aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJung-uk Kim <jkim@FreeBSD.org>2020-04-21 19:07:46 +0000
committerJung-uk Kim <jkim@FreeBSD.org>2020-04-21 19:07:46 +0000
commit65aa3028e51cba07879f3dc4608949c5c6b9fcc0 (patch)
tree310ff0dc688f5f84a478a310752abb888ac68e4e
parentb6cfecdc04a5a5e42ae4f2b025d8246cc16f3342 (diff)
downloadsrc-65aa3028e51cba07879f3dc4608949c5c6b9fcc0.tar.gz
src-65aa3028e51cba07879f3dc4608949c5c6b9fcc0.zip
Import OpenSSL 1.1.1g.vendor/openssl/1.1.1g
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=360173 svn path=/vendor-crypto/openssl/1.1.1g/; revision=360174; tag=vendor/openssl/1.1.1g
-rw-r--r--CHANGES21
-rw-r--r--FREEBSD-upgrade2
-rw-r--r--INSTALL6
-rw-r--r--NEWS4
-rw-r--r--README2
-rw-r--r--apps/build.info61
-rw-r--r--apps/dhparam.c63
-rw-r--r--apps/dsa.c55
-rw-r--r--apps/dsaparam.c35
-rw-r--r--apps/ec.c29
-rw-r--r--apps/ecparam.c36
-rw-r--r--apps/engine.c25
-rw-r--r--apps/gendsa.c35
-rw-r--r--apps/genrsa.c45
-rw-r--r--apps/ocsp.c165
-rw-r--r--apps/pkcs12.c54
-rw-r--r--apps/rsa.c59
-rw-r--r--apps/rsautl.c37
-rw-r--r--apps/s_time.c3
-rw-r--r--apps/srp.c41
-rw-r--r--apps/ts.c48
-rw-r--r--crypto/aes/aes_core.c985
-rw-r--r--crypto/aes/aes_local.h3
-rw-r--r--crypto/asn1/asn1_lib.c23
-rw-r--r--crypto/bio/bss_acpt.c13
-rw-r--r--crypto/ec/ec_asn1.c4
-rw-r--r--crypto/ec/ec_lib.c10
-rw-r--r--crypto/ec/ec_mult.c31
-rw-r--r--crypto/ec/ecp_smpl.c309
-rw-r--r--crypto/evp/e_aes.c5
-rw-r--r--crypto/rand/build.info2
-rw-r--r--crypto/rand/drbg_ctr.c27
-rw-r--r--crypto/x509/x509_vfy.c6
-rw-r--r--crypto/x509v3/v3_purp.c14
-rw-r--r--doc/man1/s_time.pod4
-rw-r--r--doc/man3/EVP_aes.pod9
-rw-r--r--doc/man3/RAND_set_rand_method.pod6
-rw-r--r--doc/man3/X509_check_purpose.pod74
-rw-r--r--include/openssl/opensslv.h4
-rw-r--r--ssl/t1_lib.c2
40 files changed, 1741 insertions, 616 deletions
diff --git a/CHANGES b/CHANGES
index f4230aaac031..057405b0bff9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,27 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+ *) Fixed segmentation fault in SSL_check_chain()
+ Server or client applications that call the SSL_check_chain() function
+ during or after a TLS 1.3 handshake may crash due to a NULL pointer
+ dereference as a result of incorrect handling of the
+ "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+ or unrecognised signature algorithm is received from the peer. This could
+ be exploited by a malicious peer in a Denial of Service attack.
+ (CVE-2020-1967)
+ [Benjamin Kaduk]
+
+ *) Added AES consttime code for no-asm configurations
+ an optional constant time support for AES was added
+ when building openssl for no-asm.
+ Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+ Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
+ At this time this feature is by default disabled.
+ It will be enabled by default in 3.0.
+ [Bernd Edlinger]
+
Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
*) Revert the change of EOF detection while reading in libssl to avoid
diff --git a/FREEBSD-upgrade b/FREEBSD-upgrade
index fe4fdb9adb2e..01132629bf21 100644
--- a/FREEBSD-upgrade
+++ b/FREEBSD-upgrade
@@ -11,7 +11,7 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.1.1e
+setenv OSSLVER 1.1.1g
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
diff --git a/INSTALL b/INSTALL
index 328ad2baf480..f5118428b3bc 100644
--- a/INSTALL
+++ b/INSTALL
@@ -535,9 +535,9 @@
conjunction with the "-DPEDANTIC" option (or the
--strict-warnings option).
- no-ui
- Don't build with the "UI" capability (i.e. the set of
- features enabling text based prompts).
+ no-ui-console
+ Don't build with the "UI" console method (i.e. the "UI"
+ method that enables text based console prompts).
enable-unit-test
Enable additional unit test APIs. This should not typically
diff --git a/NEWS b/NEWS
index 85470793b209..455b02dcb264 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
+
+ o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
+
Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
o Revert the unexpected EOF reporting via SSL_ERROR_SSL
diff --git a/README b/README
index d7d44aa3a01b..46c2b537bed4 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1f 31 Mar 2020
+ OpenSSL 1.1.1g 21 Apr 2020
Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/apps/build.info b/apps/build.info
index 751d8da82818..01537361820e 100644
--- a/apps/build.info
+++ b/apps/build.info
@@ -1,16 +1,17 @@
{- our @apps_openssl_src =
qw(openssl.c
- asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c
- dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c
- genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c
- pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c
+ asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
+ enc.c errstr.c
+ genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
+ pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
- srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c);
+ verify.c version.c x509.c rehash.c storeutl.c);
our @apps_lib_src =
( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
split(/\s+/, $target{apps_aux_src}) );
our @apps_init_src = split(/\s+/, $target{apps_init_src});
"" -}
+
IF[{- !$disabled{apps} -}]
LIBS_NO_INST=libapps.a
SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
@@ -21,11 +22,51 @@ IF[{- !$disabled{apps} -}]
SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
INCLUDE[openssl]=.. ../include
DEPEND[openssl]=libapps.a ../libssl
-
-IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
- GENERATE[openssl.rc]=../util/mkrc.pl openssl
- SOURCE[openssl]=openssl.rc
-ENDIF
+ IF[{- !$disabled{'des'} -}]
+ SOURCE[openssl]=pkcs12.c
+ DEPEND[pkcs12.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'ec'} -}]
+ SOURCE[openssl]=ec.c ecparam.c
+ DEPEND[ec.o]=progs.h
+ DEPEND[ecparam.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'ocsp'} -}]
+ SOURCE[openssl]=ocsp.c
+ DEPEND[ocsp.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'srp'} -}]
+ SOURCE[openssl]=srp.c
+ DEPEND[srp.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'ts'} -}]
+ SOURCE[openssl]=ts.c
+ DEPEND[ts.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'dh'} -}]
+ SOURCE[openssl]=dhparam.c
+ DEPEND[dhparam.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'dsa'} -}]
+ SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
+ DEPEND[dsa.o]=progs.h
+ DEPEND[dsaparam.o]=progs.h
+ DEPEND[gendsa.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'engine'} -}]
+ SOURCE[openssl]=engine.c
+ DEPEND[engine.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'rsa'} -}]
+ SOURCE[openssl]=rsa.c rsautl.c genrsa.c
+ DEPEND[rsa.o]=progs.h
+ DEPEND[rsautl.o]=progs.h
+ DEPEND[genrsa.o]=progs.h
+ ENDIF
+ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
+ GENERATE[openssl.rc]=../util/mkrc.pl openssl
+ SOURCE[openssl]=openssl.rc
+ ENDIF
{- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
@apps_openssl_src) -}
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 13f76754d27c..98c73214b53e 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,28 +8,24 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DH
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <time.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dh.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-
-# ifndef OPENSSL_NO_DSA
-# include <openssl/dsa.h>
-# endif
-
-# define DEFBITS 2048
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
+
+#define DEFBITS 2048
static int dh_cb(int p, int n, BN_GENCB *cb);
@@ -56,13 +52,13 @@ const OPTIONS dhparam_options[] = {
{"C", OPT_C, '-', "Print C code"},
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
{"dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -146,13 +142,13 @@ int dhparam_main(int argc, char **argv)
if (g && !num)
num = DEFBITS;
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
if (dsaparam && g) {
BIO_printf(bio_err,
"generator may not be chosen for DSA parameters\n");
goto end;
}
-# endif
+#endif
out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
@@ -173,7 +169,7 @@ int dhparam_main(int argc, char **argv)
BN_GENCB_set(cb, dh_cb, bio_err);
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa = DSA_new();
@@ -196,7 +192,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
} else
-# endif
+#endif
{
dh = DH_new();
BIO_printf(bio_err,
@@ -217,7 +213,7 @@ int dhparam_main(int argc, char **argv)
if (in == NULL)
goto end;
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa;
@@ -239,7 +235,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
} else
-# endif
+#endif
{
if (informat == FORMAT_ASN1) {
/*
@@ -376,4 +372,3 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
-#endif
diff --git a/apps/dsa.c b/apps/dsa.c
index 6022e64cd4ce..c7884df166b7 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,23 +8,19 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/dsa.h>
-# include <openssl/evp.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-# include <openssl/bn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/bn.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -49,14 +45,14 @@ const OPTIONS dsa_options[] = {
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
-# ifndef OPENSSL_NO_RC4
+#ifndef OPENSSL_NO_RC4
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -71,9 +67,9 @@ int dsa_main(int argc, char **argv)
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
-# ifndef OPENSSL_NO_RC4
+#ifndef OPENSSL_NO_RC4
int pvk_encr = 2;
-# endif
+#endif
int private = 0;
prog = opt_init(argc, argv, dsa_options);
@@ -214,7 +210,7 @@ int dsa_main(int argc, char **argv)
i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
NULL, 0, NULL, passout);
}
-# ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_RSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
@@ -229,13 +225,13 @@ int dsa_main(int argc, char **argv)
goto end;
}
assert(private);
-# ifdef OPENSSL_NO_RC4
+# ifdef OPENSSL_NO_RC4
BIO_printf(bio_err, "PVK format not supported\n");
EVP_PKEY_free(pk);
goto end;
-# else
+# else
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
-# endif
+# endif
} else if (pubin || pubout) {
i = i2b_PublicKey_bio(out, pk);
} else {
@@ -243,7 +239,7 @@ int dsa_main(int argc, char **argv)
i = i2b_PrivateKey_bio(out, pk);
}
EVP_PKEY_free(pk);
-# endif
+#endif
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
@@ -262,4 +258,3 @@ int dsa_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
-#endif
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index b227b76a3723..75589ac6bc4e 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,22 +8,18 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <time.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dsa.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
static int dsa_cb(int p, int n, BN_GENCB *cb);
@@ -44,9 +40,9 @@ const OPTIONS dsaparam_options[] = {
{"noout", OPT_NOOUT, '-', "No output"},
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -255,4 +251,3 @@ static int dsa_cb(int p, int n, BN_GENCB *cb)
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
-#endif
diff --git a/apps/ec.c b/apps/ec.c
index 03abb0068337..0c8ed750cc17 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,19 +8,15 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_EC
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/evp.h>
-# include <openssl/pem.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
static OPT_PAIR conv_forms[] = {
{"compressed", POINT_CONVERSION_COMPRESSED},
@@ -62,9 +58,9 @@ const OPTIONS ec_options[] = {
"Specifies the way the ec parameters are encoded"},
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
{"", OPT_CIPHER, '-', "Any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -280,4 +276,3 @@ int ec_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
-#endif
