From bd3234b9ab9861929344642d61460322de6fdab4 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 9 Oct 2023 10:32:44 +0200 Subject: [PATCH 01/11] Avoid using gets as an argument name in a prototype This otherwise breaks compilation of applications using ssl.h on MingW. Fixes #22296 Reviewed-by: Richard Levitte Reviewed-by: Paul Dale Reviewed-by: Tim Hudson Reviewed-by: Kurt Roeckx Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/22316) (cherry picked from commit 2e471a740b621481b3f3236f82fdd677414900a1) Signed-off-by: fly2x --- include/openssl/bio.h.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/openssl/bio.h.in b/include/openssl/bio.h.in index c521e41e4a..cdc395b783 100644 --- a/include/openssl/bio.h.in +++ b/include/openssl/bio.h.in @@ -844,7 +844,7 @@ int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, - int (*gets) (BIO *, char *, int)); + int (*ossl_gets) (BIO *, char *, int)); long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); -- Gitee From c4730204025db8e3ee8ae5631786c046ad2a047c Mon Sep 17 00:00:00 2001 From: Alexey Fofanov Date: Wed, 25 Oct 2023 14:29:06 +0300 Subject: [PATCH 02/11] return 0 if an error occurred Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22504) (cherry picked from commit f0d88b4d070426493749cfd6b657e42dc3c2f5dd) Signed-off-by: fly2x --- crypto/http/http_client.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c index 92481d4751..cd4266ae27 100644 --- a/crypto/http/http_client.c +++ b/crypto/http/http_client.c @@ -488,13 +488,17 @@ static int parse_http_line1(char *line, int *found_keep_alive) static int check_set_resp_len(OSSL_HTTP_REQ_CTX *rctx, size_t len) { - if (rctx->max_resp_len != 0 && len > rctx->max_resp_len) + if (rctx->max_resp_len != 0 && len > rctx->max_resp_len) { ERR_raise_data(ERR_LIB_HTTP, HTTP_R_MAX_RESP_LEN_EXCEEDED, "length=%zu, max=%zu", len, rctx->max_resp_len); - if (rctx->resp_len != 0 && rctx->resp_len != len) + return 0; + } + if (rctx->resp_len != 0 && rctx->resp_len != len) { ERR_raise_data(ERR_LIB_HTTP, HTTP_R_INCONSISTENT_CONTENT_LENGTH, "ASN.1 length=%zu, Content-Length=%zu", len, rctx->resp_len); + return 0; + } rctx->resp_len = len; return 1; } -- Gitee From 1d0cbdb0cf2b95ccdd7a2ac7e32e5a8871120ddc Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Sat, 21 Oct 2023 13:03:52 -0700 Subject: [PATCH 03/11] Link libatomic on riscv32 GCC toolchains on linux are not able to build libcrypto without linking to libatomic as it does not have all needed atomics implemented as intrinsics Fixes errors like | ld: ./libcrypto.so: undefined reference to `__atomic_is_lock_free' CLA: trivial Signed-off-by: Khem Raj Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22460) (cherry picked from commit d2e03c60347e19509e18a33ecb7f74502feb42ef) Signed-off-by: fly2x --- Configurations/10-main.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index aedfa370ca..ef49354f64 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -823,7 +823,7 @@ my %targets = ( }, "linux32-riscv32" => { - inherit_from => [ "linux-generic32"], + inherit_from => [ "linux-latomic" ], perlasm_scheme => "linux32", asm_arch => 'riscv32', }, -- Gitee From 6ccba39c0d9e0de5bb7030b75b77f21cbe666bca Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 18 Oct 2023 15:50:30 +0200 Subject: [PATCH 04/11] bn: Properly error out if aliasing return value with modulus Test case amended from code initially written by Bernd Edlinger. Fixes #21110 Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22421) (cherry picked from commit af0025fc40779cc98c06db7e29936f9d5de8cc9e) Signed-off-by: fly2x --- crypto/bn/bn_exp.c | 21 ++++++++ crypto/bn/bn_mod.c | 10 ++++ doc/man3/BN_add.pod | 5 ++ doc/man3/BN_mod_inverse.pod | 6 ++- test/bntest.c | 104 ++++++++++++++++++++++++++++++++++++ 5 files changed, 145 insertions(+), 1 deletion(-) diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index 4d02dcda53..8700a25a14 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -243,6 +243,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, wstart = bits - 1; /* The top bit of the window */ wend = 0; /* The bottom bit of the window */ + if (r == p) { + BIGNUM *p_dup = BN_CTX_get(ctx); + + if (p_dup == NULL || BN_copy(p_dup, p) == NULL) + goto err; + p = p_dup; + } + if (!BN_one(r)) goto err; @@ -1317,6 +1325,11 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, return 0; } + if (r == m) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1, or x**0 mod -1 is still zero. */ @@ -1362,6 +1375,14 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, wstart = bits - 1; /* The top bit of the window */ wend = 0; /* The bottom bit of the window */ + if (r == p) { + BIGNUM *p_dup = BN_CTX_get(ctx); + + if (p_dup == NULL || BN_copy(p_dup, p) == NULL) + goto err; + p = p_dup; + } + if (!BN_one(r)) goto err; diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c index 7f5afa25ec..2dda2e3442 100644 --- a/crypto/bn/bn_mod.c +++ b/crypto/bn/bn_mod.c @@ -17,6 +17,11 @@ int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) * always holds) */ + if (r == d) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + if (!(BN_mod(r, m, d, ctx))) return 0; if (!r->neg) @@ -186,6 +191,11 @@ int bn_mod_sub_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { + if (r == m) { + ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + if (!BN_sub(r, a, b)) return 0; if (r->neg) diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod index 9561d55431..35cfdd1495 100644 --- a/doc/man3/BN_add.pod +++ b/doc/man3/BN_add.pod @@ -114,6 +114,11 @@ temporary variables; see L. Unless noted otherwise, the result B must be different from the arguments. +=head1 NOTES + +For modular operations such as BN_nnmod() or BN_mod_exp() it is an error +to use the same B object for the modulus as for the output. + =head1 RETURN VALUES The BN_mod_sqrt() returns the result (possibly incorrect if I

