssize_t len) { X509_CERT_AUX *aux; // TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the // getters cannot quite represent them. Also erase the object if |len| is @@ -134,7 +134,7 @@ int X509_keyid_set1(X509 *x, const unsigned char *id, ossl_ssize_t len) { return ASN1_STRING_set(aux->keyid, id, len); } -unsigned char *X509_alias_get0(X509 *x, int *out_len) { +const uint8_t *X509_alias_get0(const X509 *x, int *out_len) { const ASN1_UTF8STRING *alias = x->aux != NULL ? x->aux->alias : NULL; if (out_len != NULL) { *out_len = alias != NULL ? alias->length : 0; @@ -142,7 +142,7 @@ unsigned char *X509_alias_get0(X509 *x, int *out_len) { return alias != NULL ? alias->data : NULL; } -unsigned char *X509_keyid_get0(X509 *x, int *out_len) { +const uint8_t *X509_keyid_get0(const X509 *x, int *out_len) { const ASN1_OCTET_STRING *keyid = x->aux != NULL ? x->aux->keyid : NULL; if (out_len != NULL) { *out_len = keyid != NULL ? keyid->length : 0; @@ -150,7 +150,7 @@ unsigned char *X509_keyid_get0(X509 *x, int *out_len) { return keyid != NULL ? keyid->data : NULL; } -int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) { +int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj) { ASN1_OBJECT *objtmp = OBJ_dup(obj); if (objtmp == NULL) { goto err; 
@@ -172,7 +172,7 @@ int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) { return 0; } -int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) { +int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj) { ASN1_OBJECT *objtmp = OBJ_dup(obj); if (objtmp == NULL) { goto err; diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/internal.h b/Sources/CNIOBoringSSL/crypto/x509v3/internal.h deleted file mode 100644 index 2f8a8d07e..000000000 --- a/Sources/CNIOBoringSSL/crypto/x509v3/internal.h +++ /dev/null 
@@ -1,197 +0,0 @@ -/* - * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project - * 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#ifndef OPENSSL_HEADER_X509V3_INTERNAL_H -#define OPENSSL_HEADER_X509V3_INTERNAL_H - -#include - -#include -#include -#include - -// TODO(davidben): Merge x509 and x509v3. This include is needed because some -// internal typedefs are shared between the two, but the two modules depend on -// each other circularly. -#include "../x509/internal.h" - -#if defined(__cplusplus) -extern "C" { -#endif - - -// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a -// newly-allocated NUL-terminated string containing the result, or NULL on -// allocation error. -// -// This function was historically named |hex_to_string| in OpenSSL. Despite the -// name, |hex_to_string| converted to hex. -OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len); - -// x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated -// array containing the result, or NULL on error. On success, it sets |*len| to -// the length of the result. Colon separators between bytes in the input are -// allowed and ignored. -// -// This function was historically named |string_to_hex| in OpenSSL. Despite the -// name, |string_to_hex| converted from hex. 
-unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len); - -// x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins -// with |cmp| followed by '.', and zero otherwise. -int x509v3_conf_name_matches(const char *name, const char *cmp); - -// x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero -// otherwise. -OPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in, - size_t len); - -// x509v3_cache_extensions fills in a number of fields relating to X.509 -// extensions in |x|. It returns one on success and zero if some extensions were -// invalid. -OPENSSL_EXPORT int x509v3_cache_extensions(X509 *x); - -// x509v3_a2i_ipadd decodes |ipasc| as an IPv4 or IPv6 address. IPv6 addresses -// use colon-separated syntax while IPv4 addresses use dotted decimal syntax. If -// it decodes an IPv4 address, it writes the result to the first four bytes of -// |ipout| and returns four. If it decodes an IPv6 address, it writes the result -// to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero. -int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc); - -// A |BIT_STRING_BITNAME| is used to contain a list of bit names. -typedef struct { - int bitnum; - const char *lname; - const char *sname; -} BIT_STRING_BITNAME; - -// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name -// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a -// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and -// zero on error. -int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value, - STACK_OF(CONF_VALUE) **extlist); - -// X509V3_NAME_from_section adds attributes to |nm| by interpreting the -// key/value pairs in |dn_sk|. It returns one on success and zero on error. -// |chtype|, which should be one of |MBSTRING_*| constants, determines the -// character encoding used to interpret values. 
-int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk, - int chtype); - -// X509V3_bool_from_string decodes |str| as a boolean. On success, it returns -// one and sets |*out_bool| to resulting value. Otherwise, it returns zero. -int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool); - -// X509V3_get_value_bool decodes |value| as a boolean. On success, it returns -// one and sets |*out_bool| to the resulting value. Otherwise, it returns zero. -int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool); - -// X509V3_get_value_int decodes |value| as an integer. On success, it returns -// one and sets |*aint| to the resulting value. Otherwise, it returns zero. If -// |*aint| was non-NULL at the start of the function, it frees the previous -// value before writing a new one. -int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint); - -// X509V3_get_section behaves like |NCONF_get_section| but queries |ctx|'s -// config database. -const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx, - const char *section); - -// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to -// |*extlist|. It returns one on success and zero on error. If |*extlist| is -// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)| -// containing the result. Either |name| or |value| may be NULL to omit the -// field. -// -// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the -// function returns. -int X509V3_add_value(const char *name, const char *value, - STACK_OF(CONF_VALUE) **extlist); - -// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value -// "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise. -int X509V3_add_value_bool(const char *name, int asn1_bool, - STACK_OF(CONF_VALUE) **extlist); - -// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string -// representation of |aint|. 
Note this string representation may be decimal or -// hexadecimal, depending on the size of |aint|. -int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, - STACK_OF(CONF_VALUE) **extlist); - -STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); - -#define X509V3_conf_err(val) \ - ERR_add_error_data(6, "section:", (val)->section, ",name:", (val)->name, \ - ",value:", (val)->value); - -// GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero -// value otherwise. Note this function does not provide a comparison suitable -// for sorting. -// -// This function is exported for testing. -OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a, - const GENERAL_NAME *b); - - -#if defined(__cplusplus) -} // extern C -#endif - -#endif // OPENSSL_HEADER_X509V3_INTERNAL_H diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-apple.S index 6c1901c3d..846de77fe 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -868,7 +867,6 @@ L$one_lsb: .p2align 6 .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-linux.S index 198e25efb..b046990e3 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesni-gcm-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -883,7 +882,6 @@ _CET_ENDBR .align 64 .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/aesni-x86-apple.S b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86-apple.S new file mode 100644 index 000000000..3e5f9652a --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86-apple.S 
@@ -0,0 +1,2495 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +#ifdef BORINGSSL_DISPATCH_TEST +#endif +.globl _aes_hw_encrypt +.private_extern _aes_hw_encrypt +.align 4 +_aes_hw_encrypt: +L_aes_hw_encrypt_begin: +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call L000pic_for_function_hit +L000pic_for_function_hit: + popl %ebx + leal _BORINGSSL_function_hit+1-L000pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 + movl 240(%edx),%ecx + movl 8(%esp),%eax + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L001enc1_loop_1: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L001enc1_loop_1 +.byte 102,15,56,221,209 + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + movups %xmm2,(%eax) + pxor %xmm2,%xmm2 + ret +.globl _aes_hw_decrypt +.private_extern _aes_hw_decrypt +.align 4 +_aes_hw_decrypt: +L_aes_hw_decrypt_begin: + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 + movl 240(%edx),%ecx + movl 8(%esp),%eax + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L002dec1_loop_2: +.byte 102,15,56,222,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L002dec1_loop_2 +.byte 102,15,56,223,209 + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + movups %xmm2,(%eax) + pxor %xmm2,%xmm2 + ret +.private_extern __aesni_encrypt2 +.align 4 +__aesni_encrypt2: + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + movups 32(%edx),%xmm0 + leal 32(%edx,%ecx,1),%edx + negl %ecx + addl $16,%ecx +L003enc2_loop: +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx 
+.byte 102,15,56,220,208 +.byte 102,15,56,220,216 + movups -16(%edx,%ecx,1),%xmm0 + jnz L003enc2_loop +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,221,208 +.byte 102,15,56,221,216 + ret +.private_extern __aesni_decrypt2 +.align 4 +__aesni_decrypt2: + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + movups 32(%edx),%xmm0 + leal 32(%edx,%ecx,1),%edx + negl %ecx + addl $16,%ecx +L004dec2_loop: +.byte 102,15,56,222,209 +.byte 102,15,56,222,217 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,222,208 +.byte 102,15,56,222,216 + movups -16(%edx,%ecx,1),%xmm0 + jnz L004dec2_loop +.byte 102,15,56,222,209 +.byte 102,15,56,222,217 +.byte 102,15,56,223,208 +.byte 102,15,56,223,216 + ret +.private_extern __aesni_encrypt3 +.align 4 +__aesni_encrypt3: + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + pxor %xmm0,%xmm4 + movups 32(%edx),%xmm0 + leal 32(%edx,%ecx,1),%edx + negl %ecx + addl $16,%ecx +L005enc3_loop: +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,220,225 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,220,208 +.byte 102,15,56,220,216 +.byte 102,15,56,220,224 + movups -16(%edx,%ecx,1),%xmm0 + jnz L005enc3_loop +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,220,225 +.byte 102,15,56,221,208 +.byte 102,15,56,221,216 +.byte 102,15,56,221,224 + ret +.private_extern __aesni_decrypt3 +.align 4 +__aesni_decrypt3: + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + pxor %xmm0,%xmm4 + movups 32(%edx),%xmm0 + leal 32(%edx,%ecx,1),%edx + negl %ecx + addl $16,%ecx +L006dec3_loop: +.byte 102,15,56,222,209 +.byte 102,15,56,222,217 +.byte 102,15,56,222,225 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,222,208 +.byte 102,15,56,222,216 +.byte 102,15,56,222,224 + movups -16(%edx,%ecx,1),%xmm0 + jnz L006dec3_loop +.byte 
102,15,56,222,209 +.byte 102,15,56,222,217 +.byte 102,15,56,222,225 +.byte 102,15,56,223,208 +.byte 102,15,56,223,216 +.byte 102,15,56,223,224 + ret +.private_extern __aesni_encrypt4 +.align 4 +__aesni_encrypt4: + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + pxor %xmm0,%xmm4 + pxor %xmm0,%xmm5 + movups 32(%edx),%xmm0 + leal 32(%edx,%ecx,1),%edx + negl %ecx +.byte 15,31,64,0 + addl $16,%ecx +L007enc4_loop: +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,220,225 +.byte 102,15,56,220,233 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,220,208 +.byte 102,15,56,220,216 +.byte 102,15,56,220,224 +.byte 102,15,56,220,232 + movups -16(%edx,%ecx,1),%xmm0 + jnz L007enc4_loop +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,220,225 +.byte 102,15,56,220,233 +.byte 102,15,56,221,208 +.byte 102,15,56,221,216 +.byte 102,15,56,221,224 +.byte 102,15,56,221,232 + ret +.private_extern __aesni_decrypt4 +.align 4 +__aesni_decrypt4: + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + pxor %xmm0,%xmm4 + pxor %xmm0,%xmm5 + movups 32(%edx),%xmm0 + leal 32(%edx,%ecx,1),%edx + negl %ecx +.byte 15,31,64,0 + addl $16,%ecx +L008dec4_loop: +.byte 102,15,56,222,209 +.byte 102,15,56,222,217 +.byte 102,15,56,222,225 +.byte 102,15,56,222,233 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,222,208 +.byte 102,15,56,222,216 +.byte 102,15,56,222,224 +.byte 102,15,56,222,232 + movups -16(%edx,%ecx,1),%xmm0 + jnz L008dec4_loop +.byte 102,15,56,222,209 +.byte 102,15,56,222,217 +.byte 102,15,56,222,225 +.byte 102,15,56,222,233 +.byte 102,15,56,223,208 +.byte 102,15,56,223,216 +.byte 102,15,56,223,224 +.byte 102,15,56,223,232 + ret +.private_extern __aesni_encrypt6 +.align 4 +__aesni_encrypt6: + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + pxor %xmm0,%xmm4 +.byte 102,15,56,220,209 + pxor 
%xmm0,%xmm5 + pxor %xmm0,%xmm6 +.byte 102,15,56,220,217 + leal 32(%edx,%ecx,1),%edx + negl %ecx +.byte 102,15,56,220,225 + pxor %xmm0,%xmm7 + movups (%edx,%ecx,1),%xmm0 + addl $16,%ecx + jmp L009_aesni_encrypt6_inner +.align 4,0x90 +L010enc6_loop: +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,220,225 +L009_aesni_encrypt6_inner: +.byte 102,15,56,220,233 +.byte 102,15,56,220,241 +.byte 102,15,56,220,249 +L_aesni_encrypt6_enter: + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,220,208 +.byte 102,15,56,220,216 +.byte 102,15,56,220,224 +.byte 102,15,56,220,232 +.byte 102,15,56,220,240 +.byte 102,15,56,220,248 + movups -16(%edx,%ecx,1),%xmm0 + jnz L010enc6_loop +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,220,225 +.byte 102,15,56,220,233 +.byte 102,15,56,220,241 +.byte 102,15,56,220,249 +.byte 102,15,56,221,208 +.byte 102,15,56,221,216 +.byte 102,15,56,221,224 +.byte 102,15,56,221,232 +.byte 102,15,56,221,240 +.byte 102,15,56,221,248 + ret +.private_extern __aesni_decrypt6 +.align 4 +__aesni_decrypt6: + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + pxor %xmm0,%xmm4 +.byte 102,15,56,222,209 + pxor %xmm0,%xmm5 + pxor %xmm0,%xmm6 +.byte 102,15,56,222,217 + leal 32(%edx,%ecx,1),%edx + negl %ecx +.byte 102,15,56,222,225 + pxor %xmm0,%xmm7 + movups (%edx,%ecx,1),%xmm0 + addl $16,%ecx + jmp L011_aesni_decrypt6_inner +.align 4,0x90 +L012dec6_loop: +.byte 102,15,56,222,209 +.byte 102,15,56,222,217 +.byte 102,15,56,222,225 +L011_aesni_decrypt6_inner: +.byte 102,15,56,222,233 +.byte 102,15,56,222,241 +.byte 102,15,56,222,249 +L_aesni_decrypt6_enter: + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,222,208 +.byte 102,15,56,222,216 +.byte 102,15,56,222,224 +.byte 102,15,56,222,232 +.byte 102,15,56,222,240 +.byte 102,15,56,222,248 + movups -16(%edx,%ecx,1),%xmm0 + jnz L012dec6_loop +.byte 102,15,56,222,209 +.byte 102,15,56,222,217 +.byte 102,15,56,222,225 +.byte 
102,15,56,222,233 +.byte 102,15,56,222,241 +.byte 102,15,56,222,249 +.byte 102,15,56,223,208 +.byte 102,15,56,223,216 +.byte 102,15,56,223,224 +.byte 102,15,56,223,232 +.byte 102,15,56,223,240 +.byte 102,15,56,223,248 + ret +.globl _aes_hw_ecb_encrypt +.private_extern _aes_hw_ecb_encrypt +.align 4 +_aes_hw_ecb_encrypt: +L_aes_hw_ecb_encrypt_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl 32(%esp),%edx + movl 36(%esp),%ebx + andl $-16,%eax + jz L013ecb_ret + movl 240(%edx),%ecx + testl %ebx,%ebx + jz L014ecb_decrypt + movl %edx,%ebp + movl %ecx,%ebx + cmpl $96,%eax + jb L015ecb_enc_tail + movdqu (%esi),%xmm2 + movdqu 16(%esi),%xmm3 + movdqu 32(%esi),%xmm4 + movdqu 48(%esi),%xmm5 + movdqu 64(%esi),%xmm6 + movdqu 80(%esi),%xmm7 + leal 96(%esi),%esi + subl $96,%eax + jmp L016ecb_enc_loop6_enter +.align 4,0x90 +L017ecb_enc_loop6: + movups %xmm2,(%edi) + movdqu (%esi),%xmm2 + movups %xmm3,16(%edi) + movdqu 16(%esi),%xmm3 + movups %xmm4,32(%edi) + movdqu 32(%esi),%xmm4 + movups %xmm5,48(%edi) + movdqu 48(%esi),%xmm5 + movups %xmm6,64(%edi) + movdqu 64(%esi),%xmm6 + movups %xmm7,80(%edi) + leal 96(%edi),%edi + movdqu 80(%esi),%xmm7 + leal 96(%esi),%esi +L016ecb_enc_loop6_enter: + call __aesni_encrypt6 + movl %ebp,%edx + movl %ebx,%ecx + subl $96,%eax + jnc L017ecb_enc_loop6 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + movups %xmm6,64(%edi) + movups %xmm7,80(%edi) + leal 96(%edi),%edi + addl $96,%eax + jz L013ecb_ret +L015ecb_enc_tail: + movups (%esi),%xmm2 + cmpl $32,%eax + jb L018ecb_enc_one + movups 16(%esi),%xmm3 + je L019ecb_enc_two + movups 32(%esi),%xmm4 + cmpl $64,%eax + jb L020ecb_enc_three + movups 48(%esi),%xmm5 + je L021ecb_enc_four + movups 64(%esi),%xmm6 + xorps %xmm7,%xmm7 + call __aesni_encrypt6 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + movups %xmm6,64(%edi) + jmp L013ecb_ret 
+.align 4,0x90 +L018ecb_enc_one: + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L022enc1_loop_3: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L022enc1_loop_3 +.byte 102,15,56,221,209 + movups %xmm2,(%edi) + jmp L013ecb_ret +.align 4,0x90 +L019ecb_enc_two: + call __aesni_encrypt2 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + jmp L013ecb_ret +.align 4,0x90 +L020ecb_enc_three: + call __aesni_encrypt3 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + jmp L013ecb_ret +.align 4,0x90 +L021ecb_enc_four: + call __aesni_encrypt4 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + jmp L013ecb_ret +.align 4,0x90 +L014ecb_decrypt: + movl %edx,%ebp + movl %ecx,%ebx + cmpl $96,%eax + jb L023ecb_dec_tail + movdqu (%esi),%xmm2 + movdqu 16(%esi),%xmm3 + movdqu 32(%esi),%xmm4 + movdqu 48(%esi),%xmm5 + movdqu 64(%esi),%xmm6 + movdqu 80(%esi),%xmm7 + leal 96(%esi),%esi + subl $96,%eax + jmp L024ecb_dec_loop6_enter +.align 4,0x90 +L025ecb_dec_loop6: + movups %xmm2,(%edi) + movdqu (%esi),%xmm2 + movups %xmm3,16(%edi) + movdqu 16(%esi),%xmm3 + movups %xmm4,32(%edi) + movdqu 32(%esi),%xmm4 + movups %xmm5,48(%edi) + movdqu 48(%esi),%xmm5 + movups %xmm6,64(%edi) + movdqu 64(%esi),%xmm6 + movups %xmm7,80(%edi) + leal 96(%edi),%edi + movdqu 80(%esi),%xmm7 + leal 96(%esi),%esi +L024ecb_dec_loop6_enter: + call __aesni_decrypt6 + movl %ebp,%edx + movl %ebx,%ecx + subl $96,%eax + jnc L025ecb_dec_loop6 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + movups %xmm6,64(%edi) + movups %xmm7,80(%edi) + leal 96(%edi),%edi + addl $96,%eax + jz L013ecb_ret +L023ecb_dec_tail: + movups (%esi),%xmm2 + cmpl $32,%eax + jb L026ecb_dec_one + movups 16(%esi),%xmm3 + je L027ecb_dec_two + movups 32(%esi),%xmm4 + cmpl $64,%eax + jb L028ecb_dec_three + movups 48(%esi),%xmm5 + je L029ecb_dec_four + movups 64(%esi),%xmm6 + 
xorps %xmm7,%xmm7 + call __aesni_decrypt6 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + movups %xmm6,64(%edi) + jmp L013ecb_ret +.align 4,0x90 +L026ecb_dec_one: + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L030dec1_loop_4: +.byte 102,15,56,222,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L030dec1_loop_4 +.byte 102,15,56,223,209 + movups %xmm2,(%edi) + jmp L013ecb_ret +.align 4,0x90 +L027ecb_dec_two: + call __aesni_decrypt2 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + jmp L013ecb_ret +.align 4,0x90 +L028ecb_dec_three: + call __aesni_decrypt3 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + jmp L013ecb_ret +.align 4,0x90 +L029ecb_dec_four: + call __aesni_decrypt4 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) +L013ecb_ret: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _aes_hw_ccm64_encrypt_blocks +.private_extern _aes_hw_ccm64_encrypt_blocks +.align 4 +_aes_hw_ccm64_encrypt_blocks: +L_aes_hw_ccm64_encrypt_blocks_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl 32(%esp),%edx + movl 36(%esp),%ebx + movl 40(%esp),%ecx + movl %esp,%ebp + subl $60,%esp + andl $-16,%esp + movl %ebp,48(%esp) + movdqu (%ebx),%xmm7 + movdqu (%ecx),%xmm3 + movl 240(%edx),%ecx + movl $202182159,(%esp) + movl $134810123,4(%esp) + movl $67438087,8(%esp) + movl $66051,12(%esp) + movl $1,%ebx + xorl %ebp,%ebp + movl %ebx,16(%esp) + movl %ebp,20(%esp) + movl %ebp,24(%esp) + movl %ebp,28(%esp) + shll $4,%ecx + movl $16,%ebx + leal (%edx),%ebp + movdqa (%esp),%xmm5 + movdqa %xmm7,%xmm2 + leal 32(%edx,%ecx,1),%edx + subl %ecx,%ebx +.byte 102,15,56,0,253 +L031ccm64_enc_outer: + 
movups (%ebp),%xmm0 + movl %ebx,%ecx + movups (%esi),%xmm6 + xorps %xmm0,%xmm2 + movups 16(%ebp),%xmm1 + xorps %xmm6,%xmm0 + xorps %xmm0,%xmm3 + movups 32(%ebp),%xmm0 +L032ccm64_enc2_loop: +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,220,208 +.byte 102,15,56,220,216 + movups -16(%edx,%ecx,1),%xmm0 + jnz L032ccm64_enc2_loop +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 + paddq 16(%esp),%xmm7 + decl %eax +.byte 102,15,56,221,208 +.byte 102,15,56,221,216 + leal 16(%esi),%esi + xorps %xmm2,%xmm6 + movdqa %xmm7,%xmm2 + movups %xmm6,(%edi) +.byte 102,15,56,0,213 + leal 16(%edi),%edi + jnz L031ccm64_enc_outer + movl 48(%esp),%esp + movl 40(%esp),%edi + movups %xmm3,(%edi) + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _aes_hw_ccm64_decrypt_blocks +.private_extern _aes_hw_ccm64_decrypt_blocks +.align 4 +_aes_hw_ccm64_decrypt_blocks: +L_aes_hw_ccm64_decrypt_blocks_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl 32(%esp),%edx + movl 36(%esp),%ebx + movl 40(%esp),%ecx + movl %esp,%ebp + subl $60,%esp + andl $-16,%esp + movl %ebp,48(%esp) + movdqu (%ebx),%xmm7 + movdqu (%ecx),%xmm3 + movl 240(%edx),%ecx + movl $202182159,(%esp) + movl $134810123,4(%esp) + movl $67438087,8(%esp) + movl $66051,12(%esp) + movl $1,%ebx + xorl %ebp,%ebp + movl %ebx,16(%esp) + movl %ebp,20(%esp) + movl %ebp,24(%esp) + movl %ebp,28(%esp) + movdqa (%esp),%xmm5 + movdqa %xmm7,%xmm2 + movl %edx,%ebp + movl %ecx,%ebx +.byte 102,15,56,0,253 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L033enc1_loop_5: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L033enc1_loop_5 +.byte 102,15,56,221,209 + shll $4,%ebx + movl 
$16,%ecx + movups (%esi),%xmm6 + paddq 16(%esp),%xmm7 + leal 16(%esi),%esi + subl %ebx,%ecx + leal 32(%ebp,%ebx,1),%edx + movl %ecx,%ebx + jmp L034ccm64_dec_outer +.align 4,0x90 +L034ccm64_dec_outer: + xorps %xmm2,%xmm6 + movdqa %xmm7,%xmm2 + movups %xmm6,(%edi) + leal 16(%edi),%edi +.byte 102,15,56,0,213 + subl $1,%eax + jz L035ccm64_dec_break + movups (%ebp),%xmm0 + movl %ebx,%ecx + movups 16(%ebp),%xmm1 + xorps %xmm0,%xmm6 + xorps %xmm0,%xmm2 + xorps %xmm6,%xmm3 + movups 32(%ebp),%xmm0 +L036ccm64_dec2_loop: +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 + movups (%edx,%ecx,1),%xmm1 + addl $32,%ecx +.byte 102,15,56,220,208 +.byte 102,15,56,220,216 + movups -16(%edx,%ecx,1),%xmm0 + jnz L036ccm64_dec2_loop + movups (%esi),%xmm6 + paddq 16(%esp),%xmm7 +.byte 102,15,56,220,209 +.byte 102,15,56,220,217 +.byte 102,15,56,221,208 +.byte 102,15,56,221,216 + leal 16(%esi),%esi + jmp L034ccm64_dec_outer +.align 4,0x90 +L035ccm64_dec_break: + movl 240(%ebp),%ecx + movl %ebp,%edx + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm6 + leal 32(%edx),%edx + xorps %xmm6,%xmm3 +L037enc1_loop_6: +.byte 102,15,56,220,217 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L037enc1_loop_6 +.byte 102,15,56,221,217 + movl 48(%esp),%esp + movl 40(%esp),%edi + movups %xmm3,(%edi) + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _aes_hw_ctr32_encrypt_blocks +.private_extern _aes_hw_ctr32_encrypt_blocks +.align 4 +_aes_hw_ctr32_encrypt_blocks: +L_aes_hw_ctr32_encrypt_blocks_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call L038pic_for_function_hit +L038pic_for_function_hit: + popl %ebx + leal _BORINGSSL_function_hit+0-L038pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + movl 
20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl 32(%esp),%edx + movl 36(%esp),%ebx + movl %esp,%ebp + subl $88,%esp + andl $-16,%esp + movl %ebp,80(%esp) + cmpl $1,%eax + je L039ctr32_one_shortcut + movdqu (%ebx),%xmm7 + movl $202182159,(%esp) + movl $134810123,4(%esp) + movl $67438087,8(%esp) + movl $66051,12(%esp) + movl $6,%ecx + xorl %ebp,%ebp + movl %ecx,16(%esp) + movl %ecx,20(%esp) + movl %ecx,24(%esp) + movl %ebp,28(%esp) +.byte 102,15,58,22,251,3 +.byte 102,15,58,34,253,3 + movl 240(%edx),%ecx + bswap %ebx + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + movdqa (%esp),%xmm2 +.byte 102,15,58,34,195,0 + leal 3(%ebx),%ebp +.byte 102,15,58,34,205,0 + incl %ebx +.byte 102,15,58,34,195,1 + incl %ebp +.byte 102,15,58,34,205,1 + incl %ebx +.byte 102,15,58,34,195,2 + incl %ebp +.byte 102,15,58,34,205,2 + movdqa %xmm0,48(%esp) +.byte 102,15,56,0,194 + movdqu (%edx),%xmm6 + movdqa %xmm1,64(%esp) +.byte 102,15,56,0,202 + pshufd $192,%xmm0,%xmm2 + pshufd $128,%xmm0,%xmm3 + cmpl $6,%eax + jb L040ctr32_tail + pxor %xmm6,%xmm7 + shll $4,%ecx + movl $16,%ebx + movdqa %xmm7,32(%esp) + movl %edx,%ebp + subl %ecx,%ebx + leal 32(%edx,%ecx,1),%edx + subl $6,%eax + jmp L041ctr32_loop6 +.align 4,0x90 +L041ctr32_loop6: + pshufd $64,%xmm0,%xmm4 + movdqa 32(%esp),%xmm0 + pshufd $192,%xmm1,%xmm5 + pxor %xmm0,%xmm2 + pshufd $128,%xmm1,%xmm6 + pxor %xmm0,%xmm3 + pshufd $64,%xmm1,%xmm7 + movups 16(%ebp),%xmm1 + pxor %xmm0,%xmm4 + pxor %xmm0,%xmm5 +.byte 102,15,56,220,209 + pxor %xmm0,%xmm6 + pxor %xmm0,%xmm7 +.byte 102,15,56,220,217 + movups 32(%ebp),%xmm0 + movl %ebx,%ecx +.byte 102,15,56,220,225 +.byte 102,15,56,220,233 +.byte 102,15,56,220,241 +.byte 102,15,56,220,249 + call L_aesni_encrypt6_enter + movups (%esi),%xmm1 + movups 16(%esi),%xmm0 + xorps %xmm1,%xmm2 + movups 32(%esi),%xmm1 + xorps %xmm0,%xmm3 + movups %xmm2,(%edi) + movdqa 16(%esp),%xmm0 + xorps %xmm1,%xmm4 + movdqa 64(%esp),%xmm1 + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + paddd %xmm0,%xmm1 + paddd 
48(%esp),%xmm0 + movdqa (%esp),%xmm2 + movups 48(%esi),%xmm3 + movups 64(%esi),%xmm4 + xorps %xmm3,%xmm5 + movups 80(%esi),%xmm3 + leal 96(%esi),%esi + movdqa %xmm0,48(%esp) +.byte 102,15,56,0,194 + xorps %xmm4,%xmm6 + movups %xmm5,48(%edi) + xorps %xmm3,%xmm7 + movdqa %xmm1,64(%esp) +.byte 102,15,56,0,202 + movups %xmm6,64(%edi) + pshufd $192,%xmm0,%xmm2 + movups %xmm7,80(%edi) + leal 96(%edi),%edi + pshufd $128,%xmm0,%xmm3 + subl $6,%eax + jnc L041ctr32_loop6 + addl $6,%eax + jz L042ctr32_ret + movdqu (%ebp),%xmm7 + movl %ebp,%edx + pxor 32(%esp),%xmm7 + movl 240(%ebp),%ecx +L040ctr32_tail: + por %xmm7,%xmm2 + cmpl $2,%eax + jb L043ctr32_one + pshufd $64,%xmm0,%xmm4 + por %xmm7,%xmm3 + je L044ctr32_two + pshufd $192,%xmm1,%xmm5 + por %xmm7,%xmm4 + cmpl $4,%eax + jb L045ctr32_three + pshufd $128,%xmm1,%xmm6 + por %xmm7,%xmm5 + je L046ctr32_four + por %xmm7,%xmm6 + call __aesni_encrypt6 + movups (%esi),%xmm1 + movups 16(%esi),%xmm0 + xorps %xmm1,%xmm2 + movups 32(%esi),%xmm1 + xorps %xmm0,%xmm3 + movups 48(%esi),%xmm0 + xorps %xmm1,%xmm4 + movups 64(%esi),%xmm1 + xorps %xmm0,%xmm5 + movups %xmm2,(%edi) + xorps %xmm1,%xmm6 + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + movups %xmm6,64(%edi) + jmp L042ctr32_ret +.align 4,0x90 +L039ctr32_one_shortcut: + movups (%ebx),%xmm2 + movl 240(%edx),%ecx +L043ctr32_one: + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L047enc1_loop_7: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L047enc1_loop_7 +.byte 102,15,56,221,209 + movups (%esi),%xmm6 + xorps %xmm2,%xmm6 + movups %xmm6,(%edi) + jmp L042ctr32_ret +.align 4,0x90 +L044ctr32_two: + call __aesni_encrypt2 + movups (%esi),%xmm5 + movups 16(%esi),%xmm6 + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + jmp L042ctr32_ret +.align 4,0x90 +L045ctr32_three: + call __aesni_encrypt3 + movups (%esi),%xmm5 + movups 16(%esi),%xmm6 + xorps 
%xmm5,%xmm2 + movups 32(%esi),%xmm7 + xorps %xmm6,%xmm3 + movups %xmm2,(%edi) + xorps %xmm7,%xmm4 + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + jmp L042ctr32_ret +.align 4,0x90 +L046ctr32_four: + call __aesni_encrypt4 + movups (%esi),%xmm6 + movups 16(%esi),%xmm7 + movups 32(%esi),%xmm1 + xorps %xmm6,%xmm2 + movups 48(%esi),%xmm0 + xorps %xmm7,%xmm3 + movups %xmm2,(%edi) + xorps %xmm1,%xmm4 + movups %xmm3,16(%edi) + xorps %xmm0,%xmm5 + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) +L042ctr32_ret: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + movdqa %xmm0,32(%esp) + pxor %xmm5,%xmm5 + movdqa %xmm0,48(%esp) + pxor %xmm6,%xmm6 + movdqa %xmm0,64(%esp) + pxor %xmm7,%xmm7 + movl 80(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _aes_hw_xts_encrypt +.private_extern _aes_hw_xts_encrypt +.align 4 +_aes_hw_xts_encrypt: +L_aes_hw_xts_encrypt_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 36(%esp),%edx + movl 40(%esp),%esi + movl 240(%edx),%ecx + movups (%esi),%xmm2 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L048enc1_loop_8: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L048enc1_loop_8 +.byte 102,15,56,221,209 + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl 32(%esp),%edx + movl %esp,%ebp + subl $120,%esp + movl 240(%edx),%ecx + andl $-16,%esp + movl $135,96(%esp) + movl $0,100(%esp) + movl $1,104(%esp) + movl $0,108(%esp) + movl %eax,112(%esp) + movl %ebp,116(%esp) + movdqa %xmm2,%xmm1 + pxor %xmm0,%xmm0 + movdqa 96(%esp),%xmm3 + pcmpgtd %xmm1,%xmm0 + andl $-16,%eax + movl %edx,%ebp + movl %ecx,%ebx + subl $96,%eax + jc L049xts_enc_short + shll $4,%ecx + movl $16,%ebx + subl %ecx,%ebx + leal 32(%edx,%ecx,1),%edx + jmp L050xts_enc_loop6 +.align 4,0x90 +L050xts_enc_loop6: + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 
+ pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,16(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,32(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,48(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm7 + movdqa %xmm1,64(%esp) + paddq %xmm1,%xmm1 + movups (%ebp),%xmm0 + pand %xmm3,%xmm7 + movups (%esi),%xmm2 + pxor %xmm1,%xmm7 + movl %ebx,%ecx + movdqu 16(%esi),%xmm3 + xorps %xmm0,%xmm2 + movdqu 32(%esi),%xmm4 + pxor %xmm0,%xmm3 + movdqu 48(%esi),%xmm5 + pxor %xmm0,%xmm4 + movdqu 64(%esi),%xmm6 + pxor %xmm0,%xmm5 + movdqu 80(%esi),%xmm1 + pxor %xmm0,%xmm6 + leal 96(%esi),%esi + pxor (%esp),%xmm2 + movdqa %xmm7,80(%esp) + pxor %xmm1,%xmm7 + movups 16(%ebp),%xmm1 + pxor 16(%esp),%xmm3 + pxor 32(%esp),%xmm4 +.byte 102,15,56,220,209 + pxor 48(%esp),%xmm5 + pxor 64(%esp),%xmm6 +.byte 102,15,56,220,217 + pxor %xmm0,%xmm7 + movups 32(%ebp),%xmm0 +.byte 102,15,56,220,225 +.byte 102,15,56,220,233 +.byte 102,15,56,220,241 +.byte 102,15,56,220,249 + call L_aesni_encrypt6_enter + movdqa 80(%esp),%xmm1 + pxor %xmm0,%xmm0 + xorps (%esp),%xmm2 + pcmpgtd %xmm1,%xmm0 + xorps 16(%esp),%xmm3 + movups %xmm2,(%edi) + xorps 32(%esp),%xmm4 + movups %xmm3,16(%edi) + xorps 48(%esp),%xmm5 + movups %xmm4,32(%edi) + xorps 64(%esp),%xmm6 + movups %xmm5,48(%edi) + xorps %xmm1,%xmm7 + movups %xmm6,64(%edi) + pshufd $19,%xmm0,%xmm2 + movups %xmm7,80(%edi) + leal 96(%edi),%edi + movdqa 96(%esp),%xmm3 + pxor %xmm0,%xmm0 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + subl $96,%eax + jnc L050xts_enc_loop6 + movl 240(%ebp),%ecx + movl %ebp,%edx + movl %ecx,%ebx +L049xts_enc_short: + addl $96,%eax + jz L051xts_enc_done6x + movdqa %xmm1,%xmm5 + cmpl $32,%eax + jb 
L052xts_enc_one + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + je L053xts_enc_two + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,%xmm6 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + cmpl $64,%eax + jb L054xts_enc_three + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,%xmm7 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + movdqa %xmm5,(%esp) + movdqa %xmm6,16(%esp) + je L055xts_enc_four + movdqa %xmm7,32(%esp) + pshufd $19,%xmm0,%xmm7 + movdqa %xmm1,48(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm7 + pxor %xmm1,%xmm7 + movdqu (%esi),%xmm2 + movdqu 16(%esi),%xmm3 + movdqu 32(%esi),%xmm4 + pxor (%esp),%xmm2 + movdqu 48(%esi),%xmm5 + pxor 16(%esp),%xmm3 + movdqu 64(%esi),%xmm6 + pxor 32(%esp),%xmm4 + leal 80(%esi),%esi + pxor 48(%esp),%xmm5 + movdqa %xmm7,64(%esp) + pxor %xmm7,%xmm6 + call __aesni_encrypt6 + movaps 64(%esp),%xmm1 + xorps (%esp),%xmm2 + xorps 16(%esp),%xmm3 + xorps 32(%esp),%xmm4 + movups %xmm2,(%edi) + xorps 48(%esp),%xmm5 + movups %xmm3,16(%edi) + xorps %xmm1,%xmm6 + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + movups %xmm6,64(%edi) + leal 80(%edi),%edi + jmp L056xts_enc_done +.align 4,0x90 +L052xts_enc_one: + movups (%esi),%xmm2 + leal 16(%esi),%esi + xorps %xmm5,%xmm2 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L057enc1_loop_9: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L057enc1_loop_9 +.byte 102,15,56,221,209 + xorps %xmm5,%xmm2 + movups %xmm2,(%edi) + leal 16(%edi),%edi + movdqa %xmm5,%xmm1 + jmp L056xts_enc_done +.align 4,0x90 +L053xts_enc_two: + movaps %xmm1,%xmm6 + movups (%esi),%xmm2 + movups 16(%esi),%xmm3 + leal 32(%esi),%esi + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + call __aesni_encrypt2 + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + leal 
32(%edi),%edi + movdqa %xmm6,%xmm1 + jmp L056xts_enc_done +.align 4,0x90 +L054xts_enc_three: + movaps %xmm1,%xmm7 + movups (%esi),%xmm2 + movups 16(%esi),%xmm3 + movups 32(%esi),%xmm4 + leal 48(%esi),%esi + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + xorps %xmm7,%xmm4 + call __aesni_encrypt3 + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + xorps %xmm7,%xmm4 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + leal 48(%edi),%edi + movdqa %xmm7,%xmm1 + jmp L056xts_enc_done +.align 4,0x90 +L055xts_enc_four: + movaps %xmm1,%xmm6 + movups (%esi),%xmm2 + movups 16(%esi),%xmm3 + movups 32(%esi),%xmm4 + xorps (%esp),%xmm2 + movups 48(%esi),%xmm5 + leal 64(%esi),%esi + xorps 16(%esp),%xmm3 + xorps %xmm7,%xmm4 + xorps %xmm6,%xmm5 + call __aesni_encrypt4 + xorps (%esp),%xmm2 + xorps 16(%esp),%xmm3 + xorps %xmm7,%xmm4 + movups %xmm2,(%edi) + xorps %xmm6,%xmm5 + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + leal 64(%edi),%edi + movdqa %xmm6,%xmm1 + jmp L056xts_enc_done +.align 4,0x90 +L051xts_enc_done6x: + movl 112(%esp),%eax + andl $15,%eax + jz L058xts_enc_ret + movdqa %xmm1,%xmm5 + movl %eax,112(%esp) + jmp L059xts_enc_steal +.align 4,0x90 +L056xts_enc_done: + movl 112(%esp),%eax + pxor %xmm0,%xmm0 + andl $15,%eax + jz L058xts_enc_ret + pcmpgtd %xmm1,%xmm0 + movl %eax,112(%esp) + pshufd $19,%xmm0,%xmm5 + paddq %xmm1,%xmm1 + pand 96(%esp),%xmm5 + pxor %xmm1,%xmm5 +L059xts_enc_steal: + movzbl (%esi),%ecx + movzbl -16(%edi),%edx + leal 1(%esi),%esi + movb %cl,-16(%edi) + movb %dl,(%edi) + leal 1(%edi),%edi + subl $1,%eax + jnz L059xts_enc_steal + subl 112(%esp),%edi + movl %ebp,%edx + movl %ebx,%ecx + movups -16(%edi),%xmm2 + xorps %xmm5,%xmm2 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L060enc1_loop_10: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L060enc1_loop_10 +.byte 102,15,56,221,209 + xorps %xmm5,%xmm2 + movups %xmm2,-16(%edi) +L058xts_enc_ret: + pxor 
%xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + movdqa %xmm0,(%esp) + pxor %xmm3,%xmm3 + movdqa %xmm0,16(%esp) + pxor %xmm4,%xmm4 + movdqa %xmm0,32(%esp) + pxor %xmm5,%xmm5 + movdqa %xmm0,48(%esp) + pxor %xmm6,%xmm6 + movdqa %xmm0,64(%esp) + pxor %xmm7,%xmm7 + movdqa %xmm0,80(%esp) + movl 116(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _aes_hw_xts_decrypt +.private_extern _aes_hw_xts_decrypt +.align 4 +_aes_hw_xts_decrypt: +L_aes_hw_xts_decrypt_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 36(%esp),%edx + movl 40(%esp),%esi + movl 240(%edx),%ecx + movups (%esi),%xmm2 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L061enc1_loop_11: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L061enc1_loop_11 +.byte 102,15,56,221,209 + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl 32(%esp),%edx + movl %esp,%ebp + subl $120,%esp + andl $-16,%esp + xorl %ebx,%ebx + testl $15,%eax + setnz %bl + shll $4,%ebx + subl %ebx,%eax + movl $135,96(%esp) + movl $0,100(%esp) + movl $1,104(%esp) + movl $0,108(%esp) + movl %eax,112(%esp) + movl %ebp,116(%esp) + movl 240(%edx),%ecx + movl %edx,%ebp + movl %ecx,%ebx + movdqa %xmm2,%xmm1 + pxor %xmm0,%xmm0 + movdqa 96(%esp),%xmm3 + pcmpgtd %xmm1,%xmm0 + andl $-16,%eax + subl $96,%eax + jc L062xts_dec_short + shll $4,%ecx + movl $16,%ebx + subl %ecx,%ebx + leal 32(%edx,%ecx,1),%edx + jmp L063xts_dec_loop6 +.align 4,0x90 +L063xts_dec_loop6: + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,16(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,32(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm2 
+ pxor %xmm0,%xmm0 + movdqa %xmm1,48(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + pshufd $19,%xmm0,%xmm7 + movdqa %xmm1,64(%esp) + paddq %xmm1,%xmm1 + movups (%ebp),%xmm0 + pand %xmm3,%xmm7 + movups (%esi),%xmm2 + pxor %xmm1,%xmm7 + movl %ebx,%ecx + movdqu 16(%esi),%xmm3 + xorps %xmm0,%xmm2 + movdqu 32(%esi),%xmm4 + pxor %xmm0,%xmm3 + movdqu 48(%esi),%xmm5 + pxor %xmm0,%xmm4 + movdqu 64(%esi),%xmm6 + pxor %xmm0,%xmm5 + movdqu 80(%esi),%xmm1 + pxor %xmm0,%xmm6 + leal 96(%esi),%esi + pxor (%esp),%xmm2 + movdqa %xmm7,80(%esp) + pxor %xmm1,%xmm7 + movups 16(%ebp),%xmm1 + pxor 16(%esp),%xmm3 + pxor 32(%esp),%xmm4 +.byte 102,15,56,222,209 + pxor 48(%esp),%xmm5 + pxor 64(%esp),%xmm6 +.byte 102,15,56,222,217 + pxor %xmm0,%xmm7 + movups 32(%ebp),%xmm0 +.byte 102,15,56,222,225 +.byte 102,15,56,222,233 +.byte 102,15,56,222,241 +.byte 102,15,56,222,249 + call L_aesni_decrypt6_enter + movdqa 80(%esp),%xmm1 + pxor %xmm0,%xmm0 + xorps (%esp),%xmm2 + pcmpgtd %xmm1,%xmm0 + xorps 16(%esp),%xmm3 + movups %xmm2,(%edi) + xorps 32(%esp),%xmm4 + movups %xmm3,16(%edi) + xorps 48(%esp),%xmm5 + movups %xmm4,32(%edi) + xorps 64(%esp),%xmm6 + movups %xmm5,48(%edi) + xorps %xmm1,%xmm7 + movups %xmm6,64(%edi) + pshufd $19,%xmm0,%xmm2 + movups %xmm7,80(%edi) + leal 96(%edi),%edi + movdqa 96(%esp),%xmm3 + pxor %xmm0,%xmm0 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + subl $96,%eax + jnc L063xts_dec_loop6 + movl 240(%ebp),%ecx + movl %ebp,%edx + movl %ecx,%ebx +L062xts_dec_short: + addl $96,%eax + jz L064xts_dec_done6x + movdqa %xmm1,%xmm5 + cmpl $32,%eax + jb L065xts_dec_one + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + je L066xts_dec_two + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,%xmm6 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + cmpl $64,%eax + jb L067xts_dec_three + pshufd 
$19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa %xmm1,%xmm7 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 + movdqa %xmm5,(%esp) + movdqa %xmm6,16(%esp) + je L068xts_dec_four + movdqa %xmm7,32(%esp) + pshufd $19,%xmm0,%xmm7 + movdqa %xmm1,48(%esp) + paddq %xmm1,%xmm1 + pand %xmm3,%xmm7 + pxor %xmm1,%xmm7 + movdqu (%esi),%xmm2 + movdqu 16(%esi),%xmm3 + movdqu 32(%esi),%xmm4 + pxor (%esp),%xmm2 + movdqu 48(%esi),%xmm5 + pxor 16(%esp),%xmm3 + movdqu 64(%esi),%xmm6 + pxor 32(%esp),%xmm4 + leal 80(%esi),%esi + pxor 48(%esp),%xmm5 + movdqa %xmm7,64(%esp) + pxor %xmm7,%xmm6 + call __aesni_decrypt6 + movaps 64(%esp),%xmm1 + xorps (%esp),%xmm2 + xorps 16(%esp),%xmm3 + xorps 32(%esp),%xmm4 + movups %xmm2,(%edi) + xorps 48(%esp),%xmm5 + movups %xmm3,16(%edi) + xorps %xmm1,%xmm6 + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + movups %xmm6,64(%edi) + leal 80(%edi),%edi + jmp L069xts_dec_done +.align 4,0x90 +L065xts_dec_one: + movups (%esi),%xmm2 + leal 16(%esi),%esi + xorps %xmm5,%xmm2 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L070dec1_loop_12: +.byte 102,15,56,222,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L070dec1_loop_12 +.byte 102,15,56,223,209 + xorps %xmm5,%xmm2 + movups %xmm2,(%edi) + leal 16(%edi),%edi + movdqa %xmm5,%xmm1 + jmp L069xts_dec_done +.align 4,0x90 +L066xts_dec_two: + movaps %xmm1,%xmm6 + movups (%esi),%xmm2 + movups 16(%esi),%xmm3 + leal 32(%esi),%esi + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + call __aesni_decrypt2 + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + leal 32(%edi),%edi + movdqa %xmm6,%xmm1 + jmp L069xts_dec_done +.align 4,0x90 +L067xts_dec_three: + movaps %xmm1,%xmm7 + movups (%esi),%xmm2 + movups 16(%esi),%xmm3 + movups 32(%esi),%xmm4 + leal 48(%esi),%esi + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + xorps %xmm7,%xmm4 + call __aesni_decrypt3 + xorps %xmm5,%xmm2 + xorps %xmm6,%xmm3 + xorps %xmm7,%xmm4 + movups 
%xmm2,(%edi) + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + leal 48(%edi),%edi + movdqa %xmm7,%xmm1 + jmp L069xts_dec_done +.align 4,0x90 +L068xts_dec_four: + movaps %xmm1,%xmm6 + movups (%esi),%xmm2 + movups 16(%esi),%xmm3 + movups 32(%esi),%xmm4 + xorps (%esp),%xmm2 + movups 48(%esi),%xmm5 + leal 64(%esi),%esi + xorps 16(%esp),%xmm3 + xorps %xmm7,%xmm4 + xorps %xmm6,%xmm5 + call __aesni_decrypt4 + xorps (%esp),%xmm2 + xorps 16(%esp),%xmm3 + xorps %xmm7,%xmm4 + movups %xmm2,(%edi) + xorps %xmm6,%xmm5 + movups %xmm3,16(%edi) + movups %xmm4,32(%edi) + movups %xmm5,48(%edi) + leal 64(%edi),%edi + movdqa %xmm6,%xmm1 + jmp L069xts_dec_done +.align 4,0x90 +L064xts_dec_done6x: + movl 112(%esp),%eax + andl $15,%eax + jz L071xts_dec_ret + movl %eax,112(%esp) + jmp L072xts_dec_only_one_more +.align 4,0x90 +L069xts_dec_done: + movl 112(%esp),%eax + pxor %xmm0,%xmm0 + andl $15,%eax + jz L071xts_dec_ret + pcmpgtd %xmm1,%xmm0 + movl %eax,112(%esp) + pshufd $19,%xmm0,%xmm2 + pxor %xmm0,%xmm0 + movdqa 96(%esp),%xmm3 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm2 + pcmpgtd %xmm1,%xmm0 + pxor %xmm2,%xmm1 +L072xts_dec_only_one_more: + pshufd $19,%xmm0,%xmm5 + movdqa %xmm1,%xmm6 + paddq %xmm1,%xmm1 + pand %xmm3,%xmm5 + pxor %xmm1,%xmm5 + movl %ebp,%edx + movl %ebx,%ecx + movups (%esi),%xmm2 + xorps %xmm5,%xmm2 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L073dec1_loop_13: +.byte 102,15,56,222,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L073dec1_loop_13 +.byte 102,15,56,223,209 + xorps %xmm5,%xmm2 + movups %xmm2,(%edi) +L074xts_dec_steal: + movzbl 16(%esi),%ecx + movzbl (%edi),%edx + leal 1(%esi),%esi + movb %cl,(%edi) + movb %dl,16(%edi) + leal 1(%edi),%edi + subl $1,%eax + jnz L074xts_dec_steal + subl 112(%esp),%edi + movl %ebp,%edx + movl %ebx,%ecx + movups (%edi),%xmm2 + xorps %xmm6,%xmm2 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps %xmm0,%xmm2 +L075dec1_loop_14: +.byte 102,15,56,222,209 + 
decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L075dec1_loop_14 +.byte 102,15,56,223,209 + xorps %xmm6,%xmm2 + movups %xmm2,(%edi) +L071xts_dec_ret: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + movdqa %xmm0,(%esp) + pxor %xmm3,%xmm3 + movdqa %xmm0,16(%esp) + pxor %xmm4,%xmm4 + movdqa %xmm0,32(%esp) + pxor %xmm5,%xmm5 + movdqa %xmm0,48(%esp) + pxor %xmm6,%xmm6 + movdqa %xmm0,64(%esp) + pxor %xmm7,%xmm7 + movdqa %xmm0,80(%esp) + movl 116(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _aes_hw_cbc_encrypt +.private_extern _aes_hw_cbc_encrypt +.align 4 +_aes_hw_cbc_encrypt: +L_aes_hw_cbc_encrypt_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl %esp,%ebx + movl 24(%esp),%edi + subl $24,%ebx + movl 28(%esp),%eax + andl $-16,%ebx + movl 32(%esp),%edx + movl 36(%esp),%ebp + testl %eax,%eax + jz L076cbc_abort + cmpl $0,40(%esp) + xchgl %esp,%ebx + movups (%ebp),%xmm7 + movl 240(%edx),%ecx + movl %edx,%ebp + movl %ebx,16(%esp) + movl %ecx,%ebx + je L077cbc_decrypt + movaps %xmm7,%xmm2 + cmpl $16,%eax + jb L078cbc_enc_tail + subl $16,%eax + jmp L079cbc_enc_loop +.align 4,0x90 +L079cbc_enc_loop: + movups (%esi),%xmm7 + leal 16(%esi),%esi + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + xorps %xmm0,%xmm7 + leal 32(%edx),%edx + xorps %xmm7,%xmm2 +L080enc1_loop_15: +.byte 102,15,56,220,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L080enc1_loop_15 +.byte 102,15,56,221,209 + movl %ebx,%ecx + movl %ebp,%edx + movups %xmm2,(%edi) + leal 16(%edi),%edi + subl $16,%eax + jnc L079cbc_enc_loop + addl $16,%eax + jnz L078cbc_enc_tail + movaps %xmm2,%xmm7 + pxor %xmm2,%xmm2 + jmp L081cbc_ret +L078cbc_enc_tail: + movl %eax,%ecx +.long 2767451785 + movl $16,%ecx + subl %eax,%ecx + xorl %eax,%eax +.long 2868115081 + leal -16(%edi),%edi + movl %ebx,%ecx + movl %edi,%esi + movl %ebp,%edx + jmp L079cbc_enc_loop +.align 4,0x90 +L077cbc_decrypt: + cmpl $80,%eax + jbe L082cbc_dec_tail + movaps 
%xmm7,(%esp) + subl $80,%eax + jmp L083cbc_dec_loop6_enter +.align 4,0x90 +L084cbc_dec_loop6: + movaps %xmm0,(%esp) + movups %xmm7,(%edi) + leal 16(%edi),%edi +L083cbc_dec_loop6_enter: + movdqu (%esi),%xmm2 + movdqu 16(%esi),%xmm3 + movdqu 32(%esi),%xmm4 + movdqu 48(%esi),%xmm5 + movdqu 64(%esi),%xmm6 + movdqu 80(%esi),%xmm7 + call __aesni_decrypt6 + movups (%esi),%xmm1 + movups 16(%esi),%xmm0 + xorps (%esp),%xmm2 + xorps %xmm1,%xmm3 + movups 32(%esi),%xmm1 + xorps %xmm0,%xmm4 + movups 48(%esi),%xmm0 + xorps %xmm1,%xmm5 + movups 64(%esi),%xmm1 + xorps %xmm0,%xmm6 + movups 80(%esi),%xmm0 + xorps %xmm1,%xmm7 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + leal 96(%esi),%esi + movups %xmm4,32(%edi) + movl %ebx,%ecx + movups %xmm5,48(%edi) + movl %ebp,%edx + movups %xmm6,64(%edi) + leal 80(%edi),%edi + subl $96,%eax + ja L084cbc_dec_loop6 + movaps %xmm7,%xmm2 + movaps %xmm0,%xmm7 + addl $80,%eax + jle L085cbc_dec_clear_tail_collected + movups %xmm2,(%edi) + leal 16(%edi),%edi +L082cbc_dec_tail: + movups (%esi),%xmm2 + movaps %xmm2,%xmm6 + cmpl $16,%eax + jbe L086cbc_dec_one + movups 16(%esi),%xmm3 + movaps %xmm3,%xmm5 + cmpl $32,%eax + jbe L087cbc_dec_two + movups 32(%esi),%xmm4 + cmpl $48,%eax + jbe L088cbc_dec_three + movups 48(%esi),%xmm5 + cmpl $64,%eax + jbe L089cbc_dec_four + movups 64(%esi),%xmm6 + movaps %xmm7,(%esp) + movups (%esi),%xmm2 + xorps %xmm7,%xmm7 + call __aesni_decrypt6 + movups (%esi),%xmm1 + movups 16(%esi),%xmm0 + xorps (%esp),%xmm2 + xorps %xmm1,%xmm3 + movups 32(%esi),%xmm1 + xorps %xmm0,%xmm4 + movups 48(%esi),%xmm0 + xorps %xmm1,%xmm5 + movups 64(%esi),%xmm7 + xorps %xmm0,%xmm6 + movups %xmm2,(%edi) + movups %xmm3,16(%edi) + pxor %xmm3,%xmm3 + movups %xmm4,32(%edi) + pxor %xmm4,%xmm4 + movups %xmm5,48(%edi) + pxor %xmm5,%xmm5 + leal 64(%edi),%edi + movaps %xmm6,%xmm2 + pxor %xmm6,%xmm6 + subl $80,%eax + jmp L090cbc_dec_tail_collected +.align 4,0x90 +L086cbc_dec_one: + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + leal 32(%edx),%edx + xorps 
%xmm0,%xmm2 +L091dec1_loop_16: +.byte 102,15,56,222,209 + decl %ecx + movups (%edx),%xmm1 + leal 16(%edx),%edx + jnz L091dec1_loop_16 +.byte 102,15,56,223,209 + xorps %xmm7,%xmm2 + movaps %xmm6,%xmm7 + subl $16,%eax + jmp L090cbc_dec_tail_collected +.align 4,0x90 +L087cbc_dec_two: + call __aesni_decrypt2 + xorps %xmm7,%xmm2 + xorps %xmm6,%xmm3 + movups %xmm2,(%edi) + movaps %xmm3,%xmm2 + pxor %xmm3,%xmm3 + leal 16(%edi),%edi + movaps %xmm5,%xmm7 + subl $32,%eax + jmp L090cbc_dec_tail_collected +.align 4,0x90 +L088cbc_dec_three: + call __aesni_decrypt3 + xorps %xmm7,%xmm2 + xorps %xmm6,%xmm3 + xorps %xmm5,%xmm4 + movups %xmm2,(%edi) + movaps %xmm4,%xmm2 + pxor %xmm4,%xmm4 + movups %xmm3,16(%edi) + pxor %xmm3,%xmm3 + leal 32(%edi),%edi + movups 32(%esi),%xmm7 + subl $48,%eax + jmp L090cbc_dec_tail_collected +.align 4,0x90 +L089cbc_dec_four: + call __aesni_decrypt4 + movups 16(%esi),%xmm1 + movups 32(%esi),%xmm0 + xorps %xmm7,%xmm2 + movups 48(%esi),%xmm7 + xorps %xmm6,%xmm3 + movups %xmm2,(%edi) + xorps %xmm1,%xmm4 + movups %xmm3,16(%edi) + pxor %xmm3,%xmm3 + xorps %xmm0,%xmm5 + movups %xmm4,32(%edi) + pxor %xmm4,%xmm4 + leal 48(%edi),%edi + movaps %xmm5,%xmm2 + pxor %xmm5,%xmm5 + subl $64,%eax + jmp L090cbc_dec_tail_collected +.align 4,0x90 +L085cbc_dec_clear_tail_collected: + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 +L090cbc_dec_tail_collected: + andl $15,%eax + jnz L092cbc_dec_tail_partial + movups %xmm2,(%edi) + pxor %xmm0,%xmm0 + jmp L081cbc_ret +.align 4,0x90 +L092cbc_dec_tail_partial: + movaps %xmm2,(%esp) + pxor %xmm0,%xmm0 + movl $16,%ecx + movl %esp,%esi + subl %eax,%ecx +.long 2767451785 + movdqa %xmm2,(%esp) +L081cbc_ret: + movl 16(%esp),%esp + movl 36(%esp),%ebp + pxor %xmm2,%xmm2 + pxor %xmm1,%xmm1 + movups %xmm7,(%ebp) + pxor %xmm7,%xmm7 +L076cbc_abort: + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _aes_hw_set_encrypt_key_base +.private_extern _aes_hw_set_encrypt_key_base +.align 4 
+_aes_hw_set_encrypt_key_base: +L_aes_hw_set_encrypt_key_base_begin: +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call L093pic_for_function_hit +L093pic_for_function_hit: + popl %ebx + leal _BORINGSSL_function_hit+3-L093pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx + pushl %ebx + call L094pic +L094pic: + popl %ebx + leal Lkey_const-L094pic(%ebx),%ebx + movups (%eax),%xmm0 + xorps %xmm4,%xmm4 + leal 16(%edx),%edx + cmpl $256,%ecx + je L09514rounds + cmpl $192,%ecx + je L09612rounds + cmpl $128,%ecx + jne L097bad_keybits +.align 4,0x90 +L09810rounds: + movl $9,%ecx + movups %xmm0,-16(%edx) +.byte 102,15,58,223,200,1 + call L099key_128_cold +.byte 102,15,58,223,200,2 + call L100key_128 +.byte 102,15,58,223,200,4 + call L100key_128 +.byte 102,15,58,223,200,8 + call L100key_128 +.byte 102,15,58,223,200,16 + call L100key_128 +.byte 102,15,58,223,200,32 + call L100key_128 +.byte 102,15,58,223,200,64 + call L100key_128 +.byte 102,15,58,223,200,128 + call L100key_128 +.byte 102,15,58,223,200,27 + call L100key_128 +.byte 102,15,58,223,200,54 + call L100key_128 + movups %xmm0,(%edx) + movl %ecx,80(%edx) + jmp L101good_key +.align 4,0x90 +L100key_128: + movups %xmm0,(%edx) + leal 16(%edx),%edx +L099key_128_cold: + shufps $16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + ret +.align 4,0x90 +L09612rounds: + movq 16(%eax),%xmm2 + movl $11,%ecx + movups %xmm0,-16(%edx) +.byte 102,15,58,223,202,1 + call L102key_192a_cold +.byte 102,15,58,223,202,2 + call L103key_192b +.byte 102,15,58,223,202,4 + call L104key_192a +.byte 102,15,58,223,202,8 + call L103key_192b +.byte 102,15,58,223,202,16 + call L104key_192a +.byte 102,15,58,223,202,32 + call L103key_192b +.byte 102,15,58,223,202,64 + call L104key_192a +.byte 102,15,58,223,202,128 + call L103key_192b + movups %xmm0,(%edx) + movl 
%ecx,48(%edx) + jmp L101good_key +.align 4,0x90 +L104key_192a: + movups %xmm0,(%edx) + leal 16(%edx),%edx +.align 4,0x90 +L102key_192a_cold: + movaps %xmm2,%xmm5 +L105key_192b_warm: + shufps $16,%xmm0,%xmm4 + movdqa %xmm2,%xmm3 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + pslldq $4,%xmm3 + xorps %xmm4,%xmm0 + pshufd $85,%xmm1,%xmm1 + pxor %xmm3,%xmm2 + pxor %xmm1,%xmm0 + pshufd $255,%xmm0,%xmm3 + pxor %xmm3,%xmm2 + ret +.align 4,0x90 +L103key_192b: + movaps %xmm0,%xmm3 + shufps $68,%xmm0,%xmm5 + movups %xmm5,(%edx) + shufps $78,%xmm2,%xmm3 + movups %xmm3,16(%edx) + leal 32(%edx),%edx + jmp L105key_192b_warm +.align 4,0x90 +L09514rounds: + movups 16(%eax),%xmm2 + leal 16(%edx),%edx + movl $13,%ecx + movups %xmm0,-32(%edx) + movups %xmm2,-16(%edx) +.byte 102,15,58,223,202,1 + call L106key_256a_cold +.byte 102,15,58,223,200,1 + call L107key_256b +.byte 102,15,58,223,202,2 + call L108key_256a +.byte 102,15,58,223,200,2 + call L107key_256b +.byte 102,15,58,223,202,4 + call L108key_256a +.byte 102,15,58,223,200,4 + call L107key_256b +.byte 102,15,58,223,202,8 + call L108key_256a +.byte 102,15,58,223,200,8 + call L107key_256b +.byte 102,15,58,223,202,16 + call L108key_256a +.byte 102,15,58,223,200,16 + call L107key_256b +.byte 102,15,58,223,202,32 + call L108key_256a +.byte 102,15,58,223,200,32 + call L107key_256b +.byte 102,15,58,223,202,64 + call L108key_256a + movups %xmm0,(%edx) + movl %ecx,16(%edx) + xorl %eax,%eax + jmp L101good_key +.align 4,0x90 +L108key_256a: + movups %xmm2,(%edx) + leal 16(%edx),%edx +L106key_256a_cold: + shufps $16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + ret +.align 4,0x90 +L107key_256b: + movups %xmm0,(%edx) + leal 16(%edx),%edx + shufps $16,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $140,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $170,%xmm1,%xmm1 + xorps %xmm1,%xmm2 + ret +L101good_key: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor 
%xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + xorl %eax,%eax + popl %ebx + ret +.align 2,0x90 +L097bad_keybits: + pxor %xmm0,%xmm0 + movl $-2,%eax + popl %ebx + ret +.globl _aes_hw_set_encrypt_key_alt +.private_extern _aes_hw_set_encrypt_key_alt +.align 4 +_aes_hw_set_encrypt_key_alt: +L_aes_hw_set_encrypt_key_alt_begin: +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call L109pic_for_function_hit +L109pic_for_function_hit: + popl %ebx + leal _BORINGSSL_function_hit+3-L109pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx + pushl %ebx + call L110pic +L110pic: + popl %ebx + leal Lkey_const-L110pic(%ebx),%ebx + movups (%eax),%xmm0 + xorps %xmm4,%xmm4 + leal 16(%edx),%edx + cmpl $256,%ecx + je L11114rounds_alt + cmpl $192,%ecx + je L11212rounds_alt + cmpl $128,%ecx + jne L113bad_keybits +.align 4,0x90 +L11410rounds_alt: + movdqa (%ebx),%xmm5 + movl $8,%ecx + movdqa 32(%ebx),%xmm4 + movdqa %xmm0,%xmm2 + movdqu %xmm0,-16(%edx) +L115loop_key128: +.byte 102,15,56,0,197 +.byte 102,15,56,221,196 + pslld $1,%xmm4 + leal 16(%edx),%edx + movdqa %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm3,%xmm2 + pxor %xmm2,%xmm0 + movdqu %xmm0,-16(%edx) + movdqa %xmm0,%xmm2 + decl %ecx + jnz L115loop_key128 + movdqa 48(%ebx),%xmm4 +.byte 102,15,56,0,197 +.byte 102,15,56,221,196 + pslld $1,%xmm4 + movdqa %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm3,%xmm2 + pxor %xmm2,%xmm0 + movdqu %xmm0,(%edx) + movdqa %xmm0,%xmm2 +.byte 102,15,56,0,197 +.byte 102,15,56,221,196 + movdqa %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm3,%xmm2 + pxor %xmm2,%xmm0 + movdqu %xmm0,16(%edx) + movl $9,%ecx + movl %ecx,96(%edx) + jmp L116good_key +.align 4,0x90 +L11212rounds_alt: + movq 
16(%eax),%xmm2 + movdqa 16(%ebx),%xmm5 + movdqa 32(%ebx),%xmm4 + movl $8,%ecx + movdqu %xmm0,-16(%edx) +L117loop_key192: + movq %xmm2,(%edx) + movdqa %xmm2,%xmm1 +.byte 102,15,56,0,213 +.byte 102,15,56,221,212 + pslld $1,%xmm4 + leal 24(%edx),%edx + movdqa %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm3,%xmm0 + pshufd $255,%xmm0,%xmm3 + pxor %xmm1,%xmm3 + pslldq $4,%xmm1 + pxor %xmm1,%xmm3 + pxor %xmm2,%xmm0 + pxor %xmm3,%xmm2 + movdqu %xmm0,-16(%edx) + decl %ecx + jnz L117loop_key192 + movl $11,%ecx + movl %ecx,32(%edx) + jmp L116good_key +.align 4,0x90 +L11114rounds_alt: + movups 16(%eax),%xmm2 + leal 16(%edx),%edx + movdqa (%ebx),%xmm5 + movdqa 32(%ebx),%xmm4 + movl $7,%ecx + movdqu %xmm0,-32(%edx) + movdqa %xmm2,%xmm1 + movdqu %xmm2,-16(%edx) +L118loop_key256: +.byte 102,15,56,0,213 +.byte 102,15,56,221,212 + movdqa %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm3,%xmm0 + pslld $1,%xmm4 + pxor %xmm2,%xmm0 + movdqu %xmm0,(%edx) + decl %ecx + jz L119done_key256 + pshufd $255,%xmm0,%xmm2 + pxor %xmm3,%xmm3 +.byte 102,15,56,221,211 + movdqa %xmm1,%xmm3 + pslldq $4,%xmm1 + pxor %xmm1,%xmm3 + pslldq $4,%xmm1 + pxor %xmm1,%xmm3 + pslldq $4,%xmm1 + pxor %xmm3,%xmm1 + pxor %xmm1,%xmm2 + movdqu %xmm2,16(%edx) + leal 32(%edx),%edx + movdqa %xmm2,%xmm1 + jmp L118loop_key256 +L119done_key256: + movl $13,%ecx + movl %ecx,16(%edx) +L116good_key: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + xorl %eax,%eax + popl %ebx + ret +.align 2,0x90 +L113bad_keybits: + pxor %xmm0,%xmm0 + movl $-2,%eax + popl %ebx + ret +.globl _aes_hw_encrypt_key_to_decrypt_key +.private_extern _aes_hw_encrypt_key_to_decrypt_key +.align 4 +_aes_hw_encrypt_key_to_decrypt_key: +L_aes_hw_encrypt_key_to_decrypt_key_begin: + movl 4(%esp),%edx + movl 240(%edx),%ecx + shll $4,%ecx + leal 16(%edx,%ecx,1),%eax 
+ movups (%edx),%xmm0 + movups (%eax),%xmm1 + movups %xmm0,(%eax) + movups %xmm1,(%edx) + leal 16(%edx),%edx + leal -16(%eax),%eax +L120dec_key_inverse: + movups (%edx),%xmm0 + movups (%eax),%xmm1 +.byte 102,15,56,219,192 +.byte 102,15,56,219,201 + leal 16(%edx),%edx + leal -16(%eax),%eax + movups %xmm0,16(%eax) + movups %xmm1,-16(%edx) + cmpl %edx,%eax + ja L120dec_key_inverse + movups (%edx),%xmm0 +.byte 102,15,56,219,192 + movups %xmm0,(%edx) + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + ret +.align 6,0x90 +Lkey_const: +.long 202313229,202313229,202313229,202313229 +.long 67569157,67569157,67569157,67569157 +.long 1,1,1,1 +.long 27,27,27,27 +.byte 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69 +.byte 83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83 +.byte 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 +.byte 115,108,46,111,114,103,62,0 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86-linux.S similarity index 93% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/aesni-x86-linux.S index 548a6bfaa..7fe461c43 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -18,10 +17,10 @@ aes_hw_encrypt: #ifdef BORINGSSL_DISPATCH_TEST pushl %ebx pushl %edx - call .L000pic -.L000pic: + call .L000pic_for_function_hit +.L000pic_for_function_hit: popl %ebx - leal BORINGSSL_function_hit+1-.L000pic(%ebx),%ebx + leal BORINGSSL_function_hit+1-.L000pic_for_function_hit(%ebx),%ebx movl $1,%edx movb %dl,(%ebx) popl %edx @@ -849,10 +848,10 @@ aes_hw_ctr32_encrypt_blocks: #ifdef BORINGSSL_DISPATCH_TEST pushl %ebx pushl %edx - call .L038pic -.L038pic: + call .L038pic_for_function_hit +.L038pic_for_function_hit: popl %ebx - leal BORINGSSL_function_hit+0-.L038pic(%ebx),%ebx + leal BORINGSSL_function_hit+0-.L038pic_for_function_hit(%ebx),%ebx movl $1,%edx movb %dl,(%ebx) popl %edx @@ -2101,26 +2100,35 @@ aes_hw_cbc_encrypt: popl %ebp ret .size aes_hw_cbc_encrypt,.-.L_aes_hw_cbc_encrypt_begin -.hidden _aesni_set_encrypt_key -.type _aesni_set_encrypt_key,@function +.globl aes_hw_set_encrypt_key_base +.hidden aes_hw_set_encrypt_key_base +.type aes_hw_set_encrypt_key_base,@function .align 16 -_aesni_set_encrypt_key: - pushl %ebp +aes_hw_set_encrypt_key_base: +.L_aes_hw_set_encrypt_key_base_begin: +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call .L093pic_for_function_hit +.L093pic_for_function_hit: + popl %ebx + leal BORINGSSL_function_hit+3-.L093pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx pushl %ebx - testl %eax,%eax - jz .L093bad_pointer - testl %edx,%edx - jz .L093bad_pointer call .L094pic .L094pic: popl %ebx leal .Lkey_const-.L094pic(%ebx),%ebx - leal OPENSSL_ia32cap_P-.Lkey_const(%ebx),%ebp movups (%eax),%xmm0 xorps %xmm4,%xmm4 - movl 4(%ebp),%ebp leal 16(%edx),%edx - andl $268437504,%ebp cmpl $256,%ecx je .L09514rounds cmpl $192,%ecx 
@@ -2129,38 +2137,36 @@ _aesni_set_encrypt_key: jne .L097bad_keybits .align 16 .L09810rounds: - cmpl $268435456,%ebp - je .L09910rounds_alt movl $9,%ecx movups %xmm0,-16(%edx) .byte 102,15,58,223,200,1 - call .L100key_128_cold + call .L099key_128_cold .byte 102,15,58,223,200,2 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,4 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,8 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,16 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,32 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,64 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,128 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,27 - call .L101key_128 + call .L100key_128 .byte 102,15,58,223,200,54 - call .L101key_128 + call .L100key_128 movups %xmm0,(%edx) movl %ecx,80(%edx) - jmp .L102good_key + jmp .L101good_key .align 16 -.L101key_128: +.L100key_128: movups %xmm0,(%edx) leal 16(%edx),%edx -.L100key_128_cold: +.L099key_128_cold: shufps $16,%xmm0,%xmm4 xorps %xmm4,%xmm0 shufps $140,%xmm0,%xmm4 
@@ -2169,91 +2175,37 @@ _aesni_set_encrypt_key: xorps %xmm1,%xmm0 ret .align 16 -.L09910rounds_alt: - movdqa (%ebx),%xmm5 - movl $8,%ecx - movdqa 32(%ebx),%xmm4 - movdqa %xmm0,%xmm2 - movdqu %xmm0,-16(%edx) -.L103loop_key128: -.byte 102,15,56,0,197 -.byte 102,15,56,221,196 - pslld $1,%xmm4 - leal 16(%edx),%edx - movdqa %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm3,%xmm2 - pxor %xmm2,%xmm0 - movdqu %xmm0,-16(%edx) - movdqa %xmm0,%xmm2 - decl %ecx - jnz .L103loop_key128 - movdqa 48(%ebx),%xmm4 -.byte 102,15,56,0,197 -.byte 102,15,56,221,196 - pslld $1,%xmm4 - movdqa %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm3,%xmm2 - pxor %xmm2,%xmm0 - movdqu %xmm0,(%edx) - movdqa %xmm0,%xmm2 -.byte 102,15,56,0,197 -.byte 102,15,56,221,196 - movdqa %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm2,%xmm3 - pslldq $4,%xmm2 - pxor %xmm3,%xmm2 - pxor %xmm2,%xmm0 - movdqu %xmm0,16(%edx) - movl $9,%ecx - movl %ecx,96(%edx) - jmp .L102good_key -.align 16 .L09612rounds: movq 16(%eax),%xmm2 - cmpl $268435456,%ebp - je .L10412rounds_alt movl $11,%ecx movups %xmm0,-16(%edx) .byte 102,15,58,223,202,1 - call .L105key_192a_cold + call .L102key_192a_cold .byte 102,15,58,223,202,2 - call .L106key_192b + call .L103key_192b .byte 102,15,58,223,202,4 - call .L107key_192a + call .L104key_192a .byte 102,15,58,223,202,8 - call .L106key_192b + call .L103key_192b .byte 102,15,58,223,202,16 - call .L107key_192a + call .L104key_192a .byte 102,15,58,223,202,32 - call .L106key_192b + call .L103key_192b .byte 102,15,58,223,202,64 - call .L107key_192a + call .L104key_192a .byte 102,15,58,223,202,128 - call .L106key_192b + call .L103key_192b movups %xmm0,(%edx) movl %ecx,48(%edx) - jmp .L102good_key + jmp .L101good_key .align 16 -.L107key_192a: +.L104key_192a: movups %xmm0,(%edx) leal 16(%edx),%edx .align 16 -.L105key_192a_cold: 
+.L102key_192a_cold: movaps %xmm2,%xmm5 -.L108key_192b_warm: +.L105key_192b_warm: shufps $16,%xmm0,%xmm4 movdqa %xmm2,%xmm3 xorps %xmm4,%xmm0 
@@ -2267,90 +2219,56 @@ _aesni_set_encrypt_key: pxor %xmm3,%xmm2 ret .align 16 -.L106key_192b: +.L103key_192b: movaps %xmm0,%xmm3 shufps $68,%xmm0,%xmm5 movups %xmm5,(%edx) shufps $78,%xmm2,%xmm3 movups %xmm3,16(%edx) leal 32(%edx),%edx - jmp .L108key_192b_warm -.align 16 -.L10412rounds_alt: - movdqa 16(%ebx),%xmm5 - movdqa 32(%ebx),%xmm4 - movl $8,%ecx - movdqu %xmm0,-16(%edx) -.L109loop_key192: - movq %xmm2,(%edx) - movdqa %xmm2,%xmm1 -.byte 102,15,56,0,213 -.byte 102,15,56,221,212 - pslld $1,%xmm4 - leal 24(%edx),%edx - movdqa %xmm0,%xmm3 - pslldq $4,%xmm0 - pxor %xmm0,%xmm3 - pslldq $4,%xmm0 - pxor %xmm0,%xmm3 - pslldq $4,%xmm0 - pxor %xmm3,%xmm0 - pshufd $255,%xmm0,%xmm3 - pxor %xmm1,%xmm3 - pslldq $4,%xmm1 - pxor %xmm1,%xmm3 - pxor %xmm2,%xmm0 - pxor %xmm3,%xmm2 - movdqu %xmm0,-16(%edx) - decl %ecx - jnz .L109loop_key192 - movl $11,%ecx - movl %ecx,32(%edx) - jmp .L102good_key + jmp .L105key_192b_warm .align 16 .L09514rounds: movups 16(%eax),%xmm2 leal 16(%edx),%edx - cmpl $268435456,%ebp - je .L11014rounds_alt movl $13,%ecx movups %xmm0,-32(%edx) movups %xmm2,-16(%edx) .byte 102,15,58,223,202,1 - call .L111key_256a_cold + call .L106key_256a_cold .byte 102,15,58,223,200,1 - call .L112key_256b + call .L107key_256b .byte 102,15,58,223,202,2 - call .L113key_256a + call .L108key_256a .byte 102,15,58,223,200,2 - call .L112key_256b + call .L107key_256b .byte 102,15,58,223,202,4 - call .L113key_256a + call .L108key_256a .byte 102,15,58,223,200,4 - call .L112key_256b + call .L107key_256b .byte 102,15,58,223,202,8 - call .L113key_256a + call .L108key_256a .byte 102,15,58,223,200,8 - call .L112key_256b + call .L107key_256b .byte 102,15,58,223,202,16 - call .L113key_256a + call .L108key_256a .byte 102,15,58,223,200,16 - call .L112key_256b + call .L107key_256b .byte 102,15,58,223,202,32 - call .L113key_256a + call .L108key_256a .byte 102,15,58,223,200,32 - call .L112key_256b + call .L107key_256b .byte 102,15,58,223,202,64 - call .L113key_256a + call .L108key_256a movups 
%xmm0,(%edx) movl %ecx,16(%edx) xorl %eax,%eax - jmp .L102good_key + jmp .L101good_key .align 16 -.L113key_256a: +.L108key_256a: movups %xmm2,(%edx) leal 16(%edx),%edx -.L111key_256a_cold: +.L106key_256a_cold: shufps $16,%xmm0,%xmm4 xorps %xmm4,%xmm0 shufps $140,%xmm0,%xmm4 @@ -2359,7 +2277,7 @@ _aesni_set_encrypt_key: xorps %xmm1,%xmm0 ret .align 16 -.L112key_256b: +.L107key_256b: movups %xmm0,(%edx) leal 16(%edx),%edx shufps $16,%xmm2,%xmm4 
@@ -2369,15 +2287,154 @@ _aesni_set_encrypt_key: shufps $170,%xmm1,%xmm1 xorps %xmm1,%xmm2 ret +.L101good_key: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + xorl %eax,%eax + popl %ebx + ret +.align 4 +.L097bad_keybits: + pxor %xmm0,%xmm0 + movl $-2,%eax + popl %ebx + ret +.size aes_hw_set_encrypt_key_base,.-.L_aes_hw_set_encrypt_key_base_begin +.globl aes_hw_set_encrypt_key_alt +.hidden aes_hw_set_encrypt_key_alt +.type aes_hw_set_encrypt_key_alt,@function +.align 16 +aes_hw_set_encrypt_key_alt: +.L_aes_hw_set_encrypt_key_alt_begin: +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call .L109pic_for_function_hit +.L109pic_for_function_hit: + popl %ebx + leal BORINGSSL_function_hit+3-.L109pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx + pushl %ebx + call .L110pic +.L110pic: + popl %ebx + leal .Lkey_const-.L110pic(%ebx),%ebx + movups (%eax),%xmm0 + xorps %xmm4,%xmm4 + leal 16(%edx),%edx + cmpl $256,%ecx + je .L11114rounds_alt + cmpl $192,%ecx + je .L11212rounds_alt + cmpl $128,%ecx + jne .L113bad_keybits .align 16 -.L11014rounds_alt: +.L11410rounds_alt: + movdqa (%ebx),%xmm5 + movl $8,%ecx + movdqa 32(%ebx),%xmm4 + movdqa %xmm0,%xmm2 + movdqu %xmm0,-16(%edx) +.L115loop_key128: +.byte 102,15,56,0,197 +.byte 102,15,56,221,196 + pslld $1,%xmm4 + leal 16(%edx),%edx + movdqa %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm3,%xmm2 + pxor %xmm2,%xmm0 + movdqu %xmm0,-16(%edx) + movdqa %xmm0,%xmm2 + decl %ecx + jnz .L115loop_key128 + movdqa 48(%ebx),%xmm4 +.byte 102,15,56,0,197 +.byte 102,15,56,221,196 + pslld $1,%xmm4 + movdqa %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm3,%xmm2 + pxor %xmm2,%xmm0 + movdqu %xmm0,(%edx) + movdqa %xmm0,%xmm2 +.byte 
102,15,56,0,197 +.byte 102,15,56,221,196 + movdqa %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm2,%xmm3 + pslldq $4,%xmm2 + pxor %xmm3,%xmm2 + pxor %xmm2,%xmm0 + movdqu %xmm0,16(%edx) + movl $9,%ecx + movl %ecx,96(%edx) + jmp .L116good_key +.align 16 +.L11212rounds_alt: + movq 16(%eax),%xmm2 + movdqa 16(%ebx),%xmm5 + movdqa 32(%ebx),%xmm4 + movl $8,%ecx + movdqu %xmm0,-16(%edx) +.L117loop_key192: + movq %xmm2,(%edx) + movdqa %xmm2,%xmm1 +.byte 102,15,56,0,213 +.byte 102,15,56,221,212 + pslld $1,%xmm4 + leal 24(%edx),%edx + movdqa %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm0,%xmm3 + pslldq $4,%xmm0 + pxor %xmm3,%xmm0 + pshufd $255,%xmm0,%xmm3 + pxor %xmm1,%xmm3 + pslldq $4,%xmm1 + pxor %xmm1,%xmm3 + pxor %xmm2,%xmm0 + pxor %xmm3,%xmm2 + movdqu %xmm0,-16(%edx) + decl %ecx + jnz .L117loop_key192 + movl $11,%ecx + movl %ecx,32(%edx) + jmp .L116good_key +.align 16 +.L11114rounds_alt: + movups 16(%eax),%xmm2 + leal 16(%edx),%edx movdqa (%ebx),%xmm5 movdqa 32(%ebx),%xmm4 movl $7,%ecx movdqu %xmm0,-32(%edx) movdqa %xmm2,%xmm1 movdqu %xmm2,-16(%edx) -.L114loop_key256: +.L118loop_key256: .byte 102,15,56,0,213 .byte 102,15,56,221,212 movdqa %xmm0,%xmm3 @@ -2391,7 +2448,7 @@ _aesni_set_encrypt_key: pxor %xmm2,%xmm0 movdqu %xmm0,(%edx) decl %ecx - jz .L115done_key256 + jz .L119done_key256 pshufd $255,%xmm0,%xmm2 pxor %xmm3,%xmm3 .byte 102,15,56,221,211 @@ -2406,11 +2463,11 @@ _aesni_set_encrypt_key: movdqu %xmm2,16(%edx) leal 32(%edx),%edx movdqa %xmm2,%xmm1 - jmp .L114loop_key256 -.L115done_key256: + jmp .L118loop_key256 +.L119done_key256: movl $13,%ecx movl %ecx,16(%edx) -.L102good_key: +.L116good_key: pxor %xmm0,%xmm0 pxor %xmm1,%xmm1 pxor %xmm2,%xmm2 
@@ -2419,60 +2476,23 @@ _aesni_set_encrypt_key: pxor %xmm5,%xmm5 xorl %eax,%eax popl %ebx - popl %ebp - ret -.align 4 -.L093bad_pointer: - movl $-1,%eax - popl %ebx - popl %ebp ret .align 4 -.L097bad_keybits: +.L113bad_keybits: pxor %xmm0,%xmm0 movl $-2,%eax popl %ebx - popl %ebp ret -.size _aesni_set_encrypt_key,.-_aesni_set_encrypt_key -.globl aes_hw_set_encrypt_key -.hidden aes_hw_set_encrypt_key -.type aes_hw_set_encrypt_key,@function -.align 16 -aes_hw_set_encrypt_key: -.L_aes_hw_set_encrypt_key_begin: -#ifdef BORINGSSL_DISPATCH_TEST - pushl %ebx - pushl %edx - call .L116pic -.L116pic: - popl %ebx - leal BORINGSSL_function_hit+3-.L116pic(%ebx),%ebx - movl $1,%edx - movb %dl,(%ebx) - popl %edx - popl %ebx -#endif - movl 4(%esp),%eax - movl 8(%esp),%ecx - movl 12(%esp),%edx - call _aesni_set_encrypt_key - ret -.size aes_hw_set_encrypt_key,.-.L_aes_hw_set_encrypt_key_begin -.globl aes_hw_set_decrypt_key -.hidden aes_hw_set_decrypt_key -.type aes_hw_set_decrypt_key,@function -.align 16 -aes_hw_set_decrypt_key: -.L_aes_hw_set_decrypt_key_begin: - movl 4(%esp),%eax - movl 8(%esp),%ecx - movl 12(%esp),%edx - call _aesni_set_encrypt_key - movl 12(%esp),%edx +.size aes_hw_set_encrypt_key_alt,.-.L_aes_hw_set_encrypt_key_alt_begin +.globl aes_hw_encrypt_key_to_decrypt_key +.hidden aes_hw_encrypt_key_to_decrypt_key +.type aes_hw_encrypt_key_to_decrypt_key,@function +.align 16 +aes_hw_encrypt_key_to_decrypt_key: +.L_aes_hw_encrypt_key_to_decrypt_key_begin: + movl 4(%esp),%edx + movl 240(%edx),%ecx shll $4,%ecx - testl %eax,%eax - jnz .L117dec_key_ret leal 16(%edx,%ecx,1),%eax movups (%edx),%xmm0 movups (%eax),%xmm1 @@ -2480,7 +2500,7 @@ aes_hw_set_decrypt_key: movups %xmm1,(%edx) leal 16(%edx),%edx leal -16(%eax),%eax -.L118dec_key_inverse: +.L120dec_key_inverse: movups (%edx),%xmm0 movups (%eax),%xmm1 .byte 102,15,56,219,192 
@@ -2490,16 +2510,14 @@ aes_hw_set_decrypt_key: movups %xmm0,16(%eax) movups %xmm1,-16(%edx) cmpl %edx,%eax - ja .L118dec_key_inverse + ja .L120dec_key_inverse movups (%edx),%xmm0 .byte 102,15,56,219,192 movups %xmm0,(%edx) pxor %xmm0,%xmm0 pxor %xmm1,%xmm1 - xorl %eax,%eax -.L117dec_key_ret: ret -.size aes_hw_set_decrypt_key,.-.L_aes_hw_set_decrypt_key_begin +.size aes_hw_encrypt_key_to_decrypt_key,.-.L_aes_hw_encrypt_key_to_decrypt_key_begin .align 64 .Lkey_const: .long 202313229,202313229,202313229,202313229 @@ -2511,7 +2529,6 @@ aes_hw_set_decrypt_key: .byte 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 .byte 115,108,46,111,114,103,62,0 #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-apple.S similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-apple.S index 14a8f5f93..ae07fa713 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,7 +6,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - .globl _aes_hw_encrypt .private_extern _aes_hw_encrypt @@ -971,10 +969,7 @@ L$ctr32_bulk: leaq 7(%r8),%r9 movl %r10d,96+12(%rsp) bswapl %r9d - leaq _OPENSSL_ia32cap_P(%rip),%r10 - movl 4(%r10),%r10d xorl %ebp,%r9d - andl $71303168,%r10d movl %r9d,112+12(%rsp) movups 16(%rcx),%xmm1 
@@ -985,104 +980,10 @@ L$ctr32_bulk: cmpq $8,%rdx jb L$ctr32_tail - subq $6,%rdx - cmpl $4194304,%r10d - je L$ctr32_6x - leaq 128(%rcx),%rcx - subq $2,%rdx + subq $8,%rdx jmp L$ctr32_loop8 -.p2align 4 -L$ctr32_6x: - shll $4,%eax - movl $48,%r10d - bswapl %ebp - leaq 32(%rcx,%rax,1),%rcx - subq %rax,%r10 - jmp L$ctr32_loop6 - -.p2align 4 -L$ctr32_loop6: - addl $6,%r8d - movups -48(%rcx,%r10,1),%xmm0 -.byte 102,15,56,220,209 - movl %r8d,%eax - xorl %ebp,%eax -.byte 102,15,56,220,217 -.byte 0x0f,0x38,0xf1,0x44,0x24,12 - leal 1(%r8),%eax -.byte 102,15,56,220,225 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,28 -.byte 102,15,56,220,233 - leal 2(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,241 -.byte 0x0f,0x38,0xf1,0x44,0x24,44 - leal 3(%r8),%eax -.byte 102,15,56,220,249 - movups -32(%rcx,%r10,1),%xmm1 - xorl %ebp,%eax - -.byte 102,15,56,220,208 -.byte 0x0f,0x38,0xf1,0x44,0x24,60 - leal 4(%r8),%eax -.byte 102,15,56,220,216 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,76 -.byte 102,15,56,220,224 - leal 5(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,232 -.byte 0x0f,0x38,0xf1,0x44,0x24,92 - movq %r10,%rax -.byte 102,15,56,220,240 -.byte 102,15,56,220,248 - movups -16(%rcx,%r10,1),%xmm0 - - call L$enc_loop6 - - movdqu (%rdi),%xmm8 - movdqu 16(%rdi),%xmm9 - movdqu 32(%rdi),%xmm10 - movdqu 48(%rdi),%xmm11 - movdqu 64(%rdi),%xmm12 - movdqu 80(%rdi),%xmm13 - leaq 96(%rdi),%rdi - movups -64(%rcx,%r10,1),%xmm1 - pxor %xmm2,%xmm8 - movaps 0(%rsp),%xmm2 - pxor %xmm3,%xmm9 - movaps 16(%rsp),%xmm3 - pxor %xmm4,%xmm10 - movaps 32(%rsp),%xmm4 - pxor %xmm5,%xmm11 - movaps 48(%rsp),%xmm5 - pxor %xmm6,%xmm12 - movaps 64(%rsp),%xmm6 - pxor %xmm7,%xmm13 - movaps 80(%rsp),%xmm7 - movdqu %xmm8,(%rsi) - movdqu %xmm9,16(%rsi) - movdqu %xmm10,32(%rsi) - movdqu %xmm11,48(%rsi) - movdqu %xmm12,64(%rsi) - movdqu %xmm13,80(%rsi) - leaq 96(%rsi),%rsi - - subq $6,%rdx - jnc L$ctr32_loop6 - - addq $6,%rdx - jz L$ctr32_done - - leal -48(%r10),%eax - leaq -80(%rcx,%r10,1),%rcx - negl %eax - 
shrl $4,%eax - jmp L$ctr32_tail - .p2align 5 L$ctr32_loop8: addl $8,%r8d @@ -1584,16 +1485,10 @@ L$cbc_decrypt_bulk: movdqa %xmm5,%xmm14 movdqu 80(%rdi),%xmm7 movdqa %xmm6,%xmm15 - leaq _OPENSSL_ia32cap_P(%rip),%r9 - movl 4(%r9),%r9d cmpq $0x70,%rdx jbe L$cbc_dec_six_or_seven - andl $71303168,%r9d - subq $0x50,%rdx - cmpl $4194304,%r9d - je L$cbc_dec_loop6_enter - subq $0x20,%rdx + subq $0x70,%rdx leaq 112(%rcx),%rcx jmp L$cbc_dec_loop8_enter .p2align 4 @@ -1864,51 +1759,6 @@ L$cbc_dec_seven: pxor %xmm9,%xmm9 jmp L$cbc_dec_tail_collected -.p2align 4 -L$cbc_dec_loop6: - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - movdqu 0(%rdi),%xmm2 - movdqu 16(%rdi),%xmm3 - movdqa %xmm2,%xmm11 - movdqu 32(%rdi),%xmm4 - movdqa %xmm3,%xmm12 - movdqu 48(%rdi),%xmm5 - movdqa %xmm4,%xmm13 - movdqu 64(%rdi),%xmm6 - movdqa %xmm5,%xmm14 - movdqu 80(%rdi),%xmm7 - movdqa %xmm6,%xmm15 -L$cbc_dec_loop6_enter: - leaq 96(%rdi),%rdi - movdqa %xmm7,%xmm8 - - call _aesni_decrypt6 - - pxor %xmm10,%xmm2 - movdqa %xmm8,%xmm10 - pxor %xmm11,%xmm3 - movdqu %xmm2,(%rsi) - pxor %xmm12,%xmm4 - movdqu %xmm3,16(%rsi) - pxor %xmm13,%xmm5 - movdqu %xmm4,32(%rsi) - pxor %xmm14,%xmm6 - movq %rbp,%rcx - movdqu %xmm5,48(%rsi) - pxor %xmm15,%xmm7 - movl %r10d,%eax - movdqu %xmm6,64(%rsi) - leaq 80(%rsi),%rsi - subq $0x60,%rdx - ja L$cbc_dec_loop6 - - movdqa %xmm7,%xmm2 - addq $0x50,%rdx - jle L$cbc_dec_clear_tail_collected - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - L$cbc_dec_tail: movups (%rdi),%xmm2 subq $0x10,%rdx 
@@ -2055,76 +1905,63 @@ L$cbc_ret: ret -.globl _aes_hw_set_decrypt_key -.private_extern _aes_hw_set_decrypt_key +.globl _aes_hw_encrypt_key_to_decrypt_key +.private_extern _aes_hw_encrypt_key_to_decrypt_key .p2align 4 -_aes_hw_set_decrypt_key: +_aes_hw_encrypt_key_to_decrypt_key: _CET_ENDBR -.byte 0x48,0x83,0xEC,0x08 - call __aesni_set_encrypt_key + movl 240(%rdi),%esi shll $4,%esi - testl %eax,%eax - jnz L$dec_key_ret - leaq 16(%rdx,%rsi,1),%rdi - movups (%rdx),%xmm0 - movups (%rdi),%xmm1 - movups %xmm0,(%rdi) - movups %xmm1,(%rdx) - leaq 16(%rdx),%rdx - leaq -16(%rdi),%rdi + leaq 16(%rdi,%rsi,1),%rdx + + movups (%rdi),%xmm0 + movups (%rdx),%xmm1 + movups %xmm0,(%rdx) + movups %xmm1,(%rdi) + leaq 16(%rdi),%rdi + leaq -16(%rdx),%rdx L$dec_key_inverse: - movups (%rdx),%xmm0 - movups (%rdi),%xmm1 + movups (%rdi),%xmm0 + movups (%rdx),%xmm1 .byte 102,15,56,219,192 .byte 102,15,56,219,201 - leaq 16(%rdx),%rdx - leaq -16(%rdi),%rdi - movups %xmm0,16(%rdi) - movups %xmm1,-16(%rdx) - cmpq %rdx,%rdi + leaq 16(%rdi),%rdi + leaq -16(%rdx),%rdx + movups %xmm0,16(%rdx) + movups %xmm1,-16(%rdi) + cmpq %rdi,%rdx ja L$dec_key_inverse - movups (%rdx),%xmm0 + movups (%rdi),%xmm0 .byte 102,15,56,219,192 pxor %xmm1,%xmm1 - movups %xmm0,(%rdi) + movups %xmm0,(%rdx) pxor %xmm0,%xmm0 -L$dec_key_ret: - addq $8,%rsp - ret -L$SEH_end_set_decrypt_key: -.globl _aes_hw_set_encrypt_key -.private_extern _aes_hw_set_encrypt_key +.globl _aes_hw_set_encrypt_key_base +.private_extern _aes_hw_set_encrypt_key_base .p2align 4 -_aes_hw_set_encrypt_key: -__aesni_set_encrypt_key: +_aes_hw_set_encrypt_key_base: + _CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,_BORINGSSL_function_hit+3(%rip) #endif -.byte 0x48,0x83,0xEC,0x08 + subq $8,%rsp + - movq $-1,%rax - testq %rdi,%rdi - jz L$enc_key_ret - testq %rdx,%rdx - jz L$enc_key_ret movups (%rdi),%xmm0 xorps %xmm4,%xmm4 - leaq _OPENSSL_ia32cap_P(%rip),%r10 - movl 4(%r10),%r10d - andl $268437504,%r10d leaq 16(%rdx),%rax cmpl $256,%esi je L$14rounds 
@@ -2135,8 +1972,6 @@ _CET_ENDBR L$10rounds: movl $9,%esi - cmpl $268435456,%r10d - je L$10rounds_alt movups %xmm0,(%rdx) .byte 102,15,58,223,200,1 
@@ -2165,7 +2000,193 @@ L$10rounds: jmp L$enc_key_ret .p2align 4 -L$10rounds_alt: +L$12rounds: + movq 16(%rdi),%xmm2 + movl $11,%esi + + movups %xmm0,(%rdx) +.byte 102,15,58,223,202,1 + call L$key_expansion_192a_cold +.byte 102,15,58,223,202,2 + call L$key_expansion_192b +.byte 102,15,58,223,202,4 + call L$key_expansion_192a +.byte 102,15,58,223,202,8 + call L$key_expansion_192b +.byte 102,15,58,223,202,16 + call L$key_expansion_192a +.byte 102,15,58,223,202,32 + call L$key_expansion_192b +.byte 102,15,58,223,202,64 + call L$key_expansion_192a +.byte 102,15,58,223,202,128 + call L$key_expansion_192b + movups %xmm0,(%rax) + movl %esi,48(%rax) + xorq %rax,%rax + jmp L$enc_key_ret + +.p2align 4 +L$14rounds: + movups 16(%rdi),%xmm2 + movl $13,%esi + leaq 16(%rax),%rax + + movups %xmm0,(%rdx) + movups %xmm2,16(%rdx) +.byte 102,15,58,223,202,1 + call L$key_expansion_256a_cold +.byte 102,15,58,223,200,1 + call L$key_expansion_256b +.byte 102,15,58,223,202,2 + call L$key_expansion_256a +.byte 102,15,58,223,200,2 + call L$key_expansion_256b +.byte 102,15,58,223,202,4 + call L$key_expansion_256a +.byte 102,15,58,223,200,4 + call L$key_expansion_256b +.byte 102,15,58,223,202,8 + call L$key_expansion_256a +.byte 102,15,58,223,200,8 + call L$key_expansion_256b +.byte 102,15,58,223,202,16 + call L$key_expansion_256a +.byte 102,15,58,223,200,16 + call L$key_expansion_256b +.byte 102,15,58,223,202,32 + call L$key_expansion_256a +.byte 102,15,58,223,200,32 + call L$key_expansion_256b +.byte 102,15,58,223,202,64 + call L$key_expansion_256a + movups %xmm0,(%rax) + movl %esi,16(%rax) + xorq %rax,%rax + jmp L$enc_key_ret + +.p2align 4 +L$bad_keybits: + movq $-2,%rax +L$enc_key_ret: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + addq $8,%rsp + + ret + + + +.p2align 4 +L$key_expansion_128: + + movups %xmm0,(%rax) + leaq 16(%rax),%rax +L$key_expansion_128_cold: + shufps $16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps 
$140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + ret + + +.p2align 4 +L$key_expansion_192a: + + movups %xmm0,(%rax) + leaq 16(%rax),%rax +L$key_expansion_192a_cold: + movaps %xmm2,%xmm5 +L$key_expansion_192b_warm: + shufps $16,%xmm0,%xmm4 + movdqa %xmm2,%xmm3 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + pslldq $4,%xmm3 + xorps %xmm4,%xmm0 + pshufd $85,%xmm1,%xmm1 + pxor %xmm3,%xmm2 + pxor %xmm1,%xmm0 + pshufd $255,%xmm0,%xmm3 + pxor %xmm3,%xmm2 + ret + + +.p2align 4 +L$key_expansion_192b: + + movaps %xmm0,%xmm3 + shufps $68,%xmm0,%xmm5 + movups %xmm5,(%rax) + shufps $78,%xmm2,%xmm3 + movups %xmm3,16(%rax) + leaq 32(%rax),%rax + jmp L$key_expansion_192b_warm + + +.p2align 4 +L$key_expansion_256a: + + movups %xmm2,(%rax) + leaq 16(%rax),%rax +L$key_expansion_256a_cold: + shufps $16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + ret + + +.p2align 4 +L$key_expansion_256b: + + movups %xmm0,(%rax) + leaq 16(%rax),%rax + + shufps $16,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $140,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $170,%xmm1,%xmm1 + xorps %xmm1,%xmm2 + ret + + + +.globl _aes_hw_set_encrypt_key_alt +.private_extern _aes_hw_set_encrypt_key_alt + +.p2align 4 +_aes_hw_set_encrypt_key_alt: + + +_CET_ENDBR +#ifdef BORINGSSL_DISPATCH_TEST + movb $1,_BORINGSSL_function_hit+3(%rip) +#endif + subq $8,%rsp + + + + movups (%rdi),%xmm0 + xorps %xmm4,%xmm4 + leaq 16(%rdx),%rax + cmpl $256,%esi + je L$14rounds_alt + cmpl $192,%esi + je L$12rounds_alt + cmpl $128,%esi + jne L$bad_keybits_alt + + movl $9,%esi movdqa L$key_rotate(%rip),%xmm5 movl $8,%r10d movdqa L$key_rcon1(%rip),%xmm4 
@@ -2229,39 +2250,12 @@ L$oop_key128: movl %esi,96(%rax) xorl %eax,%eax - jmp L$enc_key_ret + jmp L$enc_key_ret_alt .p2align 4 -L$12rounds: +L$12rounds_alt: movq 16(%rdi),%xmm2 movl $11,%esi - cmpl $268435456,%r10d - je L$12rounds_alt - - movups %xmm0,(%rdx) -.byte 102,15,58,223,202,1 - call L$key_expansion_192a_cold -.byte 102,15,58,223,202,2 - call L$key_expansion_192b -.byte 102,15,58,223,202,4 - call L$key_expansion_192a -.byte 102,15,58,223,202,8 - call L$key_expansion_192b -.byte 102,15,58,223,202,16 - call L$key_expansion_192a -.byte 102,15,58,223,202,32 - call L$key_expansion_192b -.byte 102,15,58,223,202,64 - call L$key_expansion_192a -.byte 102,15,58,223,202,128 - call L$key_expansion_192b - movups %xmm0,(%rax) - movl %esi,48(%rax) - xorq %rax,%rax - jmp L$enc_key_ret - -.p2align 4 -L$12rounds_alt: movdqa L$key_rotate192(%rip),%xmm5 movdqa L$key_rcon1(%rip),%xmm4 movl $8,%r10d 
@@ -2299,51 +2293,13 @@ L$oop_key192: movl %esi,32(%rax) xorl %eax,%eax - jmp L$enc_key_ret + jmp L$enc_key_ret_alt .p2align 4 -L$14rounds: +L$14rounds_alt: movups 16(%rdi),%xmm2 movl $13,%esi leaq 16(%rax),%rax - cmpl $268435456,%r10d - je L$14rounds_alt - - movups %xmm0,(%rdx) - movups %xmm2,16(%rdx) -.byte 102,15,58,223,202,1 - call L$key_expansion_256a_cold -.byte 102,15,58,223,200,1 - call L$key_expansion_256b -.byte 102,15,58,223,202,2 - call L$key_expansion_256a -.byte 102,15,58,223,200,2 - call L$key_expansion_256b -.byte 102,15,58,223,202,4 - call L$key_expansion_256a -.byte 102,15,58,223,200,4 - call L$key_expansion_256b -.byte 102,15,58,223,202,8 - call L$key_expansion_256a -.byte 102,15,58,223,200,8 - call L$key_expansion_256b -.byte 102,15,58,223,202,16 - call L$key_expansion_256a -.byte 102,15,58,223,200,16 - call L$key_expansion_256b -.byte 102,15,58,223,202,32 - call L$key_expansion_256a -.byte 102,15,58,223,200,32 - call L$key_expansion_256b -.byte 102,15,58,223,202,64 - call L$key_expansion_256a - movups %xmm0,(%rax) - movl %esi,16(%rax) - xorq %rax,%rax - jmp L$enc_key_ret - -.p2align 4 -L$14rounds_alt: movdqa L$key_rotate(%rip),%xmm5 movdqa L$key_rcon1(%rip),%xmm4 movl $7,%r10d @@ -2394,12 +2350,12 @@ L$oop_key256: L$done_key256: movl %esi,16(%rax) xorl %eax,%eax - jmp L$enc_key_ret + jmp L$enc_key_ret_alt .p2align 4 -L$bad_keybits: +L$bad_keybits_alt: movq $-2,%rax -L$enc_key_ret: +L$enc_key_ret_alt: pxor %xmm0,%xmm0 pxor %xmm1,%xmm1 pxor %xmm2,%xmm2 
@@ -2410,76 +2366,6 @@ L$enc_key_ret: ret -L$SEH_end_set_encrypt_key: - -.p2align 4 -L$key_expansion_128: - movups %xmm0,(%rax) - leaq 16(%rax),%rax -L$key_expansion_128_cold: - shufps $16,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $140,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $255,%xmm1,%xmm1 - xorps %xmm1,%xmm0 - ret - -.p2align 4 -L$key_expansion_192a: - movups %xmm0,(%rax) - leaq 16(%rax),%rax -L$key_expansion_192a_cold: - movaps %xmm2,%xmm5 -L$key_expansion_192b_warm: - shufps $16,%xmm0,%xmm4 - movdqa %xmm2,%xmm3 - xorps %xmm4,%xmm0 - shufps $140,%xmm0,%xmm4 - pslldq $4,%xmm3 - xorps %xmm4,%xmm0 - pshufd $85,%xmm1,%xmm1 - pxor %xmm3,%xmm2 - pxor %xmm1,%xmm0 - pshufd $255,%xmm0,%xmm3 - pxor %xmm3,%xmm2 - ret - -.p2align 4 -L$key_expansion_192b: - movaps %xmm0,%xmm3 - shufps $68,%xmm0,%xmm5 - movups %xmm5,(%rax) - shufps $78,%xmm2,%xmm3 - movups %xmm3,16(%rax) - leaq 32(%rax),%rax - jmp L$key_expansion_192b_warm - -.p2align 4 -L$key_expansion_256a: - movups %xmm2,(%rax) - leaq 16(%rax),%rax -L$key_expansion_256a_cold: - shufps $16,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $140,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $255,%xmm1,%xmm1 - xorps %xmm1,%xmm0 - ret - -.p2align 4 -L$key_expansion_256b: - movups %xmm0,(%rax) - leaq 16(%rax),%rax - - shufps $16,%xmm2,%xmm4 - xorps %xmm4,%xmm2 - shufps $140,%xmm2,%xmm4 - xorps %xmm4,%xmm2 - shufps $170,%xmm1,%xmm1 - xorps %xmm1,%xmm2 - ret .section __DATA,__const @@ -2507,7 +2393,6 @@ L$key_rcon1b: .p2align 6 .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-linux.S similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-linux.S index 4b368bb90..a0e401900 100644 
--- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesni-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesni-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,8 +6,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P .globl aes_hw_encrypt .hidden aes_hw_encrypt .type aes_hw_encrypt,@function @@ -973,10 +970,7 @@ _CET_ENDBR leaq 7(%r8),%r9 movl %r10d,96+12(%rsp) bswapl %r9d - leaq OPENSSL_ia32cap_P(%rip),%r10 - movl 4(%r10),%r10d xorl %ebp,%r9d - andl $71303168,%r10d movl %r9d,112+12(%rsp) movups 16(%rcx),%xmm1 
@@ -987,104 +981,10 @@ _CET_ENDBR cmpq $8,%rdx jb .Lctr32_tail - subq $6,%rdx - cmpl $4194304,%r10d - je .Lctr32_6x - leaq 128(%rcx),%rcx - subq $2,%rdx + subq $8,%rdx jmp .Lctr32_loop8 -.align 16 -.Lctr32_6x: - shll $4,%eax - movl $48,%r10d - bswapl %ebp - leaq 32(%rcx,%rax,1),%rcx - subq %rax,%r10 - jmp .Lctr32_loop6 - -.align 16 -.Lctr32_loop6: - addl $6,%r8d - movups -48(%rcx,%r10,1),%xmm0 -.byte 102,15,56,220,209 - movl %r8d,%eax - xorl %ebp,%eax -.byte 102,15,56,220,217 -.byte 0x0f,0x38,0xf1,0x44,0x24,12 - leal 1(%r8),%eax -.byte 102,15,56,220,225 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,28 -.byte 102,15,56,220,233 - leal 2(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,241 -.byte 0x0f,0x38,0xf1,0x44,0x24,44 - leal 3(%r8),%eax -.byte 102,15,56,220,249 - movups -32(%rcx,%r10,1),%xmm1 - xorl %ebp,%eax - -.byte 102,15,56,220,208 -.byte 0x0f,0x38,0xf1,0x44,0x24,60 - leal 4(%r8),%eax -.byte 102,15,56,220,216 - xorl %ebp,%eax -.byte 0x0f,0x38,0xf1,0x44,0x24,76 -.byte 102,15,56,220,224 - leal 5(%r8),%eax - xorl %ebp,%eax -.byte 102,15,56,220,232 -.byte 0x0f,0x38,0xf1,0x44,0x24,92 - movq %r10,%rax -.byte 102,15,56,220,240 -.byte 102,15,56,220,248 - movups -16(%rcx,%r10,1),%xmm0 - - call .Lenc_loop6 - - movdqu (%rdi),%xmm8 - movdqu 16(%rdi),%xmm9 - movdqu 32(%rdi),%xmm10 - movdqu 48(%rdi),%xmm11 - movdqu 64(%rdi),%xmm12 - movdqu 80(%rdi),%xmm13 - leaq 96(%rdi),%rdi - movups -64(%rcx,%r10,1),%xmm1 - pxor %xmm2,%xmm8 - movaps 0(%rsp),%xmm2 - pxor %xmm3,%xmm9 - movaps 16(%rsp),%xmm3 - pxor %xmm4,%xmm10 - movaps 32(%rsp),%xmm4 - pxor %xmm5,%xmm11 - movaps 48(%rsp),%xmm5 - pxor %xmm6,%xmm12 - movaps 64(%rsp),%xmm6 - pxor %xmm7,%xmm13 - movaps 80(%rsp),%xmm7 - movdqu %xmm8,(%rsi) - movdqu %xmm9,16(%rsi) - movdqu %xmm10,32(%rsi) - movdqu %xmm11,48(%rsi) - movdqu %xmm12,64(%rsi) - movdqu %xmm13,80(%rsi) - leaq 96(%rsi),%rsi - - subq $6,%rdx - jnc .Lctr32_loop6 - - addq $6,%rdx - jz .Lctr32_done - - leal -48(%r10),%eax - leaq -80(%rcx,%r10,1),%rcx - negl %eax - shrl 
$4,%eax - jmp .Lctr32_tail - .align 32 .Lctr32_loop8: addl $8,%r8d @@ -1586,16 +1486,10 @@ _CET_ENDBR movdqa %xmm5,%xmm14 movdqu 80(%rdi),%xmm7 movdqa %xmm6,%xmm15 - leaq OPENSSL_ia32cap_P(%rip),%r9 - movl 4(%r9),%r9d cmpq $0x70,%rdx jbe .Lcbc_dec_six_or_seven - andl $71303168,%r9d - subq $0x50,%rdx - cmpl $4194304,%r9d - je .Lcbc_dec_loop6_enter - subq $0x20,%rdx + subq $0x70,%rdx leaq 112(%rcx),%rcx jmp .Lcbc_dec_loop8_enter .align 16 @@ -1866,51 +1760,6 @@ _CET_ENDBR pxor %xmm9,%xmm9 jmp .Lcbc_dec_tail_collected -.align 16 -.Lcbc_dec_loop6: - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - movdqu 0(%rdi),%xmm2 - movdqu 16(%rdi),%xmm3 - movdqa %xmm2,%xmm11 - movdqu 32(%rdi),%xmm4 - movdqa %xmm3,%xmm12 - movdqu 48(%rdi),%xmm5 - movdqa %xmm4,%xmm13 - movdqu 64(%rdi),%xmm6 - movdqa %xmm5,%xmm14 - movdqu 80(%rdi),%xmm7 - movdqa %xmm6,%xmm15 -.Lcbc_dec_loop6_enter: - leaq 96(%rdi),%rdi - movdqa %xmm7,%xmm8 - - call _aesni_decrypt6 - - pxor %xmm10,%xmm2 - movdqa %xmm8,%xmm10 - pxor %xmm11,%xmm3 - movdqu %xmm2,(%rsi) - pxor %xmm12,%xmm4 - movdqu %xmm3,16(%rsi) - pxor %xmm13,%xmm5 - movdqu %xmm4,32(%rsi) - pxor %xmm14,%xmm6 - movq %rbp,%rcx - movdqu %xmm5,48(%rsi) - pxor %xmm15,%xmm7 - movl %r10d,%eax - movdqu %xmm6,64(%rsi) - leaq 80(%rsi),%rsi - subq $0x60,%rdx - ja .Lcbc_dec_loop6 - - movdqa %xmm7,%xmm2 - addq $0x50,%rdx - jle .Lcbc_dec_clear_tail_collected - movups %xmm7,(%rsi) - leaq 16(%rsi),%rsi - .Lcbc_dec_tail: movups (%rdi),%xmm2 subq $0x10,%rdx 
@@ -2057,76 +1906,63 @@ _CET_ENDBR ret .cfi_endproc .size aes_hw_cbc_encrypt,.-aes_hw_cbc_encrypt -.globl aes_hw_set_decrypt_key -.hidden aes_hw_set_decrypt_key -.type aes_hw_set_decrypt_key,@function +.globl aes_hw_encrypt_key_to_decrypt_key +.hidden aes_hw_encrypt_key_to_decrypt_key +.type aes_hw_encrypt_key_to_decrypt_key,@function .align 16 -aes_hw_set_decrypt_key: +aes_hw_encrypt_key_to_decrypt_key: .cfi_startproc _CET_ENDBR -.byte 0x48,0x83,0xEC,0x08 -.cfi_adjust_cfa_offset 8 - call __aesni_set_encrypt_key + + movl 240(%rdi),%esi shll $4,%esi - testl %eax,%eax - jnz .Ldec_key_ret - leaq 16(%rdx,%rsi,1),%rdi - movups (%rdx),%xmm0 - movups (%rdi),%xmm1 - movups %xmm0,(%rdi) - movups %xmm1,(%rdx) - leaq 16(%rdx),%rdx - leaq -16(%rdi),%rdi + leaq 16(%rdi,%rsi,1),%rdx + + movups (%rdi),%xmm0 + movups (%rdx),%xmm1 + movups %xmm0,(%rdx) + movups %xmm1,(%rdi) + leaq 16(%rdi),%rdi + leaq -16(%rdx),%rdx .Ldec_key_inverse: - movups (%rdx),%xmm0 - movups (%rdi),%xmm1 + movups (%rdi),%xmm0 + movups (%rdx),%xmm1 .byte 102,15,56,219,192 .byte 102,15,56,219,201 - leaq 16(%rdx),%rdx - leaq -16(%rdi),%rdi - movups %xmm0,16(%rdi) - movups %xmm1,-16(%rdx) - cmpq %rdx,%rdi + leaq 16(%rdi),%rdi + leaq -16(%rdx),%rdx + movups %xmm0,16(%rdx) + movups %xmm1,-16(%rdi) + cmpq %rdi,%rdx ja .Ldec_key_inverse - movups (%rdx),%xmm0 + movups (%rdi),%xmm0 .byte 102,15,56,219,192 pxor %xmm1,%xmm1 - movups %xmm0,(%rdi) + movups %xmm0,(%rdx) pxor %xmm0,%xmm0 -.Ldec_key_ret: - addq $8,%rsp -.cfi_adjust_cfa_offset -8 ret .cfi_endproc -.LSEH_end_set_decrypt_key: -.size aes_hw_set_decrypt_key,.-aes_hw_set_decrypt_key -.globl aes_hw_set_encrypt_key -.hidden aes_hw_set_encrypt_key -.type aes_hw_set_encrypt_key,@function -.align 16 -aes_hw_set_encrypt_key: -__aesni_set_encrypt_key: +.size aes_hw_encrypt_key_to_decrypt_key,.-aes_hw_encrypt_key_to_decrypt_key +.globl aes_hw_set_encrypt_key_base +.hidden aes_hw_set_encrypt_key_base +.type aes_hw_set_encrypt_key_base,@function +.align 16 
+aes_hw_set_encrypt_key_base: .cfi_startproc + _CET_ENDBR #ifdef BORINGSSL_DISPATCH_TEST movb $1,BORINGSSL_function_hit+3(%rip) #endif -.byte 0x48,0x83,0xEC,0x08 + subq $8,%rsp .cfi_adjust_cfa_offset 8 - movq $-1,%rax - testq %rdi,%rdi - jz .Lenc_key_ret - testq %rdx,%rdx - jz .Lenc_key_ret + movups (%rdi),%xmm0 xorps %xmm4,%xmm4 - leaq OPENSSL_ia32cap_P(%rip),%r10 - movl 4(%r10),%r10d - andl $268437504,%r10d leaq 16(%rdx),%rax cmpl $256,%esi je .L14rounds @@ -2137,8 +1973,6 @@ _CET_ENDBR .L10rounds: movl $9,%esi - cmpl $268435456,%r10d - je .L10rounds_alt movups %xmm0,(%rdx) .byte 102,15,58,223,200,1 
@@ -2167,7 +2001,193 @@ _CET_ENDBR jmp .Lenc_key_ret .align 16 -.L10rounds_alt: +.L12rounds: + movq 16(%rdi),%xmm2 + movl $11,%esi + + movups %xmm0,(%rdx) +.byte 102,15,58,223,202,1 + call .Lkey_expansion_192a_cold +.byte 102,15,58,223,202,2 + call .Lkey_expansion_192b +.byte 102,15,58,223,202,4 + call .Lkey_expansion_192a +.byte 102,15,58,223,202,8 + call .Lkey_expansion_192b +.byte 102,15,58,223,202,16 + call .Lkey_expansion_192a +.byte 102,15,58,223,202,32 + call .Lkey_expansion_192b +.byte 102,15,58,223,202,64 + call .Lkey_expansion_192a +.byte 102,15,58,223,202,128 + call .Lkey_expansion_192b + movups %xmm0,(%rax) + movl %esi,48(%rax) + xorq %rax,%rax + jmp .Lenc_key_ret + +.align 16 +.L14rounds: + movups 16(%rdi),%xmm2 + movl $13,%esi + leaq 16(%rax),%rax + + movups %xmm0,(%rdx) + movups %xmm2,16(%rdx) +.byte 102,15,58,223,202,1 + call .Lkey_expansion_256a_cold +.byte 102,15,58,223,200,1 + call .Lkey_expansion_256b +.byte 102,15,58,223,202,2 + call .Lkey_expansion_256a +.byte 102,15,58,223,200,2 + call .Lkey_expansion_256b +.byte 102,15,58,223,202,4 + call .Lkey_expansion_256a +.byte 102,15,58,223,200,4 + call .Lkey_expansion_256b +.byte 102,15,58,223,202,8 + call .Lkey_expansion_256a +.byte 102,15,58,223,200,8 + call .Lkey_expansion_256b +.byte 102,15,58,223,202,16 + call .Lkey_expansion_256a +.byte 102,15,58,223,200,16 + call .Lkey_expansion_256b +.byte 102,15,58,223,202,32 + call .Lkey_expansion_256a +.byte 102,15,58,223,200,32 + call .Lkey_expansion_256b +.byte 102,15,58,223,202,64 + call .Lkey_expansion_256a + movups %xmm0,(%rax) + movl %esi,16(%rax) + xorq %rax,%rax + jmp .Lenc_key_ret + +.align 16 +.Lbad_keybits: + movq $-2,%rax +.Lenc_key_ret: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + addq $8,%rsp +.cfi_adjust_cfa_offset -8 + ret +.cfi_endproc + + +.align 16 +.Lkey_expansion_128: +.cfi_startproc + movups %xmm0,(%rax) + leaq 16(%rax),%rax +.Lkey_expansion_128_cold: + shufps 
$16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + ret +.cfi_endproc + +.align 16 +.Lkey_expansion_192a: +.cfi_startproc + movups %xmm0,(%rax) + leaq 16(%rax),%rax +.Lkey_expansion_192a_cold: + movaps %xmm2,%xmm5 +.Lkey_expansion_192b_warm: + shufps $16,%xmm0,%xmm4 + movdqa %xmm2,%xmm3 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + pslldq $4,%xmm3 + xorps %xmm4,%xmm0 + pshufd $85,%xmm1,%xmm1 + pxor %xmm3,%xmm2 + pxor %xmm1,%xmm0 + pshufd $255,%xmm0,%xmm3 + pxor %xmm3,%xmm2 + ret +.cfi_endproc + +.align 16 +.Lkey_expansion_192b: +.cfi_startproc + movaps %xmm0,%xmm3 + shufps $68,%xmm0,%xmm5 + movups %xmm5,(%rax) + shufps $78,%xmm2,%xmm3 + movups %xmm3,16(%rax) + leaq 32(%rax),%rax + jmp .Lkey_expansion_192b_warm +.cfi_endproc + +.align 16 +.Lkey_expansion_256a: +.cfi_startproc + movups %xmm2,(%rax) + leaq 16(%rax),%rax +.Lkey_expansion_256a_cold: + shufps $16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + ret +.cfi_endproc + +.align 16 +.Lkey_expansion_256b: +.cfi_startproc + movups %xmm0,(%rax) + leaq 16(%rax),%rax + + shufps $16,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $140,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $170,%xmm1,%xmm1 + xorps %xmm1,%xmm2 + ret +.cfi_endproc +.size aes_hw_set_encrypt_key_base,.-aes_hw_set_encrypt_key_base + +.globl aes_hw_set_encrypt_key_alt +.hidden aes_hw_set_encrypt_key_alt +.type aes_hw_set_encrypt_key_alt,@function +.align 16 +aes_hw_set_encrypt_key_alt: +.cfi_startproc + +_CET_ENDBR +#ifdef BORINGSSL_DISPATCH_TEST + movb $1,BORINGSSL_function_hit+3(%rip) +#endif + subq $8,%rsp +.cfi_adjust_cfa_offset 8 + + + movups (%rdi),%xmm0 + xorps %xmm4,%xmm4 + leaq 16(%rdx),%rax + cmpl $256,%esi + je .L14rounds_alt + cmpl $192,%esi + je .L12rounds_alt + cmpl $128,%esi + jne .Lbad_keybits_alt + + movl $9,%esi movdqa .Lkey_rotate(%rip),%xmm5 movl $8,%r10d movdqa .Lkey_rcon1(%rip),%xmm4 
@@ -2231,39 +2251,12 @@ _CET_ENDBR movl %esi,96(%rax) xorl %eax,%eax - jmp .Lenc_key_ret + jmp .Lenc_key_ret_alt .align 16 -.L12rounds: +.L12rounds_alt: movq 16(%rdi),%xmm2 movl $11,%esi - cmpl $268435456,%r10d - je .L12rounds_alt - - movups %xmm0,(%rdx) -.byte 102,15,58,223,202,1 - call .Lkey_expansion_192a_cold -.byte 102,15,58,223,202,2 - call .Lkey_expansion_192b -.byte 102,15,58,223,202,4 - call .Lkey_expansion_192a -.byte 102,15,58,223,202,8 - call .Lkey_expansion_192b -.byte 102,15,58,223,202,16 - call .Lkey_expansion_192a -.byte 102,15,58,223,202,32 - call .Lkey_expansion_192b -.byte 102,15,58,223,202,64 - call .Lkey_expansion_192a -.byte 102,15,58,223,202,128 - call .Lkey_expansion_192b - movups %xmm0,(%rax) - movl %esi,48(%rax) - xorq %rax,%rax - jmp .Lenc_key_ret - -.align 16 -.L12rounds_alt: movdqa .Lkey_rotate192(%rip),%xmm5 movdqa .Lkey_rcon1(%rip),%xmm4 movl $8,%r10d 
@@ -2301,51 +2294,13 @@ _CET_ENDBR movl %esi,32(%rax) xorl %eax,%eax - jmp .Lenc_key_ret + jmp .Lenc_key_ret_alt .align 16 -.L14rounds: +.L14rounds_alt: movups 16(%rdi),%xmm2 movl $13,%esi leaq 16(%rax),%rax - cmpl $268435456,%r10d - je .L14rounds_alt - - movups %xmm0,(%rdx) - movups %xmm2,16(%rdx) -.byte 102,15,58,223,202,1 - call .Lkey_expansion_256a_cold -.byte 102,15,58,223,200,1 - call .Lkey_expansion_256b -.byte 102,15,58,223,202,2 - call .Lkey_expansion_256a -.byte 102,15,58,223,200,2 - call .Lkey_expansion_256b -.byte 102,15,58,223,202,4 - call .Lkey_expansion_256a -.byte 102,15,58,223,200,4 - call .Lkey_expansion_256b -.byte 102,15,58,223,202,8 - call .Lkey_expansion_256a -.byte 102,15,58,223,200,8 - call .Lkey_expansion_256b -.byte 102,15,58,223,202,16 - call .Lkey_expansion_256a -.byte 102,15,58,223,200,16 - call .Lkey_expansion_256b -.byte 102,15,58,223,202,32 - call .Lkey_expansion_256a -.byte 102,15,58,223,200,32 - call .Lkey_expansion_256b -.byte 102,15,58,223,202,64 - call .Lkey_expansion_256a - movups %xmm0,(%rax) - movl %esi,16(%rax) - xorq %rax,%rax - jmp .Lenc_key_ret - -.align 16 -.L14rounds_alt: movdqa .Lkey_rotate(%rip),%xmm5 movdqa .Lkey_rcon1(%rip),%xmm4 movl $7,%r10d @@ -2396,12 +2351,12 @@ _CET_ENDBR .Ldone_key256: movl %esi,16(%rax) xorl %eax,%eax - jmp .Lenc_key_ret + jmp .Lenc_key_ret_alt .align 16 -.Lbad_keybits: +.Lbad_keybits_alt: movq $-2,%rax -.Lenc_key_ret: +.Lenc_key_ret_alt: pxor %xmm0,%xmm0 pxor %xmm1,%xmm1 pxor %xmm2,%xmm2 
@@ -2412,78 +2367,8 @@ _CET_ENDBR .cfi_adjust_cfa_offset -8 ret .cfi_endproc -.LSEH_end_set_encrypt_key: - -.align 16 -.Lkey_expansion_128: - movups %xmm0,(%rax) - leaq 16(%rax),%rax -.Lkey_expansion_128_cold: - shufps $16,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $140,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $255,%xmm1,%xmm1 - xorps %xmm1,%xmm0 - ret - -.align 16 -.Lkey_expansion_192a: - movups %xmm0,(%rax) - leaq 16(%rax),%rax -.Lkey_expansion_192a_cold: - movaps %xmm2,%xmm5 -.Lkey_expansion_192b_warm: - shufps $16,%xmm0,%xmm4 - movdqa %xmm2,%xmm3 - xorps %xmm4,%xmm0 - shufps $140,%xmm0,%xmm4 - pslldq $4,%xmm3 - xorps %xmm4,%xmm0 - pshufd $85,%xmm1,%xmm1 - pxor %xmm3,%xmm2 - pxor %xmm1,%xmm0 - pshufd $255,%xmm0,%xmm3 - pxor %xmm3,%xmm2 - ret - -.align 16 -.Lkey_expansion_192b: - movaps %xmm0,%xmm3 - shufps $68,%xmm0,%xmm5 - movups %xmm5,(%rax) - shufps $78,%xmm2,%xmm3 - movups %xmm3,16(%rax) - leaq 32(%rax),%rax - jmp .Lkey_expansion_192b_warm -.align 16 -.Lkey_expansion_256a: - movups %xmm2,(%rax) - leaq 16(%rax),%rax -.Lkey_expansion_256a_cold: - shufps $16,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $140,%xmm0,%xmm4 - xorps %xmm4,%xmm0 - shufps $255,%xmm1,%xmm1 - xorps %xmm1,%xmm0 - ret - -.align 16 -.Lkey_expansion_256b: - movups %xmm0,(%rax) - leaq 16(%rax),%rax - - shufps $16,%xmm2,%xmm4 - xorps %xmm4,%xmm2 - shufps $140,%xmm2,%xmm4 - xorps %xmm4,%xmm2 - shufps $170,%xmm1,%xmm1 - xorps %xmm1,%xmm2 - ret -.size aes_hw_set_encrypt_key,.-aes_hw_set_encrypt_key -.size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key +.size aes_hw_set_encrypt_key_alt,.-aes_hw_set_encrypt_key_alt .section .rodata .align 64 .Lbswap_mask: @@ -2509,7 +2394,6 @@ _CET_ENDBR .align 64 .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv7-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/aesv8-armv7-linux.S index 5f74453ec..466459ac4 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv7-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv7-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -28,11 +27,6 @@ .align 5 aes_hw_set_encrypt_key: .Lenc_key: - mov r3,#-1 - cmp r0,#0 - beq .Lenc_key_abort - cmp r2,#0 - beq .Lenc_key_abort mov r3,#-2 cmp r1,#128 blt .Lenc_key_abort @@ -789,7 +783,6 @@ aes_hw_ctr32_encrypt_blocks: .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-apple.S index 0376f00e9..db8ac9c29 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -30,11 +29,6 @@ Lenc_key: AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 - mov x3,#-1 - cmp x0,#0 - b.eq Lenc_key_abort - cmp x2,#0 - b.eq Lenc_key_abort mov x3,#-2 cmp w1,#128 b.lt Lenc_key_abort @@ -791,7 +785,6 @@ Lctr32_done: #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-linux.S index 31f501009..14f3d94d1 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -30,11 +29,6 @@ aes_hw_set_encrypt_key: AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 - mov x3,#-1 - cmp x0,#0 - b.eq .Lenc_key_abort - cmp x2,#0 - b.eq .Lenc_key_abort mov x3,#-2 cmp w1,#128 b.lt .Lenc_key_abort @@ -791,7 +785,6 @@ aes_hw_ctr32_encrypt_blocks: .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-win.S new file mode 100644 index 000000000..4bc2219ed --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/aesv8-armv8-win.S 
@@ -0,0 +1,803 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +#if __ARM_MAX_ARCH__>=7 +.text +.arch armv8-a+crypto +.section .rodata +.align 5 +Lrcon: +.long 0x01,0x01,0x01,0x01 +.long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat +.long 0x1b,0x1b,0x1b,0x1b + +.text + +.globl aes_hw_set_encrypt_key + +.def aes_hw_set_encrypt_key + .type 32 +.endef +.align 5 +aes_hw_set_encrypt_key: +Lenc_key: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + mov x3,#-2 + cmp w1,#128 + b.lt Lenc_key_abort + cmp w1,#256 + b.gt Lenc_key_abort + tst w1,#0x3f + b.ne Lenc_key_abort + + adrp x3,Lrcon + add x3,x3,:lo12:Lrcon + cmp w1,#192 + + eor v0.16b,v0.16b,v0.16b + ld1 {v3.16b},[x0],#16 + mov w1,#8 // reuse w1 + ld1 {v1.4s,v2.4s},[x3],#32 + + b.lt Loop128 + b.eq L192 + b L256 + +.align 4 +Loop128: + tbl v6.16b,{v3.16b},v2.16b + ext v5.16b,v0.16b,v3.16b,#12 + st1 {v3.4s},[x2],#16 + aese v6.16b,v0.16b + subs w1,w1,#1 + + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v6.16b,v6.16b,v1.16b + eor v3.16b,v3.16b,v5.16b + shl v1.16b,v1.16b,#1 + eor v3.16b,v3.16b,v6.16b + b.ne Loop128 + + ld1 {v1.4s},[x3] + + tbl v6.16b,{v3.16b},v2.16b + ext v5.16b,v0.16b,v3.16b,#12 + st1 {v3.4s},[x2],#16 + aese v6.16b,v0.16b + + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v6.16b,v6.16b,v1.16b + eor v3.16b,v3.16b,v5.16b + shl v1.16b,v1.16b,#1 + eor v3.16b,v3.16b,v6.16b + + tbl v6.16b,{v3.16b},v2.16b + ext v5.16b,v0.16b,v3.16b,#12 + st1 {v3.4s},[x2],#16 + aese v6.16b,v0.16b + + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + 
eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v6.16b,v6.16b,v1.16b + eor v3.16b,v3.16b,v5.16b + eor v3.16b,v3.16b,v6.16b + st1 {v3.4s},[x2] + add x2,x2,#0x50 + + mov w12,#10 + b Ldone + +.align 4 +L192: + ld1 {v4.8b},[x0],#8 + movi v6.16b,#8 // borrow v6.16b + st1 {v3.4s},[x2],#16 + sub v2.16b,v2.16b,v6.16b // adjust the mask + +Loop192: + tbl v6.16b,{v4.16b},v2.16b + ext v5.16b,v0.16b,v3.16b,#12 + st1 {v4.8b},[x2],#8 + aese v6.16b,v0.16b + subs w1,w1,#1 + + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v3.16b,v3.16b,v5.16b + + dup v5.4s,v3.s[3] + eor v5.16b,v5.16b,v4.16b + eor v6.16b,v6.16b,v1.16b + ext v4.16b,v0.16b,v4.16b,#12 + shl v1.16b,v1.16b,#1 + eor v4.16b,v4.16b,v5.16b + eor v3.16b,v3.16b,v6.16b + eor v4.16b,v4.16b,v6.16b + st1 {v3.4s},[x2],#16 + b.ne Loop192 + + mov w12,#12 + add x2,x2,#0x20 + b Ldone + +.align 4 +L256: + ld1 {v4.16b},[x0] + mov w1,#7 + mov w12,#14 + st1 {v3.4s},[x2],#16 + +Loop256: + tbl v6.16b,{v4.16b},v2.16b + ext v5.16b,v0.16b,v3.16b,#12 + st1 {v4.4s},[x2],#16 + aese v6.16b,v0.16b + subs w1,w1,#1 + + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v3.16b,v3.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v6.16b,v6.16b,v1.16b + eor v3.16b,v3.16b,v5.16b + shl v1.16b,v1.16b,#1 + eor v3.16b,v3.16b,v6.16b + st1 {v3.4s},[x2],#16 + b.eq Ldone + + dup v6.4s,v3.s[3] // just splat + ext v5.16b,v0.16b,v4.16b,#12 + aese v6.16b,v0.16b + + eor v4.16b,v4.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v4.16b,v4.16b,v5.16b + ext v5.16b,v0.16b,v5.16b,#12 + eor v4.16b,v4.16b,v5.16b + + eor v4.16b,v4.16b,v6.16b + b Loop256 + +Ldone: + str w12,[x2] + mov x3,#0 + +Lenc_key_abort: + mov x0,x3 // return value + ldr x29,[sp],#16 + ret + + +.globl aes_hw_set_decrypt_key + +.def aes_hw_set_decrypt_key + .type 32 +.endef +.align 5 +aes_hw_set_decrypt_key: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + bl Lenc_key + + cmp x0,#0 + b.ne Ldec_key_abort + + sub x2,x2,#240 // restore original x2 + mov x4,#-16 + add x0,x2,x12,lsl#4 // end of key schedule + + ld1 {v0.4s},[x2] + ld1 {v1.4s},[x0] + st1 {v0.4s},[x0],x4 + st1 {v1.4s},[x2],#16 + +Loop_imc: + ld1 {v0.4s},[x2] + ld1 {v1.4s},[x0] + aesimc v0.16b,v0.16b + aesimc v1.16b,v1.16b + st1 {v0.4s},[x0],x4 + st1 {v1.4s},[x2],#16 + cmp x0,x2 + b.hi Loop_imc + + ld1 {v0.4s},[x2] + aesimc v0.16b,v0.16b + st1 {v0.4s},[x0] + + eor x0,x0,x0 // return value +Ldec_key_abort: + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl aes_hw_encrypt + +.def aes_hw_encrypt + .type 32 +.endef +.align 5 +aes_hw_encrypt: + AARCH64_VALID_CALL_TARGET + ldr w3,[x2,#240] + ld1 {v0.4s},[x2],#16 + ld1 {v2.16b},[x0] + sub w3,w3,#2 + ld1 {v1.4s},[x2],#16 + +Loop_enc: + aese v2.16b,v0.16b + aesmc v2.16b,v2.16b + ld1 {v0.4s},[x2],#16 + subs w3,w3,#2 + aese v2.16b,v1.16b + aesmc v2.16b,v2.16b + ld1 {v1.4s},[x2],#16 + b.gt Loop_enc + + aese v2.16b,v0.16b + aesmc v2.16b,v2.16b + ld1 {v0.4s},[x2] + aese v2.16b,v1.16b + eor v2.16b,v2.16b,v0.16b + + st1 {v2.16b},[x1] + ret + +.globl aes_hw_decrypt + +.def aes_hw_decrypt + .type 32 +.endef +.align 5 +aes_hw_decrypt: + AARCH64_VALID_CALL_TARGET + ldr w3,[x2,#240] + ld1 {v0.4s},[x2],#16 + ld1 {v2.16b},[x0] + sub w3,w3,#2 + ld1 {v1.4s},[x2],#16 + +Loop_dec: + aesd v2.16b,v0.16b + aesimc v2.16b,v2.16b + ld1 {v0.4s},[x2],#16 + subs w3,w3,#2 + aesd v2.16b,v1.16b + aesimc v2.16b,v2.16b + ld1 {v1.4s},[x2],#16 + b.gt Loop_dec + + aesd v2.16b,v0.16b + aesimc v2.16b,v2.16b + ld1 {v0.4s},[x2] + aesd v2.16b,v1.16b + eor v2.16b,v2.16b,v0.16b + + st1 {v2.16b},[x1] + ret + +.globl aes_hw_cbc_encrypt + +.def aes_hw_cbc_encrypt + .type 32 +.endef +.align 5 +aes_hw_cbc_encrypt: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + subs x2,x2,#16 + mov x8,#16 + b.lo Lcbc_abort + csel x8,xzr,x8,eq + + cmp w5,#0 // en- or decrypting? + ldr w5,[x3,#240] + and x2,x2,#-16 + ld1 {v6.16b},[x4] + ld1 {v0.16b},[x0],x8 + + ld1 {v16.4s,v17.4s},[x3] // load key schedule... + sub w5,w5,#6 + add x7,x3,x5,lsl#4 // pointer to last 7 round keys + sub w5,w5,#2 + ld1 {v18.4s,v19.4s},[x7],#32 + ld1 {v20.4s,v21.4s},[x7],#32 + ld1 {v22.4s,v23.4s},[x7],#32 + ld1 {v7.4s},[x7] + + add x7,x3,#32 + mov w6,w5 + b.eq Lcbc_dec + + cmp w5,#2 + eor v0.16b,v0.16b,v6.16b + eor v5.16b,v16.16b,v7.16b + b.eq Lcbc_enc128 + + ld1 {v2.4s,v3.4s},[x7] + add x7,x3,#16 + add x6,x3,#16*4 + add x12,x3,#16*5 + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + add x14,x3,#16*6 + add x3,x3,#16*7 + b Lenter_cbc_enc + +.align 4 +Loop_cbc_enc: + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + st1 {v6.16b},[x1],#16 +Lenter_cbc_enc: + aese v0.16b,v17.16b + aesmc v0.16b,v0.16b + aese v0.16b,v2.16b + aesmc v0.16b,v0.16b + ld1 {v16.4s},[x6] + cmp w5,#4 + aese v0.16b,v3.16b + aesmc v0.16b,v0.16b + ld1 {v17.4s},[x12] + b.eq Lcbc_enc192 + + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + ld1 {v16.4s},[x14] + aese v0.16b,v17.16b + aesmc v0.16b,v0.16b + ld1 {v17.4s},[x3] + nop + +Lcbc_enc192: + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + subs x2,x2,#16 + aese v0.16b,v17.16b + aesmc v0.16b,v0.16b + csel x8,xzr,x8,eq + aese v0.16b,v18.16b + aesmc v0.16b,v0.16b + aese v0.16b,v19.16b + aesmc v0.16b,v0.16b + ld1 {v16.16b},[x0],x8 + aese v0.16b,v20.16b + aesmc v0.16b,v0.16b + eor v16.16b,v16.16b,v5.16b + aese v0.16b,v21.16b + aesmc v0.16b,v0.16b + ld1 {v17.4s},[x7] // re-pre-load rndkey[1] + aese v0.16b,v22.16b + aesmc v0.16b,v0.16b + aese v0.16b,v23.16b + eor v6.16b,v0.16b,v7.16b + b.hs Loop_cbc_enc + + st1 {v6.16b},[x1],#16 + b Lcbc_done + +.align 5 +Lcbc_enc128: + ld1 {v2.4s,v3.4s},[x7] + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + b Lenter_cbc_enc128 +Loop_cbc_enc128: + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + st1 {v6.16b},[x1],#16 
+Lenter_cbc_enc128: + aese v0.16b,v17.16b + aesmc v0.16b,v0.16b + subs x2,x2,#16 + aese v0.16b,v2.16b + aesmc v0.16b,v0.16b + csel x8,xzr,x8,eq + aese v0.16b,v3.16b + aesmc v0.16b,v0.16b + aese v0.16b,v18.16b + aesmc v0.16b,v0.16b + aese v0.16b,v19.16b + aesmc v0.16b,v0.16b + ld1 {v16.16b},[x0],x8 + aese v0.16b,v20.16b + aesmc v0.16b,v0.16b + aese v0.16b,v21.16b + aesmc v0.16b,v0.16b + aese v0.16b,v22.16b + aesmc v0.16b,v0.16b + eor v16.16b,v16.16b,v5.16b + aese v0.16b,v23.16b + eor v6.16b,v0.16b,v7.16b + b.hs Loop_cbc_enc128 + + st1 {v6.16b},[x1],#16 + b Lcbc_done +.align 5 +Lcbc_dec: + ld1 {v18.16b},[x0],#16 + subs x2,x2,#32 // bias + add w6,w5,#2 + orr v3.16b,v0.16b,v0.16b + orr v1.16b,v0.16b,v0.16b + orr v19.16b,v18.16b,v18.16b + b.lo Lcbc_dec_tail + + orr v1.16b,v18.16b,v18.16b + ld1 {v18.16b},[x0],#16 + orr v2.16b,v0.16b,v0.16b + orr v3.16b,v1.16b,v1.16b + orr v19.16b,v18.16b,v18.16b + +Loop3x_cbc_dec: + aesd v0.16b,v16.16b + aesimc v0.16b,v0.16b + aesd v1.16b,v16.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v16.16b + aesimc v18.16b,v18.16b + ld1 {v16.4s},[x7],#16 + subs w6,w6,#2 + aesd v0.16b,v17.16b + aesimc v0.16b,v0.16b + aesd v1.16b,v17.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v17.16b + aesimc v18.16b,v18.16b + ld1 {v17.4s},[x7],#16 + b.gt Loop3x_cbc_dec + + aesd v0.16b,v16.16b + aesimc v0.16b,v0.16b + aesd v1.16b,v16.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v16.16b + aesimc v18.16b,v18.16b + eor v4.16b,v6.16b,v7.16b + subs x2,x2,#0x30 + eor v5.16b,v2.16b,v7.16b + csel x6,x2,x6,lo // x6, w6, is zero at this point + aesd v0.16b,v17.16b + aesimc v0.16b,v0.16b + aesd v1.16b,v17.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v17.16b + aesimc v18.16b,v18.16b + eor v17.16b,v3.16b,v7.16b + add x0,x0,x6 // x0 is adjusted in such way that + // at exit from the loop v1.16b-v18.16b + // are loaded with last "words" + orr v6.16b,v19.16b,v19.16b + mov x7,x3 + aesd v0.16b,v20.16b + aesimc v0.16b,v0.16b + aesd v1.16b,v20.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v20.16b + 
aesimc v18.16b,v18.16b + ld1 {v2.16b},[x0],#16 + aesd v0.16b,v21.16b + aesimc v0.16b,v0.16b + aesd v1.16b,v21.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v21.16b + aesimc v18.16b,v18.16b + ld1 {v3.16b},[x0],#16 + aesd v0.16b,v22.16b + aesimc v0.16b,v0.16b + aesd v1.16b,v22.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v22.16b + aesimc v18.16b,v18.16b + ld1 {v19.16b},[x0],#16 + aesd v0.16b,v23.16b + aesd v1.16b,v23.16b + aesd v18.16b,v23.16b + ld1 {v16.4s},[x7],#16 // re-pre-load rndkey[0] + add w6,w5,#2 + eor v4.16b,v4.16b,v0.16b + eor v5.16b,v5.16b,v1.16b + eor v18.16b,v18.16b,v17.16b + ld1 {v17.4s},[x7],#16 // re-pre-load rndkey[1] + st1 {v4.16b},[x1],#16 + orr v0.16b,v2.16b,v2.16b + st1 {v5.16b},[x1],#16 + orr v1.16b,v3.16b,v3.16b + st1 {v18.16b},[x1],#16 + orr v18.16b,v19.16b,v19.16b + b.hs Loop3x_cbc_dec + + cmn x2,#0x30 + b.eq Lcbc_done + nop + +Lcbc_dec_tail: + aesd v1.16b,v16.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v16.16b + aesimc v18.16b,v18.16b + ld1 {v16.4s},[x7],#16 + subs w6,w6,#2 + aesd v1.16b,v17.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v17.16b + aesimc v18.16b,v18.16b + ld1 {v17.4s},[x7],#16 + b.gt Lcbc_dec_tail + + aesd v1.16b,v16.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v16.16b + aesimc v18.16b,v18.16b + aesd v1.16b,v17.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v17.16b + aesimc v18.16b,v18.16b + aesd v1.16b,v20.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v20.16b + aesimc v18.16b,v18.16b + cmn x2,#0x20 + aesd v1.16b,v21.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v21.16b + aesimc v18.16b,v18.16b + eor v5.16b,v6.16b,v7.16b + aesd v1.16b,v22.16b + aesimc v1.16b,v1.16b + aesd v18.16b,v22.16b + aesimc v18.16b,v18.16b + eor v17.16b,v3.16b,v7.16b + aesd v1.16b,v23.16b + aesd v18.16b,v23.16b + b.eq Lcbc_dec_one + eor v5.16b,v5.16b,v1.16b + eor v17.16b,v17.16b,v18.16b + orr v6.16b,v19.16b,v19.16b + st1 {v5.16b},[x1],#16 + st1 {v17.16b},[x1],#16 + b Lcbc_done + +Lcbc_dec_one: + eor v5.16b,v5.16b,v18.16b + orr v6.16b,v19.16b,v19.16b + st1 {v5.16b},[x1],#16 + 
+Lcbc_done: + st1 {v6.16b},[x4] +Lcbc_abort: + ldr x29,[sp],#16 + ret + +.globl aes_hw_ctr32_encrypt_blocks + +.def aes_hw_ctr32_encrypt_blocks + .type 32 +.endef +.align 5 +aes_hw_ctr32_encrypt_blocks: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + ldr w5,[x3,#240] + + ldr w8, [x4, #12] + ld1 {v0.4s},[x4] + + ld1 {v16.4s,v17.4s},[x3] // load key schedule... + sub w5,w5,#4 + mov x12,#16 + cmp x2,#2 + add x7,x3,x5,lsl#4 // pointer to last 5 round keys + sub w5,w5,#2 + ld1 {v20.4s,v21.4s},[x7],#32 + ld1 {v22.4s,v23.4s},[x7],#32 + ld1 {v7.4s},[x7] + add x7,x3,#32 + mov w6,w5 + csel x12,xzr,x12,lo + + // ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are + // affected by silicon errata #1742098 [0] and #1655431 [1], + // respectively, where the second instruction of an aese/aesmc + // instruction pair may execute twice if an interrupt is taken right + // after the first instruction consumes an input register of which a + // single 32-bit lane has been updated the last time it was modified. + // + // This function uses a counter in one 32-bit lane. The vmov lines + // could write to v1.16b and v18.16b directly, but that trips this bugs. + // We write to v6.16b and copy to the final register as a workaround. 
+ // + // [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice + // [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice +#ifndef __AARCH64EB__ + rev w8, w8 +#endif + add w10, w8, #1 + orr v6.16b,v0.16b,v0.16b + rev w10, w10 + mov v6.s[3],w10 + add w8, w8, #2 + orr v1.16b,v6.16b,v6.16b + b.ls Lctr32_tail + rev w12, w8 + mov v6.s[3],w12 + sub x2,x2,#3 // bias + orr v18.16b,v6.16b,v6.16b + b Loop3x_ctr32 + +.align 4 +Loop3x_ctr32: + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + aese v1.16b,v16.16b + aesmc v1.16b,v1.16b + aese v18.16b,v16.16b + aesmc v18.16b,v18.16b + ld1 {v16.4s},[x7],#16 + subs w6,w6,#2 + aese v0.16b,v17.16b + aesmc v0.16b,v0.16b + aese v1.16b,v17.16b + aesmc v1.16b,v1.16b + aese v18.16b,v17.16b + aesmc v18.16b,v18.16b + ld1 {v17.4s},[x7],#16 + b.gt Loop3x_ctr32 + + aese v0.16b,v16.16b + aesmc v4.16b,v0.16b + aese v1.16b,v16.16b + aesmc v5.16b,v1.16b + ld1 {v2.16b},[x0],#16 + add w9,w8,#1 + aese v18.16b,v16.16b + aesmc v18.16b,v18.16b + ld1 {v3.16b},[x0],#16 + rev w9,w9 + aese v4.16b,v17.16b + aesmc v4.16b,v4.16b + aese v5.16b,v17.16b + aesmc v5.16b,v5.16b + ld1 {v19.16b},[x0],#16 + mov x7,x3 + aese v18.16b,v17.16b + aesmc v17.16b,v18.16b + aese v4.16b,v20.16b + aesmc v4.16b,v4.16b + aese v5.16b,v20.16b + aesmc v5.16b,v5.16b + eor v2.16b,v2.16b,v7.16b + add w10,w8,#2 + aese v17.16b,v20.16b + aesmc v17.16b,v17.16b + eor v3.16b,v3.16b,v7.16b + add w8,w8,#3 + aese v4.16b,v21.16b + aesmc v4.16b,v4.16b + aese v5.16b,v21.16b + aesmc v5.16b,v5.16b + // Note the logic to update v0.16b, v1.16b, and v1.16b is written to work + // around a bug in ARM Cortex-A57 and Cortex-A72 cores running in + // 32-bit mode. See the comment above. 
+ eor v19.16b,v19.16b,v7.16b + mov v6.s[3], w9 + aese v17.16b,v21.16b + aesmc v17.16b,v17.16b + orr v0.16b,v6.16b,v6.16b + rev w10,w10 + aese v4.16b,v22.16b + aesmc v4.16b,v4.16b + mov v6.s[3], w10 + rev w12,w8 + aese v5.16b,v22.16b + aesmc v5.16b,v5.16b + orr v1.16b,v6.16b,v6.16b + mov v6.s[3], w12 + aese v17.16b,v22.16b + aesmc v17.16b,v17.16b + orr v18.16b,v6.16b,v6.16b + subs x2,x2,#3 + aese v4.16b,v23.16b + aese v5.16b,v23.16b + aese v17.16b,v23.16b + + eor v2.16b,v2.16b,v4.16b + ld1 {v16.4s},[x7],#16 // re-pre-load rndkey[0] + st1 {v2.16b},[x1],#16 + eor v3.16b,v3.16b,v5.16b + mov w6,w5 + st1 {v3.16b},[x1],#16 + eor v19.16b,v19.16b,v17.16b + ld1 {v17.4s},[x7],#16 // re-pre-load rndkey[1] + st1 {v19.16b},[x1],#16 + b.hs Loop3x_ctr32 + + adds x2,x2,#3 + b.eq Lctr32_done + cmp x2,#1 + mov x12,#16 + csel x12,xzr,x12,eq + +Lctr32_tail: + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + aese v1.16b,v16.16b + aesmc v1.16b,v1.16b + ld1 {v16.4s},[x7],#16 + subs w6,w6,#2 + aese v0.16b,v17.16b + aesmc v0.16b,v0.16b + aese v1.16b,v17.16b + aesmc v1.16b,v1.16b + ld1 {v17.4s},[x7],#16 + b.gt Lctr32_tail + + aese v0.16b,v16.16b + aesmc v0.16b,v0.16b + aese v1.16b,v16.16b + aesmc v1.16b,v1.16b + aese v0.16b,v17.16b + aesmc v0.16b,v0.16b + aese v1.16b,v17.16b + aesmc v1.16b,v1.16b + ld1 {v2.16b},[x0],x12 + aese v0.16b,v20.16b + aesmc v0.16b,v0.16b + aese v1.16b,v20.16b + aesmc v1.16b,v1.16b + ld1 {v3.16b},[x0] + aese v0.16b,v21.16b + aesmc v0.16b,v0.16b + aese v1.16b,v21.16b + aesmc v1.16b,v1.16b + eor v2.16b,v2.16b,v7.16b + aese v0.16b,v22.16b + aesmc v0.16b,v0.16b + aese v1.16b,v22.16b + aesmc v1.16b,v1.16b + eor v3.16b,v3.16b,v7.16b + aese v0.16b,v23.16b + aese v1.16b,v23.16b + + cmp x2,#1 + eor v2.16b,v2.16b,v0.16b + eor v3.16b,v3.16b,v1.16b + st1 {v2.16b},[x1],#16 + b.eq Lctr32_done + st1 {v3.16b},[x1] + +Lctr32_done: + ldr x29,[sp],#16 + ret + +#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) 
+.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-apple.S index 710c1b6ab..496ea7f03 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1555,7 +1554,6 @@ Ldec_blocks_less_than_1: // blocks left <= 1 #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-linux.S index 5b05d4977..af0224454 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/aesv8-gcm-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -1555,7 +1554,6 @@ aes_gcm_dec_kernel: .size aes_gcm_dec_kernel,.-aes_gcm_dec_kernel #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-win.S new file mode 100644 index 000000000..dd2a98875 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/aesv8-gcm-armv8-win.S 
@@ -0,0 +1,1564 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include +#if __ARM_MAX_ARCH__ >= 8 + +.arch armv8-a+crypto +.text +.globl aes_gcm_enc_kernel + +.def aes_gcm_enc_kernel + .type 32 +.endef +.align 4 +aes_gcm_enc_kernel: + AARCH64_SIGN_LINK_REGISTER + stp x29, x30, [sp, #-128]! + mov x29, sp + stp x19, x20, [sp, #16] + mov x16, x4 + mov x8, x5 + stp x21, x22, [sp, #32] + stp x23, x24, [sp, #48] + stp d8, d9, [sp, #64] + stp d10, d11, [sp, #80] + stp d12, d13, [sp, #96] + stp d14, d15, [sp, #112] + ldr w17, [x8, #240] + add x19, x8, x17, lsl #4 // borrow input_l1 for last key + ldp x13, x14, [x19] // load round N keys + ldr q31, [x19, #-16] // load round N-1 keys + add x4, x0, x1, lsr #3 // end_input_ptr + lsr x5, x1, #3 // byte_len + mov x15, x5 + ldp x10, x11, [x16] // ctr96_b64, ctr96_t32 + ld1 { v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible + sub x5, x5, #1 // byte_len - 1 + ldr q18, [x8, #0] // load rk0 + and x5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail) + ldr q25, [x8, #112] // load rk7 + add x5, x5, x0 + lsr x12, x11, #32 + fmov d2, x10 // CTR block 2 + orr w11, w11, w11 + rev w12, w12 // rev_ctr32 + fmov d1, x10 // CTR block 1 + aese v0.16b, v18.16b + aesmc v0.16b, v0.16b // AES block 0 - round 0 + add w12, w12, #1 // increment rev_ctr32 + rev w9, w12 // CTR block 1 + fmov d3, x10 // CTR block 3 + orr x9, x11, x9, lsl #32 // CTR block 1 + add w12, w12, #1 // CTR block 1 + ldr q19, [x8, #16] // load rk1 + fmov v1.d[1], x9 // CTR block 1 + rev w9, w12 // CTR block 2 + add w12, w12, #1 // CTR block 2 + orr x9, x11, x9, lsl #32 // CTR block 2 + ldr q20, [x8, #32] // load rk2 + fmov v2.d[1], x9 // CTR block 2 + 
rev w9, w12 // CTR block 3 + aese v0.16b, v19.16b + aesmc v0.16b, v0.16b // AES block 0 - round 1 + orr x9, x11, x9, lsl #32 // CTR block 3 + fmov v3.d[1], x9 // CTR block 3 + aese v1.16b, v18.16b + aesmc v1.16b, v1.16b // AES block 1 - round 0 + ldr q21, [x8, #48] // load rk3 + aese v0.16b, v20.16b + aesmc v0.16b, v0.16b // AES block 0 - round 2 + ldr q24, [x8, #96] // load rk6 + aese v2.16b, v18.16b + aesmc v2.16b, v2.16b // AES block 2 - round 0 + ldr q23, [x8, #80] // load rk5 + aese v1.16b, v19.16b + aesmc v1.16b, v1.16b // AES block 1 - round 1 + ldr q14, [x6, #48] // load h3l | h3h + ext v14.16b, v14.16b, v14.16b, #8 + aese v3.16b, v18.16b + aesmc v3.16b, v3.16b // AES block 3 - round 0 + aese v2.16b, v19.16b + aesmc v2.16b, v2.16b // AES block 2 - round 1 + ldr q22, [x8, #64] // load rk4 + aese v1.16b, v20.16b + aesmc v1.16b, v1.16b // AES block 1 - round 2 + ldr q13, [x6, #32] // load h2l | h2h + ext v13.16b, v13.16b, v13.16b, #8 + aese v3.16b, v19.16b + aesmc v3.16b, v3.16b // AES block 3 - round 1 + ldr q30, [x8, #192] // load rk12 + aese v2.16b, v20.16b + aesmc v2.16b, v2.16b // AES block 2 - round 2 + ldr q15, [x6, #80] // load h4l | h4h + ext v15.16b, v15.16b, v15.16b, #8 + aese v1.16b, v21.16b + aesmc v1.16b, v1.16b // AES block 1 - round 3 + ldr q29, [x8, #176] // load rk11 + aese v3.16b, v20.16b + aesmc v3.16b, v3.16b // AES block 3 - round 2 + ldr q26, [x8, #128] // load rk8 + aese v2.16b, v21.16b + aesmc v2.16b, v2.16b // AES block 2 - round 3 + add w12, w12, #1 // CTR block 3 + aese v0.16b, v21.16b + aesmc v0.16b, v0.16b // AES block 0 - round 3 + aese v3.16b, v21.16b + aesmc v3.16b, v3.16b // AES block 3 - round 3 + ld1 { v11.16b}, [x3] + ext v11.16b, v11.16b, v11.16b, #8 + rev64 v11.16b, v11.16b + aese v2.16b, v22.16b + aesmc v2.16b, v2.16b // AES block 2 - round 4 + aese v0.16b, v22.16b + aesmc v0.16b, v0.16b // AES block 0 - round 4 + aese v1.16b, v22.16b + aesmc v1.16b, v1.16b // AES block 1 - round 4 + aese v3.16b, v22.16b + aesmc v3.16b, 
v3.16b // AES block 3 - round 4 + cmp x17, #12 // setup flags for AES-128/192/256 check + aese v0.16b, v23.16b + aesmc v0.16b, v0.16b // AES block 0 - round 5 + aese v1.16b, v23.16b + aesmc v1.16b, v1.16b // AES block 1 - round 5 + aese v3.16b, v23.16b + aesmc v3.16b, v3.16b // AES block 3 - round 5 + aese v2.16b, v23.16b + aesmc v2.16b, v2.16b // AES block 2 - round 5 + aese v1.16b, v24.16b + aesmc v1.16b, v1.16b // AES block 1 - round 6 + trn2 v17.2d, v14.2d, v15.2d // h4l | h3l + aese v3.16b, v24.16b + aesmc v3.16b, v3.16b // AES block 3 - round 6 + ldr q27, [x8, #144] // load rk9 + aese v0.16b, v24.16b + aesmc v0.16b, v0.16b // AES block 0 - round 6 + ldr q12, [x6] // load h1l | h1h + ext v12.16b, v12.16b, v12.16b, #8 + aese v2.16b, v24.16b + aesmc v2.16b, v2.16b // AES block 2 - round 6 + ldr q28, [x8, #160] // load rk10 + aese v1.16b, v25.16b + aesmc v1.16b, v1.16b // AES block 1 - round 7 + trn1 v9.2d, v14.2d, v15.2d // h4h | h3h + aese v0.16b, v25.16b + aesmc v0.16b, v0.16b // AES block 0 - round 7 + aese v2.16b, v25.16b + aesmc v2.16b, v2.16b // AES block 2 - round 7 + aese v3.16b, v25.16b + aesmc v3.16b, v3.16b // AES block 3 - round 7 + trn2 v16.2d, v12.2d, v13.2d // h2l | h1l + aese v1.16b, v26.16b + aesmc v1.16b, v1.16b // AES block 1 - round 8 + aese v2.16b, v26.16b + aesmc v2.16b, v2.16b // AES block 2 - round 8 + aese v3.16b, v26.16b + aesmc v3.16b, v3.16b // AES block 3 - round 8 + aese v0.16b, v26.16b + aesmc v0.16b, v0.16b // AES block 0 - round 8 + b.lt Lenc_finish_first_blocks // branch if AES-128 + + aese v1.16b, v27.16b + aesmc v1.16b, v1.16b // AES block 1 - round 9 + aese v2.16b, v27.16b + aesmc v2.16b, v2.16b // AES block 2 - round 9 + aese v3.16b, v27.16b + aesmc v3.16b, v3.16b // AES block 3 - round 9 + aese v0.16b, v27.16b + aesmc v0.16b, v0.16b // AES block 0 - round 9 + aese v1.16b, v28.16b + aesmc v1.16b, v1.16b // AES block 1 - round 10 + aese v2.16b, v28.16b + aesmc v2.16b, v2.16b // AES block 2 - round 10 + aese v3.16b, v28.16b + 
aesmc v3.16b, v3.16b // AES block 3 - round 10 + aese v0.16b, v28.16b + aesmc v0.16b, v0.16b // AES block 0 - round 10 + b.eq Lenc_finish_first_blocks // branch if AES-192 + + aese v1.16b, v29.16b + aesmc v1.16b, v1.16b // AES block 1 - round 11 + aese v2.16b, v29.16b + aesmc v2.16b, v2.16b // AES block 2 - round 11 + aese v0.16b, v29.16b + aesmc v0.16b, v0.16b // AES block 0 - round 11 + aese v3.16b, v29.16b + aesmc v3.16b, v3.16b // AES block 3 - round 11 + aese v1.16b, v30.16b + aesmc v1.16b, v1.16b // AES block 1 - round 12 + aese v2.16b, v30.16b + aesmc v2.16b, v2.16b // AES block 2 - round 12 + aese v0.16b, v30.16b + aesmc v0.16b, v0.16b // AES block 0 - round 12 + aese v3.16b, v30.16b + aesmc v3.16b, v3.16b // AES block 3 - round 12 + +Lenc_finish_first_blocks: + cmp x0, x5 // check if we have <= 4 blocks + eor v17.16b, v17.16b, v9.16b // h4k | h3k + aese v2.16b, v31.16b // AES block 2 - round N-1 + trn1 v8.2d, v12.2d, v13.2d // h2h | h1h + aese v1.16b, v31.16b // AES block 1 - round N-1 + aese v0.16b, v31.16b // AES block 0 - round N-1 + aese v3.16b, v31.16b // AES block 3 - round N-1 + eor v16.16b, v16.16b, v8.16b // h2k | h1k + b.ge Lenc_tail // handle tail + + ldp x19, x20, [x0, #16] // AES block 1 - load plaintext + rev w9, w12 // CTR block 4 + ldp x6, x7, [x0, #0] // AES block 0 - load plaintext + ldp x23, x24, [x0, #48] // AES block 3 - load plaintext + ldp x21, x22, [x0, #32] // AES block 2 - load plaintext + add x0, x0, #64 // AES input_ptr update + eor x19, x19, x13 // AES block 1 - round N low + eor x20, x20, x14 // AES block 1 - round N high + fmov d5, x19 // AES block 1 - mov low + eor x6, x6, x13 // AES block 0 - round N low + eor x7, x7, x14 // AES block 0 - round N high + eor x24, x24, x14 // AES block 3 - round N high + fmov d4, x6 // AES block 0 - mov low + cmp x0, x5 // check if we have <= 8 blocks + fmov v4.d[1], x7 // AES block 0 - mov high + eor x23, x23, x13 // AES block 3 - round N low + eor x21, x21, x13 // AES block 2 - round N low 
+ fmov v5.d[1], x20 // AES block 1 - mov high + fmov d6, x21 // AES block 2 - mov low + add w12, w12, #1 // CTR block 4 + orr x9, x11, x9, lsl #32 // CTR block 4 + fmov d7, x23 // AES block 3 - mov low + eor x22, x22, x14 // AES block 2 - round N high + fmov v6.d[1], x22 // AES block 2 - mov high + eor v4.16b, v4.16b, v0.16b // AES block 0 - result + fmov d0, x10 // CTR block 4 + fmov v0.d[1], x9 // CTR block 4 + rev w9, w12 // CTR block 5 + add w12, w12, #1 // CTR block 5 + eor v5.16b, v5.16b, v1.16b // AES block 1 - result + fmov d1, x10 // CTR block 5 + orr x9, x11, x9, lsl #32 // CTR block 5 + fmov v1.d[1], x9 // CTR block 5 + rev w9, w12 // CTR block 6 + st1 { v4.16b}, [x2], #16 // AES block 0 - store result + fmov v7.d[1], x24 // AES block 3 - mov high + orr x9, x11, x9, lsl #32 // CTR block 6 + eor v6.16b, v6.16b, v2.16b // AES block 2 - result + st1 { v5.16b}, [x2], #16 // AES block 1 - store result + add w12, w12, #1 // CTR block 6 + fmov d2, x10 // CTR block 6 + fmov v2.d[1], x9 // CTR block 6 + st1 { v6.16b}, [x2], #16 // AES block 2 - store result + rev w9, w12 // CTR block 7 + orr x9, x11, x9, lsl #32 // CTR block 7 + eor v7.16b, v7.16b, v3.16b // AES block 3 - result + st1 { v7.16b}, [x2], #16 // AES block 3 - store result + b.ge Lenc_prepretail // do prepretail + +Lenc_main_loop: // main loop start + aese v0.16b, v18.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 0 + rev64 v4.16b, v4.16b // GHASH block 4k (only t0 is free) + aese v1.16b, v18.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 0 + fmov d3, x10 // CTR block 4k+3 + aese v2.16b, v18.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 0 + ext v11.16b, v11.16b, v11.16b, #8 // PRE 0 + aese v0.16b, v19.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 1 + fmov v3.d[1], x9 // CTR block 4k+3 + aese v1.16b, v19.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 1 + ldp x23, x24, [x0, #48] // AES block 4k+7 - load plaintext + aese v2.16b, v19.16b + aesmc v2.16b, v2.16b // AES block 
4k+6 - round 1 + ldp x21, x22, [x0, #32] // AES block 4k+6 - load plaintext + aese v0.16b, v20.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 2 + eor v4.16b, v4.16b, v11.16b // PRE 1 + aese v1.16b, v20.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 2 + aese v3.16b, v18.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 0 + eor x23, x23, x13 // AES block 4k+7 - round N low + aese v0.16b, v21.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 3 + mov d10, v17.d[1] // GHASH block 4k - mid + pmull2 v9.1q, v4.2d, v15.2d // GHASH block 4k - high + eor x22, x22, x14 // AES block 4k+6 - round N high + mov d8, v4.d[1] // GHASH block 4k - mid + aese v3.16b, v19.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 1 + rev64 v5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free) + aese v0.16b, v22.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 4 + pmull v11.1q, v4.1d, v15.1d // GHASH block 4k - low + eor v8.8b, v8.8b, v4.8b // GHASH block 4k - mid + aese v2.16b, v20.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 2 + aese v0.16b, v23.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 5 + rev64 v7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free) + pmull2 v4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high + pmull v10.1q, v8.1d, v10.1d // GHASH block 4k - mid + rev64 v6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free) + pmull v8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high + mov d4, v5.d[1] // GHASH block 4k+1 - mid + aese v1.16b, v21.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 3 + aese v3.16b, v20.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 2 + eor v11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low + aese v2.16b, v21.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 3 + aese v1.16b, v22.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 4 + mov d8, v6.d[1] // GHASH block 4k+2 - mid + aese v3.16b, v21.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 3 + eor v4.8b, 
v4.8b, v5.8b // GHASH block 4k+1 - mid + aese v2.16b, v22.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 4 + aese v0.16b, v24.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 6 + eor v8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid + aese v3.16b, v22.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 4 + pmull v4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid + aese v0.16b, v25.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 7 + aese v3.16b, v23.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 5 + ins v8.d[1], v8.d[0] // GHASH block 4k+2 - mid + aese v1.16b, v23.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 5 + aese v0.16b, v26.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 8 + aese v2.16b, v23.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 5 + aese v1.16b, v24.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 6 + eor v10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid + pmull2 v4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high + pmull v5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low + aese v1.16b, v25.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 7 + pmull v6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high + aese v3.16b, v24.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 6 + ldp x19, x20, [x0, #16] // AES block 4k+5 - load plaintext + aese v1.16b, v26.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 8 + mov d4, v7.d[1] // GHASH block 4k+3 - mid + aese v2.16b, v24.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 6 + eor v11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low + pmull2 v8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid + pmull2 v5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high + eor v4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid + aese v2.16b, v25.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 7 + eor x19, x19, x13 // AES block 4k+5 - round N low + aese v2.16b, v26.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 8 + eor v10.16b, v10.16b, v8.16b // 
GHASH block 4k+2 - mid + aese v3.16b, v25.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 7 + eor x21, x21, x13 // AES block 4k+6 - round N low + aese v3.16b, v26.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 8 + movi v8.8b, #0xc2 + pmull v4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid + eor v9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high + cmp x17, #12 // setup flags for AES-128/192/256 check + fmov d5, x19 // AES block 4k+5 - mov low + ldp x6, x7, [x0, #0] // AES block 4k+4 - load plaintext + b.lt Lenc_main_loop_continue // branch if AES-128 + + aese v1.16b, v27.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 9 + aese v0.16b, v27.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 9 + aese v2.16b, v27.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 9 + aese v3.16b, v27.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 9 + aese v0.16b, v28.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 10 + aese v1.16b, v28.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 10 + aese v2.16b, v28.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 10 + aese v3.16b, v28.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 10 + b.eq Lenc_main_loop_continue // branch if AES-192 + + aese v0.16b, v29.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 11 + aese v1.16b, v29.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 11 + aese v2.16b, v29.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 11 + aese v3.16b, v29.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 11 + aese v1.16b, v30.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 12 + aese v0.16b, v30.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 12 + aese v2.16b, v30.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 12 + aese v3.16b, v30.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 12 + +Lenc_main_loop_continue: + shl d8, d8, #56 // mod_constant + eor v11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low + eor v10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid + add 
w12, w12, #1 // CTR block 4k+3 + eor v4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up + add x0, x0, #64 // AES input_ptr update + pmull v7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid + rev w9, w12 // CTR block 4k+8 + ext v9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment + eor x6, x6, x13 // AES block 4k+4 - round N low + eor v10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up + eor x7, x7, x14 // AES block 4k+4 - round N high + fmov d4, x6 // AES block 4k+4 - mov low + orr x9, x11, x9, lsl #32 // CTR block 4k+8 + eor v7.16b, v9.16b, v7.16b // MODULO - fold into mid + eor x20, x20, x14 // AES block 4k+5 - round N high + eor x24, x24, x14 // AES block 4k+7 - round N high + add w12, w12, #1 // CTR block 4k+8 + aese v0.16b, v31.16b // AES block 4k+4 - round N-1 + fmov v4.d[1], x7 // AES block 4k+4 - mov high + eor v10.16b, v10.16b, v7.16b // MODULO - fold into mid + fmov d7, x23 // AES block 4k+7 - mov low + aese v1.16b, v31.16b // AES block 4k+5 - round N-1 + fmov v5.d[1], x20 // AES block 4k+5 - mov high + fmov d6, x21 // AES block 4k+6 - mov low + cmp x0, x5 // LOOP CONTROL + fmov v6.d[1], x22 // AES block 4k+6 - mov high + pmull v9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low + eor v4.16b, v4.16b, v0.16b // AES block 4k+4 - result + fmov d0, x10 // CTR block 4k+8 + fmov v0.d[1], x9 // CTR block 4k+8 + rev w9, w12 // CTR block 4k+9 + add w12, w12, #1 // CTR block 4k+9 + eor v5.16b, v5.16b, v1.16b // AES block 4k+5 - result + fmov d1, x10 // CTR block 4k+9 + orr x9, x11, x9, lsl #32 // CTR block 4k+9 + fmov v1.d[1], x9 // CTR block 4k+9 + aese v2.16b, v31.16b // AES block 4k+6 - round N-1 + rev w9, w12 // CTR block 4k+10 + st1 { v4.16b}, [x2], #16 // AES block 4k+4 - store result + orr x9, x11, x9, lsl #32 // CTR block 4k+10 + eor v11.16b, v11.16b, v9.16b // MODULO - fold into low + fmov v7.d[1], x24 // AES block 4k+7 - mov high + ext v10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment + st1 { v5.16b}, [x2], #16 // AES block 
4k+5 - store result + add w12, w12, #1 // CTR block 4k+10 + aese v3.16b, v31.16b // AES block 4k+7 - round N-1 + eor v6.16b, v6.16b, v2.16b // AES block 4k+6 - result + fmov d2, x10 // CTR block 4k+10 + st1 { v6.16b}, [x2], #16 // AES block 4k+6 - store result + fmov v2.d[1], x9 // CTR block 4k+10 + rev w9, w12 // CTR block 4k+11 + eor v11.16b, v11.16b, v10.16b // MODULO - fold into low + orr x9, x11, x9, lsl #32 // CTR block 4k+11 + eor v7.16b, v7.16b, v3.16b // AES block 4k+7 - result + st1 { v7.16b}, [x2], #16 // AES block 4k+7 - store result + b.lt Lenc_main_loop + +Lenc_prepretail: // PREPRETAIL + aese v1.16b, v18.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 0 + rev64 v6.16b, v6.16b // GHASH block 4k+2 (t0, t1, and t2 free) + aese v2.16b, v18.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 0 + fmov d3, x10 // CTR block 4k+3 + aese v0.16b, v18.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 0 + rev64 v4.16b, v4.16b // GHASH block 4k (only t0 is free) + fmov v3.d[1], x9 // CTR block 4k+3 + ext v11.16b, v11.16b, v11.16b, #8 // PRE 0 + aese v2.16b, v19.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 1 + aese v0.16b, v19.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 1 + eor v4.16b, v4.16b, v11.16b // PRE 1 + rev64 v5.16b, v5.16b // GHASH block 4k+1 (t0 and t1 free) + aese v2.16b, v20.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 2 + aese v3.16b, v18.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 0 + mov d10, v17.d[1] // GHASH block 4k - mid + aese v1.16b, v19.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 1 + pmull v11.1q, v4.1d, v15.1d // GHASH block 4k - low + mov d8, v4.d[1] // GHASH block 4k - mid + pmull2 v9.1q, v4.2d, v15.2d // GHASH block 4k - high + aese v2.16b, v21.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 3 + aese v1.16b, v20.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 2 + eor v8.8b, v8.8b, v4.8b // GHASH block 4k - mid + aese v0.16b, v20.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - 
round 2 + aese v3.16b, v19.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 1 + aese v1.16b, v21.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 3 + pmull v10.1q, v8.1d, v10.1d // GHASH block 4k - mid + pmull2 v4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high + pmull v8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low + aese v3.16b, v20.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 2 + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high + mov d4, v5.d[1] // GHASH block 4k+1 - mid + aese v0.16b, v21.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 3 + eor v11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low + aese v3.16b, v21.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 3 + eor v4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid + mov d8, v6.d[1] // GHASH block 4k+2 - mid + aese v0.16b, v22.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 4 + rev64 v7.16b, v7.16b // GHASH block 4k+3 (t0, t1, t2 and t3 free) + aese v3.16b, v22.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 4 + pmull v4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid + eor v8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid + add w12, w12, #1 // CTR block 4k+3 + pmull v5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low + aese v3.16b, v23.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 5 + aese v2.16b, v22.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 4 + eor v10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid + pmull2 v4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high + eor v11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low + ins v8.d[1], v8.d[0] // GHASH block 4k+2 - mid + aese v2.16b, v23.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 5 + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high + mov d4, v7.d[1] // GHASH block 4k+3 - mid + aese v1.16b, v22.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 4 + pmull2 v8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid + eor v4.8b, v4.8b, v7.8b // GHASH block 4k+3 - mid + pmull2 v5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high + aese 
v1.16b, v23.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 5 + pmull v4.1q, v4.1d, v16.1d // GHASH block 4k+3 - mid + eor v10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid + aese v0.16b, v23.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 5 + aese v1.16b, v24.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 6 + aese v2.16b, v24.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 6 + aese v0.16b, v24.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 6 + movi v8.8b, #0xc2 + aese v3.16b, v24.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 6 + aese v1.16b, v25.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 7 + eor v9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high + aese v0.16b, v25.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 7 + aese v3.16b, v25.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 7 + shl d8, d8, #56 // mod_constant + aese v1.16b, v26.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 8 + eor v10.16b, v10.16b, v4.16b // GHASH block 4k+3 - mid + pmull v6.1q, v7.1d, v12.1d // GHASH block 4k+3 - low + aese v3.16b, v26.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 8 + cmp x17, #12 // setup flags for AES-128/192/256 check + aese v0.16b, v26.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 8 + eor v11.16b, v11.16b, v6.16b // GHASH block 4k+3 - low + aese v2.16b, v25.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 7 + eor v10.16b, v10.16b, v9.16b // karatsuba tidy up + aese v2.16b, v26.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 8 + pmull v4.1q, v9.1d, v8.1d + ext v9.16b, v9.16b, v9.16b, #8 + eor v10.16b, v10.16b, v11.16b + b.lt Lenc_finish_prepretail // branch if AES-128 + + aese v1.16b, v27.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 9 + aese v3.16b, v27.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 9 + aese v0.16b, v27.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 9 + aese v2.16b, v27.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 9 + aese v3.16b, v28.16b + 
aesmc v3.16b, v3.16b // AES block 4k+7 - round 10 + aese v1.16b, v28.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 10 + aese v0.16b, v28.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 10 + aese v2.16b, v28.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 10 + b.eq Lenc_finish_prepretail // branch if AES-192 + + aese v1.16b, v29.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 11 + aese v0.16b, v29.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 11 + aese v3.16b, v29.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 11 + aese v2.16b, v29.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 11 + aese v1.16b, v30.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 12 + aese v0.16b, v30.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 12 + aese v3.16b, v30.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 12 + aese v2.16b, v30.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 12 + +Lenc_finish_prepretail: + eor v10.16b, v10.16b, v4.16b + eor v10.16b, v10.16b, v9.16b + pmull v4.1q, v10.1d, v8.1d + ext v10.16b, v10.16b, v10.16b, #8 + aese v1.16b, v31.16b // AES block 4k+5 - round N-1 + eor v11.16b, v11.16b, v4.16b + aese v3.16b, v31.16b // AES block 4k+7 - round N-1 + aese v0.16b, v31.16b // AES block 4k+4 - round N-1 + aese v2.16b, v31.16b // AES block 4k+6 - round N-1 + eor v11.16b, v11.16b, v10.16b + +Lenc_tail: // TAIL + ext v8.16b, v11.16b, v11.16b, #8 // prepare final partial tag + sub x5, x4, x0 // main_end_input_ptr is number of bytes left to process + ldp x6, x7, [x0], #16 // AES block 4k+4 - load plaintext + eor x6, x6, x13 // AES block 4k+4 - round N low + eor x7, x7, x14 // AES block 4k+4 - round N high + cmp x5, #48 + fmov d4, x6 // AES block 4k+4 - mov low + fmov v4.d[1], x7 // AES block 4k+4 - mov high + eor v5.16b, v4.16b, v0.16b // AES block 4k+4 - result + b.gt Lenc_blocks_more_than_3 + cmp x5, #32 + mov v3.16b, v2.16b + movi v11.8b, #0 + movi v9.8b, #0 + sub w12, w12, #1 + mov v2.16b, v1.16b + movi v10.8b, #0 + 
b.gt Lenc_blocks_more_than_2 + mov v3.16b, v1.16b + sub w12, w12, #1 + cmp x5, #16 + b.gt Lenc_blocks_more_than_1 + sub w12, w12, #1 + b Lenc_blocks_less_than_1 +Lenc_blocks_more_than_3: // blocks left > 3 + st1 { v5.16b}, [x2], #16 // AES final-3 block - store result + ldp x6, x7, [x0], #16 // AES final-2 block - load input low & high + rev64 v4.16b, v5.16b // GHASH final-3 block + eor x6, x6, x13 // AES final-2 block - round N low + eor v4.16b, v4.16b, v8.16b // feed in partial tag + eor x7, x7, x14 // AES final-2 block - round N high + mov d22, v4.d[1] // GHASH final-3 block - mid + fmov d5, x6 // AES final-2 block - mov low + fmov v5.d[1], x7 // AES final-2 block - mov high + eor v22.8b, v22.8b, v4.8b // GHASH final-3 block - mid + movi v8.8b, #0 // suppress further partial tag feed in + mov d10, v17.d[1] // GHASH final-3 block - mid + pmull v11.1q, v4.1d, v15.1d // GHASH final-3 block - low + pmull2 v9.1q, v4.2d, v15.2d // GHASH final-3 block - high + pmull v10.1q, v22.1d, v10.1d // GHASH final-3 block - mid + eor v5.16b, v5.16b, v1.16b // AES final-2 block - result +Lenc_blocks_more_than_2: // blocks left > 2 + st1 { v5.16b}, [x2], #16 // AES final-2 block - store result + ldp x6, x7, [x0], #16 // AES final-1 block - load input low & high + rev64 v4.16b, v5.16b // GHASH final-2 block + eor x6, x6, x13 // AES final-1 block - round N low + eor v4.16b, v4.16b, v8.16b // feed in partial tag + fmov d5, x6 // AES final-1 block - mov low + eor x7, x7, x14 // AES final-1 block - round N high + fmov v5.d[1], x7 // AES final-1 block - mov high + movi v8.8b, #0 // suppress further partial tag feed in + pmull2 v20.1q, v4.2d, v14.2d // GHASH final-2 block - high + mov d22, v4.d[1] // GHASH final-2 block - mid + pmull v21.1q, v4.1d, v14.1d // GHASH final-2 block - low + eor v22.8b, v22.8b, v4.8b // GHASH final-2 block - mid + eor v5.16b, v5.16b, v2.16b // AES final-1 block - result + eor v9.16b, v9.16b, v20.16b // GHASH final-2 block - high + pmull v22.1q, v22.1d, v17.1d 
// GHASH final-2 block - mid + eor v11.16b, v11.16b, v21.16b // GHASH final-2 block - low + eor v10.16b, v10.16b, v22.16b // GHASH final-2 block - mid +Lenc_blocks_more_than_1: // blocks left > 1 + st1 { v5.16b}, [x2], #16 // AES final-1 block - store result + rev64 v4.16b, v5.16b // GHASH final-1 block + ldp x6, x7, [x0], #16 // AES final block - load input low & high + eor v4.16b, v4.16b, v8.16b // feed in partial tag + movi v8.8b, #0 // suppress further partial tag feed in + eor x6, x6, x13 // AES final block - round N low + mov d22, v4.d[1] // GHASH final-1 block - mid + pmull2 v20.1q, v4.2d, v13.2d // GHASH final-1 block - high + eor x7, x7, x14 // AES final block - round N high + eor v22.8b, v22.8b, v4.8b // GHASH final-1 block - mid + eor v9.16b, v9.16b, v20.16b // GHASH final-1 block - high + ins v22.d[1], v22.d[0] // GHASH final-1 block - mid + fmov d5, x6 // AES final block - mov low + fmov v5.d[1], x7 // AES final block - mov high + pmull2 v22.1q, v22.2d, v16.2d // GHASH final-1 block - mid + pmull v21.1q, v4.1d, v13.1d // GHASH final-1 block - low + eor v5.16b, v5.16b, v3.16b // AES final block - result + eor v10.16b, v10.16b, v22.16b // GHASH final-1 block - mid + eor v11.16b, v11.16b, v21.16b // GHASH final-1 block - low +Lenc_blocks_less_than_1: // blocks left <= 1 + and x1, x1, #127 // bit_length %= 128 + mvn x13, xzr // rkN_l = 0xffffffffffffffff + sub x1, x1, #128 // bit_length -= 128 + neg x1, x1 // bit_length = 128 - #bits in input (in range [1,128]) + ld1 { v18.16b}, [x2] // load existing bytes where the possibly partial last block is to be stored + mvn x14, xzr // rkN_h = 0xffffffffffffffff + and x1, x1, #127 // bit_length %= 128 + lsr x14, x14, x1 // rkN_h is mask for top 64b of last block + cmp x1, #64 + csel x6, x13, x14, lt + csel x7, x14, xzr, lt + fmov d0, x6 // ctr0b is mask for last block + fmov v0.d[1], x7 + and v5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits + rev64 v4.16b, v5.16b // GHASH final block 
+ eor v4.16b, v4.16b, v8.16b // feed in partial tag + bif v5.16b, v18.16b, v0.16b // insert existing bytes in top end of result before storing + pmull2 v20.1q, v4.2d, v12.2d // GHASH final block - high + mov d8, v4.d[1] // GHASH final block - mid + rev w9, w12 + pmull v21.1q, v4.1d, v12.1d // GHASH final block - low + eor v9.16b, v9.16b, v20.16b // GHASH final block - high + eor v8.8b, v8.8b, v4.8b // GHASH final block - mid + pmull v8.1q, v8.1d, v16.1d // GHASH final block - mid + eor v11.16b, v11.16b, v21.16b // GHASH final block - low + eor v10.16b, v10.16b, v8.16b // GHASH final block - mid + movi v8.8b, #0xc2 + eor v4.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up + shl d8, d8, #56 // mod_constant + eor v10.16b, v10.16b, v4.16b // MODULO - karatsuba tidy up + pmull v7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid + ext v9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment + eor v10.16b, v10.16b, v7.16b // MODULO - fold into mid + eor v10.16b, v10.16b, v9.16b // MODULO - fold into mid + pmull v9.1q, v10.1d, v8.1d // MODULO - mid 64b align with low + ext v10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment + str w9, [x16, #12] // store the updated counter + st1 { v5.16b}, [x2] // store all 16B + eor v11.16b, v11.16b, v9.16b // MODULO - fold into low + eor v11.16b, v11.16b, v10.16b // MODULO - fold into low + ext v11.16b, v11.16b, v11.16b, #8 + rev64 v11.16b, v11.16b + mov x0, x15 + st1 { v11.16b }, [x3] + ldp x19, x20, [sp, #16] + ldp x21, x22, [sp, #32] + ldp x23, x24, [sp, #48] + ldp d8, d9, [sp, #64] + ldp d10, d11, [sp, #80] + ldp d12, d13, [sp, #96] + ldp d14, d15, [sp, #112] + ldp x29, x30, [sp], #128 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl aes_gcm_dec_kernel + +.def aes_gcm_dec_kernel + .type 32 +.endef +.align 4 +aes_gcm_dec_kernel: + AARCH64_SIGN_LINK_REGISTER + stp x29, x30, [sp, #-128]! 
+ mov x29, sp + stp x19, x20, [sp, #16] + mov x16, x4 + mov x8, x5 + stp x21, x22, [sp, #32] + stp x23, x24, [sp, #48] + stp d8, d9, [sp, #64] + stp d10, d11, [sp, #80] + stp d12, d13, [sp, #96] + stp d14, d15, [sp, #112] + ldr w17, [x8, #240] + add x19, x8, x17, lsl #4 // borrow input_l1 for last key + ldp x13, x14, [x19] // load round N keys + ldr q31, [x19, #-16] // load round N-1 keys + lsr x5, x1, #3 // byte_len + mov x15, x5 + ldp x10, x11, [x16] // ctr96_b64, ctr96_t32 + ldr q26, [x8, #128] // load rk8 + sub x5, x5, #1 // byte_len - 1 + ldr q25, [x8, #112] // load rk7 + and x5, x5, #0xffffffffffffffc0 // number of bytes to be processed in main loop (at least 1 byte must be handled by tail) + add x4, x0, x1, lsr #3 // end_input_ptr + ldr q24, [x8, #96] // load rk6 + lsr x12, x11, #32 + ldr q23, [x8, #80] // load rk5 + orr w11, w11, w11 + ldr q21, [x8, #48] // load rk3 + add x5, x5, x0 + rev w12, w12 // rev_ctr32 + add w12, w12, #1 // increment rev_ctr32 + fmov d3, x10 // CTR block 3 + rev w9, w12 // CTR block 1 + add w12, w12, #1 // CTR block 1 + fmov d1, x10 // CTR block 1 + orr x9, x11, x9, lsl #32 // CTR block 1 + ld1 { v0.16b}, [x16] // special case vector load initial counter so we can start first AES block as quickly as possible + fmov v1.d[1], x9 // CTR block 1 + rev w9, w12 // CTR block 2 + add w12, w12, #1 // CTR block 2 + fmov d2, x10 // CTR block 2 + orr x9, x11, x9, lsl #32 // CTR block 2 + fmov v2.d[1], x9 // CTR block 2 + rev w9, w12 // CTR block 3 + orr x9, x11, x9, lsl #32 // CTR block 3 + ldr q18, [x8, #0] // load rk0 + fmov v3.d[1], x9 // CTR block 3 + add w12, w12, #1 // CTR block 3 + ldr q22, [x8, #64] // load rk4 + ldr q19, [x8, #16] // load rk1 + aese v0.16b, v18.16b + aesmc v0.16b, v0.16b // AES block 0 - round 0 + ldr q14, [x6, #48] // load h3l | h3h + ext v14.16b, v14.16b, v14.16b, #8 + aese v3.16b, v18.16b + aesmc v3.16b, v3.16b // AES block 3 - round 0 + ldr q15, [x6, #80] // load h4l | h4h + ext v15.16b, v15.16b, v15.16b, #8 + aese 
v1.16b, v18.16b + aesmc v1.16b, v1.16b // AES block 1 - round 0 + ldr q13, [x6, #32] // load h2l | h2h + ext v13.16b, v13.16b, v13.16b, #8 + aese v2.16b, v18.16b + aesmc v2.16b, v2.16b // AES block 2 - round 0 + ldr q20, [x8, #32] // load rk2 + aese v0.16b, v19.16b + aesmc v0.16b, v0.16b // AES block 0 - round 1 + aese v1.16b, v19.16b + aesmc v1.16b, v1.16b // AES block 1 - round 1 + ld1 { v11.16b}, [x3] + ext v11.16b, v11.16b, v11.16b, #8 + rev64 v11.16b, v11.16b + aese v2.16b, v19.16b + aesmc v2.16b, v2.16b // AES block 2 - round 1 + ldr q27, [x8, #144] // load rk9 + aese v3.16b, v19.16b + aesmc v3.16b, v3.16b // AES block 3 - round 1 + ldr q30, [x8, #192] // load rk12 + aese v0.16b, v20.16b + aesmc v0.16b, v0.16b // AES block 0 - round 2 + ldr q12, [x6] // load h1l | h1h + ext v12.16b, v12.16b, v12.16b, #8 + aese v2.16b, v20.16b + aesmc v2.16b, v2.16b // AES block 2 - round 2 + ldr q28, [x8, #160] // load rk10 + aese v3.16b, v20.16b + aesmc v3.16b, v3.16b // AES block 3 - round 2 + aese v0.16b, v21.16b + aesmc v0.16b, v0.16b // AES block 0 - round 3 + aese v1.16b, v20.16b + aesmc v1.16b, v1.16b // AES block 1 - round 2 + aese v3.16b, v21.16b + aesmc v3.16b, v3.16b // AES block 3 - round 3 + aese v0.16b, v22.16b + aesmc v0.16b, v0.16b // AES block 0 - round 4 + aese v2.16b, v21.16b + aesmc v2.16b, v2.16b // AES block 2 - round 3 + aese v1.16b, v21.16b + aesmc v1.16b, v1.16b // AES block 1 - round 3 + aese v3.16b, v22.16b + aesmc v3.16b, v3.16b // AES block 3 - round 4 + aese v2.16b, v22.16b + aesmc v2.16b, v2.16b // AES block 2 - round 4 + aese v1.16b, v22.16b + aesmc v1.16b, v1.16b // AES block 1 - round 4 + aese v3.16b, v23.16b + aesmc v3.16b, v3.16b // AES block 3 - round 5 + aese v0.16b, v23.16b + aesmc v0.16b, v0.16b // AES block 0 - round 5 + aese v1.16b, v23.16b + aesmc v1.16b, v1.16b // AES block 1 - round 5 + aese v2.16b, v23.16b + aesmc v2.16b, v2.16b // AES block 2 - round 5 + aese v0.16b, v24.16b + aesmc v0.16b, v0.16b // AES block 0 - round 6 + aese 
v3.16b, v24.16b + aesmc v3.16b, v3.16b // AES block 3 - round 6 + cmp x17, #12 // setup flags for AES-128/192/256 check + aese v1.16b, v24.16b + aesmc v1.16b, v1.16b // AES block 1 - round 6 + aese v2.16b, v24.16b + aesmc v2.16b, v2.16b // AES block 2 - round 6 + aese v0.16b, v25.16b + aesmc v0.16b, v0.16b // AES block 0 - round 7 + aese v1.16b, v25.16b + aesmc v1.16b, v1.16b // AES block 1 - round 7 + aese v3.16b, v25.16b + aesmc v3.16b, v3.16b // AES block 3 - round 7 + aese v0.16b, v26.16b + aesmc v0.16b, v0.16b // AES block 0 - round 8 + aese v2.16b, v25.16b + aesmc v2.16b, v2.16b // AES block 2 - round 7 + aese v3.16b, v26.16b + aesmc v3.16b, v3.16b // AES block 3 - round 8 + aese v1.16b, v26.16b + aesmc v1.16b, v1.16b // AES block 1 - round 8 + ldr q29, [x8, #176] // load rk11 + aese v2.16b, v26.16b + aesmc v2.16b, v2.16b // AES block 2 - round 8 + b.lt Ldec_finish_first_blocks // branch if AES-128 + + aese v0.16b, v27.16b + aesmc v0.16b, v0.16b // AES block 0 - round 9 + aese v1.16b, v27.16b + aesmc v1.16b, v1.16b // AES block 1 - round 9 + aese v3.16b, v27.16b + aesmc v3.16b, v3.16b // AES block 3 - round 9 + aese v2.16b, v27.16b + aesmc v2.16b, v2.16b // AES block 2 - round 9 + aese v0.16b, v28.16b + aesmc v0.16b, v0.16b // AES block 0 - round 10 + aese v1.16b, v28.16b + aesmc v1.16b, v1.16b // AES block 1 - round 10 + aese v3.16b, v28.16b + aesmc v3.16b, v3.16b // AES block 3 - round 10 + aese v2.16b, v28.16b + aesmc v2.16b, v2.16b // AES block 2 - round 10 + b.eq Ldec_finish_first_blocks // branch if AES-192 + + aese v0.16b, v29.16b + aesmc v0.16b, v0.16b // AES block 0 - round 11 + aese v3.16b, v29.16b + aesmc v3.16b, v3.16b // AES block 3 - round 11 + aese v1.16b, v29.16b + aesmc v1.16b, v1.16b // AES block 1 - round 11 + aese v2.16b, v29.16b + aesmc v2.16b, v2.16b // AES block 2 - round 11 + aese v1.16b, v30.16b + aesmc v1.16b, v1.16b // AES block 1 - round 12 + aese v0.16b, v30.16b + aesmc v0.16b, v0.16b // AES block 0 - round 12 + aese v2.16b, 
v30.16b + aesmc v2.16b, v2.16b // AES block 2 - round 12 + aese v3.16b, v30.16b + aesmc v3.16b, v3.16b // AES block 3 - round 12 + +Ldec_finish_first_blocks: + cmp x0, x5 // check if we have <= 4 blocks + trn1 v9.2d, v14.2d, v15.2d // h4h | h3h + trn2 v17.2d, v14.2d, v15.2d // h4l | h3l + trn1 v8.2d, v12.2d, v13.2d // h2h | h1h + trn2 v16.2d, v12.2d, v13.2d // h2l | h1l + eor v17.16b, v17.16b, v9.16b // h4k | h3k + aese v1.16b, v31.16b // AES block 1 - round N-1 + aese v2.16b, v31.16b // AES block 2 - round N-1 + eor v16.16b, v16.16b, v8.16b // h2k | h1k + aese v3.16b, v31.16b // AES block 3 - round N-1 + aese v0.16b, v31.16b // AES block 0 - round N-1 + b.ge Ldec_tail // handle tail + + ldr q4, [x0, #0] // AES block 0 - load ciphertext + ldr q5, [x0, #16] // AES block 1 - load ciphertext + rev w9, w12 // CTR block 4 + eor v0.16b, v4.16b, v0.16b // AES block 0 - result + eor v1.16b, v5.16b, v1.16b // AES block 1 - result + rev64 v5.16b, v5.16b // GHASH block 1 + ldr q7, [x0, #48] // AES block 3 - load ciphertext + mov x7, v0.d[1] // AES block 0 - mov high + mov x6, v0.d[0] // AES block 0 - mov low + rev64 v4.16b, v4.16b // GHASH block 0 + add w12, w12, #1 // CTR block 4 + fmov d0, x10 // CTR block 4 + orr x9, x11, x9, lsl #32 // CTR block 4 + fmov v0.d[1], x9 // CTR block 4 + rev w9, w12 // CTR block 5 + add w12, w12, #1 // CTR block 5 + mov x19, v1.d[0] // AES block 1 - mov low + orr x9, x11, x9, lsl #32 // CTR block 5 + mov x20, v1.d[1] // AES block 1 - mov high + eor x7, x7, x14 // AES block 0 - round N high + eor x6, x6, x13 // AES block 0 - round N low + stp x6, x7, [x2], #16 // AES block 0 - store result + fmov d1, x10 // CTR block 5 + ldr q6, [x0, #32] // AES block 2 - load ciphertext + add x0, x0, #64 // AES input_ptr update + fmov v1.d[1], x9 // CTR block 5 + rev w9, w12 // CTR block 6 + add w12, w12, #1 // CTR block 6 + eor x19, x19, x13 // AES block 1 - round N low + orr x9, x11, x9, lsl #32 // CTR block 6 + eor x20, x20, x14 // AES block 1 - round N 
high + stp x19, x20, [x2], #16 // AES block 1 - store result + eor v2.16b, v6.16b, v2.16b // AES block 2 - result + cmp x0, x5 // check if we have <= 8 blocks + b.ge Ldec_prepretail // do prepretail + +Ldec_main_loop: // main loop start + mov x21, v2.d[0] // AES block 4k+2 - mov low + ext v11.16b, v11.16b, v11.16b, #8 // PRE 0 + eor v3.16b, v7.16b, v3.16b // AES block 4k+3 - result + aese v0.16b, v18.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 0 + mov x22, v2.d[1] // AES block 4k+2 - mov high + aese v1.16b, v18.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 0 + fmov d2, x10 // CTR block 4k+6 + fmov v2.d[1], x9 // CTR block 4k+6 + eor v4.16b, v4.16b, v11.16b // PRE 1 + rev w9, w12 // CTR block 4k+7 + aese v0.16b, v19.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 1 + mov x24, v3.d[1] // AES block 4k+3 - mov high + aese v1.16b, v19.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 1 + mov x23, v3.d[0] // AES block 4k+3 - mov low + pmull2 v9.1q, v4.2d, v15.2d // GHASH block 4k - high + mov d8, v4.d[1] // GHASH block 4k - mid + fmov d3, x10 // CTR block 4k+7 + aese v0.16b, v20.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 2 + orr x9, x11, x9, lsl #32 // CTR block 4k+7 + aese v2.16b, v18.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 0 + fmov v3.d[1], x9 // CTR block 4k+7 + aese v1.16b, v20.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 2 + eor v8.8b, v8.8b, v4.8b // GHASH block 4k - mid + aese v0.16b, v21.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 3 + eor x22, x22, x14 // AES block 4k+2 - round N high + aese v2.16b, v19.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 1 + mov d10, v17.d[1] // GHASH block 4k - mid + aese v1.16b, v21.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 3 + rev64 v6.16b, v6.16b // GHASH block 4k+2 + aese v3.16b, v18.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 0 + eor x21, x21, x13 // AES block 4k+2 - round N low + aese v2.16b, v20.16b + aesmc v2.16b, v2.16b // AES block 
4k+6 - round 2 + stp x21, x22, [x2], #16 // AES block 4k+2 - store result + pmull v11.1q, v4.1d, v15.1d // GHASH block 4k - low + pmull2 v4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high + aese v2.16b, v21.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 3 + rev64 v7.16b, v7.16b // GHASH block 4k+3 + pmull v10.1q, v8.1d, v10.1d // GHASH block 4k - mid + eor x23, x23, x13 // AES block 4k+3 - round N low + pmull v8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low + eor x24, x24, x14 // AES block 4k+3 - round N high + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high + aese v2.16b, v22.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 4 + aese v3.16b, v19.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 1 + mov d4, v5.d[1] // GHASH block 4k+1 - mid + aese v0.16b, v22.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 4 + eor v11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low + aese v2.16b, v23.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 5 + add w12, w12, #1 // CTR block 4k+7 + aese v3.16b, v20.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 2 + mov d8, v6.d[1] // GHASH block 4k+2 - mid + aese v1.16b, v22.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 4 + eor v4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid + pmull v5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low + aese v3.16b, v21.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 3 + eor v8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid + aese v1.16b, v23.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 5 + aese v0.16b, v23.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 5 + eor v11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low + pmull v4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid + rev w9, w12 // CTR block 4k+8 + aese v1.16b, v24.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 6 + ins v8.d[1], v8.d[0] // GHASH block 4k+2 - mid + aese v0.16b, v24.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 6 + add w12, w12, #1 // CTR block 4k+8 + aese v3.16b, v22.16b + aesmc v3.16b, 
v3.16b // AES block 4k+7 - round 4 + aese v1.16b, v25.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 7 + eor v10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid + aese v0.16b, v25.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 7 + pmull2 v4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high + mov d6, v7.d[1] // GHASH block 4k+3 - mid + aese v3.16b, v23.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 5 + pmull2 v8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid + aese v0.16b, v26.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 8 + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high + aese v3.16b, v24.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 6 + pmull v4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low + orr x9, x11, x9, lsl #32 // CTR block 4k+8 + eor v10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid + pmull2 v5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high + cmp x17, #12 // setup flags for AES-128/192/256 check + eor v6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid + aese v1.16b, v26.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 8 + aese v2.16b, v24.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 6 + eor v9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high + pmull v6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid + movi v8.8b, #0xc2 + aese v2.16b, v25.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 7 + eor v11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low + aese v3.16b, v25.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 7 + shl d8, d8, #56 // mod_constant + aese v2.16b, v26.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 8 + eor v10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid + aese v3.16b, v26.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 8 + b.lt Ldec_main_loop_continue // branch if AES-128 + + aese v0.16b, v27.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 9 + aese v2.16b, v27.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 9 + aese v1.16b, v27.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 9 + 
aese v3.16b, v27.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 9 + aese v0.16b, v28.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 10 + aese v1.16b, v28.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 10 + aese v2.16b, v28.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 10 + aese v3.16b, v28.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 10 + b.eq Ldec_main_loop_continue // branch if AES-192 + + aese v0.16b, v29.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 11 + aese v1.16b, v29.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 11 + aese v2.16b, v29.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 11 + aese v3.16b, v29.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 11 + aese v0.16b, v30.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 12 + aese v1.16b, v30.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 12 + aese v2.16b, v30.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 12 + aese v3.16b, v30.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 12 + +Ldec_main_loop_continue: + pmull v7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid + eor v6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up + ldr q4, [x0, #0] // AES block 4k+4 - load ciphertext + aese v0.16b, v31.16b // AES block 4k+4 - round N-1 + ext v9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment + eor v10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up + ldr q5, [x0, #16] // AES block 4k+5 - load ciphertext + eor v0.16b, v4.16b, v0.16b // AES block 4k+4 - result + stp x23, x24, [x2], #16 // AES block 4k+3 - store result + eor v10.16b, v10.16b, v7.16b // MODULO - fold into mid + ldr q7, [x0, #48] // AES block 4k+7 - load ciphertext + ldr q6, [x0, #32] // AES block 4k+6 - load ciphertext + mov x7, v0.d[1] // AES block 4k+4 - mov high + eor v10.16b, v10.16b, v9.16b // MODULO - fold into mid + aese v1.16b, v31.16b // AES block 4k+5 - round N-1 + add x0, x0, #64 // AES input_ptr update + mov x6, v0.d[0] // AES block 4k+4 - mov low + 
fmov d0, x10 // CTR block 4k+8 + fmov v0.d[1], x9 // CTR block 4k+8 + pmull v8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low + eor v1.16b, v5.16b, v1.16b // AES block 4k+5 - result + rev w9, w12 // CTR block 4k+9 + aese v2.16b, v31.16b // AES block 4k+6 - round N-1 + orr x9, x11, x9, lsl #32 // CTR block 4k+9 + cmp x0, x5 // LOOP CONTROL + add w12, w12, #1 // CTR block 4k+9 + eor x6, x6, x13 // AES block 4k+4 - round N low + eor x7, x7, x14 // AES block 4k+4 - round N high + mov x20, v1.d[1] // AES block 4k+5 - mov high + eor v2.16b, v6.16b, v2.16b // AES block 4k+6 - result + eor v11.16b, v11.16b, v8.16b // MODULO - fold into low + mov x19, v1.d[0] // AES block 4k+5 - mov low + fmov d1, x10 // CTR block 4k+9 + ext v10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment + fmov v1.d[1], x9 // CTR block 4k+9 + rev w9, w12 // CTR block 4k+10 + add w12, w12, #1 // CTR block 4k+10 + aese v3.16b, v31.16b // AES block 4k+7 - round N-1 + orr x9, x11, x9, lsl #32 // CTR block 4k+10 + rev64 v5.16b, v5.16b // GHASH block 4k+5 + eor x20, x20, x14 // AES block 4k+5 - round N high + stp x6, x7, [x2], #16 // AES block 4k+4 - store result + eor x19, x19, x13 // AES block 4k+5 - round N low + stp x19, x20, [x2], #16 // AES block 4k+5 - store result + rev64 v4.16b, v4.16b // GHASH block 4k+4 + eor v11.16b, v11.16b, v10.16b // MODULO - fold into low + b.lt Ldec_main_loop + +Ldec_prepretail: // PREPRETAIL + ext v11.16b, v11.16b, v11.16b, #8 // PRE 0 + mov x21, v2.d[0] // AES block 4k+2 - mov low + eor v3.16b, v7.16b, v3.16b // AES block 4k+3 - result + aese v0.16b, v18.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 0 + mov x22, v2.d[1] // AES block 4k+2 - mov high + aese v1.16b, v18.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 0 + fmov d2, x10 // CTR block 4k+6 + fmov v2.d[1], x9 // CTR block 4k+6 + rev w9, w12 // CTR block 4k+7 + eor v4.16b, v4.16b, v11.16b // PRE 1 + rev64 v6.16b, v6.16b // GHASH block 4k+2 + orr x9, x11, x9, lsl #32 // CTR block 4k+7 + 
mov x23, v3.d[0] // AES block 4k+3 - mov low + aese v1.16b, v19.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 1 + mov x24, v3.d[1] // AES block 4k+3 - mov high + pmull v11.1q, v4.1d, v15.1d // GHASH block 4k - low + mov d8, v4.d[1] // GHASH block 4k - mid + fmov d3, x10 // CTR block 4k+7 + pmull2 v9.1q, v4.2d, v15.2d // GHASH block 4k - high + fmov v3.d[1], x9 // CTR block 4k+7 + aese v2.16b, v18.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 0 + mov d10, v17.d[1] // GHASH block 4k - mid + aese v0.16b, v19.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 1 + eor v8.8b, v8.8b, v4.8b // GHASH block 4k - mid + pmull2 v4.1q, v5.2d, v14.2d // GHASH block 4k+1 - high + aese v2.16b, v19.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 1 + rev64 v7.16b, v7.16b // GHASH block 4k+3 + aese v3.16b, v18.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 0 + pmull v10.1q, v8.1d, v10.1d // GHASH block 4k - mid + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+1 - high + pmull v8.1q, v5.1d, v14.1d // GHASH block 4k+1 - low + aese v3.16b, v19.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 1 + mov d4, v5.d[1] // GHASH block 4k+1 - mid + aese v0.16b, v20.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 2 + aese v1.16b, v20.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 2 + eor v11.16b, v11.16b, v8.16b // GHASH block 4k+1 - low + aese v2.16b, v20.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 2 + aese v0.16b, v21.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 3 + mov d8, v6.d[1] // GHASH block 4k+2 - mid + aese v3.16b, v20.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 2 + eor v4.8b, v4.8b, v5.8b // GHASH block 4k+1 - mid + pmull v5.1q, v6.1d, v13.1d // GHASH block 4k+2 - low + aese v0.16b, v22.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 4 + aese v3.16b, v21.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 3 + eor v8.8b, v8.8b, v6.8b // GHASH block 4k+2 - mid + pmull v4.1q, v4.1d, v17.1d // GHASH block 4k+1 - mid + 
aese v0.16b, v23.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 5 + eor v11.16b, v11.16b, v5.16b // GHASH block 4k+2 - low + aese v3.16b, v22.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 4 + pmull2 v5.1q, v7.2d, v12.2d // GHASH block 4k+3 - high + eor v10.16b, v10.16b, v4.16b // GHASH block 4k+1 - mid + pmull2 v4.1q, v6.2d, v13.2d // GHASH block 4k+2 - high + aese v3.16b, v23.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 5 + ins v8.d[1], v8.d[0] // GHASH block 4k+2 - mid + aese v2.16b, v21.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 3 + aese v1.16b, v21.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 3 + eor v9.16b, v9.16b, v4.16b // GHASH block 4k+2 - high + pmull v4.1q, v7.1d, v12.1d // GHASH block 4k+3 - low + aese v2.16b, v22.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 4 + mov d6, v7.d[1] // GHASH block 4k+3 - mid + aese v1.16b, v22.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 4 + pmull2 v8.1q, v8.2d, v16.2d // GHASH block 4k+2 - mid + aese v2.16b, v23.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 5 + eor v6.8b, v6.8b, v7.8b // GHASH block 4k+3 - mid + aese v1.16b, v23.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 5 + aese v3.16b, v24.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 6 + eor v10.16b, v10.16b, v8.16b // GHASH block 4k+2 - mid + aese v2.16b, v24.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 6 + aese v0.16b, v24.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 6 + movi v8.8b, #0xc2 + aese v1.16b, v24.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 6 + eor v11.16b, v11.16b, v4.16b // GHASH block 4k+3 - low + pmull v6.1q, v6.1d, v16.1d // GHASH block 4k+3 - mid + aese v3.16b, v25.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 7 + cmp x17, #12 // setup flags for AES-128/192/256 check + eor v9.16b, v9.16b, v5.16b // GHASH block 4k+3 - high + aese v1.16b, v25.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 7 + aese v0.16b, v25.16b + aesmc v0.16b, v0.16b // 
AES block 4k+4 - round 7 + eor v10.16b, v10.16b, v6.16b // GHASH block 4k+3 - mid + aese v3.16b, v26.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 8 + aese v2.16b, v25.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 7 + eor v6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up + aese v1.16b, v26.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 8 + aese v0.16b, v26.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 8 + shl d8, d8, #56 // mod_constant + aese v2.16b, v26.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 8 + b.lt Ldec_finish_prepretail // branch if AES-128 + + aese v1.16b, v27.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 9 + aese v2.16b, v27.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 9 + aese v3.16b, v27.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 9 + aese v0.16b, v27.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 9 + aese v2.16b, v28.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 10 + aese v3.16b, v28.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 10 + aese v0.16b, v28.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 10 + aese v1.16b, v28.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 10 + b.eq Ldec_finish_prepretail // branch if AES-192 + + aese v2.16b, v29.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 11 + aese v0.16b, v29.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 11 + aese v1.16b, v29.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 11 + aese v2.16b, v30.16b + aesmc v2.16b, v2.16b // AES block 4k+6 - round 12 + aese v3.16b, v29.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 11 + aese v1.16b, v30.16b + aesmc v1.16b, v1.16b // AES block 4k+5 - round 12 + aese v0.16b, v30.16b + aesmc v0.16b, v0.16b // AES block 4k+4 - round 12 + aese v3.16b, v30.16b + aesmc v3.16b, v3.16b // AES block 4k+7 - round 12 + +Ldec_finish_prepretail: + eor v10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up + pmull v7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid 
+ ext v9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment + eor v10.16b, v10.16b, v7.16b // MODULO - fold into mid + eor x22, x22, x14 // AES block 4k+2 - round N high + eor x23, x23, x13 // AES block 4k+3 - round N low + eor v10.16b, v10.16b, v9.16b // MODULO - fold into mid + add w12, w12, #1 // CTR block 4k+7 + eor x21, x21, x13 // AES block 4k+2 - round N low + pmull v8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low + eor x24, x24, x14 // AES block 4k+3 - round N high + stp x21, x22, [x2], #16 // AES block 4k+2 - store result + ext v10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment + stp x23, x24, [x2], #16 // AES block 4k+3 - store result + + eor v11.16b, v11.16b, v8.16b // MODULO - fold into low + aese v1.16b, v31.16b // AES block 4k+5 - round N-1 + aese v0.16b, v31.16b // AES block 4k+4 - round N-1 + aese v3.16b, v31.16b // AES block 4k+7 - round N-1 + aese v2.16b, v31.16b // AES block 4k+6 - round N-1 + eor v11.16b, v11.16b, v10.16b // MODULO - fold into low + +Ldec_tail: // TAIL + sub x5, x4, x0 // main_end_input_ptr is number of bytes left to process + ld1 { v5.16b}, [x0], #16 // AES block 4k+4 - load ciphertext + eor v0.16b, v5.16b, v0.16b // AES block 4k+4 - result + mov x6, v0.d[0] // AES block 4k+4 - mov low + mov x7, v0.d[1] // AES block 4k+4 - mov high + ext v8.16b, v11.16b, v11.16b, #8 // prepare final partial tag + cmp x5, #48 + eor x6, x6, x13 // AES block 4k+4 - round N low + eor x7, x7, x14 // AES block 4k+4 - round N high + b.gt Ldec_blocks_more_than_3 + sub w12, w12, #1 + mov v3.16b, v2.16b + movi v10.8b, #0 + movi v11.8b, #0 + cmp x5, #32 + movi v9.8b, #0 + mov v2.16b, v1.16b + b.gt Ldec_blocks_more_than_2 + sub w12, w12, #1 + mov v3.16b, v1.16b + cmp x5, #16 + b.gt Ldec_blocks_more_than_1 + sub w12, w12, #1 + b Ldec_blocks_less_than_1 +Ldec_blocks_more_than_3: // blocks left > 3 + rev64 v4.16b, v5.16b // GHASH final-3 block + ld1 { v5.16b}, [x0], #16 // AES final-2 block - load ciphertext + stp x6, x7, [x2], #16 // 
AES final-3 block - store result + mov d10, v17.d[1] // GHASH final-3 block - mid + eor v4.16b, v4.16b, v8.16b // feed in partial tag + eor v0.16b, v5.16b, v1.16b // AES final-2 block - result + mov d22, v4.d[1] // GHASH final-3 block - mid + mov x6, v0.d[0] // AES final-2 block - mov low + mov x7, v0.d[1] // AES final-2 block - mov high + eor v22.8b, v22.8b, v4.8b // GHASH final-3 block - mid + movi v8.8b, #0 // suppress further partial tag feed in + pmull2 v9.1q, v4.2d, v15.2d // GHASH final-3 block - high + pmull v10.1q, v22.1d, v10.1d // GHASH final-3 block - mid + eor x6, x6, x13 // AES final-2 block - round N low + pmull v11.1q, v4.1d, v15.1d // GHASH final-3 block - low + eor x7, x7, x14 // AES final-2 block - round N high +Ldec_blocks_more_than_2: // blocks left > 2 + rev64 v4.16b, v5.16b // GHASH final-2 block + ld1 { v5.16b}, [x0], #16 // AES final-1 block - load ciphertext + eor v4.16b, v4.16b, v8.16b // feed in partial tag + stp x6, x7, [x2], #16 // AES final-2 block - store result + eor v0.16b, v5.16b, v2.16b // AES final-1 block - result + mov d22, v4.d[1] // GHASH final-2 block - mid + pmull v21.1q, v4.1d, v14.1d // GHASH final-2 block - low + pmull2 v20.1q, v4.2d, v14.2d // GHASH final-2 block - high + eor v22.8b, v22.8b, v4.8b // GHASH final-2 block - mid + mov x6, v0.d[0] // AES final-1 block - mov low + mov x7, v0.d[1] // AES final-1 block - mov high + eor v11.16b, v11.16b, v21.16b // GHASH final-2 block - low + movi v8.8b, #0 // suppress further partial tag feed in + pmull v22.1q, v22.1d, v17.1d // GHASH final-2 block - mid + eor v9.16b, v9.16b, v20.16b // GHASH final-2 block - high + eor x6, x6, x13 // AES final-1 block - round N low + eor v10.16b, v10.16b, v22.16b // GHASH final-2 block - mid + eor x7, x7, x14 // AES final-1 block - round N high +Ldec_blocks_more_than_1: // blocks left > 1 + stp x6, x7, [x2], #16 // AES final-1 block - store result + rev64 v4.16b, v5.16b // GHASH final-1 block + ld1 { v5.16b}, [x0], #16 // AES final block - 
load ciphertext + eor v4.16b, v4.16b, v8.16b // feed in partial tag + movi v8.8b, #0 // suppress further partial tag feed in + mov d22, v4.d[1] // GHASH final-1 block - mid + eor v0.16b, v5.16b, v3.16b // AES final block - result + pmull2 v20.1q, v4.2d, v13.2d // GHASH final-1 block - high + eor v22.8b, v22.8b, v4.8b // GHASH final-1 block - mid + pmull v21.1q, v4.1d, v13.1d // GHASH final-1 block - low + mov x6, v0.d[0] // AES final block - mov low + ins v22.d[1], v22.d[0] // GHASH final-1 block - mid + mov x7, v0.d[1] // AES final block - mov high + pmull2 v22.1q, v22.2d, v16.2d // GHASH final-1 block - mid + eor x6, x6, x13 // AES final block - round N low + eor v11.16b, v11.16b, v21.16b // GHASH final-1 block - low + eor v9.16b, v9.16b, v20.16b // GHASH final-1 block - high + eor v10.16b, v10.16b, v22.16b // GHASH final-1 block - mid + eor x7, x7, x14 // AES final block - round N high +Ldec_blocks_less_than_1: // blocks left <= 1 + and x1, x1, #127 // bit_length %= 128 + mvn x14, xzr // rkN_h = 0xffffffffffffffff + sub x1, x1, #128 // bit_length -= 128 + mvn x13, xzr // rkN_l = 0xffffffffffffffff + ldp x4, x5, [x2] // load existing bytes we need to not overwrite + neg x1, x1 // bit_length = 128 - #bits in input (in range [1,128]) + and x1, x1, #127 // bit_length %= 128 + lsr x14, x14, x1 // rkN_h is mask for top 64b of last block + cmp x1, #64 + csel x9, x13, x14, lt + csel x10, x14, xzr, lt + fmov d0, x9 // ctr0b is mask for last block + and x6, x6, x9 + mov v0.d[1], x10 + bic x4, x4, x9 // mask out low existing bytes + rev w9, w12 + bic x5, x5, x10 // mask out high existing bytes + orr x6, x6, x4 + and x7, x7, x10 + orr x7, x7, x5 + and v5.16b, v5.16b, v0.16b // possibly partial last block has zeroes in highest bits + rev64 v4.16b, v5.16b // GHASH final block + eor v4.16b, v4.16b, v8.16b // feed in partial tag + pmull v21.1q, v4.1d, v12.1d // GHASH final block - low + mov d8, v4.d[1] // GHASH final block - mid + eor v8.8b, v8.8b, v4.8b // GHASH final block - 
mid + pmull2 v20.1q, v4.2d, v12.2d // GHASH final block - high + pmull v8.1q, v8.1d, v16.1d // GHASH final block - mid + eor v9.16b, v9.16b, v20.16b // GHASH final block - high + eor v11.16b, v11.16b, v21.16b // GHASH final block - low + eor v10.16b, v10.16b, v8.16b // GHASH final block - mid + movi v8.8b, #0xc2 + eor v6.16b, v11.16b, v9.16b // MODULO - karatsuba tidy up + shl d8, d8, #56 // mod_constant + eor v10.16b, v10.16b, v6.16b // MODULO - karatsuba tidy up + pmull v7.1q, v9.1d, v8.1d // MODULO - top 64b align with mid + ext v9.16b, v9.16b, v9.16b, #8 // MODULO - other top alignment + eor v10.16b, v10.16b, v7.16b // MODULO - fold into mid + eor v10.16b, v10.16b, v9.16b // MODULO - fold into mid + pmull v8.1q, v10.1d, v8.1d // MODULO - mid 64b align with low + ext v10.16b, v10.16b, v10.16b, #8 // MODULO - other mid alignment + eor v11.16b, v11.16b, v8.16b // MODULO - fold into low + stp x6, x7, [x2] + str w9, [x16, #12] // store the updated counter + eor v11.16b, v11.16b, v10.16b // MODULO - fold into low + ext v11.16b, v11.16b, v11.16b, #8 + rev64 v11.16b, v11.16b + mov x0, x15 + st1 { v11.16b }, [x3] + ldp x19, x20, [sp, #16] + ldp x21, x22, [sp, #32] + ldp x23, x24, [sp, #48] + ldp d8, d9, [sp, #64] + ldp d10, d11, [sp, #80] + ldp d12, d13, [sp, #96] + ldp d14, d15, [sp, #112] + ldp x29, x30, [sp], #128 + AARCH64_VALIDATE_LINK_REGISTER + ret + +#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv4-mont-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/armv4-mont-linux.S similarity index 96% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/armv4-mont-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/armv4-mont-linux.S index cdb2aaf86..0375e0118 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv4-mont-linux.linux.arm.S 
+++ b/Sources/CNIOBoringSSL/gen/bcm/armv4-mont-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -20,38 +19,14 @@ .code 32 #endif -#if __ARM_MAX_ARCH__>=7 -.align 5 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lbn_mul_mont -#endif - -.globl bn_mul_mont -.hidden bn_mul_mont -.type bn_mul_mont,%function +.globl bn_mul_mont_nohw +.hidden bn_mul_mont_nohw +.type bn_mul_mont_nohw,%function .align 5 -bn_mul_mont: -.Lbn_mul_mont: +bn_mul_mont_nohw: ldr ip,[sp,#4] @ load num stmdb sp!,{r0,r2} @ sp points at argument block -#if __ARM_MAX_ARCH__>=7 - tst ip,#7 - bne .Lialu - adr r0,.Lbn_mul_mont - ldr r2,.LOPENSSL_armcap - ldr r0,[r0,r2] -#ifdef __APPLE__ - ldr r0,[r0] -#endif - tst r0,#ARMV7_NEON @ NEON available? - ldmia sp, {r0,r2} - beq .Lialu - add sp,sp,#8 - b bn_mul8x_mont_neon -.align 4 -.Lialu: -#endif cmp ip,#2 mov r0,ip @ load num #ifdef __thumb2__ @@ -202,11 +177,13 @@ bn_mul_mont: moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size bn_mul_mont,.-bn_mul_mont +.size bn_mul_mont_nohw,.-bn_mul_mont_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon +.globl bn_mul8x_mont_neon +.hidden bn_mul8x_mont_neon .type bn_mul8x_mont_neon,%function .align 5 bn_mul8x_mont_neon: 
@@ -960,13 +937,7 @@ bn_mul8x_mont_neon: #endif .byte 77,111,110,116,103,111,109,101,114,121,32,109,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 -.align 2 -#if __ARM_MAX_ARCH__>=7 -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P -#endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/armv8-mont-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/armv8-mont-apple.S index cdc217e92..596b5c92f 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv8-mont-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/armv8-mont-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1425,7 +1424,6 @@ Lmul4x_done: .align 2 .align 4 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/armv8-mont-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/armv8-mont-linux.S index 4911d7707..6c2361e30 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/armv8-mont-linux.linux.aarch64.S 
+++ b/Sources/CNIOBoringSSL/gen/bcm/armv8-mont-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1425,7 +1424,6 @@ __bn_mul4x_mont: .align 2 .align 4 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/armv8-mont-win.S b/Sources/CNIOBoringSSL/gen/bcm/armv8-mont-win.S new file mode 100644 index 000000000..24117ab5e --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/armv8-mont-win.S 
@@ -0,0 +1,1436 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +.text + +.globl bn_mul_mont + +.def bn_mul_mont + .type 32 +.endef +.align 5 +bn_mul_mont: + AARCH64_SIGN_LINK_REGISTER + tst x5,#7 + b.eq __bn_sqr8x_mont + tst x5,#3 + b.eq __bn_mul4x_mont +Lmul_mont: + stp x29,x30,[sp,#-64]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + ldr x9,[x2],#8 // bp[0] + sub x22,sp,x5,lsl#3 + ldp x7,x8,[x1],#16 // ap[0..1] + lsl x5,x5,#3 + ldr x4,[x4] // *n0 + and x22,x22,#-16 // ABI says so + ldp x13,x14,[x3],#16 // np[0..1] + + mul x6,x7,x9 // ap[0]*bp[0] + sub x21,x5,#16 // j=num-2 + umulh x7,x7,x9 + mul x10,x8,x9 // ap[1]*bp[0] + umulh x11,x8,x9 + + mul x15,x6,x4 // "tp[0]"*n0 + mov sp,x22 // alloca + + // (*) mul x12,x13,x15 // np[0]*m1 + umulh x13,x13,x15 + mul x16,x14,x15 // np[1]*m1 + // (*) adds x12,x12,x6 // discarded + // (*) As for removal of first multiplication and addition + // instructions. The outcome of first addition is + // guaranteed to be zero, which leaves two computationally + // significant outcomes: it either carries or not. Then + // question is when does it carry? Is there alternative + // way to deduce it? If you follow operations, you can + // observe that condition for carry is quite simple: + // x6 being non-zero. So that carry can be calculated + // by adding -1 to x6. That's what next instruction does. 
+ subs xzr,x6,#1 // (*) + umulh x17,x14,x15 + adc x13,x13,xzr + cbz x21,L1st_skip + +L1st: + ldr x8,[x1],#8 + adds x6,x10,x7 + sub x21,x21,#8 // j-- + adc x7,x11,xzr + + ldr x14,[x3],#8 + adds x12,x16,x13 + mul x10,x8,x9 // ap[j]*bp[0] + adc x13,x17,xzr + umulh x11,x8,x9 + + adds x12,x12,x6 + mul x16,x14,x15 // np[j]*m1 + adc x13,x13,xzr + umulh x17,x14,x15 + str x12,[x22],#8 // tp[j-1] + cbnz x21,L1st + +L1st_skip: + adds x6,x10,x7 + sub x1,x1,x5 // rewind x1 + adc x7,x11,xzr + + adds x12,x16,x13 + sub x3,x3,x5 // rewind x3 + adc x13,x17,xzr + + adds x12,x12,x6 + sub x20,x5,#8 // i=num-1 + adcs x13,x13,x7 + + adc x19,xzr,xzr // upmost overflow bit + stp x12,x13,[x22] + +Louter: + ldr x9,[x2],#8 // bp[i] + ldp x7,x8,[x1],#16 + ldr x23,[sp] // tp[0] + add x22,sp,#8 + + mul x6,x7,x9 // ap[0]*bp[i] + sub x21,x5,#16 // j=num-2 + umulh x7,x7,x9 + ldp x13,x14,[x3],#16 + mul x10,x8,x9 // ap[1]*bp[i] + adds x6,x6,x23 + umulh x11,x8,x9 + adc x7,x7,xzr + + mul x15,x6,x4 + sub x20,x20,#8 // i-- + + // (*) mul x12,x13,x15 // np[0]*m1 + umulh x13,x13,x15 + mul x16,x14,x15 // np[1]*m1 + // (*) adds x12,x12,x6 + subs xzr,x6,#1 // (*) + umulh x17,x14,x15 + cbz x21,Linner_skip + +Linner: + ldr x8,[x1],#8 + adc x13,x13,xzr + ldr x23,[x22],#8 // tp[j] + adds x6,x10,x7 + sub x21,x21,#8 // j-- + adc x7,x11,xzr + + adds x12,x16,x13 + ldr x14,[x3],#8 + adc x13,x17,xzr + + mul x10,x8,x9 // ap[j]*bp[i] + adds x6,x6,x23 + umulh x11,x8,x9 + adc x7,x7,xzr + + mul x16,x14,x15 // np[j]*m1 + adds x12,x12,x6 + umulh x17,x14,x15 + str x12,[x22,#-16] // tp[j-1] + cbnz x21,Linner + +Linner_skip: + ldr x23,[x22],#8 // tp[j] + adc x13,x13,xzr + adds x6,x10,x7 + sub x1,x1,x5 // rewind x1 + adc x7,x11,xzr + + adds x12,x16,x13 + sub x3,x3,x5 // rewind x3 + adcs x13,x17,x19 + adc x19,xzr,xzr + + adds x6,x6,x23 + adc x7,x7,xzr + + adds x12,x12,x6 + adcs x13,x13,x7 + adc x19,x19,xzr // upmost overflow bit + stp x12,x13,[x22,#-16] + + cbnz x20,Louter + + // Final step. 
We see if result is larger than modulus, and + // if it is, subtract the modulus. But comparison implies + // subtraction. So we subtract modulus, see if it borrowed, + // and conditionally copy original value. + ldr x23,[sp] // tp[0] + add x22,sp,#8 + ldr x14,[x3],#8 // np[0] + subs x21,x5,#8 // j=num-1 and clear borrow + mov x1,x0 +Lsub: + sbcs x8,x23,x14 // tp[j]-np[j] + ldr x23,[x22],#8 + sub x21,x21,#8 // j-- + ldr x14,[x3],#8 + str x8,[x1],#8 // rp[j]=tp[j]-np[j] + cbnz x21,Lsub + + sbcs x8,x23,x14 + sbcs x19,x19,xzr // did it borrow? + str x8,[x1],#8 // rp[num-1] + + ldr x23,[sp] // tp[0] + add x22,sp,#8 + ldr x8,[x0],#8 // rp[0] + sub x5,x5,#8 // num-- + nop +Lcond_copy: + sub x5,x5,#8 // num-- + csel x14,x23,x8,lo // did it borrow? + ldr x23,[x22],#8 + ldr x8,[x0],#8 + str xzr,[x22,#-16] // wipe tp + str x14,[x0,#-16] + cbnz x5,Lcond_copy + + csel x14,x23,x8,lo + str xzr,[x22,#-8] // wipe tp + str x14,[x0,#-8] + + ldp x19,x20,[x29,#16] + mov sp,x29 + ldp x21,x22,[x29,#32] + mov x0,#1 + ldp x23,x24,[x29,#48] + ldr x29,[sp],#64 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.def __bn_sqr8x_mont + .type 32 +.endef +.align 5 +__bn_sqr8x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to + // only from bn_mul_mont which has already signed the return address. + cmp x1,x2 + b.ne __bn_mul4x_mont +Lsqr8x_mont: + stp x29,x30,[sp,#-128]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + stp x0,x3,[sp,#96] // offload rp and np + + ldp x6,x7,[x1,#8*0] + ldp x8,x9,[x1,#8*2] + ldp x10,x11,[x1,#8*4] + ldp x12,x13,[x1,#8*6] + + sub x2,sp,x5,lsl#4 + lsl x5,x5,#3 + ldr x4,[x4] // *n0 + mov sp,x2 // alloca + sub x27,x5,#8*8 + b Lsqr8x_zero_start + +Lsqr8x_zero: + sub x27,x27,#8*8 + stp xzr,xzr,[x2,#8*0] + stp xzr,xzr,[x2,#8*2] + stp xzr,xzr,[x2,#8*4] + stp xzr,xzr,[x2,#8*6] +Lsqr8x_zero_start: + stp xzr,xzr,[x2,#8*8] + stp xzr,xzr,[x2,#8*10] + stp xzr,xzr,[x2,#8*12] + stp xzr,xzr,[x2,#8*14] + add x2,x2,#8*16 + cbnz x27,Lsqr8x_zero + + add x3,x1,x5 + add x1,x1,#8*8 + mov x19,xzr + mov x20,xzr + mov x21,xzr + mov x22,xzr + mov x23,xzr + mov x24,xzr + mov x25,xzr + mov x26,xzr + mov x2,sp + str x4,[x29,#112] // offload n0 + + // Multiply everything but a[i]*a[i] +.align 4 +Lsqr8x_outer_loop: + // a[1]a[0] (i) + // a[2]a[0] + // a[3]a[0] + // a[4]a[0] + // a[5]a[0] + // a[6]a[0] + // a[7]a[0] + // a[2]a[1] (ii) + // a[3]a[1] + // a[4]a[1] + // a[5]a[1] + // a[6]a[1] + // a[7]a[1] + // a[3]a[2] (iii) + // a[4]a[2] + // a[5]a[2] + // a[6]a[2] + // a[7]a[2] + // a[4]a[3] (iv) + // a[5]a[3] + // a[6]a[3] + // a[7]a[3] + // a[5]a[4] (v) + // a[6]a[4] + // a[7]a[4] + // a[6]a[5] (vi) + // a[7]a[5] + // a[7]a[6] (vii) + + mul x14,x7,x6 // lo(a[1..7]*a[0]) (i) + mul x15,x8,x6 + mul x16,x9,x6 + mul x17,x10,x6 + adds x20,x20,x14 // t[1]+lo(a[1]*a[0]) + mul x14,x11,x6 + adcs x21,x21,x15 + mul x15,x12,x6 + adcs x22,x22,x16 + mul x16,x13,x6 + adcs x23,x23,x17 + umulh x17,x7,x6 // hi(a[1..7]*a[0]) + adcs x24,x24,x14 + umulh x14,x8,x6 + adcs x25,x25,x15 + umulh x15,x9,x6 + adcs x26,x26,x16 + umulh x16,x10,x6 + stp x19,x20,[x2],#8*2 // t[0..1] + adc x19,xzr,xzr // t[8] + adds x21,x21,x17 // t[2]+lo(a[1]*a[0]) + umulh x17,x11,x6 + adcs x22,x22,x14 + umulh x14,x12,x6 + adcs x23,x23,x15 + umulh x15,x13,x6 + adcs x24,x24,x16 + mul x16,x8,x7 // 
lo(a[2..7]*a[1]) (ii) + adcs x25,x25,x17 + mul x17,x9,x7 + adcs x26,x26,x14 + mul x14,x10,x7 + adc x19,x19,x15 + + mul x15,x11,x7 + adds x22,x22,x16 + mul x16,x12,x7 + adcs x23,x23,x17 + mul x17,x13,x7 + adcs x24,x24,x14 + umulh x14,x8,x7 // hi(a[2..7]*a[1]) + adcs x25,x25,x15 + umulh x15,x9,x7 + adcs x26,x26,x16 + umulh x16,x10,x7 + adcs x19,x19,x17 + umulh x17,x11,x7 + stp x21,x22,[x2],#8*2 // t[2..3] + adc x20,xzr,xzr // t[9] + adds x23,x23,x14 + umulh x14,x12,x7 + adcs x24,x24,x15 + umulh x15,x13,x7 + adcs x25,x25,x16 + mul x16,x9,x8 // lo(a[3..7]*a[2]) (iii) + adcs x26,x26,x17 + mul x17,x10,x8 + adcs x19,x19,x14 + mul x14,x11,x8 + adc x20,x20,x15 + + mul x15,x12,x8 + adds x24,x24,x16 + mul x16,x13,x8 + adcs x25,x25,x17 + umulh x17,x9,x8 // hi(a[3..7]*a[2]) + adcs x26,x26,x14 + umulh x14,x10,x8 + adcs x19,x19,x15 + umulh x15,x11,x8 + adcs x20,x20,x16 + umulh x16,x12,x8 + stp x23,x24,[x2],#8*2 // t[4..5] + adc x21,xzr,xzr // t[10] + adds x25,x25,x17 + umulh x17,x13,x8 + adcs x26,x26,x14 + mul x14,x10,x9 // lo(a[4..7]*a[3]) (iv) + adcs x19,x19,x15 + mul x15,x11,x9 + adcs x20,x20,x16 + mul x16,x12,x9 + adc x21,x21,x17 + + mul x17,x13,x9 + adds x26,x26,x14 + umulh x14,x10,x9 // hi(a[4..7]*a[3]) + adcs x19,x19,x15 + umulh x15,x11,x9 + adcs x20,x20,x16 + umulh x16,x12,x9 + adcs x21,x21,x17 + umulh x17,x13,x9 + stp x25,x26,[x2],#8*2 // t[6..7] + adc x22,xzr,xzr // t[11] + adds x19,x19,x14 + mul x14,x11,x10 // lo(a[5..7]*a[4]) (v) + adcs x20,x20,x15 + mul x15,x12,x10 + adcs x21,x21,x16 + mul x16,x13,x10 + adc x22,x22,x17 + + umulh x17,x11,x10 // hi(a[5..7]*a[4]) + adds x20,x20,x14 + umulh x14,x12,x10 + adcs x21,x21,x15 + umulh x15,x13,x10 + adcs x22,x22,x16 + mul x16,x12,x11 // lo(a[6..7]*a[5]) (vi) + adc x23,xzr,xzr // t[12] + adds x21,x21,x17 + mul x17,x13,x11 + adcs x22,x22,x14 + umulh x14,x12,x11 // hi(a[6..7]*a[5]) + adc x23,x23,x15 + + umulh x15,x13,x11 + adds x22,x22,x16 + mul x16,x13,x12 // lo(a[7]*a[6]) (vii) + adcs x23,x23,x17 + umulh x17,x13,x12 // 
hi(a[7]*a[6]) + adc x24,xzr,xzr // t[13] + adds x23,x23,x14 + sub x27,x3,x1 // done yet? + adc x24,x24,x15 + + adds x24,x24,x16 + sub x14,x3,x5 // rewinded ap + adc x25,xzr,xzr // t[14] + add x25,x25,x17 + + cbz x27,Lsqr8x_outer_break + + mov x4,x6 + ldp x6,x7,[x2,#8*0] + ldp x8,x9,[x2,#8*2] + ldp x10,x11,[x2,#8*4] + ldp x12,x13,[x2,#8*6] + adds x19,x19,x6 + adcs x20,x20,x7 + ldp x6,x7,[x1,#8*0] + adcs x21,x21,x8 + adcs x22,x22,x9 + ldp x8,x9,[x1,#8*2] + adcs x23,x23,x10 + adcs x24,x24,x11 + ldp x10,x11,[x1,#8*4] + adcs x25,x25,x12 + mov x0,x1 + adcs x26,xzr,x13 + ldp x12,x13,[x1,#8*6] + add x1,x1,#8*8 + //adc x28,xzr,xzr // moved below + mov x27,#-8*8 + + // a[8]a[0] + // a[9]a[0] + // a[a]a[0] + // a[b]a[0] + // a[c]a[0] + // a[d]a[0] + // a[e]a[0] + // a[f]a[0] + // a[8]a[1] + // a[f]a[1]........................ + // a[8]a[2] + // a[f]a[2]........................ + // a[8]a[3] + // a[f]a[3]........................ + // a[8]a[4] + // a[f]a[4]........................ + // a[8]a[5] + // a[f]a[5]........................ + // a[8]a[6] + // a[f]a[6]........................ + // a[8]a[7] + // a[f]a[7]........................ 
+Lsqr8x_mul: + mul x14,x6,x4 + adc x28,xzr,xzr // carry bit, modulo-scheduled + mul x15,x7,x4 + add x27,x27,#8 + mul x16,x8,x4 + mul x17,x9,x4 + adds x19,x19,x14 + mul x14,x10,x4 + adcs x20,x20,x15 + mul x15,x11,x4 + adcs x21,x21,x16 + mul x16,x12,x4 + adcs x22,x22,x17 + mul x17,x13,x4 + adcs x23,x23,x14 + umulh x14,x6,x4 + adcs x24,x24,x15 + umulh x15,x7,x4 + adcs x25,x25,x16 + umulh x16,x8,x4 + adcs x26,x26,x17 + umulh x17,x9,x4 + adc x28,x28,xzr + str x19,[x2],#8 + adds x19,x20,x14 + umulh x14,x10,x4 + adcs x20,x21,x15 + umulh x15,x11,x4 + adcs x21,x22,x16 + umulh x16,x12,x4 + adcs x22,x23,x17 + umulh x17,x13,x4 + ldr x4,[x0,x27] + adcs x23,x24,x14 + adcs x24,x25,x15 + adcs x25,x26,x16 + adcs x26,x28,x17 + //adc x28,xzr,xzr // moved above + cbnz x27,Lsqr8x_mul + // note that carry flag is guaranteed + // to be zero at this point + cmp x1,x3 // done yet? + b.eq Lsqr8x_break + + ldp x6,x7,[x2,#8*0] + ldp x8,x9,[x2,#8*2] + ldp x10,x11,[x2,#8*4] + ldp x12,x13,[x2,#8*6] + adds x19,x19,x6 + ldr x4,[x0,#-8*8] + adcs x20,x20,x7 + ldp x6,x7,[x1,#8*0] + adcs x21,x21,x8 + adcs x22,x22,x9 + ldp x8,x9,[x1,#8*2] + adcs x23,x23,x10 + adcs x24,x24,x11 + ldp x10,x11,[x1,#8*4] + adcs x25,x25,x12 + mov x27,#-8*8 + adcs x26,x26,x13 + ldp x12,x13,[x1,#8*6] + add x1,x1,#8*8 + //adc x28,xzr,xzr // moved above + b Lsqr8x_mul + +.align 4 +Lsqr8x_break: + ldp x6,x7,[x0,#8*0] + add x1,x0,#8*8 + ldp x8,x9,[x0,#8*2] + sub x14,x3,x1 // is it last iteration? 
+ ldp x10,x11,[x0,#8*4] + sub x15,x2,x14 + ldp x12,x13,[x0,#8*6] + cbz x14,Lsqr8x_outer_loop + + stp x19,x20,[x2,#8*0] + ldp x19,x20,[x15,#8*0] + stp x21,x22,[x2,#8*2] + ldp x21,x22,[x15,#8*2] + stp x23,x24,[x2,#8*4] + ldp x23,x24,[x15,#8*4] + stp x25,x26,[x2,#8*6] + mov x2,x15 + ldp x25,x26,[x15,#8*6] + b Lsqr8x_outer_loop + +.align 4 +Lsqr8x_outer_break: + // Now multiply above result by 2 and add a[n-1]*a[n-1]|...|a[0]*a[0] + ldp x7,x9,[x14,#8*0] // recall that x14 is &a[0] + ldp x15,x16,[sp,#8*1] + ldp x11,x13,[x14,#8*2] + add x1,x14,#8*4 + ldp x17,x14,[sp,#8*3] + + stp x19,x20,[x2,#8*0] + mul x19,x7,x7 + stp x21,x22,[x2,#8*2] + umulh x7,x7,x7 + stp x23,x24,[x2,#8*4] + mul x8,x9,x9 + stp x25,x26,[x2,#8*6] + mov x2,sp + umulh x9,x9,x9 + adds x20,x7,x15,lsl#1 + extr x15,x16,x15,#63 + sub x27,x5,#8*4 + +Lsqr4x_shift_n_add: + adcs x21,x8,x15 + extr x16,x17,x16,#63 + sub x27,x27,#8*4 + adcs x22,x9,x16 + ldp x15,x16,[x2,#8*5] + mul x10,x11,x11 + ldp x7,x9,[x1],#8*2 + umulh x11,x11,x11 + mul x12,x13,x13 + umulh x13,x13,x13 + extr x17,x14,x17,#63 + stp x19,x20,[x2,#8*0] + adcs x23,x10,x17 + extr x14,x15,x14,#63 + stp x21,x22,[x2,#8*2] + adcs x24,x11,x14 + ldp x17,x14,[x2,#8*7] + extr x15,x16,x15,#63 + adcs x25,x12,x15 + extr x16,x17,x16,#63 + adcs x26,x13,x16 + ldp x15,x16,[x2,#8*9] + mul x6,x7,x7 + ldp x11,x13,[x1],#8*2 + umulh x7,x7,x7 + mul x8,x9,x9 + umulh x9,x9,x9 + stp x23,x24,[x2,#8*4] + extr x17,x14,x17,#63 + stp x25,x26,[x2,#8*6] + add x2,x2,#8*8 + adcs x19,x6,x17 + extr x14,x15,x14,#63 + adcs x20,x7,x14 + ldp x17,x14,[x2,#8*3] + extr x15,x16,x15,#63 + cbnz x27,Lsqr4x_shift_n_add + ldp x1,x4,[x29,#104] // pull np and n0 + + adcs x21,x8,x15 + extr x16,x17,x16,#63 + adcs x22,x9,x16 + ldp x15,x16,[x2,#8*5] + mul x10,x11,x11 + umulh x11,x11,x11 + stp x19,x20,[x2,#8*0] + mul x12,x13,x13 + umulh x13,x13,x13 + stp x21,x22,[x2,#8*2] + extr x17,x14,x17,#63 + adcs x23,x10,x17 + extr x14,x15,x14,#63 + ldp x19,x20,[sp,#8*0] + adcs x24,x11,x14 + extr x15,x16,x15,#63 + ldp 
x6,x7,[x1,#8*0] + adcs x25,x12,x15 + extr x16,xzr,x16,#63 + ldp x8,x9,[x1,#8*2] + adc x26,x13,x16 + ldp x10,x11,[x1,#8*4] + + // Reduce by 512 bits per iteration + mul x28,x4,x19 // t[0]*n0 + ldp x12,x13,[x1,#8*6] + add x3,x1,x5 + ldp x21,x22,[sp,#8*2] + stp x23,x24,[x2,#8*4] + ldp x23,x24,[sp,#8*4] + stp x25,x26,[x2,#8*6] + ldp x25,x26,[sp,#8*6] + add x1,x1,#8*8 + mov x30,xzr // initial top-most carry + mov x2,sp + mov x27,#8 + +Lsqr8x_reduction: + // (*) mul x14,x6,x28 // lo(n[0-7])*lo(t[0]*n0) + mul x15,x7,x28 + sub x27,x27,#1 + mul x16,x8,x28 + str x28,[x2],#8 // put aside t[0]*n0 for tail processing + mul x17,x9,x28 + // (*) adds xzr,x19,x14 + subs xzr,x19,#1 // (*) + mul x14,x10,x28 + adcs x19,x20,x15 + mul x15,x11,x28 + adcs x20,x21,x16 + mul x16,x12,x28 + adcs x21,x22,x17 + mul x17,x13,x28 + adcs x22,x23,x14 + umulh x14,x6,x28 // hi(n[0-7])*lo(t[0]*n0) + adcs x23,x24,x15 + umulh x15,x7,x28 + adcs x24,x25,x16 + umulh x16,x8,x28 + adcs x25,x26,x17 + umulh x17,x9,x28 + adc x26,xzr,xzr + adds x19,x19,x14 + umulh x14,x10,x28 + adcs x20,x20,x15 + umulh x15,x11,x28 + adcs x21,x21,x16 + umulh x16,x12,x28 + adcs x22,x22,x17 + umulh x17,x13,x28 + mul x28,x4,x19 // next t[0]*n0 + adcs x23,x23,x14 + adcs x24,x24,x15 + adcs x25,x25,x16 + adc x26,x26,x17 + cbnz x27,Lsqr8x_reduction + + ldp x14,x15,[x2,#8*0] + ldp x16,x17,[x2,#8*2] + mov x0,x2 + sub x27,x3,x1 // done yet? 
+ adds x19,x19,x14 + adcs x20,x20,x15 + ldp x14,x15,[x2,#8*4] + adcs x21,x21,x16 + adcs x22,x22,x17 + ldp x16,x17,[x2,#8*6] + adcs x23,x23,x14 + adcs x24,x24,x15 + adcs x25,x25,x16 + adcs x26,x26,x17 + //adc x28,xzr,xzr // moved below + cbz x27,Lsqr8x8_post_condition + + ldr x4,[x2,#-8*8] + ldp x6,x7,[x1,#8*0] + ldp x8,x9,[x1,#8*2] + ldp x10,x11,[x1,#8*4] + mov x27,#-8*8 + ldp x12,x13,[x1,#8*6] + add x1,x1,#8*8 + +Lsqr8x_tail: + mul x14,x6,x4 + adc x28,xzr,xzr // carry bit, modulo-scheduled + mul x15,x7,x4 + add x27,x27,#8 + mul x16,x8,x4 + mul x17,x9,x4 + adds x19,x19,x14 + mul x14,x10,x4 + adcs x20,x20,x15 + mul x15,x11,x4 + adcs x21,x21,x16 + mul x16,x12,x4 + adcs x22,x22,x17 + mul x17,x13,x4 + adcs x23,x23,x14 + umulh x14,x6,x4 + adcs x24,x24,x15 + umulh x15,x7,x4 + adcs x25,x25,x16 + umulh x16,x8,x4 + adcs x26,x26,x17 + umulh x17,x9,x4 + adc x28,x28,xzr + str x19,[x2],#8 + adds x19,x20,x14 + umulh x14,x10,x4 + adcs x20,x21,x15 + umulh x15,x11,x4 + adcs x21,x22,x16 + umulh x16,x12,x4 + adcs x22,x23,x17 + umulh x17,x13,x4 + ldr x4,[x0,x27] + adcs x23,x24,x14 + adcs x24,x25,x15 + adcs x25,x26,x16 + adcs x26,x28,x17 + //adc x28,xzr,xzr // moved above + cbnz x27,Lsqr8x_tail + // note that carry flag is guaranteed + // to be zero at this point + ldp x6,x7,[x2,#8*0] + sub x27,x3,x1 // done yet? 
+ sub x16,x3,x5 // rewinded np + ldp x8,x9,[x2,#8*2] + ldp x10,x11,[x2,#8*4] + ldp x12,x13,[x2,#8*6] + cbz x27,Lsqr8x_tail_break + + ldr x4,[x0,#-8*8] + adds x19,x19,x6 + adcs x20,x20,x7 + ldp x6,x7,[x1,#8*0] + adcs x21,x21,x8 + adcs x22,x22,x9 + ldp x8,x9,[x1,#8*2] + adcs x23,x23,x10 + adcs x24,x24,x11 + ldp x10,x11,[x1,#8*4] + adcs x25,x25,x12 + mov x27,#-8*8 + adcs x26,x26,x13 + ldp x12,x13,[x1,#8*6] + add x1,x1,#8*8 + //adc x28,xzr,xzr // moved above + b Lsqr8x_tail + +.align 4 +Lsqr8x_tail_break: + ldr x4,[x29,#112] // pull n0 + add x27,x2,#8*8 // end of current t[num] window + + subs xzr,x30,#1 // "move" top-most carry to carry bit + adcs x14,x19,x6 + adcs x15,x20,x7 + ldp x19,x20,[x0,#8*0] + adcs x21,x21,x8 + ldp x6,x7,[x16,#8*0] // recall that x16 is &n[0] + adcs x22,x22,x9 + ldp x8,x9,[x16,#8*2] + adcs x23,x23,x10 + adcs x24,x24,x11 + ldp x10,x11,[x16,#8*4] + adcs x25,x25,x12 + adcs x26,x26,x13 + ldp x12,x13,[x16,#8*6] + add x1,x16,#8*8 + adc x30,xzr,xzr // top-most carry + mul x28,x4,x19 + stp x14,x15,[x2,#8*0] + stp x21,x22,[x2,#8*2] + ldp x21,x22,[x0,#8*2] + stp x23,x24,[x2,#8*4] + ldp x23,x24,[x0,#8*4] + cmp x27,x29 // did we hit the bottom? + stp x25,x26,[x2,#8*6] + mov x2,x0 // slide the window + ldp x25,x26,[x0,#8*6] + mov x27,#8 + b.ne Lsqr8x_reduction + + // Final step. We see if result is larger than modulus, and + // if it is, subtract the modulus. But comparison implies + // subtraction. So we subtract modulus, see if it borrowed, + // and conditionally copy original value. 
+ ldr x0,[x29,#96] // pull rp + add x2,x2,#8*8 + subs x14,x19,x6 + sbcs x15,x20,x7 + sub x27,x5,#8*8 + mov x3,x0 // x0 copy + +Lsqr8x_sub: + sbcs x16,x21,x8 + ldp x6,x7,[x1,#8*0] + sbcs x17,x22,x9 + stp x14,x15,[x0,#8*0] + sbcs x14,x23,x10 + ldp x8,x9,[x1,#8*2] + sbcs x15,x24,x11 + stp x16,x17,[x0,#8*2] + sbcs x16,x25,x12 + ldp x10,x11,[x1,#8*4] + sbcs x17,x26,x13 + ldp x12,x13,[x1,#8*6] + add x1,x1,#8*8 + ldp x19,x20,[x2,#8*0] + sub x27,x27,#8*8 + ldp x21,x22,[x2,#8*2] + ldp x23,x24,[x2,#8*4] + ldp x25,x26,[x2,#8*6] + add x2,x2,#8*8 + stp x14,x15,[x0,#8*4] + sbcs x14,x19,x6 + stp x16,x17,[x0,#8*6] + add x0,x0,#8*8 + sbcs x15,x20,x7 + cbnz x27,Lsqr8x_sub + + sbcs x16,x21,x8 + mov x2,sp + add x1,sp,x5 + ldp x6,x7,[x3,#8*0] + sbcs x17,x22,x9 + stp x14,x15,[x0,#8*0] + sbcs x14,x23,x10 + ldp x8,x9,[x3,#8*2] + sbcs x15,x24,x11 + stp x16,x17,[x0,#8*2] + sbcs x16,x25,x12 + ldp x19,x20,[x1,#8*0] + sbcs x17,x26,x13 + ldp x21,x22,[x1,#8*2] + sbcs xzr,x30,xzr // did it borrow? + ldr x30,[x29,#8] // pull return address + stp x14,x15,[x0,#8*4] + stp x16,x17,[x0,#8*6] + + sub x27,x5,#8*4 +Lsqr4x_cond_copy: + sub x27,x27,#8*4 + csel x14,x19,x6,lo + stp xzr,xzr,[x2,#8*0] + csel x15,x20,x7,lo + ldp x6,x7,[x3,#8*4] + ldp x19,x20,[x1,#8*4] + csel x16,x21,x8,lo + stp xzr,xzr,[x2,#8*2] + add x2,x2,#8*4 + csel x17,x22,x9,lo + ldp x8,x9,[x3,#8*6] + ldp x21,x22,[x1,#8*6] + add x1,x1,#8*4 + stp x14,x15,[x3,#8*0] + stp x16,x17,[x3,#8*2] + add x3,x3,#8*4 + stp xzr,xzr,[x1,#8*0] + stp xzr,xzr,[x1,#8*2] + cbnz x27,Lsqr4x_cond_copy + + csel x14,x19,x6,lo + stp xzr,xzr,[x2,#8*0] + csel x15,x20,x7,lo + stp xzr,xzr,[x2,#8*2] + csel x16,x21,x8,lo + csel x17,x22,x9,lo + stp x14,x15,[x3,#8*0] + stp x16,x17,[x3,#8*2] + + b Lsqr8x_done + +.align 4 +Lsqr8x8_post_condition: + adc x28,xzr,xzr + ldr x30,[x29,#8] // pull return address + // x19-7,x28 hold result, x6-7 hold modulus + subs x6,x19,x6 + ldr x1,[x29,#96] // pull rp + sbcs x7,x20,x7 + stp xzr,xzr,[sp,#8*0] + sbcs x8,x21,x8 + stp xzr,xzr,[sp,#8*2] 
+ sbcs x9,x22,x9 + stp xzr,xzr,[sp,#8*4] + sbcs x10,x23,x10 + stp xzr,xzr,[sp,#8*6] + sbcs x11,x24,x11 + stp xzr,xzr,[sp,#8*8] + sbcs x12,x25,x12 + stp xzr,xzr,[sp,#8*10] + sbcs x13,x26,x13 + stp xzr,xzr,[sp,#8*12] + sbcs x28,x28,xzr // did it borrow? + stp xzr,xzr,[sp,#8*14] + + // x6-7 hold result-modulus + csel x6,x19,x6,lo + csel x7,x20,x7,lo + csel x8,x21,x8,lo + csel x9,x22,x9,lo + stp x6,x7,[x1,#8*0] + csel x10,x23,x10,lo + csel x11,x24,x11,lo + stp x8,x9,[x1,#8*2] + csel x12,x25,x12,lo + csel x13,x26,x13,lo + stp x10,x11,[x1,#8*4] + stp x12,x13,[x1,#8*6] + +Lsqr8x_done: + ldp x19,x20,[x29,#16] + mov sp,x29 + ldp x21,x22,[x29,#32] + mov x0,#1 + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldr x29,[sp],#128 + // x30 is popped earlier + AARCH64_VALIDATE_LINK_REGISTER + ret + +.def __bn_mul4x_mont + .type 32 +.endef +.align 5 +__bn_mul4x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to + // only from bn_mul_mont or __bn_mul8x_mont which have already signed the + // return address. + stp x29,x30,[sp,#-128]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + + sub x26,sp,x5,lsl#3 + lsl x5,x5,#3 + ldr x4,[x4] // *n0 + sub sp,x26,#8*4 // alloca + + add x10,x2,x5 + add x27,x1,x5 + stp x0,x10,[x29,#96] // offload rp and &b[num] + + ldr x24,[x2,#8*0] // b[0] + ldp x6,x7,[x1,#8*0] // a[0..3] + ldp x8,x9,[x1,#8*2] + add x1,x1,#8*4 + mov x19,xzr + mov x20,xzr + mov x21,xzr + mov x22,xzr + ldp x14,x15,[x3,#8*0] // n[0..3] + ldp x16,x17,[x3,#8*2] + adds x3,x3,#8*4 // clear carry bit + mov x0,xzr + mov x28,#0 + mov x26,sp + +Loop_mul4x_1st_reduction: + mul x10,x6,x24 // lo(a[0..3]*b[0]) + adc x0,x0,xzr // modulo-scheduled + mul x11,x7,x24 + add x28,x28,#8 + mul x12,x8,x24 + and x28,x28,#31 + mul x13,x9,x24 + adds x19,x19,x10 + umulh x10,x6,x24 // hi(a[0..3]*b[0]) + adcs x20,x20,x11 + mul x25,x19,x4 // t[0]*n0 + adcs x21,x21,x12 + umulh x11,x7,x24 + adcs x22,x22,x13 + umulh x12,x8,x24 + adc x23,xzr,xzr + umulh x13,x9,x24 + ldr x24,[x2,x28] // next b[i] (or b[0]) + adds x20,x20,x10 + // (*) mul x10,x14,x25 // lo(n[0..3]*t[0]*n0) + str x25,[x26],#8 // put aside t[0]*n0 for tail processing + adcs x21,x21,x11 + mul x11,x15,x25 + adcs x22,x22,x12 + mul x12,x16,x25 + adc x23,x23,x13 // can't overflow + mul x13,x17,x25 + // (*) adds xzr,x19,x10 + subs xzr,x19,#1 // (*) + umulh x10,x14,x25 // hi(n[0..3]*t[0]*n0) + adcs x19,x20,x11 + umulh x11,x15,x25 + adcs x20,x21,x12 + umulh x12,x16,x25 + adcs x21,x22,x13 + umulh x13,x17,x25 + adcs x22,x23,x0 + adc x0,xzr,xzr + adds x19,x19,x10 + sub x10,x27,x1 + adcs x20,x20,x11 + adcs x21,x21,x12 + adcs x22,x22,x13 + //adc x0,x0,xzr + cbnz x28,Loop_mul4x_1st_reduction + + cbz x10,Lmul4x4_post_condition + + ldp x6,x7,[x1,#8*0] // a[4..7] + ldp x8,x9,[x1,#8*2] + add x1,x1,#8*4 + ldr x25,[sp] // a[0]*n0 + ldp x14,x15,[x3,#8*0] // n[4..7] + ldp x16,x17,[x3,#8*2] + add x3,x3,#8*4 + +Loop_mul4x_1st_tail: + mul x10,x6,x24 // lo(a[4..7]*b[i]) + adc x0,x0,xzr // modulo-scheduled 
+ mul x11,x7,x24 + add x28,x28,#8 + mul x12,x8,x24 + and x28,x28,#31 + mul x13,x9,x24 + adds x19,x19,x10 + umulh x10,x6,x24 // hi(a[4..7]*b[i]) + adcs x20,x20,x11 + umulh x11,x7,x24 + adcs x21,x21,x12 + umulh x12,x8,x24 + adcs x22,x22,x13 + umulh x13,x9,x24 + adc x23,xzr,xzr + ldr x24,[x2,x28] // next b[i] (or b[0]) + adds x20,x20,x10 + mul x10,x14,x25 // lo(n[4..7]*a[0]*n0) + adcs x21,x21,x11 + mul x11,x15,x25 + adcs x22,x22,x12 + mul x12,x16,x25 + adc x23,x23,x13 // can't overflow + mul x13,x17,x25 + adds x19,x19,x10 + umulh x10,x14,x25 // hi(n[4..7]*a[0]*n0) + adcs x20,x20,x11 + umulh x11,x15,x25 + adcs x21,x21,x12 + umulh x12,x16,x25 + adcs x22,x22,x13 + adcs x23,x23,x0 + umulh x13,x17,x25 + adc x0,xzr,xzr + ldr x25,[sp,x28] // next t[0]*n0 + str x19,[x26],#8 // result!!! + adds x19,x20,x10 + sub x10,x27,x1 // done yet? + adcs x20,x21,x11 + adcs x21,x22,x12 + adcs x22,x23,x13 + //adc x0,x0,xzr + cbnz x28,Loop_mul4x_1st_tail + + sub x11,x27,x5 // rewinded x1 + cbz x10,Lmul4x_proceed + + ldp x6,x7,[x1,#8*0] + ldp x8,x9,[x1,#8*2] + add x1,x1,#8*4 + ldp x14,x15,[x3,#8*0] + ldp x16,x17,[x3,#8*2] + add x3,x3,#8*4 + b Loop_mul4x_1st_tail + +.align 5 +Lmul4x_proceed: + ldr x24,[x2,#8*4]! // *++b + adc x30,x0,xzr + ldp x6,x7,[x11,#8*0] // a[0..3] + sub x3,x3,x5 // rewind np + ldp x8,x9,[x11,#8*2] + add x1,x11,#8*4 + + stp x19,x20,[x26,#8*0] // result!!! + ldp x19,x20,[sp,#8*4] // t[0..3] + stp x21,x22,[x26,#8*2] // result!!! 
+ ldp x21,x22,[sp,#8*6] + + ldp x14,x15,[x3,#8*0] // n[0..3] + mov x26,sp + ldp x16,x17,[x3,#8*2] + adds x3,x3,#8*4 // clear carry bit + mov x0,xzr + +.align 4 +Loop_mul4x_reduction: + mul x10,x6,x24 // lo(a[0..3]*b[4]) + adc x0,x0,xzr // modulo-scheduled + mul x11,x7,x24 + add x28,x28,#8 + mul x12,x8,x24 + and x28,x28,#31 + mul x13,x9,x24 + adds x19,x19,x10 + umulh x10,x6,x24 // hi(a[0..3]*b[4]) + adcs x20,x20,x11 + mul x25,x19,x4 // t[0]*n0 + adcs x21,x21,x12 + umulh x11,x7,x24 + adcs x22,x22,x13 + umulh x12,x8,x24 + adc x23,xzr,xzr + umulh x13,x9,x24 + ldr x24,[x2,x28] // next b[i] + adds x20,x20,x10 + // (*) mul x10,x14,x25 + str x25,[x26],#8 // put aside t[0]*n0 for tail processing + adcs x21,x21,x11 + mul x11,x15,x25 // lo(n[0..3]*t[0]*n0 + adcs x22,x22,x12 + mul x12,x16,x25 + adc x23,x23,x13 // can't overflow + mul x13,x17,x25 + // (*) adds xzr,x19,x10 + subs xzr,x19,#1 // (*) + umulh x10,x14,x25 // hi(n[0..3]*t[0]*n0 + adcs x19,x20,x11 + umulh x11,x15,x25 + adcs x20,x21,x12 + umulh x12,x16,x25 + adcs x21,x22,x13 + umulh x13,x17,x25 + adcs x22,x23,x0 + adc x0,xzr,xzr + adds x19,x19,x10 + adcs x20,x20,x11 + adcs x21,x21,x12 + adcs x22,x22,x13 + //adc x0,x0,xzr + cbnz x28,Loop_mul4x_reduction + + adc x0,x0,xzr + ldp x10,x11,[x26,#8*4] // t[4..7] + ldp x12,x13,[x26,#8*6] + ldp x6,x7,[x1,#8*0] // a[4..7] + ldp x8,x9,[x1,#8*2] + add x1,x1,#8*4 + adds x19,x19,x10 + adcs x20,x20,x11 + adcs x21,x21,x12 + adcs x22,x22,x13 + //adc x0,x0,xzr + + ldr x25,[sp] // t[0]*n0 + ldp x14,x15,[x3,#8*0] // n[4..7] + ldp x16,x17,[x3,#8*2] + add x3,x3,#8*4 + +.align 4 +Loop_mul4x_tail: + mul x10,x6,x24 // lo(a[4..7]*b[4]) + adc x0,x0,xzr // modulo-scheduled + mul x11,x7,x24 + add x28,x28,#8 + mul x12,x8,x24 + and x28,x28,#31 + mul x13,x9,x24 + adds x19,x19,x10 + umulh x10,x6,x24 // hi(a[4..7]*b[4]) + adcs x20,x20,x11 + umulh x11,x7,x24 + adcs x21,x21,x12 + umulh x12,x8,x24 + adcs x22,x22,x13 + umulh x13,x9,x24 + adc x23,xzr,xzr + ldr x24,[x2,x28] // next b[i] + adds x20,x20,x10 + 
mul x10,x14,x25 // lo(n[4..7]*t[0]*n0) + adcs x21,x21,x11 + mul x11,x15,x25 + adcs x22,x22,x12 + mul x12,x16,x25 + adc x23,x23,x13 // can't overflow + mul x13,x17,x25 + adds x19,x19,x10 + umulh x10,x14,x25 // hi(n[4..7]*t[0]*n0) + adcs x20,x20,x11 + umulh x11,x15,x25 + adcs x21,x21,x12 + umulh x12,x16,x25 + adcs x22,x22,x13 + umulh x13,x17,x25 + adcs x23,x23,x0 + ldr x25,[sp,x28] // next a[0]*n0 + adc x0,xzr,xzr + str x19,[x26],#8 // result!!! + adds x19,x20,x10 + sub x10,x27,x1 // done yet? + adcs x20,x21,x11 + adcs x21,x22,x12 + adcs x22,x23,x13 + //adc x0,x0,xzr + cbnz x28,Loop_mul4x_tail + + sub x11,x3,x5 // rewinded np? + adc x0,x0,xzr + cbz x10,Loop_mul4x_break + + ldp x10,x11,[x26,#8*4] + ldp x12,x13,[x26,#8*6] + ldp x6,x7,[x1,#8*0] + ldp x8,x9,[x1,#8*2] + add x1,x1,#8*4 + adds x19,x19,x10 + adcs x20,x20,x11 + adcs x21,x21,x12 + adcs x22,x22,x13 + //adc x0,x0,xzr + ldp x14,x15,[x3,#8*0] + ldp x16,x17,[x3,#8*2] + add x3,x3,#8*4 + b Loop_mul4x_tail + +.align 4 +Loop_mul4x_break: + ldp x12,x13,[x29,#96] // pull rp and &b[num] + adds x19,x19,x30 + add x2,x2,#8*4 // bp++ + adcs x20,x20,xzr + sub x1,x1,x5 // rewind ap + adcs x21,x21,xzr + stp x19,x20,[x26,#8*0] // result!!! + adcs x22,x22,xzr + ldp x19,x20,[sp,#8*4] // t[0..3] + adc x30,x0,xzr + stp x21,x22,[x26,#8*2] // result!!! + cmp x2,x13 // done yet? + ldp x21,x22,[sp,#8*6] + ldp x14,x15,[x11,#8*0] // n[0..3] + ldp x16,x17,[x11,#8*2] + add x3,x11,#8*4 + b.eq Lmul4x_post + + ldr x24,[x2] + ldp x6,x7,[x1,#8*0] // a[0..3] + ldp x8,x9,[x1,#8*2] + adds x1,x1,#8*4 // clear carry bit + mov x0,xzr + mov x26,sp + b Loop_mul4x_reduction + +.align 4 +Lmul4x_post: + // Final step. We see if result is larger than modulus, and + // if it is, subtract the modulus. But comparison implies + // subtraction. So we subtract modulus, see if it borrowed, + // and conditionally copy original value. 
+ mov x0,x12 + mov x27,x12 // x0 copy + subs x10,x19,x14 + add x26,sp,#8*8 + sbcs x11,x20,x15 + sub x28,x5,#8*4 + +Lmul4x_sub: + sbcs x12,x21,x16 + ldp x14,x15,[x3,#8*0] + sub x28,x28,#8*4 + ldp x19,x20,[x26,#8*0] + sbcs x13,x22,x17 + ldp x16,x17,[x3,#8*2] + add x3,x3,#8*4 + ldp x21,x22,[x26,#8*2] + add x26,x26,#8*4 + stp x10,x11,[x0,#8*0] + sbcs x10,x19,x14 + stp x12,x13,[x0,#8*2] + add x0,x0,#8*4 + sbcs x11,x20,x15 + cbnz x28,Lmul4x_sub + + sbcs x12,x21,x16 + mov x26,sp + add x1,sp,#8*4 + ldp x6,x7,[x27,#8*0] + sbcs x13,x22,x17 + stp x10,x11,[x0,#8*0] + ldp x8,x9,[x27,#8*2] + stp x12,x13,[x0,#8*2] + ldp x19,x20,[x1,#8*0] + ldp x21,x22,[x1,#8*2] + sbcs xzr,x30,xzr // did it borrow? + ldr x30,[x29,#8] // pull return address + + sub x28,x5,#8*4 +Lmul4x_cond_copy: + sub x28,x28,#8*4 + csel x10,x19,x6,lo + stp xzr,xzr,[x26,#8*0] + csel x11,x20,x7,lo + ldp x6,x7,[x27,#8*4] + ldp x19,x20,[x1,#8*4] + csel x12,x21,x8,lo + stp xzr,xzr,[x26,#8*2] + add x26,x26,#8*4 + csel x13,x22,x9,lo + ldp x8,x9,[x27,#8*6] + ldp x21,x22,[x1,#8*6] + add x1,x1,#8*4 + stp x10,x11,[x27,#8*0] + stp x12,x13,[x27,#8*2] + add x27,x27,#8*4 + cbnz x28,Lmul4x_cond_copy + + csel x10,x19,x6,lo + stp xzr,xzr,[x26,#8*0] + csel x11,x20,x7,lo + stp xzr,xzr,[x26,#8*2] + csel x12,x21,x8,lo + stp xzr,xzr,[x26,#8*3] + csel x13,x22,x9,lo + stp xzr,xzr,[x26,#8*4] + stp x10,x11,[x27,#8*0] + stp x12,x13,[x27,#8*2] + + b Lmul4x_done + +.align 4 +Lmul4x4_post_condition: + adc x0,x0,xzr + ldr x1,[x29,#96] // pull rp + // x19-3,x0 hold result, x14-7 hold modulus + subs x6,x19,x14 + ldr x30,[x29,#8] // pull return address + sbcs x7,x20,x15 + stp xzr,xzr,[sp,#8*0] + sbcs x8,x21,x16 + stp xzr,xzr,[sp,#8*2] + sbcs x9,x22,x17 + stp xzr,xzr,[sp,#8*4] + sbcs xzr,x0,xzr // did it borrow? 
+ stp xzr,xzr,[sp,#8*6] + + // x6-3 hold result-modulus + csel x6,x19,x6,lo + csel x7,x20,x7,lo + csel x8,x21,x8,lo + csel x9,x22,x9,lo + stp x6,x7,[x1,#8*0] + stp x8,x9,[x1,#8*2] + +Lmul4x_done: + ldp x19,x20,[x29,#16] + mov sp,x29 + ldp x21,x22,[x29,#32] + mov x0,#1 + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldr x29,[sp],#128 + // x30 is popped earlier + AARCH64_VALIDATE_LINK_REGISTER + ret + +.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.align 4 +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/gen/bcm/bn-586-apple.S b/Sources/CNIOBoringSSL/gen/bcm/bn-586-apple.S new file mode 100644 index 000000000..ecac41ebf --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/bn-586-apple.S 
@@ -0,0 +1,536 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _bn_mul_add_words +.private_extern _bn_mul_add_words +.align 4 +_bn_mul_add_words: +L_bn_mul_add_words_begin: + movl 4(%esp),%eax + movl 8(%esp),%edx + movl 12(%esp),%ecx + movd 16(%esp),%mm0 + pxor %mm1,%mm1 + jmp L000maw_sse2_entry +.align 4,0x90 +L001maw_sse2_unrolled: + movd (%eax),%mm3 + paddq %mm3,%mm1 + movd (%edx),%mm2 + pmuludq %mm0,%mm2 + movd 4(%edx),%mm4 + pmuludq %mm0,%mm4 + movd 8(%edx),%mm6 + pmuludq %mm0,%mm6 + movd 12(%edx),%mm7 + pmuludq %mm0,%mm7 + paddq %mm2,%mm1 + movd 4(%eax),%mm3 + paddq %mm4,%mm3 + movd 8(%eax),%mm5 + paddq %mm6,%mm5 + movd 12(%eax),%mm4 + paddq %mm4,%mm7 + movd %mm1,(%eax) + movd 16(%edx),%mm2 + pmuludq %mm0,%mm2 + psrlq $32,%mm1 + movd 20(%edx),%mm4 + pmuludq %mm0,%mm4 + paddq %mm3,%mm1 + movd 24(%edx),%mm6 + pmuludq %mm0,%mm6 + movd %mm1,4(%eax) + psrlq $32,%mm1 + movd 28(%edx),%mm3 + addl $32,%edx + pmuludq %mm0,%mm3 + paddq %mm5,%mm1 + movd 16(%eax),%mm5 + paddq %mm5,%mm2 + movd %mm1,8(%eax) + psrlq $32,%mm1 + paddq %mm7,%mm1 + movd 20(%eax),%mm5 + paddq %mm5,%mm4 + movd %mm1,12(%eax) + psrlq $32,%mm1 + paddq %mm2,%mm1 + movd 24(%eax),%mm5 + paddq %mm5,%mm6 + movd %mm1,16(%eax) + psrlq $32,%mm1 + paddq %mm4,%mm1 + movd 28(%eax),%mm5 + paddq %mm5,%mm3 + movd %mm1,20(%eax) + psrlq $32,%mm1 + paddq %mm6,%mm1 + movd %mm1,24(%eax) + psrlq $32,%mm1 + paddq %mm3,%mm1 + movd %mm1,28(%eax) + leal 32(%eax),%eax + psrlq $32,%mm1 + subl $8,%ecx + jz L002maw_sse2_exit +L000maw_sse2_entry: + testl $4294967288,%ecx + jnz L001maw_sse2_unrolled +.align 2,0x90 +L003maw_sse2_loop: + movd (%edx),%mm2 + movd (%eax),%mm3 + pmuludq %mm0,%mm2 + leal 4(%edx),%edx + paddq %mm3,%mm1 + paddq %mm2,%mm1 + movd %mm1,(%eax) + subl $1,%ecx + psrlq $32,%mm1 + leal 4(%eax),%eax + 
jnz L003maw_sse2_loop +L002maw_sse2_exit: + movd %mm1,%eax + emms + ret + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _bn_mul_words +.private_extern _bn_mul_words +.align 4 +_bn_mul_words: +L_bn_mul_words_begin: + movl 4(%esp),%eax + movl 8(%esp),%edx + movl 12(%esp),%ecx + movd 16(%esp),%mm0 + pxor %mm1,%mm1 +.align 4,0x90 +L004mw_sse2_loop: + movd (%edx),%mm2 + pmuludq %mm0,%mm2 + leal 4(%edx),%edx + paddq %mm2,%mm1 + movd %mm1,(%eax) + subl $1,%ecx + psrlq $32,%mm1 + leal 4(%eax),%eax + jnz L004mw_sse2_loop + movd %mm1,%eax + emms + ret + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _bn_sqr_words +.private_extern _bn_sqr_words +.align 4 +_bn_sqr_words: +L_bn_sqr_words_begin: + movl 4(%esp),%eax + movl 8(%esp),%edx + movl 12(%esp),%ecx +.align 4,0x90 +L005sqr_sse2_loop: + movd (%edx),%mm0 + pmuludq %mm0,%mm0 + leal 4(%edx),%edx + movq %mm0,(%eax) + subl $1,%ecx + leal 8(%eax),%eax + jnz L005sqr_sse2_loop + emms + ret + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _bn_div_words +.private_extern _bn_div_words +.align 4 +_bn_div_words: +L_bn_div_words_begin: + movl 4(%esp),%edx + movl 8(%esp),%eax + movl 12(%esp),%ecx + divl %ecx + ret +.globl _bn_add_words +.private_extern _bn_add_words +.align 4 +_bn_add_words: +L_bn_add_words_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + + movl 20(%esp),%ebx + movl 24(%esp),%esi + movl 28(%esp),%edi + movl 32(%esp),%ebp + xorl %eax,%eax + andl $4294967288,%ebp + jz L006aw_finish +L007aw_loop: + # Round 0 + movl (%esi),%ecx + movl (%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,(%ebx) + # Round 1 + movl 4(%esi),%ecx + movl 4(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,4(%ebx) + # Round 2 + movl 8(%esi),%ecx + movl 8(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,8(%ebx) + # Round 3 + movl 
12(%esi),%ecx + movl 12(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,12(%ebx) + # Round 4 + movl 16(%esi),%ecx + movl 16(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,16(%ebx) + # Round 5 + movl 20(%esi),%ecx + movl 20(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,20(%ebx) + # Round 6 + movl 24(%esi),%ecx + movl 24(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,24(%ebx) + # Round 7 + movl 28(%esi),%ecx + movl 28(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,28(%ebx) + + addl $32,%esi + addl $32,%edi + addl $32,%ebx + subl $8,%ebp + jnz L007aw_loop +L006aw_finish: + movl 32(%esp),%ebp + andl $7,%ebp + jz L008aw_end + # Tail Round 0 + movl (%esi),%ecx + movl (%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,(%ebx) + jz L008aw_end + # Tail Round 1 + movl 4(%esi),%ecx + movl 4(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,4(%ebx) + jz L008aw_end + # Tail Round 2 + movl 8(%esi),%ecx + movl 8(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,8(%ebx) + jz L008aw_end + # Tail Round 3 + movl 12(%esi),%ecx + movl 12(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,12(%ebx) + jz L008aw_end + # Tail Round 4 + movl 16(%esi),%ecx + movl 16(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,16(%ebx) + jz L008aw_end + # Tail Round 5 + movl 20(%esi),%ecx + movl 20(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + decl %ebp + 
movl %ecx,20(%ebx) + jz L008aw_end + # Tail Round 6 + movl 24(%esi),%ecx + movl 24(%edi),%edx + addl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + addl %edx,%ecx + adcl $0,%eax + movl %ecx,24(%ebx) +L008aw_end: + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _bn_sub_words +.private_extern _bn_sub_words +.align 4 +_bn_sub_words: +L_bn_sub_words_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + + movl 20(%esp),%ebx + movl 24(%esp),%esi + movl 28(%esp),%edi + movl 32(%esp),%ebp + xorl %eax,%eax + andl $4294967288,%ebp + jz L009aw_finish +L010aw_loop: + # Round 0 + movl (%esi),%ecx + movl (%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,(%ebx) + # Round 1 + movl 4(%esi),%ecx + movl 4(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,4(%ebx) + # Round 2 + movl 8(%esi),%ecx + movl 8(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,8(%ebx) + # Round 3 + movl 12(%esi),%ecx + movl 12(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,12(%ebx) + # Round 4 + movl 16(%esi),%ecx + movl 16(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,16(%ebx) + # Round 5 + movl 20(%esi),%ecx + movl 20(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,20(%ebx) + # Round 6 + movl 24(%esi),%ecx + movl 24(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,24(%ebx) + # Round 7 + movl 28(%esi),%ecx + movl 28(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,28(%ebx) + + addl $32,%esi + addl $32,%edi + addl $32,%ebx + subl $8,%ebp + jnz L010aw_loop +L009aw_finish: + movl 32(%esp),%ebp + andl $7,%ebp + jz L011aw_end + # Tail Round 0 + movl (%esi),%ecx 
+ movl (%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,(%ebx) + jz L011aw_end + # Tail Round 1 + movl 4(%esi),%ecx + movl 4(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,4(%ebx) + jz L011aw_end + # Tail Round 2 + movl 8(%esi),%ecx + movl 8(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,8(%ebx) + jz L011aw_end + # Tail Round 3 + movl 12(%esi),%ecx + movl 12(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,12(%ebx) + jz L011aw_end + # Tail Round 4 + movl 16(%esi),%ecx + movl 16(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,16(%ebx) + jz L011aw_end + # Tail Round 5 + movl 20(%esi),%ecx + movl 20(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + decl %ebp + movl %ecx,20(%ebx) + jz L011aw_end + # Tail Round 6 + movl 24(%esi),%ecx + movl 24(%edi),%edx + subl %eax,%ecx + movl $0,%eax + adcl %eax,%eax + subl %edx,%ecx + adcl $0,%eax + movl %ecx,24(%ebx) +L011aw_end: + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn-586-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/bn-586-linux.S similarity index 53% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn-586-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/bn-586-linux.S index 4b191581a..ff910ba82 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn-586-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/bn-586-linux.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -13,20 +12,14 @@ .align 16 bn_mul_add_words: .L_bn_mul_add_words_begin: - call .L000PIC_me_up -.L000PIC_me_up: - popl %eax - leal OPENSSL_ia32cap_P-.L000PIC_me_up(%eax),%eax - btl $26,(%eax) - jnc .L001maw_non_sse2 movl 4(%esp),%eax movl 8(%esp),%edx movl 12(%esp),%ecx movd 16(%esp),%mm0 pxor %mm1,%mm1 - jmp .L002maw_sse2_entry + jmp .L000maw_sse2_entry .align 16 -.L003maw_sse2_unrolled: +.L001maw_sse2_unrolled: movd (%eax),%mm3 paddq %mm3,%mm1 movd (%edx),%mm2 @@ -86,12 +79,12 @@ bn_mul_add_words: leal 32(%eax),%eax psrlq $32,%mm1 subl $8,%ecx - jz .L004maw_sse2_exit -.L002maw_sse2_entry: + jz .L002maw_sse2_exit +.L000maw_sse2_entry: testl $4294967288,%ecx - jnz .L003maw_sse2_unrolled + jnz .L001maw_sse2_unrolled .align 4 -.L005maw_sse2_loop: +.L003maw_sse2_loop: movd (%edx),%mm2 movd (%eax),%mm3 pmuludq %mm0,%mm2 
@@ -102,189 +95,11 @@ bn_mul_add_words: subl $1,%ecx psrlq $32,%mm1 leal 4(%eax),%eax - jnz .L005maw_sse2_loop -.L004maw_sse2_exit: + jnz .L003maw_sse2_loop +.L002maw_sse2_exit: movd %mm1,%eax emms ret -.align 16 -.L001maw_non_sse2: - pushl %ebp - pushl %ebx - pushl %esi - pushl %edi - - xorl %esi,%esi - movl 20(%esp),%edi - movl 28(%esp),%ecx - movl 24(%esp),%ebx - andl $4294967288,%ecx - movl 32(%esp),%ebp - pushl %ecx - jz .L006maw_finish -.align 16 -.L007maw_loop: - - movl (%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl (%edi),%eax - adcl $0,%edx - movl %eax,(%edi) - movl %edx,%esi - - movl 4(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 4(%edi),%eax - adcl $0,%edx - movl %eax,4(%edi) - movl %edx,%esi - - movl 8(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 8(%edi),%eax - adcl $0,%edx - movl %eax,8(%edi) - movl %edx,%esi - - movl 12(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 12(%edi),%eax - adcl $0,%edx - movl %eax,12(%edi) - movl %edx,%esi - - movl 16(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 16(%edi),%eax - adcl $0,%edx - movl %eax,16(%edi) - movl %edx,%esi - - movl 20(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 20(%edi),%eax - adcl $0,%edx - movl %eax,20(%edi) - movl %edx,%esi - - movl 24(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 24(%edi),%eax - adcl $0,%edx - movl %eax,24(%edi) - movl %edx,%esi - - movl 28(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 28(%edi),%eax - adcl $0,%edx - movl %eax,28(%edi) - movl %edx,%esi - - subl $8,%ecx - leal 32(%ebx),%ebx - leal 32(%edi),%edi - jnz .L007maw_loop -.L006maw_finish: - movl 32(%esp),%ecx - andl $7,%ecx - jnz .L008maw_finish2 - jmp .L009maw_end -.L008maw_finish2: - - movl (%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl (%edi),%eax - adcl $0,%edx - decl %ecx - movl %eax,(%edi) - movl %edx,%esi - jz .L009maw_end - - movl 4(%ebx),%eax - mull %ebp - addl %esi,%eax 
- adcl $0,%edx - addl 4(%edi),%eax - adcl $0,%edx - decl %ecx - movl %eax,4(%edi) - movl %edx,%esi - jz .L009maw_end - - movl 8(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 8(%edi),%eax - adcl $0,%edx - decl %ecx - movl %eax,8(%edi) - movl %edx,%esi - jz .L009maw_end - - movl 12(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 12(%edi),%eax - adcl $0,%edx - decl %ecx - movl %eax,12(%edi) - movl %edx,%esi - jz .L009maw_end - - movl 16(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 16(%edi),%eax - adcl $0,%edx - decl %ecx - movl %eax,16(%edi) - movl %edx,%esi - jz .L009maw_end - - movl 20(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 20(%edi),%eax - adcl $0,%edx - decl %ecx - movl %eax,20(%edi) - movl %edx,%esi - jz .L009maw_end - - movl 24(%ebx),%eax - mull %ebp - addl %esi,%eax - adcl $0,%edx - addl 24(%edi),%eax - adcl $0,%edx - movl %eax,24(%edi) - movl %edx,%esi -.L009maw_end: - movl %esi,%eax - popl %ecx popl %edi popl %esi popl %ebx @@ -297,19 +112,13 @@ bn_mul_add_words: .align 16 bn_mul_words: .L_bn_mul_words_begin: - call .L010PIC_me_up -.L010PIC_me_up: - popl %eax - leal OPENSSL_ia32cap_P-.L010PIC_me_up(%eax),%eax - btl $26,(%eax) - jnc .L011mw_non_sse2 movl 4(%esp),%eax movl 8(%esp),%edx movl 12(%esp),%ecx movd 16(%esp),%mm0 pxor %mm1,%mm1 .align 16 -.L012mw_sse2_loop: +.L004mw_sse2_loop: movd (%edx),%mm2 pmuludq %mm0,%mm2 leal 4(%edx),%edx 
@@ -318,156 +127,10 @@ bn_mul_words: subl $1,%ecx psrlq $32,%mm1 leal 4(%eax),%eax - jnz .L012mw_sse2_loop + jnz .L004mw_sse2_loop movd %mm1,%eax emms ret -.align 16 -.L011mw_non_sse2: - pushl %ebp - pushl %ebx - pushl %esi - pushl %edi - - xorl %esi,%esi - movl 20(%esp),%edi - movl 24(%esp),%ebx - movl 28(%esp),%ebp - movl 32(%esp),%ecx - andl $4294967288,%ebp - jz .L013mw_finish -.L014mw_loop: - - movl (%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,(%edi) - movl %edx,%esi - - movl 4(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,4(%edi) - movl %edx,%esi - - movl 8(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,8(%edi) - movl %edx,%esi - - movl 12(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,12(%edi) - movl %edx,%esi - - movl 16(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,16(%edi) - movl %edx,%esi - - movl 20(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,20(%edi) - movl %edx,%esi - - movl 24(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,24(%edi) - movl %edx,%esi - - movl 28(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,28(%edi) - movl %edx,%esi - - addl $32,%ebx - addl $32,%edi - subl $8,%ebp - jz .L013mw_finish - jmp .L014mw_loop -.L013mw_finish: - movl 28(%esp),%ebp - andl $7,%ebp - jnz .L015mw_finish2 - jmp .L016mw_end -.L015mw_finish2: - - movl (%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,(%edi) - movl %edx,%esi - decl %ebp - jz .L016mw_end - - movl 4(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,4(%edi) - movl %edx,%esi - decl %ebp - jz .L016mw_end - - movl 8(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,8(%edi) - movl %edx,%esi - decl %ebp - jz .L016mw_end - - movl 12(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,12(%edi) - movl %edx,%esi - decl %ebp - jz .L016mw_end - - movl 16(%ebx),%eax - mull %ecx - addl 
%esi,%eax - adcl $0,%edx - movl %eax,16(%edi) - movl %edx,%esi - decl %ebp - jz .L016mw_end - - movl 20(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,20(%edi) - movl %edx,%esi - decl %ebp - jz .L016mw_end - - movl 24(%ebx),%eax - mull %ecx - addl %esi,%eax - adcl $0,%edx - movl %eax,24(%edi) - movl %edx,%esi -.L016mw_end: - movl %esi,%eax popl %edi popl %esi popl %ebx 
@@ -480,136 +143,20 @@ bn_mul_words: .align 16 bn_sqr_words: .L_bn_sqr_words_begin: - call .L017PIC_me_up -.L017PIC_me_up: - popl %eax - leal OPENSSL_ia32cap_P-.L017PIC_me_up(%eax),%eax - btl $26,(%eax) - jnc .L018sqr_non_sse2 movl 4(%esp),%eax movl 8(%esp),%edx movl 12(%esp),%ecx .align 16 -.L019sqr_sse2_loop: +.L005sqr_sse2_loop: movd (%edx),%mm0 pmuludq %mm0,%mm0 leal 4(%edx),%edx movq %mm0,(%eax) subl $1,%ecx leal 8(%eax),%eax - jnz .L019sqr_sse2_loop + jnz .L005sqr_sse2_loop emms ret -.align 16 -.L018sqr_non_sse2: - pushl %ebp - pushl %ebx - pushl %esi - pushl %edi - - movl 20(%esp),%esi - movl 24(%esp),%edi - movl 28(%esp),%ebx - andl $4294967288,%ebx - jz .L020sw_finish -.L021sw_loop: - - movl (%edi),%eax - mull %eax - movl %eax,(%esi) - movl %edx,4(%esi) - - movl 4(%edi),%eax - mull %eax - movl %eax,8(%esi) - movl %edx,12(%esi) - - movl 8(%edi),%eax - mull %eax - movl %eax,16(%esi) - movl %edx,20(%esi) - - movl 12(%edi),%eax - mull %eax - movl %eax,24(%esi) - movl %edx,28(%esi) - - movl 16(%edi),%eax - mull %eax - movl %eax,32(%esi) - movl %edx,36(%esi) - - movl 20(%edi),%eax - mull %eax - movl %eax,40(%esi) - movl %edx,44(%esi) - - movl 24(%edi),%eax - mull %eax - movl %eax,48(%esi) - movl %edx,52(%esi) - - movl 28(%edi),%eax - mull %eax - movl %eax,56(%esi) - movl %edx,60(%esi) - - addl $32,%edi - addl $64,%esi - subl $8,%ebx - jnz .L021sw_loop -.L020sw_finish: - movl 28(%esp),%ebx - andl $7,%ebx - jz .L022sw_end - - movl (%edi),%eax - mull %eax - movl %eax,(%esi) - decl %ebx - movl %edx,4(%esi) - jz .L022sw_end - - movl 4(%edi),%eax - mull %eax - movl %eax,8(%esi) - decl %ebx - movl %edx,12(%esi) - jz .L022sw_end - - movl 8(%edi),%eax - mull %eax - movl %eax,16(%esi) - decl %ebx - movl %edx,20(%esi) - jz .L022sw_end - - movl 12(%edi),%eax - mull %eax - movl %eax,24(%esi) - decl %ebx - movl %edx,28(%esi) - jz .L022sw_end - - movl 16(%edi),%eax - mull %eax - movl %eax,32(%esi) - decl %ebx - movl %edx,36(%esi) - jz .L022sw_end - - movl 20(%edi),%eax - mull 
%eax - movl %eax,40(%esi) - decl %ebx - movl %edx,44(%esi) - jz .L022sw_end - - movl 24(%edi),%eax - mull %eax - movl %eax,48(%esi) - movl %edx,52(%esi) -.L022sw_end: popl %edi popl %esi popl %ebx @@ -645,8 +192,8 @@ bn_add_words: movl 32(%esp),%ebp xorl %eax,%eax andl $4294967288,%ebp - jz .L023aw_finish -.L024aw_loop: + jz .L006aw_finish +.L007aw_loop: movl (%esi),%ecx movl (%edi),%edx @@ -724,11 +271,11 @@ bn_add_words: addl $32,%edi addl $32,%ebx subl $8,%ebp - jnz .L024aw_loop -.L023aw_finish: + jnz .L007aw_loop +.L006aw_finish: movl 32(%esp),%ebp andl $7,%ebp - jz .L025aw_end + jz .L008aw_end movl (%esi),%ecx movl (%edi),%edx @@ -739,7 +286,7 @@ bn_add_words: adcl $0,%eax decl %ebp movl %ecx,(%ebx) - jz .L025aw_end + jz .L008aw_end movl 4(%esi),%ecx movl 4(%edi),%edx @@ -750,7 +297,7 @@ bn_add_words: adcl $0,%eax decl %ebp movl %ecx,4(%ebx) - jz .L025aw_end + jz .L008aw_end movl 8(%esi),%ecx movl 8(%edi),%edx @@ -761,7 +308,7 @@ bn_add_words: adcl $0,%eax decl %ebp movl %ecx,8(%ebx) - jz .L025aw_end + jz .L008aw_end movl 12(%esi),%ecx movl 12(%edi),%edx @@ -772,7 +319,7 @@ bn_add_words: adcl $0,%eax decl %ebp movl %ecx,12(%ebx) - jz .L025aw_end + jz .L008aw_end movl 16(%esi),%ecx movl 16(%edi),%edx @@ -783,7 +330,7 @@ bn_add_words: adcl $0,%eax decl %ebp movl %ecx,16(%ebx) - jz .L025aw_end + jz .L008aw_end movl 20(%esi),%ecx movl 20(%edi),%edx @@ -794,7 +341,7 @@ bn_add_words: adcl $0,%eax decl %ebp movl %ecx,20(%ebx) - jz .L025aw_end + jz .L008aw_end movl 24(%esi),%ecx movl 24(%edi),%edx @@ -804,7 +351,7 @@ bn_add_words: addl %edx,%ecx adcl $0,%eax movl %ecx,24(%ebx) -.L025aw_end: +.L008aw_end: popl %edi popl %esi popl %ebx @@ -828,8 +375,8 @@ bn_sub_words: movl 32(%esp),%ebp xorl %eax,%eax andl $4294967288,%ebp - jz .L026aw_finish -.L027aw_loop: + jz .L009aw_finish +.L010aw_loop: movl (%esi),%ecx movl (%edi),%edx 
@@ -907,11 +454,11 @@ bn_sub_words: addl $32,%edi addl $32,%ebx subl $8,%ebp - jnz .L027aw_loop -.L026aw_finish: + jnz .L010aw_loop +.L009aw_finish: movl 32(%esp),%ebp andl $7,%ebp - jz .L028aw_end + jz .L011aw_end movl (%esi),%ecx movl (%edi),%edx @@ -922,7 +469,7 @@ bn_sub_words: adcl $0,%eax decl %ebp movl %ecx,(%ebx) - jz .L028aw_end + jz .L011aw_end movl 4(%esi),%ecx movl 4(%edi),%edx @@ -933,7 +480,7 @@ bn_sub_words: adcl $0,%eax decl %ebp movl %ecx,4(%ebx) - jz .L028aw_end + jz .L011aw_end movl 8(%esi),%ecx movl 8(%edi),%edx @@ -944,7 +491,7 @@ bn_sub_words: adcl $0,%eax decl %ebp movl %ecx,8(%ebx) - jz .L028aw_end + jz .L011aw_end movl 12(%esi),%ecx movl 12(%edi),%edx @@ -955,7 +502,7 @@ bn_sub_words: adcl $0,%eax decl %ebp movl %ecx,12(%ebx) - jz .L028aw_end + jz .L011aw_end movl 16(%esi),%ecx movl 16(%edi),%edx @@ -966,7 +513,7 @@ bn_sub_words: adcl $0,%eax decl %ebp movl %ecx,16(%ebx) - jz .L028aw_end + jz .L011aw_end movl 20(%esi),%ecx movl 20(%edi),%edx @@ -977,7 +524,7 @@ bn_sub_words: adcl $0,%eax decl %ebp movl %ecx,20(%ebx) - jz .L028aw_end + jz .L011aw_end movl 24(%esi),%ecx movl 24(%edi),%edx @@ -987,7 +534,7 @@ bn_sub_words: subl %edx,%ecx adcl $0,%eax movl %ecx,24(%ebx) -.L028aw_end: +.L011aw_end: popl %edi popl %esi popl %ebx @@ -995,7 +542,6 @@ bn_sub_words: ret .size bn_sub_words,.-.L_bn_sub_words_begin #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/bn-armv8-apple.S similarity index 95% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/bn-armv8-apple.S index 2302766f8..c0a8ced13 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn-armv8-ios.ios.aarch64.S 
+++ b/Sources/CNIOBoringSSL/gen/bcm/bn-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -89,7 +88,6 @@ Lsub_exit: ret #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/bn-armv8-linux.S similarity index 95% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/bn-armv8-linux.S index 64d2171ce..012e1ef0d 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bn-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/bn-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -89,7 +88,6 @@ bn_sub_words: ret .size bn_sub_words,.-bn_sub_words #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/bn-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/bn-armv8-win.S new file mode 100644 index 000000000..ba8de3d26 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/bn-armv8-win.S 
@@ -0,0 +1,94 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +.text + +// BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, +// size_t num); + +.globl bn_add_words + +.align 4 +bn_add_words: + AARCH64_VALID_CALL_TARGET + # Clear the carry flag. + cmn xzr, xzr + + # aarch64 can load two registers at a time, so we do two loop iterations at + # at a time. Split x3 = 2 * x8 + x3. This allows loop + # operations to use CBNZ without clobbering the carry flag. + lsr x8, x3, #1 + and x3, x3, #1 + + cbz x8, Ladd_tail +Ladd_loop: + ldp x4, x5, [x1], #16 + ldp x6, x7, [x2], #16 + sub x8, x8, #1 + adcs x4, x4, x6 + adcs x5, x5, x7 + stp x4, x5, [x0], #16 + cbnz x8, Ladd_loop + +Ladd_tail: + cbz x3, Ladd_exit + ldr x4, [x1], #8 + ldr x6, [x2], #8 + adcs x4, x4, x6 + str x4, [x0], #8 + +Ladd_exit: + cset x0, cs + ret + + +// BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, +// size_t num); + +.globl bn_sub_words + +.align 4 +bn_sub_words: + AARCH64_VALID_CALL_TARGET + # Set the carry flag. Arm's borrow bit is flipped from the carry flag, + # so we want C = 1 here. + cmp xzr, xzr + + # aarch64 can load two registers at a time, so we do two loop iterations at + # at a time. Split x3 = 2 * x8 + x3. This allows loop + # operations to use CBNZ without clobbering the carry flag. 
+ lsr x8, x3, #1 + and x3, x3, #1 + + cbz x8, Lsub_tail +Lsub_loop: + ldp x4, x5, [x1], #16 + ldp x6, x7, [x2], #16 + sub x8, x8, #1 + sbcs x4, x4, x6 + sbcs x5, x5, x7 + stp x4, x5, [x0], #16 + cbnz x8, Lsub_loop + +Lsub_tail: + cbz x3, Lsub_exit + ldr x4, [x1], #8 + ldr x6, [x2], #8 + sbcs x4, x4, x6 + str x4, [x0], #8 + +Lsub_exit: + cset x0, cc + ret + +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/bsaes-armv7-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/bsaes-armv7-linux.S index dafb5751d..f1e87f548 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/bsaes-armv7-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1517,7 +1516,6 @@ bsaes_ctr32_encrypt_blocks: .size bsaes_ctr32_encrypt_blocks,.-bsaes_ctr32_encrypt_blocks #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/co-586-apple.S b/Sources/CNIOBoringSSL/gen/bcm/co-586-apple.S new file mode 100644 index 000000000..23eb1d92b --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/co-586-apple.S 
@@ -0,0 +1,1261 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _bn_mul_comba8 +.private_extern _bn_mul_comba8 +.align 4 +_bn_mul_comba8: +L_bn_mul_comba8_begin: + pushl %esi + movl 12(%esp),%esi + pushl %edi + movl 20(%esp),%edi + pushl %ebp + pushl %ebx + xorl %ebx,%ebx + movl (%esi),%eax + xorl %ecx,%ecx + movl (%edi),%edx + # ################## Calculate word 0 + xorl %ebp,%ebp + # mul a[0]*b[0] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + movl (%edi),%edx + adcl $0,%ebp + movl %ebx,(%eax) + movl 4(%esi),%eax + # saved r[0] + # ################## Calculate word 1 + xorl %ebx,%ebx + # mul a[1]*b[0] + mull %edx + addl %eax,%ecx + movl (%esi),%eax + adcl %edx,%ebp + movl 4(%edi),%edx + adcl $0,%ebx + # mul a[0]*b[1] + mull %edx + addl %eax,%ecx + movl 20(%esp),%eax + adcl %edx,%ebp + movl (%edi),%edx + adcl $0,%ebx + movl %ecx,4(%eax) + movl 8(%esi),%eax + # saved r[1] + # ################## Calculate word 2 + xorl %ecx,%ecx + # mul a[2]*b[0] + mull %edx + addl %eax,%ebp + movl 4(%esi),%eax + adcl %edx,%ebx + movl 4(%edi),%edx + adcl $0,%ecx + # mul a[1]*b[1] + mull %edx + addl %eax,%ebp + movl (%esi),%eax + adcl %edx,%ebx + movl 8(%edi),%edx + adcl $0,%ecx + # mul a[0]*b[2] + mull %edx + addl %eax,%ebp + movl 20(%esp),%eax + adcl %edx,%ebx + movl (%edi),%edx + adcl $0,%ecx + movl %ebp,8(%eax) + movl 12(%esi),%eax + # saved r[2] + # ################## Calculate word 3 + xorl %ebp,%ebp + # mul a[3]*b[0] + mull %edx + addl %eax,%ebx + movl 8(%esi),%eax + adcl %edx,%ecx + movl 4(%edi),%edx + adcl $0,%ebp + # mul a[2]*b[1] + mull %edx + addl %eax,%ebx + movl 4(%esi),%eax + adcl %edx,%ecx + movl 8(%edi),%edx + adcl $0,%ebp + # mul a[1]*b[2] + mull %edx + addl %eax,%ebx + movl (%esi),%eax + adcl %edx,%ecx + movl 12(%edi),%edx + adcl 
$0,%ebp + # mul a[0]*b[3] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + movl (%edi),%edx + adcl $0,%ebp + movl %ebx,12(%eax) + movl 16(%esi),%eax + # saved r[3] + # ################## Calculate word 4 + xorl %ebx,%ebx + # mul a[4]*b[0] + mull %edx + addl %eax,%ecx + movl 12(%esi),%eax + adcl %edx,%ebp + movl 4(%edi),%edx + adcl $0,%ebx + # mul a[3]*b[1] + mull %edx + addl %eax,%ecx + movl 8(%esi),%eax + adcl %edx,%ebp + movl 8(%edi),%edx + adcl $0,%ebx + # mul a[2]*b[2] + mull %edx + addl %eax,%ecx + movl 4(%esi),%eax + adcl %edx,%ebp + movl 12(%edi),%edx + adcl $0,%ebx + # mul a[1]*b[3] + mull %edx + addl %eax,%ecx + movl (%esi),%eax + adcl %edx,%ebp + movl 16(%edi),%edx + adcl $0,%ebx + # mul a[0]*b[4] + mull %edx + addl %eax,%ecx + movl 20(%esp),%eax + adcl %edx,%ebp + movl (%edi),%edx + adcl $0,%ebx + movl %ecx,16(%eax) + movl 20(%esi),%eax + # saved r[4] + # ################## Calculate word 5 + xorl %ecx,%ecx + # mul a[5]*b[0] + mull %edx + addl %eax,%ebp + movl 16(%esi),%eax + adcl %edx,%ebx + movl 4(%edi),%edx + adcl $0,%ecx + # mul a[4]*b[1] + mull %edx + addl %eax,%ebp + movl 12(%esi),%eax + adcl %edx,%ebx + movl 8(%edi),%edx + adcl $0,%ecx + # mul a[3]*b[2] + mull %edx + addl %eax,%ebp + movl 8(%esi),%eax + adcl %edx,%ebx + movl 12(%edi),%edx + adcl $0,%ecx + # mul a[2]*b[3] + mull %edx + addl %eax,%ebp + movl 4(%esi),%eax + adcl %edx,%ebx + movl 16(%edi),%edx + adcl $0,%ecx + # mul a[1]*b[4] + mull %edx + addl %eax,%ebp + movl (%esi),%eax + adcl %edx,%ebx + movl 20(%edi),%edx + adcl $0,%ecx + # mul a[0]*b[5] + mull %edx + addl %eax,%ebp + movl 20(%esp),%eax + adcl %edx,%ebx + movl (%edi),%edx + adcl $0,%ecx + movl %ebp,20(%eax) + movl 24(%esi),%eax + # saved r[5] + # ################## Calculate word 6 + xorl %ebp,%ebp + # mul a[6]*b[0] + mull %edx + addl %eax,%ebx + movl 20(%esi),%eax + adcl %edx,%ecx + movl 4(%edi),%edx + adcl $0,%ebp + # mul a[5]*b[1] + mull %edx + addl %eax,%ebx + movl 16(%esi),%eax + adcl %edx,%ecx + movl 
8(%edi),%edx + adcl $0,%ebp + # mul a[4]*b[2] + mull %edx + addl %eax,%ebx + movl 12(%esi),%eax + adcl %edx,%ecx + movl 12(%edi),%edx + adcl $0,%ebp + # mul a[3]*b[3] + mull %edx + addl %eax,%ebx + movl 8(%esi),%eax + adcl %edx,%ecx + movl 16(%edi),%edx + adcl $0,%ebp + # mul a[2]*b[4] + mull %edx + addl %eax,%ebx + movl 4(%esi),%eax + adcl %edx,%ecx + movl 20(%edi),%edx + adcl $0,%ebp + # mul a[1]*b[5] + mull %edx + addl %eax,%ebx + movl (%esi),%eax + adcl %edx,%ecx + movl 24(%edi),%edx + adcl $0,%ebp + # mul a[0]*b[6] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + movl (%edi),%edx + adcl $0,%ebp + movl %ebx,24(%eax) + movl 28(%esi),%eax + # saved r[6] + # ################## Calculate word 7 + xorl %ebx,%ebx + # mul a[7]*b[0] + mull %edx + addl %eax,%ecx + movl 24(%esi),%eax + adcl %edx,%ebp + movl 4(%edi),%edx + adcl $0,%ebx + # mul a[6]*b[1] + mull %edx + addl %eax,%ecx + movl 20(%esi),%eax + adcl %edx,%ebp + movl 8(%edi),%edx + adcl $0,%ebx + # mul a[5]*b[2] + mull %edx + addl %eax,%ecx + movl 16(%esi),%eax + adcl %edx,%ebp + movl 12(%edi),%edx + adcl $0,%ebx + # mul a[4]*b[3] + mull %edx + addl %eax,%ecx + movl 12(%esi),%eax + adcl %edx,%ebp + movl 16(%edi),%edx + adcl $0,%ebx + # mul a[3]*b[4] + mull %edx + addl %eax,%ecx + movl 8(%esi),%eax + adcl %edx,%ebp + movl 20(%edi),%edx + adcl $0,%ebx + # mul a[2]*b[5] + mull %edx + addl %eax,%ecx + movl 4(%esi),%eax + adcl %edx,%ebp + movl 24(%edi),%edx + adcl $0,%ebx + # mul a[1]*b[6] + mull %edx + addl %eax,%ecx + movl (%esi),%eax + adcl %edx,%ebp + movl 28(%edi),%edx + adcl $0,%ebx + # mul a[0]*b[7] + mull %edx + addl %eax,%ecx + movl 20(%esp),%eax + adcl %edx,%ebp + movl 4(%edi),%edx + adcl $0,%ebx + movl %ecx,28(%eax) + movl 28(%esi),%eax + # saved r[7] + # ################## Calculate word 8 + xorl %ecx,%ecx + # mul a[7]*b[1] + mull %edx + addl %eax,%ebp + movl 24(%esi),%eax + adcl %edx,%ebx + movl 8(%edi),%edx + adcl $0,%ecx + # mul a[6]*b[2] + mull %edx + addl %eax,%ebp + movl 
20(%esi),%eax + adcl %edx,%ebx + movl 12(%edi),%edx + adcl $0,%ecx + # mul a[5]*b[3] + mull %edx + addl %eax,%ebp + movl 16(%esi),%eax + adcl %edx,%ebx + movl 16(%edi),%edx + adcl $0,%ecx + # mul a[4]*b[4] + mull %edx + addl %eax,%ebp + movl 12(%esi),%eax + adcl %edx,%ebx + movl 20(%edi),%edx + adcl $0,%ecx + # mul a[3]*b[5] + mull %edx + addl %eax,%ebp + movl 8(%esi),%eax + adcl %edx,%ebx + movl 24(%edi),%edx + adcl $0,%ecx + # mul a[2]*b[6] + mull %edx + addl %eax,%ebp + movl 4(%esi),%eax + adcl %edx,%ebx + movl 28(%edi),%edx + adcl $0,%ecx + # mul a[1]*b[7] + mull %edx + addl %eax,%ebp + movl 20(%esp),%eax + adcl %edx,%ebx + movl 8(%edi),%edx + adcl $0,%ecx + movl %ebp,32(%eax) + movl 28(%esi),%eax + # saved r[8] + # ################## Calculate word 9 + xorl %ebp,%ebp + # mul a[7]*b[2] + mull %edx + addl %eax,%ebx + movl 24(%esi),%eax + adcl %edx,%ecx + movl 12(%edi),%edx + adcl $0,%ebp + # mul a[6]*b[3] + mull %edx + addl %eax,%ebx + movl 20(%esi),%eax + adcl %edx,%ecx + movl 16(%edi),%edx + adcl $0,%ebp + # mul a[5]*b[4] + mull %edx + addl %eax,%ebx + movl 16(%esi),%eax + adcl %edx,%ecx + movl 20(%edi),%edx + adcl $0,%ebp + # mul a[4]*b[5] + mull %edx + addl %eax,%ebx + movl 12(%esi),%eax + adcl %edx,%ecx + movl 24(%edi),%edx + adcl $0,%ebp + # mul a[3]*b[6] + mull %edx + addl %eax,%ebx + movl 8(%esi),%eax + adcl %edx,%ecx + movl 28(%edi),%edx + adcl $0,%ebp + # mul a[2]*b[7] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + movl 12(%edi),%edx + adcl $0,%ebp + movl %ebx,36(%eax) + movl 28(%esi),%eax + # saved r[9] + # ################## Calculate word 10 + xorl %ebx,%ebx + # mul a[7]*b[3] + mull %edx + addl %eax,%ecx + movl 24(%esi),%eax + adcl %edx,%ebp + movl 16(%edi),%edx + adcl $0,%ebx + # mul a[6]*b[4] + mull %edx + addl %eax,%ecx + movl 20(%esi),%eax + adcl %edx,%ebp + movl 20(%edi),%edx + adcl $0,%ebx + # mul a[5]*b[5] + mull %edx + addl %eax,%ecx + movl 16(%esi),%eax + adcl %edx,%ebp + movl 24(%edi),%edx + adcl $0,%ebx + # mul 
a[4]*b[6] + mull %edx + addl %eax,%ecx + movl 12(%esi),%eax + adcl %edx,%ebp + movl 28(%edi),%edx + adcl $0,%ebx + # mul a[3]*b[7] + mull %edx + addl %eax,%ecx + movl 20(%esp),%eax + adcl %edx,%ebp + movl 16(%edi),%edx + adcl $0,%ebx + movl %ecx,40(%eax) + movl 28(%esi),%eax + # saved r[10] + # ################## Calculate word 11 + xorl %ecx,%ecx + # mul a[7]*b[4] + mull %edx + addl %eax,%ebp + movl 24(%esi),%eax + adcl %edx,%ebx + movl 20(%edi),%edx + adcl $0,%ecx + # mul a[6]*b[5] + mull %edx + addl %eax,%ebp + movl 20(%esi),%eax + adcl %edx,%ebx + movl 24(%edi),%edx + adcl $0,%ecx + # mul a[5]*b[6] + mull %edx + addl %eax,%ebp + movl 16(%esi),%eax + adcl %edx,%ebx + movl 28(%edi),%edx + adcl $0,%ecx + # mul a[4]*b[7] + mull %edx + addl %eax,%ebp + movl 20(%esp),%eax + adcl %edx,%ebx + movl 20(%edi),%edx + adcl $0,%ecx + movl %ebp,44(%eax) + movl 28(%esi),%eax + # saved r[11] + # ################## Calculate word 12 + xorl %ebp,%ebp + # mul a[7]*b[5] + mull %edx + addl %eax,%ebx + movl 24(%esi),%eax + adcl %edx,%ecx + movl 24(%edi),%edx + adcl $0,%ebp + # mul a[6]*b[6] + mull %edx + addl %eax,%ebx + movl 20(%esi),%eax + adcl %edx,%ecx + movl 28(%edi),%edx + adcl $0,%ebp + # mul a[5]*b[7] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + movl 24(%edi),%edx + adcl $0,%ebp + movl %ebx,48(%eax) + movl 28(%esi),%eax + # saved r[12] + # ################## Calculate word 13 + xorl %ebx,%ebx + # mul a[7]*b[6] + mull %edx + addl %eax,%ecx + movl 24(%esi),%eax + adcl %edx,%ebp + movl 28(%edi),%edx + adcl $0,%ebx + # mul a[6]*b[7] + mull %edx + addl %eax,%ecx + movl 20(%esp),%eax + adcl %edx,%ebp + movl 28(%edi),%edx + adcl $0,%ebx + movl %ecx,52(%eax) + movl 28(%esi),%eax + # saved r[13] + # ################## Calculate word 14 + xorl %ecx,%ecx + # mul a[7]*b[7] + mull %edx + addl %eax,%ebp + movl 20(%esp),%eax + adcl %edx,%ebx + adcl $0,%ecx + movl %ebp,56(%eax) + # saved r[14] + # save r[15] + movl %ebx,60(%eax) + popl %ebx + popl %ebp + popl %edi + 
popl %esi + ret +.globl _bn_mul_comba4 +.private_extern _bn_mul_comba4 +.align 4 +_bn_mul_comba4: +L_bn_mul_comba4_begin: + pushl %esi + movl 12(%esp),%esi + pushl %edi + movl 20(%esp),%edi + pushl %ebp + pushl %ebx + xorl %ebx,%ebx + movl (%esi),%eax + xorl %ecx,%ecx + movl (%edi),%edx + # ################## Calculate word 0 + xorl %ebp,%ebp + # mul a[0]*b[0] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + movl (%edi),%edx + adcl $0,%ebp + movl %ebx,(%eax) + movl 4(%esi),%eax + # saved r[0] + # ################## Calculate word 1 + xorl %ebx,%ebx + # mul a[1]*b[0] + mull %edx + addl %eax,%ecx + movl (%esi),%eax + adcl %edx,%ebp + movl 4(%edi),%edx + adcl $0,%ebx + # mul a[0]*b[1] + mull %edx + addl %eax,%ecx + movl 20(%esp),%eax + adcl %edx,%ebp + movl (%edi),%edx + adcl $0,%ebx + movl %ecx,4(%eax) + movl 8(%esi),%eax + # saved r[1] + # ################## Calculate word 2 + xorl %ecx,%ecx + # mul a[2]*b[0] + mull %edx + addl %eax,%ebp + movl 4(%esi),%eax + adcl %edx,%ebx + movl 4(%edi),%edx + adcl $0,%ecx + # mul a[1]*b[1] + mull %edx + addl %eax,%ebp + movl (%esi),%eax + adcl %edx,%ebx + movl 8(%edi),%edx + adcl $0,%ecx + # mul a[0]*b[2] + mull %edx + addl %eax,%ebp + movl 20(%esp),%eax + adcl %edx,%ebx + movl (%edi),%edx + adcl $0,%ecx + movl %ebp,8(%eax) + movl 12(%esi),%eax + # saved r[2] + # ################## Calculate word 3 + xorl %ebp,%ebp + # mul a[3]*b[0] + mull %edx + addl %eax,%ebx + movl 8(%esi),%eax + adcl %edx,%ecx + movl 4(%edi),%edx + adcl $0,%ebp + # mul a[2]*b[1] + mull %edx + addl %eax,%ebx + movl 4(%esi),%eax + adcl %edx,%ecx + movl 8(%edi),%edx + adcl $0,%ebp + # mul a[1]*b[2] + mull %edx + addl %eax,%ebx + movl (%esi),%eax + adcl %edx,%ecx + movl 12(%edi),%edx + adcl $0,%ebp + # mul a[0]*b[3] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + movl 4(%edi),%edx + adcl $0,%ebp + movl %ebx,12(%eax) + movl 12(%esi),%eax + # saved r[3] + # ################## Calculate word 4 + xorl %ebx,%ebx + # mul 
a[3]*b[1] + mull %edx + addl %eax,%ecx + movl 8(%esi),%eax + adcl %edx,%ebp + movl 8(%edi),%edx + adcl $0,%ebx + # mul a[2]*b[2] + mull %edx + addl %eax,%ecx + movl 4(%esi),%eax + adcl %edx,%ebp + movl 12(%edi),%edx + adcl $0,%ebx + # mul a[1]*b[3] + mull %edx + addl %eax,%ecx + movl 20(%esp),%eax + adcl %edx,%ebp + movl 8(%edi),%edx + adcl $0,%ebx + movl %ecx,16(%eax) + movl 12(%esi),%eax + # saved r[4] + # ################## Calculate word 5 + xorl %ecx,%ecx + # mul a[3]*b[2] + mull %edx + addl %eax,%ebp + movl 8(%esi),%eax + adcl %edx,%ebx + movl 12(%edi),%edx + adcl $0,%ecx + # mul a[2]*b[3] + mull %edx + addl %eax,%ebp + movl 20(%esp),%eax + adcl %edx,%ebx + movl 12(%edi),%edx + adcl $0,%ecx + movl %ebp,20(%eax) + movl 12(%esi),%eax + # saved r[5] + # ################## Calculate word 6 + xorl %ebp,%ebp + # mul a[3]*b[3] + mull %edx + addl %eax,%ebx + movl 20(%esp),%eax + adcl %edx,%ecx + adcl $0,%ebp + movl %ebx,24(%eax) + # saved r[6] + # save r[7] + movl %ecx,28(%eax) + popl %ebx + popl %ebp + popl %edi + popl %esi + ret +.globl _bn_sqr_comba8 +.private_extern _bn_sqr_comba8 +.align 4 +_bn_sqr_comba8: +L_bn_sqr_comba8_begin: + pushl %esi + pushl %edi + pushl %ebp + pushl %ebx + movl 20(%esp),%edi + movl 24(%esp),%esi + xorl %ebx,%ebx + xorl %ecx,%ecx + movl (%esi),%eax + # ############### Calculate word 0 + xorl %ebp,%ebp + # sqr a[0]*a[0] + mull %eax + addl %eax,%ebx + adcl %edx,%ecx + movl (%esi),%edx + adcl $0,%ebp + movl %ebx,(%edi) + movl 4(%esi),%eax + # saved r[0] + # ############### Calculate word 1 + xorl %ebx,%ebx + # sqr a[1]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 8(%esi),%eax + adcl $0,%ebx + movl %ecx,4(%edi) + movl (%esi),%edx + # saved r[1] + # ############### Calculate word 2 + xorl %ecx,%ecx + # sqr a[2]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 4(%esi),%eax + adcl $0,%ecx + # sqr a[1]*a[1] + mull %eax + addl 
%eax,%ebp + adcl %edx,%ebx + movl (%esi),%edx + adcl $0,%ecx + movl %ebp,8(%edi) + movl 12(%esi),%eax + # saved r[2] + # ############### Calculate word 3 + xorl %ebp,%ebp + # sqr a[3]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 8(%esi),%eax + adcl $0,%ebp + movl 4(%esi),%edx + # sqr a[2]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 16(%esi),%eax + adcl $0,%ebp + movl %ebx,12(%edi) + movl (%esi),%edx + # saved r[3] + # ############### Calculate word 4 + xorl %ebx,%ebx + # sqr a[4]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 12(%esi),%eax + adcl $0,%ebx + movl 4(%esi),%edx + # sqr a[3]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 8(%esi),%eax + adcl $0,%ebx + # sqr a[2]*a[2] + mull %eax + addl %eax,%ecx + adcl %edx,%ebp + movl (%esi),%edx + adcl $0,%ebx + movl %ecx,16(%edi) + movl 20(%esi),%eax + # saved r[4] + # ############### Calculate word 5 + xorl %ecx,%ecx + # sqr a[5]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 16(%esi),%eax + adcl $0,%ecx + movl 4(%esi),%edx + # sqr a[4]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 12(%esi),%eax + adcl $0,%ecx + movl 8(%esi),%edx + # sqr a[3]*a[2] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 24(%esi),%eax + adcl $0,%ecx + movl %ebp,20(%edi) + movl (%esi),%edx + # saved r[5] + # ############### Calculate word 6 + xorl %ebp,%ebp + # sqr a[6]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 20(%esi),%eax + adcl $0,%ebp + movl 4(%esi),%edx + # sqr a[5]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl 
%edx,%ecx + movl 16(%esi),%eax + adcl $0,%ebp + movl 8(%esi),%edx + # sqr a[4]*a[2] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 12(%esi),%eax + adcl $0,%ebp + # sqr a[3]*a[3] + mull %eax + addl %eax,%ebx + adcl %edx,%ecx + movl (%esi),%edx + adcl $0,%ebp + movl %ebx,24(%edi) + movl 28(%esi),%eax + # saved r[6] + # ############### Calculate word 7 + xorl %ebx,%ebx + # sqr a[7]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 24(%esi),%eax + adcl $0,%ebx + movl 4(%esi),%edx + # sqr a[6]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 20(%esi),%eax + adcl $0,%ebx + movl 8(%esi),%edx + # sqr a[5]*a[2] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 16(%esi),%eax + adcl $0,%ebx + movl 12(%esi),%edx + # sqr a[4]*a[3] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 28(%esi),%eax + adcl $0,%ebx + movl %ecx,28(%edi) + movl 4(%esi),%edx + # saved r[7] + # ############### Calculate word 8 + xorl %ecx,%ecx + # sqr a[7]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 24(%esi),%eax + adcl $0,%ecx + movl 8(%esi),%edx + # sqr a[6]*a[2] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 20(%esi),%eax + adcl $0,%ecx + movl 12(%esi),%edx + # sqr a[5]*a[3] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 16(%esi),%eax + adcl $0,%ecx + # sqr a[4]*a[4] + mull %eax + addl %eax,%ebp + adcl %edx,%ebx + movl 8(%esi),%edx + adcl $0,%ecx + movl %ebp,32(%edi) + movl 28(%esi),%eax + # saved r[8] + # ############### Calculate word 9 + xorl %ebp,%ebp + # sqr a[7]*a[2] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl 
%edx,%ecx + movl 24(%esi),%eax + adcl $0,%ebp + movl 12(%esi),%edx + # sqr a[6]*a[3] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 20(%esi),%eax + adcl $0,%ebp + movl 16(%esi),%edx + # sqr a[5]*a[4] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 28(%esi),%eax + adcl $0,%ebp + movl %ebx,36(%edi) + movl 12(%esi),%edx + # saved r[9] + # ############### Calculate word 10 + xorl %ebx,%ebx + # sqr a[7]*a[3] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 24(%esi),%eax + adcl $0,%ebx + movl 16(%esi),%edx + # sqr a[6]*a[4] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 20(%esi),%eax + adcl $0,%ebx + # sqr a[5]*a[5] + mull %eax + addl %eax,%ecx + adcl %edx,%ebp + movl 16(%esi),%edx + adcl $0,%ebx + movl %ecx,40(%edi) + movl 28(%esi),%eax + # saved r[10] + # ############### Calculate word 11 + xorl %ecx,%ecx + # sqr a[7]*a[4] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 24(%esi),%eax + adcl $0,%ecx + movl 20(%esi),%edx + # sqr a[6]*a[5] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 28(%esi),%eax + adcl $0,%ecx + movl %ebp,44(%edi) + movl 20(%esi),%edx + # saved r[11] + # ############### Calculate word 12 + xorl %ebp,%ebp + # sqr a[7]*a[5] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 24(%esi),%eax + adcl $0,%ebp + # sqr a[6]*a[6] + mull %eax + addl %eax,%ebx + adcl %edx,%ecx + movl 24(%esi),%edx + adcl $0,%ebp + movl %ebx,48(%edi) + movl 28(%esi),%eax + # saved r[12] + # ############### Calculate word 13 + xorl %ebx,%ebx + # sqr a[7]*a[6] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 28(%esi),%eax + adcl $0,%ebx + movl %ecx,52(%edi) + # 
saved r[13] + # ############### Calculate word 14 + xorl %ecx,%ecx + # sqr a[7]*a[7] + mull %eax + addl %eax,%ebp + adcl %edx,%ebx + adcl $0,%ecx + movl %ebp,56(%edi) + # saved r[14] + movl %ebx,60(%edi) + popl %ebx + popl %ebp + popl %edi + popl %esi + ret +.globl _bn_sqr_comba4 +.private_extern _bn_sqr_comba4 +.align 4 +_bn_sqr_comba4: +L_bn_sqr_comba4_begin: + pushl %esi + pushl %edi + pushl %ebp + pushl %ebx + movl 20(%esp),%edi + movl 24(%esp),%esi + xorl %ebx,%ebx + xorl %ecx,%ecx + movl (%esi),%eax + # ############### Calculate word 0 + xorl %ebp,%ebp + # sqr a[0]*a[0] + mull %eax + addl %eax,%ebx + adcl %edx,%ecx + movl (%esi),%edx + adcl $0,%ebp + movl %ebx,(%edi) + movl 4(%esi),%eax + # saved r[0] + # ############### Calculate word 1 + xorl %ebx,%ebx + # sqr a[1]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 8(%esi),%eax + adcl $0,%ebx + movl %ecx,4(%edi) + movl (%esi),%edx + # saved r[1] + # ############### Calculate word 2 + xorl %ecx,%ecx + # sqr a[2]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 4(%esi),%eax + adcl $0,%ecx + # sqr a[1]*a[1] + mull %eax + addl %eax,%ebp + adcl %edx,%ebx + movl (%esi),%edx + adcl $0,%ecx + movl %ebp,8(%edi) + movl 12(%esi),%eax + # saved r[2] + # ############### Calculate word 3 + xorl %ebp,%ebp + # sqr a[3]*a[0] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 8(%esi),%eax + adcl $0,%ebp + movl 4(%esi),%edx + # sqr a[2]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebp + addl %eax,%ebx + adcl %edx,%ecx + movl 12(%esi),%eax + adcl $0,%ebp + movl %ebx,12(%edi) + movl 4(%esi),%edx + # saved r[3] + # ############### Calculate word 4 + xorl %ebx,%ebx + # sqr a[3]*a[1] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ebx + addl %eax,%ecx + adcl %edx,%ebp + movl 8(%esi),%eax + adcl $0,%ebx + # sqr a[2]*a[2] + mull %eax + addl 
%eax,%ecx + adcl %edx,%ebp + movl 8(%esi),%edx + adcl $0,%ebx + movl %ecx,16(%edi) + movl 12(%esi),%eax + # saved r[4] + # ############### Calculate word 5 + xorl %ecx,%ecx + # sqr a[3]*a[2] + mull %edx + addl %eax,%eax + adcl %edx,%edx + adcl $0,%ecx + addl %eax,%ebp + adcl %edx,%ebx + movl 12(%esi),%eax + adcl $0,%ecx + movl %ebp,20(%edi) + # saved r[5] + # ############### Calculate word 6 + xorl %ebp,%ebp + # sqr a[3]*a[3] + mull %eax + addl %eax,%ebx + adcl %edx,%ecx + adcl $0,%ebp + movl %ebx,24(%edi) + # saved r[6] + movl %ecx,28(%edi) + popl %ebx + popl %ebp + popl %edi + popl %esi + ret +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/co-586-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/co-586-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/co-586-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/co-586-linux.S index 7035a0bcb..7b0818bf4 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/co-586-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/co-586-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1264,7 +1263,6 @@ bn_sqr_comba4: ret .size bn_sqr_comba4,.-.L_bn_sqr_comba4_begin #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-armv4-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-armv4-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-armv4-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-armv4-linux.S index d0a6f8196..99877c0d6 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-armv4-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-armv4-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -244,7 +243,6 @@ gcm_ghash_neon: .align 2 .align 2 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-apple.S index bb62d508c..eff3a1596 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-neon-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -335,7 +334,6 @@ Lmasks: .align 2 .align 2 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-linux.S index 9ef9c492f..7a45fe89b 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-neon-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -335,7 +334,6 @@ gcm_ghash_neon: .align 2 .align 2 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-win.S new file mode 100644 index 000000000..9744675b8 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-neon-armv8-win.S 
@@ -0,0 +1,346 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +.text + +.globl gcm_init_neon + +.def gcm_init_neon + .type 32 +.endef +.align 4 +gcm_init_neon: + AARCH64_VALID_CALL_TARGET + // This function is adapted from gcm_init_v8. xC2 is t3. + ld1 {v17.2d}, [x1] // load H + movi v19.16b, #0xe1 + shl v19.2d, v19.2d, #57 // 0xc2.0 + ext v3.16b, v17.16b, v17.16b, #8 + ushr v18.2d, v19.2d, #63 + dup v17.4s, v17.s[1] + ext v16.16b, v18.16b, v19.16b, #8 // t0=0xc2....01 + ushr v18.2d, v3.2d, #63 + sshr v17.4s, v17.4s, #31 // broadcast carry bit + and v18.16b, v18.16b, v16.16b + shl v3.2d, v3.2d, #1 + ext v18.16b, v18.16b, v18.16b, #8 + and v16.16b, v16.16b, v17.16b + orr v3.16b, v3.16b, v18.16b // H<<<=1 + eor v5.16b, v3.16b, v16.16b // twisted H + st1 {v5.2d}, [x0] // store Htable[0] + ret + + +.globl gcm_gmult_neon + +.def gcm_gmult_neon + .type 32 +.endef +.align 4 +gcm_gmult_neon: + AARCH64_VALID_CALL_TARGET + ld1 {v3.16b}, [x0] // load Xi + ld1 {v5.1d}, [x1], #8 // load twisted H + ld1 {v6.1d}, [x1] + adrp x9, Lmasks // load constants + add x9, x9, :lo12:Lmasks + ld1 {v24.2d, v25.2d}, [x9] + rev64 v3.16b, v3.16b // byteswap Xi + ext v3.16b, v3.16b, v3.16b, #8 + eor v7.8b, v5.8b, v6.8b // Karatsuba pre-processing + + mov x3, #16 + b Lgmult_neon + + +.globl gcm_ghash_neon + +.def gcm_ghash_neon + .type 32 +.endef +.align 4 +gcm_ghash_neon: + AARCH64_VALID_CALL_TARGET + ld1 {v0.16b}, [x0] // load Xi + ld1 {v5.1d}, [x1], #8 // load twisted H + ld1 {v6.1d}, [x1] + adrp x9, Lmasks // load constants + add x9, x9, :lo12:Lmasks + ld1 {v24.2d, v25.2d}, [x9] + rev64 v0.16b, v0.16b // byteswap Xi + ext v0.16b, v0.16b, v0.16b, #8 + eor v7.8b, v5.8b, v6.8b // Karatsuba pre-processing + +Loop_neon: + ld1 {v3.16b}, [x2], #16 // load inp + rev64 v3.16b, v3.16b // 
byteswap inp + ext v3.16b, v3.16b, v3.16b, #8 + eor v3.16b, v3.16b, v0.16b // inp ^= Xi + +Lgmult_neon: + // Split the input into v3 and v4. (The upper halves are unused, + // so it is okay to leave them alone.) + ins v4.d[0], v3.d[1] + ext v16.8b, v5.8b, v5.8b, #1 // A1 + pmull v16.8h, v16.8b, v3.8b // F = A1*B + ext v0.8b, v3.8b, v3.8b, #1 // B1 + pmull v0.8h, v5.8b, v0.8b // E = A*B1 + ext v17.8b, v5.8b, v5.8b, #2 // A2 + pmull v17.8h, v17.8b, v3.8b // H = A2*B + ext v19.8b, v3.8b, v3.8b, #2 // B2 + pmull v19.8h, v5.8b, v19.8b // G = A*B2 + ext v18.8b, v5.8b, v5.8b, #3 // A3 + eor v16.16b, v16.16b, v0.16b // L = E + F + pmull v18.8h, v18.8b, v3.8b // J = A3*B + ext v0.8b, v3.8b, v3.8b, #3 // B3 + eor v17.16b, v17.16b, v19.16b // M = G + H + pmull v0.8h, v5.8b, v0.8b // I = A*B3 + + // Here we diverge from the 32-bit version. It computes the following + // (instructions reordered for clarity): + // + // veor $t0#lo, $t0#lo, $t0#hi @ t0 = P0 + P1 (L) + // vand $t0#hi, $t0#hi, $k48 + // veor $t0#lo, $t0#lo, $t0#hi + // + // veor $t1#lo, $t1#lo, $t1#hi @ t1 = P2 + P3 (M) + // vand $t1#hi, $t1#hi, $k32 + // veor $t1#lo, $t1#lo, $t1#hi + // + // veor $t2#lo, $t2#lo, $t2#hi @ t2 = P4 + P5 (N) + // vand $t2#hi, $t2#hi, $k16 + // veor $t2#lo, $t2#lo, $t2#hi + // + // veor $t3#lo, $t3#lo, $t3#hi @ t3 = P6 + P7 (K) + // vmov.i64 $t3#hi, #0 + // + // $kN is a mask with the bottom N bits set. AArch64 cannot compute on + // upper halves of SIMD registers, so we must split each half into + // separate registers. To compensate, we pair computations up and + // parallelize. + + ext v19.8b, v3.8b, v3.8b, #4 // B4 + eor v18.16b, v18.16b, v0.16b // N = I + J + pmull v19.8h, v5.8b, v19.8b // K = A*B4 + + // This can probably be scheduled more efficiently. For now, we just + // pair up independent instructions. 
+ zip1 v20.2d, v16.2d, v17.2d + zip1 v22.2d, v18.2d, v19.2d + zip2 v21.2d, v16.2d, v17.2d + zip2 v23.2d, v18.2d, v19.2d + eor v20.16b, v20.16b, v21.16b + eor v22.16b, v22.16b, v23.16b + and v21.16b, v21.16b, v24.16b + and v23.16b, v23.16b, v25.16b + eor v20.16b, v20.16b, v21.16b + eor v22.16b, v22.16b, v23.16b + zip1 v16.2d, v20.2d, v21.2d + zip1 v18.2d, v22.2d, v23.2d + zip2 v17.2d, v20.2d, v21.2d + zip2 v19.2d, v22.2d, v23.2d + + ext v16.16b, v16.16b, v16.16b, #15 // t0 = t0 << 8 + ext v17.16b, v17.16b, v17.16b, #14 // t1 = t1 << 16 + pmull v0.8h, v5.8b, v3.8b // D = A*B + ext v19.16b, v19.16b, v19.16b, #12 // t3 = t3 << 32 + ext v18.16b, v18.16b, v18.16b, #13 // t2 = t2 << 24 + eor v16.16b, v16.16b, v17.16b + eor v18.16b, v18.16b, v19.16b + eor v0.16b, v0.16b, v16.16b + eor v0.16b, v0.16b, v18.16b + eor v3.8b, v3.8b, v4.8b // Karatsuba pre-processing + ext v16.8b, v7.8b, v7.8b, #1 // A1 + pmull v16.8h, v16.8b, v3.8b // F = A1*B + ext v1.8b, v3.8b, v3.8b, #1 // B1 + pmull v1.8h, v7.8b, v1.8b // E = A*B1 + ext v17.8b, v7.8b, v7.8b, #2 // A2 + pmull v17.8h, v17.8b, v3.8b // H = A2*B + ext v19.8b, v3.8b, v3.8b, #2 // B2 + pmull v19.8h, v7.8b, v19.8b // G = A*B2 + ext v18.8b, v7.8b, v7.8b, #3 // A3 + eor v16.16b, v16.16b, v1.16b // L = E + F + pmull v18.8h, v18.8b, v3.8b // J = A3*B + ext v1.8b, v3.8b, v3.8b, #3 // B3 + eor v17.16b, v17.16b, v19.16b // M = G + H + pmull v1.8h, v7.8b, v1.8b // I = A*B3 + + // Here we diverge from the 32-bit version. 
It computes the following + // (instructions reordered for clarity): + // + // veor $t0#lo, $t0#lo, $t0#hi @ t0 = P0 + P1 (L) + // vand $t0#hi, $t0#hi, $k48 + // veor $t0#lo, $t0#lo, $t0#hi + // + // veor $t1#lo, $t1#lo, $t1#hi @ t1 = P2 + P3 (M) + // vand $t1#hi, $t1#hi, $k32 + // veor $t1#lo, $t1#lo, $t1#hi + // + // veor $t2#lo, $t2#lo, $t2#hi @ t2 = P4 + P5 (N) + // vand $t2#hi, $t2#hi, $k16 + // veor $t2#lo, $t2#lo, $t2#hi + // + // veor $t3#lo, $t3#lo, $t3#hi @ t3 = P6 + P7 (K) + // vmov.i64 $t3#hi, #0 + // + // $kN is a mask with the bottom N bits set. AArch64 cannot compute on + // upper halves of SIMD registers, so we must split each half into + // separate registers. To compensate, we pair computations up and + // parallelize. + + ext v19.8b, v3.8b, v3.8b, #4 // B4 + eor v18.16b, v18.16b, v1.16b // N = I + J + pmull v19.8h, v7.8b, v19.8b // K = A*B4 + + // This can probably be scheduled more efficiently. For now, we just + // pair up independent instructions. + zip1 v20.2d, v16.2d, v17.2d + zip1 v22.2d, v18.2d, v19.2d + zip2 v21.2d, v16.2d, v17.2d + zip2 v23.2d, v18.2d, v19.2d + eor v20.16b, v20.16b, v21.16b + eor v22.16b, v22.16b, v23.16b + and v21.16b, v21.16b, v24.16b + and v23.16b, v23.16b, v25.16b + eor v20.16b, v20.16b, v21.16b + eor v22.16b, v22.16b, v23.16b + zip1 v16.2d, v20.2d, v21.2d + zip1 v18.2d, v22.2d, v23.2d + zip2 v17.2d, v20.2d, v21.2d + zip2 v19.2d, v22.2d, v23.2d + + ext v16.16b, v16.16b, v16.16b, #15 // t0 = t0 << 8 + ext v17.16b, v17.16b, v17.16b, #14 // t1 = t1 << 16 + pmull v1.8h, v7.8b, v3.8b // D = A*B + ext v19.16b, v19.16b, v19.16b, #12 // t3 = t3 << 32 + ext v18.16b, v18.16b, v18.16b, #13 // t2 = t2 << 24 + eor v16.16b, v16.16b, v17.16b + eor v18.16b, v18.16b, v19.16b + eor v1.16b, v1.16b, v16.16b + eor v1.16b, v1.16b, v18.16b + ext v16.8b, v6.8b, v6.8b, #1 // A1 + pmull v16.8h, v16.8b, v4.8b // F = A1*B + ext v2.8b, v4.8b, v4.8b, #1 // B1 + pmull v2.8h, v6.8b, v2.8b // E = A*B1 + ext v17.8b, v6.8b, v6.8b, #2 // A2 + pmull 
v17.8h, v17.8b, v4.8b // H = A2*B + ext v19.8b, v4.8b, v4.8b, #2 // B2 + pmull v19.8h, v6.8b, v19.8b // G = A*B2 + ext v18.8b, v6.8b, v6.8b, #3 // A3 + eor v16.16b, v16.16b, v2.16b // L = E + F + pmull v18.8h, v18.8b, v4.8b // J = A3*B + ext v2.8b, v4.8b, v4.8b, #3 // B3 + eor v17.16b, v17.16b, v19.16b // M = G + H + pmull v2.8h, v6.8b, v2.8b // I = A*B3 + + // Here we diverge from the 32-bit version. It computes the following + // (instructions reordered for clarity): + // + // veor $t0#lo, $t0#lo, $t0#hi @ t0 = P0 + P1 (L) + // vand $t0#hi, $t0#hi, $k48 + // veor $t0#lo, $t0#lo, $t0#hi + // + // veor $t1#lo, $t1#lo, $t1#hi @ t1 = P2 + P3 (M) + // vand $t1#hi, $t1#hi, $k32 + // veor $t1#lo, $t1#lo, $t1#hi + // + // veor $t2#lo, $t2#lo, $t2#hi @ t2 = P4 + P5 (N) + // vand $t2#hi, $t2#hi, $k16 + // veor $t2#lo, $t2#lo, $t2#hi + // + // veor $t3#lo, $t3#lo, $t3#hi @ t3 = P6 + P7 (K) + // vmov.i64 $t3#hi, #0 + // + // $kN is a mask with the bottom N bits set. AArch64 cannot compute on + // upper halves of SIMD registers, so we must split each half into + // separate registers. To compensate, we pair computations up and + // parallelize. + + ext v19.8b, v4.8b, v4.8b, #4 // B4 + eor v18.16b, v18.16b, v2.16b // N = I + J + pmull v19.8h, v6.8b, v19.8b // K = A*B4 + + // This can probably be scheduled more efficiently. For now, we just + // pair up independent instructions. 
+ zip1 v20.2d, v16.2d, v17.2d + zip1 v22.2d, v18.2d, v19.2d + zip2 v21.2d, v16.2d, v17.2d + zip2 v23.2d, v18.2d, v19.2d + eor v20.16b, v20.16b, v21.16b + eor v22.16b, v22.16b, v23.16b + and v21.16b, v21.16b, v24.16b + and v23.16b, v23.16b, v25.16b + eor v20.16b, v20.16b, v21.16b + eor v22.16b, v22.16b, v23.16b + zip1 v16.2d, v20.2d, v21.2d + zip1 v18.2d, v22.2d, v23.2d + zip2 v17.2d, v20.2d, v21.2d + zip2 v19.2d, v22.2d, v23.2d + + ext v16.16b, v16.16b, v16.16b, #15 // t0 = t0 << 8 + ext v17.16b, v17.16b, v17.16b, #14 // t1 = t1 << 16 + pmull v2.8h, v6.8b, v4.8b // D = A*B + ext v19.16b, v19.16b, v19.16b, #12 // t3 = t3 << 32 + ext v18.16b, v18.16b, v18.16b, #13 // t2 = t2 << 24 + eor v16.16b, v16.16b, v17.16b + eor v18.16b, v18.16b, v19.16b + eor v2.16b, v2.16b, v16.16b + eor v2.16b, v2.16b, v18.16b + ext v16.16b, v0.16b, v2.16b, #8 + eor v1.16b, v1.16b, v0.16b // Karatsuba post-processing + eor v1.16b, v1.16b, v2.16b + eor v1.16b, v1.16b, v16.16b // Xm overlaps Xh.lo and Xl.hi + ins v0.d[1], v1.d[0] // Xh|Xl - 256-bit result + // This is a no-op due to the ins instruction below. + // ins v2.d[0], v1.d[1] + + // equivalent of reduction_avx from ghash-x86_64.pl + shl v17.2d, v0.2d, #57 // 1st phase + shl v18.2d, v0.2d, #62 + eor v18.16b, v18.16b, v17.16b // + shl v17.2d, v0.2d, #63 + eor v18.16b, v18.16b, v17.16b // + // Note Xm contains {Xl.d[1], Xh.d[0]}. 
+ eor v18.16b, v18.16b, v1.16b + ins v0.d[1], v18.d[0] // Xl.d[1] ^= t2.d[0] + ins v2.d[0], v18.d[1] // Xh.d[0] ^= t2.d[1] + + ushr v18.2d, v0.2d, #1 // 2nd phase + eor v2.16b, v2.16b,v0.16b + eor v0.16b, v0.16b,v18.16b // + ushr v18.2d, v18.2d, #6 + ushr v0.2d, v0.2d, #1 // + eor v0.16b, v0.16b, v2.16b // + eor v0.16b, v0.16b, v18.16b // + + subs x3, x3, #16 + bne Loop_neon + + rev64 v0.16b, v0.16b // byteswap Xi and write + ext v0.16b, v0.16b, v0.16b, #8 + st1 {v0.16b}, [x0] + + ret + + +.section .rodata +.align 4 +Lmasks: +.quad 0x0000ffffffffffff // k48 +.quad 0x00000000ffffffff // k32 +.quad 0x000000000000ffff // k16 +.quad 0x0000000000000000 // k0 +.byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,100,101,114,105,118,101,100,32,102,114,111,109,32,65,82,77,118,52,32,118,101,114,115,105,111,110,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.align 2 +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-apple.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-apple.S new file mode 100644 index 000000000..98f3fc169 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-apple.S 
@@ -0,0 +1,293 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _gcm_gmult_ssse3 +.private_extern _gcm_gmult_ssse3 +.align 4 +_gcm_gmult_ssse3: +L_gcm_gmult_ssse3_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%edi + movl 24(%esp),%esi + movdqu (%edi),%xmm0 + call L000pic_point +L000pic_point: + popl %eax + movdqa Lreverse_bytes-L000pic_point(%eax),%xmm7 + movdqa Llow4_mask-L000pic_point(%eax),%xmm2 +.byte 102,15,56,0,199 + movdqa %xmm2,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm2,%xmm0 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + movl $5,%eax +L001loop_row_1: + movdqa (%esi),%xmm4 + leal 16(%esi),%esi + movdqa %xmm2,%xmm6 +.byte 102,15,58,15,243,1 + movdqa %xmm6,%xmm3 + psrldq $1,%xmm2 + movdqa %xmm4,%xmm5 +.byte 102,15,56,0,224 +.byte 102,15,56,0,233 + pxor %xmm5,%xmm2 + movdqa %xmm4,%xmm5 + psllq $60,%xmm5 + movdqa %xmm5,%xmm6 + pslldq $8,%xmm6 + pxor %xmm6,%xmm3 + psrldq $8,%xmm5 + pxor %xmm5,%xmm2 + psrlq $4,%xmm4 + pxor %xmm4,%xmm2 + subl $1,%eax + jnz L001loop_row_1 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $5,%xmm3 + pxor %xmm3,%xmm2 + pxor %xmm3,%xmm3 + movl $5,%eax +L002loop_row_2: + movdqa (%esi),%xmm4 + leal 16(%esi),%esi + movdqa %xmm2,%xmm6 +.byte 102,15,58,15,243,1 + movdqa %xmm6,%xmm3 + psrldq $1,%xmm2 + movdqa %xmm4,%xmm5 +.byte 102,15,56,0,224 +.byte 102,15,56,0,233 + pxor %xmm5,%xmm2 + movdqa %xmm4,%xmm5 + psllq $60,%xmm5 + movdqa %xmm5,%xmm6 + pslldq $8,%xmm6 + pxor %xmm6,%xmm3 + psrldq $8,%xmm5 + pxor %xmm5,%xmm2 + psrlq $4,%xmm4 + pxor %xmm4,%xmm2 + subl $1,%eax + jnz L002loop_row_2 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $5,%xmm3 + pxor %xmm3,%xmm2 + pxor %xmm3,%xmm3 + movl $6,%eax 
+L003loop_row_3: + movdqa (%esi),%xmm4 + leal 16(%esi),%esi + movdqa %xmm2,%xmm6 +.byte 102,15,58,15,243,1 + movdqa %xmm6,%xmm3 + psrldq $1,%xmm2 + movdqa %xmm4,%xmm5 +.byte 102,15,56,0,224 +.byte 102,15,56,0,233 + pxor %xmm5,%xmm2 + movdqa %xmm4,%xmm5 + psllq $60,%xmm5 + movdqa %xmm5,%xmm6 + pslldq $8,%xmm6 + pxor %xmm6,%xmm3 + psrldq $8,%xmm5 + pxor %xmm5,%xmm2 + psrlq $4,%xmm4 + pxor %xmm4,%xmm2 + subl $1,%eax + jnz L003loop_row_3 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $5,%xmm3 + pxor %xmm3,%xmm2 + pxor %xmm3,%xmm3 +.byte 102,15,56,0,215 + movdqu %xmm2,(%edi) + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _gcm_ghash_ssse3 +.private_extern _gcm_ghash_ssse3 +.align 4 +_gcm_ghash_ssse3: +L_gcm_ghash_ssse3_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%edi + movl 24(%esp),%esi + movl 28(%esp),%edx + movl 32(%esp),%ecx + movdqu (%edi),%xmm0 + call L004pic_point +L004pic_point: + popl %ebx + movdqa Lreverse_bytes-L004pic_point(%ebx),%xmm7 + andl $-16,%ecx +.byte 102,15,56,0,199 + pxor %xmm3,%xmm3 +L005loop_ghash: + movdqa Llow4_mask-L004pic_point(%ebx),%xmm2 + movdqu (%edx),%xmm1 +.byte 102,15,56,0,207 + pxor %xmm1,%xmm0 + movdqa %xmm2,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm2,%xmm0 + pxor %xmm2,%xmm2 + movl $5,%eax +L006loop_row_4: + movdqa (%esi),%xmm4 + leal 16(%esi),%esi + movdqa %xmm2,%xmm6 +.byte 102,15,58,15,243,1 + movdqa %xmm6,%xmm3 + psrldq $1,%xmm2 + movdqa %xmm4,%xmm5 +.byte 102,15,56,0,224 +.byte 102,15,56,0,233 + pxor %xmm5,%xmm2 + movdqa %xmm4,%xmm5 + psllq $60,%xmm5 + movdqa %xmm5,%xmm6 + pslldq $8,%xmm6 + pxor %xmm6,%xmm3 + psrldq $8,%xmm5 + pxor %xmm5,%xmm2 + psrlq $4,%xmm4 + pxor %xmm4,%xmm2 + subl $1,%eax + jnz L006loop_row_4 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + 
pxor %xmm3,%xmm2 + psrlq $5,%xmm3 + pxor %xmm3,%xmm2 + pxor %xmm3,%xmm3 + movl $5,%eax +L007loop_row_5: + movdqa (%esi),%xmm4 + leal 16(%esi),%esi + movdqa %xmm2,%xmm6 +.byte 102,15,58,15,243,1 + movdqa %xmm6,%xmm3 + psrldq $1,%xmm2 + movdqa %xmm4,%xmm5 +.byte 102,15,56,0,224 +.byte 102,15,56,0,233 + pxor %xmm5,%xmm2 + movdqa %xmm4,%xmm5 + psllq $60,%xmm5 + movdqa %xmm5,%xmm6 + pslldq $8,%xmm6 + pxor %xmm6,%xmm3 + psrldq $8,%xmm5 + pxor %xmm5,%xmm2 + psrlq $4,%xmm4 + pxor %xmm4,%xmm2 + subl $1,%eax + jnz L007loop_row_5 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $5,%xmm3 + pxor %xmm3,%xmm2 + pxor %xmm3,%xmm3 + movl $6,%eax +L008loop_row_6: + movdqa (%esi),%xmm4 + leal 16(%esi),%esi + movdqa %xmm2,%xmm6 +.byte 102,15,58,15,243,1 + movdqa %xmm6,%xmm3 + psrldq $1,%xmm2 + movdqa %xmm4,%xmm5 +.byte 102,15,56,0,224 +.byte 102,15,56,0,233 + pxor %xmm5,%xmm2 + movdqa %xmm4,%xmm5 + psllq $60,%xmm5 + movdqa %xmm5,%xmm6 + pslldq $8,%xmm6 + pxor %xmm6,%xmm3 + psrldq $8,%xmm5 + pxor %xmm5,%xmm2 + psrlq $4,%xmm4 + pxor %xmm4,%xmm2 + subl $1,%eax + jnz L008loop_row_6 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $1,%xmm3 + pxor %xmm3,%xmm2 + psrlq $5,%xmm3 + pxor %xmm3,%xmm2 + pxor %xmm3,%xmm3 + movdqa %xmm2,%xmm0 + leal -256(%esi),%esi + leal 16(%edx),%edx + subl $16,%ecx + jnz L005loop_ghash +.byte 102,15,56,0,199 + movdqu %xmm0,(%edi) + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.align 4,0x90 +Lreverse_bytes: +.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +.align 4,0x90 +Llow4_mask: +.long 252645135,252645135,252645135,252645135 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-linux.S index 28676b5f0..10f5f889b 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -292,7 +291,6 @@ gcm_ghash_ssse3: .Llow4_mask: .long 252645135,252645135,252645135,252645135 #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-apple.S index 66959369d..e3ec3defb 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -423,7 +422,6 @@ L$low4_mask: .quad 0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-linux.S index 7d5a7cda1..7aca38937 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-ssse3-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -423,7 +422,6 @@ _CET_ENDBR .quad 0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/ghash-x86-apple.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86-apple.S new file mode 100644 index 000000000..83e0a342c --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86-apple.S 
@@ -0,0 +1,327 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _gcm_init_clmul +.private_extern _gcm_init_clmul +.align 4 +_gcm_init_clmul: +L_gcm_init_clmul_begin: + movl 4(%esp),%edx + movl 8(%esp),%eax + call L000pic +L000pic: + popl %ecx + leal Lbswap-L000pic(%ecx),%ecx + movdqu (%eax),%xmm2 + pshufd $78,%xmm2,%xmm2 + pshufd $255,%xmm2,%xmm4 + movdqa %xmm2,%xmm3 + psllq $1,%xmm2 + pxor %xmm5,%xmm5 + psrlq $63,%xmm3 + pcmpgtd %xmm4,%xmm5 + pslldq $8,%xmm3 + por %xmm3,%xmm2 + pand 16(%ecx),%xmm5 + pxor %xmm5,%xmm2 + movdqa %xmm2,%xmm0 + movdqa %xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pshufd $78,%xmm2,%xmm4 + pxor %xmm0,%xmm3 + pxor %xmm2,%xmm4 +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,220,0 + xorps %xmm0,%xmm3 + xorps %xmm1,%xmm3 + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + movdqa %xmm0,%xmm4 + movdqa %xmm0,%xmm3 + psllq $5,%xmm0 + pxor %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm3 + pslldq $8,%xmm0 + psrldq $8,%xmm3 + pxor %xmm4,%xmm0 + pxor %xmm3,%xmm1 + movdqa %xmm0,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm1 + pxor %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm1,%xmm0 + pshufd $78,%xmm2,%xmm3 + pshufd $78,%xmm0,%xmm4 + pxor %xmm2,%xmm3 + movdqu %xmm2,(%edx) + pxor %xmm0,%xmm4 + movdqu %xmm0,16(%edx) +.byte 102,15,58,15,227,8 + movdqu %xmm4,32(%edx) + ret +.globl _gcm_gmult_clmul +.private_extern _gcm_gmult_clmul +.align 4 +_gcm_gmult_clmul: +L_gcm_gmult_clmul_begin: + movl 4(%esp),%eax + movl 8(%esp),%edx + call L001pic +L001pic: + popl %ecx + leal Lbswap-L001pic(%ecx),%ecx + movdqu (%eax),%xmm0 + movdqa (%ecx),%xmm5 + movups (%edx),%xmm2 +.byte 102,15,56,0,197 + movups 32(%edx),%xmm4 + movdqa 
%xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pxor %xmm0,%xmm3 +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,220,0 + xorps %xmm0,%xmm3 + xorps %xmm1,%xmm3 + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + movdqa %xmm0,%xmm4 + movdqa %xmm0,%xmm3 + psllq $5,%xmm0 + pxor %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm3 + pslldq $8,%xmm0 + psrldq $8,%xmm3 + pxor %xmm4,%xmm0 + pxor %xmm3,%xmm1 + movdqa %xmm0,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm1 + pxor %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm1,%xmm0 +.byte 102,15,56,0,197 + movdqu %xmm0,(%eax) + ret +.globl _gcm_ghash_clmul +.private_extern _gcm_ghash_clmul +.align 4 +_gcm_ghash_clmul: +L_gcm_ghash_clmul_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%eax + movl 24(%esp),%edx + movl 28(%esp),%esi + movl 32(%esp),%ebx + call L002pic +L002pic: + popl %ecx + leal Lbswap-L002pic(%ecx),%ecx + movdqu (%eax),%xmm0 + movdqa (%ecx),%xmm5 + movdqu (%edx),%xmm2 +.byte 102,15,56,0,197 + subl $16,%ebx + jz L003odd_tail + movdqu (%esi),%xmm3 + movdqu 16(%esi),%xmm6 +.byte 102,15,56,0,221 +.byte 102,15,56,0,245 + movdqu 32(%edx),%xmm5 + pxor %xmm3,%xmm0 + pshufd $78,%xmm6,%xmm3 + movdqa %xmm6,%xmm7 + pxor %xmm6,%xmm3 + leal 32(%esi),%esi +.byte 102,15,58,68,242,0 +.byte 102,15,58,68,250,17 +.byte 102,15,58,68,221,0 + movups 16(%edx),%xmm2 + nop + subl $32,%ebx + jbe L004even_tail + jmp L005mod_loop +.align 5,0x90 +L005mod_loop: + pshufd $78,%xmm0,%xmm4 + movdqa %xmm0,%xmm1 + pxor %xmm0,%xmm4 + nop +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,229,16 + movups (%edx),%xmm2 + xorps %xmm6,%xmm0 + movdqa (%ecx),%xmm5 + xorps %xmm7,%xmm1 + movdqu (%esi),%xmm7 + pxor %xmm0,%xmm3 + movdqu 16(%esi),%xmm6 + pxor %xmm1,%xmm3 +.byte 102,15,56,0,253 + pxor %xmm3,%xmm4 + movdqa %xmm4,%xmm3 + psrldq $8,%xmm4 + pslldq $8,%xmm3 + pxor %xmm4,%xmm1 + pxor 
%xmm3,%xmm0 +.byte 102,15,56,0,245 + pxor %xmm7,%xmm1 + movdqa %xmm6,%xmm7 + movdqa %xmm0,%xmm4 + movdqa %xmm0,%xmm3 + psllq $5,%xmm0 + pxor %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 +.byte 102,15,58,68,242,0 + movups 32(%edx),%xmm5 + psllq $57,%xmm0 + movdqa %xmm0,%xmm3 + pslldq $8,%xmm0 + psrldq $8,%xmm3 + pxor %xmm4,%xmm0 + pxor %xmm3,%xmm1 + pshufd $78,%xmm7,%xmm3 + movdqa %xmm0,%xmm4 + psrlq $1,%xmm0 + pxor %xmm7,%xmm3 + pxor %xmm4,%xmm1 +.byte 102,15,58,68,250,17 + movups 16(%edx),%xmm2 + pxor %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm1,%xmm0 +.byte 102,15,58,68,221,0 + leal 32(%esi),%esi + subl $32,%ebx + ja L005mod_loop +L004even_tail: + pshufd $78,%xmm0,%xmm4 + movdqa %xmm0,%xmm1 + pxor %xmm0,%xmm4 +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,229,16 + movdqa (%ecx),%xmm5 + xorps %xmm6,%xmm0 + xorps %xmm7,%xmm1 + pxor %xmm0,%xmm3 + pxor %xmm1,%xmm3 + pxor %xmm3,%xmm4 + movdqa %xmm4,%xmm3 + psrldq $8,%xmm4 + pslldq $8,%xmm3 + pxor %xmm4,%xmm1 + pxor %xmm3,%xmm0 + movdqa %xmm0,%xmm4 + movdqa %xmm0,%xmm3 + psllq $5,%xmm0 + pxor %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm3 + pslldq $8,%xmm0 + psrldq $8,%xmm3 + pxor %xmm4,%xmm0 + pxor %xmm3,%xmm1 + movdqa %xmm0,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm1 + pxor %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm1,%xmm0 + testl %ebx,%ebx + jnz L006done + movups (%edx),%xmm2 +L003odd_tail: + movdqu (%esi),%xmm3 +.byte 102,15,56,0,221 + pxor %xmm3,%xmm0 + movdqa %xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pshufd $78,%xmm2,%xmm4 + pxor %xmm0,%xmm3 + pxor %xmm2,%xmm4 +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,220,0 + xorps %xmm0,%xmm3 + xorps %xmm1,%xmm3 + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + movdqa %xmm0,%xmm4 + movdqa %xmm0,%xmm3 + psllq $5,%xmm0 + pxor %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + 
psllq $57,%xmm0 + movdqa %xmm0,%xmm3 + pslldq $8,%xmm0 + psrldq $8,%xmm3 + pxor %xmm4,%xmm0 + pxor %xmm3,%xmm1 + movdqa %xmm0,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm1 + pxor %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm1,%xmm0 +L006done: +.byte 102,15,56,0,197 + movdqu %xmm0,(%eax) + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.align 6,0x90 +Lbswap: +.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +.byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,194 +.byte 71,72,65,83,72,32,102,111,114,32,120,56,54,44,32,67 +.byte 82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112 +.byte 112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62 +.byte 0 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-x86-linux.S index 41ad0c426..7e80141d8 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -328,7 +327,6 @@ gcm_ghash_clmul: .byte 112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62 .byte 0 #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-apple.S index 79a116f3c..029dcf5ca 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,7 +6,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - .globl _gcm_init_clmul .private_extern _gcm_init_clmul @@ -245,15 +243,9 @@ L$_ghash_clmul: jz L$odd_tail movdqu 16(%rsi),%xmm6 - leaq _OPENSSL_ia32cap_P(%rip),%rax - movl 4(%rax),%eax cmpq $0x30,%rcx jb L$skip4x - andl $71303168,%eax - cmpl $4194304,%eax - je L$skip4x - subq $0x30,%rcx movq $0xA040608020C0E000,%rax movdqu 48(%rsi),%xmm14 @@ -621,6 +613,7 @@ L$done: .p2align 5 _gcm_init_avx: + _CET_ENDBR vzeroupper @@ -743,6 +736,7 @@ _CET_ENDBR .p2align 5 _gcm_ghash_avx: + _CET_ENDBR vzeroupper @@ -1132,7 +1126,6 @@ L$7_mask: .p2align 6 .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-linux.S index a1796c49f..14aca581b 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghash-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghash-x86_64-linux.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,8 +6,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P .globl gcm_init_clmul .hidden gcm_init_clmul .type gcm_init_clmul,@function @@ -246,15 +243,9 @@ _CET_ENDBR jz .Lodd_tail movdqu 16(%rsi),%xmm6 - leaq OPENSSL_ia32cap_P(%rip),%rax - movl 4(%rax),%eax cmpq $0x30,%rcx jb .Lskip4x - andl $71303168,%eax - cmpl $4194304,%eax - je .Lskip4x - subq $0x30,%rcx movq $0xA040608020C0E000,%rax movdqu 48(%rsi),%xmm14 @@ -622,6 +613,7 @@ _CET_ENDBR .align 32 gcm_init_avx: .cfi_startproc + _CET_ENDBR vzeroupper @@ -744,6 +736,7 @@ _CET_ENDBR .align 32 gcm_ghash_avx: .cfi_startproc + _CET_ENDBR vzeroupper @@ -1133,7 +1126,6 @@ _CET_ENDBR .align 64 .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv7-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv7-linux.S index c1118e71d..31dd0b525 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv7-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv7-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -246,7 +245,6 @@ gcm_ghash_v8: .align 2 #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-apple.S index ad4d98b57..0abf718af 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -565,7 +564,6 @@ Ldone4x: .align 2 #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-linux.S index 699a6309a..eeaea9ad7 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/ghashv8-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -565,7 +564,6 @@ gcm_ghash_v8_4x: .align 2 #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-win.S new file mode 100644 index 000000000..17d0ecce1 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/ghashv8-armv8-win.S 
@@ -0,0 +1,578 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +#if __ARM_MAX_ARCH__>=7 +.text +.arch armv8-a+crypto +.globl gcm_init_v8 + +.def gcm_init_v8 + .type 32 +.endef +.align 4 +gcm_init_v8: + AARCH64_VALID_CALL_TARGET + ld1 {v17.2d},[x1] //load input H + movi v19.16b,#0xe1 + shl v19.2d,v19.2d,#57 //0xc2.0 + ext v3.16b,v17.16b,v17.16b,#8 + ushr v18.2d,v19.2d,#63 + dup v17.4s,v17.s[1] + ext v16.16b,v18.16b,v19.16b,#8 //t0=0xc2....01 + ushr v18.2d,v3.2d,#63 + sshr v17.4s,v17.4s,#31 //broadcast carry bit + and v18.16b,v18.16b,v16.16b + shl v3.2d,v3.2d,#1 + ext v18.16b,v18.16b,v18.16b,#8 + and v16.16b,v16.16b,v17.16b + orr v3.16b,v3.16b,v18.16b //H<<<=1 + eor v20.16b,v3.16b,v16.16b //twisted H + st1 {v20.2d},[x0],#16 //store Htable[0] + + //calculate H^2 + ext v16.16b,v20.16b,v20.16b,#8 //Karatsuba pre-processing + pmull v0.1q,v20.1d,v20.1d + eor v16.16b,v16.16b,v20.16b + pmull2 v2.1q,v20.2d,v20.2d + pmull v1.1q,v16.1d,v16.1d + + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + eor v1.16b,v1.16b,v18.16b + pmull v18.1q,v0.1d,v19.1d //1st phase + + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + eor v0.16b,v1.16b,v18.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase + pmull v0.1q,v0.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + eor v22.16b,v0.16b,v18.16b + + ext v17.16b,v22.16b,v22.16b,#8 //Karatsuba pre-processing + eor v17.16b,v17.16b,v22.16b + ext v21.16b,v16.16b,v17.16b,#8 //pack Karatsuba pre-processed + st1 {v21.2d,v22.2d},[x0],#32 //store Htable[1..2] + //calculate H^3 and H^4 + pmull v0.1q,v20.1d, v22.1d + pmull v5.1q,v22.1d,v22.1d + pmull2 v2.1q,v20.2d, v22.2d + pmull2 v7.1q,v22.2d,v22.2d + pmull v1.1q,v16.1d,v17.1d + pmull v6.1q,v17.1d,v17.1d + + ext v16.16b,v0.16b,v2.16b,#8 //Karatsuba 
post-processing + ext v17.16b,v5.16b,v7.16b,#8 + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v16.16b + eor v4.16b,v5.16b,v7.16b + eor v6.16b,v6.16b,v17.16b + eor v1.16b,v1.16b,v18.16b + pmull v18.1q,v0.1d,v19.1d //1st phase + eor v6.16b,v6.16b,v4.16b + pmull v4.1q,v5.1d,v19.1d + + ins v2.d[0],v1.d[1] + ins v7.d[0],v6.d[1] + ins v1.d[1],v0.d[0] + ins v6.d[1],v5.d[0] + eor v0.16b,v1.16b,v18.16b + eor v5.16b,v6.16b,v4.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase + ext v4.16b,v5.16b,v5.16b,#8 + pmull v0.1q,v0.1d,v19.1d + pmull v5.1q,v5.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + eor v4.16b,v4.16b,v7.16b + eor v20.16b, v0.16b,v18.16b //H^3 + eor v22.16b,v5.16b,v4.16b //H^4 + + ext v16.16b,v20.16b, v20.16b,#8 //Karatsuba pre-processing + ext v17.16b,v22.16b,v22.16b,#8 + eor v16.16b,v16.16b,v20.16b + eor v17.16b,v17.16b,v22.16b + ext v21.16b,v16.16b,v17.16b,#8 //pack Karatsuba pre-processed + st1 {v20.2d,v21.2d,v22.2d},[x0] //store Htable[3..5] + ret + +.globl gcm_gmult_v8 + +.def gcm_gmult_v8 + .type 32 +.endef +.align 4 +gcm_gmult_v8: + AARCH64_VALID_CALL_TARGET + ld1 {v17.2d},[x0] //load Xi + movi v19.16b,#0xe1 + ld1 {v20.2d,v21.2d},[x1] //load twisted H, ... 
+ shl v19.2d,v19.2d,#57 +#ifndef __AARCH64EB__ + rev64 v17.16b,v17.16b +#endif + ext v3.16b,v17.16b,v17.16b,#8 + + pmull v0.1q,v20.1d,v3.1d //H.lo·Xi.lo + eor v17.16b,v17.16b,v3.16b //Karatsuba pre-processing + pmull2 v2.1q,v20.2d,v3.2d //H.hi·Xi.hi + pmull v1.1q,v21.1d,v17.1d //(H.lo+H.hi)·(Xi.lo+Xi.hi) + + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + eor v1.16b,v1.16b,v18.16b + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + eor v0.16b,v1.16b,v18.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + eor v0.16b,v0.16b,v18.16b + +#ifndef __AARCH64EB__ + rev64 v0.16b,v0.16b +#endif + ext v0.16b,v0.16b,v0.16b,#8 + st1 {v0.2d},[x0] //write out Xi + + ret + +.globl gcm_ghash_v8 + +.def gcm_ghash_v8 + .type 32 +.endef +.align 4 +gcm_ghash_v8: + AARCH64_VALID_CALL_TARGET + cmp x3,#64 + b.hs Lgcm_ghash_v8_4x + ld1 {v0.2d},[x0] //load [rotated] Xi + //"[rotated]" means that + //loaded value would have + //to be rotated in order to + //make it appear as in + //algorithm specification + subs x3,x3,#32 //see if x3 is 32 or larger + mov x12,#16 //x12 is used as post- + //increment for input pointer; + //as loop is modulo-scheduled + //x12 is zeroed just in time + //to preclude overstepping + //inp[len], which means that + //last block[s] are actually + //loaded twice, but last + //copy is not processed + ld1 {v20.2d,v21.2d},[x1],#32 //load twisted H, ..., H^2 + movi v19.16b,#0xe1 + ld1 {v22.2d},[x1] + csel x12,xzr,x12,eq //is it time to zero x12? 
+ ext v0.16b,v0.16b,v0.16b,#8 //rotate Xi + ld1 {v16.2d},[x2],#16 //load [rotated] I[0] + shl v19.2d,v19.2d,#57 //compose 0xc2.0 constant +#ifndef __AARCH64EB__ + rev64 v16.16b,v16.16b + rev64 v0.16b,v0.16b +#endif + ext v3.16b,v16.16b,v16.16b,#8 //rotate I[0] + b.lo Lodd_tail_v8 //x3 was less than 32 + ld1 {v17.2d},[x2],x12 //load [rotated] I[1] +#ifndef __AARCH64EB__ + rev64 v17.16b,v17.16b +#endif + ext v7.16b,v17.16b,v17.16b,#8 + eor v3.16b,v3.16b,v0.16b //I[i]^=Xi + pmull v4.1q,v20.1d,v7.1d //H·Ii+1 + eor v17.16b,v17.16b,v7.16b //Karatsuba pre-processing + pmull2 v6.1q,v20.2d,v7.2d + b Loop_mod2x_v8 + +.align 4 +Loop_mod2x_v8: + ext v18.16b,v3.16b,v3.16b,#8 + subs x3,x3,#32 //is there more data? + pmull v0.1q,v22.1d,v3.1d //H^2.lo·Xi.lo + csel x12,xzr,x12,lo //is it time to zero x12? + + pmull v5.1q,v21.1d,v17.1d + eor v18.16b,v18.16b,v3.16b //Karatsuba pre-processing + pmull2 v2.1q,v22.2d,v3.2d //H^2.hi·Xi.hi + eor v0.16b,v0.16b,v4.16b //accumulate + pmull2 v1.1q,v21.2d,v18.2d //(H^2.lo+H^2.hi)·(Xi.lo+Xi.hi) + ld1 {v16.2d},[x2],x12 //load [rotated] I[i+2] + + eor v2.16b,v2.16b,v6.16b + csel x12,xzr,x12,eq //is it time to zero x12? 
+ eor v1.16b,v1.16b,v5.16b + + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + ld1 {v17.2d},[x2],x12 //load [rotated] I[i+3] +#ifndef __AARCH64EB__ + rev64 v16.16b,v16.16b +#endif + eor v1.16b,v1.16b,v18.16b + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + +#ifndef __AARCH64EB__ + rev64 v17.16b,v17.16b +#endif + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + ext v7.16b,v17.16b,v17.16b,#8 + ext v3.16b,v16.16b,v16.16b,#8 + eor v0.16b,v1.16b,v18.16b + pmull v4.1q,v20.1d,v7.1d //H·Ii+1 + eor v3.16b,v3.16b,v2.16b //accumulate v3.16b early + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + eor v3.16b,v3.16b,v18.16b + eor v17.16b,v17.16b,v7.16b //Karatsuba pre-processing + eor v3.16b,v3.16b,v0.16b + pmull2 v6.1q,v20.2d,v7.2d + b.hs Loop_mod2x_v8 //there was at least 32 more bytes + + eor v2.16b,v2.16b,v18.16b + ext v3.16b,v16.16b,v16.16b,#8 //re-construct v3.16b + adds x3,x3,#32 //re-construct x3 + eor v0.16b,v0.16b,v2.16b //re-construct v0.16b + b.eq Ldone_v8 //is x3 zero? 
+Lodd_tail_v8: + ext v18.16b,v0.16b,v0.16b,#8 + eor v3.16b,v3.16b,v0.16b //inp^=Xi + eor v17.16b,v16.16b,v18.16b //v17.16b is rotated inp^Xi + + pmull v0.1q,v20.1d,v3.1d //H.lo·Xi.lo + eor v17.16b,v17.16b,v3.16b //Karatsuba pre-processing + pmull2 v2.1q,v20.2d,v3.2d //H.hi·Xi.hi + pmull v1.1q,v21.1d,v17.1d //(H.lo+H.hi)·(Xi.lo+Xi.hi) + + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + eor v1.16b,v1.16b,v18.16b + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + eor v0.16b,v1.16b,v18.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + eor v0.16b,v0.16b,v18.16b + +Ldone_v8: +#ifndef __AARCH64EB__ + rev64 v0.16b,v0.16b +#endif + ext v0.16b,v0.16b,v0.16b,#8 + st1 {v0.2d},[x0] //write out Xi + + ret + +.def gcm_ghash_v8_4x + .type 32 +.endef +.align 4 +gcm_ghash_v8_4x: +Lgcm_ghash_v8_4x: + ld1 {v0.2d},[x0] //load [rotated] Xi + ld1 {v20.2d,v21.2d,v22.2d},[x1],#48 //load twisted H, ..., H^2 + movi v19.16b,#0xe1 + ld1 {v26.2d,v27.2d,v28.2d},[x1] //load twisted H^3, ..., H^4 + shl v19.2d,v19.2d,#57 //compose 0xc2.0 constant + + ld1 {v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64 +#ifndef __AARCH64EB__ + rev64 v0.16b,v0.16b + rev64 v5.16b,v5.16b + rev64 v6.16b,v6.16b + rev64 v7.16b,v7.16b + rev64 v4.16b,v4.16b +#endif + ext v25.16b,v7.16b,v7.16b,#8 + ext v24.16b,v6.16b,v6.16b,#8 + ext v23.16b,v5.16b,v5.16b,#8 + + pmull v29.1q,v20.1d,v25.1d //H·Ii+3 + eor v7.16b,v7.16b,v25.16b + pmull2 v31.1q,v20.2d,v25.2d + pmull v30.1q,v21.1d,v7.1d + + pmull v16.1q,v22.1d,v24.1d //H^2·Ii+2 + eor v6.16b,v6.16b,v24.16b + pmull2 v24.1q,v22.2d,v24.2d + pmull2 v6.1q,v21.2d,v6.2d + + eor v29.16b,v29.16b,v16.16b + eor v31.16b,v31.16b,v24.16b + eor v30.16b,v30.16b,v6.16b + + pmull v7.1q,v26.1d,v23.1d //H^3·Ii+1 + eor v5.16b,v5.16b,v23.16b + pmull2 v23.1q,v26.2d,v23.2d + pmull v5.1q,v27.1d,v5.1d + + eor v29.16b,v29.16b,v7.16b + 
eor v31.16b,v31.16b,v23.16b + eor v30.16b,v30.16b,v5.16b + + subs x3,x3,#128 + b.lo Ltail4x + + b Loop4x + +.align 4 +Loop4x: + eor v16.16b,v4.16b,v0.16b + ld1 {v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64 + ext v3.16b,v16.16b,v16.16b,#8 +#ifndef __AARCH64EB__ + rev64 v5.16b,v5.16b + rev64 v6.16b,v6.16b + rev64 v7.16b,v7.16b + rev64 v4.16b,v4.16b +#endif + + pmull v0.1q,v28.1d,v3.1d //H^4·(Xi+Ii) + eor v16.16b,v16.16b,v3.16b + pmull2 v2.1q,v28.2d,v3.2d + ext v25.16b,v7.16b,v7.16b,#8 + pmull2 v1.1q,v27.2d,v16.2d + + eor v0.16b,v0.16b,v29.16b + eor v2.16b,v2.16b,v31.16b + ext v24.16b,v6.16b,v6.16b,#8 + eor v1.16b,v1.16b,v30.16b + ext v23.16b,v5.16b,v5.16b,#8 + + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + pmull v29.1q,v20.1d,v25.1d //H·Ii+3 + eor v7.16b,v7.16b,v25.16b + eor v1.16b,v1.16b,v17.16b + pmull2 v31.1q,v20.2d,v25.2d + eor v1.16b,v1.16b,v18.16b + pmull v30.1q,v21.1d,v7.1d + + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + pmull v16.1q,v22.1d,v24.1d //H^2·Ii+2 + eor v6.16b,v6.16b,v24.16b + pmull2 v24.1q,v22.2d,v24.2d + eor v0.16b,v1.16b,v18.16b + pmull2 v6.1q,v21.2d,v6.2d + + eor v29.16b,v29.16b,v16.16b + eor v31.16b,v31.16b,v24.16b + eor v30.16b,v30.16b,v6.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + pmull v7.1q,v26.1d,v23.1d //H^3·Ii+1 + eor v5.16b,v5.16b,v23.16b + eor v18.16b,v18.16b,v2.16b + pmull2 v23.1q,v26.2d,v23.2d + pmull v5.1q,v27.1d,v5.1d + + eor v0.16b,v0.16b,v18.16b + eor v29.16b,v29.16b,v7.16b + eor v31.16b,v31.16b,v23.16b + ext v0.16b,v0.16b,v0.16b,#8 + eor v30.16b,v30.16b,v5.16b + + subs x3,x3,#64 + b.hs Loop4x + +Ltail4x: + eor v16.16b,v4.16b,v0.16b + ext v3.16b,v16.16b,v16.16b,#8 + + pmull v0.1q,v28.1d,v3.1d //H^4·(Xi+Ii) + eor v16.16b,v16.16b,v3.16b + pmull2 v2.1q,v28.2d,v3.2d + pmull2 v1.1q,v27.2d,v16.2d + + eor v0.16b,v0.16b,v29.16b + eor v2.16b,v2.16b,v31.16b + eor v1.16b,v1.16b,v30.16b + + adds x3,x3,#64 + b.eq 
Ldone4x + + cmp x3,#32 + b.lo Lone + b.eq Ltwo +Lthree: + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + ld1 {v4.2d,v5.2d,v6.2d},[x2] + eor v1.16b,v1.16b,v18.16b +#ifndef __AARCH64EB__ + rev64 v5.16b,v5.16b + rev64 v6.16b,v6.16b + rev64 v4.16b,v4.16b +#endif + + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + ext v24.16b,v6.16b,v6.16b,#8 + ext v23.16b,v5.16b,v5.16b,#8 + eor v0.16b,v1.16b,v18.16b + + pmull v29.1q,v20.1d,v24.1d //H·Ii+2 + eor v6.16b,v6.16b,v24.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + pmull2 v31.1q,v20.2d,v24.2d + pmull v30.1q,v21.1d,v6.1d + eor v0.16b,v0.16b,v18.16b + pmull v7.1q,v22.1d,v23.1d //H^2·Ii+1 + eor v5.16b,v5.16b,v23.16b + ext v0.16b,v0.16b,v0.16b,#8 + + pmull2 v23.1q,v22.2d,v23.2d + eor v16.16b,v4.16b,v0.16b + pmull2 v5.1q,v21.2d,v5.2d + ext v3.16b,v16.16b,v16.16b,#8 + + eor v29.16b,v29.16b,v7.16b + eor v31.16b,v31.16b,v23.16b + eor v30.16b,v30.16b,v5.16b + + pmull v0.1q,v26.1d,v3.1d //H^3·(Xi+Ii) + eor v16.16b,v16.16b,v3.16b + pmull2 v2.1q,v26.2d,v3.2d + pmull v1.1q,v27.1d,v16.1d + + eor v0.16b,v0.16b,v29.16b + eor v2.16b,v2.16b,v31.16b + eor v1.16b,v1.16b,v30.16b + b Ldone4x + +.align 4 +Ltwo: + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + ld1 {v4.2d,v5.2d},[x2] + eor v1.16b,v1.16b,v18.16b +#ifndef __AARCH64EB__ + rev64 v5.16b,v5.16b + rev64 v4.16b,v4.16b +#endif + + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + ext v23.16b,v5.16b,v5.16b,#8 + eor v0.16b,v1.16b,v18.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + eor v0.16b,v0.16b,v18.16b + ext v0.16b,v0.16b,v0.16b,#8 + + pmull v29.1q,v20.1d,v23.1d //H·Ii+1 + eor v5.16b,v5.16b,v23.16b + + eor 
v16.16b,v4.16b,v0.16b + ext v3.16b,v16.16b,v16.16b,#8 + + pmull2 v31.1q,v20.2d,v23.2d + pmull v30.1q,v21.1d,v5.1d + + pmull v0.1q,v22.1d,v3.1d //H^2·(Xi+Ii) + eor v16.16b,v16.16b,v3.16b + pmull2 v2.1q,v22.2d,v3.2d + pmull2 v1.1q,v21.2d,v16.2d + + eor v0.16b,v0.16b,v29.16b + eor v2.16b,v2.16b,v31.16b + eor v1.16b,v1.16b,v30.16b + b Ldone4x + +.align 4 +Lone: + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + ld1 {v4.2d},[x2] + eor v1.16b,v1.16b,v18.16b +#ifndef __AARCH64EB__ + rev64 v4.16b,v4.16b +#endif + + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + eor v0.16b,v1.16b,v18.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + eor v0.16b,v0.16b,v18.16b + ext v0.16b,v0.16b,v0.16b,#8 + + eor v16.16b,v4.16b,v0.16b + ext v3.16b,v16.16b,v16.16b,#8 + + pmull v0.1q,v20.1d,v3.1d + eor v16.16b,v16.16b,v3.16b + pmull2 v2.1q,v20.2d,v3.2d + pmull v1.1q,v21.1d,v16.1d + +Ldone4x: + ext v17.16b,v0.16b,v2.16b,#8 //Karatsuba post-processing + eor v18.16b,v0.16b,v2.16b + eor v1.16b,v1.16b,v17.16b + eor v1.16b,v1.16b,v18.16b + + pmull v18.1q,v0.1d,v19.1d //1st phase of reduction + ins v2.d[0],v1.d[1] + ins v1.d[1],v0.d[0] + eor v0.16b,v1.16b,v18.16b + + ext v18.16b,v0.16b,v0.16b,#8 //2nd phase of reduction + pmull v0.1q,v0.1d,v19.1d + eor v18.16b,v18.16b,v2.16b + eor v0.16b,v0.16b,v18.16b + ext v0.16b,v0.16b,v0.16b,#8 + +#ifndef __AARCH64EB__ + rev64 v0.16b,v0.16b +#endif + st1 {v0.2d},[x0] //write out Xi + + ret + +.byte 71,72,65,83,72,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.align 2 +#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-apple.S index 4ca4de71b..d66cf5977 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-armv8-asm-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1726,7 +1725,6 @@ Lselect_w7_loop: ret #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-linux.S index a61944ce6..558708acd 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-armv8-asm-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1726,7 +1725,6 @@ ecp_nistz256_select_w7: ret .size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-win.S b/Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-win.S new file mode 100644 index 000000000..db87fed76 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/p256-armv8-asm-win.S 
@@ -0,0 +1,1771 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include "CNIOBoringSSL_arm_arch.h" + +.section .rodata +.align 5 +Lpoly: +.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 +LRR: // 2^512 mod P precomputed for NIST P256 polynomial +.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd +Lone_mont: +.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe +Lone: +.quad 1,0,0,0 +Lord: +.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 +LordK: +.quad 0xccd1c8aaee00bc4f +.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.text + +// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl ecp_nistz256_mul_mont + +.def ecp_nistz256_mul_mont + .type 32 +.endef +.align 4 +ecp_nistz256_mul_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldr x3,[x2] // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_sqr_mont + +.def ecp_nistz256_sqr_mont + .type 32 +.endef +.align 4 +ecp_nistz256_sqr_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + + bl __ecp_nistz256_sqr_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_div_by_2 + +.def ecp_nistz256_div_by_2 + .type 32 +.endef +.align 4 +ecp_nistz256_div_by_2: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + + bl __ecp_nistz256_div_by_2 + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_mul_by_2 + +.def ecp_nistz256_mul_by_2 + .type 32 +.endef +.align 4 +ecp_nistz256_mul_by_2: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + + bl __ecp_nistz256_add_to // ret = a+a // 2*a + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_mul_by_3 + +.def ecp_nistz256_mul_by_3 + .type 32 +.endef +.align 4 +ecp_nistz256_mul_by_3: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + mov x4,x14 + mov x5,x15 + mov x6,x16 + mov x7,x17 + + bl __ecp_nistz256_add_to // ret = a+a // 2*a + + mov x8,x4 + mov x9,x5 + mov x10,x6 + mov x11,x7 + + bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl ecp_nistz256_sub + +.def ecp_nistz256_sub + .type 32 +.endef +.align 4 +ecp_nistz256_sub: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_neg + +.def ecp_nistz256_neg + .type 32 +.endef +.align 4 +ecp_nistz256_neg: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + mov x2,x1 + mov x14,xzr // a = 0 + mov x15,xzr + mov x16,xzr + mov x17,xzr + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded +// to x4-x7 and b[0] - to x3 +.def __ecp_nistz256_mul_mont + .type 32 +.endef +.align 4 +__ecp_nistz256_mul_mont: + mul x14,x4,x3 // a[0]*b[0] + umulh x8,x4,x3 + + mul x15,x5,x3 // a[1]*b[0] + umulh x9,x5,x3 + + mul x16,x6,x3 // a[2]*b[0] + umulh x10,x6,x3 + + mul x17,x7,x3 // a[3]*b[0] + umulh x11,x7,x3 + ldr x3,[x2,#8] // b[1] + + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adc x19,xzr,x11 + mov x20,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + ldr x3,[x2,#8*(1+1)] // b[1+1] + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 
// accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + ldr x3,[x2,#8*(2+1)] // b[2+1] + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + // last reduction + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + adcs x17,x19,x11 + adc x19,x20,xzr + + adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x19,xzr // did it borrow? + + csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret + + +// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded +// to x4-x7 +.def __ecp_nistz256_sqr_mont + .type 32 +.endef +.align 4 +__ecp_nistz256_sqr_mont: + // | | | | | |a1*a0| | + // | | | | |a2*a0| | | + // | |a3*a2|a3*a0| | | | + // | | | |a2*a1| | | | + // | | |a3*a1| | | | | + // *| | | | | | | | 2| + // +|a3*a3|a2*a2|a1*a1|a0*a0| + // |--+--+--+--+--+--+--+--| + // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow + // + // "can't overflow" below mark carrying into high part of + // multiplication result, which can't overflow, because it + // can never be all ones. + + mul x15,x5,x4 // a[1]*a[0] + umulh x9,x5,x4 + mul x16,x6,x4 // a[2]*a[0] + umulh x10,x6,x4 + mul x17,x7,x4 // a[3]*a[0] + umulh x19,x7,x4 + + adds x16,x16,x9 // accumulate high parts of multiplication + mul x8,x6,x5 // a[2]*a[1] + umulh x9,x6,x5 + adcs x17,x17,x10 + mul x10,x7,x5 // a[3]*a[1] + umulh x11,x7,x5 + adc x19,x19,xzr // can't overflow + + mul x20,x7,x6 // a[3]*a[2] + umulh x1,x7,x6 + + adds x9,x9,x10 // accumulate high parts of multiplication + mul x14,x4,x4 // a[0]*a[0] + adc x10,x11,xzr // can't overflow + + adds x17,x17,x8 // accumulate low parts of multiplication + umulh x4,x4,x4 + adcs x19,x19,x9 + mul x9,x5,x5 // a[1]*a[1] + adcs x20,x20,x10 + umulh x5,x5,x5 + adc x1,x1,xzr // can't overflow + + adds x15,x15,x15 // acc[1-6]*=2 + mul x10,x6,x6 // a[2]*a[2] + adcs x16,x16,x16 + umulh x6,x6,x6 + adcs x17,x17,x17 + mul x11,x7,x7 // a[3]*a[3] + adcs x19,x19,x19 + umulh x7,x7,x7 + adcs x20,x20,x20 + adcs x1,x1,x1 + adc x2,xzr,xzr + + adds x15,x15,x4 // +a[i]*a[i] + adcs x16,x16,x9 + adcs x17,x17,x5 + adcs x19,x19,x10 + adcs x20,x20,x6 + lsl x8,x14,#32 + adcs x1,x1,x11 + lsr x9,x14,#32 + adc x2,x2,x7 + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl 
x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + adc x17,x11,xzr // can't overflow + + adds x14,x14,x19 // accumulate upper half + adcs x15,x15,x20 + adcs x16,x16,x1 + adcs x17,x17,x2 + adc x19,xzr,xzr + + adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x19,xzr // did it borrow? + + csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret + + +// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to +// x4-x7 and x8-x11. This is done because it's used in multiple +// contexts, e.g. in multiplication by 2 and 3... +.def __ecp_nistz256_add_to + .type 32 +.endef +.align 4 +__ecp_nistz256_add_to: + adds x14,x14,x8 // ret = a+b + adcs x15,x15,x9 + adcs x16,x16,x10 + adcs x17,x17,x11 + adc x1,xzr,xzr // zap x1 + + adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x1,xzr // did subtraction borrow? + + csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret + + +.def __ecp_nistz256_sub_from + .type 32 +.endef +.align 4 +__ecp_nistz256_sub_from: + ldp x8,x9,[x2] + ldp x10,x11,[x2,#16] + subs x14,x14,x8 // ret = a-b + sbcs x15,x15,x9 + sbcs x16,x16,x10 + sbcs x17,x17,x11 + sbc x1,xzr,xzr // zap x1 + + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adc x11,x17,x13 + cmp x1,xzr // did subtraction borrow? + + csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret + csel x15,x15,x9,eq + csel x16,x16,x10,eq + stp x14,x15,[x0] + csel x17,x17,x11,eq + stp x16,x17,[x0,#16] + + ret + + +.def __ecp_nistz256_sub_morf + .type 32 +.endef +.align 4 +__ecp_nistz256_sub_morf: + ldp x8,x9,[x2] + ldp x10,x11,[x2,#16] + subs x14,x8,x14 // ret = b-a + sbcs x15,x9,x15 + sbcs x16,x10,x16 + sbcs x17,x11,x17 + sbc x1,xzr,xzr // zap x1 + + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adc x11,x17,x13 + cmp x1,xzr // did subtraction borrow? + + csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret + csel x15,x15,x9,eq + csel x16,x16,x10,eq + stp x14,x15,[x0] + csel x17,x17,x11,eq + stp x16,x17,[x0,#16] + + ret + + +.def __ecp_nistz256_div_by_2 + .type 32 +.endef +.align 4 +__ecp_nistz256_div_by_2: + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adcs x11,x17,x13 + adc x1,xzr,xzr // zap x1 + tst x14,#1 // is a even? + + csel x14,x14,x8,eq // ret = even ? 
a : a+modulus + csel x15,x15,x9,eq + csel x16,x16,x10,eq + csel x17,x17,x11,eq + csel x1,xzr,x1,eq + + lsr x14,x14,#1 // ret >>= 1 + orr x14,x14,x15,lsl#63 + lsr x15,x15,#1 + orr x15,x15,x16,lsl#63 + lsr x16,x16,#1 + orr x16,x16,x17,lsl#63 + lsr x17,x17,#1 + stp x14,x15,[x0] + orr x17,x17,x1,lsl#63 + stp x16,x17,[x0,#16] + + ret + +.globl ecp_nistz256_point_double + +.def ecp_nistz256_point_double + .type 32 +.endef +.align 5 +ecp_nistz256_point_double: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + sub sp,sp,#32*4 + +Ldouble_shortcut: + ldp x14,x15,[x1,#32] + mov x21,x0 + ldp x16,x17,[x1,#48] + mov x22,x1 + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + mov x8,x14 + ldr x13,[x13,#24] + mov x9,x15 + ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[x22,#64+16] + add x0,sp,#0 + bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y); + + add x0,sp,#64 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z); + + ldp x8,x9,[x22] + ldp x10,x11,[x22,#16] + mov x4,x14 // put Zsqr aside for p256_sub + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x0,sp,#32 + bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x); + + add x2,x22,#0 + mov x14,x4 // restore Zsqr + mov x15,x5 + ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont + mov x16,x6 + mov x17,x7 + ldp x6,x7,[sp,#0+16] + add x0,sp,#64 + bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr); + + add x0,sp,#0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S); + + ldr x3,[x22,#32] + ldp x4,x5,[x22,#64] + ldp x6,x7,[x22,#64+16] + add x2,x22,#32 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y); + + mov x8,x14 + mov x9,x15 + ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[sp,#0+16] + add x0,x21,#64 + bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0); + + add x0,sp,#96 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, 
S); + + ldr x3,[sp,#64] // forward load for p256_mul_mont + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x0,x21,#32 + bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0); + + add x2,sp,#64 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr); + + mov x8,x14 // duplicate M + mov x9,x15 + mov x10,x16 + mov x11,x17 + mov x4,x14 // put M aside + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x0,sp,#32 + bl __ecp_nistz256_add_to + mov x8,x4 // restore M + mov x9,x5 + ldr x3,[x22] // forward load for p256_mul_mont + mov x10,x6 + ldp x4,x5,[sp,#0] + mov x11,x7 + ldp x6,x7,[sp,#0+16] + bl __ecp_nistz256_add_to // p256_mul_by_3(M, M); + + add x2,x22,#0 + add x0,sp,#0 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x); + + mov x8,x14 + mov x9,x15 + ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[sp,#32+16] + add x0,sp,#96 + bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S); + + add x0,x21,#0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M); + + add x2,sp,#96 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0); + + add x2,sp,#0 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x); + + ldr x3,[sp,#32] + mov x4,x14 // copy S + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x2,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M); + + add x2,x21,#32 + add x0,x21,#32 + bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y); + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl ecp_nistz256_point_add + +.def ecp_nistz256_point_add + .type 32 +.endef +.align 5 +ecp_nistz256_point_add: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + sub sp,sp,#32*12 + + ldp x4,x5,[x2,#64] // in2_z + ldp x6,x7,[x2,#64+16] + mov x21,x0 + mov x22,x1 + mov x23,x2 + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + orr x8,x4,x5 + orr x10,x6,x7 + orr x25,x8,x10 + cmp x25,#0 + csetm x25,ne // ~in2infty + add x0,sp,#192 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); + + ldp x4,x5,[x22,#64] // in1_z + ldp x6,x7,[x22,#64+16] + orr x8,x4,x5 + orr x10,x6,x7 + orr x24,x8,x10 + cmp x24,#0 + csetm x24,ne // ~in1infty + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + ldr x3,[x23,#64] + ldp x4,x5,[sp,#192] + ldp x6,x7,[sp,#192+16] + add x2,x23,#64 + add x0,sp,#320 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,x22,#64 + add x0,sp,#352 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr x3,[x22,#32] + ldp x4,x5,[sp,#320] + ldp x6,x7,[sp,#320+16] + add x2,x22,#32 + add x0,sp,#320 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y); + + ldr x3,[x23,#32] + ldp x4,x5,[sp,#352] + ldp x6,x7,[sp,#352+16] + add x2,x23,#32 + add x0,sp,#352 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add x2,sp,#320 + ldr x3,[sp,#192] // forward load for p256_mul_mont + ldp x4,x5,[x22] + ldp x6,x7,[x22,#16] + add x0,sp,#160 + bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1); + + orr x14,x14,x15 // see if result is zero + orr x16,x16,x17 + orr x26,x14,x16 // ~is_equal(S1,S2) + + add x2,sp,#192 + add x0,sp,#256 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr); + + ldr x3,[sp,#128] + ldp x4,x5,[x23] + ldp x6,x7,[x23,#16] + add x2,sp,#128 + add x0,sp,#288 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr); + + add x2,sp,#256 + ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont 
+ ldp x6,x7,[sp,#160+16] + add x0,sp,#96 + bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1); + + orr x14,x14,x15 // see if result is zero + orr x16,x16,x17 + orr x14,x14,x16 // ~is_equal(U1,U2) + + mvn x27,x24 // -1/0 -> 0/-1 + mvn x28,x25 // -1/0 -> 0/-1 + orr x14,x14,x27 + orr x14,x14,x28 + orr x14,x14,x26 + cbnz x14,Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) + +Ladd_double: + mov x1,x22 + mov x0,x21 + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames + b Ldouble_shortcut + +.align 4 +Ladd_proceed: + add x0,sp,#192 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#96] + ldp x6,x7,[sp,#96+16] + add x2,x22,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldp x4,x5,[sp,#96] + ldp x6,x7,[sp,#96+16] + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldr x3,[x23,#64] + ldp x4,x5,[sp,#64] + ldp x6,x7,[sp,#64+16] + add x2,x23,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z); + + ldr x3,[sp,#96] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,sp,#96 + add x0,sp,#224 + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr x3,[sp,#128] + ldp x4,x5,[sp,#256] + ldp x6,x7,[sp,#256+16] + add x2,sp,#128 + add x0,sp,#288 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr); + + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + add x0,sp,#128 + bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); + + add x2,sp,#192 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add x2,sp,#224 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add x2,sp,#288 + ldr x3,[sp,#224] // forward load for p256_mul_mont + ldp x4,x5,[sp,#320] + ldp x6,x7,[sp,#320+16] + add x0,sp,#32 + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add x2,sp,#224 
+ add x0,sp,#352 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub); + + ldr x3,[sp,#160] + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x2,sp,#160 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add x2,sp,#352 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp x4,x5,[sp,#0] // res + ldp x6,x7,[sp,#0+16] + ldp x8,x9,[x23] // in2 + ldp x10,x11,[x23,#16] + ldp x14,x15,[x22,#0] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#0+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+0+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+0+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#0+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#0+48] + stp x14,x15,[x21,#0] + stp x16,x17,[x21,#0+16] + ldp x14,x15,[x22,#32] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#32+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+32+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+32+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#32+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#32+48] + stp x14,x15,[x21,#32] + stp x16,x17,[x21,#32+16] + ldp x14,x15,[x22,#64] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#64+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? 
+ csel x14,x8,x14,ne + csel x15,x9,x15,ne + csel x16,x10,x16,ne + csel x17,x11,x17,ne + stp x14,x15,[x21,#64] + stp x16,x17,[x21,#64+16] + +Ladd_done: + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl ecp_nistz256_point_add_affine + +.def ecp_nistz256_point_add_affine + .type 32 +.endef +.align 5 +ecp_nistz256_point_add_affine: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-80]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + sub sp,sp,#32*10 + + mov x21,x0 + mov x22,x1 + mov x23,x2 + adrp x13,Lpoly + add x13,x13,:lo12:Lpoly + ldr x12,[x13,#8] + ldr x13,[x13,#24] + + ldp x4,x5,[x1,#64] // in1_z + ldp x6,x7,[x1,#64+16] + orr x8,x4,x5 + orr x10,x6,x7 + orr x24,x8,x10 + cmp x24,#0 + csetm x24,ne // ~in1infty + + ldp x14,x15,[x2] // in2_x + ldp x16,x17,[x2,#16] + ldp x8,x9,[x2,#32] // in2_y + ldp x10,x11,[x2,#48] + orr x14,x14,x15 + orr x16,x16,x17 + orr x8,x8,x9 + orr x10,x10,x11 + orr x14,x14,x16 + orr x8,x8,x10 + orr x25,x14,x8 + cmp x25,#0 + csetm x25,ne // ~in2infty + + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + mov x4,x14 + mov x5,x15 + mov x6,x16 + mov x7,x17 + ldr x3,[x23] + add x2,x23,#0 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x); + + add x2,x22,#0 + ldr x3,[x22,#64] // forward load for p256_mul_mont + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x0,sp,#160 + bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x); + + add x2,x22,#64 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#160] + ldp x6,x7,[sp,#160+16] + add x2,x22,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldr x3,[x23,#32] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add 
x2,x23,#32 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add x2,x22,#32 + ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont + ldp x6,x7,[sp,#160+16] + add x0,sp,#192 + bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y); + + add x0,sp,#224 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldp x4,x5,[sp,#192] + ldp x6,x7,[sp,#192+16] + add x0,sp,#288 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr x3,[sp,#160] + ldp x4,x5,[sp,#224] + ldp x6,x7,[sp,#224+16] + add x2,sp,#160 + add x0,sp,#256 + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr x3,[x22] + ldp x4,x5,[sp,#224] + ldp x6,x7,[sp,#224+16] + add x2,x22,#0 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr); + + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + add x0,sp,#224 + bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); + + add x2,sp,#288 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add x2,sp,#256 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add x2,sp,#96 + ldr x3,[x22,#32] // forward load for p256_mul_mont + ldp x4,x5,[sp,#256] + ldp x6,x7,[sp,#256+16] + add x0,sp,#32 + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add x2,x22,#32 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub); + + ldr x3,[sp,#192] + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x2,sp,#192 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add x2,sp,#128 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp x4,x5,[sp,#0] // res + ldp x6,x7,[sp,#0+16] + ldp x8,x9,[x23] // in2 + ldp x10,x11,[x23,#16] + ldp x14,x15,[x22,#0] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#0+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+0+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? 
+ ldp x6,x7,[sp,#0+0+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#0+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#0+48] + stp x14,x15,[x21,#0] + stp x16,x17,[x21,#0+16] + adrp x23,Lone_mont-64 + add x23,x23,:lo12:Lone_mont-64 + ldp x14,x15,[x22,#32] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#32+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+32+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+32+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#32+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#32+48] + stp x14,x15,[x21,#32] + stp x16,x17,[x21,#32+16] + ldp x14,x15,[x22,#64] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#64+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + csel x14,x8,x14,ne + csel x15,x9,x15,ne + csel x16,x10,x16,ne + csel x17,x11,x17,ne + stp x14,x15,[x21,#64] + stp x16,x17,[x21,#64+16] + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x29,x30,[sp],#80 + AARCH64_VALIDATE_LINK_REGISTER + ret + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4], +// uint64_t b[4]); +.globl ecp_nistz256_ord_mul_mont + +.def ecp_nistz256_ord_mul_mont + .type 32 +.endef +.align 4 +ecp_nistz256_ord_mul_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + adrp x23,Lord + add x23,x23,:lo12:Lord + ldr x3,[x2] // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + + ldp x12,x13,[x23,#0] + ldp x21,x22,[x23,#16] + ldr x23,[x23,#32] + + mul x14,x4,x3 // a[0]*b[0] + umulh x8,x4,x3 + + mul x15,x5,x3 // a[1]*b[0] + umulh x9,x5,x3 + + mul x16,x6,x3 // a[2]*b[0] + umulh x10,x6,x3 + + mul x17,x7,x3 // a[3]*b[0] + umulh x19,x7,x3 + + mul x24,x14,x23 + + adds x15,x15,x8 // accumulate high parts of multiplication + adcs x16,x16,x9 + adcs x17,x17,x10 + adc x19,x19,xzr + mov x20,xzr + ldr x3,[x2,#8*1] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + ldr x3,[x2,#8*2] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + 
adcs x16,x16,x9 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + ldr x3,[x2,#8*3] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + lsl x8,x24,#32 // last reduction + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + subs x8,x14,x12 // ret -= modulus + sbcs x9,x15,x13 + sbcs x10,x16,x21 + sbcs x11,x17,x22 + sbcs xzr,x19,xzr + + csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldr x29,[sp],#64 + ret + + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4], +// uint64_t rep); +.globl ecp_nistz256_ord_sqr_mont + +.def ecp_nistz256_ord_sqr_mont + .type 32 +.endef +.align 4 +ecp_nistz256_ord_sqr_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + adrp x23,Lord + add x23,x23,:lo12:Lord + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + + ldp x12,x13,[x23,#0] + ldp x21,x22,[x23,#16] + ldr x23,[x23,#32] + b Loop_ord_sqr + +.align 4 +Loop_ord_sqr: + sub x2,x2,#1 + //////////////////////////////////////////////////////////////// + // | | | | | |a1*a0| | + // | | | | |a2*a0| | | + // | |a3*a2|a3*a0| | | | + // | | | |a2*a1| | | | + // | | |a3*a1| | | | | + // *| | | | | | | | 2| + // +|a3*a3|a2*a2|a1*a1|a0*a0| + // |--+--+--+--+--+--+--+--| + // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow + // + // "can't overflow" below mark carrying into high part of + // multiplication result, which can't overflow, because it + // can never be all ones. + + mul x15,x5,x4 // a[1]*a[0] + umulh x9,x5,x4 + mul x16,x6,x4 // a[2]*a[0] + umulh x10,x6,x4 + mul x17,x7,x4 // a[3]*a[0] + umulh x19,x7,x4 + + adds x16,x16,x9 // accumulate high parts of multiplication + mul x8,x6,x5 // a[2]*a[1] + umulh x9,x6,x5 + adcs x17,x17,x10 + mul x10,x7,x5 // a[3]*a[1] + umulh x11,x7,x5 + adc x19,x19,xzr // can't overflow + + mul x20,x7,x6 // a[3]*a[2] + umulh x1,x7,x6 + + adds x9,x9,x10 // accumulate high parts of multiplication + mul x14,x4,x4 // a[0]*a[0] + adc x10,x11,xzr // can't overflow + + adds x17,x17,x8 // accumulate low parts of multiplication + umulh x4,x4,x4 + adcs x19,x19,x9 + mul x9,x5,x5 // a[1]*a[1] + adcs x20,x20,x10 + umulh x5,x5,x5 + adc x1,x1,xzr // can't overflow + + adds x15,x15,x15 // acc[1-6]*=2 + mul x10,x6,x6 // a[2]*a[2] + adcs x16,x16,x16 + umulh x6,x6,x6 + adcs x17,x17,x17 + mul x11,x7,x7 // a[3]*a[3] + adcs x19,x19,x19 + umulh x7,x7,x7 + adcs x20,x20,x20 + adcs x1,x1,x1 + adc x3,xzr,xzr + + adds x15,x15,x4 // +a[i]*a[i] + mul x24,x14,x23 + adcs x16,x16,x9 + adcs x17,x17,x5 + adcs x19,x19,x10 + adcs x20,x20,x6 + adcs x1,x1,x11 + adc x3,x3,x7 + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 
+ adc x11,x11,xzr + + adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adc x17,xzr,x24 // can't overflow + mul x11,x14,x23 + lsl x8,x24,#32 + subs x15,x15,x24 + lsr x9,x24,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x11 + mul x10,x13,x11 + umulh x24,x13,x11 + + adcs x10,x10,x9 + adc x24,x24,xzr + + adds x14,x15,x10 + adcs x15,x16,x24 + adcs x16,x17,x11 + adc x17,xzr,x11 // can't overflow + mul x24,x14,x23 + lsl x8,x11,#32 + subs x15,x15,x11 + lsr x9,x11,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adc x17,xzr,x24 // can't overflow + mul x11,x14,x23 + lsl x8,x24,#32 + subs x15,x15,x24 + lsr x9,x24,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x11 + mul x10,x13,x11 + umulh x24,x13,x11 + + adcs x10,x10,x9 + adc x24,x24,xzr + + adds x14,x15,x10 + adcs x15,x16,x24 + adcs x16,x17,x11 + adc x17,xzr,x11 // can't overflow + lsl x8,x11,#32 + subs x15,x15,x11 + lsr x9,x11,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + adds x14,x14,x19 // accumulate upper half + adcs x15,x15,x20 + adcs x16,x16,x1 + adcs x17,x17,x3 + adc x19,xzr,xzr + + subs x8,x14,x12 // ret -= modulus + sbcs x9,x15,x13 + sbcs x10,x16,x21 + sbcs x11,x17,x22 + sbcs xzr,x19,xzr + + csel x4,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x5,x15,x9,lo + csel x6,x16,x10,lo + csel x7,x17,x11,lo + + cbnz x2,Loop_ord_sqr + + stp x4,x5,[x0] + stp x6,x7,[x0,#16] + + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldr x29,[sp],#64 + ret + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index); +.globl ecp_nistz256_select_w5 + +.def ecp_nistz256_select_w5 + .type 32 +.endef +.align 4 +ecp_nistz256_select_w5: + AARCH64_VALID_CALL_TARGET + + // x10 := x0 + // w9 := 0; loop counter and incremented internal index + mov x10, x0 + mov w9, #0 + + // [v16-v21] := 0 + movi v16.16b, #0 + movi v17.16b, #0 + movi v18.16b, #0 + movi v19.16b, #0 + movi v20.16b, #0 + movi v21.16b, #0 + +Lselect_w5_loop: + // Loop 16 times. + + // Increment index (loop counter); tested at the end of the loop + add w9, w9, #1 + + // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1 + // and advance x1 to point to the next entry + ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 + + // x11 := (w9 == w2)? All 1s : All 0s + cmp w9, w2 + csetm x11, eq + + // continue loading ... + ld1 {v26.2d, v27.2d}, [x1],#32 + + // duplicate mask_64 into Mask (all 0s or all 1s) + dup v3.2d, x11 + + // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] + // i.e., values in output registers will remain the same if w9 != w2 + bit v16.16b, v22.16b, v3.16b + bit v17.16b, v23.16b, v3.16b + + bit v18.16b, v24.16b, v3.16b + bit v19.16b, v25.16b, v3.16b + + bit v20.16b, v26.16b, v3.16b + bit v21.16b, v27.16b, v3.16b + + // If bit #4 is not 0 (i.e. 
idx_ctr < 16) loop back + tbz w9, #4, Lselect_w5_loop + + // Write [v16-v21] to memory at the output pointer + st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64 + st1 {v20.2d, v21.2d}, [x10] + + ret + + + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index); +.globl ecp_nistz256_select_w7 + +.def ecp_nistz256_select_w7 + .type 32 +.endef +.align 4 +ecp_nistz256_select_w7: + AARCH64_VALID_CALL_TARGET + + // w9 := 0; loop counter and incremented internal index + mov w9, #0 + + // [v16-v21] := 0 + movi v16.16b, #0 + movi v17.16b, #0 + movi v18.16b, #0 + movi v19.16b, #0 + +Lselect_w7_loop: + // Loop 64 times. + + // Increment index (loop counter); tested at the end of the loop + add w9, w9, #1 + + // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1 + // and advance x1 to point to the next entry + ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 + + // x11 := (w9 == w2)? All 1s : All 0s + cmp w9, w2 + csetm x11, eq + + // duplicate mask_64 into Mask (all 0s or all 1s) + dup v3.2d, x11 + + // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] + // i.e., values in output registers will remain the same if w9 != w2 + bit v16.16b, v22.16b, v3.16b + bit v17.16b, v23.16b, v3.16b + + bit v18.16b, v24.16b, v3.16b + bit v19.16b, v25.16b, v3.16b + + // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back + tbz w9, #6, Lselect_w7_loop + + // Write [v16-v19] to memory at the output pointer + st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0] + + ret + +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-apple.S similarity index 95% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-apple.S index 3d0767b6b..03d9832c0 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-x86_64-asm-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -9,7 +8,6 @@ .text - .section __DATA,__const .p2align 6 L$poly: @@ -94,18 +92,13 @@ L$neg_epilogue: -.globl _ecp_nistz256_ord_mul_mont -.private_extern _ecp_nistz256_ord_mul_mont +.globl _ecp_nistz256_ord_mul_mont_nohw +.private_extern _ecp_nistz256_ord_mul_mont_nohw .p2align 5 -_ecp_nistz256_ord_mul_mont: +_ecp_nistz256_ord_mul_mont_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je L$ecp_nistz256_ord_mul_montx pushq %rbp pushq %rbx @@ -423,18 +416,13 @@ L$ord_mul_epilogue: -.globl _ecp_nistz256_ord_sqr_mont -.private_extern _ecp_nistz256_ord_sqr_mont +.globl _ecp_nistz256_ord_sqr_mont_nohw +.private_extern _ecp_nistz256_ord_sqr_mont_nohw .p2align 5 -_ecp_nistz256_ord_sqr_mont: +_ecp_nistz256_ord_sqr_mont_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je L$ecp_nistz256_ord_sqr_montx pushq %rbp pushq %rbx @@ -716,11 +704,14 @@ L$ord_sqr_epilogue: +.globl _ecp_nistz256_ord_mul_mont_adx +.private_extern _ecp_nistz256_ord_mul_mont_adx .p2align 5 -ecp_nistz256_ord_mul_montx: +_ecp_nistz256_ord_mul_mont_adx: -L$ecp_nistz256_ord_mul_montx: +L$ecp_nistz256_ord_mul_mont_adx: +_CET_ENDBR pushq %rbp pushq %rbx 
@@ -952,11 +943,14 @@ L$ord_mulx_epilogue: +.globl _ecp_nistz256_ord_sqr_mont_adx +.private_extern _ecp_nistz256_ord_sqr_mont_adx .p2align 5 -ecp_nistz256_ord_sqr_montx: +_ecp_nistz256_ord_sqr_mont_adx: -L$ecp_nistz256_ord_sqr_montx: +_CET_ENDBR +L$ecp_nistz256_ord_sqr_mont_adx: pushq %rbp pushq %rbx @@ -1165,17 +1159,13 @@ L$ord_sqrx_epilogue: -.globl _ecp_nistz256_mul_mont -.private_extern _ecp_nistz256_mul_mont +.globl _ecp_nistz256_mul_mont_nohw +.private_extern _ecp_nistz256_mul_mont_nohw .p2align 5 -_ecp_nistz256_mul_mont: +_ecp_nistz256_mul_mont_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx -L$mul_mont: pushq %rbp pushq %rbx @@ -1189,8 +1179,6 @@ L$mul_mont: pushq %r15 L$mul_body: - cmpl $0x80100,%ecx - je L$mul_montx movq %rdx,%rbx movq 0(%rdx),%rax movq 0(%rsi),%r9 @@ -1199,20 +1187,7 @@ L$mul_body: movq 24(%rsi),%r12 call __ecp_nistz256_mul_montq - jmp L$mul_mont_done - -.p2align 5 -L$mul_montx: - movq %rdx,%rbx - movq 0(%rdx),%rdx - movq 0(%rsi),%r9 - movq 8(%rsi),%r10 - movq 16(%rsi),%r11 - movq 24(%rsi),%r12 - leaq -128(%rsi),%rsi - call __ecp_nistz256_mul_montx -L$mul_mont_done: movq 0(%rsp),%r15 movq 8(%rsp),%r14 @@ -1457,16 +1432,13 @@ __ecp_nistz256_mul_montq: -.globl _ecp_nistz256_sqr_mont -.private_extern _ecp_nistz256_sqr_mont +.globl _ecp_nistz256_sqr_mont_nohw +.private_extern _ecp_nistz256_sqr_mont_nohw .p2align 5 -_ecp_nistz256_sqr_mont: +_ecp_nistz256_sqr_mont_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx pushq %rbp pushq %rbx 
@@ -1480,26 +1452,13 @@ _CET_ENDBR pushq %r15 L$sqr_body: - cmpl $0x80100,%ecx - je L$sqr_montx movq 0(%rsi),%rax movq 8(%rsi),%r14 movq 16(%rsi),%r15 movq 24(%rsi),%r8 call __ecp_nistz256_sqr_montq - jmp L$sqr_mont_done - -.p2align 5 -L$sqr_montx: - movq 0(%rsi),%rdx - movq 8(%rsi),%r14 - movq 16(%rsi),%r15 - movq 24(%rsi),%r8 - leaq -128(%rsi),%rsi - call __ecp_nistz256_sqr_montx -L$sqr_mont_done: movq 0(%rsp),%r15 movq 8(%rsp),%r14 @@ -1682,6 +1641,55 @@ __ecp_nistz256_sqr_montq: ret +.globl _ecp_nistz256_mul_mont_adx +.private_extern _ecp_nistz256_mul_mont_adx + +.p2align 5 +_ecp_nistz256_mul_mont_adx: + +_CET_ENDBR + pushq %rbp + + pushq %rbx + + pushq %r12 + + pushq %r13 + + pushq %r14 + + pushq %r15 + +L$mulx_body: + movq %rdx,%rbx + movq 0(%rdx),%rdx + movq 0(%rsi),%r9 + movq 8(%rsi),%r10 + movq 16(%rsi),%r11 + movq 24(%rsi),%r12 + leaq -128(%rsi),%rsi + + call __ecp_nistz256_mul_montx + + movq 0(%rsp),%r15 + + movq 8(%rsp),%r14 + + movq 16(%rsp),%r13 + + movq 24(%rsp),%r12 + + movq 32(%rsp),%rbx + + movq 40(%rsp),%rbp + + leaq 48(%rsp),%rsp + +L$mulx_epilogue: + ret + + + .p2align 5 __ecp_nistz256_mul_montx: @@ -1851,6 +1859,53 @@ __ecp_nistz256_mul_montx: +.globl _ecp_nistz256_sqr_mont_adx +.private_extern _ecp_nistz256_sqr_mont_adx + +.p2align 5 +_ecp_nistz256_sqr_mont_adx: + +_CET_ENDBR + pushq %rbp + + pushq %rbx + + pushq %r12 + + pushq %r13 + + pushq %r14 + + pushq %r15 + +L$sqrx_body: + movq 0(%rsi),%rdx + movq 8(%rsi),%r14 + movq 16(%rsi),%r15 + movq 24(%rsi),%r8 + leaq -128(%rsi),%rsi + + call __ecp_nistz256_sqr_montx + + movq 0(%rsp),%r15 + + movq 8(%rsp),%r14 + + movq 16(%rsp),%r13 + + movq 24(%rsp),%r12 + + movq 32(%rsp),%rbx + + movq 40(%rsp),%rbp + + leaq 48(%rsp),%rsp + +L$sqrx_epilogue: + ret + + + .p2align 5 __ecp_nistz256_sqr_montx: 
@@ -1982,17 +2037,13 @@ __ecp_nistz256_sqr_montx: -.globl _ecp_nistz256_select_w5 -.private_extern _ecp_nistz256_select_w5 +.globl _ecp_nistz256_select_w5_nohw +.private_extern _ecp_nistz256_select_w5_nohw .p2align 5 -_ecp_nistz256_select_w5: +_ecp_nistz256_select_w5_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rax - movq 8(%rax),%rax - testl $32,%eax - jnz L$avx2_select_w5 movdqa L$One(%rip),%xmm0 movd %edx,%xmm1 @@ -2045,22 +2096,18 @@ L$select_loop_sse_w5: movdqu %xmm7,80(%rdi) ret -L$SEH_end_ecp_nistz256_select_w5: +L$SEH_end_ecp_nistz256_select_w5_nohw: -.globl _ecp_nistz256_select_w7 -.private_extern _ecp_nistz256_select_w7 +.globl _ecp_nistz256_select_w7_nohw +.private_extern _ecp_nistz256_select_w7_nohw .p2align 5 -_ecp_nistz256_select_w7: +_ecp_nistz256_select_w7_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rax - movq 8(%rax),%rax - testl $32,%eax - jnz L$avx2_select_w7 movdqa L$One(%rip),%xmm8 movd %edx,%xmm1 @@ -2102,15 +2149,17 @@ L$select_loop_sse_w7: movdqu %xmm5,48(%rdi) ret -L$SEH_end_ecp_nistz256_select_w7: +L$SEH_end_ecp_nistz256_select_w7_nohw: +.globl _ecp_nistz256_select_w5_avx2 +.private_extern _ecp_nistz256_select_w5_avx2 .p2align 5 -ecp_nistz256_avx2_select_w5: +_ecp_nistz256_select_w5_avx2: -L$avx2_select_w5: +_CET_ENDBR vzeroupper vmovdqa L$Two(%rip),%ymm0 @@ -2165,18 +2214,17 @@ L$select_loop_avx2_w5: vzeroupper ret -L$SEH_end_ecp_nistz256_avx2_select_w5: +L$SEH_end_ecp_nistz256_select_w5_avx2: -.globl _ecp_nistz256_avx2_select_w7 -.private_extern _ecp_nistz256_avx2_select_w7 +.globl _ecp_nistz256_select_w7_avx2 +.private_extern _ecp_nistz256_select_w7_avx2 .p2align 5 -_ecp_nistz256_avx2_select_w7: +_ecp_nistz256_select_w7_avx2: -L$avx2_select_w7: _CET_ENDBR vzeroupper vmovdqa L$Three(%rip),%ymm0 @@ -2247,7 +2295,7 @@ L$select_loop_avx2_w7: vzeroupper ret -L$SEH_end_ecp_nistz256_avx2_select_w7: +L$SEH_end_ecp_nistz256_select_w7_avx2: .p2align 5 
@@ -2378,18 +2426,13 @@ __ecp_nistz256_mul_by_2q: ret -.globl _ecp_nistz256_point_double -.private_extern _ecp_nistz256_point_double +.globl _ecp_nistz256_point_double_nohw +.private_extern _ecp_nistz256_point_double_nohw .p2align 5 -_ecp_nistz256_point_double: +_ecp_nistz256_point_double_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je L$point_doublex pushq %rbp pushq %rbx @@ -2607,18 +2650,13 @@ L$point_doubleq_epilogue: ret -.globl _ecp_nistz256_point_add -.private_extern _ecp_nistz256_point_add +.globl _ecp_nistz256_point_add_nohw +.private_extern _ecp_nistz256_point_add_nohw .p2align 5 -_ecp_nistz256_point_add: +_ecp_nistz256_point_add_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je L$point_addx pushq %rbp pushq %rbx @@ -3039,18 +3077,13 @@ L$point_addq_epilogue: ret -.globl _ecp_nistz256_point_add_affine -.private_extern _ecp_nistz256_point_add_affine +.globl _ecp_nistz256_point_add_affine_nohw +.private_extern _ecp_nistz256_point_add_affine_nohw .p2align 5 -_ecp_nistz256_point_add_affine: +_ecp_nistz256_point_add_affine_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je L$point_add_affinex pushq %rbp pushq %rbx @@ -3503,11 +3536,13 @@ __ecp_nistz256_mul_by_2x: ret +.globl _ecp_nistz256_point_double_adx +.private_extern _ecp_nistz256_point_double_adx .p2align 5 -ecp_nistz256_point_doublex: +_ecp_nistz256_point_double_adx: -L$point_doublex: +_CET_ENDBR pushq %rbp pushq %rbx @@ -3725,11 +3760,13 @@ L$point_doublex_epilogue: ret +.globl _ecp_nistz256_point_add_adx +.private_extern _ecp_nistz256_point_add_adx .p2align 5 -ecp_nistz256_point_addx: +_ecp_nistz256_point_add_adx: -L$point_addx: +_CET_ENDBR pushq %rbp pushq %rbx 
@@ -4150,11 +4187,13 @@ L$point_addx_epilogue: ret +.globl _ecp_nistz256_point_add_affine_adx +.private_extern _ecp_nistz256_point_add_affine_adx .p2align 5 -ecp_nistz256_point_add_affinex: +_ecp_nistz256_point_add_affine_adx: -L$point_add_affinex: +_CET_ENDBR pushq %rbp pushq %rbx @@ -4473,7 +4512,6 @@ L$add_affinex_epilogue: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-linux.S similarity index 92% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-linux.S index 083667092..1eaf3b957 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256-x86_64-asm-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/p256-x86_64-asm-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,8 +6,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P .section .rodata @@ -97,18 +94,13 @@ _CET_ENDBR -.globl ecp_nistz256_ord_mul_mont -.hidden ecp_nistz256_ord_mul_mont -.type ecp_nistz256_ord_mul_mont,@function +.globl ecp_nistz256_ord_mul_mont_nohw +.hidden ecp_nistz256_ord_mul_mont_nohw +.type ecp_nistz256_ord_mul_mont_nohw,@function .align 32 -ecp_nistz256_ord_mul_mont: +ecp_nistz256_ord_mul_mont_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je .Lecp_nistz256_ord_mul_montx pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 
@@ -424,7 +416,7 @@ _CET_ENDBR .Lord_mul_epilogue: ret .cfi_endproc -.size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont +.size ecp_nistz256_ord_mul_mont_nohw,.-ecp_nistz256_ord_mul_mont_nohw @@ -432,18 +424,13 @@ _CET_ENDBR -.globl ecp_nistz256_ord_sqr_mont -.hidden ecp_nistz256_ord_sqr_mont -.type ecp_nistz256_ord_sqr_mont,@function +.globl ecp_nistz256_ord_sqr_mont_nohw +.hidden ecp_nistz256_ord_sqr_mont_nohw +.type ecp_nistz256_ord_sqr_mont_nohw,@function .align 32 -ecp_nistz256_ord_sqr_mont: +ecp_nistz256_ord_sqr_mont_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je .Lecp_nistz256_ord_sqr_montx pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -729,13 +716,16 @@ _CET_ENDBR .Lord_sqr_epilogue: ret .cfi_endproc -.size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont +.size ecp_nistz256_ord_sqr_mont_nohw,.-ecp_nistz256_ord_sqr_mont_nohw -.type ecp_nistz256_ord_mul_montx,@function +.globl ecp_nistz256_ord_mul_mont_adx +.hidden ecp_nistz256_ord_mul_mont_adx +.type ecp_nistz256_ord_mul_mont_adx,@function .align 32 -ecp_nistz256_ord_mul_montx: +ecp_nistz256_ord_mul_mont_adx: .cfi_startproc -.Lecp_nistz256_ord_mul_montx: +.Lecp_nistz256_ord_mul_mont_adx: +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -971,13 +961,16 @@ ecp_nistz256_ord_mul_montx: .Lord_mulx_epilogue: ret .cfi_endproc -.size ecp_nistz256_ord_mul_montx,.-ecp_nistz256_ord_mul_montx +.size ecp_nistz256_ord_mul_mont_adx,.-ecp_nistz256_ord_mul_mont_adx -.type ecp_nistz256_ord_sqr_montx,@function +.globl ecp_nistz256_ord_sqr_mont_adx +.hidden ecp_nistz256_ord_sqr_mont_adx +.type ecp_nistz256_ord_sqr_mont_adx,@function .align 32 -ecp_nistz256_ord_sqr_montx: +ecp_nistz256_ord_sqr_mont_adx: .cfi_startproc -.Lecp_nistz256_ord_sqr_montx: +_CET_ENDBR +.Lecp_nistz256_ord_sqr_mont_adx: pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 
@@ -1185,24 +1178,20 @@ ecp_nistz256_ord_sqr_montx: .Lord_sqrx_epilogue: ret .cfi_endproc -.size ecp_nistz256_ord_sqr_montx,.-ecp_nistz256_ord_sqr_montx +.size ecp_nistz256_ord_sqr_mont_adx,.-ecp_nistz256_ord_sqr_mont_adx -.globl ecp_nistz256_mul_mont -.hidden ecp_nistz256_mul_mont -.type ecp_nistz256_mul_mont,@function +.globl ecp_nistz256_mul_mont_nohw +.hidden ecp_nistz256_mul_mont_nohw +.type ecp_nistz256_mul_mont_nohw,@function .align 32 -ecp_nistz256_mul_mont: +ecp_nistz256_mul_mont_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx -.Lmul_mont: pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -1222,8 +1211,6 @@ _CET_ENDBR .cfi_adjust_cfa_offset 8 .cfi_offset %r15,-56 .Lmul_body: - cmpl $0x80100,%ecx - je .Lmul_montx movq %rdx,%rbx movq 0(%rdx),%rax movq 0(%rsi),%r9 @@ -1232,20 +1219,7 @@ _CET_ENDBR movq 24(%rsi),%r12 call __ecp_nistz256_mul_montq - jmp .Lmul_mont_done -.align 32 -.Lmul_montx: - movq %rdx,%rbx - movq 0(%rdx),%rdx - movq 0(%rsi),%r9 - movq 8(%rsi),%r10 - movq 16(%rsi),%r11 - movq 24(%rsi),%r12 - leaq -128(%rsi),%rsi - - call __ecp_nistz256_mul_montx -.Lmul_mont_done: movq 0(%rsp),%r15 .cfi_restore %r15 movq 8(%rsp),%r14 @@ -1263,7 +1237,7 @@ _CET_ENDBR .Lmul_epilogue: ret .cfi_endproc -.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont +.size ecp_nistz256_mul_mont_nohw,.-ecp_nistz256_mul_mont_nohw .type __ecp_nistz256_mul_montq,@function .align 32 @@ -1490,16 +1464,13 @@ __ecp_nistz256_mul_montq: -.globl ecp_nistz256_sqr_mont -.hidden ecp_nistz256_sqr_mont -.type ecp_nistz256_sqr_mont,@function +.globl ecp_nistz256_sqr_mont_nohw +.hidden ecp_nistz256_sqr_mont_nohw +.type ecp_nistz256_sqr_mont_nohw,@function .align 32 -ecp_nistz256_sqr_mont: +ecp_nistz256_sqr_mont_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 
@@ -1519,26 +1490,13 @@ _CET_ENDBR .cfi_adjust_cfa_offset 8 .cfi_offset %r15,-56 .Lsqr_body: - cmpl $0x80100,%ecx - je .Lsqr_montx movq 0(%rsi),%rax movq 8(%rsi),%r14 movq 16(%rsi),%r15 movq 24(%rsi),%r8 call __ecp_nistz256_sqr_montq - jmp .Lsqr_mont_done - -.align 32 -.Lsqr_montx: - movq 0(%rsi),%rdx - movq 8(%rsi),%r14 - movq 16(%rsi),%r15 - movq 24(%rsi),%r8 - leaq -128(%rsi),%rsi - call __ecp_nistz256_sqr_montx -.Lsqr_mont_done: movq 0(%rsp),%r15 .cfi_restore %r15 movq 8(%rsp),%r14 @@ -1556,7 +1514,7 @@ _CET_ENDBR .Lsqr_epilogue: ret .cfi_endproc -.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont +.size ecp_nistz256_sqr_mont_nohw,.-ecp_nistz256_sqr_mont_nohw .type __ecp_nistz256_sqr_montq,@function .align 32 
@@ -1721,6 +1679,61 @@ __ecp_nistz256_sqr_montq: ret .cfi_endproc .size __ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq +.globl ecp_nistz256_mul_mont_adx +.hidden ecp_nistz256_mul_mont_adx +.type ecp_nistz256_mul_mont_adx,@function +.align 32 +ecp_nistz256_mul_mont_adx: +.cfi_startproc +_CET_ENDBR + pushq %rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset %rbp,-16 + pushq %rbx +.cfi_adjust_cfa_offset 8 +.cfi_offset %rbx,-24 + pushq %r12 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r12,-32 + pushq %r13 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r13,-40 + pushq %r14 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r14,-48 + pushq %r15 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r15,-56 +.Lmulx_body: + movq %rdx,%rbx + movq 0(%rdx),%rdx + movq 0(%rsi),%r9 + movq 8(%rsi),%r10 + movq 16(%rsi),%r11 + movq 24(%rsi),%r12 + leaq -128(%rsi),%rsi + + call __ecp_nistz256_mul_montx + + movq 0(%rsp),%r15 +.cfi_restore %r15 + movq 8(%rsp),%r14 +.cfi_restore %r14 + movq 16(%rsp),%r13 +.cfi_restore %r13 + movq 24(%rsp),%r12 +.cfi_restore %r12 + movq 32(%rsp),%rbx +.cfi_restore %rbx + movq 40(%rsp),%rbp +.cfi_restore %rbp + leaq 48(%rsp),%rsp +.cfi_adjust_cfa_offset -48 +.Lmulx_epilogue: + ret +.cfi_endproc +.size ecp_nistz256_mul_mont_adx,.-ecp_nistz256_mul_mont_adx + .type __ecp_nistz256_mul_montx,@function .align 32 __ecp_nistz256_mul_montx: 
@@ -1890,6 +1903,59 @@ __ecp_nistz256_mul_montx: .cfi_endproc .size __ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx +.globl ecp_nistz256_sqr_mont_adx +.hidden ecp_nistz256_sqr_mont_adx +.type ecp_nistz256_sqr_mont_adx,@function +.align 32 +ecp_nistz256_sqr_mont_adx: +.cfi_startproc +_CET_ENDBR + pushq %rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset %rbp,-16 + pushq %rbx +.cfi_adjust_cfa_offset 8 +.cfi_offset %rbx,-24 + pushq %r12 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r12,-32 + pushq %r13 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r13,-40 + pushq %r14 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r14,-48 + pushq %r15 +.cfi_adjust_cfa_offset 8 +.cfi_offset %r15,-56 +.Lsqrx_body: + movq 0(%rsi),%rdx + movq 8(%rsi),%r14 + movq 16(%rsi),%r15 + movq 24(%rsi),%r8 + leaq -128(%rsi),%rsi + + call __ecp_nistz256_sqr_montx + + movq 0(%rsp),%r15 +.cfi_restore %r15 + movq 8(%rsp),%r14 +.cfi_restore %r14 + movq 16(%rsp),%r13 +.cfi_restore %r13 + movq 24(%rsp),%r12 +.cfi_restore %r12 + movq 32(%rsp),%rbx +.cfi_restore %rbx + movq 40(%rsp),%rbp +.cfi_restore %rbp + leaq 48(%rsp),%rsp +.cfi_adjust_cfa_offset -48 +.Lsqrx_epilogue: + ret +.cfi_endproc +.size ecp_nistz256_sqr_mont_adx,.-ecp_nistz256_sqr_mont_adx + .type __ecp_nistz256_sqr_montx,@function .align 32 __ecp_nistz256_sqr_montx: @@ -2021,17 +2087,13 @@ __ecp_nistz256_sqr_montx: .size __ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx -.globl ecp_nistz256_select_w5 -.hidden ecp_nistz256_select_w5 -.type ecp_nistz256_select_w5,@function +.globl ecp_nistz256_select_w5_nohw +.hidden ecp_nistz256_select_w5_nohw +.type ecp_nistz256_select_w5_nohw,@function .align 32 -ecp_nistz256_select_w5: +ecp_nistz256_select_w5_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rax - movq 8(%rax),%rax - testl $32,%eax - jnz .Lavx2_select_w5 movdqa .LOne(%rip),%xmm0 movd %edx,%xmm1 
@@ -2084,22 +2146,18 @@ _CET_ENDBR movdqu %xmm7,80(%rdi) ret .cfi_endproc -.LSEH_end_ecp_nistz256_select_w5: -.size ecp_nistz256_select_w5,.-ecp_nistz256_select_w5 +.LSEH_end_ecp_nistz256_select_w5_nohw: +.size ecp_nistz256_select_w5_nohw,.-ecp_nistz256_select_w5_nohw -.globl ecp_nistz256_select_w7 -.hidden ecp_nistz256_select_w7 -.type ecp_nistz256_select_w7,@function +.globl ecp_nistz256_select_w7_nohw +.hidden ecp_nistz256_select_w7_nohw +.type ecp_nistz256_select_w7_nohw,@function .align 32 -ecp_nistz256_select_w7: +ecp_nistz256_select_w7_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rax - movq 8(%rax),%rax - testl $32,%eax - jnz .Lavx2_select_w7 movdqa .LOne(%rip),%xmm8 movd %edx,%xmm1 @@ -2141,15 +2199,17 @@ _CET_ENDBR movdqu %xmm5,48(%rdi) ret .cfi_endproc -.LSEH_end_ecp_nistz256_select_w7: -.size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7 +.LSEH_end_ecp_nistz256_select_w7_nohw: +.size ecp_nistz256_select_w7_nohw,.-ecp_nistz256_select_w7_nohw -.type ecp_nistz256_avx2_select_w5,@function +.globl ecp_nistz256_select_w5_avx2 +.hidden ecp_nistz256_select_w5_avx2 +.type ecp_nistz256_select_w5_avx2,@function .align 32 -ecp_nistz256_avx2_select_w5: +ecp_nistz256_select_w5_avx2: .cfi_startproc -.Lavx2_select_w5: +_CET_ENDBR vzeroupper vmovdqa .LTwo(%rip),%ymm0 @@ -2204,18 +2264,17 @@ ecp_nistz256_avx2_select_w5: vzeroupper ret .cfi_endproc -.LSEH_end_ecp_nistz256_avx2_select_w5: -.size ecp_nistz256_avx2_select_w5,.-ecp_nistz256_avx2_select_w5 +.LSEH_end_ecp_nistz256_select_w5_avx2: +.size ecp_nistz256_select_w5_avx2,.-ecp_nistz256_select_w5_avx2 -.globl ecp_nistz256_avx2_select_w7 -.hidden ecp_nistz256_avx2_select_w7 -.type ecp_nistz256_avx2_select_w7,@function +.globl ecp_nistz256_select_w7_avx2 +.hidden ecp_nistz256_select_w7_avx2 +.type ecp_nistz256_select_w7_avx2,@function .align 32 -ecp_nistz256_avx2_select_w7: +ecp_nistz256_select_w7_avx2: .cfi_startproc -.Lavx2_select_w7: _CET_ENDBR vzeroupper vmovdqa .LThree(%rip),%ymm0 
@@ -2286,8 +2345,8 @@ _CET_ENDBR vzeroupper ret .cfi_endproc -.LSEH_end_ecp_nistz256_avx2_select_w7: -.size ecp_nistz256_avx2_select_w7,.-ecp_nistz256_avx2_select_w7 +.LSEH_end_ecp_nistz256_select_w7_avx2: +.size ecp_nistz256_select_w7_avx2,.-ecp_nistz256_select_w7_avx2 .type __ecp_nistz256_add_toq,@function .align 32 __ecp_nistz256_add_toq: @@ -2417,18 +2476,13 @@ __ecp_nistz256_mul_by_2q: ret .cfi_endproc .size __ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q -.globl ecp_nistz256_point_double -.hidden ecp_nistz256_point_double -.type ecp_nistz256_point_double,@function +.globl ecp_nistz256_point_double_nohw +.hidden ecp_nistz256_point_double_nohw +.type ecp_nistz256_point_double_nohw,@function .align 32 -ecp_nistz256_point_double: +ecp_nistz256_point_double_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je .Lpoint_doublex pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -2651,19 +2705,14 @@ _CET_ENDBR .Lpoint_doubleq_epilogue: ret .cfi_endproc -.size ecp_nistz256_point_double,.-ecp_nistz256_point_double -.globl ecp_nistz256_point_add -.hidden ecp_nistz256_point_add -.type ecp_nistz256_point_add,@function +.size ecp_nistz256_point_double_nohw,.-ecp_nistz256_point_double_nohw +.globl ecp_nistz256_point_add_nohw +.hidden ecp_nistz256_point_add_nohw +.type ecp_nistz256_point_add_nohw,@function .align 32 -ecp_nistz256_point_add: +ecp_nistz256_point_add_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je .Lpoint_addx pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 
@@ -3089,19 +3138,14 @@ _CET_ENDBR .Lpoint_addq_epilogue: ret .cfi_endproc -.size ecp_nistz256_point_add,.-ecp_nistz256_point_add -.globl ecp_nistz256_point_add_affine -.hidden ecp_nistz256_point_add_affine -.type ecp_nistz256_point_add_affine,@function +.size ecp_nistz256_point_add_nohw,.-ecp_nistz256_point_add_nohw +.globl ecp_nistz256_point_add_affine_nohw +.hidden ecp_nistz256_point_add_affine_nohw +.type ecp_nistz256_point_add_affine_nohw,@function .align 32 -ecp_nistz256_point_add_affine: +ecp_nistz256_point_add_affine_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%rcx - movq 8(%rcx),%rcx - andl $0x80100,%ecx - cmpl $0x80100,%ecx - je .Lpoint_add_affinex pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -3424,7 +3468,7 @@ _CET_ENDBR .Ladd_affineq_epilogue: ret .cfi_endproc -.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine +.size ecp_nistz256_point_add_affine_nohw,.-ecp_nistz256_point_add_affine_nohw .type __ecp_nistz256_add_tox,@function .align 32 __ecp_nistz256_add_tox: @@ -3560,11 +3604,13 @@ __ecp_nistz256_mul_by_2x: ret .cfi_endproc .size __ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x -.type ecp_nistz256_point_doublex,@function +.globl ecp_nistz256_point_double_adx +.hidden ecp_nistz256_point_double_adx +.type ecp_nistz256_point_double_adx,@function .align 32 -ecp_nistz256_point_doublex: +ecp_nistz256_point_double_adx: .cfi_startproc -.Lpoint_doublex: +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 
@@ -3787,12 +3833,14 @@ ecp_nistz256_point_doublex: .Lpoint_doublex_epilogue: ret .cfi_endproc -.size ecp_nistz256_point_doublex,.-ecp_nistz256_point_doublex -.type ecp_nistz256_point_addx,@function +.size ecp_nistz256_point_double_adx,.-ecp_nistz256_point_double_adx +.globl ecp_nistz256_point_add_adx +.hidden ecp_nistz256_point_add_adx +.type ecp_nistz256_point_add_adx,@function .align 32 -ecp_nistz256_point_addx: +ecp_nistz256_point_add_adx: .cfi_startproc -.Lpoint_addx: +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -4218,12 +4266,14 @@ ecp_nistz256_point_addx: .Lpoint_addx_epilogue: ret .cfi_endproc -.size ecp_nistz256_point_addx,.-ecp_nistz256_point_addx -.type ecp_nistz256_point_add_affinex,@function +.size ecp_nistz256_point_add_adx,.-ecp_nistz256_point_add_adx +.globl ecp_nistz256_point_add_affine_adx +.hidden ecp_nistz256_point_add_affine_adx +.type ecp_nistz256_point_add_affine_adx,@function .align 32 -ecp_nistz256_point_add_affinex: +ecp_nistz256_point_add_affine_adx: .cfi_startproc -.Lpoint_add_affinex: +_CET_ENDBR pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 @@ -4546,9 +4596,8 @@ ecp_nistz256_point_add_affinex: .Ladd_affinex_epilogue: ret .cfi_endproc -.size ecp_nistz256_point_add_affinex,.-ecp_nistz256_point_add_affinex +.size ecp_nistz256_point_add_affine_adx,.-ecp_nistz256_point_add_affine_adx #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-apple.S index 3226352ee..fe23aaa7d 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-ios.ios.aarch64.S 
+++ b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -309,7 +308,6 @@ Lbeeu_finish: ret #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-linux.S index 462d32416..f5a2603f0 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -309,7 +308,6 @@ beeu_mod_inverse_vartime: ret .size beeu_mod_inverse_vartime,.-beeu_mod_inverse_vartime #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-win.S b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-win.S new file mode 100644 index 000000000..320acc419 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-armv8-asm-win.S 
@@ -0,0 +1,314 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include "CNIOBoringSSL_arm_arch.h" + +.text +.globl beeu_mod_inverse_vartime + + +.align 4 +beeu_mod_inverse_vartime: + // Reserve enough space for 14 8-byte registers on the stack + // in the first stp call for x29, x30. + // Then store the remaining callee-saved registers. + // + // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 | + // ^ ^ + // sp <------------------- 112 bytes ----------------> old sp + // x29 (FP) + // + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-112]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + stp x0,x2,[sp,#96] + + // B = b3..b0 := a + ldp x25,x26,[x1] + ldp x27,x28,[x1,#16] + + // n3..n0 := n + // Note: the value of input params are changed in the following. + ldp x0,x1,[x2] + ldp x2,x30,[x2,#16] + + // A = a3..a0 := n + mov x21, x0 + mov x22, x1 + mov x23, x2 + mov x24, x30 + + // X = x4..x0 := 1 + mov x3, #1 + eor x4, x4, x4 + eor x5, x5, x5 + eor x6, x6, x6 + eor x7, x7, x7 + + // Y = y4..y0 := 0 + eor x8, x8, x8 + eor x9, x9, x9 + eor x10, x10, x10 + eor x11, x11, x11 + eor x12, x12, x12 + +Lbeeu_loop: + // if B == 0, jump to .Lbeeu_loop_end + orr x14, x25, x26 + orr x14, x14, x27 + + // reverse the bit order of x25. This is needed for clz after this macro + rbit x15, x25 + + orr x14, x14, x28 + cbz x14,Lbeeu_loop_end + + + // 0 < B < |n|, + // 0 < A <= |n|, + // (1) X*a == B (mod |n|), + // (2) (-1)*Y*a == A (mod |n|) + + // Now divide B by the maximum possible power of two in the + // integers, and divide X by the same value mod |n|. + // When we're done, (1) still holds. 
+ + // shift := number of trailing 0s in x25 + // ( = number of leading 0s in x15; see the "rbit" instruction in TEST_B_ZERO) + clz x13, x15 + + // If there is no shift, goto shift_A_Y + cbz x13, Lbeeu_shift_A_Y + + // Shift B right by "x13" bits + neg x14, x13 + lsr x25, x25, x13 + lsl x15, x26, x14 + + lsr x26, x26, x13 + lsl x19, x27, x14 + + orr x25, x25, x15 + + lsr x27, x27, x13 + lsl x20, x28, x14 + + orr x26, x26, x19 + + lsr x28, x28, x13 + + orr x27, x27, x20 + + + // Shift X right by "x13" bits, adding n whenever X becomes odd. + // x13--; + // x14 := 0; needed in the addition to the most significant word in SHIFT1 + eor x14, x14, x14 +Lbeeu_shift_loop_X: + tbz x3, #0, Lshift1_0 + adds x3, x3, x0 + adcs x4, x4, x1 + adcs x5, x5, x2 + adcs x6, x6, x30 + adc x7, x7, x14 +Lshift1_0: + // var0 := [var1|var0]<64..1>; + // i.e. concatenate var1 and var0, + // extract bits <64..1> from the resulting 128-bit value + // and put them in var0 + extr x3, x4, x3, #1 + extr x4, x5, x4, #1 + extr x5, x6, x5, #1 + extr x6, x7, x6, #1 + lsr x7, x7, #1 + + subs x13, x13, #1 + bne Lbeeu_shift_loop_X + + // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl + // with the following differences: + // - "x13" is set directly to the number of trailing 0s in B + // (using rbit and clz instructions) + // - The loop is only used to call SHIFT1(X) + // and x13 is decreased while executing the X loop. + // - SHIFT256(B, x13) is performed before right-shifting X; they are independent + +Lbeeu_shift_A_Y: + // Same for A and Y. + // Afterwards, (2) still holds. 
+ // Reverse the bit order of x21 + // x13 := number of trailing 0s in x21 (= number of leading 0s in x15) + rbit x15, x21 + clz x13, x15 + + // If there is no shift, goto |B-A|, X+Y update + cbz x13, Lbeeu_update_B_X_or_A_Y + + // Shift A right by "x13" bits + neg x14, x13 + lsr x21, x21, x13 + lsl x15, x22, x14 + + lsr x22, x22, x13 + lsl x19, x23, x14 + + orr x21, x21, x15 + + lsr x23, x23, x13 + lsl x20, x24, x14 + + orr x22, x22, x19 + + lsr x24, x24, x13 + + orr x23, x23, x20 + + + // Shift Y right by "x13" bits, adding n whenever Y becomes odd. + // x13--; + // x14 := 0; needed in the addition to the most significant word in SHIFT1 + eor x14, x14, x14 +Lbeeu_shift_loop_Y: + tbz x8, #0, Lshift1_1 + adds x8, x8, x0 + adcs x9, x9, x1 + adcs x10, x10, x2 + adcs x11, x11, x30 + adc x12, x12, x14 +Lshift1_1: + // var0 := [var1|var0]<64..1>; + // i.e. concatenate var1 and var0, + // extract bits <64..1> from the resulting 128-bit value + // and put them in var0 + extr x8, x9, x8, #1 + extr x9, x10, x9, #1 + extr x10, x11, x10, #1 + extr x11, x12, x11, #1 + lsr x12, x12, #1 + + subs x13, x13, #1 + bne Lbeeu_shift_loop_Y + +Lbeeu_update_B_X_or_A_Y: + // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow) + // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words + // without taking a sign bit if generated. The lack of a carry would + // indicate a negative result. 
See, for example, + // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes + subs x14, x25, x21 + sbcs x15, x26, x22 + sbcs x19, x27, x23 + sbcs x20, x28, x24 + bcs Lbeeu_B_greater_than_A + + // Else A > B => + // A := A - B; Y := Y + X; goto beginning of the loop + subs x21, x21, x25 + sbcs x22, x22, x26 + sbcs x23, x23, x27 + sbcs x24, x24, x28 + + adds x8, x8, x3 + adcs x9, x9, x4 + adcs x10, x10, x5 + adcs x11, x11, x6 + adc x12, x12, x7 + b Lbeeu_loop + +Lbeeu_B_greater_than_A: + // Continue with B > A => + // B := B - A; X := X + Y; goto beginning of the loop + mov x25, x14 + mov x26, x15 + mov x27, x19 + mov x28, x20 + + adds x3, x3, x8 + adcs x4, x4, x9 + adcs x5, x5, x10 + adcs x6, x6, x11 + adc x7, x7, x12 + b Lbeeu_loop + +Lbeeu_loop_end: + // The Euclid's algorithm loop ends when A == gcd(a,n); + // this would be 1, when a and n are co-prime (i.e. do not have a common factor). + // Since (-1)*Y*a == A (mod |n|), Y>0 + // then out = -Y mod n + + // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|) + // Is A-1 == 0? + // If not, fail. 
+ sub x14, x21, #1 + orr x14, x14, x22 + orr x14, x14, x23 + orr x14, x14, x24 + cbnz x14, Lbeeu_err + + // If Y>n ==> Y:=Y-n +Lbeeu_reduction_loop: + // x_i := y_i - n_i (X is no longer needed, use it as temp) + // (x14 = 0 from above) + subs x3, x8, x0 + sbcs x4, x9, x1 + sbcs x5, x10, x2 + sbcs x6, x11, x30 + sbcs x7, x12, x14 + + // If result is non-negative (i.e., cs = carry set = no borrow), + // y_i := x_i; goto reduce again + // else + // y_i := y_i; continue + csel x8, x3, x8, cs + csel x9, x4, x9, cs + csel x10, x5, x10, cs + csel x11, x6, x11, cs + csel x12, x7, x12, cs + bcs Lbeeu_reduction_loop + + // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0) + // out = -Y = n-Y + subs x8, x0, x8 + sbcs x9, x1, x9 + sbcs x10, x2, x10 + sbcs x11, x30, x11 + + // Save Y in output (out (x0) was saved on the stack) + ldr x3, [sp,#96] + stp x8, x9, [x3] + stp x10, x11, [x3,#16] + // return 1 (success) + mov x0, #1 + b Lbeeu_finish + +Lbeeu_err: + // return 0 (error) + eor x0, x0, x0 + +Lbeeu_finish: + // Restore callee-saved registers, except x0, x2 + add sp,x29,#0 + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldp x25,x26,[sp,#64] + ldp x27,x28,[sp,#80] + ldp x29,x30,[sp],#112 + + AARCH64_VALIDATE_LINK_REGISTER + ret + +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-apple.S similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-apple.S index d877651b9..4dadded99 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-apple.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -322,7 +321,6 @@ L$beeu_finish: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-linux.S index 833118a43..c0a1ee2fc 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/p256_beeu-x86_64-asm-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -336,7 +335,6 @@ _CET_ENDBR .size beeu_mod_inverse_vartime, .-beeu_mod_inverse_vartime #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-apple.S similarity index 89% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-apple.S index 232c8570e..298cdaf42 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rdrand-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-apple.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -57,7 +56,6 @@ L$err: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-linux.S similarity index 91% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-linux.S index f9005ef5e..5cdf70b75 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rdrand-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/rdrand-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -57,7 +56,6 @@ _CET_ENDBR .cfi_endproc .size CRYPTO_rdrand_multiple8_buf,.-CRYPTO_rdrand_multiple8_buf #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-apple.S index 55e0a456a..2a7efd109 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsaz-avx2-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-apple.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1749,7 +1748,6 @@ L$inc: .p2align 6 .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-linux.S index 1697cb3ce..c8633e670 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/rsaz-avx2-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/rsaz-avx2-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1749,7 +1748,6 @@ _CET_ENDBR .align 64 .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/sha1-586-apple.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-586-apple.S new file mode 100644 index 000000000..e4812bacb --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-586-apple.S 
@@ -0,0 +1,3787 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _sha1_block_data_order_nohw +.private_extern _sha1_block_data_order_nohw +.align 4 +_sha1_block_data_order_nohw: +L_sha1_block_data_order_nohw_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%ebp + movl 24(%esp),%esi + movl 28(%esp),%eax + subl $76,%esp + shll $6,%eax + addl %esi,%eax + movl %eax,104(%esp) + movl 16(%ebp),%edi + jmp L000loop +.align 4,0x90 +L000loop: + movl (%esi),%eax + movl 4(%esi),%ebx + movl 8(%esi),%ecx + movl 12(%esi),%edx + bswap %eax + bswap %ebx + bswap %ecx + bswap %edx + movl %eax,(%esp) + movl %ebx,4(%esp) + movl %ecx,8(%esp) + movl %edx,12(%esp) + movl 16(%esi),%eax + movl 20(%esi),%ebx + movl 24(%esi),%ecx + movl 28(%esi),%edx + bswap %eax + bswap %ebx + bswap %ecx + bswap %edx + movl %eax,16(%esp) + movl %ebx,20(%esp) + movl %ecx,24(%esp) + movl %edx,28(%esp) + movl 32(%esi),%eax + movl 36(%esi),%ebx + movl 40(%esi),%ecx + movl 44(%esi),%edx + bswap %eax + bswap %ebx + bswap %ecx + bswap %edx + movl %eax,32(%esp) + movl %ebx,36(%esp) + movl %ecx,40(%esp) + movl %edx,44(%esp) + movl 48(%esi),%eax + movl 52(%esi),%ebx + movl 56(%esi),%ecx + movl 60(%esi),%edx + bswap %eax + bswap %ebx + bswap %ecx + bswap %edx + movl %eax,48(%esp) + movl %ebx,52(%esp) + movl %ecx,56(%esp) + movl %edx,60(%esp) + movl %esi,100(%esp) + movl (%ebp),%eax + movl 4(%ebp),%ebx + movl 8(%ebp),%ecx + movl 12(%ebp),%edx + # 00_15 0 + movl %ecx,%esi + movl %eax,%ebp + roll $5,%ebp + xorl %edx,%esi + addl %edi,%ebp + movl (%esp),%edi + andl %ebx,%esi + rorl $2,%ebx + xorl %edx,%esi + leal 1518500249(%ebp,%edi,1),%ebp + addl %esi,%ebp + # 00_15 1 + movl %ebx,%edi + movl %ebp,%esi + roll $5,%ebp + xorl %ecx,%edi + addl %edx,%ebp + movl 4(%esp),%edx + andl %eax,%edi 
+ rorl $2,%eax + xorl %ecx,%edi + leal 1518500249(%ebp,%edx,1),%ebp + addl %edi,%ebp + # 00_15 2 + movl %eax,%edx + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%edx + addl %ecx,%ebp + movl 8(%esp),%ecx + andl %esi,%edx + rorl $2,%esi + xorl %ebx,%edx + leal 1518500249(%ebp,%ecx,1),%ebp + addl %edx,%ebp + # 00_15 3 + movl %esi,%ecx + movl %ebp,%edx + roll $5,%ebp + xorl %eax,%ecx + addl %ebx,%ebp + movl 12(%esp),%ebx + andl %edi,%ecx + rorl $2,%edi + xorl %eax,%ecx + leal 1518500249(%ebp,%ebx,1),%ebp + addl %ecx,%ebp + # 00_15 4 + movl %edi,%ebx + movl %ebp,%ecx + roll $5,%ebp + xorl %esi,%ebx + addl %eax,%ebp + movl 16(%esp),%eax + andl %edx,%ebx + rorl $2,%edx + xorl %esi,%ebx + leal 1518500249(%ebp,%eax,1),%ebp + addl %ebx,%ebp + # 00_15 5 + movl %edx,%eax + movl %ebp,%ebx + roll $5,%ebp + xorl %edi,%eax + addl %esi,%ebp + movl 20(%esp),%esi + andl %ecx,%eax + rorl $2,%ecx + xorl %edi,%eax + leal 1518500249(%ebp,%esi,1),%ebp + addl %eax,%ebp + # 00_15 6 + movl %ecx,%esi + movl %ebp,%eax + roll $5,%ebp + xorl %edx,%esi + addl %edi,%ebp + movl 24(%esp),%edi + andl %ebx,%esi + rorl $2,%ebx + xorl %edx,%esi + leal 1518500249(%ebp,%edi,1),%ebp + addl %esi,%ebp + # 00_15 7 + movl %ebx,%edi + movl %ebp,%esi + roll $5,%ebp + xorl %ecx,%edi + addl %edx,%ebp + movl 28(%esp),%edx + andl %eax,%edi + rorl $2,%eax + xorl %ecx,%edi + leal 1518500249(%ebp,%edx,1),%ebp + addl %edi,%ebp + # 00_15 8 + movl %eax,%edx + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%edx + addl %ecx,%ebp + movl 32(%esp),%ecx + andl %esi,%edx + rorl $2,%esi + xorl %ebx,%edx + leal 1518500249(%ebp,%ecx,1),%ebp + addl %edx,%ebp + # 00_15 9 + movl %esi,%ecx + movl %ebp,%edx + roll $5,%ebp + xorl %eax,%ecx + addl %ebx,%ebp + movl 36(%esp),%ebx + andl %edi,%ecx + rorl $2,%edi + xorl %eax,%ecx + leal 1518500249(%ebp,%ebx,1),%ebp + addl %ecx,%ebp + # 00_15 10 + movl %edi,%ebx + movl %ebp,%ecx + roll $5,%ebp + xorl %esi,%ebx + addl %eax,%ebp + movl 40(%esp),%eax + andl %edx,%ebx + rorl $2,%edx + xorl %esi,%ebx + 
leal 1518500249(%ebp,%eax,1),%ebp + addl %ebx,%ebp + # 00_15 11 + movl %edx,%eax + movl %ebp,%ebx + roll $5,%ebp + xorl %edi,%eax + addl %esi,%ebp + movl 44(%esp),%esi + andl %ecx,%eax + rorl $2,%ecx + xorl %edi,%eax + leal 1518500249(%ebp,%esi,1),%ebp + addl %eax,%ebp + # 00_15 12 + movl %ecx,%esi + movl %ebp,%eax + roll $5,%ebp + xorl %edx,%esi + addl %edi,%ebp + movl 48(%esp),%edi + andl %ebx,%esi + rorl $2,%ebx + xorl %edx,%esi + leal 1518500249(%ebp,%edi,1),%ebp + addl %esi,%ebp + # 00_15 13 + movl %ebx,%edi + movl %ebp,%esi + roll $5,%ebp + xorl %ecx,%edi + addl %edx,%ebp + movl 52(%esp),%edx + andl %eax,%edi + rorl $2,%eax + xorl %ecx,%edi + leal 1518500249(%ebp,%edx,1),%ebp + addl %edi,%ebp + # 00_15 14 + movl %eax,%edx + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%edx + addl %ecx,%ebp + movl 56(%esp),%ecx + andl %esi,%edx + rorl $2,%esi + xorl %ebx,%edx + leal 1518500249(%ebp,%ecx,1),%ebp + addl %edx,%ebp + # 00_15 15 + movl %esi,%ecx + movl %ebp,%edx + roll $5,%ebp + xorl %eax,%ecx + addl %ebx,%ebp + movl 60(%esp),%ebx + andl %edi,%ecx + rorl $2,%edi + xorl %eax,%ecx + leal 1518500249(%ebp,%ebx,1),%ebp + movl (%esp),%ebx + addl %ebp,%ecx + # 16_19 16 + movl %edi,%ebp + xorl 8(%esp),%ebx + xorl %esi,%ebp + xorl 32(%esp),%ebx + andl %edx,%ebp + xorl 52(%esp),%ebx + roll $1,%ebx + xorl %esi,%ebp + addl %ebp,%eax + movl %ecx,%ebp + rorl $2,%edx + movl %ebx,(%esp) + roll $5,%ebp + leal 1518500249(%ebx,%eax,1),%ebx + movl 4(%esp),%eax + addl %ebp,%ebx + # 16_19 17 + movl %edx,%ebp + xorl 12(%esp),%eax + xorl %edi,%ebp + xorl 36(%esp),%eax + andl %ecx,%ebp + xorl 56(%esp),%eax + roll $1,%eax + xorl %edi,%ebp + addl %ebp,%esi + movl %ebx,%ebp + rorl $2,%ecx + movl %eax,4(%esp) + roll $5,%ebp + leal 1518500249(%eax,%esi,1),%eax + movl 8(%esp),%esi + addl %ebp,%eax + # 16_19 18 + movl %ecx,%ebp + xorl 16(%esp),%esi + xorl %edx,%ebp + xorl 40(%esp),%esi + andl %ebx,%ebp + xorl 60(%esp),%esi + roll $1,%esi + xorl %edx,%ebp + addl %ebp,%edi + movl %eax,%ebp + rorl 
$2,%ebx + movl %esi,8(%esp) + roll $5,%ebp + leal 1518500249(%esi,%edi,1),%esi + movl 12(%esp),%edi + addl %ebp,%esi + # 16_19 19 + movl %ebx,%ebp + xorl 20(%esp),%edi + xorl %ecx,%ebp + xorl 44(%esp),%edi + andl %eax,%ebp + xorl (%esp),%edi + roll $1,%edi + xorl %ecx,%ebp + addl %ebp,%edx + movl %esi,%ebp + rorl $2,%eax + movl %edi,12(%esp) + roll $5,%ebp + leal 1518500249(%edi,%edx,1),%edi + movl 16(%esp),%edx + addl %ebp,%edi + # 20_39 20 + movl %esi,%ebp + xorl 24(%esp),%edx + xorl %eax,%ebp + xorl 48(%esp),%edx + xorl %ebx,%ebp + xorl 4(%esp),%edx + roll $1,%edx + addl %ebp,%ecx + rorl $2,%esi + movl %edi,%ebp + roll $5,%ebp + movl %edx,16(%esp) + leal 1859775393(%edx,%ecx,1),%edx + movl 20(%esp),%ecx + addl %ebp,%edx + # 20_39 21 + movl %edi,%ebp + xorl 28(%esp),%ecx + xorl %esi,%ebp + xorl 52(%esp),%ecx + xorl %eax,%ebp + xorl 8(%esp),%ecx + roll $1,%ecx + addl %ebp,%ebx + rorl $2,%edi + movl %edx,%ebp + roll $5,%ebp + movl %ecx,20(%esp) + leal 1859775393(%ecx,%ebx,1),%ecx + movl 24(%esp),%ebx + addl %ebp,%ecx + # 20_39 22 + movl %edx,%ebp + xorl 32(%esp),%ebx + xorl %edi,%ebp + xorl 56(%esp),%ebx + xorl %esi,%ebp + xorl 12(%esp),%ebx + roll $1,%ebx + addl %ebp,%eax + rorl $2,%edx + movl %ecx,%ebp + roll $5,%ebp + movl %ebx,24(%esp) + leal 1859775393(%ebx,%eax,1),%ebx + movl 28(%esp),%eax + addl %ebp,%ebx + # 20_39 23 + movl %ecx,%ebp + xorl 36(%esp),%eax + xorl %edx,%ebp + xorl 60(%esp),%eax + xorl %edi,%ebp + xorl 16(%esp),%eax + roll $1,%eax + addl %ebp,%esi + rorl $2,%ecx + movl %ebx,%ebp + roll $5,%ebp + movl %eax,28(%esp) + leal 1859775393(%eax,%esi,1),%eax + movl 32(%esp),%esi + addl %ebp,%eax + # 20_39 24 + movl %ebx,%ebp + xorl 40(%esp),%esi + xorl %ecx,%ebp + xorl (%esp),%esi + xorl %edx,%ebp + xorl 20(%esp),%esi + roll $1,%esi + addl %ebp,%edi + rorl $2,%ebx + movl %eax,%ebp + roll $5,%ebp + movl %esi,32(%esp) + leal 1859775393(%esi,%edi,1),%esi + movl 36(%esp),%edi + addl %ebp,%esi + # 20_39 25 + movl %eax,%ebp + xorl 44(%esp),%edi + xorl 
%ebx,%ebp + xorl 4(%esp),%edi + xorl %ecx,%ebp + xorl 24(%esp),%edi + roll $1,%edi + addl %ebp,%edx + rorl $2,%eax + movl %esi,%ebp + roll $5,%ebp + movl %edi,36(%esp) + leal 1859775393(%edi,%edx,1),%edi + movl 40(%esp),%edx + addl %ebp,%edi + # 20_39 26 + movl %esi,%ebp + xorl 48(%esp),%edx + xorl %eax,%ebp + xorl 8(%esp),%edx + xorl %ebx,%ebp + xorl 28(%esp),%edx + roll $1,%edx + addl %ebp,%ecx + rorl $2,%esi + movl %edi,%ebp + roll $5,%ebp + movl %edx,40(%esp) + leal 1859775393(%edx,%ecx,1),%edx + movl 44(%esp),%ecx + addl %ebp,%edx + # 20_39 27 + movl %edi,%ebp + xorl 52(%esp),%ecx + xorl %esi,%ebp + xorl 12(%esp),%ecx + xorl %eax,%ebp + xorl 32(%esp),%ecx + roll $1,%ecx + addl %ebp,%ebx + rorl $2,%edi + movl %edx,%ebp + roll $5,%ebp + movl %ecx,44(%esp) + leal 1859775393(%ecx,%ebx,1),%ecx + movl 48(%esp),%ebx + addl %ebp,%ecx + # 20_39 28 + movl %edx,%ebp + xorl 56(%esp),%ebx + xorl %edi,%ebp + xorl 16(%esp),%ebx + xorl %esi,%ebp + xorl 36(%esp),%ebx + roll $1,%ebx + addl %ebp,%eax + rorl $2,%edx + movl %ecx,%ebp + roll $5,%ebp + movl %ebx,48(%esp) + leal 1859775393(%ebx,%eax,1),%ebx + movl 52(%esp),%eax + addl %ebp,%ebx + # 20_39 29 + movl %ecx,%ebp + xorl 60(%esp),%eax + xorl %edx,%ebp + xorl 20(%esp),%eax + xorl %edi,%ebp + xorl 40(%esp),%eax + roll $1,%eax + addl %ebp,%esi + rorl $2,%ecx + movl %ebx,%ebp + roll $5,%ebp + movl %eax,52(%esp) + leal 1859775393(%eax,%esi,1),%eax + movl 56(%esp),%esi + addl %ebp,%eax + # 20_39 30 + movl %ebx,%ebp + xorl (%esp),%esi + xorl %ecx,%ebp + xorl 24(%esp),%esi + xorl %edx,%ebp + xorl 44(%esp),%esi + roll $1,%esi + addl %ebp,%edi + rorl $2,%ebx + movl %eax,%ebp + roll $5,%ebp + movl %esi,56(%esp) + leal 1859775393(%esi,%edi,1),%esi + movl 60(%esp),%edi + addl %ebp,%esi + # 20_39 31 + movl %eax,%ebp + xorl 4(%esp),%edi + xorl %ebx,%ebp + xorl 28(%esp),%edi + xorl %ecx,%ebp + xorl 48(%esp),%edi + roll $1,%edi + addl %ebp,%edx + rorl $2,%eax + movl %esi,%ebp + roll $5,%ebp + movl %edi,60(%esp) + leal 
1859775393(%edi,%edx,1),%edi + movl (%esp),%edx + addl %ebp,%edi + # 20_39 32 + movl %esi,%ebp + xorl 8(%esp),%edx + xorl %eax,%ebp + xorl 32(%esp),%edx + xorl %ebx,%ebp + xorl 52(%esp),%edx + roll $1,%edx + addl %ebp,%ecx + rorl $2,%esi + movl %edi,%ebp + roll $5,%ebp + movl %edx,(%esp) + leal 1859775393(%edx,%ecx,1),%edx + movl 4(%esp),%ecx + addl %ebp,%edx + # 20_39 33 + movl %edi,%ebp + xorl 12(%esp),%ecx + xorl %esi,%ebp + xorl 36(%esp),%ecx + xorl %eax,%ebp + xorl 56(%esp),%ecx + roll $1,%ecx + addl %ebp,%ebx + rorl $2,%edi + movl %edx,%ebp + roll $5,%ebp + movl %ecx,4(%esp) + leal 1859775393(%ecx,%ebx,1),%ecx + movl 8(%esp),%ebx + addl %ebp,%ecx + # 20_39 34 + movl %edx,%ebp + xorl 16(%esp),%ebx + xorl %edi,%ebp + xorl 40(%esp),%ebx + xorl %esi,%ebp + xorl 60(%esp),%ebx + roll $1,%ebx + addl %ebp,%eax + rorl $2,%edx + movl %ecx,%ebp + roll $5,%ebp + movl %ebx,8(%esp) + leal 1859775393(%ebx,%eax,1),%ebx + movl 12(%esp),%eax + addl %ebp,%ebx + # 20_39 35 + movl %ecx,%ebp + xorl 20(%esp),%eax + xorl %edx,%ebp + xorl 44(%esp),%eax + xorl %edi,%ebp + xorl (%esp),%eax + roll $1,%eax + addl %ebp,%esi + rorl $2,%ecx + movl %ebx,%ebp + roll $5,%ebp + movl %eax,12(%esp) + leal 1859775393(%eax,%esi,1),%eax + movl 16(%esp),%esi + addl %ebp,%eax + # 20_39 36 + movl %ebx,%ebp + xorl 24(%esp),%esi + xorl %ecx,%ebp + xorl 48(%esp),%esi + xorl %edx,%ebp + xorl 4(%esp),%esi + roll $1,%esi + addl %ebp,%edi + rorl $2,%ebx + movl %eax,%ebp + roll $5,%ebp + movl %esi,16(%esp) + leal 1859775393(%esi,%edi,1),%esi + movl 20(%esp),%edi + addl %ebp,%esi + # 20_39 37 + movl %eax,%ebp + xorl 28(%esp),%edi + xorl %ebx,%ebp + xorl 52(%esp),%edi + xorl %ecx,%ebp + xorl 8(%esp),%edi + roll $1,%edi + addl %ebp,%edx + rorl $2,%eax + movl %esi,%ebp + roll $5,%ebp + movl %edi,20(%esp) + leal 1859775393(%edi,%edx,1),%edi + movl 24(%esp),%edx + addl %ebp,%edi + # 20_39 38 + movl %esi,%ebp + xorl 32(%esp),%edx + xorl %eax,%ebp + xorl 56(%esp),%edx + xorl %ebx,%ebp + xorl 12(%esp),%edx + roll 
$1,%edx + addl %ebp,%ecx + rorl $2,%esi + movl %edi,%ebp + roll $5,%ebp + movl %edx,24(%esp) + leal 1859775393(%edx,%ecx,1),%edx + movl 28(%esp),%ecx + addl %ebp,%edx + # 20_39 39 + movl %edi,%ebp + xorl 36(%esp),%ecx + xorl %esi,%ebp + xorl 60(%esp),%ecx + xorl %eax,%ebp + xorl 16(%esp),%ecx + roll $1,%ecx + addl %ebp,%ebx + rorl $2,%edi + movl %edx,%ebp + roll $5,%ebp + movl %ecx,28(%esp) + leal 1859775393(%ecx,%ebx,1),%ecx + movl 32(%esp),%ebx + addl %ebp,%ecx + # 40_59 40 + movl %edi,%ebp + xorl 40(%esp),%ebx + xorl %esi,%ebp + xorl (%esp),%ebx + andl %edx,%ebp + xorl 20(%esp),%ebx + roll $1,%ebx + addl %eax,%ebp + rorl $2,%edx + movl %ecx,%eax + roll $5,%eax + movl %ebx,32(%esp) + leal 2400959708(%ebx,%ebp,1),%ebx + movl %edi,%ebp + addl %eax,%ebx + andl %esi,%ebp + movl 36(%esp),%eax + addl %ebp,%ebx + # 40_59 41 + movl %edx,%ebp + xorl 44(%esp),%eax + xorl %edi,%ebp + xorl 4(%esp),%eax + andl %ecx,%ebp + xorl 24(%esp),%eax + roll $1,%eax + addl %esi,%ebp + rorl $2,%ecx + movl %ebx,%esi + roll $5,%esi + movl %eax,36(%esp) + leal 2400959708(%eax,%ebp,1),%eax + movl %edx,%ebp + addl %esi,%eax + andl %edi,%ebp + movl 40(%esp),%esi + addl %ebp,%eax + # 40_59 42 + movl %ecx,%ebp + xorl 48(%esp),%esi + xorl %edx,%ebp + xorl 8(%esp),%esi + andl %ebx,%ebp + xorl 28(%esp),%esi + roll $1,%esi + addl %edi,%ebp + rorl $2,%ebx + movl %eax,%edi + roll $5,%edi + movl %esi,40(%esp) + leal 2400959708(%esi,%ebp,1),%esi + movl %ecx,%ebp + addl %edi,%esi + andl %edx,%ebp + movl 44(%esp),%edi + addl %ebp,%esi + # 40_59 43 + movl %ebx,%ebp + xorl 52(%esp),%edi + xorl %ecx,%ebp + xorl 12(%esp),%edi + andl %eax,%ebp + xorl 32(%esp),%edi + roll $1,%edi + addl %edx,%ebp + rorl $2,%eax + movl %esi,%edx + roll $5,%edx + movl %edi,44(%esp) + leal 2400959708(%edi,%ebp,1),%edi + movl %ebx,%ebp + addl %edx,%edi + andl %ecx,%ebp + movl 48(%esp),%edx + addl %ebp,%edi + # 40_59 44 + movl %eax,%ebp + xorl 56(%esp),%edx + xorl %ebx,%ebp + xorl 16(%esp),%edx + andl %esi,%ebp + xorl 36(%esp),%edx 
+ roll $1,%edx + addl %ecx,%ebp + rorl $2,%esi + movl %edi,%ecx + roll $5,%ecx + movl %edx,48(%esp) + leal 2400959708(%edx,%ebp,1),%edx + movl %eax,%ebp + addl %ecx,%edx + andl %ebx,%ebp + movl 52(%esp),%ecx + addl %ebp,%edx + # 40_59 45 + movl %esi,%ebp + xorl 60(%esp),%ecx + xorl %eax,%ebp + xorl 20(%esp),%ecx + andl %edi,%ebp + xorl 40(%esp),%ecx + roll $1,%ecx + addl %ebx,%ebp + rorl $2,%edi + movl %edx,%ebx + roll $5,%ebx + movl %ecx,52(%esp) + leal 2400959708(%ecx,%ebp,1),%ecx + movl %esi,%ebp + addl %ebx,%ecx + andl %eax,%ebp + movl 56(%esp),%ebx + addl %ebp,%ecx + # 40_59 46 + movl %edi,%ebp + xorl (%esp),%ebx + xorl %esi,%ebp + xorl 24(%esp),%ebx + andl %edx,%ebp + xorl 44(%esp),%ebx + roll $1,%ebx + addl %eax,%ebp + rorl $2,%edx + movl %ecx,%eax + roll $5,%eax + movl %ebx,56(%esp) + leal 2400959708(%ebx,%ebp,1),%ebx + movl %edi,%ebp + addl %eax,%ebx + andl %esi,%ebp + movl 60(%esp),%eax + addl %ebp,%ebx + # 40_59 47 + movl %edx,%ebp + xorl 4(%esp),%eax + xorl %edi,%ebp + xorl 28(%esp),%eax + andl %ecx,%ebp + xorl 48(%esp),%eax + roll $1,%eax + addl %esi,%ebp + rorl $2,%ecx + movl %ebx,%esi + roll $5,%esi + movl %eax,60(%esp) + leal 2400959708(%eax,%ebp,1),%eax + movl %edx,%ebp + addl %esi,%eax + andl %edi,%ebp + movl (%esp),%esi + addl %ebp,%eax + # 40_59 48 + movl %ecx,%ebp + xorl 8(%esp),%esi + xorl %edx,%ebp + xorl 32(%esp),%esi + andl %ebx,%ebp + xorl 52(%esp),%esi + roll $1,%esi + addl %edi,%ebp + rorl $2,%ebx + movl %eax,%edi + roll $5,%edi + movl %esi,(%esp) + leal 2400959708(%esi,%ebp,1),%esi + movl %ecx,%ebp + addl %edi,%esi + andl %edx,%ebp + movl 4(%esp),%edi + addl %ebp,%esi + # 40_59 49 + movl %ebx,%ebp + xorl 12(%esp),%edi + xorl %ecx,%ebp + xorl 36(%esp),%edi + andl %eax,%ebp + xorl 56(%esp),%edi + roll $1,%edi + addl %edx,%ebp + rorl $2,%eax + movl %esi,%edx + roll $5,%edx + movl %edi,4(%esp) + leal 2400959708(%edi,%ebp,1),%edi + movl %ebx,%ebp + addl %edx,%edi + andl %ecx,%ebp + movl 8(%esp),%edx + addl %ebp,%edi + # 40_59 50 + movl 
%eax,%ebp + xorl 16(%esp),%edx + xorl %ebx,%ebp + xorl 40(%esp),%edx + andl %esi,%ebp + xorl 60(%esp),%edx + roll $1,%edx + addl %ecx,%ebp + rorl $2,%esi + movl %edi,%ecx + roll $5,%ecx + movl %edx,8(%esp) + leal 2400959708(%edx,%ebp,1),%edx + movl %eax,%ebp + addl %ecx,%edx + andl %ebx,%ebp + movl 12(%esp),%ecx + addl %ebp,%edx + # 40_59 51 + movl %esi,%ebp + xorl 20(%esp),%ecx + xorl %eax,%ebp + xorl 44(%esp),%ecx + andl %edi,%ebp + xorl (%esp),%ecx + roll $1,%ecx + addl %ebx,%ebp + rorl $2,%edi + movl %edx,%ebx + roll $5,%ebx + movl %ecx,12(%esp) + leal 2400959708(%ecx,%ebp,1),%ecx + movl %esi,%ebp + addl %ebx,%ecx + andl %eax,%ebp + movl 16(%esp),%ebx + addl %ebp,%ecx + # 40_59 52 + movl %edi,%ebp + xorl 24(%esp),%ebx + xorl %esi,%ebp + xorl 48(%esp),%ebx + andl %edx,%ebp + xorl 4(%esp),%ebx + roll $1,%ebx + addl %eax,%ebp + rorl $2,%edx + movl %ecx,%eax + roll $5,%eax + movl %ebx,16(%esp) + leal 2400959708(%ebx,%ebp,1),%ebx + movl %edi,%ebp + addl %eax,%ebx + andl %esi,%ebp + movl 20(%esp),%eax + addl %ebp,%ebx + # 40_59 53 + movl %edx,%ebp + xorl 28(%esp),%eax + xorl %edi,%ebp + xorl 52(%esp),%eax + andl %ecx,%ebp + xorl 8(%esp),%eax + roll $1,%eax + addl %esi,%ebp + rorl $2,%ecx + movl %ebx,%esi + roll $5,%esi + movl %eax,20(%esp) + leal 2400959708(%eax,%ebp,1),%eax + movl %edx,%ebp + addl %esi,%eax + andl %edi,%ebp + movl 24(%esp),%esi + addl %ebp,%eax + # 40_59 54 + movl %ecx,%ebp + xorl 32(%esp),%esi + xorl %edx,%ebp + xorl 56(%esp),%esi + andl %ebx,%ebp + xorl 12(%esp),%esi + roll $1,%esi + addl %edi,%ebp + rorl $2,%ebx + movl %eax,%edi + roll $5,%edi + movl %esi,24(%esp) + leal 2400959708(%esi,%ebp,1),%esi + movl %ecx,%ebp + addl %edi,%esi + andl %edx,%ebp + movl 28(%esp),%edi + addl %ebp,%esi + # 40_59 55 + movl %ebx,%ebp + xorl 36(%esp),%edi + xorl %ecx,%ebp + xorl 60(%esp),%edi + andl %eax,%ebp + xorl 16(%esp),%edi + roll $1,%edi + addl %edx,%ebp + rorl $2,%eax + movl %esi,%edx + roll $5,%edx + movl %edi,28(%esp) + leal 2400959708(%edi,%ebp,1),%edi + 
movl %ebx,%ebp + addl %edx,%edi + andl %ecx,%ebp + movl 32(%esp),%edx + addl %ebp,%edi + # 40_59 56 + movl %eax,%ebp + xorl 40(%esp),%edx + xorl %ebx,%ebp + xorl (%esp),%edx + andl %esi,%ebp + xorl 20(%esp),%edx + roll $1,%edx + addl %ecx,%ebp + rorl $2,%esi + movl %edi,%ecx + roll $5,%ecx + movl %edx,32(%esp) + leal 2400959708(%edx,%ebp,1),%edx + movl %eax,%ebp + addl %ecx,%edx + andl %ebx,%ebp + movl 36(%esp),%ecx + addl %ebp,%edx + # 40_59 57 + movl %esi,%ebp + xorl 44(%esp),%ecx + xorl %eax,%ebp + xorl 4(%esp),%ecx + andl %edi,%ebp + xorl 24(%esp),%ecx + roll $1,%ecx + addl %ebx,%ebp + rorl $2,%edi + movl %edx,%ebx + roll $5,%ebx + movl %ecx,36(%esp) + leal 2400959708(%ecx,%ebp,1),%ecx + movl %esi,%ebp + addl %ebx,%ecx + andl %eax,%ebp + movl 40(%esp),%ebx + addl %ebp,%ecx + # 40_59 58 + movl %edi,%ebp + xorl 48(%esp),%ebx + xorl %esi,%ebp + xorl 8(%esp),%ebx + andl %edx,%ebp + xorl 28(%esp),%ebx + roll $1,%ebx + addl %eax,%ebp + rorl $2,%edx + movl %ecx,%eax + roll $5,%eax + movl %ebx,40(%esp) + leal 2400959708(%ebx,%ebp,1),%ebx + movl %edi,%ebp + addl %eax,%ebx + andl %esi,%ebp + movl 44(%esp),%eax + addl %ebp,%ebx + # 40_59 59 + movl %edx,%ebp + xorl 52(%esp),%eax + xorl %edi,%ebp + xorl 12(%esp),%eax + andl %ecx,%ebp + xorl 32(%esp),%eax + roll $1,%eax + addl %esi,%ebp + rorl $2,%ecx + movl %ebx,%esi + roll $5,%esi + movl %eax,44(%esp) + leal 2400959708(%eax,%ebp,1),%eax + movl %edx,%ebp + addl %esi,%eax + andl %edi,%ebp + movl 48(%esp),%esi + addl %ebp,%eax + # 20_39 60 + movl %ebx,%ebp + xorl 56(%esp),%esi + xorl %ecx,%ebp + xorl 16(%esp),%esi + xorl %edx,%ebp + xorl 36(%esp),%esi + roll $1,%esi + addl %ebp,%edi + rorl $2,%ebx + movl %eax,%ebp + roll $5,%ebp + movl %esi,48(%esp) + leal 3395469782(%esi,%edi,1),%esi + movl 52(%esp),%edi + addl %ebp,%esi + # 20_39 61 + movl %eax,%ebp + xorl 60(%esp),%edi + xorl %ebx,%ebp + xorl 20(%esp),%edi + xorl %ecx,%ebp + xorl 40(%esp),%edi + roll $1,%edi + addl %ebp,%edx + rorl $2,%eax + movl %esi,%ebp + roll $5,%ebp + 
movl %edi,52(%esp) + leal 3395469782(%edi,%edx,1),%edi + movl 56(%esp),%edx + addl %ebp,%edi + # 20_39 62 + movl %esi,%ebp + xorl (%esp),%edx + xorl %eax,%ebp + xorl 24(%esp),%edx + xorl %ebx,%ebp + xorl 44(%esp),%edx + roll $1,%edx + addl %ebp,%ecx + rorl $2,%esi + movl %edi,%ebp + roll $5,%ebp + movl %edx,56(%esp) + leal 3395469782(%edx,%ecx,1),%edx + movl 60(%esp),%ecx + addl %ebp,%edx + # 20_39 63 + movl %edi,%ebp + xorl 4(%esp),%ecx + xorl %esi,%ebp + xorl 28(%esp),%ecx + xorl %eax,%ebp + xorl 48(%esp),%ecx + roll $1,%ecx + addl %ebp,%ebx + rorl $2,%edi + movl %edx,%ebp + roll $5,%ebp + movl %ecx,60(%esp) + leal 3395469782(%ecx,%ebx,1),%ecx + movl (%esp),%ebx + addl %ebp,%ecx + # 20_39 64 + movl %edx,%ebp + xorl 8(%esp),%ebx + xorl %edi,%ebp + xorl 32(%esp),%ebx + xorl %esi,%ebp + xorl 52(%esp),%ebx + roll $1,%ebx + addl %ebp,%eax + rorl $2,%edx + movl %ecx,%ebp + roll $5,%ebp + movl %ebx,(%esp) + leal 3395469782(%ebx,%eax,1),%ebx + movl 4(%esp),%eax + addl %ebp,%ebx + # 20_39 65 + movl %ecx,%ebp + xorl 12(%esp),%eax + xorl %edx,%ebp + xorl 36(%esp),%eax + xorl %edi,%ebp + xorl 56(%esp),%eax + roll $1,%eax + addl %ebp,%esi + rorl $2,%ecx + movl %ebx,%ebp + roll $5,%ebp + movl %eax,4(%esp) + leal 3395469782(%eax,%esi,1),%eax + movl 8(%esp),%esi + addl %ebp,%eax + # 20_39 66 + movl %ebx,%ebp + xorl 16(%esp),%esi + xorl %ecx,%ebp + xorl 40(%esp),%esi + xorl %edx,%ebp + xorl 60(%esp),%esi + roll $1,%esi + addl %ebp,%edi + rorl $2,%ebx + movl %eax,%ebp + roll $5,%ebp + movl %esi,8(%esp) + leal 3395469782(%esi,%edi,1),%esi + movl 12(%esp),%edi + addl %ebp,%esi + # 20_39 67 + movl %eax,%ebp + xorl 20(%esp),%edi + xorl %ebx,%ebp + xorl 44(%esp),%edi + xorl %ecx,%ebp + xorl (%esp),%edi + roll $1,%edi + addl %ebp,%edx + rorl $2,%eax + movl %esi,%ebp + roll $5,%ebp + movl %edi,12(%esp) + leal 3395469782(%edi,%edx,1),%edi + movl 16(%esp),%edx + addl %ebp,%edi + # 20_39 68 + movl %esi,%ebp + xorl 24(%esp),%edx + xorl %eax,%ebp + xorl 48(%esp),%edx + xorl %ebx,%ebp + xorl 
4(%esp),%edx + roll $1,%edx + addl %ebp,%ecx + rorl $2,%esi + movl %edi,%ebp + roll $5,%ebp + movl %edx,16(%esp) + leal 3395469782(%edx,%ecx,1),%edx + movl 20(%esp),%ecx + addl %ebp,%edx + # 20_39 69 + movl %edi,%ebp + xorl 28(%esp),%ecx + xorl %esi,%ebp + xorl 52(%esp),%ecx + xorl %eax,%ebp + xorl 8(%esp),%ecx + roll $1,%ecx + addl %ebp,%ebx + rorl $2,%edi + movl %edx,%ebp + roll $5,%ebp + movl %ecx,20(%esp) + leal 3395469782(%ecx,%ebx,1),%ecx + movl 24(%esp),%ebx + addl %ebp,%ecx + # 20_39 70 + movl %edx,%ebp + xorl 32(%esp),%ebx + xorl %edi,%ebp + xorl 56(%esp),%ebx + xorl %esi,%ebp + xorl 12(%esp),%ebx + roll $1,%ebx + addl %ebp,%eax + rorl $2,%edx + movl %ecx,%ebp + roll $5,%ebp + movl %ebx,24(%esp) + leal 3395469782(%ebx,%eax,1),%ebx + movl 28(%esp),%eax + addl %ebp,%ebx + # 20_39 71 + movl %ecx,%ebp + xorl 36(%esp),%eax + xorl %edx,%ebp + xorl 60(%esp),%eax + xorl %edi,%ebp + xorl 16(%esp),%eax + roll $1,%eax + addl %ebp,%esi + rorl $2,%ecx + movl %ebx,%ebp + roll $5,%ebp + movl %eax,28(%esp) + leal 3395469782(%eax,%esi,1),%eax + movl 32(%esp),%esi + addl %ebp,%eax + # 20_39 72 + movl %ebx,%ebp + xorl 40(%esp),%esi + xorl %ecx,%ebp + xorl (%esp),%esi + xorl %edx,%ebp + xorl 20(%esp),%esi + roll $1,%esi + addl %ebp,%edi + rorl $2,%ebx + movl %eax,%ebp + roll $5,%ebp + movl %esi,32(%esp) + leal 3395469782(%esi,%edi,1),%esi + movl 36(%esp),%edi + addl %ebp,%esi + # 20_39 73 + movl %eax,%ebp + xorl 44(%esp),%edi + xorl %ebx,%ebp + xorl 4(%esp),%edi + xorl %ecx,%ebp + xorl 24(%esp),%edi + roll $1,%edi + addl %ebp,%edx + rorl $2,%eax + movl %esi,%ebp + roll $5,%ebp + movl %edi,36(%esp) + leal 3395469782(%edi,%edx,1),%edi + movl 40(%esp),%edx + addl %ebp,%edi + # 20_39 74 + movl %esi,%ebp + xorl 48(%esp),%edx + xorl %eax,%ebp + xorl 8(%esp),%edx + xorl %ebx,%ebp + xorl 28(%esp),%edx + roll $1,%edx + addl %ebp,%ecx + rorl $2,%esi + movl %edi,%ebp + roll $5,%ebp + movl %edx,40(%esp) + leal 3395469782(%edx,%ecx,1),%edx + movl 44(%esp),%ecx + addl %ebp,%edx + # 20_39 
75 + movl %edi,%ebp + xorl 52(%esp),%ecx + xorl %esi,%ebp + xorl 12(%esp),%ecx + xorl %eax,%ebp + xorl 32(%esp),%ecx + roll $1,%ecx + addl %ebp,%ebx + rorl $2,%edi + movl %edx,%ebp + roll $5,%ebp + movl %ecx,44(%esp) + leal 3395469782(%ecx,%ebx,1),%ecx + movl 48(%esp),%ebx + addl %ebp,%ecx + # 20_39 76 + movl %edx,%ebp + xorl 56(%esp),%ebx + xorl %edi,%ebp + xorl 16(%esp),%ebx + xorl %esi,%ebp + xorl 36(%esp),%ebx + roll $1,%ebx + addl %ebp,%eax + rorl $2,%edx + movl %ecx,%ebp + roll $5,%ebp + movl %ebx,48(%esp) + leal 3395469782(%ebx,%eax,1),%ebx + movl 52(%esp),%eax + addl %ebp,%ebx + # 20_39 77 + movl %ecx,%ebp + xorl 60(%esp),%eax + xorl %edx,%ebp + xorl 20(%esp),%eax + xorl %edi,%ebp + xorl 40(%esp),%eax + roll $1,%eax + addl %ebp,%esi + rorl $2,%ecx + movl %ebx,%ebp + roll $5,%ebp + leal 3395469782(%eax,%esi,1),%eax + movl 56(%esp),%esi + addl %ebp,%eax + # 20_39 78 + movl %ebx,%ebp + xorl (%esp),%esi + xorl %ecx,%ebp + xorl 24(%esp),%esi + xorl %edx,%ebp + xorl 44(%esp),%esi + roll $1,%esi + addl %ebp,%edi + rorl $2,%ebx + movl %eax,%ebp + roll $5,%ebp + leal 3395469782(%esi,%edi,1),%esi + movl 60(%esp),%edi + addl %ebp,%esi + # 20_39 79 + movl %eax,%ebp + xorl 4(%esp),%edi + xorl %ebx,%ebp + xorl 28(%esp),%edi + xorl %ecx,%ebp + xorl 48(%esp),%edi + roll $1,%edi + addl %ebp,%edx + rorl $2,%eax + movl %esi,%ebp + roll $5,%ebp + leal 3395469782(%edi,%edx,1),%edi + addl %ebp,%edi + movl 96(%esp),%ebp + movl 100(%esp),%edx + addl (%ebp),%edi + addl 4(%ebp),%esi + addl 8(%ebp),%eax + addl 12(%ebp),%ebx + addl 16(%ebp),%ecx + movl %edi,(%ebp) + addl $64,%edx + movl %esi,4(%ebp) + cmpl 104(%esp),%edx + movl %eax,8(%ebp) + movl %ecx,%edi + movl %ebx,12(%ebp) + movl %edx,%esi + movl %ecx,16(%ebp) + jb L000loop + addl $76,%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _sha1_block_data_order_ssse3 +.private_extern _sha1_block_data_order_ssse3 +.align 4 +_sha1_block_data_order_ssse3: +L_sha1_block_data_order_ssse3_begin: + pushl %ebp + pushl %ebx + 
pushl %esi + pushl %edi + call L001pic_point +L001pic_point: + popl %ebp + leal LK_XX_XX-L001pic_point(%ebp),%ebp + movdqa (%ebp),%xmm7 + movdqa 16(%ebp),%xmm0 + movdqa 32(%ebp),%xmm1 + movdqa 48(%ebp),%xmm2 + movdqa 64(%ebp),%xmm6 + movl 20(%esp),%edi + movl 24(%esp),%ebp + movl 28(%esp),%edx + movl %esp,%esi + subl $208,%esp + andl $-64,%esp + movdqa %xmm0,112(%esp) + movdqa %xmm1,128(%esp) + movdqa %xmm2,144(%esp) + shll $6,%edx + movdqa %xmm7,160(%esp) + addl %ebp,%edx + movdqa %xmm6,176(%esp) + addl $64,%ebp + movl %edi,192(%esp) + movl %ebp,196(%esp) + movl %edx,200(%esp) + movl %esi,204(%esp) + movl (%edi),%eax + movl 4(%edi),%ebx + movl 8(%edi),%ecx + movl 12(%edi),%edx + movl 16(%edi),%edi + movl %ebx,%esi + movdqu -64(%ebp),%xmm0 + movdqu -48(%ebp),%xmm1 + movdqu -32(%ebp),%xmm2 + movdqu -16(%ebp),%xmm3 +.byte 102,15,56,0,198 +.byte 102,15,56,0,206 +.byte 102,15,56,0,214 + movdqa %xmm7,96(%esp) +.byte 102,15,56,0,222 + paddd %xmm7,%xmm0 + paddd %xmm7,%xmm1 + paddd %xmm7,%xmm2 + movdqa %xmm0,(%esp) + psubd %xmm7,%xmm0 + movdqa %xmm1,16(%esp) + psubd %xmm7,%xmm1 + movdqa %xmm2,32(%esp) + movl %ecx,%ebp + psubd %xmm7,%xmm2 + xorl %edx,%ebp + pshufd $238,%xmm0,%xmm4 + andl %ebp,%esi + jmp L002loop +.align 4,0x90 +L002loop: + rorl $2,%ebx + xorl %edx,%esi + movl %eax,%ebp + punpcklqdq %xmm1,%xmm4 + movdqa %xmm3,%xmm6 + addl (%esp),%edi + xorl %ecx,%ebx + paddd %xmm3,%xmm7 + movdqa %xmm0,64(%esp) + roll $5,%eax + addl %esi,%edi + psrldq $4,%xmm6 + andl %ebx,%ebp + xorl %ecx,%ebx + pxor %xmm0,%xmm4 + addl %eax,%edi + rorl $7,%eax + pxor %xmm2,%xmm6 + xorl %ecx,%ebp + movl %edi,%esi + addl 4(%esp),%edx + pxor %xmm6,%xmm4 + xorl %ebx,%eax + roll $5,%edi + movdqa %xmm7,48(%esp) + addl %ebp,%edx + andl %eax,%esi + movdqa %xmm4,%xmm0 + xorl %ebx,%eax + addl %edi,%edx + rorl $7,%edi + movdqa %xmm4,%xmm6 + xorl %ebx,%esi + pslldq $12,%xmm0 + paddd %xmm4,%xmm4 + movl %edx,%ebp + addl 8(%esp),%ecx + psrld $31,%xmm6 + xorl %eax,%edi + roll $5,%edx + movdqa %xmm0,%xmm7 + 
addl %esi,%ecx + andl %edi,%ebp + xorl %eax,%edi + psrld $30,%xmm0 + addl %edx,%ecx + rorl $7,%edx + por %xmm6,%xmm4 + xorl %eax,%ebp + movl %ecx,%esi + addl 12(%esp),%ebx + pslld $2,%xmm7 + xorl %edi,%edx + roll $5,%ecx + pxor %xmm0,%xmm4 + movdqa 96(%esp),%xmm0 + addl %ebp,%ebx + andl %edx,%esi + pxor %xmm7,%xmm4 + pshufd $238,%xmm1,%xmm5 + xorl %edi,%edx + addl %ecx,%ebx + rorl $7,%ecx + xorl %edi,%esi + movl %ebx,%ebp + punpcklqdq %xmm2,%xmm5 + movdqa %xmm4,%xmm7 + addl 16(%esp),%eax + xorl %edx,%ecx + paddd %xmm4,%xmm0 + movdqa %xmm1,80(%esp) + roll $5,%ebx + addl %esi,%eax + psrldq $4,%xmm7 + andl %ecx,%ebp + xorl %edx,%ecx + pxor %xmm1,%xmm5 + addl %ebx,%eax + rorl $7,%ebx + pxor %xmm3,%xmm7 + xorl %edx,%ebp + movl %eax,%esi + addl 20(%esp),%edi + pxor %xmm7,%xmm5 + xorl %ecx,%ebx + roll $5,%eax + movdqa %xmm0,(%esp) + addl %ebp,%edi + andl %ebx,%esi + movdqa %xmm5,%xmm1 + xorl %ecx,%ebx + addl %eax,%edi + rorl $7,%eax + movdqa %xmm5,%xmm7 + xorl %ecx,%esi + pslldq $12,%xmm1 + paddd %xmm5,%xmm5 + movl %edi,%ebp + addl 24(%esp),%edx + psrld $31,%xmm7 + xorl %ebx,%eax + roll $5,%edi + movdqa %xmm1,%xmm0 + addl %esi,%edx + andl %eax,%ebp + xorl %ebx,%eax + psrld $30,%xmm1 + addl %edi,%edx + rorl $7,%edi + por %xmm7,%xmm5 + xorl %ebx,%ebp + movl %edx,%esi + addl 28(%esp),%ecx + pslld $2,%xmm0 + xorl %eax,%edi + roll $5,%edx + pxor %xmm1,%xmm5 + movdqa 112(%esp),%xmm1 + addl %ebp,%ecx + andl %edi,%esi + pxor %xmm0,%xmm5 + pshufd $238,%xmm2,%xmm6 + xorl %eax,%edi + addl %edx,%ecx + rorl $7,%edx + xorl %eax,%esi + movl %ecx,%ebp + punpcklqdq %xmm3,%xmm6 + movdqa %xmm5,%xmm0 + addl 32(%esp),%ebx + xorl %edi,%edx + paddd %xmm5,%xmm1 + movdqa %xmm2,96(%esp) + roll $5,%ecx + addl %esi,%ebx + psrldq $4,%xmm0 + andl %edx,%ebp + xorl %edi,%edx + pxor %xmm2,%xmm6 + addl %ecx,%ebx + rorl $7,%ecx + pxor %xmm4,%xmm0 + xorl %edi,%ebp + movl %ebx,%esi + addl 36(%esp),%eax + pxor %xmm0,%xmm6 + xorl %edx,%ecx + roll $5,%ebx + movdqa %xmm1,16(%esp) + addl %ebp,%eax + andl 
%ecx,%esi + movdqa %xmm6,%xmm2 + xorl %edx,%ecx + addl %ebx,%eax + rorl $7,%ebx + movdqa %xmm6,%xmm0 + xorl %edx,%esi + pslldq $12,%xmm2 + paddd %xmm6,%xmm6 + movl %eax,%ebp + addl 40(%esp),%edi + psrld $31,%xmm0 + xorl %ecx,%ebx + roll $5,%eax + movdqa %xmm2,%xmm1 + addl %esi,%edi + andl %ebx,%ebp + xorl %ecx,%ebx + psrld $30,%xmm2 + addl %eax,%edi + rorl $7,%eax + por %xmm0,%xmm6 + xorl %ecx,%ebp + movdqa 64(%esp),%xmm0 + movl %edi,%esi + addl 44(%esp),%edx + pslld $2,%xmm1 + xorl %ebx,%eax + roll $5,%edi + pxor %xmm2,%xmm6 + movdqa 112(%esp),%xmm2 + addl %ebp,%edx + andl %eax,%esi + pxor %xmm1,%xmm6 + pshufd $238,%xmm3,%xmm7 + xorl %ebx,%eax + addl %edi,%edx + rorl $7,%edi + xorl %ebx,%esi + movl %edx,%ebp + punpcklqdq %xmm4,%xmm7 + movdqa %xmm6,%xmm1 + addl 48(%esp),%ecx + xorl %eax,%edi + paddd %xmm6,%xmm2 + movdqa %xmm3,64(%esp) + roll $5,%edx + addl %esi,%ecx + psrldq $4,%xmm1 + andl %edi,%ebp + xorl %eax,%edi + pxor %xmm3,%xmm7 + addl %edx,%ecx + rorl $7,%edx + pxor %xmm5,%xmm1 + xorl %eax,%ebp + movl %ecx,%esi + addl 52(%esp),%ebx + pxor %xmm1,%xmm7 + xorl %edi,%edx + roll $5,%ecx + movdqa %xmm2,32(%esp) + addl %ebp,%ebx + andl %edx,%esi + movdqa %xmm7,%xmm3 + xorl %edi,%edx + addl %ecx,%ebx + rorl $7,%ecx + movdqa %xmm7,%xmm1 + xorl %edi,%esi + pslldq $12,%xmm3 + paddd %xmm7,%xmm7 + movl %ebx,%ebp + addl 56(%esp),%eax + psrld $31,%xmm1 + xorl %edx,%ecx + roll $5,%ebx + movdqa %xmm3,%xmm2 + addl %esi,%eax + andl %ecx,%ebp + xorl %edx,%ecx + psrld $30,%xmm3 + addl %ebx,%eax + rorl $7,%ebx + por %xmm1,%xmm7 + xorl %edx,%ebp + movdqa 80(%esp),%xmm1 + movl %eax,%esi + addl 60(%esp),%edi + pslld $2,%xmm2 + xorl %ecx,%ebx + roll $5,%eax + pxor %xmm3,%xmm7 + movdqa 112(%esp),%xmm3 + addl %ebp,%edi + andl %ebx,%esi + pxor %xmm2,%xmm7 + pshufd $238,%xmm6,%xmm2 + xorl %ecx,%ebx + addl %eax,%edi + rorl $7,%eax + pxor %xmm4,%xmm0 + punpcklqdq %xmm7,%xmm2 + xorl %ecx,%esi + movl %edi,%ebp + addl (%esp),%edx + pxor %xmm1,%xmm0 + movdqa %xmm4,80(%esp) + xorl %ebx,%eax + 
roll $5,%edi + movdqa %xmm3,%xmm4 + addl %esi,%edx + paddd %xmm7,%xmm3 + andl %eax,%ebp + pxor %xmm2,%xmm0 + xorl %ebx,%eax + addl %edi,%edx + rorl $7,%edi + xorl %ebx,%ebp + movdqa %xmm0,%xmm2 + movdqa %xmm3,48(%esp) + movl %edx,%esi + addl 4(%esp),%ecx + xorl %eax,%edi + roll $5,%edx + pslld $2,%xmm0 + addl %ebp,%ecx + andl %edi,%esi + psrld $30,%xmm2 + xorl %eax,%edi + addl %edx,%ecx + rorl $7,%edx + xorl %eax,%esi + movl %ecx,%ebp + addl 8(%esp),%ebx + xorl %edi,%edx + roll $5,%ecx + por %xmm2,%xmm0 + addl %esi,%ebx + andl %edx,%ebp + movdqa 96(%esp),%xmm2 + xorl %edi,%edx + addl %ecx,%ebx + addl 12(%esp),%eax + xorl %edi,%ebp + movl %ebx,%esi + pshufd $238,%xmm7,%xmm3 + roll $5,%ebx + addl %ebp,%eax + xorl %edx,%esi + rorl $7,%ecx + addl %ebx,%eax + addl 16(%esp),%edi + pxor %xmm5,%xmm1 + punpcklqdq %xmm0,%xmm3 + xorl %ecx,%esi + movl %eax,%ebp + roll $5,%eax + pxor %xmm2,%xmm1 + movdqa %xmm5,96(%esp) + addl %esi,%edi + xorl %ecx,%ebp + movdqa %xmm4,%xmm5 + rorl $7,%ebx + paddd %xmm0,%xmm4 + addl %eax,%edi + pxor %xmm3,%xmm1 + addl 20(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + roll $5,%edi + movdqa %xmm1,%xmm3 + movdqa %xmm4,(%esp) + addl %ebp,%edx + xorl %ebx,%esi + rorl $7,%eax + addl %edi,%edx + pslld $2,%xmm1 + addl 24(%esp),%ecx + xorl %eax,%esi + psrld $30,%xmm3 + movl %edx,%ebp + roll $5,%edx + addl %esi,%ecx + xorl %eax,%ebp + rorl $7,%edi + addl %edx,%ecx + por %xmm3,%xmm1 + addl 28(%esp),%ebx + xorl %edi,%ebp + movdqa 64(%esp),%xmm3 + movl %ecx,%esi + roll $5,%ecx + addl %ebp,%ebx + xorl %edi,%esi + rorl $7,%edx + pshufd $238,%xmm0,%xmm4 + addl %ecx,%ebx + addl 32(%esp),%eax + pxor %xmm6,%xmm2 + punpcklqdq %xmm1,%xmm4 + xorl %edx,%esi + movl %ebx,%ebp + roll $5,%ebx + pxor %xmm3,%xmm2 + movdqa %xmm6,64(%esp) + addl %esi,%eax + xorl %edx,%ebp + movdqa 128(%esp),%xmm6 + rorl $7,%ecx + paddd %xmm1,%xmm5 + addl %ebx,%eax + pxor %xmm4,%xmm2 + addl 36(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + roll $5,%eax + movdqa %xmm2,%xmm4 + movdqa 
%xmm5,16(%esp) + addl %ebp,%edi + xorl %ecx,%esi + rorl $7,%ebx + addl %eax,%edi + pslld $2,%xmm2 + addl 40(%esp),%edx + xorl %ebx,%esi + psrld $30,%xmm4 + movl %edi,%ebp + roll $5,%edi + addl %esi,%edx + xorl %ebx,%ebp + rorl $7,%eax + addl %edi,%edx + por %xmm4,%xmm2 + addl 44(%esp),%ecx + xorl %eax,%ebp + movdqa 80(%esp),%xmm4 + movl %edx,%esi + roll $5,%edx + addl %ebp,%ecx + xorl %eax,%esi + rorl $7,%edi + pshufd $238,%xmm1,%xmm5 + addl %edx,%ecx + addl 48(%esp),%ebx + pxor %xmm7,%xmm3 + punpcklqdq %xmm2,%xmm5 + xorl %edi,%esi + movl %ecx,%ebp + roll $5,%ecx + pxor %xmm4,%xmm3 + movdqa %xmm7,80(%esp) + addl %esi,%ebx + xorl %edi,%ebp + movdqa %xmm6,%xmm7 + rorl $7,%edx + paddd %xmm2,%xmm6 + addl %ecx,%ebx + pxor %xmm5,%xmm3 + addl 52(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + roll $5,%ebx + movdqa %xmm3,%xmm5 + movdqa %xmm6,32(%esp) + addl %ebp,%eax + xorl %edx,%esi + rorl $7,%ecx + addl %ebx,%eax + pslld $2,%xmm3 + addl 56(%esp),%edi + xorl %ecx,%esi + psrld $30,%xmm5 + movl %eax,%ebp + roll $5,%eax + addl %esi,%edi + xorl %ecx,%ebp + rorl $7,%ebx + addl %eax,%edi + por %xmm5,%xmm3 + addl 60(%esp),%edx + xorl %ebx,%ebp + movdqa 96(%esp),%xmm5 + movl %edi,%esi + roll $5,%edi + addl %ebp,%edx + xorl %ebx,%esi + rorl $7,%eax + pshufd $238,%xmm2,%xmm6 + addl %edi,%edx + addl (%esp),%ecx + pxor %xmm0,%xmm4 + punpcklqdq %xmm3,%xmm6 + xorl %eax,%esi + movl %edx,%ebp + roll $5,%edx + pxor %xmm5,%xmm4 + movdqa %xmm0,96(%esp) + addl %esi,%ecx + xorl %eax,%ebp + movdqa %xmm7,%xmm0 + rorl $7,%edi + paddd %xmm3,%xmm7 + addl %edx,%ecx + pxor %xmm6,%xmm4 + addl 4(%esp),%ebx + xorl %edi,%ebp + movl %ecx,%esi + roll $5,%ecx + movdqa %xmm4,%xmm6 + movdqa %xmm7,48(%esp) + addl %ebp,%ebx + xorl %edi,%esi + rorl $7,%edx + addl %ecx,%ebx + pslld $2,%xmm4 + addl 8(%esp),%eax + xorl %edx,%esi + psrld $30,%xmm6 + movl %ebx,%ebp + roll $5,%ebx + addl %esi,%eax + xorl %edx,%ebp + rorl $7,%ecx + addl %ebx,%eax + por %xmm6,%xmm4 + addl 12(%esp),%edi + xorl %ecx,%ebp + movdqa 
64(%esp),%xmm6 + movl %eax,%esi + roll $5,%eax + addl %ebp,%edi + xorl %ecx,%esi + rorl $7,%ebx + pshufd $238,%xmm3,%xmm7 + addl %eax,%edi + addl 16(%esp),%edx + pxor %xmm1,%xmm5 + punpcklqdq %xmm4,%xmm7 + xorl %ebx,%esi + movl %edi,%ebp + roll $5,%edi + pxor %xmm6,%xmm5 + movdqa %xmm1,64(%esp) + addl %esi,%edx + xorl %ebx,%ebp + movdqa %xmm0,%xmm1 + rorl $7,%eax + paddd %xmm4,%xmm0 + addl %edi,%edx + pxor %xmm7,%xmm5 + addl 20(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + roll $5,%edx + movdqa %xmm5,%xmm7 + movdqa %xmm0,(%esp) + addl %ebp,%ecx + xorl %eax,%esi + rorl $7,%edi + addl %edx,%ecx + pslld $2,%xmm5 + addl 24(%esp),%ebx + xorl %edi,%esi + psrld $30,%xmm7 + movl %ecx,%ebp + roll $5,%ecx + addl %esi,%ebx + xorl %edi,%ebp + rorl $7,%edx + addl %ecx,%ebx + por %xmm7,%xmm5 + addl 28(%esp),%eax + movdqa 80(%esp),%xmm7 + rorl $7,%ecx + movl %ebx,%esi + xorl %edx,%ebp + roll $5,%ebx + pshufd $238,%xmm4,%xmm0 + addl %ebp,%eax + xorl %ecx,%esi + xorl %edx,%ecx + addl %ebx,%eax + addl 32(%esp),%edi + pxor %xmm2,%xmm6 + punpcklqdq %xmm5,%xmm0 + andl %ecx,%esi + xorl %edx,%ecx + rorl $7,%ebx + pxor %xmm7,%xmm6 + movdqa %xmm2,80(%esp) + movl %eax,%ebp + xorl %ecx,%esi + roll $5,%eax + movdqa %xmm1,%xmm2 + addl %esi,%edi + paddd %xmm5,%xmm1 + xorl %ebx,%ebp + pxor %xmm0,%xmm6 + xorl %ecx,%ebx + addl %eax,%edi + addl 36(%esp),%edx + andl %ebx,%ebp + movdqa %xmm6,%xmm0 + movdqa %xmm1,16(%esp) + xorl %ecx,%ebx + rorl $7,%eax + movl %edi,%esi + xorl %ebx,%ebp + roll $5,%edi + pslld $2,%xmm6 + addl %ebp,%edx + xorl %eax,%esi + psrld $30,%xmm0 + xorl %ebx,%eax + addl %edi,%edx + addl 40(%esp),%ecx + andl %eax,%esi + xorl %ebx,%eax + rorl $7,%edi + por %xmm0,%xmm6 + movl %edx,%ebp + xorl %eax,%esi + movdqa 96(%esp),%xmm0 + roll $5,%edx + addl %esi,%ecx + xorl %edi,%ebp + xorl %eax,%edi + addl %edx,%ecx + pshufd $238,%xmm5,%xmm1 + addl 44(%esp),%ebx + andl %edi,%ebp + xorl %eax,%edi + rorl $7,%edx + movl %ecx,%esi + xorl %edi,%ebp + roll $5,%ecx + addl %ebp,%ebx + xorl 
%edx,%esi + xorl %edi,%edx + addl %ecx,%ebx + addl 48(%esp),%eax + pxor %xmm3,%xmm7 + punpcklqdq %xmm6,%xmm1 + andl %edx,%esi + xorl %edi,%edx + rorl $7,%ecx + pxor %xmm0,%xmm7 + movdqa %xmm3,96(%esp) + movl %ebx,%ebp + xorl %edx,%esi + roll $5,%ebx + movdqa 144(%esp),%xmm3 + addl %esi,%eax + paddd %xmm6,%xmm2 + xorl %ecx,%ebp + pxor %xmm1,%xmm7 + xorl %edx,%ecx + addl %ebx,%eax + addl 52(%esp),%edi + andl %ecx,%ebp + movdqa %xmm7,%xmm1 + movdqa %xmm2,32(%esp) + xorl %edx,%ecx + rorl $7,%ebx + movl %eax,%esi + xorl %ecx,%ebp + roll $5,%eax + pslld $2,%xmm7 + addl %ebp,%edi + xorl %ebx,%esi + psrld $30,%xmm1 + xorl %ecx,%ebx + addl %eax,%edi + addl 56(%esp),%edx + andl %ebx,%esi + xorl %ecx,%ebx + rorl $7,%eax + por %xmm1,%xmm7 + movl %edi,%ebp + xorl %ebx,%esi + movdqa 64(%esp),%xmm1 + roll $5,%edi + addl %esi,%edx + xorl %eax,%ebp + xorl %ebx,%eax + addl %edi,%edx + pshufd $238,%xmm6,%xmm2 + addl 60(%esp),%ecx + andl %eax,%ebp + xorl %ebx,%eax + rorl $7,%edi + movl %edx,%esi + xorl %eax,%ebp + roll $5,%edx + addl %ebp,%ecx + xorl %edi,%esi + xorl %eax,%edi + addl %edx,%ecx + addl (%esp),%ebx + pxor %xmm4,%xmm0 + punpcklqdq %xmm7,%xmm2 + andl %edi,%esi + xorl %eax,%edi + rorl $7,%edx + pxor %xmm1,%xmm0 + movdqa %xmm4,64(%esp) + movl %ecx,%ebp + xorl %edi,%esi + roll $5,%ecx + movdqa %xmm3,%xmm4 + addl %esi,%ebx + paddd %xmm7,%xmm3 + xorl %edx,%ebp + pxor %xmm2,%xmm0 + xorl %edi,%edx + addl %ecx,%ebx + addl 4(%esp),%eax + andl %edx,%ebp + movdqa %xmm0,%xmm2 + movdqa %xmm3,48(%esp) + xorl %edi,%edx + rorl $7,%ecx + movl %ebx,%esi + xorl %edx,%ebp + roll $5,%ebx + pslld $2,%xmm0 + addl %ebp,%eax + xorl %ecx,%esi + psrld $30,%xmm2 + xorl %edx,%ecx + addl %ebx,%eax + addl 8(%esp),%edi + andl %ecx,%esi + xorl %edx,%ecx + rorl $7,%ebx + por %xmm2,%xmm0 + movl %eax,%ebp + xorl %ecx,%esi + movdqa 80(%esp),%xmm2 + roll $5,%eax + addl %esi,%edi + xorl %ebx,%ebp + xorl %ecx,%ebx + addl %eax,%edi + pshufd $238,%xmm7,%xmm3 + addl 12(%esp),%edx + andl %ebx,%ebp + xorl %ecx,%ebx + 
rorl $7,%eax + movl %edi,%esi + xorl %ebx,%ebp + roll $5,%edi + addl %ebp,%edx + xorl %eax,%esi + xorl %ebx,%eax + addl %edi,%edx + addl 16(%esp),%ecx + pxor %xmm5,%xmm1 + punpcklqdq %xmm0,%xmm3 + andl %eax,%esi + xorl %ebx,%eax + rorl $7,%edi + pxor %xmm2,%xmm1 + movdqa %xmm5,80(%esp) + movl %edx,%ebp + xorl %eax,%esi + roll $5,%edx + movdqa %xmm4,%xmm5 + addl %esi,%ecx + paddd %xmm0,%xmm4 + xorl %edi,%ebp + pxor %xmm3,%xmm1 + xorl %eax,%edi + addl %edx,%ecx + addl 20(%esp),%ebx + andl %edi,%ebp + movdqa %xmm1,%xmm3 + movdqa %xmm4,(%esp) + xorl %eax,%edi + rorl $7,%edx + movl %ecx,%esi + xorl %edi,%ebp + roll $5,%ecx + pslld $2,%xmm1 + addl %ebp,%ebx + xorl %edx,%esi + psrld $30,%xmm3 + xorl %edi,%edx + addl %ecx,%ebx + addl 24(%esp),%eax + andl %edx,%esi + xorl %edi,%edx + rorl $7,%ecx + por %xmm3,%xmm1 + movl %ebx,%ebp + xorl %edx,%esi + movdqa 96(%esp),%xmm3 + roll $5,%ebx + addl %esi,%eax + xorl %ecx,%ebp + xorl %edx,%ecx + addl %ebx,%eax + pshufd $238,%xmm0,%xmm4 + addl 28(%esp),%edi + andl %ecx,%ebp + xorl %edx,%ecx + rorl $7,%ebx + movl %eax,%esi + xorl %ecx,%ebp + roll $5,%eax + addl %ebp,%edi + xorl %ebx,%esi + xorl %ecx,%ebx + addl %eax,%edi + addl 32(%esp),%edx + pxor %xmm6,%xmm2 + punpcklqdq %xmm1,%xmm4 + andl %ebx,%esi + xorl %ecx,%ebx + rorl $7,%eax + pxor %xmm3,%xmm2 + movdqa %xmm6,96(%esp) + movl %edi,%ebp + xorl %ebx,%esi + roll $5,%edi + movdqa %xmm5,%xmm6 + addl %esi,%edx + paddd %xmm1,%xmm5 + xorl %eax,%ebp + pxor %xmm4,%xmm2 + xorl %ebx,%eax + addl %edi,%edx + addl 36(%esp),%ecx + andl %eax,%ebp + movdqa %xmm2,%xmm4 + movdqa %xmm5,16(%esp) + xorl %ebx,%eax + rorl $7,%edi + movl %edx,%esi + xorl %eax,%ebp + roll $5,%edx + pslld $2,%xmm2 + addl %ebp,%ecx + xorl %edi,%esi + psrld $30,%xmm4 + xorl %eax,%edi + addl %edx,%ecx + addl 40(%esp),%ebx + andl %edi,%esi + xorl %eax,%edi + rorl $7,%edx + por %xmm4,%xmm2 + movl %ecx,%ebp + xorl %edi,%esi + movdqa 64(%esp),%xmm4 + roll $5,%ecx + addl %esi,%ebx + xorl %edx,%ebp + xorl %edi,%edx + addl 
%ecx,%ebx + pshufd $238,%xmm1,%xmm5 + addl 44(%esp),%eax + andl %edx,%ebp + xorl %edi,%edx + rorl $7,%ecx + movl %ebx,%esi + xorl %edx,%ebp + roll $5,%ebx + addl %ebp,%eax + xorl %edx,%esi + addl %ebx,%eax + addl 48(%esp),%edi + pxor %xmm7,%xmm3 + punpcklqdq %xmm2,%xmm5 + xorl %ecx,%esi + movl %eax,%ebp + roll $5,%eax + pxor %xmm4,%xmm3 + movdqa %xmm7,64(%esp) + addl %esi,%edi + xorl %ecx,%ebp + movdqa %xmm6,%xmm7 + rorl $7,%ebx + paddd %xmm2,%xmm6 + addl %eax,%edi + pxor %xmm5,%xmm3 + addl 52(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + roll $5,%edi + movdqa %xmm3,%xmm5 + movdqa %xmm6,32(%esp) + addl %ebp,%edx + xorl %ebx,%esi + rorl $7,%eax + addl %edi,%edx + pslld $2,%xmm3 + addl 56(%esp),%ecx + xorl %eax,%esi + psrld $30,%xmm5 + movl %edx,%ebp + roll $5,%edx + addl %esi,%ecx + xorl %eax,%ebp + rorl $7,%edi + addl %edx,%ecx + por %xmm5,%xmm3 + addl 60(%esp),%ebx + xorl %edi,%ebp + movl %ecx,%esi + roll $5,%ecx + addl %ebp,%ebx + xorl %edi,%esi + rorl $7,%edx + addl %ecx,%ebx + addl (%esp),%eax + xorl %edx,%esi + movl %ebx,%ebp + roll $5,%ebx + addl %esi,%eax + xorl %edx,%ebp + rorl $7,%ecx + paddd %xmm3,%xmm7 + addl %ebx,%eax + addl 4(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + movdqa %xmm7,48(%esp) + roll $5,%eax + addl %ebp,%edi + xorl %ecx,%esi + rorl $7,%ebx + addl %eax,%edi + addl 8(%esp),%edx + xorl %ebx,%esi + movl %edi,%ebp + roll $5,%edi + addl %esi,%edx + xorl %ebx,%ebp + rorl $7,%eax + addl %edi,%edx + addl 12(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + roll $5,%edx + addl %ebp,%ecx + xorl %eax,%esi + rorl $7,%edi + addl %edx,%ecx + movl 196(%esp),%ebp + cmpl 200(%esp),%ebp + je L003done + movdqa 160(%esp),%xmm7 + movdqa 176(%esp),%xmm6 + movdqu (%ebp),%xmm0 + movdqu 16(%ebp),%xmm1 + movdqu 32(%ebp),%xmm2 + movdqu 48(%ebp),%xmm3 + addl $64,%ebp +.byte 102,15,56,0,198 + movl %ebp,196(%esp) + movdqa %xmm7,96(%esp) + addl 16(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + roll $5,%ecx + addl %esi,%ebx + xorl %edi,%ebp + rorl $7,%edx +.byte 
102,15,56,0,206 + addl %ecx,%ebx + addl 20(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + paddd %xmm7,%xmm0 + roll $5,%ebx + addl %ebp,%eax + xorl %edx,%esi + rorl $7,%ecx + movdqa %xmm0,(%esp) + addl %ebx,%eax + addl 24(%esp),%edi + xorl %ecx,%esi + movl %eax,%ebp + psubd %xmm7,%xmm0 + roll $5,%eax + addl %esi,%edi + xorl %ecx,%ebp + rorl $7,%ebx + addl %eax,%edi + addl 28(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + roll $5,%edi + addl %ebp,%edx + xorl %ebx,%esi + rorl $7,%eax + addl %edi,%edx + addl 32(%esp),%ecx + xorl %eax,%esi + movl %edx,%ebp + roll $5,%edx + addl %esi,%ecx + xorl %eax,%ebp + rorl $7,%edi +.byte 102,15,56,0,214 + addl %edx,%ecx + addl 36(%esp),%ebx + xorl %edi,%ebp + movl %ecx,%esi + paddd %xmm7,%xmm1 + roll $5,%ecx + addl %ebp,%ebx + xorl %edi,%esi + rorl $7,%edx + movdqa %xmm1,16(%esp) + addl %ecx,%ebx + addl 40(%esp),%eax + xorl %edx,%esi + movl %ebx,%ebp + psubd %xmm7,%xmm1 + roll $5,%ebx + addl %esi,%eax + xorl %edx,%ebp + rorl $7,%ecx + addl %ebx,%eax + addl 44(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + roll $5,%eax + addl %ebp,%edi + xorl %ecx,%esi + rorl $7,%ebx + addl %eax,%edi + addl 48(%esp),%edx + xorl %ebx,%esi + movl %edi,%ebp + roll $5,%edi + addl %esi,%edx + xorl %ebx,%ebp + rorl $7,%eax +.byte 102,15,56,0,222 + addl %edi,%edx + addl 52(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + paddd %xmm7,%xmm2 + roll $5,%edx + addl %ebp,%ecx + xorl %eax,%esi + rorl $7,%edi + movdqa %xmm2,32(%esp) + addl %edx,%ecx + addl 56(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + psubd %xmm7,%xmm2 + roll $5,%ecx + addl %esi,%ebx + xorl %edi,%ebp + rorl $7,%edx + addl %ecx,%ebx + addl 60(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + roll $5,%ebx + addl %ebp,%eax + rorl $7,%ecx + addl %ebx,%eax + movl 192(%esp),%ebp + addl (%ebp),%eax + addl 4(%ebp),%esi + addl 8(%ebp),%ecx + movl %eax,(%ebp) + addl 12(%ebp),%edx + movl %esi,4(%ebp) + addl 16(%ebp),%edi + movl %ecx,8(%ebp) + movl %ecx,%ebx + movl %edx,12(%ebp) + xorl %edx,%ebx + movl 
%edi,16(%ebp) + movl %esi,%ebp + pshufd $238,%xmm0,%xmm4 + andl %ebx,%esi + movl %ebp,%ebx + jmp L002loop +.align 4,0x90 +L003done: + addl 16(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + roll $5,%ecx + addl %esi,%ebx + xorl %edi,%ebp + rorl $7,%edx + addl %ecx,%ebx + addl 20(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + roll $5,%ebx + addl %ebp,%eax + xorl %edx,%esi + rorl $7,%ecx + addl %ebx,%eax + addl 24(%esp),%edi + xorl %ecx,%esi + movl %eax,%ebp + roll $5,%eax + addl %esi,%edi + xorl %ecx,%ebp + rorl $7,%ebx + addl %eax,%edi + addl 28(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + roll $5,%edi + addl %ebp,%edx + xorl %ebx,%esi + rorl $7,%eax + addl %edi,%edx + addl 32(%esp),%ecx + xorl %eax,%esi + movl %edx,%ebp + roll $5,%edx + addl %esi,%ecx + xorl %eax,%ebp + rorl $7,%edi + addl %edx,%ecx + addl 36(%esp),%ebx + xorl %edi,%ebp + movl %ecx,%esi + roll $5,%ecx + addl %ebp,%ebx + xorl %edi,%esi + rorl $7,%edx + addl %ecx,%ebx + addl 40(%esp),%eax + xorl %edx,%esi + movl %ebx,%ebp + roll $5,%ebx + addl %esi,%eax + xorl %edx,%ebp + rorl $7,%ecx + addl %ebx,%eax + addl 44(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + roll $5,%eax + addl %ebp,%edi + xorl %ecx,%esi + rorl $7,%ebx + addl %eax,%edi + addl 48(%esp),%edx + xorl %ebx,%esi + movl %edi,%ebp + roll $5,%edi + addl %esi,%edx + xorl %ebx,%ebp + rorl $7,%eax + addl %edi,%edx + addl 52(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + roll $5,%edx + addl %ebp,%ecx + xorl %eax,%esi + rorl $7,%edi + addl %edx,%ecx + addl 56(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + roll $5,%ecx + addl %esi,%ebx + xorl %edi,%ebp + rorl $7,%edx + addl %ecx,%ebx + addl 60(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + roll $5,%ebx + addl %ebp,%eax + rorl $7,%ecx + addl %ebx,%eax + movl 192(%esp),%ebp + addl (%ebp),%eax + movl 204(%esp),%esp + addl 4(%ebp),%esi + addl 8(%ebp),%ecx + movl %eax,(%ebp) + addl 12(%ebp),%edx + movl %esi,4(%ebp) + addl 16(%ebp),%edi + movl %ecx,8(%ebp) + movl %edx,12(%ebp) + movl %edi,16(%ebp) + popl 
%edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _sha1_block_data_order_avx +.private_extern _sha1_block_data_order_avx +.align 4 +_sha1_block_data_order_avx: +L_sha1_block_data_order_avx_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + call L004pic_point +L004pic_point: + popl %ebp + leal LK_XX_XX-L004pic_point(%ebp),%ebp + vzeroall + vmovdqa (%ebp),%xmm7 + vmovdqa 16(%ebp),%xmm0 + vmovdqa 32(%ebp),%xmm1 + vmovdqa 48(%ebp),%xmm2 + vmovdqa 64(%ebp),%xmm6 + movl 20(%esp),%edi + movl 24(%esp),%ebp + movl 28(%esp),%edx + movl %esp,%esi + subl $208,%esp + andl $-64,%esp + vmovdqa %xmm0,112(%esp) + vmovdqa %xmm1,128(%esp) + vmovdqa %xmm2,144(%esp) + shll $6,%edx + vmovdqa %xmm7,160(%esp) + addl %ebp,%edx + vmovdqa %xmm6,176(%esp) + addl $64,%ebp + movl %edi,192(%esp) + movl %ebp,196(%esp) + movl %edx,200(%esp) + movl %esi,204(%esp) + movl (%edi),%eax + movl 4(%edi),%ebx + movl 8(%edi),%ecx + movl 12(%edi),%edx + movl 16(%edi),%edi + movl %ebx,%esi + vmovdqu -64(%ebp),%xmm0 + vmovdqu -48(%ebp),%xmm1 + vmovdqu -32(%ebp),%xmm2 + vmovdqu -16(%ebp),%xmm3 + vpshufb %xmm6,%xmm0,%xmm0 + vpshufb %xmm6,%xmm1,%xmm1 + vpshufb %xmm6,%xmm2,%xmm2 + vmovdqa %xmm7,96(%esp) + vpshufb %xmm6,%xmm3,%xmm3 + vpaddd %xmm7,%xmm0,%xmm4 + vpaddd %xmm7,%xmm1,%xmm5 + vpaddd %xmm7,%xmm2,%xmm6 + vmovdqa %xmm4,(%esp) + movl %ecx,%ebp + vmovdqa %xmm5,16(%esp) + xorl %edx,%ebp + vmovdqa %xmm6,32(%esp) + andl %ebp,%esi + jmp L005loop +.align 4,0x90 +L005loop: + shrdl $2,%ebx,%ebx + xorl %edx,%esi + vpalignr $8,%xmm0,%xmm1,%xmm4 + movl %eax,%ebp + addl (%esp),%edi + vpaddd %xmm3,%xmm7,%xmm7 + vmovdqa %xmm0,64(%esp) + xorl %ecx,%ebx + shldl $5,%eax,%eax + vpsrldq $4,%xmm3,%xmm6 + addl %esi,%edi + andl %ebx,%ebp + vpxor %xmm0,%xmm4,%xmm4 + xorl %ecx,%ebx + addl %eax,%edi + vpxor %xmm2,%xmm6,%xmm6 + shrdl $7,%eax,%eax + xorl %ecx,%ebp + vmovdqa %xmm7,48(%esp) + movl %edi,%esi + addl 4(%esp),%edx + vpxor %xmm6,%xmm4,%xmm4 + xorl %ebx,%eax + shldl $5,%edi,%edi + addl %ebp,%edx + andl 
%eax,%esi + vpsrld $31,%xmm4,%xmm6 + xorl %ebx,%eax + addl %edi,%edx + shrdl $7,%edi,%edi + xorl %ebx,%esi + vpslldq $12,%xmm4,%xmm0 + vpaddd %xmm4,%xmm4,%xmm4 + movl %edx,%ebp + addl 8(%esp),%ecx + xorl %eax,%edi + shldl $5,%edx,%edx + vpsrld $30,%xmm0,%xmm7 + vpor %xmm6,%xmm4,%xmm4 + addl %esi,%ecx + andl %edi,%ebp + xorl %eax,%edi + addl %edx,%ecx + vpslld $2,%xmm0,%xmm0 + shrdl $7,%edx,%edx + xorl %eax,%ebp + vpxor %xmm7,%xmm4,%xmm4 + movl %ecx,%esi + addl 12(%esp),%ebx + xorl %edi,%edx + shldl $5,%ecx,%ecx + vpxor %xmm0,%xmm4,%xmm4 + addl %ebp,%ebx + andl %edx,%esi + vmovdqa 96(%esp),%xmm0 + xorl %edi,%edx + addl %ecx,%ebx + shrdl $7,%ecx,%ecx + xorl %edi,%esi + vpalignr $8,%xmm1,%xmm2,%xmm5 + movl %ebx,%ebp + addl 16(%esp),%eax + vpaddd %xmm4,%xmm0,%xmm0 + vmovdqa %xmm1,80(%esp) + xorl %edx,%ecx + shldl $5,%ebx,%ebx + vpsrldq $4,%xmm4,%xmm7 + addl %esi,%eax + andl %ecx,%ebp + vpxor %xmm1,%xmm5,%xmm5 + xorl %edx,%ecx + addl %ebx,%eax + vpxor %xmm3,%xmm7,%xmm7 + shrdl $7,%ebx,%ebx + xorl %edx,%ebp + vmovdqa %xmm0,(%esp) + movl %eax,%esi + addl 20(%esp),%edi + vpxor %xmm7,%xmm5,%xmm5 + xorl %ecx,%ebx + shldl $5,%eax,%eax + addl %ebp,%edi + andl %ebx,%esi + vpsrld $31,%xmm5,%xmm7 + xorl %ecx,%ebx + addl %eax,%edi + shrdl $7,%eax,%eax + xorl %ecx,%esi + vpslldq $12,%xmm5,%xmm1 + vpaddd %xmm5,%xmm5,%xmm5 + movl %edi,%ebp + addl 24(%esp),%edx + xorl %ebx,%eax + shldl $5,%edi,%edi + vpsrld $30,%xmm1,%xmm0 + vpor %xmm7,%xmm5,%xmm5 + addl %esi,%edx + andl %eax,%ebp + xorl %ebx,%eax + addl %edi,%edx + vpslld $2,%xmm1,%xmm1 + shrdl $7,%edi,%edi + xorl %ebx,%ebp + vpxor %xmm0,%xmm5,%xmm5 + movl %edx,%esi + addl 28(%esp),%ecx + xorl %eax,%edi + shldl $5,%edx,%edx + vpxor %xmm1,%xmm5,%xmm5 + addl %ebp,%ecx + andl %edi,%esi + vmovdqa 112(%esp),%xmm1 + xorl %eax,%edi + addl %edx,%ecx + shrdl $7,%edx,%edx + xorl %eax,%esi + vpalignr $8,%xmm2,%xmm3,%xmm6 + movl %ecx,%ebp + addl 32(%esp),%ebx + vpaddd %xmm5,%xmm1,%xmm1 + vmovdqa %xmm2,96(%esp) + xorl %edi,%edx + shldl 
$5,%ecx,%ecx + vpsrldq $4,%xmm5,%xmm0 + addl %esi,%ebx + andl %edx,%ebp + vpxor %xmm2,%xmm6,%xmm6 + xorl %edi,%edx + addl %ecx,%ebx + vpxor %xmm4,%xmm0,%xmm0 + shrdl $7,%ecx,%ecx + xorl %edi,%ebp + vmovdqa %xmm1,16(%esp) + movl %ebx,%esi + addl 36(%esp),%eax + vpxor %xmm0,%xmm6,%xmm6 + xorl %edx,%ecx + shldl $5,%ebx,%ebx + addl %ebp,%eax + andl %ecx,%esi + vpsrld $31,%xmm6,%xmm0 + xorl %edx,%ecx + addl %ebx,%eax + shrdl $7,%ebx,%ebx + xorl %edx,%esi + vpslldq $12,%xmm6,%xmm2 + vpaddd %xmm6,%xmm6,%xmm6 + movl %eax,%ebp + addl 40(%esp),%edi + xorl %ecx,%ebx + shldl $5,%eax,%eax + vpsrld $30,%xmm2,%xmm1 + vpor %xmm0,%xmm6,%xmm6 + addl %esi,%edi + andl %ebx,%ebp + xorl %ecx,%ebx + addl %eax,%edi + vpslld $2,%xmm2,%xmm2 + vmovdqa 64(%esp),%xmm0 + shrdl $7,%eax,%eax + xorl %ecx,%ebp + vpxor %xmm1,%xmm6,%xmm6 + movl %edi,%esi + addl 44(%esp),%edx + xorl %ebx,%eax + shldl $5,%edi,%edi + vpxor %xmm2,%xmm6,%xmm6 + addl %ebp,%edx + andl %eax,%esi + vmovdqa 112(%esp),%xmm2 + xorl %ebx,%eax + addl %edi,%edx + shrdl $7,%edi,%edi + xorl %ebx,%esi + vpalignr $8,%xmm3,%xmm4,%xmm7 + movl %edx,%ebp + addl 48(%esp),%ecx + vpaddd %xmm6,%xmm2,%xmm2 + vmovdqa %xmm3,64(%esp) + xorl %eax,%edi + shldl $5,%edx,%edx + vpsrldq $4,%xmm6,%xmm1 + addl %esi,%ecx + andl %edi,%ebp + vpxor %xmm3,%xmm7,%xmm7 + xorl %eax,%edi + addl %edx,%ecx + vpxor %xmm5,%xmm1,%xmm1 + shrdl $7,%edx,%edx + xorl %eax,%ebp + vmovdqa %xmm2,32(%esp) + movl %ecx,%esi + addl 52(%esp),%ebx + vpxor %xmm1,%xmm7,%xmm7 + xorl %edi,%edx + shldl $5,%ecx,%ecx + addl %ebp,%ebx + andl %edx,%esi + vpsrld $31,%xmm7,%xmm1 + xorl %edi,%edx + addl %ecx,%ebx + shrdl $7,%ecx,%ecx + xorl %edi,%esi + vpslldq $12,%xmm7,%xmm3 + vpaddd %xmm7,%xmm7,%xmm7 + movl %ebx,%ebp + addl 56(%esp),%eax + xorl %edx,%ecx + shldl $5,%ebx,%ebx + vpsrld $30,%xmm3,%xmm2 + vpor %xmm1,%xmm7,%xmm7 + addl %esi,%eax + andl %ecx,%ebp + xorl %edx,%ecx + addl %ebx,%eax + vpslld $2,%xmm3,%xmm3 + vmovdqa 80(%esp),%xmm1 + shrdl $7,%ebx,%ebx + xorl %edx,%ebp + vpxor 
%xmm2,%xmm7,%xmm7 + movl %eax,%esi + addl 60(%esp),%edi + xorl %ecx,%ebx + shldl $5,%eax,%eax + vpxor %xmm3,%xmm7,%xmm7 + addl %ebp,%edi + andl %ebx,%esi + vmovdqa 112(%esp),%xmm3 + xorl %ecx,%ebx + addl %eax,%edi + vpalignr $8,%xmm6,%xmm7,%xmm2 + vpxor %xmm4,%xmm0,%xmm0 + shrdl $7,%eax,%eax + xorl %ecx,%esi + movl %edi,%ebp + addl (%esp),%edx + vpxor %xmm1,%xmm0,%xmm0 + vmovdqa %xmm4,80(%esp) + xorl %ebx,%eax + shldl $5,%edi,%edi + vmovdqa %xmm3,%xmm4 + vpaddd %xmm7,%xmm3,%xmm3 + addl %esi,%edx + andl %eax,%ebp + vpxor %xmm2,%xmm0,%xmm0 + xorl %ebx,%eax + addl %edi,%edx + shrdl $7,%edi,%edi + xorl %ebx,%ebp + vpsrld $30,%xmm0,%xmm2 + vmovdqa %xmm3,48(%esp) + movl %edx,%esi + addl 4(%esp),%ecx + xorl %eax,%edi + shldl $5,%edx,%edx + vpslld $2,%xmm0,%xmm0 + addl %ebp,%ecx + andl %edi,%esi + xorl %eax,%edi + addl %edx,%ecx + shrdl $7,%edx,%edx + xorl %eax,%esi + movl %ecx,%ebp + addl 8(%esp),%ebx + vpor %xmm2,%xmm0,%xmm0 + xorl %edi,%edx + shldl $5,%ecx,%ecx + vmovdqa 96(%esp),%xmm2 + addl %esi,%ebx + andl %edx,%ebp + xorl %edi,%edx + addl %ecx,%ebx + addl 12(%esp),%eax + xorl %edi,%ebp + movl %ebx,%esi + shldl $5,%ebx,%ebx + addl %ebp,%eax + xorl %edx,%esi + shrdl $7,%ecx,%ecx + addl %ebx,%eax + vpalignr $8,%xmm7,%xmm0,%xmm3 + vpxor %xmm5,%xmm1,%xmm1 + addl 16(%esp),%edi + xorl %ecx,%esi + movl %eax,%ebp + shldl $5,%eax,%eax + vpxor %xmm2,%xmm1,%xmm1 + vmovdqa %xmm5,96(%esp) + addl %esi,%edi + xorl %ecx,%ebp + vmovdqa %xmm4,%xmm5 + vpaddd %xmm0,%xmm4,%xmm4 + shrdl $7,%ebx,%ebx + addl %eax,%edi + vpxor %xmm3,%xmm1,%xmm1 + addl 20(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + shldl $5,%edi,%edi + vpsrld $30,%xmm1,%xmm3 + vmovdqa %xmm4,(%esp) + addl %ebp,%edx + xorl %ebx,%esi + shrdl $7,%eax,%eax + addl %edi,%edx + vpslld $2,%xmm1,%xmm1 + addl 24(%esp),%ecx + xorl %eax,%esi + movl %edx,%ebp + shldl $5,%edx,%edx + addl %esi,%ecx + xorl %eax,%ebp + shrdl $7,%edi,%edi + addl %edx,%ecx + vpor %xmm3,%xmm1,%xmm1 + addl 28(%esp),%ebx + xorl %edi,%ebp + vmovdqa 64(%esp),%xmm3 
+ movl %ecx,%esi + shldl $5,%ecx,%ecx + addl %ebp,%ebx + xorl %edi,%esi + shrdl $7,%edx,%edx + addl %ecx,%ebx + vpalignr $8,%xmm0,%xmm1,%xmm4 + vpxor %xmm6,%xmm2,%xmm2 + addl 32(%esp),%eax + xorl %edx,%esi + movl %ebx,%ebp + shldl $5,%ebx,%ebx + vpxor %xmm3,%xmm2,%xmm2 + vmovdqa %xmm6,64(%esp) + addl %esi,%eax + xorl %edx,%ebp + vmovdqa 128(%esp),%xmm6 + vpaddd %xmm1,%xmm5,%xmm5 + shrdl $7,%ecx,%ecx + addl %ebx,%eax + vpxor %xmm4,%xmm2,%xmm2 + addl 36(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + shldl $5,%eax,%eax + vpsrld $30,%xmm2,%xmm4 + vmovdqa %xmm5,16(%esp) + addl %ebp,%edi + xorl %ecx,%esi + shrdl $7,%ebx,%ebx + addl %eax,%edi + vpslld $2,%xmm2,%xmm2 + addl 40(%esp),%edx + xorl %ebx,%esi + movl %edi,%ebp + shldl $5,%edi,%edi + addl %esi,%edx + xorl %ebx,%ebp + shrdl $7,%eax,%eax + addl %edi,%edx + vpor %xmm4,%xmm2,%xmm2 + addl 44(%esp),%ecx + xorl %eax,%ebp + vmovdqa 80(%esp),%xmm4 + movl %edx,%esi + shldl $5,%edx,%edx + addl %ebp,%ecx + xorl %eax,%esi + shrdl $7,%edi,%edi + addl %edx,%ecx + vpalignr $8,%xmm1,%xmm2,%xmm5 + vpxor %xmm7,%xmm3,%xmm3 + addl 48(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + shldl $5,%ecx,%ecx + vpxor %xmm4,%xmm3,%xmm3 + vmovdqa %xmm7,80(%esp) + addl %esi,%ebx + xorl %edi,%ebp + vmovdqa %xmm6,%xmm7 + vpaddd %xmm2,%xmm6,%xmm6 + shrdl $7,%edx,%edx + addl %ecx,%ebx + vpxor %xmm5,%xmm3,%xmm3 + addl 52(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + shldl $5,%ebx,%ebx + vpsrld $30,%xmm3,%xmm5 + vmovdqa %xmm6,32(%esp) + addl %ebp,%eax + xorl %edx,%esi + shrdl $7,%ecx,%ecx + addl %ebx,%eax + vpslld $2,%xmm3,%xmm3 + addl 56(%esp),%edi + xorl %ecx,%esi + movl %eax,%ebp + shldl $5,%eax,%eax + addl %esi,%edi + xorl %ecx,%ebp + shrdl $7,%ebx,%ebx + addl %eax,%edi + vpor %xmm5,%xmm3,%xmm3 + addl 60(%esp),%edx + xorl %ebx,%ebp + vmovdqa 96(%esp),%xmm5 + movl %edi,%esi + shldl $5,%edi,%edi + addl %ebp,%edx + xorl %ebx,%esi + shrdl $7,%eax,%eax + addl %edi,%edx + vpalignr $8,%xmm2,%xmm3,%xmm6 + vpxor %xmm0,%xmm4,%xmm4 + addl (%esp),%ecx + xorl 
%eax,%esi + movl %edx,%ebp + shldl $5,%edx,%edx + vpxor %xmm5,%xmm4,%xmm4 + vmovdqa %xmm0,96(%esp) + addl %esi,%ecx + xorl %eax,%ebp + vmovdqa %xmm7,%xmm0 + vpaddd %xmm3,%xmm7,%xmm7 + shrdl $7,%edi,%edi + addl %edx,%ecx + vpxor %xmm6,%xmm4,%xmm4 + addl 4(%esp),%ebx + xorl %edi,%ebp + movl %ecx,%esi + shldl $5,%ecx,%ecx + vpsrld $30,%xmm4,%xmm6 + vmovdqa %xmm7,48(%esp) + addl %ebp,%ebx + xorl %edi,%esi + shrdl $7,%edx,%edx + addl %ecx,%ebx + vpslld $2,%xmm4,%xmm4 + addl 8(%esp),%eax + xorl %edx,%esi + movl %ebx,%ebp + shldl $5,%ebx,%ebx + addl %esi,%eax + xorl %edx,%ebp + shrdl $7,%ecx,%ecx + addl %ebx,%eax + vpor %xmm6,%xmm4,%xmm4 + addl 12(%esp),%edi + xorl %ecx,%ebp + vmovdqa 64(%esp),%xmm6 + movl %eax,%esi + shldl $5,%eax,%eax + addl %ebp,%edi + xorl %ecx,%esi + shrdl $7,%ebx,%ebx + addl %eax,%edi + vpalignr $8,%xmm3,%xmm4,%xmm7 + vpxor %xmm1,%xmm5,%xmm5 + addl 16(%esp),%edx + xorl %ebx,%esi + movl %edi,%ebp + shldl $5,%edi,%edi + vpxor %xmm6,%xmm5,%xmm5 + vmovdqa %xmm1,64(%esp) + addl %esi,%edx + xorl %ebx,%ebp + vmovdqa %xmm0,%xmm1 + vpaddd %xmm4,%xmm0,%xmm0 + shrdl $7,%eax,%eax + addl %edi,%edx + vpxor %xmm7,%xmm5,%xmm5 + addl 20(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + shldl $5,%edx,%edx + vpsrld $30,%xmm5,%xmm7 + vmovdqa %xmm0,(%esp) + addl %ebp,%ecx + xorl %eax,%esi + shrdl $7,%edi,%edi + addl %edx,%ecx + vpslld $2,%xmm5,%xmm5 + addl 24(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + shldl $5,%ecx,%ecx + addl %esi,%ebx + xorl %edi,%ebp + shrdl $7,%edx,%edx + addl %ecx,%ebx + vpor %xmm7,%xmm5,%xmm5 + addl 28(%esp),%eax + vmovdqa 80(%esp),%xmm7 + shrdl $7,%ecx,%ecx + movl %ebx,%esi + xorl %edx,%ebp + shldl $5,%ebx,%ebx + addl %ebp,%eax + xorl %ecx,%esi + xorl %edx,%ecx + addl %ebx,%eax + vpalignr $8,%xmm4,%xmm5,%xmm0 + vpxor %xmm2,%xmm6,%xmm6 + addl 32(%esp),%edi + andl %ecx,%esi + xorl %edx,%ecx + shrdl $7,%ebx,%ebx + vpxor %xmm7,%xmm6,%xmm6 + vmovdqa %xmm2,80(%esp) + movl %eax,%ebp + xorl %ecx,%esi + vmovdqa %xmm1,%xmm2 + vpaddd %xmm5,%xmm1,%xmm1 + 
shldl $5,%eax,%eax + addl %esi,%edi + vpxor %xmm0,%xmm6,%xmm6 + xorl %ebx,%ebp + xorl %ecx,%ebx + addl %eax,%edi + addl 36(%esp),%edx + vpsrld $30,%xmm6,%xmm0 + vmovdqa %xmm1,16(%esp) + andl %ebx,%ebp + xorl %ecx,%ebx + shrdl $7,%eax,%eax + movl %edi,%esi + vpslld $2,%xmm6,%xmm6 + xorl %ebx,%ebp + shldl $5,%edi,%edi + addl %ebp,%edx + xorl %eax,%esi + xorl %ebx,%eax + addl %edi,%edx + addl 40(%esp),%ecx + andl %eax,%esi + vpor %xmm0,%xmm6,%xmm6 + xorl %ebx,%eax + shrdl $7,%edi,%edi + vmovdqa 96(%esp),%xmm0 + movl %edx,%ebp + xorl %eax,%esi + shldl $5,%edx,%edx + addl %esi,%ecx + xorl %edi,%ebp + xorl %eax,%edi + addl %edx,%ecx + addl 44(%esp),%ebx + andl %edi,%ebp + xorl %eax,%edi + shrdl $7,%edx,%edx + movl %ecx,%esi + xorl %edi,%ebp + shldl $5,%ecx,%ecx + addl %ebp,%ebx + xorl %edx,%esi + xorl %edi,%edx + addl %ecx,%ebx + vpalignr $8,%xmm5,%xmm6,%xmm1 + vpxor %xmm3,%xmm7,%xmm7 + addl 48(%esp),%eax + andl %edx,%esi + xorl %edi,%edx + shrdl $7,%ecx,%ecx + vpxor %xmm0,%xmm7,%xmm7 + vmovdqa %xmm3,96(%esp) + movl %ebx,%ebp + xorl %edx,%esi + vmovdqa 144(%esp),%xmm3 + vpaddd %xmm6,%xmm2,%xmm2 + shldl $5,%ebx,%ebx + addl %esi,%eax + vpxor %xmm1,%xmm7,%xmm7 + xorl %ecx,%ebp + xorl %edx,%ecx + addl %ebx,%eax + addl 52(%esp),%edi + vpsrld $30,%xmm7,%xmm1 + vmovdqa %xmm2,32(%esp) + andl %ecx,%ebp + xorl %edx,%ecx + shrdl $7,%ebx,%ebx + movl %eax,%esi + vpslld $2,%xmm7,%xmm7 + xorl %ecx,%ebp + shldl $5,%eax,%eax + addl %ebp,%edi + xorl %ebx,%esi + xorl %ecx,%ebx + addl %eax,%edi + addl 56(%esp),%edx + andl %ebx,%esi + vpor %xmm1,%xmm7,%xmm7 + xorl %ecx,%ebx + shrdl $7,%eax,%eax + vmovdqa 64(%esp),%xmm1 + movl %edi,%ebp + xorl %ebx,%esi + shldl $5,%edi,%edi + addl %esi,%edx + xorl %eax,%ebp + xorl %ebx,%eax + addl %edi,%edx + addl 60(%esp),%ecx + andl %eax,%ebp + xorl %ebx,%eax + shrdl $7,%edi,%edi + movl %edx,%esi + xorl %eax,%ebp + shldl $5,%edx,%edx + addl %ebp,%ecx + xorl %edi,%esi + xorl %eax,%edi + addl %edx,%ecx + vpalignr $8,%xmm6,%xmm7,%xmm2 + vpxor %xmm4,%xmm0,%xmm0 
+ addl (%esp),%ebx + andl %edi,%esi + xorl %eax,%edi + shrdl $7,%edx,%edx + vpxor %xmm1,%xmm0,%xmm0 + vmovdqa %xmm4,64(%esp) + movl %ecx,%ebp + xorl %edi,%esi + vmovdqa %xmm3,%xmm4 + vpaddd %xmm7,%xmm3,%xmm3 + shldl $5,%ecx,%ecx + addl %esi,%ebx + vpxor %xmm2,%xmm0,%xmm0 + xorl %edx,%ebp + xorl %edi,%edx + addl %ecx,%ebx + addl 4(%esp),%eax + vpsrld $30,%xmm0,%xmm2 + vmovdqa %xmm3,48(%esp) + andl %edx,%ebp + xorl %edi,%edx + shrdl $7,%ecx,%ecx + movl %ebx,%esi + vpslld $2,%xmm0,%xmm0 + xorl %edx,%ebp + shldl $5,%ebx,%ebx + addl %ebp,%eax + xorl %ecx,%esi + xorl %edx,%ecx + addl %ebx,%eax + addl 8(%esp),%edi + andl %ecx,%esi + vpor %xmm2,%xmm0,%xmm0 + xorl %edx,%ecx + shrdl $7,%ebx,%ebx + vmovdqa 80(%esp),%xmm2 + movl %eax,%ebp + xorl %ecx,%esi + shldl $5,%eax,%eax + addl %esi,%edi + xorl %ebx,%ebp + xorl %ecx,%ebx + addl %eax,%edi + addl 12(%esp),%edx + andl %ebx,%ebp + xorl %ecx,%ebx + shrdl $7,%eax,%eax + movl %edi,%esi + xorl %ebx,%ebp + shldl $5,%edi,%edi + addl %ebp,%edx + xorl %eax,%esi + xorl %ebx,%eax + addl %edi,%edx + vpalignr $8,%xmm7,%xmm0,%xmm3 + vpxor %xmm5,%xmm1,%xmm1 + addl 16(%esp),%ecx + andl %eax,%esi + xorl %ebx,%eax + shrdl $7,%edi,%edi + vpxor %xmm2,%xmm1,%xmm1 + vmovdqa %xmm5,80(%esp) + movl %edx,%ebp + xorl %eax,%esi + vmovdqa %xmm4,%xmm5 + vpaddd %xmm0,%xmm4,%xmm4 + shldl $5,%edx,%edx + addl %esi,%ecx + vpxor %xmm3,%xmm1,%xmm1 + xorl %edi,%ebp + xorl %eax,%edi + addl %edx,%ecx + addl 20(%esp),%ebx + vpsrld $30,%xmm1,%xmm3 + vmovdqa %xmm4,(%esp) + andl %edi,%ebp + xorl %eax,%edi + shrdl $7,%edx,%edx + movl %ecx,%esi + vpslld $2,%xmm1,%xmm1 + xorl %edi,%ebp + shldl $5,%ecx,%ecx + addl %ebp,%ebx + xorl %edx,%esi + xorl %edi,%edx + addl %ecx,%ebx + addl 24(%esp),%eax + andl %edx,%esi + vpor %xmm3,%xmm1,%xmm1 + xorl %edi,%edx + shrdl $7,%ecx,%ecx + vmovdqa 96(%esp),%xmm3 + movl %ebx,%ebp + xorl %edx,%esi + shldl $5,%ebx,%ebx + addl %esi,%eax + xorl %ecx,%ebp + xorl %edx,%ecx + addl %ebx,%eax + addl 28(%esp),%edi + andl %ecx,%ebp + xorl %edx,%ecx 
+ shrdl $7,%ebx,%ebx + movl %eax,%esi + xorl %ecx,%ebp + shldl $5,%eax,%eax + addl %ebp,%edi + xorl %ebx,%esi + xorl %ecx,%ebx + addl %eax,%edi + vpalignr $8,%xmm0,%xmm1,%xmm4 + vpxor %xmm6,%xmm2,%xmm2 + addl 32(%esp),%edx + andl %ebx,%esi + xorl %ecx,%ebx + shrdl $7,%eax,%eax + vpxor %xmm3,%xmm2,%xmm2 + vmovdqa %xmm6,96(%esp) + movl %edi,%ebp + xorl %ebx,%esi + vmovdqa %xmm5,%xmm6 + vpaddd %xmm1,%xmm5,%xmm5 + shldl $5,%edi,%edi + addl %esi,%edx + vpxor %xmm4,%xmm2,%xmm2 + xorl %eax,%ebp + xorl %ebx,%eax + addl %edi,%edx + addl 36(%esp),%ecx + vpsrld $30,%xmm2,%xmm4 + vmovdqa %xmm5,16(%esp) + andl %eax,%ebp + xorl %ebx,%eax + shrdl $7,%edi,%edi + movl %edx,%esi + vpslld $2,%xmm2,%xmm2 + xorl %eax,%ebp + shldl $5,%edx,%edx + addl %ebp,%ecx + xorl %edi,%esi + xorl %eax,%edi + addl %edx,%ecx + addl 40(%esp),%ebx + andl %edi,%esi + vpor %xmm4,%xmm2,%xmm2 + xorl %eax,%edi + shrdl $7,%edx,%edx + vmovdqa 64(%esp),%xmm4 + movl %ecx,%ebp + xorl %edi,%esi + shldl $5,%ecx,%ecx + addl %esi,%ebx + xorl %edx,%ebp + xorl %edi,%edx + addl %ecx,%ebx + addl 44(%esp),%eax + andl %edx,%ebp + xorl %edi,%edx + shrdl $7,%ecx,%ecx + movl %ebx,%esi + xorl %edx,%ebp + shldl $5,%ebx,%ebx + addl %ebp,%eax + xorl %edx,%esi + addl %ebx,%eax + vpalignr $8,%xmm1,%xmm2,%xmm5 + vpxor %xmm7,%xmm3,%xmm3 + addl 48(%esp),%edi + xorl %ecx,%esi + movl %eax,%ebp + shldl $5,%eax,%eax + vpxor %xmm4,%xmm3,%xmm3 + vmovdqa %xmm7,64(%esp) + addl %esi,%edi + xorl %ecx,%ebp + vmovdqa %xmm6,%xmm7 + vpaddd %xmm2,%xmm6,%xmm6 + shrdl $7,%ebx,%ebx + addl %eax,%edi + vpxor %xmm5,%xmm3,%xmm3 + addl 52(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + shldl $5,%edi,%edi + vpsrld $30,%xmm3,%xmm5 + vmovdqa %xmm6,32(%esp) + addl %ebp,%edx + xorl %ebx,%esi + shrdl $7,%eax,%eax + addl %edi,%edx + vpslld $2,%xmm3,%xmm3 + addl 56(%esp),%ecx + xorl %eax,%esi + movl %edx,%ebp + shldl $5,%edx,%edx + addl %esi,%ecx + xorl %eax,%ebp + shrdl $7,%edi,%edi + addl %edx,%ecx + vpor %xmm5,%xmm3,%xmm3 + addl 60(%esp),%ebx + xorl %edi,%ebp + 
movl %ecx,%esi + shldl $5,%ecx,%ecx + addl %ebp,%ebx + xorl %edi,%esi + shrdl $7,%edx,%edx + addl %ecx,%ebx + addl (%esp),%eax + vpaddd %xmm3,%xmm7,%xmm7 + xorl %edx,%esi + movl %ebx,%ebp + shldl $5,%ebx,%ebx + addl %esi,%eax + vmovdqa %xmm7,48(%esp) + xorl %edx,%ebp + shrdl $7,%ecx,%ecx + addl %ebx,%eax + addl 4(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + shldl $5,%eax,%eax + addl %ebp,%edi + xorl %ecx,%esi + shrdl $7,%ebx,%ebx + addl %eax,%edi + addl 8(%esp),%edx + xorl %ebx,%esi + movl %edi,%ebp + shldl $5,%edi,%edi + addl %esi,%edx + xorl %ebx,%ebp + shrdl $7,%eax,%eax + addl %edi,%edx + addl 12(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + shldl $5,%edx,%edx + addl %ebp,%ecx + xorl %eax,%esi + shrdl $7,%edi,%edi + addl %edx,%ecx + movl 196(%esp),%ebp + cmpl 200(%esp),%ebp + je L006done + vmovdqa 160(%esp),%xmm7 + vmovdqa 176(%esp),%xmm6 + vmovdqu (%ebp),%xmm0 + vmovdqu 16(%ebp),%xmm1 + vmovdqu 32(%ebp),%xmm2 + vmovdqu 48(%ebp),%xmm3 + addl $64,%ebp + vpshufb %xmm6,%xmm0,%xmm0 + movl %ebp,196(%esp) + vmovdqa %xmm7,96(%esp) + addl 16(%esp),%ebx + xorl %edi,%esi + vpshufb %xmm6,%xmm1,%xmm1 + movl %ecx,%ebp + shldl $5,%ecx,%ecx + vpaddd %xmm7,%xmm0,%xmm4 + addl %esi,%ebx + xorl %edi,%ebp + shrdl $7,%edx,%edx + addl %ecx,%ebx + vmovdqa %xmm4,(%esp) + addl 20(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + shldl $5,%ebx,%ebx + addl %ebp,%eax + xorl %edx,%esi + shrdl $7,%ecx,%ecx + addl %ebx,%eax + addl 24(%esp),%edi + xorl %ecx,%esi + movl %eax,%ebp + shldl $5,%eax,%eax + addl %esi,%edi + xorl %ecx,%ebp + shrdl $7,%ebx,%ebx + addl %eax,%edi + addl 28(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + shldl $5,%edi,%edi + addl %ebp,%edx + xorl %ebx,%esi + shrdl $7,%eax,%eax + addl %edi,%edx + addl 32(%esp),%ecx + xorl %eax,%esi + vpshufb %xmm6,%xmm2,%xmm2 + movl %edx,%ebp + shldl $5,%edx,%edx + vpaddd %xmm7,%xmm1,%xmm5 + addl %esi,%ecx + xorl %eax,%ebp + shrdl $7,%edi,%edi + addl %edx,%ecx + vmovdqa %xmm5,16(%esp) + addl 36(%esp),%ebx + xorl %edi,%ebp + movl %ecx,%esi 
+ shldl $5,%ecx,%ecx + addl %ebp,%ebx + xorl %edi,%esi + shrdl $7,%edx,%edx + addl %ecx,%ebx + addl 40(%esp),%eax + xorl %edx,%esi + movl %ebx,%ebp + shldl $5,%ebx,%ebx + addl %esi,%eax + xorl %edx,%ebp + shrdl $7,%ecx,%ecx + addl %ebx,%eax + addl 44(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + shldl $5,%eax,%eax + addl %ebp,%edi + xorl %ecx,%esi + shrdl $7,%ebx,%ebx + addl %eax,%edi + addl 48(%esp),%edx + xorl %ebx,%esi + vpshufb %xmm6,%xmm3,%xmm3 + movl %edi,%ebp + shldl $5,%edi,%edi + vpaddd %xmm7,%xmm2,%xmm6 + addl %esi,%edx + xorl %ebx,%ebp + shrdl $7,%eax,%eax + addl %edi,%edx + vmovdqa %xmm6,32(%esp) + addl 52(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + shldl $5,%edx,%edx + addl %ebp,%ecx + xorl %eax,%esi + shrdl $7,%edi,%edi + addl %edx,%ecx + addl 56(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + shldl $5,%ecx,%ecx + addl %esi,%ebx + xorl %edi,%ebp + shrdl $7,%edx,%edx + addl %ecx,%ebx + addl 60(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + shldl $5,%ebx,%ebx + addl %ebp,%eax + shrdl $7,%ecx,%ecx + addl %ebx,%eax + movl 192(%esp),%ebp + addl (%ebp),%eax + addl 4(%ebp),%esi + addl 8(%ebp),%ecx + movl %eax,(%ebp) + addl 12(%ebp),%edx + movl %esi,4(%ebp) + addl 16(%ebp),%edi + movl %ecx,%ebx + movl %ecx,8(%ebp) + xorl %edx,%ebx + movl %edx,12(%ebp) + movl %edi,16(%ebp) + movl %esi,%ebp + andl %ebx,%esi + movl %ebp,%ebx + jmp L005loop +.align 4,0x90 +L006done: + addl 16(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + shldl $5,%ecx,%ecx + addl %esi,%ebx + xorl %edi,%ebp + shrdl $7,%edx,%edx + addl %ecx,%ebx + addl 20(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + shldl $5,%ebx,%ebx + addl %ebp,%eax + xorl %edx,%esi + shrdl $7,%ecx,%ecx + addl %ebx,%eax + addl 24(%esp),%edi + xorl %ecx,%esi + movl %eax,%ebp + shldl $5,%eax,%eax + addl %esi,%edi + xorl %ecx,%ebp + shrdl $7,%ebx,%ebx + addl %eax,%edi + addl 28(%esp),%edx + xorl %ebx,%ebp + movl %edi,%esi + shldl $5,%edi,%edi + addl %ebp,%edx + xorl %ebx,%esi + shrdl $7,%eax,%eax + addl %edi,%edx + addl 
32(%esp),%ecx + xorl %eax,%esi + movl %edx,%ebp + shldl $5,%edx,%edx + addl %esi,%ecx + xorl %eax,%ebp + shrdl $7,%edi,%edi + addl %edx,%ecx + addl 36(%esp),%ebx + xorl %edi,%ebp + movl %ecx,%esi + shldl $5,%ecx,%ecx + addl %ebp,%ebx + xorl %edi,%esi + shrdl $7,%edx,%edx + addl %ecx,%ebx + addl 40(%esp),%eax + xorl %edx,%esi + movl %ebx,%ebp + shldl $5,%ebx,%ebx + addl %esi,%eax + xorl %edx,%ebp + shrdl $7,%ecx,%ecx + addl %ebx,%eax + addl 44(%esp),%edi + xorl %ecx,%ebp + movl %eax,%esi + shldl $5,%eax,%eax + addl %ebp,%edi + xorl %ecx,%esi + shrdl $7,%ebx,%ebx + addl %eax,%edi + addl 48(%esp),%edx + xorl %ebx,%esi + movl %edi,%ebp + shldl $5,%edi,%edi + addl %esi,%edx + xorl %ebx,%ebp + shrdl $7,%eax,%eax + addl %edi,%edx + addl 52(%esp),%ecx + xorl %eax,%ebp + movl %edx,%esi + shldl $5,%edx,%edx + addl %ebp,%ecx + xorl %eax,%esi + shrdl $7,%edi,%edi + addl %edx,%ecx + addl 56(%esp),%ebx + xorl %edi,%esi + movl %ecx,%ebp + shldl $5,%ecx,%ecx + addl %esi,%ebx + xorl %edi,%ebp + shrdl $7,%edx,%edx + addl %ecx,%ebx + addl 60(%esp),%eax + xorl %edx,%ebp + movl %ebx,%esi + shldl $5,%ebx,%ebx + addl %ebp,%eax + shrdl $7,%ecx,%ecx + addl %ebx,%eax + vzeroall + movl 192(%esp),%ebp + addl (%ebp),%eax + movl 204(%esp),%esp + addl 4(%ebp),%esi + addl 8(%ebp),%ecx + movl %eax,(%ebp) + addl 12(%ebp),%edx + movl %esi,4(%ebp) + addl 16(%ebp),%edi + movl %ecx,8(%ebp) + movl %edx,12(%ebp) + movl %edi,16(%ebp) + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.align 6,0x90 +LK_XX_XX: +.long 1518500249,1518500249,1518500249,1518500249 +.long 1859775393,1859775393,1859775393,1859775393 +.long 2400959708,2400959708,2400959708,2400959708 +.long 3395469782,3395469782,3395469782,3395469782 +.long 66051,67438087,134810123,202182159 +.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115 +.byte 102,111,114,109,32,102,111,114,32,120,56,54,44,32,67,82 +.byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112 +.byte 
114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-586-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-586-linux.S similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-586-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/sha1-586-linux.S index e37dc942e..ab1002d41 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-586-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-586-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,36 +6,16 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text -.globl sha1_block_data_order -.hidden sha1_block_data_order -.type sha1_block_data_order,@function +.globl sha1_block_data_order_nohw +.hidden sha1_block_data_order_nohw +.type sha1_block_data_order_nohw,@function .align 16 -sha1_block_data_order: -.L_sha1_block_data_order_begin: +sha1_block_data_order_nohw: +.L_sha1_block_data_order_nohw_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi - call .L000pic_point -.L000pic_point: - popl %ebp - leal OPENSSL_ia32cap_P-.L000pic_point(%ebp),%esi - leal .LK_XX_XX-.L000pic_point(%ebp),%ebp - movl (%esi),%eax - movl 4(%esi),%edx - testl $512,%edx - jz .L001x86 - movl 8(%esi),%ecx - testl $16777216,%eax - jz .L001x86 - andl $268435456,%edx - andl $1073741824,%eax - orl %edx,%eax - cmpl $1342177280,%eax - je .Lavx_shortcut - jmp .Lssse3_shortcut -.align 16 -.L001x86: movl 20(%esp),%ebp movl 24(%esp),%esi movl 28(%esp),%eax 
@@ -45,9 +24,9 @@ sha1_block_data_order: addl %esi,%eax movl %eax,104(%esp) movl 16(%ebp),%edi - jmp .L002loop + jmp .L000loop .align 16 -.L002loop: +.L000loop: movl (%esi),%eax movl 4(%esi),%ebx movl 8(%esi),%ecx @@ -1394,27 +1373,28 @@ sha1_block_data_order: movl %ebx,12(%ebp) movl %edx,%esi movl %ecx,16(%ebp) - jb .L002loop + jb .L000loop addl $76,%esp popl %edi popl %esi popl %ebx popl %ebp ret -.size sha1_block_data_order,.-.L_sha1_block_data_order_begin -.hidden _sha1_block_data_order_ssse3 -.type _sha1_block_data_order_ssse3,@function +.size sha1_block_data_order_nohw,.-.L_sha1_block_data_order_nohw_begin +.globl sha1_block_data_order_ssse3 +.hidden sha1_block_data_order_ssse3 +.type sha1_block_data_order_ssse3,@function .align 16 -_sha1_block_data_order_ssse3: +sha1_block_data_order_ssse3: +.L_sha1_block_data_order_ssse3_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi - call .L003pic_point -.L003pic_point: + call .L001pic_point +.L001pic_point: popl %ebp - leal .LK_XX_XX-.L003pic_point(%ebp),%ebp -.Lssse3_shortcut: + leal .LK_XX_XX-.L001pic_point(%ebp),%ebp movdqa (%ebp),%xmm7 movdqa 16(%ebp),%xmm0 movdqa 32(%ebp),%xmm1 @@ -1466,9 +1446,9 @@ _sha1_block_data_order_ssse3: xorl %edx,%ebp pshufd $238,%xmm0,%xmm4 andl %ebp,%esi - jmp .L004loop + jmp .L002loop .align 16 -.L004loop: +.L002loop: rorl $2,%ebx xorl %edx,%esi movl %eax,%ebp @@ -2371,7 +2351,7 @@ _sha1_block_data_order_ssse3: addl %edx,%ecx movl 196(%esp),%ebp cmpl 200(%esp),%ebp - je .L005done + je .L003done movdqa 160(%esp),%xmm7 movdqa 176(%esp),%xmm6 movdqu (%ebp),%xmm0 @@ -2506,9 +2486,9 @@ _sha1_block_data_order_ssse3: pshufd $238,%xmm0,%xmm4 andl %ebx,%esi movl %ebp,%ebx - jmp .L004loop + jmp .L002loop .align 16 -.L005done: +.L003done: addl 16(%esp),%ebx xorl %edi,%esi movl %ecx,%ebp 
@@ -2621,20 +2601,21 @@ _sha1_block_data_order_ssse3: popl %ebx popl %ebp ret -.size _sha1_block_data_order_ssse3,.-_sha1_block_data_order_ssse3 -.hidden _sha1_block_data_order_avx -.type _sha1_block_data_order_avx,@function +.size sha1_block_data_order_ssse3,.-.L_sha1_block_data_order_ssse3_begin +.globl sha1_block_data_order_avx +.hidden sha1_block_data_order_avx +.type sha1_block_data_order_avx,@function .align 16 -_sha1_block_data_order_avx: +sha1_block_data_order_avx: +.L_sha1_block_data_order_avx_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi - call .L006pic_point -.L006pic_point: + call .L004pic_point +.L004pic_point: popl %ebp - leal .LK_XX_XX-.L006pic_point(%ebp),%ebp -.Lavx_shortcut: + leal .LK_XX_XX-.L004pic_point(%ebp),%ebp vzeroall vmovdqa (%ebp),%xmm7 vmovdqa 16(%ebp),%xmm0 @@ -2683,9 +2664,9 @@ _sha1_block_data_order_avx: xorl %edx,%ebp vmovdqa %xmm6,32(%esp) andl %ebp,%esi - jmp .L007loop + jmp .L005loop .align 16 -.L007loop: +.L005loop: shrdl $2,%ebx,%ebx xorl %edx,%esi vpalignr $8,%xmm0,%xmm1,%xmm4 @@ -3545,7 +3526,7 @@ _sha1_block_data_order_avx: addl %edx,%ecx movl 196(%esp),%ebp cmpl 200(%esp),%ebp - je .L008done + je .L006done vmovdqa 160(%esp),%xmm7 vmovdqa 176(%esp),%xmm6 vmovdqu (%ebp),%xmm0 @@ -3676,9 +3657,9 @@ _sha1_block_data_order_avx: movl %esi,%ebp andl %ebx,%esi movl %ebp,%ebx - jmp .L007loop + jmp .L005loop .align 16 -.L008done: +.L006done: addl 16(%esp),%ebx xorl %edi,%esi movl %ecx,%ebp @@ -3792,7 +3773,7 @@ _sha1_block_data_order_avx: popl %ebx popl %ebp ret -.size _sha1_block_data_order_avx,.-_sha1_block_data_order_avx +.size sha1_block_data_order_avx,.-.L_sha1_block_data_order_avx_begin .align 64 .LK_XX_XX: .long 1518500249,1518500249,1518500249,1518500249 
@@ -3806,7 +3787,6 @@ _sha1_block_data_order_avx: .byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112 .byte 114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv4-large-linux.S similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/sha1-armv4-large-linux.S index e121efe49..dcb6a7e94 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv4-large-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv4-large-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -16,25 +15,12 @@ .code 32 #endif -.globl sha1_block_data_order -.hidden sha1_block_data_order -.type sha1_block_data_order,%function +.globl sha1_block_data_order_nohw +.hidden sha1_block_data_order_nohw +.type sha1_block_data_order_nohw,%function .align 5 -sha1_block_data_order: -#if __ARM_MAX_ARCH__>=7 -.Lsha1_block: - adr r3,.Lsha1_block - ldr r12,.LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA1 - bne .LARMv8 - tst r12,#ARMV7_NEON - bne .LNEON -#endif +sha1_block_data_order_nohw: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 ldmia r0,{r3,r4,r5,r6,r7} 
@@ -485,17 +471,13 @@ sha1_block_data_order: moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size sha1_block_data_order,.-sha1_block_data_order +.size sha1_block_data_order_nohw,.-sha1_block_data_order_nohw .align 5 .LK_00_19:.word 0x5a827999 .LK_20_39:.word 0x6ed9eba1 .LK_40_59:.word 0x8f1bbcdc .LK_60_79:.word 0xca62c1d6 -#if __ARM_MAX_ARCH__>=7 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lsha1_block -#endif .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 5 @@ -503,10 +485,11 @@ sha1_block_data_order: .arch armv7-a .fpu neon +.globl sha1_block_data_order_neon +.hidden sha1_block_data_order_neon .type sha1_block_data_order_neon,%function .align 4 sha1_block_data_order_neon: -.LNEON: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 @ dmb @ errata #451034 on early Cortex A8 @@ -1362,10 +1345,11 @@ sha1_block_data_order_neon: # define INST(a,b,c,d) .byte a,b,c,d|0x10 # endif -.type sha1_block_data_order_armv8,%function +.globl sha1_block_data_order_hw +.hidden sha1_block_data_order_hw +.type sha1_block_data_order_hw,%function .align 5 -sha1_block_data_order_armv8: -.LARMv8: +sha1_block_data_order_hw: vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI specification says so veor q1,q1,q1 
@@ -1493,14 +1477,9 @@ sha1_block_data_order_armv8: vldmia sp!,{d8,d9,d10,d11,d12,d13,d14,d15} bx lr @ bx lr -.size sha1_block_data_order_armv8,.-sha1_block_data_order_armv8 -#endif -#if __ARM_MAX_ARCH__>=7 -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P +.size sha1_block_data_order_hw,.-sha1_block_data_order_hw #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-apple.S index 1886ed5a0..d89b2a863 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -10,23 +9,13 @@ .text - -.private_extern _OPENSSL_armcap_P -.globl _sha1_block_data_order -.private_extern _sha1_block_data_order +.globl _sha1_block_data_order_nohw +.private_extern _sha1_block_data_order_nohw .align 6 -_sha1_block_data_order: +_sha1_block_data_order_nohw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x16,_OPENSSL_armcap_P@PAGE -#endif - ldr w16,[x16,_OPENSSL_armcap_P@PAGEOFF] - tst w16,#ARMV8_SHA1 - b.ne Lv8_entry stp x29,x30,[sp,#-96]! add x29,sp,#0 
@@ -1083,12 +1072,13 @@ Loop: ldr x29,[sp],#96 ret +.globl _sha1_block_data_order_hw +.private_extern _sha1_block_data_order_hw .align 6 -sha1_block_armv8: +_sha1_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -Lv8_entry: stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1227,7 +1217,6 @@ Lconst: .align 2 .align 2 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-linux.S similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-linux.S index b994cc88c..b7c968cb9 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -10,23 +9,13 @@ .text - -.hidden OPENSSL_armcap_P -.globl sha1_block_data_order -.hidden sha1_block_data_order -.type sha1_block_data_order,%function +.globl sha1_block_data_order_nohw +.hidden sha1_block_data_order_nohw +.type sha1_block_data_order_nohw,%function .align 6 -sha1_block_data_order: +sha1_block_data_order_nohw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x16,OPENSSL_armcap_P -#endif - ldr w16,[x16,:lo12:OPENSSL_armcap_P] - tst w16,#ARMV8_SHA1 - b.ne .Lv8_entry stp x29,x30,[sp,#-96]! add x29,sp,#0 
@@ -1082,13 +1071,14 @@ sha1_block_data_order: ldp x27,x28,[sp,#80] ldr x29,[sp],#96 ret -.size sha1_block_data_order,.-sha1_block_data_order -.type sha1_block_armv8,%function +.size sha1_block_data_order_nohw,.-sha1_block_data_order_nohw +.globl sha1_block_data_order_hw +.hidden sha1_block_data_order_hw +.type sha1_block_data_order_hw,%function .align 6 -sha1_block_armv8: +sha1_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET -.Lv8_entry: stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1215,7 +1205,7 @@ sha1_block_armv8: ldr x29,[sp],#16 ret -.size sha1_block_armv8,.-sha1_block_armv8 +.size sha1_block_data_order_hw,.-sha1_block_data_order_hw .section .rodata .align 6 .Lconst: @@ -1227,7 +1217,6 @@ sha1_block_armv8: .align 2 .align 2 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-win.S new file mode 100644 index 000000000..fbb992d66 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-armv8-win.S 
@@ -0,0 +1,1227 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +.text + +.globl sha1_block_data_order_nohw + +.def sha1_block_data_order_nohw + .type 32 +.endef +.align 6 +sha1_block_data_order_nohw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET + + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + + ldp w20,w21,[x0] + ldp w22,w23,[x0,#8] + ldr w24,[x0,#16] + +Loop: + ldr x3,[x1],#64 + movz w28,#0x7999 + sub x2,x2,#1 + movk w28,#0x5a82,lsl#16 +#ifdef __AARCH64EB__ + ror x3,x3,#32 +#else + rev32 x3,x3 +#endif + add w24,w24,w28 // warm it up + add w24,w24,w3 + lsr x4,x3,#32 + ldr x5,[x1,#-56] + bic w25,w23,w21 + and w26,w22,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + orr w25,w25,w26 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + add w23,w23,w4 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) +#ifdef __AARCH64EB__ + ror x5,x5,#32 +#else + rev32 x5,x5 +#endif + bic w25,w22,w20 + and w26,w21,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + orr w25,w25,w26 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + add w22,w22,w5 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + lsr x6,x5,#32 + ldr x7,[x1,#-48] + bic w25,w21,w24 + and w26,w20,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + orr w25,w25,w26 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + add w21,w21,w6 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) +#ifdef __AARCH64EB__ + ror x7,x7,#32 +#else + rev32 x7,x7 +#endif + bic w25,w20,w23 + and w26,w24,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + orr w25,w25,w26 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + add w20,w20,w7 // 
future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + lsr x8,x7,#32 + ldr x9,[x1,#-40] + bic w25,w24,w22 + and w26,w23,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + orr w25,w25,w26 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + add w24,w24,w8 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) +#ifdef __AARCH64EB__ + ror x9,x9,#32 +#else + rev32 x9,x9 +#endif + bic w25,w23,w21 + and w26,w22,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + orr w25,w25,w26 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + add w23,w23,w9 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + lsr x10,x9,#32 + ldr x11,[x1,#-32] + bic w25,w22,w20 + and w26,w21,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + orr w25,w25,w26 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + add w22,w22,w10 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) +#ifdef __AARCH64EB__ + ror x11,x11,#32 +#else + rev32 x11,x11 +#endif + bic w25,w21,w24 + and w26,w20,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + orr w25,w25,w26 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + add w21,w21,w11 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + lsr x12,x11,#32 + ldr x13,[x1,#-24] + bic w25,w20,w23 + and w26,w24,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + orr w25,w25,w26 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + add w20,w20,w12 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) +#ifdef __AARCH64EB__ + ror x13,x13,#32 +#else + rev32 x13,x13 +#endif + bic w25,w24,w22 + and w26,w23,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + orr w25,w25,w26 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + add w24,w24,w13 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + lsr x14,x13,#32 + ldr x15,[x1,#-16] + bic w25,w23,w21 + and w26,w22,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + orr w25,w25,w26 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + add w23,w23,w14 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) +#ifdef __AARCH64EB__ + ror 
x15,x15,#32 +#else + rev32 x15,x15 +#endif + bic w25,w22,w20 + and w26,w21,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + orr w25,w25,w26 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + add w22,w22,w15 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + lsr x16,x15,#32 + ldr x17,[x1,#-8] + bic w25,w21,w24 + and w26,w20,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + orr w25,w25,w26 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + add w21,w21,w16 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) +#ifdef __AARCH64EB__ + ror x17,x17,#32 +#else + rev32 x17,x17 +#endif + bic w25,w20,w23 + and w26,w24,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + orr w25,w25,w26 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + add w20,w20,w17 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + lsr x19,x17,#32 + eor w3,w3,w5 + bic w25,w24,w22 + and w26,w23,w22 + ror w27,w21,#27 + eor w3,w3,w11 + add w24,w24,w28 // future e+=K + orr w25,w25,w26 + add w20,w20,w27 // e+=rot(a,5) + eor w3,w3,w16 + ror w22,w22,#2 + add w24,w24,w19 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w3,w3,#31 + eor w4,w4,w6 + bic w25,w23,w21 + and w26,w22,w21 + ror w27,w20,#27 + eor w4,w4,w12 + add w23,w23,w28 // future e+=K + orr w25,w25,w26 + add w24,w24,w27 // e+=rot(a,5) + eor w4,w4,w17 + ror w21,w21,#2 + add w23,w23,w3 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w4,w4,#31 + eor w5,w5,w7 + bic w25,w22,w20 + and w26,w21,w20 + ror w27,w24,#27 + eor w5,w5,w13 + add w22,w22,w28 // future e+=K + orr w25,w25,w26 + add w23,w23,w27 // e+=rot(a,5) + eor w5,w5,w19 + ror w20,w20,#2 + add w22,w22,w4 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w5,w5,#31 + eor w6,w6,w8 + bic w25,w21,w24 + and w26,w20,w24 + ror w27,w23,#27 + eor w6,w6,w14 + add w21,w21,w28 // future e+=K + orr w25,w25,w26 + add w22,w22,w27 // e+=rot(a,5) + eor w6,w6,w3 + ror w24,w24,#2 + add w21,w21,w5 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w6,w6,#31 + eor w7,w7,w9 
+ bic w25,w20,w23 + and w26,w24,w23 + ror w27,w22,#27 + eor w7,w7,w15 + add w20,w20,w28 // future e+=K + orr w25,w25,w26 + add w21,w21,w27 // e+=rot(a,5) + eor w7,w7,w4 + ror w23,w23,#2 + add w20,w20,w6 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w7,w7,#31 + movz w28,#0xeba1 + movk w28,#0x6ed9,lsl#16 + eor w8,w8,w10 + bic w25,w24,w22 + and w26,w23,w22 + ror w27,w21,#27 + eor w8,w8,w16 + add w24,w24,w28 // future e+=K + orr w25,w25,w26 + add w20,w20,w27 // e+=rot(a,5) + eor w8,w8,w5 + ror w22,w22,#2 + add w24,w24,w7 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w8,w8,#31 + eor w9,w9,w11 + eor w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w9,w9,w17 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w9,w9,w6 + add w23,w23,w8 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w9,w9,#31 + eor w10,w10,w12 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w10,w10,w19 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w10,w10,w7 + add w22,w22,w9 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w10,w10,#31 + eor w11,w11,w13 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w11,w11,w3 + eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w11,w11,w8 + add w21,w21,w10 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w11,w11,#31 + eor w12,w12,w14 + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor w12,w12,w4 + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + eor w12,w12,w9 + add w20,w20,w11 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w12,w12,#31 + eor w13,w13,w15 + eor w25,w24,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + eor w13,w13,w5 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + eor w13,w13,w10 + add w24,w24,w12 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w13,w13,#31 + eor w14,w14,w16 + eor 
w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w14,w14,w6 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w14,w14,w11 + add w23,w23,w13 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w14,w14,#31 + eor w15,w15,w17 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w15,w15,w7 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w15,w15,w12 + add w22,w22,w14 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w15,w15,#31 + eor w16,w16,w19 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w16,w16,w8 + eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w16,w16,w13 + add w21,w21,w15 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w16,w16,#31 + eor w17,w17,w3 + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor w17,w17,w9 + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + eor w17,w17,w14 + add w20,w20,w16 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w17,w17,#31 + eor w19,w19,w4 + eor w25,w24,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + eor w19,w19,w10 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + eor w19,w19,w15 + add w24,w24,w17 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w19,w19,#31 + eor w3,w3,w5 + eor w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w3,w3,w11 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w3,w3,w16 + add w23,w23,w19 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w3,w3,#31 + eor w4,w4,w6 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w4,w4,w12 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w4,w4,w17 + add w22,w22,w3 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w4,w4,#31 + eor w5,w5,w7 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w5,w5,w13 + 
eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w5,w5,w19 + add w21,w21,w4 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w5,w5,#31 + eor w6,w6,w8 + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor w6,w6,w14 + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + eor w6,w6,w3 + add w20,w20,w5 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w6,w6,#31 + eor w7,w7,w9 + eor w25,w24,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + eor w7,w7,w15 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + eor w7,w7,w4 + add w24,w24,w6 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w7,w7,#31 + eor w8,w8,w10 + eor w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w8,w8,w16 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w8,w8,w5 + add w23,w23,w7 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w8,w8,#31 + eor w9,w9,w11 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w9,w9,w17 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w9,w9,w6 + add w22,w22,w8 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w9,w9,#31 + eor w10,w10,w12 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w10,w10,w19 + eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w10,w10,w7 + add w21,w21,w9 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w10,w10,#31 + eor w11,w11,w13 + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor w11,w11,w3 + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + eor w11,w11,w8 + add w20,w20,w10 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w11,w11,#31 + movz w28,#0xbcdc + movk w28,#0x8f1b,lsl#16 + eor w12,w12,w14 + eor w25,w24,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + eor w12,w12,w4 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror 
w22,w22,#2 + eor w12,w12,w9 + add w24,w24,w11 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w12,w12,#31 + orr w25,w21,w22 + and w26,w21,w22 + eor w13,w13,w15 + ror w27,w20,#27 + and w25,w25,w23 + add w23,w23,w28 // future e+=K + eor w13,w13,w5 + add w24,w24,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w21,w21,#2 + eor w13,w13,w10 + add w23,w23,w12 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w13,w13,#31 + orr w25,w20,w21 + and w26,w20,w21 + eor w14,w14,w16 + ror w27,w24,#27 + and w25,w25,w22 + add w22,w22,w28 // future e+=K + eor w14,w14,w6 + add w23,w23,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w20,w20,#2 + eor w14,w14,w11 + add w22,w22,w13 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w14,w14,#31 + orr w25,w24,w20 + and w26,w24,w20 + eor w15,w15,w17 + ror w27,w23,#27 + and w25,w25,w21 + add w21,w21,w28 // future e+=K + eor w15,w15,w7 + add w22,w22,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w24,w24,#2 + eor w15,w15,w12 + add w21,w21,w14 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w15,w15,#31 + orr w25,w23,w24 + and w26,w23,w24 + eor w16,w16,w19 + ror w27,w22,#27 + and w25,w25,w20 + add w20,w20,w28 // future e+=K + eor w16,w16,w8 + add w21,w21,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w23,w23,#2 + eor w16,w16,w13 + add w20,w20,w15 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w16,w16,#31 + orr w25,w22,w23 + and w26,w22,w23 + eor w17,w17,w3 + ror w27,w21,#27 + and w25,w25,w24 + add w24,w24,w28 // future e+=K + eor w17,w17,w9 + add w20,w20,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w22,w22,#2 + eor w17,w17,w14 + add w24,w24,w16 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w17,w17,#31 + orr w25,w21,w22 + and w26,w21,w22 + eor w19,w19,w4 + ror w27,w20,#27 + and w25,w25,w23 + add w23,w23,w28 // future e+=K + eor w19,w19,w10 + add w24,w24,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w21,w21,#2 + eor w19,w19,w15 + add w23,w23,w17 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w19,w19,#31 + orr 
w25,w20,w21 + and w26,w20,w21 + eor w3,w3,w5 + ror w27,w24,#27 + and w25,w25,w22 + add w22,w22,w28 // future e+=K + eor w3,w3,w11 + add w23,w23,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w20,w20,#2 + eor w3,w3,w16 + add w22,w22,w19 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w3,w3,#31 + orr w25,w24,w20 + and w26,w24,w20 + eor w4,w4,w6 + ror w27,w23,#27 + and w25,w25,w21 + add w21,w21,w28 // future e+=K + eor w4,w4,w12 + add w22,w22,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w24,w24,#2 + eor w4,w4,w17 + add w21,w21,w3 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w4,w4,#31 + orr w25,w23,w24 + and w26,w23,w24 + eor w5,w5,w7 + ror w27,w22,#27 + and w25,w25,w20 + add w20,w20,w28 // future e+=K + eor w5,w5,w13 + add w21,w21,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w23,w23,#2 + eor w5,w5,w19 + add w20,w20,w4 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w5,w5,#31 + orr w25,w22,w23 + and w26,w22,w23 + eor w6,w6,w8 + ror w27,w21,#27 + and w25,w25,w24 + add w24,w24,w28 // future e+=K + eor w6,w6,w14 + add w20,w20,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w22,w22,#2 + eor w6,w6,w3 + add w24,w24,w5 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w6,w6,#31 + orr w25,w21,w22 + and w26,w21,w22 + eor w7,w7,w9 + ror w27,w20,#27 + and w25,w25,w23 + add w23,w23,w28 // future e+=K + eor w7,w7,w15 + add w24,w24,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w21,w21,#2 + eor w7,w7,w4 + add w23,w23,w6 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w7,w7,#31 + orr w25,w20,w21 + and w26,w20,w21 + eor w8,w8,w10 + ror w27,w24,#27 + and w25,w25,w22 + add w22,w22,w28 // future e+=K + eor w8,w8,w16 + add w23,w23,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w20,w20,#2 + eor w8,w8,w5 + add w22,w22,w7 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w8,w8,#31 + orr w25,w24,w20 + and w26,w24,w20 + eor w9,w9,w11 + ror w27,w23,#27 + and w25,w25,w21 + add w21,w21,w28 // future e+=K + eor w9,w9,w17 + add w22,w22,w27 // e+=rot(a,5) + orr 
w25,w25,w26 + ror w24,w24,#2 + eor w9,w9,w6 + add w21,w21,w8 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w9,w9,#31 + orr w25,w23,w24 + and w26,w23,w24 + eor w10,w10,w12 + ror w27,w22,#27 + and w25,w25,w20 + add w20,w20,w28 // future e+=K + eor w10,w10,w19 + add w21,w21,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w23,w23,#2 + eor w10,w10,w7 + add w20,w20,w9 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w10,w10,#31 + orr w25,w22,w23 + and w26,w22,w23 + eor w11,w11,w13 + ror w27,w21,#27 + and w25,w25,w24 + add w24,w24,w28 // future e+=K + eor w11,w11,w3 + add w20,w20,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w22,w22,#2 + eor w11,w11,w8 + add w24,w24,w10 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w11,w11,#31 + orr w25,w21,w22 + and w26,w21,w22 + eor w12,w12,w14 + ror w27,w20,#27 + and w25,w25,w23 + add w23,w23,w28 // future e+=K + eor w12,w12,w4 + add w24,w24,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w21,w21,#2 + eor w12,w12,w9 + add w23,w23,w11 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w12,w12,#31 + orr w25,w20,w21 + and w26,w20,w21 + eor w13,w13,w15 + ror w27,w24,#27 + and w25,w25,w22 + add w22,w22,w28 // future e+=K + eor w13,w13,w5 + add w23,w23,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w20,w20,#2 + eor w13,w13,w10 + add w22,w22,w12 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w13,w13,#31 + orr w25,w24,w20 + and w26,w24,w20 + eor w14,w14,w16 + ror w27,w23,#27 + and w25,w25,w21 + add w21,w21,w28 // future e+=K + eor w14,w14,w6 + add w22,w22,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w24,w24,#2 + eor w14,w14,w11 + add w21,w21,w13 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w14,w14,#31 + orr w25,w23,w24 + and w26,w23,w24 + eor w15,w15,w17 + ror w27,w22,#27 + and w25,w25,w20 + add w20,w20,w28 // future e+=K + eor w15,w15,w7 + add w21,w21,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w23,w23,#2 + eor w15,w15,w12 + add w20,w20,w14 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror 
w15,w15,#31 + movz w28,#0xc1d6 + movk w28,#0xca62,lsl#16 + orr w25,w22,w23 + and w26,w22,w23 + eor w16,w16,w19 + ror w27,w21,#27 + and w25,w25,w24 + add w24,w24,w28 // future e+=K + eor w16,w16,w8 + add w20,w20,w27 // e+=rot(a,5) + orr w25,w25,w26 + ror w22,w22,#2 + eor w16,w16,w13 + add w24,w24,w15 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w16,w16,#31 + eor w17,w17,w3 + eor w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w17,w17,w9 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w17,w17,w14 + add w23,w23,w16 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w17,w17,#31 + eor w19,w19,w4 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w19,w19,w10 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w19,w19,w15 + add w22,w22,w17 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w19,w19,#31 + eor w3,w3,w5 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w3,w3,w11 + eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w3,w3,w16 + add w21,w21,w19 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w3,w3,#31 + eor w4,w4,w6 + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor w4,w4,w12 + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + eor w4,w4,w17 + add w20,w20,w3 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w4,w4,#31 + eor w5,w5,w7 + eor w25,w24,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + eor w5,w5,w13 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + eor w5,w5,w19 + add w24,w24,w4 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w5,w5,#31 + eor w6,w6,w8 + eor w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w6,w6,w14 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w6,w6,w3 + add w23,w23,w5 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w6,w6,#31 + 
eor w7,w7,w9 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w7,w7,w15 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w7,w7,w4 + add w22,w22,w6 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w7,w7,#31 + eor w8,w8,w10 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w8,w8,w16 + eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w8,w8,w5 + add w21,w21,w7 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w8,w8,#31 + eor w9,w9,w11 + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor w9,w9,w17 + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + eor w9,w9,w6 + add w20,w20,w8 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w9,w9,#31 + eor w10,w10,w12 + eor w25,w24,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + eor w10,w10,w19 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + eor w10,w10,w7 + add w24,w24,w9 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w10,w10,#31 + eor w11,w11,w13 + eor w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w11,w11,w3 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w11,w11,w8 + add w23,w23,w10 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w11,w11,#31 + eor w12,w12,w14 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w12,w12,w4 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w12,w12,w9 + add w22,w22,w11 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w12,w12,#31 + eor w13,w13,w15 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w13,w13,w5 + eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w13,w13,w10 + add w21,w21,w12 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w13,w13,#31 + eor w14,w14,w16 + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor 
w14,w14,w6 + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + eor w14,w14,w11 + add w20,w20,w13 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ror w14,w14,#31 + eor w15,w15,w17 + eor w25,w24,w22 + ror w27,w21,#27 + add w24,w24,w28 // future e+=K + eor w15,w15,w7 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + eor w15,w15,w12 + add w24,w24,w14 // future e+=X[i] + add w20,w20,w25 // e+=F(b,c,d) + ror w15,w15,#31 + eor w16,w16,w19 + eor w25,w23,w21 + ror w27,w20,#27 + add w23,w23,w28 // future e+=K + eor w16,w16,w8 + eor w25,w25,w22 + add w24,w24,w27 // e+=rot(a,5) + ror w21,w21,#2 + eor w16,w16,w13 + add w23,w23,w15 // future e+=X[i] + add w24,w24,w25 // e+=F(b,c,d) + ror w16,w16,#31 + eor w17,w17,w3 + eor w25,w22,w20 + ror w27,w24,#27 + add w22,w22,w28 // future e+=K + eor w17,w17,w9 + eor w25,w25,w21 + add w23,w23,w27 // e+=rot(a,5) + ror w20,w20,#2 + eor w17,w17,w14 + add w22,w22,w16 // future e+=X[i] + add w23,w23,w25 // e+=F(b,c,d) + ror w17,w17,#31 + eor w19,w19,w4 + eor w25,w21,w24 + ror w27,w23,#27 + add w21,w21,w28 // future e+=K + eor w19,w19,w10 + eor w25,w25,w20 + add w22,w22,w27 // e+=rot(a,5) + ror w24,w24,#2 + eor w19,w19,w15 + add w21,w21,w17 // future e+=X[i] + add w22,w22,w25 // e+=F(b,c,d) + ror w19,w19,#31 + ldp w4,w5,[x0] + eor w25,w20,w23 + ror w27,w22,#27 + add w20,w20,w28 // future e+=K + eor w25,w25,w24 + add w21,w21,w27 // e+=rot(a,5) + ror w23,w23,#2 + add w20,w20,w19 // future e+=X[i] + add w21,w21,w25 // e+=F(b,c,d) + ldp w6,w7,[x0,#8] + eor w25,w24,w22 + ror w27,w21,#27 + eor w25,w25,w23 + add w20,w20,w27 // e+=rot(a,5) + ror w22,w22,#2 + ldr w8,[x0,#16] + add w20,w20,w25 // e+=F(b,c,d) + add w21,w21,w5 + add w22,w22,w6 + add w20,w20,w4 + add w23,w23,w7 + add w24,w24,w8 + stp w20,w21,[x0] + stp w22,w23,[x0,#8] + str w24,[x0,#16] + cbnz x2,Loop + + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldp x25,x26,[sp,#64] + ldp x27,x28,[sp,#80] + ldr x29,[sp],#96 + ret + 
+.globl sha1_block_data_order_hw + +.def sha1_block_data_order_hw + .type 32 +.endef +.align 6 +sha1_block_data_order_hw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + adrp x4,Lconst + add x4,x4,:lo12:Lconst + eor v1.16b,v1.16b,v1.16b + ld1 {v0.4s},[x0],#16 + ld1 {v1.s}[0],[x0] + sub x0,x0,#16 + ld1 {v16.4s,v17.4s,v18.4s,v19.4s},[x4] + +Loop_hw: + ld1 {v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64 + sub x2,x2,#1 + rev32 v4.16b,v4.16b + rev32 v5.16b,v5.16b + + add v20.4s,v16.4s,v4.4s + rev32 v6.16b,v6.16b + orr v22.16b,v0.16b,v0.16b // offload + + add v21.4s,v16.4s,v5.4s + rev32 v7.16b,v7.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b +.long 0x5e140020 //sha1c v0.16b,v1.16b,v20.4s // 0 + add v20.4s,v16.4s,v6.4s +.long 0x5e0630a4 //sha1su0 v4.16b,v5.16b,v6.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 1 +.long 0x5e150060 //sha1c v0.16b,v3.16b,v21.4s + add v21.4s,v16.4s,v7.4s +.long 0x5e2818e4 //sha1su1 v4.16b,v7.16b +.long 0x5e0730c5 //sha1su0 v5.16b,v6.16b,v7.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 2 +.long 0x5e140040 //sha1c v0.16b,v2.16b,v20.4s + add v20.4s,v16.4s,v4.4s +.long 0x5e281885 //sha1su1 v5.16b,v4.16b +.long 0x5e0430e6 //sha1su0 v6.16b,v7.16b,v4.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 3 +.long 0x5e150060 //sha1c v0.16b,v3.16b,v21.4s + add v21.4s,v17.4s,v5.4s +.long 0x5e2818a6 //sha1su1 v6.16b,v5.16b +.long 0x5e053087 //sha1su0 v7.16b,v4.16b,v5.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 4 +.long 0x5e140040 //sha1c v0.16b,v2.16b,v20.4s + add v20.4s,v17.4s,v6.4s +.long 0x5e2818c7 //sha1su1 v7.16b,v6.16b +.long 0x5e0630a4 //sha1su0 v4.16b,v5.16b,v6.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 5 +.long 0x5e151060 //sha1p v0.16b,v3.16b,v21.4s + add v21.4s,v17.4s,v7.4s +.long 0x5e2818e4 //sha1su1 v4.16b,v7.16b +.long 0x5e0730c5 //sha1su0 v5.16b,v6.16b,v7.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 6 +.long 0x5e141040 //sha1p 
v0.16b,v2.16b,v20.4s + add v20.4s,v17.4s,v4.4s +.long 0x5e281885 //sha1su1 v5.16b,v4.16b +.long 0x5e0430e6 //sha1su0 v6.16b,v7.16b,v4.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 7 +.long 0x5e151060 //sha1p v0.16b,v3.16b,v21.4s + add v21.4s,v17.4s,v5.4s +.long 0x5e2818a6 //sha1su1 v6.16b,v5.16b +.long 0x5e053087 //sha1su0 v7.16b,v4.16b,v5.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 8 +.long 0x5e141040 //sha1p v0.16b,v2.16b,v20.4s + add v20.4s,v18.4s,v6.4s +.long 0x5e2818c7 //sha1su1 v7.16b,v6.16b +.long 0x5e0630a4 //sha1su0 v4.16b,v5.16b,v6.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 9 +.long 0x5e151060 //sha1p v0.16b,v3.16b,v21.4s + add v21.4s,v18.4s,v7.4s +.long 0x5e2818e4 //sha1su1 v4.16b,v7.16b +.long 0x5e0730c5 //sha1su0 v5.16b,v6.16b,v7.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 10 +.long 0x5e142040 //sha1m v0.16b,v2.16b,v20.4s + add v20.4s,v18.4s,v4.4s +.long 0x5e281885 //sha1su1 v5.16b,v4.16b +.long 0x5e0430e6 //sha1su0 v6.16b,v7.16b,v4.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 11 +.long 0x5e152060 //sha1m v0.16b,v3.16b,v21.4s + add v21.4s,v18.4s,v5.4s +.long 0x5e2818a6 //sha1su1 v6.16b,v5.16b +.long 0x5e053087 //sha1su0 v7.16b,v4.16b,v5.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 12 +.long 0x5e142040 //sha1m v0.16b,v2.16b,v20.4s + add v20.4s,v18.4s,v6.4s +.long 0x5e2818c7 //sha1su1 v7.16b,v6.16b +.long 0x5e0630a4 //sha1su0 v4.16b,v5.16b,v6.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 13 +.long 0x5e152060 //sha1m v0.16b,v3.16b,v21.4s + add v21.4s,v19.4s,v7.4s +.long 0x5e2818e4 //sha1su1 v4.16b,v7.16b +.long 0x5e0730c5 //sha1su0 v5.16b,v6.16b,v7.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 14 +.long 0x5e142040 //sha1m v0.16b,v2.16b,v20.4s + add v20.4s,v19.4s,v4.4s +.long 0x5e281885 //sha1su1 v5.16b,v4.16b +.long 0x5e0430e6 //sha1su0 v6.16b,v7.16b,v4.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 15 +.long 0x5e151060 //sha1p v0.16b,v3.16b,v21.4s + add v21.4s,v19.4s,v5.4s +.long 0x5e2818a6 //sha1su1 v6.16b,v5.16b +.long 0x5e053087 
//sha1su0 v7.16b,v4.16b,v5.16b +.long 0x5e280803 //sha1h v3.16b,v0.16b // 16 +.long 0x5e141040 //sha1p v0.16b,v2.16b,v20.4s + add v20.4s,v19.4s,v6.4s +.long 0x5e2818c7 //sha1su1 v7.16b,v6.16b +.long 0x5e280802 //sha1h v2.16b,v0.16b // 17 +.long 0x5e151060 //sha1p v0.16b,v3.16b,v21.4s + add v21.4s,v19.4s,v7.4s + +.long 0x5e280803 //sha1h v3.16b,v0.16b // 18 +.long 0x5e141040 //sha1p v0.16b,v2.16b,v20.4s + +.long 0x5e280802 //sha1h v2.16b,v0.16b // 19 +.long 0x5e151060 //sha1p v0.16b,v3.16b,v21.4s + + add v1.4s,v1.4s,v2.4s + add v0.4s,v0.4s,v22.4s + + cbnz x2,Loop_hw + + st1 {v0.4s},[x0],#16 + st1 {v1.s}[0],[x0] + + ldr x29,[sp],#16 + ret + +.section .rodata +.align 6 +Lconst: +.long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 //K_00_19 +.long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 //K_20_39 +.long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc //K_40_59 +.long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 //K_60_79 +.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.align 2 +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-apple.S index a073e353b..c515a18e1 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-apple.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,34 +7,13 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - -.globl _sha1_block_data_order -.private_extern _sha1_block_data_order +.globl _sha1_block_data_order_nohw +.private_extern _sha1_block_data_order_nohw .p2align 4 -_sha1_block_data_order: +_sha1_block_data_order_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%r10 - movl 0(%r10),%r9d - movl 4(%r10),%r8d - movl 8(%r10),%r10d - testl $512,%r8d - jz L$ialu - testl $536870912,%r10d - jnz _shaext_shortcut - andl $296,%r10d - cmpl $296,%r10d - je _avx2_shortcut - andl $268435456,%r8d - andl $1073741824,%r9d - orl %r9d,%r8d - cmpl $1342177280,%r8d - je _avx_shortcut - jmp _ssse3_shortcut - -.p2align 4 -L$ialu: movq %rsp,%rax pushq %rbx @@ -1266,11 +1244,13 @@ L$epilogue: ret +.globl _sha1_block_data_order_hw +.private_extern _sha1_block_data_order_hw .p2align 5 -sha1_block_data_order_shaext: -_shaext_shortcut: +_sha1_block_data_order_hw: +_CET_ENDBR movdqu (%rdi),%xmm0 movd 16(%rdi),%xmm1 movdqa K_XX_XX+160(%rip),%xmm3 @@ -1436,11 +1416,13 @@ L$oop_shaext: ret +.globl _sha1_block_data_order_ssse3 +.private_extern _sha1_block_data_order_ssse3 .p2align 4 -sha1_block_data_order_ssse3: -_ssse3_shortcut: +_sha1_block_data_order_ssse3: +_CET_ENDBR movq %rsp,%r11 pushq %rbx @@ -2624,11 +2606,13 @@ L$epilogue_ssse3: ret +.globl _sha1_block_data_order_avx +.private_extern _sha1_block_data_order_avx .p2align 4 -sha1_block_data_order_avx: -_avx_shortcut: +_sha1_block_data_order_avx: +_CET_ENDBR movq %rsp,%r11 pushq %rbx @@ -3752,11 +3736,13 @@ L$epilogue_avx: ret +.globl _sha1_block_data_order_avx2 +.private_extern _sha1_block_data_order_avx2 .p2align 4 -sha1_block_data_order_avx2: -_avx2_shortcut: +_sha1_block_data_order_avx2: +_CET_ENDBR movq %rsp,%r11 pushq %rbx 
@@ -5463,7 +5449,6 @@ K_XX_XX: .p2align 6 .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-linux.S index b40fe065d..0d20ef409 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha1-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha1-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,36 +6,14 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P -.globl sha1_block_data_order -.hidden sha1_block_data_order -.type sha1_block_data_order,@function +.globl sha1_block_data_order_nohw +.hidden sha1_block_data_order_nohw +.type sha1_block_data_order_nohw,@function .align 16 -sha1_block_data_order: +sha1_block_data_order_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%r10 - movl 0(%r10),%r9d - movl 4(%r10),%r8d - movl 8(%r10),%r10d - testl $512,%r8d - jz .Lialu - testl $536870912,%r10d - jnz _shaext_shortcut - andl $296,%r10d - cmpl $296,%r10d - je _avx2_shortcut - andl $268435456,%r8d - andl $1073741824,%r9d - orl %r9d,%r8d - cmpl $1342177280,%r8d - je _avx_shortcut - jmp _ssse3_shortcut - -.align 16 -.Lialu: movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx 
@@ -1266,12 +1243,14 @@ _CET_ENDBR .Lepilogue: ret .cfi_endproc -.size sha1_block_data_order,.-sha1_block_data_order -.type sha1_block_data_order_shaext,@function +.size sha1_block_data_order_nohw,.-sha1_block_data_order_nohw +.globl sha1_block_data_order_hw +.hidden sha1_block_data_order_hw +.type sha1_block_data_order_hw,@function .align 32 -sha1_block_data_order_shaext: -_shaext_shortcut: +sha1_block_data_order_hw: .cfi_startproc +_CET_ENDBR movdqu (%rdi),%xmm0 movd 16(%rdi),%xmm1 movdqa K_XX_XX+160(%rip),%xmm3 @@ -1436,12 +1415,14 @@ _shaext_shortcut: movd %xmm1,16(%rdi) ret .cfi_endproc -.size sha1_block_data_order_shaext,.-sha1_block_data_order_shaext +.size sha1_block_data_order_hw,.-sha1_block_data_order_hw +.globl sha1_block_data_order_ssse3 +.hidden sha1_block_data_order_ssse3 .type sha1_block_data_order_ssse3,@function .align 16 sha1_block_data_order_ssse3: -_ssse3_shortcut: .cfi_startproc +_CET_ENDBR movq %rsp,%r11 .cfi_def_cfa_register %r11 pushq %rbx @@ -2625,11 +2606,13 @@ _ssse3_shortcut: ret .cfi_endproc .size sha1_block_data_order_ssse3,.-sha1_block_data_order_ssse3 +.globl sha1_block_data_order_avx +.hidden sha1_block_data_order_avx .type sha1_block_data_order_avx,@function .align 16 sha1_block_data_order_avx: -_avx_shortcut: .cfi_startproc +_CET_ENDBR movq %rsp,%r11 .cfi_def_cfa_register %r11 pushq %rbx @@ -3753,11 +3736,13 @@ _avx_shortcut: ret .cfi_endproc .size sha1_block_data_order_avx,.-sha1_block_data_order_avx +.globl sha1_block_data_order_avx2 +.hidden sha1_block_data_order_avx2 .type sha1_block_data_order_avx2,@function .align 16 sha1_block_data_order_avx2: -_avx2_shortcut: .cfi_startproc +_CET_ENDBR movq %rsp,%r11 .cfi_def_cfa_register %r11 pushq %rbx @@ -5464,7 +5449,6 @@ K_XX_XX: .align 64 .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-586-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-586-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-586-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/sha256-586-apple.S index a53625c2c..dcc0aec25 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-586-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-586-apple.S @@ -1,18 +1,16 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. #include -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) .text -.globl sha256_block_data_order -.hidden sha256_block_data_order -.type sha256_block_data_order,@function -.align 16 -sha256_block_data_order: -.L_sha256_block_data_order_begin: +.globl _sha256_block_data_order_nohw +.private_extern _sha256_block_data_order_nohw +.align 4 +_sha256_block_data_order_nohw: +L_sha256_block_data_order_nohw_begin: pushl %ebp pushl %ebx pushl %esi @@ -21,10 +19,10 @@ sha256_block_data_order: movl 24(%esp),%edi movl 28(%esp),%eax movl %esp,%ebx - call .L000pic_point -.L000pic_point: + call L000pic_point +L000pic_point: popl %ebp - leal .L001K256-.L000pic_point(%ebp),%ebp + leal LK256-L000pic_point(%ebp),%ebp subl $16,%esp andl $-64,%esp shll $6,%eax 
@@ -33,29 +31,13 @@ sha256_block_data_order: movl %edi,4(%esp) movl %eax,8(%esp) movl %ebx,12(%esp) - leal OPENSSL_ia32cap_P-.L001K256(%ebp),%edx - movl (%edx),%ecx - movl 4(%edx),%ebx - testl $1048576,%ecx - jnz .L002loop - movl 8(%edx),%edx - testl $16777216,%ecx - jz .L003no_xmm - andl $1073741824,%ecx - andl $268435968,%ebx - orl %ebx,%ecx - andl $1342177280,%ecx - cmpl $1342177280,%ecx - je .L004AVX - testl $512,%ebx - jnz .L005SSSE3 -.L003no_xmm: +L001no_xmm: subl %edi,%eax cmpl $256,%eax - jae .L006unrolled - jmp .L002loop -.align 16 -.L002loop: + jae L002unrolled + jmp L003loop +.align 4,0x90 +L003loop: movl (%edi),%eax movl 4(%edi),%ebx movl 8(%edi),%ecx @@ -123,8 +105,8 @@ sha256_block_data_order: movl %ebx,24(%esp) movl %ecx,28(%esp) movl %edi,32(%esp) -.align 16 -.L00700_15: +.align 4,0x90 +L00400_15: movl %edx,%ecx movl 24(%esp),%esi rorl $14,%ecx @@ -162,11 +144,11 @@ sha256_block_data_order: addl $4,%ebp addl %ebx,%eax cmpl $3248222580,%esi - jne .L00700_15 + jne L00400_15 movl 156(%esp),%ecx - jmp .L00816_63 -.align 16 -.L00816_63: + jmp L00516_63 +.align 4,0x90 +L00516_63: movl %ecx,%ebx movl 104(%esp),%esi rorl $11,%ecx @@ -221,7 +203,7 @@ sha256_block_data_order: addl $4,%ebp addl %ebx,%eax cmpl $3329325298,%esi - jne .L00816_63 + jne L00516_63 movl 356(%esp),%esi movl 8(%esp),%ebx movl 16(%esp),%ecx 
@@ -248,15 +230,15 @@ sha256_block_data_order: leal 356(%esp),%esp subl $256,%ebp cmpl 8(%esp),%edi - jb .L002loop + jb L003loop movl 12(%esp),%esp popl %edi popl %esi popl %ebx popl %ebp ret -.align 64 -.L001K256: +.align 6,0x90 +LK256: .long 1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298 .long 66051,67438087,134810123,202182159 .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97 @@ -264,8 +246,8 @@ sha256_block_data_order: .byte 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 .byte 62,0 -.align 16 -.L006unrolled: +.align 4,0x90 +L002unrolled: leal -96(%esp),%esp movl (%esi),%eax movl 4(%esi),%ebp @@ -282,9 +264,9 @@ sha256_block_data_order: movl %ebx,20(%esp) movl %ecx,24(%esp) movl %esi,28(%esp) - jmp .L009grand_loop -.align 16 -.L009grand_loop: + jmp L006grand_loop +.align 4,0x90 +L006grand_loop: movl (%edi),%ebx movl 4(%edi),%ecx bswap %ebx 
@@ -3164,15 +3146,38 @@ sha256_block_data_order: movl %ebx,24(%esp) movl %ecx,28(%esp) cmpl 104(%esp),%edi - jb .L009grand_loop + jb L006grand_loop movl 108(%esp),%esp popl %edi popl %esi popl %ebx popl %ebp ret -.align 32 -.L005SSSE3: +.globl _sha256_block_data_order_ssse3 +.private_extern _sha256_block_data_order_ssse3 +.align 4 +_sha256_block_data_order_ssse3: +L_sha256_block_data_order_ssse3_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call L007pic_point +L007pic_point: + popl %ebp + leal LK256-L007pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $6,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) leal -96(%esp),%esp movl (%esi),%eax movl 4(%esi),%ebx @@ -3191,9 +3196,9 @@ sha256_block_data_order: movl %ecx,24(%esp) movl %esi,28(%esp) movdqa 256(%ebp),%xmm7 - jmp .L010grand_ssse3 -.align 16 -.L010grand_ssse3: + jmp L008grand_ssse3 +.align 4,0x90 +L008grand_ssse3: movdqu (%edi),%xmm0 movdqu 16(%edi),%xmm1 movdqu 32(%edi),%xmm2 @@ -3216,9 +3221,9 @@ sha256_block_data_order: paddd %xmm3,%xmm7 movdqa %xmm6,64(%esp) movdqa %xmm7,80(%esp) - jmp .L011ssse3_00_47 -.align 16 -.L011ssse3_00_47: + jmp L009ssse3_00_47 +.align 4,0x90 +L009ssse3_00_47: addl $64,%ebp movl %edx,%ecx movdqa %xmm1,%xmm4 @@ -3861,7 +3866,7 @@ sha256_block_data_order: addl %ecx,%eax movdqa %xmm6,80(%esp) cmpl $66051,64(%ebp) - jne .L011ssse3_00_47 + jne L009ssse3_00_47 movl %edx,%ecx rorl $14,%edx movl 20(%esp),%esi 
@@ -4375,15 +4380,38 @@ sha256_block_data_order: movdqa 64(%ebp),%xmm7 subl $192,%ebp cmpl 104(%esp),%edi - jb .L010grand_ssse3 + jb L008grand_ssse3 movl 108(%esp),%esp popl %edi popl %esi popl %ebx popl %ebp ret -.align 32 -.L004AVX: +.globl _sha256_block_data_order_avx +.private_extern _sha256_block_data_order_avx +.align 4 +_sha256_block_data_order_avx: +L_sha256_block_data_order_avx_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call L010pic_point +L010pic_point: + popl %ebp + leal LK256-L010pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $6,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) leal -96(%esp),%esp vzeroall movl (%esi),%eax @@ -4403,9 +4431,9 @@ sha256_block_data_order: movl %ecx,24(%esp) movl %esi,28(%esp) vmovdqa 256(%ebp),%xmm7 - jmp .L012grand_avx -.align 32 -.L012grand_avx: + jmp L011grand_avx +.align 5,0x90 +L011grand_avx: vmovdqu (%edi),%xmm0 vmovdqu 16(%edi),%xmm1 vmovdqu 32(%edi),%xmm2 @@ -4424,9 +4452,9 @@ sha256_block_data_order: vmovdqa %xmm5,48(%esp) vmovdqa %xmm6,64(%esp) vmovdqa %xmm7,80(%esp) - jmp .L013avx_00_47 -.align 16 -.L013avx_00_47: + jmp L012avx_00_47 +.align 4,0x90 +L012avx_00_47: addl $64,%ebp vpalignr $4,%xmm0,%xmm1,%xmm4 movl %edx,%ecx @@ -5041,7 +5069,7 @@ sha256_block_data_order: addl %ecx,%eax vmovdqa %xmm6,80(%esp) cmpl $66051,64(%ebp) - jne .L013avx_00_47 + jne L012avx_00_47 movl %edx,%ecx shrdl $14,%edx,%edx movl 20(%esp),%esi @@ -5555,7 +5583,7 @@ sha256_block_data_order: vmovdqa 64(%ebp),%xmm7 subl $192,%ebp cmpl 104(%esp),%edi - jb .L012grand_avx + jb L011grand_avx movl 108(%esp),%esp vzeroall popl %edi 
@@ -5563,9 +5591,7 @@ sha256_block_data_order: popl %ebx popl %ebp ret -.size sha256_block_data_order,.-.L_sha256_block_data_order_begin -#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/sha256-586-linux.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-586-linux.S new file mode 100644 index 000000000..401a7e145 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-586-linux.S 
@@ -0,0 +1,5604 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) +.text +.globl sha256_block_data_order_nohw +.hidden sha256_block_data_order_nohw +.type sha256_block_data_order_nohw,@function +.align 16 +sha256_block_data_order_nohw: +.L_sha256_block_data_order_nohw_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call .L000pic_point +.L000pic_point: + popl %ebp + leal .LK256-.L000pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $6,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) +.L001no_xmm: + subl %edi,%eax + cmpl $256,%eax + jae .L002unrolled + jmp .L003loop +.align 16 +.L003loop: + movl (%edi),%eax + movl 4(%edi),%ebx + movl 8(%edi),%ecx + bswap %eax + movl 12(%edi),%edx + bswap %ebx + pushl %eax + bswap %ecx + pushl %ebx + bswap %edx + pushl %ecx + pushl %edx + movl 16(%edi),%eax + movl 20(%edi),%ebx + movl 24(%edi),%ecx + bswap %eax + movl 28(%edi),%edx + bswap %ebx + pushl %eax + bswap %ecx + pushl %ebx + bswap %edx + pushl %ecx + pushl %edx + movl 32(%edi),%eax + movl 36(%edi),%ebx + movl 40(%edi),%ecx + bswap %eax + movl 44(%edi),%edx + bswap %ebx + pushl %eax + bswap %ecx + pushl %ebx + bswap %edx + pushl %ecx + pushl %edx + movl 48(%edi),%eax + movl 52(%edi),%ebx + movl 56(%edi),%ecx + bswap %eax + movl 60(%edi),%edx + bswap %ebx + pushl %eax + bswap %ecx + pushl %ebx + bswap %edx + pushl %ecx + pushl %edx + addl $64,%edi + leal -36(%esp),%esp + movl %edi,104(%esp) + movl (%esi),%eax + movl 4(%esi),%ebx + movl 8(%esi),%ecx + movl 12(%esi),%edi + movl %ebx,8(%esp) + xorl %ecx,%ebx + movl %ecx,12(%esp) + movl %edi,16(%esp) + movl %ebx,(%esp) + movl 16(%esi),%edx + movl 20(%esi),%ebx + movl 24(%esi),%ecx + 
movl 28(%esi),%edi + movl %ebx,24(%esp) + movl %ecx,28(%esp) + movl %edi,32(%esp) +.align 16 +.L00400_15: + movl %edx,%ecx + movl 24(%esp),%esi + rorl $14,%ecx + movl 28(%esp),%edi + xorl %edx,%ecx + xorl %edi,%esi + movl 96(%esp),%ebx + rorl $5,%ecx + andl %edx,%esi + movl %edx,20(%esp) + xorl %ecx,%edx + addl 32(%esp),%ebx + xorl %edi,%esi + rorl $6,%edx + movl %eax,%ecx + addl %esi,%ebx + rorl $9,%ecx + addl %edx,%ebx + movl 8(%esp),%edi + xorl %eax,%ecx + movl %eax,4(%esp) + leal -4(%esp),%esp + rorl $11,%ecx + movl (%ebp),%esi + xorl %eax,%ecx + movl 20(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %esi,%ebx + movl %eax,(%esp) + addl %ebx,%edx + andl 4(%esp),%eax + addl %ecx,%ebx + xorl %edi,%eax + addl $4,%ebp + addl %ebx,%eax + cmpl $3248222580,%esi + jne .L00400_15 + movl 156(%esp),%ecx + jmp .L00516_63 +.align 16 +.L00516_63: + movl %ecx,%ebx + movl 104(%esp),%esi + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 160(%esp),%ebx + shrl $10,%edi + addl 124(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 24(%esp),%esi + rorl $14,%ecx + addl %edi,%ebx + movl 28(%esp),%edi + xorl %edx,%ecx + xorl %edi,%esi + movl %ebx,96(%esp) + rorl $5,%ecx + andl %edx,%esi + movl %edx,20(%esp) + xorl %ecx,%edx + addl 32(%esp),%ebx + xorl %edi,%esi + rorl $6,%edx + movl %eax,%ecx + addl %esi,%ebx + rorl $9,%ecx + addl %edx,%ebx + movl 8(%esp),%edi + xorl %eax,%ecx + movl %eax,4(%esp) + leal -4(%esp),%esp + rorl $11,%ecx + movl (%ebp),%esi + xorl %eax,%ecx + movl 20(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %esi,%ebx + movl %eax,(%esp) + addl %ebx,%edx + andl 4(%esp),%eax + addl %ecx,%ebx + xorl %edi,%eax + movl 156(%esp),%ecx + addl $4,%ebp + addl %ebx,%eax + cmpl $3329325298,%esi + jne .L00516_63 + movl 356(%esp),%esi + movl 8(%esp),%ebx + movl 16(%esp),%ecx + addl (%esi),%eax + addl 4(%esi),%ebx + addl 8(%esi),%edi + addl 12(%esi),%ecx + movl %eax,(%esi) + 
movl %ebx,4(%esi) + movl %edi,8(%esi) + movl %ecx,12(%esi) + movl 24(%esp),%eax + movl 28(%esp),%ebx + movl 32(%esp),%ecx + movl 360(%esp),%edi + addl 16(%esi),%edx + addl 20(%esi),%eax + addl 24(%esi),%ebx + addl 28(%esi),%ecx + movl %edx,16(%esi) + movl %eax,20(%esi) + movl %ebx,24(%esi) + movl %ecx,28(%esi) + leal 356(%esp),%esp + subl $256,%ebp + cmpl 8(%esp),%edi + jb .L003loop + movl 12(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.align 64 +.LK256: +.long 1116352408,1899447441,3049323471,3921009573,961987163,1508970993,2453635748,2870763221,3624381080,310598401,607225278,1426881987,1925078388,2162078206,2614888103,3248222580,3835390401,4022224774,264347078,604807628,770255983,1249150122,1555081692,1996064986,2554220882,2821834349,2952996808,3210313671,3336571891,3584528711,113926993,338241895,666307205,773529912,1294757372,1396182291,1695183700,1986661051,2177026350,2456956037,2730485921,2820302411,3259730800,3345764771,3516065817,3600352804,4094571909,275423344,430227734,506948616,659060556,883997877,958139571,1322822218,1537002063,1747873779,1955562222,2024104815,2227730452,2361852424,2428436474,2756734187,3204031479,3329325298 +.long 66051,67438087,134810123,202182159 +.byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97 +.byte 110,115,102,111,114,109,32,102,111,114,32,120,56,54,44,32 +.byte 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 +.byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 +.byte 62,0 +.align 16 +.L002unrolled: + leal -96(%esp),%esp + movl (%esi),%eax + movl 4(%esi),%ebp + movl 8(%esi),%ecx + movl 12(%esi),%ebx + movl %ebp,4(%esp) + xorl %ecx,%ebp + movl %ecx,8(%esp) + movl %ebx,12(%esp) + movl 16(%esi),%edx + movl 20(%esi),%ebx + movl 24(%esi),%ecx + movl 28(%esi),%esi + movl %ebx,20(%esp) + movl %ecx,24(%esp) + movl %esi,28(%esp) + jmp .L006grand_loop +.align 16 +.L006grand_loop: + movl (%edi),%ebx + movl 4(%edi),%ecx + bswap %ebx + movl 8(%edi),%esi + bswap %ecx + movl %ebx,32(%esp) + bswap 
%esi + movl %ecx,36(%esp) + movl %esi,40(%esp) + movl 12(%edi),%ebx + movl 16(%edi),%ecx + bswap %ebx + movl 20(%edi),%esi + bswap %ecx + movl %ebx,44(%esp) + bswap %esi + movl %ecx,48(%esp) + movl %esi,52(%esp) + movl 24(%edi),%ebx + movl 28(%edi),%ecx + bswap %ebx + movl 32(%edi),%esi + bswap %ecx + movl %ebx,56(%esp) + bswap %esi + movl %ecx,60(%esp) + movl %esi,64(%esp) + movl 36(%edi),%ebx + movl 40(%edi),%ecx + bswap %ebx + movl 44(%edi),%esi + bswap %ecx + movl %ebx,68(%esp) + bswap %esi + movl %ecx,72(%esp) + movl %esi,76(%esp) + movl 48(%edi),%ebx + movl 52(%edi),%ecx + bswap %ebx + movl 56(%edi),%esi + bswap %ecx + movl %ebx,80(%esp) + bswap %esi + movl %ecx,84(%esp) + movl %esi,88(%esp) + movl 60(%edi),%ebx + addl $64,%edi + bswap %ebx + movl %edi,100(%esp) + movl %ebx,92(%esp) + movl %edx,%ecx + movl 20(%esp),%esi + rorl $14,%edx + movl 24(%esp),%edi + xorl %ecx,%edx + movl 32(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 1116352408(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl 16(%esp),%ecx + rorl $14,%edx + movl 20(%esp),%edi + xorl %esi,%edx + movl 36(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1899447441(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl %edx,%ecx + movl 12(%esp),%esi + rorl $14,%edx + movl 
16(%esp),%edi + xorl %ecx,%edx + movl 40(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 3049323471(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 4(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl 8(%esp),%ecx + rorl $14,%edx + movl 12(%esp),%edi + xorl %esi,%edx + movl 44(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl %ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 3921009573(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl %esi,%eax + movl %edx,%ecx + movl 4(%esp),%esi + rorl $14,%edx + movl 8(%esp),%edi + xorl %ecx,%edx + movl 48(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 961987163(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl (%esp),%ecx + rorl $14,%edx + movl 4(%esp),%edi + xorl %esi,%edx + movl 52(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl 
%ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1508970993(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl %edx,%ecx + movl 28(%esp),%esi + rorl $14,%edx + movl (%esp),%edi + xorl %ecx,%edx + movl 56(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2453635748(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl 24(%esp),%ecx + rorl $14,%edx + movl 28(%esp),%edi + xorl %esi,%edx + movl 60(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2870763221(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl %edx,%ecx + movl 20(%esp),%esi + rorl $14,%edx + movl 24(%esp),%edi + xorl %ecx,%edx + movl 64(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 3624381080(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl 16(%esp),%ecx + rorl $14,%edx + movl 20(%esp),%edi + xorl %esi,%edx + movl 
68(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 310598401(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl %edx,%ecx + movl 12(%esp),%esi + rorl $14,%edx + movl 16(%esp),%edi + xorl %ecx,%edx + movl 72(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 607225278(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 4(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl 8(%esp),%ecx + rorl $14,%edx + movl 12(%esp),%edi + xorl %esi,%edx + movl 76(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl %ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1426881987(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl %esi,%eax + movl %edx,%ecx + movl 4(%esp),%esi + rorl $14,%edx + movl 8(%esp),%edi + xorl %ecx,%edx + movl 80(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl 
$11,%ecx + andl %eax,%ebp + leal 1925078388(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl (%esp),%ecx + rorl $14,%edx + movl 4(%esp),%edi + xorl %esi,%edx + movl 84(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl %ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2162078206(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl %edx,%ecx + movl 28(%esp),%esi + rorl $14,%edx + movl (%esp),%edi + xorl %ecx,%edx + movl 88(%esp),%ebx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2614888103(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl %edx,%esi + movl 24(%esp),%ecx + rorl $14,%edx + movl 28(%esp),%edi + xorl %esi,%edx + movl 92(%esp),%ebx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 3248222580(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 36(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl 88(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + 
rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 32(%esp),%ebx + shrl $10,%edi + addl 68(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 20(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 24(%esp),%edi + xorl %ecx,%edx + movl %ebx,32(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 3835390401(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 40(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl 92(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 36(%esp),%ebx + shrl $10,%edi + addl 72(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 16(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 20(%esp),%edi + xorl %esi,%edx + movl %ebx,36(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 4022224774(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 44(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl 32(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 40(%esp),%ebx + shrl $10,%edi + addl 76(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 12(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 16(%esp),%edi + xorl %ecx,%edx + movl %ebx,40(%esp) + xorl 
%edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 264347078(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 48(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 4(%esp),%edx + addl %ecx,%ebp + movl 36(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 44(%esp),%ebx + shrl $10,%edi + addl 80(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 8(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 12(%esp),%edi + xorl %esi,%edx + movl %ebx,44(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl %ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 604807628(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 52(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl %esi,%eax + movl 40(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 48(%esp),%ebx + shrl $10,%edi + addl 84(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 4(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 8(%esp),%edi + xorl %ecx,%edx + movl %ebx,48(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl 
$11,%ecx + andl %eax,%ebp + leal 770255983(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 56(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl 44(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 52(%esp),%ebx + shrl $10,%edi + addl 88(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl (%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 4(%esp),%edi + xorl %esi,%edx + movl %ebx,52(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl %ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1249150122(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 60(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl 48(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 56(%esp),%ebx + shrl $10,%edi + addl 92(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 28(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl (%esp),%edi + xorl %ecx,%edx + movl %ebx,56(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 1555081692(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 64(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl 52(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl 
%ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 60(%esp),%ebx + shrl $10,%edi + addl 32(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 24(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 28(%esp),%edi + xorl %esi,%edx + movl %ebx,60(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1996064986(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 68(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl 56(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 64(%esp),%ebx + shrl $10,%edi + addl 36(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 20(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 24(%esp),%edi + xorl %ecx,%edx + movl %ebx,64(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2554220882(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 72(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl 60(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 68(%esp),%ebx + shrl $10,%edi + addl 40(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 16(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 20(%esp),%edi + xorl %esi,%edx + 
movl %ebx,68(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2821834349(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 76(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl 64(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 72(%esp),%ebx + shrl $10,%edi + addl 44(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 12(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 16(%esp),%edi + xorl %ecx,%edx + movl %ebx,72(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2952996808(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 80(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 4(%esp),%edx + addl %ecx,%ebp + movl 68(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 76(%esp),%ebx + shrl $10,%edi + addl 48(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 8(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 12(%esp),%edi + xorl %esi,%edx + movl %ebx,76(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl 
%ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 3210313671(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 84(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl %esi,%eax + movl 72(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 80(%esp),%ebx + shrl $10,%edi + addl 52(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 4(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 8(%esp),%edi + xorl %ecx,%edx + movl %ebx,80(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 3336571891(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 88(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl 76(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 84(%esp),%ebx + shrl $10,%edi + addl 56(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl (%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 4(%esp),%edi + xorl %esi,%edx + movl %ebx,84(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl %ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 3584528711(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 92(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl 80(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + 
movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 88(%esp),%ebx + shrl $10,%edi + addl 60(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 28(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl (%esp),%edi + xorl %ecx,%edx + movl %ebx,88(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 113926993(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 32(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl 84(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 92(%esp),%ebx + shrl $10,%edi + addl 64(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 24(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 28(%esp),%edi + xorl %esi,%edx + movl %ebx,92(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 338241895(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 36(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl 88(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 32(%esp),%ebx + shrl $10,%edi + addl 68(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 20(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 
24(%esp),%edi + xorl %ecx,%edx + movl %ebx,32(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 666307205(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 40(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl 92(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 36(%esp),%ebx + shrl $10,%edi + addl 72(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 16(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 20(%esp),%edi + xorl %esi,%edx + movl %ebx,36(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 773529912(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 44(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl 32(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 40(%esp),%ebx + shrl $10,%edi + addl 76(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 12(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 16(%esp),%edi + xorl %ecx,%edx + movl %ebx,40(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + 
xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 1294757372(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 48(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 4(%esp),%edx + addl %ecx,%ebp + movl 36(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 44(%esp),%ebx + shrl $10,%edi + addl 80(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 8(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 12(%esp),%edi + xorl %esi,%edx + movl %ebx,44(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl %ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1396182291(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 52(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl %esi,%eax + movl 40(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 48(%esp),%ebx + shrl $10,%edi + addl 84(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 4(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 8(%esp),%edi + xorl %ecx,%edx + movl %ebx,48(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 1695183700(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 56(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl 44(%esp),%ecx + movl 
%esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 52(%esp),%ebx + shrl $10,%edi + addl 88(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl (%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 4(%esp),%edi + xorl %esi,%edx + movl %ebx,52(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl %ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1986661051(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 60(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl 48(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 56(%esp),%ebx + shrl $10,%edi + addl 92(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 28(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl (%esp),%edi + xorl %ecx,%edx + movl %ebx,56(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2177026350(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 64(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl 52(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 60(%esp),%ebx + shrl $10,%edi + addl 32(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 24(%esp),%ecx + rorl 
$14,%edx + addl %edi,%ebx + movl 28(%esp),%edi + xorl %esi,%edx + movl %ebx,60(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2456956037(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 68(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl 56(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 64(%esp),%ebx + shrl $10,%edi + addl 36(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 20(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 24(%esp),%edi + xorl %ecx,%edx + movl %ebx,64(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2730485921(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 72(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl 60(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 68(%esp),%ebx + shrl $10,%edi + addl 40(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 16(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 20(%esp),%edi + xorl %esi,%edx + movl %ebx,68(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + 
movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2820302411(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 76(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl 64(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 72(%esp),%ebx + shrl $10,%edi + addl 44(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 12(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 16(%esp),%edi + xorl %ecx,%edx + movl %ebx,72(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 3259730800(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 80(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 4(%esp),%edx + addl %ecx,%ebp + movl 68(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 76(%esp),%ebx + shrl $10,%edi + addl 48(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 8(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 12(%esp),%edi + xorl %esi,%edx + movl %ebx,76(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl %ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 3345764771(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 84(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl 
%esi,%eax + movl 72(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 80(%esp),%ebx + shrl $10,%edi + addl 52(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 4(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 8(%esp),%edi + xorl %ecx,%edx + movl %ebx,80(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 3516065817(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 88(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl 76(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 84(%esp),%ebx + shrl $10,%edi + addl 56(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl (%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 4(%esp),%edi + xorl %esi,%edx + movl %ebx,84(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl %ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 3600352804(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 92(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl 80(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 88(%esp),%ebx + shrl $10,%edi + addl 60(%esp),%ebx + movl %edx,%ecx + xorl 
%esi,%edi + movl 28(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl (%esp),%edi + xorl %ecx,%edx + movl %ebx,88(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 4094571909(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 32(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl 84(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 92(%esp),%ebx + shrl $10,%edi + addl 64(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 24(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 28(%esp),%edi + xorl %esi,%edx + movl %ebx,92(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 275423344(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 36(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl 88(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 32(%esp),%ebx + shrl $10,%edi + addl 68(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 20(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 24(%esp),%edi + xorl %ecx,%edx + movl %ebx,32(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx 
+ addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 430227734(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 40(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl 92(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 36(%esp),%ebx + shrl $10,%edi + addl 72(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 16(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 20(%esp),%edi + xorl %esi,%edx + movl %ebx,36(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 506948616(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 44(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl 32(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 40(%esp),%ebx + shrl $10,%edi + addl 76(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 12(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 16(%esp),%edi + xorl %ecx,%edx + movl %ebx,40(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 659060556(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 48(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp 
+ addl 4(%esp),%edx + addl %ecx,%ebp + movl 36(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 44(%esp),%ebx + shrl $10,%edi + addl 80(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 8(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 12(%esp),%edi + xorl %esi,%edx + movl %ebx,44(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl %ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 883997877(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 52(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl %esi,%eax + movl 40(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 48(%esp),%ebx + shrl $10,%edi + addl 84(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 4(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 8(%esp),%edi + xorl %ecx,%edx + movl %ebx,48(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 958139571(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 56(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl 44(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 52(%esp),%ebx + shrl $10,%edi + addl 88(%esp),%ebx + 
movl %edx,%esi + xorl %ecx,%edi + movl (%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 4(%esp),%edi + xorl %esi,%edx + movl %ebx,52(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl %ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1322822218(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 60(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl 48(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 56(%esp),%ebx + shrl $10,%edi + addl 92(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 28(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl (%esp),%edi + xorl %ecx,%edx + movl %ebx,56(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 1537002063(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 64(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl 52(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 60(%esp),%ebx + shrl $10,%edi + addl 32(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 24(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 28(%esp),%edi + xorl %esi,%edx + movl %ebx,60(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl 
$6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 1747873779(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 68(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl 56(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 64(%esp),%ebx + shrl $10,%edi + addl 36(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 20(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 24(%esp),%edi + xorl %ecx,%edx + movl %ebx,64(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + addl 28(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 4(%esp),%edi + xorl %eax,%ecx + movl %eax,(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 1955562222(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 72(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 12(%esp),%edx + addl %ecx,%ebp + movl 60(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 68(%esp),%ebx + shrl $10,%edi + addl 40(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 16(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 20(%esp),%edi + xorl %esi,%edx + movl %ebx,68(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,12(%esp) + xorl %esi,%edx + addl 24(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl (%esp),%edi + xorl %ebp,%esi + movl %ebp,28(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2024104815(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 76(%esp),%ecx + 
rorl $2,%esi + addl %edx,%eax + addl 8(%esp),%edx + addl %esi,%eax + movl 64(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 72(%esp),%ebx + shrl $10,%edi + addl 44(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 12(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 16(%esp),%edi + xorl %ecx,%edx + movl %ebx,72(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + addl 20(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 28(%esp),%edi + xorl %eax,%ecx + movl %eax,24(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2227730452(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 80(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 4(%esp),%edx + addl %ecx,%ebp + movl 68(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 76(%esp),%ebx + shrl $10,%edi + addl 48(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 8(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 12(%esp),%edi + xorl %esi,%edx + movl %ebx,76(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,4(%esp) + xorl %esi,%edx + addl 16(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 24(%esp),%edi + xorl %ebp,%esi + movl %ebp,20(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2361852424(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 84(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl (%esp),%edx + addl %esi,%eax + movl 72(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 80(%esp),%ebx + shrl 
$10,%edi + addl 52(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 4(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl 8(%esp),%edi + xorl %ecx,%edx + movl %ebx,80(%esp) + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + addl 12(%esp),%ebx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 20(%esp),%edi + xorl %eax,%ecx + movl %eax,16(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 2428436474(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 88(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 28(%esp),%edx + addl %ecx,%ebp + movl 76(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 84(%esp),%ebx + shrl $10,%edi + addl 56(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl (%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 4(%esp),%edi + xorl %esi,%edx + movl %ebx,84(%esp) + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,28(%esp) + xorl %esi,%edx + addl 8(%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 16(%esp),%edi + xorl %ebp,%esi + movl %ebp,12(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 2756734187(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + movl 92(%esp),%ecx + rorl $2,%esi + addl %edx,%eax + addl 24(%esp),%edx + addl %esi,%eax + movl 80(%esp),%esi + movl %ecx,%ebx + rorl $11,%ecx + movl %esi,%edi + rorl $2,%esi + xorl %ebx,%ecx + shrl $3,%ebx + rorl $7,%ecx + xorl %edi,%esi + xorl %ecx,%ebx + rorl $17,%esi + addl 88(%esp),%ebx + shrl $10,%edi + addl 60(%esp),%ebx + movl %edx,%ecx + xorl %esi,%edi + movl 28(%esp),%esi + rorl $14,%edx + addl %edi,%ebx + movl (%esp),%edi + xorl %ecx,%edx + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + addl 4(%esp),%ebx + xorl %esi,%edi + 
rorl $6,%edx + movl %eax,%ecx + addl %edi,%ebx + rorl $9,%ecx + movl %eax,%esi + movl 12(%esp),%edi + xorl %eax,%ecx + movl %eax,8(%esp) + xorl %edi,%eax + rorl $11,%ecx + andl %eax,%ebp + leal 3204031479(%ebx,%edx,1),%edx + xorl %esi,%ecx + xorl %edi,%ebp + movl 32(%esp),%esi + rorl $2,%ecx + addl %edx,%ebp + addl 20(%esp),%edx + addl %ecx,%ebp + movl 84(%esp),%ecx + movl %esi,%ebx + rorl $11,%esi + movl %ecx,%edi + rorl $2,%ecx + xorl %ebx,%esi + shrl $3,%ebx + rorl $7,%esi + xorl %edi,%ecx + xorl %esi,%ebx + rorl $17,%ecx + addl 92(%esp),%ebx + shrl $10,%edi + addl 64(%esp),%ebx + movl %edx,%esi + xorl %ecx,%edi + movl 24(%esp),%ecx + rorl $14,%edx + addl %edi,%ebx + movl 28(%esp),%edi + xorl %esi,%edx + xorl %edi,%ecx + rorl $5,%edx + andl %esi,%ecx + movl %esi,20(%esp) + xorl %esi,%edx + addl (%esp),%ebx + xorl %ecx,%edi + rorl $6,%edx + movl %ebp,%esi + addl %edi,%ebx + rorl $9,%esi + movl %ebp,%ecx + movl 8(%esp),%edi + xorl %ebp,%esi + movl %ebp,4(%esp) + xorl %edi,%ebp + rorl $11,%esi + andl %ebp,%eax + leal 3329325298(%ebx,%edx,1),%edx + xorl %ecx,%esi + xorl %edi,%eax + rorl $2,%esi + addl %edx,%eax + addl 16(%esp),%edx + addl %esi,%eax + movl 96(%esp),%esi + xorl %edi,%ebp + movl 12(%esp),%ecx + addl (%esi),%eax + addl 4(%esi),%ebp + addl 8(%esi),%edi + addl 12(%esi),%ecx + movl %eax,(%esi) + movl %ebp,4(%esi) + movl %edi,8(%esi) + movl %ecx,12(%esi) + movl %ebp,4(%esp) + xorl %edi,%ebp + movl %edi,8(%esp) + movl %ecx,12(%esp) + movl 20(%esp),%edi + movl 24(%esp),%ebx + movl 28(%esp),%ecx + addl 16(%esi),%edx + addl 20(%esi),%edi + addl 24(%esi),%ebx + addl 28(%esi),%ecx + movl %edx,16(%esi) + movl %edi,20(%esi) + movl %ebx,24(%esi) + movl %ecx,28(%esi) + movl %edi,20(%esp) + movl 100(%esp),%edi + movl %ebx,24(%esp) + movl %ecx,28(%esp) + cmpl 104(%esp),%edi + jb .L006grand_loop + movl 108(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.size sha256_block_data_order_nohw,.-.L_sha256_block_data_order_nohw_begin +.globl 
sha256_block_data_order_ssse3 +.hidden sha256_block_data_order_ssse3 +.type sha256_block_data_order_ssse3,@function +.align 16 +sha256_block_data_order_ssse3: +.L_sha256_block_data_order_ssse3_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call .L007pic_point +.L007pic_point: + popl %ebp + leal .LK256-.L007pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $6,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) + leal -96(%esp),%esp + movl (%esi),%eax + movl 4(%esi),%ebx + movl 8(%esi),%ecx + movl 12(%esi),%edi + movl %ebx,4(%esp) + xorl %ecx,%ebx + movl %ecx,8(%esp) + movl %edi,12(%esp) + movl 16(%esi),%edx + movl 20(%esi),%edi + movl 24(%esi),%ecx + movl 28(%esi),%esi + movl %edi,20(%esp) + movl 100(%esp),%edi + movl %ecx,24(%esp) + movl %esi,28(%esp) + movdqa 256(%ebp),%xmm7 + jmp .L008grand_ssse3 +.align 16 +.L008grand_ssse3: + movdqu (%edi),%xmm0 + movdqu 16(%edi),%xmm1 + movdqu 32(%edi),%xmm2 + movdqu 48(%edi),%xmm3 + addl $64,%edi +.byte 102,15,56,0,199 + movl %edi,100(%esp) +.byte 102,15,56,0,207 + movdqa (%ebp),%xmm4 +.byte 102,15,56,0,215 + movdqa 16(%ebp),%xmm5 + paddd %xmm0,%xmm4 +.byte 102,15,56,0,223 + movdqa 32(%ebp),%xmm6 + paddd %xmm1,%xmm5 + movdqa 48(%ebp),%xmm7 + movdqa %xmm4,32(%esp) + paddd %xmm2,%xmm6 + movdqa %xmm5,48(%esp) + paddd %xmm3,%xmm7 + movdqa %xmm6,64(%esp) + movdqa %xmm7,80(%esp) + jmp .L009ssse3_00_47 +.align 16 +.L009ssse3_00_47: + addl $64,%ebp + movl %edx,%ecx + movdqa %xmm1,%xmm4 + rorl $14,%edx + movl 20(%esp),%esi + movdqa %xmm3,%xmm7 + xorl %ecx,%edx + movl 24(%esp),%edi +.byte 102,15,58,15,224,4 + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi +.byte 102,15,58,15,250,4 + movl %ecx,16(%esp) + xorl %ecx,%edx + xorl %esi,%edi + movdqa %xmm4,%xmm5 + rorl $6,%edx + movl %eax,%ecx + movdqa %xmm4,%xmm6 + addl %edi,%edx + movl 4(%esp),%edi + psrld $3,%xmm4 + movl %eax,%esi + rorl 
$9,%ecx + paddd %xmm7,%xmm0 + movl %eax,(%esp) + xorl %eax,%ecx + psrld $7,%xmm6 + xorl %edi,%eax + addl 28(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + pshufd $250,%xmm3,%xmm7 + xorl %esi,%ecx + addl 32(%esp),%edx + pslld $14,%xmm5 + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm4 + addl %edx,%ebx + addl 12(%esp),%edx + psrld $11,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm5,%xmm4 + movl 16(%esp),%esi + xorl %ecx,%edx + pslld $11,%xmm5 + movl 20(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + pxor %xmm6,%xmm4 + andl %ecx,%esi + movl %ecx,12(%esp) + movdqa %xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + pxor %xmm5,%xmm4 + movl %ebx,%ecx + addl %edi,%edx + psrld $10,%xmm7 + movl (%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm4,%xmm0 + movl %ebx,28(%esp) + xorl %ebx,%ecx + psrlq $17,%xmm6 + xorl %edi,%ebx + addl 24(%esp),%edx + rorl $11,%ecx + pxor %xmm6,%xmm7 + andl %ebx,%eax + xorl %esi,%ecx + psrlq $2,%xmm6 + addl 36(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%eax + addl 8(%esp),%edx + pshufd $128,%xmm7,%xmm7 + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 12(%esp),%esi + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + psrldq $8,%xmm7 + movl %ecx,8(%esp) + xorl %ecx,%edx + xorl %esi,%edi + paddd %xmm7,%xmm0 + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,24(%esp) + pshufd $80,%xmm0,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + movdqa %xmm7,%xmm6 + rorl $11,%ecx + psrld $10,%xmm7 + andl %eax,%ebx + psrlq $17,%xmm6 + xorl %esi,%ecx + addl 40(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%ebx + addl 4(%esp),%edx + psrlq $2,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm6,%xmm7 + movl 8(%esp),%esi + xorl %ecx,%edx + movl 12(%esp),%edi + pshufd $8,%xmm7,%xmm7 + xorl %edi,%esi + rorl $5,%edx + movdqa (%ebp),%xmm6 + 
andl %ecx,%esi + movl %ecx,4(%esp) + pslldq $8,%xmm7 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 24(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm7,%xmm0 + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + paddd %xmm0,%xmm6 + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 44(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + movdqa %xmm6,32(%esp) + movl %edx,%ecx + movdqa %xmm2,%xmm4 + rorl $14,%edx + movl 4(%esp),%esi + movdqa %xmm0,%xmm7 + xorl %ecx,%edx + movl 8(%esp),%edi +.byte 102,15,58,15,225,4 + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi +.byte 102,15,58,15,251,4 + movl %ecx,(%esp) + xorl %ecx,%edx + xorl %esi,%edi + movdqa %xmm4,%xmm5 + rorl $6,%edx + movl %eax,%ecx + movdqa %xmm4,%xmm6 + addl %edi,%edx + movl 20(%esp),%edi + psrld $3,%xmm4 + movl %eax,%esi + rorl $9,%ecx + paddd %xmm7,%xmm1 + movl %eax,16(%esp) + xorl %eax,%ecx + psrld $7,%xmm6 + xorl %edi,%eax + addl 12(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + pshufd $250,%xmm0,%xmm7 + xorl %esi,%ecx + addl 48(%esp),%edx + pslld $14,%xmm5 + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm4 + addl %edx,%ebx + addl 28(%esp),%edx + psrld $11,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm5,%xmm4 + movl (%esp),%esi + xorl %ecx,%edx + pslld $11,%xmm5 + movl 4(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + pxor %xmm6,%xmm4 + andl %ecx,%esi + movl %ecx,28(%esp) + movdqa %xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + pxor %xmm5,%xmm4 + movl %ebx,%ecx + addl %edi,%edx + psrld $10,%xmm7 + movl 16(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm4,%xmm1 + movl %ebx,12(%esp) + xorl %ebx,%ecx + psrlq $17,%xmm6 + xorl %edi,%ebx + addl 8(%esp),%edx + rorl $11,%ecx + pxor %xmm6,%xmm7 + andl %ebx,%eax + xorl %esi,%ecx + psrlq $2,%xmm6 + addl 52(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%eax + addl 
24(%esp),%edx + pshufd $128,%xmm7,%xmm7 + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 28(%esp),%esi + xorl %ecx,%edx + movl (%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + psrldq $8,%xmm7 + movl %ecx,24(%esp) + xorl %ecx,%edx + xorl %esi,%edi + paddd %xmm7,%xmm1 + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,8(%esp) + pshufd $80,%xmm1,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + movdqa %xmm7,%xmm6 + rorl $11,%ecx + psrld $10,%xmm7 + andl %eax,%ebx + psrlq $17,%xmm6 + xorl %esi,%ecx + addl 56(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%ebx + addl 20(%esp),%edx + psrlq $2,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm6,%xmm7 + movl 24(%esp),%esi + xorl %ecx,%edx + movl 28(%esp),%edi + pshufd $8,%xmm7,%xmm7 + xorl %edi,%esi + rorl $5,%edx + movdqa 16(%ebp),%xmm6 + andl %ecx,%esi + movl %ecx,20(%esp) + pslldq $8,%xmm7 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm7,%xmm1 + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + paddd %xmm1,%xmm6 + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 60(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + movdqa %xmm6,48(%esp) + movl %edx,%ecx + movdqa %xmm3,%xmm4 + rorl $14,%edx + movl 20(%esp),%esi + movdqa %xmm1,%xmm7 + xorl %ecx,%edx + movl 24(%esp),%edi +.byte 102,15,58,15,226,4 + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi +.byte 102,15,58,15,248,4 + movl %ecx,16(%esp) + xorl %ecx,%edx + xorl %esi,%edi + movdqa %xmm4,%xmm5 + rorl $6,%edx + movl %eax,%ecx + movdqa %xmm4,%xmm6 + addl %edi,%edx + movl 4(%esp),%edi + psrld $3,%xmm4 + movl %eax,%esi + rorl $9,%ecx + paddd %xmm7,%xmm2 + movl %eax,(%esp) + xorl %eax,%ecx + psrld $7,%xmm6 + xorl %edi,%eax + addl 28(%esp),%edx + rorl $11,%ecx + 
andl %eax,%ebx + pshufd $250,%xmm1,%xmm7 + xorl %esi,%ecx + addl 64(%esp),%edx + pslld $14,%xmm5 + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm4 + addl %edx,%ebx + addl 12(%esp),%edx + psrld $11,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm5,%xmm4 + movl 16(%esp),%esi + xorl %ecx,%edx + pslld $11,%xmm5 + movl 20(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + pxor %xmm6,%xmm4 + andl %ecx,%esi + movl %ecx,12(%esp) + movdqa %xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + pxor %xmm5,%xmm4 + movl %ebx,%ecx + addl %edi,%edx + psrld $10,%xmm7 + movl (%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm4,%xmm2 + movl %ebx,28(%esp) + xorl %ebx,%ecx + psrlq $17,%xmm6 + xorl %edi,%ebx + addl 24(%esp),%edx + rorl $11,%ecx + pxor %xmm6,%xmm7 + andl %ebx,%eax + xorl %esi,%ecx + psrlq $2,%xmm6 + addl 68(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%eax + addl 8(%esp),%edx + pshufd $128,%xmm7,%xmm7 + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 12(%esp),%esi + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + psrldq $8,%xmm7 + movl %ecx,8(%esp) + xorl %ecx,%edx + xorl %esi,%edi + paddd %xmm7,%xmm2 + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,24(%esp) + pshufd $80,%xmm2,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + movdqa %xmm7,%xmm6 + rorl $11,%ecx + psrld $10,%xmm7 + andl %eax,%ebx + psrlq $17,%xmm6 + xorl %esi,%ecx + addl 72(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%ebx + addl 4(%esp),%edx + psrlq $2,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm6,%xmm7 + movl 8(%esp),%esi + xorl %ecx,%edx + movl 12(%esp),%edi + pshufd $8,%xmm7,%xmm7 + xorl %edi,%esi + rorl $5,%edx + movdqa 32(%ebp),%xmm6 + andl %ecx,%esi + movl %ecx,4(%esp) + pslldq $8,%xmm7 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + 
movl 24(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm7,%xmm2 + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + paddd %xmm2,%xmm6 + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 76(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + movdqa %xmm6,64(%esp) + movl %edx,%ecx + movdqa %xmm0,%xmm4 + rorl $14,%edx + movl 4(%esp),%esi + movdqa %xmm2,%xmm7 + xorl %ecx,%edx + movl 8(%esp),%edi +.byte 102,15,58,15,227,4 + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi +.byte 102,15,58,15,249,4 + movl %ecx,(%esp) + xorl %ecx,%edx + xorl %esi,%edi + movdqa %xmm4,%xmm5 + rorl $6,%edx + movl %eax,%ecx + movdqa %xmm4,%xmm6 + addl %edi,%edx + movl 20(%esp),%edi + psrld $3,%xmm4 + movl %eax,%esi + rorl $9,%ecx + paddd %xmm7,%xmm3 + movl %eax,16(%esp) + xorl %eax,%ecx + psrld $7,%xmm6 + xorl %edi,%eax + addl 12(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + pshufd $250,%xmm2,%xmm7 + xorl %esi,%ecx + addl 80(%esp),%edx + pslld $14,%xmm5 + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm4 + addl %edx,%ebx + addl 28(%esp),%edx + psrld $11,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm5,%xmm4 + movl (%esp),%esi + xorl %ecx,%edx + pslld $11,%xmm5 + movl 4(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + pxor %xmm6,%xmm4 + andl %ecx,%esi + movl %ecx,28(%esp) + movdqa %xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + pxor %xmm5,%xmm4 + movl %ebx,%ecx + addl %edi,%edx + psrld $10,%xmm7 + movl 16(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm4,%xmm3 + movl %ebx,12(%esp) + xorl %ebx,%ecx + psrlq $17,%xmm6 + xorl %edi,%ebx + addl 8(%esp),%edx + rorl $11,%ecx + pxor %xmm6,%xmm7 + andl %ebx,%eax + xorl %esi,%ecx + psrlq $2,%xmm6 + addl 84(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%eax + addl 24(%esp),%edx + pshufd $128,%xmm7,%xmm7 + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 28(%esp),%esi + xorl %ecx,%edx + movl (%esp),%edi + 
xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + psrldq $8,%xmm7 + movl %ecx,24(%esp) + xorl %ecx,%edx + xorl %esi,%edi + paddd %xmm7,%xmm3 + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,8(%esp) + pshufd $80,%xmm3,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + movdqa %xmm7,%xmm6 + rorl $11,%ecx + psrld $10,%xmm7 + andl %eax,%ebx + psrlq $17,%xmm6 + xorl %esi,%ecx + addl 88(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + pxor %xmm6,%xmm7 + addl %edx,%ebx + addl 20(%esp),%edx + psrlq $2,%xmm6 + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + pxor %xmm6,%xmm7 + movl 24(%esp),%esi + xorl %ecx,%edx + movl 28(%esp),%edi + pshufd $8,%xmm7,%xmm7 + xorl %edi,%esi + rorl $5,%edx + movdqa 48(%ebp),%xmm6 + andl %ecx,%esi + movl %ecx,20(%esp) + pslldq $8,%xmm7 + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + paddd %xmm7,%xmm3 + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + paddd %xmm3,%xmm6 + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 92(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + movdqa %xmm6,80(%esp) + cmpl $66051,64(%ebp) + jne .L009ssse3_00_47 + movl %edx,%ecx + rorl $14,%edx + movl 20(%esp),%esi + xorl %ecx,%edx + movl 24(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 4(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 28(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 32(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 12(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + movl 16(%esp),%esi + xorl %ecx,%edx + movl 20(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl 
%ecx,12(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl (%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,28(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 24(%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 36(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 8(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 12(%esp),%esi + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,24(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 40(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 4(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + movl 8(%esp),%esi + xorl %ecx,%edx + movl 12(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,4(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 24(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 44(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 4(%esp),%esi + xorl %ecx,%edx + movl 8(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 20(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,16(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 12(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 48(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 28(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx 
+ movl (%esp),%esi + xorl %ecx,%edx + movl 4(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,28(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 16(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,12(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 8(%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 52(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 24(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 28(%esp),%esi + xorl %ecx,%edx + movl (%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,8(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 56(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 20(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + movl 24(%esp),%esi + xorl %ecx,%edx + movl 28(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,20(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 60(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 20(%esp),%esi + xorl %ecx,%edx + movl 24(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 4(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 28(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 64(%esp),%edx + xorl 
%edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 12(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + movl 16(%esp),%esi + xorl %ecx,%edx + movl 20(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,12(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl (%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,28(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 24(%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 68(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 8(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 12(%esp),%esi + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,24(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 72(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 4(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + movl 8(%esp),%esi + xorl %ecx,%edx + movl 12(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,4(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 24(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 76(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 4(%esp),%esi + xorl %ecx,%edx + movl 8(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 20(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,16(%esp) + xorl %eax,%ecx 
+ xorl %edi,%eax + addl 12(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 80(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 28(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + movl (%esp),%esi + xorl %ecx,%edx + movl 4(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,28(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 16(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,12(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 8(%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 84(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 24(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + rorl $14,%edx + movl 28(%esp),%esi + xorl %ecx,%edx + movl (%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + movl %eax,%esi + rorl $9,%ecx + movl %eax,8(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + rorl $11,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 88(%esp),%edx + xorl %edi,%ebx + rorl $2,%ecx + addl %edx,%ebx + addl 20(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + rorl $14,%edx + movl 24(%esp),%esi + xorl %ecx,%edx + movl 28(%esp),%edi + xorl %edi,%esi + rorl $5,%edx + andl %ecx,%esi + movl %ecx,20(%esp) + xorl %ecx,%edx + xorl %esi,%edi + rorl $6,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + rorl $9,%ecx + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + rorl $11,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 92(%esp),%edx + xorl %edi,%eax + rorl $2,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + movl 96(%esp),%esi + xorl %edi,%ebx + movl 12(%esp),%ecx + addl (%esi),%eax + addl 4(%esi),%ebx + addl 8(%esi),%edi + addl 12(%esi),%ecx + movl %eax,(%esi) + movl %ebx,4(%esi) + movl %edi,8(%esi) + movl %ecx,12(%esi) 
+ movl %ebx,4(%esp) + xorl %edi,%ebx + movl %edi,8(%esp) + movl %ecx,12(%esp) + movl 20(%esp),%edi + movl 24(%esp),%ecx + addl 16(%esi),%edx + addl 20(%esi),%edi + addl 24(%esi),%ecx + movl %edx,16(%esi) + movl %edi,20(%esi) + movl %edi,20(%esp) + movl 28(%esp),%edi + movl %ecx,24(%esi) + addl 28(%esi),%edi + movl %ecx,24(%esp) + movl %edi,28(%esi) + movl %edi,28(%esp) + movl 100(%esp),%edi + movdqa 64(%ebp),%xmm7 + subl $192,%ebp + cmpl 104(%esp),%edi + jb .L008grand_ssse3 + movl 108(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.size sha256_block_data_order_ssse3,.-.L_sha256_block_data_order_ssse3_begin +.globl sha256_block_data_order_avx +.hidden sha256_block_data_order_avx +.type sha256_block_data_order_avx,@function +.align 16 +sha256_block_data_order_avx: +.L_sha256_block_data_order_avx_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call .L010pic_point +.L010pic_point: + popl %ebp + leal .LK256-.L010pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $6,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) + leal -96(%esp),%esp + vzeroall + movl (%esi),%eax + movl 4(%esi),%ebx + movl 8(%esi),%ecx + movl 12(%esi),%edi + movl %ebx,4(%esp) + xorl %ecx,%ebx + movl %ecx,8(%esp) + movl %edi,12(%esp) + movl 16(%esi),%edx + movl 20(%esi),%edi + movl 24(%esi),%ecx + movl 28(%esi),%esi + movl %edi,20(%esp) + movl 100(%esp),%edi + movl %ecx,24(%esp) + movl %esi,28(%esp) + vmovdqa 256(%ebp),%xmm7 + jmp .L011grand_avx +.align 32 +.L011grand_avx: + vmovdqu (%edi),%xmm0 + vmovdqu 16(%edi),%xmm1 + vmovdqu 32(%edi),%xmm2 + vmovdqu 48(%edi),%xmm3 + addl $64,%edi + vpshufb %xmm7,%xmm0,%xmm0 + movl %edi,100(%esp) + vpshufb %xmm7,%xmm1,%xmm1 + vpshufb %xmm7,%xmm2,%xmm2 + vpaddd (%ebp),%xmm0,%xmm4 + vpshufb %xmm7,%xmm3,%xmm3 + vpaddd 16(%ebp),%xmm1,%xmm5 + vpaddd 32(%ebp),%xmm2,%xmm6 + vpaddd 48(%ebp),%xmm3,%xmm7 
+ vmovdqa %xmm4,32(%esp) + vmovdqa %xmm5,48(%esp) + vmovdqa %xmm6,64(%esp) + vmovdqa %xmm7,80(%esp) + jmp .L012avx_00_47 +.align 16 +.L012avx_00_47: + addl $64,%ebp + vpalignr $4,%xmm0,%xmm1,%xmm4 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 20(%esp),%esi + vpalignr $4,%xmm2,%xmm3,%xmm7 + xorl %ecx,%edx + movl 24(%esp),%edi + xorl %edi,%esi + vpsrld $7,%xmm4,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + vpaddd %xmm7,%xmm0,%xmm0 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrld $3,%xmm4,%xmm7 + movl %eax,%ecx + addl %edi,%edx + movl 4(%esp),%edi + vpslld $14,%xmm4,%xmm5 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,(%esp) + vpxor %xmm6,%xmm7,%xmm4 + xorl %eax,%ecx + xorl %edi,%eax + addl 28(%esp),%edx + vpshufd $250,%xmm3,%xmm7 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpsrld $11,%xmm6,%xmm6 + addl 32(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpxor %xmm5,%xmm4,%xmm4 + addl %edx,%ebx + addl 12(%esp),%edx + addl %ecx,%ebx + vpslld $11,%xmm5,%xmm5 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 16(%esp),%esi + vpxor %xmm6,%xmm4,%xmm4 + xorl %ecx,%edx + movl 20(%esp),%edi + xorl %edi,%esi + vpsrld $10,%xmm7,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,12(%esp) + vpxor %xmm5,%xmm4,%xmm4 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %ebx,%ecx + addl %edi,%edx + movl (%esp),%edi + vpaddd %xmm4,%xmm0,%xmm0 + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,28(%esp) + vpxor %xmm5,%xmm6,%xmm6 + xorl %ebx,%ecx + xorl %edi,%ebx + addl 24(%esp),%edx + vpsrlq $19,%xmm7,%xmm7 + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + vpxor %xmm7,%xmm6,%xmm6 + addl 36(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + vpshufd $132,%xmm6,%xmm7 + addl %edx,%eax + addl 8(%esp),%edx + addl %ecx,%eax + vpsrldq $8,%xmm7,%xmm7 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 12(%esp),%esi + vpaddd %xmm7,%xmm0,%xmm0 + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + vpshufd 
$80,%xmm0,%xmm7 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + vpsrld $10,%xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + vpxor %xmm5,%xmm6,%xmm6 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,24(%esp) + vpsrlq $19,%xmm7,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + vpxor %xmm7,%xmm6,%xmm6 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpshufd $232,%xmm6,%xmm7 + addl 40(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpslldq $8,%xmm7,%xmm7 + addl %edx,%ebx + addl 4(%esp),%edx + addl %ecx,%ebx + vpaddd %xmm7,%xmm0,%xmm0 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 8(%esp),%esi + vpaddd (%ebp),%xmm0,%xmm6 + xorl %ecx,%edx + movl 12(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,4(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 24(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 44(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + vmovdqa %xmm6,32(%esp) + vpalignr $4,%xmm1,%xmm2,%xmm4 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 4(%esp),%esi + vpalignr $4,%xmm3,%xmm0,%xmm7 + xorl %ecx,%edx + movl 8(%esp),%edi + xorl %edi,%esi + vpsrld $7,%xmm4,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,(%esp) + vpaddd %xmm7,%xmm1,%xmm1 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrld $3,%xmm4,%xmm7 + movl %eax,%ecx + addl %edi,%edx + movl 20(%esp),%edi + vpslld $14,%xmm4,%xmm5 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,16(%esp) + vpxor %xmm6,%xmm7,%xmm4 + xorl %eax,%ecx + xorl %edi,%eax + addl 12(%esp),%edx + vpshufd $250,%xmm0,%xmm7 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpsrld $11,%xmm6,%xmm6 + addl 
48(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpxor %xmm5,%xmm4,%xmm4 + addl %edx,%ebx + addl 28(%esp),%edx + addl %ecx,%ebx + vpslld $11,%xmm5,%xmm5 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl (%esp),%esi + vpxor %xmm6,%xmm4,%xmm4 + xorl %ecx,%edx + movl 4(%esp),%edi + xorl %edi,%esi + vpsrld $10,%xmm7,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,28(%esp) + vpxor %xmm5,%xmm4,%xmm4 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %ebx,%ecx + addl %edi,%edx + movl 16(%esp),%edi + vpaddd %xmm4,%xmm1,%xmm1 + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,12(%esp) + vpxor %xmm5,%xmm6,%xmm6 + xorl %ebx,%ecx + xorl %edi,%ebx + addl 8(%esp),%edx + vpsrlq $19,%xmm7,%xmm7 + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + vpxor %xmm7,%xmm6,%xmm6 + addl 52(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + vpshufd $132,%xmm6,%xmm7 + addl %edx,%eax + addl 24(%esp),%edx + addl %ecx,%eax + vpsrldq $8,%xmm7,%xmm7 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 28(%esp),%esi + vpaddd %xmm7,%xmm1,%xmm1 + xorl %ecx,%edx + movl (%esp),%edi + xorl %edi,%esi + vpshufd $80,%xmm1,%xmm7 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + vpsrld $10,%xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + vpxor %xmm5,%xmm6,%xmm6 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,8(%esp) + vpsrlq $19,%xmm7,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + vpxor %xmm7,%xmm6,%xmm6 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpshufd $232,%xmm6,%xmm7 + addl 56(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpslldq $8,%xmm7,%xmm7 + addl %edx,%ebx + addl 20(%esp),%edx + addl %ecx,%ebx + vpaddd %xmm7,%xmm1,%xmm1 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 24(%esp),%esi + vpaddd 16(%ebp),%xmm1,%xmm6 + xorl %ecx,%edx + movl 28(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl 
%ecx,20(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 60(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + vmovdqa %xmm6,48(%esp) + vpalignr $4,%xmm2,%xmm3,%xmm4 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 20(%esp),%esi + vpalignr $4,%xmm0,%xmm1,%xmm7 + xorl %ecx,%edx + movl 24(%esp),%edi + xorl %edi,%esi + vpsrld $7,%xmm4,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + vpaddd %xmm7,%xmm2,%xmm2 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrld $3,%xmm4,%xmm7 + movl %eax,%ecx + addl %edi,%edx + movl 4(%esp),%edi + vpslld $14,%xmm4,%xmm5 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,(%esp) + vpxor %xmm6,%xmm7,%xmm4 + xorl %eax,%ecx + xorl %edi,%eax + addl 28(%esp),%edx + vpshufd $250,%xmm1,%xmm7 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpsrld $11,%xmm6,%xmm6 + addl 64(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpxor %xmm5,%xmm4,%xmm4 + addl %edx,%ebx + addl 12(%esp),%edx + addl %ecx,%ebx + vpslld $11,%xmm5,%xmm5 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 16(%esp),%esi + vpxor %xmm6,%xmm4,%xmm4 + xorl %ecx,%edx + movl 20(%esp),%edi + xorl %edi,%esi + vpsrld $10,%xmm7,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,12(%esp) + vpxor %xmm5,%xmm4,%xmm4 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %ebx,%ecx + addl %edi,%edx + movl (%esp),%edi + vpaddd %xmm4,%xmm2,%xmm2 + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,28(%esp) + vpxor %xmm5,%xmm6,%xmm6 + xorl %ebx,%ecx + xorl %edi,%ebx + addl 24(%esp),%edx + vpsrlq $19,%xmm7,%xmm7 + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + vpxor %xmm7,%xmm6,%xmm6 + addl 68(%esp),%edx + xorl %edi,%eax + shrdl 
$2,%ecx,%ecx + vpshufd $132,%xmm6,%xmm7 + addl %edx,%eax + addl 8(%esp),%edx + addl %ecx,%eax + vpsrldq $8,%xmm7,%xmm7 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 12(%esp),%esi + vpaddd %xmm7,%xmm2,%xmm2 + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + vpshufd $80,%xmm2,%xmm7 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + vpsrld $10,%xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + vpxor %xmm5,%xmm6,%xmm6 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,24(%esp) + vpsrlq $19,%xmm7,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + vpxor %xmm7,%xmm6,%xmm6 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpshufd $232,%xmm6,%xmm7 + addl 72(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpslldq $8,%xmm7,%xmm7 + addl %edx,%ebx + addl 4(%esp),%edx + addl %ecx,%ebx + vpaddd %xmm7,%xmm2,%xmm2 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 8(%esp),%esi + vpaddd 32(%ebp),%xmm2,%xmm6 + xorl %ecx,%edx + movl 12(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,4(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 24(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 76(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + vmovdqa %xmm6,64(%esp) + vpalignr $4,%xmm3,%xmm0,%xmm4 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 4(%esp),%esi + vpalignr $4,%xmm1,%xmm2,%xmm7 + xorl %ecx,%edx + movl 8(%esp),%edi + xorl %edi,%esi + vpsrld $7,%xmm4,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,(%esp) + vpaddd %xmm7,%xmm3,%xmm3 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrld $3,%xmm4,%xmm7 + movl %eax,%ecx + addl %edi,%edx + movl 20(%esp),%edi + vpslld 
$14,%xmm4,%xmm5 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,16(%esp) + vpxor %xmm6,%xmm7,%xmm4 + xorl %eax,%ecx + xorl %edi,%eax + addl 12(%esp),%edx + vpshufd $250,%xmm2,%xmm7 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpsrld $11,%xmm6,%xmm6 + addl 80(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpxor %xmm5,%xmm4,%xmm4 + addl %edx,%ebx + addl 28(%esp),%edx + addl %ecx,%ebx + vpslld $11,%xmm5,%xmm5 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl (%esp),%esi + vpxor %xmm6,%xmm4,%xmm4 + xorl %ecx,%edx + movl 4(%esp),%edi + xorl %edi,%esi + vpsrld $10,%xmm7,%xmm6 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,28(%esp) + vpxor %xmm5,%xmm4,%xmm4 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %ebx,%ecx + addl %edi,%edx + movl 16(%esp),%edi + vpaddd %xmm4,%xmm3,%xmm3 + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,12(%esp) + vpxor %xmm5,%xmm6,%xmm6 + xorl %ebx,%ecx + xorl %edi,%ebx + addl 8(%esp),%edx + vpsrlq $19,%xmm7,%xmm7 + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + vpxor %xmm7,%xmm6,%xmm6 + addl 84(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + vpshufd $132,%xmm6,%xmm7 + addl %edx,%eax + addl 24(%esp),%edx + addl %ecx,%eax + vpsrldq $8,%xmm7,%xmm7 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 28(%esp),%esi + vpaddd %xmm7,%xmm3,%xmm3 + xorl %ecx,%edx + movl (%esp),%edi + xorl %edi,%esi + vpshufd $80,%xmm3,%xmm7 + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + vpsrld $10,%xmm7,%xmm6 + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + vpsrlq $17,%xmm7,%xmm5 + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + vpxor %xmm5,%xmm6,%xmm6 + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,8(%esp) + vpsrlq $19,%xmm7,%xmm7 + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + vpxor %xmm7,%xmm6,%xmm6 + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + vpshufd $232,%xmm6,%xmm7 + addl 88(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + vpslldq $8,%xmm7,%xmm7 + addl 
%edx,%ebx + addl 20(%esp),%edx + addl %ecx,%ebx + vpaddd %xmm7,%xmm3,%xmm3 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 24(%esp),%esi + vpaddd 48(%ebp),%xmm3,%xmm6 + xorl %ecx,%edx + movl 28(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,20(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 92(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + vmovdqa %xmm6,80(%esp) + cmpl $66051,64(%ebp) + jne .L012avx_00_47 + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 20(%esp),%esi + xorl %ecx,%edx + movl 24(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 4(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 28(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 32(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 12(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 16(%esp),%esi + xorl %ecx,%edx + movl 20(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,12(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl (%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,28(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 24(%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 36(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 8(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 12(%esp),%esi + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + shrdl 
$5,%edx,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,24(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 40(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 4(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 8(%esp),%esi + xorl %ecx,%edx + movl 12(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,4(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 24(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 44(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 4(%esp),%esi + xorl %ecx,%edx + movl 8(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 20(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,16(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 12(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 48(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 28(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl (%esp),%esi + xorl %ecx,%edx + movl 4(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,28(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 16(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,12(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 8(%esp),%edx + shrdl $11,%ecx,%ecx + andl 
%ebx,%eax + xorl %esi,%ecx + addl 52(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 24(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 28(%esp),%esi + xorl %ecx,%edx + movl (%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,8(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 56(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 20(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 24(%esp),%esi + xorl %ecx,%edx + movl 28(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,20(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 60(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 20(%esp),%esi + xorl %ecx,%edx + movl 24(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,16(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 4(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 28(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 64(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 12(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 16(%esp),%esi + xorl %ecx,%edx + movl 20(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl 
%ecx,12(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl (%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,28(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 24(%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 68(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 8(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 12(%esp),%esi + xorl %ecx,%edx + movl 16(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,8(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 28(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,24(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 20(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 72(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 4(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 8(%esp),%esi + xorl %ecx,%edx + movl 12(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,4(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 24(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,20(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 16(%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 76(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl (%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 4(%esp),%esi + xorl %ecx,%edx + movl 8(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 20(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,16(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 12(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 
80(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 28(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl (%esp),%esi + xorl %ecx,%edx + movl 4(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,28(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 16(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,12(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl 8(%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 84(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 24(%esp),%edx + addl %ecx,%eax + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 28(%esp),%esi + xorl %ecx,%edx + movl (%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,24(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %eax,%ecx + addl %edi,%edx + movl 12(%esp),%edi + movl %eax,%esi + shrdl $9,%ecx,%ecx + movl %eax,8(%esp) + xorl %eax,%ecx + xorl %edi,%eax + addl 4(%esp),%edx + shrdl $11,%ecx,%ecx + andl %eax,%ebx + xorl %esi,%ecx + addl 88(%esp),%edx + xorl %edi,%ebx + shrdl $2,%ecx,%ecx + addl %edx,%ebx + addl 20(%esp),%edx + addl %ecx,%ebx + movl %edx,%ecx + shrdl $14,%edx,%edx + movl 24(%esp),%esi + xorl %ecx,%edx + movl 28(%esp),%edi + xorl %edi,%esi + shrdl $5,%edx,%edx + andl %ecx,%esi + movl %ecx,20(%esp) + xorl %ecx,%edx + xorl %esi,%edi + shrdl $6,%edx,%edx + movl %ebx,%ecx + addl %edi,%edx + movl 8(%esp),%edi + movl %ebx,%esi + shrdl $9,%ecx,%ecx + movl %ebx,4(%esp) + xorl %ebx,%ecx + xorl %edi,%ebx + addl (%esp),%edx + shrdl $11,%ecx,%ecx + andl %ebx,%eax + xorl %esi,%ecx + addl 92(%esp),%edx + xorl %edi,%eax + shrdl $2,%ecx,%ecx + addl %edx,%eax + addl 16(%esp),%edx + addl %ecx,%eax + movl 96(%esp),%esi + xorl %edi,%ebx + movl 12(%esp),%ecx + addl (%esi),%eax + addl 4(%esi),%ebx + addl 8(%esi),%edi + addl 12(%esi),%ecx + movl %eax,(%esi) + movl %ebx,4(%esi) + movl %edi,8(%esi) + 
movl %ecx,12(%esi) + movl %ebx,4(%esp) + xorl %edi,%ebx + movl %edi,8(%esp) + movl %ecx,12(%esp) + movl 20(%esp),%edi + movl 24(%esp),%ecx + addl 16(%esi),%edx + addl 20(%esi),%edi + addl 24(%esi),%ecx + movl %edx,16(%esi) + movl %edi,20(%esi) + movl %edi,20(%esp) + movl 28(%esp),%edi + movl %ecx,24(%esi) + addl 28(%esi),%edi + movl %ecx,24(%esp) + movl %edi,28(%esi) + movl %edi,28(%esp) + movl 100(%esp),%edi + vmovdqa 64(%ebp),%xmm7 + subl $192,%ebp + cmpl 104(%esp),%edi + jb .L011grand_avx + movl 108(%esp),%esp + vzeroall + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.size sha256_block_data_order_avx,.-.L_sha256_block_data_order_avx_begin +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv4-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv4-linux.S similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv4-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/sha256-armv4-linux.S index 84471bf78..af97a997e 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv4-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv4-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -92,37 +91,16 @@ K256: .word 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 .size K256,.-K256 .word 0 @ terminator -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lsha256_block_data_order -#endif .align 5 -.globl sha256_block_data_order -.hidden sha256_block_data_order -.type sha256_block_data_order,%function -sha256_block_data_order: -.Lsha256_block_data_order: -#if __ARM_ARCH<7 && !defined(__thumb2__) - sub r3,pc,#8 @ sha256_block_data_order -#else - adr r3,.Lsha256_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,.LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV8_SHA256 - bne .LARMv8 - tst r12,#ARMV7_NEON - bne .LNEON -#endif +.globl sha256_block_data_order_nohw +.hidden sha256_block_data_order_nohw +.type sha256_block_data_order_nohw,%function +sha256_block_data_order_nohw: add r2,r1,r2,lsl#6 @ len to point at the end of inp stmdb sp!,{r0,r1,r2,r4-r11,lr} ldmia r0,{r4,r5,r6,r7,r8,r9,r10,r11} - sub r14,r3,#256+32 @ K256 + adr r14,K256 sub sp,sp,#16*4 @ alloca(X[16]) .Loop: # if __ARM_ARCH>=7 
@@ -1884,22 +1862,43 @@ sha256_block_data_order: moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size sha256_block_data_order,.-sha256_block_data_order +.size sha256_block_data_order_nohw,.-sha256_block_data_order_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon +.LK256_shortcut_neon: +@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode. +#if defined(__thumb2__) +.word K256-(.LK256_add_neon+4) +#else +.word K256-(.LK256_add_neon+8) +#endif + .globl sha256_block_data_order_neon .hidden sha256_block_data_order_neon .type sha256_block_data_order_neon,%function .align 5 .skip 16 sha256_block_data_order_neon: -.LNEON: stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} sub r11,sp,#16*4+16 - adr r14,K256 + + @ K256 is just at the boundary of being easily referenced by an ADR from + @ this function. In Arm mode, when building with __ARM_ARCH=6, it does + @ not fit. By moving code around, we could make it fit, but this is too + @ fragile. For simplicity, just load the offset from + @ .LK256_shortcut_neon. + @ + @ TODO(davidben): adrl would avoid a load, but clang-assembler does not + @ support it. We might be able to emulate it with a macro, but Android's + @ did not work when I tried it. + @ https://android.googlesource.com/platform/ndk/+/refs/heads/master/docs/ClangMigration.md#arm + ldr r14,.LK256_shortcut_neon +.LK256_add_neon: + add r14,pc,r14 + bic r11,r11,#15 @ align for 128-bit stores mov r12,sp mov sp,r11 @ alloca 
@@ -2681,12 +2680,27 @@ sha256_block_data_order_neon: # define INST(a,b,c,d) .byte a,b,c,d # endif -.type sha256_block_data_order_armv8,%function +.LK256_shortcut_hw: +@ PC is 8 bytes ahead in Arm mode and 4 bytes ahead in Thumb mode. +#if defined(__thumb2__) +.word K256-(.LK256_add_hw+4) +#else +.word K256-(.LK256_add_hw+8) +#endif + +.globl sha256_block_data_order_hw +.hidden sha256_block_data_order_hw +.type sha256_block_data_order_hw,%function .align 5 -sha256_block_data_order_armv8: -.LARMv8: +sha256_block_data_order_hw: + @ K256 is too far to reference from one ADR command in Thumb mode. In + @ Arm mode, we could make it fit by aligning the ADR offset to a 64-byte + @ boundary. For simplicity, just load the offset from .LK256_shortcut_hw. + ldr r3,.LK256_shortcut_hw +.LK256_add_hw: + add r3,pc,r3 + vld1.32 {q0,q1},[r0] - sub r3,r3,#256+32 add r2,r1,r2,lsl#6 @ len to point at the end of inp b .Loop_v8 @@ -2818,17 +2832,12 @@ sha256_block_data_order_armv8: vst1.32 {q0,q1},[r0] bx lr @ bx lr -.size sha256_block_data_order_armv8,.-sha256_block_data_order_armv8 +.size sha256_block_data_order_hw,.-sha256_block_data_order_hw #endif .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,47,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P -#endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-apple.S index 81083e167..8ce291c47 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -52,24 +51,11 @@ .text - -.private_extern _OPENSSL_armcap_P -.globl _sha256_block_data_order -.private_extern _sha256_block_data_order +.globl _sha256_block_data_order_nohw +.private_extern _sha256_block_data_order_nohw .align 6 -_sha256_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x16,_OPENSSL_armcap_P@PAGE -#endif - ldr w16,[x16,_OPENSSL_armcap_P@PAGEOFF] - tst w16,#ARMV8_SHA256 - b.ne Lv8_entry -#endif +_sha256_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -1062,11 +1048,13 @@ LK256: .align 2 .text #ifndef __KERNEL__ +.globl _sha256_block_data_order_hw +.private_extern _sha256_block_data_order_hw .align 6 -sha256_block_armv8: -Lv8_entry: +_sha256_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1204,7 +1192,6 @@ Loop_hw: #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-linux.S index 56384e9c0..6bebcdfa5 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -52,24 +51,11 @@ .text - -.hidden OPENSSL_armcap_P -.globl sha256_block_data_order -.hidden sha256_block_data_order -.type sha256_block_data_order,%function +.globl sha256_block_data_order_nohw +.hidden sha256_block_data_order_nohw +.type sha256_block_data_order_nohw,%function .align 6 -sha256_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x16,OPENSSL_armcap_P -#endif - ldr w16,[x16,:lo12:OPENSSL_armcap_P] - tst w16,#ARMV8_SHA256 - b.ne .Lv8_entry -#endif +sha256_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -1033,7 +1019,7 @@ sha256_block_data_order: ldp x29,x30,[sp],#128 AARCH64_VALIDATE_LINK_REGISTER ret -.size sha256_block_data_order,.-sha256_block_data_order +.size sha256_block_data_order_nohw,.-sha256_block_data_order_nohw .section .rodata .align 6 
@@ -1062,11 +1048,13 @@ sha256_block_data_order: .align 2 .text #ifndef __KERNEL__ -.type sha256_block_armv8,%function +.globl sha256_block_data_order_hw +.hidden sha256_block_data_order_hw +.type sha256_block_data_order_hw,%function .align 6 -sha256_block_armv8: -.Lv8_entry: +sha256_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1201,10 +1189,9 @@ sha256_block_armv8: ldr x29,[sp],#16 ret -.size sha256_block_armv8,.-sha256_block_armv8 +.size sha256_block_data_order_hw,.-sha256_block_data_order_hw #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-win.S new file mode 100644 index 000000000..a8045de66 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-armv8-win.S 
@@ -0,0 +1,1202 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. +// +// Licensed under the OpenSSL license (the "License"). You may not use +// this file except in compliance with the License. You can obtain a copy +// in the file LICENSE in the source distribution or at +// https://www.openssl.org/source/license.html + +// ==================================================================== +// Written by Andy Polyakov for the OpenSSL +// project. The module is, however, dual licensed under OpenSSL and +// CRYPTOGAMS licenses depending on where you obtain it. For further +// details see http://www.openssl.org/~appro/cryptogams/. +// +// Permission to use under GPLv2 terms is granted. +// ==================================================================== +// +// SHA256/512 for ARMv8. +// +// Performance in cycles per processed byte and improvement coefficient +// over code generated with "default" compiler: +// +// SHA256-hw SHA256(*) SHA512 +// Apple A7 1.97 10.5 (+33%) 6.73 (-1%(**)) +// Cortex-A53 2.38 15.5 (+115%) 10.0 (+150%(***)) +// Cortex-A57 2.31 11.6 (+86%) 7.51 (+260%(***)) +// Denver 2.01 10.5 (+26%) 6.70 (+8%) +// X-Gene 20.0 (+100%) 12.8 (+300%(***)) +// Mongoose 2.36 13.0 (+50%) 8.36 (+33%) +// Kryo 1.92 17.4 (+30%) 11.2 (+8%) +// +// (*) Software SHA256 results are of lesser relevance, presented +// mostly for informational purposes. +// (**) The result is a trade-off: it's possible to improve it by +// 10% (or by 1 cycle per round), but at the cost of 20% loss +// on Cortex-A53 (or by 4 cycles per round). 
+// (***) Super-impressive coefficients over gcc-generated code are +// indication of some compiler "pathology", most notably code +// generated with -mgeneral-regs-only is significantly faster +// and the gap is only 40-90%. + +#ifndef __KERNEL__ +# include +#endif + +.text + +.globl sha256_block_data_order_nohw + +.def sha256_block_data_order_nohw + .type 32 +.endef +.align 6 +sha256_block_data_order_nohw: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-128]! + add x29,sp,#0 + + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + sub sp,sp,#4*4 + + ldp w20,w21,[x0] // load context + ldp w22,w23,[x0,#2*4] + ldp w24,w25,[x0,#4*4] + add x2,x1,x2,lsl#6 // end of input + ldp w26,w27,[x0,#6*4] + adrp x30,LK256 + add x30,x30,:lo12:LK256 + stp x0,x2,[x29,#96] + +Loop: + ldp w3,w4,[x1],#2*4 + ldr w19,[x30],#4 // *K++ + eor w28,w21,w22 // magic seed + str x1,[x29,#112] +#ifndef __AARCH64EB__ + rev w3,w3 // 0 +#endif + ror w16,w24,#6 + add w27,w27,w19 // h+=K[i] + eor w6,w24,w24,ror#14 + and w17,w25,w24 + bic w19,w26,w24 + add w27,w27,w3 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w20,w21 // a^b, b^c in next round + eor w16,w16,w6,ror#11 // Sigma1(e) + ror w6,w20,#2 + add w27,w27,w17 // h+=Ch(e,f,g) + eor w17,w20,w20,ror#9 + add w27,w27,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w23,w23,w27 // d+=h + eor w28,w28,w21 // Maj(a,b,c) + eor w17,w6,w17,ror#13 // Sigma0(a) + add w27,w27,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w27,w27,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w4,w4 // 1 +#endif + ldp w5,w6,[x1],#2*4 + add w27,w27,w17 // h+=Sigma0(a) + ror w16,w23,#6 + add w26,w26,w28 // h+=K[i] + eor w7,w23,w23,ror#14 + and w17,w24,w23 + bic w28,w25,w23 + add w26,w26,w4 // h+=X[i] + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w27,w20 // a^b, b^c in next round + eor w16,w16,w7,ror#11 // Sigma1(e) + ror w7,w27,#2 + add w26,w26,w17 // h+=Ch(e,f,g) + eor 
w17,w27,w27,ror#9 + add w26,w26,w16 // h+=Sigma1(e) + and w19,w19,w28 // (b^c)&=(a^b) + add w22,w22,w26 // d+=h + eor w19,w19,w20 // Maj(a,b,c) + eor w17,w7,w17,ror#13 // Sigma0(a) + add w26,w26,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + //add w26,w26,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w5,w5 // 2 +#endif + add w26,w26,w17 // h+=Sigma0(a) + ror w16,w22,#6 + add w25,w25,w19 // h+=K[i] + eor w8,w22,w22,ror#14 + and w17,w23,w22 + bic w19,w24,w22 + add w25,w25,w5 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w26,w27 // a^b, b^c in next round + eor w16,w16,w8,ror#11 // Sigma1(e) + ror w8,w26,#2 + add w25,w25,w17 // h+=Ch(e,f,g) + eor w17,w26,w26,ror#9 + add w25,w25,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w21,w21,w25 // d+=h + eor w28,w28,w27 // Maj(a,b,c) + eor w17,w8,w17,ror#13 // Sigma0(a) + add w25,w25,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w25,w25,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w6,w6 // 3 +#endif + ldp w7,w8,[x1],#2*4 + add w25,w25,w17 // h+=Sigma0(a) + ror w16,w21,#6 + add w24,w24,w28 // h+=K[i] + eor w9,w21,w21,ror#14 + and w17,w22,w21 + bic w28,w23,w21 + add w24,w24,w6 // h+=X[i] + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w25,w26 // a^b, b^c in next round + eor w16,w16,w9,ror#11 // Sigma1(e) + ror w9,w25,#2 + add w24,w24,w17 // h+=Ch(e,f,g) + eor w17,w25,w25,ror#9 + add w24,w24,w16 // h+=Sigma1(e) + and w19,w19,w28 // (b^c)&=(a^b) + add w20,w20,w24 // d+=h + eor w19,w19,w26 // Maj(a,b,c) + eor w17,w9,w17,ror#13 // Sigma0(a) + add w24,w24,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + //add w24,w24,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w7,w7 // 4 +#endif + add w24,w24,w17 // h+=Sigma0(a) + ror w16,w20,#6 + add w23,w23,w19 // h+=K[i] + eor w10,w20,w20,ror#14 + and w17,w21,w20 + bic w19,w22,w20 + add w23,w23,w7 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w24,w25 // a^b, b^c in next round + eor 
w16,w16,w10,ror#11 // Sigma1(e) + ror w10,w24,#2 + add w23,w23,w17 // h+=Ch(e,f,g) + eor w17,w24,w24,ror#9 + add w23,w23,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w27,w27,w23 // d+=h + eor w28,w28,w25 // Maj(a,b,c) + eor w17,w10,w17,ror#13 // Sigma0(a) + add w23,w23,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w23,w23,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w8,w8 // 5 +#endif + ldp w9,w10,[x1],#2*4 + add w23,w23,w17 // h+=Sigma0(a) + ror w16,w27,#6 + add w22,w22,w28 // h+=K[i] + eor w11,w27,w27,ror#14 + and w17,w20,w27 + bic w28,w21,w27 + add w22,w22,w8 // h+=X[i] + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w23,w24 // a^b, b^c in next round + eor w16,w16,w11,ror#11 // Sigma1(e) + ror w11,w23,#2 + add w22,w22,w17 // h+=Ch(e,f,g) + eor w17,w23,w23,ror#9 + add w22,w22,w16 // h+=Sigma1(e) + and w19,w19,w28 // (b^c)&=(a^b) + add w26,w26,w22 // d+=h + eor w19,w19,w24 // Maj(a,b,c) + eor w17,w11,w17,ror#13 // Sigma0(a) + add w22,w22,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + //add w22,w22,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w9,w9 // 6 +#endif + add w22,w22,w17 // h+=Sigma0(a) + ror w16,w26,#6 + add w21,w21,w19 // h+=K[i] + eor w12,w26,w26,ror#14 + and w17,w27,w26 + bic w19,w20,w26 + add w21,w21,w9 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w22,w23 // a^b, b^c in next round + eor w16,w16,w12,ror#11 // Sigma1(e) + ror w12,w22,#2 + add w21,w21,w17 // h+=Ch(e,f,g) + eor w17,w22,w22,ror#9 + add w21,w21,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w25,w25,w21 // d+=h + eor w28,w28,w23 // Maj(a,b,c) + eor w17,w12,w17,ror#13 // Sigma0(a) + add w21,w21,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w21,w21,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w10,w10 // 7 +#endif + ldp w11,w12,[x1],#2*4 + add w21,w21,w17 // h+=Sigma0(a) + ror w16,w25,#6 + add w20,w20,w28 // h+=K[i] + eor w13,w25,w25,ror#14 + and w17,w26,w25 + bic w28,w27,w25 + 
add w20,w20,w10 // h+=X[i] + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w21,w22 // a^b, b^c in next round + eor w16,w16,w13,ror#11 // Sigma1(e) + ror w13,w21,#2 + add w20,w20,w17 // h+=Ch(e,f,g) + eor w17,w21,w21,ror#9 + add w20,w20,w16 // h+=Sigma1(e) + and w19,w19,w28 // (b^c)&=(a^b) + add w24,w24,w20 // d+=h + eor w19,w19,w22 // Maj(a,b,c) + eor w17,w13,w17,ror#13 // Sigma0(a) + add w20,w20,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + //add w20,w20,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w11,w11 // 8 +#endif + add w20,w20,w17 // h+=Sigma0(a) + ror w16,w24,#6 + add w27,w27,w19 // h+=K[i] + eor w14,w24,w24,ror#14 + and w17,w25,w24 + bic w19,w26,w24 + add w27,w27,w11 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w20,w21 // a^b, b^c in next round + eor w16,w16,w14,ror#11 // Sigma1(e) + ror w14,w20,#2 + add w27,w27,w17 // h+=Ch(e,f,g) + eor w17,w20,w20,ror#9 + add w27,w27,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w23,w23,w27 // d+=h + eor w28,w28,w21 // Maj(a,b,c) + eor w17,w14,w17,ror#13 // Sigma0(a) + add w27,w27,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w27,w27,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w12,w12 // 9 +#endif + ldp w13,w14,[x1],#2*4 + add w27,w27,w17 // h+=Sigma0(a) + ror w16,w23,#6 + add w26,w26,w28 // h+=K[i] + eor w15,w23,w23,ror#14 + and w17,w24,w23 + bic w28,w25,w23 + add w26,w26,w12 // h+=X[i] + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w27,w20 // a^b, b^c in next round + eor w16,w16,w15,ror#11 // Sigma1(e) + ror w15,w27,#2 + add w26,w26,w17 // h+=Ch(e,f,g) + eor w17,w27,w27,ror#9 + add w26,w26,w16 // h+=Sigma1(e) + and w19,w19,w28 // (b^c)&=(a^b) + add w22,w22,w26 // d+=h + eor w19,w19,w20 // Maj(a,b,c) + eor w17,w15,w17,ror#13 // Sigma0(a) + add w26,w26,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + //add w26,w26,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w13,w13 // 10 +#endif + add w26,w26,w17 // h+=Sigma0(a) + ror w16,w22,#6 
+ add w25,w25,w19 // h+=K[i] + eor w0,w22,w22,ror#14 + and w17,w23,w22 + bic w19,w24,w22 + add w25,w25,w13 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w26,w27 // a^b, b^c in next round + eor w16,w16,w0,ror#11 // Sigma1(e) + ror w0,w26,#2 + add w25,w25,w17 // h+=Ch(e,f,g) + eor w17,w26,w26,ror#9 + add w25,w25,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w21,w21,w25 // d+=h + eor w28,w28,w27 // Maj(a,b,c) + eor w17,w0,w17,ror#13 // Sigma0(a) + add w25,w25,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w25,w25,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w14,w14 // 11 +#endif + ldp w15,w0,[x1],#2*4 + add w25,w25,w17 // h+=Sigma0(a) + str w6,[sp,#12] + ror w16,w21,#6 + add w24,w24,w28 // h+=K[i] + eor w6,w21,w21,ror#14 + and w17,w22,w21 + bic w28,w23,w21 + add w24,w24,w14 // h+=X[i] + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w25,w26 // a^b, b^c in next round + eor w16,w16,w6,ror#11 // Sigma1(e) + ror w6,w25,#2 + add w24,w24,w17 // h+=Ch(e,f,g) + eor w17,w25,w25,ror#9 + add w24,w24,w16 // h+=Sigma1(e) + and w19,w19,w28 // (b^c)&=(a^b) + add w20,w20,w24 // d+=h + eor w19,w19,w26 // Maj(a,b,c) + eor w17,w6,w17,ror#13 // Sigma0(a) + add w24,w24,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + //add w24,w24,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w15,w15 // 12 +#endif + add w24,w24,w17 // h+=Sigma0(a) + str w7,[sp,#0] + ror w16,w20,#6 + add w23,w23,w19 // h+=K[i] + eor w7,w20,w20,ror#14 + and w17,w21,w20 + bic w19,w22,w20 + add w23,w23,w15 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w24,w25 // a^b, b^c in next round + eor w16,w16,w7,ror#11 // Sigma1(e) + ror w7,w24,#2 + add w23,w23,w17 // h+=Ch(e,f,g) + eor w17,w24,w24,ror#9 + add w23,w23,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w27,w27,w23 // d+=h + eor w28,w28,w25 // Maj(a,b,c) + eor w17,w7,w17,ror#13 // Sigma0(a) + add w23,w23,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w23,w23,w17 
// h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w0,w0 // 13 +#endif + ldp w1,w2,[x1] + add w23,w23,w17 // h+=Sigma0(a) + str w8,[sp,#4] + ror w16,w27,#6 + add w22,w22,w28 // h+=K[i] + eor w8,w27,w27,ror#14 + and w17,w20,w27 + bic w28,w21,w27 + add w22,w22,w0 // h+=X[i] + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w23,w24 // a^b, b^c in next round + eor w16,w16,w8,ror#11 // Sigma1(e) + ror w8,w23,#2 + add w22,w22,w17 // h+=Ch(e,f,g) + eor w17,w23,w23,ror#9 + add w22,w22,w16 // h+=Sigma1(e) + and w19,w19,w28 // (b^c)&=(a^b) + add w26,w26,w22 // d+=h + eor w19,w19,w24 // Maj(a,b,c) + eor w17,w8,w17,ror#13 // Sigma0(a) + add w22,w22,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + //add w22,w22,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w1,w1 // 14 +#endif + ldr w6,[sp,#12] + add w22,w22,w17 // h+=Sigma0(a) + str w9,[sp,#8] + ror w16,w26,#6 + add w21,w21,w19 // h+=K[i] + eor w9,w26,w26,ror#14 + and w17,w27,w26 + bic w19,w20,w26 + add w21,w21,w1 // h+=X[i] + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w22,w23 // a^b, b^c in next round + eor w16,w16,w9,ror#11 // Sigma1(e) + ror w9,w22,#2 + add w21,w21,w17 // h+=Ch(e,f,g) + eor w17,w22,w22,ror#9 + add w21,w21,w16 // h+=Sigma1(e) + and w28,w28,w19 // (b^c)&=(a^b) + add w25,w25,w21 // d+=h + eor w28,w28,w23 // Maj(a,b,c) + eor w17,w9,w17,ror#13 // Sigma0(a) + add w21,w21,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + //add w21,w21,w17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev w2,w2 // 15 +#endif + ldr w7,[sp,#0] + add w21,w21,w17 // h+=Sigma0(a) + str w10,[sp,#12] + ror w16,w25,#6 + add w20,w20,w28 // h+=K[i] + ror w9,w4,#7 + and w17,w26,w25 + ror w8,w1,#17 + bic w28,w27,w25 + ror w10,w21,#2 + add w20,w20,w2 // h+=X[i] + eor w16,w16,w25,ror#11 + eor w9,w9,w4,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w21,w22 // a^b, b^c in next round + eor w16,w16,w25,ror#25 // Sigma1(e) + eor w10,w10,w21,ror#13 + add w20,w20,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor 
w8,w8,w1,ror#19 + eor w9,w9,w4,lsr#3 // sigma0(X[i+1]) + add w20,w20,w16 // h+=Sigma1(e) + eor w19,w19,w22 // Maj(a,b,c) + eor w17,w10,w21,ror#22 // Sigma0(a) + eor w8,w8,w1,lsr#10 // sigma1(X[i+14]) + add w3,w3,w12 + add w24,w24,w20 // d+=h + add w20,w20,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w3,w3,w9 + add w20,w20,w17 // h+=Sigma0(a) + add w3,w3,w8 +Loop_16_xx: + ldr w8,[sp,#4] + str w11,[sp,#0] + ror w16,w24,#6 + add w27,w27,w19 // h+=K[i] + ror w10,w5,#7 + and w17,w25,w24 + ror w9,w2,#17 + bic w19,w26,w24 + ror w11,w20,#2 + add w27,w27,w3 // h+=X[i] + eor w16,w16,w24,ror#11 + eor w10,w10,w5,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w20,w21 // a^b, b^c in next round + eor w16,w16,w24,ror#25 // Sigma1(e) + eor w11,w11,w20,ror#13 + add w27,w27,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w9,w9,w2,ror#19 + eor w10,w10,w5,lsr#3 // sigma0(X[i+1]) + add w27,w27,w16 // h+=Sigma1(e) + eor w28,w28,w21 // Maj(a,b,c) + eor w17,w11,w20,ror#22 // Sigma0(a) + eor w9,w9,w2,lsr#10 // sigma1(X[i+14]) + add w4,w4,w13 + add w23,w23,w27 // d+=h + add w27,w27,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + add w4,w4,w10 + add w27,w27,w17 // h+=Sigma0(a) + add w4,w4,w9 + ldr w9,[sp,#8] + str w12,[sp,#4] + ror w16,w23,#6 + add w26,w26,w28 // h+=K[i] + ror w11,w6,#7 + and w17,w24,w23 + ror w10,w3,#17 + bic w28,w25,w23 + ror w12,w27,#2 + add w26,w26,w4 // h+=X[i] + eor w16,w16,w23,ror#11 + eor w11,w11,w6,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w27,w20 // a^b, b^c in next round + eor w16,w16,w23,ror#25 // Sigma1(e) + eor w12,w12,w27,ror#13 + add w26,w26,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w10,w10,w3,ror#19 + eor w11,w11,w6,lsr#3 // sigma0(X[i+1]) + add w26,w26,w16 // h+=Sigma1(e) + eor w19,w19,w20 // Maj(a,b,c) + eor w17,w12,w27,ror#22 // Sigma0(a) + eor w10,w10,w3,lsr#10 // sigma1(X[i+14]) + add w5,w5,w14 + add w22,w22,w26 // d+=h + add w26,w26,w19 // h+=Maj(a,b,c) + ldr 
w19,[x30],#4 // *K++, w28 in next round + add w5,w5,w11 + add w26,w26,w17 // h+=Sigma0(a) + add w5,w5,w10 + ldr w10,[sp,#12] + str w13,[sp,#8] + ror w16,w22,#6 + add w25,w25,w19 // h+=K[i] + ror w12,w7,#7 + and w17,w23,w22 + ror w11,w4,#17 + bic w19,w24,w22 + ror w13,w26,#2 + add w25,w25,w5 // h+=X[i] + eor w16,w16,w22,ror#11 + eor w12,w12,w7,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w26,w27 // a^b, b^c in next round + eor w16,w16,w22,ror#25 // Sigma1(e) + eor w13,w13,w26,ror#13 + add w25,w25,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w11,w11,w4,ror#19 + eor w12,w12,w7,lsr#3 // sigma0(X[i+1]) + add w25,w25,w16 // h+=Sigma1(e) + eor w28,w28,w27 // Maj(a,b,c) + eor w17,w13,w26,ror#22 // Sigma0(a) + eor w11,w11,w4,lsr#10 // sigma1(X[i+14]) + add w6,w6,w15 + add w21,w21,w25 // d+=h + add w25,w25,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + add w6,w6,w12 + add w25,w25,w17 // h+=Sigma0(a) + add w6,w6,w11 + ldr w11,[sp,#0] + str w14,[sp,#12] + ror w16,w21,#6 + add w24,w24,w28 // h+=K[i] + ror w13,w8,#7 + and w17,w22,w21 + ror w12,w5,#17 + bic w28,w23,w21 + ror w14,w25,#2 + add w24,w24,w6 // h+=X[i] + eor w16,w16,w21,ror#11 + eor w13,w13,w8,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w25,w26 // a^b, b^c in next round + eor w16,w16,w21,ror#25 // Sigma1(e) + eor w14,w14,w25,ror#13 + add w24,w24,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w12,w12,w5,ror#19 + eor w13,w13,w8,lsr#3 // sigma0(X[i+1]) + add w24,w24,w16 // h+=Sigma1(e) + eor w19,w19,w26 // Maj(a,b,c) + eor w17,w14,w25,ror#22 // Sigma0(a) + eor w12,w12,w5,lsr#10 // sigma1(X[i+14]) + add w7,w7,w0 + add w20,w20,w24 // d+=h + add w24,w24,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w7,w7,w13 + add w24,w24,w17 // h+=Sigma0(a) + add w7,w7,w12 + ldr w12,[sp,#4] + str w15,[sp,#0] + ror w16,w20,#6 + add w23,w23,w19 // h+=K[i] + ror w14,w9,#7 + and w17,w21,w20 + ror w13,w6,#17 + bic w19,w22,w20 + ror w15,w24,#2 + add w23,w23,w7 // 
h+=X[i] + eor w16,w16,w20,ror#11 + eor w14,w14,w9,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w24,w25 // a^b, b^c in next round + eor w16,w16,w20,ror#25 // Sigma1(e) + eor w15,w15,w24,ror#13 + add w23,w23,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w13,w13,w6,ror#19 + eor w14,w14,w9,lsr#3 // sigma0(X[i+1]) + add w23,w23,w16 // h+=Sigma1(e) + eor w28,w28,w25 // Maj(a,b,c) + eor w17,w15,w24,ror#22 // Sigma0(a) + eor w13,w13,w6,lsr#10 // sigma1(X[i+14]) + add w8,w8,w1 + add w27,w27,w23 // d+=h + add w23,w23,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + add w8,w8,w14 + add w23,w23,w17 // h+=Sigma0(a) + add w8,w8,w13 + ldr w13,[sp,#8] + str w0,[sp,#4] + ror w16,w27,#6 + add w22,w22,w28 // h+=K[i] + ror w15,w10,#7 + and w17,w20,w27 + ror w14,w7,#17 + bic w28,w21,w27 + ror w0,w23,#2 + add w22,w22,w8 // h+=X[i] + eor w16,w16,w27,ror#11 + eor w15,w15,w10,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w23,w24 // a^b, b^c in next round + eor w16,w16,w27,ror#25 // Sigma1(e) + eor w0,w0,w23,ror#13 + add w22,w22,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w14,w14,w7,ror#19 + eor w15,w15,w10,lsr#3 // sigma0(X[i+1]) + add w22,w22,w16 // h+=Sigma1(e) + eor w19,w19,w24 // Maj(a,b,c) + eor w17,w0,w23,ror#22 // Sigma0(a) + eor w14,w14,w7,lsr#10 // sigma1(X[i+14]) + add w9,w9,w2 + add w26,w26,w22 // d+=h + add w22,w22,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w9,w9,w15 + add w22,w22,w17 // h+=Sigma0(a) + add w9,w9,w14 + ldr w14,[sp,#12] + str w1,[sp,#8] + ror w16,w26,#6 + add w21,w21,w19 // h+=K[i] + ror w0,w11,#7 + and w17,w27,w26 + ror w15,w8,#17 + bic w19,w20,w26 + ror w1,w22,#2 + add w21,w21,w9 // h+=X[i] + eor w16,w16,w26,ror#11 + eor w0,w0,w11,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w22,w23 // a^b, b^c in next round + eor w16,w16,w26,ror#25 // Sigma1(e) + eor w1,w1,w22,ror#13 + add w21,w21,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w15,w15,w8,ror#19 + eor 
w0,w0,w11,lsr#3 // sigma0(X[i+1]) + add w21,w21,w16 // h+=Sigma1(e) + eor w28,w28,w23 // Maj(a,b,c) + eor w17,w1,w22,ror#22 // Sigma0(a) + eor w15,w15,w8,lsr#10 // sigma1(X[i+14]) + add w10,w10,w3 + add w25,w25,w21 // d+=h + add w21,w21,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + add w10,w10,w0 + add w21,w21,w17 // h+=Sigma0(a) + add w10,w10,w15 + ldr w15,[sp,#0] + str w2,[sp,#12] + ror w16,w25,#6 + add w20,w20,w28 // h+=K[i] + ror w1,w12,#7 + and w17,w26,w25 + ror w0,w9,#17 + bic w28,w27,w25 + ror w2,w21,#2 + add w20,w20,w10 // h+=X[i] + eor w16,w16,w25,ror#11 + eor w1,w1,w12,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w21,w22 // a^b, b^c in next round + eor w16,w16,w25,ror#25 // Sigma1(e) + eor w2,w2,w21,ror#13 + add w20,w20,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w0,w0,w9,ror#19 + eor w1,w1,w12,lsr#3 // sigma0(X[i+1]) + add w20,w20,w16 // h+=Sigma1(e) + eor w19,w19,w22 // Maj(a,b,c) + eor w17,w2,w21,ror#22 // Sigma0(a) + eor w0,w0,w9,lsr#10 // sigma1(X[i+14]) + add w11,w11,w4 + add w24,w24,w20 // d+=h + add w20,w20,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w11,w11,w1 + add w20,w20,w17 // h+=Sigma0(a) + add w11,w11,w0 + ldr w0,[sp,#4] + str w3,[sp,#0] + ror w16,w24,#6 + add w27,w27,w19 // h+=K[i] + ror w2,w13,#7 + and w17,w25,w24 + ror w1,w10,#17 + bic w19,w26,w24 + ror w3,w20,#2 + add w27,w27,w11 // h+=X[i] + eor w16,w16,w24,ror#11 + eor w2,w2,w13,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w20,w21 // a^b, b^c in next round + eor w16,w16,w24,ror#25 // Sigma1(e) + eor w3,w3,w20,ror#13 + add w27,w27,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w1,w1,w10,ror#19 + eor w2,w2,w13,lsr#3 // sigma0(X[i+1]) + add w27,w27,w16 // h+=Sigma1(e) + eor w28,w28,w21 // Maj(a,b,c) + eor w17,w3,w20,ror#22 // Sigma0(a) + eor w1,w1,w10,lsr#10 // sigma1(X[i+14]) + add w12,w12,w5 + add w23,w23,w27 // d+=h + add w27,w27,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + 
add w12,w12,w2 + add w27,w27,w17 // h+=Sigma0(a) + add w12,w12,w1 + ldr w1,[sp,#8] + str w4,[sp,#4] + ror w16,w23,#6 + add w26,w26,w28 // h+=K[i] + ror w3,w14,#7 + and w17,w24,w23 + ror w2,w11,#17 + bic w28,w25,w23 + ror w4,w27,#2 + add w26,w26,w12 // h+=X[i] + eor w16,w16,w23,ror#11 + eor w3,w3,w14,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w27,w20 // a^b, b^c in next round + eor w16,w16,w23,ror#25 // Sigma1(e) + eor w4,w4,w27,ror#13 + add w26,w26,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w2,w2,w11,ror#19 + eor w3,w3,w14,lsr#3 // sigma0(X[i+1]) + add w26,w26,w16 // h+=Sigma1(e) + eor w19,w19,w20 // Maj(a,b,c) + eor w17,w4,w27,ror#22 // Sigma0(a) + eor w2,w2,w11,lsr#10 // sigma1(X[i+14]) + add w13,w13,w6 + add w22,w22,w26 // d+=h + add w26,w26,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w13,w13,w3 + add w26,w26,w17 // h+=Sigma0(a) + add w13,w13,w2 + ldr w2,[sp,#12] + str w5,[sp,#8] + ror w16,w22,#6 + add w25,w25,w19 // h+=K[i] + ror w4,w15,#7 + and w17,w23,w22 + ror w3,w12,#17 + bic w19,w24,w22 + ror w5,w26,#2 + add w25,w25,w13 // h+=X[i] + eor w16,w16,w22,ror#11 + eor w4,w4,w15,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w26,w27 // a^b, b^c in next round + eor w16,w16,w22,ror#25 // Sigma1(e) + eor w5,w5,w26,ror#13 + add w25,w25,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w3,w3,w12,ror#19 + eor w4,w4,w15,lsr#3 // sigma0(X[i+1]) + add w25,w25,w16 // h+=Sigma1(e) + eor w28,w28,w27 // Maj(a,b,c) + eor w17,w5,w26,ror#22 // Sigma0(a) + eor w3,w3,w12,lsr#10 // sigma1(X[i+14]) + add w14,w14,w7 + add w21,w21,w25 // d+=h + add w25,w25,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + add w14,w14,w4 + add w25,w25,w17 // h+=Sigma0(a) + add w14,w14,w3 + ldr w3,[sp,#0] + str w6,[sp,#12] + ror w16,w21,#6 + add w24,w24,w28 // h+=K[i] + ror w5,w0,#7 + and w17,w22,w21 + ror w4,w13,#17 + bic w28,w23,w21 + ror w6,w25,#2 + add w24,w24,w14 // h+=X[i] + eor w16,w16,w21,ror#11 + eor w5,w5,w0,ror#18 
+ orr w17,w17,w28 // Ch(e,f,g) + eor w28,w25,w26 // a^b, b^c in next round + eor w16,w16,w21,ror#25 // Sigma1(e) + eor w6,w6,w25,ror#13 + add w24,w24,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w4,w4,w13,ror#19 + eor w5,w5,w0,lsr#3 // sigma0(X[i+1]) + add w24,w24,w16 // h+=Sigma1(e) + eor w19,w19,w26 // Maj(a,b,c) + eor w17,w6,w25,ror#22 // Sigma0(a) + eor w4,w4,w13,lsr#10 // sigma1(X[i+14]) + add w15,w15,w8 + add w20,w20,w24 // d+=h + add w24,w24,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w15,w15,w5 + add w24,w24,w17 // h+=Sigma0(a) + add w15,w15,w4 + ldr w4,[sp,#4] + str w7,[sp,#0] + ror w16,w20,#6 + add w23,w23,w19 // h+=K[i] + ror w6,w1,#7 + and w17,w21,w20 + ror w5,w14,#17 + bic w19,w22,w20 + ror w7,w24,#2 + add w23,w23,w15 // h+=X[i] + eor w16,w16,w20,ror#11 + eor w6,w6,w1,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w24,w25 // a^b, b^c in next round + eor w16,w16,w20,ror#25 // Sigma1(e) + eor w7,w7,w24,ror#13 + add w23,w23,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w5,w5,w14,ror#19 + eor w6,w6,w1,lsr#3 // sigma0(X[i+1]) + add w23,w23,w16 // h+=Sigma1(e) + eor w28,w28,w25 // Maj(a,b,c) + eor w17,w7,w24,ror#22 // Sigma0(a) + eor w5,w5,w14,lsr#10 // sigma1(X[i+14]) + add w0,w0,w9 + add w27,w27,w23 // d+=h + add w23,w23,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + add w0,w0,w6 + add w23,w23,w17 // h+=Sigma0(a) + add w0,w0,w5 + ldr w5,[sp,#8] + str w8,[sp,#4] + ror w16,w27,#6 + add w22,w22,w28 // h+=K[i] + ror w7,w2,#7 + and w17,w20,w27 + ror w6,w15,#17 + bic w28,w21,w27 + ror w8,w23,#2 + add w22,w22,w0 // h+=X[i] + eor w16,w16,w27,ror#11 + eor w7,w7,w2,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w23,w24 // a^b, b^c in next round + eor w16,w16,w27,ror#25 // Sigma1(e) + eor w8,w8,w23,ror#13 + add w22,w22,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w6,w6,w15,ror#19 + eor w7,w7,w2,lsr#3 // sigma0(X[i+1]) + add w22,w22,w16 // h+=Sigma1(e) + eor w19,w19,w24 // 
Maj(a,b,c) + eor w17,w8,w23,ror#22 // Sigma0(a) + eor w6,w6,w15,lsr#10 // sigma1(X[i+14]) + add w1,w1,w10 + add w26,w26,w22 // d+=h + add w22,w22,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w1,w1,w7 + add w22,w22,w17 // h+=Sigma0(a) + add w1,w1,w6 + ldr w6,[sp,#12] + str w9,[sp,#8] + ror w16,w26,#6 + add w21,w21,w19 // h+=K[i] + ror w8,w3,#7 + and w17,w27,w26 + ror w7,w0,#17 + bic w19,w20,w26 + ror w9,w22,#2 + add w21,w21,w1 // h+=X[i] + eor w16,w16,w26,ror#11 + eor w8,w8,w3,ror#18 + orr w17,w17,w19 // Ch(e,f,g) + eor w19,w22,w23 // a^b, b^c in next round + eor w16,w16,w26,ror#25 // Sigma1(e) + eor w9,w9,w22,ror#13 + add w21,w21,w17 // h+=Ch(e,f,g) + and w28,w28,w19 // (b^c)&=(a^b) + eor w7,w7,w0,ror#19 + eor w8,w8,w3,lsr#3 // sigma0(X[i+1]) + add w21,w21,w16 // h+=Sigma1(e) + eor w28,w28,w23 // Maj(a,b,c) + eor w17,w9,w22,ror#22 // Sigma0(a) + eor w7,w7,w0,lsr#10 // sigma1(X[i+14]) + add w2,w2,w11 + add w25,w25,w21 // d+=h + add w21,w21,w28 // h+=Maj(a,b,c) + ldr w28,[x30],#4 // *K++, w19 in next round + add w2,w2,w8 + add w21,w21,w17 // h+=Sigma0(a) + add w2,w2,w7 + ldr w7,[sp,#0] + str w10,[sp,#12] + ror w16,w25,#6 + add w20,w20,w28 // h+=K[i] + ror w9,w4,#7 + and w17,w26,w25 + ror w8,w1,#17 + bic w28,w27,w25 + ror w10,w21,#2 + add w20,w20,w2 // h+=X[i] + eor w16,w16,w25,ror#11 + eor w9,w9,w4,ror#18 + orr w17,w17,w28 // Ch(e,f,g) + eor w28,w21,w22 // a^b, b^c in next round + eor w16,w16,w25,ror#25 // Sigma1(e) + eor w10,w10,w21,ror#13 + add w20,w20,w17 // h+=Ch(e,f,g) + and w19,w19,w28 // (b^c)&=(a^b) + eor w8,w8,w1,ror#19 + eor w9,w9,w4,lsr#3 // sigma0(X[i+1]) + add w20,w20,w16 // h+=Sigma1(e) + eor w19,w19,w22 // Maj(a,b,c) + eor w17,w10,w21,ror#22 // Sigma0(a) + eor w8,w8,w1,lsr#10 // sigma1(X[i+14]) + add w3,w3,w12 + add w24,w24,w20 // d+=h + add w20,w20,w19 // h+=Maj(a,b,c) + ldr w19,[x30],#4 // *K++, w28 in next round + add w3,w3,w9 + add w20,w20,w17 // h+=Sigma0(a) + add w3,w3,w8 + cbnz w19,Loop_16_xx + + ldp x0,x2,[x29,#96] + 
ldr x1,[x29,#112] + sub x30,x30,#260 // rewind + + ldp w3,w4,[x0] + ldp w5,w6,[x0,#2*4] + add x1,x1,#14*4 // advance input pointer + ldp w7,w8,[x0,#4*4] + add w20,w20,w3 + ldp w9,w10,[x0,#6*4] + add w21,w21,w4 + add w22,w22,w5 + add w23,w23,w6 + stp w20,w21,[x0] + add w24,w24,w7 + add w25,w25,w8 + stp w22,w23,[x0,#2*4] + add w26,w26,w9 + add w27,w27,w10 + cmp x1,x2 + stp w24,w25,[x0,#4*4] + stp w26,w27,[x0,#6*4] + b.ne Loop + + ldp x19,x20,[x29,#16] + add sp,sp,#4*4 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#128 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +.section .rodata +.align 6 + +LK256: +.long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 +.long 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5 +.long 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3 +.long 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174 +.long 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc +.long 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da +.long 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7 +.long 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967 +.long 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13 +.long 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85 +.long 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3 +.long 0xd192e819,0xd6990624,0xf40e3585,0x106aa070 +.long 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5 +.long 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 +.long 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 +.long 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +.long 0 //terminator + +.byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.align 2 +.text +#ifndef __KERNEL__ +.globl sha256_block_data_order_hw + +.def sha256_block_data_order_hw + .type 32 +.endef +.align 6 +sha256_block_data_order_hw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not 
popped later. + AARCH64_VALID_CALL_TARGET + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ld1 {v0.4s,v1.4s},[x0] + adrp x3,LK256 + add x3,x3,:lo12:LK256 + +Loop_hw: + ld1 {v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64 + sub x2,x2,#1 + ld1 {v16.4s},[x3],#16 + rev32 v4.16b,v4.16b + rev32 v5.16b,v5.16b + rev32 v6.16b,v6.16b + rev32 v7.16b,v7.16b + orr v18.16b,v0.16b,v0.16b // offload + orr v19.16b,v1.16b,v1.16b + ld1 {v17.4s},[x3],#16 + add v16.4s,v16.4s,v4.4s +.long 0x5e2828a4 //sha256su0 v4.16b,v5.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s +.long 0x5e0760c4 //sha256su1 v4.16b,v6.16b,v7.16b + ld1 {v16.4s},[x3],#16 + add v17.4s,v17.4s,v5.4s +.long 0x5e2828c5 //sha256su0 v5.16b,v6.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 v1.16b,v2.16b,v17.4s +.long 0x5e0460e5 //sha256su1 v5.16b,v7.16b,v4.16b + ld1 {v17.4s},[x3],#16 + add v16.4s,v16.4s,v6.4s +.long 0x5e2828e6 //sha256su0 v6.16b,v7.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s +.long 0x5e056086 //sha256su1 v6.16b,v4.16b,v5.16b + ld1 {v16.4s},[x3],#16 + add v17.4s,v17.4s,v7.4s +.long 0x5e282887 //sha256su0 v7.16b,v4.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 v1.16b,v2.16b,v17.4s +.long 0x5e0660a7 //sha256su1 v7.16b,v5.16b,v6.16b + ld1 {v17.4s},[x3],#16 + add v16.4s,v16.4s,v4.4s +.long 0x5e2828a4 //sha256su0 v4.16b,v5.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s +.long 0x5e0760c4 //sha256su1 v4.16b,v6.16b,v7.16b + ld1 {v16.4s},[x3],#16 + add v17.4s,v17.4s,v5.4s +.long 0x5e2828c5 //sha256su0 v5.16b,v6.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 v1.16b,v2.16b,v17.4s +.long 0x5e0460e5 
//sha256su1 v5.16b,v7.16b,v4.16b + ld1 {v17.4s},[x3],#16 + add v16.4s,v16.4s,v6.4s +.long 0x5e2828e6 //sha256su0 v6.16b,v7.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s +.long 0x5e056086 //sha256su1 v6.16b,v4.16b,v5.16b + ld1 {v16.4s},[x3],#16 + add v17.4s,v17.4s,v7.4s +.long 0x5e282887 //sha256su0 v7.16b,v4.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 v1.16b,v2.16b,v17.4s +.long 0x5e0660a7 //sha256su1 v7.16b,v5.16b,v6.16b + ld1 {v17.4s},[x3],#16 + add v16.4s,v16.4s,v4.4s +.long 0x5e2828a4 //sha256su0 v4.16b,v5.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s +.long 0x5e0760c4 //sha256su1 v4.16b,v6.16b,v7.16b + ld1 {v16.4s},[x3],#16 + add v17.4s,v17.4s,v5.4s +.long 0x5e2828c5 //sha256su0 v5.16b,v6.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 v1.16b,v2.16b,v17.4s +.long 0x5e0460e5 //sha256su1 v5.16b,v7.16b,v4.16b + ld1 {v17.4s},[x3],#16 + add v16.4s,v16.4s,v6.4s +.long 0x5e2828e6 //sha256su0 v6.16b,v7.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s +.long 0x5e056086 //sha256su1 v6.16b,v4.16b,v5.16b + ld1 {v16.4s},[x3],#16 + add v17.4s,v17.4s,v7.4s +.long 0x5e282887 //sha256su0 v7.16b,v4.16b + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 v1.16b,v2.16b,v17.4s +.long 0x5e0660a7 //sha256su1 v7.16b,v5.16b,v6.16b + ld1 {v17.4s},[x3],#16 + add v16.4s,v16.4s,v4.4s + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s + + ld1 {v16.4s},[x3],#16 + add v17.4s,v17.4s,v5.4s + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 
v1.16b,v2.16b,v17.4s + + ld1 {v17.4s},[x3] + add v16.4s,v16.4s,v6.4s + sub x3,x3,#64*4-16 // rewind + orr v2.16b,v0.16b,v0.16b +.long 0x5e104020 //sha256h v0.16b,v1.16b,v16.4s +.long 0x5e105041 //sha256h2 v1.16b,v2.16b,v16.4s + + add v17.4s,v17.4s,v7.4s + orr v2.16b,v0.16b,v0.16b +.long 0x5e114020 //sha256h v0.16b,v1.16b,v17.4s +.long 0x5e115041 //sha256h2 v1.16b,v2.16b,v17.4s + + add v0.4s,v0.4s,v18.4s + add v1.4s,v1.4s,v19.4s + + cbnz x2,Loop_hw + + st1 {v0.4s,v1.4s},[x0] + + ldr x29,[sp],#16 + ret + +#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-apple.S index 0c63d3f54..b9cc8a5e8 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -8,27 +7,13 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - -.globl _sha256_block_data_order -.private_extern _sha256_block_data_order +.globl _sha256_block_data_order_nohw +.private_extern _sha256_block_data_order_nohw .p2align 4 -_sha256_block_data_order: +_sha256_block_data_order_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - testl $536870912,%r11d - jnz L$shaext_shortcut - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je L$avx_shortcut - testl $512,%r10d - jnz L$ssse3_shortcut movq %rsp,%rax pushq %rbx @@ -1780,11 +1765,13 @@ K256: .long 0xffffffff,0xffffffff,0x03020100,0x0b0a0908 .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text +.globl _sha256_block_data_order_hw +.private_extern _sha256_block_data_order_hw .p2align 6 -sha256_block_data_order_shaext: +_sha256_block_data_order_hw: -L$shaext_shortcut: +_CET_ENDBR leaq K256+128(%rip),%rcx movdqu (%rdi),%xmm1 movdqu 16(%rdi),%xmm2 @@ -1989,11 +1976,13 @@ L$oop_shaext: ret +.globl _sha256_block_data_order_ssse3 +.private_extern _sha256_block_data_order_ssse3 .p2align 6 -sha256_block_data_order_ssse3: +_sha256_block_data_order_ssse3: -L$ssse3_shortcut: +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -3102,11 +3091,13 @@ L$epilogue_ssse3: ret +.globl _sha256_block_data_order_avx +.private_extern _sha256_block_data_order_avx .p2align 6 -sha256_block_data_order_avx: +_sha256_block_data_order_avx: -L$avx_shortcut: +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -4178,7 +4169,6 @@ L$epilogue_avx: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-linux.S index 24f33b1cb..3552dbbf6 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha256-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha256-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,28 +7,13 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P -.globl sha256_block_data_order -.hidden sha256_block_data_order -.type sha256_block_data_order,@function +.globl sha256_block_data_order_nohw +.hidden sha256_block_data_order_nohw +.type sha256_block_data_order_nohw,@function .align 16 -sha256_block_data_order: +sha256_block_data_order_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - testl $536870912,%r11d - jnz .Lshaext_shortcut - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je .Lavx_shortcut - testl $512,%r10d - jnz .Lssse3_shortcut movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -1735,7 +1719,7 @@ _CET_ENDBR .Lepilogue: ret .cfi_endproc -.size sha256_block_data_order,.-sha256_block_data_order +.size sha256_block_data_order_nohw,.-sha256_block_data_order_nohw .section .rodata .align 64 .type K256,@object 
@@ -1781,11 +1765,13 @@ K256: .long 0xffffffff,0xffffffff,0x03020100,0x0b0a0908 .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text -.type sha256_block_data_order_shaext,@function +.globl sha256_block_data_order_hw +.hidden sha256_block_data_order_hw +.type sha256_block_data_order_hw,@function .align 64 -sha256_block_data_order_shaext: +sha256_block_data_order_hw: .cfi_startproc -.Lshaext_shortcut: +_CET_ENDBR leaq K256+128(%rip),%rcx movdqu (%rdi),%xmm1 movdqu 16(%rdi),%xmm2 @@ -1989,12 +1975,14 @@ sha256_block_data_order_shaext: movdqu %xmm2,16(%rdi) ret .cfi_endproc -.size sha256_block_data_order_shaext,.-sha256_block_data_order_shaext +.size sha256_block_data_order_hw,.-sha256_block_data_order_hw +.globl sha256_block_data_order_ssse3 +.hidden sha256_block_data_order_ssse3 .type sha256_block_data_order_ssse3,@function .align 64 sha256_block_data_order_ssse3: .cfi_startproc -.Lssse3_shortcut: +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -3103,11 +3091,13 @@ sha256_block_data_order_ssse3: ret .cfi_endproc .size sha256_block_data_order_ssse3,.-sha256_block_data_order_ssse3 +.globl sha256_block_data_order_avx +.hidden sha256_block_data_order_avx .type sha256_block_data_order_avx,@function .align 64 sha256_block_data_order_avx: .cfi_startproc -.Lavx_shortcut: +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -4179,7 +4169,6 @@ sha256_block_data_order_avx: .cfi_endproc .size sha256_block_data_order_avx,.-sha256_block_data_order_avx #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/sha512-586-apple.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-586-apple.S new file mode 100644 index 000000000..49b20a75b 
--- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-586-apple.S 
@@ -0,0 +1,2411 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _sha512_block_data_order_nohw +.private_extern _sha512_block_data_order_nohw +.align 4 +_sha512_block_data_order_nohw: +L_sha512_block_data_order_nohw_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call L000pic_point +L000pic_point: + popl %ebp + leal LK512-L000pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $7,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) + movq (%esi),%mm0 + movq 8(%esi),%mm1 + movq 16(%esi),%mm2 + movq 24(%esi),%mm3 + movq 32(%esi),%mm4 + movq 40(%esi),%mm5 + movq 48(%esi),%mm6 + movq 56(%esi),%mm7 + subl $80,%esp + jmp L001loop_sse2 +.align 4,0x90 +L001loop_sse2: + movq %mm1,8(%esp) + movq %mm2,16(%esp) + movq %mm3,24(%esp) + movq %mm5,40(%esp) + movq %mm6,48(%esp) + pxor %mm1,%mm2 + movq %mm7,56(%esp) + movq %mm0,%mm3 + movl (%edi),%eax + movl 4(%edi),%ebx + addl $8,%edi + movl $15,%edx + bswap %eax + bswap %ebx + jmp L00200_14_sse2 +.align 4,0x90 +L00200_14_sse2: + movd %eax,%mm1 + movl (%edi),%eax + movd %ebx,%mm7 + movl 4(%edi),%ebx + addl $8,%edi + bswap %eax + bswap %ebx + punpckldq %mm1,%mm7 + movq %mm4,%mm1 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,32(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + movq %mm3,%mm0 + movq %mm7,72(%esp) + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + paddq (%ebp),%mm7 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + 
movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + subl $8,%esp + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 40(%esp),%mm5 + paddq %mm2,%mm3 + movq %mm0,%mm2 + addl $8,%ebp + paddq %mm6,%mm3 + movq 48(%esp),%mm6 + decl %edx + jnz L00200_14_sse2 + movd %eax,%mm1 + movd %ebx,%mm7 + punpckldq %mm1,%mm7 + movq %mm4,%mm1 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,32(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + movq %mm3,%mm0 + movq %mm7,72(%esp) + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + paddq (%ebp),%mm7 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + subl $8,%esp + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 192(%esp),%mm7 + paddq %mm2,%mm3 + movq %mm0,%mm2 + addl $8,%ebp + paddq %mm6,%mm3 + pxor %mm0,%mm0 + movl $32,%edx + jmp L00316_79_sse2 +.align 4,0x90 +L00316_79_sse2: + movq 88(%esp),%mm5 + movq %mm7,%mm1 + psrlq $1,%mm7 + movq %mm5,%mm6 + psrlq $6,%mm5 + psllq $56,%mm1 + paddq %mm3,%mm0 + movq %mm7,%mm3 + psrlq $6,%mm7 + pxor %mm1,%mm3 + psllq $7,%mm1 + pxor %mm7,%mm3 + psrlq $1,%mm7 + pxor %mm1,%mm3 + movq %mm5,%mm1 + psrlq $13,%mm5 + pxor %mm3,%mm7 + psllq $3,%mm6 + pxor %mm5,%mm1 + paddq 200(%esp),%mm7 + pxor %mm6,%mm1 + psrlq $42,%mm5 + paddq 128(%esp),%mm7 + pxor %mm5,%mm1 + psllq $42,%mm6 + movq 40(%esp),%mm5 + pxor %mm6,%mm1 + movq 48(%esp),%mm6 + paddq %mm1,%mm7 + movq %mm4,%mm1 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq 
%mm4,32(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + movq %mm7,72(%esp) + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + paddq (%ebp),%mm7 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + subl $8,%esp + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 192(%esp),%mm7 + paddq %mm6,%mm2 + addl $8,%ebp + movq 88(%esp),%mm5 + movq %mm7,%mm1 + psrlq $1,%mm7 + movq %mm5,%mm6 + psrlq $6,%mm5 + psllq $56,%mm1 + paddq %mm3,%mm2 + movq %mm7,%mm3 + psrlq $6,%mm7 + pxor %mm1,%mm3 + psllq $7,%mm1 + pxor %mm7,%mm3 + psrlq $1,%mm7 + pxor %mm1,%mm3 + movq %mm5,%mm1 + psrlq $13,%mm5 + pxor %mm3,%mm7 + psllq $3,%mm6 + pxor %mm5,%mm1 + paddq 200(%esp),%mm7 + pxor %mm6,%mm1 + psrlq $42,%mm5 + paddq 128(%esp),%mm7 + pxor %mm5,%mm1 + psllq $42,%mm6 + movq 40(%esp),%mm5 + pxor %mm6,%mm1 + movq 48(%esp),%mm6 + paddq %mm1,%mm7 + movq %mm4,%mm1 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,32(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + movq %mm7,72(%esp) + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + paddq (%ebp),%mm7 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + subl $8,%esp + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + 
pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 192(%esp),%mm7 + paddq %mm6,%mm0 + addl $8,%ebp + decl %edx + jnz L00316_79_sse2 + paddq %mm3,%mm0 + movq 8(%esp),%mm1 + movq 24(%esp),%mm3 + movq 40(%esp),%mm5 + movq 48(%esp),%mm6 + movq 56(%esp),%mm7 + pxor %mm1,%mm2 + paddq (%esi),%mm0 + paddq 8(%esi),%mm1 + paddq 16(%esi),%mm2 + paddq 24(%esi),%mm3 + paddq 32(%esi),%mm4 + paddq 40(%esi),%mm5 + paddq 48(%esi),%mm6 + paddq 56(%esi),%mm7 + movl $640,%eax + movq %mm0,(%esi) + movq %mm1,8(%esi) + movq %mm2,16(%esi) + movq %mm3,24(%esi) + movq %mm4,32(%esi) + movq %mm5,40(%esi) + movq %mm6,48(%esi) + movq %mm7,56(%esi) + leal (%esp,%eax,1),%esp + subl %eax,%ebp + cmpl 88(%esp),%edi + jb L001loop_sse2 + movl 92(%esp),%esp + emms + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _sha512_block_data_order_ssse3 +.private_extern _sha512_block_data_order_ssse3 +.align 4 +_sha512_block_data_order_ssse3: +L_sha512_block_data_order_ssse3_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call L004pic_point +L004pic_point: + popl %ebp + leal LK512-L004pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $7,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) + movq (%esi),%mm0 + movq 8(%esi),%mm1 + movq 16(%esi),%mm2 + movq 24(%esi),%mm3 + movq 32(%esi),%mm4 + movq 40(%esi),%mm5 + movq 48(%esi),%mm6 + movq 56(%esi),%mm7 + leal -64(%esp),%edx + subl $256,%esp + movdqa 640(%ebp),%xmm1 + movdqu (%edi),%xmm0 +.byte 102,15,56,0,193 + movdqa (%ebp),%xmm3 + movdqa %xmm1,%xmm2 + movdqu 16(%edi),%xmm1 + paddq %xmm0,%xmm3 +.byte 102,15,56,0,202 + movdqa %xmm3,-128(%edx) + movdqa 16(%ebp),%xmm4 + movdqa %xmm2,%xmm3 + movdqu 32(%edi),%xmm2 + paddq %xmm1,%xmm4 +.byte 102,15,56,0,211 + movdqa %xmm4,-112(%edx) + movdqa 32(%ebp),%xmm5 + movdqa %xmm3,%xmm4 + movdqu 48(%edi),%xmm3 + paddq %xmm2,%xmm5 +.byte 102,15,56,0,220 + movdqa 
%xmm5,-96(%edx) + movdqa 48(%ebp),%xmm6 + movdqa %xmm4,%xmm5 + movdqu 64(%edi),%xmm4 + paddq %xmm3,%xmm6 +.byte 102,15,56,0,229 + movdqa %xmm6,-80(%edx) + movdqa 64(%ebp),%xmm7 + movdqa %xmm5,%xmm6 + movdqu 80(%edi),%xmm5 + paddq %xmm4,%xmm7 +.byte 102,15,56,0,238 + movdqa %xmm7,-64(%edx) + movdqa %xmm0,(%edx) + movdqa 80(%ebp),%xmm0 + movdqa %xmm6,%xmm7 + movdqu 96(%edi),%xmm6 + paddq %xmm5,%xmm0 +.byte 102,15,56,0,247 + movdqa %xmm0,-48(%edx) + movdqa %xmm1,16(%edx) + movdqa 96(%ebp),%xmm1 + movdqa %xmm7,%xmm0 + movdqu 112(%edi),%xmm7 + paddq %xmm6,%xmm1 +.byte 102,15,56,0,248 + movdqa %xmm1,-32(%edx) + movdqa %xmm2,32(%edx) + movdqa 112(%ebp),%xmm2 + movdqa (%edx),%xmm0 + paddq %xmm7,%xmm2 + movdqa %xmm2,-16(%edx) + nop +.align 5,0x90 +L005loop_ssse3: + movdqa 16(%edx),%xmm2 + movdqa %xmm3,48(%edx) + leal 128(%ebp),%ebp + movq %mm1,8(%esp) + movl %edi,%ebx + movq %mm2,16(%esp) + leal 128(%edi),%edi + movq %mm3,24(%esp) + cmpl %eax,%edi + movq %mm5,40(%esp) + cmovbl %edi,%ebx + movq %mm6,48(%esp) + movl $4,%ecx + pxor %mm1,%mm2 + movq %mm7,56(%esp) + pxor %mm3,%mm3 + jmp L00600_47_ssse3 +.align 5,0x90 +L00600_47_ssse3: + movdqa %xmm5,%xmm3 + movdqa %xmm2,%xmm1 +.byte 102,15,58,15,208,8 + movdqa %xmm4,(%edx) +.byte 102,15,58,15,220,8 + movdqa %xmm2,%xmm4 + psrlq $7,%xmm2 + paddq %xmm3,%xmm0 + movdqa %xmm4,%xmm3 + psrlq $1,%xmm4 + psllq $56,%xmm3 + pxor %xmm4,%xmm2 + psrlq $7,%xmm4 + pxor %xmm3,%xmm2 + psllq $7,%xmm3 + pxor %xmm4,%xmm2 + movdqa %xmm7,%xmm4 + pxor %xmm3,%xmm2 + movdqa %xmm7,%xmm3 + psrlq $6,%xmm4 + paddq %xmm2,%xmm0 + movdqa %xmm7,%xmm2 + psrlq $19,%xmm3 + psllq $3,%xmm2 + pxor %xmm3,%xmm4 + psrlq $42,%xmm3 + pxor %xmm2,%xmm4 + psllq $42,%xmm2 + pxor %xmm3,%xmm4 + movdqa 32(%edx),%xmm3 + pxor %xmm2,%xmm4 + movdqa (%ebp),%xmm2 + movq %mm4,%mm1 + paddq %xmm4,%xmm0 + movq -128(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,32(%esp) + paddq %xmm0,%xmm2 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor 
%mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 32(%esp),%mm5 + paddq %mm6,%mm2 + movq 40(%esp),%mm6 + movq %mm4,%mm1 + movq -120(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,24(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,56(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 48(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 16(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq (%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 24(%esp),%mm5 + paddq %mm6,%mm0 + movq 32(%esp),%mm6 + movdqa %xmm2,-128(%edx) + movdqa %xmm6,%xmm4 + movdqa %xmm3,%xmm2 +.byte 102,15,58,15,217,8 + movdqa %xmm5,16(%edx) +.byte 102,15,58,15,229,8 + movdqa %xmm3,%xmm5 + psrlq $7,%xmm3 + paddq %xmm4,%xmm1 + movdqa %xmm5,%xmm4 + psrlq $1,%xmm5 + psllq $56,%xmm4 + pxor %xmm5,%xmm3 + psrlq $7,%xmm5 + pxor %xmm4,%xmm3 + psllq $7,%xmm4 + pxor %xmm5,%xmm3 + movdqa %xmm0,%xmm5 + pxor %xmm4,%xmm3 + movdqa %xmm0,%xmm4 + psrlq $6,%xmm5 + paddq %xmm3,%xmm1 + movdqa %xmm0,%xmm3 + psrlq $19,%xmm4 + psllq $3,%xmm3 + pxor %xmm4,%xmm5 + psrlq $42,%xmm4 + pxor %xmm3,%xmm5 
+ psllq $42,%xmm3 + pxor %xmm4,%xmm5 + movdqa 48(%edx),%xmm4 + pxor %xmm3,%xmm5 + movdqa 16(%ebp),%xmm3 + movq %mm4,%mm1 + paddq %xmm5,%xmm1 + movq -112(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,16(%esp) + paddq %xmm1,%xmm3 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,48(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 40(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 8(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 56(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 16(%esp),%mm5 + paddq %mm6,%mm2 + movq 24(%esp),%mm6 + movq %mm4,%mm1 + movq -104(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,8(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,40(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 32(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq (%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 48(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 8(%esp),%mm5 + paddq %mm6,%mm0 + movq 16(%esp),%mm6 + movdqa %xmm3,-112(%edx) + movdqa %xmm7,%xmm5 + movdqa %xmm4,%xmm3 +.byte 102,15,58,15,226,8 + movdqa %xmm6,32(%edx) +.byte 102,15,58,15,238,8 + movdqa %xmm4,%xmm6 + psrlq $7,%xmm4 + paddq %xmm5,%xmm2 + movdqa %xmm6,%xmm5 + 
psrlq $1,%xmm6 + psllq $56,%xmm5 + pxor %xmm6,%xmm4 + psrlq $7,%xmm6 + pxor %xmm5,%xmm4 + psllq $7,%xmm5 + pxor %xmm6,%xmm4 + movdqa %xmm1,%xmm6 + pxor %xmm5,%xmm4 + movdqa %xmm1,%xmm5 + psrlq $6,%xmm6 + paddq %xmm4,%xmm2 + movdqa %xmm1,%xmm4 + psrlq $19,%xmm5 + psllq $3,%xmm4 + pxor %xmm5,%xmm6 + psrlq $42,%xmm5 + pxor %xmm4,%xmm6 + psllq $42,%xmm4 + pxor %xmm5,%xmm6 + movdqa (%edx),%xmm5 + pxor %xmm4,%xmm6 + movdqa 32(%ebp),%xmm4 + movq %mm4,%mm1 + paddq %xmm6,%xmm2 + movq -96(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,(%esp) + paddq %xmm2,%xmm4 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,32(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 24(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 56(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 40(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq (%esp),%mm5 + paddq %mm6,%mm2 + movq 8(%esp),%mm6 + movq %mm4,%mm1 + movq -88(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,56(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,24(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 16(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 48(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 32(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor 
%mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 56(%esp),%mm5 + paddq %mm6,%mm0 + movq (%esp),%mm6 + movdqa %xmm4,-96(%edx) + movdqa %xmm0,%xmm6 + movdqa %xmm5,%xmm4 +.byte 102,15,58,15,235,8 + movdqa %xmm7,48(%edx) +.byte 102,15,58,15,247,8 + movdqa %xmm5,%xmm7 + psrlq $7,%xmm5 + paddq %xmm6,%xmm3 + movdqa %xmm7,%xmm6 + psrlq $1,%xmm7 + psllq $56,%xmm6 + pxor %xmm7,%xmm5 + psrlq $7,%xmm7 + pxor %xmm6,%xmm5 + psllq $7,%xmm6 + pxor %xmm7,%xmm5 + movdqa %xmm2,%xmm7 + pxor %xmm6,%xmm5 + movdqa %xmm2,%xmm6 + psrlq $6,%xmm7 + paddq %xmm5,%xmm3 + movdqa %xmm2,%xmm5 + psrlq $19,%xmm6 + psllq $3,%xmm5 + pxor %xmm6,%xmm7 + psrlq $42,%xmm6 + pxor %xmm5,%xmm7 + psllq $42,%xmm5 + pxor %xmm6,%xmm7 + movdqa 16(%edx),%xmm6 + pxor %xmm5,%xmm7 + movdqa 48(%ebp),%xmm5 + movq %mm4,%mm1 + paddq %xmm7,%xmm3 + movq -80(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,48(%esp) + paddq %xmm3,%xmm5 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,16(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 8(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 40(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 24(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 48(%esp),%mm5 + paddq %mm6,%mm2 + movq 56(%esp),%mm6 + movq %mm4,%mm1 + movq -72(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,40(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,8(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq (%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor 
%mm4,%mm3 + movq 32(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 16(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 40(%esp),%mm5 + paddq %mm6,%mm0 + movq 48(%esp),%mm6 + movdqa %xmm5,-80(%edx) + movdqa %xmm1,%xmm7 + movdqa %xmm6,%xmm5 +.byte 102,15,58,15,244,8 + movdqa %xmm0,(%edx) +.byte 102,15,58,15,248,8 + movdqa %xmm6,%xmm0 + psrlq $7,%xmm6 + paddq %xmm7,%xmm4 + movdqa %xmm0,%xmm7 + psrlq $1,%xmm0 + psllq $56,%xmm7 + pxor %xmm0,%xmm6 + psrlq $7,%xmm0 + pxor %xmm7,%xmm6 + psllq $7,%xmm7 + pxor %xmm0,%xmm6 + movdqa %xmm3,%xmm0 + pxor %xmm7,%xmm6 + movdqa %xmm3,%xmm7 + psrlq $6,%xmm0 + paddq %xmm6,%xmm4 + movdqa %xmm3,%xmm6 + psrlq $19,%xmm7 + psllq $3,%xmm6 + pxor %xmm7,%xmm0 + psrlq $42,%xmm7 + pxor %xmm6,%xmm0 + psllq $42,%xmm6 + pxor %xmm7,%xmm0 + movdqa 32(%edx),%xmm7 + pxor %xmm6,%xmm0 + movdqa 64(%ebp),%xmm6 + movq %mm4,%mm1 + paddq %xmm0,%xmm4 + movq -64(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,32(%esp) + paddq %xmm4,%xmm6 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 32(%esp),%mm5 + paddq %mm6,%mm2 + movq 40(%esp),%mm6 + movq %mm4,%mm1 + movq -56(%edx),%mm7 + pxor 
%mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,24(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,56(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 48(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 16(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq (%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 24(%esp),%mm5 + paddq %mm6,%mm0 + movq 32(%esp),%mm6 + movdqa %xmm6,-64(%edx) + movdqa %xmm2,%xmm0 + movdqa %xmm7,%xmm6 +.byte 102,15,58,15,253,8 + movdqa %xmm1,16(%edx) +.byte 102,15,58,15,193,8 + movdqa %xmm7,%xmm1 + psrlq $7,%xmm7 + paddq %xmm0,%xmm5 + movdqa %xmm1,%xmm0 + psrlq $1,%xmm1 + psllq $56,%xmm0 + pxor %xmm1,%xmm7 + psrlq $7,%xmm1 + pxor %xmm0,%xmm7 + psllq $7,%xmm0 + pxor %xmm1,%xmm7 + movdqa %xmm4,%xmm1 + pxor %xmm0,%xmm7 + movdqa %xmm4,%xmm0 + psrlq $6,%xmm1 + paddq %xmm7,%xmm5 + movdqa %xmm4,%xmm7 + psrlq $19,%xmm0 + psllq $3,%xmm7 + pxor %xmm0,%xmm1 + psrlq $42,%xmm0 + pxor %xmm7,%xmm1 + psllq $42,%xmm7 + pxor %xmm0,%xmm1 + movdqa 48(%edx),%xmm0 + pxor %xmm7,%xmm1 + movdqa 80(%ebp),%xmm7 + movq %mm4,%mm1 + paddq %xmm1,%xmm5 + movq -48(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,16(%esp) + paddq %xmm5,%xmm7 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,48(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 40(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 8(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq 
$25,%mm6 + movq 56(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 16(%esp),%mm5 + paddq %mm6,%mm2 + movq 24(%esp),%mm6 + movq %mm4,%mm1 + movq -40(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,8(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,40(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 32(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq (%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 48(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 8(%esp),%mm5 + paddq %mm6,%mm0 + movq 16(%esp),%mm6 + movdqa %xmm7,-48(%edx) + movdqa %xmm3,%xmm1 + movdqa %xmm0,%xmm7 +.byte 102,15,58,15,198,8 + movdqa %xmm2,32(%edx) +.byte 102,15,58,15,202,8 + movdqa %xmm0,%xmm2 + psrlq $7,%xmm0 + paddq %xmm1,%xmm6 + movdqa %xmm2,%xmm1 + psrlq $1,%xmm2 + psllq $56,%xmm1 + pxor %xmm2,%xmm0 + psrlq $7,%xmm2 + pxor %xmm1,%xmm0 + psllq $7,%xmm1 + pxor %xmm2,%xmm0 + movdqa %xmm5,%xmm2 + pxor %xmm1,%xmm0 + movdqa %xmm5,%xmm1 + psrlq $6,%xmm2 + paddq %xmm0,%xmm6 + movdqa %xmm5,%xmm0 + psrlq $19,%xmm1 + psllq $3,%xmm0 + pxor %xmm1,%xmm2 + psrlq $42,%xmm1 + pxor %xmm0,%xmm2 + psllq $42,%xmm0 + pxor %xmm1,%xmm2 + movdqa (%edx),%xmm1 + pxor %xmm0,%xmm2 + movdqa 96(%ebp),%xmm0 + movq %mm4,%mm1 + paddq %xmm2,%xmm6 + movq -32(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,(%esp) + paddq %xmm6,%xmm0 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + 
pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,32(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 24(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 56(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 40(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq (%esp),%mm5 + paddq %mm6,%mm2 + movq 8(%esp),%mm6 + movq %mm4,%mm1 + movq -24(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,56(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,24(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 16(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 48(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 32(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 56(%esp),%mm5 + paddq %mm6,%mm0 + movq (%esp),%mm6 + movdqa %xmm0,-32(%edx) + movdqa %xmm4,%xmm2 + movdqa %xmm1,%xmm0 +.byte 102,15,58,15,207,8 + movdqa %xmm3,48(%edx) +.byte 102,15,58,15,211,8 + movdqa %xmm1,%xmm3 + psrlq $7,%xmm1 + paddq %xmm2,%xmm7 + movdqa %xmm3,%xmm2 + psrlq $1,%xmm3 + psllq $56,%xmm2 + pxor %xmm3,%xmm1 + psrlq $7,%xmm3 + pxor %xmm2,%xmm1 + psllq $7,%xmm2 + pxor %xmm3,%xmm1 + movdqa %xmm6,%xmm3 + pxor %xmm2,%xmm1 + movdqa %xmm6,%xmm2 + psrlq $6,%xmm3 + paddq %xmm1,%xmm7 + movdqa %xmm6,%xmm1 + psrlq $19,%xmm2 + psllq $3,%xmm1 + pxor %xmm2,%xmm3 + psrlq $42,%xmm2 + pxor %xmm1,%xmm3 + psllq 
$42,%xmm1 + pxor %xmm2,%xmm3 + movdqa 16(%edx),%xmm2 + pxor %xmm1,%xmm3 + movdqa 112(%ebp),%xmm1 + movq %mm4,%mm1 + paddq %xmm3,%xmm7 + movq -16(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,48(%esp) + paddq %xmm7,%xmm1 + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,16(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 8(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 40(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 24(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 48(%esp),%mm5 + paddq %mm6,%mm2 + movq 56(%esp),%mm6 + movq %mm4,%mm1 + movq -8(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,40(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,8(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq (%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 32(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 16(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 40(%esp),%mm5 + paddq %mm6,%mm0 + movq 48(%esp),%mm6 + movdqa %xmm1,-16(%edx) + leal 128(%ebp),%ebp + decl %ecx + jnz L00600_47_ssse3 + movdqa (%ebp),%xmm1 + leal -640(%ebp),%ebp + movdqu (%ebx),%xmm0 +.byte 102,15,56,0,193 + movdqa (%ebp),%xmm3 + movdqa %xmm1,%xmm2 + movdqu 16(%ebx),%xmm1 
+ paddq %xmm0,%xmm3 +.byte 102,15,56,0,202 + movq %mm4,%mm1 + movq -128(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,32(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 32(%esp),%mm5 + paddq %mm6,%mm2 + movq 40(%esp),%mm6 + movq %mm4,%mm1 + movq -120(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,24(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,56(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 48(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 16(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq (%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 24(%esp),%mm5 + paddq %mm6,%mm0 + movq 32(%esp),%mm6 + movdqa %xmm3,-128(%edx) + movdqa 16(%ebp),%xmm4 + movdqa %xmm2,%xmm3 + movdqu 32(%ebx),%xmm2 + paddq %xmm1,%xmm4 +.byte 102,15,56,0,211 + movq %mm4,%mm1 + movq -112(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,16(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor 
%mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,48(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 40(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 8(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 56(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 16(%esp),%mm5 + paddq %mm6,%mm2 + movq 24(%esp),%mm6 + movq %mm4,%mm1 + movq -104(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,8(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,40(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 32(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq (%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 48(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 8(%esp),%mm5 + paddq %mm6,%mm0 + movq 16(%esp),%mm6 + movdqa %xmm4,-112(%edx) + movdqa 32(%ebp),%xmm5 + movdqa %xmm3,%xmm4 + movdqu 48(%ebx),%xmm3 + paddq %xmm2,%xmm5 +.byte 102,15,56,0,220 + movq %mm4,%mm1 + movq -96(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,32(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 24(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 56(%esp),%mm4 + paddq 
%mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 40(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq (%esp),%mm5 + paddq %mm6,%mm2 + movq 8(%esp),%mm6 + movq %mm4,%mm1 + movq -88(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,56(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,24(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 16(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 48(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 32(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 56(%esp),%mm5 + paddq %mm6,%mm0 + movq (%esp),%mm6 + movdqa %xmm5,-96(%edx) + movdqa 48(%ebp),%xmm6 + movdqa %xmm4,%xmm5 + movdqu 64(%ebx),%xmm4 + paddq %xmm3,%xmm6 +.byte 102,15,56,0,229 + movq %mm4,%mm1 + movq -80(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,48(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,16(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 8(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 40(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 24(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + 
pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 48(%esp),%mm5 + paddq %mm6,%mm2 + movq 56(%esp),%mm6 + movq %mm4,%mm1 + movq -72(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,40(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,8(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq (%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 32(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 16(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 40(%esp),%mm5 + paddq %mm6,%mm0 + movq 48(%esp),%mm6 + movdqa %xmm6,-80(%edx) + movdqa 64(%ebp),%xmm7 + movdqa %xmm5,%xmm6 + movdqu 80(%ebx),%xmm5 + paddq %xmm4,%xmm7 +.byte 102,15,56,0,238 + movq %mm4,%mm1 + movq -64(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,32(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 56(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 24(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 8(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 32(%esp),%mm5 + paddq %mm6,%mm2 + movq 40(%esp),%mm6 + movq %mm4,%mm1 + movq -56(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq 
%mm4,24(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,56(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 48(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 16(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq (%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 24(%esp),%mm5 + paddq %mm6,%mm0 + movq 32(%esp),%mm6 + movdqa %xmm7,-64(%edx) + movdqa %xmm0,(%edx) + movdqa 80(%ebp),%xmm0 + movdqa %xmm6,%xmm7 + movdqu 96(%ebx),%xmm6 + paddq %xmm5,%xmm0 +.byte 102,15,56,0,247 + movq %mm4,%mm1 + movq -48(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,16(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,48(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 40(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 8(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 56(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 16(%esp),%mm5 + paddq %mm6,%mm2 + movq 24(%esp),%mm6 + movq %mm4,%mm1 + movq -40(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,8(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,40(%esp) + paddq %mm5,%mm7 + pxor 
%mm4,%mm3 + psrlq $23,%mm1 + paddq 32(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq (%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 48(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 8(%esp),%mm5 + paddq %mm6,%mm0 + movq 16(%esp),%mm6 + movdqa %xmm0,-48(%edx) + movdqa %xmm1,16(%edx) + movdqa 96(%ebp),%xmm1 + movdqa %xmm7,%xmm0 + movdqu 112(%ebx),%xmm7 + paddq %xmm6,%xmm1 +.byte 102,15,56,0,248 + movq %mm4,%mm1 + movq -32(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,32(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 24(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 56(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 40(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq (%esp),%mm5 + paddq %mm6,%mm2 + movq 8(%esp),%mm6 + movq %mm4,%mm1 + movq -24(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,56(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,24(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 16(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 48(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq 
%mm5,%mm7 + psllq $25,%mm6 + movq 32(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 56(%esp),%mm5 + paddq %mm6,%mm0 + movq (%esp),%mm6 + movdqa %xmm1,-32(%edx) + movdqa %xmm2,32(%edx) + movdqa 112(%ebp),%xmm2 + movdqa (%edx),%xmm0 + paddq %xmm7,%xmm2 + movq %mm4,%mm1 + movq -16(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,48(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm0 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm0,16(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq 8(%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 40(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm0,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm0,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 24(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm0,%mm2 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + pxor %mm7,%mm6 + movq 48(%esp),%mm5 + paddq %mm6,%mm2 + movq 56(%esp),%mm6 + movq %mm4,%mm1 + movq -8(%edx),%mm7 + pxor %mm6,%mm5 + psrlq $14,%mm1 + movq %mm4,40(%esp) + pand %mm4,%mm5 + psllq $23,%mm4 + paddq %mm3,%mm2 + movq %mm1,%mm3 + psrlq $4,%mm1 + pxor %mm6,%mm5 + pxor %mm4,%mm3 + psllq $23,%mm4 + pxor %mm1,%mm3 + movq %mm2,8(%esp) + paddq %mm5,%mm7 + pxor %mm4,%mm3 + psrlq $23,%mm1 + paddq (%esp),%mm7 + pxor %mm1,%mm3 + psllq $4,%mm4 + pxor %mm4,%mm3 + movq 32(%esp),%mm4 + paddq %mm7,%mm3 + movq %mm2,%mm5 + psrlq $28,%mm5 + paddq %mm3,%mm4 + movq %mm2,%mm6 + movq %mm5,%mm7 + psllq $25,%mm6 + movq 16(%esp),%mm1 + psrlq $6,%mm5 + pxor %mm6,%mm7 + psllq $5,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm2 + psrlq $5,%mm5 + pxor %mm6,%mm7 + pand %mm2,%mm0 + psllq $6,%mm6 + pxor %mm5,%mm7 + pxor %mm1,%mm0 + pxor %mm7,%mm6 + movq 
40(%esp),%mm5 + paddq %mm6,%mm0 + movq 48(%esp),%mm6 + movdqa %xmm2,-16(%edx) + movq 8(%esp),%mm1 + paddq %mm3,%mm0 + movq 24(%esp),%mm3 + movq 56(%esp),%mm7 + pxor %mm1,%mm2 + paddq (%esi),%mm0 + paddq 8(%esi),%mm1 + paddq 16(%esi),%mm2 + paddq 24(%esi),%mm3 + paddq 32(%esi),%mm4 + paddq 40(%esi),%mm5 + paddq 48(%esi),%mm6 + paddq 56(%esi),%mm7 + movq %mm0,(%esi) + movq %mm1,8(%esi) + movq %mm2,16(%esi) + movq %mm3,24(%esi) + movq %mm4,32(%esi) + movq %mm5,40(%esi) + movq %mm6,48(%esi) + movq %mm7,56(%esi) + cmpl %eax,%edi + jb L005loop_ssse3 + movl 76(%edx),%esp + emms + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.align 6,0x90 +LK512: +.long 3609767458,1116352408 +.long 602891725,1899447441 +.long 3964484399,3049323471 +.long 2173295548,3921009573 +.long 4081628472,961987163 +.long 3053834265,1508970993 +.long 2937671579,2453635748 +.long 3664609560,2870763221 +.long 2734883394,3624381080 +.long 1164996542,310598401 +.long 1323610764,607225278 +.long 3590304994,1426881987 +.long 4068182383,1925078388 +.long 991336113,2162078206 +.long 633803317,2614888103 +.long 3479774868,3248222580 +.long 2666613458,3835390401 +.long 944711139,4022224774 +.long 2341262773,264347078 +.long 2007800933,604807628 +.long 1495990901,770255983 +.long 1856431235,1249150122 +.long 3175218132,1555081692 +.long 2198950837,1996064986 +.long 3999719339,2554220882 +.long 766784016,2821834349 +.long 2566594879,2952996808 +.long 3203337956,3210313671 +.long 1034457026,3336571891 +.long 2466948901,3584528711 +.long 3758326383,113926993 +.long 168717936,338241895 +.long 1188179964,666307205 +.long 1546045734,773529912 +.long 1522805485,1294757372 +.long 2643833823,1396182291 +.long 2343527390,1695183700 +.long 1014477480,1986661051 +.long 1206759142,2177026350 +.long 344077627,2456956037 +.long 1290863460,2730485921 +.long 3158454273,2820302411 +.long 3505952657,3259730800 +.long 106217008,3345764771 +.long 3606008344,3516065817 +.long 1432725776,3600352804 +.long 1467031594,4094571909 
+.long 851169720,275423344 +.long 3100823752,430227734 +.long 1363258195,506948616 +.long 3750685593,659060556 +.long 3785050280,883997877 +.long 3318307427,958139571 +.long 3812723403,1322822218 +.long 2003034995,1537002063 +.long 3602036899,1747873779 +.long 1575990012,1955562222 +.long 1125592928,2024104815 +.long 2716904306,2227730452 +.long 442776044,2361852424 +.long 593698344,2428436474 +.long 3733110249,2756734187 +.long 2999351573,3204031479 +.long 3815920427,3329325298 +.long 3928383900,3391569614 +.long 566280711,3515267271 +.long 3454069534,3940187606 +.long 4000239992,4118630271 +.long 1914138554,116418474 +.long 2731055270,174292421 +.long 3203993006,289380356 +.long 320620315,460393269 +.long 587496836,685471733 +.long 1086792851,852142971 +.long 365543100,1017036298 +.long 2618297676,1126000580 +.long 3409855158,1288033470 +.long 4234509866,1501505948 +.long 987167468,1607167915 +.long 1246189591,1816402316 +.long 67438087,66051 +.long 202182159,134810123 +.byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97 +.byte 110,115,102,111,114,109,32,102,111,114,32,120,56,54,44,32 +.byte 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 +.byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 +.byte 62,0 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-586-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-586-linux.S similarity index 83% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-586-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/sha512-586-linux.S index f7d65c365..6501204af 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-586-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-586-linux.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,12 +6,12 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text -.globl sha512_block_data_order -.hidden sha512_block_data_order -.type sha512_block_data_order,@function +.globl sha512_block_data_order_nohw +.hidden sha512_block_data_order_nohw +.type sha512_block_data_order_nohw,@function .align 16 -sha512_block_data_order: -.L_sha512_block_data_order_begin: +sha512_block_data_order_nohw: +.L_sha512_block_data_order_nohw_begin: pushl %ebp pushl %ebx pushl %esi @@ -24,7 +23,7 @@ sha512_block_data_order: call .L000pic_point .L000pic_point: popl %ebp - leal .L001K512-.L000pic_point(%ebp),%ebp + leal .LK512-.L000pic_point(%ebp),%ebp subl $16,%esp andl $-64,%esp shll $7,%eax @@ -33,28 +32,18 @@ sha512_block_data_order: movl %edi,4(%esp) movl %eax,8(%esp) movl %ebx,12(%esp) - leal OPENSSL_ia32cap_P-.L001K512(%ebp),%edx - movl (%edx),%ecx - testl $67108864,%ecx - jz .L002loop_x86 - movl 4(%edx),%edx movq (%esi),%mm0 - andl $16777216,%ecx movq 8(%esi),%mm1 - andl $512,%edx movq 16(%esi),%mm2 - orl %edx,%ecx movq 24(%esi),%mm3 movq 32(%esi),%mm4 movq 40(%esi),%mm5 movq 48(%esi),%mm6 movq 56(%esi),%mm7 - cmpl $16777728,%ecx - je .L003SSSE3 subl $80,%esp - jmp .L004loop_sse2 + jmp .L001loop_sse2 .align 16 -.L004loop_sse2: +.L001loop_sse2: movq %mm1,8(%esp) movq %mm2,16(%esp) movq %mm3,24(%esp) @@ -69,9 +58,9 @@ sha512_block_data_order: movl $15,%edx bswap %eax bswap %ebx - jmp .L00500_14_sse2 + jmp .L00200_14_sse2 .align 16 -.L00500_14_sse2: +.L00200_14_sse2: movd %eax,%mm1 movl (%edi),%eax movd %ebx,%mm7 @@ -132,7 +121,7 @@ sha512_block_data_order: paddq %mm6,%mm3 movq 48(%esp),%mm6 decl %edx - jnz .L00500_14_sse2 + jnz .L00200_14_sse2 movd %eax,%mm1 movd %ebx,%mm7 punpckldq %mm1,%mm7 
@@ -188,9 +177,9 @@ sha512_block_data_order: paddq %mm6,%mm3 pxor %mm0,%mm0 movl $32,%edx - jmp .L00616_79_sse2 + jmp .L00316_79_sse2 .align 16 -.L00616_79_sse2: +.L00316_79_sse2: movq 88(%esp),%mm5 movq %mm7,%mm1 psrlq $1,%mm7 @@ -344,7 +333,7 @@ sha512_block_data_order: paddq %mm6,%mm0 addl $8,%ebp decl %edx - jnz .L00616_79_sse2 + jnz .L00316_79_sse2 paddq %mm3,%mm0 movq 8(%esp),%mm1 movq 24(%esp),%mm3 @@ -372,7 +361,7 @@ sha512_block_data_order: leal (%esp,%eax,1),%esp subl %eax,%ebp cmpl 88(%esp),%edi - jb .L004loop_sse2 + jb .L001loop_sse2 movl 92(%esp),%esp emms popl %edi @@ -380,8 +369,41 @@ sha512_block_data_order: popl %ebx popl %ebp ret -.align 32 -.L003SSSE3: +.size sha512_block_data_order_nohw,.-.L_sha512_block_data_order_nohw_begin +.globl sha512_block_data_order_ssse3 +.hidden sha512_block_data_order_ssse3 +.type sha512_block_data_order_ssse3,@function +.align 16 +sha512_block_data_order_ssse3: +.L_sha512_block_data_order_ssse3_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl %esp,%ebx + call .L004pic_point +.L004pic_point: + popl %ebp + leal .LK512-.L004pic_point(%ebp),%ebp + subl $16,%esp + andl $-64,%esp + shll $7,%eax + addl %edi,%eax + movl %esi,(%esp) + movl %edi,4(%esp) + movl %eax,8(%esp) + movl %ebx,12(%esp) + movq (%esi),%mm0 + movq 8(%esi),%mm1 + movq 16(%esi),%mm2 + movq 24(%esi),%mm3 + movq 32(%esi),%mm4 + movq 40(%esi),%mm5 + movq 48(%esi),%mm6 + movq 56(%esi),%mm7 leal -64(%esp),%edx subl $256,%esp movdqa 640(%ebp),%xmm1 @@ -438,7 +460,7 @@ sha512_block_data_order: movdqa %xmm2,-16(%edx) nop .align 32 -.L007loop_ssse3: +.L005loop_ssse3: movdqa 16(%edx),%xmm2 movdqa %xmm3,48(%edx) leal 128(%ebp),%ebp @@ -455,9 +477,9 @@ sha512_block_data_order: pxor %mm1,%mm2 movq %mm7,56(%esp) pxor %mm3,%mm3 - jmp .L00800_47_ssse3 + jmp .L00600_47_ssse3 .align 32 -.L00800_47_ssse3: +.L00600_47_ssse3: movdqa %xmm5,%xmm3 movdqa %xmm2,%xmm1 .byte 102,15,58,15,208,8 
@@ -1476,7 +1498,7 @@ sha512_block_data_order: movdqa %xmm1,-16(%edx) leal 128(%ebp),%ebp decl %ecx - jnz .L00800_47_ssse3 + jnz .L00600_47_ssse3 movdqa (%ebp),%xmm1 leal -640(%ebp),%ebp movdqu (%ebx),%xmm0 @@ -2288,7 +2310,7 @@ sha512_block_data_order: movq %mm6,48(%esi) movq %mm7,56(%esi) cmpl %eax,%edi - jb .L007loop_ssse3 + jb .L005loop_ssse3 movl 76(%edx),%esp emms popl %edi 
@@ -2296,456 +2318,9 @@ sha512_block_data_order: popl %ebx popl %ebp ret -.align 16 -.L002loop_x86: - movl (%edi),%eax - movl 4(%edi),%ebx - movl 8(%edi),%ecx - movl 12(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - movl 16(%edi),%eax - movl 20(%edi),%ebx - movl 24(%edi),%ecx - movl 28(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - movl 32(%edi),%eax - movl 36(%edi),%ebx - movl 40(%edi),%ecx - movl 44(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - movl 48(%edi),%eax - movl 52(%edi),%ebx - movl 56(%edi),%ecx - movl 60(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - movl 64(%edi),%eax - movl 68(%edi),%ebx - movl 72(%edi),%ecx - movl 76(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - movl 80(%edi),%eax - movl 84(%edi),%ebx - movl 88(%edi),%ecx - movl 92(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - movl 96(%edi),%eax - movl 100(%edi),%ebx - movl 104(%edi),%ecx - movl 108(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - movl 112(%edi),%eax - movl 116(%edi),%ebx - movl 120(%edi),%ecx - movl 124(%edi),%edx - bswap %eax - bswap %ebx - bswap %ecx - bswap %edx - pushl %eax - pushl %ebx - pushl %ecx - pushl %edx - addl $128,%edi - subl $72,%esp - movl %edi,204(%esp) - leal 8(%esp),%edi - movl $16,%ecx -.long 2784229001 -.align 16 -.L00900_15_x86: - movl 40(%esp),%ecx - movl 44(%esp),%edx - movl %ecx,%esi - shrl $9,%ecx - movl %edx,%edi - shrl $9,%edx - movl %ecx,%ebx - shll $14,%esi - movl %edx,%eax - shll $14,%edi - xorl %esi,%ebx - shrl $5,%ecx - xorl %edi,%eax - shrl $5,%edx - xorl %ecx,%eax - 
shll $4,%esi - xorl %edx,%ebx - shll $4,%edi - xorl %esi,%ebx - shrl $4,%ecx - xorl %edi,%eax - shrl $4,%edx - xorl %ecx,%eax - shll $5,%esi - xorl %edx,%ebx - shll $5,%edi - xorl %esi,%eax - xorl %edi,%ebx - movl 48(%esp),%ecx - movl 52(%esp),%edx - movl 56(%esp),%esi - movl 60(%esp),%edi - addl 64(%esp),%eax - adcl 68(%esp),%ebx - xorl %esi,%ecx - xorl %edi,%edx - andl 40(%esp),%ecx - andl 44(%esp),%edx - addl 192(%esp),%eax - adcl 196(%esp),%ebx - xorl %esi,%ecx - xorl %edi,%edx - movl (%ebp),%esi - movl 4(%ebp),%edi - addl %ecx,%eax - adcl %edx,%ebx - movl 32(%esp),%ecx - movl 36(%esp),%edx - addl %esi,%eax - adcl %edi,%ebx - movl %eax,(%esp) - movl %ebx,4(%esp) - addl %ecx,%eax - adcl %edx,%ebx - movl 8(%esp),%ecx - movl 12(%esp),%edx - movl %eax,32(%esp) - movl %ebx,36(%esp) - movl %ecx,%esi - shrl $2,%ecx - movl %edx,%edi - shrl $2,%edx - movl %ecx,%ebx - shll $4,%esi - movl %edx,%eax - shll $4,%edi - xorl %esi,%ebx - shrl $5,%ecx - xorl %edi,%eax - shrl $5,%edx - xorl %ecx,%ebx - shll $21,%esi - xorl %edx,%eax - shll $21,%edi - xorl %esi,%eax - shrl $21,%ecx - xorl %edi,%ebx - shrl $21,%edx - xorl %ecx,%eax - shll $5,%esi - xorl %edx,%ebx - shll $5,%edi - xorl %esi,%eax - xorl %edi,%ebx - movl 8(%esp),%ecx - movl 12(%esp),%edx - movl 16(%esp),%esi - movl 20(%esp),%edi - addl (%esp),%eax - adcl 4(%esp),%ebx - orl %esi,%ecx - orl %edi,%edx - andl 24(%esp),%ecx - andl 28(%esp),%edx - andl 8(%esp),%esi - andl 12(%esp),%edi - orl %esi,%ecx - orl %edi,%edx - addl %ecx,%eax - adcl %edx,%ebx - movl %eax,(%esp) - movl %ebx,4(%esp) - movb (%ebp),%dl - subl $8,%esp - leal 8(%ebp),%ebp - cmpb $148,%dl - jne .L00900_15_x86 -.align 16 -.L01016_79_x86: - movl 312(%esp),%ecx - movl 316(%esp),%edx - movl %ecx,%esi - shrl $1,%ecx - movl %edx,%edi - shrl $1,%edx - movl %ecx,%eax - shll $24,%esi - movl %edx,%ebx - shll $24,%edi - xorl %esi,%ebx - shrl $6,%ecx - xorl %edi,%eax - shrl $6,%edx - xorl %ecx,%eax - shll $7,%esi - xorl %edx,%ebx - shll $1,%edi - xorl %esi,%ebx - shrl 
$1,%ecx - xorl %edi,%eax - shrl $1,%edx - xorl %ecx,%eax - shll $6,%edi - xorl %edx,%ebx - xorl %edi,%eax - movl %eax,(%esp) - movl %ebx,4(%esp) - movl 208(%esp),%ecx - movl 212(%esp),%edx - movl %ecx,%esi - shrl $6,%ecx - movl %edx,%edi - shrl $6,%edx - movl %ecx,%eax - shll $3,%esi - movl %edx,%ebx - shll $3,%edi - xorl %esi,%eax - shrl $13,%ecx - xorl %edi,%ebx - shrl $13,%edx - xorl %ecx,%eax - shll $10,%esi - xorl %edx,%ebx - shll $10,%edi - xorl %esi,%ebx - shrl $10,%ecx - xorl %edi,%eax - shrl $10,%edx - xorl %ecx,%ebx - shll $13,%edi - xorl %edx,%eax - xorl %edi,%eax - movl 320(%esp),%ecx - movl 324(%esp),%edx - addl (%esp),%eax - adcl 4(%esp),%ebx - movl 248(%esp),%esi - movl 252(%esp),%edi - addl %ecx,%eax - adcl %edx,%ebx - addl %esi,%eax - adcl %edi,%ebx - movl %eax,192(%esp) - movl %ebx,196(%esp) - movl 40(%esp),%ecx - movl 44(%esp),%edx - movl %ecx,%esi - shrl $9,%ecx - movl %edx,%edi - shrl $9,%edx - movl %ecx,%ebx - shll $14,%esi - movl %edx,%eax - shll $14,%edi - xorl %esi,%ebx - shrl $5,%ecx - xorl %edi,%eax - shrl $5,%edx - xorl %ecx,%eax - shll $4,%esi - xorl %edx,%ebx - shll $4,%edi - xorl %esi,%ebx - shrl $4,%ecx - xorl %edi,%eax - shrl $4,%edx - xorl %ecx,%eax - shll $5,%esi - xorl %edx,%ebx - shll $5,%edi - xorl %esi,%eax - xorl %edi,%ebx - movl 48(%esp),%ecx - movl 52(%esp),%edx - movl 56(%esp),%esi - movl 60(%esp),%edi - addl 64(%esp),%eax - adcl 68(%esp),%ebx - xorl %esi,%ecx - xorl %edi,%edx - andl 40(%esp),%ecx - andl 44(%esp),%edx - addl 192(%esp),%eax - adcl 196(%esp),%ebx - xorl %esi,%ecx - xorl %edi,%edx - movl (%ebp),%esi - movl 4(%ebp),%edi - addl %ecx,%eax - adcl %edx,%ebx - movl 32(%esp),%ecx - movl 36(%esp),%edx - addl %esi,%eax - adcl %edi,%ebx - movl %eax,(%esp) - movl %ebx,4(%esp) - addl %ecx,%eax - adcl %edx,%ebx - movl 8(%esp),%ecx - movl 12(%esp),%edx - movl %eax,32(%esp) - movl %ebx,36(%esp) - movl %ecx,%esi - shrl $2,%ecx - movl %edx,%edi - shrl $2,%edx - movl %ecx,%ebx - shll $4,%esi - movl %edx,%eax - shll $4,%edi - 
xorl %esi,%ebx - shrl $5,%ecx - xorl %edi,%eax - shrl $5,%edx - xorl %ecx,%ebx - shll $21,%esi - xorl %edx,%eax - shll $21,%edi - xorl %esi,%eax - shrl $21,%ecx - xorl %edi,%ebx - shrl $21,%edx - xorl %ecx,%eax - shll $5,%esi - xorl %edx,%ebx - shll $5,%edi - xorl %esi,%eax - xorl %edi,%ebx - movl 8(%esp),%ecx - movl 12(%esp),%edx - movl 16(%esp),%esi - movl 20(%esp),%edi - addl (%esp),%eax - adcl 4(%esp),%ebx - orl %esi,%ecx - orl %edi,%edx - andl 24(%esp),%ecx - andl 28(%esp),%edx - andl 8(%esp),%esi - andl 12(%esp),%edi - orl %esi,%ecx - orl %edi,%edx - addl %ecx,%eax - adcl %edx,%ebx - movl %eax,(%esp) - movl %ebx,4(%esp) - movb (%ebp),%dl - subl $8,%esp - leal 8(%ebp),%ebp - cmpb $23,%dl - jne .L01016_79_x86 - movl 840(%esp),%esi - movl 844(%esp),%edi - movl (%esi),%eax - movl 4(%esi),%ebx - movl 8(%esi),%ecx - movl 12(%esi),%edx - addl 8(%esp),%eax - adcl 12(%esp),%ebx - movl %eax,(%esi) - movl %ebx,4(%esi) - addl 16(%esp),%ecx - adcl 20(%esp),%edx - movl %ecx,8(%esi) - movl %edx,12(%esi) - movl 16(%esi),%eax - movl 20(%esi),%ebx - movl 24(%esi),%ecx - movl 28(%esi),%edx - addl 24(%esp),%eax - adcl 28(%esp),%ebx - movl %eax,16(%esi) - movl %ebx,20(%esi) - addl 32(%esp),%ecx - adcl 36(%esp),%edx - movl %ecx,24(%esi) - movl %edx,28(%esi) - movl 32(%esi),%eax - movl 36(%esi),%ebx - movl 40(%esi),%ecx - movl 44(%esi),%edx - addl 40(%esp),%eax - adcl 44(%esp),%ebx - movl %eax,32(%esi) - movl %ebx,36(%esi) - addl 48(%esp),%ecx - adcl 52(%esp),%edx - movl %ecx,40(%esi) - movl %edx,44(%esi) - movl 48(%esi),%eax - movl 52(%esi),%ebx - movl 56(%esi),%ecx - movl 60(%esi),%edx - addl 56(%esp),%eax - adcl 60(%esp),%ebx - movl %eax,48(%esi) - movl %ebx,52(%esi) - addl 64(%esp),%ecx - adcl 68(%esp),%edx - movl %ecx,56(%esi) - movl %edx,60(%esi) - addl $840,%esp - subl $640,%ebp - cmpl 8(%esp),%edi - jb .L002loop_x86 - movl 12(%esp),%esp - popl %edi - popl %esi - popl %ebx - popl %ebp - ret +.size sha512_block_data_order_ssse3,.-.L_sha512_block_data_order_ssse3_begin .align 
64 -.L001K512: +.LK512: .long 3609767458,1116352408 .long 602891725,1899447441 .long 3964484399,3049323471 @@ -2828,14 +2403,12 @@ sha512_block_data_order: .long 1246189591,1816402316 .long 67438087,66051 .long 202182159,134810123 -.size sha512_block_data_order,.-.L_sha512_block_data_order_begin .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97 .byte 110,115,102,111,114,109,32,102,111,114,32,120,56,54,44,32 .byte 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 .byte 62,0 #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv4-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv4-linux.S similarity index 97% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv4-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/sha512-armv4-linux.S index 62eaa4038..1b035af93 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv4-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv4-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -137,36 +136,14 @@ K512: WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a) WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) .size K512,.-K512 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.Lsha512_block_data_order -.skip 32-4 -#else -.skip 32 -#endif -.globl sha512_block_data_order -.hidden sha512_block_data_order -.type sha512_block_data_order,%function -sha512_block_data_order: -.Lsha512_block_data_order: -#if __ARM_ARCH<7 && !defined(__thumb2__) - sub r3,pc,#8 @ sha512_block_data_order -#else - adr r3,.Lsha512_block_data_order -#endif -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) - ldr r12,.LOPENSSL_armcap - ldr r12,[r3,r12] @ OPENSSL_armcap_P -#ifdef __APPLE__ - ldr r12,[r12] -#endif - tst r12,#ARMV7_NEON - bne .LNEON -#endif +.globl sha512_block_data_order_nohw +.hidden sha512_block_data_order_nohw +.type sha512_block_data_order_nohw,%function +sha512_block_data_order_nohw: add r2,r1,r2,lsl#7 @ len to point at the end of inp stmdb sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} - sub r14,r3,#672 @ K512 + adr r14,K512 sub sp,sp,#9*8 ldr r7,[r0,#32+LO] @@ -541,7 +518,7 @@ sha512_block_data_order: moveq pc,lr @ be binary compatible with V4, yet .word 0xe12fff1e @ interoperable with Thumb ISA:-) #endif -.size sha512_block_data_order,.-sha512_block_data_order +.size sha512_block_data_order_nohw,.-sha512_block_data_order_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon @@ -551,7 +528,6 @@ sha512_block_data_order: .type sha512_block_data_order_neon,%function .align 4 sha512_block_data_order_neon: -.LNEON: dmb @ errata #451034 on early Cortex A8 add r2,r1,r2,lsl#7 @ len to point at the end of inp adr r3,K512 
@@ -1877,12 +1853,7 @@ sha512_block_data_order_neon: .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,52,47,78,69,79,78,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 -#if __ARM_MAX_ARCH__>=7 && !defined(__KERNEL__) -.comm OPENSSL_armcap_P,4,4 -.hidden OPENSSL_armcap_P -#endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-apple.S index b89f58805..bac67fba2 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -52,24 +51,11 @@ .text - -.private_extern _OPENSSL_armcap_P -.globl _sha512_block_data_order -.private_extern _sha512_block_data_order +.globl _sha512_block_data_order_nohw +.private_extern _sha512_block_data_order_nohw .align 6 -_sha512_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x16,_OPENSSL_armcap_P@PAGE -#endif - ldr w16,[x16,_OPENSSL_armcap_P@PAGEOFF] - tst w16,#ARMV8_SHA512 - b.ne Lv8_entry -#endif +_sha512_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 
@@ -1086,10 +1072,13 @@ LK512: .align 2 .text #ifndef __KERNEL__ +.globl _sha512_block_data_order_hw +.private_extern _sha512_block_data_order_hw .align 6 -sha512_block_armv8: -Lv8_entry: +_sha512_block_data_order_hw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1606,7 +1595,6 @@ Loop_hw: #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-linux.S index f3ff1a86b..066020223 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -52,24 +51,11 @@ .text - -.hidden OPENSSL_armcap_P -.globl sha512_block_data_order -.hidden sha512_block_data_order -.type sha512_block_data_order,%function +.globl sha512_block_data_order_nohw +.hidden sha512_block_data_order_nohw +.type sha512_block_data_order_nohw,%function .align 6 -sha512_block_data_order: - AARCH64_VALID_CALL_TARGET -#ifndef __KERNEL__ -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x16,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x16,OPENSSL_armcap_P -#endif - ldr w16,[x16,:lo12:OPENSSL_armcap_P] - tst w16,#ARMV8_SHA512 - b.ne .Lv8_entry -#endif +sha512_block_data_order_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -1033,7 +1019,7 @@ sha512_block_data_order: ldp x29,x30,[sp],#128 AARCH64_VALIDATE_LINK_REGISTER ret -.size sha512_block_data_order,.-sha512_block_data_order +.size sha512_block_data_order_nohw,.-sha512_block_data_order_nohw .section .rodata .align 6 @@ -1086,10 +1072,13 @@ sha512_block_data_order: .align 2 .text #ifndef __KERNEL__ -.type sha512_block_armv8,%function +.globl sha512_block_data_order_hw +.hidden sha512_block_data_order_hw +.type sha512_block_data_order_hw,%function .align 6 -sha512_block_armv8: -.Lv8_entry: +sha512_block_data_order_hw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1603,10 +1592,9 @@ sha512_block_armv8: ldr x29,[sp],#16 ret -.size sha512_block_armv8,.-sha512_block_armv8 +.size sha512_block_data_order_hw,.-sha512_block_data_order_hw #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-win.S new file mode 100644 index 000000000..7554b8a16 --- /dev/null 
+++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-armv8-win.S 
@@ -0,0 +1,1605 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. +// +// Licensed under the OpenSSL license (the "License"). You may not use +// this file except in compliance with the License. You can obtain a copy +// in the file LICENSE in the source distribution or at +// https://www.openssl.org/source/license.html + +// ==================================================================== +// Written by Andy Polyakov for the OpenSSL +// project. The module is, however, dual licensed under OpenSSL and +// CRYPTOGAMS licenses depending on where you obtain it. For further +// details see http://www.openssl.org/~appro/cryptogams/. +// +// Permission to use under GPLv2 terms is granted. +// ==================================================================== +// +// SHA256/512 for ARMv8. +// +// Performance in cycles per processed byte and improvement coefficient +// over code generated with "default" compiler: +// +// SHA256-hw SHA256(*) SHA512 +// Apple A7 1.97 10.5 (+33%) 6.73 (-1%(**)) +// Cortex-A53 2.38 15.5 (+115%) 10.0 (+150%(***)) +// Cortex-A57 2.31 11.6 (+86%) 7.51 (+260%(***)) +// Denver 2.01 10.5 (+26%) 6.70 (+8%) +// X-Gene 20.0 (+100%) 12.8 (+300%(***)) +// Mongoose 2.36 13.0 (+50%) 8.36 (+33%) +// Kryo 1.92 17.4 (+30%) 11.2 (+8%) +// +// (*) Software SHA256 results are of lesser relevance, presented +// mostly for informational purposes. +// (**) The result is a trade-off: it's possible to improve it by +// 10% (or by 1 cycle per round), but at the cost of 20% loss +// on Cortex-A53 (or by 4 cycles per round). 
+// (***) Super-impressive coefficients over gcc-generated code are +// indication of some compiler "pathology", most notably code +// generated with -mgeneral-regs-only is significantly faster +// and the gap is only 40-90%. + +#ifndef __KERNEL__ +# include +#endif + +.text + +.globl sha512_block_data_order_nohw + +.def sha512_block_data_order_nohw + .type 32 +.endef +.align 6 +sha512_block_data_order_nohw: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-128]! + add x29,sp,#0 + + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + sub sp,sp,#4*8 + + ldp x20,x21,[x0] // load context + ldp x22,x23,[x0,#2*8] + ldp x24,x25,[x0,#4*8] + add x2,x1,x2,lsl#7 // end of input + ldp x26,x27,[x0,#6*8] + adrp x30,LK512 + add x30,x30,:lo12:LK512 + stp x0,x2,[x29,#96] + +Loop: + ldp x3,x4,[x1],#2*8 + ldr x19,[x30],#8 // *K++ + eor x28,x21,x22 // magic seed + str x1,[x29,#112] +#ifndef __AARCH64EB__ + rev x3,x3 // 0 +#endif + ror x16,x24,#14 + add x27,x27,x19 // h+=K[i] + eor x6,x24,x24,ror#23 + and x17,x25,x24 + bic x19,x26,x24 + add x27,x27,x3 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x20,x21 // a^b, b^c in next round + eor x16,x16,x6,ror#18 // Sigma1(e) + ror x6,x20,#28 + add x27,x27,x17 // h+=Ch(e,f,g) + eor x17,x20,x20,ror#5 + add x27,x27,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x23,x23,x27 // d+=h + eor x28,x28,x21 // Maj(a,b,c) + eor x17,x6,x17,ror#34 // Sigma0(a) + add x27,x27,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + //add x27,x27,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x4,x4 // 1 +#endif + ldp x5,x6,[x1],#2*8 + add x27,x27,x17 // h+=Sigma0(a) + ror x16,x23,#14 + add x26,x26,x28 // h+=K[i] + eor x7,x23,x23,ror#23 + and x17,x24,x23 + bic x28,x25,x23 + add x26,x26,x4 // h+=X[i] + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x27,x20 // a^b, b^c in next round + eor x16,x16,x7,ror#18 // Sigma1(e) + ror x7,x27,#28 + add x26,x26,x17 // h+=Ch(e,f,g) + eor 
x17,x27,x27,ror#5 + add x26,x26,x16 // h+=Sigma1(e) + and x19,x19,x28 // (b^c)&=(a^b) + add x22,x22,x26 // d+=h + eor x19,x19,x20 // Maj(a,b,c) + eor x17,x7,x17,ror#34 // Sigma0(a) + add x26,x26,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + //add x26,x26,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x5,x5 // 2 +#endif + add x26,x26,x17 // h+=Sigma0(a) + ror x16,x22,#14 + add x25,x25,x19 // h+=K[i] + eor x8,x22,x22,ror#23 + and x17,x23,x22 + bic x19,x24,x22 + add x25,x25,x5 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x26,x27 // a^b, b^c in next round + eor x16,x16,x8,ror#18 // Sigma1(e) + ror x8,x26,#28 + add x25,x25,x17 // h+=Ch(e,f,g) + eor x17,x26,x26,ror#5 + add x25,x25,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x21,x21,x25 // d+=h + eor x28,x28,x27 // Maj(a,b,c) + eor x17,x8,x17,ror#34 // Sigma0(a) + add x25,x25,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + //add x25,x25,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x6,x6 // 3 +#endif + ldp x7,x8,[x1],#2*8 + add x25,x25,x17 // h+=Sigma0(a) + ror x16,x21,#14 + add x24,x24,x28 // h+=K[i] + eor x9,x21,x21,ror#23 + and x17,x22,x21 + bic x28,x23,x21 + add x24,x24,x6 // h+=X[i] + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x25,x26 // a^b, b^c in next round + eor x16,x16,x9,ror#18 // Sigma1(e) + ror x9,x25,#28 + add x24,x24,x17 // h+=Ch(e,f,g) + eor x17,x25,x25,ror#5 + add x24,x24,x16 // h+=Sigma1(e) + and x19,x19,x28 // (b^c)&=(a^b) + add x20,x20,x24 // d+=h + eor x19,x19,x26 // Maj(a,b,c) + eor x17,x9,x17,ror#34 // Sigma0(a) + add x24,x24,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + //add x24,x24,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x7,x7 // 4 +#endif + add x24,x24,x17 // h+=Sigma0(a) + ror x16,x20,#14 + add x23,x23,x19 // h+=K[i] + eor x10,x20,x20,ror#23 + and x17,x21,x20 + bic x19,x22,x20 + add x23,x23,x7 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x24,x25 // a^b, b^c in next round + eor 
x16,x16,x10,ror#18 // Sigma1(e) + ror x10,x24,#28 + add x23,x23,x17 // h+=Ch(e,f,g) + eor x17,x24,x24,ror#5 + add x23,x23,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x27,x27,x23 // d+=h + eor x28,x28,x25 // Maj(a,b,c) + eor x17,x10,x17,ror#34 // Sigma0(a) + add x23,x23,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + //add x23,x23,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x8,x8 // 5 +#endif + ldp x9,x10,[x1],#2*8 + add x23,x23,x17 // h+=Sigma0(a) + ror x16,x27,#14 + add x22,x22,x28 // h+=K[i] + eor x11,x27,x27,ror#23 + and x17,x20,x27 + bic x28,x21,x27 + add x22,x22,x8 // h+=X[i] + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x23,x24 // a^b, b^c in next round + eor x16,x16,x11,ror#18 // Sigma1(e) + ror x11,x23,#28 + add x22,x22,x17 // h+=Ch(e,f,g) + eor x17,x23,x23,ror#5 + add x22,x22,x16 // h+=Sigma1(e) + and x19,x19,x28 // (b^c)&=(a^b) + add x26,x26,x22 // d+=h + eor x19,x19,x24 // Maj(a,b,c) + eor x17,x11,x17,ror#34 // Sigma0(a) + add x22,x22,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + //add x22,x22,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x9,x9 // 6 +#endif + add x22,x22,x17 // h+=Sigma0(a) + ror x16,x26,#14 + add x21,x21,x19 // h+=K[i] + eor x12,x26,x26,ror#23 + and x17,x27,x26 + bic x19,x20,x26 + add x21,x21,x9 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x22,x23 // a^b, b^c in next round + eor x16,x16,x12,ror#18 // Sigma1(e) + ror x12,x22,#28 + add x21,x21,x17 // h+=Ch(e,f,g) + eor x17,x22,x22,ror#5 + add x21,x21,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x25,x25,x21 // d+=h + eor x28,x28,x23 // Maj(a,b,c) + eor x17,x12,x17,ror#34 // Sigma0(a) + add x21,x21,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + //add x21,x21,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x10,x10 // 7 +#endif + ldp x11,x12,[x1],#2*8 + add x21,x21,x17 // h+=Sigma0(a) + ror x16,x25,#14 + add x20,x20,x28 // h+=K[i] + eor x13,x25,x25,ror#23 + and x17,x26,x25 + bic 
x28,x27,x25 + add x20,x20,x10 // h+=X[i] + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x21,x22 // a^b, b^c in next round + eor x16,x16,x13,ror#18 // Sigma1(e) + ror x13,x21,#28 + add x20,x20,x17 // h+=Ch(e,f,g) + eor x17,x21,x21,ror#5 + add x20,x20,x16 // h+=Sigma1(e) + and x19,x19,x28 // (b^c)&=(a^b) + add x24,x24,x20 // d+=h + eor x19,x19,x22 // Maj(a,b,c) + eor x17,x13,x17,ror#34 // Sigma0(a) + add x20,x20,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + //add x20,x20,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x11,x11 // 8 +#endif + add x20,x20,x17 // h+=Sigma0(a) + ror x16,x24,#14 + add x27,x27,x19 // h+=K[i] + eor x14,x24,x24,ror#23 + and x17,x25,x24 + bic x19,x26,x24 + add x27,x27,x11 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x20,x21 // a^b, b^c in next round + eor x16,x16,x14,ror#18 // Sigma1(e) + ror x14,x20,#28 + add x27,x27,x17 // h+=Ch(e,f,g) + eor x17,x20,x20,ror#5 + add x27,x27,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x23,x23,x27 // d+=h + eor x28,x28,x21 // Maj(a,b,c) + eor x17,x14,x17,ror#34 // Sigma0(a) + add x27,x27,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + //add x27,x27,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x12,x12 // 9 +#endif + ldp x13,x14,[x1],#2*8 + add x27,x27,x17 // h+=Sigma0(a) + ror x16,x23,#14 + add x26,x26,x28 // h+=K[i] + eor x15,x23,x23,ror#23 + and x17,x24,x23 + bic x28,x25,x23 + add x26,x26,x12 // h+=X[i] + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x27,x20 // a^b, b^c in next round + eor x16,x16,x15,ror#18 // Sigma1(e) + ror x15,x27,#28 + add x26,x26,x17 // h+=Ch(e,f,g) + eor x17,x27,x27,ror#5 + add x26,x26,x16 // h+=Sigma1(e) + and x19,x19,x28 // (b^c)&=(a^b) + add x22,x22,x26 // d+=h + eor x19,x19,x20 // Maj(a,b,c) + eor x17,x15,x17,ror#34 // Sigma0(a) + add x26,x26,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + //add x26,x26,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x13,x13 // 10 +#endif + add x26,x26,x17 // 
h+=Sigma0(a) + ror x16,x22,#14 + add x25,x25,x19 // h+=K[i] + eor x0,x22,x22,ror#23 + and x17,x23,x22 + bic x19,x24,x22 + add x25,x25,x13 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x26,x27 // a^b, b^c in next round + eor x16,x16,x0,ror#18 // Sigma1(e) + ror x0,x26,#28 + add x25,x25,x17 // h+=Ch(e,f,g) + eor x17,x26,x26,ror#5 + add x25,x25,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x21,x21,x25 // d+=h + eor x28,x28,x27 // Maj(a,b,c) + eor x17,x0,x17,ror#34 // Sigma0(a) + add x25,x25,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + //add x25,x25,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x14,x14 // 11 +#endif + ldp x15,x0,[x1],#2*8 + add x25,x25,x17 // h+=Sigma0(a) + str x6,[sp,#24] + ror x16,x21,#14 + add x24,x24,x28 // h+=K[i] + eor x6,x21,x21,ror#23 + and x17,x22,x21 + bic x28,x23,x21 + add x24,x24,x14 // h+=X[i] + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x25,x26 // a^b, b^c in next round + eor x16,x16,x6,ror#18 // Sigma1(e) + ror x6,x25,#28 + add x24,x24,x17 // h+=Ch(e,f,g) + eor x17,x25,x25,ror#5 + add x24,x24,x16 // h+=Sigma1(e) + and x19,x19,x28 // (b^c)&=(a^b) + add x20,x20,x24 // d+=h + eor x19,x19,x26 // Maj(a,b,c) + eor x17,x6,x17,ror#34 // Sigma0(a) + add x24,x24,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + //add x24,x24,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x15,x15 // 12 +#endif + add x24,x24,x17 // h+=Sigma0(a) + str x7,[sp,#0] + ror x16,x20,#14 + add x23,x23,x19 // h+=K[i] + eor x7,x20,x20,ror#23 + and x17,x21,x20 + bic x19,x22,x20 + add x23,x23,x15 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x24,x25 // a^b, b^c in next round + eor x16,x16,x7,ror#18 // Sigma1(e) + ror x7,x24,#28 + add x23,x23,x17 // h+=Ch(e,f,g) + eor x17,x24,x24,ror#5 + add x23,x23,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x27,x27,x23 // d+=h + eor x28,x28,x25 // Maj(a,b,c) + eor x17,x7,x17,ror#34 // Sigma0(a) + add x23,x23,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 
in next round + //add x23,x23,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x0,x0 // 13 +#endif + ldp x1,x2,[x1] + add x23,x23,x17 // h+=Sigma0(a) + str x8,[sp,#8] + ror x16,x27,#14 + add x22,x22,x28 // h+=K[i] + eor x8,x27,x27,ror#23 + and x17,x20,x27 + bic x28,x21,x27 + add x22,x22,x0 // h+=X[i] + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x23,x24 // a^b, b^c in next round + eor x16,x16,x8,ror#18 // Sigma1(e) + ror x8,x23,#28 + add x22,x22,x17 // h+=Ch(e,f,g) + eor x17,x23,x23,ror#5 + add x22,x22,x16 // h+=Sigma1(e) + and x19,x19,x28 // (b^c)&=(a^b) + add x26,x26,x22 // d+=h + eor x19,x19,x24 // Maj(a,b,c) + eor x17,x8,x17,ror#34 // Sigma0(a) + add x22,x22,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + //add x22,x22,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x1,x1 // 14 +#endif + ldr x6,[sp,#24] + add x22,x22,x17 // h+=Sigma0(a) + str x9,[sp,#16] + ror x16,x26,#14 + add x21,x21,x19 // h+=K[i] + eor x9,x26,x26,ror#23 + and x17,x27,x26 + bic x19,x20,x26 + add x21,x21,x1 // h+=X[i] + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x22,x23 // a^b, b^c in next round + eor x16,x16,x9,ror#18 // Sigma1(e) + ror x9,x22,#28 + add x21,x21,x17 // h+=Ch(e,f,g) + eor x17,x22,x22,ror#5 + add x21,x21,x16 // h+=Sigma1(e) + and x28,x28,x19 // (b^c)&=(a^b) + add x25,x25,x21 // d+=h + eor x28,x28,x23 // Maj(a,b,c) + eor x17,x9,x17,ror#34 // Sigma0(a) + add x21,x21,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + //add x21,x21,x17 // h+=Sigma0(a) +#ifndef __AARCH64EB__ + rev x2,x2 // 15 +#endif + ldr x7,[sp,#0] + add x21,x21,x17 // h+=Sigma0(a) + str x10,[sp,#24] + ror x16,x25,#14 + add x20,x20,x28 // h+=K[i] + ror x9,x4,#1 + and x17,x26,x25 + ror x8,x1,#19 + bic x28,x27,x25 + ror x10,x21,#28 + add x20,x20,x2 // h+=X[i] + eor x16,x16,x25,ror#18 + eor x9,x9,x4,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x21,x22 // a^b, b^c in next round + eor x16,x16,x25,ror#41 // Sigma1(e) + eor x10,x10,x21,ror#34 + add x20,x20,x17 // h+=Ch(e,f,g) + and 
x19,x19,x28 // (b^c)&=(a^b) + eor x8,x8,x1,ror#61 + eor x9,x9,x4,lsr#7 // sigma0(X[i+1]) + add x20,x20,x16 // h+=Sigma1(e) + eor x19,x19,x22 // Maj(a,b,c) + eor x17,x10,x21,ror#39 // Sigma0(a) + eor x8,x8,x1,lsr#6 // sigma1(X[i+14]) + add x3,x3,x12 + add x24,x24,x20 // d+=h + add x20,x20,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x3,x3,x9 + add x20,x20,x17 // h+=Sigma0(a) + add x3,x3,x8 +Loop_16_xx: + ldr x8,[sp,#8] + str x11,[sp,#0] + ror x16,x24,#14 + add x27,x27,x19 // h+=K[i] + ror x10,x5,#1 + and x17,x25,x24 + ror x9,x2,#19 + bic x19,x26,x24 + ror x11,x20,#28 + add x27,x27,x3 // h+=X[i] + eor x16,x16,x24,ror#18 + eor x10,x10,x5,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x20,x21 // a^b, b^c in next round + eor x16,x16,x24,ror#41 // Sigma1(e) + eor x11,x11,x20,ror#34 + add x27,x27,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + eor x9,x9,x2,ror#61 + eor x10,x10,x5,lsr#7 // sigma0(X[i+1]) + add x27,x27,x16 // h+=Sigma1(e) + eor x28,x28,x21 // Maj(a,b,c) + eor x17,x11,x20,ror#39 // Sigma0(a) + eor x9,x9,x2,lsr#6 // sigma1(X[i+14]) + add x4,x4,x13 + add x23,x23,x27 // d+=h + add x27,x27,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + add x4,x4,x10 + add x27,x27,x17 // h+=Sigma0(a) + add x4,x4,x9 + ldr x9,[sp,#16] + str x12,[sp,#8] + ror x16,x23,#14 + add x26,x26,x28 // h+=K[i] + ror x11,x6,#1 + and x17,x24,x23 + ror x10,x3,#19 + bic x28,x25,x23 + ror x12,x27,#28 + add x26,x26,x4 // h+=X[i] + eor x16,x16,x23,ror#18 + eor x11,x11,x6,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x27,x20 // a^b, b^c in next round + eor x16,x16,x23,ror#41 // Sigma1(e) + eor x12,x12,x27,ror#34 + add x26,x26,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x10,x10,x3,ror#61 + eor x11,x11,x6,lsr#7 // sigma0(X[i+1]) + add x26,x26,x16 // h+=Sigma1(e) + eor x19,x19,x20 // Maj(a,b,c) + eor x17,x12,x27,ror#39 // Sigma0(a) + eor x10,x10,x3,lsr#6 // sigma1(X[i+14]) + add x5,x5,x14 + add x22,x22,x26 // d+=h + add 
x26,x26,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x5,x5,x11 + add x26,x26,x17 // h+=Sigma0(a) + add x5,x5,x10 + ldr x10,[sp,#24] + str x13,[sp,#16] + ror x16,x22,#14 + add x25,x25,x19 // h+=K[i] + ror x12,x7,#1 + and x17,x23,x22 + ror x11,x4,#19 + bic x19,x24,x22 + ror x13,x26,#28 + add x25,x25,x5 // h+=X[i] + eor x16,x16,x22,ror#18 + eor x12,x12,x7,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x26,x27 // a^b, b^c in next round + eor x16,x16,x22,ror#41 // Sigma1(e) + eor x13,x13,x26,ror#34 + add x25,x25,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + eor x11,x11,x4,ror#61 + eor x12,x12,x7,lsr#7 // sigma0(X[i+1]) + add x25,x25,x16 // h+=Sigma1(e) + eor x28,x28,x27 // Maj(a,b,c) + eor x17,x13,x26,ror#39 // Sigma0(a) + eor x11,x11,x4,lsr#6 // sigma1(X[i+14]) + add x6,x6,x15 + add x21,x21,x25 // d+=h + add x25,x25,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + add x6,x6,x12 + add x25,x25,x17 // h+=Sigma0(a) + add x6,x6,x11 + ldr x11,[sp,#0] + str x14,[sp,#24] + ror x16,x21,#14 + add x24,x24,x28 // h+=K[i] + ror x13,x8,#1 + and x17,x22,x21 + ror x12,x5,#19 + bic x28,x23,x21 + ror x14,x25,#28 + add x24,x24,x6 // h+=X[i] + eor x16,x16,x21,ror#18 + eor x13,x13,x8,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x25,x26 // a^b, b^c in next round + eor x16,x16,x21,ror#41 // Sigma1(e) + eor x14,x14,x25,ror#34 + add x24,x24,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x12,x12,x5,ror#61 + eor x13,x13,x8,lsr#7 // sigma0(X[i+1]) + add x24,x24,x16 // h+=Sigma1(e) + eor x19,x19,x26 // Maj(a,b,c) + eor x17,x14,x25,ror#39 // Sigma0(a) + eor x12,x12,x5,lsr#6 // sigma1(X[i+14]) + add x7,x7,x0 + add x20,x20,x24 // d+=h + add x24,x24,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x7,x7,x13 + add x24,x24,x17 // h+=Sigma0(a) + add x7,x7,x12 + ldr x12,[sp,#8] + str x15,[sp,#0] + ror x16,x20,#14 + add x23,x23,x19 // h+=K[i] + ror x14,x9,#1 + and x17,x21,x20 + ror x13,x6,#19 + bic x19,x22,x20 
+ ror x15,x24,#28 + add x23,x23,x7 // h+=X[i] + eor x16,x16,x20,ror#18 + eor x14,x14,x9,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x24,x25 // a^b, b^c in next round + eor x16,x16,x20,ror#41 // Sigma1(e) + eor x15,x15,x24,ror#34 + add x23,x23,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + eor x13,x13,x6,ror#61 + eor x14,x14,x9,lsr#7 // sigma0(X[i+1]) + add x23,x23,x16 // h+=Sigma1(e) + eor x28,x28,x25 // Maj(a,b,c) + eor x17,x15,x24,ror#39 // Sigma0(a) + eor x13,x13,x6,lsr#6 // sigma1(X[i+14]) + add x8,x8,x1 + add x27,x27,x23 // d+=h + add x23,x23,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + add x8,x8,x14 + add x23,x23,x17 // h+=Sigma0(a) + add x8,x8,x13 + ldr x13,[sp,#16] + str x0,[sp,#8] + ror x16,x27,#14 + add x22,x22,x28 // h+=K[i] + ror x15,x10,#1 + and x17,x20,x27 + ror x14,x7,#19 + bic x28,x21,x27 + ror x0,x23,#28 + add x22,x22,x8 // h+=X[i] + eor x16,x16,x27,ror#18 + eor x15,x15,x10,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x23,x24 // a^b, b^c in next round + eor x16,x16,x27,ror#41 // Sigma1(e) + eor x0,x0,x23,ror#34 + add x22,x22,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x14,x14,x7,ror#61 + eor x15,x15,x10,lsr#7 // sigma0(X[i+1]) + add x22,x22,x16 // h+=Sigma1(e) + eor x19,x19,x24 // Maj(a,b,c) + eor x17,x0,x23,ror#39 // Sigma0(a) + eor x14,x14,x7,lsr#6 // sigma1(X[i+14]) + add x9,x9,x2 + add x26,x26,x22 // d+=h + add x22,x22,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x9,x9,x15 + add x22,x22,x17 // h+=Sigma0(a) + add x9,x9,x14 + ldr x14,[sp,#24] + str x1,[sp,#16] + ror x16,x26,#14 + add x21,x21,x19 // h+=K[i] + ror x0,x11,#1 + and x17,x27,x26 + ror x15,x8,#19 + bic x19,x20,x26 + ror x1,x22,#28 + add x21,x21,x9 // h+=X[i] + eor x16,x16,x26,ror#18 + eor x0,x0,x11,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x22,x23 // a^b, b^c in next round + eor x16,x16,x26,ror#41 // Sigma1(e) + eor x1,x1,x22,ror#34 + add x21,x21,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + 
eor x15,x15,x8,ror#61 + eor x0,x0,x11,lsr#7 // sigma0(X[i+1]) + add x21,x21,x16 // h+=Sigma1(e) + eor x28,x28,x23 // Maj(a,b,c) + eor x17,x1,x22,ror#39 // Sigma0(a) + eor x15,x15,x8,lsr#6 // sigma1(X[i+14]) + add x10,x10,x3 + add x25,x25,x21 // d+=h + add x21,x21,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + add x10,x10,x0 + add x21,x21,x17 // h+=Sigma0(a) + add x10,x10,x15 + ldr x15,[sp,#0] + str x2,[sp,#24] + ror x16,x25,#14 + add x20,x20,x28 // h+=K[i] + ror x1,x12,#1 + and x17,x26,x25 + ror x0,x9,#19 + bic x28,x27,x25 + ror x2,x21,#28 + add x20,x20,x10 // h+=X[i] + eor x16,x16,x25,ror#18 + eor x1,x1,x12,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x21,x22 // a^b, b^c in next round + eor x16,x16,x25,ror#41 // Sigma1(e) + eor x2,x2,x21,ror#34 + add x20,x20,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x0,x0,x9,ror#61 + eor x1,x1,x12,lsr#7 // sigma0(X[i+1]) + add x20,x20,x16 // h+=Sigma1(e) + eor x19,x19,x22 // Maj(a,b,c) + eor x17,x2,x21,ror#39 // Sigma0(a) + eor x0,x0,x9,lsr#6 // sigma1(X[i+14]) + add x11,x11,x4 + add x24,x24,x20 // d+=h + add x20,x20,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x11,x11,x1 + add x20,x20,x17 // h+=Sigma0(a) + add x11,x11,x0 + ldr x0,[sp,#8] + str x3,[sp,#0] + ror x16,x24,#14 + add x27,x27,x19 // h+=K[i] + ror x2,x13,#1 + and x17,x25,x24 + ror x1,x10,#19 + bic x19,x26,x24 + ror x3,x20,#28 + add x27,x27,x11 // h+=X[i] + eor x16,x16,x24,ror#18 + eor x2,x2,x13,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x20,x21 // a^b, b^c in next round + eor x16,x16,x24,ror#41 // Sigma1(e) + eor x3,x3,x20,ror#34 + add x27,x27,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + eor x1,x1,x10,ror#61 + eor x2,x2,x13,lsr#7 // sigma0(X[i+1]) + add x27,x27,x16 // h+=Sigma1(e) + eor x28,x28,x21 // Maj(a,b,c) + eor x17,x3,x20,ror#39 // Sigma0(a) + eor x1,x1,x10,lsr#6 // sigma1(X[i+14]) + add x12,x12,x5 + add x23,x23,x27 // d+=h + add x27,x27,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // 
*K++, x19 in next round + add x12,x12,x2 + add x27,x27,x17 // h+=Sigma0(a) + add x12,x12,x1 + ldr x1,[sp,#16] + str x4,[sp,#8] + ror x16,x23,#14 + add x26,x26,x28 // h+=K[i] + ror x3,x14,#1 + and x17,x24,x23 + ror x2,x11,#19 + bic x28,x25,x23 + ror x4,x27,#28 + add x26,x26,x12 // h+=X[i] + eor x16,x16,x23,ror#18 + eor x3,x3,x14,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x27,x20 // a^b, b^c in next round + eor x16,x16,x23,ror#41 // Sigma1(e) + eor x4,x4,x27,ror#34 + add x26,x26,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x2,x2,x11,ror#61 + eor x3,x3,x14,lsr#7 // sigma0(X[i+1]) + add x26,x26,x16 // h+=Sigma1(e) + eor x19,x19,x20 // Maj(a,b,c) + eor x17,x4,x27,ror#39 // Sigma0(a) + eor x2,x2,x11,lsr#6 // sigma1(X[i+14]) + add x13,x13,x6 + add x22,x22,x26 // d+=h + add x26,x26,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x13,x13,x3 + add x26,x26,x17 // h+=Sigma0(a) + add x13,x13,x2 + ldr x2,[sp,#24] + str x5,[sp,#16] + ror x16,x22,#14 + add x25,x25,x19 // h+=K[i] + ror x4,x15,#1 + and x17,x23,x22 + ror x3,x12,#19 + bic x19,x24,x22 + ror x5,x26,#28 + add x25,x25,x13 // h+=X[i] + eor x16,x16,x22,ror#18 + eor x4,x4,x15,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x26,x27 // a^b, b^c in next round + eor x16,x16,x22,ror#41 // Sigma1(e) + eor x5,x5,x26,ror#34 + add x25,x25,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + eor x3,x3,x12,ror#61 + eor x4,x4,x15,lsr#7 // sigma0(X[i+1]) + add x25,x25,x16 // h+=Sigma1(e) + eor x28,x28,x27 // Maj(a,b,c) + eor x17,x5,x26,ror#39 // Sigma0(a) + eor x3,x3,x12,lsr#6 // sigma1(X[i+14]) + add x14,x14,x7 + add x21,x21,x25 // d+=h + add x25,x25,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + add x14,x14,x4 + add x25,x25,x17 // h+=Sigma0(a) + add x14,x14,x3 + ldr x3,[sp,#0] + str x6,[sp,#24] + ror x16,x21,#14 + add x24,x24,x28 // h+=K[i] + ror x5,x0,#1 + and x17,x22,x21 + ror x4,x13,#19 + bic x28,x23,x21 + ror x6,x25,#28 + add x24,x24,x14 // h+=X[i] + eor 
x16,x16,x21,ror#18 + eor x5,x5,x0,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x25,x26 // a^b, b^c in next round + eor x16,x16,x21,ror#41 // Sigma1(e) + eor x6,x6,x25,ror#34 + add x24,x24,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x4,x4,x13,ror#61 + eor x5,x5,x0,lsr#7 // sigma0(X[i+1]) + add x24,x24,x16 // h+=Sigma1(e) + eor x19,x19,x26 // Maj(a,b,c) + eor x17,x6,x25,ror#39 // Sigma0(a) + eor x4,x4,x13,lsr#6 // sigma1(X[i+14]) + add x15,x15,x8 + add x20,x20,x24 // d+=h + add x24,x24,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x15,x15,x5 + add x24,x24,x17 // h+=Sigma0(a) + add x15,x15,x4 + ldr x4,[sp,#8] + str x7,[sp,#0] + ror x16,x20,#14 + add x23,x23,x19 // h+=K[i] + ror x6,x1,#1 + and x17,x21,x20 + ror x5,x14,#19 + bic x19,x22,x20 + ror x7,x24,#28 + add x23,x23,x15 // h+=X[i] + eor x16,x16,x20,ror#18 + eor x6,x6,x1,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x24,x25 // a^b, b^c in next round + eor x16,x16,x20,ror#41 // Sigma1(e) + eor x7,x7,x24,ror#34 + add x23,x23,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + eor x5,x5,x14,ror#61 + eor x6,x6,x1,lsr#7 // sigma0(X[i+1]) + add x23,x23,x16 // h+=Sigma1(e) + eor x28,x28,x25 // Maj(a,b,c) + eor x17,x7,x24,ror#39 // Sigma0(a) + eor x5,x5,x14,lsr#6 // sigma1(X[i+14]) + add x0,x0,x9 + add x27,x27,x23 // d+=h + add x23,x23,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + add x0,x0,x6 + add x23,x23,x17 // h+=Sigma0(a) + add x0,x0,x5 + ldr x5,[sp,#16] + str x8,[sp,#8] + ror x16,x27,#14 + add x22,x22,x28 // h+=K[i] + ror x7,x2,#1 + and x17,x20,x27 + ror x6,x15,#19 + bic x28,x21,x27 + ror x8,x23,#28 + add x22,x22,x0 // h+=X[i] + eor x16,x16,x27,ror#18 + eor x7,x7,x2,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x23,x24 // a^b, b^c in next round + eor x16,x16,x27,ror#41 // Sigma1(e) + eor x8,x8,x23,ror#34 + add x22,x22,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x6,x6,x15,ror#61 + eor x7,x7,x2,lsr#7 // sigma0(X[i+1]) + add 
x22,x22,x16 // h+=Sigma1(e) + eor x19,x19,x24 // Maj(a,b,c) + eor x17,x8,x23,ror#39 // Sigma0(a) + eor x6,x6,x15,lsr#6 // sigma1(X[i+14]) + add x1,x1,x10 + add x26,x26,x22 // d+=h + add x22,x22,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x1,x1,x7 + add x22,x22,x17 // h+=Sigma0(a) + add x1,x1,x6 + ldr x6,[sp,#24] + str x9,[sp,#16] + ror x16,x26,#14 + add x21,x21,x19 // h+=K[i] + ror x8,x3,#1 + and x17,x27,x26 + ror x7,x0,#19 + bic x19,x20,x26 + ror x9,x22,#28 + add x21,x21,x1 // h+=X[i] + eor x16,x16,x26,ror#18 + eor x8,x8,x3,ror#8 + orr x17,x17,x19 // Ch(e,f,g) + eor x19,x22,x23 // a^b, b^c in next round + eor x16,x16,x26,ror#41 // Sigma1(e) + eor x9,x9,x22,ror#34 + add x21,x21,x17 // h+=Ch(e,f,g) + and x28,x28,x19 // (b^c)&=(a^b) + eor x7,x7,x0,ror#61 + eor x8,x8,x3,lsr#7 // sigma0(X[i+1]) + add x21,x21,x16 // h+=Sigma1(e) + eor x28,x28,x23 // Maj(a,b,c) + eor x17,x9,x22,ror#39 // Sigma0(a) + eor x7,x7,x0,lsr#6 // sigma1(X[i+14]) + add x2,x2,x11 + add x25,x25,x21 // d+=h + add x21,x21,x28 // h+=Maj(a,b,c) + ldr x28,[x30],#8 // *K++, x19 in next round + add x2,x2,x8 + add x21,x21,x17 // h+=Sigma0(a) + add x2,x2,x7 + ldr x7,[sp,#0] + str x10,[sp,#24] + ror x16,x25,#14 + add x20,x20,x28 // h+=K[i] + ror x9,x4,#1 + and x17,x26,x25 + ror x8,x1,#19 + bic x28,x27,x25 + ror x10,x21,#28 + add x20,x20,x2 // h+=X[i] + eor x16,x16,x25,ror#18 + eor x9,x9,x4,ror#8 + orr x17,x17,x28 // Ch(e,f,g) + eor x28,x21,x22 // a^b, b^c in next round + eor x16,x16,x25,ror#41 // Sigma1(e) + eor x10,x10,x21,ror#34 + add x20,x20,x17 // h+=Ch(e,f,g) + and x19,x19,x28 // (b^c)&=(a^b) + eor x8,x8,x1,ror#61 + eor x9,x9,x4,lsr#7 // sigma0(X[i+1]) + add x20,x20,x16 // h+=Sigma1(e) + eor x19,x19,x22 // Maj(a,b,c) + eor x17,x10,x21,ror#39 // Sigma0(a) + eor x8,x8,x1,lsr#6 // sigma1(X[i+14]) + add x3,x3,x12 + add x24,x24,x20 // d+=h + add x20,x20,x19 // h+=Maj(a,b,c) + ldr x19,[x30],#8 // *K++, x28 in next round + add x3,x3,x9 + add x20,x20,x17 // h+=Sigma0(a) + add 
x3,x3,x8 + cbnz x19,Loop_16_xx + + ldp x0,x2,[x29,#96] + ldr x1,[x29,#112] + sub x30,x30,#648 // rewind + + ldp x3,x4,[x0] + ldp x5,x6,[x0,#2*8] + add x1,x1,#14*8 // advance input pointer + ldp x7,x8,[x0,#4*8] + add x20,x20,x3 + ldp x9,x10,[x0,#6*8] + add x21,x21,x4 + add x22,x22,x5 + add x23,x23,x6 + stp x20,x21,[x0] + add x24,x24,x7 + add x25,x25,x8 + stp x22,x23,[x0,#2*8] + add x26,x26,x9 + add x27,x27,x10 + cmp x1,x2 + stp x24,x25,[x0,#4*8] + stp x26,x27,[x0,#6*8] + b.ne Loop + + ldp x19,x20,[x29,#16] + add sp,sp,#4*8 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#128 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +.section .rodata +.align 6 + +LK512: +.quad 0x428a2f98d728ae22,0x7137449123ef65cd +.quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc +.quad 0x3956c25bf348b538,0x59f111f1b605d019 +.quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118 +.quad 0xd807aa98a3030242,0x12835b0145706fbe +.quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2 +.quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1 +.quad 0x9bdc06a725c71235,0xc19bf174cf692694 +.quad 0xe49b69c19ef14ad2,0xefbe4786384f25e3 +.quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65 +.quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483 +.quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5 +.quad 0x983e5152ee66dfab,0xa831c66d2db43210 +.quad 0xb00327c898fb213f,0xbf597fc7beef0ee4 +.quad 0xc6e00bf33da88fc2,0xd5a79147930aa725 +.quad 0x06ca6351e003826f,0x142929670a0e6e70 +.quad 0x27b70a8546d22ffc,0x2e1b21385c26c926 +.quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df +.quad 0x650a73548baf63de,0x766a0abb3c77b2a8 +.quad 0x81c2c92e47edaee6,0x92722c851482353b +.quad 0xa2bfe8a14cf10364,0xa81a664bbc423001 +.quad 0xc24b8b70d0f89791,0xc76c51a30654be30 +.quad 0xd192e819d6ef5218,0xd69906245565a910 +.quad 0xf40e35855771202a,0x106aa07032bbd1b8 +.quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53 +.quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8 +.quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb +.quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3 +.quad 
0x748f82ee5defb2fc,0x78a5636f43172f60 +.quad 0x84c87814a1f0ab72,0x8cc702081a6439ec +.quad 0x90befffa23631e28,0xa4506cebde82bde9 +.quad 0xbef9a3f7b2c67915,0xc67178f2e372532b +.quad 0xca273eceea26619c,0xd186b8c721c0c207 +.quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178 +.quad 0x06f067aa72176fba,0x0a637dc5a2c898a6 +.quad 0x113f9804bef90dae,0x1b710b35131c471b +.quad 0x28db77f523047d84,0x32caab7b40c72493 +.quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c +.quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a +.quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 +.quad 0 // terminator + +.byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.align 2 +.text +#ifndef __KERNEL__ +.globl sha512_block_data_order_hw + +.def sha512_block_data_order_hw + .type 32 +.endef +.align 6 +sha512_block_data_order_hw: + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + AARCH64_VALID_CALL_TARGET + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + ld1 {v16.16b,v17.16b,v18.16b,v19.16b},[x1],#64 // load input + ld1 {v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64 + + ld1 {v0.2d,v1.2d,v2.2d,v3.2d},[x0] // load context + adrp x3,LK512 + add x3,x3,:lo12:LK512 + + rev64 v16.16b,v16.16b + rev64 v17.16b,v17.16b + rev64 v18.16b,v18.16b + rev64 v19.16b,v19.16b + rev64 v20.16b,v20.16b + rev64 v21.16b,v21.16b + rev64 v22.16b,v22.16b + rev64 v23.16b,v23.16b + b Loop_hw + +.align 4 +Loop_hw: + ld1 {v24.2d},[x3],#16 + subs x2,x2,#1 + sub x4,x1,#128 + orr v26.16b,v0.16b,v0.16b // offload + orr v27.16b,v1.16b,v1.16b + orr v28.16b,v2.16b,v2.16b + orr v29.16b,v3.16b,v3.16b + csel x1,x1,x4,ne // conditional rewind + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" 
+.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext 
v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a2 
//sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + 
add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // 
"T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678af0 
//sha512su1 v16.16b,v23.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 
+ ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v16.2d + ld1 {v16.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b + rev64 v16.16b,v16.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v17.2d + ld1 {v17.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b + 
rev64 v17.16b,v17.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v18.2d + ld1 {v18.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b + rev64 v18.16b,v18.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v19.2d + ld1 {v19.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b + rev64 v19.16b,v19.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v20.2d + ld1 {v20.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b + rev64 v20.16b,v20.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v21.2d + ld1 {v21.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b + rev64 v21.16b,v21.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v22.2d + ld1 {v22.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b + rev64 v22.16b,v22.16b + add 
v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + sub x3,x3,#80*8 // rewind + add v25.2d,v25.2d,v23.2d + ld1 {v23.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b + rev64 v23.16b,v23.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v0.2d,v0.2d,v26.2d // accumulate + add v1.2d,v1.2d,v27.2d + add v2.2d,v2.2d,v28.2d + add v3.2d,v3.2d,v29.2d + + cbnz x2,Loop_hw + + st1 {v0.2d,v1.2d,v2.2d,v3.2d},[x0] // store context + + ldr x29,[sp],#16 + ret + +#endif +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-apple.S index 961f0f7d8..2bfbd644e 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -8,23 +7,13 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - -.globl _sha512_block_data_order -.private_extern _sha512_block_data_order +.globl _sha512_block_data_order_nohw +.private_extern _sha512_block_data_order_nohw .p2align 4 -_sha512_block_data_order: +_sha512_block_data_order_nohw: _CET_ENDBR - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je L$avx_shortcut movq %rsp,%rax pushq %rbx @@ -1820,11 +1809,13 @@ K512: .quad 0x0001020304050607,0x08090a0b0c0d0e0f .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text +.globl _sha512_block_data_order_avx +.private_extern _sha512_block_data_order_avx .p2align 6 -sha512_block_data_order_avx: +_sha512_block_data_order_avx: -L$avx_shortcut: +_CET_ENDBR movq %rsp,%rax pushq %rbx @@ -2986,7 +2977,6 @@ L$epilogue_avx: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-linux.S index e6df1aa58..84552d6c1 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/sha512-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/sha512-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -8,24 +7,13 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P -.globl sha512_block_data_order -.hidden sha512_block_data_order -.type sha512_block_data_order,@function +.globl sha512_block_data_order_nohw +.hidden sha512_block_data_order_nohw +.type sha512_block_data_order_nohw,@function .align 16 -sha512_block_data_order: +sha512_block_data_order_nohw: .cfi_startproc _CET_ENDBR - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 0(%r11),%r9d - movl 4(%r11),%r10d - movl 8(%r11),%r11d - andl $1073741824,%r9d - andl $268435968,%r10d - orl %r9d,%r10d - cmpl $1342177792,%r10d - je .Lavx_shortcut movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -1731,7 +1719,7 @@ _CET_ENDBR .Lepilogue: ret .cfi_endproc -.size sha512_block_data_order,.-sha512_block_data_order +.size sha512_block_data_order_nohw,.-sha512_block_data_order_nohw .section .rodata .align 64 .type K512,@object @@ -1821,11 +1809,13 @@ K512: .quad 0x0001020304050607,0x08090a0b0c0d0e0f .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text +.globl sha512_block_data_order_avx +.hidden sha512_block_data_order_avx .type sha512_block_data_order_avx,@function .align 64 sha512_block_data_order_avx: .cfi_startproc -.Lavx_shortcut: +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax pushq %rbx @@ -2987,7 +2977,6 @@ sha512_block_data_order_avx: .cfi_endproc .size sha512_block_data_order_avx,.-sha512_block_data_order_avx #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv7-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/bcm/vpaes-armv7-linux.S index b7c9d18cf..14dcea0c8 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv7-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv7-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1225,7 +1224,6 @@ vpaes_ctr32_encrypt_blocks: ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-apple.S index d7fcf2723..e36aced4f 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1224,7 +1223,6 @@ Lctr32_done: ret #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-linux.S index 6e55bf416..c3f26be93 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1224,7 +1223,6 @@ vpaes_ctr32_encrypt_blocks: ret .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-win.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-win.S new file mode 100644 index 000000000..715d4b9f3 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-armv8-win.S 
@@ -0,0 +1,1267 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +.section .rodata + + +.align 7 // totally strategic alignment +_vpaes_consts: +Lk_mc_forward: // mc_forward +.quad 0x0407060500030201, 0x0C0F0E0D080B0A09 +.quad 0x080B0A0904070605, 0x000302010C0F0E0D +.quad 0x0C0F0E0D080B0A09, 0x0407060500030201 +.quad 0x000302010C0F0E0D, 0x080B0A0904070605 +Lk_mc_backward: // mc_backward +.quad 0x0605040702010003, 0x0E0D0C0F0A09080B +.quad 0x020100030E0D0C0F, 0x0A09080B06050407 +.quad 0x0E0D0C0F0A09080B, 0x0605040702010003 +.quad 0x0A09080B06050407, 0x020100030E0D0C0F +Lk_sr: // sr +.quad 0x0706050403020100, 0x0F0E0D0C0B0A0908 +.quad 0x030E09040F0A0500, 0x0B06010C07020D08 +.quad 0x0F060D040B020900, 0x070E050C030A0108 +.quad 0x0B0E0104070A0D00, 0x0306090C0F020508 + +// +// "Hot" constants +// +Lk_inv: // inv, inva +.quad 0x0E05060F0D080180, 0x040703090A0B0C02 +.quad 0x01040A060F0B0780, 0x030D0E0C02050809 +Lk_ipt: // input transform (lo, hi) +.quad 0xC2B2E8985A2A7000, 0xCABAE09052227808 +.quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81 +Lk_sbo: // sbou, sbot +.quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878 +.quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA +Lk_sb1: // sb1u, sb1t +.quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF +.quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544 +Lk_sb2: // sb2u, sb2t +.quad 0x69EB88400AE12900, 0xC2A163C8AB82234A +.quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD + +// +// Decryption stuff +// +Lk_dipt: // decryption input transform +.quad 0x0F505B040B545F00, 0x154A411E114E451A +.quad 0x86E383E660056500, 0x12771772F491F194 +Lk_dsbo: // decryption sbox final output +.quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D +.quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C +Lk_dsb9: // decryption sbox output *9*u, *9*t +.quad 0x851C03539A86D600, 0xCAD51F504F994CC9 
+.quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565 +Lk_dsbd: // decryption sbox output *D*u, *D*t +.quad 0x7D57CCDFE6B1A200, 0xF56E9B13882A4439 +.quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3 +Lk_dsbb: // decryption sbox output *B*u, *B*t +.quad 0xD022649296B44200, 0x602646F6B0F2D404 +.quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B +Lk_dsbe: // decryption sbox output *E*u, *E*t +.quad 0x46F2929626D4D000, 0x2242600464B4F6B0 +.quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32 + +// +// Key schedule constants +// +Lk_dksd: // decryption key schedule: invskew x*D +.quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9 +.quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E +Lk_dksb: // decryption key schedule: invskew x*B +.quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99 +.quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8 +Lk_dkse: // decryption key schedule: invskew x*E + 0x63 +.quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086 +.quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487 +Lk_dks9: // decryption key schedule: invskew x*9 +.quad 0xB6116FC87ED9A700, 0x4AED933482255BFC +.quad 0x4576516227143300, 0x8BB89FACE9DAFDCE + +Lk_rcon: // rcon +.quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81 + +Lk_opt: // output transform +.quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808 +.quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0 +Lk_deskew: // deskew tables: inverts the sbox's "skew" +.quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A +.quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77 + +.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,56,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 +.align 2 + +.align 6 + +.text +## +## _aes_preheat +## +## Fills register %r10 -> .aes_consts (so you can -fPIC) +## and %xmm9-%xmm15 as specified below. 
+## +.def _vpaes_encrypt_preheat + .type 32 +.endef +.align 4 +_vpaes_encrypt_preheat: + adrp x10, Lk_inv + add x10, x10, :lo12:Lk_inv + movi v17.16b, #0x0f + ld1 {v18.2d,v19.2d}, [x10],#32 // Lk_inv + ld1 {v20.2d,v21.2d,v22.2d,v23.2d}, [x10],#64 // Lk_ipt, Lk_sbo + ld1 {v24.2d,v25.2d,v26.2d,v27.2d}, [x10] // Lk_sb1, Lk_sb2 + ret + + +## +## _aes_encrypt_core +## +## AES-encrypt %xmm0. +## +## Inputs: +## %xmm0 = input +## %xmm9-%xmm15 as in _vpaes_preheat +## (%rdx) = scheduled keys +## +## Output in %xmm0 +## Clobbers %xmm1-%xmm5, %r9, %r10, %r11, %rax +## Preserves %xmm6 - %xmm8 so you get some local vectors +## +## +.def _vpaes_encrypt_core + .type 32 +.endef +.align 4 +_vpaes_encrypt_core: + mov x9, x2 + ldr w8, [x2,#240] // pull rounds + adrp x11, Lk_mc_forward+16 + add x11, x11, :lo12:Lk_mc_forward+16 + // vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo + ld1 {v16.2d}, [x9], #16 // vmovdqu (%r9), %xmm5 # round0 key + and v1.16b, v7.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 + ushr v0.16b, v7.16b, #4 // vpsrlb $4, %xmm0, %xmm0 + tbl v1.16b, {v20.16b}, v1.16b // vpshufb %xmm1, %xmm2, %xmm1 + // vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi + tbl v2.16b, {v21.16b}, v0.16b // vpshufb %xmm0, %xmm3, %xmm2 + eor v0.16b, v1.16b, v16.16b // vpxor %xmm5, %xmm1, %xmm0 + eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0 + b Lenc_entry + +.align 4 +Lenc_loop: + // middle of middle round + add x10, x11, #0x40 + tbl v4.16b, {v25.16b}, v2.16b // vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u + ld1 {v1.2d}, [x11], #16 // vmovdqa -0x40(%r11,%r10), %xmm1 # Lk_mc_forward[] + tbl v0.16b, {v24.16b}, v3.16b // vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t + eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k + tbl v5.16b, {v27.16b}, v2.16b // vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = A + tbl v2.16b, {v26.16b}, v3.16b // vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t + ld1 {v4.2d}, [x10] // vmovdqa (%r11,%r10), %xmm4 # 
Lk_mc_backward[] + tbl v3.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm3 # 0 = B + eor v2.16b, v2.16b, v5.16b // vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A + tbl v0.16b, {v0.16b}, v4.16b // vpshufb %xmm4, %xmm0, %xmm0 # 3 = D + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B + tbl v4.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C + eor v0.16b, v0.16b, v3.16b // vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D + and x11, x11, #~(1<<6) // and $0x30, %r11 # ... mod 4 + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D + sub w8, w8, #1 // nr-- + +Lenc_entry: + // top of round + and v1.16b, v0.16b, v17.16b // vpand %xmm0, %xmm9, %xmm1 # 0 = k + ushr v0.16b, v0.16b, #4 // vpsrlb $4, %xmm0, %xmm0 # 1 = i + tbl v5.16b, {v19.16b}, v1.16b // vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k + eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j + tbl v3.16b, {v18.16b}, v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i + tbl v4.16b, {v18.16b}, v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j + eor v3.16b, v3.16b, v5.16b // vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k + eor v4.16b, v4.16b, v5.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k + tbl v2.16b, {v18.16b}, v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak + tbl v3.16b, {v18.16b}, v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak + eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io + eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo + ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm5 + cbnz w8, Lenc_loop + + // middle of last round + add x10, x11, #0x80 + // vmovdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo + // vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16 + tbl v4.16b, {v22.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou + ld1 {v1.2d}, [x10] // vmovdqa 0x40(%r11,%r10), %xmm1 # Lk_sr[] + tbl v0.16b, {v23.16b}, v3.16b // vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t + eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k 
+ eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = A + tbl v0.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm0 + ret + + +.globl vpaes_encrypt + +.def vpaes_encrypt + .type 32 +.endef +.align 4 +vpaes_encrypt: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ld1 {v7.16b}, [x0] + bl _vpaes_encrypt_preheat + bl _vpaes_encrypt_core + st1 {v0.16b}, [x1] + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +.def _vpaes_encrypt_2x + .type 32 +.endef +.align 4 +_vpaes_encrypt_2x: + mov x9, x2 + ldr w8, [x2,#240] // pull rounds + adrp x11, Lk_mc_forward+16 + add x11, x11, :lo12:Lk_mc_forward+16 + // vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo + ld1 {v16.2d}, [x9], #16 // vmovdqu (%r9), %xmm5 # round0 key + and v1.16b, v14.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 + ushr v0.16b, v14.16b, #4 // vpsrlb $4, %xmm0, %xmm0 + and v9.16b, v15.16b, v17.16b + ushr v8.16b, v15.16b, #4 + tbl v1.16b, {v20.16b}, v1.16b // vpshufb %xmm1, %xmm2, %xmm1 + tbl v9.16b, {v20.16b}, v9.16b + // vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi + tbl v2.16b, {v21.16b}, v0.16b // vpshufb %xmm0, %xmm3, %xmm2 + tbl v10.16b, {v21.16b}, v8.16b + eor v0.16b, v1.16b, v16.16b // vpxor %xmm5, %xmm1, %xmm0 + eor v8.16b, v9.16b, v16.16b + eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0 + eor v8.16b, v8.16b, v10.16b + b Lenc_2x_entry + +.align 4 +Lenc_2x_loop: + // middle of middle round + add x10, x11, #0x40 + tbl v4.16b, {v25.16b}, v2.16b // vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u + tbl v12.16b, {v25.16b}, v10.16b + ld1 {v1.2d}, [x11], #16 // vmovdqa -0x40(%r11,%r10), %xmm1 # Lk_mc_forward[] + tbl v0.16b, {v24.16b}, v3.16b // vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t + tbl v8.16b, {v24.16b}, v11.16b + eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k + eor v12.16b, v12.16b, v16.16b + tbl v5.16b, {v27.16b}, v2.16b // vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u + tbl v13.16b, {v27.16b}, v10.16b + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, 
%xmm0 # 0 = A + eor v8.16b, v8.16b, v12.16b + tbl v2.16b, {v26.16b}, v3.16b // vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t + tbl v10.16b, {v26.16b}, v11.16b + ld1 {v4.2d}, [x10] // vmovdqa (%r11,%r10), %xmm4 # Lk_mc_backward[] + tbl v3.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm3 # 0 = B + tbl v11.16b, {v8.16b}, v1.16b + eor v2.16b, v2.16b, v5.16b // vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A + eor v10.16b, v10.16b, v13.16b + tbl v0.16b, {v0.16b}, v4.16b // vpshufb %xmm4, %xmm0, %xmm0 # 3 = D + tbl v8.16b, {v8.16b}, v4.16b + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B + eor v11.16b, v11.16b, v10.16b + tbl v4.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C + tbl v12.16b, {v11.16b},v1.16b + eor v0.16b, v0.16b, v3.16b // vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D + eor v8.16b, v8.16b, v11.16b + and x11, x11, #~(1<<6) // and $0x30, %r11 # ... mod 4 + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D + eor v8.16b, v8.16b, v12.16b + sub w8, w8, #1 // nr-- + +Lenc_2x_entry: + // top of round + and v1.16b, v0.16b, v17.16b // vpand %xmm0, %xmm9, %xmm1 # 0 = k + ushr v0.16b, v0.16b, #4 // vpsrlb $4, %xmm0, %xmm0 # 1 = i + and v9.16b, v8.16b, v17.16b + ushr v8.16b, v8.16b, #4 + tbl v5.16b, {v19.16b},v1.16b // vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k + tbl v13.16b, {v19.16b},v9.16b + eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j + eor v9.16b, v9.16b, v8.16b + tbl v3.16b, {v18.16b},v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i + tbl v11.16b, {v18.16b},v8.16b + tbl v4.16b, {v18.16b},v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j + tbl v12.16b, {v18.16b},v9.16b + eor v3.16b, v3.16b, v5.16b // vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k + eor v11.16b, v11.16b, v13.16b + eor v4.16b, v4.16b, v5.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k + eor v12.16b, v12.16b, v13.16b + tbl v2.16b, {v18.16b},v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak + tbl v10.16b, {v18.16b},v11.16b + tbl v3.16b, 
{v18.16b},v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak + tbl v11.16b, {v18.16b},v12.16b + eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io + eor v10.16b, v10.16b, v9.16b + eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo + eor v11.16b, v11.16b, v8.16b + ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm5 + cbnz w8, Lenc_2x_loop + + // middle of last round + add x10, x11, #0x80 + // vmovdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo + // vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16 + tbl v4.16b, {v22.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou + tbl v12.16b, {v22.16b}, v10.16b + ld1 {v1.2d}, [x10] // vmovdqa 0x40(%r11,%r10), %xmm1 # Lk_sr[] + tbl v0.16b, {v23.16b}, v3.16b // vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t + tbl v8.16b, {v23.16b}, v11.16b + eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k + eor v12.16b, v12.16b, v16.16b + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = A + eor v8.16b, v8.16b, v12.16b + tbl v0.16b, {v0.16b},v1.16b // vpshufb %xmm1, %xmm0, %xmm0 + tbl v1.16b, {v8.16b},v1.16b + ret + + +.def _vpaes_decrypt_preheat + .type 32 +.endef +.align 4 +_vpaes_decrypt_preheat: + adrp x10, Lk_inv + add x10, x10, :lo12:Lk_inv + movi v17.16b, #0x0f + adrp x11, Lk_dipt + add x11, x11, :lo12:Lk_dipt + ld1 {v18.2d,v19.2d}, [x10],#32 // Lk_inv + ld1 {v20.2d,v21.2d,v22.2d,v23.2d}, [x11],#64 // Lk_dipt, Lk_dsbo + ld1 {v24.2d,v25.2d,v26.2d,v27.2d}, [x11],#64 // Lk_dsb9, Lk_dsbd + ld1 {v28.2d,v29.2d,v30.2d,v31.2d}, [x11] // Lk_dsbb, Lk_dsbe + ret + + +## +## Decryption core +## +## Same API as encryption core. 
+## +.def _vpaes_decrypt_core + .type 32 +.endef +.align 4 +_vpaes_decrypt_core: + mov x9, x2 + ldr w8, [x2,#240] // pull rounds + + // vmovdqa .Lk_dipt(%rip), %xmm2 # iptlo + lsl x11, x8, #4 // mov %rax, %r11; shl $4, %r11 + eor x11, x11, #0x30 // xor $0x30, %r11 + adrp x10, Lk_sr + add x10, x10, :lo12:Lk_sr + and x11, x11, #0x30 // and $0x30, %r11 + add x11, x11, x10 + adrp x10, Lk_mc_forward+48 + add x10, x10, :lo12:Lk_mc_forward+48 + + ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm4 # round0 key + and v1.16b, v7.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 + ushr v0.16b, v7.16b, #4 // vpsrlb $4, %xmm0, %xmm0 + tbl v2.16b, {v20.16b}, v1.16b // vpshufb %xmm1, %xmm2, %xmm2 + ld1 {v5.2d}, [x10] // vmovdqa Lk_mc_forward+48(%rip), %xmm5 + // vmovdqa .Lk_dipt+16(%rip), %xmm1 # ipthi + tbl v0.16b, {v21.16b}, v0.16b // vpshufb %xmm0, %xmm1, %xmm0 + eor v2.16b, v2.16b, v16.16b // vpxor %xmm4, %xmm2, %xmm2 + eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0 + b Ldec_entry + +.align 4 +Ldec_loop: +// +// Inverse mix columns +// + // vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u + // vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t + tbl v4.16b, {v24.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u + tbl v1.16b, {v25.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t + eor v0.16b, v4.16b, v16.16b // vpxor %xmm4, %xmm0, %xmm0 + // vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + // vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt + + tbl v4.16b, {v26.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu + tbl v0.16b, {v0.16b}, v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch + tbl v1.16b, {v27.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch + // vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + // vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt + + tbl v4.16b, {v28.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu + tbl 
v0.16b, {v0.16b}, v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch + tbl v1.16b, {v29.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch + // vmovdqa 0x40(%r10), %xmm4 # 4 : sbeu + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + // vmovdqa 0x50(%r10), %xmm1 # 0 : sbet + + tbl v4.16b, {v30.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu + tbl v0.16b, {v0.16b}, v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch + tbl v1.16b, {v31.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch + ext v5.16b, v5.16b, v5.16b, #12 // vpalignr $12, %xmm5, %xmm5, %xmm5 + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + sub w8, w8, #1 // sub $1,%rax # nr-- + +Ldec_entry: + // top of round + and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 # 0 = k + ushr v0.16b, v0.16b, #4 // vpsrlb $4, %xmm0, %xmm0 # 1 = i + tbl v2.16b, {v19.16b}, v1.16b // vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k + eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j + tbl v3.16b, {v18.16b}, v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i + tbl v4.16b, {v18.16b}, v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k + eor v4.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k + tbl v2.16b, {v18.16b}, v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak + tbl v3.16b, {v18.16b}, v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak + eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io + eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo + ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm0 + cbnz w8, Ldec_loop + + // middle of last round + // vmovdqa 0x60(%r10), %xmm4 # 3 : sbou + tbl v4.16b, {v22.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou + // vmovdqa 0x70(%r10), %xmm1 # 0 : sbot + ld1 {v2.2d}, [x11] // 
vmovdqa -0x160(%r11), %xmm2 # Lk_sr-Lk_dsbd=-0x160 + tbl v1.16b, {v23.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t + eor v4.16b, v4.16b, v16.16b // vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k + eor v0.16b, v1.16b, v4.16b // vpxor %xmm4, %xmm1, %xmm0 # 0 = A + tbl v0.16b, {v0.16b}, v2.16b // vpshufb %xmm2, %xmm0, %xmm0 + ret + + +.globl vpaes_decrypt + +.def vpaes_decrypt + .type 32 +.endef +.align 4 +vpaes_decrypt: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ld1 {v7.16b}, [x0] + bl _vpaes_decrypt_preheat + bl _vpaes_decrypt_core + st1 {v0.16b}, [x1] + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// v14-v15 input, v0-v1 output +.def _vpaes_decrypt_2x + .type 32 +.endef +.align 4 +_vpaes_decrypt_2x: + mov x9, x2 + ldr w8, [x2,#240] // pull rounds + + // vmovdqa .Lk_dipt(%rip), %xmm2 # iptlo + lsl x11, x8, #4 // mov %rax, %r11; shl $4, %r11 + eor x11, x11, #0x30 // xor $0x30, %r11 + adrp x10, Lk_sr + add x10, x10, :lo12:Lk_sr + and x11, x11, #0x30 // and $0x30, %r11 + add x11, x11, x10 + adrp x10, Lk_mc_forward+48 + add x10, x10, :lo12:Lk_mc_forward+48 + + ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm4 # round0 key + and v1.16b, v14.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 + ushr v0.16b, v14.16b, #4 // vpsrlb $4, %xmm0, %xmm0 + and v9.16b, v15.16b, v17.16b + ushr v8.16b, v15.16b, #4 + tbl v2.16b, {v20.16b},v1.16b // vpshufb %xmm1, %xmm2, %xmm2 + tbl v10.16b, {v20.16b},v9.16b + ld1 {v5.2d}, [x10] // vmovdqa Lk_mc_forward+48(%rip), %xmm5 + // vmovdqa .Lk_dipt+16(%rip), %xmm1 # ipthi + tbl v0.16b, {v21.16b},v0.16b // vpshufb %xmm0, %xmm1, %xmm0 + tbl v8.16b, {v21.16b},v8.16b + eor v2.16b, v2.16b, v16.16b // vpxor %xmm4, %xmm2, %xmm2 + eor v10.16b, v10.16b, v16.16b + eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0 + eor v8.16b, v8.16b, v10.16b + b Ldec_2x_entry + +.align 4 +Ldec_2x_loop: +// +// Inverse mix columns +// + // vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u + // vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t + 
tbl v4.16b, {v24.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u + tbl v12.16b, {v24.16b}, v10.16b + tbl v1.16b, {v25.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t + tbl v9.16b, {v25.16b}, v11.16b + eor v0.16b, v4.16b, v16.16b // vpxor %xmm4, %xmm0, %xmm0 + eor v8.16b, v12.16b, v16.16b + // vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + eor v8.16b, v8.16b, v9.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + // vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt + + tbl v4.16b, {v26.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu + tbl v12.16b, {v26.16b}, v10.16b + tbl v0.16b, {v0.16b},v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch + tbl v8.16b, {v8.16b},v5.16b + tbl v1.16b, {v27.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt + tbl v9.16b, {v27.16b}, v11.16b + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch + eor v8.16b, v8.16b, v12.16b + // vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + eor v8.16b, v8.16b, v9.16b + // vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt + + tbl v4.16b, {v28.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu + tbl v12.16b, {v28.16b}, v10.16b + tbl v0.16b, {v0.16b},v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch + tbl v8.16b, {v8.16b},v5.16b + tbl v1.16b, {v29.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt + tbl v9.16b, {v29.16b}, v11.16b + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch + eor v8.16b, v8.16b, v12.16b + // vmovdqa 0x40(%r10), %xmm4 # 4 : sbeu + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + eor v8.16b, v8.16b, v9.16b + // vmovdqa 0x50(%r10), %xmm1 # 0 : sbet + + tbl v4.16b, {v30.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu + tbl v12.16b, {v30.16b}, v10.16b + tbl v0.16b, {v0.16b},v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch + tbl v8.16b, {v8.16b},v5.16b + tbl v1.16b, {v31.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet + tbl 
v9.16b, {v31.16b}, v11.16b + eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch + eor v8.16b, v8.16b, v12.16b + ext v5.16b, v5.16b, v5.16b, #12 // vpalignr $12, %xmm5, %xmm5, %xmm5 + eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch + eor v8.16b, v8.16b, v9.16b + sub w8, w8, #1 // sub $1,%rax # nr-- + +Ldec_2x_entry: + // top of round + and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 # 0 = k + ushr v0.16b, v0.16b, #4 // vpsrlb $4, %xmm0, %xmm0 # 1 = i + and v9.16b, v8.16b, v17.16b + ushr v8.16b, v8.16b, #4 + tbl v2.16b, {v19.16b},v1.16b // vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k + tbl v10.16b, {v19.16b},v9.16b + eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j + eor v9.16b, v9.16b, v8.16b + tbl v3.16b, {v18.16b},v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i + tbl v11.16b, {v18.16b},v8.16b + tbl v4.16b, {v18.16b},v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j + tbl v12.16b, {v18.16b},v9.16b + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k + eor v11.16b, v11.16b, v10.16b + eor v4.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k + eor v12.16b, v12.16b, v10.16b + tbl v2.16b, {v18.16b},v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak + tbl v10.16b, {v18.16b},v11.16b + tbl v3.16b, {v18.16b},v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak + tbl v11.16b, {v18.16b},v12.16b + eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io + eor v10.16b, v10.16b, v9.16b + eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo + eor v11.16b, v11.16b, v8.16b + ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm0 + cbnz w8, Ldec_2x_loop + + // middle of last round + // vmovdqa 0x60(%r10), %xmm4 # 3 : sbou + tbl v4.16b, {v22.16b}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou + tbl v12.16b, {v22.16b}, v10.16b + // vmovdqa 0x70(%r10), %xmm1 # 0 : sbot + tbl v1.16b, {v23.16b}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t + tbl v9.16b, {v23.16b}, v11.16b + 
ld1 {v2.2d}, [x11] // vmovdqa -0x160(%r11), %xmm2 # Lk_sr-Lk_dsbd=-0x160 + eor v4.16b, v4.16b, v16.16b // vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k + eor v12.16b, v12.16b, v16.16b + eor v0.16b, v1.16b, v4.16b // vpxor %xmm4, %xmm1, %xmm0 # 0 = A + eor v8.16b, v9.16b, v12.16b + tbl v0.16b, {v0.16b},v2.16b // vpshufb %xmm2, %xmm0, %xmm0 + tbl v1.16b, {v8.16b},v2.16b + ret + +######################################################## +## ## +## AES key schedule ## +## ## +######################################################## +.def _vpaes_key_preheat + .type 32 +.endef +.align 4 +_vpaes_key_preheat: + adrp x10, Lk_inv + add x10, x10, :lo12:Lk_inv + movi v16.16b, #0x5b // Lk_s63 + adrp x11, Lk_sb1 + add x11, x11, :lo12:Lk_sb1 + movi v17.16b, #0x0f // Lk_s0F + ld1 {v18.2d,v19.2d,v20.2d,v21.2d}, [x10] // Lk_inv, Lk_ipt + adrp x10, Lk_dksd + add x10, x10, :lo12:Lk_dksd + ld1 {v22.2d,v23.2d}, [x11] // Lk_sb1 + adrp x11, Lk_mc_forward + add x11, x11, :lo12:Lk_mc_forward + ld1 {v24.2d,v25.2d,v26.2d,v27.2d}, [x10],#64 // Lk_dksd, Lk_dksb + ld1 {v28.2d,v29.2d,v30.2d,v31.2d}, [x10],#64 // Lk_dkse, Lk_dks9 + ld1 {v8.2d}, [x10] // Lk_rcon + ld1 {v9.2d}, [x11] // Lk_mc_forward[0] + ret + + +.def _vpaes_schedule_core + .type 32 +.endef +.align 4 +_vpaes_schedule_core: + AARCH64_SIGN_LINK_REGISTER + stp x29, x30, [sp,#-16]! 
+ add x29,sp,#0 + + bl _vpaes_key_preheat // load the tables + + ld1 {v0.16b}, [x0],#16 // vmovdqu (%rdi), %xmm0 # load key (unaligned) + + // input transform + mov v3.16b, v0.16b // vmovdqa %xmm0, %xmm3 + bl _vpaes_schedule_transform + mov v7.16b, v0.16b // vmovdqa %xmm0, %xmm7 + + adrp x10, Lk_sr // lea Lk_sr(%rip),%r10 + add x10, x10, :lo12:Lk_sr + + add x8, x8, x10 + cbnz w3, Lschedule_am_decrypting + + // encrypting, output zeroth round key after transform + st1 {v0.2d}, [x2] // vmovdqu %xmm0, (%rdx) + b Lschedule_go + +Lschedule_am_decrypting: + // decrypting, output zeroth round key after shiftrows + ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10), %xmm1 + tbl v3.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3 + st1 {v3.2d}, [x2] // vmovdqu %xmm3, (%rdx) + eor x8, x8, #0x30 // xor $0x30, %r8 + +Lschedule_go: + cmp w1, #192 // cmp $192, %esi + b.hi Lschedule_256 + b.eq Lschedule_192 + // 128: fall though + +## +## .schedule_128 +## +## 128-bit specific part of key schedule. +## +## This schedule is really simple, because all its parts +## are accomplished by the subroutines. +## +Lschedule_128: + mov x0, #10 // mov $10, %esi + +Loop_schedule_128: + sub x0, x0, #1 // dec %esi + bl _vpaes_schedule_round + cbz x0, Lschedule_mangle_last + bl _vpaes_schedule_mangle // write output + b Loop_schedule_128 + +## +## .aes_schedule_192 +## +## 192-bit specific part of key schedule. +## +## The main body of this schedule is the same as the 128-bit +## schedule, but with more smearing. The long, high side is +## stored in %xmm7 as before, and the short, low side is in +## the high bits of %xmm6. +## +## This schedule is somewhat nastier, however, because each +## round produces 192 bits of key material, or 1.5 round keys. +## Therefore, on each cycle we do 2 rounds and produce 3 round +## keys. 
+## +.align 4 +Lschedule_192: + sub x0, x0, #8 + ld1 {v0.16b}, [x0] // vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned) + bl _vpaes_schedule_transform // input transform + mov v6.16b, v0.16b // vmovdqa %xmm0, %xmm6 # save short part + eor v4.16b, v4.16b, v4.16b // vpxor %xmm4, %xmm4, %xmm4 # clear 4 + ins v6.d[0], v4.d[0] // vmovhlps %xmm4, %xmm6, %xmm6 # clobber low side with zeros + mov x0, #4 // mov $4, %esi + +Loop_schedule_192: + sub x0, x0, #1 // dec %esi + bl _vpaes_schedule_round + ext v0.16b, v6.16b, v0.16b, #8 // vpalignr $8,%xmm6,%xmm0,%xmm0 + bl _vpaes_schedule_mangle // save key n + bl _vpaes_schedule_192_smear + bl _vpaes_schedule_mangle // save key n+1 + bl _vpaes_schedule_round + cbz x0, Lschedule_mangle_last + bl _vpaes_schedule_mangle // save key n+2 + bl _vpaes_schedule_192_smear + b Loop_schedule_192 + +## +## .aes_schedule_256 +## +## 256-bit specific part of key schedule. +## +## The structure here is very similar to the 128-bit +## schedule, but with an additional "low side" in +## %xmm6. The low side's rounds are the same as the +## high side's, except no rcon and no rotation. +## +.align 4 +Lschedule_256: + ld1 {v0.16b}, [x0] // vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned) + bl _vpaes_schedule_transform // input transform + mov x0, #7 // mov $7, %esi + +Loop_schedule_256: + sub x0, x0, #1 // dec %esi + bl _vpaes_schedule_mangle // output low result + mov v6.16b, v0.16b // vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6 + + // high round + bl _vpaes_schedule_round + cbz x0, Lschedule_mangle_last + bl _vpaes_schedule_mangle + + // low round. 
swap xmm7 and xmm6 + dup v0.4s, v0.s[3] // vpshufd $0xFF, %xmm0, %xmm0 + movi v4.16b, #0 + mov v5.16b, v7.16b // vmovdqa %xmm7, %xmm5 + mov v7.16b, v6.16b // vmovdqa %xmm6, %xmm7 + bl _vpaes_schedule_low_round + mov v7.16b, v5.16b // vmovdqa %xmm5, %xmm7 + + b Loop_schedule_256 + +## +## .aes_schedule_mangle_last +## +## Mangler for last round of key schedule +## Mangles %xmm0 +## when encrypting, outputs out(%xmm0) ^ 63 +## when decrypting, outputs unskew(%xmm0) +## +## Always called right before return... jumps to cleanup and exits +## +.align 4 +Lschedule_mangle_last: + // schedule last round key from xmm0 + adrp x11, Lk_deskew // lea Lk_deskew(%rip),%r11 # prepare to deskew + add x11, x11, :lo12:Lk_deskew + + cbnz w3, Lschedule_mangle_last_dec + + // encrypting + ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10),%xmm1 + adrp x11, Lk_opt // lea Lk_opt(%rip), %r11 # prepare to output transform + add x11, x11, :lo12:Lk_opt + add x2, x2, #32 // add $32, %rdx + tbl v0.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm0 # output permute + +Lschedule_mangle_last_dec: + ld1 {v20.2d,v21.2d}, [x11] // reload constants + sub x2, x2, #16 // add $-16, %rdx + eor v0.16b, v0.16b, v16.16b // vpxor Lk_s63(%rip), %xmm0, %xmm0 + bl _vpaes_schedule_transform // output transform + st1 {v0.2d}, [x2] // vmovdqu %xmm0, (%rdx) # save last key + + // cleanup + eor v0.16b, v0.16b, v0.16b // vpxor %xmm0, %xmm0, %xmm0 + eor v1.16b, v1.16b, v1.16b // vpxor %xmm1, %xmm1, %xmm1 + eor v2.16b, v2.16b, v2.16b // vpxor %xmm2, %xmm2, %xmm2 + eor v3.16b, v3.16b, v3.16b // vpxor %xmm3, %xmm3, %xmm3 + eor v4.16b, v4.16b, v4.16b // vpxor %xmm4, %xmm4, %xmm4 + eor v5.16b, v5.16b, v5.16b // vpxor %xmm5, %xmm5, %xmm5 + eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6 + eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7 + ldp x29, x30, [sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +## +## .aes_schedule_192_smear +## +## Smear the short, low side in the 192-bit key schedule. 
+## +## Inputs: +## %xmm7: high side, b a x y +## %xmm6: low side, d c 0 0 +## %xmm13: 0 +## +## Outputs: +## %xmm6: b+c+d b+c 0 0 +## %xmm0: b+c+d b+c b a +## +.def _vpaes_schedule_192_smear + .type 32 +.endef +.align 4 +_vpaes_schedule_192_smear: + movi v1.16b, #0 + dup v0.4s, v7.s[3] + ins v1.s[3], v6.s[2] // vpshufd $0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0 + ins v0.s[0], v7.s[2] // vpshufd $0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a + eor v6.16b, v6.16b, v1.16b // vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0 + eor v1.16b, v1.16b, v1.16b // vpxor %xmm1, %xmm1, %xmm1 + eor v6.16b, v6.16b, v0.16b // vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a + mov v0.16b, v6.16b // vmovdqa %xmm6, %xmm0 + ins v6.d[0], v1.d[0] // vmovhlps %xmm1, %xmm6, %xmm6 # clobber low side with zeros + ret + + +## +## .aes_schedule_round +## +## Runs one main round of the key schedule on %xmm0, %xmm7 +## +## Specifically, runs subbytes on the high dword of %xmm0 +## then rotates it by one byte and xors into the low dword of +## %xmm7. +## +## Adds rcon from low byte of %xmm8, then rotates %xmm8 for +## next rcon. +## +## Smears the dwords of %xmm7 by xoring the low into the +## second low, result into third, result into highest. +## +## Returns results in %xmm7 = %xmm0. +## Clobbers %xmm1-%xmm4, %r11. +## +.def _vpaes_schedule_round + .type 32 +.endef +.align 4 +_vpaes_schedule_round: + // extract rcon from xmm8 + movi v4.16b, #0 // vpxor %xmm4, %xmm4, %xmm4 + ext v1.16b, v8.16b, v4.16b, #15 // vpalignr $15, %xmm8, %xmm4, %xmm1 + ext v8.16b, v8.16b, v8.16b, #15 // vpalignr $15, %xmm8, %xmm8, %xmm8 + eor v7.16b, v7.16b, v1.16b // vpxor %xmm1, %xmm7, %xmm7 + + // rotate + dup v0.4s, v0.s[3] // vpshufd $0xFF, %xmm0, %xmm0 + ext v0.16b, v0.16b, v0.16b, #1 // vpalignr $1, %xmm0, %xmm0, %xmm0 + + // fall through... + + // low round: same as high round, but no rotation and no rcon. 
+_vpaes_schedule_low_round: + // smear xmm7 + ext v1.16b, v4.16b, v7.16b, #12 // vpslldq $4, %xmm7, %xmm1 + eor v7.16b, v7.16b, v1.16b // vpxor %xmm1, %xmm7, %xmm7 + ext v4.16b, v4.16b, v7.16b, #8 // vpslldq $8, %xmm7, %xmm4 + + // subbytes + and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 # 0 = k + ushr v0.16b, v0.16b, #4 // vpsrlb $4, %xmm0, %xmm0 # 1 = i + eor v7.16b, v7.16b, v4.16b // vpxor %xmm4, %xmm7, %xmm7 + tbl v2.16b, {v19.16b}, v1.16b // vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k + eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j + tbl v3.16b, {v18.16b}, v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k + tbl v4.16b, {v18.16b}, v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j + eor v7.16b, v7.16b, v16.16b // vpxor Lk_s63(%rip), %xmm7, %xmm7 + tbl v3.16b, {v18.16b}, v3.16b // vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak + eor v4.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k + tbl v2.16b, {v18.16b}, v4.16b // vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak + eor v3.16b, v3.16b, v1.16b // vpxor %xmm1, %xmm3, %xmm3 # 2 = io + eor v2.16b, v2.16b, v0.16b // vpxor %xmm0, %xmm2, %xmm2 # 3 = jo + tbl v4.16b, {v23.16b}, v3.16b // vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou + tbl v1.16b, {v22.16b}, v2.16b // vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t + eor v1.16b, v1.16b, v4.16b // vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output + + // add in smeared stuff + eor v0.16b, v1.16b, v7.16b // vpxor %xmm7, %xmm1, %xmm0 + eor v7.16b, v1.16b, v7.16b // vmovdqa %xmm0, %xmm7 + ret + + +## +## .aes_schedule_transform +## +## Linear-transform %xmm0 according to tables at (%r11) +## +## Requires that %xmm9 = 0x0F0F... 
as in preheat +## Output in %xmm0 +## Clobbers %xmm1, %xmm2 +## +.def _vpaes_schedule_transform + .type 32 +.endef +.align 4 +_vpaes_schedule_transform: + and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 + ushr v0.16b, v0.16b, #4 // vpsrlb $4, %xmm0, %xmm0 + // vmovdqa (%r11), %xmm2 # lo + tbl v2.16b, {v20.16b}, v1.16b // vpshufb %xmm1, %xmm2, %xmm2 + // vmovdqa 16(%r11), %xmm1 # hi + tbl v0.16b, {v21.16b}, v0.16b // vpshufb %xmm0, %xmm1, %xmm0 + eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0 + ret + + +## +## .aes_schedule_mangle +## +## Mangle xmm0 from (basis-transformed) standard version +## to our version. +## +## On encrypt, +## xor with 0x63 +## multiply by circulant 0,1,1,1 +## apply shiftrows transform +## +## On decrypt, +## xor with 0x63 +## multiply by "inverse mixcolumns" circulant E,B,D,9 +## deskew +## apply shiftrows transform +## +## +## Writes out to (%rdx), and increments or decrements it +## Keeps track of round number mod 4 in %r8 +## Preserves xmm0 +## Clobbers xmm1-xmm5 +## +.def _vpaes_schedule_mangle + .type 32 +.endef +.align 4 +_vpaes_schedule_mangle: + mov v4.16b, v0.16b // vmovdqa %xmm0, %xmm4 # save xmm0 for later + // vmovdqa .Lk_mc_forward(%rip),%xmm5 + cbnz w3, Lschedule_mangle_dec + + // encrypting + eor v4.16b, v0.16b, v16.16b // vpxor Lk_s63(%rip), %xmm0, %xmm4 + add x2, x2, #16 // add $16, %rdx + tbl v4.16b, {v4.16b}, v9.16b // vpshufb %xmm5, %xmm4, %xmm4 + tbl v1.16b, {v4.16b}, v9.16b // vpshufb %xmm5, %xmm4, %xmm1 + tbl v3.16b, {v1.16b}, v9.16b // vpshufb %xmm5, %xmm1, %xmm3 + eor v4.16b, v4.16b, v1.16b // vpxor %xmm1, %xmm4, %xmm4 + ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10), %xmm1 + eor v3.16b, v3.16b, v4.16b // vpxor %xmm4, %xmm3, %xmm3 + + b Lschedule_mangle_both +.align 4 +Lschedule_mangle_dec: + // inverse mix columns + // lea .Lk_dksd(%rip),%r11 + ushr v1.16b, v4.16b, #4 // vpsrlb $4, %xmm4, %xmm1 # 1 = hi + and v4.16b, v4.16b, v17.16b // vpand %xmm9, %xmm4, %xmm4 # 4 = lo + + // vmovdqa 0x00(%r11), %xmm2 
+ tbl v2.16b, {v24.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2 + // vmovdqa 0x10(%r11), %xmm3 + tbl v3.16b, {v25.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3 + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 + tbl v3.16b, {v3.16b}, v9.16b // vpshufb %xmm5, %xmm3, %xmm3 + + // vmovdqa 0x20(%r11), %xmm2 + tbl v2.16b, {v26.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2 + eor v2.16b, v2.16b, v3.16b // vpxor %xmm3, %xmm2, %xmm2 + // vmovdqa 0x30(%r11), %xmm3 + tbl v3.16b, {v27.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3 + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 + tbl v3.16b, {v3.16b}, v9.16b // vpshufb %xmm5, %xmm3, %xmm3 + + // vmovdqa 0x40(%r11), %xmm2 + tbl v2.16b, {v28.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2 + eor v2.16b, v2.16b, v3.16b // vpxor %xmm3, %xmm2, %xmm2 + // vmovdqa 0x50(%r11), %xmm3 + tbl v3.16b, {v29.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3 + eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 + + // vmovdqa 0x60(%r11), %xmm2 + tbl v2.16b, {v30.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2 + tbl v3.16b, {v3.16b}, v9.16b // vpshufb %xmm5, %xmm3, %xmm3 + // vmovdqa 0x70(%r11), %xmm4 + tbl v4.16b, {v31.16b}, v1.16b // vpshufb %xmm1, %xmm4, %xmm4 + ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10), %xmm1 + eor v2.16b, v2.16b, v3.16b // vpxor %xmm3, %xmm2, %xmm2 + eor v3.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm3 + + sub x2, x2, #16 // add $-16, %rdx + +Lschedule_mangle_both: + tbl v3.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3 + add x8, x8, #48 // add $-16, %r8 + and x8, x8, #~(1<<6) // and $0x30, %r8 + st1 {v3.2d}, [x2] // vmovdqu %xmm3, (%rdx) + ret + + +.globl vpaes_set_encrypt_key + +.def vpaes_set_encrypt_key + .type 32 +.endef +.align 4 +vpaes_set_encrypt_key: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! 
// ABI spec says so + + lsr w9, w1, #5 // shr $5,%eax + add w9, w9, #5 // $5,%eax + str w9, [x2,#240] // mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; + + mov w3, #0 // mov $0,%ecx + mov x8, #0x30 // mov $0x30,%r8d + bl _vpaes_schedule_core + eor x0, x0, x0 + + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +.globl vpaes_set_decrypt_key + +.def vpaes_set_decrypt_key + .type 32 +.endef +.align 4 +vpaes_set_decrypt_key: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! // ABI spec says so + + lsr w9, w1, #5 // shr $5,%eax + add w9, w9, #5 // $5,%eax + str w9, [x2,#240] // mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; + lsl w9, w9, #4 // shl $4,%eax + add x2, x2, #16 // lea 16(%rdx,%rax),%rdx + add x2, x2, x9 + + mov w3, #1 // mov $1,%ecx + lsr w8, w1, #1 // shr $1,%r8d + and x8, x8, #32 // and $32,%r8d + eor x8, x8, #32 // xor $32,%r8d # nbits==192?0:32 + bl _vpaes_schedule_core + + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl vpaes_cbc_encrypt + +.def vpaes_cbc_encrypt + .type 32 +.endef +.align 4 +vpaes_cbc_encrypt: + AARCH64_SIGN_LINK_REGISTER + cbz x2, Lcbc_abort + cmp w5, #0 // check direction + b.eq vpaes_cbc_decrypt + + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + mov x17, x2 // reassign + mov x2, x3 // reassign + + ld1 {v0.16b}, [x4] // load ivec + bl _vpaes_encrypt_preheat + b Lcbc_enc_loop + +.align 4 +Lcbc_enc_loop: + ld1 {v7.16b}, [x0],#16 // load input + eor v7.16b, v7.16b, v0.16b // xor with ivec + bl _vpaes_encrypt_core + st1 {v0.16b}, [x1],#16 // save output + subs x17, x17, #16 + b.hi Lcbc_enc_loop + + st1 {v0.16b}, [x4] // write ivec + + ldp x29,x30,[sp],#16 +Lcbc_abort: + AARCH64_VALIDATE_LINK_REGISTER + ret + + +.def vpaes_cbc_decrypt + .type 32 +.endef +.align 4 +vpaes_cbc_decrypt: + // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to + // only from vpaes_cbc_encrypt which has already signed the return address. + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! // ABI spec says so + stp d10,d11,[sp,#-16]! + stp d12,d13,[sp,#-16]! + stp d14,d15,[sp,#-16]! + + mov x17, x2 // reassign + mov x2, x3 // reassign + ld1 {v6.16b}, [x4] // load ivec + bl _vpaes_decrypt_preheat + tst x17, #16 + b.eq Lcbc_dec_loop2x + + ld1 {v7.16b}, [x0], #16 // load input + bl _vpaes_decrypt_core + eor v0.16b, v0.16b, v6.16b // xor with ivec + orr v6.16b, v7.16b, v7.16b // next ivec value + st1 {v0.16b}, [x1], #16 + subs x17, x17, #16 + b.ls Lcbc_dec_done + +.align 4 +Lcbc_dec_loop2x: + ld1 {v14.16b,v15.16b}, [x0], #32 + bl _vpaes_decrypt_2x + eor v0.16b, v0.16b, v6.16b // xor with ivec + eor v1.16b, v1.16b, v14.16b + orr v6.16b, v15.16b, v15.16b + st1 {v0.16b,v1.16b}, [x1], #32 + subs x17, x17, #32 + b.hi Lcbc_dec_loop2x + +Lcbc_dec_done: + st1 {v6.16b}, [x4] + + ldp d14,d15,[sp],#16 + ldp d12,d13,[sp],#16 + ldp d10,d11,[sp],#16 + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl vpaes_ctr32_encrypt_blocks + +.def vpaes_ctr32_encrypt_blocks + .type 32 +.endef +.align 4 +vpaes_ctr32_encrypt_blocks: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + stp d8,d9,[sp,#-16]! 
// ABI spec says so + stp d10,d11,[sp,#-16]! + stp d12,d13,[sp,#-16]! + stp d14,d15,[sp,#-16]! + + cbz x2, Lctr32_done + + // Note, unlike the other functions, x2 here is measured in blocks, + // not bytes. + mov x17, x2 + mov x2, x3 + + // Load the IV and counter portion. + ldr w6, [x4, #12] + ld1 {v7.16b}, [x4] + + bl _vpaes_encrypt_preheat + tst x17, #1 + rev w6, w6 // The counter is big-endian. + b.eq Lctr32_prep_loop + + // Handle one block so the remaining block count is even for + // _vpaes_encrypt_2x. + ld1 {v6.16b}, [x0], #16 // Load input ahead of time + bl _vpaes_encrypt_core + eor v0.16b, v0.16b, v6.16b // XOR input and result + st1 {v0.16b}, [x1], #16 + subs x17, x17, #1 + // Update the counter. + add w6, w6, #1 + rev w7, w6 + mov v7.s[3], w7 + b.ls Lctr32_done + +Lctr32_prep_loop: + // _vpaes_encrypt_core takes its input from v7, while _vpaes_encrypt_2x + // uses v14 and v15. + mov v15.16b, v7.16b + mov v14.16b, v7.16b + add w6, w6, #1 + rev w7, w6 + mov v15.s[3], w7 + +Lctr32_loop: + ld1 {v6.16b,v7.16b}, [x0], #32 // Load input ahead of time + bl _vpaes_encrypt_2x + eor v0.16b, v0.16b, v6.16b // XOR input and result + eor v1.16b, v1.16b, v7.16b // XOR input and result (#2) + st1 {v0.16b,v1.16b}, [x1], #32 + subs x17, x17, #2 + // Update the counter. + add w7, w6, #1 + add w6, w6, #2 + rev w7, w7 + mov v14.s[3], w7 + rev w7, w6 + mov v15.s[3], w7 + b.hi Lctr32_loop + +Lctr32_done: + ldp d14,d15,[sp],#16 + ldp d12,d13,[sp],#16 + ldp d10,d11,[sp],#16 + ldp d8,d9,[sp],#16 + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-apple.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-apple.S new file mode 100644 index 000000000..886574278 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-apple.S 
@@ -0,0 +1,685 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +#ifdef BORINGSSL_DISPATCH_TEST +#endif +.align 6,0x90 +L_vpaes_consts: +.long 218628480,235210255,168496130,67568393 +.long 252381056,17041926,33884169,51187212 +.long 252645135,252645135,252645135,252645135 +.long 1512730624,3266504856,1377990664,3401244816 +.long 830229760,1275146365,2969422977,3447763452 +.long 3411033600,2979783055,338359620,2782886510 +.long 4209124096,907596821,221174255,1006095553 +.long 191964160,3799684038,3164090317,1589111125 +.long 182528256,1777043520,2877432650,3265356744 +.long 1874708224,3503451415,3305285752,363511674 +.long 1606117888,3487855781,1093350906,2384367825 +.long 197121,67569157,134941193,202313229 +.long 67569157,134941193,202313229,197121 +.long 134941193,202313229,197121,67569157 +.long 202313229,197121,67569157,134941193 +.long 33619971,100992007,168364043,235736079 +.long 235736079,33619971,100992007,168364043 +.long 168364043,235736079,33619971,100992007 +.long 100992007,168364043,235736079,33619971 +.long 50462976,117835012,185207048,252579084 +.long 252314880,51251460,117574920,184942860 +.long 184682752,252054788,50987272,118359308 +.long 118099200,185467140,251790600,50727180 +.long 2946363062,528716217,1300004225,1881839624 +.long 1532713819,1532713819,1532713819,1532713819 +.long 3602276352,4288629033,3737020424,4153884961 +.long 1354558464,32357713,2958822624,3775749553 +.long 1201988352,132424512,1572796698,503232858 +.long 2213177600,1597421020,4103937655,675398315 +.long 2749646592,4273543773,1511898873,121693092 +.long 3040248576,1103263732,2871565598,1608280554 +.long 2236667136,2588920351,482954393,64377734 +.long 3069987328,291237287,2117370568,3650299247 +.long 533321216,3573750986,2572112006,1401264716 +.long 
1339849704,2721158661,548607111,3445553514 +.long 2128193280,3054596040,2183486460,1257083700 +.long 655635200,1165381986,3923443150,2344132524 +.long 190078720,256924420,290342170,357187870 +.long 1610966272,2263057382,4103205268,309794674 +.long 2592527872,2233205587,1335446729,3402964816 +.long 3973531904,3225098121,3002836325,1918774430 +.long 3870401024,2102906079,2284471353,4117666579 +.long 617007872,1021508343,366931923,691083277 +.long 2528395776,3491914898,2968704004,1613121270 +.long 3445188352,3247741094,844474987,4093578302 +.long 651481088,1190302358,1689581232,574775300 +.long 4289380608,206939853,2555985458,2489840491 +.long 2130264064,327674451,3566485037,3349835193 +.long 2470714624,316102159,3636825756,3393945945 +.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105 +.byte 111,110,32,65,69,83,32,102,111,114,32,120,56,54,47,83 +.byte 83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117 +.byte 114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105 +.byte 118,101,114,115,105,116,121,41,0 +.align 6,0x90 +.private_extern __vpaes_preheat +.align 4 +__vpaes_preheat: + addl (%esp),%ebp + movdqa -48(%ebp),%xmm7 + movdqa -16(%ebp),%xmm6 + ret +.private_extern __vpaes_encrypt_core +.align 4 +__vpaes_encrypt_core: + movl $16,%ecx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 + movdqa (%ebp),%xmm2 + pandn %xmm0,%xmm1 + pand %xmm6,%xmm0 + movdqu (%edx),%xmm5 +.byte 102,15,56,0,208 + movdqa 16(%ebp),%xmm0 + pxor %xmm5,%xmm2 + psrld $4,%xmm1 + addl $16,%edx +.byte 102,15,56,0,193 + leal 192(%ebp),%ebx + pxor %xmm2,%xmm0 + jmp L000enc_entry +.align 4,0x90 +L001enc_loop: + movdqa 32(%ebp),%xmm4 + movdqa 48(%ebp),%xmm0 +.byte 102,15,56,0,226 +.byte 102,15,56,0,195 + pxor %xmm5,%xmm4 + movdqa 64(%ebp),%xmm5 + pxor %xmm4,%xmm0 + movdqa -64(%ebx,%ecx,1),%xmm1 +.byte 102,15,56,0,234 + movdqa 80(%ebp),%xmm2 + movdqa (%ebx,%ecx,1),%xmm4 +.byte 102,15,56,0,211 + movdqa %xmm0,%xmm3 + pxor %xmm5,%xmm2 +.byte 102,15,56,0,193 + addl $16,%edx + pxor %xmm2,%xmm0 
+.byte 102,15,56,0,220 + addl $16,%ecx + pxor %xmm0,%xmm3 +.byte 102,15,56,0,193 + andl $48,%ecx + subl $1,%eax + pxor %xmm3,%xmm0 +L000enc_entry: + movdqa %xmm6,%xmm1 + movdqa -32(%ebp),%xmm5 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm6,%xmm0 +.byte 102,15,56,0,232 + movdqa %xmm7,%xmm3 + pxor %xmm1,%xmm0 +.byte 102,15,56,0,217 + movdqa %xmm7,%xmm4 + pxor %xmm5,%xmm3 +.byte 102,15,56,0,224 + movdqa %xmm7,%xmm2 + pxor %xmm5,%xmm4 +.byte 102,15,56,0,211 + movdqa %xmm7,%xmm3 + pxor %xmm0,%xmm2 +.byte 102,15,56,0,220 + movdqu (%edx),%xmm5 + pxor %xmm1,%xmm3 + jnz L001enc_loop + movdqa 96(%ebp),%xmm4 + movdqa 112(%ebp),%xmm0 +.byte 102,15,56,0,226 + pxor %xmm5,%xmm4 +.byte 102,15,56,0,195 + movdqa 64(%ebx,%ecx,1),%xmm1 + pxor %xmm4,%xmm0 +.byte 102,15,56,0,193 + ret +.private_extern __vpaes_decrypt_core +.align 4 +__vpaes_decrypt_core: + leal 608(%ebp),%ebx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 + movdqa -64(%ebx),%xmm2 + pandn %xmm0,%xmm1 + movl %eax,%ecx + psrld $4,%xmm1 + movdqu (%edx),%xmm5 + shll $4,%ecx + pand %xmm6,%xmm0 +.byte 102,15,56,0,208 + movdqa -48(%ebx),%xmm0 + xorl $48,%ecx +.byte 102,15,56,0,193 + andl $48,%ecx + pxor %xmm5,%xmm2 + movdqa 176(%ebp),%xmm5 + pxor %xmm2,%xmm0 + addl $16,%edx + leal -352(%ebx,%ecx,1),%ecx + jmp L002dec_entry +.align 4,0x90 +L003dec_loop: + movdqa -32(%ebx),%xmm4 + movdqa -16(%ebx),%xmm1 +.byte 102,15,56,0,226 +.byte 102,15,56,0,203 + pxor %xmm4,%xmm0 + movdqa (%ebx),%xmm4 + pxor %xmm1,%xmm0 + movdqa 16(%ebx),%xmm1 +.byte 102,15,56,0,226 +.byte 102,15,56,0,197 +.byte 102,15,56,0,203 + pxor %xmm4,%xmm0 + movdqa 32(%ebx),%xmm4 + pxor %xmm1,%xmm0 + movdqa 48(%ebx),%xmm1 +.byte 102,15,56,0,226 +.byte 102,15,56,0,197 +.byte 102,15,56,0,203 + pxor %xmm4,%xmm0 + movdqa 64(%ebx),%xmm4 + pxor %xmm1,%xmm0 + movdqa 80(%ebx),%xmm1 +.byte 102,15,56,0,226 +.byte 102,15,56,0,197 +.byte 102,15,56,0,203 + pxor %xmm4,%xmm0 + addl $16,%edx +.byte 102,15,58,15,237,12 + pxor %xmm1,%xmm0 + subl $1,%eax +L002dec_entry: + movdqa 
%xmm6,%xmm1 + movdqa -32(%ebp),%xmm2 + pandn %xmm0,%xmm1 + pand %xmm6,%xmm0 + psrld $4,%xmm1 +.byte 102,15,56,0,208 + movdqa %xmm7,%xmm3 + pxor %xmm1,%xmm0 +.byte 102,15,56,0,217 + movdqa %xmm7,%xmm4 + pxor %xmm2,%xmm3 +.byte 102,15,56,0,224 + pxor %xmm2,%xmm4 + movdqa %xmm7,%xmm2 +.byte 102,15,56,0,211 + movdqa %xmm7,%xmm3 + pxor %xmm0,%xmm2 +.byte 102,15,56,0,220 + movdqu (%edx),%xmm0 + pxor %xmm1,%xmm3 + jnz L003dec_loop + movdqa 96(%ebx),%xmm4 +.byte 102,15,56,0,226 + pxor %xmm0,%xmm4 + movdqa 112(%ebx),%xmm0 + movdqa (%ecx),%xmm2 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 +.byte 102,15,56,0,194 + ret +.private_extern __vpaes_schedule_core +.align 4 +__vpaes_schedule_core: + addl (%esp),%ebp + movdqu (%esi),%xmm0 + movdqa 320(%ebp),%xmm2 + movdqa %xmm0,%xmm3 + leal (%ebp),%ebx + movdqa %xmm2,4(%esp) + call __vpaes_schedule_transform + movdqa %xmm0,%xmm7 + testl %edi,%edi + jnz L004schedule_am_decrypting + movdqu %xmm0,(%edx) + jmp L005schedule_go +L004schedule_am_decrypting: + movdqa 256(%ebp,%ecx,1),%xmm1 +.byte 102,15,56,0,217 + movdqu %xmm3,(%edx) + xorl $48,%ecx +L005schedule_go: + cmpl $192,%eax + ja L006schedule_256 + je L007schedule_192 +L008schedule_128: + movl $10,%eax +L009loop_schedule_128: + call __vpaes_schedule_round + decl %eax + jz L010schedule_mangle_last + call __vpaes_schedule_mangle + jmp L009loop_schedule_128 +.align 4,0x90 +L007schedule_192: + movdqu 8(%esi),%xmm0 + call __vpaes_schedule_transform + movdqa %xmm0,%xmm6 + pxor %xmm4,%xmm4 + movhlps %xmm4,%xmm6 + movl $4,%eax +L011loop_schedule_192: + call __vpaes_schedule_round +.byte 102,15,58,15,198,8 + call __vpaes_schedule_mangle + call __vpaes_schedule_192_smear + call __vpaes_schedule_mangle + call __vpaes_schedule_round + decl %eax + jz L010schedule_mangle_last + call __vpaes_schedule_mangle + call __vpaes_schedule_192_smear + jmp L011loop_schedule_192 +.align 4,0x90 +L006schedule_256: + movdqu 16(%esi),%xmm0 + call __vpaes_schedule_transform + movl $7,%eax +L012loop_schedule_256: + 
call __vpaes_schedule_mangle + movdqa %xmm0,%xmm6 + call __vpaes_schedule_round + decl %eax + jz L010schedule_mangle_last + call __vpaes_schedule_mangle + pshufd $255,%xmm0,%xmm0 + movdqa %xmm7,20(%esp) + movdqa %xmm6,%xmm7 + call L_vpaes_schedule_low_round + movdqa 20(%esp),%xmm7 + jmp L012loop_schedule_256 +.align 4,0x90 +L010schedule_mangle_last: + leal 384(%ebp),%ebx + testl %edi,%edi + jnz L013schedule_mangle_last_dec + movdqa 256(%ebp,%ecx,1),%xmm1 +.byte 102,15,56,0,193 + leal 352(%ebp),%ebx + addl $32,%edx +L013schedule_mangle_last_dec: + addl $-16,%edx + pxor 336(%ebp),%xmm0 + call __vpaes_schedule_transform + movdqu %xmm0,(%edx) + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + ret +.private_extern __vpaes_schedule_192_smear +.align 4 +__vpaes_schedule_192_smear: + pshufd $128,%xmm6,%xmm1 + pshufd $254,%xmm7,%xmm0 + pxor %xmm1,%xmm6 + pxor %xmm1,%xmm1 + pxor %xmm0,%xmm6 + movdqa %xmm6,%xmm0 + movhlps %xmm1,%xmm6 + ret +.private_extern __vpaes_schedule_round +.align 4 +__vpaes_schedule_round: + movdqa 8(%esp),%xmm2 + pxor %xmm1,%xmm1 +.byte 102,15,58,15,202,15 +.byte 102,15,58,15,210,15 + pxor %xmm1,%xmm7 + pshufd $255,%xmm0,%xmm0 +.byte 102,15,58,15,192,1 + movdqa %xmm2,8(%esp) +L_vpaes_schedule_low_round: + movdqa %xmm7,%xmm1 + pslldq $4,%xmm7 + pxor %xmm1,%xmm7 + movdqa %xmm7,%xmm1 + pslldq $8,%xmm7 + pxor %xmm1,%xmm7 + pxor 336(%ebp),%xmm7 + movdqa -16(%ebp),%xmm4 + movdqa -48(%ebp),%xmm5 + movdqa %xmm4,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm4,%xmm0 + movdqa -32(%ebp),%xmm2 +.byte 102,15,56,0,208 + pxor %xmm1,%xmm0 + movdqa %xmm5,%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 + movdqa %xmm5,%xmm4 +.byte 102,15,56,0,224 + pxor %xmm2,%xmm4 + movdqa %xmm5,%xmm2 +.byte 102,15,56,0,211 + pxor %xmm0,%xmm2 + movdqa %xmm5,%xmm3 +.byte 102,15,56,0,220 + pxor %xmm1,%xmm3 + movdqa 32(%ebp),%xmm4 +.byte 102,15,56,0,226 + movdqa 48(%ebp),%xmm0 
+.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 + pxor %xmm7,%xmm0 + movdqa %xmm0,%xmm7 + ret +.private_extern __vpaes_schedule_transform +.align 4 +__vpaes_schedule_transform: + movdqa -16(%ebp),%xmm2 + movdqa %xmm2,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm2,%xmm0 + movdqa (%ebx),%xmm2 +.byte 102,15,56,0,208 + movdqa 16(%ebx),%xmm0 +.byte 102,15,56,0,193 + pxor %xmm2,%xmm0 + ret +.private_extern __vpaes_schedule_mangle +.align 4 +__vpaes_schedule_mangle: + movdqa %xmm0,%xmm4 + movdqa 128(%ebp),%xmm5 + testl %edi,%edi + jnz L014schedule_mangle_dec + addl $16,%edx + pxor 336(%ebp),%xmm4 +.byte 102,15,56,0,229 + movdqa %xmm4,%xmm3 +.byte 102,15,56,0,229 + pxor %xmm4,%xmm3 +.byte 102,15,56,0,229 + pxor %xmm4,%xmm3 + jmp L015schedule_mangle_both +.align 4,0x90 +L014schedule_mangle_dec: + movdqa -16(%ebp),%xmm2 + leal 416(%ebp),%esi + movdqa %xmm2,%xmm1 + pandn %xmm4,%xmm1 + psrld $4,%xmm1 + pand %xmm2,%xmm4 + movdqa (%esi),%xmm2 +.byte 102,15,56,0,212 + movdqa 16(%esi),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 +.byte 102,15,56,0,221 + movdqa 32(%esi),%xmm2 +.byte 102,15,56,0,212 + pxor %xmm3,%xmm2 + movdqa 48(%esi),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 +.byte 102,15,56,0,221 + movdqa 64(%esi),%xmm2 +.byte 102,15,56,0,212 + pxor %xmm3,%xmm2 + movdqa 80(%esi),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 +.byte 102,15,56,0,221 + movdqa 96(%esi),%xmm2 +.byte 102,15,56,0,212 + pxor %xmm3,%xmm2 + movdqa 112(%esi),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 + addl $-16,%edx +L015schedule_mangle_both: + movdqa 256(%ebp,%ecx,1),%xmm1 +.byte 102,15,56,0,217 + addl $-16,%ecx + andl $48,%ecx + movdqu %xmm3,(%edx) + ret +.globl _vpaes_set_encrypt_key +.private_extern _vpaes_set_encrypt_key +.align 4 +_vpaes_set_encrypt_key: +L_vpaes_set_encrypt_key_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call L016pic_for_function_hit +L016pic_for_function_hit: + popl %ebx + leal 
_BORINGSSL_function_hit+5-L016pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + movl 20(%esp),%esi + leal -56(%esp),%ebx + movl 24(%esp),%eax + andl $-16,%ebx + movl 28(%esp),%edx + xchgl %esp,%ebx + movl %ebx,48(%esp) + movl %eax,%ebx + shrl $5,%ebx + addl $5,%ebx + movl %ebx,240(%edx) + movl $48,%ecx + movl $0,%edi + leal L_vpaes_consts+0x30-L017pic_point,%ebp + call __vpaes_schedule_core +L017pic_point: + movl 48(%esp),%esp + xorl %eax,%eax + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _vpaes_set_decrypt_key +.private_extern _vpaes_set_decrypt_key +.align 4 +_vpaes_set_decrypt_key: +L_vpaes_set_decrypt_key_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + leal -56(%esp),%ebx + movl 24(%esp),%eax + andl $-16,%ebx + movl 28(%esp),%edx + xchgl %esp,%ebx + movl %ebx,48(%esp) + movl %eax,%ebx + shrl $5,%ebx + addl $5,%ebx + movl %ebx,240(%edx) + shll $4,%ebx + leal 16(%edx,%ebx,1),%edx + movl $1,%edi + movl %eax,%ecx + shrl $1,%ecx + andl $32,%ecx + xorl $32,%ecx + leal L_vpaes_consts+0x30-L018pic_point,%ebp + call __vpaes_schedule_core +L018pic_point: + movl 48(%esp),%esp + xorl %eax,%eax + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _vpaes_encrypt +.private_extern _vpaes_encrypt +.align 4 +_vpaes_encrypt: +L_vpaes_encrypt_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi +#ifdef BORINGSSL_DISPATCH_TEST + pushl %ebx + pushl %edx + call L019pic_for_function_hit +L019pic_for_function_hit: + popl %ebx + leal _BORINGSSL_function_hit+4-L019pic_for_function_hit(%ebx),%ebx + movl $1,%edx + movb %dl,(%ebx) + popl %edx + popl %ebx +#endif + leal L_vpaes_consts+0x30-L020pic_point,%ebp + call __vpaes_preheat +L020pic_point: + movl 20(%esp),%esi + leal -56(%esp),%ebx + movl 24(%esp),%edi + andl $-16,%ebx + movl 28(%esp),%edx + xchgl %esp,%ebx + movl %ebx,48(%esp) + movdqu (%esi),%xmm0 + call __vpaes_encrypt_core + movdqu %xmm0,(%edi) + movl 48(%esp),%esp + 
popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _vpaes_decrypt +.private_extern _vpaes_decrypt +.align 4 +_vpaes_decrypt: +L_vpaes_decrypt_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + leal L_vpaes_consts+0x30-L021pic_point,%ebp + call __vpaes_preheat +L021pic_point: + movl 20(%esp),%esi + leal -56(%esp),%ebx + movl 24(%esp),%edi + andl $-16,%ebx + movl 28(%esp),%edx + xchgl %esp,%ebx + movl %ebx,48(%esp) + movdqu (%esi),%xmm0 + call __vpaes_decrypt_core + movdqu %xmm0,(%edi) + movl 48(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _vpaes_cbc_encrypt +.private_extern _vpaes_cbc_encrypt +.align 4 +_vpaes_cbc_encrypt: +L_vpaes_cbc_encrypt_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 20(%esp),%esi + movl 24(%esp),%edi + movl 28(%esp),%eax + movl 32(%esp),%edx + subl $16,%eax + jc L022cbc_abort + leal -56(%esp),%ebx + movl 36(%esp),%ebp + andl $-16,%ebx + movl 40(%esp),%ecx + xchgl %esp,%ebx + movdqu (%ebp),%xmm1 + subl %esi,%edi + movl %ebx,48(%esp) + movl %edi,(%esp) + movl %edx,4(%esp) + movl %ebp,8(%esp) + movl %eax,%edi + leal L_vpaes_consts+0x30-L023pic_point,%ebp + call __vpaes_preheat +L023pic_point: + cmpl $0,%ecx + je L024cbc_dec_loop + jmp L025cbc_enc_loop +.align 4,0x90 +L025cbc_enc_loop: + movdqu (%esi),%xmm0 + pxor %xmm1,%xmm0 + call __vpaes_encrypt_core + movl (%esp),%ebx + movl 4(%esp),%edx + movdqa %xmm0,%xmm1 + movdqu %xmm0,(%ebx,%esi,1) + leal 16(%esi),%esi + subl $16,%edi + jnc L025cbc_enc_loop + jmp L026cbc_done +.align 4,0x90 +L024cbc_dec_loop: + movdqu (%esi),%xmm0 + movdqa %xmm1,16(%esp) + movdqa %xmm0,32(%esp) + call __vpaes_decrypt_core + movl (%esp),%ebx + movl 4(%esp),%edx + pxor 16(%esp),%xmm0 + movdqa 32(%esp),%xmm1 + movdqu %xmm0,(%ebx,%esi,1) + leal 16(%esi),%esi + subl $16,%edi + jnc L024cbc_dec_loop +L026cbc_done: + movl 8(%esp),%ebx + movl 48(%esp),%esp + movdqu %xmm1,(%ebx) +L022cbc_abort: + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +#endif // 
!defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-linux.S index 8a072a993..d58e4626d 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -489,10 +488,10 @@ vpaes_set_encrypt_key: #ifdef BORINGSSL_DISPATCH_TEST pushl %ebx pushl %edx - call .L016pic -.L016pic: + call .L016pic_for_function_hit +.L016pic_for_function_hit: popl %ebx - leal BORINGSSL_function_hit+5-.L016pic(%ebx),%ebx + leal BORINGSSL_function_hit+5-.L016pic_for_function_hit(%ebx),%ebx movl $1,%edx movb %dl,(%ebx) popl %edx @@ -574,10 +573,10 @@ vpaes_encrypt: #ifdef BORINGSSL_DISPATCH_TEST pushl %ebx pushl %edx - call .L019pic -.L019pic: + call .L019pic_for_function_hit +.L019pic_for_function_hit: popl %ebx - leal BORINGSSL_function_hit+4-.L019pic(%ebx),%ebx + leal BORINGSSL_function_hit+4-.L019pic_for_function_hit(%ebx),%ebx movl $1,%edx movb %dl,(%ebx) popl %edx @@ -706,7 +705,6 @@ vpaes_cbc_encrypt: ret .size vpaes_cbc_encrypt,.-.L_vpaes_cbc_encrypt_begin #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-apple.S index 9d5c2f7c1..c216da3a3 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1131,7 +1130,6 @@ L$ctr_add_two: .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-linux.S index e2850f07f..2cc2d928c 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/vpaes-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/vpaes-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1133,7 +1132,6 @@ _vpaes_consts: .size _vpaes_consts,.-_vpaes_consts .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/bcm/x86-mont-apple.S b/Sources/CNIOBoringSSL/gen/bcm/x86-mont-apple.S new file mode 100644 index 000000000..cc19edd33 --- /dev/null 
+++ b/Sources/CNIOBoringSSL/gen/bcm/x86-mont-apple.S 
@@ -0,0 +1,226 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _bn_mul_mont +.private_extern _bn_mul_mont +.align 4 +_bn_mul_mont: +L_bn_mul_mont_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + xorl %eax,%eax + movl 40(%esp),%edi + cmpl $4,%edi + jl L000just_leave + leal 20(%esp),%esi + leal 24(%esp),%edx + addl $2,%edi + negl %edi + leal -32(%esp,%edi,4),%ebp + negl %edi + movl %ebp,%eax + subl %edx,%eax + andl $2047,%eax + subl %eax,%ebp + xorl %ebp,%edx + andl $2048,%edx + xorl $2048,%edx + subl %edx,%ebp + andl $-64,%ebp + movl %esp,%eax + subl %ebp,%eax + andl $-4096,%eax + movl %esp,%edx + leal (%ebp,%eax,1),%esp + movl (%esp),%eax + cmpl %ebp,%esp + ja L001page_walk + jmp L002page_walk_done +.align 4,0x90 +L001page_walk: + leal -4096(%esp),%esp + movl (%esp),%eax + cmpl %ebp,%esp + ja L001page_walk +L002page_walk_done: + movl (%esi),%eax + movl 4(%esi),%ebx + movl 8(%esi),%ecx + movl 12(%esi),%ebp + movl 16(%esi),%esi + movl (%esi),%esi + movl %eax,4(%esp) + movl %ebx,8(%esp) + movl %ecx,12(%esp) + movl %ebp,16(%esp) + movl %esi,20(%esp) + leal -3(%edi),%ebx + movl %edx,24(%esp) + movl $-1,%eax + movd %eax,%mm7 + movl 8(%esp),%esi + movl 12(%esp),%edi + movl 16(%esp),%ebp + xorl %edx,%edx + xorl %ecx,%ecx + movd (%edi),%mm4 + movd (%esi),%mm5 + movd (%ebp),%mm3 + pmuludq %mm4,%mm5 + movq %mm5,%mm2 + movq %mm5,%mm0 + pand %mm7,%mm0 + pmuludq 20(%esp),%mm5 + pmuludq %mm5,%mm3 + paddq %mm0,%mm3 + movd 4(%ebp),%mm1 + movd 4(%esi),%mm0 + psrlq $32,%mm2 + psrlq $32,%mm3 + incl %ecx +.align 4,0x90 +L0031st: + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + pand %mm7,%mm0 + movd 4(%ebp,%ecx,4),%mm1 + paddq %mm0,%mm3 + movd 4(%esi,%ecx,4),%mm0 + psrlq $32,%mm2 + movd %mm3,28(%esp,%ecx,4) + psrlq 
$32,%mm3 + leal 1(%ecx),%ecx + cmpl %ebx,%ecx + jl L0031st + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + pand %mm7,%mm0 + paddq %mm0,%mm3 + movd %mm3,28(%esp,%ecx,4) + psrlq $32,%mm2 + psrlq $32,%mm3 + paddq %mm2,%mm3 + movq %mm3,32(%esp,%ebx,4) + incl %edx +L004outer: + xorl %ecx,%ecx + movd (%edi,%edx,4),%mm4 + movd (%esi),%mm5 + movd 32(%esp),%mm6 + movd (%ebp),%mm3 + pmuludq %mm4,%mm5 + paddq %mm6,%mm5 + movq %mm5,%mm0 + movq %mm5,%mm2 + pand %mm7,%mm0 + pmuludq 20(%esp),%mm5 + pmuludq %mm5,%mm3 + paddq %mm0,%mm3 + movd 36(%esp),%mm6 + movd 4(%ebp),%mm1 + movd 4(%esi),%mm0 + psrlq $32,%mm2 + psrlq $32,%mm3 + paddq %mm6,%mm2 + incl %ecx + decl %ebx +L005inner: + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + movd 36(%esp,%ecx,4),%mm6 + pand %mm7,%mm0 + movd 4(%ebp,%ecx,4),%mm1 + paddq %mm0,%mm3 + movd 4(%esi,%ecx,4),%mm0 + psrlq $32,%mm2 + movd %mm3,28(%esp,%ecx,4) + psrlq $32,%mm3 + paddq %mm6,%mm2 + decl %ebx + leal 1(%ecx),%ecx + jnz L005inner + movl %ecx,%ebx + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + pand %mm7,%mm0 + paddq %mm0,%mm3 + movd %mm3,28(%esp,%ecx,4) + psrlq $32,%mm2 + psrlq $32,%mm3 + movd 36(%esp,%ebx,4),%mm6 + paddq %mm2,%mm3 + paddq %mm6,%mm3 + movq %mm3,32(%esp,%ebx,4) + leal 1(%edx),%edx + cmpl %ebx,%edx + jle L004outer + emms + jmp L006common_tail +.align 4,0x90 +L006common_tail: + movl 16(%esp),%ebp + movl 4(%esp),%edi + leal 32(%esp),%esi + movl (%esi),%eax + movl %ebx,%ecx + xorl %edx,%edx +.align 4,0x90 +L007sub: + sbbl (%ebp,%edx,4),%eax + movl %eax,(%edi,%edx,4) + decl %ecx + movl 4(%esi,%edx,4),%eax + leal 1(%edx),%edx + jge L007sub + sbbl $0,%eax + movl $-1,%edx + xorl %eax,%edx + jmp L008copy +.align 4,0x90 +L008copy: + movl 32(%esp,%ebx,4),%esi + movl (%edi,%ebx,4),%ebp + movl %ecx,32(%esp,%ebx,4) + andl %eax,%esi + andl %edx,%ebp + orl %esi,%ebp + movl %ebp,(%edi,%ebx,4) + decl %ebx + 
jge L008copy + movl 24(%esp),%esp + movl $1,%eax +L000just_leave: + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 +.byte 112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56 +.byte 54,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121 +.byte 32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46 +.byte 111,114,103,62,0 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/gen/bcm/x86-mont-linux.S b/Sources/CNIOBoringSSL/gen/bcm/x86-mont-linux.S new file mode 100644 index 000000000..6f37e4690 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/bcm/x86-mont-linux.S 
@@ -0,0 +1,228 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) +.text +.globl bn_mul_mont +.hidden bn_mul_mont +.type bn_mul_mont,@function +.align 16 +bn_mul_mont: +.L_bn_mul_mont_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + xorl %eax,%eax + movl 40(%esp),%edi + cmpl $4,%edi + jl .L000just_leave + leal 20(%esp),%esi + leal 24(%esp),%edx + addl $2,%edi + negl %edi + leal -32(%esp,%edi,4),%ebp + negl %edi + movl %ebp,%eax + subl %edx,%eax + andl $2047,%eax + subl %eax,%ebp + xorl %ebp,%edx + andl $2048,%edx + xorl $2048,%edx + subl %edx,%ebp + andl $-64,%ebp + movl %esp,%eax + subl %ebp,%eax + andl $-4096,%eax + movl %esp,%edx + leal (%ebp,%eax,1),%esp + movl (%esp),%eax + cmpl %ebp,%esp + ja .L001page_walk + jmp .L002page_walk_done +.align 16 +.L001page_walk: + leal -4096(%esp),%esp + movl (%esp),%eax + cmpl %ebp,%esp + ja .L001page_walk +.L002page_walk_done: + movl (%esi),%eax + movl 4(%esi),%ebx + movl 8(%esi),%ecx + movl 12(%esi),%ebp + movl 16(%esi),%esi + movl (%esi),%esi + movl %eax,4(%esp) + movl %ebx,8(%esp) + movl %ecx,12(%esp) + movl %ebp,16(%esp) + movl %esi,20(%esp) + leal -3(%edi),%ebx + movl %edx,24(%esp) + movl $-1,%eax + movd %eax,%mm7 + movl 8(%esp),%esi + movl 12(%esp),%edi + movl 16(%esp),%ebp + xorl %edx,%edx + xorl %ecx,%ecx + movd (%edi),%mm4 + movd (%esi),%mm5 + movd (%ebp),%mm3 + pmuludq %mm4,%mm5 + movq %mm5,%mm2 + movq %mm5,%mm0 + pand %mm7,%mm0 + pmuludq 20(%esp),%mm5 + pmuludq %mm5,%mm3 + paddq %mm0,%mm3 + movd 4(%ebp),%mm1 + movd 4(%esi),%mm0 + psrlq $32,%mm2 + psrlq $32,%mm3 + incl %ecx +.align 16 +.L0031st: + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + pand %mm7,%mm0 + movd 4(%ebp,%ecx,4),%mm1 + paddq %mm0,%mm3 + movd 4(%esi,%ecx,4),%mm0 + psrlq $32,%mm2 + movd 
%mm3,28(%esp,%ecx,4) + psrlq $32,%mm3 + leal 1(%ecx),%ecx + cmpl %ebx,%ecx + jl .L0031st + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + pand %mm7,%mm0 + paddq %mm0,%mm3 + movd %mm3,28(%esp,%ecx,4) + psrlq $32,%mm2 + psrlq $32,%mm3 + paddq %mm2,%mm3 + movq %mm3,32(%esp,%ebx,4) + incl %edx +.L004outer: + xorl %ecx,%ecx + movd (%edi,%edx,4),%mm4 + movd (%esi),%mm5 + movd 32(%esp),%mm6 + movd (%ebp),%mm3 + pmuludq %mm4,%mm5 + paddq %mm6,%mm5 + movq %mm5,%mm0 + movq %mm5,%mm2 + pand %mm7,%mm0 + pmuludq 20(%esp),%mm5 + pmuludq %mm5,%mm3 + paddq %mm0,%mm3 + movd 36(%esp),%mm6 + movd 4(%ebp),%mm1 + movd 4(%esi),%mm0 + psrlq $32,%mm2 + psrlq $32,%mm3 + paddq %mm6,%mm2 + incl %ecx + decl %ebx +.L005inner: + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + movd 36(%esp,%ecx,4),%mm6 + pand %mm7,%mm0 + movd 4(%ebp,%ecx,4),%mm1 + paddq %mm0,%mm3 + movd 4(%esi,%ecx,4),%mm0 + psrlq $32,%mm2 + movd %mm3,28(%esp,%ecx,4) + psrlq $32,%mm3 + paddq %mm6,%mm2 + decl %ebx + leal 1(%ecx),%ecx + jnz .L005inner + movl %ecx,%ebx + pmuludq %mm4,%mm0 + pmuludq %mm5,%mm1 + paddq %mm0,%mm2 + paddq %mm1,%mm3 + movq %mm2,%mm0 + pand %mm7,%mm0 + paddq %mm0,%mm3 + movd %mm3,28(%esp,%ecx,4) + psrlq $32,%mm2 + psrlq $32,%mm3 + movd 36(%esp,%ebx,4),%mm6 + paddq %mm2,%mm3 + paddq %mm6,%mm3 + movq %mm3,32(%esp,%ebx,4) + leal 1(%edx),%edx + cmpl %ebx,%edx + jle .L004outer + emms + jmp .L006common_tail +.align 16 +.L006common_tail: + movl 16(%esp),%ebp + movl 4(%esp),%edi + leal 32(%esp),%esi + movl (%esi),%eax + movl %ebx,%ecx + xorl %edx,%edx +.align 16 +.L007sub: + sbbl (%ebp,%edx,4),%eax + movl %eax,(%edi,%edx,4) + decl %ecx + movl 4(%esi,%edx,4),%eax + leal 1(%edx),%edx + jge .L007sub + sbbl $0,%eax + movl $-1,%edx + xorl %eax,%edx + jmp .L008copy +.align 16 +.L008copy: + movl 32(%esp,%ebx,4),%esi + movl (%edi,%ebx,4),%ebp + movl %ecx,32(%esp,%ebx,4) + andl %eax,%esi + andl %edx,%ebp + orl %esi,%ebp + movl 
%ebp,(%edi,%ebx,4) + decl %ebx + jge .L008copy + movl 24(%esp),%esp + movl $1,%eax +.L000just_leave: + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.size bn_mul_mont,.-.L_bn_mul_mont_begin +.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 +.byte 112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56 +.byte 54,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121 +.byte 32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46 +.byte 111,114,103,62,0 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-apple.S similarity index 96% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-apple.S index 741e3f1b2..eea59ddb0 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,32 +7,16 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - - -.globl _bn_mul_mont -.private_extern _bn_mul_mont +.globl _bn_mul_mont_nohw +.private_extern _bn_mul_mont_nohw .p2align 4 -_bn_mul_mont: +_bn_mul_mont_nohw: _CET_ENDBR movl %r9d,%r9d movq %rsp,%rax - testl $3,%r9d - jnz L$mul_enter - cmpl $8,%r9d - jb L$mul_enter - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - cmpq %rsi,%rdx - jne L$mul4x_enter - testl $7,%r9d - jz L$sqr8x_enter - jmp L$mul4x_enter - -.p2align 4 -L$mul_enter: pushq %rbx pushq %rbp 
@@ -266,17 +249,16 @@ L$mul_epilogue: ret +.globl _bn_mul4x_mont +.private_extern _bn_mul4x_mont .p2align 4 -bn_mul4x_mont: +_bn_mul4x_mont: +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax -L$mul4x_enter: - andl $0x80100,%r11d - cmpl $0x80100,%r11d - je L$mulx4x_enter pushq %rbx pushq %rbp @@ -703,13 +685,16 @@ L$mul4x_epilogue: +.globl _bn_sqr8x_mont +.private_extern _bn_sqr8x_mont .p2align 5 -bn_sqr8x_mont: +_bn_sqr8x_mont: +_CET_ENDBR + movl %r9d,%r9d movq %rsp,%rax -L$sqr8x_enter: pushq %rbx pushq %rbp @@ -784,11 +769,8 @@ L$sqr8x_body: pxor %xmm0,%xmm0 .byte 102,72,15,110,207 .byte 102,73,15,110,218 - leaq _OPENSSL_ia32cap_P(%rip),%rax - movl 8(%rax),%eax - andl $0x80100,%eax - cmpl $0x80100,%eax - jne L$sqr8x_nox + testq %rdx,%rdx + jz L$sqr8x_nox call _bn_sqrx8x_internal @@ -891,13 +873,15 @@ L$sqr8x_epilogue: ret +.globl _bn_mulx4x_mont +.private_extern _bn_mulx4x_mont .p2align 5 -bn_mulx4x_mont: +_bn_mulx4x_mont: +_CET_ENDBR movq %rsp,%rax -L$mulx4x_enter: pushq %rbx pushq %rbp @@ -1250,7 +1234,6 @@ L$mulx4x_epilogue: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 4 #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-linux.S similarity index 96% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-linux.S index 8992b0801..958aa8756 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont-linux.S 
@@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,33 +7,16 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P - -.globl bn_mul_mont -.hidden bn_mul_mont -.type bn_mul_mont,@function +.globl bn_mul_mont_nohw +.hidden bn_mul_mont_nohw +.type bn_mul_mont_nohw,@function .align 16 -bn_mul_mont: +bn_mul_mont_nohw: .cfi_startproc _CET_ENDBR movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax - testl $3,%r9d - jnz .Lmul_enter - cmpl $8,%r9d - jb .Lmul_enter - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - cmpq %rsi,%rdx - jne .Lmul4x_enter - testl $7,%r9d - jz .Lsqr8x_enter - jmp .Lmul4x_enter - -.align 16 -.Lmul_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -266,18 +248,17 @@ _CET_ENDBR .Lmul_epilogue: ret .cfi_endproc -.size bn_mul_mont,.-bn_mul_mont +.size bn_mul_mont_nohw,.-bn_mul_mont_nohw +.globl bn_mul4x_mont +.hidden bn_mul4x_mont .type bn_mul4x_mont,@function .align 16 bn_mul4x_mont: .cfi_startproc +_CET_ENDBR movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax -.Lmul4x_enter: - andl $0x80100,%r11d - cmpl $0x80100,%r11d - je .Lmulx4x_enter pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -706,13 +687,16 @@ bn_mul4x_mont: .extern bn_sqr8x_internal .hidden bn_sqr8x_internal +.globl bn_sqr8x_mont +.hidden bn_sqr8x_mont .type bn_sqr8x_mont,@function .align 32 bn_sqr8x_mont: .cfi_startproc +_CET_ENDBR + movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax -.Lsqr8x_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -787,11 +771,8 @@ bn_sqr8x_mont: pxor %xmm0,%xmm0 .byte 102,72,15,110,207 .byte 102,73,15,110,218 - leaq OPENSSL_ia32cap_P(%rip),%rax - movl 8(%rax),%eax - andl $0x80100,%eax - cmpl $0x80100,%eax - jne .Lsqr8x_nox + testq %rdx,%rdx + jz .Lsqr8x_nox call bn_sqrx8x_internal 
@@ -894,13 +875,15 @@ bn_sqr8x_mont: ret .cfi_endproc .size bn_sqr8x_mont,.-bn_sqr8x_mont +.globl bn_mulx4x_mont +.hidden bn_mulx4x_mont .type bn_mulx4x_mont,@function .align 32 bn_mulx4x_mont: .cfi_startproc +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax -.Lmulx4x_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -1253,7 +1236,6 @@ bn_mulx4x_mont: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 16 #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-apple.S index 8ebc9d906..1a7570ee0 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont5-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,26 +7,18 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - - -.globl _bn_mul_mont_gather5 -.private_extern _bn_mul_mont_gather5 +.globl _bn_mul_mont_gather5_nohw +.private_extern _bn_mul_mont_gather5_nohw .p2align 6 -_bn_mul_mont_gather5: +_bn_mul_mont_gather5_nohw: _CET_ENDBR + + movl %r9d,%r9d movq %rsp,%rax - testl $7,%r9d - jnz L$mul_enter - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - jmp L$mul4x_enter - -.p2align 4 -L$mul_enter: movd 8(%rsp),%xmm5 pushq %rbx 
@@ -454,17 +445,16 @@ L$mul_epilogue: ret +.globl _bn_mul4x_mont_gather5 +.private_extern _bn_mul4x_mont_gather5 .p2align 5 -bn_mul4x_mont_gather5: +_bn_mul4x_mont_gather5: +_CET_ENDBR .byte 0x67 movq %rsp,%rax -L$mul4x_enter: - andl $0x80108,%r11d - cmpl $0x80108,%r11d - je L$mulx4x_enter pushq %rbx pushq %rbp @@ -480,6 +470,9 @@ L$mul4x_enter: L$mul4x_prologue: .byte 0x67 + + + shll $3,%r9d leaq (%r9,%r9,2),%r10 negq %r9 @@ -1089,20 +1082,15 @@ L$inner4x: jmp L$sqr4x_sub_entry -.globl _bn_power5 -.private_extern _bn_power5 +.globl _bn_power5_nohw +.private_extern _bn_power5_nohw .p2align 5 -_bn_power5: +_bn_power5_nohw: _CET_ENDBR movq %rsp,%rax - leaq _OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - andl $0x80108,%r11d - cmpl $0x80108,%r11d - je L$powerx5_enter pushq %rbx pushq %rbp @@ -1117,6 +1105,9 @@ _CET_ENDBR L$power5_prologue: + + + shll $3,%r9d leal (%r9,%r9,2),%r10d negq %r9 @@ -2068,13 +2059,15 @@ L$sqr4x_sub_entry: ret +.globl _bn_mulx4x_mont_gather5 +.private_extern _bn_mulx4x_mont_gather5 .p2align 5 -bn_mulx4x_mont_gather5: +_bn_mulx4x_mont_gather5: +_CET_ENDBR movq %rsp,%rax -L$mulx4x_enter: pushq %rbx pushq %rbp @@ -2089,6 +2082,9 @@ L$mulx4x_enter: L$mulx4x_prologue: + + + shll $3,%r9d leaq (%r9,%r9,2),%r10 negq %r9 @@ -2605,13 +2601,15 @@ L$mulx4x_inner: jmp L$sqrx4x_sub_entry +.globl _bn_powerx5 +.private_extern _bn_powerx5 .p2align 5 -bn_powerx5: +_bn_powerx5: +_CET_ENDBR movq %rsp,%rax -L$powerx5_enter: pushq %rbx pushq %rbp @@ -2626,6 +2624,9 @@ L$powerx5_enter: L$powerx5_prologue: + + + shll $3,%r9d leaq (%r9,%r9,2),%r10 negq %r9 
@@ -3624,7 +3625,6 @@ L$inc: .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-linux.S index d8570c42c..486d67480 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/x86_64-mont5-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/bcm/x86_64-mont5-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,27 +7,18 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P - -.globl bn_mul_mont_gather5 -.hidden bn_mul_mont_gather5 -.type bn_mul_mont_gather5,@function +.globl bn_mul_mont_gather5_nohw +.hidden bn_mul_mont_gather5_nohw +.type bn_mul_mont_gather5_nohw,@function .align 64 -bn_mul_mont_gather5: +bn_mul_mont_gather5_nohw: .cfi_startproc _CET_ENDBR + + movl %r9d,%r9d movq %rsp,%rax .cfi_def_cfa_register %rax - testl $7,%r9d - jnz .Lmul_enter - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - jmp .Lmul4x_enter - -.align 16 -.Lmul_enter: movd 8(%rsp),%xmm5 pushq %rbx .cfi_offset %rbx,-16 
@@ -454,18 +444,17 @@ _CET_ENDBR .Lmul_epilogue: ret .cfi_endproc -.size bn_mul_mont_gather5,.-bn_mul_mont_gather5 +.size bn_mul_mont_gather5_nohw,.-bn_mul_mont_gather5_nohw +.globl bn_mul4x_mont_gather5 +.hidden bn_mul4x_mont_gather5 .type bn_mul4x_mont_gather5,@function .align 32 bn_mul4x_mont_gather5: .cfi_startproc +_CET_ENDBR .byte 0x67 movq %rsp,%rax .cfi_def_cfa_register %rax -.Lmul4x_enter: - andl $0x80108,%r11d - cmpl $0x80108,%r11d - je .Lmulx4x_enter pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -481,6 +470,9 @@ bn_mul4x_mont_gather5: .Lmul4x_prologue: .byte 0x67 + + + shll $3,%r9d leaq (%r9,%r9,2),%r10 negq %r9 @@ -1090,20 +1082,15 @@ mul4x_internal: jmp .Lsqr4x_sub_entry .cfi_endproc .size mul4x_internal,.-mul4x_internal -.globl bn_power5 -.hidden bn_power5 -.type bn_power5,@function +.globl bn_power5_nohw +.hidden bn_power5_nohw +.type bn_power5_nohw,@function .align 32 -bn_power5: +bn_power5_nohw: .cfi_startproc _CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax - leaq OPENSSL_ia32cap_P(%rip),%r11 - movl 8(%r11),%r11d - andl $0x80108,%r11d - cmpl $0x80108,%r11d - je .Lpowerx5_enter pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -1118,6 +1105,9 @@ _CET_ENDBR .cfi_offset %r15,-56 .Lpower5_prologue: + + + shll $3,%r9d leal (%r9,%r9,2),%r10d negq %r9 @@ -1226,7 +1216,7 @@ _CET_ENDBR .Lpower5_epilogue: ret .cfi_endproc -.size bn_power5,.-bn_power5 +.size bn_power5_nohw,.-bn_power5_nohw .globl bn_sqr8x_internal .hidden bn_sqr8x_internal @@ -2069,13 +2059,15 @@ __bn_post4x_internal: ret .cfi_endproc .size __bn_post4x_internal,.-__bn_post4x_internal +.globl bn_mulx4x_mont_gather5 +.hidden bn_mulx4x_mont_gather5 .type bn_mulx4x_mont_gather5,@function .align 32 bn_mulx4x_mont_gather5: .cfi_startproc +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax -.Lmulx4x_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -2090,6 +2082,9 @@ bn_mulx4x_mont_gather5: .cfi_offset %r15,-56 .Lmulx4x_prologue: + + + shll $3,%r9d leaq (%r9,%r9,2),%r10 negq %r9 
@@ -2606,13 +2601,15 @@ mulx4x_internal: jmp .Lsqrx4x_sub_entry .cfi_endproc .size mulx4x_internal,.-mulx4x_internal +.globl bn_powerx5 +.hidden bn_powerx5 .type bn_powerx5,@function .align 32 bn_powerx5: .cfi_startproc +_CET_ENDBR movq %rsp,%rax .cfi_def_cfa_register %rax -.Lpowerx5_enter: pushq %rbx .cfi_offset %rbx,-16 pushq %rbp @@ -2627,6 +2624,9 @@ bn_powerx5: .cfi_offset %r15,-56 .Lpowerx5_prologue: + + + shll $3,%r9d leaq (%r9,%r9,2),%r10 negq %r9 @@ -3625,7 +3625,6 @@ _CET_ENDBR .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-apple.S index 3d5d596b8..edf0a5043 100644 --- a/Sources/CNIOBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -1157,14 +1156,15 @@ _CET_ENDBR L$128_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 @@ -2379,14 +2379,15 @@ _CET_ENDBR L$256_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 @@ -3079,7 +3080,6 @@ _CET_ENDBR #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-linux.S index 08d29f32d..58db2a1e7 100644 --- a/Sources/CNIOBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/aes128gcmsiv-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -1167,14 +1166,15 @@ _CET_ENDBR .L128_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 
@@ -2389,14 +2389,15 @@ _CET_ENDBR .L256_dec_start: vzeroupper vmovdqa (%rdx),%xmm0 + + + vmovdqu 16(%rdx),%xmm15 + vpor OR_MASK(%rip),%xmm15,%xmm15 movq %rdx,%rax leaq 32(%rax),%rax leaq 32(%rcx),%rcx - - vmovdqu (%rdi,%r9,1),%xmm15 - vpor OR_MASK(%rip),%xmm15,%xmm15 andq $~15,%r9 @@ -3089,7 +3090,6 @@ _CET_ENDBR .cfi_endproc .size aes256gcmsiv_kdf, .-aes256gcmsiv_kdf #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv4-linux.linux.arm.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv4-linux.S similarity index 96% rename from Sources/CNIOBoringSSL/crypto/chacha/chacha-armv4-linux.linux.arm.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha-armv4-linux.S index ccd6c29f3..8d01e8e79 100644 --- a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv4-linux.linux.arm.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv4-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__arm__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -31,47 +30,17 @@ .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 @ endian-neutral .Lone: .long 1,0,0,0 -#if __ARM_MAX_ARCH__>=7 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-.LChaCha20_ctr32 -#else -.word -1 -#endif -.globl ChaCha20_ctr32 -.hidden ChaCha20_ctr32 -.type ChaCha20_ctr32,%function +.globl ChaCha20_ctr32_nohw +.hidden ChaCha20_ctr32_nohw +.type ChaCha20_ctr32_nohw,%function .align 5 -ChaCha20_ctr32: -.LChaCha20_ctr32: +ChaCha20_ctr32_nohw: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -#if __ARM_ARCH<7 && !defined(__thumb2__) - sub r14,pc,#16 @ ChaCha20_ctr32 -#else - adr r14,.LChaCha20_ctr32 -#endif - cmp r2,#0 @ len==0? -#ifdef __thumb2__ - itt eq -#endif - addeq sp,sp,#4*3 - beq .Lno_data -#if __ARM_MAX_ARCH__>=7 - cmp r2,#192 @ test len - bls .Lshort - ldr r4,[r14,#-32] - ldr r4,[r14,r4] -# ifdef __APPLE__ - ldr r4,[r4] -# endif - tst r4,#ARMV7_NEON - bne .LChaCha20_neon -.Lshort: -#endif + adr r14,.Lsigma ldmia r12,{r4,r5,r6,r7} @ load counter and nonce sub sp,sp,#4*(16) @ off-load area - sub r14,r14,#64 @ .Lsigma stmdb sp!,{r4,r5,r6,r7} @ copy counter and nonce ldmia r3,{r4,r5,r6,r7,r8,r9,r10,r11} @ load key ldmia r14,{r0,r1,r2,r3} @ load sigma @@ -798,19 +767,19 @@ ChaCha20_ctr32: .Ldone: add sp,sp,#4*(32+3) -.Lno_data: ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} -.size ChaCha20_ctr32,.-ChaCha20_ctr32 +.size ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw #if __ARM_MAX_ARCH__>=7 .arch armv7-a .fpu neon -.type ChaCha20_neon,%function +.globl ChaCha20_ctr32_neon +.hidden ChaCha20_ctr32_neon +.type ChaCha20_ctr32_neon,%function .align 5 -ChaCha20_neon: +ChaCha20_ctr32_neon: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -.LChaCha20_neon: adr r14,.Lsigma vstmdb sp!,{d8,d9,d10,d11,d12,d13,d14,d15} @ ABI spec says so stmdb sp!,{r0,r1,r2,r3} 
@@ -1478,11 +1447,9 @@ ChaCha20_neon: vldmia sp,{d8,d9,d10,d11,d12,d13,d14,d15} add sp,sp,#4*(16+3) ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} -.size ChaCha20_neon,.-ChaCha20_neon -.comm OPENSSL_armcap_P,4,4 +.size ChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon #endif #endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__ELF__) -#endif // defined(__arm__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/chacha/chacha-armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-apple.S index 4fccbd86a..3bdf56547 100644 --- a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,9 +7,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) #include - -.private_extern _OPENSSL_armcap_P - .section __TEXT,__const .align 5 @@ -23,25 +19,11 @@ Lone: .text -.globl _ChaCha20_ctr32 -.private_extern _ChaCha20_ctr32 +.globl _ChaCha20_ctr32_nohw +.private_extern _ChaCha20_ctr32_nohw .align 5 -_ChaCha20_ctr32: - AARCH64_VALID_CALL_TARGET - cbz x2,Labort -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x5,:pg_hi21_nc:_OPENSSL_armcap_P -#else - adrp x5,_OPENSSL_armcap_P@PAGE -#endif - cmp x2,#192 - b.lo Lshort - ldr w17,[x5,_OPENSSL_armcap_P@PAGEOFF] - tst w17,#ARMV7_NEON - b.ne ChaCha20_neon - -Lshort: +_ChaCha20_ctr32_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 
@@ -256,7 +238,6 @@ Loop: ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER -Labort: ret .align 4 @@ -316,9 +297,11 @@ Loop_tail: ret +.globl _ChaCha20_ctr32_neon +.private_extern _ChaCha20_ctr32_neon .align 5 -ChaCha20_neon: +_ChaCha20_ctr32_neon: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -1984,7 +1967,6 @@ Ldone_512_neon: ret #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-linux.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/chacha/chacha-armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-linux.S index 3bf9acda4..4e4ba4f28 100644 --- a/Sources/CNIOBoringSSL/crypto/chacha/chacha-armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,9 +7,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) #include - -.hidden OPENSSL_armcap_P - .section .rodata .align 5 
@@ -23,25 +19,11 @@ .text -.globl ChaCha20_ctr32 -.hidden ChaCha20_ctr32 -.type ChaCha20_ctr32,%function +.globl ChaCha20_ctr32_nohw +.hidden ChaCha20_ctr32_nohw +.type ChaCha20_ctr32_nohw,%function .align 5 -ChaCha20_ctr32: - AARCH64_VALID_CALL_TARGET - cbz x2,.Labort -#if defined(OPENSSL_HWASAN) && __clang_major__ >= 10 - adrp x5,:pg_hi21_nc:OPENSSL_armcap_P -#else - adrp x5,OPENSSL_armcap_P -#endif - cmp x2,#192 - b.lo .Lshort - ldr w17,[x5,:lo12:OPENSSL_armcap_P] - tst w17,#ARMV7_NEON - b.ne ChaCha20_neon - -.Lshort: +ChaCha20_ctr32_nohw: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -256,7 +238,6 @@ ChaCha20_ctr32: ldp x27,x28,[x29,#80] ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER -.Labort: ret .align 4 @@ -314,11 +295,13 @@ ChaCha20_ctr32: ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER ret -.size ChaCha20_ctr32,.-ChaCha20_ctr32 +.size ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw -.type ChaCha20_neon,%function +.globl ChaCha20_ctr32_neon +.hidden ChaCha20_ctr32_neon +.type ChaCha20_ctr32_neon,%function .align 5 -ChaCha20_neon: +ChaCha20_ctr32_neon: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! add x29,sp,#0 @@ -812,7 +795,7 @@ ChaCha20_neon: ldp x29,x30,[sp],#96 AARCH64_VALIDATE_LINK_REGISTER ret -.size ChaCha20_neon,.-ChaCha20_neon +.size ChaCha20_ctr32_neon,.-ChaCha20_ctr32_neon .type ChaCha20_512_neon,%function .align 5 ChaCha20_512_neon: @@ -1984,7 +1967,6 @@ ChaCha20_512_neon: ret .size ChaCha20_512_neon,.-ChaCha20_512_neon #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-win.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-win.S new file mode 100644 index 000000000..b9f0d5c90 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-armv8-win.S 
@@ -0,0 +1,1979 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include + +.section .rodata + +.align 5 +Lsigma: +.quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral +Lone: +.long 1,0,0,0 +.byte 67,104,97,67,104,97,50,48,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 + +.text + +.globl ChaCha20_ctr32_nohw + +.def ChaCha20_ctr32_nohw + .type 32 +.endef +.align 5 +ChaCha20_ctr32_nohw: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + + adrp x5,Lsigma + add x5,x5,:lo12:Lsigma + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + sub sp,sp,#64 + + ldp x22,x23,[x5] // load sigma + ldp x24,x25,[x3] // load key + ldp x26,x27,[x3,#16] + ldp x28,x30,[x4] // load counter +#ifdef __AARCH64EB__ + ror x24,x24,#32 + ror x25,x25,#32 + ror x26,x26,#32 + ror x27,x27,#32 + ror x28,x28,#32 + ror x30,x30,#32 +#endif + +Loop_outer: + mov w5,w22 // unpack key block + lsr x6,x22,#32 + mov w7,w23 + lsr x8,x23,#32 + mov w9,w24 + lsr x10,x24,#32 + mov w11,w25 + lsr x12,x25,#32 + mov w13,w26 + lsr x14,x26,#32 + mov w15,w27 + lsr x16,x27,#32 + mov w17,w28 + lsr x19,x28,#32 + mov w20,w30 + lsr x21,x30,#32 + + mov x4,#10 + subs x2,x2,#64 +Loop: + sub x4,x4,#1 + add w5,w5,w9 + add w6,w6,w10 + add w7,w7,w11 + add w8,w8,w12 + eor w17,w17,w5 + eor w19,w19,w6 + eor w20,w20,w7 + eor w21,w21,w8 + ror w17,w17,#16 + ror w19,w19,#16 + ror w20,w20,#16 + ror w21,w21,#16 + add w13,w13,w17 + add w14,w14,w19 + add w15,w15,w20 + add w16,w16,w21 + eor w9,w9,w13 + eor w10,w10,w14 + eor w11,w11,w15 + eor w12,w12,w16 + ror w9,w9,#20 + ror w10,w10,#20 + ror w11,w11,#20 + ror w12,w12,#20 + add w5,w5,w9 + 
add w6,w6,w10 + add w7,w7,w11 + add w8,w8,w12 + eor w17,w17,w5 + eor w19,w19,w6 + eor w20,w20,w7 + eor w21,w21,w8 + ror w17,w17,#24 + ror w19,w19,#24 + ror w20,w20,#24 + ror w21,w21,#24 + add w13,w13,w17 + add w14,w14,w19 + add w15,w15,w20 + add w16,w16,w21 + eor w9,w9,w13 + eor w10,w10,w14 + eor w11,w11,w15 + eor w12,w12,w16 + ror w9,w9,#25 + ror w10,w10,#25 + ror w11,w11,#25 + ror w12,w12,#25 + add w5,w5,w10 + add w6,w6,w11 + add w7,w7,w12 + add w8,w8,w9 + eor w21,w21,w5 + eor w17,w17,w6 + eor w19,w19,w7 + eor w20,w20,w8 + ror w21,w21,#16 + ror w17,w17,#16 + ror w19,w19,#16 + ror w20,w20,#16 + add w15,w15,w21 + add w16,w16,w17 + add w13,w13,w19 + add w14,w14,w20 + eor w10,w10,w15 + eor w11,w11,w16 + eor w12,w12,w13 + eor w9,w9,w14 + ror w10,w10,#20 + ror w11,w11,#20 + ror w12,w12,#20 + ror w9,w9,#20 + add w5,w5,w10 + add w6,w6,w11 + add w7,w7,w12 + add w8,w8,w9 + eor w21,w21,w5 + eor w17,w17,w6 + eor w19,w19,w7 + eor w20,w20,w8 + ror w21,w21,#24 + ror w17,w17,#24 + ror w19,w19,#24 + ror w20,w20,#24 + add w15,w15,w21 + add w16,w16,w17 + add w13,w13,w19 + add w14,w14,w20 + eor w10,w10,w15 + eor w11,w11,w16 + eor w12,w12,w13 + eor w9,w9,w14 + ror w10,w10,#25 + ror w11,w11,#25 + ror w12,w12,#25 + ror w9,w9,#25 + cbnz x4,Loop + + add w5,w5,w22 // accumulate key block + add x6,x6,x22,lsr#32 + add w7,w7,w23 + add x8,x8,x23,lsr#32 + add w9,w9,w24 + add x10,x10,x24,lsr#32 + add w11,w11,w25 + add x12,x12,x25,lsr#32 + add w13,w13,w26 + add x14,x14,x26,lsr#32 + add w15,w15,w27 + add x16,x16,x27,lsr#32 + add w17,w17,w28 + add x19,x19,x28,lsr#32 + add w20,w20,w30 + add x21,x21,x30,lsr#32 + + b.lo Ltail + + add x5,x5,x6,lsl#32 // pack + add x7,x7,x8,lsl#32 + ldp x6,x8,[x1,#0] // load input + add x9,x9,x10,lsl#32 + add x11,x11,x12,lsl#32 + ldp x10,x12,[x1,#16] + add x13,x13,x14,lsl#32 + add x15,x15,x16,lsl#32 + ldp x14,x16,[x1,#32] + add x17,x17,x19,lsl#32 + add x20,x20,x21,lsl#32 + ldp x19,x21,[x1,#48] + add x1,x1,#64 +#ifdef __AARCH64EB__ + rev x5,x5 + rev x7,x7 + rev x9,x9 + 
rev x11,x11 + rev x13,x13 + rev x15,x15 + rev x17,x17 + rev x20,x20 +#endif + eor x5,x5,x6 + eor x7,x7,x8 + eor x9,x9,x10 + eor x11,x11,x12 + eor x13,x13,x14 + eor x15,x15,x16 + eor x17,x17,x19 + eor x20,x20,x21 + + stp x5,x7,[x0,#0] // store output + add x28,x28,#1 // increment counter + stp x9,x11,[x0,#16] + stp x13,x15,[x0,#32] + stp x17,x20,[x0,#48] + add x0,x0,#64 + + b.hi Loop_outer + + ldp x19,x20,[x29,#16] + add sp,sp,#64 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.align 4 +Ltail: + add x2,x2,#64 +Less_than_64: + sub x0,x0,#1 + add x1,x1,x2 + add x0,x0,x2 + add x4,sp,x2 + neg x2,x2 + + add x5,x5,x6,lsl#32 // pack + add x7,x7,x8,lsl#32 + add x9,x9,x10,lsl#32 + add x11,x11,x12,lsl#32 + add x13,x13,x14,lsl#32 + add x15,x15,x16,lsl#32 + add x17,x17,x19,lsl#32 + add x20,x20,x21,lsl#32 +#ifdef __AARCH64EB__ + rev x5,x5 + rev x7,x7 + rev x9,x9 + rev x11,x11 + rev x13,x13 + rev x15,x15 + rev x17,x17 + rev x20,x20 +#endif + stp x5,x7,[sp,#0] + stp x9,x11,[sp,#16] + stp x13,x15,[sp,#32] + stp x17,x20,[sp,#48] + +Loop_tail: + ldrb w10,[x1,x2] + ldrb w11,[x4,x2] + add x2,x2,#1 + eor w10,w10,w11 + strb w10,[x0,x2] + cbnz x2,Loop_tail + + stp xzr,xzr,[sp,#0] + stp xzr,xzr,[sp,#16] + stp xzr,xzr,[sp,#32] + stp xzr,xzr,[sp,#48] + + ldp x19,x20,[x29,#16] + add sp,sp,#64 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +.globl ChaCha20_ctr32_neon + +.def ChaCha20_ctr32_neon + .type 32 +.endef +.align 5 +ChaCha20_ctr32_neon: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! 
+ add x29,sp,#0 + + adrp x5,Lsigma + add x5,x5,:lo12:Lsigma + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + cmp x2,#512 + b.hs L512_or_more_neon + + sub sp,sp,#64 + + ldp x22,x23,[x5] // load sigma + ld1 {v24.4s},[x5],#16 + ldp x24,x25,[x3] // load key + ldp x26,x27,[x3,#16] + ld1 {v25.4s,v26.4s},[x3] + ldp x28,x30,[x4] // load counter + ld1 {v27.4s},[x4] + ld1 {v31.4s},[x5] +#ifdef __AARCH64EB__ + rev64 v24.4s,v24.4s + ror x24,x24,#32 + ror x25,x25,#32 + ror x26,x26,#32 + ror x27,x27,#32 + ror x28,x28,#32 + ror x30,x30,#32 +#endif + add v27.4s,v27.4s,v31.4s // += 1 + add v28.4s,v27.4s,v31.4s + add v29.4s,v28.4s,v31.4s + shl v31.4s,v31.4s,#2 // 1 -> 4 + +Loop_outer_neon: + mov w5,w22 // unpack key block + lsr x6,x22,#32 + mov v0.16b,v24.16b + mov w7,w23 + lsr x8,x23,#32 + mov v4.16b,v24.16b + mov w9,w24 + lsr x10,x24,#32 + mov v16.16b,v24.16b + mov w11,w25 + mov v1.16b,v25.16b + lsr x12,x25,#32 + mov v5.16b,v25.16b + mov w13,w26 + mov v17.16b,v25.16b + lsr x14,x26,#32 + mov v3.16b,v27.16b + mov w15,w27 + mov v7.16b,v28.16b + lsr x16,x27,#32 + mov v19.16b,v29.16b + mov w17,w28 + mov v2.16b,v26.16b + lsr x19,x28,#32 + mov v6.16b,v26.16b + mov w20,w30 + mov v18.16b,v26.16b + lsr x21,x30,#32 + + mov x4,#10 + subs x2,x2,#256 +Loop_neon: + sub x4,x4,#1 + add v0.4s,v0.4s,v1.4s + add w5,w5,w9 + add v4.4s,v4.4s,v5.4s + add w6,w6,w10 + add v16.4s,v16.4s,v17.4s + add w7,w7,w11 + eor v3.16b,v3.16b,v0.16b + add w8,w8,w12 + eor v7.16b,v7.16b,v4.16b + eor w17,w17,w5 + eor v19.16b,v19.16b,v16.16b + eor w19,w19,w6 + rev32 v3.8h,v3.8h + eor w20,w20,w7 + rev32 v7.8h,v7.8h + eor w21,w21,w8 + rev32 v19.8h,v19.8h + ror w17,w17,#16 + add v2.4s,v2.4s,v3.4s + ror w19,w19,#16 + add v6.4s,v6.4s,v7.4s + ror w20,w20,#16 + add v18.4s,v18.4s,v19.4s + ror w21,w21,#16 + eor v20.16b,v1.16b,v2.16b + add w13,w13,w17 + eor v21.16b,v5.16b,v6.16b + add w14,w14,w19 + eor v22.16b,v17.16b,v18.16b + add w15,w15,w20 + ushr v1.4s,v20.4s,#20 
+ add w16,w16,w21 + ushr v5.4s,v21.4s,#20 + eor w9,w9,w13 + ushr v17.4s,v22.4s,#20 + eor w10,w10,w14 + sli v1.4s,v20.4s,#12 + eor w11,w11,w15 + sli v5.4s,v21.4s,#12 + eor w12,w12,w16 + sli v17.4s,v22.4s,#12 + ror w9,w9,#20 + add v0.4s,v0.4s,v1.4s + ror w10,w10,#20 + add v4.4s,v4.4s,v5.4s + ror w11,w11,#20 + add v16.4s,v16.4s,v17.4s + ror w12,w12,#20 + eor v20.16b,v3.16b,v0.16b + add w5,w5,w9 + eor v21.16b,v7.16b,v4.16b + add w6,w6,w10 + eor v22.16b,v19.16b,v16.16b + add w7,w7,w11 + ushr v3.4s,v20.4s,#24 + add w8,w8,w12 + ushr v7.4s,v21.4s,#24 + eor w17,w17,w5 + ushr v19.4s,v22.4s,#24 + eor w19,w19,w6 + sli v3.4s,v20.4s,#8 + eor w20,w20,w7 + sli v7.4s,v21.4s,#8 + eor w21,w21,w8 + sli v19.4s,v22.4s,#8 + ror w17,w17,#24 + add v2.4s,v2.4s,v3.4s + ror w19,w19,#24 + add v6.4s,v6.4s,v7.4s + ror w20,w20,#24 + add v18.4s,v18.4s,v19.4s + ror w21,w21,#24 + eor v20.16b,v1.16b,v2.16b + add w13,w13,w17 + eor v21.16b,v5.16b,v6.16b + add w14,w14,w19 + eor v22.16b,v17.16b,v18.16b + add w15,w15,w20 + ushr v1.4s,v20.4s,#25 + add w16,w16,w21 + ushr v5.4s,v21.4s,#25 + eor w9,w9,w13 + ushr v17.4s,v22.4s,#25 + eor w10,w10,w14 + sli v1.4s,v20.4s,#7 + eor w11,w11,w15 + sli v5.4s,v21.4s,#7 + eor w12,w12,w16 + sli v17.4s,v22.4s,#7 + ror w9,w9,#25 + ext v2.16b,v2.16b,v2.16b,#8 + ror w10,w10,#25 + ext v6.16b,v6.16b,v6.16b,#8 + ror w11,w11,#25 + ext v18.16b,v18.16b,v18.16b,#8 + ror w12,w12,#25 + ext v3.16b,v3.16b,v3.16b,#12 + ext v7.16b,v7.16b,v7.16b,#12 + ext v19.16b,v19.16b,v19.16b,#12 + ext v1.16b,v1.16b,v1.16b,#4 + ext v5.16b,v5.16b,v5.16b,#4 + ext v17.16b,v17.16b,v17.16b,#4 + add v0.4s,v0.4s,v1.4s + add w5,w5,w10 + add v4.4s,v4.4s,v5.4s + add w6,w6,w11 + add v16.4s,v16.4s,v17.4s + add w7,w7,w12 + eor v3.16b,v3.16b,v0.16b + add w8,w8,w9 + eor v7.16b,v7.16b,v4.16b + eor w21,w21,w5 + eor v19.16b,v19.16b,v16.16b + eor w17,w17,w6 + rev32 v3.8h,v3.8h + eor w19,w19,w7 + rev32 v7.8h,v7.8h + eor w20,w20,w8 + rev32 v19.8h,v19.8h + ror w21,w21,#16 + add v2.4s,v2.4s,v3.4s + ror w17,w17,#16 + add 
v6.4s,v6.4s,v7.4s + ror w19,w19,#16 + add v18.4s,v18.4s,v19.4s + ror w20,w20,#16 + eor v20.16b,v1.16b,v2.16b + add w15,w15,w21 + eor v21.16b,v5.16b,v6.16b + add w16,w16,w17 + eor v22.16b,v17.16b,v18.16b + add w13,w13,w19 + ushr v1.4s,v20.4s,#20 + add w14,w14,w20 + ushr v5.4s,v21.4s,#20 + eor w10,w10,w15 + ushr v17.4s,v22.4s,#20 + eor w11,w11,w16 + sli v1.4s,v20.4s,#12 + eor w12,w12,w13 + sli v5.4s,v21.4s,#12 + eor w9,w9,w14 + sli v17.4s,v22.4s,#12 + ror w10,w10,#20 + add v0.4s,v0.4s,v1.4s + ror w11,w11,#20 + add v4.4s,v4.4s,v5.4s + ror w12,w12,#20 + add v16.4s,v16.4s,v17.4s + ror w9,w9,#20 + eor v20.16b,v3.16b,v0.16b + add w5,w5,w10 + eor v21.16b,v7.16b,v4.16b + add w6,w6,w11 + eor v22.16b,v19.16b,v16.16b + add w7,w7,w12 + ushr v3.4s,v20.4s,#24 + add w8,w8,w9 + ushr v7.4s,v21.4s,#24 + eor w21,w21,w5 + ushr v19.4s,v22.4s,#24 + eor w17,w17,w6 + sli v3.4s,v20.4s,#8 + eor w19,w19,w7 + sli v7.4s,v21.4s,#8 + eor w20,w20,w8 + sli v19.4s,v22.4s,#8 + ror w21,w21,#24 + add v2.4s,v2.4s,v3.4s + ror w17,w17,#24 + add v6.4s,v6.4s,v7.4s + ror w19,w19,#24 + add v18.4s,v18.4s,v19.4s + ror w20,w20,#24 + eor v20.16b,v1.16b,v2.16b + add w15,w15,w21 + eor v21.16b,v5.16b,v6.16b + add w16,w16,w17 + eor v22.16b,v17.16b,v18.16b + add w13,w13,w19 + ushr v1.4s,v20.4s,#25 + add w14,w14,w20 + ushr v5.4s,v21.4s,#25 + eor w10,w10,w15 + ushr v17.4s,v22.4s,#25 + eor w11,w11,w16 + sli v1.4s,v20.4s,#7 + eor w12,w12,w13 + sli v5.4s,v21.4s,#7 + eor w9,w9,w14 + sli v17.4s,v22.4s,#7 + ror w10,w10,#25 + ext v2.16b,v2.16b,v2.16b,#8 + ror w11,w11,#25 + ext v6.16b,v6.16b,v6.16b,#8 + ror w12,w12,#25 + ext v18.16b,v18.16b,v18.16b,#8 + ror w9,w9,#25 + ext v3.16b,v3.16b,v3.16b,#4 + ext v7.16b,v7.16b,v7.16b,#4 + ext v19.16b,v19.16b,v19.16b,#4 + ext v1.16b,v1.16b,v1.16b,#12 + ext v5.16b,v5.16b,v5.16b,#12 + ext v17.16b,v17.16b,v17.16b,#12 + cbnz x4,Loop_neon + + add w5,w5,w22 // accumulate key block + add v0.4s,v0.4s,v24.4s + add x6,x6,x22,lsr#32 + add v4.4s,v4.4s,v24.4s + add w7,w7,w23 + add v16.4s,v16.4s,v24.4s 
+ add x8,x8,x23,lsr#32 + add v2.4s,v2.4s,v26.4s + add w9,w9,w24 + add v6.4s,v6.4s,v26.4s + add x10,x10,x24,lsr#32 + add v18.4s,v18.4s,v26.4s + add w11,w11,w25 + add v3.4s,v3.4s,v27.4s + add x12,x12,x25,lsr#32 + add w13,w13,w26 + add v7.4s,v7.4s,v28.4s + add x14,x14,x26,lsr#32 + add w15,w15,w27 + add v19.4s,v19.4s,v29.4s + add x16,x16,x27,lsr#32 + add w17,w17,w28 + add v1.4s,v1.4s,v25.4s + add x19,x19,x28,lsr#32 + add w20,w20,w30 + add v5.4s,v5.4s,v25.4s + add x21,x21,x30,lsr#32 + add v17.4s,v17.4s,v25.4s + + b.lo Ltail_neon + + add x5,x5,x6,lsl#32 // pack + add x7,x7,x8,lsl#32 + ldp x6,x8,[x1,#0] // load input + add x9,x9,x10,lsl#32 + add x11,x11,x12,lsl#32 + ldp x10,x12,[x1,#16] + add x13,x13,x14,lsl#32 + add x15,x15,x16,lsl#32 + ldp x14,x16,[x1,#32] + add x17,x17,x19,lsl#32 + add x20,x20,x21,lsl#32 + ldp x19,x21,[x1,#48] + add x1,x1,#64 +#ifdef __AARCH64EB__ + rev x5,x5 + rev x7,x7 + rev x9,x9 + rev x11,x11 + rev x13,x13 + rev x15,x15 + rev x17,x17 + rev x20,x20 +#endif + ld1 {v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64 + eor x5,x5,x6 + eor x7,x7,x8 + eor x9,x9,x10 + eor x11,x11,x12 + eor x13,x13,x14 + eor v0.16b,v0.16b,v20.16b + eor x15,x15,x16 + eor v1.16b,v1.16b,v21.16b + eor x17,x17,x19 + eor v2.16b,v2.16b,v22.16b + eor x20,x20,x21 + eor v3.16b,v3.16b,v23.16b + ld1 {v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64 + + stp x5,x7,[x0,#0] // store output + add x28,x28,#4 // increment counter + stp x9,x11,[x0,#16] + add v27.4s,v27.4s,v31.4s // += 4 + stp x13,x15,[x0,#32] + add v28.4s,v28.4s,v31.4s + stp x17,x20,[x0,#48] + add v29.4s,v29.4s,v31.4s + add x0,x0,#64 + + st1 {v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64 + ld1 {v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64 + + eor v4.16b,v4.16b,v20.16b + eor v5.16b,v5.16b,v21.16b + eor v6.16b,v6.16b,v22.16b + eor v7.16b,v7.16b,v23.16b + st1 {v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64 + + eor v16.16b,v16.16b,v0.16b + eor v17.16b,v17.16b,v1.16b + eor v18.16b,v18.16b,v2.16b + eor v19.16b,v19.16b,v3.16b + st1 {v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64 
+ + b.hi Loop_outer_neon + + ldp x19,x20,[x29,#16] + add sp,sp,#64 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +Ltail_neon: + add x2,x2,#256 + cmp x2,#64 + b.lo Less_than_64 + + add x5,x5,x6,lsl#32 // pack + add x7,x7,x8,lsl#32 + ldp x6,x8,[x1,#0] // load input + add x9,x9,x10,lsl#32 + add x11,x11,x12,lsl#32 + ldp x10,x12,[x1,#16] + add x13,x13,x14,lsl#32 + add x15,x15,x16,lsl#32 + ldp x14,x16,[x1,#32] + add x17,x17,x19,lsl#32 + add x20,x20,x21,lsl#32 + ldp x19,x21,[x1,#48] + add x1,x1,#64 +#ifdef __AARCH64EB__ + rev x5,x5 + rev x7,x7 + rev x9,x9 + rev x11,x11 + rev x13,x13 + rev x15,x15 + rev x17,x17 + rev x20,x20 +#endif + eor x5,x5,x6 + eor x7,x7,x8 + eor x9,x9,x10 + eor x11,x11,x12 + eor x13,x13,x14 + eor x15,x15,x16 + eor x17,x17,x19 + eor x20,x20,x21 + + stp x5,x7,[x0,#0] // store output + add x28,x28,#4 // increment counter + stp x9,x11,[x0,#16] + stp x13,x15,[x0,#32] + stp x17,x20,[x0,#48] + add x0,x0,#64 + b.eq Ldone_neon + sub x2,x2,#64 + cmp x2,#64 + b.lo Less_than_128 + + ld1 {v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64 + eor v0.16b,v0.16b,v20.16b + eor v1.16b,v1.16b,v21.16b + eor v2.16b,v2.16b,v22.16b + eor v3.16b,v3.16b,v23.16b + st1 {v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64 + b.eq Ldone_neon + sub x2,x2,#64 + cmp x2,#64 + b.lo Less_than_192 + + ld1 {v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64 + eor v4.16b,v4.16b,v20.16b + eor v5.16b,v5.16b,v21.16b + eor v6.16b,v6.16b,v22.16b + eor v7.16b,v7.16b,v23.16b + st1 {v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64 + b.eq Ldone_neon + sub x2,x2,#64 + + st1 {v16.16b,v17.16b,v18.16b,v19.16b},[sp] + b Last_neon + +Less_than_128: + st1 {v0.16b,v1.16b,v2.16b,v3.16b},[sp] + b Last_neon +Less_than_192: + st1 {v4.16b,v5.16b,v6.16b,v7.16b},[sp] + b Last_neon + +.align 4 +Last_neon: + sub x0,x0,#1 + add x1,x1,x2 + add x0,x0,x2 + add x4,sp,x2 + neg x2,x2 + +Loop_tail_neon: + ldrb w10,[x1,x2] + ldrb w11,[x4,x2] + add 
x2,x2,#1 + eor w10,w10,w11 + strb w10,[x0,x2] + cbnz x2,Loop_tail_neon + + stp xzr,xzr,[sp,#0] + stp xzr,xzr,[sp,#16] + stp xzr,xzr,[sp,#32] + stp xzr,xzr,[sp,#48] + +Ldone_neon: + ldp x19,x20,[x29,#16] + add sp,sp,#64 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.def ChaCha20_512_neon + .type 32 +.endef +.align 5 +ChaCha20_512_neon: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + + adrp x5,Lsigma + add x5,x5,:lo12:Lsigma + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + +L512_or_more_neon: + sub sp,sp,#128+64 + + ldp x22,x23,[x5] // load sigma + ld1 {v24.4s},[x5],#16 + ldp x24,x25,[x3] // load key + ldp x26,x27,[x3,#16] + ld1 {v25.4s,v26.4s},[x3] + ldp x28,x30,[x4] // load counter + ld1 {v27.4s},[x4] + ld1 {v31.4s},[x5] +#ifdef __AARCH64EB__ + rev64 v24.4s,v24.4s + ror x24,x24,#32 + ror x25,x25,#32 + ror x26,x26,#32 + ror x27,x27,#32 + ror x28,x28,#32 + ror x30,x30,#32 +#endif + add v27.4s,v27.4s,v31.4s // += 1 + stp q24,q25,[sp,#0] // off-load key block, invariant part + add v27.4s,v27.4s,v31.4s // not typo + str q26,[sp,#32] + add v28.4s,v27.4s,v31.4s + add v29.4s,v28.4s,v31.4s + add v30.4s,v29.4s,v31.4s + shl v31.4s,v31.4s,#2 // 1 -> 4 + + stp d8,d9,[sp,#128+0] // meet ABI requirements + stp d10,d11,[sp,#128+16] + stp d12,d13,[sp,#128+32] + stp d14,d15,[sp,#128+48] + + sub x2,x2,#512 // not typo + +Loop_outer_512_neon: + mov v0.16b,v24.16b + mov v4.16b,v24.16b + mov v8.16b,v24.16b + mov v12.16b,v24.16b + mov v16.16b,v24.16b + mov v20.16b,v24.16b + mov v1.16b,v25.16b + mov w5,w22 // unpack key block + mov v5.16b,v25.16b + lsr x6,x22,#32 + mov v9.16b,v25.16b + mov w7,w23 + mov v13.16b,v25.16b + lsr x8,x23,#32 + mov v17.16b,v25.16b + mov w9,w24 + mov v21.16b,v25.16b + lsr x10,x24,#32 + mov v3.16b,v27.16b + mov w11,w25 + mov v7.16b,v28.16b + lsr x12,x25,#32 + 
mov v11.16b,v29.16b + mov w13,w26 + mov v15.16b,v30.16b + lsr x14,x26,#32 + mov v2.16b,v26.16b + mov w15,w27 + mov v6.16b,v26.16b + lsr x16,x27,#32 + add v19.4s,v3.4s,v31.4s // +4 + mov w17,w28 + add v23.4s,v7.4s,v31.4s // +4 + lsr x19,x28,#32 + mov v10.16b,v26.16b + mov w20,w30 + mov v14.16b,v26.16b + lsr x21,x30,#32 + mov v18.16b,v26.16b + stp q27,q28,[sp,#48] // off-load key block, variable part + mov v22.16b,v26.16b + str q29,[sp,#80] + + mov x4,#5 + subs x2,x2,#512 +Loop_upper_neon: + sub x4,x4,#1 + add v0.4s,v0.4s,v1.4s + add w5,w5,w9 + add v4.4s,v4.4s,v5.4s + add w6,w6,w10 + add v8.4s,v8.4s,v9.4s + add w7,w7,w11 + add v12.4s,v12.4s,v13.4s + add w8,w8,w12 + add v16.4s,v16.4s,v17.4s + eor w17,w17,w5 + add v20.4s,v20.4s,v21.4s + eor w19,w19,w6 + eor v3.16b,v3.16b,v0.16b + eor w20,w20,w7 + eor v7.16b,v7.16b,v4.16b + eor w21,w21,w8 + eor v11.16b,v11.16b,v8.16b + ror w17,w17,#16 + eor v15.16b,v15.16b,v12.16b + ror w19,w19,#16 + eor v19.16b,v19.16b,v16.16b + ror w20,w20,#16 + eor v23.16b,v23.16b,v20.16b + ror w21,w21,#16 + rev32 v3.8h,v3.8h + add w13,w13,w17 + rev32 v7.8h,v7.8h + add w14,w14,w19 + rev32 v11.8h,v11.8h + add w15,w15,w20 + rev32 v15.8h,v15.8h + add w16,w16,w21 + rev32 v19.8h,v19.8h + eor w9,w9,w13 + rev32 v23.8h,v23.8h + eor w10,w10,w14 + add v2.4s,v2.4s,v3.4s + eor w11,w11,w15 + add v6.4s,v6.4s,v7.4s + eor w12,w12,w16 + add v10.4s,v10.4s,v11.4s + ror w9,w9,#20 + add v14.4s,v14.4s,v15.4s + ror w10,w10,#20 + add v18.4s,v18.4s,v19.4s + ror w11,w11,#20 + add v22.4s,v22.4s,v23.4s + ror w12,w12,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w9 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w10 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w11 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w12 + eor v28.16b,v17.16b,v18.16b + eor w17,w17,w5 + eor v29.16b,v21.16b,v22.16b + eor w19,w19,w6 + ushr v1.4s,v24.4s,#20 + eor w20,w20,w7 + ushr v5.4s,v25.4s,#20 + eor w21,w21,w8 + ushr v9.4s,v26.4s,#20 + ror w17,w17,#24 + ushr v13.4s,v27.4s,#20 + ror w19,w19,#24 + ushr v17.4s,v28.4s,#20 + 
ror w20,w20,#24 + ushr v21.4s,v29.4s,#20 + ror w21,w21,#24 + sli v1.4s,v24.4s,#12 + add w13,w13,w17 + sli v5.4s,v25.4s,#12 + add w14,w14,w19 + sli v9.4s,v26.4s,#12 + add w15,w15,w20 + sli v13.4s,v27.4s,#12 + add w16,w16,w21 + sli v17.4s,v28.4s,#12 + eor w9,w9,w13 + sli v21.4s,v29.4s,#12 + eor w10,w10,w14 + add v0.4s,v0.4s,v1.4s + eor w11,w11,w15 + add v4.4s,v4.4s,v5.4s + eor w12,w12,w16 + add v8.4s,v8.4s,v9.4s + ror w9,w9,#25 + add v12.4s,v12.4s,v13.4s + ror w10,w10,#25 + add v16.4s,v16.4s,v17.4s + ror w11,w11,#25 + add v20.4s,v20.4s,v21.4s + ror w12,w12,#25 + eor v24.16b,v3.16b,v0.16b + add w5,w5,w10 + eor v25.16b,v7.16b,v4.16b + add w6,w6,w11 + eor v26.16b,v11.16b,v8.16b + add w7,w7,w12 + eor v27.16b,v15.16b,v12.16b + add w8,w8,w9 + eor v28.16b,v19.16b,v16.16b + eor w21,w21,w5 + eor v29.16b,v23.16b,v20.16b + eor w17,w17,w6 + ushr v3.4s,v24.4s,#24 + eor w19,w19,w7 + ushr v7.4s,v25.4s,#24 + eor w20,w20,w8 + ushr v11.4s,v26.4s,#24 + ror w21,w21,#16 + ushr v15.4s,v27.4s,#24 + ror w17,w17,#16 + ushr v19.4s,v28.4s,#24 + ror w19,w19,#16 + ushr v23.4s,v29.4s,#24 + ror w20,w20,#16 + sli v3.4s,v24.4s,#8 + add w15,w15,w21 + sli v7.4s,v25.4s,#8 + add w16,w16,w17 + sli v11.4s,v26.4s,#8 + add w13,w13,w19 + sli v15.4s,v27.4s,#8 + add w14,w14,w20 + sli v19.4s,v28.4s,#8 + eor w10,w10,w15 + sli v23.4s,v29.4s,#8 + eor w11,w11,w16 + add v2.4s,v2.4s,v3.4s + eor w12,w12,w13 + add v6.4s,v6.4s,v7.4s + eor w9,w9,w14 + add v10.4s,v10.4s,v11.4s + ror w10,w10,#20 + add v14.4s,v14.4s,v15.4s + ror w11,w11,#20 + add v18.4s,v18.4s,v19.4s + ror w12,w12,#20 + add v22.4s,v22.4s,v23.4s + ror w9,w9,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w10 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w11 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w12 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w9 + eor v28.16b,v17.16b,v18.16b + eor w21,w21,w5 + eor v29.16b,v21.16b,v22.16b + eor w17,w17,w6 + ushr v1.4s,v24.4s,#25 + eor w19,w19,w7 + ushr v5.4s,v25.4s,#25 + eor w20,w20,w8 + ushr v9.4s,v26.4s,#25 + ror w21,w21,#24 + ushr 
v13.4s,v27.4s,#25 + ror w17,w17,#24 + ushr v17.4s,v28.4s,#25 + ror w19,w19,#24 + ushr v21.4s,v29.4s,#25 + ror w20,w20,#24 + sli v1.4s,v24.4s,#7 + add w15,w15,w21 + sli v5.4s,v25.4s,#7 + add w16,w16,w17 + sli v9.4s,v26.4s,#7 + add w13,w13,w19 + sli v13.4s,v27.4s,#7 + add w14,w14,w20 + sli v17.4s,v28.4s,#7 + eor w10,w10,w15 + sli v21.4s,v29.4s,#7 + eor w11,w11,w16 + ext v2.16b,v2.16b,v2.16b,#8 + eor w12,w12,w13 + ext v6.16b,v6.16b,v6.16b,#8 + eor w9,w9,w14 + ext v10.16b,v10.16b,v10.16b,#8 + ror w10,w10,#25 + ext v14.16b,v14.16b,v14.16b,#8 + ror w11,w11,#25 + ext v18.16b,v18.16b,v18.16b,#8 + ror w12,w12,#25 + ext v22.16b,v22.16b,v22.16b,#8 + ror w9,w9,#25 + ext v3.16b,v3.16b,v3.16b,#12 + ext v7.16b,v7.16b,v7.16b,#12 + ext v11.16b,v11.16b,v11.16b,#12 + ext v15.16b,v15.16b,v15.16b,#12 + ext v19.16b,v19.16b,v19.16b,#12 + ext v23.16b,v23.16b,v23.16b,#12 + ext v1.16b,v1.16b,v1.16b,#4 + ext v5.16b,v5.16b,v5.16b,#4 + ext v9.16b,v9.16b,v9.16b,#4 + ext v13.16b,v13.16b,v13.16b,#4 + ext v17.16b,v17.16b,v17.16b,#4 + ext v21.16b,v21.16b,v21.16b,#4 + add v0.4s,v0.4s,v1.4s + add w5,w5,w9 + add v4.4s,v4.4s,v5.4s + add w6,w6,w10 + add v8.4s,v8.4s,v9.4s + add w7,w7,w11 + add v12.4s,v12.4s,v13.4s + add w8,w8,w12 + add v16.4s,v16.4s,v17.4s + eor w17,w17,w5 + add v20.4s,v20.4s,v21.4s + eor w19,w19,w6 + eor v3.16b,v3.16b,v0.16b + eor w20,w20,w7 + eor v7.16b,v7.16b,v4.16b + eor w21,w21,w8 + eor v11.16b,v11.16b,v8.16b + ror w17,w17,#16 + eor v15.16b,v15.16b,v12.16b + ror w19,w19,#16 + eor v19.16b,v19.16b,v16.16b + ror w20,w20,#16 + eor v23.16b,v23.16b,v20.16b + ror w21,w21,#16 + rev32 v3.8h,v3.8h + add w13,w13,w17 + rev32 v7.8h,v7.8h + add w14,w14,w19 + rev32 v11.8h,v11.8h + add w15,w15,w20 + rev32 v15.8h,v15.8h + add w16,w16,w21 + rev32 v19.8h,v19.8h + eor w9,w9,w13 + rev32 v23.8h,v23.8h + eor w10,w10,w14 + add v2.4s,v2.4s,v3.4s + eor w11,w11,w15 + add v6.4s,v6.4s,v7.4s + eor w12,w12,w16 + add v10.4s,v10.4s,v11.4s + ror w9,w9,#20 + add v14.4s,v14.4s,v15.4s + ror w10,w10,#20 + add 
v18.4s,v18.4s,v19.4s + ror w11,w11,#20 + add v22.4s,v22.4s,v23.4s + ror w12,w12,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w9 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w10 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w11 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w12 + eor v28.16b,v17.16b,v18.16b + eor w17,w17,w5 + eor v29.16b,v21.16b,v22.16b + eor w19,w19,w6 + ushr v1.4s,v24.4s,#20 + eor w20,w20,w7 + ushr v5.4s,v25.4s,#20 + eor w21,w21,w8 + ushr v9.4s,v26.4s,#20 + ror w17,w17,#24 + ushr v13.4s,v27.4s,#20 + ror w19,w19,#24 + ushr v17.4s,v28.4s,#20 + ror w20,w20,#24 + ushr v21.4s,v29.4s,#20 + ror w21,w21,#24 + sli v1.4s,v24.4s,#12 + add w13,w13,w17 + sli v5.4s,v25.4s,#12 + add w14,w14,w19 + sli v9.4s,v26.4s,#12 + add w15,w15,w20 + sli v13.4s,v27.4s,#12 + add w16,w16,w21 + sli v17.4s,v28.4s,#12 + eor w9,w9,w13 + sli v21.4s,v29.4s,#12 + eor w10,w10,w14 + add v0.4s,v0.4s,v1.4s + eor w11,w11,w15 + add v4.4s,v4.4s,v5.4s + eor w12,w12,w16 + add v8.4s,v8.4s,v9.4s + ror w9,w9,#25 + add v12.4s,v12.4s,v13.4s + ror w10,w10,#25 + add v16.4s,v16.4s,v17.4s + ror w11,w11,#25 + add v20.4s,v20.4s,v21.4s + ror w12,w12,#25 + eor v24.16b,v3.16b,v0.16b + add w5,w5,w10 + eor v25.16b,v7.16b,v4.16b + add w6,w6,w11 + eor v26.16b,v11.16b,v8.16b + add w7,w7,w12 + eor v27.16b,v15.16b,v12.16b + add w8,w8,w9 + eor v28.16b,v19.16b,v16.16b + eor w21,w21,w5 + eor v29.16b,v23.16b,v20.16b + eor w17,w17,w6 + ushr v3.4s,v24.4s,#24 + eor w19,w19,w7 + ushr v7.4s,v25.4s,#24 + eor w20,w20,w8 + ushr v11.4s,v26.4s,#24 + ror w21,w21,#16 + ushr v15.4s,v27.4s,#24 + ror w17,w17,#16 + ushr v19.4s,v28.4s,#24 + ror w19,w19,#16 + ushr v23.4s,v29.4s,#24 + ror w20,w20,#16 + sli v3.4s,v24.4s,#8 + add w15,w15,w21 + sli v7.4s,v25.4s,#8 + add w16,w16,w17 + sli v11.4s,v26.4s,#8 + add w13,w13,w19 + sli v15.4s,v27.4s,#8 + add w14,w14,w20 + sli v19.4s,v28.4s,#8 + eor w10,w10,w15 + sli v23.4s,v29.4s,#8 + eor w11,w11,w16 + add v2.4s,v2.4s,v3.4s + eor w12,w12,w13 + add v6.4s,v6.4s,v7.4s + eor w9,w9,w14 + add v10.4s,v10.4s,v11.4s + ror 
w10,w10,#20 + add v14.4s,v14.4s,v15.4s + ror w11,w11,#20 + add v18.4s,v18.4s,v19.4s + ror w12,w12,#20 + add v22.4s,v22.4s,v23.4s + ror w9,w9,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w10 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w11 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w12 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w9 + eor v28.16b,v17.16b,v18.16b + eor w21,w21,w5 + eor v29.16b,v21.16b,v22.16b + eor w17,w17,w6 + ushr v1.4s,v24.4s,#25 + eor w19,w19,w7 + ushr v5.4s,v25.4s,#25 + eor w20,w20,w8 + ushr v9.4s,v26.4s,#25 + ror w21,w21,#24 + ushr v13.4s,v27.4s,#25 + ror w17,w17,#24 + ushr v17.4s,v28.4s,#25 + ror w19,w19,#24 + ushr v21.4s,v29.4s,#25 + ror w20,w20,#24 + sli v1.4s,v24.4s,#7 + add w15,w15,w21 + sli v5.4s,v25.4s,#7 + add w16,w16,w17 + sli v9.4s,v26.4s,#7 + add w13,w13,w19 + sli v13.4s,v27.4s,#7 + add w14,w14,w20 + sli v17.4s,v28.4s,#7 + eor w10,w10,w15 + sli v21.4s,v29.4s,#7 + eor w11,w11,w16 + ext v2.16b,v2.16b,v2.16b,#8 + eor w12,w12,w13 + ext v6.16b,v6.16b,v6.16b,#8 + eor w9,w9,w14 + ext v10.16b,v10.16b,v10.16b,#8 + ror w10,w10,#25 + ext v14.16b,v14.16b,v14.16b,#8 + ror w11,w11,#25 + ext v18.16b,v18.16b,v18.16b,#8 + ror w12,w12,#25 + ext v22.16b,v22.16b,v22.16b,#8 + ror w9,w9,#25 + ext v3.16b,v3.16b,v3.16b,#4 + ext v7.16b,v7.16b,v7.16b,#4 + ext v11.16b,v11.16b,v11.16b,#4 + ext v15.16b,v15.16b,v15.16b,#4 + ext v19.16b,v19.16b,v19.16b,#4 + ext v23.16b,v23.16b,v23.16b,#4 + ext v1.16b,v1.16b,v1.16b,#12 + ext v5.16b,v5.16b,v5.16b,#12 + ext v9.16b,v9.16b,v9.16b,#12 + ext v13.16b,v13.16b,v13.16b,#12 + ext v17.16b,v17.16b,v17.16b,#12 + ext v21.16b,v21.16b,v21.16b,#12 + cbnz x4,Loop_upper_neon + + add w5,w5,w22 // accumulate key block + add x6,x6,x22,lsr#32 + add w7,w7,w23 + add x8,x8,x23,lsr#32 + add w9,w9,w24 + add x10,x10,x24,lsr#32 + add w11,w11,w25 + add x12,x12,x25,lsr#32 + add w13,w13,w26 + add x14,x14,x26,lsr#32 + add w15,w15,w27 + add x16,x16,x27,lsr#32 + add w17,w17,w28 + add x19,x19,x28,lsr#32 + add w20,w20,w30 + add x21,x21,x30,lsr#32 + + add 
x5,x5,x6,lsl#32 // pack + add x7,x7,x8,lsl#32 + ldp x6,x8,[x1,#0] // load input + add x9,x9,x10,lsl#32 + add x11,x11,x12,lsl#32 + ldp x10,x12,[x1,#16] + add x13,x13,x14,lsl#32 + add x15,x15,x16,lsl#32 + ldp x14,x16,[x1,#32] + add x17,x17,x19,lsl#32 + add x20,x20,x21,lsl#32 + ldp x19,x21,[x1,#48] + add x1,x1,#64 +#ifdef __AARCH64EB__ + rev x5,x5 + rev x7,x7 + rev x9,x9 + rev x11,x11 + rev x13,x13 + rev x15,x15 + rev x17,x17 + rev x20,x20 +#endif + eor x5,x5,x6 + eor x7,x7,x8 + eor x9,x9,x10 + eor x11,x11,x12 + eor x13,x13,x14 + eor x15,x15,x16 + eor x17,x17,x19 + eor x20,x20,x21 + + stp x5,x7,[x0,#0] // store output + add x28,x28,#1 // increment counter + mov w5,w22 // unpack key block + lsr x6,x22,#32 + stp x9,x11,[x0,#16] + mov w7,w23 + lsr x8,x23,#32 + stp x13,x15,[x0,#32] + mov w9,w24 + lsr x10,x24,#32 + stp x17,x20,[x0,#48] + add x0,x0,#64 + mov w11,w25 + lsr x12,x25,#32 + mov w13,w26 + lsr x14,x26,#32 + mov w15,w27 + lsr x16,x27,#32 + mov w17,w28 + lsr x19,x28,#32 + mov w20,w30 + lsr x21,x30,#32 + + mov x4,#5 +Loop_lower_neon: + sub x4,x4,#1 + add v0.4s,v0.4s,v1.4s + add w5,w5,w9 + add v4.4s,v4.4s,v5.4s + add w6,w6,w10 + add v8.4s,v8.4s,v9.4s + add w7,w7,w11 + add v12.4s,v12.4s,v13.4s + add w8,w8,w12 + add v16.4s,v16.4s,v17.4s + eor w17,w17,w5 + add v20.4s,v20.4s,v21.4s + eor w19,w19,w6 + eor v3.16b,v3.16b,v0.16b + eor w20,w20,w7 + eor v7.16b,v7.16b,v4.16b + eor w21,w21,w8 + eor v11.16b,v11.16b,v8.16b + ror w17,w17,#16 + eor v15.16b,v15.16b,v12.16b + ror w19,w19,#16 + eor v19.16b,v19.16b,v16.16b + ror w20,w20,#16 + eor v23.16b,v23.16b,v20.16b + ror w21,w21,#16 + rev32 v3.8h,v3.8h + add w13,w13,w17 + rev32 v7.8h,v7.8h + add w14,w14,w19 + rev32 v11.8h,v11.8h + add w15,w15,w20 + rev32 v15.8h,v15.8h + add w16,w16,w21 + rev32 v19.8h,v19.8h + eor w9,w9,w13 + rev32 v23.8h,v23.8h + eor w10,w10,w14 + add v2.4s,v2.4s,v3.4s + eor w11,w11,w15 + add v6.4s,v6.4s,v7.4s + eor w12,w12,w16 + add v10.4s,v10.4s,v11.4s + ror w9,w9,#20 + add v14.4s,v14.4s,v15.4s + ror w10,w10,#20 + 
add v18.4s,v18.4s,v19.4s + ror w11,w11,#20 + add v22.4s,v22.4s,v23.4s + ror w12,w12,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w9 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w10 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w11 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w12 + eor v28.16b,v17.16b,v18.16b + eor w17,w17,w5 + eor v29.16b,v21.16b,v22.16b + eor w19,w19,w6 + ushr v1.4s,v24.4s,#20 + eor w20,w20,w7 + ushr v5.4s,v25.4s,#20 + eor w21,w21,w8 + ushr v9.4s,v26.4s,#20 + ror w17,w17,#24 + ushr v13.4s,v27.4s,#20 + ror w19,w19,#24 + ushr v17.4s,v28.4s,#20 + ror w20,w20,#24 + ushr v21.4s,v29.4s,#20 + ror w21,w21,#24 + sli v1.4s,v24.4s,#12 + add w13,w13,w17 + sli v5.4s,v25.4s,#12 + add w14,w14,w19 + sli v9.4s,v26.4s,#12 + add w15,w15,w20 + sli v13.4s,v27.4s,#12 + add w16,w16,w21 + sli v17.4s,v28.4s,#12 + eor w9,w9,w13 + sli v21.4s,v29.4s,#12 + eor w10,w10,w14 + add v0.4s,v0.4s,v1.4s + eor w11,w11,w15 + add v4.4s,v4.4s,v5.4s + eor w12,w12,w16 + add v8.4s,v8.4s,v9.4s + ror w9,w9,#25 + add v12.4s,v12.4s,v13.4s + ror w10,w10,#25 + add v16.4s,v16.4s,v17.4s + ror w11,w11,#25 + add v20.4s,v20.4s,v21.4s + ror w12,w12,#25 + eor v24.16b,v3.16b,v0.16b + add w5,w5,w10 + eor v25.16b,v7.16b,v4.16b + add w6,w6,w11 + eor v26.16b,v11.16b,v8.16b + add w7,w7,w12 + eor v27.16b,v15.16b,v12.16b + add w8,w8,w9 + eor v28.16b,v19.16b,v16.16b + eor w21,w21,w5 + eor v29.16b,v23.16b,v20.16b + eor w17,w17,w6 + ushr v3.4s,v24.4s,#24 + eor w19,w19,w7 + ushr v7.4s,v25.4s,#24 + eor w20,w20,w8 + ushr v11.4s,v26.4s,#24 + ror w21,w21,#16 + ushr v15.4s,v27.4s,#24 + ror w17,w17,#16 + ushr v19.4s,v28.4s,#24 + ror w19,w19,#16 + ushr v23.4s,v29.4s,#24 + ror w20,w20,#16 + sli v3.4s,v24.4s,#8 + add w15,w15,w21 + sli v7.4s,v25.4s,#8 + add w16,w16,w17 + sli v11.4s,v26.4s,#8 + add w13,w13,w19 + sli v15.4s,v27.4s,#8 + add w14,w14,w20 + sli v19.4s,v28.4s,#8 + eor w10,w10,w15 + sli v23.4s,v29.4s,#8 + eor w11,w11,w16 + add v2.4s,v2.4s,v3.4s + eor w12,w12,w13 + add v6.4s,v6.4s,v7.4s + eor w9,w9,w14 + add v10.4s,v10.4s,v11.4s + 
ror w10,w10,#20 + add v14.4s,v14.4s,v15.4s + ror w11,w11,#20 + add v18.4s,v18.4s,v19.4s + ror w12,w12,#20 + add v22.4s,v22.4s,v23.4s + ror w9,w9,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w10 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w11 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w12 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w9 + eor v28.16b,v17.16b,v18.16b + eor w21,w21,w5 + eor v29.16b,v21.16b,v22.16b + eor w17,w17,w6 + ushr v1.4s,v24.4s,#25 + eor w19,w19,w7 + ushr v5.4s,v25.4s,#25 + eor w20,w20,w8 + ushr v9.4s,v26.4s,#25 + ror w21,w21,#24 + ushr v13.4s,v27.4s,#25 + ror w17,w17,#24 + ushr v17.4s,v28.4s,#25 + ror w19,w19,#24 + ushr v21.4s,v29.4s,#25 + ror w20,w20,#24 + sli v1.4s,v24.4s,#7 + add w15,w15,w21 + sli v5.4s,v25.4s,#7 + add w16,w16,w17 + sli v9.4s,v26.4s,#7 + add w13,w13,w19 + sli v13.4s,v27.4s,#7 + add w14,w14,w20 + sli v17.4s,v28.4s,#7 + eor w10,w10,w15 + sli v21.4s,v29.4s,#7 + eor w11,w11,w16 + ext v2.16b,v2.16b,v2.16b,#8 + eor w12,w12,w13 + ext v6.16b,v6.16b,v6.16b,#8 + eor w9,w9,w14 + ext v10.16b,v10.16b,v10.16b,#8 + ror w10,w10,#25 + ext v14.16b,v14.16b,v14.16b,#8 + ror w11,w11,#25 + ext v18.16b,v18.16b,v18.16b,#8 + ror w12,w12,#25 + ext v22.16b,v22.16b,v22.16b,#8 + ror w9,w9,#25 + ext v3.16b,v3.16b,v3.16b,#12 + ext v7.16b,v7.16b,v7.16b,#12 + ext v11.16b,v11.16b,v11.16b,#12 + ext v15.16b,v15.16b,v15.16b,#12 + ext v19.16b,v19.16b,v19.16b,#12 + ext v23.16b,v23.16b,v23.16b,#12 + ext v1.16b,v1.16b,v1.16b,#4 + ext v5.16b,v5.16b,v5.16b,#4 + ext v9.16b,v9.16b,v9.16b,#4 + ext v13.16b,v13.16b,v13.16b,#4 + ext v17.16b,v17.16b,v17.16b,#4 + ext v21.16b,v21.16b,v21.16b,#4 + add v0.4s,v0.4s,v1.4s + add w5,w5,w9 + add v4.4s,v4.4s,v5.4s + add w6,w6,w10 + add v8.4s,v8.4s,v9.4s + add w7,w7,w11 + add v12.4s,v12.4s,v13.4s + add w8,w8,w12 + add v16.4s,v16.4s,v17.4s + eor w17,w17,w5 + add v20.4s,v20.4s,v21.4s + eor w19,w19,w6 + eor v3.16b,v3.16b,v0.16b + eor w20,w20,w7 + eor v7.16b,v7.16b,v4.16b + eor w21,w21,w8 + eor v11.16b,v11.16b,v8.16b + ror w17,w17,#16 + eor 
v15.16b,v15.16b,v12.16b + ror w19,w19,#16 + eor v19.16b,v19.16b,v16.16b + ror w20,w20,#16 + eor v23.16b,v23.16b,v20.16b + ror w21,w21,#16 + rev32 v3.8h,v3.8h + add w13,w13,w17 + rev32 v7.8h,v7.8h + add w14,w14,w19 + rev32 v11.8h,v11.8h + add w15,w15,w20 + rev32 v15.8h,v15.8h + add w16,w16,w21 + rev32 v19.8h,v19.8h + eor w9,w9,w13 + rev32 v23.8h,v23.8h + eor w10,w10,w14 + add v2.4s,v2.4s,v3.4s + eor w11,w11,w15 + add v6.4s,v6.4s,v7.4s + eor w12,w12,w16 + add v10.4s,v10.4s,v11.4s + ror w9,w9,#20 + add v14.4s,v14.4s,v15.4s + ror w10,w10,#20 + add v18.4s,v18.4s,v19.4s + ror w11,w11,#20 + add v22.4s,v22.4s,v23.4s + ror w12,w12,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w9 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w10 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w11 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w12 + eor v28.16b,v17.16b,v18.16b + eor w17,w17,w5 + eor v29.16b,v21.16b,v22.16b + eor w19,w19,w6 + ushr v1.4s,v24.4s,#20 + eor w20,w20,w7 + ushr v5.4s,v25.4s,#20 + eor w21,w21,w8 + ushr v9.4s,v26.4s,#20 + ror w17,w17,#24 + ushr v13.4s,v27.4s,#20 + ror w19,w19,#24 + ushr v17.4s,v28.4s,#20 + ror w20,w20,#24 + ushr v21.4s,v29.4s,#20 + ror w21,w21,#24 + sli v1.4s,v24.4s,#12 + add w13,w13,w17 + sli v5.4s,v25.4s,#12 + add w14,w14,w19 + sli v9.4s,v26.4s,#12 + add w15,w15,w20 + sli v13.4s,v27.4s,#12 + add w16,w16,w21 + sli v17.4s,v28.4s,#12 + eor w9,w9,w13 + sli v21.4s,v29.4s,#12 + eor w10,w10,w14 + add v0.4s,v0.4s,v1.4s + eor w11,w11,w15 + add v4.4s,v4.4s,v5.4s + eor w12,w12,w16 + add v8.4s,v8.4s,v9.4s + ror w9,w9,#25 + add v12.4s,v12.4s,v13.4s + ror w10,w10,#25 + add v16.4s,v16.4s,v17.4s + ror w11,w11,#25 + add v20.4s,v20.4s,v21.4s + ror w12,w12,#25 + eor v24.16b,v3.16b,v0.16b + add w5,w5,w10 + eor v25.16b,v7.16b,v4.16b + add w6,w6,w11 + eor v26.16b,v11.16b,v8.16b + add w7,w7,w12 + eor v27.16b,v15.16b,v12.16b + add w8,w8,w9 + eor v28.16b,v19.16b,v16.16b + eor w21,w21,w5 + eor v29.16b,v23.16b,v20.16b + eor w17,w17,w6 + ushr v3.4s,v24.4s,#24 + eor w19,w19,w7 + ushr 
v7.4s,v25.4s,#24 + eor w20,w20,w8 + ushr v11.4s,v26.4s,#24 + ror w21,w21,#16 + ushr v15.4s,v27.4s,#24 + ror w17,w17,#16 + ushr v19.4s,v28.4s,#24 + ror w19,w19,#16 + ushr v23.4s,v29.4s,#24 + ror w20,w20,#16 + sli v3.4s,v24.4s,#8 + add w15,w15,w21 + sli v7.4s,v25.4s,#8 + add w16,w16,w17 + sli v11.4s,v26.4s,#8 + add w13,w13,w19 + sli v15.4s,v27.4s,#8 + add w14,w14,w20 + sli v19.4s,v28.4s,#8 + eor w10,w10,w15 + sli v23.4s,v29.4s,#8 + eor w11,w11,w16 + add v2.4s,v2.4s,v3.4s + eor w12,w12,w13 + add v6.4s,v6.4s,v7.4s + eor w9,w9,w14 + add v10.4s,v10.4s,v11.4s + ror w10,w10,#20 + add v14.4s,v14.4s,v15.4s + ror w11,w11,#20 + add v18.4s,v18.4s,v19.4s + ror w12,w12,#20 + add v22.4s,v22.4s,v23.4s + ror w9,w9,#20 + eor v24.16b,v1.16b,v2.16b + add w5,w5,w10 + eor v25.16b,v5.16b,v6.16b + add w6,w6,w11 + eor v26.16b,v9.16b,v10.16b + add w7,w7,w12 + eor v27.16b,v13.16b,v14.16b + add w8,w8,w9 + eor v28.16b,v17.16b,v18.16b + eor w21,w21,w5 + eor v29.16b,v21.16b,v22.16b + eor w17,w17,w6 + ushr v1.4s,v24.4s,#25 + eor w19,w19,w7 + ushr v5.4s,v25.4s,#25 + eor w20,w20,w8 + ushr v9.4s,v26.4s,#25 + ror w21,w21,#24 + ushr v13.4s,v27.4s,#25 + ror w17,w17,#24 + ushr v17.4s,v28.4s,#25 + ror w19,w19,#24 + ushr v21.4s,v29.4s,#25 + ror w20,w20,#24 + sli v1.4s,v24.4s,#7 + add w15,w15,w21 + sli v5.4s,v25.4s,#7 + add w16,w16,w17 + sli v9.4s,v26.4s,#7 + add w13,w13,w19 + sli v13.4s,v27.4s,#7 + add w14,w14,w20 + sli v17.4s,v28.4s,#7 + eor w10,w10,w15 + sli v21.4s,v29.4s,#7 + eor w11,w11,w16 + ext v2.16b,v2.16b,v2.16b,#8 + eor w12,w12,w13 + ext v6.16b,v6.16b,v6.16b,#8 + eor w9,w9,w14 + ext v10.16b,v10.16b,v10.16b,#8 + ror w10,w10,#25 + ext v14.16b,v14.16b,v14.16b,#8 + ror w11,w11,#25 + ext v18.16b,v18.16b,v18.16b,#8 + ror w12,w12,#25 + ext v22.16b,v22.16b,v22.16b,#8 + ror w9,w9,#25 + ext v3.16b,v3.16b,v3.16b,#4 + ext v7.16b,v7.16b,v7.16b,#4 + ext v11.16b,v11.16b,v11.16b,#4 + ext v15.16b,v15.16b,v15.16b,#4 + ext v19.16b,v19.16b,v19.16b,#4 + ext v23.16b,v23.16b,v23.16b,#4 + ext v1.16b,v1.16b,v1.16b,#12 + 
ext v5.16b,v5.16b,v5.16b,#12 + ext v9.16b,v9.16b,v9.16b,#12 + ext v13.16b,v13.16b,v13.16b,#12 + ext v17.16b,v17.16b,v17.16b,#12 + ext v21.16b,v21.16b,v21.16b,#12 + cbnz x4,Loop_lower_neon + + add w5,w5,w22 // accumulate key block + ldp q24,q25,[sp,#0] + add x6,x6,x22,lsr#32 + ldp q26,q27,[sp,#32] + add w7,w7,w23 + ldp q28,q29,[sp,#64] + add x8,x8,x23,lsr#32 + add v0.4s,v0.4s,v24.4s + add w9,w9,w24 + add v4.4s,v4.4s,v24.4s + add x10,x10,x24,lsr#32 + add v8.4s,v8.4s,v24.4s + add w11,w11,w25 + add v12.4s,v12.4s,v24.4s + add x12,x12,x25,lsr#32 + add v16.4s,v16.4s,v24.4s + add w13,w13,w26 + add v20.4s,v20.4s,v24.4s + add x14,x14,x26,lsr#32 + add v2.4s,v2.4s,v26.4s + add w15,w15,w27 + add v6.4s,v6.4s,v26.4s + add x16,x16,x27,lsr#32 + add v10.4s,v10.4s,v26.4s + add w17,w17,w28 + add v14.4s,v14.4s,v26.4s + add x19,x19,x28,lsr#32 + add v18.4s,v18.4s,v26.4s + add w20,w20,w30 + add v22.4s,v22.4s,v26.4s + add x21,x21,x30,lsr#32 + add v19.4s,v19.4s,v31.4s // +4 + add x5,x5,x6,lsl#32 // pack + add v23.4s,v23.4s,v31.4s // +4 + add x7,x7,x8,lsl#32 + add v3.4s,v3.4s,v27.4s + ldp x6,x8,[x1,#0] // load input + add v7.4s,v7.4s,v28.4s + add x9,x9,x10,lsl#32 + add v11.4s,v11.4s,v29.4s + add x11,x11,x12,lsl#32 + add v15.4s,v15.4s,v30.4s + ldp x10,x12,[x1,#16] + add v19.4s,v19.4s,v27.4s + add x13,x13,x14,lsl#32 + add v23.4s,v23.4s,v28.4s + add x15,x15,x16,lsl#32 + add v1.4s,v1.4s,v25.4s + ldp x14,x16,[x1,#32] + add v5.4s,v5.4s,v25.4s + add x17,x17,x19,lsl#32 + add v9.4s,v9.4s,v25.4s + add x20,x20,x21,lsl#32 + add v13.4s,v13.4s,v25.4s + ldp x19,x21,[x1,#48] + add v17.4s,v17.4s,v25.4s + add x1,x1,#64 + add v21.4s,v21.4s,v25.4s + +#ifdef __AARCH64EB__ + rev x5,x5 + rev x7,x7 + rev x9,x9 + rev x11,x11 + rev x13,x13 + rev x15,x15 + rev x17,x17 + rev x20,x20 +#endif + ld1 {v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64 + eor x5,x5,x6 + eor x7,x7,x8 + eor x9,x9,x10 + eor x11,x11,x12 + eor x13,x13,x14 + eor v0.16b,v0.16b,v24.16b + eor x15,x15,x16 + eor v1.16b,v1.16b,v25.16b + eor x17,x17,x19 + eor 
v2.16b,v2.16b,v26.16b + eor x20,x20,x21 + eor v3.16b,v3.16b,v27.16b + ld1 {v24.16b,v25.16b,v26.16b,v27.16b},[x1],#64 + + stp x5,x7,[x0,#0] // store output + add x28,x28,#7 // increment counter + stp x9,x11,[x0,#16] + stp x13,x15,[x0,#32] + stp x17,x20,[x0,#48] + add x0,x0,#64 + st1 {v0.16b,v1.16b,v2.16b,v3.16b},[x0],#64 + + ld1 {v0.16b,v1.16b,v2.16b,v3.16b},[x1],#64 + eor v4.16b,v4.16b,v24.16b + eor v5.16b,v5.16b,v25.16b + eor v6.16b,v6.16b,v26.16b + eor v7.16b,v7.16b,v27.16b + st1 {v4.16b,v5.16b,v6.16b,v7.16b},[x0],#64 + + ld1 {v4.16b,v5.16b,v6.16b,v7.16b},[x1],#64 + eor v8.16b,v8.16b,v0.16b + ldp q24,q25,[sp,#0] + eor v9.16b,v9.16b,v1.16b + ldp q26,q27,[sp,#32] + eor v10.16b,v10.16b,v2.16b + eor v11.16b,v11.16b,v3.16b + st1 {v8.16b,v9.16b,v10.16b,v11.16b},[x0],#64 + + ld1 {v8.16b,v9.16b,v10.16b,v11.16b},[x1],#64 + eor v12.16b,v12.16b,v4.16b + eor v13.16b,v13.16b,v5.16b + eor v14.16b,v14.16b,v6.16b + eor v15.16b,v15.16b,v7.16b + st1 {v12.16b,v13.16b,v14.16b,v15.16b},[x0],#64 + + ld1 {v12.16b,v13.16b,v14.16b,v15.16b},[x1],#64 + eor v16.16b,v16.16b,v8.16b + eor v17.16b,v17.16b,v9.16b + eor v18.16b,v18.16b,v10.16b + eor v19.16b,v19.16b,v11.16b + st1 {v16.16b,v17.16b,v18.16b,v19.16b},[x0],#64 + + shl v0.4s,v31.4s,#1 // 4 -> 8 + eor v20.16b,v20.16b,v12.16b + eor v21.16b,v21.16b,v13.16b + eor v22.16b,v22.16b,v14.16b + eor v23.16b,v23.16b,v15.16b + st1 {v20.16b,v21.16b,v22.16b,v23.16b},[x0],#64 + + add v27.4s,v27.4s,v0.4s // += 8 + add v28.4s,v28.4s,v0.4s + add v29.4s,v29.4s,v0.4s + add v30.4s,v30.4s,v0.4s + + b.hs Loop_outer_512_neon + + adds x2,x2,#512 + ushr v0.4s,v31.4s,#2 // 4 -> 1 + + ldp d8,d9,[sp,#128+0] // meet ABI requirements + ldp d10,d11,[sp,#128+16] + ldp d12,d13,[sp,#128+32] + ldp d14,d15,[sp,#128+48] + + stp q24,q31,[sp,#0] // wipe off-load area + stp q24,q31,[sp,#32] + stp q24,q31,[sp,#64] + + b.eq Ldone_512_neon + + cmp x2,#192 + sub v27.4s,v27.4s,v0.4s // -= 1 + sub v28.4s,v28.4s,v0.4s + sub v29.4s,v29.4s,v0.4s + add sp,sp,#128 + b.hs Loop_outer_neon + 
+ eor v25.16b,v25.16b,v25.16b + eor v26.16b,v26.16b,v26.16b + eor v27.16b,v27.16b,v27.16b + eor v28.16b,v28.16b,v28.16b + eor v29.16b,v29.16b,v29.16b + eor v30.16b,v30.16b,v30.16b + b Loop_outer + +Ldone_512_neon: + ldp x19,x20,[x29,#16] + add sp,sp,#128+64 + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/gen/crypto/chacha-x86-apple.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86-apple.S new file mode 100644 index 000000000..b417aeb07 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86-apple.S 
@@ -0,0 +1,962 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _ChaCha20_ctr32_nohw +.private_extern _ChaCha20_ctr32_nohw +.align 4 +_ChaCha20_ctr32_nohw: +L_ChaCha20_ctr32_nohw_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + movl 32(%esp),%esi + movl 36(%esp),%edi + subl $132,%esp + movl (%esi),%eax + movl 4(%esi),%ebx + movl 8(%esi),%ecx + movl 12(%esi),%edx + movl %eax,80(%esp) + movl %ebx,84(%esp) + movl %ecx,88(%esp) + movl %edx,92(%esp) + movl 16(%esi),%eax + movl 20(%esi),%ebx + movl 24(%esi),%ecx + movl 28(%esi),%edx + movl %eax,96(%esp) + movl %ebx,100(%esp) + movl %ecx,104(%esp) + movl %edx,108(%esp) + movl (%edi),%eax + movl 4(%edi),%ebx + movl 8(%edi),%ecx + movl 12(%edi),%edx + subl $1,%eax + movl %eax,112(%esp) + movl %ebx,116(%esp) + movl %ecx,120(%esp) + movl %edx,124(%esp) + jmp L000entry +.align 4,0x90 +L001outer_loop: + movl %ebx,156(%esp) + movl %eax,152(%esp) + movl %ecx,160(%esp) +L000entry: + movl $1634760805,%eax + movl $857760878,4(%esp) + movl $2036477234,8(%esp) + movl $1797285236,12(%esp) + movl 84(%esp),%ebx + movl 88(%esp),%ebp + movl 104(%esp),%ecx + movl 108(%esp),%esi + movl 116(%esp),%edx + movl 120(%esp),%edi + movl %ebx,20(%esp) + movl %ebp,24(%esp) + movl %ecx,40(%esp) + movl %esi,44(%esp) + movl %edx,52(%esp) + movl %edi,56(%esp) + movl 92(%esp),%ebx + movl 124(%esp),%edi + movl 112(%esp),%edx + movl 80(%esp),%ebp + movl 96(%esp),%ecx + movl 100(%esp),%esi + addl $1,%edx + movl %ebx,28(%esp) + movl %edi,60(%esp) + movl %edx,112(%esp) + movl $10,%ebx + jmp L002loop +.align 4,0x90 +L002loop: + addl %ebp,%eax + movl %ebx,128(%esp) + movl %ebp,%ebx + xorl %eax,%edx + roll $16,%edx + addl %edx,%ecx + xorl %ecx,%ebx + movl 52(%esp),%edi + roll $12,%ebx + movl 20(%esp),%ebp + addl %ebx,%eax + xorl %eax,%edx + 
movl %eax,(%esp) + roll $8,%edx + movl 4(%esp),%eax + addl %edx,%ecx + movl %edx,48(%esp) + xorl %ecx,%ebx + addl %ebp,%eax + roll $7,%ebx + xorl %eax,%edi + movl %ecx,32(%esp) + roll $16,%edi + movl %ebx,16(%esp) + addl %edi,%esi + movl 40(%esp),%ecx + xorl %esi,%ebp + movl 56(%esp),%edx + roll $12,%ebp + movl 24(%esp),%ebx + addl %ebp,%eax + xorl %eax,%edi + movl %eax,4(%esp) + roll $8,%edi + movl 8(%esp),%eax + addl %edi,%esi + movl %edi,52(%esp) + xorl %esi,%ebp + addl %ebx,%eax + roll $7,%ebp + xorl %eax,%edx + movl %esi,36(%esp) + roll $16,%edx + movl %ebp,20(%esp) + addl %edx,%ecx + movl 44(%esp),%esi + xorl %ecx,%ebx + movl 60(%esp),%edi + roll $12,%ebx + movl 28(%esp),%ebp + addl %ebx,%eax + xorl %eax,%edx + movl %eax,8(%esp) + roll $8,%edx + movl 12(%esp),%eax + addl %edx,%ecx + movl %edx,56(%esp) + xorl %ecx,%ebx + addl %ebp,%eax + roll $7,%ebx + xorl %eax,%edi + roll $16,%edi + movl %ebx,24(%esp) + addl %edi,%esi + xorl %esi,%ebp + roll $12,%ebp + movl 20(%esp),%ebx + addl %ebp,%eax + xorl %eax,%edi + movl %eax,12(%esp) + roll $8,%edi + movl (%esp),%eax + addl %edi,%esi + movl %edi,%edx + xorl %esi,%ebp + addl %ebx,%eax + roll $7,%ebp + xorl %eax,%edx + roll $16,%edx + movl %ebp,28(%esp) + addl %edx,%ecx + xorl %ecx,%ebx + movl 48(%esp),%edi + roll $12,%ebx + movl 24(%esp),%ebp + addl %ebx,%eax + xorl %eax,%edx + movl %eax,(%esp) + roll $8,%edx + movl 4(%esp),%eax + addl %edx,%ecx + movl %edx,60(%esp) + xorl %ecx,%ebx + addl %ebp,%eax + roll $7,%ebx + xorl %eax,%edi + movl %ecx,40(%esp) + roll $16,%edi + movl %ebx,20(%esp) + addl %edi,%esi + movl 32(%esp),%ecx + xorl %esi,%ebp + movl 52(%esp),%edx + roll $12,%ebp + movl 28(%esp),%ebx + addl %ebp,%eax + xorl %eax,%edi + movl %eax,4(%esp) + roll $8,%edi + movl 8(%esp),%eax + addl %edi,%esi + movl %edi,48(%esp) + xorl %esi,%ebp + addl %ebx,%eax + roll $7,%ebp + xorl %eax,%edx + movl %esi,44(%esp) + roll $16,%edx + movl %ebp,24(%esp) + addl %edx,%ecx + movl 36(%esp),%esi + xorl %ecx,%ebx + movl 
56(%esp),%edi + roll $12,%ebx + movl 16(%esp),%ebp + addl %ebx,%eax + xorl %eax,%edx + movl %eax,8(%esp) + roll $8,%edx + movl 12(%esp),%eax + addl %edx,%ecx + movl %edx,52(%esp) + xorl %ecx,%ebx + addl %ebp,%eax + roll $7,%ebx + xorl %eax,%edi + roll $16,%edi + movl %ebx,28(%esp) + addl %edi,%esi + xorl %esi,%ebp + movl 48(%esp),%edx + roll $12,%ebp + movl 128(%esp),%ebx + addl %ebp,%eax + xorl %eax,%edi + movl %eax,12(%esp) + roll $8,%edi + movl (%esp),%eax + addl %edi,%esi + movl %edi,56(%esp) + xorl %esi,%ebp + roll $7,%ebp + decl %ebx + jnz L002loop + movl 160(%esp),%ebx + addl $1634760805,%eax + addl 80(%esp),%ebp + addl 96(%esp),%ecx + addl 100(%esp),%esi + cmpl $64,%ebx + jb L003tail + movl 156(%esp),%ebx + addl 112(%esp),%edx + addl 120(%esp),%edi + xorl (%ebx),%eax + xorl 16(%ebx),%ebp + movl %eax,(%esp) + movl 152(%esp),%eax + xorl 32(%ebx),%ecx + xorl 36(%ebx),%esi + xorl 48(%ebx),%edx + xorl 56(%ebx),%edi + movl %ebp,16(%eax) + movl %ecx,32(%eax) + movl %esi,36(%eax) + movl %edx,48(%eax) + movl %edi,56(%eax) + movl 4(%esp),%ebp + movl 8(%esp),%ecx + movl 12(%esp),%esi + movl 20(%esp),%edx + movl 24(%esp),%edi + addl $857760878,%ebp + addl $2036477234,%ecx + addl $1797285236,%esi + addl 84(%esp),%edx + addl 88(%esp),%edi + xorl 4(%ebx),%ebp + xorl 8(%ebx),%ecx + xorl 12(%ebx),%esi + xorl 20(%ebx),%edx + xorl 24(%ebx),%edi + movl %ebp,4(%eax) + movl %ecx,8(%eax) + movl %esi,12(%eax) + movl %edx,20(%eax) + movl %edi,24(%eax) + movl 28(%esp),%ebp + movl 40(%esp),%ecx + movl 44(%esp),%esi + movl 52(%esp),%edx + movl 60(%esp),%edi + addl 92(%esp),%ebp + addl 104(%esp),%ecx + addl 108(%esp),%esi + addl 116(%esp),%edx + addl 124(%esp),%edi + xorl 28(%ebx),%ebp + xorl 40(%ebx),%ecx + xorl 44(%ebx),%esi + xorl 52(%ebx),%edx + xorl 60(%ebx),%edi + leal 64(%ebx),%ebx + movl %ebp,28(%eax) + movl (%esp),%ebp + movl %ecx,40(%eax) + movl 160(%esp),%ecx + movl %esi,44(%eax) + movl %edx,52(%eax) + movl %edi,60(%eax) + movl %ebp,(%eax) + leal 64(%eax),%eax + subl 
$64,%ecx + jnz L001outer_loop + jmp L004done +L003tail: + addl 112(%esp),%edx + addl 120(%esp),%edi + movl %eax,(%esp) + movl %ebp,16(%esp) + movl %ecx,32(%esp) + movl %esi,36(%esp) + movl %edx,48(%esp) + movl %edi,56(%esp) + movl 4(%esp),%ebp + movl 8(%esp),%ecx + movl 12(%esp),%esi + movl 20(%esp),%edx + movl 24(%esp),%edi + addl $857760878,%ebp + addl $2036477234,%ecx + addl $1797285236,%esi + addl 84(%esp),%edx + addl 88(%esp),%edi + movl %ebp,4(%esp) + movl %ecx,8(%esp) + movl %esi,12(%esp) + movl %edx,20(%esp) + movl %edi,24(%esp) + movl 28(%esp),%ebp + movl 40(%esp),%ecx + movl 44(%esp),%esi + movl 52(%esp),%edx + movl 60(%esp),%edi + addl 92(%esp),%ebp + addl 104(%esp),%ecx + addl 108(%esp),%esi + addl 116(%esp),%edx + addl 124(%esp),%edi + movl %ebp,28(%esp) + movl 156(%esp),%ebp + movl %ecx,40(%esp) + movl 152(%esp),%ecx + movl %esi,44(%esp) + xorl %esi,%esi + movl %edx,52(%esp) + movl %edi,60(%esp) + xorl %eax,%eax + xorl %edx,%edx +L005tail_loop: + movb (%esi,%ebp,1),%al + movb (%esp,%esi,1),%dl + leal 1(%esi),%esi + xorb %dl,%al + movb %al,-1(%ecx,%esi,1) + decl %ebx + jnz L005tail_loop +L004done: + addl $132,%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.globl _ChaCha20_ctr32_ssse3 +.private_extern _ChaCha20_ctr32_ssse3 +.align 4 +_ChaCha20_ctr32_ssse3: +L_ChaCha20_ctr32_ssse3_begin: + pushl %ebp + pushl %ebx + pushl %esi + pushl %edi + call Lpic_point +Lpic_point: + popl %eax + movl 20(%esp),%edi + movl 24(%esp),%esi + movl 28(%esp),%ecx + movl 32(%esp),%edx + movl 36(%esp),%ebx + movl %esp,%ebp + subl $524,%esp + andl $-64,%esp + movl %ebp,512(%esp) + leal Lssse3_data-Lpic_point(%eax),%eax + movdqu (%ebx),%xmm3 + cmpl $256,%ecx + jb L0061x + movl %edx,516(%esp) + movl %ebx,520(%esp) + subl $256,%ecx + leal 384(%esp),%ebp + movdqu (%edx),%xmm7 + pshufd $0,%xmm3,%xmm0 + pshufd $85,%xmm3,%xmm1 + pshufd $170,%xmm3,%xmm2 + pshufd $255,%xmm3,%xmm3 + paddd 48(%eax),%xmm0 + pshufd $0,%xmm7,%xmm4 + pshufd $85,%xmm7,%xmm5 + psubd 64(%eax),%xmm0 
+ pshufd $170,%xmm7,%xmm6 + pshufd $255,%xmm7,%xmm7 + movdqa %xmm0,64(%ebp) + movdqa %xmm1,80(%ebp) + movdqa %xmm2,96(%ebp) + movdqa %xmm3,112(%ebp) + movdqu 16(%edx),%xmm3 + movdqa %xmm4,-64(%ebp) + movdqa %xmm5,-48(%ebp) + movdqa %xmm6,-32(%ebp) + movdqa %xmm7,-16(%ebp) + movdqa 32(%eax),%xmm7 + leal 128(%esp),%ebx + pshufd $0,%xmm3,%xmm0 + pshufd $85,%xmm3,%xmm1 + pshufd $170,%xmm3,%xmm2 + pshufd $255,%xmm3,%xmm3 + pshufd $0,%xmm7,%xmm4 + pshufd $85,%xmm7,%xmm5 + pshufd $170,%xmm7,%xmm6 + pshufd $255,%xmm7,%xmm7 + movdqa %xmm0,(%ebp) + movdqa %xmm1,16(%ebp) + movdqa %xmm2,32(%ebp) + movdqa %xmm3,48(%ebp) + movdqa %xmm4,-128(%ebp) + movdqa %xmm5,-112(%ebp) + movdqa %xmm6,-96(%ebp) + movdqa %xmm7,-80(%ebp) + leal 128(%esi),%esi + leal 128(%edi),%edi + jmp L007outer_loop +.align 4,0x90 +L007outer_loop: + movdqa -112(%ebp),%xmm1 + movdqa -96(%ebp),%xmm2 + movdqa -80(%ebp),%xmm3 + movdqa -48(%ebp),%xmm5 + movdqa -32(%ebp),%xmm6 + movdqa -16(%ebp),%xmm7 + movdqa %xmm1,-112(%ebx) + movdqa %xmm2,-96(%ebx) + movdqa %xmm3,-80(%ebx) + movdqa %xmm5,-48(%ebx) + movdqa %xmm6,-32(%ebx) + movdqa %xmm7,-16(%ebx) + movdqa 32(%ebp),%xmm2 + movdqa 48(%ebp),%xmm3 + movdqa 64(%ebp),%xmm4 + movdqa 80(%ebp),%xmm5 + movdqa 96(%ebp),%xmm6 + movdqa 112(%ebp),%xmm7 + paddd 64(%eax),%xmm4 + movdqa %xmm2,32(%ebx) + movdqa %xmm3,48(%ebx) + movdqa %xmm4,64(%ebx) + movdqa %xmm5,80(%ebx) + movdqa %xmm6,96(%ebx) + movdqa %xmm7,112(%ebx) + movdqa %xmm4,64(%ebp) + movdqa -128(%ebp),%xmm0 + movdqa %xmm4,%xmm6 + movdqa -64(%ebp),%xmm3 + movdqa (%ebp),%xmm4 + movdqa 16(%ebp),%xmm5 + movl $10,%edx + nop +.align 4,0x90 +L008loop: + paddd %xmm3,%xmm0 + movdqa %xmm3,%xmm2 + pxor %xmm0,%xmm6 + pshufb (%eax),%xmm6 + paddd %xmm6,%xmm4 + pxor %xmm4,%xmm2 + movdqa -48(%ebx),%xmm3 + movdqa %xmm2,%xmm1 + pslld $12,%xmm2 + psrld $20,%xmm1 + por %xmm1,%xmm2 + movdqa -112(%ebx),%xmm1 + paddd %xmm2,%xmm0 + movdqa 80(%ebx),%xmm7 + pxor %xmm0,%xmm6 + movdqa %xmm0,-128(%ebx) + pshufb 16(%eax),%xmm6 + paddd %xmm6,%xmm4 
+ movdqa %xmm6,64(%ebx) + pxor %xmm4,%xmm2 + paddd %xmm3,%xmm1 + movdqa %xmm2,%xmm0 + pslld $7,%xmm2 + psrld $25,%xmm0 + pxor %xmm1,%xmm7 + por %xmm0,%xmm2 + movdqa %xmm4,(%ebx) + pshufb (%eax),%xmm7 + movdqa %xmm2,-64(%ebx) + paddd %xmm7,%xmm5 + movdqa 32(%ebx),%xmm4 + pxor %xmm5,%xmm3 + movdqa -32(%ebx),%xmm2 + movdqa %xmm3,%xmm0 + pslld $12,%xmm3 + psrld $20,%xmm0 + por %xmm0,%xmm3 + movdqa -96(%ebx),%xmm0 + paddd %xmm3,%xmm1 + movdqa 96(%ebx),%xmm6 + pxor %xmm1,%xmm7 + movdqa %xmm1,-112(%ebx) + pshufb 16(%eax),%xmm7 + paddd %xmm7,%xmm5 + movdqa %xmm7,80(%ebx) + pxor %xmm5,%xmm3 + paddd %xmm2,%xmm0 + movdqa %xmm3,%xmm1 + pslld $7,%xmm3 + psrld $25,%xmm1 + pxor %xmm0,%xmm6 + por %xmm1,%xmm3 + movdqa %xmm5,16(%ebx) + pshufb (%eax),%xmm6 + movdqa %xmm3,-48(%ebx) + paddd %xmm6,%xmm4 + movdqa 48(%ebx),%xmm5 + pxor %xmm4,%xmm2 + movdqa -16(%ebx),%xmm3 + movdqa %xmm2,%xmm1 + pslld $12,%xmm2 + psrld $20,%xmm1 + por %xmm1,%xmm2 + movdqa -80(%ebx),%xmm1 + paddd %xmm2,%xmm0 + movdqa 112(%ebx),%xmm7 + pxor %xmm0,%xmm6 + movdqa %xmm0,-96(%ebx) + pshufb 16(%eax),%xmm6 + paddd %xmm6,%xmm4 + movdqa %xmm6,96(%ebx) + pxor %xmm4,%xmm2 + paddd %xmm3,%xmm1 + movdqa %xmm2,%xmm0 + pslld $7,%xmm2 + psrld $25,%xmm0 + pxor %xmm1,%xmm7 + por %xmm0,%xmm2 + pshufb (%eax),%xmm7 + movdqa %xmm2,-32(%ebx) + paddd %xmm7,%xmm5 + pxor %xmm5,%xmm3 + movdqa -48(%ebx),%xmm2 + movdqa %xmm3,%xmm0 + pslld $12,%xmm3 + psrld $20,%xmm0 + por %xmm0,%xmm3 + movdqa -128(%ebx),%xmm0 + paddd %xmm3,%xmm1 + pxor %xmm1,%xmm7 + movdqa %xmm1,-80(%ebx) + pshufb 16(%eax),%xmm7 + paddd %xmm7,%xmm5 + movdqa %xmm7,%xmm6 + pxor %xmm5,%xmm3 + paddd %xmm2,%xmm0 + movdqa %xmm3,%xmm1 + pslld $7,%xmm3 + psrld $25,%xmm1 + pxor %xmm0,%xmm6 + por %xmm1,%xmm3 + pshufb (%eax),%xmm6 + movdqa %xmm3,-16(%ebx) + paddd %xmm6,%xmm4 + pxor %xmm4,%xmm2 + movdqa -32(%ebx),%xmm3 + movdqa %xmm2,%xmm1 + pslld $12,%xmm2 + psrld $20,%xmm1 + por %xmm1,%xmm2 + movdqa -112(%ebx),%xmm1 + paddd %xmm2,%xmm0 + movdqa 64(%ebx),%xmm7 + pxor %xmm0,%xmm6 + 
movdqa %xmm0,-128(%ebx) + pshufb 16(%eax),%xmm6 + paddd %xmm6,%xmm4 + movdqa %xmm6,112(%ebx) + pxor %xmm4,%xmm2 + paddd %xmm3,%xmm1 + movdqa %xmm2,%xmm0 + pslld $7,%xmm2 + psrld $25,%xmm0 + pxor %xmm1,%xmm7 + por %xmm0,%xmm2 + movdqa %xmm4,32(%ebx) + pshufb (%eax),%xmm7 + movdqa %xmm2,-48(%ebx) + paddd %xmm7,%xmm5 + movdqa (%ebx),%xmm4 + pxor %xmm5,%xmm3 + movdqa -16(%ebx),%xmm2 + movdqa %xmm3,%xmm0 + pslld $12,%xmm3 + psrld $20,%xmm0 + por %xmm0,%xmm3 + movdqa -96(%ebx),%xmm0 + paddd %xmm3,%xmm1 + movdqa 80(%ebx),%xmm6 + pxor %xmm1,%xmm7 + movdqa %xmm1,-112(%ebx) + pshufb 16(%eax),%xmm7 + paddd %xmm7,%xmm5 + movdqa %xmm7,64(%ebx) + pxor %xmm5,%xmm3 + paddd %xmm2,%xmm0 + movdqa %xmm3,%xmm1 + pslld $7,%xmm3 + psrld $25,%xmm1 + pxor %xmm0,%xmm6 + por %xmm1,%xmm3 + movdqa %xmm5,48(%ebx) + pshufb (%eax),%xmm6 + movdqa %xmm3,-32(%ebx) + paddd %xmm6,%xmm4 + movdqa 16(%ebx),%xmm5 + pxor %xmm4,%xmm2 + movdqa -64(%ebx),%xmm3 + movdqa %xmm2,%xmm1 + pslld $12,%xmm2 + psrld $20,%xmm1 + por %xmm1,%xmm2 + movdqa -80(%ebx),%xmm1 + paddd %xmm2,%xmm0 + movdqa 96(%ebx),%xmm7 + pxor %xmm0,%xmm6 + movdqa %xmm0,-96(%ebx) + pshufb 16(%eax),%xmm6 + paddd %xmm6,%xmm4 + movdqa %xmm6,80(%ebx) + pxor %xmm4,%xmm2 + paddd %xmm3,%xmm1 + movdqa %xmm2,%xmm0 + pslld $7,%xmm2 + psrld $25,%xmm0 + pxor %xmm1,%xmm7 + por %xmm0,%xmm2 + pshufb (%eax),%xmm7 + movdqa %xmm2,-16(%ebx) + paddd %xmm7,%xmm5 + pxor %xmm5,%xmm3 + movdqa %xmm3,%xmm0 + pslld $12,%xmm3 + psrld $20,%xmm0 + por %xmm0,%xmm3 + movdqa -128(%ebx),%xmm0 + paddd %xmm3,%xmm1 + movdqa 64(%ebx),%xmm6 + pxor %xmm1,%xmm7 + movdqa %xmm1,-80(%ebx) + pshufb 16(%eax),%xmm7 + paddd %xmm7,%xmm5 + movdqa %xmm7,96(%ebx) + pxor %xmm5,%xmm3 + movdqa %xmm3,%xmm1 + pslld $7,%xmm3 + psrld $25,%xmm1 + por %xmm1,%xmm3 + decl %edx + jnz L008loop + movdqa %xmm3,-64(%ebx) + movdqa %xmm4,(%ebx) + movdqa %xmm5,16(%ebx) + movdqa %xmm6,64(%ebx) + movdqa %xmm7,96(%ebx) + movdqa -112(%ebx),%xmm1 + movdqa -96(%ebx),%xmm2 + movdqa -80(%ebx),%xmm3 + paddd 
-128(%ebp),%xmm0 + paddd -112(%ebp),%xmm1 + paddd -96(%ebp),%xmm2 + paddd -80(%ebp),%xmm3 + movdqa %xmm0,%xmm6 + punpckldq %xmm1,%xmm0 + movdqa %xmm2,%xmm7 + punpckldq %xmm3,%xmm2 + punpckhdq %xmm1,%xmm6 + punpckhdq %xmm3,%xmm7 + movdqa %xmm0,%xmm1 + punpcklqdq %xmm2,%xmm0 + movdqa %xmm6,%xmm3 + punpcklqdq %xmm7,%xmm6 + punpckhqdq %xmm2,%xmm1 + punpckhqdq %xmm7,%xmm3 + movdqu -128(%esi),%xmm4 + movdqu -64(%esi),%xmm5 + movdqu (%esi),%xmm2 + movdqu 64(%esi),%xmm7 + leal 16(%esi),%esi + pxor %xmm0,%xmm4 + movdqa -64(%ebx),%xmm0 + pxor %xmm1,%xmm5 + movdqa -48(%ebx),%xmm1 + pxor %xmm2,%xmm6 + movdqa -32(%ebx),%xmm2 + pxor %xmm3,%xmm7 + movdqa -16(%ebx),%xmm3 + movdqu %xmm4,-128(%edi) + movdqu %xmm5,-64(%edi) + movdqu %xmm6,(%edi) + movdqu %xmm7,64(%edi) + leal 16(%edi),%edi + paddd -64(%ebp),%xmm0 + paddd -48(%ebp),%xmm1 + paddd -32(%ebp),%xmm2 + paddd -16(%ebp),%xmm3 + movdqa %xmm0,%xmm6 + punpckldq %xmm1,%xmm0 + movdqa %xmm2,%xmm7 + punpckldq %xmm3,%xmm2 + punpckhdq %xmm1,%xmm6 + punpckhdq %xmm3,%xmm7 + movdqa %xmm0,%xmm1 + punpcklqdq %xmm2,%xmm0 + movdqa %xmm6,%xmm3 + punpcklqdq %xmm7,%xmm6 + punpckhqdq %xmm2,%xmm1 + punpckhqdq %xmm7,%xmm3 + movdqu -128(%esi),%xmm4 + movdqu -64(%esi),%xmm5 + movdqu (%esi),%xmm2 + movdqu 64(%esi),%xmm7 + leal 16(%esi),%esi + pxor %xmm0,%xmm4 + movdqa (%ebx),%xmm0 + pxor %xmm1,%xmm5 + movdqa 16(%ebx),%xmm1 + pxor %xmm2,%xmm6 + movdqa 32(%ebx),%xmm2 + pxor %xmm3,%xmm7 + movdqa 48(%ebx),%xmm3 + movdqu %xmm4,-128(%edi) + movdqu %xmm5,-64(%edi) + movdqu %xmm6,(%edi) + movdqu %xmm7,64(%edi) + leal 16(%edi),%edi + paddd (%ebp),%xmm0 + paddd 16(%ebp),%xmm1 + paddd 32(%ebp),%xmm2 + paddd 48(%ebp),%xmm3 + movdqa %xmm0,%xmm6 + punpckldq %xmm1,%xmm0 + movdqa %xmm2,%xmm7 + punpckldq %xmm3,%xmm2 + punpckhdq %xmm1,%xmm6 + punpckhdq %xmm3,%xmm7 + movdqa %xmm0,%xmm1 + punpcklqdq %xmm2,%xmm0 + movdqa %xmm6,%xmm3 + punpcklqdq %xmm7,%xmm6 + punpckhqdq %xmm2,%xmm1 + punpckhqdq %xmm7,%xmm3 + movdqu -128(%esi),%xmm4 + movdqu -64(%esi),%xmm5 + movdqu 
(%esi),%xmm2 + movdqu 64(%esi),%xmm7 + leal 16(%esi),%esi + pxor %xmm0,%xmm4 + movdqa 64(%ebx),%xmm0 + pxor %xmm1,%xmm5 + movdqa 80(%ebx),%xmm1 + pxor %xmm2,%xmm6 + movdqa 96(%ebx),%xmm2 + pxor %xmm3,%xmm7 + movdqa 112(%ebx),%xmm3 + movdqu %xmm4,-128(%edi) + movdqu %xmm5,-64(%edi) + movdqu %xmm6,(%edi) + movdqu %xmm7,64(%edi) + leal 16(%edi),%edi + paddd 64(%ebp),%xmm0 + paddd 80(%ebp),%xmm1 + paddd 96(%ebp),%xmm2 + paddd 112(%ebp),%xmm3 + movdqa %xmm0,%xmm6 + punpckldq %xmm1,%xmm0 + movdqa %xmm2,%xmm7 + punpckldq %xmm3,%xmm2 + punpckhdq %xmm1,%xmm6 + punpckhdq %xmm3,%xmm7 + movdqa %xmm0,%xmm1 + punpcklqdq %xmm2,%xmm0 + movdqa %xmm6,%xmm3 + punpcklqdq %xmm7,%xmm6 + punpckhqdq %xmm2,%xmm1 + punpckhqdq %xmm7,%xmm3 + movdqu -128(%esi),%xmm4 + movdqu -64(%esi),%xmm5 + movdqu (%esi),%xmm2 + movdqu 64(%esi),%xmm7 + leal 208(%esi),%esi + pxor %xmm0,%xmm4 + pxor %xmm1,%xmm5 + pxor %xmm2,%xmm6 + pxor %xmm3,%xmm7 + movdqu %xmm4,-128(%edi) + movdqu %xmm5,-64(%edi) + movdqu %xmm6,(%edi) + movdqu %xmm7,64(%edi) + leal 208(%edi),%edi + subl $256,%ecx + jnc L007outer_loop + addl $256,%ecx + jz L009done + movl 520(%esp),%ebx + leal -128(%esi),%esi + movl 516(%esp),%edx + leal -128(%edi),%edi + movd 64(%ebp),%xmm2 + movdqu (%ebx),%xmm3 + paddd 96(%eax),%xmm2 + pand 112(%eax),%xmm3 + por %xmm2,%xmm3 +L0061x: + movdqa 32(%eax),%xmm0 + movdqu (%edx),%xmm1 + movdqu 16(%edx),%xmm2 + movdqa (%eax),%xmm6 + movdqa 16(%eax),%xmm7 + movl %ebp,48(%esp) + movdqa %xmm0,(%esp) + movdqa %xmm1,16(%esp) + movdqa %xmm2,32(%esp) + movdqa %xmm3,48(%esp) + movl $10,%edx + jmp L010loop1x +.align 4,0x90 +L011outer1x: + movdqa 80(%eax),%xmm3 + movdqa (%esp),%xmm0 + movdqa 16(%esp),%xmm1 + movdqa 32(%esp),%xmm2 + paddd 48(%esp),%xmm3 + movl $10,%edx + movdqa %xmm3,48(%esp) + jmp L010loop1x +.align 4,0x90 +L010loop1x: + paddd %xmm1,%xmm0 + pxor %xmm0,%xmm3 +.byte 102,15,56,0,222 + paddd %xmm3,%xmm2 + pxor %xmm2,%xmm1 + movdqa %xmm1,%xmm4 + psrld $20,%xmm1 + pslld $12,%xmm4 + por %xmm4,%xmm1 + paddd 
%xmm1,%xmm0 + pxor %xmm0,%xmm3 +.byte 102,15,56,0,223 + paddd %xmm3,%xmm2 + pxor %xmm2,%xmm1 + movdqa %xmm1,%xmm4 + psrld $25,%xmm1 + pslld $7,%xmm4 + por %xmm4,%xmm1 + pshufd $78,%xmm2,%xmm2 + pshufd $57,%xmm1,%xmm1 + pshufd $147,%xmm3,%xmm3 + nop + paddd %xmm1,%xmm0 + pxor %xmm0,%xmm3 +.byte 102,15,56,0,222 + paddd %xmm3,%xmm2 + pxor %xmm2,%xmm1 + movdqa %xmm1,%xmm4 + psrld $20,%xmm1 + pslld $12,%xmm4 + por %xmm4,%xmm1 + paddd %xmm1,%xmm0 + pxor %xmm0,%xmm3 +.byte 102,15,56,0,223 + paddd %xmm3,%xmm2 + pxor %xmm2,%xmm1 + movdqa %xmm1,%xmm4 + psrld $25,%xmm1 + pslld $7,%xmm4 + por %xmm4,%xmm1 + pshufd $78,%xmm2,%xmm2 + pshufd $147,%xmm1,%xmm1 + pshufd $57,%xmm3,%xmm3 + decl %edx + jnz L010loop1x + paddd (%esp),%xmm0 + paddd 16(%esp),%xmm1 + paddd 32(%esp),%xmm2 + paddd 48(%esp),%xmm3 + cmpl $64,%ecx + jb L012tail + movdqu (%esi),%xmm4 + movdqu 16(%esi),%xmm5 + pxor %xmm4,%xmm0 + movdqu 32(%esi),%xmm4 + pxor %xmm5,%xmm1 + movdqu 48(%esi),%xmm5 + pxor %xmm4,%xmm2 + pxor %xmm5,%xmm3 + leal 64(%esi),%esi + movdqu %xmm0,(%edi) + movdqu %xmm1,16(%edi) + movdqu %xmm2,32(%edi) + movdqu %xmm3,48(%edi) + leal 64(%edi),%edi + subl $64,%ecx + jnz L011outer1x + jmp L009done +L012tail: + movdqa %xmm0,(%esp) + movdqa %xmm1,16(%esp) + movdqa %xmm2,32(%esp) + movdqa %xmm3,48(%esp) + xorl %eax,%eax + xorl %edx,%edx + xorl %ebp,%ebp +L013tail_loop: + movb (%esp,%ebp,1),%al + movb (%esi,%ebp,1),%dl + leal 1(%ebp),%ebp + xorb %dl,%al + movb %al,-1(%edi,%ebp,1) + decl %ecx + jnz L013tail_loop +L009done: + movl 512(%esp),%esp + popl %edi + popl %esi + popl %ebx + popl %ebp + ret +.align 6,0x90 +Lssse3_data: +.byte 2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13 +.byte 3,0,1,2,7,4,5,6,11,8,9,10,15,12,13,14 +.long 1634760805,857760878,2036477234,1797285236 +.long 0,1,2,3 +.long 4,4,4,4 +.long 1,0,0,0 +.long 4,0,0,0 +.long 0,-1,-1,-1 +.align 6,0x90 +.byte 67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54 +.byte 44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32 +.byte 
60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 +.byte 114,103,62,0 +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha-x86-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86-linux.S similarity index 94% rename from Sources/CNIOBoringSSL/crypto/chacha/chacha-x86-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha-x86-linux.S index b69cb3d57..6a1277ffd 100644 --- a/Sources/CNIOBoringSSL/crypto/chacha/chacha-x86-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -7,29 +6,16 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) .text -.globl ChaCha20_ctr32 -.hidden ChaCha20_ctr32 -.type ChaCha20_ctr32,@function +.globl ChaCha20_ctr32_nohw +.hidden ChaCha20_ctr32_nohw +.type ChaCha20_ctr32_nohw,@function .align 16 -ChaCha20_ctr32: -.L_ChaCha20_ctr32_begin: +ChaCha20_ctr32_nohw: +.L_ChaCha20_ctr32_nohw_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi - xorl %eax,%eax - cmpl 28(%esp),%eax - je .L000no_data - call .Lpic_point -.Lpic_point: - popl %eax - leal OPENSSL_ia32cap_P-.Lpic_point(%eax),%ebp - testl $16777216,(%ebp) - jz .L001x86 - testl $512,4(%ebp) - jz .L001x86 - jmp .Lssse3_shortcut -.L001x86: movl 32(%esp),%esi movl 36(%esp),%edi subl $132,%esp @@ -58,13 +44,13 @@ ChaCha20_ctr32: movl %ebx,116(%esp) movl %ecx,120(%esp) movl %edx,124(%esp) - jmp .L002entry + jmp .L000entry .align 16 -.L003outer_loop: +.L001outer_loop: movl %ebx,156(%esp) movl %eax,152(%esp) movl %ecx,160(%esp) -.L002entry: +.L000entry: movl $1634760805,%eax movl $857760878,4(%esp) movl $2036477234,8(%esp) 
@@ -92,9 +78,9 @@ ChaCha20_ctr32: movl %edi,60(%esp) movl %edx,112(%esp) movl $10,%ebx - jmp .L004loop + jmp .L002loop .align 16 -.L004loop: +.L002loop: addl %ebp,%eax movl %ebx,128(%esp) movl %ebp,%ebx @@ -248,14 +234,14 @@ ChaCha20_ctr32: xorl %esi,%ebp roll $7,%ebp decl %ebx - jnz .L004loop + jnz .L002loop movl 160(%esp),%ebx addl $1634760805,%eax addl 80(%esp),%ebp addl 96(%esp),%ecx addl 100(%esp),%esi cmpl $64,%ebx - jb .L005tail + jb .L003tail movl 156(%esp),%ebx addl 112(%esp),%edx addl 120(%esp),%edi @@ -318,9 +304,9 @@ ChaCha20_ctr32: movl %ebp,(%eax) leal 64(%eax),%eax subl $64,%ecx - jnz .L003outer_loop - jmp .L006done -.L005tail: + jnz .L001outer_loop + jmp .L004done +.L003tail: addl 112(%esp),%edx addl 120(%esp),%edi movl %eax,(%esp) @@ -364,34 +350,35 @@ ChaCha20_ctr32: movl %edi,60(%esp) xorl %eax,%eax xorl %edx,%edx -.L007tail_loop: +.L005tail_loop: movb (%esi,%ebp,1),%al movb (%esp,%esi,1),%dl leal 1(%esi),%esi xorb %dl,%al movb %al,-1(%ecx,%esi,1) decl %ebx - jnz .L007tail_loop -.L006done: + jnz .L005tail_loop +.L004done: addl $132,%esp -.L000no_data: popl %edi popl %esi popl %ebx popl %ebp ret -.size ChaCha20_ctr32,.-.L_ChaCha20_ctr32_begin -.globl ChaCha20_ssse3 -.hidden ChaCha20_ssse3 -.type ChaCha20_ssse3,@function +.size ChaCha20_ctr32_nohw,.-.L_ChaCha20_ctr32_nohw_begin +.globl ChaCha20_ctr32_ssse3 +.hidden ChaCha20_ctr32_ssse3 +.type ChaCha20_ctr32_ssse3,@function .align 16 -ChaCha20_ssse3: -.L_ChaCha20_ssse3_begin: +ChaCha20_ctr32_ssse3: +.L_ChaCha20_ctr32_ssse3_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi -.Lssse3_shortcut: + call .Lpic_point +.Lpic_point: + popl %eax movl 20(%esp),%edi movl 24(%esp),%esi movl 28(%esp),%ecx @@ -404,7 +391,7 @@ ChaCha20_ssse3: leal .Lssse3_data-.Lpic_point(%eax),%eax movdqu (%ebx),%xmm3 cmpl $256,%ecx - jb .L0081x + jb .L0061x movl %edx,516(%esp) movl %ebx,520(%esp) subl $256,%ecx 
@@ -449,9 +436,9 @@ ChaCha20_ssse3: movdqa %xmm7,-80(%ebp) leal 128(%esi),%esi leal 128(%edi),%edi - jmp .L009outer_loop + jmp .L007outer_loop .align 16 -.L009outer_loop: +.L007outer_loop: movdqa -112(%ebp),%xmm1 movdqa -96(%ebp),%xmm2 movdqa -80(%ebp),%xmm3 @@ -486,7 +473,7 @@ ChaCha20_ssse3: movl $10,%edx nop .align 16 -.L010loop: +.L008loop: paddd %xmm3,%xmm0 movdqa %xmm3,%xmm2 pxor %xmm0,%xmm6 @@ -686,7 +673,7 @@ ChaCha20_ssse3: psrld $25,%xmm1 por %xmm1,%xmm3 decl %edx - jnz .L010loop + jnz .L008loop movdqa %xmm3,-64(%ebx) movdqa %xmm4,(%ebx) movdqa %xmm5,16(%ebx) @@ -828,9 +815,9 @@ ChaCha20_ssse3: movdqu %xmm7,64(%edi) leal 208(%edi),%edi subl $256,%ecx - jnc .L009outer_loop + jnc .L007outer_loop addl $256,%ecx - jz .L011done + jz .L009done movl 520(%esp),%ebx leal -128(%esi),%esi movl 516(%esp),%edx @@ -840,7 +827,7 @@ ChaCha20_ssse3: paddd 96(%eax),%xmm2 pand 112(%eax),%xmm3 por %xmm2,%xmm3 -.L0081x: +.L0061x: movdqa 32(%eax),%xmm0 movdqu (%edx),%xmm1 movdqu 16(%edx),%xmm2 @@ -852,9 +839,9 @@ ChaCha20_ssse3: movdqa %xmm2,32(%esp) movdqa %xmm3,48(%esp) movl $10,%edx - jmp .L012loop1x + jmp .L010loop1x .align 16 -.L013outer1x: +.L011outer1x: movdqa 80(%eax),%xmm3 movdqa (%esp),%xmm0 movdqa 16(%esp),%xmm1 @@ -862,9 +849,9 @@ ChaCha20_ssse3: paddd 48(%esp),%xmm3 movl $10,%edx movdqa %xmm3,48(%esp) - jmp .L012loop1x + jmp .L010loop1x .align 16 -.L012loop1x: +.L010loop1x: paddd %xmm1,%xmm0 pxor %xmm0,%xmm3 .byte 102,15,56,0,222 @@ -909,13 +896,13 @@ ChaCha20_ssse3: pshufd $147,%xmm1,%xmm1 pshufd $57,%xmm3,%xmm3 decl %edx - jnz .L012loop1x + jnz .L010loop1x paddd (%esp),%xmm0 paddd 16(%esp),%xmm1 paddd 32(%esp),%xmm2 paddd 48(%esp),%xmm3 cmpl $64,%ecx - jb .L014tail + jb .L012tail movdqu (%esi),%xmm4 movdqu 16(%esi),%xmm5 pxor %xmm4,%xmm0 
@@ -931,9 +918,9 @@ ChaCha20_ssse3: movdqu %xmm3,48(%edi) leal 64(%edi),%edi subl $64,%ecx - jnz .L013outer1x - jmp .L011done -.L014tail: + jnz .L011outer1x + jmp .L009done +.L012tail: movdqa %xmm0,(%esp) movdqa %xmm1,16(%esp) movdqa %xmm2,32(%esp) @@ -941,22 +928,22 @@ ChaCha20_ssse3: xorl %eax,%eax xorl %edx,%edx xorl %ebp,%ebp -.L015tail_loop: +.L013tail_loop: movb (%esp,%ebp,1),%al movb (%esi,%ebp,1),%dl leal 1(%ebp),%ebp xorb %dl,%al movb %al,-1(%edi,%ebp,1) decl %ecx - jnz .L015tail_loop -.L011done: + jnz .L013tail_loop +.L009done: movl 512(%esp),%esp popl %edi popl %esi popl %ebx popl %ebp ret -.size ChaCha20_ssse3,.-.L_ChaCha20_ssse3_begin +.size ChaCha20_ctr32_ssse3,.-.L_ChaCha20_ctr32_ssse3_begin .align 64 .Lssse3_data: .byte 2,3,0,1,6,7,4,5,10,11,8,9,14,15,12,13 @@ -973,7 +960,6 @@ ChaCha20_ssse3: .byte 60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 .byte 114,103,62,0 #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-apple.S similarity index 98% rename from Sources/CNIOBoringSSL/crypto/chacha/chacha-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-apple.S index 1356051c1..15e14ecf9 100644 --- a/Sources/CNIOBoringSSL/crypto/chacha/chacha-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,8 +7,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .text - - .section __DATA,__const .p2align 6 L$zero: 
@@ -41,19 +38,13 @@ L$sixteen: .long 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 .byte 67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text -.globl _ChaCha20_ctr32 -.private_extern _ChaCha20_ctr32 +.globl _ChaCha20_ctr32_nohw +.private_extern _ChaCha20_ctr32_nohw .p2align 6 -_ChaCha20_ctr32: +_ChaCha20_ctr32_nohw: _CET_ENDBR - cmpq $0,%rdx - je L$no_data - movq _OPENSSL_ia32cap_P+4(%rip),%r10 - testl $512,%r10d - jnz L$ChaCha20_ssse3 - pushq %rbx pushq %rbp @@ -325,17 +316,15 @@ L$no_data: ret +.globl _ChaCha20_ctr32_ssse3 +.private_extern _ChaCha20_ctr32_ssse3 .p2align 5 -ChaCha20_ssse3: -L$ChaCha20_ssse3: +_ChaCha20_ctr32_ssse3: +_CET_ENDBR movq %rsp,%r9 - cmpq $128,%rdx - ja L$ChaCha20_4x - -L$do_sse3_after_all: subq $64+8,%rsp movdqa L$sigma(%rip),%xmm0 movdqu (%rcx),%xmm1 @@ -462,25 +451,15 @@ L$ssse3_epilogue: ret +.globl _ChaCha20_ctr32_ssse3_4x +.private_extern _ChaCha20_ctr32_ssse3_4x .p2align 5 -ChaCha20_4x: -L$ChaCha20_4x: +_ChaCha20_ctr32_ssse3_4x: +_CET_ENDBR movq %rsp,%r9 - movq %r10,%r11 - shrq $32,%r10 - testq $32,%r10 - jnz L$ChaCha20_8x - cmpq $192,%rdx - ja L$proceed4x - - andq $71303168,%r11 - cmpq $4194304,%r11 - je L$do_sse3_after_all - -L$proceed4x: subq $0x140+8,%rsp movdqa L$sigma(%rip),%xmm11 movdqu (%rcx),%xmm15 @@ -1014,11 +993,13 @@ L$4x_epilogue: ret +.globl _ChaCha20_ctr32_avx2 +.private_extern _ChaCha20_ctr32_avx2 .p2align 5 -ChaCha20_8x: -L$ChaCha20_8x: +_ChaCha20_ctr32_avx2: +_CET_ENDBR movq %rsp,%r9 subq $0x280+8,%rsp @@ -1621,7 +1602,6 @@ L$8x_epilogue: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/chacha/chacha-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-linux.S similarity index 97% rename from Sources/CNIOBoringSSL/crypto/chacha/chacha-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-linux.S index 48dbab327..46bf3fe6b 100644 --- a/Sources/CNIOBoringSSL/crypto/chacha/chacha-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -8,9 +7,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P - .section .rodata .align 64 .Lzero: @@ -42,19 +38,13 @@ .long 16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16 .byte 67,104,97,67,104,97,50,48,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .text -.globl ChaCha20_ctr32 -.hidden ChaCha20_ctr32 -.type ChaCha20_ctr32,@function +.globl ChaCha20_ctr32_nohw +.hidden ChaCha20_ctr32_nohw +.type ChaCha20_ctr32_nohw,@function .align 64 -ChaCha20_ctr32: +ChaCha20_ctr32_nohw: .cfi_startproc _CET_ENDBR - cmpq $0,%rdx - je .Lno_data - movq OPENSSL_ia32cap_P+4(%rip),%r10 - testl $512,%r10d - jnz .LChaCha20_ssse3 - pushq %rbx .cfi_adjust_cfa_offset 8 .cfi_offset rbx,-16 
@@ -331,18 +321,16 @@ _CET_ENDBR .Lno_data: ret .cfi_endproc -.size ChaCha20_ctr32,.-ChaCha20_ctr32 -.type ChaCha20_ssse3,@function +.size ChaCha20_ctr32_nohw,.-ChaCha20_ctr32_nohw +.globl ChaCha20_ctr32_ssse3 +.hidden ChaCha20_ctr32_ssse3 +.type ChaCha20_ctr32_ssse3,@function .align 32 -ChaCha20_ssse3: -.LChaCha20_ssse3: +ChaCha20_ctr32_ssse3: .cfi_startproc +_CET_ENDBR movq %rsp,%r9 .cfi_def_cfa_register r9 - cmpq $128,%rdx - ja .LChaCha20_4x - -.Ldo_sse3_after_all: subq $64+8,%rsp movdqa .Lsigma(%rip),%xmm0 movdqu (%rcx),%xmm1 @@ -468,26 +456,16 @@ ChaCha20_ssse3: .Lssse3_epilogue: ret .cfi_endproc -.size ChaCha20_ssse3,.-ChaCha20_ssse3 -.type ChaCha20_4x,@function +.size ChaCha20_ctr32_ssse3,.-ChaCha20_ctr32_ssse3 +.globl ChaCha20_ctr32_ssse3_4x +.hidden ChaCha20_ctr32_ssse3_4x +.type ChaCha20_ctr32_ssse3_4x,@function .align 32 -ChaCha20_4x: -.LChaCha20_4x: +ChaCha20_ctr32_ssse3_4x: .cfi_startproc +_CET_ENDBR movq %rsp,%r9 .cfi_def_cfa_register r9 - movq %r10,%r11 - shrq $32,%r10 - testq $32,%r10 - jnz .LChaCha20_8x - cmpq $192,%rdx - ja .Lproceed4x - - andq $71303168,%r11 - cmpq $4194304,%r11 - je .Ldo_sse3_after_all - -.Lproceed4x: subq $0x140+8,%rsp movdqa .Lsigma(%rip),%xmm11 movdqu (%rcx),%xmm15 @@ -1020,12 +998,14 @@ ChaCha20_4x: .L4x_epilogue: ret .cfi_endproc -.size ChaCha20_4x,.-ChaCha20_4x -.type ChaCha20_8x,@function +.size ChaCha20_ctr32_ssse3_4x,.-ChaCha20_ctr32_ssse3_4x +.globl ChaCha20_ctr32_avx2 +.hidden ChaCha20_ctr32_avx2 +.type ChaCha20_ctr32_avx2,@function .align 32 -ChaCha20_8x: -.LChaCha20_8x: +ChaCha20_ctr32_avx2: .cfi_startproc +_CET_ENDBR movq %rsp,%r9 .cfi_def_cfa_register r9 subq $0x280+8,%rsp @@ -1626,9 +1606,8 @@ ChaCha20_8x: .L8x_epilogue: ret .cfi_endproc -.size ChaCha20_8x,.-ChaCha20_8x +.size ChaCha20_ctr32_avx2,.-ChaCha20_ctr32_avx2 #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-apple.S index b0315e4e4..c2aab5578 100644 --- a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-ios.ios.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -3009,7 +3008,6 @@ Lopen_128_hash_64: .cfi_endproc #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) -#endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-linux.S index 6f3b9dcf3..750a9d514 100644 --- a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8-linux.linux.aarch64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__aarch64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. 
@@ -3009,7 +3008,6 @@ chacha20_poly1305_open: .cfi_endproc .size chacha20_poly1305_open,.-chacha20_poly1305_open #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) -#endif // defined(__aarch64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-win.S b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-win.S new file mode 100644 index 000000000..3e17f67c3 --- /dev/null +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_armv8-win.S 
@@ -0,0 +1,3020 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) +#include +.section .rodata + +.align 7 +Lchacha20_consts: +.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' +Linc: +.long 1,2,3,4 +Lrol8: +.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14 +Lclamp: +.quad 0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC + +.text + +.def Lpoly_hash_ad_internal + .type 32 +.endef +.align 6 +Lpoly_hash_ad_internal: +.cfi_startproc + cbnz x4, Lpoly_hash_intro + ret + +Lpoly_hash_intro: + cmp x4, #16 + b.lt Lpoly_hash_ad_tail + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #16 + b Lpoly_hash_ad_internal + +Lpoly_hash_ad_tail: + cbz x4, Lpoly_hash_ad_ret + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the AAD + sub x4, x4, #1 + +Lpoly_hash_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, x4] + mov v20.b[0], w11 + subs x4, x4, #1 + b.ge Lpoly_hash_tail_16_compose + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, 
x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +Lpoly_hash_ad_ret: + ret +.cfi_endproc + + +///////////////////////////////// +// +// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data); +// +.globl chacha20_poly1305_seal + +.def chacha20_poly1305_seal + .type 32 +.endef +.align 6 +chacha20_poly1305_seal: + AARCH64_SIGN_LINK_REGISTER +.cfi_startproc + stp x29, x30, [sp, #-80]! +.cfi_def_cfa_offset 80 +.cfi_offset w30, -72 +.cfi_offset w29, -80 + mov x29, sp + // We probably could do .cfi_def_cfa w29, 80 at this point, but since + // we don't actually use the frame pointer like that, it's probably not + // worth bothering. 
+ stp d8, d9, [sp, #16] + stp d10, d11, [sp, #32] + stp d12, d13, [sp, #48] + stp d14, d15, [sp, #64] +.cfi_offset b15, -8 +.cfi_offset b14, -16 +.cfi_offset b13, -24 +.cfi_offset b12, -32 +.cfi_offset b11, -40 +.cfi_offset b10, -48 +.cfi_offset b9, -56 +.cfi_offset b8, -64 + + adrp x11, Lchacha20_consts + add x11, x11, :lo12:Lchacha20_consts + + ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values + ld1 {v28.16b - v30.16b}, [x5] + + mov x15, #1 // Prepare the Poly1305 state + mov x8, #0 + mov x9, #0 + mov x10, #0 + + ldr x12, [x5, #56] // The total cipher text length includes extra_in_len + add x12, x12, x2 + mov v31.d[0], x4 // Store the input and aad lengths + mov v31.d[1], x12 + + cmp x2, #128 + b.le Lseal_128 // Optimization for smaller buffers + + // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext, + // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically, + // the fifth block (A4-D4) horizontally. 
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + sub x5, x5, #32 + + mov x6, #10 + +.align 5 +Lseal_init_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor 
v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + 
+ eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x6, x6, #1 + b.hi Lseal_init_rounds + + add v15.4s, v15.4s, v25.4s + mov x11, #4 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + and v4.16b, v4.16b, v27.16b + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add 
v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + mov x16, v4.d[0] // Move the R key to GPRs + mov x17, v4.d[1] + mov v27.16b, v9.16b // Store the S key + + bl Lpoly_hash_ad_internal + + mov x3, x0 + cmp x2, #256 + b.le Lseal_tail + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #256 + + mov x6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds + mov x7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256 + +Lseal_main_loop: + adrp x11, Lchacha20_consts + add x11, x11, :lo12:Lchacha20_consts + + ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + sub x5, x5, #32 +.align 5 
+Lseal_main_loop_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v9.16b, 
v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add 
v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x6, x6, #1 + b.ge Lseal_main_loop_rounds + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + subs x7, x7, #1 + b.gt Lseal_main_loop_rounds + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, 
v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + add v15.4s, v15.4s, v25.4s + mov x11, #5 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + add v14.4s, v14.4s, v29.4s + add v19.4s, v19.4s, v30.4s + + cmp x2, #320 + b.le Lseal_tail + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - v23.16b}, [x0], 
#64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v4.16b + eor v21.16b, v21.16b, v9.16b + eor v22.16b, v22.16b, v14.16b + eor v23.16b, v23.16b, v19.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #320 + + mov x6, #0 + mov x7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration + + b Lseal_main_loop + +Lseal_tail: + // This part of the function handles the storage and authentication of the last [0,320) bytes + // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data. 
+ cmp x2, #64 + b.lt Lseal_tail_64 + + // Store and authenticate 64B blocks per iteration + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v22.d[0] + mov x12, 
v22.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v23.d[0] + mov x12, v23.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + st1 {v20.16b - v23.16b}, [x0], #64 + sub x2, x2, #64 + + // Shift the state left by 64 bytes for the next iteration of the loop + mov v0.16b, v1.16b + mov v5.16b, v6.16b + mov v10.16b, v11.16b + mov v15.16b, v16.16b + + mov v1.16b, v2.16b + mov v6.16b, v7.16b + mov v11.16b, v12.16b + mov v16.16b, v17.16b + + mov 
v2.16b, v3.16b + mov v7.16b, v8.16b + mov v12.16b, v13.16b + mov v17.16b, v18.16b + + mov v3.16b, v4.16b + mov v8.16b, v9.16b + mov v13.16b, v14.16b + mov v18.16b, v19.16b + + b Lseal_tail + +Lseal_tail_64: + ldp x3, x4, [x5, #48] // extra_in_len and extra_in_ptr + + // Here we handle the last [0,64) bytes of plaintext + cmp x2, #16 + b.lt Lseal_tail_16 + // Each iteration encrypt and authenticate a 16B block + ld1 {v20.16b}, [x1], #16 + eor v20.16b, v20.16b, v0.16b + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + st1 {v20.16b}, [x0], #16 + + sub x2, x2, #16 + + // Shift the state left by 16 bytes for the next iteration of the loop + mov v0.16b, v5.16b + mov v5.16b, v10.16b + mov v10.16b, v15.16b + + b Lseal_tail_64 + +Lseal_tail_16: + // Here we handle the last [0,16) bytes of ciphertext that require a padded block + cbz x2, Lseal_hash_extra + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in + eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes + not v22.16b, v20.16b + + mov x6, x2 + add x1, x1, x2 + + cbz x4, Lseal_tail_16_compose // No extra data to pad with, zero padding + + mov x7, #16 // We 
need to load some extra_in first for padding + sub x7, x7, x2 + cmp x4, x7 + csel x7, x4, x7, lt // Load the minimum of extra_in_len and the amount needed to fill the register + mov x12, x7 + add x3, x3, x7 + sub x4, x4, x7 + +Lseal_tail16_compose_extra_in: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, #-1]! + mov v20.b[0], w11 + subs x7, x7, #1 + b.gt Lseal_tail16_compose_extra_in + + add x3, x3, x12 + +Lseal_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x1, #-1]! + mov v20.b[0], w11 + ext v21.16b, v22.16b, v21.16b, #15 + subs x2, x2, #1 + b.gt Lseal_tail_16_compose + + and v0.16b, v0.16b, v21.16b + eor v20.16b, v20.16b, v0.16b + mov v21.16b, v20.16b + +Lseal_tail_16_store: + umov w11, v20.b[0] + strb w11, [x0], #1 + ext v20.16b, v20.16b, v20.16b, #1 + subs x6, x6, #1 + b.gt Lseal_tail_16_store + + // Hash in the final ct block concatenated with extra_in + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +Lseal_hash_extra: + cbz x4, Lseal_finalize + +Lseal_hash_extra_loop: + cmp x4, #16 + b.lt Lseal_hash_extra_tail + ld1 {v20.16b}, [x3], #16 + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul 
x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #16 + b Lseal_hash_extra_loop + +Lseal_hash_extra_tail: + cbz x4, Lseal_finalize + eor v20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext + add x3, x3, x4 + +Lseal_hash_extra_load: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, #-1]! 
+ mov v20.b[0], w11 + subs x4, x4, #1 + b.gt Lseal_hash_extra_load + + // Hash in the final padded extra_in blcok + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +Lseal_finalize: + mov x11, v31.d[0] + mov x12, v31.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + // Final reduction step + sub x12, xzr, x15 + orr x13, xzr, #3 + subs x11, x8, #-5 + sbcs x12, x9, x12 + sbcs x13, x10, x13 + csel x8, x11, x8, cs + 
csel x9, x12, x9, cs + csel x10, x13, x10, cs + mov x11, v27.d[0] + mov x12, v27.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + + stp x8, x9, [x5] + + ldp d8, d9, [sp, #16] + ldp d10, d11, [sp, #32] + ldp d12, d13, [sp, #48] + ldp d14, d15, [sp, #64] +.cfi_restore b15 +.cfi_restore b14 +.cfi_restore b13 +.cfi_restore b12 +.cfi_restore b11 +.cfi_restore b10 +.cfi_restore b9 +.cfi_restore b8 + ldp x29, x30, [sp], 80 +.cfi_restore w29 +.cfi_restore w30 +.cfi_def_cfa_offset 0 + AARCH64_VALIDATE_LINK_REGISTER + ret + +Lseal_128: + // On some architectures preparing 5 blocks for small buffers is wasteful + eor v25.16b, v25.16b, v25.16b + mov x11, #1 + mov v25.s[0], w11 + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v17.16b, v30.16b + add v15.4s, v17.4s, v25.4s + add v16.4s, v15.4s, v25.4s + + mov x6, #10 + +Lseal_128_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, 
v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, 
#4 + subs x6, x6, #1 + b.hi Lseal_128_rounds + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + + // Only the first 32 bytes of the third block (counter = 0) are needed, + // so skip updating v12 and v17. + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + + add v30.4s, v30.4s, v25.4s + add v15.4s, v15.4s, v30.4s + add v30.4s, v30.4s, v25.4s + add v16.4s, v16.4s, v30.4s + + and v2.16b, v2.16b, v27.16b + mov x16, v2.d[0] // Move the R key to GPRs + mov x17, v2.d[1] + mov v27.16b, v7.16b // Store the S key + + bl Lpoly_hash_ad_internal + b Lseal_tail +.cfi_endproc + + +///////////////////////////////// +// +// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data); +// +.globl chacha20_poly1305_open + +.def chacha20_poly1305_open + .type 32 +.endef +.align 6 +chacha20_poly1305_open: + AARCH64_SIGN_LINK_REGISTER +.cfi_startproc + stp x29, x30, [sp, #-80]! +.cfi_def_cfa_offset 80 +.cfi_offset w30, -72 +.cfi_offset w29, -80 + mov x29, sp + // We probably could do .cfi_def_cfa w29, 80 at this point, but since + // we don't actually use the frame pointer like that, it's probably not + // worth bothering. 
+ stp d8, d9, [sp, #16] + stp d10, d11, [sp, #32] + stp d12, d13, [sp, #48] + stp d14, d15, [sp, #64] +.cfi_offset b15, -8 +.cfi_offset b14, -16 +.cfi_offset b13, -24 +.cfi_offset b12, -32 +.cfi_offset b11, -40 +.cfi_offset b10, -48 +.cfi_offset b9, -56 +.cfi_offset b8, -64 + + adrp x11, Lchacha20_consts + add x11, x11, :lo12:Lchacha20_consts + + ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values + ld1 {v28.16b - v30.16b}, [x5] + + mov x15, #1 // Prepare the Poly1305 state + mov x8, #0 + mov x9, #0 + mov x10, #0 + + mov v31.d[0], x4 // Store the input and aad lengths + mov v31.d[1], x2 + + cmp x2, #128 + b.le Lopen_128 // Optimization for smaller buffers + + // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys + mov v0.16b, v24.16b + mov v5.16b, v28.16b + mov v10.16b, v29.16b + mov v15.16b, v30.16b + + mov x6, #10 + +.align 5 +Lopen_init_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + subs x6, x6, #1 + b.hi Lopen_init_rounds + + add v0.4s, v0.4s, v24.4s + add 
v5.4s, v5.4s, v28.4s + + and v0.16b, v0.16b, v27.16b + mov x16, v0.d[0] // Move the R key to GPRs + mov x17, v0.d[1] + mov v27.16b, v5.16b // Store the S key + + bl Lpoly_hash_ad_internal + +Lopen_ad_done: + mov x3, x1 + +// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes +Lopen_main_loop: + + cmp x2, #192 + b.lt Lopen_tail + + adrp x11, Lchacha20_consts + add x11, x11, :lo12:Lchacha20_consts + + ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + sub x5, x5, #32 + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + lsr x4, x2, #4 // How many whole blocks we have to hash, will always be at least 12 + sub x4, x4, #10 + + mov x7, #10 + subs x6, x7, x4 + subs x6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash + csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full + + cbz x7, Lopen_main_loop_rounds_short + +.align 5 +Lopen_main_loop_rounds: + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + 
lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most +Lopen_main_loop_rounds_short: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, #7 + ushr 
v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr 
v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x7, x7, #1 + b.gt Lopen_main_loop_rounds + subs x6, x6, #1 + b.ge Lopen_main_loop_rounds_short + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + add v15.4s, v15.4s, v25.4s + mov x11, #5 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 v6.2d, 
v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + add v14.4s, v14.4s, v29.4s + add v19.4s, v19.4s, v30.4s + + // We can always safely store 192 bytes + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #192 + + mov v0.16b, v3.16b + mov v5.16b, v8.16b + mov v10.16b, v13.16b + mov v15.16b, v18.16b + + cmp x2, #64 + b.lt Lopen_tail_64_store + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, 
v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + + mov v0.16b, v4.16b + mov v5.16b, v9.16b + mov v10.16b, v14.16b + mov v15.16b, v19.16b + + cmp x2, #64 + b.lt Lopen_tail_64_store + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v4.16b + eor v21.16b, v21.16b, v9.16b + eor v22.16b, v22.16b, v14.16b + eor v23.16b, v23.16b, v19.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + b Lopen_main_loop + +Lopen_tail: + + cbz x2, Lopen_finalize + + lsr x4, x2, #4 // How many whole blocks we have to hash + + cmp x2, #64 + b.le Lopen_tail_64 + cmp x2, #128 + b.le Lopen_tail_128 + +Lopen_tail_192: + // We need three more blocks + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v15.16b, v30.16b + mov v16.16b, v30.16b + mov v17.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + eor v21.16b, v21.16b, v21.16b + ins v23.s[0], v25.s[0] + ins v21.d[0], x15 + + add v22.4s, v23.4s, v21.4s + add v21.4s, v22.4s, v21.4s + + add v15.4s, v15.4s, v21.4s + add v16.4s, v16.4s, v23.4s + add v17.4s, v17.4s, v22.4s + + mov x7, #10 + subs x6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash + csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing + sub x4, x4, x7 + + cbz x7, Lopen_tail_192_rounds_no_hash + +Lopen_tail_192_rounds: + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, 
x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most +Lopen_tail_192_rounds_no_hash: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + 
add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, #4 + subs x7, x7, #1 + b.gt Lopen_tail_192_rounds + subs x6, x6, #1 + b.ge Lopen_tail_192_rounds_no_hash + + // We hashed 160 bytes at most, may still have 32 bytes left +Lopen_tail_192_hash: + cbz x4, Lopen_tail_192_hash_done + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh 
x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #1 + b Lopen_tail_192_hash + +Lopen_tail_192_hash_done: + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + add v12.4s, v12.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v16.4s, v16.4s, v30.4s + add v17.4s, v17.4s, v30.4s + + add v15.4s, v15.4s, v21.4s + add v16.4s, v16.4s, v23.4s + add v17.4s, v17.4s, v22.4s + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #128 + b Lopen_tail_64_store + +Lopen_tail_128: + // We need two more blocks + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v15.16b, v30.16b + mov v16.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + eor v22.16b, v22.16b, v22.16b + ins v23.s[0], v25.s[0] + ins v22.d[0], x15 + add v22.4s, v22.4s, v23.4s + + add v15.4s, v15.4s, v22.4s + add v16.4s, v16.4s, v23.4s + + mov x6, #10 + sub x6, x6, x4 + +Lopen_tail_128_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, 
v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v1.4s, v1.4s, v6.4s + eor v16.16b, v16.16b, v1.16b + rev32 v16.8h, v16.8h + + add v11.4s, v11.4s, v16.4s + eor v6.16b, v6.16b, v11.16b + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + add v1.4s, v1.4s, v20.4s + eor v16.16b, v16.16b, v1.16b + tbl v16.16b, {v16.16b}, v26.16b + + add v11.4s, v11.4s, v16.4s + eor v20.16b, v20.16b, v11.16b + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + ext v6.16b, v6.16b, v6.16b, #4 + ext v11.16b, v11.16b, v11.16b, #8 + ext v16.16b, v16.16b, v16.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + add v1.4s, v1.4s, v6.4s + eor v16.16b, v16.16b, v1.16b + rev32 v16.8h, v16.8h + + add v11.4s, v11.4s, v16.4s + eor v6.16b, v6.16b, v11.16b + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + add v1.4s, v1.4s, v20.4s + eor v16.16b, v16.16b, v1.16b + tbl v16.16b, {v16.16b}, v26.16b + + add v11.4s, v11.4s, v16.4s + eor v20.16b, v20.16b, v11.16b + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + ext v6.16b, v6.16b, v6.16b, #12 + ext v11.16b, v11.16b, v11.16b, #8 + ext v16.16b, v16.16b, v16.16b, #4 + subs x6, x6, #1 + b.gt 
Lopen_tail_128_rounds + cbz x4, Lopen_tail_128_rounds_done + subs x4, x4, #1 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + b Lopen_tail_128_rounds + +Lopen_tail_128_rounds_done: + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v16.4s, v16.4s, v30.4s + add v15.4s, v15.4s, v22.4s + add v16.4s, v16.4s, v23.4s + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + sub x2, x2, #64 + + b Lopen_tail_64_store + +Lopen_tail_64: + // We just need a single block + mov v0.16b, v24.16b + mov v5.16b, v28.16b + mov v10.16b, v29.16b + mov v15.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + ins v23.s[0], v25.s[0] + add v15.4s, v15.4s, v23.4s + + mov x6, #10 + sub x6, x6, x4 + +Lopen_tail_64_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, 
v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + subs x6, x6, #1 + b.gt Lopen_tail_64_rounds + cbz x4, Lopen_tail_64_rounds_done + subs x4, x4, #1 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + b Lopen_tail_64_rounds + +Lopen_tail_64_rounds_done: + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v15.4s, v15.4s, v23.4s + +Lopen_tail_64_store: + cmp x2, #16 + b.lt Lopen_tail_16 + 
+ ld1 {v20.16b}, [x1], #16 + eor v20.16b, v20.16b, v0.16b + st1 {v20.16b}, [x0], #16 + mov v0.16b, v5.16b + mov v5.16b, v10.16b + mov v10.16b, v15.16b + sub x2, x2, #16 + b Lopen_tail_64_store + +Lopen_tail_16: + // Here we handle the last [0,16) bytes that require a padded block + cbz x2, Lopen_finalize + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext + eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask + not v22.16b, v20.16b + + add x7, x1, x2 + mov x6, x2 + +Lopen_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x7, #-1]! + mov v20.b[0], w11 + ext v21.16b, v22.16b, v21.16b, #15 + subs x2, x2, #1 + b.gt Lopen_tail_16_compose + + and v20.16b, v20.16b, v21.16b + // Hash in the final padded block + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + eor v20.16b, v20.16b, v0.16b + +Lopen_tail_16_store: + umov w11, v20.b[0] + strb w11, [x0], #1 + ext v20.16b, v20.16b, v20.16b, #1 + subs x6, x6, #1 + b.gt Lopen_tail_16_store + +Lopen_finalize: + mov x11, v31.d[0] + mov x12, v31.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, 
x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + // Final reduction step + sub x12, xzr, x15 + orr x13, xzr, #3 + subs x11, x8, #-5 + sbcs x12, x9, x12 + sbcs x13, x10, x13 + csel x8, x11, x8, cs + csel x9, x12, x9, cs + csel x10, x13, x10, cs + mov x11, v27.d[0] + mov x12, v27.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + + stp x8, x9, [x5] + + ldp d8, d9, [sp, #16] + ldp d10, d11, [sp, #32] + ldp d12, d13, [sp, #48] + ldp d14, d15, [sp, #64] +.cfi_restore b15 +.cfi_restore b14 +.cfi_restore b13 +.cfi_restore b12 +.cfi_restore b11 +.cfi_restore b10 +.cfi_restore b9 +.cfi_restore b8 + ldp x29, x30, [sp], 80 +.cfi_restore w29 +.cfi_restore w30 +.cfi_def_cfa_offset 0 + AARCH64_VALIDATE_LINK_REGISTER + ret + +Lopen_128: + // On some architectures preparing 5 blocks for small buffers is wasteful + eor v25.16b, v25.16b, v25.16b + mov x11, #1 + mov v25.s[0], w11 + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v17.16b, v30.16b + add v15.4s, v17.4s, v25.4s + add v16.4s, v15.4s, v25.4s + + mov x6, #10 + +Lopen_128_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + 
rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, 
v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, #4 + subs x6, x6, #1 + b.hi Lopen_128_rounds + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + + add v30.4s, v30.4s, v25.4s + add v15.4s, v15.4s, v30.4s + add v30.4s, v30.4s, v25.4s + add v16.4s, v16.4s, v30.4s + + and v2.16b, v2.16b, v27.16b + mov x16, v2.d[0] // Move the R key to GPRs + mov x17, v2.d[1] + mov v27.16b, v7.16b // Store the S key + + bl Lpoly_hash_ad_internal + +Lopen_128_store: + cmp x2, #64 + b.lt Lopen_128_store_64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + 
and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v22.d[0] + mov x12, v22.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // 
At this point acc2 has the value of 4 at most + mov x11, v23.d[0] + mov x12, v23.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + + mov v0.16b, v1.16b + mov v5.16b, v6.16b + mov v10.16b, v11.16b + mov v15.16b, v16.16b + +Lopen_128_store_64: + + lsr x4, x2, #4 + mov x3, x1 + +Lopen_128_hash_64: + cbz x4, Lopen_tail_64_store + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 
bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #1 + b Lopen_128_hash_64 +.cfi_endproc + +#endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-apple.S index a872fc020..245e541a8 100644 --- a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-apple.S @@ -1,18 +1,13 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. #include #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) -.text - - -chacha20_poly1305_constants: - .section __DATA,__const .p2align 6 +chacha20_poly1305_constants: L$chacha20_consts: .byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' .byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' @@ -218,11 +213,11 @@ L$hash_ad_done: -.globl _chacha20_poly1305_open -.private_extern _chacha20_poly1305_open +.globl _chacha20_poly1305_open_nohw +.private_extern _chacha20_poly1305_open_nohw .p2align 6 -_chacha20_poly1305_open: +_chacha20_poly1305_open_nohw: _CET_ENDBR pushq %rbp @@ -251,11 +246,6 @@ _CET_ENDBR movq %r8,0+0+32(%rbp) movq %rbx,8+0+32(%rbp) - movl _OPENSSL_ia32cap_P+8(%rip),%eax - andl $288,%eax - xorl $288,%eax - jz chacha20_poly1305_open_avx2 - cmpq $128,%rbx jbe L$open_sse_128 
@@ -2090,11 +2080,11 @@ L$open_sse_128_xor_hash: -.globl _chacha20_poly1305_seal -.private_extern _chacha20_poly1305_seal +.globl _chacha20_poly1305_seal_nohw +.private_extern _chacha20_poly1305_seal_nohw .p2align 6 -_chacha20_poly1305_seal: +_chacha20_poly1305_seal_nohw: _CET_ENDBR pushq %rbp @@ -2124,11 +2114,6 @@ _CET_ENDBR movq %rbx,8+0+32(%rbp) movq %rdx,%rbx - movl _OPENSSL_ia32cap_P+8(%rip),%eax - andl $288,%eax - xorl $288,%eax - jz chacha20_poly1305_seal_avx2 - cmpq $128,%rbx jbe L$seal_sse_128 @@ -4077,20 +4062,38 @@ L$seal_sse_128_rounds: +.globl _chacha20_poly1305_open_avx2 +.private_extern _chacha20_poly1305_open_avx2 .p2align 6 -chacha20_poly1305_open_avx2: +_chacha20_poly1305_open_avx2: +_CET_ENDBR + pushq %rbp + pushq %rbx + pushq %r12 + pushq %r13 + pushq %r14 + + pushq %r15 + pushq %r9 + subq $288 + 0 + 32,%rsp + leaq 32(%rsp),%rbp + andq $-32,%rbp + + movq %rdx,%rbx + movq %r8,0+0+32(%rbp) + movq %rbx,8+0+32(%rbp) vzeroupper vmovdqa L$chacha20_consts(%rip),%ymm0 @@ -6225,20 +6228,39 @@ L$open_avx2_320_rounds: +.globl _chacha20_poly1305_seal_avx2 +.private_extern _chacha20_poly1305_seal_avx2 .p2align 6 -chacha20_poly1305_seal_avx2: +_chacha20_poly1305_seal_avx2: + +_CET_ENDBR + pushq %rbp + pushq %rbx + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushq %r9 + subq $288 + 0 + 32,%rsp + leaq 32(%rsp),%rbp + andq $-32,%rbp + movq 56(%r9),%rbx + addq %rdx,%rbx + movq %r8,0+0+32(%rbp) + movq %rbx,8+0+32(%rbp) + movq %rdx,%rbx vzeroupper vmovdqa L$chacha20_consts(%rip),%ymm0 @@ -8875,7 +8897,6 @@ L$seal_avx2_exit: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-linux.S index bb8b2f4cc..4bc59f76c 100644 --- a/Sources/CNIOBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/chacha20_poly1305_x86_64-linux.S @@ -1,19 +1,13 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. #include #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) -.text -.extern OPENSSL_ia32cap_P -.hidden OPENSSL_ia32cap_P - -chacha20_poly1305_constants: - .section .rodata .align 64 +chacha20_poly1305_constants: .Lchacha20_consts: .byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' .byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' @@ -219,11 +213,11 @@ poly_hash_ad_internal: .cfi_endproc .size poly_hash_ad_internal, .-poly_hash_ad_internal -.globl chacha20_poly1305_open -.hidden chacha20_poly1305_open -.type chacha20_poly1305_open,@function +.globl chacha20_poly1305_open_nohw +.hidden chacha20_poly1305_open_nohw +.type chacha20_poly1305_open_nohw,@function .align 64 -chacha20_poly1305_open: +chacha20_poly1305_open_nohw: .cfi_startproc _CET_ENDBR pushq %rbp @@ -259,11 +253,6 @@ _CET_ENDBR movq %r8,0+0+32(%rbp) movq %rbx,8+0+32(%rbp) - movl OPENSSL_ia32cap_P+8(%rip),%eax - andl $288,%eax - xorl $288,%eax - jz chacha20_poly1305_open_avx2 - cmpq $128,%rbx jbe .Lopen_sse_128 
@@ -2096,7 +2085,7 @@ _CET_ENDBR movdqa %xmm10,%xmm6 movdqa %xmm14,%xmm10 jmp .Lopen_sse_128_xor_hash -.size chacha20_poly1305_open, .-chacha20_poly1305_open +.size chacha20_poly1305_open_nohw, .-chacha20_poly1305_open_nohw .cfi_endproc @@ -2105,11 +2094,11 @@ _CET_ENDBR -.globl chacha20_poly1305_seal -.hidden chacha20_poly1305_seal -.type chacha20_poly1305_seal,@function +.globl chacha20_poly1305_seal_nohw +.hidden chacha20_poly1305_seal_nohw +.type chacha20_poly1305_seal_nohw,@function .align 64 -chacha20_poly1305_seal: +chacha20_poly1305_seal_nohw: .cfi_startproc _CET_ENDBR pushq %rbp @@ -2146,11 +2135,6 @@ _CET_ENDBR movq %rbx,8+0+32(%rbp) movq %rdx,%rbx - movl OPENSSL_ia32cap_P+8(%rip),%eax - andl $288,%eax - xorl $288,%eax - jz chacha20_poly1305_seal_avx2 - cmpq $128,%rbx jbe .Lseal_sse_128 @@ -4102,32 +4086,50 @@ process_extra_in_trailer: movq %r8,%r8 call poly_hash_ad_internal jmp .Lseal_sse_128_tail_xor -.size chacha20_poly1305_seal, .-chacha20_poly1305_seal +.size chacha20_poly1305_seal_nohw, .-chacha20_poly1305_seal_nohw .cfi_endproc +.globl chacha20_poly1305_open_avx2 +.hidden chacha20_poly1305_open_avx2 .type chacha20_poly1305_open_avx2,@function .align 64 chacha20_poly1305_open_avx2: .cfi_startproc - - +_CET_ENDBR + pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 + pushq %rbx .cfi_adjust_cfa_offset 8 .cfi_offset %rbx,-24 + pushq %r12 .cfi_adjust_cfa_offset 8 .cfi_offset %r12,-32 + pushq %r13 .cfi_adjust_cfa_offset 8 .cfi_offset %r13,-40 + pushq %r14 .cfi_adjust_cfa_offset 8 .cfi_offset %r14,-48 + pushq %r15 .cfi_adjust_cfa_offset 8 .cfi_offset %r15,-56 + + + pushq %r9 .cfi_adjust_cfa_offset 8 .cfi_offset %r9,-64 + subq $288 + 0 + 32,%rsp .cfi_adjust_cfa_offset 288 + 32 + leaq 32(%rsp),%rbp + andq $-32,%rbp + + movq %rdx,%rbx + movq %r8,0+0+32(%rbp) + movq %rbx,8+0+32(%rbp) + vzeroupper vmovdqa .Lchacha20_consts(%rip),%ymm0 vbroadcasti128 0(%r9),%ymm4 
@@ -6261,27 +6263,46 @@ chacha20_poly1305_open_avx2: .cfi_endproc +.globl chacha20_poly1305_seal_avx2 +.hidden chacha20_poly1305_seal_avx2 .type chacha20_poly1305_seal_avx2,@function .align 64 chacha20_poly1305_seal_avx2: .cfi_startproc - - +_CET_ENDBR + pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset %rbp,-16 + pushq %rbx .cfi_adjust_cfa_offset 8 .cfi_offset %rbx,-24 + pushq %r12 .cfi_adjust_cfa_offset 8 .cfi_offset %r12,-32 + pushq %r13 .cfi_adjust_cfa_offset 8 .cfi_offset %r13,-40 + pushq %r14 .cfi_adjust_cfa_offset 8 .cfi_offset %r14,-48 + pushq %r15 .cfi_adjust_cfa_offset 8 .cfi_offset %r15,-56 + + + pushq %r9 .cfi_adjust_cfa_offset 8 .cfi_offset %r9,-64 + subq $288 + 0 + 32,%rsp .cfi_adjust_cfa_offset 288 + 32 + leaq 32(%rsp),%rbp + andq $-32,%rbp + + movq 56(%r9),%rbx + addq %rdx,%rbx + movq %r8,0+0+32(%rbp) + movq %rbx,8+0+32(%rbp) + movq %rdx,%rbx vzeroupper vmovdqa .Lchacha20_consts(%rip),%ymm0 @@ -8918,7 +8939,6 @@ chacha20_poly1305_seal_avx2: .cfi_endproc .size chacha20_poly1305_seal_avx2, .-chacha20_poly1305_seal_avx2 #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/err/err_data.c b/Sources/CNIOBoringSSL/gen/crypto/err_data.c similarity index 78% rename from Sources/CNIOBoringSSL/crypto/err/err_data.c rename to Sources/CNIOBoringSSL/gen/crypto/err_data.c index da02dc9b2..6bf5f4f5c 100644 --- a/Sources/CNIOBoringSSL/crypto/err/err_data.c +++ b/Sources/CNIOBoringSSL/gen/crypto/err_data.c @@ -12,7 +12,7 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - /* This file was generated by err_data_generate.go. */ + /* This file was generated by go run ./util/pregenerate. */ #include #include 
@@ -76,54 +76,54 @@ const uint32_t kOpenSSLReasonValues[] = { 0xc3b00f7, 0xc3b8921, 0x10320892, - 0x10329641, - 0x1033164d, - 0x10339666, - 0x10341679, + 0x10329654, + 0x10331660, + 0x10339679, + 0x1034168c, 0x10348f93, 0x10350cdf, - 0x1035968c, - 0x103616b6, - 0x103696c9, - 0x103716e8, - 0x10379701, - 0x10381716, - 0x10389734, - 0x10391743, - 0x1039975f, - 0x103a177a, - 0x103a9789, - 0x103b17a5, - 0x103b97c0, - 0x103c17e6, + 0x1035969f, + 0x103616c9, + 0x103696dc, + 0x103716fb, + 0x10379714, + 0x10381729, + 0x10389747, + 0x10391756, + 0x10399772, + 0x103a178d, + 0x103a979c, + 0x103b17b8, + 0x103b97d3, + 0x103c17f9, 0x103c80f7, - 0x103d17f7, - 0x103d980b, - 0x103e182a, - 0x103e9839, - 0x103f1850, - 0x103f9863, + 0x103d180a, + 0x103d981e, + 0x103e183d, + 0x103e984c, + 0x103f1863, + 0x103f9876, 0x10400ca3, - 0x10409876, - 0x10411894, - 0x104198a7, - 0x104218c1, - 0x104298d1, - 0x104318e5, - 0x104398fb, - 0x10441913, - 0x10449928, - 0x1045193c, - 0x1045994e, + 0x10409889, + 0x104118a7, + 0x104198ba, + 0x104218d4, + 0x104298e4, + 0x104318f8, + 0x1043990e, + 0x10441926, + 0x1044993b, + 0x1045194f, + 0x10459961, 0x10460635, 0x1046899a, - 0x10471963, - 0x1047997a, - 0x1048198f, - 0x1048999d, + 0x10471976, + 0x1047998d, + 0x104819a2, + 0x104899b0, 0x10490edf, - 0x104997d7, - 0x104a16a1, + 0x104997ea, + 0x104a16b4, 0x14320c73, 0x14328c94, 0x14330ca3, 
@@ -139,53 +139,54 @@ const uint32_t kOpenSSLReasonValues[] = { 0x183480f7, 0x18351032, 0x1835904a, - 0x1836105f, - 0x18369073, - 0x183710ab, - 0x183790c1, - 0x183810d5, - 0x183890e5, + 0x18361072, + 0x18369086, + 0x183710be, + 0x183790d4, + 0x183810e8, + 0x183890f8, 0x18390ac0, - 0x183990f5, - 0x183a111b, - 0x183a9141, + 0x18399108, + 0x183a112e, + 0x183a9154, 0x183b0ceb, - 0x183b9190, - 0x183c11a2, - 0x183c91ad, - 0x183d11bd, - 0x183d91ce, - 0x183e11df, - 0x183e91f1, - 0x183f121a, - 0x183f9233, - 0x1840124b, + 0x183b91a3, + 0x183c11b5, + 0x183c91c0, + 0x183d11d0, + 0x183d91e1, + 0x183e11f2, + 0x183e9204, + 0x183f122d, + 0x183f9246, + 0x1840125e, 0x1840870d, - 0x18411164, - 0x1841912f, - 0x1842114e, + 0x18411177, + 0x18419142, + 0x18421161, 0x18428c81, - 0x1843110a, - 0x18439176, + 0x1843111d, + 0x18439189, 0x18441028, - 0x18449097, - 0x20321285, - 0x20329272, - 0x24321291, + 0x184490aa, + 0x1845105f, + 0x20321298, + 0x20329285, + 0x243212a4, 0x243289e0, - 0x243312a3, - 0x243392b0, - 0x243412bd, - 0x243492cf, - 0x243512de, - 0x243592fb, - 0x24361308, - 0x24369316, - 0x24371324, - 0x24379332, - 0x2438133b, - 0x24389348, - 0x2439135b, + 0x243312b6, + 0x243392c3, + 0x243412d0, + 0x243492e2, + 0x243512f1, + 0x2435930e, + 0x2436131b, + 0x24369329, + 0x24371337, + 0x24379345, + 0x2438134e, + 0x2438935b, + 0x2439136e, 0x28320cd3, 0x28328ceb, 0x28330ca3, 
@@ -195,51 +196,51 @@ const uint32_t kOpenSSLReasonValues[] = { 0x283500f7, 0x28358c81, 0x2836099a, - 0x2c3232e7, - 0x2c329372, - 0x2c3332f5, - 0x2c33b307, - 0x2c34331b, - 0x2c34b32d, - 0x2c353348, - 0x2c35b35a, - 0x2c36338a, + 0x2c3232fa, + 0x2c329385, + 0x2c333308, + 0x2c33b31a, + 0x2c34332e, + 0x2c34b340, + 0x2c35335b, + 0x2c35b36d, + 0x2c36339d, 0x2c36833a, - 0x2c373397, - 0x2c37b3c3, - 0x2c383401, - 0x2c38b418, - 0x2c393436, - 0x2c39b446, - 0x2c3a3458, - 0x2c3ab46c, - 0x2c3b347d, - 0x2c3bb49c, - 0x2c3c1384, - 0x2c3c939a, - 0x2c3d34e1, - 0x2c3d93b3, - 0x2c3e350b, - 0x2c3eb519, - 0x2c3f3531, - 0x2c3fb549, - 0x2c403573, - 0x2c409285, - 0x2c413584, - 0x2c41b597, - 0x2c42124b, - 0x2c42b5a8, + 0x2c3733aa, + 0x2c37b3d6, + 0x2c383414, + 0x2c38b42b, + 0x2c393449, + 0x2c39b459, + 0x2c3a346b, + 0x2c3ab47f, + 0x2c3b3490, + 0x2c3bb4af, + 0x2c3c1397, + 0x2c3c93ad, + 0x2c3d34f4, + 0x2c3d93c6, + 0x2c3e351e, + 0x2c3eb52c, + 0x2c3f3544, + 0x2c3fb55c, + 0x2c403586, + 0x2c409298, + 0x2c413597, + 0x2c41b5aa, + 0x2c42125e, + 0x2c42b5bb, 0x2c43076d, - 0x2c43b48e, - 0x2c4433d6, - 0x2c44b556, - 0x2c45336d, - 0x2c45b3a9, - 0x2c463426, - 0x2c46b4b0, - 0x2c4734c5, - 0x2c47b4fe, - 0x2c4833e8, + 0x2c43b4a1, + 0x2c4433e9, + 0x2c44b569, + 0x2c453380, + 0x2c45b3bc, + 0x2c463439, + 0x2c46b4c3, + 0x2c4734d8, + 0x2c47b511, + 0x2c4833fb, 0x30320000, 0x30328015, 0x3033001f, 
@@ -379,261 +380,261 @@ const uint32_t kOpenSSLReasonValues[] = { 0x3c418dd3, 0x3c420edf, 0x3c428e69, - 0x40321a2f, - 0x40329a45, - 0x40331a73, - 0x40339a7d, - 0x40341a94, - 0x40349ab2, - 0x40351ac2, - 0x40359ad4, - 0x40361ae1, - 0x40369aed, - 0x40371b02, - 0x40379b14, - 0x40381b1f, - 0x40389b31, + 0x40321a42, + 0x40329a58, + 0x40331a86, + 0x40339a90, + 0x40341aa7, + 0x40349ac5, + 0x40351ad5, + 0x40359ae7, + 0x40361af4, + 0x40369b00, + 0x40371b15, + 0x40379b27, + 0x40381b32, + 0x40389b44, 0x40390f93, - 0x40399b41, - 0x403a1b54, - 0x403a9b75, - 0x403b1b86, - 0x403b9b96, + 0x40399b54, + 0x403a1b67, + 0x403a9b88, + 0x403b1b99, + 0x403b9ba9, 0x403c0071, 0x403c8090, - 0x403d1bf7, - 0x403d9c0d, - 0x403e1c1c, - 0x403e9c54, - 0x403f1c6e, - 0x403f9c96, - 0x40401cab, - 0x40409cbf, - 0x40411cfa, - 0x40419d15, - 0x40421d2e, - 0x40429d41, - 0x40431d55, - 0x40439d83, - 0x40441d9a, + 0x403d1c0a, + 0x403d9c20, + 0x403e1c2f, + 0x403e9c67, + 0x403f1c81, + 0x403f9ca9, + 0x40401cbe, + 0x40409cd2, + 0x40411d0d, + 0x40419d28, + 0x40421d41, + 0x40429d54, + 0x40431d68, + 0x40439d96, + 0x40441dad, 0x404480b9, - 0x40451daf, - 0x40459dc1, - 0x40461de5, - 0x40469e05, - 0x40471e13, - 0x40479e3a, - 0x40481eab, - 0x40489f65, - 0x40491f7c, - 0x40499f96, - 0x404a1fad, - 0x404a9fcb, - 0x404b1fe3, - 0x404ba010, - 0x404c2026, - 0x404ca038, - 0x404d2059, - 0x404da092, - 0x404e20a6, - 0x404ea0b3, - 0x404f2164, - 0x404fa1da, - 0x40502249, - 0x4050a25d, - 0x40512290, - 0x405222a0, - 0x4052a2c4, - 0x405322dc, - 0x4053a2ef, - 0x40542304, - 0x4054a327, - 0x40552352, - 0x4055a38f, - 0x405623b4, - 0x4056a3cd, - 0x405723e5, - 0x4057a3f8, - 0x4058240d, - 0x4058a434, - 0x40592463, - 0x4059a490, - 0x405aa4a4, - 0x405b24bc, - 0x405ba4cd, - 0x405c24e0, - 0x405ca51f, - 0x405d252c, - 0x405da551, - 0x405e258f, + 0x40451dc2, + 0x40459dd4, + 0x40461df8, + 0x40469e18, + 0x40471e26, + 0x40479e4d, + 0x40481ebe, + 0x40489f78, + 0x40491f8f, + 0x40499fa9, + 0x404a1fc0, + 0x404a9fde, + 0x404b1ff6, + 0x404ba023, + 0x404c2039, + 
0x404ca04b, + 0x404d206c, + 0x404da0a5, + 0x404e20b9, + 0x404ea0c6, + 0x404f2177, + 0x404fa1ed, + 0x4050225c, + 0x4050a270, + 0x405122a3, + 0x405222b3, + 0x4052a2d7, + 0x405322ef, + 0x4053a302, + 0x40542317, + 0x4054a33a, + 0x40552365, + 0x4055a3a2, + 0x405623c7, + 0x4056a3e0, + 0x405723f8, + 0x4057a40b, + 0x40582420, + 0x4058a447, + 0x40592476, + 0x4059a4a3, + 0x405aa4b7, + 0x405b24cf, + 0x405ba4e0, + 0x405c24f3, + 0x405ca532, + 0x405d253f, + 0x405da564, + 0x405e25a2, 0x405e8afe, - 0x405f25b0, - 0x405fa5bd, - 0x406025cb, - 0x4060a5ed, - 0x4061264e, - 0x4061a686, - 0x4062269d, - 0x4062a6ae, - 0x406326fb, - 0x4063a710, - 0x40642727, - 0x4064a753, - 0x4065276e, - 0x4065a785, - 0x4066279d, - 0x4066a7c7, - 0x406727f2, - 0x4067a837, - 0x4068287f, - 0x4068a8a0, - 0x406928d2, - 0x4069a900, - 0x406a2921, - 0x406aa941, - 0x406b2ac9, - 0x406baaec, - 0x406c2b02, - 0x406cae0c, - 0x406d2e3b, - 0x406dae63, - 0x406e2e91, - 0x406eaede, - 0x406f2f37, - 0x406faf6f, - 0x40702f82, - 0x4070af9f, + 0x405f25c3, + 0x405fa5d0, + 0x406025de, + 0x4060a600, + 0x40612661, + 0x4061a699, + 0x406226b0, + 0x4062a6c1, + 0x4063270e, + 0x4063a723, + 0x4064273a, + 0x4064a766, + 0x40652781, + 0x4065a798, + 0x406627b0, + 0x4066a7da, + 0x40672805, + 0x4067a84a, + 0x40682892, + 0x4068a8b3, + 0x406928e5, + 0x4069a913, + 0x406a2934, + 0x406aa954, + 0x406b2adc, + 0x406baaff, + 0x406c2b15, + 0x406cae1f, + 0x406d2e4e, + 0x406dae76, + 0x406e2ea4, + 0x406eaef1, + 0x406f2f4a, + 0x406faf82, + 0x40702f95, + 0x4070afb2, 0x4071084d, - 0x4071afb1, - 0x40722fc4, - 0x4072affa, - 0x40733012, - 0x4073959c, - 0x40743026, - 0x4074b040, - 0x40753051, - 0x4075b065, - 0x40763073, - 0x40769348, - 0x40773098, - 0x4077b0d8, - 0x407830f3, - 0x4078b12c, - 0x40793143, - 0x4079b159, - 0x407a3185, - 0x407ab198, - 0x407b31ad, - 0x407bb1bf, - 0x407c31f0, - 0x407cb1f9, - 0x407d28bb, - 0x407da202, - 0x407e3108, - 0x407ea444, - 0x407f1e27, - 0x407f9ffa, - 0x40802174, - 0x40809e4f, - 0x408122b2, - 0x4081a101, - 0x40822e7c, - 0x40829ba2, - 
0x4083241f, - 0x4083a738, - 0x40841e63, - 0x4084a47c, - 0x408524f1, - 0x4085a615, - 0x40862571, - 0x4086a21c, - 0x40872ec2, - 0x4087a663, - 0x40881be0, - 0x4088a84a, - 0x40891c2f, - 0x40899bbc, - 0x408a2b3a, - 0x408a99b4, - 0x408b31d4, - 0x408baf4c, - 0x408c2501, - 0x408c99ec, - 0x408d1f4b, - 0x408d9e95, - 0x408e207b, - 0x408ea36f, - 0x408f285e, - 0x408fa631, - 0x40902813, - 0x4090a543, - 0x40912b22, - 0x40919a12, - 0x40921c7c, - 0x4092aefd, - 0x40932fdd, - 0x4093a22d, - 0x40941e77, - 0x4094ab53, - 0x409526bf, - 0x4095b165, - 0x40962ea9, - 0x4096a18d, - 0x40972278, - 0x4097a0ca, - 0x40981cdc, - 0x4098a6d3, - 0x40992f19, - 0x4099a39c, - 0x409a2335, - 0x409a99d0, - 0x409b1ed1, - 0x409b9efc, - 0x409c30ba, - 0x409c9f24, - 0x409d2149, - 0x409da117, - 0x409e1d6d, - 0x409ea1c2, - 0x409f21aa, - 0x409f9ec4, - 0x40a021ea, - 0x40a0a0e4, - 0x40a12132, - 0x41f429f4, - 0x41f92a86, - 0x41fe2979, - 0x41feac2f, - 0x41ff2d5d, - 0x42032a0d, - 0x42082a2f, - 0x4208aa6b, - 0x4209295d, - 0x4209aaa5, - 0x420a29b4, - 0x420aa994, - 0x420b29d4, - 0x420baa4d, - 0x420c2d79, - 0x420cab63, - 0x420d2c16, - 0x420dac4d, - 0x42122c80, - 0x42172d40, - 0x4217acc2, - 0x421c2ce4, - 0x421f2c9f, - 0x42212df1, - 0x42262d23, - 0x422b2dcf, - 0x422babf1, - 0x422c2db1, - 0x422caba4, - 0x422d2b7d, - 0x422dad90, - 0x422e2bd0, - 0x42302cff, - 0x4230ac67, + 0x4071afc4, + 0x40722fd7, + 0x4072b00d, + 0x40733025, + 0x407395af, + 0x40743039, + 0x4074b053, + 0x40753064, + 0x4075b078, + 0x40763086, + 0x4076935b, + 0x407730ab, + 0x4077b0eb, + 0x40783106, + 0x4078b13f, + 0x40793156, + 0x4079b16c, + 0x407a3198, + 0x407ab1ab, + 0x407b31c0, + 0x407bb1d2, + 0x407c3203, + 0x407cb20c, + 0x407d28ce, + 0x407da215, + 0x407e311b, + 0x407ea457, + 0x407f1e3a, + 0x407fa00d, + 0x40802187, + 0x40809e62, + 0x408122c5, + 0x4081a114, + 0x40822e8f, + 0x40829bb5, + 0x40832432, + 0x4083a74b, + 0x40841e76, + 0x4084a48f, + 0x40852504, + 0x4085a628, + 0x40862584, + 0x4086a22f, + 0x40872ed5, + 0x4087a676, + 0x40881bf3, + 0x4088a85d, + 0x40891c42, 
+ 0x40899bcf, + 0x408a2b4d, + 0x408a99c7, + 0x408b31e7, + 0x408baf5f, + 0x408c2514, + 0x408c99ff, + 0x408d1f5e, + 0x408d9ea8, + 0x408e208e, + 0x408ea382, + 0x408f2871, + 0x408fa644, + 0x40902826, + 0x4090a556, + 0x40912b35, + 0x40919a25, + 0x40921c8f, + 0x4092af10, + 0x40932ff0, + 0x4093a240, + 0x40941e8a, + 0x4094ab66, + 0x409526d2, + 0x4095b178, + 0x40962ebc, + 0x4096a1a0, + 0x4097228b, + 0x4097a0dd, + 0x40981cef, + 0x4098a6e6, + 0x40992f2c, + 0x4099a3af, + 0x409a2348, + 0x409a99e3, + 0x409b1ee4, + 0x409b9f0f, + 0x409c30cd, + 0x409c9f37, + 0x409d215c, + 0x409da12a, + 0x409e1d80, + 0x409ea1d5, + 0x409f21bd, + 0x409f9ed7, + 0x40a021fd, + 0x40a0a0f7, + 0x40a12145, + 0x41f42a07, + 0x41f92a99, + 0x41fe298c, + 0x41feac42, + 0x41ff2d70, + 0x42032a20, + 0x42082a42, + 0x4208aa7e, + 0x42092970, + 0x4209aab8, + 0x420a29c7, + 0x420aa9a7, + 0x420b29e7, + 0x420baa60, + 0x420c2d8c, + 0x420cab76, + 0x420d2c29, + 0x420dac60, + 0x42122c93, + 0x42172d53, + 0x4217acd5, + 0x421c2cf7, + 0x421f2cb2, + 0x42212e04, + 0x42262d36, + 0x422b2de2, + 0x422bac04, + 0x422c2dc4, + 0x422cabb7, + 0x422d2b90, + 0x422dada3, + 0x422e2be3, + 0x42302d12, + 0x4230ac7a, 0x44320778, 0x44328787, 0x44330793, 
@@ -651,109 +652,109 @@ const uint32_t kOpenSSLReasonValues[] = { 0x4439084d, 0x4439885b, 0x443a086e, - 0x48321372, - 0x48329384, - 0x4833139a, - 0x483393b3, - 0x4c3213f0, - 0x4c329400, - 0x4c331413, - 0x4c339433, + 0x48321385, + 0x48329397, + 0x483313ad, + 0x483393c6, + 0x4c321403, + 0x4c329413, + 0x4c331426, + 0x4c339446, 0x4c3400b9, 0x4c3480f7, - 0x4c35143f, - 0x4c35944d, - 0x4c361469, - 0x4c36948f, - 0x4c37149e, - 0x4c3794ac, - 0x4c3814c1, - 0x4c3894cd, - 0x4c3914ed, - 0x4c399517, - 0x4c3a1530, - 0x4c3a9549, + 0x4c351452, + 0x4c359460, + 0x4c36147c, + 0x4c3694a2, + 0x4c3714b1, + 0x4c3794bf, + 0x4c3814d4, + 0x4c3894e0, + 0x4c391500, + 0x4c39952a, + 0x4c3a1543, + 0x4c3a955c, 0x4c3b0635, - 0x4c3b9562, - 0x4c3c1574, - 0x4c3c9583, - 0x4c3d159c, + 0x4c3b9575, + 0x4c3c1587, + 0x4c3c9596, + 0x4c3d15af, 0x4c3d8cc6, - 0x4c3e1609, - 0x4c3e95ab, - 0x4c3f162b, - 0x4c3f9348, - 0x4c4015c1, - 0x4c4093dc, - 0x4c4115f9, - 0x4c41947c, - 0x4c4215e5, - 0x4c4293c4, - 0x503235ba, - 0x5032b5c9, - 0x503335d4, - 0x5033b5e4, - 0x503435fd, - 0x5034b617, - 0x50353625, - 0x5035b63b, - 0x5036364d, - 0x5036b663, - 0x5037367c, - 0x5037b68f, - 0x503836a7, - 0x5038b6b8, - 0x503936cd, - 0x5039b6e1, - 0x503a3701, - 0x503ab717, - 0x503b372f, - 0x503bb741, - 0x503c375d, - 0x503cb774, - 0x503d378d, - 0x503db7a3, - 0x503e37b0, - 0x503eb7c6, - 0x503f37d8, + 0x4c3e161c, + 0x4c3e95be, + 0x4c3f163e, + 0x4c3f935b, + 0x4c4015d4, + 0x4c4093ef, + 0x4c41160c, + 0x4c41948f, + 0x4c4215f8, + 0x4c4293d7, + 0x503235cd, + 0x5032b5dc, + 0x503335e7, + 0x5033b5f7, + 0x50343610, + 0x5034b62a, + 0x50353638, + 0x5035b64e, + 0x50363660, + 0x5036b676, + 0x5037368f, + 0x5037b6a2, + 0x503836ba, + 0x5038b6cb, + 0x503936e0, + 0x5039b6f4, + 0x503a3714, + 0x503ab72a, + 0x503b3742, + 0x503bb754, + 0x503c3770, + 0x503cb787, + 0x503d37a0, + 0x503db7b6, + 0x503e37c3, + 0x503eb7d9, + 0x503f37eb, 0x503f83b3, - 0x504037eb, - 0x5040b7fb, - 0x50413815, - 0x5041b824, - 0x5042383e, - 0x5042b85b, - 0x5043386b, - 0x5043b87b, - 0x50443898, + 
0x504037fe, + 0x5040b80e, + 0x50413828, + 0x5041b837, + 0x50423851, + 0x5042b86e, + 0x5043387e, + 0x5043b88e, + 0x504438ab, 0x50448469, - 0x504538ac, - 0x5045b8ca, - 0x504638dd, - 0x5046b8f3, - 0x50473905, - 0x5047b91a, - 0x50483940, - 0x5048b94e, - 0x50493961, - 0x5049b976, - 0x504a398c, - 0x504ab99c, - 0x504b39bc, - 0x504bb9cf, - 0x504c39f2, - 0x504cba20, - 0x504d3a4d, - 0x504dba6a, - 0x504e3a85, - 0x504ebaa1, - 0x504f3ab3, - 0x504fbaca, - 0x50503ad9, + 0x504538bf, + 0x5045b8dd, + 0x504638f0, + 0x5046b906, + 0x50473918, + 0x5047b92d, + 0x50483953, + 0x5048b961, + 0x50493974, + 0x5049b989, + 0x504a399f, + 0x504ab9af, + 0x504b39cf, + 0x504bb9e2, + 0x504c3a05, + 0x504cba33, + 0x504d3a60, + 0x504dba7d, + 0x504e3a98, + 0x504ebab4, + 0x504f3ac6, + 0x504fbadd, + 0x50503aec, 0x50508729, - 0x50513aec, - 0x5051b88a, - 0x50523a32, + 0x50513aff, + 0x5051b89d, + 0x50523a45, 0x58320fd1, 0x68320f93, 0x68328ceb, @@ -795,22 +796,22 @@ const uint32_t kOpenSSLReasonValues[] = { 0x783d8b97, 0x783e0aed, 0x783e8a9f, - 0x7c321261, - 0x8032148f, + 0x7c321274, + 0x803214a2, 0x80328090, - 0x803332b6, + 0x803332c9, 0x803380b9, - 0x803432c5, - 0x8034b22d, - 0x8035324b, - 0x8035b2d9, - 0x8036328d, - 0x8036b23c, - 0x8037327f, - 0x8037b21a, - 0x803832a0, - 0x8038b25c, - 0x80393271, + 0x803432d8, + 0x8034b240, + 0x8035325e, + 0x8035b2ec, + 0x803632a0, + 0x8036b24f, + 0x80373292, + 0x8037b22d, + 0x803832b3, + 0x8038b26f, + 0x80393284, }; const size_t kOpenSSLReasonValuesLen = sizeof(kOpenSSLReasonValues) / sizeof(kOpenSSLReasonValues[0]); @@ -1034,6 +1035,7 @@ const char kOpenSSLReasonStringData[] = "EMPTY_PSK\0" "EXPECTING_AN_EC_KEY_KEY\0" "EXPECTING_AN_RSA_KEY\0" + "EXPECTING_A_DH_KEY\0" "EXPECTING_A_DSA_KEY\0" "ILLEGAL_OR_UNSUPPORTED_PADDING_MODE\0" "INVALID_BUFFER_SIZE\0" diff --git a/Sources/CNIOBoringSSL/gen/crypto/md5-586-apple.S b/Sources/CNIOBoringSSL/gen/crypto/md5-586-apple.S new file mode 100644 index 000000000..751f306aa --- /dev/null 
+++ b/Sources/CNIOBoringSSL/gen/crypto/md5-586-apple.S 
@@ -0,0 +1,689 @@ +#define BORINGSSL_PREFIX CNIOBoringSSL +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#include + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +.text +.globl _md5_block_asm_data_order +.private_extern _md5_block_asm_data_order +.align 4 +_md5_block_asm_data_order: +L_md5_block_asm_data_order_begin: + pushl %esi + pushl %edi + movl 12(%esp),%edi + movl 16(%esp),%esi + movl 20(%esp),%ecx + pushl %ebp + shll $6,%ecx + pushl %ebx + addl %esi,%ecx + subl $64,%ecx + movl (%edi),%eax + pushl %ecx + movl 4(%edi),%ebx + movl 8(%edi),%ecx + movl 12(%edi),%edx +L000start: + + # R0 section + movl %ecx,%edi + movl (%esi),%ebp + # R0 0 + xorl %edx,%edi + andl %ebx,%edi + leal 3614090360(%eax,%ebp,1),%eax + xorl %edx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $7,%eax + movl 4(%esi),%ebp + addl %ebx,%eax + # R0 1 + xorl %ecx,%edi + andl %eax,%edi + leal 3905402710(%edx,%ebp,1),%edx + xorl %ecx,%edi + addl %edi,%edx + movl %eax,%edi + roll $12,%edx + movl 8(%esi),%ebp + addl %eax,%edx + # R0 2 + xorl %ebx,%edi + andl %edx,%edi + leal 606105819(%ecx,%ebp,1),%ecx + xorl %ebx,%edi + addl %edi,%ecx + movl %edx,%edi + roll $17,%ecx + movl 12(%esi),%ebp + addl %edx,%ecx + # R0 3 + xorl %eax,%edi + andl %ecx,%edi + leal 3250441966(%ebx,%ebp,1),%ebx + xorl %eax,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $22,%ebx + movl 16(%esi),%ebp + addl %ecx,%ebx + # R0 4 + xorl %edx,%edi + andl %ebx,%edi + leal 4118548399(%eax,%ebp,1),%eax + xorl %edx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $7,%eax + movl 20(%esi),%ebp + addl %ebx,%eax + # R0 5 + xorl %ecx,%edi + andl %eax,%edi + leal 1200080426(%edx,%ebp,1),%edx + xorl %ecx,%edi + addl %edi,%edx + movl %eax,%edi + roll $12,%edx + movl 24(%esi),%ebp + addl %eax,%edx + # R0 6 + xorl %ebx,%edi + andl %edx,%edi + leal 2821735955(%ecx,%ebp,1),%ecx + xorl %ebx,%edi + addl %edi,%ecx + movl %edx,%edi + roll $17,%ecx + movl 
28(%esi),%ebp + addl %edx,%ecx + # R0 7 + xorl %eax,%edi + andl %ecx,%edi + leal 4249261313(%ebx,%ebp,1),%ebx + xorl %eax,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $22,%ebx + movl 32(%esi),%ebp + addl %ecx,%ebx + # R0 8 + xorl %edx,%edi + andl %ebx,%edi + leal 1770035416(%eax,%ebp,1),%eax + xorl %edx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $7,%eax + movl 36(%esi),%ebp + addl %ebx,%eax + # R0 9 + xorl %ecx,%edi + andl %eax,%edi + leal 2336552879(%edx,%ebp,1),%edx + xorl %ecx,%edi + addl %edi,%edx + movl %eax,%edi + roll $12,%edx + movl 40(%esi),%ebp + addl %eax,%edx + # R0 10 + xorl %ebx,%edi + andl %edx,%edi + leal 4294925233(%ecx,%ebp,1),%ecx + xorl %ebx,%edi + addl %edi,%ecx + movl %edx,%edi + roll $17,%ecx + movl 44(%esi),%ebp + addl %edx,%ecx + # R0 11 + xorl %eax,%edi + andl %ecx,%edi + leal 2304563134(%ebx,%ebp,1),%ebx + xorl %eax,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $22,%ebx + movl 48(%esi),%ebp + addl %ecx,%ebx + # R0 12 + xorl %edx,%edi + andl %ebx,%edi + leal 1804603682(%eax,%ebp,1),%eax + xorl %edx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $7,%eax + movl 52(%esi),%ebp + addl %ebx,%eax + # R0 13 + xorl %ecx,%edi + andl %eax,%edi + leal 4254626195(%edx,%ebp,1),%edx + xorl %ecx,%edi + addl %edi,%edx + movl %eax,%edi + roll $12,%edx + movl 56(%esi),%ebp + addl %eax,%edx + # R0 14 + xorl %ebx,%edi + andl %edx,%edi + leal 2792965006(%ecx,%ebp,1),%ecx + xorl %ebx,%edi + addl %edi,%ecx + movl %edx,%edi + roll $17,%ecx + movl 60(%esi),%ebp + addl %edx,%ecx + # R0 15 + xorl %eax,%edi + andl %ecx,%edi + leal 1236535329(%ebx,%ebp,1),%ebx + xorl %eax,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $22,%ebx + movl 4(%esi),%ebp + addl %ecx,%ebx + + # R1 section + # R1 16 + leal 4129170786(%eax,%ebp,1),%eax + xorl %ebx,%edi + andl %edx,%edi + movl 24(%esi),%ebp + xorl %ecx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $5,%eax + addl %ebx,%eax + # R1 17 + leal 3225465664(%edx,%ebp,1),%edx + xorl %eax,%edi + andl %ecx,%edi + movl 44(%esi),%ebp + xorl 
%ebx,%edi + addl %edi,%edx + movl %eax,%edi + roll $9,%edx + addl %eax,%edx + # R1 18 + leal 643717713(%ecx,%ebp,1),%ecx + xorl %edx,%edi + andl %ebx,%edi + movl (%esi),%ebp + xorl %eax,%edi + addl %edi,%ecx + movl %edx,%edi + roll $14,%ecx + addl %edx,%ecx + # R1 19 + leal 3921069994(%ebx,%ebp,1),%ebx + xorl %ecx,%edi + andl %eax,%edi + movl 20(%esi),%ebp + xorl %edx,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $20,%ebx + addl %ecx,%ebx + # R1 20 + leal 3593408605(%eax,%ebp,1),%eax + xorl %ebx,%edi + andl %edx,%edi + movl 40(%esi),%ebp + xorl %ecx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $5,%eax + addl %ebx,%eax + # R1 21 + leal 38016083(%edx,%ebp,1),%edx + xorl %eax,%edi + andl %ecx,%edi + movl 60(%esi),%ebp + xorl %ebx,%edi + addl %edi,%edx + movl %eax,%edi + roll $9,%edx + addl %eax,%edx + # R1 22 + leal 3634488961(%ecx,%ebp,1),%ecx + xorl %edx,%edi + andl %ebx,%edi + movl 16(%esi),%ebp + xorl %eax,%edi + addl %edi,%ecx + movl %edx,%edi + roll $14,%ecx + addl %edx,%ecx + # R1 23 + leal 3889429448(%ebx,%ebp,1),%ebx + xorl %ecx,%edi + andl %eax,%edi + movl 36(%esi),%ebp + xorl %edx,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $20,%ebx + addl %ecx,%ebx + # R1 24 + leal 568446438(%eax,%ebp,1),%eax + xorl %ebx,%edi + andl %edx,%edi + movl 56(%esi),%ebp + xorl %ecx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $5,%eax + addl %ebx,%eax + # R1 25 + leal 3275163606(%edx,%ebp,1),%edx + xorl %eax,%edi + andl %ecx,%edi + movl 12(%esi),%ebp + xorl %ebx,%edi + addl %edi,%edx + movl %eax,%edi + roll $9,%edx + addl %eax,%edx + # R1 26 + leal 4107603335(%ecx,%ebp,1),%ecx + xorl %edx,%edi + andl %ebx,%edi + movl 32(%esi),%ebp + xorl %eax,%edi + addl %edi,%ecx + movl %edx,%edi + roll $14,%ecx + addl %edx,%ecx + # R1 27 + leal 1163531501(%ebx,%ebp,1),%ebx + xorl %ecx,%edi + andl %eax,%edi + movl 52(%esi),%ebp + xorl %edx,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $20,%ebx + addl %ecx,%ebx + # R1 28 + leal 2850285829(%eax,%ebp,1),%eax + xorl %ebx,%edi + andl %edx,%edi + 
movl 8(%esi),%ebp + xorl %ecx,%edi + addl %edi,%eax + movl %ebx,%edi + roll $5,%eax + addl %ebx,%eax + # R1 29 + leal 4243563512(%edx,%ebp,1),%edx + xorl %eax,%edi + andl %ecx,%edi + movl 28(%esi),%ebp + xorl %ebx,%edi + addl %edi,%edx + movl %eax,%edi + roll $9,%edx + addl %eax,%edx + # R1 30 + leal 1735328473(%ecx,%ebp,1),%ecx + xorl %edx,%edi + andl %ebx,%edi + movl 48(%esi),%ebp + xorl %eax,%edi + addl %edi,%ecx + movl %edx,%edi + roll $14,%ecx + addl %edx,%ecx + # R1 31 + leal 2368359562(%ebx,%ebp,1),%ebx + xorl %ecx,%edi + andl %eax,%edi + movl 20(%esi),%ebp + xorl %edx,%edi + addl %edi,%ebx + movl %ecx,%edi + roll $20,%ebx + addl %ecx,%ebx + + # R2 section + # R2 32 + xorl %edx,%edi + xorl %ebx,%edi + leal 4294588738(%eax,%ebp,1),%eax + addl %edi,%eax + roll $4,%eax + movl 32(%esi),%ebp + movl %ebx,%edi + # R2 33 + leal 2272392833(%edx,%ebp,1),%edx + addl %ebx,%eax + xorl %ecx,%edi + xorl %eax,%edi + movl 44(%esi),%ebp + addl %edi,%edx + movl %eax,%edi + roll $11,%edx + addl %eax,%edx + # R2 34 + xorl %ebx,%edi + xorl %edx,%edi + leal 1839030562(%ecx,%ebp,1),%ecx + addl %edi,%ecx + roll $16,%ecx + movl 56(%esi),%ebp + movl %edx,%edi + # R2 35 + leal 4259657740(%ebx,%ebp,1),%ebx + addl %edx,%ecx + xorl %eax,%edi + xorl %ecx,%edi + movl 4(%esi),%ebp + addl %edi,%ebx + movl %ecx,%edi + roll $23,%ebx + addl %ecx,%ebx + # R2 36 + xorl %edx,%edi + xorl %ebx,%edi + leal 2763975236(%eax,%ebp,1),%eax + addl %edi,%eax + roll $4,%eax + movl 16(%esi),%ebp + movl %ebx,%edi + # R2 37 + leal 1272893353(%edx,%ebp,1),%edx + addl %ebx,%eax + xorl %ecx,%edi + xorl %eax,%edi + movl 28(%esi),%ebp + addl %edi,%edx + movl %eax,%edi + roll $11,%edx + addl %eax,%edx + # R2 38 + xorl %ebx,%edi + xorl %edx,%edi + leal 4139469664(%ecx,%ebp,1),%ecx + addl %edi,%ecx + roll $16,%ecx + movl 40(%esi),%ebp + movl %edx,%edi + # R2 39 + leal 3200236656(%ebx,%ebp,1),%ebx + addl %edx,%ecx + xorl %eax,%edi + xorl %ecx,%edi + movl 52(%esi),%ebp + addl %edi,%ebx + movl %ecx,%edi + roll $23,%ebx + 
addl %ecx,%ebx + # R2 40 + xorl %edx,%edi + xorl %ebx,%edi + leal 681279174(%eax,%ebp,1),%eax + addl %edi,%eax + roll $4,%eax + movl (%esi),%ebp + movl %ebx,%edi + # R2 41 + leal 3936430074(%edx,%ebp,1),%edx + addl %ebx,%eax + xorl %ecx,%edi + xorl %eax,%edi + movl 12(%esi),%ebp + addl %edi,%edx + movl %eax,%edi + roll $11,%edx + addl %eax,%edx + # R2 42 + xorl %ebx,%edi + xorl %edx,%edi + leal 3572445317(%ecx,%ebp,1),%ecx + addl %edi,%ecx + roll $16,%ecx + movl 24(%esi),%ebp + movl %edx,%edi + # R2 43 + leal 76029189(%ebx,%ebp,1),%ebx + addl %edx,%ecx + xorl %eax,%edi + xorl %ecx,%edi + movl 36(%esi),%ebp + addl %edi,%ebx + movl %ecx,%edi + roll $23,%ebx + addl %ecx,%ebx + # R2 44 + xorl %edx,%edi + xorl %ebx,%edi + leal 3654602809(%eax,%ebp,1),%eax + addl %edi,%eax + roll $4,%eax + movl 48(%esi),%ebp + movl %ebx,%edi + # R2 45 + leal 3873151461(%edx,%ebp,1),%edx + addl %ebx,%eax + xorl %ecx,%edi + xorl %eax,%edi + movl 60(%esi),%ebp + addl %edi,%edx + movl %eax,%edi + roll $11,%edx + addl %eax,%edx + # R2 46 + xorl %ebx,%edi + xorl %edx,%edi + leal 530742520(%ecx,%ebp,1),%ecx + addl %edi,%ecx + roll $16,%ecx + movl 8(%esi),%ebp + movl %edx,%edi + # R2 47 + leal 3299628645(%ebx,%ebp,1),%ebx + addl %edx,%ecx + xorl %eax,%edi + xorl %ecx,%edi + movl (%esi),%ebp + addl %edi,%ebx + movl $-1,%edi + roll $23,%ebx + addl %ecx,%ebx + + # R3 section + # R3 48 + xorl %edx,%edi + orl %ebx,%edi + leal 4096336452(%eax,%ebp,1),%eax + xorl %ecx,%edi + movl 28(%esi),%ebp + addl %edi,%eax + movl $-1,%edi + roll $6,%eax + xorl %ecx,%edi + addl %ebx,%eax + # R3 49 + orl %eax,%edi + leal 1126891415(%edx,%ebp,1),%edx + xorl %ebx,%edi + movl 56(%esi),%ebp + addl %edi,%edx + movl $-1,%edi + roll $10,%edx + xorl %ebx,%edi + addl %eax,%edx + # R3 50 + orl %edx,%edi + leal 2878612391(%ecx,%ebp,1),%ecx + xorl %eax,%edi + movl 20(%esi),%ebp + addl %edi,%ecx + movl $-1,%edi + roll $15,%ecx + xorl %eax,%edi + addl %edx,%ecx + # R3 51 + orl %ecx,%edi + leal 4237533241(%ebx,%ebp,1),%ebx + xorl 
%edx,%edi + movl 48(%esi),%ebp + addl %edi,%ebx + movl $-1,%edi + roll $21,%ebx + xorl %edx,%edi + addl %ecx,%ebx + # R3 52 + orl %ebx,%edi + leal 1700485571(%eax,%ebp,1),%eax + xorl %ecx,%edi + movl 12(%esi),%ebp + addl %edi,%eax + movl $-1,%edi + roll $6,%eax + xorl %ecx,%edi + addl %ebx,%eax + # R3 53 + orl %eax,%edi + leal 2399980690(%edx,%ebp,1),%edx + xorl %ebx,%edi + movl 40(%esi),%ebp + addl %edi,%edx + movl $-1,%edi + roll $10,%edx + xorl %ebx,%edi + addl %eax,%edx + # R3 54 + orl %edx,%edi + leal 4293915773(%ecx,%ebp,1),%ecx + xorl %eax,%edi + movl 4(%esi),%ebp + addl %edi,%ecx + movl $-1,%edi + roll $15,%ecx + xorl %eax,%edi + addl %edx,%ecx + # R3 55 + orl %ecx,%edi + leal 2240044497(%ebx,%ebp,1),%ebx + xorl %edx,%edi + movl 32(%esi),%ebp + addl %edi,%ebx + movl $-1,%edi + roll $21,%ebx + xorl %edx,%edi + addl %ecx,%ebx + # R3 56 + orl %ebx,%edi + leal 1873313359(%eax,%ebp,1),%eax + xorl %ecx,%edi + movl 60(%esi),%ebp + addl %edi,%eax + movl $-1,%edi + roll $6,%eax + xorl %ecx,%edi + addl %ebx,%eax + # R3 57 + orl %eax,%edi + leal 4264355552(%edx,%ebp,1),%edx + xorl %ebx,%edi + movl 24(%esi),%ebp + addl %edi,%edx + movl $-1,%edi + roll $10,%edx + xorl %ebx,%edi + addl %eax,%edx + # R3 58 + orl %edx,%edi + leal 2734768916(%ecx,%ebp,1),%ecx + xorl %eax,%edi + movl 52(%esi),%ebp + addl %edi,%ecx + movl $-1,%edi + roll $15,%ecx + xorl %eax,%edi + addl %edx,%ecx + # R3 59 + orl %ecx,%edi + leal 1309151649(%ebx,%ebp,1),%ebx + xorl %edx,%edi + movl 16(%esi),%ebp + addl %edi,%ebx + movl $-1,%edi + roll $21,%ebx + xorl %edx,%edi + addl %ecx,%ebx + # R3 60 + orl %ebx,%edi + leal 4149444226(%eax,%ebp,1),%eax + xorl %ecx,%edi + movl 44(%esi),%ebp + addl %edi,%eax + movl $-1,%edi + roll $6,%eax + xorl %ecx,%edi + addl %ebx,%eax + # R3 61 + orl %eax,%edi + leal 3174756917(%edx,%ebp,1),%edx + xorl %ebx,%edi + movl 8(%esi),%ebp + addl %edi,%edx + movl $-1,%edi + roll $10,%edx + xorl %ebx,%edi + addl %eax,%edx + # R3 62 + orl %edx,%edi + leal 718787259(%ecx,%ebp,1),%ecx 
+ xorl %eax,%edi + movl 36(%esi),%ebp + addl %edi,%ecx + movl $-1,%edi + roll $15,%ecx + xorl %eax,%edi + addl %edx,%ecx + # R3 63 + orl %ecx,%edi + leal 3951481745(%ebx,%ebp,1),%ebx + xorl %edx,%edi + movl 24(%esp),%ebp + addl %edi,%ebx + addl $64,%esi + roll $21,%ebx + movl (%ebp),%edi + addl %ecx,%ebx + addl %edi,%eax + movl 4(%ebp),%edi + addl %edi,%ebx + movl 8(%ebp),%edi + addl %edi,%ecx + movl 12(%ebp),%edi + addl %edi,%edx + movl %eax,(%ebp) + movl %ebx,4(%ebp) + movl (%esp),%edi + movl %ecx,8(%ebp) + movl %edx,12(%ebp) + cmpl %esi,%edi + jae L000start + popl %eax + popl %ebx + popl %ebp + popl %edi + popl %esi + ret +#endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5-586-linux.linux.x86.S b/Sources/CNIOBoringSSL/gen/crypto/md5-586-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/md5-586-linux.linux.x86.S rename to Sources/CNIOBoringSSL/gen/crypto/md5-586-linux.S index bf0b22226..9ff06ed49 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5-586-linux.linux.x86.S +++ b/Sources/CNIOBoringSSL/gen/crypto/md5-586-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__i386__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -686,7 +685,6 @@ md5_block_asm_data_order: ret .size md5_block_asm_data_order,.-.L_md5_block_asm_data_order_begin #endif // !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86) && defined(__ELF__) -#endif // defined(__i386__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif 
diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-apple.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-apple.S index 7109d7678..93d1307cb 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5-x86_64-mac.mac.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-apple.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__APPLE__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -690,7 +689,6 @@ L$epilogue: #endif -#endif // defined(__x86_64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S b/Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-linux.S similarity index 99% rename from Sources/CNIOBoringSSL/crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S rename to Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-linux.S index 32a4e4da0..972b2c05f 100644 --- a/Sources/CNIOBoringSSL/crypto/fipsmodule/md5-x86_64-linux.linux.x86_64.S +++ b/Sources/CNIOBoringSSL/gen/crypto/md5-x86_64-linux.S @@ -1,5 +1,4 @@ #define BORINGSSL_PREFIX CNIOBoringSSL -#if defined(__x86_64__) && defined(__linux__) // This file is generated from a similarly-named Perl script in the BoringSSL // source tree. Do not edit by hand. @@ -695,7 +694,6 @@ _CET_ENDBR .cfi_endproc .size md5_block_asm_data_order,.-md5_block_asm_data_order #endif -#endif // defined(__x86_64__) && defined(__linux__) #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits #endif diff --git a/Sources/CNIOBoringSSL/hash.txt b/Sources/CNIOBoringSSL/hash.txt index 180fe539e..f4d65c330 100644 --- a/Sources/CNIOBoringSSL/hash.txt +++ b/Sources/CNIOBoringSSL/hash.txt 
@@ -1 +1 @@
-This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision 3309ca66385ecb0c37f1ac1be9f88712e25aa8ec
+This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision d0a175601b9e180ce58cb1e33649057f5c484146
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL.h
index af1b1ebc6..c5a545ea2 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL.h
@@ -14,6 +14,7 @@
 #ifndef C_NIO_BORINGSSL_H
 #define C_NIO_BORINGSSL_H
 
+#include "CNIOBoringSSL_aead.h"
 #include "CNIOBoringSSL_aes.h"
 #include "CNIOBoringSSL_arm_arch.h"
 #include "CNIOBoringSSL_asm_base.h"
@@ -23,6 +24,7 @@
 #include "CNIOBoringSSL_bio.h"
 #include "CNIOBoringSSL_blake2.h"
 #include "CNIOBoringSSL_blowfish.h"
+#include "CNIOBoringSSL_bn.h"
 #include "CNIOBoringSSL_boringssl_prefix_symbols.h"
 #include "CNIOBoringSSL_boringssl_prefix_symbols_asm.h"
 #include "CNIOBoringSSL_cast.h"
@@ -45,9 +47,10 @@
 #include "CNIOBoringSSL_hpke.h"
 #include "CNIOBoringSSL_hrss.h"
 #include "CNIOBoringSSL_kdf.h"
-#include "CNIOBoringSSL_kyber.h"
 #include "CNIOBoringSSL_md4.h"
 #include "CNIOBoringSSL_md5.h"
+#include "CNIOBoringSSL_mldsa.h"
+#include "CNIOBoringSSL_mlkem.h"
 #include "CNIOBoringSSL_obj_mac.h"
 #include "CNIOBoringSSL_objects.h"
 #include "CNIOBoringSSL_opensslv.h"
@@ -62,6 +65,7 @@
 #include "CNIOBoringSSL_service_indicator.h"
 #include "CNIOBoringSSL_sha.h"
 #include "CNIOBoringSSL_siphash.h"
+#include "CNIOBoringSSL_slhdsa.h"
 #include "CNIOBoringSSL_srtp.h"
 #include "CNIOBoringSSL_ssl.h"
 #include "CNIOBoringSSL_time.h"
@@ -69,5 +73,8 @@
 #include "CNIOBoringSSL_type_check.h"
 #include "CNIOBoringSSL_x509_vfy.h"
 #include "CNIOBoringSSL_x509v3.h"
+#include "experimental/CNIOBoringSSL_dilithium.h"
+#include "experimental/CNIOBoringSSL_kyber.h"
+#include "experimental/CNIOBoringSSL_spx.h"
 
 #endif // C_NIO_BORINGSSL_H
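Review bot: The last hunk of CNIOBoringSSL.h makes the umbrella header pull in `experimental/CNIOBoringSSL_dilithium.h`, `experimental/CNIOBoringSSL_kyber.h` and `experimental/CNIOBoringSSL_spx.h` unconditionally, right after the new `CNIOBoringSSL_mldsa.h`, `CNIOBoringSSL_mlkem.h` and `CNIOBoringSSL_slhdsa.h` includes, so every importer of the umbrella header now sees two post-quantum APIs per algorithm with nothing marking which one is the standardized form. The earlier hunk's move of `CNIOBoringSSL_kyber.h` into `experimental/` suggests upstream keeps the `experimental/` headers as pre-standard variants for compatibility, so presumably the ML-KEM/ML-DSA/SLH-DSA headers are the ones consumers should reach for. If the vendoring script adds every header it finds, either exclude `experimental/` there or precede the three includes with a warning such as `// experimental/: pre-standard Kyber/Dilithium/SPHINCS+ drafts kept for compatibility; new code should use the ML-KEM/ML-DSA/SLH-DSA headers above.`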
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_asn1.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_asn1.h
index f7bd1378e..231a23bff 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_asn1.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_asn1.h
@@ -468,7 +468,8 @@ DECLARE_ASN1_ITEM(ASN1_FBOOLEAN)
 
 // An asn1_string_st (aka |ASN1_STRING|) represents a value of a string-like
 // ASN.1 type. It contains a |type| field, and a byte string |data| field with a
-// type-specific representation.
+// type-specific representation. This type-specific representation does not
+// always correspond to the DER encoding of the type.
 //
 // If |type| is one of |V_ASN1_OCTET_STRING|, |V_ASN1_UTF8STRING|,
 // |V_ASN1_NUMERICSTRING|, |V_ASN1_PRINTABLESTRING|, |V_ASN1_T61STRING|,
@@ -568,6 +569,10 @@ OPENSSL_EXPORT int ASN1_STRING_type(const ASN1_STRING *str);
 
 // ASN1_STRING_get0_data returns a pointer to |str|'s contents. Callers should
 // use |ASN1_STRING_length| to determine the length of the string. The string
 // may have embedded NUL bytes and may not be NUL-terminated.
+//
+// The contents of an |ASN1_STRING| encode the value in some type-specific
+// representation that does not always correspond to the DER encoding of the
+// type. See the documentation for |ASN1_STRING| for details.
 OPENSSL_EXPORT const unsigned char *ASN1_STRING_get0_data(
     const ASN1_STRING *str);
@@ -575,10 +580,18 @@ OPENSSL_EXPORT const unsigned char *ASN1_STRING_get0_data( // should use |ASN1_STRING_length| to determine the length of the string. The // string may have embedded NUL bytes and may not be NUL-terminated. // +// The contents of an |ASN1_STRING| encode the value in some type-specific +// representation that does not always correspond to the DER encoding of the +// type. See the documentation for |ASN1_STRING| for details. +// // Prefer |ASN1_STRING_get0_data|. OPENSSL_EXPORT unsigned char *ASN1_STRING_data(ASN1_STRING *str); // ASN1_STRING_length returns the length of |str|, in bytes. +// +// The contents of an |ASN1_STRING| encode the value in some type-specific +// representation that does not always correspond to the DER encoding of the +// type. See the documentation for |ASN1_STRING| for details. OPENSSL_EXPORT int ASN1_STRING_length(const ASN1_STRING *str); // ASN1_STRING_cmp compares |a| and |b|'s type and contents. It returns an @@ -1636,18 +1649,18 @@ OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); // ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section // 2.4. -#define ASN1_STRFLGS_ESC_2253 1 +#define ASN1_STRFLGS_ESC_2253 1ul // ASN1_STRFLGS_ESC_CTRL causes all control characters to be escaped. -#define ASN1_STRFLGS_ESC_CTRL 2 +#define ASN1_STRFLGS_ESC_CTRL 2ul // ASN1_STRFLGS_ESC_MSB causes all characters above 127 to be escaped. -#define ASN1_STRFLGS_ESC_MSB 4 +#define ASN1_STRFLGS_ESC_MSB 4ul // ASN1_STRFLGS_ESC_QUOTE causes the string to be surrounded by quotes, rather // than using backslashes, when characters are escaped. Fewer characters will // require escapes in this case. -#define ASN1_STRFLGS_ESC_QUOTE 8 +#define ASN1_STRFLGS_ESC_QUOTE 8ul // ASN1_STRFLGS_UTF8_CONVERT causes the string to be encoded as UTF-8, with each // byte in the UTF-8 encoding treated as an individual character for purposes of 
@@ -1655,29 +1668,29 @@ OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); // as a character, with wide characters escaped as "\Uxxxx" or "\Wxxxxxxxx". // Note this can be ambiguous if |ASN1_STRFLGS_ESC_*| are all unset. In that // case, backslashes are not escaped, but wide characters are. -#define ASN1_STRFLGS_UTF8_CONVERT 0x10 +#define ASN1_STRFLGS_UTF8_CONVERT 0x10ul // ASN1_STRFLGS_IGNORE_TYPE causes the string type to be ignored. The // |ASN1_STRING| in-memory representation will be printed directly. -#define ASN1_STRFLGS_IGNORE_TYPE 0x20 +#define ASN1_STRFLGS_IGNORE_TYPE 0x20ul // ASN1_STRFLGS_SHOW_TYPE causes the string type to be included in the output. -#define ASN1_STRFLGS_SHOW_TYPE 0x40 +#define ASN1_STRFLGS_SHOW_TYPE 0x40ul // ASN1_STRFLGS_DUMP_ALL causes all strings to be printed as a hexdump, using // RFC 2253 hexstring notation, such as "#0123456789ABCDEF". -#define ASN1_STRFLGS_DUMP_ALL 0x80 +#define ASN1_STRFLGS_DUMP_ALL 0x80ul // ASN1_STRFLGS_DUMP_UNKNOWN behaves like |ASN1_STRFLGS_DUMP_ALL| but only // applies to values of unknown type. If unset, unknown values will print // their contents as single-byte characters with escape sequences. -#define ASN1_STRFLGS_DUMP_UNKNOWN 0x100 +#define ASN1_STRFLGS_DUMP_UNKNOWN 0x100ul // ASN1_STRFLGS_DUMP_DER causes hexdumped strings (as determined by // |ASN1_STRFLGS_DUMP_ALL| or |ASN1_STRFLGS_DUMP_UNKNOWN|) to print the entire // DER element as in RFC 2253, rather than only the contents of the // |ASN1_STRING|. -#define ASN1_STRFLGS_DUMP_DER 0x200 +#define ASN1_STRFLGS_DUMP_DER 0x200ul // ASN1_STRFLGS_RFC2253 causes the string to be escaped as in RFC 2253, // additionally escaping control characters. diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h index 32644558e..636961d18 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h 
@@ -52,9 +52,6 @@ #ifndef OPENSSL_HEADER_BASE_H #define OPENSSL_HEADER_BASE_H -#if defined(__APPLE__) && defined(__i386__) -#define OPENSSL_NO_ASM -#endif #define BORINGSSL_PREFIX CNIOBoringSSL @@ -114,7 +111,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define BORINGSSL_API_VERSION 27 +#define BORINGSSL_API_VERSION 32 #if defined(BORINGSSL_SHARED_LIBRARY) @@ -186,6 +183,13 @@ extern "C" { #define OPENSSL_PRINTF_FORMAT_FUNC(string_index, first_to_check) #endif +// OPENSSL_CLANG_PRAGMA emits a pragma on clang and nothing on other compilers. +#if defined(__clang__) +#define OPENSSL_CLANG_PRAGMA(arg) _Pragma(arg) +#else +#define OPENSSL_CLANG_PRAGMA(arg) +#endif + // OPENSSL_MSVC_PRAGMA emits a pragma on MSVC and nothing on other compilers. #if defined(_MSC_VER) #define OPENSSL_MSVC_PRAGMA(arg) __pragma(arg) @@ -291,6 +295,7 @@ typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct BASIC_CONSTRAINTS_st BASIC_CONSTRAINTS; typedef struct DIST_POINT_st DIST_POINT; typedef struct DSA_SIG_st DSA_SIG; +typedef struct GENERAL_NAME_st GENERAL_NAME; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS; typedef struct Netscape_spkac_st NETSCAPE_SPKAC; @@ -362,6 +367,7 @@ typedef struct sha_state_st SHA_CTX; typedef struct spake2_ctx_st SPAKE2_CTX; typedef struct srtp_protection_profile_st SRTP_PROTECTION_PROFILE; typedef struct ssl_cipher_st SSL_CIPHER; +typedef struct ssl_credential_st SSL_CREDENTIAL; typedef struct ssl_ctx_st SSL_CTX; typedef struct ssl_early_callback_ctx SSL_CLIENT_HELLO; typedef struct ssl_ech_keys_st SSL_ECH_KEYS; 
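Review bot: The first hunk drops the `#if defined(__APPLE__) && defined(__i386__)` / `#define OPENSSL_NO_ASM` override without a replacement, so 32-bit Apple builds now get whatever the upstream default selects; unless upstream's assembly now covers that target or the package has stopped supporting it, this is a build-behaviour change worth stating in the description or in a comment next to `#define BORINGSSL_PREFIX CNIOBoringSSL`. The `BORINGSSL_API_VERSION` bump from 27 to 32 in the second hunk spans several upstream API removals visible in this chunk (the `X509_TRUST` typedef removed in the next hunk, the `BIO_new_fp`/`BIO_set_fp` signature changes in bio.h); the "fixup for the API breaks" commit named in the description is not in this chunk, so its coverage cannot be confirmed here.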
@@ -377,15 +383,16 @@ typedef struct trust_token_client_st TRUST_TOKEN_CLIENT; typedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER; typedef struct trust_token_method_st TRUST_TOKEN_METHOD; typedef struct v3_ext_ctx X509V3_CTX; +typedef struct v3_ext_method X509V3_EXT_METHOD; typedef struct x509_attributes_st X509_ATTRIBUTE; typedef struct x509_lookup_st X509_LOOKUP; typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; typedef struct x509_object_st X509_OBJECT; +typedef struct x509_purpose_st X509_PURPOSE; typedef struct x509_revoked_st X509_REVOKED; typedef struct x509_st X509; typedef struct x509_store_ctx_st X509_STORE_CTX; typedef struct x509_store_st X509_STORE; -typedef struct x509_trust_st X509_TRUST; typedef void *OPENSSL_BLOCK; diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bcm_public.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bcm_public.h new file mode 100644 index 000000000..f679b7d32 --- /dev/null +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bcm_public.h 
@@ -0,0 +1,82 @@ +/* Copyright (c) 2024, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_BCM_PUBLIC_H_ +#define OPENSSL_HEADER_BCM_PUBLIC_H_ + +#include "CNIOBoringSSL_base.h" + +#if defined(__cplusplus) +extern "C" { +#endif + +// Public types referenced by BoringCrypto +// +// This header contains public types referenced by BCM. Such types are difficult +// to hide from the libcrypto interface, so we treat them as part of BCM. + +// BCM_SHA_CBLOCK is the block size of SHA-1. +#define BCM_SHA_CBLOCK 64 + +// SHA_CTX +struct sha_state_st { +#if defined(__cplusplus) || defined(OPENSSL_WINDOWS) + uint32_t h[5]; +#else + // wpa_supplicant accesses |h0|..|h4| so we must support those names for + // compatibility with it until it can be updated. Anonymous unions are only + // standard in C11, so disable this workaround in C++. + union { + uint32_t h[5]; + struct { + uint32_t h0; + uint32_t h1; + uint32_t h2; + uint32_t h3; + uint32_t h4; + }; + }; +#endif + uint32_t Nl, Nh; + uint8_t data[BCM_SHA_CBLOCK]; + unsigned num; +}; + +// SHA256_CBLOCK is the block size of SHA-256. 
+#define BCM_SHA256_CBLOCK 64 + +// SHA256_CTX +struct sha256_state_st { + uint32_t h[8]; + uint32_t Nl, Nh; + uint8_t data[BCM_SHA256_CBLOCK]; + unsigned num, md_len; +}; + +// BCM_SHA512_CBLOCK is the block size of SHA-512. +#define BCM_SHA512_CBLOCK 128 + +struct sha512_state_st { + uint64_t h[8]; + uint64_t Nl, Nh; + uint8_t p[BCM_SHA512_CBLOCK]; + unsigned num, md_len; +}; + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_BCM_PUBLIC_H_ diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h index 92cda1a11..d0b930cfc 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h @@ -269,11 +269,11 @@ OPENSSL_EXPORT int BIO_set_close(BIO *bio, int close_flag); // BIO_number_read returns the number of bytes that have been read from // |bio|. -OPENSSL_EXPORT size_t BIO_number_read(const BIO *bio); +OPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio); // BIO_number_written returns the number of bytes that have been written to // |bio|. -OPENSSL_EXPORT size_t BIO_number_written(const BIO *bio); +OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio); // Managing chains of BIOs. 
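Review bot: `BIO_number_read` and `BIO_number_written` now return `uint64_t` instead of `size_t`, and the matching `num_read, num_write` fields in `struct bio_st` change type in the `@@ -870,7 +937,7 @@` hunk; on 32-bit targets that is a different ABI type, and in the Swift importer the return type presumably changes from `Int` to `UInt64`, so any Swift-side caller or test comparing these values against `Int` needs an explicit conversion. That would belong in the fixup commit the description mentions, which this chunk does not show.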
@@ -473,41 +473,82 @@ OPENSSL_EXPORT int BIO_get_fd(BIO *bio, int *out_fd); OPENSSL_EXPORT const BIO_METHOD *BIO_s_file(void); // BIO_new_file creates a file BIO by opening |filename| with the given mode. -// See the |fopen| manual page for details of the mode argument. +// See the |fopen| manual page for details of the mode argument. On Windows, +// files may be opened in either binary or text mode so, as in |fopen|, callers +// must specify the desired option in |mode|. OPENSSL_EXPORT BIO *BIO_new_file(const char *filename, const char *mode); -// BIO_new_fp creates a new file BIO that wraps the given |FILE|. If -// |close_flag| is |BIO_CLOSE|, then |fclose| will be called on |stream| when -// the BIO is closed. -OPENSSL_EXPORT BIO *BIO_new_fp(FILE *stream, int close_flag); +// BIO_FP_TEXT indicates the |FILE| should be switched to text mode on Windows. +// It has no effect on non-Windows platforms. +#define BIO_FP_TEXT 0x10 + +// BIO_new_fp creates a new file BIO that wraps |file|. If |flags| contains +// |BIO_CLOSE|, then |fclose| will be called on |file| when the BIO is closed. +// +// On Windows, if |flags| contains |BIO_FP_TEXT|, this function will +// additionally switch |file| to text mode. This is not recommended, but may be +// required for OpenSSL compatibility. If |file| was not already in text mode, +// mode changes can cause unflushed data in |file| to be written in unexpected +// ways. See |_setmode| in Windows documentation for details. +// +// Unlike OpenSSL, if |flags| does not contain |BIO_FP_TEXT|, the translation +// mode of |file| is left as-is. In OpenSSL, |file| will be set to binary, with +// the same pitfalls as above. BoringSSL does not do this so that wrapping a +// |FILE| in a |BIO| will not inadvertently change its state. +// +// To avoid these pitfalls, callers should set the desired translation mode when +// opening the file. If targeting just BoringSSL, this is sufficient. 
If +// targeting both OpenSSL and BoringSSL, callers should set |BIO_FP_TEXT| to +// match the desired state of the file. +OPENSSL_EXPORT BIO *BIO_new_fp(FILE *file, int flags); // BIO_get_fp sets |*out_file| to the current |FILE| for |bio|. It returns one // on success and zero otherwise. OPENSSL_EXPORT int BIO_get_fp(BIO *bio, FILE **out_file); -// BIO_set_fp sets the |FILE| for |bio|. If |close_flag| is |BIO_CLOSE| then +// BIO_set_fp sets the |FILE| for |bio|. If |flags| contains |BIO_CLOSE| then // |fclose| will be called on |file| when |bio| is closed. It returns one on // success and zero otherwise. -OPENSSL_EXPORT int BIO_set_fp(BIO *bio, FILE *file, int close_flag); +// +// On Windows, if |flags| contains |BIO_FP_TEXT|, this function will +// additionally switch |file| to text mode. This is not recommended, but may be +// required for OpenSSL compatibility. If |file| was not already in text mode, +// mode changes can cause unflushed data in |file| to be written in unexpected +// ways. See |_setmode| in Windows documentation for details. +// +// Unlike OpenSSL, if |flags| does not contain |BIO_FP_TEXT|, the translation +// mode of |file| is left as-is. In OpenSSL, |file| will be set to binary, with +// the same pitfalls as above. BoringSSL does not do this so that wrapping a +// |FILE| in a |BIO| will not inadvertently change its state. +// +// To avoid these pitfalls, callers should set the desired translation mode when +// opening the file. If targeting just BoringSSL, this is sufficient. If +// targeting both OpenSSL and BoringSSL, callers should set |BIO_FP_TEXT| to +// match the desired state of the file. +OPENSSL_EXPORT int BIO_set_fp(BIO *bio, FILE *file, int flags); // BIO_read_filename opens |filename| for reading and sets the result as the // |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE| -// will be closed when |bio| is freed. +// will be closed when |bio| is freed. On Windows, the file is opened in binary +// mode. 
OPENSSL_EXPORT int BIO_read_filename(BIO *bio, const char *filename); // BIO_write_filename opens |filename| for writing and sets the result as the // |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE| -// will be closed when |bio| is freed. +// will be closed when |bio| is freed. On Windows, the file is opened in binary +// mode. OPENSSL_EXPORT int BIO_write_filename(BIO *bio, const char *filename); // BIO_append_filename opens |filename| for appending and sets the result as // the |FILE| for |bio|. It returns one on success and zero otherwise. The -// |FILE| will be closed when |bio| is freed. +// |FILE| will be closed when |bio| is freed. On Windows, the file is opened in +// binary mode. OPENSSL_EXPORT int BIO_append_filename(BIO *bio, const char *filename); // BIO_rw_filename opens |filename| for reading and writing and sets the result // as the |FILE| for |bio|. It returns one on success and zero otherwise. The -// |FILE| will be closed when |bio| is freed. +// |FILE| will be closed when |bio| is freed. On Windows, the file is opened in +// binary mode. OPENSSL_EXPORT int BIO_rw_filename(BIO *bio, const char *filename); // BIO_tell returns the file offset of |bio|, or a negative number on error or 
@@ -673,39 +714,49 @@ OPENSSL_EXPORT void BIO_meth_free(BIO_METHOD *method); // and returns one. The function should return one on success and zero on // error. OPENSSL_EXPORT int BIO_meth_set_create(BIO_METHOD *method, - int (*create)(BIO *)); + int (*create_func)(BIO *)); // BIO_meth_set_destroy sets a function to release data associated with a |BIO| // and returns one. The function's return value is ignored. OPENSSL_EXPORT int BIO_meth_set_destroy(BIO_METHOD *method, - int (*destroy)(BIO *)); + int (*destroy_func)(BIO *)); // BIO_meth_set_write sets the implementation of |BIO_write| for |method| and // returns one. |BIO_METHOD|s which implement |BIO_write| should also implement // |BIO_CTRL_FLUSH|. (See |BIO_meth_set_ctrl|.) OPENSSL_EXPORT int BIO_meth_set_write(BIO_METHOD *method, - int (*write)(BIO *, const char *, int)); + int (*write_func)(BIO *, const char *, + int)); // BIO_meth_set_read sets the implementation of |BIO_read| for |method| and // returns one. OPENSSL_EXPORT int BIO_meth_set_read(BIO_METHOD *method, - int (*read)(BIO *, char *, int)); + int (*read_func)(BIO *, char *, int)); // BIO_meth_set_gets sets the implementation of |BIO_gets| for |method| and // returns one. OPENSSL_EXPORT int BIO_meth_set_gets(BIO_METHOD *method, - int (*gets)(BIO *, char *, int)); + int (*gets_func)(BIO *, char *, int)); // BIO_meth_set_ctrl sets the implementation of |BIO_ctrl| for |method| and // returns one. OPENSSL_EXPORT int BIO_meth_set_ctrl(BIO_METHOD *method, - long (*ctrl)(BIO *, int, long, void *)); + long (*ctrl_func)(BIO *, int, long, + void *)); // BIO_set_data sets custom data on |bio|. It may be retried with // |BIO_get_data|. +// +// This function should only be called by the implementation of a custom |BIO|. +// In particular, the data pointer of a built-in |BIO| is private to the +// library. For other uses, see |BIO_set_ex_data| and |BIO_set_app_data|. 
OPENSSL_EXPORT void BIO_set_data(BIO *bio, void *ptr); // BIO_get_data returns custom data on |bio| set by |BIO_get_data|. +// +// This function should only be called by the implementation of a custom |BIO|. +// In particular, the data pointer of a built-in |BIO| is private to the +// library. For other uses, see |BIO_get_ex_data| and |BIO_get_app_data|. OPENSSL_EXPORT void *BIO_get_data(BIO *bio); // BIO_set_init sets whether |bio| has been fully initialized. Until fully @@ -761,6 +812,21 @@ OPENSSL_EXPORT int BIO_get_init(BIO *bio); #define BIO_CTRL_SET_FILENAME 30 +// ex_data functions. +// +// See |ex_data.h| for details. + +OPENSSL_EXPORT int BIO_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_unused *unused, + CRYPTO_EX_dup *dup_unused, + CRYPTO_EX_free *free_func); +OPENSSL_EXPORT int BIO_set_ex_data(BIO *bio, int idx, void *arg); +OPENSSL_EXPORT void *BIO_get_ex_data(const BIO *bio, int idx); + +#define BIO_set_app_data(bio, arg) (BIO_set_ex_data(bio, 0, (char *)(arg))) +#define BIO_get_app_data(bio) (BIO_get_ex_data(bio, 0)) + + // Deprecated functions. // BIO_f_base64 returns a filter |BIO| that base64-encodes data written into 
@@ -801,37 +867,37 @@ OPENSSL_EXPORT int BIO_meth_set_puts(BIO_METHOD *method, // or change the data in any way. #define BIO_FLAGS_MEM_RDONLY 0x200 -// These are the 'types' of BIOs -#define BIO_TYPE_NONE 0 -#define BIO_TYPE_MEM (1 | 0x0400) -#define BIO_TYPE_FILE (2 | 0x0400) -#define BIO_TYPE_FD (4 | 0x0400 | 0x0100) -#define BIO_TYPE_SOCKET (5 | 0x0400 | 0x0100) -#define BIO_TYPE_NULL (6 | 0x0400) -#define BIO_TYPE_SSL (7 | 0x0200) -#define BIO_TYPE_MD (8 | 0x0200) // passive filter -#define BIO_TYPE_BUFFER (9 | 0x0200) // filter -#define BIO_TYPE_CIPHER (10 | 0x0200) // filter -#define BIO_TYPE_BASE64 (11 | 0x0200) // filter -#define BIO_TYPE_CONNECT (12 | 0x0400 | 0x0100) // socket - connect -#define BIO_TYPE_ACCEPT (13 | 0x0400 | 0x0100) // socket for accept -#define BIO_TYPE_PROXY_CLIENT (14 | 0x0200) // client proxy BIO -#define BIO_TYPE_PROXY_SERVER (15 | 0x0200) // server proxy BIO -#define BIO_TYPE_NBIO_TEST (16 | 0x0200) // server proxy BIO -#define BIO_TYPE_NULL_FILTER (17 | 0x0200) -#define BIO_TYPE_BER (18 | 0x0200) // BER -> bin filter -#define BIO_TYPE_BIO (19 | 0x0400) // (half a) BIO pair -#define BIO_TYPE_LINEBUFFER (20 | 0x0200) // filter -#define BIO_TYPE_DGRAM (21 | 0x0400 | 0x0100) -#define BIO_TYPE_ASN1 (22 | 0x0200) // filter -#define BIO_TYPE_COMP (23 | 0x0200) // filter - // BIO_TYPE_DESCRIPTOR denotes that the |BIO| responds to the |BIO_C_SET_FD| // (|BIO_set_fd|) and |BIO_C_GET_FD| (|BIO_get_fd|) control hooks. 
#define BIO_TYPE_DESCRIPTOR 0x0100 // socket, fd, connect or accept #define BIO_TYPE_FILTER 0x0200 #define BIO_TYPE_SOURCE_SINK 0x0400 +// These are the 'types' of BIOs +#define BIO_TYPE_NONE 0 +#define BIO_TYPE_MEM (1 | BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_FILE (2 | BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_FD (4 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_SOCKET (5 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_NULL (6 | BIO_TYPE_SOURCE_SINK) +#define BIO_TYPE_SSL (7 | BIO_TYPE_FILTER) +#define BIO_TYPE_MD (8 | BIO_TYPE_FILTER) +#define BIO_TYPE_BUFFER (9 | BIO_TYPE_FILTER) +#define BIO_TYPE_CIPHER (10 | BIO_TYPE_FILTER) +#define BIO_TYPE_BASE64 (11 | BIO_TYPE_FILTER) +#define BIO_TYPE_CONNECT (12 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_ACCEPT (13 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_PROXY_CLIENT (14 | BIO_TYPE_FILTER) +#define BIO_TYPE_PROXY_SERVER (15 | BIO_TYPE_FILTER) +#define BIO_TYPE_NBIO_TEST (16 | BIO_TYPE_FILTER) +#define BIO_TYPE_NULL_FILTER (17 | BIO_TYPE_FILTER) +#define BIO_TYPE_BER (18 | BIO_TYPE_FILTER) // BER -> bin filter +#define BIO_TYPE_BIO (19 | BIO_TYPE_SOURCE_SINK) // (half a) BIO pair +#define BIO_TYPE_LINEBUFFER (20 | BIO_TYPE_FILTER) +#define BIO_TYPE_DGRAM (21 | BIO_TYPE_SOURCE_SINK | BIO_TYPE_DESCRIPTOR) +#define BIO_TYPE_ASN1 (22 | BIO_TYPE_FILTER) +#define BIO_TYPE_COMP (23 | BIO_TYPE_FILTER) + // BIO_TYPE_START is the first user-allocated |BIO| type. No pre-defined type, // flag bits aside, may exceed this value. #define BIO_TYPE_START 128 @@ -852,6 +918,7 @@ struct bio_method_st { struct bio_st { const BIO_METHOD *method; + CRYPTO_EX_DATA ex_data; // init is non-zero if this |BIO| has been initialised. int init; 
@@ -870,7 +937,7 @@ struct bio_st { // next_bio points to the next |BIO| in a chain. This |BIO| owns a reference // to |next_bio|. BIO *next_bio; // used by filter BIOs - size_t num_read, num_write; + uint64_t num_read, num_write; }; #define BIO_C_SET_CONNECT 100 diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h index c407d64c2..79b49e832 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bn.h @@ -387,9 +387,9 @@ OPENSSL_EXPORT void BN_CTX_end(BN_CTX *ctx); // or |b|. It returns one on success and zero on allocation failure. OPENSSL_EXPORT int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// BN_uadd sets |r| = |a| + |b|, where |a| and |b| are non-negative and |r| may -// be the same pointer as either |a| or |b|. It returns one on success and zero -// on allocation failure. +// BN_uadd sets |r| = |a| + |b|, considering only the absolute values of |a| and +// |b|. |r| may be the same pointer as either |a| or |b|. It returns one on +// success and zero on allocation failure. OPENSSL_EXPORT int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); // BN_add_word adds |w| to |a|. It returns one on success and zero otherwise. 
@@ -399,9 +399,9 @@ OPENSSL_EXPORT int BN_add_word(BIGNUM *a, BN_ULONG w); // or |b|. It returns one on success and zero on allocation failure. OPENSSL_EXPORT int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// BN_usub sets |r| = |a| - |b|, where |a| and |b| are non-negative integers, -// |b| < |a| and |r| may be the same pointer as either |a| or |b|. It returns -// one on success and zero on allocation failure. +// BN_usub sets |r| = |a| - |b|, considering only the absolute values of |a| and +// |b|. The result must be non-negative, i.e. |b| <= |a|. |r| may be the same +// pointer as either |a| or |b|. It returns one on success and zero on error. OPENSSL_EXPORT int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); // BN_sub_word subtracts |w| from |a|. It returns one on success and zero on @@ -424,9 +424,14 @@ OPENSSL_EXPORT int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); // BN_div divides |numerator| by |divisor| and places the result in |quotient| // and the remainder in |rem|. Either of |quotient| or |rem| may be NULL, in -// which case the respective value is not returned. The result is rounded -// towards zero; thus if |numerator| is negative, the remainder will be zero or -// negative. It returns one on success or zero on error. +// which case the respective value is not returned. It returns one on success or +// zero on error. It is an error condition if |divisor| is zero. +// +// The outputs will be such that |quotient| * |divisor| + |rem| = |numerator|, +// with the quotient rounded towards zero. Thus, if |numerator| is negative, +// |rem| will be zero or negative. If |divisor| is negative, the sign of +// |quotient| will be flipped to compensate but otherwise rounding will be as if +// |divisor| were its absolute value. OPENSSL_EXPORT int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, const BIGNUM *divisor, BN_CTX *ctx); 
@@ -666,11 +671,11 @@ OPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); // The callback receives the address of that |BN_GENCB| structure as its last // argument and the user is free to put an arbitrary pointer in |arg|. The other // arguments are set as follows: -// event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime +// - event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime // number. -// event=BN_GENCB_PRIME_TEST, n=-1: when finished trial division primality +// - event=BN_GENCB_PRIME_TEST, n=-1: when finished trial division primality // checks. -// event=BN_GENCB_PRIME_TEST, n=i: when the i'th primality test has finished. +// - event=BN_GENCB_PRIME_TEST, n=i: when the i'th primality test has finished. // // The callback can return zero to abort the generation progress or one to // allow it to continue. diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h index 2c5fe0aa3..f334cd923 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h 
@@ -210,6 +210,32 @@
 #define BASIC_CONSTRAINTS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_free)
 #define BASIC_CONSTRAINTS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_it)
 #define BASIC_CONSTRAINTS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_new)
+#define BCM_fips_186_2_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_fips_186_2_prf)
+#define BCM_rand_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_rand_bytes)
+#define BCM_rand_bytes_hwrng BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_rand_bytes_hwrng)
+#define BCM_rand_bytes_with_additional_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_rand_bytes_with_additional_data)
+#define BCM_sha1_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_final)
+#define BCM_sha1_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_init)
+#define BCM_sha1_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_transform)
+#define BCM_sha1_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha1_update)
+#define BCM_sha224_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha224_final)
+#define BCM_sha224_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha224_init)
+#define BCM_sha224_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha224_update)
+#define BCM_sha256_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_final)
+#define BCM_sha256_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_init)
+#define BCM_sha256_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_transform)
+#define BCM_sha256_transform_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_transform_blocks)
+#define BCM_sha256_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha256_update)
+#define BCM_sha384_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha384_final)
+#define BCM_sha384_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha384_init)
+#define BCM_sha384_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha384_update)
+#define BCM_sha512_256_final
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_256_final)
+#define BCM_sha512_256_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_256_init)
+#define BCM_sha512_256_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_256_update)
+#define BCM_sha512_final BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_final)
+#define BCM_sha512_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_init)
+#define BCM_sha512_transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_transform)
+#define BCM_sha512_update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BCM_sha512_update)
 #define BIO_append_filename BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_append_filename)
 #define BIO_callback_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_callback_ctrl)
 #define BIO_clear_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_clear_flags)
@@ -227,6 +253,8 @@
 #define BIO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_free)
 #define BIO_free_all BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_free_all)
 #define BIO_get_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_data)
+#define BIO_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_ex_data)
+#define BIO_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_ex_new_index)
 #define BIO_get_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_fd)
 #define BIO_get_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_fp)
 #define BIO_get_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_get_init)
@@ -284,6 +312,7 @@
 #define BIO_set_conn_int_port BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_int_port)
 #define BIO_set_conn_port BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_port)
 #define BIO_set_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_data)
+#define BIO_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_ex_data)
 #define BIO_set_fd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_fd)
 #define BIO_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_flags)
 #define BIO_set_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_fp)
@@ -614,6 +643,7 @@
 #define CRYPTO_cleanup_all_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_cleanup_all_ex_data)
 #define CRYPTO_ctr128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt)
 #define CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32)
+#define CRYPTO_fips_186_2_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_fips_186_2_prf)
 #define CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_fork_detect_force_madv_wipeonfork_for_testing)
 #define CRYPTO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free)
 #define CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free_ex_data)
@@ -630,10 +660,11 @@
 #define CRYPTO_get_dynlock_destroy_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_dynlock_destroy_callback)
 #define CRYPTO_get_dynlock_lock_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_dynlock_lock_callback)
 #define CRYPTO_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_ex_data)
-#define CRYPTO_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_ex_new_index)
+#define CRYPTO_get_ex_new_index_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_ex_new_index_ex)
 #define CRYPTO_get_fork_generation BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_fork_generation)
 #define CRYPTO_get_lock_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_lock_name)
 #define CRYPTO_get_locking_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_locking_callback)
+#define CRYPTO_get_stderr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_stderr)
 #define CRYPTO_get_thread_local BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_get_thread_local)
 #define CRYPTO_ghash_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ghash_init)
 #define CRYPTO_has_asm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_has_asm)
@@ -679,15 +710,24 @@ #define CTR_DRBG_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_init) #define CTR_DRBG_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_new) #define CTR_DRBG_reseed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CTR_DRBG_reseed) -#define ChaCha20_ctr32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32) +#define ChaCha20_ctr32_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2) +#define ChaCha20_ctr32_neon BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_neon) +#define ChaCha20_ctr32_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_nohw) +#define ChaCha20_ctr32_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3) +#define ChaCha20_ctr32_ssse3_4x BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x) #define DES_decrypt3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_decrypt3) #define DES_ecb3_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb3_encrypt) +#define DES_ecb3_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb3_encrypt_ex) #define DES_ecb_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb_encrypt) +#define DES_ecb_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ecb_encrypt_ex) #define DES_ede2_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede2_cbc_encrypt) #define DES_ede3_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt) +#define DES_ede3_cbc_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt_ex) #define DES_encrypt3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_encrypt3) #define DES_ncbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ncbc_encrypt) +#define DES_ncbc_encrypt_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_ncbc_encrypt_ex) #define DES_set_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key) +#define DES_set_key_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key_ex) #define DES_set_key_unchecked BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_key_unchecked) #define DES_set_odd_parity 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DES_set_odd_parity) #define DH_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_bits) @@ -717,6 +757,16 @@ #define DH_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_size) #define DH_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DH_up_ref) #define DHparams_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DHparams_dup) +#define DILITHIUM_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_generate_key) +#define DILITHIUM_generate_key_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_generate_key_external_entropy) +#define DILITHIUM_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_marshal_private_key) +#define DILITHIUM_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_marshal_public_key) +#define DILITHIUM_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_parse_private_key) +#define DILITHIUM_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_parse_public_key) +#define DILITHIUM_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_public_from_private) +#define DILITHIUM_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_sign) +#define DILITHIUM_sign_deterministic BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_sign_deterministic) +#define DILITHIUM_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DILITHIUM_verify) #define DIRECTORYSTRING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIRECTORYSTRING_free) #define DIRECTORYSTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIRECTORYSTRING_it) #define DIRECTORYSTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIRECTORYSTRING_new) 
@@ -923,6 +973,7 @@ #define ERR_get_error_line_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_get_error_line_data) #define ERR_get_next_error_library BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_get_next_error_library) #define ERR_lib_error_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_lib_error_string) +#define ERR_lib_symbol_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_lib_symbol_name) #define ERR_load_BIO_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_BIO_strings) #define ERR_load_ERR_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_ERR_strings) #define ERR_load_RAND_strings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_load_RAND_strings) @@ -940,6 +991,7 @@ #define ERR_print_errors_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_print_errors_fp) #define ERR_put_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_put_error) #define ERR_reason_error_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_reason_error_string) +#define ERR_reason_symbol_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_reason_symbol_name) #define ERR_remove_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_remove_state) #define ERR_remove_thread_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_remove_thread_state) #define ERR_restore_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_restore_state) 
@@ -1112,6 +1164,7 @@ #define EVP_PKEY_CTX_set0_rsa_oaep_label BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set0_rsa_oaep_label) #define EVP_PKEY_CTX_set1_hkdf_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_key) #define EVP_PKEY_CTX_set1_hkdf_salt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_salt) +#define EVP_PKEY_CTX_set_dh_pad BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dh_pad) #define EVP_PKEY_CTX_set_dsa_paramgen_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_bits) #define EVP_PKEY_CTX_set_dsa_paramgen_q_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_q_bits) #define EVP_PKEY_CTX_set_ec_param_enc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_ec_param_enc) @@ -1128,6 +1181,7 @@ #define EVP_PKEY_CTX_set_rsa_pss_saltlen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_saltlen) #define EVP_PKEY_CTX_set_signature_md BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_signature_md) #define EVP_PKEY_assign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign) +#define EVP_PKEY_assign_DH BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_DH) #define EVP_PKEY_assign_DSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_DSA) #define EVP_PKEY_assign_EC_KEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_EC_KEY) #define EVP_PKEY_assign_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_assign_RSA) 
@@ -1169,6 +1223,7 @@ #define EVP_PKEY_print_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_print_params) #define EVP_PKEY_print_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_print_private) #define EVP_PKEY_print_public BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_print_public) +#define EVP_PKEY_set1_DH BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_DH) #define EVP_PKEY_set1_DSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_DSA) #define EVP_PKEY_set1_EC_KEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_EC_KEY) #define EVP_PKEY_set1_RSA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_PKEY_set1_RSA) @@ -1253,6 +1308,7 @@ #define EVP_hpke_aes_256_gcm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_aes_256_gcm) #define EVP_hpke_chacha20_poly1305 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_chacha20_poly1305) #define EVP_hpke_hkdf_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_hkdf_sha256) +#define EVP_hpke_p256_hkdf_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_p256_hkdf_sha256) #define EVP_hpke_x25519_hkdf_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_hpke_x25519_hkdf_sha256) #define EVP_marshal_digest_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_marshal_digest_algorithm) #define EVP_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_marshal_private_key) 
@@ -1355,6 +1411,40 @@ #define MD5_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MD5_Update) #define METHOD_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, METHOD_ref) #define METHOD_unref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, METHOD_unref) +#define MLDSA65_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_generate_key) +#define MLDSA65_generate_key_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_generate_key_external_entropy) +#define MLDSA65_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_marshal_private_key) +#define MLDSA65_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_marshal_public_key) +#define MLDSA65_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_parse_private_key) +#define MLDSA65_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_parse_public_key) +#define MLDSA65_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_private_key_from_seed) +#define MLDSA65_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_public_from_private) +#define MLDSA65_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_sign) +#define MLDSA65_sign_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_sign_internal) +#define MLDSA65_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_verify) +#define MLDSA65_verify_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLDSA65_verify_internal) +#define MLKEM1024_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_decap) +#define MLKEM1024_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_encap) +#define MLKEM1024_encap_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_encap_external_entropy) +#define MLKEM1024_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_generate_key) +#define MLKEM1024_generate_key_external_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_generate_key_external_seed) +#define MLKEM1024_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
MLKEM1024_marshal_private_key) +#define MLKEM1024_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_marshal_public_key) +#define MLKEM1024_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_parse_private_key) +#define MLKEM1024_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_parse_public_key) +#define MLKEM1024_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_private_key_from_seed) +#define MLKEM1024_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM1024_public_from_private) +#define MLKEM768_decap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_decap) +#define MLKEM768_encap BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_encap) +#define MLKEM768_encap_external_entropy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_encap_external_entropy) +#define MLKEM768_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_generate_key) +#define MLKEM768_generate_key_external_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_generate_key_external_seed) +#define MLKEM768_marshal_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_marshal_private_key) +#define MLKEM768_marshal_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_marshal_public_key) +#define MLKEM768_parse_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_parse_private_key) +#define MLKEM768_parse_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_parse_public_key) +#define MLKEM768_private_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_private_key_from_seed) +#define MLKEM768_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, MLKEM768_public_from_private) #define NAME_CONSTRAINTS_check BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NAME_CONSTRAINTS_check) #define NAME_CONSTRAINTS_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NAME_CONSTRAINTS_free) #define NAME_CONSTRAINTS_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, NAME_CONSTRAINTS_it) 
@@ -1419,6 +1509,7 @@ #define OPENSSL_gmtime_diff BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_gmtime_diff) #define OPENSSL_hash32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_hash32) #define OPENSSL_ia32cap_P BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_ia32cap_P) +#define OPENSSL_init_cpuid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_init_cpuid) #define OPENSSL_init_crypto BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_init_crypto) #define OPENSSL_init_ssl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_init_ssl) #define OPENSSL_isalnum BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, OPENSSL_isalnum) @@ -1633,7 +1724,6 @@ #define RAND_SSLeay BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_SSLeay) #define RAND_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_add) #define RAND_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_bytes) -#define RAND_bytes_with_additional_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_bytes_with_additional_data) #define RAND_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_cleanup) #define RAND_disable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_disable_fork_unsafe_buffering) #define RAND_egd BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RAND_egd) @@ -1657,6 +1747,7 @@ #define RSA_PSS_PARAMS_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_PSS_PARAMS_new) #define RSA_add_pkcs1_prefix BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_add_pkcs1_prefix) #define RSA_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_bits) +#define RSA_blinding_off BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_blinding_off) #define RSA_blinding_on BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_blinding_on) #define RSA_check_fips BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_check_fips) #define RSA_check_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_check_key) 
@@ -1753,10 +1844,21 @@ #define SHA512_Transform BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_Transform) #define SHA512_Update BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SHA512_Update) #define SIPHASH_24 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SIPHASH_24) +#define SLHDSA_SHA2_128S_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_generate_key) +#define SLHDSA_SHA2_128S_generate_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_generate_key_from_seed) +#define SLHDSA_SHA2_128S_public_from_private BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_public_from_private) +#define SLHDSA_SHA2_128S_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_sign) +#define SLHDSA_SHA2_128S_sign_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_sign_internal) +#define SLHDSA_SHA2_128S_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_verify) +#define SLHDSA_SHA2_128S_verify_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_verify_internal) #define SPAKE2_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_CTX_free) #define SPAKE2_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_CTX_new) #define SPAKE2_generate_msg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_generate_msg) #define SPAKE2_process_msg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPAKE2_process_msg) +#define SPX_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPX_generate_key) +#define SPX_generate_key_from_seed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPX_generate_key_from_seed) +#define SPX_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPX_sign) +#define SPX_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SPX_verify) #define SSL_CIPHER_description BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_description) #define SSL_CIPHER_get_auth_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_auth_nid) #define SSL_CIPHER_get_bits BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CIPHER_get_bits) 
@@ -1781,8 +1883,23 @@ #define SSL_COMP_get_compression_methods BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_get_compression_methods) #define SSL_COMP_get_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_get_id) #define SSL_COMP_get_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_COMP_get_name) +#define SSL_CREDENTIAL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_free) +#define SSL_CREDENTIAL_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_data) +#define SSL_CREDENTIAL_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_new_index) +#define SSL_CREDENTIAL_new_delegated BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_delegated) +#define SSL_CREDENTIAL_new_x509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_x509) +#define SSL_CREDENTIAL_set1_cert_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_cert_chain) +#define SSL_CREDENTIAL_set1_delegated_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_delegated_credential) +#define SSL_CREDENTIAL_set1_ocsp_response BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_ocsp_response) +#define SSL_CREDENTIAL_set1_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_private_key) +#define SSL_CREDENTIAL_set1_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signed_cert_timestamp_list) +#define SSL_CREDENTIAL_set1_signing_algorithm_prefs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signing_algorithm_prefs) +#define SSL_CREDENTIAL_set_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_ex_data) +#define SSL_CREDENTIAL_set_private_key_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_private_key_method) +#define SSL_CREDENTIAL_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CREDENTIAL_up_ref) #define SSL_CTX_add0_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add0_chain_cert) #define 
SSL_CTX_add1_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add1_chain_cert) +#define SSL_CTX_add1_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add1_credential) #define SSL_CTX_add_cert_compression_alg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add_cert_compression_alg) #define SSL_CTX_add_client_CA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add_client_CA) #define SSL_CTX_add_extra_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_CTX_add_extra_chain_cert) @@ -1997,6 +2114,7 @@ #define SSL_accept BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_accept) #define SSL_add0_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add0_chain_cert) #define SSL_add1_chain_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add1_chain_cert) +#define SSL_add1_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add1_credential) #define SSL_add_application_settings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add_application_settings) #define SSL_add_bio_cert_subjects_to_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add_bio_cert_subjects_to_stack) #define SSL_add_client_CA BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_add_client_CA) @@ -2016,7 +2134,6 @@ #define SSL_clear_options BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_clear_options) #define SSL_connect BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_connect) #define SSL_cutthrough_complete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_cutthrough_complete) -#define SSL_delegated_credential_used BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_delegated_credential_used) #define SSL_do_handshake BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_do_handshake) #define SSL_dup_CA_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_dup_CA_list) #define SSL_early_callback_ctx_extension_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_early_callback_ctx_extension_get) 
@@ -2032,6 +2149,7 @@ #define SSL_generate_key_block BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_generate_key_block) #define SSL_get0_alpn_selected BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_alpn_selected) #define SSL_get0_certificate_types BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_certificate_types) +#define SSL_get0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_chain) #define SSL_get0_chain_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_chain_certs) #define SSL_get0_ech_name_override BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_ech_name_override) #define SSL_get0_ech_retry_configs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_ech_retry_configs) @@ -2042,6 +2160,7 @@ #define SSL_get0_peer_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_peer_certificates) #define SSL_get0_peer_delegation_algorithms BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_peer_delegation_algorithms) #define SSL_get0_peer_verify_algorithms BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_peer_verify_algorithms) +#define SSL_get0_selected_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_selected_credential) #define SSL_get0_server_requested_CAs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_server_requested_CAs) #define SSL_get0_session_id_context BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_session_id_context) #define SSL_get0_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_get0_signed_cert_timestamp_list) 
@@ -2171,7 +2290,6 @@ #define SSL_set1_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_chain) #define SSL_set1_curves BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_curves) #define SSL_set1_curves_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_curves_list) -#define SSL_set1_delegated_credential BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_delegated_credential) #define SSL_set1_ech_config_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_ech_config_list) #define SSL_set1_group_ids BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_group_ids) #define SSL_set1_groups BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set1_groups) @@ -2189,6 +2307,8 @@ #define SSL_set_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_bio) #define SSL_set_cert_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_cert_cb) #define SSL_set_chain_and_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_chain_and_key) +#define SSL_set_check_client_certificate_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_check_client_certificate_type) +#define SSL_set_check_ecdsa_curve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_check_ecdsa_curve) #define SSL_set_cipher_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_cipher_list) #define SSL_set_client_CA_list BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_client_CA_list) #define SSL_set_compliance_policy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, SSL_set_compliance_policy) 
@@ -2338,7 +2458,6 @@ #define X509V3_EXT_nconf_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_nconf_nid) #define X509V3_EXT_print BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_print) #define X509V3_EXT_print_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_print_fp) -#define X509V3_EXT_val_prn BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_EXT_val_prn) #define X509V3_NAME_from_section BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_NAME_from_section) #define X509V3_add1_i2d BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add1_i2d) #define X509V3_add_standard_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509V3_add_standard_extensions) @@ -2392,7 +2511,6 @@ #define X509_CRL_add_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_add_ext) #define X509_CRL_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_cmp) #define X509_CRL_delete_ext BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_delete_ext) -#define X509_CRL_diff BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_diff) #define X509_CRL_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_digest) #define X509_CRL_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_dup) #define X509_CRL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_CRL_free) 
@@ -2444,15 +2562,12 @@ #define X509_EXTENSION_set_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_set_data) #define X509_EXTENSION_set_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_EXTENSION_set_object) #define X509_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_INFO_free) -#define X509_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_INFO_new) -#define X509_LOOKUP_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_by_subject) +#define X509_LOOKUP_add_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_add_dir) #define X509_LOOKUP_ctrl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_ctrl) #define X509_LOOKUP_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_file) #define X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_free) #define X509_LOOKUP_hash_dir BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_hash_dir) -#define X509_LOOKUP_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_init) -#define X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_new) -#define X509_LOOKUP_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_shutdown) +#define X509_LOOKUP_load_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_LOOKUP_load_file) #define X509_NAME_ENTRIES_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRIES_it) #define X509_NAME_ENTRY_create_by_NID BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_NID) #define X509_NAME_ENTRY_create_by_OBJ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_OBJ) 
@@ -2492,34 +2607,24 @@ #define X509_NAME_print_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_print_ex) #define X509_NAME_print_ex_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_print_ex_fp) #define X509_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_NAME_set) +#define X509_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_free) #define X509_OBJECT_free_contents BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_free_contents) #define X509_OBJECT_get0_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_get0_X509) #define X509_OBJECT_get_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_get_type) -#define X509_OBJECT_idx_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_idx_by_subject) -#define X509_OBJECT_retrieve_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_retrieve_by_subject) -#define X509_OBJECT_retrieve_match BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_retrieve_match) -#define X509_OBJECT_up_ref_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_up_ref_count) -#define X509_PKEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PKEY_free) -#define X509_PKEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PKEY_new) +#define X509_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_OBJECT_new) #define X509_PUBKEY_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_free) #define X509_PUBKEY_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get) +#define X509_PUBKEY_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0) #define X509_PUBKEY_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0_param) #define X509_PUBKEY_get0_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_get0_public_key) #define X509_PUBKEY_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_it) #define X509_PUBKEY_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_new) #define X509_PUBKEY_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_set) #define 
X509_PUBKEY_set0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PUBKEY_set0_param) -#define X509_PURPOSE_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_add) -#define X509_PURPOSE_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_cleanup) #define X509_PURPOSE_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get0) -#define X509_PURPOSE_get0_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get0_name) -#define X509_PURPOSE_get0_sname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get0_sname) -#define X509_PURPOSE_get_by_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_by_id) #define X509_PURPOSE_get_by_sname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_by_sname) -#define X509_PURPOSE_get_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_count) #define X509_PURPOSE_get_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_id) #define X509_PURPOSE_get_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_get_trust) -#define X509_PURPOSE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_PURPOSE_set) #define X509_REQ_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_INFO_free) #define X509_REQ_INFO_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_INFO_it) #define X509_REQ_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_INFO_new) @@ -2535,6 +2640,7 @@ #define X509_REQ_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_dup) #define X509_REQ_extension_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_extension_nid) #define X509_REQ_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_free) +#define X509_REQ_get0_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get0_pubkey) #define X509_REQ_get0_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get0_signature) #define X509_REQ_get1_email BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get1_email) #define X509_REQ_get_attr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_REQ_get_attr) 
@@ -2587,13 +2693,15 @@ #define X509_STORE_CTX_get0_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_cert) #define X509_STORE_CTX_get0_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_chain) #define X509_STORE_CTX_get0_current_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_crl) -#define X509_STORE_CTX_get0_current_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_issuer) #define X509_STORE_CTX_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_param) #define X509_STORE_CTX_get0_parent_ctx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_parent_ctx) #define X509_STORE_CTX_get0_store BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_store) #define X509_STORE_CTX_get0_untrusted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get0_untrusted) +#define X509_STORE_CTX_get1_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_certs) #define X509_STORE_CTX_get1_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_chain) +#define X509_STORE_CTX_get1_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_crls) #define X509_STORE_CTX_get1_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get1_issuer) +#define X509_STORE_CTX_get_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_by_subject) #define X509_STORE_CTX_get_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_chain) #define X509_STORE_CTX_get_current_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_current_cert) #define X509_STORE_CTX_get_error BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_error) 
@@ -2602,11 +2710,9 @@ #define X509_STORE_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_new_index) #define X509_STORE_CTX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_init) #define X509_STORE_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_new) -#define X509_STORE_CTX_purpose_inherit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_purpose_inherit) #define X509_STORE_CTX_set0_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_crls) #define X509_STORE_CTX_set0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_param) #define X509_STORE_CTX_set0_trusted_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set0_trusted_stack) -#define X509_STORE_CTX_set_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_cert) #define X509_STORE_CTX_set_chain BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_chain) #define X509_STORE_CTX_set_default BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_default) #define X509_STORE_CTX_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_depth) 
@@ -2619,56 +2725,23 @@ #define X509_STORE_CTX_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_trust) #define X509_STORE_CTX_set_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_set_verify_cb) #define X509_STORE_CTX_trusted_stack BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_trusted_stack) -#define X509_STORE_CTX_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_CTX_zero) #define X509_STORE_add_cert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_cert) #define X509_STORE_add_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_crl) #define X509_STORE_add_lookup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_add_lookup) #define X509_STORE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_free) #define X509_STORE_get0_objects BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get0_objects) #define X509_STORE_get0_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get0_param) -#define X509_STORE_get1_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get1_certs) -#define X509_STORE_get1_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get1_crls) -#define X509_STORE_get_by_subject BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_by_subject) -#define X509_STORE_get_cert_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_cert_crl) -#define X509_STORE_get_check_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_check_crl) -#define X509_STORE_get_check_issued BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_check_issued) -#define X509_STORE_get_check_revocation BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_check_revocation) -#define X509_STORE_get_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_cleanup) -#define X509_STORE_get_get_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_get_crl) -#define X509_STORE_get_get_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_get_issuer) -#define X509_STORE_get_lookup_certs 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_lookup_certs) -#define X509_STORE_get_lookup_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_lookup_crls) -#define X509_STORE_get_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_verify) -#define X509_STORE_get_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_verify_cb) +#define X509_STORE_get1_objects BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get1_objects) #define X509_STORE_load_locations BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_load_locations) #define X509_STORE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_new) #define X509_STORE_set1_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set1_param) -#define X509_STORE_set_cert_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_cert_crl) -#define X509_STORE_set_check_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_check_crl) -#define X509_STORE_set_check_issued BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_check_issued) -#define X509_STORE_set_check_revocation BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_check_revocation) -#define X509_STORE_set_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_cleanup) #define X509_STORE_set_default_paths BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_default_paths) #define X509_STORE_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_depth) #define X509_STORE_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_flags) -#define X509_STORE_set_get_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_get_crl) -#define X509_STORE_set_get_issuer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_get_issuer) -#define X509_STORE_set_lookup_certs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_lookup_certs) -#define X509_STORE_set_lookup_crls BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_lookup_crls) #define X509_STORE_set_purpose BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
X509_STORE_set_purpose) #define X509_STORE_set_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_trust) -#define X509_STORE_set_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_verify) #define X509_STORE_set_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_verify_cb) #define X509_STORE_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_up_ref) -#define X509_TRUST_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_add) -#define X509_TRUST_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_cleanup) -#define X509_TRUST_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get0) -#define X509_TRUST_get0_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get0_name) -#define X509_TRUST_get_by_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get_by_id) -#define X509_TRUST_get_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get_count) -#define X509_TRUST_get_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get_flags) -#define X509_TRUST_get_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get_trust) -#define X509_TRUST_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_set) #define X509_VAL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_free) #define X509_VAL_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_it) #define X509_VAL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_new) 
@@ -2676,8 +2749,6 @@ #define X509_VERIFY_PARAM_add1_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add1_host) #define X509_VERIFY_PARAM_clear_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_clear_flags) #define X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_free) -#define X509_VERIFY_PARAM_get0_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_name) -#define X509_VERIFY_PARAM_get0_peername BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_peername) #define X509_VERIFY_PARAM_get_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_depth) #define X509_VERIFY_PARAM_get_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_flags) #define X509_VERIFY_PARAM_inherit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_inherit) @@ -2688,7 +2759,6 @@ #define X509_VERIFY_PARAM_set1_host BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_host) #define X509_VERIFY_PARAM_set1_ip BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip) #define X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip_asc) -#define X509_VERIFY_PARAM_set1_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_name) #define X509_VERIFY_PARAM_set1_policies BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_policies) #define X509_VERIFY_PARAM_set_depth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_depth) #define X509_VERIFY_PARAM_set_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_flags) 
@@ -2731,6 +2801,7 @@ #define X509_get0_extensions BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_extensions) #define X509_get0_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_notAfter) #define X509_get0_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_notBefore) +#define X509_get0_pubkey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_pubkey) #define X509_get0_pubkey_bitstr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_pubkey_bitstr) #define X509_get0_serialNumber BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_serialNumber) #define X509_get0_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_get0_signature) @@ -2769,6 +2840,7 @@ #define X509_getm_notAfter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_getm_notAfter) #define X509_getm_notBefore BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_getm_notBefore) #define X509_gmtime_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_gmtime_adj) +#define X509_is_valid_trust_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_is_valid_trust_id) #define X509_issuer_name_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_issuer_name_cmp) #define X509_issuer_name_hash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_issuer_name_hash) #define X509_issuer_name_hash_old BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_issuer_name_hash_old) @@ -2822,7 +2894,6 @@ #define X509v3_get_ext_by_critical BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_by_critical) #define X509v3_get_ext_count BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509v3_get_ext_count) #define __clang_call_terminate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, __clang_call_terminate) -#define a2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_GENERAL_NAME) #define a2i_IPADDRESS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_IPADDRESS) #define a2i_IPADDRESS_NC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, a2i_IPADDRESS_NC) #define aes128gcmsiv_aes_ks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks) 
@@ -2847,8 +2918,11 @@ #define aes_hw_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_decrypt) #define aes_hw_ecb_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_ecb_encrypt) #define aes_hw_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_encrypt) +#define aes_hw_encrypt_key_to_decrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_encrypt_key_to_decrypt_key) #define aes_hw_set_decrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_decrypt_key) #define aes_hw_set_encrypt_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_encrypt_key) +#define aes_hw_set_encrypt_key_alt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_alt) +#define aes_hw_set_encrypt_key_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_base) #define aes_nohw_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_cbc_encrypt) #define aes_nohw_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_ctr32_encrypt_blocks) #define aes_nohw_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aes_nohw_decrypt) @@ -2877,6 +2951,7 @@ #define asn1_refcount_set_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_refcount_set_one) #define asn1_set_choice_selector BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_set_choice_selector) #define asn1_type_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_cleanup) +#define asn1_type_set0_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_set0_string) #define asn1_type_value_as_pointer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_type_value_as_pointer) #define asn1_utctime_to_tm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_utctime_to_tm) #define beeu_mod_inverse_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, beeu_mod_inverse_vartime) 
@@ -2923,17 +2998,23 @@ #define bn_mont_ctx_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_init) #define bn_mont_ctx_set_RR_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_ctx_set_RR_consttime) #define bn_mont_n0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mont_n0) +#define bn_mul4x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul4x_mont) +#define bn_mul4x_mont_gather5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul4x_mont_gather5) #define bn_mul_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_add_words) #define bn_mul_comba4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_comba4) #define bn_mul_comba8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_comba8) #define bn_mul_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_consttime) #define bn_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont) -#define bn_mul_mont_gather5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont_gather5) +#define bn_mul_mont_gather5_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont_gather5_nohw) +#define bn_mul_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_mont_nohw) #define bn_mul_small BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_small) #define bn_mul_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mul_words) +#define bn_mulx4x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx4x_mont) +#define bn_mulx4x_mont_gather5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_mulx4x_mont_gather5) #define bn_odd_number_is_obviously_composite BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_odd_number_is_obviously_composite) #define bn_one_to_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_one_to_montgomery) -#define bn_power5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_power5) +#define bn_power5_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_power5_nohw) +#define bn_powerx5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_powerx5) #define bn_rand_range_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_rand_range_words) #define bn_rand_secret_range 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_rand_secret_range) #define bn_reduce_once BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_reduce_once) @@ -2948,6 +3029,7 @@ #define bn_set_static_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_set_static_words) #define bn_set_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_set_words) #define bn_sqr8x_internal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr8x_internal) +#define bn_sqr8x_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr8x_mont) #define bn_sqr_comba4 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_comba4) #define bn_sqr_comba8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_comba8) #define bn_sqr_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_sqr_consttime) @@ -2967,9 +3049,12 @@ #define c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_INTEGER) #define c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_OBJECT) #define chacha20_poly1305_open BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_open) +#define chacha20_poly1305_open_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_open_avx2) +#define chacha20_poly1305_open_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_open_nohw) #define chacha20_poly1305_seal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_seal) +#define chacha20_poly1305_seal_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_seal_avx2) +#define chacha20_poly1305_seal_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, chacha20_poly1305_seal_nohw) #define crypto_gcm_clmul_enabled BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, crypto_gcm_clmul_enabled) -#define d2i_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ACCESS_DESCRIPTION) #define d2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_BIT_STRING) #define d2i_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_BMPSTRING) #define d2i_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ASN1_BOOLEAN) 
@@ -3002,8 +3087,6 @@ #define d2i_DHparams_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DHparams_bio) #define d2i_DIRECTORYSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DIRECTORYSTRING) #define d2i_DISPLAYTEXT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DISPLAYTEXT) -#define d2i_DIST_POINT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DIST_POINT) -#define d2i_DIST_POINT_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DIST_POINT_NAME) #define d2i_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAPrivateKey) #define d2i_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAPrivateKey_bio) #define d2i_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAPrivateKey_fp) @@ -3014,6 +3097,7 @@ #define d2i_DSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSA_SIG) #define d2i_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_DSAparams) #define d2i_ECDSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECDSA_SIG) +#define d2i_ECPKParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECPKParameters) #define d2i_ECParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECParameters) #define d2i_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECPrivateKey) #define d2i_ECPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ECPrivateKey_bio) 
@@ -3021,15 +3105,12 @@ #define d2i_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY) #define d2i_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY_bio) #define d2i_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EC_PUBKEY_fp) -#define d2i_EDIPARTYNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EDIPARTYNAME) #define d2i_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_EXTENDED_KEY_USAGE) #define d2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_GENERAL_NAME) #define d2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_GENERAL_NAMES) #define d2i_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_ISSUING_DIST_POINT) #define d2i_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKAC) #define d2i_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKI) -#define d2i_NOTICEREF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_NOTICEREF) -#define d2i_OTHERNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_OTHERNAME) #define d2i_PKCS12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12) #define d2i_PKCS12_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12_bio) #define d2i_PKCS12_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS12_fp) @@ -3042,8 +3123,6 @@ #define d2i_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO_fp) #define d2i_PKCS8_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_bio) #define d2i_PKCS8_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PKCS8_fp) -#define d2i_POLICYINFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_POLICYINFO) -#define d2i_POLICYQUALINFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_POLICYQUALINFO) #define d2i_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PUBKEY) #define d2i_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PUBKEY_bio) #define d2i_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_PUBKEY_fp) 
@@ -3063,7 +3142,6 @@ #define d2i_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_RSA_PUBKEY_fp) #define d2i_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_SSL_SESSION) #define d2i_SSL_SESSION_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_SSL_SESSION_bio) -#define d2i_USERNOTICE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_USERNOTICE) #define d2i_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509) #define d2i_X509_ALGOR BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_ALGOR) #define d2i_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_ATTRIBUTE) @@ -3077,7 +3155,6 @@ #define d2i_X509_EXTENSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_EXTENSION) #define d2i_X509_EXTENSIONS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_EXTENSIONS) #define d2i_X509_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_NAME) -#define d2i_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_NAME_ENTRY) #define d2i_X509_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_PUBKEY) #define d2i_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ) #define d2i_X509_REQ_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_REQ_INFO) 
@@ -3088,8 +3165,10 @@ #define d2i_X509_VAL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_VAL) #define d2i_X509_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_bio) #define d2i_X509_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_fp) +#define dh_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_asn1_meth) #define dh_check_params_fast BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_check_params_fast) #define dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test) +#define dh_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_pkey_meth) #define dsa_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_asn1_meth) #define dsa_check_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_check_key) #define ec_GFp_mont_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_add) 
@@ -3179,25 +3258,46 @@ #define ec_set_to_safe_point BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_set_to_safe_point) #define ec_simple_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_simple_scalar_inv0_montgomery) #define ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_simple_scalar_to_montgomery_inv_vartime) -#define ecdsa_do_verify_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_do_verify_no_self_test) -#define ecdsa_sign_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_sign_with_nonce_for_known_answer_test) -#define ecp_nistz256_avx2_select_w7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_avx2_select_w7) +#define ecdsa_sign_fixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_sign_fixed) +#define ecdsa_sign_fixed_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_sign_fixed_with_nonce_for_known_answer_test) +#define ecdsa_verify_fixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_verify_fixed) +#define ecdsa_verify_fixed_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_verify_fixed_no_self_test) #define ecp_nistz256_div_by_2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_div_by_2) #define ecp_nistz256_mul_by_2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_by_2) #define ecp_nistz256_mul_by_3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_by_3) #define ecp_nistz256_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_mont) +#define ecp_nistz256_mul_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_adx) +#define ecp_nistz256_mul_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_nohw) #define ecp_nistz256_neg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_neg) #define ecp_nistz256_ord_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont) +#define ecp_nistz256_ord_mul_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
ecp_nistz256_ord_mul_mont_adx) +#define ecp_nistz256_ord_mul_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont_nohw) #define ecp_nistz256_ord_sqr_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont) +#define ecp_nistz256_ord_sqr_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_adx) +#define ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_nohw) #define ecp_nistz256_point_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add) +#define ecp_nistz256_point_add_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_adx) #define ecp_nistz256_point_add_affine BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine) +#define ecp_nistz256_point_add_affine_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_adx) +#define ecp_nistz256_point_add_affine_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_nohw) +#define ecp_nistz256_point_add_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_add_nohw) #define ecp_nistz256_point_double BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_double) +#define ecp_nistz256_point_double_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_double_adx) +#define ecp_nistz256_point_double_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_point_double_nohw) #define ecp_nistz256_select_w5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w5) +#define ecp_nistz256_select_w5_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w5_avx2) +#define ecp_nistz256_select_w5_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w5_nohw) #define ecp_nistz256_select_w7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w7) +#define ecp_nistz256_select_w7_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w7_avx2) +#define ecp_nistz256_select_w7_nohw 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w7_nohw) #define ecp_nistz256_sqr_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont) +#define ecp_nistz256_sqr_mont_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_adx) +#define ecp_nistz256_sqr_mont_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_nohw) #define ecp_nistz256_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sub) #define ed25519_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_asn1_meth) #define ed25519_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_pkey_meth) +#define evp_md_md5_sha1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, evp_md_md5_sha1) +#define evp_pkey_set_method BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, evp_pkey_set_method) #define fiat_curve25519_adx_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_curve25519_adx_mul) #define fiat_curve25519_adx_square BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_curve25519_adx_square) #define fiat_p256_adx_mul BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, fiat_p256_adx_mul) 
@@ -3221,14 +3321,12 @@ #define gcm_init_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_ssse3) #define gcm_init_v8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_init_v8) #define hkdf_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, hkdf_pkey_meth) -#define i2a_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ACCESS_DESCRIPTION) #define i2a_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_ENUMERATED) #define i2a_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_INTEGER) #define i2a_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_OBJECT) #define i2a_ASN1_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2a_ASN1_STRING) #define i2c_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2c_ASN1_BIT_STRING) #define i2c_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2c_ASN1_INTEGER) -#define i2d_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ACCESS_DESCRIPTION) #define i2d_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_BIT_STRING) #define i2d_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_BMPSTRING) #define i2d_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ASN1_BOOLEAN) @@ -3260,8 +3358,6 @@ #define i2d_DHparams_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DHparams_bio) #define i2d_DIRECTORYSTRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DIRECTORYSTRING) #define i2d_DISPLAYTEXT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DISPLAYTEXT) -#define i2d_DIST_POINT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DIST_POINT) -#define i2d_DIST_POINT_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DIST_POINT_NAME) #define i2d_DSAPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAPrivateKey) #define i2d_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAPrivateKey_bio) #define i2d_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAPrivateKey_fp) 
@@ -3272,6 +3368,7 @@ #define i2d_DSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSA_SIG) #define i2d_DSAparams BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_DSAparams) #define i2d_ECDSA_SIG BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECDSA_SIG) +#define i2d_ECPKParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECPKParameters) #define i2d_ECParameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECParameters) #define i2d_ECPrivateKey BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECPrivateKey) #define i2d_ECPrivateKey_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ECPrivateKey_bio) @@ -3279,15 +3376,12 @@ #define i2d_EC_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY) #define i2d_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY_bio) #define i2d_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EC_PUBKEY_fp) -#define i2d_EDIPARTYNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EDIPARTYNAME) #define i2d_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_EXTENDED_KEY_USAGE) #define i2d_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_GENERAL_NAME) #define i2d_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_GENERAL_NAMES) #define i2d_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_ISSUING_DIST_POINT) #define i2d_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKAC) #define i2d_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKI) -#define i2d_NOTICEREF BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_NOTICEREF) -#define i2d_OTHERNAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_OTHERNAME) #define i2d_PKCS12 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12) #define i2d_PKCS12_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12_bio) #define i2d_PKCS12_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS12_fp) 
@@ -3304,8 +3398,6 @@ #define i2d_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO_fp) #define i2d_PKCS8_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_bio) #define i2d_PKCS8_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PKCS8_fp) -#define i2d_POLICYINFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_POLICYINFO) -#define i2d_POLICYQUALINFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_POLICYQUALINFO) #define i2d_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PUBKEY) #define i2d_PUBKEY_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PUBKEY_bio) #define i2d_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_PUBKEY_fp) @@ -3325,7 +3417,6 @@ #define i2d_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_RSA_PUBKEY_fp) #define i2d_SSL_SESSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_SSL_SESSION) #define i2d_SSL_SESSION_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_SSL_SESSION_bio) -#define i2d_USERNOTICE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_USERNOTICE) #define i2d_X509 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509) #define i2d_X509_ALGOR BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_ALGOR) #define i2d_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_ATTRIBUTE) @@ -3340,7 +3431,6 @@ #define i2d_X509_EXTENSION BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_EXTENSION) #define i2d_X509_EXTENSIONS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_EXTENSIONS) #define i2d_X509_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_NAME) -#define i2d_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_NAME_ENTRY) #define i2d_X509_PUBKEY BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_PUBKEY) #define i2d_X509_REQ BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ) #define i2d_X509_REQ_INFO BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, i2d_X509_REQ_INFO) 
@@ -3426,14 +3516,24 @@ #define rsaz_1024_sqr_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_sqr_avx2) #define s2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, s2i_ASN1_INTEGER) #define s2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, s2i_ASN1_OCTET_STRING) -#define sha1_block_data_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order) -#define sha256_block_data_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order) -#define sha512_block_data_order BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order) +#define sha1_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_avx) +#define sha1_block_data_order_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_avx2) +#define sha1_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_hw) +#define sha1_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_nohw) +#define sha1_block_data_order_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha1_block_data_order_ssse3) +#define sha256_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_avx) +#define sha256_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_hw) +#define sha256_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_nohw) +#define sha256_block_data_order_ssse3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha256_block_data_order_ssse3) +#define sha512_block_data_order_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_avx) +#define sha512_block_data_order_hw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_hw) +#define sha512_block_data_order_nohw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sha512_block_data_order_nohw) #define sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func) #define sk_CRYPTO_BUFFER_call_free_func 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func) #define sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy) #define sk_CRYPTO_BUFFER_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new_null) #define sk_CRYPTO_BUFFER_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_num) +#define sk_CRYPTO_BUFFER_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop) #define sk_CRYPTO_BUFFER_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_push) #define sk_CRYPTO_BUFFER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set) #define sk_CRYPTO_BUFFER_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_value) 
@@ -3475,6 +3575,57 @@ #define sk_pop_free_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_pop_free_ex) #define sk_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_push) #define sk_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_value) +#define slhdsa_fors_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_pk_from_sig) +#define slhdsa_fors_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_sign) +#define slhdsa_fors_sk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_sk_gen) +#define slhdsa_fors_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_fors_treehash) +#define slhdsa_ht_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_ht_sign) +#define slhdsa_ht_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_ht_verify) +#define slhdsa_thash_f BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_f) +#define slhdsa_thash_h BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_h) +#define slhdsa_thash_hmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_hmsg) +#define slhdsa_thash_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_prf) +#define slhdsa_thash_prfmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_prfmsg) +#define slhdsa_thash_tk BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_tk) +#define slhdsa_thash_tl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_thash_tl) +#define slhdsa_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_treehash) +#define slhdsa_wots_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_wots_pk_from_sig) +#define slhdsa_wots_pk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_wots_pk_gen) +#define slhdsa_wots_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_wots_sign) +#define slhdsa_xmss_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_xmss_pk_from_sig) +#define slhdsa_xmss_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, slhdsa_xmss_sign) +#define spx_base_b BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_base_b) +#define spx_copy_keypair_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
spx_copy_keypair_addr) +#define spx_fors_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_pk_from_sig) +#define spx_fors_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_sign) +#define spx_fors_sk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_sk_gen) +#define spx_fors_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_fors_treehash) +#define spx_get_tree_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_get_tree_index) +#define spx_ht_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_ht_sign) +#define spx_ht_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_ht_verify) +#define spx_set_chain_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_chain_addr) +#define spx_set_hash_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_hash_addr) +#define spx_set_keypair_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_keypair_addr) +#define spx_set_layer_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_layer_addr) +#define spx_set_tree_addr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_tree_addr) +#define spx_set_tree_height BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_tree_height) +#define spx_set_tree_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_tree_index) +#define spx_set_type BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_set_type) +#define spx_thash_f BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_f) +#define spx_thash_h BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_h) +#define spx_thash_hmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_hmsg) +#define spx_thash_prf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_prf) +#define spx_thash_prfmsg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_prfmsg) +#define spx_thash_tk BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_tk) +#define spx_thash_tl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_thash_tl) +#define spx_to_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_to_uint64) +#define spx_treehash BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_treehash) +#define spx_uint64_to_len_bytes 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_uint64_to_len_bytes) +#define spx_wots_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_wots_pk_from_sig) +#define spx_wots_pk_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_wots_pk_gen) +#define spx_wots_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_wots_sign) +#define spx_xmss_pk_from_sig BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_xmss_pk_from_sig) +#define spx_xmss_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, spx_xmss_sign) #define v2i_GENERAL_NAME BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAME) #define v2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAMES) #define v2i_GENERAL_NAME_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v2i_GENERAL_NAME_ex) @@ -3541,6 +3692,7 @@ #define x25519_sc_reduce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_sc_reduce) #define x25519_scalar_mult_adx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_scalar_mult_adx) #define x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509V3_add_value_asn1_string) +#define x509_check_issued_with_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_check_issued_with_callback) #define x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_sign_algorithm) #define x509_digest_verify_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_verify_init) #define x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_print_rsa_pss_params) 
@@ -3621,6 +3773,52 @@ #define sk_BIGNUM_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_is_sorted) #define sk_BIGNUM_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_set_cmp_func) #define sk_BIGNUM_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIGNUM_deep_copy) +#define sk_X509V3_EXT_METHOD_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_free_func) +#define sk_X509V3_EXT_METHOD_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_copy_func) +#define sk_X509V3_EXT_METHOD_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_cmp_func) +#define sk_X509V3_EXT_METHOD_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_new) +#define sk_X509V3_EXT_METHOD_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_new_null) +#define sk_X509V3_EXT_METHOD_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_num) +#define sk_X509V3_EXT_METHOD_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_zero) +#define sk_X509V3_EXT_METHOD_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_value) +#define sk_X509V3_EXT_METHOD_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_set) +#define sk_X509V3_EXT_METHOD_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_free) +#define sk_X509V3_EXT_METHOD_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_pop_free) +#define sk_X509V3_EXT_METHOD_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_insert) +#define sk_X509V3_EXT_METHOD_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_delete) +#define sk_X509V3_EXT_METHOD_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_delete_ptr) +#define sk_X509V3_EXT_METHOD_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_find) +#define sk_X509V3_EXT_METHOD_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509V3_EXT_METHOD_shift) +#define sk_X509V3_EXT_METHOD_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_push) +#define sk_X509V3_EXT_METHOD_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_pop) +#define sk_X509V3_EXT_METHOD_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_dup) +#define sk_X509V3_EXT_METHOD_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_sort) +#define sk_X509V3_EXT_METHOD_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_is_sorted) +#define sk_X509V3_EXT_METHOD_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_set_cmp_func) +#define sk_X509V3_EXT_METHOD_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_deep_copy) +#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func) +#define sk_X509_LOOKUP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_copy_func) +#define sk_X509_LOOKUP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_cmp_func) +#define sk_X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new) +#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null) +#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num) +#define sk_X509_LOOKUP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_zero) +#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value) +#define sk_X509_LOOKUP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set) +#define sk_X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_free) +#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free) +#define sk_X509_LOOKUP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_insert) +#define sk_X509_LOOKUP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_LOOKUP_delete) +#define sk_X509_LOOKUP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete_ptr) +#define sk_X509_LOOKUP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_find) +#define sk_X509_LOOKUP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_shift) +#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push) +#define sk_X509_LOOKUP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop) +#define sk_X509_LOOKUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_dup) +#define sk_X509_LOOKUP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_sort) +#define sk_X509_LOOKUP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_is_sorted) +#define sk_X509_LOOKUP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set_cmp_func) +#define sk_X509_LOOKUP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_deep_copy) #define sk_STACK_OF_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_free_func) #define sk_STACK_OF_X509_NAME_ENTRY_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_copy_func) #define sk_STACK_OF_X509_NAME_ENTRY_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_STACK_OF_X509_NAME_ENTRY_call_cmp_func) 
@@ -3759,6 +3957,29 @@ #define sk_X509_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_is_sorted) #define sk_X509_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_set_cmp_func) #define sk_X509_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_deep_copy) +#define sk_GENERAL_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_free_func) +#define sk_GENERAL_NAME_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_copy_func) +#define sk_GENERAL_NAME_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_cmp_func) +#define sk_GENERAL_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new) +#define sk_GENERAL_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new_null) +#define sk_GENERAL_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_num) +#define sk_GENERAL_NAME_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_zero) +#define sk_GENERAL_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_value) +#define sk_GENERAL_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set) +#define sk_GENERAL_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_free) +#define sk_GENERAL_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop_free) +#define sk_GENERAL_NAME_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_insert) +#define sk_GENERAL_NAME_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete) +#define sk_GENERAL_NAME_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete_ptr) +#define sk_GENERAL_NAME_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_find) +#define sk_GENERAL_NAME_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_shift) +#define sk_GENERAL_NAME_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_push) +#define sk_GENERAL_NAME_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_GENERAL_NAME_pop) +#define sk_GENERAL_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_dup) +#define sk_GENERAL_NAME_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_sort) +#define sk_GENERAL_NAME_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_is_sorted) +#define sk_GENERAL_NAME_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set_cmp_func) +#define sk_GENERAL_NAME_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_deep_copy) #define sk_X509_CRL_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_free_func) #define sk_X509_CRL_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_copy_func) #define sk_X509_CRL_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_call_cmp_func) 
@@ -3782,6 +4003,29 @@ #define sk_X509_CRL_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_is_sorted) #define sk_X509_CRL_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_set_cmp_func) #define sk_X509_CRL_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_CRL_deep_copy) +#define sk_X509_REVOKED_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_free_func) +#define sk_X509_REVOKED_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_copy_func) +#define sk_X509_REVOKED_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_cmp_func) +#define sk_X509_REVOKED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new) +#define sk_X509_REVOKED_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new_null) +#define sk_X509_REVOKED_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_num) +#define sk_X509_REVOKED_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_zero) +#define sk_X509_REVOKED_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_value) +#define sk_X509_REVOKED_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set) +#define sk_X509_REVOKED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_free) +#define sk_X509_REVOKED_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop_free) +#define sk_X509_REVOKED_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_insert) +#define sk_X509_REVOKED_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete) +#define sk_X509_REVOKED_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete_ptr) +#define sk_X509_REVOKED_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_find) +#define sk_X509_REVOKED_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_shift) +#define sk_X509_REVOKED_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_push) +#define sk_X509_REVOKED_pop 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop) +#define sk_X509_REVOKED_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_dup) +#define sk_X509_REVOKED_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_sort) +#define sk_X509_REVOKED_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_is_sorted) +#define sk_X509_REVOKED_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set_cmp_func) +#define sk_X509_REVOKED_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_deep_copy) #define sk_X509_NAME_ENTRY_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_free_func) #define sk_X509_NAME_ENTRY_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_copy_func) #define sk_X509_NAME_ENTRY_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_NAME_ENTRY_call_cmp_func) 
@@ -3851,6 +4095,144 @@ #define sk_X509_EXTENSION_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_is_sorted) #define sk_X509_EXTENSION_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_set_cmp_func) #define sk_X509_EXTENSION_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_EXTENSION_deep_copy) +#define sk_GENERAL_SUBTREE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_free_func) +#define sk_GENERAL_SUBTREE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_copy_func) +#define sk_GENERAL_SUBTREE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_cmp_func) +#define sk_GENERAL_SUBTREE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new) +#define sk_GENERAL_SUBTREE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new_null) +#define sk_GENERAL_SUBTREE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_num) +#define sk_GENERAL_SUBTREE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_zero) +#define sk_GENERAL_SUBTREE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_value) +#define sk_GENERAL_SUBTREE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_set) +#define sk_GENERAL_SUBTREE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_free) +#define sk_GENERAL_SUBTREE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_pop_free) +#define sk_GENERAL_SUBTREE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_insert) +#define sk_GENERAL_SUBTREE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_delete) +#define sk_GENERAL_SUBTREE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_delete_ptr) +#define sk_GENERAL_SUBTREE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_find) +#define sk_GENERAL_SUBTREE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_shift) +#define 
sk_GENERAL_SUBTREE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_push) +#define sk_GENERAL_SUBTREE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_pop) +#define sk_GENERAL_SUBTREE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_dup) +#define sk_GENERAL_SUBTREE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_sort) +#define sk_GENERAL_SUBTREE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_is_sorted) +#define sk_GENERAL_SUBTREE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_set_cmp_func) +#define sk_GENERAL_SUBTREE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_deep_copy) +#define sk_ACCESS_DESCRIPTION_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_free_func) +#define sk_ACCESS_DESCRIPTION_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_copy_func) +#define sk_ACCESS_DESCRIPTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_cmp_func) +#define sk_ACCESS_DESCRIPTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new) +#define sk_ACCESS_DESCRIPTION_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new_null) +#define sk_ACCESS_DESCRIPTION_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_num) +#define sk_ACCESS_DESCRIPTION_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_zero) +#define sk_ACCESS_DESCRIPTION_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_value) +#define sk_ACCESS_DESCRIPTION_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_set) +#define sk_ACCESS_DESCRIPTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_free) +#define sk_ACCESS_DESCRIPTION_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop_free) +#define sk_ACCESS_DESCRIPTION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_ACCESS_DESCRIPTION_insert) +#define sk_ACCESS_DESCRIPTION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_delete) +#define sk_ACCESS_DESCRIPTION_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_delete_ptr) +#define sk_ACCESS_DESCRIPTION_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_find) +#define sk_ACCESS_DESCRIPTION_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_shift) +#define sk_ACCESS_DESCRIPTION_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_push) +#define sk_ACCESS_DESCRIPTION_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop) +#define sk_ACCESS_DESCRIPTION_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_dup) +#define sk_ACCESS_DESCRIPTION_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_sort) +#define sk_ACCESS_DESCRIPTION_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_is_sorted) +#define sk_ACCESS_DESCRIPTION_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_set_cmp_func) +#define sk_ACCESS_DESCRIPTION_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_deep_copy) +#define sk_DIST_POINT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_free_func) +#define sk_DIST_POINT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_copy_func) +#define sk_DIST_POINT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_cmp_func) +#define sk_DIST_POINT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_new) +#define sk_DIST_POINT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_new_null) +#define sk_DIST_POINT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_num) +#define sk_DIST_POINT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_zero) +#define sk_DIST_POINT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_value) +#define sk_DIST_POINT_set 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_set) +#define sk_DIST_POINT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_free) +#define sk_DIST_POINT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_pop_free) +#define sk_DIST_POINT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_insert) +#define sk_DIST_POINT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_delete) +#define sk_DIST_POINT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_delete_ptr) +#define sk_DIST_POINT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_find) +#define sk_DIST_POINT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_shift) +#define sk_DIST_POINT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_push) +#define sk_DIST_POINT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_pop) +#define sk_DIST_POINT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_dup) +#define sk_DIST_POINT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_sort) +#define sk_DIST_POINT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_is_sorted) +#define sk_DIST_POINT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_set_cmp_func) +#define sk_DIST_POINT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_deep_copy) +#define sk_POLICYQUALINFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_free_func) +#define sk_POLICYQUALINFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_copy_func) +#define sk_POLICYQUALINFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_cmp_func) +#define sk_POLICYQUALINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new) +#define sk_POLICYQUALINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new_null) +#define sk_POLICYQUALINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_num) +#define 
sk_POLICYQUALINFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_zero) +#define sk_POLICYQUALINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_value) +#define sk_POLICYQUALINFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_set) +#define sk_POLICYQUALINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_free) +#define sk_POLICYQUALINFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_pop_free) +#define sk_POLICYQUALINFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_insert) +#define sk_POLICYQUALINFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_delete) +#define sk_POLICYQUALINFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_delete_ptr) +#define sk_POLICYQUALINFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_find) +#define sk_POLICYQUALINFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_shift) +#define sk_POLICYQUALINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_push) +#define sk_POLICYQUALINFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_pop) +#define sk_POLICYQUALINFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_dup) +#define sk_POLICYQUALINFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_sort) +#define sk_POLICYQUALINFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_is_sorted) +#define sk_POLICYQUALINFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_set_cmp_func) +#define sk_POLICYQUALINFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_deep_copy) +#define sk_POLICYINFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_free_func) +#define sk_POLICYINFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_copy_func) +#define sk_POLICYINFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_cmp_func) +#define 
sk_POLICYINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_new) +#define sk_POLICYINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_new_null) +#define sk_POLICYINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_num) +#define sk_POLICYINFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_zero) +#define sk_POLICYINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_value) +#define sk_POLICYINFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_set) +#define sk_POLICYINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_free) +#define sk_POLICYINFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_pop_free) +#define sk_POLICYINFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_insert) +#define sk_POLICYINFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_delete) +#define sk_POLICYINFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_delete_ptr) +#define sk_POLICYINFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_find) +#define sk_POLICYINFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_shift) +#define sk_POLICYINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_push) +#define sk_POLICYINFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_pop) +#define sk_POLICYINFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_dup) +#define sk_POLICYINFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_sort) +#define sk_POLICYINFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_is_sorted) +#define sk_POLICYINFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_set_cmp_func) +#define sk_POLICYINFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_deep_copy) +#define sk_POLICY_MAPPING_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_free_func) +#define sk_POLICY_MAPPING_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_POLICY_MAPPING_call_copy_func) +#define sk_POLICY_MAPPING_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_cmp_func) +#define sk_POLICY_MAPPING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new) +#define sk_POLICY_MAPPING_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new_null) +#define sk_POLICY_MAPPING_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_num) +#define sk_POLICY_MAPPING_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_zero) +#define sk_POLICY_MAPPING_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_value) +#define sk_POLICY_MAPPING_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_set) +#define sk_POLICY_MAPPING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_free) +#define sk_POLICY_MAPPING_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop_free) +#define sk_POLICY_MAPPING_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_insert) +#define sk_POLICY_MAPPING_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_delete) +#define sk_POLICY_MAPPING_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_delete_ptr) +#define sk_POLICY_MAPPING_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_find) +#define sk_POLICY_MAPPING_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_shift) +#define sk_POLICY_MAPPING_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_push) +#define sk_POLICY_MAPPING_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop) +#define sk_POLICY_MAPPING_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_dup) +#define sk_POLICY_MAPPING_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_sort) +#define sk_POLICY_MAPPING_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_is_sorted) +#define sk_POLICY_MAPPING_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_POLICY_MAPPING_set_cmp_func) +#define sk_POLICY_MAPPING_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_deep_copy) #define sk_X509_ALGOR_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_call_free_func) #define sk_X509_ALGOR_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_call_copy_func) #define sk_X509_ALGOR_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ALGOR_call_cmp_func) 
@@ -3897,98 +4279,6 @@ #define sk_X509_ATTRIBUTE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_is_sorted) #define sk_X509_ATTRIBUTE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_set_cmp_func) #define sk_X509_ATTRIBUTE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_ATTRIBUTE_deep_copy) -#define sk_X509_TRUST_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_free_func) -#define sk_X509_TRUST_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_copy_func) -#define sk_X509_TRUST_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_call_cmp_func) -#define sk_X509_TRUST_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_new) -#define sk_X509_TRUST_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_new_null) -#define sk_X509_TRUST_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_num) -#define sk_X509_TRUST_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_zero) -#define sk_X509_TRUST_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_value) -#define sk_X509_TRUST_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_set) -#define sk_X509_TRUST_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_free) -#define sk_X509_TRUST_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_pop_free) -#define sk_X509_TRUST_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_insert) -#define sk_X509_TRUST_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_delete) -#define sk_X509_TRUST_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_delete_ptr) -#define sk_X509_TRUST_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_find) -#define sk_X509_TRUST_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_shift) -#define sk_X509_TRUST_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_push) -#define sk_X509_TRUST_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_pop) 
-#define sk_X509_TRUST_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_dup) -#define sk_X509_TRUST_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_sort) -#define sk_X509_TRUST_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_is_sorted) -#define sk_X509_TRUST_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_set_cmp_func) -#define sk_X509_TRUST_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_TRUST_deep_copy) -#define sk_X509_REVOKED_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_free_func) -#define sk_X509_REVOKED_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_copy_func) -#define sk_X509_REVOKED_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_call_cmp_func) -#define sk_X509_REVOKED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new) -#define sk_X509_REVOKED_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_new_null) -#define sk_X509_REVOKED_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_num) -#define sk_X509_REVOKED_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_zero) -#define sk_X509_REVOKED_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_value) -#define sk_X509_REVOKED_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set) -#define sk_X509_REVOKED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_free) -#define sk_X509_REVOKED_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop_free) -#define sk_X509_REVOKED_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_insert) -#define sk_X509_REVOKED_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete) -#define sk_X509_REVOKED_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_delete_ptr) -#define sk_X509_REVOKED_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_find) -#define sk_X509_REVOKED_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_REVOKED_shift) -#define sk_X509_REVOKED_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_push) -#define sk_X509_REVOKED_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_pop) -#define sk_X509_REVOKED_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_dup) -#define sk_X509_REVOKED_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_sort) -#define sk_X509_REVOKED_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_is_sorted) -#define sk_X509_REVOKED_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_set_cmp_func) -#define sk_X509_REVOKED_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_REVOKED_deep_copy) -#define sk_X509_INFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_free_func) -#define sk_X509_INFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_copy_func) -#define sk_X509_INFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_cmp_func) -#define sk_X509_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_new) -#define sk_X509_INFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_new_null) -#define sk_X509_INFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_num) -#define sk_X509_INFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_zero) -#define sk_X509_INFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_value) -#define sk_X509_INFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set) -#define sk_X509_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_free) -#define sk_X509_INFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop_free) -#define sk_X509_INFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_insert) -#define sk_X509_INFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_delete) -#define sk_X509_INFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_delete_ptr) -#define sk_X509_INFO_find 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_find) -#define sk_X509_INFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_shift) -#define sk_X509_INFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_push) -#define sk_X509_INFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop) -#define sk_X509_INFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_dup) -#define sk_X509_INFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_sort) -#define sk_X509_INFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_is_sorted) -#define sk_X509_INFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set_cmp_func) -#define sk_X509_INFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_deep_copy) -#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func) -#define sk_X509_LOOKUP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_copy_func) -#define sk_X509_LOOKUP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_cmp_func) -#define sk_X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new) -#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null) -#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num) -#define sk_X509_LOOKUP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_zero) -#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value) -#define sk_X509_LOOKUP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set) -#define sk_X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_free) -#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free) -#define sk_X509_LOOKUP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_insert) -#define sk_X509_LOOKUP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_LOOKUP_delete) -#define sk_X509_LOOKUP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete_ptr) -#define sk_X509_LOOKUP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_find) -#define sk_X509_LOOKUP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_shift) -#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push) -#define sk_X509_LOOKUP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop) -#define sk_X509_LOOKUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_dup) -#define sk_X509_LOOKUP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_sort) -#define sk_X509_LOOKUP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_is_sorted) -#define sk_X509_LOOKUP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set_cmp_func) -#define sk_X509_LOOKUP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_deep_copy) #define sk_X509_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_free_func) #define sk_X509_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_copy_func) #define sk_X509_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_cmp_func) 
@@ -4012,29 +4302,29 @@ #define sk_X509_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_is_sorted) #define sk_X509_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set_cmp_func) #define sk_X509_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_deep_copy) -#define sk_X509_VERIFY_PARAM_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_free_func) -#define sk_X509_VERIFY_PARAM_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_copy_func) -#define sk_X509_VERIFY_PARAM_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_cmp_func) -#define sk_X509_VERIFY_PARAM_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new) -#define sk_X509_VERIFY_PARAM_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new_null) -#define sk_X509_VERIFY_PARAM_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_num) -#define sk_X509_VERIFY_PARAM_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_zero) -#define sk_X509_VERIFY_PARAM_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_value) -#define sk_X509_VERIFY_PARAM_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set) -#define sk_X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_free) -#define sk_X509_VERIFY_PARAM_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop_free) -#define sk_X509_VERIFY_PARAM_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_insert) -#define sk_X509_VERIFY_PARAM_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete) -#define sk_X509_VERIFY_PARAM_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete_ptr) -#define sk_X509_VERIFY_PARAM_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_find) -#define sk_X509_VERIFY_PARAM_shift 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_shift) -#define sk_X509_VERIFY_PARAM_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_push) -#define sk_X509_VERIFY_PARAM_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop) -#define sk_X509_VERIFY_PARAM_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_dup) -#define sk_X509_VERIFY_PARAM_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_sort) -#define sk_X509_VERIFY_PARAM_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_is_sorted) -#define sk_X509_VERIFY_PARAM_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set_cmp_func) -#define sk_X509_VERIFY_PARAM_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_deep_copy) +#define sk_X509_INFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_free_func) +#define sk_X509_INFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_copy_func) +#define sk_X509_INFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_call_cmp_func) +#define sk_X509_INFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_new) +#define sk_X509_INFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_new_null) +#define sk_X509_INFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_num) +#define sk_X509_INFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_zero) +#define sk_X509_INFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_value) +#define sk_X509_INFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set) +#define sk_X509_INFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_free) +#define sk_X509_INFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop_free) +#define sk_X509_INFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_insert) +#define sk_X509_INFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_delete) +#define 
sk_X509_INFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_delete_ptr) +#define sk_X509_INFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_find) +#define sk_X509_INFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_shift) +#define sk_X509_INFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_push) +#define sk_X509_INFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_pop) +#define sk_X509_INFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_dup) +#define sk_X509_INFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_sort) +#define sk_X509_INFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_is_sorted) +#define sk_X509_INFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set_cmp_func) +#define sk_X509_INFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_deep_copy) #define sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func) #define sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func) #define sk_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_cmp_func) 
@@ -4150,236 +4440,6 @@ #define sk_BIO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_is_sorted) #define sk_BIO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_set_cmp_func) #define sk_BIO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_BIO_deep_copy) -#define sk_X509V3_EXT_METHOD_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_free_func) -#define sk_X509V3_EXT_METHOD_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_copy_func) -#define sk_X509V3_EXT_METHOD_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_call_cmp_func) -#define sk_X509V3_EXT_METHOD_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_new) -#define sk_X509V3_EXT_METHOD_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_new_null) -#define sk_X509V3_EXT_METHOD_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_num) -#define sk_X509V3_EXT_METHOD_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_zero) -#define sk_X509V3_EXT_METHOD_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_value) -#define sk_X509V3_EXT_METHOD_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_set) -#define sk_X509V3_EXT_METHOD_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_free) -#define sk_X509V3_EXT_METHOD_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_pop_free) -#define sk_X509V3_EXT_METHOD_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_insert) -#define sk_X509V3_EXT_METHOD_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_delete) -#define sk_X509V3_EXT_METHOD_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_delete_ptr) -#define sk_X509V3_EXT_METHOD_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_find) -#define sk_X509V3_EXT_METHOD_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_shift) -#define 
sk_X509V3_EXT_METHOD_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_push) -#define sk_X509V3_EXT_METHOD_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_pop) -#define sk_X509V3_EXT_METHOD_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_dup) -#define sk_X509V3_EXT_METHOD_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_sort) -#define sk_X509V3_EXT_METHOD_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_is_sorted) -#define sk_X509V3_EXT_METHOD_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_set_cmp_func) -#define sk_X509V3_EXT_METHOD_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509V3_EXT_METHOD_deep_copy) -#define sk_GENERAL_NAME_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_free_func) -#define sk_GENERAL_NAME_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_copy_func) -#define sk_GENERAL_NAME_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_call_cmp_func) -#define sk_GENERAL_NAME_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new) -#define sk_GENERAL_NAME_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_new_null) -#define sk_GENERAL_NAME_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_num) -#define sk_GENERAL_NAME_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_zero) -#define sk_GENERAL_NAME_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_value) -#define sk_GENERAL_NAME_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set) -#define sk_GENERAL_NAME_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_free) -#define sk_GENERAL_NAME_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop_free) -#define sk_GENERAL_NAME_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_insert) -#define sk_GENERAL_NAME_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete) -#define 
sk_GENERAL_NAME_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_delete_ptr) -#define sk_GENERAL_NAME_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_find) -#define sk_GENERAL_NAME_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_shift) -#define sk_GENERAL_NAME_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_push) -#define sk_GENERAL_NAME_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_pop) -#define sk_GENERAL_NAME_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_dup) -#define sk_GENERAL_NAME_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_sort) -#define sk_GENERAL_NAME_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_is_sorted) -#define sk_GENERAL_NAME_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_set_cmp_func) -#define sk_GENERAL_NAME_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAME_deep_copy) -#define sk_GENERAL_NAMES_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_call_free_func) -#define sk_GENERAL_NAMES_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_call_copy_func) -#define sk_GENERAL_NAMES_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_call_cmp_func) -#define sk_GENERAL_NAMES_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_new) -#define sk_GENERAL_NAMES_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_new_null) -#define sk_GENERAL_NAMES_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_num) -#define sk_GENERAL_NAMES_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_zero) -#define sk_GENERAL_NAMES_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_value) -#define sk_GENERAL_NAMES_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_set) -#define sk_GENERAL_NAMES_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_free) -#define sk_GENERAL_NAMES_pop_free 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_pop_free) -#define sk_GENERAL_NAMES_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_insert) -#define sk_GENERAL_NAMES_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_delete) -#define sk_GENERAL_NAMES_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_delete_ptr) -#define sk_GENERAL_NAMES_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_find) -#define sk_GENERAL_NAMES_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_shift) -#define sk_GENERAL_NAMES_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_push) -#define sk_GENERAL_NAMES_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_pop) -#define sk_GENERAL_NAMES_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_dup) -#define sk_GENERAL_NAMES_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_sort) -#define sk_GENERAL_NAMES_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_is_sorted) -#define sk_GENERAL_NAMES_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_set_cmp_func) -#define sk_GENERAL_NAMES_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_NAMES_deep_copy) -#define sk_ACCESS_DESCRIPTION_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_free_func) -#define sk_ACCESS_DESCRIPTION_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_copy_func) -#define sk_ACCESS_DESCRIPTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_call_cmp_func) -#define sk_ACCESS_DESCRIPTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new) -#define sk_ACCESS_DESCRIPTION_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_new_null) -#define sk_ACCESS_DESCRIPTION_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_num) -#define sk_ACCESS_DESCRIPTION_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_ACCESS_DESCRIPTION_zero) -#define sk_ACCESS_DESCRIPTION_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_value) -#define sk_ACCESS_DESCRIPTION_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_set) -#define sk_ACCESS_DESCRIPTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_free) -#define sk_ACCESS_DESCRIPTION_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop_free) -#define sk_ACCESS_DESCRIPTION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_insert) -#define sk_ACCESS_DESCRIPTION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_delete) -#define sk_ACCESS_DESCRIPTION_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_delete_ptr) -#define sk_ACCESS_DESCRIPTION_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_find) -#define sk_ACCESS_DESCRIPTION_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_shift) -#define sk_ACCESS_DESCRIPTION_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_push) -#define sk_ACCESS_DESCRIPTION_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_pop) -#define sk_ACCESS_DESCRIPTION_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_dup) -#define sk_ACCESS_DESCRIPTION_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_sort) -#define sk_ACCESS_DESCRIPTION_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_is_sorted) -#define sk_ACCESS_DESCRIPTION_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_set_cmp_func) -#define sk_ACCESS_DESCRIPTION_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ACCESS_DESCRIPTION_deep_copy) -#define sk_DIST_POINT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_free_func) -#define sk_DIST_POINT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_copy_func) -#define sk_DIST_POINT_call_cmp_func 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_call_cmp_func) -#define sk_DIST_POINT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_new) -#define sk_DIST_POINT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_new_null) -#define sk_DIST_POINT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_num) -#define sk_DIST_POINT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_zero) -#define sk_DIST_POINT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_value) -#define sk_DIST_POINT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_set) -#define sk_DIST_POINT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_free) -#define sk_DIST_POINT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_pop_free) -#define sk_DIST_POINT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_insert) -#define sk_DIST_POINT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_delete) -#define sk_DIST_POINT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_delete_ptr) -#define sk_DIST_POINT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_find) -#define sk_DIST_POINT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_shift) -#define sk_DIST_POINT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_push) -#define sk_DIST_POINT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_pop) -#define sk_DIST_POINT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_dup) -#define sk_DIST_POINT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_sort) -#define sk_DIST_POINT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_is_sorted) -#define sk_DIST_POINT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_set_cmp_func) -#define sk_DIST_POINT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_DIST_POINT_deep_copy) -#define sk_POLICYQUALINFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_free_func) -#define 
sk_POLICYQUALINFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_copy_func) -#define sk_POLICYQUALINFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_call_cmp_func) -#define sk_POLICYQUALINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new) -#define sk_POLICYQUALINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_new_null) -#define sk_POLICYQUALINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_num) -#define sk_POLICYQUALINFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_zero) -#define sk_POLICYQUALINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_value) -#define sk_POLICYQUALINFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_set) -#define sk_POLICYQUALINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_free) -#define sk_POLICYQUALINFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_pop_free) -#define sk_POLICYQUALINFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_insert) -#define sk_POLICYQUALINFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_delete) -#define sk_POLICYQUALINFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_delete_ptr) -#define sk_POLICYQUALINFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_find) -#define sk_POLICYQUALINFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_shift) -#define sk_POLICYQUALINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_push) -#define sk_POLICYQUALINFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_pop) -#define sk_POLICYQUALINFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_dup) -#define sk_POLICYQUALINFO_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_sort) -#define sk_POLICYQUALINFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_is_sorted) -#define 
sk_POLICYQUALINFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_set_cmp_func) -#define sk_POLICYQUALINFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYQUALINFO_deep_copy) -#define sk_POLICYINFO_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_free_func) -#define sk_POLICYINFO_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_copy_func) -#define sk_POLICYINFO_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_call_cmp_func) -#define sk_POLICYINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_new) -#define sk_POLICYINFO_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_new_null) -#define sk_POLICYINFO_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_num) -#define sk_POLICYINFO_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_zero) -#define sk_POLICYINFO_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_value) -#define sk_POLICYINFO_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_set) -#define sk_POLICYINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_free) -#define sk_POLICYINFO_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_pop_free) -#define sk_POLICYINFO_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_insert) -#define sk_POLICYINFO_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_delete) -#define sk_POLICYINFO_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_delete_ptr) -#define sk_POLICYINFO_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_find) -#define sk_POLICYINFO_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_shift) -#define sk_POLICYINFO_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_push) -#define sk_POLICYINFO_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_pop) -#define sk_POLICYINFO_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_dup) -#define sk_POLICYINFO_sort 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_sort) -#define sk_POLICYINFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_is_sorted) -#define sk_POLICYINFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_set_cmp_func) -#define sk_POLICYINFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICYINFO_deep_copy) -#define sk_POLICY_MAPPING_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_free_func) -#define sk_POLICY_MAPPING_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_copy_func) -#define sk_POLICY_MAPPING_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_call_cmp_func) -#define sk_POLICY_MAPPING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new) -#define sk_POLICY_MAPPING_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_new_null) -#define sk_POLICY_MAPPING_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_num) -#define sk_POLICY_MAPPING_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_zero) -#define sk_POLICY_MAPPING_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_value) -#define sk_POLICY_MAPPING_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_set) -#define sk_POLICY_MAPPING_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_free) -#define sk_POLICY_MAPPING_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop_free) -#define sk_POLICY_MAPPING_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_insert) -#define sk_POLICY_MAPPING_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_delete) -#define sk_POLICY_MAPPING_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_delete_ptr) -#define sk_POLICY_MAPPING_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_find) -#define sk_POLICY_MAPPING_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_shift) -#define sk_POLICY_MAPPING_push 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_push) -#define sk_POLICY_MAPPING_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_pop) -#define sk_POLICY_MAPPING_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_dup) -#define sk_POLICY_MAPPING_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_sort) -#define sk_POLICY_MAPPING_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_is_sorted) -#define sk_POLICY_MAPPING_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_set_cmp_func) -#define sk_POLICY_MAPPING_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_POLICY_MAPPING_deep_copy) -#define sk_GENERAL_SUBTREE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_free_func) -#define sk_GENERAL_SUBTREE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_copy_func) -#define sk_GENERAL_SUBTREE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_call_cmp_func) -#define sk_GENERAL_SUBTREE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new) -#define sk_GENERAL_SUBTREE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_new_null) -#define sk_GENERAL_SUBTREE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_num) -#define sk_GENERAL_SUBTREE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_zero) -#define sk_GENERAL_SUBTREE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_value) -#define sk_GENERAL_SUBTREE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_set) -#define sk_GENERAL_SUBTREE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_free) -#define sk_GENERAL_SUBTREE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_pop_free) -#define sk_GENERAL_SUBTREE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_insert) -#define sk_GENERAL_SUBTREE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_GENERAL_SUBTREE_delete) -#define sk_GENERAL_SUBTREE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_delete_ptr) -#define sk_GENERAL_SUBTREE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_find) -#define sk_GENERAL_SUBTREE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_shift) -#define sk_GENERAL_SUBTREE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_push) -#define sk_GENERAL_SUBTREE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_pop) -#define sk_GENERAL_SUBTREE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_dup) -#define sk_GENERAL_SUBTREE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_sort) -#define sk_GENERAL_SUBTREE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_is_sorted) -#define sk_GENERAL_SUBTREE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_set_cmp_func) -#define sk_GENERAL_SUBTREE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_GENERAL_SUBTREE_deep_copy) -#define sk_X509_PURPOSE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_call_free_func) -#define sk_X509_PURPOSE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_call_copy_func) -#define sk_X509_PURPOSE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_call_cmp_func) -#define sk_X509_PURPOSE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_new) -#define sk_X509_PURPOSE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_new_null) -#define sk_X509_PURPOSE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_num) -#define sk_X509_PURPOSE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_zero) -#define sk_X509_PURPOSE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_value) -#define sk_X509_PURPOSE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_set) -#define sk_X509_PURPOSE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_PURPOSE_free) -#define sk_X509_PURPOSE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_pop_free) -#define sk_X509_PURPOSE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_insert) -#define sk_X509_PURPOSE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_delete) -#define sk_X509_PURPOSE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_delete_ptr) -#define sk_X509_PURPOSE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_find) -#define sk_X509_PURPOSE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_shift) -#define sk_X509_PURPOSE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_push) -#define sk_X509_PURPOSE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_pop) -#define sk_X509_PURPOSE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_dup) -#define sk_X509_PURPOSE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_sort) -#define sk_X509_PURPOSE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_is_sorted) -#define sk_X509_PURPOSE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_set_cmp_func) -#define sk_X509_PURPOSE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_PURPOSE_deep_copy) #define sk_CONF_VALUE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_free_func) #define sk_CONF_VALUE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_copy_func) #define sk_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_call_cmp_func) 
@@ -4546,6 +4606,20 @@ #define lh_ASN1_OBJECT_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_doall_arg) #define lh_ASN1_OBJECT_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_doall) #define lh_ASN1_OBJECT_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_doall_arg) +#define lh_CONF_SECTION_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_func) +#define lh_CONF_SECTION_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_hash_func) +#define lh_CONF_SECTION_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_new) +#define lh_CONF_SECTION_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_free) +#define lh_CONF_SECTION_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_num_items) +#define lh_CONF_SECTION_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve) +#define lh_CONF_SECTION_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_cmp_key) +#define lh_CONF_SECTION_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_retrieve_key) +#define lh_CONF_SECTION_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_insert) +#define lh_CONF_SECTION_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_delete) +#define lh_CONF_SECTION_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall) +#define lh_CONF_SECTION_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_call_doall_arg) +#define lh_CONF_SECTION_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_doall) +#define lh_CONF_SECTION_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_SECTION_doall_arg) #define lh_CONF_VALUE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_cmp_func) #define lh_CONF_VALUE_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_call_hash_func) #define lh_CONF_VALUE_new 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_CONF_VALUE_new) @@ -4588,6 +4662,7 @@ #define lh_SSL_SESSION_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_call_doall_arg) #define lh_SSL_SESSION_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_doall) #define lh_SSL_SESSION_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_SSL_SESSION_doall_arg) +#define ssl_credential_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_credential_st) #define ssl_ctx_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_ctx_st) #define ssl_ech_keys_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_ech_keys_st) #define ssl_session_st BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ssl_session_st) diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h index e0e5ad878..a66e092ea 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h 
@@ -215,6 +215,32 @@ #define _BASIC_CONSTRAINTS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_free) #define _BASIC_CONSTRAINTS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_it) #define _BASIC_CONSTRAINTS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BASIC_CONSTRAINTS_new) +#define _BCM_fips_186_2_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_fips_186_2_prf) +#define _BCM_rand_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_rand_bytes) +#define _BCM_rand_bytes_hwrng BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_rand_bytes_hwrng) +#define _BCM_rand_bytes_with_additional_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_rand_bytes_with_additional_data) +#define _BCM_sha1_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_final) +#define _BCM_sha1_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_init) +#define _BCM_sha1_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_transform) +#define _BCM_sha1_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha1_update) +#define _BCM_sha224_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha224_final) +#define _BCM_sha224_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha224_init) +#define _BCM_sha224_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha224_update) +#define _BCM_sha256_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_final) +#define _BCM_sha256_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_init) +#define _BCM_sha256_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_transform) +#define _BCM_sha256_transform_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_transform_blocks) +#define _BCM_sha256_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha256_update) +#define _BCM_sha384_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha384_final) +#define _BCM_sha384_init 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha384_init) +#define _BCM_sha384_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha384_update) +#define _BCM_sha512_256_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_256_final) +#define _BCM_sha512_256_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_256_init) +#define _BCM_sha512_256_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_256_update) +#define _BCM_sha512_final BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_final) +#define _BCM_sha512_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_init) +#define _BCM_sha512_transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_transform) +#define _BCM_sha512_update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BCM_sha512_update) #define _BIO_append_filename BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_append_filename) #define _BIO_callback_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_callback_ctrl) #define _BIO_clear_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_clear_flags) @@ -232,6 +258,8 @@ #define _BIO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_free) #define _BIO_free_all BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_free_all) #define _BIO_get_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_data) +#define _BIO_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_ex_data) +#define _BIO_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_ex_new_index) #define _BIO_get_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_fd) #define _BIO_get_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_fp) #define _BIO_get_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_get_init) 
@@ -289,6 +317,7 @@ #define _BIO_set_conn_int_port BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_int_port) #define _BIO_set_conn_port BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_port) #define _BIO_set_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_data) +#define _BIO_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_ex_data) #define _BIO_set_fd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_fd) #define _BIO_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_flags) #define _BIO_set_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_fp) @@ -619,6 +648,7 @@ #define _CRYPTO_cleanup_all_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_cleanup_all_ex_data) #define _CRYPTO_ctr128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt) #define _CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32) +#define _CRYPTO_fips_186_2_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_fips_186_2_prf) #define _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_fork_detect_force_madv_wipeonfork_for_testing) #define _CRYPTO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free) #define _CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free_ex_data) 
@@ -635,10 +665,11 @@ #define _CRYPTO_get_dynlock_destroy_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_dynlock_destroy_callback) #define _CRYPTO_get_dynlock_lock_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_dynlock_lock_callback) #define _CRYPTO_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_ex_data) -#define _CRYPTO_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_ex_new_index) +#define _CRYPTO_get_ex_new_index_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_ex_new_index_ex) #define _CRYPTO_get_fork_generation BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_fork_generation) #define _CRYPTO_get_lock_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_lock_name) #define _CRYPTO_get_locking_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_locking_callback) +#define _CRYPTO_get_stderr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_stderr) #define _CRYPTO_get_thread_local BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_get_thread_local) #define _CRYPTO_ghash_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ghash_init) #define _CRYPTO_has_asm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_has_asm) 
@@ -684,15 +715,24 @@ #define _CTR_DRBG_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_init) #define _CTR_DRBG_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_new) #define _CTR_DRBG_reseed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CTR_DRBG_reseed) -#define _ChaCha20_ctr32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32) +#define _ChaCha20_ctr32_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_avx2) +#define _ChaCha20_ctr32_neon BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_neon) +#define _ChaCha20_ctr32_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_nohw) +#define _ChaCha20_ctr32_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3) +#define _ChaCha20_ctr32_ssse3_4x BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ChaCha20_ctr32_ssse3_4x) #define _DES_decrypt3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_decrypt3) #define _DES_ecb3_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb3_encrypt) +#define _DES_ecb3_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb3_encrypt_ex) #define _DES_ecb_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb_encrypt) +#define _DES_ecb_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ecb_encrypt_ex) #define _DES_ede2_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede2_cbc_encrypt) #define _DES_ede3_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt) +#define _DES_ede3_cbc_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ede3_cbc_encrypt_ex) #define _DES_encrypt3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_encrypt3) #define _DES_ncbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ncbc_encrypt) +#define _DES_ncbc_encrypt_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_ncbc_encrypt_ex) #define _DES_set_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key) +#define 
_DES_set_key_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key_ex) #define _DES_set_key_unchecked BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_key_unchecked) #define _DES_set_odd_parity BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DES_set_odd_parity) #define _DH_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_bits) 
@@ -722,6 +762,16 @@ #define _DH_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_size) #define _DH_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DH_up_ref) #define _DHparams_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DHparams_dup) +#define _DILITHIUM_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_generate_key) +#define _DILITHIUM_generate_key_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_generate_key_external_entropy) +#define _DILITHIUM_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_marshal_private_key) +#define _DILITHIUM_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_marshal_public_key) +#define _DILITHIUM_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_parse_private_key) +#define _DILITHIUM_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_parse_public_key) +#define _DILITHIUM_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_public_from_private) +#define _DILITHIUM_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_sign) +#define _DILITHIUM_sign_deterministic BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_sign_deterministic) +#define _DILITHIUM_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DILITHIUM_verify) #define _DIRECTORYSTRING_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIRECTORYSTRING_free) #define _DIRECTORYSTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIRECTORYSTRING_it) #define _DIRECTORYSTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIRECTORYSTRING_new) 
@@ -928,6 +978,7 @@ #define _ERR_get_error_line_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_get_error_line_data) #define _ERR_get_next_error_library BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_get_next_error_library) #define _ERR_lib_error_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_lib_error_string) +#define _ERR_lib_symbol_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_lib_symbol_name) #define _ERR_load_BIO_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_BIO_strings) #define _ERR_load_ERR_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_ERR_strings) #define _ERR_load_RAND_strings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_load_RAND_strings) @@ -945,6 +996,7 @@ #define _ERR_print_errors_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_print_errors_fp) #define _ERR_put_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_put_error) #define _ERR_reason_error_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_reason_error_string) +#define _ERR_reason_symbol_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_reason_symbol_name) #define _ERR_remove_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_remove_state) #define _ERR_remove_thread_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_remove_thread_state) #define _ERR_restore_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_restore_state) 
@@ -1117,6 +1169,7 @@ #define _EVP_PKEY_CTX_set0_rsa_oaep_label BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set0_rsa_oaep_label) #define _EVP_PKEY_CTX_set1_hkdf_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_key) #define _EVP_PKEY_CTX_set1_hkdf_salt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set1_hkdf_salt) +#define _EVP_PKEY_CTX_set_dh_pad BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dh_pad) #define _EVP_PKEY_CTX_set_dsa_paramgen_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_bits) #define _EVP_PKEY_CTX_set_dsa_paramgen_q_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_dsa_paramgen_q_bits) #define _EVP_PKEY_CTX_set_ec_param_enc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_ec_param_enc) @@ -1133,6 +1186,7 @@ #define _EVP_PKEY_CTX_set_rsa_pss_saltlen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_rsa_pss_saltlen) #define _EVP_PKEY_CTX_set_signature_md BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_CTX_set_signature_md) #define _EVP_PKEY_assign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign) +#define _EVP_PKEY_assign_DH BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_DH) #define _EVP_PKEY_assign_DSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_DSA) #define _EVP_PKEY_assign_EC_KEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_EC_KEY) #define _EVP_PKEY_assign_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_assign_RSA) 
@@ -1174,6 +1228,7 @@ #define _EVP_PKEY_print_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_print_params) #define _EVP_PKEY_print_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_print_private) #define _EVP_PKEY_print_public BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_print_public) +#define _EVP_PKEY_set1_DH BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_DH) #define _EVP_PKEY_set1_DSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_DSA) #define _EVP_PKEY_set1_EC_KEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_EC_KEY) #define _EVP_PKEY_set1_RSA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_PKEY_set1_RSA) @@ -1258,6 +1313,7 @@ #define _EVP_hpke_aes_256_gcm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_aes_256_gcm) #define _EVP_hpke_chacha20_poly1305 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_chacha20_poly1305) #define _EVP_hpke_hkdf_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_hkdf_sha256) +#define _EVP_hpke_p256_hkdf_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_p256_hkdf_sha256) #define _EVP_hpke_x25519_hkdf_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_hpke_x25519_hkdf_sha256) #define _EVP_marshal_digest_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_marshal_digest_algorithm) #define _EVP_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_marshal_private_key) 
@@ -1360,6 +1416,40 @@ #define _MD5_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MD5_Update) #define _METHOD_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, METHOD_ref) #define _METHOD_unref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, METHOD_unref) +#define _MLDSA65_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_generate_key) +#define _MLDSA65_generate_key_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_generate_key_external_entropy) +#define _MLDSA65_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_marshal_private_key) +#define _MLDSA65_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_marshal_public_key) +#define _MLDSA65_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_parse_private_key) +#define _MLDSA65_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_parse_public_key) +#define _MLDSA65_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_private_key_from_seed) +#define _MLDSA65_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_public_from_private) +#define _MLDSA65_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_sign) +#define _MLDSA65_sign_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_sign_internal) +#define _MLDSA65_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_verify) +#define _MLDSA65_verify_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLDSA65_verify_internal) +#define _MLKEM1024_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_decap) +#define _MLKEM1024_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_encap) +#define _MLKEM1024_encap_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_encap_external_entropy) +#define _MLKEM1024_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_generate_key) +#define 
_MLKEM1024_generate_key_external_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_generate_key_external_seed) +#define _MLKEM1024_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_marshal_private_key) +#define _MLKEM1024_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_marshal_public_key) +#define _MLKEM1024_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_parse_private_key) +#define _MLKEM1024_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_parse_public_key) +#define _MLKEM1024_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_private_key_from_seed) +#define _MLKEM1024_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM1024_public_from_private) +#define _MLKEM768_decap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_decap) +#define _MLKEM768_encap BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_encap) +#define _MLKEM768_encap_external_entropy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_encap_external_entropy) +#define _MLKEM768_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_generate_key) +#define _MLKEM768_generate_key_external_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_generate_key_external_seed) +#define _MLKEM768_marshal_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_marshal_private_key) +#define _MLKEM768_marshal_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_marshal_public_key) +#define _MLKEM768_parse_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_parse_private_key) +#define _MLKEM768_parse_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_parse_public_key) +#define _MLKEM768_private_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_private_key_from_seed) +#define _MLKEM768_public_from_private 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, MLKEM768_public_from_private) #define _NAME_CONSTRAINTS_check BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NAME_CONSTRAINTS_check) #define _NAME_CONSTRAINTS_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NAME_CONSTRAINTS_free) #define _NAME_CONSTRAINTS_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, NAME_CONSTRAINTS_it) @@ -1424,6 +1514,7 @@ #define _OPENSSL_gmtime_diff BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_gmtime_diff) #define _OPENSSL_hash32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_hash32) #define _OPENSSL_ia32cap_P BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_ia32cap_P) +#define _OPENSSL_init_cpuid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_init_cpuid) #define _OPENSSL_init_crypto BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_init_crypto) #define _OPENSSL_init_ssl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_init_ssl) #define _OPENSSL_isalnum BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, OPENSSL_isalnum) @@ -1638,7 +1729,6 @@ #define _RAND_SSLeay BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_SSLeay) #define _RAND_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_add) #define _RAND_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_bytes) -#define _RAND_bytes_with_additional_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_bytes_with_additional_data) #define _RAND_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_cleanup) #define _RAND_disable_fork_unsafe_buffering BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_disable_fork_unsafe_buffering) #define _RAND_egd BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RAND_egd) 
@@ -1662,6 +1752,7 @@ #define _RSA_PSS_PARAMS_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_PSS_PARAMS_new) #define _RSA_add_pkcs1_prefix BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_add_pkcs1_prefix) #define _RSA_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_bits) +#define _RSA_blinding_off BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_blinding_off) #define _RSA_blinding_on BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_blinding_on) #define _RSA_check_fips BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_check_fips) #define _RSA_check_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_check_key) 
@@ -1758,10 +1849,21 @@ #define _SHA512_Transform BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_Transform) #define _SHA512_Update BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SHA512_Update) #define _SIPHASH_24 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SIPHASH_24) +#define _SLHDSA_SHA2_128S_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_generate_key) +#define _SLHDSA_SHA2_128S_generate_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_generate_key_from_seed) +#define _SLHDSA_SHA2_128S_public_from_private BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_public_from_private) +#define _SLHDSA_SHA2_128S_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_sign) +#define _SLHDSA_SHA2_128S_sign_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_sign_internal) +#define _SLHDSA_SHA2_128S_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_verify) +#define _SLHDSA_SHA2_128S_verify_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SLHDSA_SHA2_128S_verify_internal) #define _SPAKE2_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_CTX_free) #define _SPAKE2_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_CTX_new) #define _SPAKE2_generate_msg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_generate_msg) #define _SPAKE2_process_msg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPAKE2_process_msg) +#define _SPX_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPX_generate_key) +#define _SPX_generate_key_from_seed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPX_generate_key_from_seed) +#define _SPX_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPX_sign) +#define _SPX_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SPX_verify) #define _SSL_CIPHER_description BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_description) #define _SSL_CIPHER_get_auth_nid 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_auth_nid) #define _SSL_CIPHER_get_bits BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CIPHER_get_bits) 
@@ -1786,8 +1888,23 @@ #define _SSL_COMP_get_compression_methods BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_get_compression_methods) #define _SSL_COMP_get_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_get_id) #define _SSL_COMP_get_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_COMP_get_name) +#define _SSL_CREDENTIAL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_free) +#define _SSL_CREDENTIAL_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_data) +#define _SSL_CREDENTIAL_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_get_ex_new_index) +#define _SSL_CREDENTIAL_new_delegated BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_delegated) +#define _SSL_CREDENTIAL_new_x509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_new_x509) +#define _SSL_CREDENTIAL_set1_cert_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_cert_chain) +#define _SSL_CREDENTIAL_set1_delegated_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_delegated_credential) +#define _SSL_CREDENTIAL_set1_ocsp_response BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_ocsp_response) +#define _SSL_CREDENTIAL_set1_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_private_key) +#define _SSL_CREDENTIAL_set1_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signed_cert_timestamp_list) +#define _SSL_CREDENTIAL_set1_signing_algorithm_prefs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set1_signing_algorithm_prefs) +#define _SSL_CREDENTIAL_set_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_ex_data) +#define _SSL_CREDENTIAL_set_private_key_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_set_private_key_method) +#define _SSL_CREDENTIAL_up_ref 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CREDENTIAL_up_ref) #define _SSL_CTX_add0_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add0_chain_cert) #define _SSL_CTX_add1_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add1_chain_cert) +#define _SSL_CTX_add1_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add1_credential) #define _SSL_CTX_add_cert_compression_alg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add_cert_compression_alg) #define _SSL_CTX_add_client_CA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add_client_CA) #define _SSL_CTX_add_extra_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_CTX_add_extra_chain_cert) @@ -2002,6 +2119,7 @@ #define _SSL_accept BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_accept) #define _SSL_add0_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add0_chain_cert) #define _SSL_add1_chain_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add1_chain_cert) +#define _SSL_add1_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add1_credential) #define _SSL_add_application_settings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add_application_settings) #define _SSL_add_bio_cert_subjects_to_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add_bio_cert_subjects_to_stack) #define _SSL_add_client_CA BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_add_client_CA) 
@@ -2021,7 +2139,6 @@ #define _SSL_clear_options BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_clear_options) #define _SSL_connect BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_connect) #define _SSL_cutthrough_complete BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_cutthrough_complete) -#define _SSL_delegated_credential_used BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_delegated_credential_used) #define _SSL_do_handshake BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_do_handshake) #define _SSL_dup_CA_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_dup_CA_list) #define _SSL_early_callback_ctx_extension_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_early_callback_ctx_extension_get) @@ -2037,6 +2154,7 @@ #define _SSL_generate_key_block BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_generate_key_block) #define _SSL_get0_alpn_selected BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_alpn_selected) #define _SSL_get0_certificate_types BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_certificate_types) +#define _SSL_get0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_chain) #define _SSL_get0_chain_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_chain_certs) #define _SSL_get0_ech_name_override BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_ech_name_override) #define _SSL_get0_ech_retry_configs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_ech_retry_configs) 
@@ -2047,6 +2165,7 @@ #define _SSL_get0_peer_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_peer_certificates) #define _SSL_get0_peer_delegation_algorithms BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_peer_delegation_algorithms) #define _SSL_get0_peer_verify_algorithms BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_peer_verify_algorithms) +#define _SSL_get0_selected_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_selected_credential) #define _SSL_get0_server_requested_CAs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_server_requested_CAs) #define _SSL_get0_session_id_context BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_session_id_context) #define _SSL_get0_signed_cert_timestamp_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_get0_signed_cert_timestamp_list) @@ -2176,7 +2295,6 @@ #define _SSL_set1_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_chain) #define _SSL_set1_curves BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_curves) #define _SSL_set1_curves_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_curves_list) -#define _SSL_set1_delegated_credential BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_delegated_credential) #define _SSL_set1_ech_config_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_ech_config_list) #define _SSL_set1_group_ids BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_group_ids) #define _SSL_set1_groups BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set1_groups) 
@@ -2194,6 +2312,8 @@ #define _SSL_set_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_bio) #define _SSL_set_cert_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_cert_cb) #define _SSL_set_chain_and_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_chain_and_key) +#define _SSL_set_check_client_certificate_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_check_client_certificate_type) +#define _SSL_set_check_ecdsa_curve BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_check_ecdsa_curve) #define _SSL_set_cipher_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_cipher_list) #define _SSL_set_client_CA_list BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_client_CA_list) #define _SSL_set_compliance_policy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, SSL_set_compliance_policy) @@ -2343,7 +2463,6 @@ #define _X509V3_EXT_nconf_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_nconf_nid) #define _X509V3_EXT_print BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_print) #define _X509V3_EXT_print_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_print_fp) -#define _X509V3_EXT_val_prn BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_EXT_val_prn) #define _X509V3_NAME_from_section BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_NAME_from_section) #define _X509V3_add1_i2d BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add1_i2d) #define _X509V3_add_standard_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509V3_add_standard_extensions) 
@@ -2397,7 +2516,6 @@ #define _X509_CRL_add_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_add_ext) #define _X509_CRL_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_cmp) #define _X509_CRL_delete_ext BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_delete_ext) -#define _X509_CRL_diff BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_diff) #define _X509_CRL_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_digest) #define _X509_CRL_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_dup) #define _X509_CRL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_CRL_free) 
@@ -2449,15 +2567,12 @@ #define _X509_EXTENSION_set_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_set_data) #define _X509_EXTENSION_set_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_EXTENSION_set_object) #define _X509_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_INFO_free) -#define _X509_INFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_INFO_new) -#define _X509_LOOKUP_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_by_subject) +#define _X509_LOOKUP_add_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_add_dir) #define _X509_LOOKUP_ctrl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_ctrl) #define _X509_LOOKUP_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_file) #define _X509_LOOKUP_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_free) #define _X509_LOOKUP_hash_dir BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_hash_dir) -#define _X509_LOOKUP_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_init) -#define _X509_LOOKUP_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_new) -#define _X509_LOOKUP_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_shutdown) +#define _X509_LOOKUP_load_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_LOOKUP_load_file) #define _X509_NAME_ENTRIES_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRIES_it) #define _X509_NAME_ENTRY_create_by_NID BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_NID) #define _X509_NAME_ENTRY_create_by_OBJ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_ENTRY_create_by_OBJ) 
@@ -2497,34 +2612,24 @@ #define _X509_NAME_print_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_print_ex) #define _X509_NAME_print_ex_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_print_ex_fp) #define _X509_NAME_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_NAME_set) +#define _X509_OBJECT_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_free) #define _X509_OBJECT_free_contents BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_free_contents) #define _X509_OBJECT_get0_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_get0_X509) #define _X509_OBJECT_get_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_get_type) -#define _X509_OBJECT_idx_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_idx_by_subject) -#define _X509_OBJECT_retrieve_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_retrieve_by_subject) -#define _X509_OBJECT_retrieve_match BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_retrieve_match) -#define _X509_OBJECT_up_ref_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_up_ref_count) -#define _X509_PKEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PKEY_free) -#define _X509_PKEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PKEY_new) +#define _X509_OBJECT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_OBJECT_new) #define _X509_PUBKEY_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_free) #define _X509_PUBKEY_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get) +#define _X509_PUBKEY_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0) #define _X509_PUBKEY_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0_param) #define _X509_PUBKEY_get0_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_get0_public_key) #define _X509_PUBKEY_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_it) 
#define _X509_PUBKEY_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_new) #define _X509_PUBKEY_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_set) #define _X509_PUBKEY_set0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PUBKEY_set0_param) -#define _X509_PURPOSE_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_add) -#define _X509_PURPOSE_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_cleanup) #define _X509_PURPOSE_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get0) -#define _X509_PURPOSE_get0_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get0_name) -#define _X509_PURPOSE_get0_sname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get0_sname) -#define _X509_PURPOSE_get_by_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_by_id) #define _X509_PURPOSE_get_by_sname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_by_sname) -#define _X509_PURPOSE_get_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_count) #define _X509_PURPOSE_get_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_id) #define _X509_PURPOSE_get_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_get_trust) -#define _X509_PURPOSE_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_PURPOSE_set) #define _X509_REQ_INFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_INFO_free) #define _X509_REQ_INFO_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_INFO_it) #define _X509_REQ_INFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_INFO_new) 
@@ -2540,6 +2645,7 @@ #define _X509_REQ_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_dup) #define _X509_REQ_extension_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_extension_nid) #define _X509_REQ_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_free) +#define _X509_REQ_get0_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get0_pubkey) #define _X509_REQ_get0_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get0_signature) #define _X509_REQ_get1_email BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get1_email) #define _X509_REQ_get_attr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_REQ_get_attr) 
@@ -2592,13 +2698,15 @@ #define _X509_STORE_CTX_get0_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_cert) #define _X509_STORE_CTX_get0_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_chain) #define _X509_STORE_CTX_get0_current_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_crl) -#define _X509_STORE_CTX_get0_current_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_current_issuer) #define _X509_STORE_CTX_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_param) #define _X509_STORE_CTX_get0_parent_ctx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_parent_ctx) #define _X509_STORE_CTX_get0_store BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_store) #define _X509_STORE_CTX_get0_untrusted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get0_untrusted) +#define _X509_STORE_CTX_get1_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_certs) #define _X509_STORE_CTX_get1_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_chain) +#define _X509_STORE_CTX_get1_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_crls) #define _X509_STORE_CTX_get1_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get1_issuer) +#define _X509_STORE_CTX_get_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_by_subject) #define _X509_STORE_CTX_get_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_chain) #define _X509_STORE_CTX_get_current_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_current_cert) #define _X509_STORE_CTX_get_error BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_error) 
@@ -2607,11 +2715,9 @@ #define _X509_STORE_CTX_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_get_ex_new_index) #define _X509_STORE_CTX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_init) #define _X509_STORE_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_new) -#define _X509_STORE_CTX_purpose_inherit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_purpose_inherit) #define _X509_STORE_CTX_set0_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_crls) #define _X509_STORE_CTX_set0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_param) #define _X509_STORE_CTX_set0_trusted_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set0_trusted_stack) -#define _X509_STORE_CTX_set_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_cert) #define _X509_STORE_CTX_set_chain BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_chain) #define _X509_STORE_CTX_set_default BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_default) #define _X509_STORE_CTX_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_depth) 
@@ -2624,56 +2730,23 @@ #define _X509_STORE_CTX_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_trust) #define _X509_STORE_CTX_set_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_set_verify_cb) #define _X509_STORE_CTX_trusted_stack BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_trusted_stack) -#define _X509_STORE_CTX_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_CTX_zero) #define _X509_STORE_add_cert BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_cert) #define _X509_STORE_add_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_crl) #define _X509_STORE_add_lookup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_add_lookup) #define _X509_STORE_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_free) #define _X509_STORE_get0_objects BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get0_objects) #define _X509_STORE_get0_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get0_param) -#define _X509_STORE_get1_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get1_certs) -#define _X509_STORE_get1_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get1_crls) -#define _X509_STORE_get_by_subject BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_by_subject) -#define _X509_STORE_get_cert_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_cert_crl) -#define _X509_STORE_get_check_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_check_crl) -#define _X509_STORE_get_check_issued BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_check_issued) -#define _X509_STORE_get_check_revocation BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_check_revocation) -#define _X509_STORE_get_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_cleanup) -#define _X509_STORE_get_get_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, 
X509_STORE_get_get_crl) -#define _X509_STORE_get_get_issuer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_get_issuer) -#define _X509_STORE_get_lookup_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_lookup_certs) -#define _X509_STORE_get_lookup_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_lookup_crls) -#define _X509_STORE_get_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_verify) -#define _X509_STORE_get_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_verify_cb) +#define _X509_STORE_get1_objects BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get1_objects) #define _X509_STORE_load_locations BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_load_locations) #define _X509_STORE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_new) #define _X509_STORE_set1_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set1_param) -#define _X509_STORE_set_cert_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_cert_crl) -#define _X509_STORE_set_check_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_check_crl) -#define _X509_STORE_set_check_issued BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_check_issued) -#define _X509_STORE_set_check_revocation BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_check_revocation) -#define _X509_STORE_set_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_cleanup) #define _X509_STORE_set_default_paths BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_default_paths) #define _X509_STORE_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_depth) #define _X509_STORE_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_flags) -#define _X509_STORE_set_get_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_get_crl) -#define _X509_STORE_set_get_issuer 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_get_issuer) -#define _X509_STORE_set_lookup_certs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_lookup_certs) -#define _X509_STORE_set_lookup_crls BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_lookup_crls) #define _X509_STORE_set_purpose BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_purpose) #define _X509_STORE_set_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_trust) -#define _X509_STORE_set_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_verify) #define _X509_STORE_set_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_verify_cb) #define _X509_STORE_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_up_ref) -#define _X509_TRUST_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_add) -#define _X509_TRUST_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_cleanup) -#define _X509_TRUST_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get0) -#define _X509_TRUST_get0_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get0_name) -#define _X509_TRUST_get_by_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get_by_id) -#define _X509_TRUST_get_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get_count) -#define _X509_TRUST_get_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get_flags) -#define _X509_TRUST_get_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get_trust) -#define _X509_TRUST_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_set) #define _X509_VAL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_free) #define _X509_VAL_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_it) #define _X509_VAL_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_new) 
@@ -2681,8 +2754,6 @@ #define _X509_VERIFY_PARAM_add1_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_add1_host) #define _X509_VERIFY_PARAM_clear_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_clear_flags) #define _X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_free) -#define _X509_VERIFY_PARAM_get0_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_name) -#define _X509_VERIFY_PARAM_get0_peername BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get0_peername) #define _X509_VERIFY_PARAM_get_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_depth) #define _X509_VERIFY_PARAM_get_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_get_flags) #define _X509_VERIFY_PARAM_inherit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_inherit) @@ -2693,7 +2764,6 @@ #define _X509_VERIFY_PARAM_set1_host BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_host) #define _X509_VERIFY_PARAM_set1_ip BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip) #define _X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_ip_asc) -#define _X509_VERIFY_PARAM_set1_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_name) #define _X509_VERIFY_PARAM_set1_policies BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set1_policies) #define _X509_VERIFY_PARAM_set_depth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_depth) #define _X509_VERIFY_PARAM_set_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VERIFY_PARAM_set_flags) 
@@ -2736,6 +2806,7 @@ #define _X509_get0_extensions BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_extensions) #define _X509_get0_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_notAfter) #define _X509_get0_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_notBefore) +#define _X509_get0_pubkey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_pubkey) #define _X509_get0_pubkey_bitstr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_pubkey_bitstr) #define _X509_get0_serialNumber BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_serialNumber) #define _X509_get0_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_get0_signature) @@ -2774,6 +2845,7 @@ #define _X509_getm_notAfter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_getm_notAfter) #define _X509_getm_notBefore BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_getm_notBefore) #define _X509_gmtime_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_gmtime_adj) +#define _X509_is_valid_trust_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_is_valid_trust_id) #define _X509_issuer_name_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_issuer_name_cmp) #define _X509_issuer_name_hash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_issuer_name_hash) #define _X509_issuer_name_hash_old BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_issuer_name_hash_old) 
@@ -2827,7 +2899,6 @@ #define _X509v3_get_ext_by_critical BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_by_critical) #define _X509v3_get_ext_count BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509v3_get_ext_count) #define ___clang_call_terminate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, __clang_call_terminate) -#define _a2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_GENERAL_NAME) #define _a2i_IPADDRESS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_IPADDRESS) #define _a2i_IPADDRESS_NC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, a2i_IPADDRESS_NC) #define _aes128gcmsiv_aes_ks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes128gcmsiv_aes_ks) @@ -2852,8 +2923,11 @@ #define _aes_hw_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_decrypt) #define _aes_hw_ecb_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_ecb_encrypt) #define _aes_hw_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_encrypt) +#define _aes_hw_encrypt_key_to_decrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_encrypt_key_to_decrypt_key) #define _aes_hw_set_decrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_decrypt_key) #define _aes_hw_set_encrypt_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_encrypt_key) +#define _aes_hw_set_encrypt_key_alt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_alt) +#define _aes_hw_set_encrypt_key_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_hw_set_encrypt_key_base) #define _aes_nohw_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_cbc_encrypt) #define _aes_nohw_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_ctr32_encrypt_blocks) #define _aes_nohw_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aes_nohw_decrypt) 
@@ -2882,6 +2956,7 @@ #define _asn1_refcount_set_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_refcount_set_one) #define _asn1_set_choice_selector BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_set_choice_selector) #define _asn1_type_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_cleanup) +#define _asn1_type_set0_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_set0_string) #define _asn1_type_value_as_pointer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_type_value_as_pointer) #define _asn1_utctime_to_tm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_utctime_to_tm) #define _beeu_mod_inverse_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, beeu_mod_inverse_vartime) 
@@ -2928,17 +3003,23 @@ #define _bn_mont_ctx_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_init) #define _bn_mont_ctx_set_RR_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_ctx_set_RR_consttime) #define _bn_mont_n0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mont_n0) +#define _bn_mul4x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul4x_mont) +#define _bn_mul4x_mont_gather5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul4x_mont_gather5) #define _bn_mul_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_add_words) #define _bn_mul_comba4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_comba4) #define _bn_mul_comba8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_comba8) #define _bn_mul_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_consttime) #define _bn_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont) -#define _bn_mul_mont_gather5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont_gather5) +#define _bn_mul_mont_gather5_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont_gather5_nohw) +#define _bn_mul_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_mont_nohw) #define _bn_mul_small BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_small) #define _bn_mul_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mul_words) +#define _bn_mulx4x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx4x_mont) +#define _bn_mulx4x_mont_gather5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_mulx4x_mont_gather5) #define _bn_odd_number_is_obviously_composite BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_odd_number_is_obviously_composite) #define _bn_one_to_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_one_to_montgomery) -#define _bn_power5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_power5) +#define _bn_power5_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_power5_nohw) +#define 
_bn_powerx5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_powerx5) #define _bn_rand_range_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_rand_range_words) #define _bn_rand_secret_range BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_rand_secret_range) #define _bn_reduce_once BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_reduce_once) @@ -2953,6 +3034,7 @@ #define _bn_set_static_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_set_static_words) #define _bn_set_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_set_words) #define _bn_sqr8x_internal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr8x_internal) +#define _bn_sqr8x_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr8x_mont) #define _bn_sqr_comba4 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_comba4) #define _bn_sqr_comba8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_comba8) #define _bn_sqr_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_sqr_consttime) 
@@ -2972,9 +3054,12 @@ #define _c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_INTEGER) #define _c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_OBJECT) #define _chacha20_poly1305_open BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_open) +#define _chacha20_poly1305_open_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_open_avx2) +#define _chacha20_poly1305_open_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_open_nohw) #define _chacha20_poly1305_seal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_seal) +#define _chacha20_poly1305_seal_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_seal_avx2) +#define _chacha20_poly1305_seal_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, chacha20_poly1305_seal_nohw) #define _crypto_gcm_clmul_enabled BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, crypto_gcm_clmul_enabled) -#define _d2i_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ACCESS_DESCRIPTION) #define _d2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_BIT_STRING) #define _d2i_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_BMPSTRING) #define _d2i_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ASN1_BOOLEAN) 
@@ -3007,8 +3092,6 @@ #define _d2i_DHparams_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DHparams_bio) #define _d2i_DIRECTORYSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DIRECTORYSTRING) #define _d2i_DISPLAYTEXT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DISPLAYTEXT) -#define _d2i_DIST_POINT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DIST_POINT) -#define _d2i_DIST_POINT_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DIST_POINT_NAME) #define _d2i_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAPrivateKey) #define _d2i_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAPrivateKey_bio) #define _d2i_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAPrivateKey_fp) @@ -3019,6 +3102,7 @@ #define _d2i_DSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSA_SIG) #define _d2i_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_DSAparams) #define _d2i_ECDSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECDSA_SIG) +#define _d2i_ECPKParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECPKParameters) #define _d2i_ECParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECParameters) #define _d2i_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECPrivateKey) #define _d2i_ECPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ECPrivateKey_bio) 
@@ -3026,15 +3110,12 @@ #define _d2i_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY) #define _d2i_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY_bio) #define _d2i_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EC_PUBKEY_fp) -#define _d2i_EDIPARTYNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EDIPARTYNAME) #define _d2i_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_EXTENDED_KEY_USAGE) #define _d2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_GENERAL_NAME) #define _d2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_GENERAL_NAMES) #define _d2i_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_ISSUING_DIST_POINT) #define _d2i_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKAC) #define _d2i_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NETSCAPE_SPKI) -#define _d2i_NOTICEREF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_NOTICEREF) -#define _d2i_OTHERNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_OTHERNAME) #define _d2i_PKCS12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12) #define _d2i_PKCS12_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12_bio) #define _d2i_PKCS12_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS12_fp) 
@@ -3047,8 +3128,6 @@ #define _d2i_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_PRIV_KEY_INFO_fp) #define _d2i_PKCS8_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_bio) #define _d2i_PKCS8_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PKCS8_fp) -#define _d2i_POLICYINFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_POLICYINFO) -#define _d2i_POLICYQUALINFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_POLICYQUALINFO) #define _d2i_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PUBKEY) #define _d2i_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PUBKEY_bio) #define _d2i_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_PUBKEY_fp) @@ -3068,7 +3147,6 @@ #define _d2i_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_RSA_PUBKEY_fp) #define _d2i_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_SSL_SESSION) #define _d2i_SSL_SESSION_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_SSL_SESSION_bio) -#define _d2i_USERNOTICE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_USERNOTICE) #define _d2i_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509) #define _d2i_X509_ALGOR BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_ALGOR) #define _d2i_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_ATTRIBUTE) 
@@ -3082,7 +3160,6 @@ #define _d2i_X509_EXTENSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_EXTENSION) #define _d2i_X509_EXTENSIONS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_EXTENSIONS) #define _d2i_X509_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_NAME) -#define _d2i_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_NAME_ENTRY) #define _d2i_X509_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_PUBKEY) #define _d2i_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ) #define _d2i_X509_REQ_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_REQ_INFO) @@ -3093,8 +3170,10 @@ #define _d2i_X509_VAL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_VAL) #define _d2i_X509_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_bio) #define _d2i_X509_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_fp) +#define _dh_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_asn1_meth) #define _dh_check_params_fast BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_check_params_fast) #define _dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test) +#define _dh_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_pkey_meth) #define _dsa_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_asn1_meth) #define _dsa_check_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_check_key) #define _ec_GFp_mont_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_add) 
@@ -3184,25 +3263,46 @@ #define _ec_set_to_safe_point BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_set_to_safe_point) #define _ec_simple_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_simple_scalar_inv0_montgomery) #define _ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_simple_scalar_to_montgomery_inv_vartime) -#define _ecdsa_do_verify_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_do_verify_no_self_test) -#define _ecdsa_sign_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_sign_with_nonce_for_known_answer_test) -#define _ecp_nistz256_avx2_select_w7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_avx2_select_w7) +#define _ecdsa_sign_fixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_sign_fixed) +#define _ecdsa_sign_fixed_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_sign_fixed_with_nonce_for_known_answer_test) +#define _ecdsa_verify_fixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_verify_fixed) +#define _ecdsa_verify_fixed_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_verify_fixed_no_self_test) #define _ecp_nistz256_div_by_2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_div_by_2) #define _ecp_nistz256_mul_by_2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_by_2) #define _ecp_nistz256_mul_by_3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_by_3) #define _ecp_nistz256_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_mont) +#define _ecp_nistz256_mul_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_adx) +#define _ecp_nistz256_mul_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_mont_nohw) #define _ecp_nistz256_neg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_neg) #define _ecp_nistz256_ord_mul_mont 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont) +#define _ecp_nistz256_ord_mul_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont_adx) +#define _ecp_nistz256_ord_mul_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont_nohw) #define _ecp_nistz256_ord_sqr_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont) +#define _ecp_nistz256_ord_sqr_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_adx) +#define _ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_sqr_mont_nohw) #define _ecp_nistz256_point_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add) +#define _ecp_nistz256_point_add_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_adx) #define _ecp_nistz256_point_add_affine BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine) +#define _ecp_nistz256_point_add_affine_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_adx) +#define _ecp_nistz256_point_add_affine_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_affine_nohw) +#define _ecp_nistz256_point_add_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_add_nohw) #define _ecp_nistz256_point_double BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_double) +#define _ecp_nistz256_point_double_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_double_adx) +#define _ecp_nistz256_point_double_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_point_double_nohw) #define _ecp_nistz256_select_w5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w5) +#define _ecp_nistz256_select_w5_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w5_avx2) +#define _ecp_nistz256_select_w5_nohw 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w5_nohw) #define _ecp_nistz256_select_w7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w7) +#define _ecp_nistz256_select_w7_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w7_avx2) +#define _ecp_nistz256_select_w7_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w7_nohw) #define _ecp_nistz256_sqr_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont) +#define _ecp_nistz256_sqr_mont_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_adx) +#define _ecp_nistz256_sqr_mont_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont_nohw) #define _ecp_nistz256_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sub) #define _ed25519_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_asn1_meth) #define _ed25519_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_pkey_meth) +#define _evp_md_md5_sha1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, evp_md_md5_sha1) +#define _evp_pkey_set_method BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, evp_pkey_set_method) #define _fiat_curve25519_adx_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_curve25519_adx_mul) #define _fiat_curve25519_adx_square BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_curve25519_adx_square) #define _fiat_p256_adx_mul BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, fiat_p256_adx_mul) 
@@ -3226,14 +3326,12 @@ #define _gcm_init_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_ssse3) #define _gcm_init_v8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_init_v8) #define _hkdf_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, hkdf_pkey_meth) -#define _i2a_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ACCESS_DESCRIPTION) #define _i2a_ASN1_ENUMERATED BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_ENUMERATED) #define _i2a_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_INTEGER) #define _i2a_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_OBJECT) #define _i2a_ASN1_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2a_ASN1_STRING) #define _i2c_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2c_ASN1_BIT_STRING) #define _i2c_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2c_ASN1_INTEGER) -#define _i2d_ACCESS_DESCRIPTION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ACCESS_DESCRIPTION) #define _i2d_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_BIT_STRING) #define _i2d_ASN1_BMPSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_BMPSTRING) #define _i2d_ASN1_BOOLEAN BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ASN1_BOOLEAN) 
@@ -3265,8 +3363,6 @@ #define _i2d_DHparams_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DHparams_bio) #define _i2d_DIRECTORYSTRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DIRECTORYSTRING) #define _i2d_DISPLAYTEXT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DISPLAYTEXT) -#define _i2d_DIST_POINT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DIST_POINT) -#define _i2d_DIST_POINT_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DIST_POINT_NAME) #define _i2d_DSAPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAPrivateKey) #define _i2d_DSAPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAPrivateKey_bio) #define _i2d_DSAPrivateKey_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAPrivateKey_fp) @@ -3277,6 +3373,7 @@ #define _i2d_DSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSA_SIG) #define _i2d_DSAparams BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_DSAparams) #define _i2d_ECDSA_SIG BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECDSA_SIG) +#define _i2d_ECPKParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECPKParameters) #define _i2d_ECParameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECParameters) #define _i2d_ECPrivateKey BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECPrivateKey) #define _i2d_ECPrivateKey_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ECPrivateKey_bio) 
@@ -3284,15 +3381,12 @@ #define _i2d_EC_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY) #define _i2d_EC_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY_bio) #define _i2d_EC_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EC_PUBKEY_fp) -#define _i2d_EDIPARTYNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EDIPARTYNAME) #define _i2d_EXTENDED_KEY_USAGE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_EXTENDED_KEY_USAGE) #define _i2d_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_GENERAL_NAME) #define _i2d_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_GENERAL_NAMES) #define _i2d_ISSUING_DIST_POINT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_ISSUING_DIST_POINT) #define _i2d_NETSCAPE_SPKAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKAC) #define _i2d_NETSCAPE_SPKI BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NETSCAPE_SPKI) -#define _i2d_NOTICEREF BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_NOTICEREF) -#define _i2d_OTHERNAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_OTHERNAME) #define _i2d_PKCS12 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12) #define _i2d_PKCS12_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12_bio) #define _i2d_PKCS12_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS12_fp) 
@@ -3309,8 +3403,6 @@ #define _i2d_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_PRIV_KEY_INFO_fp) #define _i2d_PKCS8_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_bio) #define _i2d_PKCS8_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PKCS8_fp) -#define _i2d_POLICYINFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_POLICYINFO) -#define _i2d_POLICYQUALINFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_POLICYQUALINFO) #define _i2d_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PUBKEY) #define _i2d_PUBKEY_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PUBKEY_bio) #define _i2d_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_PUBKEY_fp) @@ -3330,7 +3422,6 @@ #define _i2d_RSA_PUBKEY_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_RSA_PUBKEY_fp) #define _i2d_SSL_SESSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_SSL_SESSION) #define _i2d_SSL_SESSION_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_SSL_SESSION_bio) -#define _i2d_USERNOTICE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_USERNOTICE) #define _i2d_X509 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509) #define _i2d_X509_ALGOR BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_ALGOR) #define _i2d_X509_ATTRIBUTE BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_ATTRIBUTE) 
@@ -3345,7 +3436,6 @@ #define _i2d_X509_EXTENSION BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_EXTENSION) #define _i2d_X509_EXTENSIONS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_EXTENSIONS) #define _i2d_X509_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_NAME) -#define _i2d_X509_NAME_ENTRY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_NAME_ENTRY) #define _i2d_X509_PUBKEY BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_PUBKEY) #define _i2d_X509_REQ BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ) #define _i2d_X509_REQ_INFO BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, i2d_X509_REQ_INFO) 
@@ -3431,14 +3521,24 @@ #define _rsaz_1024_sqr_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_sqr_avx2) #define _s2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, s2i_ASN1_INTEGER) #define _s2i_ASN1_OCTET_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, s2i_ASN1_OCTET_STRING) -#define _sha1_block_data_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order) -#define _sha256_block_data_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order) -#define _sha512_block_data_order BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order) +#define _sha1_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_avx) +#define _sha1_block_data_order_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_avx2) +#define _sha1_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_hw) +#define _sha1_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_nohw) +#define _sha1_block_data_order_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha1_block_data_order_ssse3) +#define _sha256_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_avx) +#define _sha256_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_hw) +#define _sha256_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_nohw) +#define _sha256_block_data_order_ssse3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha256_block_data_order_ssse3) +#define _sha512_block_data_order_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_avx) +#define _sha512_block_data_order_hw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_hw) +#define _sha512_block_data_order_nohw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sha512_block_data_order_nohw) #define 
_sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func) #define _sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func) #define _sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy) #define _sk_CRYPTO_BUFFER_new_null BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_new_null) #define _sk_CRYPTO_BUFFER_num BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_num) +#define _sk_CRYPTO_BUFFER_pop BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_pop) #define _sk_CRYPTO_BUFFER_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_push) #define _sk_CRYPTO_BUFFER_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set) #define _sk_CRYPTO_BUFFER_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_value) 
@@ -3480,6 +3580,57 @@ #define _sk_pop_free_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_pop_free_ex) #define _sk_push BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_push) #define _sk_value BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, sk_value) +#define _slhdsa_fors_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_pk_from_sig) +#define _slhdsa_fors_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_sign) +#define _slhdsa_fors_sk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_sk_gen) +#define _slhdsa_fors_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_fors_treehash) +#define _slhdsa_ht_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_ht_sign) +#define _slhdsa_ht_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_ht_verify) +#define _slhdsa_thash_f BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_f) +#define _slhdsa_thash_h BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_h) +#define _slhdsa_thash_hmsg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_hmsg) +#define _slhdsa_thash_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_prf) +#define _slhdsa_thash_prfmsg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_prfmsg) +#define _slhdsa_thash_tk BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_tk) +#define _slhdsa_thash_tl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_thash_tl) +#define _slhdsa_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_treehash) +#define _slhdsa_wots_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_wots_pk_from_sig) +#define _slhdsa_wots_pk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_wots_pk_gen) +#define _slhdsa_wots_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_wots_sign) +#define _slhdsa_xmss_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_xmss_pk_from_sig) +#define _slhdsa_xmss_sign 
BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, slhdsa_xmss_sign) +#define _spx_base_b BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_base_b) +#define _spx_copy_keypair_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_copy_keypair_addr) +#define _spx_fors_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_fors_pk_from_sig) +#define _spx_fors_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_fors_sign) +#define _spx_fors_sk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_fors_sk_gen) +#define _spx_fors_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_fors_treehash) +#define _spx_get_tree_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_get_tree_index) +#define _spx_ht_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_ht_sign) +#define _spx_ht_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_ht_verify) +#define _spx_set_chain_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_chain_addr) +#define _spx_set_hash_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_hash_addr) +#define _spx_set_keypair_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_keypair_addr) +#define _spx_set_layer_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_layer_addr) +#define _spx_set_tree_addr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_tree_addr) +#define _spx_set_tree_height BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_tree_height) +#define _spx_set_tree_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_tree_index) +#define _spx_set_type BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_set_type) +#define _spx_thash_f BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_f) +#define _spx_thash_h BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_h) +#define _spx_thash_hmsg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_hmsg) +#define _spx_thash_prf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_prf) +#define 
_spx_thash_prfmsg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_prfmsg) +#define _spx_thash_tk BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_tk) +#define _spx_thash_tl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_thash_tl) +#define _spx_to_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_to_uint64) +#define _spx_treehash BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_treehash) +#define _spx_uint64_to_len_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_uint64_to_len_bytes) +#define _spx_wots_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_wots_pk_from_sig) +#define _spx_wots_pk_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_wots_pk_gen) +#define _spx_wots_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_wots_sign) +#define _spx_xmss_pk_from_sig BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_xmss_pk_from_sig) +#define _spx_xmss_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, spx_xmss_sign) #define _v2i_GENERAL_NAME BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAME) #define _v2i_GENERAL_NAMES BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAMES) #define _v2i_GENERAL_NAME_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v2i_GENERAL_NAME_ex) 
@@ -3546,6 +3697,7 @@ #define _x25519_sc_reduce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_sc_reduce) #define _x25519_scalar_mult_adx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_scalar_mult_adx) #define _x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509V3_add_value_asn1_string) +#define _x509_check_issued_with_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_check_issued_with_callback) #define _x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_sign_algorithm) #define _x509_digest_verify_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_verify_init) #define _x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_print_rsa_pss_params) diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bytestring.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bytestring.h index ce4016943..428a9c250 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bytestring.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bytestring.h 
@@ -58,17 +58,20 @@ struct cbs_st {
 
 // CBS_init sets |cbs| to point to |data|. It does not take ownership of
 // |data|.
-OPENSSL_EXPORT void CBS_init(CBS *cbs, const uint8_t *data, size_t len);
+OPENSSL_INLINE void CBS_init(CBS *cbs, const uint8_t *data, size_t len) {
+ cbs->data = data;
+ cbs->len = len;
+}
 
 // CBS_skip advances |cbs| by |len| bytes. It returns one on success and zero
 // otherwise.
 OPENSSL_EXPORT int CBS_skip(CBS *cbs, size_t len);
 
 // CBS_data returns a pointer to the contents of |cbs|.
-OPENSSL_EXPORT const uint8_t *CBS_data(const CBS *cbs);
+OPENSSL_INLINE const uint8_t *CBS_data(const CBS *cbs) { return cbs->data; }
 
 // CBS_len returns the number of bytes remaining in |cbs|.
-OPENSSL_EXPORT size_t CBS_len(const CBS *cbs);
+OPENSSL_INLINE size_t CBS_len(const CBS *cbs) { return cbs->len; }
 
 // CBS_stow copies the current contents of |cbs| into |*out_ptr| and
 // |*out_len|. If |*out_ptr| is not NULL, the contents are freed with
@@ -636,6 +639,9 @@ OPENSSL_EXPORT int CBB_flush_asn1_set_of(CBB *cbb);
 
 
 // Unicode utilities.
+//
+// These functions consider noncharacters (see section 23.7 from Unicode 15.0.0)
+// to be invalid code points and will treat them as an error condition.
 
 // The following functions read one Unicode code point from |cbs| with the
 // corresponding encoding and store it in |*out|. They return one on success and
@@ -650,7 +656,9 @@ OPENSSL_EXPORT int CBS_get_utf32_be(CBS *cbs, uint32_t *out);
 OPENSSL_EXPORT size_t CBB_get_utf8_len(uint32_t u);
 
 // The following functions encode |u| to |cbb| with the corresponding
-// encoding. They return one on success and zero on error.
+// encoding. They return one on success and zero on error. Error conditions
+// include |u| being an invalid code point, or |u| being unencodable in the
+// specified encoding.
 OPENSSL_EXPORT int CBB_add_utf8(CBB *cbb, uint32_t u);
 OPENSSL_EXPORT int CBB_add_latin1(CBB *cbb, uint32_t u);
 OPENSSL_EXPORT int CBB_add_ucs2_be(CBB *cbb, uint32_t u);
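Review bot: `CBS_init`, `CBS_data` and `CBS_len` in the first hunk change from `OPENSSL_EXPORT` declarations to `OPENSSL_INLINE` definitions, so the library no longer exports those three symbols; anything in this package that resolved them by symbol name rather than through the header (a Swift `@_silgen_name` binding, if one exists — the generated `_CBS_*` prefix macros themselves are harmless) would stop linking and should be checked in the fixup commit. The inline body stores the `data` pointer without copying, which the existing comment only implies with "does not take ownership"; I would state the lifetime requirement explicitly: `// The caller must keep |data| valid for as long as |cbs| is used.` The header is vendored from upstream, so the wording change belongs there as well.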
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_conf.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_conf.h
index ce235d63f..7f7d4d1f0 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_conf.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_conf.h
@@ -67,7 +67,9 @@ extern "C" {
 #endif
 
 
-// Config files look like:
+// Config files.
+//
+// This library handles OpenSSL's config files, which look like:
 //
 // # Comment
 //
@@ -82,6 +84,7 @@ extern "C" {
 // untrusted input as a config file risks string injection and denial of service
 // vulnerabilities.
 
+
 struct conf_value_st {
 char *section;
 char *name;
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_crypto.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_crypto.h
index c37eee350..b8cf975bf 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_crypto.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_crypto.h
@@ -32,18 +32,9 @@ extern "C" {
 #endif
 
 
-// crypto.h contains functions for initializing the crypto library.
+// crypto.h contains functions for library-wide initialization and properties.
 
 
-// CRYPTO_library_init initializes the crypto library. It must be called if the
-// library is built with BORINGSSL_NO_STATIC_INITIALIZER. Otherwise, it does
-// nothing and a static initializer is used instead. It is safe to call this
-// function multiple times and concurrently from multiple threads.
-//
-// On some ARM configurations, this function may require filesystem access and
-// should be called before entering a sandbox.
-OPENSSL_EXPORT void CRYPTO_library_init(void);
-
 // CRYPTO_is_confidential_build returns one if the linked version of BoringSSL
 // has been built with the BORINGSSL_CONFIDENTIAL define and zero otherwise.
 //
@@ -154,6 +145,8 @@ OPENSSL_EXPORT int ENGINE_register_all_complete(void);
 // OPENSSL_load_builtin_modules does nothing.
 OPENSSL_EXPORT void OPENSSL_load_builtin_modules(void);
 
+// OPENSSL_INIT_* are options in OpenSSL to configure the library. In BoringSSL,
+// they do nothing.
 #define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0
 #define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0
 #define OPENSSL_INIT_ADD_ALL_CIPHERS 0
@@ -162,8 +155,18 @@ OPENSSL_EXPORT void OPENSSL_load_builtin_modules(void);
 #define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0
 #define OPENSSL_INIT_LOAD_CONFIG 0
 #define OPENSSL_INIT_NO_LOAD_CONFIG 0
-
-// OPENSSL_init_crypto calls |CRYPTO_library_init| and returns one.
+#define OPENSSL_INIT_NO_ATEXIT 0
+#define OPENSSL_INIT_ATFORK 0
+#define OPENSSL_INIT_ENGINE_RDRAND 0
+#define OPENSSL_INIT_ENGINE_DYNAMIC 0
+#define OPENSSL_INIT_ENGINE_OPENSSL 0
+#define OPENSSL_INIT_ENGINE_CRYPTODEV 0
+#define OPENSSL_INIT_ENGINE_CAPI 0
+#define OPENSSL_INIT_ENGINE_PADLOCK 0
+#define OPENSSL_INIT_ENGINE_AFALG 0
+#define OPENSSL_INIT_ENGINE_ALL_BUILTIN 0
+
+// OPENSSL_init_crypto returns one.
 OPENSSL_EXPORT int OPENSSL_init_crypto(uint64_t opts,
 const OPENSSL_INIT_SETTINGS *settings);
 
@@ -177,6 +180,9 @@ OPENSSL_EXPORT int FIPS_mode_set(int on);
 // FIPS_module_name returns the name of the FIPS module.
 OPENSSL_EXPORT const char *FIPS_module_name(void);
 
+// FIPS_module_hash returns the 32-byte hash of the FIPS module.
+OPENSSL_EXPORT const uint8_t* FIPS_module_hash(void);
+
 // FIPS_version returns the version of the FIPS module, or zero if the build
 // isn't exactly at a verified version. The version, expressed in base 10, will
 // be a date in the form yyyymmddXX where XX is often "00", but can be
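Review bot: The new `FIPS_module_hash` declaration in the third hunk (`@@ -177,6 +180,9 @@`) is written as `const uint8_t* FIPS_module_hash(void)`, binding the `*` to the type, whereas every neighbouring declaration binds it to the name (`const char *FIPS_module_name(void)` two lines above); I would write `OPENSSL_EXPORT const uint8_t *FIPS_module_hash(void);`. Its comment also says only that it returns the 32-byte hash, leaving unstated what a non-FIPS build returns and how long the returned pointer stays valid, neither of which is visible from the header; the comment should answer both, e.g. `// FIPS_module_hash returns a pointer to the 32-byte hash of the FIPS module.` followed by a sentence on the non-FIPS case and on the pointer's lifetime. The `FIPS_version` comment just below it already documents its non-FIPS result, so the two would then be consistent. This header is vendored from upstream, so the fix belongs there rather than in this commit.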
@@ -195,6 +201,10 @@ OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm); OPENSSL_EXPORT int CRYPTO_has_broken_NEON(void); #endif +// CRYPTO_library_init does nothing. Historically, it was needed in some build +// configurations to initialization the library. This is no longer necessary. +OPENSSL_EXPORT void CRYPTO_library_init(void); + #if defined(__cplusplus) } // extern C diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_curve25519.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_curve25519.h index 605d25bb2..d131888ff 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_curve25519.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_curve25519.h @@ -161,10 +161,10 @@ OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, // |*out_key_len| to the number of bytes written. // // The resulting keying material is suitable for: -// a) Using directly in a key-confirmation step: i.e. each side could +// - Using directly in a key-confirmation step: i.e. each side could // transmit a hash of their role, a channel-binding value and the key // material to prove to the other side that they know the shared key. -// b) Using as input keying material to HKDF to generate a variety of subkeys +// - Using as input keying material to HKDF to generate a variety of subkeys // for encryption etc. // // If |max_out_key_key| is smaller than the amount of key material generated diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h index d50ec4e2c..e361c1142 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h 
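Review bot: The new comment on `CRYPTO_library_init` reads `to initialization the library`, which should be `to initialize the library`. Since the declaration is being moved from the top of this header (removed in the first hunk of this file), it would also help callers to say why it is retained, e.g. `// CRYPTO_library_init does nothing. Historically, it was needed in some build` / `// configurations to initialize the library. It is kept for source compatibility.`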
@@ -163,19 +163,6 @@ OPENSSL_EXPORT void DES_ede3_cfb_encrypt(const uint8_t *in, uint8_t *out, DES_cblock *ivec, int enc); -// Private functions. -// -// These functions are only exported for use in |decrepit|. - -OPENSSL_EXPORT void DES_decrypt3(uint32_t *data, const DES_key_schedule *ks1, - const DES_key_schedule *ks2, - const DES_key_schedule *ks3); - -OPENSSL_EXPORT void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, - const DES_key_schedule *ks2, - const DES_key_schedule *ks3); - - #if defined(__cplusplus) } // extern C #endif diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dh.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dh.h index 1fcf82f24..a11f7b2b8 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dh.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dh.h @@ -75,6 +75,12 @@ extern "C" { // Allocation and destruction. +// +// A |DH| object represents a Diffie-Hellman key or group parameters. A given +// object may be used concurrently on multiple threads by non-mutating +// functions, provided no other thread is concurrently calling a mutating +// function. Unless otherwise documented, functions which take a |const| pointer +// are non-mutating and functions which take a non-|const| pointer are mutating. // DH_new returns a new, empty DH object or NULL on error. OPENSSL_EXPORT DH *DH_new(void); 
@@ -83,12 +89,17 @@ OPENSSL_EXPORT DH *DH_new(void); // count drops to zero. OPENSSL_EXPORT void DH_free(DH *dh); -// DH_up_ref increments the reference count of |dh| and returns one. +// DH_up_ref increments the reference count of |dh| and returns one. It does not +// mutate |dh| for thread-safety purposes and may be used concurrently. OPENSSL_EXPORT int DH_up_ref(DH *dh); // Properties. +// OPENSSL_DH_MAX_MODULUS_BITS is the maximum supported Diffie-Hellman group +// modulus, in bits. +#define OPENSSL_DH_MAX_MODULUS_BITS 10000 + // DH_bits returns the size of |dh|'s group modulus, in bits. OPENSSL_EXPORT unsigned DH_bits(const DH *dh); @@ -214,6 +225,9 @@ OPENSSL_EXPORT int DH_generate_key(DH *dh); // Callers that expect a fixed-width secret should use this function over // |DH_compute_key|. Callers that use either function should migrate to a modern // primitive such as X25519 or ECDH with P-256 instead. +// +// This function does not mutate |dh| for thread-safety purposes and may be used +// concurrently. OPENSSL_EXPORT int DH_compute_key_padded(uint8_t *out, const BIGNUM *peers_key, DH *dh); @@ -225,6 +239,9 @@ OPENSSL_EXPORT int DH_compute_key_padded(uint8_t *out, const BIGNUM *peers_key, // // NOTE: this follows the usual BoringSSL return-value convention, but that's // different from |DH_compute_key| and |DH_compute_key_padded|. +// +// This function does not mutate |dh| for thread-safety purposes and may be used +// concurrently. OPENSSL_EXPORT int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, size_t max_out_len, const BIGNUM *peers_key, 
@@ -327,6 +344,9 @@ OPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp); // Callers that expect a fixed-width secret should use |DH_compute_key_padded| // instead. Callers that use either function should migrate to a modern // primitive such as X25519 or ECDH with P-256 instead. +// +// This function does not mutate |dh| for thread-safety purposes and may be used +// concurrently. OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key, DH *dh); diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dsa.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dsa.h index d1f412054..cceece50f 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dsa.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_dsa.h @@ -78,6 +78,12 @@ extern "C" { // Allocation and destruction. +// +// A |DSA| object represents a DSA key or group parameters. A given object may +// be used concurrently on multiple threads by non-mutating functions, provided +// no other thread is concurrently calling a mutating function. Unless otherwise +// documented, functions which take a |const| pointer are non-mutating and +// functions which take a non-|const| pointer are mutating. // DSA_new returns a new, empty DSA object or NULL on error. OPENSSL_EXPORT DSA *DSA_new(void); @@ -86,12 +92,17 @@ OPENSSL_EXPORT DSA *DSA_new(void); // reference count drops to zero. OPENSSL_EXPORT void DSA_free(DSA *dsa); -// DSA_up_ref increments the reference count of |dsa| and returns one. +// DSA_up_ref increments the reference count of |dsa| and returns one. It does +// not mutate |dsa| for thread-safety purposes and may be used concurrently. OPENSSL_EXPORT int DSA_up_ref(DSA *dsa); // Properties. +// OPENSSL_DSA_MAX_MODULUS_BITS is the maximum supported DSA group modulus, in +// bits. +#define OPENSSL_DSA_MAX_MODULUS_BITS 10000 + // DSA_bits returns the size of |dsa|'s group modulus, in bits. OPENSSL_EXPORT unsigned DSA_bits(const DSA *dsa); 
@@ -216,7 +227,7 @@ OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, // // TODO(fork): deprecate. OPENSSL_EXPORT int DSA_do_verify(const uint8_t *digest, size_t digest_len, - DSA_SIG *sig, const DSA *dsa); + const DSA_SIG *sig, const DSA *dsa); // DSA_do_check_signature sets |*out_valid| to zero. Then it verifies that |sig| // is a valid signature, by the public key in |dsa| of the hash in |digest| @@ -225,7 +236,7 @@ OPENSSL_EXPORT int DSA_do_verify(const uint8_t *digest, size_t digest_len, // It returns one if it was able to verify the signature as valid or invalid, // and zero on error. OPENSSL_EXPORT int DSA_do_check_signature(int *out_valid, const uint8_t *digest, - size_t digest_len, DSA_SIG *sig, + size_t digest_len, const DSA_SIG *sig, const DSA *dsa); diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec.h index 3c6ba3c1a..3a2aba7fb 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec.h @@ -100,6 +100,16 @@ typedef enum { // Elliptic curve groups. +// +// Elliptic curve groups are represented by |EC_GROUP| objects. Unlike OpenSSL, +// if limited to the APIs in this section, callers may treat |EC_GROUP|s as +// static, immutable objects which do not need to be copied or released. In +// BoringSSL, only custom |EC_GROUP|s created by |EC_GROUP_new_curve_GFp| +// (deprecated) are dynamic. +// +// Callers may cast away |const| and use |EC_GROUP_dup| and |EC_GROUP_free| with +// static groups, for compatibility with OpenSSL or dynamic groups, but it is +// otherwise unnecessary. // EC_group_p224 returns an |EC_GROUP| for P-224, also known as secp224r1. OPENSSL_EXPORT const EC_GROUP *EC_group_p224(void); 
@@ -121,10 +131,10 @@ OPENSSL_EXPORT const EC_GROUP *EC_group_p521(void); // calling |EC_GROUP_free| is optional. // // The supported NIDs are: -// NID_secp224r1 (P-224), -// NID_X9_62_prime256v1 (P-256), -// NID_secp384r1 (P-384), -// NID_secp521r1 (P-521) +// - |NID_secp224r1| (P-224) +// - |NID_X9_62_prime256v1| (P-256) +// - |NID_secp384r1| (P-384) +// - |NID_secp521r1| (P-521) // // Calling this function causes all four curves to be linked into the binary. // Prefer calling |EC_group_*| to allow the static linker to drop unused curves. @@ -133,12 +143,6 @@ OPENSSL_EXPORT const EC_GROUP *EC_group_p521(void); // more modern primitives. OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid); -// EC_GROUP_free releases a reference to |group|. -OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group); - -// EC_GROUP_dup takes a reference to |a| and returns it. -OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *a); - // EC_GROUP_cmp returns zero if |a| and |b| are the same group and non-zero // otherwise. OPENSSL_EXPORT int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, 
@@ -363,9 +367,27 @@ OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu( // Deprecated functions. +// EC_GROUP_free releases a reference to |group|, if |group| was created by +// |EC_GROUP_new_curve_GFp|. If |group| is static, it does nothing. +// +// This function exists for OpenSSL compatibilty, and to manage dynamic +// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need +// either may ignore this function. +OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group); + +// EC_GROUP_dup increments |group|'s reference count and returns it, if |group| +// was created by |EC_GROUP_new_curve_GFp|. If |group| is static, it simply +// returns |group|. +// +// This function exists for OpenSSL compatibilty, and to manage dynamic +// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need +// either may ignore this function. +OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *group); + // EC_GROUP_new_curve_GFp creates a new, arbitrary elliptic curve group based // on the equation y² = x³ + a·x + b. It returns the new group or NULL on -// error. +// error. The lifetime of the resulting object must be managed with +// |EC_GROUP_dup| and |EC_GROUP_free|. // // This new group has no generator. It is an error to use a generator-less group // with any functions except for |EC_GROUP_free|, |EC_POINT_new|, diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec_key.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec_key.h index 8c6797509..f11603e5d 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec_key.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ec_key.h 
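Review bot: Both new comments on `EC_GROUP_free` and `EC_GROUP_dup` misspell "compatibility" as `compatibilty`; the line should read `// This function exists for OpenSSL compatibility, and to manage dynamic`. The rest of the relocated documentation reads well and agrees with the new group-lifetime text added in the earlier hunk of this file.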
@@ -351,8 +351,24 @@ OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey(EC_KEY **out_key, const uint8_t **inp, // Use |EC_KEY_marshal_private_key| instead. OPENSSL_EXPORT int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp); +// d2i_ECPKParameters parses a DER-encoded ECParameters structure (RFC 5480) +// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. For legacy reasons, +// it recognizes the specifiedCurve form, but only for curves that are already +// supported as named curves. +// +// Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead. +OPENSSL_EXPORT EC_GROUP *d2i_ECPKParameters(EC_GROUP **out, const uint8_t **inp, + long len); + +// i2d_ECPKParameters marshals |group| as a DER-encoded ECParameters structure +// (RFC 5480), as described in |i2d_SAMPLE|. +// +// Use |EC_KEY_marshal_curve_name| instead. +OPENSSL_EXPORT int i2d_ECPKParameters(const EC_GROUP *group, uint8_t **outp); + // d2i_ECParameters parses a DER-encoded ECParameters structure (RFC 5480) from -// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. +// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. It returns the result as +// an |EC_KEY| with parameters, but no key, configured. // // Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead. OPENSSL_EXPORT EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp, diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_err.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_err.h index 567c192c8..1e8ea553a 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_err.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_err.h 
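Review bot: The comment on the new `d2i_ECPKParameters` does not say how the returned `EC_GROUP *` is to be released, even though this same commit documents in ec.h that static groups need no `EC_GROUP_free` while `EC_GROUP_new_curve_GFp` groups do. Because the text says only named curves are recognized, the result is presumably always a static group, but that is an inference from the comment rather than from the hunk. I'd state it explicitly, e.g. `// The returned group is a static |EC_GROUP|; passing it to |EC_GROUP_free| is` / `// permitted for OpenSSL compatibility but not required.`, after confirming against the implementation.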
@@ -244,6 +244,19 @@ OPENSSL_EXPORT const char *ERR_lib_error_string(uint32_t packed_error); // |packed_error|, or a placeholder string if the reason is unrecognized. OPENSSL_EXPORT const char *ERR_reason_error_string(uint32_t packed_error); +// ERR_lib_symbol_name returns the symbol name of library that generated +// |packed_error|, or NULL if unrecognized. For example, an error from +// |ERR_LIB_EVP| would return "EVP". +OPENSSL_EXPORT const char *ERR_lib_symbol_name(uint32_t packed_error); + +// ERR_reason_symbol_name returns the symbol name of the reason for +// |packed_error|, or NULL if unrecognized. For example, |ERR_R_INTERNAL_ERROR| +// would return "INTERNAL_ERROR". +// +// Errors from the |ERR_LIB_SYS| library are typically |errno| values and will +// return NULL. User-defined errors will also return NULL. +OPENSSL_EXPORT const char *ERR_reason_symbol_name(uint32_t packed_error); + // ERR_print_errors_callback_t is the type of a function used by // |ERR_print_errors_cb|. It takes a pointer to a human readable string (and // its length) that describes an entry in the error queue. The |ctx| argument diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp.h index 098e9b59b..579703a7d 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp.h @@ -136,10 +136,6 @@ OPENSSL_EXPORT int EVP_PKEY_bits(const EVP_PKEY *pkey); // values. OPENSSL_EXPORT int EVP_PKEY_id(const EVP_PKEY *pkey); -// EVP_PKEY_type returns |nid| if |nid| is a known key type and |NID_undef| -// otherwise. -OPENSSL_EXPORT int EVP_PKEY_type(int nid); - // Getting and setting concrete public key types. // 
@@ -171,6 +167,11 @@ OPENSSL_EXPORT int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key); OPENSSL_EXPORT EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey); OPENSSL_EXPORT EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey); +OPENSSL_EXPORT int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key); +OPENSSL_EXPORT int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key); +OPENSSL_EXPORT DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey); +OPENSSL_EXPORT DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey); + #define EVP_PKEY_NONE NID_undef #define EVP_PKEY_RSA NID_rsaEncryption #define EVP_PKEY_RSA_PSS NID_rsassaPss @@ -179,6 +180,7 @@ OPENSSL_EXPORT EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey); #define EVP_PKEY_ED25519 NID_ED25519 #define EVP_PKEY_X25519 NID_X25519 #define EVP_PKEY_HKDF NID_hkdf +#define EVP_PKEY_DH NID_dhKeyAgreement // EVP_PKEY_set_type sets the type of |pkey| to |type|. It returns one if // successful or zero if the |type| argument is not one of the |EVP_PKEY_*| 
@@ -814,11 +816,23 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid); -// Deprecated functions. +// Diffie-Hellman-specific control functions. -// EVP_PKEY_DH is defined for compatibility, but it is impossible to create an -// |EVP_PKEY| of that type. -#define EVP_PKEY_DH NID_dhKeyAgreement +// EVP_PKEY_CTX_set_dh_pad configures configures whether |ctx|, which must be an +// |EVP_PKEY_derive| operation, configures the handling of leading zeros in the +// Diffie-Hellman shared secret. If |pad| is zero, leading zeros are removed +// from the secret. If |pad| is non-zero, the fixed-width shared secret is used +// unmodified, as in PKCS #3. If this function is not called, the default is to +// remove leading zeros. +// +// WARNING: The behavior when |pad| is zero leaks information about the shared +// secret. This may result in side channel attacks such as +// https://raccoon-attack.com/, particularly when the same private key is used +// for multiple operations. +OPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad); + + +// Deprecated functions. // EVP_PKEY_RSA2 was historically an alternate form for RSA public keys (OID // 2.5.8.1.1), but is no longer accepted. @@ -917,12 +931,6 @@ OPENSSL_EXPORT EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp, OPENSSL_EXPORT EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out, const uint8_t **inp, long len); -// EVP_PKEY_get0_DH returns NULL. -OPENSSL_EXPORT DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey); - -// EVP_PKEY_get1_DH returns NULL. -OPENSSL_EXPORT DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey); - // EVP_PKEY_CTX_set_ec_param_enc returns one if |encoding| is // |OPENSSL_EC_NAMED_CURVE| or zero with an error otherwise. OPENSSL_EXPORT int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, 
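Review bot: The first sentence of the new `EVP_PKEY_CTX_set_dh_pad` comment is garbled (`configures configures whether |ctx| ... configures the handling`); it should read `// EVP_PKEY_CTX_set_dh_pad configures how |ctx|, which must be an` / `// |EVP_PKEY_derive| operation, handles leading zeros in the Diffie-Hellman` / `// shared secret.` The WARNING is valuable, but since the comment also says the default is to strip leading zeros, it is worth stating in the WARNING itself that the default is the leaky behaviour and that callers should pass a non-zero |pad| unless interoperability forces otherwise.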
@@ -1036,6 +1044,9 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, // Use the |EVP_PKEY_assign_*| functions instead. OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); +// EVP_PKEY_type returns |nid|. +OPENSSL_EXPORT int EVP_PKEY_type(int nid); + // Preprocessor compatibility section (hidden). // diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp_errors.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp_errors.h index 8583f521c..163f17e2b 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp_errors.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_evp_errors.h @@ -95,5 +95,6 @@ #define EVP_R_NOT_XOF_OR_INVALID_LENGTH 135 #define EVP_R_EMPTY_PSK 136 #define EVP_R_INVALID_BUFFER_SIZE 137 +#define EVP_R_EXPECTING_A_DH_KEY 138 #endif // OPENSSL_HEADER_EVP_ERRORS_H diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ex_data.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ex_data.h index 030fe16a2..5d37148c6 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ex_data.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ex_data.h @@ -129,11 +129,11 @@ typedef struct crypto_ex_data_st CRYPTO_EX_DATA; // Type-specific functions. -// -// Each type that supports ex_data provides three functions: #if 0 // Sample +// Each type that supports ex_data provides three functions: + // TYPE_get_ex_new_index allocates a new index for |TYPE|. An optional // |free_func| argument may be provided which is called when the owning object // is destroyed. See |CRYPTO_EX_free| for details. The |argl| and |argp| 
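Review bot: The relocated `EVP_PKEY_type` is now documented only as "returns |nid|", whereas the declaration removed in the first evp.h hunk said it returned |NID_undef| for unknown key types; if the behaviour really changed, the comment should say so explicitly so callers relying on the old sentinel notice, e.g. `// EVP_PKEY_type returns |nid|. It does not check whether |nid| is a known key type.` If the implementation still validates, the comment is instead incomplete; either way it is worth confirming against the source.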
@@ -153,6 +153,18 @@ OPENSSL_EXPORT int TYPE_set_ex_data(TYPE *t, int index, void *arg); // previous call to |TYPE_get_ex_new_index|. OPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index); +// Some types additionally preallocate index zero, with all callbacks set to +// NULL. Applications that do not need the general ex_data machinery may use +// this instead. + +// TYPE_set_app_data sets |t|'s application data pointer to |arg|. It returns +// one on success and zero on error. +OPENSSL_EXPORT int TYPE_set_app_data(TYPE *t, void *arg); + +// TYPE_get_app_data returns the application data pointer for |t|, or NULL if no +// such pointer exists. +OPENSSL_EXPORT void *TYPE_get_app_data(const TYPE *t); + #endif // Sample @@ -163,10 +175,11 @@ OPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index); // callback has been passed to |SSL_get_ex_new_index| then it may be called each // time an |SSL*| is destroyed. // -// The callback is passed the new object (i.e. the |SSL*|) in |parent|. The -// arguments |argl| and |argp| contain opaque values that were given to -// |CRYPTO_get_ex_new_index|. The callback should return one on success, but -// the value is ignored. +// The callback is passed the to-be-destroyed object (i.e. the |SSL*|) in +// |parent|. As |parent| will shortly be destroyed, callers must not perform +// operations that would increment its reference count, pass ownership, or +// assume the object outlives the function call. The arguments |argl| and |argp| +// contain opaque values that were given to |CRYPTO_get_ex_new_index_ex|. // // This callback may be called with a NULL value for |ptr| if |parent| has no // value set for this index. However, the callbacks may also be skipped entirely diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_hpke.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_hpke.h index d1b4798ca..5a80ad747 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_hpke.h 
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_hpke.h @@ -40,12 +40,14 @@ extern "C" { // respectively. // The following constants are KEM identifiers. +#define EVP_HPKE_DHKEM_P256_HKDF_SHA256 0x0010 #define EVP_HPKE_DHKEM_X25519_HKDF_SHA256 0x0020 // The following functions are KEM algorithms which may be used with HPKE. Note // that, while some HPKE KEMs use KDFs internally, this is separate from the // |EVP_HPKE_KDF| selection. OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void); +OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void); // EVP_HPKE_KEM_id returns the HPKE KEM identifier for |kem|, which // will be one of the |EVP_HPKE_KEM_*| constants. @@ -53,7 +55,7 @@ OPENSSL_EXPORT uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem); // EVP_HPKE_MAX_PUBLIC_KEY_LENGTH is the maximum length of an encoded public key // for all KEMs currently supported by this library. -#define EVP_HPKE_MAX_PUBLIC_KEY_LENGTH 32 +#define EVP_HPKE_MAX_PUBLIC_KEY_LENGTH 65 // EVP_HPKE_KEM_public_key_len returns the length of a public key for |kem|. // This value will be at most |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH|. @@ -69,7 +71,7 @@ OPENSSL_EXPORT size_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem); // EVP_HPKE_MAX_ENC_LENGTH is the maximum length of "enc", the encapsulated // shared secret, for all KEMs currently supported by this library. -#define EVP_HPKE_MAX_ENC_LENGTH 32 +#define EVP_HPKE_MAX_ENC_LENGTH 65 // EVP_HPKE_KEM_enc_len returns the length of the "enc", the encapsulated shared // secret, for |kem|. This value will be at most |EVP_HPKE_MAX_ENC_LENGTH|. 
@@ -233,7 +235,7 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender( // EVP_HPKE_CTX_setup_sender_with_seed_for_testing behaves like // |EVP_HPKE_CTX_setup_sender|, but takes a seed to behave deterministically. // The seed's format depends on |kem|. For X25519, it is the sender's -// ephemeral private key. +// ephemeral private key. For P256, it's an HKDF input. OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender_with_seed_for_testing( EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, @@ -265,7 +267,7 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender( // EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing behaves like // |EVP_HPKE_CTX_setup_auth_sender|, but takes a seed to behave // deterministically. The seed's format depends on |kem|. For X25519, it is the -// sender's ephemeral private key. +// sender's ephemeral private key. For P256, it's an HKDF input. OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing( EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, @@ -375,8 +377,8 @@ struct evp_hpke_ctx_st { struct evp_hpke_key_st { const EVP_HPKE_KEM *kem; - uint8_t private_key[X25519_PRIVATE_KEY_LEN]; - uint8_t public_key[X25519_PUBLIC_VALUE_LEN]; + uint8_t private_key[EVP_HPKE_MAX_PRIVATE_KEY_LENGTH]; + uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH]; }; diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_mldsa.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_mldsa.h new file mode 100644 index 000000000..7ad73261b --- /dev/null +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_mldsa.h 
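Review bot: `struct evp_hpke_key_st` now sizes `public_key` with `EVP_HPKE_MAX_PUBLIC_KEY_LENGTH`, and the earlier hunk in this file raises that constant from 32 to 65, so `sizeof(EVP_HPKE_KEY)` grows; any code that embeds the struct by value and is not rebuilt together with the library would see a layout mismatch. `EVP_HPKE_MAX_PRIVATE_KEY_LENGTH` is not defined anywhere in this patch, so I assume it already exists in the header; confirm it is at least `X25519_PRIVATE_KEY_LEN` and large enough for the P-256 private key. The comments on the two `*_with_seed_for_testing` functions say the P-256 seed is "an HKDF input" without stating its required length; one sentence giving it would save callers a trip to the implementation.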
@@ -0,0 +1,136 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_MLDSA_H_
+#define OPENSSL_HEADER_MLDSA_H_
+
+#include "CNIOBoringSSL_base.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// ML-DSA-65.
+//
+// This implements the Module-Lattice-Based Digital Signature Standard from
+// https://csrc.nist.gov/pubs/fips/204/final
+
+
+// MLDSA65_private_key contains an ML-DSA-65 private key. The contents of this
+// object should never leave the address space since the format is unstable.
+struct MLDSA65_private_key {
+ union {
+ uint8_t bytes[32 + 32 + 64 + 256 * 4 * (5 + 6 + 6)];
+ uint32_t alignment;
+ } opaque;
+};
+
+// MLDSA65_public_key contains an ML-DSA-65 public key. The contents of this
+// object should never leave the address space since the format is unstable.
+struct MLDSA65_public_key {
+ union {
+ uint8_t bytes[32 + 64 + 256 * 4 * 6];
+ uint32_t alignment;
+ } opaque;
+};
+
+// MLDSA65_PRIVATE_KEY_BYTES is the number of bytes in an encoded ML-DSA-65
+// private key.
+#define MLDSA65_PRIVATE_KEY_BYTES 4032
+
+// MLDSA65_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-DSA-65
+// public key.
+#define MLDSA65_PUBLIC_KEY_BYTES 1952
+
+// MLDSA65_SIGNATURE_BYTES is the number of bytes in an encoded ML-DSA-65
+// signature.
+#define MLDSA65_SIGNATURE_BYTES 3309
+
+// MLDSA_SEED_BYTES is the number of bytes in an ML-DSA seed value.
+#define MLDSA_SEED_BYTES 32
+
+// MLDSA65_generate_key generates a random public/private key pair, writes the
+// encoded public key to |out_encoded_public_key|, writes the seed to
+// |out_seed|, and sets |out_private_key| to the private key. Returns 1 on
+// success and 0 on allocation failure.
+OPENSSL_EXPORT int MLDSA65_generate_key(
+ uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES],
+ uint8_t out_seed[MLDSA_SEED_BYTES],
+ struct MLDSA65_private_key *out_private_key);
+
+// MLDSA65_private_key_from_seed regenerates a private key from a seed value
+// that was generated by |MLDSA65_generate_key|. Returns 1 on success and 0 on
+// allocation failure or if |seed_len| is incorrect.
+OPENSSL_EXPORT int MLDSA65_private_key_from_seed(
+ struct MLDSA65_private_key *out_private_key, const uint8_t *seed,
+ size_t seed_len);
+
+// MLDSA65_public_from_private sets |*out_public_key| to the public key that
+// corresponds to |private_key|. Returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int MLDSA65_public_from_private(
+ struct MLDSA65_public_key *out_public_key,
+ const struct MLDSA65_private_key *private_key);
+
+// MLDSA65_sign generates a signature for the message |msg| of length
+// |msg_len| using |private_key| (following the randomized algorithm), and
+// writes the encoded signature to |out_encoded_signature|. The |context|
+// argument is also signed over and can be used to include implicit contextual
+// information that isn't included in |msg|. The same value of |context| must be
+// presented to |MLDSA65_verify| in order for the generated signature to be
+// considered valid. |context| and |context_len| may be |NULL| and 0 to use an
+// empty context (this is common). Returns 1 on success and 0 on failure.
+OPENSSL_EXPORT int MLDSA65_sign(
+ uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES],
+ const struct MLDSA65_private_key *private_key, const uint8_t *msg,
+ size_t msg_len, const uint8_t *context, size_t context_len);
+
+// MLDSA65_verify verifies that |signature| constitutes a valid
+// signature for the message |msg| of length |msg_len| using |public_key|. The
+// value of |context| must equal the value that was passed to |MLDSA65_sign|
+// when the signature was generated. Returns 1 on success or 0 on error.
+OPENSSL_EXPORT int MLDSA65_verify(const struct MLDSA65_public_key *public_key,
+ const uint8_t *signature,
+ size_t signature_len, const uint8_t *msg,
+ size_t msg_len, const uint8_t *context,
+ size_t context_len);
+
+
+// Serialisation of keys.
+
+// MLDSA65_marshal_public_key serializes |public_key| to |out| in the standard
+// format for ML-DSA-65 public keys. It returns 1 on success or 0 on
+// allocation error.
+OPENSSL_EXPORT int MLDSA65_marshal_public_key(
+ CBB *out, const struct MLDSA65_public_key *public_key);
+
+// MLDSA65_parse_public_key parses a public key, in the format generated by
+// |MLDSA65_marshal_public_key|, from |in| and writes the result to
+// |out_public_key|. It returns 1 on success or 0 on parse error or if
+// there are trailing bytes in |in|.
+OPENSSL_EXPORT int MLDSA65_parse_public_key(
+ struct MLDSA65_public_key *public_key, CBS *in);
+
+// MLDSA65_parse_private_key parses a private key, in the NIST format, from |in|
+// and writes the result to |out_private_key|. It returns 1 on success or 0 on
+// parse error or if there are trailing bytes in |in|.
+OPENSSL_EXPORT int MLDSA65_parse_private_key(
+ struct MLDSA65_private_key *private_key, CBS *in);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_MLDSA_H_
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_mlkem.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_mlkem.h
new file mode 100644
index 000000000..9b2b153ca
--- /dev/null
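Review bot: The comments on `MLDSA65_parse_public_key` and `MLDSA65_parse_private_key` refer to `|out_public_key|` and `|out_private_key|`, but the parameters are declared as `public_key` and `private_key`; either rename the parameters to the `out_` form used by every other output parameter in this header (`struct MLDSA65_public_key *out_public_key, CBS *in`) or fix the comments. `MLDSA65_verify` is documented as returning "1 on success or 0 on error", which leaves it ambiguous whether an invalid-but-well-formed signature counts as "error"; if that is the behaviour, say `Returns 1 if the signature is valid and 0 otherwise, including for a malformed or invalid signature.` The private-key struct comment says the bytes must never leave the address space, which is the right contract, but `MLDSA65_parse_private_key` accepts "the NIST format" without naming it; a pointer to the FIPS 204 section or the expected byte length (`MLDSA65_PRIVATE_KEY_BYTES`) would make the accepted input unambiguous.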
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_mlkem.h 
@@ -0,0 +1,246 @@ +/* Copyright (c) 2024, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_MLKEM_H +#define OPENSSL_HEADER_MLKEM_H + +#include "CNIOBoringSSL_base.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +// ML-KEM-768. +// +// This implements the Module-Lattice-Based Key-Encapsulation Mechanism from +// https://csrc.nist.gov/pubs/fips/204/final + + +// MLKEM768_public_key contains an ML-KEM-768 public key. The contents of this +// object should never leave the address space since the format is unstable. +struct MLKEM768_public_key { + union { + uint8_t bytes[512 * (3 + 9) + 32 + 32]; + uint16_t alignment; + } opaque; +}; + +// MLKEM768_private_key contains an ML-KEM-768 private key. The contents of this +// object should never leave the address space since the format is unstable. +struct MLKEM768_private_key { + union { + uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32]; + uint16_t alignment; + } opaque; +}; + +// MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-768 +// public key. +#define MLKEM768_PUBLIC_KEY_BYTES 1184 + +// MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed. 
+#define MLKEM_SEED_BYTES 64 + +// MLKEM768_generate_key generates a random public/private key pair, writes the +// encoded public key to |out_encoded_public_key| and sets |out_private_key| to +// the private key. If |optional_out_seed| is not NULL then the seed used to +// generate the private key is written to it. +OPENSSL_EXPORT void MLKEM768_generate_key( + uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], + uint8_t optional_out_seed[MLKEM_SEED_BYTES], + struct MLKEM768_private_key *out_private_key); + +// MLKEM768_private_key_from_seed derives a private key from a seed that was +// generated by |MLKEM768_generate_key|. It fails and returns 0 if |seed_len| is +// incorrect, otherwise it writes |*out_private_key| and returns 1. +OPENSSL_EXPORT int MLKEM768_private_key_from_seed( + struct MLKEM768_private_key *out_private_key, const uint8_t *seed, + size_t seed_len); + +// MLKEM768_public_from_private sets |*out_public_key| to the public key that +// corresponds to |private_key|. (This is faster than parsing the output of +// |MLKEM768_generate_key| if, for some reason, you need to encapsulate to a key +// that was just generated.) +OPENSSL_EXPORT void MLKEM768_public_from_private( + struct MLKEM768_public_key *out_public_key, + const struct MLKEM768_private_key *private_key); + +// MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-768 ciphertext. +#define MLKEM768_CIPHERTEXT_BYTES 1088 + +// MLKEM_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared secret. +#define MLKEM_SHARED_SECRET_BYTES 32 + +// MLKEM768_encap encrypts a random shared secret for |public_key|, writes the +// ciphertext to |out_ciphertext|, and writes the random shared secret to +// |out_shared_secret|. 
+OPENSSL_EXPORT void MLKEM768_encap( + uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], + uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], + const struct MLKEM768_public_key *public_key); + +// MLKEM768_decap decrypts a shared secret from |ciphertext| using |private_key| +// and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it +// returns 0, otherwise it returns 1. If |ciphertext| is invalid (but of the +// correct length), |out_shared_secret| is filled with a key that will always be +// the same for the same |ciphertext| and |private_key|, but which appears to be +// random unless one has access to |private_key|. These alternatives occur in +// constant time. Any subsequent symmetric encryption using |out_shared_secret| +// must use an authenticated encryption scheme in order to discover the +// decapsulation failure. +OPENSSL_EXPORT int MLKEM768_decap( + uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], + const uint8_t *ciphertext, size_t ciphertext_len, + const struct MLKEM768_private_key *private_key); + + +// Serialisation of keys. + +// MLKEM768_marshal_public_key serializes |public_key| to |out| in the standard +// format for ML-KEM-768 public keys. It returns one on success or zero on +// allocation error. +OPENSSL_EXPORT int MLKEM768_marshal_public_key( + CBB *out, const struct MLKEM768_public_key *public_key); + +// MLKEM768_parse_public_key parses a public key, in the format generated by +// |MLKEM768_marshal_public_key|, from |in| and writes the result to +// |out_public_key|. It returns one on success or zero on parse error or if +// there are trailing bytes in |in|. +OPENSSL_EXPORT int MLKEM768_parse_public_key( + struct MLKEM768_public_key *out_public_key, CBS *in); + +// MLKEM768_PRIVATE_KEY_BYTES is the length of the data produced by +// |MLKEM768_marshal_private_key|. 
+#define MLKEM768_PRIVATE_KEY_BYTES 2400 + +// MLKEM768_parse_private_key parses a private key, in NIST's format for +// private keys, from |in| and writes the result to |out_private_key|. It +// returns one on success or zero on parse error or if there are trailing bytes +// in |in|. This format is verbose and should be avoided. Private keys should be +// stored as seeds and parsed using |MLKEM768_private_key_from_seed|. +OPENSSL_EXPORT int MLKEM768_parse_private_key( + struct MLKEM768_private_key *out_private_key, CBS *in); + + +// ML-KEM-1024 +// +// ML-KEM-1024 also exists. You should prefer ML-KEM-768 where possible. + +// MLKEM1024_public_key contains an ML-KEM-1024 public key. The contents of this +// object should never leave the address space since the format is unstable. +struct MLKEM1024_public_key { + union { + uint8_t bytes[512 * (4 + 16) + 32 + 32]; + uint16_t alignment; + } opaque; +}; + +// MLKEM1024_private_key contains a ML-KEM-1024 private key. The contents of +// this object should never leave the address space since the format is +// unstable. +struct MLKEM1024_private_key { + union { + uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32]; + uint16_t alignment; + } opaque; +}; + +// MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024 +// public key. +#define MLKEM1024_PUBLIC_KEY_BYTES 1568 + +// MLKEM1024_generate_key generates a random public/private key pair, writes the +// encoded public key to |out_encoded_public_key| and sets |out_private_key| to +// the private key. If |optional_out_seed| is not NULL then the seed used to +// generate the private key is written to it. +OPENSSL_EXPORT void MLKEM1024_generate_key( + uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES], + uint8_t optional_out_seed[MLKEM_SEED_BYTES], + struct MLKEM1024_private_key *out_private_key); + +// MLKEM1024_private_key_from_seed derives a private key from a seed that was +// generated by |MLKEM1024_generate_key|. 
It fails and returns 0 if |seed_len| +// is incorrect, otherwise it writes |*out_private_key| and returns 1. +OPENSSL_EXPORT int MLKEM1024_private_key_from_seed( + struct MLKEM1024_private_key *out_private_key, const uint8_t *seed, + size_t seed_len); + +// MLKEM1024_public_from_private sets |*out_public_key| to the public key that +// corresponds to |private_key|. (This is faster than parsing the output of +// |MLKEM1024_generate_key| if, for some reason, you need to encapsulate to a +// key that was just generated.) +OPENSSL_EXPORT void MLKEM1024_public_from_private( + struct MLKEM1024_public_key *out_public_key, + const struct MLKEM1024_private_key *private_key); + +// MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext. +#define MLKEM1024_CIPHERTEXT_BYTES 1568 + +// MLKEM1024_encap encrypts a random shared secret for |public_key|, writes the +// ciphertext to |out_ciphertext|, and writes the random shared secret to +// |out_shared_secret|. +OPENSSL_EXPORT void MLKEM1024_encap( + uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], + uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], + const struct MLKEM1024_public_key *public_key); + +// MLKEM1024_decap decrypts a shared secret from |ciphertext| using +// |private_key| and writes it to |out_shared_secret|. If |ciphertext_len| is +// incorrect it returns 0, otherwise it returns 1. If |ciphertext| is invalid +// (but of the correct length), |out_shared_secret| is filled with a key that +// will always be the same for the same |ciphertext| and |private_key|, but +// which appears to be random unless one has access to |private_key|. These +// alternatives occur in constant time. Any subsequent symmetric encryption +// using |out_shared_secret| must use an authenticated encryption scheme in +// order to discover the decapsulation failure. 
+OPENSSL_EXPORT int MLKEM1024_decap( + uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], + const uint8_t *ciphertext, size_t ciphertext_len, + const struct MLKEM1024_private_key *private_key); + + +// Serialisation of ML-KEM-1024 keys. + +// MLKEM1024_marshal_public_key serializes |public_key| to |out| in the standard +// format for ML-KEM-1024 public keys. It returns one on success or zero on +// allocation error. +OPENSSL_EXPORT int MLKEM1024_marshal_public_key( + CBB *out, const struct MLKEM1024_public_key *public_key); + +// MLKEM1024_parse_public_key parses a public key, in the format generated by +// |MLKEM1024_marshal_public_key|, from |in| and writes the result to +// |out_public_key|. It returns one on success or zero on parse error or if +// there are trailing bytes in |in|. +OPENSSL_EXPORT int MLKEM1024_parse_public_key( + struct MLKEM1024_public_key *out_public_key, CBS *in); + +// MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by +// |MLKEM1024_marshal_private_key|. +#define MLKEM1024_PRIVATE_KEY_BYTES 3168 + +// MLKEM1024_parse_private_key parses a private key, in NIST's format for +// private keys, from |in| and writes the result to |out_private_key|. It +// returns one on success or zero on parse error or if there are trailing bytes +// in |in|. This format is verbose and should be avoided. Private keys should be +// stored as seeds and parsed using |MLKEM1024_private_key_from_seed|. +OPENSSL_EXPORT int MLKEM1024_parse_private_key( + struct MLKEM1024_private_key *out_private_key, CBS *in); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_MLKEM_H diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_nid.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_nid.h index 06a841c6f..ff3b60cfc 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_nid.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_nid.h 
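Review bot: The introductory comment of the new header cites https://csrc.nist.gov/pubs/fips/204/final, but FIPS 204 specifies ML-DSA; ML-KEM is FIPS 203, so the line should read `// https://csrc.nist.gov/pubs/fips/203/final`. The comments on `MLKEM768_PRIVATE_KEY_BYTES` and `MLKEM1024_PRIVATE_KEY_BYTES` describe "the length of the data produced by" `MLKEM768_marshal_private_key` and `MLKEM1024_marshal_private_key`, yet neither function is declared anywhere in this header, so the cross-references dangle for readers of the public API. Either declare the marshal functions or reword the comment in terms of the NIST-format length consumed by `MLKEM768_parse_private_key`/`MLKEM1024_parse_private_key`, which presumably is what the constants describe. Minor: `contains a ML-KEM-1024 private key` should be `an ML-KEM-1024`.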
@@ -4255,6 +4255,9 @@ extern "C" { #define SN_X25519Kyber768Draft00 "X25519Kyber768Draft00" #define NID_X25519Kyber768Draft00 964 +#define SN_X25519MLKEM768 "X25519MLKEM768" +#define NID_X25519MLKEM768 965 + #if defined(__cplusplus) } /* extern C */ diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_obj.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_obj.h index afd8f931d..e7a32ab33 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_obj.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_obj.h @@ -194,8 +194,8 @@ OPENSSL_EXPORT int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj, // duplicate OIDs, short names, or long names. If two callers in the same // address space add conflicting values, only one registration will take effect. // Avoid this function if possible. Instead, callers can process OIDs unknown to -// BoringSSL by acting on the byte representation directly. See |OBJ_get0_data| -// and |OBJ_length|. +// BoringSSL by acting on the byte representation directly. See +// |ASN1_OBJECT_create|, |OBJ_get0_data|, and |OBJ_length|. OPENSSL_EXPORT int OBJ_create(const char *oid, const char *short_name, const char *long_name); diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h index da30db25c..f99c97136 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h 
@@ -142,26 +142,26 @@ extern "C" { NULL, 0, NULL, NULL); \ } -#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) \ - static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ - return i2d_##asn1((type *)x, outp); \ - } \ - OPENSSL_EXPORT int PEM_write_##name( \ - FILE *fp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ - pem_password_cb *cb, void *u) { \ - return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, kstr, klen, \ - cb, u); \ +#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) \ + static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ + return i2d_##asn1((type *)x, outp); \ + } \ + OPENSSL_EXPORT int PEM_write_##name( \ + FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ + int pass_len, pem_password_cb *cb, void *u) { \ + return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, pass, \ + pass_len, cb, u); \ } -#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) \ - static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ - return i2d_##asn1((const type *)x, outp); \ - } \ - OPENSSL_EXPORT int PEM_write_##name( \ - FILE *fp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ - pem_password_cb *cb, void *u) { \ - return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, kstr, klen, \ - cb, u); \ +#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) \ + static int pem_write_##name##_i2d(const void *x, unsigned char **outp) { \ + return i2d_##asn1((const type *)x, outp); \ + } \ + OPENSSL_EXPORT int PEM_write_##name( \ + FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ + int pass_len, pem_password_cb *cb, void *u) { \ + return PEM_ASN1_write(pem_write_##name##_i2d, str, fp, x, enc, pass, \ + pass_len, cb, u); \ } 
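Review bot: The new `pass`/`pass_len` parameters in `IMPLEMENT_PEM_write_cb_fp` and `IMPLEMENT_PEM_write_cb_fp_const` are not documented anywhere in the hunk: nothing states whether a non-NULL `pass` takes precedence over `cb`, what `pass_len == 0` means, or how a negative `pass_len` (still representable, since the type stays `int`) is treated. The same applies to the `_bio` implementations and the `DECLARE_PEM_write_cb_fp`/`DECLARE_PEM_write_cb_bio` macros in the `@@ -199`, `@@ -210`, `@@ -260` and `@@ -275` hunks that follow, and to `PEM_ASN1_write_bio`/`PEM_ASN1_write` themselves. Since the declaration macros are what callers see, a comment above `DECLARE_PEM_write_cb_fp` stating the precedence rule between |pass| and |cb| and that |pass_len| must be non-negative would resolve it. Most of this hunk is column realignment of the backslash continuations, which makes the substantive const-qualification and rename hard to spot in review.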
@@ -199,10 +199,10 @@ extern "C" { return i2d_##asn1((type *)x, outp); \ } \ OPENSSL_EXPORT int PEM_write_bio_##name( \ - BIO *bp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ - pem_password_cb *cb, void *u) { \ + BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ + int pass_len, pem_password_cb *cb, void *u) { \ return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, x, enc, \ - kstr, klen, cb, u); \ + pass, pass_len, cb, u); \ } #define IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \ @@ -210,10 +210,10 @@ extern "C" { return i2d_##asn1((const type *)x, outp); \ } \ OPENSSL_EXPORT int PEM_write_bio_##name( \ - BIO *bp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ - pem_password_cb *cb, void *u) { \ + BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ + int pass_len, pem_password_cb *cb, void *u) { \ return PEM_ASN1_write_bio(pem_write_bio_##name##_i2d, str, bp, (void *)x, \ - enc, kstr, klen, cb, u); \ + enc, pass, pass_len, cb, u); \ } #define IMPLEMENT_PEM_write(name, type, str, asn1) \ @@ -260,10 +260,10 @@ extern "C" { #define DECLARE_PEM_write_fp_const(name, type) \ OPENSSL_EXPORT int PEM_write_##name(FILE *fp, const type *x); -#define DECLARE_PEM_write_cb_fp(name, type) \ - OPENSSL_EXPORT int PEM_write_##name( \ - FILE *fp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ - pem_password_cb *cb, void *u); +#define DECLARE_PEM_write_cb_fp(name, type) \ + OPENSSL_EXPORT int PEM_write_##name( \ + FILE *fp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ + int pass_len, pem_password_cb *cb, void *u); #define DECLARE_PEM_read_bio(name, type) \ OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, \ 
@@ -275,10 +275,10 @@ extern "C" { #define DECLARE_PEM_write_bio_const(name, type) \ OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, const type *x); -#define DECLARE_PEM_write_cb_bio(name, type) \ - OPENSSL_EXPORT int PEM_write_bio_##name( \ - BIO *bp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ - pem_password_cb *cb, void *u); +#define DECLARE_PEM_write_cb_bio(name, type) \ + OPENSSL_EXPORT int PEM_write_bio_##name( \ + BIO *bp, type *x, const EVP_CIPHER *enc, const unsigned char *pass, \ + int pass_len, pem_password_cb *cb, void *u); #define DECLARE_PEM_write(name, type) \ 
@@ -344,12 +344,35 @@ OPENSSL_EXPORT void *PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, void *u); OPENSSL_EXPORT int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, + const unsigned char *pass, int pass_len, pem_password_cb *cb, void *u); +// PEM_X509_INFO_read_bio reads PEM blocks from |bp| and decodes any +// certificates, CRLs, and private keys found. It returns a +// |STACK_OF(X509_INFO)| structure containing the results, or NULL on error. +// +// If |sk| is NULL, the result on success will be a newly-allocated +// |STACK_OF(X509_INFO)| structure which should be released with +// |sk_X509_INFO_pop_free| and |X509_INFO_free| when done. +// +// If |sk| is non-NULL, it appends the results to |sk| instead and returns |sk| +// on success. In this case, the caller retains ownership of |sk| in both +// success and failure. +// +// WARNING: If the input contains "TRUSTED CERTIFICATE" PEM blocks, this +// function parses auxiliary properties as in |d2i_X509_AUX|. Passing untrusted +// input to this function allows an attacker to influence those properties. See +// |d2i_X509_AUX| for details. OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio( BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); +// PEM_X509_INFO_read behaves like |PEM_X509_INFO_read_bio| but reads from a +// |FILE|. +OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, + STACK_OF(X509_INFO) *sk, + pem_password_cb *cb, + void *u); + OPENSSL_EXPORT int PEM_read(FILE *fp, char **name, char **header, unsigned char **data, long *len); OPENSSL_EXPORT int PEM_write(FILE *fp, const char *name, const char *hdr, 
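Review bot: The new comment on `PEM_X509_INFO_read_bio` says the caller retains ownership of a non-NULL `sk` on failure, but not whether the `X509_INFO` entries decoded before the failing block remain appended to `sk` or are rolled back; a caller that later frees `sk` with `sk_X509_INFO_pop_free` needs this to avoid leaking or double-handling partial results. If the implementation appends as it goes (not visible from this hunk), the sentence `In this case, the caller retains ownership of |sk| in both success and failure.` should continue with a clause stating that entries parsed before the error are left in |sk|. The brief `PEM_X509_INFO_read` comment inherits the contract by reference, so one fix covers both.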
@@ -358,24 +381,21 @@ OPENSSL_EXPORT void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x, pem_password_cb *cb, void *u); OPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, void *x, const EVP_CIPHER *enc, - unsigned char *kstr, int klen, + const unsigned char *pass, int pass_len, pem_password_cb *callback, void *u); -OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, - STACK_OF(X509_INFO) *sk, - pem_password_cb *cb, - void *u); // PEM_def_callback treats |userdata| as a string and copies it into |buf|, -// assuming its |size| is sufficient. Returns the length of the string, or 0 -// if there is not enough room. If either |buf| or |userdata| is NULL, 0 is -// returned. Note that this is different from OpenSSL, which prompts for a -// password. +// assuming its |size| is sufficient. Returns the length of the string, or -1 on +// error. Error cases the buffer being too small, or |buf| and |userdata| being +// NULL. Note that this is different from OpenSSL, which prompts for a password. OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag, void *userdata); DECLARE_PEM_rw(X509, X509) +// TODO(crbug.com/boringssl/426): When documenting these, copy the warning +// about auxiliary properties from |PEM_X509_INFO_read_bio|. DECLARE_PEM_rw(X509_AUX, X509) DECLARE_PEM_rw(X509_REQ, X509_REQ) 
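Review bot: The rewritten `PEM_def_callback` comment has a dropped verb and a changed condition: `Error cases the buffer being too small, or |buf| and |userdata| being NULL.` should read `Error cases are the buffer being too small, or either |buf| or |userdata| being NULL.` — the old text said *either*, and the new `and` reads as if both must be NULL to fail. The documented error return also changes from 0 to -1, which matters to any caller that distinguished a 0 result from a negative one when driving a `pem_password_cb`; the comment should say explicitly that 0 is no longer an error value so that existing `== 0` checks are revisited.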
@@ -415,46 +435,49 @@ DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY) DECLARE_PEM_rw(PUBKEY, EVP_PKEY) OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, const EVP_PKEY *x, - int nid, char *kstr, - int klen, + int nid, const char *pass, + int pass_len, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey(BIO *, const EVP_PKEY *, - const EVP_CIPHER *, char *, - int, pem_password_cb *, - void *); +OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey(BIO *bp, const EVP_PKEY *x, + const EVP_CIPHER *enc, + const char *pass, int pass_len, + pem_password_cb *cb, void *u); OPENSSL_EXPORT int i2d_PKCS8PrivateKey_bio(BIO *bp, const EVP_PKEY *x, - const EVP_CIPHER *enc, char *kstr, - int klen, pem_password_cb *cb, - void *u); + const EVP_CIPHER *enc, + const char *pass, int pass_len, + pem_password_cb *cb, void *u); OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, const EVP_PKEY *x, - int nid, char *kstr, int klen, + int nid, const char *pass, + int pass_len, pem_password_cb *cb, void *u); OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); OPENSSL_EXPORT int i2d_PKCS8PrivateKey_fp(FILE *fp, const EVP_PKEY *x, - const EVP_CIPHER *enc, char *kstr, - int klen, pem_password_cb *cb, - void *u); + const EVP_CIPHER *enc, + const char *pass, int pass_len, + pem_password_cb *cb, void *u); OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, const EVP_PKEY *x, - int nid, char *kstr, int klen, - pem_password_cb *cb, void *u); + int nid, const char *pass, + int pass_len, pem_password_cb *cb, + void *u); OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey_nid(FILE *fp, const EVP_PKEY *x, - int nid, char *kstr, int klen, + int nid, const char *pass, + int pass_len, pem_password_cb *cb, void *u); OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey(FILE *fp, const EVP_PKEY *x, - const EVP_CIPHER *enc, char *kstr, - 
int klen, pem_password_cb *cd, - void *u); + const EVP_CIPHER *enc, + const char *pass, int pass_len, + pem_password_cb *cd, void *u); #ifdef __cplusplus -} +} // extern "C" #endif #define PEM_R_BAD_BASE64_DECODE 100 diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_posix_time.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_posix_time.h new file mode 100644 index 000000000..13c2e7b41 --- /dev/null +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_posix_time.h 
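Review bot: `PEM_write_PKCS8PrivateKey` keeps its callback parameter named `cd` (`pem_password_cb *cd, void *u);`) while every sibling prototype rewritten in this hunk — `PEM_write_bio_PKCS8PrivateKey`, `i2d_PKCS8PrivateKey_bio`, `i2d_PKCS8PrivateKey_fp`, `PEM_write_PKCS8PrivateKey_nid` — uses `cb`. Since the hunk already renames and re-wraps this prototype, changing the last line to `pem_password_cb *cb, void *u);` would make the family consistent and spare readers wondering whether `cd` is a different kind of callback. None of the password-taking PKCS8 prototypes carries a comment on the `pass`/`pass_len`-versus-`cb` precedence either, the same gap as the PEM writer macros earlier in this file.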
@@ -0,0 +1,51 @@ +/* Copyright (c) 2022, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_POSIX_TIME_H +#define OPENSSL_HEADER_POSIX_TIME_H + +#include "CNIOBoringSSL_base.h" + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + + +// Time functions. + + +// OPENSSL_posix_to_tm converts a int64_t POSIX time value in |time|, which must +// be in the range of year 0000 to 9999, to a broken out time value in |tm|. It +// returns one on success and zero on error. +OPENSSL_EXPORT int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm); + +// OPENSSL_tm_to_posix converts a time value between the years 0 and 9999 in +// |tm| to a POSIX time value in |out|. One is returned on success, zero is +// returned on failure. It is a failure if |tm| contains out of range values. +OPENSSL_EXPORT int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out); + +// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to +// a time_t value in |out|. One is returned on success, zero is returned on +// failure. It is a failure if the converted time can not be represented in a +// time_t, or if the tm contains out of range values. 
+OPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out); + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_POSIX_TIME_H diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rand.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rand.h index addaf0213..689440a70 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rand.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rand.h 
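Review bot: The `OPENSSL_posix_to_tm` comment refers to the output as `|tm|` but the parameter is declared `struct tm *out_tm`, and `a int64_t` should be `an int64_t`; suggested text: `// OPENSSL_posix_to_tm converts an int64_t POSIX time value in |time|, which must be in the range of year 0000 to 9999, to a broken out time value in |out_tm|.` The bare `#include` directly after `CNIOBoringSSL_base.h` shows no header name in this rendering; `struct tm` and `time_t` require `<time.h>`, so if the name is genuinely missing rather than lost in display the header will not compile standalone. The `OPENSSL_timegm` and `OPENSSL_tm_to_posix` comments could also state whether |out| is left unmodified on failure, if that is what the implementation guarantees (not visible here).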
@@ -33,20 +33,29 @@ OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); // Obscure functions. #if !defined(OPENSSL_WINDOWS) -// RAND_enable_fork_unsafe_buffering enables efficient buffered reading of -// /dev/urandom. It adds an overhead of a few KB of memory per thread. It must -// be called before the first call to |RAND_bytes|. +// RAND_enable_fork_unsafe_buffering indicates that clones of the address space, +// e.g. via |fork|, will never call into BoringSSL. It may be used to disable +// BoringSSL's more expensive fork-safety measures. However, calling this +// function and then using BoringSSL across |fork| calls will leak secret keys. +// |fd| must be -1. // -// |fd| must be -1. We no longer support setting the file descriptor with this -// function. +// WARNING: This function affects BoringSSL for the entire address space. Thus +// this function should never be called by library code, only by code with +// global knowledge of the application's use of BoringSSL. // -// It has an unusual name because the buffer is unsafe across calls to |fork|. -// Hence, this function should never be called by libraries. +// Do not use this function unless a performance issue was measured with the +// default behavior. BoringSSL can efficiently detect forks on most platforms, +// in which case this function is a no-op and is unnecessary. In particular, +// Linux kernel versions 4.14 or later provide |MADV_WIPEONFORK|. Future +// versions of BoringSSL will remove this functionality when older kernels are +// sufficiently rare. +// +// This function has an unusual name because it historically controlled internal +// buffers, but no longer does. OPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd); -// RAND_disable_fork_unsafe_buffering disables efficient buffered reading of -// /dev/urandom, causing BoringSSL to always draw entropy on every request -// for random bytes. 
+// RAND_disable_fork_unsafe_buffering restores BoringSSL's default fork-safety +// protections. See also |RAND_enable_fork_unsafe_buffering|. OPENSSL_EXPORT void RAND_disable_fork_unsafe_buffering(void); #endif diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rsa.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rsa.h index 1dae6b6e3..f798d8a27 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rsa.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_rsa.h @@ -111,6 +111,11 @@ OPENSSL_EXPORT int RSA_up_ref(RSA *rsa); // Properties. +// OPENSSL_RSA_MAX_MODULUS_BITS is the maximum supported RSA modulus, in bits. +// +// TODO(davidben): Reduce this to 8192. +#define OPENSSL_RSA_MAX_MODULUS_BITS 16384 + // RSA_bits returns the size of |rsa|, in bits. OPENSSL_EXPORT unsigned RSA_bits(const RSA *rsa); @@ -236,6 +241,13 @@ OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); // RSA_PKCS1_PADDING denotes PKCS#1 v1.5 padding. When used with encryption, // this is RSAES-PKCS1-v1_5. When used with signing, this is RSASSA-PKCS1-v1_5. +// +// WARNING: The RSAES-PKCS1-v1_5 encryption scheme is vulnerable to a +// chosen-ciphertext attack. Decrypting attacker-supplied ciphertext with +// RSAES-PKCS1-v1_5 may give the attacker control over your private key. This +// does not impact the RSASSA-PKCS1-v1_5 signature scheme. See "Chosen +// Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard +// PKCS #1", Daniel Bleichenbacher, Advances in Cryptology (Crypto '98). #define RSA_PKCS1_PADDING 1 // RSA_NO_PADDING denotes a raw RSA operation. 
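Review bot: The rewritten `RAND_enable_fork_unsafe_buffering` comment states `|fd| must be -1` without saying what happens otherwise (abort, ignored, or error), which a caller migrating from the old file-descriptor-accepting signature needs to know; add a sentence such as `// Passing any other value is an error.` worded to match whatever the implementation actually does, which this hunk does not show. The old text also required the call to precede the first `RAND_bytes`; the new text drops that ordering precondition silently, so if it still holds it should be restated next to the warning about leaking secret keys across `fork`.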
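Review bot: `OPENSSL_RSA_MAX_MODULUS_BITS` is exported as a public constant, but its comment does not say which operations enforce it (parsing, key generation, or the public/private operations) or which error is reported when a modulus exceeds it, so callers cannot tell whether to pre-check key sizes themselves. The `TODO(davidben): Reduce this to 8192.` signals the value may shrink, which is an API commitment worth stating to users, e.g. `// This limit may be lowered in future versions; do not rely on keys larger than 8192 bits being accepted.`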
@@ -256,8 +268,7 @@ OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); // It returns 1 on success or zero on error. // // The |padding| argument must be one of the |RSA_*_PADDING| values. If in -// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but -// |RSA_PKCS1_PADDING| is most common. +// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); @@ -271,12 +282,16 @@ OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, // The |padding| argument must be one of the |RSA_*_PADDING| values. If in // doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. // -// Passing |RSA_PKCS1_PADDING| into this function is deprecated and insecure. If -// implementing a protocol using RSAES-PKCS1-V1_5, use |RSA_NO_PADDING| and then -// check padding in constant-time combined with a swap to a random session key -// or other mitigation. See "Chosen Ciphertext Attacks Against Protocols Based -// on the RSA Encryption Standard PKCS #1", Daniel Bleichenbacher, Advances in -// Cryptology (Crypto '98). +// WARNING: Passing |RSA_PKCS1_PADDING| into this function is deprecated and +// insecure. RSAES-PKCS1-v1_5 is vulnerable to a chosen-ciphertext attack. +// Decrypting attacker-supplied ciphertext with RSAES-PKCS1-v1_5 may give the +// attacker control over your private key. See "Chosen Ciphertext Attacks +// Against Protocols Based on the RSA Encryption Standard PKCS #1", Daniel +// Bleichenbacher, Advances in Cryptology (Crypto '98). +// +// In some limited cases, such as TLS RSA key exchange, it is possible to +// mitigate this flaw with custom, protocol-specific padding logic. This +// should be implemented with |RSA_NO_PADDING|, not |RSA_PKCS1_PADDING|. OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); 
@@ -285,8 +300,7 @@ OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at // least |RSA_size| bytes of space. It returns the number of bytes written, or // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| -// values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols but -// |RSA_PKCS1_PADDING| is most common. +// values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. // // WARNING: this function is dangerous because it breaks the usual return value // convention. Use |RSA_encrypt| instead. @@ -661,11 +675,8 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx); #define RSA_FLAG_OPAQUE 1 // RSA_FLAG_NO_BLINDING disables blinding of private operations, which is a -// dangerous thing to do. It is deprecated and should not be used. It will -// be ignored whenever possible. -// -// This flag must be used if a key without the public exponent |e| is used for -// private key operations; avoid using such keys whenever possible. +// dangerous thing to do. This flag is set internally as part of self-tests but +// is otherwise impossible to set externally. #define RSA_FLAG_NO_BLINDING 8 // RSA_FLAG_EXT_PKEY is deprecated and ignored. @@ -703,6 +714,9 @@ OPENSSL_EXPORT int RSA_test_flags(const RSA *rsa, int flags); // RSA_blinding_on returns one. OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); +// RSA_blinding_off does nothing. +OPENSSL_EXPORT void RSA_blinding_off(RSA *rsa); + // RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you // should use instead. It returns NULL on error, or a newly-allocated |RSA| on // success. This function is provided for compatibility only. The |callback| diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_service_indicator.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_service_indicator.h index 86224ab7d..52c28bda0 100644 
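Review bot: `RSA_blinding_off` is documented only as `does nothing`, and the `RSA_FLAG_NO_BLINDING` hunk just above now states the flag cannot be set externally; together these mean code ported from OpenSSL that calls `RSA_blinding_off` will keep blinding on, which is the safe outcome but not obvious from the one-line comment. Suggest `// RSA_blinding_off does nothing. Blinding cannot be disabled externally; see |RSA_FLAG_NO_BLINDING|.` so callers are not left wondering whether the call had an effect.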
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_service_indicator.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_service_indicator.h @@ -56,7 +56,7 @@ extern "C++" { return func; \ }() -namespace bssl { +BSSL_NAMESPACE_BEGIN enum class FIPSStatus { NOT_APPROVED = 0, @@ -87,7 +87,7 @@ class FIPSIndicatorHelper { const uint64_t before_; }; -} // namespace bssl +BSSL_NAMESPACE_END } // extern "C++" #endif // !BORINGSSL_NO_CXX diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_sha.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_sha.h index 4f2b7a1af..fbdc10c8d 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_sha.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_sha.h @@ -58,6 +58,7 @@ #define OPENSSL_HEADER_SHA_H #include "CNIOBoringSSL_base.h" +#include "CNIOBoringSSL_bcm_public.h" // IWYU pragma: export #if defined(__cplusplus) extern "C" { 
@@ -96,27 +97,21 @@ OPENSSL_EXPORT uint8_t *SHA1(const uint8_t *data, size_t len, OPENSSL_EXPORT void SHA1_Transform(SHA_CTX *sha, const uint8_t block[SHA_CBLOCK]); -struct sha_state_st { -#if defined(OPENSSL_WINDOWS) - uint32_t h[5]; -#else - // wpa_supplicant accesses |h0|..|h4| so we must support those names - // for compatibility with it until it can be updated. - union { - uint32_t h[5]; - struct { - uint32_t h0; - uint32_t h1; - uint32_t h2; - uint32_t h3; - uint32_t h4; - }; - }; -#endif - uint32_t Nl, Nh; - uint8_t data[SHA_CBLOCK]; - unsigned num; -}; +// CRYPTO_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF +// defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b +// parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user +// input is all zeros. +// +// The PRF generates a sequence of 320-bit numbers. Each number is encoded as a +// 40-byte string in big-endian and then concatenated to form |out|. If +// |out_len| is not a multiple of 40, the result is truncated. This matches the +// construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187. +// +// This PRF is based on SHA-1, a weak hash function, and should not be used +// in new protocols. It is provided for compatibility with some legacy EAP +// methods. +OPENSSL_EXPORT void CRYPTO_fips_186_2_prf( + uint8_t *out, size_t out_len, const uint8_t xkey[SHA_DIGEST_LENGTH]); // SHA-224. @@ -135,7 +130,7 @@ OPENSSL_EXPORT int SHA224_Update(SHA256_CTX *sha, const void *data, size_t len); // SHA224_Final adds the final padding to |sha| and writes the resulting digest // to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. It -// returns one on success and zero on programmer error. +// returns 1. OPENSSL_EXPORT int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *sha); 
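Review bot: This hunk removes the public definition of `struct sha_state_st`, including the `h0`..`h4` union that the deleted comment kept for wpa_supplicant compatibility, and the replacement definition is not visible here; presumably it now comes from the `CNIOBoringSSL_bcm_public.h` include added in the previous hunk. Since the commit description mentions API-break fixups, please confirm the replacement keeps the field names downstream code relied on, or call the layout change out in the commit description. The new `CRYPTO_fips_186_2_prf` comment is clear about the SHA-1 basis and the legacy-only intent; it would help to also state whether `out` and `xkey` may overlap, if that is part of the contract.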
@@ -186,14 +181,6 @@ OPENSSL_EXPORT void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data, size_t num_blocks); -struct sha256_state_st { - uint32_t h[8]; - uint32_t Nl, Nh; - uint8_t data[SHA256_CBLOCK]; - unsigned num, md_len; -}; - - // SHA-384. // SHA384_CBLOCK is the block size of SHA-384. @@ -253,14 +240,6 @@ OPENSSL_EXPORT uint8_t *SHA512(const uint8_t *data, size_t len, OPENSSL_EXPORT void SHA512_Transform(SHA512_CTX *sha, const uint8_t block[SHA512_CBLOCK]); -struct sha512_state_st { - uint64_t h[8]; - uint64_t Nl, Nh; - uint8_t p[128]; - unsigned num, md_len; -}; - - // SHA-512-256 // // See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6 diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_slhdsa.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_slhdsa.h new file mode 100644 index 000000000..0c5bf3576 --- /dev/null +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_slhdsa.h 
@@ -0,0 +1,79 @@
+/* Copyright (c) 2024, Google LLC
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#ifndef OPENSSL_HEADER_SLHDSA_H
+#define OPENSSL_HEADER_SLHDSA_H
+
+#include "CNIOBoringSSL_base.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+// SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES is the number of bytes in an
+// SLH-DSA-SHA2-128s public key.
+#define SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES 32
+
+// SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES is the number of bytes in an
+// SLH-DSA-SHA2-128s private key.
+#define SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES 64
+
+// SLHDSA_SHA2_128S_SIGNATURE_BYTES is the number of bytes in an
+// SLH-DSA-SHA2-128s signature.
+#define SLHDSA_SHA2_128S_SIGNATURE_BYTES 7856
+
+// SLHDSA_SHA2_128S_generate_key generates a SLH-DSA-SHA2-128s key pair and
+// writes the result to |out_public_key| and |out_private_key|.
+OPENSSL_EXPORT void SLHDSA_SHA2_128S_generate_key(
+ uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+ uint8_t out_private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);
+
+// SLHDSA_SHA2_128S_public_from_private writes the public key corresponding to
+// |private_key| to |out_public_key|.
+OPENSSL_EXPORT void SLHDSA_SHA2_128S_public_from_private(
+ uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+ const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]);
+
+// SLHDSA_SHA2_128S_sign slowly generates a SLH-DSA-SHA2-128s signature of |msg|
+// using |private_key| and writes it to |out_signature|. The |context| argument
+// is also signed over and can be used to include implicit contextual
+// information that isn't included in |msg|. The same value of |context| must be
+// presented to |SLHDSA_SHA2_128S_verify| in order for the generated signature
+// to be considered valid. |context| and |context_len| may be |NULL| and 0 to
+// use an empty context (this is common). It returns 1 on success and 0 if
+// |context_len| is larger than 255.
+OPENSSL_EXPORT int SLHDSA_SHA2_128S_sign(
+ uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES],
+ const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES],
+ const uint8_t *msg, size_t msg_len, const uint8_t *context,
+ size_t context_len);
+
+// SLHDSA_SHA2_128S_verify verifies that |signature| is a valid
+// SLH-DSA-SHA2-128s signature of |msg| by |public_key|. The value of |context|
+// must equal the value that was passed to |SLHDSA_SHA2_128S_sign| when the
+// signature was generated. It returns 1 if the signature is valid and 0
+// otherwise.
+OPENSSL_EXPORT int SLHDSA_SHA2_128S_verify(
+ const uint8_t *signature, size_t signature_len,
+ const uint8_t public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES],
+ const uint8_t *msg, size_t msg_len, const uint8_t *context,
+ size_t context_len);
+
+
+#if defined(__cplusplus)
+} // extern C
+#endif
+
+#endif // OPENSSL_HEADER_SLHDSA_H
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_span.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_span.h
index e0a64288e..81647de52 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_span.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_span.h
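Review bot: `SLHDSA_SHA2_128S_verify` takes an explicit `signature_len`, but its comment does not say which length is accepted (presumably exactly `SLHDSA_SHA2_128S_SIGNATURE_BYTES`) nor whether a `context_len` above 255 is rejected the way `SLHDSA_SHA2_128S_sign` documents; both matter to callers validating untrusted input, since "0 otherwise" currently covers malformed input and a genuinely bad signature alike. Suggest adding, once confirmed against the implementation, `// |signature_len| must be |SLHDSA_SHA2_128S_SIGNATURE_BYTES| and |context_len| at most 255; any other input is rejected.` The `sign` comment also states that `|context| and |context_len| may be |NULL| and 0`; the `verify` comment should carry the same allowance so the two contracts match.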
@@ -26,6 +26,32 @@ extern "C++" { #include #include +#if __cplusplus >= 201703L +#include +#endif + +#if defined(__has_include) +#if __has_include() +#include +#endif +#endif + +#if defined(__cpp_lib_ranges) && __cpp_lib_ranges >= 201911L +#include +BSSL_NAMESPACE_BEGIN +template +class Span; +BSSL_NAMESPACE_END + +// Mark `Span` as satisfying the `view` and `borrowed_range` concepts. This +// should be done before the definition of `Span`, so that any inlined calls to +// range functionality use the correct specializations. +template +inline constexpr bool std::ranges::enable_view> = true; +template +inline constexpr bool std::ranges::enable_borrowed_range> = true; +#endif + BSSL_NAMESPACE_BEGIN template @@ -40,24 +66,21 @@ class SpanBase { "Span must be derived from SpanBase"); friend bool operator==(Span lhs, Span rhs) { - // MSVC issues warning C4996 because std::equal is unsafe. The pragma to - // suppress the warning mysteriously has no effect, hence this - // implementation. See - // https://msdn.microsoft.com/en-us/library/aa985974.aspx. - if (lhs.size() != rhs.size()) { - return false; - } - for (T *l = lhs.begin(), *r = rhs.begin(); l != lhs.end() && r != rhs.end(); - ++l, ++r) { - if (*l != *r) { - return false; - } - } - return true; + return std::equal(lhs.begin(), lhs.end(), rhs.begin(), rhs.end()); } friend bool operator!=(Span lhs, Span rhs) { return !(lhs == rhs); } }; + +// Heuristically test whether C is a container type that can be converted into +// a Span by checking for data() and size() member functions. +// +// TODO(davidben): Require C++17 support for std::is_convertible_v, etc. +template +using EnableIfContainer = std::enable_if_t< + std::is_convertible().data()), T *>::value && + std::is_integral().size())>::value>; + } // namespace internal // A Span is a non-owning reference to a contiguous array of objects of type 
@@ -93,31 +116,32 @@ class SpanBase { // a reference or pointer to a container or array. template class Span : private internal::SpanBase { - private: + public: static const size_t npos = static_cast(-1); - // Heuristically test whether C is a container type that can be converted into - // a Span by checking for data() and size() member functions. - // - // TODO(davidben): Require C++17 support for std::is_convertible_v, etc. - template - using EnableIfContainer = std::enable_if_t< - std::is_convertible().data()), T *>::value && - std::is_integral().size())>::value>; + using element_type = T; + using value_type = std::remove_cv_t; + using size_type = size_t; + using difference_type = ptrdiff_t; + using pointer = T *; + using const_pointer = const T *; + using reference = T &; + using const_reference = const T &; + using iterator = T *; + using const_iterator = const T *; - public: constexpr Span() : Span(nullptr, 0) {} constexpr Span(T *ptr, size_t len) : data_(ptr), size_(len) {} template constexpr Span(T (&array)[N]) : Span(array, N) {} - template , + template , typename = std::enable_if_t::value, C>> constexpr Span(const C &container) : data_(container.data()), size_(container.size()) {} - template , + template , typename = std::enable_if_t::value, C>> constexpr explicit Span(C &container) : data_(container.data()), size_(container.size()) {} 
@@ -126,10 +150,10 @@ class Span : private internal::SpanBase { constexpr size_t size() const { return size_; } constexpr bool empty() const { return size_ == 0; } - constexpr T *begin() const { return data_; } - constexpr const T *cbegin() const { return data_; } - constexpr T *end() const { return data_ + size_; } - constexpr const T *cend() const { return end(); } + constexpr iterator begin() const { return data_; } + constexpr const_iterator cbegin() const { return data_; } + constexpr iterator end() const { return data_ + size_; } + constexpr const_iterator cend() const { return end(); } constexpr T &front() const { if (size_ == 0) { @@ -186,6 +210,20 @@ class Span : private internal::SpanBase { template const size_t Span::npos; +#if __cplusplus >= 201703L +template +Span(T *, size_t) -> Span; +template +Span(T (&array)[size]) -> Span; +template < + typename C, + typename T = std::remove_pointer_t().data())>, + typename = internal::EnableIfContainer> +Span(C &) -> Span; +#endif + +// C++17 callers can instead rely on CTAD and the deduction guides defined +// above. template constexpr Span MakeSpan(T *ptr, size_t size) { return Span(ptr, size); @@ -196,6 +234,11 @@ constexpr auto MakeSpan(C &c) -> decltype(MakeSpan(c.data(), c.size())) { return MakeSpan(c.data(), c.size()); } +template +constexpr Span MakeSpan(T (&array)[N]) { + return Span(array, N); +} + template constexpr Span MakeConstSpan(T *ptr, size_t size) { return Span(ptr, size); @@ -212,6 +255,16 @@ constexpr Span MakeConstSpan(T (&array)[size]) { return array; } +#if __cplusplus >= 201703L +inline Span StringAsBytes(std::string_view s) { + return MakeConstSpan(reinterpret_cast(s.data()), s.size()); +} + +inline std::string_view BytesAsStringView(bssl::Span b) { + return std::string_view(reinterpret_cast(b.data()), b.size()); +} +#endif + BSSL_NAMESPACE_END } // extern C++ 
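Review bot: In the last hunk here, `BytesAsStringView` spells its parameter type with an explicit `bssl::` qualifier while the sibling `StringAsBytes`, and the rest of this header inside `BSSL_NAMESPACE_BEGIN`, name `Span` unqualified; the mixed style invites the question whether the qualifier is load-bearing. Unless it is needed for lookup, suggest `inline std::string_view BytesAsStringView(Span<const uint8_t> b) {` for consistency with the surrounding code. The angle-bracketed template arguments in this hunk appear stripped in this rendering, so the exact spelling should be checked against the file.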
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ssl.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ssl.h index 31c0c1463..56bef83cc 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ssl.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_ssl.h @@ -478,7 +478,7 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code); #define SSL_ERROR_NONE 0 // SSL_ERROR_SSL indicates the operation failed within the library. The caller -// may inspect the error queue for more information. +// may inspect the error queue (see |ERR_get_error|) for more information. #define SSL_ERROR_SSL 1 // SSL_ERROR_WANT_READ indicates the operation failed attempting to read from @@ -550,8 +550,8 @@ OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code); // a private key operation was unfinished. The caller may retry the operation // when the private key operation is complete. // -// See also |SSL_set_private_key_method| and -// |SSL_CTX_set_private_key_method|. +// See also |SSL_set_private_key_method|, |SSL_CTX_set_private_key_method|, and +// |SSL_CREDENTIAL_set_private_key_method|. #define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13 // SSL_ERROR_PENDING_TICKET indicates that a ticket decryption is pending. The 
@@ -651,6 +651,17 @@ OPENSSL_EXPORT int DTLSv1_handle_timeout(SSL *ssl); #define DTLS1_VERSION 0xfeff #define DTLS1_2_VERSION 0xfefd +// DTLS1_3_EXPERIMENTAL_VERSION gates experimental, in-progress code for DTLS +// 1.3. +// +// WARNING: Do not use this value. BoringSSL's DTLS 1.3 implementation is still +// under development. The code enabled by this value is neither stable nor +// secure. It does not correspond to any real protocol. It is also incompatible +// with other DTLS implementations, and it is not compatible with future or past +// versions of BoringSSL. +// +// When the DTLS 1.3 implementation is complete, this symbol will be replaced. +#define DTLS1_3_EXPERIMENTAL_VERSION 0xfc25 // SSL_CTX_set_min_proto_version sets the minimum protocol version for |ctx| to // |version|. If |version| is zero, the default minimum version is used. It 
@@ -841,6 +852,143 @@ OPENSSL_EXPORT void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, CRYPTO_BUFFER_POOL *pool); +// Credentials. +// +// TLS endpoints may present authentication during the handshake, usually using +// X.509 certificates. This is typically required for servers and optional for +// clients. BoringSSL uses the |SSL_CREDENTIAL| object to abstract between +// different kinds of credentials, as well as configure automatic selection +// between multiple credentials. This may be used to select between ECDSA and +// RSA certificates. +// +// |SSL_CTX| and |SSL| objects maintain lists of credentials in preference +// order. During the handshake, BoringSSL will select the first usable +// credential from the list. Non-credential APIs, such as +// |SSL_CTX_use_certificate|, configure a "legacy credential", which is +// appended to this list if configured. Using the legacy credential is the same +// as configuring an equivalent credential with the |SSL_CREDENTIAL| API. +// +// When selecting credentials, BoringSSL considers the credential's type, its +// cryptographic capabilities, and capabilities advertised by the peer. This +// varies between TLS versions but includes: +// +// - Whether the peer supports the leaf certificate key +// - Whether there is a common signature algorithm that is compatible with the +// credential +// - Whether there is a common cipher suite that is compatible with the +// credential +// +// WARNING: In TLS 1.2 and below, there is no mechanism for servers to advertise +// supported ECDSA curves to the client. BoringSSL clients will assume the +// server accepts all ECDSA curves in client certificates. +// +// By default, BoringSSL does not check the following, though we may add APIs +// in the future to enable them on a per-credential basis. 
+// +// - Whether the peer supports the signature algorithms in the certificate chain +// - Whether the a server certificate is compatible with the server_name +// extension (SNI) +// - Whether the peer supports the certificate authority that issued the +// certificate +// +// Credentials may be configured before the handshake or dynamically in the +// early callback (see |SSL_CTX_set_select_certificate_cb|) and certificate +// callback (see |SSL_CTX_set_cert_cb|). These callbacks allow applications to +// use BoringSSL's built-in selection logic in tandem with custom logic. For +// example, a callback could evaluate application-specific SNI rules to filter +// down to an ECDSA and RSA credential, then configure both for BoringSSL to +// select between the two. + +// SSL_CREDENTIAL_new_x509 returns a new, empty X.509 credential, or NULL on +// error. Callers should release the result with |SSL_CREDENTIAL_free| when +// done. +// +// Callers should configure a certificate chain and private key on the +// credential, along with other properties, then add it with +// |SSL_CTX_add1_credential|. +OPENSSL_EXPORT SSL_CREDENTIAL *SSL_CREDENTIAL_new_x509(void); + +// SSL_CREDENTIAL_up_ref increments the reference count of |cred|. +OPENSSL_EXPORT void SSL_CREDENTIAL_up_ref(SSL_CREDENTIAL *cred); + +// SSL_CREDENTIAL_free decrements the reference count of |cred|. If it reaches +// zero, all data referenced by |cred| and |cred| itself are released. +OPENSSL_EXPORT void SSL_CREDENTIAL_free(SSL_CREDENTIAL *cred); + +// SSL_CREDENTIAL_set1_private_key sets |cred|'s private key to |cred|. It +// returns one on success and zero on failure. +OPENSSL_EXPORT int SSL_CREDENTIAL_set1_private_key(SSL_CREDENTIAL *cred, + EVP_PKEY *key); + +// SSL_CREDENTIAL_set1_signing_algorithm_prefs configures |cred| to use |prefs| +// as the preference list when signing with |cred|'s private key. It returns one +// on success and zero on error. 
|prefs| should not include the internal-only +// value |SSL_SIGN_RSA_PKCS1_MD5_SHA1|. +// +// It is an error to call this function with delegated credentials (see +// |SSL_CREDENTIAL_new_delegated|) because delegated credentials already +// constrain the key to a single algorithm. +OPENSSL_EXPORT int SSL_CREDENTIAL_set1_signing_algorithm_prefs( + SSL_CREDENTIAL *cred, const uint16_t *prefs, size_t num_prefs); + +// SSL_CREDENTIAL_set1_cert_chain sets |cred|'s certificate chain, starting from +// the leaf, to |num_cert|s certificates from |certs|. It returns one on success +// and zero on error. +OPENSSL_EXPORT int SSL_CREDENTIAL_set1_cert_chain(SSL_CREDENTIAL *cred, + CRYPTO_BUFFER *const *certs, + size_t num_certs); + +// SSL_CREDENTIAL_set1_ocsp_response sets |cred|'s stapled OCSP response to +// |ocsp|. It returns one on success and zero on error. +OPENSSL_EXPORT int SSL_CREDENTIAL_set1_ocsp_response(SSL_CREDENTIAL *cred, + CRYPTO_BUFFER *ocsp); + +// SSL_CREDENTIAL_set1_signed_cert_timestamp_list sets |cred|'s list of signed +// certificate timestamps |sct_list|. |sct_list| must contain one or more SCT +// structures serialised as a SignedCertificateTimestampList (see +// https://tools.ietf.org/html/rfc6962#section-3.3) – i.e. each SCT is prefixed +// by a big-endian, uint16 length and the concatenation of one or more such +// prefixed SCTs are themselves also prefixed by a uint16 length. It returns one +// on success and zero on error. +OPENSSL_EXPORT int SSL_CREDENTIAL_set1_signed_cert_timestamp_list( + SSL_CREDENTIAL *cred, CRYPTO_BUFFER *sct_list); + +// SSL_CTX_add1_credential appends |cred| to |ctx|'s credential list. It returns +// one on success and zero on error. The credential list is maintained in order +// of decreasing preference, so earlier calls are preferred over later calls. +// +// After calling this function, it is an error to modify |cred|. Doing so may +// result in inconsistent handshake behavior or race conditions. 
+OPENSSL_EXPORT int SSL_CTX_add1_credential(SSL_CTX *ctx, SSL_CREDENTIAL *cred); + +// SSL_add1_credential appends |cred| to |ssl|'s credential list. It returns one +// on success and zero on error. The credential list is maintained in order of +// decreasing preference, so earlier calls are preferred over later calls. +// +// After calling this function, it is an error to modify |cred|. Doing so may +// result in inconsistent handshake behavior or race conditions. +OPENSSL_EXPORT int SSL_add1_credential(SSL *ssl, SSL_CREDENTIAL *cred); + +// SSL_certs_clear removes all credentials configured on |ssl|. It also removes +// the certificate chain and private key on the legacy credential. +OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl); + +// SSL_get0_selected_credential returns the credential in use in the current +// handshake on |ssl|. If there is current handshake on |ssl| or if the +// handshake has not progressed to this point, it returns NULL. +// +// This function is intended for use with |SSL_CREDENTIAL_get_ex_data|. It may +// be called from handshake callbacks, such as those in +// |SSL_PRIVATE_KEY_METHOD|, to trigger credential-specific behavior. +// +// In applications that use the older APIs, such as |SSL_use_certificate|, this +// function may return an internal |SSL_CREDENTIAL| object. This internal object +// will have no ex_data installed. To avoid this, it is recommended that callers +// moving to |SSL_CREDENTIAL| use the new APIs consistently. +OPENSSL_EXPORT const SSL_CREDENTIAL *SSL_get0_selected_credential( + const SSL *ssl); + + // Configuring certificates and private keys. // // These functions configure the connection's leaf certificate, private key, and 
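Review bot: Several new comments in the credentials hunk have wording slips that change their meaning: `SSL_CREDENTIAL_set1_private_key` says it sets the key `to |cred|` where `to |key|` is meant; `SSL_get0_selected_credential` says `If there is current handshake on |ssl|` where `If there is no current handshake on |ssl|` is meant; and `SSL_CREDENTIAL_set1_cert_chain` refers to `|num_cert|s certificates` rather than `|num_certs| certificates`. The section overview also reads `Whether the a server certificate`. These are worth fixing before this lands, since this header is the primary documentation for the new API and the selected-credential sentence currently reads as the opposite of the intended NULL contract.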
@@ -848,23 +996,33 @@ OPENSSL_EXPORT void SSL_CTX_set0_buffer_pool(SSL_CTX *ctx, // the wire) but does not include the leaf. Both client and server certificates // use these functions. // -// Certificates and keys may be configured before the handshake or dynamically -// in the early callback and certificate callback. +// Prefer to configure the certificate before the private key. If configured in +// the other order, inconsistent private keys will be silently dropped, rather +// than return an error. Additionally, overwriting a previously-configured +// certificate and key pair only works if the certificate is configured first. +// +// Each of these functions configures the single "legacy credential" on the +// |SSL_CTX| or |SSL|. To select between multiple certificates, use +// |SSL_CREDENTIAL_new_x509| and other APIs to configure a list of credentials. // SSL_CTX_use_certificate sets |ctx|'s leaf certificate to |x509|. It returns -// one on success and zero on failure. +// one on success and zero on failure. If |ctx| has a private key which is +// inconsistent with |x509|, the private key is silently dropped. OPENSSL_EXPORT int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x509); // SSL_use_certificate sets |ssl|'s leaf certificate to |x509|. It returns one -// on success and zero on failure. +// on success and zero on failure. If |ssl| has a private key which is +// inconsistent with |x509|, the private key is silently dropped. OPENSSL_EXPORT int SSL_use_certificate(SSL *ssl, X509 *x509); // SSL_CTX_use_PrivateKey sets |ctx|'s private key to |pkey|. It returns one on -// success and zero on failure. +// success and zero on failure. If |ctx| had a private key or +// |SSL_PRIVATE_KEY_METHOD| previously configured, it is replaced. OPENSSL_EXPORT int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); // SSL_use_PrivateKey sets |ssl|'s private key to |pkey|. It returns one on -// success and zero on failure. +// success and zero on failure. 
If |ssl| had a private key or +// |SSL_PRIVATE_KEY_METHOD| previously configured, it is replaced. OPENSSL_EXPORT int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); // SSL_CTX_set0_chain sets |ctx|'s certificate chain, excluding the leaf, to @@ -986,18 +1144,6 @@ OPENSSL_EXPORT size_t SSL_get0_peer_delegation_algorithms(const SSL *ssl, const uint16_t **out_sigalgs); -// SSL_certs_clear resets the private key, leaf certificate, and certificate -// chain of |ssl|. -OPENSSL_EXPORT void SSL_certs_clear(SSL *ssl); - -// SSL_CTX_check_private_key returns one if the certificate and private key -// configured in |ctx| are consistent and zero otherwise. -OPENSSL_EXPORT int SSL_CTX_check_private_key(const SSL_CTX *ctx); - -// SSL_check_private_key returns one if the certificate and private key -// configured in |ssl| are consistent and zero otherwise. -OPENSSL_EXPORT int SSL_check_private_key(const SSL *ssl); - // SSL_CTX_get0_certificate returns |ctx|'s leaf certificate. OPENSSL_EXPORT X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx); @@ -1072,6 +1218,11 @@ OPENSSL_EXPORT int SSL_set_ocsp_response(SSL *ssl, #define SSL_SIGN_RSA_PSS_RSAE_SHA512 0x0806 #define SSL_SIGN_ED25519 0x0807 +// SSL_SIGN_RSA_PKCS1_SHA256_LEGACY is a backport of RSASSA-PKCS1-v1_5 with +// SHA-256 to TLS 1.3. It is disabled by default and only defined for client +// certificates. +#define SSL_SIGN_RSA_PKCS1_SHA256_LEGACY 0x0420 + // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal signature algorithm used to // specify raw RSASSA-PKCS1-v1_5 with an MD5/SHA-1 concatenation, as used in TLS // before TLS 1.2. 
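Review bot: The removal of `SSL_CTX_check_private_key` and `SSL_check_private_key` in the second hunk here leaves no visible replacement for an explicit certificate/key consistency check, while the preceding hunk (@@ -848) now documents that an inconsistent private key is silently dropped rather than reported. That combination makes a misconfiguration harder to detect at startup, which is where such checks are usually run. If the declarations were only moved (for example to a compatibility section outside this diff), the commit description should say so; otherwise suggest a sentence next to `SSL_CTX_use_PrivateKey` telling callers how to detect the dropped-key case after configuration.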
@@ -1154,11 +1305,23 @@ OPENSSL_EXPORT int SSL_set_chain_and_key( // the return value is undefined and, even if not NULL, the stack itself may // contain nullptrs. Thus you shouldn't mix this function with // non-|CRYPTO_BUFFER| functions for manipulating the chain.) +OPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER) *SSL_CTX_get0_chain( + const SSL_CTX *ctx); + +// SSL_get0_chain returns the list of |CRYPTO_BUFFER|s that were set by +// |SSL_set_chain_and_key|, unless they have been discarded. Reference counts +// are not incremented by this call. The return value may be |NULL| if no chain +// has been set. +// +// (Note: if a chain was configured by non-|CRYPTO_BUFFER|-based functions then +// the return value is undefined and, even if not NULL, the stack itself may +// contain nullptrs. Thus you shouldn't mix this function with +// non-|CRYPTO_BUFFER| functions for manipulating the chain.) // -// There is no |SSL*| version of this function because connections discard -// configuration after handshaking, thus making it of questionable utility. -OPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER)* - SSL_CTX_get0_chain(const SSL_CTX *ctx); +// This function may return nullptr if a handshake has completed even if +// |SSL_set_chain_and_key| was previously called, since the configuration +// containing the certificates is typically cleared after handshake completion. +OPENSSL_EXPORT const STACK_OF(CRYPTO_BUFFER) *SSL_get0_chain(const SSL *ssl); // SSL_CTX_use_RSAPrivateKey sets |ctx|'s private key to |rsa|. It returns one // on success and zero on failure. 
@@ -1217,6 +1380,11 @@ OPENSSL_EXPORT int SSL_use_PrivateKey_file(SSL *ssl, const char *file, // reads the contents of |file| as a PEM-encoded leaf certificate followed // optionally by the certificate chain to send to the peer. It returns one on // success and zero on failure. +// +// WARNING: If the input contains "TRUSTED CERTIFICATE" PEM blocks, this +// function parses auxiliary properties as in |d2i_X509_AUX|. Passing untrusted +// input to this function allows an attacker to influence those properties. See +// |d2i_X509_AUX| for details. OPENSSL_EXPORT int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); @@ -1252,11 +1420,6 @@ enum ssl_private_key_result_t BORINGSSL_ENUM_INT { // key hooks. This is used to off-load signing operations to a custom, // potentially asynchronous, backend. Metadata about the key such as the type // and size are parsed out of the certificate. -// -// Callers that use this structure should additionally call -// |SSL_set_signing_algorithm_prefs| or |SSL_CTX_set_signing_algorithm_prefs| -// with the private key's capabilities. This ensures BoringSSL will select a -// suitable signature algorithm for the private key. struct ssl_private_key_method_st { // sign signs the message |in| in using the specified signature algorithm. On // success, it returns |ssl_private_key_success| and writes at most |max_out| 
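Review bot: The new WARNING on `SSL_CTX_use_certificate_chain_file` about "TRUSTED CERTIFICATE" PEM blocks and `d2i_X509_AUX` is a useful call-out, but it only names the `SSL_CTX` variant; if an `SSL`-level function reads the same PEM format, it should carry the same warning. It would also help readers to state briefly which auxiliary properties are at stake rather than deferring entirely to `d2i_X509_AUX`, e.g. `// (the trust settings stored alongside the certificate)`, provided that matches the `d2i_X509_AUX` documentation.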
@@ -1309,14 +1472,39 @@ struct ssl_private_key_method_st { // SSL_set_private_key_method configures a custom private key on |ssl|. // |key_method| must remain valid for the lifetime of |ssl|. +// +// If using an RSA or ECDSA key, callers should configure signing capabilities +// with |SSL_set_signing_algorithm_prefs|. Otherwise, BoringSSL may select a +// signature algorithm that |key_method| does not support. OPENSSL_EXPORT void SSL_set_private_key_method( SSL *ssl, const SSL_PRIVATE_KEY_METHOD *key_method); // SSL_CTX_set_private_key_method configures a custom private key on |ctx|. // |key_method| must remain valid for the lifetime of |ctx|. +// +// If using an RSA or ECDSA key, callers should configure signing capabilities +// with |SSL_CTX_set_signing_algorithm_prefs|. Otherwise, BoringSSL may select a +// signature algorithm that |key_method| does not support. OPENSSL_EXPORT void SSL_CTX_set_private_key_method( SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method); +// SSL_CREDENTIAL_set_private_key_method configures a custom private key on +// |cred|. |key_method| must remain valid for the lifetime of |cred|. It returns +// one on success and zero if |cred| does not use private keys. +// +// If using an RSA or ECDSA key, callers should configure signing capabilities +// with |SSL_CREDENTIAL_set1_signing_algorithm_prefs|. Otherwise, BoringSSL may +// select a signature algorithm that |key_method| does not support. This is not +// necessary for delegated credentials (see |SSL_CREDENTIAL_new_delegated|) +// because delegated credentials only support a single signature algorithm. +// +// Functions in |key_method| will be passed an |SSL| object, but not |cred| +// directly. Use |SSL_get0_selected_credential| to determine the selected +// credential. From there, |SSL_CREDENTIAL_get_ex_data| can be used to look up +// credential-specific state, such as a handle to the private key. 
+OPENSSL_EXPORT int SSL_CREDENTIAL_set_private_key_method( + SSL_CREDENTIAL *cred, const SSL_PRIVATE_KEY_METHOD *key_method); + // SSL_can_release_private_key returns one if |ssl| will no longer call into the // private key and zero otherwise. If the function returns one, the caller can // release state associated with the private key. @@ -1461,19 +1649,19 @@ OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out, // // Available opcodes are: // -// The empty opcode enables and appends all matching disabled ciphers to the +// - The empty opcode enables and appends all matching disabled ciphers to the // end of the enabled list. The newly appended ciphers are ordered relative to // each other matching their order in the disabled list. // -// |-| disables all matching enabled ciphers and prepends them to the disabled +// - |-| disables all matching enabled ciphers and prepends them to the disabled // list, with relative order from the enabled list preserved. This means the // most recently disabled ciphers get highest preference relative to other // disabled ciphers if re-enabled. // -// |+| moves all matching enabled ciphers to the end of the enabled list, with +// - |+| moves all matching enabled ciphers to the end of the enabled list, with // relative order preserved. // -// |!| deletes all matching ciphers, enabled or not, from either list. Deleted +// - |!| deletes all matching ciphers, enabled or not, from either list. Deleted // ciphers will not matched by future operations. // // A selector may be a specific cipher (using either the standard or OpenSSL 
@@ -1483,36 +1671,36 @@ OPENSSL_EXPORT size_t SSL_get_all_standard_cipher_names(const char **out, // // Available cipher rules are: // -// |ALL| matches all ciphers, except for deprecated ciphers which must be +// - |ALL| matches all ciphers, except for deprecated ciphers which must be // named explicitly. // -// |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE, +// - |kRSA|, |kDHE|, |kECDHE|, and |kPSK| match ciphers using plain RSA, DHE, // ECDHE, and plain PSK key exchanges, respectively. Note that ECDHE_PSK is // matched by |kECDHE| and not |kPSK|. // -// |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and +// - |aRSA|, |aECDSA|, and |aPSK| match ciphers authenticated by RSA, ECDSA, and // a pre-shared key, respectively. // -// |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the +// - |RSA|, |DHE|, |ECDHE|, |PSK|, |ECDSA|, and |PSK| are aliases for the // corresponding |k*| or |a*| cipher rule. |RSA| is an alias for |kRSA|, not // |aRSA|. // -// |3DES|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match ciphers +// - |3DES|, |AES128|, |AES256|, |AES|, |AESGCM|, |CHACHA20| match ciphers // whose bulk cipher use the corresponding encryption scheme. Note that // |AES|, |AES128|, and |AES256| match both CBC and GCM ciphers. // -// |SHA1|, and its alias |SHA|, match legacy cipher suites using HMAC-SHA1. +// - |SHA1|, and its alias |SHA|, match legacy cipher suites using HMAC-SHA1. // // Deprecated cipher rules: // -// |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|, +// - |kEDH|, |EDH|, |kEECDH|, and |EECDH| are legacy aliases for |kDHE|, |DHE|, // |kECDHE|, and |ECDHE|, respectively. // -// |HIGH| is an alias for |ALL|. +// - |HIGH| is an alias for |ALL|. // -// |FIPS| is an alias for |HIGH|. +// - |FIPS| is an alias for |HIGH|. // -// |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier. +// - |SSLv3| and |TLSv1| match ciphers available in TLS 1.1 or earlier. 
// |TLSv1_2| matches ciphers new in TLS 1.2. This is confusing and should not // be used. // @@ -2362,6 +2550,7 @@ OPENSSL_EXPORT size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx); #define SSL_GROUP_SECP384R1 24 #define SSL_GROUP_SECP521R1 25 #define SSL_GROUP_X25519 29 +#define SSL_GROUP_X25519_MLKEM768 0x11ec #define SSL_GROUP_X25519_KYBER768_DRAFT00 0x6399 // SSL_CTX_set1_group_ids sets the preferred groups for |ctx| to |group_ids|. 
@@ -2479,16 +2668,19 @@ OPENSSL_EXPORT int SSL_get_negotiated_group(const SSL *ssl); #define SSL_VERIFY_PEER_IF_NO_OBC 0x04 // SSL_CTX_set_verify configures certificate verification behavior. |mode| is -// one of the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is -// used to customize certificate verification, but is deprecated. See -// |X509_STORE_CTX_set_verify_cb| for details. -// -// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with -// |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. -// -// WARNING: |callback| should be NULL. This callback does not replace the -// default certificate verification process and is, instead, called multiple -// times in the course of that process. It is very difficult to implement this +// one of the |SSL_VERIFY_*| values defined above. |callback| should be NULL. +// +// If |callback| is non-NULL, it is called as in |X509_STORE_CTX_set_verify_cb|, +// which is a deprecated and fragile mechanism to run the default certificate +// verification process, but suppress individual errors in it. See +// |X509_STORE_CTX_set_verify_cb| for details, If set, the callback may use +// |SSL_get_ex_data_X509_STORE_CTX_idx| with |X509_STORE_CTX_get_ex_data| to +// look up the |SSL| from |store_ctx|. +// +// WARNING: |callback| is not suitable for implementing custom certificate +// check, accepting all certificates, or extracting the certificate after +// verification. It does not replace the default process and is called multiple +// times throughout that process. It is also very difficult to implement this // callback safely, without inadvertently relying on implementation details or // making incorrect assumptions about when the callback is called. // 
@@ -2496,35 +2688,30 @@ OPENSSL_EXPORT int SSL_get_negotiated_group(const SSL *ssl); // |SSL_CTX_set_cert_verify_callback| to customize certificate verification. // Those callbacks can inspect the peer-sent chain, call |X509_verify_cert| and // inspect the result, or perform other operations more straightforwardly. -// -// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but -// haven't documented it yet. Later that will have a more detailed warning about -// why one should not use this callback. OPENSSL_EXPORT void SSL_CTX_set_verify( SSL_CTX *ctx, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx)); // SSL_set_verify configures certificate verification behavior. |mode| is one of -// the |SSL_VERIFY_*| values defined above. |callback|, if not NULL, is used to -// customize certificate verification, but is deprecated. See the behavior of -// |X509_STORE_CTX_set_verify_cb|. -// -// The callback may use |SSL_get_ex_data_X509_STORE_CTX_idx| with -// |X509_STORE_CTX_get_ex_data| to look up the |SSL| from |store_ctx|. -// -// WARNING: |callback| should be NULL. This callback does not replace the -// default certificate verification process and is, instead, called multiple -// times in the course of that process. It is very difficult to implement this +// the |SSL_VERIFY_*| values defined above. |callback| should be NULL. +// +// If |callback| is non-NULL, it is called as in |X509_STORE_CTX_set_verify_cb|, +// which is a deprecated and fragile mechanism to run the default certificate +// verification process, but suppress individual errors in it. See +// |X509_STORE_CTX_set_verify_cb| for details, If set, the callback may use +// |SSL_get_ex_data_X509_STORE_CTX_idx| with |X509_STORE_CTX_get_ex_data| to +// look up the |SSL| from |store_ctx|. +// +// WARNING: |callback| is not suitable for implementing custom certificate +// check, accepting all certificates, or extracting the certificate after +// verification. 
It does not replace the default process and is called multiple +// times throughout that process. It is also very difficult to implement this // callback safely, without inadvertently relying on implementation details or // making incorrect assumptions about when the callback is called. // -// Instead, use |SSL_set_custom_verify| or |SSL_CTX_set_cert_verify_callback| to +// Instead, use |SSL_set_custom_verify| or |SSL_set_cert_verify_callback| to // customize certificate verification. Those callbacks can inspect the peer-sent // chain, call |X509_verify_cert| and inspect the result, or perform other // operations more straightforwardly. -// -// TODO(crbug.com/boringssl/426): We cite |X509_STORE_CTX_set_verify_cb| but -// haven't documented it yet. Later that will have a more detailed warning about -// why one should not use this callback. OPENSSL_EXPORT void SSL_set_verify(SSL *ssl, int mode, int (*callback)(int ok, X509_STORE_CTX *store_ctx)); 
@@ -2587,16 +2774,27 @@ OPENSSL_EXPORT int (*SSL_get_verify_callback(const SSL *ssl))(
 // ineffective. Simply checking that a host has some certificate from a CA is
 // rarely meaningful—you have to check that the CA believed that the host was
 // who you expect to be talking to.
+//
+// By default, both subject alternative names and the subject's common name
+// attribute are checked. The latter has long been deprecated, so callers should
+// call |SSL_set_hostflags| with |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use
+// the standard behavior. https://crbug.com/boringssl/464 tracks fixing the
+// default.
 OPENSSL_EXPORT int SSL_set1_host(SSL *ssl, const char *hostname);
 
+// SSL_set_hostflags calls |X509_VERIFY_PARAM_set_hostflags| on the
+// |X509_VERIFY_PARAM| associated with this |SSL*|. |flags| should be some
+// combination of the |X509_CHECK_*| constants.
+OPENSSL_EXPORT void SSL_set_hostflags(SSL *ssl, unsigned flags);
+
 // SSL_CTX_set_verify_depth sets the maximum depth of a certificate chain
-// accepted in verification. This number does not include the leaf, so a depth
-// of 1 allows the leaf and one CA certificate.
+// accepted in verification. This count excludes both the target certificate and
+// the trust anchor (root certificate).
 OPENSSL_EXPORT void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
 
 // SSL_set_verify_depth sets the maximum depth of a certificate chain accepted
-// in verification. This number does not include the leaf, so a depth of 1
-// allows the leaf and one CA certificate.
+// in verification. This count excludes both the target certificate and the
+// trust anchor (root certificate).
 OPENSSL_EXPORT void SSL_set_verify_depth(SSL *ssl, int depth);
 
 // SSL_CTX_get_verify_depth returns the maximum depth of a certificate accepted
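Review bot: The rewritten `SSL_CTX_set_verify_depth` and `SSL_set_verify_depth` comments now state that the depth excludes the trust anchor as well as the leaf, whereas the removed text said a depth of 1 admits the leaf plus one CA; this hunk does not show whether the implementation changed or only the wording, so any depth value the vendoring project forwards, and any test pinned to the old reading, should be re-checked against the updated X.509 verifier. Separately, the new `SSL_set1_host` paragraph documents a common-name fallback that is on by default; code that relies on `SSL_set1_host` for hostname verification should pair it with `SSL_set_hostflags(ssl, X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)` as the comment recommends, now that `SSL_set_hostflags` is declared directly below it. Both are observations for the consuming code; the vendored header itself needs no edit.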
@@ -2653,19 +2851,17 @@ OPENSSL_EXPORT void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store); // SSL_CTX_get_cert_store returns |ctx|'s certificate store. OPENSSL_EXPORT X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx); -// SSL_CTX_set_default_verify_paths loads the OpenSSL system-default trust -// anchors into |ctx|'s store. It returns one on success and zero on failure. +// SSL_CTX_set_default_verify_paths calls |X509_STORE_set_default_paths| on +// |ctx|'s store. See that function for details. +// +// Using this function is not recommended. In OpenSSL, these defaults are +// determined by OpenSSL's install prefix. There is no corresponding concept for +// BoringSSL. Future versions of BoringSSL may change or remove this +// functionality. OPENSSL_EXPORT int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); -// SSL_CTX_load_verify_locations loads trust anchors into |ctx|'s store from -// |ca_file| and |ca_dir|, either of which may be NULL. If |ca_file| is passed, -// it is opened and PEM-encoded CA certificates are read. If |ca_dir| is passed, -// it is treated as a directory in OpenSSL's hashed directory format. It returns -// one on success and zero on failure. -// -// See -// https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html -// for documentation on the directory format. +// SSL_CTX_load_verify_locations calls |X509_STORE_load_locations| on |ctx|'s +// store. See that function for details. OPENSSL_EXPORT int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *ca_file, const char *ca_dir); @@ -2762,11 +2958,6 @@ OPENSSL_EXPORT int SSL_set_verify_algorithm_prefs(SSL *ssl, const uint16_t *prefs, size_t num_prefs); -// SSL_set_hostflags calls |X509_VERIFY_PARAM_set_hostflags| on the -// |X509_VERIFY_PARAM| associated with this |SSL*|. The |flags| argument -// should be one of the |X509_CHECK_*| constants. -OPENSSL_EXPORT void SSL_set_hostflags(SSL *ssl, unsigned flags); - // Client certificate CA list. // 
@@ -2943,7 +3134,8 @@ OPENSSL_EXPORT int SSL_set_alpn_protos(SSL *ssl, const uint8_t *protos, // SSL_CTX_set_alpn_select_cb sets a callback function on |ctx| that is called // during ClientHello processing in order to select an ALPN protocol from the -// client's list of offered protocols. +// client's list of offered protocols. |SSL_select_next_proto| is an optional +// utility function which may be useful in implementing this callback. // // The callback is passed a wire-format (i.e. a series of non-empty, 8-bit // length-prefixed strings) ALPN protocol list in |in|. To select a protocol, 
@@ -3093,30 +3285,50 @@ OPENSSL_EXPORT int SSL_CTX_add_cert_compression_alg( // and deprecated in favor of it. // SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when a -// TLS server needs a list of supported protocols for Next Protocol -// Negotiation. The returned list must be in wire format. The list is returned -// by setting |*out| to point to it and |*out_len| to its length. This memory -// will not be modified, but one should assume that |ssl| keeps a reference to -// it. -// -// The callback should return |SSL_TLSEXT_ERR_OK| if it wishes to advertise. -// Otherwise, no such extension will be included in the ServerHello. +// TLS server needs a list of supported protocols for Next Protocol Negotiation. +// +// If the callback wishes to advertise NPN to the client, it should return +// |SSL_TLSEXT_ERR_OK| and then set |*out| and |*out_len| to describe to a +// buffer containing a (possibly empty) list of supported protocols in wire +// format. That is, each protocol is prefixed with a 1-byte length, then +// concatenated. From there, the client will select a protocol, possibly one not +// on the server's list. The caller can use |SSL_get0_next_proto_negotiated| +// after the handshake completes to query the final protocol. +// +// The returned buffer must remain valid and unmodified for at least the +// duration of the |SSL| operation (e.g. |SSL_do_handshake|) that triggered the +// callback. +// +// If the caller wishes not to advertise NPN, it should return +// |SSL_TLSEXT_ERR_NOACK|. No NPN extension will be included in the ServerHello, +// and the TLS server will behave as if it does not implement NPN. OPENSSL_EXPORT void SSL_CTX_set_next_protos_advertised_cb( SSL_CTX *ctx, int (*cb)(SSL *ssl, const uint8_t **out, unsigned *out_len, void *arg), void *arg); // SSL_CTX_set_next_proto_select_cb sets a callback that is called when a client -// needs to select a protocol from the server's provided list. 
|*out| must be -// set to point to the selected protocol (which may be within |in|). The length -// of the protocol name must be written into |*out_len|. The server's advertised -// protocols are provided in |in| and |in_len|. The callback can assume that -// |in| is syntactically valid. -// -// The client must select a protocol. It is fatal to the connection if this -// callback returns a value other than |SSL_TLSEXT_ERR_OK|. -// -// Configuring this callback enables NPN on a client. +// needs to select a protocol from the server's provided list, passed in wire +// format in |in_len| bytes from |in|. The callback can assume that |in| is +// syntactically valid. |SSL_select_next_proto| is an optional utility function +// which may be useful in implementing this callback. +// +// On success, the callback should return |SSL_TLSEXT_ERR_OK| and set |*out| and +// |*out_len| to describe a buffer containing the selected protocol, or an +// empty buffer to select no protocol. The returned buffer may point within +// |in|, or it may point to some other buffer that remains valid and unmodified +// for at least the duration of the |SSL| operation (e.g. |SSL_do_handshake|) +// that triggered the callback. +// +// Returning any other value indicates a fatal error and will terminate the TLS +// connection. To proceed without selecting a protocol, the callback must return +// |SSL_TLSEXT_ERR_OK| and set |*out| and |*out_len| to an empty buffer. (E.g. +// NULL and zero, respectively.) +// +// Configuring this callback enables NPN on a client. Although the callback can +// then decline to negotiate a protocol, merely configuring the callback causes +// the client to offer NPN in the ClientHello. Callers thus should not configure +// this callback in TLS client contexts that are not intended to use NPN. OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb( SSL_CTX *ctx, int (*cb)(SSL *ssl, uint8_t **out, uint8_t *out_len, const uint8_t *in, unsigned in_len, void *arg), 
@@ -3124,7 +3336,7 @@ OPENSSL_EXPORT void SSL_CTX_set_next_proto_select_cb( // SSL_get0_next_proto_negotiated sets |*out_data| and |*out_len| to point to // the client's requested protocol for this connection. If the client didn't -// request any protocol, then |*out_data| is set to NULL. +// request any protocol, then |*out_len| is set to zero. // // Note that the client can request any protocol it chooses. The value returned // from this function need not be a member of the list of supported protocols 
@@ -3133,21 +3345,45 @@ OPENSSL_EXPORT void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data, unsigned *out_len); -// SSL_select_next_proto implements the standard protocol selection. It is -// expected that this function is called from the callback set by +// SSL_select_next_proto implements the standard protocol selection for either +// ALPN servers or NPN clients. It is expected that this function is called from +// the callback set by |SSL_CTX_set_alpn_select_cb| or // |SSL_CTX_set_next_proto_select_cb|. // -// |peer| and |supported| must be vectors of 8-bit, length-prefixed byte strings -// containing the peer and locally-configured protocols, respectively. The -// length byte itself is not included in the length. A byte string of length 0 -// is invalid. No byte string may be truncated. |supported| is assumed to be -// non-empty. -// -// This function finds the first protocol in |peer| which is also in -// |supported|. If one was found, it sets |*out| and |*out_len| to point to it -// and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns +// |peer| and |supported| contain the peer and locally-configured protocols, +// respectively. This function finds the first protocol in |peer| which is also +// in |supported|. If one was found, it sets |*out| and |*out_len| to point to +// it and returns |OPENSSL_NPN_NEGOTIATED|. Otherwise, it returns // |OPENSSL_NPN_NO_OVERLAP| and sets |*out| and |*out_len| to the first // supported protocol. +// +// In ALPN, the server should only select protocols among those that the client +// offered. Thus, if this function returns |OPENSSL_NPN_NO_OVERLAP|, the caller +// should ignore |*out| and return |SSL_TLSEXT_ERR_ALERT_FATAL| from +// |SSL_CTX_set_alpn_select_cb|'s callback to indicate there was no match. +// +// In NPN, the client may either select one of the server's protocols, or an +// "opportunistic" protocol as described in Section 6 of +// draft-agl-tls-nextprotoneg-03. 
When this function returns +// |OPENSSL_NPN_NO_OVERLAP|, |*out| implicitly selects the first supported +// protocol for use as the opportunistic protocol. The caller may use it, +// ignore it and select a different opportunistic protocol, or ignore it and +// select no protocol (empty string). +// +// |peer| and |supported| must be vectors of 8-bit, length-prefixed byte +// strings. The length byte itself is not included in the length. A byte string +// of length 0 is invalid. No byte string may be truncated. |supported| must be +// non-empty; a caller that supports no ALPN/NPN protocols should skip +// negotiating the extension, rather than calling this function. If any of these +// preconditions do not hold, this function will return |OPENSSL_NPN_NO_OVERLAP| +// and set |*out| and |*out_len| to an empty buffer for robustness, but callers +// are not recommended to rely on this. An empty buffer is not a valid output +// for |SSL_CTX_set_alpn_select_cb|'s callback. +// +// WARNING: |*out| and |*out_len| may alias either |peer| or |supported| and may +// not be used after one of those buffers is modified or released. Additionally, +// this function is not const-correct for compatibility reasons. Although |*out| +// is a non-const pointer, callers may not modify the buffer though |*out|. OPENSSL_EXPORT int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer, unsigned peer_len, const uint8_t *supported, 
@@ -3319,41 +3555,34 @@ OPENSSL_EXPORT const char *SSL_get_psk_identity(const SSL *ssl); // Delegated credentials. // -// *** EXPERIMENTAL — PRONE TO CHANGE *** -// -// draft-ietf-tls-subcerts is a proposed extension for TLS 1.3 and above that -// allows an end point to use its certificate to delegate credentials for -// authentication. If the peer indicates support for this extension, then this -// host may use a delegated credential to sign the handshake. Once issued, +// Delegated credentials (RFC 9345) allow a TLS 1.3 endpoint to use its +// certificate to issue new credentials for authentication. Once issued, // credentials can't be revoked. In order to mitigate the damage in case the // credential secret key is compromised, the credential is only valid for a -// short time (days, hours, or even minutes). This library implements draft-03 -// of the protocol spec. +// short time (days, hours, or even minutes). // -// The extension ID has not been assigned; we're using 0xff02 for the time -// being. Currently only the server side is implemented. -// -// Servers configure a DC for use in the handshake via -// |SSL_set1_delegated_credential|. It must be signed by the host's end-entity -// certificate as defined in draft-ietf-tls-subcerts-03. +// Currently only the authenticating side, as a server, is implemented. To +// authenticate with delegated credentials, construct an |SSL_CREDENTIAL| with +// |SSL_CREDENTIAL_new_delegated| and add it to the credential list. See also +// |SSL_CTX_add1_credential|. Callers may configure a mix of delegated +// credentials and X.509 credentials on the same |SSL| or |SSL_CTX| to support a +// range of clients. -// SSL_set1_delegated_credential configures the delegated credential (DC) that -// will be sent to the peer for the current connection. |dc| is the DC in wire -// format, and |pkey| or |key_method| is the corresponding private key. -// Currently (as of draft-03), only servers may configure a DC to use in the -// handshake. 
+// SSL_CREDENTIAL_new_delegated returns a new, empty delegated credential, or +// NULL on error. Callers should release the result with |SSL_CREDENTIAL_free| +// when done. // -// The DC will only be used if the protocol version is correct and the signature -// scheme is supported by the peer. If not, the DC will not be negotiated and -// the handshake will use the private key (or private key method) associated -// with the certificate. -OPENSSL_EXPORT int SSL_set1_delegated_credential( - SSL *ssl, CRYPTO_BUFFER *dc, EVP_PKEY *pkey, - const SSL_PRIVATE_KEY_METHOD *key_method); +// Callers should configure a delegated credential, certificate chain and +// private key on the credential, along with other properties, then add it with +// |SSL_CTX_add1_credential|. +OPENSSL_EXPORT SSL_CREDENTIAL *SSL_CREDENTIAL_new_delegated(void); -// SSL_delegated_credential_used returns one if a delegated credential was used -// and zero otherwise. -OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl); +// SSL_CREDENTIAL_set1_delegated_credential sets |cred|'s delegated credentials +// structure to |dc|. It returns one on success and zero on error, including if +// |dc| is malformed. This should be a DelegatedCredential structure, signed by +// the end-entity certificate, as described in RFC 9345. +OPENSSL_EXPORT int SSL_CREDENTIAL_set1_delegated_credential( + SSL_CREDENTIAL *cred, CRYPTO_BUFFER *dc); // QUIC integration. 
@@ -3420,13 +3649,13 @@ OPENSSL_EXPORT int SSL_delegated_credential_used(const SSL *ssl); // holds for any application protocol state remembered for 0-RTT, e.g. HTTP/3 // SETTINGS. -// ssl_encryption_level_t represents a specific QUIC encryption level used to -// transmit handshake messages. +// ssl_encryption_level_t represents an encryption level in TLS 1.3. Values in +// this enum match the first 4 epochs used in DTLS 1.3 (section 6.1). enum ssl_encryption_level_t BORINGSSL_ENUM_INT { ssl_encryption_initial = 0, - ssl_encryption_early_data, - ssl_encryption_handshake, - ssl_encryption_application, + ssl_encryption_early_data = 1, + ssl_encryption_handshake = 2, + ssl_encryption_application = 3, }; // ssl_quic_method_st (aka |SSL_QUIC_METHOD|) describes custom QUIC hooks. @@ -3822,7 +4051,7 @@ OPENSSL_EXPORT void SSL_get0_ech_retry_configs( // to the size of the buffer. The caller must call |OPENSSL_free| on |*out| to // release the memory. On failure, it returns zero. // -// The |config_id| field is a single byte identifer for the ECHConfig. Reusing +// The |config_id| field is a single byte identifier for the ECHConfig. Reusing // config IDs is allowed, but if multiple ECHConfigs with the same config ID are // active at a time, server load may increase. See // |SSL_ECH_KEYS_has_duplicate_config_id|. @@ -4018,6 +4247,15 @@ OPENSSL_EXPORT int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func); +OPENSSL_EXPORT int SSL_CREDENTIAL_set_ex_data(SSL_CREDENTIAL *cred, int idx, + void *data); +OPENSSL_EXPORT void *SSL_CREDENTIAL_get_ex_data(const SSL_CREDENTIAL *cred, + int idx); +OPENSSL_EXPORT int SSL_CREDENTIAL_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_unused *unused, + CRYPTO_EX_dup *dup_unused, + CRYPTO_EX_free *free_func); + // Low-level record-layer state. 
@@ -4201,9 +4439,18 @@ OPENSSL_EXPORT void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
 // access to the log.
 //
 // The format is described in
-// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format.
-OPENSSL_EXPORT void SSL_CTX_set_keylog_callback(
- SSL_CTX *ctx, void (*cb)(const SSL *ssl, const char *line));
+// https://www.ietf.org/archive/id/draft-ietf-tls-keylogfile-01.html
+//
+// WARNING: The data in |line| allows an attacker to break security properties
+// of the TLS protocol, including confidentiality, integrity, and forward
+// secrecy. This impacts both the current connection, and, in TLS 1.2, future
+// connections that resume a session from it. Both direct access to the data and
+// side channel leaks from application code are possible attack vectors. This
+// callback is intended for debugging and should not be used in production
+// connections.
+OPENSSL_EXPORT void SSL_CTX_set_keylog_callback(SSL_CTX *ctx,
+ void (*cb)(const SSL *ssl,
+ const char *line));
 
 // SSL_CTX_get_keylog_callback returns the callback configured by
 // |SSL_CTX_set_keylog_callback|.
@@ -4384,6 +4631,16 @@ enum ssl_select_cert_result_t BORINGSSL_ENUM_INT {
 // ssl_select_cert_error indicates that a fatal error occured and the
 // handshake should be terminated.
 ssl_select_cert_error = -1,
+ // ssl_select_cert_disable_ech indicates that, although an encrypted
+ // ClientHelloInner was decrypted, it should be discarded. The certificate
+ // selection callback will then be called again, passing in the
+ // ClientHelloOuter instead. From there, the handshake will proceed
+ // without retry_configs, to signal to the client to disable ECH.
+ //
+ // This value may only be returned when |SSL_ech_accepted| returnes one. It
+ // may be useful if the ClientHelloInner indicated a service which does not
+ // support ECH, e.g. if it is a TLS-1.2 only service.
+ ssl_select_cert_disable_ech = -2,
 };
 
 // SSL_early_callback_ctx_extension_get searches the extensions in
@@ -4610,10 +4867,28 @@ OPENSSL_EXPORT int SSL_used_hello_retry_request(const SSL *ssl); // https://bugs.openjdk.java.net/browse/JDK-8213202 OPENSSL_EXPORT void SSL_set_jdk11_workaround(SSL *ssl, int enable); +// SSL_set_check_client_certificate_type configures whether the client, in +// TLS 1.2 and below, will check its certificate against the server's requested +// certificate types. +// +// By default, this option is enabled. If disabled, certificate selection within +// the library may not function correctly. This flag is provided temporarily in +// case of compatibility issues. It will be removed sometime after June 2024. +OPENSSL_EXPORT void SSL_set_check_client_certificate_type(SSL *ssl, int enable); + +// SSL_set_check_ecdsa_curve configures whether the server, in TLS 1.2 and +// below, will check its certificate against the client's supported ECDSA +// curves. +// +// By default, this option is enabled. If disabled, certificate selection within +// the library may not function correctly. This flag is provided temporarily in +// case of compatibility issues. It will be removed sometime after June 2024. +OPENSSL_EXPORT void SSL_set_check_ecdsa_curve(SSL *ssl, int enable); + // Deprecated functions. -// SSL_library_init calls |CRYPTO_library_init| and returns one. +// SSL_library_init returns one. OPENSSL_EXPORT int SSL_library_init(void); // SSL_CIPHER_description writes a description of |cipher| into |buf| and @@ -5176,7 +5451,7 @@ OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl); #define OPENSSL_INIT_LOAD_SSL_STRINGS 0 #define OPENSSL_INIT_SSL_DEFAULT 0 -// OPENSSL_init_ssl calls |CRYPTO_library_init| and returns one. +// OPENSSL_init_ssl returns one. OPENSSL_EXPORT int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); 
@@ -5299,6 +5574,25 @@ OPENSSL_EXPORT int SSL_set1_curves_list(SSL *ssl, const char *curves);
 // returns this value, but we define this constant for compatibility.
 #define TLSEXT_nid_unknown 0x1000000
 
+// SSL_CTX_check_private_key returns one if |ctx| has both a certificate and
+// private key, and zero otherwise.
+//
+// This function does not check consistency because the library checks when the
+// certificate and key are individually configured. However, if the private key
+// is configured before the certificate, inconsistent private keys are silently
+// dropped. Some callers are inadvertently relying on this function to detect
+// when this happens.
+//
+// Instead, callers should configure the certificate first, then the private
+// key, checking for errors in each. This function is then unnecessary.
+OPENSSL_EXPORT int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+
+// SSL_check_private_key returns one if |ssl| has both a certificate and private
+// key, and zero otherwise.
+//
+// See discussion in |SSL_CTX_check_private_key|.
+OPENSSL_EXPORT int SSL_check_private_key(const SSL *ssl);
+
 
 // Compliance policy configurations
 //
@@ -5313,7 +5607,7 @@ enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
 // doesn't undo other policies it's an error to try and set it.
 ssl_compliance_policy_none,
 
-// ssl_policy_fips_202205 configures a TLS connection to use:
+// ssl_compliance_policy_fips_202205 configures a TLS connection to use:
 // * TLS 1.2 or 1.3
 // * For TLS 1.2, only ECDHE_[RSA|ECDSA]_WITH_AES_*_GCM_SHA*.
 // * For TLS 1.3, only AES-GCM
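Review bot: The new `SSL_CTX_check_private_key` comment states that the function only reports whether both a certificate and a key are present and performs no consistency check, and that an inconsistent key configured before the certificate is silently dropped. If the vendoring project or its tests call `SSL_CTX_check_private_key` or `SSL_check_private_key` to validate a key/certificate pair, that call is not a guarantee; configure the certificate before the private key and treat a zero return from each setter as the error signal, as the comment recommends. The call sites are not visible from this hunk, so this is a point to confirm rather than a defect in the header.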
@@ -5346,6 +5640,14 @@ enum ssl_compliance_policy_t BORINGSSL_ENUM_INT {
 // implementation risks of using a more obscure primitive like P-384
 // dominate other considerations.
 ssl_compliance_policy_wpa3_192_202304,
+
+ // ssl_compliance_policy_cnsa_202407 confingures a TLS connection to use:
+ // * For TLS 1.3, AES-256-GCM over AES-128-GCM over ChaCha20-Poly1305.
+ //
+ // I.e. it ensures that AES-GCM will be used whenever the client supports it.
+ // The cipher suite configuration mini-language can be used to similarly
+ // configure prior TLS versions if they are enabled.
+ ssl_compliance_policy_cnsa_202407,
 };
 // SSL_CTX_set_compliance_policy configures various aspects of |ctx| based on
@@ -5527,6 +5829,8 @@ extern "C++" {
 BSSL_NAMESPACE_BEGIN
 BORINGSSL_MAKE_DELETER(SSL, SSL_free)
+BORINGSSL_MAKE_DELETER(SSL_CREDENTIAL, SSL_CREDENTIAL_free)
+BORINGSSL_MAKE_UP_REF(SSL_CREDENTIAL, SSL_CREDENTIAL_up_ref)
 BORINGSSL_MAKE_DELETER(SSL_CTX, SSL_CTX_free)
 BORINGSSL_MAKE_UP_REF(SSL_CTX, SSL_CTX_up_ref)
 BORINGSSL_MAKE_DELETER(SSL_ECH_KEYS, SSL_ECH_KEYS_free)
@@ -5592,9 +5896,12 @@ OPENSSL_EXPORT bool SSL_serialize_handback(const SSL *ssl, CBB *out);
 OPENSSL_EXPORT bool SSL_apply_handback(SSL *ssl, Span handback);
 // SSL_get_traffic_secrets sets |*out_read_traffic_secret| and
-// |*out_write_traffic_secret| to reference the TLS 1.3 traffic secrets for
-// |ssl|. This function is only valid on TLS 1.3 connections that have
-// completed the handshake. It returns true on success and false on error.
+// |*out_write_traffic_secret| to reference the current TLS 1.3 traffic secrets
+// for |ssl|. It returns true on success and false on error.
+//
+// This function is only valid on TLS 1.3 connections that have completed the
+// handshake. It is not valid for QUIC or DTLS, where multiple traffic secrets
+// may be active at a time.
 OPENSSL_EXPORT bool SSL_get_traffic_secrets(
 const SSL *ssl, Span *out_read_traffic_secret,
 Span *out_write_traffic_secret);
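Review bot: The new comment on `ssl_compliance_policy_cnsa_202407` misspells "configures" as `confingures`; the corrected line is `// ssl_compliance_policy_cnsa_202407 configures a TLS connection to use:`. This is vendored text, so the fix belongs upstream rather than in this sync, but it is worth carrying along at the next update-script run. The enum that holds this value starts outside the hunk.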
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_stack.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_stack.h
index fbb3d4efa..ca88deb76 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_stack.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_stack.h
@@ -139,7 +139,8 @@ STACK_OF(SAMPLE) *sk_SAMPLE_new(sk_SAMPLE_cmp_func comp);
 STACK_OF(SAMPLE) *sk_SAMPLE_new_null(void);
 // sk_SAMPLE_num returns the number of elements in |sk|. It is safe to cast this
-// value to |int|. |sk| is guaranteed to have at most |INT_MAX| elements.
+// value to |int|. |sk| is guaranteed to have at most |INT_MAX| elements. If
+// |sk| is NULL, it is treated as the empty list and this function returns zero.
 size_t sk_SAMPLE_num(const STACK_OF(SAMPLE) *sk);
 // sk_SAMPLE_zero resets |sk| to the empty state but does nothing to free the
@@ -147,7 +148,8 @@ size_t sk_SAMPLE_num(const STACK_OF(SAMPLE) *sk);
 void sk_SAMPLE_zero(STACK_OF(SAMPLE) *sk);
 // sk_SAMPLE_value returns the |i|th pointer in |sk|, or NULL if |i| is out of
-// range.
+// range. If |sk| is NULL, it is treated as an empty list and the function
+// returns NULL.
 SAMPLE *sk_SAMPLE_value(const STACK_OF(SAMPLE) *sk, size_t i);
 // sk_SAMPLE_set sets the |i|th pointer in |sk| to |p| and returns |p|. If |i|
@@ -195,7 +197,8 @@ void sk_SAMPLE_delete_if(STACK_OF(SAMPLE) *sk, sk_SAMPLE_delete_if_func func,
 // If the stack is sorted (see |sk_SAMPLE_sort|), this function uses a binary
 // search. Otherwise it performs a linear search. If it finds a matching
 // element, it writes the index to |*out_index| (if |out_index| is not NULL) and
-// returns one. Otherwise, it returns zero.
+// returns one. Otherwise, it returns zero. If |sk| is NULL, it is treated as
+// the empty list and the function returns zero.
 //
 // Note this differs from OpenSSL. The type signature is slightly different, and
 // OpenSSL's version will implicitly sort |sk| if it has a comparison function
@@ -399,6 +402,9 @@ BSSL_NAMESPACE_END
 * positive warning. */ \
 OPENSSL_MSVC_PRAGMA(warning(push)) \
 OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \
+ OPENSSL_CLANG_PRAGMA("clang diagnostic push") \
+ OPENSSL_CLANG_PRAGMA("clang diagnostic ignored \"-Wunknown-warning-option\"") \
+ OPENSSL_CLANG_PRAGMA("clang diagnostic ignored \"-Wcast-function-type-strict\"") \
 \
 DECLARE_STACK_OF(name) \
 \
@@ -534,6 +540,7 @@ BSSL_NAMESPACE_END
 (OPENSSL_sk_free_func)free_func); \
 } \
 \
+ OPENSSL_CLANG_PRAGMA("clang diagnostic pop") \
 OPENSSL_MSVC_PRAGMA(warning(pop))
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_target.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_target.h
index 3e777313c..2760f52ce 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_target.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_target.h
@@ -83,17 +83,19 @@
 #endif
 // Trusty and Android baremetal aren't Linux but currently define __linux__.
-// As a workaround, we exclude them here. We also exclude nanolibc. nanolibc
-// sometimes build for a non-Linux target (which should not define __linux__),
-// but also sometimes build for Linux. Although technically running in Linux
-// userspace, this lacks all the libc APIs we'd normally expect on Linux, so we
-// treat it as a non-Linux target.
+// As a workaround, we exclude them here.
+// We also exclude nanolibc/CrOS EC. nanolibc/CrOS EC sometimes build for a
+// non-Linux target (which should not define __linux__), but also sometimes
+// build for Linux. Although technically running in Linux userspace, this lacks
+// all the libc APIs we'd normally expect on Linux, so we treat it as a
+// non-Linux target.
 //
 // TODO(b/169780122): Remove this workaround once Trusty no longer defines it.
 // TODO(b/291101350): Remove this workaround once Android baremetal no longer
 // defines it.
 #if defined(__linux__) && !defined(__TRUSTY__) && \
- !defined(ANDROID_BAREMETAL) && !defined(OPENSSL_NANOLIBC)
+ !defined(ANDROID_BAREMETAL) && !defined(OPENSSL_NANOLIBC) && \
+ !defined(CROS_EC)
 #define OPENSSL_LINUX
 #endif
@@ -146,16 +148,19 @@
 #define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
 #endif
-// CROS_ZEPHYR is an embedded target for ChromeOS Zephyr Embedded Controller.
+// Zephyr is an open source RTOS, optimized for embedded devices.
 // Defining this on any other platform is not supported. Other embedded
 // platforms must introduce their own defines.
 //
-// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/docs/zephyr/README.md
-#if defined(CROS_ZEPHYR)
+// Zephyr supports multithreading with cooperative and preemptive scheduling.
+// It also implements POSIX Threads (pthread) API, so it's not necessary to
+// implement BoringSSL internal threading API using some custom API.
+//
+// https://www.zephyrproject.org/
+#if defined(__ZEPHYR__)
 #define OPENSSL_NO_FILESYSTEM
 #define OPENSSL_NO_POSIX_IO
 #define OPENSSL_NO_SOCK
-#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED
 #endif
 #if defined(__ANDROID_API__)
@@ -208,6 +213,12 @@
 #endif
 #endif
+// Disable 32-bit Arm assembly on Apple platforms. The last iOS version that
+// supported 32-bit Arm was iOS 10.
+#if defined(OPENSSL_APPLE) && defined(OPENSSL_ARM)
+#define OPENSSL_ASM_INCOMPATIBLE
+#endif
+
 #if defined(OPENSSL_ASM_INCOMPATIBLE)
 #undef OPENSSL_ASM_INCOMPATIBLE
 #if !defined(OPENSSL_NO_ASM)
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_time.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_time.h
index 4d2739484..520e28abe 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_time.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_time.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2022, Google Inc.
+/* Copyright (c) 2024, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
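Review bot: The guard changes from `CROS_ZEPHYR` to `__ZEPHYR__`, so a build that still passes `-DCROS_ZEPHYR` no longer gets `OPENSSL_NO_FILESYSTEM`, `OPENSSL_NO_POSIX_IO` or `OPENSSL_NO_SOCK` and silently falls through to the default target configuration. Dropping `OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED` from this block also means the Zephyr build now relies on the pthread implementation the new comment describes; presumably the internal threading code keys on the same `__ZEPHYR__` macro, which is outside this hunk. This package most likely never targets Zephyr, so the practical effect here is nil, but a one-line mention in the PR description that the old macro is gone would save the next reader a search.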
@@ -15,27 +15,8 @@
 #ifndef OPENSSL_HEADER_TIME_H
 #define OPENSSL_HEADER_TIME_H
-#include "CNIOBoringSSL_base.h"
+// Compatibility header, to be deprecated. use instead.
-#include 
-
-#if defined(__cplusplus)
-extern "C" {
-#endif
-
-// OPENSSL_posix_to_tm converts a int64_t POSIX time value in |time|, which must
-// be in the range of year 0000 to 9999, to a broken out time value in |tm|. It
-// returns one on success and zero on error.
-OPENSSL_EXPORT int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm);
-
-// OPENSSL_tm_to_posix converts a time value between the years 0 and 9999 in
-// |tm| to a POSIX time value in |out|. One is returned on success, zero is
-// returned on failure. It is a failure if |tm| contains out of range values.
-OPENSSL_EXPORT int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out);
-
-
-#if defined(__cplusplus)
-} // extern C
-#endif
+#include "CNIOBoringSSL_posix_time.h"
 #endif // OPENSSL_HEADER_TIME_H
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_tls1.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_tls1.h
index 4c68d1d37..f96a2fa9d 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_tls1.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_tls1.h
@@ -239,8 +239,8 @@ extern "C" {
 // ExtensionType value from RFC 5746
 #define TLSEXT_TYPE_renegotiate 0xff01
-// ExtensionType value from draft-ietf-tls-subcerts.
-#define TLSEXT_TYPE_delegated_credential 0x22
+// ExtensionType value from RFC 9345
+#define TLSEXT_TYPE_delegated_credential 34
 // ExtensionType value from draft-vvv-tls-alps. This is not an IANA defined
 // extension number.
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509.h
index 3fb4d5518..e40be1979 100644
--- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509.h
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509.h
@@ -63,16 +63,21 @@
 #ifndef OPENSSL_HEADER_X509_H
 #define OPENSSL_HEADER_X509_H
-#include "CNIOBoringSSL_asn1.h"
 #include "CNIOBoringSSL_base.h"
+
+#include 
+
+#include "CNIOBoringSSL_asn1.h"
 #include "CNIOBoringSSL_bio.h"
 #include "CNIOBoringSSL_cipher.h"
+#include "CNIOBoringSSL_conf.h"
 #include "CNIOBoringSSL_dh.h"
 #include "CNIOBoringSSL_dsa.h"
 #include "CNIOBoringSSL_ec.h"
 #include "CNIOBoringSSL_ecdh.h"
 #include "CNIOBoringSSL_ecdsa.h"
 #include "CNIOBoringSSL_evp.h"
+#include "CNIOBoringSSL_lhash.h"
 #include "CNIOBoringSSL_obj.h"
 #include "CNIOBoringSSL_pkcs7.h"
 #include "CNIOBoringSSL_pool.h"
@@ -80,7 +85,7 @@
 #include "CNIOBoringSSL_sha.h"
 #include "CNIOBoringSSL_stack.h"
 #include "CNIOBoringSSL_thread.h"
-#include 
+#include "CNIOBoringSSL_x509v3_errors.h" // IWYU pragma: export
 #if defined(__cplusplus)
 extern "C" {
@@ -97,10 +102,6 @@ extern "C" {
 //
 // In the future, a replacement library will be available. Meanwhile, minimize
 // dependencies on this header where possible.
-//
-// TODO(https://crbug.com/boringssl/426): Documentation for this library is
-// still in progress. Some functions have not yet been documented, and some
-// functions have not yet been grouped into sections.
 // Certificates.
@@ -193,11 +194,16 @@ OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509);
 // object.
 OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509);
-// X509_get_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
-// public key was unsupported or could not be decoded. This function returns a
-// reference to the |EVP_PKEY|. The caller must release the result with
-// |EVP_PKEY_free| when done.
-OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
+// X509_get0_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the
+// public key was unsupported or could not be decoded. The |EVP_PKEY| is cached
+// in |x509|, so callers must not mutate the result.
+OPENSSL_EXPORT EVP_PKEY *X509_get0_pubkey(const X509 *x509);
+
+// X509_get_pubkey behaves like |X509_get0_pubkey| but increments the reference
+// count on the |EVP_PKEY|. The caller must release the result with
+// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |x509|, so callers
+// must not mutate the result.
+OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(const X509 *x509);
 // X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public
 // key. Note this does not contain the AlgorithmIdentifier portion.
@@ -207,6 +213,11 @@ OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(X509 *x509);
 // internal invariants in |x509|.
 OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509);
+// X509_check_private_key returns one if |x509|'s public key matches |pkey| and
+// zero otherwise.
+OPENSSL_EXPORT int X509_check_private_key(const X509 *x509,
+ const EVP_PKEY *pkey);
+
 // X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the
 // issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly
 // outputs |x509|'s subjectUID field to |*out_subject_uid|.
@@ -217,6 +228,146 @@ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509,
 const ASN1_BIT_STRING **out_issuer_uid,
 const ASN1_BIT_STRING **out_subject_uid);
+// The following bits are returned from |X509_get_extension_flags|.
+
+// EXFLAG_BCONS indicates the certificate has a basic constraints extension.
+#define EXFLAG_BCONS 0x1
+// EXFLAG_KUSAGE indicates the certifcate has a key usage extension.
+#define EXFLAG_KUSAGE 0x2
+// EXFLAG_XKUSAGE indicates the certifcate has an extended key usage extension.
+#define EXFLAG_XKUSAGE 0x4
+// EXFLAG_CA indicates the certificate has a basic constraints extension with
+// the CA bit set.
+#define EXFLAG_CA 0x10
+// EXFLAG_SI indicates the certificate is self-issued, i.e. its subject and
+// issuer names match.
+#define EXFLAG_SI 0x20
+// EXFLAG_V1 indicates an X.509v1 certificate.
+#define EXFLAG_V1 0x40
+// EXFLAG_INVALID indicates an error processing some extension. The certificate
+// should not be accepted. Note the lack of this bit does not imply all
+// extensions are valid, only those used to compute extension flags.
+#define EXFLAG_INVALID 0x80
+// EXFLAG_SET is an internal bit that indicates extension flags were computed.
+#define EXFLAG_SET 0x100
+// EXFLAG_CRITICAL indicates an unsupported critical extension. The certificate
+// should not be accepted.
+#define EXFLAG_CRITICAL 0x200
+// EXFLAG_SS indicates the certificate is likely self-signed. That is, if it is
+// self-issued, its authority key identifier (if any) matches itself, and its
+// key usage extension (if any) allows certificate signatures. The signature
+// itself is not checked in computing this bit.
+#define EXFLAG_SS 0x2000
+
+// X509_get_extension_flags decodes a set of extensions from |x509| and returns
+// a collection of |EXFLAG_*| bits which reflect |x509|. If there was an error
+// in computing this bitmask, the result will include the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x509);
+
+// X509_get_pathlen returns path length constraint from the basic constraints
+// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
+// constraint is not present, or if some extension in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT long X509_get_pathlen(X509 *x509);
+
+// X509v3_KU_* are key usage bits returned from |X509_get_key_usage|.
+#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
+#define X509v3_KU_NON_REPUDIATION 0x0040
+#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
+#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
+#define X509v3_KU_KEY_AGREEMENT 0x0008
+#define X509v3_KU_KEY_CERT_SIGN 0x0004
+#define X509v3_KU_CRL_SIGN 0x0002
+#define X509v3_KU_ENCIPHER_ONLY 0x0001
+#define X509v3_KU_DECIPHER_ONLY 0x8000
+
+// X509_get_key_usage returns a bitmask of key usages (see Section 4.2.1.3 of
+// RFC 5280) which |x509| is valid for. This function only reports the first 16
+// bits, in a little-endian byte order, but big-endian bit order. That is, bits
+// 0 though 7 are reported at 1<<7 through 1<<0, and bits 8 through 15 are
+// reported at 1<<15 through 1<<8.
+//
+// Instead of depending on this bit order, callers should compare against the
+// |X509v3_KU_*| constants.
+//
+// If |x509| has no key usage extension, all key usages are valid and this
+// function returns |UINT32_MAX|. If there was an error processing |x509|'s
+// extensions, or if the first 16 bits in the key usage extension were all zero,
+// this function returns zero.
+OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x509);
+
+// XKU_* are extended key usage bits returned from
+// |X509_get_extended_key_usage|.
+#define XKU_SSL_SERVER 0x1
+#define XKU_SSL_CLIENT 0x2
+#define XKU_SMIME 0x4
+#define XKU_CODE_SIGN 0x8
+#define XKU_SGC 0x10
+#define XKU_OCSP_SIGN 0x20
+#define XKU_TIMESTAMP 0x40
+#define XKU_DVCS 0x80
+#define XKU_ANYEKU 0x100
+
+// X509_get_extended_key_usage returns a bitmask of extended key usages (see
+// Section 4.2.1.12 of RFC 5280) which |x509| is valid for. The result will be
+// a combination of |XKU_*| constants. If checking an extended key usage not
+// defined above, callers should extract the extended key usage extension
+// separately, e.g. via |X509_get_ext_d2i|.
+//
+// If |x509| has no extended key usage extension, all extended key usages are
+// valid and this function returns |UINT32_MAX|. If there was an error
+// processing |x509|'s extensions, or if |x509|'s extended key usage extension
+// contained no recognized usages, this function returns zero.
+OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x509);
+
+// X509_get0_subject_key_id returns |x509|'s subject key identifier, if present.
+// (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not
+// present or if some extension in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509);
+
+// X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key
+// identifier, if the extension and field are present. (See RFC 5280,
+// section 4.2.1.1.) It returns NULL if the extension is not present, if it is
+// present but lacks a keyIdentifier field, or if some extension in |x509| was
+// invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509);
+
+DEFINE_STACK_OF(GENERAL_NAME)
+typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
+
+// X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s
+// authority key identifier, if the extension and field are present. (See
+// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
+// if it is present but lacks a authorityCertIssuer field, or if some extension
+// in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509);
+
+// X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s
+// authority key identifier, if the extension and field are present. (See
+// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
+// if it is present but lacks a authorityCertSerialNumber field, or if some
+// extension in |x509| was invalid.
+//
+// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for
+// invalid extensions. To detect the error case, call
+// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509);
+
 // X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits
 // it.
 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions(
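Review bot: Two of the new comment lines misspell "certificate" as `certifcate` (the `EXFLAG_KUSAGE` and `EXFLAG_XKUSAGE` descriptions), and the `X509_get_key_usage` text has `bits 0 though 7` where `bits 0 through 7` is meant. These are vendored lines, so the corrections belong upstream, but they are worth reporting with the next sync. The hunk ends at the `X509_get0_extensions(` signature, whose parameter list continues outside it.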
@@ -244,6 +395,14 @@ OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit,
 // compatibility, but callers should not mutate the result.
 OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
+// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in
+// |x509|'s extension list.
+//
+// WARNING: This function is difficult to use correctly. See the documentation
+// for |X509V3_get_d2i| for details.
+OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid,
+ int *out_critical, int *out_idx);
+
 // X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s
 // TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|.
 //
@@ -283,6 +442,46 @@ OPENSSL_EXPORT int i2d_X509_tbs(X509 *x509, unsigned char **outp);
 // validation.
 OPENSSL_EXPORT int X509_verify(X509 *x509, EVP_PKEY *pkey);
+// X509_get1_email returns a newly-allocated list of NUL-terminated strings
+// containing all email addresses in |x509|'s subject and all rfc822name names
+// in |x509|'s subject alternative names. Email addresses which contain embedded
+// NUL bytes are skipped.
+//
+// On error, or if there are no such email addresses, it returns NULL. When
+// done, the caller must release the result with |X509_email_free|.
+OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x509);
+
+// X509_get1_ocsp returns a newly-allocated list of NUL-terminated strings
+// containing all OCSP URIs in |x509|. That is, it collects all URI
+// AccessDescriptions with an accessMethod of id-ad-ocsp in |x509|'s authority
+// information access extension. URIs which contain embedded NUL bytes are
+// skipped.
+//
+// On error, or if there are no such URIs, it returns NULL. When done, the
+// caller must release the result with |X509_email_free|.
+OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x509);
+
+// X509_email_free releases memory associated with |sk|, including |sk| itself.
+// Each |OPENSSL_STRING| in |sk| must be a NUL-terminated string allocated with
+// |OPENSSL_malloc|. If |sk| is NULL, no action is taken.
+OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
+
+// X509_cmp compares |a| and |b| and returns zero if they are equal, a negative
+// number if |b| sorts after |a| and a negative number if |a| sorts after |b|.
+// The sort order implemented by this function is arbitrary and does not
+// reflect properties of the certificate such as expiry. Applications should not
+// rely on the order itself.
+//
+// TODO(https://crbug.com/boringssl/355): This function works by comparing a
+// cached hash of the encoded certificate. If |a| or |b| could not be
+// serialized, the current behavior is to compare all unencodable certificates
+// as equal. This function should only be used with |X509| objects that were
+// parsed from bytes and never mutated.
+//
+// TODO(https://crbug.com/boringssl/407): This function is const, but it is not
+// always thread-safe, notably if |a| and |b| were mutated.
+OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b);
+
 // Issuing certificates.
 //
@@ -347,6 +546,15 @@ OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
 // list.
 OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
+// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to
+// |x|'s extension list.
+//
+// WARNING: This function may return zero or -1 on error. The caller must also
+// ensure |value|'s type matches |nid|. See the documentation for
+// |X509V3_add1_i2d| for details.
+OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
+ unsigned long flags);
+
 // X509_sign signs |x509| with |pkey| and replaces the signature algorithm and
 // signature fields. It returns the length of the signature on success and zero
 // on error. This function uses digest algorithm |md|, or |pkey|'s default if
@@ -359,6 +567,9 @@ OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md);
 // zero on error. The signature algorithm and parameters come from |ctx|, which
 // must have been initialized with |EVP_DigestSignInit|. The caller should
 // configure the corresponding |EVP_PKEY_CTX| before calling this function.
+//
+// On success or failure, this function mutates |ctx| and resets it to the empty
+// state. Caller should not rely on its contents after the function returns.
 OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx);
 // i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described
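Review bot: The new `X509_cmp` comment describes both orderings as returning "a negative number", so the positive case is never stated; the intended line is `// number if |b| sorts after |a| and a positive number if |a| sorts after |b|.` The same wording is repeated in the `X509_CRL_match` comment added later in this file, and the two should be corrected together upstream. The surrounding documentation (arbitrary order, cached-hash comparison, unencodable certificates comparing equal) is otherwise clear and worth keeping as is.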
@@ -401,31 +612,38 @@ OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig,
 // Unlike similarly-named functions, this function does not output a single
 // ASN.1 element. Directly embedding the output in a larger ASN.1 structure will
 // not behave correctly.
-OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp);
+//
+// TODO(crbug.com/boringssl/407): |x509| should be const.
+OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, uint8_t **outp);
 // d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509
 // Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific
 // structure with auxiliary properties. It behaves as described in |d2i_SAMPLE|.
 //
-// Some auxiliary properties affect trust decisions, so this function should not
-// be used with untrusted input.
+// WARNING: Passing untrusted input to this function allows an attacker to
+// control auxiliary properties. This can allow unexpected influence over the
+// application if the certificate is used in a context that reads auxiliary
+// properties. This includes PKCS#12 serialization, trusted certificates in
+// |X509_STORE|, and callers of |X509_alias_get0| or |X509_keyid_get0|.
 //
 // Unlike similarly-named functions, this function does not parse a single
 // ASN.1 element. Trying to parse data directly embedded in a larger ASN.1
 // structure will not behave correctly.
-OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const unsigned char **inp,
+OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const uint8_t **inp,
 long length);
 // X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is
 // NULL, the alias is cleared instead. Aliases are not part of the certificate
-// itself and will not be serialized by |i2d_X509|.
-OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const unsigned char *name,
+// itself and will not be serialized by |i2d_X509|. If |x509| is serialized in
+// a PKCS#12 structure, the friendlyName attribute (RFC 2985) will contain this
+// alias.
+OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const uint8_t *name,
 ossl_ssize_t len);
 // X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is
 // NULL, the key ID is cleared instead. Key IDs are not part of the certificate
 // itself and will not be serialized by |i2d_X509|.
-OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id,
+OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const uint8_t *id,
 ossl_ssize_t len);
 // X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the
@@ -440,7 +658,7 @@ OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id,
 // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was
 // missing. Callers that target both OpenSSL and BoringSSL should set the value
 // to zero before calling this function.
-OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len);
+OPENSSL_EXPORT const uint8_t *X509_alias_get0(const X509 *x509, int *out_len);
 // X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the
 // key ID's length and returns a pointer to a buffer containing the contents. If
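Review bot: Worth a call-site sweep for `d2i_X509_AUX` in this package: the strengthened WARNING now names where attacker-controlled auxiliary data takes effect (PKCS#12 serialization, trusted certificates in `X509_STORE`, and readers of `X509_alias_get0`/`X509_keyid_get0`), so any wrapper that parses peer-supplied DER through `d2i_X509_AUX` rather than `d2i_X509` would let the peer set those properties. The `unsigned char` to `uint8_t` changes in the four signatures are source-compatible and need no action. Nothing in this hunk shows such a caller, so this is a check rather than a defect.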
@@ -450,29 +668,54 @@ OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len);
 // WARNING: In OpenSSL, this function did not set |*out_len| when the alias was
 // missing. Callers that target both OpenSSL and BoringSSL should set the value
 // to zero before calling this function.
-OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x509, int *out_len);
+OPENSSL_EXPORT const uint8_t *X509_keyid_get0(const X509 *x509, int *out_len);
+
+// X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|.
+// It returns one on success and zero on error. |obj| should be a certificate
+// usage OID associated with an |X509_TRUST_*| constant.
+//
+// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.
+// Note this only takes effect if |x509| was configured as a trusted certificate
+// via |X509_STORE|.
+OPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj);
+
+// X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns
+// one on success and zero on error. |obj| should be a certificate usage OID
+// associated with an |X509_TRUST_*| constant.
+//
+// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated.
+// Note this only takes effect if |x509| was configured as a trusted certificate
+// via |X509_STORE|.
+OPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj);
+
+// X509_trust_clear clears the list of OIDs for which |x509| is trusted. See
+// also |X509_add1_trust_object|.
+OPENSSL_EXPORT void X509_trust_clear(X509 *x509);
+
+// X509_reject_clear clears the list of OIDs for which |x509| is distrusted. See
+// also |X509_add1_reject_object|.
+OPENSSL_EXPORT void X509_reject_clear(X509 *x509);
 // Certificate revocation lists.
 //
 // An |X509_CRL| object represents an X.509 certificate revocation list (CRL),
-// defined in RFC 5280. A CRL is a signed list of certificates which are no
-// longer considered valid.
+// defined in RFC 5280. A CRL is a signed list of certificates, the
+// revokedCertificates field, which are no longer considered valid. Each entry
+// of this list is represented with an |X509_REVOKED| object, documented in the
+// "CRL entries" section below.
 //
-// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| can give
-// incorrect results. Callers typically obtain |X509_CRL|s by parsing some input
-// with |d2i_X509_CRL|, etc. Such objects carry information such as the
-// serialized TBSCertList and decoded extensions, which will become inconsistent
-// when mutated.
+// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| or its
+// |X509_REVOKED|s can give incorrect results. Callers typically obtain
+// |X509_CRL|s by parsing some input with |d2i_X509_CRL|, etc. Such objects
+// carry information such as the serialized TBSCertList and decoded extensions,
+// which will become inconsistent when mutated.
 //
 // Instead, mutation functions should only be used when issuing new CRLs, as
 // described in a later section.
 DEFINE_STACK_OF(X509_CRL)
-
-// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC
-// 5280) and C type is |X509_CRL*|.
-DECLARE_ASN1_ITEM(X509_CRL)
+DEFINE_STACK_OF(X509_REVOKED)
 // X509_CRL_up_ref adds one to the reference count of |crl| and returns one.
 OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl);
@@ -503,6 +746,18 @@ OPENSSL_EXPORT X509_CRL *d2i_X509_CRL(X509_CRL **out, const uint8_t **inp,
 // mutated.
 OPENSSL_EXPORT int i2d_X509_CRL(X509_CRL *crl, uint8_t **outp);
+// X509_CRL_match compares |a| and |b| and returns zero if they are equal, a
+// negative number if |b| sorts after |a| and a negative number if |a| sorts
+// after |b|. The sort order implemented by this function is arbitrary and does
+// not reflect properties of the CRL such as expiry. Applications should not
+// rely on the order itself.
+//
+// TODO(https://crbug.com/boringssl/355): This function works by comparing a
+// cached hash of the encoded CRL. This cached hash is computed when the CRL is
+// parsed, but not when mutating or issuing CRLs. This function should only be
+// used with |X509_CRL| objects that were parsed from bytes and never mutated.
+OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
+
 #define X509_CRL_VERSION_1 0
 #define X509_CRL_VERSION_2 1
@@ -522,6 +777,24 @@ OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
 // const-correct for legacy reasons.
 OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
 
+// X509_CRL_get0_by_serial finds the entry in |crl| whose serial number is
+// |serial|. If found, it sets |*out| to the entry and returns one. If not
+// found, it returns zero.
+//
+// On success, |*out| continues to be owned by |crl|. It is an error to free or
+// otherwise modify |*out|.
+//
+// TODO(crbug.com/boringssl/600): Ideally |crl| would be const. It is broadly
+// thread-safe, but changes the order of entries in |crl|. It cannot be called
+// concurrently with |i2d_X509_CRL|.
+OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **out,
+                                           const ASN1_INTEGER *serial);
+
+// X509_CRL_get0_by_cert behaves like |X509_CRL_get0_by_serial|, except it looks
+// for the entry that matches |x509|.
+OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **out,
+                                         X509 *x509);
+
 // X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or
 // NULL if |crl| omits it.
 //
@@ -531,7 +804,9 @@ OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
 OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
 
 // X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl|
-// omits it.
+// omits it. A CRL can have extensions on individual entries, which is
+// |X509_REVOKED_get0_extensions|, or on the overall CRL, which is this
+// function.
 OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(
     const X509_CRL *crl);
 
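Review bot: The TODO on X509_CRL_get0_by_serial calls the function "broadly thread-safe" while also saying it changes the order of entries in |crl|; reordering the list is a write, so any concurrent reader of that list — including a caller walking the result of X509_CRL_get_REVOKED from the next hunk — races with it, not only i2d_X509_CRL. Suggest widening the last sentence to `// concurrently with |i2d_X509_CRL|, |X509_CRL_get_REVOKED|, or any other` / `// reader of the entry list.`. The same caveat carries over to X509_CRL_get0_by_cert, which is documented only as "behaves like" the serial lookup; that function also takes a non-const `X509 *x509` although the comment gives no reason for |x509| to be modified, so `const X509 *x509` would document the contract if the implementation only reads the serial.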
@@ -558,6 +833,14 @@ OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit,
 // compatibility, but callers should not mutate the result.
 OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
 
+// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the
+// extension in |crl|'s extension list.
+//
+// WARNING: This function is difficult to use correctly. See the documentation
+// for |X509V3_get_d2i| for details.
+OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid,
+                                          int *out_critical, int *out_idx);
+
 // X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and
 // signature algorithm of |crl|, respectively. Either output pointer may be NULL
 // to ignore the value.
@@ -619,6 +902,15 @@ OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm);
 // on success and zero on error.
 OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm);
 
+// X509_CRL_add0_revoked adds |rev| to |crl|. On success, it takes ownership of
+// |rev| and returns one. On error, it returns zero. If this function fails, the
+// caller retains ownership of |rev| and must release it when done.
+OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
+
+// X509_CRL_sort sorts the entries in |crl| by serial number. It returns one on
+// success and zero on error.
+OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl);
+
 // X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns
 // the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the
 // caller must release the result with |X509_EXTENSION_free|.
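Review bot: X509_CRL_add0_revoked (second hunk) documents ownership of |rev| but not its interaction with the other CRL functions this patch introduces: X509_CRL_match in an earlier hunk compares a hash cached at parse time, and X509_CRL_get0_by_serial in the previous hunk looks entries up by reordering them, so an entry appended here is presumably invisible to the former and, until X509_CRL_sort or that reordering runs, possibly to the latter. One sentence would close the gap: `// Entries added this way are not reflected in |X509_CRL_match|; see the TODO there.`. X509_CRL_sort's comment could likewise say whether sorting is required before X509_CRL_get0_by_serial is reliable, if that is the case.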
@@ -634,6 +926,15 @@ OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
 OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex,
                                     int loc);
 
+// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension
+// to |x|'s extension list.
+//
+// WARNING: This function may return zero or -1 on error. The caller must also
+// ensure |value|'s type matches |nid|. See the documentation for
+// |X509V3_add1_i2d| for details.
+OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value,
+                                         int crit, unsigned long flags);
+
 // X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm
 // and signature fields. It returns the length of the signature on success and
 // zero on error. This function uses digest algorithm |md|, or |pkey|'s default
@@ -647,6 +948,9 @@ OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey,
 // zero on error. The signature algorithm and parameters come from |ctx|, which
 // must have been initialized with |EVP_DigestSignInit|. The caller should
 // configure the corresponding |EVP_PKEY_CTX| before calling this function.
+//
+// On success or failure, this function mutates |ctx| and resets it to the empty
+// state. Caller should not rely on its contents after the function returns.
 OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx);
 
 // i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described
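Review bot: The WARNING on X509_CRL_add1_ext_i2d says the function may return zero or -1 on error, but a caller written in this header's usual `if (!X509_CRL_add1_ext_i2d(...))` style treats -1 as success and proceeds with an extension that was never added; the comment should spell out the required check, e.g. `// Callers must treat any result <= 0 as an error.`. The same sentence belongs on X509_REVOKED_add1_ext_i2d in the next hunk, which carries the identical WARNING. Separately, in the X509_CRL_sign_ctx addition "Caller should not rely" reads better as `// state. Callers should not rely on its contents after the function returns.`, and the same sentence is repeated for X509_REQ_sign_ctx further down.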
@@ -677,6 +981,123 @@ OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl, size_t sig_len); +// CRL entries. +// +// Each entry of a CRL is represented as an |X509_REVOKED| object, which +// describes a revoked certificate by serial number. +// +// When an |X509_REVOKED| is obtained from an |X509_CRL| object, it is an error +// to mutate the object. Doing so may break |X509_CRL|'s and cause the library +// to behave incorrectly. + +// X509_REVOKED_new returns a newly-allocated, empty |X509_REVOKED| object, or +// NULL on allocation error. +OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_new(void); + +// X509_REVOKED_free releases memory associated with |rev|. +OPENSSL_EXPORT void X509_REVOKED_free(X509_REVOKED *rev); + +// d2i_X509_REVOKED parses up to |len| bytes from |*inp| as a DER-encoded X.509 +// CRL entry, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **out, + const uint8_t **inp, long len); + +// i2d_X509_REVOKED marshals |alg| as a DER-encoded X.509 CRL entry, as +// described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *alg, uint8_t **outp); + +// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error. +// This function works by serializing the structure, so if |rev| is incomplete, +// it may fail. +OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev); + +// X509_REVOKED_get0_serialNumber returns the serial number of the certificate +// revoked by |revoked|. +OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber( + const X509_REVOKED *revoked); + +// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It +// returns one on success or zero on error. +OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked, + const ASN1_INTEGER *serial); + +// X509_REVOKED_get0_revocationDate returns the revocation time of the +// certificate revoked by |revoked|. 
+OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate( + const X509_REVOKED *revoked); + +// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It +// returns one on success or zero on error. +OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked, + const ASN1_TIME *tm); + +// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r| +// omits it. A CRL can have extensions on individual entries, which is this +// function, or on the overall CRL, which is |X509_CRL_get0_extensions|. +OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions( + const X509_REVOKED *r); + + // X509_REVOKED_get_ext_count returns the number of extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x); + +// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches +// for extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, + int lastpos); + +// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches +// for extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, + const ASN1_OBJECT *obj, + int lastpos); + +// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| +// but searches for extensions in |x|. +OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, + int crit, int lastpos); + +// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if +// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL +// compatibility, but callers should not mutate the result. +OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, + int loc); + +// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and +// returns the removed extension, or NULL if |loc| was out of bounds. 
If +// non-NULL, the caller must release the result with |X509_EXTENSION_free|. +OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, + int loc); + +// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success +// and zero on failure. The caller retains ownership of |ex| and can release it +// independently of |x|. +// +// The new extension is inserted at index |loc|, shifting extensions to the +// right. If |loc| is -1 or out of bounds, the new extension is appended to the +// list. +OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, + const X509_EXTENSION *ex, int loc); + +// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the +// extension in |revoked|'s extension list. +// +// WARNING: This function is difficult to use correctly. See the documentation +// for |X509V3_get_d2i| for details. +OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, + int nid, int *out_critical, + int *out_idx); + +// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the +// extension to |x|'s extension list. +// +// WARNING: This function may return zero or -1 on error. The caller must also +// ensure |value|'s type matches |nid|. See the documentation for +// |X509V3_add1_i2d| for details. +OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, + void *value, int crit, + unsigned long flags); + + // Certificate requests. // // An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are 
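Review bot: i2d_X509_REVOKED names its parameter `alg` and its comment says "marshals |alg|", which looks copied from an X509_ALGOR declaration; every other function in this "CRL entries" section refers to |rev|, |revoked|, |r| or |x|. Suggest `// i2d_X509_REVOKED marshals |rev| as a DER-encoded X.509 CRL entry, as` / `OPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *rev, uint8_t **outp);`. The getters are also inconsistent with one another about the name of the entry parameter (|revoked|, |r|, |x| for the same role), and "may break |X509_CRL|'s" in the section intro should be "|X509_CRL|s" to match "|X509_REVOKED|s" used earlier in the patch.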
@@ -692,10 +1113,6 @@ OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl,
 // Instead, mutation functions should only be used when issuing new CRLs, as
 // described in a later section.
 
-// X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986)
-// and C type is |X509_REQ*|.
-DECLARE_ASN1_ITEM(X509_REQ)
-
 // X509_REQ_dup returns a newly-allocated copy of |req|, or NULL on error. This
 // function works by serializing the structure, so if |req| is incomplete, it
 // may fail.
@@ -735,11 +1152,21 @@ OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req);
 // not const-correct for legacy reasons.
 OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
 
-// X509_REQ_get_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if
-// the public key was unsupported or could not be decoded. This function returns
-// a reference to the |EVP_PKEY|. The caller must release the result with
-// |EVP_PKEY_free| when done.
-OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
+// X509_REQ_get0_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if
+// the public key was unsupported or could not be decoded. The |EVP_PKEY| is
+// cached in |req|, so callers must not mutate the result.
+OPENSSL_EXPORT EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req);
+
+// X509_REQ_get_pubkey behaves like |X509_REQ_get0_pubkey| but increments the
+// reference count on the |EVP_PKEY|. The caller must release the result with
+// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |req|, so callers must
+// not mutate the result.
+OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req);
+
+// X509_REQ_check_private_key returns one if |req|'s public key matches |pkey|
+// and zero otherwise.
+OPENSSL_EXPORT int X509_REQ_check_private_key(const X509_REQ *req,
+                                              const EVP_PKEY *pkey);
 
 // X509_REQ_get_attr_count returns the number of attributes in |req|.
 OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req);
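Review bot: X509_REQ_check_private_key (second hunk) says it returns one if the request's public key "matches |pkey|" but not what is compared; since |pkey| is a `const EVP_PKEY *` and an EVP_PKEY may hold only a public key, the comment should say whether a public-only |pkey| passes. If, as the name of the certificate-level sibling suggests, this is a comparison of public keys, a successful result is not a proof of possession of the private key — that is what X509_REQ_verify in the next hunk establishes — and the comment should say so, e.g. `// This compares public keys only; use |X509_REQ_verify| to check the request's proof of possession.`. It would also help to state whether a mismatch pushes an error onto the error queue, as the "zero otherwise" wording leaves that open.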
@@ -770,16 +1197,18 @@ OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req,
 // (a Microsoft szOID_CERT_EXTENSIONS variant).
 OPENSSL_EXPORT int X509_REQ_extension_nid(int nid);
 
-// X509_REQ_get_extensions decodes the list of requested extensions in |req| and
-// returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result.
-// It returns NULL on error, or if |req| did not request extensions.
+// X509_REQ_get_extensions decodes the most preferred list of requested
+// extensions in |req| and returns a newly-allocated |STACK_OF(X509_EXTENSION)|
+// containing the result. It returns NULL on error, or if |req| did not request
+// extensions.
 //
 // CSRs do not store extensions directly. Instead there are attribute types
 // which are defined to hold extensions. See |X509_REQ_extension_nid|. This
 // function supports both pkcs-9-at-extensionRequest from RFC 2985 and the
 // Microsoft szOID_CERT_EXTENSIONS variant. If both are present,
 // pkcs-9-at-extensionRequest is preferred.
-OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
+OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(
+    const X509_REQ *req);
 
 // X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and
 // signature algorithm of |req|, respectively. Either output pointer may be NULL
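Review bot: The rewritten X509_REQ_get_extensions comment says only the "most preferred" attribute is decoded and that pkcs-9-at-extensionRequest wins when both are present, but it does not say what becomes of the other attribute's extension list; presumably it is neither decoded nor validated. For a CA consuming requests that is a policy-relevant detail — a request can carry two different extension lists and only one is examined — so suggest adding `// Any other extension attribute in |req| is ignored, not validated. Callers` / `// that wish to reject ambiguous requests can check for both attribute types` / `// with |X509_REQ_get_attr_by_OBJ|.`.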
@@ -797,6 +1226,17 @@ OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req);
 // one if the signature is valid and zero otherwise.
 OPENSSL_EXPORT int X509_REQ_verify(X509_REQ *req, EVP_PKEY *pkey);
 
+// X509_REQ_get1_email returns a newly-allocated list of NUL-terminated strings
+// containing all email addresses in |req|'s subject and all rfc822name names
+// in |req|'s subject alternative names. The subject alternative names extension
+// is extracted from the result of |X509_REQ_get_extensions|. Email addresses
+// which contain embedded NUL bytes are skipped.
+//
+// On error, or if there are no such email addresses, it returns NULL. When
+// done, the caller must release the result with |X509_email_free|.
+OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(
+    const X509_REQ *req);
+
 
 // Issuing certificate requests.
 //
@@ -886,6 +1326,9 @@ OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey,
 // zero on error. The signature algorithm and parameters come from |ctx|, which
 // must have been initialized with |EVP_DigestSignInit|. The caller should
 // configure the corresponding |EVP_PKEY_CTX| before calling this function.
+//
+// On success or failure, this function mutates |ctx| and resets it to the empty
+// state. Caller should not rely on its contents after the function returns.
 OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx);
 
 // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986)
@@ -944,8 +1387,7 @@ DEFINE_STACK_OF(X509_NAME)
 // type is |X509_NAME*|.
 DECLARE_ASN1_ITEM(X509_NAME)
 
-// X509_NAME_new returns a new, empty |X509_NAME_new|, or NULL on
-// error.
+// X509_NAME_new returns a new, empty |X509_NAME|, or NULL on error.
 OPENSSL_EXPORT X509_NAME *X509_NAME_new(void);
 
 // X509_NAME_free releases memory associated with |name|.
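Review bot: X509_REQ_get1_email (first hunk) says the subject alternative names are taken from the result of X509_REQ_get_extensions, which per the previous hunk decodes only the most preferred extension attribute; an rfc822Name present only in the non-preferred attribute is therefore not returned, and a caller using this list for an identity decision should be told that. Suggest appending `// Only the extension attribute selected by |X509_REQ_get_extensions| is` / `// consulted.`. It would also help to state whether duplicates are removed and whether the strings are checked beyond the embedded-NUL skip, since otherwise the reader has to assume they are still untrusted request content — which is the safe assumption either way.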
@@ -971,12 +1413,30 @@ OPENSSL_EXPORT int i2d_X509_NAME(X509_NAME *in, uint8_t **outp);
 // mutated.
 OPENSSL_EXPORT X509_NAME *X509_NAME_dup(X509_NAME *name);
 
-// X509_NAME_get0_der sets |*out_der| and |*out_der_len|
+// X509_NAME_cmp compares |a| and |b|'s canonicalized forms. It returns zero if
+// they are equal, one if |a| sorts after |b|, -1 if |b| sorts after |a|, and -2
+// on error.
+//
+// TODO(https://crbug.com/boringssl/407): This function is const, but it is not
+// always thread-safe, notably if |name| was mutated.
+//
+// TODO(https://crbug.com/boringssl/355): The -2 return is very inconvenient to
+// pass to a sorting function. Can we make this infallible? In the meantime,
+// prefer to use this function only for equality checks rather than comparisons.
+// Although even the library itself passes this to a sorting function.
+OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
+
+// X509_NAME_get0_der marshals |name| as a DER-encoded X.509 Name (RFC 5280). On
+// success, it returns one and sets |*out_der| and |*out_der_len| to a buffer
+// containing the result. Otherwise, it returns zero. |*out_der| is owned by
+// |name| and must not be freed by the caller. It is invalidated after |name| is
+// mutated or freed.
 //
 // Avoid this function and prefer |i2d_X509_NAME|. It is one of the reasons
-// these functions are not consistently thread-safe or const-correct. Depending
-// on the resolution of https://crbug.com/boringssl/407, this function may be
-// removed or cause poor performance.
+// |X509_NAME| functions, including this one, are not consistently thread-safe
+// or const-correct. Depending on the resolution of
+// https://crbug.com/boringssl/407, this function may be removed or cause poor
+// performance.
 OPENSSL_EXPORT int X509_NAME_get0_der(X509_NAME *name, const uint8_t **out_der,
                                       size_t *out_der_len);
 
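Review bot: The first TODO on X509_NAME_cmp refers to |name|, but the function's parameters are |a| and |b|; suggest `// always thread-safe, notably if |a| or |b| was mutated.`. The -2 error return also deserves a sharper warning than "prefer equality checks": a sorting function, or any `ret < 0` test, reads -2 as "|a| sorts before |b|", so a canonicalization failure silently becomes an ordering, and a caller testing inequality with `ret != 0` cannot tell "different" from "could not compare". A sentence such as `// Callers must check for -2 explicitly before interpreting the sign.` would make the hazard visible at the call site.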
@@ -1063,28 +1523,12 @@ OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name, ossl_ssize_t len, int loc, int set); -// X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue -// (RFC 5280) and C type is |X509_NAME_ENTRY*|. -DECLARE_ASN1_ITEM(X509_NAME_ENTRY) - -// X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY_new|, or NULL on -// error. +// X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY|, or NULL on error. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_new(void); // X509_NAME_ENTRY_free releases memory associated with |entry|. OPENSSL_EXPORT void X509_NAME_ENTRY_free(X509_NAME_ENTRY *entry); -// d2i_X509_NAME_ENTRY parses up to |len| bytes from |*inp| as a DER-encoded -// AttributeTypeAndValue (RFC 5280), as described in |d2i_SAMPLE|. -OPENSSL_EXPORT X509_NAME_ENTRY *d2i_X509_NAME_ENTRY(X509_NAME_ENTRY **out, - const uint8_t **inp, - long len); - -// i2d_X509_NAME_ENTRY marshals |in| as a DER-encoded AttributeTypeAndValue (RFC -// 5280), as described in |i2d_SAMPLE|. -OPENSSL_EXPORT int i2d_X509_NAME_ENTRY(const X509_NAME_ENTRY *in, - uint8_t **outp); - // X509_NAME_ENTRY_dup returns a newly-allocated copy of |entry|, or NULL on // error. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup( 
@@ -1160,47 +1604,122 @@ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt( ossl_ssize_t len); -// Extensions. +// Public keys. // -// X.509 certificates and CRLs may contain a list of extensions (RFC 5280). -// Extensions have a type, specified by an object identifier (|ASN1_OBJECT|) and -// a byte string value, which should a DER-encoded structure whose type is -// determined by the extension type. This library represents extensions with the -// |X509_EXTENSION| type. +// X.509 encodes public keys as SubjectPublicKeyInfo (RFC 5280), sometimes +// referred to as SPKI. These are represented in this library by |X509_PUBKEY|. -// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC -// 5280) and C type is |X509_EXTENSION*|. -DECLARE_ASN1_ITEM(X509_EXTENSION) +// X509_PUBKEY_new returns a newly-allocated, empty |X509_PUBKEY| object, or +// NULL on error. +OPENSSL_EXPORT X509_PUBKEY *X509_PUBKEY_new(void); -// X509_EXTENSION_new returns a newly-allocated, empty |X509_EXTENSION| object -// or NULL on error. -OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_new(void); +// X509_PUBKEY_free releases memory associated with |key|. +OPENSSL_EXPORT void X509_PUBKEY_free(X509_PUBKEY *key); -// X509_EXTENSION_free releases memory associated with |ex|. -OPENSSL_EXPORT void X509_EXTENSION_free(X509_EXTENSION *ex); +// d2i_X509_PUBKEY parses up to |len| bytes from |*inp| as a DER-encoded +// SubjectPublicKeyInfo, as described in |d2i_SAMPLE|. +OPENSSL_EXPORT X509_PUBKEY *d2i_X509_PUBKEY(X509_PUBKEY **out, + const uint8_t **inp, long len); -// d2i_X509_EXTENSION parses up to |len| bytes from |*inp| as a DER-encoded -// X.509 Extension (RFC 5280), as described in |d2i_SAMPLE|. -OPENSSL_EXPORT X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **out, - const uint8_t **inp, - long len); +// i2d_X509_PUBKEY marshals |key| as a DER-encoded SubjectPublicKeyInfo, as +// described in |i2d_SAMPLE|. 
+OPENSSL_EXPORT int i2d_X509_PUBKEY(const X509_PUBKEY *key, uint8_t **outp); -// i2d_X509_EXTENSION marshals |ex| as a DER-encoded X.509 Extension (RFC -// 5280), as described in |i2d_SAMPLE|. -OPENSSL_EXPORT int i2d_X509_EXTENSION(const X509_EXTENSION *ex, uint8_t **outp); +// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| +// structure. On success, it frees |*x| if non-NULL, then sets |*x| to the new +// object, and returns one. Otherwise, it returns zero. +OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); -// X509_EXTENSION_dup returns a newly-allocated copy of |ex|, or NULL on error. -// This function works by serializing the structure, so if |ex| is incomplete, -// it may fail. -OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(const X509_EXTENSION *ex); +// X509_PUBKEY_get0 returns |key| as an |EVP_PKEY|, or NULL if |key| either +// could not be parsed or is an unrecognized algorithm. The |EVP_PKEY| is cached +// in |key|, so callers must not mutate the result. +OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key); -// X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|, -// value |data|, and critical bit |crit|. It returns an |X509_EXTENSION| on -// success, and NULL on error. |nid| should be a |NID_*| constant. +// X509_PUBKEY_get behaves like |X509_PUBKEY_get0| but increments the reference +// count on the |EVP_PKEY|. The caller must release the result with +// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must +// not mutate the result. +OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key); + +// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier +// determined by |obj|, |param_type|, and |param_value|, and an encoded +// public key of |key|. On success, it gives |pub| ownership of all the other +// parameters and returns one. Otherwise, it returns zero. |key| must have been +// allocated by |OPENSSL_malloc|. 
|obj| and, if applicable, |param_value| must +// not be freed after a successful call, and must have been allocated in a +// manner compatible with |ASN1_OBJECT_free| or |ASN1_STRING_free|. // -// If |ex| and |*ex| are both non-NULL, |*ex| is used to hold the result, -// otherwise a new object is allocated. If |ex| is non-NULL and |*ex| is NULL, -// the function sets |*ex| to point to the newly allocated result, in addition +// |obj|, |param_type|, and |param_value| are interpreted as in +// |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details. +OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, + int param_type, void *param_value, + uint8_t *key, int key_len); + +// X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj| +// is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key| +// is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key. +// If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier. +// +// All pointers outputted by this function are internal to |pub| and must not be +// freed by the caller. Additionally, although some outputs are non-const, +// callers must not mutate the resulting objects. +// +// Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a +// BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero +// bits if |pub| did not contain a whole number of bytes. Use +// |X509_PUBKEY_get0_public_key| to preserve this information. +OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj, + const uint8_t **out_key, + int *out_key_len, + X509_ALGOR **out_alg, + X509_PUBKEY *pub); + +// X509_PUBKEY_get0_public_key returns |pub|'s encoded public key. +OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key( + const X509_PUBKEY *pub); + + +// Extensions. +// +// X.509 certificates and CRLs may contain a list of extensions (RFC 5280). 
+// Extensions have a type, specified by an object identifier (|ASN1_OBJECT|) and +// a byte string value, which should a DER-encoded structure whose type is +// determined by the extension type. This library represents extensions with the +// |X509_EXTENSION| type. + +// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC +// 5280) and C type is |X509_EXTENSION*|. +DECLARE_ASN1_ITEM(X509_EXTENSION) + +// X509_EXTENSION_new returns a newly-allocated, empty |X509_EXTENSION| object +// or NULL on error. +OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_new(void); + +// X509_EXTENSION_free releases memory associated with |ex|. +OPENSSL_EXPORT void X509_EXTENSION_free(X509_EXTENSION *ex); + +// d2i_X509_EXTENSION parses up to |len| bytes from |*inp| as a DER-encoded +// X.509 Extension (RFC 5280), as described in |d2i_SAMPLE|. +OPENSSL_EXPORT X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **out, + const uint8_t **inp, + long len); + +// i2d_X509_EXTENSION marshals |ex| as a DER-encoded X.509 Extension (RFC +// 5280), as described in |i2d_SAMPLE|. +OPENSSL_EXPORT int i2d_X509_EXTENSION(const X509_EXTENSION *ex, uint8_t **outp); + +// X509_EXTENSION_dup returns a newly-allocated copy of |ex|, or NULL on error. +// This function works by serializing the structure, so if |ex| is incomplete, +// it may fail. +OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(const X509_EXTENSION *ex); + +// X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|, +// value |data|, and critical bit |crit|. It returns an |X509_EXTENSION| on +// success, and NULL on error. |nid| should be a |NID_*| constant. +// +// If |ex| and |*ex| are both non-NULL, |*ex| is used to hold the result, +// otherwise a new object is allocated. If |ex| is non-NULL and |*ex| is NULL, +// the function sets |*ex| to point to the newly allocated result, in addition // to returning the result. 
 OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID(
     X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data);
@@ -1250,10 +1769,6 @@ OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex,
 DEFINE_STACK_OF(X509_EXTENSION)
 typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
 
-// X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension
-// (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|.
-DECLARE_ASN1_ITEM(X509_EXTENSIONS)
-
 // d2i_X509_EXTENSIONS parses up to |len| bytes from |*inp| as a DER-encoded
 // SEQUENCE OF Extension (RFC 5280), as described in |d2i_SAMPLE|.
 OPENSSL_EXPORT X509_EXTENSIONS *d2i_X509_EXTENSIONS(X509_EXTENSIONS **out,
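Review bot: X509_PUBKEY_set0_param (in the "Public keys" hunk that ends here) documents that |pub| takes ownership of |obj|, |param_value| and |key| on success but says nothing about failure, whereas X509_CRL_add0_revoked earlier in this patch spells out that the caller keeps ownership when the call fails; the zero-return path is exactly where a caller will either leak or double-free, so one sentence is needed either way, e.g. `// On failure, the caller retains ownership of |obj|, |param_value|, and |key|.` — assuming that is what the implementation does. |key_len| is an `int` while the other length outputs in this section are also `int`, so the comment should state that negative lengths are rejected, or are an error, if they are. X509_PUBKEY_get0_param's |pub| is non-const although the comment describes only reads; if the non-const |out_alg| output is what forces that, a short note would save the next reader from re-deriving it.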
@@ -1317,6 +1832,797 @@ OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext(
 STACK_OF(X509_EXTENSION) **x, const X509_EXTENSION *ex, int loc);
+// Built-in extensions.
+//
+// Several functions in the library encode and decode extension values into a
+// C structure to that extension. The following extensions are supported:
+//
+// - |NID_authority_key_identifier| with type |AUTHORITY_KEYID|
+// - |NID_basic_constraints| with type |BASIC_CONSTRAINTS|
+// - |NID_certificate_issuer| with type |GENERAL_NAMES|
+// - |NID_certificate_policies| with type |CERTIFICATEPOLICIES|
+// - |NID_crl_distribution_points| with type |CRL_DIST_POINTS|
+// - |NID_crl_number| with type |ASN1_INTEGER|
+// - |NID_crl_reason| with type |ASN1_ENUMERATED|
+// - |NID_delta_crl| with type |ASN1_INTEGER|
+// - |NID_ext_key_usage| with type |EXTENDED_KEY_USAGE|
+// - |NID_freshest_crl| with type |ISSUING_DIST_POINT|
+// - |NID_id_pkix_OCSP_noCheck| with type |ASN1_NULL|
+// - |NID_info_access| with type |AUTHORITY_INFO_ACCESS|
+// - |NID_inhibit_any_policy| with type |ASN1_INTEGER|
+// - |NID_invalidity_date| with type |ASN1_GENERALIZEDTIME|
+// - |NID_issuer_alt_name| with type |GENERAL_NAMES|
+// - |NID_issuing_distribution_point| with type |ISSUING_DIST_POINT|
+// - |NID_key_usage| with type |ASN1_BIT_STRING|
+// - |NID_name_constraints| with type |NAME_CONSTRAINTS|
+// - |NID_netscape_base_url| with type |ASN1_IA5STRING|
+// - |NID_netscape_ca_policy_url| with type |ASN1_IA5STRING|
+// - |NID_netscape_ca_revocation_url| with type |ASN1_IA5STRING|
+// - |NID_netscape_cert_type| with type |ASN1_BIT_STRING|
+// - |NID_netscape_comment| with type |ASN1_IA5STRING|
+// - |NID_netscape_renewal_url| with type |ASN1_IA5STRING|
+// - |NID_netscape_revocation_url| with type |ASN1_IA5STRING|
+// - |NID_netscape_ssl_server_name| with type |ASN1_IA5STRING|
+// - |NID_policy_constraints| with type |POLICY_CONSTRAINTS|
+// - |NID_policy_mappings| with type |POLICY_MAPPINGS|
+// - |NID_sinfo_access| 
with type |AUTHORITY_INFO_ACCESS|
+// - |NID_subject_alt_name| with type |GENERAL_NAMES|
+// - |NID_subject_key_identifier| with type |ASN1_OCTET_STRING|
+//
+// If an extension does not appear in this list, e.g. for a custom extension,
+// callers can instead use functions such as |X509_get_ext_by_OBJ|,
+// |X509_EXTENSION_get_data|, and |X509_EXTENSION_create_by_OBJ| to inspect or
+// create extensions directly. Although the |X509V3_EXT_METHOD| mechanism allows
+// registering custom extensions, doing so is deprecated and may result in
+// threading or memory errors.
+
+// X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated
+// structure, with type dependent on the type of the extension. It returns NULL
+// if |ext| is an unsupported extension or if there was a syntax error in the
+// extension. The caller should cast the return value to the expected type and
+// free the structure when done.
+//
+// WARNING: Casting the return value to the wrong type is a potentially
+// exploitable memory error, so callers must not use this function before
+// checking |ext| is of a known type. See the list at the top of this section
+// for the correct types.
+OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext);
+
+// X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|.
+// If found, it decodes it and returns a newly-allocated structure, with type
+// dependent on |nid|. If the extension is not found or on error, it returns
+// NULL. The caller may distinguish these cases using the |out_critical| value.
+//
+// If |out_critical| is not NULL, this function sets |*out_critical| to one if
+// the extension is found and critical, zero if it is found and not critical, -1
+// if it is not found, and -2 if there is an invalid duplicate extension. Note
+// this function may set |*out_critical| to one or zero and still return NULL if
+// the extension is found but has a syntax error.
+//
+// If |out_idx| is not NULL, this function looks for the first occurrence of the
+// extension after |*out_idx|. It then sets |*out_idx| to the index of the
+// extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions
+// are not treated as an error. Callers, however, should not rely on this
+// behavior as it may be removed in the future. Duplicate extensions are
+// forbidden in RFC 5280.
+//
+// WARNING: This function is difficult to use correctly. Callers should pass a
+// non-NULL |out_critical| and check both the return value and |*out_critical|
+// to handle errors. If the return value is NULL and |*out_critical| is not -1,
+// there was an error. Otherwise, the function succeeded and but may return NULL
+// for a missing extension. Callers should pass NULL to |out_idx| so that
+// duplicate extensions are handled correctly.
+//
+// Additionally, casting the return value to the wrong type is a potentially
+// exploitable memory error, so callers must ensure the cast and |nid| match.
+// See the list at the top of this section for the correct types.
+OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions,
+ int nid, int *out_critical, int *out_idx);
+
+// X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and
+// releases memory associated with it. It returns one on success and zero if
+// |nid| is not a known extension.
+//
+// WARNING: Casting |ext_data| to the wrong type is a potentially exploitable
+// memory error, so callers must ensure |ext_data|'s type matches |nid|. See the
+// list at the top of this section for the correct types.
+//
+// TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it?
+OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data);
+
+// X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to
+// |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION|
+// object containing the serialization, or NULL on error. The |X509_EXTENSION|
+// has OID |ext_nid| and is critical if |crit| is one.
+//
+// WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable
+// memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|.
+// See the list at the top of this section for the correct types.
+OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit,
+ void *ext_struc);
+
+// The following constants control the behavior of |X509V3_add1_i2d| and related
+// functions.
+
+// X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate
+// extensions are processed.
+#define X509V3_ADD_OP_MASK 0xfL
+
+// X509V3_ADD_DEFAULT causes the function to fail if the extension was already
+// present.
+#define X509V3_ADD_DEFAULT 0L
+
+// X509V3_ADD_APPEND causes the function to unconditionally appended the new
+// extension to to the extensions list, even if there is a duplicate.
+#define X509V3_ADD_APPEND 1L
+
+// X509V3_ADD_REPLACE causes the function to replace the existing extension, or
+// append if it is not present.
+#define X509V3_ADD_REPLACE 2L
+
+// X509V3_ADD_REPLACE_EXISTING causes the function to replace the existing
+// extension and fail if it is not present.
+#define X509V3_ADD_REPLACE_EXISTING 3L
+
+// X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the
+// extension if already present.
+#define X509V3_ADD_KEEP_EXISTING 4L
+
+// X509V3_ADD_DELETE causes the function to remove the matching extension. No
+// new extension is added. If there is no matching extension, the function
+// fails. The |value| parameter is ignored in this mode.
+#define X509V3_ADD_DELETE 5L
+
+// X509V3_ADD_SILENT may be ORed into one of the values above to indicate the
+// function should not add to the error queue on duplicate or missing extension.
+// The function will continue to return zero in those cases, and it will
+// continue to return -1 and add to the error queue on other errors.
+#define X509V3_ADD_SILENT 0x10
+
+// X509V3_add1_i2d casts |value| to the type that corresponds to |nid|,
+// serializes it, and appends it to the extension list in |*x|. If |*x| is NULL,
+// it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed.
+// The |crit| parameter determines whether the new extension is critical.
+// |flags| may be some combination of the |X509V3_ADD_*| constants to control
+// the function's behavior on duplicate extension.
+//
+// This function returns one on success, zero if the operation failed due to a
+// missing or duplicate extension, and -1 on other errors.
+//
+// WARNING: Casting |value| to the wrong type is a potentially exploitable
+// memory error, so callers must ensure |value|'s type matches |nid|. See the
+// list at the top of this section for the correct types.
+OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid,
+ void *value, int crit, unsigned long flags);
+
+
+// Basic constraints.
+//
+// The basic constraints extension (RFC 5280, section 4.2.1.9) determines
+// whether a certificate is a CA certificate and, if so, optionally constrains
+// the maximum depth of the certificate chain.
+
+// A BASIC_CONSTRAINTS_st, aka |BASIC_CONSTRAINTS| represents an
+// BasicConstraints structure (RFC 5280).
+struct BASIC_CONSTRAINTS_st {
+ ASN1_BOOLEAN ca;
+ ASN1_INTEGER *pathlen;
+} /* BASIC_CONSTRAINTS */;
+
+// BASIC_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is BasicConstraints (RFC
+// 5280) and C type is |BASIC_CONSTRAINTS*|.
+DECLARE_ASN1_ITEM(BASIC_CONSTRAINTS)
+
+// BASIC_CONSTRAINTS_new returns a newly-allocated, empty |BASIC_CONSTRAINTS|
+// object, or NULL on error.
+OPENSSL_EXPORT BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
+
+// BASIC_CONSTRAINTS_free releases memory associated with |bcons|.
+OPENSSL_EXPORT void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *bcons);
+
+// d2i_BASIC_CONSTRAINTS parses up to |len| bytes from |*inp| as a DER-encoded
+// BasicConstraints (RFC 5280), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **out,
+ const uint8_t **inp,
+ long len);
+
+// i2d_BASIC_CONSTRAINTS marshals |bcons| as a DER-encoded BasicConstraints (RFC
+// 5280), as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_BASIC_CONSTRAINTS(const BASIC_CONSTRAINTS *bcons,
+ uint8_t **outp);
+
+
+// Extended key usage.
+//
+// The extended key usage extension (RFC 5280, section 4.2.1.12) indicates the
+// purposes of the certificate's public key. Such constraints are important to
+// avoid cross-protocol attacks.
+
+typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
+
+// EXTENDED_KEY_USAGE is an |ASN1_ITEM| whose ASN.1 type is ExtKeyUsageSyntax
+// (RFC 5280) and C type is |STACK_OF(ASN1_OBJECT)*|, or |EXTENDED_KEY_USAGE*|.
+DECLARE_ASN1_ITEM(EXTENDED_KEY_USAGE)
+
+// EXTENDED_KEY_USAGE_new returns a newly-allocated, empty |EXTENDED_KEY_USAGE|
+// object, or NULL on error.
+OPENSSL_EXPORT EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void);
+
+// EXTENDED_KEY_USAGE_free releases memory associated with |eku|.
+OPENSSL_EXPORT void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *eku);
+
+// d2i_EXTENDED_KEY_USAGE parses up to |len| bytes from |*inp| as a DER-encoded
+// ExtKeyUsageSyntax (RFC 5280), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE(
+ EXTENDED_KEY_USAGE **out, const uint8_t **inp, long len);
+
+// i2d_EXTENDED_KEY_USAGE marshals |eku| as a DER-encoded ExtKeyUsageSyntax (RFC
+// 5280), as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_EXTENDED_KEY_USAGE(const EXTENDED_KEY_USAGE *eku,
+ uint8_t **outp);
+
+
+// General names.
+//
+// A |GENERAL_NAME| represents an X.509 GeneralName structure, defined in RFC
+// 5280, Section 4.2.1.6. General names are distinct from names (|X509_NAME|). A
+// general name is a CHOICE type which may contain one of several name types,
+// most commonly a DNS name or an IP address. General names most commonly appear
+// in the subject alternative name (SAN) extension, though they are also used in
+// other extensions.
+//
+// Many extensions contain a SEQUENCE OF GeneralName, or GeneralNames, so
+// |STACK_OF(GENERAL_NAME)| is defined and aliased to |GENERAL_NAMES|.
+
+typedef struct otherName_st {
+ ASN1_OBJECT *type_id;
+ ASN1_TYPE *value;
+} OTHERNAME;
+
+typedef struct EDIPartyName_st {
+ ASN1_STRING *nameAssigner;
+ ASN1_STRING *partyName;
+} EDIPARTYNAME;
+
+// GEN_* are constants for the |type| field of |GENERAL_NAME|, defined below.
+#define GEN_OTHERNAME 0
+#define GEN_EMAIL 1
+#define GEN_DNS 2
+#define GEN_X400 3
+#define GEN_DIRNAME 4
+#define GEN_EDIPARTY 5
+#define GEN_URI 6
+#define GEN_IPADD 7
+#define GEN_RID 8
+
+// A GENERAL_NAME_st, aka |GENERAL_NAME|, represents an X.509 GeneralName. The
+// |type| field determines which member of |d| is active. A |GENERAL_NAME| may
+// also be empty, in which case |type| is -1 and |d| is NULL. Empty
+// |GENERAL_NAME|s are invalid and will never be returned from the parser, but
+// may be created temporarily, e.g. by |GENERAL_NAME_new|.
+//
+// WARNING: |type| and |d| must be kept consistent. An inconsistency will result
+// in a potentially exploitable memory error.
+struct GENERAL_NAME_st {
+ int type;
+ union {
+ char *ptr;
+ OTHERNAME *otherName;
+ ASN1_IA5STRING *rfc822Name;
+ ASN1_IA5STRING *dNSName;
+ ASN1_STRING *x400Address;
+ X509_NAME *directoryName;
+ EDIPARTYNAME *ediPartyName;
+ ASN1_IA5STRING *uniformResourceIdentifier;
+ ASN1_OCTET_STRING *iPAddress;
+ ASN1_OBJECT *registeredID;
+
+ // Old names
+ ASN1_OCTET_STRING *ip; // iPAddress
+ X509_NAME *dirn; // dirn
+ ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier
+ ASN1_OBJECT *rid; // registeredID
+ } d;
+} /* GENERAL_NAME */;
+
+// GENERAL_NAME_new returns a new, empty |GENERAL_NAME|, or NULL on error.
+OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_new(void);
+
+// GENERAL_NAME_free releases memory associated with |gen|.
+OPENSSL_EXPORT void GENERAL_NAME_free(GENERAL_NAME *gen);
+
+// d2i_GENERAL_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509
+// GeneralName (RFC 5280), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **out,
+ const uint8_t **inp, long len);
+
+// i2d_GENERAL_NAME marshals |in| as a DER-encoded X.509 GeneralName (RFC 5280),
+// as described in |i2d_SAMPLE|.
+//
+// TODO(https://crbug.com/boringssl/407): This function should be const and
+// thread-safe but is currently neither in some cases, notably if |in| is an
+// directoryName and the |X509_NAME| has been modified.
+OPENSSL_EXPORT int i2d_GENERAL_NAME(GENERAL_NAME *in, uint8_t **outp);
+
+// GENERAL_NAME_dup returns a newly-allocated copy of |gen|, or NULL on error.
+// This function works by serializing the structure, so it will fail if |gen| is
+// empty.
+//
+// TODO(https://crbug.com/boringssl/407): This function should be const and
+// thread-safe but is currently neither in some cases, notably if |gen| is an
+// directoryName and the |X509_NAME| has been modified.
+OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *gen);
+
+// GENERAL_NAMES_new returns a new, empty |GENERAL_NAMES|, or NULL on error.
+OPENSSL_EXPORT GENERAL_NAMES *GENERAL_NAMES_new(void);
+
+// GENERAL_NAMES_free releases memory associated with |gens|.
+OPENSSL_EXPORT void GENERAL_NAMES_free(GENERAL_NAMES *gens);
+
+// d2i_GENERAL_NAMES parses up to |len| bytes from |*inp| as a DER-encoded
+// SEQUENCE OF GeneralName, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **out,
+ const uint8_t **inp, long len);
+
+// i2d_GENERAL_NAMES marshals |in| as a DER-encoded SEQUENCE OF GeneralName, as
+// described in |i2d_SAMPLE|.
+//
+// TODO(https://crbug.com/boringssl/407): This function should be const and
+// thread-safe but is currently neither in some cases, notably if some element
+// of |in| is an directoryName and the |X509_NAME| has been modified.
+OPENSSL_EXPORT int i2d_GENERAL_NAMES(GENERAL_NAMES *in, uint8_t **outp);
+
+// OTHERNAME_new returns a new, empty |OTHERNAME|, or NULL on error.
+OPENSSL_EXPORT OTHERNAME *OTHERNAME_new(void);
+
+// OTHERNAME_free releases memory associated with |name|.
+OPENSSL_EXPORT void OTHERNAME_free(OTHERNAME *name);
+
+// EDIPARTYNAME_new returns a new, empty |EDIPARTYNAME|, or NULL on error.
+// EDIPartyName is rarely used in practice, so callers are unlikely to need this
+// function.
+OPENSSL_EXPORT EDIPARTYNAME *EDIPARTYNAME_new(void);
+
+// EDIPARTYNAME_free releases memory associated with |name|. EDIPartyName is
+// rarely used in practice, so callers are unlikely to need this function.
+OPENSSL_EXPORT void EDIPARTYNAME_free(EDIPARTYNAME *name);
+
+// GENERAL_NAME_set0_value set |gen|'s type and value to |type| and |value|.
+// |type| must be a |GEN_*| constant and |value| must be an object of the
+// corresponding type. |gen| takes ownership of |value|, so |value| must have
+// been an allocated object.
+//
+// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|)
+// before calling this function. If |gen| already contained a value, the
+// previous contents will be leaked.
+OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *gen, int type,
+ void *value);
+
+// GENERAL_NAME_get0_value returns the in-memory representation of |gen|'s
+// contents and, |out_type| is not NULL, sets |*out_type| to the type of |gen|,
+// which will be a |GEN_*| constant. If |gen| is incomplete, the return value
+// will be NULL and the type will be -1.
+//
+// WARNING: Casting the result of this function to the wrong type is a
+// potentially exploitable memory error. Callers must check |gen|'s type, either
+// via |*out_type| or checking |gen->type| directly, before inspecting the
+// result.
+//
+// WARNING: This function is not const-correct. The return value should be
+// const. Callers shoudl not mutate the returned object.
+OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *gen,
+ int *out_type);
+
+// GENERAL_NAME_set0_othername sets |gen| to be an OtherName with type |oid| and
+// value |value|. On success, it returns one and takes ownership of |oid| and
+// |value|, which must be created in a way compatible with |ASN1_OBJECT_free|
+// and |ASN1_TYPE_free|, respectively. On allocation failure, it returns zero.
+// In the failure case, the caller retains ownership of |oid| and |value| and
+// must release them when done.
+//
+// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|)
+// before calling this function. If |gen| already contained a value, the
+// previously contents will be leaked.
+OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
+ ASN1_OBJECT *oid,
+ ASN1_TYPE *value);
+
+// GENERAL_NAME_get0_otherName, if |gen| is an OtherName, sets |*out_oid| and
+// |*out_value| to the OtherName's type-id and value, respectively, and returns
+// one. If |gen| is not an OtherName, it returns zero and leaves |*out_oid| and
+// |*out_value| unmodified. Either of |out_oid| or |out_value| may be NULL to
+// ignore the value.
+//
+// WARNING: This function is not const-correct.
|out_oid| and |out_value| are
+// not const, but callers should not mutate the resulting objects.
+OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
+ ASN1_OBJECT **out_oid,
+ ASN1_TYPE **out_value);
+
+
+// Authority key identifier.
+//
+// The authority key identifier extension (RFC 5280, section 4.2.1.1) allows a
+// certificate to more precisely identify its issuer. This is helpful when
+// multiple certificates share a name. Only the keyIdentifier (|keyid| in
+// |AUTHORITY_KEYID|) field is used in practice.
+
+// A AUTHORITY_KEYID_st, aka |AUTHORITY_KEYID|, represents an
+// AuthorityKeyIdentifier structure (RFC 5280).
+struct AUTHORITY_KEYID_st {
+ ASN1_OCTET_STRING *keyid;
+ GENERAL_NAMES *issuer;
+ ASN1_INTEGER *serial;
+} /* AUTHORITY_KEYID */;
+
+// AUTHORITY_KEYID is an |ASN1_ITEM| whose ASN.1 type is AuthorityKeyIdentifier
+// (RFC 5280) and C type is |AUTHORITY_KEYID*|.
+DECLARE_ASN1_ITEM(AUTHORITY_KEYID)
+
+// AUTHORITY_KEYID_new returns a newly-allocated, empty |AUTHORITY_KEYID|
+// object, or NULL on error.
+OPENSSL_EXPORT AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
+
+// AUTHORITY_KEYID_free releases memory associated with |akid|.
+OPENSSL_EXPORT void AUTHORITY_KEYID_free(AUTHORITY_KEYID *akid);
+
+// d2i_AUTHORITY_KEYID parses up to |len| bytes from |*inp| as a DER-encoded
+// AuthorityKeyIdentifier (RFC 5280), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **out,
+ const uint8_t **inp,
+ long len);
+
+// i2d_AUTHORITY_KEYID marshals |akid| as a DER-encoded AuthorityKeyIdentifier
+// (RFC 5280), as described in |i2d_SAMPLE|.
+//
+// TODO(https://crbug.com/boringssl/407): |akid| is not const because it
+// contains an |X509_NAME|.
+OPENSSL_EXPORT int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *akid, uint8_t **outp);
+
+
+// Name constraints.
+//
+// The name constraints extension (RFC 5280, section 4.2.1.10) constrains which
+// names may be asserted by certificates issued by some CA. For example, a
+// general CA may issue an intermediate certificate to the owner of example.com,
+// but constrained to ".example.com".
+
+// A GENERAL_SUBTREE represents a GeneralSubtree structure (RFC 5280).
+typedef struct GENERAL_SUBTREE_st {
+ GENERAL_NAME *base;
+ ASN1_INTEGER *minimum;
+ ASN1_INTEGER *maximum;
+} GENERAL_SUBTREE;
+
+DEFINE_STACK_OF(GENERAL_SUBTREE)
+
+// GENERAL_SUBTREE_new returns a newly-allocated, empty |GENERAL_SUBTREE|
+// object, or NULL on error.
+OPENSSL_EXPORT GENERAL_SUBTREE *GENERAL_SUBTREE_new(void);
+
+// GENERAL_SUBTREE_free releases memory associated with |subtree|.
+OPENSSL_EXPORT void GENERAL_SUBTREE_free(GENERAL_SUBTREE *subtree);
+
+// A NAME_CONSTRAINTS_st, aka |NAME_CONSTRAINTS|, represents a NameConstraints
+// structure (RFC 5280).
+struct NAME_CONSTRAINTS_st {
+ STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
+ STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
+} /* NAME_CONSTRAINTS */;
+
+// NAME_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is NameConstraints (RFC
+// 5280) and C type is |NAME_CONSTRAINTS*|.
+DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
+
+// NAME_CONSTRAINTS_new returns a newly-allocated, empty |NAME_CONSTRAINTS|
+// object, or NULL on error.
+OPENSSL_EXPORT NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void);
+
+// NAME_CONSTRAINTS_free releases memory associated with |ncons|.
+OPENSSL_EXPORT void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *ncons);
+
+
+// Authority information access.
+//
+// The authority information access extension (RFC 5280, 4.2.2.1) describes
+// where to obtain information about the issuer of a certificate. It is most
+// commonly used with accessMethod values of id-ad-caIssuers and id-ad-ocsp, to
+// indicate where to fetch the issuer certificate (if not provided in-band) and
+// the issuer's OCSP responder, respectively.
+
+// An ACCESS_DESCRIPTION represents an AccessDescription structure (RFC 5280).
+typedef struct ACCESS_DESCRIPTION_st {
+ ASN1_OBJECT *method;
+ GENERAL_NAME *location;
+} ACCESS_DESCRIPTION;
+
+DEFINE_STACK_OF(ACCESS_DESCRIPTION)
+
+// ACCESS_DESCRIPTION_new returns a newly-allocated, empty |ACCESS_DESCRIPTION|
+// object, or NULL on error.
+OPENSSL_EXPORT ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
+
+// ACCESS_DESCRIPTION_free releases memory associated with |desc|.
+OPENSSL_EXPORT void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *desc);
+
+typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
+
+// AUTHORITY_INFO_ACCESS is an |ASN1_ITEM| whose ASN.1 type is
+// AuthorityInfoAccessSyntax (RFC 5280) and C type is
+// |STACK_OF(ACCESS_DESCRIPTION)*|, or |AUTHORITY_INFO_ACCESS*|.
+DECLARE_ASN1_ITEM(AUTHORITY_INFO_ACCESS)
+
+// AUTHORITY_INFO_ACCESS_new returns a newly-allocated, empty
+// |AUTHORITY_INFO_ACCESS| object, or NULL on error.
+OPENSSL_EXPORT AUTHORITY_INFO_ACCESS *AUTHORITY_INFO_ACCESS_new(void);
+
+// AUTHORITY_INFO_ACCESS_free releases memory associated with |aia|.
+OPENSSL_EXPORT void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *aia);
+
+// d2i_AUTHORITY_INFO_ACCESS parses up to |len| bytes from |*inp| as a
+// DER-encoded AuthorityInfoAccessSyntax (RFC 5280), as described in
+// |d2i_SAMPLE|.
+OPENSSL_EXPORT AUTHORITY_INFO_ACCESS *d2i_AUTHORITY_INFO_ACCESS(
+ AUTHORITY_INFO_ACCESS **out, const uint8_t **inp, long len);
+
+// i2d_AUTHORITY_INFO_ACCESS marshals |aia| as a DER-encoded
+// AuthorityInfoAccessSyntax (RFC 5280), as described in |i2d_SAMPLE|.
+//
+// TODO(https://crbug.com/boringssl/407): |aia| is not const because it
+// contains an |X509_NAME|.
+OPENSSL_EXPORT int i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *aia,
+ uint8_t **outp);
+
+
+// CRL distribution points.
+//
+// The CRL distribution points extension (RFC 5280, 4.2.1.13) indicates where to
+// fetch a certificate issuer's CRL.
The corresponding issuing distribution
+// point CRL extension (RFC 5280, section 5.2.5) matches against this extension.
+
+// A DIST_POINT_NAME represents a DistributionPointName structure (RFC 5280).
+// The |name| field contains the CHOICE value and is determined by |type|. If
+// |type| is zero, |name| must be a |fullname|. If |type| is one, |name| must be
+// a |relativename|.
+//
+// WARNING: |type| and |name| must be kept consistent. An inconsistency will
+// result in a potentially exploitable memory error.
+typedef struct DIST_POINT_NAME_st {
+ int type;
+ union {
+ GENERAL_NAMES *fullname;
+ STACK_OF(X509_NAME_ENTRY) *relativename;
+ } name;
+ // If relativename then this contains the full distribution point name
+ X509_NAME *dpname;
+} DIST_POINT_NAME;
+
+// DIST_POINT_NAME_new returns a newly-allocated, empty |DIST_POINT_NAME|
+// object, or NULL on error.
+OPENSSL_EXPORT DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+
+// DIST_POINT_NAME_free releases memory associated with |name|.
+OPENSSL_EXPORT void DIST_POINT_NAME_free(DIST_POINT_NAME *name);
+
+// A DIST_POINT_st, aka |DIST_POINT|, represents a DistributionPoint structure
+// (RFC 5280).
+struct DIST_POINT_st {
+ DIST_POINT_NAME *distpoint;
+ ASN1_BIT_STRING *reasons;
+ GENERAL_NAMES *CRLissuer;
+} /* DIST_POINT */;
+
+DEFINE_STACK_OF(DIST_POINT)
+
+// DIST_POINT_new returns a newly-allocated, empty |DIST_POINT| object, or NULL
+// on error.
+OPENSSL_EXPORT DIST_POINT *DIST_POINT_new(void);
+
+// DIST_POINT_free releases memory associated with |dp|.
+OPENSSL_EXPORT void DIST_POINT_free(DIST_POINT *dp);
+
+typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
+
+// CRL_DIST_POINTS is an |ASN1_ITEM| whose ASN.1 type is CRLDistributionPoints
+// (RFC 5280) and C type is |CRL_DIST_POINTS*|.
+DECLARE_ASN1_ITEM(CRL_DIST_POINTS)
+
+// CRL_DIST_POINTS_new returns a newly-allocated, empty |CRL_DIST_POINTS|
+// object, or NULL on error.
+OPENSSL_EXPORT CRL_DIST_POINTS *CRL_DIST_POINTS_new(void);
+
+// CRL_DIST_POINTS_free releases memory associated with |crldp|.
+OPENSSL_EXPORT void CRL_DIST_POINTS_free(CRL_DIST_POINTS *crldp);
+
+// d2i_CRL_DIST_POINTS parses up to |len| bytes from |*inp| as a DER-encoded
+// CRLDistributionPoints (RFC 5280), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT CRL_DIST_POINTS *d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **out,
+ const uint8_t **inp,
+ long len);
+
+// i2d_CRL_DIST_POINTS marshals |crldp| as a DER-encoded CRLDistributionPoints
+// (RFC 5280), as described in |i2d_SAMPLE|.
+//
+// TODO(https://crbug.com/boringssl/407): |crldp| is not const because it
+// contains an |X509_NAME|.
+OPENSSL_EXPORT int i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *crldp, uint8_t **outp);
+
+// A ISSUING_DIST_POINT_st, aka |ISSUING_DIST_POINT|, represents a
+// IssuingDistributionPoint structure (RFC 5280).
+struct ISSUING_DIST_POINT_st {
+ DIST_POINT_NAME *distpoint;
+ ASN1_BOOLEAN onlyuser;
+ ASN1_BOOLEAN onlyCA;
+ ASN1_BIT_STRING *onlysomereasons;
+ ASN1_BOOLEAN indirectCRL;
+ ASN1_BOOLEAN onlyattr;
+} /* ISSUING_DIST_POINT */;
+
+// ISSUING_DIST_POINT is an |ASN1_ITEM| whose ASN.1 type is
+// IssuingDistributionPoint (RFC 5280) and C type is |ISSUING_DIST_POINT*|.
+DECLARE_ASN1_ITEM(ISSUING_DIST_POINT)
+
+// ISSUING_DIST_POINT_new returns a newly-allocated, empty |ISSUING_DIST_POINT|
+// object, or NULL on error.
+OPENSSL_EXPORT ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void);
+
+// ISSUING_DIST_POINT_free releases memory associated with |idp|.
+OPENSSL_EXPORT void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *idp);
+
+// d2i_ISSUING_DIST_POINT parses up to |len| bytes from |*inp| as a DER-encoded
+// IssuingDistributionPoint (RFC 5280), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT ISSUING_DIST_POINT *d2i_ISSUING_DIST_POINT(
+ ISSUING_DIST_POINT **out, const uint8_t **inp, long len);
+
+// i2d_ISSUING_DIST_POINT marshals |idp| as a DER-encoded
+// IssuingDistributionPoint (RFC 5280), as described in |i2d_SAMPLE|.
+//
+// TODO(https://crbug.com/boringssl/407): |idp| is not const because it
+// contains an |X509_NAME|.
+OPENSSL_EXPORT int i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *idp,
+ uint8_t **outp);
+
+
+// Certificate policies.
+//
+// The certificate policies extension (RFC 5280, section 4.2.1.4), along with a
+// suite of related extensions determines the "policies" that apply to a
+// certificate path. Evaluating these policies is extremely complex and has led
+// to denial-of-service vulnerabilities in several X.509 implementations. See
+// draft-ietf-lamps-x509-policy-graph.
+//
+// Do not use this mechanism.
+
+// A NOTICEREF represents a NoticeReference structure (RFC 5280).
+typedef struct NOTICEREF_st {
+ ASN1_STRING *organization;
+ STACK_OF(ASN1_INTEGER) *noticenos;
+} NOTICEREF;
+
+// NOTICEREF_new returns a newly-allocated, empty |NOTICEREF| object, or NULL
+// on error.
+OPENSSL_EXPORT NOTICEREF *NOTICEREF_new(void);
+
+// NOTICEREF_free releases memory associated with |ref|.
+OPENSSL_EXPORT void NOTICEREF_free(NOTICEREF *ref);
+
+// A USERNOTICE represents a UserNotice structure (RFC 5280).
+typedef struct USERNOTICE_st {
+ NOTICEREF *noticeref;
+ ASN1_STRING *exptext;
+} USERNOTICE;
+
+// USERNOTICE_new returns a newly-allocated, empty |USERNOTICE| object, or NULL
+// on error.
+OPENSSL_EXPORT USERNOTICE *USERNOTICE_new(void);
+
+// USERNOTICE_free releases memory associated with |notice|.
+OPENSSL_EXPORT void USERNOTICE_free(USERNOTICE *notice);
+
+// A POLICYQUALINFO represents a PolicyQualifierInfo structure (RFC 5280). |d|
+// contains the qualifier field of the PolicyQualifierInfo. Its type is
+// determined by |pqualid|. If |pqualid| is |NID_id_qt_cps|, |d| must be
+// |cpsuri|.
If |pqualid| is |NID_id_qt_unotice|, |d| must be |usernotice|.
+// Otherwise, |d| must be |other|.
+//
+// WARNING: |pqualid| and |d| must be kept consistent. An inconsistency will
+// result in a potentially exploitable memory error.
+typedef struct POLICYQUALINFO_st {
+ ASN1_OBJECT *pqualid;
+ union {
+ ASN1_IA5STRING *cpsuri;
+ USERNOTICE *usernotice;
+ ASN1_TYPE *other;
+ } d;
+} POLICYQUALINFO;
+
+DEFINE_STACK_OF(POLICYQUALINFO)
+
+// POLICYQUALINFO_new returns a newly-allocated, empty |POLICYQUALINFO| object,
+// or NULL on error.
+OPENSSL_EXPORT POLICYQUALINFO *POLICYQUALINFO_new(void);
+
+// POLICYQUALINFO_free releases memory associated with |info|.
+OPENSSL_EXPORT void POLICYQUALINFO_free(POLICYQUALINFO *info);
+
+// A POLICYINFO represents a PolicyInformation structure (RFC 5280).
+typedef struct POLICYINFO_st {
+ ASN1_OBJECT *policyid;
+ STACK_OF(POLICYQUALINFO) *qualifiers;
+} POLICYINFO;
+
+DEFINE_STACK_OF(POLICYINFO)
+
+// POLICYINFO_new returns a newly-allocated, empty |POLICYINFO| object, or NULL
+// on error.
+OPENSSL_EXPORT POLICYINFO *POLICYINFO_new(void);
+
+// POLICYINFO_free releases memory associated with |info|.
+OPENSSL_EXPORT void POLICYINFO_free(POLICYINFO *info);
+
+typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
+
+// CERTIFICATEPOLICIES is an |ASN1_ITEM| whose ASN.1 type is CertificatePolicies
+// (RFC 5280) and C type is |STACK_OF(POLICYINFO)*|, or |CERTIFICATEPOLICIES*|.
+DECLARE_ASN1_ITEM(CERTIFICATEPOLICIES)
+
+// CERTIFICATEPOLICIES_new returns a newly-allocated, empty
+// |CERTIFICATEPOLICIES| object, or NULL on error.
+OPENSSL_EXPORT CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void);
+
+// CERTIFICATEPOLICIES_free releases memory associated with |policies|.
+OPENSSL_EXPORT void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *policies);
+
+// d2i_CERTIFICATEPOLICIES parses up to |len| bytes from |*inp| as a DER-encoded
+// CertificatePolicies (RFC 5280), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT CERTIFICATEPOLICIES *d2i_CERTIFICATEPOLICIES(
+ CERTIFICATEPOLICIES **out, const uint8_t **inp, long len);
+
+// i2d_CERTIFICATEPOLICIES marshals |policies| as a DER-encoded
+// CertificatePolicies (RFC 5280), as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_CERTIFICATEPOLICIES(const CERTIFICATEPOLICIES *policies,
+ uint8_t **outp);
+
+// A POLICY_MAPPING represents an individual element of a PolicyMappings
+// structure (RFC 5280).
+typedef struct POLICY_MAPPING_st {
+ ASN1_OBJECT *issuerDomainPolicy;
+ ASN1_OBJECT *subjectDomainPolicy;
+} POLICY_MAPPING;
+
+DEFINE_STACK_OF(POLICY_MAPPING)
+
+// POLICY_MAPPING_new returns a newly-allocated, empty |POLICY_MAPPING| object,
+// or NULL on error.
+OPENSSL_EXPORT POLICY_MAPPING *POLICY_MAPPING_new(void);
+
+// POLICY_MAPPING_free releases memory associated with |mapping|.
+OPENSSL_EXPORT void POLICY_MAPPING_free(POLICY_MAPPING *mapping);
+
+typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
+
+// POLICY_MAPPINGS is an |ASN1_ITEM| whose ASN.1 type is PolicyMappings (RFC
+// 5280) and C type is |STACK_OF(POLICY_MAPPING)*|, or |POLICY_MAPPINGS*|.
+DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
+
+// A POLICY_CONSTRAINTS represents a PolicyConstraints structure (RFC 5280).
+typedef struct POLICY_CONSTRAINTS_st {
+ ASN1_INTEGER *requireExplicitPolicy;
+ ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
+// POLICY_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is PolicyConstraints
+// (RFC 5280) and C type is |POLICY_CONSTRAINTS*|.
+DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
+
+// POLICY_CONSTRAINTS_new returns a newly-allocated, empty |POLICY_CONSTRAINTS|
+// object, or NULL on error.
+OPENSSL_EXPORT POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);
+
+// POLICY_CONSTRAINTS_free releases memory associated with |pcons|.
+OPENSSL_EXPORT void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *pcons);
+
+
 // Algorithm identifiers.
 //
 // An |X509_ALGOR| represents an AlgorithmIdentifier structure, used in X.509
@@ -1390,8 +2696,18 @@ OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj,
 // X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this
 // AlgorithmIdentifier represents the hash function itself, not a signature
-// algorithm that uses |md|.
-OPENSSL_EXPORT void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
+// algorithm that uses |md|. It returns one on success and zero on error.
+//
+// Due to historical specification mistakes (see Section 2.1 of RFC 4055), the
+// parameters field is sometimes omitted and sometimes a NULL value. When used
+// in RSASSA-PSS and RSAES-OAEP, it should be a NULL value. In other contexts,
+// the parameters should be omitted. This function assumes the caller is
+// constructing a RSASSA-PSS or RSAES-OAEP AlgorithmIdentifier and includes a
+// NULL parameter. This differs from OpenSSL's behavior.
+//
+// TODO(davidben): Rename this function, or perhaps just add a bespoke API for
+// constructing PSS and move on.
+OPENSSL_EXPORT int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
 // X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value
 // otherwise. Note this function can only be used for equality checks, not an
@@ -1407,10 +2723,6 @@ OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
 DEFINE_STACK_OF(X509_ATTRIBUTE)
-// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and
-// C type is |X509_ATTRIBUTE*|.
-DECLARE_ASN1_ITEM(X509_ATTRIBUTE)
-
 // X509_ATTRIBUTE_new returns a newly-allocated, empty |X509_ATTRIBUTE| object,
 // or NULL on error. |X509_ATTRIBUTE_set1_*| may be used to finish initializing
 // it.
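Review bot: The first hunk changes `X509_ALGOR_set_md` from `void` to `int`, so every existing caller keeps compiling while silently discarding the new failure path; the comment now says "zero on error" but nothing pushes a caller to check it. Since this vendoring commit is described as including a fixup for API breaks, the callers of this function in the tree should be audited to handle a zero return rather than assume the AlgorithmIdentifier was populated, and it would be worth marking the declaration with a warn-unused-result attribute (if the project's base header provides a macro for it) so the compiler flags ignored results. The comment could also state what an error leaves in `alg`, e.g. `// On error, |alg| is left in an unspecified state and should not be used.` if that matches the implementation — confirm before adding. The second hunk on this line is a pure deletion and needs no further note.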
@@ -1480,21 +2792,21 @@ OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr,
 // X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns
 // one on success or zero on error. The value is determined as follows:
 //
-// If |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 string. The
-// string is determined by decoding |len| bytes from |data| in the encoding
-// specified by |attrtype|, and then re-encoding it in a form appropriate for
-// |attr|'s type. If |len| is -1, |strlen(data)| is used instead. See
-// |ASN1_STRING_set_by_NID| for details.
+// If |attrtype| is zero, this function returns one and does nothing. This form
+// may be used when calling |X509_ATTRIBUTE_create_by_*| to create an attribute
+// with an empty value set. Such attributes are invalid, but OpenSSL supports
+// creating them.
+//
+// Otherwise, if |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1
+// string. The string is determined by decoding |len| bytes from |data| in the
+// encoding specified by |attrtype|, and then re-encoding it in a form
+// appropriate for |attr|'s type. If |len| is -1, |strlen(data)| is used
+// instead. See |ASN1_STRING_set_by_NID| for details.
 //
 // Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an
 // |ASN1_STRING| type value and the |len| bytes from |data| are copied as the
 // type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details.
 //
-// WARNING: If this form is used to construct a negative INTEGER or ENUMERATED,
-// |attrtype| includes the |V_ASN1_NEG| flag for |ASN1_STRING|, but the function
-// forgets to clear the flag for |ASN1_TYPE|. This matches OpenSSL but is
-// probably a bug. For now, do not use this form with negative values.
-//
 // Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and
 // |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value,
 // and |data| is cast to the corresponding pointer type.
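Review bot: The WARNING about the |V_ASN1_NEG| flag leaking into the |ASN1_TYPE| for negative INTEGER/ENUMERATED values is dropped, but the new text does not say whether that behavior was fixed, so a reader of this header can no longer tell if the `|len| != -1` form is now safe with negative values. The diffstat lists crypto/asn1/a_type.c among the changed files, which is presumably where the fix landed; it is worth confirming that and, if so, saying so in one line, e.g. `// Negative INTEGER and ENUMERATED values are accepted with this form.` The new "|attrtype| is zero" paragraph would also benefit from stating that |data| and |len| are ignored in that case, if that is what the implementation does. The declaration of X509_ATTRIBUTE_set1_data itself lies outside this hunk.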
@@ -1533,1401 +2845,2436 @@ OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr,
 int idx);
-// SignedPublicKeyAndChallenge structures.
+// Certificate stores.
 //
-// The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request
-// certificates, primarily in the legacy HTML tag. An SPKAC structure
-// is represented by a |NETSCAPE_SPKI| structure.
+// An |X509_STORE| contains trusted certificates, CRLs, and verification
+// parameters that are shared between multiple certificate verifications.
 //
-// The structure is described in
-// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
+// Certificates in an |X509_STORE| are referred to as "trusted certificates",
+// but an individual certificate verification may not necessarily treat every
+// trusted certificate as a trust anchor. See |X509_VERIFY_PARAM_set_trust| for
+// details.
+//
+// WARNING: Although a trusted certificate which fails the
+// |X509_VERIFY_PARAM_set_trust| check is functionally an untrusted
+// intermediate certificate, callers should not rely on this to configure
+// untrusted intermediates in an |X509_STORE|. The trust check is complex, so
+// this risks inadvertently treating it as a trust anchor. Instead, configure
+// untrusted intermediates with the |chain| parameter of |X509_STORE_CTX_init|.
+//
+// Certificates in |X509_STORE| may be specified in several ways:
+// - Added by |X509_STORE_add_cert|.
+// - Returned by an |X509_LOOKUP| added by |X509_STORE_add_lookup|.
+//
+// |X509_STORE|s are reference-counted and may be shared by certificate
+// verifications running concurrently on multiple threads. However, an
+// |X509_STORE|'s verification parameters may not be modified concurrently with
+// certificate verification or other operations. Unless otherwise documented,
+// functions which take const pointer may be used concurrently, while
+// functions which take a non-const pointer may not.
Callers that wish to modify
+// verification parameters in a shared |X509_STORE| should instead modify
+// |X509_STORE_CTX|s individually.
+//
+// Objects in an |X509_STORE| are represented as an |X509_OBJECT|. Some
+// functions in this library return values with this type.
-// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a
-// SignedPublicKeyAndChallenge structure. Although this structure contains a
-// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the
-// entire structure, not the signed portion.
-struct Netscape_spki_st {
- NETSCAPE_SPKAC *spkac;
- X509_ALGOR *sig_algor;
- ASN1_BIT_STRING *signature;
-} /* NETSCAPE_SPKI */;
+// X509_STORE_new returns a newly-allocated |X509_STORE|, or NULL on error.
+OPENSSL_EXPORT X509_STORE *X509_STORE_new(void);
-// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is
-// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|.
-DECLARE_ASN1_ITEM(NETSCAPE_SPKI)
+// X509_STORE_up_ref adds one to the reference count of |store| and returns one.
+// Although |store| is not const, this function's use of |store| is thread-safe.
+OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store);
-// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or
-// NULL on error.
-OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
+// X509_STORE_free releases memory associated with |store|.
+OPENSSL_EXPORT void X509_STORE_free(X509_STORE *store);
-// NETSCAPE_SPKI_free releases memory associated with |spki|.
-OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki);
+// X509_STORE_add_cert adds |x509| to |store| as a trusted certificate. It
+// returns one on success and zero on error. This function internally increments
+// |x509|'s reference count, so the caller retains ownership of |x509|.
+//
+// Certificates configured by this function are still subject to the checks
+// described in |X509_VERIFY_PARAM_set_trust|.
+//
+// Although |store| is not const, this function's use of |store| is thread-safe.
+// However, if this function is called concurrently with |X509_verify_cert|, it
+// is a race condition whether |x509| is available for issuer lookups.
+// Moreover, the result may differ for each issuer lookup performed by a single
+// |X509_verify_cert| call.
+OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *store, X509 *x509);
+
+// X509_STORE_add_crl adds |crl| to |store|. It returns one on success and zero
+// on error. This function internally increments |crl|'s reference count, so the
+// caller retains ownership of |crl|. CRLs added in this way are candidates for
+// CRL lookup when |X509_V_FLAG_CRL_CHECK| is set.
+//
+// Although |store| is not const, this function's use of |store| is thread-safe.
+// However, if this function is called concurrently with |X509_verify_cert|, it
+// is a race condition whether |crl| is available for CRL checks. Moreover, the
+// result may differ for each CRL check performed by a single
+// |X509_verify_cert| call.
+//
+// Note there are no supported APIs to remove CRLs from |store| once inserted.
+// To vary the set of CRLs over time, callers should either create a new
+// |X509_STORE| or configure CRLs on a per-verification basis with
+// |X509_STORE_CTX_set0_crls|.
+OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *store, X509_CRL *crl);
+
+// X509_STORE_get0_param returns |store|'s verification parameters. This object
+// is mutable and may be modified by the caller. For an individual certificate
+// verification operation, |X509_STORE_CTX_init| initializes the
+// |X509_STORE_CTX|'s parameters with these parameters.
+//
+// WARNING: |X509_STORE_CTX_init| applies some default parameters (as in
+// |X509_VERIFY_PARAM_inherit|) after copying |store|'s parameters. This means
+// it is impossible to leave some parameters unset at |store|. They must be
+// explicitly unset after creating the |X509_STORE_CTX|.
+//
+// As of writing these late defaults are a depth limit (see
+// |X509_VERIFY_PARAM_set_depth|) and the |X509_V_FLAG_TRUSTED_FIRST| flag. This
+// warning does not apply if the parameters were set in |store|.
+//
+// TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we
+// remove this notion of late defaults? The unsettable value at |X509_STORE| is
+// -1, which rejects everything but explicitly-trusted self-signed certificates.
+// |X509_V_FLAG_TRUSTED_FIRST| is mostly a workaround for poor path-building.
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store);
+
+// X509_STORE_set1_param copies verification parameters from |param| as in
+// |X509_VERIFY_PARAM_set1|. It returns one on success and zero on error.
+OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *store,
+ const X509_VERIFY_PARAM *param);
+
+// X509_STORE_set_flags enables all values in |flags| in |store|'s verification
+// flags. |flags| should be a combination of |X509_V_FLAG_*| constants.
+//
+// WARNING: These flags will be combined with default flags when copied to an
+// |X509_STORE_CTX|. This means it is impossible to unset those defaults from
+// the |X509_STORE|. See discussion in |X509_STORE_get0_param|.
+OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags);
+
+// X509_STORE_set_depth configures |store| to, by default, limit certificate
+// chains to |depth| intermediate certificates. This count excludes both the
+// target certificate and the trust anchor (root certificate).
+OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth);
-// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded
-// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
-OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out,
- const uint8_t **inp, long len);
+// X509_STORE_set_purpose configures the purpose check for |store|. See
+// |X509_VERIFY_PARAM_set_trust| for details.
+OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *store, int purpose);
-// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded
-// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|.
-OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp);
+// X509_STORE_set_trust configures the trust check for |store|. See
+// |X509_VERIFY_PARAM_set_trust| for details.
+OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust);
-// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It
-// returns one if the signature is valid and zero otherwise.
-OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey);
+// The following constants indicate the type of an |X509_OBJECT|.
+#define X509_LU_NONE 0
+#define X509_LU_X509 1
+#define X509_LU_CRL 2
+#define X509_LU_PKEY 3
-// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded
-// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
-// |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or
-// negative, the length is calculated with |strlen| and |str| must be a
-// NUL-terminated C string.
-OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
- ossl_ssize_t len);
+DEFINE_STACK_OF(X509_OBJECT)
-// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded
-// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
-// NUL-terminated C string with the result, or NULL on error. The caller must
-// release the memory with |OPENSSL_free| when done.
-OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
+// X509_OBJECT_new returns a newly-allocated, empty |X509_OBJECT| or NULL on
+// error.
+OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_new(void);
-// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
-// |EVP_PKEY|, or NULL on error.
The caller takes ownership of the resulting
-// pointer and must call |EVP_PKEY_free| when done.
-OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *spki);
+// X509_OBJECT_free releases memory associated with |obj|.
+OPENSSL_EXPORT void X509_OBJECT_free(X509_OBJECT *obj);
-// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
-// on success or zero on error. This function does not take ownership of |pkey|,
-// so the caller may continue to manage its lifetime independently of |spki|.
-OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
- EVP_PKEY *pkey);
+// X509_OBJECT_get_type returns the type of |obj|, which will be one of the
+// |X509_LU_*| constants.
+OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *obj);
-// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
-// algorithm and signature fields. It returns the length of the signature on
-// success and zero on error. This function uses digest algorithm |md|, or
-// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults.
-OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
- const EVP_MD *md);
+// X509_OBJECT_get0_X509 returns |obj| as a certificate, or NULL if |obj| is not
+// a certificate.
+OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *obj);
-// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge
-// structure. This type is misnamed. The full SPKAC includes the signature,
-// which is represented with the |NETSCAPE_SPKI| type.
-struct Netscape_spkac_st {
- X509_PUBKEY *pubkey;
- ASN1_IA5STRING *challenge;
-} /* NETSCAPE_SPKAC */;
+// X509_STORE_get1_objects returns a newly-allocated stack containing the
+// contents of |store|, or NULL on error. The caller must release the result
+// with |sk_X509_OBJECT_pop_free| and |X509_OBJECT_free| when done.
+//
+// The result will include all certificates and CRLs added via
+// |X509_STORE_add_cert| and |X509_STORE_add_crl|, as well as any cached objects
+// added by |X509_LOOKUP_add_dir|. The last of these may change over time, as
+// different objects are loaded from the filesystem. Callers should not depend
+// on this caching behavior. The objects are returned in no particular order.
+OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get1_objects(
+ X509_STORE *store);
-// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge
-// and C type is |NETSCAPE_SPKAC*|.
-DECLARE_ASN1_ITEM(NETSCAPE_SPKAC)
-// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object,
-// or NULL on error.
-OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void);
+// Certificate verification.
+//
+// An |X509_STORE_CTX| object represents a single certificate verification
+// operation. To verify a certificate chain, callers construct an
+// |X509_STORE_CTX|, initialize it with |X509_STORE_CTX_init|, configure extra
+// parameters with |X509_STORE_CTX_get0_param|, and call |X509_verify_cert|.
-// NETSCAPE_SPKAC_free releases memory associated with |spkac|.
-OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac);
+// X509_STORE_CTX_new returns a newly-allocated, empty |X509_STORE_CTX|, or NULL
+// on error.
+OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void);
-// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded
-// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
-OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out,
- const uint8_t **inp,
- long len);
+// X509_STORE_CTX_free releases memory associated with |ctx|.
+OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge
-// structure, as described in |i2d_SAMPLE|.
-OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac,
- uint8_t **outp);
+// X509_STORE_CTX_init initializes |ctx| to verify |x509|, using trusted
+// certificates and parameters in |store|. It returns one on success and zero on
+// error. |chain| is a list of untrusted intermediate certificates to use in
+// verification.
+//
+// |ctx| stores pointers to |store|, |x509|, and |chain|. Each of these objects
+// must outlive |ctx| and may not be mutated for the duration of the certificate
+// verification.
+OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+ X509 *x509, STACK_OF(X509) *chain);
+// X509_verify_cert performs certifice verification with |ctx|, which must have
+// been initialized with |X509_STORE_CTX_init|. It returns one on success and
+// zero on error. On success, |X509_STORE_CTX_get0_chain| or
+// |X509_STORE_CTX_get1_chain| may be used to return the verified certificate
+// chain. On error, |X509_STORE_CTX_get_error| may be used to return additional
+// error information.
+//
+// WARNING: Most failure conditions from this function do not use the error
+// queue. Use |X509_STORE_CTX_get_error| to determine the cause of the error.
+OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
-// Printing functions.
+// X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call,
+// returns the verified certificate chain. The chain begins with the leaf and
+// ends with trust anchor.
 //
-// The following functions output human-readable representations of
-// X.509-related structures. They should only be used for debugging or logging
-// and not parsed programmatically. In many cases, the outputs are ambiguous, so
-// attempting to parse them can lead to string injection vulnerabilities.
+// At other points, such as after a failed verification or during the deprecated
+// verification callback, it returns the partial chain built so far.
Callers
+// should avoid relying on this as this exposes unstable library implementation
+// details.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(
+ const X509_STORE_CTX *ctx);
+
+// X509_STORE_CTX_get1_chain behaves like |X509_STORE_CTX_get0_chain| but
+// returns a newly-allocated |STACK_OF(X509)| containing the completed chain,
+// with each certificate's reference count incremented. Callers must free the
+// result with |sk_X509_pop_free| and |X509_free| when done.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(
+ const X509_STORE_CTX *ctx);
+
+// The following values are possible outputs of |X509_STORE_CTX_get_error|.
+#define X509_V_OK 0
+#define X509_V_ERR_UNSPECIFIED 1
+#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
+#define X509_V_ERR_UNABLE_TO_GET_CRL 3
+#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
+#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
+#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
+#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
+#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
+#define X509_V_ERR_CERT_NOT_YET_VALID 9
+#define X509_V_ERR_CERT_HAS_EXPIRED 10
+#define X509_V_ERR_CRL_NOT_YET_VALID 11
+#define X509_V_ERR_CRL_HAS_EXPIRED 12
+#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
+#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
+#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
+#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
+#define X509_V_ERR_OUT_OF_MEM 17
+#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
+#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
+#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
+#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
+#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
+#define X509_V_ERR_CERT_REVOKED 23
+#define X509_V_ERR_INVALID_CA 24
+#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
+#define X509_V_ERR_INVALID_PURPOSE 26
+#define X509_V_ERR_CERT_UNTRUSTED 27
+#define X509_V_ERR_CERT_REJECTED 28
+#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
+#define X509_V_ERR_AKID_SKID_MISMATCH 30
+#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
+#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
+#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
+#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
+#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
+#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
+#define X509_V_ERR_INVALID_NON_CA 37
+#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
+#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
+#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
+#define X509_V_ERR_INVALID_EXTENSION 41
+#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
+#define X509_V_ERR_NO_EXPLICIT_POLICY 43
+#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
+#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
+#define X509_V_ERR_UNNESTED_RESOURCE 46
+#define X509_V_ERR_PERMITTED_VIOLATION 47
+#define X509_V_ERR_EXCLUDED_VIOLATION 48
+#define X509_V_ERR_SUBTREE_MINMAX 49
+#define X509_V_ERR_APPLICATION_VERIFICATION 50
+#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
+#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
+#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
+#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
+#define X509_V_ERR_HOSTNAME_MISMATCH 62
+#define X509_V_ERR_EMAIL_MISMATCH 63
+#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
+#define X509_V_ERR_INVALID_CALL 65
+#define X509_V_ERR_STORE_LOOKUP 66
+#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67
-// The following flags control |X509_print_ex| and |X509_REQ_print_ex|.
+// X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns
+// |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why
+// verification failed. This will be consistent with |X509_verify_cert|'s return
+// value, unless the caller used the deprecated verification callback (see
+// |X509_STORE_CTX_set_verify_cb|) in a way that breaks |ctx|'s invariants.
+//
+// If called during the deprecated verification callback when |ok| is zero, it
+// returns the current error under consideration.
+OPENSSL_EXPORT int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);
-// X509_FLAG_COMPAT disables all flags. It additionally causes names to be
-// printed with a 16-byte indent.
-#define X509_FLAG_COMPAT 0
+// X509_STORE_CTX_set_error sets |ctx|'s error to |err|, which should be
+// |X509_V_OK| or an |X509_V_ERR_*| constant. It is not expected to be called in
+// typical |X509_STORE_CTX| usage, but may be used in callback APIs where
+// applications synthesize |X509_STORE_CTX| error conditions. See also
+// |X509_STORE_CTX_set_verify_cb| and |SSL_CTX_set_cert_verify_callback|.
+OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err);
-// X509_FLAG_NO_HEADER skips a header identifying the type of object printed.
-#define X509_FLAG_NO_HEADER 1L
+// X509_verify_cert_error_string returns |err| as a human-readable string, where
+// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns
+// a default description.
+OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err);
-// X509_FLAG_NO_VERSION skips printing the X.509 version number.
-#define X509_FLAG_NO_VERSION (1L << 1)
+// X509_STORE_CTX_get_error_depth returns the depth at which the error returned
+// by |X509_STORE_CTX_get_error| occured. This is zero-indexed integer into the
+// certificate chain. Zero indicates the target certificate, one its issuer, and
+// so on.
+OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
-// X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in
-// |X509_REQ_print_fp|.
-#define X509_FLAG_NO_SERIAL (1L << 2)
+// X509_STORE_CTX_get_current_cert returns the certificate which caused the
+// error returned by |X509_STORE_CTX_get_error|.
+OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
-// X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the
-// TBSCertificate. It is ignored in |X509_REQ_print_fp|.
-#define X509_FLAG_NO_SIGNAME (1L << 3)
+// X509_STORE_CTX_get0_current_crl returns the CRL which caused the error
+// returned by |X509_STORE_CTX_get_error|.
+OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(
+ const X509_STORE_CTX *ctx);
-// X509_FLAG_NO_ISSUER skips printing the issuer.
-#define X509_FLAG_NO_ISSUER (1L << 4)
+// X509_STORE_CTX_get0_store returns the |X509_STORE| that |ctx| uses.
+OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);
-// X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is
-// ignored in |X509_REQ_print_fp|.
-#define X509_FLAG_NO_VALIDITY (1L << 5)
+// X509_STORE_CTX_get0_cert returns the leaf certificate that |ctx| is
+// verifying.
+OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
-// X509_FLAG_NO_SUBJECT skips printing the subject.
-#define X509_FLAG_NO_SUBJECT (1L << 6)
+// X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates
+// used by |ctx| for certificate verification.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(
+ const X509_STORE_CTX *ctx);
-// X509_FLAG_NO_PUBKEY skips printing the public key.
-#define X509_FLAG_NO_PUBKEY (1L << 7)
+// X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates
+// in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this
+// function causes |ctx| to ignore any certificates configured in the
+// |X509_STORE|. Certificates in |sk| are still subject to the check described
+// in |X509_VERIFY_PARAM_set_trust|.
+//
+// WARNING: This function differs from most |set0| functions in that it does not
+// take ownership of its input. The caller is required to ensure the lifetimes
+// are consistent.
+OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *sk);
-// X509_FLAG_NO_EXTENSIONS skips printing the extension list. It is ignored in
-// |X509_REQ_print_fp|. CSRs instead have attributes, which is controlled by
-// |X509_FLAG_NO_ATTRIBUTES|.
-#define X509_FLAG_NO_EXTENSIONS (1L << 8)
+// X509_STORE_CTX_set0_crls configures |ctx| to consider the CRLs in |sk| as
+// candidates for CRL lookup. |sk| must remain valid for the duration of |ctx|.
+// These CRLs are considered in addition to CRLs found in |X509_STORE|.
+//
+// WARNING: This function differs from most |set0| functions in that it does not
+// take ownership of its input. The caller is required to ensure the lifetimes
+// are consistent.
+OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx,
+ STACK_OF(X509_CRL) *sk);
-// X509_FLAG_NO_SIGDUMP skips printing the signature and outer signature
-// algorithm.
-#define X509_FLAG_NO_SIGDUMP (1L << 9)
+// X509_STORE_CTX_set_default looks up the set of parameters named |name| and
+// applies those default verification parameters for |ctx|. As in
+// |X509_VERIFY_PARAM_inherit|, only unset parameters are changed. This function
+// returns one on success and zero on error.
+//
+// The supported values of |name| are:
+// - "default" is an internal value which configures some late defaults. See the
+// discussion in |X509_STORE_get0_param|.
+// - "pkcs7" configures default trust and purpose checks for PKCS#7 signatures.
+// - "smime_sign" configures trust and purpose checks for S/MIME signatures.
+// - "ssl_client" configures trust and purpose checks for TLS clients.
+// - "ssl_server" configures trust and purpose checks for TLS servers.
+//
+// TODO(crbug.com/boringssl/441): Make "default" a no-op.
+OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx,
+ const char *name);
-// X509_FLAG_NO_AUX skips printing auxiliary properties. (See |d2i_X509_AUX| and
-// related functions.)
-#define X509_FLAG_NO_AUX (1L << 10)
+// X509_STORE_CTX_get0_param returns |ctx|'s verification parameters. This
+// object is mutable and may be modified by the caller.
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
+ X509_STORE_CTX *ctx);
-// X509_FLAG_NO_ATTRIBUTES skips printing CSR attributes. It does nothing for
-// certificates and CRLs.
-#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
+// X509_STORE_CTX_set0_param returns |ctx|'s verification parameters to |param|
+// and takes ownership of |param|. After this function returns, the caller
+// should not free |param|.
+//
+// WARNING: This function discards any values which were previously applied in
+// |ctx|, including the "default" parameters applied late in
+// |X509_STORE_CTX_init|. These late defaults are not applied to parameters
+// created standalone by |X509_VERIFY_PARAM_new|.
+//
+// TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we
+// re-apply the late defaults in |param|, or somehow avoid this notion of late
+// defaults altogether?
+OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
+ X509_VERIFY_PARAM *param);
-// X509_FLAG_NO_IDS skips printing the issuerUniqueID and subjectUniqueID in a
-// certificate. It is ignored in |X509_REQ_print_fp|.
-#define X509_FLAG_NO_IDS (1L << 12)
+// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s
+// verification flags. |flags| should be a combination of |X509_V_FLAG_*|
+// constants.
+OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx,
+ unsigned long flags);
-// X509_print_ex writes a human-readable representation of |x| to |bp|. It
-// returns one on success and zero on error. |nmflags| is the flags parameter
-// for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should
-// be some combination of the |X509_FLAG_*| constants.
-OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
- unsigned long cflag);
+// X509_STORE_CTX_set_time configures certificate verification to use |t|
+// instead of the current time. |flags| is ignored and should be zero.
+OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
+ unsigned long flags, time_t t);
-// X509_print_ex_fp behaves like |X509_print_ex| but writes to |fp|.
-OPENSSL_EXPORT int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,
- unsigned long cflag);
+// X509_STORE_CTX_set_time_posix configures certificate verification to use |t|
+// instead of the current time. |t| is interpreted as a POSIX timestamp in
+// seconds. |flags| is ignored and should be zero.
+OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx,
+ unsigned long flags,
+ int64_t t);
-// X509_print calls |X509_print_ex| with |XN_FLAG_COMPAT| and |X509_FLAG_COMPAT|
-// flags.
-OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x);
+// X509_STORE_CTX_set_depth configures |ctx| to, by default, limit certificate
+// chains to |depth| intermediate certificates. This count excludes both the
+// target certificate and the trust anchor (root certificate).
+OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
-// X509_print_fp behaves like |X509_print| but writes to |fp|.
-OPENSSL_EXPORT int X509_print_fp(FILE *fp, X509 *x);
+// X509_STORE_CTX_set_purpose simultaneously configures |ctx|'s purpose and
+// trust checks, if unset. It returns one on success and zero if |purpose| is
+// not a valid purpose value. |purpose| should be an |X509_PURPOSE_*| constant.
+// If so, it configures |ctx| with a purpose check of |purpose| and a trust
+// check of |purpose|'s corresponding trust value. If either the purpose or
+// trust check had already been specified for |ctx|, that corresponding
+// modification is silently dropped.
+//
+// See |X509_VERIFY_PARAM_set_purpose| and |X509_VERIFY_PARAM_set_trust| for
+// details on the purpose and trust checks, respectively.
+//
+// If |purpose| is |X509_PURPOSE_ANY|, this function returns an error because it
+// has no corresponding |X509_TRUST_*| value. It is not possible to set
+// |X509_PURPOSE_ANY| with this function, only |X509_VERIFY_PARAM_set_purpose|.
+//
+// WARNING: Unlike similarly named functions in this header, this function
+// silently does not behave the same as |X509_VERIFY_PARAM_set_purpose|. Callers
+// may use |X509_VERIFY_PARAM_set_purpose| with |X509_STORE_CTX_get0_param| to
+// avoid this difference.
+OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
-// X509_CRL_print writes a human-readable representation of |x| to |bp|. It
-// returns one on success and zero on error.
-OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x);
+// X509_STORE_CTX_set_trust configures |ctx|'s trust check, if unset. It returns
+// one on success and zero if |trust| is not a valid trust value. |trust| should
+// be an |X509_TRUST_*| constant. If so, it configures |ctx| with a trust check
+// of |trust|. If the trust check had already been specified for |ctx|, it
+// silently does nothing.
+//
+// See |X509_VERIFY_PARAM_set_trust| for details on the purpose and trust check.
+//
+// WARNING: Unlike similarly named functions in this header, this function
+// does not behave the same as |X509_VERIFY_PARAM_set_trust|. Callers may use
+// |X509_VERIFY_PARAM_set_trust| with |X509_STORE_CTX_get0_param| to avoid this
+// difference.
+OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
-// X509_CRL_print_fp behaves like |X509_CRL_print| but writes to |fp|.
-OPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, X509_CRL *x);
-// X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It
-// returns one on success and zero on error. |nmflags| is the flags parameter
-// for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some
-// combination of the |X509_FLAG_*| constants.
-OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
- unsigned long cflag);
+// Verification parameters.
+//
+// An |X509_VERIFY_PARAM| contains a set of parameters for certificate
+// verification.
-// X509_REQ_print calls |X509_REQ_print_ex| with |XN_FLAG_COMPAT| and
-// |X509_FLAG_COMPAT| flags.
-OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req);
+// X509_VERIFY_PARAM_new returns a newly-allocated |X509_VERIFY_PARAM|, or NULL
+// on error.
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
-// X509_REQ_print_fp behaves like |X509_REQ_print| but writes to |fp|.
-OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, X509_REQ *req);
+// X509_VERIFY_PARAM_free releases memory associated with |param|.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
-// The following flags are control |X509_NAME_print_ex|. They must not collide
-// with |ASN1_STRFLGS_*|.
-//
-// TODO(davidben): This is far, far too many options and most of them are
-// useless. Trim this down.
+// X509_VERIFY_PARAM_inherit applies |from| as the default values for |to|. That
+// is, for each parameter that is unset in |to|, it copies the value in |from|.
+// This function returns one on success and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
+ const X509_VERIFY_PARAM *from);
-// XN_FLAG_COMPAT prints with |X509_NAME_print|'s format and return value
-// convention.
-#define XN_FLAG_COMPAT 0
+// X509_VERIFY_PARAM_set1 copies parameters from |from| to |to|. If a parameter
+// is unset in |from|, the existing value in |to| is preserved. This function
+// returns one on success and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
+ const X509_VERIFY_PARAM *from);
-// XN_FLAG_SEP_MASK determines the separators to use between attributes.
-#define XN_FLAG_SEP_MASK (0xf << 16)
+// X509_V_FLAG_* are flags for |X509_VERIFY_PARAM_set_flags| and
+// |X509_VERIFY_PARAM_clear_flags|.
-// XN_FLAG_SEP_COMMA_PLUS separates RDNs with "," and attributes within an RDN
-// with "+", as in RFC 2253.
-#define XN_FLAG_SEP_COMMA_PLUS (1 << 16)
+// X509_V_FLAG_CB_ISSUER_CHECK causes the deprecated verify callback (see
+// |X509_STORE_CTX_set_verify_cb|) to be called for errors while matching
+// subject and issuer certificates.
+#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
+// X509_V_FLAG_USE_CHECK_TIME is an internal flag used to track whether
+// |X509_STORE_CTX_set_time| has been used. If cleared, the system time is
+// restored.
+#define X509_V_FLAG_USE_CHECK_TIME 0x2
+// X509_V_FLAG_CRL_CHECK enables CRL lookup and checking for the leaf.
+#define X509_V_FLAG_CRL_CHECK 0x4
+// X509_V_FLAG_CRL_CHECK_ALL enables CRL lookup and checking for the entire
+// certificate chain. |X509_V_FLAG_CRL_CHECK| must be set for this flag to take
+// effect.
+#define X509_V_FLAG_CRL_CHECK_ALL 0x8
+// X509_V_FLAG_IGNORE_CRITICAL ignores unhandled critical extensions. Do not use
+// this option. Critical extensions ensure the verifier does not bypass
+// unrecognized security restrictions in certificates.
+#define X509_V_FLAG_IGNORE_CRITICAL 0x10
+// X509_V_FLAG_X509_STRICT does nothing. Its functionality has been enabled by
+// default.
+#define X509_V_FLAG_X509_STRICT 0x00
+// X509_V_FLAG_ALLOW_PROXY_CERTS does nothing. Proxy certificate support has
+// been removed.
+#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
+// X509_V_FLAG_POLICY_CHECK does nothing. Policy checking is always enabled.
+#define X509_V_FLAG_POLICY_CHECK 0x80
+// X509_V_FLAG_EXPLICIT_POLICY requires some policy OID to be asserted by the
+// final certificate chain. See initial-explicit-policy from RFC 5280,
+// section 6.1.1.
+#define X509_V_FLAG_EXPLICIT_POLICY 0x100
+// X509_V_FLAG_INHIBIT_ANY inhibits the anyPolicy OID. See
+// initial-any-policy-inhibit from RFC 5280, section 6.1.1.
+#define X509_V_FLAG_INHIBIT_ANY 0x200
+// X509_V_FLAG_INHIBIT_MAP inhibits policy mapping. See
+// initial-policy-mapping-inhibit from RFC 5280, section 6.1.1.
+#define X509_V_FLAG_INHIBIT_MAP 0x400
+// X509_V_FLAG_NOTIFY_POLICY does nothing. Its functionality has been removed.
+#define X509_V_FLAG_NOTIFY_POLICY 0x800
+// X509_V_FLAG_EXTENDED_CRL_SUPPORT causes all verifications to fail. Extended
+// CRL features have been removed.
+#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
+// X509_V_FLAG_USE_DELTAS causes all verifications to fail. Delta CRL support
+// has been removed.
+#define X509_V_FLAG_USE_DELTAS 0x2000
+// X509_V_FLAG_CHECK_SS_SIGNATURE checks the redundant signature on self-signed
+// trust anchors. This check provides no security benefit and only wastes CPU.
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+// X509_V_FLAG_TRUSTED_FIRST, during path-building, checks for a match in the
+// trust store before considering an untrusted intermediate. This flag is
+// enabled by default.
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
+// X509_V_FLAG_PARTIAL_CHAIN treats all trusted certificates as trust anchors,
+// independent of the |X509_VERIFY_PARAM_set_trust| setting.
+#define X509_V_FLAG_PARTIAL_CHAIN 0x80000
+// X509_V_FLAG_NO_ALT_CHAINS disables building alternative chains if the initial
+// one was rejected.
+#define X509_V_FLAG_NO_ALT_CHAINS 0x100000
+// X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate
+// verification.
+#define X509_V_FLAG_NO_CHECK_TIME 0x200000
-// XN_FLAG_SEP_CPLUS_SPC behaves like |XN_FLAG_SEP_COMMA_PLUS| but adds spaces
-// between the separators.
-#define XN_FLAG_SEP_CPLUS_SPC (2 << 16)
+// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s
+// verification flags and returns one. |flags| should be a combination of
+// |X509_V_FLAG_*| constants.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
-// XN_FLAG_SEP_SPLUS_SPC separates RDNs with "; " and attributes within an RDN
-// with " + ".
-#define XN_FLAG_SEP_SPLUS_SPC (3 << 16)
+// X509_VERIFY_PARAM_clear_flags disables all values in |flags| in |param|'s
+// verification flags and returns one. |flags| should be a combination of
+// |X509_V_FLAG_*| constants.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
-// XN_FLAG_SEP_MULTILINE prints each attribute on one line.
-#define XN_FLAG_SEP_MULTILINE (4 << 16)
+// X509_VERIFY_PARAM_get_flags returns |param|'s verification flags.
+OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags(
+ const X509_VERIFY_PARAM *param);
-// XN_FLAG_DN_REV prints RDNs in reverse, from least significant to most
-// significant, as RFC 2253.
-#define XN_FLAG_DN_REV (1 << 20)
+// X509_VERIFY_PARAM_set_depth configures |param| to limit certificate chains to
+// |depth| intermediate certificates. This count excludes both the target
+// certificate and the trust anchor (root certificate).
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param,
+ int depth);
-// XN_FLAG_FN_MASK determines how attribute types are displayed.
-#define XN_FLAG_FN_MASK (0x3 << 21)
+// X509_VERIFY_PARAM_get_depth returns the maximum depth configured in |param|.
+// See |X509_VERIFY_PARAM_set_depth|.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
-// XN_FLAG_FN_SN uses the attribute type's short name, when available.
-#define XN_FLAG_FN_SN 0
+// X509_VERIFY_PARAM_set_time configures certificate verification to use |t|
+// instead of the current time.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param,
+ time_t t);
-// XN_FLAG_SPC_EQ wraps the "=" operator with spaces when printing attributes.
-#define XN_FLAG_SPC_EQ (1 << 23)
+// X509_VERIFY_PARAM_set_time_posix configures certificate verification to use
+// |t| instead of the current time. |t| is interpreted as a POSIX timestamp in
+// seconds.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param,
+ int64_t t);
-// XN_FLAG_DUMP_UNKNOWN_FIELDS causes unknown attribute types to be printed in
-// hex, as in RFC 2253.
-#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
+// X509_VERIFY_PARAM_add0_policy adds |policy| to the user-initial-policy-set
+// (see Section 6.1.1 of RFC 5280). On success, it takes ownership of
+// |policy| and returns one. Otherwise, it returns zero and the caller retains
+// owneship of |policy|.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
+ ASN1_OBJECT *policy);
-// XN_FLAG_RFC2253 prints like RFC 2253.
-#define XN_FLAG_RFC2253 \
- (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \
- XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS)
+// X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see
+// Section 6.1.1 of RFC 5280) to a copy of |policies|. It returns one on success
+// and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(
+ X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies);
-// XN_FLAG_ONELINE prints a one-line representation of the name.
-#define XN_FLAG_ONELINE \
- (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \
- XN_FLAG_SPC_EQ | XN_FLAG_FN_SN)
+// X509_VERIFY_PARAM_set1_host configures |param| to check for the DNS name
+// specified by |name|. It returns one on success and zero on error.
+//
+// By default, both subject alternative names and the subject's common name
+// attribute are checked. The latter has long been deprecated, so callers should
+// call |X509_VERIFY_PARAM_set_hostflags| with
+// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior.
+// https://crbug.com/boringssl/464 tracks fixing the default.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+ const char *name,
+ size_t name_len);
-// X509_NAME_print_ex writes a human-readable representation of |nm| to |out|.
-// Each line of output is indented by |indent| spaces. It returns the number of
-// bytes written on success, and -1 on error. If |out| is NULL, it returns the
-// number of bytes it would have written but does not write anything. |flags|
-// should be some combination of |XN_FLAG_*| and |ASN1_STRFLGS_*| values and
-// determines the output. If unsure, use |XN_FLAG_RFC2253|.
+// X509_VERIFY_PARAM_add1_host adds |name| to the list of names checked by
+// |param|. If any configured DNS name matches the certificate, verification
+// succeeds. It returns one on success and zero on error.
 //
-// If |flags| is |XN_FLAG_COMPAT|, or zero, this function calls
-// |X509_NAME_print| instead. In that case, it returns one on success, rather
-// than the output length.
-OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
- unsigned long flags);
+// By default, both subject alternative names and the subject's common name
+// attribute are checked. The latter has long been deprecated, so callers should
+// call |X509_VERIFY_PARAM_set_hostflags| with
+// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior.
+// https://crbug.com/boringssl/464 tracks fixing the default.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+ const char *name,
+ size_t name_len);
-// X509_NAME_print prints a human-readable representation of |name| to |bp|. It
-// returns one on success and zero on error. |obase| is ignored.
+// X509_CHECK_FLAG_NO_WILDCARDS disables wildcard matching for DNS names.
+#define X509_CHECK_FLAG_NO_WILDCARDS 0x2
+
+// X509_CHECK_FLAG_NEVER_CHECK_SUBJECT disables the subject fallback, normally
+// enabled when subjectAltNames is missing.
+#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
+
+// X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on |param| to
+// |flags|. |flags| should be a combination of |X509_CHECK_FLAG_*| constants.
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags);
+
+// X509_VERIFY_PARAM_set1_email configures |param| to check for the email
+// address specified by |email|. It returns one on success and zero on error.
 //
-// This function outputs a legacy format that does not correctly handle string
-// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for
-// debugging purposes.
-OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
+// By default, both subject alternative names and the subject's email address
+// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be
+// used to change this behavior.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
+ const char *email,
+ size_t email_len);
-// X509_NAME_oneline writes a human-readable representation to |name| to a
-// buffer as a NUL-terminated C string.
+// X509_VERIFY_PARAM_set1_ip configures |param| to check for the IP address
+// specified by |ip|. It returns one on success and zero on error. The IP
+// address is specified in its binary representation. |ip_len| must be 4 for an
+// IPv4 address and 16 for an IPv6 address.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
+ const uint8_t *ip, size_t ip_len);
+
+// X509_VERIFY_PARAM_set1_ip_asc decodes |ipasc| as the ASCII representation of
+// an IPv4 or IPv6 address, and configures |param| to check for it. It returns
+// one on success and zero on error.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param,
+ const char *ipasc);
+
+// X509_PURPOSE_SSL_CLIENT validates TLS client certificates. It checks for the
+// id-kp-clientAuth EKU and one of digitalSignature or keyAgreement key usages.
+// The TLS library is expected to check for the key usage specific to the
+// negotiated TLS parameters.
+#define X509_PURPOSE_SSL_CLIENT 1
+// X509_PURPOSE_SSL_SERVER validates TLS server certificates. It checks for the
+// id-kp-clientAuth EKU and one of digitalSignature, keyAgreement, or
+// keyEncipherment key usages. The TLS library is expected to check for the key
+// usage specific to the negotiated TLS parameters.
+#define X509_PURPOSE_SSL_SERVER 2
+// X509_PURPOSE_NS_SSL_SERVER is a legacy mode. It behaves like
+// |X509_PURPOSE_SSL_SERVER|, but only accepts the keyEncipherment key usage,
+// used by SSL 2.0 and RSA key exchange. Do not use this.
+#define X509_PURPOSE_NS_SSL_SERVER 3
+// X509_PURPOSE_SMIME_SIGN validates S/MIME signing certificates. It checks for
+// the id-kp-emailProtection EKU and one of digitalSignature or nonRepudiation
+// key usages.
+#define X509_PURPOSE_SMIME_SIGN 4
+// X509_PURPOSE_SMIME_ENCRYPT validates S/MIME encryption certificates. It
+// checks for the id-kp-emailProtection EKU and keyEncipherment key usage.
+#define X509_PURPOSE_SMIME_ENCRYPT 5
+// X509_PURPOSE_CRL_SIGN validates indirect CRL signers. It checks for the
+// cRLSign key usage. BoringSSL does not support indirect CRLs and does not use
+// this mode.
+#define X509_PURPOSE_CRL_SIGN 6
+// X509_PURPOSE_ANY performs no EKU or key usage checks. Such checks are the
+// responsibility of the caller.
+#define X509_PURPOSE_ANY 7
+// X509_PURPOSE_OCSP_HELPER performs no EKU or key usage checks. It was
+// historically used in OpenSSL's OCSP implementation, which left those checks
+// to the OCSP implementation itself.
+#define X509_PURPOSE_OCSP_HELPER 8
+// X509_PURPOSE_TIMESTAMP_SIGN validates Time Stamping Authority (RFC 3161)
+// certificates. It checks for the id-kp-timeStamping EKU and one of
+// digitalSignature or nonRepudiation key usages. It additionally checks that
+// the EKU extension is critical and that no other EKUs or key usages are
+// asserted.
+#define X509_PURPOSE_TIMESTAMP_SIGN 9
+
+// X509_VERIFY_PARAM_set_purpose configures |param| to validate certificates for
+// a specified purpose. It returns one on success and zero if |purpose| is not a
+// valid purpose type. |purpose| should be one of the |X509_PURPOSE_*| values.
 //
-// If |buf| is NULL, returns a newly-allocated buffer containing the result on
-// success, or NULL on error. The buffer must be released with |OPENSSL_free|
-// when done.
+// This option controls checking the extended key usage (EKU) and key usage
+// extensions. These extensions specify how a certificate's public key may be
+// used and are important to avoid cross-protocol attacks, particularly in PKIs
+// that may issue certificates for multiple protocols, or for protocols that use
+// keys in multiple ways. If not configured, these security checks are the
+// caller's responsibility.
 //
-// If |buf| is non-NULL, at most |size| bytes of output are written to |buf|
-// instead. |size| includes the trailing NUL. The function then returns |buf| on
-// success or NULL on error. If the output does not fit in |size| bytes, the
-// output is silently truncated at an attribute boundary.
+// This library applies the EKU checks to all untrusted intermediates. Although
+// not defined in RFC 5280, this matches widely-deployed practice. It also does
+// not accept anyExtendedKeyUsage.
 //
-// This function outputs a legacy format that does not correctly handle string
-// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for
-// debugging purposes.
-OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *name, char *buf, int size);
+// Many purpose values have a corresponding trust value, which is not configured
+// by this function. See |X509_VERIFY_PARAM_set_trust| for details. Callers
+// that wish to configure both should either call both functions, or use
+// |X509_STORE_CTX_set_purpose|.
+//
+// It is currently not possible to configure custom EKU OIDs or key usage bits.
+// Contact the BoringSSL maintainers if your application needs to do so. OpenSSL
+// had an |X509_PURPOSE_add| API, but it was not thread-safe and relied on
+// global mutable state, so we removed it.
+//
+// TODO(davidben): This function additionally configures checking the legacy
+// Netscape certificate type extension. Remove this.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param,
+ int purpose);
-// X509_NAME_print_ex_fp behaves like |X509_NAME_print_ex| but writes to |fp|.
-OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm,
- int indent, unsigned long flags);
+// X509_TRUST_COMPAT evaluates trust using only the self-signed fallback. Trust
+// and distrust OIDs are ignored.
+#define X509_TRUST_COMPAT 1
+// X509_TRUST_SSL_CLIENT evaluates trust with the |NID_client_auth| OID, for
+// validating TLS client certificates.
+#define X509_TRUST_SSL_CLIENT 2
+// X509_TRUST_SSL_SERVER evaluates trust with the |NID_server_auth| OID, for
+// validating TLS server certificates.
+#define X509_TRUST_SSL_SERVER 3
+// X509_TRUST_EMAIL evaluates trust with the |NID_email_protect| OID, for
+// validating S/MIME email certificates.
+#define X509_TRUST_EMAIL 4
+// X509_TRUST_OBJECT_SIGN evaluates trust with the |NID_code_sign| OID, for
+// validating code signing certificates.
+#define X509_TRUST_OBJECT_SIGN 5
+// X509_TRUST_TSA evaluates trust with the |NID_time_stamp| OID, for validating
+// Time Stamping Authority (RFC 3161) certificates.
+#define X509_TRUST_TSA 8
-// X509_signature_dump writes a human-readable representation of |sig| to |bio|,
-// indented with |indent| spaces. It returns one on success and zero on error.
-OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig,
- int indent);
+// X509_VERIFY_PARAM_set_trust configures which certificates from |X509_STORE|
+// are trust anchors. It returns one on success and zero if |trust| is not a
+// valid trust value. |trust| should be one of the |X509_TRUST_*| constants.
+// This function allows applications to vary trust anchors when the same set of
+// trusted certificates is used in multiple contexts.
+//
+// Two properties determine whether a certificate is a trust anchor:
+//
+// - Whether it is trusted or distrusted for some OID, via auxiliary information
+// configured by |X509_add1_trust_object| or |X509_add1_reject_object|.
+//
+// - Whether it is "self-signed". That is, whether |X509_get_extension_flags|
+// includes |EXFLAG_SS|. The signature itself is not checked.
+//
+// When this function is called, |trust| determines the OID to check in the
+// first case. If the certificate is not explicitly trusted or distrusted for
+// any OID, it is trusted if self-signed instead.
+//
+// If unset, the default behavior is to check for the |NID_anyExtendedKeyUsage|
+// OID. If the certificate is not explicitly trusted or distrusted for this OID,
+// it is trusted if self-signed instead. Note this slightly differs from the
+// above.
+//
+// If the |X509_V_FLAG_PARTIAL_CHAIN| is set, every certificate from
+// |X509_STORE| is a trust anchor, unless it was explicitly distrusted for the
+// OID.
+//
+// It is currently not possible to configure custom trust OIDs. Contact the
+// BoringSSL maintainers if your application needs to do so. OpenSSL had an
+// |X509_TRUST_add| API, but it was not thread-safe and relied on global mutable
+// state, so we removed it.
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param,
+ int trust);
-// X509_signature_print writes a human-readable representation of |alg| and
-// |sig| to |bio|. It returns one on success and zero on error.
-OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg,
- const ASN1_STRING *sig);
+// Filesystem-based certificate stores.
+//
+// An |X509_STORE| may be configured to get its contents from the filesystem.
+// This is done by adding |X509_LOOKUP| structures to the |X509_STORE| with
+// |X509_STORE_add_lookup| and then configuring the |X509_LOOKUP| with paths.
+//
+// Most cases can use |X509_STORE_load_locations|, which configures the same
+// thing but is simpler to use.
-// Convenience functions.
+// X509_STORE_load_locations configures |store| to load data from filepaths
+// |file| and |dir|. It returns one on success and zero on error. Either of
+// |file| or |dir| may be NULL, but at least one must be non-NULL.
+//
+// If |file| is non-NULL, it loads CRLs and trusted certificates in PEM format
+// from the file at |file|, and them to |store|, as in |X509_load_cert_crl_file|
+// with |X509_FILETYPE_PEM|.
+//
+// If |dir| is non-NULL, it configures |store| to load CRLs and trusted
+// certificates from the directory at |dir| in PEM format, as in
+// |X509_LOOKUP_add_dir| with |X509_FILETYPE_PEM|.
+OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *store,
+ const char *file, const char *dir);
+
+// X509_STORE_add_lookup returns an |X509_LOOKUP| associated with |store| with
+// type |method|, or NULL on error. The result is owned by |store|, so callers
+// are not expected to free it. This may be used with |X509_LOOKUP_add_dir| or
+// |X509_LOOKUP_load_file|, depending on |method|, to configure |store|.
+//
+// A single |X509_LOOKUP| may be configured with multiple paths, and an
+// |X509_STORE| only contains one |X509_LOOKUP| of each type, so there is no
+// need to call this function multiple times for a single type. Calling it
+// multiple times will return the previous |X509_LOOKUP| of that type.
+OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(
+ X509_STORE *store, const X509_LOOKUP_METHOD *method);
+
+// X509_LOOKUP_hash_dir creates |X509_LOOKUP|s that may be used with
+// |X509_LOOKUP_add_dir|.
+OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
+
+// X509_LOOKUP_file creates |X509_LOOKUP|s that may be used with
+// |X509_LOOKUP_load_file|.
+//
+// Although this is modeled as an |X509_LOOKUP|, this function is redundant. It
+// has the same effect as loading a certificate or CRL from the filesystem, in
+// the caller's desired format, and then adding it with |X509_STORE_add_cert|
+// and |X509_STORE_add_crl|.
+OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
+
+// The following constants are used to specify the format of files in an
+// |X509_LOOKUP|.
+#define X509_FILETYPE_PEM 1
+#define X509_FILETYPE_ASN1 2
+#define X509_FILETYPE_DEFAULT 3
-// X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s
-// subjectPublicKeyInfo field with |md| and writes the result to |out|.
-// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If
-// |out_len| is not NULL, |*out_len| is set to the number of bytes written. This
-// function returns one on success and zero on error.
+// X509_LOOKUP_load_file calls |X509_load_cert_crl_file|. |lookup| must have
+// been constructed with |X509_LOOKUP_file|.
 //
-// This hash omits the BIT STRING tag, length, and number of unused bits. It
-// also omits the AlgorithmIdentifier which describes the key type. It
-// corresponds to the OCSP KeyHash definition and is not suitable for other
-// purposes.
-OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,
- uint8_t *out, unsigned *out_len);
+// If |type| is |X509_FILETYPE_DEFAULT|, it ignores |file| and instead uses some
+// default system path with |X509_FILETYPE_PEM|. See also
+// |X509_STORE_set_default_paths|.
+OPENSSL_EXPORT int X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *file,
+ int type);
+
+// X509_LOOKUP_add_dir configures |lookup| to load CRLs and trusted certificates
+// from the directories in |path|. It returns one on success and zero on error.
+// |lookup| must have been constructed with |X509_LOOKUP_hash_dir|.
+//
+// WARNING: |path| is interpreted as a colon-separated (semicolon-separated on
+// Windows) list of paths. It is not possible to configure a path containing the
+// separator character. https://crbug.com/boringssl/691 tracks removing this
+// behavior.
+//
+// |type| should be one of the |X509_FILETYPE_*| constants and determines the
+// format of the files. If |type| is |X509_FILETYPE_DEFAULT|, |path| is ignored
+// and some default system path is used with |X509_FILETYPE_PEM|. See also
+// |X509_STORE_set_default_paths|.
+//
+// Trusted certificates should be named HASH.N and CRLs should be
+// named HASH.rN. HASH is |X509_NAME_hash| of the certificate subject and CRL
+// issuer, respectively, in hexadecimal. N is in decimal and counts hash
+// collisions consecutively, starting from zero. For example, "002c0b4f.0" and
+// "002c0b4f.r0".
+//
+// WARNING: Objects from |path| are loaded on demand, but cached in memory on
+// the |X509_STORE|. If a CA is removed from the directory, existing
+// |X509_STORE|s will continue to trust it. Cache entries are not evicted for
+// the lifetime of the |X509_STORE|.
+//
+// WARNING: This mechanism is also not well-suited for CRL updates.
+// |X509_STORE|s rely on this cache and never load the same CRL file twice. CRL
+// updates must use a new file, with an incremented suffix, to be reflected in
+// existing |X509_STORE|s. However, this means each CRL update will use
+// additional storage and memory. Instead, configure inputs that vary per
+// verification, such as CRLs, on each |X509_STORE_CTX| separately, using
+// functions like |X509_STORE_CTX_set0_crl|.
+OPENSSL_EXPORT int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *path,
+ int type);
-// X509_digest hashes |x509|'s DER encoding with |md| and writes the result to
-// |out|. |EVP_MD_CTX_size| bytes are written, which is at most
-// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
-// of bytes written. This function returns one on success and zero on error.
-// Note this digest covers the entire certificate, not just the signed portion.
-OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out,
- unsigned *out_len);
+// X509_L_* are commands for |X509_LOOKUP_ctrl|.
+#define X509_L_FILE_LOAD 1
+#define X509_L_ADD_DIR 2
-// X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result
-// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
-// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
-// of bytes written. This function returns one on success and zero on error.
-// Note this digest covers the entire CRL, not just the signed portion.
-OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md,
- uint8_t *out, unsigned *out_len);
+// X509_LOOKUP_ctrl implements commands on |lookup|. |cmd| specifies the
+// command. The other arguments specify the operation in a command-specific way.
+// Use |X509_LOOKUP_load_file| or |X509_LOOKUP_add_dir| instead.
+OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *lookup, int cmd,
+ const char *argc, long argl, char **ret);
-// X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result
-// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
-// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
-// of bytes written. This function returns one on success and zero on error.
-// Note this digest covers the entire certificate request, not just the signed
-// portion.
-OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md,
- uint8_t *out, unsigned *out_len);
+// X509_load_cert_file loads trusted certificates from |file| and adds them to
+// |lookup|'s |X509_STORE|. It returns one on success and zero on error.
+//
+// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate.
+// If |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded
+// certificates. |type| may not be |X509_FILETYPE_DEFAULT|.
+OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *lookup, const char *file,
+ int type);
-// X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result
-// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most
-// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number
-// of bytes written. This function returns one on success and zero on error.
-OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md,
- uint8_t *out, unsigned *out_len);
+// X509_load_crl_file loads CRLs from |file| and add them it to |lookup|'s
+// |X509_STORE|. It returns one on success and zero on error.
+//
+// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded CRL. If
+// |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded CRLs.
+// |type| may not be |X509_FILETYPE_DEFAULT|.
+OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *lookup, const char *file,
+ int type);
-// The following functions behave like the corresponding unsuffixed |d2i_*|
-// functions, but read the result from |bp| instead. Callers using these
-// functions with memory |BIO|s to parse structures already in memory should use
-// |d2i_*| instead.
-OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509);
-OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
-OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
-OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
-OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
-OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
-OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
-OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
-OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
-OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
-OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
-OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(
- BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf);
-OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
-OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh);
+// X509_load_cert_crl_file loads CRLs and trusted certificates from |file| and
+// adds them to |lookup|'s |X509_STORE|. It returns one on success and zero on
+// error.
+//
+// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate.
+// This function cannot be used to load a DER-encoded CRL. If |type| is
+// |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded certificates and
+// CRLs. |type| may not be |X509_FILETYPE_DEFAULT|.
+OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *lookup,
+ const char *file, int type);
+
+// X509_NAME_hash returns a hash of |name|, or zero on error. This is the new
+// hash used by |X509_LOOKUP_add_dir|.
+//
+// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is
+// not suitable for general-purpose X.509 name processing. It is very short, so
+// there will be hash collisions. It also depends on an OpenSSL-specific
+// canonicalization process.
+//
+// TODO(https://crbug.com/boringssl/407): This should be const and thread-safe
+// but currently is neither, notably if |name| was modified from its parsed
+// value.
+OPENSSL_EXPORT uint32_t X509_NAME_hash(X509_NAME *name);
+
+// X509_NAME_hash_old returns a hash of |name|, or zero on error. This is the
+// legacy hash used by |X509_LOOKUP_add_dir|, which is still supported for
+// compatibility.
+//
+// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is
+// not suitable for general-purpose X.509 name processing. It is very short, so
+// there will be hash collisions.
+//
+// TODO(https://crbug.com/boringssl/407): This should be const and thread-safe
+// but currently is neither, notably if |name| was modified from its parsed
+// value.
+OPENSSL_EXPORT uint32_t X509_NAME_hash_old(X509_NAME *name);
+
+// X509_STORE_set_default_paths configures |store| to read from some "default"
+// filesystem paths. It returns one on success and zero on error. The filesystem
+// paths are determined by a combination of hardcoded paths and the SSL_CERT_DIR
+// and SSL_CERT_FILE environment variables.
+//
+// Using this function is not recommended. In OpenSSL, these defaults are
+// determined by OpenSSL's install prefix. There is no corresponding concept for
+// BoringSSL. Future versions of BoringSSL may change or remove this
+// functionality.
+OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *store);
+
+// The following functions return filesystem paths used to determine the above
+// "default" paths, when the corresponding environment variables are not set.
+//
+// Using these functions is not recommended. In OpenSSL, these defaults are
+// determined by OpenSSL's install prefix. There is no corresponding concept for
+// BoringSSL. Future versions of BoringSSL may change or remove this
+// functionality.
+OPENSSL_EXPORT const char *X509_get_default_cert_area(void);
+OPENSSL_EXPORT const char *X509_get_default_cert_dir(void);
+OPENSSL_EXPORT const char *X509_get_default_cert_file(void);
+OPENSSL_EXPORT const char *X509_get_default_private_dir(void);
-// d2i_PrivateKey_bio behaves like |d2i_AutoPrivateKey|, but reads from |bp|
-// instead.
-OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
+// X509_get_default_cert_dir_env returns "SSL_CERT_DIR", an environment variable
+// used to determine the above "default" paths.
+OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void);
-// The following functions behave like the corresponding unsuffixed |i2d_*|
-// functions, but write the result to |bp|. They return one on success and zero
-// on error. Callers using them with memory |BIO|s to encode structures to
-// memory should use |i2d_*| directly instead.
-OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509);
-OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
-OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);
-OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa);
-OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa);
-OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa);
-OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa);
-OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa);
-OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
-OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
-OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8);
-OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
- PKCS8_PRIV_KEY_INFO *p8inf);
-OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
-OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey);
-OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh);
-
-// i2d_PKCS8PrivateKeyInfo_bio encodes |key| as a PKCS#8 PrivateKeyInfo
-// structure (see |EVP_marshal_private_key|) and writes the result to |bp|.
It
-// returns one on success and zero on error.
-OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
-
-// The following functions behave like the corresponding |d2i_*_bio| functions,
-// but read from |fp| instead.
-OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509);
-OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
-OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
-OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
-OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
-OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
-OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
-OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
-OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
-OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
-OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
-OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(
- FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf);
-OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
-OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
+// X509_get_default_cert_file_env returns "SSL_CERT_FILE", an environment
+// variable used to determine the above "default" paths.
+OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void);
-// The following functions behave like the corresponding |i2d_*_bio| functions,
-// but write to |fp| instead.
-OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509);
-OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl);
-OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req);
-OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa);
-OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa);
-OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa);
-OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa);
-OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa);
-OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
-OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
-OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8);
-OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
- PKCS8_PRIV_KEY_INFO *p8inf);
-OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
-OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
-OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
-// X509_find_by_issuer_and_serial returns the first |X509| in |sk| whose issuer
-// and serial are |name| and |serial|, respectively. If no match is found, it
-// returns NULL.
-OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk,
- X509_NAME *name,
- const ASN1_INTEGER *serial);
+// SignedPublicKeyAndChallenge structures.
+//
+// The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request
+// certificates, primarily in the legacy HTML tag. An SPKAC structure
+// is represented by a |NETSCAPE_SPKI| structure.
+//
+// The structure is described in
+// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen
-// X509_find_by_subject returns the first |X509| in |sk| whose subject is
-// |name|. If no match is found, it returns NULL.
-OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk,
- X509_NAME *name);
+// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a
+// SignedPublicKeyAndChallenge structure.
Although this structure contains a
+// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the
+// entire structure, not the signed portion.
+struct Netscape_spki_st {
+ NETSCAPE_SPKAC *spkac;
+ X509_ALGOR *sig_algor;
+ ASN1_BIT_STRING *signature;
+} /* NETSCAPE_SPKI */;
-// X509_cmp_time compares |s| against |*t|. On success, it returns a negative
-// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it
-// returns zero. If |t| is NULL, it uses the current time instead of |*t|.
-//
-// WARNING: Unlike most comparison functions, this function returns zero on
-// error, not equality.
-OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t);
+// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or
+// NULL on error.
+OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
-// X509_cmp_time_posix compares |s| against |t|. On success, it returns a
-// negative number if |s| <= |t| and a positive number if |s| > |t|. On error,
-// it returns zero.
-//
-// WARNING: Unlike most comparison functions, this function returns zero on
-// error, not equality.
-OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t);
+// NETSCAPE_SPKI_free releases memory associated with |spki|.
+OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki);
-// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against
-// the current time.
-OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s);
+// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded
+// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out,
+ const uint8_t **inp, long len);
-// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero.
-OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec,
- const time_t *t);
+// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded
+// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp);
-// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If
-// |t| is NULL, it uses the current time instead of |*t|.
-OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day,
- long offset_sec, const time_t *t);
+// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It
+// returns one if the signature is valid and zero otherwise.
+OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey);
-// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the
-// current time.
-OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec);
+// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded
+// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
+// |NETSCAPE_SPKI| structure with the result, or NULL on error. If |len| is 0 or
+// negative, the length is calculated with |strlen| and |str| must be a
+// NUL-terminated C string.
+OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str,
+ ossl_ssize_t len);
+// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded
+// SignedPublicKeyAndChallenge structure. It returns a newly-allocated
+// NUL-terminated C string with the result, or NULL on error. The caller must
+// release the memory with |OPENSSL_free| when done.
+OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki);
-// ex_data functions.
-//
-// See |ex_data.h| for details.
+// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an
+// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting
+// pointer and must call |EVP_PKEY_free| when done.
+OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *spki);
-OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_unused *unused,
- CRYPTO_EX_dup *dup_unused,
- CRYPTO_EX_free *free_func);
-OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg);
-OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx);
+// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one
+// on success or zero on error. This function does not take ownership of |pkey|,
+// so the caller may continue to manage its lifetime independently of |spki|.
+OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki,
+ EVP_PKEY *pkey);
-OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
- CRYPTO_EX_unused *unused,
- CRYPTO_EX_dup *dup_unused,
- CRYPTO_EX_free *free_func);
-OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx,
- void *data);
-OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
+// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature
+// algorithm and signature fields. It returns the length of the signature on
+// success and zero on error. This function uses digest algorithm |md|, or
+// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults.
+OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
+ const EVP_MD *md);
+// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge
+// structure. This type is misnamed. The full SPKAC includes the signature,
+// which is represented with the |NETSCAPE_SPKI| type.
+struct Netscape_spkac_st {
+ X509_PUBKEY *pubkey;
+ ASN1_IA5STRING *challenge;
+} /* NETSCAPE_SPKAC */;
-// Deprecated functions.
+// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object,
+// or NULL on error.
+OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void);
-// X509_get_notBefore returns |x509|'s notBefore time.
Note this function is not
-// const-correct for legacy reasons. Use |X509_get0_notBefore| or
-// |X509_getm_notBefore| instead.
-OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509);
+// NETSCAPE_SPKAC_free releases memory associated with |spkac|.
+OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac);
-// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not
-// const-correct for legacy reasons. Use |X509_get0_notAfter| or
-// |X509_getm_notAfter| instead.
-OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509);
+// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded
+// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out,
+ const uint8_t **inp,
+ long len);
-// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore|
-// instead.
-OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm);
+// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge
+// structure, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac,
+ uint8_t **outp);
-// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter|
-// instead.
-OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm);
-// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time.
-// The OpenSSL API refers to this field as lastUpdate.
+// RSASSA-PSS Parameters.
 //
-// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead.
-OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);
+// In X.509, RSASSA-PSS signatures and keys use a complex parameter structure,
+// defined in RFC 4055. The following functions are provided for compatibility
+// with some OpenSSL APIs relating to this. Use of RSASSA-PSS in X.509 is
+// discouraged.
The parameters structure is very complex, and it takes more
+// bytes to merely encode parameters than an entire P-256 ECDSA signature.
+
+// An rsa_pss_params_st, aka |RSA_PSS_PARAMS|, represents a parsed
+// RSASSA-PSS-params structure, as defined in (RFC 4055).
+struct rsa_pss_params_st {
+ X509_ALGOR *hashAlgorithm;
+ X509_ALGOR *maskGenAlgorithm;
+ ASN1_INTEGER *saltLength;
+ ASN1_INTEGER *trailerField;
+ // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the
+ // cases apply to BoringSSL, so this is always NULL, but Node expects the
+ // field to be present.
+ X509_ALGOR *maskHash;
+} /* RSA_PSS_PARAMS */;
-// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time,
-// or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or
-// |X509_CRL_set1_nextUpdate| instead.
-OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
+// RSA_PSS_PARAMS is an |ASN1_ITEM| whose ASN.1 type is RSASSA-PSS-params (RFC
+// 4055) and C type is |RSA_PSS_PARAMS*|.
+DECLARE_ASN1_ITEM(RSA_PSS_PARAMS)
-// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use
-// |X509_get_pubkey| instead.
-#define X509_extract_key(x) X509_get_pubkey(x)
+// RSA_PSS_PARAMS_new returns a new, empty |RSA_PSS_PARAMS|, or NULL on error.
+OPENSSL_EXPORT RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void);
-// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|.
-#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
+// RSA_PSS_PARAMS_free releases memory associated with |params|.
+OPENSSL_EXPORT void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *params);
-// X509_name_cmp is a legacy alias for |X509_NAME_cmp|.
-#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b))
+// d2i_RSA_PSS_PARAMS parses up to |len| bytes from |*inp| as a DER-encoded
+// RSASSA-PSS-params (RFC 4055), as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **out,
+ const uint8_t **inp,
+ long len);
-// The following symbols are deprecated aliases to |X509_CRL_set1_*|.
-#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
-#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
+// i2d_RSA_PSS_PARAMS marshals |in| as a DER-encoded RSASSA-PSS-params (RFC
+// 4055), as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_RSA_PSS_PARAMS(const RSA_PSS_PARAMS *in, uint8_t **outp);
-// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number.
-// Prefer |X509_get0_serialNumber|.
-OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509);
-// X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in
-// |name|. If found, it writes the value's UTF-8 representation to |buf|.
-// followed by a NUL byte, and returns the number of bytes in the output,
-// excluding the NUL byte. This is unlike OpenSSL which returns the raw
-// ASN1_STRING data. The UTF-8 encoding of the |ASN1_STRING| may not contain a 0
-// codepoint.
+// PKCS#8 private keys.
 //
-// This function writes at most |len| bytes, including the NUL byte. If |buf|
-// is NULL, it writes nothing and returns the number of bytes in the
-// output, excluding the NUL byte that would be required for the full UTF-8
-// output.
+// The |PKCS8_PRIV_KEY_INFO| type represents a PKCS#8 PrivateKeyInfo (RFC 5208)
+// structure. This is analogous to SubjectPublicKeyInfo and uses the same
+// AlgorithmIdentifiers, but carries private keys and is not part of X.509
+// itself.
 //
-// This function may return -1 if an error occurs for any reason, including the
-// value not being a recognized string type, |len| being of insufficient size to
-// hold the full UTF-8 encoding and NUL byte, memory allocation failures, an
-// object with type |obj| not existing in |name|, or if the UTF-8 encoding of
-// the string contains a zero byte.
-OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name,
- const ASN1_OBJECT *obj, char *buf,
- int len);
+// TODO(davidben): Do these functions really belong in this header?
-// X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it
-// finds an attribute of type |nid|, which should be one of the |NID_*|
-// constants.
-OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
- char *buf, int len);
+// PKCS8_PRIV_KEY_INFO_new returns a newly-allocated, empty
+// |PKCS8_PRIV_KEY_INFO| object, or NULL on error.
+OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void);
+// PKCS8_PRIV_KEY_INFO_free releases memory associated with |key|.
+OPENSSL_EXPORT void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *key);
-// Private structures.
+// d2i_PKCS8_PRIV_KEY_INFO parses up to |len| bytes from |*inp| as a DER-encoded
+// PrivateKeyInfo, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(
+ PKCS8_PRIV_KEY_INFO **out, const uint8_t **inp, long len);
-struct X509_algor_st {
- ASN1_OBJECT *algorithm;
- ASN1_TYPE *parameter;
-} /* X509_ALGOR */;
+// i2d_PKCS8_PRIV_KEY_INFO marshals |key| as a DER-encoded PrivateKeyInfo, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO(const PKCS8_PRIV_KEY_INFO *key,
+ uint8_t **outp);
+// EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the
+// key was unsupported or could not be decoded. The caller must release the
+// result with |EVP_PKEY_free| when done.
+//
+// Use |EVP_parse_private_key| instead.
+OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8);
-// Functions below this point have not yet been organized into sections.
+// EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208),
+// represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The
+// caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done.
+//
+// Use |EVP_marshal_private_key| instead.
+OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey);
-#define X509_FILETYPE_PEM 1
-#define X509_FILETYPE_ASN1 2
-#define X509_FILETYPE_DEFAULT 3
-#define X509v3_KU_DIGITAL_SIGNATURE 0x0080
-#define X509v3_KU_NON_REPUDIATION 0x0040
-#define X509v3_KU_KEY_ENCIPHERMENT 0x0020
-#define X509v3_KU_DATA_ENCIPHERMENT 0x0010
-#define X509v3_KU_KEY_AGREEMENT 0x0008
-#define X509v3_KU_KEY_CERT_SIGN 0x0004
-#define X509v3_KU_CRL_SIGN 0x0002
-#define X509v3_KU_ENCIPHER_ONLY 0x0001
-#define X509v3_KU_DECIPHER_ONLY 0x8000
-#define X509v3_KU_UNDEF 0xffff
+// Algorithm and octet string pairs.
+//
+// The |X509_SIG| type represents an ASN.1 SEQUENCE type of an
+// AlgorithmIdentifier and an OCTET STRING. Although named |X509_SIG|, there is
+// no type in X.509 which matches this format. The two common types which do are
+// DigestInfo (RFC 2315 and RFC 8017), and EncryptedPrivateKeyInfo (RFC 5208).
-// This stuff is certificate "auxiliary info"
-// it contains details which are useful in certificate
-// stores and databases. When used this is tagged onto
-// the end of the certificate itself
+// X509_SIG_new returns a newly-allocated, empty |X509_SIG| object, or NULL on
+// error.
+OPENSSL_EXPORT X509_SIG *X509_SIG_new(void);
-DECLARE_STACK_OF(DIST_POINT)
-DECLARE_STACK_OF(GENERAL_NAME)
+// X509_SIG_free releases memory associated with |key|.
+OPENSSL_EXPORT void X509_SIG_free(X509_SIG *key);
-// This is used for a table of trust checking functions
+// d2i_X509_SIG parses up to |len| bytes from |*inp| as a DER-encoded algorithm
+// and octet string pair, as described in |d2i_SAMPLE|.
+OPENSSL_EXPORT X509_SIG *d2i_X509_SIG(X509_SIG **out, const uint8_t **inp,
+ long len);
-struct x509_trust_st {
- int trust;
- int flags;
- int (*check_trust)(struct x509_trust_st *, X509 *, int);
- char *name;
- int arg1;
- void *arg2;
-} /* X509_TRUST */;
+// i2d_X509_SIG marshals |sig| as a DER-encoded algorithm
+// and octet string pair, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_X509_SIG(const X509_SIG *sig, uint8_t **outp);
-DEFINE_STACK_OF(X509_TRUST)
+// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to
+// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and
+// |out_digest| may be NULL to skip those fields.
+OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig,
+ const X509_ALGOR **out_alg,
+ const ASN1_OCTET_STRING **out_digest);
-// standard trust ids
+// X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers.
+OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg,
+ ASN1_OCTET_STRING **out_digest);
-#define X509_TRUST_DEFAULT (-1) // Only valid in purpose settings
-#define X509_TRUST_COMPAT 1
-#define X509_TRUST_SSL_CLIENT 2
-#define X509_TRUST_SSL_SERVER 3
-#define X509_TRUST_EMAIL 4
-#define X509_TRUST_OBJECT_SIGN 5
-#define X509_TRUST_OCSP_SIGN 6
-#define X509_TRUST_OCSP_REQUEST 7
-#define X509_TRUST_TSA 8
+// Printing functions.
+//
+// The following functions output human-readable representations of
+// X.509-related structures. They should only be used for debugging or logging
+// and not parsed programmatically. In many cases, the outputs are ambiguous, so
+// attempting to parse them can lead to string injection vulnerabilities.
+
+// The following flags control |X509_print_ex| and |X509_REQ_print_ex|. These
+// flags co-exist with |X509V3_EXT_*|, so avoid collisions when adding new ones.
+
+// X509_FLAG_COMPAT disables all flags. It additionally causes names to be
+// printed with a 16-byte indent.
+#define X509_FLAG_COMPAT 0
-// Keep these up to date!
-#define X509_TRUST_MIN 1
-#define X509_TRUST_MAX 8
+// X509_FLAG_NO_HEADER skips a header identifying the type of object printed.
+#define X509_FLAG_NO_HEADER 1L
+// X509_FLAG_NO_VERSION skips printing the X.509 version number.
+#define X509_FLAG_NO_VERSION (1L << 1)
-// trust_flags values
-#define X509_TRUST_DYNAMIC 1
-#define X509_TRUST_DYNAMIC_NAME 2
+// X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in
+// |X509_REQ_print_fp|.
+#define X509_FLAG_NO_SERIAL (1L << 2)
-// check_trust return codes
+// X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the
+// TBSCertificate. It is ignored in |X509_REQ_print_fp|.
+#define X509_FLAG_NO_SIGNAME (1L << 3)
-#define X509_TRUST_TRUSTED 1
-#define X509_TRUST_REJECTED 2
-#define X509_TRUST_UNTRUSTED 3
+// X509_FLAG_NO_ISSUER skips printing the issuer.
+#define X509_FLAG_NO_ISSUER (1L << 4)
-DEFINE_STACK_OF(X509_REVOKED)
+// X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is
+// ignored in |X509_REQ_print_fp|.
+#define X509_FLAG_NO_VALIDITY (1L << 5)
-DECLARE_STACK_OF(GENERAL_NAMES)
+// X509_FLAG_NO_SUBJECT skips printing the subject.
+#define X509_FLAG_NO_SUBJECT (1L << 6)
-struct private_key_st {
- int version;
- // The PKCS#8 data types
- X509_ALGOR *enc_algor;
- ASN1_OCTET_STRING *enc_pkey; // encrypted pub key
+// X509_FLAG_NO_PUBKEY skips printing the public key.
+#define X509_FLAG_NO_PUBKEY (1L << 7)
- // When decrypted, the following will not be NULL
- EVP_PKEY *dec_pkey;
+// X509_FLAG_NO_EXTENSIONS skips printing the extension list. It is ignored in
+// |X509_REQ_print_fp|. CSRs instead have attributes, which is controlled by
+// |X509_FLAG_NO_ATTRIBUTES|.
+#define X509_FLAG_NO_EXTENSIONS (1L << 8)
- // used to encrypt and decrypt
- int key_length;
- char *key_data;
- int key_free; // true if we should auto free key_data
+// X509_FLAG_NO_SIGDUMP skips printing the signature and outer signature
+// algorithm.
+#define X509_FLAG_NO_SIGDUMP (1L << 9)
- // expanded version of 'enc_algor'
- EVP_CIPHER_INFO cipher;
-} /* X509_PKEY */;
+// X509_FLAG_NO_AUX skips printing auxiliary properties. (See |d2i_X509_AUX| and
+// related functions.)
+#define X509_FLAG_NO_AUX (1L << 10)
-struct X509_info_st {
- X509 *x509;
- X509_CRL *crl;
- X509_PKEY *x_pkey;
+// X509_FLAG_NO_ATTRIBUTES skips printing CSR attributes. It does nothing for
+// certificates and CRLs.
+#define X509_FLAG_NO_ATTRIBUTES (1L << 11)
- EVP_CIPHER_INFO enc_cipher;
- int enc_len;
- char *enc_data;
+// X509_FLAG_NO_IDS skips printing the issuerUniqueID and subjectUniqueID in a
+// certificate. It is ignored in |X509_REQ_print_fp|.
+#define X509_FLAG_NO_IDS (1L << 12)
-} /* X509_INFO */;
+// The following flags control |X509_print_ex|, |X509_REQ_print_ex|,
+// |X509V3_EXT_print|, and |X509V3_extensions_print|. These flags coexist with
+// |X509_FLAG_*|, so avoid collisions when adding new ones.
-DEFINE_STACK_OF(X509_INFO)
+// X509V3_EXT_U 
NKNOWN_MASK is a mask that determines how unknown extensions are
+// processed.
+#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
-// X509_get_pathlen returns path length constraint from the basic constraints
-// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the
-// constraint is not present, or if some extension in |x509| was invalid.
+// X509V3_EXT_DEFAULT causes unknown extensions or syntax errors to return
+// failure.
+#define X509V3_EXT_DEFAULT 0
+
+// X509V3_EXT_ERROR_UNKNOWN causes unknown extensions or syntax errors to print
+// as "" or "", respectively.
+#define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
+
+// X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like
+// |X509V3_EXT_DUMP_UNKNOWN|.
+#define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
+
+// X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a
+// hexdump.
+#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
+
+// X509_print_ex writes a human-readable representation of |x| to |bp|.
It
+// returns one on success and zero on error. |nmflags| is the flags parameter
+// for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should
+// be some combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants.
+OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
+ unsigned long cflag);
+
+// X509_print_ex_fp behaves like |X509_print_ex| but writes to |fp|.
+OPENSSL_EXPORT int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag,
+ unsigned long cflag);
+
+// X509_print calls |X509_print_ex| with |XN_FLAG_COMPAT| and |X509_FLAG_COMPAT|
+// flags.
+OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x);
+
+// X509_print_fp behaves like |X509_print| but writes to |fp|.
+OPENSSL_EXPORT int X509_print_fp(FILE *fp, X509 *x);
+
+// X509_CRL_print writes a human-readable representation of |x| to |bp|. It
+// returns one on success and zero on error.
+OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x);
+
+// X509_CRL_print_fp behaves like |X509_CRL_print| but writes to |fp|.
+OPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, X509_CRL *x);
+
+// X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It
+// returns one on success and zero on error. |nmflags| is the flags parameter
+// for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some
+// combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants.
+OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
+ unsigned long cflag);
+
+// X509_REQ_print calls |X509_REQ_print_ex| with |XN_FLAG_COMPAT| and
+// |X509_FLAG_COMPAT| flags.
+OPENSSL_EXPORT int X509_REQ_print(BIO *bp, X509_REQ *req);
+
+// X509_REQ_print_fp behaves like |X509_REQ_print| but writes to |fp|.
+OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, X509_REQ *req);
+
+// The following flags are control |X509_NAME_print_ex|. They must not collide
+// with |ASN1_STRFLGS_*|.
// -// Note that decoding an |X509| object will not check for invalid extensions. To -// detect the error case, call |X509_get_extensions_flags| and check the -// |EXFLAG_INVALID| bit. -OPENSSL_EXPORT long X509_get_pathlen(X509 *x509); +// TODO(davidben): This is far, far too many options and most of them are +// useless. Trim this down. -// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to -// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and -// |out_digest| may be NULL to skip those fields. -OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig, - const X509_ALGOR **out_alg, - const ASN1_OCTET_STRING **out_digest); +// XN_FLAG_COMPAT prints with |X509_NAME_print|'s format and return value +// convention. +#define XN_FLAG_COMPAT 0ul -// X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers. -OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, - ASN1_OCTET_STRING **out_digest); +// XN_FLAG_SEP_MASK determines the separators to use between attributes. +#define XN_FLAG_SEP_MASK (0xful << 16) -// X509_verify_cert_error_string returns |err| as a human-readable string, where -// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns -// a default description. -OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); +// XN_FLAG_SEP_COMMA_PLUS separates RDNs with "," and attributes within an RDN +// with "+", as in RFC 2253. +#define XN_FLAG_SEP_COMMA_PLUS (1ul << 16) -// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error. -// This function works by serializing the structure, so if |rev| is incomplete, -// it may fail. -OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev); +// XN_FLAG_SEP_CPLUS_SPC behaves like |XN_FLAG_SEP_COMMA_PLUS| but adds spaces +// between the separators. 
+#define XN_FLAG_SEP_CPLUS_SPC (2ul << 16) -OPENSSL_EXPORT const char *X509_get_default_cert_area(void); -OPENSSL_EXPORT const char *X509_get_default_cert_dir(void); -OPENSSL_EXPORT const char *X509_get_default_cert_file(void); -OPENSSL_EXPORT const char *X509_get_default_cert_dir_env(void); -OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void); -OPENSSL_EXPORT const char *X509_get_default_private_dir(void); +// XN_FLAG_SEP_SPLUS_SPC separates RDNs with "; " and attributes within an RDN +// with " + ". +#define XN_FLAG_SEP_SPLUS_SPC (3ul << 16) -DECLARE_ASN1_FUNCTIONS_const(X509_PUBKEY) +// XN_FLAG_SEP_MULTILINE prints each attribute on one line. +#define XN_FLAG_SEP_MULTILINE (4ul << 16) -// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| -// structure. On success, it frees |*x|, sets |*x| to the new object, and -// returns one. Otherwise, it returns zero. -OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); +// XN_FLAG_DN_REV prints RDNs in reverse, from least significant to most +// significant, as RFC 2253. +#define XN_FLAG_DN_REV (1ul << 20) -// X509_PUBKEY_get decodes the public key in |key| and returns an |EVP_PKEY| on -// success, or NULL on error. The caller must release the result with -// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must -// not mutate the result. -OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); +// XN_FLAG_FN_MASK determines how attribute types are displayed. +#define XN_FLAG_FN_MASK (0x3ul << 21) -DECLARE_ASN1_FUNCTIONS_const(X509_SIG) +// XN_FLAG_FN_SN uses the attribute type's short name, when available. +#define XN_FLAG_FN_SN 0ul -OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); -OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); -OPENSSL_EXPORT void X509_trust_clear(X509 *x); -OPENSSL_EXPORT void X509_reject_clear(X509 *x); +// XN_FLAG_SPC_EQ wraps the "=" operator with spaces when printing attributes. 
+#define XN_FLAG_SPC_EQ (1ul << 23) +// XN_FLAG_DUMP_UNKNOWN_FIELDS causes unknown attribute types to be printed in +// hex, as in RFC 2253. +#define XN_FLAG_DUMP_UNKNOWN_FIELDS (1ul << 24) -OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); +// XN_FLAG_RFC2253 prints like RFC 2253. +#define XN_FLAG_RFC2253 \ + (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ + XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS) -DECLARE_ASN1_FUNCTIONS_const(X509_REVOKED) +// XN_FLAG_ONELINE prints a one-line representation of the name. +#define XN_FLAG_ONELINE \ + (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \ + XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) -OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); -OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **ret, - ASN1_INTEGER *serial); -OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, - X509 *x); +// X509_NAME_print_ex writes a human-readable representation of |nm| to |out|. +// Each line of output is indented by |indent| spaces. It returns the number of +// bytes written on success, and -1 on error. If |out| is NULL, it returns the +// number of bytes it would have written but does not write anything. |flags| +// should be some combination of |XN_FLAG_*| and |ASN1_STRFLGS_*| values and +// determines the output. If unsure, use |XN_FLAG_RFC2253|. +// +// If |flags| is |XN_FLAG_COMPAT|, or zero, this function calls +// |X509_NAME_print| instead. In that case, it returns one on success, rather +// than the output length. +OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, + unsigned long flags); -OPENSSL_EXPORT X509_PKEY *X509_PKEY_new(void); -OPENSSL_EXPORT void X509_PKEY_free(X509_PKEY *a); +// X509_NAME_print prints a human-readable representation of |name| to |bp|. It +// returns one on success and zero on error. |obase| is ignored. 
+// +// This function outputs a legacy format that does not correctly handle string +// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for +// debugging purposes. +OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); -OPENSSL_EXPORT X509_INFO *X509_INFO_new(void); -OPENSSL_EXPORT void X509_INFO_free(X509_INFO *a); +// X509_NAME_oneline writes a human-readable representation to |name| to a +// buffer as a NUL-terminated C string. +// +// If |buf| is NULL, returns a newly-allocated buffer containing the result on +// success, or NULL on error. The buffer must be released with |OPENSSL_free| +// when done. +// +// If |buf| is non-NULL, at most |size| bytes of output are written to |buf| +// instead. |size| includes the trailing NUL. The function then returns |buf| on +// success or NULL on error. If the output does not fit in |size| bytes, the +// output is silently truncated at an attribute boundary. +// +// This function outputs a legacy format that does not correctly handle string +// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for +// debugging purposes. +OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *name, char *buf, int size); -OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, - unsigned char *md, unsigned int *len); +// X509_NAME_print_ex_fp behaves like |X509_NAME_print_ex| but writes to |fp|. +OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, + int indent, unsigned long flags); -OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, - void *data, unsigned char *md, - unsigned int *len); +// X509_signature_dump writes a human-readable representation of |sig| to |bio|, +// indented with |indent| spaces. It returns one on success and zero on error. 
+OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig, + int indent); -OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it, - const X509_ALGOR *algor1, - const ASN1_BIT_STRING *signature, - void *data, EVP_PKEY *pkey); +// X509_signature_print writes a human-readable representation of |alg| and +// |sig| to |bio|. It returns one on success and zero on error. +OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg, + const ASN1_STRING *sig); -OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, - X509_ALGOR *algor2, - ASN1_BIT_STRING *signature, void *data, - EVP_PKEY *pkey, const EVP_MD *type); -OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, - X509_ALGOR *algor2, - ASN1_BIT_STRING *signature, void *asn, - EVP_MD_CTX *ctx); +// X509V3_EXT_print prints a human-readable representation of |ext| to out. It +// returns one on success and zero on error. The output is indented by |indent| +// spaces. |flag| is one of the |X509V3_EXT_*| constants and controls printing +// of unknown extensions and syntax errors. +// +// WARNING: Although some applications programmatically parse the output of this +// function to process X.509 extensions, this is not safe. In many cases, the +// outputs are ambiguous to attempting to parse them can lead to string +// injection vulnerabilities. These functions should only be used for debugging +// or logging. +OPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, + unsigned long flag, int indent); + +// X509V3_EXT_print_fp behaves like |X509V3_EXT_print| but writes to a |FILE| +// instead of a |BIO|. +OPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext, + int flag, int indent); + +// X509V3_extensions_print prints |title|, followed by a human-readable +// representation of |exts| to |out|. It returns one on success and zero on +// error. The output is indented by |indent| spaces. 
|flag| is one of the +// |X509V3_EXT_*| constants and controls printing of unknown extensions and +// syntax errors. +OPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title, + const STACK_OF(X509_EXTENSION) *exts, + unsigned long flag, int indent); + +// GENERAL_NAME_print prints a human-readable representation of |gen| to |out|. +// It returns one on success and zero on error. +// +// TODO(davidben): Actually, it just returns one and doesn't check for I/O or +// allocation errors. But it should return zero on error. +OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); -OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl); -// X509_REVOKED_get0_serialNumber returns the serial number of the certificate -// revoked by |revoked|. -OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber( - const X509_REVOKED *revoked); +// Convenience functions. -// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It -// returns one on success or zero on error. -OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked, - const ASN1_INTEGER *serial); +// X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s +// subjectPublicKeyInfo field with |md| and writes the result to |out|. +// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If +// |out_len| is not NULL, |*out_len| is set to the number of bytes written. This +// function returns one on success and zero on error. +// +// This hash omits the BIT STRING tag, length, and number of unused bits. It +// also omits the AlgorithmIdentifier which describes the key type. It +// corresponds to the OCSP KeyHash definition and is not suitable for other +// purposes. +OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md, + uint8_t *out, unsigned *out_len); -// X509_REVOKED_get0_revocationDate returns the revocation time of the -// certificate revoked by |revoked|. 
-OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate( - const X509_REVOKED *revoked); +// X509_digest hashes |x509|'s DER encoding with |md| and writes the result to +// |out|. |EVP_MD_CTX_size| bytes are written, which is at most +// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// of bytes written. This function returns one on success and zero on error. +// Note this digest covers the entire certificate, not just the signed portion. +OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out, + unsigned *out_len); -// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It -// returns one on success or zero on error. -OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked, - const ASN1_TIME *tm); +// X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result +// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most +// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// of bytes written. This function returns one on success and zero on error. +// Note this digest covers the entire CRL, not just the signed portion. +OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md, + uint8_t *out, unsigned *out_len); -// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r| -// omits it. -OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions( - const X509_REVOKED *r); +// X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result +// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most +// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// of bytes written. This function returns one on success and zero on error. +// Note this digest covers the entire certificate request, not just the signed +// portion. 
+OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md, + uint8_t *out, unsigned *out_len); -OPENSSL_EXPORT X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer, - EVP_PKEY *skey, const EVP_MD *md, - unsigned int flags); +// X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result +// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most +// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// of bytes written. This function returns one on success and zero on error. +OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, + uint8_t *out, unsigned *out_len); -OPENSSL_EXPORT int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey); +// The following functions behave like the corresponding unsuffixed |d2i_*| +// functions, but read the result from |bp| instead. Callers using these +// functions with memory |BIO|s to parse structures already in memory should use +// |d2i_*| instead. +OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509); +OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl); +OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req); +OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa); +OPENSSL_EXPORT RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa); +OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa); +OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa); +OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa); +OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey); +OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey); +OPENSSL_EXPORT X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8); +OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio( + BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf); +OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); +OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh); + +// d2i_PrivateKey_bio behaves like 
|d2i_AutoPrivateKey|, but reads from |bp| +// instead. +OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); + +// The following functions behave like the corresponding unsuffixed |i2d_*| +// functions, but write the result to |bp|. They return one on success and zero +// on error. Callers using them with memory |BIO|s to encode structures to +// memory should use |i2d_*| directly instead. +OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, X509 *x509); +OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl); +OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req); +OPENSSL_EXPORT int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa); +OPENSSL_EXPORT int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa); +OPENSSL_EXPORT int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa); +OPENSSL_EXPORT int i2d_DSA_PUBKEY_bio(BIO *bp, DSA *dsa); +OPENSSL_EXPORT int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa); +OPENSSL_EXPORT int i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey); +OPENSSL_EXPORT int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey); +OPENSSL_EXPORT int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8); +OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, + PKCS8_PRIV_KEY_INFO *p8inf); +OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey); +OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey); +OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh); + +// i2d_PKCS8PrivateKeyInfo_bio encodes |key| as a PKCS#8 PrivateKeyInfo +// structure (see |EVP_marshal_private_key|) and writes the result to |bp|. It +// returns one on success and zero on error. +OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key); + +// The following functions behave like the corresponding |d2i_*_bio| functions, +// but read from |fp| instead. 
+OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509); +OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl); +OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req); +OPENSSL_EXPORT RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa); +OPENSSL_EXPORT RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa); +OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa); +OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa); +OPENSSL_EXPORT DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa); +OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey); +OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey); +OPENSSL_EXPORT X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8); +OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp( + FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf); +OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); +OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); + +// The following functions behave like the corresponding |i2d_*_bio| functions, +// but write to |fp| instead. 
+OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, X509 *x509); +OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl); +OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req); +OPENSSL_EXPORT int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa); +OPENSSL_EXPORT int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa); +OPENSSL_EXPORT int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa); +OPENSSL_EXPORT int i2d_DSA_PUBKEY_fp(FILE *fp, DSA *dsa); +OPENSSL_EXPORT int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa); +OPENSSL_EXPORT int i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey); +OPENSSL_EXPORT int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey); +OPENSSL_EXPORT int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8); +OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, + PKCS8_PRIV_KEY_INFO *p8inf); +OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key); +OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey); +OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey); + +// X509_find_by_issuer_and_serial returns the first |X509| in |sk| whose issuer +// and serial are |name| and |serial|, respectively. If no match is found, it +// returns NULL. +OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, + X509_NAME *name, + const ASN1_INTEGER *serial); + +// X509_find_by_subject returns the first |X509| in |sk| whose subject is +// |name|. If no match is found, it returns NULL. +OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk, + X509_NAME *name); + +// X509_cmp_time compares |s| against |*t|. On success, it returns a negative +// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it +// returns zero. If |t| is NULL, it uses the current time instead of |*t|. +// +// WARNING: Unlike most comparison functions, this function returns zero on +// error, not equality. +OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t); + +// X509_cmp_time_posix compares |s| against |t|. 
On success, it returns a +// negative number if |s| <= |t| and a positive number if |s| > |t|. On error, +// it returns zero. +// +// WARNING: Unlike most comparison functions, this function returns zero on +// error, not equality. +OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t); + +// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against +// the current time. +OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); + +// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. +OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, + const time_t *t); + +// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If +// |t| is NULL, it uses the current time instead of |*t|. +OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, + long offset_sec, const time_t *t); -OPENSSL_EXPORT int X509_check_private_key(X509 *x509, const EVP_PKEY *pkey); +// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the +// current time. +OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); +// X509_issuer_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s +// issuer names. OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b); -OPENSSL_EXPORT unsigned long X509_issuer_name_hash(X509 *a); +// X509_subject_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and +// |b|'s subject names. 
OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); -OPENSSL_EXPORT unsigned long X509_subject_name_hash(X509 *x); - -OPENSSL_EXPORT unsigned long X509_issuer_name_hash_old(X509 *a); -OPENSSL_EXPORT unsigned long X509_subject_name_hash_old(X509 *x); - -OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); -OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); -OPENSSL_EXPORT unsigned long X509_NAME_hash(X509_NAME *x); -OPENSSL_EXPORT unsigned long X509_NAME_hash_old(X509_NAME *x); +// X509_CRL_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s +// issuer names. +// +// WARNING: This function is misnamed. It does not compare other parts of the +// CRL, only the issuer fields using |X509_NAME_cmp|. OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); -OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); -// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in -// |x509|'s extension list. +// X509_issuer_name_hash returns the hash of |x509|'s issuer name with +// |X509_NAME_hash|. // -// WARNING: This function is difficult to use correctly. See the documentation -// for |X509V3_get_d2i| for details. -OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid, - int *out_critical, int *out_idx); - -// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to -// |x|'s extension list. +// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. It also depends on an OpenSSL-specific +// canonicalization process. +OPENSSL_EXPORT uint32_t X509_issuer_name_hash(X509 *x509); + +// X509_subject_name_hash returns the hash of |x509|'s subject name with +// |X509_NAME_hash|. // -// WARNING: This function may return zero or -1 on error. The caller must also -// ensure |value|'s type matches |nid|. 
See the documentation for -// |X509V3_add1_i2d| for details. -OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, - unsigned long flags); - -// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the -// extension in |crl|'s extension list. +// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. It also depends on an OpenSSL-specific +// canonicalization process. +OPENSSL_EXPORT uint32_t X509_subject_name_hash(X509 *x509); + +// X509_issuer_name_hash_old returns the hash of |x509|'s issuer name with +// |X509_NAME_hash_old|. // -// WARNING: This function is difficult to use correctly. See the documentation -// for |X509V3_get_d2i| for details. -OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, - int *out_critical, int *out_idx); +// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. +OPENSSL_EXPORT uint32_t X509_issuer_name_hash_old(X509 *x509); -// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension -// to |x|'s extension list. +// X509_subject_name_hash_old returns the hash of |x509|'s usjbect name with +// |X509_NAME_hash_old|. // -// WARNING: This function may return zero or -1 on error. The caller must also -// ensure |value|'s type matches |nid|. See the documentation for -// |X509V3_add1_i2d| for details. -OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, - int crit, unsigned long flags); +// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// not suitable for general-purpose X.509 name processing. It is very short, so +// there will be hash collisions. 
+OPENSSL_EXPORT uint32_t X509_subject_name_hash_old(X509 *x509); -// X509_REVOKED_get_ext_count returns the number of extensions in |x|. -OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x); -// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches -// for extensions in |x|. -OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, - int lastpos); +// ex_data functions. +// +// See |ex_data.h| for details. -// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches -// for extensions in |x|. -OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, - const ASN1_OBJECT *obj, - int lastpos); +OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_unused *unused, + CRYPTO_EX_dup *dup_unused, + CRYPTO_EX_free *free_func); +OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg); +OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx); -// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| -// but searches for extensions in |x|. -OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, - int crit, int lastpos); +OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_unused *unused, + CRYPTO_EX_dup *dup_unused, + CRYPTO_EX_free *free_func); +OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, + void *data); +OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx); -// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if -// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL -// compatibility, but callers should not mutate the result. 
-OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, - int loc); +#define X509_STORE_CTX_set_app_data(ctx, data) \ + X509_STORE_CTX_set_ex_data(ctx, 0, data) +#define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0) -// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and -// returns the removed extension, or NULL if |loc| was out of bounds. If -// non-NULL, the caller must release the result with |X509_EXTENSION_free|. -OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, - int loc); -// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success -// and zero on failure. The caller retains ownership of |ex| and can release it -// independently of |x|. -// -// The new extension is inserted at index |loc|, shifting extensions to the -// right. If |loc| is -1 or out of bounds, the new extension is appended to the -// list. -OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, - const X509_EXTENSION *ex, int loc); +// Hashing and signing ASN.1 structures. -// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the -// extension in |revoked|'s extension list. +// ASN1_digest serializes |data| with |i2d| and then hashes the result with +// |type|. On success, it returns one, writes the digest to |md|, and sets +// |*len| to the digest length if non-NULL. On error, it returns zero. // -// WARNING: This function is difficult to use correctly. See the documentation -// for |X509V3_get_d2i| for details. -OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, - int nid, int *out_critical, - int *out_idx); +// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The +// buffer must have sufficient space for this output. 
+OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
+ unsigned char *md, unsigned int *len);
-// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the
-// extension to |x|'s extension list.
+// ASN1_item_digest serializes |data| with |it| and then hashes the result with
+// |type|. On success, it returns one, writes the digest to |md|, and sets
+// |*len| to the digest length if non-NULL. On error, it returns zero.
 //
-// WARNING: This function may return zero or -1 on error. The caller must also
-// ensure |value|'s type matches |nid|. See the documentation for
-// |X509V3_add1_i2d| for details.
-OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid,
- void *value, int crit,
- unsigned long flags);
-
-OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
-
-// PKCS#8 utilities
-
-DECLARE_ASN1_FUNCTIONS_const(PKCS8_PRIV_KEY_INFO)
-
-// EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the
-// key was unsupported or could not be decoded. If non-NULL, the caller must
-// release the result with |EVP_PKEY_free| when done.
+// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The
+// buffer must have sufficient space for this output.
 //
-// Use |EVP_parse_private_key| instead.
-OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8);
+// WARNING: |data| must be a pointer with the same type as |it|'s corresponding
+// C type. Using the wrong type is a potentially exploitable memory error.
+OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type,
+ void *data, unsigned char *md,
+ unsigned int *len);
-// EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208),
-// represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. The
-// caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done.
+// ASN1_item_verify serializes |data| with |it| and then verifies |signature| is
+// a valid signature for the result with |algor1| and |pkey|. It returns one on
+// success and zero on error. The signature and algorithm are interpreted as in
+// X.509.
 //
-// Use |EVP_marshal_private_key| instead.
-OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey);
+// WARNING: |data| must be a pointer with the same type as |it|'s corresponding
+// C type. Using the wrong type is a potentially exploitable memory error.
+OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it,
+ const X509_ALGOR *algor1,
+ const ASN1_BIT_STRING *signature,
+ void *data, EVP_PKEY *pkey);
-// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier
-// determined by |obj|, |param_type|, and |param_value|, and an encoded
-// public key of |key|. On success, it takes ownership of all its parameters and
-// returns one. Otherwise, it returns zero. |key| must have been allocated by
-// |OPENSSL_malloc|.
+// ASN1_item_sign serializes |data| with |it| and then signs the result with
+// the private key |pkey|. It returns the length of the signature on success and
+// zero on error. On success, it writes the signature to |signature| and the
+// signature algorithm to each of |algor1| and |algor2|. Either of |algor1| or
+// |algor2| may be NULL to ignore them. This function uses digest algorithm
+// |md|, or |pkey|'s default if NULL. Other signing parameters use |pkey|'s
+// defaults. To customize them, use |ASN1_item_sign_ctx|.
 //
-// |obj|, |param_type|, and |param_value| are interpreted as in
-// |X509_ALGOR_set0|. See |X509_ALGOR_set0| for details.
-OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj,
- int param_type, void *param_value,
- uint8_t *key, int key_len);
+// WARNING: |data| must be a pointer with the same type as |it|'s corresponding
+// C type. Using the wrong type is a potentially exploitable memory error.
+OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1,
+ X509_ALGOR *algor2,
+ ASN1_BIT_STRING *signature, void *data,
+ EVP_PKEY *pkey, const EVP_MD *type);
-// X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj|
-// is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key|
-// is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key.
-// If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier.
+// ASN1_item_sign_ctx behaves like |ASN1_item_sign| except the signature is
+// signed with |ctx|, |ctx|, which must have been initialized with
+// |EVP_DigestSignInit|. The caller should configure the corresponding
+// |EVP_PKEY_CTX| with any additional parameters before calling this function.
 //
-// Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a
-// BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero
-// bits if |pub| did not contain a whole number of bytes. Use
-// |X509_PUBKEY_get0_public_key| to preserve this information.
-OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj,
- const uint8_t **out_key,
- int *out_key_len,
- X509_ALGOR **out_alg,
- X509_PUBKEY *pub);
-
-// X509_PUBKEY_get0_public_key returns |pub|'s encoded public key.
-OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key(
- const X509_PUBKEY *pub);
-
-OPENSSL_EXPORT int X509_check_trust(X509 *x, int id, int flags);
-OPENSSL_EXPORT int X509_TRUST_get_count(void);
-OPENSSL_EXPORT X509_TRUST *X509_TRUST_get0(int idx);
-OPENSSL_EXPORT int X509_TRUST_get_by_id(int id);
-OPENSSL_EXPORT int X509_TRUST_add(int id, int flags,
- int (*ck)(X509_TRUST *, X509 *, int),
- const char *name, int arg1, void *arg2);
-OPENSSL_EXPORT void X509_TRUST_cleanup(void);
-OPENSSL_EXPORT int X509_TRUST_get_flags(const X509_TRUST *xp);
-OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp);
-OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp);
-
-
-struct rsa_pss_params_st {
- X509_ALGOR *hashAlgorithm;
- X509_ALGOR *maskGenAlgorithm;
- ASN1_INTEGER *saltLength;
- ASN1_INTEGER *trailerField;
- // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the
- // cases apply to BoringSSL, so this is always NULL, but Node expects the
- // field to be present.
- X509_ALGOR *maskHash;
-} /* RSA_PSS_PARAMS */;
-
-DECLARE_ASN1_FUNCTIONS_const(RSA_PSS_PARAMS)
-
-/*
-SSL_CTX -> X509_STORE
- -> X509_LOOKUP
- ->X509_LOOKUP_METHOD
- -> X509_LOOKUP
- ->X509_LOOKUP_METHOD
-
-SSL -> X509_STORE_CTX
- ->X509_STORE
-
-The X509_STORE holds the tables etc for verification stuff.
-A X509_STORE_CTX is used while validating a single certificate.
-The X509_STORE has X509_LOOKUPs for looking up certs.
-The X509_STORE then calls a function to actually verify the
-certificate chain.
-*/
+// On success or failure, this function mutates |ctx| and resets it to the empty
+// state. Caller should not rely on its contents after the function returns.
+//
+// WARNING: |data| must be a pointer with the same type as |it|'s corresponding
+// C type. Using the wrong type is a potentially exploitable memory error.
+OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
+ X509_ALGOR *algor2,
+ ASN1_BIT_STRING *signature, void *asn,
+ EVP_MD_CTX *ctx);
-#define X509_LU_X509 1
-#define X509_LU_CRL 2
-#define X509_LU_PKEY 3
-DEFINE_STACK_OF(X509_LOOKUP)
-DEFINE_STACK_OF(X509_OBJECT)
-DEFINE_STACK_OF(X509_VERIFY_PARAM)
+// Verification internals.
+//
+// The following functions expose portions of certificate validation. They are
+// exported for compatibility with existing callers, or to support some obscure
+// use cases. Most callers, however, will not need these functions and should
+// instead use |X509_STORE_CTX| APIs.
-typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
-typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
-typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, X509_STORE_CTX *ctx,
- X509 *x);
-typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *x,
- X509 *issuer);
-typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
-typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, X509_CRL **crl,
- X509 *x);
-typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
-typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl,
- X509 *x);
-typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
-typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
- X509_NAME *nm);
-typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(
- X509_STORE_CTX *ctx, X509_NAME *nm);
-typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
+// X509_supported_extension returns one if |ex| is a critical X.509 certificate
+// extension, supported by |X509_verify_cert|, and zero otherwise.
+//
+// Note this function only reports certificate extensions (as opposed to CRL or
+// CRL extensions), and only extensions that are expected to be marked critical.
+// Additionally, |X509_verify_cert| checks for unsupported critical extensions
+// internally, so most callers will not need to call this function separately.
+OPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex);
+
+// X509_check_ca returns one if |x509| may be considered a CA certificate,
+// according to basic constraints and key usage extensions. Otherwise, it
+// returns zero. If |x509| is an X509v1 certificate, and thus has no extensions,
+// it is considered eligible.
+//
+// This function returning one does not indicate that |x509| is trusted, only
+// that it is eligible to be a CA.
+//
+// TODO(crbug.com/boringssl/407): |x509| should be const.
+OPENSSL_EXPORT int X509_check_ca(X509 *x509);
-OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth);
+// X509_check_issued checks if |issuer| and |subject|'s name, authority key
+// identifier, and key usage fields allow |issuer| to have issued |subject|. It
+// returns |X509_V_OK| on success and an |X509_V_ERR_*| value otherwise.
+//
+// This function does not check the signature on |subject|. Rather, it is
+// intended to prune the set of possible issuer certificates during
+// path-building.
+//
+// TODO(crbug.com/boringssl/407): Both parameters should be const.
+OPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject);
-OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
+// NAME_CONSTRAINTS_check checks if |x509| satisfies name constraints in |nc|.
+// It returns |X509_V_OK| on success and some |X509_V_ERR_*| constant on error.
+//
+// TODO(crbug.com/boringssl/407): Both parameters should be const.
+OPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x509, NAME_CONSTRAINTS *nc);
+
+// X509_check_host checks if |x509| matches the DNS name |chk|. It returns one
+// on match, zero on mismatch, or a negative number on error. |flags| should be
+// some combination of |X509_CHECK_FLAG_*| and modifies the behavior. On match,
+// if |out_peername| is non-NULL, it additionally sets |*out_peername| to a
+// newly-allocated, NUL-terminated string containing the DNS name or wildcard in
+// the certificate which matched. The caller must then free |*out_peername| with
+// |OPENSSL_free| when done.
+//
+// By default, both subject alternative names and the subject's common name
+// attribute are checked. The latter has long been deprecated, so callers should
+// include |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| in |flags| to use the standard
+// behavior. https://crbug.com/boringssl/464 tracks fixing the default.
+//
+// This function does not check if |x509| is a trusted certificate, only if,
+// were it trusted, it would match |chk|.
+//
+// WARNING: This function differs from the usual calling convention and may
+// return either 0 or a negative number on error.
+//
+// TODO(davidben): Make the error case also return zero.
+OPENSSL_EXPORT int X509_check_host(const X509 *x509, const char *chk,
+ size_t chklen, unsigned int flags,
+ char **out_peername);
+
+// X509_check_email checks if |x509| matches the email address |chk|. It returns
+// one on match, zero on mismatch, or a negative number on error. |flags| should
+// be some combination of |X509_CHECK_FLAG_*| and modifies the behavior.
+//
+// By default, both subject alternative names and the subject's email address
+// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be
+// used to change this behavior.
+//
+// This function does not check if |x509| is a trusted certificate, only if,
+// were it trusted, it would match |chk|.
+//
+// WARNING: This function differs from the usual calling convention and may
+// return either 0 or a negative number on error.
+//
+// TODO(davidben): Make the error case also return zero.
+OPENSSL_EXPORT int X509_check_email(const X509 *x509, const char *chk,
+ size_t chklen, unsigned int flags);
+
+// X509_check_ip checks if |x509| matches the IP address |chk|. The IP address
+// is represented in byte form and should be 4 bytes for an IPv4 address and 16
+// bytes for an IPv6 address. It returns one on match, zero on mismatch, or a
+// negative number on error. |flags| should be some combination of
+// |X509_CHECK_FLAG_*| and modifies the behavior.
+//
+// This function does not check if |x509| is a trusted certificate, only if,
+// were it trusted, it would match |chk|.
+//
+// WARNING: This function differs from the usual calling convention and may
+// return either 0 or a negative number on error.
+//
+// TODO(davidben): Make the error case also return zero.
+OPENSSL_EXPORT int X509_check_ip(const X509 *x509, const uint8_t *chk,
+ size_t chklen, unsigned int flags);
-#define X509_STORE_CTX_set_app_data(ctx, data) \
- X509_STORE_CTX_set_ex_data(ctx, 0, data)
-#define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0)
+// X509_check_ip_asc behaves like |X509_check_ip| except the IP address is
+// specified in textual form in |ipasc|.
+//
+// WARNING: This function differs from the usual calling convention and may
+// return either 0 or a negative number on error.
+//
+// TODO(davidben): Make the error case also return zero.
+OPENSSL_EXPORT int X509_check_ip_asc(const X509 *x509, const char *ipasc,
+ unsigned int flags);
+
+// X509_STORE_CTX_get1_issuer looks up a candidate trusted issuer for |x509| out
+// of |ctx|'s |X509_STORE|, based on the criteria in |X509_check_issued|. If one
+// was found, it returns one and sets |*out_issuer| to the issuer. The caller
+// must release |*out_issuer| with |X509_free| when done. If none was found, it
+// returns zero and leaves |*out_issuer| unchanged.
+//
+// This function only searches for trusted issuers. It does not consider
+// untrusted intermediates passed in to |X509_STORE_CTX_init|.
+//
+// TODO(crbug.com/boringssl/407): |x509| should be const.
+OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **out_issuer,
+ X509_STORE_CTX *ctx, X509 *x509);
+
+// X509_check_purpose performs checks if |x509|'s basic constraints, key usage,
+// and extended key usage extensions for the specified purpose. |purpose| should
+// be one of |X509_PURPOSE_*| constants. See |X509_VERIFY_PARAM_set_purpose| for
+// details. It returns one if |x509|'s extensions are consistent with |purpose|
+// and zero otherwise. If |ca| is non-zero, |x509| is checked as a CA
+// certificate. Otherwise, it is checked as an end-entity certificate.
+//
+// If |purpose| is -1, this function performs no purpose checks, but it parses
+// some extensions in |x509| and may return zero on syntax error. Historically,
+// callers primarily used this function to trigger this parsing, but this is no
+// longer necessary. Functions acting on |X509| will internally parse as needed.
+OPENSSL_EXPORT int X509_check_purpose(X509 *x509, int purpose, int ca);
-#define X509_L_FILE_LOAD 1
-#define X509_L_ADD_DIR 2
+#define X509_TRUST_TRUSTED 1
+#define X509_TRUST_REJECTED 2
+#define X509_TRUST_UNTRUSTED 3
-#define X509_LOOKUP_load_file(x, name, type) \
- X509_LOOKUP_ctrl((x), X509_L_FILE_LOAD, (name), (long)(type), NULL)
+// X509_check_trust checks if |x509| is a valid trust anchor for trust type
+// |id|. See |X509_VERIFY_PARAM_set_trust| for details. It returns
+// |X509_TRUST_TRUSTED| if |x509| is a trust anchor, |X509_TRUST_REJECTED| if it
+// was distrusted, and |X509_TRUST_UNTRUSTED| otherwise. |id| should be one of
+// the |X509_TRUST_*| constants, or zero to indicate the default behavior.
+// |flags| should be zero and is ignored.
+OPENSSL_EXPORT int X509_check_trust(X509 *x509, int id, int flags);
+
+// X509_STORE_CTX_get1_certs returns a newly-allocated stack containing all
+// trusted certificates in |ctx|'s |X509_STORE| whose subject matches |name|, or
+// NULL on error. The caller must release the result with |sk_X509_pop_free| and
+// |X509_free| when done.
+//
+// TODO(crbug.com/boringssl/407): |name| should be const.
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx,
+ X509_NAME *name);
+
+// X509_STORE_CTX_get1_crls returns a newly-allocated stack containing all
+// CRLs in |ctx|'s |X509_STORE| whose subject matches |name|, or NULL on error.
+// The caller must release the result with |sk_X509_CRL_pop_free| and
+// |X509_CRL_free| when done.
+//
+// TODO(crbug.com/boringssl/407): |name| should be const.
+OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx,
+ X509_NAME *name);
+
+// X509_STORE_CTX_get_by_subject looks up an object of type |type| in |ctx|'s
+// |X509_STORE| that matches |name|. |type| should be one of the |X509_LU_*|
+// constants to indicate the type of object. If a match was found, it stores the
+// result in |ret| and returns one. Otherwise, it returns zero. If multiple
+// objects match, this function outputs an arbitray one.
+//
+// WARNING: |ret| must be in the empty state, as returned by |X509_OBJECT_new|.
+// Otherwise, the object currently in |ret| will be leaked when overwritten.
+// https://crbug.com/boringssl/685 tracks fixing this.
+//
+// WARNING: Multiple trusted certificates or CRLs may share a name. In this
+// case, this function returns an arbitrary match. Use
+// |X509_STORE_CTX_get1_certs| or |X509_STORE_CTX_get1_crls| instead.
+//
+// TODO(crbug.com/boringssl/407): |name| should be const.
+OPENSSL_EXPORT int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *ctx, int type,
+ X509_NAME *name,
+ X509_OBJECT *ret);
-#define X509_LOOKUP_add_dir(x, name, type) \
- X509_LOOKUP_ctrl((x), X509_L_ADD_DIR, (name), (long)(type), NULL)
-#define X509_V_OK 0
-#define X509_V_ERR_UNSPECIFIED 1
+// X.509 information.
+//
+// |X509_INFO| is the return type for |PEM_X509_INFO_read_bio|, defined in
+// . It is used to store a certificate, CRL, or private key. This
+// type is defined in this header for OpenSSL compatibility.
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
-#define X509_V_ERR_UNABLE_TO_GET_CRL 3
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
-#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
-#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
-#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
-#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
-#define X509_V_ERR_CERT_NOT_YET_VALID 9
-#define X509_V_ERR_CERT_HAS_EXPIRED 10
-#define X509_V_ERR_CRL_NOT_YET_VALID 11
-#define X509_V_ERR_CRL_HAS_EXPIRED 12
-#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
-#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
-#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
-#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
-#define X509_V_ERR_OUT_OF_MEM 17
-#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
-#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
-#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
-#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
-#define X509_V_ERR_CERT_REVOKED 23
-#define X509_V_ERR_INVALID_CA 24
-#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
-#define X509_V_ERR_INVALID_PURPOSE 26
-#define X509_V_ERR_CERT_UNTRUSTED 27
-#define X509_V_ERR_CERT_REJECTED 28
-// These are 'informational' when looking for issuer cert
-#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
-#define X509_V_ERR_AKID_SKID_MISMATCH 30
-#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
-#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
+struct private_key_st {
+ EVP_PKEY *dec_pkey;
+} /* X509_PKEY */;
-#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
-#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
-#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
-#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
-#define X509_V_ERR_INVALID_NON_CA 37
-#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
-#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
-#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
+struct X509_info_st {
+ X509 *x509;
+ X509_CRL *crl;
+ X509_PKEY *x_pkey;
-#define X509_V_ERR_INVALID_EXTENSION 41
-#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
-#define X509_V_ERR_NO_EXPLICIT_POLICY 43
-#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
-#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
+ EVP_CIPHER_INFO enc_cipher;
+ int enc_len;
+ char *enc_data;
+} /* X509_INFO */;
-#define X509_V_ERR_UNNESTED_RESOURCE 46
+DEFINE_STACK_OF(X509_INFO)
-#define X509_V_ERR_PERMITTED_VIOLATION 47
-#define X509_V_ERR_EXCLUDED_VIOLATION 48
-#define X509_V_ERR_SUBTREE_MINMAX 49
-#define X509_V_ERR_APPLICATION_VERIFICATION 50
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
-#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
-#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
+// X509_INFO_free releases memory associated with |info|.
+OPENSSL_EXPORT void X509_INFO_free(X509_INFO *info);
-// Host, email and IP check errors
-#define X509_V_ERR_HOSTNAME_MISMATCH 62
-#define X509_V_ERR_EMAIL_MISMATCH 63
-#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
-// Caller error
-#define X509_V_ERR_INVALID_CALL 65
-// Issuer lookup error
-#define X509_V_ERR_STORE_LOOKUP 66
+// Deprecated custom extension registration.
+//
+// The following functions allow callers to register custom extensions for use
+// with |X509V3_EXT_d2i| and related functions. This mechanism is deprecated and
+// will be removed in the future. As discussed in |X509V3_EXT_add|, it is not
+// possible to safely register a custom extension without risking race
+// conditions and memory errors when linked with other users of BoringSSL.
+//
+// Moreover, it is not necessary to register a custom extension to process
+// extensions unknown to BoringSSL. Registration does not impact certificate
+// verification. Caller should instead use functions such as
+// |ASN1_OBJECT_create|, |X509_get_ext_by_OBJ|, |X509_EXTENSION_get_data|, and
+// |X509_EXTENSION_create_by_OBJ| to inspect or create extensions directly.
+
+// The following function pointer types are used in |X509V3_EXT_METHOD|.
+typedef void *(*X509V3_EXT_NEW)(void);
+typedef void (*X509V3_EXT_FREE)(void *ext);
+typedef void *(*X509V3_EXT_D2I)(void *ext, const uint8_t **inp, long len);
+typedef int (*X509V3_EXT_I2D)(void *ext, uint8_t **outp);
+typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const X509V3_EXT_METHOD *method,
+ void *ext,
+ STACK_OF(CONF_VALUE) *extlist);
+typedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx,
+ const STACK_OF(CONF_VALUE) *values);
+typedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext);
+typedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, const char *str);
+typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext,
+ BIO *out, int indent);
+typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method,
+ const X509V3_CTX *ctx, const char *str);
+
+// A v3_ext_method, aka |X509V3_EXT_METHOD|, is a deprecated type which defines
+// a custom extension.
+struct v3_ext_method {
+ // ext_nid is the NID of the extension.
+ int ext_nid;
+
+ // ext_flags is a combination of |X509V3_EXT_*| constants.
+ int ext_flags;
+
+ // it determines how values of this extension are allocated, released, parsed,
+ // and marshalled. This must be non-NULL.
+ ASN1_ITEM_EXP *it;
+
+ // The following functions are ignored in favor of |it|. They are retained in
+ // the struct only for source compatibility with existing struct definitions.
+ X509V3_EXT_NEW ext_new;
+ X509V3_EXT_FREE ext_free;
+ X509V3_EXT_D2I d2i;
+ X509V3_EXT_I2D i2d;
+
+ // The following functions are used for string extensions.
+ X509V3_EXT_I2S i2s;
+ X509V3_EXT_S2I s2i;
+
+ // The following functions are used for multi-valued extensions.
+ X509V3_EXT_I2V i2v;
+ X509V3_EXT_V2I v2i;
+
+ // The following functions are used for "raw" extensions, which implement
+ // custom printing behavior.
+ X509V3_EXT_I2R i2r;
+ X509V3_EXT_R2I r2i;
+
+ void *usr_data; // Any extension specific data
+} /* X509V3_EXT_METHOD */;
+
+// X509V3_EXT_MULTILINE causes the result of an |X509V3_EXT_METHOD|'s |i2v|
+// function to be printed on separate lines, rather than separated by commas.
+#define X509V3_EXT_MULTILINE 0x4
+
+// X509V3_EXT_get returns the |X509V3_EXT_METHOD| corresponding to |ext|'s
+// extension type, or NULL if none was registered.
+OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get(
+ const X509_EXTENSION *ext);
+
+// X509V3_EXT_get_nid returns the |X509V3_EXT_METHOD| corresponding to |nid|, or
+// NULL if none was registered.
+OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
+
+// X509V3_EXT_add registers |ext| as a custom extension for the extension type
+// |ext->ext_nid|. |ext| must be valid for the remainder of the address space's
+// lifetime. It returns one on success and zero on error.
+//
+// WARNING: This function modifies global state. If other code in the same
+// address space also registers an extension with type |ext->ext_nid|, the two
+// registrations will conflict. Which registration takes effect is undefined. If
+// the two registrations use incompatible in-memory representations, code
+// expecting the other registration will then cast a type to the wrong type,
+// resulting in a potentially exploitable memory error. This conflict can also
+// occur if BoringSSL later adds support for |ext->ext_nid|, with a different
+// in-memory representation than the one expected by |ext|.
+//
+// This function, additionally, is not thread-safe and cannot be called
+// concurrently with any other BoringSSL function.
+//
+// As a result, it is impossible to safely use this function. Registering a
+// custom extension has no impact on certificate verification so, instead,
+// callers should simply handle the custom extension with the byte-based
+// |X509_EXTENSION| APIs directly. Registering |ext| with the library has little
+// practical value.
+OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+
+// X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The
+// corresponding ASN.1 type is copied from |nid_from|. It returns one on success
+// and zero on error.
+//
+// WARNING: Do not use this function. See |X509V3_EXT_add|.
+OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to,
+ int nid_from);
-#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67
-// Certificate verify flags
+// Deprecated config-based extension creation.
+//
+// The following functions allow specifying X.509 extensions using OpenSSL's
+// config file syntax, from the OpenSSL command-line tool. They are retained,
+// for now, for compatibility with legacy software but may be removed in the
+// future. Construct the extensions using the typed C APIs instead.
+//
+// Callers should especially avoid these functions if passing in non-constant
+// values. They use ad-hoc, string-based formats which are prone to injection
+// vulnerabilities. For a CA, this means using them risks misissuance.
+//
+// These functions are not safe to use with untrusted inputs. The string formats
+// may implicitly reference context information and, in OpenSSL (though not
+// BoringSSL), one even allows reading arbitrary files. Many formats can also
+// produce far larger outputs than their inputs, so untrusted inputs may lead to
+// denial-of-service attacks. Finally, the parsers see much less testing and
+// review than most of the library and may have bugs including memory leaks or
+// crashes.
+
+// v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for
+// constructing extensions. Some string formats reference additional values in
+// these objects. It must be initialized with |X509V3_set_ctx| or
+// |X509V3_set_ctx_test| before use.
+struct v3_ext_ctx {
+ int flags;
+ const X509 *issuer_cert;
+ const X509 *subject_cert;
+ const X509_REQ *subject_req;
+ const X509_CRL *crl;
+ const CONF *db;
+};
+
+#define X509V3_CTX_TEST 0x1
+
+// X509V3_set_ctx initializes |ctx| with the specified objects. Some string
+// formats will reference fields in these objects. Each object may be NULL to
+// omit it, in which case those formats cannot be used. |flags| should be zero,
+// unless called via |X509V3_set_ctx_test|.
+//
+// |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|.
+OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer,
+ const X509 *subject, const X509_REQ *req,
+ const X509_CRL *crl, int flags);
+
+// X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and
+// mocks out some features that use them. The resulting extensions may be
+// incomplete and should be discarded. This can be used to partially validate
+// syntax.
+//
+// TODO(davidben): Can we remove this?
+#define X509V3_set_ctx_test(ctx) \
+ X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST)
+
+// X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must
+// have previously been initialized by |X509V3_set_ctx| or
+// |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|.
+// |conf| may be NULL, in which case these formats cannot be used. If non-NULL,
+// |conf| must outlive |ctx|.
+OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf);
+
+// X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database.
+#define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL)
+
+// X509V3_EXT_nconf constructs an extension of type specified by |name|, and
+// value specified by |value|. It returns a newly-allocated |X509_EXTENSION|
+// object on success, or NULL on error. |conf| and |ctx| specify additional
+// information referenced by some formats. Either |conf| or |ctx| may be NULL,
+// in which case features which use it will be disabled.
+//
+// If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or
+// |X509V3_set_ctx_test|.
+//
+// Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most
+// features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use
+// |conf|. Callers should ensure the two match to avoid surprisingly behavior.
+OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf,
+ const X509V3_CTX *ctx,
+ const char *name,
+ const char *value);
+
+// X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension
+// type is specified as a NID.
+OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf,
+ const X509V3_CTX *ctx,
+ int ext_nid,
+ const char *value);
+
+// X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL.
+//
+// TODO(davidben): This is the only exposed instance of an LHASH in our public
+// headers. cryptography.io wraps this function so we cannot, yet, replace the
+// type with a dummy struct.
+OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
+ const X509V3_CTX *ctx,
+ int ext_nid,
+ const char *value);
+
+// X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For
+// each |CONF_VALUE| in the section, it constructs an extension as in
+// |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new
+// extension is appended to |*sk|. If |*sk| is non-NULL, and at least one
+// extension is added, it sets |*sk| to a newly-allocated
+// |STACK_OF(X509_EXTENSION)|. It returns one on success and zero on error.
+OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf,
+ const X509V3_CTX *ctx,
+ const char *section,
+ STACK_OF(X509_EXTENSION) **sk);
+
+// X509V3_EXT_add_nconf adds extensions to |cert| as in
+// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error.
+OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx,
+ const char *section, X509 *cert);
+
+// X509V3_EXT_REQ_add_nconf adds extensions to |req| as in
+// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error.
+OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf,
+ const X509V3_CTX *ctx,
+ const char *section, X509_REQ *req);
+
+// X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in
+// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error.
+OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf,
+ const X509V3_CTX *ctx,
+ const char *section, X509_CRL *crl);
+
+// i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a
+// newly-allocated, NUL-terminated string, or NULL on error. |method| is
+// ignored. The caller must release the result with |OPENSSL_free| when done.
+OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method,
+ const ASN1_OCTET_STRING *oct);
+
+// s2i_ASN1_OCTET_STRING decodes |str| as a hexdecimal byte string, with
+// optional colon separators between bytes. It returns a newly-allocated
+// |ASN1_OCTET_STRING| with the result on success, or NULL on error. |method|
+// and |ctx| are ignored.
+OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(
+ const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str);
+
+// i2s_ASN1_INTEGER returns a human-readable representation of |aint| as a
+// newly-allocated, NUL-terminated string, or NULL on error. |method| is
+// ignored. The caller must release the result with |OPENSSL_free| when done.
+OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method,
+ const ASN1_INTEGER *aint);
+
+// s2i_ASN1_INTEGER decodes |value| as the ASCII representation of an integer,
+// and returns a newly-allocated |ASN1_INTEGER| containing the result, or NULL
+// on error. |method| is ignored. If |value| begins with "0x" or "0X", the input
+// is decoded in hexadecimal, otherwise decimal.
+OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method,
+ const char *value);
+
+// i2s_ASN1_ENUMERATED returns a human-readable representation of |aint| as a
+// newly-allocated, NUL-terminated string, or NULL on error. |method| is
+// ignored. The caller must release the result with |OPENSSL_free| when done.
+OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method,
+ const ASN1_ENUMERATED *aint);
+
+// X509V3_conf_free releases memory associated with |CONF_VALUE|.
+OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val);
+
+// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it
+// appends the value to |ret| and returns |ret| on success or NULL on error. If
+// it returns NULL, the caller is still responsible for freeing |ret|. If |ret|
+// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the
+// result. |method| is ignored. When done, the caller should release the result
+// with |sk_CONF_VALUE_pop_free| and |X509V3_conf_free|.
+//
+// Do not use this function. This is an internal implementation detail of the
+// human-readable print functions. If extracting a SAN list from a certificate,
+// look at |gen| directly.
+OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(
+ const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen,
+ STACK_OF(CONF_VALUE) *ret);
+
+// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is
+// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL
+// on error. If it returns NULL, the caller is still responsible for freeing
+// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)|
+// containing the results. |method| is ignored.
+//
+// Do not use this function. This is an internal implementation detail of the
+// human-readable print functions. If extracting a SAN list from a certificate,
+// look at |gen| directly.
+OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(
+ const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen,
+ STACK_OF(CONF_VALUE) *extlist);
+
+// a2i_IPADDRESS decodes |ipasc| as the textual representation of an IPv4 or
+// IPv6 address. On success, it returns a newly-allocated |ASN1_OCTET_STRING|
+// containing the decoded IP address. IPv4 addresses are represented as 4-byte
+// strings and IPv6 addresses as 16-byte strings. On failure, it returns NULL.
+OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
+
+// a2i_IPADDRESS_NC decodes |ipasc| as the textual representation of an IPv4 or
+// IPv6 address range. On success, it returns a newly-allocated
+// |ASN1_OCTET_STRING| containing the decoded IP address, followed by the
+// decoded mask. IPv4 ranges are represented as 8-byte strings and IPv6 ranges
+// as 32-byte strings. On failure, it returns NULL.
+//
+// The text format decoded by this function is not the standard CIDR notiation.
+// Instead, the mask after the "/" is represented as another IP address. For
+// example, "192.168.0.0/16" would be written "192.168.0.0/255.255.0.0".
+OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
-// Send issuer+subject checks to verify_cb
-#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
-// Use check time instead of current time
-#define X509_V_FLAG_USE_CHECK_TIME 0x2
-// Lookup CRLs
-#define X509_V_FLAG_CRL_CHECK 0x4
-// Lookup CRLs for whole chain
-#define X509_V_FLAG_CRL_CHECK_ALL 0x8
-// Ignore unhandled critical extensions
-#define X509_V_FLAG_IGNORE_CRITICAL 0x10
-// Does nothing as its functionality has been enabled by default.
-#define X509_V_FLAG_X509_STRICT 0x00
-// This flag does nothing as proxy certificate support has been removed.
-#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
-// Does nothing as its functionality has been enabled by default.
-#define X509_V_FLAG_POLICY_CHECK 0x80
-// Policy variable require-explicit-policy
-#define X509_V_FLAG_EXPLICIT_POLICY 0x100
-// Policy variable inhibit-any-policy
-#define X509_V_FLAG_INHIBIT_ANY 0x200
-// Policy variable inhibit-policy-mapping
-#define X509_V_FLAG_INHIBIT_MAP 0x400
-// Notify callback that policy is OK
-#define X509_V_FLAG_NOTIFY_POLICY 0x800
-// Extended CRL features such as indirect CRLs, alternate CRL signing keys
-#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
-// Delta CRL support
-#define X509_V_FLAG_USE_DELTAS 0x2000
-// Check selfsigned CA signature
-#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
-// Use trusted store first
-#define X509_V_FLAG_TRUSTED_FIRST 0x8000
-// Allow partial chains if at least one certificate is in trusted store
-#define X509_V_FLAG_PARTIAL_CHAIN 0x80000
+// Deprecated functions.
-// If the initial chain is not trusted, do not attempt to build an alternative
-// chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
-// will force the behaviour to match that of previous versions.
-#define X509_V_FLAG_NO_ALT_CHAINS 0x100000
+// X509_get_notBefore returns |x509|'s notBefore time. Note this function is not
+// const-correct for legacy reasons.
Use |X509_get0_notBefore| or +// |X509_getm_notBefore| instead. +OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509); -// X509_V_FLAG_NO_CHECK_TIME disables all time checks in certificate -// verification. -#define X509_V_FLAG_NO_CHECK_TIME 0x200000 +// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not +// const-correct for legacy reasons. Use |X509_get0_notAfter| or +// |X509_getm_notAfter| instead. +OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509); -#define X509_VP_FLAG_DEFAULT 0x1 -#define X509_VP_FLAG_OVERWRITE 0x2 -#define X509_VP_FLAG_RESET_FLAGS 0x4 -#define X509_VP_FLAG_LOCKED 0x8 -#define X509_VP_FLAG_ONCE 0x10 - -OPENSSL_EXPORT int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, - int type, X509_NAME *name); -OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_by_subject( - STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); -OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, - X509_OBJECT *x); -OPENSSL_EXPORT int X509_OBJECT_up_ref_count(X509_OBJECT *a); -OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *a); -OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *a); -OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a); -OPENSSL_EXPORT X509_STORE *X509_STORE_new(void); -OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store); -OPENSSL_EXPORT void X509_STORE_free(X509_STORE *v); - -OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st, - X509_NAME *nm); -OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st, - X509_NAME *nm); -OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags); -OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); -OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *ctx, int trust); -OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *ctx, - X509_VERIFY_PARAM *pm); 
-OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx); - -OPENSSL_EXPORT void X509_STORE_set_verify(X509_STORE *ctx, - X509_STORE_CTX_verify_fn verify); -#define X509_STORE_set_verify_func(ctx, func) \ - X509_STORE_set_verify((ctx), (func)) -OPENSSL_EXPORT void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_fn verify); -OPENSSL_EXPORT X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx); +// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore| +// instead. +OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm); -// X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets -// the verify callback for any |X509_STORE_CTX| created from this |X509_STORE| +// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter| +// instead. +OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm); + +// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time. +// The OpenSSL API refers to this field as lastUpdate. // -// Do not use this funciton. see |X509_STORE_CTX_set_verify_cb|. 
-OPENSSL_EXPORT void X509_STORE_set_verify_cb( - X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); -#define X509_STORE_set_verify_cb_func(ctx, func) \ - X509_STORE_set_verify_cb((ctx), (func)) -OPENSSL_EXPORT X509_STORE_CTX_verify_cb -X509_STORE_get_verify_cb(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_get_issuer( - X509_STORE *ctx, X509_STORE_CTX_get_issuer_fn get_issuer); -OPENSSL_EXPORT X509_STORE_CTX_get_issuer_fn -X509_STORE_get_get_issuer(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_check_issued( - X509_STORE *ctx, X509_STORE_CTX_check_issued_fn check_issued); -OPENSSL_EXPORT X509_STORE_CTX_check_issued_fn -X509_STORE_get_check_issued(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_check_revocation( - X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation); -OPENSSL_EXPORT X509_STORE_CTX_check_revocation_fn -X509_STORE_get_check_revocation(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_get_crl(X509_STORE *ctx, - X509_STORE_CTX_get_crl_fn get_crl); -OPENSSL_EXPORT X509_STORE_CTX_get_crl_fn -X509_STORE_get_get_crl(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_check_crl( - X509_STORE *ctx, X509_STORE_CTX_check_crl_fn check_crl); -OPENSSL_EXPORT X509_STORE_CTX_check_crl_fn -X509_STORE_get_check_crl(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_cert_crl( - X509_STORE *ctx, X509_STORE_CTX_cert_crl_fn cert_crl); -OPENSSL_EXPORT X509_STORE_CTX_cert_crl_fn -X509_STORE_get_cert_crl(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_lookup_certs( - X509_STORE *ctx, X509_STORE_CTX_lookup_certs_fn lookup_certs); -OPENSSL_EXPORT X509_STORE_CTX_lookup_certs_fn -X509_STORE_get_lookup_certs(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_lookup_crls( - X509_STORE *ctx, X509_STORE_CTX_lookup_crls_fn lookup_crls); -#define X509_STORE_set_lookup_crls_cb(ctx, func) \ - X509_STORE_set_lookup_crls((ctx), (func)) -OPENSSL_EXPORT X509_STORE_CTX_lookup_crls_fn -X509_STORE_get_lookup_crls(X509_STORE *ctx); 
-OPENSSL_EXPORT void X509_STORE_set_cleanup(X509_STORE *ctx, - X509_STORE_CTX_cleanup_fn cleanup); -OPENSSL_EXPORT X509_STORE_CTX_cleanup_fn -X509_STORE_get_cleanup(X509_STORE *ctx); +// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead. +OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); -OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void); +// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time, +// or NULL if |crl| has none. Use |X509_CRL_get0_nextUpdate| or +// |X509_CRL_set1_nextUpdate| instead. +OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); -OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **issuer, - X509_STORE_CTX *ctx, X509 *x); +// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use +// |X509_get_pubkey| instead. +#define X509_extract_key(x) X509_get_pubkey(x) -OPENSSL_EXPORT void X509_STORE_CTX_zero(X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx); -OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, - X509 *x509, STACK_OF(X509) *chain); +// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|. +#define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) -// X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates -// in |sk|. |sk| must remain valid for the duration of |ctx|. +// X509_name_cmp is a legacy alias for |X509_NAME_cmp|. +#define X509_name_cmp(a, b) X509_NAME_cmp((a), (b)) + +// The following symbols are deprecated aliases to |X509_CRL_set1_*|. +#define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate +#define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate + +// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number. +// Prefer |X509_get0_serialNumber|. +OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509); + +// X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in +// |name|. 
If found, it writes the value's UTF-8 representation to |buf|. +// followed by a NUL byte, and returns the number of bytes in the output, +// excluding the NUL byte. This is unlike OpenSSL which returns the raw +// ASN1_STRING data. The UTF-8 encoding of the |ASN1_STRING| may not contain a 0 +// codepoint. // -// WARNING: This function differs from most |set0| functions in that it does not -// take ownership of its input. The caller is required to ensure the lifetimes -// are consistent. -OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, - STACK_OF(X509) *sk); +// This function writes at most |len| bytes, including the NUL byte. If |buf| +// is NULL, it writes nothing and returns the number of bytes in the +// output, excluding the NUL byte that would be required for the full UTF-8 +// output. +// +// This function may return -1 if an error occurs for any reason, including the +// value not being a recognized string type, |len| being of insufficient size to +// hold the full UTF-8 encoding and NUL byte, memory allocation failures, an +// object with type |obj| not existing in |name|, or if the UTF-8 encoding of +// the string contains a zero byte. +OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name, + const ASN1_OBJECT *obj, char *buf, + int len); -// X509_STORE_CTX_trusted_stack is a deprecated alias for -// |X509_STORE_CTX_set0_trusted_stack|. -OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, - STACK_OF(X509) *sk); +// X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it +// finds an attribute of type |nid|, which should be one of the |NID_*| +// constants. +OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, + char *buf, int len); -OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); +// X509_STORE_CTX_get0_parent_ctx returns NULL. 
+OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx( + const X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx); +// X509_OBJECT_free_contents sets |obj| to the empty object, freeing any values +// that were previously there. +// +// TODO(davidben): Unexport this function after rust-openssl is fixed to no +// longer call it. +OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *obj); -OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, - X509_LOOKUP_METHOD *m); +// X509_LOOKUP_free releases memory associated with |ctx|. This function should +// never be used outside the library. No function in the public API hands +// ownership of an |X509_LOOKUP| to the caller. +// +// TODO(davidben): Unexport this function after rust-openssl is fixed to no +// longer call it. +OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx); -OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); -OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_file(void); +// X509_STORE_CTX_cleanup resets |ctx| to the empty state. +// +// This function is a remnant of when |X509_STORE_CTX| was stack-allocated and +// should not be used. If releasing |ctx|, call |X509_STORE_CTX_free|. If +// reusing |ctx| for a new verification, release the old one and create a new +// one. +OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); -OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); -OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); +// X509V3_add_standard_extensions returns one. +OPENSSL_EXPORT int X509V3_add_standard_extensions(void); -OPENSSL_EXPORT int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, - X509_NAME *name, X509_OBJECT *ret); +// The following symbols are legacy aliases for |X509_STORE_CTX| functions. 
+#define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject +#define X509_STORE_get1_certs X509_STORE_CTX_get1_certs +#define X509_STORE_get1_crls X509_STORE_CTX_get1_crls -OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, - long argl, char **ret); +// X509_STORE_CTX_get_chain is a legacy alias for |X509_STORE_CTX_get0_chain|. +OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain( + const X509_STORE_CTX *ctx); -OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, - int type); -OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, - int type); -OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, - int type); +// X509_STORE_CTX_trusted_stack is a deprecated alias for +// |X509_STORE_CTX_set0_trusted_stack|. +OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, + STACK_OF(X509) *sk); -OPENSSL_EXPORT X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); -OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx); -OPENSSL_EXPORT int X509_LOOKUP_init(X509_LOOKUP *ctx); -OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, - X509_NAME *name, X509_OBJECT *ret); -OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); - -OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file, - const char *dir); -OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx); -OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s); -OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx( - X509_STORE_CTX *ctx); -OPENSSL_EXPORT 
STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set_cert(X509_STORE_CTX *c, X509 *x); -OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *c, - STACK_OF(X509) *sk); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted( - X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, - STACK_OF(X509_CRL) *sk); -OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); -OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); -OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, - int def_purpose, int purpose, - int trust); -OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, - unsigned long flags); -OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, - unsigned long flags, time_t t); -OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, - unsigned long flags, - int64_t t); +typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); // X509_STORE_CTX_set_verify_cb configures a callback function for |ctx| that is // called multiple times during |X509_verify_cert|. The callback returns zero to -// fail verification and non-zero to proceed. Typically, it will return |ok|, -// which preserves the default behavior. Returning one when |ok| is zero will -// proceed past some error. The callback may inspect |ctx| and the error queue -// to attempt to determine the current stage of certificate verification, but -// this is often unreliable. +// fail verification and one to proceed. Typically, it will return |ok|, which +// preserves the default behavior. Returning one when |ok| is zero will proceed +// past some error. 
The callback may inspect |ctx| and the error queue to +// attempt to determine the current stage of certificate verification, but this +// is often unreliable. When synthesizing an error, callbacks should use +// |X509_STORE_CTX_set_error| to set a corresponding error. // // WARNING: Do not use this function. It is extremely fragile and unpredictable. // This callback exposes implementation details of certificate verification, // which change as the library evolves. Attempting to use it for security checks // can introduce vulnerabilities if making incorrect assumptions about when the -// callback is called. Additionally, overriding |ok| may leave |ctx| in an -// inconsistent state and break invariants. +// callback is called. Some errors, when suppressed, may implicitly suppress +// other errors due to internal implementation details. Additionally, overriding +// |ok| may leave |ctx| in an inconsistent state and break invariants. // // Instead, customize certificate verification by configuring options on the // |X509_STORE_CTX| before verification, or applying additional checks after 
@@ -2935,68 +5282,106 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb( X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); -OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( - X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, - X509_VERIFY_PARAM *param); -OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, - const char *name); +// X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets +// the verify callback for any |X509_STORE_CTX| created from this |X509_STORE| +// +// Do not use this function. See |X509_STORE_CTX_set_verify_cb| for details. +OPENSSL_EXPORT void X509_STORE_set_verify_cb( + X509_STORE *store, X509_STORE_CTX_verify_cb verify_cb); -// X509_VERIFY_PARAM functions +// X509_STORE_set_verify_cb_func is a deprecated alias for +// |X509_STORE_set_verify_cb|. +#define X509_STORE_set_verify_cb_func(store, func) \ + X509_STORE_set_verify_cb((store), (func)) -OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); -OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param); -OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, - const char *name); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, - unsigned long flags); -OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, - unsigned long flags); -OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( - X509_VERIFY_PARAM *param); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, - int purpose); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, - int trust); -OPENSSL_EXPORT void 
X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, - int depth); -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, - time_t t); -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param, - int64_t t); -OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, - ASN1_OBJECT *policy); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies( - X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies); +// X509_STORE_CTX_set_chain configures |ctx| to use |sk| for untrusted +// intermediate certificates to use in verification. This function is redundant +// with the |chain| parameter of |X509_STORE_CTX_init|. Use the parameter +// instead. +// +// WARNING: Despite the similar name, this function is unrelated to +// |X509_STORE_CTX_get0_chain|. +// +// WARNING: This function saves a pointer to |sk| without copying or +// incrementing reference counts. |sk| must outlive |ctx| and may not be mutated +// for the duration of the certificate verification. +OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, + STACK_OF(X509) *sk); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, - const char *name, - size_t namelen); -OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, - const char *name, - size_t namelen); -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, - unsigned int flags); -OPENSSL_EXPORT char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, - const char *email, - size_t emaillen); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, - const unsigned char *ip, - size_t iplen); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, - const char *ipasc); +// The following flags do nothing. The corresponding non-standard options have +// been removed. 
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0 +#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0 +#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 -OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); -OPENSSL_EXPORT const char *X509_VERIFY_PARAM_get0_name( - const X509_VERIFY_PARAM *param); +// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in +// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is +// always enabled. +#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 + +// X509_STORE_get0_objects returns a non-owning pointer of |store|'s internal +// object list. Although this function is not const, callers must not modify +// the result of this function. +// +// WARNING: This function is not thread-safe. If |store| is shared across +// multiple threads, callers cannot safely inspect the result of this function, +// because another thread may have concurrently added to it. In particular, +// |X509_LOOKUP_add_dir| treats this list as a cache and may add to it in the +// course of certificate verification. This API additionally prevents fixing +// some quadratic worst-case behavior in |X509_STORE| and may be removed in the +// future. Use |X509_STORE_get1_objects| instead. +OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects( + X509_STORE *store); + +// X509_PURPOSE_get_by_sname returns the |X509_PURPOSE_*| constant corresponding +// a short name |sname|, or -1 if |sname| was not recognized. +// +// Use |X509_PURPOSE_*| constants directly instead. The short names used by this +// function look like "sslserver" or "smimeencrypt", so they do not make +// especially good APIs. +// +// This function differs from OpenSSL, which returns an "index" to be passed to +// |X509_PURPOSE_get0|, followed by |X509_PURPOSE_get_id|, to finally obtain an +// |X509_PURPOSE_*| value suitable for use with |X509_VERIFY_PARAM_set_purpose|. 
+OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname); + +// X509_PURPOSE_get0 returns the |X509_PURPOSE| object corresponding to |id|, +// which should be one of the |X509_PURPOSE_*| constants, or NULL if none +// exists. +// +// This function differs from OpenSSL, which takes an "index", returned from +// |X509_PURPOSE_get_by_sname|. In BoringSSL, indices and |X509_PURPOSE_*| IDs +// are the same. +OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int id); + +// X509_PURPOSE_get_id returns |purpose|'s ID. This will be one of the +// |X509_PURPOSE_*| constants. +OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *purpose); + +// The following constants are values for the legacy Netscape certificate type +// X.509 extension, a precursor to extended key usage. These values correspond +// to the DER encoding of the first byte of the BIT STRING. That is, 0x80 is +// bit zero and 0x01 is bit seven. +// +// TODO(davidben): These constants are only used by OpenVPN, which deprecated +// the feature in 2017. The documentation says it was removed, but they did not +// actually remove it. See if OpenVPN will accept a patch to finish this. +#define NS_SSL_CLIENT 0x80 +#define NS_SSL_SERVER 0x40 +#define NS_SMIME 0x20 +#define NS_OBJSIGN 0x10 +#define NS_SSL_CA 0x04 +#define NS_SMIME_CA 0x02 +#define NS_OBJSIGN_CA 0x01 +#define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA) + + +// Private structures. -OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup( - const char *name); +struct X509_algor_st { + ASN1_OBJECT *algorithm; + ASN1_TYPE *parameter; +} /* X509_ALGOR */; #if defined(__cplusplus) 
@@ -3008,7 +5393,18 @@ extern "C++" { BSSL_NAMESPACE_BEGIN +BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free) +BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free) +BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free) +// TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free. +BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free) +BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free) +BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free) +BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free) +BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free) BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free) +BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free) +BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free) BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free) BORINGSSL_MAKE_DELETER(X509, X509_free) BORINGSSL_MAKE_UP_REF(X509, X509_up_ref) @@ -3021,7 +5417,7 @@ BORINGSSL_MAKE_DELETER(X509_INFO, X509_INFO_free) BORINGSSL_MAKE_DELETER(X509_LOOKUP, X509_LOOKUP_free) BORINGSSL_MAKE_DELETER(X509_NAME, X509_NAME_free) BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free) -BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free) +BORINGSSL_MAKE_DELETER(X509_OBJECT, X509_OBJECT_free) BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free) BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free) BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free) diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3.h index c4c3f6039..23e4108a8 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3.h 
@@ -1,219 +1,36 @@ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. +/* Copyright (c) 2023, Google Inc. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). */ + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/ #ifndef OPENSSL_HEADER_X509V3_H #define OPENSSL_HEADER_X509V3_H -#include "CNIOBoringSSL_bio.h" -#include "CNIOBoringSSL_conf.h" -#include "CNIOBoringSSL_lhash.h" +// This header primarily exists in order to make compiling against code that +// expects OpenSSL easier. We have merged this header into . +// However, due to conflicts, some deprecated symbols are defined here. #include "CNIOBoringSSL_x509.h" -#if defined(__cplusplus) -extern "C" { -#endif - - -// Legacy X.509 library. -// -// This header is part of OpenSSL's X.509 implementation. It is retained for -// compatibility but otherwise underdocumented and not actively maintained. In -// the future, a replacement library will be available. Meanwhile, minimize -// dependencies on this header where possible. - - -// Forward reference -struct v3_ext_method; -struct v3_ext_ctx; - -// Useful typedefs - -typedef struct v3_ext_method X509V3_EXT_METHOD; - -typedef void *(*X509V3_EXT_NEW)(void); -typedef void (*X509V3_EXT_FREE)(void *); -typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long); -typedef int (*X509V3_EXT_I2D)(void *, unsigned char **); -typedef STACK_OF(CONF_VALUE) *(*X509V3_EXT_I2V)(const X509V3_EXT_METHOD *method, - void *ext, - STACK_OF(CONF_VALUE) *extlist); -typedef void *(*X509V3_EXT_V2I)(const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, - const STACK_OF(CONF_VALUE) *values); -typedef char *(*X509V3_EXT_I2S)(const X509V3_EXT_METHOD *method, void *ext); -typedef void *(*X509V3_EXT_S2I)(const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, const char *str); -typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext, - BIO *out, int indent); -typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, const char *str); - -// V3 extension structure - -struct v3_ext_method { - int ext_nid; - int ext_flags; - - // it determines how values of this extension are allocated, released, parsed, - // and marshalled. 
This must be non-NULL. - ASN1_ITEM_EXP *it; - - // The following functions are ignored in favor of |it|. They are retained in - // the struct only for source compatibility with existing struct definitions. - X509V3_EXT_NEW ext_new; - X509V3_EXT_FREE ext_free; - X509V3_EXT_D2I d2i; - X509V3_EXT_I2D i2d; - - // The following pair is used for string extensions - X509V3_EXT_I2S i2s; - X509V3_EXT_S2I s2i; - - // The following pair is used for multi-valued extensions - X509V3_EXT_I2V i2v; - X509V3_EXT_V2I v2i; - - // The following are used for raw extensions - X509V3_EXT_I2R i2r; - X509V3_EXT_R2I r2i; - - void *usr_data; // Any extension specific data -}; - -DEFINE_STACK_OF(X509V3_EXT_METHOD) - -// ext_flags values -#define X509V3_EXT_CTX_DEP 0x2 -#define X509V3_EXT_MULTILINE 0x4 - -struct BASIC_CONSTRAINTS_st { - int ca; - ASN1_INTEGER *pathlen; -}; - - -typedef struct otherName_st { - ASN1_OBJECT *type_id; - ASN1_TYPE *value; -} OTHERNAME; - -typedef struct EDIPartyName_st { - ASN1_STRING *nameAssigner; - ASN1_STRING *partyName; -} EDIPARTYNAME; - -typedef struct GENERAL_NAME_st { -#define GEN_OTHERNAME 0 -#define GEN_EMAIL 1 -#define GEN_DNS 2 -#define GEN_X400 3 -#define GEN_DIRNAME 4 -#define GEN_EDIPARTY 5 -#define GEN_URI 6 -#define GEN_IPADD 7 -#define GEN_RID 8 - - int type; - union { - char *ptr; - OTHERNAME *otherName; // otherName - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; - ASN1_STRING *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; - ASN1_OCTET_STRING *iPAddress; - ASN1_OBJECT *registeredID; - - // Old names - ASN1_OCTET_STRING *ip; // iPAddress - X509_NAME *dirn; // dirn - ASN1_IA5STRING *ia5; // rfc822Name, dNSName, uniformResourceIdentifier - ASN1_OBJECT *rid; // registeredID - } d; -} GENERAL_NAME; - -DEFINE_STACK_OF(GENERAL_NAME) - -typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; - -DEFINE_STACK_OF(GENERAL_NAMES) - -typedef struct ACCESS_DESCRIPTION_st { - ASN1_OBJECT 
*method; - GENERAL_NAME *location; -} ACCESS_DESCRIPTION; - -DEFINE_STACK_OF(ACCESS_DESCRIPTION) - -typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; - -typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE; -typedef struct DIST_POINT_NAME_st { - int type; - union { - GENERAL_NAMES *fullname; - STACK_OF(X509_NAME_ENTRY) *relativename; - } name; - // If relativename then this contains the full distribution point name - X509_NAME *dpname; -} DIST_POINT_NAME; -// All existing reasons -#define CRLDP_ALL_REASONS 0x807f +// CRL reason constants. +// TODO(davidben): These constants live here because strongswan defines +// conflicting symbols and has been relying on them only being defined in +// . Defining the constants in would break +// strongswan, but we would also like for new code to only need +// . Introduce properly namespaced versions of these constants +// and, separately, see if we can fix strongswan to similarly avoid the +// conflict. Between OpenSSL, strongswan, and wincrypt.h all defining these +// constants, it seems best for everyone to just avoid them going forward. #define CRL_REASON_NONE (-1) #define CRL_REASON_UNSPECIFIED 0 #define CRL_REASON_KEY_COMPROMISE 1 
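Review bot: Consumers that reached `BIO`, `CONF` or `LHASH` declarations transitively through this header lose them: the new side keeps only the `CNIOBoringSSL_x509.h` include while `CNIOBoringSSL_bio.h`, `CNIOBoringSSL_conf.h` and `CNIOBoringSSL_lhash.h` are removed, so such callers now need direct includes unless `CNIOBoringSSL_x509.h` happens to provide them, which is not visible here. The new header comment also names the header this one was merged into, but that name is empty on this page (likely an angle-bracketed upstream path lost in rendering), and in this vendored tree it would be more useful to spell out the local name, e.g. `// We have merged this header into CNIOBoringSSL_x509.h.`; the same applies to the two empty references in the `CRL_REASON_*` TODO. Stating in the PR description that this header no longer re-exports the bio/conf/lhash headers would make the break discoverable for package users.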
@@ -226,825 +43,21 @@ typedef struct DIST_POINT_NAME_st { #define CRL_REASON_PRIVILEGE_WITHDRAWN 9 #define CRL_REASON_AA_COMPROMISE 10 -struct DIST_POINT_st { - DIST_POINT_NAME *distpoint; - ASN1_BIT_STRING *reasons; - GENERAL_NAMES *CRLissuer; - int dp_reasons; -}; - -typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; - -DEFINE_STACK_OF(DIST_POINT) - -struct AUTHORITY_KEYID_st { - ASN1_OCTET_STRING *keyid; - GENERAL_NAMES *issuer; - ASN1_INTEGER *serial; -}; - -typedef struct NOTICEREF_st { - ASN1_STRING *organization; - STACK_OF(ASN1_INTEGER) *noticenos; -} NOTICEREF; - -typedef struct USERNOTICE_st { - NOTICEREF *noticeref; - ASN1_STRING *exptext; -} USERNOTICE; - -typedef struct POLICYQUALINFO_st { - ASN1_OBJECT *pqualid; - union { - ASN1_IA5STRING *cpsuri; - USERNOTICE *usernotice; - ASN1_TYPE *other; - } d; -} POLICYQUALINFO; - -DEFINE_STACK_OF(POLICYQUALINFO) - -typedef struct POLICYINFO_st { - ASN1_OBJECT *policyid; - STACK_OF(POLICYQUALINFO) *qualifiers; -} POLICYINFO; - -typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; - -DEFINE_STACK_OF(POLICYINFO) - -typedef struct POLICY_MAPPING_st { - ASN1_OBJECT *issuerDomainPolicy; - ASN1_OBJECT *subjectDomainPolicy; -} POLICY_MAPPING; - -DEFINE_STACK_OF(POLICY_MAPPING) - -typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; - -typedef struct GENERAL_SUBTREE_st { - GENERAL_NAME *base; - ASN1_INTEGER *minimum; - ASN1_INTEGER *maximum; -} GENERAL_SUBTREE; - -DEFINE_STACK_OF(GENERAL_SUBTREE) - -struct NAME_CONSTRAINTS_st { - STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; - STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; -}; - -typedef struct POLICY_CONSTRAINTS_st { - ASN1_INTEGER *requireExplicitPolicy; - ASN1_INTEGER *inhibitPolicyMapping; -} POLICY_CONSTRAINTS; - -struct ISSUING_DIST_POINT_st { - DIST_POINT_NAME *distpoint; - int onlyuser; - int onlyCA; - ASN1_BIT_STRING *onlysomereasons; - int indirectCRL; - int onlyattr; -}; - -// Values in idp_flags field -// IDP present -#define IDP_PRESENT 0x1 -// IDP values inconsistent 
-#define IDP_INVALID 0x2 -// onlyuser true -#define IDP_ONLYUSER 0x4 -// onlyCA true -#define IDP_ONLYCA 0x8 -// onlyattr true -#define IDP_ONLYATTR 0x10 -// indirectCRL true -#define IDP_INDIRECT 0x20 -// onlysomereasons present -#define IDP_REASONS 0x40 - - - -// X509_PURPOSE stuff - -#define EXFLAG_BCONS 0x1 -#define EXFLAG_KUSAGE 0x2 -#define EXFLAG_XKUSAGE 0x4 -#define EXFLAG_NSCERT 0x8 - -#define EXFLAG_CA 0x10 -// Really self issued not necessarily self signed -#define EXFLAG_SI 0x20 -#define EXFLAG_V1 0x40 -#define EXFLAG_INVALID 0x80 -#define EXFLAG_SET 0x100 -#define EXFLAG_CRITICAL 0x200 - -#define EXFLAG_FRESHEST 0x1000 -// Self signed -#define EXFLAG_SS 0x2000 - -#define KU_DIGITAL_SIGNATURE 0x0080 -#define KU_NON_REPUDIATION 0x0040 -#define KU_KEY_ENCIPHERMENT 0x0020 -#define KU_DATA_ENCIPHERMENT 0x0010 -#define KU_KEY_AGREEMENT 0x0008 -#define KU_KEY_CERT_SIGN 0x0004 -#define KU_CRL_SIGN 0x0002 -#define KU_ENCIPHER_ONLY 0x0001 -#define KU_DECIPHER_ONLY 0x8000 - -#define NS_SSL_CLIENT 0x80 -#define NS_SSL_SERVER 0x40 -#define NS_SMIME 0x20 -#define NS_OBJSIGN 0x10 -#define NS_SSL_CA 0x04 -#define NS_SMIME_CA 0x02 -#define NS_OBJSIGN_CA 0x01 -#define NS_ANY_CA (NS_SSL_CA | NS_SMIME_CA | NS_OBJSIGN_CA) - -#define XKU_SSL_SERVER 0x1 -#define XKU_SSL_CLIENT 0x2 -#define XKU_SMIME 0x4 -#define XKU_CODE_SIGN 0x8 -#define XKU_SGC 0x10 -#define XKU_OCSP_SIGN 0x20 -#define XKU_TIMESTAMP 0x40 -#define XKU_DVCS 0x80 -#define XKU_ANYEKU 0x100 - -#define X509_PURPOSE_DYNAMIC 0x1 -#define X509_PURPOSE_DYNAMIC_NAME 0x2 - -typedef struct x509_purpose_st { - int purpose; - int trust; // Default trust ID - int flags; - int (*check_purpose)(const struct x509_purpose_st *, const X509 *, int); - char *name; - char *sname; - void *usr_data; -} X509_PURPOSE; - -#define X509_PURPOSE_SSL_CLIENT 1 -#define X509_PURPOSE_SSL_SERVER 2 -#define X509_PURPOSE_NS_SSL_SERVER 3 -#define X509_PURPOSE_SMIME_SIGN 4 -#define X509_PURPOSE_SMIME_ENCRYPT 5 -#define X509_PURPOSE_CRL_SIGN 6 
-#define X509_PURPOSE_ANY 7 -#define X509_PURPOSE_OCSP_HELPER 8 -#define X509_PURPOSE_TIMESTAMP_SIGN 9 - -#define X509_PURPOSE_MIN 1 -#define X509_PURPOSE_MAX 9 - -DEFINE_STACK_OF(X509_PURPOSE) - -DECLARE_ASN1_FUNCTIONS_const(BASIC_CONSTRAINTS) - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID) - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(GENERAL_NAME) -OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a); - -// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it -// appends the value to |ret| and returns |ret| on success or NULL on error. If -// it returns NULL, the caller is still responsible for freeing |ret|. If |ret| -// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the -// result. |method| is ignored. -// -// Do not use this function. This is an internal implementation detail of the -// human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. -OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( - const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen, - STACK_OF(CONF_VALUE) *ret); - -// GENERAL_NAME_print prints a human-readable representation of |gen| to |out|. -// It returns one on success and zero on error. -// -// TODO(davidben): Actually, it just returns one and doesn't check for I/O or -// allocation errors. But it should return zero on error. -OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES) - -// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is -// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL -// on error. 
If it returns NULL, the caller is still responsible for freeing -// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| -// containing the results. |method| is ignored. -// -// Do not use this function. This is an internal implementation detail of the -// human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. -OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( - const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen, - STACK_OF(CONF_VALUE) *extlist); -OPENSSL_EXPORT GENERAL_NAMES *v2i_GENERAL_NAMES( - const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, - const STACK_OF(CONF_VALUE) *nval); - -DECLARE_ASN1_FUNCTIONS_const(OTHERNAME) -DECLARE_ASN1_FUNCTIONS_const(EDIPARTYNAME) -OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, - void *value); -OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype); -OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, - ASN1_OBJECT *oid, - ASN1_TYPE *value); -OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, - ASN1_OBJECT **poid, - ASN1_TYPE **pvalue); - -// i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a -// newly-allocated, NUL-terminated string, or NULL on error. |method| is -// ignored. The caller must release the result with |OPENSSL_free| when done. 
-OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method, - const ASN1_OCTET_STRING *oct); - -OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING( - const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str); - -DECLARE_ASN1_FUNCTIONS_const(EXTENDED_KEY_USAGE) -OPENSSL_EXPORT int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a); - -DECLARE_ASN1_FUNCTIONS_const(CERTIFICATEPOLICIES) -DECLARE_ASN1_FUNCTIONS_const(POLICYINFO) -DECLARE_ASN1_FUNCTIONS_const(POLICYQUALINFO) -DECLARE_ASN1_FUNCTIONS_const(USERNOTICE) -DECLARE_ASN1_FUNCTIONS_const(NOTICEREF) - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(DIST_POINT) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT) - -OPENSSL_EXPORT int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, - X509_NAME *iname); - -OPENSSL_EXPORT int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc); - -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. -DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION) -// TODO(https://crbug.com/boringssl/407): This is not const because it contains -// an |X509_NAME|. 
-DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS) - -DECLARE_ASN1_ITEM(POLICY_MAPPING) -DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING) -DECLARE_ASN1_ITEM(POLICY_MAPPINGS) - -DECLARE_ASN1_ITEM(GENERAL_SUBTREE) -DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE) - -DECLARE_ASN1_ITEM(NAME_CONSTRAINTS) -DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS) - -DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS) -DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) - -OPENSSL_EXPORT GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, - const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, int gen_type, - const char *value, int is_nc); - -OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, - const X509V3_CTX *ctx, - const CONF_VALUE *cnf); -OPENSSL_EXPORT GENERAL_NAME *v2i_GENERAL_NAME_ex( - GENERAL_NAME *out, const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, - const CONF_VALUE *cnf, int is_nc); -OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val); - - -// Deprecated config-based extension creation. -// -// The following functions allow specifying X.509 extensions using OpenSSL's -// config file syntax, from the OpenSSL command-line tool. They are retained, -// for now, for compatibility with legacy software but may be removed in the -// future. Construct the extensions using the typed C APIs instead. -// -// Callers should especially avoid these functions if passing in non-constant -// values. They use ad-hoc, string-based formats which are prone to injection -// vulnerabilities. For a CA, this means using them risks misissuance. -// -// These functions are not safe to use with untrusted inputs. The string formats -// may implicitly reference context information and, in OpenSSL (though not -// BoringSSL), one even allows reading arbitrary files. Many formats can also -// produce far larger outputs than their inputs, so untrusted inputs may lead to -// denial-of-service attacks. 
Finally, the parsers see much less testing and -// review than most of the library and may have bugs including memory leaks or -// crashes. - -// v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for -// constructing extensions. Some string formats reference additional values in -// these objects. It must be initialized with |X509V3_set_ctx| or -// |X509V3_set_ctx_test| before use. -struct v3_ext_ctx { - int flags; - const X509 *issuer_cert; - const X509 *subject_cert; - const X509_REQ *subject_req; - const X509_CRL *crl; - const CONF *db; -}; - -#define X509V3_CTX_TEST 0x1 - -// X509V3_set_ctx initializes |ctx| with the specified objects. Some string -// formats will reference fields in these objects. Each object may be NULL to -// omit it, in which case those formats cannot be used. |flags| should be zero, -// unless called via |X509V3_set_ctx_test|. -// -// |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|. -OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, - const X509 *subject, const X509_REQ *req, - const X509_CRL *crl, int flags); - -// X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and -// mocks out some features that use them. The resulting extensions may be -// incomplete and should be discarded. This can be used to partially validate -// syntax. -// -// TODO(davidben): Can we remove this? -#define X509V3_set_ctx_test(ctx) \ - X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST) - -// X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must -// have previously been initialized by |X509V3_set_ctx| or -// |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|. -// |conf| may be NULL, in which case these formats cannot be used. If non-NULL, -// |conf| must outlive |ctx|. -OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf); - -// X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database. 
-#define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL) - -// X509V3_EXT_nconf constructs an extension of type specified by |name|, and -// value specified by |value|. It returns a newly-allocated |X509_EXTENSION| -// object on success, or NULL on error. |conf| and |ctx| specify additional -// information referenced by some formats. Either |conf| or |ctx| may be NULL, -// in which case features which use it will be disabled. -// -// If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or -// |X509V3_set_ctx_test|. -// -// Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most -// features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use -// |conf|. Callers should ensure the two match to avoid surprisingly behavior. -OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, - const X509V3_CTX *ctx, - const char *name, - const char *value); - -// X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension -// type is specified as a NID. -OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, - const X509V3_CTX *ctx, - int ext_nid, - const char *value); - -// X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL. -// -// TODO(davidben): This is the only exposed instance of an LHASH in our public -// headers. cryptography.io wraps this function so we cannot, yet, replace the -// type with a dummy struct. -OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, - const X509V3_CTX *ctx, - int ext_nid, - const char *value); - -// X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For -// each |CONF_VALUE| in the section, it constructs an extension as in -// |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new -// extension is appended to |*sk|. If |*sk| is non-NULL, and at least one -// extension is added, it sets |*sk| to a newly-allocated -// |STACK_OF(X509_EXTENSION)|. 
It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf, - const X509V3_CTX *ctx, - const char *section, - STACK_OF(X509_EXTENSION) **sk); - -// X509V3_EXT_add_nconf adds extensions to |cert| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx, - const char *section, X509 *cert); - -// X509V3_EXT_REQ_add_nconf adds extensions to |req| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf, - const X509V3_CTX *ctx, - const char *section, X509_REQ *req); - -// X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. -OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf, - const X509V3_CTX *ctx, - const char *section, X509_CRL *crl); - - -OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *meth, - const ASN1_INTEGER *aint); -OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *meth, - const char *value); -OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *meth, - const ASN1_ENUMERATED *aint); - -// X509V3_EXT_add registers |ext| as a custom extension for the extension type -// |ext->ext_nid|. |ext| must be valid for the remainder of the address space's -// lifetime. It returns one on success and zero on error. -// -// WARNING: This function modifies global state. If other code in the same -// address space also registers an extension with type |ext->ext_nid|, the two -// registrations will conflict. Which registration takes effect is undefined. If -// the two registrations use incompatible in-memory representations, code -// expecting the other registration will then cast a type to the wrong type, -// resulting in a potentially exploitable memory error. 
This conflict can also -// occur if BoringSSL later adds support for |ext->ext_nid|, with a different -// in-memory representation than the one expected by |ext|. -// -// This function, additionally, is not thread-safe and cannot be called -// concurrently with any other BoringSSL function. -// -// As a result, it is impossible to safely use this function. Registering a -// custom extension has no impact on certificate verification so, instead, -// callers should simply handle the custom extension with the byte-based -// |X509_EXTENSION| APIs directly. Registering |ext| with the library has little -// practical value. -OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext); - -// X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The -// corresponding ASN.1 type is copied from |nid_from|. It returns one on success -// and zero on error. -// -// WARNING: Do not use this function. See |X509V3_EXT_add|. -OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to, - int nid_from); - -OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get( - const X509_EXTENSION *ext); -OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); -OPENSSL_EXPORT int X509V3_add_standard_extensions(void); - -// X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated -// structure, with type dependent on the type of the extension. It returns NULL -// if |ext| is an unsupported extension or if there was a syntax error in the -// extension. The caller should cast the return value to the expected type and -// free the structure when done. -// -// WARNING: Casting the return value to the wrong type is a potentially -// exploitable memory error, so callers must not use this function before -// checking |ext| is of a known type. -OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext); - -// X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|. 
-// If found, it decodes it and returns a newly-allocated structure, with type -// dependent on |nid|. If the extension is not found or on error, it returns -// NULL. The caller may distinguish these cases using the |out_critical| value. -// -// If |out_critical| is not NULL, this function sets |*out_critical| to one if -// the extension is found and critical, zero if it is found and not critical, -1 -// if it is not found, and -2 if there is an invalid duplicate extension. Note -// this function may set |*out_critical| to one or zero and still return NULL if -// the extension is found but has a syntax error. -// -// If |out_idx| is not NULL, this function looks for the first occurrence of the -// extension after |*out_idx|. It then sets |*out_idx| to the index of the -// extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions -// are not treated as an error. Callers, however, should not rely on this -// behavior as it may be removed in the future. Duplicate extensions are -// forbidden in RFC 5280. -// -// WARNING: This function is difficult to use correctly. Callers should pass a -// non-NULL |out_critical| and check both the return value and |*out_critical| -// to handle errors. If the return value is NULL and |*out_critical| is not -1, -// there was an error. Otherwise, the function succeeded and but may return NULL -// for a missing extension. Callers should pass NULL to |out_idx| so that -// duplicate extensions are handled correctly. -// -// Additionally, casting the return value to the wrong type is a potentially -// exploitable memory error, so callers must ensure the cast and |nid| match. -OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, - int nid, int *out_critical, int *out_idx); - -// X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and -// releases memory associated with it. It returns one on success and zero if -// |nid| is not a known extension. 
-// -// WARNING: Casting |ext_data| to the wrong type is a potentially exploitable -// memory error, so callers must ensure |ext_data|'s type matches |nid|. -// -// TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it? -OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data); - -// X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to -// |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION| -// object containing the serialization, or NULL on error. The |X509_EXTENSION| -// has OID |ext_nid| and is critical if |crit| is one. -// -// WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable -// memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|. -OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, - void *ext_struc); - -// The following constants control the behavior of |X509V3_add1_i2d| and related -// functions. - -// X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate -// extensions are processed. -#define X509V3_ADD_OP_MASK 0xfL - -// X509V3_ADD_DEFAULT causes the function to fail if the extension was already -// present. -#define X509V3_ADD_DEFAULT 0L - -// X509V3_ADD_APPEND causes the function to unconditionally appended the new -// extension to to the extensions list, even if there is a duplicate. -#define X509V3_ADD_APPEND 1L - -// X509V3_ADD_REPLACE causes the function to replace the existing extension, or -// append if it is not present. -#define X509V3_ADD_REPLACE 2L - -// X509V3_ADD_REPLACE causes the function to replace the existing extension and -// fail if it is not present. -#define X509V3_ADD_REPLACE_EXISTING 3L - -// X509V3_ADD_KEEP_EXISTING causes the function to succeed without replacing the -// extension if already present. -#define X509V3_ADD_KEEP_EXISTING 4L - -// X509V3_ADD_DELETE causes the function to remove the matching extension. No -// new extension is added. 
If there is no matching extension, the function -// fails. The |value| parameter is ignored in this mode. -#define X509V3_ADD_DELETE 5L - -// X509V3_ADD_SILENT may be ORed into one of the values above to indicate the -// function should not add to the error queue on duplicate or missing extension. -// The function will continue to return zero in those cases, and it will -// continue to return -1 and add to the error queue on other errors. -#define X509V3_ADD_SILENT 0x10 - -// X509V3_add1_i2d casts |value| to the type that corresponds to |nid|, -// serializes it, and appends it to the extension list in |*x|. If |*x| is NULL, -// it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed. -// The |crit| parameter determines whether the new extension is critical. -// |flags| may be some combination of the |X509V3_ADD_*| constants to control -// the function's behavior on duplicate extension. -// -// This function returns one on success, zero if the operation failed due to a -// missing or duplicate extension, and -1 on other errors. -// -// WARNING: Casting |value| to the wrong type is a potentially exploitable -// memory error, so callers must ensure |value|'s type matches |nid|. -OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, - void *value, int crit, unsigned long flags); - -#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) - -// X509V3_EXT_DEFAULT causes unknown extensions or syntax errors to return -// failure. -#define X509V3_EXT_DEFAULT 0 -// X509V3_EXT_ERROR_UNKNOWN causes unknown extensions or syntax errors to print -// as "" or "", respectively. -#define X509V3_EXT_ERROR_UNKNOWN (1L << 16) -// X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like -// |X509V3_EXT_DUMP_UNKNOWN|. -#define X509V3_EXT_PARSE_UNKNOWN (2L << 16) -// X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a -// hexdump. 
-#define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
-
-OPENSSL_EXPORT void X509V3_EXT_val_prn(BIO *out,
- const STACK_OF(CONF_VALUE) *val,
- int indent, int ml);
-OPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext,
- unsigned long flag, int indent);
-OPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext,
- int flag, int indent);
-
-// X509V3_extensions_print prints |title|, followed by a human-readable
-// representation of |exts| to |out|. It returns one on success and zero on
-// error. The output is indented by |indent| spaces. |flag| is one of the
-// |X509V3_EXT_*| constants and controls printing of unknown extensions and
-// syntax errors.
-OPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title,
- const STACK_OF(X509_EXTENSION) *exts,
- unsigned long flag, int indent);
-
-OPENSSL_EXPORT int X509_check_ca(X509 *x);
-OPENSSL_EXPORT int X509_check_purpose(X509 *x, int id, int ca);
-OPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex);
-OPENSSL_EXPORT int X509_PURPOSE_set(int *p, int purpose);
-OPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject);
-OPENSSL_EXPORT int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
-
-OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x);
-OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x);
-OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x);
-
-// X509_get0_subject_key_id returns |x509|'s subject key identifier, if present.
-// (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not
-// present or if some extension in |x509| was invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509);
-
-// X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key
-// identifier, if the extension and field are present. (See RFC 5280,
-// section 4.2.1.1.) It returns NULL if the extension is not present, if it is
-// present but lacks a keyIdentifier field, or if some extension in |x509| was
-// invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509);
-
-// X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s
-// authority key identifier, if the extension and field are present. (See
-// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
-// if it is present but lacks a authorityCertIssuer field, or if some extension
-// in |x509| was invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509);
-
-// X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s
-// authority key identifier, if the extension and field are present. (See
-// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present,
-// if it is present but lacks a authorityCertSerialNumber field, or if some
-// extension in |x509| was invalid.
-//
-// Note that decoding an |X509| object will not check for invalid extensions. To
-// detect the error case, call |X509_get_extensions_flags| and check the
-// |EXFLAG_INVALID| bit.
-OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509);
-
-OPENSSL_EXPORT int X509_PURPOSE_get_count(void);
-OPENSSL_EXPORT X509_PURPOSE *X509_PURPOSE_get0(int idx);
-OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname);
-OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id);
-OPENSSL_EXPORT int X509_PURPOSE_add(int id, int trust, int flags,
- int (*ck)(const X509_PURPOSE *,
- const X509 *, int),
- const char *name, const char *sname,
- void *arg);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
-OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
-OPENSSL_EXPORT void X509_PURPOSE_cleanup(void);
-OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
-
-OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
-OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
-OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
-OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
-// Flags for X509_check_* functions
-
-// Deprecated: this flag does nothing
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0
-// Disable wildcard matching for dnsName fields and common name.
-#define X509_CHECK_FLAG_NO_WILDCARDS 0x2
-// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in
-// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is
-// always enabled.
-#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
-// Deprecated: this flag does nothing
-#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0
-// Deprecated: this flag does nothing
-#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
-// Skip the subject common name fallback if subjectAltNames is missing.
-#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
-
-OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen,
- unsigned int flags, char **peername);
-OPENSSL_EXPORT int X509_check_email(X509 *x, const char *chk, size_t chklen,
- unsigned int flags);
-OPENSSL_EXPORT int X509_check_ip(X509 *x, const unsigned char *chk,
- size_t chklen, unsigned int flags);
-OPENSSL_EXPORT int X509_check_ip_asc(X509 *x, const char *ipasc,
- unsigned int flags);
-
-OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
-OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
-
-// BEGIN ERROR CODES
-// The following lines are auto generated by the script mkerr.pl. Any changes
-// made after this point may be overwritten when the script is next run.
-
-
-#if defined(__cplusplus)
-} // extern C
-
-extern "C++" {
-
-BSSL_NAMESPACE_BEGIN
-
-BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free)
-BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
-BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free)
-// TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free.
-BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free)
-BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free)
-BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free)
-BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free)
-BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free)
-BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free)
-BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free)
-
-BSSL_NAMESPACE_END
-
-} // extern C++
-#endif
-#define X509V3_R_BAD_IP_ADDRESS 100
-#define X509V3_R_BAD_OBJECT 101
-#define X509V3_R_BN_DEC2BN_ERROR 102
-#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103
-#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104
-#define X509V3_R_DIRNAME_ERROR 105
-#define X509V3_R_DISTPOINT_ALREADY_SET 106
-#define X509V3_R_DUPLICATE_ZONE_ID 107
-#define X509V3_R_ERROR_CONVERTING_ZONE 108
-#define X509V3_R_ERROR_CREATING_EXTENSION 109
-#define X509V3_R_ERROR_IN_EXTENSION 110
-#define X509V3_R_EXPECTED_A_SECTION_NAME 111
-#define X509V3_R_EXTENSION_EXISTS 112
-#define X509V3_R_EXTENSION_NAME_ERROR 113
-#define X509V3_R_EXTENSION_NOT_FOUND 114
-#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115
-#define X509V3_R_EXTENSION_VALUE_ERROR 116
-#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117
-#define X509V3_R_ILLEGAL_HEX_DIGIT 118
-#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119
-#define X509V3_R_INVALID_BOOLEAN_STRING 120
-#define X509V3_R_INVALID_EXTENSION_STRING 121
-#define X509V3_R_INVALID_MULTIPLE_RDNS 122
-#define X509V3_R_INVALID_NAME 123
-#define X509V3_R_INVALID_NULL_ARGUMENT 124
-#define X509V3_R_INVALID_NULL_NAME 125
-#define X509V3_R_INVALID_NULL_VALUE 126
-#define X509V3_R_INVALID_NUMBER 127
-#define X509V3_R_INVALID_NUMBERS 128
-#define X509V3_R_INVALID_OBJECT_IDENTIFIER 129
-#define X509V3_R_INVALID_OPTION 130
-#define X509V3_R_INVALID_POLICY_IDENTIFIER 131
-#define X509V3_R_INVALID_PROXY_POLICY_SETTING 132
-#define X509V3_R_INVALID_PURPOSE 133
-#define X509V3_R_INVALID_SECTION 134
-#define X509V3_R_INVALID_SYNTAX 135
-#define X509V3_R_ISSUER_DECODE_ERROR 136
-#define X509V3_R_MISSING_VALUE 137
-#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138
-#define X509V3_R_NO_CONFIG_DATABASE 139
-#define X509V3_R_NO_ISSUER_CERTIFICATE 140
-#define X509V3_R_NO_ISSUER_DETAILS 141
-#define X509V3_R_NO_POLICY_IDENTIFIER 142
-#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143
-#define X509V3_R_NO_PUBLIC_KEY 144
-#define X509V3_R_NO_SUBJECT_DETAILS 145
-#define X509V3_R_ODD_NUMBER_OF_DIGITS 146
-#define X509V3_R_OPERATION_NOT_DEFINED 147
-#define X509V3_R_OTHERNAME_ERROR 148
-#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149
-#define X509V3_R_POLICY_PATH_LENGTH 150
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151
-#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152
-#define X509V3_R_SECTION_NOT_FOUND 153
-#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154
-#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155
-#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156
-#define X509V3_R_UNKNOWN_EXTENSION 157
-#define X509V3_R_UNKNOWN_EXTENSION_NAME 158
-#define X509V3_R_UNKNOWN_OPTION 159
-#define X509V3_R_UNSUPPORTED_OPTION 160
-#define X509V3_R_UNSUPPORTED_TYPE 161
-#define X509V3_R_USER_TOO_LONG 162
-#define X509V3_R_INVALID_VALUE 163
-#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164
+// Deprecated constants.
+
+// The following constants are legacy aliases for |X509v3_KU_*|. They are
+// defined here instead of in because NSS's public headers use
+// the same symbols. Some callers have inadvertently relied on the conflicts
+// only being defined in this header.
+#define KU_DIGITAL_SIGNATURE X509v3_KU_DIGITAL_SIGNATURE
+#define KU_NON_REPUDIATION X509v3_KU_NON_REPUDIATION
+#define KU_KEY_ENCIPHERMENT X509v3_KU_KEY_ENCIPHERMENT
+#define KU_DATA_ENCIPHERMENT X509v3_KU_DATA_ENCIPHERMENT
+#define KU_KEY_AGREEMENT X509v3_KU_KEY_AGREEMENT
+#define KU_KEY_CERT_SIGN X509v3_KU_KEY_CERT_SIGN
+#define KU_CRL_SIGN X509v3_KU_CRL_SIGN
+#define KU_ENCIPHER_ONLY X509v3_KU_ENCIPHER_ONLY
+#define KU_DECIPHER_ONLY X509v3_KU_DECIPHER_ONLY
 #endif // OPENSSL_HEADER_X509V3_H
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3_errors.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3_errors.h
new file mode 100644
index 000000000..293d268d5
--- /dev/null
+++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_x509v3_errors.h
@@ -0,0 +1,124 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999. */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+
+#ifndef OPENSSL_HEADER_X509V3_ERRORS_H
+#define OPENSSL_HEADER_X509V3_ERRORS_H
+
+#define X509V3_R_BAD_IP_ADDRESS 100
+#define X509V3_R_BAD_OBJECT 101
+#define X509V3_R_BN_DEC2BN_ERROR 102
+#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR 103
+#define X509V3_R_CANNOT_FIND_FREE_FUNCTION 104
+#define X509V3_R_DIRNAME_ERROR 105
+#define X509V3_R_DISTPOINT_ALREADY_SET 106
+#define X509V3_R_DUPLICATE_ZONE_ID 107
+#define X509V3_R_ERROR_CONVERTING_ZONE 108
+#define X509V3_R_ERROR_CREATING_EXTENSION 109
+#define X509V3_R_ERROR_IN_EXTENSION 110
+#define X509V3_R_EXPECTED_A_SECTION_NAME 111
+#define X509V3_R_EXTENSION_EXISTS 112
+#define X509V3_R_EXTENSION_NAME_ERROR 113
+#define X509V3_R_EXTENSION_NOT_FOUND 114
+#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED 115
+#define X509V3_R_EXTENSION_VALUE_ERROR 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION 117
+#define X509V3_R_ILLEGAL_HEX_DIGIT 118
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG 119
+#define X509V3_R_INVALID_BOOLEAN_STRING 120
+#define X509V3_R_INVALID_EXTENSION_STRING 121
+#define X509V3_R_INVALID_MULTIPLE_RDNS 122
+#define X509V3_R_INVALID_NAME 123
+#define X509V3_R_INVALID_NULL_ARGUMENT 124
+#define X509V3_R_INVALID_NULL_NAME 125
+#define X509V3_R_INVALID_NULL_VALUE 126
+#define X509V3_R_INVALID_NUMBER 127
+#define X509V3_R_INVALID_NUMBERS 128
+#define X509V3_R_INVALID_OBJECT_IDENTIFIER 129
+#define X509V3_R_INVALID_OPTION 130
+#define X509V3_R_INVALID_POLICY_IDENTIFIER 131
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING 132
+#define X509V3_R_INVALID_PURPOSE 133
+#define X509V3_R_INVALID_SECTION 134
+#define X509V3_R_INVALID_SYNTAX 135
+#define X509V3_R_ISSUER_DECODE_ERROR 136
+#define X509V3_R_MISSING_VALUE 137
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS 138
+#define X509V3_R_NO_CONFIG_DATABASE 139
+#define X509V3_R_NO_ISSUER_CERTIFICATE 140
+#define X509V3_R_NO_ISSUER_DETAILS 141
+#define X509V3_R_NO_POLICY_IDENTIFIER 142
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED 143
+#define X509V3_R_NO_PUBLIC_KEY 144
+#define X509V3_R_NO_SUBJECT_DETAILS 145
+#define X509V3_R_ODD_NUMBER_OF_DIGITS 146
+#define X509V3_R_OPERATION_NOT_DEFINED 147
+#define X509V3_R_OTHERNAME_ERROR 148
+#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED 149
+#define X509V3_R_POLICY_PATH_LENGTH 150
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED 151
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 152
+#define X509V3_R_SECTION_NOT_FOUND 153
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS 154
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID 155
+#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT 156
+#define X509V3_R_UNKNOWN_EXTENSION 157
+#define X509V3_R_UNKNOWN_EXTENSION_NAME 158
+#define X509V3_R_UNKNOWN_OPTION 159
+#define X509V3_R_UNSUPPORTED_OPTION 160
+#define X509V3_R_UNSUPPORTED_TYPE 161
+#define X509V3_R_USER_TOO_LONG 162
+#define X509V3_R_INVALID_VALUE 163
+#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164
+
+#endif // OPENSSL_HEADER_X509V3_ERRORS_H
diff --git a/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc b/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc
index bf4d7d9c0..f0abaf12e 100644
--- a/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc
+++ b/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc
@@ -207,6 +207,32 @@
 %xdefine _BASIC_CONSTRAINTS_free _ %+ BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_free
 %xdefine _BASIC_CONSTRAINTS_it _ %+ BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_it
 %xdefine _BASIC_CONSTRAINTS_new _ %+ BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_new
+%xdefine _BCM_fips_186_2_prf _ %+ BORINGSSL_PREFIX %+ _BCM_fips_186_2_prf
+%xdefine _BCM_rand_bytes _ %+ BORINGSSL_PREFIX %+ _BCM_rand_bytes
+%xdefine _BCM_rand_bytes_hwrng _ %+ BORINGSSL_PREFIX %+ _BCM_rand_bytes_hwrng
+%xdefine _BCM_rand_bytes_with_additional_data _ %+ BORINGSSL_PREFIX %+ _BCM_rand_bytes_with_additional_data
+%xdefine _BCM_sha1_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_final
+%xdefine _BCM_sha1_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_init
+%xdefine _BCM_sha1_transform _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_transform
+%xdefine _BCM_sha1_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha1_update
+%xdefine _BCM_sha224_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha224_final
+%xdefine _BCM_sha224_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha224_init
+%xdefine _BCM_sha224_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha224_update
+%xdefine _BCM_sha256_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_final
+%xdefine _BCM_sha256_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_init
+%xdefine _BCM_sha256_transform _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_transform
+%xdefine _BCM_sha256_transform_blocks _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_transform_blocks
+%xdefine _BCM_sha256_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha256_update
+%xdefine _BCM_sha384_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha384_final
+%xdefine _BCM_sha384_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha384_init
+%xdefine _BCM_sha384_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha384_update
+%xdefine _BCM_sha512_256_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_256_final
+%xdefine _BCM_sha512_256_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_256_init
+%xdefine _BCM_sha512_256_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_256_update
+%xdefine _BCM_sha512_final _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_final
+%xdefine _BCM_sha512_init _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_init
+%xdefine _BCM_sha512_transform _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_transform
+%xdefine _BCM_sha512_update _ %+ BORINGSSL_PREFIX %+ _BCM_sha512_update
 %xdefine _BIO_append_filename _ %+ BORINGSSL_PREFIX %+ _BIO_append_filename
 %xdefine _BIO_callback_ctrl _ %+ BORINGSSL_PREFIX %+ _BIO_callback_ctrl
 %xdefine _BIO_clear_flags _ %+ BORINGSSL_PREFIX %+ _BIO_clear_flags
@@ -224,6 +250,8 @@
 %xdefine _BIO_free _ %+ BORINGSSL_PREFIX %+ _BIO_free
 %xdefine _BIO_free_all _ %+ BORINGSSL_PREFIX %+ _BIO_free_all
 %xdefine _BIO_get_data _ %+ BORINGSSL_PREFIX %+ _BIO_get_data
+%xdefine _BIO_get_ex_data _ %+ BORINGSSL_PREFIX %+ _BIO_get_ex_data
+%xdefine _BIO_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _BIO_get_ex_new_index
 %xdefine _BIO_get_fd _ %+ BORINGSSL_PREFIX %+ _BIO_get_fd
 %xdefine _BIO_get_fp _ %+ BORINGSSL_PREFIX %+ _BIO_get_fp
 %xdefine _BIO_get_init _ %+ BORINGSSL_PREFIX %+ _BIO_get_init
@@ -281,6 +309,7 @@
 %xdefine _BIO_set_conn_int_port _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_int_port
 %xdefine _BIO_set_conn_port _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_port
 %xdefine _BIO_set_data _ %+ BORINGSSL_PREFIX %+ _BIO_set_data
+%xdefine _BIO_set_ex_data _ %+ BORINGSSL_PREFIX %+ _BIO_set_ex_data
 %xdefine _BIO_set_fd _ %+ BORINGSSL_PREFIX %+ _BIO_set_fd
 %xdefine _BIO_set_flags _ %+ BORINGSSL_PREFIX %+ _BIO_set_flags
 %xdefine _BIO_set_fp _ %+ BORINGSSL_PREFIX %+ _BIO_set_fp
@@ -611,6 +640,7 @@
 %xdefine _CRYPTO_cleanup_all_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_cleanup_all_ex_data
 %xdefine _CRYPTO_ctr128_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt
 %xdefine _CRYPTO_ctr128_encrypt_ctr32 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32
+%xdefine _CRYPTO_fips_186_2_prf _ %+ BORINGSSL_PREFIX %+ _CRYPTO_fips_186_2_prf
 %xdefine _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing _ %+ BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing
 %xdefine _CRYPTO_free _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free
 %xdefine _CRYPTO_free_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data
@@ -627,10 +657,11 @@
 %xdefine _CRYPTO_get_dynlock_destroy_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_destroy_callback
 %xdefine _CRYPTO_get_dynlock_lock_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_lock_callback
 %xdefine _CRYPTO_get_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_ex_data
-%xdefine _CRYPTO_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_ex_new_index
+%xdefine _CRYPTO_get_ex_new_index_ex _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_ex_new_index_ex
 %xdefine _CRYPTO_get_fork_generation _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_fork_generation
 %xdefine _CRYPTO_get_lock_name _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_lock_name
 %xdefine _CRYPTO_get_locking_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_locking_callback
+%xdefine _CRYPTO_get_stderr _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_stderr
 %xdefine _CRYPTO_get_thread_local _ %+ BORINGSSL_PREFIX %+ _CRYPTO_get_thread_local
 %xdefine _CRYPTO_ghash_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ghash_init
 %xdefine _CRYPTO_has_asm _ %+ BORINGSSL_PREFIX %+ _CRYPTO_has_asm
@@ -676,15 +707,24 @@
 %xdefine _CTR_DRBG_init _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_init
 %xdefine _CTR_DRBG_new _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_new
 %xdefine _CTR_DRBG_reseed _ %+ BORINGSSL_PREFIX %+ _CTR_DRBG_reseed
-%xdefine _ChaCha20_ctr32 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32
+%xdefine _ChaCha20_ctr32_avx2 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2
+%xdefine _ChaCha20_ctr32_neon _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon
+%xdefine _ChaCha20_ctr32_nohw _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_nohw
+%xdefine _ChaCha20_ctr32_ssse3 _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3
+%xdefine _ChaCha20_ctr32_ssse3_4x _ %+ BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x
 %xdefine _DES_decrypt3 _ %+ BORINGSSL_PREFIX %+ _DES_decrypt3
 %xdefine _DES_ecb3_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ecb3_encrypt
+%xdefine _DES_ecb3_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ecb3_encrypt_ex
 %xdefine _DES_ecb_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ecb_encrypt
+%xdefine _DES_ecb_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ecb_encrypt_ex
 %xdefine _DES_ede2_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ede2_cbc_encrypt
 %xdefine _DES_ede3_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt
+%xdefine _DES_ede3_cbc_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt_ex
 %xdefine _DES_encrypt3 _ %+ BORINGSSL_PREFIX %+ _DES_encrypt3
 %xdefine _DES_ncbc_encrypt _ %+ BORINGSSL_PREFIX %+ _DES_ncbc_encrypt
+%xdefine _DES_ncbc_encrypt_ex _ %+ BORINGSSL_PREFIX %+ _DES_ncbc_encrypt_ex
 %xdefine _DES_set_key _ %+ BORINGSSL_PREFIX %+ _DES_set_key
+%xdefine _DES_set_key_ex _ %+ BORINGSSL_PREFIX %+ _DES_set_key_ex
 %xdefine _DES_set_key_unchecked _ %+ BORINGSSL_PREFIX %+ _DES_set_key_unchecked
 %xdefine _DES_set_odd_parity _ %+ BORINGSSL_PREFIX %+ _DES_set_odd_parity
 %xdefine _DH_bits _ %+ BORINGSSL_PREFIX %+ _DH_bits
@@ -714,6 +754,16 @@
 %xdefine _DH_size _ %+ BORINGSSL_PREFIX %+ _DH_size
 %xdefine _DH_up_ref _ %+ BORINGSSL_PREFIX %+ _DH_up_ref
 %xdefine _DHparams_dup _ %+ BORINGSSL_PREFIX %+ _DHparams_dup
+%xdefine _DILITHIUM_generate_key _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_generate_key
+%xdefine _DILITHIUM_generate_key_external_entropy _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_generate_key_external_entropy
+%xdefine _DILITHIUM_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_marshal_private_key
+%xdefine _DILITHIUM_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_marshal_public_key
+%xdefine _DILITHIUM_parse_private_key _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_parse_private_key
+%xdefine _DILITHIUM_parse_public_key _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_parse_public_key
+%xdefine _DILITHIUM_public_from_private _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_public_from_private
+%xdefine _DILITHIUM_sign _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_sign
+%xdefine _DILITHIUM_sign_deterministic _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_sign_deterministic
+%xdefine _DILITHIUM_verify _ %+ BORINGSSL_PREFIX %+ _DILITHIUM_verify
 %xdefine _DIRECTORYSTRING_free _ %+ BORINGSSL_PREFIX %+ _DIRECTORYSTRING_free
 %xdefine _DIRECTORYSTRING_it _ %+ BORINGSSL_PREFIX %+ _DIRECTORYSTRING_it
 %xdefine _DIRECTORYSTRING_new _ %+ BORINGSSL_PREFIX %+ _DIRECTORYSTRING_new
@@ -779,7 +829,6 @@
 %xdefine _DTLSv1_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_method
 %xdefine _DTLSv1_server_method _ %+ BORINGSSL_PREFIX %+ _DTLSv1_server_method
 %xdefine _DTLSv1_set_initial_timeout_duration _ %+ BORINGSSL_PREFIX %+ _DTLSv1_set_initial_timeout_duration
-%xdefine _DW.ref.__gxx_personality_v0 _ %+ BORINGSSL_PREFIX %+ _DW.ref.__gxx_personality_v0
 %xdefine _ECDH_compute_key _ %+ BORINGSSL_PREFIX %+ _ECDH_compute_key
 %xdefine _ECDH_compute_key_fips _ %+ BORINGSSL_PREFIX %+ _ECDH_compute_key_fips
 %xdefine _ECDSA_SIG_free _ %+ BORINGSSL_PREFIX %+ _ECDSA_SIG_free
@@ -921,6 +970,7 @@
 %xdefine _ERR_get_error_line_data _ %+ BORINGSSL_PREFIX %+ _ERR_get_error_line_data
 %xdefine _ERR_get_next_error_library _ %+ BORINGSSL_PREFIX %+ _ERR_get_next_error_library
 %xdefine _ERR_lib_error_string _ %+ BORINGSSL_PREFIX %+ _ERR_lib_error_string
+%xdefine _ERR_lib_symbol_name _ %+ BORINGSSL_PREFIX %+ _ERR_lib_symbol_name
 %xdefine _ERR_load_BIO_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_BIO_strings
 %xdefine _ERR_load_ERR_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_ERR_strings
 %xdefine _ERR_load_RAND_strings _ %+ BORINGSSL_PREFIX %+ _ERR_load_RAND_strings
@@ -938,6 +988,7 @@
 %xdefine _ERR_print_errors_fp _ %+ BORINGSSL_PREFIX %+ _ERR_print_errors_fp
 %xdefine _ERR_put_error _ %+ BORINGSSL_PREFIX %+ _ERR_put_error
 %xdefine _ERR_reason_error_string _ %+ BORINGSSL_PREFIX %+ _ERR_reason_error_string
+%xdefine _ERR_reason_symbol_name _ %+ BORINGSSL_PREFIX %+ _ERR_reason_symbol_name
 %xdefine _ERR_remove_state _ %+ BORINGSSL_PREFIX %+ _ERR_remove_state
 %xdefine _ERR_remove_thread_state _ %+ BORINGSSL_PREFIX %+ _ERR_remove_thread_state
 %xdefine _ERR_restore_state _ %+ BORINGSSL_PREFIX %+ _ERR_restore_state
@@ -1110,6 +1161,7 @@
 %xdefine _EVP_PKEY_CTX_set0_rsa_oaep_label _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set0_rsa_oaep_label
 %xdefine _EVP_PKEY_CTX_set1_hkdf_key _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_key
 %xdefine _EVP_PKEY_CTX_set1_hkdf_salt _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_salt
+%xdefine _EVP_PKEY_CTX_set_dh_pad _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dh_pad
 %xdefine _EVP_PKEY_CTX_set_dsa_paramgen_bits _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_bits
 %xdefine _EVP_PKEY_CTX_set_dsa_paramgen_q_bits _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_q_bits
 %xdefine _EVP_PKEY_CTX_set_ec_param_enc _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_ec_param_enc
@@ -1126,6 +1178,7 @@
 %xdefine _EVP_PKEY_CTX_set_rsa_pss_saltlen _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_saltlen
 %xdefine _EVP_PKEY_CTX_set_signature_md _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_signature_md
 %xdefine _EVP_PKEY_assign _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign
+%xdefine _EVP_PKEY_assign_DH _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DH
 %xdefine _EVP_PKEY_assign_DSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DSA
 %xdefine _EVP_PKEY_assign_EC_KEY _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_EC_KEY
 %xdefine _EVP_PKEY_assign_RSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_assign_RSA
@@ -1167,6 +1220,7 @@
 %xdefine _EVP_PKEY_print_params _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_print_params
 %xdefine _EVP_PKEY_print_private _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_print_private
 %xdefine _EVP_PKEY_print_public _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_print_public
+%xdefine _EVP_PKEY_set1_DH _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DH
 %xdefine _EVP_PKEY_set1_DSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DSA
 %xdefine _EVP_PKEY_set1_EC_KEY _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_EC_KEY
 %xdefine _EVP_PKEY_set1_RSA _ %+ BORINGSSL_PREFIX %+ _EVP_PKEY_set1_RSA
@@ -1251,6 +1305,7 @@
 %xdefine _EVP_hpke_aes_256_gcm _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_aes_256_gcm
 %xdefine _EVP_hpke_chacha20_poly1305 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_chacha20_poly1305
 %xdefine _EVP_hpke_hkdf_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_hkdf_sha256
+%xdefine _EVP_hpke_p256_hkdf_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_p256_hkdf_sha256
 %xdefine _EVP_hpke_x25519_hkdf_sha256 _ %+ BORINGSSL_PREFIX %+ _EVP_hpke_x25519_hkdf_sha256
 %xdefine _EVP_marshal_digest_algorithm _ %+ BORINGSSL_PREFIX %+ _EVP_marshal_digest_algorithm
 %xdefine _EVP_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _EVP_marshal_private_key
@@ -1353,6 +1408,40 @@
 %xdefine _MD5_Update _ %+ BORINGSSL_PREFIX %+ _MD5_Update
 %xdefine _METHOD_ref _ %+ BORINGSSL_PREFIX %+ _METHOD_ref
 %xdefine _METHOD_unref _ %+ BORINGSSL_PREFIX %+ _METHOD_unref
+%xdefine _MLDSA65_generate_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_generate_key
+%xdefine _MLDSA65_generate_key_external_entropy _ %+ BORINGSSL_PREFIX %+ _MLDSA65_generate_key_external_entropy
+%xdefine _MLDSA65_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_marshal_private_key
+%xdefine _MLDSA65_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_marshal_public_key
+%xdefine _MLDSA65_parse_private_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_parse_private_key
+%xdefine _MLDSA65_parse_public_key _ %+ BORINGSSL_PREFIX %+ _MLDSA65_parse_public_key
+%xdefine _MLDSA65_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _MLDSA65_private_key_from_seed
+%xdefine _MLDSA65_public_from_private _ %+ BORINGSSL_PREFIX %+ _MLDSA65_public_from_private
+%xdefine _MLDSA65_sign _ %+ BORINGSSL_PREFIX %+ _MLDSA65_sign
+%xdefine _MLDSA65_sign_internal _ %+ BORINGSSL_PREFIX %+ _MLDSA65_sign_internal
+%xdefine _MLDSA65_verify _ %+ BORINGSSL_PREFIX %+ _MLDSA65_verify
+%xdefine _MLDSA65_verify_internal _ %+ BORINGSSL_PREFIX %+ _MLDSA65_verify_internal
+%xdefine _MLKEM1024_decap _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_decap
+%xdefine _MLKEM1024_encap _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_encap
+%xdefine _MLKEM1024_encap_external_entropy _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_encap_external_entropy
+%xdefine _MLKEM1024_generate_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_generate_key
+%xdefine _MLKEM1024_generate_key_external_seed _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_generate_key_external_seed
+%xdefine _MLKEM1024_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_marshal_private_key
+%xdefine _MLKEM1024_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_marshal_public_key
+%xdefine _MLKEM1024_parse_private_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_parse_private_key
+%xdefine _MLKEM1024_parse_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_parse_public_key
+%xdefine _MLKEM1024_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_private_key_from_seed
+%xdefine _MLKEM1024_public_from_private _ %+ BORINGSSL_PREFIX %+ _MLKEM1024_public_from_private
+%xdefine _MLKEM768_decap _ %+ BORINGSSL_PREFIX %+ _MLKEM768_decap
+%xdefine _MLKEM768_encap _ %+ BORINGSSL_PREFIX %+ _MLKEM768_encap
+%xdefine _MLKEM768_encap_external_entropy _ %+ BORINGSSL_PREFIX %+ _MLKEM768_encap_external_entropy
+%xdefine _MLKEM768_generate_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_generate_key
+%xdefine _MLKEM768_generate_key_external_seed _ %+ BORINGSSL_PREFIX %+ _MLKEM768_generate_key_external_seed
+%xdefine _MLKEM768_marshal_private_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_marshal_private_key
+%xdefine _MLKEM768_marshal_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_marshal_public_key
+%xdefine _MLKEM768_parse_private_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_parse_private_key
+%xdefine _MLKEM768_parse_public_key _ %+ BORINGSSL_PREFIX %+ _MLKEM768_parse_public_key
+%xdefine _MLKEM768_private_key_from_seed _ %+ BORINGSSL_PREFIX %+ _MLKEM768_private_key_from_seed
+%xdefine _MLKEM768_public_from_private _ %+ BORINGSSL_PREFIX %+ _MLKEM768_public_from_private
 %xdefine _NAME_CONSTRAINTS_check _ %+ BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_check
 %xdefine _NAME_CONSTRAINTS_free _ %+ BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_free
 %xdefine _NAME_CONSTRAINTS_it _ %+ BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_it
@@ -1417,6 +1506,7 @@
 %xdefine _OPENSSL_gmtime_diff _ %+ BORINGSSL_PREFIX %+ _OPENSSL_gmtime_diff
 %xdefine _OPENSSL_hash32 _ %+ BORINGSSL_PREFIX %+ _OPENSSL_hash32
 %xdefine _OPENSSL_ia32cap_P _ %+ BORINGSSL_PREFIX %+ _OPENSSL_ia32cap_P
+%xdefine _OPENSSL_init_cpuid _ %+ BORINGSSL_PREFIX %+ _OPENSSL_init_cpuid
 %xdefine _OPENSSL_init_crypto _ %+ BORINGSSL_PREFIX %+ _OPENSSL_init_crypto
 %xdefine _OPENSSL_init_ssl _ %+ BORINGSSL_PREFIX %+ _OPENSSL_init_ssl
 %xdefine _OPENSSL_isalnum _ %+ BORINGSSL_PREFIX %+ _OPENSSL_isalnum
@@ -1631,7 +1721,6 @@ %xdefine _RAND_SSLeay _ %+ BORINGSSL_PREFIX %+ _RAND_SSLeay %xdefine _RAND_add _ %+ BORINGSSL_PREFIX %+ _RAND_add %xdefine _RAND_bytes _ %+ BORINGSSL_PREFIX %+ _RAND_bytes -%xdefine _RAND_bytes_with_additional_data _ %+ BORINGSSL_PREFIX %+ _RAND_bytes_with_additional_data %xdefine _RAND_cleanup _ %+ BORINGSSL_PREFIX %+ _RAND_cleanup %xdefine _RAND_disable_fork_unsafe_buffering _ %+ BORINGSSL_PREFIX %+ _RAND_disable_fork_unsafe_buffering %xdefine _RAND_egd _ %+ BORINGSSL_PREFIX %+ _RAND_egd @@ -1655,6 +1744,7 @@ %xdefine _RSA_PSS_PARAMS_new _ %+ BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_new %xdefine _RSA_add_pkcs1_prefix _ %+ BORINGSSL_PREFIX %+ _RSA_add_pkcs1_prefix %xdefine _RSA_bits _ %+ BORINGSSL_PREFIX %+ _RSA_bits +%xdefine _RSA_blinding_off _ %+ BORINGSSL_PREFIX %+ _RSA_blinding_off %xdefine _RSA_blinding_on _ %+ BORINGSSL_PREFIX %+ _RSA_blinding_on %xdefine _RSA_check_fips _ %+ BORINGSSL_PREFIX %+ _RSA_check_fips %xdefine _RSA_check_key _ %+ BORINGSSL_PREFIX %+ _RSA_check_key 
@@ -1751,10 +1841,21 @@ %xdefine _SHA512_Transform _ %+ BORINGSSL_PREFIX %+ _SHA512_Transform %xdefine _SHA512_Update _ %+ BORINGSSL_PREFIX %+ _SHA512_Update %xdefine _SIPHASH_24 _ %+ BORINGSSL_PREFIX %+ _SIPHASH_24 +%xdefine _SLHDSA_SHA2_128S_generate_key _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_generate_key +%xdefine _SLHDSA_SHA2_128S_generate_key_from_seed _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_generate_key_from_seed +%xdefine _SLHDSA_SHA2_128S_public_from_private _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_public_from_private +%xdefine _SLHDSA_SHA2_128S_sign _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_sign +%xdefine _SLHDSA_SHA2_128S_sign_internal _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_sign_internal +%xdefine _SLHDSA_SHA2_128S_verify _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_verify +%xdefine _SLHDSA_SHA2_128S_verify_internal _ %+ BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_verify_internal %xdefine _SPAKE2_CTX_free _ %+ BORINGSSL_PREFIX %+ _SPAKE2_CTX_free %xdefine _SPAKE2_CTX_new _ %+ BORINGSSL_PREFIX %+ _SPAKE2_CTX_new %xdefine _SPAKE2_generate_msg _ %+ BORINGSSL_PREFIX %+ _SPAKE2_generate_msg %xdefine _SPAKE2_process_msg _ %+ BORINGSSL_PREFIX %+ _SPAKE2_process_msg +%xdefine _SPX_generate_key _ %+ BORINGSSL_PREFIX %+ _SPX_generate_key +%xdefine _SPX_generate_key_from_seed _ %+ BORINGSSL_PREFIX %+ _SPX_generate_key_from_seed +%xdefine _SPX_sign _ %+ BORINGSSL_PREFIX %+ _SPX_sign +%xdefine _SPX_verify _ %+ BORINGSSL_PREFIX %+ _SPX_verify %xdefine _SSL_CIPHER_description _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_description %xdefine _SSL_CIPHER_get_auth_nid _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_auth_nid %xdefine _SSL_CIPHER_get_bits _ %+ BORINGSSL_PREFIX %+ _SSL_CIPHER_get_bits 
@@ -1779,8 +1880,23 @@ %xdefine _SSL_COMP_get_compression_methods _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_get_compression_methods %xdefine _SSL_COMP_get_id _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_get_id %xdefine _SSL_COMP_get_name _ %+ BORINGSSL_PREFIX %+ _SSL_COMP_get_name +%xdefine _SSL_CREDENTIAL_free _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_free +%xdefine _SSL_CREDENTIAL_get_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_data +%xdefine _SSL_CREDENTIAL_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_new_index +%xdefine _SSL_CREDENTIAL_new_delegated _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_delegated +%xdefine _SSL_CREDENTIAL_new_x509 _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_x509 +%xdefine _SSL_CREDENTIAL_set1_cert_chain _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_cert_chain +%xdefine _SSL_CREDENTIAL_set1_delegated_credential _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_delegated_credential +%xdefine _SSL_CREDENTIAL_set1_ocsp_response _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_ocsp_response +%xdefine _SSL_CREDENTIAL_set1_private_key _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_private_key +%xdefine _SSL_CREDENTIAL_set1_signed_cert_timestamp_list _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signed_cert_timestamp_list +%xdefine _SSL_CREDENTIAL_set1_signing_algorithm_prefs _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signing_algorithm_prefs +%xdefine _SSL_CREDENTIAL_set_ex_data _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_ex_data +%xdefine _SSL_CREDENTIAL_set_private_key_method _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_private_key_method +%xdefine _SSL_CREDENTIAL_up_ref _ %+ BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_up_ref %xdefine _SSL_CTX_add0_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add0_chain_cert %xdefine _SSL_CTX_add1_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add1_chain_cert +%xdefine _SSL_CTX_add1_credential _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add1_credential %xdefine _SSL_CTX_add_cert_compression_alg _ %+ BORINGSSL_PREFIX %+ 
_SSL_CTX_add_cert_compression_alg %xdefine _SSL_CTX_add_client_CA _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add_client_CA %xdefine _SSL_CTX_add_extra_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_CTX_add_extra_chain_cert @@ -1995,6 +2111,7 @@ %xdefine _SSL_accept _ %+ BORINGSSL_PREFIX %+ _SSL_accept %xdefine _SSL_add0_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_add0_chain_cert %xdefine _SSL_add1_chain_cert _ %+ BORINGSSL_PREFIX %+ _SSL_add1_chain_cert +%xdefine _SSL_add1_credential _ %+ BORINGSSL_PREFIX %+ _SSL_add1_credential %xdefine _SSL_add_application_settings _ %+ BORINGSSL_PREFIX %+ _SSL_add_application_settings %xdefine _SSL_add_bio_cert_subjects_to_stack _ %+ BORINGSSL_PREFIX %+ _SSL_add_bio_cert_subjects_to_stack %xdefine _SSL_add_client_CA _ %+ BORINGSSL_PREFIX %+ _SSL_add_client_CA @@ -2014,7 +2131,6 @@ %xdefine _SSL_clear_options _ %+ BORINGSSL_PREFIX %+ _SSL_clear_options %xdefine _SSL_connect _ %+ BORINGSSL_PREFIX %+ _SSL_connect %xdefine _SSL_cutthrough_complete _ %+ BORINGSSL_PREFIX %+ _SSL_cutthrough_complete -%xdefine _SSL_delegated_credential_used _ %+ BORINGSSL_PREFIX %+ _SSL_delegated_credential_used %xdefine _SSL_do_handshake _ %+ BORINGSSL_PREFIX %+ _SSL_do_handshake %xdefine _SSL_dup_CA_list _ %+ BORINGSSL_PREFIX %+ _SSL_dup_CA_list %xdefine _SSL_early_callback_ctx_extension_get _ %+ BORINGSSL_PREFIX %+ _SSL_early_callback_ctx_extension_get @@ -2030,6 +2146,7 @@ %xdefine _SSL_generate_key_block _ %+ BORINGSSL_PREFIX %+ _SSL_generate_key_block %xdefine _SSL_get0_alpn_selected _ %+ BORINGSSL_PREFIX %+ _SSL_get0_alpn_selected %xdefine _SSL_get0_certificate_types _ %+ BORINGSSL_PREFIX %+ _SSL_get0_certificate_types +%xdefine _SSL_get0_chain _ %+ BORINGSSL_PREFIX %+ _SSL_get0_chain %xdefine _SSL_get0_chain_certs _ %+ BORINGSSL_PREFIX %+ _SSL_get0_chain_certs %xdefine _SSL_get0_ech_name_override _ %+ BORINGSSL_PREFIX %+ _SSL_get0_ech_name_override %xdefine _SSL_get0_ech_retry_configs _ %+ BORINGSSL_PREFIX %+ _SSL_get0_ech_retry_configs 
@@ -2040,6 +2157,7 @@ %xdefine _SSL_get0_peer_certificates _ %+ BORINGSSL_PREFIX %+ _SSL_get0_peer_certificates %xdefine _SSL_get0_peer_delegation_algorithms _ %+ BORINGSSL_PREFIX %+ _SSL_get0_peer_delegation_algorithms %xdefine _SSL_get0_peer_verify_algorithms _ %+ BORINGSSL_PREFIX %+ _SSL_get0_peer_verify_algorithms +%xdefine _SSL_get0_selected_credential _ %+ BORINGSSL_PREFIX %+ _SSL_get0_selected_credential %xdefine _SSL_get0_server_requested_CAs _ %+ BORINGSSL_PREFIX %+ _SSL_get0_server_requested_CAs %xdefine _SSL_get0_session_id_context _ %+ BORINGSSL_PREFIX %+ _SSL_get0_session_id_context %xdefine _SSL_get0_signed_cert_timestamp_list _ %+ BORINGSSL_PREFIX %+ _SSL_get0_signed_cert_timestamp_list @@ -2169,7 +2287,6 @@ %xdefine _SSL_set1_chain _ %+ BORINGSSL_PREFIX %+ _SSL_set1_chain %xdefine _SSL_set1_curves _ %+ BORINGSSL_PREFIX %+ _SSL_set1_curves %xdefine _SSL_set1_curves_list _ %+ BORINGSSL_PREFIX %+ _SSL_set1_curves_list -%xdefine _SSL_set1_delegated_credential _ %+ BORINGSSL_PREFIX %+ _SSL_set1_delegated_credential %xdefine _SSL_set1_ech_config_list _ %+ BORINGSSL_PREFIX %+ _SSL_set1_ech_config_list %xdefine _SSL_set1_group_ids _ %+ BORINGSSL_PREFIX %+ _SSL_set1_group_ids %xdefine _SSL_set1_groups _ %+ BORINGSSL_PREFIX %+ _SSL_set1_groups @@ -2187,6 +2304,8 @@ %xdefine _SSL_set_bio _ %+ BORINGSSL_PREFIX %+ _SSL_set_bio %xdefine _SSL_set_cert_cb _ %+ BORINGSSL_PREFIX %+ _SSL_set_cert_cb %xdefine _SSL_set_chain_and_key _ %+ BORINGSSL_PREFIX %+ _SSL_set_chain_and_key +%xdefine _SSL_set_check_client_certificate_type _ %+ BORINGSSL_PREFIX %+ _SSL_set_check_client_certificate_type +%xdefine _SSL_set_check_ecdsa_curve _ %+ BORINGSSL_PREFIX %+ _SSL_set_check_ecdsa_curve %xdefine _SSL_set_cipher_list _ %+ BORINGSSL_PREFIX %+ _SSL_set_cipher_list %xdefine _SSL_set_client_CA_list _ %+ BORINGSSL_PREFIX %+ _SSL_set_client_CA_list %xdefine _SSL_set_compliance_policy _ %+ BORINGSSL_PREFIX %+ _SSL_set_compliance_policy 
@@ -2336,7 +2455,6 @@ %xdefine _X509V3_EXT_nconf_nid _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_nconf_nid %xdefine _X509V3_EXT_print _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_print %xdefine _X509V3_EXT_print_fp _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_print_fp -%xdefine _X509V3_EXT_val_prn _ %+ BORINGSSL_PREFIX %+ _X509V3_EXT_val_prn %xdefine _X509V3_NAME_from_section _ %+ BORINGSSL_PREFIX %+ _X509V3_NAME_from_section %xdefine _X509V3_add1_i2d _ %+ BORINGSSL_PREFIX %+ _X509V3_add1_i2d %xdefine _X509V3_add_standard_extensions _ %+ BORINGSSL_PREFIX %+ _X509V3_add_standard_extensions @@ -2390,7 +2508,6 @@ %xdefine _X509_CRL_add_ext _ %+ BORINGSSL_PREFIX %+ _X509_CRL_add_ext %xdefine _X509_CRL_cmp _ %+ BORINGSSL_PREFIX %+ _X509_CRL_cmp %xdefine _X509_CRL_delete_ext _ %+ BORINGSSL_PREFIX %+ _X509_CRL_delete_ext -%xdefine _X509_CRL_diff _ %+ BORINGSSL_PREFIX %+ _X509_CRL_diff %xdefine _X509_CRL_digest _ %+ BORINGSSL_PREFIX %+ _X509_CRL_digest %xdefine _X509_CRL_dup _ %+ BORINGSSL_PREFIX %+ _X509_CRL_dup %xdefine _X509_CRL_free _ %+ BORINGSSL_PREFIX %+ _X509_CRL_free 
@@ -2442,15 +2559,12 @@ %xdefine _X509_EXTENSION_set_data _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_set_data %xdefine _X509_EXTENSION_set_object _ %+ BORINGSSL_PREFIX %+ _X509_EXTENSION_set_object %xdefine _X509_INFO_free _ %+ BORINGSSL_PREFIX %+ _X509_INFO_free -%xdefine _X509_INFO_new _ %+ BORINGSSL_PREFIX %+ _X509_INFO_new -%xdefine _X509_LOOKUP_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_by_subject +%xdefine _X509_LOOKUP_add_dir _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_add_dir %xdefine _X509_LOOKUP_ctrl _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_ctrl %xdefine _X509_LOOKUP_file _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_file %xdefine _X509_LOOKUP_free _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_free %xdefine _X509_LOOKUP_hash_dir _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_hash_dir -%xdefine _X509_LOOKUP_init _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_init -%xdefine _X509_LOOKUP_new _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_new -%xdefine _X509_LOOKUP_shutdown _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_shutdown +%xdefine _X509_LOOKUP_load_file _ %+ BORINGSSL_PREFIX %+ _X509_LOOKUP_load_file %xdefine _X509_NAME_ENTRIES_it _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRIES_it %xdefine _X509_NAME_ENTRY_create_by_NID _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_NID %xdefine _X509_NAME_ENTRY_create_by_OBJ _ %+ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_OBJ 
@@ -2490,34 +2604,24 @@ %xdefine _X509_NAME_print_ex _ %+ BORINGSSL_PREFIX %+ _X509_NAME_print_ex %xdefine _X509_NAME_print_ex_fp _ %+ BORINGSSL_PREFIX %+ _X509_NAME_print_ex_fp %xdefine _X509_NAME_set _ %+ BORINGSSL_PREFIX %+ _X509_NAME_set +%xdefine _X509_OBJECT_free _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_free %xdefine _X509_OBJECT_free_contents _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_free_contents %xdefine _X509_OBJECT_get0_X509 _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_get0_X509 %xdefine _X509_OBJECT_get_type _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_get_type -%xdefine _X509_OBJECT_idx_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_idx_by_subject -%xdefine _X509_OBJECT_retrieve_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_by_subject -%xdefine _X509_OBJECT_retrieve_match _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_match -%xdefine _X509_OBJECT_up_ref_count _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_up_ref_count -%xdefine _X509_PKEY_free _ %+ BORINGSSL_PREFIX %+ _X509_PKEY_free -%xdefine _X509_PKEY_new _ %+ BORINGSSL_PREFIX %+ _X509_PKEY_new +%xdefine _X509_OBJECT_new _ %+ BORINGSSL_PREFIX %+ _X509_OBJECT_new %xdefine _X509_PUBKEY_free _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_free %xdefine _X509_PUBKEY_get _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get +%xdefine _X509_PUBKEY_get0 _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0 %xdefine _X509_PUBKEY_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_param %xdefine _X509_PUBKEY_get0_public_key _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_public_key %xdefine _X509_PUBKEY_it _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_it %xdefine _X509_PUBKEY_new _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_new %xdefine _X509_PUBKEY_set _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_set %xdefine _X509_PUBKEY_set0_param _ %+ BORINGSSL_PREFIX %+ _X509_PUBKEY_set0_param -%xdefine _X509_PURPOSE_add _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_add -%xdefine _X509_PURPOSE_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_cleanup %xdefine _X509_PURPOSE_get0 _ %+ BORINGSSL_PREFIX %+ 
_X509_PURPOSE_get0 -%xdefine _X509_PURPOSE_get0_name _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get0_name -%xdefine _X509_PURPOSE_get0_sname _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get0_sname -%xdefine _X509_PURPOSE_get_by_id _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_by_id %xdefine _X509_PURPOSE_get_by_sname _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_by_sname -%xdefine _X509_PURPOSE_get_count _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_count %xdefine _X509_PURPOSE_get_id _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_id %xdefine _X509_PURPOSE_get_trust _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_get_trust -%xdefine _X509_PURPOSE_set _ %+ BORINGSSL_PREFIX %+ _X509_PURPOSE_set %xdefine _X509_REQ_INFO_free _ %+ BORINGSSL_PREFIX %+ _X509_REQ_INFO_free %xdefine _X509_REQ_INFO_it _ %+ BORINGSSL_PREFIX %+ _X509_REQ_INFO_it %xdefine _X509_REQ_INFO_new _ %+ BORINGSSL_PREFIX %+ _X509_REQ_INFO_new @@ -2533,6 +2637,7 @@ %xdefine _X509_REQ_dup _ %+ BORINGSSL_PREFIX %+ _X509_REQ_dup %xdefine _X509_REQ_extension_nid _ %+ BORINGSSL_PREFIX %+ _X509_REQ_extension_nid %xdefine _X509_REQ_free _ %+ BORINGSSL_PREFIX %+ _X509_REQ_free +%xdefine _X509_REQ_get0_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get0_pubkey %xdefine _X509_REQ_get0_signature _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get0_signature %xdefine _X509_REQ_get1_email _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get1_email %xdefine _X509_REQ_get_attr _ %+ BORINGSSL_PREFIX %+ _X509_REQ_get_attr 
@@ -2585,13 +2690,15 @@ %xdefine _X509_STORE_CTX_get0_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_cert %xdefine _X509_STORE_CTX_get0_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_chain %xdefine _X509_STORE_CTX_get0_current_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_crl -%xdefine _X509_STORE_CTX_get0_current_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_issuer %xdefine _X509_STORE_CTX_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_param %xdefine _X509_STORE_CTX_get0_parent_ctx _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_parent_ctx %xdefine _X509_STORE_CTX_get0_store _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_store %xdefine _X509_STORE_CTX_get0_untrusted _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_untrusted +%xdefine _X509_STORE_CTX_get1_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_certs %xdefine _X509_STORE_CTX_get1_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_chain +%xdefine _X509_STORE_CTX_get1_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_crls %xdefine _X509_STORE_CTX_get1_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_issuer +%xdefine _X509_STORE_CTX_get_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_by_subject %xdefine _X509_STORE_CTX_get_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_chain %xdefine _X509_STORE_CTX_get_current_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_current_cert %xdefine _X509_STORE_CTX_get_error _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error 
@@ -2600,11 +2707,9 @@ %xdefine _X509_STORE_CTX_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_new_index %xdefine _X509_STORE_CTX_init _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_init %xdefine _X509_STORE_CTX_new _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_new -%xdefine _X509_STORE_CTX_purpose_inherit _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_purpose_inherit %xdefine _X509_STORE_CTX_set0_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_crls %xdefine _X509_STORE_CTX_set0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_param %xdefine _X509_STORE_CTX_set0_trusted_stack _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_trusted_stack -%xdefine _X509_STORE_CTX_set_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_cert %xdefine _X509_STORE_CTX_set_chain _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_chain %xdefine _X509_STORE_CTX_set_default _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_default %xdefine _X509_STORE_CTX_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_depth 
@@ -2617,56 +2722,23 @@ %xdefine _X509_STORE_CTX_set_trust _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_trust %xdefine _X509_STORE_CTX_set_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_verify_cb %xdefine _X509_STORE_CTX_trusted_stack _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_trusted_stack -%xdefine _X509_STORE_CTX_zero _ %+ BORINGSSL_PREFIX %+ _X509_STORE_CTX_zero %xdefine _X509_STORE_add_cert _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_cert %xdefine _X509_STORE_add_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_crl %xdefine _X509_STORE_add_lookup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_add_lookup %xdefine _X509_STORE_free _ %+ BORINGSSL_PREFIX %+ _X509_STORE_free %xdefine _X509_STORE_get0_objects _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get0_objects %xdefine _X509_STORE_get0_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get0_param -%xdefine _X509_STORE_get1_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get1_certs -%xdefine _X509_STORE_get1_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get1_crls -%xdefine _X509_STORE_get_by_subject _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_by_subject -%xdefine _X509_STORE_get_cert_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_cert_crl -%xdefine _X509_STORE_get_check_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_check_crl -%xdefine _X509_STORE_get_check_issued _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_check_issued -%xdefine _X509_STORE_get_check_revocation _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_check_revocation -%xdefine _X509_STORE_get_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_cleanup -%xdefine _X509_STORE_get_get_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_get_crl -%xdefine _X509_STORE_get_get_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_get_issuer -%xdefine _X509_STORE_get_lookup_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_certs -%xdefine _X509_STORE_get_lookup_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_crls -%xdefine _X509_STORE_get_verify _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_verify -%xdefine 
_X509_STORE_get_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_verify_cb +%xdefine _X509_STORE_get1_objects _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get1_objects %xdefine _X509_STORE_load_locations _ %+ BORINGSSL_PREFIX %+ _X509_STORE_load_locations %xdefine _X509_STORE_new _ %+ BORINGSSL_PREFIX %+ _X509_STORE_new %xdefine _X509_STORE_set1_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set1_param -%xdefine _X509_STORE_set_cert_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_cert_crl -%xdefine _X509_STORE_set_check_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_check_crl -%xdefine _X509_STORE_set_check_issued _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_check_issued -%xdefine _X509_STORE_set_check_revocation _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_check_revocation -%xdefine _X509_STORE_set_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_cleanup %xdefine _X509_STORE_set_default_paths _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_default_paths %xdefine _X509_STORE_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_depth %xdefine _X509_STORE_set_flags _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_flags -%xdefine _X509_STORE_set_get_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_get_crl -%xdefine _X509_STORE_set_get_issuer _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_get_issuer -%xdefine _X509_STORE_set_lookup_certs _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_certs -%xdefine _X509_STORE_set_lookup_crls _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_crls %xdefine _X509_STORE_set_purpose _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_purpose %xdefine _X509_STORE_set_trust _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_trust -%xdefine _X509_STORE_set_verify _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_verify %xdefine _X509_STORE_set_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_verify_cb %xdefine _X509_STORE_up_ref _ %+ BORINGSSL_PREFIX %+ _X509_STORE_up_ref -%xdefine _X509_TRUST_add _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_add -%xdefine _X509_TRUST_cleanup _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_cleanup 
-%xdefine _X509_TRUST_get0 _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get0 -%xdefine _X509_TRUST_get0_name _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get0_name -%xdefine _X509_TRUST_get_by_id _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get_by_id -%xdefine _X509_TRUST_get_count _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get_count -%xdefine _X509_TRUST_get_flags _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get_flags -%xdefine _X509_TRUST_get_trust _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get_trust -%xdefine _X509_TRUST_set _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_set %xdefine _X509_VAL_free _ %+ BORINGSSL_PREFIX %+ _X509_VAL_free %xdefine _X509_VAL_it _ %+ BORINGSSL_PREFIX %+ _X509_VAL_it %xdefine _X509_VAL_new _ %+ BORINGSSL_PREFIX %+ _X509_VAL_new @@ -2674,8 +2746,6 @@ %xdefine _X509_VERIFY_PARAM_add1_host _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add1_host %xdefine _X509_VERIFY_PARAM_clear_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_clear_flags %xdefine _X509_VERIFY_PARAM_free _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_free -%xdefine _X509_VERIFY_PARAM_get0_name _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_name -%xdefine _X509_VERIFY_PARAM_get0_peername _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_peername %xdefine _X509_VERIFY_PARAM_get_depth _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_depth %xdefine _X509_VERIFY_PARAM_get_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_flags %xdefine _X509_VERIFY_PARAM_inherit _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_inherit 
@@ -2686,7 +2756,6 @@ %xdefine _X509_VERIFY_PARAM_set1_host _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_host %xdefine _X509_VERIFY_PARAM_set1_ip _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip %xdefine _X509_VERIFY_PARAM_set1_ip_asc _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip_asc -%xdefine _X509_VERIFY_PARAM_set1_name _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_name %xdefine _X509_VERIFY_PARAM_set1_policies _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_policies %xdefine _X509_VERIFY_PARAM_set_depth _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_depth %xdefine _X509_VERIFY_PARAM_set_flags _ %+ BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_flags @@ -2729,6 +2798,7 @@ %xdefine _X509_get0_extensions _ %+ BORINGSSL_PREFIX %+ _X509_get0_extensions %xdefine _X509_get0_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_get0_notAfter %xdefine _X509_get0_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_get0_notBefore +%xdefine _X509_get0_pubkey _ %+ BORINGSSL_PREFIX %+ _X509_get0_pubkey %xdefine _X509_get0_pubkey_bitstr _ %+ BORINGSSL_PREFIX %+ _X509_get0_pubkey_bitstr %xdefine _X509_get0_serialNumber _ %+ BORINGSSL_PREFIX %+ _X509_get0_serialNumber %xdefine _X509_get0_signature _ %+ BORINGSSL_PREFIX %+ _X509_get0_signature @@ -2767,6 +2837,7 @@ %xdefine _X509_getm_notAfter _ %+ BORINGSSL_PREFIX %+ _X509_getm_notAfter %xdefine _X509_getm_notBefore _ %+ BORINGSSL_PREFIX %+ _X509_getm_notBefore %xdefine _X509_gmtime_adj _ %+ BORINGSSL_PREFIX %+ _X509_gmtime_adj +%xdefine _X509_is_valid_trust_id _ %+ BORINGSSL_PREFIX %+ _X509_is_valid_trust_id %xdefine _X509_issuer_name_cmp _ %+ BORINGSSL_PREFIX %+ _X509_issuer_name_cmp %xdefine _X509_issuer_name_hash _ %+ BORINGSSL_PREFIX %+ _X509_issuer_name_hash %xdefine _X509_issuer_name_hash_old _ %+ BORINGSSL_PREFIX %+ _X509_issuer_name_hash_old 
@@ -2820,7 +2891,6 @@ %xdefine _X509v3_get_ext_by_critical _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_by_critical %xdefine _X509v3_get_ext_count _ %+ BORINGSSL_PREFIX %+ _X509v3_get_ext_count %xdefine ___clang_call_terminate _ %+ BORINGSSL_PREFIX %+ ___clang_call_terminate -%xdefine _a2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _a2i_GENERAL_NAME %xdefine _a2i_IPADDRESS _ %+ BORINGSSL_PREFIX %+ _a2i_IPADDRESS %xdefine _a2i_IPADDRESS_NC _ %+ BORINGSSL_PREFIX %+ _a2i_IPADDRESS_NC %xdefine _aes128gcmsiv_aes_ks _ %+ BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks @@ -2845,8 +2915,11 @@ %xdefine _aes_hw_decrypt _ %+ BORINGSSL_PREFIX %+ _aes_hw_decrypt %xdefine _aes_hw_ecb_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_hw_ecb_encrypt %xdefine _aes_hw_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_hw_encrypt +%xdefine _aes_hw_encrypt_key_to_decrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_hw_encrypt_key_to_decrypt_key %xdefine _aes_hw_set_decrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_decrypt_key %xdefine _aes_hw_set_encrypt_key _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key +%xdefine _aes_hw_set_encrypt_key_alt _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_alt +%xdefine _aes_hw_set_encrypt_key_base _ %+ BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_base %xdefine _aes_nohw_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _aes_nohw_cbc_encrypt %xdefine _aes_nohw_ctr32_encrypt_blocks _ %+ BORINGSSL_PREFIX %+ _aes_nohw_ctr32_encrypt_blocks %xdefine _aes_nohw_decrypt _ %+ BORINGSSL_PREFIX %+ _aes_nohw_decrypt 
@@ -2875,6 +2948,7 @@ %xdefine _asn1_refcount_set_one _ %+ BORINGSSL_PREFIX %+ _asn1_refcount_set_one %xdefine _asn1_set_choice_selector _ %+ BORINGSSL_PREFIX %+ _asn1_set_choice_selector %xdefine _asn1_type_cleanup _ %+ BORINGSSL_PREFIX %+ _asn1_type_cleanup +%xdefine _asn1_type_set0_string _ %+ BORINGSSL_PREFIX %+ _asn1_type_set0_string %xdefine _asn1_type_value_as_pointer _ %+ BORINGSSL_PREFIX %+ _asn1_type_value_as_pointer %xdefine _asn1_utctime_to_tm _ %+ BORINGSSL_PREFIX %+ _asn1_utctime_to_tm %xdefine _beeu_mod_inverse_vartime _ %+ BORINGSSL_PREFIX %+ _beeu_mod_inverse_vartime 
@@ -2921,17 +2995,23 @@ %xdefine _bn_mont_ctx_init _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_init %xdefine _bn_mont_ctx_set_RR_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mont_ctx_set_RR_consttime %xdefine _bn_mont_n0 _ %+ BORINGSSL_PREFIX %+ _bn_mont_n0 +%xdefine _bn_mul4x_mont _ %+ BORINGSSL_PREFIX %+ _bn_mul4x_mont +%xdefine _bn_mul4x_mont_gather5 _ %+ BORINGSSL_PREFIX %+ _bn_mul4x_mont_gather5 %xdefine _bn_mul_add_words _ %+ BORINGSSL_PREFIX %+ _bn_mul_add_words %xdefine _bn_mul_comba4 _ %+ BORINGSSL_PREFIX %+ _bn_mul_comba4 %xdefine _bn_mul_comba8 _ %+ BORINGSSL_PREFIX %+ _bn_mul_comba8 %xdefine _bn_mul_consttime _ %+ BORINGSSL_PREFIX %+ _bn_mul_consttime %xdefine _bn_mul_mont _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont -%xdefine _bn_mul_mont_gather5 _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont_gather5 +%xdefine _bn_mul_mont_gather5_nohw _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont_gather5_nohw +%xdefine _bn_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _bn_mul_mont_nohw %xdefine _bn_mul_small _ %+ BORINGSSL_PREFIX %+ _bn_mul_small %xdefine _bn_mul_words _ %+ BORINGSSL_PREFIX %+ _bn_mul_words +%xdefine _bn_mulx4x_mont _ %+ BORINGSSL_PREFIX %+ _bn_mulx4x_mont +%xdefine _bn_mulx4x_mont_gather5 _ %+ BORINGSSL_PREFIX %+ _bn_mulx4x_mont_gather5 %xdefine _bn_odd_number_is_obviously_composite _ %+ BORINGSSL_PREFIX %+ _bn_odd_number_is_obviously_composite %xdefine _bn_one_to_montgomery _ %+ BORINGSSL_PREFIX %+ _bn_one_to_montgomery -%xdefine _bn_power5 _ %+ BORINGSSL_PREFIX %+ _bn_power5 +%xdefine _bn_power5_nohw _ %+ BORINGSSL_PREFIX %+ _bn_power5_nohw +%xdefine _bn_powerx5 _ %+ BORINGSSL_PREFIX %+ _bn_powerx5 %xdefine _bn_rand_range_words _ %+ BORINGSSL_PREFIX %+ _bn_rand_range_words %xdefine _bn_rand_secret_range _ %+ BORINGSSL_PREFIX %+ _bn_rand_secret_range %xdefine _bn_reduce_once _ %+ BORINGSSL_PREFIX %+ _bn_reduce_once 
@@ -2946,6 +3026,7 @@ %xdefine _bn_set_static_words _ %+ BORINGSSL_PREFIX %+ _bn_set_static_words %xdefine _bn_set_words _ %+ BORINGSSL_PREFIX %+ _bn_set_words %xdefine _bn_sqr8x_internal _ %+ BORINGSSL_PREFIX %+ _bn_sqr8x_internal +%xdefine _bn_sqr8x_mont _ %+ BORINGSSL_PREFIX %+ _bn_sqr8x_mont %xdefine _bn_sqr_comba4 _ %+ BORINGSSL_PREFIX %+ _bn_sqr_comba4 %xdefine _bn_sqr_comba8 _ %+ BORINGSSL_PREFIX %+ _bn_sqr_comba8 %xdefine _bn_sqr_consttime _ %+ BORINGSSL_PREFIX %+ _bn_sqr_consttime @@ -2965,9 +3046,12 @@ %xdefine _c2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER %xdefine _c2i_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT %xdefine _chacha20_poly1305_open _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_open +%xdefine _chacha20_poly1305_open_avx2 _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_open_avx2 +%xdefine _chacha20_poly1305_open_nohw _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_open_nohw %xdefine _chacha20_poly1305_seal _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal +%xdefine _chacha20_poly1305_seal_avx2 _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_avx2 +%xdefine _chacha20_poly1305_seal_nohw _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_nohw %xdefine _crypto_gcm_clmul_enabled _ %+ BORINGSSL_PREFIX %+ _crypto_gcm_clmul_enabled -%xdefine _d2i_ACCESS_DESCRIPTION _ %+ BORINGSSL_PREFIX %+ _d2i_ACCESS_DESCRIPTION %xdefine _d2i_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_BIT_STRING %xdefine _d2i_ASN1_BMPSTRING _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_BMPSTRING %xdefine _d2i_ASN1_BOOLEAN _ %+ BORINGSSL_PREFIX %+ _d2i_ASN1_BOOLEAN 
@@ -3000,8 +3084,6 @@ %xdefine _d2i_DHparams_bio _ %+ BORINGSSL_PREFIX %+ _d2i_DHparams_bio %xdefine _d2i_DIRECTORYSTRING _ %+ BORINGSSL_PREFIX %+ _d2i_DIRECTORYSTRING %xdefine _d2i_DISPLAYTEXT _ %+ BORINGSSL_PREFIX %+ _d2i_DISPLAYTEXT -%xdefine _d2i_DIST_POINT _ %+ BORINGSSL_PREFIX %+ _d2i_DIST_POINT -%xdefine _d2i_DIST_POINT_NAME _ %+ BORINGSSL_PREFIX %+ _d2i_DIST_POINT_NAME %xdefine _d2i_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey %xdefine _d2i_DSAPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_bio %xdefine _d2i_DSAPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_fp @@ -3012,6 +3094,7 @@ %xdefine _d2i_DSA_SIG _ %+ BORINGSSL_PREFIX %+ _d2i_DSA_SIG %xdefine _d2i_DSAparams _ %+ BORINGSSL_PREFIX %+ _d2i_DSAparams %xdefine _d2i_ECDSA_SIG _ %+ BORINGSSL_PREFIX %+ _d2i_ECDSA_SIG +%xdefine _d2i_ECPKParameters _ %+ BORINGSSL_PREFIX %+ _d2i_ECPKParameters %xdefine _d2i_ECParameters _ %+ BORINGSSL_PREFIX %+ _d2i_ECParameters %xdefine _d2i_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _d2i_ECPrivateKey %xdefine _d2i_ECPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _d2i_ECPrivateKey_bio 
@@ -3019,15 +3102,12 @@ %xdefine _d2i_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY %xdefine _d2i_EC_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_bio %xdefine _d2i_EC_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_fp -%xdefine _d2i_EDIPARTYNAME _ %+ BORINGSSL_PREFIX %+ _d2i_EDIPARTYNAME %xdefine _d2i_EXTENDED_KEY_USAGE _ %+ BORINGSSL_PREFIX %+ _d2i_EXTENDED_KEY_USAGE %xdefine _d2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _d2i_GENERAL_NAME %xdefine _d2i_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _d2i_GENERAL_NAMES %xdefine _d2i_ISSUING_DIST_POINT _ %+ BORINGSSL_PREFIX %+ _d2i_ISSUING_DIST_POINT %xdefine _d2i_NETSCAPE_SPKAC _ %+ BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKAC %xdefine _d2i_NETSCAPE_SPKI _ %+ BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKI -%xdefine _d2i_NOTICEREF _ %+ BORINGSSL_PREFIX %+ _d2i_NOTICEREF -%xdefine _d2i_OTHERNAME _ %+ BORINGSSL_PREFIX %+ _d2i_OTHERNAME %xdefine _d2i_PKCS12 _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12 %xdefine _d2i_PKCS12_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12_bio %xdefine _d2i_PKCS12_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS12_fp @@ -3040,8 +3120,6 @@ %xdefine _d2i_PKCS8_PRIV_KEY_INFO_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO_fp %xdefine _d2i_PKCS8_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_bio %xdefine _d2i_PKCS8_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PKCS8_fp -%xdefine _d2i_POLICYINFO _ %+ BORINGSSL_PREFIX %+ _d2i_POLICYINFO -%xdefine _d2i_POLICYQUALINFO _ %+ BORINGSSL_PREFIX %+ _d2i_POLICYQUALINFO %xdefine _d2i_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_PUBKEY %xdefine _d2i_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _d2i_PUBKEY_bio %xdefine _d2i_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_PUBKEY_fp 
@@ -3061,7 +3139,6 @@ %xdefine _d2i_RSA_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY_fp %xdefine _d2i_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _d2i_SSL_SESSION %xdefine _d2i_SSL_SESSION_bio _ %+ BORINGSSL_PREFIX %+ _d2i_SSL_SESSION_bio -%xdefine _d2i_USERNOTICE _ %+ BORINGSSL_PREFIX %+ _d2i_USERNOTICE %xdefine _d2i_X509 _ %+ BORINGSSL_PREFIX %+ _d2i_X509 %xdefine _d2i_X509_ALGOR _ %+ BORINGSSL_PREFIX %+ _d2i_X509_ALGOR %xdefine _d2i_X509_ATTRIBUTE _ %+ BORINGSSL_PREFIX %+ _d2i_X509_ATTRIBUTE @@ -3075,7 +3152,6 @@ %xdefine _d2i_X509_EXTENSION _ %+ BORINGSSL_PREFIX %+ _d2i_X509_EXTENSION %xdefine _d2i_X509_EXTENSIONS _ %+ BORINGSSL_PREFIX %+ _d2i_X509_EXTENSIONS %xdefine _d2i_X509_NAME _ %+ BORINGSSL_PREFIX %+ _d2i_X509_NAME -%xdefine _d2i_X509_NAME_ENTRY _ %+ BORINGSSL_PREFIX %+ _d2i_X509_NAME_ENTRY %xdefine _d2i_X509_PUBKEY _ %+ BORINGSSL_PREFIX %+ _d2i_X509_PUBKEY %xdefine _d2i_X509_REQ _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ %xdefine _d2i_X509_REQ_INFO _ %+ BORINGSSL_PREFIX %+ _d2i_X509_REQ_INFO @@ -3086,8 +3162,10 @@ %xdefine _d2i_X509_VAL _ %+ BORINGSSL_PREFIX %+ _d2i_X509_VAL %xdefine _d2i_X509_bio _ %+ BORINGSSL_PREFIX %+ _d2i_X509_bio %xdefine _d2i_X509_fp _ %+ BORINGSSL_PREFIX %+ _d2i_X509_fp +%xdefine _dh_asn1_meth _ %+ BORINGSSL_PREFIX %+ _dh_asn1_meth %xdefine _dh_check_params_fast _ %+ BORINGSSL_PREFIX %+ _dh_check_params_fast %xdefine _dh_compute_key_padded_no_self_test _ %+ BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test +%xdefine _dh_pkey_meth _ %+ BORINGSSL_PREFIX %+ _dh_pkey_meth %xdefine _dsa_asn1_meth _ %+ BORINGSSL_PREFIX %+ _dsa_asn1_meth %xdefine _dsa_check_key _ %+ BORINGSSL_PREFIX %+ _dsa_check_key %xdefine _ec_GFp_mont_add _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_add 
@@ -3177,25 +3255,46 @@ %xdefine _ec_set_to_safe_point _ %+ BORINGSSL_PREFIX %+ _ec_set_to_safe_point %xdefine _ec_simple_scalar_inv0_montgomery _ %+ BORINGSSL_PREFIX %+ _ec_simple_scalar_inv0_montgomery %xdefine _ec_simple_scalar_to_montgomery_inv_vartime _ %+ BORINGSSL_PREFIX %+ _ec_simple_scalar_to_montgomery_inv_vartime -%xdefine _ecdsa_do_verify_no_self_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_do_verify_no_self_test -%xdefine _ecdsa_sign_with_nonce_for_known_answer_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_sign_with_nonce_for_known_answer_test -%xdefine _ecp_nistz256_avx2_select_w7 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_avx2_select_w7 +%xdefine _ecdsa_sign_fixed _ %+ BORINGSSL_PREFIX %+ _ecdsa_sign_fixed +%xdefine _ecdsa_sign_fixed_with_nonce_for_known_answer_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_sign_fixed_with_nonce_for_known_answer_test +%xdefine _ecdsa_verify_fixed _ %+ BORINGSSL_PREFIX %+ _ecdsa_verify_fixed +%xdefine _ecdsa_verify_fixed_no_self_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_verify_fixed_no_self_test %xdefine _ecp_nistz256_div_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2 %xdefine _ecp_nistz256_mul_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2 %xdefine _ecp_nistz256_mul_by_3 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3 %xdefine _ecp_nistz256_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont +%xdefine _ecp_nistz256_mul_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_adx +%xdefine _ecp_nistz256_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_nohw %xdefine _ecp_nistz256_neg _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_neg %xdefine _ecp_nistz256_ord_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont +%xdefine _ecp_nistz256_ord_mul_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_adx +%xdefine _ecp_nistz256_ord_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_nohw %xdefine _ecp_nistz256_ord_sqr_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont +%xdefine 
_ecp_nistz256_ord_sqr_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_adx +%xdefine _ecp_nistz256_ord_sqr_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_nohw %xdefine _ecp_nistz256_point_add _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add +%xdefine _ecp_nistz256_point_add_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_adx %xdefine _ecp_nistz256_point_add_affine _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine +%xdefine _ecp_nistz256_point_add_affine_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_adx +%xdefine _ecp_nistz256_point_add_affine_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_nohw +%xdefine _ecp_nistz256_point_add_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_nohw %xdefine _ecp_nistz256_point_double _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double +%xdefine _ecp_nistz256_point_double_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_adx +%xdefine _ecp_nistz256_point_double_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_nohw %xdefine _ecp_nistz256_select_w5 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5 +%xdefine _ecp_nistz256_select_w5_avx2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_avx2 +%xdefine _ecp_nistz256_select_w5_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_nohw %xdefine _ecp_nistz256_select_w7 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7 +%xdefine _ecp_nistz256_select_w7_avx2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_avx2 +%xdefine _ecp_nistz256_select_w7_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_nohw %xdefine _ecp_nistz256_sqr_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont +%xdefine _ecp_nistz256_sqr_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_adx +%xdefine _ecp_nistz256_sqr_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_nohw %xdefine _ecp_nistz256_sub _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sub %xdefine _ed25519_asn1_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_asn1_meth %xdefine 
_ed25519_pkey_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_pkey_meth +%xdefine _evp_md_md5_sha1 _ %+ BORINGSSL_PREFIX %+ _evp_md_md5_sha1 +%xdefine _evp_pkey_set_method _ %+ BORINGSSL_PREFIX %+ _evp_pkey_set_method %xdefine _fiat_curve25519_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul %xdefine _fiat_curve25519_adx_square _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square %xdefine _fiat_p256_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_p256_adx_mul @@ -3219,14 +3318,12 @@ %xdefine _gcm_init_ssse3 _ %+ BORINGSSL_PREFIX %+ _gcm_init_ssse3 %xdefine _gcm_init_v8 _ %+ BORINGSSL_PREFIX %+ _gcm_init_v8 %xdefine _hkdf_pkey_meth _ %+ BORINGSSL_PREFIX %+ _hkdf_pkey_meth -%xdefine _i2a_ACCESS_DESCRIPTION _ %+ BORINGSSL_PREFIX %+ _i2a_ACCESS_DESCRIPTION %xdefine _i2a_ASN1_ENUMERATED _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_ENUMERATED %xdefine _i2a_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_INTEGER %xdefine _i2a_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_OBJECT %xdefine _i2a_ASN1_STRING _ %+ BORINGSSL_PREFIX %+ _i2a_ASN1_STRING %xdefine _i2c_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _i2c_ASN1_BIT_STRING %xdefine _i2c_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _i2c_ASN1_INTEGER -%xdefine _i2d_ACCESS_DESCRIPTION _ %+ BORINGSSL_PREFIX %+ _i2d_ACCESS_DESCRIPTION %xdefine _i2d_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_BIT_STRING %xdefine _i2d_ASN1_BMPSTRING _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_BMPSTRING %xdefine _i2d_ASN1_BOOLEAN _ %+ BORINGSSL_PREFIX %+ _i2d_ASN1_BOOLEAN 
@@ -3258,8 +3355,6 @@ %xdefine _i2d_DHparams_bio _ %+ BORINGSSL_PREFIX %+ _i2d_DHparams_bio %xdefine _i2d_DIRECTORYSTRING _ %+ BORINGSSL_PREFIX %+ _i2d_DIRECTORYSTRING %xdefine _i2d_DISPLAYTEXT _ %+ BORINGSSL_PREFIX %+ _i2d_DISPLAYTEXT -%xdefine _i2d_DIST_POINT _ %+ BORINGSSL_PREFIX %+ _i2d_DIST_POINT -%xdefine _i2d_DIST_POINT_NAME _ %+ BORINGSSL_PREFIX %+ _i2d_DIST_POINT_NAME %xdefine _i2d_DSAPrivateKey _ %+ BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey %xdefine _i2d_DSAPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_bio %xdefine _i2d_DSAPrivateKey_fp _ %+ BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_fp @@ -3270,6 +3365,7 @@ %xdefine _i2d_DSA_SIG _ %+ BORINGSSL_PREFIX %+ _i2d_DSA_SIG %xdefine _i2d_DSAparams _ %+ BORINGSSL_PREFIX %+ _i2d_DSAparams %xdefine _i2d_ECDSA_SIG _ %+ BORINGSSL_PREFIX %+ _i2d_ECDSA_SIG +%xdefine _i2d_ECPKParameters _ %+ BORINGSSL_PREFIX %+ _i2d_ECPKParameters %xdefine _i2d_ECParameters _ %+ BORINGSSL_PREFIX %+ _i2d_ECParameters %xdefine _i2d_ECPrivateKey _ %+ BORINGSSL_PREFIX %+ _i2d_ECPrivateKey %xdefine _i2d_ECPrivateKey_bio _ %+ BORINGSSL_PREFIX %+ _i2d_ECPrivateKey_bio 
@@ -3277,15 +3373,12 @@ %xdefine _i2d_EC_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY %xdefine _i2d_EC_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_bio %xdefine _i2d_EC_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_fp -%xdefine _i2d_EDIPARTYNAME _ %+ BORINGSSL_PREFIX %+ _i2d_EDIPARTYNAME %xdefine _i2d_EXTENDED_KEY_USAGE _ %+ BORINGSSL_PREFIX %+ _i2d_EXTENDED_KEY_USAGE %xdefine _i2d_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _i2d_GENERAL_NAME %xdefine _i2d_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _i2d_GENERAL_NAMES %xdefine _i2d_ISSUING_DIST_POINT _ %+ BORINGSSL_PREFIX %+ _i2d_ISSUING_DIST_POINT %xdefine _i2d_NETSCAPE_SPKAC _ %+ BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKAC %xdefine _i2d_NETSCAPE_SPKI _ %+ BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKI -%xdefine _i2d_NOTICEREF _ %+ BORINGSSL_PREFIX %+ _i2d_NOTICEREF -%xdefine _i2d_OTHERNAME _ %+ BORINGSSL_PREFIX %+ _i2d_OTHERNAME %xdefine _i2d_PKCS12 _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12 %xdefine _i2d_PKCS12_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12_bio %xdefine _i2d_PKCS12_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS12_fp @@ -3302,8 +3395,6 @@ %xdefine _i2d_PKCS8_PRIV_KEY_INFO_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO_fp %xdefine _i2d_PKCS8_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_bio %xdefine _i2d_PKCS8_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PKCS8_fp -%xdefine _i2d_POLICYINFO _ %+ BORINGSSL_PREFIX %+ _i2d_POLICYINFO -%xdefine _i2d_POLICYQUALINFO _ %+ BORINGSSL_PREFIX %+ _i2d_POLICYQUALINFO %xdefine _i2d_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_PUBKEY %xdefine _i2d_PUBKEY_bio _ %+ BORINGSSL_PREFIX %+ _i2d_PUBKEY_bio %xdefine _i2d_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_PUBKEY_fp 
@@ -3323,7 +3414,6 @@ %xdefine _i2d_RSA_PUBKEY_fp _ %+ BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY_fp %xdefine _i2d_SSL_SESSION _ %+ BORINGSSL_PREFIX %+ _i2d_SSL_SESSION %xdefine _i2d_SSL_SESSION_bio _ %+ BORINGSSL_PREFIX %+ _i2d_SSL_SESSION_bio -%xdefine _i2d_USERNOTICE _ %+ BORINGSSL_PREFIX %+ _i2d_USERNOTICE %xdefine _i2d_X509 _ %+ BORINGSSL_PREFIX %+ _i2d_X509 %xdefine _i2d_X509_ALGOR _ %+ BORINGSSL_PREFIX %+ _i2d_X509_ALGOR %xdefine _i2d_X509_ATTRIBUTE _ %+ BORINGSSL_PREFIX %+ _i2d_X509_ATTRIBUTE @@ -3338,7 +3428,6 @@ %xdefine _i2d_X509_EXTENSION _ %+ BORINGSSL_PREFIX %+ _i2d_X509_EXTENSION %xdefine _i2d_X509_EXTENSIONS _ %+ BORINGSSL_PREFIX %+ _i2d_X509_EXTENSIONS %xdefine _i2d_X509_NAME _ %+ BORINGSSL_PREFIX %+ _i2d_X509_NAME -%xdefine _i2d_X509_NAME_ENTRY _ %+ BORINGSSL_PREFIX %+ _i2d_X509_NAME_ENTRY %xdefine _i2d_X509_PUBKEY _ %+ BORINGSSL_PREFIX %+ _i2d_X509_PUBKEY %xdefine _i2d_X509_REQ _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ %xdefine _i2d_X509_REQ_INFO _ %+ BORINGSSL_PREFIX %+ _i2d_X509_REQ_INFO 
@@ -3424,14 +3513,24 @@ %xdefine _rsaz_1024_sqr_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_sqr_avx2 %xdefine _s2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _s2i_ASN1_INTEGER %xdefine _s2i_ASN1_OCTET_STRING _ %+ BORINGSSL_PREFIX %+ _s2i_ASN1_OCTET_STRING -%xdefine _sha1_block_data_order _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order -%xdefine _sha256_block_data_order _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order -%xdefine _sha512_block_data_order _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order +%xdefine _sha1_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_avx +%xdefine _sha1_block_data_order_avx2 _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_avx2 +%xdefine _sha1_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_hw +%xdefine _sha1_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_nohw +%xdefine _sha1_block_data_order_ssse3 _ %+ BORINGSSL_PREFIX %+ _sha1_block_data_order_ssse3 +%xdefine _sha256_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_avx +%xdefine _sha256_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_hw +%xdefine _sha256_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_nohw +%xdefine _sha256_block_data_order_ssse3 _ %+ BORINGSSL_PREFIX %+ _sha256_block_data_order_ssse3 +%xdefine _sha512_block_data_order_avx _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_avx +%xdefine _sha512_block_data_order_hw _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_hw +%xdefine _sha512_block_data_order_nohw _ %+ BORINGSSL_PREFIX %+ _sha512_block_data_order_nohw %xdefine _sk_CRYPTO_BUFFER_call_copy_func _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_copy_func %xdefine _sk_CRYPTO_BUFFER_call_free_func _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_free_func %xdefine _sk_CRYPTO_BUFFER_deep_copy _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_deep_copy %xdefine _sk_CRYPTO_BUFFER_new_null _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_new_null %xdefine 
_sk_CRYPTO_BUFFER_num _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_num +%xdefine _sk_CRYPTO_BUFFER_pop _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_pop %xdefine _sk_CRYPTO_BUFFER_push _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_push %xdefine _sk_CRYPTO_BUFFER_set _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_set %xdefine _sk_CRYPTO_BUFFER_value _ %+ BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_value 
@@ -3473,6 +3572,57 @@ %xdefine _sk_pop_free_ex _ %+ BORINGSSL_PREFIX %+ _sk_pop_free_ex %xdefine _sk_push _ %+ BORINGSSL_PREFIX %+ _sk_push %xdefine _sk_value _ %+ BORINGSSL_PREFIX %+ _sk_value +%xdefine _slhdsa_fors_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_pk_from_sig +%xdefine _slhdsa_fors_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_sign +%xdefine _slhdsa_fors_sk_gen _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_sk_gen +%xdefine _slhdsa_fors_treehash _ %+ BORINGSSL_PREFIX %+ _slhdsa_fors_treehash +%xdefine _slhdsa_ht_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_ht_sign +%xdefine _slhdsa_ht_verify _ %+ BORINGSSL_PREFIX %+ _slhdsa_ht_verify +%xdefine _slhdsa_thash_f _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_f +%xdefine _slhdsa_thash_h _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_h +%xdefine _slhdsa_thash_hmsg _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_hmsg +%xdefine _slhdsa_thash_prf _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_prf +%xdefine _slhdsa_thash_prfmsg _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_prfmsg +%xdefine _slhdsa_thash_tk _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_tk +%xdefine _slhdsa_thash_tl _ %+ BORINGSSL_PREFIX %+ _slhdsa_thash_tl +%xdefine _slhdsa_treehash _ %+ BORINGSSL_PREFIX %+ _slhdsa_treehash +%xdefine _slhdsa_wots_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _slhdsa_wots_pk_from_sig +%xdefine _slhdsa_wots_pk_gen _ %+ BORINGSSL_PREFIX %+ _slhdsa_wots_pk_gen +%xdefine _slhdsa_wots_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_wots_sign +%xdefine _slhdsa_xmss_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _slhdsa_xmss_pk_from_sig +%xdefine _slhdsa_xmss_sign _ %+ BORINGSSL_PREFIX %+ _slhdsa_xmss_sign +%xdefine _spx_base_b _ %+ BORINGSSL_PREFIX %+ _spx_base_b +%xdefine _spx_copy_keypair_addr _ %+ BORINGSSL_PREFIX %+ _spx_copy_keypair_addr +%xdefine _spx_fors_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _spx_fors_pk_from_sig +%xdefine _spx_fors_sign _ %+ BORINGSSL_PREFIX %+ _spx_fors_sign +%xdefine _spx_fors_sk_gen _ %+ BORINGSSL_PREFIX %+ _spx_fors_sk_gen +%xdefine _spx_fors_treehash _ %+ BORINGSSL_PREFIX %+ 
_spx_fors_treehash +%xdefine _spx_get_tree_index _ %+ BORINGSSL_PREFIX %+ _spx_get_tree_index +%xdefine _spx_ht_sign _ %+ BORINGSSL_PREFIX %+ _spx_ht_sign +%xdefine _spx_ht_verify _ %+ BORINGSSL_PREFIX %+ _spx_ht_verify +%xdefine _spx_set_chain_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_chain_addr +%xdefine _spx_set_hash_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_hash_addr +%xdefine _spx_set_keypair_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_keypair_addr +%xdefine _spx_set_layer_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_layer_addr +%xdefine _spx_set_tree_addr _ %+ BORINGSSL_PREFIX %+ _spx_set_tree_addr +%xdefine _spx_set_tree_height _ %+ BORINGSSL_PREFIX %+ _spx_set_tree_height +%xdefine _spx_set_tree_index _ %+ BORINGSSL_PREFIX %+ _spx_set_tree_index +%xdefine _spx_set_type _ %+ BORINGSSL_PREFIX %+ _spx_set_type +%xdefine _spx_thash_f _ %+ BORINGSSL_PREFIX %+ _spx_thash_f +%xdefine _spx_thash_h _ %+ BORINGSSL_PREFIX %+ _spx_thash_h +%xdefine _spx_thash_hmsg _ %+ BORINGSSL_PREFIX %+ _spx_thash_hmsg +%xdefine _spx_thash_prf _ %+ BORINGSSL_PREFIX %+ _spx_thash_prf +%xdefine _spx_thash_prfmsg _ %+ BORINGSSL_PREFIX %+ _spx_thash_prfmsg +%xdefine _spx_thash_tk _ %+ BORINGSSL_PREFIX %+ _spx_thash_tk +%xdefine _spx_thash_tl _ %+ BORINGSSL_PREFIX %+ _spx_thash_tl +%xdefine _spx_to_uint64 _ %+ BORINGSSL_PREFIX %+ _spx_to_uint64 +%xdefine _spx_treehash _ %+ BORINGSSL_PREFIX %+ _spx_treehash +%xdefine _spx_uint64_to_len_bytes _ %+ BORINGSSL_PREFIX %+ _spx_uint64_to_len_bytes +%xdefine _spx_wots_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _spx_wots_pk_from_sig +%xdefine _spx_wots_pk_gen _ %+ BORINGSSL_PREFIX %+ _spx_wots_pk_gen +%xdefine _spx_wots_sign _ %+ BORINGSSL_PREFIX %+ _spx_wots_sign +%xdefine _spx_xmss_pk_from_sig _ %+ BORINGSSL_PREFIX %+ _spx_xmss_pk_from_sig +%xdefine _spx_xmss_sign _ %+ BORINGSSL_PREFIX %+ _spx_xmss_sign %xdefine _v2i_GENERAL_NAME _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME %xdefine _v2i_GENERAL_NAMES _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAMES %xdefine 
_v2i_GENERAL_NAME_ex _ %+ BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME_ex @@ -3539,6 +3689,7 @@ %xdefine _x25519_sc_reduce _ %+ BORINGSSL_PREFIX %+ _x25519_sc_reduce %xdefine _x25519_scalar_mult_adx _ %+ BORINGSSL_PREFIX %+ _x25519_scalar_mult_adx %xdefine _x509V3_add_value_asn1_string _ %+ BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string +%xdefine _x509_check_issued_with_callback _ %+ BORINGSSL_PREFIX %+ _x509_check_issued_with_callback %xdefine _x509_digest_sign_algorithm _ %+ BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm %xdefine _x509_digest_verify_init _ %+ BORINGSSL_PREFIX %+ _x509_digest_verify_init %xdefine _x509_print_rsa_pss_params _ %+ BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params 
@@ -3744,6 +3895,32 @@ %xdefine BASIC_CONSTRAINTS_free BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_free %xdefine BASIC_CONSTRAINTS_it BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_it %xdefine BASIC_CONSTRAINTS_new BORINGSSL_PREFIX %+ _BASIC_CONSTRAINTS_new +%xdefine BCM_fips_186_2_prf BORINGSSL_PREFIX %+ _BCM_fips_186_2_prf +%xdefine BCM_rand_bytes BORINGSSL_PREFIX %+ _BCM_rand_bytes +%xdefine BCM_rand_bytes_hwrng BORINGSSL_PREFIX %+ _BCM_rand_bytes_hwrng +%xdefine BCM_rand_bytes_with_additional_data BORINGSSL_PREFIX %+ _BCM_rand_bytes_with_additional_data +%xdefine BCM_sha1_final BORINGSSL_PREFIX %+ _BCM_sha1_final +%xdefine BCM_sha1_init BORINGSSL_PREFIX %+ _BCM_sha1_init +%xdefine BCM_sha1_transform BORINGSSL_PREFIX %+ _BCM_sha1_transform +%xdefine BCM_sha1_update BORINGSSL_PREFIX %+ _BCM_sha1_update +%xdefine BCM_sha224_final BORINGSSL_PREFIX %+ _BCM_sha224_final +%xdefine BCM_sha224_init BORINGSSL_PREFIX %+ _BCM_sha224_init +%xdefine BCM_sha224_update BORINGSSL_PREFIX %+ _BCM_sha224_update +%xdefine BCM_sha256_final BORINGSSL_PREFIX %+ _BCM_sha256_final +%xdefine BCM_sha256_init BORINGSSL_PREFIX %+ _BCM_sha256_init +%xdefine BCM_sha256_transform BORINGSSL_PREFIX %+ _BCM_sha256_transform +%xdefine BCM_sha256_transform_blocks BORINGSSL_PREFIX %+ _BCM_sha256_transform_blocks +%xdefine BCM_sha256_update BORINGSSL_PREFIX %+ _BCM_sha256_update +%xdefine BCM_sha384_final BORINGSSL_PREFIX %+ _BCM_sha384_final +%xdefine BCM_sha384_init BORINGSSL_PREFIX %+ _BCM_sha384_init +%xdefine BCM_sha384_update BORINGSSL_PREFIX %+ _BCM_sha384_update +%xdefine BCM_sha512_256_final BORINGSSL_PREFIX %+ _BCM_sha512_256_final +%xdefine BCM_sha512_256_init BORINGSSL_PREFIX %+ _BCM_sha512_256_init +%xdefine BCM_sha512_256_update BORINGSSL_PREFIX %+ _BCM_sha512_256_update +%xdefine BCM_sha512_final BORINGSSL_PREFIX %+ _BCM_sha512_final +%xdefine BCM_sha512_init BORINGSSL_PREFIX %+ _BCM_sha512_init +%xdefine BCM_sha512_transform BORINGSSL_PREFIX %+ _BCM_sha512_transform +%xdefine BCM_sha512_update 
BORINGSSL_PREFIX %+ _BCM_sha512_update %xdefine BIO_append_filename BORINGSSL_PREFIX %+ _BIO_append_filename %xdefine BIO_callback_ctrl BORINGSSL_PREFIX %+ _BIO_callback_ctrl %xdefine BIO_clear_flags BORINGSSL_PREFIX %+ _BIO_clear_flags @@ -3761,6 +3938,8 @@ %xdefine BIO_free BORINGSSL_PREFIX %+ _BIO_free %xdefine BIO_free_all BORINGSSL_PREFIX %+ _BIO_free_all %xdefine BIO_get_data BORINGSSL_PREFIX %+ _BIO_get_data +%xdefine BIO_get_ex_data BORINGSSL_PREFIX %+ _BIO_get_ex_data +%xdefine BIO_get_ex_new_index BORINGSSL_PREFIX %+ _BIO_get_ex_new_index %xdefine BIO_get_fd BORINGSSL_PREFIX %+ _BIO_get_fd %xdefine BIO_get_fp BORINGSSL_PREFIX %+ _BIO_get_fp %xdefine BIO_get_init BORINGSSL_PREFIX %+ _BIO_get_init @@ -3818,6 +3997,7 @@ %xdefine BIO_set_conn_int_port BORINGSSL_PREFIX %+ _BIO_set_conn_int_port %xdefine BIO_set_conn_port BORINGSSL_PREFIX %+ _BIO_set_conn_port %xdefine BIO_set_data BORINGSSL_PREFIX %+ _BIO_set_data +%xdefine BIO_set_ex_data BORINGSSL_PREFIX %+ _BIO_set_ex_data %xdefine BIO_set_fd BORINGSSL_PREFIX %+ _BIO_set_fd %xdefine BIO_set_flags BORINGSSL_PREFIX %+ _BIO_set_flags %xdefine BIO_set_fp BORINGSSL_PREFIX %+ _BIO_set_fp @@ -4148,6 +4328,7 @@ %xdefine CRYPTO_cleanup_all_ex_data BORINGSSL_PREFIX %+ _CRYPTO_cleanup_all_ex_data %xdefine CRYPTO_ctr128_encrypt BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt %xdefine CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32 +%xdefine CRYPTO_fips_186_2_prf BORINGSSL_PREFIX %+ _CRYPTO_fips_186_2_prf %xdefine CRYPTO_fork_detect_force_madv_wipeonfork_for_testing BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_force_madv_wipeonfork_for_testing %xdefine CRYPTO_free BORINGSSL_PREFIX %+ _CRYPTO_free %xdefine CRYPTO_free_ex_data BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data 
@@ -4164,10 +4345,11 @@ %xdefine CRYPTO_get_dynlock_destroy_callback BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_destroy_callback %xdefine CRYPTO_get_dynlock_lock_callback BORINGSSL_PREFIX %+ _CRYPTO_get_dynlock_lock_callback %xdefine CRYPTO_get_ex_data BORINGSSL_PREFIX %+ _CRYPTO_get_ex_data -%xdefine CRYPTO_get_ex_new_index BORINGSSL_PREFIX %+ _CRYPTO_get_ex_new_index +%xdefine CRYPTO_get_ex_new_index_ex BORINGSSL_PREFIX %+ _CRYPTO_get_ex_new_index_ex %xdefine CRYPTO_get_fork_generation BORINGSSL_PREFIX %+ _CRYPTO_get_fork_generation %xdefine CRYPTO_get_lock_name BORINGSSL_PREFIX %+ _CRYPTO_get_lock_name %xdefine CRYPTO_get_locking_callback BORINGSSL_PREFIX %+ _CRYPTO_get_locking_callback +%xdefine CRYPTO_get_stderr BORINGSSL_PREFIX %+ _CRYPTO_get_stderr %xdefine CRYPTO_get_thread_local BORINGSSL_PREFIX %+ _CRYPTO_get_thread_local %xdefine CRYPTO_ghash_init BORINGSSL_PREFIX %+ _CRYPTO_ghash_init %xdefine CRYPTO_has_asm BORINGSSL_PREFIX %+ _CRYPTO_has_asm 
@@ -4213,15 +4395,24 @@ %xdefine CTR_DRBG_init BORINGSSL_PREFIX %+ _CTR_DRBG_init %xdefine CTR_DRBG_new BORINGSSL_PREFIX %+ _CTR_DRBG_new %xdefine CTR_DRBG_reseed BORINGSSL_PREFIX %+ _CTR_DRBG_reseed -%xdefine ChaCha20_ctr32 BORINGSSL_PREFIX %+ _ChaCha20_ctr32 +%xdefine ChaCha20_ctr32_avx2 BORINGSSL_PREFIX %+ _ChaCha20_ctr32_avx2 +%xdefine ChaCha20_ctr32_neon BORINGSSL_PREFIX %+ _ChaCha20_ctr32_neon +%xdefine ChaCha20_ctr32_nohw BORINGSSL_PREFIX %+ _ChaCha20_ctr32_nohw +%xdefine ChaCha20_ctr32_ssse3 BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3 +%xdefine ChaCha20_ctr32_ssse3_4x BORINGSSL_PREFIX %+ _ChaCha20_ctr32_ssse3_4x %xdefine DES_decrypt3 BORINGSSL_PREFIX %+ _DES_decrypt3 %xdefine DES_ecb3_encrypt BORINGSSL_PREFIX %+ _DES_ecb3_encrypt +%xdefine DES_ecb3_encrypt_ex BORINGSSL_PREFIX %+ _DES_ecb3_encrypt_ex %xdefine DES_ecb_encrypt BORINGSSL_PREFIX %+ _DES_ecb_encrypt +%xdefine DES_ecb_encrypt_ex BORINGSSL_PREFIX %+ _DES_ecb_encrypt_ex %xdefine DES_ede2_cbc_encrypt BORINGSSL_PREFIX %+ _DES_ede2_cbc_encrypt %xdefine DES_ede3_cbc_encrypt BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt +%xdefine DES_ede3_cbc_encrypt_ex BORINGSSL_PREFIX %+ _DES_ede3_cbc_encrypt_ex %xdefine DES_encrypt3 BORINGSSL_PREFIX %+ _DES_encrypt3 %xdefine DES_ncbc_encrypt BORINGSSL_PREFIX %+ _DES_ncbc_encrypt +%xdefine DES_ncbc_encrypt_ex BORINGSSL_PREFIX %+ _DES_ncbc_encrypt_ex %xdefine DES_set_key BORINGSSL_PREFIX %+ _DES_set_key +%xdefine DES_set_key_ex BORINGSSL_PREFIX %+ _DES_set_key_ex %xdefine DES_set_key_unchecked BORINGSSL_PREFIX %+ _DES_set_key_unchecked %xdefine DES_set_odd_parity BORINGSSL_PREFIX %+ _DES_set_odd_parity %xdefine DH_bits BORINGSSL_PREFIX %+ _DH_bits 
@@ -4251,6 +4442,16 @@ %xdefine DH_size BORINGSSL_PREFIX %+ _DH_size %xdefine DH_up_ref BORINGSSL_PREFIX %+ _DH_up_ref %xdefine DHparams_dup BORINGSSL_PREFIX %+ _DHparams_dup +%xdefine DILITHIUM_generate_key BORINGSSL_PREFIX %+ _DILITHIUM_generate_key +%xdefine DILITHIUM_generate_key_external_entropy BORINGSSL_PREFIX %+ _DILITHIUM_generate_key_external_entropy +%xdefine DILITHIUM_marshal_private_key BORINGSSL_PREFIX %+ _DILITHIUM_marshal_private_key +%xdefine DILITHIUM_marshal_public_key BORINGSSL_PREFIX %+ _DILITHIUM_marshal_public_key +%xdefine DILITHIUM_parse_private_key BORINGSSL_PREFIX %+ _DILITHIUM_parse_private_key +%xdefine DILITHIUM_parse_public_key BORINGSSL_PREFIX %+ _DILITHIUM_parse_public_key +%xdefine DILITHIUM_public_from_private BORINGSSL_PREFIX %+ _DILITHIUM_public_from_private +%xdefine DILITHIUM_sign BORINGSSL_PREFIX %+ _DILITHIUM_sign +%xdefine DILITHIUM_sign_deterministic BORINGSSL_PREFIX %+ _DILITHIUM_sign_deterministic +%xdefine DILITHIUM_verify BORINGSSL_PREFIX %+ _DILITHIUM_verify %xdefine DIRECTORYSTRING_free BORINGSSL_PREFIX %+ _DIRECTORYSTRING_free %xdefine DIRECTORYSTRING_it BORINGSSL_PREFIX %+ _DIRECTORYSTRING_it %xdefine DIRECTORYSTRING_new BORINGSSL_PREFIX %+ _DIRECTORYSTRING_new @@ -4316,7 +4517,6 @@ %xdefine DTLSv1_method BORINGSSL_PREFIX %+ _DTLSv1_method %xdefine DTLSv1_server_method BORINGSSL_PREFIX %+ _DTLSv1_server_method %xdefine DTLSv1_set_initial_timeout_duration BORINGSSL_PREFIX %+ _DTLSv1_set_initial_timeout_duration -%xdefine DW.ref.__gxx_personality_v0 BORINGSSL_PREFIX %+ _DW.ref.__gxx_personality_v0 %xdefine ECDH_compute_key BORINGSSL_PREFIX %+ _ECDH_compute_key %xdefine ECDH_compute_key_fips BORINGSSL_PREFIX %+ _ECDH_compute_key_fips %xdefine ECDSA_SIG_free BORINGSSL_PREFIX %+ _ECDSA_SIG_free 
@@ -4458,6 +4658,7 @@ %xdefine ERR_get_error_line_data BORINGSSL_PREFIX %+ _ERR_get_error_line_data %xdefine ERR_get_next_error_library BORINGSSL_PREFIX %+ _ERR_get_next_error_library %xdefine ERR_lib_error_string BORINGSSL_PREFIX %+ _ERR_lib_error_string +%xdefine ERR_lib_symbol_name BORINGSSL_PREFIX %+ _ERR_lib_symbol_name %xdefine ERR_load_BIO_strings BORINGSSL_PREFIX %+ _ERR_load_BIO_strings %xdefine ERR_load_ERR_strings BORINGSSL_PREFIX %+ _ERR_load_ERR_strings %xdefine ERR_load_RAND_strings BORINGSSL_PREFIX %+ _ERR_load_RAND_strings @@ -4475,6 +4676,7 @@ %xdefine ERR_print_errors_fp BORINGSSL_PREFIX %+ _ERR_print_errors_fp %xdefine ERR_put_error BORINGSSL_PREFIX %+ _ERR_put_error %xdefine ERR_reason_error_string BORINGSSL_PREFIX %+ _ERR_reason_error_string +%xdefine ERR_reason_symbol_name BORINGSSL_PREFIX %+ _ERR_reason_symbol_name %xdefine ERR_remove_state BORINGSSL_PREFIX %+ _ERR_remove_state %xdefine ERR_remove_thread_state BORINGSSL_PREFIX %+ _ERR_remove_thread_state %xdefine ERR_restore_state BORINGSSL_PREFIX %+ _ERR_restore_state @@ -4647,6 +4849,7 @@ %xdefine EVP_PKEY_CTX_set0_rsa_oaep_label BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set0_rsa_oaep_label %xdefine EVP_PKEY_CTX_set1_hkdf_key BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_key %xdefine EVP_PKEY_CTX_set1_hkdf_salt BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set1_hkdf_salt +%xdefine EVP_PKEY_CTX_set_dh_pad BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dh_pad %xdefine EVP_PKEY_CTX_set_dsa_paramgen_bits BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_bits %xdefine EVP_PKEY_CTX_set_dsa_paramgen_q_bits BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_dsa_paramgen_q_bits %xdefine EVP_PKEY_CTX_set_ec_param_enc BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_ec_param_enc 
@@ -4663,6 +4866,7 @@ %xdefine EVP_PKEY_CTX_set_rsa_pss_saltlen BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_rsa_pss_saltlen %xdefine EVP_PKEY_CTX_set_signature_md BORINGSSL_PREFIX %+ _EVP_PKEY_CTX_set_signature_md %xdefine EVP_PKEY_assign BORINGSSL_PREFIX %+ _EVP_PKEY_assign +%xdefine EVP_PKEY_assign_DH BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DH %xdefine EVP_PKEY_assign_DSA BORINGSSL_PREFIX %+ _EVP_PKEY_assign_DSA %xdefine EVP_PKEY_assign_EC_KEY BORINGSSL_PREFIX %+ _EVP_PKEY_assign_EC_KEY %xdefine EVP_PKEY_assign_RSA BORINGSSL_PREFIX %+ _EVP_PKEY_assign_RSA @@ -4704,6 +4908,7 @@ %xdefine EVP_PKEY_print_params BORINGSSL_PREFIX %+ _EVP_PKEY_print_params %xdefine EVP_PKEY_print_private BORINGSSL_PREFIX %+ _EVP_PKEY_print_private %xdefine EVP_PKEY_print_public BORINGSSL_PREFIX %+ _EVP_PKEY_print_public +%xdefine EVP_PKEY_set1_DH BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DH %xdefine EVP_PKEY_set1_DSA BORINGSSL_PREFIX %+ _EVP_PKEY_set1_DSA %xdefine EVP_PKEY_set1_EC_KEY BORINGSSL_PREFIX %+ _EVP_PKEY_set1_EC_KEY %xdefine EVP_PKEY_set1_RSA BORINGSSL_PREFIX %+ _EVP_PKEY_set1_RSA @@ -4788,6 +4993,7 @@ %xdefine EVP_hpke_aes_256_gcm BORINGSSL_PREFIX %+ _EVP_hpke_aes_256_gcm %xdefine EVP_hpke_chacha20_poly1305 BORINGSSL_PREFIX %+ _EVP_hpke_chacha20_poly1305 %xdefine EVP_hpke_hkdf_sha256 BORINGSSL_PREFIX %+ _EVP_hpke_hkdf_sha256 +%xdefine EVP_hpke_p256_hkdf_sha256 BORINGSSL_PREFIX %+ _EVP_hpke_p256_hkdf_sha256 %xdefine EVP_hpke_x25519_hkdf_sha256 BORINGSSL_PREFIX %+ _EVP_hpke_x25519_hkdf_sha256 %xdefine EVP_marshal_digest_algorithm BORINGSSL_PREFIX %+ _EVP_marshal_digest_algorithm %xdefine EVP_marshal_private_key BORINGSSL_PREFIX %+ _EVP_marshal_private_key 
@@ -4890,6 +5096,40 @@ %xdefine MD5_Update BORINGSSL_PREFIX %+ _MD5_Update %xdefine METHOD_ref BORINGSSL_PREFIX %+ _METHOD_ref %xdefine METHOD_unref BORINGSSL_PREFIX %+ _METHOD_unref +%xdefine MLDSA65_generate_key BORINGSSL_PREFIX %+ _MLDSA65_generate_key +%xdefine MLDSA65_generate_key_external_entropy BORINGSSL_PREFIX %+ _MLDSA65_generate_key_external_entropy +%xdefine MLDSA65_marshal_private_key BORINGSSL_PREFIX %+ _MLDSA65_marshal_private_key +%xdefine MLDSA65_marshal_public_key BORINGSSL_PREFIX %+ _MLDSA65_marshal_public_key +%xdefine MLDSA65_parse_private_key BORINGSSL_PREFIX %+ _MLDSA65_parse_private_key +%xdefine MLDSA65_parse_public_key BORINGSSL_PREFIX %+ _MLDSA65_parse_public_key +%xdefine MLDSA65_private_key_from_seed BORINGSSL_PREFIX %+ _MLDSA65_private_key_from_seed +%xdefine MLDSA65_public_from_private BORINGSSL_PREFIX %+ _MLDSA65_public_from_private +%xdefine MLDSA65_sign BORINGSSL_PREFIX %+ _MLDSA65_sign +%xdefine MLDSA65_sign_internal BORINGSSL_PREFIX %+ _MLDSA65_sign_internal +%xdefine MLDSA65_verify BORINGSSL_PREFIX %+ _MLDSA65_verify +%xdefine MLDSA65_verify_internal BORINGSSL_PREFIX %+ _MLDSA65_verify_internal +%xdefine MLKEM1024_decap BORINGSSL_PREFIX %+ _MLKEM1024_decap +%xdefine MLKEM1024_encap BORINGSSL_PREFIX %+ _MLKEM1024_encap +%xdefine MLKEM1024_encap_external_entropy BORINGSSL_PREFIX %+ _MLKEM1024_encap_external_entropy +%xdefine MLKEM1024_generate_key BORINGSSL_PREFIX %+ _MLKEM1024_generate_key +%xdefine MLKEM1024_generate_key_external_seed BORINGSSL_PREFIX %+ _MLKEM1024_generate_key_external_seed +%xdefine MLKEM1024_marshal_private_key BORINGSSL_PREFIX %+ _MLKEM1024_marshal_private_key +%xdefine MLKEM1024_marshal_public_key BORINGSSL_PREFIX %+ _MLKEM1024_marshal_public_key +%xdefine MLKEM1024_parse_private_key BORINGSSL_PREFIX %+ _MLKEM1024_parse_private_key +%xdefine MLKEM1024_parse_public_key BORINGSSL_PREFIX %+ _MLKEM1024_parse_public_key +%xdefine MLKEM1024_private_key_from_seed BORINGSSL_PREFIX %+ 
_MLKEM1024_private_key_from_seed +%xdefine MLKEM1024_public_from_private BORINGSSL_PREFIX %+ _MLKEM1024_public_from_private +%xdefine MLKEM768_decap BORINGSSL_PREFIX %+ _MLKEM768_decap +%xdefine MLKEM768_encap BORINGSSL_PREFIX %+ _MLKEM768_encap +%xdefine MLKEM768_encap_external_entropy BORINGSSL_PREFIX %+ _MLKEM768_encap_external_entropy +%xdefine MLKEM768_generate_key BORINGSSL_PREFIX %+ _MLKEM768_generate_key +%xdefine MLKEM768_generate_key_external_seed BORINGSSL_PREFIX %+ _MLKEM768_generate_key_external_seed +%xdefine MLKEM768_marshal_private_key BORINGSSL_PREFIX %+ _MLKEM768_marshal_private_key +%xdefine MLKEM768_marshal_public_key BORINGSSL_PREFIX %+ _MLKEM768_marshal_public_key +%xdefine MLKEM768_parse_private_key BORINGSSL_PREFIX %+ _MLKEM768_parse_private_key +%xdefine MLKEM768_parse_public_key BORINGSSL_PREFIX %+ _MLKEM768_parse_public_key +%xdefine MLKEM768_private_key_from_seed BORINGSSL_PREFIX %+ _MLKEM768_private_key_from_seed +%xdefine MLKEM768_public_from_private BORINGSSL_PREFIX %+ _MLKEM768_public_from_private %xdefine NAME_CONSTRAINTS_check BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_check %xdefine NAME_CONSTRAINTS_free BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_free %xdefine NAME_CONSTRAINTS_it BORINGSSL_PREFIX %+ _NAME_CONSTRAINTS_it @@ -4954,6 +5194,7 @@ %xdefine OPENSSL_gmtime_diff BORINGSSL_PREFIX %+ _OPENSSL_gmtime_diff %xdefine OPENSSL_hash32 BORINGSSL_PREFIX %+ _OPENSSL_hash32 %xdefine OPENSSL_ia32cap_P BORINGSSL_PREFIX %+ _OPENSSL_ia32cap_P +%xdefine OPENSSL_init_cpuid BORINGSSL_PREFIX %+ _OPENSSL_init_cpuid %xdefine OPENSSL_init_crypto BORINGSSL_PREFIX %+ _OPENSSL_init_crypto %xdefine OPENSSL_init_ssl BORINGSSL_PREFIX %+ _OPENSSL_init_ssl %xdefine OPENSSL_isalnum BORINGSSL_PREFIX %+ _OPENSSL_isalnum 
@@ -5168,7 +5409,6 @@ %xdefine RAND_SSLeay BORINGSSL_PREFIX %+ _RAND_SSLeay %xdefine RAND_add BORINGSSL_PREFIX %+ _RAND_add %xdefine RAND_bytes BORINGSSL_PREFIX %+ _RAND_bytes -%xdefine RAND_bytes_with_additional_data BORINGSSL_PREFIX %+ _RAND_bytes_with_additional_data %xdefine RAND_cleanup BORINGSSL_PREFIX %+ _RAND_cleanup %xdefine RAND_disable_fork_unsafe_buffering BORINGSSL_PREFIX %+ _RAND_disable_fork_unsafe_buffering %xdefine RAND_egd BORINGSSL_PREFIX %+ _RAND_egd @@ -5192,6 +5432,7 @@ %xdefine RSA_PSS_PARAMS_new BORINGSSL_PREFIX %+ _RSA_PSS_PARAMS_new %xdefine RSA_add_pkcs1_prefix BORINGSSL_PREFIX %+ _RSA_add_pkcs1_prefix %xdefine RSA_bits BORINGSSL_PREFIX %+ _RSA_bits +%xdefine RSA_blinding_off BORINGSSL_PREFIX %+ _RSA_blinding_off %xdefine RSA_blinding_on BORINGSSL_PREFIX %+ _RSA_blinding_on %xdefine RSA_check_fips BORINGSSL_PREFIX %+ _RSA_check_fips %xdefine RSA_check_key BORINGSSL_PREFIX %+ _RSA_check_key 
@@ -5288,10 +5529,21 @@ %xdefine SHA512_Transform BORINGSSL_PREFIX %+ _SHA512_Transform %xdefine SHA512_Update BORINGSSL_PREFIX %+ _SHA512_Update %xdefine SIPHASH_24 BORINGSSL_PREFIX %+ _SIPHASH_24 +%xdefine SLHDSA_SHA2_128S_generate_key BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_generate_key +%xdefine SLHDSA_SHA2_128S_generate_key_from_seed BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_generate_key_from_seed +%xdefine SLHDSA_SHA2_128S_public_from_private BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_public_from_private +%xdefine SLHDSA_SHA2_128S_sign BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_sign +%xdefine SLHDSA_SHA2_128S_sign_internal BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_sign_internal +%xdefine SLHDSA_SHA2_128S_verify BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_verify +%xdefine SLHDSA_SHA2_128S_verify_internal BORINGSSL_PREFIX %+ _SLHDSA_SHA2_128S_verify_internal %xdefine SPAKE2_CTX_free BORINGSSL_PREFIX %+ _SPAKE2_CTX_free %xdefine SPAKE2_CTX_new BORINGSSL_PREFIX %+ _SPAKE2_CTX_new %xdefine SPAKE2_generate_msg BORINGSSL_PREFIX %+ _SPAKE2_generate_msg %xdefine SPAKE2_process_msg BORINGSSL_PREFIX %+ _SPAKE2_process_msg +%xdefine SPX_generate_key BORINGSSL_PREFIX %+ _SPX_generate_key +%xdefine SPX_generate_key_from_seed BORINGSSL_PREFIX %+ _SPX_generate_key_from_seed +%xdefine SPX_sign BORINGSSL_PREFIX %+ _SPX_sign +%xdefine SPX_verify BORINGSSL_PREFIX %+ _SPX_verify %xdefine SSL_CIPHER_description BORINGSSL_PREFIX %+ _SSL_CIPHER_description %xdefine SSL_CIPHER_get_auth_nid BORINGSSL_PREFIX %+ _SSL_CIPHER_get_auth_nid %xdefine SSL_CIPHER_get_bits BORINGSSL_PREFIX %+ _SSL_CIPHER_get_bits 
@@ -5316,8 +5568,23 @@ %xdefine SSL_COMP_get_compression_methods BORINGSSL_PREFIX %+ _SSL_COMP_get_compression_methods %xdefine SSL_COMP_get_id BORINGSSL_PREFIX %+ _SSL_COMP_get_id %xdefine SSL_COMP_get_name BORINGSSL_PREFIX %+ _SSL_COMP_get_name +%xdefine SSL_CREDENTIAL_free BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_free +%xdefine SSL_CREDENTIAL_get_ex_data BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_data +%xdefine SSL_CREDENTIAL_get_ex_new_index BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_get_ex_new_index +%xdefine SSL_CREDENTIAL_new_delegated BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_delegated +%xdefine SSL_CREDENTIAL_new_x509 BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_new_x509 +%xdefine SSL_CREDENTIAL_set1_cert_chain BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_cert_chain +%xdefine SSL_CREDENTIAL_set1_delegated_credential BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_delegated_credential +%xdefine SSL_CREDENTIAL_set1_ocsp_response BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_ocsp_response +%xdefine SSL_CREDENTIAL_set1_private_key BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_private_key +%xdefine SSL_CREDENTIAL_set1_signed_cert_timestamp_list BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signed_cert_timestamp_list +%xdefine SSL_CREDENTIAL_set1_signing_algorithm_prefs BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set1_signing_algorithm_prefs +%xdefine SSL_CREDENTIAL_set_ex_data BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_ex_data +%xdefine SSL_CREDENTIAL_set_private_key_method BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_set_private_key_method +%xdefine SSL_CREDENTIAL_up_ref BORINGSSL_PREFIX %+ _SSL_CREDENTIAL_up_ref %xdefine SSL_CTX_add0_chain_cert BORINGSSL_PREFIX %+ _SSL_CTX_add0_chain_cert %xdefine SSL_CTX_add1_chain_cert BORINGSSL_PREFIX %+ _SSL_CTX_add1_chain_cert +%xdefine SSL_CTX_add1_credential BORINGSSL_PREFIX %+ _SSL_CTX_add1_credential %xdefine SSL_CTX_add_cert_compression_alg BORINGSSL_PREFIX %+ _SSL_CTX_add_cert_compression_alg %xdefine SSL_CTX_add_client_CA BORINGSSL_PREFIX %+ _SSL_CTX_add_client_CA %xdefine 
SSL_CTX_add_extra_chain_cert BORINGSSL_PREFIX %+ _SSL_CTX_add_extra_chain_cert @@ -5532,6 +5799,7 @@ %xdefine SSL_accept BORINGSSL_PREFIX %+ _SSL_accept %xdefine SSL_add0_chain_cert BORINGSSL_PREFIX %+ _SSL_add0_chain_cert %xdefine SSL_add1_chain_cert BORINGSSL_PREFIX %+ _SSL_add1_chain_cert +%xdefine SSL_add1_credential BORINGSSL_PREFIX %+ _SSL_add1_credential %xdefine SSL_add_application_settings BORINGSSL_PREFIX %+ _SSL_add_application_settings %xdefine SSL_add_bio_cert_subjects_to_stack BORINGSSL_PREFIX %+ _SSL_add_bio_cert_subjects_to_stack %xdefine SSL_add_client_CA BORINGSSL_PREFIX %+ _SSL_add_client_CA @@ -5551,7 +5819,6 @@ %xdefine SSL_clear_options BORINGSSL_PREFIX %+ _SSL_clear_options %xdefine SSL_connect BORINGSSL_PREFIX %+ _SSL_connect %xdefine SSL_cutthrough_complete BORINGSSL_PREFIX %+ _SSL_cutthrough_complete -%xdefine SSL_delegated_credential_used BORINGSSL_PREFIX %+ _SSL_delegated_credential_used %xdefine SSL_do_handshake BORINGSSL_PREFIX %+ _SSL_do_handshake %xdefine SSL_dup_CA_list BORINGSSL_PREFIX %+ _SSL_dup_CA_list %xdefine SSL_early_callback_ctx_extension_get BORINGSSL_PREFIX %+ _SSL_early_callback_ctx_extension_get @@ -5567,6 +5834,7 @@ %xdefine SSL_generate_key_block BORINGSSL_PREFIX %+ _SSL_generate_key_block %xdefine SSL_get0_alpn_selected BORINGSSL_PREFIX %+ _SSL_get0_alpn_selected %xdefine SSL_get0_certificate_types BORINGSSL_PREFIX %+ _SSL_get0_certificate_types +%xdefine SSL_get0_chain BORINGSSL_PREFIX %+ _SSL_get0_chain %xdefine SSL_get0_chain_certs BORINGSSL_PREFIX %+ _SSL_get0_chain_certs %xdefine SSL_get0_ech_name_override BORINGSSL_PREFIX %+ _SSL_get0_ech_name_override %xdefine SSL_get0_ech_retry_configs BORINGSSL_PREFIX %+ _SSL_get0_ech_retry_configs 
@@ -5577,6 +5845,7 @@ %xdefine SSL_get0_peer_certificates BORINGSSL_PREFIX %+ _SSL_get0_peer_certificates %xdefine SSL_get0_peer_delegation_algorithms BORINGSSL_PREFIX %+ _SSL_get0_peer_delegation_algorithms %xdefine SSL_get0_peer_verify_algorithms BORINGSSL_PREFIX %+ _SSL_get0_peer_verify_algorithms +%xdefine SSL_get0_selected_credential BORINGSSL_PREFIX %+ _SSL_get0_selected_credential %xdefine SSL_get0_server_requested_CAs BORINGSSL_PREFIX %+ _SSL_get0_server_requested_CAs %xdefine SSL_get0_session_id_context BORINGSSL_PREFIX %+ _SSL_get0_session_id_context %xdefine SSL_get0_signed_cert_timestamp_list BORINGSSL_PREFIX %+ _SSL_get0_signed_cert_timestamp_list @@ -5706,7 +5975,6 @@ %xdefine SSL_set1_chain BORINGSSL_PREFIX %+ _SSL_set1_chain %xdefine SSL_set1_curves BORINGSSL_PREFIX %+ _SSL_set1_curves %xdefine SSL_set1_curves_list BORINGSSL_PREFIX %+ _SSL_set1_curves_list -%xdefine SSL_set1_delegated_credential BORINGSSL_PREFIX %+ _SSL_set1_delegated_credential %xdefine SSL_set1_ech_config_list BORINGSSL_PREFIX %+ _SSL_set1_ech_config_list %xdefine SSL_set1_group_ids BORINGSSL_PREFIX %+ _SSL_set1_group_ids %xdefine SSL_set1_groups BORINGSSL_PREFIX %+ _SSL_set1_groups @@ -5724,6 +5992,8 @@ %xdefine SSL_set_bio BORINGSSL_PREFIX %+ _SSL_set_bio %xdefine SSL_set_cert_cb BORINGSSL_PREFIX %+ _SSL_set_cert_cb %xdefine SSL_set_chain_and_key BORINGSSL_PREFIX %+ _SSL_set_chain_and_key +%xdefine SSL_set_check_client_certificate_type BORINGSSL_PREFIX %+ _SSL_set_check_client_certificate_type +%xdefine SSL_set_check_ecdsa_curve BORINGSSL_PREFIX %+ _SSL_set_check_ecdsa_curve %xdefine SSL_set_cipher_list BORINGSSL_PREFIX %+ _SSL_set_cipher_list %xdefine SSL_set_client_CA_list BORINGSSL_PREFIX %+ _SSL_set_client_CA_list %xdefine SSL_set_compliance_policy BORINGSSL_PREFIX %+ _SSL_set_compliance_policy 
@@ -5873,7 +6143,6 @@ %xdefine X509V3_EXT_nconf_nid BORINGSSL_PREFIX %+ _X509V3_EXT_nconf_nid %xdefine X509V3_EXT_print BORINGSSL_PREFIX %+ _X509V3_EXT_print %xdefine X509V3_EXT_print_fp BORINGSSL_PREFIX %+ _X509V3_EXT_print_fp -%xdefine X509V3_EXT_val_prn BORINGSSL_PREFIX %+ _X509V3_EXT_val_prn %xdefine X509V3_NAME_from_section BORINGSSL_PREFIX %+ _X509V3_NAME_from_section %xdefine X509V3_add1_i2d BORINGSSL_PREFIX %+ _X509V3_add1_i2d %xdefine X509V3_add_standard_extensions BORINGSSL_PREFIX %+ _X509V3_add_standard_extensions @@ -5927,7 +6196,6 @@ %xdefine X509_CRL_add_ext BORINGSSL_PREFIX %+ _X509_CRL_add_ext %xdefine X509_CRL_cmp BORINGSSL_PREFIX %+ _X509_CRL_cmp %xdefine X509_CRL_delete_ext BORINGSSL_PREFIX %+ _X509_CRL_delete_ext -%xdefine X509_CRL_diff BORINGSSL_PREFIX %+ _X509_CRL_diff %xdefine X509_CRL_digest BORINGSSL_PREFIX %+ _X509_CRL_digest %xdefine X509_CRL_dup BORINGSSL_PREFIX %+ _X509_CRL_dup %xdefine X509_CRL_free BORINGSSL_PREFIX %+ _X509_CRL_free 
@@ -5979,15 +6247,12 @@ %xdefine X509_EXTENSION_set_data BORINGSSL_PREFIX %+ _X509_EXTENSION_set_data %xdefine X509_EXTENSION_set_object BORINGSSL_PREFIX %+ _X509_EXTENSION_set_object %xdefine X509_INFO_free BORINGSSL_PREFIX %+ _X509_INFO_free -%xdefine X509_INFO_new BORINGSSL_PREFIX %+ _X509_INFO_new -%xdefine X509_LOOKUP_by_subject BORINGSSL_PREFIX %+ _X509_LOOKUP_by_subject +%xdefine X509_LOOKUP_add_dir BORINGSSL_PREFIX %+ _X509_LOOKUP_add_dir %xdefine X509_LOOKUP_ctrl BORINGSSL_PREFIX %+ _X509_LOOKUP_ctrl %xdefine X509_LOOKUP_file BORINGSSL_PREFIX %+ _X509_LOOKUP_file %xdefine X509_LOOKUP_free BORINGSSL_PREFIX %+ _X509_LOOKUP_free %xdefine X509_LOOKUP_hash_dir BORINGSSL_PREFIX %+ _X509_LOOKUP_hash_dir -%xdefine X509_LOOKUP_init BORINGSSL_PREFIX %+ _X509_LOOKUP_init -%xdefine X509_LOOKUP_new BORINGSSL_PREFIX %+ _X509_LOOKUP_new -%xdefine X509_LOOKUP_shutdown BORINGSSL_PREFIX %+ _X509_LOOKUP_shutdown +%xdefine X509_LOOKUP_load_file BORINGSSL_PREFIX %+ _X509_LOOKUP_load_file %xdefine X509_NAME_ENTRIES_it BORINGSSL_PREFIX %+ _X509_NAME_ENTRIES_it %xdefine X509_NAME_ENTRY_create_by_NID BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_NID %xdefine X509_NAME_ENTRY_create_by_OBJ BORINGSSL_PREFIX %+ _X509_NAME_ENTRY_create_by_OBJ 
@@ -6027,34 +6292,24 @@ %xdefine X509_NAME_print_ex BORINGSSL_PREFIX %+ _X509_NAME_print_ex %xdefine X509_NAME_print_ex_fp BORINGSSL_PREFIX %+ _X509_NAME_print_ex_fp %xdefine X509_NAME_set BORINGSSL_PREFIX %+ _X509_NAME_set +%xdefine X509_OBJECT_free BORINGSSL_PREFIX %+ _X509_OBJECT_free %xdefine X509_OBJECT_free_contents BORINGSSL_PREFIX %+ _X509_OBJECT_free_contents %xdefine X509_OBJECT_get0_X509 BORINGSSL_PREFIX %+ _X509_OBJECT_get0_X509 %xdefine X509_OBJECT_get_type BORINGSSL_PREFIX %+ _X509_OBJECT_get_type -%xdefine X509_OBJECT_idx_by_subject BORINGSSL_PREFIX %+ _X509_OBJECT_idx_by_subject -%xdefine X509_OBJECT_retrieve_by_subject BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_by_subject -%xdefine X509_OBJECT_retrieve_match BORINGSSL_PREFIX %+ _X509_OBJECT_retrieve_match -%xdefine X509_OBJECT_up_ref_count BORINGSSL_PREFIX %+ _X509_OBJECT_up_ref_count -%xdefine X509_PKEY_free BORINGSSL_PREFIX %+ _X509_PKEY_free -%xdefine X509_PKEY_new BORINGSSL_PREFIX %+ _X509_PKEY_new +%xdefine X509_OBJECT_new BORINGSSL_PREFIX %+ _X509_OBJECT_new %xdefine X509_PUBKEY_free BORINGSSL_PREFIX %+ _X509_PUBKEY_free %xdefine X509_PUBKEY_get BORINGSSL_PREFIX %+ _X509_PUBKEY_get +%xdefine X509_PUBKEY_get0 BORINGSSL_PREFIX %+ _X509_PUBKEY_get0 %xdefine X509_PUBKEY_get0_param BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_param %xdefine X509_PUBKEY_get0_public_key BORINGSSL_PREFIX %+ _X509_PUBKEY_get0_public_key %xdefine X509_PUBKEY_it BORINGSSL_PREFIX %+ _X509_PUBKEY_it %xdefine X509_PUBKEY_new BORINGSSL_PREFIX %+ _X509_PUBKEY_new %xdefine X509_PUBKEY_set BORINGSSL_PREFIX %+ _X509_PUBKEY_set %xdefine X509_PUBKEY_set0_param BORINGSSL_PREFIX %+ _X509_PUBKEY_set0_param -%xdefine X509_PURPOSE_add BORINGSSL_PREFIX %+ _X509_PURPOSE_add -%xdefine X509_PURPOSE_cleanup BORINGSSL_PREFIX %+ _X509_PURPOSE_cleanup %xdefine X509_PURPOSE_get0 BORINGSSL_PREFIX %+ _X509_PURPOSE_get0 -%xdefine X509_PURPOSE_get0_name BORINGSSL_PREFIX %+ _X509_PURPOSE_get0_name -%xdefine X509_PURPOSE_get0_sname BORINGSSL_PREFIX %+ 
_X509_PURPOSE_get0_sname -%xdefine X509_PURPOSE_get_by_id BORINGSSL_PREFIX %+ _X509_PURPOSE_get_by_id %xdefine X509_PURPOSE_get_by_sname BORINGSSL_PREFIX %+ _X509_PURPOSE_get_by_sname -%xdefine X509_PURPOSE_get_count BORINGSSL_PREFIX %+ _X509_PURPOSE_get_count %xdefine X509_PURPOSE_get_id BORINGSSL_PREFIX %+ _X509_PURPOSE_get_id %xdefine X509_PURPOSE_get_trust BORINGSSL_PREFIX %+ _X509_PURPOSE_get_trust -%xdefine X509_PURPOSE_set BORINGSSL_PREFIX %+ _X509_PURPOSE_set %xdefine X509_REQ_INFO_free BORINGSSL_PREFIX %+ _X509_REQ_INFO_free %xdefine X509_REQ_INFO_it BORINGSSL_PREFIX %+ _X509_REQ_INFO_it %xdefine X509_REQ_INFO_new BORINGSSL_PREFIX %+ _X509_REQ_INFO_new @@ -6070,6 +6325,7 @@ %xdefine X509_REQ_dup BORINGSSL_PREFIX %+ _X509_REQ_dup %xdefine X509_REQ_extension_nid BORINGSSL_PREFIX %+ _X509_REQ_extension_nid %xdefine X509_REQ_free BORINGSSL_PREFIX %+ _X509_REQ_free +%xdefine X509_REQ_get0_pubkey BORINGSSL_PREFIX %+ _X509_REQ_get0_pubkey %xdefine X509_REQ_get0_signature BORINGSSL_PREFIX %+ _X509_REQ_get0_signature %xdefine X509_REQ_get1_email BORINGSSL_PREFIX %+ _X509_REQ_get1_email %xdefine X509_REQ_get_attr BORINGSSL_PREFIX %+ _X509_REQ_get_attr 
@@ -6122,13 +6378,15 @@ %xdefine X509_STORE_CTX_get0_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_cert %xdefine X509_STORE_CTX_get0_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_chain %xdefine X509_STORE_CTX_get0_current_crl BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_crl -%xdefine X509_STORE_CTX_get0_current_issuer BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_current_issuer %xdefine X509_STORE_CTX_get0_param BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_param %xdefine X509_STORE_CTX_get0_parent_ctx BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_parent_ctx %xdefine X509_STORE_CTX_get0_store BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_store %xdefine X509_STORE_CTX_get0_untrusted BORINGSSL_PREFIX %+ _X509_STORE_CTX_get0_untrusted +%xdefine X509_STORE_CTX_get1_certs BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_certs %xdefine X509_STORE_CTX_get1_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_chain +%xdefine X509_STORE_CTX_get1_crls BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_crls %xdefine X509_STORE_CTX_get1_issuer BORINGSSL_PREFIX %+ _X509_STORE_CTX_get1_issuer +%xdefine X509_STORE_CTX_get_by_subject BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_by_subject %xdefine X509_STORE_CTX_get_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_chain %xdefine X509_STORE_CTX_get_current_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_current_cert %xdefine X509_STORE_CTX_get_error BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_error 
@@ -6137,11 +6395,9 @@ %xdefine X509_STORE_CTX_get_ex_new_index BORINGSSL_PREFIX %+ _X509_STORE_CTX_get_ex_new_index %xdefine X509_STORE_CTX_init BORINGSSL_PREFIX %+ _X509_STORE_CTX_init %xdefine X509_STORE_CTX_new BORINGSSL_PREFIX %+ _X509_STORE_CTX_new -%xdefine X509_STORE_CTX_purpose_inherit BORINGSSL_PREFIX %+ _X509_STORE_CTX_purpose_inherit %xdefine X509_STORE_CTX_set0_crls BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_crls %xdefine X509_STORE_CTX_set0_param BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_param %xdefine X509_STORE_CTX_set0_trusted_stack BORINGSSL_PREFIX %+ _X509_STORE_CTX_set0_trusted_stack -%xdefine X509_STORE_CTX_set_cert BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_cert %xdefine X509_STORE_CTX_set_chain BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_chain %xdefine X509_STORE_CTX_set_default BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_default %xdefine X509_STORE_CTX_set_depth BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_depth 
@@ -6154,56 +6410,23 @@ %xdefine X509_STORE_CTX_set_trust BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_trust %xdefine X509_STORE_CTX_set_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_CTX_set_verify_cb %xdefine X509_STORE_CTX_trusted_stack BORINGSSL_PREFIX %+ _X509_STORE_CTX_trusted_stack -%xdefine X509_STORE_CTX_zero BORINGSSL_PREFIX %+ _X509_STORE_CTX_zero %xdefine X509_STORE_add_cert BORINGSSL_PREFIX %+ _X509_STORE_add_cert %xdefine X509_STORE_add_crl BORINGSSL_PREFIX %+ _X509_STORE_add_crl %xdefine X509_STORE_add_lookup BORINGSSL_PREFIX %+ _X509_STORE_add_lookup %xdefine X509_STORE_free BORINGSSL_PREFIX %+ _X509_STORE_free %xdefine X509_STORE_get0_objects BORINGSSL_PREFIX %+ _X509_STORE_get0_objects %xdefine X509_STORE_get0_param BORINGSSL_PREFIX %+ _X509_STORE_get0_param -%xdefine X509_STORE_get1_certs BORINGSSL_PREFIX %+ _X509_STORE_get1_certs -%xdefine X509_STORE_get1_crls BORINGSSL_PREFIX %+ _X509_STORE_get1_crls -%xdefine X509_STORE_get_by_subject BORINGSSL_PREFIX %+ _X509_STORE_get_by_subject -%xdefine X509_STORE_get_cert_crl BORINGSSL_PREFIX %+ _X509_STORE_get_cert_crl -%xdefine X509_STORE_get_check_crl BORINGSSL_PREFIX %+ _X509_STORE_get_check_crl -%xdefine X509_STORE_get_check_issued BORINGSSL_PREFIX %+ _X509_STORE_get_check_issued -%xdefine X509_STORE_get_check_revocation BORINGSSL_PREFIX %+ _X509_STORE_get_check_revocation -%xdefine X509_STORE_get_cleanup BORINGSSL_PREFIX %+ _X509_STORE_get_cleanup -%xdefine X509_STORE_get_get_crl BORINGSSL_PREFIX %+ _X509_STORE_get_get_crl -%xdefine X509_STORE_get_get_issuer BORINGSSL_PREFIX %+ _X509_STORE_get_get_issuer -%xdefine X509_STORE_get_lookup_certs BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_certs -%xdefine X509_STORE_get_lookup_crls BORINGSSL_PREFIX %+ _X509_STORE_get_lookup_crls -%xdefine X509_STORE_get_verify BORINGSSL_PREFIX %+ _X509_STORE_get_verify -%xdefine X509_STORE_get_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_get_verify_cb +%xdefine X509_STORE_get1_objects BORINGSSL_PREFIX %+ _X509_STORE_get1_objects 
%xdefine X509_STORE_load_locations BORINGSSL_PREFIX %+ _X509_STORE_load_locations %xdefine X509_STORE_new BORINGSSL_PREFIX %+ _X509_STORE_new %xdefine X509_STORE_set1_param BORINGSSL_PREFIX %+ _X509_STORE_set1_param -%xdefine X509_STORE_set_cert_crl BORINGSSL_PREFIX %+ _X509_STORE_set_cert_crl -%xdefine X509_STORE_set_check_crl BORINGSSL_PREFIX %+ _X509_STORE_set_check_crl -%xdefine X509_STORE_set_check_issued BORINGSSL_PREFIX %+ _X509_STORE_set_check_issued -%xdefine X509_STORE_set_check_revocation BORINGSSL_PREFIX %+ _X509_STORE_set_check_revocation -%xdefine X509_STORE_set_cleanup BORINGSSL_PREFIX %+ _X509_STORE_set_cleanup %xdefine X509_STORE_set_default_paths BORINGSSL_PREFIX %+ _X509_STORE_set_default_paths %xdefine X509_STORE_set_depth BORINGSSL_PREFIX %+ _X509_STORE_set_depth %xdefine X509_STORE_set_flags BORINGSSL_PREFIX %+ _X509_STORE_set_flags -%xdefine X509_STORE_set_get_crl BORINGSSL_PREFIX %+ _X509_STORE_set_get_crl -%xdefine X509_STORE_set_get_issuer BORINGSSL_PREFIX %+ _X509_STORE_set_get_issuer -%xdefine X509_STORE_set_lookup_certs BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_certs -%xdefine X509_STORE_set_lookup_crls BORINGSSL_PREFIX %+ _X509_STORE_set_lookup_crls %xdefine X509_STORE_set_purpose BORINGSSL_PREFIX %+ _X509_STORE_set_purpose %xdefine X509_STORE_set_trust BORINGSSL_PREFIX %+ _X509_STORE_set_trust -%xdefine X509_STORE_set_verify BORINGSSL_PREFIX %+ _X509_STORE_set_verify %xdefine X509_STORE_set_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_set_verify_cb %xdefine X509_STORE_up_ref BORINGSSL_PREFIX %+ _X509_STORE_up_ref -%xdefine X509_TRUST_add BORINGSSL_PREFIX %+ _X509_TRUST_add -%xdefine X509_TRUST_cleanup BORINGSSL_PREFIX %+ _X509_TRUST_cleanup -%xdefine X509_TRUST_get0 BORINGSSL_PREFIX %+ _X509_TRUST_get0 -%xdefine X509_TRUST_get0_name BORINGSSL_PREFIX %+ _X509_TRUST_get0_name -%xdefine X509_TRUST_get_by_id BORINGSSL_PREFIX %+ _X509_TRUST_get_by_id -%xdefine X509_TRUST_get_count BORINGSSL_PREFIX %+ _X509_TRUST_get_count -%xdefine 
X509_TRUST_get_flags BORINGSSL_PREFIX %+ _X509_TRUST_get_flags -%xdefine X509_TRUST_get_trust BORINGSSL_PREFIX %+ _X509_TRUST_get_trust -%xdefine X509_TRUST_set BORINGSSL_PREFIX %+ _X509_TRUST_set %xdefine X509_VAL_free BORINGSSL_PREFIX %+ _X509_VAL_free %xdefine X509_VAL_it BORINGSSL_PREFIX %+ _X509_VAL_it %xdefine X509_VAL_new BORINGSSL_PREFIX %+ _X509_VAL_new @@ -6211,8 +6434,6 @@ %xdefine X509_VERIFY_PARAM_add1_host BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_add1_host %xdefine X509_VERIFY_PARAM_clear_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_clear_flags %xdefine X509_VERIFY_PARAM_free BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_free -%xdefine X509_VERIFY_PARAM_get0_name BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_name -%xdefine X509_VERIFY_PARAM_get0_peername BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get0_peername %xdefine X509_VERIFY_PARAM_get_depth BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_depth %xdefine X509_VERIFY_PARAM_get_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_get_flags %xdefine X509_VERIFY_PARAM_inherit BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_inherit @@ -6223,7 +6444,6 @@ %xdefine X509_VERIFY_PARAM_set1_host BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_host %xdefine X509_VERIFY_PARAM_set1_ip BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip %xdefine X509_VERIFY_PARAM_set1_ip_asc BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_ip_asc -%xdefine X509_VERIFY_PARAM_set1_name BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_name %xdefine X509_VERIFY_PARAM_set1_policies BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set1_policies %xdefine X509_VERIFY_PARAM_set_depth BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_depth %xdefine X509_VERIFY_PARAM_set_flags BORINGSSL_PREFIX %+ _X509_VERIFY_PARAM_set_flags 
@@ -6266,6 +6486,7 @@ %xdefine X509_get0_extensions BORINGSSL_PREFIX %+ _X509_get0_extensions %xdefine X509_get0_notAfter BORINGSSL_PREFIX %+ _X509_get0_notAfter %xdefine X509_get0_notBefore BORINGSSL_PREFIX %+ _X509_get0_notBefore +%xdefine X509_get0_pubkey BORINGSSL_PREFIX %+ _X509_get0_pubkey %xdefine X509_get0_pubkey_bitstr BORINGSSL_PREFIX %+ _X509_get0_pubkey_bitstr %xdefine X509_get0_serialNumber BORINGSSL_PREFIX %+ _X509_get0_serialNumber %xdefine X509_get0_signature BORINGSSL_PREFIX %+ _X509_get0_signature @@ -6304,6 +6525,7 @@ %xdefine X509_getm_notAfter BORINGSSL_PREFIX %+ _X509_getm_notAfter %xdefine X509_getm_notBefore BORINGSSL_PREFIX %+ _X509_getm_notBefore %xdefine X509_gmtime_adj BORINGSSL_PREFIX %+ _X509_gmtime_adj +%xdefine X509_is_valid_trust_id BORINGSSL_PREFIX %+ _X509_is_valid_trust_id %xdefine X509_issuer_name_cmp BORINGSSL_PREFIX %+ _X509_issuer_name_cmp %xdefine X509_issuer_name_hash BORINGSSL_PREFIX %+ _X509_issuer_name_hash %xdefine X509_issuer_name_hash_old BORINGSSL_PREFIX %+ _X509_issuer_name_hash_old @@ -6357,7 +6579,6 @@ %xdefine X509v3_get_ext_by_critical BORINGSSL_PREFIX %+ _X509v3_get_ext_by_critical %xdefine X509v3_get_ext_count BORINGSSL_PREFIX %+ _X509v3_get_ext_count %xdefine __clang_call_terminate BORINGSSL_PREFIX %+ ___clang_call_terminate -%xdefine a2i_GENERAL_NAME BORINGSSL_PREFIX %+ _a2i_GENERAL_NAME %xdefine a2i_IPADDRESS BORINGSSL_PREFIX %+ _a2i_IPADDRESS %xdefine a2i_IPADDRESS_NC BORINGSSL_PREFIX %+ _a2i_IPADDRESS_NC %xdefine aes128gcmsiv_aes_ks BORINGSSL_PREFIX %+ _aes128gcmsiv_aes_ks 
@@ -6382,8 +6603,11 @@ %xdefine aes_hw_decrypt BORINGSSL_PREFIX %+ _aes_hw_decrypt %xdefine aes_hw_ecb_encrypt BORINGSSL_PREFIX %+ _aes_hw_ecb_encrypt %xdefine aes_hw_encrypt BORINGSSL_PREFIX %+ _aes_hw_encrypt +%xdefine aes_hw_encrypt_key_to_decrypt_key BORINGSSL_PREFIX %+ _aes_hw_encrypt_key_to_decrypt_key %xdefine aes_hw_set_decrypt_key BORINGSSL_PREFIX %+ _aes_hw_set_decrypt_key %xdefine aes_hw_set_encrypt_key BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key +%xdefine aes_hw_set_encrypt_key_alt BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_alt +%xdefine aes_hw_set_encrypt_key_base BORINGSSL_PREFIX %+ _aes_hw_set_encrypt_key_base %xdefine aes_nohw_cbc_encrypt BORINGSSL_PREFIX %+ _aes_nohw_cbc_encrypt %xdefine aes_nohw_ctr32_encrypt_blocks BORINGSSL_PREFIX %+ _aes_nohw_ctr32_encrypt_blocks %xdefine aes_nohw_decrypt BORINGSSL_PREFIX %+ _aes_nohw_decrypt @@ -6412,6 +6636,7 @@ %xdefine asn1_refcount_set_one BORINGSSL_PREFIX %+ _asn1_refcount_set_one %xdefine asn1_set_choice_selector BORINGSSL_PREFIX %+ _asn1_set_choice_selector %xdefine asn1_type_cleanup BORINGSSL_PREFIX %+ _asn1_type_cleanup +%xdefine asn1_type_set0_string BORINGSSL_PREFIX %+ _asn1_type_set0_string %xdefine asn1_type_value_as_pointer BORINGSSL_PREFIX %+ _asn1_type_value_as_pointer %xdefine asn1_utctime_to_tm BORINGSSL_PREFIX %+ _asn1_utctime_to_tm %xdefine beeu_mod_inverse_vartime BORINGSSL_PREFIX %+ _beeu_mod_inverse_vartime 
@@ -6458,17 +6683,23 @@ %xdefine bn_mont_ctx_init BORINGSSL_PREFIX %+ _bn_mont_ctx_init %xdefine bn_mont_ctx_set_RR_consttime BORINGSSL_PREFIX %+ _bn_mont_ctx_set_RR_consttime %xdefine bn_mont_n0 BORINGSSL_PREFIX %+ _bn_mont_n0 +%xdefine bn_mul4x_mont BORINGSSL_PREFIX %+ _bn_mul4x_mont +%xdefine bn_mul4x_mont_gather5 BORINGSSL_PREFIX %+ _bn_mul4x_mont_gather5 %xdefine bn_mul_add_words BORINGSSL_PREFIX %+ _bn_mul_add_words %xdefine bn_mul_comba4 BORINGSSL_PREFIX %+ _bn_mul_comba4 %xdefine bn_mul_comba8 BORINGSSL_PREFIX %+ _bn_mul_comba8 %xdefine bn_mul_consttime BORINGSSL_PREFIX %+ _bn_mul_consttime %xdefine bn_mul_mont BORINGSSL_PREFIX %+ _bn_mul_mont -%xdefine bn_mul_mont_gather5 BORINGSSL_PREFIX %+ _bn_mul_mont_gather5 +%xdefine bn_mul_mont_gather5_nohw BORINGSSL_PREFIX %+ _bn_mul_mont_gather5_nohw +%xdefine bn_mul_mont_nohw BORINGSSL_PREFIX %+ _bn_mul_mont_nohw %xdefine bn_mul_small BORINGSSL_PREFIX %+ _bn_mul_small %xdefine bn_mul_words BORINGSSL_PREFIX %+ _bn_mul_words +%xdefine bn_mulx4x_mont BORINGSSL_PREFIX %+ _bn_mulx4x_mont +%xdefine bn_mulx4x_mont_gather5 BORINGSSL_PREFIX %+ _bn_mulx4x_mont_gather5 %xdefine bn_odd_number_is_obviously_composite BORINGSSL_PREFIX %+ _bn_odd_number_is_obviously_composite %xdefine bn_one_to_montgomery BORINGSSL_PREFIX %+ _bn_one_to_montgomery -%xdefine bn_power5 BORINGSSL_PREFIX %+ _bn_power5 +%xdefine bn_power5_nohw BORINGSSL_PREFIX %+ _bn_power5_nohw +%xdefine bn_powerx5 BORINGSSL_PREFIX %+ _bn_powerx5 %xdefine bn_rand_range_words BORINGSSL_PREFIX %+ _bn_rand_range_words %xdefine bn_rand_secret_range BORINGSSL_PREFIX %+ _bn_rand_secret_range %xdefine bn_reduce_once BORINGSSL_PREFIX %+ _bn_reduce_once 
@@ -6483,6 +6714,7 @@ %xdefine bn_set_static_words BORINGSSL_PREFIX %+ _bn_set_static_words %xdefine bn_set_words BORINGSSL_PREFIX %+ _bn_set_words %xdefine bn_sqr8x_internal BORINGSSL_PREFIX %+ _bn_sqr8x_internal +%xdefine bn_sqr8x_mont BORINGSSL_PREFIX %+ _bn_sqr8x_mont %xdefine bn_sqr_comba4 BORINGSSL_PREFIX %+ _bn_sqr_comba4 %xdefine bn_sqr_comba8 BORINGSSL_PREFIX %+ _bn_sqr_comba8 %xdefine bn_sqr_consttime BORINGSSL_PREFIX %+ _bn_sqr_consttime @@ -6502,9 +6734,12 @@ %xdefine c2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER %xdefine c2i_ASN1_OBJECT BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT %xdefine chacha20_poly1305_open BORINGSSL_PREFIX %+ _chacha20_poly1305_open +%xdefine chacha20_poly1305_open_avx2 BORINGSSL_PREFIX %+ _chacha20_poly1305_open_avx2 +%xdefine chacha20_poly1305_open_nohw BORINGSSL_PREFIX %+ _chacha20_poly1305_open_nohw %xdefine chacha20_poly1305_seal BORINGSSL_PREFIX %+ _chacha20_poly1305_seal +%xdefine chacha20_poly1305_seal_avx2 BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_avx2 +%xdefine chacha20_poly1305_seal_nohw BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_nohw %xdefine crypto_gcm_clmul_enabled BORINGSSL_PREFIX %+ _crypto_gcm_clmul_enabled -%xdefine d2i_ACCESS_DESCRIPTION BORINGSSL_PREFIX %+ _d2i_ACCESS_DESCRIPTION %xdefine d2i_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _d2i_ASN1_BIT_STRING %xdefine d2i_ASN1_BMPSTRING BORINGSSL_PREFIX %+ _d2i_ASN1_BMPSTRING %xdefine d2i_ASN1_BOOLEAN BORINGSSL_PREFIX %+ _d2i_ASN1_BOOLEAN 
@@ -6537,8 +6772,6 @@ %xdefine d2i_DHparams_bio BORINGSSL_PREFIX %+ _d2i_DHparams_bio %xdefine d2i_DIRECTORYSTRING BORINGSSL_PREFIX %+ _d2i_DIRECTORYSTRING %xdefine d2i_DISPLAYTEXT BORINGSSL_PREFIX %+ _d2i_DISPLAYTEXT -%xdefine d2i_DIST_POINT BORINGSSL_PREFIX %+ _d2i_DIST_POINT -%xdefine d2i_DIST_POINT_NAME BORINGSSL_PREFIX %+ _d2i_DIST_POINT_NAME %xdefine d2i_DSAPrivateKey BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey %xdefine d2i_DSAPrivateKey_bio BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_bio %xdefine d2i_DSAPrivateKey_fp BORINGSSL_PREFIX %+ _d2i_DSAPrivateKey_fp @@ -6549,6 +6782,7 @@ %xdefine d2i_DSA_SIG BORINGSSL_PREFIX %+ _d2i_DSA_SIG %xdefine d2i_DSAparams BORINGSSL_PREFIX %+ _d2i_DSAparams %xdefine d2i_ECDSA_SIG BORINGSSL_PREFIX %+ _d2i_ECDSA_SIG +%xdefine d2i_ECPKParameters BORINGSSL_PREFIX %+ _d2i_ECPKParameters %xdefine d2i_ECParameters BORINGSSL_PREFIX %+ _d2i_ECParameters %xdefine d2i_ECPrivateKey BORINGSSL_PREFIX %+ _d2i_ECPrivateKey %xdefine d2i_ECPrivateKey_bio BORINGSSL_PREFIX %+ _d2i_ECPrivateKey_bio 
@@ -6556,15 +6790,12 @@ %xdefine d2i_EC_PUBKEY BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY %xdefine d2i_EC_PUBKEY_bio BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_bio %xdefine d2i_EC_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_EC_PUBKEY_fp -%xdefine d2i_EDIPARTYNAME BORINGSSL_PREFIX %+ _d2i_EDIPARTYNAME %xdefine d2i_EXTENDED_KEY_USAGE BORINGSSL_PREFIX %+ _d2i_EXTENDED_KEY_USAGE %xdefine d2i_GENERAL_NAME BORINGSSL_PREFIX %+ _d2i_GENERAL_NAME %xdefine d2i_GENERAL_NAMES BORINGSSL_PREFIX %+ _d2i_GENERAL_NAMES %xdefine d2i_ISSUING_DIST_POINT BORINGSSL_PREFIX %+ _d2i_ISSUING_DIST_POINT %xdefine d2i_NETSCAPE_SPKAC BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKAC %xdefine d2i_NETSCAPE_SPKI BORINGSSL_PREFIX %+ _d2i_NETSCAPE_SPKI -%xdefine d2i_NOTICEREF BORINGSSL_PREFIX %+ _d2i_NOTICEREF -%xdefine d2i_OTHERNAME BORINGSSL_PREFIX %+ _d2i_OTHERNAME %xdefine d2i_PKCS12 BORINGSSL_PREFIX %+ _d2i_PKCS12 %xdefine d2i_PKCS12_bio BORINGSSL_PREFIX %+ _d2i_PKCS12_bio %xdefine d2i_PKCS12_fp BORINGSSL_PREFIX %+ _d2i_PKCS12_fp @@ -6577,8 +6808,6 @@ %xdefine d2i_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_PREFIX %+ _d2i_PKCS8_PRIV_KEY_INFO_fp %xdefine d2i_PKCS8_bio BORINGSSL_PREFIX %+ _d2i_PKCS8_bio %xdefine d2i_PKCS8_fp BORINGSSL_PREFIX %+ _d2i_PKCS8_fp -%xdefine d2i_POLICYINFO BORINGSSL_PREFIX %+ _d2i_POLICYINFO -%xdefine d2i_POLICYQUALINFO BORINGSSL_PREFIX %+ _d2i_POLICYQUALINFO %xdefine d2i_PUBKEY BORINGSSL_PREFIX %+ _d2i_PUBKEY %xdefine d2i_PUBKEY_bio BORINGSSL_PREFIX %+ _d2i_PUBKEY_bio %xdefine d2i_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_PUBKEY_fp @@ -6598,7 +6827,6 @@ %xdefine d2i_RSA_PUBKEY_fp BORINGSSL_PREFIX %+ _d2i_RSA_PUBKEY_fp %xdefine d2i_SSL_SESSION BORINGSSL_PREFIX %+ _d2i_SSL_SESSION %xdefine d2i_SSL_SESSION_bio BORINGSSL_PREFIX %+ _d2i_SSL_SESSION_bio -%xdefine d2i_USERNOTICE BORINGSSL_PREFIX %+ _d2i_USERNOTICE %xdefine d2i_X509 BORINGSSL_PREFIX %+ _d2i_X509 %xdefine d2i_X509_ALGOR BORINGSSL_PREFIX %+ _d2i_X509_ALGOR %xdefine d2i_X509_ATTRIBUTE BORINGSSL_PREFIX %+ _d2i_X509_ATTRIBUTE 
@@ -6612,7 +6840,6 @@ %xdefine d2i_X509_EXTENSION BORINGSSL_PREFIX %+ _d2i_X509_EXTENSION %xdefine d2i_X509_EXTENSIONS BORINGSSL_PREFIX %+ _d2i_X509_EXTENSIONS %xdefine d2i_X509_NAME BORINGSSL_PREFIX %+ _d2i_X509_NAME -%xdefine d2i_X509_NAME_ENTRY BORINGSSL_PREFIX %+ _d2i_X509_NAME_ENTRY %xdefine d2i_X509_PUBKEY BORINGSSL_PREFIX %+ _d2i_X509_PUBKEY %xdefine d2i_X509_REQ BORINGSSL_PREFIX %+ _d2i_X509_REQ %xdefine d2i_X509_REQ_INFO BORINGSSL_PREFIX %+ _d2i_X509_REQ_INFO @@ -6623,8 +6850,10 @@ %xdefine d2i_X509_VAL BORINGSSL_PREFIX %+ _d2i_X509_VAL %xdefine d2i_X509_bio BORINGSSL_PREFIX %+ _d2i_X509_bio %xdefine d2i_X509_fp BORINGSSL_PREFIX %+ _d2i_X509_fp +%xdefine dh_asn1_meth BORINGSSL_PREFIX %+ _dh_asn1_meth %xdefine dh_check_params_fast BORINGSSL_PREFIX %+ _dh_check_params_fast %xdefine dh_compute_key_padded_no_self_test BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test +%xdefine dh_pkey_meth BORINGSSL_PREFIX %+ _dh_pkey_meth %xdefine dsa_asn1_meth BORINGSSL_PREFIX %+ _dsa_asn1_meth %xdefine dsa_check_key BORINGSSL_PREFIX %+ _dsa_check_key %xdefine ec_GFp_mont_add BORINGSSL_PREFIX %+ _ec_GFp_mont_add 
@@ -6714,25 +6943,46 @@ %xdefine ec_set_to_safe_point BORINGSSL_PREFIX %+ _ec_set_to_safe_point %xdefine ec_simple_scalar_inv0_montgomery BORINGSSL_PREFIX %+ _ec_simple_scalar_inv0_montgomery %xdefine ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_PREFIX %+ _ec_simple_scalar_to_montgomery_inv_vartime -%xdefine ecdsa_do_verify_no_self_test BORINGSSL_PREFIX %+ _ecdsa_do_verify_no_self_test -%xdefine ecdsa_sign_with_nonce_for_known_answer_test BORINGSSL_PREFIX %+ _ecdsa_sign_with_nonce_for_known_answer_test -%xdefine ecp_nistz256_avx2_select_w7 BORINGSSL_PREFIX %+ _ecp_nistz256_avx2_select_w7 +%xdefine ecdsa_sign_fixed BORINGSSL_PREFIX %+ _ecdsa_sign_fixed +%xdefine ecdsa_sign_fixed_with_nonce_for_known_answer_test BORINGSSL_PREFIX %+ _ecdsa_sign_fixed_with_nonce_for_known_answer_test +%xdefine ecdsa_verify_fixed BORINGSSL_PREFIX %+ _ecdsa_verify_fixed +%xdefine ecdsa_verify_fixed_no_self_test BORINGSSL_PREFIX %+ _ecdsa_verify_fixed_no_self_test %xdefine ecp_nistz256_div_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2 %xdefine ecp_nistz256_mul_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2 %xdefine ecp_nistz256_mul_by_3 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3 %xdefine ecp_nistz256_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont +%xdefine ecp_nistz256_mul_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_adx +%xdefine ecp_nistz256_mul_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_nohw %xdefine ecp_nistz256_neg BORINGSSL_PREFIX %+ _ecp_nistz256_neg %xdefine ecp_nistz256_ord_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont +%xdefine ecp_nistz256_ord_mul_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_adx +%xdefine ecp_nistz256_ord_mul_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_nohw %xdefine ecp_nistz256_ord_sqr_mont BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont +%xdefine ecp_nistz256_ord_sqr_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_adx +%xdefine ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_PREFIX %+ 
_ecp_nistz256_ord_sqr_mont_nohw %xdefine ecp_nistz256_point_add BORINGSSL_PREFIX %+ _ecp_nistz256_point_add +%xdefine ecp_nistz256_point_add_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_adx %xdefine ecp_nistz256_point_add_affine BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine +%xdefine ecp_nistz256_point_add_affine_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_adx +%xdefine ecp_nistz256_point_add_affine_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_nohw +%xdefine ecp_nistz256_point_add_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_nohw %xdefine ecp_nistz256_point_double BORINGSSL_PREFIX %+ _ecp_nistz256_point_double +%xdefine ecp_nistz256_point_double_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_adx +%xdefine ecp_nistz256_point_double_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_nohw %xdefine ecp_nistz256_select_w5 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5 +%xdefine ecp_nistz256_select_w5_avx2 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_avx2 +%xdefine ecp_nistz256_select_w5_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_nohw %xdefine ecp_nistz256_select_w7 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7 +%xdefine ecp_nistz256_select_w7_avx2 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_avx2 +%xdefine ecp_nistz256_select_w7_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_nohw %xdefine ecp_nistz256_sqr_mont BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont +%xdefine ecp_nistz256_sqr_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_adx +%xdefine ecp_nistz256_sqr_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_nohw %xdefine ecp_nistz256_sub BORINGSSL_PREFIX %+ _ecp_nistz256_sub %xdefine ed25519_asn1_meth BORINGSSL_PREFIX %+ _ed25519_asn1_meth %xdefine ed25519_pkey_meth BORINGSSL_PREFIX %+ _ed25519_pkey_meth +%xdefine evp_md_md5_sha1 BORINGSSL_PREFIX %+ _evp_md_md5_sha1 +%xdefine evp_pkey_set_method BORINGSSL_PREFIX %+ _evp_pkey_set_method %xdefine fiat_curve25519_adx_mul BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul %xdefine 
fiat_curve25519_adx_square BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square %xdefine fiat_p256_adx_mul BORINGSSL_PREFIX %+ _fiat_p256_adx_mul @@ -6756,14 +7006,12 @@ %xdefine gcm_init_ssse3 BORINGSSL_PREFIX %+ _gcm_init_ssse3 %xdefine gcm_init_v8 BORINGSSL_PREFIX %+ _gcm_init_v8 %xdefine hkdf_pkey_meth BORINGSSL_PREFIX %+ _hkdf_pkey_meth -%xdefine i2a_ACCESS_DESCRIPTION BORINGSSL_PREFIX %+ _i2a_ACCESS_DESCRIPTION %xdefine i2a_ASN1_ENUMERATED BORINGSSL_PREFIX %+ _i2a_ASN1_ENUMERATED %xdefine i2a_ASN1_INTEGER BORINGSSL_PREFIX %+ _i2a_ASN1_INTEGER %xdefine i2a_ASN1_OBJECT BORINGSSL_PREFIX %+ _i2a_ASN1_OBJECT %xdefine i2a_ASN1_STRING BORINGSSL_PREFIX %+ _i2a_ASN1_STRING %xdefine i2c_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _i2c_ASN1_BIT_STRING %xdefine i2c_ASN1_INTEGER BORINGSSL_PREFIX %+ _i2c_ASN1_INTEGER -%xdefine i2d_ACCESS_DESCRIPTION BORINGSSL_PREFIX %+ _i2d_ACCESS_DESCRIPTION %xdefine i2d_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _i2d_ASN1_BIT_STRING %xdefine i2d_ASN1_BMPSTRING BORINGSSL_PREFIX %+ _i2d_ASN1_BMPSTRING %xdefine i2d_ASN1_BOOLEAN BORINGSSL_PREFIX %+ _i2d_ASN1_BOOLEAN @@ -6795,8 +7043,6 @@ %xdefine i2d_DHparams_bio BORINGSSL_PREFIX %+ _i2d_DHparams_bio %xdefine i2d_DIRECTORYSTRING BORINGSSL_PREFIX %+ _i2d_DIRECTORYSTRING %xdefine i2d_DISPLAYTEXT BORINGSSL_PREFIX %+ _i2d_DISPLAYTEXT -%xdefine i2d_DIST_POINT BORINGSSL_PREFIX %+ _i2d_DIST_POINT -%xdefine i2d_DIST_POINT_NAME BORINGSSL_PREFIX %+ _i2d_DIST_POINT_NAME %xdefine i2d_DSAPrivateKey BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey %xdefine i2d_DSAPrivateKey_bio BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_bio %xdefine i2d_DSAPrivateKey_fp BORINGSSL_PREFIX %+ _i2d_DSAPrivateKey_fp 
@@ -6807,6 +7053,7 @@ %xdefine i2d_DSA_SIG BORINGSSL_PREFIX %+ _i2d_DSA_SIG %xdefine i2d_DSAparams BORINGSSL_PREFIX %+ _i2d_DSAparams %xdefine i2d_ECDSA_SIG BORINGSSL_PREFIX %+ _i2d_ECDSA_SIG +%xdefine i2d_ECPKParameters BORINGSSL_PREFIX %+ _i2d_ECPKParameters %xdefine i2d_ECParameters BORINGSSL_PREFIX %+ _i2d_ECParameters %xdefine i2d_ECPrivateKey BORINGSSL_PREFIX %+ _i2d_ECPrivateKey %xdefine i2d_ECPrivateKey_bio BORINGSSL_PREFIX %+ _i2d_ECPrivateKey_bio @@ -6814,15 +7061,12 @@ %xdefine i2d_EC_PUBKEY BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY %xdefine i2d_EC_PUBKEY_bio BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_bio %xdefine i2d_EC_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_EC_PUBKEY_fp -%xdefine i2d_EDIPARTYNAME BORINGSSL_PREFIX %+ _i2d_EDIPARTYNAME %xdefine i2d_EXTENDED_KEY_USAGE BORINGSSL_PREFIX %+ _i2d_EXTENDED_KEY_USAGE %xdefine i2d_GENERAL_NAME BORINGSSL_PREFIX %+ _i2d_GENERAL_NAME %xdefine i2d_GENERAL_NAMES BORINGSSL_PREFIX %+ _i2d_GENERAL_NAMES %xdefine i2d_ISSUING_DIST_POINT BORINGSSL_PREFIX %+ _i2d_ISSUING_DIST_POINT %xdefine i2d_NETSCAPE_SPKAC BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKAC %xdefine i2d_NETSCAPE_SPKI BORINGSSL_PREFIX %+ _i2d_NETSCAPE_SPKI -%xdefine i2d_NOTICEREF BORINGSSL_PREFIX %+ _i2d_NOTICEREF -%xdefine i2d_OTHERNAME BORINGSSL_PREFIX %+ _i2d_OTHERNAME %xdefine i2d_PKCS12 BORINGSSL_PREFIX %+ _i2d_PKCS12 %xdefine i2d_PKCS12_bio BORINGSSL_PREFIX %+ _i2d_PKCS12_bio %xdefine i2d_PKCS12_fp BORINGSSL_PREFIX %+ _i2d_PKCS12_fp @@ -6839,8 +7083,6 @@ %xdefine i2d_PKCS8_PRIV_KEY_INFO_fp BORINGSSL_PREFIX %+ _i2d_PKCS8_PRIV_KEY_INFO_fp %xdefine i2d_PKCS8_bio BORINGSSL_PREFIX %+ _i2d_PKCS8_bio %xdefine i2d_PKCS8_fp BORINGSSL_PREFIX %+ _i2d_PKCS8_fp -%xdefine i2d_POLICYINFO BORINGSSL_PREFIX %+ _i2d_POLICYINFO -%xdefine i2d_POLICYQUALINFO BORINGSSL_PREFIX %+ _i2d_POLICYQUALINFO %xdefine i2d_PUBKEY BORINGSSL_PREFIX %+ _i2d_PUBKEY %xdefine i2d_PUBKEY_bio BORINGSSL_PREFIX %+ _i2d_PUBKEY_bio %xdefine i2d_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_PUBKEY_fp 
@@ -6860,7 +7102,6 @@ %xdefine i2d_RSA_PUBKEY_fp BORINGSSL_PREFIX %+ _i2d_RSA_PUBKEY_fp %xdefine i2d_SSL_SESSION BORINGSSL_PREFIX %+ _i2d_SSL_SESSION %xdefine i2d_SSL_SESSION_bio BORINGSSL_PREFIX %+ _i2d_SSL_SESSION_bio -%xdefine i2d_USERNOTICE BORINGSSL_PREFIX %+ _i2d_USERNOTICE %xdefine i2d_X509 BORINGSSL_PREFIX %+ _i2d_X509 %xdefine i2d_X509_ALGOR BORINGSSL_PREFIX %+ _i2d_X509_ALGOR %xdefine i2d_X509_ATTRIBUTE BORINGSSL_PREFIX %+ _i2d_X509_ATTRIBUTE @@ -6875,7 +7116,6 @@ %xdefine i2d_X509_EXTENSION BORINGSSL_PREFIX %+ _i2d_X509_EXTENSION %xdefine i2d_X509_EXTENSIONS BORINGSSL_PREFIX %+ _i2d_X509_EXTENSIONS %xdefine i2d_X509_NAME BORINGSSL_PREFIX %+ _i2d_X509_NAME -%xdefine i2d_X509_NAME_ENTRY BORINGSSL_PREFIX %+ _i2d_X509_NAME_ENTRY %xdefine i2d_X509_PUBKEY BORINGSSL_PREFIX %+ _i2d_X509_PUBKEY %xdefine i2d_X509_REQ BORINGSSL_PREFIX %+ _i2d_X509_REQ %xdefine i2d_X509_REQ_INFO BORINGSSL_PREFIX %+ _i2d_X509_REQ_INFO 
@@ -6961,14 +7201,24 @@ %xdefine rsaz_1024_sqr_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_sqr_avx2 %xdefine s2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _s2i_ASN1_INTEGER %xdefine s2i_ASN1_OCTET_STRING BORINGSSL_PREFIX %+ _s2i_ASN1_OCTET_STRING -%xdefine sha1_block_data_order BORINGSSL_PREFIX %+ _sha1_block_data_order -%xdefine sha256_block_data_order BORINGSSL_PREFIX %+ _sha256_block_data_order -%xdefine sha512_block_data_order BORINGSSL_PREFIX %+ _sha512_block_data_order +%xdefine sha1_block_data_order_avx BORINGSSL_PREFIX %+ _sha1_block_data_order_avx +%xdefine sha1_block_data_order_avx2 BORINGSSL_PREFIX %+ _sha1_block_data_order_avx2 +%xdefine sha1_block_data_order_hw BORINGSSL_PREFIX %+ _sha1_block_data_order_hw +%xdefine sha1_block_data_order_nohw BORINGSSL_PREFIX %+ _sha1_block_data_order_nohw +%xdefine sha1_block_data_order_ssse3 BORINGSSL_PREFIX %+ _sha1_block_data_order_ssse3 +%xdefine sha256_block_data_order_avx BORINGSSL_PREFIX %+ _sha256_block_data_order_avx +%xdefine sha256_block_data_order_hw BORINGSSL_PREFIX %+ _sha256_block_data_order_hw +%xdefine sha256_block_data_order_nohw BORINGSSL_PREFIX %+ _sha256_block_data_order_nohw +%xdefine sha256_block_data_order_ssse3 BORINGSSL_PREFIX %+ _sha256_block_data_order_ssse3 +%xdefine sha512_block_data_order_avx BORINGSSL_PREFIX %+ _sha512_block_data_order_avx +%xdefine sha512_block_data_order_hw BORINGSSL_PREFIX %+ _sha512_block_data_order_hw +%xdefine sha512_block_data_order_nohw BORINGSSL_PREFIX %+ _sha512_block_data_order_nohw %xdefine sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_copy_func %xdefine sk_CRYPTO_BUFFER_call_free_func BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_call_free_func %xdefine sk_CRYPTO_BUFFER_deep_copy BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_deep_copy %xdefine sk_CRYPTO_BUFFER_new_null BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_new_null %xdefine sk_CRYPTO_BUFFER_num BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_num +%xdefine sk_CRYPTO_BUFFER_pop BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_pop 
%xdefine sk_CRYPTO_BUFFER_push BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_push %xdefine sk_CRYPTO_BUFFER_set BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_set %xdefine sk_CRYPTO_BUFFER_value BORINGSSL_PREFIX %+ _sk_CRYPTO_BUFFER_value 
@@ -7010,6 +7260,57 @@ %xdefine sk_pop_free_ex BORINGSSL_PREFIX %+ _sk_pop_free_ex %xdefine sk_push BORINGSSL_PREFIX %+ _sk_push %xdefine sk_value BORINGSSL_PREFIX %+ _sk_value +%xdefine slhdsa_fors_pk_from_sig BORINGSSL_PREFIX %+ _slhdsa_fors_pk_from_sig +%xdefine slhdsa_fors_sign BORINGSSL_PREFIX %+ _slhdsa_fors_sign +%xdefine slhdsa_fors_sk_gen BORINGSSL_PREFIX %+ _slhdsa_fors_sk_gen +%xdefine slhdsa_fors_treehash BORINGSSL_PREFIX %+ _slhdsa_fors_treehash +%xdefine slhdsa_ht_sign BORINGSSL_PREFIX %+ _slhdsa_ht_sign +%xdefine slhdsa_ht_verify BORINGSSL_PREFIX %+ _slhdsa_ht_verify +%xdefine slhdsa_thash_f BORINGSSL_PREFIX %+ _slhdsa_thash_f +%xdefine slhdsa_thash_h BORINGSSL_PREFIX %+ _slhdsa_thash_h +%xdefine slhdsa_thash_hmsg BORINGSSL_PREFIX %+ _slhdsa_thash_hmsg +%xdefine slhdsa_thash_prf BORINGSSL_PREFIX %+ _slhdsa_thash_prf +%xdefine slhdsa_thash_prfmsg BORINGSSL_PREFIX %+ _slhdsa_thash_prfmsg +%xdefine slhdsa_thash_tk BORINGSSL_PREFIX %+ _slhdsa_thash_tk +%xdefine slhdsa_thash_tl BORINGSSL_PREFIX %+ _slhdsa_thash_tl +%xdefine slhdsa_treehash BORINGSSL_PREFIX %+ _slhdsa_treehash +%xdefine slhdsa_wots_pk_from_sig BORINGSSL_PREFIX %+ _slhdsa_wots_pk_from_sig +%xdefine slhdsa_wots_pk_gen BORINGSSL_PREFIX %+ _slhdsa_wots_pk_gen +%xdefine slhdsa_wots_sign BORINGSSL_PREFIX %+ _slhdsa_wots_sign +%xdefine slhdsa_xmss_pk_from_sig BORINGSSL_PREFIX %+ _slhdsa_xmss_pk_from_sig +%xdefine slhdsa_xmss_sign BORINGSSL_PREFIX %+ _slhdsa_xmss_sign +%xdefine spx_base_b BORINGSSL_PREFIX %+ _spx_base_b +%xdefine spx_copy_keypair_addr BORINGSSL_PREFIX %+ _spx_copy_keypair_addr +%xdefine spx_fors_pk_from_sig BORINGSSL_PREFIX %+ _spx_fors_pk_from_sig +%xdefine spx_fors_sign BORINGSSL_PREFIX %+ _spx_fors_sign +%xdefine spx_fors_sk_gen BORINGSSL_PREFIX %+ _spx_fors_sk_gen +%xdefine spx_fors_treehash BORINGSSL_PREFIX %+ _spx_fors_treehash +%xdefine spx_get_tree_index BORINGSSL_PREFIX %+ _spx_get_tree_index +%xdefine spx_ht_sign BORINGSSL_PREFIX %+ _spx_ht_sign +%xdefine spx_ht_verify 
BORINGSSL_PREFIX %+ _spx_ht_verify +%xdefine spx_set_chain_addr BORINGSSL_PREFIX %+ _spx_set_chain_addr +%xdefine spx_set_hash_addr BORINGSSL_PREFIX %+ _spx_set_hash_addr +%xdefine spx_set_keypair_addr BORINGSSL_PREFIX %+ _spx_set_keypair_addr +%xdefine spx_set_layer_addr BORINGSSL_PREFIX %+ _spx_set_layer_addr +%xdefine spx_set_tree_addr BORINGSSL_PREFIX %+ _spx_set_tree_addr +%xdefine spx_set_tree_height BORINGSSL_PREFIX %+ _spx_set_tree_height +%xdefine spx_set_tree_index BORINGSSL_PREFIX %+ _spx_set_tree_index +%xdefine spx_set_type BORINGSSL_PREFIX %+ _spx_set_type +%xdefine spx_thash_f BORINGSSL_PREFIX %+ _spx_thash_f +%xdefine spx_thash_h BORINGSSL_PREFIX %+ _spx_thash_h +%xdefine spx_thash_hmsg BORINGSSL_PREFIX %+ _spx_thash_hmsg +%xdefine spx_thash_prf BORINGSSL_PREFIX %+ _spx_thash_prf +%xdefine spx_thash_prfmsg BORINGSSL_PREFIX %+ _spx_thash_prfmsg +%xdefine spx_thash_tk BORINGSSL_PREFIX %+ _spx_thash_tk +%xdefine spx_thash_tl BORINGSSL_PREFIX %+ _spx_thash_tl +%xdefine spx_to_uint64 BORINGSSL_PREFIX %+ _spx_to_uint64 +%xdefine spx_treehash BORINGSSL_PREFIX %+ _spx_treehash +%xdefine spx_uint64_to_len_bytes BORINGSSL_PREFIX %+ _spx_uint64_to_len_bytes +%xdefine spx_wots_pk_from_sig BORINGSSL_PREFIX %+ _spx_wots_pk_from_sig +%xdefine spx_wots_pk_gen BORINGSSL_PREFIX %+ _spx_wots_pk_gen +%xdefine spx_wots_sign BORINGSSL_PREFIX %+ _spx_wots_sign +%xdefine spx_xmss_pk_from_sig BORINGSSL_PREFIX %+ _spx_xmss_pk_from_sig +%xdefine spx_xmss_sign BORINGSSL_PREFIX %+ _spx_xmss_sign %xdefine v2i_GENERAL_NAME BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME %xdefine v2i_GENERAL_NAMES BORINGSSL_PREFIX %+ _v2i_GENERAL_NAMES %xdefine v2i_GENERAL_NAME_ex BORINGSSL_PREFIX %+ _v2i_GENERAL_NAME_ex 
@@ -7076,6 +7377,7 @@ %xdefine x25519_sc_reduce BORINGSSL_PREFIX %+ _x25519_sc_reduce %xdefine x25519_scalar_mult_adx BORINGSSL_PREFIX %+ _x25519_scalar_mult_adx %xdefine x509V3_add_value_asn1_string BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string +%xdefine x509_check_issued_with_callback BORINGSSL_PREFIX %+ _x509_check_issued_with_callback %xdefine x509_digest_sign_algorithm BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm %xdefine x509_digest_verify_init BORINGSSL_PREFIX %+ _x509_digest_verify_init %xdefine x509_print_rsa_pss_params BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params diff --git a/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_dilithium.h b/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_dilithium.h new file mode 100644 index 000000000..5162aa225 --- /dev/null +++ b/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_dilithium.h 
@@ -0,0 +1,129 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_DILITHIUM_H +#define OPENSSL_HEADER_DILITHIUM_H + +#include "CNIOBoringSSL_base.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +#if defined(OPENSSL_UNSTABLE_EXPERIMENTAL_DILITHIUM) +// The ML-DSA spec has now been standardized and ML-DSA is available in +// BoringSSL. This code should no longer be used. It was intended for +// short-lived experiments and must not have been deployed anywhere durable. If +// you were using this you need to use the instead. This +// header and code will be removed from BoringSSL soon. + +// Dilithium3. + +// DILITHIUM_private_key contains a Dilithium3 private key. The contents of this +// object should never leave the address space since the format is unstable. +struct DILITHIUM_private_key { + union { + uint8_t bytes[32 + 32 + 64 + 256 * 4 * (5 + 6 + 6)]; + uint32_t alignment; + } opaque; +}; + +// DILITHIUM_public_key contains a Dilithium3 public key. The contents of this +// object should never leave the address space since the format is unstable. 
+struct DILITHIUM_public_key { + union { + uint8_t bytes[32 + 64 + 256 * 4 * 6]; + uint32_t alignment; + } opaque; +}; + +// DILITHIUM_PRIVATE_KEY_BYTES is the number of bytes in an encoded Dilithium3 +// private key. +#define DILITHIUM_PRIVATE_KEY_BYTES 4032 + +// DILITHIUM_PUBLIC_KEY_BYTES is the number of bytes in an encoded Dilithium3 +// public key. +#define DILITHIUM_PUBLIC_KEY_BYTES 1952 + +// DILITHIUM_SIGNATURE_BYTES is the number of bytes in an encoded Dilithium3 +// signature. +#define DILITHIUM_SIGNATURE_BYTES 3309 + +// DILITHIUM_generate_key generates a random public/private key pair, writes the +// encoded public key to |out_encoded_public_key| and sets |out_private_key| to +// the private key. Returns 1 on success and 0 on failure. +OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_generate_key( + uint8_t out_encoded_public_key[DILITHIUM_PUBLIC_KEY_BYTES], + struct DILITHIUM_private_key *out_private_key); + +// DILITHIUM_public_from_private sets |*out_public_key| to the public key that +// corresponds to |private_key|. Returns 1 on success and 0 on failure. +OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_public_from_private( + struct DILITHIUM_public_key *out_public_key, + const struct DILITHIUM_private_key *private_key); + +// DILITHIUM_sign generates a signature for the message |msg| of length +// |msg_len| using |private_key| following the randomized algorithm, and writes +// the encoded signature to |out_encoded_signature|. Returns 1 on success and 0 +// on failure. +OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_sign( + uint8_t out_encoded_signature[DILITHIUM_SIGNATURE_BYTES], + const struct DILITHIUM_private_key *private_key, const uint8_t *msg, + size_t msg_len); + +// DILITHIUM_verify verifies that |encoded_signature| constitutes a valid +// signature for the message |msg| of length |msg_len| using |public_key|. 
+OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_verify( + const struct DILITHIUM_public_key *public_key, + const uint8_t encoded_signature[DILITHIUM_SIGNATURE_BYTES], + const uint8_t *msg, size_t msg_len); + + +// Serialisation of keys. + +// DILITHIUM_marshal_public_key serializes |public_key| to |out| in the standard +// format for Dilithium public keys. It returns one on success or zero on +// allocation error. +OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_marshal_public_key( + CBB *out, const struct DILITHIUM_public_key *public_key); + +// DILITHIUM_parse_public_key parses a public key, in the format generated by +// |DILITHIUM_marshal_public_key|, from |in| and writes the result to +// |out_public_key|. It returns one on success or zero on parse error or if +// there are trailing bytes in |in|. +OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_parse_public_key( + struct DILITHIUM_public_key *public_key, CBS *in); + +// DILITHIUM_marshal_private_key serializes |private_key| to |out| in the +// standard format for Dilithium private keys. It returns one on success or zero +// on allocation error. +OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_marshal_private_key( + CBB *out, const struct DILITHIUM_private_key *private_key); + +// DILITHIUM_parse_private_key parses a private key, in the format generated by +// |DILITHIUM_marshal_private_key|, from |in| and writes the result to +// |out_private_key|. It returns one on success or zero on parse error or if +// there are trailing bytes in |in|. +OPENSSL_EXPORT OPENSSL_DEPRECATED int DILITHIUM_parse_private_key( + struct DILITHIUM_private_key *private_key, CBS *in); + +#endif // OPENSSL_UNSTABLE_EXPERIMENTAL_DILITHIUM + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_DILITHIUM_H 
diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_kyber.h b/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_kyber.h similarity index 67% rename from Sources/CNIOBoringSSL/include/CNIOBoringSSL_kyber.h rename to Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_kyber.h index 5c0603738..f0113cf80 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_kyber.h +++ b/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_kyber.h @@ -22,7 +22,18 @@ extern "C" { #endif +#if defined(OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER) +// This header implements experimental, draft versions of not-yet-standardized +// primitives. When the standard is complete, these functions will be removed +// and replaced with the final, incompatible standard version. They are +// available now for short-lived experiments, but must not be deployed anywhere +// durable, such as a long-lived key store. To use these functions define +// OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER + // Kyber768. +// +// This implements the round-3 specification of Kyber, defined at +// https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf // KYBER_public_key contains a Kyber768 public key. The contents of this @@ -47,6 +58,12 @@ struct KYBER_private_key { // key. #define KYBER_PUBLIC_KEY_BYTES 1184 +// KYBER_SHARED_SECRET_BYTES is the number of bytes in the Kyber768 shared +// secret. Although the round-3 specification has a variable-length output, the +// final ML-KEM construction is expected to use a fixed 32-byte output. To +// simplify the future transition, we apply the same restriction. +#define KYBER_SHARED_SECRET_BYTES 32 + // KYBER_generate_key generates a random public/private key pair, writes the // encoded public key to |out_encoded_public_key| and sets |out_private_key| to // the private key. 
@@ -65,25 +82,24 @@ OPENSSL_EXPORT void KYBER_public_from_private( // KYBER_CIPHERTEXT_BYTES is number of bytes in the Kyber768 ciphertext. #define KYBER_CIPHERTEXT_BYTES 1088 -// KYBER_encap encrypts a random secret key of length |out_shared_secret_len| to -// |public_key|, writes the ciphertext to |ciphertext|, and writes the random -// key to |out_shared_secret|. The party calling |KYBER_decap| must already know -// the correct value of |out_shared_secret_len|. -OPENSSL_EXPORT void KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], - uint8_t *out_shared_secret, - size_t out_shared_secret_len, - const struct KYBER_public_key *public_key); - -// KYBER_decap decrypts a key of length |out_shared_secret_len| from -// |ciphertext| using |private_key| and writes it to |out_shared_secret|. If -// |ciphertext| is invalid, |out_shared_secret| is filled with a key that -// will always be the same for the same |ciphertext| and |private_key|, but -// which appears to be random unless one has access to |private_key|. These -// alternatives occur in constant time. Any subsequent symmetric encryption -// using |out_shared_secret| must use an authenticated encryption scheme in -// order to discover the decapsulation failure. +// KYBER_encap encrypts a random shared secret for |public_key|, writes the +// ciphertext to |out_ciphertext|, and writes the random shared secret to +// |out_shared_secret|. +OPENSSL_EXPORT void KYBER_encap( + uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], + uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], + const struct KYBER_public_key *public_key); + +// KYBER_decap decrypts a shared secret from |ciphertext| using |private_key| +// and writes it to |out_shared_secret|. If |ciphertext| is invalid, +// |out_shared_secret| is filled with a key that will always be the same for the +// same |ciphertext| and |private_key|, but which appears to be random unless +// one has access to |private_key|. These alternatives occur in constant time. 
+// Any subsequent symmetric encryption using |out_shared_secret| must use an +// authenticated encryption scheme in order to discover the decapsulation +// failure. OPENSSL_EXPORT void KYBER_decap( - uint8_t *out_shared_secret, size_t out_shared_secret_len, + uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], const uint8_t ciphertext[KYBER_CIPHERTEXT_BYTES], const struct KYBER_private_key *private_key); @@ -120,6 +136,8 @@ OPENSSL_EXPORT int KYBER_marshal_private_key( OPENSSL_EXPORT int KYBER_parse_private_key( struct KYBER_private_key *out_private_key, CBS *in); +#endif // OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER + #if defined(__cplusplus) } // extern C diff --git a/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_spx.h b/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_spx.h new file mode 100644 index 000000000..c5b45e4d1 --- /dev/null +++ b/Sources/CNIOBoringSSL/include/experimental/CNIOBoringSSL_spx.h 
@@ -0,0 +1,90 @@ +/* Copyright (c) 2023, Google LLC + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_SPX_H +#define OPENSSL_HEADER_SPX_H + +#include "CNIOBoringSSL_base.h" + +#if defined(__cplusplus) +extern "C" { +#endif + + +#if defined(OPENSSL_UNSTABLE_EXPERIMENTAL_SPX) +// This header implements experimental, draft versions of not-yet-standardized +// primitives. When the standard is complete, these functions will be removed +// and replaced with the final, incompatible standard version. They are +// available now for short-lived experiments, but must not be deployed anywhere +// durable, such as a long-lived key store. 
To use these functions define +// OPENSSL_UNSTABLE_EXPERIMENTAL_SPX + +// SPX_N is the number of bytes in the hash output +#define SPX_N 16 + +// SPX_PUBLIC_KEY_BYTES is the nNumber of bytes in the public key of +// SPHINCS+-SHA2-128s +#define SPX_PUBLIC_KEY_BYTES 32 + +// SPX_SECRET_KEY_BYTES is the number of bytes in the private key of +// SPHINCS+-SHA2-128s +#define SPX_SECRET_KEY_BYTES 64 + +// SPX_SIGNATURE_BYTES is the number of bytes in a signature of +// SPHINCS+-SHA2-128s +#define SPX_SIGNATURE_BYTES 7856 + +// SPX_generate_key generates a SPHINCS+-SHA2-128s key pair and writes the +// result to |out_public_key| and |out_secret_key|. +// Private key: SK.seed || SK.prf || PK.seed || PK.root +// Public key: PK.seed || PK.root +OPENSSL_EXPORT void SPX_generate_key( + uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES], + uint8_t out_secret_key[SPX_SECRET_KEY_BYTES]); + +// SPX_generate_key_from_seed generates a SPHINCS+-SHA2-128s key pair from a +// 48-byte seed and writes the result to |out_public_key| and |out_secret_key|. +// Secret key: SK.seed || SK.prf || PK.seed || PK.root +// Public key: PK.seed || PK.root +OPENSSL_EXPORT void SPX_generate_key_from_seed( + uint8_t out_public_key[SPX_PUBLIC_KEY_BYTES], + uint8_t out_secret_key[SPX_SECRET_KEY_BYTES], + const uint8_t seed[3 * SPX_N]); + +// SPX_sign generates a SPHINCS+-SHA2-128s signature over |msg| or length +// |msg_len| using |secret_key| and writes the output to |out_signature|. +// +// if |randomized| is 0, deterministic signing is performed, otherwise, +// non-deterministic signing is performed. +OPENSSL_EXPORT void SPX_sign( + uint8_t out_snignature[SPX_SIGNATURE_BYTES], + const uint8_t secret_key[SPX_SECRET_KEY_BYTES], const uint8_t *msg, + size_t msg_len, int randomized); + +// SPX_verify verifies a SPHINCS+-SHA2-128s signature in |signature| over |msg| +// or length |msg_len| using |public_key|. 1 is returned if the signature +// matches, 0 otherwise. 
+OPENSSL_EXPORT int SPX_verify( + const uint8_t signature[SPX_SIGNATURE_BYTES], + const uint8_t public_key[SPX_SECRET_KEY_BYTES], const uint8_t *msg, + size_t msg_len); + +#endif //OPENSSL_UNSTABLE_EXPERIMENTAL_SPX + + +#if defined(__cplusplus) +} // extern C +#endif + +#endif // OPENSSL_HEADER_SPX_H diff --git a/Sources/CNIOBoringSSL/include/module.modulemap b/Sources/CNIOBoringSSL/include/module.modulemap new file mode 100644 index 000000000..8c02e21e9 --- /dev/null +++ b/Sources/CNIOBoringSSL/include/module.modulemap @@ -0,0 +1,4 @@ +module CNIOBoringSSL { + umbrella header "CNIOBoringSSL.h" + export * +} diff --git a/Sources/CNIOBoringSSL/ssl/d1_both.cc b/Sources/CNIOBoringSSL/ssl/d1_both.cc index dc746a5dc..363d8bd32 100644 --- a/Sources/CNIOBoringSSL/ssl/d1_both.cc +++ b/Sources/CNIOBoringSSL/ssl/d1_both.cc @@ -483,13 +483,8 @@ ssl_open_record_t dtls1_open_change_cipher_spec(SSL *ssl, size_t *out_consumed, // Sending handshake messages. -void DTLS_OUTGOING_MESSAGE::Clear() { data.Reset(); } - void dtls_clear_outgoing_messages(SSL *ssl) { - for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) { - ssl->d1->outgoing_messages[i].Clear(); - } - ssl->d1->outgoing_messages_len = 0; + ssl->d1->outgoing_messages.clear(); ssl->d1->outgoing_written = 0; ssl->d1->outgoing_offset = 0; ssl->d1->outgoing_messages_complete = false; 
@@ -524,20 +519,6 @@ bool dtls1_finish_message(const SSL *ssl, CBB *cbb, Array *out_msg) { return true; } -// ssl_size_t_greater_than_32_bits returns whether |v| exceeds the bounds of a -// 32-bit value. The obvious thing doesn't work because, in some 32-bit build -// configurations, the compiler warns that the test is always false and breaks -// the build. -static bool ssl_size_t_greater_than_32_bits(size_t v) { -#if defined(OPENSSL_64_BIT) - return v > 0xffffffff; -#elif defined(OPENSSL_32_BIT) - return false; -#else -#error "Building for neither 32- nor 64-bits." -#endif -} - // add_outgoing adds a new handshake message or ChangeCipherSpec to the current // outgoing flight. It returns true on success and false on error. static bool add_outgoing(SSL *ssl, bool is_ccs, Array data) { @@ -548,16 +529,6 @@ static bool add_outgoing(SSL *ssl, bool is_ccs, Array data) { dtls_clear_outgoing_messages(ssl); } - static_assert(SSL_MAX_HANDSHAKE_FLIGHT < - (1 << 8 * sizeof(ssl->d1->outgoing_messages_len)), - "outgoing_messages_len is too small"); - if (ssl->d1->outgoing_messages_len >= SSL_MAX_HANDSHAKE_FLIGHT || - ssl_size_t_greater_than_32_bits(data.size())) { - assert(false); - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - return false; - } - if (!is_ccs) { // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript // on hs. @@ -569,13 +540,16 @@ static bool add_outgoing(SSL *ssl, bool is_ccs, Array data) { ssl->d1->handshake_write_seq++; } - DTLS_OUTGOING_MESSAGE *msg = - &ssl->d1->outgoing_messages[ssl->d1->outgoing_messages_len]; - msg->data = std::move(data); - msg->epoch = ssl->d1->w_epoch; - msg->is_ccs = is_ccs; + DTLS_OUTGOING_MESSAGE msg; + msg.data = std::move(data); + msg.epoch = ssl->d1->w_epoch; + msg.is_ccs = is_ccs; + if (!ssl->d1->outgoing_messages.TryPushBack(std::move(msg))) { + assert(false); + OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); + return false; + } - ssl->d1->outgoing_messages_len++; return true; } 
@@ -584,6 +558,11 @@ bool dtls1_add_message(SSL *ssl, Array data) { } bool dtls1_add_change_cipher_spec(SSL *ssl) { + // DTLS 1.3 disables compatibility mode, which means that DTLS 1.3 never sends + // a ChangeCipherSpec message. + if (ssl_protocol_version(ssl) > TLS1_2_VERSION) { + return true; + } return add_outgoing(ssl, true /* ChangeCipherSpec */, Array()); } @@ -621,19 +600,11 @@ enum seal_result_t { static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, const DTLS_OUTGOING_MESSAGE *msg) { - assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len); + assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size()); assert(msg == &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]); - enum dtls1_use_epoch_t use_epoch = dtls1_use_current_epoch; - if (ssl->d1->w_epoch >= 1 && msg->epoch == ssl->d1->w_epoch - 1) { - use_epoch = dtls1_use_previous_epoch; - } else if (msg->epoch != ssl->d1->w_epoch) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - return seal_error; - } - - size_t overhead = dtls_max_seal_overhead(ssl, use_epoch); - size_t prefix = dtls_seal_prefix_len(ssl, use_epoch); + size_t overhead = dtls_max_seal_overhead(ssl, msg->epoch); + size_t prefix = dtls_seal_prefix_len(ssl, msg->epoch); if (msg->is_ccs) { // Check there is room for the ChangeCipherSpec. @@ -644,7 +615,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_CHANGE_CIPHER_SPEC, kChangeCipherSpec, - sizeof(kChangeCipherSpec), use_epoch)) { + sizeof(kChangeCipherSpec), msg->epoch)) { return seal_error; } @@ -697,7 +668,7 @@ static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out, MakeSpan(frag, frag_len)); if (!dtls_seal_record(ssl, out, out_len, max_out, SSL3_RT_HANDSHAKE, - out + prefix, frag_len, use_epoch)) { + out + prefix, frag_len, msg->epoch)) { return seal_error; } 
@@ -718,8 +689,8 @@ static bool seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out) { bool made_progress = false; size_t total = 0; - assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len); - for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len; + assert(ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size()); + for (; ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size(); ssl->d1->outgoing_written++) { const DTLS_OUTGOING_MESSAGE *msg = &ssl->d1->outgoing_messages[ssl->d1->outgoing_written]; @@ -775,7 +746,7 @@ static int send_flight(SSL *ssl) { return -1; } - while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages_len) { + while (ssl->d1->outgoing_written < ssl->d1->outgoing_messages.size()) { uint8_t old_written = ssl->d1->outgoing_written; uint32_t old_offset = ssl->d1->outgoing_offset; diff --git a/Sources/CNIOBoringSSL/ssl/d1_lib.cc b/Sources/CNIOBoringSSL/ssl/d1_lib.cc index ace0cfca4..097030874 100644 --- a/Sources/CNIOBoringSSL/ssl/d1_lib.cc +++ b/Sources/CNIOBoringSSL/ssl/d1_lib.cc @@ -95,14 +95,18 @@ bool dtls1_new(SSL *ssl) { return false; } - ssl->d1 = d1.release(); + d1->initial_epoch_state = MakeUnique(); + if (!d1->initial_epoch_state) { + tls_free(ssl); + return false; + } + d1->initial_epoch_state->aead_write_ctx = SSLAEADContext::CreateNullCipher(); + if (!d1->initial_epoch_state->aead_write_ctx) { + tls_free(ssl); + return false; + } - // Set the version to the highest supported version. - // - // TODO(davidben): Move this field into |s3|, have it store the normalized - // protocol version, and implement this pre-negotiation quirk in |SSL_version| - // at the API boundary rather than in internal state. - ssl->version = DTLS1_2_VERSION; + ssl->d1 = d1.release(); return true; } diff --git a/Sources/CNIOBoringSSL/ssl/d1_pkt.cc b/Sources/CNIOBoringSSL/ssl/d1_pkt.cc index a3e871b48..db0dc7f18 100644 --- a/Sources/CNIOBoringSSL/ssl/d1_pkt.cc +++ b/Sources/CNIOBoringSSL/ssl/d1_pkt.cc 
@@ -208,7 +208,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake, } int ret = dtls1_write_record(ssl, SSL3_RT_APPLICATION_DATA, in, - dtls1_use_current_epoch); + ssl->d1->w_epoch); if (ret <= 0) { return ret; } @@ -216,8 +216,13 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake, return 1; } +static size_t dtls_seal_align_prefix_len(const SSL *ssl, uint16_t epoch) { + return dtls_record_header_write_len(ssl, epoch) + + ssl->s3->aead_write_ctx->ExplicitNonceLen(); +} + int dtls1_write_record(SSL *ssl, int type, Span in, - enum dtls1_use_epoch_t use_epoch) { + uint16_t epoch) { SSLBuffer *buf = &ssl->s3->write_buffer; assert(in.size() <= SSL3_RT_MAX_PLAIN_LENGTH); // There should never be a pending write buffer in DTLS. One can't write half @@ -231,11 +236,11 @@ int dtls1_write_record(SSL *ssl, int type, Span in, } size_t ciphertext_len; - if (!buf->EnsureCap(ssl_seal_align_prefix_len(ssl), + if (!buf->EnsureCap(dtls_seal_align_prefix_len(ssl, epoch), in.size() + SSL_max_seal_overhead(ssl)) || !dtls_seal_record(ssl, buf->remaining().data(), &ciphertext_len, buf->remaining().size(), type, in.data(), in.size(), - use_epoch)) { + epoch)) { buf->Clear(); return -1; } @@ -250,7 +255,7 @@ int dtls1_write_record(SSL *ssl, int type, Span in, int dtls1_dispatch_alert(SSL *ssl) { int ret = dtls1_write_record(ssl, SSL3_RT_ALERT, ssl->s3->send_alert, - dtls1_use_current_epoch); + ssl->d1->w_epoch); if (ret <= 0) { return ret; } diff --git a/Sources/CNIOBoringSSL/ssl/dtls_method.cc b/Sources/CNIOBoringSSL/ssl/dtls_method.cc index f8d16fad5..e37fdc6ef 100644 --- a/Sources/CNIOBoringSSL/ssl/dtls_method.cc +++ b/Sources/CNIOBoringSSL/ssl/dtls_method.cc 
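Review bot: dtls_seal_align_prefix_len takes an `epoch` but uses it only for the header length; the explicit-nonce length is read from `ssl->s3->aead_write_ctx`, the current epoch's AEAD, whereas dtls_seal_prefix_len in dtls_record.cc (same patch) selects the AEAD by epoch. Both callers in this file pass `ssl->d1->w_epoch`, so the two agree today, but the signature promises a per-epoch answer it does not compute. Either make the body `return dtls_seal_prefix_len(ssl, epoch);` if that helper is visible here, or document the restriction: `// |epoch| must be the current write epoch; only the header length varies by epoch here.`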
@@ -88,8 +88,17 @@ static bool dtls1_set_read_state(SSL *ssl, ssl_encryption_level_t level,
     return false;
   }
 
-  ssl->d1->r_epoch++;
-  OPENSSL_memset(&ssl->d1->bitmap, 0, sizeof(ssl->d1->bitmap));
+  if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {
+    // TODO(crbug.com/boringssl/715): Handle the additional epochs used for key
+    // update.
+    // TODO(crbug.com/boringssl/715): If we want to gracefully handle packet
+    // reordering around KeyUpdate (i.e. accept records from both epochs), we'll
+    // need a separate bitmap for each epoch.
+    ssl->d1->r_epoch = level;
+  } else {
+    ssl->d1->r_epoch++;
+  }
+  ssl->d1->bitmap = DTLS1_BITMAP();
   ssl->s3->read_sequence = 0;
 
   ssl->s3->aead_read_ctx = std::move(aead_ctx);
@@ -103,10 +112,13 @@ static bool dtls1_set_write_state(SSL *ssl, ssl_encryption_level_t level,
                                   Span secret_for_quic) {
   assert(secret_for_quic.empty());  // QUIC does not use DTLS.
   ssl->d1->w_epoch++;
-  ssl->d1->last_write_sequence = ssl->s3->write_sequence;
   ssl->s3->write_sequence = 0;
-  ssl->d1->last_aead_write_ctx = std::move(ssl->s3->aead_write_ctx);
+  if (ssl_protocol_version(ssl) > TLS1_2_VERSION) {
+    ssl->d1->w_epoch = level;
+  }
+  ssl->d1->last_epoch_state.aead_write_ctx = std::move(ssl->s3->aead_write_ctx);
+  ssl->d1->last_epoch_state.write_sequence = ssl->s3->write_sequence;
   ssl->s3->aead_write_ctx = std::move(aead_ctx);
   ssl->s3->write_level = level;
   return true;
diff --git a/Sources/CNIOBoringSSL/ssl/dtls_record.cc b/Sources/CNIOBoringSSL/ssl/dtls_record.cc
index 15116688c..6edd2a3db 100644
--- a/Sources/CNIOBoringSSL/ssl/dtls_record.cc
+++ b/Sources/CNIOBoringSSL/ssl/dtls_record.cc
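Review bot: In dtls1_set_write_state the new `ssl->d1->last_epoch_state.write_sequence = ssl->s3->write_sequence;` runs after the kept context line `ssl->s3->write_sequence = 0;`, so the previous epoch's saved sequence number is always 0 rather than the count that epoch actually used; the removed `last_write_sequence` assignment was taken before the reset. dtls_seal_record in this patch takes `seq = &ssl->d1->last_epoch_state.write_sequence;` and increments from it when sealing a previous-epoch record, so a retransmission under that epoch's AEAD key would restart at sequence 0 and repeat (epoch, sequence) pairs already sent — a repeated AEAD nonce for any non-null cipher epoch, which appears to include DTLS 1.3 handshake-epoch retransmits (epoch-0 retransmits go through the null-cipher initial_epoch_state and are unaffected). Move the save above the reset: `ssl->d1->last_epoch_state.write_sequence = ssl->s3->write_sequence;` immediately followed by `ssl->s3->write_sequence = 0;`. A runner test that forces a retransmit after the write epoch changes would catch this.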
@@ -127,26 +127,26 @@ BSSL_NAMESPACE_BEGIN // |bitmap| or is stale. Otherwise it returns zero. static bool dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap, uint64_t seq_num) { - const unsigned kWindowSize = sizeof(bitmap->map) * 8; + const size_t kWindowSize = bitmap->map.size(); if (seq_num > bitmap->max_seq_num) { return false; } uint64_t idx = bitmap->max_seq_num - seq_num; - return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx)); + return idx >= kWindowSize || bitmap->map[idx]; } // dtls1_bitmap_record updates |bitmap| to record receipt of sequence number // |seq_num|. It slides the window forward if needed. It is an error to call // this function on a stale sequence number. static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap, uint64_t seq_num) { - const unsigned kWindowSize = sizeof(bitmap->map) * 8; + const size_t kWindowSize = bitmap->map.size(); // Shift the window if necessary. if (seq_num > bitmap->max_seq_num) { uint64_t shift = seq_num - bitmap->max_seq_num; if (shift >= kWindowSize) { - bitmap->map = 0; + bitmap->map.reset(); } else { bitmap->map <<= shift; } 
@@ -155,10 +155,164 @@ static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap, uint64_t seq_num) { uint64_t idx = bitmap->max_seq_num - seq_num; if (idx < kWindowSize) { - bitmap->map |= ((uint64_t)1) << idx; + bitmap->map[idx] = true; } } +static uint16_t dtls_record_version(const SSL *ssl) { + if (ssl->s3->version == 0) { + // Before the version is determined, outgoing records use dTLS 1.0 for + // historical compatibility requirements. + return DTLS1_VERSION; + } + // DTLS 1.3 freezes the record version at DTLS 1.2. Previous ones use the + // version itself. + return ssl_protocol_version(ssl) >= TLS1_3_VERSION ? DTLS1_2_VERSION + : ssl->s3->version; +} + +// reconstruct_epoch finds the largest epoch that ends with the epoch bits from +// |wire_epoch| that is less than or equal to |current_epoch|, to match the +// epoch reconstruction algorithm described in RFC 9147 section 4.2.2. +static uint16_t reconstruct_epoch(uint8_t wire_epoch, uint16_t current_epoch) { + uint16_t current_epoch_high = current_epoch & 0xfffc; + uint16_t epoch = (wire_epoch & 0x3) | current_epoch_high; + if (epoch > current_epoch && current_epoch_high > 0) { + epoch -= 0x4; + } + return epoch; +} + +uint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask, + uint64_t max_valid_seqnum) { + uint64_t max_seqnum_plus_one = max_valid_seqnum + 1; + uint64_t diff = (wire_seq - max_seqnum_plus_one) & seq_mask; + uint64_t step = seq_mask + 1; + uint64_t seqnum = max_seqnum_plus_one + diff; + // seqnum is computed as the addition of 3 non-negative values + // (max_valid_seqnum, 1, and diff). The values 1 and diff are small (relative + // to the size of a uint64_t), while max_valid_seqnum can span the range of + // all uint64_t values. If seqnum is less than max_valid_seqnum, then the + // addition overflowed. 
+ bool overflowed = seqnum < max_valid_seqnum; + // If the diff is larger than half the step size, then the closest seqnum + // to max_seqnum_plus_one (in Z_{2^64}) is seqnum minus step instead of + // seqnum. + bool closer_is_less = diff > step / 2; + // Subtracting step from seqnum will cause underflow if seqnum is too small. + bool would_underflow = seqnum < step; + if (overflowed || (closer_is_less && !would_underflow)) { + seqnum -= step; + } + return seqnum; +} + +static bool parse_dtls13_record_header(SSL *ssl, CBS *in, Span packet, + uint8_t type, CBS *out_body, + uint64_t *out_sequence, + uint16_t *out_epoch, + size_t *out_header_len) { + // TODO(crbug.com/boringssl/715): Decrypt the sequence number before + // decoding it. + if ((type & 0x10) == 0x10) { + // Connection ID bit set, which we didn't negotiate. + return false; + } + + // TODO(crbug.com/boringssl/715): Add a runner test that performs many + // key updates to verify epoch reconstruction works for epochs larger than + // 3. + *out_epoch = reconstruct_epoch(type, ssl->d1->r_epoch); + size_t seqlen = 1; + if ((type & 0x08) == 0x08) { + // If this bit is set, the sequence number is 16 bits long, otherwise it is + // 8 bits. The seqlen variable tracks the length of the sequence number in + // bytes. + seqlen = 2; + } + if (!CBS_skip(in, seqlen)) { + // The record header was incomplete or malformed. + return false; + } + *out_header_len = packet.size() - CBS_len(in); + if ((type & 0x04) == 0x04) { + *out_header_len += 2; + // 16-bit length present + if (!CBS_get_u16_length_prefixed(in, out_body)) { + // The record header was incomplete or malformed. + return false; + } + } else { + // No length present - the remaining contents are the whole packet. + // CBS_get_bytes is used here to advance |in| to the end so that future + // code that computes the number of consumed bytes functions correctly. 
+ if (!CBS_get_bytes(in, out_body, CBS_len(in))) { + return false; + } + } + + // Decrypt and reconstruct the sequence number: + uint8_t mask[AES_BLOCK_SIZE]; + SSLAEADContext *aead = ssl->s3->aead_read_ctx.get(); + if (!aead->GenerateRecordNumberMask(mask, *out_body)) { + // GenerateRecordNumberMask most likely failed because the record body was + // not long enough. + return false; + } + // Apply the mask to the sequence number as it exists in the header. The + // header (with the decrypted sequence number bytes) is used as the + // additional data for the AEAD function. Since we don't support Connection + // ID, the sequence number starts immediately after the type byte. + uint64_t seq = 0; + for (size_t i = 0; i < seqlen; i++) { + packet[i + 1] ^= mask[i]; + seq = (seq << 8) | packet[i + 1]; + } + *out_sequence = reconstruct_seqnum(seq, (1 << (seqlen * 8)) - 1, + ssl->d1->bitmap.max_seq_num); + return true; +} + +static bool parse_dtls_plaintext_record_header( + SSL *ssl, CBS *in, size_t packet_size, uint8_t type, CBS *out_body, + uint64_t *out_sequence, uint16_t *out_epoch, size_t *out_header_len, + uint16_t *out_version) { + SSLAEADContext *aead = ssl->s3->aead_read_ctx.get(); + uint8_t sequence_bytes[8]; + if (!CBS_get_u16(in, out_version) || + !CBS_copy_bytes(in, sequence_bytes, sizeof(sequence_bytes))) { + return false; + } + *out_header_len = packet_size - CBS_len(in) + 2; + if (!CBS_get_u16_length_prefixed(in, out_body) || + CBS_len(out_body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { + return false; + } + + bool version_ok; + if (aead->is_null_cipher()) { + // Only check the first byte. Enforcing beyond that can prevent decoding + // version negotiation failure alerts. 
+ version_ok = (*out_version >> 8) == DTLS1_VERSION_MAJOR; + } else { + version_ok = *out_version == dtls_record_version(ssl); + } + + if (!version_ok) { + return false; + } + + *out_sequence = CRYPTO_load_u64_be(sequence_bytes); + *out_epoch = static_cast(*out_sequence >> 48); + + // Discard the packet if we're expecting an encrypted DTLS 1.3 record but we + // get the old record header format. + if (!aead->is_null_cipher() && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { + return false; + } + return true; +} + enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, Span *out, size_t *out_consumed, 
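Review bot: parse_dtls13_record_header never bounds the ciphertext length, whereas parse_dtls_plaintext_record_header rejects `CBS_len(out_body) > SSL3_RT_MAX_ENCRYPTED_LENGTH`; with the L bit set any 16-bit length is accepted and with it clear the rest of the datagram is, so an over-long DTLS 1.3 record is only caught by the post-decryption `plaintext_limit` check in dtls_open_record, after the AEAD has processed it. Unless SSLAEADContext::Open enforces that limit itself (not visible here), add the same check once `out_body` is set in either branch: `if (CBS_len(out_body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { return false; }`. The leading `// TODO(crbug.com/boringssl/715): Decrypt the sequence number before decoding it.` appears stale now that the function applies the record-number mask before calling reconstruct_seqnum, and `dTLS 1.0` in dtls_record_version's comment should read `DTLS 1.0`. Also worth a comment next to `packet[i + 1] ^= mask[i];`: the mask is applied in place, so the caller's buffer carries the decrypted header bytes even when the record is later discarded as a replay or wrong epoch.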
@@ -174,41 +328,41 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS cbs = CBS(in); - // Decode the record. uint8_t type; - uint16_t version; - uint8_t sequence_bytes[8]; - CBS body; - if (!CBS_get_u8(&cbs, &type) || - !CBS_get_u16(&cbs, &version) || - !CBS_copy_bytes(&cbs, sequence_bytes, sizeof(sequence_bytes)) || - !CBS_get_u16_length_prefixed(&cbs, &body) || - CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) { + size_t record_header_len; + if (!CBS_get_u8(&cbs, &type)) { // The record header was incomplete or malformed. Drop the entire packet. *out_consumed = in.size(); return ssl_open_record_discard; } - - bool version_ok; - if (ssl->s3->aead_read_ctx->is_null_cipher()) { - // Only check the first byte. Enforcing beyond that can prevent decoding - // version negotiation failure alerts. - version_ok = (version >> 8) == DTLS1_VERSION_MAJOR; + SSLAEADContext *aead = ssl->s3->aead_read_ctx.get(); + uint64_t sequence; + uint16_t epoch; + uint16_t version = 0; + CBS body; + bool valid_record_header; + // Decode the record header. If the 3 high bits of the type are 001, then the + // record header is the DTLS 1.3 format. The DTLS 1.3 format should only be + // used for encrypted records with DTLS 1.3. Plaintext records or DTLS 1.2 + // records use the old record header format. + if ((type & 0xe0) == 0x20 && !aead->is_null_cipher() && + ssl_protocol_version(ssl) >= TLS1_3_VERSION) { + valid_record_header = parse_dtls13_record_header( + ssl, &cbs, in, type, &body, &sequence, &epoch, &record_header_len); } else { - version_ok = version == ssl->s3->aead_read_ctx->RecordVersion(); + valid_record_header = parse_dtls_plaintext_record_header( + ssl, &cbs, in.size(), type, &body, &sequence, &epoch, + &record_header_len, &version); } - - if (!version_ok) { + if (!valid_record_header) { // The record header was incomplete or malformed. Drop the entire packet. 
*out_consumed = in.size(); return ssl_open_record_discard; } - Span header = in.subspan(0, DTLS1_RT_HEADER_LENGTH); + Span header = in.subspan(0, record_header_len); ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HEADER, header); - uint64_t sequence = CRYPTO_load_u64_be(sequence_bytes); - uint16_t epoch = static_cast(sequence >> 48); if (epoch != ssl->d1->r_epoch || dtls1_bitmap_should_discard(&ssl->d1->bitmap, sequence)) { // Drop this record. It's from the wrong epoch or is a replay. Note that if @@ -220,7 +374,7 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, } // discard the body in-place. - if (!ssl->s3->aead_read_ctx->Open( + if (!aead->Open( out, type, version, sequence, header, MakeSpan(const_cast(CBS_data(&body)), CBS_len(&body)))) { // Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347. @@ -235,13 +389,29 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, } *out_consumed = in.size() - CBS_len(&cbs); + // DTLS 1.3 hides the record type inside the encrypted data. + bool has_padding = + !aead->is_null_cipher() && ssl_protocol_version(ssl) >= TLS1_3_VERSION; // Check the plaintext length. - if (out->size() > SSL3_RT_MAX_PLAIN_LENGTH) { + size_t plaintext_limit = SSL3_RT_MAX_PLAIN_LENGTH + (has_padding ? 1 : 0); + if (out->size() > plaintext_limit) { OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); *out_alert = SSL_AD_RECORD_OVERFLOW; return ssl_open_record_error; } + if (has_padding) { + do { + if (out->empty()) { + OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + *out_alert = SSL_AD_DECRYPT_ERROR; + return ssl_open_record_error; + } + type = out->back(); + *out = out->subspan(0, out->size() - 1); + } while (type == 0); + } + dtls1_bitmap_record(&ssl->d1->bitmap, sequence); // TODO(davidben): Limit the number of empty records as in TLS? This is only 
@@ -257,30 +427,59 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, return ssl_open_record_success; } -static const SSLAEADContext *get_write_aead(const SSL *ssl, - enum dtls1_use_epoch_t use_epoch) { - if (use_epoch == dtls1_use_previous_epoch) { - assert(ssl->d1->w_epoch >= 1); - return ssl->d1->last_aead_write_ctx.get(); +static SSLAEADContext *get_write_aead(const SSL *ssl, uint16_t epoch) { + if (epoch == 0) { + return ssl->d1->initial_epoch_state->aead_write_ctx.get(); } + if (epoch < ssl->d1->w_epoch) { + BSSL_CHECK(epoch + 1 == ssl->d1->w_epoch); + return ssl->d1->last_epoch_state.aead_write_ctx.get(); + } + + BSSL_CHECK(epoch == ssl->d1->w_epoch); return ssl->s3->aead_write_ctx.get(); } +static bool use_dtls13_record_header(const SSL *ssl, uint16_t epoch) { + // Plaintext records in DTLS 1.3 also use the DTLSPlaintext structure for + // backwards compatibility. + return ssl->s3->version != 0 && ssl_protocol_version(ssl) > TLS1_2_VERSION && + epoch > 0; +} + +size_t dtls_record_header_write_len(const SSL *ssl, uint16_t epoch) { + if (!use_dtls13_record_header(ssl, epoch)) { + return DTLS_PLAINTEXT_RECORD_HEADER_LENGTH; + } + // The DTLS 1.3 has a variable length record header. We never send Connection + // ID, we always send 16-bit sequence numbers, and we send a length. (Length + // can be omitted, but only for the last record of a packet. Since we send + // multiple records in one packet, it's easier to implement always sending the + // length.) + return DTLS1_3_RECORD_HEADER_WRITE_LENGTH; +} + size_t dtls_max_seal_overhead(const SSL *ssl, - enum dtls1_use_epoch_t use_epoch) { - return DTLS1_RT_HEADER_LENGTH + get_write_aead(ssl, use_epoch)->MaxOverhead(); + uint16_t epoch) { + size_t ret = dtls_record_header_write_len(ssl, epoch) + + get_write_aead(ssl, epoch)->MaxOverhead(); + if (use_dtls13_record_header(ssl, epoch)) { + // Add 1 byte for the encrypted record type. 
+ ret++; + } + return ret; } -size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch) { - return DTLS1_RT_HEADER_LENGTH + - get_write_aead(ssl, use_epoch)->ExplicitNonceLen(); +size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch) { + return dtls_record_header_write_len(ssl, epoch) + + get_write_aead(ssl, epoch)->ExplicitNonceLen(); } bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint8_t type, const uint8_t *in, size_t in_len, - enum dtls1_use_epoch_t use_epoch) { - const size_t prefix = dtls_seal_prefix_len(ssl, use_epoch); + uint16_t epoch) { + const size_t prefix = dtls_seal_prefix_len(ssl, epoch); if (buffers_alias(in, in_len, out, max_out) && (max_out < prefix || out + prefix != in)) { OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT); @@ -288,26 +487,15 @@ bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, } // Determine the parameters for the current epoch. - uint16_t epoch = ssl->d1->w_epoch; - SSLAEADContext *aead = ssl->s3->aead_write_ctx.get(); + SSLAEADContext *aead = get_write_aead(ssl, epoch); uint64_t *seq = &ssl->s3->write_sequence; - if (use_epoch == dtls1_use_previous_epoch) { - assert(ssl->d1->w_epoch >= 1); - epoch = ssl->d1->w_epoch - 1; - aead = ssl->d1->last_aead_write_ctx.get(); - seq = &ssl->d1->last_write_sequence; - } - - if (max_out < DTLS1_RT_HEADER_LENGTH) { - OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); - return false; + if (epoch == 0) { + seq = &ssl->d1->initial_epoch_state->write_sequence; + } else if (epoch < ssl->d1->w_epoch) { + seq = &ssl->d1->last_epoch_state.write_sequence; } - out[0] = type; - - uint16_t record_version = ssl->s3->aead_write_ctx->RecordVersion(); - out[1] = record_version >> 8; - out[2] = record_version & 0xff; + const size_t record_header_len = dtls_record_header_write_len(ssl, epoch); // Ensure the sequence number update does not overflow. const uint64_t kMaxSequenceNumber = (uint64_t{1} << 48) - 1; 
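Review bot: get_write_aead now aborts the process via `BSSL_CHECK` when asked for an epoch other than 0, `w_epoch` or `w_epoch - 1`, where the removed use_epoch check in seal_next_message returned seal_error with ERR_R_INTERNAL_ERROR; that is only safe if no queued flight can ever reference another epoch, which is worth stating now that dtls1_set_write_state assigns `w_epoch = level` for DTLS 1.3 instead of advancing by one. dtls_seal_record then repeats the same epoch-to-state selection by hand for `seq` (epoch 0 → initial_epoch_state, below w_epoch → last_epoch_state) without those checks, so the two can drift apart. Suggest a comment on get_write_aead such as `// Only the initial, previous and current write epochs are retained; callers must not queue messages from any other epoch.` if that invariant holds, and routing the `seq` selection in dtls_seal_record through the same helper (returning the AEAD and sequence pointer together). dtls_seal_record continues past this hunk.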
@@ -316,28 +504,92 @@ bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, return false; } + uint16_t record_version = dtls_record_version(ssl); uint64_t seq_with_epoch = (uint64_t{epoch} << 48) | *seq; - CRYPTO_store_u64_be(&out[3], seq_with_epoch); + + bool dtls13_header = use_dtls13_record_header(ssl, epoch); + uint8_t *extra_in = NULL; + size_t extra_in_len = 0; + if (dtls13_header) { + extra_in = &type; + extra_in_len = 1; + } size_t ciphertext_len; - if (!aead->CiphertextLen(&ciphertext_len, in_len, 0)) { + if (!aead->CiphertextLen(&ciphertext_len, in_len, extra_in_len)) { OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE); return false; } - out[11] = ciphertext_len >> 8; - out[12] = ciphertext_len & 0xff; - Span header = MakeConstSpan(out, DTLS1_RT_HEADER_LENGTH); + if (max_out < record_header_len + ciphertext_len) { + OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL); + return false; + } + + if (dtls13_header) { + // The first byte of the DTLS 1.3 record header has the following format: + // 0 1 2 3 4 5 6 7 + // +-+-+-+-+-+-+-+-+ + // |0|0|1|C|S|L|E E| + // +-+-+-+-+-+-+-+-+ + // + // We set C=0 (no Connection ID), S=1 (16-bit sequence number), L=1 (length + // is present), which is a mask of 0x2c. The E E bits are the low-order two + // bits of the epoch. + // + // +-+-+-+-+-+-+-+-+ + // |0|0|1|0|1|1|E E| + // +-+-+-+-+-+-+-+-+ + out[0] = 0x2c | (epoch & 0x3); + // We always use a two-byte sequence number. A one-byte sequence number + // would require coordinating with the application on ACK feedback to know + // that the peer is not too far behind. + out[1] = *seq >> 8; + out[2] = *seq & 0xff; + // TODO(crbug.com/42290594): When we know the record is last in the packet, + // omit the length. + out[3] = ciphertext_len >> 8; + out[4] = ciphertext_len & 0xff; + // DTLS 1.3 uses the sequence number without the epoch for the AEAD. 
+ seq_with_epoch = *seq; + } else { + out[0] = type; + out[1] = record_version >> 8; + out[2] = record_version & 0xff; + CRYPTO_store_u64_be(&out[3], seq_with_epoch); + out[11] = ciphertext_len >> 8; + out[12] = ciphertext_len & 0xff; + } + Span header = MakeConstSpan(out, record_header_len); + - size_t len_copy; - if (!aead->Seal(out + DTLS1_RT_HEADER_LENGTH, &len_copy, - max_out - DTLS1_RT_HEADER_LENGTH, type, record_version, - seq_with_epoch, header, in, in_len)) { + if (!aead->SealScatter(out + record_header_len, out + prefix, + out + prefix + in_len, type, record_version, + seq_with_epoch, header, in, in_len, extra_in, + extra_in_len)) { return false; } - assert(ciphertext_len == len_copy); + + // Perform record number encryption (RFC 9147 section 4.2.3). + if (dtls13_header) { + // Record number encryption uses bytes from the ciphertext as a sample to + // generate the mask used for encryption. For simplicity, pass in the whole + // ciphertext as the sample - GenerateRecordNumberMask will read only what + // it needs (and error if |sample| is too short). + Span sample = + MakeConstSpan(out + record_header_len, ciphertext_len); + // AES cipher suites require the mask be exactly AES_BLOCK_SIZE; ChaCha20 + // cipher suites have no requirements on the mask size. We only need the + // first two bytes from the mask. + uint8_t mask[AES_BLOCK_SIZE]; + if (!aead->GenerateRecordNumberMask(mask, sample)) { + return false; + } + out[1] ^= mask[0]; + out[2] ^= mask[1]; + } (*seq)++; - *out_len = DTLS1_RT_HEADER_LENGTH + ciphertext_len; + *out_len = record_header_len + ciphertext_len; ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HEADER, header); return true; } diff --git a/Sources/CNIOBoringSSL/ssl/encrypted_client_hello.cc b/Sources/CNIOBoringSSL/ssl/encrypted_client_hello.cc index e20566c77..ae9edeaf8 100644 --- a/Sources/CNIOBoringSSL/ssl/encrypted_client_hello.cc +++ b/Sources/CNIOBoringSSL/ssl/encrypted_client_hello.cc 
@@ -1012,18 +1012,12 @@ int SSL_marshal_ech_config(uint8_t **out, size_t *out_len, uint8_t config_id, SSL_ECH_KEYS *SSL_ECH_KEYS_new() { return New(); } -void SSL_ECH_KEYS_up_ref(SSL_ECH_KEYS *keys) { - CRYPTO_refcount_inc(&keys->references); -} +void SSL_ECH_KEYS_up_ref(SSL_ECH_KEYS *keys) { keys->UpRefInternal(); } void SSL_ECH_KEYS_free(SSL_ECH_KEYS *keys) { - if (keys == nullptr || - !CRYPTO_refcount_dec_and_test_zero(&keys->references)) { - return; + if (keys != nullptr) { + keys->DecRefInternal(); } - - keys->~ssl_ech_keys_st(); - OPENSSL_free(keys); } int SSL_ECH_KEYS_add(SSL_ECH_KEYS *configs, int is_retry_config, diff --git a/Sources/CNIOBoringSSL/ssl/extensions.cc b/Sources/CNIOBoringSSL/ssl/extensions.cc index 7328349aa..59b6e4ac1 100644 --- a/Sources/CNIOBoringSSL/ssl/extensions.cc +++ b/Sources/CNIOBoringSSL/ssl/extensions.cc @@ -207,6 +207,7 @@ static bool tls1_check_duplicate_extensions(const CBS *cbs) { static bool is_post_quantum_group(uint16_t id) { switch (id) { case SSL_GROUP_X25519_KYBER768_DRAFT00: + case SSL_GROUP_X25519_MLKEM768: return true; default: return false; 
@@ -441,16 +442,18 @@ bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out) { } bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert, - uint16_t sigalg) { - for (uint16_t verify_sigalg : tls12_get_verify_sigalgs(hs)) { - if (verify_sigalg == sigalg) { - return true; - } + uint16_t sigalg, EVP_PKEY *pkey) { + // The peer must have selected an algorithm that is consistent with its public + // key, the TLS version, and what we advertised. + Span sigalgs = tls12_get_verify_sigalgs(hs); + if (std::find(sigalgs.begin(), sigalgs.end(), sigalg) == sigalgs.end() || + !ssl_pkey_supports_algorithm(hs->ssl, pkey, sigalg, /*is_verify=*/true)) { + OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); + *out_alert = SSL_AD_ILLEGAL_PARAMETER; + return false; } - OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); - *out_alert = SSL_AD_ILLEGAL_PARAMETER; - return false; + return true; } // tls_extension represents a TLS extension that is handled internally. @@ -706,14 +709,14 @@ static bool ext_ri_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, } assert(ssl->s3->initial_handshake_complete == - (ssl->s3->previous_client_finished_len != 0)); + !ssl->s3->previous_client_finished.empty()); CBB contents, prev_finished; if (!CBB_add_u16(out, TLSEXT_TYPE_renegotiate) || !CBB_add_u16_length_prefixed(out, &contents) || !CBB_add_u8_length_prefixed(&contents, &prev_finished) || - !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished, - ssl->s3->previous_client_finished_len) || + !CBB_add_bytes(&prev_finished, ssl->s3->previous_client_finished.data(), + ssl->s3->previous_client_finished.size()) || !CBB_flush(out)) { return false; } 
@@ -749,16 +752,11 @@ static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return true; } - const size_t expected_len = ssl->s3->previous_client_finished_len + - ssl->s3->previous_server_finished_len; - - // Check for logic errors - assert(!expected_len || ssl->s3->previous_client_finished_len); - assert(!expected_len || ssl->s3->previous_server_finished_len); - assert(ssl->s3->initial_handshake_complete == - (ssl->s3->previous_client_finished_len != 0)); + // Check for logic errors. + assert(ssl->s3->previous_client_finished.size() == + ssl->s3->previous_server_finished.size()); assert(ssl->s3->initial_handshake_complete == - (ssl->s3->previous_server_finished_len != 0)); + !ssl->s3->previous_client_finished.empty()); // Parse out the extension contents. CBS renegotiated_connection; @@ -770,15 +768,22 @@ static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, } // Check that the extension matches. - if (CBS_len(&renegotiated_connection) != expected_len) { + CBS client_verify, server_verify; + if (!CBS_get_bytes(&renegotiated_connection, &client_verify, + ssl->s3->previous_client_finished.size()) || + !CBS_get_bytes(&renegotiated_connection, &server_verify, + ssl->s3->previous_server_finished.size()) || + CBS_len(&renegotiated_connection) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); *out_alert = SSL_AD_HANDSHAKE_FAILURE; return false; } - const uint8_t *d = CBS_data(&renegotiated_connection); - bool ok = CRYPTO_memcmp(d, ssl->s3->previous_client_finished, - ssl->s3->previous_client_finished_len) == 0; + bool ok = + CBS_mem_equal(&client_verify, ssl->s3->previous_client_finished.data(), + ssl->s3->previous_client_finished.size()) && + CBS_mem_equal(&server_verify, ssl->s3->previous_server_finished.data(), + ssl->s3->previous_server_finished.size()); #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) ok = true; #endif 
@@ -787,20 +792,8 @@ static bool ext_ri_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, *out_alert = SSL_AD_HANDSHAKE_FAILURE; return false; } - d += ssl->s3->previous_client_finished_len; - ok = CRYPTO_memcmp(d, ssl->s3->previous_server_finished, - ssl->s3->previous_server_finished_len) == 0; -#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) - ok = true; -#endif - if (!ok) { - OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH); - *out_alert = SSL_AD_HANDSHAKE_FAILURE; - return false; - } ssl->s3->send_connection_binding = true; - return true; } @@ -1128,9 +1121,9 @@ static bool ext_ocsp_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, static bool ext_ocsp_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || - !hs->ocsp_stapling_requested || hs->config->cert->ocsp_response == NULL || - ssl->s3->session_reused || - !ssl_cipher_uses_certificate_auth(hs->new_cipher)) { + !hs->ocsp_stapling_requested || ssl->s3->session_reused || + !ssl_cipher_uses_certificate_auth(hs->new_cipher) || + hs->credential->ocsp_response == nullptr) { return true; } 
@@ -1345,21 +1338,22 @@ static bool ext_sct_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert, static bool ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { SSL *const ssl = hs->ssl; + assert(hs->scts_requested); // The extension shouldn't be sent when resuming sessions. if (ssl_protocol_version(ssl) >= TLS1_3_VERSION || ssl->s3->session_reused || - hs->config->cert->signed_cert_timestamp_list == NULL) { + !ssl_cipher_uses_certificate_auth(hs->new_cipher) || + hs->credential->signed_cert_timestamp_list == nullptr) { return true; } CBB contents; return CBB_add_u16(out, TLSEXT_TYPE_certificate_timestamp) && CBB_add_u16_length_prefixed(out, &contents) && - CBB_add_bytes( - &contents, - CRYPTO_BUFFER_data( - hs->config->cert->signed_cert_timestamp_list.get()), - CRYPTO_BUFFER_len( - hs->config->cert->signed_cert_timestamp_list.get())) && + CBB_add_bytes(&contents, + CRYPTO_BUFFER_data( + hs->credential->signed_cert_timestamp_list.get()), + CRYPTO_BUFFER_len( + hs->credential->signed_cert_timestamp_list.get())) && CBB_flush(out); } @@ -1473,16 +1467,19 @@ bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs, } // Check that the protocol name is one of the ones we advertised. - CBS client_protocol_name_list = - MakeConstSpan(hs->config->alpn_client_proto_list), - client_protocol_name; - while (CBS_len(&client_protocol_name_list) > 0) { - if (!CBS_get_u8_length_prefixed(&client_protocol_name_list, - &client_protocol_name)) { + return ssl_alpn_list_contains_protocol(hs->config->alpn_client_proto_list, + protocol); +} + +bool ssl_alpn_list_contains_protocol(Span list, + Span protocol) { + CBS cbs = list, candidate; + while (CBS_len(&cbs) > 0) { + if (!CBS_get_u8_length_prefixed(&cbs, &candidate)) { return false; } - if (client_protocol_name == protocol) { + if (candidate == protocol) { return true; } } 
@@ -2752,7 +2749,7 @@ static bool ext_quic_transport_params_add_serverhello_legacy(SSL_HANDSHAKE *hs, // Delegated credentials. // -// https://tools.ietf.org/html/draft-ietf-tls-subcerts +// https://www.rfc-editor.org/rfc/rfc9345.html static bool ext_delegated_credential_add_clienthello( const SSL_HANDSHAKE *hs, CBB *out, CBB *out_compressible, @@ -2779,7 +2776,6 @@ static bool ext_delegated_credential_parse_clienthello(SSL_HANDSHAKE *hs, return false; } - hs->delegated_credential_requested = true; return true; } @@ -3789,6 +3785,7 @@ static bool ssl_check_clienthello_tlsext(SSL_HANDSHAKE *hs) { return true; default: + hs->should_ack_sni = ssl->s3->hostname != nullptr; return true; } } @@ -4072,9 +4069,8 @@ enum ssl_ticket_aead_result_t ssl_process_ticket( // Envoy's tests expect the session to have a session ID that matches the // placeholder used by the client. It's unclear whether this is a good idea, // but we maintain it for now. - SHA256(ticket.data(), ticket.size(), session->session_id); - // Other consumers may expect a non-empty session ID to indicate resumption. - session->session_id_length = SHA256_DIGEST_LENGTH; + session->session_id.ResizeMaybeUninit(SHA256_DIGEST_LENGTH); + SHA256(ticket.data(), ticket.size(), session->session_id.data()); *out_session = std::move(session); return ssl_ticket_aead_success; 
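Review bot: In ssl_check_clienthello_tlsext the added `hs->should_ack_sni = ssl->s3->hostname != nullptr;` sits only in the `default:` branch, while the case immediately above it returns true without touching the flag, so `should_ack_sni` keeps its constructor value there. If the early-returning cases are meant to suppress the acknowledgement that deserves a comment, e.g. `// Only acknowledge SNI on the default path; the cases above return without acking.`; otherwise hoist the assignment above the switch. The switch expression and the rest of the function are outside the hunk.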
@@ -4105,40 +4101,54 @@ bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey) { } } -bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { +bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, + const SSL_CREDENTIAL *cred, + uint16_t *out) { SSL *const ssl = hs->ssl; - CERT *cert = hs->config->cert.get(); - DC *dc = cert->dc.get(); + if (!cred->UsesPrivateKey()) { + OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + return false; + } // Before TLS 1.2, the signature algorithm isn't negotiated as part of the // handshake. - if (ssl_protocol_version(ssl) < TLS1_2_VERSION) { - if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) { + uint16_t version = ssl_protocol_version(ssl); + if (version < TLS1_2_VERSION) { + if (!tls1_get_legacy_signature_algorithm(out, cred->pubkey.get())) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); return false; } return true; } - Span sigalgs = kSignSignatureAlgorithms; - if (ssl_signing_with_dc(hs)) { - sigalgs = MakeConstSpan(&dc->expected_cert_verify_algorithm, 1); - } else if (!cert->sigalgs.empty()) { - sigalgs = cert->sigalgs; + Span peer_sigalgs; + if (cred->type == SSLCredentialType::kDelegated) { + peer_sigalgs = hs->peer_delegated_credential_sigalgs; + } else { + peer_sigalgs = hs->peer_sigalgs; + if (peer_sigalgs.empty() && version == TLS1_2_VERSION) { + // If the client didn't specify any signature_algorithms extension, it is + // interpreted as SHA-1. See + // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 + static const uint16_t kTLS12Default[] = {SSL_SIGN_RSA_PKCS1_SHA1, + SSL_SIGN_ECDSA_SHA1}; + peer_sigalgs = kTLS12Default; + } } - Span peer_sigalgs = tls1_get_peer_verify_algorithms(hs); - + Span sigalgs = cred->sigalgs.empty() + ? 
MakeConstSpan(kSignSignatureAlgorithms) + : cred->sigalgs; for (uint16_t sigalg : sigalgs) { - if (!ssl_private_key_supports_signature_algorithm(hs, sigalg)) { + if (!ssl_pkey_supports_algorithm(ssl, cred->pubkey.get(), sigalg, + /*is_verify=*/false)) { continue; } - for (uint16_t peer_sigalg : peer_sigalgs) { - if (sigalg == peer_sigalg) { - *out = sigalg; - return true; - } + if (std::find(peer_sigalgs.begin(), peer_sigalgs.end(), sigalg) != + peer_sigalgs.end()) { + *out = sigalg; + return true; } } @@ -4146,19 +4156,6 @@ bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out) { return false; } -Span tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs) { - Span peer_sigalgs = hs->peer_sigalgs; - if (peer_sigalgs.empty() && ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) { - // If the client didn't specify any signature_algorithms extension then - // we can assume that it supports SHA1. See - // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 - static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1, - SSL_SIGN_ECDSA_SHA1}; - peer_sigalgs = kDefaultPeerAlgorithms; - } - return peer_sigalgs; -} - bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) { SSL *const ssl = hs->ssl; // A Channel ID handshake message is structured to contain multiple 
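Review bot: `std::find` in the rewritten tls1_choose_signature_algorithm requires `<algorithm>`, and no include change for this file is visible (the handshake_client.cc section of this patch does add an include, presumably for the same call), so confirm the header is pulled in directly rather than transitively. The new `cred` parameter also changes the declared contract: the function now fails with `SSL_R_UNKNOWN_CERTIFICATE_TYPE` for a credential that does not use a private key, which the header comment should state, e.g. `// Returns false and pushes SSL_R_UNKNOWN_CERTIFICATE_TYPE if |cred| does not use a private key.` Note that the TLS 1.2 SHA-1 default for an absent signature_algorithms extension is now inlined here and only applies to the non-delegated path; RFC 9345 gives delegated credentials no such default, so that asymmetry looks intentional but merits a sentence in the comment.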
@@ -4284,12 +4281,12 @@ bool tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len) { if (ssl->session != NULL) { static const char kResumptionMagic[] = "Resumption"; SHA256_Update(&ctx, kResumptionMagic, sizeof(kResumptionMagic)); - if (ssl->session->original_handshake_hash_len == 0) { + if (ssl->session->original_handshake_hash.empty()) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false; } - SHA256_Update(&ctx, ssl->session->original_handshake_hash, - ssl->session->original_handshake_hash_len); + SHA256_Update(&ctx, ssl->session->original_handshake_hash.data(), + ssl->session->original_handshake_hash.size()); } uint8_t hs_hash[EVP_MAX_MD_SIZE]; @@ -4312,20 +4309,14 @@ bool tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) { return false; } - static_assert( - sizeof(hs->new_session->original_handshake_hash) == EVP_MAX_MD_SIZE, - "original_handshake_hash is too small"); - size_t digest_len; - if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash, + hs->new_session->original_handshake_hash.ResizeMaybeUninit( + hs->transcript.DigestLen()); + if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash.data(), &digest_len)) { return false; } - - static_assert(EVP_MAX_MD_SIZE <= 0xff, - "EVP_MAX_MD_SIZE does not fit in uint8_t"); - hs->new_session->original_handshake_hash_len = (uint8_t)digest_len; - + assert(digest_len == hs->new_session->original_handshake_hash.size()); return true; } diff --git a/Sources/CNIOBoringSSL/ssl/handoff.cc b/Sources/CNIOBoringSSL/ssl/handoff.cc index 335a4cf15..3eec562bc 100644 --- a/Sources/CNIOBoringSSL/ssl/handoff.cc +++ b/Sources/CNIOBoringSSL/ssl/handoff.cc 
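Review bot: In tls1_record_handshake_hashes_for_channel_id, `original_handshake_hash` is resized to `hs->transcript.DigestLen()` before `GetHash` runs, so on a `GetHash` failure the vector is left holding uninitialized bytes of that length; callers fail the handshake on the false return, so this is harmless in practice, but it is worth a comment since the only consistency check afterwards is a debug-only `assert`. If you prefer a release-mode guard, `if (!hs->transcript.GetHash(...) || digest_len != hs->new_session->original_handshake_hash.size()) { return false; }` keeps the same shape. The function's opening lines are outside the hunk.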
@@ -244,7 +244,7 @@ static bool apply_remote_features(SSL *ssl, CBS *in) { // uses_disallowed_feature returns true iff |ssl| enables a feature that // disqualifies it for split handshakes. static bool uses_disallowed_feature(const SSL *ssl) { - return ssl->method->is_dtls || (ssl->config->cert && ssl->config->cert->dc) || + return ssl->method->is_dtls || !ssl->config->cert->credentials.empty() || ssl->config->quic_transport_params.size() > 0 || ssl->ctx->ech_keys; } @@ -329,7 +329,7 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) { const uint8_t *write_iv = nullptr; if ((type == handback_after_session_resumption || type == handback_after_handshake) && - ssl->version == TLS1_VERSION && + ssl->s3->version == TLS1_VERSION && SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) && !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) { return false; @@ -337,7 +337,7 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) { size_t read_iv_len = 0; const uint8_t *read_iv = nullptr; if (type == handback_after_handshake && - ssl->version == TLS1_VERSION && + ssl->s3->version == TLS1_VERSION && SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) && !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) { return false; @@ -433,8 +433,8 @@ bool SSL_serialize_handback(const SSL *ssl, CBB *out) { hs->server_handshake_secret().size()) || !CBB_add_asn1_octet_string(&seq, hs->secret().data(), hs->secret().size()) || - !CBB_add_asn1_octet_string(&seq, s3->exporter_secret, - s3->exporter_secret_len) || + !CBB_add_asn1_octet_string(&seq, s3->exporter_secret.data(), + s3->exporter_secret.size()) || !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) || !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) || !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) || 
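Review bot: The null guard on `ssl->config->cert` is dropped in uses_disallowed_feature: the old expression tested `ssl->config->cert &&` before dereferencing, the new one dereferences `ssl->config->cert->credentials` unconditionally. If `cert` is always allocated alongside `config` this is fine, but the change also broadens the condition from "has a delegated credential" to "has any explicitly configured credential", which the comment above the function ("enables a feature that disqualifies it for split handshakes") should mention, e.g. `// Explicitly configured credentials are not carried across the handoff, so they disqualify the connection.` (confirm the reason before committing that wording). The later hunks in this section only rename `ssl->version` to `ssl->s3->version` and convert `exporter_secret` to a vector.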
@@ -637,9 +637,8 @@ bool SSL_apply_handback(SSL *ssl, Span handback) { s3->early_data_reason = ssl_early_data_protocol_version; } - ssl->version = session->ssl_version; - s3->have_version = true; - if (!ssl_method_supports_version(ssl->method, ssl->version) || + ssl->s3->version = session->ssl_version; + if (!ssl_method_supports_version(ssl->method, ssl->s3->version) || session->cipher != hs->new_cipher || ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) || SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) { @@ -690,7 +689,6 @@ bool SSL_apply_handback(SSL *ssl, Span handback) { hs->wait = ssl_hs_flush; hs->extended_master_secret = extended_master_secret; hs->ticket_expected = ticket_expected; - s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version); hs->cert_request = cert_request; if (type != handback_after_handshake && @@ -706,11 +704,9 @@ bool SSL_apply_handback(SSL *ssl, Span handback) { !CopyExact(hs->client_handshake_secret(), &client_handshake_secret) || !CopyExact(hs->server_handshake_secret(), &server_handshake_secret) || !CopyExact(hs->secret(), &secret) || - !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()}, - &exporter_secret)) { + !s3->exporter_secret.TryCopyFrom(exporter_secret)) { return false; } - s3->exporter_secret_len = CBS_len(&exporter_secret); if (s3->early_data_accepted && !CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) { diff --git a/Sources/CNIOBoringSSL/ssl/handshake.cc b/Sources/CNIOBoringSSL/ssl/handshake.cc index d139975eb..75afea90b 100644 --- a/Sources/CNIOBoringSSL/ssl/handshake.cc +++ b/Sources/CNIOBoringSSL/ssl/handshake.cc @@ -134,7 +134,6 @@ SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg) cert_request(false), certificate_status_expected(false), ocsp_stapling_requested(false), - delegated_credential_requested(false), should_ack_sni(false), in_false_start(false), in_early_data(false), 
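Review bot: The exporter-secret length check in SSL_apply_handback is weakened in the last hunk: the old `CopyExact({s3->exporter_secret, hs->transcript.DigestLen()}, &exporter_secret)` tied the accepted length to the transcript digest length (assuming CopyExact requires an exact match, as its name suggests), whereas `s3->exporter_secret.TryCopyFrom(exporter_secret)` accepts any length up to the vector's capacity. Since the handback is parsed from serialized input, keeping the stricter check is cheap: `!s3->exporter_secret.TryCopyFrom(exporter_secret) || s3->exporter_secret.size() != hs->transcript.DigestLen()` in the same condition. The enclosing function starts and ends outside these hunks.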
@@ -150,7 +149,8 @@ SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg) cert_compression_negotiated(false), apply_jdk11_workaround(false), can_release_private_key(false), - channel_id_negotiated(false) { + channel_id_negotiated(false), + received_hello_verify_request(false) { assert(ssl); // Draw entropy for all GREASE values at once. This avoids calling @@ -495,18 +495,18 @@ enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { } // Copy the Finished so we can use it for renegotiation checks. - if (finished_len > sizeof(ssl->s3->previous_client_finished) || - finished_len > sizeof(ssl->s3->previous_server_finished)) { + if (finished_len > ssl->s3->previous_client_finished.capacity() || + finished_len > ssl->s3->previous_server_finished.capacity()) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_hs_error; } if (ssl->server) { - OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len); - ssl->s3->previous_client_finished_len = finished_len; + ssl->s3->previous_client_finished.CopyFrom( + MakeConstSpan(finished, finished_len)); } else { - OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len); - ssl->s3->previous_server_finished_len = finished_len; + ssl->s3->previous_server_finished.CopyFrom( + MakeConstSpan(finished, finished_len)); } // The Finished message should be the end of a flight. 
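Review bot: ssl_get_finished still does a manual `capacity()` check followed by `CopyFrom`, while ssl_send_finished in the next hunk expresses the same thing with `TryCopyFrom`; the two should use one idiom. `bool ok = ssl->server ? ssl->s3->previous_client_finished.TryCopyFrom(MakeConstSpan(finished, finished_len)) : ssl->s3->previous_server_finished.TryCopyFrom(MakeConstSpan(finished, finished_len));` followed by the existing error path would do it. Note the deliberate asymmetry with ssl_send_finished: here the server stores the peer's Finished into `previous_client_finished`, there it stores its own into `previous_server_finished`; a comment saying so would save the next reader a double take. The function continues outside the hunk.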
@@ -524,38 +524,32 @@ bool ssl_send_finished(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; const SSL_SESSION *session = ssl_handshake_session(hs); - uint8_t finished[EVP_MAX_MD_SIZE]; + uint8_t finished_buf[EVP_MAX_MD_SIZE]; size_t finished_len; - if (!hs->transcript.GetFinishedMAC(finished, &finished_len, session, + if (!hs->transcript.GetFinishedMAC(finished_buf, &finished_len, session, ssl->server)) { return false; } + auto finished = MakeConstSpan(finished_buf, finished_len); // Log the master secret, if logging is enabled. - if (!ssl_log_secret(ssl, "CLIENT_RANDOM", - MakeConstSpan(session->secret, session->secret_length))) { + if (!ssl_log_secret(ssl, "CLIENT_RANDOM", session->secret)) { return false; } // Copy the Finished so we can use it for renegotiation checks. - if (finished_len > sizeof(ssl->s3->previous_client_finished) || - finished_len > sizeof(ssl->s3->previous_server_finished)) { + bool ok = ssl->server + ? ssl->s3->previous_server_finished.TryCopyFrom(finished) + : ssl->s3->previous_client_finished.TryCopyFrom(finished); + if (!ok) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - return false; - } - - if (ssl->server) { - OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len); - ssl->s3->previous_server_finished_len = finished_len; - } else { - OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len); - ssl->s3->previous_client_finished_len = finished_len; + return ssl_hs_error; } ScopedCBB cbb; CBB body; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) || - !CBB_add_bytes(&body, finished, finished_len) || + !CBB_add_bytes(&body, finished.data(), finished.size()) || !ssl_add_message_cbb(ssl, cbb.get())) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false; 
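Review bot: `return ssl_hs_error;` in the new `if (!ok)` branch of ssl_send_finished returns an `ssl_hs_wait_t` enumerator from a function the hunk header declares as `bool`. It compiles only through the implicit enum-to-bool conversion and is correct only because `ssl_hs_error` is presumably the zero enumerator; if that ever changed, the overflow path would report success. Every other failure path in the function uses `return false;`, so this line should too.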
@@ -564,18 +558,29 @@ bool ssl_send_finished(SSL_HANDSHAKE *hs) { return true; } -bool ssl_output_cert_chain(SSL_HANDSHAKE *hs) { +bool ssl_send_tls12_certificate(SSL_HANDSHAKE *hs) { ScopedCBB cbb; - CBB body; + CBB body, certs, cert; if (!hs->ssl->method->init_message(hs->ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) || - !ssl_add_cert_chain(hs, &body) || - !ssl_add_message_cbb(hs->ssl, cbb.get())) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); + !CBB_add_u24_length_prefixed(&body, &certs)) { return false; } - return true; + if (hs->credential != nullptr) { + assert(hs->credential->type == SSLCredentialType::kX509); + STACK_OF(CRYPTO_BUFFER) *chain = hs->credential->chain.get(); + for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) { + CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i); + if (!CBB_add_u24_length_prefixed(&certs, &cert) || + !CBB_add_bytes(&cert, CRYPTO_BUFFER_data(buffer), + CRYPTO_BUFFER_len(buffer))) { + return false; + } + } + } + + return ssl_add_message_cbb(hs->ssl, cbb.get()); } const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) { diff --git a/Sources/CNIOBoringSSL/ssl/handshake_client.cc b/Sources/CNIOBoringSSL/ssl/handshake_client.cc index ec2bc9fec..c7d2e9f3e 100644 --- a/Sources/CNIOBoringSSL/ssl/handshake_client.cc +++ b/Sources/CNIOBoringSSL/ssl/handshake_client.cc @@ -153,6 +153,7 @@ #include #include +#include #include #include @@ -178,7 +179,6 @@ enum ssl_client_hs_state_t { state_start_connect = 0, state_enter_early_data, state_early_reverify_server_certificate, - state_read_hello_verify_request, state_read_server_hello, state_tls13, state_read_server_certificate, 
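Review bot: ssl_send_tls12_certificate returns false on `CBB_add_u24_length_prefixed`/`CBB_add_bytes` failure without pushing an error, whereas the replaced ssl_output_cert_chain reported `ERR_R_INTERNAL_ERROR` in that case; a caller that sends an alert based on the error queue will now find it empty. Adding `OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);` before each `return false;` restores the old behavior. The `assert(hs->credential->type == SSLCredentialType::kX509)` is debug-only, so in release a non-X.509 credential reaching this point would have its `chain` serialized anyway; check_credential later in this patch rejects such credentials, so this is defensive only, but a comment saying callers guarantee the type would help.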
@@ -243,23 +243,36 @@ static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out, // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on // hardware support. if (hs->max_version >= TLS1_3_VERSION) { + static const uint16_t kCiphersNoAESHardware[] = { + TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, + TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff, + TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff, + }; + static const uint16_t kCiphersAESHardware[] = { + TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff, + TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff, + TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, + }; + static const uint16_t kCiphersCNSA[] = { + TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff, + TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff, + TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, + }; + const bool has_aes_hw = ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value : EVP_has_aes_hardware(); - - if ((!has_aes_hw && // - !ssl_add_tls13_cipher(&child, - TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, - ssl->config->tls13_cipher_policy)) || - !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff, - ssl->config->tls13_cipher_policy) || - !ssl_add_tls13_cipher(&child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff, - ssl->config->tls13_cipher_policy) || - (has_aes_hw && // - !ssl_add_tls13_cipher(&child, - TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff, - ssl->config->tls13_cipher_policy))) { - return false; + const bssl::Span ciphers = + ssl->config->tls13_cipher_policy == ssl_compliance_policy_cnsa_202407 + ? bssl::Span(kCiphersCNSA) + : (has_aes_hw ? bssl::Span(kCiphersAESHardware) + : bssl::Span(kCiphersNoAESHardware)); + + for (auto cipher : ciphers) { + if (!ssl_add_tls13_cipher(&child, cipher, + ssl->config->tls13_cipher_policy)) { + return false; + } } } 
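Review bot: The three static cipher tables in ssl_write_client_cipher_list have no comment explaining why their orderings differ, and the reader has to diff them by eye. From the tables themselves: the no-AES-hardware list puts ChaCha20-Poly1305 first, the AES-hardware list puts it last, and the CNSA list puts AES-256-GCM ahead of AES-128-GCM; a comment per table stating that, e.g. `// CNSA policy: prefer AES-256-GCM, then AES-128-GCM, then ChaCha20-Poly1305.`, would make the intent explicit. The `bssl::Span` template arguments appear to have been lost in extraction.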
@@ -315,7 +328,7 @@ bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs, // Do not send a session ID on renegotiation. if (!ssl->s3->initial_handshake_complete && !empty_session_id && - !CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) { + !CBB_add_bytes(&child, hs->session_id.data(), hs->session_id.size())) { return false; } @@ -371,9 +384,13 @@ bool ssl_add_client_hello(SSL_HANDSHAKE *hs) { static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version, uint8_t *out_alert, const ParsedServerHello &server_hello) { + uint16_t legacy_version = TLS1_2_VERSION; + if (SSL_is_dtls(hs->ssl)) { + legacy_version = DTLS1_2_VERSION; + } // If the outer version is not TLS 1.2, use it. // TODO(davidben): This function doesn't quite match the RFC8446 formulation. - if (server_hello.legacy_version != TLS1_2_VERSION) { + if (server_hello.legacy_version != legacy_version) { *out_version = server_hello.legacy_version; return true; } 
@@ -508,25 +525,26 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - // Never send a session ID in QUIC. QUIC uses TLS 1.3 at a minimum and - // disables TLS 1.3 middlebox compatibility mode. - if (ssl->quic_method == nullptr) { - const bool has_id_session = ssl->session != nullptr && - ssl->session->session_id_length > 0 && - ssl->session->ticket.empty(); - const bool has_ticket_session = - ssl->session != nullptr && !ssl->session->ticket.empty(); - if (has_id_session) { - hs->session_id_len = ssl->session->session_id_length; - OPENSSL_memcpy(hs->session_id, ssl->session->session_id, - hs->session_id_len); - } else if (has_ticket_session || hs->max_version >= TLS1_3_VERSION) { - // Send a random session ID. TLS 1.3 always sends one, and TLS 1.2 session - // tickets require a placeholder value to signal resumption. - hs->session_id_len = sizeof(hs->session_id); - if (!RAND_bytes(hs->session_id, hs->session_id_len)) { - return ssl_hs_error; - } + const bool has_id_session = ssl->session != nullptr && + !ssl->session->session_id.empty() && + ssl->session->ticket.empty(); + const bool has_ticket_session = + ssl->session != nullptr && !ssl->session->ticket.empty(); + // TLS 1.2 session tickets require a placeholder value to signal resumption. + const bool ticket_session_requires_random_id = + has_ticket_session && + ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION; + // Compatibility mode sends a random session ID. Compatibility mode is + // enabled for TLS 1.3, but not when it's run over QUIC or DTLS. 
+ const bool enable_compatibility_mode = hs->max_version >= TLS1_3_VERSION && + ssl->quic_method == nullptr && + !SSL_is_dtls(hs->ssl); + if (has_id_session) { + hs->session_id = ssl->session->session_id; + } else if (ticket_session_requires_random_id || enable_compatibility_mode) { + hs->session_id.ResizeMaybeUninit(SSL_MAX_SSL_SESSION_ID_LENGTH); + if (!RAND_bytes(hs->session_id.data(), hs->session_id.size())) { + return ssl_hs_error; } } 
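Review bot: The old `if (ssl->quic_method == nullptr)` wrapper in do_start_connect excluded QUIC from every session-ID path, but on the new side only `enable_compatibility_mode` tests `ssl->quic_method`; the `has_id_session` branch copies `ssl->session->session_id` regardless of QUIC. That is presumably safe because `has_id_session` also requires `ssl->session->ticket.empty()` and TLS 1.3 sessions carry tickets, but the removed comment "Never send a session ID in QUIC" was the only place that said so. Restore it as `// QUIC and DTLS never reach the random-ID path; ID-based resumption implies a TLS 1.2 session with no ticket.` (confirm the ticket invariant first). do_start_connect continues outside the hunk.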
@@ -550,39 +568,27 @@ static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - - if (SSL_is_dtls(ssl)) { - hs->state = state_read_hello_verify_request; - return ssl_hs_ok; - } - if (!hs->early_data_offered) { hs->state = state_read_server_hello; return ssl_hs_ok; } - ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->session->ssl_version); - if (!ssl->method->add_change_cipher_spec(ssl)) { - return ssl_hs_error; - } - - if (!tls13_init_early_key_schedule(hs, ssl->session.get()) || - !tls13_derive_early_secret(hs)) { - return ssl_hs_error; - } - - // Stash the early data session, so connection properties may be queried out - // of it. + // Stash the early data session and activate the early version. This must + // happen before |do_early_reverify_server_certificate|, so early connection + // properties are available to the callback. Note the early version may be + // overwritten later by the final version. hs->early_session = UpRef(ssl->session); + ssl->s3->version = hs->early_session->ssl_version; hs->state = state_early_reverify_server_certificate; return ssl_hs_ok; } static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs) { - if (hs->ssl->ctx->reverify_on_resume) { - // Don't send an alert on error. The alert be in early data, which the - // server may not accept anyway. It would also be a mismatch between QUIC - // and TCP because the QUIC early keys are deferred below. + SSL *const ssl = hs->ssl; + if (ssl->ctx->reverify_on_resume) { + // Don't send an alert on error. The alert would be in the clear, which the + // server is not expecting anyway. Alerts in between ClientHello and + // ServerHello cannot usefully be delivered in TLS 1.3. // // TODO(davidben): The client behavior should be to verify the certificate // before deciding whether to offer the session and, if invalid, decline to 
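Review bot: do_enter_early_data now assigns `ssl->s3->version` from the early session before the server certificate is reverified and before any early key is derived, and the comment only says the value "may be overwritten later by the final version". If reverification fails, the handshake errors out with `ssl->s3->version` still set to the early session's version, which the assertion in do_read_server_hello later in this patch tolerates; spelling that out here would help: `// On reverification failure the handshake fails with this version still set.` The remainder of do_early_reverify_server_certificate is outside the hunk.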
@@ -598,9 +604,15 @@ static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs } } + if (!ssl->method->add_change_cipher_spec(ssl)) { + return ssl_hs_error; + } + // Defer releasing the 0-RTT key to after certificate reverification, so the // QUIC implementation does not accidentally write data too early. - if (!tls13_set_traffic_key(hs->ssl, ssl_encryption_early_data, evp_aead_seal, + if (!tls13_init_early_key_schedule(hs, hs->early_session.get()) || + !tls13_derive_early_secret(hs) || + !tls13_set_traffic_key(hs->ssl, ssl_encryption_early_data, evp_aead_seal, hs->early_session.get(), hs->early_traffic_secret())) { return ssl_hs_error; @@ -612,24 +624,12 @@ static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs return ssl_hs_early_return; } -static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) { +static bool handle_hello_verify_request(SSL_HANDSHAKE *hs, + const SSLMessage &msg) { SSL *const ssl = hs->ssl; - assert(SSL_is_dtls(ssl)); - - // When implementing DTLS 1.3, we need to handle the interactions between - // HelloVerifyRequest, DTLS 1.3's HelloVerifyRequest removal, and ECH. - assert(hs->max_version < TLS1_3_VERSION); - - SSLMessage msg; - if (!ssl->method->get_message(ssl, &msg)) { - return ssl_hs_read_message; - } - - if (msg.type != DTLS1_MT_HELLO_VERIFY_REQUEST) { - hs->state = state_read_server_hello; - return ssl_hs_ok; - } + assert(msg.type == DTLS1_MT_HELLO_VERIFY_REQUEST); + assert(!hs->received_hello_verify_request); CBS hello_verify_request = msg.body, cookie; uint16_t server_version; 
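Review bot: The early key schedule and `add_change_cipher_spec` now run in do_early_reverify_server_certificate after the reverification block rather than before it, so a rejected certificate no longer leaves 0-RTT keys installed; that is the right ordering but the comment only mentions QUIC writing data too early. I would extend it: `// Keys are derived only after reverification succeeds, so a rejected session never has 0-RTT keys installed.` In the second hunk, handle_hello_verify_request guards re-entry with `assert(!hs->received_hello_verify_request)`, which is debug-only; the runtime guard is the caller's `!hs->received_hello_verify_request` test in the next hunk, and that dependency is worth a comment since the function body continues outside this hunk.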
@@ -638,27 +638,23 @@ static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) { CBS_len(&hello_verify_request) != 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); - return ssl_hs_error; + return false; } if (!hs->dtls_cookie.CopyFrom(cookie)) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - return ssl_hs_error; + return false; } + hs->received_hello_verify_request = true; ssl->method->next_message(ssl); // DTLS resets the handshake buffer after HelloVerifyRequest. if (!hs->transcript.Init()) { - return ssl_hs_error; - } - - if (!ssl_add_client_hello(hs)) { - return ssl_hs_error; + return false; } - hs->state = state_read_server_hello; - return ssl_hs_flush; + return ssl_add_client_hello(hs); } bool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert, @@ -700,6 +696,16 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_read_server_hello; } + if (SSL_is_dtls(ssl) && !hs->received_hello_verify_request && + msg.type == DTLS1_MT_HELLO_VERIFY_REQUEST) { + if (!handle_hello_verify_request(hs, msg)) { + return ssl_hs_error; + } + hs->received_hello_verify_request = true; + hs->state = state_read_server_hello; + return ssl_hs_flush; + } + ParsedServerHello server_hello; uint16_t server_version; uint8_t alert = SSL_AD_DECODE_ERROR; 
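Review bot: `hs->received_hello_verify_request = true;` is assigned twice: once inside handle_hello_verify_request before `next_message`, and again in do_read_server_hello right after the call returns. One of them should go; keeping the one in the callee means the flag is set as soon as the cookie is accepted, which is the property the guard in do_read_server_hello relies on. That guard is a good addition, since it ensures a peer can trigger the transcript reset and ClientHello re-send at most once per handshake.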
@@ -715,44 +721,67 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete); - if (!ssl->s3->have_version) { - ssl->version = server_version; - // At this point, the connection's version is known and ssl->version is - // fixed. Begin enforcing the record-layer version. - ssl->s3->have_version = true; - ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version); - } else if (server_version != ssl->version) { + if (!ssl->s3->initial_handshake_complete) { + // |ssl->s3->version| may be set due to 0-RTT. If it was to a different + // value, the check below will fire. + assert(ssl->s3->version == 0 || + (hs->early_data_offered && + ssl->s3->version == hs->early_session->ssl_version)); + ssl->s3->version = server_version; + } else if (server_version != ssl->s3->version) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION); return ssl_hs_error; } - if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { - hs->state = state_tls13; - return ssl_hs_ok; - } - - // Clear some TLS 1.3 state that no longer needs to be retained. - hs->key_shares[0].reset(); - hs->key_shares[1].reset(); - ssl_done_writing_client_hello(hs); - - // A TLS 1.2 server would not know to skip the early data we offered. Report - // an error code sooner. The caller may use this error code to implement the - // fallback described in RFC 8446 appendix D.3. - if (hs->early_data_offered) { + // If the version did not match, stop sending 0-RTT data. + if (hs->early_data_offered && + ssl->s3->version != hs->early_session->ssl_version) { + // This is currently only possible by reading a TLS 1.2 (or earlier) + // ServerHello in response to TLS 1.3. If there is ever a TLS 1.4, or + // another variant of TLS 1.3, the fatal error below will need to be a clean + // 0-RTT reject. 
+ assert(ssl_protocol_version(ssl) < TLS1_3_VERSION); + assert(ssl_session_protocol_version(hs->early_session.get()) >= + TLS1_3_VERSION); + + // A TLS 1.2 server would not know to skip the early data we offered, so + // there is no point in continuing the handshake. Report an error code as + // soon as we detect this. The caller may use this error code to implement + // the fallback described in RFC 8446 appendix D.3. + // // Disconnect early writes. This ensures subsequent |SSL_write| calls query // the handshake which, in turn, will replay the error code rather than fail // at the |write_shutdown| check. See https://crbug.com/1078515. // TODO(davidben): Should all handshake errors do this? What about record // decryption failures? + // + // TODO(crbug.com/42290594): Although missing from the spec, a DTLS 1.2 + // server will already naturally skip 0-RTT data. If we implement DTLS 1.3 + // 0-RTT, we may want a clean reject. + assert(!SSL_is_dtls(ssl)); hs->can_early_write = false; OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION); return ssl_hs_error; } + if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { + if (hs->received_hello_verify_request) { + OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_MESSAGE); + ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION); + return ssl_hs_error; + } + + hs->state = state_tls13; + return ssl_hs_ok; + } + + // Clear some TLS 1.3 state that no longer needs to be retained. + hs->key_shares[0].reset(); + hs->key_shares[1].reset(); + ssl_done_writing_client_hello(hs); + // TLS 1.2 handshakes cannot accept ECH. if (hs->selected_ech_config) { ssl->s3->ech_status = ssl_ech_rejected; 
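Review bot: The new `if (hs->received_hello_verify_request)` rejection inside the TLS 1.3 branch of do_read_server_hello has no comment explaining why a HelloVerifyRequest is incompatible with a 1.3 ServerHello, and the flag is only ever set on the DTLS path, which is not obvious at this distance. Suggested: `// HelloVerifyRequest exists only in DTLS 1.2 and below; DTLS 1.3 (RFC 9147) replaced it with HelloRetryRequest, so a server that sent one cannot then negotiate 1.3.` The `assert(!SSL_is_dtls(ssl))` in the early-data mismatch path is debug-only and the adjacent TODO already acknowledges the DTLS 0-RTT gap, so no change there. The function starts outside the hunk.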
@@ -799,9 +828,8 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { hs->new_cipher = cipher; - if (hs->session_id_len != 0 && - CBS_mem_equal(&server_hello.session_id, hs->session_id, - hs->session_id_len)) { + if (!hs->session_id.empty() && + Span(server_hello.session_id) == hs->session_id) { // Echoing the ClientHello session ID in TLS 1.2, whether from the session // or a synthetic one, indicates resumption. If there was no session (or if // the session was only offered in ECH ClientHelloInner), this was the @@ -814,7 +842,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; } - if (ssl->session->ssl_version != ssl->version) { + if (ssl->session->ssl_version != ssl->s3->version) { OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; @@ -843,16 +871,9 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { } // Save the session ID from the server. This may be empty if the session - // isn't resumable, or if we'll receive a session ticket later. - assert(CBS_len(&server_hello.session_id) <= SSL3_SESSION_ID_SIZE); - static_assert(SSL3_SESSION_ID_SIZE <= UINT8_MAX, - "max session ID is too large"); - hs->new_session->session_id_length = - static_cast(CBS_len(&server_hello.session_id)); - OPENSSL_memcpy(hs->new_session->session_id, - CBS_data(&server_hello.session_id), - CBS_len(&server_hello.session_id)); - + // isn't resumable, or if we'll receive a session ticket later. The + // ServerHello parser ensures |server_hello.session_id| is within bounds. + hs->new_session->session_id.CopyFrom(server_hello.session_id); hs->new_session->cipher = hs->new_cipher; } 
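Review bot: The session-ID echo check moves from `CBS_mem_equal` to `Span(server_hello.session_id) == hs->session_id`; if Span's `operator==` is an ordinary element-wise compare rather than the constant-time helper, this is still fine because both session IDs travel in the clear, but a reader auditing comparisons against `CRYPTO_memcmp` usage will stop here. A short comment avoids that: `// Session IDs are public on the wire; a constant-time compare is not needed.` The `Span` template arguments appear to have been lost in extraction.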
@@ -1168,7 +1189,8 @@ static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) { return ssl_hs_error; } uint8_t alert = SSL_AD_DECODE_ERROR; - if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) { + if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm, + hs->peer_pubkey.get())) { ssl_send_alert(ssl, SSL3_AL_FATAL, alert); return ssl_hs_error; } @@ -1331,6 +1353,42 @@ static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) { return ssl_hs_ok; } +static bool check_credential(SSL_HANDSHAKE *hs, const SSL_CREDENTIAL *cred, + uint16_t *out_sigalg) { + if (cred->type != SSLCredentialType::kX509) { + OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + return false; + } + + if (hs->config->check_client_certificate_type) { + // Check the certificate types advertised by the peer. + uint8_t cert_type; + switch (EVP_PKEY_id(cred->pubkey.get())) { + case EVP_PKEY_RSA: + cert_type = SSL3_CT_RSA_SIGN; + break; + case EVP_PKEY_EC: + case EVP_PKEY_ED25519: + cert_type = TLS_CT_ECDSA_SIGN; + break; + default: + OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + return false; + } + if (std::find(hs->certificate_types.begin(), hs->certificate_types.end(), + cert_type) == hs->certificate_types.end()) { + OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + return false; + } + } + + // All currently supported credentials require a signature. Note this does not + // check the ECDSA curve. Prior to TLS 1.3, there is no way to determine which + // ECDSA curves are supported by the peer, so we must assume all curves are + // supported. + return tls1_choose_signature_algorithm(hs, cred, out_sigalg); +} + static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; 
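Review bot: The new static check_credential has no header comment, and its contract has three parts a caller needs: it rejects non-X.509 credentials, it optionally matches the key type against the peer's advertised certificate types, and it delegates the signature-algorithm choice, pushing an error on every failure path. Suggested: `// check_credential returns true and sets |*out_sigalg| if |cred| is usable for this handshake's CertificateRequest; on failure it pushes an error and returns false.` The do_read_server_key_exchange hunk above only threads `hs->peer_pubkey.get()` into tls12_check_peer_sigalg and needs nothing.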
@@ -1358,17 +1416,37 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { } } - if (!ssl_has_certificate(hs)) { - // Without a client certificate, the handshake buffer may be released. + Array creds; + if (!ssl_get_credential_list(hs, &creds)) { + return ssl_hs_error; + } + + if (creds.empty()) { + // If there were no credentials, proceed without a client certificate. In + // this case, the handshake buffer may be released early. hs->transcript.FreeBuffer(); + } else { + // Select the credential to use. + for (SSL_CREDENTIAL *cred : creds) { + ERR_clear_error(); + uint16_t sigalg; + if (check_credential(hs, cred, &sigalg)) { + hs->credential = UpRef(cred); + hs->signature_algorithm = sigalg; + break; + } + } + if (hs->credential == nullptr) { + // The error from the last attempt is in the error queue. + ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + return ssl_hs_error; + } } - if (!ssl_on_certificate_selected(hs) || - !ssl_output_cert_chain(hs)) { + if (!ssl_send_tls12_certificate(hs)) { return ssl_hs_error; } - hs->state = state_send_client_key_exchange; return ssl_hs_ok; } @@ -1531,13 +1609,13 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - hs->new_session->secret_length = - tls1_generate_master_secret(hs, hs->new_session->secret, pms); - if (hs->new_session->secret_length == 0) { + hs->new_session->secret.ResizeMaybeUninit(SSL3_MASTER_SECRET_SIZE); + if (!tls1_generate_master_secret(hs, MakeSpan(hs->new_session->secret), + pms)) { return ssl_hs_error; } - hs->new_session->extended_master_secret = hs->extended_master_secret; + hs->new_session->extended_master_secret = hs->extended_master_secret; hs->state = state_send_client_certificate_verify; return ssl_hs_ok; } 
@@ -1545,12 +1623,11 @@ static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - if (!hs->cert_request || !ssl_has_certificate(hs)) { + if (!hs->cert_request || hs->credential == nullptr) { hs->state = state_send_client_finished; return ssl_hs_ok; } - assert(ssl_has_private_key(hs)); ScopedCBB cbb; CBB body, child; if (!ssl->method->init_message(ssl, cbb.get(), &body, @@ -1558,21 +1635,17 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - uint16_t signature_algorithm; - if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { - ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - return ssl_hs_error; - } + assert(hs->signature_algorithm != 0); if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) { // Write out the digest type in TLS 1.2. - if (!CBB_add_u16(&body, signature_algorithm)) { + if (!CBB_add_u16(&body, hs->signature_algorithm)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_hs_error; } } // Set aside space for the signature. - const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); + const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get()); uint8_t *ptr; if (!CBB_add_u16_length_prefixed(&body, &child) || !CBB_reserve(&child, &ptr, max_sig_len)) { @@ -1581,7 +1654,7 @@ static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { size_t sig_len = max_sig_len; switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len, - signature_algorithm, + hs->signature_algorithm, hs->transcript.buffer())) { case ssl_private_key_success: break; 
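Review bot: `assert(hs->signature_algorithm != 0);` in do_send_client_certificate_verify replaces what used to be a runtime failure with a `handshake_failure` alert, so in NDEBUG builds a zero value would now be written straight into the CertificateVerify body with no check at all. The invariant is presumably kept by check_credential in do_send_client_certificate, but that is not visible from this function; a comment next to the assert, e.g. `// Chosen by check_credential when the credential was selected.`, would tell a reader where to look. The server side makes the same assert-for-check substitution in handshake_server.cc at the `@@ -909` hunk (`assert(has_ecdhe_group)`), the `@@ -1058` hunk (`assert(hs->credential != nullptr)`) and the `@@ -1112` hunk (`assert(hs->new_session->group_id != 0)`), the latter two of which previously carried an error return and alert. The enclosing function starts and ends outside this hunk.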
@@ -1777,8 +1850,9 @@ static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) { // Historically, OpenSSL filled in fake session IDs for ticket-based sessions. // TODO(davidben): Are external callers relying on this? Try removing this. - SHA256(CBS_data(&ticket), CBS_len(&ticket), hs->new_session->session_id); - hs->new_session->session_id_length = SHA256_DIGEST_LENGTH; + hs->new_session->session_id.ResizeMaybeUninit(SHA256_DIGEST_LENGTH); + SHA256(CBS_data(&ticket), CBS_len(&ticket), + hs->new_session->session_id.data()); ssl->method->next_message(ssl); hs->state = state_process_change_cipher_spec; @@ -1872,9 +1946,6 @@ enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs) { case state_early_reverify_server_certificate: ret = do_early_reverify_server_certificate(hs); break; - case state_read_hello_verify_request: - ret = do_read_hello_verify_request(hs); - break; case state_read_server_hello: ret = do_read_server_hello(hs); break; @@ -1957,8 +2028,6 @@ const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs) { return "TLS client enter_early_data"; case state_early_reverify_server_certificate: return "TLS client early_reverify_server_certificate"; - case state_read_hello_verify_request: - return "TLS client read_hello_verify_request"; case state_read_server_hello: return "TLS client read_server_hello"; case state_tls13: diff --git a/Sources/CNIOBoringSSL/ssl/handshake_server.cc b/Sources/CNIOBoringSSL/ssl/handshake_server.cc index 133acd5e9..a86b6c629 100644 --- a/Sources/CNIOBoringSSL/ssl/handshake_server.cc +++ b/Sources/CNIOBoringSSL/ssl/handshake_server.cc 
@@ -196,7 +196,7 @@ bool ssl_client_cipher_list_contains_cipher( static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello) { SSL *const ssl = hs->ssl; - assert(!ssl->s3->have_version); + assert(ssl->s3->version == 0); CBS supported_versions, versions; if (ssl_client_hello_get_extension(client_hello, &supported_versions, TLSEXT_TYPE_supported_versions)) { @@ -228,8 +228,7 @@ static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, } else if (client_hello->version <= DTLS1_VERSION) { versions_len = 2; } - CBS_init(&versions, kDTLSVersions + sizeof(kDTLSVersions) - versions_len, - versions_len); + versions = MakeConstSpan(kDTLSVersions).last(versions_len); } else { if (client_hello->version >= TLS1_2_VERSION) { versions_len = 6; @@ -238,20 +237,14 @@ static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, } else if (client_hello->version >= TLS1_VERSION) { versions_len = 2; } - CBS_init(&versions, kTLSVersions + sizeof(kTLSVersions) - versions_len, - versions_len); + versions = MakeConstSpan(kTLSVersions).last(versions_len); } } - if (!ssl_negotiate_version(hs, out_alert, &ssl->version, &versions)) { + if (!ssl_negotiate_version(hs, out_alert, &ssl->s3->version, &versions)) { return false; } - // At this point, the connection's version is known and |ssl->version| is - // fixed. Begin enforcing the record-layer version. - ssl->s3->have_version = true; - ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version); - // Handle FALLBACK_SCSV. if (ssl_client_cipher_list_contains_cipher(client_hello, SSL3_CK_FALLBACK_SCSV & 0xffff) && 
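Review bot: The `@@ -238` hunk deletes `ssl->s3->have_version = true;` and `ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);` together with the comment explaining that record-layer version enforcement begins here, and the new side contains no replacement. Presumably `ssl_negotiate_version` now performs that step when it writes `ssl->s3->version`, but that is not visible from this hunk; if so, a one-line comment after the call such as `// |ssl_negotiate_version| also begins enforcing the record-layer version.` would preserve the deleted intent. negotiate_version continues outside the hunk.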
@@ -292,42 +285,9 @@ static UniquePtr ssl_parse_client_cipher_list( return sk; } -// ssl_get_compatible_server_ciphers determines the key exchange and -// authentication cipher suite masks compatible with the server configuration -// and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key -// exchange mask and |*out_mask_a| to the authentication mask. -static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs, - uint32_t *out_mask_k, - uint32_t *out_mask_a) { - uint32_t mask_k = 0; - uint32_t mask_a = 0; - - if (ssl_has_certificate(hs)) { - mask_a |= ssl_cipher_auth_mask_for_key(hs->local_pubkey.get()); - if (EVP_PKEY_id(hs->local_pubkey.get()) == EVP_PKEY_RSA) { - mask_k |= SSL_kRSA; - } - } - - // Check for a shared group to consider ECDHE ciphers. - uint16_t unused; - if (tls1_get_shared_group(hs, &unused)) { - mask_k |= SSL_kECDHE; - } - - // PSK requires a server callback. - if (hs->config->psk_server_callback != NULL) { - mask_k |= SSL_kPSK; - mask_a |= SSL_aPSK; - } - - *out_mask_k = mask_k; - *out_mask_a = mask_a; -} - -static const SSL_CIPHER *choose_cipher( - SSL_HANDSHAKE *hs, const SSL_CLIENT_HELLO *client_hello, - const SSLCipherPreferenceList *server_pref) { +static const SSL_CIPHER *choose_cipher(SSL_HANDSHAKE *hs, + const STACK_OF(SSL_CIPHER) *client_pref, + uint32_t mask_k, uint32_t mask_a) { SSL *const ssl = hs->ssl; const STACK_OF(SSL_CIPHER) *prio, *allow; // in_group_flags will either be NULL, or will point to an array of bytes 
@@ -339,25 +299,19 @@ static const SSL_CIPHER *choose_cipher( // such value exists yet. int group_min = -1; - UniquePtr client_pref = - ssl_parse_client_cipher_list(client_hello); - if (!client_pref) { - return nullptr; - } - + const SSLCipherPreferenceList *server_pref = + hs->config->cipher_list ? hs->config->cipher_list.get() + : ssl->ctx->cipher_list.get(); if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { prio = server_pref->ciphers.get(); in_group_flags = server_pref->in_group_flags; - allow = client_pref.get(); + allow = client_pref; } else { - prio = client_pref.get(); + prio = client_pref; in_group_flags = NULL; allow = server_pref->ciphers.get(); } - uint32_t mask_k, mask_a; - ssl_get_compatible_server_ciphers(hs, &mask_k, &mask_a); - for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) { const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i); 
@@ -391,9 +345,76 @@ static const SSL_CIPHER *choose_cipher( } } + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); return nullptr; } +struct TLS12ServerParams { + bool ok() const { return cipher != nullptr; } + + const SSL_CIPHER *cipher = nullptr; + uint16_t signature_algorithm = 0; +}; + +static TLS12ServerParams choose_params(SSL_HANDSHAKE *hs, + const SSL_CREDENTIAL *cred, + const STACK_OF(SSL_CIPHER) *client_pref, + bool has_ecdhe_group) { + // Determine the usable cipher suites. + uint32_t mask_k = 0, mask_a = 0; + if (has_ecdhe_group) { + mask_k |= SSL_kECDHE; + } + if (hs->config->psk_server_callback != nullptr) { + mask_k |= SSL_kPSK; + mask_a |= SSL_aPSK; + } + uint16_t sigalg = 0; + if (cred != nullptr && cred->type == SSLCredentialType::kX509) { + bool sign_ok = tls1_choose_signature_algorithm(hs, cred, &sigalg); + ERR_clear_error(); + + // ECDSA keys must additionally be checked against the peer's supported + // curve list. + int key_type = EVP_PKEY_id(cred->pubkey.get()); + if (hs->config->check_ecdsa_curve && key_type == EVP_PKEY_EC) { + EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(cred->pubkey.get()); + uint16_t group_id; + if (!ssl_nid_to_group_id( + &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) || + std::find(hs->peer_supported_group_list.begin(), + hs->peer_supported_group_list.end(), + group_id) == hs->peer_supported_group_list.end()) { + sign_ok = false; + + // If this would make us unable to pick any cipher, return an error. + // This is not strictly necessary, but it gives us a more specific + // error to help the caller diagnose issues. 
+ if (mask_a == 0) { + OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); + return TLS12ServerParams(); + } + } + } + + mask_a |= ssl_cipher_auth_mask_for_key(cred->pubkey.get(), sign_ok); + if (key_type == EVP_PKEY_RSA) { + mask_k |= SSL_kRSA; + } + } + + TLS12ServerParams params; + params.cipher = choose_cipher(hs, client_pref, mask_k, mask_a); + if (params.cipher == nullptr) { + return TLS12ServerParams(); + } + if (ssl_cipher_requires_server_key_exchange(params.cipher) && + ssl_cipher_uses_certificate_auth(params.cipher)) { + params.signature_algorithm = sigalg; + } + return params; +} + static enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) { ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1); hs->state = state12_read_client_hello; @@ -587,6 +608,9 @@ static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert, if (!ssl_client_hello_get_extension(client_hello, &sni, TLSEXT_TYPE_server_name)) { // No SNI extension to parse. + // + // Clear state in case we previously extracted SNI from ClientHelloOuter. + ssl->s3->hostname.reset(); return true; } @@ -623,8 +647,6 @@ static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert, return false; } ssl->s3->hostname.reset(raw); - - hs->should_ack_sni = true; return true; } @@ -660,7 +682,10 @@ static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { } uint8_t alert = SSL_AD_DECODE_ERROR; - if (!decrypt_ech(hs, &alert, &client_hello)) { + // We check for rejection status in case we've rewound the state machine after + // determining `ClientHelloInner` is invalid. + if (ssl->s3->ech_status != ssl_ech_rejected && + !decrypt_ech(hs, &alert, &client_hello)) { ssl_send_alert(ssl, SSL3_AL_FATAL, alert); return ssl_hs_error; } 
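Review bot: `params.signature_algorithm = sigalg;` at the end of choose_params is only sound if `ssl_cipher_auth_mask_for_key(cred->pubkey.get(), sign_ok)` drops every authentication type that needs a server signature whenever `sign_ok` is false; otherwise a signature-requiring cipher could be paired with a `sigalg` the curve check just invalidated, or with 0 when `tls1_choose_signature_algorithm` failed. That helper is not visible here, so the coupling deserves a comment at the assignment, e.g. `// |mask_a| excludes signing ciphers when |sign_ok| is false, so a cipher needing a signature implies |sigalg| is valid.`. Separately, the `ERR_clear_error();` immediately after `tls1_choose_signature_algorithm` discards the reason a credential was rejected, so the queue the caller inspects after the last attempt only ever shows `SSL_R_NO_SHARED_CIPHER` or `SSL_R_WRONG_CURVE`; if that is intentional, the comment should say so.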
@@ -696,6 +721,13 @@ static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) { case ssl_select_cert_retry: return ssl_hs_certificate_selection_pending; + case ssl_select_cert_disable_ech: + hs->ech_client_hello_buf.Reset(); + hs->ech_keys = nullptr; + hs->state = state12_read_client_hello; + ssl->s3->ech_status = ssl_ech_rejected; + return ssl_hs_ok; + case ssl_select_cert_error: // Connection rejected. OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); @@ -748,11 +780,11 @@ static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - hs->state = state12_select_certificate; + hs->state = state12_cert_callback; return ssl_hs_ok; } -static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { +static enum ssl_hs_wait_t do_cert_callback(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; // Call |cert_cb| to update server certificates if required. @@ -768,10 +800,6 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { } } - if (!ssl_on_certificate_selected(hs)) { - return ssl_hs_error; - } - if (hs->ocsp_stapling_requested && ssl->ctx->legacy_ocsp_callback != nullptr) { switch (ssl->ctx->legacy_ocsp_callback( 
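Review bot: The new `ssl_select_cert_disable_ech` case rewinds to `state12_read_client_hello` after ClientHelloInner has already been parsed, so any per-handshake state derived from the inner ClientHello survives into the re-parse of ClientHelloOuter unless each parser overwrites it. This commit fixes exactly one such carry-over (`ssl->s3->hostname.reset()` in extract_sni when no SNI extension is present), which suggests the other extension handlers were audited, but the case itself does not record what it relies on. A comment on the case, e.g. `// Only ECH state is reset here; every field derived from ClientHelloInner must be overwritten when ClientHelloOuter is re-parsed.`, would preserve that invariant for the next handler that caches state. do_read_client_hello_after_ech starts and ends outside the hunk.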
@@ -801,24 +829,6 @@ static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) { ssl->s3->early_data_reason = ssl_early_data_protocol_version; - SSLMessage msg_unused; - SSL_CLIENT_HELLO client_hello; - if (!hs->GetClientHello(&msg_unused, &client_hello)) { - return ssl_hs_error; - } - - // Negotiate the cipher suite. This must be done after |cert_cb| so the - // certificate is finalized. - SSLCipherPreferenceList *prefs = hs->config->cipher_list - ? hs->config->cipher_list.get() - : ssl->ctx->cipher_list.get(); - hs->new_cipher = choose_cipher(hs, &client_hello, prefs); - if (hs->new_cipher == NULL) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); - ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - return ssl_hs_error; - } - hs->state = state12_select_parameters; return ssl_hs_ok; } 
@@ -835,21 +845,59 @@ static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - SSLMessage msg; - if (!ssl->method->get_message(ssl, &msg)) { - return ssl_hs_read_message; + SSL_CLIENT_HELLO client_hello; + if (!hs->GetClientHello(&msg, &client_hello)) { + return ssl_hs_error; } - SSL_CLIENT_HELLO client_hello; - if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) { + // Determine the ECDHE group to use, if we are to use ECDHE. + uint16_t group_id = 0; + bool has_ecdhe_group = tls1_get_shared_group(hs, &group_id); + + // Select the credential and cipher suite. This must be done after |cert_cb| + // runs, so the final credential list is known. + // + // TODO(davidben): In the course of picking these, we also pick the ECDHE + // group and signature algorithm. It would be tidier if we saved that decision + // and avoided redoing it later. + UniquePtr client_pref = + ssl_parse_client_cipher_list(&client_hello); + if (client_pref == nullptr) { + return ssl_hs_error; + } + Array creds; + if (!ssl_get_credential_list(hs, &creds)) { + return ssl_hs_error; + } + TLS12ServerParams params; + if (creds.empty()) { + // The caller may have configured no credentials, but set a PSK callback. + params = + choose_params(hs, /*cred=*/nullptr, client_pref.get(), has_ecdhe_group); + } else { + // Select the first credential which works. + for (SSL_CREDENTIAL *cred : creds) { + ERR_clear_error(); + params = choose_params(hs, cred, client_pref.get(), has_ecdhe_group); + if (params.ok()) { + hs->credential = UpRef(cred); + break; + } + } + } + if (!params.ok()) { + // The error from the last attempt is in the error queue. 
+ ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; } + hs->new_cipher = params.cipher; + hs->signature_algorithm = params.signature_algorithm; - hs->session_id_len = client_hello.session_id_len; - // This is checked in |ssl_client_hello_init|. - assert(hs->session_id_len <= sizeof(hs->session_id)); - OPENSSL_memcpy(hs->session_id, client_hello.session_id, hs->session_id_len); + // |ssl_client_hello_init| checks that |client_hello.session_id| is not too + // large. + hs->session_id.CopyFrom( + MakeConstSpan(client_hello.session_id, client_hello.session_id_len)); // Determine whether we are doing session resumption. UniquePtr session; @@ -893,9 +941,9 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { // Assign a session ID if not using session tickets. if (!hs->ticket_expected && (ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) { - hs->new_session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH; - RAND_bytes(hs->new_session->session_id, - hs->new_session->session_id_length); + hs->new_session->session_id.ResizeMaybeUninit(SSL3_SSL_SESSION_ID_LENGTH); + RAND_bytes(hs->new_session->session_id.data(), + hs->new_session->session_id.size()); } } @@ -909,6 +957,10 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { if (ssl->session == NULL) { hs->new_session->cipher = hs->new_cipher; + if (hs->new_session->cipher->algorithm_mkey & SSL_kECDHE) { + assert(has_ecdhe_group); + hs->new_session->group_id = group_id; + } // Determine whether to request a client certificate. hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER); 
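Review bot: As rendered, the new side of do_select_parameters calls `hs->GetClientHello(&msg, &client_hello)` while the only `SSLMessage msg;` declaration in the hunk sits on the removed side, so either the declaration was kept as a context line that the collapsed rendering mislabelled, or `msg` is undeclared on the new side; worth a glance at the actual file. If the declaration did survive, the hunk is fine as far as the selection logic goes. do_select_parameters continues outside the hunk.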
@@ -975,8 +1027,8 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { // If this is a resumption and the original handshake didn't support // ChannelID then we didn't record the original handshake hashes in the // session and so cannot resume with ChannelIDs. - if (ssl->session != NULL && - ssl->session->original_handshake_hash_len == 0) { + if (ssl->session != nullptr && + ssl->session->original_handshake_hash.empty()) { hs->channel_id_negotiated = false; } @@ -1020,16 +1072,15 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { Span session_id; if (ssl->session != nullptr) { // Echo the session ID from the ClientHello to indicate resumption. - session_id = MakeConstSpan(hs->session_id, hs->session_id_len); + session_id = hs->session_id; } else { - session_id = MakeConstSpan(hs->new_session->session_id, - hs->new_session->session_id_length); + session_id = hs->new_session->session_id; } ScopedCBB cbb; CBB body, session_id_bytes; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || - !CBB_add_u16(&body, ssl->version) || + !CBB_add_u16(&body, ssl->s3->version) || !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || !CBB_add_u8_length_prefixed(&body, &session_id_bytes) || !CBB_add_bytes(&session_id_bytes, session_id.data(), session_id.size()) || @@ -1058,12 +1109,8 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { ScopedCBB cbb; if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { - if (!ssl_has_certificate(hs)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); - return ssl_hs_error; - } - - if (!ssl_output_cert_chain(hs)) { + assert(hs->credential != nullptr); + if (!ssl_send_tls12_certificate(hs)) { return ssl_hs_error; } 
@@ -1075,8 +1122,8 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { !CBB_add_u24_length_prefixed(&body, &ocsp_response) || !CBB_add_bytes( &ocsp_response, - CRYPTO_BUFFER_data(hs->config->cert->ocsp_response.get()), - CRYPTO_BUFFER_len(hs->config->cert->ocsp_response.get())) || + CRYPTO_BUFFER_data(hs->credential->ocsp_response.get()), + CRYPTO_BUFFER_len(hs->credential->ocsp_response.get())) || !ssl_add_message_cbb(ssl, cbb.get())) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_hs_error; @@ -1112,19 +1159,11 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { } if (alg_k & SSL_kECDHE) { - // Determine the group to use. - uint16_t group_id; - if (!tls1_get_shared_group(hs, &group_id)) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - return ssl_hs_error; - } - hs->new_session->group_id = group_id; - - hs->key_shares[0] = SSLKeyShare::Create(group_id); + assert(hs->new_session->group_id != 0); + hs->key_shares[0] = SSLKeyShare::Create(hs->new_session->group_id); if (!hs->key_shares[0] || !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || - !CBB_add_u16(cbb.get(), group_id) || + !CBB_add_u16(cbb.get(), hs->new_session->group_id) || !CBB_add_u8_length_prefixed(cbb.get(), &child)) { return ssl_hs_error; } @@ -1132,7 +1171,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); bool hint_ok = false; if (hints && !hs->hints_requested && - hints->ecdhe_group_id == group_id && + hints->ecdhe_group_id == hs->new_session->group_id && !hints->ecdhe_public_key.empty() && !hints->ecdhe_private_key.empty()) { CBS cbs = MakeConstSpan(hints->ecdhe_private_key); 
@@ -1160,7 +1199,7 @@ static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { &hints->ecdhe_private_key)) { return ssl_hs_error; } - hints->ecdhe_group_id = group_id; + hints->ecdhe_group_id = hs->new_session->group_id; } } } else { @@ -1197,14 +1236,10 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { // Add a signature. if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { - if (!ssl_has_private_key(hs)) { - ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - return ssl_hs_error; - } - // Determine the signature algorithm. uint16_t signature_algorithm; - if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { + if (!tls1_choose_signature_algorithm(hs, hs->credential.get(), + &signature_algorithm)) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; } @@ -1217,7 +1252,7 @@ static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { } // Add space for the signature. - const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); + const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get()); uint8_t *ptr; if (!CBB_add_u16_length_prefixed(&body, &child) || !CBB_reserve(&child, &ptr, max_sig_len)) { @@ -1425,7 +1460,7 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { // Allocate a buffer large enough for an RSA decryption. Array decrypt_buf; - if (!decrypt_buf.Init(EVP_PKEY_size(hs->local_pubkey.get()))) { + if (!decrypt_buf.Init(EVP_PKEY_size(hs->credential->pubkey.get()))) { return ssl_hs_error; } 
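Review bot: do_send_server_key_exchange still calls `tls1_choose_signature_algorithm(hs, hs->credential.get(), &signature_algorithm)` even though do_select_parameters already chose one for this credential and stored it in `hs->signature_algorithm`, under what appears to be the same condition this branch tests (the TODO in do_select_parameters acknowledges the duplication). Running the selection twice means the value signed here can in principle differ from the one used to validate the credential; reading the stored value instead, `uint16_t signature_algorithm = hs->signature_algorithm; assert(signature_algorithm != 0);`, keeps the two in step, as the client-side CertificateVerify path in this commit already does. The function starts and ends outside this hunk.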
@@ -1566,13 +1601,18 @@ static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { } // Compute the master secret. - hs->new_session->secret_length = tls1_generate_master_secret( - hs, hs->new_session->secret, premaster_secret); - if (hs->new_session->secret_length == 0) { + hs->new_session->secret.ResizeMaybeUninit(SSL3_MASTER_SECRET_SIZE); + if (!tls1_generate_master_secret(hs, MakeSpan(hs->new_session->secret), + premaster_secret)) { return ssl_hs_error; } hs->new_session->extended_master_secret = hs->extended_master_secret; - CONSTTIME_DECLASSIFY(hs->new_session->secret, hs->new_session->secret_length); + // Declassify the secret to undo the RSA decryption validation above. We are + // not currently running most of the TLS library with constant-time + // validation. + // TODO(crbug.com/42290551): Remove this and cover the TLS library too. + CONSTTIME_DECLASSIFY(hs->new_session->secret.data(), + hs->new_session->secret.size()); hs->can_release_private_key = true; ssl->method->next_message(ssl); @@ -1620,7 +1660,8 @@ static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { return ssl_hs_error; } uint8_t alert = SSL_AD_DECODE_ERROR; - if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) { + if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm, + hs->peer_pubkey.get())) { ssl_send_alert(ssl, SSL3_AL_FATAL, alert); return ssl_hs_error; } @@ -1860,8 +1901,8 @@ enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) { case state12_read_client_hello_after_ech: ret = do_read_client_hello_after_ech(hs); break; - case state12_select_certificate: - ret = do_select_certificate(hs); + case state12_cert_callback: + ret = do_cert_callback(hs); break; case state12_tls13: ret = do_tls13(hs); 
@@ -1942,8 +1983,8 @@ const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) { return "TLS server read_client_hello"; case state12_read_client_hello_after_ech: return "TLS server read_client_hello_after_ech"; - case state12_select_certificate: - return "TLS server select_certificate"; + case state12_cert_callback: + return "TLS server cert_callback"; case state12_tls13: return tls13_server_handshake_state(hs); case state12_select_parameters: diff --git a/Sources/CNIOBoringSSL/ssl/internal.h b/Sources/CNIOBoringSSL/ssl/internal.h index e94d1b73c..2ea609f54 100644 --- a/Sources/CNIOBoringSSL/ssl/internal.h +++ b/Sources/CNIOBoringSSL/ssl/internal.h @@ -146,6 +146,8 @@ #include +#include +#include #include #include #include @@ -153,6 +155,7 @@ #include #include +#include #include #include #include 
@@ -186,6 +189,53 @@ struct SSL_X509_METHOD; // C++ utilities. +// Fill-ins for various functions in C++17. +// TODO(crbug.com/42290600): Replace these with the standard ones when we +// require C++17. + +template +ForwardIt cxx17_uninitialized_default_construct_n(ForwardIt first, size_t n) { + using T = typename std::iterator_traits::value_type; + while (n > 0) { + new (std::addressof(*first)) T; + first++; + n--; + } + return first; +} + +template +ForwardIt cxx17_uninitialized_value_construct_n(ForwardIt first, size_t n) { + using T = typename std::iterator_traits::value_type; + while (n > 0) { + new (std::addressof(*first)) T(); + first++; + n--; + } + return first; +} + +template +InputIt cxx17_uninitialized_move(InputIt first, InputIt last, OutputIt out) { + using OutputT = typename std::iterator_traits::value_type; + for (; first != last; ++first) { + new (std::addressof(*out)) OutputT(std::move(*first)); + ++out; + } + return out; +} + +template +ForwardIt cxx17_destroy_n(ForwardIt first, size_t n) { + using T = typename std::iterator_traits::value_type; + while (n > 0) { + first->~T(); + first++; + n--; + } + return first; +} + // New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It // returns nullptr on allocation error. It only implements single-object // allocation and not new T[n]. 
@@ -227,23 +277,6 @@ UniquePtr MakeUnique(Args &&... args) { return UniquePtr(New(std::forward(args)...)); } -#if defined(BORINGSSL_ALLOW_CXX_RUNTIME) -#define HAS_VIRTUAL_DESTRUCTOR -#define PURE_VIRTUAL = 0 -#else -// HAS_VIRTUAL_DESTRUCTOR should be declared in any base class which defines a -// virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the -// class from being used with |delete|. -#define HAS_VIRTUAL_DESTRUCTOR \ - void operator delete(void *) { abort(); } - -// PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual -// functions. This avoids a dependency on |__cxa_pure_virtual| but loses -// compile-time checking. -#define PURE_VIRTUAL \ - { abort(); } -#endif - // Array is an owning array of elements of |T|. template class Array { @@ -267,8 +300,14 @@ class Array { size_t size() const { return size_; } bool empty() const { return size_ == 0; } - const T &operator[](size_t i) const { return data_[i]; } - T &operator[](size_t i) { return data_[i]; } + const T &operator[](size_t i) const { + BSSL_CHECK(i < size_); + return data_[i]; + } + T &operator[](size_t i) { + BSSL_CHECK(i < size_); + return data_[i]; + } T *begin() { return data_; } const T *begin() const { return data_; } @@ -280,9 +319,7 @@ class Array { // Reset releases the current contents of the array and takes ownership of the // raw pointer supplied by the caller. void Reset(T *new_data, size_t new_size) { - for (size_t i = 0; i < size_; i++) { - data_[i].~T(); - } + cxx17_destroy_n(data_, size_); OPENSSL_free(data_); data_ = new_data; size_ = new_size; 
@@ -303,33 +340,20 @@ class Array { // // Note that if |T| is a primitive type like |uint8_t|, it is uninitialized. bool Init(size_t new_size) { - Reset(); - if (new_size == 0) { - return true; - } - - if (new_size > std::numeric_limits::max() / sizeof(T)) { - OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); - return false; - } - data_ = reinterpret_cast(OPENSSL_malloc(new_size * sizeof(T))); - if (data_ == nullptr) { + if (!InitUninitialized(new_size)) { return false; } - size_ = new_size; - for (size_t i = 0; i < size_; i++) { - new (&data_[i]) T; - } + cxx17_uninitialized_default_construct_n(data_, size_); return true; } // CopyFrom replaces the array with a newly-allocated copy of |in|. It returns // true on success and false on error. bool CopyFrom(Span in) { - if (!Init(in.size())) { + if (!InitUninitialized(in.size())) { return false; } - OPENSSL_memcpy(data_, in.data(), sizeof(T) * in.size()); + std::uninitialized_copy(in.begin(), in.end(), data_); return true; } 
@@ -339,55 +363,79 @@ class Array { if (new_size > size_) { abort(); } - for (size_t i = new_size; i < size_; i++) { - data_[i].~T(); - } + cxx17_destroy_n(data_ + new_size, size_ - new_size); size_ = new_size; } private: + // InitUninitialized replaces the array with a newly-allocated array of + // |new_size| elements, but whose constructor has not yet run. On success, the + // elements must be constructed before returning control to the caller. + bool InitUninitialized(size_t new_size) { + Reset(); + if (new_size == 0) { + return true; + } + + if (new_size > std::numeric_limits::max() / sizeof(T)) { + OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); + return false; + } + data_ = reinterpret_cast(OPENSSL_malloc(new_size * sizeof(T))); + if (data_ == nullptr) { + return false; + } + size_ = new_size; + return true; + } + T *data_ = nullptr; size_t size_ = 0; }; -// GrowableArray is an array that owns elements of |T|, backed by an -// Array. When necessary, pushing will automatically trigger a resize. -// -// Note, for simplicity, this class currently differs from |std::vector| in that -// |T| must be efficiently default-constructible. Allocated elements beyond the -// end of the array are constructed and destructed. +// Vector is a resizable array of elements of |T|. 
template -class GrowableArray { +class Vector { public: - GrowableArray() = default; - GrowableArray(const GrowableArray &) = delete; - GrowableArray(GrowableArray &&other) { *this = std::move(other); } - ~GrowableArray() {} - - GrowableArray &operator=(const GrowableArray &) = delete; - GrowableArray &operator=(GrowableArray &&other) { - size_ = other.size_; - other.size_ = 0; - array_ = std::move(other.array_); + Vector() = default; + Vector(const Vector &) = delete; + Vector(Vector &&other) { *this = std::move(other); } + ~Vector() { clear(); } + + Vector &operator=(const Vector &) = delete; + Vector &operator=(Vector &&other) { + clear(); + std::swap(data_, other.data_); + std::swap(size_, other.size_); + std::swap(capacity_, other.capacity_); return *this; } - const T *data() const { return array_.data(); } - T *data() { return array_.data(); } + const T *data() const { return data_; } + T *data() { return data_; } size_t size() const { return size_; } bool empty() const { return size_ == 0; } - const T &operator[](size_t i) const { return array_[i]; } - T &operator[](size_t i) { return array_[i]; } + const T &operator[](size_t i) const { + BSSL_CHECK(i < size_); + return data_[i]; + } + T &operator[](size_t i) { + BSSL_CHECK(i < size_); + return data_[i]; + } - T *begin() { return array_.data(); } - const T *begin() const { return array_.data(); } - T *end() { return array_.data() + size_; } - const T *end() const { return array_.data() + size_; } + T *begin() { return data_; } + const T *begin() const { return data_; } + T *end() { return data_ + size_; } + const T *end() const { return data_ + size_; } void clear() { + cxx17_destroy_n(data_, size_); + OPENSSL_free(data_); + data_ = nullptr; size_ = 0; - array_.Reset(); + capacity_ = 0; } // Push adds |elem| at the end of the internal array, growing if necessary. It 
@@ -396,7 +444,7 @@ class GrowableArray { if (!MaybeGrow()) { return false; } - array_[size_] = std::move(elem); + new (&data_[size_]) T(std::move(elem)); size_++; return true; } @@ -404,10 +452,14 @@ class GrowableArray { // CopyFrom replaces the contents of the array with a copy of |in|. It returns // true on success and false on allocation error. bool CopyFrom(Span in) { - if (!array_.CopyFrom(in)) { + Array copy; + if (!copy.CopyFrom(in)) { return false; } - size_ = in.size(); + + clear(); + copy.Release(&data_, &size_); + capacity_ = size_; return true; } 
@@ -415,39 +467,177 @@ class GrowableArray { // If there is no room for one more element, creates a new backing array with // double the size of the old one and copies elements over. bool MaybeGrow() { - if (array_.size() == 0) { - return array_.Init(kDefaultSize); - } // No need to grow if we have room for one more T. - if (size_ < array_.size()) { + if (size_ < capacity_) { return true; } - // Double the array's size if it's safe to do so. - if (array_.size() > std::numeric_limits::max() / 2) { + size_t new_capacity = kDefaultSize; + if (capacity_ > 0) { + // Double the array's size if it's safe to do so. + if (capacity_ > std::numeric_limits::max() / 2) { + OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); + return false; + } + new_capacity = capacity_ * 2; + } + if (new_capacity > std::numeric_limits::max() / sizeof(T)) { OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW); return false; } - Array new_array; - if (!new_array.Init(array_.size() * 2)) { + T *new_data = + reinterpret_cast(OPENSSL_malloc(new_capacity * sizeof(T))); + if (new_data == nullptr) { return false; } - for (size_t i = 0; i < array_.size(); i++) { - new_array[i] = std::move(array_[i]); - } - array_ = std::move(new_array); - + size_t new_size = size_; + cxx17_uninitialized_move(begin(), end(), new_data); + clear(); + data_ = new_data; + size_ = new_size; + capacity_ = new_capacity; return true; } - // |size_| is the number of elements stored in this GrowableArray. + // data_ is a pointer to |capacity_| objects of size |T|, the first |size_| of + // which are constructed. + T *data_ = nullptr; + // |size_| is the number of elements stored in this Vector. size_t size_ = 0; - // |array_| is the backing array. Note that |array_.size()| is this - // GrowableArray's current capacity and that |size_ <= array_.size()|. - Array array_; + // |capacity_| is the number of elements allocated in this Vector. + size_t capacity_ = 0; // |kDefaultSize| is the default initial size of the backing array. 
static constexpr size_t kDefaultSize = 16; }; +// A PackedSize is an integer that can store values from 0 to N, represented as +// a minimal-width integer. +template +using PackedSize = std::conditional_t< + N <= 0xff, uint8_t, + std::conditional_t>>; + +// An InplaceVector is like a Vector, but stores up to N elements inline in the +// object. It is inspired by std::inplace_vector in C++26. +template +class InplaceVector { + public: + InplaceVector() = default; + InplaceVector(const InplaceVector &other) { *this = other; } + InplaceVector(InplaceVector &&other) { *this = std::move(other); } + ~InplaceVector() { clear(); } + InplaceVector &operator=(const InplaceVector &other) { + if (this != &other) { + CopyFrom(other); + } + return *this; + } + InplaceVector &operator=(InplaceVector &&other) { + clear(); + cxx17_uninitialized_move(other.begin(), other.end(), data()); + size_ = other.size(); + return *this; + } + + const T *data() const { return reinterpret_cast(storage_); } + T *data() { return reinterpret_cast(storage_); } + size_t size() const { return size_; } + static constexpr size_t capacity() { return N; } + bool empty() const { return size_ == 0; } + + const T &operator[](size_t i) const { + BSSL_CHECK(i < size_); + return data()[i]; + } + T &operator[](size_t i) { + BSSL_CHECK(i < size_); + return data()[i]; + } + + T *begin() { return data(); } + const T *begin() const { return data(); } + T *end() { return data() + size_; } + const T *end() const { return data() + size_; } + + void clear() { + cxx17_destroy_n(data(), size_); + size_ = 0; + } + + // TryResize resizes the vector to |new_size| and returns true, or returns + // false if |new_size| is too large. Any newly-added elements are + // value-initialized. 
+ bool TryResize(size_t new_size) { + if (new_size > capacity()) { + return false; + } + if (new_size < size_) { + cxx17_destroy_n(data() + new_size, size_ - new_size); + } else { + cxx17_uninitialized_value_construct_n(data() + size_, new_size - size_); + } + size_ = static_cast>(new_size); + return true; + } + + // TryResizeMaybeUninit behaves like |TryResize|, but newly-added elements are + // default-initialized, so POD types may contain uninitialized values that the + // caller is responsible for filling in. + bool TryResizeMaybeUninit(size_t new_size) { + if (new_size > capacity()) { + return false; + } + if (new_size < size_) { + cxx17_destroy_n(data() + new_size, size_ - new_size); + } else { + cxx17_uninitialized_default_construct_n(data() + size_, new_size - size_); + } + size_ = static_cast>(new_size); + return true; + } + + // TryCopyFrom sets the vector to a copy of |in| and returns true, or returns + // false if |in| is too large. + bool TryCopyFrom(Span in) { + if (in.size() > capacity()) { + return false; + } + clear(); + std::uninitialized_copy(in.begin(), in.end(), data()); + size_ = in.size(); + return true; + } + + // TryPushBack appends |val| to the vector and returns a pointer to the + // newly-inserted value, or nullptr if the vector is at capacity. + T *TryPushBack(T val) { + if (size() >= capacity()) { + return nullptr; + } + T *ret = &data()[size_]; + new (ret) T(std::move(val)); + size_++; + return ret; + } + + // The following methods behave like their |Try*| counterparts, but abort the + // program on failure. 
+ void Resize(size_t size) { BSSL_CHECK(TryResize(size)); } + void ResizeMaybeUninit(size_t size) { + BSSL_CHECK(TryResizeMaybeUninit(size)); + } + void CopyFrom(Span in) { BSSL_CHECK(TryCopyFrom(in)); } + T &PushBack(T val) { + T *ret = TryPushBack(std::move(val)); + BSSL_CHECK(ret != nullptr); + return *ret; + } + + private: + alignas(T) char storage_[sizeof(T[N])]; + PackedSize size_ = 0; +}; + // CBBFinishArray behaves like |CBB_finish| but stores the result in an Array. OPENSSL_EXPORT bool CBBFinishArray(CBB *cbb, Array *out); @@ -472,6 +662,48 @@ inline size_t GetAllNames(const char **out, size_t max_out, return fixed_names.size() + objects.size(); } +// RefCounted is a common base for ref-counted types. This is an instance of the +// C++ curiously-recurring template pattern, so a type Foo must subclass +// RefCounted. It additionally must friend RefCounted to allow calling +// the destructor. +template +class RefCounted { + public: + RefCounted(const RefCounted &) = delete; + RefCounted &operator=(const RefCounted &) = delete; + + // These methods are intentionally named differently from `bssl::UpRef` to + // avoid a collision. Only the implementations of `FOO_up_ref` and `FOO_free` + // should call these. + void UpRefInternal() { CRYPTO_refcount_inc(&references_); } + void DecRefInternal() { + if (CRYPTO_refcount_dec_and_test_zero(&references_)) { + Derived *d = static_cast(this); + d->~Derived(); + OPENSSL_free(d); + } + } + + protected: + // Ensure that only `Derived`, which must inherit from `RefCounted`, + // can call the constructor. This catches bugs where someone inherited from + // the wrong base. + class CheckSubClass { + private: + friend Derived; + CheckSubClass() = default; + }; + RefCounted(CheckSubClass) { + static_assert(std::is_base_of::value, + "Derived must subclass RefCounted"); + } + + ~RefCounted() = default; + + private: + CRYPTO_refcount_t references_ = 1; +}; + // Protocol versions. // 
@@ -554,13 +786,14 @@ BSSL_NAMESPACE_BEGIN #define SSL_kGENERIC 0x00000008u // Bits for |algorithm_auth| (server authentication). -#define SSL_aRSA 0x00000001u -#define SSL_aECDSA 0x00000002u +#define SSL_aRSA_SIGN 0x00000001u +#define SSL_aRSA_DECRYPT 0x00000002u +#define SSL_aECDSA 0x00000004u // SSL_aPSK is set for both PSK and ECDHE_PSK. -#define SSL_aPSK 0x00000004u -#define SSL_aGENERIC 0x00000008u +#define SSL_aPSK 0x00000008u +#define SSL_aGENERIC 0x00000010u -#define SSL_aCERT (SSL_aRSA | SSL_aECDSA) +#define SSL_aCERT (SSL_aRSA_SIGN | SSL_aRSA_DECRYPT | SSL_aECDSA) // Bits for |algorithm_enc| (symmetric encryption). #define SSL_3DES 0x00000001u @@ -643,7 +876,7 @@ Span AllCiphers(); bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, size_t *out_mac_secret_len, size_t *out_fixed_iv_len, const SSL_CIPHER *cipher, - uint16_t version, bool is_dtls); + uint16_t version); // ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and // |cipher|. @@ -661,8 +894,9 @@ bool ssl_create_cipher_list(UniquePtr *out_cipher_list, bool strict); // ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth| -// values suitable for use with |key| in TLS 1.2 and below. -uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key); +// values suitable for use with |key| in TLS 1.2 and below. |sign_ok| indicates +// whether |key| may be used for signing. +uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key, bool sign_ok); // ssl_cipher_uses_certificate_auth returns whether |cipher| authenticates the // server and, optionally, the client with a certificate. 
@@ -681,12 +915,11 @@ bool ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher); size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher); // ssl_choose_tls13_cipher returns an |SSL_CIPHER| corresponding with the best -// available from |cipher_suites| compatible with |version|, |group_id|, and -// |policy|. It returns NULL if there isn't a compatible cipher. |has_aes_hw| -// indicates if the choice should be made as if support for AES in hardware -// is available. +// available from |cipher_suites| compatible with |version| and |policy|. It +// returns NULL if there isn't a compatible cipher. |has_aes_hw| indicates if +// the choice should be made as if support for AES in hardware is available. const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw, - uint16_t version, uint16_t group_id, + uint16_t version, enum ssl_compliance_policy_t policy); // ssl_tls13_cipher_meets_policy returns true if |cipher_id| is acceptable given @@ -783,11 +1016,22 @@ bool tls1_prf(const EVP_MD *digest, Span out, // Encryption layer. +class RecordNumberEncrypter { + public: + virtual ~RecordNumberEncrypter() = default; + static constexpr bool kAllowUniquePtr = true; + static constexpr size_t kMaxKeySize = 32; + + virtual size_t KeySize() = 0; + virtual bool SetKey(Span key) = 0; + virtual bool GenerateMask(Span out, Span sample) = 0; +}; + // SSLAEADContext contains information about an AEAD that is being used to // encrypt an SSL connection. class SSLAEADContext { public: - SSLAEADContext(uint16_t version, bool is_dtls, const SSL_CIPHER *cipher); + explicit SSLAEADContext(const SSL_CIPHER *cipher); ~SSLAEADContext(); static constexpr bool kAllowUniquePtr = true; 
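Review bot: The new RecordNumberEncrypter interface carries no contract documentation, so an implementer cannot tell from the header what `SetKey` must accept or how `kMaxKeySize` relates to `KeySize()`. Assuming the subclasses later in the patch reflect the intent, comments along the lines of `// KeySize returns the number of key bytes |SetKey| expects; it never exceeds |kMaxKeySize|.`, `// SetKey installs |key|, which must be exactly |KeySize()| bytes, and returns false otherwise.` and `// GenerateMask derives the record number mask from |sample| and writes it to |out|; see |SSLAEADContext::GenerateRecordNumberMask| for the size requirements.` would make the expected input checks explicit. The "exactly |KeySize()| bytes" and "returns false" parts are my reading of the bool return, not something the hunk states, so confirm against the implementations before committing to that wording.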
@@ -795,38 +1039,23 @@ class SSLAEADContext { SSLAEADContext &operator=(const SSLAEADContext &&) = delete; // CreateNullCipher creates an |SSLAEADContext| for the null cipher. - static UniquePtr CreateNullCipher(bool is_dtls); + static UniquePtr CreateNullCipher(); // Create creates an |SSLAEADContext| using the supplied key material. It // returns nullptr on error. Only one of |Open| or |Seal| may be used with the - // resulting object, depending on |direction|. |version| is the normalized - // protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef. + // resulting object, depending on |direction|. |version| is the wire version. static UniquePtr Create(enum evp_aead_direction_t direction, - uint16_t version, bool is_dtls, + uint16_t version, const SSL_CIPHER *cipher, Span enc_key, Span mac_key, Span fixed_iv); // CreatePlaceholderForQUIC creates a placeholder |SSLAEADContext| for the - // given cipher and version. The resulting object can be queried for various - // properties but cannot encrypt or decrypt data. + // given cipher. The resulting object can be queried for various properties + // but cannot encrypt or decrypt data. static UniquePtr CreatePlaceholderForQUIC( - uint16_t version, const SSL_CIPHER *cipher); - - // SetVersionIfNullCipher sets the version the SSLAEADContext for the null - // cipher, to make version-specific determinations in the record layer prior - // to a cipher being selected. - void SetVersionIfNullCipher(uint16_t version); - - // ProtocolVersion returns the protocol version associated with this - // SSLAEADContext. It can only be called once |version_| has been set to a - // valid value. - uint16_t ProtocolVersion() const; - - // RecordVersion returns the record version that should be used with this - // SSLAEADContext for record construction and crypto. - uint16_t RecordVersion() const; + const SSL_CIPHER *cipher); const SSL_CIPHER *cipher() const { return cipher_; } 
@@ -888,6 +1117,17 @@ class SSLAEADContext { bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const; + RecordNumberEncrypter *GetRecordNumberEncrypter() { + return rn_encrypter_.get(); + } + + // GenerateRecordNumberMask computes the mask used for DTLS 1.3 record number + // encryption (RFC 9147 section 4.2.3), writing it to |out|. The |out| buffer + // must be sized to AES_BLOCK_SIZE. The |sample| buffer must be at least 16 + // bytes, as required by the AES and ChaCha20 cipher suites in RFC 9147. Extra + // bytes in |sample| will be ignored. + bool GenerateRecordNumberMask(Span out, Span sample); + private: // GetAdditionalData returns the additional data, writing into |storage| if // necessary. @@ -896,16 +1136,15 @@ class SSLAEADContext { uint64_t seqnum, size_t plaintext_len, Span header); + void CreateRecordNumberEncrypter(); + const SSL_CIPHER *cipher_; ScopedEVP_AEAD_CTX ctx_; // fixed_nonce_ contains any bytes of the nonce that are fixed for all // records. - uint8_t fixed_nonce_[12]; - uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0; - // version_ is the wire version that should be used with this AEAD. - uint16_t version_; - // is_dtls_ is whether DTLS is being used with this AEAD. - bool is_dtls_; + InplaceVector fixed_nonce_; + uint8_t variable_nonce_len_ = 0; + UniquePtr rn_encrypter_; // variable_nonce_included_in_record_ is true if the variable nonce // for a record is included as a prefix before the ciphertext. bool variable_nonce_included_in_record_ : 1; 
@@ -923,20 +1162,70 @@ class SSLAEADContext { bool ad_is_header_ : 1; }; +class AESRecordNumberEncrypter : public RecordNumberEncrypter { + public: + bool SetKey(Span key) override; + bool GenerateMask(Span out, Span sample) override; + + private: + AES_KEY key_; +}; + +class AES128RecordNumberEncrypter : public AESRecordNumberEncrypter { + public: + size_t KeySize() override; +}; + +class AES256RecordNumberEncrypter : public AESRecordNumberEncrypter { + public: + size_t KeySize() override; +}; + +class ChaChaRecordNumberEncrypter : public RecordNumberEncrypter { + public: + size_t KeySize() override; + bool SetKey(Span key) override; + bool GenerateMask(Span out, Span sample) override; + + private: + static const size_t kKeySize = 32; + uint8_t key_[kKeySize]; +}; + +#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) +class NullRecordNumberEncrypter : public RecordNumberEncrypter { + public: + size_t KeySize() override; + bool SetKey(Span key) override; + bool GenerateMask(Span out, Span sample) override; +}; +#endif // BORINGSSL_UNSAFE_FUZZER_MODE + // DTLS replay bitmap. // DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect // replayed packets. It should be initialized by zeroing every field. struct DTLS1_BITMAP { - // map is a bit mask of the last 64 sequence numbers. Bit - // |1< map; // max_seq_num is the largest sequence number seen so far as a 64-bit // integer. uint64_t max_seq_num = 0; }; +// reconstruct_seqnum takes the low order bits of a record sequence number from +// the wire and reconstructs the full sequence number. It does so using the +// algorithm described in section 4.2.2 of RFC 9147, where |wire_seq| is the +// low bits of the sequence number as seen on the wire, |seq_mask| is a bitmask +// of 8 or 16 1 bits corresponding to the length of the sequence number on the +// wire, and |max_valid_seqnum| is the largest sequence number of a record +// successfully deprotected in this epoch. 
This function returns the sequence +// number that is numerically closest to one plus |max_valid_seqnum| that when +// bitwise and-ed with |seq_mask| equals |wire_seq|. +OPENSSL_EXPORT uint64_t reconstruct_seqnum(uint16_t wire_seq, uint64_t seq_mask, + uint64_t max_valid_seqnum); // Record layer. @@ -990,17 +1279,9 @@ enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, size_t *out_consumed, uint8_t *out_alert, Span in); -// ssl_seal_align_prefix_len returns the length of the prefix before the start -// of the bulk of the ciphertext when sealing a record with |ssl|. Callers may -// use this to align buffers. -// -// Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte -// record and is the offset into second record's ciphertext. Thus sealing a -// small record may result in a smaller output than this value. -// -// TODO(davidben): Is this alignment valuable? Record-splitting makes this a -// mess. -size_t ssl_seal_align_prefix_len(const SSL *ssl); +// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher +// state needs record-splitting and zero otherwise. +bool ssl_needs_record_splitting(const SSL *ssl); // tls_seal_record seals a new record of type |type| and body |in| and writes it // to |out|. At most |max_out| bytes will be written. It returns true on success @@ -1008,7 +1289,7 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl); // 1/n-1 record splitting and may write two records concatenated. // // For a large record, the bulk of the ciphertext will begin -// |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may +// |tls_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may // improve performance. It writes at most |in_len| + |SSL_max_seal_overhead| // bytes to |out|. // 
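Review bot: ChaChaRecordNumberEncrypter stores its raw 32-byte key in `uint8_t key_[kKeySize]` and AESRecordNumberEncrypter stores an expanded `AES_KEY key_`, yet neither declares a destructor, so the DTLS 1.3 record-number key schedule is left in freed memory when SSLAEADContext drops `rn_encrypter_`. A `~ChaChaRecordNumberEncrypter() override { OPENSSL_cleanse(key_, sizeof(key_)); }` and the analogous `OPENSSL_cleanse(&key_, sizeof(key_))` in AESRecordNumberEncrypter would cleanse it; whether the surrounding record layer cleanses comparable per-connection keys on teardown is not visible in this hunk, so treat this as a consistency question rather than a confirmed gap. Separately, the `reconstruct_seqnum` comment describes the closest-match rule but not what callers must do when the reconstructed value exceeds the 48-bit DTLS sequence space; a sentence stating whether the function or its caller enforces that bound would remove the ambiguity.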
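Review bot: The retained comment above `tls_seal_record` now cites `|tls_seal_align_prefix_len|`, but the only declaration with that role in this header, `ssl_seal_align_prefix_len`, is removed by the previous hunk and replaced with `ssl_needs_record_splitting`. If `tls_seal_align_prefix_len` exists as a file-local helper in the record-layer source, the comment should say so (e.g. `// |tls_seal_align_prefix_len| (internal to tls_record.cc) bytes into out.`); if it does not exist, the sentence should be dropped so the header does not document a function nobody can find.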
@@ -1016,26 +1297,25 @@ size_t ssl_seal_align_prefix_len(const SSL *ssl); bool tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint8_t type, const uint8_t *in, size_t in_len); -enum dtls1_use_epoch_t { - dtls1_use_previous_epoch, - dtls1_use_current_epoch, -}; +// dtls_record_header_write_len returns the length of the record header that +// will be written at |epoch|. +size_t dtls_record_header_write_len(const SSL *ssl, uint16_t epoch); // dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a // record. -size_t dtls_max_seal_overhead(const SSL *ssl, enum dtls1_use_epoch_t use_epoch); +size_t dtls_max_seal_overhead(const SSL *ssl, uint16_t epoch); // dtls_seal_prefix_len returns the number of bytes of prefix to reserve in // front of the plaintext when sealing a record in-place. -size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch); +size_t dtls_seal_prefix_len(const SSL *ssl, uint16_t epoch); -// dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects -// which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| -// may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes +// dtls_seal_record implements |tls_seal_record| for DTLS. |epoch| selects which +// epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out| may +// alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes // ahead of |out|. bool dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint8_t type, const uint8_t *in, size_t in_len, - enum dtls1_use_epoch_t use_epoch); + uint16_t epoch); // ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown // state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|, 
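Review bot: Replacing the two-value `dtls1_use_epoch_t` with a bare `uint16_t epoch` widens the accepted input from two known states to any epoch number, but the comments on `dtls_record_header_write_len`, `dtls_max_seal_overhead`, `dtls_seal_prefix_len` and `dtls_seal_record` do not say what happens when |epoch| has no installed write state (not yet established, or already discarded). A sentence such as `// |epoch| must name an epoch whose write keys are currently installed; the call fails otherwise.` on `dtls_seal_record`, with the size helpers noting the same precondition, would make the contract explicit; whether the implementation fails or asserts on an unknown epoch is not visible here, so word it to match what the code actually does.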
@@ -1047,9 +1327,6 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, // Private key operations. -// ssl_has_private_key returns whether |hs| has a private key configured. -bool ssl_has_private_key(const SSL_HANDSHAKE *hs); - // ssl_private_key_* perform the corresponding operation on // |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they // call the corresponding function or |complete| depending on whether there is a @@ -1066,10 +1343,10 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs, size_t max_out, Span in); -// ssl_private_key_supports_signature_algorithm returns whether |hs|'s private -// key supports |sigalg|. -bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs, - uint16_t sigalg); +// ssl_pkey_supports_algorithm returns whether |pkey| may be used to sign +// |sigalg|. +bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, + uint16_t sigalg, bool is_verify); // ssl_public_key_verify verifies that the |signature| is valid for the public // key |pkey| and input |in|, using the signature algorithm |sigalg|. @@ -1093,18 +1370,17 @@ class SSLKeyShare { public: virtual ~SSLKeyShare() {} static constexpr bool kAllowUniquePtr = true; - HAS_VIRTUAL_DESTRUCTOR // Create returns a SSLKeyShare instance for use with group |group_id| or // nullptr on error. static UniquePtr Create(uint16_t group_id); // GroupID returns the group ID. - virtual uint16_t GroupID() const PURE_VIRTUAL; + virtual uint16_t GroupID() const = 0; // Generate generates a keypair and writes the public key to |out_public_key|. // It returns true on success and false on error. - virtual bool Generate(CBB *out_public_key) PURE_VIRTUAL; + virtual bool Generate(CBB *out_public_key) = 0; // Encap generates an ephemeral, symmetric secret and encapsulates it with // |peer_key|. On success, it returns true, writes the encapsulated secret to 
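Review bot: The new `ssl_pkey_supports_algorithm` is documented as returning "whether |pkey| may be used to sign |sigalg|", but its `bool is_verify` parameter is not mentioned at all, so the one mode that differs from the sentence is undocumented. Presumably `is_verify` switches the check to whether |pkey| may be used to verify a peer signature under |sigalg|; if so, `// If |is_verify| is true, the check is instead whether |pkey| may verify a signature made with |sigalg|.` should be appended. If the flag instead only relaxes some signing-side restriction, the comment needs to say that, since callers on the verify path will otherwise pass the wrong value.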
@@ -1112,13 +1388,13 @@ class SSLKeyShare { // it returns false and sets |*out_alert| to an alert to send to the peer. virtual bool Encap(CBB *out_ciphertext, Array *out_secret, uint8_t *out_alert, - Span peer_key) PURE_VIRTUAL; + Span peer_key) = 0; // Decap decapsulates the symmetric secret in |ciphertext|. On success, it // returns true and sets |*out_secret| to the shared secret. On failure, it // returns false and sets |*out_alert| to an alert to send to the peer. virtual bool Decap(Array *out_secret, uint8_t *out_alert, - Span ciphertext) PURE_VIRTUAL; + Span ciphertext) = 0; // SerializePrivateKey writes the private key to |out|, returning true if // successful and false otherwise. It should be called after |Generate|. @@ -1199,12 +1475,6 @@ bool dtls_has_unprocessed_handshake_data(const SSL *ssl); bool tls_flush_pending_hs_data(SSL *ssl); struct DTLS_OUTGOING_MESSAGE { - DTLS_OUTGOING_MESSAGE() {} - DTLS_OUTGOING_MESSAGE(const DTLS_OUTGOING_MESSAGE &) = delete; - DTLS_OUTGOING_MESSAGE &operator=(const DTLS_OUTGOING_MESSAGE &) = delete; - - void Clear(); - Array data; uint16_t epoch = 0; bool is_ccs = false; @@ -1307,10 +1577,6 @@ int ssl_write_buffer_flush(SSL *ssl); // Certificate functions. -// ssl_has_certificate returns whether a certificate and private key are -// configured. -bool ssl_has_certificate(const SSL_HANDSHAKE *hs); - // ssl_parse_cert_chain parses a certificate list from |cbs| in the format used // by a TLS Certificate message. On success, it advances |cbs| and returns // true. Otherwise, it returns false and sets |*out_alert| to an alert to send 
@@ -1328,11 +1594,6 @@ bool ssl_parse_cert_chain(uint8_t *out_alert, uint8_t *out_leaf_sha256, CBS *cbs, CRYPTO_BUFFER_POOL *pool); -// ssl_add_cert_chain adds |hs->ssl|'s certificate chain to |cbb| in the format -// used by a TLS Certificate message. If there is no certificate chain, it emits -// an empty certificate list. It returns true on success and false on error. -bool ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb); - enum ssl_key_usage_t { key_usage_digital_signature = 0, key_usage_encipherment = 2, @@ -1371,11 +1632,6 @@ bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb); bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, const CRYPTO_BUFFER *leaf); -// ssl_on_certificate_selected is called once the certificate has been selected. -// It finalizes the certificate and initializes |hs->local_pubkey|. It returns -// true on success and false on error. -bool ssl_on_certificate_selected(SSL_HANDSHAKE *hs); - // TLS 1.3 key derivation. @@ -1439,7 +1695,8 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, // tls13_derive_session_psk calculates the PSK for this session based on the // resumption master secret and |nonce|. It returns true on success, and false // on failure. -bool tls13_derive_session_psk(SSL_SESSION *session, Span nonce); +bool tls13_derive_session_psk(SSL_SESSION *session, Span nonce, + bool is_dtls); // tls13_write_psk_binder calculates the PSK binder value over |transcript| and // |msg|, and replaces the last bytes of |msg| with the resulting value. It 
@@ -1584,43 +1841,117 @@ size_t ssl_ech_extension_body_length(const EVP_HPKE_AEAD *aead, size_t enc_len, bool ssl_encrypt_client_hello(SSL_HANDSHAKE *hs, Span enc); -// Delegated credentials. +// Credentials. -// This structure stores a delegated credential (DC) as defined by -// draft-ietf-tls-subcerts-03. -struct DC { - static constexpr bool kAllowUniquePtr = true; - ~DC(); +enum class SSLCredentialType { + kX509, + kDelegated, +}; + +BSSL_NAMESPACE_END + +// SSL_CREDENTIAL is exported to C, so it must be defined outside the namespace. +struct ssl_credential_st : public bssl::RefCounted { + explicit ssl_credential_st(bssl::SSLCredentialType type); + ssl_credential_st(const ssl_credential_st &) = delete; + ssl_credential_st &operator=(const ssl_credential_st &) = delete; + + // Dup returns a copy of the credential, or nullptr on error. The |ex_data| + // values are not copied. This is only used on the legacy credential, whose + // |ex_data| is inaccessible. + bssl::UniquePtr Dup() const; + + // ClearCertAndKey erases any certificate and private key on the credential. + void ClearCertAndKey(); + + // UsesX509 returns true if the credential type uses an X.509 certificate. + bool UsesX509() const; - // Dup returns a copy of this DC and takes references to |raw| and |pkey|. - UniquePtr Dup(); + // UsesPrivateKey returns true if the credential type uses an asymmetric + // private key. + bool UsesPrivateKey() const; - // Parse parses the delegated credential stored in |in|. If successful it - // returns the parsed structure, otherwise it returns |nullptr| and sets - // |*out_alert|. - static UniquePtr Parse(CRYPTO_BUFFER *in, uint8_t *out_alert); + // IsComplete returns whether all required fields in the credential have been + // filled in. + bool IsComplete() const; - // raw is the delegated credential encoded as specified in draft-ietf-tls- - // subcerts-03. 
- UniquePtr raw; + // SetLeafCert sets the leaf certificate to |leaf|, leaving the remaining + // certificates unmodified. It returns true on success and false on error. If + // |discard_key_on_mismatch| is true and the private key is inconsistent with + // the new leaf certificate, it is silently discarded. + bool SetLeafCert(bssl::UniquePtr leaf, + bool discard_key_on_mismatch); - // expected_cert_verify_algorithm is the signature scheme of the DC public - // key. - uint16_t expected_cert_verify_algorithm = 0; + // ClearIntermediateCerts clears intermediate certificates in the certificate + // chain, while preserving the leaf. + void ClearIntermediateCerts(); - // pkey is the public key parsed from |public_key|. - UniquePtr pkey; + // AppendIntermediateCert appends |cert| to the certificate chain. If there is + // no leaf certificate configured, it leaves a placeholder null in |chain|. It + // returns one on success and zero on error. + bool AppendIntermediateCert(bssl::UniquePtr cert); + + // type is the credential type and determines which other fields apply. + bssl::SSLCredentialType type; + + // pubkey is the cached public key of the credential. Unlike |privkey|, it is + // always present and is extracted from the certificate, delegated credential, + // etc. + bssl::UniquePtr pubkey; + + // privkey is the private key of the credential. It may be omitted in favor of + // |key_method|. + bssl::UniquePtr privkey; + + // key_method, if non-null, is a set of callbacks to call for private key + // operations. + const SSL_PRIVATE_KEY_METHOD *key_method = nullptr; + + // sigalgs, if non-empty, is the set of signature algorithms supported by the + // private key in decreasing order of preference. If empty, the default list + // is used. + // + // In delegated credentials, this field is not configurable and is instead + // computed from the dc_cert_verify_algorithm field. 
+ bssl::Array sigalgs; + + // chain contains the certificate chain, with the leaf at the beginning. The + // first element of |chain| may be nullptr to indicate that the leaf + // certificate has not yet been set. + // If |chain| != nullptr -> len(chain) >= 1 + // If |chain[0]| == nullptr -> len(chain) >= 2. + // |chain[1..]| != nullptr + bssl::UniquePtr chain; + + // dc is the DelegatedCredential structure, if this is a delegated credential. + bssl::UniquePtr dc; + + // dc_algorithm is the signature scheme of the signature over the delegated + // credential itself, made by the end-entity certificate's public key. + uint16_t dc_algorithm = 0; + + // Signed certificate timestamp list to be sent to the client, if requested + bssl::UniquePtr signed_cert_timestamp_list; + + // OCSP response to be sent to the client, if requested. + bssl::UniquePtr ocsp_response; + + CRYPTO_EX_DATA ex_data; private: - friend DC* New(); - DC(); + friend RefCounted; + ~ssl_credential_st(); }; -// ssl_signing_with_dc returns true if the peer has indicated support for -// delegated credentials and this host has sent a delegated credential in -// response. If this is true then we've committed to using the DC in the -// handshake. -bool ssl_signing_with_dc(const SSL_HANDSHAKE *hs); +BSSL_NAMESPACE_BEGIN + +// ssl_get_credential_list computes |hs|'s credential list. On success, it +// writes it to |*out| and returns true. Otherwise, it returns false. The +// credential list may be empty, in which case this function will successfully +// return an empty array. +// +// The pointers in the result are only valid until |hs| is next mutated. +bool ssl_get_credential_list(SSL_HANDSHAKE *hs, Array *out); // Handshake functions. @@ -1661,7 +1992,7 @@ enum tls12_server_hs_state_t { state12_start_accept = 0, state12_read_client_hello, state12_read_client_hello_after_ech, - state12_select_certificate, + state12_cert_callback, state12_tls13, state12_select_parameters, state12_send_server_hello, 
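Review bot: The documentation on `AppendIntermediateCert` says it "returns one on success and zero on error" while the function returns `bool` and its siblings `SetLeafCert` and `Dup` speak of true/false and nullptr; `// It returns true on success and false on error.` keeps the struct's own vocabulary. More importantly, `SetLeafCert` with `discard_key_on_mismatch` describes the private key as "silently discarded" without stating the observable consequence, which is that the credential presumably stops being `IsComplete()` and, if it was the legacy credential, drops out of the handshake's credential list; a clause such as `// ... it is silently discarded, so |IsComplete| returns false until a matching key is set.` would warn callers of the legacy APIs about that. The `key_method` comment could also note who owns the pointed-to method table and for how long, since it is a raw pointer held across the credential's lifetime.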
@@ -1863,7 +2194,8 @@ struct SSL_HANDSHAKE { // dtls_cookie is the value of the cookie in DTLS HelloVerifyRequest. If // empty, either none was received or HelloVerifyRequest contained an empty - // cookie. + // cookie. Check the received_hello_verify_request field to distinguish an + // empty cookie from no HelloVerifyRequest message being received. Array dtls_cookie; // ech_client_outer contains the outer ECH extension to send in the @@ -1896,7 +2228,8 @@ struct SSL_HANDSHAKE { Array peer_supported_group_list; // peer_delegated_credential_sigalgs are the signature algorithms the peer - // supports with delegated credentials. + // supports with delegated credentials, or empty if the peer does not support + // delegated credentials. Array peer_delegated_credential_sigalgs; // peer_key is the peer's ECDH key for a TLS 1.2 client. @@ -1939,8 +2272,8 @@ struct SSL_HANDSHAKE { // received in a CertificateRequest message. Array certificate_types; - // local_pubkey is the public key we are authenticating as. - UniquePtr local_pubkey; + // credential is the credential we are using for the handshake. + UniquePtr credential; // peer_pubkey is the public key parsed from the peer's leaf certificate. UniquePtr peer_pubkey; @@ -2006,10 +2339,6 @@ struct SSL_HANDSHAKE { // ocsp_stapling_requested is true if a client requested OCSP stapling. bool ocsp_stapling_requested : 1; - // delegated_credential_requested is true if the peer indicated support for - // the delegated credential extension. - bool delegated_credential_requested : 1; - // should_ack_sni is used by a server and indicates that the SNI extension // should be echoed in the ServerHello. bool should_ack_sni : 1; 
@@ -2074,6 +2403,10 @@ struct SSL_HANDSHAKE { // handshake. bool channel_id_negotiated : 1; + // received_hello_verify_request is true if we received a HelloVerifyRequest + // message from the server. + bool received_hello_verify_request : 1; + // client_version is the value sent or received in the ClientHello version. uint16_t client_version = 0; @@ -2085,12 +2418,15 @@ struct SSL_HANDSHAKE { // record layer. uint16_t early_data_written = 0; + // signature_algorithm is the signature algorithm to be used in signing with + // the selected credential, or zero if not applicable or not yet selected. + uint16_t signature_algorithm = 0; + // ech_config_id is the ECH config sent by the client. uint8_t ech_config_id = 0; // session_id is the session ID in the ClientHello. - uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0}; - uint8_t session_id_len = 0; + InplaceVector session_id; // grease_seed is the entropy for GREASE values. uint8_t grease_seed[ssl_grease_last_index + 1] = {0}; @@ -2239,6 +2575,11 @@ bool ssl_is_valid_alpn_list(Span in); bool ssl_is_alpn_protocol_allowed(const SSL_HANDSHAKE *hs, Span protocol); +// ssl_alpn_list_contains_protocol returns whether |list|, a serialized ALPN +// protocol list, contains |protocol|. +bool ssl_alpn_list_contains_protocol(Span list, + Span protocol); + // ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns // true on successful negotiation or if nothing was negotiated. It returns false // and sets |*out_alert| to an alert on error. 
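Review bot: `ssl_alpn_list_contains_protocol` takes |list| as a serialized ALPN protocol list, but the comment does not say what the function does when the list is malformed (a length prefix running past the end of |list|), which matters because this header also declares `ssl_is_valid_alpn_list` as a separate check. Either `// |list| must have been validated with |ssl_is_valid_alpn_list|.` or `// A malformed |list| is treated as not containing |protocol|.` should be added, depending on which the implementation does; I cannot tell from this hunk which it is. Returning false on malformed input is the safer contract if callers ever pass peer-supplied data here.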
@@ -2287,8 +2628,14 @@ enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs, bool send_alert); enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs); + +// ssl_send_finished adds a Finished message to the current flight of messages. +// It returns true on success and false on error. bool ssl_send_finished(SSL_HANDSHAKE *hs); -bool ssl_output_cert_chain(SSL_HANDSHAKE *hs); + +// ssl_send_tls12_certificate adds a TLS 1.2 Certificate message to the current +// flight of messages. It returns true on success and false on error. +bool ssl_send_tls12_certificate(SSL_HANDSHAKE *hs); // ssl_handshake_session returns the |SSL_SESSION| corresponding to the current // handshake. Note, in TLS 1.2 resumptions, this session is immutable. 
@@ -2348,28 +2695,20 @@ bool tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs); bool tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey); // tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use -// with |hs|'s private key based on the peer's preferences and the algorithms -// supported. It returns true on success and false on error. -bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out); - -// tls1_get_peer_verify_algorithms returns the signature schemes for which the -// peer indicated support. -// -// NOTE: The related function |SSL_get0_peer_verify_algorithms| only has -// well-defined behavior during the callbacks set by |SSL_CTX_set_cert_cb| and -// |SSL_CTX_set_client_cert_cb|, or when the handshake is paused because of -// them. -Span tls1_get_peer_verify_algorithms(const SSL_HANDSHAKE *hs); +// with |cred| based on the peer's preferences and the algorithms supported. It +// returns true on success and false on error. +bool tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, + const SSL_CREDENTIAL *cred, uint16_t *out); // tls12_add_verify_sigalgs adds the signature algorithms acceptable for the // peer signature to |out|. It returns true on success and false on error. bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out); // tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer -// signature. It returns true on success and false on error, setting +// signature from |pkey|. It returns true on success and false on error, setting // |*out_alert| to an alert to send. bool tls12_check_peer_sigalg(const SSL_HANDSHAKE *hs, uint8_t *out_alert, - uint16_t sigalg); + uint16_t sigalg, EVP_PKEY *pkey); // Underdocumented functions. 
@@ -2387,42 +2726,36 @@ struct CERT { explicit CERT(const SSL_X509_METHOD *x509_method); ~CERT(); - UniquePtr privatekey; - - // chain contains the certificate chain, with the leaf at the beginning. The - // first element of |chain| may be NULL to indicate that the leaf certificate - // has not yet been set. - // If |chain| != NULL -> len(chain) >= 1 - // If |chain[0]| == NULL -> len(chain) >= 2. - // |chain[1..]| != NULL - UniquePtr chain; - - // x509_chain may contain a parsed copy of |chain[1..]|. This is only used as - // a cache in order to implement “get0” functions that return a non-owning - // pointer to the certificate chain. - STACK_OF(X509) *x509_chain = nullptr; + bool is_valid() const { return legacy_credential != nullptr; } - // x509_leaf may contain a parsed copy of the first element of |chain|. This - // is only used as a cache in order to implement “get0” functions that return - // a non-owning pointer to the certificate chain. - X509 *x509_leaf = nullptr; + // credentials is the list of credentials to select between. Elements of this + // array immutable. + Vector> credentials; - // x509_stash contains the last |X509| object append to the chain. This is a - // workaround for some third-party code that continue to use an |X509| object - // even after passing ownership with an “add0” function. - X509 *x509_stash = nullptr; - - // key_method, if non-NULL, is a set of callbacks to call for private key - // operations. - const SSL_PRIVATE_KEY_METHOD *key_method = nullptr; + // legacy_credential is the credential configured by the legacy + // non-credential-based APIs. If IsComplete() returns true, it is appended to + // the list of credentials. + UniquePtr legacy_credential; // x509_method contains pointers to functions that might deal with |X509| // compatibility, or might be a no-op, depending on the application. 
const SSL_X509_METHOD *x509_method = nullptr; - // sigalgs, if non-empty, is the set of signature algorithms supported by - // |privatekey| in decreasing order of preference. - Array sigalgs; + // x509_chain may contain a parsed copy of |chain[1..]| from the legacy + // credential. This is only used as a cache in order to implement “get0” + // functions that return a non-owning pointer to the certificate chain. + STACK_OF(X509) *x509_chain = nullptr; + + // x509_leaf may contain a parsed copy of the first element of |chain| from + // the legacy credential. This is only used as a cache in order to implement + // “get0” functions that return a non-owning pointer to the certificate chain. + X509 *x509_leaf = nullptr; + + // x509_stash contains the last |X509| object append to the legacy + // credential's chain. This is a workaround for some third-party code that + // continue to use an |X509| object even after passing ownership with an + // “add0” function. + X509 *x509_stash = nullptr; // Certificate setup callback: if set is called whenever a // certificate may be required (client or server). the callback 
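Review bot: The new comment on `CERT::credentials` is missing a verb and reads as a fragment: `// credentials is the list of credentials to select between. Elements of this array immutable.` should be `// ... Elements of this array are immutable.`. The comment on `legacy_credential` refers to `IsComplete()`, which is declared outside this hunk (presumably on `SSL_CREDENTIAL`); naming the owner, `If |legacy_credential->IsComplete()| returns true, ...`, would save the next reader a lookup. The `CERT` struct continues past the end of the hunk.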
@@ -2437,29 +2770,9 @@ struct CERT { // store is used instead. X509_STORE *verify_store = nullptr; - // Signed certificate timestamp list to be sent to the client, if requested - UniquePtr signed_cert_timestamp_list; - - // OCSP response to be sent to the client, if requested. - UniquePtr ocsp_response; - // sid_ctx partitions the session space within a shared session cache or // ticket key. Only sessions with a matching value will be accepted. - uint8_t sid_ctx_length = 0; - uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH] = {0}; - - // Delegated credentials. - - // dc is the delegated credential to send to the peer (if requested). - UniquePtr dc = nullptr; - - // dc_privatekey is used instead of |privatekey| or |key_method| to - // authenticate the host if a delegated credential is used in the handshake. - UniquePtr dc_privatekey = nullptr; - - // dc_key_method, if not NULL, is used instead of |dc_privatekey| to - // authenticate the host. - const SSL_PRIVATE_KEY_METHOD *dc_key_method = nullptr; + InplaceVector sid_ctx; }; // |SSL_PROTOCOL_METHOD| abstracts between TLS and DTLS. @@ -2719,6 +3032,11 @@ struct SSL3_STATE { enum ssl_encryption_level_t read_level = ssl_encryption_initial; enum ssl_encryption_level_t write_level = ssl_encryption_initial; + // version is the protocol version, or zero if the version has not yet been + // set. In clients offering 0-RTT, this version will initially be set to the + // early version, then switched to the final version. + uint16_t version = 0; + // early_data_skipped is the amount of early data that has been skipped by the // record layer. uint16_t early_data_skipped = 0; 
@@ -2740,10 +3058,6 @@ struct SSL3_STATE { // messages when 0RTT is rejected. bool skip_early_data : 1; - // have_version is true if the connection's final version is known. Otherwise - // the version has not been negotiated yet. - bool have_version : 1; - // v2_hello_done is true if the peer's V2ClientHello, if any, has been handled // and future messages should use the record layer. bool v2_hello_done : 1; @@ -2763,10 +3077,6 @@ struct SSL3_STATE { // session_reused indicates whether a session was resumed. bool session_reused : 1; - // delegated_credential_used is whether we presented a delegated credential to - // the peer. - bool delegated_credential_used : 1; - bool send_connection_binding : 1; // channel_id_valid is true if, on the server, the client has negotiated a @@ -2831,18 +3141,13 @@ struct SSL3_STATE { // one. UniquePtr hs; - uint8_t write_traffic_secret[SSL_MAX_MD_SIZE] = {0}; - uint8_t read_traffic_secret[SSL_MAX_MD_SIZE] = {0}; - uint8_t exporter_secret[SSL_MAX_MD_SIZE] = {0}; - uint8_t write_traffic_secret_len = 0; - uint8_t read_traffic_secret_len = 0; - uint8_t exporter_secret_len = 0; + InplaceVector write_traffic_secret; + InplaceVector read_traffic_secret; + InplaceVector exporter_secret; // Connection binding to prevent renegotiation attacks - uint8_t previous_client_finished[12] = {0}; - uint8_t previous_client_finished_len = 0; - uint8_t previous_server_finished_len = 0; - uint8_t previous_server_finished[12] = {0}; + InplaceVector previous_client_finished; + InplaceVector previous_server_finished; uint8_t send_alert[2] = {0}; 
@@ -2885,7 +3190,23 @@ struct SSL3_STATE { }; // lengths of messages -#define DTLS1_RT_HEADER_LENGTH 13 +#define DTLS1_RT_MAX_HEADER_LENGTH 13 + +// DTLS_PLAINTEXT_RECORD_HEADER_LENGTH is the length of the DTLS record header +// for plaintext records (in DTLS 1.3) or DTLS versions <= 1.2. +#define DTLS_PLAINTEXT_RECORD_HEADER_LENGTH 13 + +// DTLS1_3_RECORD_HEADER_LENGTH is the length of the DTLS 1.3 record header +// sent by BoringSSL for encrypted records. Note that received encrypted DTLS +// 1.3 records might have a different length header. +#define DTLS1_3_RECORD_HEADER_WRITE_LENGTH 5 + +static_assert(DTLS1_RT_MAX_HEADER_LENGTH >= DTLS_PLAINTEXT_RECORD_HEADER_LENGTH, + "DTLS1_RT_MAX_HEADER_LENGTH must not be smaller than defined " + "record header lengths"); +static_assert(DTLS1_RT_MAX_HEADER_LENGTH >= DTLS1_3_RECORD_HEADER_WRITE_LENGTH, + "DTLS1_RT_MAX_HEADER_LENGTH must not be smaller than defined " + "record header lengths"); #define DTLS1_HM_HEADER_LENGTH 12 @@ -2930,6 +3251,14 @@ struct OPENSSL_timeval { uint32_t tv_usec; }; +// A DTLSEpochState object contains state about a DTLS epoch. +struct DTLSEpochState { + static constexpr bool kAllowUniquePtr = true; + + UniquePtr aead_write_ctx; + uint64_t write_sequence = 0; +}; + struct DTLS1_STATE { static constexpr bool kAllowUniquePtr = true; @@ -2961,9 +3290,12 @@ struct DTLS1_STATE { uint16_t handshake_write_seq = 0; uint16_t handshake_read_seq = 0; - // save last sequence number for retransmissions - uint64_t last_write_sequence = 0; - UniquePtr last_aead_write_ctx; + // state from the last epoch + DTLSEpochState last_epoch_state; + + // In DTLS 1.3, this contains the write AEAD for the initial encryption level. + // TODO(crbug.com/boringssl/715): Drop this when it is no longer needed. + UniquePtr initial_epoch_state; // incoming_messages is a ring buffer of incoming handshake messages that have // yet to be processed. The front of the ring buffer is message number 
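Review bot: The comment above `DTLS1_3_RECORD_HEADER_WRITE_LENGTH` documents a macro with a different name, `// DTLS1_3_RECORD_HEADER_LENGTH is the length of the DTLS 1.3 record header`, which will mislead anyone grepping for the constant. It should read `// DTLS1_3_RECORD_HEADER_WRITE_LENGTH is the length of the DTLS 1.3 record header sent by BoringSSL for encrypted records.` The trailing caveat that received encrypted records may carry a different header length is the important part and should stay, since it is why the name carries `WRITE`. The two `static_assert`s share an identical message; giving each the name of the constant it checks would make a failure self-explanatory.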
@@ -2973,8 +3305,8 @@ struct DTLS1_STATE { // outgoing_messages is the queue of outgoing messages from the last handshake // flight. - DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT]; - uint8_t outgoing_messages_len = 0; + InplaceVector + outgoing_messages; // outgoing_written is the number of outgoing messages that have been // written. @@ -3072,7 +3404,7 @@ struct SSL_CONFIG { // alps_configs contains the list of supported protocols to use with ALPS, // along with their corresponding ALPS values. - GrowableArray alps_configs; + Vector alps_configs; // Contains the QUIC transport params that this endpoint will send. Array quic_transport_params; @@ -3157,6 +3489,15 @@ struct SSL_CONFIG { // alps_use_new_codepoint if set indicates we use new ALPS extension codepoint // to negotiate and convey application settings. bool alps_use_new_codepoint : 1; + + // check_client_certificate_type indicates whether the client, in TLS 1.2 and + // below, will check its certificate against the server's requested + // certificate types. + bool check_client_certificate_type : 1; + + // check_ecdsa_curve indicates whether the server, in TLS 1.2 and below, will + // check its certificate against the client's supported ECDSA curves. + bool check_ecdsa_curve : 1; }; // From RFC 8446, used in determining PSK modes. @@ -3168,7 +3509,6 @@ struct SSL_CONFIG { static const size_t kMaxEarlyDataAccepted = 14336; UniquePtr ssl_cert_dup(CERT *cert); -void ssl_cert_clear_certs(CERT *cert); bool ssl_set_cert(CERT *cert, UniquePtr buffer); bool ssl_is_key_type_supported(int key_type); // ssl_compare_public_and_private_key returns true if |pubkey| is the public 
@@ -3176,7 +3516,6 @@ bool ssl_is_key_type_supported(int key_type); // message on the error queue. bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey, const EVP_PKEY *privkey); -bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey); bool ssl_get_new_session(SSL_HANDSHAKE *hs); bool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out, const SSL_SESSION *session); @@ -3313,7 +3652,7 @@ int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake, // dtls1_write_record sends a record. It returns one on success and <= 0 on // error. int dtls1_write_record(SSL *ssl, int type, Span in, - enum dtls1_use_epoch_t use_epoch); + uint16_t epoch); int dtls1_retransmit_outgoing_messages(SSL *ssl); bool dtls1_parse_fragment(CBS *cbs, struct hm_header_st *out_hdr, @@ -3346,8 +3685,11 @@ bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction, bool tls1_change_cipher_state(SSL_HANDSHAKE *hs, evp_aead_direction_t direction); -int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out, - Span premaster); + +// tls1_generate_master_secret computes the master secret from |premaster| and +// writes it to |out|. |out| must have size |SSL3_MASTER_SECRET_SIZE|. +bool tls1_generate_master_secret(SSL_HANDSHAKE *hs, Span out, + Span premaster); // tls1_get_grouplist returns the locally-configured group preference list. Span tls1_get_grouplist(const SSL_HANDSHAKE *ssl); @@ -3459,7 +3801,7 @@ struct ssl_method_st { const bssl::SSL_X509_METHOD *x509_method; }; -struct ssl_ctx_st { +struct ssl_ctx_st : public bssl::RefCounted { explicit ssl_ctx_st(const SSL_METHOD *ssl_method); ssl_ctx_st(const ssl_ctx_st &) = delete; ssl_ctx_st &operator=(const ssl_ctx_st &) = delete; 
@@ -3529,8 +3871,6 @@ struct ssl_ctx_st { SSL_SESSION *(*get_session_cb)(SSL *ssl, const uint8_t *data, int len, int *copy) = nullptr; - CRYPTO_refcount_t references = 1; - // if defined, these override the X509_verify_cert() calls int (*app_verify_callback)(X509_STORE_CTX *store_ctx, void *arg) = nullptr; void *app_verify_arg = nullptr; @@ -3670,7 +4010,7 @@ struct ssl_ctx_st { bssl::UniquePtr srtp_profiles; // Defined compression algorithms for certificates. - bssl::GrowableArray cert_compression_algs; + bssl::Vector cert_compression_algs; // Supported group values inherited by SSL structure bssl::Array supported_group_list; @@ -3767,8 +4107,8 @@ struct ssl_ctx_st { bool aes_hw_override_value : 1; private: + friend RefCounted; ~ssl_ctx_st(); - friend OPENSSL_EXPORT void SSL_CTX_free(SSL_CTX *); }; struct ssl_st { @@ -3787,9 +4127,6 @@ struct ssl_st { // that instead, and skip the null check.) bssl::UniquePtr config; - // version is the protocol version. - uint16_t version = 0; - uint16_t max_send_fragment = 0; // There are 2 BIO's even though they are normally both the same. This is so @@ -3860,13 +4197,11 @@ struct ssl_st { bool enable_early_data : 1; }; -struct ssl_session_st { +struct ssl_session_st : public bssl::RefCounted { explicit ssl_session_st(const bssl::SSL_X509_METHOD *method); ssl_session_st(const ssl_session_st &) = delete; ssl_session_st &operator=(const ssl_session_st &) = delete; - CRYPTO_refcount_t references = 1; - // ssl_version is the (D)TLS version that established the session. uint16_t ssl_version = 0; 
@@ -3882,17 +4217,14 @@ struct ssl_session_st { // session. In TLS 1.3 and up, it is the resumption PSK for sessions handed to // the caller, but it stores the resumption secret when stored on |SSL| // objects. - uint8_t secret_length = 0; - uint8_t secret[SSL_MAX_MASTER_KEY_LENGTH] = {0}; + bssl::InplaceVector secret; + + bssl::InplaceVector session_id; - // session_id - valid? - uint8_t session_id_length = 0; - uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0}; // this is used to determine whether the session is being reused in // the appropriate context. It is up to the application to set this, // via SSL_new - uint8_t sid_ctx_length = 0; - uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH] = {0}; + bssl::InplaceVector sid_ctx; bssl::UniquePtr psk_identity; @@ -3955,8 +4287,7 @@ struct ssl_session_st { // original_handshake_hash contains the handshake hash (either SHA-1+MD5 or // SHA-2, depending on TLS version) for the original, full handshake that // created a session. This is used by Channel IDs during resumption. - uint8_t original_handshake_hash[EVP_MAX_MD_SIZE] = {0}; - uint8_t original_handshake_hash_len = 0; + bssl::InplaceVector original_handshake_hash; uint32_t ticket_lifetime_hint = 0; // Session lifetime hint in seconds @@ -4009,21 +4340,18 @@ struct ssl_session_st { bssl::Array quic_early_data_context; private: + friend RefCounted; ~ssl_session_st(); - friend OPENSSL_EXPORT void SSL_SESSION_free(SSL_SESSION *); }; -struct ssl_ech_keys_st { - ssl_ech_keys_st() = default; - ssl_ech_keys_st(const ssl_ech_keys_st &) = delete; - ssl_ech_keys_st &operator=(const ssl_ech_keys_st &) = delete; +struct ssl_ech_keys_st : public bssl::RefCounted { + ssl_ech_keys_st() : RefCounted(CheckSubClass()) {} - bssl::GrowableArray> configs; - CRYPTO_refcount_t references = 1; + bssl::Vector> configs; private: + friend RefCounted; ~ssl_ech_keys_st() = default; - friend OPENSSL_EXPORT void SSL_ECH_KEYS_free(SSL_ECH_KEYS *); }; #endif // OPENSSL_HEADER_SSL_INTERNAL_H 
diff --git a/Sources/CNIOBoringSSL/ssl/s3_both.cc b/Sources/CNIOBoringSSL/ssl/s3_both.cc
index 04f14f77b..d7c141df9 100644
--- a/Sources/CNIOBoringSSL/ssl/s3_both.cc
+++ b/Sources/CNIOBoringSSL/ssl/s3_both.cc
@@ -659,36 +659,60 @@ void tls_next_message(SSL *ssl) { } } -// CipherScorer produces a "score" for each possible cipher suite offered by -// the client. +namespace { + class CipherScorer { public: - CipherScorer(bool has_aes_hw) : aes_is_fine_(has_aes_hw) {} + using Score = int; + static constexpr Score kMinScore = 0; - typedef std::tuple Score; + virtual ~CipherScorer() = default; - // MinScore returns a |Score| that will compare less than the score of all - // cipher suites. - Score MinScore() const { - return Score(false, false); - } + virtual Score Evaluate(const SSL_CIPHER *cipher) const = 0; +}; + +// AesHwCipherScorer scores cipher suites based on whether AES is supported in +// hardware. +class AesHwCipherScorer : public CipherScorer { + public: + explicit AesHwCipherScorer(bool has_aes_hw) : aes_is_fine_(has_aes_hw) {} + + virtual ~AesHwCipherScorer() override = default; - Score Evaluate(const SSL_CIPHER *a) const { - return Score( + Score Evaluate(const SSL_CIPHER *a) const override { + return // Something is always preferable to nothing. - true, + 1 + // Either AES is fine, or else ChaCha20 is preferred. - aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305); + ((aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305) ? 1 : 0); } private: const bool aes_is_fine_; }; +// CNsaCipherScorer prefers AES-256-GCM over AES-128-GCM over anything else. +class CNsaCipherScorer : public CipherScorer { + public: + virtual ~CNsaCipherScorer() override = default; + + Score Evaluate(const SSL_CIPHER *a) const override { + if (a->id == TLS1_3_CK_AES_256_GCM_SHA384) { + return 3; + } else if (a->id == TLS1_3_CK_AES_128_GCM_SHA256) { + return 2; + } + return 1; + } +}; + +} + bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, enum ssl_compliance_policy_t policy) { switch (policy) { case ssl_compliance_policy_none: + case ssl_compliance_policy_cnsa_202407: return true; case ssl_compliance_policy_fips_202205: 
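Review bot: `ssl_tls13_cipher_meets_policy` returns `true` for `ssl_compliance_policy_cnsa_202407`, so under the CNSA policy any TLS 1.3 suite remains negotiable and `CNsaCipherScorer` only reorders them: a client offering just ChaCha20-Poly1305 still scores 1 above `kMinScore` and is selected. If that is the intended semantics (a preference rather than a filter, unlike `fips_202205`), it deserves to be stated where the next reader will look, e.g. on the scorer: `// CNsaCipherScorer prefers AES-256-GCM over AES-128-GCM over anything else. This policy is a preference only; ssl_tls13_cipher_meets_policy does not reject other suites.` and on the `case`: `// CNSA 2.0 is applied as a preference in ssl_choose_tls13_cipher, not as a filter.` If instead other suites should be rejected, the `case` needs the same treatment as the FIPS branch. Minor style point in the same hunk: `virtual ~AesHwCipherScorer() override = default;` says `virtual` and `override` together, and `override` alone is the idiom. The body of `ssl_tls13_cipher_meets_policy` continues past the end of the hunk.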
@@ -721,15 +745,19 @@ bool ssl_tls13_cipher_meets_policy(uint16_t cipher_id, } const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw, - uint16_t version, uint16_t group_id, + uint16_t version, enum ssl_compliance_policy_t policy) { if (CBS_len(&cipher_suites) % 2 != 0) { return nullptr; } const SSL_CIPHER *best = nullptr; - CipherScorer scorer(has_aes_hw); - CipherScorer::Score best_score = scorer.MinScore(); + AesHwCipherScorer aes_hw_scorer(has_aes_hw); + CNsaCipherScorer cnsa_scorer; + CipherScorer *const scorer = (policy == ssl_compliance_policy_cnsa_202407) + ? static_cast(&cnsa_scorer) + : static_cast(&aes_hw_scorer); + CipherScorer::Score best_score = CipherScorer::kMinScore; while (CBS_len(&cipher_suites) > 0) { uint16_t cipher_suite; @@ -750,7 +778,7 @@ const SSL_CIPHER *ssl_choose_tls13_cipher(CBS cipher_suites, bool has_aes_hw, continue; } - const CipherScorer::Score candidate_score = scorer.Evaluate(candidate); + const CipherScorer::Score candidate_score = scorer->Evaluate(candidate); // |candidate_score| must be larger to displace the current choice. That way // the client's order controls between ciphers with an equal score. if (candidate_score > best_score) { diff --git a/Sources/CNIOBoringSSL/ssl/s3_lib.cc b/Sources/CNIOBoringSSL/ssl/s3_lib.cc index 54170076d..d1ad499b0 100644 --- a/Sources/CNIOBoringSSL/ssl/s3_lib.cc +++ b/Sources/CNIOBoringSSL/ssl/s3_lib.cc @@ -165,13 +165,11 @@ BSSL_NAMESPACE_BEGIN SSL3_STATE::SSL3_STATE() : skip_early_data(false), - have_version(false), v2_hello_done(false), is_v2_hello(false), has_message(false), initial_handshake_complete(false), session_reused(false), - delegated_credential_used(false), send_connection_binding(false), channel_id_valid(false), key_update_pending(false), 
@@ -189,21 +187,14 @@ bool tls_new(SSL *ssl) { return false; } - s3->aead_read_ctx = SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl)); - s3->aead_write_ctx = SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl)); + s3->aead_read_ctx = SSLAEADContext::CreateNullCipher(); + s3->aead_write_ctx = SSLAEADContext::CreateNullCipher(); s3->hs = ssl_handshake_new(ssl); if (!s3->aead_read_ctx || !s3->aead_write_ctx || !s3->hs) { return false; } ssl->s3 = s3.release(); - - // Set the version to the highest supported version. - // - // TODO(davidben): Move this field into |s3|, have it store the normalized - // protocol version, and implement this pre-negotiation quirk in |SSL_version| - // at the API boundary rather than in internal state. - ssl->version = TLS1_2_VERSION; return true; } diff --git a/Sources/CNIOBoringSSL/ssl/s3_pkt.cc b/Sources/CNIOBoringSSL/ssl/s3_pkt.cc index b2f1c087e..35a8cf553 100644 --- a/Sources/CNIOBoringSSL/ssl/s3_pkt.cc +++ b/Sources/CNIOBoringSSL/ssl/s3_pkt.cc 
@@ -198,6 +198,26 @@ int tls_write_app_data(SSL *ssl, bool *out_needs_handshake, } } +// tls_seal_align_prefix_len returns the length of the prefix before the start +// of the bulk of the ciphertext when sealing a record with |ssl|. Callers may +// use this to align buffers. +// +// Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte +// record and is the offset into second record's ciphertext. Thus sealing a +// small record may result in a smaller output than this value. +// +// TODO(davidben): Is this alignment valuable? Record-splitting makes this a +// mess. +static size_t tls_seal_align_prefix_len(const SSL *ssl) { + size_t ret = + SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen(); + if (ssl_needs_record_splitting(ssl)) { + ret += SSL3_RT_HEADER_LENGTH; + ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher()); + } + return ret; +} + // do_tls_write writes an SSL record of the given type. On success, it sets // |*out_bytes_written| to number of bytes successfully written and returns one. // On error, it returns a value <= 0 from the underlying |BIO|. @@ -265,7 +285,7 @@ static int do_tls_write(SSL *ssl, size_t *out_bytes_written, uint8_t type, return 1; } - if (!buf->EnsureCap(pending_flight.size() + ssl_seal_align_prefix_len(ssl), + if (!buf->EnsureCap(pending_flight.size() + tls_seal_align_prefix_len(ssl), max_out)) { return -1; } diff --git a/Sources/CNIOBoringSSL/ssl/ssl_aead_ctx.cc b/Sources/CNIOBoringSSL/ssl/ssl_aead_ctx.cc index 005c2c346..4155f580c 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_aead_ctx.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_aead_ctx.cc @@ -18,6 +18,7 @@ #include #include +#include #include #include 
@@ -33,28 +34,24 @@ BSSL_NAMESPACE_BEGIN -SSLAEADContext::SSLAEADContext(uint16_t version_arg, bool is_dtls_arg, - const SSL_CIPHER *cipher_arg) +SSLAEADContext::SSLAEADContext(const SSL_CIPHER *cipher_arg) : cipher_(cipher_arg), - version_(version_arg), - is_dtls_(is_dtls_arg), variable_nonce_included_in_record_(false), random_variable_nonce_(false), xor_fixed_nonce_(false), omit_length_in_ad_(false), ad_is_header_(false) { - OPENSSL_memset(fixed_nonce_, 0, sizeof(fixed_nonce_)); + CreateRecordNumberEncrypter(); } SSLAEADContext::~SSLAEADContext() {} -UniquePtr SSLAEADContext::CreateNullCipher(bool is_dtls) { - return MakeUnique(0 /* version */, is_dtls, - nullptr /* cipher */); +UniquePtr SSLAEADContext::CreateNullCipher() { + return MakeUnique(/*cipher=*/nullptr); } UniquePtr SSLAEADContext::Create( - enum evp_aead_direction_t direction, uint16_t version, bool is_dtls, + enum evp_aead_direction_t direction, uint16_t version, const SSL_CIPHER *cipher, Span enc_key, Span mac_key, Span fixed_iv) { const EVP_AEAD *aead; @@ -62,8 +59,8 @@ UniquePtr SSLAEADContext::Create( size_t expected_mac_key_len, expected_fixed_iv_len; if (!ssl_protocol_version_from_wire(&protocol_version, version) || !ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len, - &expected_fixed_iv_len, cipher, protocol_version, - is_dtls) || + &expected_fixed_iv_len, cipher, + protocol_version) || // Ensure the caller returned correct key sizes. expected_fixed_iv_len != fixed_iv.size() || expected_mac_key_len != mac_key.size()) { 
@@ -71,111 +68,89 @@ UniquePtr SSLAEADContext::Create( return nullptr; } - uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH]; - if (!mac_key.empty()) { - // This is a "stateful" AEAD (for compatibility with pre-AEAD cipher - // suites). - if (mac_key.size() + enc_key.size() + fixed_iv.size() > - sizeof(merged_key)) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - return nullptr; - } - OPENSSL_memcpy(merged_key, mac_key.data(), mac_key.size()); - OPENSSL_memcpy(merged_key + mac_key.size(), enc_key.data(), enc_key.size()); - OPENSSL_memcpy(merged_key + mac_key.size() + enc_key.size(), - fixed_iv.data(), fixed_iv.size()); - enc_key = MakeConstSpan(merged_key, - enc_key.size() + mac_key.size() + fixed_iv.size()); - } - - UniquePtr aead_ctx = - MakeUnique(version, is_dtls, cipher); + UniquePtr aead_ctx = MakeUnique(cipher); if (!aead_ctx) { return nullptr; } - assert(aead_ctx->ProtocolVersion() == protocol_version); - - if (!EVP_AEAD_CTX_init_with_direction( - aead_ctx->ctx_.get(), aead, enc_key.data(), enc_key.size(), - EVP_AEAD_DEFAULT_TAG_LENGTH, direction)) { - return nullptr; - } - + uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH]; assert(EVP_AEAD_nonce_length(aead) <= EVP_AEAD_MAX_NONCE_LENGTH); static_assert(EVP_AEAD_MAX_NONCE_LENGTH < 256, "variable_nonce_len doesn't fit in uint8_t"); aead_ctx->variable_nonce_len_ = (uint8_t)EVP_AEAD_nonce_length(aead); if (mac_key.empty()) { - assert(fixed_iv.size() <= sizeof(aead_ctx->fixed_nonce_)); - OPENSSL_memcpy(aead_ctx->fixed_nonce_, fixed_iv.data(), fixed_iv.size()); - aead_ctx->fixed_nonce_len_ = fixed_iv.size(); + // This is an actual AEAD. + aead_ctx->fixed_nonce_.CopyFrom(fixed_iv); - if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) { - // The fixed nonce into the actual nonce (the sequence number). + if (protocol_version >= TLS1_3_VERSION || + cipher->algorithm_enc & SSL_CHACHA20POLY1305) { + // TLS 1.3, and TLS 1.2 ChaCha20-Poly1305, XOR the fixed IV with the + // sequence number to form the nonce. 
aead_ctx->xor_fixed_nonce_ = true; aead_ctx->variable_nonce_len_ = 8; + assert(fixed_iv.size() >= aead_ctx->variable_nonce_len_); } else { - // The fixed IV is prepended to the nonce. + // TLS 1.2 AES-GCM prepends the fixed IV to an explicit nonce. assert(fixed_iv.size() <= aead_ctx->variable_nonce_len_); + assert(cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)); aead_ctx->variable_nonce_len_ -= fixed_iv.size(); - } - - // AES-GCM uses an explicit nonce. - if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) { aead_ctx->variable_nonce_included_in_record_ = true; } - // The TLS 1.3 construction XORs the fixed nonce into the sequence number - // and omits the additional data. + // Starting TLS 1.3, the AAD is the whole record header. if (protocol_version >= TLS1_3_VERSION) { - aead_ctx->xor_fixed_nonce_ = true; - aead_ctx->variable_nonce_len_ = 8; - aead_ctx->variable_nonce_included_in_record_ = false; aead_ctx->ad_is_header_ = true; - assert(fixed_iv.size() >= aead_ctx->variable_nonce_len_); } } else { + // This is a CBC cipher suite that implements the |EVP_AEAD| interface. The + // |EVP_AEAD| takes the MAC key, encryption key, and fixed IV concatenated + // as its input key. assert(protocol_version < TLS1_3_VERSION); + BSSL_CHECK(mac_key.size() + enc_key.size() + fixed_iv.size() <= + sizeof(merged_key)); + OPENSSL_memcpy(merged_key, mac_key.data(), mac_key.size()); + OPENSSL_memcpy(merged_key + mac_key.size(), enc_key.data(), enc_key.size()); + OPENSSL_memcpy(merged_key + mac_key.size() + enc_key.size(), + fixed_iv.data(), fixed_iv.size()); + enc_key = MakeConstSpan(merged_key, + enc_key.size() + mac_key.size() + fixed_iv.size()); + + // The |EVP_AEAD|'s per-encryption nonce, if any, is actually the CBC IV. It + // must be generated randomly and prepended to the record. 
aead_ctx->variable_nonce_included_in_record_ = true; aead_ctx->random_variable_nonce_ = true; aead_ctx->omit_length_in_ad_ = true; } - return aead_ctx; -} - -UniquePtr SSLAEADContext::CreatePlaceholderForQUIC( - uint16_t version, const SSL_CIPHER *cipher) { - return MakeUnique(version, false, cipher); -} - -void SSLAEADContext::SetVersionIfNullCipher(uint16_t version) { - if (is_null_cipher()) { - version_ = version; + if (!EVP_AEAD_CTX_init_with_direction( + aead_ctx->ctx_.get(), aead, enc_key.data(), enc_key.size(), + EVP_AEAD_DEFAULT_TAG_LENGTH, direction)) { + return nullptr; } -} -uint16_t SSLAEADContext::ProtocolVersion() const { - uint16_t protocol_version; - if(!ssl_protocol_version_from_wire(&protocol_version, version_)) { - assert(false); - return 0; - } - return protocol_version; + return aead_ctx; } -uint16_t SSLAEADContext::RecordVersion() const { - if (version_ == 0) { - assert(is_null_cipher()); - return is_dtls_ ? DTLS1_VERSION : TLS1_VERSION; - } - - if (ProtocolVersion() <= TLS1_2_VERSION) { - return version_; +void SSLAEADContext::CreateRecordNumberEncrypter() { + if (!cipher_) { + return; } +#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) + rn_encrypter_ = MakeUnique(); +#else + if (cipher_->algorithm_enc == SSL_AES128GCM) { + rn_encrypter_ = MakeUnique(); + } else if (cipher_->algorithm_enc == SSL_AES256GCM) { + rn_encrypter_ = MakeUnique(); + } else if (cipher_->algorithm_enc == SSL_CHACHA20POLY1305) { + rn_encrypter_ = MakeUnique(); + } +#endif // BORINGSSL_UNSAFE_FUZZER_MODE +} - return TLS1_2_VERSION; +UniquePtr SSLAEADContext::CreatePlaceholderForQUIC( + const SSL_CIPHER *cipher) { + return MakeUnique(cipher); } size_t SSLAEADContext::ExplicitNonceLen() const { 
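Review bot: `merged_key`, which for the CBC suites holds the MAC key, encryption key and fixed IV concatenated, is left on the stack uncleansed on both exits of `SSLAEADContext::Create` — the `return nullptr` after `EVP_AEAD_CTX_init_with_direction` fails and the final `return aead_ctx;`. Once the `EVP_AEAD_CTX` owns its copy the local should be wiped on every path: `bool ok = EVP_AEAD_CTX_init_with_direction(aead_ctx->ctx_.get(), aead, enc_key.data(), enc_key.size(), EVP_AEAD_DEFAULT_TAG_LENGTH, direction);` `OPENSSL_cleanse(merged_key, sizeof(merged_key));` `if (!ok) { return nullptr; }`. The pre-patch code had the same gap, so this is not a regression, and since the file is vendored from BoringSSL the change belongs upstream. Separately, moving the overflow check onto `BSSL_CHECK` turns what was an `ERR_R_INTERNAL_ERROR` return into an abort; that is defensible because the lengths come from `ssl_cipher_get_evp_aead`, but it is a failure-mode change worth a word in the commit message.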
@@ -269,11 +244,11 @@ bool SSLAEADContext::Open(Span *out, uint8_t type, // Prepend the fixed nonce, or left-pad with zeros if XORing. if (xor_fixed_nonce_) { - nonce_len = fixed_nonce_len_ - variable_nonce_len_; + nonce_len = fixed_nonce_.size() - variable_nonce_len_; OPENSSL_memset(nonce, 0, nonce_len); } else { - OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_); - nonce_len += fixed_nonce_len_; + OPENSSL_memcpy(nonce, fixed_nonce_.data(), fixed_nonce_.size()); + nonce_len += fixed_nonce_.size(); } // Add the variable nonce. @@ -293,8 +268,8 @@ bool SSLAEADContext::Open(Span *out, uint8_t type, // XOR the fixed nonce, if necessary. if (xor_fixed_nonce_) { - assert(nonce_len == fixed_nonce_len_); - for (size_t i = 0; i < fixed_nonce_len_; i++) { + assert(nonce_len == fixed_nonce_.size()); + for (size_t i = 0; i < fixed_nonce_.size(); i++) { nonce[i] ^= fixed_nonce_[i]; } } @@ -346,11 +321,11 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, // Prepend the fixed nonce, or left-pad with zeros if XORing. if (xor_fixed_nonce_) { - nonce_len = fixed_nonce_len_ - variable_nonce_len_; + nonce_len = fixed_nonce_.size() - variable_nonce_len_; OPENSSL_memset(nonce, 0, nonce_len); } else { - OPENSSL_memcpy(nonce, fixed_nonce_, fixed_nonce_len_); - nonce_len += fixed_nonce_len_; + OPENSSL_memcpy(nonce, fixed_nonce_.data(), fixed_nonce_.size()); + nonce_len += fixed_nonce_.size(); } // Select the variable nonce. 
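Review bot: `nonce_len = fixed_nonce_.size() - variable_nonce_len_;` in both `Open` and `SealScatter` is an unsigned subtraction whose only guard is the debug-only `assert(fixed_iv.size() >= aead_ctx->variable_nonce_len_)` in `Create`; an underflow here would feed an enormous length to the `OPENSSL_memset` of the stack `nonce` buffer. The invariant does appear to hold by construction, since `Create` checks `fixed_iv.size()` against the length `ssl_cipher_get_evp_aead` expects and only the 12-byte-IV AEADs take the XOR path, so this is defense in depth rather than a live bug. Given `Create` now uses `BSSL_CHECK` for the merged-key size, promoting that `assert` to `BSSL_CHECK(fixed_iv.size() >= aead_ctx->variable_nonce_len_);` would make the release build enforce what these hunks rely on. Both functions start and end outside the hunks shown.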
@@ -374,14 +349,14 @@ bool SSLAEADContext::SealScatter(uint8_t *out_prefix, uint8_t *out, OPENSSL_PUT_ERROR(SSL, SSL_R_OUTPUT_ALIASES_INPUT); return false; } - OPENSSL_memcpy(out_prefix, nonce + fixed_nonce_len_, + OPENSSL_memcpy(out_prefix, nonce + fixed_nonce_.size(), variable_nonce_len_); } // XOR the fixed nonce, if necessary. if (xor_fixed_nonce_) { - assert(nonce_len == fixed_nonce_len_); - for (size_t i = 0; i < fixed_nonce_len_; i++) { + assert(nonce_len == fixed_nonce_.size()); + for (size_t i = 0; i < fixed_nonce_.size(); i++) { nonce[i] ^= fixed_nonce_[i]; } } 
@@ -427,4 +402,67 @@ bool SSLAEADContext::GetIV(const uint8_t **out_iv, size_t *out_iv_len) const { EVP_AEAD_CTX_get_iv(ctx_.get(), out_iv, out_iv_len); } +bool SSLAEADContext::GenerateRecordNumberMask(Span out, + Span sample) { + if (!rn_encrypter_) { + return false; + } + return rn_encrypter_->GenerateMask(out, sample); +} + +size_t AES128RecordNumberEncrypter::KeySize() { return 16; } + +size_t AES256RecordNumberEncrypter::KeySize() { return 32; } + +bool AESRecordNumberEncrypter::SetKey(Span key) { + return AES_set_encrypt_key(key.data(), key.size() * 8, &key_) == 0; +} + +bool AESRecordNumberEncrypter::GenerateMask(Span out, + Span sample) { + if (sample.size() < AES_BLOCK_SIZE || out.size() != AES_BLOCK_SIZE) { + return false; + } + AES_encrypt(sample.data(), out.data(), &key_); + return true; +} + +size_t ChaChaRecordNumberEncrypter::KeySize() { return kKeySize; } + +bool ChaChaRecordNumberEncrypter::SetKey(Span key) { + if (key.size() != kKeySize) { + return false; + } + OPENSSL_memcpy(key_, key.data(), key.size()); + return true; +} + +bool ChaChaRecordNumberEncrypter::GenerateMask(Span out, + Span sample) { + // RFC 9147 section 4.2.3 uses the first 4 bytes of the sample as the counter + // and the next 12 bytes as the nonce. If we have less than 4+12=16 bytes in + // the sample, then we'll read past the end of the |sample| buffer. The + // counter is interpreted as little-endian per RFC 8439. 
+ if (sample.size() < 16) { + return false; + } + uint32_t counter = CRYPTO_load_u32_le(sample.data()); + Span nonce = sample.subspan(4); + OPENSSL_memset(out.data(), 0, out.size()); + CRYPTO_chacha_20(out.data(), out.data(), out.size(), key_, nonce.data(), + counter); + return true; +} + +#if defined(BORINGSSL_UNSAFE_FUZZER_MODE) +size_t NullRecordNumberEncrypter::KeySize() { return 0; } +bool NullRecordNumberEncrypter::SetKey(Span key) { return true; } + +bool NullRecordNumberEncrypter::GenerateMask(Span out, + Span sample) { + OPENSSL_memset(out.data(), 0, out.size()); + return true; +} +#endif // BORINGSSL_UNSAFE_FUZZER_MODE + BSSL_NAMESPACE_END diff --git a/Sources/CNIOBoringSSL/ssl/ssl_asn1.cc b/Sources/CNIOBoringSSL/ssl/ssl_asn1.cc index f43530f2d..dd863a1ca 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_asn1.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_asn1.cc @@ -216,9 +216,10 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb, !CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) || !CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) || // The session ID is irrelevant for a session ticket. - !CBB_add_asn1_octet_string(&session, in->session_id, - for_ticket ? 0 : in->session_id_length) || - !CBB_add_asn1_octet_string(&session, in->secret, in->secret_length) || + !CBB_add_asn1_octet_string(&session, in->session_id.data(), + for_ticket ? 0 : in->session_id.size()) || + !CBB_add_asn1_octet_string(&session, in->secret.data(), + in->secret.size()) || !CBB_add_asn1(&session, &child, kTimeTag) || !CBB_add_asn1_uint64(&child, in->time) || !CBB_add_asn1(&session, &child, kTimeoutTag) || 
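Review bot: AESRecordNumberEncrypter::SetKey accepts any length that AES_set_encrypt_key accepts (128, 192 or 256 bits), so an AES128RecordNumberEncrypter whose KeySize() is 16 would also take a 24- or 32-byte key, whereas ChaChaRecordNumberEncrypter::SetKey rejects anything but kKeySize. If KeySize() is virtual on the shared base, adding `if (key.size() != KeySize()) { return false; }` before the AES_set_encrypt_key call makes the two implementations consistent and ties the accepted key length to the declared one. Relatedly, AESRecordNumberEncrypter::GenerateMask rejects `out.size() != AES_BLOCK_SIZE` while the ChaCha variant passes any `out.size()` to CRYPTO_chacha_20; a one-line comment on the ChaCha version noting that the stream cipher can produce a mask of any requested length would explain the asymmetry.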
@@ -240,7 +241,8 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb, // Although it is OPTIONAL and usually empty, OpenSSL has // historically always encoded the sid_ctx. if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) || - !CBB_add_asn1_octet_string(&child, in->sid_ctx, in->sid_ctx_length)) { + !CBB_add_asn1_octet_string(&child, in->sid_ctx.data(), + in->sid_ctx.size())) { return 0; } @@ -283,10 +285,10 @@ static int SSL_SESSION_to_bytes_full(const SSL_SESSION *in, CBB *cbb, } } - if (in->original_handshake_hash_len > 0) { + if (!in->original_handshake_hash.empty()) { if (!CBB_add_asn1(&session, &child, kOriginalHandshakeHashTag) || - !CBB_add_asn1_octet_string(&child, in->original_handshake_hash, - in->original_handshake_hash_len)) { + !CBB_add_asn1_octet_string(&child, in->original_handshake_hash.data(), + in->original_handshake_hash.size())) { return 0; } } @@ -473,23 +475,6 @@ static int SSL_SESSION_parse_crypto_buffer(CBS *cbs, return 1; } -// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING -// explicitly tagged with |tag| of size at most |max_out|. -static int SSL_SESSION_parse_bounded_octet_string(CBS *cbs, uint8_t *out, - uint8_t *out_len, - uint8_t max_out, - CBS_ASN1_TAG tag) { - CBS value; - if (!CBS_get_optional_asn1_octet_string(cbs, &value, NULL, tag) || - CBS_len(&value) > max_out) { - OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); - return 0; - } - OPENSSL_memcpy(out, CBS_data(&value), CBS_len(&value)); - *out_len = static_cast(CBS_len(&value)); - return 1; -} - static int SSL_SESSION_parse_long(CBS *cbs, long *out, CBS_ASN1_TAG tag, long default_value) { uint64_t value; 
@@ -569,29 +554,16 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, return nullptr; } - CBS session_id, secret; + CBS session_id, secret, child; + uint64_t timeout; if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING) || - CBS_len(&session_id) > SSL3_MAX_SSL_SESSION_ID_LENGTH || + !ret->session_id.TryCopyFrom(session_id) || !CBS_get_asn1(&session, &secret, CBS_ASN1_OCTETSTRING) || - CBS_len(&secret) > SSL_MAX_MASTER_KEY_LENGTH) { - OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); - return nullptr; - } - OPENSSL_memcpy(ret->session_id, CBS_data(&session_id), CBS_len(&session_id)); - static_assert(SSL3_MAX_SSL_SESSION_ID_LENGTH <= UINT8_MAX, - "max session ID is too large"); - ret->session_id_length = static_cast(CBS_len(&session_id)); - OPENSSL_memcpy(ret->secret, CBS_data(&secret), CBS_len(&secret)); - static_assert(SSL_MAX_MASTER_KEY_LENGTH <= UINT8_MAX, - "max secret is too large"); - ret->secret_length = static_cast(CBS_len(&secret)); - - CBS child; - uint64_t timeout; - if (!CBS_get_asn1(&session, &child, kTimeTag) || + !ret->secret.TryCopyFrom(secret) || + !CBS_get_asn1(&session, &child, kTimeTag) || !CBS_get_asn1_uint64(&child, &ret->time) || !CBS_get_asn1(&session, &child, kTimeoutTag) || - !CBS_get_asn1_uint64(&child, &timeout) || + !CBS_get_asn1_uint64(&child, &timeout) || // timeout > UINT32_MAX) { OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION); return nullptr; @@ -608,9 +580,10 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, } // |peer| is processed with the certificate chain. - if (!SSL_SESSION_parse_bounded_octet_string( - &session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx), - kSessionIDContextTag) || + CBS sid_ctx; + if (!CBS_get_optional_asn1_octet_string( + &session, &sid_ctx, /*out_present=*/nullptr, kSessionIDContextTag) || + !ret->sid_ctx.TryCopyFrom(sid_ctx) || !SSL_SESSION_parse_long(&session, &ret->verify_result, kVerifyResultTag, X509_V_OK)) { return nullptr; 
@@ -648,10 +621,11 @@ UniquePtr SSL_SESSION_parse(CBS *cbs, ret->peer_sha256_valid = false; } - if (!SSL_SESSION_parse_bounded_octet_string( - &session, ret->original_handshake_hash, - &ret->original_handshake_hash_len, - sizeof(ret->original_handshake_hash), kOriginalHandshakeHashTag) || + CBS original_handshake_hash; + if (!CBS_get_optional_asn1_octet_string(&session, &original_handshake_hash, + /*out_present=*/nullptr, + kOriginalHandshakeHashTag) || + !ret->original_handshake_hash.TryCopyFrom(original_handshake_hash) || !SSL_SESSION_parse_crypto_buffer(&session, &ret->signed_cert_timestamp_list, kSignedCertTimestampListTag, pool) || diff --git a/Sources/CNIOBoringSSL/ssl/ssl_buffer.cc b/Sources/CNIOBoringSSL/ssl/ssl_buffer.cc index 7da92247d..bd9429044 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_buffer.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_buffer.cc @@ -172,14 +172,17 @@ int ssl_read_buffer_extend_to(SSL *ssl, size_t len) { if (SSL_is_dtls(ssl)) { static_assert( - DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff, + DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff, "DTLS read buffer is too large"); // The |len| parameter is ignored in DTLS. - len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; + len = DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; } - if (!ssl->s3->read_buffer.EnsureCap(ssl_record_prefix_len(ssl), len)) { + // The DTLS record header can have a variable length, so the |header_len| + // value provided for buffer alignment only works if the header is the maximum + // length. + if (!ssl->s3->read_buffer.EnsureCap(DTLS1_RT_MAX_HEADER_LENGTH, len)) { return -1; } 
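Review bot: The EnsureCap call now passes DTLS1_RT_MAX_HEADER_LENGTH for TLS connections as well, since it sits after the `if (SSL_is_dtls(ssl))` block, but the new comment explains only the DTLS motivation. If, as the comment suggests, `header_len` is purely an alignment hint, one more sentence stating that TLS tolerates the larger value would stop a reader from hunting for a bug here, e.g. `// For TLS the real header is shorter; the larger value only shifts the alignment hint.` ssl_read_buffer_extend_to starts outside this hunk.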
@@ -252,7 +255,7 @@ static_assert(SSL3_RT_HEADER_LENGTH * 2 + 0xffff, "maximum TLS write buffer is too large"); -static_assert(DTLS1_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + +static_assert(DTLS1_RT_MAX_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + SSL3_RT_MAX_PLAIN_LENGTH <= 0xffff, "maximum DTLS write buffer is too large"); diff --git a/Sources/CNIOBoringSSL/ssl/ssl_cert.cc b/Sources/CNIOBoringSSL/ssl/ssl_cert.cc index 969731f95..9a18e13d9 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_cert.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_cert.cc @@ -135,17 +135,10 @@ BSSL_NAMESPACE_BEGIN CERT::CERT(const SSL_X509_METHOD *x509_method_arg) - : x509_method(x509_method_arg) {} + : legacy_credential(MakeUnique(SSLCredentialType::kX509)), + x509_method(x509_method_arg) {} -CERT::~CERT() { - ssl_cert_clear_certs(this); - x509_method->cert_free(this); -} - -static CRYPTO_BUFFER *buffer_up_ref(const CRYPTO_BUFFER *buffer) { - CRYPTO_BUFFER_up_ref(const_cast(buffer)); - return const_cast(buffer); -} +CERT::~CERT() { x509_method->cert_free(this); } UniquePtr ssl_cert_dup(CERT *cert) { UniquePtr ret = MakeUnique(cert->x509_method); @@ -153,18 +146,17 @@ UniquePtr ssl_cert_dup(CERT *cert) { return nullptr; } - if (cert->chain) { - ret->chain.reset(sk_CRYPTO_BUFFER_deep_copy( - cert->chain.get(), buffer_up_ref, CRYPTO_BUFFER_free)); - if (!ret->chain) { + // TODO(crbug.com/boringssl/431): This should just be |CopyFrom|. + for (const auto &cred : cert->credentials) { + if (!ret->credentials.Push(UpRef(cred))) { return nullptr; } } - ret->privatekey = UpRef(cert->privatekey); - ret->key_method = cert->key_method; - - if (!ret->sigalgs.CopyFrom(cert->sigalgs)) { + // |legacy_credential| is mutable, so it must be copied. We cannot simply + // bump the reference count. + ret->legacy_credential = cert->legacy_credential->Dup(); + if (ret->legacy_credential == nullptr) { return nullptr; } 
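Review bot: CERT's constructor now initializes `legacy_credential` via MakeUnique, which yields nullptr on allocation failure, and the ssl_cert_dup hunk on this line dereferences `cert->legacy_credential->Dup()` without any check on the source credential. Unless every site that constructs a CERT verifies `legacy_credential` afterwards (not visible in these hunks), a failed allocation would surface later as a null dereference in ssl_cert_dup, cert_set_chain_and_key or SSL_certs_clear rather than as an error. A comment on the constructor, `// |legacy_credential| is nullptr if allocation failed; creators must check it before use.`, would record the obligation, and ssl_cert_dup could guard with `if (cert->legacy_credential == nullptr) { return nullptr; }` before the Dup() call. ssl_cert_dup continues past the end of this hunk.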
@@ -173,93 +165,16 @@ UniquePtr ssl_cert_dup(CERT *cert) { ret->x509_method->cert_dup(ret.get(), cert); - ret->signed_cert_timestamp_list = UpRef(cert->signed_cert_timestamp_list); - ret->ocsp_response = UpRef(cert->ocsp_response); - - ret->sid_ctx_length = cert->sid_ctx_length; - OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx)); - - if (cert->dc) { - ret->dc = cert->dc->Dup(); - if (!ret->dc) { - return nullptr; - } - } - - ret->dc_privatekey = UpRef(cert->dc_privatekey); - ret->dc_key_method = cert->dc_key_method; - + ret->sid_ctx = cert->sid_ctx; return ret; } -// Free up and clear all certificates and chains -void ssl_cert_clear_certs(CERT *cert) { - if (cert == NULL) { - return; - } - - cert->x509_method->cert_clear(cert); - - cert->chain.reset(); - cert->privatekey.reset(); - cert->key_method = nullptr; - - cert->dc.reset(); - cert->dc_privatekey.reset(); - cert->dc_key_method = nullptr; -} - static void ssl_cert_set_cert_cb(CERT *cert, int (*cb)(SSL *ssl, void *arg), void *arg) { cert->cert_cb = cb; cert->cert_cb_arg = arg; } -enum leaf_cert_and_privkey_result_t { - leaf_cert_and_privkey_error, - leaf_cert_and_privkey_ok, - leaf_cert_and_privkey_mismatch, -}; - -// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer| -// and the private key in |privkey| are suitable and coherent. It returns -// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is -// found. If the certificate and private key are valid, but incoherent, it -// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns -// |leaf_cert_and_privkey_ok|. 
-static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey( - CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) { - CBS cert_cbs; - CRYPTO_BUFFER_init_CBS(leaf_buffer, &cert_cbs); - UniquePtr pubkey = ssl_cert_parse_pubkey(&cert_cbs); - if (!pubkey) { - OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); - return leaf_cert_and_privkey_error; - } - - if (!ssl_is_key_type_supported(EVP_PKEY_id(pubkey.get()))) { - OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - return leaf_cert_and_privkey_error; - } - - // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA - // certificates, so sanity-check the key usage extension. - if (EVP_PKEY_id(pubkey.get()) == EVP_PKEY_EC && - !ssl_cert_check_key_usage(&cert_cbs, key_usage_digital_signature)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - return leaf_cert_and_privkey_error; - } - - if (privkey != NULL && - // Sanity-check that the private key and the certificate match. - !ssl_compare_public_and_private_key(pubkey.get(), privkey)) { - ERR_clear_error(); - return leaf_cert_and_privkey_mismatch; - } - - return leaf_cert_and_privkey_ok; -} - static int cert_set_chain_and_key( CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs, EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) { 
@@ -274,75 +189,35 @@ static int cert_set_chain_and_key( return 0; } - switch (check_leaf_cert_and_privkey(certs[0], privkey)) { - case leaf_cert_and_privkey_error: - return 0; - case leaf_cert_and_privkey_mismatch: - OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH); - return 0; - case leaf_cert_and_privkey_ok: - break; - } - - UniquePtr certs_sk(sk_CRYPTO_BUFFER_new_null()); - if (!certs_sk) { + cert->legacy_credential->ClearCertAndKey(); + if (!SSL_CREDENTIAL_set1_cert_chain(cert->legacy_credential.get(), certs, + num_certs)) { return 0; } - for (size_t i = 0; i < num_certs; i++) { - if (!PushToStack(certs_sk.get(), UpRef(certs[i]))) { - return 0; - } - } - - cert->privatekey = UpRef(privkey); - cert->key_method = privkey_method; + cert->x509_method->cert_flush_cached_leaf(cert); + cert->x509_method->cert_flush_cached_chain(cert); - cert->chain = std::move(certs_sk); - return 1; + return privkey != nullptr + ? SSL_CREDENTIAL_set1_private_key(cert->legacy_credential.get(), + privkey) + : SSL_CREDENTIAL_set_private_key_method( + cert->legacy_credential.get(), privkey_method); } bool ssl_set_cert(CERT *cert, UniquePtr buffer) { - switch (check_leaf_cert_and_privkey(buffer.get(), cert->privatekey.get())) { - case leaf_cert_and_privkey_error: - return false; - case leaf_cert_and_privkey_mismatch: - // don't fail for a cert/key mismatch, just free current private key - // (when switching to a different cert & key, first this function should - // be used, then |ssl_set_pkey|. 
- cert->privatekey.reset(); - break; - case leaf_cert_and_privkey_ok: - break; - } - - cert->x509_method->cert_flush_cached_leaf(cert); - - if (cert->chain != nullptr) { - CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0)); - sk_CRYPTO_BUFFER_set(cert->chain.get(), 0, buffer.release()); - return true; - } - - cert->chain.reset(sk_CRYPTO_BUFFER_new_null()); - if (cert->chain == nullptr) { - return false; - } - - if (!PushToStack(cert->chain.get(), std::move(buffer))) { - cert->chain.reset(); + // Don't fail for a cert/key mismatch, just free the current private key. + // (When switching to a different keypair, the caller should switch the + // certificate, then the key.) + if (!cert->legacy_credential->SetLeafCert(std::move(buffer), + /*discard_key_on_mismatch=*/true)) { return false; } + cert->x509_method->cert_flush_cached_leaf(cert); return true; } -bool ssl_has_certificate(const SSL_HANDSHAKE *hs) { - return hs->config->cert->chain != nullptr && - sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0) != nullptr && - ssl_has_private_key(hs); -} - bool ssl_parse_cert_chain(uint8_t *out_alert, UniquePtr *out_chain, UniquePtr *out_pubkey, 
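Review bot: cert_set_chain_and_key now calls `ClearCertAndKey()` before SSL_CREDENTIAL_set1_cert_chain, so a failed call leaves the legacy credential with neither certificate nor key, whereas the removed code built the new stack first and left `cert->chain` and `cert->privatekey` untouched on failure. Likewise, if the trailing SSL_CREDENTIAL_set1_private_key or SSL_CREDENTIAL_set_private_key_method call fails, the new chain has already been installed and the cached leaf and chain flushed, with no matching key. If that loss of atomicity is intended, state it where the function is documented: `// On failure the previous chain and key are discarded; callers must not assume the old configuration survives.` The function's parameter validation precedes this hunk, and the hunk ends inside ssl_parse_cert_chain's signature.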
@@ -405,33 +280,6 @@ bool ssl_parse_cert_chain(uint8_t *out_alert, return true; } -bool ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb) { - if (!ssl_has_certificate(hs)) { - return CBB_add_u24(cbb, 0); - } - - CBB certs; - if (!CBB_add_u24_length_prefixed(cbb, &certs)) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - return false; - } - - STACK_OF(CRYPTO_BUFFER) *chain = hs->config->cert->chain.get(); - for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) { - CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i); - CBB child; - if (!CBB_add_u24_length_prefixed(&certs, &child) || - !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer), - CRYPTO_BUFFER_len(buffer)) || - !CBB_flush(&certs)) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - return false; - } - } - - return CBB_flush(cbb); -} - // ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and // positions |*out_tbs_cert| to cover the TBSCertificate, starting at the // subjectPublicKeyInfo. @@ -513,30 +361,6 @@ bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey, return false; } -bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) { - if (privkey == nullptr) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED); - return false; - } - - if (cert->chain == nullptr || - sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) == nullptr) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED); - return false; - } - - CBS cert_cbs; - CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0), - &cert_cbs); - UniquePtr pubkey = ssl_cert_parse_pubkey(&cert_cbs); - if (!pubkey) { - OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE); - return false; - } - - return ssl_compare_public_and_private_key(pubkey.get(), privkey); -} - bool ssl_cert_check_key_usage(const CBS *in, enum ssl_key_usage_t bit) { CBS buf = *in; 
@@ -697,8 +521,12 @@ bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, const CRYPTO_BUFFER *leaf) { assert(ssl_protocol_version(hs->ssl) < TLS1_3_VERSION); - // Check the certificate's type matches the cipher. - if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) { + // Check the certificate's type matches the cipher. This does not check key + // usage restrictions, which are handled separately. + // + // TODO(davidben): Put the key type and key usage checks in one place. + if (!(hs->new_cipher->algorithm_auth & + ssl_cipher_auth_mask_for_key(pkey, /*sign_ok=*/true))) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE); return false; } 
@@ -719,153 +547,6 @@ bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey, return true; } -bool ssl_on_certificate_selected(SSL_HANDSHAKE *hs) { - SSL *const ssl = hs->ssl; - if (!ssl_has_certificate(hs)) { - // Nothing to do. - return true; - } - - if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(hs)) { - return false; - } - - CBS leaf; - CRYPTO_BUFFER_init_CBS( - sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0), &leaf); - - if (ssl_signing_with_dc(hs)) { - hs->local_pubkey = UpRef(hs->config->cert->dc->pkey); - } else { - hs->local_pubkey = ssl_cert_parse_pubkey(&leaf); - } - return hs->local_pubkey != NULL; -} - - -// Delegated credentials. - -DC::DC() = default; -DC::~DC() = default; - -UniquePtr DC::Dup() { - bssl::UniquePtr ret = MakeUnique(); - if (!ret) { - return nullptr; - } - - ret->raw = UpRef(raw); - ret->expected_cert_verify_algorithm = expected_cert_verify_algorithm; - ret->pkey = UpRef(pkey); - return ret; -} - -// static -UniquePtr DC::Parse(CRYPTO_BUFFER *in, uint8_t *out_alert) { - UniquePtr dc = MakeUnique(); - if (!dc) { - *out_alert = SSL_AD_INTERNAL_ERROR; - return nullptr; - } - - dc->raw = UpRef(in); - - CBS pubkey, deleg, sig; - uint32_t valid_time; - uint16_t algorithm; - CRYPTO_BUFFER_init_CBS(dc->raw.get(), &deleg); - if (!CBS_get_u32(&deleg, &valid_time) || - !CBS_get_u16(&deleg, &dc->expected_cert_verify_algorithm) || - !CBS_get_u24_length_prefixed(&deleg, &pubkey) || - !CBS_get_u16(&deleg, &algorithm) || - !CBS_get_u16_length_prefixed(&deleg, &sig) || - CBS_len(&deleg) != 0) { - OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); - *out_alert = SSL_AD_DECODE_ERROR; - return nullptr; - } - - dc->pkey.reset(EVP_parse_public_key(&pubkey)); - if (dc->pkey == nullptr) { - OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); - *out_alert = SSL_AD_DECODE_ERROR; - return nullptr; - } - - return dc; -} - -// ssl_can_serve_dc returns true if the host has configured a DC that it can -// serve in the handshake. 
Specifically, it checks that a DC has been -// configured and that the DC signature algorithm is supported by the peer. -static bool ssl_can_serve_dc(const SSL_HANDSHAKE *hs) { - // Check that a DC has been configured. - const CERT *cert = hs->config->cert.get(); - if (cert->dc == nullptr || - cert->dc->raw == nullptr || - (cert->dc_privatekey == nullptr && cert->dc_key_method == nullptr)) { - return false; - } - - // Check that 1.3 or higher has been negotiated. - const DC *dc = cert->dc.get(); - assert(hs->ssl->s3->have_version); - if (ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) { - return false; - } - - // Check that the DC signature algorithm is supported by the peer. - Span peer_sigalgs = hs->peer_delegated_credential_sigalgs; - for (uint16_t peer_sigalg : peer_sigalgs) { - if (dc->expected_cert_verify_algorithm == peer_sigalg) { - return true; - } - } - return false; -} - -bool ssl_signing_with_dc(const SSL_HANDSHAKE *hs) { - // As of draft-ietf-tls-subcert-03, only the server may use delegated - // credentials to authenticate itself. - return hs->ssl->server && - hs->delegated_credential_requested && - ssl_can_serve_dc(hs); -} - -static int cert_set_dc(CERT *cert, CRYPTO_BUFFER *const raw, EVP_PKEY *privkey, - const SSL_PRIVATE_KEY_METHOD *key_method) { - if (privkey == nullptr && key_method == nullptr) { - OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - - if (privkey != nullptr && key_method != nullptr) { - OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD); - return 0; - } - - uint8_t alert; - UniquePtr dc = DC::Parse(raw, &alert); - if (dc == nullptr) { - OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_DELEGATED_CREDENTIAL); - return 0; - } - - if (privkey) { - // Check that the public and private keys match. 
- if (!ssl_compare_public_and_private_key(dc->pkey.get(), privkey)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH); - return 0; - } - } - - cert->dc = std::move(dc); - cert->dc_privatekey = UpRef(privkey); - cert->dc_key_method = key_method; - - return 1; -} - BSSL_NAMESPACE_END using namespace bssl; @@ -887,8 +568,26 @@ int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs, privkey_method); } -const STACK_OF(CRYPTO_BUFFER)* SSL_CTX_get0_chain(const SSL_CTX *ctx) { - return ctx->cert->chain.get(); +void SSL_certs_clear(SSL *ssl) { + if (!ssl->config) { + return; + } + + CERT *cert = ssl->config->cert.get(); + cert->x509_method->cert_clear(cert); + cert->credentials.clear(); + cert->legacy_credential->ClearCertAndKey(); +} + +const STACK_OF(CRYPTO_BUFFER) *SSL_CTX_get0_chain(const SSL_CTX *ctx) { + return ctx->cert->legacy_credential->chain.get(); +} + +const STACK_OF(CRYPTO_BUFFER) *SSL_get0_chain(const SSL *ssl) { + if (!ssl->config) { + return nullptr; + } + return ssl->config->cert->legacy_credential->chain.get(); } int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len, 
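Review bot: SSL_CTX_get0_chain and the new SSL_get0_chain return `legacy_credential->chain` directly, while the new ssl_credential.cc hunk at the end of this chunk defines new_leafless_chain, which builds a stack whose first element is nullptr. If that state is reachable through the public setters, callers of these getters must now cope with a nullptr leaf, something the old `cert->chain` accessor did not suggest; a comment on both getters, `// The first element may be nullptr; see new_leafless_chain in ssl_credential.cc.`, would make the contract visible. SSL_certs_clear also empties `cert->credentials` in addition to the legacy credential, which is worth stating in its header documentation since the removed ssl_cert_clear_certs touched only the chain, key and delegated credential.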
@@ -938,23 +637,11 @@ const STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) { return ssl->s3->hs->ca_names.get(); } -static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list, - size_t list_len) { - CBS sct_list; - CBS_init(&sct_list, list, list_len); - if (!ssl_is_sct_list_valid(&sct_list)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST); - return 0; - } - - cert->signed_cert_timestamp_list.reset( - CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), nullptr)); - return cert->signed_cert_timestamp_list != nullptr; -} - int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list, size_t list_len) { - return set_signed_cert_timestamp_list(ctx->cert.get(), list, list_len); + UniquePtr buf(CRYPTO_BUFFER_new(list, list_len, nullptr)); + return buf != nullptr && SSL_CREDENTIAL_set1_signed_cert_timestamp_list( + ctx->cert->legacy_credential.get(), buf.get()); } int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list, @@ -962,15 +649,18 @@ int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list, if (!ssl->config) { return 0; } - return set_signed_cert_timestamp_list(ssl->config->cert.get(), list, - list_len); + UniquePtr buf(CRYPTO_BUFFER_new(list, list_len, nullptr)); + return buf != nullptr && + SSL_CREDENTIAL_set1_signed_cert_timestamp_list( + ssl->config->cert->legacy_credential.get(), buf.get()); } int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response, size_t response_len) { - ctx->cert->ocsp_response.reset( + UniquePtr buf( CRYPTO_BUFFER_new(response, response_len, nullptr)); - return ctx->cert->ocsp_response != nullptr; + return buf != nullptr && SSL_CREDENTIAL_set1_ocsp_response( + ctx->cert->legacy_credential.get(), buf.get()); } int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response, 
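Review bot: The removed set_signed_cert_timestamp_list ran `ssl_is_sct_list_valid` and reported SSL_R_INVALID_SCT_LIST before storing the list; the replacements in SSL_CTX_set_signed_cert_timestamp_list and SSL_set_signed_cert_timestamp_list only wrap the bytes in a CRYPTO_BUFFER and pass them to SSL_CREDENTIAL_set1_signed_cert_timestamp_list. Unless that function performs the same validation (its definition is not in these hunks), malformed SCT lists supplied by the application would now be accepted and sent to peers. Independently, the CRYPTO_BUFFER_new-then-set1 pattern is now spelled out four times across this hunk and the SSL_set_ocsp_response hunk that follows; a static helper taking a `CERT *`, as the removed code had, would leave one place to fix.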
@@ -978,9 +668,11 @@ int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response, if (!ssl->config) { return 0; } - ssl->config->cert->ocsp_response.reset( + UniquePtr buf( CRYPTO_BUFFER_new(response, response_len, nullptr)); - return ssl->config->cert->ocsp_response != nullptr; + return buf != nullptr && + SSL_CREDENTIAL_set1_ocsp_response( + ssl->config->cert->legacy_credential.get(), buf.get()); } void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) { @@ -995,16 +687,3 @@ void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) { ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get()); ssl->config->client_CA.reset(name_list); } - -int SSL_set1_delegated_credential(SSL *ssl, CRYPTO_BUFFER *dc, EVP_PKEY *pkey, - const SSL_PRIVATE_KEY_METHOD *key_method) { - if (!ssl->config) { - return 0; - } - - return cert_set_dc(ssl->config->cert.get(), dc, pkey, key_method); -} - -int SSL_delegated_credential_used(const SSL *ssl) { - return ssl->s3->delegated_credential_used; -} diff --git a/Sources/CNIOBoringSSL/ssl/ssl_cipher.cc b/Sources/CNIOBoringSSL/ssl/ssl_cipher.cc index c02cf99b4..dbbac703c 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_cipher.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_cipher.cc @@ -164,7 +164,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_RSA_WITH_3DES_EDE_CBC_SHA", SSL3_CK_RSA_DES_192_CBC3_SHA, SSL_kRSA, - SSL_aRSA, + SSL_aRSA_DECRYPT, SSL_3DES, SSL_SHA1, SSL_HANDSHAKE_MAC_DEFAULT, @@ -179,7 +179,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_RSA_WITH_AES_128_CBC_SHA", TLS1_CK_RSA_WITH_AES_128_SHA, SSL_kRSA, - SSL_aRSA, + SSL_aRSA_DECRYPT, SSL_AES128, SSL_SHA1, SSL_HANDSHAKE_MAC_DEFAULT, @@ -191,7 +191,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_RSA_WITH_AES_256_CBC_SHA", TLS1_CK_RSA_WITH_AES_256_SHA, SSL_kRSA, - SSL_aRSA, + SSL_aRSA_DECRYPT, SSL_AES256, SSL_SHA1, SSL_HANDSHAKE_MAC_DEFAULT, 
@@ -231,7 +231,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_RSA_WITH_AES_128_GCM_SHA256", TLS1_CK_RSA_WITH_AES_128_GCM_SHA256, SSL_kRSA, - SSL_aRSA, + SSL_aRSA_DECRYPT, SSL_AES128GCM, SSL_AEAD, SSL_HANDSHAKE_MAC_SHA256, @@ -243,7 +243,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_RSA_WITH_AES_256_GCM_SHA384", TLS1_CK_RSA_WITH_AES_256_GCM_SHA384, SSL_kRSA, - SSL_aRSA, + SSL_aRSA_DECRYPT, SSL_AES256GCM, SSL_AEAD, SSL_HANDSHAKE_MAC_SHA384, @@ -317,7 +317,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE, - SSL_aRSA, + SSL_aRSA_SIGN, SSL_AES128, SSL_SHA1, SSL_HANDSHAKE_MAC_DEFAULT, @@ -329,7 +329,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE, - SSL_aRSA, + SSL_aRSA_SIGN, SSL_AES256, SSL_SHA1, SSL_HANDSHAKE_MAC_DEFAULT, @@ -341,7 +341,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_kECDHE, - SSL_aRSA, + SSL_aRSA_SIGN, SSL_AES128, SSL_SHA256, SSL_HANDSHAKE_MAC_SHA256, @@ -379,7 +379,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", TLS1_CK_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_kECDHE, - SSL_aRSA, + SSL_aRSA_SIGN, SSL_AES128GCM, SSL_AEAD, SSL_HANDSHAKE_MAC_SHA256, @@ -391,7 +391,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", TLS1_CK_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_kECDHE, - SSL_aRSA, + SSL_aRSA_SIGN, SSL_AES256GCM, SSL_AEAD, SSL_HANDSHAKE_MAC_SHA384, @@ -431,7 +431,7 @@ static constexpr SSL_CIPHER kCiphers[] = { "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", TLS1_CK_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_kECDHE, - SSL_aRSA, + SSL_aRSA_SIGN, SSL_CHACHA20POLY1305, SSL_AEAD, SSL_HANDSHAKE_MAC_SHA256, 
@@ -528,7 +528,7 @@ static const CIPHER_ALIAS kCipherAliases[] = { {"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0}, // server authentication aliases - {"aRSA", ~0u, SSL_aRSA, ~0u, ~0u, 0}, + {"aRSA", ~0u, SSL_aRSA_SIGN | SSL_aRSA_DECRYPT, ~0u, ~0u, 0}, {"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, {"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0}, {"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0}, @@ -536,7 +536,7 @@ static const CIPHER_ALIAS kCipherAliases[] = { // aliases combining key exchange and server authentication {"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, {"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0}, - {"RSA", SSL_kRSA, SSL_aRSA, ~0u, ~0u, 0}, + {"RSA", SSL_kRSA, SSL_aRSA_SIGN | SSL_aRSA_DECRYPT, ~0u, ~0u, 0}, {"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0}, // symmetric encryption aliases 
@@ -576,31 +576,24 @@ static const size_t kCipherAliasesLen = OPENSSL_ARRAY_SIZE(kCipherAliases); bool ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead, size_t *out_mac_secret_len, size_t *out_fixed_iv_len, const SSL_CIPHER *cipher, - uint16_t version, bool is_dtls) { + uint16_t version) { *out_aead = NULL; *out_mac_secret_len = 0; *out_fixed_iv_len = 0; - const bool is_tls12 = version == TLS1_2_VERSION && !is_dtls; - const bool is_tls13 = version == TLS1_3_VERSION && !is_dtls; - if (cipher->algorithm_mac == SSL_AEAD) { if (cipher->algorithm_enc == SSL_AES128GCM) { - if (is_tls12) { + if (version < TLS1_3_VERSION) { *out_aead = EVP_aead_aes_128_gcm_tls12(); - } else if (is_tls13) { - *out_aead = EVP_aead_aes_128_gcm_tls13(); } else { - *out_aead = EVP_aead_aes_128_gcm(); + *out_aead = EVP_aead_aes_128_gcm_tls13(); } *out_fixed_iv_len = 4; } else if (cipher->algorithm_enc == SSL_AES256GCM) { - if (is_tls12) { + if (version < TLS1_3_VERSION) { *out_aead = EVP_aead_aes_256_gcm_tls12(); - } else if (is_tls13) { - *out_aead = EVP_aead_aes_256_gcm_tls13(); } else { - *out_aead = EVP_aead_aes_256_gcm(); + *out_aead = EVP_aead_aes_256_gcm_tls13(); } *out_fixed_iv_len = 4; } else if (cipher->algorithm_enc == SSL_CHACHA20POLY1305) { @@ -1275,14 +1268,14 @@ bool ssl_create_cipher_list(UniquePtr *out_cipher_list, return true; } -uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) { +uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key, bool sign_ok) { switch (EVP_PKEY_id(key)) { case EVP_PKEY_RSA: - return SSL_aRSA; + return sign_ok ? (SSL_aRSA_SIGN | SSL_aRSA_DECRYPT) : SSL_aRSA_DECRYPT; case EVP_PKEY_EC: case EVP_PKEY_ED25519: // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. - return SSL_aECDSA; + return sign_ok ? SSL_aECDSA : 0; default: return 0; } 
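Review bot: Dropping `is_dtls` means DTLS callers now receive the `_tls12` and `_tls13` AEAD variants that the removed code reserved for TLS, and nothing in the hunk records why that is safe for DTLS nonces and record formats. The selection also turns on `version < TLS1_3_VERSION`, which presumes `version` is a normalized protocol version rather than a raw DTLS wire version; that precondition belongs on the function's declaration, which is outside this hunk. A one-line note above the `if (cipher->algorithm_mac == SSL_AEAD)` block, `// TLS and DTLS share the version-specific AEADs; |version| is the normalized protocol version.`, would capture both, assuming that is indeed the caller contract.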
@@ -1423,7 +1416,8 @@ int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *cipher) { int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *cipher) { switch (cipher->algorithm_auth) { - case SSL_aRSA: + case SSL_aRSA_DECRYPT: + case SSL_aRSA_SIGN: return NID_auth_rsa; case SSL_aECDSA: return NID_auth_ecdsa; @@ -1511,7 +1505,7 @@ const char *SSL_CIPHER_get_kx_name(const SSL_CIPHER *cipher) { switch (cipher->algorithm_auth) { case SSL_aECDSA: return "ECDHE_ECDSA"; - case SSL_aRSA: + case SSL_aRSA_SIGN: return "ECDHE_RSA"; case SSL_aPSK: return "ECDHE_PSK"; @@ -1603,7 +1597,8 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, } switch (alg_auth) { - case SSL_aRSA: + case SSL_aRSA_DECRYPT: + case SSL_aRSA_SIGN: au = "RSA"; break; diff --git a/Sources/CNIOBoringSSL/ssl/ssl_credential.cc b/Sources/CNIOBoringSSL/ssl/ssl_credential.cc new file mode 100644 index 000000000..3357baba4 --- /dev/null +++ b/Sources/CNIOBoringSSL/ssl/ssl_credential.cc 
@@ -0,0 +1,423 @@
+/* Copyright (c) 2024, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include
+
+#include
+
+#include
+
+#include "internal.h"
+#include "../crypto/internal.h"
+
+
+BSSL_NAMESPACE_BEGIN
+
+// new_leafless_chain returns a fresh stack of buffers set to {nullptr}.
+static UniquePtr new_leafless_chain(void) {
+ UniquePtr chain(sk_CRYPTO_BUFFER_new_null());
+ if (!chain ||
+ !sk_CRYPTO_BUFFER_push(chain.get(), nullptr)) {
+ return nullptr;
+ }
+
+ return chain;
+}
+
+bool ssl_get_credential_list(SSL_HANDSHAKE *hs, Array *out) {
+ CERT *cert = hs->config->cert.get();
+ // Finish filling in the legacy credential if needed.
+ if (!cert->x509_method->ssl_auto_chain_if_needed(hs)) {
+ return false;
+ }
+
+ size_t num_creds = cert->credentials.size();
+ bool include_legacy = cert->legacy_credential->IsComplete();
+ if (include_legacy) {
+ num_creds++;
+ }
+
+ if (!out->Init(num_creds)) {
+ return false;
+ }
+
+ for (size_t i = 0; i < cert->credentials.size(); i++) {
+ (*out)[i] = cert->credentials[i].get();
+ }
+ if (include_legacy) {
+ (*out)[num_creds - 1] = cert->legacy_credential.get();
+ }
+ return true;
+}
+
+BSSL_NAMESPACE_END
+
+using namespace bssl;
+
+static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
+
+ssl_credential_st::ssl_credential_st(SSLCredentialType type_arg)
+ : RefCounted(CheckSubClass()), type(type_arg) {
+ CRYPTO_new_ex_data(&ex_data);
+}
+
+ssl_credential_st::~ssl_credential_st() {
+ CRYPTO_free_ex_data(&g_ex_data_class, this, &ex_data);
+}
+
+static CRYPTO_BUFFER *buffer_up_ref(const CRYPTO_BUFFER *buffer) {
+ CRYPTO_BUFFER_up_ref(const_cast(buffer));
+ return const_cast(buffer);
+}
+
+UniquePtr ssl_credential_st::Dup() const {
+ assert(type == SSLCredentialType::kX509);
+ UniquePtr ret = MakeUnique(type);
+ if (ret == nullptr) {
+ return nullptr;
+ }
+
+ ret->pubkey = UpRef(pubkey);
+ ret->privkey = UpRef(privkey);
+ ret->key_method = key_method;
+ if (!ret->sigalgs.CopyFrom(sigalgs)) {
+ return nullptr;
+ }
+
+ if (chain) {
+ ret->chain.reset(sk_CRYPTO_BUFFER_deep_copy(chain.get(), buffer_up_ref,
+ CRYPTO_BUFFER_free));
+ if (!ret->chain) {
+ return nullptr;
+ }
+ }
+
+ ret->dc = UpRef(dc);
+ ret->signed_cert_timestamp_list = UpRef(signed_cert_timestamp_list);
+ ret->ocsp_response = UpRef(ocsp_response);
+ ret->dc_algorithm = dc_algorithm;
+ return ret;
+}
+
+void ssl_credential_st::ClearCertAndKey() {
+ pubkey = nullptr;
+ privkey = nullptr;
+ key_method = nullptr;
+ chain = nullptr;
+}
+
+bool ssl_credential_st::UsesX509() const {
+ // Currently, all credential types use X.509. However, we may add other
+ // certificate types in the future. Add the checks in the setters now, so we
+ // don't forget.
+ return true;
+}
+
+bool ssl_credential_st::UsesPrivateKey() const {
+ // Currently, all credential types use private keys. However, we may add PSK
+ return true;
+}
+
+bool ssl_credential_st::IsComplete() const {
+ // APIs like |SSL_use_certificate| and |SSL_set1_chain| configure the leaf and
+ // other certificates separately. It is possible for |chain| have a null leaf.
+ if (UsesX509() && (sk_CRYPTO_BUFFER_num(chain.get()) == 0 ||
+ sk_CRYPTO_BUFFER_value(chain.get(), 0) == nullptr)) {
+ return false;
+ }
+ // We must have successfully extracted a public key from the certificate,
+ // delegated credential, etc.
+ if (UsesPrivateKey() && pubkey == nullptr) {
+ return false;
+ }
+ if (UsesPrivateKey() && privkey == nullptr && key_method == nullptr) {
+ return false;
+ }
+ if (type == SSLCredentialType::kDelegated && dc == nullptr) {
+ return false;
+ }
+ return true;
+}
+
+bool ssl_credential_st::SetLeafCert(UniquePtr leaf,
+ bool discard_key_on_mismatch) {
+ if (!UsesX509()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return false;
+ }
+
+ const bool private_key_matches_leaf = type != SSLCredentialType::kDelegated;
+
+ CBS cbs;
+ CRYPTO_BUFFER_init_CBS(leaf.get(), &cbs);
+ UniquePtr new_pubkey = ssl_cert_parse_pubkey(&cbs);
+ if (new_pubkey == nullptr) {
+ return false;
+ }
+
+ if (!ssl_is_key_type_supported(EVP_PKEY_id(new_pubkey.get()))) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+ return false;
+ }
+
+ // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
+ // certificates, so sanity-check the key usage extension.
+ if (EVP_PKEY_id(new_pubkey.get()) == EVP_PKEY_EC &&
+ !ssl_cert_check_key_usage(&cbs, key_usage_digital_signature)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
+ return false;
+ }
+
+ if (private_key_matches_leaf && privkey != nullptr &&
+ !ssl_compare_public_and_private_key(new_pubkey.get(), privkey.get())) {
+ if (!discard_key_on_mismatch) {
+ return false;
+ }
+ ERR_clear_error();
+ privkey = nullptr;
+ }
+
+ if (chain == nullptr) {
+ chain = new_leafless_chain();
+ if (chain == nullptr) {
+ return false;
+ }
+ }
+
+ CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(chain.get(), 0));
+ sk_CRYPTO_BUFFER_set(chain.get(), 0, leaf.release());
+ if (private_key_matches_leaf) {
+ pubkey = std::move(new_pubkey);
+ }
+ return true;
+}
+
+void ssl_credential_st::ClearIntermediateCerts() {
+ if (chain == nullptr) {
+ return;
+ }
+
+ while (sk_CRYPTO_BUFFER_num(chain.get()) > 1) {
+ CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_pop(chain.get()));
+ }
+}
+
+bool ssl_credential_st::AppendIntermediateCert(UniquePtr cert) {
+ if (!UsesX509()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return false;
+ }
+
+ if (chain == nullptr) {
+ chain = new_leafless_chain();
+ if (chain == nullptr) {
+ return false;
+ }
+ }
+
+ return PushToStack(chain.get(), std::move(cert));
+}
+
+SSL_CREDENTIAL *SSL_CREDENTIAL_new_x509(void) {
+ return New(SSLCredentialType::kX509);
+}
+
+SSL_CREDENTIAL *SSL_CREDENTIAL_new_delegated(void) {
+ return New(SSLCredentialType::kDelegated);
+}
+
+void SSL_CREDENTIAL_up_ref(SSL_CREDENTIAL *cred) { cred->UpRefInternal(); }
+
+void SSL_CREDENTIAL_free(SSL_CREDENTIAL *cred) {
+ if (cred != nullptr) {
+ cred->DecRefInternal();
+ }
+}
+
+int SSL_CREDENTIAL_set1_private_key(SSL_CREDENTIAL *cred, EVP_PKEY *key) {
+ if (!cred->UsesPrivateKey()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ // If the public half has been configured, check |key| matches. |pubkey| will
+ // have been extracted from the certificate, delegated credential, etc.
+ if (cred->pubkey != nullptr &&
+ !ssl_compare_public_and_private_key(cred->pubkey.get(), key)) {
+ return false;
+ }
+
+ cred->privkey = UpRef(key);
+ cred->key_method = nullptr;
+ return 1;
+}
+
+int SSL_CREDENTIAL_set_private_key_method(
+ SSL_CREDENTIAL *cred, const SSL_PRIVATE_KEY_METHOD *key_method) {
+ if (!cred->UsesPrivateKey()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ cred->privkey = nullptr;
+ cred->key_method = key_method;
+ return 1;
+}
+
+int SSL_CREDENTIAL_set1_cert_chain(SSL_CREDENTIAL *cred,
+ CRYPTO_BUFFER *const *certs,
+ size_t num_certs) {
+ if (!cred->UsesX509() || num_certs == 0) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ if (!cred->SetLeafCert(UpRef(certs[0]), /*discard_key_on_mismatch=*/false)) {
+ return 0;
+ }
+
+ cred->ClearIntermediateCerts();
+ for (size_t i = 1; i < num_certs; i++) {
+ if (!cred->AppendIntermediateCert(UpRef(certs[i]))) {
+ return 0;
+ }
+ }
+
+ return 1;
+}
+
+int SSL_CREDENTIAL_set1_delegated_credential(
+ SSL_CREDENTIAL *cred, CRYPTO_BUFFER *dc) {
+ if (cred->type != SSLCredentialType::kDelegated) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ // Parse the delegated credential to check for validity, and extract a few
+ // fields from it. See RFC 9345, section 4.
+ CBS cbs, spki, sig;
+ uint32_t valid_time;
+ uint16_t dc_cert_verify_algorithm, algorithm;
+ CRYPTO_BUFFER_init_CBS(dc, &cbs);
+ if (!CBS_get_u32(&cbs, &valid_time) ||
+ !CBS_get_u16(&cbs, &dc_cert_verify_algorithm) ||
+ !CBS_get_u24_length_prefixed(&cbs, &spki) ||
+ !CBS_get_u16(&cbs, &algorithm) ||
+ !CBS_get_u16_length_prefixed(&cbs, &sig) || //
+ CBS_len(&sig) == 0 || //
+ CBS_len(&cbs) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ return 0;
+ }
+
+ // RFC 9345 forbids algorithms that use the rsaEncryption OID. As the
+ // RSASSA-PSS OID is unusably complicated, this effectively means we will not
+ // support RSA delegated credentials.
+ if (SSL_get_signature_algorithm_key_type(dc_cert_verify_algorithm) ==
+ EVP_PKEY_RSA) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SIGNATURE_ALGORITHM);
+ return 0;
+ }
+
+ UniquePtr pubkey(EVP_parse_public_key(&spki));
+ if (pubkey == nullptr || CBS_len(&spki) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ return 0;
+ }
+
+ if (!cred->sigalgs.CopyFrom(MakeConstSpan(&dc_cert_verify_algorithm, 1))) {
+ return 0;
+ }
+
+ if (cred->privkey != nullptr &&
+ !ssl_compare_public_and_private_key(pubkey.get(), cred->privkey.get())) {
+ return 0;
+ }
+
+ cred->dc = UpRef(dc);
+ cred->pubkey = std::move(pubkey);
+ cred->dc_algorithm = algorithm;
+ return 1;
+}
+
+int SSL_CREDENTIAL_set1_ocsp_response(SSL_CREDENTIAL *cred,
+ CRYPTO_BUFFER *ocsp) {
+ if (!cred->UsesX509()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ cred->ocsp_response = UpRef(ocsp);
+ return 1;
+}
+
+int SSL_CREDENTIAL_set1_signed_cert_timestamp_list(SSL_CREDENTIAL *cred,
+ CRYPTO_BUFFER *sct_list) {
+ if (!cred->UsesX509()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ CBS cbs;
+ CRYPTO_BUFFER_init_CBS(sct_list, &cbs);
+ if (!ssl_is_sct_list_valid(&cbs)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);
+ return 0;
+ }
+
+ cred->signed_cert_timestamp_list = UpRef(sct_list);
+ return 1;
+}
+
+int SSL_CTX_add1_credential(SSL_CTX *ctx, SSL_CREDENTIAL *cred) {
+ if (!cred->IsComplete()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+ return ctx->cert->credentials.Push(UpRef(cred));
+}
+
+int SSL_add1_credential(SSL *ssl, SSL_CREDENTIAL *cred) {
+ if (ssl->config == nullptr) {
+ return 0;
+ }
+
+ if (!cred->IsComplete()) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+ return ssl->config->cert->credentials.Push(UpRef(cred));
+}
+
+const SSL_CREDENTIAL *SSL_get0_selected_credential(const SSL *ssl) {
+ if (ssl->s3->hs == nullptr) {
+ return nullptr;
+ }
+ return ssl->s3->hs->credential.get();
+}
+
+int SSL_CREDENTIAL_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_unused *unused,
+ CRYPTO_EX_dup *dup_unused,
+ CRYPTO_EX_free *free_func) {
+ return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func);
+}
+
+int SSL_CREDENTIAL_set_ex_data(SSL_CREDENTIAL *cred, int idx, void *arg) {
+ return CRYPTO_set_ex_data(&cred->ex_data, idx, arg);
+}
+
+void *SSL_CREDENTIAL_get_ex_data(const SSL_CREDENTIAL *cred, int idx) {
+ return CRYPTO_get_ex_data(&cred->ex_data, idx);
+}
diff --git a/Sources/CNIOBoringSSL/ssl/ssl_file.cc b/Sources/CNIOBoringSSL/ssl/ssl_file.cc
index eb33d952f..ba41319fe 100644
--- a/Sources/CNIOBoringSSL/ssl/ssl_file.cc
+++ b/Sources/CNIOBoringSSL/ssl/ssl_file.cc
@@ -204,7 +204,7 @@ int SSL_add_bio_cert_subjects_to_stack(STACK_OF(X509_NAME) *out, BIO *bio) {
 }
 STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
- bssl::UniquePtr in(BIO_new_file(file, "r"));
+ bssl::UniquePtr in(BIO_new_file(file, "rb"));
 if (in == nullptr) {
 return nullptr;
 }
@@ -219,7 +219,7 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
 int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *out,
 const char *file) {
- bssl::UniquePtr in(BIO_new_file(file, "r"));
+ bssl::UniquePtr in(BIO_new_file(file, "rb"));
 if (in == nullptr) {
 return 0;
 }
diff --git a/Sources/CNIOBoringSSL/ssl/ssl_key_share.cc b/Sources/CNIOBoringSSL/ssl/ssl_key_share.cc
index 3aeb7d323..dd7b3b419 100644
--- a/Sources/CNIOBoringSSL/ssl/ssl_key_share.cc
+++ b/Sources/CNIOBoringSSL/ssl/ssl_key_share.cc
@@ -24,9 +24,11 @@
 #include
 #include
 #include
-#include
+#define OPENSSL_UNSTABLE_EXPERIMENTAL_KYBER
+#include
 #include
 #include
+#include
 #include
 #include
 #include
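Review bot: `SSL_CREDENTIAL_set1_private_key` returns `false` on the public/private key mismatch path even though the function returns `int` and its other exits use `0` and `1`; change that line to `return 0;` so the C API's return convention is uniform. Two documentation gaps in the same file: the comment in `UsesPrivateKey` breaks off mid-sentence (`However, we may add PSK`) and should be completed or trimmed, and `SSL_CREDENTIAL_set1_delegated_credential` parses `valid_time` but never uses it, so a reader may assume expiry is enforced locally. If the intent is that only the wire format is checked here and the validity window is the peer's to verify, say so with `// |valid_time| is checked by the peer, not here; only the encoding is validated.`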
@@ -92,7 +94,7 @@ class ECKeyShare : public SSLKeyShare {
 !EC_POINT_oct2point(group_, peer_point.get(), ciphertext.data(),
 ciphertext.size(), /*ctx=*/nullptr)) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
- *out_alert = SSL_AD_DECODE_ERROR;
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
 return false;
 }
@@ -166,7 +168,7 @@ class X25519KeyShare : public SSLKeyShare {
 if (ciphertext.size() != 32 || //
 !X25519(secret.data(), private_key_, ciphertext.data())) {
- *out_alert = SSL_AD_DECODE_ERROR;
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
 return false;
 }
@@ -191,6 +193,7 @@ class X25519KeyShare : public SSLKeyShare {
 uint8_t private_key_[32];
 };
+// draft-tls-westerbaan-xyber768d00-03
 class X25519Kyber768KeyShare : public SSLKeyShare {
 public:
 X25519Kyber768KeyShare() {}
@@ -217,16 +220,14 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
 bool Encap(CBB *out_ciphertext, Array *out_secret,
 uint8_t *out_alert, Span peer_key) override {
 Array secret;
- if (!secret.Init(32 + 32)) {
+ if (!secret.Init(32 + KYBER_SHARED_SECRET_BYTES)) {
 return false;
 }
 uint8_t x25519_public_key[32];
 X25519_keypair(x25519_public_key, x25519_private_key_);
 KYBER_public_key peer_kyber_pub;
- CBS peer_key_cbs;
- CBS peer_x25519_cbs;
- CBS peer_kyber_cbs;
+ CBS peer_key_cbs, peer_x25519_cbs, peer_kyber_cbs;
 CBS_init(&peer_key_cbs, peer_key.data(), peer_key.size());
 if (!CBS_get_bytes(&peer_key_cbs, &peer_x25519_cbs, 32) ||
 !CBS_get_bytes(&peer_key_cbs, &peer_kyber_cbs,
@@ -235,14 +236,13 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
 !X25519(secret.data(), x25519_private_key_,
 CBS_data(&peer_x25519_cbs)) ||
 !KYBER_parse_public_key(&peer_kyber_pub, &peer_kyber_cbs)) {
- *out_alert = SSL_AD_DECODE_ERROR;
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
 return false;
 }
 uint8_t kyber_ciphertext[KYBER_CIPHERTEXT_BYTES];
- KYBER_encap(kyber_ciphertext, secret.data() + 32, secret.size() - 32,
- &peer_kyber_pub);
+ KYBER_encap(kyber_ciphertext, secret.data() + 32, &peer_kyber_pub);
 if (!CBB_add_bytes(out_ciphertext, x25519_public_key,
 sizeof(x25519_public_key)) ||
@@ -260,18 +260,18 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
 *out_alert = SSL_AD_INTERNAL_ERROR;
 Array secret;
- if (!secret.Init(32 + 32)) {
+ if (!secret.Init(32 + KYBER_SHARED_SECRET_BYTES)) {
 return false;
 }
 if (ciphertext.size() != 32 + KYBER_CIPHERTEXT_BYTES ||
 !X25519(secret.data(), x25519_private_key_, ciphertext.data())) {
- *out_alert = SSL_AD_DECODE_ERROR;
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
 return false;
 }
- KYBER_decap(secret.data() + 32, secret.size() - 32, ciphertext.data() + 32,
+ KYBER_decap(secret.data() + 32, ciphertext.data() + 32,
 &kyber_private_key_);
 *out_secret = std::move(secret);
 return true;
@@ -282,6 +282,97 @@ class X25519Kyber768KeyShare : public SSLKeyShare {
 KYBER_private_key kyber_private_key_;
 };
+// draft-kwiatkowski-tls-ecdhe-mlkem-01
+class X25519MLKEM768KeyShare : public SSLKeyShare {
+ public:
+ X25519MLKEM768KeyShare() {}
+
+ uint16_t GroupID() const override { return SSL_GROUP_X25519_MLKEM768; }
+
+ bool Generate(CBB *out) override {
+ uint8_t mlkem_public_key[MLKEM768_PUBLIC_KEY_BYTES];
+ MLKEM768_generate_key(mlkem_public_key, /*optional_out_seed=*/nullptr,
+ &mlkem_private_key_);
+
+ uint8_t x25519_public_key[X25519_PUBLIC_VALUE_LEN];
+ X25519_keypair(x25519_public_key, x25519_private_key_);
+
+ if (!CBB_add_bytes(out, mlkem_public_key, sizeof(mlkem_public_key)) ||
+ !CBB_add_bytes(out, x25519_public_key, sizeof(x25519_public_key))) {
+ return false;
+ }
+
+ return true;
+ }
+
+ bool Encap(CBB *out_ciphertext, Array *out_secret,
+ uint8_t *out_alert, Span peer_key) override {
+ Array secret;
+ if (!secret.Init(MLKEM_SHARED_SECRET_BYTES + X25519_SHARED_KEY_LEN)) {
+ return false;
+ }
+
+ MLKEM768_public_key peer_mlkem_pub;
+ uint8_t x25519_public_key[X25519_PUBLIC_VALUE_LEN];
+ X25519_keypair(x25519_public_key, x25519_private_key_);
+ CBS peer_key_cbs, peer_mlkem_cbs, peer_x25519_cbs;
+ CBS_init(&peer_key_cbs, peer_key.data(), peer_key.size());
+ if (!CBS_get_bytes(&peer_key_cbs, &peer_mlkem_cbs,
+ MLKEM768_PUBLIC_KEY_BYTES) ||
+ !MLKEM768_parse_public_key(&peer_mlkem_pub, &peer_mlkem_cbs) ||
+ !CBS_get_bytes(&peer_key_cbs, &peer_x25519_cbs,
+ X25519_PUBLIC_VALUE_LEN) ||
+ CBS_len(&peer_key_cbs) != 0 ||
+ !X25519(secret.data() + MLKEM_SHARED_SECRET_BYTES, x25519_private_key_,
+ CBS_data(&peer_x25519_cbs))) {
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
+ return false;
+ }
+
+ uint8_t mlkem_ciphertext[MLKEM768_CIPHERTEXT_BYTES];
+ MLKEM768_encap(mlkem_ciphertext, secret.data(), &peer_mlkem_pub);
+
+ if (!CBB_add_bytes(out_ciphertext, mlkem_ciphertext,
+ sizeof(mlkem_ciphertext)) ||
+ !CBB_add_bytes(out_ciphertext, x25519_public_key,
+ sizeof(x25519_public_key))) {
+ return false;
+ }
+
+ *out_secret = std::move(secret);
+ return true;
+ }
+
+ bool Decap(Array *out_secret, uint8_t *out_alert,
+ Span ciphertext) override {
+ *out_alert = SSL_AD_INTERNAL_ERROR;
+
+ Array secret;
+ if (!secret.Init(MLKEM_SHARED_SECRET_BYTES + X25519_SHARED_KEY_LEN)) {
+ return false;
+ }
+
+ if (ciphertext.size() !=
+ MLKEM768_CIPHERTEXT_BYTES + X25519_PUBLIC_VALUE_LEN ||
+ !MLKEM768_decap(secret.data(), ciphertext.data(),
+ MLKEM768_CIPHERTEXT_BYTES, &mlkem_private_key_) ||
+ !X25519(secret.data() + MLKEM_SHARED_SECRET_BYTES, x25519_private_key_,
+ ciphertext.data() + MLKEM768_CIPHERTEXT_BYTES)) {
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECPOINT);
+ return false;
+ }
+
+ *out_secret = std::move(secret);
+ return true;
+ }
+
+ private:
+ uint8_t x25519_private_key_[32];
+ MLKEM768_private_key mlkem_private_key_;
+};
+
 constexpr NamedGroup kNamedGroups[] = {
 {NID_secp224r1, SSL_GROUP_SECP224R1, "P-224", "secp224r1"},
 {NID_X9_62_prime256v1, SSL_GROUP_SECP256R1, "P-256", "prime256v1"},
@@ -290,6 +381,7 @@ constexpr NamedGroup kNamedGroups[] = {
 {NID_X25519, SSL_GROUP_X25519, "X25519", "x25519"},
 {NID_X25519Kyber768Draft00, SSL_GROUP_X25519_KYBER768_DRAFT00,
 "X25519Kyber768Draft00", ""},
+ {NID_X25519MLKEM768, SSL_GROUP_X25519_MLKEM768, "X25519MLKEM768", ""},
 };
 } // namespace
@@ -312,6 +404,8 @@ UniquePtr SSLKeyShare::Create(uint16_t group_id) {
 return MakeUnique();
 case SSL_GROUP_X25519_KYBER768_DRAFT00:
 return MakeUnique();
+ case SSL_GROUP_X25519_MLKEM768:
+ return MakeUnique();
 default:
 return nullptr;
 }
diff --git a/Sources/CNIOBoringSSL/ssl/ssl_lib.cc b/Sources/CNIOBoringSSL/ssl/ssl_lib.cc
index 0f8a79189..2eb67c651 100644
--- a/Sources/CNIOBoringSSL/ssl/ssl_lib.cc
+++ b/Sources/CNIOBoringSSL/ssl/ssl_lib.cc
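Review bot: `X25519MLKEM768KeyShare` declares `uint8_t x25519_private_key_[32];` with a bare magic length while every other X25519 buffer in the class is sized by a named constant (`X25519_PUBLIC_VALUE_LEN`, `X25519_SHARED_KEY_LEN`); declare it as `uint8_t x25519_private_key_[X25519_PRIVATE_KEY_LEN];` so the private-key size is tied to the same header as the rest. The parsing in `Encap` is tight (both sub-keys are length-prefixed by constants and `CBS_len(&peer_key_cbs) != 0` rejects trailing bytes), and `Decap` checks the exact ciphertext length before touching either component, so no defect there. One pre-existing inconsistency carried into the new class: `Encap` leaves `*out_alert` untouched when `secret.Init` fails, whereas `Decap` sets `SSL_AD_INTERNAL_ERROR` up front; it mirrors the Kyber class above, so it is a style point rather than a regression, but the new class is the natural place to start fixing it.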
@@ -279,17 +279,21 @@ ssl_open_record_t ssl_open_app_data(SSL *ssl, Span *out,
 return ret;
 }
-static bool cbb_add_hex(CBB *cbb, Span in) {
- static const char hextable[] = "0123456789abcdef";
- uint8_t *out;
+static uint8_t hex_char_consttime(uint8_t b) {
+ declassify_assert(b < 16);
+ return constant_time_select_8(constant_time_lt_8(b, 10), b + '0',
+ b - 10 + 'a');
+}
- if (!CBB_add_space(cbb, &out, in.size() * 2)) {
+static bool cbb_add_hex_consttime(CBB *cbb, Span in) {
+ uint8_t *out;
+if (!CBB_add_space(cbb, &out, in.size() * 2)) {
 return false;
 }
 for (uint8_t b : in) {
- *(out++) = (uint8_t)hextable[b >> 4];
- *(out++) = (uint8_t)hextable[b & 0xf];
+ *(out++) = hex_char_consttime(b >> 4);
+ *(out++) = hex_char_consttime(b & 0xf);
 }
 return true;
@@ -308,9 +312,11 @@ bool ssl_log_secret(const SSL *ssl, const char *label,
 !CBB_add_bytes(cbb.get(), reinterpret_cast(label),
 strlen(label)) ||
 !CBB_add_u8(cbb.get(), ' ') ||
- !cbb_add_hex(cbb.get(), ssl->s3->client_random) ||
+ !cbb_add_hex_consttime(cbb.get(), ssl->s3->client_random) ||
 !CBB_add_u8(cbb.get(), ' ') ||
- !cbb_add_hex(cbb.get(), secret) ||
+ // Convert to hex in constant time to avoid leaking |secret|. If the
+ // callback discards the data, we should not introduce side channels.
+ !cbb_add_hex_consttime(cbb.get(), secret) ||
 !CBB_add_u8(cbb.get(), 0 /* NUL */) ||
 !CBBFinishArray(cbb.get(), &line)) {
 return false;
@@ -419,7 +425,7 @@ static bool ssl_can_renegotiate(const SSL *ssl) {
 return false;
 }
- if (ssl->s3->have_version &&
+ if (ssl->s3->version != 0 &&
 ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
 return false;
 }
@@ -466,8 +472,10 @@ void SSL_set_handoff_mode(SSL *ssl, bool on) {
 bool SSL_get_traffic_secrets(const SSL *ssl,
 Span *out_read_traffic_secret,
 Span *out_write_traffic_secret) {
- if (SSL_version(ssl) < TLS1_3_VERSION) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
+ // This API is not well-defined for DTLS 1.3 (see https://crbug.com/42290608)
+ // or QUIC, where multiple epochs may be alive at once.
+ if (SSL_is_dtls(ssl) || ssl->quic_method != nullptr) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return false;
 }
@@ -476,11 +484,13 @@ bool SSL_get_traffic_secrets(const SSL *ssl,
 return false;
 }
- *out_read_traffic_secret = Span(
- ssl->s3->read_traffic_secret, ssl->s3->read_traffic_secret_len);
- *out_write_traffic_secret = Span(
- ssl->s3->write_traffic_secret, ssl->s3->write_traffic_secret_len);
+ if (SSL_version(ssl) < TLS1_3_VERSION) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
+ return false;
+ }
+ *out_read_traffic_secret = ssl->s3->read_traffic_secret;
+ *out_write_traffic_secret = ssl->s3->write_traffic_secret;
 return true;
 }
@@ -499,31 +509,23 @@ BSSL_NAMESPACE_END
 using namespace bssl;
-int SSL_library_init(void) {
- CRYPTO_library_init();
- return 1;
-}
+int SSL_library_init(void) { return 1; }
 int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings) {
- CRYPTO_library_init();
 return 1;
 }
 static uint32_t ssl_session_hash(const SSL_SESSION *sess) {
- return ssl_hash_session_id(
- MakeConstSpan(sess->session_id, sess->session_id_length));
+ return ssl_hash_session_id(sess->session_id);
 }
 static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
- if (a->session_id_length != b->session_id_length) {
- return 1;
- }
-
- return OPENSSL_memcmp(a->session_id, b->session_id, a->session_id_length);
+ return MakeConstSpan(a->session_id) == b->session_id ? 0 : 1;
 }
 ssl_ctx_st::ssl_ctx_st(const SSL_METHOD *ssl_method)
- : method(ssl_method->method),
+ : RefCounted(CheckSubClass()),
+ method(ssl_method->method),
 x509_method(ssl_method->x509_method),
 retain_only_sha256_of_client_certs(false),
 quiet_shutdown(false),
@@ -569,9 +571,10 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
 ret->cert = MakeUnique(method->x509_method);
 ret->sessions = lh_SSL_SESSION_new(ssl_session_hash, ssl_session_cmp);
 ret->client_CA.reset(sk_CRYPTO_BUFFER_new_null());
- if (ret->cert == nullptr ||
- ret->sessions == nullptr ||
- ret->client_CA == nullptr ||
+ if (ret->cert == nullptr || //
+ !ret->cert->is_valid() || //
+ ret->sessions == nullptr || //
+ ret->client_CA == nullptr || //
 !ret->x509_method->ssl_ctx_new(ret.get())) {
 return nullptr;
 }
@@ -589,18 +592,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method) {
 }
 int SSL_CTX_up_ref(SSL_CTX *ctx) {
- CRYPTO_refcount_inc(&ctx->references);
+ ctx->UpRefInternal();
 return 1;
 }
 void SSL_CTX_free(SSL_CTX *ctx) {
- if (ctx == NULL ||
- !CRYPTO_refcount_dec_and_test_zero(&ctx->references)) {
- return;
+ if (ctx != nullptr) {
+ ctx->DecRefInternal();
 }
-
- ctx->~ssl_ctx_st();
- OPENSSL_free(ctx);
 }
 ssl_st::ssl_st(SSL_CTX *ctx_arg)
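Review bot: `SSL_library_init` and `OPENSSL_init_ssl` are now unconditional no-ops, but nothing at their definitions says so, and callers that relied on the removed `CRYPTO_library_init()` call get no hint that it is no longer needed. A one-line comment above `SSL_library_init`, `// BoringSSL needs no explicit initialization; these exist only for OpenSSL source compatibility.`, would document the contract. Separately, `ssl_session_cmp` now compares session IDs with `Span`'s `operator==`, which is defined outside this hunk; it replaces `OPENSSL_memcmp`, so it is presumably an ordinary rather than constant-time byte comparison, which is unchanged from before and only worth a comment if the cache lookup path is ever treated as timing-sensitive.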
@@ -708,7 +707,9 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg)
 jdk11_workaround(false),
 quic_use_legacy_codepoint(false),
 permute_extensions(false),
- alps_use_new_codepoint(false) {
+ alps_use_new_codepoint(false),
+ check_client_certificate_type(true),
+ check_ecdsa_curve(true) {
 assert(ssl);
 }
@@ -1513,36 +1514,31 @@ int SSL_get_tls_unique(const SSL *ssl, uint8_t *out, size_t *out_len,
 // The tls-unique value is the first Finished message in the handshake, which
 // is the client's in a full handshake and the server's for a resumption. See
 // https://tools.ietf.org/html/rfc5929#section-3.1.
- const uint8_t *finished = ssl->s3->previous_client_finished;
- size_t finished_len = ssl->s3->previous_client_finished_len;
+ Span finished = ssl->s3->previous_client_finished;
 if (ssl->session != NULL) {
 // tls-unique is broken for resumed sessions unless EMS is used.
 if (!ssl->session->extended_master_secret) {
 return 0;
 }
 finished = ssl->s3->previous_server_finished;
- finished_len = ssl->s3->previous_server_finished_len;
 }
- *out_len = finished_len;
- if (finished_len > max_out) {
+ *out_len = finished.size();
+ if (finished.size() > max_out) {
 *out_len = max_out;
 }
- OPENSSL_memcpy(out, finished, *out_len);
+ OPENSSL_memcpy(out, finished.data(), *out_len);
 return 1;
 }
 static int set_session_id_context(CERT *cert, const uint8_t *sid_ctx,
- size_t sid_ctx_len) {
- if (sid_ctx_len > sizeof(cert->sid_ctx)) {
+ size_t sid_ctx_len) {
+ if (!cert->sid_ctx.TryCopyFrom(MakeConstSpan(sid_ctx, sid_ctx_len))) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG);
 return 0;
 }
- static_assert(sizeof(cert->sid_ctx) < 256, "sid_ctx too large");
- cert->sid_ctx_length = (uint8_t)sid_ctx_len;
- OPENSSL_memcpy(cert->sid_ctx, sid_ctx, sid_ctx_len);
 return 1;
 }
@@ -1565,15 +1561,8 @@ const uint8_t *SSL_get0_session_id_context(const SSL *ssl, size_t *out_len) {
 *out_len = 0;
 return NULL;
 }
- *out_len = ssl->config->cert->sid_ctx_length;
- return ssl->config->cert->sid_ctx;
-}
-
-void SSL_certs_clear(SSL *ssl) {
- if (!ssl->config) {
- return;
- }
- ssl_cert_clear_certs(ssl->config->cert.get());
+ *out_len = ssl->config->cert->sid_ctx.size();
+ return ssl->config->cert->sid_ctx.data();
 }
 int SSL_get_fd(const SSL *ssl) { return SSL_get_rfd(ssl); }
@@ -1648,13 +1637,12 @@ int SSL_set_rfd(SSL *ssl, int fd) {
 }
 #endif // !OPENSSL_NO_SOCK
-static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
- size_t in_len) {
- if (out_len > in_len) {
- out_len = in_len;
+static size_t copy_finished(void *out, size_t out_len, Span in) {
+ if (out_len > in.size()) {
+ out_len = in.size();
 }
- OPENSSL_memcpy(out, in, out_len);
- return in_len;
+ OPENSSL_memcpy(out, in.data(), out_len);
+ return in.size();
 }
 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
@@ -1664,12 +1652,10 @@ size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
 }
 if (ssl->server) {
- return copy_finished(buf, count, ssl->s3->previous_server_finished,
- ssl->s3->previous_server_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_server_finished);
 }
- return copy_finished(buf, count, ssl->s3->previous_client_finished,
- ssl->s3->previous_client_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_client_finished);
 }
 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
@@ -1679,12 +1665,10 @@ size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
 }
 if (ssl->server) {
- return copy_finished(buf, count, ssl->s3->previous_client_finished,
- ssl->s3->previous_client_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_client_finished);
 }
- return copy_finished(buf, count, ssl->s3->previous_server_finished,
- ssl->s3->previous_server_finished_len);
+ return copy_finished(buf, count, ssl->s3->previous_server_finished);
 }
 int SSL_get_verify_mode(const SSL *ssl) {
@@ -1698,7 +1682,7 @@ int SSL_get_verify_mode(const SSL *ssl) {
 int SSL_get_extms_support(const SSL *ssl) {
 // TLS 1.3 does not require extended master secret and always reports as
 // supporting it.
- if (!ssl->s3->have_version) {
+ if (ssl->s3->version == 0) {
 return 0;
 }
 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
@@ -1734,17 +1718,36 @@ int SSL_has_pending(const SSL *ssl) {
 return SSL_pending(ssl) != 0 || !ssl->s3->read_buffer.empty();
 }
+static bool has_cert_and_key(const SSL_CREDENTIAL *cred) {
+ // TODO(davidben): If |cred->key_method| is set, that should be fine too.
+ if (cred->privkey == nullptr) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
+ return false;
+ }
+
+ if (cred->chain == nullptr ||
+ sk_CRYPTO_BUFFER_value(cred->chain.get(), 0) == nullptr) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
+ return false;
+ }
+
+ return true;
+}
+
 int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
- return ssl_cert_check_private_key(ctx->cert.get(),
- ctx->cert->privatekey.get());
+ // There is no need to actually check consistency because inconsistent values
+ // can never be configured.
+ return has_cert_and_key(ctx->cert->legacy_credential.get());
 }
 int SSL_check_private_key(const SSL *ssl) {
 if (!ssl->config) {
 return 0;
 }
- return ssl_cert_check_private_key(ssl->config->cert.get(),
- ssl->config->cert->privatekey.get());
+
+ // There is no need to actually check consistency because inconsistent values
+ // can never be configured.
+ return has_cert_and_key(ssl->config->cert->legacy_credential.get());
 }
 long SSL_get_default_timeout(const SSL *ssl) {
@@ -1854,7 +1857,7 @@ int SSL_set_mtu(SSL *ssl, unsigned mtu) {
 }
 int SSL_get_secure_renegotiation_support(const SSL *ssl) {
- if (!ssl->s3->have_version) {
+ if (ssl->s3->version == 0) {
 return 0;
 }
 return ssl_protocol_version(ssl) >= TLS1_3_VERSION ||
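Review bot: `has_cert_and_key` reads index 0 of `cred->chain` without first checking `sk_CRYPTO_BUFFER_num(cred->chain.get()) == 0`, unlike `ssl_credential_st::IsComplete` in the new ssl_credential.cc, which guards the same lookup; if `sk_CRYPTO_BUFFER_value` returns null for an out-of-range index this is only an inconsistency, but the guard is free: `if (cred->chain == nullptr || sk_CRYPTO_BUFFER_num(cred->chain.get()) == 0 || sk_CRYPTO_BUFFER_value(cred->chain.get(), 0) == nullptr) {`. The `TODO(davidben)` also means `SSL_CTX_check_private_key` and `SSL_check_private_key` now fail with `SSL_R_NO_PRIVATE_KEY_ASSIGNED` for a credential configured through `SSL_CREDENTIAL_set_private_key_method`, which is a visible behavior change for callers using custom key methods; until the TODO is resolved this deserves a note in the public header.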
@@ -2268,34 +2271,49 @@ int SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) {
 int SSL_select_next_proto(uint8_t **out, uint8_t *out_len, const uint8_t *peer,
 unsigned peer_len, const uint8_t *supported,
 unsigned supported_len) {
- const uint8_t *result;
- int status;
+ *out = nullptr;
+ *out_len = 0;
+
+ // Both |peer| and |supported| must be valid protocol lists, but |peer| may be
+ // empty in NPN.
+ auto peer_span = MakeConstSpan(peer, peer_len);
+ auto supported_span = MakeConstSpan(supported, supported_len);
+ if ((!peer_span.empty() && !ssl_is_valid_alpn_list(peer_span)) ||
+ !ssl_is_valid_alpn_list(supported_span)) {
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
 // For each protocol in peer preference order, see if we support it.
- for (unsigned i = 0; i < peer_len;) {
- for (unsigned j = 0; j < supported_len;) {
- if (peer[i] == supported[j] &&
- OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) {
- // We found a match
- result = &peer[i];
- status = OPENSSL_NPN_NEGOTIATED;
- goto found;
- }
- j += supported[j];
- j++;
+ CBS cbs = peer_span, proto;
+ while (CBS_len(&cbs) != 0) {
+ if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
+
+ if (ssl_alpn_list_contains_protocol(MakeConstSpan(supported, supported_len),
+ proto)) {
+ // This function is not const-correct for compatibility with existing
+ // callers.
+ *out = const_cast(CBS_data(&proto));
+ // A u8 length prefix will fit in |uint8_t|.
+ *out_len = static_cast(CBS_len(&proto));
+ return OPENSSL_NPN_NEGOTIATED;
 }
- i += peer[i];
- i++;
 }
- // There's no overlap between our protocols and the peer's list.
- result = supported;
- status = OPENSSL_NPN_NO_OVERLAP;
+ // There's no overlap between our protocols and the peer's list. In ALPN, the
+ // caller is expected to fail the connection with no_application_protocol. In
+ // NPN, the caller is expected to opportunistically select the first protocol.
+ // See draft-agl-tls-nextprotoneg-04, section 6.
+ cbs = supported_span;
+ if (!CBS_get_u8_length_prefixed(&cbs, &proto) || CBS_len(&proto) == 0) {
+ return OPENSSL_NPN_NO_OVERLAP;
+ }
-found:
- *out = (uint8_t *)result + 1;
- *out_len = result[0];
- return status;
+ // See above.
+ *out = const_cast(CBS_data(&proto));
+ *out_len = static_cast(CBS_len(&proto));
+ return OPENSSL_NPN_NO_OVERLAP;
 }
 void SSL_get0_next_proto_negotiated(const SSL *ssl, const uint8_t **out_data,
@@ -2519,21 +2537,13 @@ size_t SSL_get0_peer_delegation_algorithms(const SSL *ssl,
 EVP_PKEY *SSL_get_privatekey(const SSL *ssl) {
 if (!ssl->config) {
 assert(ssl->config);
- return NULL;
- }
- if (ssl->config->cert != NULL) {
- return ssl->config->cert->privatekey.get();
+ return nullptr;
 }
-
- return NULL;
+ return ssl->config->cert->legacy_credential->privkey.get();
 }
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx) {
- if (ctx->cert != NULL) {
- return ctx->cert->privatekey.get();
- }
-
- return NULL;
+ return ctx->cert->legacy_credential->privkey.get();
 }
 const SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl) {
@@ -2670,12 +2680,8 @@ int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method) {
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
 CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) {
- int index;
- if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl, &index, argl, argp,
- free_func)) {
- return -1;
- }
- return index;
+ return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl, argl, argp,
+ free_func);
 }
 int SSL_set_ex_data(SSL *ssl, int idx, void *data) {
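Review bot: `SSL_select_next_proto` now has two distinct `OPENSSL_NPN_NO_OVERLAP` outcomes: when either list fails validation it returns with `*out == nullptr` and `*out_len == 0`, whereas a genuine no-overlap returns with `*out` pointing at the first supported protocol. NPN callers that follow the opportunistic-selection pattern described in the comment and use `*out` on `OPENSSL_NPN_NO_OVERLAP` without a null check will now dereference null on malformed input, so the public header should state that `*out` may be NULL on `OPENSSL_NPN_NO_OVERLAP` and that callers must check it before use. A small style point: the loop rebuilds `MakeConstSpan(supported, supported_len)` although `supported_span` is already in scope; pass `supported_span` to `ssl_alpn_list_contains_protocol` instead.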
@@ -2689,12 +2695,8 @@ void *SSL_get_ex_data(const SSL *ssl, int idx) { int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - int index; - if (!CRYPTO_get_ex_new_index(&g_ex_data_class_ssl_ctx, &index, argl, argp, - free_func)) { - return -1; - } - return index; + return CRYPTO_get_ex_new_index_ex(&g_ex_data_class_ssl_ctx, argl, argp, + free_func); } int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *data) { @@ -2941,8 +2943,18 @@ int SSL_get_ivs(const SSL *ssl, const uint8_t **out_read_iv, uint64_t SSL_get_read_sequence(const SSL *ssl) { if (SSL_is_dtls(ssl)) { - // max_seq_num already includes the epoch. - assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48)); + // TODO(crbug.com/42290608): The API for read sequences in DTLS 1.3 needs to + // reworked. In DTLS 1.3, the read epoch is updated once new keys are + // derived (before we receive a message encrypted with those keys), which + // results in the read epoch being ahead of the highest record received. + // Additionally, when we process a KeyUpdate, we will install new read keys + // for the new epoch, but we may receive messages from the old epoch for + // some time if the ACK gets lost or there is reordering. + + // max_seq_num already includes the epoch. However, the current epoch may + // be one ahead of the highest record received, immediately after a key + // change. + assert(ssl->d1->r_epoch >= ssl->d1->bitmap.max_seq_num >> 48); return ssl->d1->bitmap.max_seq_num; } return ssl->s3->read_sequence; 
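Review bot: The new comment in SSL_get_read_sequence reads `needs to reworked`; it should be `needs to be reworked`. Beyond wording, relaxing the assertion from `==` to `>=` means a release build returns `max_seq_num` whose epoch bits may lag `r_epoch` in the window the comment describes, so a caller deriving the current read epoch from this value can observe a stale one; the added comment explains why, which is adequate until the referenced TODO is resolved.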
@@ -3048,6 +3060,20 @@ void SSL_set_jdk11_workaround(SSL *ssl, int enable) { ssl->config->jdk11_workaround = !!enable; } +void SSL_set_check_client_certificate_type(SSL *ssl, int enable) { + if (!ssl->config) { + return; + } + ssl->config->check_client_certificate_type = !!enable; +} + +void SSL_set_check_ecdsa_curve(SSL *ssl, int enable) { + if (!ssl->config) { + return; + } + ssl->config->check_ecdsa_curve = !!enable; +} + void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy) { if (!ssl->config) { return; @@ -3366,6 +3392,21 @@ static int Configure(SSL *ssl) { } // namespace wpa202304 +namespace cnsa202407 { + +static int Configure(SSL_CTX *ctx) { + ctx->tls13_cipher_policy = ssl_compliance_policy_cnsa_202407; + return 1; +} + +static int Configure(SSL *ssl) { + ssl->config->tls13_cipher_policy = + ssl_compliance_policy_cnsa_202407; + return 1; +} + +} + int SSL_CTX_set_compliance_policy(SSL_CTX *ctx, enum ssl_compliance_policy_t policy) { switch (policy) { @@ -3373,6 +3414,8 @@ int SSL_CTX_set_compliance_policy(SSL_CTX *ctx, return fips202205::Configure(ctx); case ssl_compliance_policy_wpa3_192_202304: return wpa202304::Configure(ctx); + case ssl_compliance_policy_cnsa_202407: + return cnsa202407::Configure(ctx); default: return 0; } @@ -3384,6 +3427,8 @@ int SSL_set_compliance_policy(SSL *ssl, enum ssl_compliance_policy_t policy) { return fips202205::Configure(ssl); case ssl_compliance_policy_wpa3_192_202304: return wpa202304::Configure(ssl); + case ssl_compliance_policy_cnsa_202407: + return cnsa202407::Configure(ssl); default: return 0; } diff --git a/Sources/CNIOBoringSSL/ssl/ssl_privkey.cc b/Sources/CNIOBoringSSL/ssl/ssl_privkey.cc index daffc732a..afff2c072 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_privkey.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_privkey.cc @@ -59,6 +59,8 @@ #include #include +#include + #include #include #include 
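Review bot: The closing brace of the new `cnsa202407` namespace is bare, while the neighbouring namespace closes as `} // namespace wpa202304`; for consistency it should be `}  // namespace cnsa202407`. Separately, `cnsa202407::Configure(SSL *ssl)` writes `ssl->config->tls13_cipher_policy` without the `if (!ssl->config) { return; }` guard that `SSL_set_check_client_certificate_type` and `SSL_set_check_ecdsa_curve` in the `@@ -3048` hunk use; if `SSL_set_compliance_policy`, whose body is only partly visible, performs that check before dispatching, this is fine, otherwise a shed config is a null dereference.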
@@ -77,52 +79,67 @@ bool ssl_is_key_type_supported(int key_type) { key_type == EVP_PKEY_ED25519; } -static bool ssl_set_pkey(CERT *cert, EVP_PKEY *pkey) { - if (!ssl_is_key_type_supported(EVP_PKEY_id(pkey))) { - OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - return false; - } - - if (cert->chain != nullptr && - sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) != nullptr && - // Sanity-check that the private key and the certificate match. - !ssl_cert_check_private_key(cert, pkey)) { - return false; - } - - cert->privatekey = UpRef(pkey); - return true; -} - typedef struct { uint16_t sigalg; int pkey_type; int curve; const EVP_MD *(*digest_func)(void); bool is_rsa_pss; + bool tls12_ok; + bool tls13_ok; + bool client_only; } SSL_SIGNATURE_ALGORITHM; static const SSL_SIGNATURE_ALGORITHM kSignatureAlgorithms[] = { + // PKCS#1 v1.5 code points are only allowed in TLS 1.2. {SSL_SIGN_RSA_PKCS1_MD5_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_md5_sha1, - false}, - {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, false}, - {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, false}, - {SSL_SIGN_RSA_PKCS1_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, false}, - {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, false}, - - {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, true}, - {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, true}, - {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, true}, - - {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, false}, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false, + /*client_only=*/false}, + {SSL_SIGN_RSA_PKCS1_SHA1, EVP_PKEY_RSA, NID_undef, &EVP_sha1, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false, + /*client_only=*/false}, + {SSL_SIGN_RSA_PKCS1_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false, + /*client_only=*/false}, + {SSL_SIGN_RSA_PKCS1_SHA384, 
EVP_PKEY_RSA, NID_undef, &EVP_sha384, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false, + /*client_only=*/false}, + {SSL_SIGN_RSA_PKCS1_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false, + /*client_only=*/false}, + + // Legacy PKCS#1 v1.5 code points are only allowed in TLS 1.3 and + // client-only. See draft-ietf-tls-tls13-pkcs1-00. + {SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, EVP_PKEY_RSA, NID_undef, &EVP_sha256, + /*is_rsa_pss=*/false, /*tls12_ok=*/false, /*tls13_ok=*/true, + /*client_only=*/true}, + + {SSL_SIGN_RSA_PSS_RSAE_SHA256, EVP_PKEY_RSA, NID_undef, &EVP_sha256, + /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true, + /*client_only=*/false}, + {SSL_SIGN_RSA_PSS_RSAE_SHA384, EVP_PKEY_RSA, NID_undef, &EVP_sha384, + /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true, + /*client_only=*/false}, + {SSL_SIGN_RSA_PSS_RSAE_SHA512, EVP_PKEY_RSA, NID_undef, &EVP_sha512, + /*is_rsa_pss=*/true, /*tls12_ok=*/true, /*tls13_ok=*/true, + /*client_only=*/false}, + + {SSL_SIGN_ECDSA_SHA1, EVP_PKEY_EC, NID_undef, &EVP_sha1, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/false, + /*client_only=*/false}, {SSL_SIGN_ECDSA_SECP256R1_SHA256, EVP_PKEY_EC, NID_X9_62_prime256v1, - &EVP_sha256, false}, + &EVP_sha256, /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true, + /*client_only=*/false}, {SSL_SIGN_ECDSA_SECP384R1_SHA384, EVP_PKEY_EC, NID_secp384r1, &EVP_sha384, - false}, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true, + /*client_only=*/false}, {SSL_SIGN_ECDSA_SECP521R1_SHA512, EVP_PKEY_EC, NID_secp521r1, &EVP_sha512, - false}, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true, + /*client_only=*/false}, - {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr, false}, + {SSL_SIGN_ED25519, EVP_PKEY_ED25519, NID_undef, nullptr, + /*is_rsa_pss=*/false, /*tls12_ok=*/true, /*tls13_ok=*/true, + /*client_only=*/false}, }; static const SSL_SIGNATURE_ALGORITHM 
*get_signature_algorithm(uint16_t sigalg) { @@ -134,21 +151,21 @@ static const SSL_SIGNATURE_ALGORITHM *get_signature_algorithm(uint16_t sigalg) { return NULL; } -bool ssl_has_private_key(const SSL_HANDSHAKE *hs) { - if (hs->config->cert->privatekey != nullptr || - hs->config->cert->key_method != nullptr || - ssl_signing_with_dc(hs)) { - return true; +bool ssl_pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, + uint16_t sigalg, bool is_verify) { + const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); + if (alg == NULL || EVP_PKEY_id(pkey) != alg->pkey_type) { + return false; } - return false; -} - -static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, - uint16_t sigalg) { - const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); - if (alg == NULL || - EVP_PKEY_id(pkey) != alg->pkey_type) { + // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that + // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the + // hash in TLS. Reasonable RSA key sizes are large enough for the largest + // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for + // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the + // size so that we can fall back to another algorithm in that case. + if (alg->is_rsa_pss && + (size_t)EVP_PKEY_size(pkey) < 2 * EVP_MD_size(alg->digest_func()) + 2) { return false; } @@ -167,8 +184,12 @@ static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, } if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { - // RSA keys may only be used with RSA-PSS. - if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) { + if (!alg->tls13_ok) { + return false; + } + + bool is_client_sign = ssl->server == is_verify; + if (alg->client_only && !is_client_sign) { return false; } 
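Review bot: ssl_pkey_supports_algorithm becomes non-static and gains an `is_verify` parameter, but carries no comment describing it; the role derivation `bool is_client_sign = ssl->server == is_verify;` is the only place its meaning can be read. A header comment along the lines of `// ssl_pkey_supports_algorithm returns whether |pkey| may be used with |sigalg| on |ssl|. |is_verify| is true when |pkey| is the peer's key and a signature is being verified, false when signing with it; client-only algorithms are judged by the signer's role.` would help callers outside this file. The function body continues past this hunk (the TLS 1.2 branch is in `@@ -179`).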
@@ -179,6 +200,8 @@ static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey))) != alg->curve)) { return false; } + } else if (!alg->tls12_ok) { + return false; } return true; @@ -186,7 +209,7 @@ static bool pkey_supports_algorithm(const SSL *ssl, EVP_PKEY *pkey, static bool setup_ctx(SSL *ssl, EVP_MD_CTX *ctx, EVP_PKEY *pkey, uint16_t sigalg, bool is_verify) { - if (!pkey_supports_algorithm(ssl, pkey, sigalg)) { + if (!ssl_pkey_supports_algorithm(ssl, pkey, sigalg, is_verify)) { OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SIGNATURE_TYPE); return false; } @@ -216,12 +239,13 @@ enum ssl_private_key_result_t ssl_private_key_sign( SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg, Span in) { SSL *const ssl = hs->ssl; + const SSL_CREDENTIAL *const cred = hs->credential.get(); SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); Array spki; if (hints) { ScopedCBB spki_cbb; if (!CBB_init(spki_cbb.get(), 64) || - !EVP_marshal_public_key(spki_cbb.get(), hs->local_pubkey.get()) || + !EVP_marshal_public_key(spki_cbb.get(), cred->pubkey.get()) || !CBBFinishArray(spki_cbb.get(), &spki)) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return ssl_private_key_failure; @@ -241,13 +265,9 @@ enum ssl_private_key_result_t ssl_private_key_sign( return ssl_private_key_success; } - const SSL_PRIVATE_KEY_METHOD *key_method = hs->config->cert->key_method; - EVP_PKEY *privatekey = hs->config->cert->privatekey.get(); + const SSL_PRIVATE_KEY_METHOD *key_method = cred->key_method; + EVP_PKEY *privkey = cred->privkey.get(); assert(!hs->can_release_private_key); - if (ssl_signing_with_dc(hs)) { - key_method = hs->config->cert->dc_key_method; - privatekey = hs->config->cert->dc_privatekey.get(); - } if (key_method != NULL) { enum ssl_private_key_result_t ret; 
@@ -267,7 +287,7 @@ enum ssl_private_key_result_t ssl_private_key_sign( } else { *out_len = max_out; ScopedEVP_MD_CTX ctx; - if (!setup_ctx(ssl, ctx.get(), privatekey, sigalg, false /* sign */) || + if (!setup_ctx(ssl, ctx.get(), privkey, sigalg, false /* sign */) || !EVP_DigestSign(ctx.get(), out, out_len, in.data(), in.size())) { return ssl_private_key_failure; } @@ -307,14 +327,15 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs, size_t max_out, Span in) { SSL *const ssl = hs->ssl; + const SSL_CREDENTIAL *const cred = hs->credential.get(); assert(!hs->can_release_private_key); - if (hs->config->cert->key_method != NULL) { + if (cred->key_method != NULL) { enum ssl_private_key_result_t ret; if (hs->pending_private_key_op) { - ret = hs->config->cert->key_method->complete(ssl, out, out_len, max_out); + ret = cred->key_method->complete(ssl, out, out_len, max_out); } else { - ret = hs->config->cert->key_method->decrypt(ssl, out, out_len, max_out, - in.data(), in.size()); + ret = cred->key_method->decrypt(ssl, out, out_len, max_out, in.data(), + in.size()); } if (ret == ssl_private_key_failure) { OPENSSL_PUT_ERROR(SSL, SSL_R_PRIVATE_KEY_OPERATION_FAILED); @@ -323,7 +344,7 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs, return ret; } - RSA *rsa = EVP_PKEY_get0_RSA(hs->config->cert->privatekey.get()); + RSA *rsa = EVP_PKEY_get0_RSA(cred->privkey.get()); if (rsa == NULL) { // Decrypt operations are only supported for RSA keys. OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 
@@ -339,28 +360,6 @@ enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs, return ssl_private_key_success; } -bool ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs, - uint16_t sigalg) { - SSL *const ssl = hs->ssl; - if (!pkey_supports_algorithm(ssl, hs->local_pubkey.get(), sigalg)) { - return false; - } - - // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that - // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the - // hash in TLS. Reasonable RSA key sizes are large enough for the largest - // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for - // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the - // size so that we can fall back to another algorithm in that case. - const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg); - if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) < - 2 * EVP_MD_size(alg->digest_func()) + 2) { - return false; - } - - return true; -} - BSSL_NAMESPACE_END using namespace bssl; @@ -378,7 +377,7 @@ int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) { return 0; } - return ssl_set_pkey(ssl->config->cert.get(), pkey.get()); + return SSL_use_PrivateKey(ssl, pkey.get()); } int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) { @@ -397,7 +396,8 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) { return 0; } - return ssl_set_pkey(ssl->config->cert.get(), pkey); + return SSL_CREDENTIAL_set1_private_key( + ssl->config->cert->legacy_credential.get(), pkey); } int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const uint8_t *der, @@ -430,7 +430,7 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) { return 0; } - return ssl_set_pkey(ctx->cert.get(), pkey.get()); + return SSL_CTX_use_PrivateKey(ctx, pkey.get()); } int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const uint8_t *der, 
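Review bot: The removed ssl_set_pkey helper (in the `@@ -77` hunk) rejected unsupported key types and, when a leaf certificate was already configured, ran `ssl_cert_check_private_key` so that a mismatched key was refused at configuration time; SSL_use_PrivateKey now delegates to `SSL_CREDENTIAL_set1_private_key`, whose body is not in this patch, so it should be confirmed that both checks still happen there rather than surfacing only at handshake time. The same applies to SSL_CTX_use_PrivateKey in the `@@ -450` hunk.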
@@ -450,7 +450,8 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { return 0; } - return ssl_set_pkey(ctx->cert.get(), pkey); + return SSL_CREDENTIAL_set1_private_key(ctx->cert->legacy_credential.get(), + pkey); } int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const uint8_t *der, @@ -475,15 +476,17 @@ void SSL_set_private_key_method(SSL *ssl, if (!ssl->config) { return; } - ssl->config->cert->key_method = key_method; + BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method( + ssl->config->cert->legacy_credential.get(), key_method)); } void SSL_CTX_set_private_key_method(SSL_CTX *ctx, const SSL_PRIVATE_KEY_METHOD *key_method) { - ctx->cert->key_method = key_method; + BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method( + ctx->cert->legacy_credential.get(), key_method)); } -static constexpr size_t kMaxSignatureAlgorithmNameLen = 23; +static constexpr size_t kMaxSignatureAlgorithmNameLen = 24; struct SignatureAlgorithmName { uint16_t signature_algorithm; @@ -496,6 +499,7 @@ static const SignatureAlgorithmName kSignatureAlgorithmNames[] = { {SSL_SIGN_RSA_PKCS1_MD5_SHA1, "rsa_pkcs1_md5_sha1"}, {SSL_SIGN_RSA_PKCS1_SHA1, "rsa_pkcs1_sha1"}, {SSL_SIGN_RSA_PKCS1_SHA256, "rsa_pkcs1_sha256"}, + {SSL_SIGN_RSA_PKCS1_SHA256_LEGACY, "rsa_pkcs1_sha256_legacy"}, {SSL_SIGN_RSA_PKCS1_SHA384, "rsa_pkcs1_sha384"}, {SSL_SIGN_RSA_PKCS1_SHA512, "rsa_pkcs1_sha512"}, {SSL_SIGN_ECDSA_SHA1, "ecdsa_sha1"}, 
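Review bot: `BSSL_CHECK(SSL_CREDENTIAL_set_private_key_method(...))` in SSL_set_private_key_method and SSL_CTX_set_private_key_method turns a failed call into a process abort inside void setters that previously could not fail. That is only acceptable if the legacy credential unconditionally accepts a key method, which cannot be seen here; `SSL_CREDENTIAL_set1_signing_algorithm_prefs` in the next hunk shows that credential operations can be refused via `UsesPrivateKey()`, so the invariant is worth stating next to the check, e.g. `// The legacy credential always uses a private key, so this cannot fail.`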
@@ -632,9 +636,28 @@ static bool set_sigalg_prefs(Array *out, Span prefs) { return true; } +int SSL_CREDENTIAL_set1_signing_algorithm_prefs(SSL_CREDENTIAL *cred, + const uint16_t *prefs, + size_t num_prefs) { + if (!cred->UsesPrivateKey()) { + OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + // Delegated credentials are constrained to a single algorithm, so there is no + // need to configure this. + if (cred->type == SSLCredentialType::kDelegated) { + OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + return set_sigalg_prefs(&cred->sigalgs, MakeConstSpan(prefs, num_prefs)); +} + int SSL_CTX_set_signing_algorithm_prefs(SSL_CTX *ctx, const uint16_t *prefs, size_t num_prefs) { - return set_sigalg_prefs(&ctx->cert->sigalgs, MakeConstSpan(prefs, num_prefs)); + return SSL_CREDENTIAL_set1_signing_algorithm_prefs( + ctx->cert->legacy_credential.get(), prefs, num_prefs); } int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs, @@ -642,8 +665,8 @@ int SSL_set_signing_algorithm_prefs(SSL *ssl, const uint16_t *prefs, if (!ssl->config) { return 0; } - return set_sigalg_prefs(&ssl->config->cert->sigalgs, - MakeConstSpan(prefs, num_prefs)); + return SSL_CREDENTIAL_set1_signing_algorithm_prefs( + ssl->config->cert->legacy_credential.get(), prefs, num_prefs); } static constexpr struct { diff --git a/Sources/CNIOBoringSSL/ssl/ssl_session.cc b/Sources/CNIOBoringSSL/ssl/ssl_session.cc index b5acb4511..c4c4a3231 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_session.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_session.cc 
@@ -197,12 +197,10 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { new_session->is_server = session->is_server; new_session->ssl_version = session->ssl_version; new_session->is_quic = session->is_quic; - new_session->sid_ctx_length = session->sid_ctx_length; - OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length); + new_session->sid_ctx = session->sid_ctx; // Copy the key material. - new_session->secret_length = session->secret_length; - OPENSSL_memcpy(new_session->secret, session->secret, session->secret_length); + new_session->secret = session->secret; new_session->cipher = session->cipher; // Copy authentication state. @@ -247,17 +245,9 @@ UniquePtr SSL_SESSION_dup(SSL_SESSION *session, int dup_flags) { // Copy non-authentication connection properties. if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) { - new_session->session_id_length = session->session_id_length; - OPENSSL_memcpy(new_session->session_id, session->session_id, - session->session_id_length); - + new_session->session_id = session->session_id; new_session->group_id = session->group_id; - - OPENSSL_memcpy(new_session->original_handshake_hash, - session->original_handshake_hash, - session->original_handshake_hash_len); - new_session->original_handshake_hash_len = - session->original_handshake_hash_len; + new_session->original_handshake_hash = session->original_handshake_hash; new_session->ticket_lifetime_hint = session->ticket_lifetime_hint; new_session->ticket_age_add = session->ticket_age_add; new_session->ticket_max_early_data = session->ticket_max_early_data; @@ -362,7 +352,7 @@ bool ssl_get_new_session(SSL_HANDSHAKE *hs) { } session->is_server = ssl->server; - session->ssl_version = ssl->version; + session->ssl_version = ssl->s3->version; session->is_quic = ssl->quic_method != nullptr; // Fill in the time from the |SSL_CTX|'s clock. 
@@ -383,13 +373,10 @@ bool ssl_get_new_session(SSL_HANDSHAKE *hs) { session->auth_timeout = ssl->session_ctx->session_timeout; } - if (hs->config->cert->sid_ctx_length > sizeof(session->sid_ctx)) { + if (!session->sid_ctx.TryCopyFrom(hs->config->cert->sid_ctx)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false; } - OPENSSL_memcpy(session->sid_ctx, hs->config->cert->sid_ctx, - hs->config->cert->sid_ctx_length); - session->sid_ctx_length = hs->config->cert->sid_ctx_length; // The session is marked not resumable until it is completely filled in. session->not_resumable = true; @@ -580,13 +567,8 @@ bool ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out, bool ssl_session_is_context_valid(const SSL_HANDSHAKE *hs, const SSL_SESSION *session) { - if (session == NULL) { - return false; - } - - return session->sid_ctx_length == hs->config->cert->sid_ctx_length && - OPENSSL_memcmp(session->sid_ctx, hs->config->cert->sid_ctx, - hs->config->cert->sid_ctx_length) == 0; + return session != nullptr && + MakeConstSpan(session->sid_ctx) == hs->config->cert->sid_ctx; } bool ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session) { @@ -616,7 +598,7 @@ bool ssl_session_is_resumable(const SSL_HANDSHAKE *hs, ssl_session_is_time_valid(ssl, session) && // Only resume if the session's version matches the negotiated // version. - ssl->version == session->ssl_version && + ssl->s3->version == session->ssl_version && // Only resume if the session's cipher matches the negotiated one. This // is stricter than necessary for TLS 1.3, which allows cross-cipher // resumption if the PRF hashes match. We require an exact match for 
@@ -655,9 +637,7 @@ static enum ssl_hs_wait_t ssl_lookup_session( auto cmp = [](const void *key, const SSL_SESSION *sess) -> int { Span key_id = *reinterpret_cast *>(key); - Span sess_id = - MakeConstSpan(sess->session_id, sess->session_id_length); - return key_id == sess_id ? 0 : 1; + return key_id == sess->session_id ? 0 : 1; }; MutexReadLock lock(&ssl->session_ctx->lock); // |lh_SSL_SESSION_retrieve_key| returns a non-owning pointer. @@ -752,7 +732,7 @@ enum ssl_hs_wait_t ssl_get_prev_session(SSL_HANDSHAKE *hs, } static bool remove_session(SSL_CTX *ctx, SSL_SESSION *session, bool lock) { - if (session == nullptr || session->session_id_length == 0) { + if (session == nullptr || session->session_id.empty()) { return false; } @@ -935,7 +915,8 @@ BSSL_NAMESPACE_END using namespace bssl; ssl_session_st::ssl_session_st(const SSL_X509_METHOD *method) - : x509_method(method), + : RefCounted(CheckSubClass()), + x509_method(method), extended_master_secret(false), peer_sha256_valid(false), not_resumable(false), 
@@ -957,38 +938,31 @@ SSL_SESSION *SSL_SESSION_new(const SSL_CTX *ctx) { } int SSL_SESSION_up_ref(SSL_SESSION *session) { - CRYPTO_refcount_inc(&session->references); + session->UpRefInternal(); return 1; } void SSL_SESSION_free(SSL_SESSION *session) { - if (session == NULL || - !CRYPTO_refcount_dec_and_test_zero(&session->references)) { - return; + if (session != nullptr) { + session->DecRefInternal(); } - - session->~ssl_session_st(); - OPENSSL_free(session); } const uint8_t *SSL_SESSION_get_id(const SSL_SESSION *session, unsigned *out_len) { if (out_len != NULL) { - *out_len = session->session_id_length; + *out_len = session->session_id.size(); } - return session->session_id; + return session->session_id.data(); } int SSL_SESSION_set1_id(SSL_SESSION *session, const uint8_t *sid, size_t sid_len) { - if (sid_len > SSL_MAX_SSL_SESSION_ID_LENGTH) { + if (!session->session_id.TryCopyFrom(MakeConstSpan(sid, sid_len))) { OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_TOO_LONG); return 0; } - // Use memmove in case someone passes in the output of |SSL_SESSION_get_id|. - OPENSSL_memmove(session->session_id, sid, sid_len); - session->session_id_length = sid_len; return 1; } @@ -1038,14 +1012,13 @@ void SSL_SESSION_get0_ocsp_response(const SSL_SESSION *session, size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out, size_t max_out) { - // TODO(davidben): Fix secret_length's type and remove these casts. if (max_out == 0) { - return (size_t)session->secret_length; + return session->secret.size(); } - if (max_out > (size_t)session->secret_length) { - max_out = (size_t)session->secret_length; + if (max_out > session->secret.size()) { + max_out = session->secret.size(); } - OPENSSL_memcpy(out, session->secret, max_out); + OPENSSL_memcpy(out, session->secret.data(), max_out); return max_out; } 
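Review bot: SSL_SESSION_set1_id drops the `// Use memmove in case someone passes in the output of |SSL_SESSION_get_id|.` comment along with the memmove, but the aliasing case it guarded is still reachable: `SSL_SESSION_get_id` in the same hunk now returns `session->session_id.data()`, so a caller can hand that pointer straight back into `TryCopyFrom`. Whether `TryCopyFrom` tolerates a source that overlaps its own storage is not visible here; if it does, the comment should be restored on the new line, and if it does not, the memmove semantics need to be reinstated. SSL_SESSION_set1_id_context in `@@ -1071` always used memcpy, so it is unaffected.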
@@ -1071,22 +1044,18 @@ uint32_t SSL_SESSION_set_timeout(SSL_SESSION *session, uint32_t timeout) { const uint8_t *SSL_SESSION_get0_id_context(const SSL_SESSION *session, unsigned *out_len) { if (out_len != NULL) { - *out_len = session->sid_ctx_length; + *out_len = session->sid_ctx.size(); } - return session->sid_ctx; + return session->sid_ctx.data(); } int SSL_SESSION_set1_id_context(SSL_SESSION *session, const uint8_t *sid_ctx, size_t sid_ctx_len) { - if (sid_ctx_len > sizeof(session->sid_ctx)) { + if (!session->sid_ctx.TryCopyFrom(MakeConstSpan(sid_ctx, sid_ctx_len))) { OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); return 0; } - static_assert(sizeof(session->sid_ctx) < 256, "sid_ctx_len does not fit"); - session->sid_ctx_length = (uint8_t)sid_ctx_len; - OPENSSL_memcpy(session->sid_ctx, sid_ctx, sid_ctx_len); - return 1; } @@ -1096,7 +1065,7 @@ int SSL_SESSION_should_be_single_use(const SSL_SESSION *session) { int SSL_SESSION_is_resumable(const SSL_SESSION *session) { return !session->not_resumable && - (session->session_id_length != 0 || !session->ticket.empty()); + (!session->session_id.empty() || !session->ticket.empty()); } int SSL_SESSION_has_ticket(const SSL_SESSION *session) { @@ -1206,12 +1175,7 @@ int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func) { - int index; - if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp, - free_func)) { - return -1; - } - return index; + return CRYPTO_get_ex_new_index_ex(&g_ex_data_class, argl, argp, free_func); } int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg) { diff --git a/Sources/CNIOBoringSSL/ssl/ssl_transcript.cc b/Sources/CNIOBoringSSL/ssl/ssl_transcript.cc index 288fbb5fc..dcfff389a 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_transcript.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_transcript.cc 
@@ -259,8 +259,7 @@ bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len, } static const size_t kFinishedLen = 12; - if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen), - MakeConstSpan(session->secret, session->secret_length), label, + if (!tls1_prf(Digest(), MakeSpan(out, kFinishedLen), session->secret, label, MakeConstSpan(digest, digest_len), {})) { return false; } diff --git a/Sources/CNIOBoringSSL/ssl/ssl_versions.cc b/Sources/CNIOBoringSSL/ssl/ssl_versions.cc index d9e40f97c..9e4222942 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_versions.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_versions.cc @@ -46,6 +46,10 @@ bool ssl_protocol_version_from_wire(uint16_t *out, uint16_t version) { *out = TLS1_2_VERSION; return true; + case DTLS1_3_EXPERIMENTAL_VERSION: + *out = TLS1_3_VERSION; + return true; + default: return false; } @@ -62,6 +66,7 @@ static const uint16_t kTLSVersions[] = { }; static const uint16_t kDTLSVersions[] = { + DTLS1_3_EXPERIMENTAL_VERSION, DTLS1_2_VERSION, DTLS1_VERSION, }; @@ -99,6 +104,7 @@ static const VersionInfo kVersionNames[] = { {TLS1_VERSION, "TLSv1"}, {DTLS1_VERSION, "DTLSv1"}, {DTLS1_2_VERSION, "DTLSv1.2"}, + {DTLS1_3_EXPERIMENTAL_VERSION, "DTLSv1.3"}, }; static const char *ssl_version_to_string(uint16_t version) { @@ -142,7 +148,7 @@ static bool set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out, uint16_t version) { // Zero is interpreted as the default minimum version. if (version == 0) { - *out = method->is_dtls ? DTLS1_VERSION : TLS1_VERSION; + *out = method->is_dtls ? DTLS1_2_VERSION : TLS1_2_VERSION; return true; } 
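Review bot: `set_min_version` now maps a version of 0 to `DTLS1_2_VERSION`/`TLS1_2_VERSION` instead of `DTLS1_VERSION`/`TLS1_VERSION`, so any caller relying on the zero default stops accepting TLS 1.0/1.1 peers after this update. That is the right direction, but it is a behaviour change visible to users of this package rather than a mechanical API fix, so it deserves a sentence in the PR description. Relatedly, `DTLS1_3_EXPERIMENTAL_VERSION` is placed at the head of `kDTLSVersions` in the `@@ -62` hunk; whether that makes it selectable by default depends on the maximum-version handling outside this patch and is worth confirming.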
@@ -244,18 +250,27 @@ bool ssl_get_version_range(const SSL_HANDSHAKE *hs, uint16_t *out_min_version, } static uint16_t ssl_version(const SSL *ssl) { - // In early data, we report the predicted version. + // In early data, we report the predicted version. Note it is possible that we + // have a predicted version and a *different* true version. This means 0-RTT + // has been rejected, but until the reject has reported to the application and + // applied with |SSL_reset_early_data_reject|, we continue reporting a + // self-consistent connection. if (SSL_in_early_data(ssl) && !ssl->server) { return ssl->s3->hs->early_session->ssl_version; } - return ssl->version; + if (ssl->s3->version != 0) { + return ssl->s3->version; + } + // The TLS versions has not yet been negotiated. Historically, we would return + // (D)TLS 1.2, so preserve that behavior. + return SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION; } uint16_t ssl_protocol_version(const SSL *ssl) { - assert(ssl->s3->have_version); + assert(ssl->s3->version != 0); uint16_t version; - if (!ssl_protocol_version_from_wire(&version, ssl->version)) { - // |ssl->version| will always be set to a valid version. + if (!ssl_protocol_version_from_wire(&version, ssl->s3->version)) { + // |ssl->s3->version| will always be set to a valid version. assert(0); return 0; } diff --git a/Sources/CNIOBoringSSL/ssl/ssl_x509.cc b/Sources/CNIOBoringSSL/ssl/ssl_x509.cc index 368473506..35abb83d4 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_x509.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_x509.cc @@ -148,7 +148,6 @@ #include #include #include -#include #include "internal.h" #include "../crypto/internal.h" 
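Review bot: The new comment `// The TLS versions has not yet been negotiated.` should read `// The TLS version has not yet been negotiated.`. Worth noting for callers: `ssl_version` now synthesises `(D)TLS 1.2` when `ssl->s3->version` is 0, so a value read before negotiation is a placeholder rather than a negotiated version; the comment says as much, so no code change is needed.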
@@ -184,66 +183,34 @@ static UniquePtr x509_to_buffer(X509 *x509) { return buffer; } -// new_leafless_chain returns a fresh stack of buffers set to {NULL}. -static UniquePtr new_leafless_chain(void) { - UniquePtr chain(sk_CRYPTO_BUFFER_new_null()); - if (!chain || - !sk_CRYPTO_BUFFER_push(chain.get(), nullptr)) { - return nullptr; - } +static void ssl_crypto_x509_cert_flush_cached_leaf(CERT *cert) { + X509_free(cert->x509_leaf); + cert->x509_leaf = nullptr; +} - return chain; +static void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) { + sk_X509_pop_free(cert->x509_chain, X509_free); + cert->x509_chain = nullptr; } -// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised +// ssl_cert_set1_chain sets elements 1.. of |cert->chain| to the serialised // forms of elements of |chain|. It returns one on success or zero on error, in // which case no change to |cert->chain| is made. It preverses the existing // leaf from |cert->chain|, if any. -static bool ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) { - UniquePtr new_chain; - - if (cert->chain != nullptr) { - new_chain.reset(sk_CRYPTO_BUFFER_new_null()); - if (!new_chain) { - return false; - } - - // |leaf| might be NULL if it's a “leafless” chain. 
- CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain.get(), 0); - if (!PushToStack(new_chain.get(), UpRef(leaf))) { - return false; - } - } - +static bool ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) { + cert->legacy_credential->ClearIntermediateCerts(); for (X509 *x509 : chain) { - if (!new_chain) { - new_chain = new_leafless_chain(); - if (!new_chain) { - return false; - } - } - UniquePtr buffer = x509_to_buffer(x509); if (!buffer || - !PushToStack(new_chain.get(), std::move(buffer))) { + !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) { return false; } } - cert->chain = std::move(new_chain); + ssl_crypto_x509_cert_flush_cached_chain(cert); return true; } -static void ssl_crypto_x509_cert_flush_cached_leaf(CERT *cert) { - X509_free(cert->x509_leaf); - cert->x509_leaf = nullptr; -} - -static void ssl_crypto_x509_cert_flush_cached_chain(CERT *cert) { - sk_X509_pop_free(cert->x509_chain, X509_free); - cert->x509_chain = nullptr; -} - static bool ssl_crypto_x509_check_client_CA_list( STACK_OF(CRYPTO_BUFFER) *names) { for (const CRYPTO_BUFFER *buffer : names) { 
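Review bot: The retained comment still promises that on error `no change to |cert->chain| is made`, but the rewritten ssl_cert_set1_chain calls `cert->legacy_credential->ClearIntermediateCerts()` before the loop and returns false mid-way if `x509_to_buffer` or `AppendIntermediateCert` fails, leaving a partially rebuilt chain. On that failure path `ssl_crypto_x509_cert_flush_cached_chain(cert)` is also skipped, so `cert->x509_chain` presumably stays populated with the pre-call intermediates while the credential no longer holds them. Either restore the all-or-nothing behaviour by building into a temporary first, or move the flush ahead of the loop — `ssl_crypto_x509_cert_flush_cached_chain(cert);` immediately after `ClearIntermediateCerts();` — and reword the comment to `It returns one on success or zero on error; on error the intermediates may have been partially replaced.`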
@@ -445,24 +412,25 @@ static void ssl_crypto_x509_ssl_config_free(SSL_CONFIG *cfg) { } static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { - // Only build a chain if there are no intermediates configured and the feature - // isn't disabled. - if ((hs->ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || - !ssl_has_certificate(hs) || hs->config->cert->chain == NULL || - sk_CRYPTO_BUFFER_num(hs->config->cert->chain.get()) > 1) { + // Only build a chain if the feature isn't disabled, the legacy credential + // exists but has no intermediates configured. + SSL *ssl = hs->ssl; + SSL_CREDENTIAL *cred = hs->config->cert->legacy_credential.get(); + if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) || !cred->IsComplete() || + sk_CRYPTO_BUFFER_num(cred->chain.get()) != 1) { return true; } - UniquePtr leaf(X509_parse_from_buffer( - sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0))); + UniquePtr leaf( + X509_parse_from_buffer(sk_CRYPTO_BUFFER_value(cred->chain.get(), 0))); if (!leaf) { OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); return false; } UniquePtr ctx(X509_STORE_CTX_new()); - if (!ctx || !X509_STORE_CTX_init(ctx.get(), hs->ssl->ctx->cert_store, - leaf.get(), nullptr)) { + if (!ctx || !X509_STORE_CTX_init(ctx.get(), ssl->ctx->cert_store, leaf.get(), + nullptr)) { OPENSSL_PUT_ERROR(SSL, ERR_R_X509_LIB); return false; } @@ -478,13 +446,7 @@ static bool ssl_crypto_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) { } X509_free(sk_X509_shift(chain.get())); - if (!ssl_cert_set_chain(hs->config->cert.get(), chain.get())) { - return false; - } - - ssl_crypto_x509_cert_flush_cached_chain(hs->config->cert.get()); - - return true; + return SSL_set1_chain(ssl, chain.get()); } static void ssl_crypto_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) { 
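Review bot: The new comment `// Only build a chain if the feature isn't disabled, the legacy credential exists but has no intermediates configured.` no longer parses as a sentence; suggest `// Only build a chain if the feature isn't disabled and the legacy credential is complete but has no intermediates configured.`, which also matches the `cred->IsComplete()` test beneath it. The function continues past this hunk.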
@@ -758,12 +720,12 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { static int ssl_cert_cache_leaf_cert(CERT *cert) { assert(cert->x509_method); - if (cert->x509_leaf != NULL || - cert->chain == NULL) { + const SSL_CREDENTIAL *cred = cert->legacy_credential.get(); + if (cert->x509_leaf != NULL || cred->chain == NULL) { return 1; } - CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cert->chain.get(), 0); + CRYPTO_BUFFER *leaf = sk_CRYPTO_BUFFER_value(cred->chain.get(), 0); if (!leaf) { return 1; } 
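Review bot: `cred->chain == NULL` in the rewritten condition uses `NULL` while the other hunks this commit touches in the same file (`ssl_cert_cache_chain_certs`, `do_client_cert_cb`) switch to `nullptr`; since the line is being rewritten anyway, `if (cert->x509_leaf != nullptr || cred->chain == nullptr) {` keeps the file consistent. The same mix appears in the @@ -430 hunk of tls13_both.cc, where `cred->ocsp_response != NULL` sits next to `cred->signed_cert_timestamp_list != nullptr`. ssl_cert_cache_leaf_cert's body continues outside the hunk.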
@@ -796,72 +758,38 @@ X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx) { return ssl_cert_get0_leaf(ctx->cert.get()); } -static int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain) { - if (!ssl_cert_set_chain(cert, chain)) { - return 0; - } - - sk_X509_pop_free(chain, X509_free); - ssl_crypto_x509_cert_flush_cached_chain(cert); - return 1; -} - -static int ssl_cert_set1_chain(CERT *cert, STACK_OF(X509) *chain) { - if (!ssl_cert_set_chain(cert, chain)) { - return 0; - } - - ssl_crypto_x509_cert_flush_cached_chain(cert); - return 1; -} - -static int ssl_cert_append_cert(CERT *cert, X509 *x509) { +static int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) { assert(cert->x509_method); UniquePtr buffer = x509_to_buffer(x509); - if (!buffer) { - return 0; - } - - if (cert->chain != NULL) { - return PushToStack(cert->chain.get(), std::move(buffer)); - } - - cert->chain = new_leafless_chain(); - if (!cert->chain || - !PushToStack(cert->chain.get(), std::move(buffer))) { - cert->chain.reset(); + if (!buffer || + !cert->legacy_credential->AppendIntermediateCert(std::move(buffer))) { return 0; } + ssl_crypto_x509_cert_flush_cached_chain(cert); return 1; } static int ssl_cert_add0_chain_cert(CERT *cert, X509 *x509) { - if (!ssl_cert_append_cert(cert, x509)) { + if (!ssl_cert_add1_chain_cert(cert, x509)) { return 0; } X509_free(cert->x509_stash); cert->x509_stash = x509; - ssl_crypto_x509_cert_flush_cached_chain(cert); return 1; } -static int ssl_cert_add1_chain_cert(CERT *cert, X509 *x509) { - if (!ssl_cert_append_cert(cert, x509)) { +int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { + check_ssl_ctx_x509_method(ctx); + if (!ssl_cert_set1_chain(ctx->cert.get(), chain)) { return 0; } - - ssl_crypto_x509_cert_flush_cached_chain(cert); + sk_X509_pop_free(chain, X509_free); return 1; } -int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { - check_ssl_ctx_x509_method(ctx); - return ssl_cert_set0_chain(ctx->cert.get(), chain); -} - int 
SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { check_ssl_ctx_x509_method(ctx); return ssl_cert_set1_chain(ctx->cert.get(), chain); @@ -872,7 +800,11 @@ int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) { if (!ssl->config) { return 0; } - return ssl_cert_set0_chain(ssl->config->cert.get(), chain); + if (!ssl_cert_set1_chain(ssl->config->cert.get(), chain)) { + return 0; + } + sk_X509_pop_free(chain, X509_free); + return 1; } int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) { @@ -934,9 +866,9 @@ int SSL_clear_chain_certs(SSL *ssl) { static int ssl_cert_cache_chain_certs(CERT *cert) { assert(cert->x509_method); - if (cert->x509_chain != nullptr || - cert->chain == nullptr || - sk_CRYPTO_BUFFER_num(cert->chain.get()) < 2) { + const SSL_CREDENTIAL *cred = cert->legacy_credential.get(); + if (cert->x509_chain != nullptr || cred->chain == nullptr || + sk_CRYPTO_BUFFER_num(cred->chain.get()) < 2) { return 1; } @@ -945,8 +877,8 @@ static int ssl_cert_cache_chain_certs(CERT *cert) { return 0; } - for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain.get()); i++) { - CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(cert->chain.get(), i); + for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cred->chain.get()); i++) { + CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(cred->chain.get(), i); UniquePtr x509(X509_parse_from_buffer(buffer)); if (!x509 || !PushToStack(chain.get(), std::move(x509))) { @@ -1219,13 +1151,10 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x509) { static int do_client_cert_cb(SSL *ssl, void *arg) { // Should only be called during handshake, but check to be sure. - if (!ssl->config) { - assert(ssl->config); - return -1; - } + BSSL_CHECK(ssl->config); - if (ssl_has_certificate(ssl->s3->hs.get()) || - ssl->ctx->client_cert_cb == NULL) { + if (ssl->config->cert->legacy_credential->IsComplete() || + ssl->ctx->client_cert_cb == nullptr) { return 1; } 
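Review bot: The deleted `ssl_cert_set0_chain` helper is reproduced inline in `SSL_CTX_set0_chain` here and again in `SSL_set0_chain` in the @@ -872 hunk, so the set0 ownership rule (free `chain` only after `ssl_cert_set1_chain` succeeds, leave it with the caller on failure) now lives in two places. A three-line `static int ssl_cert_set0_chain(CERT *cert, STACK_OF(X509) *chain)` that calls `ssl_cert_set1_chain` and then `sk_X509_pop_free(chain, X509_free)` would keep the rule in one spot, and it should preserve the failure-keeps-ownership behaviour both copies currently have. `ssl_cert_add1_chain_cert` now does the cache flush itself, so `ssl_cert_add0_chain_cert` no longer flushing is correct rather than an omission.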
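Review bot: `BSSL_CHECK(ssl->config);` in do_client_cert_cb turns the former soft `return -1` into a process abort, but the comment above it still reads `// Should only be called during handshake, but check to be sure.`, which no longer conveys the consequence. Suggest `// Should only be called during handshake; a null config here is a caller bug and aborts rather than failing the callback.` do_client_cert_cb's body continues outside the hunk.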
diff --git a/Sources/CNIOBoringSSL/ssl/t1_enc.cc b/Sources/CNIOBoringSSL/ssl/t1_enc.cc index dab576456..5a1d4e44f 100644 --- a/Sources/CNIOBoringSSL/ssl/t1_enc.cc +++ b/Sources/CNIOBoringSSL/ssl/t1_enc.cc @@ -169,7 +169,7 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len, const SSL_CIPHER *cipher) { const EVP_AEAD *aead = NULL; if (!ssl_cipher_get_evp_aead(&aead, out_mac_secret_len, out_iv_len, cipher, - ssl_protocol_version(ssl), SSL_is_dtls(ssl))) { + ssl_protocol_version(ssl))) { OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return false; } @@ -191,14 +191,13 @@ static bool get_key_block_lengths(const SSL *ssl, size_t *out_mac_secret_len, static bool generate_key_block(const SSL *ssl, Span out, const SSL_SESSION *session) { - auto secret = MakeConstSpan(session->secret, session->secret_length); static const char kLabel[] = "key expansion"; auto label = MakeConstSpan(kLabel, sizeof(kLabel) - 1); const EVP_MD *digest = ssl_session_get_digest(session); // Note this function assumes that |session|'s key material corresponds to // |ssl->s3->client_random| and |ssl->s3->server_random|. - return tls1_prf(digest, out, secret, label, ssl->s3->server_random, + return tls1_prf(digest, out, session->secret, label, ssl->s3->server_random, ssl->s3->client_random); } @@ -243,9 +242,8 @@ bool tls1_configure_aead(SSL *ssl, evp_aead_direction_t direction, iv = iv_override; } - UniquePtr aead_ctx = - SSLAEADContext::Create(direction, ssl->version, SSL_is_dtls(ssl), - session->cipher, key, mac_secret, iv); + UniquePtr aead_ctx = SSLAEADContext::Create( + direction, ssl->s3->version, session->cipher, key, mac_secret, iv); if (!aead_ctx) { return false; } 
@@ -267,33 +265,33 @@ bool tls1_change_cipher_state(SSL_HANDSHAKE *hs, ssl_handshake_session(hs), {}); } -int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out, - Span premaster) { +bool tls1_generate_master_secret(SSL_HANDSHAKE *hs, Span out, + Span premaster) { static const char kMasterSecretLabel[] = "master secret"; static const char kExtendedMasterSecretLabel[] = "extended master secret"; + BSSL_CHECK(out.size() == SSL3_MASTER_SECRET_SIZE); const SSL *ssl = hs->ssl; - auto out_span = MakeSpan(out, SSL3_MASTER_SECRET_SIZE); if (hs->extended_master_secret) { auto label = MakeConstSpan(kExtendedMasterSecretLabel, sizeof(kExtendedMasterSecretLabel) - 1); uint8_t digests[EVP_MAX_MD_SIZE]; size_t digests_len; if (!hs->transcript.GetHash(digests, &digests_len) || - !tls1_prf(hs->transcript.Digest(), out_span, premaster, label, + !tls1_prf(hs->transcript.Digest(), out, premaster, label, MakeConstSpan(digests, digests_len), {})) { - return 0; + return false; } } else { auto label = MakeConstSpan(kMasterSecretLabel, sizeof(kMasterSecretLabel) - 1); - if (!tls1_prf(hs->transcript.Digest(), out_span, premaster, label, + if (!tls1_prf(hs->transcript.Digest(), out, premaster, label, ssl->s3->client_random, ssl->s3->server_random)) { - return 0; + return false; } } - return SSL3_MASTER_SECRET_SIZE; + return true; } BSSL_NAMESPACE_END @@ -334,8 +332,8 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, const uint8_t *context, size_t context_len, int use_context) { // In TLS 1.3, the exporter may be used whenever the secret has been derived. - if (ssl->s3->have_version && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { - if (ssl->s3->exporter_secret_len == 0) { + if (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { + if (ssl->s3->exporter_secret.empty()) { OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_NOT_COMPLETE); return 0; } 
@@ -344,8 +342,7 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, context_len = 0; } return tls13_export_keying_material( - ssl, MakeSpan(out, out_len), - MakeConstSpan(ssl->s3->exporter_secret, ssl->s3->exporter_secret_len), + ssl, MakeSpan(out, out_len), ssl->s3->exporter_secret, MakeConstSpan(label, label_len), MakeConstSpan(context, context_len)); } @@ -380,7 +377,6 @@ int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len, const SSL_SESSION *session = SSL_get_session(ssl); const EVP_MD *digest = ssl_session_get_digest(session); - return tls1_prf(digest, MakeSpan(out, out_len), - MakeConstSpan(session->secret, session->secret_length), + return tls1_prf(digest, MakeSpan(out, out_len), session->secret, MakeConstSpan(label, label_len), seed, {}); } diff --git a/Sources/CNIOBoringSSL/ssl/tls13_both.cc b/Sources/CNIOBoringSSL/ssl/tls13_both.cc index dcaa50475..75ac9042d 100644 --- a/Sources/CNIOBoringSSL/ssl/tls13_both.cc +++ b/Sources/CNIOBoringSSL/ssl/tls13_both.cc @@ -335,7 +335,8 @@ bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg) } uint8_t alert = SSL_AD_DECODE_ERROR; - if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) { + if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm, + hs->peer_pubkey.get())) { ssl_send_alert(ssl, SSL3_AL_FATAL, alert); return false; } @@ -391,8 +392,7 @@ bool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg, bool tls13_add_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - CERT *const cert = hs->config->cert.get(); - DC *const dc = cert->dc.get(); + const SSL_CREDENTIAL *cred = hs->credential.get(); ScopedCBB cbb; CBB *body, body_storage, certificate_list; 
@@ -416,11 +416,12 @@ bool tls13_add_certificate(SSL_HANDSHAKE *hs) { return false; } - if (!ssl_has_certificate(hs)) { + if (hs->credential == nullptr) { return ssl_add_message_cbb(ssl, cbb.get()); } - CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cert->chain.get(), 0); + assert(hs->credential->UsesX509()); + CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cred->chain.get(), 0); CBB leaf, extensions; if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) || !CBB_add_bytes(&leaf, CRYPTO_BUFFER_data(leaf_buf), 
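Review bot: `assert(hs->credential->UsesX509());` compiles out in release builds, so a credential type for which `UsesX509()` is false would fall through to `sk_CRYPTO_BUFFER_value(cred->chain.get(), 0)` and then `CRYPTO_BUFFER_data` on whatever that returns; with the credential selection this commit adds on the client side that path looks unreachable, so it is a contract assertion rather than a live bug. Other hunks in this commit use `BSSL_CHECK` for the same kind of invariant (`do_client_cert_cb`, `tls1_generate_master_secret`), and `BSSL_CHECK(hs->credential->UsesX509());` would make this one hold in release builds as well. The same consideration applies to `assert(hs->signature_algorithm != 0);` in the @@ -555 hunk of this file. tls13_add_certificate's body continues outside the hunk.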
@@ -430,51 +431,49 @@ bool tls13_add_certificate(SSL_HANDSHAKE *hs) { return false; } - if (hs->scts_requested && cert->signed_cert_timestamp_list != nullptr) { + if (hs->scts_requested && cred->signed_cert_timestamp_list != nullptr) { CBB contents; if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) || !CBB_add_u16_length_prefixed(&extensions, &contents) || !CBB_add_bytes( &contents, - CRYPTO_BUFFER_data(cert->signed_cert_timestamp_list.get()), - CRYPTO_BUFFER_len(cert->signed_cert_timestamp_list.get())) || + CRYPTO_BUFFER_data(cred->signed_cert_timestamp_list.get()), + CRYPTO_BUFFER_len(cred->signed_cert_timestamp_list.get())) || !CBB_flush(&extensions)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false; } } - if (hs->ocsp_stapling_requested && cert->ocsp_response != NULL) { + if (hs->ocsp_stapling_requested && cred->ocsp_response != NULL) { CBB contents, ocsp_response; if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) || !CBB_add_u16_length_prefixed(&extensions, &contents) || !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) || !CBB_add_u24_length_prefixed(&contents, &ocsp_response) || !CBB_add_bytes(&ocsp_response, - CRYPTO_BUFFER_data(cert->ocsp_response.get()), - CRYPTO_BUFFER_len(cert->ocsp_response.get())) || + CRYPTO_BUFFER_data(cred->ocsp_response.get()), + CRYPTO_BUFFER_len(cred->ocsp_response.get())) || !CBB_flush(&extensions)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false; } } - if (ssl_signing_with_dc(hs)) { - const CRYPTO_BUFFER *raw = dc->raw.get(); + if (cred->type == SSLCredentialType::kDelegated) { CBB child; if (!CBB_add_u16(&extensions, TLSEXT_TYPE_delegated_credential) || !CBB_add_u16_length_prefixed(&extensions, &child) || - !CBB_add_bytes(&child, CRYPTO_BUFFER_data(raw), - CRYPTO_BUFFER_len(raw)) || + !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cred->dc.get()), + CRYPTO_BUFFER_len(cred->dc.get())) || !CBB_flush(&extensions)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false; } - 
ssl->s3->delegated_credential_used = true; } - for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain.get()); i++) { - CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cert->chain.get(), i); + for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cred->chain.get()); i++) { + CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cred->chain.get(), i); CBB child; if (!CBB_add_u24_length_prefixed(&certificate_list, &child) || !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cert_buf), @@ -555,23 +554,18 @@ bool tls13_add_certificate(SSL_HANDSHAKE *hs) { enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - uint16_t signature_algorithm; - if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { - ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); - return ssl_private_key_failure; - } - + assert(hs->signature_algorithm != 0); ScopedCBB cbb; CBB body; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE_VERIFY) || - !CBB_add_u16(&body, signature_algorithm)) { + !CBB_add_u16(&body, hs->signature_algorithm)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return ssl_private_key_failure; } CBB child; - const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); + const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get()); uint8_t *sig; size_t sig_len; if (!CBB_add_u16_length_prefixed(&body, &child) || @@ -589,7 +583,7 @@ enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) { } enum ssl_private_key_result_t sign_result = ssl_private_key_sign( - hs, sig, &sig_len, max_sig_len, signature_algorithm, msg); + hs, sig, &sig_len, max_sig_len, hs->signature_algorithm, msg); if (sign_result != ssl_private_key_success) { return sign_result; } diff --git a/Sources/CNIOBoringSSL/ssl/tls13_client.cc b/Sources/CNIOBoringSSL/ssl/tls13_client.cc index ac508099a..e743a4e0b 100644 --- a/Sources/CNIOBoringSSL/ssl/tls13_client.cc +++ b/Sources/CNIOBoringSSL/ssl/tls13_client.cc 
@@ -73,20 +73,22 @@ static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) { // write state. The two ClientHello sequence numbers must align, and handshake // write keys must be installed early to ACK the EncryptedExtensions. // - // We do not currently implement DTLS 1.3 and, in QUIC, the caller handles - // 0-RTT data, so we can skip installing 0-RTT keys and act as if there is one - // write level. If we implement DTLS 1.3, we'll need to model this better. + // TODO(crbug.com/42290594): We do not currently implement DTLS 1.3 and, in + // QUIC, the caller handles 0-RTT data, so we can skip installing 0-RTT keys + // and act as if there is one write level. Now that we're implementing + // DTLS 1.3, switch the abstraction to the DTLS/QUIC model where handshake + // keys write keys are installed immediately, but the TLS record layer + // internally waits to activate that epoch until the 0-RTT channel is closed. if (ssl->quic_method == nullptr) { if (level == ssl_encryption_initial) { bssl::UniquePtr null_ctx = - SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl)); + SSLAEADContext::CreateNullCipher(); if (!null_ctx || !ssl->method->set_write_state(ssl, ssl_encryption_initial, std::move(null_ctx), /*secret_for_quic=*/{})) { return false; } - ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version); } else { assert(level == ssl_encryption_handshake); if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal, 
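Review bot: The new TODO comment contains a garbled phrase, `// keys write keys are installed immediately`; it should read `// handshake write keys are installed immediately`. The comment also keeps the old "we can skip installing 0-RTT keys" explanation and then says "Now that we're implementing DTLS 1.3", so it reads as two generations of reasoning stacked; trimming it to the current situation and the intended model would be clearer. close_early_data's body continues outside the hunk.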
@@ -107,11 +109,21 @@ static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs, if (!ssl_parse_server_hello(out, out_alert, msg)) { return false; } - // The RFC8446 version of the structure fixes some legacy values. - // Additionally, the session ID must echo the original one. - if (out->legacy_version != TLS1_2_VERSION || + uint16_t expected_version = + SSL_is_dtls(hs->ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION; + // DTLS 1.3 disables "compatibility mode" (RFC 8446, appendix D.4). When + // disabled, servers MUST NOT echo the legacy_session_id (RFC 9147, section + // 5). The client could have sent a session ID indicating its willingness to + // resume a DTLS 1.2 session, so just checking that the session IDs match is + // incorrect. + Span expected_session_id = SSL_is_dtls(hs->ssl) + ? Span() + : MakeConstSpan(hs->session_id); + + // RFC 8446 fixes some legacy values. Check them. + if (out->legacy_version != expected_version || // out->compression_method != 0 || - !CBS_mem_equal(&out->session_id, hs->session_id, hs->session_id_len) || + Span(out->session_id) != expected_session_id || CBS_len(&out->extensions) == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); *out_alert = SSL_AD_DECODE_ERROR; @@ -170,7 +182,7 @@ static bool check_ech_confirmation(const SSL_HANDSHAKE *hs, bool *out_accepted, static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - assert(ssl->s3->have_version); + assert(ssl->s3->version != 0); SSLMessage msg; if (!ssl->method->get_message(ssl, &msg)) { return ssl_hs_read_message; @@ -424,7 +436,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { if (!supported_versions.present || !CBS_get_u16(&supported_versions.data, &version) || CBS_len(&supported_versions.data) != 0 || - version != ssl->version) { + version != ssl->s3->version) { OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; 
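Review bot: `Span(out->session_id) != expected_session_id` replaces `CBS_mem_equal`, which, as far as I recall BoringSSL's CBS implementation, compares through `CRYPTO_memcmp`; the Span comparison appears to be an ordinary early-exit byte compare. That is acceptable here because legacy_session_id is a public wire value rather than a secret, but the pattern is easy to copy into code that compares secrets, so a short note would help: `// Plain (non-constant-time) compare is fine: the session ID is public on the wire.` parse_server_hello_tls13's body continues outside the hunk.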
@@ -438,7 +450,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { return ssl_hs_error; } - if (ssl->session->ssl_version != ssl->version) { + if (ssl->session->ssl_version != ssl->s3->version) { OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; @@ -482,11 +494,9 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { // Set up the key schedule and incorporate the PSK into the running secret. size_t hash_len = EVP_MD_size( ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher)); - if (!tls13_init_key_schedule( - hs, ssl->s3->session_reused - ? MakeConstSpan(hs->new_session->secret, - hs->new_session->secret_length) - : MakeConstSpan(kZeroes, hash_len))) { + if (!tls13_init_key_schedule(hs, ssl->s3->session_reused + ? MakeConstSpan(hs->new_session->secret) + : MakeConstSpan(kZeroes, hash_len))) { return ssl_hs_error; } @@ -782,8 +792,9 @@ static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; if (ssl->s3->early_data_accepted) { - // QUIC omits the EndOfEarlyData message. See RFC 9001, section 8.3. - if (ssl->quic_method == nullptr) { + // DTLS and QUIC omit the EndOfEarlyData message. See RFC 9001, section 8.3, + // and RFC 9147, section 5.6. + if (ssl->quic_method == nullptr && !SSL_is_dtls(ssl)) { ScopedCBB cbb; CBB body; if (!ssl->method->init_message(ssl, cbb.get(), &body, 
@@ -832,6 +843,17 @@ static enum ssl_hs_wait_t do_send_client_encrypted_extensions( return ssl_hs_ok; } +static bool check_credential(SSL_HANDSHAKE *hs, const SSL_CREDENTIAL *cred, + uint16_t *out_sigalg) { + if (cred->type != SSLCredentialType::kX509) { + OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + return false; + } + + // All currently supported credentials require a signature. + return tls1_choose_signature_algorithm(hs, cred, out_sigalg); +} + static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; @@ -859,8 +881,30 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { } } - if (!ssl_on_certificate_selected(hs) || - !tls13_add_certificate(hs)) { + Array creds; + if (!ssl_get_credential_list(hs, &creds)) { + return ssl_hs_error; + } + + if (!creds.empty()) { + // Select the credential to use. + for (SSL_CREDENTIAL *cred : creds) { + ERR_clear_error(); + uint16_t sigalg; + if (check_credential(hs, cred, &sigalg)) { + hs->credential = UpRef(cred); + hs->signature_algorithm = sigalg; + break; + } + } + if (hs->credential == nullptr) { + // The error from the last attempt is in the error queue. + ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + return ssl_hs_error; + } + } + + if (!tls13_add_certificate(hs)) { return ssl_hs_error; } @@ -870,7 +914,7 @@ static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { // Don't send CertificateVerify if there is no certificate. - if (!ssl_has_certificate(hs)) { + if (hs->credential == nullptr) { hs->tls13_state = state_complete_second_flight; return ssl_hs_ok; } 
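Review bot: The new `check_credential` helper has no header comment, so its contract (push an error and return false when the credential cannot be used for this handshake, otherwise write the chosen signature algorithm to `*out_sigalg`) is only discoverable from its single caller. Suggest `// check_credential returns true and sets |*out_sigalg| if |cred| may be used as the client certificate for this handshake. Otherwise it pushes an error and returns false.` above the definition. The selection loop in do_send_client_certificate calls `ERR_clear_error()` before each attempt so that only the last failure survives, which the inline comment there already states; that function's body continues outside the hunk.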
@@ -1084,7 +1128,8 @@ UniquePtr tls13_create_session_with_ticket(SSL *ssl, CBS *body) { session->timeout = server_timeout; } - if (!tls13_derive_session_psk(session.get(), ticket_nonce)) { + if (!tls13_derive_session_psk(session.get(), ticket_nonce, + SSL_is_dtls(ssl))) { return nullptr; } @@ -1116,8 +1161,8 @@ UniquePtr tls13_create_session_with_ticket(SSL *ssl, CBS *body) { // Historically, OpenSSL filled in fake session IDs for ticket-based sessions. // Envoy's tests depend on this, although perhaps they shouldn't. - SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id); - session->session_id_length = SHA256_DIGEST_LENGTH; + session->session_id.ResizeMaybeUninit(SHA256_DIGEST_LENGTH); + SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id.data()); session->ticket_age_add_valid = true; session->not_resumable = false; diff --git a/Sources/CNIOBoringSSL/ssl/tls13_enc.cc b/Sources/CNIOBoringSSL/ssl/tls13_enc.cc index 97a2d3c13..e711a0a69 100644 --- a/Sources/CNIOBoringSSL/ssl/tls13_enc.cc +++ b/Sources/CNIOBoringSSL/ssl/tls13_enc.cc 
@@ -83,19 +83,57 @@ bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, return init_key_schedule(hs, transcript, ssl_session_protocol_version(session), session->cipher) && - hkdf_extract_to_secret( - hs, *transcript, - MakeConstSpan(session->secret, session->secret_length)); + hkdf_extract_to_secret(hs, *transcript, session->secret); } static Span label_to_span(const char *label) { return MakeConstSpan(label, strlen(label)); } +static bool hkdf_expand_label_with_prefix(Span out, + const EVP_MD *digest, + Span secret, + Span label_prefix, + Span label, + Span hash) { + // This is a copy of CRYPTO_tls13_hkdf_expand_label, but modified to take an + // arbitrary prefix for the label instead of using the hardcoded "tls13 " + // prefix. + CBB cbb, child; + uint8_t *hkdf_label = NULL; + size_t hkdf_label_len; + CBB_zero(&cbb); + if (!CBB_init(&cbb, + 2 + 1 + label_prefix.size() + label.size() + 1 + hash.size()) || + !CBB_add_u16(&cbb, out.size()) || + !CBB_add_u8_length_prefixed(&cbb, &child) || + !CBB_add_bytes(&child, label_prefix.data(), label_prefix.size()) || + !CBB_add_bytes(&child, reinterpret_cast(label.data()), + label.size()) || + !CBB_add_u8_length_prefixed(&cbb, &child) || + !CBB_add_bytes(&child, hash.data(), hash.size()) || + !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) { + CBB_cleanup(&cbb); + return false; + } + + const int ret = HKDF_expand(out.data(), out.size(), digest, secret.data(), + secret.size(), hkdf_label, hkdf_label_len); + OPENSSL_free(hkdf_label); + return ret == 1; +} + static bool hkdf_expand_label(Span out, const EVP_MD *digest, Span secret, - Span label, - Span hash) { + Span label, Span hash, + bool is_dtls) { + if (is_dtls) { + static const uint8_t kDTLS13LabelPrefix[] = "dtls13"; + return hkdf_expand_label_with_prefix( + out, digest, secret, + MakeConstSpan(kDTLS13LabelPrefix, sizeof(kDTLS13LabelPrefix) - 1), + label, hash); + } return CRYPTO_tls13_hkdf_expand_label( out.data(), out.size(), digest, secret.data(), secret.size(), 
reinterpret_cast(label.data()), label.size(), @@ -111,7 +149,8 @@ bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span in) { hs->transcript.Digest(), nullptr) && hkdf_expand_label(hs->secret(), hs->transcript.Digest(), hs->secret(), label_to_span(kTLS13LabelDerived), - MakeConstSpan(derive_context, derive_context_len)) && + MakeConstSpan(derive_context, derive_context_len), + SSL_is_dtls(hs->ssl)) && hkdf_extract_to_secret(hs, hs->transcript, in); } @@ -129,7 +168,8 @@ static bool derive_secret_with_transcript(const SSL_HANDSHAKE *hs, } return hkdf_expand_label(out, transcript.Digest(), hs->secret(), label, - MakeConstSpan(context_hash, context_hash_len)); + MakeConstSpan(context_hash, context_hash_len), + SSL_is_dtls(hs->ssl)); } static bool derive_secret(SSL_HANDSHAKE *hs, Span out, 
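Review bot: `kDTLS13LabelPrefix` is the domain-separation constant for the DTLS 1.3 key schedule, but the only comment on the new code says the routine is a copy of CRYPTO_tls13_hkdf_expand_label; a pointer to the normative source helps anyone auditing the label: `// DTLS 1.3 uses the "dtls13" label prefix in place of "tls13 " (RFC 9147).` `CBB_add_u16(&cbb, out.size())` silently narrows `out.size()` to 16 bits, which mirrors the function being copied and is presumably fine for every caller (digest- or key-sized outputs), but a comment noting that bound, or a `BSSL_CHECK(out.size() <= 0xffff);` before the CBB is built, would make the assumption explicit. hkdf_expand_label's body continues past the end of the hunk.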
@@ -142,52 +182,58 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level, const SSL_SESSION *session, Span traffic_secret) { uint16_t version = ssl_session_protocol_version(session); + const EVP_MD *digest = ssl_session_get_digest(session); + bool is_dtls = SSL_is_dtls(ssl); UniquePtr traffic_aead; Span secret_for_quic; if (ssl->quic_method != nullptr) { // Install a placeholder SSLAEADContext so that SSL accessors work. The // encryption itself will be handled by the SSL_QUIC_METHOD. - traffic_aead = - SSLAEADContext::CreatePlaceholderForQUIC(version, session->cipher); + traffic_aead = SSLAEADContext::CreatePlaceholderForQUIC(session->cipher); secret_for_quic = traffic_secret; } else { // Look up cipher suite properties. const EVP_AEAD *aead; size_t discard; if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher, - version, SSL_is_dtls(ssl))) { + version)) { return false; } - const EVP_MD *digest = ssl_session_get_digest(session); - - // Derive the key. - size_t key_len = EVP_AEAD_key_length(aead); - uint8_t key_buf[EVP_AEAD_MAX_KEY_LENGTH]; - auto key = MakeSpan(key_buf, key_len); + // Derive the key and IV. + uint8_t key_buf[EVP_AEAD_MAX_KEY_LENGTH], iv_buf[EVP_AEAD_MAX_NONCE_LENGTH]; + auto key = MakeSpan(key_buf).first(EVP_AEAD_key_length(aead)); + auto iv = MakeSpan(iv_buf).first(EVP_AEAD_nonce_length(aead)); if (!hkdf_expand_label(key, digest, traffic_secret, label_to_span("key"), - {})) { - return false; - } - - // Derive the IV. 
- size_t iv_len = EVP_AEAD_nonce_length(aead); - uint8_t iv_buf[EVP_AEAD_MAX_NONCE_LENGTH]; - auto iv = MakeSpan(iv_buf, iv_len); - if (!hkdf_expand_label(iv, digest, traffic_secret, label_to_span("iv"), - {})) { + {}, is_dtls) || + !hkdf_expand_label(iv, digest, traffic_secret, label_to_span("iv"), {}, + is_dtls)) { return false; } traffic_aead = SSLAEADContext::Create(direction, session->ssl_version, - SSL_is_dtls(ssl), session->cipher, - key, Span(), iv); + session->cipher, key, {}, iv); } if (!traffic_aead) { return false; } + if (is_dtls) { + RecordNumberEncrypter *rn_encrypter = + traffic_aead->GetRecordNumberEncrypter(); + if (!rn_encrypter) { + return false; + } + uint8_t rne_key_buf[RecordNumberEncrypter::kMaxKeySize]; + auto rne_key = MakeSpan(rne_key_buf).first(rn_encrypter->KeySize()); + if (!hkdf_expand_label(rne_key, digest, traffic_secret, label_to_span("sn"), + {}, is_dtls) || + !rn_encrypter->SetKey(rne_key)) { + return false; + } + } + if (traffic_secret.size() > OPENSSL_ARRAY_SIZE(ssl->s3->read_traffic_secret) || traffic_secret.size() > @@ -201,17 +247,13 @@ bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level, secret_for_quic)) { return false; } - OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret.data(), - traffic_secret.size()); - ssl->s3->read_traffic_secret_len = traffic_secret.size(); + ssl->s3->read_traffic_secret.CopyFrom(traffic_secret); } else { if (!ssl->method->set_write_state(ssl, level, std::move(traffic_aead), secret_for_quic)) { return false; } - OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret.data(), - traffic_secret.size()); - ssl->s3->write_traffic_secret_len = traffic_secret.size(); + ssl->s3->write_traffic_secret.CopyFrom(traffic_secret); } return true; 
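Review bot: `rne_key_buf` holds the freshly derived record-number encryption key and is left on the stack after `rn_encrypter->SetKey(rne_key)` copies it out; `key_buf` and `iv_buf` above follow the same pre-existing pattern, so this is consistent with its neighbours rather than a regression. If this code base scrubs derived keys from automatic storage anywhere, `OPENSSL_cleanse` on these buffers before returning is the place to do it, and a comment either way would record the decision. `if (!rn_encrypter) { return false; }` pushes no error, which matches every other failure path in tls13_set_traffic_key, so callers see an empty error queue for all of them; the function's body starts and ends outside the first hunk and is completed by the @@ -201 hunk.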
@@ -261,7 +303,6 @@ bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) { bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; - ssl->s3->exporter_secret_len = hs->transcript.DigestLen(); if (!derive_secret(hs, hs->client_traffic_secret_0(), label_to_span(kTLS13LabelClientApplicationTraffic)) || !ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0", @@ -269,13 +310,13 @@ bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) { !derive_secret(hs, hs->server_traffic_secret_0(), label_to_span(kTLS13LabelServerApplicationTraffic)) || !ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0", - hs->server_traffic_secret_0()) || - !derive_secret( - hs, MakeSpan(ssl->s3->exporter_secret, ssl->s3->exporter_secret_len), - label_to_span(kTLS13LabelExporter)) || - !ssl_log_secret(ssl, "EXPORTER_SECRET", - MakeConstSpan(ssl->s3->exporter_secret, - ssl->s3->exporter_secret_len))) { + hs->server_traffic_secret_0())) { + return false; + } + ssl->s3->exporter_secret.ResizeMaybeUninit(hs->transcript.DigestLen()); + if (!derive_secret(hs, MakeSpan(ssl->s3->exporter_secret), + label_to_span(kTLS13LabelExporter)) || + !ssl_log_secret(ssl, "EXPORTER_SECRET", ssl->s3->exporter_secret)) { return false; } 
@@ -285,19 +326,15 @@ bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) { static const char kTLS13LabelApplicationTraffic[] = "traffic upd"; bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) { - Span secret; - if (direction == evp_aead_open) { - secret = MakeSpan(ssl->s3->read_traffic_secret, - ssl->s3->read_traffic_secret_len); - } else { - secret = MakeSpan(ssl->s3->write_traffic_secret, - ssl->s3->write_traffic_secret_len); - } + Span secret = direction == evp_aead_open + ? MakeSpan(ssl->s3->read_traffic_secret) + : MakeSpan(ssl->s3->write_traffic_secret); const SSL_SESSION *session = SSL_get_session(ssl); const EVP_MD *digest = ssl_session_get_digest(session); return hkdf_expand_label(secret, digest, secret, - label_to_span(kTLS13LabelApplicationTraffic), {}) && + label_to_span(kTLS13LabelApplicationTraffic), {}, + SSL_is_dtls(ssl)) && tls13_set_traffic_key(ssl, ssl_encryption_application, direction, session, secret); } @@ -305,14 +342,9 @@ bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) { static const char kTLS13LabelResumption[] = "res master"; bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) { - if (hs->transcript.DigestLen() > SSL_MAX_MASTER_KEY_LENGTH) { - OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); - return false; - } - hs->new_session->secret_length = hs->transcript.DigestLen(); - return derive_secret( - hs, MakeSpan(hs->new_session->secret, hs->new_session->secret_length), - label_to_span(kTLS13LabelResumption)); + hs->new_session->secret.ResizeMaybeUninit(hs->transcript.DigestLen()); + return derive_secret(hs, MakeSpan(hs->new_session->secret), + label_to_span(kTLS13LabelResumption)); } static const char kTLS13LabelFinished[] = "finished"; 
@@ -323,12 +355,12 @@ static const char kTLS13LabelFinished[] = "finished"; static bool tls13_verify_data(uint8_t *out, size_t *out_len, const EVP_MD *digest, uint16_t version, Span secret, - Span context) { + Span context, bool is_dtls) { uint8_t key_buf[EVP_MAX_MD_SIZE]; auto key = MakeSpan(key_buf, EVP_MD_size(digest)); unsigned len; if (!hkdf_expand_label(key, digest, secret, - label_to_span(kTLS13LabelFinished), {}) || + label_to_span(kTLS13LabelFinished), {}, is_dtls) || HMAC(digest, key.data(), key.size(), context.data(), context.size(), out, &len) == nullptr) { return false; @@ -346,8 +378,9 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t context_hash_len; if (!hs->transcript.GetHash(context_hash, &context_hash_len) || !tls13_verify_data(out, out_len, hs->transcript.Digest(), - hs->ssl->version, traffic_secret, - MakeConstSpan(context_hash, context_hash_len))) { + hs->ssl->s3->version, traffic_secret, + MakeConstSpan(context_hash, context_hash_len), + SSL_is_dtls(hs->ssl))) { return false; } return true; @@ -355,13 +388,15 @@ bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, static const char kTLS13LabelResumptionPSK[] = "resumption"; -bool tls13_derive_session_psk(SSL_SESSION *session, Span nonce) { +bool tls13_derive_session_psk(SSL_SESSION *session, Span nonce, + bool is_dtls) { const EVP_MD *digest = ssl_session_get_digest(session); // The session initially stores the resumption_master_secret, which we // override with the PSK. - auto session_secret = MakeSpan(session->secret, session->secret_length); - return hkdf_expand_label(session_secret, digest, session_secret, - label_to_span(kTLS13LabelResumptionPSK), nonce); + assert(session->secret.size() == EVP_MD_size(digest)); + return hkdf_expand_label(MakeSpan(session->secret), digest, session->secret, + label_to_span(kTLS13LabelResumptionPSK), nonce, + is_dtls); } static const char kTLS13LabelExportKeying[] = "exporter"; 
@@ -394,9 +429,10 @@ bool tls13_export_keying_material(SSL *ssl, Span out, uint8_t derived_secret_buf[EVP_MAX_MD_SIZE]; auto derived_secret = MakeSpan(derived_secret_buf, EVP_MD_size(digest)); return hkdf_expand_label(derived_secret, digest, secret, label, - export_context) && + export_context, SSL_is_dtls(ssl)) && hkdf_expand_label(out, digest, derived_secret, - label_to_span(kTLS13LabelExportKeying), hash); + label_to_span(kTLS13LabelExportKeying), hash, + SSL_is_dtls(ssl)); } static const char kTLS13LabelPSKBinder[] = "res binder"; @@ -405,7 +441,7 @@ static bool tls13_psk_binder(uint8_t *out, size_t *out_len, const SSL_SESSION *session, const SSLTranscript &transcript, Span client_hello, - size_t binders_len) { + size_t binders_len, bool is_dtls) { const EVP_MD *digest = ssl_session_get_digest(session); // Compute the binder key. @@ -420,12 +456,13 @@ static bool tls13_psk_binder(uint8_t *out, size_t *out_len, auto binder_key = MakeSpan(binder_key_buf, EVP_MD_size(digest)); if (!EVP_Digest(nullptr, 0, binder_context, &binder_context_len, digest, nullptr) || - !HKDF_extract(early_secret, &early_secret_len, digest, session->secret, - session->secret_length, nullptr, 0) || - !hkdf_expand_label(binder_key, digest, - MakeConstSpan(early_secret, early_secret_len), - label_to_span(kTLS13LabelPSKBinder), - MakeConstSpan(binder_context, binder_context_len))) { + !HKDF_extract(early_secret, &early_secret_len, digest, + session->secret.data(), session->secret.size(), nullptr, + 0) || + !hkdf_expand_label( + binder_key, digest, MakeConstSpan(early_secret, early_secret_len), + label_to_span(kTLS13LabelPSKBinder), + MakeConstSpan(binder_context, binder_context_len), is_dtls)) { return false; } @@ -446,7 +483,7 @@ static bool tls13_psk_binder(uint8_t *out, size_t *out_len, } if (!tls13_verify_data(out, out_len, digest, session->ssl_version, binder_key, - MakeConstSpan(context, context_len))) { + MakeConstSpan(context, context_len), is_dtls)) { return false; } 
@@ -467,7 +504,7 @@ bool tls13_write_psk_binder(const SSL_HANDSHAKE *hs, uint8_t verify_data[EVP_MAX_MD_SIZE]; size_t verify_data_len; if (!tls13_psk_binder(verify_data, &verify_data_len, ssl->session.get(), - transcript, msg, binders_len) || + transcript, msg, binders_len, SSL_is_dtls(hs->ssl)) || verify_data_len != hash_len) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); return false; @@ -491,7 +528,7 @@ bool tls13_verify_psk_binder(const SSL_HANDSHAKE *hs, // prefix removed. The caller is assumed to have parsed |msg|, extracted // |binders|, and verified the PSK extension is last. if (!tls13_psk_binder(verify_data, &verify_data_len, session, hs->transcript, - msg.raw, 2 + CBS_len(binders)) || + msg.raw, 2 + CBS_len(binders), SSL_is_dtls(hs->ssl)) || // We only consider the first PSK, so compare against the first binder. !CBS_get_u8_length_prefixed(binders, &binder)) { OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); @@ -556,11 +593,11 @@ bool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span out, } assert(out.size() == ECH_CONFIRMATION_SIGNAL_LEN); - return hkdf_expand_label(out, transcript.Digest(), - MakeConstSpan(secret, secret_len), - is_hrr ? label_to_span("hrr ech accept confirmation") - : label_to_span("ech accept confirmation"), - MakeConstSpan(context, context_len)); + return hkdf_expand_label( + out, transcript.Digest(), MakeConstSpan(secret, secret_len), + is_hrr ? label_to_span("hrr ech accept confirmation") + : label_to_span("ech accept confirmation"), + MakeConstSpan(context, context_len), SSL_is_dtls(hs->ssl)); } BSSL_NAMESPACE_END diff --git a/Sources/CNIOBoringSSL/ssl/tls13_server.cc b/Sources/CNIOBoringSSL/ssl/tls13_server.cc index 105ddd176..9bd9efa3a 100644 --- a/Sources/CNIOBoringSSL/ssl/tls13_server.cc +++ b/Sources/CNIOBoringSSL/ssl/tls13_server.cc @@ -17,6 +17,7 @@ #include #include +#include #include #include 
@@ -100,7 +101,7 @@ static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs, CBB contents; if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || !CBB_add_u16_length_prefixed(out, &contents) || - !CBB_add_u16(&contents, hs->ssl->version) || + !CBB_add_u16(&contents, hs->ssl->s3->version) || !CBB_flush(out)) { return 0; } @@ -109,18 +110,18 @@ static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs, } static const SSL_CIPHER *choose_tls13_cipher( - const SSL *ssl, const SSL_CLIENT_HELLO *client_hello, uint16_t group_id) { + const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) { CBS cipher_suites; CBS_init(&cipher_suites, client_hello->cipher_suites, client_hello->cipher_suites_len); const uint16_t version = ssl_protocol_version(ssl); - return ssl_choose_tls13_cipher( - cipher_suites, - ssl->config->aes_hw_override ? ssl->config->aes_hw_override_value - : EVP_has_aes_hardware(), - version, group_id, ssl->config->tls13_cipher_policy); + return ssl_choose_tls13_cipher(cipher_suites, + ssl->config->aes_hw_override + ? ssl->config->aes_hw_override_value + : EVP_has_aes_hardware(), + version, ssl->config->tls13_cipher_policy); } static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) { @@ -174,7 +175,7 @@ static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) { !CBB_add_u8_length_prefixed(&body, &nonce_cbb) || !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) || !CBB_add_u16_length_prefixed(&body, &ticket) || - !tls13_derive_session_psk(session.get(), nonce) || + !tls13_derive_session_psk(session.get(), nonce, SSL_is_dtls(ssl)) || !ssl_encrypt_ticket(hs, &ticket, session.get()) || !CBB_add_u16_length_prefixed(&body, &extensions)) { return false; 
@@ -206,6 +207,28 @@ static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) { return true; } +static bool check_credential(SSL_HANDSHAKE *hs, const SSL_CREDENTIAL *cred, + uint16_t *out_sigalg) { + switch (cred->type) { + case SSLCredentialType::kX509: + break; + case SSLCredentialType::kDelegated: + // Check that the peer supports the signature over the delegated + // credential. + if (std::find(hs->peer_sigalgs.begin(), hs->peer_sigalgs.end(), + cred->dc_algorithm) == hs->peer_sigalgs.end()) { + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); + return false; + } + break; + } + + // All currently supported credentials require a signature. If |cred| is a + // delegated credential, this also checks that the peer supports delegated + // credentials and matched |dc_cert_verify_algorithm|. + return tls1_choose_signature_algorithm(hs, cred, out_sigalg); +} + static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { // At this point, most ClientHello extensions have already been processed by // the common handshake logic. Resolve the remaining non-PSK parameters. 
@@ -221,19 +244,43 @@ static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return ssl_hs_error; } - OPENSSL_memcpy(hs->session_id, client_hello.session_id, - client_hello.session_id_len); - hs->session_id_len = client_hello.session_id_len; + // DTLS 1.3 disables compatibility mode, and even if the client advertised a + // session ID (for resumption in DTLS 1.2), the server "MUST NOT echo the + // 'legacy_session_id' value from the client" (RFC 9147, section 5) as it + // would in a TLS 1.3 handshake. + if (!SSL_is_dtls(ssl)) { + hs->session_id.CopyFrom( + MakeConstSpan(client_hello.session_id, client_hello.session_id_len)); + } - uint16_t group_id; - if (!tls1_get_shared_group(hs, &group_id)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP); + Array creds; + if (!ssl_get_credential_list(hs, &creds)) { + return ssl_hs_error; + } + if (creds.empty()) { + OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); + ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return ssl_hs_error; + } + + // Select the credential to use. + for (SSL_CREDENTIAL *cred : creds) { + ERR_clear_error(); + uint16_t sigalg; + if (check_credential(hs, cred, &sigalg)) { + hs->credential = UpRef(cred); + hs->signature_algorithm = sigalg; + break; + } + } + if (hs->credential == nullptr) { + // The error from the last attempt is in the error queue. ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); return ssl_hs_error; } // Negotiate the cipher suite. - hs->new_cipher = choose_tls13_cipher(ssl, &client_hello, group_id); + hs->new_cipher = choose_tls13_cipher(ssl, &client_hello); if (hs->new_cipher == NULL) { OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 
@@ -513,11 +560,9 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher)); // Set up the key schedule and incorporate the PSK into the running secret. - if (!tls13_init_key_schedule( - hs, ssl->s3->session_reused - ? MakeConstSpan(hs->new_session->secret, - hs->new_session->secret_length) - : MakeConstSpan(kZeroes, hash_len)) || + if (!tls13_init_key_schedule(hs, ssl->s3->session_reused + ? MakeConstSpan(hs->new_session->secret) + : MakeConstSpan(kZeroes, hash_len)) || !ssl_hash_message(hs, msg)) { return ssl_hs_error; } @@ -557,22 +602,21 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { ScopedCBB cbb; CBB body, session_id, extensions; - uint16_t group_id; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || !CBB_add_u16(&body, TLS1_2_VERSION) || !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) || !CBB_add_u8_length_prefixed(&body, &session_id) || - !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) || + !CBB_add_bytes(&session_id, hs->session_id.data(), + hs->session_id.size()) || !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) || !CBB_add_u8(&body, 0 /* no compression */) || - !tls1_get_shared_group(hs, &group_id) || !CBB_add_u16_length_prefixed(&body, &extensions) || !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) || !CBB_add_u16(&extensions, 2 /* length */) || - !CBB_add_u16(&extensions, ssl->version) || + !CBB_add_u16(&extensions, ssl->s3->version) || !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) || !CBB_add_u16(&extensions, 2 /* length */) || - !CBB_add_u16(&extensions, group_id)) { + !CBB_add_u16(&extensions, hs->new_session->group_id)) { return ssl_hs_error; } if (hs->ech_is_inner) { 
@@ -752,15 +796,20 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { } } + uint16_t server_hello_version = TLS1_2_VERSION; + if (SSL_is_dtls(ssl)) { + server_hello_version = DTLS1_2_VERSION; + } Array server_hello; ScopedCBB cbb; CBB body, extensions, session_id; if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || - !CBB_add_u16(&body, TLS1_2_VERSION) || + !CBB_add_u16(&body, server_hello_version) || !CBB_add_bytes(&body, ssl->s3->server_random, sizeof(ssl->s3->server_random)) || !CBB_add_u8_length_prefixed(&body, &session_id) || - !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) || + !CBB_add_bytes(&session_id, hs->session_id.data(), + hs->session_id.size()) || !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) || !CBB_add_u8(&body, 0) || !CBB_add_u16_length_prefixed(&body, &extensions) || @@ -860,11 +909,6 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { // Send the server Certificate message, if necessary. if (!ssl->s3->session_reused) { - if (!ssl_has_certificate(hs)) { - OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); - return ssl_hs_error; - } - if (!tls13_add_certificate(hs)) { return ssl_hs_error; } @@ -966,6 +1010,12 @@ static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) { return ssl_hs_flush; } +static bool uses_end_of_early_data(const SSL *ssl) { + // DTLS and QUIC omit the EndOfEarlyData message. See RFC 9001, section 8.3, + // and RFC 9147, section 5.6. + return ssl->quic_method == nullptr && !SSL_is_dtls(ssl); +} + static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; if (ssl->s3->early_data_accepted) { 
@@ -979,9 +1029,9 @@ static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) { hs->in_early_data = true; } - // QUIC doesn't use an EndOfEarlyData message (RFC 9001, section 8.3), so we - // switch to client_handshake_secret before the early return. - if (ssl->quic_method != nullptr) { + // If the EndOfEarlyData message is not used, switch to + // client_handshake_secret before the early return. + if (!uses_end_of_early_data(ssl)) { if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open, hs->new_session.get(), hs->client_handshake_secret())) { @@ -1000,7 +1050,7 @@ static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) { SSL *const ssl = hs->ssl; // In protocols that use EndOfEarlyData, we must consume the extra message and // switch to client_handshake_secret after the early return. - if (ssl->quic_method == nullptr) { + if (uses_end_of_early_data(ssl)) { // If early data was not accepted, the EndOfEarlyData will be in the // discarded early data. if (hs->ssl->s3->early_data_accepted) { diff --git a/Sources/CNIOBoringSSL/ssl/tls_record.cc b/Sources/CNIOBoringSSL/ssl/tls_record.cc index 3b7d7e5cf..fd2cfb2a3 100644 --- a/Sources/CNIOBoringSSL/ssl/tls_record.cc +++ b/Sources/CNIOBoringSSL/ssl/tls_record.cc @@ -140,10 +140,10 @@ static const uint8_t kMaxWarningAlerts = 4; // ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher // state needs record-splitting and zero otherwise. -static bool ssl_needs_record_splitting(const SSL *ssl) { +bool ssl_needs_record_splitting(const SSL *ssl) { #if !defined(BORINGSSL_UNSAFE_FUZZER_MODE) return !ssl->s3->aead_write_ctx->is_null_cipher() && - ssl->s3->aead_write_ctx->ProtocolVersion() < TLS1_1_VERSION && + ssl_protocol_version(ssl) < TLS1_1_VERSION && (ssl->mode & SSL_MODE_CBC_RECORD_SPLITTING) != 0 && SSL_CIPHER_is_block_cipher(ssl->s3->aead_write_ctx->cipher()); #else 
@@ -152,28 +152,8 @@ static bool ssl_needs_record_splitting(const SSL *ssl) { } size_t ssl_record_prefix_len(const SSL *ssl) { - size_t header_len; - if (SSL_is_dtls(ssl)) { - header_len = DTLS1_RT_HEADER_LENGTH; - } else { - header_len = SSL3_RT_HEADER_LENGTH; - } - - return header_len + ssl->s3->aead_read_ctx->ExplicitNonceLen(); -} - -size_t ssl_seal_align_prefix_len(const SSL *ssl) { - if (SSL_is_dtls(ssl)) { - return DTLS1_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen(); - } - - size_t ret = - SSL3_RT_HEADER_LENGTH + ssl->s3->aead_write_ctx->ExplicitNonceLen(); - if (ssl_needs_record_splitting(ssl)) { - ret += SSL3_RT_HEADER_LENGTH; - ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher()); - } - return ret; + assert(!SSL_is_dtls(ssl)); + return SSL3_RT_HEADER_LENGTH + ssl->s3->aead_read_ctx->ExplicitNonceLen(); } static ssl_open_record_t skip_early_data(SSL *ssl, uint8_t *out_alert, @@ -192,6 +172,19 @@ static ssl_open_record_t skip_early_data(SSL *ssl, uint8_t *out_alert, return ssl_open_record_discard; } +static uint16_t tls_record_version(const SSL *ssl) { + if (ssl->s3->version == 0) { + // Before the version is determined, outgoing records use TLS 1.0 for + // historical compatibility requirements. + return TLS1_VERSION; + } + + // TLS 1.3 freezes the record version at TLS 1.2. Previous ones use the + // version itself. + return ssl_protocol_version(ssl) >= TLS1_3_VERSION ? TLS1_2_VERSION + : ssl->s3->version; +} + ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, Span *out, size_t *out_consumed, uint8_t *out_alert, Span in) { @@ -224,7 +217,7 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, // version negotiation failure alerts. version_ok = (version >> 8) == SSL3_VERSION_MAJOR; } else { - version_ok = version == ssl->s3->aead_read_ctx->RecordVersion(); + version_ok = version == tls_record_version(ssl); } if (!version_ok) { 
@@ -252,12 +245,10 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, *out_consumed = in.size() - CBS_len(&cbs); - if (ssl->s3->have_version && - ssl_protocol_version(ssl) >= TLS1_3_VERSION && - SSL_in_init(ssl) && - type == SSL3_RT_CHANGE_CIPHER_SPEC && - ciphertext_len == 1 && - CBS_data(&body)[0] == 1) { + // In TLS 1.3, during the handshake, skip ChangeCipherSpec records. + if (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION && + SSL_in_init(ssl) && type == SSL3_RT_CHANGE_CIPHER_SPEC && + Span(body) == Span({SSL3_MT_CCS})) { ssl->s3->empty_record_count++; if (ssl->s3->empty_record_count > kMaxEmptyRecords) { OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_EMPTY_FRAGMENTS); @@ -300,9 +291,8 @@ ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, ssl->s3->read_sequence++; // TLS 1.3 hides the record type inside the encrypted data. - bool has_padding = - !ssl->s3->aead_read_ctx->is_null_cipher() && - ssl->s3->aead_read_ctx->ProtocolVersion() >= TLS1_3_VERSION; + bool has_padding = !ssl->s3->aead_read_ctx->is_null_cipher() && + ssl_protocol_version(ssl) >= TLS1_3_VERSION; // If there is padding, the plaintext limit includes the padding, but includes // extra room for the inner content type. @@ -371,8 +361,7 @@ static bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, SSLAEADContext *aead = ssl->s3->aead_write_ctx.get(); uint8_t *extra_in = NULL; size_t extra_in_len = 0; - if (!aead->is_null_cipher() && - aead->ProtocolVersion() >= TLS1_3_VERSION) { + if (!aead->is_null_cipher() && ssl_protocol_version(ssl) >= TLS1_3_VERSION) { // TLS 1.3 hides the actual record type inside the encrypted data. extra_in = &type; extra_in_len = 1; 
@@ -395,8 +384,7 @@ static bool do_seal_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out, out_prefix[0] = type; } - uint16_t record_version = aead->RecordVersion(); - + uint16_t record_version = tls_record_version(ssl); out_prefix[1] = record_version >> 8; out_prefix[2] = record_version & 0xff; out_prefix[3] = ciphertext_len >> 8; @@ -441,7 +429,7 @@ static bool tls_seal_scatter_suffix_len(const SSL *ssl, size_t *out_suffix_len, uint8_t type, size_t in_len) { size_t extra_in_len = 0; if (!ssl->s3->aead_write_ctx->is_null_cipher() && - ssl->s3->aead_write_ctx->ProtocolVersion() >= TLS1_3_VERSION) { + ssl_protocol_version(ssl) >= TLS1_3_VERSION) { // TLS 1.3 adds an extra byte for encrypted record type. extra_in_len = 1; } @@ -571,8 +559,7 @@ enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert, // without specifying how to handle it. JDK11 misuses it to signal // full-duplex connection close after the handshake. As a workaround, skip // user_canceled as in TLS 1.2. This matches NSS and OpenSSL. - if (ssl->s3->have_version && - ssl_protocol_version(ssl) >= TLS1_3_VERSION && + if (ssl->s3->version != 0 && ssl_protocol_version(ssl) >= TLS1_3_VERSION && alert_descr != SSL_AD_USER_CANCELLED) { *out_alert = SSL_AD_DECODE_ERROR; OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT); @@ -606,14 +593,14 @@ using namespace bssl; size_t SSL_max_seal_overhead(const SSL *ssl) { if (SSL_is_dtls(ssl)) { - return dtls_max_seal_overhead(ssl, dtls1_use_current_epoch); + return dtls_max_seal_overhead(ssl, ssl->d1->w_epoch); } size_t ret = SSL3_RT_HEADER_LENGTH; ret += ssl->s3->aead_write_ctx->MaxOverhead(); // TLS 1.3 needs an extra byte for the encrypted record type. if (!ssl->s3->aead_write_ctx->is_null_cipher() && - ssl->s3->aead_write_ctx->ProtocolVersion() >= TLS1_3_VERSION) { + ssl_protocol_version(ssl) >= TLS1_3_VERSION) { ret += 1; } if (ssl_needs_record_splitting(ssl)) { 
diff --git a/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S b/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S index 5288439d8..3f59411d4 100644 --- a/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S +++ b/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_mul.S @@ -4,7 +4,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ (defined(__APPLE__) || defined(__ELF__)) -.intel_syntax noprefix .text #if defined(__APPLE__) .private_extern _fiat_p256_adx_mul 
@@ -19,158 +18,158 @@ fiat_p256_adx_mul: .cfi_startproc _CET_ENDBR -push rbp -.cfi_adjust_cfa_offset 8 +pushq %rbp +;.cfi_adjust_cfa_offset 8 .cfi_offset rbp, -16 -mov rbp, rsp -mov rax, rdx -mov rdx, [ rsi + 0x0 ] -test al, al -mulx r8, rcx, [ rax + 0x0 ] -mov [ rsp - 0x80 ], rbx +movq %rsp, %rbp +movq %rdx, %rax +movq (%rsi), %rdx +testb %al, %al +mulxq (%rax), %rcx, %r8 +movq %rbx, -0x80(%rsp) .cfi_offset rbx, -16-0x80 -mulx rbx, r9, [ rax + 0x8 ] -mov [ rsp - 0x68 ], r14 +mulxq 0x8(%rax), %r9, %rbx +movq %r14, -0x68(%rsp) .cfi_offset r14, -16-0x68 -adc r9, r8 -mov [ rsp - 0x60 ], r15 +adcq %r8, %r9 +movq %r15, -0x60(%rsp) .cfi_offset r15, -16-0x60 -mulx r15, r14, [ rax + 0x10 ] -mov [ rsp - 0x78 ], r12 +mulxq 0x10(%rax), %r14, %r15 +movq %r12, -0x78(%rsp) .cfi_offset r12, -16-0x78 -adc r14, rbx -mulx r11, r10, [ rax + 0x18 ] -mov [ rsp - 0x70 ], r13 +adcq %rbx, %r14 +mulxq 0x18(%rax), %r10, %r11 +movq %r13, -0x70(%rsp) .cfi_offset r13, -16-0x70 -adc r10, r15 -mov rdx, [ rsi + 0x8 ] -mulx rbx, r8, [ rax + 0x0 ] -adc r11, 0x0 -xor r15, r15 -adcx r8, r9 -adox rbx, r14 -mov [ rsp - 0x58 ], rdi -mulx rdi, r9, [ rax + 0x8 ] -adcx r9, rbx -adox rdi, r10 -mulx rbx, r14, [ rax + 0x10 ] -adcx r14, rdi -adox rbx, r11 -mulx r13, r12, [ rax + 0x18 ] -adcx r12, rbx -mov rdx, 0x100000000 -mulx r11, r10, rcx -adox r13, r15 -adcx r13, r15 -xor rdi, rdi -adox r10, r8 -mulx r8, rbx, r10 -adox r11, r9 -adcx rbx, r11 -adox r8, r14 -mov rdx, 0xffffffff00000001 -mulx r9, r15, rcx -adcx r15, r8 -adox r9, r12 -mulx r14, rcx, r10 -mov rdx, [ rsi + 0x10 ] -mulx r10, r12, [ rax + 0x8 ] -adcx rcx, r9 -adox r14, r13 -mulx r11, r13, [ rax + 0x0 ] -mov r9, rdi -adcx r14, r9 -adox rdi, rdi -adc rdi, 0x0 -xor r9, r9 -adcx r13, rbx -adox r11, r15 -mov rdx, [ rsi + 0x10 ] -mulx r15, r8, [ rax + 0x10 ] -adox r10, rcx -mulx rcx, rbx, [ rax + 0x18 ] -mov rdx, [ rsi + 0x18 ] -adcx r12, r11 -mulx rsi, r11, [ rax + 0x8 ] -adcx r8, r10 -adox r15, r14 -adcx rbx, r15 -adox rcx, r9 -adcx rcx, r9 -mulx r15, 
r10, [ rax + 0x0 ] -add rcx, rdi -mov r14, r9 -adc r14, 0 -xor r9, r9 -adcx r10, r12 -adox r15, r8 -adcx r11, r15 -adox rsi, rbx -mulx r8, r12, [ rax + 0x10 ] -adox r8, rcx -mulx rcx, rbx, [ rax + 0x18 ] -adcx r12, rsi -adox rcx, r9 -mov rdx, 0x100000000 -adcx rbx, r8 -adc rcx, 0 -mulx rdi, r15, r13 -xor rax, rax -adcx rcx, r14 -adc rax, 0 -xor r9, r9 -adox r15, r10 -mulx r14, r10, r15 -adox rdi, r11 -mov rdx, 0xffffffff00000001 -adox r14, r12 -adcx r10, rdi -mulx r12, r11, r13 -adcx r11, r14 -adox r12, rbx -mulx rbx, r13, r15 -adcx r13, r12 -adox rbx, rcx -mov r8, r9 -adox rax, r9 -adcx r8, rbx -adc rax, 0x0 -mov rcx, rax -mov r15, 0xffffffffffffffff -mov rdi, r10 -sub rdi, r15 -mov r14, 0xffffffff -mov r12, r11 -sbb r12, r14 -mov rbx, r13 -sbb rbx, r9 -mov rax, rax -mov rax, r8 -sbb rax, rdx -sbb rcx, r9 -cmovc rdi, r10 -mov r10, [ rsp - 0x58 ] -cmovc rbx, r13 -mov r13, [ rsp - 0x70 ] +adcq %r15, %r10 +movq 0x8(%rsi), %rdx +mulxq (%rax), %r8, %rbx +adcq $0x0, %r11 +xorq %r15, %r15 +adcxq %r9, %r8 +adoxq %r14, %rbx +movq %rdi, -0x58(%rsp) +mulxq 0x8(%rax), %r9, %rdi +adcxq %rbx, %r9 +adoxq %r10, %rdi +mulxq 0x10(%rax), %r14, %rbx +adcxq %rdi, %r14 +adoxq %r11, %rbx +mulxq 0x18(%rax), %r12, %r13 +adcxq %rbx, %r12 +movq $0x100000000, %rdx +mulxq %rcx, %r10, %r11 +adoxq %r15, %r13 +adcxq %r15, %r13 +xorq %rdi, %rdi +adoxq %r8, %r10 +mulxq %r10, %rbx, %r8 +adoxq %r9, %r11 +adcxq %r11, %rbx +adoxq %r14, %r8 +movq $0xffffffff00000001, %rdx +mulxq %rcx, %r15, %r9 +adcxq %r8, %r15 +adoxq %r12, %r9 +mulxq %r10, %rcx, %r14 +movq 0x10(%rsi), %rdx +mulxq 0x8(%rax), %r12, %r10 +adcxq %r9, %rcx +adoxq %r13, %r14 +mulxq (%rax), %r13, %r11 +movq %rdi, %r9 +adcxq %r9, %r14 +adoxq %rdi, %rdi +adcq $0x0, %rdi +xorq %r9, %r9 +adcxq %rbx, %r13 +adoxq %r15, %r11 +movq 0x10(%rsi), %rdx +mulxq 0x10(%rax), %r8, %r15 +adoxq %rcx, %r10 +mulxq 0x18(%rax), %rbx, %rcx +movq 0x18(%rsi), %rdx +adcxq %r11, %r12 +mulxq 0x8(%rax), %r11, %rsi +adcxq %r10, %r8 +adoxq %r14, %r15 +adcxq %r15, %rbx 
+adoxq %r9, %rcx +adcxq %r9, %rcx +mulxq (%rax), %r10, %r15 +addq %rdi, %rcx +movq %r9, %r14 +adcq $0x0, %r14 +xorq %r9, %r9 +adcxq %r12, %r10 +adoxq %r8, %r15 +adcxq %r15, %r11 +adoxq %rbx, %rsi +mulxq 0x10(%rax), %r12, %r8 +adoxq %rcx, %r8 +mulxq 0x18(%rax), %rbx, %rcx +adcxq %rsi, %r12 +adoxq %r9, %rcx +movq $0x100000000, %rdx +adcxq %r8, %rbx +adcq $0x0, %rcx +mulxq %r13, %r15, %rdi +xorq %rax, %rax +adcxq %r14, %rcx +adcq $0x0, %rax +xorq %r9, %r9 +adoxq %r10, %r15 +mulxq %r15, %r10, %r14 +adoxq %r11, %rdi +movq $0xffffffff00000001, %rdx +adoxq %r12, %r14 +adcxq %rdi, %r10 +mulxq %r13, %r11, %r12 +adcxq %r14, %r11 +adoxq %rbx, %r12 +mulxq %r15, %r13, %rbx +adcxq %r12, %r13 +adoxq %rcx, %rbx +movq %r9, %r8 +adoxq %r9, %rax +adcxq %rbx, %r8 +adcq $0x0, %rax +movq %rax, %rcx +movq $0xffffffffffffffff, %r15 +movq %r10, %rdi +subq %r15, %rdi +movq $0xffffffff, %r14 +movq %r11, %r12 +sbbq %r14, %r12 +movq %r13, %rbx +sbbq %r9, %rbx +movq %rax, %rax +movq %r8, %rax +sbbq %rdx, %rax +sbbq %r9, %rcx +cmovcq %r10, %rdi +movq -0x58(%rsp), %r10 +cmovcq %r13, %rbx +movq -0x70(%rsp), %r13 .cfi_restore r13 -cmovc r12, r11 -cmovc rax, r8 -mov [ r10 + 0x10 ], rbx -mov rbx, [ rsp - 0x80 ] +cmovcq %r11, %r12 +cmovcq %r8, %rax +movq %rbx, 0x10(%r10) +movq -0x80(%rsp), %rbx .cfi_restore rbx -mov [ r10 + 0x0 ], rdi -mov [ r10 + 0x8 ], r12 -mov [ r10 + 0x18 ], rax -mov r12, [ rsp - 0x78 ] +movq %rdi, (%r10) +movq %r12, 0x8(%r10) +movq %rax, 0x18(%r10) +movq -0x78(%rsp), %r12 .cfi_restore r12 -mov r14, [ rsp - 0x68 ] +movq -0x68(%rsp), %r14 .cfi_restore r14 -mov r15, [ rsp - 0x60 ] +movq -0x60(%rsp), %r15 .cfi_restore r15 -pop rbp +popq %rbp .cfi_restore rbp .cfi_adjust_cfa_offset -8 -ret +retq .cfi_endproc #if defined(__ELF__) .size fiat_p256_adx_mul, .-fiat_p256_adx_mul diff --git a/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S b/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S index 947d5ede8..9e722d2cc 100644 
--- a/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S +++ b/Sources/CNIOBoringSSL/third_party/fiat/asm/fiat_p256_adx_sqr.S @@ -4,7 +4,6 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ (defined(__APPLE__) || defined(__ELF__)) -.intel_syntax noprefix .text #if defined(__APPLE__) .private_extern _fiat_p256_adx_sqr 
@@ -19,147 +18,147 @@ fiat_p256_adx_sqr: .cfi_startproc _CET_ENDBR -push rbp +pushq %rbp .cfi_adjust_cfa_offset 8 .cfi_offset rbp, -16 -mov rbp, rsp -mov rdx, [ rsi + 0x0 ] -mulx r10, rax, [ rsi + 0x18 ] -mulx rcx, r11, rdx -mulx r9, r8, [ rsi + 0x8 ] -mov [ rsp - 0x80 ], rbx +movq %rsp, %rbp +movq (%rsi), %rdx +mulxq 0x18(%rsi), %rax, %r10 +mulxq %rdx, %r11, %rcx +mulxq 0x8(%rsi), %r8, %r9 +movq %rbx, -0x80(%rsp) .cfi_offset rbx, -16-0x80 -xor rbx, rbx -adox r8, r8 -mov [ rsp - 0x78 ], r12 +xorq %rbx, %rbx +adoxq %r8, %r8 +movq %r12, -0x78(%rsp) .cfi_offset r12, -16-0x78 -mulx r12, rbx, [ rsi + 0x10 ] -mov rdx, [ rsi + 0x8 ] -mov [ rsp - 0x70 ], r13 +mulxq 0x10(%rsi), %rbx, %r12 +movq 0x8(%rsi), %rdx +movq %r13, -0x70(%rsp) .cfi_offset r13, -16-0x70 -mov [ rsp - 0x68 ], r14 +movq %r14, -0x68(%rsp) .cfi_offset r14, -16-0x68 -mulx r14, r13, rdx -mov [ rsp - 0x60 ], r15 +mulxq %rdx, %r13, %r14 +movq %r15, -0x60(%rsp) .cfi_offset r15, -16-0x60 -mov [ rsp - 0x58 ], rdi -mulx rdi, r15, [ rsi + 0x10 ] -adcx r12, r15 -mov [ rsp - 0x50 ], r11 -mulx r11, r15, [ rsi + 0x18 ] -adcx r10, rdi -mov rdi, 0x0 -adcx r11, rdi +movq %rdi, -0x58(%rsp) +mulxq 0x10(%rsi), %r15, %rdi +adcxq %r15, %r12 +movq %r11, -0x50(%rsp) +mulxq 0x18(%rsi), %r15, %r11 +adcxq %rdi, %r10 +movq $0x0, %rdi +adcxq %rdi, %r11 clc -adcx rbx, r9 -adox rbx, rbx -adcx rax, r12 -adox rax, rax -adcx r15, r10 -adox r15, r15 -mov rdx, [ rsi + 0x10 ] -mulx r12, r9, [ rsi + 0x18 ] -adcx r9, r11 -adcx r12, rdi -mulx r11, r10, rdx +adcxq %r9, %rbx +adoxq %rbx, %rbx +adcxq %r12, %rax +adoxq %rax, %rax +adcxq %r10, %r15 +adoxq %r15, %r15 +movq 0x10(%rsi), %rdx +mulxq 0x18(%rsi), %r9, %r12 +adcxq %r11, %r9 +adcxq %rdi, %r12 +mulxq %rdx, %r10, %r11 clc -adcx rcx, r8 -adcx r13, rbx -adcx r14, rax -adox r9, r9 -adcx r10, r15 -mov rdx, [ rsi + 0x18 ] -mulx rbx, r8, rdx -adox r12, r12 -adcx r11, r9 -mov rsi, [ rsp - 0x50 ] -adcx r8, r12 -mov rax, 0x100000000 -mov rdx, rax -mulx r15, rax, rsi -adcx rbx, rdi -adox rbx, rdi -xor 
r9, r9 -adox rax, rcx -adox r15, r13 -mulx rcx, rdi, rax -adcx rdi, r15 -adox rcx, r14 -mov rdx, 0xffffffff00000001 -mulx r14, r13, rsi -adox r14, r10 -adcx r13, rcx -mulx r12, r10, rax -adox r12, r11 -mov r11, r9 -adox r11, r8 -adcx r10, r14 -mov r8, r9 -adcx r8, r12 -mov rax, r9 -adcx rax, r11 -mov r15, r9 -adox r15, rbx -mov rdx, 0x100000000 -mulx rcx, rbx, rdi -mov r14, r9 -adcx r14, r15 -mov r12, r9 -adox r12, r12 -adcx r12, r9 -adox rbx, r13 -mulx r11, r13, rbx -mov r15, 0xffffffff00000001 -mov rdx, r15 -mulx rsi, r15, rbx -adox rcx, r10 -adox r11, r8 -mulx r8, r10, rdi -adcx r13, rcx -adox r8, rax -adcx r10, r11 -adox rsi, r14 -mov rdi, r12 -mov rax, r9 -adox rdi, rax -adcx r15, r8 -mov r14, rax -adcx r14, rsi -adcx rdi, r9 -dec r9 -mov rbx, r13 -sub rbx, r9 -mov rcx, 0xffffffff -mov r11, r10 -sbb r11, rcx -mov r8, r15 -sbb r8, rax -mov rsi, r14 -sbb rsi, rdx -sbb rdi, rax -cmovc rbx, r13 -cmovc r8, r15 -cmovc r11, r10 -cmovc rsi, r14 -mov rdi, [ rsp - 0x58 ] -mov [ rdi + 0x18 ], rsi -mov [ rdi + 0x0 ], rbx -mov [ rdi + 0x8 ], r11 -mov [ rdi + 0x10 ], r8 -mov rbx, [ rsp - 0x80 ] +adcxq %r8, %rcx +adcxq %rbx, %r13 +adcxq %rax, %r14 +adoxq %r9, %r9 +adcxq %r15, %r10 +movq 0x18(%rsi), %rdx +mulxq %rdx, %r8, %rbx +adoxq %r12, %r12 +adcxq %r9, %r11 +movq -0x50(%rsp), %rsi +adcxq %r12, %r8 +movq $0x100000000, %rax +movq %rax, %rdx +mulxq %rsi, %rax, %r15 +adcxq %rdi, %rbx +adoxq %rdi, %rbx +xorq %r9, %r9 +adoxq %rcx, %rax +adoxq %r13, %r15 +mulxq %rax, %rdi, %rcx +adcxq %r15, %rdi +adoxq %r14, %rcx +movq $0xffffffff00000001, %rdx +mulxq %rsi, %r13, %r14 +adoxq %r10, %r14 +adcxq %rcx, %r13 +mulxq %rax, %r10, %r12 +adoxq %r11, %r12 +movq %r9, %r11 +adoxq %r8, %r11 +adcxq %r14, %r10 +movq %r9, %r8 +adcxq %r12, %r8 +movq %r9, %rax +adcxq %r11, %rax +movq %r9, %r15 +adoxq %rbx, %r15 +movq $0x100000000, %rdx +mulxq %rdi, %rbx, %rcx +movq %r9, %r14 +adcxq %r15, %r14 +movq %r9, %r12 +adoxq %r12, %r12 +adcxq %r9, %r12 +adoxq %r13, %rbx +mulxq %rbx, %r13, %r11 +movq 
$0xffffffff00000001, %r15 +movq %r15, %rdx +mulxq %rbx, %r15, %rsi +adoxq %r10, %rcx +adoxq %r8, %r11 +mulxq %rdi, %r10, %r8 +adcxq %rcx, %r13 +adoxq %rax, %r8 +adcxq %r11, %r10 +adoxq %r14, %rsi +movq %r12, %rdi +movq %r9, %rax +adoxq %rax, %rdi +adcxq %r8, %r15 +movq %rax, %r14 +adcxq %rsi, %r14 +adcxq %r9, %rdi +decq %r9 +movq %r13, %rbx +subq %r9, %rbx +movq $0xffffffff, %rcx +movq %r10, %r11 +sbbq %rcx, %r11 +movq %r15, %r8 +sbbq %rax, %r8 +movq %r14, %rsi +sbbq %rdx, %rsi +sbbq %rax, %rdi +cmovcq %r13, %rbx +cmovcq %r15, %r8 +cmovcq %r10, %r11 +cmovcq %r14, %rsi +movq -0x58(%rsp), %rdi +movq %rsi, 0x18(%rdi) +movq %rbx, (%rdi) +movq %r11, 0x8(%rdi) +movq %r8, 0x10(%rdi) +movq -0x80(%rsp), %rbx .cfi_restore rbx -mov r12, [ rsp - 0x78 ] +movq -0x78(%rsp), %r12 .cfi_restore r12 -mov r13, [ rsp - 0x70 ] +movq -0x70(%rsp), %r13 .cfi_restore r13 -mov r14, [ rsp - 0x68 ] +movq -0x68(%rsp), %r14 .cfi_restore r14 -mov r15, [ rsp - 0x60 ] +movq -0x60(%rsp), %r15 .cfi_restore r15 -pop rbp +popq %rbp .cfi_restore rbp .cfi_adjust_cfa_offset -8 -ret +retq .cfi_endproc #if defined(__ELF__) .size fiat_p256_adx_sqr, .-fiat_p256_adx_sqr diff --git a/Sources/CNIOBoringSSL/third_party/fiat/curve25519_64_adx.h b/Sources/CNIOBoringSSL/third_party/fiat/curve25519_64_adx.h index f50f5b837..68dd391d6 100644 --- a/Sources/CNIOBoringSSL/third_party/fiat/curve25519_64_adx.h +++ b/Sources/CNIOBoringSSL/third_party/fiat/curve25519_64_adx.h @@ -1,7 +1,9 @@ +#include +#include "../../crypto/internal.h" + #include #include #include -#include typedef uint64_t fe4[4]; typedef uint8_t fiat_uint1; @@ -468,7 +470,7 @@ __attribute__((target("adx,bmi2"))) void x25519_scalar_mult_adx(uint8_t out[32], const uint8_t scalar[32], const uint8_t point[32]) { uint8_t e[32]; - memcpy(e, scalar, 32); + OPENSSL_memcpy(e, scalar, 32); e[0] &= 248; e[31] &= 127; e[31] |= 64; 
diff --git a/Sources/CNIOBoringSSL/third_party/fiat/p256_64.h b/Sources/CNIOBoringSSL/third_party/fiat/p256_64.h index a691407b6..bc5829ea0 100644 --- a/Sources/CNIOBoringSSL/third_party/fiat/p256_64.h +++ b/Sources/CNIOBoringSSL/third_party/fiat/p256_64.h @@ -1,3 +1,4 @@ +#include #include "../../crypto/internal.h" #if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__) void fiat_p256_adx_mul(uint64_t*, const uint64_t*, const uint64_t*); diff --git a/Sources/NIOSSL/SSLCertificate.swift b/Sources/NIOSSL/SSLCertificate.swift index cfa37bb72..97efa29f7 100644 --- a/Sources/NIOSSL/SSLCertificate.swift +++ b/Sources/NIOSSL/SSLCertificate.swift @@ -186,7 +186,7 @@ public final class NIOSSLCertificate { /// Extracts the SHA1 hash of the subject name before it has been truncated. /// /// - returns: Numeric hash of the subject name. - internal func getSubjectNameHash() -> UInt { + internal func getSubjectNameHash() -> UInt32 { return CNIOBoringSSL_X509_subject_name_hash(self.ref) } diff --git a/scripts/vendor-boringssl.sh b/scripts/vendor-boringssl.sh index 8c59321c3..f7c747830 100755 --- a/scripts/vendor-boringssl.sh +++ b/scripts/vendor-boringssl.sh 
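Review bot: The narrowed return type `UInt32` in `getSubjectNameHash()` contradicts the doc comment kept on the context line above it, which still says the SHA-1 is returned "before it has been truncated"; a 160-bit SHA-1 cannot fit in 32 bits, so whatever `CNIOBoringSSL_X509_subject_name_hash` computes, this accessor exposes at most 32 bits of it. I would replace that first doc line with `/// Returns the 32-bit subject-name hash computed by BoringSSL's X509_subject_name_hash.` and add `/// - note: This is a lookup key, not a collision-resistant fingerprint; do not use it to identify a certificate.` so that an internal caller does not treat equal hashes as equal subjects. Any existing comparison of this value against a stored `UInt` (for example an index keyed on the old type) presumably needs the same narrowing and is worth grepping for before merging.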
@@ -166,9 +166,9 @@ function mangle_cpp_structures {
 # The nm command grabs all global defined symbols. We then run the C++ demangler over them and look for methods with '::' in them:
 # these are C++ methods. We then exclude any that contain CNIOBoringSSL (as those are already namespaced!) and any that contain swift
 # (as those were put there by the Swift runtime, not us). This gives us a list of symbols. The following cut command
- # grabs the type name from each of those (the bit preceding the '::'). Finally, we sort and uniqify that list. This gives us all the
- # structures that need to be renamed.
- structures=$(nm -gUj "$(swift build --show-bin-path)/libCNIOBoringSSL.a" | c++filt | grep "::" | grep -v -e "CNIOBoringSSL" -e "swift" | cut -d : -f1 | sort | uniq)
+ # grabs the type name from each of those (the bit preceding the '::'). Then, we sort and uniqify that list.
+ # Finally, we remove any symbol that ends in std. This gives us all the structures that need to be renamed.
+ structures=$(nm -gUj "$(swift build --show-bin-path)/libCNIOBoringSSL.a" | c++filt | grep "::" | grep -v -e "CNIOBoringSSL" -e "swift" | cut -d : -f1 | sort | uniq | grep -v "std$")
 for struct in ${structures}; do
 echo "#define ${struct} BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ${struct})" >> "${DSTROOT}/include/CNIOBoringSSL_boringssl_prefix_symbols.h"
@@ -226,17 +226,22 @@ echo "GENERATING assembly helpers"
 PATTERNS=(
 'include/openssl/*.h'
+'include/openssl/*/*.h'
 'ssl/*.h'
 'ssl/*.cc'
 'crypto/*.h'
 'crypto/*.c'
 'crypto/*/*.h'
 'crypto/*/*.c'
+'crypto/*/*.cc'
 'crypto/*/*.S'
 'crypto/*/*/*.h'
-'crypto/*/*/*.c'
+'crypto/*/*/*.c.inc'
 'crypto/*/*/*.S'
-'crypto/*/*/*/*.c'
+'crypto/*/*/*/*.c.inc'
+'gen/crypto/*.c'
+'gen/crypto/*.S'
+'gen/bcm/*.S'
 'third_party/fiat/*.h'
 'third_party/fiat/asm/*.S'
 #'third_party/fiat/*.c'
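Review bot: The new `grep -v "std$"` filter on the `structures=` line is broader than what the new comment states: after `cut -d : -f1` it drops every type name that merely ends in `std`, not just the `std` namespace, so a legitimate C++ type with that suffix would silently be left unprefixed in `CNIOBoringSSL_boringssl_prefix_symbols.h`. An exact whole-line match expresses the intent without that gap, `... | sort | uniq | grep -vx "std")`. The rest of `mangle_cpp_structures` lies outside the hunk.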
@@ -267,25 +272,8 @@ do
 find $DSTROOT -d -name "$exclude" -exec rm -rf {} \;
 done
-echo "GENERATING err_data.c"
-(
- cd "$SRCROOT/crypto/err"
- go mod tidy -modcacherw
- go run err_data_generate.go > "${HERE}/${DSTROOT}/crypto/err/err_data.c"
-)
-
-echo "DELETING crypto/fipsmodule/bcm.c"
-rm -f $DSTROOT/crypto/fipsmodule/bcm.c
-
-echo "FIXING missing include"
-perl -pi -e '$_ .= qq(\n#include \n) if /#include /' "$DSTROOT/crypto/fipsmodule/self_check/self_check.c"
-
 mangle_symbols
-# Removing ASM on 32 bit Apple platforms
-echo "REMOVING assembly on 32-bit Apple platforms"
-$sed -i "/#define OPENSSL_HEADER_BASE_H/a#if defined(__APPLE__) && defined(__i386__)\n#define OPENSSL_NO_ASM\n#endif" "$DSTROOT/include/openssl/base.h"
-
 echo "RENAMING header files"
 (
 # We need to rearrange a coouple of things here, the end state will be:
@@ -299,14 +287,19 @@ echo "RENAMING header files"
 mv include/openssl/* include/
 rmdir "include/openssl"
+ # Now let's remove the pki subdirectory, as we don't need it.
+ rm -rf include/pki
+
 # Now change the imports from " to "", apply the same prefix to the 'boringssl_prefix_symbols' headers.
- find . -name "*.[ch]" -or -name "*.cc" -or -name "*.S" | xargs $sed -i -e 's+include ]+/)*)(.+.h)>#include <\1CNIOBoringSSL_\3>#' -e 's+include ]+/)*)(.+.h)"#include "\1CNIOBoringSSL_\3"#'
 # Okay now we need to rename the headers adding the prefix "CNIOBoringSSL_".
 pushd include
- find . -name "*.h" | $sed -e "s_./__" | xargs -I {} mv {} CNIOBoringSSL_{}
+ for x in *.h; do mv -- "$x" "CNIOBoringSSL_${x}"; done
+ for x in **/*.h; do mv -- "$x" "${x%/*}/CNIOBoringSSL_${x##*/}"; done
+
 # Finally, make sure we refer to them by their prefixed names, and change any includes from angle brackets to quotation marks.
- find . -name "*.h" | xargs $sed -i -e 's/include "/include "CNIOBoringSSL_/' -e 's/include /include "CNIOBoringSSL_\1"/'
+ find . -name "*.h" | xargs $sed -i -r -e 's#include "(([^/"]+/)*)(.+.h)"#include "\1CNIOBoringSSL_\3"#' -e 's/include /include "CNIOBoringSSL_\1"/'
 popd
 )
@@ -343,6 +336,7 @@ cat << EOF > "$DSTROOT/include/CNIOBoringSSL.h"
 #ifndef C_NIO_BORINGSSL_H
 #define C_NIO_BORINGSSL_H
+#include "CNIOBoringSSL_aead.h"
 #include "CNIOBoringSSL_aes.h"
 #include "CNIOBoringSSL_arm_arch.h"
 #include "CNIOBoringSSL_asm_base.h"
@@ -352,6 +346,7 @@ cat << EOF > "$DSTROOT/include/CNIOBoringSSL.h"
 #include "CNIOBoringSSL_bio.h"
 #include "CNIOBoringSSL_blake2.h"
 #include "CNIOBoringSSL_blowfish.h"
+#include "CNIOBoringSSL_bn.h"
 #include "CNIOBoringSSL_boringssl_prefix_symbols.h"
 #include "CNIOBoringSSL_boringssl_prefix_symbols_asm.h"
 #include "CNIOBoringSSL_cast.h"
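Review bot: The new `for x in **/*.h` loop under `pushd include` depends on bash's `globstar` option, which is off by default: without `shopt -s globstar`, `**` behaves like `*` and only headers one directory level down are renamed, and when nothing matches the literal pattern `**/*.h` is handed to `mv`. I cannot see whether the script sets `globstar` or `nullglob` earlier, so if it does not, add `shopt -s globstar nullglob` before the loop. This matters because the `find . -name "*.h" | xargs $sed` rewrite that follows prefixes every quoted include path, so a header the loop missed would be referenced by a name that no longer exists; today the only nested headers the umbrella includes appear to be one level deep (`experimental/`), so it may work by accident. The subshell that contains this block begins before the hunk.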
@@ -374,9 +369,10 @@ cat << EOF > "$DSTROOT/include/CNIOBoringSSL.h"
 #include "CNIOBoringSSL_hpke.h"
 #include "CNIOBoringSSL_hrss.h"
 #include "CNIOBoringSSL_kdf.h"
-#include "CNIOBoringSSL_kyber.h"
 #include "CNIOBoringSSL_md4.h"
 #include "CNIOBoringSSL_md5.h"
+#include "CNIOBoringSSL_mldsa.h"
+#include "CNIOBoringSSL_mlkem.h"
 #include "CNIOBoringSSL_obj_mac.h"
 #include "CNIOBoringSSL_objects.h"
 #include "CNIOBoringSSL_opensslv.h"
@@ -391,6 +387,7 @@ cat << EOF > "$DSTROOT/include/CNIOBoringSSL.h"
 #include "CNIOBoringSSL_service_indicator.h"
 #include "CNIOBoringSSL_sha.h"
 #include "CNIOBoringSSL_siphash.h"
+#include "CNIOBoringSSL_slhdsa.h"
 #include "CNIOBoringSSL_srtp.h"
 #include "CNIOBoringSSL_ssl.h"
 #include "CNIOBoringSSL_time.h"
@@ -398,9 +395,18 @@ cat << EOF > "$DSTROOT/include/CNIOBoringSSL.h"
 #include "CNIOBoringSSL_type_check.h"
 #include "CNIOBoringSSL_x509_vfy.h"
 #include "CNIOBoringSSL_x509v3.h"
+#include "experimental/CNIOBoringSSL_dilithium.h"
+#include "experimental/CNIOBoringSSL_kyber.h"
+#include "experimental/CNIOBoringSSL_spx.h"
 #endif // C_NIO_BORINGSSL_H
 EOF
+cat << EOF > "$DSTROOT/include/module.modulemap"
+module CNIOBoringSSL {
+ umbrella header "CNIOBoringSSL.h"
+ export *
+}
+EOF
 echo "RECORDING BoringSSL revision"
 $sed -i -e "s/BoringSSL Commit: [0-9a-f]\+/BoringSSL Commit: ${BORINGSSL_REVISION}/" "$HERE/Package"*.swift
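Review bot: The umbrella header now pulls in `experimental/CNIOBoringSSL_dilithium.h`, `experimental/CNIOBoringSSL_kyber.h` and `experimental/CNIOBoringSSL_spx.h` next to the standardized `CNIOBoringSSL_mldsa.h`, `CNIOBoringSSL_mlkem.h` and `CNIOBoringSSL_slhdsa.h`, and the new `module.modulemap` exposes all of them to Swift clients through `umbrella header` plus `export *`. Upstream's `experimental/` directory marks those as pre-standard drafts of the algorithms in the non-experimental headers, so exporting both invites a caller to pick the draft variant over its finalized counterpart. Consider leaving the three `experimental/` includes out of the umbrella header, or if a consumer needs them, precede them in the heredoc with `// experimental: pre-standard drafts; prefer mlkem/mldsa/slhdsa`. The heredoc that writes `CNIOBoringSSL.h` starts before the hunk.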