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 917f1a86b2e3..58fbeb95c9ce 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -9,22 +9,18 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_EC
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <time.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/ec.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -55,9 +51,9 @@ const OPTIONS ecparam_options[] = {
"Specifies the way the ec parameters are encoded"},
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -446,5 +442,3 @@ int ecparam_main(int argc, char **argv)
BIO_free_all(out);
return ret;
}
-
-#endif
diff --git a/apps/engine.c b/apps/engine.c
index 83f9588a0ab1..746cace354b2 100644
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,19 +8,15 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_ENGINE
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include "apps.h"
-# include "progs.h"
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <openssl/err.h>
-# include <openssl/engine.h>
-# include <openssl/ssl.h>
-# include <openssl/store.h>
+#include "apps.h"
+#include "progs.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/engine.h>
+#include <openssl/ssl.h>
+#include <openssl/store.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -486,4 +482,3 @@ int engine_main(int argc, char **argv)
BIO_free_all(out);
return ret;
}
-#endif
diff --git a/apps/gendsa.c b/apps/gendsa.c
index 401375420bff..ec57c92a9492 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,22 +8,18 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <string.h>
-# include <sys/types.h>
-# include <sys/stat.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dsa.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -39,9 +35,9 @@ const OPTIONS gendsa_options[] = {
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
OPT_R_OPTIONS,
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -143,4 +139,3 @@ int gendsa_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
-#endif
diff --git a/apps/genrsa.c b/apps/genrsa.c
index c17cd147154e..e34a2f7ab9e8 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,27 +8,23 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_RSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <string.h>
-# include <sys/types.h>
-# include <sys/stat.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/rsa.h>
-# include <openssl/evp.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-# include <openssl/rand.h>
-
-# define DEFBITS 2048
-# define DEFPRIMES 2
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+
+#define DEFBITS 2048
+#define DEFPRIMES 2
static int genrsa_cb(int p, int n, BN_GENCB *cb);
@@ -48,9 +44,9 @@ const OPTIONS genrsa_options[] = {
OPT_R_OPTIONS,
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
{NULL}
};
@@ -198,4 +194,3 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
-#endif
diff --git a/apps/ocsp.c b/apps/ocsp.c
index b85a4d82c1bd..27ec94fa6b8d 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,65 +9,62 @@
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_OCSP
-NON_EMPTY_TRANSLATION_UNIT
-#else
-# ifdef OPENSSL_SYS_VMS
-# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
+#ifdef OPENSSL_SYS_VMS
+# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
* on OpenVMS */
-# endif
+#endif
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
/* Needs to be included before the openssl headers */
-# include "apps.h"
-# include "progs.h"
-# include "internal/sockets.h"
-# include <openssl/e_os2.h>
-# include <openssl/crypto.h>
-# include <openssl/err.h>
-# include <openssl/ssl.h>
-# include <openssl/evp.h>
-# include <openssl/bn.h>
-# include <openssl/x509v3.h>
-# include <openssl/rand.h>
+#include "apps.h"
+#include "progs.h"
+#include "internal/sockets.h"
+#include <openssl/e_os2.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509v3.h>
+#include <openssl/rand.h>
#ifndef HAVE_FORK
-# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
-# define HAVE_FORK 0
-# else
-# define HAVE_FORK 1
-# endif
+#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+#else
+# define HAVE_FORK 1
+#endif
#endif
#if HAVE_FORK
-# undef NO_FORK
+#undef NO_FORK
#else
-# define NO_FORK
+#define NO_FORK
#endif
-# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
+#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
-# define OCSP_DAEMON
-# include <sys/types.h>
-# include <sys/wait.h>
-# include <syslog.h>
-# include <signal.h>
-# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
-# else
-# undef LOG_INFO
-# undef LOG_WARNING
-# undef LOG_ERR
-# define LOG_INFO 0
-# define LOG_WARNING 1
-# define LOG_ERR 2
-# endif
+# define OCSP_DAEMON
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <syslog.h>
+# include <signal.h>
+# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
+#else
+# undef LOG_INFO
+# undef LOG_WARNING
+# undef LOG_ERR
+# define LOG_INFO 0
+# define LOG_WARNING 1
+# define LOG_ERR 2
+#endif
-# if defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
/* not supported */
int setpgid(pid_t pid, pid_t pgid)
{
@@ -80,9 +77,9 @@ pid_t fork(void)
errno = ENOSYS;
return (pid_t) -1;
}
-# endif
+#endif
/* Maximum leeway in validity period: default 5 minutes */
-# define MAX_VALIDITY_PERIOD (5 * 60)
+#define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -109,20 +106,20 @@ static void log_message(int level, const char *fmt, ...);
static char *prog;
static int multi = 0;
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
static int acfd = (int) INVALID_SOCKET;
static int index_changed(CA_DB *);
static void spawn_loop(void);
static int print_syslog(const char *str, size_t len, void *levPtr);
static void socket_timeout(int signum);
-# endif
+#endif
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
-# endif
+#endif
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -160,9 +157,9 @@ const OPTIONS ocsp_options[] = {
"Don't include any certificates in response"},
{"resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID"},
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
-# endif
+#endif
{"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
@@ -511,9 +508,9 @@ int ocsp_main(int argc, char **argv)
trailing_md = 1;
break;
case OPT_MULTI:
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
multi = atoi(opt_arg());
-# endif
+#endif
break;
}
}
@@ -593,7 +590,7 @@ int ocsp_main(int argc, char **argv)
}
}
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (multi && acbio != NULL)
spawn_loop();
if (acbio != NULL && req_timeout > 0)
@@ -606,7 +603,7 @@ int ocsp_main(int argc, char **argv)
redo_accept:
if (acbio != NULL) {
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (index_changed(rdb)) {
CA_DB *newrdb = load_index(ridx_filename, NULL);
@@ -619,7 +616,7 @@ redo_accept:
ridx_filename);
}
}
-# endif
+#endif
req = NULL;
if (!do_responder(&req, &cbio, acbio, req_timeout))
@@ -688,16 +685,16 @@ redo_accept:
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
-# else
+#else
BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported.\n");
goto end;
-# endif
+#endif
} else if (respin != NULL) {
derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
if (derbio == NULL)
@@ -840,7 +837,7 @@ log_message(int level, const char *fmt, ...)
va_list ap;
va_start(ap, fmt);
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (multi) {
char buf[1024];
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
@@ -849,7 +846,7 @@ log_message(int level, const char *fmt, ...)
if (level >= LOG_ERR)
ERR_print_errors_cb(print_syslog, &level);
}
-# endif
+#endif
if (!multi) {
BIO_printf(bio_err, "%s: ", prog);
BIO_vprintf(bio_err, fmt, ap);
@@ -858,7 +855,7 @@ log_message(int level, const char *fmt, ...)
va_end(ap);
}
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
static int print_syslog(const char *str, size_t len, void *levPtr)
{
@@ -1011,7 +1008,7 @@ static void spawn_loop(void)
syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids);
}
-# endif
+#endif
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -1291,11 +1288,11 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
static BIO *init_responder(const char *port)
{
-# ifdef OPENSSL_NO_SOCK
+#ifdef OPENSSL_NO_SOCK
BIO_printf(bio_err,
"Error setting up accept BIO - sockets not supported.\n");
return NULL;
-# else
+#else
BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer());
@@ -1322,10 +1319,10 @@ static BIO *init_responder(const char *port)
BIO_free_all(acbio);
BIO_free(bufbio);
return NULL;
-# endif
+#endif
}
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
/*
* Decode %xx URL-decoding in-place. Ignores mal-formed sequences.
*/
@@ -1349,22 +1346,22 @@ static int urldecode(char *p)
*out = '\0';
return (int)(out - save);
}
-# endif
+#endif
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
static void socket_timeout(int signum)
{
if (acfd != (int)INVALID_SOCKET)
(void)shutdown(acfd, SHUT_RD);
}
-# endif
+#endif
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
int timeout)
{
-# ifdef OPENSSL_NO_SOCK
+#ifdef OPENSSL_NO_SOCK
return 0;
-# else
+#else
int len;
OCSP_REQUEST *req = NULL;
char inbuf[2048], reqbuf[2048];
@@ -1382,12 +1379,12 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
*pcbio = cbio;
client = BIO_get_peer_name(cbio);
-# ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
if (timeout > 0) {
(void) BIO_get_fd(cbio, &acfd);
alarm(timeout);
}
-# endif
+# endif
/* Read the request line. */
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
@@ -1450,11 +1447,11 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
break;
}
-# ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
/* Clear alarm before we close the client socket */
alarm(0);
timeout = 0;
-# endif
+# endif
/* Try to read OCSP request */
if (getbio != NULL) {
@@ -1470,13 +1467,13 @@ static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
*preq = req;
out:
-# ifdef OCSP_DAEMON
+# ifdef OCSP_DAEMON
if (timeout > 0)
alarm(0);
acfd = (int)INVALID_SOCKET;
-# endif
- return 1;
# endif
+ return 1;
+#endif
}
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
@@ -1492,7 +1489,7 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
return 1;
}
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
@@ -1623,6 +1620,4 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
SSL_CTX_free(ctx);
return resp;
}
-# endif
-
#endif
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 3603b60c19b3..8c5d963b8c65 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,25 +8,21 @@
*/
#include <openssl/opensslconf.h>
-#if defined(OPENSSL_NO_DES)
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/crypto.h>
-# include <openssl/err.h>
-# include <openssl/pem.h>
-# include <openssl/pkcs12.h>
-
-# define NOKEYS 0x1
-# define NOCERTS 0x2
-# define INFO 0x4
-# define CLCERTS 0x8
-# define CACERTS 0x10
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs12.h>
+
+#define NOKEYS 0x1
+#define NOCERTS 0x2
+#define INFO 0x4
+#define CLCERTS 0x8
+#define CACERTS 0x10
#define PASSWD_BUF_SIZE 2048
@@ -74,15 +70,15 @@ const OPTIONS pkcs12_options[] = {
{"chain", OPT_CHAIN, '-', "Add certificate chain"},
{"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
{"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"},
-# ifndef OPENSSL_NO_RC2
+#ifndef OPENSSL_NO_RC2
{"descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default RC2-40)"},
{"certpbe", OPT_CERTPBE, 's',
"Certificate PBE algorithm (default RC2-40)"},
-# else
+#else
{"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
{"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
-# endif
+#endif
{"export", OPT_EXPORT, '-', "Output PKCS12 file"},
{"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
{"maciter", OPT_MACITER, '-', "Use MAC iteration"},
@@ -113,9 +109,9 @@ const OPTIONS pkcs12_options[] = {