is diff --git a/doc/man3/BN_mod_inverse.pod b/doc/man3/BN_mod_inverse.pod index 5dbb5c3cc2..f88e0e63fa 100644 --- a/doc/man3/BN_mod_inverse.pod +++ b/doc/man3/BN_mod_inverse.pod @@ -18,7 +18,11 @@ places the result in B (C<(a*r)%n==1>). If B is NULL, a new B is created. B is a previously allocated B used for temporary -variables. B may be the same B as B or B. +variables. B may be the same B as B. + +=head1 NOTES + +It is an error to use the same B as B. =head1 RETURN VALUES diff --git a/test/bntest.c b/test/bntest.c index a91ba7f4d1..e8c8ca4f8d 100644 --- a/test/bntest.c +++ b/test/bntest.c @@ -2963,6 +2963,108 @@ err: return res; } +static int test_mod_inverse(void) +{ + int res = 0; + char *str = NULL; + BIGNUM *a = NULL; + BIGNUM *b = NULL; + BIGNUM *r = NULL; + + if (!TEST_true(BN_dec2bn(&a, "5193817943"))) + goto err; + if (!TEST_true(BN_dec2bn(&b, "3259122431"))) + goto err; + if (!TEST_ptr(r = BN_new())) + goto err; + if (!TEST_ptr_eq(BN_mod_inverse(r, a, b, ctx), r)) + goto err; + if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL)) + goto err; + if (!TEST_int_eq(strcmp(str, "2609653924"), 0)) + goto err; + + /* Note that this aliases the result with the modulus. */ + if (!TEST_ptr_null(BN_mod_inverse(b, a, b, ctx))) + goto err; + + res = 1; + +err: + BN_free(a); + BN_free(b); + BN_free(r); + OPENSSL_free(str); + return res; +} + +static int test_mod_exp_alias(int idx) +{ + int res = 0; + char *str = NULL; + BIGNUM *a = NULL; + BIGNUM *b = NULL; + BIGNUM *c = NULL; + BIGNUM *r = NULL; + + if (!TEST_true(BN_dec2bn(&a, "15"))) + goto err; + if (!TEST_true(BN_dec2bn(&b, "10"))) + goto err; + if (!TEST_true(BN_dec2bn(&c, "39"))) + goto err; + if (!TEST_ptr(r = BN_new())) + goto err; + + if (!TEST_int_eq((idx == 0 ? BN_mod_exp_simple + : BN_mod_exp_recp)(r, a, b, c, ctx), 1)) + goto err; + if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL)) + goto err; + if (!TEST_str_eq(str, "36")) + goto err; + + OPENSSL_free(str); + str = NULL; + + BN_copy(r, b); + + /* Aliasing with exponent must work. */ + if (!TEST_int_eq((idx == 0 ? BN_mod_exp_simple + : BN_mod_exp_recp)(r, a, r, c, ctx), 1)) + goto err; + if (!TEST_ptr_ne(str = BN_bn2dec(r), NULL)) + goto err; + if (!TEST_str_eq(str, "36")) + goto err; + + OPENSSL_free(str); + str = NULL; + + /* Aliasing with modulus should return failure for the simple call. */ + if (idx == 0) { + if (!TEST_int_eq(BN_mod_exp_simple(c, a, b, c, ctx), 0)) + goto err; + } else { + if (!TEST_int_eq(BN_mod_exp_recp(c, a, b, c, ctx), 1)) + goto err; + if (!TEST_ptr_ne(str = BN_bn2dec(c), NULL)) + goto err; + if (!TEST_str_eq(str, "36")) + goto err; + } + + res = 1; + +err: + BN_free(a); + BN_free(b); + BN_free(c); + BN_free(r); + OPENSSL_free(str); + return res; +} + static int file_test_run(STANZA *s) { static const FILETEST filetests[] = { @@ -3072,6 +3174,8 @@ int setup_tests(void) ADD_ALL_TESTS(test_signed_mod_replace_ab, OSSL_NELEM(signed_mod_tests)); ADD_ALL_TESTS(test_signed_mod_replace_ba, OSSL_NELEM(signed_mod_tests)); ADD_TEST(test_mod); + ADD_TEST(test_mod_inverse); + ADD_ALL_TESTS(test_mod_exp_alias, 2); ADD_TEST(test_modexp_mont5); ADD_TEST(test_kronecker); ADD_TEST(test_rand); -- Gitee From 7aab9cdd16dad472b877860e522b2fa8c6cf8138 Mon Sep 17 00:00:00 2001 From: trigpolynom Date: Tue, 17 Oct 2023 22:44:45 -0400 Subject: [PATCH 05/11] aes-gcm-avx512.pl: fix non-reproducibility issue Replace the random suffix with a counter, to make the build reproducible. Fixes #20954 Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre Reviewed-by: Tom Cosgrove Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22415) (cherry picked from commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf) Signed-off-by: fly2x --- crypto/modes/asm/aes-gcm-avx512.pl | 324 ++++++++++++++--------------- 1 file changed, 159 insertions(+), 165 deletions(-) diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl index 9d83abf4da..f404149e5e 100644 --- a/crypto/modes/asm/aes-gcm-avx512.pl +++ b/crypto/modes/asm/aes-gcm-avx512.pl @@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE); # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11); +# ; Counter used for assembly label generation +my $label_count = 0; + # ; This implementation follows the convention: for non-leaf functions (they # ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from # ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This @@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (a # ;;; Helper functions # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -# ; Generates "random" local labels -sub random_string() { - my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); - my $length = 15; - my $str; - map { $str .= $chars[rand(33)] } 1 .. $length; - return $str; -} - sub BYTE { my ($reg) = @_; if ($reg =~ /%r[abcd]x/i) { @@ -417,7 +411,7 @@ ___ sub EPILOG { my ($hkeys_storage_on_stack, $payload_len) = @_; - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) { @@ -425,13 +419,13 @@ sub EPILOG { # ; were stored in the local frame storage $code .= <<___; cmpq \$`16*16`,$payload_len - jbe .Lskip_hkeys_cleanup_${rndsuffix} + jbe .Lskip_hkeys_cleanup_${label_suffix} vpxor %xmm0,%xmm0,%xmm0 ___ for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) { $code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n"; } - $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n"; + $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n"; } if ($CLEAR_SCRATCH_REGISTERS) { @@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack { && $HKEYS_RANGE ne "first32" && $HKEYS_RANGE ne "last32"); - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; $code .= <<___; test $HKEYS_READY,$HKEYS_READY - jnz .L_skip_hkeys_precomputation_${rndsuffix} + jnz .L_skip_hkeys_precomputation_${label_suffix} ___ if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") { @@ -615,7 +609,7 @@ ___ } } - $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n"; + $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n"; } # ;; ============================================================================= @@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH { my $SHFMSK = $ZT13; - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; $code .