[rtems-libbsd commit] Update to FreeBSD stable/12 2019-03-11
Sebastian Huber
sebh at rtems.org
Mon Mar 11 09:05:30 UTC 2019
Module: rtems-libbsd
Branch: 5-freebsd-12
Commit: eb1d30ad351ed18116acbd8b224ed8e07d6627d0
Changeset: http://git.rtems.org/rtems-libbsd/commit/?id=eb1d30ad351ed18116acbd8b224ed8e07d6627d0
Author: Sebastian Huber <sebastian.huber at embedded-brains.de>
Date: Mon Mar 11 07:23:29 2019 +0100
Update to FreeBSD stable/12 2019-03-11
Git mirror commit 735fe7a0a5f9c265040e2e6654a01b081d6354f1.
---
freebsd-org | 2 +-
freebsd/crypto/openssl/crypto/asn1/a_digest.c | 12 +-
freebsd/crypto/openssl/crypto/asn1/a_sign.c | 32 +-
freebsd/crypto/openssl/crypto/asn1/a_verify.c | 18 +-
freebsd/crypto/openssl/crypto/asn1/ameth_lib.c | 28 +-
freebsd/crypto/openssl/crypto/asn1/charmap.h | 2 +-
freebsd/crypto/openssl/crypto/asn1/d2i_pu.c | 4 +-
freebsd/crypto/openssl/crypto/bio/b_addr.c | 7 +-
freebsd/crypto/openssl/crypto/bio/bss_file.c | 11 +-
freebsd/crypto/openssl/crypto/bio/bss_mem.c | 26 +-
freebsd/crypto/openssl/crypto/bn/bn_ctx.c | 8 +-
freebsd/crypto/openssl/crypto/bn/bn_depr.c | 4 +-
freebsd/crypto/openssl/crypto/bn/bn_div.c | 319 +-
freebsd/crypto/openssl/crypto/bn/bn_exp.c | 66 +-
freebsd/crypto/openssl/crypto/bn/bn_lib.c | 66 +-
freebsd/crypto/openssl/crypto/bn/bn_prime.h | 2 +-
freebsd/crypto/openssl/crypto/bn/bn_shift.c | 130 +-
freebsd/crypto/openssl/crypto/cms/cms_kari.c | 7 +-
freebsd/crypto/openssl/crypto/cms/cms_pwri.c | 1 +
freebsd/crypto/openssl/crypto/conf/conf_def.c | 9 +-
freebsd/crypto/openssl/crypto/conf/conf_def.h | 2 +-
freebsd/crypto/openssl/crypto/conf/conf_lib.c | 28 +-
freebsd/crypto/openssl/crypto/conf/conf_mod.c | 5 +-
freebsd/crypto/openssl/crypto/conf/conf_sap.c | 25 +-
freebsd/crypto/openssl/crypto/conf/conf_ssl.c | 4 +-
freebsd/crypto/openssl/crypto/cryptlib.c | 18 +-
freebsd/crypto/openssl/crypto/ec/curve25519.c | 4541 ++++++++++----------
freebsd/crypto/openssl/crypto/ec/curve448/eddsa.c | 30 +-
.../crypto/openssl/crypto/ec/curve448/point_448.h | 16 +-
freebsd/crypto/openssl/crypto/ec/ec2_smpl.c | 20 +-
freebsd/crypto/openssl/crypto/ec/ec_ameth.c | 2 +-
freebsd/crypto/openssl/crypto/ec/ec_err.c | 9 +-
freebsd/crypto/openssl/crypto/ec/ec_lcl.h | 14 +-
freebsd/crypto/openssl/crypto/ec/ecp_mont.c | 51 +-
freebsd/crypto/openssl/crypto/ec/ecp_nist.c | 3 +-
freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c | 3 +-
freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c | 3 +-
freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c | 3 +-
freebsd/crypto/openssl/crypto/ec/ecp_nistz256.c | 3 +-
freebsd/crypto/openssl/crypto/ec/ecp_smpl.c | 51 +-
freebsd/crypto/openssl/crypto/ec/ecx_meth.c | 3 +-
.../crypto/openssl/crypto/engine/eng_devcrypto.c | 271 +-
freebsd/crypto/openssl/crypto/engine/eng_lib.c | 4 +-
freebsd/crypto/openssl/crypto/err/err.c | 112 +-
freebsd/crypto/openssl/crypto/evp/evp_enc.c | 45 +-
freebsd/crypto/openssl/crypto/evp/evp_err.c | 2 +
freebsd/crypto/openssl/crypto/evp/p_lib.c | 2 +-
.../openssl/crypto/include/internal/bn_int.h | 9 +-
freebsd/crypto/openssl/crypto/init.c | 141 +-
freebsd/crypto/openssl/crypto/objects/obj_dat.h | 2 +-
freebsd/crypto/openssl/crypto/objects/obj_xref.h | 2 +-
freebsd/crypto/openssl/crypto/pem/pem_info.c | 4 +-
freebsd/crypto/openssl/crypto/ppc_arch.h | 4 +-
freebsd/crypto/openssl/crypto/rand/rand_unix.c | 23 +-
freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c | 9 +-
freebsd/crypto/openssl/crypto/rsa/rsa_oaep.c | 82 +-
freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c | 17 +-
freebsd/crypto/openssl/crypto/rsa/rsa_pk1.c | 95 +-
freebsd/crypto/openssl/crypto/rsa/rsa_ssl.c | 133 +-
freebsd/crypto/openssl/crypto/rsa/rsa_x931g.c | 2 +
freebsd/crypto/openssl/crypto/srp/srp_lib.c | 6 +-
freebsd/crypto/openssl/crypto/srp/srp_vfy.c | 25 +-
freebsd/crypto/openssl/crypto/ui/ui_openssl.c | 8 +-
freebsd/crypto/openssl/crypto/uid.c | 5 +-
freebsd/crypto/openssl/crypto/x509/x509_vfy.c | 11 +-
freebsd/crypto/openssl/crypto/x509/x_crl.c | 14 +-
freebsd/crypto/openssl/crypto/x509/x_pubkey.c | 3 +-
freebsd/crypto/openssl/crypto/x509/x_x509.c | 25 +-
freebsd/crypto/openssl/e_os.h | 3 +
freebsd/crypto/openssl/engines/e_dasync.c | 21 +-
freebsd/crypto/openssl/include/internal/conf.h | 11 +-
.../openssl/include/internal/constant_time_locl.h | 6 +
freebsd/crypto/openssl/include/internal/cryptlib.h | 4 +-
freebsd/crypto/openssl/include/internal/sockets.h | 8 +-
.../crypto/openssl/include/internal/thread_once.h | 94 +-
.../crypto/openssl/include/internal/tsan_assist.h | 4 +-
freebsd/crypto/openssl/include/openssl/crypto.h | 18 +-
freebsd/crypto/openssl/include/openssl/e_os2.h | 9 +-
freebsd/crypto/openssl/include/openssl/ecerr.h | 6 +-
freebsd/crypto/openssl/include/openssl/evp.h | 13 +-
freebsd/crypto/openssl/include/openssl/evperr.h | 1 +
freebsd/crypto/openssl/include/openssl/lhash.h | 55 +-
freebsd/crypto/openssl/include/openssl/obj_mac.h | 2 +-
freebsd/crypto/openssl/include/openssl/opensslv.h | 4 +-
freebsd/crypto/openssl/include/openssl/safestack.h | 85 +-
freebsd/crypto/openssl/include/openssl/ssl.h | 35 +-
freebsd/crypto/openssl/include/openssl/sslerr.h | 3 +-
freebsd/crypto/openssl/include/openssl/x509_vfy.h | 6 +-
freebsd/crypto/openssl/ssl/record/rec_layer_d1.c | 15 +-
freebsd/crypto/openssl/ssl/record/rec_layer_s3.c | 10 +-
freebsd/crypto/openssl/ssl/s3_enc.c | 8 +-
freebsd/crypto/openssl/ssl/s3_lib.c | 2 +-
freebsd/crypto/openssl/ssl/ssl_ciph.c | 4 +-
freebsd/crypto/openssl/ssl/ssl_err.c | 4 +-
freebsd/crypto/openssl/ssl/ssl_init.c | 19 +-
freebsd/crypto/openssl/ssl/ssl_lib.c | 46 +-
freebsd/crypto/openssl/ssl/ssl_locl.h | 6 +-
freebsd/crypto/openssl/ssl/statem/extensions.c | 17 +-
freebsd/crypto/openssl/ssl/statem/statem.c | 8 +-
freebsd/crypto/openssl/ssl/statem/statem_clnt.c | 30 +-
freebsd/crypto/openssl/ssl/statem/statem_lib.c | 44 +-
freebsd/crypto/openssl/ssl/statem/statem_locl.h | 5 +-
freebsd/crypto/openssl/ssl/statem/statem_srvr.c | 39 +-
freebsd/crypto/openssl/ssl/t1_enc.c | 14 +-
freebsd/crypto/openssl/ssl/t1_lib.c | 21 +-
freebsd/crypto/openssl/ssl/tls13_enc.c | 81 +-
freebsd/sbin/dhclient/dhclient.c | 3 +-
freebsd/sbin/ifconfig/ifconfig.c | 57 +-
freebsd/sbin/ifconfig/ifieee80211.c | 4 +-
freebsd/sbin/ifconfig/ifpfsync.c | 6 +-
freebsd/sbin/pfctl/parse.y | 17 +-
freebsd/sbin/pfctl/pfctl.h | 1 -
freebsd/sbin/pfctl/pfctl_altq.c | 550 +--
freebsd/sbin/pfctl/pfctl_parser.c | 145 +-
freebsd/sbin/pfctl/pfctl_parser.h | 26 +-
freebsd/sbin/pfctl/rtems-bsd-pfctl-namespace.h | 5 +-
.../sbin/pfctl/rtems-bsd-pfctl-pfctl_altq-data.h | 5 +-
.../sbin/pfctl/rtems-bsd-pfctl-pfctl_parser-data.h | 1 +
freebsd/sbin/sysctl/sysctl.c | 19 +
freebsd/sys/dev/e1000/em_txrx.c | 9 +-
freebsd/sys/dev/e1000/if_em.c | 117 +-
freebsd/sys/dev/e1000/if_em.h | 4 -
freebsd/sys/dev/e1000/igb_txrx.c | 9 +-
freebsd/sys/dev/evdev/evdev.c | 93 +-
freebsd/sys/dev/evdev/evdev_private.h | 4 +
freebsd/sys/dev/rtwn/rtl8192c/r92c_init.c | 1 +
freebsd/sys/dev/usb/quirk/usb_quirk.c | 2 +
freebsd/sys/dev/usb/wlan/if_run.c | 6 +-
freebsd/sys/i386/include/machine/cpufunc.h | 50 +-
freebsd/sys/kern/sys_pipe.c | 8 +-
freebsd/sys/net/altq/altq_cbq.c | 5 +-
freebsd/sys/net/altq/altq_codel.c | 5 +-
freebsd/sys/net/altq/altq_fairq.c | 5 +-
freebsd/sys/net/altq/altq_hfsc.c | 15 +-
freebsd/sys/net/altq/altq_hfsc.h | 1 +
freebsd/sys/net/altq/altq_priq.c | 5 +-
freebsd/sys/net/altq/altq_subr.c | 12 +-
freebsd/sys/net/altq/altq_var.h | 12 +-
freebsd/sys/net/if_bridge.c | 8 +-
freebsd/sys/net/if_lagg.c | 4 +-
freebsd/sys/net/iflib.h | 4 +
freebsd/sys/net/pfvar.h | 10 +-
freebsd/sys/net80211/ieee80211_adhoc.c | 8 +-
freebsd/sys/net80211/ieee80211_hostap.c | 8 +-
freebsd/sys/net80211/ieee80211_ht.c | 5 +-
freebsd/sys/net80211/ieee80211_mesh.c | 7 +-
freebsd/sys/net80211/ieee80211_output.c | 10 +-
freebsd/sys/net80211/ieee80211_proto.c | 3 +
freebsd/sys/net80211/ieee80211_proto.h | 16 +
freebsd/sys/net80211/ieee80211_scan.c | 10 +-
freebsd/sys/net80211/ieee80211_scan_sta.c | 3 +
freebsd/sys/net80211/ieee80211_sta.c | 8 +-
freebsd/sys/net80211/ieee80211_tdma.c | 3 +
freebsd/sys/net80211/ieee80211_wds.c | 8 +-
freebsd/sys/netinet/if_ether.c | 4 +
freebsd/sys/netinet/in_pcb.c | 2 +
freebsd/sys/netinet/tcp_reass.c | 32 +-
freebsd/sys/netpfil/pf/pf.c | 14 +-
freebsd/sys/netpfil/pf/pf_if.c | 9 +-
freebsd/sys/netpfil/pf/pf_ioctl.c | 416 +-
freebsd/sys/netpfil/pf/pf_norm.c | 4 +-
freebsd/sys/sys/mouse.h | 1 +
freebsd/sys/vm/uma_core.c | 14 +-
freebsd/sys/vm/uma_int.h | 6 +-
.../include/machine/rtems-bsd-kernel-namespace.h | 8 +-
rtemsbsd/include/rtems/bsd/local/usbdevs.h | 1 +
rtemsbsd/include/rtems/bsd/local/usbdevs_data.h | 6 +
167 files changed, 5491 insertions(+), 3748 deletions(-)
diff --git a/freebsd-org b/freebsd-org
index 606b591..735fe7a 160000
--- a/freebsd-org
+++ b/freebsd-org
@@ -1 +1 @@
-Subproject commit 606b591dae1023a71ff020faf99789059eb6591f
+Subproject commit 735fe7a0a5f9c265040e2e6654a01b081d6354f1
diff --git a/freebsd/crypto/openssl/crypto/asn1/a_digest.c b/freebsd/crypto/openssl/crypto/asn1/a_digest.c
index 6c3fc0e..fbbe17f 100644
--- a/freebsd/crypto/openssl/crypto/asn1/a_digest.c
+++ b/freebsd/crypto/openssl/crypto/asn1/a_digest.c
@@ -25,18 +25,22 @@
int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
unsigned char *md, unsigned int *len)
{
- int i;
+ int inl;
unsigned char *str, *p;
- i = i2d(data, NULL);
- if ((str = OPENSSL_malloc(i)) == NULL) {
+ inl = i2d(data, NULL);
+ if (inl <= 0) {
+ ASN1err(ASN1_F_ASN1_DIGEST, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if ((str = OPENSSL_malloc(inl)) == NULL) {
ASN1err(ASN1_F_ASN1_DIGEST, ERR_R_MALLOC_FAILURE);
return 0;
}
p = str;
i2d(data, &p);
- if (!EVP_Digest(str, i, md, len, type, NULL)) {
+ if (!EVP_Digest(str, inl, md, len, type, NULL)) {
OPENSSL_free(str);
return 0;
}
diff --git a/freebsd/crypto/openssl/crypto/asn1/a_sign.c b/freebsd/crypto/openssl/crypto/asn1/a_sign.c
index 200e251..c1a849b 100644
--- a/freebsd/crypto/openssl/crypto/asn1/a_sign.c
+++ b/freebsd/crypto/openssl/crypto/asn1/a_sign.c
@@ -31,7 +31,8 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
{
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
unsigned char *p, *buf_in = NULL, *buf_out = NULL;
- int i, inl = 0, outl = 0, outll = 0;
+ int i, inl = 0, outl = 0;
+ size_t inll = 0, outll = 0;
X509_ALGOR *a;
if (ctx == NULL) {
@@ -72,10 +73,15 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
}
}
inl = i2d(data, NULL);
- buf_in = OPENSSL_malloc((unsigned int)inl);
+ if (inl <= 0) {
+ ASN1err(ASN1_F_ASN1_SIGN, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ inll = (size_t)inl;
+ buf_in = OPENSSL_malloc(inll);
outll = outl = EVP_PKEY_size(pkey);
- buf_out = OPENSSL_malloc((unsigned int)outl);
- if ((buf_in == NULL) || (buf_out == NULL)) {
+ buf_out = OPENSSL_malloc(outll);
+ if (buf_in == NULL || buf_out == NULL) {
outl = 0;
ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
@@ -103,7 +109,7 @@ int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
err:
EVP_MD_CTX_free(ctx);
- OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
+ OPENSSL_clear_free((char *)buf_in, inll);
OPENSSL_clear_free((char *)buf_out, outll);
return outl;
}
@@ -140,7 +146,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
EVP_PKEY *pkey;
unsigned char *buf_in = NULL, *buf_out = NULL;
size_t inl = 0, outl = 0, outll = 0;
- int signid, paramtype;
+ int signid, paramtype, buf_len = 0;
int rv;
type = EVP_MD_CTX_md(ctx);
@@ -200,10 +206,16 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
}
- inl = ASN1_item_i2d(asn, &buf_in, it);
+ buf_len = ASN1_item_i2d(asn, &buf_in, it);
+ if (buf_len <= 0) {
+ outl = 0;
+ ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ inl = buf_len;
outll = outl = EVP_PKEY_size(pkey);
- buf_out = OPENSSL_malloc((unsigned int)outl);
- if ((buf_in == NULL) || (buf_out == NULL)) {
+ buf_out = OPENSSL_malloc(outll);
+ if (buf_in == NULL || buf_out == NULL) {
outl = 0;
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_MALLOC_FAILURE);
goto err;
@@ -225,7 +237,7 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
err:
- OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
+ OPENSSL_clear_free((char *)buf_in, inl);
OPENSSL_clear_free((char *)buf_out, outll);
return outl;
}
diff --git a/freebsd/crypto/openssl/crypto/asn1/a_verify.c b/freebsd/crypto/openssl/crypto/asn1/a_verify.c
index 81fbb51..dbe28d8 100644
--- a/freebsd/crypto/openssl/crypto/asn1/a_verify.c
+++ b/freebsd/crypto/openssl/crypto/asn1/a_verify.c
@@ -50,6 +50,10 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
}
inl = i2d(data, NULL);
+ if (inl <= 0) {
+ ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
buf_in = OPENSSL_malloc((unsigned int)inl);
if (buf_in == NULL) {
ASN1err(ASN1_F_ASN1_VERIFY, ERR_R_MALLOC_FAILURE);
@@ -89,8 +93,8 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
EVP_MD_CTX *ctx = NULL;
unsigned char *buf_in = NULL;
int ret = -1, inl = 0;
-
int mdnid, pknid;
+ size_t inll = 0;
if (!pkey) {
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
@@ -129,8 +133,8 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
goto err;
ret = -1;
} else {
- const EVP_MD *type;
- type = EVP_get_digestbynid(mdnid);
+ const EVP_MD *type = EVP_get_digestbynid(mdnid);
+
if (type == NULL) {
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,
ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
@@ -152,11 +156,15 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
}
inl = ASN1_item_i2d(asn, &buf_in, it);
-
+ if (inl <= 0) {
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
if (buf_in == NULL) {
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
+ inll = inl;
ret = EVP_DigestVerify(ctx, signature->data, (size_t)signature->length,
buf_in, inl);
@@ -166,7 +174,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
}
ret = 1;
err:
- OPENSSL_clear_free(buf_in, (unsigned int)inl);
+ OPENSSL_clear_free(buf_in, inll);
EVP_MD_CTX_free(ctx);
return ret;
}
diff --git a/freebsd/crypto/openssl/crypto/asn1/ameth_lib.c b/freebsd/crypto/openssl/crypto/asn1/ameth_lib.c
index 7602a8e..71e5a68 100644
--- a/freebsd/crypto/openssl/crypto/asn1/ameth_lib.c
+++ b/freebsd/crypto/openssl/crypto/asn1/ameth_lib.c
@@ -142,6 +142,22 @@ int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth)
{
EVP_PKEY_ASN1_METHOD tmp = { 0, };
+ /*
+ * One of the following must be true:
+ *
+ * pem_str == NULL AND ASN1_PKEY_ALIAS is set
+ * pem_str != NULL AND ASN1_PKEY_ALIAS is clear
+ *
+ * Anything else is an error and may lead to a corrupt ASN1 method table
+ */
+ if (!((ameth->pem_str == NULL
+ && (ameth->pkey_flags & ASN1_PKEY_ALIAS) != 0)
+ || (ameth->pem_str != NULL
+ && (ameth->pkey_flags & ASN1_PKEY_ALIAS) == 0))) {
+ EVPerr(EVP_F_EVP_PKEY_ASN1_ADD0, ERR_R_PASSED_INVALID_ARGUMENT);
+ return 0;
+ }
+
if (app_methods == NULL) {
app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp);
if (app_methods == NULL)
@@ -218,18 +234,6 @@ EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
goto err;
}
- /*
- * One of the following must be true:
- *
- * pem_str == NULL AND ASN1_PKEY_ALIAS is set
- * pem_str != NULL AND ASN1_PKEY_ALIAS is clear
- *
- * Anything else is an error and may lead to a corrupt ASN1 method table
- */
- if (!((pem_str == NULL && (flags & ASN1_PKEY_ALIAS) != 0)
- || (pem_str != NULL && (flags & ASN1_PKEY_ALIAS) == 0)))
- goto err;
-
if (pem_str) {
ameth->pem_str = OPENSSL_strdup(pem_str);
if (!ameth->pem_str)
diff --git a/freebsd/crypto/openssl/crypto/asn1/charmap.h b/freebsd/crypto/openssl/crypto/asn1/charmap.h
index bfccac2..f15d72d 100644
--- a/freebsd/crypto/openssl/crypto/asn1/charmap.h
+++ b/freebsd/crypto/openssl/crypto/asn1/charmap.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/asn1/charmap.pl
*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/freebsd/crypto/openssl/crypto/asn1/d2i_pu.c b/freebsd/crypto/openssl/crypto/asn1/d2i_pu.c
index 9f0e572..9dd6198 100644
--- a/freebsd/crypto/openssl/crypto/asn1/d2i_pu.c
+++ b/freebsd/crypto/openssl/crypto/asn1/d2i_pu.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -34,7 +34,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
} else
ret = *a;
- if (!EVP_PKEY_set_type(ret, type)) {
+ if (type != EVP_PKEY_id(ret) && !EVP_PKEY_set_type(ret, type)) {
ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_EVP_LIB);
goto err;
}
diff --git a/freebsd/crypto/openssl/crypto/bio/b_addr.c b/freebsd/crypto/openssl/crypto/bio/b_addr.c
index 950d87b..0818431 100644
--- a/freebsd/crypto/openssl/crypto/bio/b_addr.c
+++ b/freebsd/crypto/openssl/crypto/bio/b_addr.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -784,7 +784,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
* anyway [above getaddrinfo/gai_strerror is]. We just let
* system administrator figure this out...
*/
+# if defined(OPENSSL_SYS_VXWORKS)
+ /* h_errno doesn't exist on VxWorks */
+ SYSerr(SYS_F_GETHOSTBYNAME, 1000 );
+# else
SYSerr(SYS_F_GETHOSTBYNAME, 1000 + h_errno);
+# endif
#else
SYSerr(SYS_F_GETHOSTBYNAME, WSAGetLastError());
#endif
diff --git a/freebsd/crypto/openssl/crypto/bio/bss_file.c b/freebsd/crypto/openssl/crypto/bio/bss_file.c
index 7818cf1..1411744 100644
--- a/freebsd/crypto/openssl/crypto/bio/bss_file.c
+++ b/freebsd/crypto/openssl/crypto/bio/bss_file.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -255,9 +255,7 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
}
# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
int fd = fileno((FILE *)ptr);
- if (num & BIO_FP_TEXT)
- setmode(fd, O_TEXT);
- else
+ if (!(num & BIO_FP_TEXT))
setmode(fd, O_BINARY);
# endif
}
@@ -281,11 +279,14 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr)
ret = 0;
break;
}
-# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32_CYGWIN)
+# if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
if (!(num & BIO_FP_TEXT))
OPENSSL_strlcat(p, "b", sizeof(p));
else
OPENSSL_strlcat(p, "t", sizeof(p));
+# elif defined(OPENSSL_SYS_WIN32_CYGWIN)
+ if (!(num & BIO_FP_TEXT))
+ OPENSSL_strlcat(p, "b", sizeof(p));
# endif
fp = openssl_fopen(ptr, p);
if (fp == NULL) {
diff --git a/freebsd/crypto/openssl/crypto/bio/bss_mem.c b/freebsd/crypto/openssl/crypto/bio/bss_mem.c
index 1aa581a..0e02d0c 100644
--- a/freebsd/crypto/openssl/crypto/bio/bss_mem.c
+++ b/freebsd/crypto/openssl/crypto/bio/bss_mem.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -22,7 +22,7 @@ static long mem_ctrl(BIO *h, int cmd, long arg1, void *arg2);
static int mem_new(BIO *h);
static int secmem_new(BIO *h);
static int mem_free(BIO *data);
-static int mem_buf_free(BIO *data, int free_all);
+static int mem_buf_free(BIO *data);
static int mem_buf_sync(BIO *h);
static const BIO_METHOD mem_method = {
@@ -142,10 +142,20 @@ static int secmem_new(BIO *bi)
static int mem_free(BIO *a)
{
- return mem_buf_free(a, 1);
+ BIO_BUF_MEM *bb;
+
+ if (a == NULL)
+ return 0;
+
+ bb = (BIO_BUF_MEM *)a->ptr;
+ if (!mem_buf_free(a))
+ return 0;
+ OPENSSL_free(bb->readp);
+ OPENSSL_free(bb);
+ return 1;
}
-static int mem_buf_free(BIO *a, int free_all)
+static int mem_buf_free(BIO *a)
{
if (a == NULL)
return 0;
@@ -157,11 +167,6 @@ static int mem_buf_free(BIO *a, int free_all)
if (a->flags & BIO_FLAGS_MEM_RDONLY)
b->data = NULL;
BUF_MEM_free(b);
- if (free_all) {
- OPENSSL_free(bb->readp);
- OPENSSL_free(bb);
- }
- a->ptr = NULL;
}
return 1;
}
@@ -268,11 +273,10 @@ static long mem_ctrl(BIO *b, int cmd, long num, void *ptr)
}
break;
case BIO_C_SET_BUF_MEM:
- mem_buf_free(b, 0);
+ mem_buf_free(b);
b->shutdown = (int)num;
bbm->buf = ptr;
*bbm->readp = *bbm->buf;
- b->ptr = bbm;
break;
case BIO_C_GET_BUF_MEM_PTR:
if (ptr != NULL) {
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_ctx.c b/freebsd/crypto/openssl/crypto/bn/bn_ctx.c
index f328793..5db64ef 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_ctx.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_ctx.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -229,6 +229,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx)
}
/* OK, make sure the returned bignum is "zero" */
BN_zero(ret);
+ /* clear BN_FLG_CONSTTIME if leaked from previous frames */
+ ret->flags &= (~BN_FLG_CONSTTIME);
ctx->used++;
CTXDBG_RET(ctx, ret);
return ret;
@@ -258,7 +260,7 @@ static int BN_STACK_push(BN_STACK *st, unsigned int idx)
unsigned int newsize =
st->size ? (st->size * 3 / 2) : BN_CTX_START_FRAMES;
unsigned int *newitems;
-
+
if ((newitems = OPENSSL_malloc(sizeof(*newitems) * newsize)) == NULL) {
BNerr(BN_F_BN_STACK_PUSH, ERR_R_MALLOC_FAILURE);
return 0;
@@ -312,7 +314,7 @@ static BIGNUM *BN_POOL_get(BN_POOL *p, int flag)
/* Full; allocate a new pool item and link it in. */
if (p->used == p->size) {
BN_POOL_ITEM *item;
-
+
if ((item = OPENSSL_malloc(sizeof(*item))) == NULL) {
BNerr(BN_F_BN_POOL_GET, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_depr.c b/freebsd/crypto/openssl/crypto/bn/bn_depr.c
index 7d1b1cf..d87fb15 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_depr.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_depr.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -42,7 +42,7 @@ BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe,
goto err;
/* we have a prime :-) */
- return ret;
+ return rnd;
err:
BN_free(rnd);
return NULL;
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_div.c b/freebsd/crypto/openssl/crypto/bn/bn_div.c
index a4435c7..efb7142 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_div.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_div.c
@@ -9,6 +9,7 @@
* https://www.openssl.org/source/license.html
*/
+#include <assert.h>
#include <openssl/bn.h>
#include "internal/cryptlib.h"
#include "bn_lcl.h"
@@ -88,6 +89,77 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
#else
+# if defined(BN_DIV3W)
+BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
+# elif 0
+/*
+ * This is #if-ed away, because it's a reference for assembly implementations,
+ * where it can and should be made constant-time. But if you want to test it,
+ * just replace 0 with 1.
+ */
+# if BN_BITS2 == 64 && defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
+# undef BN_ULLONG
+# define BN_ULLONG __uint128_t
+# define BN_LLONG
+# endif
+
+# ifdef BN_LLONG
+# define BN_DIV3W
+/*
+ * Interface is somewhat quirky, |m| is pointer to most significant limb,
+ * and less significant limb is referred at |m[-1]|. This means that caller
+ * is responsible for ensuring that |m[-1]| is valid. Second condition that
+ * has to be met is that |d0|'s most significant bit has to be set. Or in
+ * other words divisor has to be "bit-aligned to the left." bn_div_fixed_top
+ * does all this. The subroutine considers four limbs, two of which are
+ * "overlapping," hence the name...
+ */
+static BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0)
+{
+ BN_ULLONG R = ((BN_ULLONG)m[0] << BN_BITS2) | m[-1];
+ BN_ULLONG D = ((BN_ULLONG)d0 << BN_BITS2) | d1;
+ BN_ULONG Q = 0, mask;
+ int i;
+
+ for (i = 0; i < BN_BITS2; i++) {
+ Q <<= 1;
+ if (R >= D) {
+ Q |= 1;
+ R -= D;
+ }
+ D >>= 1;
+ }
+
+ mask = 0 - (Q >> (BN_BITS2 - 1)); /* does it overflow? */
+
+ Q <<= 1;
+ Q |= (R >= D);
+
+ return (Q | mask) & BN_MASK2;
+}
+# endif
+# endif
+
+static int bn_left_align(BIGNUM *num)
+{
+ BN_ULONG *d = num->d, n, m, rmask;
+ int top = num->top;
+ int rshift = BN_num_bits_word(d[top - 1]), lshift, i;
+
+ lshift = BN_BITS2 - rshift;
+ rshift %= BN_BITS2; /* say no to undefined behaviour */
+ rmask = (BN_ULONG)0 - rshift; /* rmask = 0 - (rshift != 0) */
+ rmask |= rmask >> 8;
+
+ for (i = 0, m = 0; i < top; i++) {
+ n = d[i];
+ d[i] = ((n << lshift) | m) & BN_MASK2;
+ m = (n >> rshift) & rmask;
+ }
+
+ return lshift;
+}
+
# if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \
&& !defined(PEDANTIC) && !defined(BN_DIV3W)
# if defined(__GNUC__) && __GNUC__>=2
@@ -139,55 +211,73 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
BN_CTX *ctx)
{
- int norm_shift, i, loop;
- BIGNUM *tmp, wnum, *snum, *sdiv, *res;
- BN_ULONG *resp, *wnump;
- BN_ULONG d0, d1;
- int num_n, div_n;
- int no_branch = 0;
+ int ret;
+
+ if (BN_is_zero(divisor)) {
+ BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
+ return 0;
+ }
/*
* Invalid zero-padding would have particularly bad consequences so don't
* just rely on bn_check_top() here (bn_check_top() works only for
* BN_DEBUG builds)
*/
- if ((num->top > 0 && num->d[num->top - 1] == 0) ||
- (divisor->top > 0 && divisor->d[divisor->top - 1] == 0)) {
+ if (divisor->d[divisor->top - 1] == 0) {
BNerr(BN_F_BN_DIV, BN_R_NOT_INITIALIZED);
return 0;
}
- bn_check_top(num);
- bn_check_top(divisor);
+ ret = bn_div_fixed_top(dv, rm, num, divisor, ctx);
- if ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0)
- || (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)) {
- no_branch = 1;
+ if (ret) {
+ if (dv != NULL)
+ bn_correct_top(dv);
+ if (rm != NULL)
+ bn_correct_top(rm);
}
- bn_check_top(dv);
- bn_check_top(rm);
- /*- bn_check_top(num); *//*
- * 'num' has been checked already
- */
- /*- bn_check_top(divisor); *//*
- * 'divisor' has been checked already
- */
+ return ret;
+}
- if (BN_is_zero(divisor)) {
- BNerr(BN_F_BN_DIV, BN_R_DIV_BY_ZERO);
- return 0;
- }
+/*
+ * It's argued that *length* of *significant* part of divisor is public.
+ * Even if it's private modulus that is. Again, *length* is assumed
+ * public, but not *value*. Former is likely to be pre-defined by
+ * algorithm with bit granularity, though below subroutine is invariant
+ * of limb length. Thanks to this assumption we can require that |divisor|
+ * may not be zero-padded, yet claim this subroutine "constant-time"(*).
+ * This is because zero-padded dividend, |num|, is tolerated, so that
+ * caller can pass dividend of public length(*), but with smaller amount
+ * of significant limbs. This naturally means that quotient, |dv|, would
+ * contain correspongly less significant limbs as well, and will be zero-
+ * padded accordingly. Returned remainder, |rm|, will have same bit length
+ * as divisor, also zero-padded if needed. These actually leave sign bits
+ * in ambiguous state. In sense that we try to avoid negative zeros, while
+ * zero-padded zeros would retain sign.
+ *
+ * (*) "Constant-time-ness" has two pre-conditions:
+ *
+ * - availability of constant-time bn_div_3_words;
+ * - dividend is at least as "wide" as divisor, limb-wise, zero-padded
+ * if so requied, which shouldn't be a privacy problem, because
+ * divisor's length is considered public;
+ */
+int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num,
+ const BIGNUM *divisor, BN_CTX *ctx)
+{
+ int norm_shift, i, j, loop;
+ BIGNUM *tmp, *snum, *sdiv, *res;
+ BN_ULONG *resp, *wnum, *wnumtop;
+ BN_ULONG d0, d1;
+ int num_n, div_n;
- if (!no_branch && BN_ucmp(num, divisor) < 0) {
- if (rm != NULL) {
- if (BN_copy(rm, num) == NULL)
- return 0;
- }
- if (dv != NULL)
- BN_zero(dv);
- return 1;
- }
+ assert(divisor->top > 0 && divisor->d[divisor->top - 1] != 0);
+
+ bn_check_top(num);
+ bn_check_top(divisor);
+ bn_check_top(dv);
+ bn_check_top(rm);
BN_CTX_start(ctx);
res = (dv == NULL) ? BN_CTX_get(ctx) : dv;
@@ -198,113 +288,72 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
goto err;
/* First we normalise the numbers */
- norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2);
- if (!(BN_lshift(sdiv, divisor, norm_shift)))
+ if (!BN_copy(sdiv, divisor))
goto err;
+ norm_shift = bn_left_align(sdiv);
sdiv->neg = 0;
- norm_shift += BN_BITS2;
- if (!(BN_lshift(snum, num, norm_shift)))
+ /*
+ * Note that bn_lshift_fixed_top's output is always one limb longer
+ * than input, even when norm_shift is zero. This means that amount of
+ * inner loop iterations is invariant of dividend value, and that one
+ * doesn't need to compare dividend and divisor if they were originally
+ * of the same bit length.
+ */
+ if (!(bn_lshift_fixed_top(snum, num, norm_shift)))
goto err;
- snum->neg = 0;
-
- if (no_branch) {
- /*
- * Since we don't know whether snum is larger than sdiv, we pad snum
- * with enough zeroes without changing its value.
- */
- if (snum->top <= sdiv->top + 1) {
- if (bn_wexpand(snum, sdiv->top + 2) == NULL)
- goto err;
- for (i = snum->top; i < sdiv->top + 2; i++)
- snum->d[i] = 0;
- snum->top = sdiv->top + 2;
- } else {
- if (bn_wexpand(snum, snum->top + 1) == NULL)
- goto err;
- snum->d[snum->top] = 0;
- snum->top++;
- }
- }
div_n = sdiv->top;
num_n = snum->top;
+
+ if (num_n <= div_n) {
+ /* caller didn't pad dividend -> no constant-time guarantee... */
+ if (bn_wexpand(snum, div_n + 1) == NULL)
+ goto err;
+ memset(&(snum->d[num_n]), 0, (div_n - num_n + 1) * sizeof(BN_ULONG));
+ snum->top = num_n = div_n + 1;
+ }
+
loop = num_n - div_n;
/*
* Lets setup a 'window' into snum This is the part that corresponds to
* the current 'area' being divided
*/
- wnum.neg = 0;
- wnum.d = &(snum->d[loop]);
- wnum.top = div_n;
- wnum.flags = BN_FLG_STATIC_DATA;
- /*
- * only needed when BN_ucmp messes up the values between top and max
- */
- wnum.dmax = snum->dmax - loop; /* so we don't step out of bounds */
+ wnum = &(snum->d[loop]);
+ wnumtop = &(snum->d[num_n - 1]);
/* Get the top 2 words of sdiv */
- /* div_n=sdiv->top; */
d0 = sdiv->d[div_n - 1];
d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2];
- /* pointer to the 'top' of snum */
- wnump = &(snum->d[num_n - 1]);
-
- /* Setup to 'res' */
- if (!bn_wexpand(res, (loop + 1)))
+ /* Setup quotient */
+ if (!bn_wexpand(res, loop))
goto err;
res->neg = (num->neg ^ divisor->neg);
- res->top = loop - no_branch;
- resp = &(res->d[loop - 1]);
+ res->top = loop;
+ res->flags |= BN_FLG_FIXED_TOP;
+ resp = &(res->d[loop]);
/* space for temp */
if (!bn_wexpand(tmp, (div_n + 1)))
goto err;
- if (!no_branch) {
- if (BN_ucmp(&wnum, sdiv) >= 0) {
- /*
- * If BN_DEBUG_RAND is defined BN_ucmp changes (via bn_pollute)
- * the const bignum arguments => clean the values between top and
- * max again
- */
- bn_clear_top2max(&wnum);
- bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n);
- *resp = 1;
- } else
- res->top--;
- }
-
- /* Increase the resp pointer so that we never create an invalid pointer. */
- resp++;
-
- /*
- * if res->top == 0 then clear the neg value otherwise decrease the resp
- * pointer
- */
- if (res->top == 0)
- res->neg = 0;
- else
- resp--;
-
- for (i = 0; i < loop - 1; i++, wnump--) {
+ for (i = 0; i < loop; i++, wnumtop--) {
BN_ULONG q, l0;
/*
* the first part of the loop uses the top two words of snum and sdiv
* to calculate a BN_ULONG q such that | wnum - sdiv * q | < sdiv
*/
-# if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)
- BN_ULONG bn_div_3_words(BN_ULONG *, BN_ULONG, BN_ULONG);
- q = bn_div_3_words(wnump, d1, d0);
+# if defined(BN_DIV3W)
+ q = bn_div_3_words(wnumtop, d1, d0);
# else
BN_ULONG n0, n1, rem = 0;
- n0 = wnump[0];
- n1 = wnump[-1];
+ n0 = wnumtop[0];
+ n1 = wnumtop[-1];
if (n0 == d0)
q = BN_MASK2;
else { /* n0 < d0 */
-
+ BN_ULONG n2 = (wnumtop == wnum) ? 0 : wnumtop[-2];
# ifdef BN_LLONG
BN_ULLONG t2;
@@ -324,7 +373,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
t2 = (BN_ULLONG) d1 *q;
for (;;) {
- if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | wnump[-2]))
+ if (t2 <= ((((BN_ULLONG) rem) << BN_BITS2) | n2))
break;
q--;
rem += d0;
@@ -357,7 +406,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
# endif
for (;;) {
- if ((t2h < rem) || ((t2h == rem) && (t2l <= wnump[-2])))
+ if ((t2h < rem) || ((t2h == rem) && (t2l <= n2)))
break;
q--;
rem += d0;
@@ -373,43 +422,33 @@ int BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor,
l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
tmp->d[div_n] = l0;
- wnum.d--;
+ wnum--;
/*
- * ingore top values of the bignums just sub the two BN_ULONG arrays
+ * ignore top values of the bignums just sub the two BN_ULONG arrays
* with bn_sub_words
*/
- if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) {
- /*
- * Note: As we have considered only the leading two BN_ULONGs in
- * the calculation of q, sdiv * q might be greater than wnum (but
- * then (q-1) * sdiv is less or equal than wnum)
- */
- q--;
- if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n))
- /*
- * we can't have an overflow here (assuming that q != 0, but
- * if q == 0 then tmp is zero anyway)
- */
- (*wnump)++;
- }
- /* store part of the result */
- resp--;
- *resp = q;
- }
- bn_correct_top(snum);
- if (rm != NULL) {
+ l0 = bn_sub_words(wnum, wnum, tmp->d, div_n + 1);
+ q -= l0;
/*
- * Keep a copy of the neg flag in num because if rm==num BN_rshift()
- * will overwrite it.
+ * Note: As we have considered only the leading two BN_ULONGs in
+ * the calculation of q, sdiv * q might be greater than wnum (but
+ * then (q-1) * sdiv is less or equal than wnum)
*/
- int neg = num->neg;
- BN_rshift(rm, snum, norm_shift);
- if (!BN_is_zero(rm))
- rm->neg = neg;
- bn_check_top(rm);
+ for (l0 = 0 - l0, j = 0; j < div_n; j++)
+ tmp->d[j] = sdiv->d[j] & l0;
+ l0 = bn_add_words(wnum, wnum, tmp->d, div_n);
+ (*wnumtop) += l0;
+ assert((*wnumtop) == 0);
+
+ /* store part of the result */
+ *--resp = q;
}
- if (no_branch)
- bn_correct_top(res);
+ /* snum holds remainder, it's as wide as divisor */
+ snum->neg = num->neg;
+ snum->top = div_n;
+ snum->flags |= BN_FLG_FIXED_TOP;
+ if (rm != NULL)
+ bn_rshift_fixed_top(rm, snum, norm_shift);
BN_CTX_end(ctx);
return 1;
err:
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_exp.c b/freebsd/crypto/openssl/crypto/bn/bn_exp.c
index 7379621..ed5e604 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_exp.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_exp.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -650,34 +650,41 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
}
+ if (a->neg || BN_ucmp(a, m) >= 0) {
+ BIGNUM *reduced = BN_CTX_get(ctx);
+ if (reduced == NULL
+ || !BN_nnmod(reduced, a, m, ctx)) {
+ goto err;
+ }
+ a = reduced;
+ }
+
#ifdef RSAZ_ENABLED
- if (!a->neg) {
- /*
- * If the size of the operands allow it, perform the optimized
- * RSAZ exponentiation. For further information see
- * crypto/bn/rsaz_exp.c and accompanying assembly modules.
- */
- if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
- && rsaz_avx2_eligible()) {
- if (NULL == bn_wexpand(rr, 16))
- goto err;
- RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
- mont->n0[0]);
- rr->top = 16;
- rr->neg = 0;
- bn_correct_top(rr);
- ret = 1;
+ /*
+ * If the size of the operands allow it, perform the optimized
+ * RSAZ exponentiation. For further information see
+ * crypto/bn/rsaz_exp.c and accompanying assembly modules.
+ */
+ if ((16 == a->top) && (16 == p->top) && (BN_num_bits(m) == 1024)
+ && rsaz_avx2_eligible()) {
+ if (NULL == bn_wexpand(rr, 16))
goto err;
- } else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
- if (NULL == bn_wexpand(rr, 8))
- goto err;
- RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
- rr->top = 8;
- rr->neg = 0;
- bn_correct_top(rr);
- ret = 1;
+ RSAZ_1024_mod_exp_avx2(rr->d, a->d, p->d, m->d, mont->RR.d,
+ mont->n0[0]);
+ rr->top = 16;
+ rr->neg = 0;
+ bn_correct_top(rr);
+ ret = 1;
+ goto err;
+ } else if ((8 == a->top) && (8 == p->top) && (BN_num_bits(m) == 512)) {
+ if (NULL == bn_wexpand(rr, 8))
goto err;
- }
+ RSAZ_512_mod_exp(rr->d, a->d, p->d, m->d, mont->n0[0], mont->RR.d);
+ rr->top = 8;
+ rr->neg = 0;
+ bn_correct_top(rr);
+ ret = 1;
+ goto err;
}
#endif
@@ -749,12 +756,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
goto err;
/* prepare a^1 in Montgomery domain */
- if (a->neg || BN_ucmp(a, m) >= 0) {
- if (!BN_nnmod(&am, a, m, ctx))
- goto err;
- if (!bn_to_mont_fixed_top(&am, &am, mont, ctx))
- goto err;
- } else if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
+ if (!bn_to_mont_fixed_top(&am, a, mont, ctx))
goto err;
#if defined(SPARC_T4_MONT)
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_lib.c b/freebsd/crypto/openssl/crypto/bn/bn_lib.c
index 5521543..a37d544 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_lib.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -697,6 +697,9 @@ int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n)
int i;
BN_ULONG aa, bb;
+ if (n == 0)
+ return 0;
+
aa = a[n - 1];
bb = b[n - 1];
if (aa != bb)
@@ -739,26 +742,25 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl)
return bn_cmp_words(a, b, cl);
}
-/*
+/*-
* Constant-time conditional swap of a and b.
- * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
- * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
- * and that no more than nwords are used by either a or b.
- * a and b cannot be the same number
+ * a and b are swapped if condition is not 0.
+ * nwords is the number of words to swap.
+ * Assumes that at least nwords are allocated in both a and b.
+ * Assumes that no more than nwords are used by either a or b.
*/
void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
{
BN_ULONG t;
int i;
+ if (a == b)
+ return;
+
bn_wcheck_size(a, nwords);
bn_wcheck_size(b, nwords);
- assert(a != b);
- assert((condition & (condition - 1)) == 0);
- assert(sizeof(BN_ULONG) >= sizeof(int));
-
- condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
+ condition = ((~condition & ((condition - 1))) >> (BN_BITS2 - 1)) - 1;
t = (a->top ^ b->top) & condition;
a->top ^= t;
@@ -796,42 +798,16 @@ void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
a->flags ^= t;
b->flags ^= t;
-#define BN_CONSTTIME_SWAP(ind) \
- do { \
- t = (a->d[ind] ^ b->d[ind]) & condition; \
- a->d[ind] ^= t; \
- b->d[ind] ^= t; \
- } while (0)
-
- switch (nwords) {
- default:
- for (i = 10; i < nwords; i++)
- BN_CONSTTIME_SWAP(i);
- /* Fallthrough */
- case 10:
- BN_CONSTTIME_SWAP(9); /* Fallthrough */
- case 9:
- BN_CONSTTIME_SWAP(8); /* Fallthrough */
- case 8:
- BN_CONSTTIME_SWAP(7); /* Fallthrough */
- case 7:
- BN_CONSTTIME_SWAP(6); /* Fallthrough */
- case 6:
- BN_CONSTTIME_SWAP(5); /* Fallthrough */
- case 5:
- BN_CONSTTIME_SWAP(4); /* Fallthrough */
- case 4:
- BN_CONSTTIME_SWAP(3); /* Fallthrough */
- case 3:
- BN_CONSTTIME_SWAP(2); /* Fallthrough */
- case 2:
- BN_CONSTTIME_SWAP(1); /* Fallthrough */
- case 1:
- BN_CONSTTIME_SWAP(0);
- }
-#undef BN_CONSTTIME_SWAP
+ /* conditionally swap the data */
+ for (i = 0; i < nwords; i++) {
+ t = (a->d[i] ^ b->d[i]) & condition;
+ a->d[i] ^= t;
+ b->d[i] ^= t;
+ }
}
+#undef BN_CONSTTIME_SWAP_FLAGS
+
/* Bits of security, see SP800-57 */
int BN_security_bits(int L, int N)
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_prime.h b/freebsd/crypto/openssl/crypto/bn/bn_prime.h
index a64c963..2eb7b52 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_prime.h
+++ b/freebsd/crypto/openssl/crypto/bn/bn_prime.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/bn/bn_prime.pl
*
- * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/freebsd/crypto/openssl/crypto/bn/bn_shift.c b/freebsd/crypto/openssl/crypto/bn/bn_shift.c
index a619eb5..389fa02 100644
--- a/freebsd/crypto/openssl/crypto/bn/bn_shift.c
+++ b/freebsd/crypto/openssl/crypto/bn/bn_shift.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,6 +9,7 @@
* https://www.openssl.org/source/license.html
*/
+#include <assert.h>
#include "internal/cryptlib.h"
#include "bn_lcl.h"
@@ -84,40 +85,70 @@ int BN_rshift1(BIGNUM *r, const BIGNUM *a)
int BN_lshift(BIGNUM *r, const BIGNUM *a, int n)
{
- int i, nw, lb, rb;
- BN_ULONG *t, *f;
- BN_ULONG l;
-
- bn_check_top(r);
- bn_check_top(a);
+ int ret;
if (n < 0) {
BNerr(BN_F_BN_LSHIFT, BN_R_INVALID_SHIFT);
return 0;
}
+ ret = bn_lshift_fixed_top(r, a, n);
+
+ bn_correct_top(r);
+ bn_check_top(r);
+
+ return ret;
+}
+
+/*
+ * In respect to shift factor the execution time is invariant of
+ * |n % BN_BITS2|, but not |n / BN_BITS2|. Or in other words pre-condition
+ * for constant-time-ness is |n < BN_BITS2| or |n / BN_BITS2| being
+ * non-secret.
+ */
+int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
+{
+ int i, nw;
+ unsigned int lb, rb;
+ BN_ULONG *t, *f;
+ BN_ULONG l, m, rmask = 0;
+
+ assert(n >= 0);
+
+ bn_check_top(r);
+ bn_check_top(a);
+
nw = n / BN_BITS2;
if (bn_wexpand(r, a->top + nw + 1) == NULL)
return 0;
- r->neg = a->neg;
- lb = n % BN_BITS2;
- rb = BN_BITS2 - lb;
- f = a->d;
- t = r->d;
- t[a->top + nw] = 0;
- if (lb == 0)
- for (i = a->top - 1; i >= 0; i--)
- t[nw + i] = f[i];
- else
- for (i = a->top - 1; i >= 0; i--) {
- l = f[i];
- t[nw + i + 1] |= (l >> rb) & BN_MASK2;
- t[nw + i] = (l << lb) & BN_MASK2;
+
+ if (a->top != 0) {
+ lb = (unsigned int)n % BN_BITS2;
+ rb = BN_BITS2 - lb;
+ rb %= BN_BITS2; /* say no to undefined behaviour */
+ rmask = (BN_ULONG)0 - rb; /* rmask = 0 - (rb != 0) */
+ rmask |= rmask >> 8;
+ f = &(a->d[0]);
+ t = &(r->d[nw]);
+ l = f[a->top - 1];
+ t[a->top] = (l >> rb) & rmask;
+ for (i = a->top - 1; i > 0; i--) {
+ m = l << lb;
+ l = f[i - 1];
+ t[i] = (m | ((l >> rb) & rmask)) & BN_MASK2;
}
- memset(t, 0, sizeof(*t) * nw);
+ t[0] = (l << lb) & BN_MASK2;
+ } else {
+ /* shouldn't happen, but formally required */
+ r->d[nw] = 0;
+ }
+ if (nw != 0)
+ memset(r->d, 0, sizeof(*t) * nw);
+
+ r->neg = a->neg;
r->top = a->top + nw + 1;
- bn_correct_top(r);
- bn_check_top(r);
+ r->flags |= BN_FLG_FIXED_TOP;
+
return 1;
}
@@ -175,3 +206,54 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
bn_check_top(r);
return 1;
}
+
+/*
+ * In respect to shift factor the execution time is invariant of
+ * |n % BN_BITS2|, but not |n / BN_BITS2|. Or in other words pre-condition
+ * for constant-time-ness for sufficiently[!] zero-padded inputs is
+ * |n < BN_BITS2| or |n / BN_BITS2| being non-secret.
+ */
+int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
+{
+ int i, top, nw;
+ unsigned int lb, rb;
+ BN_ULONG *t, *f;
+ BN_ULONG l, m, mask;
+
+ bn_check_top(r);
+ bn_check_top(a);
+
+ assert(n >= 0);
+
+ nw = n / BN_BITS2;
+ if (nw >= a->top) {
+ /* shouldn't happen, but formally required */
+ BN_zero(r);
+ return 1;
+ }
+
+ rb = (unsigned int)n % BN_BITS2;
+ lb = BN_BITS2 - rb;
+ lb %= BN_BITS2; /* say no to undefined behaviour */
+ mask = (BN_ULONG)0 - lb; /* mask = 0 - (lb != 0) */
+ mask |= mask >> 8;
+ top = a->top - nw;
+ if (r != a && bn_wexpand(r, top) == NULL)
+ return 0;
+
+ t = &(r->d[0]);
+ f = &(a->d[nw]);
+ l = f[0];
+ for (i = 0; i < top - 1; i++) {
+ m = f[i + 1];
+ t[i] = (l >> rb) | ((m << lb) & mask);
+ l = m;
+ }
+ t[i] = l >> rb;
+
+ r->neg = a->neg;
+ r->top = top;
+ r->flags |= BN_FLG_FIXED_TOP;
+
+ return 1;
+}
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_kari.c b/freebsd/crypto/openssl/crypto/cms/cms_kari.c
index 0bff708..4c39c33 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_kari.c
+++ b/freebsd/crypto/openssl/crypto/cms/cms_kari.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -284,7 +284,7 @@ static int cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari,
return rv;
}
-/* Initialise a ktri based on passed certificate and key */
+/* Initialise a kari based on passed certificate and key */
int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
EVP_PKEY *pk, unsigned int flags)
@@ -301,6 +301,9 @@ int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
kari->version = 3;
rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
+ if (rek == NULL)
+ return 0;
+
if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) {
M_ASN1_free_of(rek, CMS_RecipientEncryptedKey);
return 0;
diff --git a/freebsd/crypto/openssl/crypto/cms/cms_pwri.c b/freebsd/crypto/openssl/crypto/cms/cms_pwri.c
index 24b5e9e..cb575a0 100644
--- a/freebsd/crypto/openssl/crypto/cms/cms_pwri.c
+++ b/freebsd/crypto/openssl/crypto/cms/cms_pwri.c
@@ -375,6 +375,7 @@ int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
goto err;
}
+ OPENSSL_clear_free(ec->key, ec->keylen);
ec->key = key;
ec->keylen = keylen;
diff --git a/freebsd/crypto/openssl/crypto/conf/conf_def.c b/freebsd/crypto/openssl/crypto/conf/conf_def.c
index 03bf930..c8e1068 100644
--- a/freebsd/crypto/openssl/crypto/conf/conf_def.c
+++ b/freebsd/crypto/openssl/crypto/conf/conf_def.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -350,10 +350,15 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
psection = section;
}
p = eat_ws(conf, end);
- if (strncmp(pname, ".include", 8) == 0 && p != pname + 8) {
+ if (strncmp(pname, ".include", 8) == 0
+ && (p != pname + 8 || *p == '=')) {
char *include = NULL;
BIO *next;
+ if (*p == '=') {
+ p++;
+ p = eat_ws(conf, p);
+ }
trim_ws(conf, p);
if (!str_copy(conf, psection, &include, p))
goto err;
diff --git a/freebsd/crypto/openssl/crypto/conf/conf_def.h b/freebsd/crypto/openssl/crypto/conf/conf_def.h
index 73e88ba..2016d31 100644
--- a/freebsd/crypto/openssl/crypto/conf/conf_def.h
+++ b/freebsd/crypto/openssl/crypto/conf/conf_def.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/conf/keysets.pl
*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
diff --git a/freebsd/crypto/openssl/crypto/conf/conf_lib.c b/freebsd/crypto/openssl/crypto/conf/conf_lib.c
index 3e44551..5c029a1 100644
--- a/freebsd/crypto/openssl/crypto/conf/conf_lib.c
+++ b/freebsd/crypto/openssl/crypto/conf/conf_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -360,11 +360,36 @@ OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void)
if (ret != NULL)
memset(ret, 0, sizeof(*ret));
+ ret->flags = DEFAULT_CONF_MFLAGS;
+
return ret;
}
#ifndef OPENSSL_NO_STDIO
+int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings,
+ const char *filename)
+{
+ char *newfilename = NULL;
+
+ if (filename != NULL) {
+ newfilename = strdup(filename);
+ if (newfilename == NULL)
+ return 0;
+ }
+
+ free(settings->filename);
+ settings->filename = newfilename;
+
+ return 1;
+}
+
+void OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *settings,
+ unsigned long flags)
+{
+ settings->flags = flags;
+}
+
int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
const char *appname)
{
@@ -385,6 +410,7 @@ int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings)
{
+ free(settings->filename);
free(settings->appname);
free(settings);
}
diff --git a/freebsd/crypto/openssl/crypto/conf/conf_mod.c b/freebsd/crypto/openssl/crypto/conf/conf_mod.c
index dd8ba39..c099e76 100644
--- a/freebsd/crypto/openssl/crypto/conf/conf_mod.c
+++ b/freebsd/crypto/openssl/crypto/conf/conf_mod.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -148,6 +148,9 @@ int CONF_modules_load_file(const char *filename, const char *appname,
OPENSSL_free(file);
NCONF_free(conf);
+ if (flags & CONF_MFLAGS_IGNORE_RETURN_CODES)
+ return 1;
+
return ret;
}
diff --git a/freebsd/crypto/openssl/crypto/conf/conf_sap.c b/freebsd/crypto/openssl/crypto/conf/conf_sap.c
index 8779ebf..a76b366 100644
--- a/freebsd/crypto/openssl/crypto/conf/conf_sap.c
+++ b/freebsd/crypto/openssl/crypto/conf/conf_sap.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -41,10 +41,24 @@ void OPENSSL_config(const char *appname)
}
#endif
-void openssl_config_int(const char *appname)
+int openssl_config_int(const OPENSSL_INIT_SETTINGS *settings)
{
+ int ret;
+ const char *filename;
+ const char *appname;
+ unsigned long flags;
+
if (openssl_configured)
- return;
+ return 1;
+
+ filename = settings ? settings->filename : NULL;
+ appname = settings ? settings->appname : NULL;
+ flags = settings ? settings->flags : DEFAULT_CONF_MFLAGS;
+
+#ifdef OPENSSL_INIT_DEBUG
+ fprintf(stderr, "OPENSSL_INIT: openssl_config_int(%s, %s, %lu)\n",
+ filename, appname, flags);
+#endif
OPENSSL_load_builtin_modules();
#ifndef OPENSSL_NO_ENGINE
@@ -53,11 +67,10 @@ void openssl_config_int(const char *appname)
#endif
ERR_clear_error();
#ifndef OPENSSL_SYS_UEFI
- CONF_modules_load_file(NULL, appname,
- CONF_MFLAGS_DEFAULT_SECTION |
- CONF_MFLAGS_IGNORE_MISSING_FILE);
+ ret = CONF_modules_load_file(filename, appname, flags);
#endif
openssl_configured = 1;
+ return ret;
}
void openssl_no_config_int(void)
diff --git a/freebsd/crypto/openssl/crypto/conf/conf_ssl.c b/freebsd/crypto/openssl/crypto/conf/conf_ssl.c
index 0899d0e..cc0ee24 100644
--- a/freebsd/crypto/openssl/crypto/conf/conf_ssl.c
+++ b/freebsd/crypto/openssl/crypto/conf/conf_ssl.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -80,6 +80,8 @@ static int ssl_module_init(CONF_IMODULE *md, const CONF *cnf)
cnt = sk_CONF_VALUE_num(cmd_lists);
ssl_module_free(md);
ssl_names = OPENSSL_zalloc(sizeof(*ssl_names) * cnt);
+ if (ssl_names == NULL)
+ goto err;
ssl_names_count = cnt;
for (i = 0; i < ssl_names_count; i++) {
struct ssl_conf_name_st *ssl_name = ssl_names + i;
diff --git a/freebsd/crypto/openssl/crypto/cryptlib.c b/freebsd/crypto/openssl/crypto/cryptlib.c
index 0262eb4..7f759e2 100644
--- a/freebsd/crypto/openssl/crypto/cryptlib.c
+++ b/freebsd/crypto/openssl/crypto/cryptlib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -354,9 +354,9 @@ void OPENSSL_showfatal(const char *fmta, ...)
/*
* TODO: (For non GUI and no std error cases)
- * Add event logging feature here.
+ * Add event logging feature here.
*/
-
+
# if !defined(NDEBUG)
/*
* We are in a situation where we tried to report a critical
@@ -395,7 +395,7 @@ void OPENSSL_showfatal(const char *fmta, ...)
# endif
# else
MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR);
-# endif
+# endif
}
#else
void OPENSSL_showfatal(const char *fmta, ...)
@@ -462,4 +462,14 @@ uint32_t OPENSSL_rdtsc(void)
{
return 0;
}
+
+size_t OPENSSL_instrument_bus(unsigned int *out, size_t cnt)
+{
+ return 0;
+}
+
+size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max)
+{
+ return 0;
+}
#endif
diff --git a/freebsd/crypto/openssl/crypto/ec/curve25519.c b/freebsd/crypto/openssl/crypto/ec/curve25519.c
index d87e9e6..8594d4e 100644
--- a/freebsd/crypto/openssl/crypto/ec/curve25519.c
+++ b/freebsd/crypto/openssl/crypto/ec/curve25519.c
@@ -746,91 +746,99 @@ static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
/*
* Reference base 2^25.5 implementation.
- */
-/*
+ *
* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
* 20141124 (http://bench.cr.yp.to/supercop.html).
*
* The field functions are shared by Ed25519 and X25519 where possible.
*/
-/* fe means field element. Here the field is \Z/(2^255-19). An element t,
+/*
+ * fe means field element. Here the field is \Z/(2^255-19). An element t,
* entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
* t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
- * context. */
+ * context.
+ */
typedef int32_t fe[10];
+static const int64_t kBottom21Bits = 0x1fffffLL;
static const int64_t kBottom25Bits = 0x1ffffffLL;
static const int64_t kBottom26Bits = 0x3ffffffLL;
static const int64_t kTop39Bits = 0xfffffffffe000000LL;
static const int64_t kTop38Bits = 0xfffffffffc000000LL;
-static uint64_t load_3(const uint8_t *in) {
- uint64_t result;
- result = (uint64_t)in[0];
- result |= ((uint64_t)in[1]) << 8;
- result |= ((uint64_t)in[2]) << 16;
- return result;
+static uint64_t load_3(const uint8_t *in)
+{
+ uint64_t result;
+
+ result = ((uint64_t)in[0]);
+ result |= ((uint64_t)in[1]) << 8;
+ result |= ((uint64_t)in[2]) << 16;
+ return result;
}
-static uint64_t load_4(const uint8_t *in) {
- uint64_t result;
- result = (uint64_t)in[0];
- result |= ((uint64_t)in[1]) << 8;
- result |= ((uint64_t)in[2]) << 16;
- result |= ((uint64_t)in[3]) << 24;
- return result;
+static uint64_t load_4(const uint8_t *in)
+{
+ uint64_t result;
+
+ result = ((uint64_t)in[0]);
+ result |= ((uint64_t)in[1]) << 8;
+ result |= ((uint64_t)in[2]) << 16;
+ result |= ((uint64_t)in[3]) << 24;
+ return result;
}
-static void fe_frombytes(fe h, const uint8_t *s) {
- /* Ignores top bit of h. */
- int64_t h0 = load_4(s);
- int64_t h1 = load_3(s + 4) << 6;
- int64_t h2 = load_3(s + 7) << 5;
- int64_t h3 = load_3(s + 10) << 3;
- int64_t h4 = load_3(s + 13) << 2;
- int64_t h5 = load_4(s + 16);
- int64_t h6 = load_3(s + 20) << 7;
- int64_t h7 = load_3(s + 23) << 5;
- int64_t h8 = load_3(s + 26) << 4;
- int64_t h9 = (load_3(s + 29) & 8388607) << 2;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
-
- carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
- carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
- carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
- carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
- carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
- carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
-
- h[0] = (int32_t)h0;
- h[1] = (int32_t)h1;
- h[2] = (int32_t)h2;
- h[3] = (int32_t)h3;
- h[4] = (int32_t)h4;
- h[5] = (int32_t)h5;
- h[6] = (int32_t)h6;
- h[7] = (int32_t)h7;
- h[8] = (int32_t)h8;
- h[9] = (int32_t)h9;
+static void fe_frombytes(fe h, const uint8_t *s)
+{
+ /* Ignores top bit of h. */
+ int64_t h0 = load_4(s);
+ int64_t h1 = load_3(s + 4) << 6;
+ int64_t h2 = load_3(s + 7) << 5;
+ int64_t h3 = load_3(s + 10) << 3;
+ int64_t h4 = load_3(s + 13) << 2;
+ int64_t h5 = load_4(s + 16);
+ int64_t h6 = load_3(s + 20) << 7;
+ int64_t h7 = load_3(s + 23) << 5;
+ int64_t h8 = load_3(s + 26) << 4;
+ int64_t h9 = (load_3(s + 29) & 0x7fffff) << 2;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
+ carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
+ carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
+ carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
+ carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+ carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+ carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
+ carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
+
+ h[0] = (int32_t)h0;
+ h[1] = (int32_t)h1;
+ h[2] = (int32_t)h2;
+ h[3] = (int32_t)h3;
+ h[4] = (int32_t)h4;
+ h[5] = (int32_t)h5;
+ h[6] = (int32_t)h6;
+ h[7] = (int32_t)h7;
+ h[8] = (int32_t)h8;
+ h[9] = (int32_t)h9;
}
-/* Preconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+/*
+ * Preconditions:
+ * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*
* Write p=2^255-19; q=floor(h/p).
* Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
@@ -850,102 +858,112 @@ static void fe_frombytes(fe h, const uint8_t *s) {
* Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
*
* Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
- * so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. */
-static void fe_tobytes(uint8_t *s, const fe h) {
- int32_t h0 = h[0];
- int32_t h1 = h[1];
- int32_t h2 = h[2];
- int32_t h3 = h[3];
- int32_t h4 = h[4];
- int32_t h5 = h[5];
- int32_t h6 = h[6];
- int32_t h7 = h[7];
- int32_t h8 = h[8];
- int32_t h9 = h[9];
- int32_t q;
-
- q = (19 * h9 + (((int32_t) 1) << 24)) >> 25;
- q = (h0 + q) >> 26;
- q = (h1 + q) >> 25;
- q = (h2 + q) >> 26;
- q = (h3 + q) >> 25;
- q = (h4 + q) >> 26;
- q = (h5 + q) >> 25;
- q = (h6 + q) >> 26;
- q = (h7 + q) >> 25;
- q = (h8 + q) >> 26;
- q = (h9 + q) >> 25;
-
- /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
- h0 += 19 * q;
- /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
-
- h1 += h0 >> 26; h0 &= kBottom26Bits;
- h2 += h1 >> 25; h1 &= kBottom25Bits;
- h3 += h2 >> 26; h2 &= kBottom26Bits;
- h4 += h3 >> 25; h3 &= kBottom25Bits;
- h5 += h4 >> 26; h4 &= kBottom26Bits;
- h6 += h5 >> 25; h5 &= kBottom25Bits;
- h7 += h6 >> 26; h6 &= kBottom26Bits;
- h8 += h7 >> 25; h7 &= kBottom25Bits;
- h9 += h8 >> 26; h8 &= kBottom26Bits;
- h9 &= kBottom25Bits;
- /* h10 = carry9 */
-
- /* Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
- * Have h0+...+2^230 h9 between 0 and 2^255-1;
- * evidently 2^255 h10-2^255 q = 0.
- * Goal: Output h0+...+2^230 h9. */
-
- s[0] = (uint8_t)(h0 >> 0);
- s[1] = (uint8_t)(h0 >> 8);
- s[2] = (uint8_t)(h0 >> 16);
- s[3] = (uint8_t)((h0 >> 24) | ((uint32_t)(h1) << 2));
- s[4] = (uint8_t)(h1 >> 6);
- s[5] = (uint8_t)(h1 >> 14);
- s[6] = (uint8_t)((h1 >> 22) | ((uint32_t)(h2) << 3));
- s[7] = (uint8_t)(h2 >> 5);
- s[8] = (uint8_t)(h2 >> 13);
- s[9] = (uint8_t)((h2 >> 21) | ((uint32_t)(h3) << 5));
- s[10] = (uint8_t)(h3 >> 3);
- s[11] = (uint8_t)(h3 >> 11);
- s[12] = (uint8_t)((h3 >> 19) | ((uint32_t)(h4) << 6));
- s[13] = (uint8_t)(h4 >> 2);
- s[14] = (uint8_t)(h4 >> 10);
- s[15] = (uint8_t)(h4 >> 18);
- s[16] = (uint8_t)(h5 >> 0);
- s[17] = (uint8_t)(h5 >> 8);
- s[18] = (uint8_t)(h5 >> 16);
- s[19] = (uint8_t)((h5 >> 24) | ((uint32_t)(h6) << 1));
- s[20] = (uint8_t)(h6 >> 7);
- s[21] = (uint8_t)(h6 >> 15);
- s[22] = (uint8_t)((h6 >> 23) | ((uint32_t)(h7) << 3));
- s[23] = (uint8_t)(h7 >> 5);
- s[24] = (uint8_t)(h7 >> 13);
- s[25] = (uint8_t)((h7 >> 21) | ((uint32_t)(h8) << 4));
- s[26] = (uint8_t)(h8 >> 4);
- s[27] = (uint8_t)(h8 >> 12);
- s[28] = (uint8_t)((h8 >> 20) | ((uint32_t)(h9) << 6));
- s[29] = (uint8_t)(h9 >> 2);
- s[30] = (uint8_t)(h9 >> 10);
- s[31] = (uint8_t)(h9 >> 18);
+ * so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
+ */
+static void fe_tobytes(uint8_t *s, const fe h)
+{
+ int32_t h0 = h[0];
+ int32_t h1 = h[1];
+ int32_t h2 = h[2];
+ int32_t h3 = h[3];
+ int32_t h4 = h[4];
+ int32_t h5 = h[5];
+ int32_t h6 = h[6];
+ int32_t h7 = h[7];
+ int32_t h8 = h[8];
+ int32_t h9 = h[9];
+ int32_t q;
+
+ q = (19 * h9 + (((int32_t) 1) << 24)) >> 25;
+ q = (h0 + q) >> 26;
+ q = (h1 + q) >> 25;
+ q = (h2 + q) >> 26;
+ q = (h3 + q) >> 25;
+ q = (h4 + q) >> 26;
+ q = (h5 + q) >> 25;
+ q = (h6 + q) >> 26;
+ q = (h7 + q) >> 25;
+ q = (h8 + q) >> 26;
+ q = (h9 + q) >> 25;
+
+ /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
+ h0 += 19 * q;
+ /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
+
+ h1 += h0 >> 26; h0 &= kBottom26Bits;
+ h2 += h1 >> 25; h1 &= kBottom25Bits;
+ h3 += h2 >> 26; h2 &= kBottom26Bits;
+ h4 += h3 >> 25; h3 &= kBottom25Bits;
+ h5 += h4 >> 26; h4 &= kBottom26Bits;
+ h6 += h5 >> 25; h5 &= kBottom25Bits;
+ h7 += h6 >> 26; h6 &= kBottom26Bits;
+ h8 += h7 >> 25; h7 &= kBottom25Bits;
+ h9 += h8 >> 26; h8 &= kBottom26Bits;
+ h9 &= kBottom25Bits;
+ /* h10 = carry9 */
+
+ /*
+ * Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
+ * Have h0+...+2^230 h9 between 0 and 2^255-1;
+ * evidently 2^255 h10-2^255 q = 0.
+ * Goal: Output h0+...+2^230 h9.
+ */
+ s[ 0] = (uint8_t) (h0 >> 0);
+ s[ 1] = (uint8_t) (h0 >> 8);
+ s[ 2] = (uint8_t) (h0 >> 16);
+ s[ 3] = (uint8_t)((h0 >> 24) | ((uint32_t)(h1) << 2));
+ s[ 4] = (uint8_t) (h1 >> 6);
+ s[ 5] = (uint8_t) (h1 >> 14);
+ s[ 6] = (uint8_t)((h1 >> 22) | ((uint32_t)(h2) << 3));
+ s[ 7] = (uint8_t) (h2 >> 5);
+ s[ 8] = (uint8_t) (h2 >> 13);
+ s[ 9] = (uint8_t)((h2 >> 21) | ((uint32_t)(h3) << 5));
+ s[10] = (uint8_t) (h3 >> 3);
+ s[11] = (uint8_t) (h3 >> 11);
+ s[12] = (uint8_t)((h3 >> 19) | ((uint32_t)(h4) << 6));
+ s[13] = (uint8_t) (h4 >> 2);
+ s[14] = (uint8_t) (h4 >> 10);
+ s[15] = (uint8_t) (h4 >> 18);
+ s[16] = (uint8_t) (h5 >> 0);
+ s[17] = (uint8_t) (h5 >> 8);
+ s[18] = (uint8_t) (h5 >> 16);
+ s[19] = (uint8_t)((h5 >> 24) | ((uint32_t)(h6) << 1));
+ s[20] = (uint8_t) (h6 >> 7);
+ s[21] = (uint8_t) (h6 >> 15);
+ s[22] = (uint8_t)((h6 >> 23) | ((uint32_t)(h7) << 3));
+ s[23] = (uint8_t) (h7 >> 5);
+ s[24] = (uint8_t) (h7 >> 13);
+ s[25] = (uint8_t)((h7 >> 21) | ((uint32_t)(h8) << 4));
+ s[26] = (uint8_t) (h8 >> 4);
+ s[27] = (uint8_t) (h8 >> 12);
+ s[28] = (uint8_t)((h8 >> 20) | ((uint32_t)(h9) << 6));
+ s[29] = (uint8_t) (h9 >> 2);
+ s[30] = (uint8_t) (h9 >> 10);
+ s[31] = (uint8_t) (h9 >> 18);
}
/* h = f */
-static void fe_copy(fe h, const fe f) {
- memmove(h, f, sizeof(int32_t) * 10);
+static void fe_copy(fe h, const fe f)
+{
+ memmove(h, f, sizeof(int32_t) * 10);
}
/* h = 0 */
-static void fe_0(fe h) { memset(h, 0, sizeof(int32_t) * 10); }
+static void fe_0(fe h)
+{
+ memset(h, 0, sizeof(int32_t) * 10);
+}
/* h = 1 */
-static void fe_1(fe h) {
- memset(h, 0, sizeof(int32_t) * 10);
- h[0] = 1;
+static void fe_1(fe h)
+{
+ memset(h, 0, sizeof(int32_t) * 10);
+ h[0] = 1;
}
-/* h = f + g
+/*
+ * h = f + g
+ *
* Can overlap h with f or g.
*
* Preconditions:
@@ -953,15 +971,20 @@ static void fe_1(fe h) {
* |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*
* Postconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
-static void fe_add(fe h, const fe f, const fe g) {
- unsigned i;
- for (i = 0; i < 10; i++) {
- h[i] = f[i] + g[i];
- }
+ * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+static void fe_add(fe h, const fe f, const fe g)
+{
+ unsigned i;
+
+ for (i = 0; i < 10; i++) {
+ h[i] = f[i] + g[i];
+ }
}
-/* h = f - g
+/*
+ * h = f - g
+ *
* Can overlap h with f or g.
*
* Preconditions:
@@ -969,15 +992,20 @@ static void fe_add(fe h, const fe f, const fe g) {
* |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*
* Postconditions:
- * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
-static void fe_sub(fe h, const fe f, const fe g) {
- unsigned i;
- for (i = 0; i < 10; i++) {
- h[i] = f[i] - g[i];
- }
+ * |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+static void fe_sub(fe h, const fe f, const fe g)
+{
+ unsigned i;
+
+ for (i = 0; i < 10; i++) {
+ h[i] = f[i] - g[i];
+ }
}
-/* h = f * g
+/*
+ * h = f * g
+ *
* Can overlap h with f or g.
*
* Preconditions:
@@ -1003,224 +1031,228 @@ static void fe_sub(fe h, const fe f, const fe g) {
* 10 of them are 2-way parallelizable and vectorizable.
* Can get away with 11 carries, but then data flow is much deeper.
*
- * With tighter constraints on inputs can squeeze carries into int32. */
-static void fe_mul(fe h, const fe f, const fe g) {
- int32_t f0 = f[0];
- int32_t f1 = f[1];
- int32_t f2 = f[2];
- int32_t f3 = f[3];
- int32_t f4 = f[4];
- int32_t f5 = f[5];
- int32_t f6 = f[6];
- int32_t f7 = f[7];
- int32_t f8 = f[8];
- int32_t f9 = f[9];
- int32_t g0 = g[0];
- int32_t g1 = g[1];
- int32_t g2 = g[2];
- int32_t g3 = g[3];
- int32_t g4 = g[4];
- int32_t g5 = g[5];
- int32_t g6 = g[6];
- int32_t g7 = g[7];
- int32_t g8 = g[8];
- int32_t g9 = g[9];
- int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
- int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
- int32_t g3_19 = 19 * g3;
- int32_t g4_19 = 19 * g4;
- int32_t g5_19 = 19 * g5;
- int32_t g6_19 = 19 * g6;
- int32_t g7_19 = 19 * g7;
- int32_t g8_19 = 19 * g8;
- int32_t g9_19 = 19 * g9;
- int32_t f1_2 = 2 * f1;
- int32_t f3_2 = 2 * f3;
- int32_t f5_2 = 2 * f5;
- int32_t f7_2 = 2 * f7;
- int32_t f9_2 = 2 * f9;
- int64_t f0g0 = f0 * (int64_t) g0;
- int64_t f0g1 = f0 * (int64_t) g1;
- int64_t f0g2 = f0 * (int64_t) g2;
- int64_t f0g3 = f0 * (int64_t) g3;
- int64_t f0g4 = f0 * (int64_t) g4;
- int64_t f0g5 = f0 * (int64_t) g5;
- int64_t f0g6 = f0 * (int64_t) g6;
- int64_t f0g7 = f0 * (int64_t) g7;
- int64_t f0g8 = f0 * (int64_t) g8;
- int64_t f0g9 = f0 * (int64_t) g9;
- int64_t f1g0 = f1 * (int64_t) g0;
- int64_t f1g1_2 = f1_2 * (int64_t) g1;
- int64_t f1g2 = f1 * (int64_t) g2;
- int64_t f1g3_2 = f1_2 * (int64_t) g3;
- int64_t f1g4 = f1 * (int64_t) g4;
- int64_t f1g5_2 = f1_2 * (int64_t) g5;
- int64_t f1g6 = f1 * (int64_t) g6;
- int64_t f1g7_2 = f1_2 * (int64_t) g7;
- int64_t f1g8 = f1 * (int64_t) g8;
- int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
- int64_t f2g0 = f2 * (int64_t) g0;
- int64_t f2g1 = f2 * (int64_t) g1;
- int64_t f2g2 = f2 * (int64_t) g2;
- int64_t f2g3 = f2 * (int64_t) g3;
- int64_t f2g4 = f2 * (int64_t) g4;
- int64_t f2g5 = f2 * (int64_t) g5;
- int64_t f2g6 = f2 * (int64_t) g6;
- int64_t f2g7 = f2 * (int64_t) g7;
- int64_t f2g8_19 = f2 * (int64_t) g8_19;
- int64_t f2g9_19 = f2 * (int64_t) g9_19;
- int64_t f3g0 = f3 * (int64_t) g0;
- int64_t f3g1_2 = f3_2 * (int64_t) g1;
- int64_t f3g2 = f3 * (int64_t) g2;
- int64_t f3g3_2 = f3_2 * (int64_t) g3;
- int64_t f3g4 = f3 * (int64_t) g4;
- int64_t f3g5_2 = f3_2 * (int64_t) g5;
- int64_t f3g6 = f3 * (int64_t) g6;
- int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
- int64_t f3g8_19 = f3 * (int64_t) g8_19;
- int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
- int64_t f4g0 = f4 * (int64_t) g0;
- int64_t f4g1 = f4 * (int64_t) g1;
- int64_t f4g2 = f4 * (int64_t) g2;
- int64_t f4g3 = f4 * (int64_t) g3;
- int64_t f4g4 = f4 * (int64_t) g4;
- int64_t f4g5 = f4 * (int64_t) g5;
- int64_t f4g6_19 = f4 * (int64_t) g6_19;
- int64_t f4g7_19 = f4 * (int64_t) g7_19;
- int64_t f4g8_19 = f4 * (int64_t) g8_19;
- int64_t f4g9_19 = f4 * (int64_t) g9_19;
- int64_t f5g0 = f5 * (int64_t) g0;
- int64_t f5g1_2 = f5_2 * (int64_t) g1;
- int64_t f5g2 = f5 * (int64_t) g2;
- int64_t f5g3_2 = f5_2 * (int64_t) g3;
- int64_t f5g4 = f5 * (int64_t) g4;
- int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
- int64_t f5g6_19 = f5 * (int64_t) g6_19;
- int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
- int64_t f5g8_19 = f5 * (int64_t) g8_19;
- int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
- int64_t f6g0 = f6 * (int64_t) g0;
- int64_t f6g1 = f6 * (int64_t) g1;
- int64_t f6g2 = f6 * (int64_t) g2;
- int64_t f6g3 = f6 * (int64_t) g3;
- int64_t f6g4_19 = f6 * (int64_t) g4_19;
- int64_t f6g5_19 = f6 * (int64_t) g5_19;
- int64_t f6g6_19 = f6 * (int64_t) g6_19;
- int64_t f6g7_19 = f6 * (int64_t) g7_19;
- int64_t f6g8_19 = f6 * (int64_t) g8_19;
- int64_t f6g9_19 = f6 * (int64_t) g9_19;
- int64_t f7g0 = f7 * (int64_t) g0;
- int64_t f7g1_2 = f7_2 * (int64_t) g1;
- int64_t f7g2 = f7 * (int64_t) g2;
- int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
- int64_t f7g4_19 = f7 * (int64_t) g4_19;
- int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
- int64_t f7g6_19 = f7 * (int64_t) g6_19;
- int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
- int64_t f7g8_19 = f7 * (int64_t) g8_19;
- int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
- int64_t f8g0 = f8 * (int64_t) g0;
- int64_t f8g1 = f8 * (int64_t) g1;
- int64_t f8g2_19 = f8 * (int64_t) g2_19;
- int64_t f8g3_19 = f8 * (int64_t) g3_19;
- int64_t f8g4_19 = f8 * (int64_t) g4_19;
- int64_t f8g5_19 = f8 * (int64_t) g5_19;
- int64_t f8g6_19 = f8 * (int64_t) g6_19;
- int64_t f8g7_19 = f8 * (int64_t) g7_19;
- int64_t f8g8_19 = f8 * (int64_t) g8_19;
- int64_t f8g9_19 = f8 * (int64_t) g9_19;
- int64_t f9g0 = f9 * (int64_t) g0;
- int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
- int64_t f9g2_19 = f9 * (int64_t) g2_19;
- int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
- int64_t f9g4_19 = f9 * (int64_t) g4_19;
- int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
- int64_t f9g6_19 = f9 * (int64_t) g6_19;
- int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
- int64_t f9g8_19 = f9 * (int64_t) g8_19;
- int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
- int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38;
- int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19;
- int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38;
- int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19;
- int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38;
- int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19;
- int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38;
- int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19;
- int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 +f8g0 +f9g9_38;
- int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
-
- /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
- * i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
- * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
- * i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- /* |h0| <= 2^25 */
- /* |h4| <= 2^25 */
- /* |h1| <= 1.71*2^59 */
- /* |h5| <= 1.71*2^59 */
-
- carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
- carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
- /* |h1| <= 2^24; from now on fits into int32 */
- /* |h5| <= 2^24; from now on fits into int32 */
- /* |h2| <= 1.41*2^60 */
- /* |h6| <= 1.41*2^60 */
-
- carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
- carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
- /* |h2| <= 2^25; from now on fits into int32 unchanged */
- /* |h6| <= 2^25; from now on fits into int32 unchanged */
- /* |h3| <= 1.71*2^59 */
- /* |h7| <= 1.71*2^59 */
-
- carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
- carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
- /* |h3| <= 2^24; from now on fits into int32 unchanged */
- /* |h7| <= 2^24; from now on fits into int32 unchanged */
- /* |h4| <= 1.72*2^34 */
- /* |h8| <= 1.41*2^60 */
-
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
- /* |h4| <= 2^25; from now on fits into int32 unchanged */
- /* |h8| <= 2^25; from now on fits into int32 unchanged */
- /* |h5| <= 1.01*2^24 */
- /* |h9| <= 1.71*2^59 */
-
- carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
- /* |h9| <= 2^24; from now on fits into int32 unchanged */
- /* |h0| <= 1.1*2^39 */
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- /* |h0| <= 2^25; from now on fits into int32 unchanged */
- /* |h1| <= 1.01*2^24 */
-
- h[0] = (int32_t)h0;
- h[1] = (int32_t)h1;
- h[2] = (int32_t)h2;
- h[3] = (int32_t)h3;
- h[4] = (int32_t)h4;
- h[5] = (int32_t)h5;
- h[6] = (int32_t)h6;
- h[7] = (int32_t)h7;
- h[8] = (int32_t)h8;
- h[9] = (int32_t)h9;
+ * With tighter constraints on inputs can squeeze carries into int32.
+ */
+static void fe_mul(fe h, const fe f, const fe g)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+ int32_t g0 = g[0];
+ int32_t g1 = g[1];
+ int32_t g2 = g[2];
+ int32_t g3 = g[3];
+ int32_t g4 = g[4];
+ int32_t g5 = g[5];
+ int32_t g6 = g[6];
+ int32_t g7 = g[7];
+ int32_t g8 = g[8];
+ int32_t g9 = g[9];
+ int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
+ int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+ int32_t g3_19 = 19 * g3;
+ int32_t g4_19 = 19 * g4;
+ int32_t g5_19 = 19 * g5;
+ int32_t g6_19 = 19 * g6;
+ int32_t g7_19 = 19 * g7;
+ int32_t g8_19 = 19 * g8;
+ int32_t g9_19 = 19 * g9;
+ int32_t f1_2 = 2 * f1;
+ int32_t f3_2 = 2 * f3;
+ int32_t f5_2 = 2 * f5;
+ int32_t f7_2 = 2 * f7;
+ int32_t f9_2 = 2 * f9;
+ int64_t f0g0 = f0 * (int64_t) g0;
+ int64_t f0g1 = f0 * (int64_t) g1;
+ int64_t f0g2 = f0 * (int64_t) g2;
+ int64_t f0g3 = f0 * (int64_t) g3;
+ int64_t f0g4 = f0 * (int64_t) g4;
+ int64_t f0g5 = f0 * (int64_t) g5;
+ int64_t f0g6 = f0 * (int64_t) g6;
+ int64_t f0g7 = f0 * (int64_t) g7;
+ int64_t f0g8 = f0 * (int64_t) g8;
+ int64_t f0g9 = f0 * (int64_t) g9;
+ int64_t f1g0 = f1 * (int64_t) g0;
+ int64_t f1g1_2 = f1_2 * (int64_t) g1;
+ int64_t f1g2 = f1 * (int64_t) g2;
+ int64_t f1g3_2 = f1_2 * (int64_t) g3;
+ int64_t f1g4 = f1 * (int64_t) g4;
+ int64_t f1g5_2 = f1_2 * (int64_t) g5;
+ int64_t f1g6 = f1 * (int64_t) g6;
+ int64_t f1g7_2 = f1_2 * (int64_t) g7;
+ int64_t f1g8 = f1 * (int64_t) g8;
+ int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
+ int64_t f2g0 = f2 * (int64_t) g0;
+ int64_t f2g1 = f2 * (int64_t) g1;
+ int64_t f2g2 = f2 * (int64_t) g2;
+ int64_t f2g3 = f2 * (int64_t) g3;
+ int64_t f2g4 = f2 * (int64_t) g4;
+ int64_t f2g5 = f2 * (int64_t) g5;
+ int64_t f2g6 = f2 * (int64_t) g6;
+ int64_t f2g7 = f2 * (int64_t) g7;
+ int64_t f2g8_19 = f2 * (int64_t) g8_19;
+ int64_t f2g9_19 = f2 * (int64_t) g9_19;
+ int64_t f3g0 = f3 * (int64_t) g0;
+ int64_t f3g1_2 = f3_2 * (int64_t) g1;
+ int64_t f3g2 = f3 * (int64_t) g2;
+ int64_t f3g3_2 = f3_2 * (int64_t) g3;
+ int64_t f3g4 = f3 * (int64_t) g4;
+ int64_t f3g5_2 = f3_2 * (int64_t) g5;
+ int64_t f3g6 = f3 * (int64_t) g6;
+ int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
+ int64_t f3g8_19 = f3 * (int64_t) g8_19;
+ int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
+ int64_t f4g0 = f4 * (int64_t) g0;
+ int64_t f4g1 = f4 * (int64_t) g1;
+ int64_t f4g2 = f4 * (int64_t) g2;
+ int64_t f4g3 = f4 * (int64_t) g3;
+ int64_t f4g4 = f4 * (int64_t) g4;
+ int64_t f4g5 = f4 * (int64_t) g5;
+ int64_t f4g6_19 = f4 * (int64_t) g6_19;
+ int64_t f4g7_19 = f4 * (int64_t) g7_19;
+ int64_t f4g8_19 = f4 * (int64_t) g8_19;
+ int64_t f4g9_19 = f4 * (int64_t) g9_19;
+ int64_t f5g0 = f5 * (int64_t) g0;
+ int64_t f5g1_2 = f5_2 * (int64_t) g1;
+ int64_t f5g2 = f5 * (int64_t) g2;
+ int64_t f5g3_2 = f5_2 * (int64_t) g3;
+ int64_t f5g4 = f5 * (int64_t) g4;
+ int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
+ int64_t f5g6_19 = f5 * (int64_t) g6_19;
+ int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
+ int64_t f5g8_19 = f5 * (int64_t) g8_19;
+ int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
+ int64_t f6g0 = f6 * (int64_t) g0;
+ int64_t f6g1 = f6 * (int64_t) g1;
+ int64_t f6g2 = f6 * (int64_t) g2;
+ int64_t f6g3 = f6 * (int64_t) g3;
+ int64_t f6g4_19 = f6 * (int64_t) g4_19;
+ int64_t f6g5_19 = f6 * (int64_t) g5_19;
+ int64_t f6g6_19 = f6 * (int64_t) g6_19;
+ int64_t f6g7_19 = f6 * (int64_t) g7_19;
+ int64_t f6g8_19 = f6 * (int64_t) g8_19;
+ int64_t f6g9_19 = f6 * (int64_t) g9_19;
+ int64_t f7g0 = f7 * (int64_t) g0;
+ int64_t f7g1_2 = f7_2 * (int64_t) g1;
+ int64_t f7g2 = f7 * (int64_t) g2;
+ int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
+ int64_t f7g4_19 = f7 * (int64_t) g4_19;
+ int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
+ int64_t f7g6_19 = f7 * (int64_t) g6_19;
+ int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
+ int64_t f7g8_19 = f7 * (int64_t) g8_19;
+ int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
+ int64_t f8g0 = f8 * (int64_t) g0;
+ int64_t f8g1 = f8 * (int64_t) g1;
+ int64_t f8g2_19 = f8 * (int64_t) g2_19;
+ int64_t f8g3_19 = f8 * (int64_t) g3_19;
+ int64_t f8g4_19 = f8 * (int64_t) g4_19;
+ int64_t f8g5_19 = f8 * (int64_t) g5_19;
+ int64_t f8g6_19 = f8 * (int64_t) g6_19;
+ int64_t f8g7_19 = f8 * (int64_t) g7_19;
+ int64_t f8g8_19 = f8 * (int64_t) g8_19;
+ int64_t f8g9_19 = f8 * (int64_t) g9_19;
+ int64_t f9g0 = f9 * (int64_t) g0;
+ int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
+ int64_t f9g2_19 = f9 * (int64_t) g2_19;
+ int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
+ int64_t f9g4_19 = f9 * (int64_t) g4_19;
+ int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
+ int64_t f9g6_19 = f9 * (int64_t) g6_19;
+ int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
+ int64_t f9g8_19 = f9 * (int64_t) g8_19;
+ int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
+ int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
+ int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19;
+ int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38;
+ int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19;
+ int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38;
+ int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19;
+ int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38;
+ int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19;
+ int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38;
+ int64_t h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0 ;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ /* |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+ * i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+ * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+ * i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 */
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+ /* |h0| <= 2^25 */
+ /* |h4| <= 2^25 */
+ /* |h1| <= 1.71*2^59 */
+ /* |h5| <= 1.71*2^59 */
+
+ carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
+ carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
+ /* |h1| <= 2^24; from now on fits into int32 */
+ /* |h5| <= 2^24; from now on fits into int32 */
+ /* |h2| <= 1.41*2^60 */
+ /* |h6| <= 1.41*2^60 */
+
+ carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
+ carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
+ /* |h2| <= 2^25; from now on fits into int32 unchanged */
+ /* |h6| <= 2^25; from now on fits into int32 unchanged */
+ /* |h3| <= 1.71*2^59 */
+ /* |h7| <= 1.71*2^59 */
+
+ carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
+ carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
+ /* |h3| <= 2^24; from now on fits into int32 unchanged */
+ /* |h7| <= 2^24; from now on fits into int32 unchanged */
+ /* |h4| <= 1.72*2^34 */
+ /* |h8| <= 1.41*2^60 */
+
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+ carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
+ /* |h4| <= 2^25; from now on fits into int32 unchanged */
+ /* |h8| <= 2^25; from now on fits into int32 unchanged */
+ /* |h5| <= 1.01*2^24 */
+ /* |h9| <= 1.71*2^59 */
+
+ carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
+ /* |h9| <= 2^24; from now on fits into int32 unchanged */
+ /* |h0| <= 1.1*2^39 */
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+ /* |h0| <= 2^25; from now on fits into int32 unchanged */
+ /* |h1| <= 1.01*2^24 */
+
+ h[0] = (int32_t)h0;
+ h[1] = (int32_t)h1;
+ h[2] = (int32_t)h2;
+ h[3] = (int32_t)h3;
+ h[4] = (int32_t)h4;
+ h[5] = (int32_t)h5;
+ h[6] = (int32_t)h6;
+ h[7] = (int32_t)h7;
+ h[8] = (int32_t)h8;
+ h[9] = (int32_t)h9;
}
-/* h = f * f
+/*
+ * h = f * f
+ *
* Can overlap h with f.
*
* Preconditions:
@@ -1229,286 +1261,307 @@ static void fe_mul(fe h, const fe f, const fe g) {
* Postconditions:
* |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*
- * See fe_mul.c for discussion of implementation strategy. */
-static void fe_sq(fe h, const fe f) {
- int32_t f0 = f[0];
- int32_t f1 = f[1];
- int32_t f2 = f[2];
- int32_t f3 = f[3];
- int32_t f4 = f[4];
- int32_t f5 = f[5];
- int32_t f6 = f[6];
- int32_t f7 = f[7];
- int32_t f8 = f[8];
- int32_t f9 = f[9];
- int32_t f0_2 = 2 * f0;
- int32_t f1_2 = 2 * f1;
- int32_t f2_2 = 2 * f2;
- int32_t f3_2 = 2 * f3;
- int32_t f4_2 = 2 * f4;
- int32_t f5_2 = 2 * f5;
- int32_t f6_2 = 2 * f6;
- int32_t f7_2 = 2 * f7;
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
- int64_t f0f0 = f0 * (int64_t) f0;
- int64_t f0f1_2 = f0_2 * (int64_t) f1;
- int64_t f0f2_2 = f0_2 * (int64_t) f2;
- int64_t f0f3_2 = f0_2 * (int64_t) f3;
- int64_t f0f4_2 = f0_2 * (int64_t) f4;
- int64_t f0f5_2 = f0_2 * (int64_t) f5;
- int64_t f0f6_2 = f0_2 * (int64_t) f6;
- int64_t f0f7_2 = f0_2 * (int64_t) f7;
- int64_t f0f8_2 = f0_2 * (int64_t) f8;
- int64_t f0f9_2 = f0_2 * (int64_t) f9;
- int64_t f1f1_2 = f1_2 * (int64_t) f1;
- int64_t f1f2_2 = f1_2 * (int64_t) f2;
- int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
- int64_t f1f4_2 = f1_2 * (int64_t) f4;
- int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
- int64_t f1f6_2 = f1_2 * (int64_t) f6;
- int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
- int64_t f1f8_2 = f1_2 * (int64_t) f8;
- int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
- int64_t f2f2 = f2 * (int64_t) f2;
- int64_t f2f3_2 = f2_2 * (int64_t) f3;
- int64_t f2f4_2 = f2_2 * (int64_t) f4;
- int64_t f2f5_2 = f2_2 * (int64_t) f5;
- int64_t f2f6_2 = f2_2 * (int64_t) f6;
- int64_t f2f7_2 = f2_2 * (int64_t) f7;
- int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
- int64_t f2f9_38 = f2 * (int64_t) f9_38;
- int64_t f3f3_2 = f3_2 * (int64_t) f3;
- int64_t f3f4_2 = f3_2 * (int64_t) f4;
- int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
- int64_t f3f6_2 = f3_2 * (int64_t) f6;
- int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
- int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
- int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
- int64_t f4f4 = f4 * (int64_t) f4;
- int64_t f4f5_2 = f4_2 * (int64_t) f5;
- int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
- int64_t f4f7_38 = f4 * (int64_t) f7_38;
- int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
- int64_t f4f9_38 = f4 * (int64_t) f9_38;
- int64_t f5f5_38 = f5 * (int64_t) f5_38;
- int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
- int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
- int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
- int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
- int64_t f6f6_19 = f6 * (int64_t) f6_19;
- int64_t f6f7_38 = f6 * (int64_t) f7_38;
- int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
- int64_t f6f9_38 = f6 * (int64_t) f9_38;
- int64_t f7f7_38 = f7 * (int64_t) f7_38;
- int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
- int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
- int64_t f8f8_19 = f8 * (int64_t) f8_19;
- int64_t f8f9_38 = f8 * (int64_t) f9_38;
- int64_t f9f9_38 = f9 * (int64_t) f9_38;
- int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
- int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
- int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
- int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
- int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38;
- int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
- int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
- int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
- int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38;
- int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
-
- carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
- carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
-
- carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
- carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
-
- carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
- carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
-
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
-
- carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
-
- h[0] = (int32_t)h0;
- h[1] = (int32_t)h1;
- h[2] = (int32_t)h2;
- h[3] = (int32_t)h3;
- h[4] = (int32_t)h4;
- h[5] = (int32_t)h5;
- h[6] = (int32_t)h6;
- h[7] = (int32_t)h7;
- h[8] = (int32_t)h8;
- h[9] = (int32_t)h9;
+ * See fe_mul.c for discussion of implementation strategy.
+ */
+static void fe_sq(fe h, const fe f)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+ int32_t f0_2 = 2 * f0;
+ int32_t f1_2 = 2 * f1;
+ int32_t f2_2 = 2 * f2;
+ int32_t f3_2 = 2 * f3;
+ int32_t f4_2 = 2 * f4;
+ int32_t f5_2 = 2 * f5;
+ int32_t f6_2 = 2 * f6;
+ int32_t f7_2 = 2 * f7;
+ int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
+ int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
+ int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
+ int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
+ int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+ int64_t f0f0 = f0 * (int64_t) f0;
+ int64_t f0f1_2 = f0_2 * (int64_t) f1;
+ int64_t f0f2_2 = f0_2 * (int64_t) f2;
+ int64_t f0f3_2 = f0_2 * (int64_t) f3;
+ int64_t f0f4_2 = f0_2 * (int64_t) f4;
+ int64_t f0f5_2 = f0_2 * (int64_t) f5;
+ int64_t f0f6_2 = f0_2 * (int64_t) f6;
+ int64_t f0f7_2 = f0_2 * (int64_t) f7;
+ int64_t f0f8_2 = f0_2 * (int64_t) f8;
+ int64_t f0f9_2 = f0_2 * (int64_t) f9;
+ int64_t f1f1_2 = f1_2 * (int64_t) f1;
+ int64_t f1f2_2 = f1_2 * (int64_t) f2;
+ int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
+ int64_t f1f4_2 = f1_2 * (int64_t) f4;
+ int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
+ int64_t f1f6_2 = f1_2 * (int64_t) f6;
+ int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
+ int64_t f1f8_2 = f1_2 * (int64_t) f8;
+ int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
+ int64_t f2f2 = f2 * (int64_t) f2;
+ int64_t f2f3_2 = f2_2 * (int64_t) f3;
+ int64_t f2f4_2 = f2_2 * (int64_t) f4;
+ int64_t f2f5_2 = f2_2 * (int64_t) f5;
+ int64_t f2f6_2 = f2_2 * (int64_t) f6;
+ int64_t f2f7_2 = f2_2 * (int64_t) f7;
+ int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
+ int64_t f2f9_38 = f2 * (int64_t) f9_38;
+ int64_t f3f3_2 = f3_2 * (int64_t) f3;
+ int64_t f3f4_2 = f3_2 * (int64_t) f4;
+ int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
+ int64_t f3f6_2 = f3_2 * (int64_t) f6;
+ int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
+ int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
+ int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
+ int64_t f4f4 = f4 * (int64_t) f4;
+ int64_t f4f5_2 = f4_2 * (int64_t) f5;
+ int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
+ int64_t f4f7_38 = f4 * (int64_t) f7_38;
+ int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
+ int64_t f4f9_38 = f4 * (int64_t) f9_38;
+ int64_t f5f5_38 = f5 * (int64_t) f5_38;
+ int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
+ int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
+ int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
+ int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
+ int64_t f6f6_19 = f6 * (int64_t) f6_19;
+ int64_t f6f7_38 = f6 * (int64_t) f7_38;
+ int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
+ int64_t f6f9_38 = f6 * (int64_t) f9_38;
+ int64_t f7f7_38 = f7 * (int64_t) f7_38;
+ int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
+ int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
+ int64_t f8f8_19 = f8 * (int64_t) f8_19;
+ int64_t f8f9_38 = f8 * (int64_t) f9_38;
+ int64_t f9f9_38 = f9 * (int64_t) f9_38;
+ int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+ int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+ int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+ int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
+ int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
+ int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
+ int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
+ int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
+ int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
+ int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+
+ carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
+ carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
+
+ carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
+ carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
+
+ carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
+ carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
+
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+ carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
+
+ carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+
+ h[0] = (int32_t)h0;
+ h[1] = (int32_t)h1;
+ h[2] = (int32_t)h2;
+ h[3] = (int32_t)h3;
+ h[4] = (int32_t)h4;
+ h[5] = (int32_t)h5;
+ h[6] = (int32_t)h6;
+ h[7] = (int32_t)h7;
+ h[8] = (int32_t)h8;
+ h[9] = (int32_t)h9;
}
-static void fe_invert(fe out, const fe z) {
- fe t0;
- fe t1;
- fe t2;
- fe t3;
- int i;
+static void fe_invert(fe out, const fe z)
+{
+ fe t0;
+ fe t1;
+ fe t2;
+ fe t3;
+ int i;
- /*
- * Compute z ** -1 = z ** (2 ** 255 - 19 - 2) with the exponent as
- * 2 ** 255 - 21 = (2 ** 5) * (2 ** 250 - 1) + 11.
- */
+ /*
+ * Compute z ** -1 = z ** (2 ** 255 - 19 - 2) with the exponent as
+ * 2 ** 255 - 21 = (2 ** 5) * (2 ** 250 - 1) + 11.
+ */
- /* t0 = z ** 2 */
- fe_sq(t0, z);
+ /* t0 = z ** 2 */
+ fe_sq(t0, z);
- /* t1 = t0 ** (2 ** 2) = z ** 8 */
- fe_sq(t1, t0);
- fe_sq(t1, t1);
+ /* t1 = t0 ** (2 ** 2) = z ** 8 */
+ fe_sq(t1, t0);
+ fe_sq(t1, t1);
- /* t1 = z * t1 = z ** 9 */
- fe_mul(t1, z, t1);
- /* t0 = t0 * t1 = z ** 11 -- stash t0 away for the end. */
- fe_mul(t0, t0, t1);
+ /* t1 = z * t1 = z ** 9 */
+ fe_mul(t1, z, t1);
+ /* t0 = t0 * t1 = z ** 11 -- stash t0 away for the end. */
+ fe_mul(t0, t0, t1);
- /* t2 = t0 ** 2 = z ** 22 */
- fe_sq(t2, t0);
+ /* t2 = t0 ** 2 = z ** 22 */
+ fe_sq(t2, t0);
- /* t1 = t1 * t2 = z ** (2 ** 5 - 1) */
- fe_mul(t1, t1, t2);
+ /* t1 = t1 * t2 = z ** (2 ** 5 - 1) */
+ fe_mul(t1, t1, t2);
- /* t2 = t1 ** (2 ** 5) = z ** ((2 ** 5) * (2 ** 5 - 1)) */
- fe_sq(t2, t1);
- for (i = 1; i < 5; ++i) {
- fe_sq(t2, t2);
- }
+ /* t2 = t1 ** (2 ** 5) = z ** ((2 ** 5) * (2 ** 5 - 1)) */
+ fe_sq(t2, t1);
+ for (i = 1; i < 5; ++i) {
+ fe_sq(t2, t2);
+ }
- /* t1 = t1 * t2 = z ** ((2 ** 5 + 1) * (2 ** 5 - 1)) = z ** (2 ** 10 - 1) */
- fe_mul(t1, t2, t1);
+ /* t1 = t1 * t2 = z ** ((2 ** 5 + 1) * (2 ** 5 - 1)) = z ** (2 ** 10 - 1) */
+ fe_mul(t1, t2, t1);
- /* Continuing similarly... */
+ /* Continuing similarly... */
- /* t2 = z ** (2 ** 20 - 1) */
- fe_sq(t2, t1);
- for (i = 1; i < 10; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t2, t2, t1);
-
- /* t2 = z ** (2 ** 40 - 1) */
- fe_sq(t3, t2);
- for (i = 1; i < 20; ++i) {
- fe_sq(t3, t3);
- }
- fe_mul(t2, t3, t2);
-
- /* t2 = z ** (2 ** 10) * (2 ** 40 - 1) */
- for (i = 0; i < 10; ++i) {
- fe_sq(t2, t2);
- }
- /* t1 = z ** (2 ** 50 - 1) */
- fe_mul(t1, t2, t1);
+ /* t2 = z ** (2 ** 20 - 1) */
+ fe_sq(t2, t1);
+ for (i = 1; i < 10; ++i) {
+ fe_sq(t2, t2);
+ }
+ fe_mul(t2, t2, t1);
- /* t2 = z ** (2 ** 100 - 1) */
- fe_sq(t2, t1);
- for (i = 1; i < 50; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t2, t2, t1);
-
- /* t2 = z ** (2 ** 200 - 1) */
- fe_sq(t3, t2);
- for (i = 1; i < 100; ++i) {
- fe_sq(t3, t3);
- }
- fe_mul(t2, t3, t2);
-
- /* t2 = z ** ((2 ** 50) * (2 ** 200 - 1) */
- fe_sq(t2, t2);
- for (i = 1; i < 50; ++i) {
+ /* t2 = z ** (2 ** 40 - 1) */
+ fe_sq(t3, t2);
+ for (i = 1; i < 20; ++i) {
+ fe_sq(t3, t3);
+ }
+ fe_mul(t2, t3, t2);
+
+ /* t2 = z ** (2 ** 10) * (2 ** 40 - 1) */
+ for (i = 0; i < 10; ++i) {
+ fe_sq(t2, t2);
+ }
+ /* t1 = z ** (2 ** 50 - 1) */
+ fe_mul(t1, t2, t1);
+
+ /* t2 = z ** (2 ** 100 - 1) */
+ fe_sq(t2, t1);
+ for (i = 1; i < 50; ++i) {
+ fe_sq(t2, t2);
+ }
+ fe_mul(t2, t2, t1);
+
+ /* t2 = z ** (2 ** 200 - 1) */
+ fe_sq(t3, t2);
+ for (i = 1; i < 100; ++i) {
+ fe_sq(t3, t3);
+ }
+ fe_mul(t2, t3, t2);
+
+ /* t2 = z ** ((2 ** 50) * (2 ** 200 - 1) */
fe_sq(t2, t2);
- }
+ for (i = 1; i < 50; ++i) {
+ fe_sq(t2, t2);
+ }
- /* t1 = z ** (2 ** 250 - 1) */
- fe_mul(t1, t2, t1);
+ /* t1 = z ** (2 ** 250 - 1) */
+ fe_mul(t1, t2, t1);
- /* t1 = z ** ((2 ** 5) * (2 ** 250 - 1)) */
- fe_sq(t1, t1);
- for (i = 1; i < 5; ++i) {
+ /* t1 = z ** ((2 ** 5) * (2 ** 250 - 1)) */
fe_sq(t1, t1);
- }
+ for (i = 1; i < 5; ++i) {
+ fe_sq(t1, t1);
+ }
- /* Recall t0 = z ** 11; out = z ** (2 ** 255 - 21) */
- fe_mul(out, t1, t0);
+ /* Recall t0 = z ** 11; out = z ** (2 ** 255 - 21) */
+ fe_mul(out, t1, t0);
}
-/* h = -f
+/*
+ * h = -f
*
* Preconditions:
* |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
*
* Postconditions:
- * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
-static void fe_neg(fe h, const fe f) {
- unsigned i;
- for (i = 0; i < 10; i++) {
- h[i] = -f[i];
- }
+ * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ */
+static void fe_neg(fe h, const fe f)
+{
+ unsigned i;
+
+ for (i = 0; i < 10; i++) {
+ h[i] = -f[i];
+ }
}
-/* Replace (f,g) with (g,g) if b == 1;
+/*
+ * Replace (f,g) with (g,g) if b == 1;
* replace (f,g) with (f,g) if b == 0.
*
- * Preconditions: b in {0,1}. */
-static void fe_cmov(fe f, const fe g, unsigned b) {
- size_t i;
- b = 0-b;
- for (i = 0; i < 10; i++) {
- int32_t x = f[i] ^ g[i];
- x &= b;
- f[i] ^= x;
- }
+ * Preconditions: b in {0,1}.
+ */
+static void fe_cmov(fe f, const fe g, unsigned b)
+{
+ size_t i;
+
+ b = 0-b;
+ for (i = 0; i < 10; i++) {
+ int32_t x = f[i] ^ g[i];
+ x &= b;
+ f[i] ^= x;
+ }
}
-/* return 0 if f == 0
+/*
+ * return 0 if f == 0
* return 1 if f != 0
*
* Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
-static int fe_isnonzero(const fe f) {
- uint8_t s[32];
- static const uint8_t zero[32] = {0};
- fe_tobytes(s, f);
+ * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+static int fe_isnonzero(const fe f)
+{
+ uint8_t s[32];
+ static const uint8_t zero[32] = {0};
- return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
+ fe_tobytes(s, f);
+
+ return CRYPTO_memcmp(s, zero, sizeof(zero)) != 0;
}
-/* return 1 if f is in {1,3,5,...,q-2}
+/*
+ * return 1 if f is in {1,3,5,...,q-2}
* return 0 if f is in {0,2,4,...,q-1}
*
* Preconditions:
- * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */
-static int fe_isnegative(const fe f) {
- uint8_t s[32];
- fe_tobytes(s, f);
- return s[0] & 1;
+ * |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+static int fe_isnegative(const fe f)
+{
+ uint8_t s[32];
+
+ fe_tobytes(s, f);
+ return s[0] & 1;
}
-/* h = 2 * f * f
+/*
+ * h = 2 * f * f
+ *
* Can overlap h with f.
*
* Preconditions:
@@ -1517,208 +1570,212 @@ static int fe_isnegative(const fe f) {
* Postconditions:
* |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
*
- * See fe_mul.c for discussion of implementation strategy. */
-static void fe_sq2(fe h, const fe f) {
- int32_t f0 = f[0];
- int32_t f1 = f[1];
- int32_t f2 = f[2];
- int32_t f3 = f[3];
- int32_t f4 = f[4];
- int32_t f5 = f[5];
- int32_t f6 = f[6];
- int32_t f7 = f[7];
- int32_t f8 = f[8];
- int32_t f9 = f[9];
- int32_t f0_2 = 2 * f0;
- int32_t f1_2 = 2 * f1;
- int32_t f2_2 = 2 * f2;
- int32_t f3_2 = 2 * f3;
- int32_t f4_2 = 2 * f4;
- int32_t f5_2 = 2 * f5;
- int32_t f6_2 = 2 * f6;
- int32_t f7_2 = 2 * f7;
- int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
- int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
- int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
- int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
- int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
- int64_t f0f0 = f0 * (int64_t) f0;
- int64_t f0f1_2 = f0_2 * (int64_t) f1;
- int64_t f0f2_2 = f0_2 * (int64_t) f2;
- int64_t f0f3_2 = f0_2 * (int64_t) f3;
- int64_t f0f4_2 = f0_2 * (int64_t) f4;
- int64_t f0f5_2 = f0_2 * (int64_t) f5;
- int64_t f0f6_2 = f0_2 * (int64_t) f6;
- int64_t f0f7_2 = f0_2 * (int64_t) f7;
- int64_t f0f8_2 = f0_2 * (int64_t) f8;
- int64_t f0f9_2 = f0_2 * (int64_t) f9;
- int64_t f1f1_2 = f1_2 * (int64_t) f1;
- int64_t f1f2_2 = f1_2 * (int64_t) f2;
- int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
- int64_t f1f4_2 = f1_2 * (int64_t) f4;
- int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
- int64_t f1f6_2 = f1_2 * (int64_t) f6;
- int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
- int64_t f1f8_2 = f1_2 * (int64_t) f8;
- int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
- int64_t f2f2 = f2 * (int64_t) f2;
- int64_t f2f3_2 = f2_2 * (int64_t) f3;
- int64_t f2f4_2 = f2_2 * (int64_t) f4;
- int64_t f2f5_2 = f2_2 * (int64_t) f5;
- int64_t f2f6_2 = f2_2 * (int64_t) f6;
- int64_t f2f7_2 = f2_2 * (int64_t) f7;
- int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
- int64_t f2f9_38 = f2 * (int64_t) f9_38;
- int64_t f3f3_2 = f3_2 * (int64_t) f3;
- int64_t f3f4_2 = f3_2 * (int64_t) f4;
- int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
- int64_t f3f6_2 = f3_2 * (int64_t) f6;
- int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
- int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
- int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
- int64_t f4f4 = f4 * (int64_t) f4;
- int64_t f4f5_2 = f4_2 * (int64_t) f5;
- int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
- int64_t f4f7_38 = f4 * (int64_t) f7_38;
- int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
- int64_t f4f9_38 = f4 * (int64_t) f9_38;
- int64_t f5f5_38 = f5 * (int64_t) f5_38;
- int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
- int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
- int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
- int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
- int64_t f6f6_19 = f6 * (int64_t) f6_19;
- int64_t f6f7_38 = f6 * (int64_t) f7_38;
- int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
- int64_t f6f9_38 = f6 * (int64_t) f9_38;
- int64_t f7f7_38 = f7 * (int64_t) f7_38;
- int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
- int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
- int64_t f8f8_19 = f8 * (int64_t) f8_19;
- int64_t f8f9_38 = f8 * (int64_t) f9_38;
- int64_t f9f9_38 = f9 * (int64_t) f9_38;
- int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38;
- int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38;
- int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19;
- int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38;
- int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38;
- int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38;
- int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19;
- int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38;
- int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38;
- int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
-
- h0 += h0;
- h1 += h1;
- h2 += h2;
- h3 += h3;
- h4 += h4;
- h5 += h5;
- h6 += h6;
- h7 += h7;
- h8 += h8;
- h9 += h9;
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
-
- carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
- carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
-
- carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
- carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
-
- carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
- carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
-
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
-
- carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
-
- h[0] = (int32_t)h0;
- h[1] = (int32_t)h1;
- h[2] = (int32_t)h2;
- h[3] = (int32_t)h3;
- h[4] = (int32_t)h4;
- h[5] = (int32_t)h5;
- h[6] = (int32_t)h6;
- h[7] = (int32_t)h7;
- h[8] = (int32_t)h8;
- h[9] = (int32_t)h9;
+ * See fe_mul.c for discussion of implementation strategy.
+ */
+static void fe_sq2(fe h, const fe f)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+ int32_t f0_2 = 2 * f0;
+ int32_t f1_2 = 2 * f1;
+ int32_t f2_2 = 2 * f2;
+ int32_t f3_2 = 2 * f3;
+ int32_t f4_2 = 2 * f4;
+ int32_t f5_2 = 2 * f5;
+ int32_t f6_2 = 2 * f6;
+ int32_t f7_2 = 2 * f7;
+ int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
+ int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
+ int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
+ int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
+ int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+ int64_t f0f0 = f0 * (int64_t) f0;
+ int64_t f0f1_2 = f0_2 * (int64_t) f1;
+ int64_t f0f2_2 = f0_2 * (int64_t) f2;
+ int64_t f0f3_2 = f0_2 * (int64_t) f3;
+ int64_t f0f4_2 = f0_2 * (int64_t) f4;
+ int64_t f0f5_2 = f0_2 * (int64_t) f5;
+ int64_t f0f6_2 = f0_2 * (int64_t) f6;
+ int64_t f0f7_2 = f0_2 * (int64_t) f7;
+ int64_t f0f8_2 = f0_2 * (int64_t) f8;
+ int64_t f0f9_2 = f0_2 * (int64_t) f9;
+ int64_t f1f1_2 = f1_2 * (int64_t) f1;
+ int64_t f1f2_2 = f1_2 * (int64_t) f2;
+ int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
+ int64_t f1f4_2 = f1_2 * (int64_t) f4;
+ int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
+ int64_t f1f6_2 = f1_2 * (int64_t) f6;
+ int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
+ int64_t f1f8_2 = f1_2 * (int64_t) f8;
+ int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
+ int64_t f2f2 = f2 * (int64_t) f2;
+ int64_t f2f3_2 = f2_2 * (int64_t) f3;
+ int64_t f2f4_2 = f2_2 * (int64_t) f4;
+ int64_t f2f5_2 = f2_2 * (int64_t) f5;
+ int64_t f2f6_2 = f2_2 * (int64_t) f6;
+ int64_t f2f7_2 = f2_2 * (int64_t) f7;
+ int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
+ int64_t f2f9_38 = f2 * (int64_t) f9_38;
+ int64_t f3f3_2 = f3_2 * (int64_t) f3;
+ int64_t f3f4_2 = f3_2 * (int64_t) f4;
+ int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
+ int64_t f3f6_2 = f3_2 * (int64_t) f6;
+ int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
+ int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
+ int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
+ int64_t f4f4 = f4 * (int64_t) f4;
+ int64_t f4f5_2 = f4_2 * (int64_t) f5;
+ int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
+ int64_t f4f7_38 = f4 * (int64_t) f7_38;
+ int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
+ int64_t f4f9_38 = f4 * (int64_t) f9_38;
+ int64_t f5f5_38 = f5 * (int64_t) f5_38;
+ int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
+ int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
+ int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
+ int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
+ int64_t f6f6_19 = f6 * (int64_t) f6_19;
+ int64_t f6f7_38 = f6 * (int64_t) f7_38;
+ int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
+ int64_t f6f9_38 = f6 * (int64_t) f9_38;
+ int64_t f7f7_38 = f7 * (int64_t) f7_38;
+ int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
+ int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
+ int64_t f8f8_19 = f8 * (int64_t) f8_19;
+ int64_t f8f9_38 = f8 * (int64_t) f9_38;
+ int64_t f9f9_38 = f9 * (int64_t) f9_38;
+ int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+ int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+ int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+ int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
+ int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
+ int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
+ int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
+ int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
+ int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
+ int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ h0 += h0;
+ h1 += h1;
+ h2 += h2;
+ h3 += h3;
+ h4 += h4;
+ h5 += h5;
+ h6 += h6;
+ h7 += h7;
+ h8 += h8;
+ h9 += h9;
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+
+ carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
+ carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
+
+ carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
+ carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
+
+ carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
+ carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
+
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+ carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
+
+ carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+
+ h[0] = (int32_t)h0;
+ h[1] = (int32_t)h1;
+ h[2] = (int32_t)h2;
+ h[3] = (int32_t)h3;
+ h[4] = (int32_t)h4;
+ h[5] = (int32_t)h5;
+ h[6] = (int32_t)h6;
+ h[7] = (int32_t)h7;
+ h[8] = (int32_t)h8;
+ h[9] = (int32_t)h9;
}
-static void fe_pow22523(fe out, const fe z) {
- fe t0;
- fe t1;
- fe t2;
- int i;
+static void fe_pow22523(fe out, const fe z)
+{
+ fe t0;
+ fe t1;
+ fe t2;
+ int i;
- fe_sq(t0, z);
- fe_sq(t1, t0);
- for (i = 1; i < 2; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t1, z, t1);
- fe_mul(t0, t0, t1);
- fe_sq(t0, t0);
- fe_mul(t0, t1, t0);
- fe_sq(t1, t0);
- for (i = 1; i < 5; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t0, t1, t0);
- fe_sq(t1, t0);
- for (i = 1; i < 10; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t1, t1, t0);
- fe_sq(t2, t1);
- for (i = 1; i < 20; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t1, t2, t1);
- fe_sq(t1, t1);
- for (i = 1; i < 10; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t0, t1, t0);
- fe_sq(t1, t0);
- for (i = 1; i < 50; ++i) {
+ fe_sq(t0, z);
+ fe_sq(t1, t0);
+ for (i = 1; i < 2; ++i) {
+ fe_sq(t1, t1);
+ }
+ fe_mul(t1, z, t1);
+ fe_mul(t0, t0, t1);
+ fe_sq(t0, t0);
+ fe_mul(t0, t1, t0);
+ fe_sq(t1, t0);
+ for (i = 1; i < 5; ++i) {
+ fe_sq(t1, t1);
+ }
+ fe_mul(t0, t1, t0);
+ fe_sq(t1, t0);
+ for (i = 1; i < 10; ++i) {
+ fe_sq(t1, t1);
+ }
+ fe_mul(t1, t1, t0);
+ fe_sq(t2, t1);
+ for (i = 1; i < 20; ++i) {
+ fe_sq(t2, t2);
+ }
+ fe_mul(t1, t2, t1);
fe_sq(t1, t1);
- }
- fe_mul(t1, t1, t0);
- fe_sq(t2, t1);
- for (i = 1; i < 100; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t1, t2, t1);
- fe_sq(t1, t1);
- for (i = 1; i < 50; ++i) {
+ for (i = 1; i < 10; ++i) {
+ fe_sq(t1, t1);
+ }
+ fe_mul(t0, t1, t0);
+ fe_sq(t1, t0);
+ for (i = 1; i < 50; ++i) {
+ fe_sq(t1, t1);
+ }
+ fe_mul(t1, t1, t0);
+ fe_sq(t2, t1);
+ for (i = 1; i < 100; ++i) {
+ fe_sq(t2, t2);
+ }
+ fe_mul(t1, t2, t1);
fe_sq(t1, t1);
- }
- fe_mul(t0, t1, t0);
- fe_sq(t0, t0);
- for (i = 1; i < 2; ++i) {
+ for (i = 1; i < 50; ++i) {
+ fe_sq(t1, t1);
+ }
+ fe_mul(t0, t1, t0);
fe_sq(t0, t0);
- }
- fe_mul(out, t0, z);
+ for (i = 1; i < 2; ++i) {
+ fe_sq(t0, t0);
+ }
+ fe_mul(out, t0, z);
}
-/* ge means group element.
-
+/*
+ * ge means group element.
+ *
* Here the group is the set of pairs (x,y) of field elements (see fe.h)
* satisfying -x^2 + y^2 = 1 + d x^2y^2
* where d = -121665/121666.
@@ -1727,268 +1784,292 @@ static void fe_pow22523(fe out, const fe z) {
* ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
* ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
* ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
- * ge_precomp (Duif): (y+x,y-x,2dxy) */
-
+ * ge_precomp (Duif): (y+x,y-x,2dxy)
+ */
typedef struct {
- fe X;
- fe Y;
- fe Z;
+ fe X;
+ fe Y;
+ fe Z;
} ge_p2;
typedef struct {
- fe X;
- fe Y;
- fe Z;
- fe T;
+ fe X;
+ fe Y;
+ fe Z;
+ fe T;
} ge_p3;
typedef struct {
- fe X;
- fe Y;
- fe Z;
- fe T;
+ fe X;
+ fe Y;
+ fe Z;
+ fe T;
} ge_p1p1;
typedef struct {
- fe yplusx;
- fe yminusx;
- fe xy2d;
+ fe yplusx;
+ fe yminusx;
+ fe xy2d;
} ge_precomp;
typedef struct {
- fe YplusX;
- fe YminusX;
- fe Z;
- fe T2d;
+ fe YplusX;
+ fe YminusX;
+ fe Z;
+ fe T2d;
} ge_cached;
-static void ge_tobytes(uint8_t *s, const ge_p2 *h) {
- fe recip;
- fe x;
- fe y;
+static void ge_tobytes(uint8_t *s, const ge_p2 *h)
+{
+ fe recip;
+ fe x;
+ fe y;
+
+ fe_invert(recip, h->Z);
+ fe_mul(x, h->X, recip);
+ fe_mul(y, h->Y, recip);
+ fe_tobytes(s, y);
+ s[31] ^= fe_isnegative(x) << 7;
+}
- fe_invert(recip, h->Z);
- fe_mul(x, h->X, recip);
- fe_mul(y, h->Y, recip);
- fe_tobytes(s, y);
- s[31] ^= fe_isnegative(x) << 7;
+static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h)
+{
+ fe recip;
+ fe x;
+ fe y;
+
+ fe_invert(recip, h->Z);
+ fe_mul(x, h->X, recip);
+ fe_mul(y, h->Y, recip);
+ fe_tobytes(s, y);
+ s[31] ^= fe_isnegative(x) << 7;
}
-static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) {
- fe recip;
- fe x;
- fe y;
+static const fe d = {
+ -10913610, 13857413, -15372611, 6949391, 114729,
+ -8787816, -6275908, -3247719, -18696448, -12055116
+};
- fe_invert(recip, h->Z);
- fe_mul(x, h->X, recip);
- fe_mul(y, h->Y, recip);
- fe_tobytes(s, y);
- s[31] ^= fe_isnegative(x) << 7;
-}
+static const fe sqrtm1 = {
+ -32595792, -7943725, 9377950, 3500415, 12389472,
+ -272473, -25146209, -2005654, 326686, 11406482
+};
-static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729,
- -8787816, -6275908, -3247719, -18696448, -12055116};
-
-static const fe sqrtm1 = {-32595792, -7943725, 9377950, 3500415, 12389472,
- -272473, -25146209, -2005654, 326686, 11406482};
-
-static int ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) {
- fe u;
- fe v;
- fe v3;
- fe vxx;
- fe check;
-
- fe_frombytes(h->Y, s);
- fe_1(h->Z);
- fe_sq(u, h->Y);
- fe_mul(v, u, d);
- fe_sub(u, u, h->Z); /* u = y^2-1 */
- fe_add(v, v, h->Z); /* v = dy^2+1 */
-
- fe_sq(v3, v);
- fe_mul(v3, v3, v); /* v3 = v^3 */
- fe_sq(h->X, v3);
- fe_mul(h->X, h->X, v);
- fe_mul(h->X, h->X, u); /* x = uv^7 */
-
- fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
- fe_mul(h->X, h->X, v3);
- fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
-
- fe_sq(vxx, h->X);
- fe_mul(vxx, vxx, v);
- fe_sub(check, vxx, u); /* vx^2-u */
- if (fe_isnonzero(check)) {
- fe_add(check, vxx, u); /* vx^2+u */
+static int ge_frombytes_vartime(ge_p3 *h, const uint8_t *s)
+{
+ fe u;
+ fe v;
+ fe v3;
+ fe vxx;
+ fe check;
+
+ fe_frombytes(h->Y, s);
+ fe_1(h->Z);
+ fe_sq(u, h->Y);
+ fe_mul(v, u, d);
+ fe_sub(u, u, h->Z); /* u = y^2-1 */
+ fe_add(v, v, h->Z); /* v = dy^2+1 */
+
+ fe_sq(v3, v);
+ fe_mul(v3, v3, v); /* v3 = v^3 */
+ fe_sq(h->X, v3);
+ fe_mul(h->X, h->X, v);
+ fe_mul(h->X, h->X, u); /* x = uv^7 */
+
+ fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
+ fe_mul(h->X, h->X, v3);
+ fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
+
+ fe_sq(vxx, h->X);
+ fe_mul(vxx, vxx, v);
+ fe_sub(check, vxx, u); /* vx^2-u */
if (fe_isnonzero(check)) {
- return -1;
+ fe_add(check, vxx, u); /* vx^2+u */
+ if (fe_isnonzero(check)) {
+ return -1;
+ }
+ fe_mul(h->X, h->X, sqrtm1);
}
- fe_mul(h->X, h->X, sqrtm1);
- }
- if (fe_isnegative(h->X) != (s[31] >> 7)) {
- fe_neg(h->X, h->X);
- }
+ if (fe_isnegative(h->X) != (s[31] >> 7)) {
+ fe_neg(h->X, h->X);
+ }
- fe_mul(h->T, h->X, h->Y);
- return 0;
+ fe_mul(h->T, h->X, h->Y);
+ return 0;
}
-static void ge_p2_0(ge_p2 *h) {
- fe_0(h->X);
- fe_1(h->Y);
- fe_1(h->Z);
+static void ge_p2_0(ge_p2 *h)
+{
+ fe_0(h->X);
+ fe_1(h->Y);
+ fe_1(h->Z);
}
-static void ge_p3_0(ge_p3 *h) {
- fe_0(h->X);
- fe_1(h->Y);
- fe_1(h->Z);
- fe_0(h->T);
+static void ge_p3_0(ge_p3 *h)
+{
+ fe_0(h->X);
+ fe_1(h->Y);
+ fe_1(h->Z);
+ fe_0(h->T);
}
-static void ge_precomp_0(ge_precomp *h) {
- fe_1(h->yplusx);
- fe_1(h->yminusx);
- fe_0(h->xy2d);
+static void ge_precomp_0(ge_precomp *h)
+{
+ fe_1(h->yplusx);
+ fe_1(h->yminusx);
+ fe_0(h->xy2d);
}
/* r = p */
-static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
- fe_copy(r->X, p->X);
- fe_copy(r->Y, p->Y);
- fe_copy(r->Z, p->Z);
+static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p)
+{
+ fe_copy(r->X, p->X);
+ fe_copy(r->Y, p->Y);
+ fe_copy(r->Z, p->Z);
}
-static const fe d2 = {-21827239, -5839606, -30745221, 13898782, 229458,
- 15978800, -12551817, -6495438, 29715968, 9444199};
+static const fe d2 = {
+ -21827239, -5839606, -30745221, 13898782, 229458,
+ 15978800, -12551817, -6495438, 29715968, 9444199
+};
/* r = p */
-static void ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
- fe_add(r->YplusX, p->Y, p->X);
- fe_sub(r->YminusX, p->Y, p->X);
- fe_copy(r->Z, p->Z);
- fe_mul(r->T2d, p->T, d2);
+static void ge_p3_to_cached(ge_cached *r, const ge_p3 *p)
+{
+ fe_add(r->YplusX, p->Y, p->X);
+ fe_sub(r->YminusX, p->Y, p->X);
+ fe_copy(r->Z, p->Z);
+ fe_mul(r->T2d, p->T, d2);
}
/* r = p */
-static void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {
- fe_mul(r->X, p->X, p->T);
- fe_mul(r->Y, p->Y, p->Z);
- fe_mul(r->Z, p->Z, p->T);
+static void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
+{
+ fe_mul(r->X, p->X, p->T);
+ fe_mul(r->Y, p->Y, p->Z);
+ fe_mul(r->Z, p->Z, p->T);
}
/* r = p */
-static void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
- fe_mul(r->X, p->X, p->T);
- fe_mul(r->Y, p->Y, p->Z);
- fe_mul(r->Z, p->Z, p->T);
- fe_mul(r->T, p->X, p->Y);
+static void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p)
+{
+ fe_mul(r->X, p->X, p->T);
+ fe_mul(r->Y, p->Y, p->Z);
+ fe_mul(r->Z, p->Z, p->T);
+ fe_mul(r->T, p->X, p->Y);
}
/* r = 2 * p */
-static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
- fe t0;
-
- fe_sq(r->X, p->X);
- fe_sq(r->Z, p->Y);
- fe_sq2(r->T, p->Z);
- fe_add(r->Y, p->X, p->Y);
- fe_sq(t0, r->Y);
- fe_add(r->Y, r->Z, r->X);
- fe_sub(r->Z, r->Z, r->X);
- fe_sub(r->X, t0, r->Y);
- fe_sub(r->T, r->T, r->Z);
+static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p)
+{
+ fe t0;
+
+ fe_sq(r->X, p->X);
+ fe_sq(r->Z, p->Y);
+ fe_sq2(r->T, p->Z);
+ fe_add(r->Y, p->X, p->Y);
+ fe_sq(t0, r->Y);
+ fe_add(r->Y, r->Z, r->X);
+ fe_sub(r->Z, r->Z, r->X);
+ fe_sub(r->X, t0, r->Y);
+ fe_sub(r->T, r->T, r->Z);
}
/* r = 2 * p */
-static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {
- ge_p2 q;
- ge_p3_to_p2(&q, p);
- ge_p2_dbl(r, &q);
+static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p)
+{
+ ge_p2 q;
+ ge_p3_to_p2(&q, p);
+ ge_p2_dbl(r, &q);
}
/* r = p + q */
-static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->yplusx);
- fe_mul(r->Y, r->Y, q->yminusx);
- fe_mul(r->T, q->xy2d, p->T);
- fe_add(t0, p->Z, p->Z);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_add(r->Z, t0, r->T);
- fe_sub(r->T, t0, r->T);
+static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->yplusx);
+ fe_mul(r->Y, r->Y, q->yminusx);
+ fe_mul(r->T, q->xy2d, p->T);
+ fe_add(t0, p->Z, p->Z);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_add(r->Z, t0, r->T);
+ fe_sub(r->T, t0, r->T);
}
/* r = p - q */
-static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->yminusx);
- fe_mul(r->Y, r->Y, q->yplusx);
- fe_mul(r->T, q->xy2d, p->T);
- fe_add(t0, p->Z, p->Z);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_sub(r->Z, t0, r->T);
- fe_add(r->T, t0, r->T);
+static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->yminusx);
+ fe_mul(r->Y, r->Y, q->yplusx);
+ fe_mul(r->T, q->xy2d, p->T);
+ fe_add(t0, p->Z, p->Z);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_sub(r->Z, t0, r->T);
+ fe_add(r->T, t0, r->T);
}
/* r = p + q */
-static void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->YplusX);
- fe_mul(r->Y, r->Y, q->YminusX);
- fe_mul(r->T, q->T2d, p->T);
- fe_mul(r->X, p->Z, q->Z);
- fe_add(t0, r->X, r->X);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_add(r->Z, t0, r->T);
- fe_sub(r->T, t0, r->T);
+static void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->YplusX);
+ fe_mul(r->Y, r->Y, q->YminusX);
+ fe_mul(r->T, q->T2d, p->T);
+ fe_mul(r->X, p->Z, q->Z);
+ fe_add(t0, r->X, r->X);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_add(r->Z, t0, r->T);
+ fe_sub(r->T, t0, r->T);
}
/* r = p - q */
-static void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->YminusX);
- fe_mul(r->Y, r->Y, q->YplusX);
- fe_mul(r->T, q->T2d, p->T);
- fe_mul(r->X, p->Z, q->Z);
- fe_add(t0, r->X, r->X);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_sub(r->Z, t0, r->T);
- fe_add(r->T, t0, r->T);
+static void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->YminusX);
+ fe_mul(r->Y, r->Y, q->YplusX);
+ fe_mul(r->T, q->T2d, p->T);
+ fe_mul(r->X, p->Z, q->Z);
+ fe_add(t0, r->X, r->X);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_sub(r->Z, t0, r->T);
+ fe_add(r->T, t0, r->T);
}
-static uint8_t equal(signed char b, signed char c) {
- uint8_t ub = b;
- uint8_t uc = c;
- uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */
- uint32_t y = x; /* 0: yes; 1..255: no */
- y -= 1; /* 4294967295: yes; 0..254: no */
- y >>= 31; /* 1: yes; 0: no */
- return y;
+static uint8_t equal(signed char b, signed char c)
+{
+ uint8_t ub = b;
+ uint8_t uc = c;
+ uint8_t x = ub ^ uc; /* 0: yes; 1..255: no */
+ uint32_t y = x; /* 0: yes; 1..255: no */
+ y -= 1; /* 4294967295: yes; 0..254: no */
+ y >>= 31; /* 1: yes; 0: no */
+ return y;
}
-static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) {
- fe_cmov(t->yplusx, u->yplusx, b);
- fe_cmov(t->yminusx, u->yminusx, b);
- fe_cmov(t->xy2d, u->xy2d, b);
+static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b)
+{
+ fe_cmov(t->yplusx, u->yplusx, b);
+ fe_cmov(t->yminusx, u->yminusx, b);
+ fe_cmov(t->xy2d, u->xy2d, b);
}
/* k25519Precomp[i][j] = (j+1)*256^i*B */
@@ -4107,257 +4188,273 @@ static const ge_precomp k25519Precomp[32][8] = {
},
};
-static uint8_t negative(signed char b) {
- uint32_t x = b;
- x >>= 31; /* 1: yes; 0: no */
- return x;
+static uint8_t negative(signed char b)
+{
+ uint32_t x = b;
+
+ x >>= 31; /* 1: yes; 0: no */
+ return x;
}
-static void table_select(ge_precomp *t, int pos, signed char b) {
- ge_precomp minust;
- uint8_t bnegative = negative(b);
- uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1);
-
- ge_precomp_0(t);
- cmov(t, &k25519Precomp[pos][0], equal(babs, 1));
- cmov(t, &k25519Precomp[pos][1], equal(babs, 2));
- cmov(t, &k25519Precomp[pos][2], equal(babs, 3));
- cmov(t, &k25519Precomp[pos][3], equal(babs, 4));
- cmov(t, &k25519Precomp[pos][4], equal(babs, 5));
- cmov(t, &k25519Precomp[pos][5], equal(babs, 6));
- cmov(t, &k25519Precomp[pos][6], equal(babs, 7));
- cmov(t, &k25519Precomp[pos][7], equal(babs, 8));
- fe_copy(minust.yplusx, t->yminusx);
- fe_copy(minust.yminusx, t->yplusx);
- fe_neg(minust.xy2d, t->xy2d);
- cmov(t, &minust, bnegative);
+static void table_select(ge_precomp *t, int pos, signed char b)
+{
+ ge_precomp minust;
+ uint8_t bnegative = negative(b);
+ uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1);
+
+ ge_precomp_0(t);
+ cmov(t, &k25519Precomp[pos][0], equal(babs, 1));
+ cmov(t, &k25519Precomp[pos][1], equal(babs, 2));
+ cmov(t, &k25519Precomp[pos][2], equal(babs, 3));
+ cmov(t, &k25519Precomp[pos][3], equal(babs, 4));
+ cmov(t, &k25519Precomp[pos][4], equal(babs, 5));
+ cmov(t, &k25519Precomp[pos][5], equal(babs, 6));
+ cmov(t, &k25519Precomp[pos][6], equal(babs, 7));
+ cmov(t, &k25519Precomp[pos][7], equal(babs, 8));
+ fe_copy(minust.yplusx, t->yminusx);
+ fe_copy(minust.yminusx, t->yplusx);
+ fe_neg(minust.xy2d, t->xy2d);
+ cmov(t, &minust, bnegative);
}
-/* h = a * B
+/*
+ * h = a * B
+ *
* where a = a[0]+256*a[1]+...+256^31 a[31]
* B is the Ed25519 base point (x,4/5) with x positive.