{"no-CApath", OPT_NOCAPATH, '-',
"Do not load certificates from the default certificates directory"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -126,11 +122,11 @@ int pkcs12_main(int argc, char **argv)
char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
-# ifndef OPENSSL_NO_RC2
+#ifndef OPENSSL_NO_RC2
int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
-# else
+#else
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-# endif
+#endif
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
int ret = 1, macver = 1, add_lmk = 0, private = 0;
int noprompt = 0;
@@ -976,5 +972,3 @@ static int set_pbe(int *ppbe, const char *str)
}
return 1;
}
-
-#endif
diff --git a/apps/rsa.c b/apps/rsa.c
index fdd02dce3241..aeda917cc768 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,23 +8,19 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_RSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/rsa.h>
-# include <openssl/evp.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-# include <openssl/bn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/bn.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -53,14 +49,14 @@ const OPTIONS rsa_options[] = {
{"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
{"check", OPT_CHECK, '-', "Verify key consistency"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
-# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -75,9 +71,9 @@ int rsa_main(int argc, char **argv)
int i, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
-# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
int pvk_encr = 2;
-# endif
+#endif
OPTION_CHOICE o;
prog = opt_init(argc, argv, rsa_options);
@@ -130,9 +126,9 @@ int rsa_main(int argc, char **argv)
case OPT_PVK_STRONG: /* pvk_encr:= 2 */
case OPT_PVK_WEAK: /* pvk_encr:= 1 */
case OPT_PVK_NONE: /* pvk_encr:= 0 */
-# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
pvk_encr = (o - OPT_PVK_NONE);
-# endif
+#endif
break;
case OPT_NOOUT:
noout = 1;
@@ -265,7 +261,7 @@ int rsa_main(int argc, char **argv)
i = PEM_write_bio_RSAPrivateKey(out, rsa,
enc, NULL, 0, NULL, passout);
}
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
@@ -280,13 +276,13 @@ int rsa_main(int argc, char **argv)
goto end;
}
assert(private);
-# ifdef OPENSSL_NO_RC4
+# ifdef OPENSSL_NO_RC4
BIO_printf(bio_err, "PVK format not supported\n");
EVP_PKEY_free(pk);
goto end;
-# else
+# else
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
-# endif
+# endif
} else if (pubin || pubout) {
i = i2b_PublicKey_bio(out, pk);
} else {
@@ -294,7 +290,7 @@ int rsa_main(int argc, char **argv)
i = i2b_PrivateKey_bio(out, pk);
}
EVP_PKEY_free(pk);
-# endif
+#endif
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
@@ -313,4 +309,3 @@ int rsa_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
-#endif
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 5da8504d3c06..0c0fa8eba30a 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,25 +8,21 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_RSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#include "apps.h"
+#include "progs.h"
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/rsa.h>
-# include "apps.h"
-# include "progs.h"
-# include <string.h>
-# include <openssl/err.h>
-# include <openssl/pem.h>
-# include <openssl/rsa.h>
+#define RSA_SIGN 1
+#define RSA_VERIFY 2
+#define RSA_ENCRYPT 3
+#define RSA_DECRYPT 4
-# define RSA_SIGN 1
-# define RSA_VERIFY 2
-# define RSA_ENCRYPT 3
-# define RSA_DECRYPT 4
-
-# define KEY_PRIVKEY 1
-# define KEY_PUBKEY 2
-# define KEY_CERT 3
+#define KEY_PRIVKEY 1
+#define KEY_PUBKEY 2
+#define KEY_CERT 3
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -60,9 +56,9 @@ const OPTIONS rsautl_options[] = {
{"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -279,4 +275,3 @@ int rsautl_main(int argc, char **argv)
OPENSSL_free(passin);
return ret;
}
-#endif
diff --git a/apps/s_time.c b/apps/s_time.c
index 82d40a5a5132..628e65b26e19 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -62,6 +62,7 @@ const OPTIONS s_time_options[] = {
{"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
{"no-CAfile", OPT_NOCAFILE, '-',
"Do not load the default certificates file"},
{"no-CApath", OPT_NOCAPATH, '-',
diff --git a/apps/srp.c b/apps/srp.c
index 689574a4854c..6c5817387973 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -12,28 +12,24 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_SRP
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/conf.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/txt_db.h>
+#include <openssl/buffer.h>
+#include <openssl/srp.h>
+#include "apps.h"
+#include "progs.h"
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <openssl/conf.h>
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/txt_db.h>
-# include <openssl/buffer.h>
-# include <openssl/srp.h>
-# include "apps.h"
-# include "progs.h"
+#define BASE_SECTION "srp"
+#define CONFIG_FILE "openssl.cnf"
-# define BASE_SECTION "srp"
-# define CONFIG_FILE "openssl.cnf"
-
-# define ENV_DATABASE "srpvfile"
-# define ENV_DEFAULT_SRP "default_srp"
+#define ENV_DATABASE "srpvfile"
+#define ENV_DEFAULT_SRP "default_srp"
static int get_index(CA_DB *db, char *id, char type)
{
@@ -212,9 +208,9 @@ const OPTIONS srp_options[] = {
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
OPT_R_OPTIONS,
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -610,4 +606,3 @@ int srp_main(int argc, char **argv)
release_engine(e);
return ret;
}
-#endif
diff --git a/apps/ts.c b/apps/ts.c
index 44a8f75d4a37..66a0c810e0c3 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,29 +8,26 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_TS
-NON_EMPTY_TRANSLATION_UNIT
-#else
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/pem.h>
-# include <openssl/rand.h>
-# include <openssl/ts.h>
-# include <openssl/bn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/ts.h>
+#include <openssl/bn.h>
/* Request nonce length, in bits (must be a multiple of 8). */
-# define NONCE_LENGTH 64
+#define NONCE_LENGTH 64
/* Name of config entry that defines the OID file. */
-# define ENV_OID_FILE "oid_file"
+#define ENV_OID_FILE "oid_file"
/* Is |EXACTLY_ONE| of three pointers set? */
-# define EXACTLY_ONE(a, b, c) \
+#define EXACTLY_ONE(a, b, c) \
(( a && !b && !c) || \
( b && !a && !c) || \
( c && !a && !b))
@@ -114,9 +111,9 @@ const OPTIONS ts_options[] = {
{"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
{"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
{"", OPT_MD, '-', "Any supported digest"},
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-# endif
+#endif
{OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"},
OPT_V_OPTIONS,
{OPT_HELP_STR, 1, '-', "\n"},
@@ -137,11 +134,11 @@ static char* opt_helplist[] = {
" [-signer tsa_cert.pem] [-inkey private_key.pem]",
" [-chain certs_file.pem] [-tspolicy oid]",
" [-in file] [-token_in] [-out file] [-token_out]",
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
" [-text] [-engine id]",
-# else
+#else
" [-text]",
-# endif
+#endif
" or",
"ts -verify -CApath dir -CAfile file.pem -untrusted file.pem",
" [-data file] [-digest hexstring]",
@@ -682,10 +679,10 @@ static TS_RESP *create_response(CONF *conf, const char *section, const char *eng
goto end;
if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
goto end;
-# ifndef OPENSSL_NO_ENGINE
+#ifndef OPENSSL_NO_ENGINE
if (!TS_CONF_set_crypto_device(conf, section, engine))
goto end;
-# endif
+#endif
if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
goto end;
if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
@@ -984,4 +981,3 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx)
{
return ok;
}
-#endif /* ndef OPENSSL_NO_TS */
diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c
index e3e688f528a5..687dd5829baa 100644
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -43,7 +43,988 @@
#include <openssl/aes.h>
#include "aes_local.h"
-#ifndef AES_ASM
+#if defined(OPENSSL_AES_CONST_TIME) && !defined(AES_ASM)
+typedef union {
+ unsigned char b[8];
+ u32 w[2];
+ u64 d;
+} uni;
+
+/*
+ * Compute w := (w * x) mod (x^8 + x^4 + x^3 + x^1 + 1)
+ * Therefore the name "xtime".
+ */
+static void XtimeWord(u32 *w)
+{
+ u32 a, b;
+
+ a = *w;
+ b = a & 0x80808080u;
+ a ^= b;
+ b -= b >> 7;
+ b &= 0x1B1B1B1Bu;
+ b ^= a << 1;
+ *w = b;
+}
+
+static void XtimeLong(u64 *w)
+{
+ u64 a, b;
+
+ a = *w;
+ b = a & 0x8080808080808080uLL;
+ a ^= b;
+ b -= b >> 7;
+ b &= 0x1B1B1B1B1B1B1B1BuLL;
+ b ^= a << 1;
+ *w = b;
+}
+
+/*
+ * This computes w := S * w ^ -1 + c, where c = {01100011}.
+ * Instead of using GF(2^8) mod (x^8+x^4+x^3+x+1} we do the inversion
+ * in GF(GF(GF(2^2)^2)^2) mod (X^2+X+8)
+ * and GF(GF(2^2)^2) mod (X^2+X+2)
+ * and GF(2^2) mod (X^2+X+1)
+ * The first part of the algorithm below transfers the coordinates
+ * {0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80} =>
+ * {1,Y,Y^2,Y^3,Y^4,Y^5,Y^6,Y^7} with Y=0x41:
+ * {0x01,0x41,0x66,0x6c,0x56,0x9a,0x58,0xc4}
+ * The last part undoes the coordinate transfer and the final affine
+ * transformation S:
+ * b[i] = b[i] + b[(i+4)%8] + b[(i+5)%8] + b[(i+6)%8] + b[(i+7)%8] + c[i]
+ * in one step.
+ * The multiplication in GF(2^2^2^2) is done in ordinary coords:
+ * A = (a0*1 + a1*x^4)
+ * B = (b0*1 + b1*x^4)
+ * AB = ((a0*b0 + 8*a1*b1)*1 + (a1*b0 + (a0+a1)*b1)*x^4)
+ * When A = (a0,a1) is given we want to solve AB = 1:
+ * (a) 1 = a0*b0 + 8*a1*b1
+ * (b) 0 = a1*b0 + (a0+a1)*b1
+ * => multiply (a) by a1 and (b) by a0
+ * (c) a1 = a1*a0*b0 + (8*a1*a1)*b1
+ * (d) 0 = a1*a0*b0 + (a0*a0+a1*a0)*b1
+ * => add (c) + (d)
+ * (e) a1 = (a0*a0 + a1*a0 + 8*a1*a1)*b1
+ * => therefore
+ * b1 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * a1
+ * => and adding (a1*b0) to (b) we get
+ * (f) a1*b0 = (a0+a1)*b1
+ * => therefore
+ * b0 = (a0*a0 + a1*a0 + 8*a1*a1)^-1 * (a0+a1)
+ * Note this formula also works for the case
+ * (a0+a1)*a0 + 8*a1*a1 = 0
+ * if the inverse element for 0^-1 is mapped to 0.
+ * Repeat the same for GF(2^2^2) and GF(2^2).
+ * We get the following algorithm:
+ * inv8(a0,a1):
+ * x0 = a0^a1
+ * [y0,y1] = mul4([x0,a1],[a0,a1]); (*)
+ * y1 = mul4(8,y1);
+ * t = inv4(y0^y1);
+ * [b0,b1] = mul4([x0,a1],[t,t]); (*)
+ * return [b0,b1];
+ * The non-linear multiplies (*) can be done in parallel at no extra cost.
+ */
+static void SubWord(u32 *w)
+{
+ u32 x, y, a1, a2, a3, a4, a5, a6;
+
+ x = *w;
+ y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
+ x &= 0xDDDDDDDDu;
+ x ^= y & 0x57575757u;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0x1C1C1C1Cu;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0x4A4A4A4Au;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0x42424242u;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0x64646464u;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0xE0E0E0E0u;
+ a1 = x;
+ a1 ^= (x & 0xF0F0F0F0u) >> 4;
+ a2 = ((x & 0xCCCCCCCCu) >> 2) | ((x & 0x33333333u) << 2);
+ a3 = x & a1;
+ a3 ^= (a3 & 0xAAAAAAAAu) >> 1;
+ a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAu;
+ a4 = a2 & a1;
+ a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
+ a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAu;
+ a5 = (a3 & 0xCCCCCCCCu) >> 2;
+ a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
+ a4 = a5 & 0x22222222u;
+ a4 |= a4 >> 1;
+ a4 ^= (a5 << 1) & 0x22222222u;
+ a3 ^= a4;
+ a5 = a3 & 0xA0A0A0A0u;
+ a5 |= a5 >> 1;
+ a5 ^= (a3 << 1) & 0xA0A0A0A0u;
+ a4 = a5 & 0xC0C0C0C0u;
+ a6 = a4 >> 2;
+ a4 ^= (a5 << 2) & 0xC0C0C0C0u;
+ a5 = a6 & 0x20202020u;
+ a5 |= a5 >> 1;
+ a5 ^= (a6 << 1) & 0x20202020u;
+ a4 |= a5;
+ a3 ^= a4 >> 4;
+ a3 &= 0x0F0F0F0Fu;
+ a2 = a3;
+ a2 ^= (a3 & 0x0C0C0C0Cu) >> 2;
+ a4 = a3 & a2;
+ a4 ^= (a4 & 0x0A0A0A0A0Au) >> 1;
+ a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0Au;
+ a5 = a4 & 0x08080808u;