= <<___; mov $A_IN,$T1 # ; T1 = AAD mov $A_LEN,$T2 # ; T2 = aadLen or $T2,$T2 - jz .L_CALC_AAD_done_${rndsuffix} + jz .L_CALC_AAD_done_${label_suffix} xor $HKEYS_READY,$HKEYS_READY vmovdqa64 SHUF_MASK(%rip),$SHFMSK -.L_get_AAD_loop48x16_${rndsuffix}: +.L_get_AAD_loop48x16_${label_suffix}: cmp \$`(48*16)`,$T2 - jl .L_exit_AAD_loop48x16_${rndsuffix} + jl .L_exit_AAD_loop48x16_${label_suffix} ___ $code .= <<___; @@ -1499,15 +1493,15 @@ ___ $code .= <<___; sub \$`(48*16)`,$T2 - je .L_CALC_AAD_done_${rndsuffix} + je .L_CALC_AAD_done_${label_suffix} add \$`(48*16)`,$T1 - jmp .L_get_AAD_loop48x16_${rndsuffix} + jmp .L_get_AAD_loop48x16_${label_suffix} -.L_exit_AAD_loop48x16_${rndsuffix}: +.L_exit_AAD_loop48x16_${label_suffix}: # ; Less than 48x16 bytes remaining cmp \$`(32*16)`,$T2 - jl .L_less_than_32x16_${rndsuffix} + jl .L_less_than_32x16_${label_suffix} ___ $code .= <<___; @@ -1556,14 +1550,14 @@ ___ $code .= <<___; sub \$`(32*16)`,$T2 - je .L_CALC_AAD_done_${rndsuffix} + je .L_CALC_AAD_done_${label_suffix} add \$`(32*16)`,$T1 - jmp .L_less_than_16x16_${rndsuffix} + jmp .L_less_than_16x16_${label_suffix} -.L_less_than_32x16_${rndsuffix}: +.L_less_than_32x16_${label_suffix}: cmp \$`(16*16)`,$T2 - jl .L_less_than_16x16_${rndsuffix} + jl .L_less_than_16x16_${label_suffix} # ; Get next 16 blocks vmovdqu64 `64*0`($T1),$ZT1 vmovdqu64 `64*1`($T1),$ZT2 @@ -1588,11 +1582,11 @@ ___ $code .= <<___; sub \$`(16*16)`,$T2 - je .L_CALC_AAD_done_${rndsuffix} + je .L_CALC_AAD_done_${label_suffix} add \$`(16*16)`,$T1 # ; Less than 16x16 bytes remaining -.L_less_than_16x16_${rndsuffix}: +.L_less_than_16x16_${label_suffix}: # ;; prep mask source address lea byte64_len_to_mask_table(%rip),$T3 lea ($T3,$T2,8),$T3 @@ -1601,28 +1595,28 @@ ___ add \$15,@{[DWORD($T2)]} shr \$4,@{[DWORD($T2)]} cmp \$2,@{[DWORD($T2)]} - jb .L_AAD_blocks_1_${rndsuffix} - je .L_AAD_blocks_2_${rndsuffix} + jb .L_AAD_blocks_1_${label_suffix} + je .L_AAD_blocks_2_${label_suffix} cmp \$4,@{[DWORD($T2)]} - jb .L_AAD_blocks_3_${rndsuffix} - je .L_AAD_blocks_4_${rndsuffix} + jb .L_AAD_blocks_3_${label_suffix} + je .L_AAD_blocks_4_${label_suffix} cmp \$6,@{[DWORD($T2)]} - jb .L_AAD_blocks_5_${rndsuffix} - je .L_AAD_blocks_6_${rndsuffix} + jb .L_AAD_blocks_5_${label_suffix} + je .L_AAD_blocks_6_${label_suffix} cmp \$8,@{[DWORD($T2)]} - jb .L_AAD_blocks_7_${rndsuffix} - je .L_AAD_blocks_8_${rndsuffix} + jb .L_AAD_blocks_7_${label_suffix} + je .L_AAD_blocks_8_${label_suffix} cmp \$10,@{[DWORD($T2)]} - jb .L_AAD_blocks_9_${rndsuffix} - je .L_AAD_blocks_10_${rndsuffix} + jb .L_AAD_blocks_9_${label_suffix} + je .L_AAD_blocks_10_${label_suffix} cmp \$12,@{[DWORD($T2)]} - jb .L_AAD_blocks_11_${rndsuffix} - je .L_AAD_blocks_12_${rndsuffix} + jb .L_AAD_blocks_11_${label_suffix} + je .L_AAD_blocks_12_${label_suffix} cmp \$14,@{[DWORD($T2)]} - jb .L_AAD_blocks_13_${rndsuffix} - je .L_AAD_blocks_14_${rndsuffix} + jb .L_AAD_blocks_13_${label_suffix} + je .L_AAD_blocks_14_${label_suffix} cmp \$15,@{[DWORD($T2)]} - je .L_AAD_blocks_15_${rndsuffix} + je .L_AAD_blocks_15_${label_suffix} ___ # ;; fall through for 16 blocks @@ -1635,7 +1629,7 @@ ___ # ;; - jump to reduction code for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) { - $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n"; + $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n"; if ($aad_blocks > 12) { $code .= "sub \$`12*16*8`, $T3\n"; } elsif ($aad_blocks > 8) { @@ -1656,11 +1650,11 @@ ___ if ($aad_blocks > 1) { # ;; fall through to CALC_AAD_done in 1 block case - $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n"; + $code .= "jmp .L_CALC_AAD_done_${label_suffix}\n"; } } - $code .= ".L_CALC_AAD_done_${rndsuffix}:\n"; + $code .= ".L_CALC_AAD_done_${label_suffix}:\n"; # ;; result in AAD_HASH } @@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK { my $IA1 = $GPTMP2; my $IA2 = $GPTMP0; - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; $code .= <<___; # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero mov ($PBLOCK_LEN),$LENGTH or $LENGTH,$LENGTH - je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks + je .L_partial_block_done_${label_suffix} # ;Leave Macro if no partial blocks ___ &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG); @@ -1755,9 +1749,9 @@ ___ } $code .= <<___; sub \$16,$IA1 - jge .L_no_extra_mask_${rndsuffix} + jge .L_no_extra_mask_${label_suffix} sub $IA1,$IA0 -.L_no_extra_mask_${rndsuffix}: +.L_no_extra_mask_${label_suffix}: # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1 # ;; - mask out bottom $LENGTH bytes of $XTMP1 # ;; sizeof(SHIFT_MASK) == 16 bytes @@ -1781,7 +1775,7 @@ ___ } $code .= <<___; cmp \$0,$IA1 - jl .L_partial_incomplete_${rndsuffix} + jl .L_partial_incomplete_${label_suffix} ___ # ;; GHASH computation for the last <16 Byte block @@ -1793,9 +1787,9 @@ ___ mov $LENGTH,$IA0 mov \$16,$LENGTH sub $IA0,$LENGTH - jmp .L_enc_dec_done_${rndsuffix} + jmp .L_enc_dec_done_${label_suffix} -.L_partial_incomplete_${rndsuffix}: +.L_partial_incomplete_${label_suffix}: ___ if ($win64) { $code .= <<___; @@ -1808,7 +1802,7 @@ ___ $code .= <<___; mov $PLAIN_CIPH_LEN,$LENGTH -.L_enc_dec_done_${rndsuffix}: +.L_enc_dec_done_${label_suffix}: # ;; output encrypted Bytes lea byte_len_to_mask_table(%rip),$IA0 @@ -1826,7 +1820,7 @@ ___ $code .= <<___; mov $CIPH_PLAIN_OUT,$IA0 vmovdqu8 $XTMP1,($IA0){$MASKREG} -.L_partial_block_done_${rndsuffix}: +.L_partial_block_done_${label_suffix}: ___ } @@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { my $GM = $_[23]; # [in] ZMM with mid prodcut part my $GL = $_[24]; # [in] ZMM with lo product part - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; # ;;; - Hash all but the last partial block of data @@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { # ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16. # ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256. cmp \$16,$LENGTH - jl .L_small_initial_partial_block_${rndsuffix} + jl .L_small_initial_partial_block_${label_suffix} # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; # ;;; Handle a full length final block - encrypt and hash all blocks @@ -2056,11 +2050,11 @@ ___ &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL); } - $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n"; + $code .