From 5a71e1e561dab3fc17a073a32bad143d10357a0a Mon Sep 17 00:00:00 2001 
From: CentOS Sources
Date: Tue, 3 Nov 2020 06:49:12 -0500
Subject: [PATCH] import gnutls-3.6.14-6.el8
---
 .gitignore | 4 +-
 .gnutls.metadata | 4 +-
 SOURCES/gnutls-3.6.12-dtls-random.patch | 29 -
 SOURCES/gnutls-3.6.13-enable-intel-cet.patch | 7849 +++++++++++++++++
 SOURCES/gnutls-3.6.14-autogen-int.patch | 36 +
 SOURCES/gnutls-3.6.14-fips-dh-check.patch | 676 ++
 SOURCES/gnutls-3.6.14-fips-dh-primes.patch | 1843 ++++
 SOURCES/gnutls-3.6.14-fips-mode-check.patch | 42 +
 .../gnutls-3.6.14-fix-iovec-memory-leak.patch | 152 +
 SOURCES/gnutls-3.6.14-memcmp.patch | 131 +
 SOURCES/gnutls-3.6.14-totp-init.patch | 85 -
 SOURCES/gnutls-3.6.14.tar.xz.sig | Bin 0 -> 580 bytes
 ...gnutls-3.6.5-fix-fips-signature-post.patch | 728 --
 .../gnutls-3.6.8-aead-cipher-encryptv2.patch | 1296 ---
 SOURCES/gnutls-3.6.8-decr-len.patch | 687 --
 SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch | 36 -
 ...nutls-3.6.8-fips-deterministic-ecdsa.patch | 1352 ---
 .../gnutls-3.6.8-fips-rng-continuous.patch | 203 -
 ...utls-3.6.8-fips-rsa-random-selftests.patch | 124 -
 ...utls-3.6.8-fix-aead-cipher-encryptv2.patch | 767 --
 SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch | 204 -
 .../gnutls-3.6.8-multiple-key-updates.patch | 286 -
 SOURCES/gnutls-3.6.8-pkcs11-login-error.patch | 265 -
 SOURCES/gnutls-3.6.8-session-ticket-ub.patch | 51 -
 SOURCES/gnutls-3.6.8.tar.xz.sig | Bin 310 -> 0 bytes
 SPECS/gnutls.spec | 57 +-
 26 files changed, 10770 insertions(+), 6137 deletions(-)
 delete mode 100644 SOURCES/gnutls-3.6.12-dtls-random.patch
 create mode 100644 SOURCES/gnutls-3.6.13-enable-intel-cet.patch
 create mode 100644 SOURCES/gnutls-3.6.14-autogen-int.patch
 create mode 100644 SOURCES/gnutls-3.6.14-fips-dh-check.patch
 create mode 100644 SOURCES/gnutls-3.6.14-fips-dh-primes.patch
 create mode 100644 SOURCES/gnutls-3.6.14-fips-mode-check.patch
 create mode 100644 SOURCES/gnutls-3.6.14-fix-iovec-memory-leak.patch
 create mode 100644 SOURCES/gnutls-3.6.14-memcmp.patch
 delete mode 100644 SOURCES/gnutls-3.6.14-totp-init.patch
 create mode 100644 SOURCES/gnutls-3.6.14.tar.xz.sig
 delete mode 100644 SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-decr-len.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-fips-rng-continuous.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-multiple-key-updates.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-pkcs11-login-error.patch
 delete mode 100644 SOURCES/gnutls-3.6.8-session-ticket-ub.patch
 delete mode 100644 SOURCES/gnutls-3.6.8.tar.xz.sig
diff --git a/.gitignore b/.gitignore
index 190b97a..14960ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/gnutls-3.6.8.tar.xz
-SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+SOURCES/gnutls-3.6.14.tar.xz
+SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
diff --git a/.gnutls.metadata b/.gnutls.metadata
index af466d6..b23acfd 100644
--- a/.gnutls.metadata
+++ b/.gnutls.metadata
@@ -1,2 +1,2 @@
-e1243188791af409bca118d31faf3ec3d5f0a5ab SOURCES/gnutls-3.6.8.tar.xz
-e6f8a1400839ce7b4021cdd0f8d08d71b0693486 SOURCES/gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+bea1b5abcb691acf014e592f41d0a9580a41216a SOURCES/gnutls-3.6.14.tar.xz
+648ec46f9539fe756fb90131b85ae4759ed2ed21 SOURCES/gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
diff --git a/SOURCES/gnutls-3.6.12-dtls-random.patch b/SOURCES/gnutls-3.6.12-dtls-random.patch
deleted file mode 100644
index b308af7..0000000
--- a/SOURCES/gnutls-3.6.12-dtls-random.patch
+++ /dev/null
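Review bot: The upstream signing key is rotated in the .gnutls.metadata hunk (gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg is replaced by gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg next to the new tarball hash), but neither the commit message nor this file records where the new key came from or how it was cross-checked, so a later reader cannot tell a legitimate upstream key change from a substituted one. The SHA-1 values here only pin the objects uploaded to the lookaside cache; the tarball's authenticity rests on the newly added SOURCES/gnutls-3.6.14.tar.xz.sig being checked against this new keyring at build time. The SPECS/gnutls.spec change is not in this excerpt, so confirm that its %prep signature verification now references the 462225C3… key file rather than the old one, otherwise the build would be validating against a stale key. I would also add a provenance line to the changelog or commit message, e.g. `- Switch upstream signing key to 462225C3B46F34879FC8496CD605848ED7E69871 (per the GnuTLS 3.6.14 release announcement); old key 1F42418905D8206AA754CCDC29EE58B996865171 retired`.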
@@ -1,29 +0,0 @@ -From c01011c2d8533dbbbe754e49e256c109cb848d0d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Stefan=20B=C3=BChler?= -Date: Fri, 27 Mar 2020 17:17:57 +0100 -Subject: [PATCH] dtls client hello: fix zeroed random (fixes #960) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This broke with bcf4de03 "handshake: treat reply to HRR as a reply to -hello verify request", which failed to "De Morgan" properly. - -Signed-off-by: Stefan Bühler ---- - lib/handshake.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: gnutls-3.6.8/lib/handshake.c -=================================================================== ---- gnutls-3.6.8.orig/lib/handshake.c -+++ gnutls-3.6.8/lib/handshake.c -@@ -2164,7 +2164,7 @@ static int send_client_hello(gnutls_sess - /* Generate random data - */ - if (!(session->internals.hsk_flags & HSK_HRR_RECEIVED) && -- !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests == 0)) { -+ !(IS_DTLS(session) && session->internals.dtls.hsk_hello_verify_requests != 0)) { - ret = _gnutls_gen_client_random(session); - if (ret < 0) { - gnutls_assert(); diff --git a/SOURCES/gnutls-3.6.13-enable-intel-cet.patch b/SOURCES/gnutls-3.6.13-enable-intel-cet.patch new file mode 100644 index 0000000..ca16882 --- /dev/null +++ b/SOURCES/gnutls-3.6.13-enable-intel-cet.patch 
@@ -0,0 +1,7849 @@ +From 7d969e296f4a8c39a8bdc642a3234b0957531201 Mon Sep 17 00:00:00 2001 +From: Anderson Toshiyuki Sasaki +Date: Wed, 20 May 2020 10:51:37 +0200 +Subject: [PATCH] accelerated: Enable Intel CET + +Signed-off-by: Anderson Toshiyuki Sasaki +--- + lib/accelerated/x86/coff/aes-ssse3-x86.s | 13 + + lib/accelerated/x86/coff/aes-ssse3-x86_64.s | 5 + + lib/accelerated/x86/coff/aesni-gcm-x86_64.s | 8 + + lib/accelerated/x86/coff/aesni-x86.s | 22 ++ + lib/accelerated/x86/coff/aesni-x86_64.s | 29 +- + lib/accelerated/x86/coff/e_padlock-x86.s | 276 +++++++++------- + lib/accelerated/x86/coff/e_padlock-x86_64.s | 218 ++++++++----- + lib/accelerated/x86/coff/ghash-x86_64.s | 6 + + lib/accelerated/x86/coff/sha1-ssse3-x86.s | 1 + + lib/accelerated/x86/coff/sha1-ssse3-x86_64.s | 2 +- + lib/accelerated/x86/coff/sha256-ssse3-x86.s | 1 + + .../x86/coff/sha256-ssse3-x86_64.s | 18 +- + lib/accelerated/x86/coff/sha512-ssse3-x86.s | 1 + + .../x86/coff/sha512-ssse3-x86_64.s | 20 +- + lib/accelerated/x86/elf/aes-ssse3-x86.s | 30 ++ + lib/accelerated/x86/elf/aes-ssse3-x86_64.s | 26 ++ + lib/accelerated/x86/elf/aesni-gcm-x86_64.s | 29 ++ + lib/accelerated/x86/elf/aesni-x86.s | 39 +++ + lib/accelerated/x86/elf/aesni-x86_64.s | 50 ++- + lib/accelerated/x86/elf/e_padlock-x86.s | 306 ++++++++++-------- + lib/accelerated/x86/elf/e_padlock-x86_64.s | 242 +++++++++----- + lib/accelerated/x86/elf/ghash-x86_64.s | 27 ++ + lib/accelerated/x86/elf/sha1-ssse3-x86.s | 18 ++ + lib/accelerated/x86/elf/sha1-ssse3-x86_64.s | 23 +- + lib/accelerated/x86/elf/sha256-ssse3-x86.s | 18 ++ + lib/accelerated/x86/elf/sha256-ssse3-x86_64.s | 51 ++- + lib/accelerated/x86/elf/sha512-ssse3-x86.s | 18 ++ + lib/accelerated/x86/elf/sha512-ssse3-x86_64.s | 49 ++- + lib/accelerated/x86/macosx/aes-ssse3-x86.s | 13 + + lib/accelerated/x86/macosx/aes-ssse3-x86_64.s | 5 + + lib/accelerated/x86/macosx/aesni-gcm-x86_64.s | 8 + + lib/accelerated/x86/macosx/aesni-x86.s | 22 ++ + 
lib/accelerated/x86/macosx/aesni-x86_64.s | 29 +- + lib/accelerated/x86/macosx/e_padlock-x86.s | 288 +++++++++-------- + lib/accelerated/x86/macosx/e_padlock-x86_64.s | 218 ++++++++----- + lib/accelerated/x86/macosx/ghash-x86_64.s | 6 + + lib/accelerated/x86/macosx/sha1-ssse3-x86.s | 1 + + .../x86/macosx/sha1-ssse3-x86_64.s | 2 +- + lib/accelerated/x86/macosx/sha256-ssse3-x86.s | 1 + + .../x86/macosx/sha256-ssse3-x86_64.s | 30 +- + lib/accelerated/x86/macosx/sha512-ssse3-x86.s | 1 + + .../x86/macosx/sha512-ssse3-x86_64.s | 28 +- + 42 files changed, 1541 insertions(+), 657 deletions(-) + +diff --git a/lib/accelerated/x86/coff/aes-ssse3-x86.s b/lib/accelerated/x86/coff/aes-ssse3-x86.s +index c58ea2359..1dced3b2a 100644 +--- a/lib/accelerated/x86/coff/aes-ssse3-x86.s ++++ b/lib/accelerated/x86/coff/aes-ssse3-x86.s +@@ -71,6 +71,7 @@ + .def __vpaes_preheat; .scl 3; .type 32; .endef + .align 16 + __vpaes_preheat: ++.byte 243,15,30,251 + addl (%esp),%ebp + movdqa -48(%ebp),%xmm7 + movdqa -16(%ebp),%xmm6 +@@ -78,6 +79,7 @@ __vpaes_preheat: + .def __vpaes_encrypt_core; .scl 3; .type 32; .endef + .align 16 + __vpaes_encrypt_core: ++.byte 243,15,30,251 + movl $16,%ecx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 +@@ -154,6 +156,7 @@ __vpaes_encrypt_core: + .def __vpaes_decrypt_core; .scl 3; .type 32; .endef + .align 16 + __vpaes_decrypt_core: ++.byte 243,15,30,251 + leal 608(%ebp),%ebx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 +@@ -241,6 +244,7 @@ __vpaes_decrypt_core: + .def __vpaes_schedule_core; .scl 3; .type 32; .endef + .align 16 + __vpaes_schedule_core: ++.byte 243,15,30,251 + addl (%esp),%ebp + movdqu (%esi),%xmm0 + movdqa 320(%ebp),%xmm2 +@@ -334,6 +338,7 @@ __vpaes_schedule_core: + .def __vpaes_schedule_192_smear; .scl 3; .type 32; .endef + .align 16 + __vpaes_schedule_192_smear: ++.byte 243,15,30,251 + pshufd $128,%xmm6,%xmm1 + pshufd $254,%xmm7,%xmm0 + pxor %xmm1,%xmm6 +@@ -345,6 +350,7 @@ __vpaes_schedule_192_smear: + .def __vpaes_schedule_round; .scl 3; .type 32; 
.endef + .align 16 + __vpaes_schedule_round: ++.byte 243,15,30,251 + movdqa 8(%esp),%xmm2 + pxor %xmm1,%xmm1 + .byte 102,15,58,15,202,15 +@@ -393,6 +399,7 @@ __vpaes_schedule_round: + .def __vpaes_schedule_transform; .scl 3; .type 32; .endef + .align 16 + __vpaes_schedule_transform: ++.byte 243,15,30,251 + movdqa -16(%ebp),%xmm2 + movdqa %xmm2,%xmm1 + pandn %xmm0,%xmm1 +@@ -407,6 +414,7 @@ __vpaes_schedule_transform: + .def __vpaes_schedule_mangle; .scl 3; .type 32; .endef + .align 16 + __vpaes_schedule_mangle: ++.byte 243,15,30,251 + movdqa %xmm0,%xmm4 + movdqa 128(%ebp),%xmm5 + testl %edi,%edi +@@ -467,6 +475,7 @@ __vpaes_schedule_mangle: + .align 16 + _vpaes_set_encrypt_key: + .L_vpaes_set_encrypt_key_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -499,6 +508,7 @@ _vpaes_set_encrypt_key: + .align 16 + _vpaes_set_decrypt_key: + .L_vpaes_set_decrypt_key_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -536,6 +546,7 @@ _vpaes_set_decrypt_key: + .align 16 + _vpaes_encrypt: + .L_vpaes_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -564,6 +575,7 @@ _vpaes_encrypt: + .align 16 + _vpaes_decrypt: + .L_vpaes_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -592,6 +604,7 @@ _vpaes_decrypt: + .align 16 + _vpaes_cbc_encrypt: + .L_vpaes_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/coff/aes-ssse3-x86_64.s b/lib/accelerated/x86/coff/aes-ssse3-x86_64.s +index 150c9921d..f3fee5629 100644 +--- a/lib/accelerated/x86/coff/aes-ssse3-x86_64.s ++++ b/lib/accelerated/x86/coff/aes-ssse3-x86_64.s +@@ -643,6 +643,7 @@ vpaes_set_encrypt_key: + movq %r8,%rdx + + ++.byte 243,15,30,250 + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) +@@ -695,6 +696,7 @@ vpaes_set_decrypt_key: + movq %r8,%rdx + + ++.byte 243,15,30,250 + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) +@@ 
-752,6 +754,7 @@ vpaes_encrypt: + movq %r8,%rdx + + ++.byte 243,15,30,250 + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) +@@ -799,6 +802,7 @@ vpaes_decrypt: + movq %r8,%rdx + + ++.byte 243,15,30,250 + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) +@@ -848,6 +852,7 @@ vpaes_cbc_encrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + xchgq %rcx,%rdx + subq $16,%rcx + jc .Lcbc_abort +diff --git a/lib/accelerated/x86/coff/aesni-gcm-x86_64.s b/lib/accelerated/x86/coff/aesni-gcm-x86_64.s +index 7988004cb..5784e4bcf 100644 +--- a/lib/accelerated/x86/coff/aesni-gcm-x86_64.s ++++ b/lib/accelerated/x86/coff/aesni-gcm-x86_64.s +@@ -42,6 +42,8 @@ + .def _aesni_ctr32_ghash_6x; .scl 3; .type 32; .endef + .p2align 5 + _aesni_ctr32_ghash_6x: ++ ++.byte 243,15,30,250 + vmovdqu 32(%r11),%xmm2 + subq $6,%rdx + vpxor %xmm4,%xmm4,%xmm4 +@@ -350,6 +352,7 @@ _aesni_ctr32_ghash_6x: + + .byte 0xf3,0xc3 + ++ + .globl aesni_gcm_decrypt + .def aesni_gcm_decrypt; .scl 2; .type 32; .endef + .p2align 5 +@@ -366,6 +369,7 @@ aesni_gcm_decrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + xorq %r10,%r10 + cmpq $0x60,%rdx + jb .Lgcm_dec_abort +@@ -490,6 +494,8 @@ aesni_gcm_decrypt: + .def _aesni_ctr32_6x; .scl 3; .type 32; .endef + .p2align 5 + _aesni_ctr32_6x: ++ ++.byte 243,15,30,250 + vmovdqu 0-128(%rcx),%xmm4 + vmovdqu 32(%r11),%xmm2 + leaq -1(%rbp),%r13 +@@ -578,6 +584,7 @@ _aesni_ctr32_6x: + jmp .Loop_ctr32 + + ++ + .globl aesni_gcm_encrypt + .def aesni_gcm_encrypt; .scl 2; .type 32; .endef + .p2align 5 +@@ -594,6 +601,7 @@ aesni_gcm_encrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + xorq %r10,%r10 + cmpq $288,%rdx + jb .Lgcm_enc_abort +diff --git a/lib/accelerated/x86/coff/aesni-x86.s b/lib/accelerated/x86/coff/aesni-x86.s +index c6aa1a1e2..577dc4af2 100644 +--- a/lib/accelerated/x86/coff/aesni-x86.s ++++ b/lib/accelerated/x86/coff/aesni-x86.s +@@ -43,6 +43,7 @@ + .align 16 + _aesni_encrypt: + .L_aesni_encrypt_begin: ++.byte 
243,15,30,251 + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 +@@ -69,6 +70,7 @@ _aesni_encrypt: + .align 16 + _aesni_decrypt: + .L_aesni_decrypt_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 +@@ -93,6 +95,7 @@ _aesni_decrypt: + .def __aesni_encrypt2; .scl 3; .type 32; .endef + .align 16 + __aesni_encrypt2: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -119,6 +122,7 @@ __aesni_encrypt2: + .def __aesni_decrypt2; .scl 3; .type 32; .endef + .align 16 + __aesni_decrypt2: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -145,6 +149,7 @@ __aesni_decrypt2: + .def __aesni_encrypt3; .scl 3; .type 32; .endef + .align 16 + __aesni_encrypt3: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -176,6 +181,7 @@ __aesni_encrypt3: + .def __aesni_decrypt3; .scl 3; .type 32; .endef + .align 16 + __aesni_decrypt3: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -207,6 +213,7 @@ __aesni_decrypt3: + .def __aesni_encrypt4; .scl 3; .type 32; .endef + .align 16 + __aesni_encrypt4: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx +@@ -244,6 +251,7 @@ __aesni_encrypt4: + .def __aesni_decrypt4; .scl 3; .type 32; .endef + .align 16 + __aesni_decrypt4: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx +@@ -281,6 +289,7 @@ __aesni_decrypt4: + .def __aesni_encrypt6; .scl 3; .type 32; .endef + .align 16 + __aesni_encrypt6: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -334,6 +343,7 @@ __aesni_encrypt6: + .def __aesni_decrypt6; .scl 3; .type 32; .endef + .align 16 + __aesni_decrypt6: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -389,6 +399,7 @@ __aesni_decrypt6: + .align 16 + _aesni_ecb_encrypt: + .L_aesni_ecb_encrypt_begin: ++.byte 
243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -623,6 +634,7 @@ _aesni_ecb_encrypt: + .align 16 + _aesni_ccm64_encrypt_blocks: + .L_aesni_ccm64_encrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -710,6 +722,7 @@ _aesni_ccm64_encrypt_blocks: + .align 16 + _aesni_ccm64_decrypt_blocks: + .L_aesni_ccm64_decrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -832,6 +845,7 @@ _aesni_ccm64_decrypt_blocks: + .align 16 + _aesni_ctr32_encrypt_blocks: + .L_aesni_ctr32_encrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1069,6 +1083,7 @@ _aesni_ctr32_encrypt_blocks: + .align 16 + _aesni_xts_encrypt: + .L_aesni_xts_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1428,6 +1443,7 @@ _aesni_xts_encrypt: + .align 16 + _aesni_xts_decrypt: + .L_aesni_xts_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1817,6 +1833,7 @@ _aesni_xts_decrypt: + .align 16 + _aesni_ocb_encrypt: + .L_aesni_ocb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2211,6 +2228,7 @@ _aesni_ocb_encrypt: + .align 16 + _aesni_ocb_decrypt: + .L_aesni_ocb_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2605,6 +2623,7 @@ _aesni_ocb_decrypt: + .align 16 + _aesni_cbc_encrypt: + .L_aesni_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2863,6 +2882,7 @@ _aesni_cbc_encrypt: + .def __aesni_set_encrypt_key; .scl 3; .type 32; .endef + .align 16 + __aesni_set_encrypt_key: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + testl %eax,%eax +@@ -3197,6 +3217,7 @@ __aesni_set_encrypt_key: + .align 16 + _aesni_set_encrypt_key: + .L_aesni_set_encrypt_key_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx +@@ -3207,6 +3228,7 @@ _aesni_set_encrypt_key: + .align 16 + _aesni_set_decrypt_key: + .L_aesni_set_decrypt_key_begin: 
++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx +diff --git a/lib/accelerated/x86/coff/aesni-x86_64.s b/lib/accelerated/x86/coff/aesni-x86_64.s +index 4e8de065f..ba2992903 100644 +--- a/lib/accelerated/x86/coff/aesni-x86_64.s ++++ b/lib/accelerated/x86/coff/aesni-x86_64.s +@@ -44,6 +44,7 @@ + .p2align 4 + aesni_encrypt: + ++.byte 243,15,30,250 + movups (%rcx),%xmm2 + movl 240(%r8),%eax + movups (%r8),%xmm0 +@@ -70,6 +71,7 @@ aesni_encrypt: + .p2align 4 + aesni_decrypt: + ++.byte 243,15,30,250 + movups (%rcx),%xmm2 + movl 240(%r8),%eax + movups (%r8),%xmm0 +@@ -567,6 +569,7 @@ aesni_ecb_encrypt: + movq 40(%rsp),%r8 + + ++.byte 243,15,30,250 + leaq -88(%rsp),%rsp + movaps %xmm6,(%rsp) + movaps %xmm7,16(%rsp) +@@ -939,6 +942,8 @@ aesni_ccm64_encrypt_blocks: + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + ++ ++.byte 243,15,30,250 + leaq -88(%rsp),%rsp + movaps %xmm6,(%rsp) + movaps %xmm7,16(%rsp) +@@ -1015,6 +1020,7 @@ aesni_ccm64_encrypt_blocks: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_aesni_ccm64_encrypt_blocks: + .globl aesni_ccm64_decrypt_blocks + .def aesni_ccm64_decrypt_blocks; .scl 2; .type 32; .endef +@@ -1031,6 +1037,8 @@ aesni_ccm64_decrypt_blocks: + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + ++ ++.byte 243,15,30,250 + leaq -88(%rsp),%rsp + movaps %xmm6,(%rsp) + movaps %xmm7,16(%rsp) +@@ -1141,6 +1149,7 @@ aesni_ccm64_decrypt_blocks: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_aesni_ccm64_decrypt_blocks: + .globl aesni_ctr32_encrypt_blocks + .def aesni_ctr32_encrypt_blocks; .scl 2; .type 32; .endef +@@ -1157,6 +1166,7 @@ aesni_ctr32_encrypt_blocks: + movq 40(%rsp),%r8 + + ++.byte 243,15,30,250 + cmpq $1,%rdx + jne .Lctr32_bulk + +@@ -1769,6 +1779,7 @@ aesni_xts_encrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + leaq (%rsp),%r11 + + pushq %rbp +@@ -2273,6 +2284,7 @@ aesni_xts_decrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + leaq (%rsp),%r11 + + pushq %rbp +@@ 
-2814,6 +2826,7 @@ aesni_ocb_encrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + +@@ -3046,6 +3059,7 @@ aesni_ocb_encrypt: + .def __ocb_encrypt6; .scl 3; .type 32; .endef + .p2align 5 + __ocb_encrypt6: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3145,9 +3159,11 @@ __ocb_encrypt6: + .byte 0xf3,0xc3 + + ++ + .def __ocb_encrypt4; .scl 3; .type 32; .endef + .p2align 5 + __ocb_encrypt4: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3214,9 +3230,11 @@ __ocb_encrypt4: + .byte 0xf3,0xc3 + + ++ + .def __ocb_encrypt1; .scl 3; .type 32; .endef + .p2align 5 + __ocb_encrypt1: ++ + pxor %xmm15,%xmm7 + pxor %xmm9,%xmm7 + pxor %xmm2,%xmm8 +@@ -3249,6 +3267,7 @@ __ocb_encrypt1: + .byte 0xf3,0xc3 + + ++ + .globl aesni_ocb_decrypt + .def aesni_ocb_decrypt; .scl 2; .type 32; .endef + .p2align 5 +@@ -3265,6 +3284,7 @@ aesni_ocb_decrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + +@@ -3519,6 +3539,7 @@ aesni_ocb_decrypt: + .def __ocb_decrypt6; .scl 3; .type 32; .endef + .p2align 5 + __ocb_decrypt6: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3612,9 +3633,11 @@ __ocb_decrypt6: + .byte 0xf3,0xc3 + + ++ + .def __ocb_decrypt4; .scl 3; .type 32; .endef + .p2align 5 + __ocb_decrypt4: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3677,9 +3700,11 @@ __ocb_decrypt4: + .byte 0xf3,0xc3 + + ++ + .def __ocb_decrypt1; .scl 3; .type 32; .endef + .p2align 5 + __ocb_decrypt1: ++ + pxor %xmm15,%xmm7 + pxor %xmm9,%xmm7 + pxor %xmm7,%xmm2 +@@ -3710,6 +3735,7 @@ __ocb_decrypt1: + .byte 102,15,56,223,215 + .byte 0xf3,0xc3 + ++ + .globl aesni_cbc_encrypt + .def aesni_cbc_encrypt; .scl 2; .type 32; .endef + .p2align 4 +@@ -3726,6 +3752,7 @@ aesni_cbc_encrypt: + movq 48(%rsp),%r9 + + ++.byte 243,15,30,250 + testq %rdx,%rdx + jz .Lcbc_ret + +@@ -4687,7 +4714,6 @@ __aesni_set_encrypt_key: + addq 
$8,%rsp + + .byte 0xf3,0xc3 +- + .LSEH_end_set_encrypt_key: + + .p2align 4 +@@ -4760,6 +4786,7 @@ __aesni_set_encrypt_key: + .byte 0xf3,0xc3 + + ++ + .p2align 6 + .Lbswap_mask: + .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +diff --git a/lib/accelerated/x86/coff/e_padlock-x86.s b/lib/accelerated/x86/coff/e_padlock-x86.s +index 41f87b117..9e27b9324 100644 +--- a/lib/accelerated/x86/coff/e_padlock-x86.s ++++ b/lib/accelerated/x86/coff/e_padlock-x86.s +@@ -1,4 +1,4 @@ +-# Copyright (c) 2011-2013, Andy Polyakov ++# Copyright (c) 2011-2016, Andy Polyakov + # All rights reserved. + # + # Redistribution and use in source and binary forms, with or without +@@ -37,13 +37,13 @@ + # + # *** This file is auto-generated *** + # +-.file "devel/perlasm/e_padlock-x86.s" + .text + .globl _padlock_capability + .def _padlock_capability; .scl 2; .type 32; .endef + .align 16 + _padlock_capability: + .L_padlock_capability_begin: ++.byte 243,15,30,251 + pushl %ebx + pushfl + popl %eax +@@ -60,11 +60,20 @@ _padlock_capability: + .byte 0x0f,0xa2 + xorl %eax,%eax + cmpl $0x746e6543,%ebx +- jne .L000noluck ++ jne .L001zhaoxin + cmpl $0x48727561,%edx + jne .L000noluck + cmpl $0x736c7561,%ecx + jne .L000noluck ++ jmp .L002zhaoxinEnd ++.L001zhaoxin: ++ cmpl $0x68532020,%ebx ++ jne .L000noluck ++ cmpl $0x68676e61,%edx ++ jne .L000noluck ++ cmpl $0x20206961,%ecx ++ jne .L000noluck ++.L002zhaoxinEnd: + movl $3221225472,%eax + .byte 0x0f,0xa2 + movl %eax,%edx +@@ -94,38 +103,41 @@ _padlock_capability: + .align 16 + _padlock_key_bswap: + .L_padlock_key_bswap_begin: ++.byte 243,15,30,251 + movl 4(%esp),%edx + movl 240(%edx),%ecx +-.L001bswap_loop: ++.L003bswap_loop: + movl (%edx),%eax + bswap %eax + movl %eax,(%edx) + leal 4(%edx),%edx + subl $1,%ecx +- jnz .L001bswap_loop ++ jnz .L003bswap_loop + ret + .globl _padlock_verify_context + .def _padlock_verify_context; .scl 2; .type 32; .endef + .align 16 + _padlock_verify_context: + .L_padlock_verify_context_begin: ++.byte 243,15,30,251 + movl 
4(%esp),%edx + leal .Lpadlock_saved_context,%eax + pushfl + call __padlock_verify_ctx +-.L002verify_pic_point: ++.L004verify_pic_point: + leal 4(%esp),%esp + ret + .def __padlock_verify_ctx; .scl 3; .type 32; .endef + .align 16 + __padlock_verify_ctx: ++.byte 243,15,30,251 + btl $30,4(%esp) +- jnc .L003verified ++ jnc .L005verified + cmpl (%eax),%edx +- je .L003verified ++ je .L005verified + pushfl + popfl +-.L003verified: ++.L005verified: + movl %edx,(%eax) + ret + .globl _padlock_reload_key +@@ -133,6 +145,7 @@ __padlock_verify_ctx: + .align 16 + _padlock_reload_key: + .L_padlock_reload_key_begin: ++.byte 243,15,30,251 + pushfl + popfl + ret +@@ -141,6 +154,7 @@ _padlock_reload_key: + .align 16 + _padlock_aes_block: + .L_padlock_aes_block_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + pushl %ebx +@@ -160,6 +174,7 @@ _padlock_aes_block: + .align 16 + _padlock_ecb_encrypt: + .L_padlock_ecb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -169,25 +184,25 @@ _padlock_ecb_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L004ecb_abort ++ jnz .L006ecb_abort + testl $15,%ecx +- jnz .L004ecb_abort ++ jnz .L006ecb_abort + leal .Lpadlock_saved_context,%eax + pushfl + cld + call __padlock_verify_ctx +-.L005ecb_pic_point: ++.L007ecb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz .L006ecb_aligned ++ jnz .L008ecb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz .L006ecb_aligned ++ jnz .L008ecb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -206,7 +221,7 @@ _padlock_ecb_encrypt: + andl $-16,%esp + movl %eax,16(%ebp) + cmpl %ebx,%ecx +- ja .L007ecb_loop ++ ja .L009ecb_loop + movl %esi,%eax + cmpl %esp,%ebp + cmovel %edi,%eax +@@ -217,10 +232,10 @@ _padlock_ecb_encrypt: + movl $-128,%eax + cmovael %ebx,%eax + andl %eax,%ebx +- jz .L008ecb_unaligned_tail +- jmp .L007ecb_loop ++ jz .L010ecb_unaligned_tail ++ jmp .L009ecb_loop 
+ .align 16 +-.L007ecb_loop: ++.L009ecb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -229,13 +244,13 @@ _padlock_ecb_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L009ecb_inp_aligned ++ jz .L011ecb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-.L009ecb_inp_aligned: ++.L011ecb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -243,23 +258,23 @@ _padlock_ecb_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L010ecb_out_aligned ++ jz .L012ecb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L010ecb_out_aligned: ++.L012ecb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jz .L011ecb_break ++ jz .L013ecb_break + cmpl %ebx,%ecx +- jae .L007ecb_loop +-.L008ecb_unaligned_tail: ++ jae .L009ecb_loop ++.L010ecb_unaligned_tail: + xorl %eax,%eax + cmpl %ebp,%esp + cmovel %ecx,%eax +@@ -272,24 +287,24 @@ _padlock_ecb_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L007ecb_loop ++ jmp .L009ecb_loop + .align 16 +-.L011ecb_break: ++.L013ecb_break: + cmpl %ebp,%esp +- je .L012ecb_done ++ je .L014ecb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L013ecb_bzero: ++.L015ecb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L013ecb_bzero +-.L012ecb_done: ++ ja .L015ecb_bzero ++.L014ecb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L014ecb_exit ++ jmp .L016ecb_exit + .align 16 +-.L006ecb_aligned: ++.L008ecb_aligned: + leal (%esi,%ecx,1),%ebp + negl %ebp + andl $4095,%ebp +@@ -299,14 +314,14 @@ _padlock_ecb_encrypt: + cmovael %eax,%ebp + andl %ecx,%ebp + subl %ebp,%ecx +- jz .L015ecb_aligned_tail ++ jz .L017ecb_aligned_tail + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,200 + testl %ebp,%ebp +- jz .L014ecb_exit +-.L015ecb_aligned_tail: ++ jz 
.L016ecb_exit ++.L017ecb_aligned_tail: + movl %ebp,%ecx + leal -24(%esp),%ebp + movl %ebp,%esp +@@ -323,11 +338,11 @@ _padlock_ecb_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L007ecb_loop +-.L014ecb_exit: ++ jmp .L009ecb_loop ++.L016ecb_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L004ecb_abort: ++.L006ecb_abort: + popl %edi + popl %esi + popl %ebx +@@ -338,6 +353,7 @@ _padlock_ecb_encrypt: + .align 16 + _padlock_cbc_encrypt: + .L_padlock_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -347,25 +363,25 @@ _padlock_cbc_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L016cbc_abort ++ jnz .L018cbc_abort + testl $15,%ecx +- jnz .L016cbc_abort ++ jnz .L018cbc_abort + leal .Lpadlock_saved_context,%eax + pushfl + cld + call __padlock_verify_ctx +-.L017cbc_pic_point: ++.L019cbc_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz .L018cbc_aligned ++ jnz .L020cbc_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz .L018cbc_aligned ++ jnz .L020cbc_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -384,7 +400,7 @@ _padlock_cbc_encrypt: + andl $-16,%esp + movl %eax,16(%ebp) + cmpl %ebx,%ecx +- ja .L019cbc_loop ++ ja .L021cbc_loop + movl %esi,%eax + cmpl %esp,%ebp + cmovel %edi,%eax +@@ -395,10 +411,10 @@ _padlock_cbc_encrypt: + movl $-64,%eax + cmovael %ebx,%eax + andl %eax,%ebx +- jz .L020cbc_unaligned_tail +- jmp .L019cbc_loop ++ jz .L022cbc_unaligned_tail ++ jmp .L021cbc_loop + .align 16 +-.L019cbc_loop: ++.L021cbc_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -407,13 +423,13 @@ _padlock_cbc_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L021cbc_inp_aligned ++ jz .L023cbc_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-.L021cbc_inp_aligned: ++.L023cbc_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl 
$4,%ecx +@@ -423,23 +439,23 @@ _padlock_cbc_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L022cbc_out_aligned ++ jz .L024cbc_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L022cbc_out_aligned: ++.L024cbc_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jz .L023cbc_break ++ jz .L025cbc_break + cmpl %ebx,%ecx +- jae .L019cbc_loop +-.L020cbc_unaligned_tail: ++ jae .L021cbc_loop ++.L022cbc_unaligned_tail: + xorl %eax,%eax + cmpl %ebp,%esp + cmovel %ecx,%eax +@@ -452,24 +468,24 @@ _padlock_cbc_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L019cbc_loop ++ jmp .L021cbc_loop + .align 16 +-.L023cbc_break: ++.L025cbc_break: + cmpl %ebp,%esp +- je .L024cbc_done ++ je .L026cbc_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L025cbc_bzero: ++.L027cbc_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L025cbc_bzero +-.L024cbc_done: ++ ja .L027cbc_bzero ++.L026cbc_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L026cbc_exit ++ jmp .L028cbc_exit + .align 16 +-.L018cbc_aligned: ++.L020cbc_aligned: + leal (%esi,%ecx,1),%ebp + negl %ebp + andl $4095,%ebp +@@ -479,7 +495,7 @@ _padlock_cbc_encrypt: + cmovael %eax,%ebp + andl %ecx,%ebp + subl %ebp,%ecx +- jz .L027cbc_aligned_tail ++ jz .L029cbc_aligned_tail + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -487,8 +503,8 @@ _padlock_cbc_encrypt: + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) + testl %ebp,%ebp +- jz .L026cbc_exit +-.L027cbc_aligned_tail: ++ jz .L028cbc_exit ++.L029cbc_aligned_tail: + movl %ebp,%ecx + leal -24(%esp),%ebp + movl %ebp,%esp +@@ -505,11 +521,11 @@ _padlock_cbc_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L019cbc_loop +-.L026cbc_exit: ++ jmp .L021cbc_loop ++.L028cbc_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L016cbc_abort: ++.L018cbc_abort: + popl %edi + popl %esi + popl 
%ebx +@@ -520,6 +536,7 @@ _padlock_cbc_encrypt: + .align 16 + _padlock_cfb_encrypt: + .L_padlock_cfb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -529,25 +546,25 @@ _padlock_cfb_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L028cfb_abort ++ jnz .L030cfb_abort + testl $15,%ecx +- jnz .L028cfb_abort ++ jnz .L030cfb_abort + leal .Lpadlock_saved_context,%eax + pushfl + cld + call __padlock_verify_ctx +-.L029cfb_pic_point: ++.L031cfb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz .L030cfb_aligned ++ jnz .L032cfb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz .L030cfb_aligned ++ jnz .L032cfb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -565,9 +582,9 @@ _padlock_cfb_encrypt: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp .L031cfb_loop ++ jmp .L033cfb_loop + .align 16 +-.L031cfb_loop: ++.L033cfb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -576,13 +593,13 @@ _padlock_cfb_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L032cfb_inp_aligned ++ jz .L034cfb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-.L032cfb_inp_aligned: ++.L034cfb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -592,45 +609,45 @@ _padlock_cfb_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L033cfb_out_aligned ++ jz .L035cfb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L033cfb_out_aligned: ++.L035cfb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz .L031cfb_loop ++ jnz .L033cfb_loop + cmpl %ebp,%esp +- je .L034cfb_done ++ je .L036cfb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L035cfb_bzero: ++.L037cfb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl 
%eax,%ebp +- ja .L035cfb_bzero +-.L034cfb_done: ++ ja .L037cfb_bzero ++.L036cfb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L036cfb_exit ++ jmp .L038cfb_exit + .align 16 +-.L030cfb_aligned: ++.L032cfb_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,224 + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) +-.L036cfb_exit: ++.L038cfb_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L028cfb_abort: ++.L030cfb_abort: + popl %edi + popl %esi + popl %ebx +@@ -641,6 +658,7 @@ _padlock_cfb_encrypt: + .align 16 + _padlock_ofb_encrypt: + .L_padlock_ofb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -650,25 +668,25 @@ _padlock_ofb_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L037ofb_abort ++ jnz .L039ofb_abort + testl $15,%ecx +- jnz .L037ofb_abort ++ jnz .L039ofb_abort + leal .Lpadlock_saved_context,%eax + pushfl + cld + call __padlock_verify_ctx +-.L038ofb_pic_point: ++.L040ofb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz .L039ofb_aligned ++ jnz .L041ofb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz .L039ofb_aligned ++ jnz .L041ofb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -686,9 +704,9 @@ _padlock_ofb_encrypt: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp .L040ofb_loop ++ jmp .L042ofb_loop + .align 16 +-.L040ofb_loop: ++.L042ofb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -697,13 +715,13 @@ _padlock_ofb_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L041ofb_inp_aligned ++ jz .L043ofb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-.L041ofb_inp_aligned: ++.L043ofb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -713,45 +731,45 @@ _padlock_ofb_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L042ofb_out_aligned ++ 
jz .L044ofb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L042ofb_out_aligned: ++.L044ofb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz .L040ofb_loop ++ jnz .L042ofb_loop + cmpl %ebp,%esp +- je .L043ofb_done ++ je .L045ofb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L044ofb_bzero: ++.L046ofb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L044ofb_bzero +-.L043ofb_done: ++ ja .L046ofb_bzero ++.L045ofb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L045ofb_exit ++ jmp .L047ofb_exit + .align 16 +-.L039ofb_aligned: ++.L041ofb_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,232 + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) +-.L045ofb_exit: ++.L047ofb_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L037ofb_abort: ++.L039ofb_abort: + popl %edi + popl %esi + popl %ebx +@@ -762,6 +780,7 @@ _padlock_ofb_encrypt: + .align 16 + _padlock_ctr32_encrypt: + .L_padlock_ctr32_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -771,14 +790,14 @@ _padlock_ctr32_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L046ctr32_abort ++ jnz .L048ctr32_abort + testl $15,%ecx +- jnz .L046ctr32_abort ++ jnz .L048ctr32_abort + leal .Lpadlock_saved_context,%eax + pushfl + cld + call __padlock_verify_ctx +-.L047ctr32_pic_point: ++.L049ctr32_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + movq -16(%edx),%mm0 +@@ -798,9 +817,9 @@ _padlock_ctr32_encrypt: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp .L048ctr32_loop ++ jmp .L050ctr32_loop + .align 16 +-.L048ctr32_loop: ++.L050ctr32_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -809,7 +828,7 @@ _padlock_ctr32_encrypt: + movl -4(%edx),%ecx + xorl %edi,%edi + movl -8(%edx),%eax +-.L049ctr32_prepare: ++.L051ctr32_prepare: + movl %ecx,12(%esp,%edi,1) + bswap 
%ecx + movq %mm0,(%esp,%edi,1) +@@ -818,7 +837,7 @@ _padlock_ctr32_encrypt: + bswap %ecx + leal 16(%edi),%edi + cmpl %ebx,%edi +- jb .L049ctr32_prepare ++ jb .L051ctr32_prepare + movl %ecx,-4(%edx) + leal (%esp),%esi + leal (%esp),%edi +@@ -831,33 +850,33 @@ _padlock_ctr32_encrypt: + movl 12(%ebp),%ebx + movl 4(%ebp),%esi + xorl %ecx,%ecx +-.L050ctr32_xor: ++.L052ctr32_xor: + movups (%esi,%ecx,1),%xmm1 + leal 16(%ecx),%ecx + pxor -16(%esp,%ecx,1),%xmm1 + movups %xmm1,-16(%edi,%ecx,1) + cmpl %ebx,%ecx +- jb .L050ctr32_xor ++ jb .L052ctr32_xor + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz .L048ctr32_loop ++ jnz .L050ctr32_loop + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L051ctr32_bzero: ++.L053ctr32_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L051ctr32_bzero +-.L052ctr32_done: ++ ja .L053ctr32_bzero ++.L054ctr32_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp + movl $1,%eax + leal 4(%esp),%esp + emms +-.L046ctr32_abort: ++.L048ctr32_abort: + popl %edi + popl %esi + popl %ebx +@@ -868,6 +887,7 @@ _padlock_ctr32_encrypt: + .align 16 + _padlock_xstore: + .L_padlock_xstore_begin: ++.byte 243,15,30,251 + pushl %edi + movl 8(%esp),%edi + movl 12(%esp),%edx +@@ -877,20 +897,22 @@ _padlock_xstore: + .def __win32_segv_handler; .scl 3; .type 32; .endef + .align 16 + __win32_segv_handler: ++.byte 243,15,30,251 + movl $1,%eax + movl 4(%esp),%edx + movl 12(%esp),%ecx + cmpl $3221225477,(%edx) +- jne .L053ret ++ jne .L055ret + addl $4,184(%ecx) + movl $0,%eax +-.L053ret: ++.L055ret: + ret + .globl _padlock_sha1_oneshot + .def _padlock_sha1_oneshot; .scl 2; .type 32; .endef + .align 16 + _padlock_sha1_oneshot: + .L_padlock_sha1_oneshot_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + xorl %eax,%eax +@@ -926,6 +948,7 @@ _padlock_sha1_oneshot: + .align 16 + _padlock_sha1_blocks: + .L_padlock_sha1_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +@@ -955,6 +978,7 @@ 
_padlock_sha1_blocks: + .align 16 + _padlock_sha256_oneshot: + .L_padlock_sha256_oneshot_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + xorl %eax,%eax +@@ -990,6 +1014,7 @@ _padlock_sha256_oneshot: + .align 16 + _padlock_sha256_blocks: + .L_padlock_sha256_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +@@ -1019,6 +1044,7 @@ _padlock_sha256_blocks: + .align 16 + _padlock_sha512_blocks: + .L_padlock_sha512_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +diff --git a/lib/accelerated/x86/coff/e_padlock-x86_64.s b/lib/accelerated/x86/coff/e_padlock-x86_64.s +index 7edee19f5..71c9e1aea 100644 +--- a/lib/accelerated/x86/coff/e_padlock-x86_64.s ++++ b/lib/accelerated/x86/coff/e_padlock-x86_64.s +@@ -1,4 +1,4 @@ +-# Copyright (c) 2011-2013, Andy Polyakov ++# Copyright (c) 2011-2016, Andy Polyakov + # All rights reserved. + # + # Redistribution and use in source and binary forms, with or without +@@ -42,36 +42,50 @@ + .def padlock_capability; .scl 2; .type 32; .endef + .p2align 4 + padlock_capability: ++ ++.byte 243,15,30,250 + movq %rbx,%r8 + xorl %eax,%eax + cpuid + xorl %eax,%eax +- cmpl $1953391939,%ebx ++ cmpl $0x746e6543,%ebx ++ jne .Lzhaoxin ++ cmpl $0x48727561,%edx ++ jne .Lnoluck ++ cmpl $0x736c7561,%ecx ++ jne .Lnoluck ++ jmp .LzhaoxinEnd ++.Lzhaoxin: ++ cmpl $0x68532020,%ebx + jne .Lnoluck +- cmpl $1215460705,%edx ++ cmpl $0x68676e61,%edx + jne .Lnoluck +- cmpl $1936487777,%ecx ++ cmpl $0x20206961,%ecx + jne .Lnoluck +- movl $3221225472,%eax ++.LzhaoxinEnd: ++ movl $0xC0000000,%eax + cpuid + movl %eax,%edx + xorl %eax,%eax +- cmpl $3221225473,%edx ++ cmpl $0xC0000001,%edx + jb .Lnoluck +- movl $3221225473,%eax ++ movl $0xC0000001,%eax + cpuid + movl %edx,%eax +- andl $4294967279,%eax +- orl $16,%eax ++ andl $0xffffffef,%eax ++ orl $0x10,%eax + .Lnoluck: + movq %r8,%rbx + .byte 0xf3,0xc3 + + ++ + .globl padlock_key_bswap + .def padlock_key_bswap; .scl 2; .type 32; .endef + .p2align 4 
+ padlock_key_bswap: ++ ++.byte 243,15,30,250 + movl 240(%rcx),%edx + .Lbswap_loop: + movl (%rcx),%eax +@@ -83,10 +97,13 @@ padlock_key_bswap: + .byte 0xf3,0xc3 + + ++ + .globl padlock_verify_context + .def padlock_verify_context; .scl 2; .type 32; .endef + .p2align 4 + padlock_verify_context: ++ ++.byte 243,15,30,250 + movq %rcx,%rdx + pushf + leaq .Lpadlock_saved_context(%rip),%rax +@@ -95,9 +112,12 @@ padlock_verify_context: + .byte 0xf3,0xc3 + + ++ + .def _padlock_verify_ctx; .scl 3; .type 32; .endef + .p2align 4 + _padlock_verify_ctx: ++ ++.byte 243,15,30,250 + movq 8(%rsp),%r8 + btq $30,%r8 + jnc .Lverified +@@ -110,15 +130,19 @@ _padlock_verify_ctx: + .byte 0xf3,0xc3 + + ++ + .globl padlock_reload_key + .def padlock_reload_key; .scl 2; .type 32; .endef + .p2align 4 + padlock_reload_key: ++ ++.byte 243,15,30,250 + pushf + popf + .byte 0xf3,0xc3 + + ++ + .globl padlock_aes_block + .def padlock_aes_block; .scl 2; .type 32; .endef + .p2align 4 +@@ -131,15 +155,18 @@ padlock_aes_block: + movq %rdx,%rsi + movq %r8,%rdx + ++ ++.byte 243,15,30,250 + movq %rbx,%r8 + movq $1,%rcx + leaq 32(%rdx),%rbx + leaq 16(%rdx),%rdx +-.byte 0xf3,0x0f,0xa7,0xc8 ++.byte 0xf3,0x0f,0xa7,0xc8 + movq %r8,%rbx + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_aes_block: + + .globl padlock_xstore +@@ -153,11 +180,14 @@ padlock_xstore: + movq %rcx,%rdi + movq %rdx,%rsi + ++ ++.byte 243,15,30,250 + movl %esi,%edx +-.byte 0x0f,0xa7,0xc0 ++.byte 0x0f,0xa7,0xc0 + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_xstore: + + .globl padlock_sha1_oneshot +@@ -172,6 +202,8 @@ padlock_sha1_oneshot: + movq %rdx,%rsi + movq %r8,%rdx + ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -181,7 +213,7 @@ padlock_sha1_oneshot: + movq %rsp,%rdi + movl %eax,16(%rsp) + xorq %rax,%rax +-.byte 0xf3,0x0f,0xa6,0xc8 ++.byte 0xf3,0x0f,0xa6,0xc8 + movaps (%rsp),%xmm0 + movl 16(%rsp),%eax + addq $128+8,%rsp +@@ -190,6 
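Review bot: The `padlock_capability` hunk (beginning on the previous line) alters which CPUs report PadLock support, which is a functional change unrelated to the `endbr` markers the rest of this patch adds: a second vendor-string comparison path labelled `.Lzhaoxin` is introduced next to the existing one, and the immediates it compares against (`$0x746e6543`, `$0x68532020` and so on) appear to decode to CPUID vendor ID strings. Rewriting the other immediates from decimal to hex (`$1953391939` → `$0x746e6543`, `$3221225472` → `$0xC0000000`) is behaviour-neutral, but the new vendor path is not, and nothing in the patch name or the hunk says so. Since this file selects hardware crypto acceleration, the addition should be called out in the patch header or the spec %changelog so it can be audited separately from the CET work; a one-line comment above `.Lzhaoxin:` such as `# second vendor ID accepted for PadLock capability; see patch description` would make the intent visible in the generated source as well.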
+222,7 @@ padlock_sha1_oneshot: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_sha1_oneshot: + + .globl padlock_sha1_blocks +@@ -204,6 +237,8 @@ padlock_sha1_blocks: + movq %rdx,%rsi + movq %r8,%rdx + ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -213,7 +248,7 @@ padlock_sha1_blocks: + movq %rsp,%rdi + movl %eax,16(%rsp) + movq $-1,%rax +-.byte 0xf3,0x0f,0xa6,0xc8 ++.byte 0xf3,0x0f,0xa6,0xc8 + movaps (%rsp),%xmm0 + movl 16(%rsp),%eax + addq $128+8,%rsp +@@ -222,6 +257,7 @@ padlock_sha1_blocks: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_sha1_blocks: + + .globl padlock_sha256_oneshot +@@ -236,6 +272,8 @@ padlock_sha256_oneshot: + movq %rdx,%rsi + movq %r8,%rdx + ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -245,7 +283,7 @@ padlock_sha256_oneshot: + movq %rsp,%rdi + movaps %xmm1,16(%rsp) + xorq %rax,%rax +-.byte 0xf3,0x0f,0xa6,0xd0 ++.byte 0xf3,0x0f,0xa6,0xd0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + addq $128+8,%rsp +@@ -254,6 +292,7 @@ padlock_sha256_oneshot: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_sha256_oneshot: + + .globl padlock_sha256_blocks +@@ -268,6 +307,8 @@ padlock_sha256_blocks: + movq %rdx,%rsi + movq %r8,%rdx + ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -277,7 +318,7 @@ padlock_sha256_blocks: + movq %rsp,%rdi + movaps %xmm1,16(%rsp) + movq $-1,%rax +-.byte 0xf3,0x0f,0xa6,0xd0 ++.byte 0xf3,0x0f,0xa6,0xd0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + addq $128+8,%rsp +@@ -286,6 +327,7 @@ padlock_sha256_blocks: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_sha256_blocks: + + .globl padlock_sha512_blocks +@@ -300,6 +342,8 @@ padlock_sha512_blocks: + movq %rdx,%rsi + movq %r8,%rdx + ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -312,7 +356,7 @@ 
padlock_sha512_blocks: + movaps %xmm1,16(%rsp) + movaps %xmm2,32(%rsp) + movaps %xmm3,48(%rsp) +-.byte 0xf3,0x0f,0xa6,0xe0 ++.byte 0xf3,0x0f,0xa6,0xe0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + movaps 32(%rsp),%xmm2 +@@ -325,6 +369,7 @@ padlock_sha512_blocks: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_sha512_blocks: + .globl padlock_ecb_encrypt + .def padlock_ecb_encrypt; .scl 2; .type 32; .endef +@@ -339,6 +384,8 @@ padlock_ecb_encrypt: + movq %r8,%rdx + movq %r9,%rcx + ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -356,9 +403,9 @@ padlock_ecb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lecb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lecb_aligned +@@ -382,7 +429,7 @@ padlock_ecb_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $128,%rax + movq $-128,%rax + cmovaeq %rbx,%rax +@@ -398,12 +445,12 @@ padlock_ecb_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lecb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -411,15 +458,15 @@ padlock_ecb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,200 ++.byte 0xf3,0x0f,0xa7,200 + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lecb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lecb_out_aligned: + movq %r9,%rsi +@@ -440,7 +487,7 @@ padlock_ecb_encrypt: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -466,7 +513,7 @@ padlock_ecb_encrypt: + .Lecb_aligned: + leaq (%rsi,%rcx,1),%rbp + negq 
%rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $128,%rbp + movq $128-1,%rbp +@@ -477,7 +524,7 @@ padlock_ecb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,200 ++.byte 0xf3,0x0f,0xa7,200 + testq %rbp,%rbp + jz .Lecb_exit + +@@ -489,7 +536,7 @@ padlock_ecb_encrypt: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -503,6 +550,7 @@ padlock_ecb_encrypt: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_ecb_encrypt: + .globl padlock_cbc_encrypt + .def padlock_cbc_encrypt; .scl 2; .type 32; .endef +@@ -517,6 +565,8 @@ padlock_cbc_encrypt: + movq %r8,%rdx + movq %r9,%rcx + ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -534,9 +584,9 @@ padlock_cbc_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lcbc_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lcbc_aligned +@@ -560,7 +610,7 @@ padlock_cbc_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $64,%rax + movq $-64,%rax + cmovaeq %rbx,%rax +@@ -576,12 +626,12 @@ padlock_cbc_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lcbc_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -589,17 +639,17 @@ padlock_cbc_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,208 ++.byte 0xf3,0x0f,0xa7,208 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lcbc_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + 
.Lcbc_out_aligned: + movq %r9,%rsi +@@ -620,7 +670,7 @@ padlock_cbc_encrypt: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -646,7 +696,7 @@ padlock_cbc_encrypt: + .Lcbc_aligned: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $64,%rbp + movq $64-1,%rbp +@@ -657,7 +707,7 @@ padlock_cbc_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,208 ++.byte 0xf3,0x0f,0xa7,208 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + testq %rbp,%rbp +@@ -671,7 +721,7 @@ padlock_cbc_encrypt: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -685,6 +735,7 @@ padlock_cbc_encrypt: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_cbc_encrypt: + .globl padlock_cfb_encrypt + .def padlock_cfb_encrypt; .scl 2; .type 32; .endef +@@ -699,6 +750,8 @@ padlock_cfb_encrypt: + movq %r8,%rdx + movq %r9,%rcx + ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -716,9 +769,9 @@ padlock_cfb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lcfb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lcfb_aligned +@@ -745,12 +798,12 @@ padlock_cfb_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lcfb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -758,17 +811,17 @@ padlock_cfb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,224 ++.byte 0xf3,0x0f,0xa7,224 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq 
$0x0f,%rdi + jz .Lcfb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lcfb_out_aligned: + movq %r9,%rsi +@@ -798,7 +851,7 @@ padlock_cfb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,224 ++.byte 0xf3,0x0f,0xa7,224 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + .Lcfb_exit: +@@ -810,6 +863,7 @@ padlock_cfb_encrypt: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_cfb_encrypt: + .globl padlock_ofb_encrypt + .def padlock_ofb_encrypt; .scl 2; .type 32; .endef +@@ -824,6 +878,8 @@ padlock_ofb_encrypt: + movq %r8,%rdx + movq %r9,%rcx + ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -841,9 +897,9 @@ padlock_ofb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lofb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lofb_aligned +@@ -870,12 +926,12 @@ padlock_ofb_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lofb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -883,17 +939,17 @@ padlock_ofb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,232 ++.byte 0xf3,0x0f,0xa7,232 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lofb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lofb_out_aligned: + movq %r9,%rsi +@@ -923,7 +979,7 @@ padlock_ofb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,232 ++.byte 0xf3,0x0f,0xa7,232 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + .Lofb_exit: +@@ -935,6 +991,7 @@ 
padlock_ofb_encrypt: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_ofb_encrypt: + .globl padlock_ctr32_encrypt + .def padlock_ctr32_encrypt; .scl 2; .type 32; .endef +@@ -949,6 +1006,8 @@ padlock_ctr32_encrypt: + movq %r8,%rdx + movq %r9,%rcx + ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -966,9 +1025,9 @@ padlock_ctr32_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lctr32_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lctr32_aligned +@@ -1003,7 +1062,7 @@ padlock_ctr32_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $32,%rax + movq $-32,%rax + cmovaeq %rbx,%rax +@@ -1019,12 +1078,12 @@ padlock_ctr32_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lctr32_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -1032,23 +1091,23 @@ padlock_ctr32_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + movl -4(%rdx),%eax +- testl $4294901760,%eax ++ testl $0xffff0000,%eax + jnz .Lctr32_no_carry + bswapl %eax +- addl $65536,%eax ++ addl $0x10000,%eax + bswapl %eax + movl %eax,-4(%rdx) + .Lctr32_no_carry: + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lctr32_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lctr32_out_aligned: + movq %r9,%rsi +@@ -1066,7 +1125,7 @@ padlock_ctr32_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $32,%rax + movq $-32,%rax + cmovaeq %rbx,%rax +@@ -1081,7 +1140,7 @@ padlock_ctr32_encrypt: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 
0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -1108,7 +1167,7 @@ padlock_ctr32_encrypt: + movl -4(%rdx),%eax + bswapl %eax + negl %eax +- andl $65535,%eax ++ andl $0xffff,%eax + movq $1048576,%rbx + shll $4,%eax + cmovzq %rbx,%rax +@@ -1125,11 +1184,11 @@ padlock_ctr32_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + + movl -4(%rdx),%eax + bswapl %eax +- addl $65536,%eax ++ addl $0x10000,%eax + bswapl %eax + movl %eax,-4(%rdx) + +@@ -1143,7 +1202,7 @@ padlock_ctr32_encrypt: + .Lctr32_aligned_skip: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $32,%rbp + movq $32-1,%rbp +@@ -1154,7 +1213,7 @@ padlock_ctr32_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + testq %rbp,%rbp + jz .Lctr32_exit + +@@ -1166,7 +1225,7 @@ padlock_ctr32_encrypt: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -1180,6 +1239,7 @@ padlock_ctr32_encrypt: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_padlock_ctr32_encrypt: + .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,95,54,52,32,109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .p2align 4 +diff --git a/lib/accelerated/x86/coff/ghash-x86_64.s b/lib/accelerated/x86/coff/ghash-x86_64.s +index de207e400..cfe24252f 100644 +--- a/lib/accelerated/x86/coff/ghash-x86_64.s ++++ b/lib/accelerated/x86/coff/ghash-x86_64.s +@@ -52,6 +52,7 @@ gcm_gmult_4bit: + movq %rdx,%rsi + + ++.byte 243,15,30,250 + pushq %rbx + + pushq %rbp +@@ -168,6 +169,7 @@ gcm_ghash_4bit: + movq %r9,%rcx + + ++.byte 243,15,30,250 + pushq %rbx + + pushq %rbp +@@ -918,6 +920,7 @@ gcm_init_clmul: + 
.p2align 4 + gcm_gmult_clmul: + ++.byte 243,15,30,250 + .L_gmult_clmul: + movdqu (%rcx),%xmm0 + movdqa .Lbswap_mask(%rip),%xmm5 +@@ -971,6 +974,7 @@ gcm_gmult_clmul: + .p2align 5 + gcm_ghash_clmul: + ++.byte 243,15,30,250 + .L_ghash_clmul: + leaq -136(%rsp),%rax + .LSEH_begin_gcm_ghash_clmul: +@@ -1498,6 +1502,7 @@ gcm_init_avx: + .p2align 5 + gcm_gmult_avx: + ++.byte 243,15,30,250 + jmp .L_gmult_clmul + + +@@ -1506,6 +1511,7 @@ gcm_gmult_avx: + .p2align 5 + gcm_ghash_avx: + ++.byte 243,15,30,250 + leaq -136(%rsp),%rax + .LSEH_begin_gcm_ghash_avx: + +diff --git a/lib/accelerated/x86/coff/sha1-ssse3-x86.s b/lib/accelerated/x86/coff/sha1-ssse3-x86.s +index 30f9ded21..34b33601e 100644 +--- a/lib/accelerated/x86/coff/sha1-ssse3-x86.s ++++ b/lib/accelerated/x86/coff/sha1-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + _sha1_block_data_order: + .L_sha1_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s +index cdfc88254..79f841f1a 100644 +--- a/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s ++++ b/lib/accelerated/x86/coff/sha1-ssse3-x86_64.s +@@ -1490,10 +1490,10 @@ _shaext_shortcut: + movaps -8-16(%rax),%xmm9 + movq %rax,%rsp + .Lepilogue_shaext: +- + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_sha1_block_data_order_shaext: + .def sha1_block_data_order_ssse3; .scl 3; .type 32; .endef + .p2align 4 +diff --git a/lib/accelerated/x86/coff/sha256-ssse3-x86.s b/lib/accelerated/x86/coff/sha256-ssse3-x86.s +index 05cd61d1b..8109c6b51 100644 +--- a/lib/accelerated/x86/coff/sha256-ssse3-x86.s ++++ b/lib/accelerated/x86/coff/sha256-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + _sha256_block_data_order: + .L_sha256_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s +index 
d2fc1957e..78fae2a62 100644 +--- a/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s ++++ b/lib/accelerated/x86/coff/sha256-ssse3-x86_64.s +@@ -1832,6 +1832,7 @@ sha256_block_data_order_shaext: + movq %r8,%rdx + + _shaext_shortcut: ++ + leaq -88(%rsp),%rsp + movaps %xmm6,-8-80(%rax) + movaps %xmm7,-8-64(%rax) +@@ -2050,6 +2051,7 @@ _shaext_shortcut: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + .byte 0xf3,0xc3 ++ + .LSEH_end_sha256_block_data_order_shaext: + .def sha256_block_data_order_ssse3; .scl 3; .type 32; .endef + .p2align 6 +@@ -5501,6 +5503,8 @@ sha256_block_data_order_avx2: + + leaq 448(%rsp),%rsp + ++ ++ + addl 0(%rdi),%eax + addl 4(%rdi),%ebx + addl 8(%rdi),%ecx +@@ -5526,15 +5530,17 @@ sha256_block_data_order_avx2: + jbe .Loop_avx2 + leaq (%rsp),%rbp + ++ ++ ++ + .Ldone_avx2: +- leaq (%rbp),%rsp +- movq 88(%rsp),%rsi ++ movq 88(%rbp),%rsi + + vzeroupper +- movaps 64+32(%rsp),%xmm6 +- movaps 64+48(%rsp),%xmm7 +- movaps 64+64(%rsp),%xmm8 +- movaps 64+80(%rsp),%xmm9 ++ movaps 64+32(%rbp),%xmm6 ++ movaps 64+48(%rbp),%xmm7 ++ movaps 64+64(%rbp),%xmm8 ++ movaps 64+80(%rbp),%xmm9 + movq -48(%rsi),%r15 + + movq -40(%rsi),%r14 +diff --git a/lib/accelerated/x86/coff/sha512-ssse3-x86.s b/lib/accelerated/x86/coff/sha512-ssse3-x86.s +index 72a7f73d7..321a18541 100644 +--- a/lib/accelerated/x86/coff/sha512-ssse3-x86.s ++++ b/lib/accelerated/x86/coff/sha512-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + _sha512_block_data_order: + .L_sha512_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s b/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s +index 419fa2a98..836e0cf66 100644 +--- a/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s ++++ b/lib/accelerated/x86/coff/sha512-ssse3-x86_64.s +@@ -5494,6 +5494,8 @@ sha512_block_data_order_avx2: + + leaq 1152(%rsp),%rsp + ++ ++ + addq 0(%rdi),%rax + addq 8(%rdi),%rbx + addq 16(%rdi),%rcx +@@ -5519,17 +5521,19 @@ sha512_block_data_order_avx2: + jbe 
.Loop_avx2 + leaq (%rsp),%rbp + ++ ++ ++ + .Ldone_avx2: +- leaq (%rbp),%rsp +- movq 152(%rsp),%rsi ++ movq 152(%rbp),%rsi + + vzeroupper +- movaps 128+32(%rsp),%xmm6 +- movaps 128+48(%rsp),%xmm7 +- movaps 128+64(%rsp),%xmm8 +- movaps 128+80(%rsp),%xmm9 +- movaps 128+96(%rsp),%xmm10 +- movaps 128+112(%rsp),%xmm11 ++ movaps 128+32(%rbp),%xmm6 ++ movaps 128+48(%rbp),%xmm7 ++ movaps 128+64(%rbp),%xmm8 ++ movaps 128+80(%rbp),%xmm9 ++ movaps 128+96(%rbp),%xmm10 ++ movaps 128+112(%rbp),%xmm11 + movq -48(%rsi),%r15 + + movq -40(%rsi),%r14 +diff --git a/lib/accelerated/x86/elf/aes-ssse3-x86.s b/lib/accelerated/x86/elf/aes-ssse3-x86.s +index 265e28a7e..7be53059f 100644 +--- a/lib/accelerated/x86/elf/aes-ssse3-x86.s ++++ b/lib/accelerated/x86/elf/aes-ssse3-x86.s +@@ -71,6 +71,7 @@ + .type _vpaes_preheat,@function + .align 16 + _vpaes_preheat: ++.byte 243,15,30,251 + addl (%esp),%ebp + movdqa -48(%ebp),%xmm7 + movdqa -16(%ebp),%xmm6 +@@ -79,6 +80,7 @@ _vpaes_preheat: + .type _vpaes_encrypt_core,@function + .align 16 + _vpaes_encrypt_core: ++.byte 243,15,30,251 + movl $16,%ecx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 +@@ -156,6 +158,7 @@ _vpaes_encrypt_core: + .type _vpaes_decrypt_core,@function + .align 16 + _vpaes_decrypt_core: ++.byte 243,15,30,251 + leal 608(%ebp),%ebx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 +@@ -244,6 +247,7 @@ _vpaes_decrypt_core: + .type _vpaes_schedule_core,@function + .align 16 + _vpaes_schedule_core: ++.byte 243,15,30,251 + addl (%esp),%ebp + movdqu (%esi),%xmm0 + movdqa 320(%ebp),%xmm2 +@@ -338,6 +342,7 @@ _vpaes_schedule_core: + .type _vpaes_schedule_192_smear,@function + .align 16 + _vpaes_schedule_192_smear: ++.byte 243,15,30,251 + pshufd $128,%xmm6,%xmm1 + pshufd $254,%xmm7,%xmm0 + pxor %xmm1,%xmm6 +@@ -350,6 +355,7 @@ _vpaes_schedule_192_smear: + .type _vpaes_schedule_round,@function + .align 16 + _vpaes_schedule_round: ++.byte 243,15,30,251 + movdqa 8(%esp),%xmm2 + pxor %xmm1,%xmm1 + .byte 102,15,58,15,202,15 +@@ -399,6 +405,7 @@ 
_vpaes_schedule_round: + .type _vpaes_schedule_transform,@function + .align 16 + _vpaes_schedule_transform: ++.byte 243,15,30,251 + movdqa -16(%ebp),%xmm2 + movdqa %xmm2,%xmm1 + pandn %xmm0,%xmm1 +@@ -414,6 +421,7 @@ _vpaes_schedule_transform: + .type _vpaes_schedule_mangle,@function + .align 16 + _vpaes_schedule_mangle: ++.byte 243,15,30,251 + movdqa %xmm0,%xmm4 + movdqa 128(%ebp),%xmm5 + testl %edi,%edi +@@ -475,6 +483,7 @@ _vpaes_schedule_mangle: + .align 16 + vpaes_set_encrypt_key: + .L_vpaes_set_encrypt_key_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -508,6 +517,7 @@ vpaes_set_encrypt_key: + .align 16 + vpaes_set_decrypt_key: + .L_vpaes_set_decrypt_key_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -546,6 +556,7 @@ vpaes_set_decrypt_key: + .align 16 + vpaes_encrypt: + .L_vpaes_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -575,6 +586,7 @@ vpaes_encrypt: + .align 16 + vpaes_decrypt: + .L_vpaes_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -604,6 +616,7 @@ vpaes_decrypt: + .align 16 + vpaes_cbc_encrypt: + .L_vpaes_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -671,4 +684,21 @@ vpaes_cbc_encrypt: + ret + .size vpaes_cbc_encrypt,.-.L_vpaes_cbc_encrypt_begin + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/aes-ssse3-x86_64.s b/lib/accelerated/x86/elf/aes-ssse3-x86_64.s +index ea1216baf..5a3f336f2 100644 +--- a/lib/accelerated/x86/elf/aes-ssse3-x86_64.s ++++ b/lib/accelerated/x86/elf/aes-ssse3-x86_64.s +@@ -635,6 +635,7 @@ _vpaes_schedule_mangle: + .align 16 + vpaes_set_encrypt_key: + .cfi_startproc ++.byte 243,15,30,250 + movl %esi,%eax + shrl $5,%eax + addl $5,%eax 
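Review bot: The `.note.gnu.property` block added at the end of `vpaes_cbc_encrypt` (hunk `@@ -671,4 +684,21 @@`) emits the owner name with `.asciz "GNU"`, while the equivalent block in the x86_64 variant of this same file encodes it as four `.byte` values with the comment that `.asciz` is not supported on Solaris; if that portability concern is real it applies to the 32-bit object too, so the two templates should agree. The note sets `.long 0xc0000002` with value `.long 3`, which I read as asserting both IBT and shadow-stack compatibility for the whole object; the IBT half is backed by the `endbr32` bytes (`243,15,30,251`) added at each function entry in this file, but the shadow-stack half rests on the assumption that no routine here rewrites a return address on the stack, which is worth stating in a comment, e.g. `# 0xc0000002 = GNU_PROPERTY_X86_FEATURE_1_AND; 3 = IBT|SHSTK, valid only while no routine in this object modifies a return address`. The `.p2align 2` here versus `.p2align 3` in the 64-bit note is expected (ELF32 vs ELF64 note alignment) and does not need changing.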
+@@ -653,6 +654,7 @@ vpaes_set_encrypt_key: + .align 16 + vpaes_set_decrypt_key: + .cfi_startproc ++.byte 243,15,30,250 + movl %esi,%eax + shrl $5,%eax + addl $5,%eax +@@ -676,6 +678,7 @@ vpaes_set_decrypt_key: + .align 16 + vpaes_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_encrypt_core +@@ -689,6 +692,7 @@ vpaes_encrypt: + .align 16 + vpaes_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_decrypt_core +@@ -701,6 +705,7 @@ vpaes_decrypt: + .align 16 + vpaes_cbc_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + xchgq %rcx,%rdx + subq $16,%rcx + jc .Lcbc_abort +@@ -863,5 +868,26 @@ _vpaes_consts: + .byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 + .align 64 + .size _vpaes_consts,.-_vpaes_consts ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. 
++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s +index e26d18d69..1a11222e7 100644 +--- a/lib/accelerated/x86/elf/aesni-gcm-x86_64.s ++++ b/lib/accelerated/x86/elf/aesni-gcm-x86_64.s +@@ -42,6 +42,8 @@ + .type _aesni_ctr32_ghash_6x,@function + .align 32 + _aesni_ctr32_ghash_6x: ++.cfi_startproc ++.byte 243,15,30,250 + vmovdqu 32(%r11),%xmm2 + subq $6,%rdx + vpxor %xmm4,%xmm4,%xmm4 +@@ -349,12 +351,14 @@ _aesni_ctr32_ghash_6x: + vpxor %xmm4,%xmm8,%xmm8 + + .byte 0xf3,0xc3 ++.cfi_endproc + .size _aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x + .globl aesni_gcm_decrypt + .type aesni_gcm_decrypt,@function + .align 32 + aesni_gcm_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + xorq %r10,%r10 + cmpq $0x60,%rdx + jb .Lgcm_dec_abort +@@ -455,6 +459,8 @@ aesni_gcm_decrypt: + .type _aesni_ctr32_6x,@function + .align 32 + _aesni_ctr32_6x: ++.cfi_startproc ++.byte 243,15,30,250 + vmovdqu 0-128(%rcx),%xmm4 + vmovdqu 32(%r11),%xmm2 + leaq -1(%rbp),%r13 +@@ -541,6 +547,7 @@ _aesni_ctr32_6x: + vpshufb %xmm0,%xmm1,%xmm1 + vpxor %xmm4,%xmm14,%xmm14 + jmp .Loop_ctr32 ++.cfi_endproc + .size _aesni_ctr32_6x,.-_aesni_ctr32_6x + + .globl aesni_gcm_encrypt +@@ -548,6 +555,7 @@ _aesni_ctr32_6x: + .align 32 + aesni_gcm_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + xorq %r10,%r10 + cmpq $288,%rdx + jb .Lgcm_enc_abort +@@ -822,5 +830,26 @@ aesni_gcm_encrypt: + .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + .byte 65,69,83,45,78,73,32,71,67,77,32,109,111,100,117,108,101,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 64 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded 
with .byte, since .asciz isn't supported ++ # on Solaris. ++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/aesni-x86.s b/lib/accelerated/x86/elf/aesni-x86.s +index 6e4860209..f41d5f9ef 100644 +--- a/lib/accelerated/x86/elf/aesni-x86.s ++++ b/lib/accelerated/x86/elf/aesni-x86.s +@@ -43,6 +43,7 @@ + .align 16 + aesni_encrypt: + .L_aesni_encrypt_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 +@@ -70,6 +71,7 @@ aesni_encrypt: + .align 16 + aesni_decrypt: + .L_aesni_decrypt_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 +@@ -95,6 +97,7 @@ aesni_decrypt: + .type _aesni_encrypt2,@function + .align 16 + _aesni_encrypt2: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -122,6 +125,7 @@ _aesni_encrypt2: + .type _aesni_decrypt2,@function + .align 16 + _aesni_decrypt2: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -149,6 +153,7 @@ _aesni_decrypt2: + .type _aesni_encrypt3,@function + .align 16 + _aesni_encrypt3: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -181,6 +186,7 @@ _aesni_encrypt3: + .type _aesni_decrypt3,@function + .align 16 + _aesni_decrypt3: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -213,6 +219,7 @@ _aesni_decrypt3: + .type _aesni_encrypt4,@function + .align 16 + _aesni_encrypt4: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx +@@ -251,6 +258,7 @@ _aesni_encrypt4: + .type _aesni_decrypt4,@function + .align 16 + _aesni_decrypt4: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx +@@ -289,6 +297,7 @@ _aesni_decrypt4: + .type _aesni_encrypt6,@function + .align 16 + 
_aesni_encrypt6: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -343,6 +352,7 @@ _aesni_encrypt6: + .type _aesni_decrypt6,@function + .align 16 + _aesni_decrypt6: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -399,6 +409,7 @@ _aesni_decrypt6: + .align 16 + aesni_ecb_encrypt: + .L_aesni_ecb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -634,6 +645,7 @@ aesni_ecb_encrypt: + .align 16 + aesni_ccm64_encrypt_blocks: + .L_aesni_ccm64_encrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -722,6 +734,7 @@ aesni_ccm64_encrypt_blocks: + .align 16 + aesni_ccm64_decrypt_blocks: + .L_aesni_ccm64_decrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -845,6 +858,7 @@ aesni_ccm64_decrypt_blocks: + .align 16 + aesni_ctr32_encrypt_blocks: + .L_aesni_ctr32_encrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1083,6 +1097,7 @@ aesni_ctr32_encrypt_blocks: + .align 16 + aesni_xts_encrypt: + .L_aesni_xts_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1443,6 +1458,7 @@ aesni_xts_encrypt: + .align 16 + aesni_xts_decrypt: + .L_aesni_xts_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1833,6 +1849,7 @@ aesni_xts_decrypt: + .align 16 + aesni_ocb_encrypt: + .L_aesni_ocb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2228,6 +2245,7 @@ aesni_ocb_encrypt: + .align 16 + aesni_ocb_decrypt: + .L_aesni_ocb_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2623,6 +2641,7 @@ aesni_ocb_decrypt: + .align 16 + aesni_cbc_encrypt: + .L_aesni_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2882,6 +2901,7 @@ aesni_cbc_encrypt: + .type _aesni_set_encrypt_key,@function + .align 16 + _aesni_set_encrypt_key: ++.byte 243,15,30,251 + 
pushl %ebp + pushl %ebx + testl %eax,%eax +@@ -3217,6 +3237,7 @@ _aesni_set_encrypt_key: + .align 16 + aesni_set_encrypt_key: + .L_aesni_set_encrypt_key_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx +@@ -3228,6 +3249,7 @@ aesni_set_encrypt_key: + .align 16 + aesni_set_decrypt_key: + .L_aesni_set_decrypt_key_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx +@@ -3275,4 +3297,21 @@ aesni_set_decrypt_key: + .byte 115,108,46,111,114,103,62,0 + .comm _gnutls_x86_cpuid_s,16,4 + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/aesni-x86_64.s b/lib/accelerated/x86/elf/aesni-x86_64.s +index 43cf4e68d..e3f9d5a99 100644 +--- a/lib/accelerated/x86/elf/aesni-x86_64.s ++++ b/lib/accelerated/x86/elf/aesni-x86_64.s +@@ -44,6 +44,7 @@ + .align 16 + aesni_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + movups (%rdi),%xmm2 + movl 240(%rdx),%eax + movups (%rdx),%xmm0 +@@ -70,6 +71,7 @@ aesni_encrypt: + .align 16 + aesni_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + movups (%rdi),%xmm2 + movl 240(%rdx),%eax + movups (%rdx),%xmm0 +@@ -557,6 +559,7 @@ _aesni_decrypt8: + .align 16 + aesni_ecb_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + andq $-16,%rdx + jz .Lecb_ret + +@@ -900,6 +903,8 @@ aesni_ecb_encrypt: + .type aesni_ccm64_encrypt_blocks,@function + .align 16 + aesni_ccm64_encrypt_blocks: ++.cfi_startproc ++.byte 243,15,30,250 + movl 240(%rcx),%eax + movdqu (%r8),%xmm6 + movdqa .Lincrement64(%rip),%xmm9 +@@ -958,11 +963,14 @@ aesni_ccm64_encrypt_blocks: + pxor %xmm8,%xmm8 + pxor %xmm6,%xmm6 + .byte 0xf3,0xc3 ++.cfi_endproc + .size aesni_ccm64_encrypt_blocks,.-aesni_ccm64_encrypt_blocks + .globl aesni_ccm64_decrypt_blocks + .type 
aesni_ccm64_decrypt_blocks,@function + .align 16 + aesni_ccm64_decrypt_blocks: ++.cfi_startproc ++.byte 243,15,30,250 + movl 240(%rcx),%eax + movups (%r8),%xmm6 + movdqu (%r9),%xmm3 +@@ -1055,12 +1063,14 @@ aesni_ccm64_decrypt_blocks: + pxor %xmm8,%xmm8 + pxor %xmm6,%xmm6 + .byte 0xf3,0xc3 ++.cfi_endproc + .size aesni_ccm64_decrypt_blocks,.-aesni_ccm64_decrypt_blocks + .globl aesni_ctr32_encrypt_blocks + .type aesni_ctr32_encrypt_blocks,@function + .align 16 + aesni_ctr32_encrypt_blocks: + .cfi_startproc ++.byte 243,15,30,250 + cmpq $1,%rdx + jne .Lctr32_bulk + +@@ -1639,6 +1649,7 @@ aesni_ctr32_encrypt_blocks: + .align 16 + aesni_xts_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%r11 + .cfi_def_cfa_register %r11 + pushq %rbp +@@ -2109,6 +2120,7 @@ aesni_xts_encrypt: + .align 16 + aesni_xts_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%r11 + .cfi_def_cfa_register %r11 + pushq %rbp +@@ -2616,6 +2628,7 @@ aesni_xts_decrypt: + .align 32 + aesni_ocb_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + .cfi_adjust_cfa_offset 8 +@@ -2829,6 +2842,7 @@ aesni_ocb_encrypt: + .type __ocb_encrypt6,@function + .align 32 + __ocb_encrypt6: ++.cfi_startproc + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -2926,11 +2940,13 @@ __ocb_encrypt6: + .byte 102,65,15,56,221,246 + .byte 102,65,15,56,221,255 + .byte 0xf3,0xc3 ++.cfi_endproc + .size __ocb_encrypt6,.-__ocb_encrypt6 + + .type __ocb_encrypt4,@function + .align 32 + __ocb_encrypt4: ++.cfi_startproc + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -2995,11 +3011,13 @@ __ocb_encrypt4: + .byte 102,65,15,56,221,228 + .byte 102,65,15,56,221,237 + .byte 0xf3,0xc3 ++.cfi_endproc + .size __ocb_encrypt4,.-__ocb_encrypt4 + + .type __ocb_encrypt1,@function + .align 32 + __ocb_encrypt1: ++.cfi_startproc + pxor %xmm15,%xmm7 + pxor %xmm9,%xmm7 + pxor %xmm2,%xmm8 +@@ -3030,6 +3048,7 @@ __ocb_encrypt1: + + .byte 
102,15,56,221,215 + .byte 0xf3,0xc3 ++.cfi_endproc + .size __ocb_encrypt1,.-__ocb_encrypt1 + + .globl aesni_ocb_decrypt +@@ -3037,6 +3056,7 @@ __ocb_encrypt1: + .align 32 + aesni_ocb_decrypt: + .cfi_startproc ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + .cfi_adjust_cfa_offset 8 +@@ -3272,6 +3292,7 @@ aesni_ocb_decrypt: + .type __ocb_decrypt6,@function + .align 32 + __ocb_decrypt6: ++.cfi_startproc + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3363,11 +3384,13 @@ __ocb_decrypt6: + .byte 102,65,15,56,223,246 + .byte 102,65,15,56,223,255 + .byte 0xf3,0xc3 ++.cfi_endproc + .size __ocb_decrypt6,.-__ocb_decrypt6 + + .type __ocb_decrypt4,@function + .align 32 + __ocb_decrypt4: ++.cfi_startproc + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3428,11 +3451,13 @@ __ocb_decrypt4: + .byte 102,65,15,56,223,228 + .byte 102,65,15,56,223,237 + .byte 0xf3,0xc3 ++.cfi_endproc + .size __ocb_decrypt4,.-__ocb_decrypt4 + + .type __ocb_decrypt1,@function + .align 32 + __ocb_decrypt1: ++.cfi_startproc + pxor %xmm15,%xmm7 + pxor %xmm9,%xmm7 + pxor %xmm7,%xmm2 +@@ -3462,12 +3487,14 @@ __ocb_decrypt1: + + .byte 102,15,56,223,215 + .byte 0xf3,0xc3 ++.cfi_endproc + .size __ocb_decrypt1,.-__ocb_decrypt1 + .globl aesni_cbc_encrypt + .type aesni_cbc_encrypt,@function + .align 16 + aesni_cbc_encrypt: + .cfi_startproc ++.byte 243,15,30,250 + testq %rdx,%rdx + jz .Lcbc_ret + +@@ -4400,7 +4427,6 @@ __aesni_set_encrypt_key: + addq $8,%rsp + .cfi_adjust_cfa_offset -8 + .byte 0xf3,0xc3 +-.cfi_endproc + .LSEH_end_set_encrypt_key: + + .align 16 +@@ -4471,6 +4497,7 @@ __aesni_set_encrypt_key: + shufps $170,%xmm1,%xmm1 + xorps %xmm1,%xmm2 + .byte 0xf3,0xc3 ++.cfi_endproc + .size aesni_set_encrypt_key,.-aesni_set_encrypt_key + .size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key + .align 64 +@@ -4495,5 +4522,26 @@ __aesni_set_encrypt_key: + + .byte 
65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 64 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. ++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/e_padlock-x86.s b/lib/accelerated/x86/elf/e_padlock-x86.s +index ed8681ee4..dd56518f6 100644 +--- a/lib/accelerated/x86/elf/e_padlock-x86.s ++++ b/lib/accelerated/x86/elf/e_padlock-x86.s +@@ -1,4 +1,4 @@ +-# Copyright (c) 2011-2013, Andy Polyakov ++# Copyright (c) 2011-2016, Andy Polyakov + # All rights reserved. + # + # Redistribution and use in source and binary forms, with or without +@@ -37,13 +37,13 @@ + # + # *** This file is auto-generated *** + # +-.file "devel/perlasm/e_padlock-x86.s" + .text + .globl padlock_capability + .type padlock_capability,@function + .align 16 + padlock_capability: + .L_padlock_capability_begin: ++.byte 243,15,30,251 + pushl %ebx + pushfl + popl %eax +@@ -60,11 +60,20 @@ padlock_capability: + .byte 0x0f,0xa2 + xorl %eax,%eax + cmpl $0x746e6543,%ebx +- jne .L000noluck ++ jne .L001zhaoxin + cmpl $0x48727561,%edx + jne .L000noluck + cmpl $0x736c7561,%ecx + jne .L000noluck ++ jmp .L002zhaoxinEnd ++.L001zhaoxin: ++ cmpl $0x68532020,%ebx ++ jne .L000noluck ++ cmpl $0x68676e61,%edx ++ jne .L000noluck ++ cmpl $0x20206961,%ecx ++ jne .L000noluck ++.L002zhaoxinEnd: + movl $3221225472,%eax + .byte 0x0f,0xa2 + movl %eax,%edx +@@ -95,15 +104,16 @@ padlock_capability: + .align 16 + padlock_key_bswap: + .L_padlock_key_bswap_begin: ++.byte 243,15,30,251 + movl 4(%esp),%edx + movl 240(%edx),%ecx +-.L001bswap_loop: ++.L003bswap_loop: + movl (%edx),%eax 
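Review bot: The new `.L001zhaoxin` branch in padlock_capability makes a second CPUID vendor string pass the capability probe, which is a functional change unrelated to the endbr32 and `.note.gnu.property` additions that make up the rest of this patch; the same change appears in the x86_64 `padlock_capability` hunk for e_padlock-x86_64.s. If this is an intentional side effect of regenerating the files from a newer upstream (the copyright bump to 2011-2016 suggests that), the patch header should say so explicitly, since it presumably widens the set of CPUs on which the PadLock hardware AES/SHA/xstore paths get selected, and a maintainer or FIPS reviewer would expect such a change to be listed rather than found inside a CET patch. Because these .s files are marked `*** This file is auto-generated ***`, a comment in the assembly would be lost on the next regeneration, so the note belongs in the patch description, e.g. `Also picks up upstream's Zhaoxin vendor-id detection in padlock_capability (not CET-related).`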
+ bswap %eax + movl %eax,(%edx) + leal 4(%edx),%edx + subl $1,%ecx +- jnz .L001bswap_loop ++ jnz .L003bswap_loop + ret + .size padlock_key_bswap,.-.L_padlock_key_bswap_begin + .globl padlock_verify_context +@@ -111,25 +121,27 @@ padlock_key_bswap: + .align 16 + padlock_verify_context: + .L_padlock_verify_context_begin: ++.byte 243,15,30,251 + movl 4(%esp),%edx +- leal .Lpadlock_saved_context-.L002verify_pic_point,%eax ++ leal .Lpadlock_saved_context-.L004verify_pic_point,%eax + pushfl + call _padlock_verify_ctx +-.L002verify_pic_point: ++.L004verify_pic_point: + leal 4(%esp),%esp + ret + .size padlock_verify_context,.-.L_padlock_verify_context_begin + .type _padlock_verify_ctx,@function + .align 16 + _padlock_verify_ctx: ++.byte 243,15,30,251 + addl (%esp),%eax + btl $30,4(%esp) +- jnc .L003verified ++ jnc .L005verified + cmpl (%eax),%edx +- je .L003verified ++ je .L005verified + pushfl + popfl +-.L003verified: ++.L005verified: + movl %edx,(%eax) + ret + .size _padlock_verify_ctx,.-_padlock_verify_ctx +@@ -138,6 +150,7 @@ _padlock_verify_ctx: + .align 16 + padlock_reload_key: + .L_padlock_reload_key_begin: ++.byte 243,15,30,251 + pushfl + popfl + ret +@@ -147,6 +160,7 @@ padlock_reload_key: + .align 16 + padlock_aes_block: + .L_padlock_aes_block_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + pushl %ebx +@@ -167,6 +181,7 @@ padlock_aes_block: + .align 16 + padlock_ecb_encrypt: + .L_padlock_ecb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -176,25 +191,25 @@ padlock_ecb_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L004ecb_abort ++ jnz .L006ecb_abort + testl $15,%ecx +- jnz .L004ecb_abort +- leal .Lpadlock_saved_context-.L005ecb_pic_point,%eax ++ jnz .L006ecb_abort ++ leal .Lpadlock_saved_context-.L007ecb_pic_point,%eax + pushfl + cld + call _padlock_verify_ctx +-.L005ecb_pic_point: ++.L007ecb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz 
.L006ecb_aligned ++ jnz .L008ecb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz .L006ecb_aligned ++ jnz .L008ecb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -213,7 +228,7 @@ padlock_ecb_encrypt: + andl $-16,%esp + movl %eax,16(%ebp) + cmpl %ebx,%ecx +- ja .L007ecb_loop ++ ja .L009ecb_loop + movl %esi,%eax + cmpl %esp,%ebp + cmovel %edi,%eax +@@ -224,10 +239,10 @@ padlock_ecb_encrypt: + movl $-128,%eax + cmovael %ebx,%eax + andl %eax,%ebx +- jz .L008ecb_unaligned_tail +- jmp .L007ecb_loop ++ jz .L010ecb_unaligned_tail ++ jmp .L009ecb_loop + .align 16 +-.L007ecb_loop: ++.L009ecb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -236,13 +251,13 @@ padlock_ecb_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L009ecb_inp_aligned ++ jz .L011ecb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-.L009ecb_inp_aligned: ++.L011ecb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -250,23 +265,23 @@ padlock_ecb_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L010ecb_out_aligned ++ jz .L012ecb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L010ecb_out_aligned: ++.L012ecb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jz .L011ecb_break ++ jz .L013ecb_break + cmpl %ebx,%ecx +- jae .L007ecb_loop +-.L008ecb_unaligned_tail: ++ jae .L009ecb_loop ++.L010ecb_unaligned_tail: + xorl %eax,%eax + cmpl %ebp,%esp + cmovel %ecx,%eax +@@ -279,24 +294,24 @@ padlock_ecb_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L007ecb_loop ++ jmp .L009ecb_loop + .align 16 +-.L011ecb_break: ++.L013ecb_break: + cmpl %ebp,%esp +- je .L012ecb_done ++ je .L014ecb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L013ecb_bzero: ++.L015ecb_bzero: + movaps %xmm0,(%eax) + leal 
16(%eax),%eax + cmpl %eax,%ebp +- ja .L013ecb_bzero +-.L012ecb_done: ++ ja .L015ecb_bzero ++.L014ecb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L014ecb_exit ++ jmp .L016ecb_exit + .align 16 +-.L006ecb_aligned: ++.L008ecb_aligned: + leal (%esi,%ecx,1),%ebp + negl %ebp + andl $4095,%ebp +@@ -306,14 +321,14 @@ padlock_ecb_encrypt: + cmovael %eax,%ebp + andl %ecx,%ebp + subl %ebp,%ecx +- jz .L015ecb_aligned_tail ++ jz .L017ecb_aligned_tail + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,200 + testl %ebp,%ebp +- jz .L014ecb_exit +-.L015ecb_aligned_tail: ++ jz .L016ecb_exit ++.L017ecb_aligned_tail: + movl %ebp,%ecx + leal -24(%esp),%ebp + movl %ebp,%esp +@@ -330,11 +345,11 @@ padlock_ecb_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L007ecb_loop +-.L014ecb_exit: ++ jmp .L009ecb_loop ++.L016ecb_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L004ecb_abort: ++.L006ecb_abort: + popl %edi + popl %esi + popl %ebx +@@ -346,6 +361,7 @@ padlock_ecb_encrypt: + .align 16 + padlock_cbc_encrypt: + .L_padlock_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -355,25 +371,25 @@ padlock_cbc_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L016cbc_abort ++ jnz .L018cbc_abort + testl $15,%ecx +- jnz .L016cbc_abort +- leal .Lpadlock_saved_context-.L017cbc_pic_point,%eax ++ jnz .L018cbc_abort ++ leal .Lpadlock_saved_context-.L019cbc_pic_point,%eax + pushfl + cld + call _padlock_verify_ctx +-.L017cbc_pic_point: ++.L019cbc_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz .L018cbc_aligned ++ jnz .L020cbc_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz .L018cbc_aligned ++ jnz .L020cbc_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -392,7 +408,7 @@ padlock_cbc_encrypt: + andl $-16,%esp + movl %eax,16(%ebp) + cmpl %ebx,%ecx +- ja .L019cbc_loop ++ ja .L021cbc_loop + movl %esi,%eax + cmpl 
%esp,%ebp + cmovel %edi,%eax +@@ -403,10 +419,10 @@ padlock_cbc_encrypt: + movl $-64,%eax + cmovael %ebx,%eax + andl %eax,%ebx +- jz .L020cbc_unaligned_tail +- jmp .L019cbc_loop ++ jz .L022cbc_unaligned_tail ++ jmp .L021cbc_loop + .align 16 +-.L019cbc_loop: ++.L021cbc_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -415,13 +431,13 @@ padlock_cbc_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L021cbc_inp_aligned ++ jz .L023cbc_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-.L021cbc_inp_aligned: ++.L023cbc_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -431,23 +447,23 @@ padlock_cbc_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L022cbc_out_aligned ++ jz .L024cbc_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L022cbc_out_aligned: ++.L024cbc_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jz .L023cbc_break ++ jz .L025cbc_break + cmpl %ebx,%ecx +- jae .L019cbc_loop +-.L020cbc_unaligned_tail: ++ jae .L021cbc_loop ++.L022cbc_unaligned_tail: + xorl %eax,%eax + cmpl %ebp,%esp + cmovel %ecx,%eax +@@ -460,24 +476,24 @@ padlock_cbc_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L019cbc_loop ++ jmp .L021cbc_loop + .align 16 +-.L023cbc_break: ++.L025cbc_break: + cmpl %ebp,%esp +- je .L024cbc_done ++ je .L026cbc_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L025cbc_bzero: ++.L027cbc_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L025cbc_bzero +-.L024cbc_done: ++ ja .L027cbc_bzero ++.L026cbc_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L026cbc_exit ++ jmp .L028cbc_exit + .align 16 +-.L018cbc_aligned: ++.L020cbc_aligned: + leal (%esi,%ecx,1),%ebp + negl %ebp + andl $4095,%ebp +@@ -487,7 +503,7 @@ padlock_cbc_encrypt: + cmovael %eax,%ebp + andl %ecx,%ebp 
+ subl %ebp,%ecx +- jz .L027cbc_aligned_tail ++ jz .L029cbc_aligned_tail + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -495,8 +511,8 @@ padlock_cbc_encrypt: + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) + testl %ebp,%ebp +- jz .L026cbc_exit +-.L027cbc_aligned_tail: ++ jz .L028cbc_exit ++.L029cbc_aligned_tail: + movl %ebp,%ecx + leal -24(%esp),%ebp + movl %ebp,%esp +@@ -513,11 +529,11 @@ padlock_cbc_encrypt: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp .L019cbc_loop +-.L026cbc_exit: ++ jmp .L021cbc_loop ++.L028cbc_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L016cbc_abort: ++.L018cbc_abort: + popl %edi + popl %esi + popl %ebx +@@ -529,6 +545,7 @@ padlock_cbc_encrypt: + .align 16 + padlock_cfb_encrypt: + .L_padlock_cfb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -538,25 +555,25 @@ padlock_cfb_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L028cfb_abort ++ jnz .L030cfb_abort + testl $15,%ecx +- jnz .L028cfb_abort +- leal .Lpadlock_saved_context-.L029cfb_pic_point,%eax ++ jnz .L030cfb_abort ++ leal .Lpadlock_saved_context-.L031cfb_pic_point,%eax + pushfl + cld + call _padlock_verify_ctx +-.L029cfb_pic_point: ++.L031cfb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz .L030cfb_aligned ++ jnz .L032cfb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz .L030cfb_aligned ++ jnz .L032cfb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -574,9 +591,9 @@ padlock_cfb_encrypt: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp .L031cfb_loop ++ jmp .L033cfb_loop + .align 16 +-.L031cfb_loop: ++.L033cfb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -585,13 +602,13 @@ padlock_cfb_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L032cfb_inp_aligned ++ jz .L034cfb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl 
%edi,%esi +-.L032cfb_inp_aligned: ++.L034cfb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -601,45 +618,45 @@ padlock_cfb_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L033cfb_out_aligned ++ jz .L035cfb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L033cfb_out_aligned: ++.L035cfb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz .L031cfb_loop ++ jnz .L033cfb_loop + cmpl %ebp,%esp +- je .L034cfb_done ++ je .L036cfb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L035cfb_bzero: ++.L037cfb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L035cfb_bzero +-.L034cfb_done: ++ ja .L037cfb_bzero ++.L036cfb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L036cfb_exit ++ jmp .L038cfb_exit + .align 16 +-.L030cfb_aligned: ++.L032cfb_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,224 + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) +-.L036cfb_exit: ++.L038cfb_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L028cfb_abort: ++.L030cfb_abort: + popl %edi + popl %esi + popl %ebx +@@ -651,6 +668,7 @@ padlock_cfb_encrypt: + .align 16 + padlock_ofb_encrypt: + .L_padlock_ofb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -660,25 +678,25 @@ padlock_ofb_encrypt: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L037ofb_abort ++ jnz .L039ofb_abort + testl $15,%ecx +- jnz .L037ofb_abort +- leal .Lpadlock_saved_context-.L038ofb_pic_point,%eax ++ jnz .L039ofb_abort ++ leal .Lpadlock_saved_context-.L040ofb_pic_point,%eax + pushfl + cld + call _padlock_verify_ctx +-.L038ofb_pic_point: ++.L040ofb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz .L039ofb_aligned ++ jnz .L041ofb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- 
jnz .L039ofb_aligned ++ jnz .L041ofb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -696,9 +714,9 @@ padlock_ofb_encrypt: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp .L040ofb_loop ++ jmp .L042ofb_loop + .align 16 +-.L040ofb_loop: ++.L042ofb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -707,13 +725,13 @@ padlock_ofb_encrypt: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz .L041ofb_inp_aligned ++ jz .L043ofb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-.L041ofb_inp_aligned: ++.L043ofb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -723,45 +741,45 @@ padlock_ofb_encrypt: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz .L042ofb_out_aligned ++ jz .L044ofb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-.L042ofb_out_aligned: ++.L044ofb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz .L040ofb_loop ++ jnz .L042ofb_loop + cmpl %ebp,%esp +- je .L043ofb_done ++ je .L045ofb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L044ofb_bzero: ++.L046ofb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L044ofb_bzero +-.L043ofb_done: ++ ja .L046ofb_bzero ++.L045ofb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp .L045ofb_exit ++ jmp .L047ofb_exit + .align 16 +-.L039ofb_aligned: ++.L041ofb_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,232 + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) +-.L045ofb_exit: ++.L047ofb_exit: + movl $1,%eax + leal 4(%esp),%esp +-.L037ofb_abort: ++.L039ofb_abort: + popl %edi + popl %esi + popl %ebx +@@ -773,6 +791,7 @@ padlock_ofb_encrypt: + .align 16 + padlock_ctr32_encrypt: + .L_padlock_ctr32_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -782,14 +801,14 @@ padlock_ctr32_encrypt: 
+ movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz .L046ctr32_abort ++ jnz .L048ctr32_abort + testl $15,%ecx +- jnz .L046ctr32_abort +- leal .Lpadlock_saved_context-.L047ctr32_pic_point,%eax ++ jnz .L048ctr32_abort ++ leal .Lpadlock_saved_context-.L049ctr32_pic_point,%eax + pushfl + cld + call _padlock_verify_ctx +-.L047ctr32_pic_point: ++.L049ctr32_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + movq -16(%edx),%mm0 +@@ -809,9 +828,9 @@ padlock_ctr32_encrypt: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp .L048ctr32_loop ++ jmp .L050ctr32_loop + .align 16 +-.L048ctr32_loop: ++.L050ctr32_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -820,7 +839,7 @@ padlock_ctr32_encrypt: + movl -4(%edx),%ecx + xorl %edi,%edi + movl -8(%edx),%eax +-.L049ctr32_prepare: ++.L051ctr32_prepare: + movl %ecx,12(%esp,%edi,1) + bswap %ecx + movq %mm0,(%esp,%edi,1) +@@ -829,7 +848,7 @@ padlock_ctr32_encrypt: + bswap %ecx + leal 16(%edi),%edi + cmpl %ebx,%edi +- jb .L049ctr32_prepare ++ jb .L051ctr32_prepare + movl %ecx,-4(%edx) + leal (%esp),%esi + leal (%esp),%edi +@@ -842,33 +861,33 @@ padlock_ctr32_encrypt: + movl 12(%ebp),%ebx + movl 4(%ebp),%esi + xorl %ecx,%ecx +-.L050ctr32_xor: ++.L052ctr32_xor: + movups (%esi,%ecx,1),%xmm1 + leal 16(%ecx),%ecx + pxor -16(%esp,%ecx,1),%xmm1 + movups %xmm1,-16(%edi,%ecx,1) + cmpl %ebx,%ecx +- jb .L050ctr32_xor ++ jb .L052ctr32_xor + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz .L048ctr32_loop ++ jnz .L050ctr32_loop + pxor %xmm0,%xmm0 + leal (%esp),%eax +-.L051ctr32_bzero: ++.L053ctr32_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja .L051ctr32_bzero +-.L052ctr32_done: ++ ja .L053ctr32_bzero ++.L054ctr32_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp + movl $1,%eax + leal 4(%esp),%esp + emms +-.L046ctr32_abort: ++.L048ctr32_abort: + popl %edi + popl %esi + popl %ebx +@@ -880,6 +899,7 @@ padlock_ctr32_encrypt: + .align 16 + 
padlock_xstore: + .L_padlock_xstore_begin: ++.byte 243,15,30,251 + pushl %edi + movl 8(%esp),%edi + movl 12(%esp),%edx +@@ -890,14 +910,15 @@ padlock_xstore: + .type _win32_segv_handler,@function + .align 16 + _win32_segv_handler: ++.byte 243,15,30,251 + movl $1,%eax + movl 4(%esp),%edx + movl 12(%esp),%ecx + cmpl $3221225477,(%edx) +- jne .L053ret ++ jne .L055ret + addl $4,184(%ecx) + movl $0,%eax +-.L053ret: ++.L055ret: + ret + .size _win32_segv_handler,.-_win32_segv_handler + .globl padlock_sha1_oneshot +@@ -905,6 +926,7 @@ _win32_segv_handler: + .align 16 + padlock_sha1_oneshot: + .L_padlock_sha1_oneshot_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + xorl %eax,%eax +@@ -936,6 +958,7 @@ padlock_sha1_oneshot: + .align 16 + padlock_sha1_blocks: + .L_padlock_sha1_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +@@ -966,6 +989,7 @@ padlock_sha1_blocks: + .align 16 + padlock_sha256_oneshot: + .L_padlock_sha256_oneshot_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + xorl %eax,%eax +@@ -997,6 +1021,7 @@ padlock_sha256_oneshot: + .align 16 + padlock_sha256_blocks: + .L_padlock_sha256_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +@@ -1027,6 +1052,7 @@ padlock_sha256_blocks: + .align 16 + padlock_sha512_blocks: + .L_padlock_sha512_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +@@ -1069,7 +1095,21 @@ padlock_sha512_blocks: + .Lpadlock_saved_context: + .long 0 + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: + + .section .note.GNU-stack,"",%progbits +- +- +diff --git a/lib/accelerated/x86/elf/e_padlock-x86_64.s b/lib/accelerated/x86/elf/e_padlock-x86_64.s +index c161f0a73..f92da756c 100644 +--- a/lib/accelerated/x86/elf/e_padlock-x86_64.s ++++ 
b/lib/accelerated/x86/elf/e_padlock-x86_64.s +@@ -1,4 +1,4 @@ +-# Copyright (c) 2011-2013, Andy Polyakov ++# Copyright (c) 2011-2016, Andy Polyakov + # All rights reserved. + # + # Redistribution and use in source and binary forms, with or without +@@ -42,36 +42,50 @@ + .type padlock_capability,@function + .align 16 + padlock_capability: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rbx,%r8 + xorl %eax,%eax + cpuid + xorl %eax,%eax +- cmpl $1953391939,%ebx ++ cmpl $0x746e6543,%ebx ++ jne .Lzhaoxin ++ cmpl $0x48727561,%edx + jne .Lnoluck +- cmpl $1215460705,%edx ++ cmpl $0x736c7561,%ecx + jne .Lnoluck +- cmpl $1936487777,%ecx ++ jmp .LzhaoxinEnd ++.Lzhaoxin: ++ cmpl $0x68532020,%ebx + jne .Lnoluck +- movl $3221225472,%eax ++ cmpl $0x68676e61,%edx ++ jne .Lnoluck ++ cmpl $0x20206961,%ecx ++ jne .Lnoluck ++.LzhaoxinEnd: ++ movl $0xC0000000,%eax + cpuid + movl %eax,%edx + xorl %eax,%eax +- cmpl $3221225473,%edx ++ cmpl $0xC0000001,%edx + jb .Lnoluck +- movl $3221225473,%eax ++ movl $0xC0000001,%eax + cpuid + movl %edx,%eax +- andl $4294967279,%eax +- orl $16,%eax ++ andl $0xffffffef,%eax ++ orl $0x10,%eax + .Lnoluck: + movq %r8,%rbx + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_capability,.-padlock_capability + + .globl padlock_key_bswap + .type padlock_key_bswap,@function + .align 16 + padlock_key_bswap: ++.cfi_startproc ++.byte 243,15,30,250 + movl 240(%rdi),%edx + .Lbswap_loop: + movl (%rdi),%eax +@@ -81,23 +95,29 @@ padlock_key_bswap: + subl $1,%edx + jnz .Lbswap_loop + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_key_bswap,.-padlock_key_bswap + + .globl padlock_verify_context + .type padlock_verify_context,@function + .align 16 + padlock_verify_context: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rdi,%rdx + pushf + leaq .Lpadlock_saved_context(%rip),%rax + call _padlock_verify_ctx + leaq 8(%rsp),%rsp + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_verify_context,.-padlock_verify_context + + .type _padlock_verify_ctx,@function + .align 16 + 
_padlock_verify_ctx: ++.cfi_startproc ++.byte 243,15,30,250 + movq 8(%rsp),%r8 + btq $30,%r8 + jnc .Lverified +@@ -108,43 +128,55 @@ _padlock_verify_ctx: + .Lverified: + movq %rdx,(%rax) + .byte 0xf3,0xc3 ++.cfi_endproc + .size _padlock_verify_ctx,.-_padlock_verify_ctx + + .globl padlock_reload_key + .type padlock_reload_key,@function + .align 16 + padlock_reload_key: ++.cfi_startproc ++.byte 243,15,30,250 + pushf + popf + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_reload_key,.-padlock_reload_key + + .globl padlock_aes_block + .type padlock_aes_block,@function + .align 16 + padlock_aes_block: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rbx,%r8 + movq $1,%rcx + leaq 32(%rdx),%rbx + leaq 16(%rdx),%rdx +-.byte 0xf3,0x0f,0xa7,0xc8 ++.byte 0xf3,0x0f,0xa7,0xc8 + movq %r8,%rbx + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_aes_block,.-padlock_aes_block + + .globl padlock_xstore + .type padlock_xstore,@function + .align 16 + padlock_xstore: ++.cfi_startproc ++.byte 243,15,30,250 + movl %esi,%edx +-.byte 0x0f,0xa7,0xc0 ++.byte 0x0f,0xa7,0xc0 + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_xstore,.-padlock_xstore + + .globl padlock_sha1_oneshot + .type padlock_sha1_oneshot,@function + .align 16 + padlock_sha1_oneshot: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -154,19 +186,22 @@ padlock_sha1_oneshot: + movq %rsp,%rdi + movl %eax,16(%rsp) + xorq %rax,%rax +-.byte 0xf3,0x0f,0xa6,0xc8 ++.byte 0xf3,0x0f,0xa6,0xc8 + movaps (%rsp),%xmm0 + movl 16(%rsp),%eax + addq $128+8,%rsp + movups %xmm0,(%rdx) + movl %eax,16(%rdx) + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_sha1_oneshot,.-padlock_sha1_oneshot + + .globl padlock_sha1_blocks + .type padlock_sha1_blocks,@function + .align 16 + padlock_sha1_blocks: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -176,19 +211,22 @@ padlock_sha1_blocks: + movq %rsp,%rdi + movl %eax,16(%rsp) + movq $-1,%rax +-.byte 
0xf3,0x0f,0xa6,0xc8 ++.byte 0xf3,0x0f,0xa6,0xc8 + movaps (%rsp),%xmm0 + movl 16(%rsp),%eax + addq $128+8,%rsp + movups %xmm0,(%rdx) + movl %eax,16(%rdx) + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_sha1_blocks,.-padlock_sha1_blocks + + .globl padlock_sha256_oneshot + .type padlock_sha256_oneshot,@function + .align 16 + padlock_sha256_oneshot: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -198,19 +236,22 @@ padlock_sha256_oneshot: + movq %rsp,%rdi + movaps %xmm1,16(%rsp) + xorq %rax,%rax +-.byte 0xf3,0x0f,0xa6,0xd0 ++.byte 0xf3,0x0f,0xa6,0xd0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + addq $128+8,%rsp + movups %xmm0,(%rdx) + movups %xmm1,16(%rdx) + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_sha256_oneshot,.-padlock_sha256_oneshot + + .globl padlock_sha256_blocks + .type padlock_sha256_blocks,@function + .align 16 + padlock_sha256_blocks: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -220,19 +261,22 @@ padlock_sha256_blocks: + movq %rsp,%rdi + movaps %xmm1,16(%rsp) + movq $-1,%rax +-.byte 0xf3,0x0f,0xa6,0xd0 ++.byte 0xf3,0x0f,0xa6,0xd0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + addq $128+8,%rsp + movups %xmm0,(%rdx) + movups %xmm1,16(%rdx) + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_sha256_blocks,.-padlock_sha256_blocks + + .globl padlock_sha512_blocks + .type padlock_sha512_blocks,@function + .align 16 + padlock_sha512_blocks: ++.cfi_startproc ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -245,7 +289,7 @@ padlock_sha512_blocks: + movaps %xmm1,16(%rsp) + movaps %xmm2,32(%rsp) + movaps %xmm3,48(%rsp) +-.byte 0xf3,0x0f,0xa6,0xe0 ++.byte 0xf3,0x0f,0xa6,0xe0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + movaps 32(%rsp),%xmm2 +@@ -256,11 +300,14 @@ padlock_sha512_blocks: + movups %xmm2,32(%rdx) + movups %xmm3,48(%rdx) + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_sha512_blocks,.-padlock_sha512_blocks + 
.globl padlock_ecb_encrypt + .type padlock_ecb_encrypt,@function + .align 16 + padlock_ecb_encrypt: ++.cfi_startproc ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -278,9 +325,9 @@ padlock_ecb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lecb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lecb_aligned +@@ -304,7 +351,7 @@ padlock_ecb_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $128,%rax + movq $-128,%rax + cmovaeq %rbx,%rax +@@ -320,12 +367,12 @@ padlock_ecb_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lecb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -333,15 +380,15 @@ padlock_ecb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,200 ++.byte 0xf3,0x0f,0xa7,200 + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lecb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lecb_out_aligned: + movq %r9,%rsi +@@ -362,7 +409,7 @@ padlock_ecb_encrypt: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -388,7 +435,7 @@ padlock_ecb_encrypt: + .Lecb_aligned: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $128,%rbp + movq $128-1,%rbp +@@ -399,7 +446,7 @@ padlock_ecb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,200 ++.byte 0xf3,0x0f,0xa7,200 + testq %rbp,%rbp + jz .Lecb_exit + +@@ -411,7 +458,7 @@ padlock_ecb_encrypt: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 
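Review bot: `padlock_ecb_encrypt` gains `.cfi_startproc`/`.cfi_endproc` in this hunk, but the `pushq %rbp` and `pushq %rbx` that follow the endbr64 have no `.cfi_adjust_cfa_offset`/`.cfi_offset` annotations, so an unwinder stopping inside the body will compute a wrong CFA; the same pattern appears for padlock_cbc_encrypt, padlock_cfb_encrypt, padlock_ofb_encrypt and padlock_ctr32_encrypt in the following hunks. This is inconsistent with ghash-x86_64.s in the same patch, where `pushq %rbx` is immediately followed by `.cfi_adjust_cfa_offset 8` and `.cfi_offset %rbx,-16`. The function body continues past the end of this hunk, so adjustments may exist further down, but the prologue pushes themselves are visibly unannotated. Since the file is generated, the fix belongs in the perlasm source that emits these prologues, either adding the adjust/offset directives after each push or omitting the CFI pair so consumers do not treat the frame information as trustworthy.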
++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -423,11 +470,14 @@ padlock_ecb_encrypt: + popq %rbx + popq %rbp + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_ecb_encrypt,.-padlock_ecb_encrypt + .globl padlock_cbc_encrypt + .type padlock_cbc_encrypt,@function + .align 16 + padlock_cbc_encrypt: ++.cfi_startproc ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -445,9 +495,9 @@ padlock_cbc_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lcbc_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lcbc_aligned +@@ -471,7 +521,7 @@ padlock_cbc_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $64,%rax + movq $-64,%rax + cmovaeq %rbx,%rax +@@ -487,12 +537,12 @@ padlock_cbc_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lcbc_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -500,17 +550,17 @@ padlock_cbc_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,208 ++.byte 0xf3,0x0f,0xa7,208 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lcbc_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lcbc_out_aligned: + movq %r9,%rsi +@@ -531,7 +581,7 @@ padlock_cbc_encrypt: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -557,7 +607,7 @@ padlock_cbc_encrypt: + .Lcbc_aligned: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $64,%rbp + movq $64-1,%rbp +@@ -568,7 +618,7 @@ 
padlock_cbc_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,208 ++.byte 0xf3,0x0f,0xa7,208 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + testq %rbp,%rbp +@@ -582,7 +632,7 @@ padlock_cbc_encrypt: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -594,11 +644,14 @@ padlock_cbc_encrypt: + popq %rbx + popq %rbp + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_cbc_encrypt,.-padlock_cbc_encrypt + .globl padlock_cfb_encrypt + .type padlock_cfb_encrypt,@function + .align 16 + padlock_cfb_encrypt: ++.cfi_startproc ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -616,9 +669,9 @@ padlock_cfb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lcfb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lcfb_aligned +@@ -645,12 +698,12 @@ padlock_cfb_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lcfb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -658,17 +711,17 @@ padlock_cfb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,224 ++.byte 0xf3,0x0f,0xa7,224 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lcfb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lcfb_out_aligned: + movq %r9,%rsi +@@ -698,7 +751,7 @@ padlock_cfb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,224 ++.byte 0xf3,0x0f,0xa7,224 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + .Lcfb_exit: +@@ -708,11 +761,14 @@ padlock_cfb_encrypt: + popq %rbx + popq 
%rbp + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_cfb_encrypt,.-padlock_cfb_encrypt + .globl padlock_ofb_encrypt + .type padlock_ofb_encrypt,@function + .align 16 + padlock_ofb_encrypt: ++.cfi_startproc ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -730,9 +786,9 @@ padlock_ofb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lofb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz .Lofb_aligned +@@ -759,12 +815,12 @@ padlock_ofb_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lofb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -772,17 +828,17 @@ padlock_ofb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,232 ++.byte 0xf3,0x0f,0xa7,232 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lofb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lofb_out_aligned: + movq %r9,%rsi +@@ -812,7 +868,7 @@ padlock_ofb_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,232 ++.byte 0xf3,0x0f,0xa7,232 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + .Lofb_exit: +@@ -822,11 +878,14 @@ padlock_ofb_encrypt: + popq %rbx + popq %rbp + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_ofb_encrypt,.-padlock_ofb_encrypt + .globl padlock_ctr32_encrypt + .type padlock_ctr32_encrypt,@function + .align 16 + padlock_ctr32_encrypt: ++.cfi_startproc ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -844,9 +903,9 @@ padlock_ctr32_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz .Lctr32_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + 
setz %bl + testl %ebx,%eax + jnz .Lctr32_aligned +@@ -881,7 +940,7 @@ padlock_ctr32_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $32,%rax + movq $-32,%rax + cmovaeq %rbx,%rax +@@ -897,12 +956,12 @@ padlock_ctr32_encrypt: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz .Lctr32_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -910,23 +969,23 @@ padlock_ctr32_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + movl -4(%rdx),%eax +- testl $4294901760,%eax ++ testl $0xffff0000,%eax + jnz .Lctr32_no_carry + bswapl %eax +- addl $65536,%eax ++ addl $0x10000,%eax + bswapl %eax + movl %eax,-4(%rdx) + .Lctr32_no_carry: + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz .Lctr32_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + .Lctr32_out_aligned: + movq %r9,%rsi +@@ -944,7 +1003,7 @@ padlock_ctr32_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $32,%rax + movq $-32,%rax + cmovaeq %rbx,%rax +@@ -959,7 +1018,7 @@ padlock_ctr32_encrypt: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -986,7 +1045,7 @@ padlock_ctr32_encrypt: + movl -4(%rdx),%eax + bswapl %eax + negl %eax +- andl $65535,%eax ++ andl $0xffff,%eax + movq $1048576,%rbx + shll $4,%eax + cmovzq %rbx,%rax +@@ -1003,11 +1062,11 @@ padlock_ctr32_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + + movl -4(%rdx),%eax + bswapl %eax +- addl $65536,%eax ++ addl $0x10000,%eax + bswapl %eax + 
movl %eax,-4(%rdx) + +@@ -1021,7 +1080,7 @@ padlock_ctr32_encrypt: + .Lctr32_aligned_skip: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $32,%rbp + movq $32-1,%rbp +@@ -1032,7 +1091,7 @@ padlock_ctr32_encrypt: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + testq %rbp,%rbp + jz .Lctr32_exit + +@@ -1044,7 +1103,7 @@ padlock_ctr32_encrypt: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -1056,6 +1115,7 @@ padlock_ctr32_encrypt: + popq %rbx + popq %rbp + .byte 0xf3,0xc3 ++.cfi_endproc + .size padlock_ctr32_encrypt,.-padlock_ctr32_encrypt + .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,95,54,52,32,109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 16 +@@ -1063,8 +1123,26 @@ padlock_ctr32_encrypt: + .align 8 + .Lpadlock_saved_context: + .quad 0 +- ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. 
++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +- +- +diff --git a/lib/accelerated/x86/elf/ghash-x86_64.s b/lib/accelerated/x86/elf/ghash-x86_64.s +index 1e4d18b34..8da3f294c 100644 +--- a/lib/accelerated/x86/elf/ghash-x86_64.s ++++ b/lib/accelerated/x86/elf/ghash-x86_64.s +@@ -45,6 +45,7 @@ + .align 16 + gcm_gmult_4bit: + .cfi_startproc ++.byte 243,15,30,250 + pushq %rbx + .cfi_adjust_cfa_offset 8 + .cfi_offset %rbx,-16 +@@ -156,6 +157,7 @@ gcm_gmult_4bit: + .align 16 + gcm_ghash_4bit: + .cfi_startproc ++.byte 243,15,30,250 + pushq %rbx + .cfi_adjust_cfa_offset 8 + .cfi_offset %rbx,-16 +@@ -903,6 +905,7 @@ gcm_init_clmul: + .align 16 + gcm_gmult_clmul: + .cfi_startproc ++.byte 243,15,30,250 + .L_gmult_clmul: + movdqu (%rdi),%xmm0 + movdqa .Lbswap_mask(%rip),%xmm5 +@@ -956,6 +959,7 @@ gcm_gmult_clmul: + .align 32 + gcm_ghash_clmul: + .cfi_startproc ++.byte 243,15,30,250 + .L_ghash_clmul: + movdqa .Lbswap_mask(%rip),%xmm10 + +@@ -1450,6 +1454,7 @@ gcm_init_avx: + .align 32 + gcm_gmult_avx: + .cfi_startproc ++.byte 243,15,30,250 + jmp .L_gmult_clmul + .cfi_endproc + .size gcm_gmult_avx,.-gcm_gmult_avx +@@ -1458,6 +1463,7 @@ gcm_gmult_avx: + .align 32 + gcm_ghash_avx: + .cfi_startproc ++.byte 243,15,30,250 + vzeroupper + + vmovdqu (%rdi),%xmm10 +@@ -1884,5 +1890,26 @@ gcm_ghash_avx: + + .byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 64 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. 
++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86.s b/lib/accelerated/x86/elf/sha1-ssse3-x86.s +index 8bfbcb6b3..57b6ba58f 100644 +--- a/lib/accelerated/x86/elf/sha1-ssse3-x86.s ++++ b/lib/accelerated/x86/elf/sha1-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + sha1_block_data_order: + .L_sha1_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1417,4 +1418,21 @@ sha1_block_data_order: + .byte 89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112 + .byte 114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s +index 1e6546e11..54095050c 100644 +--- a/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s ++++ b/lib/accelerated/x86/elf/sha1-ssse3-x86_64.s +@@ -1460,8 +1460,8 @@ _shaext_shortcut: + pshufd $27,%xmm1,%xmm1 + movdqu %xmm0,(%rdi) + movd %xmm1,16(%rdi) +-.cfi_endproc + .byte 0xf3,0xc3 ++.cfi_endproc + .size sha1_block_data_order_shaext,.-sha1_block_data_order_shaext + .type sha1_block_data_order_ssse3,@function + .align 16 +@@ -5487,5 +5487,26 @@ K_XX_XX: + .byte 0xf,0xe,0xd,0xc,0xb,0xa,0x9,0x8,0x7,0x6,0x5,0x4,0x3,0x2,0x1,0x0 + .byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .align 64 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" 
encoded with .byte, since .asciz isn't supported ++ # on Solaris. ++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86.s b/lib/accelerated/x86/elf/sha256-ssse3-x86.s +index 8d9aaa4a8..6d16b9140 100644 +--- a/lib/accelerated/x86/elf/sha256-ssse3-x86.s ++++ b/lib/accelerated/x86/elf/sha256-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + sha256_block_data_order: + .L_sha256_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -3384,4 +3385,21 @@ sha256_block_data_order: + ret + .size sha256_block_data_order,.-.L_sha256_block_data_order_begin + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s +index 4b08e0c85..1514ee45c 100644 +--- a/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s ++++ b/lib/accelerated/x86/elf/sha256-ssse3-x86_64.s +@@ -1814,6 +1814,7 @@ K256: + .align 64 + sha256_block_data_order_shaext: + _shaext_shortcut: ++.cfi_startproc + leaq K256+128(%rip),%rcx + movdqu (%rdi),%xmm1 + movdqu 16(%rdi),%xmm2 +@@ -2016,6 +2017,7 @@ _shaext_shortcut: + movdqu %xmm1,(%rdi) + movdqu %xmm2,16(%rdi) + .byte 0xf3,0xc3 ++.cfi_endproc + .size sha256_block_data_order_shaext,.-sha256_block_data_order_shaext + .type sha256_block_data_order_ssse3,@function + .align 64 +@@ -4277,7 +4279,15 @@ sha256_block_data_order_avx2: + vmovdqa %ymm4,0(%rsp) + xorl %r14d,%r14d + vmovdqa %ymm5,32(%rsp) ++ ++ movq 88(%rsp),%rdi ++.cfi_def_cfa %rdi,8 + leaq -64(%rsp),%rsp ++ ++ ++ ++ movq %rdi,-8(%rsp) ++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08 + movl 
%ebx,%edi + vmovdqa %ymm6,0(%rsp) + xorl %ecx,%edi +@@ -4289,6 +4299,12 @@ sha256_block_data_order_avx2: + .align 16 + .Lavx2_00_47: + leaq -64(%rsp),%rsp ++.cfi_escape 0x0f,0x05,0x77,0x38,0x06,0x23,0x08 ++ ++ pushq 64-8(%rsp) ++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08 ++ leaq 8(%rsp),%rsp ++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08 + vpalignr $4,%ymm0,%ymm1,%ymm4 + addl 0+128(%rsp),%r11d + andl %r8d,%r12d +@@ -4544,6 +4560,12 @@ sha256_block_data_order_avx2: + movl %r9d,%r12d + vmovdqa %ymm6,32(%rsp) + leaq -64(%rsp),%rsp ++.cfi_escape 0x0f,0x05,0x77,0x38,0x06,0x23,0x08 ++ ++ pushq 64-8(%rsp) ++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08 ++ leaq 8(%rsp),%rsp ++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08 + vpalignr $4,%ymm2,%ymm3,%ymm4 + addl 0+128(%rsp),%r11d + andl %r8d,%r12d +@@ -5419,6 +5441,8 @@ sha256_block_data_order_avx2: + + leaq 448(%rsp),%rsp + ++.cfi_escape 0x0f,0x06,0x77,0xd8,0x00,0x06,0x23,0x08 ++ + addl 0(%rdi),%eax + addl 4(%rdi),%ebx + addl 8(%rdi),%ecx +@@ -5444,9 +5468,11 @@ sha256_block_data_order_avx2: + jbe .Loop_avx2 + leaq (%rsp),%rbp + ++ ++.cfi_escape 0x0f,0x06,0x76,0xd8,0x00,0x06,0x23,0x08 ++ + .Ldone_avx2: +- leaq (%rbp),%rsp +- movq 88(%rsp),%rsi ++ movq 88(%rbp),%rsi + .cfi_def_cfa %rsi,8 + vzeroupper + movq -48(%rsi),%r15 +@@ -5467,5 +5493,26 @@ sha256_block_data_order_avx2: + .byte 0xf3,0xc3 + .cfi_endproc + .size sha256_block_data_order_avx2,.-sha256_block_data_order_avx2 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. 
++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86.s b/lib/accelerated/x86/elf/sha512-ssse3-x86.s +index 481c77715..afca4eae7 100644 +--- a/lib/accelerated/x86/elf/sha512-ssse3-x86.s ++++ b/lib/accelerated/x86/elf/sha512-ssse3-x86.s +@@ -43,6 +43,7 @@ + .align 16 + sha512_block_data_order: + .L_sha512_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -602,4 +603,21 @@ sha512_block_data_order: + .byte 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 + .byte 62,0 + ++ .section ".note.gnu.property", "a" ++ .p2align 2 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ .asciz "GNU" ++1: ++ .p2align 2 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 2 ++4: ++ + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s +index e384d7e9e..a7be2cd44 100644 +--- a/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s ++++ b/lib/accelerated/x86/elf/sha512-ssse3-x86_64.s +@@ -4204,7 +4204,15 @@ sha512_block_data_order_avx2: + vmovdqa %ymm10,64(%rsp) + vpaddq 64(%rbp),%ymm6,%ymm10 + vmovdqa %ymm11,96(%rsp) ++ ++ movq 152(%rsp),%rdi ++.cfi_def_cfa %rdi,8 + leaq -128(%rsp),%rsp ++ ++ ++ ++ movq %rdi,-8(%rsp) ++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08 + vpaddq 96(%rbp),%ymm7,%ymm11 + vmovdqa %ymm8,0(%rsp) + xorq %r14,%r14 +@@ -4220,6 +4228,12 @@ sha512_block_data_order_avx2: + .align 16 + .Lavx2_00_47: + leaq -128(%rsp),%rsp ++.cfi_escape 0x0f,0x06,0x77,0xf8,0x00,0x06,0x23,0x08 ++ ++ pushq 128-8(%rsp) ++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08 ++ leaq 8(%rsp),%rsp ++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08 + vpalignr $8,%ymm0,%ymm1,%ymm8 + addq 0+256(%rsp),%r11 + andq %r8,%r12 +@@ -4513,6 +4527,12 @@ 
sha512_block_data_order_avx2: + movq %r9,%r12 + vmovdqa %ymm10,96(%rsp) + leaq -128(%rsp),%rsp ++.cfi_escape 0x0f,0x06,0x77,0xf8,0x00,0x06,0x23,0x08 ++ ++ pushq 128-8(%rsp) ++.cfi_escape 0x0f,0x05,0x77,0x00,0x06,0x23,0x08 ++ leaq 8(%rsp),%rsp ++.cfi_escape 0x0f,0x05,0x77,0x78,0x06,0x23,0x08 + vpalignr $8,%ymm4,%ymm5,%ymm8 + addq 0+256(%rsp),%r11 + andq %r8,%r12 +@@ -5426,6 +5446,8 @@ sha512_block_data_order_avx2: + + leaq 1152(%rsp),%rsp + ++.cfi_escape 0x0f,0x06,0x77,0x98,0x01,0x06,0x23,0x08 ++ + addq 0(%rdi),%rax + addq 8(%rdi),%rbx + addq 16(%rdi),%rcx +@@ -5451,9 +5473,11 @@ sha512_block_data_order_avx2: + jbe .Loop_avx2 + leaq (%rsp),%rbp + ++ ++.cfi_escape 0x0f,0x06,0x76,0x98,0x01,0x06,0x23,0x08 ++ + .Ldone_avx2: +- leaq (%rbp),%rsp +- movq 152(%rsp),%rsi ++ movq 152(%rbp),%rsi + .cfi_def_cfa %rsi,8 + vzeroupper + movq -48(%rsi),%r15 +@@ -5474,5 +5498,26 @@ sha512_block_data_order_avx2: + .byte 0xf3,0xc3 + .cfi_endproc + .size sha512_block_data_order_avx2,.-sha512_block_data_order_avx2 ++ .section ".note.gnu.property", "a" ++ .p2align 3 ++ .long 1f - 0f ++ .long 4f - 1f ++ .long 5 ++0: ++ # "GNU" encoded with .byte, since .asciz isn't supported ++ # on Solaris. 
++ .byte 0x47 ++ .byte 0x4e ++ .byte 0x55 ++ .byte 0 ++1: ++ .p2align 3 ++ .long 0xc0000002 ++ .long 3f - 2f ++2: ++ .long 3 ++3: ++ .p2align 3 ++4: + + .section .note.GNU-stack,"",%progbits +diff --git a/lib/accelerated/x86/macosx/aes-ssse3-x86.s b/lib/accelerated/x86/macosx/aes-ssse3-x86.s +index 4be899281..6cc2b0390 100644 +--- a/lib/accelerated/x86/macosx/aes-ssse3-x86.s ++++ b/lib/accelerated/x86/macosx/aes-ssse3-x86.s +@@ -70,12 +70,14 @@ L_vpaes_consts: + .align 6,0x90 + .align 4 + __vpaes_preheat: ++.byte 243,15,30,251 + addl (%esp),%ebp + movdqa -48(%ebp),%xmm7 + movdqa -16(%ebp),%xmm6 + ret + .align 4 + __vpaes_encrypt_core: ++.byte 243,15,30,251 + movl $16,%ecx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 +@@ -151,6 +153,7 @@ L000enc_entry: + ret + .align 4 + __vpaes_decrypt_core: ++.byte 243,15,30,251 + leal 608(%ebp),%ebx + movl 240(%edx),%eax + movdqa %xmm6,%xmm1 +@@ -237,6 +240,7 @@ L002dec_entry: + ret + .align 4 + __vpaes_schedule_core: ++.byte 243,15,30,251 + addl (%esp),%ebp + movdqu (%esi),%xmm0 + movdqa 320(%ebp),%xmm2 +@@ -329,6 +333,7 @@ L013schedule_mangle_last_dec: + ret + .align 4 + __vpaes_schedule_192_smear: ++.byte 243,15,30,251 + pshufd $128,%xmm6,%xmm1 + pshufd $254,%xmm7,%xmm0 + pxor %xmm1,%xmm6 +@@ -339,6 +344,7 @@ __vpaes_schedule_192_smear: + ret + .align 4 + __vpaes_schedule_round: ++.byte 243,15,30,251 + movdqa 8(%esp),%xmm2 + pxor %xmm1,%xmm1 + .byte 102,15,58,15,202,15 +@@ -386,6 +392,7 @@ L_vpaes_schedule_low_round: + ret + .align 4 + __vpaes_schedule_transform: ++.byte 243,15,30,251 + movdqa -16(%ebp),%xmm2 + movdqa %xmm2,%xmm1 + pandn %xmm0,%xmm1 +@@ -399,6 +406,7 @@ __vpaes_schedule_transform: + ret + .align 4 + __vpaes_schedule_mangle: ++.byte 243,15,30,251 + movdqa %xmm0,%xmm4 + movdqa 128(%ebp),%xmm5 + testl %edi,%edi +@@ -458,6 +466,7 @@ L015schedule_mangle_both: + .align 4 + _vpaes_set_encrypt_key: + L_vpaes_set_encrypt_key_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -489,6 +498,7 @@ 
L016pic_point: + .align 4 + _vpaes_set_decrypt_key: + L_vpaes_set_decrypt_key_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -525,6 +535,7 @@ L017pic_point: + .align 4 + _vpaes_encrypt: + L_vpaes_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -552,6 +563,7 @@ L018pic_point: + .align 4 + _vpaes_decrypt: + L_vpaes_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -579,6 +591,7 @@ L019pic_point: + .align 4 + _vpaes_cbc_encrypt: + L_vpaes_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s b/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s +index 3d5c65226..c2e2f2e02 100644 +--- a/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s ++++ b/lib/accelerated/x86/macosx/aes-ssse3-x86_64.s +@@ -635,6 +635,7 @@ L$schedule_mangle_both: + .p2align 4 + _vpaes_set_encrypt_key: + ++.byte 243,15,30,250 + movl %esi,%eax + shrl $5,%eax + addl $5,%eax +@@ -653,6 +654,7 @@ _vpaes_set_encrypt_key: + .p2align 4 + _vpaes_set_decrypt_key: + ++.byte 243,15,30,250 + movl %esi,%eax + shrl $5,%eax + addl $5,%eax +@@ -676,6 +678,7 @@ _vpaes_set_decrypt_key: + .p2align 4 + _vpaes_encrypt: + ++.byte 243,15,30,250 + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_encrypt_core +@@ -689,6 +692,7 @@ _vpaes_encrypt: + .p2align 4 + _vpaes_decrypt: + ++.byte 243,15,30,250 + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_decrypt_core +@@ -701,6 +705,7 @@ _vpaes_decrypt: + .p2align 4 + _vpaes_cbc_encrypt: + ++.byte 243,15,30,250 + xchgq %rcx,%rdx + subq $16,%rcx + jc L$cbc_abort +diff --git a/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s b/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s +index d540930b5..be6d885d8 100644 +--- a/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s ++++ b/lib/accelerated/x86/macosx/aesni-gcm-x86_64.s +@@ -42,6 +42,8 @@ + + .p2align 5 + _aesni_ctr32_ghash_6x: ++ ++.byte 243,15,30,250 + vmovdqu 
32(%r11),%xmm2 + subq $6,%rdx + vpxor %xmm4,%xmm4,%xmm4 +@@ -350,11 +352,13 @@ L$6x_done: + + .byte 0xf3,0xc3 + ++ + .globl _aesni_gcm_decrypt + + .p2align 5 + _aesni_gcm_decrypt: + ++.byte 243,15,30,250 + xorq %r10,%r10 + cmpq $0x60,%rdx + jb L$gcm_dec_abort +@@ -455,6 +459,8 @@ L$gcm_dec_abort: + + .p2align 5 + _aesni_ctr32_6x: ++ ++.byte 243,15,30,250 + vmovdqu 0-128(%rcx),%xmm4 + vmovdqu 32(%r11),%xmm2 + leaq -1(%rbp),%r13 +@@ -543,11 +549,13 @@ L$handle_ctr32_2: + jmp L$oop_ctr32 + + ++ + .globl _aesni_gcm_encrypt + + .p2align 5 + _aesni_gcm_encrypt: + ++.byte 243,15,30,250 + xorq %r10,%r10 + cmpq $288,%rdx + jb L$gcm_enc_abort +diff --git a/lib/accelerated/x86/macosx/aesni-x86.s b/lib/accelerated/x86/macosx/aesni-x86.s +index ee5008914..64e4e52fc 100644 +--- a/lib/accelerated/x86/macosx/aesni-x86.s ++++ b/lib/accelerated/x86/macosx/aesni-x86.s +@@ -42,6 +42,7 @@ + .align 4 + _aesni_encrypt: + L_aesni_encrypt_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 +@@ -67,6 +68,7 @@ L000enc1_loop_1: + .align 4 + _aesni_decrypt: + L_aesni_decrypt_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 12(%esp),%edx + movups (%eax),%xmm2 +@@ -90,6 +92,7 @@ L001dec1_loop_2: + ret + .align 4 + __aesni_encrypt2: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -115,6 +118,7 @@ L002enc2_loop: + ret + .align 4 + __aesni_decrypt2: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -140,6 +144,7 @@ L003dec2_loop: + ret + .align 4 + __aesni_encrypt3: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -170,6 +175,7 @@ L004enc3_loop: + ret + .align 4 + __aesni_decrypt3: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -200,6 +206,7 @@ L005dec3_loop: + ret + .align 4 + __aesni_encrypt4: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx +@@ -236,6 +243,7 @@ 
L006enc4_loop: + ret + .align 4 + __aesni_decrypt4: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + movups 16(%edx),%xmm1 + shll $4,%ecx +@@ -272,6 +280,7 @@ L007dec4_loop: + ret + .align 4 + __aesni_encrypt6: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -324,6 +333,7 @@ L_aesni_encrypt6_enter: + ret + .align 4 + __aesni_decrypt6: ++.byte 243,15,30,251 + movups (%edx),%xmm0 + shll $4,%ecx + movups 16(%edx),%xmm1 +@@ -378,6 +388,7 @@ L_aesni_decrypt6_enter: + .align 4 + _aesni_ecb_encrypt: + L_aesni_ecb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -611,6 +622,7 @@ L012ecb_ret: + .align 4 + _aesni_ccm64_encrypt_blocks: + L_aesni_ccm64_encrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -697,6 +709,7 @@ L031ccm64_enc2_loop: + .align 4 + _aesni_ccm64_decrypt_blocks: + L_aesni_ccm64_decrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -818,6 +831,7 @@ L036enc1_loop_6: + .align 4 + _aesni_ctr32_encrypt_blocks: + L_aesni_ctr32_encrypt_blocks_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1054,6 +1068,7 @@ L040ctr32_ret: + .align 4 + _aesni_xts_encrypt: + L_aesni_xts_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1412,6 +1427,7 @@ L056xts_enc_ret: + .align 4 + _aesni_xts_decrypt: + L_aesni_xts_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -1800,6 +1816,7 @@ L069xts_dec_ret: + .align 4 + _aesni_ocb_encrypt: + L_aesni_ocb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2193,6 +2210,7 @@ L078done: + .align 4 + _aesni_ocb_decrypt: + L_aesni_ocb_decrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2586,6 +2604,7 @@ L088done: + .align 4 + _aesni_cbc_encrypt: + L_aesni_cbc_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -2843,6 +2862,7 @@ L094cbc_abort: + 
ret + .align 4 + __aesni_set_encrypt_key: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + testl %eax,%eax +@@ -3176,6 +3196,7 @@ L115bad_keybits: + .align 4 + _aesni_set_encrypt_key: + L_aesni_set_encrypt_key_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx +@@ -3185,6 +3206,7 @@ L_aesni_set_encrypt_key_begin: + .align 4 + _aesni_set_decrypt_key: + L_aesni_set_decrypt_key_begin: ++.byte 243,15,30,251 + movl 4(%esp),%eax + movl 8(%esp),%ecx + movl 12(%esp),%edx +diff --git a/lib/accelerated/x86/macosx/aesni-x86_64.s b/lib/accelerated/x86/macosx/aesni-x86_64.s +index f6145f166..484122c5e 100644 +--- a/lib/accelerated/x86/macosx/aesni-x86_64.s ++++ b/lib/accelerated/x86/macosx/aesni-x86_64.s +@@ -44,6 +44,7 @@ + .p2align 4 + _aesni_encrypt: + ++.byte 243,15,30,250 + movups (%rdi),%xmm2 + movl 240(%rdx),%eax + movups (%rdx),%xmm0 +@@ -70,6 +71,7 @@ L$oop_enc1_1: + .p2align 4 + _aesni_decrypt: + ++.byte 243,15,30,250 + movups (%rdi),%xmm2 + movl 240(%rdx),%eax + movups (%rdx),%xmm0 +@@ -557,6 +559,7 @@ L$dec_loop8_enter: + .p2align 4 + _aesni_ecb_encrypt: + ++.byte 243,15,30,250 + andq $-16,%rdx + jz L$ecb_ret + +@@ -900,6 +903,8 @@ L$ecb_ret: + + .p2align 4 + _aesni_ccm64_encrypt_blocks: ++ ++.byte 243,15,30,250 + movl 240(%rcx),%eax + movdqu (%r8),%xmm6 + movdqa L$increment64(%rip),%xmm9 +@@ -959,10 +964,13 @@ L$ccm64_enc2_loop: + pxor %xmm6,%xmm6 + .byte 0xf3,0xc3 + ++ + .globl _aesni_ccm64_decrypt_blocks + + .p2align 4 + _aesni_ccm64_decrypt_blocks: ++ ++.byte 243,15,30,250 + movl 240(%rcx),%eax + movups (%r8),%xmm6 + movdqu (%r9),%xmm3 +@@ -1056,11 +1064,13 @@ L$oop_enc1_6: + pxor %xmm6,%xmm6 + .byte 0xf3,0xc3 + ++ + .globl _aesni_ctr32_encrypt_blocks + + .p2align 4 + _aesni_ctr32_encrypt_blocks: + ++.byte 243,15,30,250 + cmpq $1,%rdx + jne L$ctr32_bulk + +@@ -1639,6 +1649,7 @@ L$ctr32_epilogue: + .p2align 4 + _aesni_xts_encrypt: + ++.byte 243,15,30,250 + leaq (%rsp),%r11 + + pushq %rbp +@@ -2109,6 +2120,7 @@ 
L$xts_enc_epilogue: + .p2align 4 + _aesni_xts_decrypt: + ++.byte 243,15,30,250 + leaq (%rsp),%r11 + + pushq %rbp +@@ -2616,6 +2628,7 @@ L$xts_dec_epilogue: + .p2align 5 + _aesni_ocb_encrypt: + ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + +@@ -2824,6 +2837,7 @@ L$ocb_enc_epilogue: + + .p2align 5 + __ocb_encrypt6: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -2924,8 +2938,10 @@ L$ocb_enc_loop6: + + + ++ + .p2align 5 + __ocb_encrypt4: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -2993,8 +3009,10 @@ L$ocb_enc_loop4: + + + ++ + .p2align 5 + __ocb_encrypt1: ++ + pxor %xmm15,%xmm7 + pxor %xmm9,%xmm7 + pxor %xmm2,%xmm8 +@@ -3027,11 +3045,13 @@ L$ocb_enc_loop1: + .byte 0xf3,0xc3 + + ++ + .globl _aesni_ocb_decrypt + + .p2align 5 + _aesni_ocb_decrypt: + ++.byte 243,15,30,250 + leaq (%rsp),%rax + pushq %rbx + +@@ -3262,6 +3282,7 @@ L$ocb_dec_epilogue: + + .p2align 5 + __ocb_decrypt6: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3356,8 +3377,10 @@ L$ocb_dec_loop6: + + + ++ + .p2align 5 + __ocb_decrypt4: ++ + pxor %xmm9,%xmm15 + movdqu (%rbx,%r12,1),%xmm11 + movdqa %xmm10,%xmm12 +@@ -3421,8 +3444,10 @@ L$ocb_dec_loop4: + + + ++ + .p2align 5 + __ocb_decrypt1: ++ + pxor %xmm15,%xmm7 + pxor %xmm9,%xmm7 + pxor %xmm7,%xmm2 +@@ -3453,11 +3478,13 @@ L$ocb_dec_loop1: + .byte 102,15,56,223,215 + .byte 0xf3,0xc3 + ++ + .globl _aesni_cbc_encrypt + + .p2align 4 + _aesni_cbc_encrypt: + ++.byte 243,15,30,250 + testq %rdx,%rdx + jz L$cbc_ret + +@@ -4390,7 +4417,6 @@ L$enc_key_ret: + addq $8,%rsp + + .byte 0xf3,0xc3 +- + L$SEH_end_set_encrypt_key: + + .p2align 4 +@@ -4463,6 +4489,7 @@ L$key_expansion_256b: + .byte 0xf3,0xc3 + + ++ + .p2align 6 + L$bswap_mask: + .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +diff --git a/lib/accelerated/x86/macosx/e_padlock-x86.s b/lib/accelerated/x86/macosx/e_padlock-x86.s +index 367962c7c..9a72938fe 100644 +--- 
a/lib/accelerated/x86/macosx/e_padlock-x86.s ++++ b/lib/accelerated/x86/macosx/e_padlock-x86.s +@@ -1,4 +1,4 @@ +-# Copyright (c) 2011-2013, Andy Polyakov ++# Copyright (c) 2011-2016, Andy Polyakov + # All rights reserved. + # + # Redistribution and use in source and binary forms, with or without +@@ -37,12 +37,12 @@ + # + # *** This file is auto-generated *** + # +-.file "devel/perlasm/e_padlock-x86.s" + .text + .globl _padlock_capability + .align 4 + _padlock_capability: + L_padlock_capability_begin: ++.byte 243,15,30,251 + pushl %ebx + pushfl + popl %eax +@@ -59,11 +59,20 @@ L_padlock_capability_begin: + .byte 0x0f,0xa2 + xorl %eax,%eax + cmpl $0x746e6543,%ebx +- jne L000noluck ++ jne L001zhaoxin + cmpl $0x48727561,%edx + jne L000noluck + cmpl $0x736c7561,%ecx + jne L000noluck ++ jmp L002zhaoxinEnd ++L001zhaoxin: ++ cmpl $0x68532020,%ebx ++ jne L000noluck ++ cmpl $0x68676e61,%edx ++ jne L000noluck ++ cmpl $0x20206961,%ecx ++ jne L000noluck ++L002zhaoxinEnd: + movl $3221225472,%eax + .byte 0x0f,0xa2 + movl %eax,%edx +@@ -92,43 +101,47 @@ L000noluck: + .align 4 + _padlock_key_bswap: + L_padlock_key_bswap_begin: ++.byte 243,15,30,251 + movl 4(%esp),%edx + movl 240(%edx),%ecx +-L001bswap_loop: ++L003bswap_loop: + movl (%edx),%eax + bswap %eax + movl %eax,(%edx) + leal 4(%edx),%edx + subl $1,%ecx +- jnz L001bswap_loop ++ jnz L003bswap_loop + ret + .globl _padlock_verify_context + .align 4 + _padlock_verify_context: + L_padlock_verify_context_begin: ++.byte 243,15,30,251 + movl 4(%esp),%edx +- leal Lpadlock_saved_context-L002verify_pic_point,%eax ++ leal Lpadlock_saved_context-L004verify_pic_point,%eax + pushfl + call __padlock_verify_ctx +-L002verify_pic_point: ++L004verify_pic_point: + leal 4(%esp),%esp + ret + .align 4 + __padlock_verify_ctx: ++.byte 243,15,30,251 + addl (%esp),%eax + btl $30,4(%esp) +- jnc L003verified ++ jnc L005verified + cmpl (%eax),%edx +- je L003verified ++ je L005verified + pushfl + popfl +-L003verified: ++L005verified: + movl %edx,(%eax) + 
ret + .globl _padlock_reload_key + .align 4 + _padlock_reload_key: + L_padlock_reload_key_begin: ++.byte 243,15,30,251 + pushfl + popfl + ret +@@ -136,6 +149,7 @@ L_padlock_reload_key_begin: + .align 4 + _padlock_aes_block: + L_padlock_aes_block_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + pushl %ebx +@@ -154,6 +168,7 @@ L_padlock_aes_block_begin: + .align 4 + _padlock_ecb_encrypt: + L_padlock_ecb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -163,25 +178,25 @@ L_padlock_ecb_encrypt_begin: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz L004ecb_abort ++ jnz L006ecb_abort + testl $15,%ecx +- jnz L004ecb_abort +- leal Lpadlock_saved_context-L005ecb_pic_point,%eax ++ jnz L006ecb_abort ++ leal Lpadlock_saved_context-L007ecb_pic_point,%eax + pushfl + cld + call __padlock_verify_ctx +-L005ecb_pic_point: ++L007ecb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz L006ecb_aligned ++ jnz L008ecb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz L006ecb_aligned ++ jnz L008ecb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -200,7 +215,7 @@ L005ecb_pic_point: + andl $-16,%esp + movl %eax,16(%ebp) + cmpl %ebx,%ecx +- ja L007ecb_loop ++ ja L009ecb_loop + movl %esi,%eax + cmpl %esp,%ebp + cmovel %edi,%eax +@@ -211,10 +226,10 @@ L005ecb_pic_point: + movl $-128,%eax + cmovael %ebx,%eax + andl %eax,%ebx +- jz L008ecb_unaligned_tail +- jmp L007ecb_loop ++ jz L010ecb_unaligned_tail ++ jmp L009ecb_loop + .align 4,0x90 +-L007ecb_loop: ++L009ecb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -223,13 +238,13 @@ L007ecb_loop: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz L009ecb_inp_aligned ++ jz L011ecb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-L009ecb_inp_aligned: ++L011ecb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ 
-237,23 +252,23 @@ L009ecb_inp_aligned: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz L010ecb_out_aligned ++ jz L012ecb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-L010ecb_out_aligned: ++L012ecb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jz L011ecb_break ++ jz L013ecb_break + cmpl %ebx,%ecx +- jae L007ecb_loop +-L008ecb_unaligned_tail: ++ jae L009ecb_loop ++L010ecb_unaligned_tail: + xorl %eax,%eax + cmpl %ebp,%esp + cmovel %ecx,%eax +@@ -266,24 +281,24 @@ L008ecb_unaligned_tail: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp L007ecb_loop ++ jmp L009ecb_loop + .align 4,0x90 +-L011ecb_break: ++L013ecb_break: + cmpl %ebp,%esp +- je L012ecb_done ++ je L014ecb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-L013ecb_bzero: ++L015ecb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja L013ecb_bzero +-L012ecb_done: ++ ja L015ecb_bzero ++L014ecb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp L014ecb_exit ++ jmp L016ecb_exit + .align 4,0x90 +-L006ecb_aligned: ++L008ecb_aligned: + leal (%esi,%ecx,1),%ebp + negl %ebp + andl $4095,%ebp +@@ -293,14 +308,14 @@ L006ecb_aligned: + cmovael %eax,%ebp + andl %ecx,%ebp + subl %ebp,%ecx +- jz L015ecb_aligned_tail ++ jz L017ecb_aligned_tail + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,200 + testl %ebp,%ebp +- jz L014ecb_exit +-L015ecb_aligned_tail: ++ jz L016ecb_exit ++L017ecb_aligned_tail: + movl %ebp,%ecx + leal -24(%esp),%ebp + movl %ebp,%esp +@@ -317,11 +332,11 @@ L015ecb_aligned_tail: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp L007ecb_loop +-L014ecb_exit: ++ jmp L009ecb_loop ++L016ecb_exit: + movl $1,%eax + leal 4(%esp),%esp +-L004ecb_abort: ++L006ecb_abort: + popl %edi + popl %esi + popl %ebx +@@ -331,6 +346,7 @@ L004ecb_abort: + .align 4 + _padlock_cbc_encrypt: + L_padlock_cbc_encrypt_begin: ++.byte 
243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -340,25 +356,25 @@ L_padlock_cbc_encrypt_begin: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz L016cbc_abort ++ jnz L018cbc_abort + testl $15,%ecx +- jnz L016cbc_abort +- leal Lpadlock_saved_context-L017cbc_pic_point,%eax ++ jnz L018cbc_abort ++ leal Lpadlock_saved_context-L019cbc_pic_point,%eax + pushfl + cld + call __padlock_verify_ctx +-L017cbc_pic_point: ++L019cbc_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz L018cbc_aligned ++ jnz L020cbc_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz L018cbc_aligned ++ jnz L020cbc_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -377,7 +393,7 @@ L017cbc_pic_point: + andl $-16,%esp + movl %eax,16(%ebp) + cmpl %ebx,%ecx +- ja L019cbc_loop ++ ja L021cbc_loop + movl %esi,%eax + cmpl %esp,%ebp + cmovel %edi,%eax +@@ -388,10 +404,10 @@ L017cbc_pic_point: + movl $-64,%eax + cmovael %ebx,%eax + andl %eax,%ebx +- jz L020cbc_unaligned_tail +- jmp L019cbc_loop ++ jz L022cbc_unaligned_tail ++ jmp L021cbc_loop + .align 4,0x90 +-L019cbc_loop: ++L021cbc_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -400,13 +416,13 @@ L019cbc_loop: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz L021cbc_inp_aligned ++ jz L023cbc_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-L021cbc_inp_aligned: ++L023cbc_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -416,23 +432,23 @@ L021cbc_inp_aligned: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz L022cbc_out_aligned ++ jz L024cbc_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-L022cbc_out_aligned: ++L024cbc_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jz L023cbc_break ++ jz L025cbc_break + cmpl 
%ebx,%ecx +- jae L019cbc_loop +-L020cbc_unaligned_tail: ++ jae L021cbc_loop ++L022cbc_unaligned_tail: + xorl %eax,%eax + cmpl %ebp,%esp + cmovel %ecx,%eax +@@ -445,24 +461,24 @@ L020cbc_unaligned_tail: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp L019cbc_loop ++ jmp L021cbc_loop + .align 4,0x90 +-L023cbc_break: ++L025cbc_break: + cmpl %ebp,%esp +- je L024cbc_done ++ je L026cbc_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-L025cbc_bzero: ++L027cbc_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja L025cbc_bzero +-L024cbc_done: ++ ja L027cbc_bzero ++L026cbc_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp L026cbc_exit ++ jmp L028cbc_exit + .align 4,0x90 +-L018cbc_aligned: ++L020cbc_aligned: + leal (%esi,%ecx,1),%ebp + negl %ebp + andl $4095,%ebp +@@ -472,7 +488,7 @@ L018cbc_aligned: + cmovael %eax,%ebp + andl %ecx,%ebp + subl %ebp,%ecx +- jz L027cbc_aligned_tail ++ jz L029cbc_aligned_tail + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -480,8 +496,8 @@ L018cbc_aligned: + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) + testl %ebp,%ebp +- jz L026cbc_exit +-L027cbc_aligned_tail: ++ jz L028cbc_exit ++L029cbc_aligned_tail: + movl %ebp,%ecx + leal -24(%esp),%ebp + movl %ebp,%esp +@@ -498,11 +514,11 @@ L027cbc_aligned_tail: + movl %esp,%esi + movl %eax,%edi + movl %ebx,%ecx +- jmp L019cbc_loop +-L026cbc_exit: ++ jmp L021cbc_loop ++L028cbc_exit: + movl $1,%eax + leal 4(%esp),%esp +-L016cbc_abort: ++L018cbc_abort: + popl %edi + popl %esi + popl %ebx +@@ -512,6 +528,7 @@ L016cbc_abort: + .align 4 + _padlock_cfb_encrypt: + L_padlock_cfb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -521,25 +538,25 @@ L_padlock_cfb_encrypt_begin: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz L028cfb_abort ++ jnz L030cfb_abort + testl $15,%ecx +- jnz L028cfb_abort +- leal Lpadlock_saved_context-L029cfb_pic_point,%eax ++ jnz L030cfb_abort ++ leal Lpadlock_saved_context-L031cfb_pic_point,%eax 
+ pushfl + cld + call __padlock_verify_ctx +-L029cfb_pic_point: ++L031cfb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz L030cfb_aligned ++ jnz L032cfb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz L030cfb_aligned ++ jnz L032cfb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -557,9 +574,9 @@ L029cfb_pic_point: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp L031cfb_loop ++ jmp L033cfb_loop + .align 4,0x90 +-L031cfb_loop: ++L033cfb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -568,13 +585,13 @@ L031cfb_loop: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz L032cfb_inp_aligned ++ jz L034cfb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-L032cfb_inp_aligned: ++L034cfb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -584,45 +601,45 @@ L032cfb_inp_aligned: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz L033cfb_out_aligned ++ jz L035cfb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-L033cfb_out_aligned: ++L035cfb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz L031cfb_loop ++ jnz L033cfb_loop + cmpl %ebp,%esp +- je L034cfb_done ++ je L036cfb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-L035cfb_bzero: ++L037cfb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja L035cfb_bzero +-L034cfb_done: ++ ja L037cfb_bzero ++L036cfb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp L036cfb_exit ++ jmp L038cfb_exit + .align 4,0x90 +-L030cfb_aligned: ++L032cfb_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,224 + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) +-L036cfb_exit: ++L038cfb_exit: + movl $1,%eax + leal 4(%esp),%esp +-L028cfb_abort: ++L030cfb_abort: + popl 
%edi + popl %esi + popl %ebx +@@ -632,6 +649,7 @@ L028cfb_abort: + .align 4 + _padlock_ofb_encrypt: + L_padlock_ofb_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -641,25 +659,25 @@ L_padlock_ofb_encrypt_begin: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz L037ofb_abort ++ jnz L039ofb_abort + testl $15,%ecx +- jnz L037ofb_abort +- leal Lpadlock_saved_context-L038ofb_pic_point,%eax ++ jnz L039ofb_abort ++ leal Lpadlock_saved_context-L040ofb_pic_point,%eax + pushfl + cld + call __padlock_verify_ctx +-L038ofb_pic_point: ++L040ofb_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + xorl %ebx,%ebx + testl $32,(%edx) +- jnz L039ofb_aligned ++ jnz L041ofb_aligned + testl $15,%edi + setz %al + testl $15,%esi + setz %bl + testl %ebx,%eax +- jnz L039ofb_aligned ++ jnz L041ofb_aligned + negl %eax + movl $512,%ebx + notl %eax +@@ -677,9 +695,9 @@ L038ofb_pic_point: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp L040ofb_loop ++ jmp L042ofb_loop + .align 4,0x90 +-L040ofb_loop: ++L042ofb_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -688,13 +706,13 @@ L040ofb_loop: + testl $15,%edi + cmovnzl %esp,%edi + testl $15,%esi +- jz L041ofb_inp_aligned ++ jz L043ofb_inp_aligned + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi + movl %ebx,%ecx + movl %edi,%esi +-L041ofb_inp_aligned: ++L043ofb_inp_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx +@@ -704,45 +722,45 @@ L041ofb_inp_aligned: + movl (%ebp),%edi + movl 12(%ebp),%ebx + testl $15,%edi +- jz L042ofb_out_aligned ++ jz L044ofb_out_aligned + movl %ebx,%ecx + leal (%esp),%esi + shrl $2,%ecx + .byte 243,165 + subl %ebx,%edi +-L042ofb_out_aligned: ++L044ofb_out_aligned: + movl 4(%ebp),%esi + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz L040ofb_loop ++ jnz L042ofb_loop + cmpl %ebp,%esp +- je L043ofb_done ++ je L045ofb_done + pxor %xmm0,%xmm0 + leal (%esp),%eax +-L044ofb_bzero: 
++L046ofb_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja L044ofb_bzero +-L043ofb_done: ++ ja L046ofb_bzero ++L045ofb_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp +- jmp L045ofb_exit ++ jmp L047ofb_exit + .align 4,0x90 +-L039ofb_aligned: ++L041ofb_aligned: + leal -16(%edx),%eax + leal 16(%edx),%ebx + shrl $4,%ecx + .byte 243,15,167,232 + movaps (%eax),%xmm0 + movaps %xmm0,-16(%edx) +-L045ofb_exit: ++L047ofb_exit: + movl $1,%eax + leal 4(%esp),%esp +-L037ofb_abort: ++L039ofb_abort: + popl %edi + popl %esi + popl %ebx +@@ -752,6 +770,7 @@ L037ofb_abort: + .align 4 + _padlock_ctr32_encrypt: + L_padlock_ctr32_encrypt_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +@@ -761,14 +780,14 @@ L_padlock_ctr32_encrypt_begin: + movl 28(%esp),%edx + movl 32(%esp),%ecx + testl $15,%edx +- jnz L046ctr32_abort ++ jnz L048ctr32_abort + testl $15,%ecx +- jnz L046ctr32_abort +- leal Lpadlock_saved_context-L047ctr32_pic_point,%eax ++ jnz L048ctr32_abort ++ leal Lpadlock_saved_context-L049ctr32_pic_point,%eax + pushfl + cld + call __padlock_verify_ctx +-L047ctr32_pic_point: ++L049ctr32_pic_point: + leal 16(%edx),%edx + xorl %eax,%eax + movq -16(%edx),%mm0 +@@ -788,9 +807,9 @@ L047ctr32_pic_point: + andl $-16,%ebp + andl $-16,%esp + movl %eax,16(%ebp) +- jmp L048ctr32_loop ++ jmp L050ctr32_loop + .align 4,0x90 +-L048ctr32_loop: ++L050ctr32_loop: + movl %edi,(%ebp) + movl %esi,4(%ebp) + movl %ecx,8(%ebp) +@@ -799,7 +818,7 @@ L048ctr32_loop: + movl -4(%edx),%ecx + xorl %edi,%edi + movl -8(%edx),%eax +-L049ctr32_prepare: ++L051ctr32_prepare: + movl %ecx,12(%esp,%edi,1) + bswap %ecx + movq %mm0,(%esp,%edi,1) +@@ -808,7 +827,7 @@ L049ctr32_prepare: + bswap %ecx + leal 16(%edi),%edi + cmpl %ebx,%edi +- jb L049ctr32_prepare ++ jb L051ctr32_prepare + movl %ecx,-4(%edx) + leal (%esp),%esi + leal (%esp),%edi +@@ -821,33 +840,33 @@ L049ctr32_prepare: + movl 12(%ebp),%ebx + movl 4(%ebp),%esi + xorl %ecx,%ecx +-L050ctr32_xor: ++L052ctr32_xor: + movups 
(%esi,%ecx,1),%xmm1 + leal 16(%ecx),%ecx + pxor -16(%esp,%ecx,1),%xmm1 + movups %xmm1,-16(%edi,%ecx,1) + cmpl %ebx,%ecx +- jb L050ctr32_xor ++ jb L052ctr32_xor + movl 8(%ebp),%ecx + addl %ebx,%edi + addl %ebx,%esi + subl %ebx,%ecx + movl $512,%ebx +- jnz L048ctr32_loop ++ jnz L050ctr32_loop + pxor %xmm0,%xmm0 + leal (%esp),%eax +-L051ctr32_bzero: ++L053ctr32_bzero: + movaps %xmm0,(%eax) + leal 16(%eax),%eax + cmpl %eax,%ebp +- ja L051ctr32_bzero +-L052ctr32_done: ++ ja L053ctr32_bzero ++L054ctr32_done: + movl 16(%ebp),%ebp + leal 24(%ebp),%esp + movl $1,%eax + leal 4(%esp),%esp + emms +-L046ctr32_abort: ++L048ctr32_abort: + popl %edi + popl %esi + popl %ebx +@@ -857,6 +876,7 @@ L046ctr32_abort: + .align 4 + _padlock_xstore: + L_padlock_xstore_begin: ++.byte 243,15,30,251 + pushl %edi + movl 8(%esp),%edi + movl 12(%esp),%edx +@@ -865,19 +885,21 @@ L_padlock_xstore_begin: + ret + .align 4 + __win32_segv_handler: ++.byte 243,15,30,251 + movl $1,%eax + movl 4(%esp),%edx + movl 12(%esp),%ecx + cmpl $3221225477,(%edx) +- jne L053ret ++ jne L055ret + addl $4,184(%ecx) + movl $0,%eax +-L053ret: ++L055ret: + ret + .globl _padlock_sha1_oneshot + .align 4 + _padlock_sha1_oneshot: + L_padlock_sha1_oneshot_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + xorl %eax,%eax +@@ -907,6 +929,7 @@ L_padlock_sha1_oneshot_begin: + .align 4 + _padlock_sha1_blocks: + L_padlock_sha1_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +@@ -935,6 +958,7 @@ L_padlock_sha1_blocks_begin: + .align 4 + _padlock_sha256_oneshot: + L_padlock_sha256_oneshot_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + xorl %eax,%eax +@@ -964,6 +988,7 @@ L_padlock_sha256_oneshot_begin: + .align 4 + _padlock_sha256_blocks: + L_padlock_sha256_blocks_begin: ++.byte 243,15,30,251 + pushl %edi + pushl %esi + movl 12(%esp),%edi +@@ -992,6 +1017,7 @@ L_padlock_sha256_blocks_begin: + .align 4 + _padlock_sha512_blocks: + L_padlock_sha512_blocks_begin: ++.byte 243,15,30,251 + 
pushl %edi + pushl %esi + movl 12(%esp),%edi +diff --git a/lib/accelerated/x86/macosx/e_padlock-x86_64.s b/lib/accelerated/x86/macosx/e_padlock-x86_64.s +index a73d7a6c1..64aff29fe 100644 +--- a/lib/accelerated/x86/macosx/e_padlock-x86_64.s ++++ b/lib/accelerated/x86/macosx/e_padlock-x86_64.s +@@ -1,4 +1,4 @@ +-# Copyright (c) 2011-2013, Andy Polyakov ++# Copyright (c) 2011-2016, Andy Polyakov + # All rights reserved. + # + # Redistribution and use in source and binary forms, with or without +@@ -42,36 +42,50 @@ + + .p2align 4 + _padlock_capability: ++ ++.byte 243,15,30,250 + movq %rbx,%r8 + xorl %eax,%eax + cpuid + xorl %eax,%eax +- cmpl $1953391939,%ebx ++ cmpl $0x746e6543,%ebx ++ jne L$zhaoxin ++ cmpl $0x48727561,%edx ++ jne L$noluck ++ cmpl $0x736c7561,%ecx ++ jne L$noluck ++ jmp L$zhaoxinEnd ++L$zhaoxin: ++ cmpl $0x68532020,%ebx + jne L$noluck +- cmpl $1215460705,%edx ++ cmpl $0x68676e61,%edx + jne L$noluck +- cmpl $1936487777,%ecx ++ cmpl $0x20206961,%ecx + jne L$noluck +- movl $3221225472,%eax ++L$zhaoxinEnd: ++ movl $0xC0000000,%eax + cpuid + movl %eax,%edx + xorl %eax,%eax +- cmpl $3221225473,%edx ++ cmpl $0xC0000001,%edx + jb L$noluck +- movl $3221225473,%eax ++ movl $0xC0000001,%eax + cpuid + movl %edx,%eax +- andl $4294967279,%eax +- orl $16,%eax ++ andl $0xffffffef,%eax ++ orl $0x10,%eax + L$noluck: + movq %r8,%rbx + .byte 0xf3,0xc3 + + ++ + .globl _padlock_key_bswap + + .p2align 4 + _padlock_key_bswap: ++ ++.byte 243,15,30,250 + movl 240(%rdi),%edx + L$bswap_loop: + movl (%rdi),%eax +@@ -83,10 +97,13 @@ L$bswap_loop: + .byte 0xf3,0xc3 + + ++ + .globl _padlock_verify_context + + .p2align 4 + _padlock_verify_context: ++ ++.byte 243,15,30,250 + movq %rdi,%rdx + pushf + leaq L$padlock_saved_context(%rip),%rax +@@ -96,8 +113,11 @@ _padlock_verify_context: + + + ++ + .p2align 4 + _padlock_verify_ctx: ++ ++.byte 243,15,30,250 + movq 8(%rsp),%r8 + btq $30,%r8 + jnc L$verified +@@ -110,41 +130,53 @@ L$verified: + .byte 0xf3,0xc3 + + ++ + .globl 
_padlock_reload_key + + .p2align 4 + _padlock_reload_key: ++ ++.byte 243,15,30,250 + pushf + popf + .byte 0xf3,0xc3 + + ++ + .globl _padlock_aes_block + + .p2align 4 + _padlock_aes_block: ++ ++.byte 243,15,30,250 + movq %rbx,%r8 + movq $1,%rcx + leaq 32(%rdx),%rbx + leaq 16(%rdx),%rdx +-.byte 0xf3,0x0f,0xa7,0xc8 ++.byte 0xf3,0x0f,0xa7,0xc8 + movq %r8,%rbx + .byte 0xf3,0xc3 + + ++ + .globl _padlock_xstore + + .p2align 4 + _padlock_xstore: ++ ++.byte 243,15,30,250 + movl %esi,%edx +-.byte 0x0f,0xa7,0xc0 ++.byte 0x0f,0xa7,0xc0 + .byte 0xf3,0xc3 + + ++ + .globl _padlock_sha1_oneshot + + .p2align 4 + _padlock_sha1_oneshot: ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -154,7 +186,7 @@ _padlock_sha1_oneshot: + movq %rsp,%rdi + movl %eax,16(%rsp) + xorq %rax,%rax +-.byte 0xf3,0x0f,0xa6,0xc8 ++.byte 0xf3,0x0f,0xa6,0xc8 + movaps (%rsp),%xmm0 + movl 16(%rsp),%eax + addq $128+8,%rsp +@@ -163,10 +195,13 @@ _padlock_sha1_oneshot: + .byte 0xf3,0xc3 + + ++ + .globl _padlock_sha1_blocks + + .p2align 4 + _padlock_sha1_blocks: ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -176,7 +211,7 @@ _padlock_sha1_blocks: + movq %rsp,%rdi + movl %eax,16(%rsp) + movq $-1,%rax +-.byte 0xf3,0x0f,0xa6,0xc8 ++.byte 0xf3,0x0f,0xa6,0xc8 + movaps (%rsp),%xmm0 + movl 16(%rsp),%eax + addq $128+8,%rsp +@@ -185,10 +220,13 @@ _padlock_sha1_blocks: + .byte 0xf3,0xc3 + + ++ + .globl _padlock_sha256_oneshot + + .p2align 4 + _padlock_sha256_oneshot: ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -198,7 +236,7 @@ _padlock_sha256_oneshot: + movq %rsp,%rdi + movaps %xmm1,16(%rsp) + xorq %rax,%rax +-.byte 0xf3,0x0f,0xa6,0xd0 ++.byte 0xf3,0x0f,0xa6,0xd0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + addq $128+8,%rsp +@@ -207,10 +245,13 @@ _padlock_sha256_oneshot: + .byte 0xf3,0xc3 + + ++ + .globl _padlock_sha256_blocks + + .p2align 4 + _padlock_sha256_blocks: ++ ++.byte 243,15,30,250 + movq %rdx,%rcx 
+ movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -220,7 +261,7 @@ _padlock_sha256_blocks: + movq %rsp,%rdi + movaps %xmm1,16(%rsp) + movq $-1,%rax +-.byte 0xf3,0x0f,0xa6,0xd0 ++.byte 0xf3,0x0f,0xa6,0xd0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + addq $128+8,%rsp +@@ -229,10 +270,13 @@ _padlock_sha256_blocks: + .byte 0xf3,0xc3 + + ++ + .globl _padlock_sha512_blocks + + .p2align 4 + _padlock_sha512_blocks: ++ ++.byte 243,15,30,250 + movq %rdx,%rcx + movq %rdi,%rdx + movups (%rdi),%xmm0 +@@ -245,7 +289,7 @@ _padlock_sha512_blocks: + movaps %xmm1,16(%rsp) + movaps %xmm2,32(%rsp) + movaps %xmm3,48(%rsp) +-.byte 0xf3,0x0f,0xa6,0xe0 ++.byte 0xf3,0x0f,0xa6,0xe0 + movaps (%rsp),%xmm0 + movaps 16(%rsp),%xmm1 + movaps 32(%rsp),%xmm2 +@@ -257,10 +301,13 @@ _padlock_sha512_blocks: + movups %xmm3,48(%rdx) + .byte 0xf3,0xc3 + ++ + .globl _padlock_ecb_encrypt + + .p2align 4 + _padlock_ecb_encrypt: ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -278,9 +325,9 @@ _padlock_ecb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz L$ecb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz L$ecb_aligned +@@ -304,7 +351,7 @@ _padlock_ecb_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $128,%rax + movq $-128,%rax + cmovaeq %rbx,%rax +@@ -320,12 +367,12 @@ L$ecb_loop: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz L$ecb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -333,15 +380,15 @@ L$ecb_inp_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,200 ++.byte 0xf3,0x0f,0xa7,200 + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz L$ecb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 
0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + L$ecb_out_aligned: + movq %r9,%rsi +@@ -362,7 +409,7 @@ L$ecb_unaligned_tail: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -388,7 +435,7 @@ L$ecb_done: + L$ecb_aligned: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $128,%rbp + movq $128-1,%rbp +@@ -399,7 +446,7 @@ L$ecb_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,200 ++.byte 0xf3,0x0f,0xa7,200 + testq %rbp,%rbp + jz L$ecb_exit + +@@ -411,7 +458,7 @@ L$ecb_aligned_tail: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -424,10 +471,13 @@ L$ecb_abort: + popq %rbp + .byte 0xf3,0xc3 + ++ + .globl _padlock_cbc_encrypt + + .p2align 4 + _padlock_cbc_encrypt: ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -445,9 +495,9 @@ _padlock_cbc_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz L$cbc_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz L$cbc_aligned +@@ -471,7 +521,7 @@ _padlock_cbc_encrypt: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $64,%rax + movq $-64,%rax + cmovaeq %rbx,%rax +@@ -487,12 +537,12 @@ L$cbc_loop: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz L$cbc_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -500,17 +550,17 @@ L$cbc_inp_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,208 ++.byte 0xf3,0x0f,0xa7,208 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx 
+- testq $15,%rdi ++ testq $0x0f,%rdi + jz L$cbc_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + L$cbc_out_aligned: + movq %r9,%rsi +@@ -531,7 +581,7 @@ L$cbc_unaligned_tail: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -557,7 +607,7 @@ L$cbc_done: + L$cbc_aligned: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $64,%rbp + movq $64-1,%rbp +@@ -568,7 +618,7 @@ L$cbc_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,208 ++.byte 0xf3,0x0f,0xa7,208 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + testq %rbp,%rbp +@@ -582,7 +632,7 @@ L$cbc_aligned_tail: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -595,10 +645,13 @@ L$cbc_abort: + popq %rbp + .byte 0xf3,0xc3 + ++ + .globl _padlock_cfb_encrypt + + .p2align 4 + _padlock_cfb_encrypt: ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -616,9 +669,9 @@ _padlock_cfb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz L$cfb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz L$cfb_aligned +@@ -645,12 +698,12 @@ L$cfb_loop: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz L$cfb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -658,17 +711,17 @@ L$cfb_inp_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,224 ++.byte 0xf3,0x0f,0xa7,224 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq 
$0x0f,%rdi + jz L$cfb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + L$cfb_out_aligned: + movq %r9,%rsi +@@ -698,7 +751,7 @@ L$cfb_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,224 ++.byte 0xf3,0x0f,0xa7,224 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + L$cfb_exit: +@@ -709,10 +762,13 @@ L$cfb_abort: + popq %rbp + .byte 0xf3,0xc3 + ++ + .globl _padlock_ofb_encrypt + + .p2align 4 + _padlock_ofb_encrypt: ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ -730,9 +786,9 @@ _padlock_ofb_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz L$ofb_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz L$ofb_aligned +@@ -759,12 +815,12 @@ L$ofb_loop: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz L$ofb_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -772,17 +828,17 @@ L$ofb_inp_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,232 ++.byte 0xf3,0x0f,0xa7,232 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz L$ofb_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + L$ofb_out_aligned: + movq %r9,%rsi +@@ -812,7 +868,7 @@ L$ofb_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,232 ++.byte 0xf3,0x0f,0xa7,232 + movdqa (%rax),%xmm0 + movdqa %xmm0,-16(%rdx) + L$ofb_exit: +@@ -823,10 +879,13 @@ L$ofb_abort: + popq %rbp + .byte 0xf3,0xc3 + ++ + .globl _padlock_ctr32_encrypt + + .p2align 4 + _padlock_ctr32_encrypt: ++ ++.byte 243,15,30,250 + pushq %rbp + pushq %rbx + +@@ 
-844,9 +903,9 @@ _padlock_ctr32_encrypt: + xorl %ebx,%ebx + testl $32,(%rdx) + jnz L$ctr32_aligned +- testq $15,%rdi ++ testq $0x0f,%rdi + setz %al +- testq $15,%rsi ++ testq $0x0f,%rsi + setz %bl + testl %ebx,%eax + jnz L$ctr32_aligned +@@ -881,7 +940,7 @@ L$ctr32_reenter: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $32,%rax + movq $-32,%rax + cmovaeq %rbx,%rax +@@ -897,12 +956,12 @@ L$ctr32_loop: + movq %rcx,%r10 + movq %rbx,%rcx + movq %rbx,%r11 +- testq $15,%rdi ++ testq $0x0f,%rdi + cmovnzq %rsp,%rdi +- testq $15,%rsi ++ testq $0x0f,%rsi + jz L$ctr32_inp_aligned + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + movq %rbx,%rcx + movq %rdi,%rsi +@@ -910,23 +969,23 @@ L$ctr32_inp_aligned: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + movl -4(%rdx),%eax +- testl $4294901760,%eax ++ testl $0xffff0000,%eax + jnz L$ctr32_no_carry + bswapl %eax +- addl $65536,%eax ++ addl $0x10000,%eax + bswapl %eax + movl %eax,-4(%rdx) + L$ctr32_no_carry: + movq %r8,%rdi + movq %r11,%rbx +- testq $15,%rdi ++ testq $0x0f,%rdi + jz L$ctr32_out_aligned + movq %rbx,%rcx + leaq (%rsp),%rsi + shrq $3,%rcx +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + subq %rbx,%rdi + L$ctr32_out_aligned: + movq %r9,%rsi +@@ -944,7 +1003,7 @@ L$ctr32_out_aligned: + cmoveq %rdi,%rax + addq %rcx,%rax + negq %rax +- andq $4095,%rax ++ andq $0xfff,%rax + cmpq $32,%rax + movq $-32,%rax + cmovaeq %rbx,%rax +@@ -959,7 +1018,7 @@ L$ctr32_unaligned_tail: + subq %rax,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + movq %rsp,%rsi + movq %r8,%rdi + movq %rbx,%rcx +@@ -986,7 +1045,7 @@ L$ctr32_aligned: + movl -4(%rdx),%eax + bswapl %eax + negl %eax +- andl $65535,%eax ++ andl $0xffff,%eax + movq $1048576,%rbx + shll $4,%eax + cmovzq %rbx,%rax +@@ -1003,11 +1062,11 @@ L$ctr32_aligned_loop: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + 
shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + + movl -4(%rdx),%eax + bswapl %eax +- addl $65536,%eax ++ addl $0x10000,%eax + bswapl %eax + movl %eax,-4(%rdx) + +@@ -1021,7 +1080,7 @@ L$ctr32_aligned_loop: + L$ctr32_aligned_skip: + leaq (%rsi,%rcx,1),%rbp + negq %rbp +- andq $4095,%rbp ++ andq $0xfff,%rbp + xorl %eax,%eax + cmpq $32,%rbp + movq $32-1,%rbp +@@ -1032,7 +1091,7 @@ L$ctr32_aligned_skip: + leaq -16(%rdx),%rax + leaq 16(%rdx),%rbx + shrq $4,%rcx +-.byte 0xf3,0x0f,0xa7,216 ++.byte 0xf3,0x0f,0xa7,216 + testq %rbp,%rbp + jz L$ctr32_exit + +@@ -1044,7 +1103,7 @@ L$ctr32_aligned_tail: + subq %rcx,%rsp + shrq $3,%rcx + leaq (%rsp),%rdi +-.byte 0xf3,0x48,0xa5 ++.byte 0xf3,0x48,0xa5 + leaq (%r8),%rdi + leaq (%rsp),%rsi + movq %rbx,%rcx +@@ -1057,6 +1116,7 @@ L$ctr32_abort: + popq %rbp + .byte 0xf3,0xc3 + ++ + .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,95,54,52,32,109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 + .p2align 4 + .data +diff --git a/lib/accelerated/x86/macosx/ghash-x86_64.s b/lib/accelerated/x86/macosx/ghash-x86_64.s +index 5fd321675..974d34dc7 100644 +--- a/lib/accelerated/x86/macosx/ghash-x86_64.s ++++ b/lib/accelerated/x86/macosx/ghash-x86_64.s +@@ -45,6 +45,7 @@ + .p2align 4 + _gcm_gmult_4bit: + ++.byte 243,15,30,250 + pushq %rbx + + pushq %rbp +@@ -150,6 +151,7 @@ L$gmult_epilogue: + .p2align 4 + _gcm_ghash_4bit: + ++.byte 243,15,30,250 + pushq %rbx + + pushq %rbp +@@ -891,6 +893,7 @@ L$_init_clmul: + .p2align 4 + _gcm_gmult_clmul: + ++.byte 243,15,30,250 + L$_gmult_clmul: + movdqu (%rdi),%xmm0 + movdqa L$bswap_mask(%rip),%xmm5 +@@ -944,6 +947,7 @@ L$_gmult_clmul: + .p2align 5 + _gcm_ghash_clmul: + ++.byte 243,15,30,250 + L$_ghash_clmul: + movdqa L$bswap_mask(%rip),%xmm10 + +@@ -1438,6 +1442,7 @@ L$init_start_avx: + .p2align 5 + _gcm_gmult_avx: + ++.byte 243,15,30,250 + jmp L$_gmult_clmul + + +@@ -1446,6 +1451,7 @@ 
_gcm_gmult_avx: + .p2align 5 + _gcm_ghash_avx: + ++.byte 243,15,30,250 + vzeroupper + + vmovdqu (%rdi),%xmm10 +diff --git a/lib/accelerated/x86/macosx/sha1-ssse3-x86.s b/lib/accelerated/x86/macosx/sha1-ssse3-x86.s +index 985d4af8d..f51c5a318 100644 +--- a/lib/accelerated/x86/macosx/sha1-ssse3-x86.s ++++ b/lib/accelerated/x86/macosx/sha1-ssse3-x86.s +@@ -42,6 +42,7 @@ + .align 4 + _sha1_block_data_order: + L_sha1_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s +index a576acc25..7b5d9dfc9 100644 +--- a/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s ++++ b/lib/accelerated/x86/macosx/sha1-ssse3-x86_64.s +@@ -1460,10 +1460,10 @@ L$oop_shaext: + pshufd $27,%xmm1,%xmm1 + movdqu %xmm0,(%rdi) + movd %xmm1,16(%rdi) +- + .byte 0xf3,0xc3 + + ++ + .p2align 4 + sha1_block_data_order_ssse3: + _ssse3_shortcut: +diff --git a/lib/accelerated/x86/macosx/sha256-ssse3-x86.s b/lib/accelerated/x86/macosx/sha256-ssse3-x86.s +index 8d257109c..36781d480 100644 +--- a/lib/accelerated/x86/macosx/sha256-ssse3-x86.s ++++ b/lib/accelerated/x86/macosx/sha256-ssse3-x86.s +@@ -42,6 +42,7 @@ + .align 4 + _sha256_block_data_order: + L_sha256_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s +index fd0c24735..9fed36b9c 100644 +--- a/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s ++++ b/lib/accelerated/x86/macosx/sha256-ssse3-x86_64.s +@@ -1814,6 +1814,7 @@ K256: + .p2align 6 + sha256_block_data_order_shaext: + _shaext_shortcut: ++ + leaq K256+128(%rip),%rcx + movdqu (%rdi),%xmm1 + movdqu 16(%rdi),%xmm2 +@@ -2018,6 +2019,7 @@ L$oop_shaext: + .byte 0xf3,0xc3 + + ++ + .p2align 6 + sha256_block_data_order_ssse3: + +@@ -4277,7 +4279,15 @@ L$oop_avx2: + vmovdqa %ymm4,0(%rsp) + xorl %r14d,%r14d + vmovdqa 
%ymm5,32(%rsp) ++ ++ movq 88(%rsp),%rdi ++ + leaq -64(%rsp),%rsp ++ ++ ++ ++ movq %rdi,-8(%rsp) ++ + movl %ebx,%edi + vmovdqa %ymm6,0(%rsp) + xorl %ecx,%edi +@@ -4289,6 +4299,12 @@ L$oop_avx2: + .p2align 4 + L$avx2_00_47: + leaq -64(%rsp),%rsp ++ ++ ++ pushq 64-8(%rsp) ++ ++ leaq 8(%rsp),%rsp ++ + vpalignr $4,%ymm0,%ymm1,%ymm4 + addl 0+128(%rsp),%r11d + andl %r8d,%r12d +@@ -4544,6 +4560,12 @@ L$avx2_00_47: + movl %r9d,%r12d + vmovdqa %ymm6,32(%rsp) + leaq -64(%rsp),%rsp ++ ++ ++ pushq 64-8(%rsp) ++ ++ leaq 8(%rsp),%rsp ++ + vpalignr $4,%ymm2,%ymm3,%ymm4 + addl 0+128(%rsp),%r11d + andl %r8d,%r12d +@@ -5419,6 +5441,8 @@ L$ower_avx2: + + leaq 448(%rsp),%rsp + ++ ++ + addl 0(%rdi),%eax + addl 4(%rdi),%ebx + addl 8(%rdi),%ecx +@@ -5444,9 +5468,11 @@ L$ower_avx2: + jbe L$oop_avx2 + leaq (%rsp),%rbp + ++ ++ ++ + L$done_avx2: +- leaq (%rbp),%rsp +- movq 88(%rsp),%rsi ++ movq 88(%rbp),%rsi + + vzeroupper + movq -48(%rsi),%r15 +diff --git a/lib/accelerated/x86/macosx/sha512-ssse3-x86.s b/lib/accelerated/x86/macosx/sha512-ssse3-x86.s +index 4e60bb45f..248a35ee1 100644 +--- a/lib/accelerated/x86/macosx/sha512-ssse3-x86.s ++++ b/lib/accelerated/x86/macosx/sha512-ssse3-x86.s +@@ -42,6 +42,7 @@ + .align 4 + _sha512_block_data_order: + L_sha512_block_data_order_begin: ++.byte 243,15,30,251 + pushl %ebp + pushl %ebx + pushl %esi +diff --git a/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s b/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s +index 8bf161601..e78d90f2d 100644 +--- a/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s ++++ b/lib/accelerated/x86/macosx/sha512-ssse3-x86_64.s +@@ -4204,7 +4204,15 @@ L$oop_avx2: + vmovdqa %ymm10,64(%rsp) + vpaddq 64(%rbp),%ymm6,%ymm10 + vmovdqa %ymm11,96(%rsp) ++ ++ movq 152(%rsp),%rdi ++ + leaq -128(%rsp),%rsp ++ ++ ++ ++ movq %rdi,-8(%rsp) ++ + vpaddq 96(%rbp),%ymm7,%ymm11 + vmovdqa %ymm8,0(%rsp) + xorq %r14,%r14 +@@ -4220,6 +4228,12 @@ L$oop_avx2: + .p2align 4 + L$avx2_00_47: + leaq -128(%rsp),%rsp ++ ++ ++ pushq 128-8(%rsp) ++ ++ leaq 
8(%rsp),%rsp ++ + vpalignr $8,%ymm0,%ymm1,%ymm8 + addq 0+256(%rsp),%r11 + andq %r8,%r12 +@@ -4513,6 +4527,12 @@ L$avx2_00_47: + movq %r9,%r12 + vmovdqa %ymm10,96(%rsp) + leaq -128(%rsp),%rsp ++ ++ ++ pushq 128-8(%rsp) ++ ++ leaq 8(%rsp),%rsp ++ + vpalignr $8,%ymm4,%ymm5,%ymm8 + addq 0+256(%rsp),%r11 + andq %r8,%r12 +@@ -5426,6 +5446,8 @@ L$ower_avx2: + + leaq 1152(%rsp),%rsp + ++ ++ + addq 0(%rdi),%rax + addq 8(%rdi),%rbx + addq 16(%rdi),%rcx +@@ -5451,9 +5473,11 @@ L$ower_avx2: + jbe L$oop_avx2 + leaq (%rsp),%rbp + ++ ++ ++ + L$done_avx2: +- leaq (%rbp),%rsp +- movq 152(%rsp),%rsi ++ movq 152(%rbp),%rsi + + vzeroupper + movq -48(%rsi),%r15 +-- +2.25.4 + diff --git a/SOURCES/gnutls-3.6.14-autogen-int.patch b/SOURCES/gnutls-3.6.14-autogen-int.patch new file mode 100644 index 0000000..6723acb --- /dev/null +++ b/SOURCES/gnutls-3.6.14-autogen-int.patch 
@@ -0,0 +1,36 @@ +From cf1de82bedd01c01e70921699c84a473b08d0dab Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 1 Jun 2020 17:23:59 +0200 +Subject: [PATCH] serv: omit upper bound of --maxearlydata option definition + +It turned out that AutoGen treats numbers that exceed INT_MAX in a +platform dependent way. In this case, 4294967295 (UINT_MAX) is +treated as is on 64-bit platforms, while it is interpreted as "-1" on +32-bit platforms. This causes a problem when the program +documentation is compiled under multilib environment. + +Reported by Ivan Molodetskikh in: +https://bugzilla.redhat.com/show_bug.cgi?id=1841844 +and the cause was identified by Anderson Toshiyuki Sasaki. + +Signed-off-by: Daiki Ueno +--- + src/serv-args.def | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/serv-args.def b/src/serv-args.def +index 996fbe36b..a584085e2 100644 +--- a/src/serv-args.def ++++ b/src/serv-args.def +@@ -51,7 +51,7 @@ flag = { + flag = { + name = maxearlydata; + arg-type = number; +- arg-range = "1->4294967295"; ++ arg-range = "1->"; + descrip = "The maximum early data size to accept"; + doc = ""; + }; +-- +2.26.2 + diff --git a/SOURCES/gnutls-3.6.14-fips-dh-check.patch b/SOURCES/gnutls-3.6.14-fips-dh-check.patch new file mode 100644 index 0000000..40d579f --- /dev/null +++ b/SOURCES/gnutls-3.6.14-fips-dh-check.patch 
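Review bot: With the upper bound removed, `arg-range = "1->";` makes AutoGen accept any value its number parser can represent, so on 64-bit builds a `--maxearlydata` above 4294967295 now passes the option layer that previously rejected it. Whatever consumes the option value (not in this hunk) should bound it explicitly before it is converted to the early-data limit type, since the portability workaround moves that responsibility out of the definition file. A one-line remark next to the option, `doc = "Values are range-checked by the server after parsing";`, or equivalent wording, would record where the check now lives.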
@@ -0,0 +1,676 @@ +From bea53f1b46a64d6dcf5bbe4794740c4d4459f9bf Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 10 Jul 2020 09:35:49 +0200 +Subject: [PATCH 1/5] dh: check validity of Z before export + +SP800-56A rev3 section 5.7.1.1 step 2 mandates that the validity of the +calculated shared secret is verified before the data is returned to the +caller. This patch adds the validation check. + +Suggested by Stephan Mueller. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 26 +++++++++++++++++--------- + 1 file changed, 17 insertions(+), 9 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 57a8560ed..08c7d4860 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -288,7 +288,7 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, + switch (algo) { + case GNUTLS_PK_DH: { + bigint_t f, x, q, prime; +- bigint_t k = NULL, ff = NULL, r = NULL; ++ bigint_t k = NULL, primesub1 = NULL, r = NULL; + unsigned int bits; + + if (nonce != NULL) +@@ -299,21 +299,20 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, + q = priv->params[DH_Q]; + prime = priv->params[DH_P]; + +- ret = _gnutls_mpi_init_multi(&k, &ff, &r, NULL); ++ ret = _gnutls_mpi_init_multi(&k, &primesub1, &r, NULL); + if (ret < 0) + return gnutls_assert_val(ret); + +- ret = _gnutls_mpi_add_ui(ff, f, 1); ++ ret = _gnutls_mpi_sub_ui(primesub1, prime, 1); + if (ret < 0) { + gnutls_assert(); + goto dh_cleanup; + } + +- /* check if f==0,1, or f >= p-1. 
+- * or (ff=f+1) equivalently ff==1,2, ff >= p */ +- if ((_gnutls_mpi_cmp_ui(ff, 2) == 0) +- || (_gnutls_mpi_cmp_ui(ff, 1) == 0) +- || (_gnutls_mpi_cmp(ff, prime) >= 0)) { ++ /* check if f==0,1, or f >= p-1 */ ++ if ((_gnutls_mpi_cmp_ui(f, 1) == 0) ++ || (_gnutls_mpi_cmp_ui(f, 0) == 0) ++ || (_gnutls_mpi_cmp(f, primesub1) >= 0)) { + gnutls_assert(); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto dh_cleanup; +@@ -354,6 +353,15 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, + goto dh_cleanup; + } + ++ /* check if k==0,1, or k = p-1 */ ++ if ((_gnutls_mpi_cmp_ui(k, 1) == 0) ++ || (_gnutls_mpi_cmp_ui(k, 0) == 0) ++ || (_gnutls_mpi_cmp(k, primesub1) == 0)) { ++ gnutls_assert(); ++ ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; ++ goto dh_cleanup; ++ } ++ + if (flags & PK_DERIVE_TLS13) { + ret = + _gnutls_mpi_dprint_size(k, out, +@@ -370,7 +378,7 @@ static int _wrap_nettle_pk_derive(gnutls_pk_algorithm_t algo, + ret = 0; + dh_cleanup: + _gnutls_mpi_release(&r); +- _gnutls_mpi_release(&ff); ++ _gnutls_mpi_release(&primesub1); + zrelease_temp_mpi_key(&k); + if (ret < 0) + goto cleanup; +-- +2.26.2 + + +From 13202600d3e42258d8758b05ff45a3e3d0f07e4e Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 10 Jul 2020 09:42:30 +0200 +Subject: [PATCH 2/5] ecdh: check validity of P before export + +SP800-56A rev3 section 5.7.1.2 step 2 mandates that the validity of +the calculated shared secret is verified before the data is returned +to the caller. This patch adds the validation check. + +Suggested by Stephan Mueller. 
+ +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 08c7d4860..7f0fa8e03 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -229,25 +229,38 @@ _gost_params_to_pubkey(const gnutls_pk_params_st * pk_params, + } + #endif + +-static void ++static int + ecc_shared_secret(struct ecc_scalar *private_key, + struct ecc_point *public_key, void *out, unsigned size) + { + struct ecc_point r; +- mpz_t x; ++ mpz_t x, y; ++ int ret = 0; + + mpz_init(x); ++ mpz_init(y); + ecc_point_init(&r, public_key->ecc); + + ecc_point_mul(&r, private_key, public_key); + +- ecc_point_get(&r, x, NULL); ++ ecc_point_get(&r, x, y); ++ ++ /* Check if the point is not an identity element. Note that this cannot ++ * happen in nettle implementation, because it cannot represent an ++ * infinity point. */ ++ if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) { ++ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ++ goto cleanup; ++ } ++ + nettle_mpz_get_str_256(size, out, x); + ++ cleanup: + mpz_clear(x); ++ mpz_clear(y); + ecc_point_clear(&r); + +- return; ++ return ret; + } + + #define MAX_DH_BITS DEFAULT_MAX_VERIFY_BITS +@@ -423,8 +436,10 @@ dh_cleanup: + goto ecc_cleanup; + } + +- ecc_shared_secret(&ecc_priv, &ecc_pub, out->data, +- out->size); ++ ret = ecc_shared_secret(&ecc_priv, &ecc_pub, out->data, ++ out->size); ++ if (ret < 0) ++ gnutls_free(out->data); + + ecc_cleanup: + ecc_point_clear(&ecc_pub); +-- +2.26.2 + + +From 245fb622e82bfa7b80d2cec7cafdbc65014ca3cb Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 17 Jul 2020 17:45:17 +0200 +Subject: [PATCH 3/5] dh-primes: make the FIPS approved check return Q value + +This is necessary for full public key validation in +SP800-56A (revision 3), section 5.6.2.3.1. 
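Review bot: In the ECC branch of `_wrap_nettle_pk_derive`, the new failure path frees the buffer with `gnutls_free(out->data)` but leaves `out->size` at the old length and, unless `gnutls_free` here is the pointer-nulling macro form, `out->data` dangling for the caller. Resetting the datum on that path, `out->data = NULL; out->size = 0;`, keeps the error return safe regardless of which `gnutls_free` variant is in scope. The enclosing `_wrap_nettle_pk_derive` starts and ends outside the hunk.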
+ +Signed-off-by: Daiki Ueno +--- + lib/auth/dh_common.c | 2 +- + lib/dh-primes.c | 38 +++++++++++++++++++++++--------------- + lib/dh.h | 10 ++++++---- + 3 files changed, 30 insertions(+), 20 deletions(-) + +diff --git a/lib/auth/dh_common.c b/lib/auth/dh_common.c +index 252eea0cb..fcd696d4d 100644 +--- a/lib/auth/dh_common.c ++++ b/lib/auth/dh_common.c +@@ -259,7 +259,7 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, + + #ifdef ENABLE_FIPS140 + if (gnutls_fips140_mode_enabled() && +- !_gnutls_dh_prime_is_fips_approved(data_p, n_p, data_g, n_g)) { ++ !_gnutls_dh_prime_match_fips_approved(data_p, n_p, data_g, n_g, NULL, NULL)) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + } +diff --git a/lib/dh-primes.c b/lib/dh-primes.c +index a43a8e5de..a440b5b98 100644 +--- a/lib/dh-primes.c ++++ b/lib/dh-primes.c +@@ -1894,25 +1894,28 @@ const gnutls_datum_t gnutls_modp_8192_group_generator = { + const unsigned int gnutls_modp_8192_key_bits = 512; + + unsigned +-_gnutls_dh_prime_is_fips_approved(const uint8_t *prime, +- size_t prime_size, +- const uint8_t *generator, +- size_t generator_size) ++_gnutls_dh_prime_match_fips_approved(const uint8_t *prime, ++ size_t prime_size, ++ const uint8_t *generator, ++ size_t generator_size, ++ uint8_t **q, ++ size_t *q_size) + { + static const struct { + const gnutls_datum_t *prime; + const gnutls_datum_t *generator; ++ const gnutls_datum_t *q; + } primes[] = { +- { &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator }, +- { &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator }, +- { &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator }, +- { &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator }, +- { &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator }, +- { &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator }, +- { &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator }, +- { 
&gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator }, +- { &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator }, +- { &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator }, ++ { &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator, &gnutls_ffdhe_8192_group_q }, ++ { &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator, &gnutls_ffdhe_6144_group_q }, ++ { &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator, &gnutls_ffdhe_4096_group_q }, ++ { &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator, &gnutls_ffdhe_3072_group_q }, ++ { &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator, &gnutls_ffdhe_2048_group_q }, ++ { &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator, &gnutls_modp_8192_group_q }, ++ { &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator, &gnutls_modp_6144_group_q }, ++ { &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator, &gnutls_modp_4096_group_q }, ++ { &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator, &gnutls_modp_3072_group_q }, ++ { &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator, &gnutls_modp_2048_group_q }, + }; + size_t i; + +@@ -1920,8 +1923,13 @@ _gnutls_dh_prime_is_fips_approved(const uint8_t *prime, + if (primes[i].prime->size == prime_size && + memcmp(primes[i].prime->data, prime, primes[i].prime->size) == 0 && + primes[i].generator->size == generator_size && +- memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0) ++ memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0) { ++ if (q) { ++ *q = primes[i].q->data; ++ *q_size = primes[i].q->size; ++ } + return 1; ++ } + } + + return 0; +diff --git a/lib/dh.h b/lib/dh.h +index 672451947..f5c2c0924 100644 +--- a/lib/dh.h ++++ b/lib/dh.h +@@ -61,9 +61,11 @@ extern const gnutls_datum_t gnutls_modp_2048_group_generator; + extern const unsigned int 
gnutls_modp_2048_key_bits; + + unsigned +-_gnutls_dh_prime_is_fips_approved(const uint8_t *prime, +- size_t prime_size, +- const uint8_t *generator, +- size_t generator_size); ++_gnutls_dh_prime_match_fips_approved(const uint8_t *prime, ++ size_t prime_size, ++ const uint8_t *generator, ++ size_t generator_size, ++ uint8_t **q, ++ size_t *q_size); + + #endif /* GNUTLS_LIB_DH_H */ +-- +2.26.2 + + +From 8b575625614fbe5a22b68dc8d1877efb1d44dd37 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 17 Jul 2020 17:47:06 +0200 +Subject: [PATCH 4/5] dh: perform SP800-56A rev3 full pubkey validation on + keygen + +This implements full public key validation required in SP800-56A rev3, +section 5.6.2.3.1. + +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 90 insertions(+) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 7f0fa8e03..057836bc2 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -71,6 +71,7 @@ + #include "int/dsa-compute-k.h" + #include + #include ++#include "dh.h" + + static inline const struct ecc_curve *get_supported_nist_curve(int curve); + static inline const struct ecc_curve *get_supported_gost_curve(int curve); +@@ -2131,6 +2132,53 @@ edwards_curve_mul_g(gnutls_pk_algorithm_t algo, + } + } + ++static inline int ++dh_find_q(const gnutls_pk_params_st *pk_params, mpz_t q) ++{ ++ gnutls_datum_t prime = { NULL, 0 }; ++ gnutls_datum_t generator = { NULL, 0 }; ++ uint8_t *data_q; ++ size_t n_q; ++ bigint_t _q; ++ int ret = 0; ++ ++ ret = _gnutls_mpi_dprint(pk_params->params[DSA_P], &prime); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ ret = _gnutls_mpi_dprint(pk_params->params[DSA_G], &generator); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ ++ if (!_gnutls_dh_prime_match_fips_approved(prime.data, ++ prime.size, ++ generator.data, ++ generator.size, ++ &data_q, ++ &n_q)) { ++ ret = gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ goto 
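Review bot: The new `_gnutls_dh_prime_match_fips_approved` signature in `dh.h` carries no documentation of the `q`/`q_size` contract: `*q_size` is only written when `q` is non-NULL, and `*q` aliases the static table's data rather than a copy. A short header above the declaration, `/* Returns 1 if (prime, generator) is a FIPS-approved group; when q is non-NULL, *q/*q_size receive a borrowed pointer to the group order q (do not free). q and q_size must both be NULL or both non-NULL. */`, would keep future callers from freeing or dereferencing it incorrectly.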
cleanup; ++ } ++ ++ if (_gnutls_mpi_init_scan_nz(&_q, data_q, n_q) != 0) { ++ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED); ++ goto cleanup; ++ } ++ ++ mpz_set(q, TOMPZ(_q)); ++ _gnutls_mpi_release(&_q); ++ ++ cleanup: ++ gnutls_free(prime.data); ++ gnutls_free(generator.data); ++ ++ return ret; ++} ++ + /* To generate a DH key either q must be set in the params or + * level should be set to the number of required bits. + */ +@@ -2212,6 +2260,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + mpz_t x, y; + int max_tries; + unsigned have_q = 0; ++ mpz_t q; ++ mpz_t primesub1; ++ mpz_t ypowq; + + if (algo != params->algo) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); +@@ -2229,6 +2280,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + mpz_init(x); + mpz_init(y); + ++ mpz_init(q); ++ mpz_init(primesub1); ++ mpz_init(ypowq); ++ + max_tries = 3; + do { + if (have_q) { +@@ -2260,8 +2315,40 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + ret = GNUTLS_E_LIB_IN_ERROR_STATE; + goto dh_fail; + } ++ + } while(mpz_cmp_ui(y, 1) == 0); + ++#ifdef ENABLE_FIPS140 ++ if (_gnutls_fips_mode_enabled()) { ++ /* Perform FFC full public key validation checks ++ * according to SP800-56A (revision 3), 5.6.2.3.1. 
++ */ ++ ++ /* Step 1: 2 <= y <= p - 2 */ ++ mpz_sub_ui(primesub1, pub.p, 1); ++ ++ if (mpz_cmp_ui(y, 2) < 0 || mpz_cmp(y, primesub1) >= 0) { ++ ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); ++ goto dh_fail; ++ } ++ ++ /* Step 2: 1 = y^q mod p */ ++ if (have_q) ++ mpz_set(q, pub.q); ++ else { ++ ret = dh_find_q(params, q); ++ if (ret < 0) ++ goto dh_fail; ++ } ++ ++ mpz_powm(ypowq, y, q, pub.p); ++ if (mpz_cmp_ui(ypowq, 1) != 0) { ++ ret = gnutls_assert_val(GNUTLS_E_RANDOM_FAILED); ++ goto dh_fail; ++ } ++ } ++#endif ++ + ret = _gnutls_mpi_init_multi(¶ms->params[DSA_Y], ¶ms->params[DSA_X], NULL); + if (ret < 0) { + gnutls_assert(); +@@ -2278,6 +2365,9 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + mpz_clear(r); + mpz_clear(x); + mpz_clear(y); ++ mpz_clear(q); ++ mpz_clear(primesub1); ++ mpz_clear(ypowq); + + if (ret < 0) + goto fail; +-- +2.26.2 + + +From 23756c8580dff99d0856adca49dd22a55352ad62 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sat, 18 Jul 2020 08:26:48 +0200 +Subject: [PATCH 5/5] ecdh: perform SP800-56A rev3 full pubkey validation on + keygen + +This implements full public key validation required in +SP800-56A rev3, section 5.6.2.3.3. 
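Review bot: The FIPS validation block in `wrap_nettle_pk_generate_keys` reports a failed step 2 (`mpz_cmp_ui(ypowq, 1) != 0`) as `GNUTLS_E_RANDOM_FAILED`, but for a freshly generated y this can only fail when the supplied p, g and q are inconsistent, which is a parameter problem rather than an RNG one; `GNUTLS_E_ILLEGAL_PARAMETER`, as the ECC path uses, or a comment explaining the choice would make diagnosis easier. `dh_find_q` also lacks a purpose comment; something like `/* Look up the subgroup order q of the FIPS-approved group whose p and g match params; fails with GNUTLS_E_INVALID_REQUEST for groups not in the approved table, which makes keygen fail in FIPS mode for such groups. */` states the behaviour callers need to know. The enclosing `wrap_nettle_pk_generate_keys` starts and ends outside the hunk.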
+ +Signed-off-by: Daiki Ueno +--- + lib/nettle/pk.c | 182 +++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 180 insertions(+), 2 deletions(-) + +diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c +index 057836bc2..588e9df50 100644 +--- a/lib/nettle/pk.c ++++ b/lib/nettle/pk.c +@@ -1552,6 +1552,80 @@ static inline const struct ecc_curve *get_supported_nist_curve(int curve) + } + } + ++static inline const char *get_supported_nist_curve_order(int curve) ++{ ++ static const struct { ++ int curve; ++ const char *order; ++ } orders[] = { ++#ifdef ENABLE_NON_SUITEB_CURVES ++ { GNUTLS_ECC_CURVE_SECP192R1, ++ "ffffffffffffffffffffffff99def836" ++ "146bc9b1b4d22831" }, ++ { GNUTLS_ECC_CURVE_SECP224R1, ++ "ffffffffffffffffffffffffffff16a2" ++ "e0b8f03e13dd29455c5c2a3d" }, ++#endif ++ { GNUTLS_ECC_CURVE_SECP256R1, ++ "ffffffff00000000ffffffffffffffff" ++ "bce6faada7179e84f3b9cac2fc632551" }, ++ { GNUTLS_ECC_CURVE_SECP384R1, ++ "ffffffffffffffffffffffffffffffff" ++ "ffffffffffffffffc7634d81f4372ddf" ++ "581a0db248b0a77aecec196accc52973" }, ++ { GNUTLS_ECC_CURVE_SECP521R1, ++ "1fffffffffffffffffffffffffffffff" ++ "ffffffffffffffffffffffffffffffff" ++ "ffa51868783bf2f966b7fcc0148f709a" ++ "5d03bb5c9b8899c47aebb6fb71e91386" ++ "409" }, ++ }; ++ size_t i; ++ ++ for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) { ++ if (orders[i].curve == curve) ++ return orders[i].order; ++ } ++ return NULL; ++} ++ ++static inline const char *get_supported_nist_curve_modulus(int curve) ++{ ++ static const struct { ++ int curve; ++ const char *order; ++ } orders[] = { ++#ifdef ENABLE_NON_SUITEB_CURVES ++ { GNUTLS_ECC_CURVE_SECP192R1, ++ "fffffffffffffffffffffffffffffffe" ++ "ffffffffffffffff" }, ++ { GNUTLS_ECC_CURVE_SECP224R1, ++ "ffffffffffffffffffffffffffffffff" ++ "000000000000000000000001" }, ++#endif ++ { GNUTLS_ECC_CURVE_SECP256R1, ++ "ffffffff000000010000000000000000" ++ "00000000ffffffffffffffffffffffff" }, ++ { GNUTLS_ECC_CURVE_SECP384R1, ++ 
"ffffffffffffffffffffffffffffffff" ++ "fffffffffffffffffffffffffffffffe" ++ "ffffffff0000000000000000ffffffff" }, ++ { GNUTLS_ECC_CURVE_SECP521R1, ++ "1ff" ++ "ffffffffffffffffffffffffffffffff" ++ "ffffffffffffffffffffffffffffffff" ++ "ffffffffffffffffffffffffffffffff" ++ "ffffffffffffffffffffffffffffffff" }, ++ }; ++ size_t i; ++ ++ for (i = 0; i < sizeof(orders)/sizeof(orders[0]); i++) { ++ if (orders[i].curve == curve) ++ return orders[i].order; ++ } ++ return NULL; ++} ++ + static inline const struct ecc_curve *get_supported_gost_curve(int curve) + { + switch (curve) { +@@ -2507,6 +2581,10 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + struct ecc_scalar key; + struct ecc_point pub; + const struct ecc_curve *curve; ++ struct ecc_scalar n; ++ struct ecc_scalar m; ++ struct ecc_point r; ++ mpz_t x, y, xx, yy, nn, mm; + + curve = get_supported_nist_curve(level); + if (curve == NULL) +@@ -2514,8 +2592,18 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + gnutls_assert_val + (GNUTLS_E_ECC_UNSUPPORTED_CURVE); + ++ mpz_init(x); ++ mpz_init(y); ++ mpz_init(xx); ++ mpz_init(yy); ++ mpz_init(nn); ++ mpz_init(mm); ++ + ecc_scalar_init(&key, curve); + ecc_point_init(&pub, curve); ++ ecc_scalar_init(&n, curve); ++ ecc_scalar_init(&m, curve); ++ ecc_point_init(&r, curve); + + ecdsa_generate_keypair(&pub, &key, NULL, rnd_func); + if (HAVE_LIB_ERROR()) { +@@ -2533,15 +2621,105 @@ wrap_nettle_pk_generate_keys(gnutls_pk_algorithm_t algo, + params->curve = level; + params->params_nr = ECC_PRIVATE_PARAMS; + +- ecc_point_get(&pub, TOMPZ(params->params[ECC_X]), +- TOMPZ(params->params[ECC_Y])); ++ ecc_point_get(&pub, x, y); ++ ++#ifdef ENABLE_FIPS140 ++ if (_gnutls_fips_mode_enabled()) { ++ /* Perform ECC full public key validation checks ++ * according to SP800-56A (revision 3), 5.6.2.3.3. ++ */ ++ ++ const char *order, *modulus; ++ ++ /* Step 1: verify that Q is not an identity ++ * element (an infinity point). 
Note that this ++ * cannot happen in the nettle implementation, ++ * because it cannot represent an infinity point ++ * on curves. */ ++ if (mpz_cmp_ui(x, 0) == 0 && mpz_cmp_ui(y, 0) == 0) { ++ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ++ goto ecc_fail; ++ } ++ ++ /* Step 2: verify that both coordinates of Q are ++ * in the range [0, p - 1]. ++ * ++ * Step 3: verify that Q lie on the curve ++ * ++ * Both checks are performed in nettle. */ ++ if (!ecc_point_set(&r, x, y)) { ++ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ++ goto ecc_fail; ++ } ++ ++ /* Step 4: verify that n * Q, where n is the ++ * curve order, result in an identity element ++ * ++ * Since nettle internally cannot represent an ++ * identity element on curves, we validate this ++ * instead: ++ * ++ * (n - 1) * Q = -Q ++ * ++ * That effectively means: n * Q = -Q + Q = O ++ */ ++ order = get_supported_nist_curve_order(level); ++ if (unlikely(order == NULL)) { ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto ecc_fail; ++ } ++ ++ ret = mpz_set_str(nn, order, 16); ++ if (unlikely(ret < 0)) { ++ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED); ++ goto ecc_fail; ++ } ++ ++ modulus = get_supported_nist_curve_modulus(level); ++ if (unlikely(modulus == NULL)) { ++ ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ goto ecc_fail; ++ } ++ ++ ret = mpz_set_str(mm, modulus, 16); ++ if (unlikely(ret < 0)) { ++ ret = gnutls_assert_val(GNUTLS_E_MPI_SCAN_FAILED); ++ goto ecc_fail; ++ } ++ ++ /* (n - 1) * Q = -Q */ ++ mpz_sub_ui (nn, nn, 1); ++ ecc_scalar_set(&n, nn); ++ ecc_point_mul(&r, &n, &r); ++ ecc_point_get(&r, xx, yy); ++ mpz_sub (mm, mm, y); ++ ++ if (mpz_cmp(xx, x) != 0 || mpz_cmp(yy, mm) != 0) { ++ ret = gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); ++ goto ecc_fail; ++ } ++ } ++#endif ++ ++ mpz_set(TOMPZ(params->params[ECC_X]), x); ++ mpz_set(TOMPZ(params->params[ECC_Y]), y); ++ + ecc_scalar_get(&key, TOMPZ(params->params[ECC_K])); + + ret = 0; + + ecc_fail: ++ 
mpz_clear(x); ++ mpz_clear(y); ++ mpz_clear(xx); ++ mpz_clear(yy); ++ mpz_clear(nn); ++ mpz_clear(mm); + ecc_point_clear(&pub); + ecc_scalar_clear(&key); ++ ecc_point_clear(&r); ++ ecc_scalar_clear(&n); ++ ecc_scalar_clear(&m); + + if (ret < 0) + goto fail; +-- +2.26.2 + diff --git a/SOURCES/gnutls-3.6.14-fips-dh-primes.patch b/SOURCES/gnutls-3.6.14-fips-dh-primes.patch new file mode 100644 index 0000000..4aa5846 --- /dev/null +++ b/SOURCES/gnutls-3.6.14-fips-dh-primes.patch 
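Review bot: `struct ecc_scalar m` in the ECC branch of `wrap_nettle_pk_generate_keys` is initialised with `ecc_scalar_init(&m, curve)` and released with `ecc_scalar_clear(&m)`, but nothing ever sets or reads it, only the `mpz_t mm` is used for the modulus, so the declaration, init and clear can be dropped. Separately, `get_supported_nist_curve_modulus` reuses the `orders[]` array name and `.order` field from the order lookup; renaming them to `moduli[]`/`.modulus` avoids confusing the two tables. `ecc_point_mul(&r, &n, &r)` also uses `r` as both input and output, which is presumably fine for nettle but worth a one-line comment confirming aliasing is permitted. The enclosing function starts and ends outside the hunk.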
@@ -0,0 +1,1843 @@
+From 481e48f3236be42ff1fcb96f96c4efcbb2b69242 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Fri, 26 Jun 2020 09:43:02 +0200
+Subject: [PATCH 1/2] dh-primes: add MODP primes from RFC 3526
+
+Signed-off-by: Daiki Ueno
+---
+ lib/dh-primes.c | 933 ++++++++++++++++++++++++++++++++++++++++++++++++
+ lib/dh.h | 29 ++
+ 2 files changed, 962 insertions(+)
+
+diff --git a/lib/dh-primes.c b/lib/dh-primes.c
+index d785584d0..5d2dce0fb 100644
+--- a/lib/dh-primes.c
++++ b/lib/dh-primes.c
+@@ -960,4 +960,937 @@ const gnutls_datum_t gnutls_ffdhe_8192_group_generator = {
+ };
+ const unsigned int gnutls_ffdhe_8192_key_bits = 512;
+
++static const unsigned char modp_generator = 0x02;
++
++static const unsigned char modp_params_2048[] = {
++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68,
++ 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80,
++ 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08,
++ 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE,
++ 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A,
++ 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF,
++ 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
++ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14,
++ 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51,
++ 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62,
++ 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9,
++ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C,
++ 0xB6, 0xF4, 0x06, 0xB7, 0xED, 0xEE, 0x38,
++ 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE,
++ 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
++ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B,
++ 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63,
++ 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, 0x1C,
++ 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8,
++ 0xFD, 0x24, 0xCF, 0x5F, 0x83, 0x65, 0x5D,
++ 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62,
++ 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, 0x9E,
++ 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
++ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98,
++ 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18,
++ 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E,
++ 0x36, 0xCE, 0x3B, 0xE3, 
0x9E, 0x77, 0x2C, ++ 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, ++ 0xA2, 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, ++ 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, ++ 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, ++ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, ++ 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, ++ 0x05, 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, ++ 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF ++}; ++ ++static const unsigned char modp_q_2048[] = { ++ 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xE4, 0x87, 0xED, 0x51, 0x10, 0xB4, ++ 0x61, 0x1A, 0x62, 0x63, 0x31, 0x45, 0xC0, ++ 0x6E, 0x0E, 0x68, 0x94, 0x81, 0x27, 0x04, ++ 0x45, 0x33, 0xE6, 0x3A, 0x01, 0x05, 0xDF, ++ 0x53, 0x1D, 0x89, 0xCD, 0x91, 0x28, 0xA5, ++ 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, 0xF7, ++ 0xCA, 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, ++ 0x98, 0x15, 0x85, 0x36, 0xF9, 0x2F, 0x8A, ++ 0x1B, 0xA7, 0xF0, 0x9A, 0xB6, 0xB6, 0xA8, ++ 0xE1, 0x22, 0xF2, 0x42, 0xDA, 0xBB, 0x31, ++ 0x2F, 0x3F, 0x63, 0x7A, 0x26, 0x21, 0x74, ++ 0xD3, 0x1B, 0xF6, 0xB5, 0x85, 0xFF, 0xAE, ++ 0x5B, 0x7A, 0x03, 0x5B, 0xF6, 0xF7, 0x1C, ++ 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, 0xD7, ++ 0x4F, 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, ++ 0x24, 0x94, 0x33, 0x28, 0xF6, 0x72, 0x2D, ++ 0x9E, 0xE1, 0x00, 0x3E, 0x5C, 0x50, 0xB1, ++ 0xDF, 0x82, 0xCC, 0x6D, 0x24, 0x1B, 0x0E, ++ 0x2A, 0xE9, 0xCD, 0x34, 0x8B, 0x1F, 0xD4, ++ 0x7E, 0x92, 0x67, 0xAF, 0xC1, 0xB2, 0xAE, ++ 0x91, 0xEE, 0x51, 0xD6, 0xCB, 0x0E, 0x31, ++ 0x79, 0xAB, 0x10, 0x42, 0xA9, 0x5D, 0xCF, ++ 0x6A, 0x94, 0x83, 0xB8, 0x4B, 0x4B, 0x36, ++ 0xB3, 0x86, 0x1A, 0xA7, 0x25, 0x5E, 0x4C, ++ 0x02, 0x78, 0xBA, 0x36, 0x04, 0x65, 0x0C, ++ 0x10, 0xBE, 0x19, 0x48, 0x2F, 0x23, 0x17, ++ 0x1B, 0x67, 0x1D, 0xF1, 0xCF, 0x3B, 0x96, ++ 0x0C, 0x07, 0x43, 0x01, 0xCD, 0x93, 0xC1, ++ 0xD1, 0x76, 0x03, 0xD1, 0x47, 0xDA, 0xE2, ++ 0xAE, 0xF8, 0x37, 0xA6, 0x29, 0x64, 0xEF, ++ 0x15, 0xE5, 0xFB, 0x4A, 0xAC, 0x0B, 0x8C, ++ 0x1C, 0xCA, 0xA4, 0xBE, 0x75, 0x4A, 0xB5, ++ 0x72, 0x8A, 0xE9, 0x13, 0x0C, 0x4C, 0x7D, ++ 0x02, 
0x88, 0x0A, 0xB9, 0x47, 0x2D, 0x45, ++ 0x56, 0x55, 0x34, 0x7F, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF ++}; ++ ++const gnutls_datum_t gnutls_modp_2048_group_prime = { ++ (void *) modp_params_2048, sizeof(modp_params_2048) ++}; ++const gnutls_datum_t gnutls_modp_2048_group_q = { ++ (void *) modp_q_2048, sizeof(modp_q_2048) ++}; ++const gnutls_datum_t gnutls_modp_2048_group_generator = { ++ (void *) &modp_generator, sizeof(modp_generator) ++}; ++const unsigned int gnutls_modp_2048_key_bits = 256; ++ ++static const unsigned char modp_params_3072[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, ++ 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, ++ 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, ++ 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, ++ 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, ++ 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, ++ 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, ++ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, ++ 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, ++ 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, ++ 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, ++ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, ++ 0xB6, 0xF4, 0x06, 0xB7, 0xED, 0xEE, 0x38, ++ 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, ++ 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, ++ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, ++ 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, ++ 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, 0x1C, ++ 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, ++ 0xFD, 0x24, 0xCF, 0x5F, 0x83, 0x65, 0x5D, ++ 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, ++ 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, 0x9E, ++ 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, ++ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, ++ 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, ++ 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, ++ 0x36, 0xCE, 0x3B, 0xE3, 0x9E, 0x77, 0x2C, ++ 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, ++ 0xA2, 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, ++ 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, ++ 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, 
++ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, ++ 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, ++ 0x05, 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, ++ 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, ++ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, ++ 0xAB, 0xDF, 0x1C, 0xBA, 0x64, 0xEC, 0xFB, ++ 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, ++ 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, ++ 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, ++ 0xC7, 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, ++ 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, 0x4A, ++ 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, ++ 0x1A, 0xD2, 0xEE, 0x6B, 0xF1, 0x2F, 0xFA, ++ 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, ++ 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, 0x52, ++ 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, ++ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, ++ 0x6C, 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, ++ 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, ++ 0xE5, 0xAB, 0x31, 0x43, 0xDB, 0x5B, 0xFC, ++ 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, ++ 0x20, 0xA9, 0x3A, 0xD2, 0xCA, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ++}; ++ ++static const unsigned char modp_q_3072[] = { ++ 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xE4, 0x87, 0xED, 0x51, 0x10, 0xB4, ++ 0x61, 0x1A, 0x62, 0x63, 0x31, 0x45, 0xC0, ++ 0x6E, 0x0E, 0x68, 0x94, 0x81, 0x27, 0x04, ++ 0x45, 0x33, 0xE6, 0x3A, 0x01, 0x05, 0xDF, ++ 0x53, 0x1D, 0x89, 0xCD, 0x91, 0x28, 0xA5, ++ 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, 0xF7, ++ 0xCA, 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, ++ 0x98, 0x15, 0x85, 0x36, 0xF9, 0x2F, 0x8A, ++ 0x1B, 0xA7, 0xF0, 0x9A, 0xB6, 0xB6, 0xA8, ++ 0xE1, 0x22, 0xF2, 0x42, 0xDA, 0xBB, 0x31, ++ 0x2F, 0x3F, 0x63, 0x7A, 0x26, 0x21, 0x74, ++ 0xD3, 0x1B, 0xF6, 0xB5, 0x85, 0xFF, 0xAE, ++ 0x5B, 0x7A, 0x03, 0x5B, 0xF6, 0xF7, 0x1C, ++ 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, 0xD7, ++ 0x4F, 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, ++ 0x24, 0x94, 0x33, 0x28, 0xF6, 0x72, 0x2D, ++ 0x9E, 0xE1, 0x00, 0x3E, 0x5C, 0x50, 0xB1, ++ 0xDF, 0x82, 0xCC, 0x6D, 0x24, 0x1B, 0x0E, ++ 0x2A, 0xE9, 0xCD, 0x34, 0x8B, 0x1F, 0xD4, ++ 0x7E, 0x92, 
0x67, 0xAF, 0xC1, 0xB2, 0xAE, ++ 0x91, 0xEE, 0x51, 0xD6, 0xCB, 0x0E, 0x31, ++ 0x79, 0xAB, 0x10, 0x42, 0xA9, 0x5D, 0xCF, ++ 0x6A, 0x94, 0x83, 0xB8, 0x4B, 0x4B, 0x36, ++ 0xB3, 0x86, 0x1A, 0xA7, 0x25, 0x5E, 0x4C, ++ 0x02, 0x78, 0xBA, 0x36, 0x04, 0x65, 0x0C, ++ 0x10, 0xBE, 0x19, 0x48, 0x2F, 0x23, 0x17, ++ 0x1B, 0x67, 0x1D, 0xF1, 0xCF, 0x3B, 0x96, ++ 0x0C, 0x07, 0x43, 0x01, 0xCD, 0x93, 0xC1, ++ 0xD1, 0x76, 0x03, 0xD1, 0x47, 0xDA, 0xE2, ++ 0xAE, 0xF8, 0x37, 0xA6, 0x29, 0x64, 0xEF, ++ 0x15, 0xE5, 0xFB, 0x4A, 0xAC, 0x0B, 0x8C, ++ 0x1C, 0xCA, 0xA4, 0xBE, 0x75, 0x4A, 0xB5, ++ 0x72, 0x8A, 0xE9, 0x13, 0x0C, 0x4C, 0x7D, ++ 0x02, 0x88, 0x0A, 0xB9, 0x47, 0x2D, 0x45, ++ 0x55, 0x62, 0x16, 0xD6, 0x99, 0x8B, 0x86, ++ 0x82, 0x28, 0x3D, 0x19, 0xD4, 0x2A, 0x90, ++ 0xD5, 0xEF, 0x8E, 0x5D, 0x32, 0x76, 0x7D, ++ 0xC2, 0x82, 0x2C, 0x6D, 0xF7, 0x85, 0x45, ++ 0x75, 0x38, 0xAB, 0xAE, 0x83, 0x06, 0x3E, ++ 0xD9, 0xCB, 0x87, 0xC2, 0xD3, 0x70, 0xF2, ++ 0x63, 0xD5, 0xFA, 0xD7, 0x46, 0x6D, 0x84, ++ 0x99, 0xEB, 0x8F, 0x46, 0x4A, 0x70, 0x25, ++ 0x12, 0xB0, 0xCE, 0xE7, 0x71, 0xE9, 0x13, ++ 0x0D, 0x69, 0x77, 0x35, 0xF8, 0x97, 0xFD, ++ 0x03, 0x6C, 0xC5, 0x04, 0x32, 0x6C, 0x3B, ++ 0x01, 0x39, 0x9F, 0x64, 0x35, 0x32, 0x29, ++ 0x0F, 0x95, 0x8C, 0x0B, 0xBD, 0x90, 0x06, ++ 0x5D, 0xF0, 0x8B, 0xAB, 0xBD, 0x30, 0xAE, ++ 0xB6, 0x3B, 0x84, 0xC4, 0x60, 0x5D, 0x6C, ++ 0xA3, 0x71, 0x04, 0x71, 0x27, 0xD0, 0x3A, ++ 0x72, 0xD5, 0x98, 0xA1, 0xED, 0xAD, 0xFE, ++ 0x70, 0x7E, 0x88, 0x47, 0x25, 0xC1, 0x68, ++ 0x90, 0x54, 0x9D, 0x69, 0x65, 0x7F, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ++}; ++ ++const gnutls_datum_t gnutls_modp_3072_group_prime = { ++ (void *) modp_params_3072, sizeof(modp_params_3072) ++}; ++const gnutls_datum_t gnutls_modp_3072_group_q = { ++ (void *) modp_q_3072, sizeof(modp_q_3072) ++}; ++const gnutls_datum_t gnutls_modp_3072_group_generator = { ++ (void *) &modp_generator, sizeof(modp_generator) ++}; ++const unsigned int gnutls_modp_3072_key_bits = 276; ++ ++static const unsigned char 
modp_params_4096[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, ++ 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, ++ 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, ++ 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, ++ 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, ++ 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, ++ 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, ++ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, ++ 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, ++ 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, ++ 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, ++ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, ++ 0xB6, 0xF4, 0x06, 0xB7, 0xED, 0xEE, 0x38, ++ 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, ++ 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, ++ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, ++ 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, ++ 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, 0x1C, ++ 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, ++ 0xFD, 0x24, 0xCF, 0x5F, 0x83, 0x65, 0x5D, ++ 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, ++ 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, 0x9E, ++ 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, ++ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, ++ 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, ++ 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, ++ 0x36, 0xCE, 0x3B, 0xE3, 0x9E, 0x77, 0x2C, ++ 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, ++ 0xA2, 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, ++ 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, ++ 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, ++ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, ++ 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, ++ 0x05, 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, ++ 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, ++ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, ++ 0xAB, 0xDF, 0x1C, 0xBA, 0x64, 0xEC, 0xFB, ++ 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, ++ 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, ++ 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, ++ 0xC7, 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, ++ 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, 0x4A, ++ 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 
0x26, ++ 0x1A, 0xD2, 0xEE, 0x6B, 0xF1, 0x2F, 0xFA, ++ 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, ++ 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, 0x52, ++ 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, ++ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, ++ 0x6C, 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, ++ 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, ++ 0xE5, 0xAB, 0x31, 0x43, 0xDB, 0x5B, 0xFC, ++ 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, ++ 0x20, 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, ++ 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, 0x88, ++ 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, ++ 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, ++ 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, ++ 0x0B, 0xDA, 0x25, 0x83, 0xE9, 0xCA, 0x2A, ++ 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, ++ 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, ++ 0x14, 0x1F, 0xBE, 0xCA, 0xA6, 0x28, 0x7C, ++ 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, ++ 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, ++ 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, ++ 0xED, 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, ++ 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, 0x21, ++ 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, ++ 0xD5, 0xB0, 0x5A, 0xA9, 0x93, 0xB4, 0xEA, ++ 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, ++ 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, 0x4D, ++ 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF ++}; ++ ++static const unsigned char modp_q_4096[] = { ++ 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xE4, 0x87, 0xED, 0x51, 0x10, 0xB4, ++ 0x61, 0x1A, 0x62, 0x63, 0x31, 0x45, 0xC0, ++ 0x6E, 0x0E, 0x68, 0x94, 0x81, 0x27, 0x04, ++ 0x45, 0x33, 0xE6, 0x3A, 0x01, 0x05, 0xDF, ++ 0x53, 0x1D, 0x89, 0xCD, 0x91, 0x28, 0xA5, ++ 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, 0xF7, ++ 0xCA, 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, ++ 0x98, 0x15, 0x85, 0x36, 0xF9, 0x2F, 0x8A, ++ 0x1B, 0xA7, 0xF0, 0x9A, 0xB6, 0xB6, 0xA8, ++ 0xE1, 0x22, 0xF2, 0x42, 0xDA, 0xBB, 0x31, ++ 0x2F, 0x3F, 0x63, 0x7A, 0x26, 0x21, 0x74, ++ 0xD3, 0x1B, 0xF6, 0xB5, 0x85, 0xFF, 0xAE, ++ 0x5B, 0x7A, 0x03, 0x5B, 0xF6, 0xF7, 
0x1C, ++ 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, 0xD7, ++ 0x4F, 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, ++ 0x24, 0x94, 0x33, 0x28, 0xF6, 0x72, 0x2D, ++ 0x9E, 0xE1, 0x00, 0x3E, 0x5C, 0x50, 0xB1, ++ 0xDF, 0x82, 0xCC, 0x6D, 0x24, 0x1B, 0x0E, ++ 0x2A, 0xE9, 0xCD, 0x34, 0x8B, 0x1F, 0xD4, ++ 0x7E, 0x92, 0x67, 0xAF, 0xC1, 0xB2, 0xAE, ++ 0x91, 0xEE, 0x51, 0xD6, 0xCB, 0x0E, 0x31, ++ 0x79, 0xAB, 0x10, 0x42, 0xA9, 0x5D, 0xCF, ++ 0x6A, 0x94, 0x83, 0xB8, 0x4B, 0x4B, 0x36, ++ 0xB3, 0x86, 0x1A, 0xA7, 0x25, 0x5E, 0x4C, ++ 0x02, 0x78, 0xBA, 0x36, 0x04, 0x65, 0x0C, ++ 0x10, 0xBE, 0x19, 0x48, 0x2F, 0x23, 0x17, ++ 0x1B, 0x67, 0x1D, 0xF1, 0xCF, 0x3B, 0x96, ++ 0x0C, 0x07, 0x43, 0x01, 0xCD, 0x93, 0xC1, ++ 0xD1, 0x76, 0x03, 0xD1, 0x47, 0xDA, 0xE2, ++ 0xAE, 0xF8, 0x37, 0xA6, 0x29, 0x64, 0xEF, ++ 0x15, 0xE5, 0xFB, 0x4A, 0xAC, 0x0B, 0x8C, ++ 0x1C, 0xCA, 0xA4, 0xBE, 0x75, 0x4A, 0xB5, ++ 0x72, 0x8A, 0xE9, 0x13, 0x0C, 0x4C, 0x7D, ++ 0x02, 0x88, 0x0A, 0xB9, 0x47, 0x2D, 0x45, ++ 0x55, 0x62, 0x16, 0xD6, 0x99, 0x8B, 0x86, ++ 0x82, 0x28, 0x3D, 0x19, 0xD4, 0x2A, 0x90, ++ 0xD5, 0xEF, 0x8E, 0x5D, 0x32, 0x76, 0x7D, ++ 0xC2, 0x82, 0x2C, 0x6D, 0xF7, 0x85, 0x45, ++ 0x75, 0x38, 0xAB, 0xAE, 0x83, 0x06, 0x3E, ++ 0xD9, 0xCB, 0x87, 0xC2, 0xD3, 0x70, 0xF2, ++ 0x63, 0xD5, 0xFA, 0xD7, 0x46, 0x6D, 0x84, ++ 0x99, 0xEB, 0x8F, 0x46, 0x4A, 0x70, 0x25, ++ 0x12, 0xB0, 0xCE, 0xE7, 0x71, 0xE9, 0x13, ++ 0x0D, 0x69, 0x77, 0x35, 0xF8, 0x97, 0xFD, ++ 0x03, 0x6C, 0xC5, 0x04, 0x32, 0x6C, 0x3B, ++ 0x01, 0x39, 0x9F, 0x64, 0x35, 0x32, 0x29, ++ 0x0F, 0x95, 0x8C, 0x0B, 0xBD, 0x90, 0x06, ++ 0x5D, 0xF0, 0x8B, 0xAB, 0xBD, 0x30, 0xAE, ++ 0xB6, 0x3B, 0x84, 0xC4, 0x60, 0x5D, 0x6C, ++ 0xA3, 0x71, 0x04, 0x71, 0x27, 0xD0, 0x3A, ++ 0x72, 0xD5, 0x98, 0xA1, 0xED, 0xAD, 0xFE, ++ 0x70, 0x7E, 0x88, 0x47, 0x25, 0xC1, 0x68, ++ 0x90, 0x54, 0x90, 0x84, 0x00, 0x8D, 0x39, ++ 0x1E, 0x09, 0x53, 0xC3, 0xF3, 0x6B, 0xC4, ++ 0x38, 0xCD, 0x08, 0x5E, 0xDD, 0x2D, 0x93, ++ 0x4C, 0xE1, 0x93, 0x8C, 0x35, 0x7A, 0x71, ++ 0x1E, 0x0D, 0x4A, 0x34, 0x1A, 0x5B, 0x0A, ++ 0x85, 
0xED, 0x12, 0xC1, 0xF4, 0xE5, 0x15, ++ 0x6A, 0x26, 0x74, 0x6D, 0xDD, 0xE1, 0x6D, ++ 0x82, 0x6F, 0x47, 0x7C, 0x97, 0x47, 0x7E, ++ 0x0A, 0x0F, 0xDF, 0x65, 0x53, 0x14, 0x3E, ++ 0x2C, 0xA3, 0xA7, 0x35, 0xE0, 0x2E, 0xCC, ++ 0xD9, 0x4B, 0x27, 0xD0, 0x48, 0x61, 0xD1, ++ 0x11, 0x9D, 0xD0, 0xC3, 0x28, 0xAD, 0xF3, ++ 0xF6, 0x8F, 0xB0, 0x94, 0xB8, 0x67, 0x71, ++ 0x6B, 0xD7, 0xDC, 0x0D, 0xEE, 0xBB, 0x10, ++ 0xB8, 0x24, 0x0E, 0x68, 0x03, 0x48, 0x93, ++ 0xEA, 0xD8, 0x2D, 0x54, 0xC9, 0xDA, 0x75, ++ 0x4C, 0x46, 0xC7, 0xEE, 0xE0, 0xC3, 0x7F, ++ 0xDB, 0xEE, 0x48, 0x53, 0x60, 0x47, 0xA6, ++ 0xFA, 0x1A, 0xE4, 0x9A, 0x03, 0x18, 0xCC, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF ++}; ++ ++const gnutls_datum_t gnutls_modp_4096_group_prime = { ++ (void *) modp_params_4096, sizeof(modp_params_4096) ++}; ++const gnutls_datum_t gnutls_modp_4096_group_q = { ++ (void *) modp_q_4096, sizeof(modp_q_4096) ++}; ++const gnutls_datum_t gnutls_modp_4096_group_generator = { ++ (void *) &modp_generator, sizeof(modp_generator) ++}; ++const unsigned int gnutls_modp_4096_key_bits = 336; ++ ++static const unsigned char modp_params_6144[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, ++ 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, ++ 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, ++ 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, ++ 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, ++ 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, ++ 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, ++ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, ++ 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, ++ 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, ++ 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, ++ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, ++ 0xB6, 0xF4, 0x06, 0xB7, 0xED, 0xEE, 0x38, ++ 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, ++ 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, ++ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, ++ 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, ++ 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, 0x1C, ++ 0x55, 0xD3, 
0x9A, 0x69, 0x16, 0x3F, 0xA8, ++ 0xFD, 0x24, 0xCF, 0x5F, 0x83, 0x65, 0x5D, ++ 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, ++ 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, 0x9E, ++ 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, ++ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, ++ 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, ++ 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, ++ 0x36, 0xCE, 0x3B, 0xE3, 0x9E, 0x77, 0x2C, ++ 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, ++ 0xA2, 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, ++ 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, ++ 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, ++ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, ++ 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, ++ 0x05, 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, ++ 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, ++ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, ++ 0xAB, 0xDF, 0x1C, 0xBA, 0x64, 0xEC, 0xFB, ++ 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, ++ 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, ++ 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, ++ 0xC7, 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, ++ 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, 0x4A, ++ 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, ++ 0x1A, 0xD2, 0xEE, 0x6B, 0xF1, 0x2F, 0xFA, ++ 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, ++ 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, 0x52, ++ 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, ++ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, ++ 0x6C, 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, ++ 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, ++ 0xE5, 0xAB, 0x31, 0x43, 0xDB, 0x5B, 0xFC, ++ 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, ++ 0x20, 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, ++ 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, 0x88, ++ 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, ++ 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, ++ 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, ++ 0x0B, 0xDA, 0x25, 0x83, 0xE9, 0xCA, 0x2A, ++ 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, ++ 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, ++ 0x14, 0x1F, 0xBE, 0xCA, 0xA6, 0x28, 0x7C, ++ 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, ++ 0xB2, 0x96, 0x4F, 0xA0, 0x90, 
0xC3, 0xA2, ++ 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, ++ 0xED, 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, ++ 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, 0x21, ++ 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, ++ 0xD5, 0xB0, 0x5A, 0xA9, 0x93, 0xB4, 0xEA, ++ 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, ++ 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, 0x4D, ++ 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, ++ 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, ++ 0x26, 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, ++ 0x46, 0xDE, 0xC9, 0x75, 0x1E, 0x76, 0x3D, ++ 0xBA, 0x37, 0xBD, 0xF8, 0xFF, 0x94, 0x06, ++ 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, ++ 0x2F, 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, ++ 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, 0x17, ++ 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, ++ 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, ++ 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, ++ 0xBB, 0x1B, 0xDB, 0x7F, 0x14, 0x47, 0xE6, ++ 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51, ++ 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, ++ 0x01, 0x37, 0x8C, 0xD2, 0xBF, 0x59, 0x83, ++ 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, ++ 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, ++ 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, ++ 0xF6, 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, ++ 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31, 0x90, ++ 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, ++ 0xBE, 0xC7, 0xE8, 0xF3, 0x23, 0xA9, 0x7A, ++ 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, ++ 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, 0x4B, ++ 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, ++ 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, ++ 0xD8, 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, ++ 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, ++ 0x9B, 0xE3, 0x28, 0x06, 0xA1, 0xD5, 0x8B, ++ 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, ++ 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, ++ 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, 0xDA, ++ 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, ++ 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, ++ 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, ++ 0x60, 0xEE, 0x12, 0xBF, 0x2D, 0x5B, 0x0B, ++ 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E, ++ 
0x6D, 0xCC, 0x40, 0x24, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ++}; ++ ++static const unsigned char modp_q_6144[] = { ++ 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xE4, 0x87, 0xED, 0x51, 0x10, 0xB4, ++ 0x61, 0x1A, 0x62, 0x63, 0x31, 0x45, 0xC0, ++ 0x6E, 0x0E, 0x68, 0x94, 0x81, 0x27, 0x04, ++ 0x45, 0x33, 0xE6, 0x3A, 0x01, 0x05, 0xDF, ++ 0x53, 0x1D, 0x89, 0xCD, 0x91, 0x28, 0xA5, ++ 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, 0xF7, ++ 0xCA, 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, ++ 0x98, 0x15, 0x85, 0x36, 0xF9, 0x2F, 0x8A, ++ 0x1B, 0xA7, 0xF0, 0x9A, 0xB6, 0xB6, 0xA8, ++ 0xE1, 0x22, 0xF2, 0x42, 0xDA, 0xBB, 0x31, ++ 0x2F, 0x3F, 0x63, 0x7A, 0x26, 0x21, 0x74, ++ 0xD3, 0x1B, 0xF6, 0xB5, 0x85, 0xFF, 0xAE, ++ 0x5B, 0x7A, 0x03, 0x5B, 0xF6, 0xF7, 0x1C, ++ 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, 0xD7, ++ 0x4F, 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, ++ 0x24, 0x94, 0x33, 0x28, 0xF6, 0x72, 0x2D, ++ 0x9E, 0xE1, 0x00, 0x3E, 0x5C, 0x50, 0xB1, ++ 0xDF, 0x82, 0xCC, 0x6D, 0x24, 0x1B, 0x0E, ++ 0x2A, 0xE9, 0xCD, 0x34, 0x8B, 0x1F, 0xD4, ++ 0x7E, 0x92, 0x67, 0xAF, 0xC1, 0xB2, 0xAE, ++ 0x91, 0xEE, 0x51, 0xD6, 0xCB, 0x0E, 0x31, ++ 0x79, 0xAB, 0x10, 0x42, 0xA9, 0x5D, 0xCF, ++ 0x6A, 0x94, 0x83, 0xB8, 0x4B, 0x4B, 0x36, ++ 0xB3, 0x86, 0x1A, 0xA7, 0x25, 0x5E, 0x4C, ++ 0x02, 0x78, 0xBA, 0x36, 0x04, 0x65, 0x0C, ++ 0x10, 0xBE, 0x19, 0x48, 0x2F, 0x23, 0x17, ++ 0x1B, 0x67, 0x1D, 0xF1, 0xCF, 0x3B, 0x96, ++ 0x0C, 0x07, 0x43, 0x01, 0xCD, 0x93, 0xC1, ++ 0xD1, 0x76, 0x03, 0xD1, 0x47, 0xDA, 0xE2, ++ 0xAE, 0xF8, 0x37, 0xA6, 0x29, 0x64, 0xEF, ++ 0x15, 0xE5, 0xFB, 0x4A, 0xAC, 0x0B, 0x8C, ++ 0x1C, 0xCA, 0xA4, 0xBE, 0x75, 0x4A, 0xB5, ++ 0x72, 0x8A, 0xE9, 0x13, 0x0C, 0x4C, 0x7D, ++ 0x02, 0x88, 0x0A, 0xB9, 0x47, 0x2D, 0x45, ++ 0x55, 0x62, 0x16, 0xD6, 0x99, 0x8B, 0x86, ++ 0x82, 0x28, 0x3D, 0x19, 0xD4, 0x2A, 0x90, ++ 0xD5, 0xEF, 0x8E, 0x5D, 0x32, 0x76, 0x7D, ++ 0xC2, 0x82, 0x2C, 0x6D, 0xF7, 0x85, 0x45, ++ 0x75, 0x38, 0xAB, 0xAE, 0x83, 0x06, 0x3E, ++ 0xD9, 0xCB, 0x87, 0xC2, 0xD3, 0x70, 0xF2, ++ 0x63, 0xD5, 0xFA, 
0xD7, 0x46, 0x6D, 0x84, ++ 0x99, 0xEB, 0x8F, 0x46, 0x4A, 0x70, 0x25, ++ 0x12, 0xB0, 0xCE, 0xE7, 0x71, 0xE9, 0x13, ++ 0x0D, 0x69, 0x77, 0x35, 0xF8, 0x97, 0xFD, ++ 0x03, 0x6C, 0xC5, 0x04, 0x32, 0x6C, 0x3B, ++ 0x01, 0x39, 0x9F, 0x64, 0x35, 0x32, 0x29, ++ 0x0F, 0x95, 0x8C, 0x0B, 0xBD, 0x90, 0x06, ++ 0x5D, 0xF0, 0x8B, 0xAB, 0xBD, 0x30, 0xAE, ++ 0xB6, 0x3B, 0x84, 0xC4, 0x60, 0x5D, 0x6C, ++ 0xA3, 0x71, 0x04, 0x71, 0x27, 0xD0, 0x3A, ++ 0x72, 0xD5, 0x98, 0xA1, 0xED, 0xAD, 0xFE, ++ 0x70, 0x7E, 0x88, 0x47, 0x25, 0xC1, 0x68, ++ 0x90, 0x54, 0x90, 0x84, 0x00, 0x8D, 0x39, ++ 0x1E, 0x09, 0x53, 0xC3, 0xF3, 0x6B, 0xC4, ++ 0x38, 0xCD, 0x08, 0x5E, 0xDD, 0x2D, 0x93, ++ 0x4C, 0xE1, 0x93, 0x8C, 0x35, 0x7A, 0x71, ++ 0x1E, 0x0D, 0x4A, 0x34, 0x1A, 0x5B, 0x0A, ++ 0x85, 0xED, 0x12, 0xC1, 0xF4, 0xE5, 0x15, ++ 0x6A, 0x26, 0x74, 0x6D, 0xDD, 0xE1, 0x6D, ++ 0x82, 0x6F, 0x47, 0x7C, 0x97, 0x47, 0x7E, ++ 0x0A, 0x0F, 0xDF, 0x65, 0x53, 0x14, 0x3E, ++ 0x2C, 0xA3, 0xA7, 0x35, 0xE0, 0x2E, 0xCC, ++ 0xD9, 0x4B, 0x27, 0xD0, 0x48, 0x61, 0xD1, ++ 0x11, 0x9D, 0xD0, 0xC3, 0x28, 0xAD, 0xF3, ++ 0xF6, 0x8F, 0xB0, 0x94, 0xB8, 0x67, 0x71, ++ 0x6B, 0xD7, 0xDC, 0x0D, 0xEE, 0xBB, 0x10, ++ 0xB8, 0x24, 0x0E, 0x68, 0x03, 0x48, 0x93, ++ 0xEA, 0xD8, 0x2D, 0x54, 0xC9, 0xDA, 0x75, ++ 0x4C, 0x46, 0xC7, 0xEE, 0xE0, 0xC3, 0x7F, ++ 0xDB, 0xEE, 0x48, 0x53, 0x60, 0x47, 0xA6, ++ 0xFA, 0x1A, 0xE4, 0x9A, 0x01, 0x42, 0x49, ++ 0x1B, 0x61, 0xFD, 0x5A, 0x69, 0x3E, 0x38, ++ 0x13, 0x60, 0xEA, 0x6E, 0x59, 0x30, 0x13, ++ 0x23, 0x6F, 0x64, 0xBA, 0x8F, 0x3B, 0x1E, ++ 0xDD, 0x1B, 0xDE, 0xFC, 0x7F, 0xCA, 0x03, ++ 0x56, 0xCF, 0x29, 0x87, 0x72, 0xED, 0x9C, ++ 0x17, 0xA0, 0x98, 0x00, 0xD7, 0x58, 0x35, ++ 0x29, 0xF6, 0xC8, 0x13, 0xEC, 0x18, 0x8B, ++ 0xCB, 0x93, 0xD8, 0x43, 0x2D, 0x44, 0x8C, ++ 0x6D, 0x1F, 0x6D, 0xF5, 0xE7, 0xCD, 0x8A, ++ 0x76, 0xA2, 0x67, 0x36, 0x5D, 0x67, 0x6A, ++ 0x5D, 0x8D, 0xED, 0xBF, 0x8A, 0x23, 0xF3, ++ 0x66, 0x12, 0xA5, 0x99, 0x90, 0x28, 0xA8, ++ 0x95, 0xEB, 0xD7, 0xA1, 0x37, 0xDC, 0x7A, ++ 0x00, 0x9B, 0xC6, 0x69, 0x5F, 0xAC, 
0xC1, ++ 0xE5, 0x00, 0xE3, 0x25, 0xC9, 0x76, 0x78, ++ 0x19, 0x75, 0x0A, 0xE8, 0xB9, 0x0E, 0x81, ++ 0xFA, 0x41, 0x6B, 0xE7, 0x37, 0x3A, 0x7F, ++ 0x7B, 0x6A, 0xAF, 0x38, 0x17, 0xA3, 0x4C, ++ 0x06, 0x41, 0x5A, 0xD4, 0x20, 0x18, 0xC8, ++ 0x05, 0x8E, 0x4F, 0x2C, 0xF3, 0xE4, 0xBF, ++ 0xDF, 0x63, 0xF4, 0x79, 0x91, 0xD4, 0xBD, ++ 0x3F, 0x1B, 0x66, 0x44, 0x5F, 0x07, 0x8E, ++ 0xA2, 0xDB, 0xFF, 0xAC, 0x2D, 0x62, 0xA5, ++ 0xEA, 0x03, 0xD9, 0x15, 0xA0, 0xAA, 0x55, ++ 0x66, 0x47, 0xB6, 0xBF, 0x5F, 0xA4, 0x70, ++ 0xEC, 0x0A, 0x66, 0x2F, 0x69, 0x07, 0xC0, ++ 0x1B, 0xF0, 0x53, 0xCB, 0x8A, 0xF7, 0x79, ++ 0x4D, 0xF1, 0x94, 0x03, 0x50, 0xEA, 0xC5, ++ 0xDB, 0xE2, 0xED, 0x3B, 0x7A, 0xA8, 0x55, ++ 0x1E, 0xC5, 0x0F, 0xDF, 0xF8, 0x75, 0x8C, ++ 0xE6, 0x58, 0xD1, 0x89, 0xEA, 0xAE, 0x6D, ++ 0x2B, 0x64, 0xF6, 0x17, 0x79, 0x4B, 0x19, ++ 0x1C, 0x3F, 0xF4, 0x6B, 0xB7, 0x1E, 0x02, ++ 0x34, 0x02, 0x1F, 0x47, 0xB3, 0x1F, 0xA4, ++ 0x30, 0x77, 0x09, 0x5F, 0x96, 0xAD, 0x85, ++ 0xBA, 0x3A, 0x6B, 0x73, 0x4A, 0x7C, 0x8F, ++ 0x36, 0xE6, 0x20, 0x12, 0x7F, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ++}; ++ ++const gnutls_datum_t gnutls_modp_6144_group_prime = { ++ (void *) modp_params_6144, sizeof(modp_params_6144) ++}; ++const gnutls_datum_t gnutls_modp_6144_group_q = { ++ (void *) modp_q_6144, sizeof(modp_q_6144) ++}; ++const gnutls_datum_t gnutls_modp_6144_group_generator = { ++ (void *) &modp_generator, sizeof(modp_generator) ++}; ++const unsigned int gnutls_modp_6144_key_bits = 376; ++ ++static const unsigned char modp_params_8192[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, ++ 0xC2, 0x34, 0xC4, 0xC6, 0x62, 0x8B, 0x80, ++ 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, ++ 0x8A, 0x67, 0xCC, 0x74, 0x02, 0x0B, 0xBE, ++ 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, ++ 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, 0xEF, ++ 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, ++ 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, ++ 0x37, 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, ++ 0xC2, 0x45, 0xE4, 
0x85, 0xB5, 0x76, 0x62, ++ 0x5E, 0x7E, 0xC6, 0xF4, 0x4C, 0x42, 0xE9, ++ 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, ++ 0xB6, 0xF4, 0x06, 0xB7, 0xED, 0xEE, 0x38, ++ 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, ++ 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, ++ 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, ++ 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, ++ 0xBF, 0x05, 0x98, 0xDA, 0x48, 0x36, 0x1C, ++ 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, ++ 0xFD, 0x24, 0xCF, 0x5F, 0x83, 0x65, 0x5D, ++ 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, ++ 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, 0x9E, ++ 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, ++ 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, ++ 0x04, 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, ++ 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, ++ 0x36, 0xCE, 0x3B, 0xE3, 0x9E, 0x77, 0x2C, ++ 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, ++ 0xA2, 0xEC, 0x07, 0xA2, 0x8F, 0xB5, 0xC5, ++ 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, ++ 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, ++ 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, ++ 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, ++ 0x05, 0x10, 0x15, 0x72, 0x8E, 0x5A, 0x8A, ++ 0xAA, 0xC4, 0x2D, 0xAD, 0x33, 0x17, 0x0D, ++ 0x04, 0x50, 0x7A, 0x33, 0xA8, 0x55, 0x21, ++ 0xAB, 0xDF, 0x1C, 0xBA, 0x64, 0xEC, 0xFB, ++ 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, 0x8A, ++ 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, ++ 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, ++ 0xC7, 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, ++ 0x33, 0xD7, 0x1E, 0x8C, 0x94, 0xE0, 0x4A, ++ 0x25, 0x61, 0x9D, 0xCE, 0xE3, 0xD2, 0x26, ++ 0x1A, 0xD2, 0xEE, 0x6B, 0xF1, 0x2F, 0xFA, ++ 0x06, 0xD9, 0x8A, 0x08, 0x64, 0xD8, 0x76, ++ 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, 0x52, ++ 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, ++ 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, ++ 0x6C, 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, ++ 0x46, 0xE2, 0x08, 0xE2, 0x4F, 0xA0, 0x74, ++ 0xE5, 0xAB, 0x31, 0x43, 0xDB, 0x5B, 0xFC, ++ 0xE0, 0xFD, 0x10, 0x8E, 0x4B, 0x82, 0xD1, ++ 0x20, 0xA9, 0x21, 0x08, 0x01, 0x1A, 0x72, ++ 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, 
0x88, ++ 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, ++ 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, ++ 0x3C, 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, ++ 0x0B, 0xDA, 0x25, 0x83, 0xE9, 0xCA, 0x2A, ++ 0xD4, 0x4C, 0xE8, 0xDB, 0xBB, 0xC2, 0xDB, ++ 0x04, 0xDE, 0x8E, 0xF9, 0x2E, 0x8E, 0xFC, ++ 0x14, 0x1F, 0xBE, 0xCA, 0xA6, 0x28, 0x7C, ++ 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, 0x99, ++ 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, ++ 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, ++ 0xED, 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, ++ 0xD7, 0xAF, 0xB8, 0x1B, 0xDD, 0x76, 0x21, ++ 0x70, 0x48, 0x1C, 0xD0, 0x06, 0x91, 0x27, ++ 0xD5, 0xB0, 0x5A, 0xA9, 0x93, 0xB4, 0xEA, ++ 0x98, 0x8D, 0x8F, 0xDD, 0xC1, 0x86, 0xFF, ++ 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, 0x4D, ++ 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, ++ 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, ++ 0x26, 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, ++ 0x46, 0xDE, 0xC9, 0x75, 0x1E, 0x76, 0x3D, ++ 0xBA, 0x37, 0xBD, 0xF8, 0xFF, 0x94, 0x06, ++ 0xAD, 0x9E, 0x53, 0x0E, 0xE5, 0xDB, 0x38, ++ 0x2F, 0x41, 0x30, 0x01, 0xAE, 0xB0, 0x6A, ++ 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, 0x17, ++ 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, ++ 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, ++ 0xED, 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, ++ 0xBB, 0x1B, 0xDB, 0x7F, 0x14, 0x47, 0xE6, ++ 0xCC, 0x25, 0x4B, 0x33, 0x20, 0x51, 0x51, ++ 0x2B, 0xD7, 0xAF, 0x42, 0x6F, 0xB8, 0xF4, ++ 0x01, 0x37, 0x8C, 0xD2, 0xBF, 0x59, 0x83, ++ 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, 0xF0, ++ 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, ++ 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, ++ 0xF6, 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, ++ 0x0C, 0x82, 0xB5, 0xA8, 0x40, 0x31, 0x90, ++ 0x0B, 0x1C, 0x9E, 0x59, 0xE7, 0xC9, 0x7F, ++ 0xBE, 0xC7, 0xE8, 0xF3, 0x23, 0xA9, 0x7A, ++ 0x7E, 0x36, 0xCC, 0x88, 0xBE, 0x0F, 0x1D, ++ 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, 0x4B, ++ 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, ++ 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, ++ 0xD8, 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, ++ 0x37, 0xE0, 0xA7, 0x97, 0x15, 0xEE, 0xF2, ++ 0x9B, 
0xE3, 0x28, 0x06, 0xA1, 0xD5, 0x8B, ++ 0xB7, 0xC5, 0xDA, 0x76, 0xF5, 0x50, 0xAA, ++ 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, 0xEB, 0x19, ++ 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, 0xDA, ++ 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, ++ 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, ++ 0x68, 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, ++ 0x60, 0xEE, 0x12, 0xBF, 0x2D, 0x5B, 0x0B, ++ 0x74, 0x74, 0xD6, 0xE6, 0x94, 0xF9, 0x1E, ++ 0x6D, 0xBE, 0x11, 0x59, 0x74, 0xA3, 0x92, ++ 0x6F, 0x12, 0xFE, 0xE5, 0xE4, 0x38, 0x77, ++ 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, 0xD8, ++ 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA, ++ 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, ++ 0x00, 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, ++ 0x47, 0xED, 0x25, 0x76, 0xF6, 0x93, 0x6B, ++ 0xA4, 0x24, 0x66, 0x3A, 0xAB, 0x63, 0x9C, ++ 0x5A, 0xE4, 0xF5, 0x68, 0x34, 0x23, 0xB4, ++ 0x74, 0x2B, 0xF1, 0xC9, 0x78, 0x23, 0x8F, ++ 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D, 0xE3, ++ 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, ++ 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, ++ 0x07, 0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, ++ 0xF0, 0xC7, 0x34, 0x73, 0xFC, 0x64, 0x6C, ++ 0xEA, 0x30, 0x6B, 0x4B, 0xCB, 0xC8, 0x86, ++ 0x2F, 0x83, 0x85, 0xDD, 0xFA, 0x9D, 0x4B, ++ 0x7F, 0xA2, 0xC0, 0x87, 0xE8, 0x79, 0x68, ++ 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, 0x06, ++ 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, ++ 0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, ++ 0x2D, 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, ++ 0x6A, 0x36, 0x45, 0x97, 0xE8, 0x99, 0xA0, ++ 0x25, 0x5D, 0xC1, 0x64, 0xF3, 0x1C, 0xC5, ++ 0x08, 0x46, 0x85, 0x1D, 0xF9, 0xAB, 0x48, ++ 0x19, 0x5D, 0xED, 0x7E, 0xA1, 0xB1, 0xD5, ++ 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, 0xFA, ++ 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68, ++ 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, ++ 0x92, 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, ++ 0x6C, 0xD7, 0x88, 0x9A, 0x00, 0x2E, 0xD5, ++ 0xEE, 0x38, 0x2B, 0xC9, 0x19, 0x0D, 0xA6, ++ 0xFC, 0x02, 0x6E, 0x47, 0x95, 0x58, 0xE4, ++ 0x47, 0x56, 0x77, 0xE9, 0xAA, 0x9E, 0x30, ++ 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF, 0xC8, ++ 0x1F, 0x56, 0xE8, 0x80, 
0xB9, 0x6E, 0x71, ++ 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, ++ 0xDF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF ++}; ++ ++static const unsigned char modp_q_8192[] = { ++ 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xE4, 0x87, 0xED, 0x51, 0x10, 0xB4, ++ 0x61, 0x1A, 0x62, 0x63, 0x31, 0x45, 0xC0, ++ 0x6E, 0x0E, 0x68, 0x94, 0x81, 0x27, 0x04, ++ 0x45, 0x33, 0xE6, 0x3A, 0x01, 0x05, 0xDF, ++ 0x53, 0x1D, 0x89, 0xCD, 0x91, 0x28, 0xA5, ++ 0x04, 0x3C, 0xC7, 0x1A, 0x02, 0x6E, 0xF7, ++ 0xCA, 0x8C, 0xD9, 0xE6, 0x9D, 0x21, 0x8D, ++ 0x98, 0x15, 0x85, 0x36, 0xF9, 0x2F, 0x8A, ++ 0x1B, 0xA7, 0xF0, 0x9A, 0xB6, 0xB6, 0xA8, ++ 0xE1, 0x22, 0xF2, 0x42, 0xDA, 0xBB, 0x31, ++ 0x2F, 0x3F, 0x63, 0x7A, 0x26, 0x21, 0x74, ++ 0xD3, 0x1B, 0xF6, 0xB5, 0x85, 0xFF, 0xAE, ++ 0x5B, 0x7A, 0x03, 0x5B, 0xF6, 0xF7, 0x1C, ++ 0x35, 0xFD, 0xAD, 0x44, 0xCF, 0xD2, 0xD7, ++ 0x4F, 0x92, 0x08, 0xBE, 0x25, 0x8F, 0xF3, ++ 0x24, 0x94, 0x33, 0x28, 0xF6, 0x72, 0x2D, ++ 0x9E, 0xE1, 0x00, 0x3E, 0x5C, 0x50, 0xB1, ++ 0xDF, 0x82, 0xCC, 0x6D, 0x24, 0x1B, 0x0E, ++ 0x2A, 0xE9, 0xCD, 0x34, 0x8B, 0x1F, 0xD4, ++ 0x7E, 0x92, 0x67, 0xAF, 0xC1, 0xB2, 0xAE, ++ 0x91, 0xEE, 0x51, 0xD6, 0xCB, 0x0E, 0x31, ++ 0x79, 0xAB, 0x10, 0x42, 0xA9, 0x5D, 0xCF, ++ 0x6A, 0x94, 0x83, 0xB8, 0x4B, 0x4B, 0x36, ++ 0xB3, 0x86, 0x1A, 0xA7, 0x25, 0x5E, 0x4C, ++ 0x02, 0x78, 0xBA, 0x36, 0x04, 0x65, 0x0C, ++ 0x10, 0xBE, 0x19, 0x48, 0x2F, 0x23, 0x17, ++ 0x1B, 0x67, 0x1D, 0xF1, 0xCF, 0x3B, 0x96, ++ 0x0C, 0x07, 0x43, 0x01, 0xCD, 0x93, 0xC1, ++ 0xD1, 0x76, 0x03, 0xD1, 0x47, 0xDA, 0xE2, ++ 0xAE, 0xF8, 0x37, 0xA6, 0x29, 0x64, 0xEF, ++ 0x15, 0xE5, 0xFB, 0x4A, 0xAC, 0x0B, 0x8C, ++ 0x1C, 0xCA, 0xA4, 0xBE, 0x75, 0x4A, 0xB5, ++ 0x72, 0x8A, 0xE9, 0x13, 0x0C, 0x4C, 0x7D, ++ 0x02, 0x88, 0x0A, 0xB9, 0x47, 0x2D, 0x45, ++ 0x55, 0x62, 0x16, 0xD6, 0x99, 0x8B, 0x86, ++ 0x82, 0x28, 0x3D, 0x19, 0xD4, 0x2A, 0x90, ++ 0xD5, 0xEF, 0x8E, 0x5D, 0x32, 0x76, 0x7D, ++ 0xC2, 0x82, 0x2C, 0x6D, 0xF7, 0x85, 0x45, ++ 0x75, 0x38, 0xAB, 0xAE, 0x83, 0x06, 0x3E, ++ 0xD9, 0xCB, 0x87, 
0xC2, 0xD3, 0x70, 0xF2, ++ 0x63, 0xD5, 0xFA, 0xD7, 0x46, 0x6D, 0x84, ++ 0x99, 0xEB, 0x8F, 0x46, 0x4A, 0x70, 0x25, ++ 0x12, 0xB0, 0xCE, 0xE7, 0x71, 0xE9, 0x13, ++ 0x0D, 0x69, 0x77, 0x35, 0xF8, 0x97, 0xFD, ++ 0x03, 0x6C, 0xC5, 0x04, 0x32, 0x6C, 0x3B, ++ 0x01, 0x39, 0x9F, 0x64, 0x35, 0x32, 0x29, ++ 0x0F, 0x95, 0x8C, 0x0B, 0xBD, 0x90, 0x06, ++ 0x5D, 0xF0, 0x8B, 0xAB, 0xBD, 0x30, 0xAE, ++ 0xB6, 0x3B, 0x84, 0xC4, 0x60, 0x5D, 0x6C, ++ 0xA3, 0x71, 0x04, 0x71, 0x27, 0xD0, 0x3A, ++ 0x72, 0xD5, 0x98, 0xA1, 0xED, 0xAD, 0xFE, ++ 0x70, 0x7E, 0x88, 0x47, 0x25, 0xC1, 0x68, ++ 0x90, 0x54, 0x90, 0x84, 0x00, 0x8D, 0x39, ++ 0x1E, 0x09, 0x53, 0xC3, 0xF3, 0x6B, 0xC4, ++ 0x38, 0xCD, 0x08, 0x5E, 0xDD, 0x2D, 0x93, ++ 0x4C, 0xE1, 0x93, 0x8C, 0x35, 0x7A, 0x71, ++ 0x1E, 0x0D, 0x4A, 0x34, 0x1A, 0x5B, 0x0A, ++ 0x85, 0xED, 0x12, 0xC1, 0xF4, 0xE5, 0x15, ++ 0x6A, 0x26, 0x74, 0x6D, 0xDD, 0xE1, 0x6D, ++ 0x82, 0x6F, 0x47, 0x7C, 0x97, 0x47, 0x7E, ++ 0x0A, 0x0F, 0xDF, 0x65, 0x53, 0x14, 0x3E, ++ 0x2C, 0xA3, 0xA7, 0x35, 0xE0, 0x2E, 0xCC, ++ 0xD9, 0x4B, 0x27, 0xD0, 0x48, 0x61, 0xD1, ++ 0x11, 0x9D, 0xD0, 0xC3, 0x28, 0xAD, 0xF3, ++ 0xF6, 0x8F, 0xB0, 0x94, 0xB8, 0x67, 0x71, ++ 0x6B, 0xD7, 0xDC, 0x0D, 0xEE, 0xBB, 0x10, ++ 0xB8, 0x24, 0x0E, 0x68, 0x03, 0x48, 0x93, ++ 0xEA, 0xD8, 0x2D, 0x54, 0xC9, 0xDA, 0x75, ++ 0x4C, 0x46, 0xC7, 0xEE, 0xE0, 0xC3, 0x7F, ++ 0xDB, 0xEE, 0x48, 0x53, 0x60, 0x47, 0xA6, ++ 0xFA, 0x1A, 0xE4, 0x9A, 0x01, 0x42, 0x49, ++ 0x1B, 0x61, 0xFD, 0x5A, 0x69, 0x3E, 0x38, ++ 0x13, 0x60, 0xEA, 0x6E, 0x59, 0x30, 0x13, ++ 0x23, 0x6F, 0x64, 0xBA, 0x8F, 0x3B, 0x1E, ++ 0xDD, 0x1B, 0xDE, 0xFC, 0x7F, 0xCA, 0x03, ++ 0x56, 0xCF, 0x29, 0x87, 0x72, 0xED, 0x9C, ++ 0x17, 0xA0, 0x98, 0x00, 0xD7, 0x58, 0x35, ++ 0x29, 0xF6, 0xC8, 0x13, 0xEC, 0x18, 0x8B, ++ 0xCB, 0x93, 0xD8, 0x43, 0x2D, 0x44, 0x8C, ++ 0x6D, 0x1F, 0x6D, 0xF5, 0xE7, 0xCD, 0x8A, ++ 0x76, 0xA2, 0x67, 0x36, 0x5D, 0x67, 0x6A, ++ 0x5D, 0x8D, 0xED, 0xBF, 0x8A, 0x23, 0xF3, ++ 0x66, 0x12, 0xA5, 0x99, 0x90, 0x28, 0xA8, ++ 0x95, 0xEB, 0xD7, 0xA1, 0x37, 0xDC, 
0x7A, ++ 0x00, 0x9B, 0xC6, 0x69, 0x5F, 0xAC, 0xC1, ++ 0xE5, 0x00, 0xE3, 0x25, 0xC9, 0x76, 0x78, ++ 0x19, 0x75, 0x0A, 0xE8, 0xB9, 0x0E, 0x81, ++ 0xFA, 0x41, 0x6B, 0xE7, 0x37, 0x3A, 0x7F, ++ 0x7B, 0x6A, 0xAF, 0x38, 0x17, 0xA3, 0x4C, ++ 0x06, 0x41, 0x5A, 0xD4, 0x20, 0x18, 0xC8, ++ 0x05, 0x8E, 0x4F, 0x2C, 0xF3, 0xE4, 0xBF, ++ 0xDF, 0x63, 0xF4, 0x79, 0x91, 0xD4, 0xBD, ++ 0x3F, 0x1B, 0x66, 0x44, 0x5F, 0x07, 0x8E, ++ 0xA2, 0xDB, 0xFF, 0xAC, 0x2D, 0x62, 0xA5, ++ 0xEA, 0x03, 0xD9, 0x15, 0xA0, 0xAA, 0x55, ++ 0x66, 0x47, 0xB6, 0xBF, 0x5F, 0xA4, 0x70, ++ 0xEC, 0x0A, 0x66, 0x2F, 0x69, 0x07, 0xC0, ++ 0x1B, 0xF0, 0x53, 0xCB, 0x8A, 0xF7, 0x79, ++ 0x4D, 0xF1, 0x94, 0x03, 0x50, 0xEA, 0xC5, ++ 0xDB, 0xE2, 0xED, 0x3B, 0x7A, 0xA8, 0x55, ++ 0x1E, 0xC5, 0x0F, 0xDF, 0xF8, 0x75, 0x8C, ++ 0xE6, 0x58, 0xD1, 0x89, 0xEA, 0xAE, 0x6D, ++ 0x2B, 0x64, 0xF6, 0x17, 0x79, 0x4B, 0x19, ++ 0x1C, 0x3F, 0xF4, 0x6B, 0xB7, 0x1E, 0x02, ++ 0x34, 0x02, 0x1F, 0x47, 0xB3, 0x1F, 0xA4, ++ 0x30, 0x77, 0x09, 0x5F, 0x96, 0xAD, 0x85, ++ 0xBA, 0x3A, 0x6B, 0x73, 0x4A, 0x7C, 0x8F, ++ 0x36, 0xDF, 0x08, 0xAC, 0xBA, 0x51, 0xC9, ++ 0x37, 0x89, 0x7F, 0x72, 0xF2, 0x1C, 0x3B, ++ 0xBE, 0x5B, 0x54, 0x99, 0x6F, 0xC6, 0x6C, ++ 0x5F, 0x62, 0x68, 0x39, 0xDC, 0x98, 0xDD, ++ 0x1D, 0xE4, 0x19, 0x5B, 0x46, 0xCE, 0xE9, ++ 0x80, 0x3A, 0x0F, 0xD3, 0xDF, 0xC5, 0x7E, ++ 0x23, 0xF6, 0x92, 0xBB, 0x7B, 0x49, 0xB5, ++ 0xD2, 0x12, 0x33, 0x1D, 0x55, 0xB1, 0xCE, ++ 0x2D, 0x72, 0x7A, 0xB4, 0x1A, 0x11, 0xDA, ++ 0x3A, 0x15, 0xF8, 0xE4, 0xBC, 0x11, 0xC7, ++ 0x8B, 0x65, 0xF1, 0xCE, 0xB2, 0x96, 0xF1, ++ 0xFE, 0xDC, 0x5F, 0x7E, 0x42, 0x45, 0x6C, ++ 0x91, 0x11, 0x17, 0x02, 0x52, 0x01, 0xBE, ++ 0x03, 0x89, 0xF5, 0xAB, 0xD4, 0x0D, 0x11, ++ 0xF8, 0x63, 0x9A, 0x39, 0xFE, 0x32, 0x36, ++ 0x75, 0x18, 0x35, 0xA5, 0xE5, 0xE4, 0x43, ++ 0x17, 0xC1, 0xC2, 0xEE, 0xFD, 0x4E, 0xA5, ++ 0xBF, 0xD1, 0x60, 0x43, 0xF4, 0x3C, 0xB4, ++ 0x19, 0x81, 0xF6, 0xAD, 0xEE, 0x9D, 0x03, ++ 0x15, 0x9E, 0x7A, 0xD9, 0xD1, 0x3C, 0x53, ++ 0x36, 0x95, 0x09, 0xFC, 0x1F, 0xA2, 0x7C, ++ 0x16, 
0xEF, 0x98, 0x87, 0x70, 0x3A, 0x55,
++ 0xB5, 0x1B, 0x22, 0xCB, 0xF4, 0x4C, 0xD0,
++ 0x12, 0xAE, 0xE0, 0xB2, 0x79, 0x8E, 0x62,
++ 0x84, 0x23, 0x42, 0x8E, 0xFC, 0xD5, 0xA4,
++ 0x0C, 0xAE, 0xF6, 0xBF, 0x50, 0xD8, 0xEA,
++ 0x88, 0x5E, 0xBF, 0x73, 0xA6, 0xB9, 0xFD,
++ 0x79, 0xB5, 0xE1, 0x8F, 0x67, 0xD1, 0x34,
++ 0x1A, 0xC8, 0x23, 0x7A, 0x75, 0xC3, 0xCF,
++ 0xC9, 0x20, 0x04, 0xA1, 0xC5, 0xA4, 0x0E,
++ 0x36, 0x6B, 0xC4, 0x4D, 0x00, 0x17, 0x6A,
++ 0xF7, 0x1C, 0x15, 0xE4, 0x8C, 0x86, 0xD3,
++ 0x7E, 0x01, 0x37, 0x23, 0xCA, 0xAC, 0x72,
++ 0x23, 0xAB, 0x3B, 0xF4, 0xD5, 0x4F, 0x18,
++ 0x28, 0x71, 0x3B, 0x2B, 0x4A, 0x6F, 0xE4,
++ 0x0F, 0xAB, 0x74, 0x40, 0x5C, 0xB7, 0x38,
++ 0xB0, 0x64, 0xC0, 0x6E, 0xCC, 0x76, 0xE9,
++ 0xEF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++ 0xFF, 0xFF
++};
++
++const gnutls_datum_t gnutls_modp_8192_group_prime = {
++ (void *) modp_params_8192, sizeof(modp_params_8192)
++};
++const gnutls_datum_t gnutls_modp_8192_group_q = {
++ (void *) modp_q_8192, sizeof(modp_q_8192)
++};
++const gnutls_datum_t gnutls_modp_8192_group_generator = {
++ (void *) &modp_generator, sizeof(modp_generator)
++};
++const unsigned int gnutls_modp_8192_key_bits = 512;
++
+ #endif
+diff --git a/lib/dh.h b/lib/dh.h
+index 9f3dc2a70..a64a4eb5e 100644
+--- a/lib/dh.h
++++ b/lib/dh.h
+@@ -31,4 +31,33 @@ _gnutls_figure_dh_params(gnutls_session_t session, gnutls_dh_params_t dh_params,
+
+ int _gnutls_set_cred_dh_params(gnutls_dh_params_t *cparams, gnutls_sec_param_t sec_param);
+
++/* The static parameters defined in RFC 3526, used for the approved
++ * primes check in SP800-56A (Appendix D).
++ */
++
++extern const gnutls_datum_t gnutls_modp_8192_group_prime;
++extern const gnutls_datum_t gnutls_modp_8192_group_q;
++extern const gnutls_datum_t gnutls_modp_8192_group_generator;
++extern const unsigned int gnutls_modp_8192_key_bits;
++
++extern const gnutls_datum_t gnutls_modp_6144_group_prime;
++extern const gnutls_datum_t gnutls_modp_6144_group_q;
++extern const gnutls_datum_t gnutls_modp_6144_group_generator;
++extern const unsigned int gnutls_modp_6144_key_bits;
++
++extern const gnutls_datum_t gnutls_modp_4096_group_prime;
++extern const gnutls_datum_t gnutls_modp_4096_group_q;
++extern const gnutls_datum_t gnutls_modp_4096_group_generator;
++extern const unsigned int gnutls_modp_4096_key_bits;
++
++extern const gnutls_datum_t gnutls_modp_3072_group_prime;
++extern const gnutls_datum_t gnutls_modp_3072_group_q;
++extern const gnutls_datum_t gnutls_modp_3072_group_generator;
++extern const unsigned int gnutls_modp_3072_key_bits;
++
++extern const gnutls_datum_t gnutls_modp_2048_group_prime;
++extern const gnutls_datum_t gnutls_modp_2048_group_q;
++extern const gnutls_datum_t gnutls_modp_2048_group_generator;
++extern const unsigned int gnutls_modp_2048_key_bits;
++
+ #endif /* GNUTLS_LIB_DH_H */
+--
+2.26.2
+
+
+From 3f4532862bf9140976d970ab14e102cede61d1c7 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Fri, 26 Jun 2020 10:21:26 +0200
+Subject: [PATCH 2/2] dhe: check if DH params in SKE match the FIPS approved
+ algorithms
+
+SP800-56A rev. 3 restricts the FIPS compliant clients to use only
+approved DH parameters, defined in RFC 7919 and RFC 3526. This adds a
+check in the handling of ServerKeyExchange if DHE is negotiated.
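Review bot: The new `extern` declarations carry the public `gnutls_` prefix, while every other symbol in this internal header (`_gnutls_figure_dh_params`, `_gnutls_set_cred_dh_params`) uses the `_gnutls_` prefix that marks library-private names; unless these are meant to be exported, the private prefix keeps non-API symbols out of the namespace applications may treat as stable — whether the version script actually exports them cannot be seen from the hunk, and the same naming applies to the definitions in dh-primes.c above. The header comment should also say how `_q` relates to `_prime`, since that is what the approval check compares against: the RFC 3526 groups are safe-prime groups, and the `modp_q_8192` table beginning `0x7F, 0xFF, …, 0xE4, 0x87, 0xED, 0x51` is consistent with `(p - 1) / 2` of the 8192-bit prime in the rfc3526-group-18-8192.pem added by this patch. I'd extend the block with ` * q is (p - 1) / 2, the order of the prime-order subgroup of each safe-prime group.`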
+ +Signed-off-by: Daiki Ueno +--- + doc/credentials/Makefile.am | 24 ++++ + .../dhparams/rfc2409-group-1-768.pem | 5 + + .../dhparams/rfc2409-group-2-1024.pem | 5 + + .../dhparams/rfc3526-group-14-2048.pem | 8 ++ + .../dhparams/rfc3526-group-15-3072.pem | 11 ++ + .../dhparams/rfc3526-group-16-4096.pem | 13 ++ + .../dhparams/rfc3526-group-17-6144.pem | 19 +++ + .../dhparams/rfc3526-group-18-8192.pem | 24 ++++ + .../dhparams/rfc3526-group-5-1536.pem | 7 + + doc/credentials/dhparams/rfc5054-1024.pem | 5 + + doc/credentials/dhparams/rfc5054-1536.pem | 7 + + doc/credentials/dhparams/rfc5054-2048.pem | 8 ++ + doc/credentials/dhparams/rfc5054-3072.pem | 11 ++ + doc/credentials/dhparams/rfc5054-4096.pem | 13 ++ + doc/credentials/dhparams/rfc5054-6144.pem | 19 +++ + doc/credentials/dhparams/rfc5054-8192.pem | 24 ++++ + .../dhparams/rfc5114-group-22-1024.pem | 8 ++ + .../dhparams/rfc5114-group-23-2048.pem | 13 ++ + .../dhparams/rfc5114-group-24-2048.pem | 13 ++ + .../dhparams/rfc7919-ffdhe2048.pem | 8 ++ + .../dhparams/rfc7919-ffdhe3072.pem | 11 ++ + .../dhparams/rfc7919-ffdhe4096.pem | 14 ++ + .../dhparams/rfc7919-ffdhe6144.pem | 19 +++ + .../dhparams/rfc7919-ffdhe8192.pem | 24 ++++ + lib/auth/dh_common.c | 8 ++ + lib/dh-primes.c | 34 +++++ + lib/dh.h | 6 + + tests/Makefile.am | 2 + + tests/client-sign-md5-rep.c | 5 + + tests/dh-fips-approved.sh | 127 ++++++++++++++++++ + tests/utils.c | 58 ++++---- + 31 files changed, 521 insertions(+), 32 deletions(-) + create mode 100644 doc/credentials/dhparams/rfc2409-group-1-768.pem + create mode 100644 doc/credentials/dhparams/rfc2409-group-2-1024.pem + create mode 100644 doc/credentials/dhparams/rfc3526-group-14-2048.pem + create mode 100644 doc/credentials/dhparams/rfc3526-group-15-3072.pem + create mode 100644 doc/credentials/dhparams/rfc3526-group-16-4096.pem + create mode 100644 doc/credentials/dhparams/rfc3526-group-17-6144.pem + create mode 100644 doc/credentials/dhparams/rfc3526-group-18-8192.pem + create mode 100644 
doc/credentials/dhparams/rfc3526-group-5-1536.pem + create mode 100644 doc/credentials/dhparams/rfc5054-1024.pem + create mode 100644 doc/credentials/dhparams/rfc5054-1536.pem + create mode 100644 doc/credentials/dhparams/rfc5054-2048.pem + create mode 100644 doc/credentials/dhparams/rfc5054-3072.pem + create mode 100644 doc/credentials/dhparams/rfc5054-4096.pem + create mode 100644 doc/credentials/dhparams/rfc5054-6144.pem + create mode 100644 doc/credentials/dhparams/rfc5054-8192.pem + create mode 100644 doc/credentials/dhparams/rfc5114-group-22-1024.pem + create mode 100644 doc/credentials/dhparams/rfc5114-group-23-2048.pem + create mode 100644 doc/credentials/dhparams/rfc5114-group-24-2048.pem + create mode 100644 doc/credentials/dhparams/rfc7919-ffdhe2048.pem + create mode 100644 doc/credentials/dhparams/rfc7919-ffdhe3072.pem + create mode 100644 doc/credentials/dhparams/rfc7919-ffdhe4096.pem + create mode 100644 doc/credentials/dhparams/rfc7919-ffdhe6144.pem + create mode 100644 doc/credentials/dhparams/rfc7919-ffdhe8192.pem + create mode 100755 tests/dh-fips-approved.sh + +diff --git a/doc/credentials/Makefile.am b/doc/credentials/Makefile.am +index ecdd57a10..25778856f 100644 +--- a/doc/credentials/Makefile.am ++++ b/doc/credentials/Makefile.am +@@ -31,3 +31,27 @@ EXTRA_DIST += srp-passwd.txt srp-tpasswd.conf + + EXTRA_DIST += psk-passwd.txt + ++EXTRA_DIST += \ ++ dhparams/rfc2409-group-1-768.pem \ ++ dhparams/rfc2409-group-2-1024.pem \ ++ dhparams/rfc3526-group-14-2048.pem \ ++ dhparams/rfc3526-group-15-3072.pem \ ++ dhparams/rfc3526-group-16-4096.pem \ ++ dhparams/rfc3526-group-17-6144.pem \ ++ dhparams/rfc3526-group-18-8192.pem \ ++ dhparams/rfc3526-group-5-1536.pem \ ++ dhparams/rfc5054-1024.pem \ ++ dhparams/rfc5054-1536.pem \ ++ dhparams/rfc5054-2048.pem \ ++ dhparams/rfc5054-3072.pem \ ++ dhparams/rfc5054-4096.pem \ ++ dhparams/rfc5054-6144.pem \ ++ dhparams/rfc5054-8192.pem \ ++ dhparams/rfc5114-group-22-1024.pem \ ++ 
dhparams/rfc5114-group-23-2048.pem \ ++ dhparams/rfc5114-group-24-2048.pem \ ++ dhparams/rfc7919-ffdhe2048.pem \ ++ dhparams/rfc7919-ffdhe3072.pem \ ++ dhparams/rfc7919-ffdhe4096.pem \ ++ dhparams/rfc7919-ffdhe6144.pem \ ++ dhparams/rfc7919-ffdhe8192.pem +diff --git a/doc/credentials/dhparams/rfc2409-group-1-768.pem b/doc/credentials/dhparams/rfc2409-group-1-768.pem +new file mode 100644 +index 000000000..33a617018 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc2409-group-1-768.pem +@@ -0,0 +1,5 @@ ++-----BEGIN DH PARAMETERS----- ++MGYCYQD//////////8kP2qIhaMI0xMZii4DcHNEpAk4IimfMdAILvqY7E5siUUoI ++eY40BN3vlRmzzTpDGzArCm3yXxQ3T+E1bW1RwkXkhbV2Yl5+xvRMQummOjYg//// ++//////8CAQI= ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc2409-group-2-1024.pem b/doc/credentials/dhparams/rfc2409-group-2-1024.pem +new file mode 100644 +index 000000000..bbfb1bfb6 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc2409-group-2-1024.pem +@@ -0,0 +1,5 @@ ++-----BEGIN DH PARAMETERS----- ++MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJRSgh5jjQE ++3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL/1y29Aa37e44a/ta ++iZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc3526-group-14-2048.pem b/doc/credentials/dhparams/rfc3526-group-14-2048.pem +new file mode 100644 +index 000000000..b15071532 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc3526-group-14-2048.pem +@@ -0,0 +1,8 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc3526-group-15-3072.pem 
b/doc/credentials/dhparams/rfc3526-group-15-3072.pem +new file mode 100644 +index 000000000..f27b77820 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc3526-group-15-3072.pem +@@ -0,0 +1,11 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBiAKCAYEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM ++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqTrS ++yv//////////AgEC ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc3526-group-16-4096.pem b/doc/credentials/dhparams/rfc3526-group-16-4096.pem +new file mode 100644 +index 000000000..a734b9050 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc3526-group-16-4096.pem +@@ -0,0 +1,13 @@ ++-----BEGIN DH PARAMETERS----- ++MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM ++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI ++ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O +++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI ++HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI= ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc3526-group-17-6144.pem b/doc/credentials/dhparams/rfc3526-group-17-6144.pem +new file mode 
100644 +index 000000000..d8307bda3 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc3526-group-17-6144.pem +@@ -0,0 +1,19 @@ ++-----BEGIN DH PARAMETERS----- ++MIIDCAKCAwEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM ++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI ++ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O +++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI ++HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG ++3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU ++7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId ++A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha ++xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/ ++8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebcxA ++JP//////////AgEC ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc3526-group-18-8192.pem b/doc/credentials/dhparams/rfc3526-group-18-8192.pem +new file mode 100644 +index 000000000..af54dd656 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc3526-group-18-8192.pem +@@ -0,0 +1,24 @@ ++-----BEGIN DH PARAMETERS----- ++MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM 
++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI ++ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O +++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI ++HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG ++3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU ++7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId ++A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha ++xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/ ++8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R ++WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk ++ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw ++xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4 ++Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i ++aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU ++38gfVuiAuW5xYMmA3Zjt09///////////wIBAg== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc3526-group-5-1536.pem b/doc/credentials/dhparams/rfc3526-group-5-1536.pem +new file mode 100644 +index 000000000..44df6de65 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc3526-group-5-1536.pem +@@ -0,0 +1,7 @@ ++-----BEGIN DH PARAMETERS----- ++MIHHAoHBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR ++Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL ++/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7ORbPcIAfLihY78FmNpINhxV05pp ++Fj+o/STPX4NlXSPco62WHGLzViCFUrue1SkHcJaWbWcMNU5KvJgE8XRsCMojcyf/ ++/////////wIBAg== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5054-1024.pem b/doc/credentials/dhparams/rfc5054-1024.pem +new file mode 100644 +index 000000000..33aed9fab +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5054-1024.pem +@@ -0,0 +1,5 @@ ++-----BEGIN DH PARAMETERS----- 
++MIGHAoGBAO6vCrmts43WnDP4CvqPxehgcmGHdf88C56iMUycJWV21nTfdJbqgdM4 ++O0gT1pLG4ODV2OJQuYvkjklcHWCJ2tFdx9e0YVTWts6O9K1psV1JglWbKXvPGIXF ++KfVmZg5X7GjtvDwFcmzAL9TL9Jduqpr9UTj+g3ZDW5/GHS/A6wbjAgEC ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5054-1536.pem b/doc/credentials/dhparams/rfc5054-1536.pem +new file mode 100644 +index 000000000..dc2db6b42 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5054-1536.pem +@@ -0,0 +1,7 @@ ++-----BEGIN DH PARAMETERS----- ++MIHHAoHBAJ3vPK+5OSd6sfEqhheke7vbpR30maxMgL7uqWFLGcxNX09fVW4ny95R ++xqlL5GB6KRVYkDug0PhDgLZVu5oi6NzfAop87Gfw0IE0sci5eYkUm2CeC+O6tj1H ++VIOB28Wx/HZOP0tT3Z2hFYv9PiucjPVu3wGVOTSWJ9sv1T0kt8SGZXcuQ31sf4zk ++QnNK98y3roN8Jkrjqb64f4ov6bi1KS5aAh//XpFHnoznoowkQsbzFRgPk0maI03P ++duP+0TX5uwIBAg== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5054-2048.pem b/doc/credentials/dhparams/rfc5054-2048.pem +new file mode 100644 +index 000000000..814e70ce6 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5054-2048.pem +@@ -0,0 +1,8 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBCAKCAQEArGvbQTJKmpvxZt5eE4lYL69ytmUZh+4H/DGSlD21YFCjcynLtKCZ ++7YGT4HV3Z6E91SMSq0sDMQ3Nf0ip2gT9UOgIOWntt2ewz2CVF5oWOrNmGgX71fqq ++6CkYqZYvC5O4Vfl5k+yXXuqoDXQK2/T/dHNZ0EHVwz6nHSgeRGsUdzvKl7Q6I/uA ++Fna9IHpDbGSB8dK5B4cXRhpbnTLmiPh3SFRFI7UksNV9Xqd6J3XS7PoDLPvb9S+z ++eGFgJ5AE5Xrmr4dOcwPOUymczAQce8MI2CpWmPOo0MOCca41+Onb+7aUtcgD2J96 ++5DXeI21SX1R1m2XjcvzWjvIPpxEfnkr/cwIBAg== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5054-3072.pem b/doc/credentials/dhparams/rfc5054-3072.pem +new file mode 100644 +index 000000000..d84b2424a +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5054-3072.pem +@@ -0,0 +1,11 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBiAKCAYEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT 
++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM ++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqTrS ++yv//////////AgEF ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5054-4096.pem b/doc/credentials/dhparams/rfc5054-4096.pem +new file mode 100644 +index 000000000..99ca4456b +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5054-4096.pem +@@ -0,0 +1,13 @@ ++-----BEGIN DH PARAMETERS----- ++MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM ++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI ++ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O +++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI ++HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQU= ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5054-6144.pem b/doc/credentials/dhparams/rfc5054-6144.pem +new file mode 100644 +index 000000000..97d8d21a9 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5054-6144.pem +@@ -0,0 +1,19 @@ ++-----BEGIN DH PARAMETERS----- ++MIIDCAKCAwEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh 
++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM ++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI ++ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O +++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI ++HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG ++3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU ++7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId ++A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha ++xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/ ++8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebcxA ++JP//////////AgEF ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5054-8192.pem b/doc/credentials/dhparams/rfc5054-8192.pem +new file mode 100644 +index 000000000..bb54575c7 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5054-8192.pem +@@ -0,0 +1,24 @@ ++-----BEGIN DH PARAMETERS----- ++MIIECAKCBAEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb ++IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft ++awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT ++mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh ++fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq ++5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM ++fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq ++ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI ++ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O +++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI ++HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0AoSSNsP6tNJ8cCbB1NyyYCZG ++3sl1HnY9uje9+P+UBq2eUw7l2zgvQTABrrBqU+2QJ9gxF5cnsIZaiRjaPtvrz5sU ++7UTObLrO1Lsb238UR+bMJUszIFFRK9evQm+49AE3jNK/WYPKAcZLkuzwMuoV0XId 
++A/SC185udP721V5wL0aYDIK1qEAxkAscnlnnyX++x+jzI6l6fjbMiL4PHUW3/1ha ++xUvUB7IrQVSqzI9tfr9I4dgUzF7SD4A34KeXFe7ym+MoBqHVi7fF2nb1UKo9ih+/ ++8OsZzLGjE9Vc2lbJ7C7yljI4f+jXbjwEaAQ+j2Y/SGDuEr8tWwt0dNbmlPkebb4R ++WXSjkm8S/uXkOHd8tqky34zYvsTQc7kxujvIMraNndMAdB+nv4r8R+0ldvaTa6Qk ++ZjqrY5xa5PVoNCO0dCvxyXgjjxbL451lLeP9uL78hIrZIiIuBKQDfAcT61eoGiPw ++xzRz/GRs6jBrS8vIhi+Dhd36nUt/osCH6HloMwPtW906Bis89bOieKZtKhP4P0T4 ++Ld8xDuB0q2o2RZfomaAlXcFk8xzFCEaFHfmrSBld7X6hsdUQvX7nTXP682vDHs+i ++aDWQRvTrh5+SQAlDi0gcbNeImgAu1e44K8kZDab8Am5HlVjkR1Z36aqeMFDidlaU ++38gfVuiAuW5xYMmA3Zjt09///////////wIBEw== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5114-group-22-1024.pem b/doc/credentials/dhparams/rfc5114-group-22-1024.pem +new file mode 100644 +index 000000000..759afcb2f +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5114-group-22-1024.pem +@@ -0,0 +1,8 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBCAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y ++mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4 +++qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV ++w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0 ++sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR ++jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5Q== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5114-group-23-2048.pem b/doc/credentials/dhparams/rfc5114-group-23-2048.pem +new file mode 100644 +index 000000000..d4f360ef2 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5114-group-23-2048.pem +@@ -0,0 +1,13 @@ ++-----BEGIN DH PARAMETERS----- ++MIICCgKCAQEArRB+HpEjqdDWYPqnlVnFH6INZOVoO5/RtUsVl7YdCnXm+hQd+VpW ++26+aPEB7od8V6z1oijCcGA4d5rhaEnSgpm0/gVKtasISkDfJ7e/aTfjZHo/vVbc5 ++S3rVt9C2wSIHyfmNEe002/bGugssi7wnvmoA4KC5xJcIs7+KMXCRiDaBKGEwvImF ++2xYC5xRBXZMwJ4Jzx94x79xzEPcSH9WgdBWYfZrcCkhtzfk6zEQyg4cxXXXhmMZB ++pIDNhqG55YfovmDmnMkosrnFIXLkEwQumyPxCw4W55djybU9z0uoCinj+3PBa451 ++uX7zY+L/ox9xz53lOE5xuBwKxN/+DBDmTwKCAQEArEAy708tmuOd8wtcj/2sUGze 
++vnuJmYyvdIZqCM/k/+OmgkpOELmm8N2SHwGnDEr6q3OddwDCn1LFfbF8YgqGUr5e ++kAGo1mrXwXZpEBmZAkr00CcnWsE0i7inYtBSG8mK4kcVBCLqHtQJk51U2nRgzbX2 ++xrJQcXy+8YDrNBGOmNEZUppF1vg0Vm4wJeMWozDvu3eobwwasVsFGuPUKMj4rLcK ++gTcVC47rEOGD7dGZY93Z4mPkdwWJ72qiHn9fL/OBtTnM40CdE81Wavu0jWwBkYHh ++vP6UswJp7f5y/ptqpL17Wg8ccc//TBnEGOH27AF5gbwIfypwZbOEuJDTGR8r+g== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc5114-group-24-2048.pem b/doc/credentials/dhparams/rfc5114-group-24-2048.pem +new file mode 100644 +index 000000000..dc0211648 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc5114-group-24-2048.pem +@@ -0,0 +1,13 @@ ++-----BEGIN DH PARAMETERS----- ++MIICCQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX ++1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY ++wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3 ++kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG ++9rPKP3lxUGAmwLhX9omWKFbe1AEKvQvmIcOjlgpU5xDDdfJjddcBQQOktUMwwZiv ++EmEW0iduEXFfaTh3+tfvCcrbCUrpHhoVlwKCAQA/syybcxNNCy53UGZg7b1ITKex ++jyHvIFQH9Hk6GguhJRDbwVB3vkY//0/tSqwLtVW+OmwbDGtHsbw3c79+jG9ikBIo +++MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5 ++gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7 ++cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU ++KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZ ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc7919-ffdhe2048.pem b/doc/credentials/dhparams/rfc7919-ffdhe2048.pem +new file mode 100644 +index 000000000..9b182b720 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc7919-ffdhe2048.pem +@@ -0,0 +1,8 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a ++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 ++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi 
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ++ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc7919-ffdhe3072.pem b/doc/credentials/dhparams/rfc7919-ffdhe3072.pem +new file mode 100644 +index 000000000..fb31ccda5 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc7919-ffdhe3072.pem +@@ -0,0 +1,11 @@ ++-----BEGIN DH PARAMETERS----- ++MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a ++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 ++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi ++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 ++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 ++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu ++N///////////AgEC ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc7919-ffdhe4096.pem b/doc/credentials/dhparams/rfc7919-ffdhe4096.pem +new file mode 100644 +index 000000000..ad9f68b1e +--- /dev/null ++++ b/doc/credentials/dhparams/rfc7919-ffdhe4096.pem +@@ -0,0 +1,14 @@ ++-----BEGIN DH PARAMETERS----- ++MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a ++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 ++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi ++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 ++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 ++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e ++8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx ++iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K 
++zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= ++-----END DH PARAMETERS----- ++ +diff --git a/doc/credentials/dhparams/rfc7919-ffdhe6144.pem b/doc/credentials/dhparams/rfc7919-ffdhe6144.pem +new file mode 100644 +index 000000000..d8239bb05 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc7919-ffdhe6144.pem +@@ -0,0 +1,19 @@ ++-----BEGIN DH PARAMETERS----- ++MIIDCAKCAwEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a ++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 ++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi ++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 ++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 ++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e ++8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx ++iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K ++zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eDdkCC/1ktkUDbHpOZ30sOFMq ++OiO6RELK9T6mO7RUMpt2JMiRe91kscD9TLOOjDNMcBw6za0GV/zP7HGbH1w+TkYE ++HziBR/tM/bR3pSRx96mpaRC4VTIu22NA2KAO8JI1BRHjCr7B//njom5/sp+MGDAj ++w1h+ONoAd9m0dj5OS5Syu8GUxmUed8r5ku6qwCMqKBv2s6c5wSJhFoIK6NtYR6Z8 ++vvnJCRtGLVOM1ysDdGrnf15iKSwxFWKoRlBdyC24VDOK5J9SNclbkReMzy3Vys70 ++A+ydGBDGJysEWztx+dxrgNY/3UqOmtseaWKmlSbUMWHBpB1XDXk42tSkDjKc0OQO ++Zf//////////AgEC ++-----END DH PARAMETERS----- +diff --git a/doc/credentials/dhparams/rfc7919-ffdhe8192.pem b/doc/credentials/dhparams/rfc7919-ffdhe8192.pem +new file mode 100644 +index 000000000..4484cf885 +--- /dev/null ++++ b/doc/credentials/dhparams/rfc7919-ffdhe8192.pem +@@ -0,0 +1,24 @@ ++-----BEGIN DH PARAMETERS----- ++MIIECAKCBAEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz +++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a ++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi ++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD ++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 ++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 ++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e ++8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx ++iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K ++zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eDdkCC/1ktkUDbHpOZ30sOFMq ++OiO6RELK9T6mO7RUMpt2JMiRe91kscD9TLOOjDNMcBw6za0GV/zP7HGbH1w+TkYE ++HziBR/tM/bR3pSRx96mpaRC4VTIu22NA2KAO8JI1BRHjCr7B//njom5/sp+MGDAj ++w1h+ONoAd9m0dj5OS5Syu8GUxmUed8r5ku6qwCMqKBv2s6c5wSJhFoIK6NtYR6Z8 ++vvnJCRtGLVOM1ysDdGrnf15iKSwxFWKoRlBdyC24VDOK5J9SNclbkReMzy3Vys70 ++A+ydGBDGJysEWztx+dxrgNY/3UqOmtseaWKmlSbUMWHBpB1XDXk42tSkDjKcz/Rq ++qjatAEz2AMg4HkJaMdlRrmT9sj/OyVCdQ2h/62nt0cxeC4zDvfZLEO+GtjFCo6uI ++KVVbL3R8kyZlyywPHMAb1wIpOIg50q8F5FRQSseLdYKCKEbAujXDX1xZFgzARv2C ++UVQfxoychrAiu3CZh2pGDnRRqKkxCXA/7hwhfmw4JuUsUappHg5CPPyZ6eMWUMEh ++e2JIFs2tmpX51bgBlIjZwKCh/jB1pXfiMYP4HUo/L6RXHvyM4LqKT+i2hV3+crCm ++bt7S+6v75Yow+vq+HF1xqH4vdB74wf6G/qa7/eUwZ38Nl9EdSfeoRD0IIuUGqfRh ++TgEeKpSDj/iM1oyLt8XGQkz//////////wIBAg== ++-----END DH PARAMETERS----- +diff --git a/lib/auth/dh_common.c b/lib/auth/dh_common.c +index 19c205bbe..252eea0cb 100644 +--- a/lib/auth/dh_common.c ++++ b/lib/auth/dh_common.c +@@ -257,6 +257,14 @@ _gnutls_proc_dh_common_server_kx(gnutls_session_t session, + } + } + ++#ifdef ENABLE_FIPS140 ++ if (gnutls_fips140_mode_enabled() && ++ !_gnutls_dh_prime_is_fips_approved(data_p, n_p, data_g, n_g)) { ++ gnutls_assert(); ++ return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; ++ } ++#endif ++ + if (_gnutls_mpi_init_scan_nz(&session->key.proto.tls12.dh.params.params[DH_G], data_g, _n_g) != 0) { + gnutls_assert(); + return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; +diff --git a/lib/dh-primes.c b/lib/dh-primes.c +index 5d2dce0fb..a43a8e5de 100644 +--- 
a/lib/dh-primes.c ++++ b/lib/dh-primes.c +@@ -1893,4 +1893,38 @@ const gnutls_datum_t gnutls_modp_8192_group_generator = { + }; + const unsigned int gnutls_modp_8192_key_bits = 512; + ++unsigned ++_gnutls_dh_prime_is_fips_approved(const uint8_t *prime, ++ size_t prime_size, ++ const uint8_t *generator, ++ size_t generator_size) ++{ ++ static const struct { ++ const gnutls_datum_t *prime; ++ const gnutls_datum_t *generator; ++ } primes[] = { ++ { &gnutls_ffdhe_8192_group_prime, &gnutls_ffdhe_8192_group_generator }, ++ { &gnutls_ffdhe_6144_group_prime, &gnutls_ffdhe_6144_group_generator }, ++ { &gnutls_ffdhe_4096_group_prime, &gnutls_ffdhe_4096_group_generator }, ++ { &gnutls_ffdhe_3072_group_prime, &gnutls_ffdhe_3072_group_generator }, ++ { &gnutls_ffdhe_2048_group_prime, &gnutls_ffdhe_2048_group_generator }, ++ { &gnutls_modp_8192_group_prime, &gnutls_modp_8192_group_generator }, ++ { &gnutls_modp_6144_group_prime, &gnutls_modp_6144_group_generator }, ++ { &gnutls_modp_4096_group_prime, &gnutls_modp_4096_group_generator }, ++ { &gnutls_modp_3072_group_prime, &gnutls_modp_3072_group_generator }, ++ { &gnutls_modp_2048_group_prime, &gnutls_modp_2048_group_generator }, ++ }; ++ size_t i; ++ ++ for (i = 0; i < sizeof(primes) / sizeof(primes[0]); i++) { ++ if (primes[i].prime->size == prime_size && ++ memcmp(primes[i].prime->data, prime, primes[i].prime->size) == 0 && ++ primes[i].generator->size == generator_size && ++ memcmp(primes[i].generator->data, generator, primes[i].generator->size) == 0) ++ return 1; ++ } ++ ++ return 0; ++} ++ + #endif +diff --git a/lib/dh.h b/lib/dh.h +index a64a4eb5e..672451947 100644 +--- a/lib/dh.h ++++ b/lib/dh.h +@@ -60,4 +60,10 @@ extern const gnutls_datum_t gnutls_modp_2048_group_q; + extern const gnutls_datum_t gnutls_modp_2048_group_generator; + extern const unsigned int gnutls_modp_2048_key_bits; + ++unsigned ++_gnutls_dh_prime_is_fips_approved(const uint8_t *prime, ++ size_t prime_size, ++ const uint8_t *generator, ++ size_t 
generator_size); ++ + #endif /* GNUTLS_LIB_DH_H */ +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 7cdf828e0..13d7ba385 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -522,6 +522,8 @@ endif + + dist_check_SCRIPTS += gnutls-cli-self-signed.sh gnutls-cli-invalid-crl.sh gnutls-cli-rawpk.sh + ++dist_check_SCRIPTS += dh-fips-approved.sh ++ + if ENABLE_PKCS11 + dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh + +diff --git a/tests/client-sign-md5-rep.c b/tests/client-sign-md5-rep.c +index 1c7877fbd..b1ad46ce9 100644 +--- a/tests/client-sign-md5-rep.c ++++ b/tests/client-sign-md5-rep.c +@@ -468,6 +468,11 @@ void doit(void) + int sockets[2]; + int err; + ++ /* tls1_hello contains ServerKeyExchange with custom DH ++ * parameters */ ++ if (gnutls_fips140_mode_enabled()) ++ exit(77); ++ + signal(SIGPIPE, SIG_IGN); + + err = socketpair(AF_UNIX, SOCK_STREAM, 0, sockets); +diff --git a/tests/dh-fips-approved.sh b/tests/dh-fips-approved.sh +new file mode 100755 +index 000000000..136dd15f3 +--- /dev/null ++++ b/tests/dh-fips-approved.sh +@@ -0,0 +1,127 @@ ++#!/bin/sh ++ ++# Copyright (C) 2017 Nikos Mavrogiannopoulos ++# ++# Author: Nikos Mavrogiannopoulos ++# ++# This file is part of GnuTLS. ++# ++# GnuTLS is free software; you can redistribute it and/or modify it ++# under the terms of the GNU General Public License as published by the ++# Free Software Foundation; either version 3 of the License, or (at ++# your option) any later version. ++# ++# GnuTLS is distributed in the hope that it will be useful, but ++# WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public License ++# along with this program. 
If not, see ++ ++srcdir="${srcdir:-.}" ++SERV="${SERV:-../src/gnutls-serv${EXEEXT}}" ++CLI="${CLI:-../src/gnutls-cli${EXEEXT}}" ++unset RETCODE ++ ++if ! test -x "${SERV}"; then ++ exit 77 ++fi ++ ++if ! test -x "${CLI}"; then ++ exit 77 ++fi ++ ++if test "${WINDIR}" != ""; then ++ exit 77 ++fi ++ ++if ! test -z "${VALGRIND}"; then ++ VALGRIND="${LIBTOOL:-libtool} --mode=execute ${VALGRIND} --error-exitcode=15" ++fi ++ ++ ++SERV="${SERV} -q" ++ ++. "${srcdir}/scripts/common.sh" ++ ++KEY1=${srcdir}/../doc/credentials/x509/key-rsa.pem ++CERT1=${srcdir}/../doc/credentials/x509/cert-rsa.pem ++CA1=${srcdir}/../doc/credentials/x509/ca.pem ++ ++ALLOWED_PARAMS=" ++rfc3526-group-14-2048 ++rfc3526-group-15-3072 ++rfc3526-group-16-4096 ++rfc3526-group-17-6144 ++rfc3526-group-18-8192 ++rfc7919-ffdhe2048 ++rfc7919-ffdhe3072 ++rfc7919-ffdhe4096 ++rfc7919-ffdhe6144 ++rfc7919-ffdhe8192 ++" ++ ++DISALLOWED_PARAMS=" ++rfc2409-group-2-1024 ++rfc3526-group-5-1536 ++rfc5054-1024 ++rfc5054-1536 ++rfc5054-2048 ++rfc5054-3072 ++rfc5054-4096 ++rfc5054-6144 ++rfc5054-8192 ++rfc5114-group-22-1024 ++rfc5114-group-23-2048 ++rfc5114-group-24-2048 ++" ++ ++OPTS="--priority=NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+DHE-RSA:+AES-128-GCM:-GROUP-ALL" ++ ++for params in $ALLOWED_PARAMS; do ++ echo "Checking with approved DH params: $params" ++ ++ PARAMS=${srcdir}/../doc/credentials/dhparams/${params}.pem ++ ++ eval "${GETPORT}" ++ launch_server $$ ${OPTS} --x509keyfile ${KEY1} --x509certfile ${CERT1} --dhparams ${PARAMS} ++ PID=$! ++ wait_server ${PID} ++ ++ ${VALGRIND} "${CLI}" ${OPTS} -p "${PORT}" 127.0.0.1 --verify-hostname=localhost --x509cafile ${CA1} /dev/null || \ ++ fail ${PID} "handshake should have succeeded!" 
++ ++ kill ${PID} ++ wait ++done ++ ++for params in $DISALLOWED_PARAMS; do ++ echo "Checking with non-approved DH params: $params" ++ ++ PARAMS=${srcdir}/../doc/credentials/dhparams/${params}.pem ++ ++ eval "${GETPORT}" ++ launch_server $$ ${OPTS} --x509keyfile ${KEY1} --x509certfile ${CERT1} --dhparams ${PARAMS} ++ PID=$! ++ wait_server ${PID} ++ ++ ${VALGRIND} "${CLI}" ${OPTS} -p "${PORT}" 127.0.0.1 --verify-hostname=localhost --x509cafile ${CA1} /dev/null ++ ++ RET=$? ++ ++ if test $RET -eq 0; then ++ if test "${GNUTLS_FORCE_FIPS_MODE}" = 1; then ++ fail ${PID} "handshake should have failed (FIPS mode 1)!" ++ fi ++ else ++ if test "${GNUTLS_FORCE_FIPS_MODE}" != 1; then ++ fail ${PID} "handshake should have succeeded (FIPS mode 0)!" ++ fi ++ fi ++ ++ kill ${PID} ++ wait ++done ++ ++exit 0 +diff --git a/tests/utils.c b/tests/utils.c +index 9186a1757..60cd79b35 100644 +--- a/tests/utils.c ++++ b/tests/utils.c +@@ -50,47 +50,41 @@ int debug = 0; + int error_count = 0; + int break_on_error = 0; + ++/* doc/credentials/dhparams/rfc3526-group-14-2048.pem */ + const char *pkcs3 = + "-----BEGIN DH PARAMETERS-----\n" +- "MIGGAoGAtkxw2jlsVCsrfLqxrN+IrF/3W8vVFvDzYbLmxi2GQv9s/PQGWP1d9i22\n" +- "P2DprfcJknWt7KhCI1SaYseOQIIIAYP78CfyIpGScW/vS8khrw0rlQiyeCvQgF3O\n" +- "GeGOEywcw+oQT4SmFOD7H0smJe2CNyjYpexBXQ/A0mbTF9QKm1cCAQU=\n" ++ "MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n" ++ "IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n" ++ "awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n" ++ "mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n" ++ "fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n" ++ "5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==\n" + "-----END DH PARAMETERS-----\n"; + ++/* doc/credentials/dhparams/rfc7919-ffdhe2048.pem */ + const char *pkcs3_2048 = + "-----BEGIN DH PARAMETERS-----\n" +- "MIICDgKCAQEAvVNCqM8M9ZoVYBKEkV2KN8ELHHJ75aTZiK9z6170iKSgbITkOxsd\n" +- 
"aBCLzHZd7d6/2aNofUeuWdDGHm73d8v53ma2HRVCNESeC2LKsEDFG9FjjUeugvfl\n" +- "zb85TLZwWT9Lb35Ddhdk7CtxoukjS0/JkCE+8RGzmk5+57N8tNffs4aSSHSe4+cw\n" +- "i4wULDxiG2p052czAMP3YR5egWvMuiByhy0vKShiZmOy1/Os5r6E/GUF+298gDjG\n" +- "OeaEUF9snrTcoBwB4yNjVSEbuAh5fMd5zFtz2+dzrk9TYZ44u4DQYkgToW05WcmC\n" +- "+LG0bLAH6lrJR5OMgyheZEo6F20z/d2yyQKCAQEAtzcuTHW61SFQiDRouk6eD0Yx\n" +- "0k1RJdaQdlRf6/Dcc6lEqnbezL90THzvxkBwfJ5jG1VZE7JlVCvLRkBtgb0/6SCf\n" +- "MATfEKG2JMOnKsJxvidmKEp4uN32LketXRrrEBl7rS+HABEfKAzqx+J6trBaq25E\n" +- "7FVJFsyoa8IL8N8YUWwhE2UuEfmiqQQaeoIUYC/xD2arMXn9N0W84Nyy2S9IL4ct\n" +- "e3Azi1Wc8MMfpbxxDRxXCnM2uMkLYWs1lQmcUUX+Uygv3P8lgS+RJ1Pi3+BWMx0S\n" +- "ocsZXqOr6dbEF1WOLObQRK7h/MZp80iVUyrBgX0MbVFN9M5i2u4KKTG95VKRtgIC\n" +- "AQA=\n" "-----END DH PARAMETERS-----\n"; ++ "MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" ++ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" ++ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" ++ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" ++ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" ++ "ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==\n" ++ "-----END DH PARAMETERS-----\n"; + ++/* doc/credentials/dhparams/rfc7919-ffdhe3072.pem */ + const char *pkcs3_3072 = + "-----BEGIN DH PARAMETERS-----\n" +- "MIIDDgKCAYEAtRUay8nDgwE5dSVzW525wEu/d0vrFolvYJSevxg2myj5S+gr3Fgq\n" +- "OGaZc4zrBxkxsELc7GuCqaXSOWL4yobT8N05yGbYWkWRPf4crRMx3P7/Gba9WsmH\n" +- "BlL71uPf1IN9CanAlabkhV89RKiYaCpUI19+/sq+N2dO874ToBZCNhxZnTgRZ+po\n" +- "Gdr6XWM0lQ8imIKSer0px3ZHI+/5gmyPry35tGpwlbyclJAg3wlTSdnqDcLxq7AF\n" +- "OZ23PzC3ij7SFErOX9EFBdS2bjtU47O3OkPc9EIYMEv5nwnXICLHslwVifmURAjV\n" +- "LfpObL8LYGN4Gac4tFxuDa0PMg0ES5ADugYBwdRFTAtCy5WOYXINzAAOrH9MommT\n" +- "rMkELf7JOCaV2ktBsvTlrgMAXeyqbf2YSG6CGjj4QnUuqPybSgwPru7VlahsS2lo\n" +- "qjutBPpgIxS53o97Wi3V5kQedKJiNuIDNnJMFNuTADAM+OYwClTH7ZSwTsxEgVpr\n" +- "tMH+WnTI7KTJAoIBgQCrELwIUB4oNbf0x+fIpVndhDpl/WcFc/lDtmiRuym5gWbb\n" +- 
"NPeI+1rdhnS2R3+nCJODFQTcPNMgIJuSu2EnDCSs5xJ2k08SAgSzyxEdjBpY7qJe\n" +- "+lJPJ12zhcl0vgcvMhb/YgqVe2MKz0RvnYZPwHM/aJbjYjq/6OpK3fVw4M1ZccBK\n" +- "QD4OHK8HOvGU7Wf6kRIcxUlfn15spMCIsrAZQBddWLmQgktsxJNUS+AnaPwTBoOv\n" +- "nGCr1vzw8OS1DtS03VCmtqt3otXhJ3D2oCIG6ogxVAKfHR30KIfzZLBfmCjdzHmH\n" +- "x4OwYTN1wy5juA438QtiDtcgK60ZqSzQO08ZklRncA/TkkyEH6kPn5KSh/hW9O3D\n" +- "KZeAY/KF0/Bc1XNtqPEYFb7Vo3rbTsyjXkICN1Hk9S0OIKL42K7rWBepO9KuddSd\n" +- "aXgH9staP0HXCyyW1VAyqo0TwcWDhE/R7IQQGGwGyd4rD0T+ySW/t09ox23O6X8J\n" +- "FSp6mOVNcuvhB5U2gW8CAgEA\n" "-----END DH PARAMETERS-----\n"; ++ "MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" ++ "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" ++ "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" ++ "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" ++ "7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" ++ "ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n" ++ "7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n" ++ "nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu\n" ++ "N///////////AgEC\n" ++ "-----END DH PARAMETERS-----\n"; + + void _fail(const char *format, ...) + { +-- +2.26.2 + diff --git a/SOURCES/gnutls-3.6.14-fips-mode-check.patch b/SOURCES/gnutls-3.6.14-fips-mode-check.patch new file mode 100644 index 0000000..af9862f --- /dev/null +++ b/SOURCES/gnutls-3.6.14-fips-mode-check.patch 
@@ -0,0 +1,42 @@ +From d1dc655cd2c8ae417381e5f966941c75cfe287ee Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 4 Jun 2020 16:42:07 +0200 +Subject: [PATCH] _gnutls_fips_mode_enabled: treat selftest failure as FIPS + disabled + +Previously gnutls_fips140_mode_enabled() returned true, even after +selftests have failed and the library state has switched to error. +While later calls to crypto operations fails, it would be more +convenient to have a function to detect that state. + +Signed-off-by: Daiki Ueno +--- + lib/fips.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/lib/fips.c b/lib/fips.c +index acdd2ec23..f8b10f750 100644 +--- a/lib/fips.c ++++ b/lib/fips.c +@@ -491,8 +491,17 @@ unsigned gnutls_fips140_mode_enabled(void) + #ifdef ENABLE_FIPS140 + unsigned ret = _gnutls_fips_mode_enabled(); + +- if (ret > GNUTLS_FIPS140_DISABLED) ++ if (ret > GNUTLS_FIPS140_DISABLED) { ++ /* If the previous run of selftests has failed, return as if ++ * the FIPS mode is disabled. We could use HAVE_LIB_ERROR, if ++ * we can assume that all the selftests run atomically from ++ * the ELF constructor. ++ */ ++ if (_gnutls_get_lib_state() == LIB_STATE_ERROR) ++ return 0; ++ + return ret; ++ } + #endif + return 0; + } +-- +2.26.2 + diff --git a/SOURCES/gnutls-3.6.14-fix-iovec-memory-leak.patch b/SOURCES/gnutls-3.6.14-fix-iovec-memory-leak.patch new file mode 100644 index 0000000..15b2c51 --- /dev/null +++ b/SOURCES/gnutls-3.6.14-fix-iovec-memory-leak.patch 
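Review bot: The new early return makes gnutls_fips140_mode_enabled() report 0 both when FIPS mode was never configured and when the selftests failed and the library sits in LIB_STATE_ERROR, and nothing in the hunk lets a caller tell the two apart; a caller that uses 0 to relax a FIPS-only restriction (the DH parameter check elsewhere in this import gates on exactly this function) then takes the non-FIPS path and is only kept safe by the later crypto calls failing. The function's doc comment, which lies outside the hunk (the function starts before it), should state this explicitly, e.g. `Returns 0 also while the library is in the error state after a failed selftest; every crypto operation fails in that state, so 0 must not be read as "non-FIPS build, unrestricted".` The commit message itself notes that a dedicated state query would be more convenient, which argues for adding one rather than overloading this return value. The `HAVE_LIB_ERROR` remark in the added comment reads as an open question and should either be resolved or dropped before it reaches a released library.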
@@ -0,0 +1,152 @@ +From 6fbff7fc8aabeee2254405f254220bbe8c05c67d Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Fri, 5 Jun 2020 16:26:33 +0200 +Subject: [PATCH] crypto-api: always allocate memory when serializing iovec_t + +The AEAD iov interface falls back to serializing the input buffers if +the low-level cipher doesn't support scatter/gather encryption. +However, there was a bug in the functions used for the serialization, +which causes memory leaks under a certain condition (i.e. the number +of input buffers is 1). + +This patch makes the logic of the functions simpler, by removing a +micro-optimization that tries to minimize the number of calls to +malloc/free. + +The original problem was reported by Marius Steffen in: +https://bugzilla.samba.org/show_bug.cgi?id=14399 +and the cause was investigated by Alexander Haase in: +https://gitlab.com/gnutls/gnutls/-/merge_requests/1277 + +Signed-off-by: Daiki Ueno +--- + lib/crypto-api.c | 36 +++++++++++------------------------- + tests/aead-cipher-vec.c | 33 ++++++++++++++++++--------------- + 2 files changed, 29 insertions(+), 40 deletions(-) + +diff --git a/lib/crypto-api.c b/lib/crypto-api.c +index 45be64ed1..8524f5ed4 100644 +--- a/lib/crypto-api.c ++++ b/lib/crypto-api.c +@@ -891,32 +891,23 @@ gnutls_aead_cipher_encrypt(gnutls_aead_cipher_hd_t handle, + struct iov_store_st { + void *data; + size_t size; +- unsigned allocated; + }; + + static void iov_store_free(struct iov_store_st *s) + { +- if (s->allocated) { +- gnutls_free(s->data); +- s->allocated = 0; +- } ++ gnutls_free(s->data); + } + + static int iov_store_grow(struct iov_store_st *s, size_t length) + { +- if (s->allocated || s->data == NULL) { +- s->size += length; +- s->data = gnutls_realloc(s->data, s->size); +- if (s->data == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- s->allocated = 1; +- } else { +- void *data = s->data; +- size_t size = s->size + length; +- s->data = gnutls_malloc(size); +- memcpy(s->data, data, s->size); +- 
s->size += length; +- } ++ void *data; ++ ++ s->size += length; ++ data = gnutls_realloc(s->data, s->size); ++ if (data == NULL) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ s->data = data; + return 0; + } + +@@ -926,11 +917,6 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + memset(dst, 0, sizeof(*dst)); + if (iovcnt == 0) { + return 0; +- } else if (iovcnt == 1) { +- dst->data = iov[0].iov_base; +- dst->size = iov[0].iov_len; +- /* implies: dst->allocated = 0; */ +- return 0; + } else { + int i; + uint8_t *p; +@@ -944,11 +930,11 @@ copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) + + p = dst->data; + for (i=0;i 0) ++ memcpy(p, iov[i].iov_base, iov[i].iov_len); + p += iov[i].iov_len; + } + +- dst->allocated = 1; + return 0; + } + } +diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c +index fba9010d9..6a30a35f7 100644 +--- a/tests/aead-cipher-vec.c ++++ b/tests/aead-cipher-vec.c +@@ -49,6 +49,7 @@ static void start(const char *name, int algo) + giovec_t auth_iov[2]; + uint8_t tag[64]; + size_t tag_size = 0; ++ size_t i; + + key.data = key16; + key.size = gnutls_cipher_get_key_size(algo); +@@ -82,21 +83,23 @@ static void start(const char *name, int algo) + if (ret < 0) + fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); + +- ret = gnutls_aead_cipher_encryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, &tag_size); +- if (ret < 0) +- fail("could not encrypt data: %s\n", gnutls_strerror(ret)); +- +- ret = gnutls_aead_cipher_decryptv2(ch, +- iv.data, iv.size, +- auth_iov, 2, +- iov, 3, +- tag, tag_size); +- if (ret < 0) +- fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ for (i = 0; i < 2; i++) { ++ ret = gnutls_aead_cipher_encryptv2(ch, ++ iv.data, iv.size, ++ auth_iov, 2, ++ iov, i + 1, ++ tag, &tag_size); ++ if (ret < 0) ++ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); ++ ++ ret = gnutls_aead_cipher_decryptv2(ch, ++ iv.data, iv.size, ++ 
auth_iov, 2, ++ iov, i + 1, ++ tag, tag_size); ++ if (ret < 0) ++ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); ++ } + + gnutls_aead_cipher_deinit(ch); + } +-- +2.25.4 + diff --git a/SOURCES/gnutls-3.6.14-memcmp.patch b/SOURCES/gnutls-3.6.14-memcmp.patch new file mode 100644 index 0000000..a211c97 --- /dev/null +++ b/SOURCES/gnutls-3.6.14-memcmp.patch 
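Review bot: In the rewritten iov_store_grow, `s->size += length;` runs before gnutls_realloc is known to succeed, so on GNUTLS_E_MEMORY_ERROR the store records a size larger than its actual allocation while s->data still points at the old buffer; the old code had the same ordering, but now that every path allocates it is worth making the update transactional so a later reader of s->size cannot walk past the buffer. The fix below keeps the interface and only reorders the assignments. Separately, the store now always holds a heap copy of the caller's AEAD input, and iov_store_free only calls gnutls_free; whether that copy should be wiped before release depends on what callers pass through this path, which is not visible here, so it is worth a comment at iov_store_free stating the decision. The length summation in copy_from_iov that feeds iov_store_grow is outside the visible part of the hunk, so overflow of that sum could not be checked here.
```c
static int iov_store_grow(struct iov_store_st *s, size_t length)
{
	void *data;
	size_t new_size = s->size + length;

	data = gnutls_realloc(s->data, new_size);
	if (data == NULL)
		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);

	/* commit both fields only once the allocation is known good */
	s->data = data;
	s->size = new_size;
	return 0;
}
```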
@@ -0,0 +1,131 @@ +From 9acc0f68320db4c7c6dadacb974e77c7fbca72a7 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 21 Jun 2020 16:03:54 +0200 +Subject: [PATCH] safe_memcmp: remove in favor of gnutls_memcmp + +Signed-off-by: Daiki Ueno +--- + lib/accelerated/x86/aes-xts-x86-aesni.c | 2 +- + lib/ext/pre_shared_key.c | 2 +- + lib/mem.h | 9 --------- + lib/nettle/cipher.c | 8 ++++---- + lib/tls13/finished.c | 2 +- + lib/x509/x509.c | 3 ++- + 6 files changed, 9 insertions(+), 17 deletions(-) + +diff --git a/lib/accelerated/x86/aes-xts-x86-aesni.c b/lib/accelerated/x86/aes-xts-x86-aesni.c +index 3371d0812..b904cbf00 100644 +--- a/lib/accelerated/x86/aes-xts-x86-aesni.c ++++ b/lib/accelerated/x86/aes-xts-x86-aesni.c +@@ -72,7 +72,7 @@ x86_aes_xts_cipher_setkey(void *_ctx, const void *userkey, size_t keysize) + + /* Check key block according to FIPS-140-2 IG A.9 */ + if (_gnutls_fips_mode_enabled()){ +- if (safe_memcmp(key, key + (keysize / 2), keysize / 2) == 0) { ++ if (gnutls_memcmp(key, key + (keysize / 2), keysize / 2) == 0) { + _gnutls_switch_lib_state(LIB_STATE_ERROR); + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + } +diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c +index fef67d341..240be2162 100644 +--- a/lib/ext/pre_shared_key.c ++++ b/lib/ext/pre_shared_key.c +@@ -650,7 +650,7 @@ static int server_recv_params(gnutls_session_t session, + } + + if (_gnutls_mac_get_algo_len(prf) != binder_recvd.size || +- safe_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) { ++ gnutls_memcmp(binder_value, binder_recvd.data, binder_recvd.size)) { + gnutls_assert(); + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto fail; +diff --git a/lib/mem.h b/lib/mem.h +index dc838a2b4..d3eea97a4 100644 +--- a/lib/mem.h ++++ b/lib/mem.h +@@ -35,15 +35,6 @@ char *_gnutls_strdup(const char *); + + unsigned _gnutls_mem_is_zero(const uint8_t *ptr, unsigned size); + +-/* To avoid undefined behavior when s1 or s2 are null and n = 0 */ +-inline static +-int 
safe_memcmp(const void *s1, const void *s2, size_t n) +-{ +- if (n == 0) +- return 0; +- return memcmp(s1, s2, n); +-} +- + #define zrelease_mpi_key(mpi) if (*mpi!=NULL) { \ + _gnutls_mpi_clear(*mpi); \ + _gnutls_mpi_release(mpi); \ +diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c +index b0a52deb5..ec0c1ab04 100644 +--- a/lib/nettle/cipher.c ++++ b/lib/nettle/cipher.c +@@ -482,7 +482,7 @@ _xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, + const uint8_t *key) + { + if (_gnutls_fips_mode_enabled() && +- safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) ++ gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes128_set_encrypt_key(xts_key, key); +@@ -493,7 +493,7 @@ _xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, + const uint8_t *key) + { + if (_gnutls_fips_mode_enabled() && +- safe_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) ++ gnutls_memcmp(key, key + AES128_KEY_SIZE, AES128_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes128_set_decrypt_key(xts_key, key); +@@ -504,7 +504,7 @@ _xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, + const uint8_t *key) + { + if (_gnutls_fips_mode_enabled() && +- safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) ++ gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes256_set_encrypt_key(xts_key, key); +@@ -515,7 +515,7 @@ _xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, + const uint8_t *key) + { + if (_gnutls_fips_mode_enabled() && +- safe_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) ++ gnutls_memcmp(key, key + AES256_KEY_SIZE, AES256_KEY_SIZE) == 0) + _gnutls_switch_lib_state(LIB_STATE_ERROR); + + xts_aes256_set_decrypt_key(xts_key, key); +diff --git a/lib/tls13/finished.c b/lib/tls13/finished.c +index 68eab993e..ec646e673 100644 +--- a/lib/tls13/finished.c ++++ 
b/lib/tls13/finished.c +@@ -112,7 +112,7 @@ int _gnutls13_recv_finished(gnutls_session_t session) + #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) + # warning This is unsafe for production builds + #else +- if (safe_memcmp(verifier, buf.data, buf.length) != 0) { ++ if (gnutls_memcmp(verifier, buf.data, buf.length) != 0) { + gnutls_assert(); + ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET; + goto cleanup; +diff --git a/lib/x509/x509.c b/lib/x509/x509.c +index 2091f3ae6..2b68fe440 100644 +--- a/lib/x509/x509.c ++++ b/lib/x509/x509.c +@@ -360,7 +360,8 @@ static int compare_sig_algorithm(gnutls_x509_crt_t cert) + } + + if (empty1 != empty2 || +- sp1.size != sp2.size || safe_memcmp(sp1.data, sp2.data, sp1.size) != 0) { ++ sp1.size != sp2.size || ++ (sp1.size > 0 && memcmp(sp1.data, sp2.data, sp1.size) != 0)) { + gnutls_assert(); + ret = GNUTLS_E_CERTIFICATE_ERROR; + goto cleanup; +-- +2.26.2 + diff --git a/SOURCES/gnutls-3.6.14-totp-init.patch b/SOURCES/gnutls-3.6.14-totp-init.patch deleted file mode 100644 index f5f6d51..0000000 --- a/SOURCES/gnutls-3.6.14-totp-init.patch +++ /dev/null 
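Review bot: The x509.c site is the only one where the removed safe_memcmp becomes plain memcmp rather than gnutls_memcmp, and the new `sp1.size > 0 &&` guard is carrying the zero-length/NULL concern that the deleted helper's comment documented, so the reasoning deserves a comment on that line: `/* AlgorithmIdentifier parameters are public data, so a non-constant-time compare is acceptable; the size guard keeps memcmp(NULL, NULL, 0) out of the comparison */`. The other call sites now rely on gnutls_memcmp tolerating a zero length with possibly NULL pointers; finished.c passes buf.length with no guard in the hunk (its length check presumably sits earlier in _gnutls13_recv_finished, which starts outside the hunk), so if gnutls_memcmp does not promise that, the removed guard was doing real work there and should be restored. Moving the PSK binder, Finished verifier and XTS key-half comparisons to gnutls_memcmp is the right direction, since all four compare secret-derived material where a timing-dependent memcmp is a side channel.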
@@ -1,85 +0,0 @@ -From c2646aeee94e71cb15c90a3147cf3b5b0ca158ca Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 2 Jun 2020 20:53:11 +0200 -Subject: [PATCH] stek: differentiate initial state from valid time window of - TOTP - -There was a confusion in the TOTP implementation in stek.c. When the -mechanism is initialized at the first time, it records the timestamp -but doesn't initialize the key. This removes the timestamp recording -at the initialization phase, so the key is properly set later. - -Signed-off-by: Daiki Ueno ---- - lib/stek.c | 17 +++++------------ - tests/resume-with-previous-stek.c | 4 ++-- - tests/tls13/prf-early.c | 8 ++++---- - 3 files changed, 11 insertions(+), 18 deletions(-) - -diff --git a/lib/stek.c b/lib/stek.c -index 2f885cee3..5ab9e7d2d 100644 ---- a/lib/stek.c -+++ b/lib/stek.c -@@ -323,20 +323,13 @@ int _gnutls_initialize_session_ticket_key_rotation(gnutls_session_t session, con - if (unlikely(session == NULL || key == NULL)) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - -- if (session->key.totp.last_result == 0) { -- int64_t t; -- memcpy(session->key.initial_stek, key->data, key->size); -- t = totp_next(session); -- if (t < 0) -- return gnutls_assert_val(t); -+ if (unlikely(session->key.totp.last_result != 0)) -+ return GNUTLS_E_INVALID_REQUEST; - -- session->key.totp.last_result = t; -- session->key.totp.was_rotated = 0; -- -- return GNUTLS_E_SUCCESS; -- } -+ memcpy(session->key.initial_stek, key->data, key->size); - -- return GNUTLS_E_INVALID_REQUEST; -+ session->key.totp.was_rotated = 0; -+ return 0; - } - - /* -diff --git a/tests/resume-with-previous-stek.c b/tests/resume-with-previous-stek.c -index f212b188b..05c1c9086 100644 ---- a/tests/resume-with-previous-stek.c -+++ b/tests/resume-with-previous-stek.c -@@ -196,8 +196,8 @@ static void server(int fd, unsigned rounds, const char *prio) - serverx509cred = NULL; - } - -- if (num_stek_rotations != 2) -- fail("STEK should be rotated exactly twice (%d)!\n", 
num_stek_rotations); -+ if (num_stek_rotations != 3) -+ fail("STEK should be rotated exactly three times (%d)!\n", num_stek_rotations); - - if (serverx509cred) - gnutls_certificate_free_credentials(serverx509cred); -diff --git a/tests/tls13/prf-early.c b/tests/tls13/prf-early.c -index 414b1db5e..bc3196248 100644 ---- a/tests/tls13/prf-early.c -+++ b/tests/tls13/prf-early.c -@@ -123,10 +123,10 @@ static void dump(const char *name, const uint8_t *data, unsigned data_size) - } \ - } - --#define KEY_EXP_VALUE "\xc0\x1e\xc2\xa4\xb7\xb4\x04\xaa\x91\x5d\xaf\xe8\xf7\x4d\x19\xdf\xd0\xe6\x08\xd6\xb4\x3b\xcf\xca\xc9\x32\x75\x3b\xe3\x11\x19\xb1\xac\x68" --#define HELLO_VALUE "\x77\xdb\x10\x0b\xe8\xd0\xb9\x38\xbc\x49\xe6\xbe\xf2\x47\x2a\xcc\x6b\xea\xce\x85\x04\xd3\x9e\xd8\x06\x16\xad\xff\xcd\xbf\x4b" --#define CONTEXT_VALUE "\xf2\x17\x9f\xf2\x66\x56\x87\x66\xf9\x5c\x8a\xd7\x4e\x1d\x46\xee\x0e\x44\x41\x4c\xcd\xac\xcb\xc0\x31\x41\x2a\xb6\xd7\x01\x62" --#define NULL_CONTEXT_VALUE "\xcd\x79\x07\x93\xeb\x96\x07\x3e\xec\x78\x90\x89\xf7\x16\x42\x6d\x27\x87\x56\x7c\x7b\x60\x2b\x20\x44\xd1\xea\x0c\x89\xfb\x8b" -+#define KEY_EXP_VALUE "\xc1\x6b\x6c\xb9\x88\x33\xd5\x28\x80\xec\x27\x87\xa2\x6f\x4b\xd0\x01\x5e\x7f\xca\xd7\xd4\x8a\x3f\xe2\x48\x92\xef\x02\x14\xfb\x81\x90\x04" -+#define HELLO_VALUE "\x2a\x73\xd9\x74\x04\x4e\x0a\x5f\x41\x8a\x09\xcb\x45\x33\x1a\xec\xd3\xfc\xdc\x1b\x2c\x67\x26\xe4\x9c\xfe\x1f\xa5\x74\xf1\x4f" -+#define CONTEXT_VALUE "\x87\xf6\x88\xe3\xd7\xf2\x05\xbc\xa4\x10\xa3\x48\x9f\xf5\xcf\x97\x06\x22\x4e\xfd\x18\x32\x52\x1d\xbd\x26\xf5\x5b\x21\x20\xec" -+#define NULL_CONTEXT_VALUE "\xf9\xca\xfe\x45\x44\x96\xdb\xc5\x41\x8f\x7e\x8e\xd7\xb0\x7d\x19\x45\xaf\x09\xbc\x1e\x82\x94\xac\x55\xe5\xb9\xb4\x3b\xe8\xc0" - - static int handshake_callback_called; - --- -2.26.2 - 
diff --git a/SOURCES/gnutls-3.6.14.tar.xz.sig b/SOURCES/gnutls-3.6.14.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000..3e8c89036896c82d37f3ffa1d51a79613d214b6d GIT binary patch literal 580 zcmV-K0=xZ*0zm`-0SEvq79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0$$go&J7%OWo~ak zXKr;aZ*pe<3JDO_1%!^*=9qB|CJ+B*p!()ZLu=}O_D5D^MH;B6YSJ)F%VI8zl)lEB zWR0(zFHx}~w-dg!?`hI_eAB=APqEmTs7~H>v`$>$EWTn5FhZVp;#hL9@G)%BnYaG6 zks_jclh6>(+0Z{Le6!EZZZ9~@HezQQh&YU?fXBH+txeQ6NDu-*&G7vVj)?89mDX>= zUVS^vs;MCX4~H@CXlnh5dJ`QUf=l0b>^+HAC1lD*XwxWMsqEawl<;UClai7hY1pkt zxv<7BB6^F447ePM6l3H}5>E7PgU*;zT|a$S=J9`GV-1^S(*M+X0fgDiv#L0VS|%5` zPylkjvGgj|!sF>KIiN2l6QmnH`j4gf^O}x35*p1coV_&wXg`WiSt;1kO1Jv6QAw-_ zMjc8jK8^b}nm7w~i#5h~NFU|64AL@trf!(*jtVi2^!EaLm#uM*Yj#;mlK5s7L!y%` z&N9U$h6fOF9t>?F^=8ms_1x6!`&&>NTD}*9zb@Uwd)osy|MnvF!A+e?2pIV?L{r`Q zgqf37JmSW(SlR+Ri~rBx3|fN&@8zB9y0ADK5~1;(R({CAE=$*%7Y*EU_`N}96HAO; zh|(9H5P$(x=F1Z%P7lDV{oaPc32gNI`6S`|9gV$CD*)C2gwrUAa@upIzavlGyKj7E S@sq6z&iwH&F6U3VtKh*E>>GRl literal 0 HcmV?d00001 diff --git a/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch b/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch deleted file mode 100644 index ce51cad..0000000 --- a/SOURCES/gnutls-3.6.5-fix-fips-signature-post.patch +++ /dev/null 
@@ -1,728 +0,0 @@ -From 2c44e9f8b2e7a1ebc65caeb03f9f106d31e30822 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Wed, 3 Apr 2019 13:40:04 +0200 -Subject: [PATCH 1/7] crypto-selftests-pk.c: Move hardcoded values to the top - -The objective of moving these values to the top is to allow them to be -used by other functions, in particular test_sig(). - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - lib/crypto-selftests-pk.c | 224 +++++++++++++++++++------------------- - 1 file changed, 112 insertions(+), 112 deletions(-) - -diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c -index 1aa53ea29..4fadd4161 100644 ---- a/lib/crypto-selftests-pk.c -+++ b/lib/crypto-selftests-pk.c -@@ -107,6 +107,118 @@ static const char gost12_512_key[] = - "KjL7CLBERDm7Yvlv\n" - "-----END PRIVATE KEY-----\n"; - -+/* A precomputed RSA-SHA256 signature using the rsa_key2048 */ -+static const char rsa_sig[] = -+ "\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -+ -+/* ECDSA key and signature */ 
-+static const char ecdsa_secp256r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----\n" -+ "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -+ "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -+ "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -+ "-----END EC PRIVATE KEY-----\n"; -+ -+static const char ecdsa_secp256r1_sig[] = -+ "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; -+ -+#ifdef ENABLE_NON_SUITEB_CURVES -+/* sha256 */ -+static const char ecdsa_secp192r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -+ "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -+ "Fg==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp192r1_sig[] = -+ "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; -+ -+static const char ecdsa_secp224r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -+ "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -+ "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp224r1_sig[] = -+ "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; -+#endif -+ -+static const char ecdsa_secp384r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -+ 
"03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -+ "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -+ "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp384r1_sig[] = -+ "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; -+ -+static const char ecdsa_secp521r1_privkey[] = -+ "-----BEGIN EC PRIVATE KEY-----" -+ "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -+ "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -+ "byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -+ "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -+ "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -+ "-----END EC PRIVATE KEY-----"; -+ -+static const char ecdsa_secp521r1_sig[] = -+ "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; -+ -+/* DSA key and signature */ -+static const char dsa_privkey[] = -+ "-----BEGIN DSA PRIVATE KEY-----\n" -+ "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -+ "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -+ 
"Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -+ "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -+ "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -+ "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -+ "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -+ "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -+ "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -+ "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -+ "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -+ "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -+ "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -+ "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -+ "fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -+ "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -+ "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -+ "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -+ "-----END DSA PRIVATE KEY-----\n"; -+ -+static const char dsa_sig[] = -+ "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; -+ -+static const char gost01_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -+ "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+static const char gost01_sig[] = -+ "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; -+ -+static 
const char gost12_256_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -+ "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+static const char gost12_256_sig[] = -+ "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; -+ -+static const char gost12_512_privkey[] = -+ "-----BEGIN PRIVATE KEY-----\n" -+ "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -+ "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -+ "hsQ3JCCy4xnd5jWT\n" -+ "-----END PRIVATE KEY-----\n"; -+ -+static const char gost12_512_sig[] = -+ "\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; -+ - static int test_rsa_enc(gnutls_pk_algorithm_t pk, - unsigned bits, gnutls_digest_algorithm_t ign) - { -@@ -302,118 +414,6 @@ static int test_sig(gnutls_pk_algorithm_t pk, - return ret; - } - --/* A precomputed RSA-SHA1 signature using the rsa_key2048 */ --static const char rsa_sig[] = -- 
"\x7a\xb3\xf8\xb0\xf9\xf0\x52\x88\x37\x17\x97\x9f\xbe\x61\xb4\xd2\x43\x78\x9f\x79\x92\xd0\xad\x08\xdb\xbd\x3c\x72\x7a\xb5\x51\x59\x63\xd6\x7d\xf1\x9c\x1e\x10\x7b\x27\xab\xf8\xd4\x9d\xcd\xc5\xf9\xae\xf7\x09\x6b\x40\x93\xc5\xe9\x1c\x0f\xb4\x82\xa1\x47\x86\x54\x63\xd2\x4d\x40\x9a\x80\xb9\x38\x45\x69\xa2\xd6\x92\xb6\x69\x7f\x3f\xf3\x5b\xa5\x1d\xac\x06\xad\xdf\x4e\xbb\xe6\xda\x68\x0d\xe5\xab\xef\xd2\xf0\xc5\xd8\xc0\xed\x80\xe2\xd4\x76\x98\xec\x44\xa2\xfc\x3f\xce\x2e\x8b\xc4\x4b\xab\xb0\x70\x24\x52\x85\x2a\x36\xcd\x9a\xb5\x05\x00\xea\x98\x7c\x72\x06\x68\xb1\x38\x44\x16\x80\x6a\x3b\x64\x72\xbb\xfd\x4b\xc9\xdd\xda\x2a\x68\xde\x7f\x6e\x48\x28\xc1\x63\x57\x2b\xde\x83\xa3\x27\x34\xd7\xa6\x87\x18\x35\x10\xff\x31\xd9\x47\xc9\x84\x35\xe1\xaa\xe2\xf7\x98\xfa\x19\xd3\xf1\x94\x25\x2a\x96\xe4\xa8\xa7\x05\x10\x93\x87\xde\x96\x85\xe5\x68\xb8\xe5\x4e\xbf\x66\x85\x91\xbd\x52\x5b\x3d\x9f\x1b\x79\xea\xe3\x8b\xef\x62\x18\x39\x7a\x50\x01\x46\x1b\xde\x8d\x37\xbc\x90\x6c\x07\xc0\x07\xed\x60\xce\x2e\x31\xd6\x8f\xe8\x75\xdb\x45\x21\xc6\xcb"; -- --/* ECDSA key and signature */ --static const char ecdsa_secp256r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----\n" -- "MHcCAQEEIPAKWV7+pZe9c5EubMNfAEKWRQtP/MvlO9HehwHmJssNoAoGCCqGSM49\n" -- "AwEHoUQDQgAE2CNONRio3ciuXtoomJKs3MdbzLbd44VPhtzJN30VLFm5gvnfiCj2\n" -- "zzz7pl9Cv0ECHl6yedNI8QEKdcwCDgEmkQ==\n" -- "-----END EC PRIVATE KEY-----\n"; -- --static const char ecdsa_secp256r1_sig[] = -- "\x30\x45\x02\x21\x00\x9b\x8f\x60\xed\x9e\x40\x8d\x74\x82\x73\xab\x20\x1a\x69\xfc\xf9\xee\x3c\x41\x80\xc0\x39\xdd\x21\x1a\x64\xfd\xbf\x7e\xaa\x43\x70\x02\x20\x44\x28\x05\xdd\x30\x47\x58\x96\x18\x39\x94\x18\xba\xe7\x7a\xf6\x1e\x2d\xba\xb1\xe0\x7d\x73\x9e\x2f\x58\xee\x0c\x2a\x89\xe8\x35"; -- --#ifdef ENABLE_NON_SUITEB_CURVES --/* sha256 */ --static const char ecdsa_secp192r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MF8CAQEEGLjezFcbgDMeApVrdtZHvu/k1a8/tVZ41KAKBggqhkjOPQMBAaE0AzIA" -- "BO1lciKdgxeRH8k64vxcaV1OYIK9akVrW02Dw21MXhRLP0l0wzCw6LGSr5rS6AaL" -- "Fg==" 
"-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp192r1_sig[] = -- "\x30\x34\x02\x18\x5f\xb3\x10\x4b\x4d\x44\x48\x29\x4b\xfd\xa7\x8e\xce\x57\xac\x36\x38\x54\xab\x73\xdb\xed\xb8\x5f\x02\x18\x0b\x8b\xf3\xae\x49\x50\x0e\x47\xca\x89\x1a\x00\xca\x23\xf5\x8d\xd6\xe3\xce\x9a\xff\x2e\x4f\x5c"; -- --static const char ecdsa_secp224r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MGgCAQEEHOKWJFdWdrR/CgVrUeTeawOrJ9GozE9KKx2a8PmgBwYFK4EEACGhPAM6" -- "AAQKQj3YpenWT7lFR41SnBvmj/+Bj+kgzQnaF65qWAtPRJsZXFlLTu3/IUNqSRu9" -- "DqPsk8xBHAB7pA==" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp224r1_sig[] = -- "\x30\x3d\x02\x1c\x76\x03\x8d\x74\xf4\xd3\x09\x2a\xb5\xdf\x6b\x5b\xf4\x4b\x86\xb8\x62\x81\x5d\x7b\x7a\xbb\x37\xfc\xf1\x46\x1c\x2b\x02\x1d\x00\xa0\x98\x5d\x80\x43\x89\xe5\xee\x1a\xec\x46\x08\x04\x55\xbc\x50\xfa\x2a\xd5\xa6\x18\x92\x19\xdb\x68\xa0\x2a\xda"; --#endif -- --static const char ecdsa_secp384r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIGkAgEBBDDevshD6gb+4rZpC9vwFcIwNs4KmGzdqCxyyN40a8uOWRbyf7aHdiSS" -- "03oAyKtc4JCgBwYFK4EEACKhZANiAARO1KkPMno2tnNXx1S9EZkp8SOpDCZ4aobH" -- "IYv8RHnSmKf8I3OKD6TaoeR+1MwJmNJUH90Bj45WXla68/vsPiFcfVKboxsZYe/n" -- "pv8e4ugXagVQVBXNZJ859iYPdJR24vo=" "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp384r1_sig[] = -- "\x30\x66\x02\x31\x00\xbb\x4d\x25\x30\x13\x1b\x3b\x75\x60\x07\xed\x53\x8b\x52\xee\xd8\x6e\xf1\x9d\xa8\x36\x0e\x2e\x20\x31\x51\x11\x48\x78\xdd\xaf\x24\x38\x64\x81\x71\x6b\xa6\xb7\x29\x58\x28\x82\x32\xba\x29\x29\xd9\x02\x31\x00\xeb\x70\x09\x87\xac\x7b\x78\x0d\x4c\x4f\x08\x2b\x86\x27\xe2\x60\x1f\xc9\x11\x9f\x1d\xf5\x82\x4c\xc7\x3d\xb0\x27\xc8\x93\x29\xc7\xd0\x0e\x88\x02\x09\x93\xc2\x72\xce\xa5\x74\x8c\x3d\xe0\x8c\xad"; -- --static const char ecdsa_secp521r1_privkey[] = -- "-----BEGIN EC PRIVATE KEY-----" -- "MIHbAgEBBEGO2n7NN363qSCvJVdlQtCvudtaW4o0fEufXRjE1AsCrle+VXX0Zh0w" -- "Y1slSeDHMndpakoiF+XkQ+bhcB867UV6aKAHBgUrgQQAI6GBiQOBhgAEAQb6jDpo" -- 
"byy1tF8Zucg0TMGUzIN2DK+RZJ3QQRdWdirO25OIC3FoFi1Yird6rpoB6HlNyJ7R" -- "0bNG9Uv34bSHMn8yAFoiqxUCdJZQbEenMoZsi6COaePe3e0QqvDMr0hEWT23Sr3t" -- "LpEV7eZGFfFIJw5wSUp2KOcs+O9WjmoukTWtDKNV" -- "-----END EC PRIVATE KEY-----"; -- --static const char ecdsa_secp521r1_sig[] = -- "\x30\x81\x87\x02\x42\x01\xb8\xcb\x52\x9e\x10\xa8\x49\x3f\xe1\x9e\x14\x0a\xcf\x96\xed\x7e\xab\x7d\x0c\xe1\x9b\xa4\x97\xdf\x01\xf5\x35\x42\x5f\x5b\x28\x15\x24\x33\x6e\x59\x6c\xaf\x10\x8b\x98\x8e\xe9\x4c\x23\x0d\x76\x92\x03\xdd\x6d\x8d\x08\x47\x15\x5b\xf8\x66\x75\x75\x40\xe8\xf4\xa0\x52\x02\x41\x15\x27\x7c\x5f\xa6\x33\xa6\x29\x68\x3f\x55\x8d\x7f\x1d\x4f\x88\xc6\x61\x6e\xac\x21\xdf\x2b\x7b\xde\x76\x9a\xdc\xe6\x3b\x94\x3f\x03\x9c\xa2\xa6\xa3\x63\x39\x48\xbd\x79\x70\x21\xf2\x6b\xff\x58\x66\xf1\x58\xc2\x58\xad\x4f\x84\x14\x5d\x05\x12\x83\xd0\x87\xbd\xf3"; -- --/* DSA key and signature */ --static const char dsa_privkey[] = -- "-----BEGIN DSA PRIVATE KEY-----\n" -- "MIIDTQIBAAKCAQEAh60B6yPMRIT7udq2kKuwnQDohvT1U0w+RJcSr23C05cM/Ovn\n" -- "UP/8Rrj6T8K+uYhMbKgLaZiJJW9q04jaPQk0cfUphbLvRjzVHwE/0Bkb+Y1Rv7ni\n" -- "Jot2IFMq5iuNraf889PC0WREvFCcIkSFY2Ac4WT7mCcBtfx/raGFXDUjcUrJ0HwZ\n" -- "IOhjQDfcXUsztuyYsYA75ociEY8kyDZq/ixyr5++R1VjNf30Re8AbQlXOEGxEN5t\n" -- "t+Tvpq8K5L3prQs2KNSzyOUmedjb/ojH4T4qe/RL9EVjjeuIGHDNUT6F197yZ91y\n" -- "qLLTf1WjnUyZcKij5rryX0LJBBWawEZjNSHZawIdAMQlyycia4NigCdiDR+QptUn\n" -- "2xrj9o14fXkIrXcCggEAXRZm1rbPhsjSTo6cpCVrmDzO1grv83EHiBH4MvRQQnP8\n" -- "FpAREsBA5cYju97XvLaLhioZeMjLn08kU7TUbHRUB+ULTuVvE2dQbBpGuKiLRRt9\n" -- "6U2T0eD3xGLoM+o8EY/kpqaWGEpZv7hzM9xuo4vy55+viAZgFWULqmltwfG/7w7V\n" -- "NXUHNv5H4Ipw//fSDLTPqzUlNqSSswDLz6pCjWEs0rWAqNAMaOiLTz4id9pL48Oe\n" -- "oAfpcQR9tgTEnwyXfZBnrJVclHhkHKGeXvU05IgCzpKO76Z5R+By50T0i/JV7vzM\n" -- "l2yS9aAl/cprT6U7yI3oU/blldCVNpMcFAFb+fO8DAKCAQBVMo8xptyvQOJeSvbO\n" -- "SSYdJ3IiI/0GdkcGWXblWg9z7mrPaWEnT7OquEm/+vYtWd3GHDtyNM+jzsN4Xgjc\n" -- "TL3AEd2hLiozJQ1BFKw25VU08UHAYTzUxZhO4Vwtmp46Kwj8YLDQ3NHRWCBxpDQR\n" -- 
"fbiFvyXP+qXap6plMfrydnUD1mae/JSOWOYgdB7tFIehstLxVXx/cAnjwgFU03Df\n" -- "grjsad92zA1Hc9wIjbsgAQdTR5DWnFRkRt3UtayBwoyqm6QceZHsv1NAGvkQ4ion\n" -- "bEjkHkjF9YCkR9/rspR8cLghRIXMjOpypuSbaRPeeWq0gP2UOxFL/d3iWH0ETr/L\n" -- "kTlCAhxYGpVgtfB96qmJukyl9GOGvfkwFTgEyIDoV84M\n" -- "-----END DSA PRIVATE KEY-----\n"; -- --static const char dsa_sig[] = -- "\x30\x3d\x02\x1c\x2e\x40\x14\xb3\x7a\x3f\xc0\x4f\x06\x74\x4f\xa6\x5f\xc2\x0a\x46\x35\x38\x88\xb4\x1a\xcf\x94\x02\x40\x42\x7c\x7f\x02\x1d\x00\x98\xfc\xf1\x08\x66\xf1\x86\x28\xc9\x73\x9e\x2b\x5d\xce\x57\xe8\xb5\xeb\xcf\xa3\xf6\x60\xf6\x63\x16\x0e\xc0\x42"; -- --static const char gost01_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIgQgdNfuHGmmTdPm\n" -- "p5dAa3ea9UYxpdYQPP9lbDwzQwG2bJM=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost01_sig[] = -- "\xc5\xc8\xf8\xdc\x22\x51\xb0\x72\xe9\xa2\xbb\x84\x6c\xe2\x24\xd5\x72\x39\x2a\x5a\x0e\x7a\x43\xfc\x9c\xc3\x5d\x32\x92\xbb\xab\xc0\x4b\x99\xbd\xc8\x47\x24\x70\x06\x7e\xa1\xc6\xe3\xa0\xdc\x42\xed\xa0\x66\xf0\xcc\x50\x97\xe9\x5a\x7d\x3f\x65\x2d\x7b\x1b\x03\xcb"; -- --static const char gost12_256_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MEgCAQAwHwYIKoUDBwEBAQEwEwYHKoUDAgIjAQYIKoUDBwEBAgIEIgQgKOF96tom\n" -- "D61rhSnzKjyrmO3fv0gdlHei+6ovrc8SnBk=\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_256_sig[] = -- "\xb2\x51\x5a\x1a\xbd\x95\x4e\x71\x55\xad\x74\x74\x81\xa6\xca\x6c\x14\x01\xe0\x18\xda\xe4\x0d\x02\x4f\x14\xd2\x39\xd6\x3c\xb5\x85\xa8\x37\xfd\x7f\x2b\xfa\xe4\xf5\xbc\xbc\x15\x20\x8b\x83\x4b\x84\x0d\x5d\x02\x21\x8c\x0d\xb9\xc4\x2b\xc0\x3e\xfd\x42\x55\x1d\xb0"; -- --static const char gost12_512_privkey[] = -- "-----BEGIN PRIVATE KEY-----\n" -- "MGoCAQAwIQYIKoUDBwEBAQIwFQYJKoUDBwECAQIBBggqhQMHAQECAwRCBECjFpvp\n" -- "B0vdc7u59b99TCNXhHiB69JJtUjvieNkGYJpoaaIvoKZTNCjpSZASsZcQZCHOTof\n" -- "hsQ3JCCy4xnd5jWT\n" -- "-----END PRIVATE KEY-----\n"; -- --static const char gost12_512_sig[] = -- 
"\x52\x4f\xa2\x77\x51\xd2\xc5\xef\xd3\xa3\x99\x4e\xec\xff\xc6\xe9\xfc\x2f\xc0\x28\x42\x03\x95\x6c\x9a\x38\xee\xea\x89\x79\xae\x1a\xc3\x68\x5e\xe4\x15\x15\x4b\xec\x0f\xf1\x7e\x0f\xba\x01\xc7\x84\x16\xc7\xb5\xac\x9d\x0c\x22\xdd\x31\xf7\xb0\x9b\x59\x4b\xf0\x02\xa8\x7d\xfd\x6d\x02\x43\xc7\x4f\x65\xbd\x84\x5c\x54\x91\xba\x75\x9f\x5a\x61\x19\x5c\x9a\x10\x78\x34\xa0\xa6\xf6\xdc\xb6\xb0\x50\x22\x38\x5f\xb0\x16\x66\xf1\xd5\x46\x00\xd5\xe2\xa8\xe5\xd2\x11\x5f\xd1\xbe\x6e\xac\xb2\x9c\x14\x34\x96\xe7\x58\x94\xb8\xf4\x5f"; -- - static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits, - gnutls_digest_algorithm_t dig, - const void *privkey, size_t privkey_size, --- -2.20.1 - - -From 4b04d899849ea566ae33862289276d9b297cd493 Mon Sep 17 00:00:00 2001 -From: Anderson Toshiyuki Sasaki -Date: Wed, 3 Apr 2019 13:44:56 +0200 -Subject: [PATCH 2/7] crypto-selftests-pk.c: Add a comparison with a known - signature - -For RSA, compare the generated signature with a stored known value in -test_sig(). - -Signed-off-by: Anderson Toshiyuki Sasaki ---- - lib/crypto-selftests-pk.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c -index 4fadd4161..0233e6b9f 100644 ---- a/lib/crypto-selftests-pk.c -+++ b/lib/crypto-selftests-pk.c -@@ -313,6 +313,7 @@ static int test_sig(gnutls_pk_algorithm_t pk, - { - int ret; - gnutls_datum_t sig = { NULL, 0 }; -+ gnutls_datum_t known_sig = { NULL, 0 }; - gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 }; - gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 }; - gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 }; -@@ -343,6 +344,8 @@ static int test_sig(gnutls_pk_algorithm_t pk, - } - - if (pk == GNUTLS_PK_RSA) { -+ known_sig.data = (void *)rsa_sig; -+ known_sig.size = sizeof(rsa_sig) - 1; - ret = gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0); - } else if (pk == GNUTLS_PK_RSA_PSS) { - ret = 
gnutls_privkey_import_x509_raw(key, &raw_rsa_key, GNUTLS_X509_FMT_PEM, NULL, 0);
-@@ -378,6 +381,16 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- goto cleanup;
- }
-
-+ /* Compare with a stored known signature */
-+ if (known_sig.data != NULL) {
-+ if (sig.size != known_sig.size
-+ || memcmp(sig.data, known_sig.data, sig.size) != 0) {
-+ ret = GNUTLS_E_SELF_TEST_ERROR;
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+ }
-+
- ret =
- gnutls_pubkey_verify_data2(pub, sigalgo, 0,
- &signed_data, &sig);
---
-2.20.1
-
-
-From db2b308fdbe98420b722eaf678c1a911bc51b0a5 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki
-Date: Thu, 18 Apr 2019 17:22:18 +0200
-Subject: [PATCH 4/7] tests: Run rng-no-onload test in FIPS mode
-
-This changes the function used in the test to override gnutls_rnd() to
-fill the given buffer with a different value each time it is called.
-This allows the test to run when FIPS mode is enabled.
-
-Previously the rng-no-onload test could get stuck if FIPS mode was
-enabled. This happened if gnutls_rnd() function was called during
-global_init() in a loop that checks the generated value (e.g. if ECDSA
-signature generation is called during self tests).
-
-Signed-off-by: Anderson Toshiyuki Sasaki
----
- tests/rng-no-onload.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/tests/rng-no-onload.c b/tests/rng-no-onload.c
-index ac01be214..a485a440d 100644
---- a/tests/rng-no-onload.c
-+++ b/tests/rng-no-onload.c
-@@ -50,18 +50,20 @@ static int _rnd_called = 0;
- int __attribute__ ((visibility ("protected")))
- gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len)
- {
-+ static unsigned int value = 0;
-+
- _rnd_called = 1;
-
-- memset(data, 0xff, len);
-+ /* Increment 'value' in each call up to 255, then start again from 0 */
-+ value = (value + 1) & 0xFF;
-+
-+ memset(data, value, len);
-+
- return 0;
- }
-
- void doit(void)
- {
-- if (gnutls_fips140_mode_enabled()) {
-- exit(77);
-- }
--
- global_init();
-
- if (_rnd_called != 0)
---
-2.20.1
-
-
-From fc926cd65f1de06f359315c6693c1a9c9899ba8c Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki
-Date: Thu, 4 Apr 2019 15:45:02 +0200
-Subject: [PATCH 5/7] crypto-selftests-pk.c: Fix test_known_sig
-
-Previously a new signature was generated only for deterministic
-algorithms (i.e. only RSA). With this, a new signature is always
-generated (and compared with a stored signature for deterministic
-algorithms). The signature verification is tested for both generated
-and stored signatures.
-
-Signed-off-by: Anderson Toshiyuki Sasaki
----
- lib/crypto-selftests-pk.c | 31 ++++++++++++++++++++-----------
- 1 file changed, 20 insertions(+), 11 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index 0233e6b9f..ba8f5e376 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -475,19 +475,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- goto cleanup;
- }
-
-- /* Test if the signature we generate matches the stored */
-+ ret = gnutls_privkey_sign_data(key, dig, 0, &signed_data, &sig);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+
-+ /* Test if the generated signature matches the stored */
- ssig.data = (void *) stored_sig;
- ssig.size = stored_sig_size;
-
- if (deterministic_sigs != 0) { /* do not compare against stored signature if not provided */
-- ret =
-- gnutls_privkey_sign_data(key, dig, 0, &signed_data,
-- &sig);
-- if (ret < 0) {
-- gnutls_assert();
-- goto cleanup;
-- }
--
- if (sig.size != ssig.size
- || memcmp(sig.data, ssig.data, sig.size) != 0) {
- ret = GNUTLS_E_SELF_TEST_ERROR;
-@@ -507,7 +505,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- }
- }
-
-- /* Test if we can verify the signature */
-+ /* Test if we can verify the generated signature */
-
- ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
- if (ret < 0) {
-@@ -515,6 +513,17 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- goto cleanup;
- }
-
-+ ret =
-+ gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
-+ &signed_data, &sig);
-+ if (ret < 0) {
-+ ret = GNUTLS_E_SELF_TEST_ERROR;
-+ gnutls_assert();
-+ goto cleanup;
-+ }
-+
-+ /* Test if we can verify the stored signature */
-+
- ret =
- gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk, dig), 0,
- &signed_data, &ssig);
-@@ -528,7 +537,7 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
-
- ret =
- gnutls_pubkey_verify_data2(pub, gnutls_pk_to_sign(pk,
dig), 0,
-- &bad_data, &ssig);
-+ &bad_data, &sig);
-
- if (ret != GNUTLS_E_PK_SIG_VERIFY_FAILED) {
- ret = GNUTLS_E_SELF_TEST_ERROR;
---
-2.20.1
-
-
-From 7e49999db264556ac73ff498bd8f7edce401cdd1 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki
-Date: Thu, 4 Apr 2019 17:22:04 +0200
-Subject: [PATCH 6/7] crypto-selftests-pk.c: Fix PK_KNOWN_TEST and PK_TEST
-
-Remove the flag check from the end of the macros. This change allows
-more than one test to run in sequence when GNUTLS_SELF_TEST_FLAG_ALL is
-not set. Move the flags checks to run the minimal set of tests required
-for FIPS and keep the previous behaviour for GOST (run the first test
-for each algorithm).
-
-Signed-off-by: Anderson Toshiyuki Sasaki
----
- lib/crypto-selftests-pk.c | 37 ++++++++++++++++++++-----------------
- 1 file changed, 20 insertions(+), 17 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index ba8f5e376..fc8ee2525 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -568,18 +568,14 @@ static int test_known_sig(gnutls_pk_algorithm_t pk, unsigned bits,
- if (ret < 0) { \
- gnutls_assert(); \
- goto cleanup; \
-- } \
-- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
-- return 0
-+ }
-
- #define PK_KNOWN_TEST(pk, det, bits, dig, pkey, sig) \
- ret = test_known_sig(pk, bits, dig, pkey, sizeof(pkey)-1, sig, sizeof(sig)-1, det); \
- if (ret < 0) { \
- gnutls_assert(); \
- goto cleanup; \
-- } \
-- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL)) \
-- return 0
-+ }
-
-
- /* This file is also included by the test app in tests/slow/cipher-test, so in that
-@@ -812,11 +808,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- PK_KNOWN_TEST(GNUTLS_PK_RSA, 1, 2048, GNUTLS_DIG_SHA256,
- rsa_key2048, rsa_sig);
- PK_TEST(GNUTLS_PK_RSA, test_rsa_enc, 2048, 0);
-- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_RSA, test_sig, 3072,
GNUTLS_SIGN_RSA_SHA256);
-+
- FALLTHROUGH;
- case GNUTLS_PK_RSA_PSS:
- PK_TEST(GNUTLS_PK_RSA_PSS, test_sig, 2048, GNUTLS_SIGN_RSA_PSS_RSAE_SHA256);
-@@ -828,11 +825,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- case GNUTLS_PK_DSA:
- PK_KNOWN_TEST(GNUTLS_PK_DSA, 0, 2048, GNUTLS_DIG_SHA256,
- dsa_privkey, dsa_sig);
-- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-+
- FALLTHROUGH;
- case GNUTLS_PK_EC:
- /* Test ECDH and ECDSA */
-@@ -850,13 +848,14 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- (GNUTLS_ECC_CURVE_SECP256R1),
- GNUTLS_DIG_SHA256, ecdsa_secp256r1_privkey,
- ecdsa_secp256r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
-- GNUTLS_SIGN_ECDSA_SHA256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_EC, test_sig,
-+ GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1),
-+ GNUTLS_SIGN_ECDSA_SHA256);
-+
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP384R1),
-@@ -900,31 +899,35 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- case GNUTLS_PK_GOST_01:
- PK_KNOWN_TEST(GNUTLS_PK_GOST_01, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_GOSTR_94,
- gost01_privkey, gost01_sig);
-- PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-- GNUTLS_SIGN_GOST_94);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_GOST_01, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-+ GNUTLS_SIGN_GOST_94);
-+
- FALLTHROUGH;
- case GNUTLS_PK_GOST_12_256:
- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_256, 0, GNUTLS_ECC_CURVE_GOST256CPA, GNUTLS_DIG_STREEBOG_256,
- gost12_256_privkey, gost12_256_sig);
-- PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
--
GNUTLS_SIGN_GOST_256);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-+ PK_TEST(GNUTLS_PK_GOST_12_256, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST256CPA),
-+ GNUTLS_SIGN_GOST_256);
-+
- FALLTHROUGH;
- case GNUTLS_PK_GOST_12_512:
- PK_KNOWN_TEST(GNUTLS_PK_GOST_12_512, 0, GNUTLS_ECC_CURVE_GOST512A, GNUTLS_DIG_STREEBOG_512,
- gost12_512_privkey, gost12_512_sig);
-- PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
-- GNUTLS_SIGN_GOST_512);
-
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-+
-+ PK_TEST(GNUTLS_PK_GOST_12_512, test_sig, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_GOST512A),
-+ GNUTLS_SIGN_GOST_512);
-+
- #endif
-
- break;
---
-2.20.1
-
-
-From c2e83d2110b98d93588f1b6187bc932feb958ca4 Mon Sep 17 00:00:00 2001
-From: Anderson Toshiyuki Sasaki
-Date: Mon, 8 Apr 2019 14:21:57 +0200
-Subject: [PATCH 7/7] crypto-selftests-pk.c: Cleanup self tests
-
-test_sig() always uses the same key for RSA, DSA, and ECDSA regardless
-of the value provided in the "bits" parameter. Therefore, avoid
-printing specific information (number of bits or name of the curve).
-
-Changes test_sig() to use 2048 bits key for DSA; deleted hardcoded 512
-bits DSA key;
-
-Avoid calling test_sig() multiple times for ECDSA: the same key is
-used regardless of the curve provided in the parameters.
-
-Signed-off-by: Anderson Toshiyuki Sasaki
----
- lib/crypto-selftests-pk.c | 42 +++++++++------------------------
- 1 file changed, 9 insertions(+), 33 deletions(-)
-
-diff --git a/lib/crypto-selftests-pk.c b/lib/crypto-selftests-pk.c
-index fc8ee2525..3d665b723 100644
---- a/lib/crypto-selftests-pk.c
-+++ b/lib/crypto-selftests-pk.c
-@@ -78,16 +78,6 @@ static const char ecc_key[] =
- "MSHpe5vd0TQz+/GAa1zxle8mB/Cdh0JaTrA=\n"
- "-----END EC PRIVATE KEY-----\n";
-
--static const char dsa_key[] =
-- "-----BEGIN DSA PRIVATE KEY-----\n"
-- "MIH4AgEAAkEA6KUOSXfFNcInFLPdOlLlKNCe79zJrkxnsQN+lllxuk1ifZrE07r2\n"
-- "3edTrc4riQNnZ2nZ372tYUAMJg+5jM6IIwIVAOa58exwZ+42Tl+p3b4Kbpyu2Ron\n"
-- "AkBocj7gkiBYHtv6HMIIzooaxn4vpGR0Ns6wBfroBUGvrnSAgfT3WyiNaHkIF28e\n"
-- "quWcEeOJjUgFvatcM8gcY288AkEAyKWlgzBurIYST8TM3j4PuQJDTvdHDaGoAUAa\n"
-- "EfjmOw2UXKwqTmwPiT5BYKgCo2ILS87ttlTpd8vndH37pmnmVQIUQIVuKpZ8y9Bw\n"
-- "VzO8qcrLCFvTOXY=\n"
-- "-----END DSA PRIVATE KEY-----\n";
--
- static const char gost01_key[] =
- "-----BEGIN PRIVATE KEY-----\n"
- "MEUCAQAwHAYGKoUDAgITMBIGByqFAwICJAAGByqFAwICHgEEIgQgR1lBLIr4WBpn\n"
-@@ -315,22 +305,20 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- gnutls_datum_t sig = { NULL, 0 };
- gnutls_datum_t known_sig = { NULL, 0 };
- gnutls_datum_t raw_rsa_key = { (void*)rsa_key2048, sizeof(rsa_key2048)-1 };
-- gnutls_datum_t raw_dsa_key = { (void*)dsa_key, sizeof(dsa_key)-1 };
-+ gnutls_datum_t raw_dsa_key = { (void*)dsa_privkey, sizeof(dsa_privkey)-1 };
- gnutls_datum_t raw_ecc_key = { (void*)ecc_key, sizeof(ecc_key)-1 };
- gnutls_datum_t raw_gost01_key = { (void*)gost01_key, sizeof(gost01_key)-1 };
- gnutls_datum_t raw_gost12_256_key = { (void*)gost12_256_key, sizeof(gost12_256_key)-1 };
- gnutls_datum_t raw_gost12_512_key = { (void*)gost12_512_key, sizeof(gost12_512_key)-1 };
- gnutls_privkey_t key;
- gnutls_pubkey_t pub = NULL;
-- char param_name[32];
-+ char param_name[32] = "";
-
-- if (pk == GNUTLS_PK_EC || pk == GNUTLS_PK_GOST_01 ||
-- pk ==
GNUTLS_PK_GOST_12_256 || pk == GNUTLS_PK_GOST_12_512) {
-- snprintf(param_name, sizeof(param_name), "%s",
-+ if (pk == GNUTLS_PK_GOST_01 || pk == GNUTLS_PK_GOST_12_256 ||
-+ pk == GNUTLS_PK_GOST_12_512) {
-+ snprintf(param_name, sizeof(param_name), "-%s",
- gnutls_ecc_curve_get_name(GNUTLS_BITS_TO_CURVE
- (bits)));
-- } else {
-- snprintf(param_name, sizeof(param_name), "%u", bits);
- }
-
- ret = gnutls_privkey_init(&key);
-@@ -418,10 +406,10 @@ static int test_sig(gnutls_pk_algorithm_t pk,
- gnutls_free(sig.data);
-
- if (ret == 0)
-- _gnutls_debug_log("%s-%s-sig self test succeeded\n",
-+ _gnutls_debug_log("%s%s-sig self test succeeded\n",
- gnutls_pk_get_name(pk), param_name);
- else
-- _gnutls_debug_log("%s-%s-sig self test failed\n",
-+ _gnutls_debug_log("%s%s-sig self test failed\n",
- gnutls_pk_get_name(pk), param_name);
-
- return ret;
-@@ -812,7 +800,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-- PK_TEST(GNUTLS_PK_RSA, test_sig, 3072, GNUTLS_SIGN_RSA_SHA256);
-+ PK_TEST(GNUTLS_PK_RSA, test_sig, 2048, GNUTLS_SIGN_RSA_SHA256);
-
- FALLTHROUGH;
- case GNUTLS_PK_RSA_PSS:
-@@ -829,7 +817,7 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL))
- return 0;
-
-- PK_TEST(GNUTLS_PK_DSA, test_sig, 3072, GNUTLS_SIGN_DSA_SHA256);
-+ PK_TEST(GNUTLS_PK_DSA, test_sig, 2048, GNUTLS_SIGN_DSA_SHA256);
-
- FALLTHROUGH;
- case GNUTLS_PK_EC:
-@@ -861,18 +849,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- (GNUTLS_ECC_CURVE_SECP384R1),
- GNUTLS_DIG_SHA256, ecdsa_secp384r1_privkey,
- ecdsa_secp384r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP384R1),
-- GNUTLS_SIGN_ECDSA_SHA384);
-
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP521R1),
- GNUTLS_DIG_SHA512, ecdsa_secp521r1_privkey,
- ecdsa_secp521r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP521R1),
-- GNUTLS_SIGN_ECDSA_SHA512);
-
- #ifdef ENABLE_NON_SUITEB_CURVES
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
-@@ -880,18 +862,12 @@ int gnutls_pk_self_test(unsigned flags, gnutls_pk_algorithm_t pk)
- (GNUTLS_ECC_CURVE_SECP192R1),
- GNUTLS_DIG_SHA256, ecdsa_secp192r1_privkey,
- ecdsa_secp192r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP192R1),
-- GNUTLS_SIGN_ECDSA_SHA256);
-
- PK_KNOWN_TEST(GNUTLS_PK_EC, 0,
- GNUTLS_CURVE_TO_BITS
- (GNUTLS_ECC_CURVE_SECP224R1),
- GNUTLS_DIG_SHA256, ecdsa_secp224r1_privkey,
- ecdsa_secp224r1_sig);
-- PK_TEST(GNUTLS_PK_EC, test_sig,
-- GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP224R1),
-- GNUTLS_SIGN_ECDSA_SHA256);
- #endif
-
- #if ENABLE_GOST
---
-2.20.1
diff --git a/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch b/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch
deleted file mode 100644
index 8ed9aa6..0000000
--- a/SOURCES/gnutls-3.6.8-aead-cipher-encryptv2.patch
+++ /dev/null
@@ -1,1296 +0,0 @@ -From 38c8dc4317296624cba5b2c8ddba6e9047048180 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 1 Aug 2019 17:41:45 +0200 -Subject: [PATCH 1/3] iov: add iterator interface for giovec_t - -This adds an iterator interface over giovec_t array, extracting a -fixed sized block. - -Signed-off-by: Daiki Ueno ---- - .gitignore | 1 + - lib/Makefile.am | 3 +- - lib/iov.c | 120 ++++++++++++++++++++++++++++++++ - lib/iov.h | 46 +++++++++++++ - lib/libgnutls.map | 3 + - tests/Makefile.am | 6 +- - tests/iov.c | 170 ++++++++++++++++++++++++++++++++++++++++++++++ - 7 files changed, 347 insertions(+), 2 deletions(-) - create mode 100644 lib/iov.c - create mode 100644 lib/iov.h - create mode 100644 tests/iov.c - -diff --git a/lib/Makefile.am b/lib/Makefile.am -index ffc72e4c2..9fe78afbd 100644 ---- a/lib/Makefile.am -+++ b/lib/Makefile.am -@@ -80,7 +80,8 @@ COBJECTS = range.c record.c compress.c debug.c cipher.c gthreads.h handshake-tls - system-keys.h urls.c urls.h prf.c auto-verify.c dh-session.c \ - cert-session.c handshake-checks.c dtls-sw.c dh-primes.c openpgp_compat.c \ - crypto-selftests.c crypto-selftests-pk.c secrets.c extv.c extv.h \ -- hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c -+ hello_ext_lib.c hello_ext_lib.h ocsp-api.c stek.c cert-cred-rawpk.c \ -+ iov.c iov.h - - if WINDOWS - COBJECTS += system/keys-win.c -diff --git a/lib/iov.c b/lib/iov.c -new file mode 100644 -index 000000000..5dc29c54b ---- /dev/null -+++ b/lib/iov.c -@@ -0,0 +1,120 @@ -+/* -+ * Copyright (C) 2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. 
-+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ * -+ */ -+ -+#include "gnutls_int.h" -+#include "iov.h" -+ -+/** -+ * _gnutls_iov_iter_init: -+ * @iter: the iterator -+ * @iov: the data buffers -+ * @iov_count: the number of data buffers -+ * @block_size: block size to iterate -+ * -+ * Initialize the iterator. -+ * -+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise -+ * an error code is returned -+ */ -+int -+_gnutls_iov_iter_init(struct iov_iter_st *iter, -+ const giovec_t *iov, size_t iov_count, -+ size_t block_size) -+{ -+ if (unlikely(block_size > MAX_CIPHER_BLOCK_SIZE)) -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ -+ iter->iov = iov; -+ iter->iov_count = iov_count; -+ iter->iov_index = 0; -+ iter->iov_offset = 0; -+ iter->block_size = block_size; -+ iter->block_offset = 0; -+ return 0; -+} -+ -+/** -+ * _gnutls_iov_iter_next: -+ * @iter: the iterator -+ * @data: the return location of extracted data -+ * -+ * Retrieve block(s) pointed by @iter and advance it to the next -+ * position. It returns the number of consecutive blocks in @data. -+ * At the end of iteration, 0 is returned. -+ * -+ * If the data stored in @iter is not multiple of the block size, the -+ * remaining data is stored in the "block" field of @iter with the -+ * size stored in the "block_offset" field. 
-+ * -+ * Returns: On success, a value greater than or equal to zero is -+ * returned, otherwise a negative error code is returned -+ */ -+ssize_t -+_gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) -+{ -+ while (iter->iov_index < iter->iov_count) { -+ const giovec_t *iov = &iter->iov[iter->iov_index]; -+ uint8_t *p = iov->iov_base; -+ size_t len = iov->iov_len; -+ size_t block_left; -+ -+ if (unlikely(len < iter->iov_offset)) -+ return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); -+ len -= iter->iov_offset; -+ p += iter->iov_offset; -+ -+ /* We have at least one full block, return a whole set -+ * of full blocks immediately. */ -+ if (iter->block_offset == 0 && len >= iter->block_size) { -+ if ((len % iter->block_size) == 0) { -+ iter->iov_index++; -+ iter->iov_offset = 0; -+ } else -+ iter->iov_offset += -+ len - (len % iter->block_size); -+ -+ /* Return the blocks. */ -+ *data = p; -+ return len / iter->block_size; -+ } -+ -+ /* We can complete one full block to return. */ -+ block_left = iter->block_size - iter->block_offset; -+ if (len >= block_left) { -+ memcpy(iter->block + iter->block_offset, p, block_left); -+ iter->iov_offset += block_left; -+ iter->block_offset = 0; -+ -+ /* Return the filled block. */ -+ *data = iter->block; -+ return 1; -+ } -+ -+ /* Not enough data for a full block, store in temp -+ * memory and continue. */ -+ memcpy(iter->block + iter->block_offset, p, len); -+ iter->block_offset += len; -+ iter->iov_index++; -+ iter->iov_offset = 0; -+ } -+ return 0; -+} -diff --git a/lib/iov.h b/lib/iov.h -new file mode 100644 -index 000000000..47fba559a ---- /dev/null -+++ b/lib/iov.h -@@ -0,0 +1,46 @@ -+/* -+ * Copyright (C) 2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. 
-+ * -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ * -+ */ -+ -+#ifndef GNUTLS_LIB_IOV_H -+#define GNUTLS_LIB_IOV_H -+ -+#include "gnutls_int.h" -+ -+struct iov_iter_st { -+ const giovec_t *iov; -+ size_t iov_count; /* the number of iov */ -+ size_t iov_index; /* index of the current buffer */ -+ size_t iov_offset; /* byte offset in the current buffer */ -+ -+ uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */ -+ size_t block_size; /* actual block size of the cipher */ -+ size_t block_offset; /* offset in block */ -+ -+}; -+ -+int _gnutls_iov_iter_init(struct iov_iter_st *iter, -+ const giovec_t *iov, size_t iov_count, -+ size_t block_size); -+ -+ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data); -+ -+#endif /* GNUTLS_LIB_IOV_H */ -diff --git a/lib/libgnutls.map b/lib/libgnutls.map -index 0f31f4aef..fc93c0857 100644 ---- a/lib/libgnutls.map -+++ b/lib/libgnutls.map -@@ -1374,4 +1374,7 @@ GNUTLS_PRIVATE_3_4 { - _gnutls_global_set_gettime_function; - # Internal symbols needed by tests/tls13/anti_replay.c - _gnutls_anti_replay_check; -+ # needed by tests/iov: -+ _gnutls_iov_iter_init; -+ _gnutls_iov_iter_next; - } GNUTLS_3_4; -diff --git a/tests/Makefile.am b/tests/Makefile.am -index a8c2d152e..a2883570f 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm - 
null_retrieve_function tls-record-size-limit tls-crt_type-neg \ - resume-with-stek-expiration resume-with-previous-stek rawpk-api \ - tls-record-size-limit-asym dh-compute ecdh-compute \ -- sign-verify-deterministic -+ sign-verify-deterministic iov - - if HAVE_SECCOMP_TESTS - ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp -@@ -460,6 +460,10 @@ tls13_anti_replay_CPPFLAGS = $(AM_CPPFLAGS) \ - -I$(top_builddir)/gl \ - $(NETTLE_CFLAGS) - -+iov_CPPFLAGS = $(AM_CPPFLAGS) \ -+ -I$(top_srcdir)/gl \ -+ -I$(top_builddir)/gl -+ - if ENABLE_PKCS11 - if !WINDOWS - ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key -diff --git a/tests/iov.c b/tests/iov.c -new file mode 100644 -index 000000000..eda5583a7 ---- /dev/null -+++ b/tests/iov.c -@@ -0,0 +1,170 @@ -+/* -+ * Copyright (C) 2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. 
If not, see -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include "gnutls_int.h" -+#include "../lib/iov.h" -+ -+#include "utils.h" -+ -+struct exp_st { -+ ssize_t ret; -+ size_t iov_index; -+ size_t iov_offset; -+ size_t block_offset; -+}; -+ -+struct test_st { -+ const char *name; -+ const giovec_t *iov; -+ size_t iovcnt; -+ size_t block_size; -+ const struct exp_st *exp; -+ size_t expcnt; -+ size_t remaining; -+}; -+ -+static const giovec_t iov16[] = { -+ {(void *) "0123456789abcdef", 16}, -+ {(void *) "0123456789abcdef", 16}, -+ {(void *) "0123456789abcdef", 16}, -+ {(void *) "0123456789abcdef", 16} -+}; -+ -+static const struct exp_st exp16_64[] = { -+ {1, 3, 16, 0}, -+ {0, 0, 0, 0} -+}; -+ -+static const struct exp_st exp16_32[] = { -+ {1, 1, 16, 0}, -+ {1, 3, 16, 0}, -+ {0, 0, 0, 0} -+}; -+ -+static const struct exp_st exp16_16[] = { -+ {1, 1, 0, 0}, -+ {1, 2, 0, 0}, -+ {1, 3, 0, 0}, -+ {1, 4, 0, 0}, -+ {0, 0, 0, 0} -+}; -+ -+static const struct exp_st exp16_4[] = { -+ {4, 1, 0, 0}, -+ {4, 2, 0, 0}, -+ {4, 3, 0, 0}, -+ {4, 4, 0, 0}, -+ {0, 0, 0, 0} -+}; -+ -+static const struct exp_st exp16_3[] = { -+ {5, 0, 15, 0}, -+ {1, 1, 2, 0}, -+ {4, 1, 14, 0}, -+ {1, 2, 1, 0}, -+ {5, 3, 0, 0}, -+ {5, 3, 15, 0}, -+ {0, 0, 0, 1} -+}; -+ -+static const giovec_t iov8[] = { -+ {(void *) "01234567", 8}, -+ {(void *) "01234567", 8}, -+ {(void *) "01234567", 8}, -+ {(void *) "01234567", 8} -+}; -+ -+static const struct exp_st exp8_64[] = { -+ {0, 0, 0, 32} -+}; -+ -+static const struct test_st tests[] = { -+ { "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64, -+ exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 }, -+ { "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32, -+ exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 }, -+ { "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16, -+ exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 }, -+ { "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4, -+ exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 }, -+ { "16/3", iov16, 
sizeof(iov16)/sizeof(iov16[0]), 3, -+ exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 }, -+ { "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64, -+ exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 } -+}; -+ -+void -+doit (void) -+{ -+ size_t i; -+ -+ for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { -+ struct iov_iter_st iter; -+ const struct exp_st *exp = tests[i].exp; -+ uint8_t *data; -+ size_t j; -+ -+ success("%s\n", tests[i].name); -+ assert(_gnutls_iov_iter_init(&iter, -+ tests[i].iov, tests[i].iovcnt, -+ tests[i].block_size) == 0); -+ for (j = 0; j < tests[i].expcnt; j++) { -+ ssize_t ret; -+ -+ ret = _gnutls_iov_iter_next(&iter, &data); -+ if (ret != exp[j].ret) -+ fail("iov_iter_next: %d != %d\n", -+ (int) ret, (int) exp[j].ret); -+ else if (debug) -+ success("iov_iter_next: %d == %d\n", -+ (int) ret, (int) exp[j].ret); -+ if (ret == 0) -+ break; -+ if (ret > 0) { -+ if (iter.iov_index != exp[j].iov_index) -+ fail("iter.iov_index: %u != %u\n", -+ (unsigned) iter.iov_index, (unsigned) exp[j].iov_index); -+ else if (debug) -+ success("iter.iov_index: %u == %u\n", -+ (unsigned) iter.iov_index, (unsigned) exp[j].iov_index); -+ if (iter.iov_offset != exp[j].iov_offset) -+ fail("iter.iov_offset: %u != %u\n", -+ (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset); -+ else if (debug) -+ success("iter.iov_offset: %u == %u\n", -+ (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset); -+ if (iter.block_offset != exp[j].block_offset) -+ fail("iter.block_offset: %u != %u\n", -+ (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); -+ else if (debug) -+ success("iter.block_offset: %u == %u\n", -+ (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); -+ } -+ } -+ if (iter.block_offset != tests[i].remaining) -+ fail("remaining: %u != %u\n", -+ (unsigned) iter.block_offset, (unsigned) tests[i].remaining); -+ } -+} --- -2.21.0 - - -From 9ca7a2b42168d356126e306e25211d43ea3c2e7d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 1 Aug 2019 
18:13:38 +0200 -Subject: [PATCH 2/3] crypto-api: use giovec_t iterator interface for - aead_encryptv - -This replaces the macros AUTH_UPDATE and ENCRYPT used in -gnutls_aead_cipher_encryptv() with the iov_iter interface. - -Signed-off-by: Daiki Ueno ---- - lib/crypto-api.c | 167 ++++++++++++++++------------------------------- - 1 file changed, 57 insertions(+), 110 deletions(-) - -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index 8af3f3b7d..70107fed0 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -31,6 +31,7 @@ - #include - #include - #include "crypto-api.h" -+#include "iov.h" - - typedef struct api_cipher_hd_st { - cipher_hd_st ctx_enc; -@@ -916,98 +917,6 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) - } - } - --#define AUTH_UPDATE_FINAL(ctx) do { \ -- if (index) { \ -- ret = _gnutls_cipher_auth(ctx, cache, index); \ -- if (unlikely(ret < 0)) \ -- return gnutls_assert_val(ret); \ -- } \ -- } while(0) -- --#define AUTH_UPDATE(ctx, data, length) do { \ -- if (index) { \ -- ssize_t left = blocksize - index; \ -- if (length < left) { \ -- memcpy(cache+index, data, \ -- length); \ -- index += length; \ -- goto __update_done; \ -- } else { \ -- memcpy(cache+index, data, left); \ -- ret = _gnutls_cipher_auth(ctx, cache, blocksize); \ -- if (unlikely(ret < 0)) \ -- return gnutls_assert_val(ret); \ -- data += left; \ -- length -= left; \ -- } \ -- } \ -- if (length >= blocksize) { \ -- ssize_t to_proc = (length/blocksize)*blocksize; \ -- ret = _gnutls_cipher_auth(ctx, data, to_proc); \ -- if (unlikely(ret < 0)) \ -- return gnutls_assert_val(ret); \ -- data += to_proc; \ -- length -= to_proc; \ -- } \ -- if (length) \ -- memcpy(cache, data, length); \ -- index = length; \ -- __update_done: \ -- ; \ -- } while(0) -- --#define ENCRYPT_FINAL(ctx, dst, dst_size) do { \ -- if (index) { \ -- if (unlikely(dst_size < (ssize_t)index)) \ -- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \ -- ret = 
_gnutls_cipher_encrypt2(ctx, cache, index, dst, dst_size); \ -- if (unlikely(ret < 0)) \ -- return gnutls_assert_val(ret); \ -- dst += index; \ -- dst_size -= index; \ -- } \ -- } while(0) -- --#define ENCRYPT(ctx, data, length, dst, dst_size) do { \ -- if (index) { \ -- ssize_t left = blocksize - index; \ -- if (length < left) { \ -- memcpy(cache+index, data, \ -- length); \ -- index += length; \ -- goto __encrypt_done; \ -- } else { \ -- if (unlikely(dst_size < blocksize)) \ -- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \ -- memcpy(cache+index, data, left); \ -- ret = _gnutls_cipher_encrypt2(ctx, cache, blocksize, dst, dst_size); \ -- if (unlikely(ret < 0)) \ -- return gnutls_assert_val(ret); \ -- data += left; \ -- length -= left; \ -- dst += blocksize; \ -- dst_size -= blocksize; \ -- } \ -- } \ -- if (length >= blocksize) { \ -- ssize_t to_proc = (length/blocksize)*blocksize; \ -- if (unlikely(dst_size < to_proc)) \ -- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); \ -- ret = _gnutls_cipher_encrypt2(ctx, data, to_proc, dst, dst_size); \ -- if (unlikely(ret < 0)) \ -- return gnutls_assert_val(ret); \ -- data += to_proc; \ -- length -= to_proc; \ -- dst += to_proc; \ -- dst_size -= to_proc; \ -- } \ -- if (length) \ -- memcpy(cache, data, length); \ -- index = length; \ -- __encrypt_done: \ -- ; \ -- } while(0) -- - - /** - * gnutls_aead_cipher_encryptv: -@@ -1039,14 +948,13 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - void *ctext, size_t *ctext_len) - { - api_aead_cipher_hd_st *h = handle; -- int ret; -+ ssize_t ret; - uint8_t *dst; -- ssize_t dst_size, total = 0, len; -+ ssize_t dst_size, total = 0; - uint8_t *p; -- unsigned i; -- uint8_t cache[MAX_CIPHER_BLOCK_SIZE]; -- unsigned index; - ssize_t blocksize = handle->ctx_enc.e->blocksize; -+ struct iov_iter_st iter; -+ size_t blocks; - - /* Limitation: this function provides an optimization under the internally registered - * AEAD ciphers. 
When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(), -@@ -1088,25 +996,64 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - if (unlikely(ret < 0)) - return gnutls_assert_val(ret); - -- index = 0; -- for (i = 0; i < (unsigned)auth_iovcnt; i++) { -- p = auth_iov[i].iov_base; -- len = auth_iov[i].iov_len; -- AUTH_UPDATE(&handle->ctx_enc, p, len); -+ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); -+ while (1) { -+ ret = _gnutls_iov_iter_next(&iter, &p); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); -+ if (ret == 0) -+ break; -+ blocks = ret; -+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, -+ blocksize * blocks); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); -+ } -+ if (iter.block_offset > 0) { -+ ret = _gnutls_cipher_auth(&handle->ctx_enc, -+ iter.block, iter.block_offset); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); - } -- AUTH_UPDATE_FINAL(&handle->ctx_enc); - - dst = ctext; - dst_size = *ctext_len; - -- index = 0; -- for (i = 0; i < (unsigned)iovcnt; i++) { -- p = iov[i].iov_base; -- len = iov[i].iov_len; -- ENCRYPT(&handle->ctx_enc, p, len, dst, dst_size); -- total += iov[i].iov_len; -+ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); -+ while (1) { -+ ret = _gnutls_iov_iter_next(&iter, &p); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); -+ if (ret == 0) -+ break; -+ blocks = ret; -+ if (unlikely((size_t) dst_size < blocksize * blocks)) -+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, -+ blocksize * blocks, -+ dst, dst_size); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); -+ DECR_LEN(dst_size, blocksize * blocks); -+ dst += blocksize * blocks; -+ total += blocksize * blocks; -+ } -+ if (iter.block_offset > 0) { -+ if (unlikely((size_t) 
dst_size < iter.block_offset)) -+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, -+ iter.block, iter.block_offset, -+ dst, dst_size); -+ if (unlikely(ret < 0)) -+ return gnutls_assert_val(ret); -+ DECR_LEN(dst_size, iter.block_offset); -+ dst += iter.block_offset; -+ total += iter.block_offset; - } -- ENCRYPT_FINAL(&handle->ctx_enc, dst, dst_size); - - if ((size_t)dst_size < tag_size) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); --- -2.21.0 - - -From d230011cdbbe55f429b43d818c75c8f6687cbc78 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Fri, 2 Aug 2019 07:40:44 +0200 -Subject: [PATCH 3/3] crypto-api: add gnutls_aead_cipher_{en,de}cryptv2 - -This adds an in-place equivalent of gnutls_aead_cipher_encrypt() and -gnutls_aead_cipher_decrypt(), that works on data buffers. - -Signed-off-by: Daiki Ueno ---- - .gitignore | 1 + - NEWS | 7 + - devel/libgnutls-latest-x86_64.abi | 26 +++ - devel/symbols.last | 3 + - doc/Makefile.am | 4 + - doc/manpages/Makefile.am | 2 + - lib/crypto-api.c | 356 +++++++++++++++++++++++++++++- - lib/includes/gnutls/crypto.h | 14 ++ - lib/libgnutls.map | 7 + - tests/Makefile.am | 2 +- - tests/aead-cipher-vec.c | 123 +++++++++++ - 11 files changed, 541 insertions(+), 4 deletions(-) - create mode 100644 tests/aead-cipher-vec.c - -diff --git a/doc/Makefile.am b/doc/Makefile.am -index 6d21d7482..add63c23d 100644 ---- a/doc/Makefile.am -+++ b/doc/Makefile.am -@@ -635,12 +635,16 @@ FUNCS += functions/dane_verify_session_crt - FUNCS += functions/dane_verify_session_crt.short - FUNCS += functions/gnutls_aead_cipher_decrypt - FUNCS += functions/gnutls_aead_cipher_decrypt.short -+FUNCS += functions/gnutls_aead_cipher_decryptv2 -+FUNCS += functions/gnutls_aead_cipher_decryptv2.short - FUNCS += functions/gnutls_aead_cipher_deinit - FUNCS += functions/gnutls_aead_cipher_deinit.short - FUNCS += functions/gnutls_aead_cipher_encrypt - FUNCS += functions/gnutls_aead_cipher_encrypt.short - 
FUNCS += functions/gnutls_aead_cipher_encryptv - FUNCS += functions/gnutls_aead_cipher_encryptv.short -+FUNCS += functions/gnutls_aead_cipher_encryptv2 -+FUNCS += functions/gnutls_aead_cipher_encryptv2.short - FUNCS += functions/gnutls_aead_cipher_init - FUNCS += functions/gnutls_aead_cipher_init.short - FUNCS += functions/gnutls_alert_get -diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am -index d06c18013..ee855adf3 100644 ---- a/doc/manpages/Makefile.am -+++ b/doc/manpages/Makefile.am -@@ -119,9 +119,11 @@ APIMANS += dane_verify_crt.3 - APIMANS += dane_verify_crt_raw.3 - APIMANS += dane_verify_session_crt.3 - APIMANS += gnutls_aead_cipher_decrypt.3 -+APIMANS += gnutls_aead_cipher_decryptv2.3 - APIMANS += gnutls_aead_cipher_deinit.3 - APIMANS += gnutls_aead_cipher_encrypt.3 - APIMANS += gnutls_aead_cipher_encryptv.3 -+APIMANS += gnutls_aead_cipher_encryptv2.3 - APIMANS += gnutls_aead_cipher_init.3 - APIMANS += gnutls_alert_get.3 - APIMANS += gnutls_alert_get_name.3 -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index 70107fed0..2834c0199 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -885,7 +885,26 @@ static void iov_store_free(struct iov_store_st *s) - } - } - --static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) -+static int iov_store_grow(struct iov_store_st *s, size_t length) -+{ -+ if (s->allocated || s->data == NULL) { -+ s->size += length; -+ s->data = gnutls_realloc(s->data, s->size); -+ if (s->data == NULL) -+ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); -+ s->allocated = 1; -+ } else { -+ void *data = s->data; -+ size_t size = s->size + length; -+ s->data = gnutls_malloc(size); -+ memcpy(s->data, data, s->size); -+ s->size += length; -+ } -+ return 0; -+} -+ -+static int -+copy_from_iov(struct iov_store_st *dst, const giovec_t *iov, int iovcnt) - { - memset(dst, 0, sizeof(*dst)); - if (iovcnt == 0) { -@@ -917,6 +936,27 @@ static int copy_iov(struct iov_store_st *dst, const giovec_t *iov, int 
iovcnt) - } - } - -+static int -+copy_to_iov(struct iov_store_st *src, size_t size, -+ const giovec_t *iov, int iovcnt) -+{ -+ size_t offset = 0; -+ int i; -+ -+ if (unlikely(src->size < size)) -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ -+ for (i = 0; i < iovcnt && size > 0; i++) { -+ size_t to_copy = MIN(size, iov[i].iov_len); -+ memcpy(iov[i].iov_base, (uint8_t *) src->data + offset, to_copy); -+ offset += to_copy; -+ size -= to_copy; -+ } -+ if (size > 0) -+ return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -+ return 0; -+} -+ - - /** - * gnutls_aead_cipher_encryptv: -@@ -971,11 +1011,11 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - struct iov_store_st auth; - struct iov_store_st ptext; - -- ret = copy_iov(&auth, auth_iov, auth_iovcnt); -+ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt); - if (ret < 0) - return gnutls_assert_val(ret); - -- ret = copy_iov(&ptext, iov, iovcnt); -+ ret = copy_from_iov(&ptext, iov, iovcnt); - if (ret < 0) { - iov_store_free(&auth); - return gnutls_assert_val(ret); -@@ -1066,6 +1106,316 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - return 0; - } - -+/** -+ * gnutls_aead_cipher_encryptv2: -+ * @handle: is a #gnutls_aead_cipher_hd_t type. -+ * @nonce: the nonce to set -+ * @nonce_len: The length of the nonce -+ * @auth_iov: additional data to be authenticated -+ * @auth_iovcnt: The number of buffers in @auth_iov -+ * @iov: the data to be encrypted -+ * @iovcnt: The number of buffers in @iov -+ * @tag: The authentication tag -+ * @tag_size: The size of the tag to use (use zero for the default) -+ * -+ * This is similar to gnutls_aead_cipher_encrypt(), but it performs -+ * in-place encryption on the provided data buffers. -+ * -+ * Returns: Zero or a negative error code on error. 
-+ *
-+ * Since: 3.6.10
-+ **/
-+int
-+gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t *tag_size)
-+{
-+ api_aead_cipher_hd_st *h = handle;
-+ ssize_t ret;
-+ uint8_t *p;
-+ ssize_t blocksize = handle->ctx_enc.e->blocksize;
-+ struct iov_iter_st iter;
-+ size_t blocks;
-+ size_t _tag_size;
-+
-+ if (tag_size == NULL || *tag_size == 0)
-+ _tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e);
-+ else
-+ _tag_size = *tag_size;
-+
-+ if (_tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+ /* Limitation: this function provides an optimization under the internally registered
-+ * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
-+ * then this becomes a convenience function as it missed the lower-level primitives
-+ * necessary for piecemeal encryption. */
-+ if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) {
-+ /* ciphertext cannot be produced in a piecemeal approach */
-+ struct iov_store_st auth;
-+ struct iov_store_st ptext;
-+ size_t ptext_size;
-+
-+ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+
-+ ret = copy_from_iov(&ptext, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ptext_size = ptext.size;
-+
-+ /* append space for tag */
-+ ret = iov_store_grow(&ptext, _tag_size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ret = gnutls_aead_cipher_encrypt(handle, nonce, nonce_len,
-+ auth.data, auth.size,
-+ _tag_size,
-+ ptext.data, ptext_size,
-+ ptext.data, &ptext.size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ret = copy_to_iov(&ptext, ptext_size, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ if (tag != NULL)
-+ memcpy(tag,
-+ (uint8_t *) ptext.data + ptext_size,
-+ _tag_size);
-+ if (tag_size != NULL)
-+ *tag_size = _tag_size;
-+
-+ fallback_fail:
-+ iov_store_free(&auth);
-+ iov_store_free(&ptext);
-+
-+ return ret;
-+ }
-+
-+ ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-+ blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-+ p, blocksize * blocks,
-+ p, blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc,
-+ iter.block, iter.block_offset,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ if (tag != NULL)
-+ _gnutls_cipher_tag(&handle->ctx_enc, tag, _tag_size);
-+ if (tag_size != NULL)
-+ *tag_size = _tag_size;
-+
-+ return 0;
-+}
-+
-+/**
-+ * gnutls_aead_cipher_decryptv2:
-+ * @handle: is a #gnutls_aead_cipher_hd_t type.
-+ * @nonce: the nonce to set
-+ * @nonce_len: The length of the nonce
-+ * @auth_iov: additional data to be authenticated
-+ * @auth_iovcnt: The number of buffers in @auth_iov
-+ * @iov: the data to decrypt
-+ * @iovcnt: The number of buffers in @iov
-+ * @tag: The authentication tag
-+ * @tag_size: The size of the tag to use (use zero for the default)
-+ *
-+ * This is similar to gnutls_aead_cipher_decrypt(), but it performs
-+ * in-place encryption on the provided data buffers.
-+ *
-+ * Returns: Zero or a negative error code on error.
-+ *
-+ * Since: 3.6.10
-+ **/
-+int
-+gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t tag_size)
-+{
-+ api_aead_cipher_hd_st *h = handle;
-+ ssize_t ret;
-+ uint8_t *p;
-+ ssize_t blocksize = handle->ctx_enc.e->blocksize;
-+ struct iov_iter_st iter;
-+ size_t blocks;
-+ uint8_t _tag[MAX_HASH_SIZE];
-+
-+ if (tag_size == 0)
-+ tag_size = _gnutls_cipher_get_tag_size(h->ctx_enc.e);
-+ else if (tag_size > (unsigned)_gnutls_cipher_get_tag_size(h->ctx_enc.e))
-+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+ /* Limitation: this function provides an optimization under the internally registered
-+ * AEAD ciphers. When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(),
-+ * then this becomes a convenience function as it missed the lower-level primitives
-+ * necessary for piecemeal encryption. */
-+ if (handle->ctx_enc.e->only_aead || handle->ctx_enc.encrypt == NULL) {
-+ /* ciphertext cannot be produced in a piecemeal approach */
-+ struct iov_store_st auth;
-+ struct iov_store_st ctext;
-+ size_t ctext_size;
-+
-+ ret = copy_from_iov(&auth, auth_iov, auth_iovcnt);
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+
-+ ret = copy_from_iov(&ctext, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ctext_size = ctext.size;
-+
-+ /* append tag */
-+ ret = iov_store_grow(&ctext, tag_size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+ memcpy((uint8_t *) ctext.data + ctext_size, tag, tag_size);
-+
-+ ret = gnutls_aead_cipher_decrypt(handle, nonce, nonce_len,
-+ auth.data, auth.size,
-+ tag_size,
-+ ctext.data, ctext.size,
-+ ctext.data, &ctext_size);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ ret = copy_to_iov(&ctext, ctext_size, iov, iovcnt);
-+ if (ret < 0) {
-+ gnutls_assert();
-+ goto fallback_fail;
-+ }
-+
-+ fallback_fail:
-+ iov_store_free(&auth);
-+ iov_store_free(&ctext);
-+
-+ return ret;
-+ }
-+
-+ ret = _gnutls_cipher_setiv(&handle->ctx_enc, nonce, nonce_len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_init(&iter, auth_iov, auth_iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p,
-+ blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_auth(&handle->ctx_enc,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ ret = _gnutls_iov_iter_init(&iter, iov, iovcnt, blocksize);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ while (1) {
-+ ret = _gnutls_iov_iter_next(&iter, &p);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ if (ret == 0)
-+ break;
-+ blocks = ret;
-+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
-+ p, blocksize * blocks,
-+ p, blocksize * blocks);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+ if (iter.block_offset > 0) {
-+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc,
-+ iter.block, iter.block_offset,
-+ iter.block, iter.block_offset);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+ }
-+
-+ if (tag != NULL) {
-+ _gnutls_cipher_tag(&handle->ctx_enc, _tag, tag_size);
-+ if (gnutls_memcmp(_tag, tag, tag_size) != 0)
-+ return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
-+ }
-+
-+ return 0;
-+}
-+
- /**
- * gnutls_aead_cipher_deinit:
- * @handle: is a #gnutls_aead_cipher_hd_t type.
-diff --git a/lib/includes/gnutls/crypto.h b/lib/includes/gnutls/crypto.h
-index d2b8cae8f..4d4926c86 100644
---- a/lib/includes/gnutls/crypto.h
-+++ b/lib/includes/gnutls/crypto.h
-@@ -92,6 +92,20 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle,
- const giovec_t *iov, int iovcnt,
- void *ctext, size_t *ctext_len);
- 
-+int
-+gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t *tag_size);
-+
-+int
-+gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
-+ const void *nonce, size_t nonce_len,
-+ const giovec_t *auth_iov, int auth_iovcnt,
-+ const giovec_t *iov, int iovcnt,
-+ void *tag, size_t tag_size);
-+
- void gnutls_aead_cipher_deinit(gnutls_aead_cipher_hd_t handle);
- 
- /* Hash - MAC API */
-diff --git a/lib/libgnutls.map b/lib/libgnutls.map
-index fc93c0857..f83a21e9b 100644
---- a/lib/libgnutls.map
-+++ b/lib/libgnutls.map
-@@ -1286,6 +1286,13 @@ GNUTLS_3_6_8
- gnutls_ffdhe_8192_group_q;
- } GNUTLS_3_6_6;
- 
-+GNUTLS_3_6_10
-+{
-+ global:
-+ gnutls_aead_cipher_encryptv2;
-+ gnutls_aead_cipher_decryptv2;
-+} GNUTLS_3_6_8;
-+
- GNUTLS_FIPS140_3_4 {
- global:
- gnutls_cipher_self_test;
-diff --git a/tests/Makefile.am b/tests/Makefile.am
-index a2883570f..075c2728f 100644
---- a/tests/Makefile.am
-+++ b/tests/Makefile.am
-@@ -212,7 +212,7 @@ ctests += mini-record-2 simple gnutls_hm
- null_retrieve_function tls-record-size-limit tls-crt_type-neg \
- resume-with-stek-expiration resume-with-previous-stek rawpk-api \
- tls-record-size-limit-asym dh-compute ecdh-compute \
-- sign-verify-deterministic iov
-+ sign-verify-deterministic iov aead-cipher-vec
- 
- if HAVE_SECCOMP_TESTS
- ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp
-diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
-new file mode 100644
-index 000000000..6c2542cf1
---- /dev/null
-+++ b/tests/aead-cipher-vec.c -@@ -0,0 +1,123 @@ -+/* -+ * Copyright (C) 2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+ -+#include -+#include -+#include -+#include "utils.h" -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "<%d>| %s", level, str); -+} -+ -+/* Test whether gnutls_aead_cipher_{en,de}crypt_vec works */ -+static void start(const char *name, int algo) -+{ -+ int ret; -+ gnutls_aead_cipher_hd_t ch; -+ uint8_t key16[64]; -+ uint8_t iv16[32]; -+ uint8_t auth[128]; -+ uint8_t data[128+64]; -+ gnutls_datum_t key, iv; -+ giovec_t iov[2]; -+ giovec_t auth_iov[2]; -+ uint8_t tag[64]; -+ size_t tag_size = 0; -+ -+ key.data = key16; -+ key.size = gnutls_cipher_get_key_size(algo); -+ assert(key.size <= sizeof(key16)); -+ -+ iv.data = iv16; -+ iv.size = gnutls_cipher_get_iv_size(algo); -+ assert(iv.size <= sizeof(iv16)); -+ -+ memset(iv.data, 0xff, iv.size); -+ memset(key.data, 0xfe, key.size); -+ memset(data, 0xfa, 128); -+ memset(auth, 0xaa, sizeof(auth)); -+ -+ iov[0].iov_base = data; -+ iov[0].iov_len = 64; -+ iov[1].iov_base = data + 64; -+ iov[1].iov_len = 64; -+ -+ auth_iov[0].iov_base = auth; -+ auth_iov[0].iov_len = 64; -+ auth_iov[1].iov_base = auth + 64; -+ auth_iov[1].iov_len = 64; -+ -+ 
success("trying %s\n", name); -+ -+ ret = -+ gnutls_aead_cipher_init(&ch, algo, &key); -+ if (ret < 0) -+ fail("gnutls_cipher_init: %s\n", gnutls_strerror(ret)); -+ -+ ret = gnutls_aead_cipher_encryptv2(ch, -+ iv.data, iv.size, -+ auth_iov, 2, -+ iov, 2, -+ tag, &tag_size); -+ if (ret < 0) -+ fail("could not encrypt data: %s\n", gnutls_strerror(ret)); -+ -+ ret = gnutls_aead_cipher_decryptv2(ch, -+ iv.data, iv.size, -+ auth_iov, 2, -+ iov, 2, -+ tag, tag_size); -+ if (ret < 0) -+ fail("could not decrypt data: %s\n", gnutls_strerror(ret)); -+ -+ gnutls_aead_cipher_deinit(ch); -+} -+ -+void -+doit(void) -+{ -+ int ret; -+ -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(4711); -+ -+ ret = global_init(); -+ if (ret < 0) { -+ fail("Cannot initialize library\n"); /*errcode 1 */ -+ } -+ -+ start("aes-128-gcm", GNUTLS_CIPHER_AES_128_GCM); -+ start("aes-256-gcm", GNUTLS_CIPHER_AES_256_GCM); -+ start("aes-128-ccm", GNUTLS_CIPHER_AES_128_CCM); -+ if (!gnutls_fips140_mode_enabled()) -+ start("chacha20-poly1305", GNUTLS_CIPHER_CHACHA20_POLY1305); -+ -+ gnutls_global_deinit(); -+} --- -2.21.0 - diff --git a/SOURCES/gnutls-3.6.8-decr-len.patch b/SOURCES/gnutls-3.6.8-decr-len.patch deleted file mode 100644 index 30272a1..0000000 --- a/SOURCES/gnutls-3.6.8-decr-len.patch +++ /dev/null 
@@ -1,687 +0,0 @@ -From e0fe31f1fc2ba13ada1d6bc35231847b75be4ee9 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 8 Aug 2019 18:02:08 +0200 -Subject: [PATCH 1/2] gnutls_int.h: make DECR_LEN neutral to signedness - -DECR_LEN was previously implemented in a way that it first decrements -the given length and then checks whether the result is negative. This -requires the caller to properly coerce the length argument to a signed -integer, before invoking the macro. - -Signed-off-by: Daiki Ueno ---- - lib/gnutls_int.h | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h -index 179d71b4a..7f7b6a7c9 100644 ---- a/lib/gnutls_int.h -+++ b/lib/gnutls_int.h -@@ -256,14 +256,15 @@ typedef enum record_send_state_t { - - #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y)) - --#define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0) -+#define DECR_LEN(len, x) DECR_LENGTH_RET(len, x, GNUTLS_E_UNEXPECTED_PACKET_LENGTH) - #define DECR_LEN_FINAL(len, x) do { \ -- len-=x; \ -- if (len != 0) \ -+ if (len != x) \ - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); \ -+ else \ -+ len = 0; \ - } while (0) --#define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {gnutls_assert(); return RET;} } while (0) --#define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0) -+#define DECR_LENGTH_RET(len, x, RET) DECR_LENGTH_COM(len, x, return RET) -+#define DECR_LENGTH_COM(len, x, COM) do { if (len -Date: Thu, 8 Aug 2019 18:04:18 +0200 -Subject: [PATCH 2/2] lib/*: remove unnecessary cast to ssize_t - -Signed-off-by: Daiki Ueno ---- - lib/crypto-api.c | 10 +++++----- - lib/ext/alpn.c | 3 +-- - lib/ext/client_cert_type.c | 9 ++++----- - lib/ext/cookie.c | 5 ++--- - lib/ext/ec_point_formats.c | 7 +++---- - lib/ext/key_share.c | 5 ++--- - lib/ext/max_record.c | 3 +-- - lib/ext/psk_ke_modes.c | 3 +-- - 
lib/ext/record_size_limit.c | 3 +-- - lib/ext/safe_renegotiation.c | 3 +-- - lib/ext/server_cert_type.c | 9 ++++----- - lib/ext/server_name.c | 3 +-- - lib/ext/session_ticket.c | 5 ++--- - lib/ext/signature.c | 3 +-- - lib/ext/srp.c | 3 +-- - lib/ext/srtp.c | 5 ++--- - lib/ext/status_request.c | 3 +-- - lib/ext/supported_groups.c | 3 +-- - lib/ext/supported_versions.c | 5 ++--- - lib/extv.c | 8 ++++---- - lib/sslv2_compat.c | 3 +-- - lib/supplemental.c | 4 ++-- - lib/tls13/certificate.c | 21 +++++++++++---------- - lib/tls13/psk_ext_parser.c | 4 +--- - lib/tls13/psk_ext_parser.h | 4 ++-- - lib/tls13/session_ticket.c | 2 +- - 26 files changed, 58 insertions(+), 78 deletions(-) - -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index 2834c0199..09b3d7bfc 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -990,9 +990,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - api_aead_cipher_hd_st *h = handle; - ssize_t ret; - uint8_t *dst; -- ssize_t dst_size, total = 0; -+ size_t dst_size, total = 0; - uint8_t *p; -- ssize_t blocksize = handle->ctx_enc.e->blocksize; -+ size_t blocksize = handle->ctx_enc.e->blocksize; - struct iov_iter_st iter; - size_t blocks; - -@@ -1071,7 +1071,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - if (ret == 0) - break; - blocks = ret; -- if (unlikely((size_t) dst_size < blocksize * blocks)) -+ if (unlikely(dst_size < blocksize * blocks)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, - blocksize * blocks, -@@ -1083,7 +1083,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - total += blocksize * blocks; - } - if (iter.block_offset > 0) { -- if (unlikely((size_t) dst_size < iter.block_offset)) -+ if (unlikely(dst_size < iter.block_offset)) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, - iter.block, iter.block_offset, -@@ -1095,7 +1095,7 @@ 
gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - total += iter.block_offset; - } - -- if ((size_t)dst_size < tag_size) -+ if (dst_size < tag_size) - return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); - - _gnutls_cipher_tag(&handle->ctx_enc, dst, tag_size); -diff --git a/lib/ext/alpn.c b/lib/ext/alpn.c -index 34f6ce09d..b9991f0a1 100644 ---- a/lib/ext/alpn.c -+++ b/lib/ext/alpn.c -@@ -51,13 +51,12 @@ const hello_ext_entry_st ext_mod_alpn = { - - static int - _gnutls_alpn_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - unsigned int i; - int ret; - const uint8_t *p = data; - unsigned len1, len; -- ssize_t data_size = _data_size; - alpn_ext_st *priv; - gnutls_ext_priv_data_t epriv; - int selected_protocol_index; -diff --git a/lib/ext/client_cert_type.c b/lib/ext/client_cert_type.c -index 471d42c5f..b627b71f9 100644 ---- a/lib/ext/client_cert_type.c -+++ b/lib/ext/client_cert_type.c -@@ -73,7 +73,6 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, - gnutls_certificate_type_t cert_type; - - uint8_t i, found = 0; -- ssize_t len = data_size; - const uint8_t* pdata = data; - - /* Only activate this extension if we have cert credentials set -@@ -86,7 +85,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, - - /* Compare packet length with expected packet length. For the - * client this is a single byte. */ -- if (len != 1) { -+ if (data_size != 1) { - return - gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - } -@@ -136,8 +135,8 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, - - } else { // server mode - // Compare packet length with expected packet length. 
-- DECR_LEN(len, 1); -- if (data[0] != len) { -+ DECR_LEN(data_size, 1); -+ if (data[0] != data_size) { - return - gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - } -@@ -145,7 +144,7 @@ static int _gnutls_client_cert_type_recv_params(gnutls_session_t session, - - // Assign the contents of our data buffer to a gnutls_datum_t - cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning -- cert_types.size = len; -+ cert_types.size = data_size; - - // Store the client certificate types in our session - _gnutls_hello_ext_set_datum(session, -diff --git a/lib/ext/cookie.c b/lib/ext/cookie.c -index 1e66c3d49..0feb2f0e5 100644 ---- a/lib/ext/cookie.c -+++ b/lib/ext/cookie.c -@@ -53,10 +53,9 @@ const hello_ext_entry_st ext_mod_cookie = { - /* Only client sends this extension. */ - static int - cookie_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { -- ssize_t data_size = _data_size; -- ssize_t csize; -+ size_t csize; - int ret; - gnutls_datum_t tmp; - -diff --git a/lib/ext/ec_point_formats.c b/lib/ext/ec_point_formats.c -index eb59ec139..c702d434c 100644 ---- a/lib/ext/ec_point_formats.c -+++ b/lib/ext/ec_point_formats.c -@@ -57,11 +57,10 @@ const hello_ext_entry_st ext_mod_supported_ec_point_formats = { - static int - _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session, - const uint8_t * data, -- size_t _data_size) -+ size_t data_size) - { -- int len, i; -+ size_t len, i; - int uncompressed = 0; -- int data_size = _data_size; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { - if (data_size < 1) -@@ -91,7 +90,7 @@ _gnutls_supported_ec_point_formats_recv_params(gnutls_session_t session, - /* only sanity check here. We only support uncompressed points - * and a client must support it thus nothing to check. 
- */ -- if (_data_size < 1) -+ if (data_size < 1) - return - gnutls_assert_val - (GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION); -diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c -index 599eff8fb..8f0912e69 100644 ---- a/lib/ext/key_share.c -+++ b/lib/ext/key_share.c -@@ -504,11 +504,10 @@ client_use_key_share(gnutls_session_t session, const gnutls_group_entry_st *grou - - static int - key_share_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - int ret; -- ssize_t data_size = _data_size; -- ssize_t size; -+ size_t size; - unsigned gid; - const version_entry_st *ver; - const gnutls_group_entry_st *group; -diff --git a/lib/ext/max_record.c b/lib/ext/max_record.c -index dbb98cf62..3cada69be 100644 ---- a/lib/ext/max_record.c -+++ b/lib/ext/max_record.c -@@ -65,10 +65,9 @@ const hello_ext_entry_st ext_mod_max_record_size = { - - static int - _gnutls_max_record_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - ssize_t new_size; -- ssize_t data_size = _data_size; - - if (session->internals.hsk_flags & HSK_RECORD_SIZE_LIMIT_NEGOTIATED) - return 0; -diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c -index da7a55098..8d8effb43 100644 ---- a/lib/ext/psk_ke_modes.c -+++ b/lib/ext/psk_ke_modes.c -@@ -106,10 +106,9 @@ psk_ke_modes_send_params(gnutls_session_t session, - */ - static int - psk_ke_modes_recv_params(gnutls_session_t session, -- const unsigned char *data, size_t _len) -+ const unsigned char *data, size_t len) - { - uint8_t ke_modes_len; -- ssize_t len = _len; - const version_entry_st *vers = get_version(session); - gnutls_psk_server_credentials_t cred; - int dhpsk_pos = MAX_POS; -diff --git a/lib/ext/record_size_limit.c b/lib/ext/record_size_limit.c -index e9fe6a1d8..0e94fece3 100644 ---- a/lib/ext/record_size_limit.c -+++ b/lib/ext/record_size_limit.c -@@ -48,10 +48,9 @@ const hello_ext_entry_st 
ext_mod_record_size_limit = { - - static int - _gnutls_record_size_limit_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - ssize_t new_size; -- ssize_t data_size = _data_size; - const version_entry_st *vers; - - DECR_LEN(data_size, 2); -diff --git a/lib/ext/safe_renegotiation.c b/lib/ext/safe_renegotiation.c -index 6424f45b5..bb4a57e45 100644 ---- a/lib/ext/safe_renegotiation.c -+++ b/lib/ext/safe_renegotiation.c -@@ -265,10 +265,9 @@ int _gnutls_ext_sr_send_cs(gnutls_session_t session) - - static int - _gnutls_sr_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - unsigned int len; -- ssize_t data_size = _data_size; - sr_ext_st *priv; - gnutls_ext_priv_data_t epriv; - int set = 0, ret; -diff --git a/lib/ext/server_cert_type.c b/lib/ext/server_cert_type.c -index dbcb3971b..864a44bbc 100644 ---- a/lib/ext/server_cert_type.c -+++ b/lib/ext/server_cert_type.c -@@ -73,7 +73,6 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, - gnutls_certificate_type_t cert_type; - - uint8_t i, found = 0; -- ssize_t len = data_size; - const uint8_t* pdata = data; - - /* Only activate this extension if we have cert credentials set -@@ -86,7 +85,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, - - /* Compare packet length with expected packet length. For the - * client this is a single byte. */ -- if (len != 1) { -+ if (data_size != 1) { - return - gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - } -@@ -135,8 +134,8 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, - - } else { // server mode - // Compare packet length with expected packet length. 
-- DECR_LEN(len, 1); -- if (data[0] != len) { -+ DECR_LEN(data_size, 1); -+ if (data[0] != data_size) { - return - gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - } -@@ -144,7 +143,7 @@ static int _gnutls_server_cert_type_recv_params(gnutls_session_t session, - - // Assign the contents of our data buffer to a gnutls_datum_t - cert_types.data = (uint8_t*)pdata; // Need casting to get rid of 'discards const qualifier' warning -- cert_types.size = len; -+ cert_types.size = data_size; - - // Store the server certificate types in our session - _gnutls_hello_ext_set_datum(session, -diff --git a/lib/ext/server_name.c b/lib/ext/server_name.c -index 259dc998e..0c6331569 100644 ---- a/lib/ext/server_name.c -+++ b/lib/ext/server_name.c -@@ -66,11 +66,10 @@ const hello_ext_entry_st ext_mod_server_name = { - */ - static int - _gnutls_server_name_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - const unsigned char *p; - uint16_t len, type; -- ssize_t data_size = _data_size; - gnutls_datum_t name; - - if (session->security_parameters.entity == GNUTLS_SERVER) { -diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c -index 98db39ff8..263273fa2 100644 ---- a/lib/ext/session_ticket.c -+++ b/lib/ext/session_ticket.c -@@ -78,7 +78,7 @@ static int - unpack_ticket(const gnutls_datum_t *ticket_data, struct ticket_st *ticket) - { - const uint8_t * data = ticket_data->data; -- ssize_t data_size = ticket_data->size; -+ size_t data_size = ticket_data->size; - const uint8_t *encrypted_state; - - /* Format: -@@ -371,11 +371,10 @@ unpack_session(gnutls_session_t session, const gnutls_datum_t *state) - - static int - session_ticket_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - gnutls_datum_t ticket_data; - gnutls_datum_t state; -- ssize_t data_size = _data_size; - int ret; - - if (session->internals.flags & 
GNUTLS_NO_TICKETS) -diff --git a/lib/ext/signature.c b/lib/ext/signature.c -index e734d2c7d..a90f58d53 100644 ---- a/lib/ext/signature.c -+++ b/lib/ext/signature.c -@@ -187,9 +187,8 @@ _gnutls_sign_algorithm_parse_data(gnutls_session_t session, - static int - _gnutls_signature_algorithm_recv_params(gnutls_session_t session, - const uint8_t * data, -- size_t _data_size) -+ size_t data_size) - { -- ssize_t data_size = _data_size; - int ret; - - if (session->security_parameters.entity == GNUTLS_CLIENT) { -diff --git a/lib/ext/srp.c b/lib/ext/srp.c -index 8b58222e0..07f6e6883 100644 ---- a/lib/ext/srp.c -+++ b/lib/ext/srp.c -@@ -59,10 +59,9 @@ const hello_ext_entry_st ext_mod_srp = { - - static int - _gnutls_srp_recv_params(gnutls_session_t session, const uint8_t * data, -- size_t _data_size) -+ size_t data_size) - { - uint8_t len; -- ssize_t data_size = _data_size; - gnutls_ext_priv_data_t epriv; - srp_ext_st *priv; - -diff --git a/lib/ext/srtp.c b/lib/ext/srtp.c -index 3fc7ed35a..412e26d45 100644 ---- a/lib/ext/srtp.c -+++ b/lib/ext/srtp.c -@@ -162,13 +162,12 @@ const char *gnutls_srtp_get_profile_name(gnutls_srtp_profile_t profile) - - static int - _gnutls_srtp_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - unsigned int i; - int ret; - const uint8_t *p = data; -- int len; -- ssize_t data_size = _data_size; -+ size_t len; - srtp_ext_st *priv; - gnutls_ext_priv_data_t epriv; - uint16_t profile; -diff --git a/lib/ext/status_request.c b/lib/ext/status_request.c -index d8779e8cf..cf9d5bd03 100644 ---- a/lib/ext/status_request.c -+++ b/lib/ext/status_request.c -@@ -86,9 +86,8 @@ client_send(gnutls_session_t session, - static int - server_recv(gnutls_session_t session, - status_request_ext_st * priv, -- const uint8_t * data, size_t size) -+ const uint8_t * data, size_t data_size) - { -- ssize_t data_size = size; - unsigned rid_bytes = 0; - - /* minimum message is type (1) + 
responder_id_list (2) + -diff --git a/lib/ext/supported_groups.c b/lib/ext/supported_groups.c -index 952d3bb0c..ef7859f73 100644 ---- a/lib/ext/supported_groups.c -+++ b/lib/ext/supported_groups.c -@@ -93,10 +93,9 @@ static unsigned get_min_dh(gnutls_session_t session) - */ - static int - _gnutls_supported_groups_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - int i; -- ssize_t data_size = _data_size; - uint16_t len; - const uint8_t *p = data; - const gnutls_group_entry_st *group = NULL; -diff --git a/lib/ext/supported_versions.c b/lib/ext/supported_versions.c -index 52828ee37..8d52fad5c 100644 ---- a/lib/ext/supported_versions.c -+++ b/lib/ext/supported_versions.c -@@ -54,12 +54,11 @@ const hello_ext_entry_st ext_mod_supported_versions = { - - static int - supported_versions_recv_params(gnutls_session_t session, -- const uint8_t * data, size_t _data_size) -+ const uint8_t * data, size_t data_size) - { - const version_entry_st *vers; -- ssize_t data_size = _data_size; - uint8_t major, minor; -- ssize_t bytes; -+ size_t bytes; - int ret; - - if (session->security_parameters.entity == GNUTLS_SERVER) { -diff --git a/lib/extv.c b/lib/extv.c -index bfdfdf974..0c0c46f32 100644 ---- a/lib/extv.c -+++ b/lib/extv.c -@@ -105,7 +105,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb, - const gnutls_datum_t *data, unsigned int flags) - { - if (flags & GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO) { -- ssize_t size = data->size; -+ size_t size = data->size; - size_t len; - uint8_t *p = data->data; - -@@ -137,12 +137,12 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb, - DECR_LEN(size, len); - p += len; - -- if (size <= 0) -+ if (size == 0) - return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - - return _gnutls_extv_parse(ctx, cb, p, size); - } else if (flags & GNUTLS_EXT_RAW_FLAG_DTLS_CLIENT_HELLO) { -- ssize_t size = data->size; -+ size_t size = 
data->size; - size_t len; - uint8_t *p = data->data; - -@@ -181,7 +181,7 @@ int gnutls_ext_raw_parse(void *ctx, gnutls_ext_raw_process_func cb, - DECR_LEN(size, len); - p += len; - -- if (size <= 0) -+ if (size == 0) - return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - - return _gnutls_extv_parse(ctx, cb, p, size); -diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c -index 6122d1098..9d247ba4c 100644 ---- a/lib/sslv2_compat.c -+++ b/lib/sslv2_compat.c -@@ -87,14 +87,13 @@ _gnutls_handshake_select_v2_suite(gnutls_session_t session, - */ - int - _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data, -- unsigned int datalen) -+ unsigned int len) - { - uint16_t session_id_len = 0; - int pos = 0; - int ret = 0, sret = 0; - uint16_t sizeOfSuites; - uint8_t rnd[GNUTLS_RANDOM_SIZE], major, minor; -- int len = datalen; - int neg_version; - const version_entry_st *vers; - uint16_t challenge; -diff --git a/lib/supplemental.c b/lib/supplemental.c -index cd90fa1fb..07b38cc93 100644 ---- a/lib/supplemental.c -+++ b/lib/supplemental.c -@@ -192,14 +192,14 @@ _gnutls_parse_supplemental(gnutls_session_t session, - const uint8_t * data, int datalen) - { - const uint8_t *p = data; -- ssize_t dsize = datalen; -+ size_t dsize = datalen; - size_t total_size; - - DECR_LEN(dsize, 3); - total_size = _gnutls_read_uint24(p); - p += 3; - -- if (dsize != (ssize_t) total_size) { -+ if (dsize != total_size) { - gnutls_assert(); - return GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - } -diff --git a/lib/tls13/certificate.c b/lib/tls13/certificate.c -index bd257237f..8a1a11872 100644 ---- a/lib/tls13/certificate.c -+++ b/lib/tls13/certificate.c -@@ -360,11 +360,12 @@ static int parse_cert_extension(void *_ctx, unsigned tls_id, const uint8_t *data - static int - parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) - { -- int len, ret; -+ int ret; -+ size_t len; - uint8_t *p = data; - cert_auth_info_t info; - gnutls_certificate_credentials_t cred; -- 
ssize_t dsize = data_size, size; -+ size_t size; - int i; - unsigned npeer_certs, npeer_ocsp, j; - crt_cert_ctx_st ctx; -@@ -395,31 +396,31 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) - if (info == NULL) - return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS); - -- DECR_LEN(dsize, 3); -+ DECR_LEN(data_size, 3); - size = _gnutls_read_uint24(p); - p += 3; - -- if (size != dsize) -+ if (size != data_size) - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - - if (size == 0) - return gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); - -- i = dsize; -+ i = data_size; - - while (i > 0) { -- DECR_LEN(dsize, 3); -+ DECR_LEN(data_size, 3); - len = _gnutls_read_uint24(p); - if (len == 0) - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - -- DECR_LEN(dsize, len); -+ DECR_LEN(data_size, len); - p += len + 3; - i -= len + 3; - -- DECR_LEN(dsize, 2); -+ DECR_LEN(data_size, 2); - len = _gnutls_read_uint16(p); -- DECR_LEN(dsize, len); -+ DECR_LEN(data_size, len); - - i -= len + 2; - p += len + 2; -@@ -427,7 +428,7 @@ parse_cert_list(gnutls_session_t session, uint8_t * data, size_t data_size) - nentries++; - } - -- if (dsize != 0) -+ if (data_size != 0) - return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET_LENGTH); - - /* this is unnecessary - keeping to avoid a regression due to a re-org -diff --git a/lib/tls13/psk_ext_parser.c b/lib/tls13/psk_ext_parser.c -index 6e3a12f90..33ebc0461 100644 ---- a/lib/tls13/psk_ext_parser.c -+++ b/lib/tls13/psk_ext_parser.c -@@ -28,10 +28,8 @@ - * are present, or 0, on success. 
- */ - int _gnutls13_psk_ext_parser_init(psk_ext_parser_st *p, -- const unsigned char *data, size_t _len) -+ const unsigned char *data, size_t len) - { -- ssize_t len = _len; -- - if (!p || !data || !len) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - -diff --git a/lib/tls13/psk_ext_parser.h b/lib/tls13/psk_ext_parser.h -index 30b47e904..f46b211e0 100644 ---- a/lib/tls13/psk_ext_parser.h -+++ b/lib/tls13/psk_ext_parser.h -@@ -25,10 +25,10 @@ - - struct psk_ext_parser_st { - const unsigned char *identities_data; -- ssize_t identities_len; -+ size_t identities_len; - - const unsigned char *binders_data; -- ssize_t binders_len; -+ size_t binders_len; - }; - - typedef struct psk_ext_parser_st psk_ext_parser_st; -diff --git a/lib/tls13/session_ticket.c b/lib/tls13/session_ticket.c -index 146aee9b1..072a56d9c 100644 ---- a/lib/tls13/session_ticket.c -+++ b/lib/tls13/session_ticket.c -@@ -105,7 +105,7 @@ unpack_ticket(gnutls_session_t session, gnutls_datum_t *packed, tls13_ticket_st - gnutls_mac_algorithm_t kdf; - const mac_entry_st *prf; - uint8_t *p; -- ssize_t len; -+ size_t len; - uint64_t v; - int ret; - --- -2.21.0 - diff --git a/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch b/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch deleted file mode 100644 index 016a6bf..0000000 --- a/SOURCES/gnutls-3.6.8-fips-aes-cbc-kat.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From facea2b7659e11efce7014bda8800574d35dd05d Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 12 Jun 2019 14:02:05 +0200 -Subject: [PATCH] fips: run selftests over overridden AES-CBC algorithm - -Previously, we only tested nettle's AES-CBC in -_gnutls_fips_perform_self_checks1(), which is called before the -implementation is overridden. This adds an AES-CBC self-test in -_gnutls_fips_perform_self_checks2() so it can test the actual -implementation. - -Signed-off-by: Daiki Ueno ---- - lib/fips.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/lib/fips.c b/lib/fips.c -index b92edbbd7..902af5674 100644 ---- a/lib/fips.c -+++ b/lib/fips.c -@@ -317,6 +317,12 @@ int _gnutls_fips_perform_self_checks2(void) - goto error; - } - -+ ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_CBC); -+ if (ret < 0) { -+ gnutls_assert(); -+ goto error; -+ } -+ - ret = gnutls_cipher_self_test(0, GNUTLS_CIPHER_AES_256_GCM); - if (ret < 0) { - gnutls_assert(); --- -2.20.1 - diff --git a/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch b/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch deleted file mode 100644 index 5be6209..0000000 --- a/SOURCES/gnutls-3.6.8-fips-deterministic-ecdsa.patch +++ /dev/null 
@@ -1,1352 +0,0 @@
-From e94ab6b703ee50ea020565e1b8729a9b1d524d84 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Mon, 29 Jul 2019 14:00:30 +0200
-Subject: [PATCH 1/6] nettle: add functions for deterministic ECDSA/DSA
-
-This adds functions to perform deterministic ECDSA/DSA, namely
-_gnutls_{ecdsa,dsa}_compute_k(), which computes the k value according
-to RFC 6979. The retrieved k value can be given to
-nettle_{ecdsa,dsa}_sign() through a wrapper random function.
-
-Signed-off-by: Daiki Ueno
----
- lib/nettle/Makefile.am | 5 +-
- lib/nettle/int/dsa-compute-k.c | 209 +++++++++++++++++++++++++++++++
- lib/nettle/int/dsa-compute-k.h | 37 ++++++
- lib/nettle/int/ecdsa-compute-k.c | 95 ++++++++++++++
- lib/nettle/int/ecdsa-compute-k.h | 37 ++++++
- lib/nettle/int/mpn-base256.c | 97 ++++++++++++++
- lib/nettle/int/mpn-base256.h | 48 +++++++
- 7 files changed, 527 insertions(+), 1 deletion(-)
- create mode 100644 lib/nettle/int/dsa-compute-k.c
- create mode 100644 lib/nettle/int/dsa-compute-k.h
- create mode 100644 lib/nettle/int/ecdsa-compute-k.c
- create mode 100644 lib/nettle/int/ecdsa-compute-k.h
- create mode 100644 lib/nettle/int/mpn-base256.c
- create mode 100644 lib/nettle/int/mpn-base256.h
-
-diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am
-index 1c60d3244..bd9dd753a 100644
---- a/lib/nettle/Makefile.am
-+++ b/lib/nettle/Makefile.am
-@@ -45,7 +45,10 @@ libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c init.c \
- backport/xts.c backport/xts.h \
- rnd.c int/rsa-fips.h int/rsa-keygen-fips186.c int/provable-prime.c \
- int/dsa-fips.h int/dsa-keygen-fips186.c int/dsa-validate.c \
-- int/tls1-prf.c int/tls1-prf.h
-+ int/tls1-prf.c int/tls1-prf.h \
-+ int/dsa-compute-k.c int/dsa-compute-k.h \
-+ int/ecdsa-compute-k.c int/ecdsa-compute-k.h \
-+ int/mpn-base256.c int/mpn-base256.h
-
- if WINDOWS
- libcrypto_la_SOURCES += sysrng-windows.c
-diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
-new file mode 100644
-index 
000000000..17d63318c
---- /dev/null
-+++ b/lib/nettle/int/dsa-compute-k.c
-@@ -0,0 +1,209 @@
-+/*
-+ * Copyright (C) 2019 Red Hat, Inc.
-+ *
-+ * Author: Daiki Ueno
-+ *
-+ * This file is part of GNUTLS.
-+ *
-+ * The GNUTLS library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public License
-+ * as published by the Free Software Foundation; either version 2.1 of
-+ * the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see
-+ *
-+ */
-+
-+#if HAVE_CONFIG_H
-+# include "config.h"
-+#endif
-+
-+#include "dsa-compute-k.h"
-+
-+#include "gnutls_int.h"
-+#include "mem.h"
-+#include "mpn-base256.h"
-+#include
-+
-+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
-+
-+/* The maximum size of q, choosen from the fact that we support
-+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
-+ * maximum.
*/ -+#define MAX_Q_BITS 521 -+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8) -+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS) -+ -+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8) -+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS) -+ -+int -+_gnutls_dsa_compute_k(mpz_t k, -+ const mpz_t q, -+ const mpz_t x, -+ gnutls_mac_algorithm_t mac, -+ const uint8_t *digest, -+ size_t length) -+{ -+ uint8_t V[MAX_HASH_SIZE]; -+ uint8_t K[MAX_HASH_SIZE]; -+ uint8_t xp[MAX_Q_SIZE]; -+ uint8_t tp[MAX_Q_SIZE]; -+ mp_limb_t h[MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)]; -+ mp_bitcnt_t q_bits = mpz_sizeinbase (q, 2); -+ mp_size_t qn = mpz_size(q); -+ mp_bitcnt_t h_bits = length * 8; -+ mp_size_t hn = BITS_TO_LIMBS(h_bits); -+ size_t nbytes = (q_bits + 7) / 8; -+ const uint8_t c0 = 0x00; -+ const uint8_t c1 = 0x01; -+ mp_limb_t cy; -+ gnutls_hmac_hd_t hd; -+ int ret = 0; -+ -+ if (unlikely(q_bits > MAX_Q_BITS)) -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ if (unlikely(length > MAX_HASH_SIZE)) -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ -+ /* int2octets(x) */ -+ mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn); -+ -+ /* bits2octets(h) */ -+ mpn_set_base256(h, hn, digest, length); -+ -+ if (hn < qn) -+ /* qlen > blen: add zero bits to the left */ -+ mpn_zero(&h[hn], qn - hn); -+ else if (h_bits > q_bits) { -+ /* qlen < blen: keep the leftmost qlen bits. We do this in 2 -+ * steps because mpn_rshift only accepts shift count in the -+ * range 1 to mp_bits_per_limb-1. -+ */ -+ mp_bitcnt_t shift = h_bits - q_bits; -+ -+ if (shift / GMP_NUMB_BITS > 0) { -+ mpn_copyi(h, &h[shift / GMP_NUMB_BITS], qn); -+ hn -= shift / GMP_NUMB_BITS; -+ } -+ -+ if (shift % GMP_NUMB_BITS > 0) -+ mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS); -+ } -+ -+ cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn); -+ /* Fall back to addmul_1, if nettle is linked with mini-gmp. 
*/ -+#ifdef mpn_cnd_add_n -+ mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn); -+#else -+ mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0); -+#endif -+ mpn_get_base256(tp, nbytes, h, qn); -+ -+ /* Step b */ -+ memset(V, c1, length); -+ -+ /* Step c */ -+ memset(K, c0, length); -+ -+ /* Step d */ -+ ret = gnutls_hmac_init(&hd, mac, K, length); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, V, length); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, &c0, 1); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, xp, nbytes); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, tp, nbytes); -+ if (ret < 0) -+ goto out; -+ gnutls_hmac_deinit(hd, K); -+ -+ /* Step e */ -+ ret = gnutls_hmac_fast(mac, K, length, V, length, V); -+ if (ret < 0) -+ goto out; -+ -+ /* Step f */ -+ ret = gnutls_hmac_init(&hd, mac, K, length); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, V, length); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, &c1, 1); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, xp, nbytes); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, tp, nbytes); -+ if (ret < 0) -+ goto out; -+ gnutls_hmac_deinit(hd, K); -+ -+ /* Step g */ -+ ret = gnutls_hmac_fast(mac, K, length, V, length, V); -+ if (ret < 0) -+ goto out; -+ -+ /* Step h */ -+ for (;;) { -+ /* Step 1 */ -+ size_t tlen = 0; -+ -+ /* Step 2 */ -+ while (tlen < nbytes) { -+ size_t remaining = MIN(nbytes - tlen, length); -+ ret = gnutls_hmac_fast(mac, K, length, V, length, V); -+ if (ret < 0) -+ goto out; -+ memcpy (&tp[tlen], V, remaining); -+ tlen += remaining; -+ } -+ -+ /* Step 3 */ -+ mpn_set_base256 (h, qn, tp, tlen); -+ if (tlen * 8 > q_bits) -+ mpn_rshift (h, h, qn, tlen * 8 - q_bits); -+ /* Check if k is in [1,q-1] */ -+ if (!mpn_zero_p (h, qn) && -+ mpn_cmp (h, mpz_limbs_read(q), qn) < 0) { -+ mpn_copyi(mpz_limbs_write(k, qn), h, qn); -+ mpz_limbs_finish(k, qn); -+ break; -+ } -+ -+ ret = gnutls_hmac_init(&hd, mac, K, length); -+ if (ret < 0) -+ goto out; -+ ret = 
gnutls_hmac(hd, V, length); -+ if (ret < 0) -+ goto out; -+ ret = gnutls_hmac(hd, &c0, 1); -+ if (ret < 0) -+ goto out; -+ gnutls_hmac_deinit(hd, K); -+ -+ ret = gnutls_hmac_fast(mac, K, length, V, length, V); -+ if (ret < 0) -+ goto out; -+ } -+ -+ out: -+ zeroize_key(xp, sizeof(xp)); -+ zeroize_key(tp, sizeof(tp)); -+ -+ return ret; -+} -diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h -new file mode 100644 -index 000000000..64e90e0ca ---- /dev/null -+++ b/lib/nettle/int/dsa-compute-k.h -@@ -0,0 +1,37 @@ -+/* -+ * Copyright (C) 2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ * -+ */ -+ -+#ifndef GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H -+#define GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H -+ -+#include -+#include /* includes gmp.h */ -+ -+int -+_gnutls_dsa_compute_k(mpz_t k, -+ const mpz_t q, -+ const mpz_t x, -+ gnutls_mac_algorithm_t mac, -+ const uint8_t *digest, -+ size_t length); -+ -+#endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */ -diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c -new file mode 100644 -index 000000000..94914ebdf ---- /dev/null -+++ b/lib/nettle/int/ecdsa-compute-k.c -@@ -0,0 +1,95 @@ -+/* -+ * Copyright (C) 2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GNUTLS. 
-+ * -+ * The GNUTLS library is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ * -+ */ -+ -+#if HAVE_CONFIG_H -+# include "config.h" -+#endif -+ -+#include "ecdsa-compute-k.h" -+ -+#include "dsa-compute-k.h" -+#include "gnutls_int.h" -+ -+static inline int -+_gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve) -+{ -+ switch (curve) { -+#ifdef ENABLE_NON_SUITEB_CURVES -+ case GNUTLS_ECC_CURVE_SECP192R1: -+ mpz_init_set_str(*q, -+ "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836" -+ "146BC9B1B4D22831", -+ 16); -+ return 0; -+ case GNUTLS_ECC_CURVE_SECP224R1: -+ mpz_init_set_str(*q, -+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2" -+ "E0B8F03E13DD29455C5C2A3D", -+ 16); -+ return 0; -+#endif -+ case GNUTLS_ECC_CURVE_SECP256R1: -+ mpz_init_set_str(*q, -+ "FFFFFFFF00000000FFFFFFFFFFFFFFFF" -+ "BCE6FAADA7179E84F3B9CAC2FC632551", -+ 16); -+ return 0; -+ case GNUTLS_ECC_CURVE_SECP384R1: -+ mpz_init_set_str(*q, -+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" -+ "FFFFFFFFFFFFFFFFC7634D81F4372DDF" -+ "581A0DB248B0A77AECEC196ACCC52973", -+ 16); -+ return 0; -+ case GNUTLS_ECC_CURVE_SECP521R1: -+ mpz_init_set_str(*q, -+ "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" -+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" -+ "FFA51868783BF2F966B7FCC0148F709A" -+ "5D03BB5C9B8899C47AEBB6FB71E91386" -+ "409", -+ 16); -+ return 0; -+ default: -+ return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM); -+ } -+} -+ -+int -+_gnutls_ecdsa_compute_k 
(mpz_t k, -+ gnutls_ecc_curve_t curve, -+ const mpz_t x, -+ gnutls_mac_algorithm_t mac, -+ const uint8_t *digest, -+ size_t length) -+{ -+ mpz_t q; -+ int ret; -+ -+ ret = _gnutls_ecc_curve_to_dsa_q(&q, curve); -+ if (ret < 0) -+ return gnutls_assert_val(ret); -+ -+ ret = _gnutls_dsa_compute_k (k, q, x, mac, digest, length); -+ mpz_clear(q); -+ return ret; -+} -diff --git a/lib/nettle/int/ecdsa-compute-k.h b/lib/nettle/int/ecdsa-compute-k.h -new file mode 100644 -index 000000000..7ca401d6e ---- /dev/null -+++ b/lib/nettle/int/ecdsa-compute-k.h -@@ -0,0 +1,37 @@ -+/* -+ * Copyright (C) 2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * The GnuTLS is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU Lesser General Public License -+ * as published by the Free Software Foundation; either version 2.1 of -+ * the License, or (at your option) any later version. -+ * -+ * This library is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * Lesser General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. 
If not, see -+ * -+ */ -+ -+#ifndef GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H -+#define GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H -+ -+#include -+#include /* includes gmp.h */ -+ -+int -+_gnutls_ecdsa_compute_k (mpz_t k, -+ gnutls_ecc_curve_t curve, -+ const mpz_t x, -+ gnutls_mac_algorithm_t mac, -+ const uint8_t *digest, -+ size_t length); -+ -+#endif /* GNUTLS_LIB_NETTLE_INT_ECDSA_COMPUTE_K_H */ -diff --git a/lib/nettle/int/mpn-base256.c b/lib/nettle/int/mpn-base256.c -new file mode 100644 -index 000000000..88dd00bd2 ---- /dev/null -+++ b/lib/nettle/int/mpn-base256.c -@@ -0,0 +1,97 @@ -+/* gmp-glue.c -+ -+ Copyright (C) 2013 Niels Möller -+ Copyright (C) 2013 Red Hat -+ -+ This file is part of GNU Nettle. -+ -+ GNU Nettle is free software: you can redistribute it and/or -+ modify it under the terms of either: -+ -+ * the GNU Lesser General Public License as published by the Free -+ Software Foundation; either version 3 of the License, or (at your -+ option) any later version. -+ -+ or -+ -+ * the GNU General Public License as published by the Free -+ Software Foundation; either version 2 of the License, or (at your -+ option) any later version. -+ -+ or both in parallel, as here. -+ -+ GNU Nettle is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ General Public License for more details. -+ -+ You should have received copies of the GNU General Public License and -+ the GNU Lesser General Public License along with this program. If -+ not, see http://www.gnu.org/licenses/. 
-+*/ -+ -+#if HAVE_CONFIG_H -+# include "config.h" -+#endif -+ -+#include "mpn-base256.h" -+ -+void -+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, -+ const uint8_t *xp, size_t xn) -+{ -+ size_t xi; -+ mp_limb_t out; -+ unsigned bits; -+ for (xi = xn, out = bits = 0; xi > 0 && rn > 0; ) -+ { -+ mp_limb_t in = xp[--xi]; -+ out |= (in << bits) & GMP_NUMB_MASK; -+ bits += 8; -+ if (bits >= GMP_NUMB_BITS) -+ { -+ *rp++ = out; -+ rn--; -+ -+ bits -= GMP_NUMB_BITS; -+ out = in >> (8 - bits); -+ } -+ } -+ if (rn > 0) -+ { -+ *rp++ = out; -+ if (--rn > 0) -+ mpn_zero (rp, rn); -+ } -+} -+ -+void -+mpn_get_base256 (uint8_t *rp, size_t rn, -+ const mp_limb_t *xp, mp_size_t xn) -+{ -+ unsigned bits; -+ mp_limb_t in; -+ for (bits = in = 0; xn > 0 && rn > 0; ) -+ { -+ if (bits >= 8) -+ { -+ rp[--rn] = in; -+ in >>= 8; -+ bits -= 8; -+ } -+ else -+ { -+ uint8_t old = in; -+ in = *xp++; -+ xn--; -+ rp[--rn] = old | (in << bits); -+ in >>= (8 - bits); -+ bits += GMP_NUMB_BITS - 8; -+ } -+ } -+ while (rn > 0) -+ { -+ rp[--rn] = in; -+ in >>= 8; -+ } -+} -diff --git a/lib/nettle/int/mpn-base256.h b/lib/nettle/int/mpn-base256.h -new file mode 100644 -index 000000000..b5ca4af03 ---- /dev/null -+++ b/lib/nettle/int/mpn-base256.h -@@ -0,0 +1,48 @@ -+/* gmp-glue.h -+ -+ Copyright (C) 2013 Niels Möller -+ Copyright (C) 2013 Red Hat -+ -+ This file is part of GNU Nettle. -+ -+ GNU Nettle is free software: you can redistribute it and/or -+ modify it under the terms of either: -+ -+ * the GNU Lesser General Public License as published by the Free -+ Software Foundation; either version 3 of the License, or (at your -+ option) any later version. -+ -+ or -+ -+ * the GNU General Public License as published by the Free -+ Software Foundation; either version 2 of the License, or (at your -+ option) any later version. -+ -+ or both in parallel, as here. 
-+ -+ GNU Nettle is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ General Public License for more details. -+ -+ You should have received copies of the GNU General Public License and -+ the GNU Lesser General Public License along with this program. If -+ not, see http://www.gnu.org/licenses/. -+*/ -+ -+#ifndef NETTLE_GMP_GLUE_H_INCLUDED -+#define NETTLE_GMP_GLUE_H_INCLUDED -+ -+#include -+ -+/* Like mpn_set_str, but always writes rn limbs. If input is larger, -+ higher bits are ignored. */ -+void -+mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, -+ const uint8_t *xp, size_t xn); -+ -+void -+mpn_get_base256 (uint8_t *rp, size_t rn, -+ const mp_limb_t *xp, mp_size_t xn); -+ -+#endif /* NETTLE_GMP_GLUE_H_INCLUDED */ --- -2.21.0 - - -From f42d96451a654ccc3523b0a0086e18f19ba3fecc Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 29 Jul 2019 15:10:51 +0200 -Subject: [PATCH 2/6] privkey_sign_raw_data: remove unnecessary local variable - -Signed-off-by: Daiki Ueno ---- - lib/privkey.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/lib/privkey.c b/lib/privkey.c -index 8e353c5e5..2fee8777a 100644 ---- a/lib/privkey.c -+++ b/lib/privkey.c -@@ -1492,8 +1492,6 @@ privkey_sign_raw_data(gnutls_privkey_t key, - 0, - data, signature); - } else if (key->key.ext.sign_hash_func) { -- unsigned int flags = 0; -- - if (se->pk == GNUTLS_PK_RSA) { - se = _gnutls_sign_to_entry(GNUTLS_SIGN_RSA_RAW); - assert(se != NULL); -@@ -1502,7 +1500,7 @@ privkey_sign_raw_data(gnutls_privkey_t key, - /* se may not be set here if we are doing legacy RSA */ - return key->key.ext.sign_hash_func(key, se->id, - key->key.ext.userdata, -- flags, -+ 0, - data, signature); - } else { - if (!PK_IS_OK_FOR_EXT2(se->pk)) --- -2.21.0 - - -From 3dd0df9e1a499c7b31bf7b4a315e797d2195c1ba Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 7 Aug 2019 
14:37:00 +0200 -Subject: [PATCH 3/6] privkey_sign_prehashed: remove unused argument - -Signed-off-by: Daiki Ueno ---- - lib/privkey.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/lib/privkey.c b/lib/privkey.c -index 2fee8777a..8683b4e20 100644 ---- a/lib/privkey.c -+++ b/lib/privkey.c -@@ -43,7 +43,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer, - const gnutls_sign_entry_st *se, - const gnutls_datum_t * hash_data, - gnutls_datum_t * signature, -- gnutls_x509_spki_st * params, unsigned flags); -+ gnutls_x509_spki_st * params); - - /** - * gnutls_privkey_get_type: -@@ -1253,7 +1253,7 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer, - return ret; - } - -- return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms, flags); -+ return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); - } - - int -@@ -1377,7 +1377,7 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - - return privkey_sign_prehashed(signer, se, -- hash_data, signature, ¶ms, flags); -+ hash_data, signature, ¶ms); - } - - static int -@@ -1385,8 +1385,7 @@ privkey_sign_prehashed(gnutls_privkey_t signer, - const gnutls_sign_entry_st *se, - const gnutls_datum_t * hash_data, - gnutls_datum_t * signature, -- gnutls_x509_spki_st * params, -- unsigned flags) -+ gnutls_x509_spki_st * params) - { - int ret; - gnutls_datum_t digest; --- -2.21.0 - - -From 8eb3a29336ea11f6b417ce7e25d53513509bdd87 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 29 Jul 2019 14:01:11 +0200 -Subject: [PATCH 4/6] pk: implement deterministic ECDSA/DSA - -This exposes the deterministic ECDSA/DSA functionality through the -GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag. 
- -Signed-off-by: Daiki Ueno ---- - .gitignore | 1 + - NEWS | 7 ++ - lib/crypto-backend.h | 16 ++- - lib/includes/gnutls/abstract.h | 5 +- - lib/nettle/pk.c | 54 +++++++- - lib/privkey.c | 8 ++ - lib/x509/crq.c | 2 + - lib/x509/pkcs7.c | 2 + - lib/x509/sign.c | 2 + - tests/Makefile.am | 2 +- - tests/sign-verify-deterministic.c | 196 ++++++++++++++++++++++++++++++ - 11 files changed, 290 insertions(+), 5 deletions(-) - create mode 100644 tests/sign-verify-deterministic.c - -diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h -index 43124abaf..33eca6031 100644 ---- a/lib/crypto-backend.h -+++ b/lib/crypto-backend.h -@@ -187,6 +187,13 @@ typedef struct gnutls_x509_spki_st { - /* if non-zero, the legacy value for PKCS#7 signatures will be - * written for RSA signatures. */ - unsigned int legacy; -+ -+ /* the digest used by ECDSA/DSA */ -+ gnutls_digest_algorithm_t dsa_dig; -+ -+ /* flags may include GNUTLS_PK_FLAG_REPRODUCIBLE for -+ * deterministic ECDSA/DSA */ -+ unsigned int flags; - } gnutls_x509_spki_st; - - #define GNUTLS_MAX_PK_PARAMS 16 -@@ -219,9 +226,16 @@ typedef struct { - */ - typedef enum { - GNUTLS_PK_FLAG_NONE = 0, -- GNUTLS_PK_FLAG_PROVABLE = 1 -+ GNUTLS_PK_FLAG_PROVABLE = 1, -+ GNUTLS_PK_FLAG_REPRODUCIBLE = 2 - } gnutls_pk_flag_t; - -+#define FIX_SIGN_PARAMS(params, flags, dig) do { \ -+ if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \ -+ (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \ -+ (params).dsa_dig = (dig); \ -+ } \ -+} while (0) - - void gnutls_pk_params_release(gnutls_pk_params_st * p); - void gnutls_pk_params_clear(gnutls_pk_params_st * p); -diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h -index d4b7da68b..d8805681a 100644 ---- a/lib/includes/gnutls/abstract.h -+++ b/lib/includes/gnutls/abstract.h -@@ -371,7 +371,10 @@ int gnutls_privkey_status(gnutls_privkey_t key); - * gnutls_privkey_flags: - * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol. 
- * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding. -- * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make an RSA-PSS signature on the hashed data with reproducible parameters (zero salt). -+ * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters. -+ * For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic -+ * construction of random parameter according to RFC 6979. Note that -+ * this only supports the NIST curves and DSA subgroup bits up to 512. - * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically - * release it when the structure it was imported is released. - * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import. -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 08117c2d8..ebd6481cf 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -54,6 +54,8 @@ - #include "gost/gostdsa.h" - #include "gost/ecc-gost-curve.h" - #endif -+#include "int/ecdsa-compute-k.h" -+#include "int/dsa-compute-k.h" - #include - #include - -@@ -86,6 +88,12 @@ static void rnd_nonce_func(void *_ctx, size_t length, uint8_t * data) - } - } - -+static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data) -+{ -+ mpz_t *k = _ctx; -+ nettle_mpz_get_str_256 (length, data, *k); -+} -+ - static void - ecc_scalar_zclear (struct ecc_scalar *s) - { -@@ -782,6 +790,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - struct dsa_signature sig; - int curve_id = pk_params->curve; - const struct ecc_curve *curve; -+ mpz_t k; -+ void *random_ctx; -+ nettle_random_func *random_func; - - curve = get_supported_nist_curve(curve_id); - if (curve == NULL) -@@ -808,7 +819,23 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - hash_len = vdata->size; - } - -- ecdsa_sign(&priv, NULL, rnd_nonce_func, hash_len, -+ mpz_init(k); -+ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { -+ ret = _gnutls_ecdsa_compute_k(k, 
-+ curve_id, -+ pk_params->params[ECC_K], -+ sign_params->dsa_dig, -+ vdata->data, -+ vdata->size); -+ if (ret < 0) -+ goto ecdsa_cleanup; -+ random_ctx = &k; -+ random_func = rnd_mpz_func; -+ } else { -+ random_ctx = NULL; -+ random_func = rnd_nonce_func; -+ } -+ ecdsa_sign(&priv, random_ctx, random_func, hash_len, - vdata->data, &sig); - - /* prevent memory leaks */ -@@ -824,6 +851,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - ecdsa_cleanup: - dsa_signature_clear(&sig); - ecc_scalar_zclear(&priv); -+ mpz_clear(k); - - if (ret < 0) { - gnutls_assert(); -@@ -836,6 +864,9 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - struct dsa_params pub; - bigint_t priv; - struct dsa_signature sig; -+ mpz_t k; -+ void *random_ctx; -+ nettle_random_func *random_func; - - memset(&priv, 0, sizeof(priv)); - memset(&pub, 0, sizeof(pub)); -@@ -856,8 +887,26 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - hash_len = vdata->size; - } - -+ mpz_init(k); -+ if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { -+ ret = _gnutls_dsa_compute_k(k, -+ pub.q, -+ TOMPZ(priv), -+ sign_params->dsa_dig, -+ vdata->data, -+ vdata->size); -+ if (ret < 0) -+ goto dsa_fail; -+ /* cancel-out dsa_sign's addition of 1 to random data */ -+ mpz_sub_ui (k, k, 1); -+ random_ctx = &k; -+ random_func = rnd_mpz_func; -+ } else { -+ random_ctx = NULL; -+ random_func = rnd_nonce_func; -+ } - ret = -- dsa_sign(&pub, TOMPZ(priv), NULL, rnd_nonce_func, -+ dsa_sign(&pub, TOMPZ(priv), random_ctx, random_func, - hash_len, vdata->data, &sig); - if (ret == 0 || HAVE_LIB_ERROR()) { - gnutls_assert(); -@@ -871,6 +920,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - - dsa_fail: - dsa_signature_clear(&sig); -+ mpz_clear(k); - - if (ret < 0) { - gnutls_assert(); -diff --git a/lib/privkey.c b/lib/privkey.c -index 8683b4e20..4ef07c8b0 100644 ---- a/lib/privkey.c -+++ b/lib/privkey.c -@@ -1134,6 +1134,8 @@ gnutls_privkey_sign_data(gnutls_privkey_t signer, - return ret; - } - -+ FIX_SIGN_PARAMS(params, 
flags, hash); -+ - return privkey_sign_and_hash_data(signer, _gnutls_pk_to_sign_entry(params.pk, hash), data, signature, ¶ms); - } - -@@ -1186,6 +1188,8 @@ gnutls_privkey_sign_data2(gnutls_privkey_t signer, - return ret; - } - -+ FIX_SIGN_PARAMS(params, flags, se->hash); -+ - return privkey_sign_and_hash_data(signer, se, data, signature, ¶ms); - } - -@@ -1253,6 +1257,8 @@ gnutls_privkey_sign_hash2(gnutls_privkey_t signer, - return ret; - } - -+ FIX_SIGN_PARAMS(params, flags, se->hash); -+ - return privkey_sign_prehashed(signer, se, hash_data, signature, ¶ms); - } - -@@ -1376,6 +1382,8 @@ gnutls_privkey_sign_hash(gnutls_privkey_t signer, - if (unlikely(se == NULL)) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - -+ FIX_SIGN_PARAMS(params, flags, hash_algo); -+ - return privkey_sign_prehashed(signer, se, - hash_data, signature, ¶ms); - } -diff --git a/lib/x509/crq.c b/lib/x509/crq.c -index c8899f81a..4ca67535d 100644 ---- a/lib/x509/crq.c -+++ b/lib/x509/crq.c -@@ -2642,6 +2642,8 @@ gnutls_x509_crq_privkey_sign(gnutls_x509_crq_t crq, gnutls_privkey_t key, - if (se == NULL) - return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); - -+ FIX_SIGN_PARAMS(params, flags, dig); -+ - result = privkey_sign_and_hash_data(key, se, - &tbs, &signature, ¶ms); - gnutls_free(tbs.data); -diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c -index 21fff7b07..98669e887 100644 ---- a/lib/x509/pkcs7.c -+++ b/lib/x509/pkcs7.c -@@ -2532,6 +2532,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7, - goto cleanup; - } - -+ FIX_SIGN_PARAMS(params, flags, dig); -+ - ret = privkey_sign_and_hash_data(signer_key, se, - &sigdata, &signature, ¶ms); - if (ret < 0) { -diff --git a/lib/x509/sign.c b/lib/x509/sign.c -index 8f7a96f21..461524f5b 100644 ---- a/lib/x509/sign.c -+++ b/lib/x509/sign.c -@@ -175,6 +175,8 @@ _gnutls_x509_pkix_sign(ASN1_TYPE src, const char *src_name, - return result; - } - -+ FIX_SIGN_PARAMS(params, flags, dig); -+ - if (_gnutls_pk_is_not_prehashed(params.pk)) { - result = 
privkey_sign_raw_data(issuer_key, se, &tbs, &signature, ¶ms); - } else { -diff --git a/tests/Makefile.am b/tests/Makefile.am -index 7970ad6b3..a8c2d152e 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -211,7 +211,8 @@ ctests += mini-record-2 simple gnutls_hm - tls13-server-kx-neg gnutls_ext_raw_parse_dtls key-export-pkcs8 \ - null_retrieve_function tls-record-size-limit tls-crt_type-neg \ - resume-with-stek-expiration resume-with-previous-stek rawpk-api \ -- tls-record-size-limit-asym dh-compute ecdh-compute -+ tls-record-size-limit-asym dh-compute ecdh-compute \ -+ sign-verify-deterministic - - if HAVE_SECCOMP_TESTS - ctests += dtls-with-seccomp tls-with-seccomp dtls-client-with-seccomp tls-client-with-seccomp -diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c -new file mode 100644 -index 000000000..fe4873fc8 ---- /dev/null -+++ b/tests/sign-verify-deterministic.c -@@ -0,0 +1,196 @@ -+/* -+ * Copyright (C) 2017-2019 Red Hat, Inc. -+ * -+ * Author: Nikos Mavrogiannopoulos, Daiki Ueno -+ * -+ * This file is part of GnuTLS. -+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with GnuTLS; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#ifndef _WIN32 -+# include -+# include -+# include -+#endif -+#include -+#include -+#include -+#include -+#include "utils.h" -+ -+/* verifies whether the sign-data and verify-data APIs -+ * operate as expected with deterministic ECDSA/DSA (RFC 6979) */ -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "<%d> %s", level, str); -+} -+ -+struct _key_tests_st { -+ const char *name; -+ gnutls_datum_t key; -+ gnutls_datum_t msg; -+ gnutls_datum_t sig; -+ gnutls_pk_algorithm_t pk; -+ gnutls_digest_algorithm_t digest; -+ gnutls_sign_algorithm_t sigalgo; -+ unsigned int sign_flags; -+}; -+ -+/* Test vectors from RFC 6979 */ -+static const char dsa_privkey_rfc6979[] = -+ "-----BEGIN DSA PRIVATE KEY-----\n" -+ "MIIBugIBAAKBgQCG9coD3P6yJQY/+DCgx2m53Z1hU62R184n94fEMni0R+ZTO4ax\n" -+ "i+1uiki3hKFMJSxb4Nv2C4bWOFvS8S+3Y+2Ic6v9P1ui4KjApZCC6sBWk15Sna98\n" -+ "YQRniZx3re38hGyIGHC3sZsrWPm+BSGhcALjvda4ZoXukLPZobAreCsXeQIVAJlv\n" -+ "ln9sjjiNnijQHiBfupV6VpixAoGAB7D5JUYVC2JRS7dx4qDAzjh/A72mxWtQUgn/\n" -+ "Jf08Ez2Ju82X6QTgkRTZp9796t/JB46lRNLkAa7sxAu5+794/YeZWhChwny3eJtZ\n" -+ "S6fvtcQyap/lmgcOE223cXVGStykF75dzi9A0QpGo6OUPyarf9nAOY/4x27gpWgm\n" -+ "qKiPHb0CgYBd9eAd7THQKX4nThaRwZL+WGj++eGahHdkVLEAzxb2U5IZWji5BSPi\n" -+ "VC7mGHHARAy4fDIvxLTS7F4efsdm4b6NTOk1Q33BHDyP1CYziTPr/nOcs0ZfTTZo\n" -+ "xeRzUIJTseaC9ly9xPrpPC6iEjkOVJBahuIiMXC0Tqp9pd2f/Pt/OwIUQRYCyxmm\n" -+ "zMNElNedmO8eftWvJfc=\n" -+ "-----END DSA PRIVATE KEY-----\n"; -+ -+static const char ecdsa_secp256r1_privkey_rfc6979[] = -+ "-----BEGIN EC PRIVATE KEY-----\n" -+ "MHgCAQEEIQDJr6nYRbp1FmtcIVdnsdaTTlDD2zbomxJ7imIrEg9nIaAKBggqhkjO\n" -+ 
"PQMBB6FEA0IABGD+1LolWp0xyWHrdMY1bWjASbiSO2H6bOZpYi5g8p+2eQP+EAi4\n" -+ "vJmkGunpVii8ZPLxsgwtfp9Rd6PClNRGIpk=\n" -+ "-----END EC PRIVATE KEY-----\n"; -+ -+static const char sample[] = "sample"; -+ -+static const -+struct _key_tests_st tests[] = { -+ { -+ .name = "dsa key", -+ .key = {(void *) dsa_privkey_rfc6979, sizeof(dsa_privkey_rfc6979)-1}, -+ .msg = {(void *) sample, sizeof(sample)-1}, -+ .sig = {(void *) "\x30\x2d\x02\x15\x00\x81\xf2\xf5\x85\x0b\xe5\xbc\x12\x3c\x43\xf7\x1a\x30\x33\xe9\x38\x46\x11\xc5\x45\x02\x14\x4c\xdd\x91\x4b\x65\xeb\x6c\x66\xa8\xaa\xad\x27\x29\x9b\xee\x6b\x03\x5f\x5e\x89", 47}, -+ .pk = GNUTLS_PK_DSA, -+ .digest = GNUTLS_DIG_SHA256, -+ .sigalgo = GNUTLS_SIGN_DSA_SHA256, -+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE -+ }, -+ { -+ .name = "ecdsa key", -+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, -+ .msg = {(void *) sample, sizeof(sample)-1}, -+ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72}, -+ .pk = GNUTLS_PK_ECDSA, -+ .digest = GNUTLS_DIG_SHA256, -+ .sigalgo = GNUTLS_SIGN_ECDSA_SECP256R1_SHA256, -+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE -+ }, -+ { -+ .name = "ecdsa key", -+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, -+ .msg = {(void *) sample, sizeof(sample)-1}, -+ .sig = {(void *) "\x30\x46\x02\x21\x00\xef\xd4\x8b\x2a\xac\xb6\xa8\xfd\x11\x40\xdd\x9c\xd4\x5e\x81\xd6\x9d\x2c\x87\x7b\x56\xaa\xf9\x91\xc3\x4d\x0e\xa8\x4e\xaf\x37\x16\x02\x21\x00\xf7\xcb\x1c\x94\x2d\x65\x7c\x41\xd4\x36\xc7\xa1\xb6\xe2\x9f\x65\xf3\xe9\x00\xdb\xb9\xaf\xf4\x06\x4d\xc4\xab\x2f\x84\x3a\xcd\xa8", 72}, -+ .pk = GNUTLS_PK_ECDSA, -+ .digest = GNUTLS_DIG_SHA256, -+ .sigalgo = 
GNUTLS_SIGN_ECDSA_SHA256, -+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE -+ }, -+ { -+ .name = "ecdsa key (q bits < h bits)", -+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, -+ .msg = {(void *) sample, sizeof(sample)-1}, -+ .sig = {(void *) "\x30\x44\x02\x20\x0e\xaf\xea\x03\x9b\x20\xe9\xb4\x23\x09\xfb\x1d\x89\xe2\x13\x05\x7c\xbf\x97\x3d\xc0\xcf\xc8\xf1\x29\xed\xdd\xc8\x00\xef\x77\x19\x02\x20\x48\x61\xf0\x49\x1e\x69\x98\xb9\x45\x51\x93\xe3\x4e\x7b\x0d\x28\x4d\xdd\x71\x49\xa7\x4b\x95\xb9\x26\x1f\x13\xab\xde\x94\x09\x54", 70}, -+ .pk = GNUTLS_PK_ECDSA, -+ .digest = GNUTLS_DIG_SHA384, -+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA384, -+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE -+ }, -+ { -+ .name = "ecdsa key (q bits > h bits)", -+ .key = {(void *) ecdsa_secp256r1_privkey_rfc6979, sizeof(ecdsa_secp256r1_privkey_rfc6979)-1}, -+ .msg = {(void *) sample, sizeof(sample)-1}, -+ .sig = {(void *) "\x30\x45\x02\x20\x53\xb2\xff\xf5\xd1\x75\x2b\x2c\x68\x9d\xf2\x57\xc0\x4c\x40\xa5\x87\xfa\xba\xbb\x3f\x6f\xc2\x70\x2f\x13\x43\xaf\x7c\xa9\xaa\x3f\x02\x21\x00\xb9\xaf\xb6\x4f\xdc\x03\xdc\x1a\x13\x1c\x7d\x23\x86\xd1\x1e\x34\x9f\x07\x0a\xa4\x32\xa4\xac\xc9\x18\xbe\xa9\x88\xbf\x75\xc7\x4c", 71}, -+ .pk = GNUTLS_PK_ECDSA, -+ .digest = GNUTLS_DIG_SHA224, -+ .sigalgo = GNUTLS_SIGN_ECDSA_SHA224, -+ .sign_flags = GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE -+ } -+}; -+ -+#define testfail(fmt, ...) 
\ -+ fail("%s: "fmt, tests[i].name, ##__VA_ARGS__) -+ -+void doit(void) -+{ -+ gnutls_pubkey_t pubkey; -+ gnutls_privkey_t privkey; -+ gnutls_datum_t signature; -+ int ret; -+ size_t i; -+ -+ global_init(); -+ -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(6); -+ -+ for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { -+ success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo)); -+ -+ ret = gnutls_privkey_init(&privkey); -+ if (ret < 0) -+ testfail("gnutls_privkey_init\n"); -+ -+ ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0); -+ if (ret < 0) -+ testfail("gnutls_privkey_import_x509_raw\n"); -+ -+ ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, -+ &tests[i].msg, &signature); -+ if (ret < 0) -+ testfail("gnutls_privkey_sign_data\n"); -+ -+ if (signature.size != tests[i].sig.size || -+ memcmp(signature.data, tests[i].sig.data, signature.size) != 0) -+ testfail("signature does not match"); -+ -+ ret = gnutls_pubkey_init(&pubkey); -+ if (ret < 0) -+ testfail("gnutls_pubkey_init\n"); -+ -+ ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0); -+ if (ret < 0) -+ testfail("gnutls_pubkey_import_privkey\n"); -+ -+ ret = -+ gnutls_pubkey_verify_data2(pubkey, tests[i].sigalgo, 0, &tests[i].msg, -+ &signature); -+ if (ret < 0) -+ testfail("gnutls_pubkey_verify_data2\n"); -+ -+ gnutls_free(signature.data); -+ gnutls_privkey_deinit(privkey); -+ gnutls_pubkey_deinit(pubkey); -+ } -+ -+ gnutls_global_deinit(); -+} --- -2.21.0 - - -From 1adee9e136176a8fe26bae036ebb275fe4c26f64 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Mon, 5 Aug 2019 15:21:55 +0200 -Subject: [PATCH 5/6] nettle: enable deterministic ECDSA/DSA during FIPS - selftests - -Signed-off-by: Daiki Ueno ---- - lib/nettle/pk.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 
ebd6481cf..1f8e7f931 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -820,7 +820,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - } - - mpz_init(k); -- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST || -+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) { - ret = _gnutls_ecdsa_compute_k(k, - curve_id, - pk_params->params[ECC_K], -@@ -888,7 +889,8 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - } - - mpz_init(k); -- if (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE) { -+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST || -+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) { - ret = _gnutls_dsa_compute_k(k, - pub.q, - TOMPZ(priv), --- -2.21.0 - - -From 3beaa23ef5852e2d8aaa610aac9cde9b46be4f77 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 7 Aug 2019 15:55:44 +0200 -Subject: [PATCH 6/6] nettle: prohibit deterministic ECDSA/DSA under FIPS - except selftests - -Signed-off-by: Daiki Ueno ---- - lib/nettle/pk.c | 8 ++++++++ - tests/sign-verify-deterministic.c | 27 ++++++++++++++++++++------- - 2 files changed, 28 insertions(+), 7 deletions(-) - -diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c -index 1f8e7f931..b2d27cf74 100644 ---- a/lib/nettle/pk.c -+++ b/lib/nettle/pk.c -@@ -703,6 +703,14 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo, - return gnutls_assert_val(GNUTLS_E_ECC_UNSUPPORTED_CURVE); - } - -+ /* deterministic ECDSA/DSA is prohibited under FIPS except in -+ * the selftests */ -+ if (_gnutls_fips_mode_enabled() && -+ _gnutls_get_lib_state() != LIB_STATE_SELFTEST && -+ (algo == GNUTLS_PK_DSA || algo == GNUTLS_PK_ECDSA) && -+ (sign_params->flags & GNUTLS_PK_FLAG_REPRODUCIBLE)) -+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); -+ - switch (algo) { - case GNUTLS_PK_EDDSA_ED25519: /* we do EdDSA */ - { -diff --git a/tests/sign-verify-deterministic.c b/tests/sign-verify-deterministic.c -index fe4873fc8..6e907288e 100644 ---- 
a/tests/sign-verify-deterministic.c -+++ b/tests/sign-verify-deterministic.c -@@ -154,29 +154,40 @@ void doit(void) - gnutls_global_set_log_level(6); - - for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { -- success("testing: %s - %s\n", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo)); -+ success("testing: %s - %s", tests[i].name, gnutls_sign_algorithm_get_name(tests[i].sigalgo)); -+ -+ ret = gnutls_pubkey_init(&pubkey); -+ if (ret < 0) -+ testfail("gnutls_pubkey_init\n"); - - ret = gnutls_privkey_init(&privkey); - if (ret < 0) - testfail("gnutls_privkey_init\n"); - -+ signature.data = NULL; -+ signature.size = 0; -+ - ret = gnutls_privkey_import_x509_raw(privkey, &tests[i].key, GNUTLS_X509_FMT_PEM, NULL, 0); - if (ret < 0) - testfail("gnutls_privkey_import_x509_raw\n"); - - ret = gnutls_privkey_sign_data(privkey, tests[i].digest, tests[i].sign_flags, - &tests[i].msg, &signature); -- if (ret < 0) -- testfail("gnutls_privkey_sign_data\n"); -+ if (gnutls_fips140_mode_enabled()) { -+ /* deterministic ECDSA/DSA is prohibited under FIPS */ -+ if (ret != GNUTLS_E_INVALID_REQUEST) -+ testfail("gnutls_privkey_sign_data unexpectedly succeeds\n"); -+ success(" - skipping\n"); -+ goto next; -+ } else { -+ if (ret < 0) -+ testfail("gnutls_privkey_sign_data\n"); -+ } - - if (signature.size != tests[i].sig.size || - memcmp(signature.data, tests[i].sig.data, signature.size) != 0) - testfail("signature does not match"); - -- ret = gnutls_pubkey_init(&pubkey); -- if (ret < 0) -- testfail("gnutls_pubkey_init\n"); -- - ret = gnutls_pubkey_import_privkey(pubkey, privkey, 0, 0); - if (ret < 0) - testfail("gnutls_pubkey_import_privkey\n"); -@@ -186,7 +197,9 @@ void doit(void) - &signature); - if (ret < 0) - testfail("gnutls_pubkey_verify_data2\n"); -+ success(" - pass"); - -+ next: - gnutls_free(signature.data); - gnutls_privkey_deinit(privkey); - gnutls_pubkey_deinit(pubkey); --- -2.21.0 - -From 6cb58f18280bedfec9d7c8ac411574b868b3d758 Mon Sep 17 00:00:00 2001 
-From: Daiki Ueno
-Date: Fri, 16 Aug 2019 14:59:03 +0200
-Subject: [PATCH] crypto-backend: always set sign_params.dsa_sig when ECDSA/DSA
-
-In FIPS selftests we create deterministic signature and the
-information about the digest algorithm is necessary.
-
-Signed-off-by: Daiki Ueno
----
- lib/crypto-backend.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/lib/crypto-backend.h b/lib/crypto-backend.h
-index 33eca6031..664ba4377 100644
---- a/lib/crypto-backend.h
-+++ b/lib/crypto-backend.h
-@@ -233,6 +233,9 @@ typedef enum {
- #define FIX_SIGN_PARAMS(params, flags, dig) do { \
- if ((flags) & GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE) { \
- (params).flags |= GNUTLS_PK_FLAG_REPRODUCIBLE; \
-+ } \
-+ if ((params).pk == GNUTLS_PK_DSA || \
-+ (params).pk == GNUTLS_PK_ECDSA) { \
- (params).dsa_dig = (dig); \
- } \
- } while (0)
--- 
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch b/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch
deleted file mode 100644
index 6a88e65..0000000
--- a/SOURCES/gnutls-3.6.8-fips-rng-continuous.patch
+++ /dev/null
@@ -1,203 +0,0 @@
-From c7a419e7868fd9342c1799a04d21c2ff6292c405 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Fri, 21 Jun 2019 15:49:26 +0200
-Subject: [PATCH] nettle/rnd-fips: add FIPS 140-2 continuous RNG test
-
-This adds a continuous random number generator test as defined in FIPS
-140-2 4.9.2, by iteratively fetching fixed sized block from the system
-and comparing consecutive blocks.
-
-Signed-off-by: Daiki Ueno
----
- lib/nettle/rnd-fips.c | 102 +++++++++++++++++++++++++++++++++---------
- 1 file changed, 81 insertions(+), 21 deletions(-)
-
-diff --git a/lib/nettle/rnd-fips.c b/lib/nettle/rnd-fips.c
-index ee68cf68d..ccb92d25a 100644
---- a/lib/nettle/rnd-fips.c
-+++ b/lib/nettle/rnd-fips.c
-@@ -27,12 +27,13 @@
- 
- #include "gnutls_int.h"
- #include "errors.h"
--#include
--#include
--#include
-+#include
- #include
- #include
- 
-+/* The block size is chosen arbitrarily */
-+#define ENTROPY_BLOCK_SIZE SHA256_DIGEST_SIZE
-+
- /* This provides a random generator for gnutls. It uses
- * two instances of the DRBG-AES-CTR generator, one for
- * nonce level and another for the other levels of randomness.
-@@ -41,11 +42,13 @@ struct fips_ctx {
- struct drbg_aes_ctx nonce_context;
- struct drbg_aes_ctx normal_context;
- unsigned int forkid;
-+ uint8_t entropy_hash[SHA256_DIGEST_SIZE];
- };
- 
- static int _rngfips_ctx_reinit(struct fips_ctx *fctx);
- static int _rngfips_ctx_init(struct fips_ctx *fctx);
--static int drbg_reseed(struct drbg_aes_ctx *ctx);
-+static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx);
-+static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length);
- 
- static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
- void *buffer, size_t length)
-@@ -59,7 +62,7 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
- }
- 
- if (ctx->reseed_counter > DRBG_AES_RESEED_TIME) {
-- ret = drbg_reseed(ctx);
-+ ret = drbg_reseed(fctx, ctx);
- if (ret < 0)
- return gnutls_assert_val(ret);
- }
-@@ -71,54 +74,111 @@ static int get_random(struct drbg_aes_ctx *ctx, struct fips_ctx *fctx,
- return 0;
- }
- 
-+static int get_entropy(struct fips_ctx *fctx, uint8_t *buffer, size_t length)
-+{
-+ int ret;
-+ uint8_t block[ENTROPY_BLOCK_SIZE];
-+ uint8_t hash[SHA256_DIGEST_SIZE];
-+ struct sha256_ctx ctx;
-+ size_t total = 0;
-+
-+ /* For FIPS 140-2 4.9.2 continuous random number generator
-+ * test, iteratively fetch fixed sized block from the system
-+ * RNG and compare consecutive blocks.
-+ *
-+ * Note that we store the hash of the entropy block rather
-+ * than the block itself for backward secrecy.
-+ */
-+ while (total < length) {
-+ ret = _rnd_get_system_entropy(block, ENTROPY_BLOCK_SIZE);
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+
-+ sha256_init(&ctx);
-+ sha256_update(&ctx, sizeof(block), block);
-+ sha256_digest(&ctx, sizeof(hash), hash);
-+
-+ if (memcmp(hash, fctx->entropy_hash, sizeof(hash)) == 0) {
-+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
-+ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
-+ }
-+ memcpy(fctx->entropy_hash, hash, sizeof(hash));
-+
-+ memcpy(buffer, block, MIN(length - total, sizeof(block)));
-+ total += sizeof(block);
-+ buffer += sizeof(block);
-+ }
-+ zeroize_key(block, sizeof(block));
-+
-+ return 0;
-+}
-+
- #define PSTRING "gnutls-rng"
- #define PSTRING_SIZE (sizeof(PSTRING)-1)
--static int drbg_init(struct drbg_aes_ctx *ctx)
-+static int drbg_init(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx)
- {
- uint8_t buffer[DRBG_AES_SEED_SIZE];
- int ret;
- 
-- /* Get a key from the standard RNG or from the entropy source. */
-- ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
-+ ret = get_entropy(fctx, buffer, sizeof(buffer));
- if (ret < 0)
- return gnutls_assert_val(ret);
- 
-- ret = drbg_aes_init(ctx, sizeof(buffer), buffer, PSTRING_SIZE, (void*)PSTRING);
-+ ret = drbg_aes_init(ctx, sizeof(buffer), buffer,
-+ PSTRING_SIZE, (void*)PSTRING);
-+ zeroize_key(buffer, sizeof(buffer));
- if (ret == 0)
- return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
- 
-- zeroize_key(buffer, sizeof(buffer));
--
-- return 0;
-+ return GNUTLS_E_SUCCESS;
- }
- 
- /* Reseed a generator. */
--static int drbg_reseed(struct drbg_aes_ctx *ctx)
-+static int drbg_reseed(struct fips_ctx *fctx, struct drbg_aes_ctx *ctx)
- {
- uint8_t buffer[DRBG_AES_SEED_SIZE];
- int ret;
- 
-- /* The other two generators are seeded from /dev/random. */
-- ret = _rnd_get_system_entropy(buffer, sizeof(buffer));
-+ ret = get_entropy(fctx, buffer, sizeof(buffer));
- if (ret < 0)
- return gnutls_assert_val(ret);
- 
-- drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL);
-+ ret = drbg_aes_reseed(ctx, sizeof(buffer), buffer, 0, NULL);
-+ zeroize_key(buffer, sizeof(buffer));
-+ if (ret == 0)
-+ return gnutls_assert_val(GNUTLS_E_RANDOM_FAILED);
- 
-- return 0;
-+ return GNUTLS_E_SUCCESS;
- }
- 
- static int _rngfips_ctx_init(struct fips_ctx *fctx)
- {
-+ uint8_t block[ENTROPY_BLOCK_SIZE];
-+ struct sha256_ctx ctx;
- int ret;
- 
-+ /* For FIPS 140-2 4.9.2 continuous random number generator
-+ * test, get the initial entropy from the system RNG and keep
-+ * it for comparison.
-+ *
-+ * Note that we store the hash of the entropy block rather
-+ * than the block itself for backward secrecy.
-+ */
-+ ret = _rnd_get_system_entropy(block, sizeof(block));
-+ if (ret < 0)
-+ return gnutls_assert_val(ret);
-+ sha256_init(&ctx);
-+ sha256_update(&ctx, sizeof(block), block);
-+ zeroize_key(block, sizeof(block));
-+ sha256_digest(&ctx, sizeof(fctx->entropy_hash), fctx->entropy_hash);
-+
- /* normal */
-- ret = drbg_init(&fctx->normal_context);
-+ ret = drbg_init(fctx, &fctx->normal_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
- 
- /* nonce */
-- ret = drbg_init(&fctx->nonce_context);
-+ ret = drbg_init(fctx, &fctx->nonce_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
- 
-@@ -132,12 +192,12 @@ static int _rngfips_ctx_reinit(struct fips_ctx *fctx)
- int ret;
- 
- /* normal */
-- ret = drbg_reseed(&fctx->normal_context);
-+ ret = drbg_reseed(fctx, &fctx->normal_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
- 
- /* nonce */
-- ret = drbg_reseed(&fctx->nonce_context);
-+ ret = drbg_reseed(fctx, &fctx->nonce_context);
- if (ret < 0)
- return gnutls_assert_val(ret);
- 
--- 
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch b/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch
deleted file mode 100644
index 93fdfe3..0000000
--- a/SOURCES/gnutls-3.6.8-fips-rsa-random-selftests.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From fbb6dd2a65c6fc7a2e9bd82fe66fde54f6cf2952 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Fri, 16 Aug 2019 17:01:05 +0200
-Subject: [PATCH] nettle: disable RSA blinding in FIPS selftests
-
-Nettle's RSA signing, encryption and decryption functions still
-require randomness for blinding, so fallback to use a fixed buffer in
-selftests where entropy might not be available.
-
-Signed-off-by: Daiki Ueno
----
- lib/nettle/pk.c | 37 +++++++++++++++++++++++++++++----
- 1 file changed, 33 insertions(+), 4 deletions(-)
-
-diff --git a/lib/nettle/pk.c b/lib/nettle/pk.c
-index b2d27cf74..772fcdc21 100644
---- a/lib/nettle/pk.c
-+++ b/lib/nettle/pk.c
-@@ -94,6 +94,15 @@ static void rnd_mpz_func(void *_ctx, size_t length, uint8_t * data)
- nettle_mpz_get_str_256 (length, data, *k);
- }
- 
-+static void rnd_nonce_func_fallback(void *_ctx, size_t length, uint8_t * data)
-+{
-+ if (unlikely(_gnutls_get_lib_state() != LIB_STATE_SELFTEST)) {
-+ _gnutls_switch_lib_state(LIB_STATE_ERROR);
-+ }
-+
-+ memset(data, 0xAA, length);
-+}
-+
- static void
- ecc_scalar_zclear (struct ecc_scalar *s)
- {
-@@ -435,6 +444,7 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
- case GNUTLS_PK_RSA:
- {
- struct rsa_public_key pub;
-+ nettle_random_func *random_func;
- 
- ret = _rsa_params_to_pubkey(pk_params, &pub);
- if (ret < 0) {
-@@ -442,8 +452,12 @@ _wrap_nettle_pk_encrypt(gnutls_pk_algorithm_t algo,
- goto cleanup;
- }
- 
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
- ret =
-- rsa_encrypt(&pub, NULL, rnd_nonce_func,
-+ rsa_encrypt(&pub, NULL, random_func,
- plaintext->size, plaintext->data,
- p);
- if (ret == 0 || HAVE_LIB_ERROR()) {
-@@ -496,6 +510,7 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
- struct rsa_public_key pub;
- size_t length;
- bigint_t c;
-+ nettle_random_func *random_func;
- 
- _rsa_params_to_privkey(pk_params, &priv);
- ret = _rsa_params_to_pubkey(pk_params, &pub);
-@@ -526,8 +541,12 @@ _wrap_nettle_pk_decrypt(gnutls_pk_algorithm_t algo,
- goto cleanup;
- }
- 
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
- ret =
-- rsa_decrypt_tr(&pub, &priv, NULL, rnd_nonce_func,
-+ rsa_decrypt_tr(&pub, &priv, NULL, random_func,
- &length, plaintext->data,
- TOMPZ(c));
- _gnutls_mpi_release(&c);
-@@ -573,6 +592,7 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
- bigint_t c;
- uint32_t is_err;
- int ret;
-+ nettle_random_func *random_func;
- 
- if (algo != GNUTLS_PK_RSA || plaintext == NULL) {
- gnutls_assert();
-@@ -592,7 +612,11 @@ _wrap_nettle_pk_decrypt2(gnutls_pk_algorithm_t algo,
- return gnutls_assert_val (GNUTLS_E_MPI_SCAN_FAILED);
- }
- 
-- ret = rsa_sec_decrypt(&pub, &priv, NULL, rnd_nonce_func,
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
-+ ret = rsa_sec_decrypt(&pub, &priv, NULL, random_func,
- plaintext_size, plaintext, TOMPZ(c));
- /* after this point, any conditional on failure that cause differences
- * in execution may create a timing or cache access pattern side
-@@ -942,6 +966,7 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- {
- struct rsa_private_key priv;
- struct rsa_public_key pub;
-+ nettle_random_func *random_func;
- mpz_t s;
- 
- _rsa_params_to_privkey(pk_params, &priv);
-@@ -952,8 +977,12 @@ _wrap_nettle_pk_sign(gnutls_pk_algorithm_t algo,
- 
- mpz_init(s);
- 
-+ if (_gnutls_get_lib_state() == LIB_STATE_SELFTEST)
-+ random_func = rnd_nonce_func_fallback;
-+ else
-+ random_func = rnd_nonce_func;
- ret =
-- rsa_pkcs1_sign_tr(&pub, &priv, NULL, rnd_nonce_func,
-+ rsa_pkcs1_sign_tr(&pub, &priv, NULL, random_func,
- vdata->size, vdata->data, s);
- if (ret == 0 || HAVE_LIB_ERROR()) {
- gnutls_assert();
--- 
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch b/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
deleted file mode 100644
index 0194c6c..0000000
--- a/SOURCES/gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
+++ /dev/null
@@ -1,767 +0,0 @@ -From bbb312749780928cc10b45662c6d7eadcaa98f0b Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Thu, 3 Oct 2019 10:34:18 +0200 -Subject: [PATCH 1/3] iov: _gnutls_iov_iter_next: return bytes instead of - blocks - -This eliminates the need of special handling of final block. Also -adds more tests in exceptional cases. - -Signed-off-by: Daiki Ueno ---- - lib/crypto-api.c | 82 +++++------------------------- - lib/iov.c | 31 +++++++++--- - tests/iov.c | 126 ++++++++++++++++++++++++++++++++--------------- - 3 files changed, 121 insertions(+), 118 deletions(-) - -diff --git a/lib/crypto-api.c b/lib/crypto-api.c -index 09b3d7bfc..41e759b74 100644 ---- a/lib/crypto-api.c -+++ b/lib/crypto-api.c -@@ -992,9 +992,9 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - uint8_t *dst; - size_t dst_size, total = 0; - uint8_t *p; -+ size_t len; - size_t blocksize = handle->ctx_enc.e->blocksize; - struct iov_iter_st iter; -- size_t blocks; - - /* Limitation: this function provides an optimization under the internally registered - * AEAD ciphers. 
When an AEAD cipher is used registered with gnutls_crypto_register_aead_cipher(), -@@ -1045,15 +1045,7 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - return gnutls_assert_val(ret); - if (ret == 0) - break; -- blocks = ret; -- ret = _gnutls_cipher_auth(&handle->ctx_enc, p, -- blocksize * blocks); -- if (unlikely(ret < 0)) -- return gnutls_assert_val(ret); -- } -- if (iter.block_offset > 0) { -- ret = _gnutls_cipher_auth(&handle->ctx_enc, -- iter.block, iter.block_offset); -+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret); - if (unlikely(ret < 0)) - return gnutls_assert_val(ret); - } -@@ -1070,29 +1062,15 @@ gnutls_aead_cipher_encryptv(gnutls_aead_cipher_hd_t handle, - return gnutls_assert_val(ret); - if (ret == 0) - break; -- blocks = ret; -- if (unlikely(dst_size < blocksize * blocks)) -- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, -- blocksize * blocks, -- dst, dst_size); -- if (unlikely(ret < 0)) -- return gnutls_assert_val(ret); -- DECR_LEN(dst_size, blocksize * blocks); -- dst += blocksize * blocks; -- total += blocksize * blocks; -- } -- if (iter.block_offset > 0) { -- if (unlikely(dst_size < iter.block_offset)) -- return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER); -+ len = ret; - ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, -- iter.block, iter.block_offset, -+ p, len, - dst, dst_size); - if (unlikely(ret < 0)) - return gnutls_assert_val(ret); -- DECR_LEN(dst_size, iter.block_offset); -- dst += iter.block_offset; -- total += iter.block_offset; -+ DECR_LEN(dst_size, len); -+ dst += len; -+ total += len; - } - - if (dst_size < tag_size) -@@ -1137,7 +1115,6 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, - uint8_t *p; - ssize_t blocksize = handle->ctx_enc.e->blocksize; - struct iov_iter_st iter; -- size_t blocks; - size_t _tag_size; - - if (tag_size == NULL || *tag_size == 0) -@@ -1220,15 +1197,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t 
handle, - return gnutls_assert_val(ret); - if (ret == 0) - break; -- blocks = ret; -- ret = _gnutls_cipher_auth(&handle->ctx_enc, p, -- blocksize * blocks); -- if (unlikely(ret < 0)) -- return gnutls_assert_val(ret); -- } -- if (iter.block_offset > 0) { -- ret = _gnutls_cipher_auth(&handle->ctx_enc, -- iter.block, iter.block_offset); -+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret); - if (unlikely(ret < 0)) - return gnutls_assert_val(ret); - } -@@ -1242,17 +1211,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle, - return gnutls_assert_val(ret); - if (ret == 0) - break; -- blocks = ret; -- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, -- p, blocksize * blocks, -- p, blocksize * blocks); -- if (unlikely(ret < 0)) -- return gnutls_assert_val(ret); -- } -- if (iter.block_offset > 0) { -- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, -- iter.block, iter.block_offset, -- iter.block, iter.block_offset); -+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret); - if (unlikely(ret < 0)) - return gnutls_assert_val(ret); - } -@@ -1296,7 +1255,6 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, - uint8_t *p; - ssize_t blocksize = handle->ctx_enc.e->blocksize; - struct iov_iter_st iter; -- size_t blocks; - uint8_t _tag[MAX_HASH_SIZE]; - - if (tag_size == 0) -@@ -1370,15 +1328,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, - return gnutls_assert_val(ret); - if (ret == 0) - break; -- blocks = ret; -- ret = _gnutls_cipher_auth(&handle->ctx_enc, p, -- blocksize * blocks); -- if (unlikely(ret < 0)) -- return gnutls_assert_val(ret); -- } -- if (iter.block_offset > 0) { -- ret = _gnutls_cipher_auth(&handle->ctx_enc, -- iter.block, iter.block_offset); -+ ret = _gnutls_cipher_auth(&handle->ctx_enc, p, ret); - if (unlikely(ret < 0)) - return gnutls_assert_val(ret); - } -@@ -1392,17 +1342,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle, - return gnutls_assert_val(ret); - if (ret == 0) - break; -- blocks = 
ret; -- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, -- p, blocksize * blocks, -- p, blocksize * blocks); -- if (unlikely(ret < 0)) -- return gnutls_assert_val(ret); -- } -- if (iter.block_offset > 0) { -- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, -- iter.block, iter.block_offset, -- iter.block, iter.block_offset); -+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret); - if (unlikely(ret < 0)) - return gnutls_assert_val(ret); - } -diff --git a/lib/iov.c b/lib/iov.c -index 5dc29c54b..17272886c 100644 ---- a/lib/iov.c -+++ b/lib/iov.c -@@ -58,8 +58,8 @@ _gnutls_iov_iter_init(struct iov_iter_st *iter, - * @data: the return location of extracted data - * - * Retrieve block(s) pointed by @iter and advance it to the next -- * position. It returns the number of consecutive blocks in @data. -- * At the end of iteration, 0 is returned. -+ * position. It returns the number of bytes in @data. At the end of -+ * iteration, 0 is returned. - * - * If the data stored in @iter is not multiple of the block size, the - * remaining data is stored in the "block" field of @iter with the -@@ -88,25 +88,30 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) - if ((len % iter->block_size) == 0) { - iter->iov_index++; - iter->iov_offset = 0; -- } else -- iter->iov_offset += -- len - (len % iter->block_size); -+ } else { -+ len -= (len % iter->block_size); -+ iter->iov_offset += len; -+ } - - /* Return the blocks. */ - *data = p; -- return len / iter->block_size; -+ return len; - } - - /* We can complete one full block to return. */ - block_left = iter->block_size - iter->block_offset; - if (len >= block_left) { - memcpy(iter->block + iter->block_offset, p, block_left); -- iter->iov_offset += block_left; -+ if (len == block_left) { -+ iter->iov_index++; -+ iter->iov_offset = 0; -+ } else -+ iter->iov_offset += block_left; - iter->block_offset = 0; - - /* Return the filled block. 
*/ - *data = iter->block; -- return 1; -+ return iter->block_size; - } - - /* Not enough data for a full block, store in temp -@@ -116,5 +121,15 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) - iter->iov_index++; - iter->iov_offset = 0; - } -+ -+ if (iter->block_offset > 0) { -+ size_t len = iter->block_offset; -+ -+ /* Return the incomplete block. */ -+ *data = iter->block; -+ iter->block_offset = 0; -+ return len; -+ } -+ - return 0; - } -diff --git a/tests/iov.c b/tests/iov.c -index eda5583a7..3d116b471 100644 ---- a/tests/iov.c -+++ b/tests/iov.c -@@ -32,7 +32,6 @@ struct exp_st { - ssize_t ret; - size_t iov_index; - size_t iov_offset; -- size_t block_offset; - }; - - struct test_st { -@@ -42,7 +41,6 @@ struct test_st { - size_t block_size; - const struct exp_st *exp; - size_t expcnt; -- size_t remaining; - }; - - static const giovec_t iov16[] = { -@@ -53,40 +51,41 @@ static const giovec_t iov16[] = { - }; - - static const struct exp_st exp16_64[] = { -- {1, 3, 16, 0}, -- {0, 0, 0, 0} -+ {64, 4, 0}, -+ {0, 0, 0} - }; - - static const struct exp_st exp16_32[] = { -- {1, 1, 16, 0}, -- {1, 3, 16, 0}, -- {0, 0, 0, 0} -+ {32, 2, 0}, -+ {32, 4, 0}, -+ {0, 0, 0} - }; - - static const struct exp_st exp16_16[] = { -- {1, 1, 0, 0}, -- {1, 2, 0, 0}, -- {1, 3, 0, 0}, -- {1, 4, 0, 0}, -- {0, 0, 0, 0} -+ {16, 1, 0}, -+ {16, 2, 0}, -+ {16, 3, 0}, -+ {16, 4, 0}, -+ {0, 0, 0} - }; - - static const struct exp_st exp16_4[] = { -- {4, 1, 0, 0}, -- {4, 2, 0, 0}, -- {4, 3, 0, 0}, -- {4, 4, 0, 0}, -- {0, 0, 0, 0} -+ {16, 1, 0}, -+ {16, 2, 0}, -+ {16, 3, 0}, -+ {16, 4, 0}, -+ {0, 0, 0} - }; - - static const struct exp_st exp16_3[] = { -- {5, 0, 15, 0}, -- {1, 1, 2, 0}, -- {4, 1, 14, 0}, -- {1, 2, 1, 0}, -- {5, 3, 0, 0}, -- {5, 3, 15, 0}, -- {0, 0, 0, 1} -+ {15, 0, 15}, -+ {3, 1, 2}, -+ {12, 1, 14}, -+ {3, 2, 1}, -+ {15, 3, 0}, -+ {15, 3, 15}, -+ {1, 4, 0}, -+ {0, 0, 0} - }; - - static const giovec_t iov8[] = { -@@ -97,22 +96,74 @@ static const giovec_t iov8[] = { - 
}; - - static const struct exp_st exp8_64[] = { -- {0, 0, 0, 32} -+ {32, 4, 0}, -+ {0, 0, 0} -+}; -+ -+static const giovec_t iov_odd[] = { -+ {(void *) "0", 1}, -+ {(void *) "012", 3}, -+ {(void *) "01234", 5}, -+ {(void *) "0123456", 7}, -+ {(void *) "012345678", 9}, -+ {(void *) "01234567890", 11}, -+ {(void *) "0123456789012", 13}, -+ {(void *) "012345678901234", 15} -+}; -+ -+static const struct exp_st exp_odd_16[] = { -+ {16, 4, 0}, -+ {16, 5, 7}, -+ {16, 6, 12}, -+ {16, 8, 0}, -+ {0, 0, 0} -+}; -+ -+static const giovec_t iov_skip[] = { -+ {(void *) "0123456789012345", 16}, -+ {(void *) "01234567", 8}, -+ {(void *) "", 0}, -+ {(void *) "", 0}, -+ {(void *) "0123456789012345", 16} -+}; -+ -+static const struct exp_st exp_skip_16[] = { -+ {16, 1, 0}, -+ {16, 4, 8}, -+ {8, 5, 0}, -+ {0, 0, 0} -+}; -+ -+static const giovec_t iov_empty[] = { -+ {(void *) "", 0}, -+ {(void *) "", 0}, -+ {(void *) "", 0}, -+ {(void *) "", 0} -+}; -+ -+static const struct exp_st exp_empty_16[] = { -+ {0, 0, 0} - }; - - static const struct test_st tests[] = { - { "16/64", iov16, sizeof(iov16)/sizeof(iov16[0]), 64, -- exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]), 0 }, -+ exp16_64, sizeof(exp16_64)/sizeof(exp16_64[0]) }, - { "16/32", iov16, sizeof(iov16)/sizeof(iov16[0]), 32, -- exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]), 0 }, -+ exp16_32, sizeof(exp16_32)/sizeof(exp16_32[0]) }, - { "16/16", iov16, sizeof(iov16)/sizeof(iov16[0]), 16, -- exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]), 0 }, -+ exp16_16, sizeof(exp16_16)/sizeof(exp16_16[0]) }, - { "16/4", iov16, sizeof(iov16)/sizeof(iov16[0]), 4, -- exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]), 0 }, -+ exp16_4, sizeof(exp16_4)/sizeof(exp16_4[0]) }, - { "16/3", iov16, sizeof(iov16)/sizeof(iov16[0]), 3, -- exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]), 1 }, -+ exp16_3, sizeof(exp16_3)/sizeof(exp16_3[0]) }, - { "8/64", iov8, sizeof(iov8)/sizeof(iov8[0]), 64, -- exp8_64, sizeof(exp8_64)/sizeof(exp8_64[0]), 32 } -+ exp8_64, 
sizeof(exp8_64)/sizeof(exp8_64[0]) }, -+ { "odd/16", iov_odd, sizeof(iov_odd)/sizeof(iov_odd[0]), 16, -+ exp_odd_16, sizeof(exp_odd_16)/sizeof(exp_odd_16[0]) }, -+ { "skip/16", iov_skip, sizeof(iov_skip)/sizeof(iov_skip[0]), 16, -+ exp_skip_16, sizeof(exp_skip_16)/sizeof(exp_skip_16[0]) }, -+ { "empty/16", iov_empty, sizeof(iov_empty)/sizeof(iov_empty[0]), 16, -+ exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) }, - }; - - void -@@ -155,16 +206,13 @@ doit (void) - else if (debug) - success("iter.iov_offset: %u == %u\n", - (unsigned) iter.iov_offset, (unsigned) exp[j].iov_offset); -- if (iter.block_offset != exp[j].block_offset) -- fail("iter.block_offset: %u != %u\n", -- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); -+ if (iter.block_offset != 0) -+ fail("iter.block_offset: %u != 0\n", -+ (unsigned) iter.block_offset); - else if (debug) -- success("iter.block_offset: %u == %u\n", -- (unsigned) iter.block_offset, (unsigned) exp[j].block_offset); -+ success("iter.block_offset: %u == 0\n", -+ (unsigned) iter.block_offset); - } - } -- if (iter.block_offset != tests[i].remaining) -- fail("remaining: %u != %u\n", -- (unsigned) iter.block_offset, (unsigned) tests[i].remaining); - } - } --- -2.21.0 - - -From c684814cc456a9792a9183ce77d32d435f29e6b7 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 1 Oct 2019 18:14:48 +0200 -Subject: [PATCH 2/3] iov: add _gnutls_iov_iter_sync to write back cached data - to iov - -Signed-off-by: Daiki Ueno ---- - lib/iov.c | 59 +++++++++++++++++++++++++++++++++++++++++++++ - lib/iov.h | 4 +++- - lib/libgnutls.map | 1 + - tests/iov.c | 61 +++++++++++++++++++++++++++++++++++++++++++---- - 4 files changed, 119 insertions(+), 6 deletions(-) - -diff --git a/lib/iov.c b/lib/iov.c -index 17272886c..1cd8d46dd 100644 ---- a/lib/iov.c -+++ b/lib/iov.c -@@ -133,3 +133,62 @@ _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data) - - return 0; - } -+ -+/** -+ * _gnutls_iov_iter_sync: -+ * @iter: the iterator -+ * 
@data: data returned by _gnutls_iov_iter_next -+ * @data_size: size of @data -+ * -+ * Flush the content of temp buffer (if any) to the data buffer. -+ */ -+int -+_gnutls_iov_iter_sync(struct iov_iter_st *iter, const uint8_t *data, -+ size_t data_size) -+{ -+ size_t iov_index; -+ size_t iov_offset; -+ -+ /* We didn't return the cached block. */ -+ if (data != iter->block) -+ return 0; -+ -+ iov_index = iter->iov_index; -+ iov_offset = iter->iov_offset; -+ -+ /* When syncing a cache block we walk backwards because we only have a -+ * pointer to were the block ends in the iovec, walking backwards is -+ * fine as we are always writing a full block, so the whole content -+ * is written in the right places: -+ * iovec: |--0--|---1---|--2--|-3-| -+ * block: |-----------------------| -+ * 1st write |---| -+ * 2nd write |----- -+ * 3rd write |------- -+ * last write |----- -+ */ -+ while (data_size > 0) { -+ const giovec_t *iov; -+ uint8_t *p; -+ size_t to_write; -+ -+ while (iov_offset == 0) { -+ if (unlikely(iov_index == 0)) -+ return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); -+ -+ iov_index--; -+ iov_offset = iter->iov[iov_index].iov_len; -+ } -+ -+ iov = &iter->iov[iov_index]; -+ p = iov->iov_base; -+ to_write = MIN(data_size, iov_offset); -+ -+ iov_offset -= to_write; -+ data_size -= to_write; -+ -+ memcpy(p + iov_offset, &iter->block[data_size], to_write); -+ } -+ -+ return 0; -+} -diff --git a/lib/iov.h b/lib/iov.h -index 47fba559a..5b9903460 100644 ---- a/lib/iov.h -+++ b/lib/iov.h -@@ -34,7 +34,6 @@ struct iov_iter_st { - uint8_t block[MAX_CIPHER_BLOCK_SIZE]; /* incomplete block for reading */ - size_t block_size; /* actual block size of the cipher */ - size_t block_offset; /* offset in block */ -- - }; - - int _gnutls_iov_iter_init(struct iov_iter_st *iter, -@@ -43,4 +42,7 @@ int _gnutls_iov_iter_init(struct iov_iter_st *iter, - - ssize_t _gnutls_iov_iter_next(struct iov_iter_st *iter, uint8_t **data); - -+int _gnutls_iov_iter_sync(struct iov_iter_st *iter, 
const uint8_t *data, -+ size_t data_size); -+ - #endif /* GNUTLS_LIB_IOV_H */ -diff --git a/lib/libgnutls.map b/lib/libgnutls.map -index f83a21e9b..d6973f72e 100644 ---- a/lib/libgnutls.map -+++ b/lib/libgnutls.map -@@ -1394,4 +1394,5 @@ GNUTLS_PRIVATE_3_4 { - # needed by tests/iov: - _gnutls_iov_iter_init; - _gnutls_iov_iter_next; -+ _gnutls_iov_iter_sync; - } GNUTLS_3_4; -diff --git a/tests/iov.c b/tests/iov.c -index 3d116b471..2acd2b5f5 100644 ---- a/tests/iov.c -+++ b/tests/iov.c -@@ -44,10 +44,10 @@ struct test_st { - }; - - static const giovec_t iov16[] = { -- {(void *) "0123456789abcdef", 16}, -- {(void *) "0123456789abcdef", 16}, -- {(void *) "0123456789abcdef", 16}, -- {(void *) "0123456789abcdef", 16} -+ {(void *) "0123456789012345", 16}, -+ {(void *) "0123456789012345", 16}, -+ {(void *) "0123456789012345", 16}, -+ {(void *) "0123456789012345", 16} - }; - - static const struct exp_st exp16_64[] = { -@@ -166,20 +166,53 @@ static const struct test_st tests[] = { - exp_empty_16, sizeof(exp_empty_16)/sizeof(exp_empty_16[0]) }, - }; - -+static void -+copy(giovec_t *dst, uint8_t *buffer, const giovec_t *src, size_t iovcnt) -+{ -+ uint8_t *p = buffer; -+ size_t i; -+ -+ for (i = 0; i < iovcnt; i++) { -+ dst[i].iov_base = p; -+ dst[i].iov_len = src[i].iov_len; -+ memcpy(dst[i].iov_base, src[i].iov_base, src[i].iov_len); -+ p += src[i].iov_len; -+ } -+} -+ -+static void -+translate(uint8_t *data, size_t len) -+{ -+ for (; len > 0; len--) { -+ uint8_t *p = &data[len - 1]; -+ if (*p >= '0' && *p <= '9') -+ *p = 'A' + *p - '0'; -+ else if (*p >= 'A' && *p <= 'Z') -+ *p = '0' + *p - 'A'; -+ } -+} -+ -+#define MAX_BUF 1024 -+#define MAX_IOV 16 -+ - void - doit (void) - { -+ uint8_t buffer[MAX_BUF]; - size_t i; - - for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) { -+ giovec_t iov[MAX_IOV]; - struct iov_iter_st iter; - const struct exp_st *exp = tests[i].exp; - uint8_t *data; - size_t j; - -+ copy(iov, buffer, tests[i].iov, tests[i].iovcnt); -+ - success("%s\n", 
tests[i].name); - assert(_gnutls_iov_iter_init(&iter, -- tests[i].iov, tests[i].iovcnt, -+ iov, tests[i].iovcnt, - tests[i].block_size) == 0); - for (j = 0; j < tests[i].expcnt; j++) { - ssize_t ret; -@@ -212,7 +245,25 @@ doit (void) - else if (debug) - success("iter.block_offset: %u == 0\n", - (unsigned) iter.block_offset); -+ -+ translate(data, ret); -+ -+ ret = _gnutls_iov_iter_sync(&iter, data, ret); -+ if (ret < 0) -+ fail("sync failed\n"); - } - } -+ -+ for (j = 0; j < tests[i].iovcnt; j++) { -+ translate(iov[j].iov_base, iov[j].iov_len); -+ -+ if (memcmp(iov[j].iov_base, tests[i].iov[j].iov_base, -+ iov[j].iov_len) != 0) -+ fail("iov doesn't match: %*s != %*s\n", -+ (int)iov[j].iov_len, -+ (char *)iov[j].iov_base, -+ (int)tests[i].iov[j].iov_len, -+ (char *)tests[i].iov[j].iov_len); -+ } - } - } --- -2.21.0 - - -From 6df0cf1c0ec727fc237a9b429684c8f2ef5d34b7 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Tue, 1 Oct 2019 18:15:19 +0200 -Subject: [PATCH 3/3] gnutls_aead_cipher_{en,de}cryptv2: write back cached data - to buffers - -Previously, those functions failed to write the output to the buffers -if the buffer length is not multiple of cipher block size. This makes -sure that the cached data is always flushed. 
-
-Signed-off-by: Daiki Ueno
----
- lib/crypto-api.c | 18 ++++++++++++++++--
- tests/aead-cipher-vec.c | 14 ++++++++------
- 2 files changed, 24 insertions(+), 8 deletions(-)
-
-diff --git a/lib/crypto-api.c b/lib/crypto-api.c
-index 41e759b74..7308d7e7b 100644
---- a/lib/crypto-api.c
-+++ b/lib/crypto-api.c
-@@ -1113,6 +1113,7 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
- api_aead_cipher_hd_st *h = handle;
- ssize_t ret;
- uint8_t *p;
-+ size_t len;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
- size_t _tag_size;
-@@ -1211,7 +1212,13 @@ gnutls_aead_cipher_encryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, ret, p, ret);
-+
-+ len = ret;
-+ ret = _gnutls_cipher_encrypt2(&handle->ctx_enc, p, len, p, len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_sync(&iter, p, len);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-@@ -1253,6 +1260,7 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
- api_aead_cipher_hd_st *h = handle;
- ssize_t ret;
- uint8_t *p;
-+ size_t len;
- ssize_t blocksize = handle->ctx_enc.e->blocksize;
- struct iov_iter_st iter;
- uint8_t _tag[MAX_HASH_SIZE];
-@@ -1342,7 +1350,13 @@ gnutls_aead_cipher_decryptv2(gnutls_aead_cipher_hd_t handle,
- return gnutls_assert_val(ret);
- if (ret == 0)
- break;
-- ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, ret, p, ret);
-+
-+ len = ret;
-+ ret = _gnutls_cipher_decrypt2(&handle->ctx_enc, p, len, p, len);
-+ if (unlikely(ret < 0))
-+ return gnutls_assert_val(ret);
-+
-+ ret = _gnutls_iov_iter_sync(&iter, p, len);
- if (unlikely(ret < 0))
- return gnutls_assert_val(ret);
- }
-diff --git a/tests/aead-cipher-vec.c b/tests/aead-cipher-vec.c
-index 6c2542cf1..10e3db862 100644
---- a/tests/aead-cipher-vec.c
-+++ b/tests/aead-cipher-vec.c
-@@ -43,9 +43,9 @@ static void start(const char 
*name, int algo)
- uint8_t key16[64];
- uint8_t iv16[32];
- uint8_t auth[128];
-- uint8_t data[128+64];
-+ uint8_t data[64+56+36];
- gnutls_datum_t key, iv;
-- giovec_t iov[2];
-+ giovec_t iov[3];
- giovec_t auth_iov[2];
- uint8_t tag[64];
- size_t tag_size = 0;
-@@ -60,13 +60,15 @@ static void start(const char *name, int algo)
- 
- memset(iv.data, 0xff, iv.size);
- memset(key.data, 0xfe, key.size);
-- memset(data, 0xfa, 128);
-+ memset(data, 0xfa, sizeof(data));
- memset(auth, 0xaa, sizeof(auth));
- 
- iov[0].iov_base = data;
- iov[0].iov_len = 64;
- iov[1].iov_base = data + 64;
-- iov[1].iov_len = 64;
-+ iov[1].iov_len = 56;
-+ iov[2].iov_base = data + 64 + 56;
-+ iov[2].iov_len = 36;
- 
- auth_iov[0].iov_base = auth;
- auth_iov[0].iov_len = 64;
-@@ -83,7 +85,7 @@ static void start(const char *name, int algo)
- ret = gnutls_aead_cipher_encryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
-- iov, 2,
-+ iov, 3,
- tag, &tag_size);
- if (ret < 0)
- fail("could not encrypt data: %s\n", gnutls_strerror(ret));
-@@ -91,7 +93,7 @@ static void start(const char *name, int algo)
- ret = gnutls_aead_cipher_decryptv2(ch,
- iv.data, iv.size,
- auth_iov, 2,
-- iov, 2,
-+ iov, 3,
- tag, tag_size);
- if (ret < 0)
- fail("could not decrypt data: %s\n", gnutls_strerror(ret));
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch b/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch
deleted file mode 100644
index 738069b..0000000
--- a/SOURCES/gnutls-3.6.8-fix-cfb8-decrypt.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 1c2135506825ae80966fe2797613806916b7e3c0 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Wed, 6 Nov 2019 12:07:24 +0100
-Subject: [PATCH 1/2] nettle: backport fixes to cfb8_decrypt
-
-cfb8: don't truncate output IV if input is shorter than block size:
-https://git.lysator.liu.se/nettle/nettle/commit/f4a9c842621baf5d71aa9cc3989851f44dc46861
-
-Signed-off-by: Daiki Ueno
----
- lib/nettle/backport/cfb8.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/lib/nettle/backport/cfb8.c b/lib/nettle/backport/cfb8.c
-index e9816feb7..1762192f4 100644
---- a/lib/nettle/backport/cfb8.c
-+++ b/lib/nettle/backport/cfb8.c
-@@ -110,10 +110,12 @@ cfb8_decrypt(const void *ctx, nettle_cipher_func *f,
- src += i;
- dst += i;
- 
-- memcpy(buffer, buffer + block_size, block_size);
-- memcpy(buffer + block_size, src,
-- length < block_size ? length : block_size);
--
-+ if (i == block_size)
-+ {
-+ memcpy(buffer, buffer + block_size, block_size);
-+ memcpy(buffer + block_size, src,
-+ length < block_size ? 
length : block_size); -+ } - } - - memcpy(iv, buffer + i, block_size); --- -2.21.0 - - -From cc01347302678719f0bcfb4f3383fe0f1e905ed8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 6 Nov 2019 13:17:57 +0100 -Subject: [PATCH 2/2] crypto-selftests: test CFB8 ciphers with different - chunksizes - -Signed-off-by: Guenther Deschner -Signed-off-by: Daiki Ueno ---- - lib/crypto-selftests.c | 124 +++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 118 insertions(+), 6 deletions(-) - -diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c -index 6caf817e8..5f0a4ec8b 100644 ---- a/lib/crypto-selftests.c -+++ b/lib/crypto-selftests.c -@@ -710,6 +710,107 @@ static int test_cipher(gnutls_cipher_algorithm_t cipher, - return 0; - } - -+static int test_cipher_all_block_sizes(gnutls_cipher_algorithm_t cipher, -+ const struct cipher_vectors_st *vectors, -+ size_t vectors_size, unsigned flags) -+{ -+ gnutls_cipher_hd_t hd; -+ int ret; -+ unsigned int i; -+ uint8_t tmp[384]; -+ gnutls_datum_t key, iv = {NULL, 0}; -+ size_t block; -+ size_t offset; -+ -+ for (i = 0; i < vectors_size; i++) { -+ for (block = 1; block <= vectors[i].plaintext_size; block++) { -+ key.data = (void *) vectors[i].key; -+ key.size = vectors[i].key_size; -+ -+ iv.data = (void *) vectors[i].iv; -+ iv.size = gnutls_cipher_get_iv_size(cipher); -+ -+ if (iv.size != vectors[i].iv_size) -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); -+ -+ ret = gnutls_cipher_init(&hd, cipher, &key, &iv); -+ if (ret < 0) { -+ _gnutls_debug_log("error initializing: %s\n", -+ gnutls_cipher_get_name(cipher)); -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); -+ } -+ -+ for (offset = 0; -+ offset < vectors[i].plaintext_size; -+ offset += block) { -+ ret = -+ gnutls_cipher_encrypt2(hd, -+ vectors[i].plaintext + offset, -+ MIN(block, vectors[i].plaintext_size - offset), -+ tmp + offset, -+ sizeof(tmp) - offset); -+ if (ret < 0) -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); 
-+ } -+ -+ if (memcmp -+ (tmp, vectors[i].ciphertext, -+ vectors[i].plaintext_size) != 0) { -+ _gnutls_debug_log("%s encryption of test vector %d failed with block size %d/%d!\n", -+ gnutls_cipher_get_name(cipher), -+ i, (int)block, (int)vectors[i].plaintext_size); -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); -+ } -+ -+ gnutls_cipher_deinit(hd); -+ } -+ } -+ -+ for (i = 0; i < vectors_size; i++) { -+ for (block = 1; block <= vectors[i].plaintext_size; block++) { -+ key.data = (void *) vectors[i].key; -+ key.size = vectors[i].key_size; -+ -+ iv.data = (void *) vectors[i].iv; -+ iv.size = gnutls_cipher_get_iv_size(cipher); -+ -+ ret = gnutls_cipher_init(&hd, cipher, &key, &iv); -+ if (ret < 0) -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); -+ -+ for (offset = 0; -+ offset + block <= vectors[i].plaintext_size; -+ offset += block) { -+ ret = -+ gnutls_cipher_decrypt2(hd, -+ vectors[i].ciphertext + offset, -+ MIN(block, vectors[i].plaintext_size - offset), -+ tmp + offset, -+ sizeof(tmp) - offset); -+ if (ret < 0) -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); -+ } -+ -+ if (memcmp -+ (tmp, vectors[i].plaintext, -+ vectors[i].plaintext_size) != 0) { -+ _gnutls_debug_log("%s decryption of test vector %d failed with block size %d!\n", -+ gnutls_cipher_get_name(cipher), -+ i, (int)block); -+ return gnutls_assert_val(GNUTLS_E_SELF_TEST_ERROR); -+ } -+ -+ gnutls_cipher_deinit(hd); -+ } -+ } -+ -+ _gnutls_debug_log -+ ("%s self check succeeded\n", -+ gnutls_cipher_get_name(cipher)); -+ -+ return 0; -+} -+ - /* AEAD modes (compat APIs) */ - static int test_cipher_aead_compat(gnutls_cipher_algorithm_t cipher, - const struct cipher_aead_vectors_st *vectors, -@@ -1721,6 +1822,14 @@ static int test_mac(gnutls_mac_algorithm_t mac, - if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \ - return ret - -+#define CASE2(x, func, func2, vectors) case x: \ -+ ret = func(x, V(vectors), flags); \ -+ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \ -+ return 
ret; \ -+ ret = func2(x, V(vectors), flags); \ -+ if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \ -+ return ret -+ - #define NON_FIPS_CASE(x, func, vectors) case x: \ - if (_gnutls_fips_mode_enabled() == 0) { \ - ret = func(x, V(vectors), flags); \ -@@ -1786,14 +1895,17 @@ int gnutls_cipher_self_test(unsigned flags, gnutls_cipher_algorithm_t cipher) - NON_FIPS_CASE(GNUTLS_CIPHER_CHACHA20_POLY1305, test_cipher_aead, - chacha_poly1305_vectors); - FALLTHROUGH; -- CASE(GNUTLS_CIPHER_AES_128_CFB8, test_cipher, -- aes128_cfb8_vectors); -+ CASE2(GNUTLS_CIPHER_AES_128_CFB8, test_cipher, -+ test_cipher_all_block_sizes, -+ aes128_cfb8_vectors); - FALLTHROUGH; -- CASE(GNUTLS_CIPHER_AES_192_CFB8, test_cipher, -- aes192_cfb8_vectors); -+ CASE2(GNUTLS_CIPHER_AES_192_CFB8, test_cipher, -+ test_cipher_all_block_sizes, -+ aes192_cfb8_vectors); - FALLTHROUGH; -- CASE(GNUTLS_CIPHER_AES_256_CFB8, test_cipher, -- aes256_cfb8_vectors); -+ CASE2(GNUTLS_CIPHER_AES_256_CFB8, test_cipher, -+ test_cipher_all_block_sizes, -+ aes256_cfb8_vectors); - FALLTHROUGH; - CASE(GNUTLS_CIPHER_AES_128_XTS, test_cipher, - aes128_xts_vectors); --- -2.21.0 - diff --git a/SOURCES/gnutls-3.6.8-multiple-key-updates.patch b/SOURCES/gnutls-3.6.8-multiple-key-updates.patch deleted file mode 100644 index 720ada3..0000000 --- a/SOURCES/gnutls-3.6.8-multiple-key-updates.patch +++ /dev/null 
@@ -1,286 +0,0 @@ -From 6023c69c616d866e19ab1c0bb87931e5143c79d3 Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 5 Jun 2019 16:48:39 +0200 -Subject: [PATCH] tls13/key_update: ignore multiple key updates instead of - error - -This fixes the multiple KeyUpdate messages handling in commit -65e2aa80d114d4bef095d129c2eda475e473244a, where illegal_parameter is -sent even if the limit doesn't exceed. - -Signed-off-by: Daiki Ueno ---- - .gitignore | 1 + - lib/tls13/key_update.c | 2 - - tests/Makefile.am | 2 + - tests/tls13/key_update_multiple.c | 232 ++++++++++++++++++++++++++++++ - 4 files changed, 235 insertions(+), 2 deletions(-) - create mode 100644 tests/tls13/key_update_multiple.c - -diff --git a/lib/tls13/key_update.c b/lib/tls13/key_update.c -index d542a214b..c6f6e0aa1 100644 ---- a/lib/tls13/key_update.c -+++ b/lib/tls13/key_update.c -@@ -117,8 +117,6 @@ int _gnutls13_recv_key_update(gnutls_session_t session, gnutls_buffer_st *buf) - session->internals.rsend_state = RECORD_SEND_KEY_UPDATE_1; - else if (session->internals.rsend_state == RECORD_SEND_CORKED) - session->internals.rsend_state = RECORD_SEND_CORKED_TO_KU; -- else -- return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); - - break; - default: -diff --git a/tests/Makefile.am b/tests/Makefile.am -index ca0481879..4ffa69825 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -119,6 +119,8 @@ ctests += tls13/psk-ext - - ctests += tls13/key_update - -+ctests += tls13/key_update_multiple -+ - ctests += tls13/key_limits - - ctests += tls13/multi-ocsp -diff --git a/tests/tls13/key_update_multiple.c b/tests/tls13/key_update_multiple.c -new file mode 100644 -index 000000000..8b2c2db4b ---- /dev/null -+++ b/tests/tls13/key_update_multiple.c -@@ -0,0 +1,232 @@ -+/* -+ * Copyright (C) 2017-2019 Red Hat, Inc. -+ * -+ * Author: Daiki Ueno -+ * -+ * This file is part of GnuTLS. 
-+ * -+ * GnuTLS is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * GnuTLS is distributed in the hope that it will be useful, but -+ * WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ * General Public License for more details. -+ * -+ * You should have received a copy of the GNU Lesser General Public License -+ * along with this program. If not, see -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include -+#endif -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "cert-common.h" -+ -+#include "utils.h" -+#include "virt-time.h" -+#define RANDOMIZE -+#include "eagain-common.h" -+ -+const char *side = ""; -+ -+/* This program tests whether multiple key update messages are handled -+ * properly with rate-limit. */ -+ -+static void tls_log_func(int level, const char *str) -+{ -+ fprintf(stderr, "%s|<%d>| %s", side, level, str); -+} -+ -+#define MAX_BUF 1024 -+#define MSG "Hello TLS, and hi and how are you and more data here... and more... and even more and even more more data..." -+ -+/* These must match the definitions in lib/tls13/key_update.c. */ -+#define KEY_UPDATES_WINDOW 1000 -+#define KEY_UPDATES_PER_WINDOW 8 -+ -+static unsigned key_update_msg_inc = 0; -+static unsigned key_update_msg_out = 0; -+ -+static int hsk_callback(gnutls_session_t session, unsigned int htype, -+ unsigned post, unsigned int incoming, const gnutls_datum_t *msg) -+{ -+ assert(post == GNUTLS_HOOK_PRE); -+ -+ assert(msg->size == 1); -+ -+ if (htype == GNUTLS_HANDSHAKE_KEY_UPDATE) { -+ if (incoming) -+ key_update_msg_inc++; -+ else -+ key_update_msg_out++; -+ } -+ -+ return 0; -+} -+ -+static void run(const char *name, bool exceed_limit) -+{ -+ /* Server stuff. 
*/ -+ gnutls_certificate_credentials_t ccred; -+ gnutls_certificate_credentials_t scred; -+ gnutls_session_t server; -+ int sret, cret; -+ /* Client stuff. */ -+ gnutls_session_t client; -+ /* Need to enable anonymous KX specifically. */ -+ char buffer[MAX_BUF + 1]; -+ int ret, transferred = 0; -+ size_t i; -+ -+ success("%s\n", name); -+ -+ /* General init. */ -+ global_init(); -+ gnutls_global_set_log_function(tls_log_func); -+ if (debug) -+ gnutls_global_set_log_level(9); -+ -+ /* Init server */ -+ assert(gnutls_certificate_allocate_credentials(&scred) >= 0); -+ assert(gnutls_certificate_set_x509_key_mem(scred, -+ &server_ca3_localhost_cert, -+ &server_ca3_key, -+ GNUTLS_X509_FMT_PEM) >= 0); -+ -+ assert(gnutls_init(&server, GNUTLS_SERVER) >= 0); -+ ret = -+ gnutls_priority_set_direct(server, -+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", -+ NULL); -+ if (ret < 0) -+ exit(1); -+ -+ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred); -+ gnutls_transport_set_push_function(server, server_push); -+ gnutls_transport_set_pull_function(server, server_pull); -+ gnutls_transport_set_ptr(server, server); -+ -+ /* Init client */ -+ assert(gnutls_certificate_allocate_credentials(&ccred) >= 0); -+ assert(gnutls_certificate_set_x509_trust_mem -+ (ccred, &ca3_cert, GNUTLS_X509_FMT_PEM) >= 0); -+ -+ gnutls_init(&client, GNUTLS_CLIENT); -+ ret = -+ gnutls_priority_set_direct(client, -+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", -+ NULL); -+ assert(ret >= 0); -+ -+ ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred); -+ if (ret < 0) -+ exit(1); -+ -+ gnutls_transport_set_push_function(client, client_push); -+ gnutls_transport_set_pull_function(client, client_pull); -+ gnutls_transport_set_ptr(client, client); -+ -+ -+ HANDSHAKE(client, server); -+ if (debug) -+ success("Handshake established\n"); -+ -+ key_update_msg_inc = 0; -+ key_update_msg_out = 0; -+ -+ gnutls_handshake_set_hook_function(client, -1, GNUTLS_HOOK_PRE, hsk_callback); -+ -+ /* schedule multiple key 
updates */ -+ for (i = 0; i < KEY_UPDATES_PER_WINDOW; i++) { -+ do { -+ ret = gnutls_session_key_update(client, 1); -+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); -+ if (ret < 0) -+ fail("error in key update: %s\n", gnutls_strerror(ret)); -+ } -+ -+ /* server receives the client key update and sends data */ -+ TRANSFER(client, server, MSG, strlen(MSG), buffer, MAX_BUF); -+ TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); -+ EMPTY_BUF(server, client, buffer, MAX_BUF); -+ -+ if (key_update_msg_out != KEY_UPDATES_PER_WINDOW) -+ fail("unexpected number of key updates are sent: %d\n", -+ key_update_msg_out); -+ else { -+ if (debug) -+ success("successfully sent %d key updates\n", -+ KEY_UPDATES_PER_WINDOW); -+ } -+ if (key_update_msg_inc != 1) -+ fail("unexpected number of key updates received: %d\n", -+ key_update_msg_inc); -+ else { -+ if (debug) -+ success("successfully received 1 key update\n"); -+ } -+ -+ if (exceed_limit) { -+ /* excessive key update in the same time window should -+ * be rejected by the peer */ -+ do { -+ ret = gnutls_session_key_update(client, 1); -+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); -+ -+ /* server receives the client key update and sends data */ -+ ret = record_send_loop(client, MSG, strlen(MSG), 0); -+ assert(ret == strlen(MSG)); -+ ret = gnutls_record_recv(server, buffer, MAX_BUF); -+ if (ret != GNUTLS_E_TOO_MANY_HANDSHAKE_PACKETS) -+ fail("server didn't reject excessive number of key updates\n"); -+ else { -+ if (debug) -+ success("server rejected excessive number of key updates\n"); -+ } -+ } else { -+ virt_sec_sleep(KEY_UPDATES_WINDOW / 1000 + 1); -+ -+ /* the time window should be rolled over now */ -+ do { -+ ret = gnutls_session_key_update(client, 1); -+ } while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED); -+ if (ret < 0) -+ fail("error in key update: %s\n", gnutls_strerror(ret)); -+ -+ /* server receives the client key update and sends data */ -+ TRANSFER(client, 
server, MSG, strlen(MSG), buffer, MAX_BUF); -+ TRANSFER(server, client, MSG, strlen(MSG), buffer, MAX_BUF); -+ EMPTY_BUF(server, client, buffer, MAX_BUF); -+ } -+ -+ gnutls_bye(client, GNUTLS_SHUT_WR); -+ gnutls_bye(server, GNUTLS_SHUT_WR); -+ -+ gnutls_deinit(client); -+ gnutls_deinit(server); -+ -+ gnutls_certificate_free_credentials(scred); -+ gnutls_certificate_free_credentials(ccred); -+ -+ gnutls_global_deinit(); -+ reset_buffers(); -+} -+ -+void doit(void) -+{ -+ virt_time_init(); -+ -+ run("not exceeding limit", 0); -+ run("exceeding limit", 1); -+} --- -2.20.1 - diff --git a/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch b/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch deleted file mode 100644 index 6135dca..0000000 --- a/SOURCES/gnutls-3.6.8-pkcs11-login-error.patch +++ /dev/null 
@@ -1,265 +0,0 @@ -From fa5147c86941512921282b84819b896a0d4f29bb Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 19 Jun 2019 17:21:16 +0200 -Subject: [PATCH] pkcs11: ignore login error when traversing tokens - -If a token is a general access device, it is expected that login -attempt to that token returns error: -https://github.com/p11-glue/p11-kit/blob/master/trust/module.c#L852 - -On the other hand, _pkcs11_traverse_tokens treats the error as fatal -and stops iteration. This behavior prevents object search without -token specifier if such tokens are registered in the system. - -Reported by Stanislav Zidek in -https://bugzilla.redhat.com/show_bug.cgi?id=1705478 - -Signed-off-by: Daiki Ueno ---- - .gitignore | 1 + - lib/pkcs11.c | 8 +- - tests/Makefile.am | 2 +- - tests/p11-kit-load.sh | 23 ++++++ - tests/pkcs11/list-objects.c | 150 ++++++++++++++++++++++++++++++++++++ - 5 files changed, 182 insertions(+), 2 deletions(-) - create mode 100644 tests/pkcs11/list-objects.c - -diff --git a/lib/pkcs11.c b/lib/pkcs11.c -index de5309b29..2ef0e3e02 100644 ---- a/lib/pkcs11.c -+++ b/lib/pkcs11.c -@@ -1617,7 +1617,13 @@ _pkcs11_traverse_tokens(find_func_t find_func, void *input, - info, flags); - if (ret < 0) { - gnutls_assert(); -- return ret; -+ pkcs11_close_session(&sinfo); -+ -+ /* treat the error as fatal only if -+ * the token requires login */ -+ if (l_tinfo.flags & CKF_LOGIN_REQUIRED) -+ return ret; -+ continue; - } - - ret = -diff --git a/tests/Makefile.am b/tests/Makefile.am -index a67f1549c..7fe954f63 100644 ---- a/tests/Makefile.am -+++ b/tests/Makefile.am -@@ -496,7 +496,7 @@ dist_check_SCRIPTS += p11-kit-trust.sh testpkcs11.sh certtool-pkcs11.sh - if HAVE_PKCS11_TRUST_STORE - if P11KIT_0_23_11_API - dist_check_SCRIPTS += p11-kit-load.sh --indirect_tests += pkcs11/list-tokens -+indirect_tests += pkcs11/list-tokens pkcs11/list-objects - endif - endif - -diff --git a/tests/p11-kit-load.sh b/tests/p11-kit-load.sh -index 3201a2c5f..419900f6a 100755 ---- 
a/tests/p11-kit-load.sh -+++ b/tests/p11-kit-load.sh -@@ -22,6 +22,7 @@ - srcdir="${srcdir:-.}" - builddir="${builddir:-.}" - CERTTOOL="${CERTTOOL:-../src/certtool${EXEEXT}}" -+P11TOOL="${P11TOOL:-../src/p11tool${EXEEXT}}" - DIFF="${DIFF:-diff}" - PKGCONFIG="${PKG_CONFIG:-$(which pkg-config)}" - TMP_SOFTHSM_DIR="./softhsm-load.$$.tmp" -@@ -90,6 +91,12 @@ if test $? != 0; then - exit 1 - fi - -+GNUTLS_PIN="${PIN}" ${P11TOOL} --login --label GnuTLS-Test-RSA --generate-privkey rsa --provider "${SOFTHSM_MODULE}" pkcs11: --outfile /dev/null -+if test $? != 0; then -+ echo "failed to generate privkey" -+ exit 1 -+fi -+ - FILTERTOKEN="sed s/token=.*//g" - - # Check whether both are listed -@@ -175,6 +182,22 @@ if test "$nr" != 2;then - exit 1 - fi - -+# Check whether public key and privkey are listed. -+nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test|sort -u|wc -l) -+if test "$nr" != 2;then -+ echo "Error in test 8: did not find all objects" -+ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t all pkcs11:token=GnuTLS-Test -+ exit 1 -+fi -+ -+# Check whether all privkeys are listed even if trust module is registered. -+nr=$(GNUTLS_PIN="${PIN}" ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11:|sort -u|wc -l) -+if test "$nr" != 1;then -+ echo "Error in test 9: did not find privkey objects" -+ ${builddir}/pkcs11/list-objects -o ${P11DIR} -t privkey pkcs11: -+ exit 1 -+fi -+ - rm -f ${P11DIR}/* - rm -rf ${TMP_SOFTHSM_DIR} - -diff --git a/tests/pkcs11/list-objects.c b/tests/pkcs11/list-objects.c -new file mode 100644 -index 000000000..ab30cd568 ---- /dev/null -+++ b/tests/pkcs11/list-objects.c -@@ -0,0 +1,150 @@ -+/* -+ * Copyright (C) 2016-2017 Red Hat, Inc. -+ * -+ * Author: Nikos Mavrogiannopoulos -+ * -+ * This file is part of GnuTLS. 
-+ *
-+ * GnuTLS is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 3 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * GnuTLS is distributed in the hope that it will be useful, but
-+ * WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this program. If not, see
-+ */
-+
-+#ifdef HAVE_CONFIG_H
-+#include
-+#endif
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#define P11_KIT_FUTURE_UNSTABLE_API
-+#include
-+#include "cert-common.h"
-+
-+/* lists the registered PKCS#11 modules by p11-kit.
-+ */
-+
-+static void tls_log_func(int level, const char *str)
-+{
-+ fprintf(stderr, "|<%d>| %s", level, str);
-+}
-+
-+static const char *opt_pin;
-+
-+static
-+int pin_func(void* userdata, int attempt, const char* url, const char *label,
-+ unsigned flags, char *pin, size_t pin_max)
-+{
-+ if (attempt == 0) {
-+ strcpy(pin, opt_pin);
-+ return 0;
-+ }
-+ return -1;
-+}
-+
-+int main(int argc, char **argv)
-+{
-+ int ret;
-+ unsigned i;
-+ int opt;
-+ char *url, *mod;
-+ unsigned flags;
-+ unsigned obj_flags = 0;
-+ int attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
-+ gnutls_pkcs11_obj_t *crt_list;
-+ unsigned int crt_list_size = 0;
-+ const char *envvar;
-+
-+ ret = gnutls_global_init();
-+ if (ret != 0) {
-+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
-+ exit(1);
-+ }
-+
-+ gnutls_global_set_log_function(tls_log_func);
-+
-+ while((opt = getopt(argc, argv, "o:t:")) != -1) {
-+ switch(opt) {
-+ case 'o':
-+ mod = strdup(optarg);
-+ p11_kit_override_system_files(NULL, NULL, mod, mod, NULL);
-+ break;
-+ case 't':
-+ /* specify the object type to list */
-+ if (strcmp(optarg, "all") == 0)
-+ attrs = GNUTLS_PKCS11_OBJ_ATTR_ALL;
-+ else if (strcmp(optarg, "privkey") == 0)
-+ attrs = GNUTLS_PKCS11_OBJ_ATTR_PRIVKEY;
-+ else {
-+ fprintf(stderr, "Unknown object type %s\n", optarg);
-+ exit(1);
-+ }
-+ break;
-+ default:
-+ fprintf(stderr, "Unknown option %c\n", (char)opt);
-+ exit(1);
-+ }
-+ }
-+
-+ if (optind == argc) {
-+ fprintf(stderr, "specify URL\n");
-+ exit(1);
-+ }
-+ url = argv[optind];
-+
-+ envvar = getenv("GNUTLS_PIN");
-+ if (envvar && *envvar != '\0') {
-+ opt_pin = envvar;
-+ obj_flags |= GNUTLS_PKCS11_OBJ_FLAG_LOGIN;
-+ gnutls_pkcs11_set_pin_function(pin_func, NULL);
-+ }
-+
-+ ret = gnutls_pkcs11_token_get_flags(url, &flags);
-+ if (ret < 0) {
-+ flags = 0;
-+ }
-+
-+ ret =
-+ gnutls_pkcs11_obj_list_import_url2(&crt_list, &crt_list_size,
-+ url, attrs, obj_flags);
-+ if (ret != 0) {
-+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
-+ exit(1);
-+ }
-+
-+ for (i = 0; i < crt_list_size; i++) {
-+ char *output;
-+
-+ ret =
-+ gnutls_pkcs11_obj_export_url(crt_list[i], 0,
-+ &output);
-+ if (ret != 0) {
-+ fprintf(stderr, "error at %d: %s\n", __LINE__, gnutls_strerror(ret));
-+ exit(1);
-+ }
-+
-+ fprintf(stdout, "%s\n", output);
-+ gnutls_free(output);
-+ gnutls_pkcs11_obj_deinit(crt_list[i]);
-+ }
-+ gnutls_free(crt_list);
-+
-+ gnutls_global_deinit();
-+}
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8-session-ticket-ub.patch b/SOURCES/gnutls-3.6.8-session-ticket-ub.patch
deleted file mode 100644
index 96e11f7..0000000
--- a/SOURCES/gnutls-3.6.8-session-ticket-ub.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From 1f6bbceeeeb613cf4d790874bdd1e917a7071159 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Mon, 8 Jul 2019 16:54:56 +0200
-Subject: [PATCH] ext/session_ticket: avoid calling memcpy on overlapping
- memory areas
-
-In _gnutls_encrypt_session_ticket, ticket.encrypted_state is allocated
-from ticket_data->data, thus those memory areas may overlap. Using
-memcpy here leads to undefined behavior.
-
-Spotted by valgrind run on ppc64le.
-
-==95231== Source and destination overlap in memcpy(0x47ce3a2, 0x47ce3a2, 160)
-==95231== at 0x408A840: memcpy (vg_replace_strmem.c:1023)
-==95231== by 0x424EE9F: pack_ticket (session_ticket.c:139)
-==95231== by 0x424FA4F: _gnutls_encrypt_session_ticket (session_ticket.c:335)
-==95231== by 0x4199E3B: generate_session_ticket (session_ticket.c:249)
-==95231== by 0x419A333: _gnutls13_send_session_ticket (session_ticket.c:307)
-==95231== by 0x40F8817: _gnutls13_handshake_server (handshake-tls13.c:511)
-==95231== by 0x4110DEB: handshake_server (handshake.c:3331)
-==95231== by 0x410C70B: gnutls_handshake (handshake.c:2727)
-==95231== by 0x10009EBF: retry_handshake (serv.c:1306)
-==95231== by 0x1000AB67: tcp_server (serv.c:1500)
-==95231== by 0x10009E5B: main (serv.c:1297)
-==95231==
-
-Signed-off-by: Daiki Ueno
----
- lib/ext/session_ticket.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/lib/ext/session_ticket.c b/lib/ext/session_ticket.c
-index 09e240c2d..98db39ff8 100644
---- a/lib/ext/session_ticket.c
-+++ b/lib/ext/session_ticket.c
-@@ -136,7 +136,11 @@ pack_ticket(const struct ticket_st *ticket, gnutls_datum_t *ticket_data)
- _gnutls_write_uint16(ticket->encrypted_state_len, p);
- p += 2;
-
-- memcpy(p, ticket->encrypted_state, ticket->encrypted_state_len);
-+ /* We use memmove instead of memcpy here because
-+ * ticket->encrypted_state is allocated from
-+ * ticket_data->data, and thus both memory areas may overlap.
-+ */
-+ memmove(p, ticket->encrypted_state, ticket->encrypted_state_len);
- p += ticket->encrypted_state_len;
-
- memcpy(p, ticket->mac, TICKET_MAC_SIZE);
---
-2.21.0
-
diff --git a/SOURCES/gnutls-3.6.8.tar.xz.sig b/SOURCES/gnutls-3.6.8.tar.xz.sig
deleted file mode 100644
index d2f386200e2f07c88cbafdf31687882fcbc3b7bd..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 310
zcmV-60m=S}0W$;u0SEvc79j*#`?XxB^Qfx~P&aef97u=pXPRXN0$l9JzyJyf5ZD|@
zhw*2cWr0)&`v?6YCBW><2XE4(TD}~2;g_C1@fZ2SjZ%Hr7s=
zcz{U=K|Z3)X*wacYRTi1u`^ba>AO*&w(-KazuQ%gfpl9E)1&9MxK$!zLRpmP$pmPt
z61!2(kj1nR&M)t0u9p&5Tvd7DL&%~&0uD~U(YzFc&e!q7x$|^A{JD;e(Vup)yn0gK
z!uyBn8R}yoh9cXtk?dX)iS-lmj5ZsT9b=#gQlh7!8OTs@fFq3w`%n?Mz;2HYTm-p!
I+Q>za_#~>DQ2+n{
diff --git a/SPECS/gnutls.spec b/SPECS/gnutls.spec
index 3a28df8..9ec2d80 100644
--- a/SPECS/gnutls.spec
+++ b/SPECS/gnutls.spec
@@ -1,21 +1,14 @@
-Version: 3.6.8
-Release: 11%{?dist}
+Version: 3.6.14
+Release: 6%{?dist}
 Patch1: gnutls-3.2.7-rpath.patch
 Patch2: gnutls-3.6.4-no-now-guile.patch
-Patch3: gnutls-3.6.5-fix-fips-signature-post.patch
-Patch4: gnutls-3.6.8-fips-aes-cbc-kat.patch
-Patch5: gnutls-3.6.8-multiple-key-updates.patch
-Patch6: gnutls-3.6.8-fips-rng-continuous.patch
-Patch7: gnutls-3.6.8-session-ticket-ub.patch
-Patch8: gnutls-3.6.8-pkcs11-login-error.patch
-Patch9: gnutls-3.6.8-fips-deterministic-ecdsa.patch
-Patch10: gnutls-3.6.8-aead-cipher-encryptv2.patch
-Patch11: gnutls-3.6.8-fips-rsa-random-selftests.patch
-Patch12: gnutls-3.6.8-decr-len.patch
-Patch13: gnutls-3.6.8-fix-aead-cipher-encryptv2.patch
-Patch14: gnutls-3.6.8-fix-cfb8-decrypt.patch
-Patch15: gnutls-3.6.12-dtls-random.patch
-Patch16: gnutls-3.6.14-totp-init.patch
+Patch3: gnutls-3.6.13-enable-intel-cet.patch
+Patch4: gnutls-3.6.14-autogen-int.patch
+Patch5: gnutls-3.6.14-fips-mode-check.patch
+Patch6: gnutls-3.6.14-fips-dh-primes.patch
+Patch7: gnutls-3.6.14-memcmp.patch
+Patch8: gnutls-3.6.14-fips-dh-check.patch
+Patch9: gnutls-3.6.14-fix-iovec-memory-leak.patch
 %bcond_without dane
 %if 0%{?rhel}
 %bcond_with guile
@@ -61,7 +54,7 @@ BuildRequires: guile-devel
 URL: http://www.gnutls.org/
 Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz
 Source1: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz.sig
-Source2: gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
+Source2: gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg
 # Wildcard bundling exception https://fedorahosted.org/fpc/ticket/174
 Provides: bundled(gnulib) = 20130424
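Review bot: The upstream release-signing key referenced by Source2 changes from gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg to gpgkey-462225C3B46F34879FC8496CD605848ED7E69871.gpg, and nothing in this hunk or in the changelog entries of the following hunk records why the key rotated or where the new fingerprint was cross-checked. Because the detached signature in Source1 is only as trustworthy as the key it is verified against, a key swap deserves an audit trail in the spec itself, for example a comment above Source2: `# Upstream release-signing key; fingerprint cross-checked against <UPSTREAM-KEY-ANNOUNCEMENT> on <DATE>`. Whether %prep actually runs a gpg verification of Source1 against Source2 lies outside this hunk, so that cannot be confirmed here.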
@@ -299,11 +292,35 @@ fi
 %endif
 %changelog
-* Mon Jun 8 2020 Daiki Ueno - 3.6.8-11
-- Fix CVE-2020-13777 (#1844147)
+* Mon Aug 24 2020 Daiki Ueno - 3.6.14-6
+- Fix memory leak when serializing iovec_t (#1844112)
+
+* Sat Jul 18 2020 Daiki Ueno - 3.6.14-5
+- Perform validation checks on (EC)DH public keys and share secrets (#1855803)
+
+* Mon Jun 29 2020 Daiki Ueno - 3.6.14-4
+- Tighten FIPS DH primes check according to SP800-56A (rev 3) (#1849079)
+
+* Fri Jun 5 2020 Daiki Ueno - 3.6.14-3
+- Update gnutls-3.6.14-fips-mode-check.patch
+
+* Thu Jun 4 2020 Daiki Ueno - 3.6.14-2
+- Return false from gnutls_fips140_mode_enabled() if selftests failed (#1827687)
+
+* Thu Jun 4 2020 Daiki Ueno - 3.6.14-1
+- Update to upstream 3.6.14 release
+
+* Mon May 25 2020 Anderson Sasaki - 3.6.13-3
+- Add an option to gnutls-cli to wait for resumption under TLS 1.3 (#1677754)
+
+* Wed May 20 2020 Anderson Sasaki - 3.6.13-2
+- Enable Intel CET (#1838476)
+
+* Tue May 5 2020 Daiki Ueno - 3.6.13-1
+- Update to upstream 3.6.13 release
 * Tue Apr 21 2020 Daiki Ueno - 3.6.8-10
-- Fix CVE-2020-11501 (#1826176)
+- Fix CVE-2020-11501 (#1822005)
 * Wed Nov 6 2019 Daiki Ueno - 3.6.8-9
 - Fix CFB8 decryption when repeatedly called (#1757848)