*
* Preconditions:
- * a[31] <= 127 */
-static void ge_scalarmult_base(ge_p3 *h, const uint8_t *a) {
- signed char e[64];
- signed char carry;
- ge_p1p1 r;
- ge_p2 s;
- ge_precomp t;
- int i;
-
- for (i = 0; i < 32; ++i) {
- e[2 * i + 0] = (a[i] >> 0) & 15;
- e[2 * i + 1] = (a[i] >> 4) & 15;
- }
- /* each e[i] is between 0 and 15 */
- /* e[63] is between 0 and 7 */
-
- carry = 0;
- for (i = 0; i < 63; ++i) {
- e[i] += carry;
- carry = e[i] + 8;
- carry >>= 4;
- e[i] -= carry << 4;
- }
- e[63] += carry;
- /* each e[i] is between -8 and 8 */
-
- ge_p3_0(h);
- for (i = 1; i < 64; i += 2) {
- table_select(&t, i / 2, e[i]);
- ge_madd(&r, h, &t);
- ge_p1p1_to_p3(h, &r);
- }
-
- ge_p3_dbl(&r, h);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p2(&s, &r);
- ge_p2_dbl(&r, &s);
- ge_p1p1_to_p3(h, &r);
-
- for (i = 0; i < 64; i += 2) {
- table_select(&t, i / 2, e[i]);
- ge_madd(&r, h, &t);
+ * a[31] <= 127
+ */
+static void ge_scalarmult_base(ge_p3 *h, const uint8_t *a)
+{
+ signed char e[64];
+ signed char carry;
+ ge_p1p1 r;
+ ge_p2 s;
+ ge_precomp t;
+ int i;
+
+ for (i = 0; i < 32; ++i) {
+ e[2 * i + 0] = (a[i] >> 0) & 15;
+ e[2 * i + 1] = (a[i] >> 4) & 15;
+ }
+ /* each e[i] is between 0 and 15 */
+ /* e[63] is between 0 and 7 */
+
+ carry = 0;
+ for (i = 0; i < 63; ++i) {
+ e[i] += carry;
+ carry = e[i] + 8;
+ carry >>= 4;
+ e[i] -= carry << 4;
+ }
+ e[63] += carry;
+ /* each e[i] is between -8 and 8 */
+
+ ge_p3_0(h);
+ for (i = 1; i < 64; i += 2) {
+ table_select(&t, i / 2, e[i]);
+ ge_madd(&r, h, &t);
+ ge_p1p1_to_p3(h, &r);
+ }
+
+ ge_p3_dbl(&r, h);
+ ge_p1p1_to_p2(&s, &r);
+ ge_p2_dbl(&r, &s);
+ ge_p1p1_to_p2(&s, &r);
+ ge_p2_dbl(&r, &s);
+ ge_p1p1_to_p2(&s, &r);
+ ge_p2_dbl(&r, &s);
ge_p1p1_to_p3(h, &r);
- }
- OPENSSL_cleanse(e, sizeof(e));
+ for (i = 0; i < 64; i += 2) {
+ table_select(&t, i / 2, e[i]);
+ ge_madd(&r, h, &t);
+ ge_p1p1_to_p3(h, &r);
+ }
+
+ OPENSSL_cleanse(e, sizeof(e));
}
#if !defined(BASE_2_51_IMPLEMENTED)
-/* Replace (f,g) with (g,f) if b == 1;
+/*
+ * Replace (f,g) with (g,f) if b == 1;
* replace (f,g) with (f,g) if b == 0.
*
- * Preconditions: b in {0,1}. */
-static void fe_cswap(fe f, fe g, unsigned int b) {
- size_t i;
- b = 0-b;
- for (i = 0; i < 10; i++) {
- int32_t x = f[i] ^ g[i];
- x &= b;
- f[i] ^= x;
- g[i] ^= x;
- }
+ * Preconditions: b in {0,1}.
+ */
+static void fe_cswap(fe f, fe g, unsigned int b)
+{
+ size_t i;
+
+ b = 0-b;
+ for (i = 0; i < 10; i++) {
+ int32_t x = f[i] ^ g[i];
+ x &= b;
+ f[i] ^= x;
+ g[i] ^= x;
+ }
}
-/* h = f * 121666
+/*
+ * h = f * 121666
+ *
* Can overlap h with f.
*
* Preconditions:
* |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
*
* Postconditions:
- * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */
-static void fe_mul121666(fe h, fe f) {
- int32_t f0 = f[0];
- int32_t f1 = f[1];
- int32_t f2 = f[2];
- int32_t f3 = f[3];
- int32_t f4 = f[4];
- int32_t f5 = f[5];
- int32_t f6 = f[6];
- int32_t f7 = f[7];
- int32_t f8 = f[8];
- int32_t f9 = f[9];
- int64_t h0 = f0 * (int64_t) 121666;
- int64_t h1 = f1 * (int64_t) 121666;
- int64_t h2 = f2 * (int64_t) 121666;
- int64_t h3 = f3 * (int64_t) 121666;
- int64_t h4 = f4 * (int64_t) 121666;
- int64_t h5 = f5 * (int64_t) 121666;
- int64_t h6 = f6 * (int64_t) 121666;
- int64_t h7 = f7 * (int64_t) 121666;
- int64_t h8 = f8 * (int64_t) 121666;
- int64_t h9 = f9 * (int64_t) 121666;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
-
- carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
- carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
- carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
- carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
- carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
-
- carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
- carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
- carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
- carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
- carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
-
- h[0] = (int32_t)h0;
- h[1] = (int32_t)h1;
- h[2] = (int32_t)h2;
- h[3] = (int32_t)h3;
- h[4] = (int32_t)h4;
- h[5] = (int32_t)h5;
- h[6] = (int32_t)h6;
- h[7] = (int32_t)h7;
- h[8] = (int32_t)h8;
- h[9] = (int32_t)h9;
+ * |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ */
+static void fe_mul121666(fe h, fe f)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+ int64_t h0 = f0 * (int64_t) 121666;
+ int64_t h1 = f1 * (int64_t) 121666;
+ int64_t h2 = f2 * (int64_t) 121666;
+ int64_t h3 = f3 * (int64_t) 121666;
+ int64_t h4 = f4 * (int64_t) 121666;
+ int64_t h5 = f5 * (int64_t) 121666;
+ int64_t h6 = f6 * (int64_t) 121666;
+ int64_t h7 = f7 * (int64_t) 121666;
+ int64_t h8 = f8 * (int64_t) 121666;
+ int64_t h9 = f9 * (int64_t) 121666;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ carry9 = h9 + (1 << 24); h0 += (carry9 >> 25) * 19; h9 -= carry9 & kTop39Bits;
+ carry1 = h1 + (1 << 24); h2 += carry1 >> 25; h1 -= carry1 & kTop39Bits;
+ carry3 = h3 + (1 << 24); h4 += carry3 >> 25; h3 -= carry3 & kTop39Bits;
+ carry5 = h5 + (1 << 24); h6 += carry5 >> 25; h5 -= carry5 & kTop39Bits;
+ carry7 = h7 + (1 << 24); h8 += carry7 >> 25; h7 -= carry7 & kTop39Bits;
+
+ carry0 = h0 + (1 << 25); h1 += carry0 >> 26; h0 -= carry0 & kTop38Bits;
+ carry2 = h2 + (1 << 25); h3 += carry2 >> 26; h2 -= carry2 & kTop38Bits;
+ carry4 = h4 + (1 << 25); h5 += carry4 >> 26; h4 -= carry4 & kTop38Bits;
+ carry6 = h6 + (1 << 25); h7 += carry6 >> 26; h6 -= carry6 & kTop38Bits;
+ carry8 = h8 + (1 << 25); h9 += carry8 >> 26; h8 -= carry8 & kTop38Bits;
+
+ h[0] = (int32_t)h0;
+ h[1] = (int32_t)h1;
+ h[2] = (int32_t)h2;
+ h[3] = (int32_t)h3;
+ h[4] = (int32_t)h4;
+ h[5] = (int32_t)h5;
+ h[6] = (int32_t)h6;
+ h[7] = (int32_t)h7;
+ h[8] = (int32_t)h8;
+ h[9] = (int32_t)h9;
}
static void x25519_scalar_mult_generic(uint8_t out[32],
const uint8_t scalar[32],
const uint8_t point[32]) {
- fe x1, x2, z2, x3, z3, tmp0, tmp1;
- uint8_t e[32];
- unsigned swap = 0;
- int pos;
-
- memcpy(e, scalar, 32);
- e[0] &= 248;
- e[31] &= 127;
- e[31] |= 64;
- fe_frombytes(x1, point);
- fe_1(x2);
- fe_0(z2);
- fe_copy(x3, x1);
- fe_1(z3);
-
- for (pos = 254; pos >= 0; --pos) {
- unsigned b = 1 & (e[pos / 8] >> (pos & 7));
- swap ^= b;
- fe_cswap(x2, x3, swap);
- fe_cswap(z2, z3, swap);
- swap = b;
- fe_sub(tmp0, x3, z3);
- fe_sub(tmp1, x2, z2);
- fe_add(x2, x2, z2);
- fe_add(z2, x3, z3);
- fe_mul(z3, tmp0, x2);
- fe_mul(z2, z2, tmp1);
- fe_sq(tmp0, tmp1);
- fe_sq(tmp1, x2);
- fe_add(x3, z3, z2);
- fe_sub(z2, z3, z2);
- fe_mul(x2, tmp1, tmp0);
- fe_sub(tmp1, tmp1, tmp0);
- fe_sq(z2, z2);
- fe_mul121666(z3, tmp1);
- fe_sq(x3, x3);
- fe_add(tmp0, tmp0, z3);
- fe_mul(z3, x1, z2);
- fe_mul(z2, tmp1, tmp0);
- }
-
- fe_invert(z2, z2);
- fe_mul(x2, x2, z2);
- fe_tobytes(out, x2);
-
- OPENSSL_cleanse(e, sizeof(e));
+ fe x1, x2, z2, x3, z3, tmp0, tmp1;
+ uint8_t e[32];
+ unsigned swap = 0;
+ int pos;
+
+ memcpy(e, scalar, 32);
+ e[0] &= 248;
+ e[31] &= 127;
+ e[31] |= 64;
+ fe_frombytes(x1, point);
+ fe_1(x2);
+ fe_0(z2);
+ fe_copy(x3, x1);
+ fe_1(z3);
+
+ for (pos = 254; pos >= 0; --pos) {
+ unsigned b = 1 & (e[pos / 8] >> (pos & 7));
+ swap ^= b;
+ fe_cswap(x2, x3, swap);
+ fe_cswap(z2, z3, swap);
+ swap = b;
+ fe_sub(tmp0, x3, z3);
+ fe_sub(tmp1, x2, z2);
+ fe_add(x2, x2, z2);
+ fe_add(z2, x3, z3);
+ fe_mul(z3, tmp0, x2);
+ fe_mul(z2, z2, tmp1);
+ fe_sq(tmp0, tmp1);
+ fe_sq(tmp1, x2);
+ fe_add(x3, z3, z2);
+ fe_sub(z2, z3, z2);
+ fe_mul(x2, tmp1, tmp0);
+ fe_sub(tmp1, tmp1, tmp0);
+ fe_sq(z2, z2);
+ fe_mul121666(z3, tmp1);
+ fe_sq(x3, x3);
+ fe_add(tmp0, tmp0, z3);
+ fe_mul(z3, x1, z2);
+ fe_mul(z2, tmp1, tmp0);
+ }
+
+ fe_invert(z2, z2);
+ fe_mul(x2, x2, z2);
+ fe_tobytes(out, x2);
+
+ OPENSSL_cleanse(e, sizeof(e));
}
static void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32],
const uint8_t point[32]) {
- x25519_scalar_mult_generic(out, scalar, point);
+ x25519_scalar_mult_generic(out, scalar, point);
}
#endif
-static void slide(signed char *r, const uint8_t *a) {
- int i;
- int b;
- int k;
-
- for (i = 0; i < 256; ++i) {
- r[i] = 1 & (a[i >> 3] >> (i & 7));
- }
-
- for (i = 0; i < 256; ++i) {
- if (r[i]) {
- for (b = 1; b <= 6 && i + b < 256; ++b) {
- if (r[i + b]) {
- if (r[i] + (r[i + b] << b) <= 15) {
- r[i] += r[i + b] << b;
- r[i + b] = 0;
- } else if (r[i] - (r[i + b] << b) >= -15) {
- r[i] -= r[i + b] << b;
- for (k = i + b; k < 256; ++k) {
- if (!r[k]) {
- r[k] = 1;
- break;
- }
- r[k] = 0;
+static void slide(signed char *r, const uint8_t *a)
+{
+ int i;
+ int b;
+ int k;
+
+ for (i = 0; i < 256; ++i) {
+ r[i] = 1 & (a[i >> 3] >> (i & 7));
+ }
+
+ for (i = 0; i < 256; ++i) {
+ if (r[i]) {
+ for (b = 1; b <= 6 && i + b < 256; ++b) {
+ if (r[i + b]) {
+ if (r[i] + (r[i + b] << b) <= 15) {
+ r[i] += r[i + b] << b;
+ r[i + b] = 0;
+ } else if (r[i] - (r[i + b] << b) >= -15) {
+ r[i] -= r[i + b] << b;
+ for (k = i + b; k < 256; ++k) {
+ if (!r[k]) {
+ r[k] = 1;
+ break;
+ }
+ r[k] = 0;
+ }
+ } else {
+ break;
+ }
+ }
}
- } else {
- break;
- }
}
- }
}
- }
}
static const ge_precomp Bi[8] = {
@@ -4427,1033 +4524,1075 @@ static const ge_precomp Bi[8] = {
},
};
-/* r = a * A + b * B
+/*
+ * r = a * A + b * B
+ *
* where a = a[0]+256*a[1]+...+256^31 a[31].
* and b = b[0]+256*b[1]+...+256^31 b[31].
- * B is the Ed25519 base point (x,4/5) with x positive. */
+ * B is the Ed25519 base point (x,4/5) with x positive.
+ */
static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
- const ge_p3 *A, const uint8_t *b) {
- signed char aslide[256];
- signed char bslide[256];
- ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
- ge_p1p1 t;
- ge_p3 u;
- ge_p3 A2;
- int i;
-
- slide(aslide, a);
- slide(bslide, b);
-
- ge_p3_to_cached(&Ai[0], A);
- ge_p3_dbl(&t, A);
- ge_p1p1_to_p3(&A2, &t);
- ge_add(&t, &A2, &Ai[0]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[1], &u);
- ge_add(&t, &A2, &Ai[1]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[2], &u);
- ge_add(&t, &A2, &Ai[2]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[3], &u);
- ge_add(&t, &A2, &Ai[3]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[4], &u);
- ge_add(&t, &A2, &Ai[4]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[5], &u);
- ge_add(&t, &A2, &Ai[5]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[6], &u);
- ge_add(&t, &A2, &Ai[6]);
- ge_p1p1_to_p3(&u, &t);
- ge_p3_to_cached(&Ai[7], &u);
-
- ge_p2_0(r);
-
- for (i = 255; i >= 0; --i) {
- if (aslide[i] || bslide[i]) {
- break;
+ const ge_p3 *A, const uint8_t *b)
+{
+ signed char aslide[256];
+ signed char bslide[256];
+ ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+ ge_p1p1 t;
+ ge_p3 u;
+ ge_p3 A2;
+ int i;
+
+ slide(aslide, a);
+ slide(bslide, b);
+
+ ge_p3_to_cached(&Ai[0], A);
+ ge_p3_dbl(&t, A);
+ ge_p1p1_to_p3(&A2, &t);
+ ge_add(&t, &A2, &Ai[0]);
+ ge_p1p1_to_p3(&u, &t);
+ ge_p3_to_cached(&Ai[1], &u);
+ ge_add(&t, &A2, &Ai[1]);
+ ge_p1p1_to_p3(&u, &t);
+ ge_p3_to_cached(&Ai[2], &u);
+ ge_add(&t, &A2, &Ai[2]);
+ ge_p1p1_to_p3(&u, &t);
+ ge_p3_to_cached(&Ai[3], &u);
+ ge_add(&t, &A2, &Ai[3]);
+ ge_p1p1_to_p3(&u, &t);
+ ge_p3_to_cached(&Ai[4], &u);
+ ge_add(&t, &A2, &Ai[4]);
+ ge_p1p1_to_p3(&u, &t);
+ ge_p3_to_cached(&Ai[5], &u);
+ ge_add(&t, &A2, &Ai[5]);
+ ge_p1p1_to_p3(&u, &t);
+ ge_p3_to_cached(&Ai[6], &u);
+ ge_add(&t, &A2, &Ai[6]);
+ ge_p1p1_to_p3(&u, &t);
+ ge_p3_to_cached(&Ai[7], &u);
+
+ ge_p2_0(r);
+
+ for (i = 255; i >= 0; --i) {
+ if (aslide[i] || bslide[i]) {
+ break;
+ }
}
- }
- for (; i >= 0; --i) {
- ge_p2_dbl(&t, r);
+ for (; i >= 0; --i) {
+ ge_p2_dbl(&t, r);
- if (aslide[i] > 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_add(&t, &u, &Ai[aslide[i] / 2]);
- } else if (aslide[i] < 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
- }
+ if (aslide[i] > 0) {
+ ge_p1p1_to_p3(&u, &t);
+ ge_add(&t, &u, &Ai[aslide[i] / 2]);
+ } else if (aslide[i] < 0) {
+ ge_p1p1_to_p3(&u, &t);
+ ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
+ }
- if (bslide[i] > 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_madd(&t, &u, &Bi[bslide[i] / 2]);
- } else if (bslide[i] < 0) {
- ge_p1p1_to_p3(&u, &t);
- ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
- }
+ if (bslide[i] > 0) {
+ ge_p1p1_to_p3(&u, &t);
+ ge_madd(&t, &u, &Bi[bslide[i] / 2]);
+ } else if (bslide[i] < 0) {
+ ge_p1p1_to_p3(&u, &t);
+ ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
+ }
- ge_p1p1_to_p2(r, &t);
- }
+ ge_p1p1_to_p2(r, &t);
+ }
}
-/* The set of scalars is \Z/l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
-
-/* Input:
+/*
+ * The set of scalars is \Z/l
+ * where l = 2^252 + 27742317777372353535851937790883648493.
+ *
+ * Input:
* s[0]+256*s[1]+...+256^63*s[63] = s
*
* Output:
* s[0]+256*s[1]+...+256^31*s[31] = s mod l
* where l = 2^252 + 27742317777372353535851937790883648493.
- * Overwrites s in place. */
-static void x25519_sc_reduce(uint8_t *s) {
- int64_t s0 = 2097151 & load_3(s);
- int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
- int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
- int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
- int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
- int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
- int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
- int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
- int64_t s8 = 2097151 & load_3(s + 21);
- int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
- int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
- int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
- int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
- int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
- int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
- int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
- int64_t s16 = 2097151 & load_3(s + 42);
- int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
- int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
- int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
- int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
- int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
- int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
- int64_t s23 = (load_4(s + 60) >> 3);
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
- int64_t carry10;
- int64_t carry11;
- int64_t carry12;
- int64_t carry13;
- int64_t carry14;
- int64_t carry15;
- int64_t carry16;
-
- s11 += s23 * 666643;
- s12 += s23 * 470296;
- s13 += s23 * 654183;
- s14 -= s23 * 997805;
- s15 += s23 * 136657;
- s16 -= s23 * 683901;
- s23 = 0;
-
- s10 += s22 * 666643;
- s11 += s22 * 470296;
- s12 += s22 * 654183;
- s13 -= s22 * 997805;
- s14 += s22 * 136657;
- s15 -= s22 * 683901;
- s22 = 0;
-
- s9 += s21 * 666643;
- s10 += s21 * 470296;
- s11 += s21 * 654183;
- s12 -= s21 * 997805;
- s13 += s21 * 136657;
- s14 -= s21 * 683901;
- s21 = 0;
-
- s8 += s20 * 666643;
- s9 += s20 * 470296;
- s10 += s20 * 654183;
- s11 -= s20 * 997805;
- s12 += s20 * 136657;
- s13 -= s20 * 683901;
- s20 = 0;
-
- s7 += s19 * 666643;
- s8 += s19 * 470296;
- s9 += s19 * 654183;
- s10 -= s19 * 997805;
- s11 += s19 * 136657;
- s12 -= s19 * 683901;
- s19 = 0;
-
- s6 += s18 * 666643;
- s7 += s18 * 470296;
- s8 += s18 * 654183;
- s9 -= s18 * 997805;
- s10 += s18 * 136657;
- s11 -= s18 * 683901;
- s18 = 0;
-
- carry6 = (s6 + (1 << 20)) >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry8 = (s8 + (1 << 20)) >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry10 = (s10 + (1 << 20)) >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
- carry12 = (s12 + (1 << 20)) >> 21;
- s13 += carry12;
- s12 -= carry12 * (1 << 21);
- carry14 = (s14 + (1 << 20)) >> 21;
- s15 += carry14;
- s14 -= carry14 * (1 << 21);
- carry16 = (s16 + (1 << 20)) >> 21;
- s17 += carry16;
- s16 -= carry16 * (1 << 21);
-
- carry7 = (s7 + (1 << 20)) >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry9 = (s9 + (1 << 20)) >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry11 = (s11 + (1 << 20)) >> 21;
- s12 += carry11;
- s11 -= carry11 * (1 << 21);
- carry13 = (s13 + (1 << 20)) >> 21;
- s14 += carry13;
- s13 -= carry13 * (1 << 21);
- carry15 = (s15 + (1 << 20)) >> 21;
- s16 += carry15;
- s15 -= carry15 * (1 << 21);
-
- s5 += s17 * 666643;
- s6 += s17 * 470296;
- s7 += s17 * 654183;
- s8 -= s17 * 997805;
- s9 += s17 * 136657;
- s10 -= s17 * 683901;
- s17 = 0;
-
- s4 += s16 * 666643;
- s5 += s16 * 470296;
- s6 += s16 * 654183;
- s7 -= s16 * 997805;
- s8 += s16 * 136657;
- s9 -= s16 * 683901;
- s16 = 0;
-
- s3 += s15 * 666643;
- s4 += s15 * 470296;
- s5 += s15 * 654183;
- s6 -= s15 * 997805;
- s7 += s15 * 136657;
- s8 -= s15 * 683901;
- s15 = 0;
-
- s2 += s14 * 666643;
- s3 += s14 * 470296;
- s4 += s14 * 654183;
- s5 -= s14 * 997805;
- s6 += s14 * 136657;
- s7 -= s14 * 683901;
- s14 = 0;
-
- s1 += s13 * 666643;
- s2 += s13 * 470296;
- s3 += s13 * 654183;
- s4 -= s13 * 997805;
- s5 += s13 * 136657;
- s6 -= s13 * 683901;
- s13 = 0;
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = (s0 + (1 << 20)) >> 21;
- s1 += carry0;
- s0 -= carry0 * (1 << 21);
- carry2 = (s2 + (1 << 20)) >> 21;
- s3 += carry2;
- s2 -= carry2 * (1 << 21);
- carry4 = (s4 + (1 << 20)) >> 21;
- s5 += carry4;
- s4 -= carry4 * (1 << 21);
- carry6 = (s6 + (1 << 20)) >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry8 = (s8 + (1 << 20)) >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry10 = (s10 + (1 << 20)) >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
-
- carry1 = (s1 + (1 << 20)) >> 21;
- s2 += carry1;
- s1 -= carry1 * (1 << 21);
- carry3 = (s3 + (1 << 20)) >> 21;
- s4 += carry3;
- s3 -= carry3 * (1 << 21);
- carry5 = (s5 + (1 << 20)) >> 21;
- s6 += carry5;
- s5 -= carry5 * (1 << 21);
- carry7 = (s7 + (1 << 20)) >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry9 = (s9 + (1 << 20)) >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry11 = (s11 + (1 << 20)) >> 21;
- s12 += carry11;
- s11 -= carry11 * (1 << 21);
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = s0 >> 21;
- s1 += carry0;
- s0 -= carry0 * (1 << 21);
- carry1 = s1 >> 21;
- s2 += carry1;
- s1 -= carry1 * (1 << 21);
- carry2 = s2 >> 21;
- s3 += carry2;
- s2 -= carry2 * (1 << 21);
- carry3 = s3 >> 21;
- s4 += carry3;
- s3 -= carry3 * (1 << 21);
- carry4 = s4 >> 21;
- s5 += carry4;
- s4 -= carry4 * (1 << 21);
- carry5 = s5 >> 21;
- s6 += carry5;
- s5 -= carry5 * (1 << 21);
- carry6 = s6 >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry7 = s7 >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry8 = s8 >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry9 = s9 >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry10 = s10 >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
- carry11 = s11 >> 21;
- s12 += carry11;
- s11 -= carry11 * (1 << 21);
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = s0 >> 21;
- s1 += carry0;
- s0 -= carry0 * (1 << 21);
- carry1 = s1 >> 21;
- s2 += carry1;
- s1 -= carry1 * (1 << 21);
- carry2 = s2 >> 21;
- s3 += carry2;
- s2 -= carry2 * (1 << 21);
- carry3 = s3 >> 21;
- s4 += carry3;
- s3 -= carry3 * (1 << 21);
- carry4 = s4 >> 21;
- s5 += carry4;
- s4 -= carry4 * (1 << 21);
- carry5 = s5 >> 21;
- s6 += carry5;
- s5 -= carry5 * (1 << 21);
- carry6 = s6 >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry7 = s7 >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry8 = s8 >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry9 = s9 >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry10 = s10 >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
-
- s[0] = (uint8_t)(s0 >> 0);
- s[1] = (uint8_t)(s0 >> 8);
- s[2] = (uint8_t)((s0 >> 16) | (s1 << 5));
- s[3] = (uint8_t)(s1 >> 3);
- s[4] = (uint8_t)(s1 >> 11);
- s[5] = (uint8_t)((s1 >> 19) | (s2 << 2));
- s[6] = (uint8_t)(s2 >> 6);
- s[7] = (uint8_t)((s2 >> 14) | (s3 << 7));
- s[8] = (uint8_t)(s3 >> 1);
- s[9] = (uint8_t)(s3 >> 9);
- s[10] = (uint8_t)((s3 >> 17) | (s4 << 4));
- s[11] = (uint8_t)(s4 >> 4);
- s[12] = (uint8_t)(s4 >> 12);
- s[13] = (uint8_t)((s4 >> 20) | (s5 << 1));
- s[14] = (uint8_t)(s5 >> 7);
- s[15] = (uint8_t)((s5 >> 15) | (s6 << 6));
- s[16] = (uint8_t)(s6 >> 2);
- s[17] = (uint8_t)(s6 >> 10);
- s[18] = (uint8_t)((s6 >> 18) | (s7 << 3));
- s[19] = (uint8_t)(s7 >> 5);
- s[20] = (uint8_t)(s7 >> 13);
- s[21] = (uint8_t)(s8 >> 0);
- s[22] = (uint8_t)(s8 >> 8);
- s[23] = (uint8_t)((s8 >> 16) | (s9 << 5));
- s[24] = (uint8_t)(s9 >> 3);
- s[25] = (uint8_t)(s9 >> 11);
- s[26] = (uint8_t)((s9 >> 19) | (s10 << 2));
- s[27] = (uint8_t)(s10 >> 6);
- s[28] = (uint8_t)((s10 >> 14) | (s11 << 7));
- s[29] = (uint8_t)(s11 >> 1);
- s[30] = (uint8_t)(s11 >> 9);
- s[31] = (uint8_t)(s11 >> 17);
+ * Overwrites s in place.
+*/
+static void x25519_sc_reduce(uint8_t *s)
+{
+ int64_t s0 = kBottom21Bits & load_3(s);
+ int64_t s1 = kBottom21Bits & (load_4(s + 2) >> 5);
+ int64_t s2 = kBottom21Bits & (load_3(s + 5) >> 2);
+ int64_t s3 = kBottom21Bits & (load_4(s + 7) >> 7);
+ int64_t s4 = kBottom21Bits & (load_4(s + 10) >> 4);
+ int64_t s5 = kBottom21Bits & (load_3(s + 13) >> 1);
+ int64_t s6 = kBottom21Bits & (load_4(s + 15) >> 6);
+ int64_t s7 = kBottom21Bits & (load_3(s + 18) >> 3);
+ int64_t s8 = kBottom21Bits & load_3(s + 21);
+ int64_t s9 = kBottom21Bits & (load_4(s + 23) >> 5);
+ int64_t s10 = kBottom21Bits & (load_3(s + 26) >> 2);
+ int64_t s11 = kBottom21Bits & (load_4(s + 28) >> 7);
+ int64_t s12 = kBottom21Bits & (load_4(s + 31) >> 4);
+ int64_t s13 = kBottom21Bits & (load_3(s + 34) >> 1);
+ int64_t s14 = kBottom21Bits & (load_4(s + 36) >> 6);
+ int64_t s15 = kBottom21Bits & (load_3(s + 39) >> 3);
+ int64_t s16 = kBottom21Bits & load_3(s + 42);
+ int64_t s17 = kBottom21Bits & (load_4(s + 44) >> 5);
+ int64_t s18 = kBottom21Bits & (load_3(s + 47) >> 2);
+ int64_t s19 = kBottom21Bits & (load_4(s + 49) >> 7);
+ int64_t s20 = kBottom21Bits & (load_4(s + 52) >> 4);
+ int64_t s21 = kBottom21Bits & (load_3(s + 55) >> 1);
+ int64_t s22 = kBottom21Bits & (load_4(s + 57) >> 6);
+ int64_t s23 = (load_4(s + 60) >> 3);
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+ int64_t carry10;
+ int64_t carry11;
+ int64_t carry12;
+ int64_t carry13;
+ int64_t carry14;
+ int64_t carry15;
+ int64_t carry16;
+
+ s11 += s23 * 666643;
+ s12 += s23 * 470296;
+ s13 += s23 * 654183;
+ s14 -= s23 * 997805;
+ s15 += s23 * 136657;
+ s16 -= s23 * 683901;
+ s23 = 0;
+
+ s10 += s22 * 666643;
+ s11 += s22 * 470296;
+ s12 += s22 * 654183;
+ s13 -= s22 * 997805;
+ s14 += s22 * 136657;
+ s15 -= s22 * 683901;
+ s22 = 0;
+
+ s9 += s21 * 666643;
+ s10 += s21 * 470296;
+ s11 += s21 * 654183;
+ s12 -= s21 * 997805;
+ s13 += s21 * 136657;
+ s14 -= s21 * 683901;
+ s21 = 0;
+
+ s8 += s20 * 666643;
+ s9 += s20 * 470296;
+ s10 += s20 * 654183;
+ s11 -= s20 * 997805;
+ s12 += s20 * 136657;
+ s13 -= s20 * 683901;
+ s20 = 0;
+
+ s7 += s19 * 666643;
+ s8 += s19 * 470296;
+ s9 += s19 * 654183;
+ s10 -= s19 * 997805;
+ s11 += s19 * 136657;
+ s12 -= s19 * 683901;
+ s19 = 0;
+
+ s6 += s18 * 666643;
+ s7 += s18 * 470296;
+ s8 += s18 * 654183;
+ s9 -= s18 * 997805;
+ s10 += s18 * 136657;
+ s11 -= s18 * 683901;
+ s18 = 0;
+
+ carry6 = (s6 + (1 << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry8 = (s8 + (1 << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry10 = (s10 + (1 << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+ carry12 = (s12 + (1 << 20)) >> 21;
+ s13 += carry12;
+ s12 -= carry12 * (1 << 21);
+ carry14 = (s14 + (1 << 20)) >> 21;
+ s15 += carry14;
+ s14 -= carry14 * (1 << 21);
+ carry16 = (s16 + (1 << 20)) >> 21;
+ s17 += carry16;
+ s16 -= carry16 * (1 << 21);
+
+ carry7 = (s7 + (1 << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry9 = (s9 + (1 << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry11 = (s11 + (1 << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * (1 << 21);
+ carry13 = (s13 + (1 << 20)) >> 21;
+ s14 += carry13;
+ s13 -= carry13 * (1 << 21);
+ carry15 = (s15 + (1 << 20)) >> 21;
+ s16 += carry15;
+ s15 -= carry15 * (1 << 21);
+
+ s5 += s17 * 666643;
+ s6 += s17 * 470296;
+ s7 += s17 * 654183;
+ s8 -= s17 * 997805;
+ s9 += s17 * 136657;
+ s10 -= s17 * 683901;
+ s17 = 0;
+
+ s4 += s16 * 666643;
+ s5 += s16 * 470296;
+ s6 += s16 * 654183;
+ s7 -= s16 * 997805;
+ s8 += s16 * 136657;
+ s9 -= s16 * 683901;
+ s16 = 0;
+
+ s3 += s15 * 666643;
+ s4 += s15 * 470296;
+ s5 += s15 * 654183;
+ s6 -= s15 * 997805;
+ s7 += s15 * 136657;
+ s8 -= s15 * 683901;
+ s15 = 0;
+
+ s2 += s14 * 666643;
+ s3 += s14 * 470296;
+ s4 += s14 * 654183;
+ s5 -= s14 * 997805;
+ s6 += s14 * 136657;
+ s7 -= s14 * 683901;
+ s14 = 0;
+
+ s1 += s13 * 666643;
+ s2 += s13 * 470296;
+ s3 += s13 * 654183;
+ s4 -= s13 * 997805;
+ s5 += s13 * 136657;
+ s6 -= s13 * 683901;
+ s13 = 0;
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = (s0 + (1 << 20)) >> 21;
+ s1 += carry0;
+ s0 -= carry0 * (1 << 21);
+ carry2 = (s2 + (1 << 20)) >> 21;
+ s3 += carry2;
+ s2 -= carry2 * (1 << 21);
+ carry4 = (s4 + (1 << 20)) >> 21;
+ s5 += carry4;
+ s4 -= carry4 * (1 << 21);
+ carry6 = (s6 + (1 << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry8 = (s8 + (1 << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry10 = (s10 + (1 << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+
+ carry1 = (s1 + (1 << 20)) >> 21;
+ s2 += carry1;
+ s1 -= carry1 * (1 << 21);
+ carry3 = (s3 + (1 << 20)) >> 21;
+ s4 += carry3;
+ s3 -= carry3 * (1 << 21);
+ carry5 = (s5 + (1 << 20)) >> 21;
+ s6 += carry5;
+ s5 -= carry5 * (1 << 21);
+ carry7 = (s7 + (1 << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry9 = (s9 + (1 << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry11 = (s11 + (1 << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * (1 << 21);
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 * (1 << 21);
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 * (1 << 21);
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 * (1 << 21);
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 * (1 << 21);
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 * (1 << 21);
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 * (1 << 21);
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+ carry11 = s11 >> 21;
+ s12 += carry11;
+ s11 -= carry11 * (1 << 21);
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 * (1 << 21);
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 * (1 << 21);
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 * (1 << 21);
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 * (1 << 21);
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 * (1 << 21);
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 * (1 << 21);
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+
+ s[ 0] = (uint8_t) (s0 >> 0);
+ s[ 1] = (uint8_t) (s0 >> 8);
+ s[ 2] = (uint8_t)((s0 >> 16) | (s1 << 5));
+ s[ 3] = (uint8_t) (s1 >> 3);
+ s[ 4] = (uint8_t) (s1 >> 11);
+ s[ 5] = (uint8_t)((s1 >> 19) | (s2 << 2));
+ s[ 6] = (uint8_t) (s2 >> 6);
+ s[ 7] = (uint8_t)((s2 >> 14) | (s3 << 7));
+ s[ 8] = (uint8_t) (s3 >> 1);
+ s[ 9] = (uint8_t) (s3 >> 9);
+ s[10] = (uint8_t)((s3 >> 17) | (s4 << 4));
+ s[11] = (uint8_t) (s4 >> 4);
+ s[12] = (uint8_t) (s4 >> 12);
+ s[13] = (uint8_t)((s4 >> 20) | (s5 << 1));
+ s[14] = (uint8_t) (s5 >> 7);
+ s[15] = (uint8_t)((s5 >> 15) | (s6 << 6));
+ s[16] = (uint8_t) (s6 >> 2);
+ s[17] = (uint8_t) (s6 >> 10);
+ s[18] = (uint8_t)((s6 >> 18) | (s7 << 3));
+ s[19] = (uint8_t) (s7 >> 5);
+ s[20] = (uint8_t) (s7 >> 13);
+ s[21] = (uint8_t) (s8 >> 0);
+ s[22] = (uint8_t) (s8 >> 8);
+ s[23] = (uint8_t)((s8 >> 16) | (s9 << 5));
+ s[24] = (uint8_t) (s9 >> 3);
+ s[25] = (uint8_t) (s9 >> 11);
+ s[26] = (uint8_t)((s9 >> 19) | (s10 << 2));
+ s[27] = (uint8_t) (s10 >> 6);
+ s[28] = (uint8_t)((s10 >> 14) | (s11 << 7));
+ s[29] = (uint8_t) (s11 >> 1);
+ s[30] = (uint8_t) (s11 >> 9);
+ s[31] = (uint8_t) (s11 >> 17);
}
-/* Input:
+/*
+ * Input:
* a[0]+256*a[1]+...+256^31*a[31] = a
* b[0]+256*b[1]+...+256^31*b[31] = b
* c[0]+256*c[1]+...+256^31*c[31] = c
*
* Output:
* s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
- * where l = 2^252 + 27742317777372353535851937790883648493. */
+ * where l = 2^252 + 27742317777372353535851937790883648493.
+ */
static void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
- const uint8_t *c) {
- int64_t a0 = 2097151 & load_3(a);
- int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
- int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
- int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
- int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
- int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
- int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
- int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
- int64_t a8 = 2097151 & load_3(a + 21);
- int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
- int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
- int64_t a11 = (load_4(a + 28) >> 7);
- int64_t b0 = 2097151 & load_3(b);
- int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
- int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
- int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
- int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
- int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
- int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
- int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
- int64_t b8 = 2097151 & load_3(b + 21);
- int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
- int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
- int64_t b11 = (load_4(b + 28) >> 7);
- int64_t c0 = 2097151 & load_3(c);
- int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
- int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
- int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
- int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
- int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
- int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
- int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
- int64_t c8 = 2097151 & load_3(c + 21);
- int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
- int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
- int64_t c11 = (load_4(c + 28) >> 7);
- int64_t s0;
- int64_t s1;
- int64_t s2;
- int64_t s3;
- int64_t s4;
- int64_t s5;
- int64_t s6;
- int64_t s7;
- int64_t s8;
- int64_t s9;
- int64_t s10;
- int64_t s11;
- int64_t s12;
- int64_t s13;
- int64_t s14;
- int64_t s15;
- int64_t s16;
- int64_t s17;
- int64_t s18;
- int64_t s19;
- int64_t s20;
- int64_t s21;
- int64_t s22;
- int64_t s23;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
- int64_t carry10;
- int64_t carry11;
- int64_t carry12;
- int64_t carry13;
- int64_t carry14;
- int64_t carry15;
- int64_t carry16;
- int64_t carry17;
- int64_t carry18;
- int64_t carry19;
- int64_t carry20;
- int64_t carry21;
- int64_t carry22;
-
- s0 = c0 + a0 * b0;
- s1 = c1 + a0 * b1 + a1 * b0;
- s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
- s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
- s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
- s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
- s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
- s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 +
- a6 * b1 + a7 * b0;
- s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 +
- a6 * b2 + a7 * b1 + a8 * b0;
- s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 +
- a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
- s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 +
- a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
- s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 +
- a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
- s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 +
- a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
- s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 +
- a9 * b4 + a10 * b3 + a11 * b2;
- s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 +
- a10 * b4 + a11 * b3;
- s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 +
- a11 * b4;
- s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
- s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
- s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
- s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
- s20 = a9 * b11 + a10 * b10 + a11 * b9;
- s21 = a10 * b11 + a11 * b10;
- s22 = a11 * b11;
- s23 = 0;
-
- carry0 = (s0 + (1 << 20)) >> 21;
- s1 += carry0;
- s0 -= carry0 * (1 << 21);
- carry2 = (s2 + (1 << 20)) >> 21;
- s3 += carry2;
- s2 -= carry2 * (1 << 21);
- carry4 = (s4 + (1 << 20)) >> 21;
- s5 += carry4;
- s4 -= carry4 * (1 << 21);
- carry6 = (s6 + (1 << 20)) >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry8 = (s8 + (1 << 20)) >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry10 = (s10 + (1 << 20)) >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
- carry12 = (s12 + (1 << 20)) >> 21;
- s13 += carry12;
- s12 -= carry12 * (1 << 21);
- carry14 = (s14 + (1 << 20)) >> 21;
- s15 += carry14;
- s14 -= carry14 * (1 << 21);
- carry16 = (s16 + (1 << 20)) >> 21;
- s17 += carry16;
- s16 -= carry16 * (1 << 21);
- carry18 = (s18 + (1 << 20)) >> 21;
- s19 += carry18;
- s18 -= carry18 * (1 << 21);
- carry20 = (s20 + (1 << 20)) >> 21;
- s21 += carry20;
- s20 -= carry20 * (1 << 21);
- carry22 = (s22 + (1 << 20)) >> 21;
- s23 += carry22;
- s22 -= carry22 * (1 << 21);
-
- carry1 = (s1 + (1 << 20)) >> 21;
- s2 += carry1;
- s1 -= carry1 * (1 << 21);
- carry3 = (s3 + (1 << 20)) >> 21;
- s4 += carry3;
- s3 -= carry3 * (1 << 21);
- carry5 = (s5 + (1 << 20)) >> 21;
- s6 += carry5;
- s5 -= carry5 * (1 << 21);
- carry7 = (s7 + (1 << 20)) >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry9 = (s9 + (1 << 20)) >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry11 = (s11 + (1 << 20)) >> 21;
- s12 += carry11;
- s11 -= carry11 * (1 << 21);
- carry13 = (s13 + (1 << 20)) >> 21;
- s14 += carry13;
- s13 -= carry13 * (1 << 21);
- carry15 = (s15 + (1 << 20)) >> 21;
- s16 += carry15;
- s15 -= carry15 * (1 << 21);
- carry17 = (s17 + (1 << 20)) >> 21;
- s18 += carry17;
- s17 -= carry17 * (1 << 21);
- carry19 = (s19 + (1 << 20)) >> 21;
- s20 += carry19;
- s19 -= carry19 * (1 << 21);
- carry21 = (s21 + (1 << 20)) >> 21;
- s22 += carry21;
- s21 -= carry21 * (1 << 21);
-
- s11 += s23 * 666643;
- s12 += s23 * 470296;
- s13 += s23 * 654183;
- s14 -= s23 * 997805;
- s15 += s23 * 136657;
- s16 -= s23 * 683901;
- s23 = 0;
-
- s10 += s22 * 666643;
- s11 += s22 * 470296;
- s12 += s22 * 654183;
- s13 -= s22 * 997805;
- s14 += s22 * 136657;
- s15 -= s22 * 683901;
- s22 = 0;
-
- s9 += s21 * 666643;
- s10 += s21 * 470296;
- s11 += s21 * 654183;
- s12 -= s21 * 997805;
- s13 += s21 * 136657;
- s14 -= s21 * 683901;
- s21 = 0;
-
- s8 += s20 * 666643;
- s9 += s20 * 470296;
- s10 += s20 * 654183;
- s11 -= s20 * 997805;
- s12 += s20 * 136657;
- s13 -= s20 * 683901;
- s20 = 0;
-
- s7 += s19 * 666643;
- s8 += s19 * 470296;
- s9 += s19 * 654183;
- s10 -= s19 * 997805;
- s11 += s19 * 136657;
- s12 -= s19 * 683901;
- s19 = 0;
-
- s6 += s18 * 666643;
- s7 += s18 * 470296;
- s8 += s18 * 654183;
- s9 -= s18 * 997805;
- s10 += s18 * 136657;
- s11 -= s18 * 683901;
- s18 = 0;
-
- carry6 = (s6 + (1 << 20)) >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry8 = (s8 + (1 << 20)) >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry10 = (s10 + (1 << 20)) >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
- carry12 = (s12 + (1 << 20)) >> 21;
- s13 += carry12;
- s12 -= carry12 * (1 << 21);
- carry14 = (s14 + (1 << 20)) >> 21;
- s15 += carry14;
- s14 -= carry14 * (1 << 21);
- carry16 = (s16 + (1 << 20)) >> 21;
- s17 += carry16;
- s16 -= carry16 * (1 << 21);
-
- carry7 = (s7 + (1 << 20)) >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry9 = (s9 + (1 << 20)) >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry11 = (s11 + (1 << 20)) >> 21;
- s12 += carry11;
- s11 -= carry11 * (1 << 21);
- carry13 = (s13 + (1 << 20)) >> 21;
- s14 += carry13;
- s13 -= carry13 * (1 << 21);
- carry15 = (s15 + (1 << 20)) >> 21;
- s16 += carry15;
- s15 -= carry15 * (1 << 21);
-
- s5 += s17 * 666643;
- s6 += s17 * 470296;
- s7 += s17 * 654183;
- s8 -= s17 * 997805;
- s9 += s17 * 136657;
- s10 -= s17 * 683901;
- s17 = 0;
-
- s4 += s16 * 666643;
- s5 += s16 * 470296;
- s6 += s16 * 654183;
- s7 -= s16 * 997805;
- s8 += s16 * 136657;
- s9 -= s16 * 683901;
- s16 = 0;
-
- s3 += s15 * 666643;
- s4 += s15 * 470296;
- s5 += s15 * 654183;
- s6 -= s15 * 997805;
- s7 += s15 * 136657;
- s8 -= s15 * 683901;
- s15 = 0;
-
- s2 += s14 * 666643;
- s3 += s14 * 470296;
- s4 += s14 * 654183;
- s5 -= s14 * 997805;
- s6 += s14 * 136657;
- s7 -= s14 * 683901;
- s14 = 0;
-
- s1 += s13 * 666643;
- s2 += s13 * 470296;
- s3 += s13 * 654183;
- s4 -= s13 * 997805;
- s5 += s13 * 136657;
- s6 -= s13 * 683901;
- s13 = 0;
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = (s0 + (1 << 20)) >> 21;
- s1 += carry0;
- s0 -= carry0 * (1 << 21);
- carry2 = (s2 + (1 << 20)) >> 21;
- s3 += carry2;
- s2 -= carry2 * (1 << 21);
- carry4 = (s4 + (1 << 20)) >> 21;
- s5 += carry4;
- s4 -= carry4 * (1 << 21);
- carry6 = (s6 + (1 << 20)) >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry8 = (s8 + (1 << 20)) >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry10 = (s10 + (1 << 20)) >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
-
- carry1 = (s1 + (1 << 20)) >> 21;
- s2 += carry1;
- s1 -= carry1 * (1 << 21);
- carry3 = (s3 + (1 << 20)) >> 21;
- s4 += carry3;
- s3 -= carry3 * (1 << 21);
- carry5 = (s5 + (1 << 20)) >> 21;
- s6 += carry5;
- s5 -= carry5 * (1 << 21);
- carry7 = (s7 + (1 << 20)) >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry9 = (s9 + (1 << 20)) >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry11 = (s11 + (1 << 20)) >> 21;
- s12 += carry11;
- s11 -= carry11 * (1 << 21);
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = s0 >> 21;
- s1 += carry0;
- s0 -= carry0 * (1 << 21);
- carry1 = s1 >> 21;
- s2 += carry1;
- s1 -= carry1 * (1 << 21);
- carry2 = s2 >> 21;
- s3 += carry2;
- s2 -= carry2 * (1 << 21);
- carry3 = s3 >> 21;
- s4 += carry3;
- s3 -= carry3 * (1 << 21);
- carry4 = s4 >> 21;
- s5 += carry4;
- s4 -= carry4 * (1 << 21);
- carry5 = s5 >> 21;
- s6 += carry5;
- s5 -= carry5 * (1 << 21);
- carry6 = s6 >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry7 = s7 >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry8 = s8 >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry9 = s9 >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry10 = s10 >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
- carry11 = s11 >> 21;
- s12 += carry11;
- s11 -= carry11 * (1 << 21);
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = s0 >> 21;
- s1 += carry0;
- s0 -= carry0 * (1 << 21);
- carry1 = s1 >> 21;
- s2 += carry1;
- s1 -= carry1 * (1 << 21);
- carry2 = s2 >> 21;
- s3 += carry2;
- s2 -= carry2 * (1 << 21);
- carry3 = s3 >> 21;
- s4 += carry3;
- s3 -= carry3 * (1 << 21);
- carry4 = s4 >> 21;
- s5 += carry4;
- s4 -= carry4 * (1 << 21);
- carry5 = s5 >> 21;
- s6 += carry5;
- s5 -= carry5 * (1 << 21);
- carry6 = s6 >> 21;
- s7 += carry6;
- s6 -= carry6 * (1 << 21);
- carry7 = s7 >> 21;
- s8 += carry7;
- s7 -= carry7 * (1 << 21);
- carry8 = s8 >> 21;
- s9 += carry8;
- s8 -= carry8 * (1 << 21);
- carry9 = s9 >> 21;
- s10 += carry9;
- s9 -= carry9 * (1 << 21);
- carry10 = s10 >> 21;
- s11 += carry10;
- s10 -= carry10 * (1 << 21);
-
- s[0] = (uint8_t)(s0 >> 0);
- s[1] = (uint8_t)(s0 >> 8);
- s[2] = (uint8_t)((s0 >> 16) | (s1 << 5));
- s[3] = (uint8_t)(s1 >> 3);
- s[4] = (uint8_t)(s1 >> 11);
- s[5] = (uint8_t)((s1 >> 19) | (s2 << 2));
- s[6] = (uint8_t)(s2 >> 6);
- s[7] = (uint8_t)((s2 >> 14) | (s3 << 7));
- s[8] = (uint8_t)(s3 >> 1);
- s[9] = (uint8_t)(s3 >> 9);
- s[10] = (uint8_t)((s3 >> 17) | (s4 << 4));
- s[11] = (uint8_t)(s4 >> 4);
- s[12] = (uint8_t)(s4 >> 12);
- s[13] = (uint8_t)((s4 >> 20) | (s5 << 1));
- s[14] = (uint8_t)(s5 >> 7);
- s[15] = (uint8_t)((s5 >> 15) | (s6 << 6));
- s[16] = (uint8_t)(s6 >> 2);
- s[17] = (uint8_t)(s6 >> 10);
- s[18] = (uint8_t)((s6 >> 18) | (s7 << 3));
- s[19] = (uint8_t)(s7 >> 5);
- s[20] = (uint8_t)(s7 >> 13);
- s[21] = (uint8_t)(s8 >> 0);
- s[22] = (uint8_t)(s8 >> 8);
- s[23] = (uint8_t)((s8 >> 16) | (s9 << 5));
- s[24] = (uint8_t)(s9 >> 3);
- s[25] = (uint8_t)(s9 >> 11);
- s[26] = (uint8_t)((s9 >> 19) | (s10 << 2));
- s[27] = (uint8_t)(s10 >> 6);
- s[28] = (uint8_t)((s10 >> 14) | (s11 << 7));
- s[29] = (uint8_t)(s11 >> 1);
- s[30] = (uint8_t)(s11 >> 9);
- s[31] = (uint8_t)(s11 >> 17);
+ const uint8_t *c)
+{
+ int64_t a0 = kBottom21Bits & load_3(a);
+ int64_t a1 = kBottom21Bits & (load_4(a + 2) >> 5);
+ int64_t a2 = kBottom21Bits & (load_3(a + 5) >> 2);
+ int64_t a3 = kBottom21Bits & (load_4(a + 7) >> 7);
+ int64_t a4 = kBottom21Bits & (load_4(a + 10) >> 4);
+ int64_t a5 = kBottom21Bits & (load_3(a + 13) >> 1);
+ int64_t a6 = kBottom21Bits & (load_4(a + 15) >> 6);
+ int64_t a7 = kBottom21Bits & (load_3(a + 18) >> 3);
+ int64_t a8 = kBottom21Bits & load_3(a + 21);
+ int64_t a9 = kBottom21Bits & (load_4(a + 23) >> 5);
+ int64_t a10 = kBottom21Bits & (load_3(a + 26) >> 2);
+ int64_t a11 = (load_4(a + 28) >> 7);
+ int64_t b0 = kBottom21Bits & load_3(b);
+ int64_t b1 = kBottom21Bits & (load_4(b + 2) >> 5);
+ int64_t b2 = kBottom21Bits & (load_3(b + 5) >> 2);
+ int64_t b3 = kBottom21Bits & (load_4(b + 7) >> 7);
+ int64_t b4 = kBottom21Bits & (load_4(b + 10) >> 4);
+ int64_t b5 = kBottom21Bits & (load_3(b + 13) >> 1);
+ int64_t b6 = kBottom21Bits & (load_4(b + 15) >> 6);
+ int64_t b7 = kBottom21Bits & (load_3(b + 18) >> 3);
+ int64_t b8 = kBottom21Bits & load_3(b + 21);
+ int64_t b9 = kBottom21Bits & (load_4(b + 23) >> 5);
+ int64_t b10 = kBottom21Bits & (load_3(b + 26) >> 2);
+ int64_t b11 = (load_4(b + 28) >> 7);
+ int64_t c0 = kBottom21Bits & load_3(c);
+ int64_t c1 = kBottom21Bits & (load_4(c + 2) >> 5);
+ int64_t c2 = kBottom21Bits & (load_3(c + 5) >> 2);
+ int64_t c3 = kBottom21Bits & (load_4(c + 7) >> 7);
+ int64_t c4 = kBottom21Bits & (load_4(c + 10) >> 4);
+ int64_t c5 = kBottom21Bits & (load_3(c + 13) >> 1);
+ int64_t c6 = kBottom21Bits & (load_4(c + 15) >> 6);
+ int64_t c7 = kBottom21Bits & (load_3(c + 18) >> 3);
+ int64_t c8 = kBottom21Bits & load_3(c + 21);
+ int64_t c9 = kBottom21Bits & (load_4(c + 23) >> 5);
+ int64_t c10 = kBottom21Bits & (load_3(c + 26) >> 2);
+ int64_t c11 = (load_4(c + 28) >> 7);
+ int64_t s0;
+ int64_t s1;
+ int64_t s2;
+ int64_t s3;
+ int64_t s4;
+ int64_t s5;
+ int64_t s6;
+ int64_t s7;
+ int64_t s8;
+ int64_t s9;
+ int64_t s10;
+ int64_t s11;
+ int64_t s12;
+ int64_t s13;
+ int64_t s14;
+ int64_t s15;
+ int64_t s16;
+ int64_t s17;
+ int64_t s18;
+ int64_t s19;
+ int64_t s20;
+ int64_t s21;
+ int64_t s22;
+ int64_t s23;
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+ int64_t carry10;
+ int64_t carry11;
+ int64_t carry12;
+ int64_t carry13;
+ int64_t carry14;
+ int64_t carry15;
+ int64_t carry16;
+ int64_t carry17;
+ int64_t carry18;
+ int64_t carry19;
+ int64_t carry20;
+ int64_t carry21;
+ int64_t carry22;
+
+ s0 = c0 + a0 * b0;
+ s1 = c1 + a0 * b1 + a1 * b0;
+ s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
+ s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
+ s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
+ s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
+ s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
+ s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
+ s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
+ s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
+ s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
+ s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
+ s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
+ s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
+ s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
+ s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
+ s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
+ s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
+ s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
+ s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
+ s20 = a9 * b11 + a10 * b10 + a11 * b9;
+ s21 = a10 * b11 + a11 * b10;
+ s22 = a11 * b11;
+ s23 = 0;
+
+ carry0 = (s0 + (1 << 20)) >> 21;
+ s1 += carry0;
+ s0 -= carry0 * (1 << 21);
+ carry2 = (s2 + (1 << 20)) >> 21;
+ s3 += carry2;
+ s2 -= carry2 * (1 << 21);
+ carry4 = (s4 + (1 << 20)) >> 21;
+ s5 += carry4;
+ s4 -= carry4 * (1 << 21);
+ carry6 = (s6 + (1 << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry8 = (s8 + (1 << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry10 = (s10 + (1 << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+ carry12 = (s12 + (1 << 20)) >> 21;
+ s13 += carry12;
+ s12 -= carry12 * (1 << 21);
+ carry14 = (s14 + (1 << 20)) >> 21;
+ s15 += carry14;
+ s14 -= carry14 * (1 << 21);
+ carry16 = (s16 + (1 << 20)) >> 21;
+ s17 += carry16;
+ s16 -= carry16 * (1 << 21);
+ carry18 = (s18 + (1 << 20)) >> 21;
+ s19 += carry18;
+ s18 -= carry18 * (1 << 21);
+ carry20 = (s20 + (1 << 20)) >> 21;
+ s21 += carry20;
+ s20 -= carry20 * (1 << 21);
+ carry22 = (s22 + (1 << 20)) >> 21;
+ s23 += carry22;
+ s22 -= carry22 * (1 << 21);
+
+ carry1 = (s1 + (1 << 20)) >> 21;
+ s2 += carry1;
+ s1 -= carry1 * (1 << 21);
+ carry3 = (s3 + (1 << 20)) >> 21;
+ s4 += carry3;
+ s3 -= carry3 * (1 << 21);
+ carry5 = (s5 + (1 << 20)) >> 21;
+ s6 += carry5;
+ s5 -= carry5 * (1 << 21);
+ carry7 = (s7 + (1 << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry9 = (s9 + (1 << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry11 = (s11 + (1 << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * (1 << 21);
+ carry13 = (s13 + (1 << 20)) >> 21;
+ s14 += carry13;
+ s13 -= carry13 * (1 << 21);
+ carry15 = (s15 + (1 << 20)) >> 21;
+ s16 += carry15;
+ s15 -= carry15 * (1 << 21);
+ carry17 = (s17 + (1 << 20)) >> 21;
+ s18 += carry17;
+ s17 -= carry17 * (1 << 21);
+ carry19 = (s19 + (1 << 20)) >> 21;
+ s20 += carry19;
+ s19 -= carry19 * (1 << 21);
+ carry21 = (s21 + (1 << 20)) >> 21;
+ s22 += carry21;
+ s21 -= carry21 * (1 << 21);
+
+ s11 += s23 * 666643;
+ s12 += s23 * 470296;
+ s13 += s23 * 654183;
+ s14 -= s23 * 997805;
+ s15 += s23 * 136657;
+ s16 -= s23 * 683901;
+ s23 = 0;
+
+ s10 += s22 * 666643;
+ s11 += s22 * 470296;
+ s12 += s22 * 654183;
+ s13 -= s22 * 997805;
+ s14 += s22 * 136657;
+ s15 -= s22 * 683901;
+ s22 = 0;
+
+ s9 += s21 * 666643;
+ s10 += s21 * 470296;
+ s11 += s21 * 654183;
+ s12 -= s21 * 997805;
+ s13 += s21 * 136657;
+ s14 -= s21 * 683901;
+ s21 = 0;
+
+ s8 += s20 * 666643;
+ s9 += s20 * 470296;
+ s10 += s20 * 654183;
+ s11 -= s20 * 997805;
+ s12 += s20 * 136657;
+ s13 -= s20 * 683901;
+ s20 = 0;
+
+ s7 += s19 * 666643;
+ s8 += s19 * 470296;
+ s9 += s19 * 654183;
+ s10 -= s19 * 997805;
+ s11 += s19 * 136657;
+ s12 -= s19 * 683901;
+ s19 = 0;
+
+ s6 += s18 * 666643;
+ s7 += s18 * 470296;
+ s8 += s18 * 654183;
+ s9 -= s18 * 997805;
+ s10 += s18 * 136657;
+ s11 -= s18 * 683901;
+ s18 = 0;
+
+ carry6 = (s6 + (1 << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry8 = (s8 + (1 << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry10 = (s10 + (1 << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+ carry12 = (s12 + (1 << 20)) >> 21;
+ s13 += carry12;
+ s12 -= carry12 * (1 << 21);
+ carry14 = (s14 + (1 << 20)) >> 21;
+ s15 += carry14;
+ s14 -= carry14 * (1 << 21);
+ carry16 = (s16 + (1 << 20)) >> 21;
+ s17 += carry16;
+ s16 -= carry16 * (1 << 21);
+
+ carry7 = (s7 + (1 << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry9 = (s9 + (1 << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry11 = (s11 + (1 << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * (1 << 21);
+ carry13 = (s13 + (1 << 20)) >> 21;
+ s14 += carry13;
+ s13 -= carry13 * (1 << 21);
+ carry15 = (s15 + (1 << 20)) >> 21;
+ s16 += carry15;
+ s15 -= carry15 * (1 << 21);
+
+ s5 += s17 * 666643;
+ s6 += s17 * 470296;
+ s7 += s17 * 654183;
+ s8 -= s17 * 997805;
+ s9 += s17 * 136657;
+ s10 -= s17 * 683901;
+ s17 = 0;
+
+ s4 += s16 * 666643;
+ s5 += s16 * 470296;
+ s6 += s16 * 654183;
+ s7 -= s16 * 997805;
+ s8 += s16 * 136657;
+ s9 -= s16 * 683901;
+ s16 = 0;
+
+ s3 += s15 * 666643;
+ s4 += s15 * 470296;
+ s5 += s15 * 654183;
+ s6 -= s15 * 997805;
+ s7 += s15 * 136657;
+ s8 -= s15 * 683901;
+ s15 = 0;
+
+ s2 += s14 * 666643;
+ s3 += s14 * 470296;
+ s4 += s14 * 654183;
+ s5 -= s14 * 997805;
+ s6 += s14 * 136657;
+ s7 -= s14 * 683901;
+ s14 = 0;
+
+ s1 += s13 * 666643;
+ s2 += s13 * 470296;
+ s3 += s13 * 654183;
+ s4 -= s13 * 997805;
+ s5 += s13 * 136657;
+ s6 -= s13 * 683901;
+ s13 = 0;
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = (s0 + (1 << 20)) >> 21;
+ s1 += carry0;
+ s0 -= carry0 * (1 << 21);
+ carry2 = (s2 + (1 << 20)) >> 21;
+ s3 += carry2;
+ s2 -= carry2 * (1 << 21);
+ carry4 = (s4 + (1 << 20)) >> 21;
+ s5 += carry4;
+ s4 -= carry4 * (1 << 21);
+ carry6 = (s6 + (1 << 20)) >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry8 = (s8 + (1 << 20)) >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry10 = (s10 + (1 << 20)) >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+
+ carry1 = (s1 + (1 << 20)) >> 21;
+ s2 += carry1;
+ s1 -= carry1 * (1 << 21);
+ carry3 = (s3 + (1 << 20)) >> 21;
+ s4 += carry3;
+ s3 -= carry3 * (1 << 21);
+ carry5 = (s5 + (1 << 20)) >> 21;
+ s6 += carry5;
+ s5 -= carry5 * (1 << 21);
+ carry7 = (s7 + (1 << 20)) >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry9 = (s9 + (1 << 20)) >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry11 = (s11 + (1 << 20)) >> 21;
+ s12 += carry11;
+ s11 -= carry11 * (1 << 21);
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 * (1 << 21);
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 * (1 << 21);
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 * (1 << 21);
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 * (1 << 21);
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 * (1 << 21);
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 * (1 << 21);
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+ carry11 = s11 >> 21;
+ s12 += carry11;
+ s11 -= carry11 * (1 << 21);
+
+ s0 += s12 * 666643;
+ s1 += s12 * 470296;
+ s2 += s12 * 654183;
+ s3 -= s12 * 997805;
+ s4 += s12 * 136657;
+ s5 -= s12 * 683901;
+ s12 = 0;
+
+ carry0 = s0 >> 21;
+ s1 += carry0;
+ s0 -= carry0 * (1 << 21);
+ carry1 = s1 >> 21;
+ s2 += carry1;
+ s1 -= carry1 * (1 << 21);
+ carry2 = s2 >> 21;
+ s3 += carry2;
+ s2 -= carry2 * (1 << 21);
+ carry3 = s3 >> 21;
+ s4 += carry3;
+ s3 -= carry3 * (1 << 21);
+ carry4 = s4 >> 21;
+ s5 += carry4;
+ s4 -= carry4 * (1 << 21);
+ carry5 = s5 >> 21;
+ s6 += carry5;
+ s5 -= carry5 * (1 << 21);
+ carry6 = s6 >> 21;
+ s7 += carry6;
+ s6 -= carry6 * (1 << 21);
+ carry7 = s7 >> 21;
+ s8 += carry7;
+ s7 -= carry7 * (1 << 21);
+ carry8 = s8 >> 21;
+ s9 += carry8;
+ s8 -= carry8 * (1 << 21);
+ carry9 = s9 >> 21;
+ s10 += carry9;
+ s9 -= carry9 * (1 << 21);
+ carry10 = s10 >> 21;
+ s11 += carry10;
+ s10 -= carry10 * (1 << 21);
+
+ s[ 0] = (uint8_t) (s0 >> 0);
+ s[ 1] = (uint8_t) (s0 >> 8);
+ s[ 2] = (uint8_t)((s0 >> 16) | (s1 << 5));
+ s[ 3] = (uint8_t) (s1 >> 3);
+ s[ 4] = (uint8_t) (s1 >> 11);
+ s[ 5] = (uint8_t)((s1 >> 19) | (s2 << 2));
+ s[ 6] = (uint8_t) (s2 >> 6);
+ s[ 7] = (uint8_t)((s2 >> 14) | (s3 << 7));
+ s[ 8] = (uint8_t) (s3 >> 1);
+ s[ 9] = (uint8_t) (s3 >> 9);
+ s[10] = (uint8_t)((s3 >> 17) | (s4 << 4));
+ s[11] = (uint8_t) (s4 >> 4);
+ s[12] = (uint8_t) (s4 >> 12);
+ s[13] = (uint8_t)((s4 >> 20) | (s5 << 1));
+ s[14] = (uint8_t) (s5 >> 7);
+ s[15] = (uint8_t)((s5 >> 15) | (s6 << 6));
+ s[16] = (uint8_t) (s6 >> 2);
+ s[17] = (uint8_t) (s6 >> 10);
+ s[18] = (uint8_t)((s6 >> 18) | (s7 << 3));
+ s[19] = (uint8_t) (s7 >> 5);
+ s[20] = (uint8_t) (s7 >> 13);
+ s[21] = (uint8_t) (s8 >> 0);
+ s[22] = (uint8_t) (s8 >> 8);
+ s[23] = (uint8_t)((s8 >> 16) | (s9 << 5));
+ s[24] = (uint8_t) (s9 >> 3);
+ s[25] = (uint8_t) (s9 >> 11);
+ s[26] = (uint8_t)((s9 >> 19) | (s10 << 2));
+ s[27] = (uint8_t) (s10 >> 6);
+ s[28] = (uint8_t)((s10 >> 14) | (s11 << 7));
+ s[29] = (uint8_t) (s11 >> 1);
+ s[30] = (uint8_t) (s11 >> 9);
+ s[31] = (uint8_t) (s11 >> 17);
}
int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
- const uint8_t public_key[32], const uint8_t private_key[32]) {
- uint8_t az[SHA512_DIGEST_LENGTH];
- uint8_t nonce[SHA512_DIGEST_LENGTH];
- ge_p3 R;
- uint8_t hram[SHA512_DIGEST_LENGTH];
- SHA512_CTX hash_ctx;
-
- SHA512_Init(&hash_ctx);
- SHA512_Update(&hash_ctx, private_key, 32);
- SHA512_Final(az, &hash_ctx);
-
- az[0] &= 248;
- az[31] &= 63;
- az[31] |= 64;
-
- SHA512_Init(&hash_ctx);
- SHA512_Update(&hash_ctx, az + 32, 32);
- SHA512_Update(&hash_ctx, message, message_len);
- SHA512_Final(nonce, &hash_ctx);
-
- x25519_sc_reduce(nonce);
- ge_scalarmult_base(&R, nonce);
- ge_p3_tobytes(out_sig, &R);
-
- SHA512_Init(&hash_ctx);
- SHA512_Update(&hash_ctx, out_sig, 32);
- SHA512_Update(&hash_ctx, public_key, 32);
- SHA512_Update(&hash_ctx, message, message_len);
- SHA512_Final(hram, &hash_ctx);
-
- x25519_sc_reduce(hram);
- sc_muladd(out_sig + 32, hram, az, nonce);
-
- OPENSSL_cleanse(&hash_ctx, sizeof(hash_ctx));
- OPENSSL_cleanse(nonce, sizeof(nonce));
- OPENSSL_cleanse(az, sizeof(az));
-
- return 1;
+ const uint8_t public_key[32], const uint8_t private_key[32])
+{
+ uint8_t az[SHA512_DIGEST_LENGTH];
+ uint8_t nonce[SHA512_DIGEST_LENGTH];
+ ge_p3 R;
+ uint8_t hram[SHA512_DIGEST_LENGTH];
+ SHA512_CTX hash_ctx;
+
+ SHA512_Init(&hash_ctx);
+ SHA512_Update(&hash_ctx, private_key, 32);
+ SHA512_Final(az, &hash_ctx);
+
+ az[0] &= 248;
+ az[31] &= 63;
+ az[31] |= 64;
+
+ SHA512_Init(&hash_ctx);
+ SHA512_Update(&hash_ctx, az + 32, 32);
+ SHA512_Update(&hash_ctx, message, message_len);
+ SHA512_Final(nonce, &hash_ctx);
+
+ x25519_sc_reduce(nonce);
+ ge_scalarmult_base(&R, nonce);
+ ge_p3_tobytes(out_sig, &R);
+
+ SHA512_Init(&hash_ctx);
+ SHA512_Update(&hash_ctx, out_sig, 32);
+ SHA512_Update(&hash_ctx, public_key, 32);
+ SHA512_Update(&hash_ctx, message, message_len);
+ SHA512_Final(hram, &hash_ctx);
+
+ x25519_sc_reduce(hram);
+ sc_muladd(out_sig + 32, hram, az, nonce);
+
+ OPENSSL_cleanse(&hash_ctx, sizeof(hash_ctx));
+ OPENSSL_cleanse(nonce, sizeof(nonce));
+ OPENSSL_cleanse(az, sizeof(az));
+
+ return 1;
}
+static const char allzeroes[15];
+
int ED25519_verify(const uint8_t *message, size_t message_len,
- const uint8_t signature[64], const uint8_t public_key[32]) {
- ge_p3 A;
- uint8_t rcopy[32];
- uint8_t scopy[32];
- SHA512_CTX hash_ctx;
- ge_p2 R;
- uint8_t rcheck[32];
- uint8_t h[SHA512_DIGEST_LENGTH];
-
- if ((signature[63] & 224) != 0 ||
- ge_frombytes_vartime(&A, public_key) != 0) {
- return 0;
- }
+ const uint8_t signature[64], const uint8_t public_key[32])
+{
+ int i;
+ ge_p3 A;
+ const uint8_t *r, *s;
+ SHA512_CTX hash_ctx;
+ ge_p2 R;
+ uint8_t rcheck[32];
+ uint8_t h[SHA512_DIGEST_LENGTH];
+ /* 27742317777372353535851937790883648493 in little endian format */
+ const uint8_t l_low[16] = {
+ 0xED, 0xD3, 0xF5, 0x5C, 0x1A, 0x63, 0x12, 0x58, 0xD6, 0x9C, 0xF7, 0xA2,
+ 0xDE, 0xF9, 0xDE, 0x14
+ };
+
+ r = signature;
+ s = signature + 32;
+
+ /*
+ * Check 0 <= s < L where L = 2^252 + 27742317777372353535851937790883648493
+ *
+ * If not the signature is publicly invalid. Since it's public we can do the
+ * check in variable time.