+ a5 |= a5 >> 1;
+ a5 ^= (a4 << 1) & 0x08080808u;
+ a4 ^= a5 >> 2;
+ a4 &= 0x03030303u;
+ a4 ^= (a4 & 0x02020202u) >> 1;
+ a4 |= a4 << 2;
+ a3 = a2 & a4;
+ a3 ^= (a3 & 0x0A0A0A0Au) >> 1;
+ a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0Au;
+ a3 |= a3 << 4;
+ a2 = ((a1 & 0xCCCCCCCCu) >> 2) | ((a1 & 0x33333333u) << 2);
+ x = a1 & a3;
+ x ^= (x & 0xAAAAAAAAu) >> 1;
+ x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAu;
+ a4 = a2 & a3;
+ a4 ^= (a4 & 0xAAAAAAAAu) >> 1;
+ a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAu;
+ a5 = (x & 0xCCCCCCCCu) >> 2;
+ x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCu;
+ a4 = a5 & 0x22222222u;
+ a4 |= a4 >> 1;
+ a4 ^= (a5 << 1) & 0x22222222u;
+ x ^= a4;
+ y = ((x & 0xFEFEFEFEu) >> 1) | ((x & 0x01010101u) << 7);
+ x &= 0x39393939u;
+ x ^= y & 0x3F3F3F3Fu;
+ y = ((y & 0xFCFCFCFCu) >> 2) | ((y & 0x03030303u) << 6);
+ x ^= y & 0x97979797u;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0x9B9B9B9Bu;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0x3C3C3C3Cu;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0xDDDDDDDDu;
+ y = ((y & 0xFEFEFEFEu) >> 1) | ((y & 0x01010101u) << 7);
+ x ^= y & 0x72727272u;
+ x ^= 0x63636363u;
+ *w = x;
+}
+
+static void SubLong(u64 *w)
+{
+ u64 x, y, a1, a2, a3, a4, a5, a6;
+
+ x = *w;
+ y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
+ x &= 0xDDDDDDDDDDDDDDDDuLL;
+ x ^= y & 0x5757575757575757uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x1C1C1C1C1C1C1C1CuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x4A4A4A4A4A4A4A4AuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x4242424242424242uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x6464646464646464uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0xE0E0E0E0E0E0E0E0uLL;
+ a1 = x;
+ a1 ^= (x & 0xF0F0F0F0F0F0F0F0uLL) >> 4;
+ a2 = ((x & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((x & 0x3333333333333333uLL) << 2);
+ a3 = x & a1;
+ a3 ^= (a3 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a4 = a2 & a1;
+ a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a5 = (a3 & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
+ a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
+ a4 = a5 & 0x2222222222222222uLL;
+ a4 |= a4 >> 1;
+ a4 ^= (a5 << 1) & 0x2222222222222222uLL;
+ a3 ^= a4;
+ a5 = a3 & 0xA0A0A0A0A0A0A0A0uLL;
+ a5 |= a5 >> 1;
+ a5 ^= (a3 << 1) & 0xA0A0A0A0A0A0A0A0uLL;
+ a4 = a5 & 0xC0C0C0C0C0C0C0C0uLL;
+ a6 = a4 >> 2;
+ a4 ^= (a5 << 2) & 0xC0C0C0C0C0C0C0C0uLL;
+ a5 = a6 & 0x2020202020202020uLL;
+ a5 |= a5 >> 1;
+ a5 ^= (a6 << 1) & 0x2020202020202020uLL;
+ a4 |= a5;
+ a3 ^= a4 >> 4;
+ a3 &= 0x0F0F0F0F0F0F0F0FuLL;
+ a2 = a3;
+ a2 ^= (a3 & 0x0C0C0C0C0C0C0C0CuLL) >> 2;
+ a4 = a3 & a2;
+ a4 ^= (a4 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
+ a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0A0A0A0A0AuLL;
+ a5 = a4 & 0x0808080808080808uLL;
+ a5 |= a5 >> 1;
+ a5 ^= (a4 << 1) & 0x0808080808080808uLL;
+ a4 ^= a5 >> 2;
+ a4 &= 0x0303030303030303uLL;
+ a4 ^= (a4 & 0x0202020202020202uLL) >> 1;
+ a4 |= a4 << 2;
+ a3 = a2 & a4;
+ a3 ^= (a3 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
+ a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0A0A0A0A0AuLL;
+ a3 |= a3 << 4;
+ a2 = ((a1 & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((a1 & 0x3333333333333333uLL) << 2);
+ x = a1 & a3;
+ x ^= (x & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a4 = a2 & a3;
+ a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a5 = (x & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
+ x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
+ a4 = a5 & 0x2222222222222222uLL;
+ a4 |= a4 >> 1;
+ a4 ^= (a5 << 1) & 0x2222222222222222uLL;
+ x ^= a4;
+ y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
+ x &= 0x3939393939393939uLL;
+ x ^= y & 0x3F3F3F3F3F3F3F3FuLL;
+ y = ((y & 0xFCFCFCFCFCFCFCFCuLL) >> 2) | ((y & 0x0303030303030303uLL) << 6);
+ x ^= y & 0x9797979797979797uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x9B9B9B9B9B9B9B9BuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x3C3C3C3C3C3C3C3CuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0xDDDDDDDDDDDDDDDDuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x7272727272727272uLL;
+ x ^= 0x6363636363636363uLL;
+ *w = x;
+}
+
+/*
+ * This computes w := (S^-1 * (w + c))^-1
+ */
+static void InvSubLong(u64 *w)
+{
+ u64 x, y, a1, a2, a3, a4, a5, a6;
+
+ x = *w;
+ x ^= 0x6363636363636363uLL;
+ y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
+ x &= 0xFDFDFDFDFDFDFDFDuLL;
+ x ^= y & 0x5E5E5E5E5E5E5E5EuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0xF3F3F3F3F3F3F3F3uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0xF5F5F5F5F5F5F5F5uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x7878787878787878uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x7777777777777777uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x1515151515151515uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0xA5A5A5A5A5A5A5A5uLL;
+ a1 = x;
+ a1 ^= (x & 0xF0F0F0F0F0F0F0F0uLL) >> 4;
+ a2 = ((x & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((x & 0x3333333333333333uLL) << 2);
+ a3 = x & a1;
+ a3 ^= (a3 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ a3 ^= (((x << 1) & a1) ^ ((a1 << 1) & x)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a4 = a2 & a1;
+ a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ a4 ^= (((a2 << 1) & a1) ^ ((a1 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a5 = (a3 & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
+ a3 ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
+ a4 = a5 & 0x2222222222222222uLL;
+ a4 |= a4 >> 1;
+ a4 ^= (a5 << 1) & 0x2222222222222222uLL;
+ a3 ^= a4;
+ a5 = a3 & 0xA0A0A0A0A0A0A0A0uLL;
+ a5 |= a5 >> 1;
+ a5 ^= (a3 << 1) & 0xA0A0A0A0A0A0A0A0uLL;
+ a4 = a5 & 0xC0C0C0C0C0C0C0C0uLL;
+ a6 = a4 >> 2;
+ a4 ^= (a5 << 2) & 0xC0C0C0C0C0C0C0C0uLL;
+ a5 = a6 & 0x2020202020202020uLL;
+ a5 |= a5 >> 1;
+ a5 ^= (a6 << 1) & 0x2020202020202020uLL;
+ a4 |= a5;
+ a3 ^= a4 >> 4;
+ a3 &= 0x0F0F0F0F0F0F0F0FuLL;
+ a2 = a3;
+ a2 ^= (a3 & 0x0C0C0C0C0C0C0C0CuLL) >> 2;
+ a4 = a3 & a2;
+ a4 ^= (a4 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
+ a4 ^= (((a3 << 1) & a2) ^ ((a2 << 1) & a3)) & 0x0A0A0A0A0A0A0A0AuLL;
+ a5 = a4 & 0x0808080808080808uLL;
+ a5 |= a5 >> 1;
+ a5 ^= (a4 << 1) & 0x0808080808080808uLL;
+ a4 ^= a5 >> 2;
+ a4 &= 0x0303030303030303uLL;
+ a4 ^= (a4 & 0x0202020202020202uLL) >> 1;
+ a4 |= a4 << 2;
+ a3 = a2 & a4;
+ a3 ^= (a3 & 0x0A0A0A0A0A0A0A0AuLL) >> 1;
+ a3 ^= (((a2 << 1) & a4) ^ ((a4 << 1) & a2)) & 0x0A0A0A0A0A0A0A0AuLL;
+ a3 |= a3 << 4;
+ a2 = ((a1 & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((a1 & 0x3333333333333333uLL) << 2);
+ x = a1 & a3;
+ x ^= (x & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ x ^= (((a1 << 1) & a3) ^ ((a3 << 1) & a1)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a4 = a2 & a3;
+ a4 ^= (a4 & 0xAAAAAAAAAAAAAAAAuLL) >> 1;
+ a4 ^= (((a2 << 1) & a3) ^ ((a3 << 1) & a2)) & 0xAAAAAAAAAAAAAAAAuLL;
+ a5 = (x & 0xCCCCCCCCCCCCCCCCuLL) >> 2;
+ x ^= ((a4 << 2) ^ a4) & 0xCCCCCCCCCCCCCCCCuLL;
+ a4 = a5 & 0x2222222222222222uLL;
+ a4 |= a4 >> 1;
+ a4 ^= (a5 << 1) & 0x2222222222222222uLL;
+ x ^= a4;
+ y = ((x & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((x & 0x0101010101010101uLL) << 7);
+ x &= 0xB5B5B5B5B5B5B5B5uLL;
+ x ^= y & 0x4040404040404040uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x8080808080808080uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x1616161616161616uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0xEBEBEBEBEBEBEBEBuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x9797979797979797uLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0xFBFBFBFBFBFBFBFBuLL;
+ y = ((y & 0xFEFEFEFEFEFEFEFEuLL) >> 1) | ((y & 0x0101010101010101uLL) << 7);
+ x ^= y & 0x7D7D7D7D7D7D7D7DuLL;
+ *w = x;
+}
+
+static void ShiftRows(u64 *state)
+{
+ unsigned char s[4];
+ unsigned char *s0;
+ int r;
+
+ s0 = (unsigned char *)state;
+ for (r = 0; r < 4; r++) {
+ s[0] = s0[0*4 + r];
+ s[1] = s0[1*4 + r];
+ s[2] = s0[2*4 + r];
+ s[3] = s0[3*4 + r];
+ s0[0*4 + r] = s[(r+0) % 4];
+ s0[1*4 + r] = s[(r+1) % 4];
+ s0[2*4 + r] = s[(r+2) % 4];
+ s0[3*4 + r] = s[(r+3) % 4];
+ }
+}
+
+static void InvShiftRows(u64 *state)
+{
+ unsigned char s[4];
+ unsigned char *s0;
+ int r;
+
+ s0 = (unsigned char *)state;
+ for (r = 0; r < 4; r++) {
+ s[0] = s0[0*4 + r];
+ s[1] = s0[1*4 + r];
+ s[2] = s0[2*4 + r];
+ s[3] = s0[3*4 + r];
+ s0[0*4 + r] = s[(4-r) % 4];
+ s0[1*4 + r] = s[(5-r) % 4];
+ s0[2*4 + r] = s[(6-r) % 4];
+ s0[3*4 + r] = s[(7-r) % 4];
+ }
+}
+
+static void MixColumns(u64 *state)
+{
+ uni s1;
+ uni s;
+ int c;
+
+ for (c = 0; c < 2; c++) {
+ s1.d = state[c];
+ s.d = s1.d;
+ s.d ^= ((s.d & 0xFFFF0000FFFF0000uLL) >> 16)
+ | ((s.d & 0x0000FFFF0000FFFFuLL) << 16);
+ s.d ^= ((s.d & 0xFF00FF00FF00FF00uLL) >> 8)
+ | ((s.d & 0x00FF00FF00FF00FFuLL) << 8);
+ s.d ^= s1.d;
+ XtimeLong(&s1.d);
+ s.d ^= s1.d;
+ s.b[0] ^= s1.b[1];
+ s.b[1] ^= s1.b[2];
+ s.b[2] ^= s1.b[3];
+ s.b[3] ^= s1.b[0];
+ s.b[4] ^= s1.b[5];
+ s.b[5] ^= s1.b[6];
+ s.b[6] ^= s1.b[7];
+ s.b[7] ^= s1.b[4];
+ state[c] = s.d;
+ }
+}
+
+static void InvMixColumns(u64 *state)
+{
+ uni s1;
+ uni s;
+ int c;
+
+ for (c = 0; c < 2; c++) {
+ s1.d = state[c];
+ s.d = s1.d;
+ s.d ^= ((s.d & 0xFFFF0000FFFF0000uLL) >> 16)
+ | ((s.d & 0x0000FFFF0000FFFFuLL) << 16);
+ s.d ^= ((s.d & 0xFF00FF00FF00FF00uLL) >> 8)
+ | ((s.d & 0x00FF00FF00FF00FFuLL) << 8);
+ s.d ^= s1.d;
+ XtimeLong(&s1.d);
+ s.d ^= s1.d;
+ s.b[0] ^= s1.b[1];
+ s.b[1] ^= s1.b[2];
+ s.b[2] ^= s1.b[3];
+ s.b[3] ^= s1.b[0];
+ s.b[4] ^= s1.b[5];
+ s.b[5] ^= s1.b[6];
+ s.b[6] ^= s1.b[7];
+ s.b[7] ^= s1.b[4];
+ XtimeLong(&s1.d);
+ s1.d ^= ((s1.d & 0xFFFF0000FFFF0000uLL) >> 16)
+ | ((s1.d & 0x0000FFFF0000FFFFuLL) << 16);
+ s.d ^= s1.d;
+ XtimeLong(&s1.d);
+ s1.d ^= ((s1.d & 0xFF00FF00FF00FF00uLL) >> 8)
+ | ((s1.d & 0x00FF00FF00FF00FFuLL) << 8);
+ s.d ^= s1.d;
+ state[c] = s.d;
+ }
+}
+
+static void AddRoundKey(u64 *state, const u64 *w)
+{
+ state[0] ^= w[0];
+ state[1] ^= w[1];
+}
+
+static void Cipher(const unsigned char *in, unsigned char *out,
+ const u64 *w, int nr)
+{
+ u64 state[2];
+ int i;
+
+ memcpy(state, in, 16);
+
+ AddRoundKey(state, w);
+
+ for (i = 1; i < nr; i++) {
+ SubLong(&state[0]);
+ SubLong(&state[1]);
+ ShiftRows(state);
+ MixColumns(state);
+ AddRoundKey(state, w + i*2);
+ }
+
+ SubLong(&state[0]);
+ SubLong(&state[1]);
+ ShiftRows(state);
+ AddRoundKey(state, w + nr*2);
+
+ memcpy(out, state, 16);
+}
+
+static void InvCipher(const unsigned char *in, unsigned char *out,
+ const u64 *w, int nr)
+
+{
+ u64 state[2];
+ int i;
+
+ memcpy(state, in, 16);
+
+ AddRoundKey(state, w + nr*2);
+
+ for (i = nr - 1; i > 0; i--) {
+ InvShiftRows(state);
+ InvSubLong(&state[0]);
+ InvSubLong(&state[1]);
+ AddRoundKey(state, w + i*2);
+ InvMixColumns(state);
+ }
+
+ InvShiftRows(state);
+ InvSubLong(&state[0]);
+ InvSubLong(&state[1]);
+ AddRoundKey(state, w);
+
+ memcpy(out, state, 16);
+}
+
+static void RotWord(u32 *x)
+{
+ unsigned char *w0;
+ unsigned char tmp;
+
+ w0 = (unsigned char *)x;
+ tmp = w0[0];
+ w0[0] = w0[1];
+ w0[1] = w0[2];
+ w0[2] = w0[3];
+ w0[3] = tmp;
+}
+
+static void KeyExpansion(const unsigned char *key, u64 *w,
+ int nr, int nk)
+{
+ u32 rcon;
+ uni prev;
+ u32 temp;
+ int i, n;
+
+ memcpy(w, key, nk*4);
+ memcpy(&rcon, "\1\0\0\0", 4);
+ n = nk/2;
+ prev.d = w[n-1];
+ for (i = n; i < (nr+1)*2; i++) {
+ temp = prev.w[1];
+ if (i % n == 0) {
+ RotWord(&temp);
+ SubWord(&temp);
+ temp ^= rcon;
+ XtimeWord(&rcon);
+ } else if (nk > 6 && i % n == 2) {
+ SubWord(&temp);
+ }
+ prev.d = w[i-n];
+ prev.w[0] ^= temp;
+ prev.w[1] ^= prev.w[0];
+ w[i] = prev.d;
+ }
+}
+
+/**
+ * Expand the cipher key into the encryption key schedule.