= "jmp .L_small_initial_compute_done_${label_suffix}\n"; } $code .= <<___; -.L_small_initial_partial_block_${rndsuffix}: +.L_small_initial_partial_block_${label_suffix}: # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; # ;;; Handle ghash for a <16B final block @@ -2125,7 +2119,7 @@ ___ # ;; a partial block of data, so xor that into the hash. vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT # ;; The result is in $HASH_IN_OUT - jmp .L_after_reduction_${rndsuffix} + jmp .L_after_reduction_${label_suffix} ___ } @@ -2133,7 +2127,7 @@ ___ # ;;; After GHASH reduction # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; - $code .= ".L_small_initial_compute_done_${rndsuffix}:\n"; + $code .= ".L_small_initial_compute_done_${label_suffix}:\n"; # ;; If using init/update/finalize, we need to xor any partial block data # ;; into the hash. @@ -2144,13 +2138,13 @@ ___ $code .= <<___; # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero or $LENGTH,$LENGTH - je .L_after_reduction_${rndsuffix} + je .L_after_reduction_${label_suffix} ___ } $code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n"; } - $code .= ".L_after_reduction_${rndsuffix}:\n"; + $code .= ".L_after_reduction_${label_suffix}:\n"; # ;; Final hash is now in HASH_IN_OUT } @@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N { die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n" if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; my $GH1H = $HASH_IN_OUT; @@ -2326,16 +2320,16 @@ ___ $code .= <<___; cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]} - jae .L_16_blocks_overflow_${rndsuffix} + jae .L_16_blocks_overflow_${label_suffix} ___ &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE, $B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4); $code .= <<___; - jmp .L_16_blocks_ok_${rndsuffix} + jmp .L_16_blocks_ok_${label_suffix} -.L_16_blocks_overflow_${rndsuffix}: +.L_16_blocks_overflow_${label_suffix}: vpshufb $SHFMSK,$CTR_BE,$CTR_BE vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 ___ @@ -2355,7 +2349,7 @@ ___ $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03, $B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK); $code .= <<___; -.L_16_blocks_ok_${rndsuffix}: +.L_16_blocks_ok_${label_suffix}: # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; # ;; - pre-load constants @@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST { my $MASKREG = $_[44]; # [clobbered] mask register my $PBLOCK_LEN = $_[45]; # [in] partial block length - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; $code .= <<___; mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]} add \$15,@{[DWORD($IA0)]} shr \$4,@{[DWORD($IA0)]} - je .L_last_num_blocks_is_0_${rndsuffix} + je .L_last_num_blocks_is_0_${label_suffix} cmp \$8,@{[DWORD($IA0)]} - je .L_last_num_blocks_is_8_${rndsuffix} - jb .L_last_num_blocks_is_7_1_${rndsuffix} + je .L_last_num_blocks_is_8_${label_suffix} + jb .L_last_num_blocks_is_7_1_${label_suffix} cmp \$12,@{[DWORD($IA0)]} - je .L_last_num_blocks_is_12_${rndsuffix} - jb .L_last_num_blocks_is_11_9_${rndsuffix} + je .L_last_num_blocks_is_12_${label_suffix} + jb .L_last_num_blocks_is_11_9_${label_suffix} # ;; 16, 15, 14 or 13 cmp \$15,@{[DWORD($IA0)]} - je .L_last_num_blocks_is_15_${rndsuffix} - ja .L_last_num_blocks_is_16_${rndsuffix} + je .L_last_num_blocks_is_15_${label_suffix} + ja .L_last_num_blocks_is_16_${label_suffix} cmp \$14,@{[DWORD($IA0)]} - je .L_last_num_blocks_is_14_${rndsuffix} - jmp .L_last_num_blocks_is_13_${rndsuffix} + je .L_last_num_blocks_is_14_${label_suffix} + jmp .L_last_num_blocks_is_13_${label_suffix} -.L_last_num_blocks_is_11_9_${rndsuffix}: +.L_last_num_blocks_is_11_9_${label_suffix}: # ;; 11, 10 or 9 cmp \$10,@{[DWORD($IA0)]} - je .L_last_num_blocks_is_10_${rndsuffix} - ja .L_last_num_blocks_is_11_${rndsuffix} - jmp .L_last_num_blocks_is_9_${rndsuffix} + je .L_last_num_blocks_is_10_${label_suffix} + ja .L_last_num_blocks_is_11_${label_suffix} + jmp .L_last_num_blocks_is_9_${label_suffix} -.L_last_num_blocks_is_7_1_${rndsuffix}: +.L_last_num_blocks_is_7_1_${label_suffix}: cmp \$4,@{[DWORD($IA0)]} - je .L_last_num_blocks_is_4_${rndsuffix} - jb .L_last_num_blocks_is_3_1_${rndsuffix} + je .L_last_num_blocks_is_4_${label_suffix} + jb .L_last_num_blocks_is_3_1_${label_suffix} # ;; 7, 6 or 5 cmp \$6,@{[DWORD($IA0)]} - ja .L_last_num_blocks_is_7_${rndsuffix} - je .L_last_num_blocks_is_6_${rndsuffix} - jmp .L_last_num_blocks_is_5_${rndsuffix} + ja .L_last_num_blocks_is_7_${label_suffix} + je .L_last_num_blocks_is_6_${label_suffix} + jmp .L_last_num_blocks_is_5_${label_suffix} -.L_last_num_blocks_is_3_1_${rndsuffix}: +.L_last_num_blocks_is_3_1_${label_suffix}: # ;; 3, 2 or 1 cmp \$2,@{[DWORD($IA0)]} - ja .L_last_num_blocks_is_3_${rndsuffix} - je .L_last_num_blocks_is_2_${rndsuffix} + ja .L_last_num_blocks_is_3_${label_suffix} + je .L_last_num_blocks_is_2_${label_suffix} ___ # ;; fall through for `jmp .L_last_num_blocks_is_1` @@ -2859,7 +2853,7 @@ ___ # ;; Use rep to generate different block size variants # ;; - one block size has to be the first one for my $num_blocks (1 .. 16) { - $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; + $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n"; &GHASH_16_ENCRYPT_N_GHASH_N( $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, $LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET, @@ -2872,10 +2866,10 @@ ___ $ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG, $num_blocks, $PBLOCK_LEN); - $code .= "jmp .L_last_blocks_done_${rndsuffix}\n"; + $code .= "jmp .L_last_blocks_done_${label_suffix}\n"; } - $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n"; + $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n"; # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction # ;; - convert mid into end_reduce @@ -2891,7 +2885,7 @@ ___ $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01, $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09); - $code .