static int print_bin(BIO *fp, const char *name, const unsigned char *buf,
size_t len, int off)
{
size_t i;
char str[128];
if (buf == NULL)
return 1;
if (off) {
if (off > 128)
off = 128;
sgx_memset(str, ' ', off);
if (BIO_write(fp, str, off) <= 0)
return 0;
}
if (BIO_printf(fp, "%s", name) <= 0)
return 0;
for (i = 0; i < len; i++) {
if ((i % 15) == 0) {
str[0] = '\n';
sgx_memset(&(str[1]), ' ', off + 4);
if (BIO_write(fp, str, off + 1 + 4) <= 0)
return 0;
}
if (BIO_printf(fp, "%02x%s", buf[i], ((i + 1) == len) ? "" : ":") <=
0)
return 0;
}
if (BIO_write(fp, "\n", 1) <= 0)
return 0;
return 1;
}
int des_read_pw(char *buf, char *buff, int size, const char *prompt,
int verify)
{
sgx_memset(buf, 0, size);
sgx_memset(buff, 0, size);
return (0);
}
int BUF_MEM_grow(BUF_MEM *str, size_t len)
{
char *ret;
size_t n;
if (str->length >= len) {
str->length = len;
return (len);
}
if (str->max >= len) {
sgx_memset(&str->data[str->length], 0, len - str->length);
str->length = len;
return (len);
}
/* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
if (len > LIMIT_BEFORE_EXPANSION) {
BUFerr(BUF_F_BUF_MEM_GROW, ERR_R_MALLOC_FAILURE);
return 0;
}
n = (len + 3) / 3 * 4;
if (str->data == NULL)
ret = OPENSSL_malloc(n);
else
ret = OPENSSL_realloc(str->data, n);
if (ret == NULL) {
BUFerr(BUF_F_BUF_MEM_GROW, ERR_R_MALLOC_FAILURE);
len = 0;
} else {
str->data = ret;
str->max = n;
sgx_memset(&str->data[str->length], 0, len - str->length);
str->length = len;
}
return (len);
}
int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
const EVP_CIPHER *cipher, ENGINE *impl)
{
static unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH];
#ifdef OPENSSL_FIPS
if (FIPS_mode()) {
/* If we have an ENGINE need to allow non FIPS */
if ((impl || ctx->cctx.engine)
&& !(ctx->cctx.flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
return 0;
}
/*
* Other algorithm blocking will be done in FIPS_cmac_init, via
* FIPS_cipherinit().
*/
if (!impl && !ctx->cctx.engine)
return FIPS_cmac_init(ctx, key, keylen, cipher, NULL);
}
#endif
/* All zeros means restart */
if (!key && !cipher && !impl && keylen == 0) {
/* Not initialised */
if (ctx->nlast_block == -1)
return 0;
if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
return 0;
sgx_memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(&ctx->cctx));
ctx->nlast_block = 0;
return 1;
}
/* Initialiase context */
if (cipher && !EVP_EncryptInit_ex(&ctx->cctx, cipher, impl, NULL, NULL))
return 0;
/* Non-NULL key means initialisation complete */
if (key) {
int bl;
if (!EVP_CIPHER_CTX_cipher(&ctx->cctx))
return 0;
if (!EVP_CIPHER_CTX_set_key_length(&ctx->cctx, keylen))
return 0;
if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, key, zero_iv))
return 0;
bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
if (!EVP_Cipher(&ctx->cctx, ctx->tbl, zero_iv, bl))
return 0;
make_kn(ctx->k1, ctx->tbl, bl);
make_kn(ctx->k2, ctx->k1, bl);
OPENSSL_cleanse(ctx->tbl, bl);
/* Reset context again ready for first data block */
if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
return 0;
/* Zero tbl so resume works */
sgx_memset(ctx->tbl, 0, bl);
ctx->nlast_block = 0;
}
return 1;
}
static BIGNUM *srp_Calc_k(BIGNUM *N, BIGNUM *g)
{
/* k = SHA1(N | PAD(g)) -- tls-srp draft 8 */
unsigned char digest[SHA_DIGEST_LENGTH];
unsigned char *tmp;
EVP_MD_CTX ctxt;
int longg;
int longN = BN_num_bytes(N);
if (BN_ucmp(g, N) >= 0)
return NULL;
if ((tmp = OPENSSL_malloc(longN)) == NULL)
return NULL;
BN_bn2bin(N, tmp);
EVP_MD_CTX_init(&ctxt);
EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL);
EVP_DigestUpdate(&ctxt, tmp, longN);
sgx_memset(tmp, 0, longN);
longg = BN_bn2bin(g, tmp);
/* use the zeros behind to pad on left */
EVP_DigestUpdate(&ctxt, tmp + longg, longN - longg);
EVP_DigestUpdate(&ctxt, tmp, longg);
OPENSSL_free(tmp);
EVP_DigestFinal_ex(&ctxt, digest, NULL);
EVP_MD_CTX_cleanup(&ctxt);
return BN_bin2bn(digest, sizeof(digest), NULL);
}
int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
{
int i, bl, lb;
#ifdef OPENSSL_FIPS
if (FIPS_mode() && !ctx->cctx.engine)