+ */
+int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+{
+ u64 *rk;
+
+ if (!userKey || !key)
+ return -1;
+ if (bits != 128 && bits != 192 && bits != 256)
+ return -2;
+
+ rk = (u64*)key->rd_key;
+
+ if (bits == 128)
+ key->rounds = 10;
+ else if (bits == 192)
+ key->rounds = 12;
+ else
+ key->rounds = 14;
+
+ KeyExpansion(userKey, rk, key->rounds, bits/32);
+ return 0;
+}
+
+/**
+ * Expand the cipher key into the decryption key schedule.
+ */
+int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
+ AES_KEY *key)
+{
+ return AES_set_encrypt_key(userKey, bits, key);
+}
+
+/*
+ * Encrypt a single block
+ * in and out can overlap
+ */
+void AES_encrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key)
+{
+ const u64 *rk;
+
+ assert(in && out && key);
+ rk = (u64*)key->rd_key;
+
+ Cipher(in, out, rk, key->rounds);
+}
+
+/*
+ * Decrypt a single block
+ * in and out can overlap
+ */
+void AES_decrypt(const unsigned char *in, unsigned char *out,
+ const AES_KEY *key)
+{
+ const u64 *rk;
+
+ assert(in && out && key);
+ rk = (u64*)key->rd_key;
+
+ InvCipher(in, out, rk, key->rounds);
+}
+
+# ifndef OPENSSL_SMALL_FOOTPRINT
+void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key,
+ const unsigned char *ivec);
+
+static void RawToBits(const u8 raw[64], u64 bits[8])
+{
+ int i, j;
+ u64 in, out;
+
+ memset(bits, 0, 64);
+ for (i = 0; i < 8; i++) {
+ in = 0;
+ for (j = 0; j < 8; j++)
+ in |= ((u64)raw[i * 8 + j]) << (8 * j);
+ out = in & 0xF0F0F0F00F0F0F0FuLL;
+ out |= (in & 0x0F0F0F0F00000000uLL) >> 28;
+ out |= (in & 0x00000000F0F0F0F0uLL) << 28;
+ in = out & 0xCCCC3333CCCC3333uLL;
+ in |= (out & 0x3333000033330000uLL) >> 14;
+ in |= (out & 0x0000CCCC0000CCCCuLL) << 14;
+ out = in & 0xAA55AA55AA55AA55uLL;
+ out |= (in & 0x5500550055005500uLL) >> 7;
+ out |= (in & 0x00AA00AA00AA00AAuLL) << 7;
+ for (j = 0; j < 8; j++) {
+ bits[j] |= (out & 0xFFuLL) << (8 * i);
+ out = out >> 8;
+ }
+ }
+}
+
+static void BitsToRaw(const u64 bits[8], u8 raw[64])
+{
+ int i, j;
+ u64 in, out;
+
+ for (i = 0; i < 8; i++) {
+ in = 0;
+ for (j = 0; j < 8; j++)
+ in |= ((bits[j] >> (8 * i)) & 0xFFuLL) << (8 * j);
+ out = in & 0xF0F0F0F00F0F0F0FuLL;
+ out |= (in & 0x0F0F0F0F00000000uLL) >> 28;
+ out |= (in & 0x00000000F0F0F0F0uLL) << 28;
+ in = out & 0xCCCC3333CCCC3333uLL;
+ in |= (out & 0x3333000033330000uLL) >> 14;
+ in |= (out & 0x0000CCCC0000CCCCuLL) << 14;
+ out = in & 0xAA55AA55AA55AA55uLL;
+ out |= (in & 0x5500550055005500uLL) >> 7;
+ out |= (in & 0x00AA00AA00AA00AAuLL) << 7;
+ for (j = 0; j < 8; j++) {
+ raw[i * 8 + j] = (u8)out;
+ out = out >> 8;
+ }
+ }
+}
+
+static void BitsXtime(u64 state[8])
+{
+ u64 b;
+
+ b = state[7];
+ state[7] = state[6];
+ state[6] = state[5];
+ state[5] = state[4];
+ state[4] = state[3] ^ b;
+ state[3] = state[2] ^ b;
+ state[2] = state[1];
+ state[1] = state[0] ^ b;
+ state[0] = b;
+}
+
+/*
+ * This S-box implementation follows a circuit described in
+ * Boyar and Peralta: "A new combinational logic minimization
+ * technique with applications to cryptology."
+ * https://eprint.iacr.org/2009/191.pdf
+ *
+ * The math is similar to above, in that it uses
+ * a tower field of GF(2^2^2^2) but with a different
+ * basis representation, that is better suited to
+ * logic designs.
+ */
+static void BitsSub(u64 state[8])
+{
+ u64 x0, x1, x2, x3, x4, x5, x6, x7;
+ u64 y1, y2, y3, y4, y5, y6, y7, y8, y9, y10, y11;
+ u64 y12, y13, y14, y15, y16, y17, y18, y19, y20, y21;
+ u64 t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11;
+ u64 t12, t13, t14, t15, t16, t17, t18, t19, t20, t21;
+ u64 t22, t23, t24, t25, t26, t27, t28, t29, t30, t31;
+ u64 t32, t33, t34, t35, t36, t37, t38, t39, t40, t41;
+ u64 t42, t43, t44, t45, t46, t47, t48, t49, t50, t51;
+ u64 t52, t53, t54, t55, t56, t57, t58, t59, t60, t61;
+ u64 t62, t63, t64, t65, t66, t67;
+ u64 z0, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10, z11;
+ u64 z12, z13, z14, z15, z16, z17;
+ u64 s0, s1, s2, s3, s4, s5, s6, s7;
+
+ x7 = state[0];
+ x6 = state[1];
+ x5 = state[2];
+ x4 = state[3];
+ x3 = state[4];
+ x2 = state[5];
+ x1 = state[6];
+ x0 = state[7];
+ y14 = x3 ^ x5;
+ y13 = x0 ^ x6;
+ y9 = x0 ^ x3;
+ y8 = x0 ^ x5;
+ t0 = x1 ^ x2;
+ y1 = t0 ^ x7;
+ y4 = y1 ^ x3;
+ y12 = y13 ^ y14;
+ y2 = y1 ^ x0;
+ y5 = y1 ^ x6;
+ y3 = y5 ^ y8;
+ t1 = x4 ^ y12;
+ y15 = t1 ^ x5;
+ y20 = t1 ^ x1;
+ y6 = y15 ^ x7;
+ y10 = y15 ^ t0;
+ y11 = y20 ^ y9;
+ y7 = x7 ^ y11;
+ y17 = y10 ^ y11;
+ y19 = y10 ^ y8;
+ y16 = t0 ^ y11;
+ y21 = y13 ^ y16;
+ y18 = x0 ^ y16;
+ t2 = y12 & y15;
+ t3 = y3 & y6;
+ t4 = t3 ^ t2;
+ t5 = y4 & x7;
+ t6 = t5 ^ t2;
+ t7 = y13 & y16;
+ t8 = y5 & y1;
+ t9 = t8 ^ t7;
+ t10 = y2 & y7;
+ t11 = t10 ^ t7;
+ t12 = y9 & y11;
+ t13 = y14 & y17;
+ t14 = t13 ^ t12;
+ t15 = y8 & y10;
+ t16 = t15 ^ t12;
+ t17 = t4 ^ t14;
+ t18 = t6 ^ t16;
+ t19 = t9 ^ t14;
+ t20 = t11 ^ t16;
+ t21 = t17 ^ y20;
+ t22 = t18 ^ y19;
+ t23 = t19 ^ y21;
+ t24 = t20 ^ y18;
+ t25 = t21 ^ t22;
+ t26 = t21 & t23;
+ t27 = t24 ^ t26;
+ t28 = t25 & t27;
+ t29 = t28 ^ t22;
+ t30 = t23 ^ t24;
+ t31 = t22 ^ t26;
+ t32 = t31 & t30;
+ t33 = t32 ^ t24;
+ t34 = t23 ^ t33;
+ t35 = t27 ^ t33;
+ t36 = t24 & t35;
+ t37 = t36 ^ t34;
+ t38 = t27 ^ t36;
+ t39 = t29 & t38;
+ t40 = t25 ^ t39;
+ t41 = t40 ^ t37;
+ t42 = t29 ^ t33;
+ t43 = t29 ^ t40;
+ t44 = t33 ^ t37;
+ t45 = t42 ^ t41;
+ z0 = t44 & y15;
+ z1 = t37 & y6;
+ z2 = t33 & x7;
+ z3 = t43 & y16;
+ z4 = t40 & y1;
+ z5 = t29 & y7;
+ z6 = t42 & y11;
+ z7 = t45 & y17;
+ z8 = t41 & y10;
+ z9 = t44 & y12;
+ z10 = t37 & y3;
+ z11 = t33 & y4;
+ z12 = t43 & y13;
+ z13 = t40 & y5;
+ z14 = t29 & y2;
+ z15 = t42 & y9;
+ z16 = t45 & y14;
+ z17 = t41 & y8;
+ t46 = z15 ^ z16;
+ t47 = z10 ^ z11;
+ t48 = z5 ^ z13;
+ t49 = z9 ^ z10;
+ t50 = z2 ^ z12;
+ t51 = z2 ^ z5;
+ t52 = z7 ^ z8;
+ t53 = z0 ^ z3;
+ t54 = z6 ^ z7;
+ t55 = z16 ^ z17;
+ t56 = z12 ^ t48;
+ t57 = t50 ^ t53;
+ t58 = z4 ^ t46;
+ t59 = z3 ^ t54;
+ t60 = t46 ^ t57;
+ t61 = z14 ^ t57;
+ t62 = t52 ^ t58;
+ t63 = t49 ^ t58;
+ t64 = z4 ^ t59;
+ t65 = t61 ^ t62;
+ t66 = z1 ^ t63;
+ s0 = t59 ^ t63;
+ s6 = ~(t56 ^ t62);
+ s7 = ~(t48 ^ t60);
+ t67 = t64 ^ t65;
+ s3 = t53 ^ t66;
+ s4 = t51 ^ t66;
+ s5 = t47 ^ t65;
+ s1 = ~(t64 ^ s3);
+ s2 = ~(t55 ^ t67);
+ state[0] = s7;
+ state[1] = s6;
+ state[2] = s5;
+ state[3] = s4;
+ state[4] = s3;
+ state[5] = s2;
+ state[6] = s1;
+ state[7] = s0;
+}
+
+static void BitsShiftRows(u64 state[8])
+{
+ u64 s, s0;
+ int i;
+
+ for (i = 0; i < 8; i++) {
+ s = state[i];
+ s0 = s & 0x1111111111111111uLL;
+ s0 |= ((s & 0x2220222022202220uLL) >> 4) | ((s & 0x0002000200020002uLL) << 12);
+ s0 |= ((s & 0x4400440044004400uLL) >> 8) | ((s & 0x0044004400440044uLL) << 8);
+ s0 |= ((s & 0x8000800080008000uLL) >> 12) | ((s & 0x0888088808880888uLL) << 4);
+ state[i] = s0;
+ }
+}
+
+static void BitsMixColumns(u64 state[8])
+{
+ u64 s1, s;
+ u64 s0[8];
+ int i;
+
+ for (i = 0; i < 8; i++) {
+ s1 = state[i];
+ s = s1;
+ s ^= ((s & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((s & 0x3333333333333333uLL) << 2);
+ s ^= ((s & 0xAAAAAAAAAAAAAAAAuLL) >> 1) | ((s & 0x5555555555555555uLL) << 1);
+ s ^= s1;
+ s0[i] = s;
+ }
+ BitsXtime(state);
+ for (i = 0; i < 8; i++) {
+ s1 = state[i];
+ s = s0[i];
+ s ^= s1;
+ s ^= ((s1 & 0xEEEEEEEEEEEEEEEEuLL) >> 1) | ((s1 & 0x1111111111111111uLL) << 3);
+ state[i] = s;
+ }
+}
+
+static void BitsAddRoundKey(u64 state[8], const u64 key[8])
+{
+ int i;
+
+ for (i = 0; i < 8; i++)
+ state[i] ^= key[i];
+}
+
+void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
+ size_t blocks, const AES_KEY *key,
+ const unsigned char *ivec)
+{
+ struct {
+ u8 cipher[64];
+ u64 state[8];
+ u64 rd_key[AES_MAXNR + 1][8];
+ } *bs;
+ u32 ctr32;
+ int i;
+
+ ctr32 = GETU32(ivec + 12);
+ if (blocks >= 4
+ && (bs = OPENSSL_malloc(sizeof(*bs)))) {
+ for (i = 0; i < key->rounds + 1; i++) {
+ memcpy(bs->cipher + 0, &key->rd_key[4 * i], 16);
+ memcpy(bs->cipher + 16, bs->cipher, 16);
+ memcpy(bs->cipher + 32, bs->cipher, 32);
+ RawToBits(bs->cipher, bs->rd_key[i]);
+ }
+ while (blocks) {
+ memcpy(bs->cipher, ivec, 12);
+ PUTU32(bs->cipher + 12, ctr32);
+ ctr32++;
+ memcpy(bs->cipher + 16, ivec, 12);
+ PUTU32(bs->cipher + 28, ctr32);
+ ctr32++;
+ memcpy(bs->cipher + 32, ivec, 12);
+ PUTU32(bs->cipher + 44, ctr32);
+ ctr32++;
+ memcpy(bs->cipher + 48, ivec, 12);
+ PUTU32(bs->cipher + 60, ctr32);
+ ctr32++;
+ RawToBits(bs->cipher, bs->state);
+ BitsAddRoundKey(bs->state, bs->rd_key[0]);
+ for (i = 1; i < key->rounds; i++) {
+ BitsSub(bs->state);
+ BitsShiftRows(bs->state);
+ BitsMixColumns(bs->state);
+ BitsAddRoundKey(bs->state, bs->rd_key[i]);
+ }
+ BitsSub(bs->state);
+ BitsShiftRows(bs->state);
+ BitsAddRoundKey(bs->state, bs->rd_key[key->rounds]);
+ BitsToRaw(bs->state, bs->cipher);
+ for (i = 0; i < 64 && blocks; i++) {