= ".L_last_blocks_done_${rndsuffix}:\n"; + $code .= ".L_last_blocks_done_${label_suffix}:\n"; } # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; @@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { my $GHDAT1 = $ZT21; my $GHDAT2 = $ZT22; - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; # ;; prepare counter blocks $code .= <<___; cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} - jae .L_16_blocks_overflow_${rndsuffix} + jae .L_16_blocks_overflow_${label_suffix} vpaddd $ADDBE_1234,$CTR_BE,$B00_03 vpaddd $ADDBE_4x4,$B00_03,$B04_07 vpaddd $ADDBE_4x4,$B04_07,$B08_11 vpaddd $ADDBE_4x4,$B08_11,$B12_15 - jmp .L_16_blocks_ok_${rndsuffix} -.L_16_blocks_overflow_${rndsuffix}: + jmp .L_16_blocks_ok_${label_suffix} +.L_16_blocks_overflow_${label_suffix}: vpshufb $SHFMSK,$CTR_BE,$CTR_BE vmovdqa64 ddq_add_4444(%rip),$B12_15 vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 @@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { vpshufb $SHFMSK,$B04_07,$B04_07 vpshufb $SHFMSK,$B08_11,$B08_11 vpshufb $SHFMSK,$B12_15,$B12_15 -.L_16_blocks_ok_${rndsuffix}: +.L_16_blocks_ok_${label_suffix}: ___ # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; @@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK { my $XMM0 = $_[1]; # ; [in/out] my $GPR1 = $_[2]; # ; [clobbered] - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; $code .= <<___; # ; load number of rounds from AES_KEY structure (offset in bytes is # ; size of the |rd_key| buffer) mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]} cmp \$9,@{[DWORD($GPR1)]} - je .Laes_128_${rndsuffix} + je .Laes_128_${label_suffix} cmp \$11,@{[DWORD($GPR1)]} - je .Laes_192_${rndsuffix} + je .Laes_192_${label_suffix} cmp \$13,@{[DWORD($GPR1)]} - je .Laes_256_${rndsuffix} - jmp .Lexit_aes_${rndsuffix} + je .Laes_256_${label_suffix} + jmp .Lexit_aes_${label_suffix} ___ for my $keylen (sort keys %aes_rounds) { my $nr = $aes_rounds{$keylen}; $code .= <<___; .align 32 -.Laes_${keylen}_${rndsuffix}: +.Laes_${keylen}_${label_suffix}: ___ $code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n"; for (my $i = 1; $i <= $nr; $i++) { @@ -3364,10 +3358,10 @@ ___ } $code .= <<___; vaesenclast `16*($nr+1)`($AES_KEY),$XMM0,$XMM0 - jmp .Lexit_aes_${rndsuffix} + jmp .Lexit_aes_${label_suffix} ___ } - $code .= ".Lexit_aes_${rndsuffix}:\n\n"; + $code .= ".Lexit_aes_${label_suffix}:\n\n"; } sub CALC_J0 { @@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL { my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask my $PBLOCK_LEN = $_[30]; # [in] partial block length - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; $code .= <<___; cmp \$8,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_8_${rndsuffix} - jl .L_small_initial_num_blocks_is_7_1_${rndsuffix} + je .L_small_initial_num_blocks_is_8_${label_suffix} + jl .L_small_initial_num_blocks_is_7_1_${label_suffix} cmp \$12,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_12_${rndsuffix} - jl .L_small_initial_num_blocks_is_11_9_${rndsuffix} + je .L_small_initial_num_blocks_is_12_${label_suffix} + jl .L_small_initial_num_blocks_is_11_9_${label_suffix} # ;; 16, 15, 14 or 13 cmp \$16,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_16_${rndsuffix} + je .L_small_initial_num_blocks_is_16_${label_suffix} cmp \$15,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_15_${rndsuffix} + je .L_small_initial_num_blocks_is_15_${label_suffix} cmp \$14,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_14_${rndsuffix} - jmp .L_small_initial_num_blocks_is_13_${rndsuffix} + je .L_small_initial_num_blocks_is_14_${label_suffix} + jmp .L_small_initial_num_blocks_is_13_${label_suffix} -.L_small_initial_num_blocks_is_11_9_${rndsuffix}: +.L_small_initial_num_blocks_is_11_9_${label_suffix}: # ;; 11, 10 or 9 cmp \$11,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_11_${rndsuffix} + je .L_small_initial_num_blocks_is_11_${label_suffix} cmp \$10,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_10_${rndsuffix} - jmp .L_small_initial_num_blocks_is_9_${rndsuffix} + je .L_small_initial_num_blocks_is_10_${label_suffix} + jmp .L_small_initial_num_blocks_is_9_${label_suffix} -.L_small_initial_num_blocks_is_7_1_${rndsuffix}: +.L_small_initial_num_blocks_is_7_1_${label_suffix}: cmp \$4,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_4_${rndsuffix} - jl .L_small_initial_num_blocks_is_3_1_${rndsuffix} + je .L_small_initial_num_blocks_is_4_${label_suffix} + jl .L_small_initial_num_blocks_is_3_1_${label_suffix} # ;; 7, 6 or 5 cmp \$7,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_7_${rndsuffix} + je .L_small_initial_num_blocks_is_7_${label_suffix} cmp \$6,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_6_${rndsuffix} - jmp .L_small_initial_num_blocks_is_5_${rndsuffix} + je .L_small_initial_num_blocks_is_6_${label_suffix} + jmp .L_small_initial_num_blocks_is_5_${label_suffix} -.L_small_initial_num_blocks_is_3_1_${rndsuffix}: +.L_small_initial_num_blocks_is_3_1_${label_suffix}: # ;; 3, 2 or 1 cmp \$3,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_3_${rndsuffix} + je .L_small_initial_num_blocks_is_3_${label_suffix} cmp \$2,$NUM_BLOCKS - je .L_small_initial_num_blocks_is_2_${rndsuffix} + je .L_small_initial_num_blocks_is_2_${label_suffix} # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed @@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL { ___ for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) { - $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; + $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n"; &INITIAL_BLOCKS_PARTIAL( $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET, $num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1, @@ -3625,11 +3619,11 @@ ___ $ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN); if ($num_blocks != 16) { - $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n"; + $code .