+ *
+ * First check the most significant byte
+ */
+ if (s[31] > 0x10)
+ return 0;
+ if (s[31] == 0x10) {
+ /*
+ * Most significant byte indicates a value close to 2^252 so check the
+ * rest
+ */
+ if (memcmp(s + 16, allzeroes, sizeof(allzeroes)) != 0)
+ return 0;
+ for (i = 15; i >= 0; i--) {
+ if (s[i] < l_low[i])
+ break;
+ if (s[i] > l_low[i])
+ return 0;
+ }
+ if (i < 0)
+ return 0;
+ }
- fe_neg(A.X, A.X);
- fe_neg(A.T, A.T);
+ if (ge_frombytes_vartime(&A, public_key) != 0) {
+ return 0;
+ }
- memcpy(rcopy, signature, 32);
- memcpy(scopy, signature + 32, 32);
+ fe_neg(A.X, A.X);
+ fe_neg(A.T, A.T);
- SHA512_Init(&hash_ctx);
- SHA512_Update(&hash_ctx, signature, 32);
- SHA512_Update(&hash_ctx, public_key, 32);
- SHA512_Update(&hash_ctx, message, message_len);
- SHA512_Final(h, &hash_ctx);
+ SHA512_Init(&hash_ctx);
+ SHA512_Update(&hash_ctx, r, 32);
+ SHA512_Update(&hash_ctx, public_key, 32);
+ SHA512_Update(&hash_ctx, message, message_len);
+ SHA512_Final(h, &hash_ctx);
- x25519_sc_reduce(h);
+ x25519_sc_reduce(h);
- ge_double_scalarmult_vartime(&R, h, &A, scopy);
+ ge_double_scalarmult_vartime(&R, h, &A, s);
- ge_tobytes(rcheck, &R);
+ ge_tobytes(rcheck, &R);
- return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
+ return CRYPTO_memcmp(rcheck, r, sizeof(rcheck)) == 0;
}
void ED25519_public_from_private(uint8_t out_public_key[32],
- const uint8_t private_key[32]) {
- uint8_t az[SHA512_DIGEST_LENGTH];
- ge_p3 A;
+ const uint8_t private_key[32])
+{
+ uint8_t az[SHA512_DIGEST_LENGTH];
+ ge_p3 A;
- SHA512(private_key, 32, az);
+ SHA512(private_key, 32, az);
- az[0] &= 248;
- az[31] &= 63;
- az[31] |= 64;
+ az[0] &= 248;
+ az[31] &= 63;
+ az[31] |= 64;
- ge_scalarmult_base(&A, az);
- ge_p3_tobytes(out_public_key, &A);
+ ge_scalarmult_base(&A, az);
+ ge_p3_tobytes(out_public_key, &A);
- OPENSSL_cleanse(az, sizeof(az));
+ OPENSSL_cleanse(az, sizeof(az));
}
int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
- const uint8_t peer_public_value[32]) {
- static const uint8_t kZeros[32] = {0};
- x25519_scalar_mult(out_shared_key, private_key, peer_public_value);
- /* The all-zero output results when the input is a point of small order. */
- return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
+ const uint8_t peer_public_value[32])
+{
+ static const uint8_t kZeros[32] = {0};
+ x25519_scalar_mult(out_shared_key, private_key, peer_public_value);
+ /* The all-zero output results when the input is a point of small order. */
+ return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
}
void X25519_public_from_private(uint8_t out_public_value[32],
- const uint8_t private_key[32]) {
- uint8_t e[32];
- ge_p3 A;
- fe zplusy, zminusy, zminusy_inv;
-
- memcpy(e, private_key, 32);
- e[0] &= 248;
- e[31] &= 127;
- e[31] |= 64;
-
- ge_scalarmult_base(&A, e);
-
- /* We only need the u-coordinate of the curve25519 point. The map is
- * u=(y+1)/(1-y). Since y=Y/Z, this gives u=(Z+Y)/(Z-Y). */
- fe_add(zplusy, A.Z, A.Y);
- fe_sub(zminusy, A.Z, A.Y);
- fe_invert(zminusy_inv, zminusy);
- fe_mul(zplusy, zplusy, zminusy_inv);
- fe_tobytes(out_public_value, zplusy);
-
- OPENSSL_cleanse(e, sizeof(e));
+ const uint8_t private_key[32])
+{
+ uint8_t e[32];
+ ge_p3 A;
+ fe zplusy, zminusy, zminusy_inv;
+
+ memcpy(e, private_key, 32);
+ e[0] &= 248;
+ e[31] &= 127;
+ e[31] |= 64;
+
+ ge_scalarmult_base(&A, e);
+
+ /*
+ * We only need the u-coordinate of the curve25519 point.
+ * The map is u=(y+1)/(1-y). Since y=Y/Z, this gives
+ * u=(Z+Y)/(Z-Y).
+ */
+ fe_add(zplusy, A.Z, A.Y);
+ fe_sub(zminusy, A.Z, A.Y);
+ fe_invert(zminusy_inv, zminusy);
+ fe_mul(zplusy, zplusy, zminusy_inv);
+ fe_tobytes(out_public_value, zplusy);
+
+ OPENSSL_cleanse(e, sizeof(e));
}
diff --git a/freebsd/crypto/openssl/crypto/ec/curve448/eddsa.c b/freebsd/crypto/openssl/crypto/ec/curve448/eddsa.c
index 56911e5..4af630b 100644
--- a/freebsd/crypto/openssl/crypto/ec/curve448/eddsa.c
+++ b/freebsd/crypto/openssl/crypto/ec/curve448/eddsa.c
@@ -248,10 +248,36 @@ c448_error_t c448_ed448_verify(
uint8_t context_len)
{
curve448_point_t pk_point, r_point;
- c448_error_t error =
- curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
+ c448_error_t error;
curve448_scalar_t challenge_scalar;
curve448_scalar_t response_scalar;
+ /* Order in little endian format */
+ static const uint8_t order[] = {
+ 0xF3, 0x44, 0x58, 0xAB, 0x92, 0xC2, 0x78, 0x23, 0x55, 0x8F, 0xC5, 0x8D,
+ 0x72, 0xC2, 0x6C, 0x21, 0x90, 0x36, 0xD6, 0xAE, 0x49, 0xDB, 0x4E, 0xC4,
+ 0xE9, 0x23, 0xCA, 0x7C, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x3F, 0x00
+ };
+ int i;
+
+ /*
+ * Check that s (second 57 bytes of the sig) is less than the order. Both
+ * s and the order are in little-endian format. This can be done in
+ * variable time, since if this is not the case the signature if publicly
+ * invalid.
+ */
+ for (i = EDDSA_448_PUBLIC_BYTES - 1; i >= 0; i--) {
+ if (signature[i + EDDSA_448_PUBLIC_BYTES] > order[i])
+ return C448_FAILURE;
+ if (signature[i + EDDSA_448_PUBLIC_BYTES] < order[i])
+ break;
+ }
+ if (i < 0)
+ return C448_FAILURE;
+
+ error =
+ curve448_point_decode_like_eddsa_and_mul_by_ratio(pk_point, pubkey);
if (C448_SUCCESS != error)
return error;
diff --git a/freebsd/crypto/openssl/crypto/ec/curve448/point_448.h b/freebsd/crypto/openssl/crypto/ec/curve448/point_448.h
index 0ef3b87..399f91b 100644
--- a/freebsd/crypto/openssl/crypto/ec/curve448/point_448.h
+++ b/freebsd/crypto/openssl/crypto/ec/curve448/point_448.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2016 Cryptography Research, Inc.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -116,7 +116,7 @@ void curve448_scalar_encode(unsigned char ser[C448_SCALAR_BYTES],
/*
* Add two scalars. |a|, |b| and |out| may alias each other.
- *
+ *
* a (in): One scalar.
* b (in): Another scalar.
* out (out): a+b.
@@ -135,7 +135,7 @@ void curve448_scalar_sub(curve448_scalar_t out,
/*
* Multiply two scalars. |a|, |b| and |out| may alias each other.
- *
+ *
* a (in): One scalar.
* b (in): Another scalar.
* out (out): a*b.
@@ -145,7 +145,7 @@ void curve448_scalar_mul(curve448_scalar_t out,
/*
* Halve a scalar. |a| and |out| may alias each other.
-*
+*
* a (in): A scalar.
* out (out): a/2.
*/
@@ -154,7 +154,7 @@ void curve448_scalar_halve(curve448_scalar_t out, const curve448_scalar_t a);
/*
* Copy a scalar. The scalars may alias each other, in which case this
* function does nothing.
- *
+ *
* a (in): A scalar.
* out (out): Will become a copy of a.
*/
@@ -183,7 +183,7 @@ static ossl_inline void curve448_point_copy(curve448_point_t a,
*
* a (in): A point.
* b (in): Another point.
- *
+ *
* Returns:
* C448_TRUE: The points are equal.
* C448_FALSE: The points are not equal.
@@ -243,7 +243,7 @@ void curve448_point_mul_by_ratio_and_encode_like_x448(
/*
* RFC 7748 Diffie-Hellman base point scalarmul. This function uses a different
* (non-Decaf) encoding.
- *
+ *
* out (out): The scaled point base*scalar
* scalar (in): The scalar to multiply by.
*/
@@ -273,7 +273,7 @@ void curve448_precomputed_scalarmul(curve448_point_t scaled,
* base2 (in): A second point to be scaled.
* scalar2 (in) A second scalar to multiply by.
*
- * Warning: This function takes variable time, and may leak the scalars used.
+ * Warning: This function takes variable time, and may leak the scalars used.
* It is designed for signature verification.
*/
void curve448_base_double_scalarmul_non_secret(curve448_point_t combo,
diff --git a/freebsd/crypto/openssl/crypto/ec/ec2_smpl.c b/freebsd/crypto/openssl/crypto/ec/ec2_smpl.c
index 579ac0b..af351a8 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec2_smpl.c
+++ b/freebsd/crypto/openssl/crypto/ec/ec2_smpl.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -812,7 +812,7 @@ int ec_GF2m_simple_ladder_post(const EC_GROUP *group,
|| !group->meth->field_mul(group, t2, t2, t0, ctx)
|| !BN_GF2m_add(t1, t2, t1)
|| !group->meth->field_mul(group, t2, p->X, t0, ctx)
- || !BN_GF2m_mod_inv(t2, t2, group->field, ctx)
+ || !group->meth->field_inv(group, t2, t2, ctx)
|| !group->meth->field_mul(group, t1, t1, t2, ctx)
|| !group->meth->field_mul(group, r->X, r->Z, t2, ctx)
|| !BN_GF2m_add(t2, p->X, r->X)
@@ -891,6 +891,21 @@ int ec_GF2m_simple_points_mul(const EC_GROUP *group, EC_POINT *r,
return ret;
}
+/*-
+ * Computes the multiplicative inverse of a in GF(2^m), storing the result in r.
+ * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
+ * SCA hardening is with blinding: BN_GF2m_mod_inv does that.
+ */
+static int ec_GF2m_simple_field_inv(const EC_GROUP *group, BIGNUM *r,
+ const BIGNUM *a, BN_CTX *ctx)
+{
+ int ret;
+
+ if (!(ret = BN_GF2m_mod_inv(r, a, group->field, ctx)))
+ ECerr(EC_F_EC_GF2M_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
+ return ret;
+}
+
const EC_METHOD *EC_GF2m_simple_method(void)
{
static const EC_METHOD ret = {
@@ -931,6 +946,7 @@ const EC_METHOD *EC_GF2m_simple_method(void)
ec_GF2m_simple_field_mul,
ec_GF2m_simple_field_sqr,
ec_GF2m_simple_field_div,
+ ec_GF2m_simple_field_inv,
0, /* field_encode */
0, /* field_decode */
0, /* field_set_to_one */
diff --git a/freebsd/crypto/openssl/crypto/ec/ec_ameth.c b/freebsd/crypto/openssl/crypto/ec/ec_ameth.c
index 35e892e..5dbc6f4 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec_ameth.c
+++ b/freebsd/crypto/openssl/crypto/ec/ec_ameth.c
@@ -507,7 +507,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
*(int *)arg2 = NID_sha256;
- return 2;
+ return 1;
case ASN1_PKEY_CTRL_SET1_TLS_ENCPT:
return EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(pkey), arg2, arg1, NULL);
diff --git a/freebsd/crypto/openssl/crypto/ec/ec_err.c b/freebsd/crypto/openssl/crypto/ec/ec_err.c
index 4307530..7009d09 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec_err.c
+++ b/freebsd/crypto/openssl/crypto/ec/ec_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -68,6 +68,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ec_asn1_group2fieldid"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY, 0),
"ec_GF2m_montgomery_point_multiply"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_FIELD_INV, 0),
+ "ec_GF2m_simple_field_inv"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),
"ec_GF2m_simple_group_check_discriminant"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE, 0),
@@ -92,6 +94,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ec_GFp_mont_field_decode"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_ENCODE, 0),
"ec_GFp_mont_field_encode"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_INV, 0),
+ "ec_GFp_mont_field_inv"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_MUL, 0),
"ec_GFp_mont_field_mul"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE, 0),
@@ -126,6 +130,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
"ec_GFp_nist_group_set_curve"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES, 0),
"ec_GFp_simple_blind_coordinates"},
+ {ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_FIELD_INV, 0),
+ "ec_GFp_simple_field_inv"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT, 0),
"ec_GFp_simple_group_check_discriminant"},
{ERR_PACK(ERR_LIB_EC, EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, 0),
@@ -289,6 +295,7 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BAD_SIGNATURE), "bad signature"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BIGNUM_OUT_OF_RANGE), "bignum out of range"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_BUFFER_TOO_SMALL), "buffer too small"},
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CANNOT_INVERT), "cannot invert"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_COORDINATES_OUT_OF_RANGE),
"coordinates out of range"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),
diff --git a/freebsd/crypto/openssl/crypto/ec/ec_lcl.h b/freebsd/crypto/openssl/crypto/ec/ec_lcl.h
index e055dda..119255f 100644
--- a/freebsd/crypto/openssl/crypto/ec/ec_lcl.h
+++ b/freebsd/crypto/openssl/crypto/ec/ec_lcl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -15,7 +15,6 @@
#include <openssl/bn.h>
#include "internal/refcount.h"
#include "internal/ec_int.h"
-#include "curve448/curve448_lcl.h"
#if defined(__SUNPRO_C)
# if __SUNPRO_C >= 0x520
@@ -154,6 +153,13 @@ struct ec_method_st {
int (*field_sqr) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
int (*field_div) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
+ /*-
+ * 'field_inv' computes the multipicative inverse of a in the field,
+ * storing the result in r.
+ *
+ * If 'a' is zero (or equivalent), you'll get an EC_R_CANNOT_INVERT error.
+ */
+ int (*field_inv) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
/* e.g. to Montgomery */
int (*field_encode) (const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
@@ -390,6 +396,8 @@ int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
+int ec_GFp_simple_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p,
BN_CTX *ctx);
int ec_GFp_simple_ladder_pre(const EC_GROUP *group,
@@ -413,6 +421,8 @@ int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
const BIGNUM *b, BN_CTX *);
int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
+int ec_GFp_mont_field_inv(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *);
int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
BN_CTX *);
int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_mont.c b/freebsd/crypto/openssl/crypto/ec/ecp_mont.c
index d63346d..5844288 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_mont.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_mont.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -52,6 +52,7 @@ const EC_METHOD *EC_GFp_mont_method(void)
ec_GFp_mont_field_mul,
ec_GFp_mont_field_sqr,
0 /* field_div */ ,
+ ec_GFp_mont_field_inv,
ec_GFp_mont_field_encode,
ec_GFp_mont_field_decode,
ec_GFp_mont_field_set_to_one,
@@ -208,6 +209,54 @@ int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx);
}
+/*-
+ * Computes the multiplicative inverse of a in GF(p), storing the result in r.
+ * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
+ * We have a Mont structure, so SCA hardening is FLT inversion.
+ */
+int ec_GFp_mont_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *ctx)
+{
+ BIGNUM *e = NULL;
+ BN_CTX *new_ctx = NULL;
+ int ret = 0;
+
+ if (group->field_data1 == NULL)
+ return 0;
+
+ if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+ if ((e = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* Inverse in constant time with Fermats Little Theorem */
+ if (!BN_set_word(e, 2))
+ goto err;
+ if (!BN_sub(e, group->field, e))
+ goto err;
+ /*-
+ * Exponent e is public.
+ * No need for scatter-gather or BN_FLG_CONSTTIME.
+ */
+ if (!BN_mod_exp_mont(r, a, e, group->field, ctx, group->field_data1))
+ goto err;
+
+ /* throw an error on zero */
+ if (BN_is_zero(r)) {
+ ECerr(EC_F_EC_GFP_MONT_FIELD_INV, EC_R_CANNOT_INVERT);
+ goto err;
+ }
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ return ret;
+}
+
int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r,
const BIGNUM *a, BN_CTX *ctx)
{
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nist.c b/freebsd/crypto/openssl/crypto/ec/ecp_nist.c
index ed48b78..f0138df 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nist.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nist.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -54,6 +54,7 @@ const EC_METHOD *EC_GFp_nist_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
+ ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c
index 8df7241..badd762 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp224.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -281,6 +281,7 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
+ ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c
index 7850a8d..4bfebe6 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp256.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1812,6 +1812,7 @@ const EC_METHOD *EC_GFp_nistp256_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
+ ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c
index 0b7b47f..96e0d66 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistp521.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2011-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1649,6 +1649,7 @@ const EC_METHOD *EC_GFp_nistp521_method(void)
ec_GFp_nist_field_mul,
ec_GFp_nist_field_sqr,
0 /* field_div */ ,
+ ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_nistz256.c b/freebsd/crypto/openssl/crypto/ec/ecp_nistz256.c
index 25b86e3..9a37064 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_nistz256.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_nistz256.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2014, Intel Corporation. All Rights Reserved.
* Copyright (c) 2015, CloudFlare, Inc.
*
@@ -1679,6 +1679,7 @@ const EC_METHOD *EC_GFp_nistz256_method(void)
ec_GFp_mont_field_mul,
ec_GFp_mont_field_sqr,
0, /* field_div */
+ ec_GFp_mont_field_inv,
ec_GFp_mont_field_encode,
ec_GFp_mont_field_decode,
ec_GFp_mont_field_set_to_one,
diff --git a/freebsd/crypto/openssl/crypto/ec/ecp_smpl.c b/freebsd/crypto/openssl/crypto/ec/ecp_smpl.c
index c9af6f3..c1f456f 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecp_smpl.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecp_smpl.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -53,6 +53,7 @@ const EC_METHOD *EC_GFp_simple_method(void)
ec_GFp_simple_field_mul,
ec_GFp_simple_field_sqr,
0 /* field_div */ ,
+ ec_GFp_simple_field_inv,
0 /* field_encode */ ,
0 /* field_decode */ ,
0, /* field_set_to_one */
@@ -555,7 +556,7 @@ int ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group,
}
}
} else {
- if (!BN_mod_inverse(Z_1, Z_, group->field, ctx)) {
+ if (!group->meth->field_inv(group, Z_1, Z_, ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_POINT_GET_AFFINE_COORDINATES,
ERR_R_BN_LIB);
goto err;
@@ -1268,7 +1269,7 @@ int ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num,
* points[i]->Z by its inverse.
*/
- if (!BN_mod_inverse(tmp, prod_Z[num - 1], group->field, ctx)) {
+ if (!group->meth->field_inv(group, tmp, prod_Z[num - 1], ctx)) {
ECerr(EC_F_EC_GFP_SIMPLE_POINTS_MAKE_AFFINE, ERR_R_BN_LIB);
goto err;
}
@@ -1372,6 +1373,50 @@ int ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
}
/*-
+ * Computes the multiplicative inverse of a in GF(p), storing the result in r.
+ * If a is zero (or equivalent), you'll get a EC_R_CANNOT_INVERT error.
+ * Since we don't have a Mont structure here, SCA hardening is with blinding.
+ */
+int ec_GFp_simple_field_inv(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+ BN_CTX *ctx)
+{
+ BIGNUM *e = NULL;
+ BN_CTX *new_ctx = NULL;
+ int ret = 0;
+
+ if (ctx == NULL && (ctx = new_ctx = BN_CTX_secure_new()) == NULL)
+ return 0;
+
+ BN_CTX_start(ctx);
+ if ((e = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ do {
+ if (!BN_priv_rand_range(e, group->field))
+ goto err;
+ } while (BN_is_zero(e));
+
+ /* r := a * e */
+ if (!group->meth->field_mul(group, r, a, e, ctx))
+ goto err;
+ /* r := 1/(a * e) */
+ if (!BN_mod_inverse(r, r, group->field, ctx)) {
+ ECerr(EC_F_EC_GFP_SIMPLE_FIELD_INV, EC_R_CANNOT_INVERT);
+ goto err;
+ }
+ /* r := e/(a * e) = 1/a */
+ if (!group->meth->field_mul(group, r, r, e, ctx))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ BN_CTX_free(new_ctx);
+ return ret;
+}
+
+/*-
* Apply randomization of EC point projective coordinates:
*
* (X, Y ,Z ) = (lambda^2*X, lambda^3*Y, lambda*Z)
diff --git a/freebsd/crypto/openssl/crypto/ec/ecx_meth.c b/freebsd/crypto/openssl/crypto/ec/ecx_meth.c
index afa19e4..f00aba4 100644
--- a/freebsd/crypto/openssl/crypto/ec/ecx_meth.c
+++ b/freebsd/crypto/openssl/crypto/ec/ecx_meth.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -17,6 +17,7 @@
#include "internal/asn1_int.h"
#include "internal/evp_int.h"
#include "ec_lcl.h"
+#include "curve448/curve448_lcl.h"
#define X25519_BITS 253
#define X25519_SECURITY_BITS 128
diff --git a/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c b/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c
index 8c5e255..528d0bd 100644
--- a/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c
+++ b/freebsd/crypto/openssl/crypto/engine/eng_devcrypto.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -37,6 +37,15 @@
*/
static int cfd;
+static int clean_devcrypto_session(struct session_op *sess) {
+ if (ioctl(cfd, CIOCFSESSION, &sess->ses) < 0) {
+ SYSerr(SYS_F_IOCTL, errno);
+ return 0;
+ }
+ memset(sess, 0, sizeof(struct session_op));
+ return 1;
+}
+
/******************************************************************************
*
* Ciphers
@@ -49,10 +58,12 @@ static int cfd;
struct cipher_ctx {
struct session_op sess;
-
- /* to pass from init to do_cipher */
- const unsigned char *iv;
int op; /* COP_ENCRYPT or COP_DECRYPT */
+ unsigned long mode; /* EVP_CIPH_*_MODE */
+
+ /* to handle ctr mode being a stream cipher */
+ unsigned char partial[EVP_MAX_BLOCK_LENGTH];
+ unsigned int blocksize, num;
};
static const struct cipher_data_st {
@@ -89,9 +100,9 @@ static const struct cipher_data_st {
{ NID_aes_256_xts, 16, 256 / 8 * 2, 16, EVP_CIPH_XTS_MODE, CRYPTO_AES_XTS },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_AES_ECB)
- { NID_aes_128_ecb, 16, 128 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_192_ecb, 16, 192 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
- { NID_aes_256_ecb, 16, 256 / 8, 16, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_128_ecb, 16, 128 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_192_ecb, 16, 192 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
+ { NID_aes_256_ecb, 16, 256 / 8, 0, EVP_CIPH_ECB_MODE, CRYPTO_AES_ECB },
#endif
#if 0 /* Not yet supported */
{ NID_aes_128_gcm, 16, 128 / 8, 16, EVP_CIPH_GCM_MODE, CRYPTO_AES_GCM },
@@ -143,11 +154,17 @@ static int cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const struct cipher_data_st *cipher_d =
get_cipher_data(EVP_CIPHER_CTX_nid(ctx));
- memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess));
+ /* cleanup a previous session */
+ if (cipher_ctx->sess.ses != 0 &&
+ clean_devcrypto_session(&cipher_ctx->sess) == 0)
+ return 0;
+
cipher_ctx->sess.cipher = cipher_d->devcryptoid;
cipher_ctx->sess.keylen = cipher_d->keylen;
cipher_ctx->sess.key = (void *)key;
cipher_ctx->op = enc ? COP_ENCRYPT : COP_DECRYPT;
+ cipher_ctx->mode = cipher_d->flags & EVP_CIPH_MODE;
+ cipher_ctx->blocksize = cipher_d->blocksize;
if (ioctl(cfd, CIOCGSESSION, &cipher_ctx->sess) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -162,8 +179,11 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
struct cipher_ctx *cipher_ctx =
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
struct crypt_op cryp;
+ unsigned char *iv = EVP_CIPHER_CTX_iv_noconst(ctx);
#if !defined(COP_FLAG_WRITE_IV)
unsigned char saved_iv[EVP_MAX_IV_LENGTH];
+ const unsigned char *ivptr;
+ size_t nblocks, ivlen;
#endif
memset(&cryp, 0, sizeof(cryp));
@@ -171,19 +191,28 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
cryp.len = inl;
cryp.src = (void *)in;
cryp.dst = (void *)out;
- cryp.iv = (void *)EVP_CIPHER_CTX_iv_noconst(ctx);
+ cryp.iv = (void *)iv;
cryp.op = cipher_ctx->op;
#if !defined(COP_FLAG_WRITE_IV)
cryp.flags = 0;
- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
- if (!EVP_CIPHER_CTX_encrypting(ctx)) {
- unsigned char *ivptr = in + inl - EVP_CIPHER_CTX_iv_length(ctx);
-
- memcpy(saved_iv, ivptr, EVP_CIPHER_CTX_iv_length(ctx));
+ ivlen = EVP_CIPHER_CTX_iv_length(ctx);
+ if (ivlen > 0)
+ switch (cipher_ctx->mode) {
+ case EVP_CIPH_CBC_MODE:
+ assert(inl >= ivlen);
+ if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+ ivptr = in + inl - ivlen;
+ memcpy(saved_iv, ivptr, ivlen);
+ }
+ break;
+
+ case EVP_CIPH_CTR_MODE:
+ break;
+
+ default: /* should not happen */
+ return 0;
}
- }
#else
cryp.flags = COP_FLAG_WRITE_IV;
#endif
@@ -194,32 +223,113 @@ static int cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
}
#if !defined(COP_FLAG_WRITE_IV)
- if (EVP_CIPHER_CTX_iv_length(ctx) > 0) {
- unsigned char *ivptr = saved_iv;
+ if (ivlen > 0)
+ switch (cipher_ctx->mode) {
+ case EVP_CIPH_CBC_MODE:
+ assert(inl >= ivlen);
+ if (EVP_CIPHER_CTX_encrypting(ctx))
+ ivptr = out + inl - ivlen;
+ else
+ ivptr = saved_iv;
+
+ memcpy(iv, ivptr, ivlen);
+ break;
+
+ case EVP_CIPH_CTR_MODE:
+ nblocks = (inl + cipher_ctx->blocksize - 1)
+ / cipher_ctx->blocksize;
+ do {
+ ivlen--;
+ nblocks += iv[ivlen];
+ iv[ivlen] = (uint8_t) nblocks;
+ nblocks >>= 8;
+ } while (ivlen);
+ break;
+
+ default: /* should not happen */
+ return 0;
+ }
+#endif
+
+ return 1;
+}
+
+static int ctr_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl)
+{
+ struct cipher_ctx *cipher_ctx =
+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ size_t nblocks, len;
- assert(inl >= EVP_CIPHER_CTX_iv_length(ctx));
- if (!EVP_CIPHER_CTX_encrypting(ctx))
- ivptr = out + inl - EVP_CIPHER_CTX_iv_length(ctx);
+ /* initial partial block */
+ while (cipher_ctx->num && inl) {
+ (*out++) = *(in++) ^ cipher_ctx->partial[cipher_ctx->num];
+ --inl;
+ cipher_ctx->num = (cipher_ctx->num + 1) % cipher_ctx->blocksize;
+ }
- memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), ivptr,
- EVP_CIPHER_CTX_iv_length(ctx));
+ /* full blocks */
+ if (inl > (unsigned int) cipher_ctx->blocksize) {
+ nblocks = inl/cipher_ctx->blocksize;
+ len = nblocks * cipher_ctx->blocksize;
+ if (cipher_do_cipher(ctx, out, in, len) < 1)
+ return 0;
+ inl -= len;
+ out += len;
+ in += len;
+ }
+
+ /* final partial block */
+ if (inl) {
+ memset(cipher_ctx->partial, 0, cipher_ctx->blocksize);
+ if (cipher_do_cipher(ctx, cipher_ctx->partial, cipher_ctx->partial,
+ cipher_ctx->blocksize) < 1)
+ return 0;
+ while (inl--) {
+ out[cipher_ctx->num] = in[cipher_ctx->num]
+ ^ cipher_ctx->partial[cipher_ctx->num];
+ cipher_ctx->num++;
+ }
}
-#endif
return 1;
}
-static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
+static int cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void* p2)
{
struct cipher_ctx *cipher_ctx =
(struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+ EVP_CIPHER_CTX *to_ctx = (EVP_CIPHER_CTX *)p2;
+ struct cipher_ctx *to_cipher_ctx;
+
+ switch (type) {
+ case EVP_CTRL_COPY:
+ if (cipher_ctx == NULL)
+ return 1;
+ /* when copying the context, a new session needs to be initialized */
+ to_cipher_ctx =
+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(to_ctx);
+ memset(&to_cipher_ctx->sess, 0, sizeof(to_cipher_ctx->sess));
+ return cipher_init(to_ctx, cipher_ctx->sess.key, EVP_CIPHER_CTX_iv(ctx),
+ (cipher_ctx->op == COP_ENCRYPT));
+
+ case EVP_CTRL_INIT:
+ memset(&cipher_ctx->sess, 0, sizeof(cipher_ctx->sess));
+ return 1;
- if (ioctl(cfd, CIOCFSESSION, &cipher_ctx->sess.ses) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
- return 0;
+ default:
+ break;
}
- return 1;
+ return -1;
+}
+
+static int cipher_cleanup(EVP_CIPHER_CTX *ctx)
+{
+ struct cipher_ctx *cipher_ctx =
+ (struct cipher_ctx *)EVP_CIPHER_CTX_get_cipher_data(ctx);
+
+ return clean_devcrypto_session(&cipher_ctx->sess);
}
/*
@@ -235,6 +345,7 @@ static void prepare_cipher_methods(void)
{
size_t i;
struct session_op sess;
+ unsigned long cipher_mode;
memset(&sess, 0, sizeof(sess));
sess.key = (void *)"01234567890123456789012345678901234567890123456789";
@@ -252,18 +363,26 @@ static void prepare_cipher_methods(void)
|| ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
continue;
+ cipher_mode = cipher_data[i].flags & EVP_CIPH_MODE;
+
if ((known_cipher_methods[i] =
EVP_CIPHER_meth_new(cipher_data[i].nid,
- cipher_data[i].blocksize,
+ cipher_mode == EVP_CIPH_CTR_MODE ? 1 :
+ cipher_data[i].blocksize,
cipher_data[i].keylen)) == NULL
|| !EVP_CIPHER_meth_set_iv_length(known_cipher_methods[i],
cipher_data[i].ivlen)
|| !EVP_CIPHER_meth_set_flags(known_cipher_methods[i],
cipher_data[i].flags
+ | EVP_CIPH_CUSTOM_COPY
+ | EVP_CIPH_CTRL_INIT
| EVP_CIPH_FLAG_DEFAULT_ASN1)
|| !EVP_CIPHER_meth_set_init(known_cipher_methods[i], cipher_init)
|| !EVP_CIPHER_meth_set_do_cipher(known_cipher_methods[i],
+ cipher_mode == EVP_CIPH_CTR_MODE ?
+ ctr_do_cipher :
cipher_do_cipher)
+ || !EVP_CIPHER_meth_set_ctrl(known_cipher_methods[i], cipher_ctrl)
|| !EVP_CIPHER_meth_set_cleanup(known_cipher_methods[i],
cipher_cleanup)
|| !EVP_CIPHER_meth_set_impl_ctx_size(known_cipher_methods[i],
@@ -340,34 +459,36 @@ static int devcrypto_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
struct digest_ctx {
struct session_op sess;
- int init;
+ /* This signals that the init function was called, not that it succeeded. */
+ int init_called;
};
static const struct digest_data_st {
int nid;
+ int blocksize;
int digestlen;
int devcryptoid;
} digest_data[] = {
#ifndef OPENSSL_NO_MD5
- { NID_md5, 16, CRYPTO_MD5 },
+ { NID_md5, /* MD5_CBLOCK */ 64, 16, CRYPTO_MD5 },
#endif
- { NID_sha1, 20, CRYPTO_SHA1 },
+ { NID_sha1, SHA_CBLOCK, 20, CRYPTO_SHA1 },
#ifndef OPENSSL_NO_RMD160
# if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_RIPEMD160)
- { NID_ripemd160, 20, CRYPTO_RIPEMD160 },
+ { NID_ripemd160, /* RIPEMD160_CBLOCK */ 64, 20, CRYPTO_RIPEMD160 },
# endif
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_224)
- { NID_sha224, 224 / 8, CRYPTO_SHA2_224 },
+ { NID_sha224, SHA256_CBLOCK, 224 / 8, CRYPTO_SHA2_224 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_256)
- { NID_sha256, 256 / 8, CRYPTO_SHA2_256 },
+ { NID_sha256, SHA256_CBLOCK, 256 / 8, CRYPTO_SHA2_256 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_384)
- { NID_sha384, 384 / 8, CRYPTO_SHA2_384 },
+ { NID_sha384, SHA512_CBLOCK, 384 / 8, CRYPTO_SHA2_384 },
#endif
#if !defined(CHECK_BSD_STYLE_MACROS) || defined(CRYPTO_SHA2_512)
- { NID_sha512, 512 / 8, CRYPTO_SHA2_512 },
+ { NID_sha512, SHA512_CBLOCK, 512 / 8, CRYPTO_SHA2_512 },
#endif
};
@@ -405,7 +526,7 @@ static int digest_init(EVP_MD_CTX *ctx)
const struct digest_data_st *digest_d =
get_digest_data(EVP_MD_CTX_type(ctx));
- digest_ctx->init = 1;
+ digest_ctx->init_called = 1;
memset(&digest_ctx->sess, 0, sizeof(digest_ctx->sess));
digest_ctx->sess.mac = digest_d->devcryptoid;
@@ -440,6 +561,9 @@ static int digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
if (count == 0)
return 1;
+ if (digest_ctx == NULL)
+ return 0;
+
if (digest_op(digest_ctx, data, count, NULL, COP_FLAG_UPDATE) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -453,11 +577,9 @@ static int digest_final(EVP_MD_CTX *ctx, unsigned char *md)
struct digest_ctx *digest_ctx =
(struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
- if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
- SYSerr(SYS_F_IOCTL, errno);
+ if (md == NULL || digest_ctx == NULL)
return 0;
- }
- if (ioctl(cfd, CIOCFSESSION, &digest_ctx->sess.ses) < 0) {
+ if (digest_op(digest_ctx, NULL, 0, md, COP_FLAG_FINAL) < 0) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
}
@@ -473,14 +595,9 @@ static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
(struct digest_ctx *)EVP_MD_CTX_md_data(to);
struct cphash_op cphash;
- if (digest_from == NULL)
+ if (digest_from == NULL || digest_from->init_called != 1)
return 1;
- if (digest_from->init != 1) {
- SYSerr(SYS_F_IOCTL, EINVAL);
- return 0;
- }
-
if (!digest_init(to)) {
SYSerr(SYS_F_IOCTL, errno);
return 0;
@@ -497,7 +614,37 @@ static int digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
static int digest_cleanup(EVP_MD_CTX *ctx)
{
- return 1;
+ struct digest_ctx *digest_ctx =
+ (struct digest_ctx *)EVP_MD_CTX_md_data(ctx);
+
+ if (digest_ctx == NULL)
+ return 1;
+
+ return clean_devcrypto_session(&digest_ctx->sess);
+}
+
+static int devcrypto_test_digest(size_t digest_data_index)
+{
+ struct session_op sess1, sess2;
+ struct cphash_op cphash;
+ int ret=0;
+
+ memset(&sess1, 0, sizeof(sess1));
+ memset(&sess2, 0, sizeof(sess2));
+ sess1.mac = digest_data[digest_data_index].devcryptoid;
+ if (ioctl(cfd, CIOCGSESSION, &sess1) < 0)
+ return 0;
+ /* Make sure the driver is capable of hash state copy */
+ sess2.mac = sess1.mac;
+ if (ioctl(cfd, CIOCGSESSION, &sess2) >= 0) {
+ cphash.src_ses = sess1.ses;
+ cphash.dst_ses = sess2.ses;
+ if (ioctl(cfd, CIOCCPHASH, &cphash) >= 0)
+ ret = 1;
+ ioctl(cfd, CIOCFSESSION, &sess2.ses);
+ }
+ ioctl(cfd, CIOCFSESSION, &sess1.ses);
+ return ret;
}
/*
@@ -512,24 +659,20 @@ static EVP_MD *known_digest_methods[OSSL_NELEM(digest_data)] = { NULL, };
static void prepare_digest_methods(void)
{
size_t i;
- struct session_op sess;
-
- memset(&sess, 0, sizeof(sess));
for (i = 0, known_digest_nids_amount = 0; i < OSSL_NELEM(digest_data);
i++) {
/*
- * Check that the algo is really availably by trying to open and close
- * a session.
+ * Check that the algo is usable
*/
- sess.mac = digest_data[i].devcryptoid;
- if (ioctl(cfd, CIOCGSESSION, &sess) < 0
- || ioctl(cfd, CIOCFSESSION, &sess.ses) < 0)
+ if (!devcrypto_test_digest(i))
continue;
if ((known_digest_methods[i] = EVP_MD_meth_new(digest_data[i].nid,
NID_undef)) == NULL
+ || !EVP_MD_meth_set_input_blocksize(known_digest_methods[i],
+ digest_data[i].blocksize)
|| !EVP_MD_meth_set_result_size(known_digest_methods[i],
digest_data[i].digestlen)
|| !EVP_MD_meth_set_init(known_digest_methods[i], digest_init)
@@ -617,15 +760,10 @@ void engine_load_devcrypto_int()
ENGINE *e = NULL;
if ((cfd = open("/dev/crypto", O_RDWR, 0)) < 0) {
- fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
+ fprintf(stderr, "Could not open /dev/crypto: %s\n", strerror(errno));
return;
}
- prepare_cipher_methods();
-#ifdef IMPLEMENT_DIGEST
- prepare_digest_methods();
-#endif
-
if ((e = ENGINE_new()) == NULL
|| !ENGINE_set_destroy_function(e, devcrypto_unload)) {
ENGINE_free(e);
@@ -638,6 +776,11 @@ void engine_load_devcrypto_int()
return;
}
+ prepare_cipher_methods();
+#ifdef IMPLEMENT_DIGEST
+ prepare_digest_methods();
+#endif
+
if (!ENGINE_set_id(e, "devcrypto")
|| !ENGINE_set_name(e, "/dev/crypto engine")
diff --git a/freebsd/crypto/openssl/crypto/engine/eng_lib.c b/freebsd/crypto/openssl/crypto/engine/eng_lib.c
index a098c6d..3401ed8 100644
--- a/freebsd/crypto/openssl/crypto/engine/eng_lib.c
+++ b/freebsd/crypto/openssl/crypto/engine/eng_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -126,7 +126,7 @@ static int int_cleanup_check(int create)
static ENGINE_CLEANUP_ITEM *int_cleanup_item(ENGINE_CLEANUP_CB *cb)
{
ENGINE_CLEANUP_ITEM *item;
-
+
if ((item = OPENSSL_malloc(sizeof(*item))) == NULL) {
ENGINEerr(ENGINE_F_INT_CLEANUP_ITEM, ERR_R_MALLOC_FAILURE);
return NULL;
diff --git a/freebsd/crypto/openssl/crypto/err/err.c b/freebsd/crypto/openssl/crypto/err/err.c
index d646254..36f9579 100644
--- a/freebsd/crypto/openssl/crypto/err/err.c
+++ b/freebsd/crypto/openssl/crypto/err/err.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -21,6 +21,9 @@
#include <openssl/bio.h>
#include <openssl/opensslconf.h>
#include "internal/thread_once.h"
+#include "internal/ctype.h"
+#include "internal/constant_time_locl.h"
+#include "e_os.h"
static int err_load_strings(const ERR_STRING_DATA *str);
@@ -183,8 +186,9 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
}
#ifndef OPENSSL_NO_ERR
+/* A measurement on Linux 2018-11-21 showed about 3.5kib */
+# define SPACE_SYS_STR_REASONS 4 * 1024
# define NUM_SYS_STR_REASONS 127
-# define LEN_SYS_STR_REASON 32
static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
/*
@@ -200,9 +204,12 @@ static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
static void build_SYS_str_reasons(void)
{
/* OPENSSL_malloc cannot be used here, use static storage instead */
- static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
+ static char strerror_pool[SPACE_SYS_STR_REASONS];
+ char *cur = strerror_pool;
+ size_t cnt = 0;
static int init = 1;
int i;
+ int saveerrno = get_last_sys_error();
CRYPTO_THREAD_write_lock(err_string_lock);
if (!init) {
@@ -215,9 +222,26 @@ static void build_SYS_str_reasons(void)
str->error = ERR_PACK(ERR_LIB_SYS, 0, i);
if (str->string == NULL) {
- char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
- if (openssl_strerror_r(i, *dest, sizeof(*dest)))
- str->string = *dest;
+ if (openssl_strerror_r(i, cur, sizeof(strerror_pool) - cnt)) {
+ size_t l = strlen(cur);
+
+ str->string = cur;
+ cnt += l;
+ if (cnt > sizeof(strerror_pool))
+ cnt = sizeof(strerror_pool);
+ cur += l;
+
+ /*
+ * VMS has an unusual quirk of adding spaces at the end of
+ * some (most? all?) messages. Lets trim them off.
+ */
+ while (ossl_isspace(cur[-1])) {
+ cur--;
+ cnt--;
+ }
+ *cur++ = '\0';
+ cnt++;
+ }
}
if (str->string == NULL)
str->string = "unknown";
@@ -231,6 +255,8 @@ static void build_SYS_str_reasons(void)
init = 0;
CRYPTO_THREAD_unlock(err_string_lock);
+ /* openssl_strerror_r could change errno, but we want to preserve it */
+ set_sys_error(saveerrno);
err_load_strings(SYS_str_reasons);
}
#endif
@@ -673,6 +699,7 @@ DEFINE_RUN_ONCE_STATIC(err_do_init)
ERR_STATE *ERR_get_state(void)
{
ERR_STATE *state;
+ int saveerrno = get_last_sys_error();
if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
return NULL;
@@ -704,6 +731,7 @@ ERR_STATE *ERR_get_state(void)
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
}
+ set_sys_error(saveerrno);
return state;
}
@@ -713,6 +741,20 @@ ERR_STATE *ERR_get_state(void)
*/
int err_shelve_state(void **state)
{
+ int saveerrno = get_last_sys_error();
+
+ /*
+ * Note, at present our only caller is OPENSSL_init_crypto(), indirectly
+ * via ossl_init_load_crypto_nodelete(), by which point the requested
+ * "base" initialization has already been performed, so the below call is a
+ * NOOP, that re-enters OPENSSL_init_crypto() only to quickly return.
+ *
+ * If are no other valid callers of this function, the call below can be
+ * removed, avoiding the re-entry into OPENSSL_init_crypto(). If there are
+ * potential uses that are not from inside OPENSSL_init_crypto(), then this
+ * call is needed, but some care is required to make sure that the re-entry
+ * remains a NOOP.
+ */
if (!OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL))
return 0;
@@ -723,6 +765,7 @@ int err_shelve_state(void **state)
if (!CRYPTO_THREAD_set_local(&err_thread_local, (ERR_STATE*)-1))
return 0;
+ set_sys_error(saveerrno);
return 1;
}
@@ -749,20 +792,31 @@ int ERR_get_next_error_library(void)
return ret;
}
-void ERR_set_error_data(char *data, int flags)
+static int err_set_error_data_int(char *data, int flags)
{
ERR_STATE *es;
int i;
es = ERR_get_state();
if (es == NULL)
- return;
+ return 0;
i = es->top;
err_clear_data(es, i);
es->err_data[i] = data;
es->err_data_flags[i] = flags;
+
+ return 1;
+}
+
+void ERR_set_error_data(char *data, int flags)
+{
+ /*
+ * This function is void so we cannot propagate the error return. Since it
+ * is also in the public API we can't change the return type.
+ */
+ err_set_error_data_int(data, flags);
}
void ERR_add_error_data(int num, ...)
@@ -802,7 +856,8 @@ void ERR_add_error_vdata(int num, va_list args)
}
OPENSSL_strlcat(str, a, (size_t)s + 1);
}
- ERR_set_error_data(str, ERR_TXT_MALLOCED | ERR_TXT_STRING);
+ if (!err_set_error_data_int(str, ERR_TXT_MALLOCED | ERR_TXT_STRING))
+ OPENSSL_free(str);
}
int ERR_set_mark(void)
@@ -859,3 +914,42 @@ int ERR_clear_last_mark(void)
es->err_flags[top] &= ~ERR_FLAG_MARK;
return 1;
}
+
+#ifdef UINTPTR_T
+# undef UINTPTR_T
+#endif
+/*
+ * uintptr_t is the answer, but unfortunately C89, current "least common
+ * denominator" doesn't define it. Most legacy platforms typedef it anyway,
+ * so that attempt to fill the gaps means that one would have to identify
+ * that track these gaps, which would be undesirable. Macro it is...
+ */
+#if defined(__VMS) && __INITIAL_POINTER_SIZE==64
+/*
+ * But we can't use size_t on VMS, because it adheres to sizeof(size_t)==4
+ * even in 64-bit builds, which means that it won't work as mask.
+ */
+# define UINTPTR_T unsigned long long
+#else
+# define UINTPTR_T size_t
+#endif
+
+void err_clear_last_constant_time(int clear)
+{
+ ERR_STATE *es;
+ int top;
+
+ es = ERR_get_state();
+ if (es == NULL)
+ return;
+
+ top = es->top;
+
+ es->err_flags[top] &= ~(0 - clear);
+ es->err_buffer[top] &= ~(0UL - clear);
+ es->err_file[top] = (const char *)((UINTPTR_T)es->err_file[top] &
+ ~((UINTPTR_T)0 - clear));
+ es->err_line[top] |= 0 - clear;
+
+ es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS;
+}
diff --git a/freebsd/crypto/openssl/crypto/evp/evp_enc.c b/freebsd/crypto/openssl/crypto/evp/evp_enc.c
index e284e32..cdf800b 100644
--- a/freebsd/crypto/openssl/crypto/evp/evp_enc.c
+++ b/freebsd/crypto/openssl/crypto/evp/evp_enc.c
@@ -296,8 +296,9 @@ int is_partially_overlapping(const void *ptr1, const void *ptr2, int len)
return overlapped;
}
-int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
- const unsigned char *in, int inl)
+static int evp_EncryptDecryptUpdate(EVP_CIPHER_CTX *ctx,
+ unsigned char *out, int *outl,
+ const unsigned char *in, int inl)
{
int i, j, bl, cmpl = inl;
@@ -309,7 +310,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
/* If block size > 1 then the cipher will have to do this check */
if (bl == 1 && is_partially_overlapping(out, in, cmpl)) {
- EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
+ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
return 0;
}
@@ -326,7 +327,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
return inl == 0;
}
if (is_partially_overlapping(out + ctx->buf_len, in, cmpl)) {
- EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
+ EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING);
return 0;
}
@@ -373,6 +374,19 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
return 1;
}
+
+int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
+ const unsigned char *in, int inl)
+{
+ /* Prevent accidental use of decryption context when encrypting */
+ if (!ctx->encrypt) {
+ EVPerr(EVP_F_EVP_ENCRYPTUPDATE, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
+ return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
+}
+
int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
int ret;
@@ -385,6 +399,12 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
int n, ret;
unsigned int i, b, bl;
+ /* Prevent accidental use of decryption context when encrypting */
+ if (!ctx->encrypt) {
+ EVPerr(EVP_F_EVP_ENCRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
if (ret < 0)
@@ -428,6 +448,12 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
int fix_len, cmpl = inl;
unsigned int b;
+ /* Prevent accidental use of encryption context when decrypting */
+ if (ctx->encrypt) {
+ EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
b = ctx->cipher->block_size;
if (EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
@@ -454,7 +480,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
}
if (ctx->flags & EVP_CIPH_NO_PADDING)
- return EVP_EncryptUpdate(ctx, out, outl, in, inl);
+ return evp_EncryptDecryptUpdate(ctx, out, outl, in, inl);
OPENSSL_assert(b <= sizeof(ctx->final));
@@ -471,7 +497,7 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
} else
fix_len = 0;
- if (!EVP_EncryptUpdate(ctx, out, outl, in, inl))
+ if (!evp_EncryptDecryptUpdate(ctx, out, outl, in, inl))
return 0;
/*
@@ -502,6 +528,13 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
{
int i, n;
unsigned int b;
+
+ /* Prevent accidental use of encryption context when decrypting */
+ if (ctx->encrypt) {
+ EVPerr(EVP_F_EVP_DECRYPTFINAL_EX, EVP_R_INVALID_OPERATION);
+ return 0;
+ }
+
*outl = 0;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
diff --git a/freebsd/crypto/openssl/crypto/evp/evp_err.c b/freebsd/crypto/openssl/crypto/evp/evp_err.c
index d83e3b7..94adca9 100644
--- a/freebsd/crypto/openssl/crypto/evp/evp_err.c
+++ b/freebsd/crypto/openssl/crypto/evp/evp_err.c
@@ -52,6 +52,8 @@ static const ERR_STRING_DATA EVP_str_functs[] = {
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DECRYPTUPDATE, 0), "EVP_DecryptUpdate"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DIGESTFINALXOF, 0), "EVP_DigestFinalXOF"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_DIGESTINIT_EX, 0), "EVP_DigestInit_ex"},
+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTDECRYPTUPDATE, 0),
+ "evp_EncryptDecryptUpdate"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
"EVP_EncryptFinal_ex"},
{ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
diff --git a/freebsd/crypto/openssl/crypto/evp/p_lib.c b/freebsd/crypto/openssl/crypto/evp/p_lib.c
index 59c3782..47135f0 100644
--- a/freebsd/crypto/openssl/crypto/evp/p_lib.c
+++ b/freebsd/crypto/openssl/crypto/evp/p_lib.c
@@ -44,7 +44,7 @@ int EVP_PKEY_security_bits(const EVP_PKEY *pkey)
return pkey->ameth->pkey_security_bits(pkey);
}
-int EVP_PKEY_size(EVP_PKEY *pkey)
+int EVP_PKEY_size(const EVP_PKEY *pkey)
{
if (pkey && pkey->ameth && pkey->ameth->pkey_size)
return pkey->ameth->pkey_size(pkey);
diff --git a/freebsd/crypto/openssl/crypto/include/internal/bn_int.h b/freebsd/crypto/openssl/crypto/include/internal/bn_int.h
index cffe5cf..30be7ef 100644
--- a/freebsd/crypto/openssl/crypto/include/internal/bn_int.h
+++ b/freebsd/crypto/openssl/crypto/include/internal/bn_int.h
@@ -65,7 +65,10 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
* is customarily arranged by bn_correct_top. Output from below functions
* is not processed with bn_correct_top, and for this reason it may not be
* returned out of public API. It may only be passed internally into other
- * functions known to support non-minimal or zero-padded BIGNUMs.
+ * functions known to support non-minimal or zero-padded BIGNUMs. Even
+ * though the goal is to facilitate constant-time-ness, not each subroutine
+ * is constant-time by itself. They all have pre-conditions, consult source
+ * code...