+ out[i] = in[i] ^ bs->cipher[i];
+ if ((i & 15) == 15)
+ blocks--;
+ }
+ in += i;
+ out += i;
+ }
+ OPENSSL_clear_free(bs, sizeof(*bs));
+ } else {
+ unsigned char cipher[16];
+
+ while (blocks) {
+ memcpy(cipher, ivec, 12);
+ PUTU32(cipher + 12, ctr32);
+ AES_encrypt(cipher, cipher, key);
+ for (i = 0; i < 16; i++)
+ out[i] = in[i] ^ cipher[i];
+ in += 16;
+ out += 16;
+ ctr32++;
+ blocks--;
+ }
+ }
+}
+# endif
+#elif !defined(AES_ASM)
/*-
Te0[x] = S [x].[02, 01, 01, 03];
Te1[x] = S [x].[03, 02, 01, 01];
diff --git a/crypto/aes/aes_local.h b/crypto/aes/aes_local.h
index cc8456861d92..a9c0059e52cc 100644
--- a/crypto/aes/aes_local.h
+++ b/crypto/aes/aes_local.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -24,6 +24,7 @@
# define PUTU32(ct, st) { (ct)[0] = (u8)((st) >> 24); (ct)[1] = (u8)((st) >> 16); (ct)[2] = (u8)((st) >> 8); (ct)[3] = (u8)(st); }
# endif
+typedef unsigned long long u64;
# ifdef AES_LONG
typedef unsigned long u32;
# else
diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c
index a7d32ae5e2c3..366afc5f6c6b 100644
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -268,18 +268,29 @@ ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str)
return ret;
}
-int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len)
+int ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len_in)
{
unsigned char *c;
const char *data = _data;
+ size_t len;
- if (len < 0) {
+ if (len_in < 0) {
if (data == NULL)
return 0;
- else
- len = strlen(data);
+ len = strlen(data);
+ } else {
+ len = (size_t)len_in;
+ }
+ /*
+ * Verify that the length fits within an integer for assignment to
+ * str->length below. The additional 1 is subtracted to allow for the
+ * '\0' terminator even though this isn't strictly necessary.
+ */
+ if (len > INT_MAX - 1) {
+ ASN1err(0, ASN1_R_TOO_LARGE);
+ return 0;
}
- if ((str->length <= len) || (str->data == NULL)) {
+ if ((size_t)str->length <= len || str->data == NULL) {
c = str->data;
str->data = OPENSSL_realloc(c, len + 1);
if (str->data == NULL) {
diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c
index b38e47a592f4..5a2cb50dfc39 100644
--- a/crypto/bio/bss_acpt.c
+++ b/crypto/bio/bss_acpt.c
@@ -222,10 +222,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c)
break;
case ACPT_S_CREATE_SOCKET:
- ret = BIO_socket(BIO_ADDRINFO_family(c->addr_iter),
- BIO_ADDRINFO_socktype(c->addr_iter),
- BIO_ADDRINFO_protocol(c->addr_iter), 0);
- if (ret == (int)INVALID_SOCKET) {
+ s = BIO_socket(BIO_ADDRINFO_family(c->addr_iter),
+ BIO_ADDRINFO_socktype(c->addr_iter),
+ BIO_ADDRINFO_protocol(c->addr_iter), 0);
+ if (s == (int)INVALID_SOCKET) {
SYSerr(SYS_F_SOCKET, get_last_socket_error());
ERR_add_error_data(4,
"hostname=", c->param_addr,
@@ -233,9 +233,10 @@ static int acpt_state(BIO *b, BIO_ACCEPT *c)
BIOerr(BIO_F_ACPT_STATE, BIO_R_UNABLE_TO_CREATE_SOCKET);
goto exit_loop;
}
- c->accept_sock = ret;
- b->num = ret;
+ c->accept_sock = s;
+ b->num = s;
c->state = ACPT_S_LISTEN;
+ s = -1;
break;
case ACPT_S_LISTEN:
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 336afc989d30..006f9a5dea17 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1297,5 +1297,7 @@ int ECDSA_size(const EC_KEY *r)
i = i2d_ASN1_INTEGER(&bs, NULL);
i += i; /* r and s */
ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE);
+ if (ret < 0)
+ return 0;
return ret;
}
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 3554ada82797..6832383cad51 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -1007,14 +1007,14 @@ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
size_t i = 0;
BN_CTX *new_ctx = NULL;
- if ((scalar == NULL) && (num == 0)) {
- return EC_POINT_set_to_infinity(group, r);
- }
-
if (!ec_point_is_compat(r, group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
return 0;
}
+
+ if (scalar == NULL && num == 0)
+ return EC_POINT_set_to_infinity(group, r);
+
for (i = 0; i < num; i++) {
if (!ec_point_is_compat(points[i], group)) {
ECerr(EC_F_EC_POINTS_MUL, EC_R_INCOMPATIBLE_OBJECTS);
diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
index 7980a6728288..9a1e3974ed9e 100644
--- a/crypto/ec/ec_mult.c
+++ b/crypto/ec/ec_mult.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -260,17 +260,10 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
goto err;
}
- /*-
- * Apply coordinate blinding for EC_POINT.
- *
- * The underlying EC_METHOD can optionally implement this function:
- * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
- * success or if coordinate blinding is not implemented for this
- * group.
- */
- if (!ec_point_blind_coordinates(group, p, ctx)) {
- ECerr(EC_F_EC_SCALAR_MUL_LADDER, EC_R_POINT_COORDINATES_BLIND_FAILURE);
- goto err;
+ /* ensure input point is in affine coords for ladder step efficiency */
+ if (!p->Z_is_one && !EC_POINT_make_affine(group, p, ctx)) {
+ ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_EC_LIB);
+ goto err;
}
/* Initialize the Montgomery ladder */
@@ -747,6 +740,20 @@ int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
if (r_is_at_infinity) {
if (!EC_POINT_copy(r, val_sub[i][digit >> 1]))
goto err;
+
+ /*-
+ * Apply coordinate blinding for EC_POINT.
+ *
+ * The underlying EC_METHOD can optionally implement this function:
+ * ec_point_blind_coordinates() returns 0 in case of errors or 1 on
+ * success or if coordinate blinding is not implemented for this
+ * group.
+ */
+ if (!ec_point_blind_coordinates(group, r, ctx)) {
+ ECerr(EC_F_EC_WNAF_MUL, EC_R_POINT_COORDINATES_BLIND_FAILURE);
+ goto err;
+ }
+
r_is_at_infinity = 0;
} else {
if (!EC_POINT_add
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
index b354bfe9ce9e..b3110ec89dbe 100644
--- a/crypto/ec/ecp_smpl.c
+++ b/crypto/ec/ecp_smpl.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -1372,6 +1372,7 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
* Computes the multiplicative inverse of a in GF(p), storing the result in r.
* If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
* Since we don't have a Mont structure here, SCA hardening is with blinding.
+ * NB: "a" must be in _decoded_ form. (i.e. field_decode must precede.)
*/
int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
BN_CTX *ctx)
@@ -1431,112 +1432,133 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
temp = BN_CTX_get(ctx);
if (temp == NULL) {
ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_MALLOC_FAILURE);
- goto err;
+ goto end;
}
- /* make sure lambda is not zero */
+ /*-
+ * Make sure lambda is not zero.
+ * If the RNG fails, we cannot blind but nevertheless want
+ * code to continue smoothly and not clobber the error stack.
+ */
do {
- if (!BN_priv_rand_range(lambda, group->field)) {
- ECerr(EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, ERR_R_BN_LIB);
- goto err;
+ ERR_set_mark();
+ ret = BN_priv_rand_range(lambda, group->field);
+ ERR_pop_to_mark();
+ if (ret == 0) {
+ ret = 1;
+ goto end;
}
} while (BN_is_zero(lambda));
/* if field_encode defined convert between representations */
- if (group->meth->field_encode != NULL
- && !group->meth->field_encode(group, lambda, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Z, p->Z, lambda, ctx))
- goto err;
- if (!group->meth->field_sqr(group, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->X, p->X, temp, ctx))
- goto err;
- if (!group->meth->field_mul(group, temp, temp, lambda, ctx))
- goto err;
- if (!group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
- goto err;
- p->Z_is_one = 0;
+ if ((group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, lambda, lambda, ctx))
+ || !group->meth->field_mul(group, p->Z, p->Z, lambda, ctx)
+ || !group->meth->field_sqr(group, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->X, p->X, temp, ctx)
+ || !group->meth->field_mul(group, temp, temp, lambda, ctx)
+ || !group->meth->field_mul(group, p->Y, p->Y, temp, ctx))
+ goto end;
+ p->Z_is_one = 0;
ret = 1;
- err:
+ end:
BN_CTX_end(ctx);
return ret;
}
/*-
- * Set s := p, r := 2p.
+ * Input:
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := p, r := 2p: blinded projective (homogeneous) coordinates
*
* For doubling we use Formula 3 from Izu-Takagi "A fast parallel elliptic curve
- * multiplication resistant against side channel attacks" appendix, as described
- * at
+ * multiplication resistant against side channel attacks" appendix, described at
* https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
+ * simplified for Z1=1.
*
- * The input point p will be in randomized Jacobian projective coords:
- * x = X/Z**2, y=Y/Z**3
- *
- * The output points p, s, and r are converted to standard (homogeneous)
- * projective coords:
- * x = X/Z, y=Y/Z
+ * Blinding uses the equivalence relation (\lambda X, \lambda Y, \lambda Z)
+ * for any non-zero \lambda that holds for projective (homogeneous) coords.