= "jmp .L_small_initial_blocks_encrypted_${label_suffix}\n"; } } - $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n"; + $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n"; } # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; @@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC { my $MASKREG = "%k1"; - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; # ;; reduction every 48 blocks, depth 32 blocks # ;; @note 48 blocks is the maximum capacity of the stack frame @@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC { } else { $code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n"; } - $code .= "je .L_enc_dec_done_${rndsuffix}\n"; + $code .= "je .L_enc_dec_done_${label_suffix}\n"; # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc' @@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC { # ;; There may be no more data if it was consumed in the partial block. $code .= <<___; sub $DATA_OFFSET,$LENGTH - je .L_enc_dec_done_${rndsuffix} + je .L_enc_dec_done_${label_suffix} ___ $code .= <<___; cmp \$`(16 * 16)`,$LENGTH - jbe .L_message_below_equal_16_blocks_${rndsuffix} + jbe .L_message_below_equal_16_blocks_${label_suffix} vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4 @@ -3815,7 +3809,7 @@ ___ $code .= <<___; cmp \$`(32 * 16)`,$LENGTH - jb .L_message_below_32_blocks_${rndsuffix} + jb .L_message_below_32_blocks_${label_suffix} ___ # ;; ==== AES-CTR - next 16 blocks @@ -3836,13 +3830,13 @@ ___ sub \$`(32 * 16)`,$LENGTH cmp \$`($big_loop_nblocks * 16)`,$LENGTH - jb .L_no_more_big_nblocks_${rndsuffix} + jb .L_no_more_big_nblocks_${label_suffix} ___ # ;; ==== # ;; ==== AES-CTR + GHASH - 48 blocks loop # ;; ==== - $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n"; + $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n"; # ;; ==== AES-CTR + GHASH - 16 blocks, start $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); @@ -3893,15 +3887,15 @@ ___ add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET sub \$`($big_loop_nblocks * 16)`,$LENGTH cmp \$`($big_loop_nblocks * 16)`,$LENGTH - jae .L_encrypt_big_nblocks_${rndsuffix} + jae .L_encrypt_big_nblocks_${label_suffix} -.L_no_more_big_nblocks_${rndsuffix}: +.L_no_more_big_nblocks_${label_suffix}: cmp \$`(32 * 16)`,$LENGTH - jae .L_encrypt_32_blocks_${rndsuffix} + jae .L_encrypt_32_blocks_${label_suffix} cmp \$`(16 * 16)`,$LENGTH - jae .L_encrypt_16_blocks_${rndsuffix} + jae .L_encrypt_16_blocks_${label_suffix} ___ # ;; ===================================================== @@ -3909,7 +3903,7 @@ ___ # ;; ==== GHASH 1 x 16 blocks # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks # ;; ==== then GHASH N blocks - $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n"; + $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n"; # ;; calculate offset to the right hash key $code .= <<___; @@ -3937,7 +3931,7 @@ ___ $IA0, $IA5, $MASKREG, $PBLOCK_LEN); $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; - $code .= "jmp .L_ghash_done_${rndsuffix}\n"; + $code .= "jmp .L_ghash_done_${label_suffix}\n"; # ;; ===================================================== # ;; ===================================================== @@ -3946,7 +3940,7 @@ ___ # ;; ==== GHASH 1 x 16 blocks (reduction) # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks # ;; ==== then GHASH N blocks - $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n"; + $code .= ".L_encrypt_32_blocks_${label_suffix}:\n"; # ;; ==== AES-CTR + GHASH - 16 blocks, start $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); @@ -4007,7 +4001,7 @@ ___ $IA0, $IA5, $MASKREG, $PBLOCK_LEN); $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; - $code .= "jmp .L_ghash_done_${rndsuffix}\n"; + $code .= "jmp .L_ghash_done_${label_suffix}\n"; # ;; ===================================================== # ;; ===================================================== @@ -4015,7 +4009,7 @@ ___ # ;; ==== GHASH 1 x 16 blocks # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks # ;; ==== then GHASH N blocks - $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n"; + $code .= ".L_encrypt_16_blocks_${label_suffix}:\n"; # ;; ==== AES-CTR + GHASH - 16 blocks, start $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); @@ -4059,9 +4053,9 @@ ___ $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; $code .= <<___; - jmp .L_ghash_done_${rndsuffix} + jmp .L_ghash_done_${label_suffix} -.L_message_below_32_blocks_${rndsuffix}: +.L_message_below_32_blocks_${label_suffix}: # ;; 32 > number of blocks > 16 sub \$`(16 * 16)`,$LENGTH @@ -4094,9 +4088,9 @@ ___ $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; $code .= <<___; - jmp .L_ghash_done_${rndsuffix} + jmp .L_ghash_done_${label_suffix} -.L_message_below_equal_16_blocks_${rndsuffix}: +.L_message_below_equal_16_blocks_${label_suffix}: # ;; Determine how many blocks to process # ;; - process one additional block if there is a partial block mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]} @@ -4113,13 +4107,13 @@ ___ # ;; fall through to exit - $code .= ".L_ghash_done_${rndsuffix}:\n"; + $code .= ".L_ghash_done_${label_suffix}:\n"; # ;; save the last counter block $code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n"; $code .= <<___; vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX) -.L_enc_dec_done_${rndsuffix}: +.L_enc_dec_done_${label_suffix}: ___ } @@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 { my $B08_11 = $T7; my $B12_15 = $T8; - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; my $stack_offset = $BLK_OFFSET; $code .= <<___; @@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 { # ;; prepare counter blocks cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} - jae .L_next_16_overflow_${rndsuffix} + jae .L_next_16_overflow_${label_suffix} vpaddd $ADDBE_1234,$CTR,$B00_03 vpaddd $ADDBE_4x4,$B00_03,$B04_07 vpaddd $ADDBE_4x4,$B04_07,$B08_11 vpaddd $ADDBE_4x4,$B08_11,$B12_15 - jmp .L_next_16_ok_${rndsuffix} -.L_next_16_overflow_${rndsuffix}: + jmp .L_next_16_ok_${label_suffix} +.L_next_16_overflow_${label_suffix}: vpshufb $SHUF_MASK,$CTR,$CTR vmovdqa64 ddq_add_4444(%rip),$B12_15 vpaddd ddq_add_1234(%rip),$CTR,$B00_03 @@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 { vpshufb $SHUF_MASK,$B04_07,$B04_07 vpshufb $SHUF_MASK,$B08_11,$B08_11 vpshufb $SHUF_MASK,$B12_15,$B12_15 -.L_next_16_ok_${rndsuffix}: +.L_next_16_ok_${label_suffix}: vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR addb \$16,@{[BYTE($CTR_CHECK)]} # ;; === load 16 blocks of data @@ -4264,7 +4258,7 @@ sub GCM_COMPLETE { my $GCM128_CTX = $_[0]; my $PBLOCK_LEN = $_[1]; - my $rndsuffix = &random_string(); + my $label_suffix = $label_count++; $code .