*/
int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
BN_MONT_CTX *mont, BN_CTX *ctx);
@@ -79,5 +82,9 @@ int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
const BIGNUM *m);
int bn_mul_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
int bn_sqr_fixed_top(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
+int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
+int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+ const BIGNUM *d, BN_CTX *ctx);
#endif
diff --git a/freebsd/crypto/openssl/crypto/init.c b/freebsd/crypto/openssl/crypto/init.c
index cb32ff7..e409911 100644
--- a/freebsd/crypto/openssl/crypto/init.c
+++ b/freebsd/crypto/openssl/crypto/init.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -104,12 +104,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_base)
return 0;
if ((init_lock = CRYPTO_THREAD_lock_new()) == NULL)
goto err;
-#ifndef OPENSSL_SYS_UEFI
-#ifndef __rtems__
- if (atexit(OPENSSL_cleanup) != 0)
- goto err;
-#endif /* __rtems__ */
-#endif
OPENSSL_cpuid_setup();
destructor_key.value = key;
@@ -127,13 +121,55 @@ err:
return 0;
}
+#ifndef __rtems__
+static CRYPTO_ONCE register_atexit = CRYPTO_ONCE_STATIC_INIT;
+#if !defined(OPENSSL_SYS_UEFI) && defined(_WIN32)
+static int win32atexit(void)
+{
+ OPENSSL_cleanup();
+ return 0;
+}
+#endif
+
+DEFINE_RUN_ONCE_STATIC(ossl_init_register_atexit)
+{
+#ifdef OPENSSL_INIT_DEBUG
+ fprintf(stderr, "OPENSSL_INIT: ossl_init_register_atexit()\n");
+#endif
+#ifndef OPENSSL_SYS_UEFI
+# ifdef _WIN32
+ /* We use _onexit() in preference because it gets called on DLL unload */
+ if (_onexit(win32atexit) == NULL)
+ return 0;
+# else
+ if (atexit(OPENSSL_cleanup) != 0)
+ return 0;
+# endif
+#endif
+
+ return 1;
+}
+
+DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_register_atexit,
+ ossl_init_register_atexit)
+{
+#ifdef OPENSSL_INIT_DEBUG
+ fprintf(stderr, "OPENSSL_INIT: ossl_init_no_register_atexit ok!\n");
+#endif
+ /* Do nothing in this case */
+ return 1;
+}
+#endif /* __rtems__ */
+
static CRYPTO_ONCE load_crypto_nodelete = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
{
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr, "OPENSSL_INIT: ossl_init_load_crypto_nodelete()\n");
#endif
-#if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE)
+#if !defined(OPENSSL_NO_DSO) \
+ && !defined(OPENSSL_USE_NODELETE) \
+ && !defined(OPENSSL_NO_PINSHARED)
# ifdef DSO_WIN32
{
HMODULE handle = NULL;
@@ -183,12 +219,6 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_nodelete)
static CRYPTO_ONCE load_crypto_strings = CRYPTO_ONCE_STATIC_INIT;
static int load_crypto_strings_inited = 0;
-DEFINE_RUN_ONCE_STATIC(ossl_init_no_load_crypto_strings)
-{
- /* Do nothing in this case */
- return 1;
-}
-
DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
{
int ret = 1;
@@ -207,6 +237,13 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_crypto_strings)
return ret;
}
+DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_load_crypto_strings,
+ ossl_init_load_crypto_strings)
+{
+ /* Do nothing in this case */
+ return 1;
+}
+
static CRYPTO_ONCE add_all_ciphers = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_ciphers)
{
@@ -224,6 +261,13 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_ciphers)
return 1;
}
+DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_ciphers,
+ ossl_init_add_all_ciphers)
+{
+ /* Do nothing */
+ return 1;
+}
+
static CRYPTO_ONCE add_all_digests = CRYPTO_ONCE_STATIC_INIT;
DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_digests)
{
@@ -241,7 +285,8 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_add_all_digests)
return 1;
}
-DEFINE_RUN_ONCE_STATIC(ossl_init_no_add_algs)
+DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_add_all_digests,
+ ossl_init_add_all_digests)
{
/* Do nothing */
return 1;
@@ -249,19 +294,14 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_no_add_algs)
static CRYPTO_ONCE config = CRYPTO_ONCE_STATIC_INIT;
static int config_inited = 0;
-static const char *appname;
+static const OPENSSL_INIT_SETTINGS *conf_settings = NULL;
DEFINE_RUN_ONCE_STATIC(ossl_init_config)
{
-#ifdef OPENSSL_INIT_DEBUG
- fprintf(stderr,
- "OPENSSL_INIT: ossl_init_config: openssl_config(%s)\n",
- appname == NULL ? "NULL" : appname);
-#endif
- openssl_config_int(appname);
+ int ret = openssl_config_int(conf_settings);
config_inited = 1;
- return 1;
+ return ret;
}
-DEFINE_RUN_ONCE_STATIC(ossl_init_no_config)
+DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_config, ossl_init_config)
{
#ifdef OPENSSL_INIT_DEBUG
fprintf(stderr,
@@ -596,17 +636,45 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
return 0;
}
+ /*
+ * When the caller specifies OPENSSL_INIT_BASE_ONLY, that should be the
+ * *only* option specified. With that option we return immediately after
+ * doing the requested limited initialization. Note that
+ * err_shelve_state() called by us via ossl_init_load_crypto_nodelete()
+ * re-enters OPENSSL_init_crypto() with OPENSSL_INIT_BASE_ONLY, but with
+ * base already initialized this is a harmless NOOP.
+ *
+ * If we remain the only caller of err_shelve_state() the recursion should
+ * perhaps be removed, but if in doubt, it can be left in place.
+ */
if (!RUN_ONCE(&base, ossl_init_base))
return 0;
+ if (opts & OPENSSL_INIT_BASE_ONLY)
+ return 1;
+
+#ifndef __rtems__
+ /*
+ * Now we don't always set up exit handlers, the INIT_BASE_ONLY calls
+ * should not have the side-effect of setting up exit handlers, and
+ * therefore, this code block is below the INIT_BASE_ONLY-conditioned early
+ * return above.
+ */
+ if ((opts & OPENSSL_INIT_NO_ATEXIT) != 0) {
+ if (!RUN_ONCE_ALT(®ister_atexit, ossl_init_no_register_atexit,
+ ossl_init_register_atexit))
+ return 0;
+ } else if (!RUN_ONCE(®ister_atexit, ossl_init_register_atexit)) {
+ return 0;
+ }
+#endif /* __rtems__ */
- if (!(opts & OPENSSL_INIT_BASE_ONLY)
- && !RUN_ONCE(&load_crypto_nodelete,
- ossl_init_load_crypto_nodelete))
+ if (!RUN_ONCE(&load_crypto_nodelete, ossl_init_load_crypto_nodelete))
return 0;
if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS)
- && !RUN_ONCE(&load_crypto_strings,
- ossl_init_no_load_crypto_strings))
+ && !RUN_ONCE_ALT(&load_crypto_strings,
+ ossl_init_no_load_crypto_strings,
+ ossl_init_load_crypto_strings))
return 0;
if ((opts & OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
@@ -614,7 +682,8 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
return 0;
if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS)
- && !RUN_ONCE(&add_all_ciphers, ossl_init_no_add_algs))
+ && !RUN_ONCE_ALT(&add_all_ciphers, ossl_init_no_add_all_ciphers,
+ ossl_init_add_all_ciphers))
return 0;
if ((opts & OPENSSL_INIT_ADD_ALL_CIPHERS)
@@ -622,7 +691,8 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
return 0;
if ((opts & OPENSSL_INIT_NO_ADD_ALL_DIGESTS)
- && !RUN_ONCE(&add_all_digests, ossl_init_no_add_algs))
+ && !RUN_ONCE_ALT(&add_all_digests, ossl_init_no_add_all_digests,
+ ossl_init_add_all_digests))
return 0;
if ((opts & OPENSSL_INIT_ADD_ALL_DIGESTS)
@@ -634,14 +704,15 @@ int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings)
return 0;
if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG)
- && !RUN_ONCE(&config, ossl_init_no_config))
+ && !RUN_ONCE_ALT(&config, ossl_init_no_config, ossl_init_config))
return 0;
if (opts & OPENSSL_INIT_LOAD_CONFIG) {
int ret;
CRYPTO_THREAD_write_lock(init_lock);
- appname = (settings == NULL) ? NULL : settings->appname;
+ conf_settings = settings;
ret = RUN_ONCE(&config, ossl_init_config);
+ conf_settings = NULL;
CRYPTO_THREAD_unlock(init_lock);
if (!ret)
return 0;
@@ -708,7 +779,9 @@ int OPENSSL_atexit(void (*handler)(void))
{
OPENSSL_INIT_STOP *newhand;
-#if !defined(OPENSSL_NO_DSO) && !defined(OPENSSL_USE_NODELETE)
+#if !defined(OPENSSL_NO_DSO) \
+ && !defined(OPENSSL_USE_NODELETE)\
+ && !defined(OPENSSL_NO_PINSHARED)
{
union {
void *sym;
diff --git a/freebsd/crypto/openssl/crypto/objects/obj_dat.h b/freebsd/crypto/openssl/crypto/objects/obj_dat.h
index e931f7f..9ab1a14 100644
--- a/freebsd/crypto/openssl/crypto/objects/obj_dat.h
+++ b/freebsd/crypto/openssl/crypto/objects/obj_dat.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/objects/obj_dat.pl
*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
diff --git a/freebsd/crypto/openssl/crypto/objects/obj_xref.h b/freebsd/crypto/openssl/crypto/objects/obj_xref.h
index 9606e57..9144d56 100644
--- a/freebsd/crypto/openssl/crypto/objects/obj_xref.h
+++ b/freebsd/crypto/openssl/crypto/objects/obj_xref.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by objxref.pl
*
- * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
diff --git a/freebsd/crypto/openssl/crypto/pem/pem_info.c b/freebsd/crypto/openssl/crypto/pem/pem_info.c
index 16e182c..21b0bf4 100644
--- a/freebsd/crypto/openssl/crypto/pem/pem_info.c
+++ b/freebsd/crypto/openssl/crypto/pem/pem_info.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -299,7 +299,7 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
goto err;
}
- /* Create the right magic header stuff */
+ /* Create the right magic header stuff */
buf[0] = '\0';
PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
PEM_dek_info(buf, objstr, EVP_CIPHER_iv_length(enc),
diff --git a/freebsd/crypto/openssl/crypto/ppc_arch.h b/freebsd/crypto/openssl/crypto/ppc_arch.h
index 65cf96f..72bd746 100644
--- a/freebsd/crypto/openssl/crypto/ppc_arch.h
+++ b/freebsd/crypto/openssl/crypto/ppc_arch.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -22,5 +22,7 @@ extern unsigned int OPENSSL_ppccap_P;
# define PPC_CRYPTO207 (1<<2)
# define PPC_FPU (1<<3)
# define PPC_MADD300 (1<<4)
+# define PPC_MFTB (1<<5)
+# define PPC_MFSPR268 (1<<6)
#endif
diff --git a/freebsd/crypto/openssl/crypto/rand/rand_unix.c b/freebsd/crypto/openssl/crypto/rand/rand_unix.c
index 7a93ceb..d6eae34 100644
--- a/freebsd/crypto/openssl/crypto/rand/rand_unix.c
+++ b/freebsd/crypto/openssl/crypto/rand/rand_unix.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -95,6 +95,27 @@ static uint64_t get_timer_bits(void);
# error "UEFI and VXWorks only support seeding NONE"
#endif
+#if defined(OPENSSL_SYS_VXWORKS)
+/* empty implementation */
+int rand_pool_init(void)
+{
+ return 1;
+}
+
+void rand_pool_cleanup(void)
+{
+}
+
+void rand_pool_keep_random_devices_open(int keep)
+{
+}
+
+size_t rand_pool_acquire_entropy(RAND_POOL *pool)
+{
+ return rand_pool_entropy_available(pool);
+}
+#endif
+
#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32) \
|| defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_VXWORKS) \
|| defined(OPENSSL_SYS_UEFI))
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c b/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c
index 59e841c..ce3d0ee 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_ameth.c
@@ -36,7 +36,7 @@ static int rsa_param_encode(const EVP_PKEY *pkey,
*pstr = NULL;
/* If RSA it's just NULL type */
- if (pkey->ameth->pkey_id == EVP_PKEY_RSA) {
+ if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) {
*pstrtype = V_ASN1_NULL;
return 1;
}
@@ -60,7 +60,7 @@ static int rsa_param_decode(RSA *rsa, const X509_ALGOR *alg)
int algptype;
X509_ALGOR_get0(&algoid, &algptype, &algp, alg);
- if (OBJ_obj2nid(algoid) == EVP_PKEY_RSA)
+ if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS)
return 1;
if (algptype == V_ASN1_UNDEF)
return 1;
@@ -111,7 +111,10 @@ static int rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
RSA_free(rsa);
return 0;
}
- EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
+ if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) {
+ RSA_free(rsa);
+ return 0;
+ }
return 1;
}
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_oaep.c b/freebsd/crypto/openssl/crypto/rsa/rsa_oaep.c
index 7e00779..ca0314f 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_oaep.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_oaep.c
@@ -122,7 +122,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
const EVP_MD *mgf1md)
{
int i, dblen = 0, mlen = -1, one_index = 0, msg_index;
- unsigned int good, found_one_byte;
+ unsigned int good = 0, found_one_byte, mask;
const unsigned char *maskedseed, *maskeddb;
/*
* |em| is the encoded message, zero-padded to exactly |num| bytes: em =
@@ -149,8 +149,11 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* the ciphertext, see PKCS #1 v2.2, section 7.1.2.
* This does not leak any side-channel information.
*/
- if (num < flen || num < 2 * mdlen + 2)
- goto decoding_err;
+ if (num < flen || num < 2 * mdlen + 2) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+ RSA_R_OAEP_DECODING_ERROR);
+ return -1;
+ }
dblen = num - mdlen - 1;
db = OPENSSL_malloc(dblen);
@@ -159,25 +162,26 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
goto cleanup;
}
- if (flen != num) {
- em = OPENSSL_zalloc(num);
- if (em == NULL) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
- ERR_R_MALLOC_FAILURE);
- goto cleanup;
- }
+ em = OPENSSL_malloc(num);
+ if (em == NULL) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
+ ERR_R_MALLOC_FAILURE);
+ goto cleanup;
+ }
- /*
- * Caller is encouraged to pass zero-padded message created with
- * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
- * to avoid leaking that information. The copy still leaks some
- * side-channel information, but it's impossible to have a fixed
- * memory access pattern since we can't read out of the bounds of
- * |from|.
- */
- memcpy(em + num - flen, from, flen);
- from = em;
+ /*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+ * bounds, it's impossible to have an invariant memory access pattern
+ * in case |from| was not zero-padded in advance.
+ */
+ for (from += flen, em += num, i = 0; i < num; i++) {
+ mask = ~constant_time_is_zero(flen);
+ flen -= 1 & mask;
+ from -= 1 & mask;
+ *--em = *from & mask;
}
+ from = em;
/*
* The first byte must be zero, however we must not leak if this is
@@ -224,32 +228,48 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
* so plaintext-awareness ensures timing side-channels are no longer a
* concern.
*/
- if (!good)
- goto decoding_err;
-
msg_index = one_index + 1;
mlen = dblen - msg_index;
- if (tlen < mlen) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
- mlen = -1;
- } else {
- memcpy(to, db + msg_index, mlen);
- goto cleanup;
+ /*
+ * For good measure, do this check in constant tine as well.
+ */
+ good &= constant_time_ge(tlen, mlen);
+
+ /*
+ * Even though we can't fake result's length, we can pretend copying
+ * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |dblen|
+ * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+ * where |mlen'| is "saturated" |mlen| value. Deducing information
+ * about failure or |mlen| would take attacker's ability to observe
+ * memory access pattern with byte granularity *as it occurs*. It
+ * should be noted that failure is indistinguishable from normal
+ * operation if |tlen| is fixed by protocol.
+ */
+ tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen);
+ msg_index = constant_time_select_int(good, msg_index, dblen - tlen);
+ mlen = dblen - msg_index;
+ for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) {
+ unsigned int equals = constant_time_eq(i, mlen);
+
+ from -= dblen & equals; /* if (i == dblen) rewind */
+ mask &= mask ^ equals; /* if (i == dblen) mask = 0 */
+ to[i] = constant_time_select_8(mask, from[i], to[i]);
}
- decoding_err:
/*
* To avoid chosen ciphertext attacks, the error message should not
* reveal which kind of decoding error happened.
*/
RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1,
RSA_R_OAEP_DECODING_ERROR);
+ err_clear_last_constant_time(1 & good);
cleanup:
OPENSSL_cleanse(seed, sizeof(seed));
OPENSSL_clear_free(db, dblen);
OPENSSL_clear_free(em, num);
- return mlen;
+
+ return constant_time_select_int(good, mlen, -1);
}
int PKCS1_MGF1(unsigned char *mask, long len,
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c b/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c
index 43fc5a6..2257ba1 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_ossl.c
@@ -12,6 +12,7 @@
#include "internal/cryptlib.h"
#include "internal/bn_int.h"
#include "rsa_locl.h"
+#include "internal/constant_time_locl.h"
static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
@@ -288,6 +289,11 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
goto err;
}
+ if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+ if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
+ rsa->n, ctx))
+ goto err;
+
if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
if (blinding == NULL) {
@@ -320,13 +326,6 @@ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
}
BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
- if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
- if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
- rsa->n, ctx)) {
- BN_free(d);
- goto err;
- }
-
if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
rsa->_method_mod_n)) {
BN_free(d);
@@ -483,8 +482,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from,
RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
- if (r < 0)
- RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_PADDING_CHECK_FAILED);
+ err_clear_last_constant_time(r >= 0);
err:
if (ctx != NULL)
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_pk1.c b/freebsd/crypto/openssl/crypto/rsa/rsa_pk1.c
index 1b28578..09b47e5 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_pk1.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_pk1.c
@@ -160,10 +160,10 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
int i;
/* |em| is the encoded message, zero-padded to exactly |num| bytes */
unsigned char *em = NULL;
- unsigned int good, found_zero_byte;
+ unsigned int good, found_zero_byte, mask;
int zero_index = 0, msg_index, mlen = -1;
- if (tlen < 0 || flen < 0)
+ if (tlen <= 0 || flen <= 0)
return -1;
/*
@@ -171,39 +171,41 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
* section 7.2.2.
*/
- if (flen > num)
- goto err;
-
- if (num < 11)
- goto err;
+ if (flen > num || num < 11) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
+ RSA_R_PKCS_DECODING_ERROR);
+ return -1;
+ }
- if (flen != num) {
- em = OPENSSL_zalloc(num);
- if (em == NULL) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
- return -1;
- }
- /*
- * Caller is encouraged to pass zero-padded message created with
- * BN_bn2binpad, but if it doesn't, we do this zero-padding copy
- * to avoid leaking that information. The copy still leaks some
- * side-channel information, but it's impossible to have a fixed
- * memory access pattern since we can't read out of the bounds of
- * |from|.
- */
- memcpy(em + num - flen, from, flen);
- from = em;
+ em = OPENSSL_malloc(num);
+ if (em == NULL) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, ERR_R_MALLOC_FAILURE);
+ return -1;
+ }
+ /*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+ * bounds, it's impossible to have an invariant memory access pattern
+ * in case |from| was not zero-padded in advance.
+ */
+ for (from += flen, em += num, i = 0; i < num; i++) {
+ mask = ~constant_time_is_zero(flen);
+ flen -= 1 & mask;
+ from -= 1 & mask;
+ *--em = *from & mask;
}
+ from = em;
good = constant_time_is_zero(from[0]);
good &= constant_time_eq(from[1], 2);
+ /* scan over padding data */
found_zero_byte = 0;
for (i = 2; i < num; i++) {
unsigned int equals0 = constant_time_is_zero(from[i]);
- zero_index =
- constant_time_select_int(~found_zero_byte & equals0, i,
- zero_index);
+
+ zero_index = constant_time_select_int(~found_zero_byte & equals0,
+ i, zero_index);
found_zero_byte |= equals0;
}
@@ -212,7 +214,7 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
* If we never found a 0-byte, then |zero_index| is 0 and the check
* also fails.
*/
- good &= constant_time_ge((unsigned int)(zero_index), 2 + 8);
+ good &= constant_time_ge(zero_index, 2 + 8);
/*
* Skip the zero byte. This is incorrect if we never found a zero-byte
@@ -222,27 +224,34 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
mlen = num - msg_index;
/*
- * For good measure, do this check in constant time as well; it could
- * leak something if |tlen| was assuming valid padding.
+ * For good measure, do this check in constant time as well.
*/
- good &= constant_time_ge((unsigned int)(tlen), (unsigned int)(mlen));
+ good &= constant_time_ge(tlen, mlen);
/*
- * We can't continue in constant-time because we need to copy the result
- * and we cannot fake its length. This unavoidably leaks timing
- * information at the API boundary.
+ * Even though we can't fake result's length, we can pretend copying
+ * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
+ * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+ * where |mlen'| is "saturated" |mlen| value. Deducing information
+ * about failure or |mlen| would take attacker's ability to observe
+ * memory access pattern with byte granularity *as it occurs*. It
+ * should be noted that failure is indistinguishable from normal
+ * operation if |tlen| is fixed by protocol.
*/
- if (!good) {
- mlen = -1;
- goto err;
- }
+ tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
+ msg_index = constant_time_select_int(good, msg_index, num - tlen);
+ mlen = num - msg_index;
+ for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
+ unsigned int equals = constant_time_eq(i, mlen);
- memcpy(to, from + msg_index, mlen);
+ from -= tlen & equals; /* if (i == mlen) rewind */
+ mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
+ to[i] = constant_time_select_8(mask, from[i], to[i]);
+ }
- err:
OPENSSL_clear_free(em, num);
- if (mlen == -1)
- RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2,
- RSA_R_PKCS_DECODING_ERROR);
- return mlen;
+ RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2, RSA_R_PKCS_DECODING_ERROR);
+ err_clear_last_constant_time(1 & good);
+
+ return constant_time_select_int(good, mlen, -1);
}
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_ssl.c b/freebsd/crypto/openssl/crypto/rsa/rsa_ssl.c
index d57a43e..9b0edb3 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_ssl.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_ssl.c
@@ -14,6 +14,7 @@
#include <openssl/bn.h>
#include <openssl/rsa.h>
#include <openssl/rand.h>
+#include "internal/constant_time_locl.h"
int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen)
@@ -54,57 +55,115 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
return 1;
}
+/*
+ * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
+ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
+ * preserves error code reporting for backward compatibility.
+ */
int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
const unsigned char *from, int flen, int num)
{
- int i, j, k;
- const unsigned char *p;
+ int i;
+ /* |em| is the encoded message, zero-padded to exactly |num| bytes */
+ unsigned char *em = NULL;
+ unsigned int good, found_zero_byte, mask, threes_in_row;
+ int zero_index = 0, msg_index, mlen = -1, err;
- p = from;
if (flen < 10) {
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_SMALL);
return -1;
}
- /* Accept even zero-padded input */
- if (flen == num) {
- if (*(p++) != 0) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
- return -1;
- }
- flen--;
- }
- if ((num != (flen + 1)) || (*(p++) != 02)) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_BLOCK_TYPE_IS_NOT_02);
- return -1;
- }
- /* scan over padding data */
- j = flen - 1; /* one for type */
- for (i = 0; i < j; i++)
- if (*(p++) == 0)
- break;
-
- if ((i == j) || (i < 8)) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,
- RSA_R_NULL_BEFORE_BLOCK_MISSING);
+ em = OPENSSL_malloc(num);
+ if (em == NULL) {
+ RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, ERR_R_MALLOC_FAILURE);
return -1;
}
- for (k = -9; k < -1; k++) {
- if (p[k] != 0x03)
- break;
+ /*
+ * Caller is encouraged to pass zero-padded message created with
+ * BN_bn2binpad. Trouble is that since we can't read out of |from|'s
+ * bounds, it's impossible to have an invariant memory access pattern
+ * in case |from| was not zero-padded in advance.
+ */
+ for (from += flen, em += num, i = 0; i < num; i++) {
+ mask = ~constant_time_is_zero(flen);
+ flen -= 1 & mask;
+ from -= 1 & mask;
+ *--em = *from & mask;
}
- if (k == -1) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_SSLV3_ROLLBACK_ATTACK);
- return -1;
+ from = em;
+
+ good = constant_time_is_zero(from[0]);
+ good &= constant_time_eq(from[1], 2);
+ err = constant_time_select_int(good, 0, RSA_R_BLOCK_TYPE_IS_NOT_02);
+ mask = ~good;
+
+ /* scan over padding data */
+ found_zero_byte = 0;
+ threes_in_row = 0;
+ for (i = 2; i < num; i++) {
+ unsigned int equals0 = constant_time_is_zero(from[i]);
+
+ zero_index = constant_time_select_int(~found_zero_byte & equals0,
+ i, zero_index);
+ found_zero_byte |= equals0;
+
+ threes_in_row += 1 & ~found_zero_byte;
+ threes_in_row &= found_zero_byte | constant_time_eq(from[i], 3);
}
- i++; /* Skip over the '\0' */
- j -= i;
- if (j > tlen) {
- RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, RSA_R_DATA_TOO_LARGE);
- return -1;
+ /*
+ * PS must be at least 8 bytes long, and it starts two bytes into |from|.
+ * If we never found a 0-byte, then |zero_index| is 0 and the check
+ * also fails.
+ */
+ good &= constant_time_ge(zero_index, 2 + 8);
+ err = constant_time_select_int(mask | good, err,
+ RSA_R_NULL_BEFORE_BLOCK_MISSING);
+ mask = ~good;
+
+ good &= constant_time_lt(threes_in_row, 8);
+ err = constant_time_select_int(mask | good, err,
+ RSA_R_SSLV3_ROLLBACK_ATTACK);
+ mask = ~good;
+
+ /*
+ * Skip the zero byte. This is incorrect if we never found a zero-byte
+ * but in this case we also do not copy the message out.
+ */
+ msg_index = zero_index + 1;
+ mlen = num - msg_index;
+
+ /*
+ * For good measure, do this check in constant time as well.
+ */
+ good &= constant_time_ge(tlen, mlen);
+ err = constant_time_select_int(mask | good, err, RSA_R_DATA_TOO_LARGE);
+
+ /*
+ * Even though we can't fake result's length, we can pretend copying
+ * |tlen| bytes where |mlen| bytes would be real. Last |tlen| of |num|
+ * bytes are viewed as circular buffer with start at |tlen|-|mlen'|,
+ * where |mlen'| is "saturated" |mlen| value. Deducing information
+ * about failure or |mlen| would take attacker's ability to observe
+ * memory access pattern with byte granularity *as it occurs*. It
+ * should be noted that failure is indistinguishable from normal
+ * operation if |tlen| is fixed by protocol.
+ */
+ tlen = constant_time_select_int(constant_time_lt(num, tlen), num, tlen);
+ msg_index = constant_time_select_int(good, msg_index, num - tlen);
+ mlen = num - msg_index;
+ for (from += msg_index, mask = good, i = 0; i < tlen; i++) {
+ unsigned int equals = constant_time_eq(i, mlen);
+
+ from -= tlen & equals; /* if (i == mlen) rewind */
+ mask &= mask ^ equals; /* if (i == mlen) mask = 0 */
+ to[i] = constant_time_select_8(mask, from[i], to[i]);
}
- memcpy(to, p, (unsigned int)j);
- return j;
+ OPENSSL_clear_free(em, num);
+ RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23, err);
+ err_clear_last_constant_time(1 & good);
+
+ return constant_time_select_int(good, mlen, -1);
}
diff --git a/freebsd/crypto/openssl/crypto/rsa/rsa_x931g.c b/freebsd/crypto/openssl/crypto/rsa/rsa_x931g.c
index 5858ecb..9435cad 100644
--- a/freebsd/crypto/openssl/crypto/rsa/rsa_x931g.c
+++ b/freebsd/crypto/openssl/crypto/rsa/rsa_x931g.c
@@ -130,6 +130,8 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
/* calculate inverse of q mod p */
rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
+ if (rsa->iqmp == NULL)
+ goto err;
ret = 1;
err:
diff --git a/freebsd/crypto/openssl/crypto/srp/srp_lib.c b/freebsd/crypto/openssl/crypto/srp/srp_lib.c
index 534a288..efc69a1 100644
--- a/freebsd/crypto/openssl/crypto/srp/srp_lib.c
+++ b/freebsd/crypto/openssl/crypto/srp/srp_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -28,6 +28,7 @@ static BIGNUM *srp_Calc_xy(const BIGNUM *x, const BIGNUM *y, const BIGNUM *N)
unsigned char *tmp = NULL;
int numN = BN_num_bytes(N);
BIGNUM *res = NULL;
+
if (x != N && BN_ucmp(x, N) >= 0)
return NULL;
if (y != N && BN_ucmp(y, N) >= 0)
@@ -141,7 +142,8 @@ BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass)
|| !EVP_DigestFinal_ex(ctxt, dig, NULL)
|| !EVP_DigestInit_ex(ctxt, EVP_sha1(), NULL))
goto err;
- BN_bn2bin(s, cs);
+ if (BN_bn2bin(s, cs) < 0)
+ goto err;
if (!EVP_DigestUpdate(ctxt, cs, BN_num_bytes(s)))
goto err;
diff --git a/freebsd/crypto/openssl/crypto/srp/srp_vfy.c b/freebsd/crypto/openssl/crypto/srp/srp_vfy.c
index d2f124a..3241011 100644
--- a/freebsd/crypto/openssl/crypto/srp/srp_vfy.c
+++ b/freebsd/crypto/openssl/crypto/srp/srp_vfy.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2004, EdelKey Project. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -189,7 +189,7 @@ void SRP_user_pwd_free(SRP_user_pwd *user_pwd)
static SRP_user_pwd *SRP_user_pwd_new(void)
{
SRP_user_pwd *ret;
-
+
if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) {
/* SRPerr(SRP_F_SRP_USER_PWD_NEW, ERR_R_MALLOC_FAILURE); */ /*ckerr_ignore*/
return NULL;
@@ -600,10 +600,14 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
if ((len = t_fromb64(tmp, sizeof(tmp), N)) <= 0)
goto err;
N_bn_alloc = BN_bin2bn(tmp, len, NULL);
+ if (N_bn_alloc == NULL)
+ goto err;
N_bn = N_bn_alloc;
if ((len = t_fromb64(tmp, sizeof(tmp) ,g)) <= 0)
goto err;
g_bn_alloc = BN_bin2bn(tmp, len, NULL);
+ if (g_bn_alloc == NULL)
+ goto err;
g_bn = g_bn_alloc;
defgNid = "*";
} else {
@@ -625,15 +629,19 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
goto err;
s = BN_bin2bn(tmp2, len, NULL);
}
+ if (s == NULL)
+ goto err;
if (!SRP_create_verifier_BN(user, pass, &s, &v, N_bn, g_bn))
goto err;
- BN_bn2bin(v, tmp);
+ if (BN_bn2bin(v, tmp) < 0)
+ goto err;
vfsize = BN_num_bytes(v) * 2;
if (((vf = OPENSSL_malloc(vfsize)) == NULL))
goto err;
- t_tob64(vf, tmp, BN_num_bytes(v));
+ if (!t_tob64(vf, tmp, BN_num_bytes(v)))
+ goto err;
if (*salt == NULL) {
char *tmp_salt;
@@ -641,7 +649,10 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) {
goto err;
}
- t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN);
+ if (!t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN)) {
+ OPENSSL_free(tmp_salt);
+ goto err;
+ }
*salt = tmp_salt;
}
@@ -688,11 +699,15 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
goto err;
salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
+ if (salttmp == NULL)
+ goto err;
} else {
salttmp = *salt;
}
x = SRP_Calc_x(salttmp, user, pass);
+ if (x == NULL)
+ goto err;
*verifier = BN_new();
if (*verifier == NULL)
diff --git a/freebsd/crypto/openssl/crypto/ui/ui_openssl.c b/freebsd/crypto/openssl/crypto/ui/ui_openssl.c
index 3d07aff..5edcec1 100644
--- a/freebsd/crypto/openssl/crypto/ui/ui_openssl.c
+++ b/freebsd/crypto/openssl/crypto/ui/ui_openssl.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -103,6 +103,12 @@
# endif
+# if defined(OPENSSL_SYS_VXWORKS)
+# undef TERMIOS
+# undef TERMIO
+# undef SGTTY
+# endif
+
# ifdef TERMIOS
# include <termios.h>
# define TTY_STRUCT struct termios
diff --git a/freebsd/crypto/openssl/crypto/uid.c b/freebsd/crypto/openssl/crypto/uid.c
index aed5a5e..b51a685 100644
--- a/freebsd/crypto/openssl/crypto/uid.c
+++ b/freebsd/crypto/openssl/crypto/uid.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -36,12 +36,13 @@ int OPENSSL_issetugid(void)
# if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
# if __GLIBC_PREREQ(2, 16)
# include <sys/auxv.h>
+# define OSSL_IMPLEMENT_GETAUXVAL
# endif
# endif
int OPENSSL_issetugid(void)
{
-# ifdef AT_SECURE
+# ifdef OSSL_IMPLEMENT_GETAUXVAL
return getauxval(AT_SECURE) != 0;
# else
return getuid() != geteuid() || getgid() != getegid();
diff --git a/freebsd/crypto/openssl/crypto/x509/x509_vfy.c b/freebsd/crypto/openssl/crypto/x509/x509_vfy.c
index 00b33f3..7614e8a 100644
--- a/freebsd/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/freebsd/crypto/openssl/crypto/x509/x509_vfy.c
@@ -3234,12 +3234,19 @@ static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
EVP_PKEY *pkey = X509_get0_pubkey(cert);
int level = ctx->param->auth_level;
+ /*
+ * At security level zero, return without checking for a supported public
+ * key type. Some engines support key types not understood outside the
+ * engine, and we only need to understand the key when enforcing a security
+ * floor.
+ */
+ if (level <= 0)
+ return 1;
+
/* Unsupported or malformed keys are not secure */
if (pkey == NULL)
return 0;
- if (level <= 0)
- return 1;
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
diff --git a/freebsd/crypto/openssl/crypto/x509/x_crl.c b/freebsd/crypto/openssl/crypto/x509/x_crl.c
index 0f08e66..b986bd7 100644
--- a/freebsd/crypto/openssl/crypto/x509/x_crl.c
+++ b/freebsd/crypto/openssl/crypto/x509/x_crl.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -160,6 +160,18 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
int idx;
switch (operation) {
+ case ASN1_OP_D2I_PRE:
+ if (crl->meth->crl_free) {
+ if (!crl->meth->crl_free(crl))
+ return 0;
+ }
+ AUTHORITY_KEYID_free(crl->akid);
+ ISSUING_DIST_POINT_free(crl->idp);
+ ASN1_INTEGER_free(crl->crl_number);
+ ASN1_INTEGER_free(crl->base_crl_number);
+ sk_GENERAL_NAMES_pop_free(crl->issuers, GENERAL_NAMES_free);
+ /* fall thru */
+
case ASN1_OP_NEW_POST:
crl->idp = NULL;
crl->akid = NULL;
diff --git a/freebsd/crypto/openssl/crypto/x509/x_pubkey.c b/freebsd/crypto/openssl/crypto/x509/x_pubkey.c
index bb85212..d598d56 100644
--- a/freebsd/crypto/openssl/crypto/x509/x_pubkey.c
+++ b/freebsd/crypto/openssl/crypto/x509/x_pubkey.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -38,6 +38,7 @@ static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
/* Attempt to decode public key and cache in pubkey structure. */
X509_PUBKEY *pubkey = (X509_PUBKEY *)*pval;
EVP_PKEY_free(pubkey->pkey);
+ pubkey->pkey = NULL;
/*
* Opportunistically decode the key but remove any non fatal errors
* from the queue. Subsequent explicit attempts to decode/use the key
diff --git a/freebsd/crypto/openssl/crypto/x509/x_x509.c b/freebsd/crypto/openssl/crypto/x509/x_x509.c
index d63d3e8..cffbd44 100644
--- a/freebsd/crypto/openssl/crypto/x509/x_x509.c
+++ b/freebsd/crypto/openssl/crypto/x509/x_x509.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -42,12 +42,35 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
switch (operation) {
+ case ASN1_OP_D2I_PRE:
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
+ X509_CERT_AUX_free(ret->aux);
+ ASN1_OCTET_STRING_free(ret->skid);
+ AUTHORITY_KEYID_free(ret->akid);
+ CRL_DIST_POINTS_free(ret->crldp);
+ policy_cache_free(ret->policy_cache);
+ GENERAL_NAMES_free(ret->altname);
+ NAME_CONSTRAINTS_free(ret->nc);
+#ifndef OPENSSL_NO_RFC3779
+ sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
+ ASIdentifiers_free(ret->rfc3779_asid);
+#endif
+
+ /* fall thru */
+
case ASN1_OP_NEW_POST:
+ ret->ex_cached = 0;
+ ret->ex_kusage = 0;
+ ret->ex_xkusage = 0;
+ ret->ex_nscert = 0;
ret->ex_flags = 0;
ret->ex_pathlen = -1;
ret->ex_pcpathlen = -1;
ret->skid = NULL;
ret->akid = NULL;
+ ret->policy_cache = NULL;
+ ret->altname = NULL;
+ ret->nc = NULL;
#ifndef OPENSSL_NO_RFC3779
ret->rfc3779_addr = NULL;
ret->rfc3779_asid = NULL;
diff --git a/freebsd/crypto/openssl/e_os.h b/freebsd/crypto/openssl/e_os.h
index 5340593..8e6efa9 100644
--- a/freebsd/crypto/openssl/e_os.h
+++ b/freebsd/crypto/openssl/e_os.h
@@ -49,6 +49,7 @@
# define get_last_sys_error() errno
# define clear_sys_error() errno=0
+# define set_sys_error(e) errno=(e)
/********************************************************************
The Microsoft section
@@ -66,8 +67,10 @@
# ifdef WIN32
# undef get_last_sys_error
# undef clear_sys_error
+# undef set_sys_error
# define get_last_sys_error() GetLastError()
# define clear_sys_error() SetLastError(0)
+# define set_sys_error(e) SetLastError(e)
# if !defined(WINNT)
# define WIN_CONSOLE_BUG
# endif
diff --git a/freebsd/crypto/openssl/engines/e_dasync.c b/freebsd/crypto/openssl/engines/e_dasync.c
index e7091b9..ae0ea41 100644
--- a/freebsd/crypto/openssl/engines/e_dasync.c
+++ b/freebsd/crypto/openssl/engines/e_dasync.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -140,7 +140,6 @@ struct dasync_pipeline_ctx {
unsigned char **inbufs;
unsigned char **outbufs;
size_t *lens;
- int enc;
unsigned char tlsaad[SSL_MAX_PIPELINES][EVP_AEAD_TLS1_AAD_LEN];
unsigned int aadctr;
};
@@ -158,6 +157,14 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void)
/*
* Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up
* once only during engine bind and can then be reused many times.
+ *
+ * This 'stitched' cipher depends on the EVP_aes_128_cbc_hmac_sha1() cipher,
+ * which is implemented only if the AES-NI instruction set extension is available
+ * (see OPENSSL_IA32CAP(3)). If that's not the case, then this cipher will not
+ * be available either.
+ *
+ * Note: Since it is a legacy mac-then-encrypt cipher, modern TLS peers (which
+ * negotiate the encrypt-then-mac extension) won't negotiate it anyway.
*/
static EVP_CIPHER *_hidden_aes_128_cbc_hmac_sha1 = NULL;
static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void)
@@ -605,7 +612,7 @@ static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, int type, int arg,
len = p[arg - 2] << 8 | p[arg - 1];
- if (pipe_ctx->enc) {
+ if (EVP_CIPHER_CTX_encrypting(ctx)) {
if ((p[arg - 4] << 8 | p[arg - 3]) >= TLS1_1_VERSION) {
if (len < AES_BLOCK_SIZE)
return 0;
@@ -754,6 +761,10 @@ static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
const unsigned char *iv,
int enc)
{
+ /*
+ * We can safely assume that EVP_aes_128_cbc_hmac_sha1() != NULL,
+ * see comment before the definition of dasync_aes_128_cbc_hmac_sha1().
+ */
return dasync_cipher_init_key_helper(ctx, key, iv, enc,
EVP_aes_128_cbc_hmac_sha1());
}
@@ -768,5 +779,9 @@ static int dasync_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
static int dasync_aes128_cbc_hmac_sha1_cleanup(EVP_CIPHER_CTX *ctx)
{
+ /*
+ * We can safely assume that EVP_aes_128_cbc_hmac_sha1() != NULL,
+ * see comment before the definition of dasync_aes_128_cbc_hmac_sha1().
+ */
return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc_hmac_sha1());
}
diff --git a/freebsd/crypto/openssl/include/internal/conf.h b/freebsd/crypto/openssl/include/internal/conf.h
index dc1e725..29bc9f9 100644
--- a/freebsd/crypto/openssl/include/internal/conf.h
+++ b/freebsd/crypto/openssl/include/internal/conf.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -12,11 +12,18 @@
#include <openssl/conf.h>
+#define DEFAULT_CONF_MFLAGS \
+ (CONF_MFLAGS_DEFAULT_SECTION | \
+ CONF_MFLAGS_IGNORE_MISSING_FILE | \
+ CONF_MFLAGS_IGNORE_RETURN_CODES)
+
struct ossl_init_settings_st {
+ char *filename;
char *appname;
+ unsigned long flags;
};
-void openssl_config_int(const char *appname);
+int openssl_config_int(const OPENSSL_INIT_SETTINGS *);
void openssl_no_config_int(void);
void conf_modules_free_int(void);
diff --git a/freebsd/crypto/openssl/include/internal/constant_time_locl.h b/freebsd/crypto/openssl/include/internal/constant_time_locl.h
index 82ff746..cde30f4 100644
--- a/freebsd/crypto/openssl/include/internal/constant_time_locl.h
+++ b/freebsd/crypto/openssl/include/internal/constant_time_locl.h
@@ -324,4 +324,10 @@ static ossl_inline void constant_time_lookup(void *out,
}
}
+/*
+ * Expected usage pattern is to unconditionally set error and then
+ * wipe it if there was no actual error. |clear| is 1 or 0.
+ */
+void err_clear_last_constant_time(int clear);
+
#endif /* HEADER_CONSTANT_TIME_LOCL_H */
diff --git a/freebsd/crypto/openssl/include/internal/cryptlib.h b/freebsd/crypto/openssl/include/internal/cryptlib.h
index 329ef62..b4d76d5 100644
--- a/freebsd/crypto/openssl/include/internal/cryptlib.h
+++ b/freebsd/crypto/openssl/include/internal/cryptlib.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -92,5 +92,7 @@ void *openssl_fopen(const char *filename, const char *mode);
# endif
uint32_t OPENSSL_rdtsc(void);
+size_t OPENSSL_instrument_bus(unsigned int *, size_t);
+size_t OPENSSL_instrument_bus2(unsigned int *, size_t, size_t);
#endif
diff --git a/freebsd/crypto/openssl/include/internal/sockets.h b/freebsd/crypto/openssl/include/internal/sockets.h
index a6026da..5bb0355 100644
--- a/freebsd/crypto/openssl/include/internal/sockets.h
+++ b/freebsd/crypto/openssl/include/internal/sockets.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -72,11 +72,7 @@ struct servent *PASCAL getservbyname(const char *, const char *);
# else
# include <sys/socket.h>
# ifndef NO_SYS_UN_H
-# ifdef OPENSSL_SYS_VXWORKS
-# include <streams/un.h>
-# else
-# include <sys/un.h>
-# endif
+# include <sys/un.h>
# ifndef UNIX_PATH_MAX
# define UNIX_PATH_MAX sizeof(((struct sockaddr_un *)NULL)->sun_path)
# endif
diff --git a/freebsd/crypto/openssl/include/internal/thread_once.h b/freebsd/crypto/openssl/include/internal/thread_once.h
index 2242443..8a25d04 100644
--- a/freebsd/crypto/openssl/include/internal/thread_once.h
+++ b/freebsd/crypto/openssl/include/internal/thread_once.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,6 +9,20 @@
#include <openssl/crypto.h>
+/*
+ * DEFINE_RUN_ONCE: Define an initialiser function that should be run exactly
+ * once. It takes no arguments and returns and int result (1 for success or
+ * 0 for failure). Typical usage might be:
+ *
+ * DEFINE_RUN_ONCE(myinitfunc)
+ * {
+ * do_some_initialisation();
+ * if (init_is_successful())
+ * return 1;
+ *
+ * return 0;
+ * }
+ */
#define DEFINE_RUN_ONCE(init) \
static int init(void); \
int init##_ossl_ret_ = 0; \
@@ -17,10 +31,30 @@
init##_ossl_ret_ = init(); \
} \
static int init(void)
+
+/*
+ * DECLARE_RUN_ONCE: Declare an initialiser function that should be run exactly
+ * once that has been defined in another file via DEFINE_RUN_ONCE().
+ */
#define DECLARE_RUN_ONCE(init) \
extern int init##_ossl_ret_; \
void init##_ossl_(void);
+/*
+ * DEFINE_RUN_ONCE_STATIC: Define an initialiser function that should be run
+ * exactly once. This function will be declared as static within the file. It
+ * takes no arguments and returns and int result (1 for success or 0 for
+ * failure). Typical usage might be:
+ *
+ * DEFINE_RUN_ONCE_STATIC(myinitfunc)
+ * {
+ * do_some_initialisation();
+ * if (init_is_successful())
+ * return 1;
+ *
+ * return 0;
+ * }
+ */
#define DEFINE_RUN_ONCE_STATIC(init) \
static int init(void); \
static int init##_ossl_ret_ = 0; \
@@ -31,6 +65,46 @@
static int init(void)
/*
+ * DEFINE_RUN_ONCE_STATIC_ALT: Define an alternative initialiser function. This
+ * function will be declared as static within the file. It takes no arguments
+ * and returns an int result (1 for success or 0 for failure). An alternative
+ * initialiser function is expected to be associated with a primary initialiser
+ * function defined via DEFINE_ONCE_STATIC where both functions use the same
+ * CRYPTO_ONCE object to synchronise. Where an alternative initialiser function
+ * is used only one of the primary or the alternative initialiser function will
+ * ever be called - and that function will be called exactly once. Definitition
+ * of an alternative initialiser function MUST occur AFTER the definition of the
+ * primary initialiser function.
+ *
+ * Typical usage might be:
+ *
+ * DEFINE_RUN_ONCE_STATIC(myinitfunc)
+ * {
+ * do_some_initialisation();
+ * if (init_is_successful())
+ * return 1;
+ *
+ * return 0;
+ * }
+ *
+ * DEFINE_RUN_ONCE_STATIC_ALT(myaltinitfunc, myinitfunc)
+ * {
+ * do_some_alternative_initialisation();
+ * if (init_is_successful())
+ * return 1;
+ *
+ * return 0;
+ * }
+ */
+#define DEFINE_RUN_ONCE_STATIC_ALT(initalt, init) \
+ static int initalt(void); \
+ static void initalt##_ossl_(void) \
+ { \
+ init##_ossl_ret_ = initalt(); \
+ } \
+ static int initalt(void)
+
+/*
* RUN_ONCE - use CRYPTO_THREAD_run_once, and check if the init succeeded
* @once: pointer to static object of type CRYPTO_ONCE
* @init: function name that was previously given to DEFINE_RUN_ONCE,
@@ -43,3 +117,21 @@
*/
#define RUN_ONCE(once, init) \
(CRYPTO_THREAD_run_once(once, init##_ossl_) ? init##_ossl_ret_ : 0)
+
+/*
+ * RUN_ONCE_ALT - use CRYPTO_THREAD_run_once, to run an alternative initialiser
+ * function and check if that initialisation succeeded
+ * @once: pointer to static object of type CRYPTO_ONCE
+ * @initalt: alternative initialiser function name that was previously given to
+ * DEFINE_RUN_ONCE_STATIC_ALT. This function must return 1 for
+ * success or 0 for failure.
+ * @init: primary initialiser function name that was previously given to
+ * DEFINE_RUN_ONCE_STATIC. This function must return 1 for success or
+ * 0 for failure.
+ *
+ * The return value is 1 on success (*) or 0 in case of error.
+ *
+ * (*) by convention, since the init function must return 1 on success.
+ */
+#define RUN_ONCE_ALT(once, initalt, init) \
+ (CRYPTO_THREAD_run_once(once, initalt##_ossl_) ? init##_ossl_ret_ : 0)
diff --git a/freebsd/crypto/openssl/include/internal/tsan_assist.h b/freebsd/crypto/openssl/include/internal/tsan_assist.h
index f30ffe3..38ba0c7 100644
--- a/freebsd/crypto/openssl/include/internal/tsan_assist.h
+++ b/freebsd/crypto/openssl/include/internal/tsan_assist.h
@@ -1,12 +1,12 @@
/*
- * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
-
+
/*
* Contemporary compilers implement lock-free atomic memory access
* primitives that facilitate writing "thread-opportunistic" or even real
diff --git a/freebsd/crypto/openssl/include/openssl/crypto.h b/freebsd/crypto/openssl/include/openssl/crypto.h
index 7e50b1b..7d0b526 100644
--- a/freebsd/crypto/openssl/include/openssl/crypto.h
+++ b/freebsd/crypto/openssl/include/openssl/crypto.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -109,13 +109,8 @@ DEFINE_STACK_OF(void)
# define CRYPTO_EX_INDEX_DRBG 15
# define CRYPTO_EX_INDEX__COUNT 16
-/*
- * This is the default callbacks, but we can have others as well: this is
- * needed in Win32 where the application malloc and the library malloc may
- * not be the same.
- */
-#define OPENSSL_malloc_init() \
- CRYPTO_set_mem_functions(CRYPTO_malloc, CRYPTO_realloc, CRYPTO_free)
+/* No longer needed, so this is a no-op */
+#define OPENSSL_malloc_init() while(0) continue
int CRYPTO_mem_ctrl(int mode);
@@ -377,6 +372,7 @@ int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len);
/* OPENSSL_INIT_ZLIB 0x00010000L */
# define OPENSSL_INIT_ATFORK 0x00020000L
/* OPENSSL_INIT_BASE_ONLY 0x00040000L */
+# define OPENSSL_INIT_NO_ATEXIT 0x00080000L
/* OPENSSL_INIT flag range 0xfff00000 reserved for OPENSSL_init_ssl() */
/* Max OPENSSL_INIT flag value is 0x80000000 */
@@ -396,8 +392,12 @@ void OPENSSL_thread_stop(void);
/* Low-level control of initialization */
OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void);
# ifndef OPENSSL_NO_STDIO
+int OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings,
+ const char *config_filename);
+void OPENSSL_INIT_set_config_file_flags(OPENSSL_INIT_SETTINGS *settings,
+ unsigned long flags);
int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
- const char *config_file);
+ const char *config_appname);
# endif
void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings);
diff --git a/freebsd/crypto/openssl/include/openssl/e_os2.h b/freebsd/crypto/openssl/include/openssl/e_os2.h
index eeae215..97a776c 100644
--- a/freebsd/crypto/openssl/include/openssl/e_os2.h
+++ b/freebsd/crypto/openssl/include/openssl/e_os2.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -287,6 +287,13 @@ typedef unsigned __int64 uint64_t;
# define ossl_noreturn
# endif
+/* ossl_unused: portable unused attribute for use in public headers */
+# if defined(__GNUC__)
+# define ossl_unused __attribute__((unused))
+# else
+# define ossl_unused
+# endif
+
#ifdef __cplusplus
}
#endif
diff --git a/freebsd/crypto/openssl/include/openssl/ecerr.h b/freebsd/crypto/openssl/include/openssl/ecerr.h
index 8d42938..be313d2 100644
--- a/freebsd/crypto/openssl/include/openssl/ecerr.h
+++ b/freebsd/crypto/openssl/include/openssl/ecerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -62,6 +62,7 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_ASN1_GROUP2CURVE 153
# define EC_F_EC_ASN1_GROUP2FIELDID 154
# define EC_F_EC_GF2M_MONTGOMERY_POINT_MULTIPLY 208
+# define EC_F_EC_GF2M_SIMPLE_FIELD_INV 296
# define EC_F_EC_GF2M_SIMPLE_GROUP_CHECK_DISCRIMINANT 159
# define EC_F_EC_GF2M_SIMPLE_GROUP_SET_CURVE 195
# define EC_F_EC_GF2M_SIMPLE_LADDER_POST 285
@@ -74,6 +75,7 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_GF2M_SIMPLE_SET_COMPRESSED_COORDINATES 164
# define EC_F_EC_GFP_MONT_FIELD_DECODE 133
# define EC_F_EC_GFP_MONT_FIELD_ENCODE 134
+# define EC_F_EC_GFP_MONT_FIELD_INV 297
# define EC_F_EC_GFP_MONT_FIELD_MUL 131
# define EC_F_EC_GFP_MONT_FIELD_SET_TO_ONE 209
# define EC_F_EC_GFP_MONT_FIELD_SQR 132
@@ -91,6 +93,7 @@ int ERR_load_EC_strings(void);
# define EC_F_EC_GFP_NIST_FIELD_SQR 201
# define EC_F_EC_GFP_NIST_GROUP_SET_CURVE 202
# define EC_F_EC_GFP_SIMPLE_BLIND_COORDINATES 287
+# define EC_F_EC_GFP_SIMPLE_FIELD_INV 298
# define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT 165
# define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE 166
# define EC_F_EC_GFP_SIMPLE_MAKE_AFFINE 102
@@ -202,6 +205,7 @@ int ERR_load_EC_strings(void);
# define EC_R_BAD_SIGNATURE 156
# define EC_R_BIGNUM_OUT_OF_RANGE 144
# define EC_R_BUFFER_TOO_SMALL 100
+# define EC_R_CANNOT_INVERT 165
# define EC_R_COORDINATES_OUT_OF_RANGE 146
# define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH 160
# define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING 159
diff --git a/freebsd/crypto/openssl/include/openssl/evp.h b/freebsd/crypto/openssl/include/openssl/evp.h
index 8c80519..9f05b5a 100644
--- a/freebsd/crypto/openssl/include/openssl/evp.h
+++ b/freebsd/crypto/openssl/include/openssl/evp.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -945,14 +945,9 @@ const EVP_CIPHER *EVP_sm4_ctr(void);
| OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)
# ifdef OPENSSL_LOAD_CONF
-# define OpenSSL_add_all_algorithms() \
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
- | OPENSSL_INIT_ADD_ALL_DIGESTS \
- | OPENSSL_INIT_LOAD_CONFIG, NULL)
+# define OpenSSL_add_all_algorithms() OPENSSL_add_all_algorithms_conf()
# else
-# define OpenSSL_add_all_algorithms() \
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
- | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)
+# define OpenSSL_add_all_algorithms() OPENSSL_add_all_algorithms_noconf()
# endif
# define OpenSSL_add_all_ciphers() \
@@ -994,7 +989,7 @@ int EVP_PKEY_id(const EVP_PKEY *pkey);
int EVP_PKEY_base_id(const EVP_PKEY *pkey);
int EVP_PKEY_bits(const EVP_PKEY *pkey);
int EVP_PKEY_security_bits(const EVP_PKEY *pkey);
-int EVP_PKEY_size(EVP_PKEY *pkey);
+int EVP_PKEY_size(const EVP_PKEY *pkey);
int EVP_PKEY_set_type(EVP_PKEY *pkey, int type);
int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len);
int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type);
diff --git a/freebsd/crypto/openssl/include/openssl/evperr.h b/freebsd/crypto/openssl/include/openssl/evperr.h
index 3484fa8..84f03eb 100644
--- a/freebsd/crypto/openssl/include/openssl/evperr.h
+++ b/freebsd/crypto/openssl/include/openssl/evperr.h
@@ -47,6 +47,7 @@ int ERR_load_EVP_strings(void);
# define EVP_F_EVP_DECRYPTUPDATE 166
# define EVP_F_EVP_DIGESTFINALXOF 174
# define EVP_F_EVP_DIGESTINIT_EX 128
+# define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
# define EVP_F_EVP_ENCRYPTFINAL_EX 127
# define EVP_F_EVP_ENCRYPTUPDATE 167
# define EVP_F_EVP_MD_CTX_COPY_EX 110
diff --git a/freebsd/crypto/openssl/include/openssl/lhash.h b/freebsd/crypto/openssl/include/openssl/lhash.h
index 88d7d97..47b99d1 100644
--- a/freebsd/crypto/openssl/include/openssl/lhash.h
+++ b/freebsd/crypto/openssl/include/openssl/lhash.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -127,52 +127,52 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
return (LHASH_OF(type) *) \
OPENSSL_LH_new((OPENSSL_LH_HASHFUNC)hfn, (OPENSSL_LH_COMPFUNC)cfn); \
} \
- static ossl_inline void lh_##type##_free(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline void lh_##type##_free(LHASH_OF(type) *lh) \
{ \
OPENSSL_LH_free((OPENSSL_LHASH *)lh); \
} \
- static ossl_inline type *lh_##type##_insert(LHASH_OF(type) *lh, type *d) \
+ static ossl_unused ossl_inline type *lh_##type##_insert(LHASH_OF(type) *lh, type *d) \
{ \
return (type *)OPENSSL_LH_insert((OPENSSL_LHASH *)lh, d); \
} \
- static ossl_inline type *lh_##type##_delete(LHASH_OF(type) *lh, const type *d) \
+ static ossl_unused ossl_inline type *lh_##type##_delete(LHASH_OF(type) *lh, const type *d) \
{ \
return (type *)OPENSSL_LH_delete((OPENSSL_LHASH *)lh, d); \
} \
- static ossl_inline type *lh_##type##_retrieve(LHASH_OF(type) *lh, const type *d) \
+ static ossl_unused ossl_inline type *lh_##type##_retrieve(LHASH_OF(type) *lh, const type *d) \
{ \
return (type *)OPENSSL_LH_retrieve((OPENSSL_LHASH *)lh, d); \
} \
- static ossl_inline int lh_##type##_error(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline int lh_##type##_error(LHASH_OF(type) *lh) \
{ \
return OPENSSL_LH_error((OPENSSL_LHASH *)lh); \
} \
- static ossl_inline unsigned long lh_##type##_num_items(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline unsigned long lh_##type##_num_items(LHASH_OF(type) *lh) \
{ \
return OPENSSL_LH_num_items((OPENSSL_LHASH *)lh); \
} \
- static ossl_inline void lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
+ static ossl_unused ossl_inline void lh_##type##_node_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
{ \
OPENSSL_LH_node_stats_bio((const OPENSSL_LHASH *)lh, out); \
} \
- static ossl_inline void lh_##type##_node_usage_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
+ static ossl_unused ossl_inline void lh_##type##_node_usage_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
{ \
OPENSSL_LH_node_usage_stats_bio((const OPENSSL_LHASH *)lh, out); \
} \
- static ossl_inline void lh_##type##_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
+ static ossl_unused ossl_inline void lh_##type##_stats_bio(const LHASH_OF(type) *lh, BIO *out) \
{ \
OPENSSL_LH_stats_bio((const OPENSSL_LHASH *)lh, out); \
} \
- static ossl_inline unsigned long lh_##type##_get_down_load(LHASH_OF(type) *lh) \
+ static ossl_unused ossl_inline unsigned long lh_##type##_get_down_load(LHASH_OF(type) *lh) \
{ \
return OPENSSL_LH_get_down_load((OPENSSL_LHASH *)lh); \
} \
- static ossl_inline void lh_##type##_set_down_load(LHASH_OF(type) *lh, unsigned long dl) \
+ static ossl_unused ossl_inline void lh_##type##_set_down_load(LHASH_OF(type) *lh, unsigned long dl) \
{ \
OPENSSL_LH_set_down_load((OPENSSL_LHASH *)lh, dl); \
} \
- static ossl_inline void lh_##type##_doall(LHASH_OF(type) *lh, \
- void (*doall)(type *)) \
+ static ossl_unused ossl_inline void lh_##type##_doall(LHASH_OF(type) *lh, \
+ void (*doall)(type *)) \
{ \
OPENSSL_LH_doall((OPENSSL_LHASH *)lh, (OPENSSL_LH_DOALL_FUNC)doall); \
} \
@@ -185,7 +185,7 @@ void OPENSSL_LH_node_usage_stats_bio(const OPENSSL_LHASH *lh, BIO *out);
int_implement_lhash_doall(type, argtype, type)
#define int_implement_lhash_doall(type, argtype, cbargtype) \
- static ossl_inline void \
+ static ossl_unused ossl_inline void \
lh_##type##_doall_##argtype(LHASH_OF(type) *lh, \
void (*fn)(cbargtype *, argtype *), \
argtype *arg) \
@@ -210,6 +210,31 @@ DEFINE_LHASH_OF(OPENSSL_CSTRING);
# pragma warning (pop)
# endif
+/*
+ * If called without higher optimization (min. -xO3) the Oracle Developer
+ * Studio compiler generates code for the defined (static inline) functions
+ * above.
+ * This would later lead to the linker complaining about missing symbols when
+ * this header file is included but the resulting object is not linked against
+ * the Crypto library (openssl#6912).
+ */
+# ifdef __SUNPRO_C
+# pragma weak OPENSSL_LH_new
+# pragma weak OPENSSL_LH_free
+# pragma weak OPENSSL_LH_insert
+# pragma weak OPENSSL_LH_delete
+# pragma weak OPENSSL_LH_retrieve
+# pragma weak OPENSSL_LH_error
+# pragma weak OPENSSL_LH_num_items
+# pragma weak OPENSSL_LH_node_stats_bio
+# pragma weak OPENSSL_LH_node_usage_stats_bio
+# pragma weak OPENSSL_LH_stats_bio
+# pragma weak OPENSSL_LH_get_down_load
+# pragma weak OPENSSL_LH_set_down_load
+# pragma weak OPENSSL_LH_doall
+# pragma weak OPENSSL_LH_doall_arg
+# endif /* __SUNPRO_C */
+
#ifdef __cplusplus
}
#endif
diff --git a/freebsd/crypto/openssl/include/openssl/obj_mac.h b/freebsd/crypto/openssl/include/openssl/obj_mac.h
index 80ff5a7..31fad46 100644
--- a/freebsd/crypto/openssl/include/openssl/obj_mac.h
+++ b/freebsd/crypto/openssl/include/openssl/obj_mac.h
@@ -2,7 +2,7 @@
* WARNING: do not edit!
* Generated by crypto/objects/objects.pl
*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
diff --git a/freebsd/crypto/openssl/include/openssl/opensslv.h b/freebsd/crypto/openssl/include/openssl/opensslv.h
index e879031..e1e4f22 100644
--- a/freebsd/crypto/openssl/include/openssl/opensslv.h
+++ b/freebsd/crypto/openssl/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010101fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1a-freebsd 20 Nov 2018"
+# define OPENSSL_VERSION_NUMBER 0x1010102fL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1b-freebsd 26 Feb 2019"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/freebsd/crypto/openssl/include/openssl/safestack.h b/freebsd/crypto/openssl/include/openssl/safestack.h
index 7438b19..38b5578 100644
--- a/freebsd/crypto/openssl/include/openssl/safestack.h
+++ b/freebsd/crypto/openssl/include/openssl/safestack.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -24,96 +24,96 @@ extern "C" {
typedef int (*sk_##t1##_compfunc)(const t3 * const *a, const t3 *const *b); \
typedef void (*sk_##t1##_freefunc)(t3 *a); \
typedef t3 * (*sk_##t1##_copyfunc)(const t3 *a); \
- static ossl_inline int sk_##t1##_num(const STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline int sk_##t1##_num(const STACK_OF(t1) *sk) \
{ \
return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \
} \
- static ossl_inline t2 *sk_##t1##_value(const STACK_OF(t1) *sk, int idx) \
+ static ossl_unused ossl_inline t2 *sk_##t1##_value(const STACK_OF(t1) *sk, int idx) \
{ \
return (t2 *)OPENSSL_sk_value((const OPENSSL_STACK *)sk, idx); \
} \
- static ossl_inline STACK_OF(t1) *sk_##t1##_new(sk_##t1##_compfunc compare) \
+ static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new(sk_##t1##_compfunc compare) \
{ \
return (STACK_OF(t1) *)OPENSSL_sk_new((OPENSSL_sk_compfunc)compare); \
} \
- static ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \
+ static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \
{ \
return (STACK_OF(t1) *)OPENSSL_sk_new_null(); \
} \
- static ossl_inline STACK_OF(t1) *sk_##t1##_new_reserve(sk_##t1##_compfunc compare, int n) \
+ static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_reserve(sk_##t1##_compfunc compare, int n) \
{ \
return (STACK_OF(t1) *)OPENSSL_sk_new_reserve((OPENSSL_sk_compfunc)compare, n); \
} \
- static ossl_inline int sk_##t1##_reserve(STACK_OF(t1) *sk, int n) \
+ static ossl_unused ossl_inline int sk_##t1##_reserve(STACK_OF(t1) *sk, int n) \
{ \
return OPENSSL_sk_reserve((OPENSSL_STACK *)sk, n); \
} \
- static ossl_inline void sk_##t1##_free(STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline void sk_##t1##_free(STACK_OF(t1) *sk) \
{ \
OPENSSL_sk_free((OPENSSL_STACK *)sk); \
} \
- static ossl_inline void sk_##t1##_zero(STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline void sk_##t1##_zero(STACK_OF(t1) *sk) \
{ \
OPENSSL_sk_zero((OPENSSL_STACK *)sk); \
} \
- static ossl_inline t2 *sk_##t1##_delete(STACK_OF(t1) *sk, int i) \
+ static ossl_unused ossl_inline t2 *sk_##t1##_delete(STACK_OF(t1) *sk, int i) \
{ \
return (t2 *)OPENSSL_sk_delete((OPENSSL_STACK *)sk, i); \
} \
- static ossl_inline t2 *sk_##t1##_delete_ptr(STACK_OF(t1) *sk, t2 *ptr) \
+ static ossl_unused ossl_inline t2 *sk_##t1##_delete_ptr(STACK_OF(t1) *sk, t2 *ptr) \
{ \
return (t2 *)OPENSSL_sk_delete_ptr((OPENSSL_STACK *)sk, \
(const void *)ptr); \
} \
- static ossl_inline int sk_##t1##_push(STACK_OF(t1) *sk, t2 *ptr) \
+ static ossl_unused ossl_inline int sk_##t1##_push(STACK_OF(t1) *sk, t2 *ptr) \
{ \
return OPENSSL_sk_push((OPENSSL_STACK *)sk, (const void *)ptr); \
} \
- static ossl_inline int sk_##t1##_unshift(STACK_OF(t1) *sk, t2 *ptr) \
+ static ossl_unused ossl_inline int sk_##t1##_unshift(STACK_OF(t1) *sk, t2 *ptr) \
{ \
return OPENSSL_sk_unshift((OPENSSL_STACK *)sk, (const void *)ptr); \
} \
- static ossl_inline t2 *sk_##t1##_pop(STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline t2 *sk_##t1##_pop(STACK_OF(t1) *sk) \
{ \
return (t2 *)OPENSSL_sk_pop((OPENSSL_STACK *)sk); \
} \
- static ossl_inline t2 *sk_##t1##_shift(STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline t2 *sk_##t1##_shift(STACK_OF(t1) *sk) \
{ \
return (t2 *)OPENSSL_sk_shift((OPENSSL_STACK *)sk); \
} \
- static ossl_inline void sk_##t1##_pop_free(STACK_OF(t1) *sk, sk_##t1##_freefunc freefunc) \
+ static ossl_unused ossl_inline void sk_##t1##_pop_free(STACK_OF(t1) *sk, sk_##t1##_freefunc freefunc) \
{ \
OPENSSL_sk_pop_free((OPENSSL_STACK *)sk, (OPENSSL_sk_freefunc)freefunc); \
} \
- static ossl_inline int sk_##t1##_insert(STACK_OF(t1) *sk, t2 *ptr, int idx) \
+ static ossl_unused ossl_inline int sk_##t1##_insert(STACK_OF(t1) *sk, t2 *ptr, int idx) \
{ \
return OPENSSL_sk_insert((OPENSSL_STACK *)sk, (const void *)ptr, idx); \
} \
- static ossl_inline t2 *sk_##t1##_set(STACK_OF(t1) *sk, int idx, t2 *ptr) \
+ static ossl_unused ossl_inline t2 *sk_##t1##_set(STACK_OF(t1) *sk, int idx, t2 *ptr) \
{ \
return (t2 *)OPENSSL_sk_set((OPENSSL_STACK *)sk, idx, (const void *)ptr); \
} \
- static ossl_inline int sk_##t1##_find(STACK_OF(t1) *sk, t2 *ptr) \
+ static ossl_unused ossl_inline int sk_##t1##_find(STACK_OF(t1) *sk, t2 *ptr) \
{ \
return OPENSSL_sk_find((OPENSSL_STACK *)sk, (const void *)ptr); \
} \
- static ossl_inline int sk_##t1##_find_ex(STACK_OF(t1) *sk, t2 *ptr) \
+ static ossl_unused ossl_inline int sk_##t1##_find_ex(STACK_OF(t1) *sk, t2 *ptr) \
{ \
return OPENSSL_sk_find_ex((OPENSSL_STACK *)sk, (const void *)ptr); \
} \
- static ossl_inline void sk_##t1##_sort(STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline void sk_##t1##_sort(STACK_OF(t1) *sk) \
{ \
OPENSSL_sk_sort((OPENSSL_STACK *)sk); \
} \
- static ossl_inline int sk_##t1##_is_sorted(const STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline int sk_##t1##_is_sorted(const STACK_OF(t1) *sk) \
{ \
return OPENSSL_sk_is_sorted((const OPENSSL_STACK *)sk); \
} \
- static ossl_inline STACK_OF(t1) * sk_##t1##_dup(const STACK_OF(t1) *sk) \
+ static ossl_unused ossl_inline STACK_OF(t1) * sk_##t1##_dup(const STACK_OF(t1) *sk) \
{ \
return (STACK_OF(t1) *)OPENSSL_sk_dup((const OPENSSL_STACK *)sk); \
} \
- static ossl_inline STACK_OF(t1) *sk_##t1##_deep_copy(const STACK_OF(t1) *sk, \
+ static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_deep_copy(const STACK_OF(t1) *sk, \
sk_##t1##_copyfunc copyfunc, \
sk_##t1##_freefunc freefunc) \
{ \
@@ -121,7 +121,7 @@ extern "C" {
(OPENSSL_sk_copyfunc)copyfunc, \
(OPENSSL_sk_freefunc)freefunc); \
} \
- static ossl_inline sk_##t1##_compfunc sk_##t1##_set_cmp_func(STACK_OF(t1) *sk, sk_##t1##_compfunc compare) \
+ static ossl_unused ossl_inline sk_##t1##_compfunc sk_##t1##_set_cmp_func(STACK_OF(t1) *sk, sk_##t1##_compfunc compare) \
{ \
return (sk_##t1##_compfunc)OPENSSL_sk_set_cmp_func((OPENSSL_STACK *)sk, (OPENSSL_sk_compfunc)compare); \
}
@@ -166,6 +166,41 @@ DEFINE_SPECIAL_STACK_OF_CONST(OPENSSL_CSTRING, char)
typedef void *OPENSSL_BLOCK;
DEFINE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
+/*
+ * If called without higher optimization (min. -xO3) the Oracle Developer
+ * Studio compiler generates code for the defined (static inline) functions
+ * above.