*/
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
- BIGNUM *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
+ BIGNUM *t1, *t2, *t3, *t4, *t5 = NULL;
- t1 = r->Z;
- t2 = r->Y;
+ t1 = s->Z;
+ t2 = r->Z;
t3 = s->X;
t4 = r->X;
t5 = s->Y;
- t6 = s->Z;
-
- /* convert p: (X,Y,Z) -> (XZ,Y,Z**3) */
- if (!group->meth->field_mul(group, p->X, p->X, p->Z, ctx)
- || !group->meth->field_sqr(group, t1, p->Z, ctx)
- || !group->meth->field_mul(group, p->Z, p->Z, t1, ctx)
- /* r := 2p */
- || !group->meth->field_sqr(group, t2, p->X, ctx)
- || !group->meth->field_sqr(group, t3, p->Z, ctx)
- || !group->meth->field_mul(group, t4, t3, group->a, ctx)
- || !BN_mod_sub_quick(t5, t2, t4, group->field)
- || !BN_mod_add_quick(t2, t2, t4, group->field)
- || !group->meth->field_sqr(group, t5, t5, ctx)
- || !group->meth->field_mul(group, t6, t3, group->b, ctx)
- || !group->meth->field_mul(group, t1, p->X, p->Z, ctx)
- || !group->meth->field_mul(group, t4, t1, t6, ctx)
- || !BN_mod_lshift_quick(t4, t4, 3, group->field)
+
+ if (!p->Z_is_one /* r := 2p */
+ || !group->meth->field_sqr(group, t3, p->X, ctx)
+ || !BN_mod_sub_quick(t4, t3, group->a, group->field)
+ || !group->meth->field_sqr(group, t4, t4, ctx)
+ || !group->meth->field_mul(group, t5, p->X, group->b, ctx)
+ || !BN_mod_lshift_quick(t5, t5, 3, group->field)
/* r->X coord output */
- || !BN_mod_sub_quick(r->X, t5, t4, group->field)
- || !group->meth->field_mul(group, t1, t1, t2, ctx)
- || !group->meth->field_mul(group, t2, t3, t6, ctx)
- || !BN_mod_add_quick(t1, t1, t2, group->field)
+ || !BN_mod_sub_quick(r->X, t4, t5, group->field)
+ || !BN_mod_add_quick(t1, t3, group->a, group->field)
+ || !group->meth->field_mul(group, t2, p->X, t1, ctx)
+ || !BN_mod_add_quick(t2, group->b, t2, group->field)
/* r->Z coord output */
- || !BN_mod_lshift_quick(r->Z, t1, 2, group->field)
- || !EC_POINT_copy(s, p))
+ || !BN_mod_lshift_quick(r->Z, t2, 2, group->field))
+ return 0;
+
+ /* make sure lambda (r->Y here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(r->Y, group->field))
+ return 0;
+ } while (BN_is_zero(r->Y));
+
+ /* make sure lambda (s->Z here for storage) is not zero */
+ do {
+ if (!BN_priv_rand_range(s->Z, group->field))
+ return 0;
+ } while (BN_is_zero(s->Z));
+
+ /* if field_encode defined convert between representations */
+ if (group->meth->field_encode != NULL
+ && (!group->meth->field_encode(group, r->Y, r->Y, ctx)
+ || !group->meth->field_encode(group, s->Z, s->Z, ctx)))
+ return 0;
+
+ /* blind r and s independently */
+ if (!group->meth->field_mul(group, r->Z, r->Z, r->Y, ctx)
+ || !group->meth->field_mul(group, r->X, r->X, r->Y, ctx)
+ || !group->meth->field_mul(group, s->X, p->X, s->Z, ctx)) /* s := p */
return 0;
r->Z_is_one = 0;
s->Z_is_one = 0;
- p->Z_is_one = 0;
return 1;
}
/*-
- * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - s := r + s, r := 2r: projective (homogeneous) coordinates
+ *
+ * Differential addition-and-doubling using Eq. (9) and (10) from Izu-Takagi
* "A fast parallel elliptic curve multiplication resistant against side channel
* attacks", as described at
- * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
+ * https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-mladd-2002-it-4
*/
int ec_GFp_simple_ladder_step(const EC_GROUP *group,
EC_POINT *r, EC_POINT *s,
EC_POINT *p, BN_CTX *ctx)
{
int ret = 0;
- BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6, *t7 = NULL;
+ BIGNUM *t0, *t1, *t2, *t3, *t4, *t5, *t6 = NULL;
BN_CTX_start(ctx);
t0 = BN_CTX_get(ctx);
@@ -1546,50 +1568,47 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
t4 = BN_CTX_get(ctx);
t5 = BN_CTX_get(ctx);
t6 = BN_CTX_get(ctx);
- t7 = BN_CTX_get(ctx);
- if (t7 == NULL
- || !group->meth->field_mul(group, t0, r->X, s->X, ctx)
- || !group->meth->field_mul(group, t1, r->Z, s->Z, ctx)
- || !group->meth->field_mul(group, t2, r->X, s->Z, ctx)
+ if (t6 == NULL
+ || !group->meth->field_mul(group, t6, r->X, s->X, ctx)
+ || !group->meth->field_mul(group, t0, r->Z, s->Z, ctx)
+ || !group->meth->field_mul(group, t4, r->X, s->Z, ctx)
|| !group->meth->field_mul(group, t3, r->Z, s->X, ctx)
- || !group->meth->field_mul(group, t4, group->a, t1, ctx)
- || !BN_mod_add_quick(t0, t0, t4, group->field)
- || !BN_mod_add_quick(t4, t3, t2, group->field)
- || !group->meth->field_mul(group, t0, t4, t0, ctx)
- || !group->meth->field_sqr(group, t1, t1, ctx)
- || !BN_mod_lshift_quick(t7, group->b, 2, group->field)
- || !group->meth->field_mul(group, t1, t7, t1, ctx)
- || !BN_mod_lshift1_quick(t0, t0, group->field)
- || !BN_mod_add_quick(t0, t1, t0, group->field)
- || !BN_mod_sub_quick(t1, t2, t3, group->field)
- || !group->meth->field_sqr(group, t1, t1, ctx)
- || !group->meth->field_mul(group, t3, t1, p->X, ctx)
- || !group->meth->field_mul(group, t0, p->Z, t0, ctx)
- /* s->X coord output */
- || !BN_mod_sub_quick(s->X, t0, t3, group->field)
- /* s->Z coord output */
- || !group->meth->field_mul(group, s->Z, p->Z, t1, ctx)
- || !group->meth->field_sqr(group, t3, r->X, ctx)
- || !group->meth->field_sqr(group, t2, r->Z, ctx)
- || !group->meth->field_mul(group, t4, t2, group->a, ctx)
- || !BN_mod_add_quick(t5, r->X, r->Z, group->field)
- || !group->meth->field_sqr(group, t5, t5, ctx)
- || !BN_mod_sub_quick(t5, t5, t3, group->field)
- || !BN_mod_sub_quick(t5, t5, t2, group->field)
- || !BN_mod_sub_quick(t6, t3, t4, group->field)
- || !group->meth->field_sqr(group, t6, t6, ctx)
- || !group->meth->field_mul(group, t0, t2, t5, ctx)
- || !group->meth->field_mul(group, t0, t7, t0, ctx)
- /* r->X coord output */
- || !BN_mod_sub_quick(r->X, t6, t0, group->field)
+ || !group->meth->field_mul(group, t5, group->a, t0, ctx)
+ || !BN_mod_add_quick(t5, t6, t5, group->field)
|| !BN_mod_add_quick(t6, t3, t4, group->field)
- || !group->meth->field_sqr(group, t3, t2, ctx)
- || !group->meth->field_mul(group, t7, t3, t7, ctx)
- || !group->meth->field_mul(group, t5, t5, t6, ctx)
+ || !group->meth->field_mul(group, t5, t6, t5, ctx)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !BN_mod_lshift_quick(t2, group->b, 2, group->field)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
|| !BN_mod_lshift1_quick(t5, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t3, group->field)
+ /* s->Z coord output */
+ || !group->meth->field_sqr(group, s->Z, t3, ctx)
+ || !group->meth->field_mul(group, t4, s->Z, p->X, ctx)
+ || !BN_mod_add_quick(t0, t0, t5, group->field)
+ /* s->X coord output */
+ || !BN_mod_sub_quick(s->X, t0, t4, group->field)
+ || !group->meth->field_sqr(group, t4, r->X, ctx)
+ || !group->meth->field_sqr(group, t5, r->Z, ctx)
+ || !group->meth->field_mul(group, t6, t5, group->a, ctx)
+ || !BN_mod_add_quick(t1, r->X, r->Z, group->field)
+ || !group->meth->field_sqr(group, t1, t1, ctx)
+ || !BN_mod_sub_quick(t1, t1, t4, group->field)
+ || !BN_mod_sub_quick(t1, t1, t5, group->field)
+ || !BN_mod_sub_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t3, t3, ctx)
+ || !group->meth->field_mul(group, t0, t5, t1, ctx)
+ || !group->meth->field_mul(group, t0, t2, t0, ctx)
+ /* r->X coord output */
+ || !BN_mod_sub_quick(r->X, t3, t0, group->field)
+ || !BN_mod_add_quick(t3, t4, t6, group->field)
+ || !group->meth->field_sqr(group, t4, t5, ctx)
+ || !group->meth->field_mul(group, t4, t4, t2, ctx)
+ || !group->meth->field_mul(group, t1, t1, t3, ctx)
+ || !BN_mod_lshift1_quick(t1, t1, group->field)
/* r->Z coord output */
- || !BN_mod_add_quick(r->Z, t7, t5, group->field))
+ || !BN_mod_add_quick(r->Z, t4, t1, group->field))
goto err;
ret = 1;
@@ -1600,17 +1619,23 @@ int ec_GFp_simple_ladder_step(const EC_GROUP *group,
}
/*-
+ * Input:
+ * - s, r: projective (homogeneous) coordinates
+ * - p: affine coordinates
+ *
+ * Output:
+ * - r := (x,y): affine coordinates
+ *
* Recovers the y-coordinate of r using Eq. (8) from Brier-Joye, "Weierstrass
- * Elliptic Curves and Side-Channel Attacks", modified to work in projective
- * coordinates and return r in Jacobian projective coordinates.
+ * Elliptic Curves and Side-Channel Attacks", modified to work in mixed
+ * projective coords, i.e. p is affine and (r,s) in projective (homogeneous)
+ * coords, and return r in affine coordinates.