= <<___; vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2 @@ -4276,14 +4270,14 @@ ___ # ;; Process the final partial block. cmp \$0,$PBLOCK_LEN - je .L_partial_done_${rndsuffix} + je .L_partial_done_${label_suffix} ___ # ;GHASH computation for the last <16 Byte block &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17"); $code .= <<___; -.L_partial_done_${rndsuffix}: +.L_partial_done_${label_suffix}: vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5 vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C) vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits @@ -4297,7 +4291,7 @@ ___ vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap vpxor %xmm4,%xmm3,%xmm3 -.L_return_T_${rndsuffix}: +.L_return_T_${label_suffix}: vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX) ___ } -- Gitee From bc03d0dae958fd4fdfe8de8ce745ebe24cd7c63e Mon Sep 17 00:00:00 2001 From: Todd Short Date: Fri, 13 Oct 2023 10:18:52 -0400 Subject: [PATCH 06/11] Fix potential NULL deref in ssl_old_test.c Fix #22367 Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22383) (cherry picked from commit 42772df59bef7422060fbe70551c72d804bc669a) Signed-off-by: fly2x --- test/ssl_old_test.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c index 0a7d78d564..2f141d00df 100644 --- a/test/ssl_old_test.c +++ b/test/ssl_old_test.c @@ -894,7 +894,8 @@ int main(int argc, char *argv[]) { APP_CALLBACK_STRING, 0 }; SSL_CTX *c_ctx = NULL; const SSL_METHOD *meth = NULL; - SSL *c_ssl, *s_ssl; + SSL *c_ssl = NULL; + SSL *s_ssl = NULL; int number = 1, reuse = 0; int should_reuse = -1; int no_ticket = 0; @@ -1759,6 +1760,8 @@ int main(int argc, char *argv[]) c_ssl = SSL_new(c_ctx); s_ssl = SSL_new(s_ctx); + if (c_ssl == NULL || s_ssl == NULL) + goto end; if (sn_client) SSL_set_tlsext_host_name(c_ssl, sn_client); @@ -1819,10 +1822,11 @@ int main(int argc, char *argv[]) case BIO_IPV4: case BIO_IPV6: ret = EXIT_FAILURE; - goto err; + goto end; #endif } - if (ret != EXIT_SUCCESS) break; + if (ret != EXIT_SUCCESS) + break; } if (should_negotiate && ret == EXIT_SUCCESS && @@ -1832,13 +1836,13 @@ int main(int argc, char *argv[]) if (version < 0) { BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate); ret = EXIT_FAILURE; - goto err; + goto end; } if (SSL_version(c_ssl) != version) { BIO_printf(bio_err, "Unexpected version negotiated. " "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl)); ret = EXIT_FAILURE; - goto err; + goto end; } } @@ -1849,20 +1853,20 @@ int main(int argc, char *argv[]) "Expected: %d, server: %d, client: %d\n", should_reuse, SSL_session_reused(s_ssl), SSL_session_reused(c_ssl)); ret = EXIT_FAILURE; - goto err; + goto end; } } if (server_sess_out != NULL) { if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) { ret = EXIT_FAILURE; - goto err; + goto end; } } if (client_sess_out != NULL) { if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) { ret = EXIT_FAILURE; - goto err; + goto end; } } @@ -1888,11 +1892,9 @@ int main(int argc, char *argv[]) #endif } - err: + end: SSL_free(s_ssl); SSL_free(c_ssl); - - end: SSL_CTX_free(s_ctx); SSL_CTX_free(s_ctx2); SSL_CTX_free(c_ctx); -- Gitee From 20de7fdc6063c05135d778520bf2bd7a0034a56f Mon Sep 17 00:00:00 2001 From: Damian Hobson-Garcia Date: Thu, 22 Dec 2022 16:36:05 -0500 Subject: [PATCH 07/11] x509_print_ex:Use correct constant for nmflag comparison The X509_FLAG_COMPAT constant is defined as a value of the X509_print_ex() cflags argument, and so it should not be used to compare against values for use with X509_NAME_print flags. Use XN_FLAG_COMPAT, which has the same value, instead. Reviewed-by: Tomas Mraz Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/19963) (cherry picked from commit da2dd3b51ddd69aae0fd840c0d23afa954c24ded) Signed-off-by: fly2x --- crypto/x509/t_req.c | 2 +- crypto/x509/t_x509.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c index 095c165100..f9cbbecd36 100644 --- a/crypto/x509/t_req.c +++ b/crypto/x509/t_req.c @@ -49,7 +49,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, nmindent = 12; } - if (nmflags == X509_FLAG_COMPAT) + if (nmflags == XN_FLAG_COMPAT) nmindent = 16; if (!(cflag & X509_FLAG_NO_HEADER)) { diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index 46311377f5..d407b44c75 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -60,7 +60,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, nmindent = 12; } - if (nmflags == X509_FLAG_COMPAT) { + if (nmflags == XN_FLAG_COMPAT) { nmindent = 16; printok = 1; } -- Gitee From e18883f9b0095e21bf68bbce6a14af47dd7428b5 Mon Sep 17 00:00:00 2001 From: Damian Hobson-Garcia Date: Thu, 22 Dec 2022 17:04:39 -0500 Subject: [PATCH 08/11] Fix X509_REQ_print_ex bug Similar to the bug fixed in 02db7354fe7 (Fix bug in X509_print_ex). The error return value from X509_NAME_print_ex() is different depending on whether the flags are XN_FLAG_COMPAT or not. Apply a similar fix to what was done for X509_print_ex here as well. Reviewed-by: Tomas Mraz Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/19963) (cherry picked from commit 2b5e028a2f70de216458a5140bcf4ec3d9236eeb) Signed-off-by: fly2x --- crypto/x509/t_req.