+ * This would later lead to the linker complaining about missing symbols when
+ * this header file is included but the resulting object is not linked against
+ * the Crypto library (openssl#6912).
+ */
+# ifdef __SUNPRO_C
+# pragma weak OPENSSL_sk_num
+# pragma weak OPENSSL_sk_value
+# pragma weak OPENSSL_sk_new
+# pragma weak OPENSSL_sk_new_null
+# pragma weak OPENSSL_sk_new_reserve
+# pragma weak OPENSSL_sk_reserve
+# pragma weak OPENSSL_sk_free
+# pragma weak OPENSSL_sk_zero
+# pragma weak OPENSSL_sk_delete
+# pragma weak OPENSSL_sk_delete_ptr
+# pragma weak OPENSSL_sk_push
+# pragma weak OPENSSL_sk_unshift
+# pragma weak OPENSSL_sk_pop
+# pragma weak OPENSSL_sk_shift
+# pragma weak OPENSSL_sk_pop_free
+# pragma weak OPENSSL_sk_insert
+# pragma weak OPENSSL_sk_set
+# pragma weak OPENSSL_sk_find
+# pragma weak OPENSSL_sk_find_ex
+# pragma weak OPENSSL_sk_sort
+# pragma weak OPENSSL_sk_is_sorted
+# pragma weak OPENSSL_sk_dup
+# pragma weak OPENSSL_sk_deep_copy
+# pragma weak OPENSSL_sk_set_cmp_func
+# endif /* __SUNPRO_C */
+
# ifdef __cplusplus
}
# endif
diff --git a/freebsd/crypto/openssl/include/openssl/ssl.h b/freebsd/crypto/openssl/include/openssl/ssl.h
index d6b1b4e..48e1152 100644
--- a/freebsd/crypto/openssl/include/openssl/ssl.h
+++ b/freebsd/crypto/openssl/include/openssl/ssl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -494,6 +494,19 @@ typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
*/
# define SSL_MODE_ASYNC 0x00000100U
+/*
+ * When using DTLS/SCTP, include the terminating zero in the label
+ * used for computing the endpoint-pair shared secret. Required for
+ * interoperability with implementations having this bug like these
+ * older version of OpenSSL:
+ * - OpenSSL 1.0.0 series
+ * - OpenSSL 1.0.1 series
+ * - OpenSSL 1.0.2 series
+ * - OpenSSL 1.1.0 series
+ * - OpenSSL 1.1.1 and 1.1.1a
+ */
+# define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U
+
/* Cert related flags */
/*
* Many implementations ignore some aspects of the TLS standards such as
@@ -1904,17 +1917,17 @@ __owur STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
__owur int SSL_do_handshake(SSL *s);
int SSL_key_update(SSL *s, int updatetype);
-int SSL_get_key_update_type(SSL *s);
+int SSL_get_key_update_type(const SSL *s);
int SSL_renegotiate(SSL *s);
int SSL_renegotiate_abbreviated(SSL *s);
-__owur int SSL_renegotiate_pending(SSL *s);
+__owur int SSL_renegotiate_pending(const SSL *s);
int SSL_shutdown(SSL *s);
__owur int SSL_verify_client_post_handshake(SSL *s);
void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
void SSL_set_post_handshake_auth(SSL *s, int val);
-__owur const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx);
-__owur const SSL_METHOD *SSL_get_ssl_method(SSL *s);
+__owur const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx);
+__owur const SSL_METHOD *SSL_get_ssl_method(const SSL *s);
__owur int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
__owur const char *SSL_alert_type_string_long(int value);
__owur const char *SSL_alert_type_string(int value);
@@ -2062,8 +2075,8 @@ void SSL_set_tmp_dh_callback(SSL *ssl,
int keylength));
# endif
-__owur const COMP_METHOD *SSL_get_current_compression(SSL *s);
-__owur const COMP_METHOD *SSL_get_current_expansion(SSL *s);
+__owur const COMP_METHOD *SSL_get_current_compression(const SSL *s);
+__owur const COMP_METHOD *SSL_get_current_expansion(const SSL *s);
__owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
__owur const char *SSL_COMP_get0_name(const SSL_COMP *comp);
__owur int SSL_COMP_get_id(const SSL_COMP *comp);
@@ -2107,20 +2120,20 @@ void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
size_t (*cb) (SSL *ssl, int type,
size_t len, void *arg));
void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
-void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx);
+void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx);
int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
void SSL_set_record_padding_callback(SSL *ssl,
size_t (*cb) (SSL *ssl, int type,
size_t len, void *arg));
void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg);
-void *SSL_get_record_padding_callback_arg(SSL *ssl);
+void *SSL_get_record_padding_callback_arg(const SSL *ssl);
int SSL_set_block_padding(SSL *ssl, size_t block_size);
int SSL_set_num_tickets(SSL *s, size_t num_tickets);
-size_t SSL_get_num_tickets(SSL *s);
+size_t SSL_get_num_tickets(const SSL *s);
int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
-size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx);
+size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
# if OPENSSL_API_COMPAT < 0x10100000L
# define SSL_cache_hit(s) SSL_session_reused(s)
diff --git a/freebsd/crypto/openssl/include/openssl/sslerr.h b/freebsd/crypto/openssl/include/openssl/sslerr.h
index 87b295c..a50a075 100644
--- a/freebsd/crypto/openssl/include/openssl/sslerr.h
+++ b/freebsd/crypto/openssl/include/openssl/sslerr.h
@@ -1,6 +1,6 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -596,6 +596,7 @@ int ERR_load_SSL_strings(void);
# define SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION 209
# define SSL_R_MISSING_TMP_DH_KEY 171
# define SSL_R_MISSING_TMP_ECDH_KEY 311
+# define SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA 293
# define SSL_R_NOT_ON_RECORD_BOUNDARY 182
# define SSL_R_NOT_REPLACING_CERTIFICATE 289
# define SSL_R_NOT_SERVER 284
diff --git a/freebsd/crypto/openssl/include/openssl/x509_vfy.h b/freebsd/crypto/openssl/include/openssl/x509_vfy.h
index 2adb155..adb8bce 100644
--- a/freebsd/crypto/openssl/include/openssl/x509_vfy.h
+++ b/freebsd/crypto/openssl/include/openssl/x509_vfy.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -362,7 +362,11 @@ X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
# define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted
# define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack
# define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject
+# define X509_STORE_get1_certs X509_STORE_CTX_get1_certs
+# define X509_STORE_get1_crls X509_STORE_CTX_get1_crls
+/* the following macro is misspelled; use X509_STORE_get1_certs instead */
# define X509_STORE_get1_cert X509_STORE_CTX_get1_certs
+/* the following macro is misspelled; use X509_STORE_get1_crls instead */
# define X509_STORE_get1_crl X509_STORE_CTX_get1_crls
#endif
diff --git a/freebsd/crypto/openssl/ssl/record/rec_layer_d1.c b/freebsd/crypto/openssl/ssl/record/rec_layer_d1.c
index ff3d01a..20b6dbd 100644
--- a/freebsd/crypto/openssl/ssl/record/rec_layer_d1.c
+++ b/freebsd/crypto/openssl/ssl/record/rec_layer_d1.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -442,19 +442,6 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
&& SSL3_RECORD_get_length(rr) != 0)
s->rlayer.alert_count = 0;
- if (SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE
- && SSL3_RECORD_get_type(rr) != SSL3_RT_CHANGE_CIPHER_SPEC
- && !SSL_in_init(s)
- && (s->d1->next_timeout.tv_sec != 0
- || s->d1->next_timeout.tv_usec != 0)) {
- /*
- * The timer is still running but we've received something that isn't
- * handshake data - so the peer must have finished processing our
- * last handshake flight. Stop the timer.
- */
- dtls1_stop_timer(s);
- }
-
/* we now have a packet which can be read and processed */
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
diff --git a/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c b/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c
index fdc374a..6b63d21 100644
--- a/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c
+++ b/freebsd/crypto/openssl/ssl/record/rec_layer_s3.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -1317,6 +1317,14 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
} while (num_recs == 0);
rr = &rr[curr_rec];
+ if (s->rlayer.handshake_fragment_len > 0
+ && SSL3_RECORD_get_type(rr) != SSL3_RT_HANDSHAKE
+ && SSL_IS_TLS13(s)) {
+ SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_SSL3_READ_BYTES,
+ SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA);
+ return -1;
+ }
+
/*
* Reset the count of consecutive warning alerts if we've got a non-empty
* record that isn't an alert.
diff --git a/freebsd/crypto/openssl/ssl/s3_enc.c b/freebsd/crypto/openssl/ssl/s3_enc.c
index baaec95..ff0c445 100644
--- a/freebsd/crypto/openssl/ssl/s3_enc.c
+++ b/freebsd/crypto/openssl/ssl/s3_enc.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -92,8 +92,6 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
int ssl3_change_cipher_state(SSL *s, int which)
{
unsigned char *p, *mac_secret;
- unsigned char exp_key[EVP_MAX_KEY_LENGTH];
- unsigned char exp_iv[EVP_MAX_IV_LENGTH];
unsigned char *ms, *key, *iv;
EVP_CIPHER_CTX *dd;
const EVP_CIPHER *c;
@@ -241,12 +239,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
}
s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
- OPENSSL_cleanse(exp_key, sizeof(exp_key));
- OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
return 1;
err:
- OPENSSL_cleanse(exp_key, sizeof(exp_key));
- OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
return 0;
}
diff --git a/freebsd/crypto/openssl/ssl/s3_lib.c b/freebsd/crypto/openssl/ssl/s3_lib.c
index e1a10f0..02e1236 100644
--- a/freebsd/crypto/openssl/ssl/s3_lib.c
+++ b/freebsd/crypto/openssl/ssl/s3_lib.c
@@ -3783,7 +3783,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
EVP_PKEY_free(pkdh);
- return 1;
+ return 0;
}
EVP_PKEY_free(ctx->cert->dh_tmp);
ctx->cert->dh_tmp = pkdh;
diff --git a/freebsd/crypto/openssl/ssl/ssl_ciph.c b/freebsd/crypto/openssl/ssl/ssl_ciph.c
index 1b1fd6d..9328d54 100644
--- a/freebsd/crypto/openssl/ssl/ssl_ciph.c
+++ b/freebsd/crypto/openssl/ssl/ssl_ciph.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -173,6 +173,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, NID_undef,
/* GOST2012_512 */
EVP_PKEY_HMAC,
+ /* MD5/SHA1, SHA224, SHA512 */
+ NID_undef, NID_undef, NID_undef
};
static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
diff --git a/freebsd/crypto/openssl/ssl/ssl_err.c b/freebsd/crypto/openssl/ssl/ssl_err.c
index 265b155..5c0cd06 100644
--- a/freebsd/crypto/openssl/ssl/ssl_err.c
+++ b/freebsd/crypto/openssl/ssl/ssl_err.c
@@ -2,7 +2,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -967,6 +967,8 @@ static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_DH_KEY), "missing tmp dh key"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MISSING_TMP_ECDH_KEY),
"missing tmp ecdh key"},
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA),
+ "mixed handshake and non handshake data"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_ON_RECORD_BOUNDARY),
"not on record boundary"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_NOT_REPLACING_CERTIFICATE),
diff --git a/freebsd/crypto/openssl/ssl/ssl_init.c b/freebsd/crypto/openssl/ssl/ssl_init.c
index cd1bfec..251b048 100644
--- a/freebsd/crypto/openssl/ssl/ssl_init.c
+++ b/freebsd/crypto/openssl/ssl/ssl_init.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -140,7 +140,8 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_load_ssl_strings)
return 1;
}
-DEFINE_RUN_ONCE_STATIC(ossl_init_no_load_ssl_strings)
+DEFINE_RUN_ONCE_STATIC_ALT(ossl_init_no_load_ssl_strings,
+ ossl_init_load_ssl_strings)
{
/* Do nothing in this case */
return 1;
@@ -202,20 +203,22 @@ int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS * settings)
return 0;
}
- if (!OPENSSL_init_crypto(opts
+ opts |= OPENSSL_INIT_ADD_ALL_CIPHERS
+ | OPENSSL_INIT_ADD_ALL_DIGESTS;
#ifndef OPENSSL_NO_AUTOLOAD_CONFIG
- | OPENSSL_INIT_LOAD_CONFIG
+ if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG) == 0)
+ opts |= OPENSSL_INIT_LOAD_CONFIG;
#endif
- | OPENSSL_INIT_ADD_ALL_CIPHERS
- | OPENSSL_INIT_ADD_ALL_DIGESTS,
- settings))
+
+ if (!OPENSSL_init_crypto(opts, settings))
return 0;
if (!RUN_ONCE(&ssl_base, ossl_init_ssl_base))
return 0;
if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS)
- && !RUN_ONCE(&ssl_strings, ossl_init_no_load_ssl_strings))
+ && !RUN_ONCE_ALT(&ssl_strings, ossl_init_no_load_ssl_strings,
+ ossl_init_load_ssl_strings))
return 0;
if ((opts & OPENSSL_INIT_LOAD_SSL_STRINGS)
diff --git a/freebsd/crypto/openssl/ssl/ssl_lib.c b/freebsd/crypto/openssl/ssl/ssl_lib.c
index b9b4da4..1516f49 100644
--- a/freebsd/crypto/openssl/ssl/ssl_lib.c
+++ b/freebsd/crypto/openssl/ssl/ssl_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -2109,7 +2109,7 @@ int SSL_key_update(SSL *s, int updatetype)
return 1;
}
-int SSL_get_key_update_type(SSL *s)
+int SSL_get_key_update_type(const SSL *s)
{
return s->key_update;
}
@@ -2150,7 +2150,7 @@ int SSL_renegotiate_abbreviated(SSL *s)
return s->method->ssl_renegotiate(s);
}
-int SSL_renegotiate_pending(SSL *s)
+int SSL_renegotiate_pending(const SSL *s)
{
/*
* becomes true when negotiation is requested; false again once a
@@ -2510,6 +2510,26 @@ STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx)
return NULL;
}
+/*
+ * Distinguish between ciphers controlled by set_ciphersuite() and
+ * set_cipher_list() when counting.
+ */
+static int cipher_list_tls12_num(STACK_OF(SSL_CIPHER) *sk)
+{
+ int i, num = 0;
+ const SSL_CIPHER *c;
+
+ if (sk == NULL)
+ return 0;
+ for (i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
+ c = sk_SSL_CIPHER_value(sk, i);
+ if (c->min_tls >= TLS1_3_VERSION)
+ continue;
+ num++;
+ }
+ return num;
+}
+
/** specify the ciphers to be used by default by the SSL_CTX */
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
{
@@ -2527,7 +2547,7 @@ int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
*/
if (sk == NULL)
return 0;
- else if (sk_SSL_CIPHER_num(sk) == 0) {
+ else if (cipher_list_tls12_num(sk) == 0) {
SSLerr(SSL_F_SSL_CTX_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
return 0;
}
@@ -2545,7 +2565,7 @@ int SSL_set_cipher_list(SSL *s, const char *str)
/* see comment in SSL_CTX_set_cipher_list */
if (sk == NULL)
return 0;
- else if (sk_SSL_CIPHER_num(sk) == 0) {
+ else if (cipher_list_tls12_num(sk) == 0) {
SSLerr(SSL_F_SSL_SET_CIPHER_LIST, SSL_R_NO_CIPHER_MATCH);
return 0;
}
@@ -3430,12 +3450,12 @@ void ssl_update_cache(SSL *s, int mode)
}
}
-const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx)
+const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
{
return ctx->method;
}
-const SSL_METHOD *SSL_get_ssl_method(SSL *s)
+const SSL_METHOD *SSL_get_ssl_method(const SSL *s)
{
return s->method;
}
@@ -3873,7 +3893,7 @@ const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s)
return s->s3->tmp.new_cipher;
}
-const COMP_METHOD *SSL_get_current_compression(SSL *s)
+const COMP_METHOD *SSL_get_current_compression(const SSL *s)
{
#ifndef OPENSSL_NO_COMP
return s->compress ? COMP_CTX_get_method(s->compress) : NULL;
@@ -3882,7 +3902,7 @@ const COMP_METHOD *SSL_get_current_compression(SSL *s)
#endif
}
-const COMP_METHOD *SSL_get_current_expansion(SSL *s)
+const COMP_METHOD *SSL_get_current_expansion(const SSL *s)
{
#ifndef OPENSSL_NO_COMP
return s->expand ? COMP_CTX_get_method(s->expand) : NULL;
@@ -4330,7 +4350,7 @@ void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg)
ctx->record_padding_arg = arg;
}
-void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx)
+void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx)
{
return ctx->record_padding_arg;
}
@@ -4359,7 +4379,7 @@ void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg)
ssl->record_padding_arg = arg;
}
-void *SSL_get_record_padding_callback_arg(SSL *ssl)
+void *SSL_get_record_padding_callback_arg(const SSL *ssl)
{
return ssl->record_padding_arg;
}
@@ -4383,7 +4403,7 @@ int SSL_set_num_tickets(SSL *s, size_t num_tickets)
return 1;
}
-size_t SSL_get_num_tickets(SSL *s)
+size_t SSL_get_num_tickets(const SSL *s)
{
return s->num_tickets;
}
@@ -4395,7 +4415,7 @@ int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets)
return 1;
}
-size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx)
+size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx)
{
return ctx->num_tickets;
}
diff --git a/freebsd/crypto/openssl/ssl/ssl_locl.h b/freebsd/crypto/openssl/ssl/ssl_locl.h
index 70e5a17..f326399 100644
--- a/freebsd/crypto/openssl/ssl/ssl_locl.h
+++ b/freebsd/crypto/openssl/ssl/ssl_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -1170,8 +1170,6 @@ struct ssl_st {
EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */
unsigned char write_iv[EVP_MAX_IV_LENGTH]; /* TLSv1.3 static write IV */
EVP_MD_CTX *write_hash; /* used for mac generation */
- /* Count of how many KeyUpdate messages we have received */
- unsigned int key_update_count;
/* session info */
/* client cert? */
/* This is used to hold the server certificate used */
@@ -2461,7 +2459,7 @@ __owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,
const unsigned char *secret,
const unsigned char *label, size_t labellen,
const unsigned char *data, size_t datalen,
- unsigned char *out, size_t outlen);
+ unsigned char *out, size_t outlen, int fatal);
__owur int tls13_derive_key(SSL *s, const EVP_MD *md,
const unsigned char *secret, unsigned char *key,
size_t keylen);
diff --git a/freebsd/crypto/openssl/ssl/statem/extensions.c b/freebsd/crypto/openssl/ssl/statem/extensions.c
index d75460f..f105ea7 100644
--- a/freebsd/crypto/openssl/ssl/statem/extensions.c
+++ b/freebsd/crypto/openssl/ssl/statem/extensions.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -350,10 +350,12 @@ static const EXTENSION_DEFINITION ext_defs[] = {
{
/*
* Special unsolicited ServerHello extension only used when
- * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set
+ * SSL_OP_CRYPTOPRO_TLSEXT_BUG is set. We allow it in a ClientHello but
+ * ignore it.
*/
TLSEXT_TYPE_cryptopro_bug,
- SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
+ SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
+ | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
NULL, NULL, NULL, tls_construct_stoc_cryptopro_bug, NULL, NULL
},
{
@@ -625,7 +627,12 @@ int tls_collect_extensions(SSL *s, PACKET *packet, unsigned int context,
&& type != TLSEXT_TYPE_cookie
&& type != TLSEXT_TYPE_renegotiate
&& type != TLSEXT_TYPE_signed_certificate_timestamp
- && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0) {
+ && (s->ext.extflags[idx] & SSL_EXT_FLAG_SENT) == 0
+#ifndef OPENSSL_NO_GOST
+ && !((context & SSL_EXT_TLS1_2_SERVER_HELLO) != 0
+ && type == TLSEXT_TYPE_cryptopro_bug)
+#endif
+ ) {
SSLfatal(s, SSL_AD_UNSUPPORTED_EXTENSION,
SSL_F_TLS_COLLECT_EXTENSIONS, SSL_R_UNSOLICITED_EXTENSION);
goto err;
@@ -1508,7 +1515,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
/* Generate the binder key */
if (!tls13_hkdf_expand(s, md, early_secret, label, labelsize, hash,
- hashsize, binderkey, hashsize)) {
+ hashsize, binderkey, hashsize, 1)) {
/* SSLfatal() already called */
goto err;
}
diff --git a/freebsd/crypto/openssl/ssl/statem/statem.c b/freebsd/crypto/openssl/ssl/statem/statem.c
index ad50677..70c71cc 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem.c
+++ b/freebsd/crypto/openssl/ssl/statem/statem.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -344,8 +344,10 @@ static int state_machine(SSL *s, int server)
}
s->server = server;
- if (cb != NULL)
- cb(s, SSL_CB_HANDSHAKE_START, 1);
+ if (cb != NULL) {
+ if (SSL_IS_FIRST_HANDSHAKE(s) || !SSL_IS_TLS13(s))
+ cb(s, SSL_CB_HANDSHAKE_START, 1);
+ }
/*
* Fatal errors in this block don't send an alert because we have
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_clnt.c b/freebsd/crypto/openssl/ssl/statem/statem_clnt.c
index 154a9d4..5ddbebd 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem_clnt.c
+++ b/freebsd/crypto/openssl/ssl/statem/statem_clnt.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -1114,13 +1114,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
SSL_SESSION *sess = s->session;
unsigned char *session_id;
- if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
- /* Should not happen */
- SSLfatal(s, SSL_AD_INTERNAL_ERROR,
- SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
- return 0;
- }
-
/* Work out what SSL/TLS/DTLS version to use */
protverr = ssl_set_client_hello_version(s);
if (protverr != 0) {
@@ -1716,6 +1709,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
if (SSL_IS_DTLS(s) && s->hit) {
unsigned char sctpauthkey[64];
char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
+ size_t labellen;
/*
* Add new shared key for SCTP-Auth, will be ignored if
@@ -1724,10 +1718,15 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
sizeof(DTLS1_SCTP_AUTH_LABEL));
+ /* Don't include the terminating zero. */
+ labellen = sizeof(labelbuffer) - 1;
+ if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
+ labellen += 1;
+
if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey),
labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ labellen, NULL, 0, 0) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
ERR_R_INTERNAL_ERROR);
goto err;
@@ -2355,7 +2354,8 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
}
#ifdef SSL_DEBUG
if (SSL_USE_SIGALGS(s))
- fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+ fprintf(stderr, "USING TLSv1.2 HASH %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
#endif
if (!PACKET_get_length_prefixed_2(pkt, &signature)
@@ -2741,7 +2741,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
PACKET_data(&nonce),
PACKET_remaining(&nonce),
s->session->master_key,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
@@ -3405,6 +3405,7 @@ int tls_client_key_exchange_post_work(SSL *s)
if (SSL_IS_DTLS(s)) {
unsigned char sctpauthkey[64];
char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
+ size_t labellen;
/*
* Add new shared key for SCTP-Auth, will be ignored if no SCTP
@@ -3413,9 +3414,14 @@ int tls_client_key_exchange_post_work(SSL *s)
memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
sizeof(DTLS1_SCTP_AUTH_LABEL));
+ /* Don't include the terminating zero. */
+ labellen = sizeof(labelbuffer) - 1;
+ if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
+ labellen += 1;
+
if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ labellen, NULL, 0, 0) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK,
ERR_R_INTERNAL_ERROR);
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_lib.c b/freebsd/crypto/openssl/ssl/statem/statem_lib.c
index e8c96f2..74d380a 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem_lib.c
+++ b/freebsd/crypto/openssl/ssl/statem/statem_lib.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -398,7 +398,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
#ifdef SSL_DEBUG
if (SSL_USE_SIGALGS(s))
- fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
+ fprintf(stderr, "USING TLSv1.2 HASH %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
#endif
/* Check for broken implementations of GOST ciphersuites */
@@ -441,7 +442,8 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
}
#ifdef SSL_DEBUG
- fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
+ fprintf(stderr, "Using client verify alg %s\n",
+ md == NULL ? "n/a" : EVP_MD_name(md));
#endif
if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
@@ -614,13 +616,6 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
{
unsigned int updatetype;
- s->key_update_count++;
- if (s->key_update_count > MAX_KEY_UPDATE_MESSAGES) {
- SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
- SSL_R_TOO_MANY_KEY_UPDATES);
- return MSG_PROCESS_ERROR;
- }
-
/*
* A KeyUpdate message signals a key change so the end of the message must
* be on a record boundary.
@@ -1030,6 +1025,7 @@ unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
{
void (*cb) (const SSL *ssl, int type, int val) = NULL;
+ int cleanuphand = s->statem.cleanuphand;
if (clearbufs) {
if (!SSL_IS_DTLS(s)) {
@@ -1056,7 +1052,7 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
* Only set if there was a Finished message and this isn't after a TLSv1.3
* post handshake exchange
*/
- if (s->statem.cleanuphand) {
+ if (cleanuphand) {
/* skipped if we just sent a HelloRequest */
s->renegotiate = 0;
s->new_session = 0;
@@ -1076,15 +1072,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
/* N.B. s->ctx may not equal s->session_ctx */
tsan_counter(&s->ctx->stats.sess_accept_good);
s->handshake_func = ossl_statem_accept;
-
- if (SSL_IS_DTLS(s) && !s->hit) {
- /*
- * We are finishing after the client. We start the timer going
- * in case there are any retransmits of our final flight
- * required.
- */
- dtls1_start_timer(s);
- }
} else {
if (SSL_IS_TLS13(s)) {
/*
@@ -1106,15 +1093,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
s->handshake_func = ossl_statem_connect;
tsan_counter(&s->session_ctx->stats.sess_connect_good);
-
- if (SSL_IS_DTLS(s) && s->hit) {
- /*
- * We are finishing after the server. We start the timer going
- * in case there are any retransmits of our final flight
- * required.
- */
- dtls1_start_timer(s);
- }
}
if (SSL_IS_DTLS(s)) {
@@ -1134,8 +1112,12 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
/* The callback may expect us to not be in init at handshake done */
ossl_statem_set_in_init(s, 0);
- if (cb != NULL)
- cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ if (cb != NULL) {
+ if (cleanuphand
+ || !SSL_IS_TLS13(s)
+ || SSL_IS_FIRST_HANDSHAKE(s))
+ cb(s, SSL_CB_HANDSHAKE_DONE, 1);
+ }
if (!stop) {
/* If we've got more work to do we go back into init */
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_locl.h b/freebsd/crypto/openssl/ssl/statem/statem_locl.h
index 6b8cf37..e27c0c1 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem_locl.h
+++ b/freebsd/crypto/openssl/ssl/statem/statem_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -29,9 +29,6 @@
/* Max should actually be 36 but we are generous */
#define FINISHED_MAX_LENGTH 64
-/* The maximum number of incoming KeyUpdate messages we will accept */
-#define MAX_KEY_UPDATE_MESSAGES 32
-
/* Dummy message type */
#define SSL3_MT_DUMMY -1
diff --git a/freebsd/crypto/openssl/ssl/statem/statem_srvr.c b/freebsd/crypto/openssl/ssl/statem/statem_srvr.c
index c9bee6b..f00623d 100644
--- a/freebsd/crypto/openssl/ssl/statem/statem_srvr.c
+++ b/freebsd/crypto/openssl/ssl/statem/statem_srvr.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
@@ -832,6 +832,7 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
if (SSL_IS_DTLS(s) && s->hit) {
unsigned char sctpauthkey[64];
char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
+ size_t labellen;
/*
* Add new shared key for SCTP-Auth, will be ignored if no
@@ -840,9 +841,14 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
sizeof(DTLS1_SCTP_AUTH_LABEL));
+ /* Don't include the terminating zero. */
+ labellen = sizeof(labelbuffer) - 1;
+ if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
+ labellen += 1;
+
if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0,
+ labellen, NULL, 0,
0) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_OSSL_STATEM_SERVER_POST_WORK,
@@ -3502,6 +3508,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
if (SSL_IS_DTLS(s)) {
unsigned char sctpauthkey[64];
char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
+ size_t labellen;
/*
* Add new shared key for SCTP-Auth, will be ignored if no SCTP
* used.
@@ -3509,9 +3516,14 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
sizeof(DTLS1_SCTP_AUTH_LABEL));
+ /* Don't include the terminating zero. */
+ labellen = sizeof(labelbuffer) - 1;
+ if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
+ labellen += 1;
+
if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0,
+ labellen, NULL, 0,
0) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
@@ -4030,7 +4042,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
uint64_t nonce;
static const unsigned char nonce_label[] = "resumption";
const EVP_MD *md = ssl_handshake_md(s);
- void (*cb) (const SSL *ssl, int type, int val) = NULL;
int hashleni = EVP_MD_size(md);
/* Ensure cast to size_t is safe */
@@ -4042,24 +4053,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
}
hashlen = (size_t)hashleni;
- if (s->info_callback != NULL)
- cb = s->info_callback;
- else if (s->ctx->info_callback != NULL)
- cb = s->ctx->info_callback;
-
- if (cb != NULL) {
- /*
- * We don't start and stop the handshake in between each ticket when
- * sending more than one - but it should appear that way to the info
- * callback.
- */
- if (s->sent_tickets != 0) {
- ossl_statem_set_in_init(s, 0);
- cb(s, SSL_CB_HANDSHAKE_DONE, 1);
- ossl_statem_set_in_init(s, 1);
- }
- cb(s, SSL_CB_HANDSHAKE_START, 1);
- }
/*
* If we already sent one NewSessionTicket, or we resumed then
* s->session may already be in a cache and so we must not modify it.
@@ -4101,7 +4094,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
tick_nonce,
TICKET_NONCE_SIZE,
s->session->master_key,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
diff --git a/freebsd/crypto/openssl/ssl/t1_enc.c b/freebsd/crypto/openssl/ssl/t1_enc.c
index 0fab8eb..80247d3 100644
--- a/freebsd/crypto/openssl/ssl/t1_enc.c
+++ b/freebsd/crypto/openssl/ssl/t1_enc.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -83,10 +83,6 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
int tls1_change_cipher_state(SSL *s, int which)
{
unsigned char *p, *mac_secret;
- unsigned char tmp1[EVP_MAX_KEY_LENGTH];
- unsigned char tmp2[EVP_MAX_KEY_LENGTH];
- unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
- unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
unsigned char *ms, *key, *iv;
EVP_CIPHER_CTX *dd;
const EVP_CIPHER *c;
@@ -336,16 +332,8 @@ int tls1_change_cipher_state(SSL *s, int which)
printf("\n");
#endif
- OPENSSL_cleanse(tmp1, sizeof(tmp1));
- OPENSSL_cleanse(tmp2, sizeof(tmp1));
- OPENSSL_cleanse(iv1, sizeof(iv1));
- OPENSSL_cleanse(iv2, sizeof(iv2));
return 1;
err:
- OPENSSL_cleanse(tmp1, sizeof(tmp1));
- OPENSSL_cleanse(tmp2, sizeof(tmp1));
- OPENSSL_cleanse(iv1, sizeof(iv1));
- OPENSSL_cleanse(iv2, sizeof(iv2));
return 0;
}
diff --git a/freebsd/crypto/openssl/ssl/t1_lib.c b/freebsd/crypto/openssl/ssl/t1_lib.c
index 88f26f0..087fd0b 100644
--- a/freebsd/crypto/openssl/ssl/t1_lib.c
+++ b/freebsd/crypto/openssl/ssl/t1_lib.c
@@ -2539,7 +2539,8 @@ static int tls12_get_cert_sigalg_idx(const SSL *s, const SIGALG_LOOKUP *lu)
static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
{
const SIGALG_LOOKUP *lu;
- int mdnid, pknid;
+ int mdnid, pknid, default_mdnid;
+ int mandatory_md = 0;
size_t i;
/* TLS 1.2 callers can override lu->sig_idx, but not TLS 1.3 callers. */
@@ -2547,12 +2548,26 @@ static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
idx = sig->sig_idx;
if (!ssl_has_cert(s, idx))
return 0;
+ /* If the EVP_PKEY reports a mandatory digest, allow nothing else. */
+ ERR_set_mark();
+ switch (EVP_PKEY_get_default_digest_nid(s->cert->pkeys[idx].privatekey,
+ &default_mdnid)) {
+ case 2:
+ mandatory_md = 1;
+ break;
+ case 1:
+ break;
+ default: /* If it didn't report a mandatory NID, for whatever reasons,
+ * just clear the error and allow all hashes to be used. */
+ ERR_pop_to_mark();
+ }
if (s->s3->tmp.peer_cert_sigalgs != NULL) {
for (i = 0; i < s->s3->tmp.peer_cert_sigalgslen; i++) {
lu = tls1_lookup_sigalg(s->s3->tmp.peer_cert_sigalgs[i]);
if (lu == NULL
|| !X509_get_signature_info(s->cert->pkeys[idx].x509, &mdnid,
- &pknid, NULL, NULL))
+ &pknid, NULL, NULL)
+ || (mandatory_md && mdnid != default_mdnid))
continue;
/*
* TODO this does not differentiate between the
@@ -2565,7 +2580,7 @@ static int has_usable_cert(SSL *s, const SIGALG_LOOKUP *sig, int idx)
}
return 0;
}
- return 1;
+ return !mandatory_md || sig->hash == default_mdnid;
}
/*
diff --git a/freebsd/crypto/openssl/ssl/tls13_enc.c b/freebsd/crypto/openssl/ssl/tls13_enc.c
index 0e8c4bc..d3062e7 100644
--- a/freebsd/crypto/openssl/ssl/tls13_enc.c
+++ b/freebsd/crypto/openssl/ssl/tls13_enc.c
@@ -1,7 +1,7 @@
#include <machine/rtems-bsd-user-space.h>
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -15,14 +15,7 @@
#include <openssl/evp.h>
#include <openssl/kdf.h>
-/*
- * RFC 8446, 7.1 Key Schedule, says:
- * Note: With common hash functions, any label longer than 12 characters
- * requires an additional iteration of the hash function to compute.
- * The labels in this specification have all been chosen to fit within
- * this limit.
- */
-#define TLS13_MAX_LABEL_LEN 12
+#define TLS13_MAX_LABEL_LEN 249
/* Always filled with zeros */
static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
@@ -31,12 +24,13 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
* Given a |secret|; a |label| of length |labellen|; and |data| of length
* |datalen| (e.g. typically a hash of the handshake messages), derive a new
* secret |outlen| bytes long and store it in the location pointed to be |out|.
- * The |data| value may be zero length. Returns 1 on success 0 on failure.
+ * The |data| value may be zero length. Any errors will be treated as fatal if
+ * |fatal| is set. Returns 1 on success 0 on failure.
*/
int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
const unsigned char *label, size_t labellen,
const unsigned char *data, size_t datalen,
- unsigned char *out, size_t outlen)
+ unsigned char *out, size_t outlen, int fatal)
{
static const unsigned char label_prefix[] = "tls13 ";
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
@@ -49,13 +43,28 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
* + bytes for the hash itself
*/
unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
- + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
- + EVP_MAX_MD_SIZE];
+ + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
+ + 1 + EVP_MAX_MD_SIZE];
WPACKET pkt;
if (pctx == NULL)
return 0;
+ if (labellen > TLS13_MAX_LABEL_LEN) {
+ if (fatal) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+ ERR_R_INTERNAL_ERROR);
+ } else {
+ /*
+ * Probably we have been called from SSL_export_keying_material(),
+ * or SSL_export_keying_material_early().
+ */
+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
+ }
+ EVP_PKEY_CTX_free(pctx);
+ return 0;
+ }
+
hashlen = EVP_MD_size(md);
if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
@@ -69,8 +78,11 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
|| !WPACKET_finish(&pkt)) {
EVP_PKEY_CTX_free(pctx);
WPACKET_cleanup(&pkt);
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
- ERR_R_INTERNAL_ERROR);
+ if (fatal)
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+ ERR_R_INTERNAL_ERROR);
+ else
+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -84,9 +96,13 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
EVP_PKEY_CTX_free(pctx);
- if (ret != 0)
- SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
- ERR_R_INTERNAL_ERROR);
+ if (ret != 0) {
+ if (fatal)
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
+ ERR_R_INTERNAL_ERROR);
+ else
+ SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
+ }
return ret == 0;
}
@@ -101,7 +117,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
static const unsigned char keylabel[] = "key";
return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
- NULL, 0, key, keylen);
+ NULL, 0, key, keylen, 1);
}
/*
@@ -114,7 +130,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
static const unsigned char ivlabel[] = "iv";
return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
- NULL, 0, iv, ivlen);
+ NULL, 0, iv, ivlen, 1);
}
int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
@@ -124,7 +140,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
static const unsigned char finishedlabel[] = "finished";
return tls13_hkdf_expand(s, md, secret, finishedlabel,
- sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
+ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
}
/*
@@ -187,7 +203,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
if (!tls13_hkdf_expand(s, md, prevsecret,
(unsigned char *)derived_secret_label,
sizeof(derived_secret_label) - 1, hash, mdlen,
- preextractsec, mdlen)) {
+ preextractsec, mdlen, 1)) {
/* SSLfatal() already called */
EVP_PKEY_CTX_free(pctx);
return 0;
@@ -309,11 +325,9 @@ int tls13_setup_key_block(SSL *s)
{
const EVP_CIPHER *c;
const EVP_MD *hash;
- int mac_type = NID_undef;
s->session->cipher = s->s3->tmp.new_cipher;
- if (!ssl_cipher_get_evp
- (s->session, &c, &hash, &mac_type, NULL, NULL, 0)) {
+ if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, NULL, 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
return 0;
@@ -347,7 +361,7 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
hashlen = (size_t)hashleni;
if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
- secret, hashlen)) {
+ secret, hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
@@ -527,7 +541,8 @@ int tls13_change_cipher_state(SSL *s, int which)
early_exporter_master_secret,
sizeof(early_exporter_master_secret) - 1,
hashval, hashlen,
- s->early_exporter_master_secret, hashlen)) {
+ s->early_exporter_master_secret, hashlen,
+ 1)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err;
@@ -614,7 +629,7 @@ int tls13_change_cipher_state(SSL *s, int which)
resumption_master_secret,
sizeof(resumption_master_secret) - 1,
hashval, hashlen, s->resumption_master_secret,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
@@ -634,7 +649,7 @@ int tls13_change_cipher_state(SSL *s, int which)
exporter_master_secret,
sizeof(exporter_master_secret) - 1,
hash, hashlen, s->exporter_master_secret,
- hashlen)) {
+ hashlen, 1)) {
/* SSLfatal() already called */
goto err;
}
@@ -748,10 +763,10 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
|| EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
|| !tls13_hkdf_expand(s, md, s->exporter_master_secret,
(const unsigned char *)label, llen,
- data, datalen, exportsecret, hashsize)
+ data, datalen, exportsecret, hashsize, 0)
|| !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
sizeof(exporterlabel) - 1, hash, hashsize,
- out, olen))
+ out, olen, 0))
goto err;
ret = 1;
@@ -807,10 +822,10 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
|| EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
|| !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
(const unsigned char *)label, llen,
- data, datalen, exportsecret, hashsize)
+ data, datalen, exportsecret, hashsize, 0)
|| !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
sizeof(exporterlabel) - 1, hash, hashsize,
- out, olen))
+ out, olen, 0))
goto err;
ret = 1;
diff --git a/freebsd/sbin/dhclient/dhclient.c b/freebsd/sbin/dhclient/dhclient.c
index d155d45..0e654e9 100644
--- a/freebsd/sbin/dhclient/dhclient.c
+++ b/freebsd/sbin/dhclient/dhclient.c
@@ -2352,7 +2352,8 @@ priv_script_go(void)
if (ip)
script_flush_env(ip->client);
- return (wstatus & 0xff);
+ return (WIFEXITED(wstatus) ?
+ WEXITSTATUS(wstatus) : 128 + WTERMSIG(wstatus));
}
void
diff --git a/freebsd/sbin/ifconfig/ifconfig.c b/freebsd/sbin/ifconfig/ifconfig.c
index 1e79e0c..dad7ace 100644
--- a/freebsd/sbin/ifconfig/ifconfig.c
+++ b/freebsd/sbin/ifconfig/ifconfig.c
@@ -129,6 +129,8 @@ static void status(const struct afswtch *afp, const struct sockaddr_dl *sdl,
static void tunnel_status(int s);
static _Noreturn void usage(void);
+static int getifflags(const char *ifname, int us);
+
static struct afswtch *af_getbyname(const char *name);
static struct afswtch *af_getbyfamily(int af);
static void af_other_status(int);
@@ -437,6 +439,7 @@ main(int argc, char *argv[])
const char *ifname;
struct option *p;
size_t iflen;
+ int flags;
#ifdef __rtems__
struct getopt_data getopt_data;
memset(&getopt_data, 0, sizeof(getopt_data));
@@ -607,6 +610,25 @@ main(int argc, char *argv[])
argc--, argv++;
}
+ /*
+ * Check for a requested configuration action on a single interface,
+ * which doesn't require building, sorting, and searching the entire
+ * system address list
+ */
+ if ((argc > 0) && (ifname != NULL)) {
+ iflen = strlcpy(name, ifname, sizeof(name));
+ if (iflen >= sizeof(name)) {
+ warnx("%s: interface name too long, skipping", ifname);
+ } else {
+ flags = getifflags(name, -1);
+ if (!(((flags & IFF_CANTCONFIG) != 0) ||
+ (downonly && (flags & IFF_UP) != 0) ||
+ (uponly && (flags & IFF_UP) == 0)))
+ ifconfig(argc, argv, 0, afp);
+ }
+ goto done;
+ }
+
if (getifaddrs(&ifap) != 0)
err(EXIT_FAILURE, "getifaddrs");
@@ -690,6 +712,7 @@ main(int argc, char *argv[])
printf("\n");
freeifaddrs(ifap);
+done:
freeformat();
exit(exit_code);
}
@@ -1101,6 +1124,28 @@ setifdstaddr(const char *addr, int param __unused, int s,
afp->af_getaddr(addr, DSTADDR);
}
+static int
+getifflags(const char *ifname, int us)
+{
+ struct ifreq my_ifr;
+ int s;
+
+ memset(&my_ifr, 0, sizeof(my_ifr));
+ (void) strlcpy(my_ifr.ifr_name, ifname, sizeof(my_ifr.ifr_name));
+ if (us < 0) {
+ if ((s = socket(AF_LOCAL, SOCK_DGRAM, 0)) < 0)
+ err(1, "socket(family AF_LOCAL,SOCK_DGRAM");
+ } else
+ s = us;
+ if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&my_ifr) < 0) {
+ Perror("ioctl (SIOCGIFFLAGS)");
+ exit(1);
+ }
+ if (us < 0)
+ close(s);
+ return ((my_ifr.ifr_flags & 0xffff) | (my_ifr.ifr_flagshigh << 16));
+}
+
/*
* Note: doing an SIOCIGIFFLAGS scribbles on the union portion
* of the ifreq structure, which may confuse other parts of ifconfig.
@@ -1112,20 +1157,14 @@ setifflags(const char *vname, int value, int s, const struct afswtch *afp)
struct ifreq my_ifr;
int flags;
- memset(&my_ifr, 0, sizeof(my_ifr));
- (void) strlcpy(my_ifr.ifr_name, name, sizeof(my_ifr.ifr_name));
-
- if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&my_ifr) < 0) {
- Perror("ioctl (SIOCGIFFLAGS)");
- exit(1);
- }
- flags = (my_ifr.ifr_flags & 0xffff) | (my_ifr.ifr_flagshigh << 16);
-
+ flags = getifflags(name, s);
if (value < 0) {
value = -value;
flags &= ~value;
} else
flags |= value;
+ memset(&my_ifr, 0, sizeof(my_ifr));
+ (void) strlcpy(my_ifr.ifr_name, name, sizeof(my_ifr.ifr_name));
my_ifr.ifr_flags = flags & 0xffff;
my_ifr.ifr_flagshigh = flags >> 16;
if (ioctl(s, SIOCSIFFLAGS, (caddr_t)&my_ifr) < 0)
diff --git a/freebsd/sbin/ifconfig/ifieee80211.c b/freebsd/sbin/ifconfig/ifieee80211.c
index c53d111..08c9144 100644
--- a/freebsd/sbin/ifconfig/ifieee80211.c
+++ b/freebsd/sbin/ifconfig/ifieee80211.c
@@ -5096,7 +5096,9 @@ end:
LINE_CHECK("roam:rssi %u.5", rp->rssi/2);
else
LINE_CHECK("roam:rssi %u", rp->rssi/2);
- LINE_CHECK("roam:rate %u", rp->rate/2);
+ LINE_CHECK("roam:rate %s%u",
+ (rp->rate & IEEE80211_RATE_MCS) ? "MCS " : "",
+ get_rate_value(rp->rate));
} else {
LINE_BREAK();
list_roam(s);
diff --git a/freebsd/sbin/ifconfig/ifpfsync.c b/freebsd/sbin/ifconfig/ifpfsync.c
index c2c9168..944a1b2 100644
--- a/freebsd/sbin/ifconfig/ifpfsync.c
+++ b/freebsd/sbin/ifconfig/ifpfsync.c
@@ -207,16 +207,16 @@ pfsync_status(int s)
return;
if (preq.pfsyncr_syncdev[0] != '\0' ||
- preq.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP)
+ preq.pfsyncr_syncpeer.s_addr != htonl(INADDR_PFSYNC_GROUP))
printf("\t");
if (preq.pfsyncr_syncdev[0] != '\0')
printf("pfsync: syncdev: %s ", preq.pfsyncr_syncdev);
- if (preq.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP)
+ if (preq.pfsyncr_syncpeer.s_addr != htonl(INADDR_PFSYNC_GROUP))
printf("syncpeer: %s ", inet_ntoa(preq.pfsyncr_syncpeer));
if (preq.pfsyncr_syncdev[0] != '\0' ||
- preq.pfsyncr_syncpeer.s_addr != INADDR_PFSYNC_GROUP) {
+ preq.pfsyncr_syncpeer.s_addr != htonl(INADDR_PFSYNC_GROUP)) {
printf("maxupd: %d ", preq.pfsyncr_maxupdates);
printf("defer: %s\n", preq.pfsyncr_defer ? "on" : "off");
}
diff --git a/freebsd/sbin/pfctl/parse.y b/freebsd/sbin/pfctl/parse.y
index adb6e1c..9170699 100644
--- a/freebsd/sbin/pfctl/parse.y
+++ b/freebsd/sbin/pfctl/parse.y
@@ -4756,6 +4756,8 @@ process_tabledef(char *name, struct table_opts *opts)
{
struct pfr_buffer ab;
struct node_tinit *ti;
+ unsigned long maxcount;
+ size_t s = sizeof(maxcount);
bzero(&ab, sizeof(ab));
ab.pfrb_type = PFRB_ADDRS;
@@ -4783,8 +4785,19 @@ process_tabledef(char *name, struct table_opts *opts)
if (!(pf->opts & PF_OPT_NOACTION) &&
pfctl_define_table(name, opts->flags, opts->init_addr,
pf->anchor->name, &ab, pf->anchor->ruleset.tticket)) {
- yyerror("cannot define table %s: %s", name,
- pfr_strerror(errno));
+
+ if (sysctlbyname("net.pf.request_maxcount", &maxcount, &s,
+ NULL, 0) == -1)
+ maxcount = 65535;
+
+ if (ab.pfrb_size > maxcount)
+ yyerror("cannot define table %s: too many elements.\n"
+ "Consider increasing net.pf.request_maxcount.",
+ name);
+ else
+ yyerror("cannot define table %s: %s", name,
+ pfr_strerror(errno));
+
goto _error;
}
pf->tdirty = 1;
diff --git a/freebsd/sbin/pfctl/pfctl.h b/freebsd/sbin/pfctl/pfctl.h
index a432f10..f43b71e 100644
--- a/freebsd/sbin/pfctl/pfctl.h
+++ b/freebsd/sbin/pfctl/pfctl.h
@@ -114,7 +114,6 @@ extern int loadopt;
int check_commit_altq(int, int);
void pfaltq_store(struct pf_altq *);
-struct pf_altq *pfaltq_lookup(const char *);
char *rate2str(double);
void print_addr(struct pf_addr_wrap *, sa_family_t, int);
diff --git a/freebsd/sbin/pfctl/pfctl_altq.c b/freebsd/sbin/pfctl/pfctl_altq.c
index 1220cfc..7cf72b4 100644
--- a/freebsd/sbin/pfctl/pfctl_altq.c
+++ b/freebsd/sbin/pfctl/pfctl_altq.c
@@ -33,6 +33,7 @@ __FBSDID("$FreeBSD$");
#define PFIOC_USE_LATEST
#include <sys/types.h>
+#include <sys/bitset.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
@@ -45,6 +46,7 @@ __FBSDID("$FreeBSD$");
#include <inttypes.h>
#include <limits.h>
#include <math.h>
+#include <search.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -65,38 +67,44 @@ __FBSDID("$FreeBSD$");
#define is_sc_null(sc) (((sc) == NULL) || ((sc)->m1 == 0 && (sc)->m2 == 0))
-static TAILQ_HEAD(altqs, pf_altq) altqs = TAILQ_HEAD_INITIALIZER(altqs);
-static LIST_HEAD(gen_sc, segment) rtsc, lssc;
+static STAILQ_HEAD(interfaces, pfctl_altq) interfaces = STAILQ_HEAD_INITIALIZER(interfaces);
+static struct hsearch_data queue_map;
+static struct hsearch_data if_map;
+static struct hsearch_data qid_map;
-struct pf_altq *qname_to_pfaltq(const char *, const char *);
-u_int32_t qname_to_qid(const char *);
+static struct pfctl_altq *pfaltq_lookup(char *ifname);
+static struct pfctl_altq *qname_to_pfaltq(const char *, const char *);
+static u_int32_t qname_to_qid(char *);
-static int eval_pfqueue_cbq(struct pfctl *, struct pf_altq *);
+static int eval_pfqueue_cbq(struct pfctl *, struct pf_altq *,
+ struct pfctl_altq *);
static int cbq_compute_idletime(struct pfctl *, struct pf_altq *);
-static int check_commit_cbq(int, int, struct pf_altq *);
+static int check_commit_cbq(int, int, struct pfctl_altq *);
static int print_cbq_opts(const struct pf_altq *);
static int print_codel_opts(const struct pf_altq *,
const struct node_queue_opt *);
-static int eval_pfqueue_priq(struct pfctl *, struct pf_altq *);
-static int check_commit_priq(int, int, struct pf_altq *);
+static int eval_pfqueue_priq(struct pfctl *, struct pf_altq *,
+ struct pfctl_altq *);
+static int check_commit_priq(int, int, struct pfctl_altq *);
static int print_priq_opts(const struct pf_altq *);
-static int eval_pfqueue_hfsc(struct pfctl *, struct pf_altq *);
-static int check_commit_hfsc(int, int, struct pf_altq *);
+static int eval_pfqueue_hfsc(struct pfctl *, struct pf_altq *,
+ struct pfctl_altq *, struct pfctl_altq *);
+static int check_commit_hfsc(int, int, struct pfctl_altq *);
static int print_hfsc_opts(const struct pf_altq *,
const struct node_queue_opt *);
-static int eval_pfqueue_fairq(struct pfctl *, struct pf_altq *);
+static int eval_pfqueue_fairq(struct pfctl *, struct pf_altq *,
+ struct pfctl_altq *, struct pfctl_altq *);
static int print_fairq_opts(const struct pf_altq *,
const struct node_queue_opt *);
-static int check_commit_fairq(int, int, struct pf_altq *);
+static int check_commit_fairq(int, int, struct pfctl_altq *);
static void gsc_add_sc(struct gen_sc *, struct service_curve *);
static int is_gsc_under_sc(struct gen_sc *,
struct service_curve *);
-static void gsc_destroy(struct gen_sc *);
static struct segment *gsc_getentry(struct gen_sc *, double);
static int gsc_add_seg(struct gen_sc *, double, double, double,
double);
@@ -116,59 +124,101 @@ void print_hfsc_sc(const char *, u_int, u_int, u_int,
void print_fairq_sc(const char *, u_int, u_int, u_int,
const struct node_fairq_sc *);
+static __attribute__((constructor)) void
+pfctl_altq_init(void)
+{
+ /*
+ * As hdestroy() will never be called on these tables, it will be
+ * safe to use references into the stored data as keys.
+ */
+ if (hcreate_r(0, &queue_map) == 0)
+ err(1, "Failed to create altq queue map");
+ if (hcreate_r(0, &if_map) == 0)
+ err(1, "Failed to create altq interface map");
+ if (hcreate_r(0, &qid_map) == 0)
+ err(1, "Failed to create altq queue id map");
+}
+
void
pfaltq_store(struct pf_altq *a)
{
- struct pf_altq *altq;
-
+ struct pfctl_altq *altq;
+ ENTRY item;
+ ENTRY *ret_item;
+ size_t key_size;
+
if ((altq = malloc(sizeof(*altq))) == NULL)
- err(1, "malloc");
- memcpy(altq, a, sizeof(struct pf_altq));
- TAILQ_INSERT_TAIL(&altqs, altq, entries);
+ err(1, "queue malloc");
+ memcpy(&altq->pa, a, sizeof(struct pf_altq));
+ memset(&altq->meta, 0, sizeof(altq->meta));
+
+ if (a->qname[0] == 0) {
+ item.key = altq->pa.ifname;
+ item.data = altq;
+ if (hsearch_r(item, ENTER, &ret_item, &if_map) == 0)
+ err(1, "interface map insert");
+ STAILQ_INSERT_TAIL(&interfaces, altq, meta.link);
+ } else {
+ key_size = sizeof(a->ifname) + sizeof(a->qname);
+ if ((item.key = malloc(key_size)) == NULL)
+ err(1, "queue map key malloc");
+ snprintf(item.key, key_size, "%s:%s", a->ifname, a->qname);
+ item.data = altq;
+ if (hsearch_r(item, ENTER, &ret_item, &queue_map) == 0)
+ err(1, "queue map insert");
+
+ item.key = altq->pa.qname;
+ item.data = &altq->pa.qid;
+ if (hsearch_r(item, ENTER, &ret_item, &qid_map) == 0)
+ err(1, "qid map insert");
+ }
}
-struct pf_altq *
-pfaltq_lookup(const char *ifname)
+static struct pfctl_altq *
+pfaltq_lookup(char *ifname)
{
- struct pf_altq *altq;
+ ENTRY item;
+ ENTRY *ret_item;
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(ifname, altq->ifname, IFNAMSIZ) == 0 &&
- altq->qname[0] == 0)
- return (altq);
- }
- return (NULL);
+ item.key = ifname;
+ if (hsearch_r(item, FIND, &ret_item, &if_map) == 0)
+ return (NULL);
+
+ return (ret_item->data);
}
-struct pf_altq *
+static struct pfctl_altq *
qname_to_pfaltq(const char *qname, const char *ifname)
{
- struct pf_altq *altq;
+ ENTRY item;
+ ENTRY *ret_item;
+ char key[IFNAMSIZ + PF_QNAME_SIZE];
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(ifname, altq->ifname, IFNAMSIZ) == 0 &&
- strncmp(qname, altq->qname, PF_QNAME_SIZE) == 0)
- return (altq);
- }
- return (NULL);
+ item.key = key;
+ snprintf(item.key, sizeof(key), "%s:%s", ifname, qname);
+ if (hsearch_r(item, FIND, &ret_item, &queue_map) == 0)
+ return (NULL);
+
+ return (ret_item->data);
}
-u_int32_t
-qname_to_qid(const char *qname)
+static u_int32_t
+qname_to_qid(char *qname)
{
- struct pf_altq *altq;
-
+ ENTRY item;
+ ENTRY *ret_item;
+ uint32_t qid;
+
/*
* We guarantee that same named queues on different interfaces
- * have the same qid, so we do NOT need to limit matching on
- * one interface!
+ * have the same qid.
*/
+ item.key = qname;
+ if (hsearch_r(item, FIND, &ret_item, &qid_map) == 0)
+ return (0);
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(qname, altq->qname, PF_QNAME_SIZE) == 0)
- return (altq->qid);
- }
- return (0);
+ qid = *(uint32_t *)ret_item->data;
+ return (qid);
}
void
@@ -327,28 +377,26 @@ eval_pfaltq(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
int
check_commit_altq(int dev, int opts)
{
- struct pf_altq *altq;
- int error = 0;
+ struct pfctl_altq *if_ppa;
+ int error = 0;
/* call the discipline check for each interface. */
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (altq->qname[0] == 0) {
- switch (altq->scheduler) {
- case ALTQT_CBQ:
- error = check_commit_cbq(dev, opts, altq);
- break;
- case ALTQT_PRIQ:
- error = check_commit_priq(dev, opts, altq);
- break;
- case ALTQT_HFSC:
- error = check_commit_hfsc(dev, opts, altq);
- break;
- case ALTQT_FAIRQ:
- error = check_commit_fairq(dev, opts, altq);
- break;
- default:
- break;
- }
+ STAILQ_FOREACH(if_ppa, &interfaces, meta.link) {
+ switch (if_ppa->pa.scheduler) {
+ case ALTQT_CBQ:
+ error = check_commit_cbq(dev, opts, if_ppa);
+ break;
+ case ALTQT_PRIQ:
+ error = check_commit_priq(dev, opts, if_ppa);
+ break;
+ case ALTQT_HFSC:
+ error = check_commit_hfsc(dev, opts, if_ppa);
+ break;
+ case ALTQT_FAIRQ:
+ error = check_commit_fairq(dev, opts, if_ppa);
+ break;
+ default:
+ break;
}
}
return (error);
@@ -362,17 +410,16 @@ eval_pfqueue(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
struct node_queue_opt *opts)
{
/* should be merged with expand_queue */
- struct pf_altq *if_pa, *parent, *altq;
- u_int64_t bwsum;
- int error = 0;
+ struct pfctl_altq *if_ppa, *parent;
+ int error = 0;
/* find the corresponding interface and copy fields used by queues */
- if ((if_pa = pfaltq_lookup(pa->ifname)) == NULL) {
+ if ((if_ppa = pfaltq_lookup(pa->ifname)) == NULL) {
fprintf(stderr, "altq not defined on %s\n", pa->ifname);
return (1);
}
- pa->scheduler = if_pa->scheduler;
- pa->ifbandwidth = if_pa->ifbandwidth;
+ pa->scheduler = if_ppa->pa.scheduler;
+ pa->ifbandwidth = if_ppa->pa.ifbandwidth;
if (qname_to_pfaltq(pa->qname, pa->ifname) != NULL) {
fprintf(stderr, "queue %s already exists on interface %s\n",
@@ -389,7 +436,7 @@ eval_pfqueue(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
pa->parent, pa->qname);
return (1);
}
- pa->parent_qid = parent->qid;
+ pa->parent_qid = parent->pa.qid;
}
if (pa->qlimit == 0)
pa->qlimit = DEFAULT_QLIMIT;
@@ -397,53 +444,56 @@ eval_pfqueue(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
if (pa->scheduler == ALTQT_CBQ || pa->scheduler == ALTQT_HFSC ||
pa->scheduler == ALTQT_FAIRQ) {
pa->bandwidth = eval_bwspec(bw,
- parent == NULL ? pa->ifbandwidth : parent->bandwidth);
+ parent == NULL ? pa->ifbandwidth : parent->pa.bandwidth);
if (pa->bandwidth > pa->ifbandwidth) {
fprintf(stderr, "bandwidth for %s higher than "
"interface\n", pa->qname);
return (1);
}
- /* check the sum of the child bandwidth is under parent's */
- if (parent != NULL) {
- if (pa->bandwidth > parent->bandwidth) {
+ /*
+ * If not HFSC, then check that the sum of the child
+ * bandwidths is less than the parent's bandwidth. For
+ * HFSC, the equivalent concept is to check that the sum of
+ * the child linkshare service curves are under the parent's
+ * linkshare service curve, and that check is performed by
+ * eval_pfqueue_hfsc().