*
- * X4 = two*Y1*X2*Z3*Z2*Z1;
- * Y4 = two*b*Z3*SQR(Z2*Z1) + Z3*(a*Z2*Z1+X1*X2)*(X1*Z2+X2*Z1) - X3*SQR(X1*Z2-X2*Z1);
- * Z4 = two*Y1*Z3*SQR(Z2)*Z1;
+ * X4 = two*Y1*X2*Z3*Z2;
+ * Y4 = two*b*Z3*SQR(Z2) + Z3*(a*Z2+X1*X2)*(X1*Z2+X2) - X3*SQR(X1*Z2-X2);
+ * Z4 = two*Y1*Z3*SQR(Z2);
*
* Z4 != 0 because:
- * - Z1==0 implies p is at infinity, which would have caused an early exit in
- * the caller;
* - Z2==0 implies r is at infinity (handled by the BN_is_zero(r->Z) branch);
* - Z3==0 implies s is at infinity (handled by the BN_is_zero(s->Z) branch);
* - Y1==0 implies p has order 2, so either r or s are infinity and handled by
@@ -1627,11 +1652,7 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
return EC_POINT_set_to_infinity(group, r);
if (BN_is_zero(s->Z)) {
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
- if (!group->meth->field_mul(group, r->X, p->X, p->Z, ctx)
- || !group->meth->field_sqr(group, r->Z, p->Z, ctx)
- || !group->meth->field_mul(group, r->Y, p->Y, r->Z, ctx)
- || !BN_copy(r->Z, p->Z)
+ if (!EC_POINT_copy(r, p)
|| !EC_POINT_invert(group, r, ctx))
return 0;
return 1;
@@ -1647,38 +1668,46 @@ int ec_GFp_simple_ladder_post(const EC_GROUP *group,
t6 = BN_CTX_get(ctx);
if (t6 == NULL
- || !BN_mod_lshift1_quick(t0, p->Y, group->field)
- || !group->meth->field_mul(group, t1, r->X, p->Z, ctx)
- || !group->meth->field_mul(group, t2, r->Z, s->Z, ctx)
- || !group->meth->field_mul(group, t2, t1, t2, ctx)
- || !group->meth->field_mul(group, t3, t2, t0, ctx)
- || !group->meth->field_mul(group, t2, r->Z, p->Z, ctx)
- || !group->meth->field_sqr(group, t4, t2, ctx)
- || !BN_mod_lshift1_quick(t5, group->b, group->field)
- || !group->meth->field_mul(group, t4, t4, t5, ctx)
- || !group->meth->field_mul(group, t6, t2, group->a, ctx)
- || !group->meth->field_mul(group, t5, r->X, p->X, ctx)
- || !BN_mod_add_quick(t5, t6, t5, group->field)
- || !group->meth->field_mul(group, t6, r->Z, p->X, ctx)
- || !BN_mod_add_quick(t2, t6, t1, group->field)
- || !group->meth->field_mul(group, t5, t5, t2, ctx)
- || !BN_mod_sub_quick(t6, t6, t1, group->field)
- || !group->meth->field_sqr(group, t6, t6, ctx)
- || !group->meth->field_mul(group, t6, t6, s->X, ctx)
- || !BN_mod_add_quick(t4, t5, t4, group->field)
- || !group->meth->field_mul(group, t4, t4, s->Z, ctx)
- || !BN_mod_sub_quick(t4, t4, t6, group->field)
- || !group->meth->field_sqr(group, t5, r->Z, ctx)
- || !group->meth->field_mul(group, r->Z, p->Z, s->Z, ctx)
- || !group->meth->field_mul(group, r->Z, t5, r->Z, ctx)
- || !group->meth->field_mul(group, r->Z, r->Z, t0, ctx)
- /* t3 := X, t4 := Y */
- /* (X,Y,Z) -> (XZ,YZ**2,Z) */
- || !group->meth->field_mul(group, r->X, t3, r->Z, ctx)
+ || !BN_mod_lshift1_quick(t4, p->Y, group->field)
+ || !group->meth->field_mul(group, t6, r->X, t4, ctx)
+ || !group->meth->field_mul(group, t6, s->Z, t6, ctx)
+ || !group->meth->field_mul(group, t5, r->Z, t6, ctx)
+ || !BN_mod_lshift1_quick(t1, group->b, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
|| !group->meth->field_sqr(group, t3, r->Z, ctx)
- || !group->meth->field_mul(group, r->Y, t4, t3, ctx))
+ || !group->meth->field_mul(group, t2, t3, t1, ctx)
+ || !group->meth->field_mul(group, t6, r->Z, group->a, ctx)
+ || !group->meth->field_mul(group, t1, p->X, r->X, ctx)
+ || !BN_mod_add_quick(t1, t1, t6, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t1, ctx)
+ || !group->meth->field_mul(group, t0, p->X, r->Z, ctx)
+ || !BN_mod_add_quick(t6, r->X, t0, group->field)
+ || !group->meth->field_mul(group, t6, t6, t1, ctx)
+ || !BN_mod_add_quick(t6, t6, t2, group->field)
+ || !BN_mod_sub_quick(t0, t0, r->X, group->field)
+ || !group->meth->field_sqr(group, t0, t0, ctx)
+ || !group->meth->field_mul(group, t0, t0, s->X, ctx)
+ || !BN_mod_sub_quick(t0, t6, t0, group->field)
+ || !group->meth->field_mul(group, t1, s->Z, t4, ctx)
+ || !group->meth->field_mul(group, t1, t3, t1, ctx)
+ || (group->meth->field_decode != NULL
+ && !group->meth->field_decode(group, t1, t1, ctx))
+ || !group->meth->field_inv(group, t1, t1, ctx)
+ || (group->meth->field_encode != NULL
+ && !group->meth->field_encode(group, t1, t1, ctx))
+ || !group->meth->field_mul(group, r->X, t5, t1, ctx)
+ || !group->meth->field_mul(group, r->Y, t0, t1, ctx))
goto err;
+ if (group->meth->field_set_to_one != NULL) {
+ if (!group->meth->field_set_to_one(group, r->Z, ctx))
+ goto err;
+ } else {
+ if (!BN_one(r->Z))
+ goto err;
+ }
+
+ r->Z_is_one = 1;
ret = 1;
err:
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 405ddbf9bf09..a1b7d50bbff8 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -130,6 +130,11 @@ void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
size_t len, const AES_KEY *key1,
const AES_KEY *key2, const unsigned char iv[16]);
#endif
+#if !defined(AES_ASM) && !defined(AES_CTR_ASM) \
+ && defined(OPENSSL_AES_CONST_TIME) \
+ && !defined(OPENSSL_SMALL_FOOTPRINT)
+# define AES_CTR_ASM
+#endif
#ifdef AES_CTR_ASM
void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
size_t blocks, const AES_KEY *key,
diff --git a/crypto/rand/build.info b/crypto/rand/build.info
index df9bac67f04c..a4e7900bdbff 100644
--- a/crypto/rand/build.info
+++ b/crypto/rand/build.info
@@ -2,3 +2,5 @@ LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
randfile.c rand_lib.c rand_err.c rand_egd.c \
rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+
+INCLUDE[drbg_ctr.o]=../modes
diff --git a/crypto/rand/drbg_ctr.c b/crypto/rand/drbg_ctr.c
index 93b82f34ceda..0f0ad1b37be4 100644
--- a/crypto/rand/drbg_ctr.c
+++ b/crypto/rand/drbg_ctr.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,28 +12,25 @@
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#include "internal/thread_once.h"
+#include "modes_local.h"
#include "internal/thread_once.h"
#include "rand_local.h"
+
/*
* Implementation of NIST SP 800-90A CTR DRBG.
*/
static void inc_128(RAND_DRBG_CTR *ctr)
{
- int i;
- unsigned char c;
- unsigned char *p = &ctr->V[15];
-
- for (i = 0; i < 16; i++, p--) {
- c = *p;
- c++;
- *p = c;
- if (c != 0) {
- /* If we didn't wrap around, we're done. */
- break;
- }
- }
+ unsigned char *p = &ctr->V[0];
+ u32 n = 16, c = 1;
+
+ do {
+ --n;
+ c += p[n];
+ p[n] = (u8)c;
+ c >>= 8;
+ } while (n);
}
static void ctr_XOR(RAND_DRBG_CTR *ctr, const unsigned char *in, size_t inlen)
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index f28f2d2610f6..41625e75ad6a 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -508,6 +508,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ret = 1;
break;
}
+ if ((x->ex_flags & EXFLAG_CA) == 0
+ && x->ex_pathlen != -1
+ && (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
+ ret = 0;
+ }
if (ret == 0 && !verify_cb_cert(ctx, x, i, X509_V_OK))
return 0;
/* check_purpose() makes the callback as needed */
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 2bc8253d2dab..f023c6489548 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -384,12 +384,16 @@ static void x509v3_cache_extensions(X509 *x)
if (bs->ca)
x->ex_flags |= EXFLAG_CA;
if (bs->pathlen) {
- if ((bs->pathlen->type == V_ASN1_NEG_INTEGER)
- || !bs->ca) {
+ if (bs->pathlen->type == V_ASN1_NEG_INTEGER) {
x->ex_flags |= EXFLAG_INVALID;
x->ex_pathlen = 0;
- } else
+ } else {
x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+ if (!bs->ca && x->ex_pathlen != 0) {
+ x->ex_flags |= EXFLAG_INVALID;
+ x->ex_pathlen = 0;
+ }
+ }
} else
x->ex_pathlen = -1;
BASIC_CONSTRAINTS_free(bs);
@@ -545,9 +549,11 @@ static void x509v3_cache_extensions(X509 *x)
* return codes:
* 0 not a CA
* 1 is a CA
- * 2 basicConstraints absent so "maybe" a CA
+ * 2 Only possible in older versions of openSSL when basicConstraints are absent
+ * new versions will not return this value. May be a CA
* 3 basicConstraints absent but self signed V1.
* 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
+ * 5 Netscape specific CA Flags present
*/
static int check_ca(const X509 *x)
diff --git a/doc/man1/s_time.pod b/doc/man1/s_time.pod
index ac32f36bc789..e1a3bef41cfc 100644
--- a/doc/man1/s_time.pod
+++ b/doc/man1/s_time.pod
@@ -14,7 +14,7 @@ B<openssl> B<s_time>
[B<-cert filename>]
[B<-key filename>]
[B<-CApath directory>]
-[B<-cafile filename>]
+[B<-CAfile filename>]
[B<-no-CAfile>]
[B<-no-CApath>]
[B<-reuse>]
@@ -202,7 +202,7 @@ L<s_client(1)>, L<s_server(1)>, L<ciphers(1)>
=head1 COPYRIGHT
-Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_aes.pod b/doc/man3/EVP_aes.pod
index 4192a9ec369f..6377fc9a21b0 100644
--- a/doc/man3/EVP_aes.pod
+++ b/doc/man3/EVP_aes.pod
@@ -160,6 +160,13 @@ In particular, XTS-AES-128 (B<EVP_aes_128_xts>) takes input of a 256-bit key to
achieve AES 128-bit security, and XTS-AES-256 (B<EVP_aes_256_xts>) takes input
of a 512-bit key to achieve AES 256-bit security.
+The XTS implementation in OpenSSL does not support streaming. That is there must
+only be one L<EVP_EncryptUpdate(3)> call per L<EVP_EncryptInit_ex(3)> call (and
+similarly with the "Decrypt" functions).
+
+The I<iv> parameter to L<EVP_EncryptInit_ex(3)> or L<EVP_DecryptInit_ex(3)> is
+the XTS "tweak" value.
+
=back
=head1 RETURN VALUES
@@ -176,7 +183,7 @@ L<EVP_CIPHER_meth_new(3)>
=head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/RAND_set_rand_method.pod b/doc/man3/RAND_set_rand_method.pod
index b120e712e6f3..1e9360d220dc 100644
--- a/doc/man3/RAND_set_rand_method.pod
+++ b/doc/man3/RAND_set_rand_method.pod
@@ -33,10 +33,10 @@ RAND_get_rand_method() returns a pointer to the current B<RAND_METHOD>.
=head1 THE RAND_METHOD STRUCTURE
typedef struct rand_meth_st {
- void (*seed)(const void *buf, int num);
+ int (*seed)(const void *buf, int num);
int (*bytes)(unsigned char *buf, int num);
void (*cleanup)(void);
- void (*add)(const void *buf, int num, int randomness);
+ int (*add)(const void *buf, int num, double entropy);
int (*pseudorand)(unsigned char *buf, int num);
int (*status)(void);
} RAND_METHOD;
@@ -60,7 +60,7 @@ L<RAND(7)>
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_check_purpose.pod b/doc/man3/X509_check_purpose.pod
new file mode 100644
index 000000000000..bc38138743cd
--- /dev/null
+++ b/doc/man3/X509_check_purpose.pod
@@ -0,0 +1,74 @@
+=pod
+
+=head1 NAME
+
+X509_check_purpose - Check the purpose of a certificate
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509v3.h>
+
+ int X509_check_purpose(X509 *x, int id, int ca)
+
+=head1 DESCRIPTION
+
+This function checks if certificate I<x> was created with the purpose
+represented by I<id>. If I<ca> is nonzero, then certificate I<x> is
+checked to determine if it's a possible CA with various levels of certainty
+possibly returned.
+
+Below are the potential ID's that can be checked:
+
+ # define X509_PURPOSE_SSL_CLIENT 1
+ # define X509_PURPOSE_SSL_SERVER 2
+ # define X509_PURPOSE_NS_SSL_SERVER 3
+ # define X509_PURPOSE_SMIME_SIGN 4
+ # define X509_PURPOSE_SMIME_ENCRYPT 5
+ # define X509_PURPOSE_CRL_SIGN 6
+ # define X509_PURPOSE_ANY 7
+ # define X509_PURPOSE_OCSP_HELPER 8
+ # define X509_PURPOSE_TIMESTAMP_SIGN 9
+
+=head1 RETURN VALUES
+
+For non-CA checks
+
+=over 4
+
+=item -1 an error condition has occured
+
+=item E<32>1 if the certificate was created to perform the purpose represented by I<id>
+
+=item E<32>0 if the certificate was not created to perform the purpose represented by I<id>
+
+=back
+
+For CA checks the below integers could be returned with the following meanings:
+
+=over 4
+
+=item -1 an error condition has occured
+
+=item E<32>0 not a CA or does not have the purpose represented by I<id>
+
+=item E<32>1 is a CA.
+
+=item E<32>2 Only possible in old versions of openSSL when basicConstraints are absent.
+ New versions will not return this value. May be a CA
+
+=item E<32>3 basicConstraints absent but self signed V1.
+
+=item E<32>4 basicConstraints absent but keyUsage present and keyCertSign asserted.
+
+=item E<32>5 legacy Netscape specific CA Flags present
+
+=back
+
+=head1 COPYRIGHT
+
+Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Licensed under the Apache License 2.0 (the "License"). You may not use this
+file except in compliance with the License. You can obtain a copy in the file
+LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 8c697f5f7acc..17d271f54c7f 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010106fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1f 31 Mar 2020"
+# define OPENSSL_VERSION_NUMBER 0x1010107fL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a254fd5a0559..76b4baa38893 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2130,7 +2130,7 @@ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
sigalg = use_pc_sigalgs
? tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i])
: s->shared_sigalgs[i];
- if (sig_nid == sigalg->sigandhash)
+ if (sigalg != NULL && sig_nid == sigalg->sigandhash)
return 1;
}
return 0;