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c index f9cbbecd36..22f824ee48 100644 --- a/crypto/x509/t_req.c +++ b/crypto/x509/t_req.c @@ -42,15 +42,17 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, EVP_PKEY *pkey; STACK_OF(X509_EXTENSION) *exts; char mlch = ' '; - int nmindent = 0; + int nmindent = 0, printok = 0; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; nmindent = 12; } - if (nmflags == XN_FLAG_COMPAT) + if (nmflags == XN_FLAG_COMPAT) { nmindent = 16; + printok = 1; + } if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate Request:\n", 21) <= 0) @@ -72,7 +74,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, if (BIO_printf(bp, " Subject:%c", mlch) <= 0) goto err; if (X509_NAME_print_ex(bp, X509_REQ_get_subject_name(x), - nmindent, nmflags) < 0) + nmindent, nmflags) < printok) goto err; if (BIO_write(bp, "\n", 1) <= 0) goto err; -- Gitee From dc7591ba4a580f3f22a064dfb362290befc03c31 Mon Sep 17 00:00:00 2001 From: Damian Hobson-Garcia Date: Thu, 22 Dec 2022 17:15:55 -0500 Subject: [PATCH 09/11] x509_print_ex: Remove unused setting when XN_FLAG_COMPAT is set Calling X509_NAME_print_ex with XN_FLAG_COMPAT falls back to calling X509_NAME_print(). The obase parameter to X509_NAME_print() is not used, so setting it to a different value has no effect. Reviewed-by: Tomas Mraz Reviewed-by: Todd Short (Merged from https://github.com/openssl/openssl/pull/19963) (cherry picked from commit 2126ca3dba3907f49b232442c06db1cae8bee0c3) Signed-off-by: fly2x --- crypto/x509/t_req.c | 4 +--- crypto/x509/t_x509.c | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c index 22f824ee48..63626c0d98 100644 --- a/crypto/x509/t_req.c +++ b/crypto/x509/t_req.c @@ -49,10 +49,8 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, nmindent = 12; } - if (nmflags == XN_FLAG_COMPAT) { - nmindent = 16; + if (nmflags == XN_FLAG_COMPAT) printok = 1; - } if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate Request:\n", 21) <= 0) diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c index d407b44c75..d7f54dced3 100644 --- a/crypto/x509/t_x509.c +++ b/crypto/x509/t_x509.c @@ -60,10 +60,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, nmindent = 12; } - if (nmflags == XN_FLAG_COMPAT) { - nmindent = 16; + if (nmflags == XN_FLAG_COMPAT) printok = 1; - } if (!(cflag & X509_FLAG_NO_HEADER)) { if (BIO_write(bp, "Certificate:\n", 13) <= 0) -- Gitee From a813e063b8e0fbef3b8851ad2f2642389ed8ada4 Mon Sep 17 00:00:00 2001 From: James Muir Date: Tue, 24 Oct 2023 20:08:54 -0400 Subject: [PATCH 10/11] free oaep label-octet-string on error When X509_ALGOR_set0() fails, ownership of the the ASN1 object "los" (label octet string) has not been passed on to the X509_ALGOR object "oaep->pSourceFunc", so we need to free "los" in that case. Check return value of X509_ALGOR_set0(), change the scope of "los" and ensure it is freed on failure (on success, set it to NULL so it is not freed inside the function). Fixes #22336 Testing: You can use the following script to test cms encryption with rsa-oaep: #!/bin/bash -x OSSLCMD="apps/openssl" # check we are calling the right openssl app LD_LIBRARY_PATH=. valgrind $OSSLCMD version echo "this is a confidential message." > msg.txt LD_LIBRARY_PATH=. valgrind $OSSLCMD cms -encrypt -in msg.txt \ -stream -out msg.txt.cms \ -recip test/smime-certs/smrsa1.pem \ -keyopt rsa_padding_mode:oaep \ -keyopt rsa_oaep_md:sha256 \ -keyopt rsa_oaep_label:deadbeef Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/22556) (cherry picked from commit a9a1b3da876456e1eecffbba15fb6d1820e8f379) Signed-off-by: fly2x --- crypto/cms/cms_rsa.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c index 61fd43fb54..68545e5fb7 100644 --- a/crypto/cms/cms_rsa.c +++ b/crypto/cms/cms_rsa.c @@ -114,6 +114,7 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri) const EVP_MD *md, *mgf1md; RSA_OAEP_PARAMS *oaep = NULL; ASN1_STRING *os = NULL; + ASN1_OCTET_STRING *los = NULL; X509_ALGOR *alg; EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen; @@ -125,10 +126,10 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri) if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) return 0; } - if (pad_mode == RSA_PKCS1_PADDING) { - X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); - return 1; - } + if (pad_mode == RSA_PKCS1_PADDING) + return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), + V_ASN1_NULL, NULL); + /* Not supported */ if (pad_mode != RSA_PKCS1_OAEP_PADDING) return 0; @@ -147,30 +148,32 @@ static int rsa_cms_encrypt(CMS_RecipientInfo *ri) if (!ossl_x509_algor_md_to_mgf1(&oaep->maskGenFunc, mgf1md)) goto err; if (labellen > 0) { - ASN1_OCTET_STRING *los; - oaep->pSourceFunc = X509_ALGOR_new(); if (oaep->pSourceFunc == NULL) goto err; los = ASN1_OCTET_STRING_new(); if (los == NULL) goto err; - if (!ASN1_OCTET_STRING_set(los, label, labellen)) { - ASN1_OCTET_STRING_free(los); + if (!ASN1_OCTET_STRING_set(los, label, labellen)) goto err; - } - X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified), - V_ASN1_OCTET_STRING, los); + + if (!X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified), + V_ASN1_OCTET_STRING, los)) + goto err; + + los = NULL; } - /* create string with pss parameter encoding. */ + /* create string with oaep parameter encoding. */ if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os)) - goto err; - X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os); + goto err; + if (!X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os)) + goto err; os = NULL; rv = 1; err: RSA_OAEP_PARAMS_free(oaep); ASN1_STRING_free(os); + ASN1_OCTET_STRING_free(los); return rv; } -- Gitee From 95128abf0a5ee84551917e43649be8671bd0ebb6 Mon Sep 17 00:00:00 2001 From: Bernd Edlinger Date: Wed, 1 Nov 2023 08:05:30 +0100 Subject: [PATCH 11/11] Fix a possible memory leak in load_builtin_compressions Reviewed-by: Dmitry Belyavskiy Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/22585) (cherry picked from commit daf26c2d7a4d29ec1040fc0d5d4215cfc2dcf4a7) Signed-off-by: fly2x --- ssl/ssl_ciph.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 93de9cf8fd..e3c2b1c196 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -465,7 +465,8 @@ DEFINE_RUN_ONCE_STATIC(do_load_builtin_compressions) comp->method = method; comp->id = SSL_COMP_ZLIB_IDX; comp->name = COMP_get_name(method); - sk_SSL_COMP_push(ssl_comp_methods, comp); + if (!sk_SSL_COMP_push(ssl_comp_methods, comp)) + OPENSSL_free(comp); sk_SSL_COMP_sort(ssl_comp_methods); } } -- Gitee