+ */
+ if ((parent != NULL) && (pa->scheduler != ALTQT_HFSC)) {
+ if (pa->bandwidth > parent->pa.bandwidth) {
warnx("bandwidth for %s higher than parent",
pa->qname);
return (1);
}
- bwsum = 0;
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname,
- IFNAMSIZ) == 0 &&
- altq->qname[0] != 0 &&
- strncmp(altq->parent, pa->parent,
- PF_QNAME_SIZE) == 0)
- bwsum += altq->bandwidth;
- }
- bwsum += pa->bandwidth;
- if (bwsum > parent->bandwidth) {
- warnx("the sum of the child bandwidth higher"
- " than parent \"%s\"", parent->qname);
+ parent->meta.bwsum += pa->bandwidth;
+ if (parent->meta.bwsum > parent->pa.bandwidth) {
+ warnx("the sum of the child bandwidth (%" PRIu64
+ ") higher than parent \"%s\" (%" PRIu64 ")",
+ parent->meta.bwsum, parent->pa.qname,
+ parent->pa.bandwidth);
}
}
}
if (eval_queue_opts(pa, opts,
- parent == NULL ? pa->ifbandwidth : parent->bandwidth))
+ parent == NULL ? pa->ifbandwidth : parent->pa.bandwidth))
return (1);
+ if (parent != NULL)
+ parent->meta.children++;
+
switch (pa->scheduler) {
case ALTQT_CBQ:
- error = eval_pfqueue_cbq(pf, pa);
+ error = eval_pfqueue_cbq(pf, pa, if_ppa);
break;
case ALTQT_PRIQ:
- error = eval_pfqueue_priq(pf, pa);
+ error = eval_pfqueue_priq(pf, pa, if_ppa);
break;
case ALTQT_HFSC:
- error = eval_pfqueue_hfsc(pf, pa);
+ error = eval_pfqueue_hfsc(pf, pa, if_ppa, parent);
break;
case ALTQT_FAIRQ:
- error = eval_pfqueue_fairq(pf, pa);
+ error = eval_pfqueue_fairq(pf, pa, if_ppa, parent);
break;
default:
break;
@@ -458,7 +508,7 @@ eval_pfqueue(struct pfctl *pf, struct pf_altq *pa, struct node_queue_bw *bw,
#define RM_NS_PER_SEC (1000000000)
static int
-eval_pfqueue_cbq(struct pfctl *pf, struct pf_altq *pa)
+eval_pfqueue_cbq(struct pfctl *pf, struct pf_altq *pa, struct pfctl_altq *if_ppa)
{
struct cbq_opts *opts;
u_int ifmtu;
@@ -488,6 +538,11 @@ eval_pfqueue_cbq(struct pfctl *pf, struct pf_altq *pa)
if (pa->parent[0] == 0)
opts->flags |= (CBQCLF_ROOTCLASS | CBQCLF_WRR);
+ if (pa->pq_u.cbq_opts.flags & CBQCLF_ROOTCLASS)
+ if_ppa->meta.root_classes++;
+ if (pa->pq_u.cbq_opts.flags & CBQCLF_DEFCLASS)
+ if_ppa->meta.default_classes++;
+
cbq_compute_idletime(pf, pa);
return (0);
}
@@ -580,33 +635,20 @@ cbq_compute_idletime(struct pfctl *pf, struct pf_altq *pa)
}
static int
-check_commit_cbq(int dev, int opts, struct pf_altq *pa)
+check_commit_cbq(int dev, int opts, struct pfctl_altq *if_ppa)
{
- struct pf_altq *altq;
- int root_class, default_class;
- int error = 0;
+ int error = 0;
/*
* check if cbq has one root queue and one default queue
* for this interface
*/
- root_class = default_class = 0;
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
- if (altq->pq_u.cbq_opts.flags & CBQCLF_ROOTCLASS)
- root_class++;
- if (altq->pq_u.cbq_opts.flags & CBQCLF_DEFCLASS)
- default_class++;
- }
- if (root_class != 1) {
- warnx("should have one root queue on %s", pa->ifname);
+ if (if_ppa->meta.root_classes != 1) {
+ warnx("should have one root queue on %s", if_ppa->pa.ifname);
error++;
}
- if (default_class != 1) {
- warnx("should have one default queue on %s", pa->ifname);
+ if (if_ppa->meta.default_classes != 1) {
+ warnx("should have one default queue on %s", if_ppa->pa.ifname);
error++;
}
return (error);
@@ -653,51 +695,37 @@ print_cbq_opts(const struct pf_altq *a)
* PRIQ support functions
*/
static int
-eval_pfqueue_priq(struct pfctl *pf, struct pf_altq *pa)
+eval_pfqueue_priq(struct pfctl *pf, struct pf_altq *pa, struct pfctl_altq *if_ppa)
{
- struct pf_altq *altq;
if (pa->priority >= PRIQ_MAXPRI) {
warnx("priority out of range: max %d", PRIQ_MAXPRI - 1);
return (-1);
}
- /* the priority should be unique for the interface */
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) == 0 &&
- altq->qname[0] != 0 && altq->priority == pa->priority) {
- warnx("%s and %s have the same priority",
- altq->qname, pa->qname);
- return (-1);
- }
- }
+ if (BIT_ISSET(QPRI_BITSET_SIZE, pa->priority, &if_ppa->meta.qpris)) {
+ warnx("%s does not have a unique priority on interface %s",
+ pa->qname, pa->ifname);
+ return (-1);
+ } else
+ BIT_SET(QPRI_BITSET_SIZE, pa->priority, &if_ppa->meta.qpris);
+ if (pa->pq_u.priq_opts.flags & PRCF_DEFAULTCLASS)
+ if_ppa->meta.default_classes++;
return (0);
}
static int
-check_commit_priq(int dev, int opts, struct pf_altq *pa)
+check_commit_priq(int dev, int opts, struct pfctl_altq *if_ppa)
{
- struct pf_altq *altq;
- int default_class;
- int error = 0;
/*
* check if priq has one default class for this interface
*/
- default_class = 0;
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
- if (altq->pq_u.priq_opts.flags & PRCF_DEFAULTCLASS)
- default_class++;
- }
- if (default_class != 1) {
- warnx("should have one default queue on %s", pa->ifname);
- error++;
+ if (if_ppa->meta.default_classes != 1) {
+ warnx("should have one default queue on %s", if_ppa->pa.ifname);
+ return (1);
}
- return (error);
+ return (0);
}
static int
@@ -732,15 +760,15 @@ print_priq_opts(const struct pf_altq *a)
* HFSC support functions
*/
static int
-eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa)
+eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa, struct pfctl_altq *if_ppa,
+ struct pfctl_altq *parent)
{
- struct pf_altq *altq, *parent;
struct hfsc_opts_v1 *opts;
struct service_curve sc;
opts = &pa->pq_u.hfsc_opts;
- if (pa->parent[0] == 0) {
+ if (parent == NULL) {
/* root queue */
opts->lssc_m1 = pa->ifbandwidth;
opts->lssc_m2 = pa->ifbandwidth;
@@ -748,9 +776,21 @@ eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa)
return (0);
}
- LIST_INIT(&rtsc);
- LIST_INIT(&lssc);
+ /* First child initializes the parent's service curve accumulators. */
+ if (parent->meta.children == 1) {
+ LIST_INIT(&parent->meta.rtsc);
+ LIST_INIT(&parent->meta.lssc);
+ }
+ if (parent->pa.pq_u.hfsc_opts.flags & HFCF_DEFAULTCLASS) {
+ warnx("adding %s would make default queue %s not a leaf",
+ pa->qname, pa->parent);
+ return (-1);
+ }
+
+ if (pa->pq_u.hfsc_opts.flags & HFCF_DEFAULTCLASS)
+ if_ppa->meta.default_classes++;
+
/* if link_share is not specified, use bandwidth */
if (opts->lssc_m2 == 0)
opts->lssc_m2 = pa->bandwidth;
@@ -780,51 +820,22 @@ eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa)
* be smaller than the interface bandwidth, and the upper-limit should
* be larger than the real-time service curve when both are defined.
*/
- parent = qname_to_pfaltq(pa->parent, pa->ifname);
- if (parent == NULL)
- errx(1, "parent %s not found for %s", pa->parent, pa->qname);
-
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
-
- /* if the class has a real-time service curve, add it. */
- if (opts->rtsc_m2 != 0 && altq->pq_u.hfsc_opts.rtsc_m2 != 0) {
- sc.m1 = altq->pq_u.hfsc_opts.rtsc_m1;
- sc.d = altq->pq_u.hfsc_opts.rtsc_d;
- sc.m2 = altq->pq_u.hfsc_opts.rtsc_m2;
- gsc_add_sc(&rtsc, &sc);
- }
-
- if (strncmp(altq->parent, pa->parent, PF_QNAME_SIZE) != 0)
- continue;
-
- /* if the class has a linkshare service curve, add it. */
- if (opts->lssc_m2 != 0 && altq->pq_u.hfsc_opts.lssc_m2 != 0) {
- sc.m1 = altq->pq_u.hfsc_opts.lssc_m1;
- sc.d = altq->pq_u.hfsc_opts.lssc_d;
- sc.m2 = altq->pq_u.hfsc_opts.lssc_m2;
- gsc_add_sc(&lssc, &sc);
- }
- }
-
+
/* check the real-time service curve. reserve 20% of interface bw */
if (opts->rtsc_m2 != 0) {
/* add this queue to the sum */
sc.m1 = opts->rtsc_m1;
sc.d = opts->rtsc_d;
sc.m2 = opts->rtsc_m2;
- gsc_add_sc(&rtsc, &sc);
+ gsc_add_sc(&parent->meta.rtsc, &sc);
/* compare the sum with 80% of the interface */
sc.m1 = 0;
sc.d = 0;
sc.m2 = pa->ifbandwidth / 100 * 80;
- if (!is_gsc_under_sc(&rtsc, &sc)) {
+ if (!is_gsc_under_sc(&parent->meta.rtsc, &sc)) {
warnx("real-time sc exceeds 80%% of the interface "
"bandwidth (%s)", rate2str((double)sc.m2));
- goto err_ret;
+ return (-1);
}
}
@@ -834,14 +845,14 @@ eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa)
sc.m1 = opts->lssc_m1;
sc.d = opts->lssc_d;
sc.m2 = opts->lssc_m2;
- gsc_add_sc(&lssc, &sc);
+ gsc_add_sc(&parent->meta.lssc, &sc);
/* compare the sum of the children with parent's sc */
- sc.m1 = parent->pq_u.hfsc_opts.lssc_m1;
- sc.d = parent->pq_u.hfsc_opts.lssc_d;
- sc.m2 = parent->pq_u.hfsc_opts.lssc_m2;
- if (!is_gsc_under_sc(&lssc, &sc)) {
+ sc.m1 = parent->pa.pq_u.hfsc_opts.lssc_m1;
+ sc.d = parent->pa.pq_u.hfsc_opts.lssc_d;
+ sc.m2 = parent->pa.pq_u.hfsc_opts.lssc_m2;
+ if (!is_gsc_under_sc(&parent->meta.lssc, &sc)) {
warnx("linkshare sc exceeds parent's sc");
- goto err_ret;
+ return (-1);
}
}
@@ -850,38 +861,30 @@ eval_pfqueue_hfsc(struct pfctl *pf, struct pf_altq *pa)
if (opts->ulsc_m1 > pa->ifbandwidth ||
opts->ulsc_m2 > pa->ifbandwidth) {
warnx("upper-limit larger than interface bandwidth");
- goto err_ret;
+ return (-1);
}
if (opts->rtsc_m2 != 0 && opts->rtsc_m2 > opts->ulsc_m2) {
warnx("upper-limit sc smaller than real-time sc");
- goto err_ret;
+ return (-1);
}
}
- gsc_destroy(&rtsc);
- gsc_destroy(&lssc);
-
return (0);
-
-err_ret:
- gsc_destroy(&rtsc);
- gsc_destroy(&lssc);
- return (-1);
}
/*
* FAIRQ support functions
*/
static int
-eval_pfqueue_fairq(struct pfctl *pf __unused, struct pf_altq *pa)
+eval_pfqueue_fairq(struct pfctl *pf __unused, struct pf_altq *pa,
+ struct pfctl_altq *if_ppa, struct pfctl_altq *parent)
{
- struct pf_altq *altq, *parent;
struct fairq_opts *opts;
struct service_curve sc;
opts = &pa->pq_u.fairq_opts;
- if (pa->parent[0] == 0) {
+ if (pa->parent == NULL) {
/* root queue */
opts->lssc_m1 = pa->ifbandwidth;
opts->lssc_m2 = pa->ifbandwidth;
@@ -889,7 +892,18 @@ eval_pfqueue_fairq(struct pfctl *pf __unused, struct pf_altq *pa)
return (0);
}
- LIST_INIT(&lssc);
+ /* First child initializes the parent's service curve accumulator. */
+ if (parent->meta.children == 1)
+ LIST_INIT(&parent->meta.lssc);
+
+ if (parent->pa.pq_u.fairq_opts.flags & FARF_DEFAULTCLASS) {
+ warnx("adding %s would make default queue %s not a leaf",
+ pa->qname, pa->parent);
+ return (-1);
+ }
+
+ if (pa->pq_u.fairq_opts.flags & FARF_DEFAULTCLASS)
+ if_ppa->meta.default_classes++;
/* if link_share is not specified, use bandwidth */
if (opts->lssc_m2 == 0)
@@ -906,122 +920,49 @@ eval_pfqueue_fairq(struct pfctl *pf __unused, struct pf_altq *pa)
* be smaller than the interface bandwidth, and the upper-limit should
* be larger than the real-time service curve when both are defined.
*/
- parent = qname_to_pfaltq(pa->parent, pa->ifname);
- if (parent == NULL)
- errx(1, "parent %s not found for %s", pa->parent, pa->qname);
-
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
-
- if (strncmp(altq->parent, pa->parent, PF_QNAME_SIZE) != 0)
- continue;
-
- /* if the class has a link-sharing service curve, add it. */
- if (opts->lssc_m2 != 0 && altq->pq_u.fairq_opts.lssc_m2 != 0) {
- sc.m1 = altq->pq_u.fairq_opts.lssc_m1;
- sc.d = altq->pq_u.fairq_opts.lssc_d;
- sc.m2 = altq->pq_u.fairq_opts.lssc_m2;
- gsc_add_sc(&lssc, &sc);
- }
- }
- /* check the link-sharing service curve. */
+ /* check the linkshare service curve. */
if (opts->lssc_m2 != 0) {
- sc.m1 = parent->pq_u.fairq_opts.lssc_m1;
- sc.d = parent->pq_u.fairq_opts.lssc_d;
- sc.m2 = parent->pq_u.fairq_opts.lssc_m2;
- if (!is_gsc_under_sc(&lssc, &sc)) {
+ /* add this queue to the child sum */
+ sc.m1 = opts->lssc_m1;
+ sc.d = opts->lssc_d;
+ sc.m2 = opts->lssc_m2;
+ gsc_add_sc(&parent->meta.lssc, &sc);
+ /* compare the sum of the children with parent's sc */
+ sc.m1 = parent->pa.pq_u.fairq_opts.lssc_m1;
+ sc.d = parent->pa.pq_u.fairq_opts.lssc_d;
+ sc.m2 = parent->pa.pq_u.fairq_opts.lssc_m2;
+ if (!is_gsc_under_sc(&parent->meta.lssc, &sc)) {
warnx("link-sharing sc exceeds parent's sc");
- goto err_ret;
+ return (-1);
}
}
- gsc_destroy(&lssc);
-
return (0);
-
-err_ret:
- gsc_destroy(&lssc);
- return (-1);
}
static int
-check_commit_hfsc(int dev, int opts, struct pf_altq *pa)
+check_commit_hfsc(int dev, int opts, struct pfctl_altq *if_ppa)
{
- struct pf_altq *altq, *def = NULL;
- int default_class;
- int error = 0;
/* check if hfsc has one default queue for this interface */
- default_class = 0;
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
- if (altq->parent[0] == 0) /* dummy root */
- continue;
- if (altq->pq_u.hfsc_opts.flags & HFCF_DEFAULTCLASS) {
- default_class++;
- def = altq;
- }
- }
- if (default_class != 1) {
- warnx("should have one default queue on %s", pa->ifname);
+ if (if_ppa->meta.default_classes != 1) {
+ warnx("should have one default queue on %s", if_ppa->pa.ifname);
return (1);
}
- /* make sure the default queue is a leaf */
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
- if (strncmp(altq->parent, def->qname, PF_QNAME_SIZE) == 0) {
- warnx("default queue is not a leaf");
- error++;
- }
- }
- return (error);
+ return (0);
}
static int
-check_commit_fairq(int dev __unused, int opts __unused, struct pf_altq *pa)
+check_commit_fairq(int dev __unused, int opts __unused, struct pfctl_altq *if_ppa)
{
- struct pf_altq *altq, *def = NULL;
- int default_class;
- int error = 0;
/* check if fairq has one default queue for this interface */
- default_class = 0;
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
- if (altq->pq_u.fairq_opts.flags & FARF_DEFAULTCLASS) {
- default_class++;
- def = altq;
- }
- }
- if (default_class != 1) {
- warnx("should have one default queue on %s", pa->ifname);
+ if (if_ppa->meta.default_classes != 1) {
+ warnx("should have one default queue on %s", if_ppa->pa.ifname);
return (1);
}
- /* make sure the default queue is a leaf */
- TAILQ_FOREACH(altq, &altqs, entries) {
- if (strncmp(altq->ifname, pa->ifname, IFNAMSIZ) != 0)
- continue;
- if (altq->qname[0] == 0) /* this is for interface */
- continue;
- if (strncmp(altq->parent, def->qname, PF_QNAME_SIZE) == 0) {
- warnx("default queue is not a leaf");
- error++;
- }
- }
- return (error);
+ return (0);
}
static int
@@ -1194,17 +1135,6 @@ is_gsc_under_sc(struct gen_sc *gsc, struct service_curve *sc)
return (1);
}
-static void
-gsc_destroy(struct gen_sc *gsc)
-{
- struct segment *s;
-
- while ((s = LIST_FIRST(gsc)) != NULL) {
- LIST_REMOVE(s, _next);
- free(s);
- }
-}
-
/*
* return a segment entry starting at x.
* if gsc has no entry starting at x, a new entry is created at x.
@@ -1369,8 +1299,7 @@ getifspeed(char *ifname)
struct ifreq ifr;
struct if_data ifrdat;
- if ((s = socket(get_socket_domain(), SOCK_DGRAM, 0)) < 0)
- err(1, "socket");
+ s = get_query_socket();
bzero(&ifr, sizeof(ifr));
if (strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)) >=
sizeof(ifr.ifr_name))
@@ -1378,8 +1307,6 @@ getifspeed(char *ifname)
ifr.ifr_data = (caddr_t)&ifrdat;
if (ioctl(s, SIOCGIFDATA, (caddr_t)&ifr) == -1)
err(1, "SIOCGIFDATA");
- if (close(s))
- err(1, "close");
return ((u_int32_t)ifrdat.ifi_baudrate);
}
#endif
@@ -1390,8 +1317,7 @@ getifmtu(char *ifname)
int s;
struct ifreq ifr;
- if ((s = socket(get_socket_domain(), SOCK_DGRAM, 0)) < 0)
- err(1, "socket");
+ s = get_query_socket();
bzero(&ifr, sizeof(ifr));
if (strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)) >=
sizeof(ifr.ifr_name))
@@ -1402,8 +1328,6 @@ getifmtu(char *ifname)
#else
err(1, "SIOCGIFMTU");
#endif
- if (close(s))
- err(1, "close");
if (ifr.ifr_mtu > 0)
return (ifr.ifr_mtu);
else {
diff --git a/freebsd/sbin/pfctl/pfctl_parser.c b/freebsd/sbin/pfctl/pfctl_parser.c
index 6631955..56f548b 100644
--- a/freebsd/sbin/pfctl/pfctl_parser.c
+++ b/freebsd/sbin/pfctl/pfctl_parser.c
@@ -61,6 +61,7 @@ __FBSDID("$FreeBSD$");
#include <net/pfvar.h>
#include <arpa/inet.h>
+#include <search.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -86,7 +87,6 @@ void print_fromto(struct pf_rule_addr *, pf_osfp_t,
struct pf_rule_addr *, u_int8_t, u_int8_t, int, int);
int ifa_skip_if(const char *filter, struct node_host *p);
-struct node_host *ifa_grouplookup(const char *, int);
struct node_host *host_if(const char *, int);
struct node_host *host_v4(const char *, int);
struct node_host *host_v6(const char *, int);
@@ -223,6 +223,19 @@ const struct pf_timeout pf_timeouts[] = {
{ NULL, 0 }
};
+static struct hsearch_data isgroup_map;
+
+static __attribute__((constructor)) void
+pfctl_parser_init(void)
+{
+ /*
+ * As hdestroy() will never be called on these tables, it will be
+ * safe to use references into the stored data as keys.
+ */
+ if (hcreate_r(0, &isgroup_map) == 0)
+ err(1, "Failed to create interface group query response map");
+}
+
const struct icmptypeent *
geticmptypebynumber(u_int8_t type, sa_family_t af)
{
@@ -1167,6 +1180,71 @@ check_netmask(struct node_host *h, sa_family_t af)
static struct node_host *iftab;
+/*
+ * Retrieve the list of groups this interface is a member of and make sure
+ * each group is in the group map.
+ */
+static void
+ifa_add_groups_to_map(char *ifa_name)
+{
+ int s, len;
+ struct ifgroupreq ifgr;
+ struct ifg_req *ifg;
+
+ s = get_query_socket();
+
+ /* Get size of group list for this interface */
+ memset(&ifgr, 0, sizeof(ifgr));
+ strlcpy(ifgr.ifgr_name, ifa_name, IFNAMSIZ);
+ if (ioctl(s, SIOCGIFGROUP, (caddr_t)&ifgr) == -1)
+ err(1, "SIOCGIFGROUP");
+
+ /* Retrieve group list for this interface */
+ len = ifgr.ifgr_len;
+ ifgr.ifgr_groups =
+ (struct ifg_req *)calloc(len / sizeof(struct ifg_req),
+ sizeof(struct ifg_req));
+ if (ifgr.ifgr_groups == NULL)
+ err(1, "calloc");
+ if (ioctl(s, SIOCGIFGROUP, (caddr_t)&ifgr) == -1)
+ err(1, "SIOCGIFGROUP");
+
+ ifg = ifgr.ifgr_groups;
+ for (; ifg && len >= sizeof(struct ifg_req); ifg++) {
+ len -= sizeof(struct ifg_req);
+ if (strcmp(ifg->ifgrq_group, "all")) {
+ ENTRY item;
+ ENTRY *ret_item;
+ int *answer;
+
+ item.key = ifg->ifgrq_group;
+ if (hsearch_r(item, FIND, &ret_item, &isgroup_map) == 0) {
+ struct ifgroupreq ifgr2;
+
+ /* Don't know the answer yet */
+ if ((answer = malloc(sizeof(int))) == NULL)
+ err(1, "malloc");
+
+ bzero(&ifgr2, sizeof(ifgr2));
+ strlcpy(ifgr2.ifgr_name, ifg->ifgrq_group,
+ sizeof(ifgr2.ifgr_name));
+ if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr2) == 0)
+ *answer = ifgr2.ifgr_len;
+ else
+ *answer = 0;
+
+ item.key = strdup(ifg->ifgrq_group);
+ item.data = answer;
+ if (hsearch_r(item, ENTER, &ret_item,
+ &isgroup_map) == 0)
+ err(1, "interface group query response"
+ " map insert");
+ }
+ }
+ }
+ free(ifgr.ifgr_groups);
+}
+
void
ifa_load(void)
{
@@ -1234,6 +1312,8 @@ ifa_load(void)
sizeof(struct in6_addr));
n->ifindex = ((struct sockaddr_in6 *)
ifa->ifa_addr)->sin6_scope_id;
+ } else if (n->af == AF_LINK) {
+ ifa_add_groups_to_map(ifa->ifa_name);
}
if ((n->ifname = strdup(ifa->ifa_name)) == NULL)
err(1, "ifa_load: strdup");
@@ -1251,7 +1331,7 @@ ifa_load(void)
freeifaddrs(ifap);
}
-int
+static int
get_socket_domain(void)
{
int sdom;
@@ -1271,31 +1351,54 @@ get_socket_domain(void)
return (sdom);
}
+int
+get_query_socket(void)
+{
+ static int s = -1;
+
+ if (s == -1) {
+ if ((s = socket(get_socket_domain(), SOCK_DGRAM, 0)) == -1)
+ err(1, "socket");
+ }
+
+ return (s);
+}
+
+/*
+ * Returns the response len if the name is a group, otherwise returns 0.
+ */
+static int
+is_a_group(char *name)
+{
+ ENTRY item;
+ ENTRY *ret_item;
+
+ item.key = name;
+ if (hsearch_r(item, FIND, &ret_item, &isgroup_map) == 0)
+ return (0);
+
+ return (*(int *)ret_item->data);
+}
+
struct node_host *
-ifa_exists(const char *ifa_name)
+ifa_exists(char *ifa_name)
{
struct node_host *n;
- struct ifgroupreq ifgr;
int s;
if (iftab == NULL)
ifa_load();
- /* check wether this is a group */
- if ((s = socket(get_socket_domain(), SOCK_DGRAM, 0)) == -1)
- err(1, "socket");
- bzero(&ifgr, sizeof(ifgr));
- strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
- if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == 0) {
+ /* check whether this is a group */
+ s = get_query_socket();
+ if (is_a_group(ifa_name)) {
/* fake a node_host */
if ((n = calloc(1, sizeof(*n))) == NULL)
err(1, "calloc");
if ((n->ifname = strdup(ifa_name)) == NULL)
err(1, "strdup");
- close(s);
return (n);
}
- close(s);
for (n = iftab; n; n = n->next) {
if (n->af == AF_LINK && !strncmp(n->ifname, ifa_name, IFNAMSIZ))
@@ -1306,23 +1409,20 @@ ifa_exists(const char *ifa_name)
}
struct node_host *
-ifa_grouplookup(const char *ifa_name, int flags)
+ifa_grouplookup(char *ifa_name, int flags)
{
struct ifg_req *ifg;
struct ifgroupreq ifgr;
int s, len;
struct node_host *n, *h = NULL;
- if ((s = socket(get_socket_domain(), SOCK_DGRAM, 0)) == -1)
- err(1, "socket");
+ s = get_query_socket();
+ len = is_a_group(ifa_name);
+ if (len == 0)
+ return (NULL);
bzero(&ifgr, sizeof(ifgr));
strlcpy(ifgr.ifgr_name, ifa_name, sizeof(ifgr.ifgr_name));
- if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1) {
- close(s);
- return (NULL);
- }
-
- len = ifgr.ifgr_len;
+ ifgr.ifgr_len = len;
if ((ifgr.ifgr_groups = calloc(1, len)) == NULL)
err(1, "calloc");
if (ioctl(s, SIOCGIFGMEMB, (caddr_t)&ifgr) == -1)
@@ -1341,13 +1441,12 @@ ifa_grouplookup(const char *ifa_name, int flags)
}
}
free(ifgr.ifgr_groups);
- close(s);
return (h);
}
struct node_host *
-ifa_lookup(const char *ifa_name, int flags)
+ifa_lookup(char *ifa_name, int flags)
{
struct node_host *p = NULL, *h = NULL, *n = NULL;
int got4 = 0, got6 = 0;
diff --git a/freebsd/sbin/pfctl/pfctl_parser.h b/freebsd/sbin/pfctl/pfctl_parser.h
index 05ebdf2..aa6d98d 100644
--- a/freebsd/sbin/pfctl/pfctl_parser.h
+++ b/freebsd/sbin/pfctl/pfctl_parser.h
@@ -177,6 +177,24 @@ struct node_queue_opt {
} data;
};
+#define QPRI_BITSET_SIZE 256
+BITSET_DEFINE(qpri_bitset, QPRI_BITSET_SIZE);
+LIST_HEAD(gen_sc, segment);
+
+struct pfctl_altq {
+ struct pf_altq pa;
+ struct {
+ STAILQ_ENTRY(pfctl_altq) link;
+ u_int64_t bwsum;
+ struct qpri_bitset qpris;
+ int children;
+ int root_classes;
+ int default_classes;
+ struct gen_sc lssc;
+ struct gen_sc rtsc;
+ } meta;
+};
+
#ifdef __FreeBSD__
/*
* XXX
@@ -313,10 +331,10 @@ void set_ipmask(struct node_host *, u_int8_t);
int check_netmask(struct node_host *, sa_family_t);
int unmask(struct pf_addr *, sa_family_t);
void ifa_load(void);
-int get_socket_domain(void);
-struct node_host *ifa_exists(const char *);
-struct node_host *ifa_grouplookup(const char *ifa_name, int flags);
-struct node_host *ifa_lookup(const char *, int);
+int get_query_socket(void);
+struct node_host *ifa_exists(char *);
+struct node_host *ifa_grouplookup(char *ifa_name, int flags);
+struct node_host *ifa_lookup(char *, int);
struct node_host *host(const char *);
int append_addr(struct pfr_buffer *, char *, int);
diff --git a/freebsd/sbin/pfctl/rtems-bsd-pfctl-namespace.h b/freebsd/sbin/pfctl/rtems-bsd-pfctl-namespace.h
index 1712b9e..3d805ea 100644
--- a/freebsd/sbin/pfctl/rtems-bsd-pfctl-namespace.h
+++ b/freebsd/sbin/pfctl/rtems-bsd-pfctl-namespace.h
@@ -62,14 +62,11 @@
#define eval_queue_opts _bsd_pfctl_eval_queue_opts
#define getifmtu _bsd_pfctl_getifmtu
#define getifspeed _bsd_pfctl_getifspeed
-#define pfaltq_lookup _bsd_pfctl_pfaltq_lookup
#define pfaltq_store _bsd_pfctl_pfaltq_store
#define print_altq _bsd_pfctl_print_altq
#define print_fairq_sc _bsd_pfctl_print_fairq_sc
#define print_hfsc_sc _bsd_pfctl_print_hfsc_sc
#define print_queue _bsd_pfctl_print_queue
-#define qname_to_pfaltq _bsd_pfctl_qname_to_pfaltq
-#define qname_to_qid _bsd_pfctl_qname_to_qid
#define rate2str _bsd_pfctl_rate2str
/* pfctl.c */
#define altqsupport _bsd_pfctl_altqsupport
@@ -186,7 +183,7 @@
#define append_addr _bsd_pfctl_append_addr
#define append_addr_host _bsd_pfctl_append_addr_host
#define check_netmask _bsd_pfctl_check_netmask
-#define get_socket_domain _bsd_pfctl_get_socket_domain
+#define get_query_socket _bsd_pfctl_get_query_socket
#define geticmpcodebyname _bsd_pfctl_geticmpcodebyname
#define geticmpcodebynumber _bsd_pfctl_geticmpcodebynumber
#define geticmptypebyname _bsd_pfctl_geticmptypebyname
diff --git a/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_altq-data.h b/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_altq-data.h
index fb03f2b..4c39bea 100644
--- a/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_altq-data.h
+++ b/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_altq-data.h
@@ -4,6 +4,9 @@
/* pfctl_altq.c */
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static char r2sbuf[][16]);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static int idx);
-RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct altqs altqs);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct gen_sc lssc);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct gen_sc rtsc);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct hsearch_data if_map);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct hsearch_data qid_map);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct hsearch_data queue_map);
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct interfaces interfaces);
diff --git a/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_parser-data.h b/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_parser-data.h
index bb8832a..f9a7f49 100644
--- a/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_parser-data.h
+++ b/freebsd/sbin/pfctl/rtems-bsd-pfctl-pfctl_parser-data.h
@@ -2,4 +2,5 @@
#include <rtems/linkersets.h>
#include "rtems-bsd-pfctl-data.h"
/* pfctl_parser.c */
+RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct hsearch_data isgroup_map);
RTEMS_LINKER_RWSET_CONTENT(bsd_prog_pfctl, static struct node_host *iftab);
diff --git a/freebsd/sbin/sysctl/sysctl.c b/freebsd/sbin/sysctl/sysctl.c
index f298da0..30ebe5f 100644
--- a/freebsd/sbin/sysctl/sysctl.c
+++ b/freebsd/sbin/sysctl/sysctl.c
@@ -61,6 +61,7 @@ static const char rcsid[] =
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/vmmeter.h>
+#include <dev/evdev/input.h>
#ifdef __amd64__
#include <sys/efi.h>
@@ -729,6 +730,22 @@ S_vmtotal(size_t l2, void *p)
return (0);
}
+static int
+S_input_id(size_t l2, void *p)
+{
+ struct input_id *id = p;
+
+ if (l2 != sizeof(*id)) {
+ warnx("S_input_id %zu != %zu", l2, sizeof(*id));
+ return (1);
+ }
+
+ printf("{ bustype = 0x%04x, vendor = 0x%04x, "
+ "product = 0x%04x, version = 0x%04x }",
+ id->bustype, id->vendor, id->product, id->version);
+ return (0);
+}
+
#ifdef __amd64__
static int
S_efi_map(size_t l2, void *p)
@@ -1036,6 +1053,8 @@ show_var(int *oid, int nlen)
func = S_loadavg;
else if (strcmp(fmt, "S,vmtotal") == 0)
func = S_vmtotal;
+ else if (strcmp(fmt, "S,input_id") == 0)
+ func = S_input_id;
#ifdef __amd64__
else if (strcmp(fmt, "S,efi_map_header") == 0)
func = S_efi_map;
diff --git a/freebsd/sys/dev/e1000/em_txrx.c b/freebsd/sys/dev/e1000/em_txrx.c
index c2b6074..4faf806 100644
--- a/freebsd/sys/dev/e1000/em_txrx.c
+++ b/freebsd/sys/dev/e1000/em_txrx.c
@@ -459,16 +459,11 @@ em_isc_txd_credits_update(void *arg, uint16_t txqid, bool clear)
prev = txr->tx_cidx_processed;
ntxd = scctx->isc_ntxd[0];
do {
+ MPASS(prev != cur);
delta = (int32_t)cur - (int32_t)prev;
- /*
- * XXX This appears to be a hack for first-packet.
- * A correct fix would prevent prev == cur in the first place.
- */
- MPASS(prev == 0 || delta != 0);
- if (prev == 0 && cur == 0)
- delta += 1;
if (delta < 0)
delta += ntxd;
+ MPASS(delta > 0);
DPRINTF(iflib_get_dev(adapter->ctx),
"%s: cidx_processed=%u cur=%u clear=%d delta=%d\n",
__FUNCTION__, prev, cur, clear, delta);
diff --git a/freebsd/sys/dev/e1000/if_em.c b/freebsd/sys/dev/e1000/if_em.c
index 564a1ee..68e78ef 100644
--- a/freebsd/sys/dev/e1000/if_em.c
+++ b/freebsd/sys/dev/e1000/if_em.c
@@ -251,6 +251,7 @@ static int em_if_mtu_set(if_ctx_t ctx, uint32_t mtu);
static void em_if_timer(if_ctx_t ctx, uint16_t qid);
static void em_if_vlan_register(if_ctx_t ctx, u16 vtag);
static void em_if_vlan_unregister(if_ctx_t ctx, u16 vtag);
+static void em_if_watchdog_reset(if_ctx_t ctx);
static void em_identify_hardware(if_ctx_t ctx);
static int em_allocate_pci_resources(if_ctx_t ctx);
@@ -388,6 +389,7 @@ static device_method_t em_if_methods[] = {
DEVMETHOD(ifdi_mtu_set, em_if_mtu_set),
DEVMETHOD(ifdi_promisc_set, em_if_set_promisc),
DEVMETHOD(ifdi_timer, em_if_timer),
+ DEVMETHOD(ifdi_watchdog_reset, em_if_watchdog_reset),
DEVMETHOD(ifdi_vlan_register, em_if_vlan_register),
DEVMETHOD(ifdi_vlan_unregister, em_if_vlan_unregister),
DEVMETHOD(ifdi_get_counter, em_if_get_counter),
@@ -723,7 +725,6 @@ em_set_num_queues(if_ctx_t ctx)
*
* return 0 on success, positive on failure
*********************************************************************/
-
static int
em_if_attach_pre(if_ctx_t ctx)
{
@@ -733,15 +734,10 @@ em_if_attach_pre(if_ctx_t ctx)
struct e1000_hw *hw;
int error = 0;
- INIT_DEBUGOUT("em_if_attach_pre begin");
+ INIT_DEBUGOUT("em_if_attach_pre: begin");
dev = iflib_get_dev(ctx);
adapter = iflib_get_softc(ctx);
- if (resource_disabled("em", device_get_unit(dev))) {
- device_printf(dev, "Disabled by device hint\n");
- return (ENXIO);
- }
-
adapter->ctx = adapter->osdep.ctx = ctx;
adapter->dev = adapter->osdep.dev = dev;
scctx = adapter->shared = iflib_get_softc_ctx(ctx);
@@ -779,7 +775,6 @@ em_if_attach_pre(if_ctx_t ctx)
/* Determine hardware and mac info */
em_identify_hardware(ctx);
- scctx->isc_msix_bar = PCIR_BAR(EM_MSIX_BAR);
scctx->isc_tx_nsegments = EM_MAX_SCATTER;
scctx->isc_nrxqsets_max = scctx->isc_ntxqsets_max = em_set_num_queues(ctx);
if (bootverbose)
@@ -787,8 +782,6 @@ em_if_attach_pre(if_ctx_t ctx)
scctx->isc_ntxqsets_max);
if (adapter->hw.mac.type >= igb_mac_min) {
- int try_second_bar;
-
scctx->isc_txqsizes[0] = roundup2(scctx->isc_ntxd[0] * sizeof(union e1000_adv_tx_desc), EM_DBA_ALIGN);
scctx->isc_rxqsizes[0] = roundup2(scctx->isc_nrxd[0] * sizeof(union e1000_adv_rx_desc), EM_DBA_ALIGN);
scctx->isc_txd_size[0] = sizeof(union e1000_adv_tx_desc);
@@ -802,14 +795,13 @@ em_if_attach_pre(if_ctx_t ctx)
CSUM_IP6_TCP | CSUM_IP6_UDP;
if (adapter->hw.mac.type != e1000_82575)
scctx->isc_tx_csum_flags |= CSUM_SCTP | CSUM_IP6_SCTP;
-
/*
** Some new devices, as with ixgbe, now may
** use a different BAR, so we need to keep
** track of which is used.
*/
- try_second_bar = pci_read_config(dev, scctx->isc_msix_bar, 4);
- if (try_second_bar == 0)
+ scctx->isc_msix_bar = PCIR_BAR(EM_MSIX_BAR);
+ if (pci_read_config(dev, scctx->isc_msix_bar, 4) == 0)
scctx->isc_msix_bar += 4;
} else if (adapter->hw.mac.type >= em_mac_min) {
scctx->isc_txqsizes[0] = roundup2(scctx->isc_ntxd[0]* sizeof(struct e1000_tx_desc), EM_DBA_ALIGN);
@@ -839,6 +831,16 @@ em_if_attach_pre(if_ctx_t ctx)
*/
scctx->isc_capenable &= ~(IFCAP_TSO4 | IFCAP_VLAN_HWTSO);
scctx->isc_tx_csum_flags = CSUM_TCP | CSUM_UDP | CSUM_IP_TSO;
+ /*
+ * We support MSI-X with 82574 only, but indicate to iflib(4)
+ * that it shall give MSI at least a try with other devices.
+ */
+ if (adapter->hw.mac.type == e1000_82574) {
+ scctx->isc_msix_bar = PCIR_BAR(EM_MSIX_BAR);
+ } else {
+ scctx->isc_msix_bar = -1;
+ scctx->isc_disable_msix = 1;
+ }
} else {
scctx->isc_txqsizes[0] = roundup2((scctx->isc_ntxd[0] + 1) * sizeof(struct e1000_tx_desc), EM_DBA_ALIGN);
scctx->isc_rxqsizes[0] = roundup2((scctx->isc_nrxd[0] + 1) * sizeof(struct e1000_rx_desc), EM_DBA_ALIGN);
@@ -849,6 +851,7 @@ em_if_attach_pre(if_ctx_t ctx)
scctx->isc_capabilities = scctx->isc_capenable = LEM_CAPS;
if (adapter->hw.mac.type < e1000_82543)
scctx->isc_capenable &= ~(IFCAP_HWCSUM|IFCAP_VLAN_HWCSUM);
+ /* INTx only */
scctx->isc_msix_bar = 0;
}
@@ -1094,13 +1097,12 @@ err_late:
*
* return 0 on success, positive on failure
*********************************************************************/
-
static int
em_if_detach(if_ctx_t ctx)
{
struct adapter *adapter = iflib_get_softc(ctx);
- INIT_DEBUGOUT("em_detach: begin");
+ INIT_DEBUGOUT("em_if_detach: begin");
e1000_phy_hw_reset(&adapter->hw);
@@ -1205,16 +1207,16 @@ em_if_mtu_set(if_ctx_t ctx, uint32_t mtu)
* by the driver as a hw/sw initialization routine to get to a
* consistent state.
*
- * return 0 on success, positive on failure
**********************************************************************/
-
static void
em_if_init(if_ctx_t ctx)
{
struct adapter *adapter = iflib_get_softc(ctx);
+ if_softc_ctx_t scctx = adapter->shared;
struct ifnet *ifp = iflib_get_ifp(ctx);
struct em_tx_queue *tx_que;
int i;
+
INIT_DEBUGOUT("em_if_init: begin");
/* Get the latest mac address, User can use a LAA */
@@ -1244,7 +1246,14 @@ em_if_init(if_ctx_t ctx)
for (i = 0, tx_que = adapter->tx_queues; i < adapter->tx_num_queues; i++, tx_que++) {
struct tx_ring *txr = &tx_que->txr;
- txr->tx_rs_cidx = txr->tx_rs_pidx = txr->tx_cidx_processed = 0;
+ txr->tx_rs_cidx = txr->tx_rs_pidx;
+
+ /* Initialize the last processed descriptor to be the end of
+ * the ring, rather than the start, so that we avoid an
+ * off-by-one error when calculating how many descriptors are
+ * done in the credits_update function.
+ */
+ txr->tx_cidx_processed = scctx->isc_ntxd[0] - 1;
}
/* Setup VLAN support, basic and offload if available */
@@ -1691,37 +1700,24 @@ em_if_multi_set(if_ctx_t ctx)
}
}
-
/*********************************************************************
* Timer routine
*
- * This routine checks for link status and updates statistics.
+ * This routine schedules em_if_update_admin_status() to check for
+ * link status and to gather statistics as well as to perform some
+ * controller-specific hardware patting.
*
**********************************************************************/
-
static void
em_if_timer(if_ctx_t ctx, uint16_t qid)
{
- struct adapter *adapter = iflib_get_softc(ctx);
- struct em_rx_queue *que;
- int i;
- int trigger = 0;
if (qid != 0)
return;
iflib_admin_intr_deferred(ctx);
-
- /* Mask to use in the irq trigger */
- if (adapter->intr_type == IFLIB_INTR_MSIX) {
- for (i = 0, que = adapter->rx_queues; i < adapter->rx_num_queues; i++, que++)
- trigger |= que->eims;
- } else {
- trigger = E1000_ICS_RXDMT0;
- }
}
-
static void
em_if_update_admin_status(if_ctx_t ctx)
{
@@ -1827,21 +1823,30 @@ em_if_update_admin_status(if_ctx_t ctx)
E1000_WRITE_REG(&adapter->hw, E1000_IMS, EM_MSIX_LINK | E1000_IMS_LSC);
}
+static void
+em_if_watchdog_reset(if_ctx_t ctx)
+{
+ struct adapter *adapter = iflib_get_softc(ctx);
+
+ /*
+ * Just count the event; iflib(4) will already trigger a
+ * sufficient reset of the controller.
+ */
+ adapter->watchdog_events++;
+}
+
/*********************************************************************
*
* This routine disables all traffic on the adapter by issuing a
- * global reset on the MAC and deallocates TX/RX buffers.
+ * global reset on the MAC.
*
- * This routine should always be called with BOTH the CORE
- * and TX locks.
**********************************************************************/
-
static void
em_if_stop(if_ctx_t ctx)
{
struct adapter *adapter = iflib_get_softc(ctx);
- INIT_DEBUGOUT("em_stop: begin");
+ INIT_DEBUGOUT("em_if_stop: begin");
e1000_reset_hw(&adapter->hw);
if (adapter->hw.mac.type >= e1000_82544)
@@ -1851,7 +1856,6 @@ em_if_stop(if_ctx_t ctx)
e1000_cleanup_led(&adapter->hw);
}
-
/*********************************************************************
*
* Determine hardware revision.
@@ -1990,7 +1994,7 @@ em_if_msix_intr_assign(if_ctx_t ctx, int msix)
&adapter->rx_queues[i % adapter->rx_num_queues].que_irq,
IFLIB_INTR_TX, tx_que, tx_que->me, buf);
- tx_que->msix = (vector % adapter->tx_num_queues);
+ tx_que->msix = (vector % adapter->rx_num_queues);
/*
* Set the bit to enable interrupt
@@ -2003,9 +2007,9 @@ em_if_msix_intr_assign(if_ctx_t ctx, int msix)
adapter->ims |= tx_que->eims;
adapter->ivars |= (8 | tx_que->msix) << (8 + (i * 4));
} else if (adapter->hw.mac.type == e1000_82575) {
- tx_que->eims = E1000_EICR_TX_QUEUE0 << (i % adapter->tx_num_queues);
+ tx_que->eims = E1000_EICR_TX_QUEUE0 << i;
} else {
- tx_que->eims = 1 << (i % adapter->tx_num_queues);
+ tx_que->eims = 1 << i;
}
}
@@ -2220,11 +2224,9 @@ em_setup_msix(if_ctx_t ctx)
/*********************************************************************
*
- * Initialize the hardware to a configuration
- * as specified by the adapter structure.
+ * Workaround for SmartSpeed on 82541 and 82547 controllers
*
**********************************************************************/
-
static void
lem_smartspeed(struct adapter *adapter)
{
@@ -2389,6 +2391,12 @@ igb_init_dmac(struct adapter *adapter, u32 pba)
}
}
+/*********************************************************************
+ *
+ * Initialize the hardware to a configuration as specified by the
+ * adapter structure.
+ *
+ **********************************************************************/
static void
em_reset(if_ctx_t ctx)
{
@@ -2623,6 +2631,11 @@ em_reset(if_ctx_t ctx)
e1000_check_for_link(hw);
}
+/*
+ * Initialise the RSS mapping for NICs that support multiple transmit/
+ * receive rings.
+ */
+
#define RSSKEYLEN 10
static void
em_initialize_rss_mapping(struct adapter *adapter)
@@ -2663,7 +2676,6 @@ em_initialize_rss_mapping(struct adapter *adapter)
E1000_MRQC_RSS_FIELD_IPV6_TCP_EX |
E1000_MRQC_RSS_FIELD_IPV6_EX |
E1000_MRQC_RSS_FIELD_IPV6);
-
}
static void
@@ -2763,7 +2775,7 @@ igb_initialize_rss_mapping(struct adapter *adapter)
/*********************************************************************
*
- * Setup networking device structure and register an interface.
+ * Setup networking device structure and register interface media.
*
**********************************************************************/
static int
@@ -4009,12 +4021,6 @@ em_add_hw_stats(struct adapter *adapter)
SYSCTL_ADD_ULONG(ctx, child, OID_AUTO, "link_irq",
CTLFLAG_RD, &adapter->link_irq,
"Link MSI-X IRQ Handled");
- SYSCTL_ADD_ULONG(ctx, child, OID_AUTO, "mbuf_defrag_fail",
- CTLFLAG_RD, &adapter->mbuf_defrag_failed,
- "Defragmenting mbuf chain failed");
- SYSCTL_ADD_ULONG(ctx, child, OID_AUTO, "tx_dma_fail",
- CTLFLAG_RD, &adapter->no_tx_dma_setup,
- "Driver tx dma failure in xmit");
SYSCTL_ADD_ULONG(ctx, child, OID_AUTO, "rx_overruns",
CTLFLAG_RD, &adapter->rx_overruns,
"RX overruns");
@@ -4537,7 +4543,8 @@ em_enable_vectors_82574(if_ctx_t ctx)
u16 edata;
e1000_read_nvm(hw, EM_NVM_PCIE_CTRL, 1, &edata);
- printf("Current cap: %#06x\n", edata);
+ if (bootverbose)
+ device_printf(dev, "EM_NVM_PCIE_CTRL = %#06x\n", edata);
if (((edata & EM_NVM_MSIX_N_MASK) >> EM_NVM_MSIX_N_SHIFT) != 4) {
device_printf(dev, "Writing to eeprom: increasing "
"reported MSI-X vectors from 3 to 5...\n");
diff --git a/freebsd/sys/dev/e1000/if_em.h b/freebsd/sys/dev/e1000/if_em.h
index 55ca62d..392f6b3 100644
--- a/freebsd/sys/dev/e1000/if_em.h
+++ b/freebsd/sys/dev/e1000/if_em.h
@@ -519,7 +519,6 @@ struct adapter {
u64 que_mask;
-
struct em_int_delay_info tx_int_delay;
struct em_int_delay_info tx_abs_int_delay;
struct em_int_delay_info rx_int_delay;
@@ -529,9 +528,6 @@ struct adapter {
/* Misc stats maintained by the driver */
unsigned long dropped_pkts;
unsigned long link_irq;
- unsigned long mbuf_defrag_failed;
- unsigned long no_tx_dma_setup;
- unsigned long no_tx_map_avail;
unsigned long rx_overruns;
unsigned long watchdog_events;
diff --git a/freebsd/sys/dev/e1000/igb_txrx.c b/freebsd/sys/dev/e1000/igb_txrx.c
index c54315f..6da52b7 100644
--- a/freebsd/sys/dev/e1000/igb_txrx.c
+++ b/freebsd/sys/dev/e1000/igb_txrx.c
@@ -334,16 +334,11 @@ igb_isc_txd_credits_update(void *arg, uint16_t txqid, bool clear)
prev = txr->tx_cidx_processed;
ntxd = scctx->isc_ntxd[0];
do {
+ MPASS(prev != cur);
delta = (int32_t)cur - (int32_t)prev;
- /*
- * XXX This appears to be a hack for first-packet.
- * A correct fix would prevent prev == cur in the first place.
- */
- MPASS(prev == 0 || delta != 0);
- if (prev == 0 && cur == 0)
- delta += 1;
if (delta < 0)
delta += ntxd;
+ MPASS(delta > 0);
processed += delta;
prev = cur;
diff --git a/freebsd/sys/dev/evdev/evdev.c b/freebsd/sys/dev/evdev/evdev.c
index 63e651a..90d6423 100644
--- a/freebsd/sys/dev/evdev/evdev.c
+++ b/freebsd/sys/dev/evdev/evdev.c
@@ -75,14 +75,16 @@ int evdev_rcpt_mask = EVDEV_RCPT_HW_MOUSE | EVDEV_RCPT_HW_KBD;
#endif /* __rtems__ */
int evdev_sysmouse_t_axis = 0;
-#ifdef EVDEV_SUPPORT
SYSCTL_NODE(_kern, OID_AUTO, evdev, CTLFLAG_RW, 0, "Evdev args");
+#ifdef EVDEV_SUPPORT
SYSCTL_INT(_kern_evdev, OID_AUTO, rcpt_mask, CTLFLAG_RW, &evdev_rcpt_mask, 0,
"Who is receiving events: bit0 - sysmouse, bit1 - kbdmux, "
"bit2 - mouse hardware, bit3 - keyboard hardware");
SYSCTL_INT(_kern_evdev, OID_AUTO, sysmouse_t_axis, CTLFLAG_RW,
&evdev_sysmouse_t_axis, 0, "Extract T-axis from 0-none, 1-ums, 2-psm");
#endif
+SYSCTL_NODE(_kern_evdev, OID_AUTO, input, CTLFLAG_RD, 0,
+ "Evdev input devices");
static void evdev_start_repeat(struct evdev_dev *, uint16_t);
static void evdev_stop_repeat(struct evdev_dev *);
@@ -202,6 +204,87 @@ evdev_estimate_report_size(struct evdev_dev *evdev)
return (size);
}
+static void
+evdev_sysctl_create(struct evdev_dev *evdev)
+{
+ struct sysctl_oid *ev_sysctl_tree;
+ char ev_unit_str[8];
+
+ snprintf(ev_unit_str, sizeof(ev_unit_str), "%d", evdev->ev_unit);
+ sysctl_ctx_init(&evdev->ev_sysctl_ctx);
+
+ ev_sysctl_tree = SYSCTL_ADD_NODE_WITH_LABEL(&evdev->ev_sysctl_ctx,
+ SYSCTL_STATIC_CHILDREN(_kern_evdev_input), OID_AUTO,
+ ev_unit_str, CTLFLAG_RD, NULL, "", "device index");
+
+ SYSCTL_ADD_STRING(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "name", CTLFLAG_RD,
+ evdev->ev_name, 0,
+ "Input device name");
+
+ SYSCTL_ADD_STRUCT(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "id", CTLFLAG_RD,
+ &evdev->ev_id, input_id,
+ "Input device identification");
+
+ /* ioctl returns ENOENT if phys is not set. sysctl returns "" here */
+ SYSCTL_ADD_STRING(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "phys", CTLFLAG_RD,
+ evdev->ev_shortname, 0,
+ "Input device short name");
+
+ /* ioctl returns ENOENT if uniq is not set. sysctl returns "" here */
+ SYSCTL_ADD_STRING(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "uniq", CTLFLAG_RD,
+ evdev->ev_serial, 0,
+ "Input device unique number");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "props", CTLFLAG_RD,
+ evdev->ev_prop_flags, sizeof(evdev->ev_prop_flags), "",
+ "Input device properties");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "type_bits", CTLFLAG_RD,
+ evdev->ev_type_flags, sizeof(evdev->ev_type_flags), "",
+ "Input device supported events types");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "key_bits", CTLFLAG_RD,
+ evdev->ev_key_flags, sizeof(evdev->ev_key_flags),
+ "", "Input device supported keys");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "rel_bits", CTLFLAG_RD,
+ evdev->ev_rel_flags, sizeof(evdev->ev_rel_flags), "",
+ "Input device supported relative events");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "abs_bits", CTLFLAG_RD,
+ evdev->ev_abs_flags, sizeof(evdev->ev_abs_flags), "",
+ "Input device supported absolute events");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "msc_bits", CTLFLAG_RD,
+ evdev->ev_msc_flags, sizeof(evdev->ev_msc_flags), "",
+ "Input device supported miscellaneous events");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "led_bits", CTLFLAG_RD,
+ evdev->ev_led_flags, sizeof(evdev->ev_led_flags), "",
+ "Input device supported LED events");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "snd_bits", CTLFLAG_RD,
+ evdev->ev_snd_flags, sizeof(evdev->ev_snd_flags), "",
+ "Input device supported sound events");
+
+ SYSCTL_ADD_OPAQUE(&evdev->ev_sysctl_ctx,
+ SYSCTL_CHILDREN(ev_sysctl_tree), OID_AUTO, "sw_bits", CTLFLAG_RD,
+ evdev->ev_sw_flags, sizeof(evdev->ev_sw_flags), "",
+ "Input device supported switch events");
+}
+
static int
evdev_register_common(struct evdev_dev *evdev)
{
@@ -241,6 +324,12 @@ evdev_register_common(struct evdev_dev *evdev)
/* Create char device node */
ret = evdev_cdev_create(evdev);
+ if (ret != 0)
+ goto bail_out;
+
+ /* Create sysctls (for device enumeration without /dev/input access rights) */
+ evdev_sysctl_create(evdev);
+
bail_out:
return (ret);
}
@@ -278,6 +367,8 @@ evdev_unregister(struct evdev_dev *evdev)
debugf(evdev, "%s: unregistered evdev provider: %s\n",
evdev->ev_shortname, evdev->ev_name);
+ sysctl_ctx_free(&evdev->ev_sysctl_ctx);
+
EVDEV_LOCK(evdev);
evdev->ev_cdev->si_drv1 = NULL;
/* Wake up sleepers */
diff --git a/freebsd/sys/dev/evdev/evdev_private.h b/freebsd/sys/dev/evdev/evdev_private.h
index 71bdeca..7e74bb3 100644
--- a/freebsd/sys/dev/evdev/evdev_private.h
+++ b/freebsd/sys/dev/evdev/evdev_private.h
@@ -35,6 +35,7 @@
#include <sys/malloc.h>
#include <sys/queue.h>
#include <sys/selinfo.h>
+#include <sys/sysctl.h>
#include <dev/evdev/evdev.h>
#include <dev/evdev/input.h>
@@ -132,6 +133,9 @@ struct evdev_dev
const struct evdev_methods * ev_methods;
void * ev_softc;
+ /* Sysctl: */
+ struct sysctl_ctx_list ev_sysctl_ctx;
+
LIST_ENTRY(evdev_dev) ev_link;
LIST_HEAD(, evdev_client) ev_clients;
};
diff --git a/freebsd/sys/dev/rtwn/rtl8192c/r92c_init.c b/freebsd/sys/dev/rtwn/rtl8192c/r92c_init.c
index 199a419..8cd55fb 100644
--- a/freebsd/sys/dev/rtwn/rtl8192c/r92c_init.c
+++ b/freebsd/sys/dev/rtwn/rtl8192c/r92c_init.c
@@ -324,6 +324,7 @@ r92c_init_antsel(struct rtwn_softc *sc)
rtwn_bb_setbits(sc, R92C_FPGA0_RFPARAM(0), 0, 0x2000);
reg = rtwn_bb_read(sc, R92C_FPGA0_RFIFACEOE(0));
sc->sc_ant = MS(reg, R92C_FPGA0_RFIFACEOE0_ANT); /* XXX */
+ rtwn_setbits_1(sc, R92C_LEDCFG2, 0x80, 0);
}
void
diff --git a/freebsd/sys/dev/usb/quirk/usb_quirk.c b/freebsd/sys/dev/usb/quirk/usb_quirk.c
index 946ec7e..1f58aa2 100644
--- a/freebsd/sys/dev/usb/quirk/usb_quirk.c
+++ b/freebsd/sys/dev/usb/quirk/usb_quirk.c
@@ -395,6 +395,8 @@ static struct usb_quirk_entry usb_quirks[USB_DEV_QUIRKS_MAX] = {
UQ_MSC_FORCE_PROTO_SCSI, UQ_MSC_IGNORE_RESIDUE),
USB_QUIRK(SANDISK, SDCZ4_256, 0x0000, 0xffff, UQ_MSC_FORCE_WIRE_BBB,
UQ_MSC_FORCE_PROTO_SCSI, UQ_MSC_IGNORE_RESIDUE),
+ USB_QUIRK(SANDISK, SDCZ48_32, 0x0000, 0xffff, UQ_MSC_NO_SYNC_CACHE,
+ UQ_MSC_NO_TEST_UNIT_READY),
USB_QUIRK(SANDISK, SDDR31, 0x0000, 0xffff, UQ_MSC_FORCE_WIRE_BBB,
UQ_MSC_FORCE_PROTO_SCSI, UQ_MSC_READ_CAP_OFFBY1),
USB_QUIRK(SANDISK, IMAGEMATE_SDDR289, 0x0000, 0xffff,
diff --git a/freebsd/sys/dev/usb/wlan/if_run.c b/freebsd/sys/dev/usb/wlan/if_run.c
index 3211f1e..5cec460 100644
--- a/freebsd/sys/dev/usb/wlan/if_run.c
+++ b/freebsd/sys/dev/usb/wlan/if_run.c
@@ -3371,11 +3371,7 @@ run_tx(struct run_softc *sc, struct mbuf *m, struct ieee80211_node *ni)
if ((hasqos = IEEE80211_QOS_HAS_SEQ(wh))) {
uint8_t *frm;
- if(IEEE80211_HAS_ADDR4(wh))
- frm = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
- else
- frm =((struct ieee80211_qosframe *)wh)->i_qos;
-
+ frm = ieee80211_getqos(wh);
qos = le16toh(*(const uint16_t *)frm);
tid = qos & IEEE80211_QOS_TID;
qid = TID_TO_WME_AC(tid);
diff --git a/freebsd/sys/i386/include/machine/cpufunc.h b/freebsd/sys/i386/include/machine/cpufunc.h
index c640b56..a029da3 100644
--- a/freebsd/sys/i386/include/machine/cpufunc.h
+++ b/freebsd/sys/i386/include/machine/cpufunc.h
@@ -110,23 +110,49 @@ disable_intr(void)
__asm __volatile("cli" : : : "memory");
}
+#ifdef _KERNEL
static __inline void
do_cpuid(u_int ax, u_int *p)
{
__asm __volatile("cpuid"
- : "=a" (p[0]), "=b" (p[1]), "=c" (p[2]), "=d" (p[3])
- : "0" (ax));
+ : "=a" (p[0]), "=b" (p[1]), "=c" (p[2]), "=d" (p[3])
+ : "0" (ax));
}
static __inline void
cpuid_count(u_int ax, u_int cx, u_int *p)
{
__asm __volatile("cpuid"
- : "=a" (p[0]), "=b" (p[1]), "=c" (p[2]), "=d" (p[3])
- : "0" (ax), "c" (cx));
+ : "=a" (p[0]), "=b" (p[1]), "=c" (p[2]), "=d" (p[3])
+ : "0" (ax), "c" (cx));
+}
+#else
+static __inline void
+do_cpuid(u_int ax, u_int *p)
+{
+ __asm __volatile(
+ "pushl\t%%ebx\n\t"
+ "cpuid\n\t"
+ "movl\t%%ebx,%1\n\t"
+ "popl\t%%ebx"
+ : "=a" (p[0]), "=DS" (p[1]), "=c" (p[2]), "=d" (p[3])
+ : "0" (ax));
}
static __inline void
+cpuid_count(u_int ax, u_int cx, u_int *p)
+{
+ __asm __volatile(
+ "pushl\t%%ebx\n\t"
+ "cpuid\n\t"
+ "movl\t%%ebx,%1\n\t"
+ "popl\t%%ebx"
+ : "=a" (p[0]), "=DS" (p[1]), "=c" (p[2]), "=d" (p[3])
+ : "0" (ax), "c" (cx));
+}
+#endif
+
+static __inline void
enable_intr(void)
{
@@ -708,6 +734,22 @@ intr_restore(register_t eflags)
}
#endif /* __rtems__ */
+static __inline uint32_t
+rdpkru(void)
+{
+ uint32_t res;
+
+ __asm __volatile("rdpkru" : "=a" (res) : "c" (0) : "edx");
+ return (res);
+}
+
+static __inline void
+wrpkru(uint32_t mask)
+{
+
+ __asm __volatile("wrpkru" : : "a" (mask), "c" (0), "d" (0));
+}
+
#else /* !(__GNUCLIKE_ASM && __CC_SUPPORTS___INLINE) */
#ifndef __rtems__
diff --git a/freebsd/sys/kern/sys_pipe.c b/freebsd/sys/kern/sys_pipe.c
index 050d63a..817190b 100755
--- a/freebsd/sys/kern/sys_pipe.c
+++ b/freebsd/sys/kern/sys_pipe.c
@@ -2099,15 +2099,19 @@ static int
filt_pipewrite(struct knote *kn, long hint)
{
struct pipe *wpipe;
-
+
+ /*
+ * If this end of the pipe is closed, the knote was removed from the
+ * knlist and the list lock (i.e., the pipe lock) is therefore not held.
+ */
wpipe = kn->kn_hook;
- PIPE_LOCK_ASSERT(wpipe, MA_OWNED);
if (wpipe->pipe_present != PIPE_ACTIVE ||
(wpipe->pipe_state & PIPE_EOF)) {
kn->kn_data = 0;
kn->kn_flags |= EV_EOF;
return (1);
}
+ PIPE_LOCK_ASSERT(wpipe, MA_OWNED);
kn->kn_data = (wpipe->pipe_buffer.size > 0) ?
(wpipe->pipe_buffer.size - wpipe->pipe_buffer.cnt) : PIPE_BUF;
if (wpipe->pipe_state & PIPE_DIRECTW)
diff --git a/freebsd/sys/net/altq/altq_cbq.c b/freebsd/sys/net/altq/altq_cbq.c
index ac108bd..33a11a7 100644
--- a/freebsd/sys/net/altq/altq_cbq.c
+++ b/freebsd/sys/net/altq/altq_cbq.c
@@ -261,12 +261,11 @@ cbq_pfattach(struct pf_altq *a)
}
int
-cbq_add_altq(struct pf_altq *a)
+cbq_add_altq(struct ifnet *ifp, struct pf_altq *a)
{
cbq_state_t *cbqp;
- struct ifnet *ifp;
- if ((ifp = ifunit(a->ifname)) == NULL)
+ if (ifp == NULL)
return (EINVAL);
if (!ALTQ_IS_READY(&ifp->if_snd))
return (ENODEV);
diff --git a/freebsd/sys/net/altq/altq_codel.c b/freebsd/sys/net/altq/altq_codel.c
index 4a55cdb..375fc38 100644
--- a/freebsd/sys/net/altq/altq_codel.c
+++ b/freebsd/sys/net/altq/altq_codel.c
@@ -91,13 +91,12 @@ codel_pfattach(struct pf_altq *a)
}
int
-codel_add_altq(struct pf_altq *a)
+codel_add_altq(struct ifnet *ifp, struct pf_altq *a)
{
struct codel_if *cif;
- struct ifnet *ifp;
struct codel_opts *opts;
- if ((ifp = ifunit(a->ifname)) == NULL)
+ if (ifp == NULL)
return (EINVAL);
if (!ALTQ_IS_READY(&ifp->if_snd))
return (ENODEV);
diff --git a/freebsd/sys/net/altq/altq_fairq.c b/freebsd/sys/net/altq/altq_fairq.c
index a1bc3fd..5b7646e 100644
--- a/freebsd/sys/net/altq/altq_fairq.c
+++ b/freebsd/sys/net/altq/altq_fairq.c
@@ -150,12 +150,11 @@ fairq_pfattach(struct pf_altq *a)
}
int
-fairq_add_altq(struct pf_altq *a)
+fairq_add_altq(struct ifnet *ifp, struct pf_altq *a)
{
struct fairq_if *pif;
- struct ifnet *ifp;
- if ((ifp = ifunit(a->ifname)) == NULL)
+ if (ifp == NULL)
return (EINVAL);
if (!ALTQ_IS_READY(&ifp->if_snd))
return (ENODEV);
diff --git a/freebsd/sys/net/altq/altq_hfsc.c b/freebsd/sys/net/altq/altq_hfsc.c
index 8d8fdfd..3c289cf 100644
--- a/freebsd/sys/net/altq/altq_hfsc.c
+++ b/freebsd/sys/net/altq/altq_hfsc.c
@@ -185,12 +185,11 @@ hfsc_pfattach(struct pf_altq *a)
}
int
-hfsc_add_altq(struct pf_altq *a)
+hfsc_add_altq(struct ifnet *ifp, struct pf_altq *a)
{
struct hfsc_if *hif;
- struct ifnet *ifp;
- if ((ifp = ifunit(a->ifname)) == NULL)
+ if (ifp == NULL)
return (EINVAL);
if (!ALTQ_IS_READY(&ifp->if_snd))
return (ENODEV);
@@ -536,6 +535,7 @@ hfsc_class_create(struct hfsc_if *hif, struct service_curve *rsc,
goto err_ret;
}
}
+ cl->cl_slot = i;
if (flags & HFCF_DEFAULTCLASS)
hif->hif_defaultclass = cl;
@@ -588,7 +588,7 @@ hfsc_class_create(struct hfsc_if *hif, struct service_curve *rsc,
static int
hfsc_class_destroy(struct hfsc_class *cl)
{
- int i, s;
+ int s;
if (cl == NULL)
return (0);
@@ -623,12 +623,7 @@ hfsc_class_destroy(struct hfsc_class *cl)
ASSERT(p != NULL);
}
- for (i = 0; i < HFSC_MAX_CLASSES; i++)
- if (cl->cl_hif->hif_class_tbl[i] == cl) {
- cl->cl_hif->hif_class_tbl[i] = NULL;
- break;
- }
-
+ cl->cl_hif->hif_class_tbl[cl->cl_slot] = NULL;
cl->cl_hif->hif_classes--;
IFQ_UNLOCK(cl->cl_hif->hif_ifq);
splx(s);
diff --git a/freebsd/sys/net/altq/altq_hfsc.h b/freebsd/sys/net/altq/altq_hfsc.h
index 67ec003..bd35b6b 100644
--- a/freebsd/sys/net/altq/altq_hfsc.h
+++ b/freebsd/sys/net/altq/altq_hfsc.h
@@ -282,6 +282,7 @@ struct runtime_sc {
struct hfsc_class {
u_int cl_id; /* class id (just for debug) */
+ u_int cl_slot; /* slot in hif class table */
u_int32_t cl_handle; /* class handle */
struct hfsc_if *cl_hif; /* back pointer to struct hfsc_if */
int cl_flags; /* misc flags */
diff --git a/freebsd/sys/net/altq/altq_priq.c b/freebsd/sys/net/altq/altq_priq.c
index ce0830e..c524f4c 100644
--- a/freebsd/sys/net/altq/altq_priq.c
+++ b/freebsd/sys/net/altq/altq_priq.c
@@ -120,12 +120,11 @@ priq_pfattach(struct pf_altq *a)
}
int
-priq_add_altq(struct pf_altq *a)
+priq_add_altq(struct ifnet * ifp, struct pf_altq *a)
{
struct priq_if *pif;
- struct ifnet *ifp;
- if ((ifp = ifunit(a->ifname)) == NULL)
+ if (ifp == NULL)
return (EINVAL);
if (!ALTQ_IS_READY(&ifp->if_snd))
return (ENODEV);
diff --git a/freebsd/sys/net/altq/altq_subr.c b/freebsd/sys/net/altq/altq_subr.c
index 6da3612..cd34d0e 100644
--- a/freebsd/sys/net/altq/altq_subr.c
+++ b/freebsd/sys/net/altq/altq_subr.c
@@ -552,7 +552,7 @@ altq_pfdetach(struct pf_altq *a)
* malloc with WAITOK, also it is not yet clear which lock to use.
*/
int
-altq_add(struct pf_altq *a)
+altq_add(struct ifnet *ifp, struct pf_altq *a)
{
int error = 0;
@@ -567,27 +567,27 @@ altq_add(struct pf_altq *a)
switch (a->scheduler) {
#ifdef ALTQ_CBQ
case ALTQT_CBQ:
- error = cbq_add_altq(a);
+ error = cbq_add_altq(ifp, a);
break;
#endif
#ifdef ALTQ_PRIQ
case ALTQT_PRIQ:
- error = priq_add_altq(a);
+ error = priq_add_altq(ifp, a);
break;
#endif
#ifdef ALTQ_HFSC
case ALTQT_HFSC:
- error = hfsc_add_altq(a);
+ error = hfsc_add_altq(ifp, a);
break;
#endif
#ifdef ALTQ_FAIRQ
case ALTQT_FAIRQ:
- error = fairq_add_altq(a);
+ error = fairq_add_altq(ifp, a);
break;
#endif
#ifdef ALTQ_CODEL
case ALTQT_CODEL:
- error = codel_add_altq(a);
+ error = codel_add_altq(ifp, a);
break;
#endif
default:
diff --git a/freebsd/sys/net/altq/altq_var.h b/freebsd/sys/net/altq/altq_var.h
index 47326a0..f711e09 100644
--- a/freebsd/sys/net/altq/altq_var.h
+++ b/freebsd/sys/net/altq/altq_var.h
@@ -199,40 +199,40 @@ int tbr_set(struct ifaltq *, struct tb_profile *);
int altq_pfattach(struct pf_altq *);
int altq_pfdetach(struct pf_altq *);
-int altq_add(struct pf_altq *);
+int altq_add(struct ifnet *, struct pf_altq *);
int altq_remove(struct pf_altq *);
int altq_add_queue(struct pf_altq *);
int altq_remove_queue(struct pf_altq *);
int altq_getqstats(struct pf_altq *, void *, int *, int);
int cbq_pfattach(struct pf_altq *);
-int cbq_add_altq(struct pf_altq *);
+int cbq_add_altq(struct ifnet *, struct pf_altq *);
int cbq_remove_altq(struct pf_altq *);
int cbq_add_queue(struct pf_altq *);
int cbq_remove_queue(struct pf_altq *);
int cbq_getqstats(struct pf_altq *, void *, int *, int);
int codel_pfattach(struct pf_altq *);
-int codel_add_altq(struct pf_altq *);
+int codel_add_altq(struct ifnet *, struct pf_altq *);
int codel_remove_altq(struct pf_altq *);
int codel_getqstats(struct pf_altq *, void *, int *, int);
int priq_pfattach(struct pf_altq *);
-int priq_add_altq(struct pf_altq *);
+int priq_add_altq(struct ifnet *, struct pf_altq *);
int priq_remove_altq(struct pf_altq *);
int priq_add_queue(struct pf_altq *);
int priq_remove_queue(struct pf_altq *);
int priq_getqstats(struct pf_altq *, void *, int *, int);
int hfsc_pfattach(struct pf_altq *);
-int hfsc_add_altq(struct pf_altq *);
+int hfsc_add_altq(struct ifnet *, struct pf_altq *);
int hfsc_remove_altq(struct pf_altq *);
int hfsc_add_queue(struct pf_altq *);
int hfsc_remove_queue(struct pf_altq *);
int hfsc_getqstats(struct pf_altq *, void *, int *, int);
int fairq_pfattach(struct pf_altq *);
-int fairq_add_altq(struct pf_altq *);
+int fairq_add_altq(struct ifnet *, struct pf_altq *);
int fairq_remove_altq(struct pf_altq *);
int fairq_add_queue(struct pf_altq *);
int fairq_remove_queue(struct pf_altq *);
diff --git a/freebsd/sys/net/if_bridge.c b/freebsd/sys/net/if_bridge.c
index aa56be4..b5e231b 100644
--- a/freebsd/sys/net/if_bridge.c
+++ b/freebsd/sys/net/if_bridge.c
@@ -927,7 +927,7 @@ bridge_set_ifcap(struct bridge_softc *sc, struct bridge_iflist *bif, int set)
{
struct ifnet *ifp = bif->bif_ifp;
struct ifreq ifr;
- int error;
+ int error, mask, stuck;
BRIDGE_UNLOCK_ASSERT(sc);
@@ -940,10 +940,12 @@ bridge_set_ifcap(struct bridge_softc *sc, struct bridge_iflist *bif, int set)
if_printf(sc->sc_ifp,
"error setting capabilities on %s: %d\n",
ifp->if_xname, error);
- if ((ifp->if_capenable & ~set) != 0)
+ mask = BRIDGE_IFCAPS_MASK | BRIDGE_IFCAPS_STRIP;
+ stuck = ifp->if_capenable & mask & ~set;
+ if (stuck != 0)
if_printf(sc->sc_ifp,
"can't disable some capabilities on %s: 0x%x\n",
- ifp->if_xname, ifp->if_capenable & ~set);
+ ifp->if_xname, stuck);
}
}
diff --git a/freebsd/sys/net/if_lagg.c b/freebsd/sys/net/if_lagg.c
index 8509911..c9c1e8f 100644
--- a/freebsd/sys/net/if_lagg.c
+++ b/freebsd/sys/net/if_lagg.c
@@ -516,10 +516,8 @@ lagg_clone_create(struct if_clone *ifc, int unit, caddr_t params)
ifp->if_flags = IFF_SIMPLEX | IFF_BROADCAST | IFF_MULTICAST;
#ifdef RATELIMIT
ifp->if_snd_tag_alloc = lagg_snd_tag_alloc;
- ifp->if_capenable = ifp->if_capabilities = IFCAP_HWSTATS | IFCAP_TXRTLMT;
-#else
- ifp->if_capenable = ifp->if_capabilities = IFCAP_HWSTATS;
#endif
+ ifp->if_capenable = ifp->if_capabilities = IFCAP_HWSTATS;
/*
* Attach as an ordinary ethernet device, children will be attached
diff --git a/freebsd/sys/net/iflib.h b/freebsd/sys/net/iflib.h
index 8c2be41..f852485 100644
--- a/freebsd/sys/net/iflib.h
+++ b/freebsd/sys/net/iflib.h
@@ -69,6 +69,9 @@ typedef struct if_rxd_frag {
uint16_t irf_len;
} *if_rxd_frag_t;
+/* bnxt supports 64 with hardware LRO enabled */
+#define IFLIB_MAX_RX_SEGS 64
+
typedef struct if_rxd_info {
/* set by iflib */
uint16_t iri_qsidx; /* qset index */
@@ -428,6 +431,7 @@ void iflib_iov_intr_deferred(if_ctx_t ctx);
void iflib_link_state_change(if_ctx_t ctx, int linkstate, uint64_t baudrate);
int iflib_dma_alloc(if_ctx_t ctx, int size, iflib_dma_info_t dma, int mapflags);
+int iflib_dma_alloc_align(if_ctx_t ctx, int size, int align, iflib_dma_info_t dma, int mapflags);
void iflib_dma_free(iflib_dma_info_t dma);
int iflib_dma_alloc_multi(if_ctx_t ctx, int *sizes, iflib_dma_info_t *dmalist, int mapflags, int count);
diff --git a/freebsd/sys/net/pfvar.h b/freebsd/sys/net/pfvar.h
index 25139a9..22159bd 100644
--- a/freebsd/sys/net/pfvar.h
+++ b/freebsd/sys/net/pfvar.h
@@ -41,6 +41,7 @@
#include <sys/cpuset.h>
#include <sys/malloc.h>
#include <sys/refcount.h>
+#include <sys/sysctl.h>
#include <sys/lock.h>
#include <sys/rmlock.h>
#include <sys/tree.h>
@@ -95,6 +96,9 @@ struct pf_addr_wrap {
#ifdef _KERNEL
+SYSCTL_DECL(_net_pf);
+MALLOC_DECLARE(M_PFHASH);
+
struct pfi_dynaddr {
TAILQ_ENTRY(pfi_dynaddr) entry;
struct pf_addr pfid_addr4;
@@ -1588,7 +1592,7 @@ VNET_DECLARE(uint64_t, pf_stateid[MAXCPU]);
#define V_pf_stateid VNET(pf_stateid)
TAILQ_HEAD(pf_altqqueue, pf_altq);
-VNET_DECLARE(struct pf_altqqueue, pf_altqs[2]);
+VNET_DECLARE(struct pf_altqqueue, pf_altqs[4]);
#define V_pf_altqs VNET(pf_altqs)
VNET_DECLARE(struct pf_palist, pf_pabuf);
#define V_pf_pabuf VNET(pf_pabuf)
@@ -1603,8 +1607,12 @@ VNET_DECLARE(u_int32_t, ticket_pabuf);
#define V_ticket_pabuf VNET(ticket_pabuf)
VNET_DECLARE(struct pf_altqqueue *, pf_altqs_active);
#define V_pf_altqs_active VNET(pf_altqs_active)
+VNET_DECLARE(struct pf_altqqueue *, pf_altq_ifs_active);
+#define V_pf_altq_ifs_active VNET(pf_altq_ifs_active)
VNET_DECLARE(struct pf_altqqueue *, pf_altqs_inactive);
#define V_pf_altqs_inactive VNET(pf_altqs_inactive)
+VNET_DECLARE(struct pf_altqqueue *, pf_altq_ifs_inactive);
+#define V_pf_altq_ifs_inactive VNET(pf_altq_ifs_inactive)
VNET_DECLARE(struct pf_rulequeue, pf_unlinked_rules);
#define V_pf_unlinked_rules VNET(pf_unlinked_rules)
diff --git a/freebsd/sys/net80211/ieee80211_adhoc.c b/freebsd/sys/net80211/ieee80211_adhoc.c
index fdd02e4..3f3b6d1 100644
--- a/freebsd/sys/net80211/ieee80211_adhoc.c
+++ b/freebsd/sys/net80211/ieee80211_adhoc.c
@@ -524,11 +524,9 @@ adhoc_input(struct ieee80211_node *ni, struct mbuf *m,
/*
* Save QoS bits for use below--before we strip the header.
*/
- if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
- qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
- ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
- ((struct ieee80211_qosframe *)wh)->i_qos[0];
- } else
+ if (subtype == IEEE80211_FC0_SUBTYPE_QOS)
+ qos = ieee80211_getqos(wh)[0];
+ else
qos = 0;
/*
diff --git a/freebsd/sys/net80211/ieee80211_hostap.c b/freebsd/sys/net80211/ieee80211_hostap.c
index 0cc4374..2671547 100644
--- a/freebsd/sys/net80211/ieee80211_hostap.c
+++ b/freebsd/sys/net80211/ieee80211_hostap.c
@@ -710,11 +710,9 @@ hostap_input(struct ieee80211_node *ni, struct mbuf *m,
/*
* Save QoS bits for use below--before we strip the header.
*/
- if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
- qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
- ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
- ((struct ieee80211_qosframe *)wh)->i_qos[0];
- } else
+ if (subtype == IEEE80211_FC0_SUBTYPE_QOS)
+ qos = ieee80211_getqos(wh)[0];
+ else
qos = 0;
/*
diff --git a/freebsd/sys/net80211/ieee80211_ht.c b/freebsd/sys/net80211/ieee80211_ht.c
index c6a3a20..c5ce444 100644
--- a/freebsd/sys/net80211/ieee80211_ht.c
+++ b/freebsd/sys/net80211/ieee80211_ht.c
@@ -888,10 +888,7 @@ ieee80211_ampdu_reorder(struct ieee80211_node *ni, struct mbuf *m,
if (IEEE80211_IS_MULTICAST(wh->i_addr1))
return PROCESS;
- if (IEEE80211_IS_DSTODS(wh))
- tid = ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0];
- else
- tid = wh->i_qos[0];
+ tid = ieee80211_getqos(wh)[0];
tid &= IEEE80211_QOS_TID;
rap = &ni->ni_rx_ampdu[tid];
if ((rap->rxa_flags & IEEE80211_AGGR_XCHGPEND) == 0) {
diff --git a/freebsd/sys/net80211/ieee80211_mesh.c b/freebsd/sys/net80211/ieee80211_mesh.c
index f747c21..3572239 100644
--- a/freebsd/sys/net80211/ieee80211_mesh.c
+++ b/freebsd/sys/net80211/ieee80211_mesh.c
@@ -1657,12 +1657,7 @@ mesh_input(struct ieee80211_node *ni, struct mbuf *m,
* in the Mesh Control field and a 3 address qos frame
* is used.
*/
- if (IEEE80211_IS_DSTODS(wh))
- *(uint16_t *)qos = *(uint16_t *)
- ((struct ieee80211_qosframe_addr4 *)wh)->i_qos;
- else
- *(uint16_t *)qos = *(uint16_t *)
- ((struct ieee80211_qosframe *)wh)->i_qos;
+ *(uint16_t *)qos = *(uint16_t *)ieee80211_getqos(wh);
/*
* NB: The mesh STA sets the Mesh Control Present
diff --git a/freebsd/sys/net80211/ieee80211_output.c b/freebsd/sys/net80211/ieee80211_output.c
index 4c4d8da..7784a90 100644
--- a/freebsd/sys/net80211/ieee80211_output.c
+++ b/freebsd/sys/net80211/ieee80211_output.c
@@ -1950,14 +1950,8 @@ ieee80211_fragment(struct ieee80211vap *vap, struct mbuf *m0,
whf = mtod(m, struct ieee80211_frame *);
memcpy(whf, wh, hdrsize);
#ifdef IEEE80211_SUPPORT_MESH
- if (vap->iv_opmode == IEEE80211_M_MBSS) {
- if (IEEE80211_IS_DSTODS(wh))
- ((struct ieee80211_qosframe_addr4 *)
- whf)->i_qos[1] &= ~IEEE80211_QOS_MC;
- else
- ((struct ieee80211_qosframe *)
- whf)->i_qos[1] &= ~IEEE80211_QOS_MC;
- }
+ if (vap->iv_opmode == IEEE80211_M_MBSS)
+ ieee80211_getqos(wh)[1] &= ~IEEE80211_QOS_MC;
#endif
*(uint16_t *)&whf->i_seq[0] |= htole16(
(fragno & IEEE80211_SEQ_FRAG_MASK) <<
diff --git a/freebsd/sys/net80211/ieee80211_proto.c b/freebsd/sys/net80211/ieee80211_proto.c
index 129e11e..c62d087 100644
--- a/freebsd/sys/net80211/ieee80211_proto.c
+++ b/freebsd/sys/net80211/ieee80211_proto.c
@@ -349,6 +349,9 @@ ieee80211_proto_vattach(struct ieee80211vap *vap)
* driver and/or user applications.
*/
for (i = IEEE80211_MODE_11A; i < IEEE80211_MODE_MAX; i++) {
+ if (isclr(ic->ic_modecaps, i))
+ continue;
+
const struct ieee80211_rateset *rs = &ic->ic_sup_rates[i];
vap->iv_txparms[i].ucastrate = IEEE80211_FIXED_RATE_NONE;
diff --git a/freebsd/sys/net80211/ieee80211_proto.h b/freebsd/sys/net80211/ieee80211_proto.h
index c1637c5..717de30 100644
--- a/freebsd/sys/net80211/ieee80211_proto.h
+++ b/freebsd/sys/net80211/ieee80211_proto.h
@@ -303,6 +303,22 @@ void ieee80211_wme_ic_getparams(struct ieee80211com *ic,
int ieee80211_wme_vap_ac_is_noack(struct ieee80211vap *vap, int ac);
/*
+ * Return pointer to the QoS field from a Qos frame.
+ */
+static __inline uint8_t *
+ieee80211_getqos(void *data)
+{
+ struct ieee80211_frame *wh = data;
+
+ KASSERT(IEEE80211_QOS_HAS_SEQ(wh), ("QoS field is absent!"));
+
+ if (IEEE80211_IS_DSTODS(wh))
+ return (((struct ieee80211_qosframe_addr4 *)wh)->i_qos);
+ else
+ return (((struct ieee80211_qosframe *)wh)->i_qos);
+}
+
+/*
* Return the WME TID from a QoS frame. If no TID
* is present return the index for the "non-QoS" entry.
*/
diff --git a/freebsd/sys/net80211/ieee80211_scan.c b/freebsd/sys/net80211/ieee80211_scan.c
index 8605641..c6f03fe 100644
--- a/freebsd/sys/net80211/ieee80211_scan.c
+++ b/freebsd/sys/net80211/ieee80211_scan.c
@@ -132,13 +132,21 @@ void
ieee80211_scan_vattach(struct ieee80211vap *vap)
{
struct ieee80211com *ic = vap->iv_ic;
+ int m;
vap->iv_bgscanidle = (IEEE80211_BGSCAN_IDLE_DEFAULT*1000)/hz;
vap->iv_bgscanintvl = IEEE80211_BGSCAN_INTVAL_DEFAULT*hz;
vap->iv_scanvalid = IEEE80211_SCAN_VALID_DEFAULT*hz;
vap->iv_roaming = IEEE80211_ROAMING_AUTO;
- memcpy(vap->iv_roamparms, defroam, sizeof(defroam));
+
+ memset(vap->iv_roamparms, 0, sizeof(vap->iv_roamparms));
+ for (m = IEEE80211_MODE_AUTO + 1; m < IEEE80211_MODE_MAX; m++) {
+ if (isclr(ic->ic_modecaps, m))
+ continue;
+
+ memcpy(&vap->iv_roamparms[m], &defroam[m], sizeof(defroam[m]));
+ }
ic->ic_scan_methods->sc_vattach(vap);
}
diff --git a/freebsd/sys/net80211/ieee80211_scan_sta.c b/freebsd/sys/net80211/ieee80211_scan_sta.c
index 926504f..8dda849 100644
--- a/freebsd/sys/net80211/ieee80211_scan_sta.c
+++ b/freebsd/sys/net80211/ieee80211_scan_sta.c
@@ -1356,6 +1356,9 @@ sta_roam_check(struct ieee80211_scan_state *ss, struct ieee80211vap *vap)
mode = ieee80211_chan2mode(ic->ic_bsschan);
roamRate = vap->iv_roamparms[mode].rate;
roamRssi = vap->iv_roamparms[mode].rssi;
+ KASSERT(roamRate != 0 && roamRssi != 0, ("iv_roamparms are not"
+ "initialized for %s mode!", ieee80211_phymode_name[mode]));
+
ucastRate = vap->iv_txparms[mode].ucastrate;
/* NB: the most up to date rssi is in the node, not the scan cache */
curRssi = ic->ic_node_getrssi(ni);
diff --git a/freebsd/sys/net80211/ieee80211_sta.c b/freebsd/sys/net80211/ieee80211_sta.c
index 1993f56..3dc9ee1 100644
--- a/freebsd/sys/net80211/ieee80211_sta.c
+++ b/freebsd/sys/net80211/ieee80211_sta.c
@@ -788,11 +788,9 @@ sta_input(struct ieee80211_node *ni, struct mbuf *m,
/*
* Save QoS bits for use below--before we strip the header.
*/
- if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
- qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
- ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
- ((struct ieee80211_qosframe *)wh)->i_qos[0];
- } else
+ if (subtype == IEEE80211_FC0_SUBTYPE_QOS)
+ qos = ieee80211_getqos(wh)[0];
+ else
qos = 0;
/*
diff --git a/freebsd/sys/net80211/ieee80211_tdma.c b/freebsd/sys/net80211/ieee80211_tdma.c
index b18803f..c675af9 100644
--- a/freebsd/sys/net80211/ieee80211_tdma.c
+++ b/freebsd/sys/net80211/ieee80211_tdma.c
@@ -129,6 +129,9 @@ static int tdma_process_params(struct ieee80211_node *ni,
static void
settxparms(struct ieee80211vap *vap, enum ieee80211_phymode mode, int rate)
{
+ if (isclr(vap->iv_ic->ic_modecaps, mode))
+ return;
+
vap->iv_txparms[mode].ucastrate = rate;
vap->iv_txparms[mode].mcastrate = rate;
}
diff --git a/freebsd/sys/net80211/ieee80211_wds.c b/freebsd/sys/net80211/ieee80211_wds.c
index 1bceace..b74a299 100644
--- a/freebsd/sys/net80211/ieee80211_wds.c
+++ b/freebsd/sys/net80211/ieee80211_wds.c
@@ -585,11 +585,9 @@ wds_input(struct ieee80211_node *ni, struct mbuf *m,
/*
* Save QoS bits for use below--before we strip the header.
*/
- if (subtype == IEEE80211_FC0_SUBTYPE_QOS) {
- qos = (dir == IEEE80211_FC1_DIR_DSTODS) ?
- ((struct ieee80211_qosframe_addr4 *)wh)->i_qos[0] :
- ((struct ieee80211_qosframe *)wh)->i_qos[0];
- } else
+ if (subtype == IEEE80211_FC0_SUBTYPE_QOS)
+ qos = ieee80211_getqos(wh)[0];
+ else
qos = 0;
/*
diff --git a/freebsd/sys/netinet/if_ether.c b/freebsd/sys/netinet/if_ether.c
index 6ee6b71..5539e97 100644
--- a/freebsd/sys/netinet/if_ether.c
+++ b/freebsd/sys/netinet/if_ether.c
@@ -1347,6 +1347,8 @@ garp_rexmit(void *arg)
return;
}
+ CURVNET_SET(ia->ia_ifa.ifa_ifp->if_vnet);
+
/*
* Drop lock while the ARP request is generated.
*/
@@ -1374,6 +1376,8 @@ garp_rexmit(void *arg)
ifa_free(&ia->ia_ifa);
}
}
+
+ CURVNET_RESTORE();
}
/*
diff --git a/freebsd/sys/netinet/in_pcb.c b/freebsd/sys/netinet/in_pcb.c
index 666f630..0bebb9e 100644
--- a/freebsd/sys/netinet/in_pcb.c
+++ b/freebsd/sys/netinet/in_pcb.c
@@ -1578,6 +1578,7 @@ in_pcbfree_deferred(epoch_context_t ctx)
inp = __containerof(ctx, struct inpcb, inp_epoch_ctx);
INP_WLOCK(inp);
+ CURVNET_SET(inp->inp_vnet);
#ifdef INET
struct ip_moptions *imo = inp->inp_moptions;
inp->inp_moptions = NULL;
@@ -1610,6 +1611,7 @@ in_pcbfree_deferred(epoch_context_t ctx)
#ifdef INET
inp_freemoptions(imo);
#endif
+ CURVNET_RESTORE();
}
/*
diff --git a/freebsd/sys/netinet/tcp_reass.c b/freebsd/sys/netinet/tcp_reass.c
index 6318289..9d4bf3b 100644
--- a/freebsd/sys/netinet/tcp_reass.c
+++ b/freebsd/sys/netinet/tcp_reass.c
@@ -40,6 +40,10 @@ __FBSDID("$FreeBSD$");
#include <rtems/bsd/local/opt_inet6.h>
#include <rtems/bsd/local/opt_tcpdebug.h>
+/* For debugging we want counters and BB logging */
+/* #define TCP_REASS_COUNTERS 1 */
+/* #define TCP_REASS_LOGGING 1 */
+
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/eventhandler.h>
@@ -74,8 +78,10 @@ __FBSDID("$FreeBSD$");
#include <netinet/tcp_seq.h>
#include <netinet/tcp_timer.h>
#include <netinet/tcp_var.h>
+#ifdef TCP_REASS_LOGGING
#include <netinet/tcp_log_buf.h>
#include <netinet/tcp_hpts.h>
+#endif
#include <netinet6/tcp6_var.h>
#include <netinet/tcpip.h>
#ifdef TCPDEBUG
@@ -94,10 +100,6 @@ __FBSDID("$FreeBSD$");
#define TCP_R_LOG_DUMP 10
#define TCP_R_LOG_TRIM 11
-/* For debugging we want counters and BB logging */
-/* #define TCP_REASS_COUNTERS 1 */
-/* #define TCP_REASS_LOGGING 1 */
-
static SYSCTL_NODE(_net_inet_tcp, OID_AUTO, reass, CTLFLAG_RW, 0,
"TCP Segment Reassembly Queue");
@@ -542,6 +544,10 @@ tcp_reass(struct tcpcb *tp, struct tcphdr *th, tcp_seq *seq_start,
* and should be rewritten (see NetBSD for optimizations).
*/
+ KASSERT(th == NULL || (seq_start != NULL && tlenp != NULL),
+ ("tcp_reass called with illegal parameter combination "
+ "(tp=%p, th=%p, seq_start=%p, tlenp=%p, m=%p)",
+ tp, th, seq_start, tlenp, m));
/*
* Call with th==NULL after become established to
* force pre-ESTABLISHED data up to user socket.
@@ -1062,12 +1068,20 @@ present:
} else {
#ifdef TCP_REASS_LOGGING
tcp_reass_log_new_in(tp, q->tqe_start, q->tqe_len, q->tqe_m, TCP_R_LOG_READ, q);
- tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1);
+ if (th != NULL) {
+ tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 1);
+ } else {
+ tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 1);
+ }
#endif
sbappendstream_locked(&so->so_rcv, q->tqe_m, 0);
}
#ifdef TCP_REASS_LOGGING
- tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2);
+ if (th != NULL) {
+ tcp_log_reassm(tp, q, NULL, th->th_seq, *tlenp, TCP_R_LOG_READ, 2);
+ } else {
+ tcp_log_reassm(tp, q, NULL, 0, 0, TCP_R_LOG_READ, 2);
+ }
#endif
KASSERT(tp->t_segqmbuflen >= q->tqe_mbuf_cnt,
("tp:%p seg queue goes negative", tp));
@@ -1083,7 +1097,11 @@ present:
tp, &tp->t_segq, tp->t_segqmbuflen);
#else
#ifdef TCP_REASS_LOGGING
- tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0);
+ if (th != NULL) {
+ tcp_log_reassm(tp, NULL, NULL, th->th_seq, *tlenp, TCP_R_LOG_ZERO, 0);
+ } else {
+ tcp_log_reassm(tp, NULL, NULL, 0, 0, TCP_R_LOG_ZERO, 0);
+ }
#endif
tp->t_segqmbuflen = 0;
#endif
diff --git a/freebsd/sys/netpfil/pf/pf.c b/freebsd/sys/netpfil/pf/pf.c
index 9b4653e..98e339a 100644
--- a/freebsd/sys/netpfil/pf/pf.c
+++ b/freebsd/sys/netpfil/pf/pf.c
@@ -115,10 +115,12 @@ __FBSDID("$FreeBSD$");
*/
/* state tables */
-VNET_DEFINE(struct pf_altqqueue, pf_altqs[2]);
+VNET_DEFINE(struct pf_altqqueue, pf_altqs[4]);
VNET_DEFINE(struct pf_palist, pf_pabuf);
VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active);
+VNET_DEFINE(struct pf_altqqueue *, pf_altq_ifs_active);
VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive);
+VNET_DEFINE(struct pf_altqqueue *, pf_altq_ifs_inactive);
VNET_DEFINE(struct pf_kstatus, pf_status);
VNET_DEFINE(u_int32_t, ticket_altqs_active);
@@ -360,7 +362,7 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
counter_u64_add(s->rule.ptr->states_cur, -1); \
} while (0)
-static MALLOC_DEFINE(M_PFHASH, "pf_hash", "pf(4) hash header structures");
+MALLOC_DEFINE(M_PFHASH, "pf_hash", "pf(4) hash header structures");
VNET_DEFINE(struct pf_keyhash *, pf_keyhash);
VNET_DEFINE(struct pf_idhash *, pf_idhash);
VNET_DEFINE(struct pf_srchash *, pf_srchash);
@@ -862,9 +864,13 @@ pf_initialize()
/* ALTQ */
TAILQ_INIT(&V_pf_altqs[0]);
TAILQ_INIT(&V_pf_altqs[1]);
+ TAILQ_INIT(&V_pf_altqs[2]);
+ TAILQ_INIT(&V_pf_altqs[3]);
TAILQ_INIT(&V_pf_pabuf);
V_pf_altqs_active = &V_pf_altqs[0];
- V_pf_altqs_inactive = &V_pf_altqs[1];
+ V_pf_altq_ifs_active = &V_pf_altqs[1];
+ V_pf_altqs_inactive = &V_pf_altqs[2];
+ V_pf_altq_ifs_inactive = &V_pf_altqs[3];
/* Send & overload+flush queues. */
STAILQ_INIT(&V_pf_sendqueue);
@@ -1560,7 +1566,7 @@ pf_state_expires(const struct pf_state *state)
if (!timeout)
timeout = V_pf_default_rule.timeout[state->timeout];
start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
- if (start) {
+ if (start && state->rule.ptr != &V_pf_default_rule) {
end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
states = counter_u64_fetch(state->rule.ptr->states_cur);
} else {
diff --git a/freebsd/sys/netpfil/pf/pf_if.c b/freebsd/sys/netpfil/pf/pf_if.c
index 8281bbd..8f36a8e 100644
--- a/freebsd/sys/netpfil/pf/pf_if.c
+++ b/freebsd/sys/netpfil/pf/pf_if.c
@@ -167,8 +167,10 @@ pfi_cleanup_vnet(void)
RB_REMOVE(pfi_ifhead, &V_pfi_ifs, kif);
if (kif->pfik_group)
kif->pfik_group->ifg_pf_kif = NULL;
- if (kif->pfik_ifp)
+ if (kif->pfik_ifp) {
+ if_rele(kif->pfik_ifp);
kif->pfik_ifp->if_pf_kif = NULL;
+ }
free(kif, PFI_MTYPE);
}
@@ -324,6 +326,8 @@ pfi_attach_ifnet(struct ifnet *ifp)
V_pfi_update++;
kif = pfi_kif_attach(kif, ifp->if_xname);
+ if_ref(ifp);
+
kif->pfik_ifp = ifp;
ifp->if_pf_kif = kif;
@@ -850,6 +854,9 @@ pfi_detach_ifnet_event(void *arg __unused, struct ifnet *ifp)
V_pfi_update++;
pfi_kif_update(kif);
+ if (kif->pfik_ifp)
+ if_rele(kif->pfik_ifp);
+
kif->pfik_ifp = NULL;
ifp->if_pf_kif = NULL;
#ifdef ALTQ
diff --git a/freebsd/sys/netpfil/pf/pf_ioctl.c b/freebsd/sys/netpfil/pf/pf_ioctl.c
index 695e838..bf195c7 100644
--- a/freebsd/sys/netpfil/pf/pf_ioctl.c
+++ b/freebsd/sys/netpfil/pf/pf_ioctl.c
@@ -48,11 +48,14 @@ __FBSDID("$FreeBSD$");
#include <rtems/bsd/local/opt_pf.h>
#include <sys/param.h>
+#include <sys/_bitset.h>
+#include <sys/bitset.h>
#include <sys/bus.h>
#include <sys/conf.h>
#include <sys/endian.h>
#include <sys/fcntl.h>
#include <sys/filio.h>
+#include <sys/hash.h>
#include <sys/interrupt.h>
#include <sys/jail.h>
#include <sys/kernel.h>
@@ -131,18 +134,40 @@ VNET_DEFINE_STATIC(int, pf_altq_running);
#define TAGID_MAX 50000
struct pf_tagname {
- TAILQ_ENTRY(pf_tagname) entries;
+ TAILQ_ENTRY(pf_tagname) namehash_entries;
+ TAILQ_ENTRY(pf_tagname) taghash_entries;
char name[PF_TAG_NAME_SIZE];
uint16_t tag;
int ref;
};
-TAILQ_HEAD(pf_tags, pf_tagname);
-#define V_pf_tags VNET(pf_tags)
-VNET_DEFINE(struct pf_tags, pf_tags);
-#define V_pf_qids VNET(pf_qids)
-VNET_DEFINE(struct pf_tags, pf_qids);
-static MALLOC_DEFINE(M_PFTAG, "pf_tag", "pf(4) tag names");
+struct pf_tagset {
+ TAILQ_HEAD(, pf_tagname) *namehash;
+ TAILQ_HEAD(, pf_tagname) *taghash;
+ unsigned int mask;
+ uint32_t seed;
+ BITSET_DEFINE(, TAGID_MAX) avail;
+};
+
+VNET_DEFINE(struct pf_tagset, pf_tags);
+#define V_pf_tags VNET(pf_tags)
+static unsigned int pf_rule_tag_hashsize;
+#define PF_RULE_TAG_HASH_SIZE_DEFAULT 128
+SYSCTL_UINT(_net_pf, OID_AUTO, rule_tag_hashsize, CTLFLAG_RDTUN,
+ &pf_rule_tag_hashsize, PF_RULE_TAG_HASH_SIZE_DEFAULT,
+ "Size of pf(4) rule tag hashtable");
+
+#ifdef ALTQ
+VNET_DEFINE(struct pf_tagset, pf_qids);
+#define V_pf_qids VNET(pf_qids)
+static unsigned int pf_queue_tag_hashsize;
+#define PF_QUEUE_TAG_HASH_SIZE_DEFAULT 128
+SYSCTL_UINT(_net_pf, OID_AUTO, queue_tag_hashsize, CTLFLAG_RDTUN,
+ &pf_queue_tag_hashsize, PF_QUEUE_TAG_HASH_SIZE_DEFAULT,
+ "Size of pf(4) queue tag hashtable");
+#endif
+VNET_DEFINE(uma_zone_t, pf_tag_z);
+#define V_pf_tag_z VNET(pf_tag_z)
static MALLOC_DEFINE(M_PFALTQ, "pf_altq", "pf(4) altq configuration db");
static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules");
@@ -150,9 +175,14 @@ static MALLOC_DEFINE(M_PFRULE, "pf_rule", "pf(4) rules");
#error PF_QNAME_SIZE must be equal to PF_TAG_NAME_SIZE
#endif
-static u_int16_t tagname2tag(struct pf_tags *, char *);
+static void pf_init_tagset(struct pf_tagset *, unsigned int *,
+ unsigned int);
+static void pf_cleanup_tagset(struct pf_tagset *);
+static uint16_t tagname2hashindex(const struct pf_tagset *, const char *);
+static uint16_t tag2hashindex(const struct pf_tagset *, uint16_t);
+static u_int16_t tagname2tag(struct pf_tagset *, char *);
static u_int16_t pf_tagname2tag(char *);
-static void tag_unref(struct pf_tags *, u_int16_t);
+static void tag_unref(struct pf_tagset *, u_int16_t);
#define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x
@@ -438,68 +468,141 @@ pf_free_rule(struct pf_rule *rule)
free(rule, M_PFRULE);
}
+static void
+pf_init_tagset(struct pf_tagset *ts, unsigned int *tunable_size,
+ unsigned int default_size)
+{
+ unsigned int i;
+ unsigned int hashsize;
+
+ if (*tunable_size == 0 || !powerof2(*tunable_size))
+ *tunable_size = default_size;
+
+ hashsize = *tunable_size;
+ ts->namehash = mallocarray(hashsize, sizeof(*ts->namehash), M_PFHASH,
+ M_WAITOK);
+ ts->taghash = mallocarray(hashsize, sizeof(*ts->taghash), M_PFHASH,
+ M_WAITOK);
+ ts->mask = hashsize - 1;
+ ts->seed = arc4random();
+ for (i = 0; i < hashsize; i++) {
+ TAILQ_INIT(&ts->namehash[i]);
+ TAILQ_INIT(&ts->taghash[i]);
+ }
+ BIT_FILL(TAGID_MAX, &ts->avail);
+}
+
+static void
+pf_cleanup_tagset(struct pf_tagset *ts)
+{
+ unsigned int i;
+ unsigned int hashsize;
+ struct pf_tagname *t, *tmp;
+
+ /*
+ * Only need to clean up one of the hashes as each tag is hashed
+ * into each table.
+ */
+ hashsize = ts->mask + 1;
+ for (i = 0; i < hashsize; i++)
+ TAILQ_FOREACH_SAFE(t, &ts->namehash[i], namehash_entries, tmp)
+ uma_zfree(V_pf_tag_z, t);
+
+ free(ts->namehash, M_PFHASH);
+ free(ts->taghash, M_PFHASH);
+}
+
+static uint16_t
+tagname2hashindex(const struct pf_tagset *ts, const char *tagname)
+{
+
+ return (murmur3_32_hash(tagname, strlen(tagname), ts->seed) & ts->mask);
+}
+
+static uint16_t
+tag2hashindex(const struct pf_tagset *ts, uint16_t tag)
+{
+
+ return (tag & ts->mask);
+}
+
static u_int16_t
-tagname2tag(struct pf_tags *head, char *tagname)
+tagname2tag(struct pf_tagset *ts, char *tagname)
{
- struct pf_tagname *tag, *p = NULL;
- u_int16_t new_tagid = 1;
+ struct pf_tagname *tag;
+ u_int32_t index;
+ u_int16_t new_tagid;
PF_RULES_WASSERT();
- TAILQ_FOREACH(tag, head, entries)
+ index = tagname2hashindex(ts, tagname);
+ TAILQ_FOREACH(tag, &ts->namehash[index], namehash_entries)
if (strcmp(tagname, tag->name) == 0) {
tag->ref++;
return (tag->tag);
}
/*
+ * new entry
+ *
* to avoid fragmentation, we do a linear search from the beginning
- * and take the first free slot we find. if there is none or the list
- * is empty, append a new entry at the end.
+ * and take the first free slot we find.
*/
-
- /* new entry */
- if (!TAILQ_EMPTY(head))
- for (p = TAILQ_FIRST(head); p != NULL &&
- p->tag == new_tagid; p = TAILQ_NEXT(p, entries))
- new_tagid = p->tag + 1;
-
- if (new_tagid > TAGID_MAX)
+ new_tagid = BIT_FFS(TAGID_MAX, &ts->avail);
+ /*
+ * Tags are 1-based, with valid tags in the range [1..TAGID_MAX].
+ * BIT_FFS() returns a 1-based bit number, with 0 indicating no bits
+ * set. It may also return a bit number greater than TAGID_MAX due
+ * to rounding of the number of bits in the vector up to a multiple
+ * of the vector word size at declaration/allocation time.
+ */
+ if ((new_tagid == 0) || (new_tagid > TAGID_MAX))
return (0);
+ /* Mark the tag as in use. Bits are 0-based for BIT_CLR() */
+ BIT_CLR(TAGID_MAX, new_tagid - 1, &ts->avail);
+
/* allocate and fill new struct pf_tagname */
- tag = malloc(sizeof(*tag), M_PFTAG, M_NOWAIT|M_ZERO);
+ tag = uma_zalloc(V_pf_tag_z, M_NOWAIT);
if (tag == NULL)
return (0);
strlcpy(tag->name, tagname, sizeof(tag->name));
tag->tag = new_tagid;
- tag->ref++;
+ tag->ref = 1;
- if (p != NULL) /* insert new entry before p */
- TAILQ_INSERT_BEFORE(p, tag, entries);
- else /* either list empty or no free slot in between */
- TAILQ_INSERT_TAIL(head, tag, entries);
+ /* Insert into namehash */
+ TAILQ_INSERT_TAIL(&ts->namehash[index], tag, namehash_entries);
+ /* Insert into taghash */
+ index = tag2hashindex(ts, new_tagid);
+ TAILQ_INSERT_TAIL(&ts->taghash[index], tag, taghash_entries);
+
return (tag->tag);
}
static void
-tag_unref(struct pf_tags *head, u_int16_t tag)
+tag_unref(struct pf_tagset *ts, u_int16_t tag)
{
- struct pf_tagname *p, *next;
-
+ struct pf_tagname *t;
+ uint16_t index;
+
PF_RULES_WASSERT();
- for (p = TAILQ_FIRST(head); p != NULL; p = next) {
- next = TAILQ_NEXT(p, entries);
- if (tag == p->tag) {
- if (--p->ref == 0) {
- TAILQ_REMOVE(head, p, entries);
- free(p, M_PFTAG);
+ index = tag2hashindex(ts, tag);
+ TAILQ_FOREACH(t, &ts->taghash[index], taghash_entries)
+ if (tag == t->tag) {
+ if (--t->ref == 0) {
+ TAILQ_REMOVE(&ts->taghash[index], t,
+ taghash_entries);
+ index = tagname2hashindex(ts, t->name);
+ TAILQ_REMOVE(&ts->namehash[index], t,
+ namehash_entries);
+ /* Bits are 0-based for BIT_SET() */
+ BIT_SET(TAGID_MAX, tag - 1, &ts->avail);
+ uma_zfree(V_pf_tag_z, t);
}
break;
}
- }
}
static u_int16_t
@@ -524,22 +627,25 @@ pf_qid_unref(u_int32_t qid)
static int
pf_begin_altq(u_int32_t *ticket)
{
- struct pf_altq *altq;
+ struct pf_altq *altq, *tmp;
int error = 0;
PF_RULES_WASSERT();
- /* Purge the old altq list */
- while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) {
- TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries);
- if (altq->qname[0] == 0 &&
- (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
+ /* Purge the old altq lists */
+ TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
+ if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
/* detach and destroy the discipline */
error = altq_remove(altq);
- } else
- pf_qid_unref(altq->qid);
+ }
free(altq, M_PFALTQ);
}
+ TAILQ_INIT(V_pf_altq_ifs_inactive);
+ TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
+ pf_qid_unref(altq->qid);
+ free(altq, M_PFALTQ);
+ }
+ TAILQ_INIT(V_pf_altqs_inactive);
if (error)
return (error);
*ticket = ++V_ticket_altqs_inactive;
@@ -550,24 +656,27 @@ pf_begin_altq(u_int32_t *ticket)
static int
pf_rollback_altq(u_int32_t ticket)
{
- struct pf_altq *altq;
+ struct pf_altq *altq, *tmp;
int error = 0;
PF_RULES_WASSERT();
if (!V_altqs_inactive_open || ticket != V_ticket_altqs_inactive)
return (0);
- /* Purge the old altq list */
- while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) {
- TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries);
- if (altq->qname[0] == 0 &&
- (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
+ /* Purge the old altq lists */
+ TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
+ if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
/* detach and destroy the discipline */
error = altq_remove(altq);
- } else
- pf_qid_unref(altq->qid);
+ }
free(altq, M_PFALTQ);
}
+ TAILQ_INIT(V_pf_altq_ifs_inactive);
+ TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
+ pf_qid_unref(altq->qid);
+ free(altq, M_PFALTQ);
+ }
+ TAILQ_INIT(V_pf_altqs_inactive);
V_altqs_inactive_open = 0;
return (error);
}
@@ -575,8 +684,8 @@ pf_rollback_altq(u_int32_t ticket)
static int
pf_commit_altq(u_int32_t ticket)
{
- struct pf_altqqueue *old_altqs;
- struct pf_altq *altq;
+ struct pf_altqqueue *old_altqs, *old_altq_ifs;
+ struct pf_altq *altq, *tmp;
int err, error = 0;
PF_RULES_WASSERT();
@@ -586,14 +695,16 @@ pf_commit_altq(u_int32_t ticket)
/* swap altqs, keep the old. */
old_altqs = V_pf_altqs_active;
+ old_altq_ifs = V_pf_altq_ifs_active;
V_pf_altqs_active = V_pf_altqs_inactive;
+ V_pf_altq_ifs_active = V_pf_altq_ifs_inactive;
V_pf_altqs_inactive = old_altqs;
+ V_pf_altq_ifs_inactive = old_altq_ifs;
V_ticket_altqs_active = V_ticket_altqs_inactive;
/* Attach new disciplines */
- TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
- if (altq->qname[0] == 0 &&
- (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
+ TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
+ if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
/* attach the discipline */
error = altq_pfattach(altq);
if (error == 0 && V_pf_altq_running)
@@ -603,11 +714,9 @@ pf_commit_altq(u_int32_t ticket)
}
}
- /* Purge the old altq list */
- while ((altq = TAILQ_FIRST(V_pf_altqs_inactive)) != NULL) {
- TAILQ_REMOVE(V_pf_altqs_inactive, altq, entries);
- if (altq->qname[0] == 0 &&
- (altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
+ /* Purge the old altq lists */
+ TAILQ_FOREACH_SAFE(altq, V_pf_altq_ifs_inactive, entries, tmp) {
+ if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
/* detach and destroy the discipline */
if (V_pf_altq_running)
error = pf_disable_altq(altq);
@@ -617,10 +726,15 @@ pf_commit_altq(u_int32_t ticket)
err = altq_remove(altq);
if (err != 0 && error == 0)
error = err;
- } else
- pf_qid_unref(altq->qid);
+ }
+ free(altq, M_PFALTQ);
+ }
+ TAILQ_INIT(V_pf_altq_ifs_inactive);
+ TAILQ_FOREACH_SAFE(altq, V_pf_altqs_inactive, entries, tmp) {
+ pf_qid_unref(altq->qid);
free(altq, M_PFALTQ);
}
+ TAILQ_INIT(V_pf_altqs_inactive);
V_altqs_inactive_open = 0;
return (error);
@@ -677,14 +791,46 @@ pf_disable_altq(struct pf_altq *altq)
return (error);
}
+static int
+pf_altq_ifnet_event_add(struct ifnet *ifp, int remove, u_int32_t ticket,
+ struct pf_altq *altq)
+{
+ struct ifnet *ifp1;
+ int error = 0;
+
+ /* Deactivate the interface in question */
+ altq->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
+ if ((ifp1 = ifunit(altq->ifname)) == NULL ||
+ (remove && ifp1 == ifp)) {
+ altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
+ } else {
+ error = altq_add(ifp1, altq);
+
+ if (ticket != V_ticket_altqs_inactive)
+ error = EBUSY;
+
+ if (error)
+ free(altq, M_PFALTQ);
+ }
+
+ return (error);
+}
+
void
pf_altq_ifnet_event(struct ifnet *ifp, int remove)
{
- struct ifnet *ifp1;
struct pf_altq *a1, *a2, *a3;
u_int32_t ticket;
int error = 0;
+ /*
+ * No need to re-evaluate the configuration for events on interfaces
+ * that do not support ALTQ, as it's not possible for such
+ * interfaces to be part of the configuration.
+ */
+ if (!ALTQ_IS_READY(&ifp->if_snd))
+ return;
+
/* Interrupt userland queue modifications */
if (V_altqs_inactive_open)
pf_rollback_altq(V_ticket_altqs_inactive);
@@ -694,7 +840,7 @@ pf_altq_ifnet_event(struct ifnet *ifp, int remove)
return;
/* Copy the current active set */
- TAILQ_FOREACH(a1, V_pf_altqs_active, entries) {
+ TAILQ_FOREACH(a1, V_pf_altq_ifs_active, entries) {
a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
if (a2 == NULL) {
error = ENOMEM;
@@ -702,41 +848,43 @@ pf_altq_ifnet_event(struct ifnet *ifp, int remove)
}
bcopy(a1, a2, sizeof(struct pf_altq));
- if (a2->qname[0] != 0) {
- if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
- error = EBUSY;
- free(a2, M_PFALTQ);
- break;
- }
- a2->altq_disc = NULL;
- TAILQ_FOREACH(a3, V_pf_altqs_inactive, entries) {
- if (strncmp(a3->ifname, a2->ifname,
- IFNAMSIZ) == 0 && a3->qname[0] == 0) {
- a2->altq_disc = a3->altq_disc;
- break;
- }
- }
- }
- /* Deactivate the interface in question */
- a2->local_flags &= ~PFALTQ_FLAG_IF_REMOVED;
- if ((ifp1 = ifunit(a2->ifname)) == NULL ||
- (remove && ifp1 == ifp)) {
- a2->local_flags |= PFALTQ_FLAG_IF_REMOVED;
- } else {
- error = altq_add(a2);
+ error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
+ if (error)
+ break;
- if (ticket != V_ticket_altqs_inactive)
- error = EBUSY;
+ TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, a2, entries);
+ }
+ if (error)
+ goto out;
+ TAILQ_FOREACH(a1, V_pf_altqs_active, entries) {
+ a2 = malloc(sizeof(*a2), M_PFALTQ, M_NOWAIT);
+ if (a2 == NULL) {
+ error = ENOMEM;
+ break;
+ }
+ bcopy(a1, a2, sizeof(struct pf_altq));
- if (error) {
- free(a2, M_PFALTQ);
+ if ((a2->qid = pf_qname2qid(a2->qname)) == 0) {
+ error = EBUSY;
+ free(a2, M_PFALTQ);
+ break;
+ }
+ a2->altq_disc = NULL;
+ TAILQ_FOREACH(a3, V_pf_altq_ifs_inactive, entries) {
+ if (strncmp(a3->ifname, a2->ifname,
+ IFNAMSIZ) == 0) {
+ a2->altq_disc = a3->altq_disc;
break;
}
}
+ error = pf_altq_ifnet_event_add(ifp, remove, ticket, a2);
+ if (error)
+ break;
TAILQ_INSERT_TAIL(V_pf_altqs_inactive, a2, entries);
}
+out:
if (error != 0)
pf_rollback_altq(ticket);
else
@@ -1214,6 +1362,28 @@ pf_import_kaltq(struct pfioc_altq_v1 *pa, struct pf_altq *q, size_t ioc_size)
return (0);
}
+
+static struct pf_altq *
+pf_altq_get_nth_active(u_int32_t n)
+{
+ struct pf_altq *altq;
+ u_int32_t nr;
+
+ nr = 0;
+ TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
+ if (nr == n)
+ return (altq);
+ nr++;
+ }
+
+ TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
+ if (nr == n)
+ return (altq);
+ nr++;
+ }
+
+ return (NULL);
+}
#endif /* ALTQ */
static int
@@ -2273,9 +2443,8 @@ DIOCGETSTATES_full:
PF_RULES_WLOCK();
/* enable all altq interfaces on active list */
- TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
- if (altq->qname[0] == 0 && (altq->local_flags &
- PFALTQ_FLAG_IF_REMOVED) == 0) {
+ TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
+ if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
error = pf_enable_altq(altq);
if (error != 0)
break;
@@ -2293,9 +2462,8 @@ DIOCGETSTATES_full:
PF_RULES_WLOCK();
/* disable all altq interfaces on active list */
- TAILQ_FOREACH(altq, V_pf_altqs_active, entries) {
- if (altq->qname[0] == 0 && (altq->local_flags &
- PFALTQ_FLAG_IF_REMOVED) == 0) {
+ TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries) {
+ if ((altq->local_flags & PFALTQ_FLAG_IF_REMOVED) == 0) {
error = pf_disable_altq(altq);
if (error != 0)
break;
@@ -2340,9 +2508,9 @@ DIOCGETSTATES_full:
break;
}
altq->altq_disc = NULL;
- TAILQ_FOREACH(a, V_pf_altqs_inactive, entries) {
+ TAILQ_FOREACH(a, V_pf_altq_ifs_inactive, entries) {
if (strncmp(a->ifname, altq->ifname,
- IFNAMSIZ) == 0 && a->qname[0] == 0) {
+ IFNAMSIZ) == 0) {
altq->altq_disc = a->altq_disc;
break;
}
@@ -2352,7 +2520,7 @@ DIOCGETSTATES_full:
if ((ifp = ifunit(altq->ifname)) == NULL)
altq->local_flags |= PFALTQ_FLAG_IF_REMOVED;
else
- error = altq_add(altq);
+ error = altq_add(ifp, altq);
if (error) {
PF_RULES_WUNLOCK();
@@ -2360,7 +2528,10 @@ DIOCGETSTATES_full:
break;
}
- TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries);
+ if (altq->qname[0] != 0)
+ TAILQ_INSERT_TAIL(V_pf_altqs_inactive, altq, entries);
+ else
+ TAILQ_INSERT_TAIL(V_pf_altq_ifs_inactive, altq, entries);
/* version error check done on import above */
pf_export_kaltq(altq, pa, IOCPARM_LEN(cmd));
PF_RULES_WUNLOCK();
@@ -2374,6 +2545,8 @@ DIOCGETSTATES_full:
PF_RULES_RLOCK();
pa->nr = 0;
+ TAILQ_FOREACH(altq, V_pf_altq_ifs_active, entries)
+ pa->nr++;
TAILQ_FOREACH(altq, V_pf_altqs_active, entries)
pa->nr++;
pa->ticket = V_ticket_altqs_active;
@@ -2385,7 +2558,6 @@ DIOCGETSTATES_full:
case DIOCGETALTQV1: {
struct pfioc_altq_v1 *pa = (struct pfioc_altq_v1 *)addr;
struct pf_altq *altq;
- u_int32_t nr;
PF_RULES_RLOCK();
if (pa->ticket != V_ticket_altqs_active) {
@@ -2393,12 +2565,7 @@ DIOCGETSTATES_full:
error = EBUSY;
break;
}
- nr = 0;
- altq = TAILQ_FIRST(V_pf_altqs_active);
- while ((altq != NULL) && (nr < pa->nr)) {
- altq = TAILQ_NEXT(altq, entries);
- nr++;
- }
+ altq = pf_altq_get_nth_active(pa->nr);
if (altq == NULL) {
PF_RULES_RUNLOCK();
error = EBUSY;
@@ -2419,7 +2586,6 @@ DIOCGETSTATES_full:
case DIOCGETQSTATSV1: {
struct pfioc_qstats_v1 *pq = (struct pfioc_qstats_v1 *)addr;
struct pf_altq *altq;
- u_int32_t nr;
int nbytes;
u_int32_t version;
@@ -2430,12 +2596,7 @@ DIOCGETSTATES_full:
break;
}
nbytes = pq->nbytes;
- nr = 0;
- altq = TAILQ_FIRST(V_pf_altqs_active);
- while ((altq != NULL) && (nr < pq->nr)) {
- altq = TAILQ_NEXT(altq, entries);
- nr++;
- }
+ altq = pf_altq_get_nth_active(pq->nr);
if (altq == NULL) {
PF_RULES_RUNLOCK();
error = EBUSY;
@@ -4163,8 +4324,15 @@ dehook_pf(void)
static void
pf_load_vnet(void)
{
- TAILQ_INIT(&V_pf_tags);
- TAILQ_INIT(&V_pf_qids);
+ V_pf_tag_z = uma_zcreate("pf tags", sizeof(struct pf_tagname),
+ NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
+
+ pf_init_tagset(&V_pf_tags, &pf_rule_tag_hashsize,
+ PF_RULE_TAG_HASH_SIZE_DEFAULT);
+#ifdef ALTQ
+ pf_init_tagset(&V_pf_qids, &pf_queue_tag_hashsize,
+ PF_QUEUE_TAG_HASH_SIZE_DEFAULT);
+#endif
pfattach_vnet();
V_pf_vnet_active = 1;
@@ -4231,6 +4399,12 @@ pf_unload_vnet(void)
if (IS_DEFAULT_VNET(curvnet))
pf_mtag_cleanup();
+ pf_cleanup_tagset(&V_pf_tags);
+#ifdef ALTQ
+ pf_cleanup_tagset(&V_pf_qids);
+#endif
+ uma_zdestroy(V_pf_tag_z);
+
/* Free counters last as we updated them during shutdown. */
counter_u64_free(V_pf_default_rule.states_cur);
counter_u64_free(V_pf_default_rule.states_tot);
diff --git a/freebsd/sys/netpfil/pf/pf_norm.c b/freebsd/sys/netpfil/pf/pf_norm.c
index 0f98c66..b4749e5 100644
--- a/freebsd/sys/netpfil/pf/pf_norm.c
+++ b/freebsd/sys/netpfil/pf/pf_norm.c
@@ -670,11 +670,11 @@ pf_reassemble6(struct mbuf **m0, struct ip6_hdr *ip6, struct ip6_frag *fraghdr,
}
/* We have all the data. */
+ frent = TAILQ_FIRST(&frag->fr_queue);
+ KASSERT(frent != NULL, ("frent != NULL"));
extoff = frent->fe_extoff;
maxlen = frag->fr_maxlen;
frag_id = frag->fr_id;
- frent = TAILQ_FIRST(&frag->fr_queue);
- KASSERT(frent != NULL, ("frent != NULL"));
total = TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_off +
TAILQ_LAST(&frag->fr_queue, pf_fragq)->fe_len;
hdrlen = frent->fe_hdrlen - sizeof(struct ip6_frag);
diff --git a/freebsd/sys/sys/mouse.h b/freebsd/sys/sys/mouse.h
index 882d59c..c2e41fe 100644
--- a/freebsd/sys/sys/mouse.h
+++ b/freebsd/sys/sys/mouse.h
@@ -136,6 +136,7 @@ typedef struct synapticshw {
int infoXupmm;
int infoYupmm;
int forcePad;
+ int topButtonPad;
} synapticshw_t;
/* iftype */
diff --git a/freebsd/sys/vm/uma_core.c b/freebsd/sys/vm/uma_core.c
index 740dea4..b553821 100644
--- a/freebsd/sys/vm/uma_core.c
+++ b/freebsd/sys/vm/uma_core.c
@@ -694,7 +694,7 @@ zone_timeout(uma_zone_t zone)
static int
hash_alloc(struct uma_hash *hash)
{
- int oldsize;
+ u_int oldsize;
size_t alloc;
oldsize = hash->uh_hashsize;
@@ -738,8 +738,8 @@ static int
hash_expand(struct uma_hash *oldhash, struct uma_hash *newhash)
{
uma_slab_t slab;
- int hval;
- int i;
+ u_int hval;
+ u_int idx;
if (!newhash->uh_slab_hash)
return (0);
@@ -752,10 +752,10 @@ hash_expand(struct uma_hash *oldhash, struct uma_hash *newhash)
* full rehash.
*/
- for (i = 0; i < oldhash->uh_hashsize; i++)
- while (!SLIST_EMPTY(&oldhash->uh_slab_hash[i])) {
- slab = SLIST_FIRST(&oldhash->uh_slab_hash[i]);
- SLIST_REMOVE_HEAD(&oldhash->uh_slab_hash[i], us_hlink);
+ for (idx = 0; idx < oldhash->uh_hashsize; idx++)
+ while (!SLIST_EMPTY(&oldhash->uh_slab_hash[idx])) {
+ slab = SLIST_FIRST(&oldhash->uh_slab_hash[idx]);
+ SLIST_REMOVE_HEAD(&oldhash->uh_slab_hash[idx], us_hlink);
hval = UMA_HASH(newhash, slab->us_data);
SLIST_INSERT_HEAD(&newhash->uh_slab_hash[hval],
slab, us_hlink);
diff --git a/freebsd/sys/vm/uma_int.h b/freebsd/sys/vm/uma_int.h
index 0fbc051..153fbcc 100644
--- a/freebsd/sys/vm/uma_int.h
+++ b/freebsd/sys/vm/uma_int.h
@@ -170,8 +170,8 @@ SLIST_HEAD(slabhead, uma_slab);
struct uma_hash {
struct slabhead *uh_slab_hash; /* Hash table for slabs */
- int uh_hashsize; /* Current size of the hash table */
- int uh_hashmask; /* Mask used during hashing */
+ u_int uh_hashsize; /* Current size of the hash table */
+ u_int uh_hashmask; /* Mask used during hashing */
};
/*
@@ -459,7 +459,7 @@ static __inline uma_slab_t
hash_sfind(struct uma_hash *hash, uint8_t *data)
{
uma_slab_t slab;
- int hval;
+ u_int hval;
hval = UMA_HASH(hash, data);
diff --git a/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h b/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h
index 29aeebc..1345e7e 100644
--- a/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h
+++ b/rtemsbsd/include/machine/rtems-bsd-kernel-namespace.h
@@ -2808,6 +2808,7 @@
#define M_OFWPROP _bsd_M_OFWPROP
#define m_pad _bsd_m_pad
#define M_PCB _bsd_M_PCB
+#define M_PFHASH _bsd_M_PFHASH
#define m_pkthdr_init _bsd_m_pkthdr_init
#define m_prepend _bsd_m_prepend
#define m_print _bsd_m_print
@@ -3164,6 +3165,8 @@
#define pf_addr_cmp _bsd_pf_addr_cmp
#define pf_addrcpy _bsd_pf_addrcpy
#define pf_addr_inc _bsd_pf_addr_inc
+#define pf_altq_ifs_active _bsd_pf_altq_ifs_active
+#define pf_altq_ifs_inactive _bsd_pf_altq_ifs_inactive
#define pf_altqs _bsd_pf_altqs
#define pf_altqs_active _bsd_pf_altqs_active
#define pf_altqs_inactive _bsd_pf_altqs_inactive
@@ -3320,7 +3323,6 @@
#define pf_purge_fragments _bsd_pf_purge_fragments
#define pf_purge_proc _bsd_pf_purge_proc
#define pf_purge_thread _bsd_pf_purge_thread
-#define pf_qids _bsd_pf_qids
#define pfr_add_addrs _bsd_pfr_add_addrs
#define pfr_add_tables _bsd_pfr_add_tables
#define pfr_attach_table _bsd_pfr_attach_table
@@ -3388,6 +3390,7 @@
#define pfsync_update_state_ptr _bsd_pfsync_update_state_ptr
#define pf_tag_packet _bsd_pf_tag_packet
#define pf_tags _bsd_pf_tags
+#define pf_tag_z _bsd_pf_tag_z
#define pf_tcp_iss_off _bsd_pf_tcp_iss_off
#define pf_tcp_secret _bsd_pf_tcp_secret
#define pf_tcp_secret_ctx _bsd_pf_tcp_secret_ctx
@@ -4501,8 +4504,6 @@
#define Skein_512_Output _bsd_Skein_512_Output
#define Skein_512_Process_Block _bsd_Skein_512_Process_Block
#define Skein_512_Update _bsd_Skein_512_Update
-#define Skein_Get64_LSB_First _bsd_Skein_Get64_LSB_First
-#define Skein_Put64_LSB_First _bsd_Skein_Put64_LSB_First
#define skipjack_backwards _bsd_skipjack_backwards
#define skipjack_forwards _bsd_skipjack_forwards
#define sl_compress_init _bsd_sl_compress_init
@@ -4712,6 +4713,7 @@
#define sysctl___kern _bsd_sysctl___kern
#define sysctl___kern_cam _bsd_sysctl___kern_cam
#define sysctl___kern_evdev _bsd_sysctl___kern_evdev
+#define sysctl___kern_evdev_input _bsd_sysctl___kern_evdev_input
#define sysctl___kern_features _bsd_sysctl___kern_features
#define sysctl___kern_ipc _bsd_sysctl___kern_ipc
#define sysctl_move_oid _bsd_sysctl_move_oid
diff --git a/rtemsbsd/include/rtems/bsd/local/usbdevs.h b/rtemsbsd/include/rtems/bsd/local/usbdevs.h
index 9cf8432..f0d49d9 100644
--- a/rtemsbsd/include/rtems/bsd/local/usbdevs.h
+++ b/rtemsbsd/include/rtems/bsd/local/usbdevs.h
@@ -4070,6 +4070,7 @@
#define USB_PRODUCT_SANDISK_SDCZ2_256 0x7104 /* Cruzer Mini 256MB */
#define USB_PRODUCT_SANDISK_SDCZ4_128 0x7112 /* Cruzer Micro 128MB */
#define USB_PRODUCT_SANDISK_SDCZ4_256 0x7113 /* Cruzer Micro 256MB */
+#define USB_PRODUCT_SANDISK_SDCZ48_32 0x5581 /* Ultra 32GB */
#define USB_PRODUCT_SANDISK_IMAGEMATE_SDDR289 0xb6ba /* ImageMate SDDR-289 */
/* Sanwa Electric Instrument Co., Ltd. products */
diff --git a/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h b/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h
index 9262659..3c7f334 100644
--- a/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h
+++ b/rtemsbsd/include/rtems/bsd/local/usbdevs_data.h
@@ -15080,6 +15080,12 @@ const struct usb_knowndev usb_knowndevs[] = {
"Cruzer Micro 256MB",
},
{
+ USB_VENDOR_SANDISK, USB_PRODUCT_SANDISK_SDCZ48_32,
+ 0,
+ "SanDisk",
+ "Ultra 32GB",
+ },
+ {
USB_VENDOR_SANDISK, USB_PRODUCT_SANDISK_IMAGEMATE_SDDR289,
0,
"SanDisk",
More information about the vc
mailing list