return FIPS_cmac_final(ctx, out, poutlen);
#endif
if (ctx->nlast_block == -1)
return 0;
bl = EVP_CIPHER_CTX_block_size(&ctx->cctx);
*poutlen = (size_t)bl;
if (!out)
return 1;
lb = ctx->nlast_block;
/* Is last block complete? */
if (lb == bl) {
for (i = 0; i < bl; i++)
out[i] = ctx->last_block[i] ^ ctx->k1[i];
} else {
ctx->last_block[lb] = 0x80;
if (bl - lb > 1)
sgx_memset(ctx->last_block + lb + 1, 0, bl - lb - 1);
for (i = 0; i < bl; i++)
out[i] = ctx->last_block[i] ^ ctx->k2[i];
}
if (!EVP_Cipher(&ctx->cctx, out, out, bl)) {
OPENSSL_cleanse(out, bl);
return 0;
}
return 1;
}
static void pushsig(void)
{
int i;
# ifdef SIGACTION
struct sigaction sa;
sgx_memset(&sa, 0, sizeof sa);
sa.sa_handler = recsig;
# endif
for (i = 1; i < NX509_SIG; i++) {
# ifdef SIGUSR1
if (i == SIGUSR1)
continue;
# endif
# ifdef SIGUSR2
if (i == SIGUSR2)
continue;
# endif
# ifdef SIGACTION
sigaction(i, &sa, &savsig[i]);
# else
savsig[i] = signal(i, recsig);
# endif
}
# ifdef SIGWINCH
signal(SIGWINCH, SIG_DFL);
# endif
}
static char *sstrsep(char **string, const char *delim)
{
char isdelim[256];
char *token = *string;
if (**string == 0)
return NULL;
sgx_memset(isdelim, 0, 256);
isdelim[0] = 1;
while (*delim) {
isdelim[(unsigned char)(*delim)] = 1;
delim++;
}
while (!isdelim[(unsigned char)(**string)]) {
(*string)++;
}
if (**string) {
**string = 0;
(*string)++;
}
return token;
}
void OPENSSL_cpuid_setup(void)
{
sigset_t oset;
struct sigaction ill_act, oact;
if (OPENSSL_s390xcap_P[0])
return;
OPENSSL_s390xcap_P[0] = 1UL << (8 * sizeof(unsigned long) - 1);
sgx_memset(&ill_act, 0, sizeof(ill_act));
ill_act.sa_handler = ill_handler;
sigfillset(&ill_act.sa_mask);
sigdelset(&ill_act.sa_mask, SIGILL);
sigdelset(&ill_act.sa_mask, SIGTRAP);
sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
sigaction(SIGILL, &ill_act, &oact);
/* protection against missing store-facility-list-extended */
if (sigsetjmp(ill_jmp, 1) == 0)
OPENSSL_s390x_facilities();
sigaction(SIGILL, &oact, NULL);
sigprocmask(SIG_SETMASK, &oset, NULL);
}
void sk_zero(_STACK *st)
{
if (st == NULL)
return;
if (st->num <= 0)
return;
sgx_memset((char *)st->data, 0, sizeof(st->data) * st->num);
st->num = 0;
}
X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
{
X509_VERIFY_PARAM *param;
X509_VERIFY_PARAM_ID *paramid;
param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
if (!param)
return NULL;
paramid = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM));
if (!paramid) {
OPENSSL_free(param);
return NULL;
}
sgx_memset(param, 0, sizeof(X509_VERIFY_PARAM));
sgx_memset(paramid, 0, sizeof(X509_VERIFY_PARAM_ID));
param->id = paramid;
x509_verify_param_zero(param);
return param;
}
TS_VERIFY_CTX *TS_VERIFY_CTX_new(void)
{
TS_VERIFY_CTX *ctx =
(TS_VERIFY_CTX *)OPENSSL_malloc(sizeof(TS_VERIFY_CTX));
if (ctx)
sgx_memset(ctx, 0, sizeof(TS_VERIFY_CTX));
else
TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE);
return ctx;
}
void BUF_MEM_free(BUF_MEM *a)
{
if (a == NULL)
return;
if (a->data != NULL) {
sgx_memset(a->data, 0, (unsigned int)a->max);
OPENSSL_free(a->data);
}
OPENSSL_free(a);
}
static BIO_ACCEPT *BIO_ACCEPT_new(void)
{
BIO_ACCEPT *ret;
if ((ret = (BIO_ACCEPT *)OPENSSL_malloc(sizeof(BIO_ACCEPT))) == NULL)
return (NULL);
sgx_memset(ret, 0, sizeof(BIO_ACCEPT));
ret->accept_sock = INVALID_SOCKET;
ret->bind_mode = BIO_BIND_NORMAL;
return (ret);
}
int RSA_padding_check_none(unsigned char *to, int tlen,
const unsigned char *from, int flen, int num)
{
if (flen > tlen) {
RSAerr(RSA_F_RSA_PADDING_CHECK_NONE, RSA_R_DATA_TOO_LARGE);
return (-1);
}
sgx_memset(to, 0, tlen - flen);
sgx_memcpy(to + tlen - flen, from, flen);
return (tlen);
}
fips_md_init_ctx(SHA224, SHA256)
{
sgx_memset(c, 0, sizeof(*c));
c->h[0] = 0xc1059ed8UL;
c->h[1] = 0x367cd507UL;
c->h[2] = 0x3070dd17UL;
c->h[3] = 0xf70e5939UL;
c->h[4] = 0xffc00b31UL;
c->h[5] = 0x68581511UL;
c->h[6] = 0x64f98fa7UL;
c->h[7] = 0xbefa4fa4UL;
c->md_len = SHA224_DIGEST_LENGTH;
return 1;
}
int sgx_md_init_ctx( md_context_t *ctx, const md_info_t *md_info )
{
if( md_info == NULL || ctx == NULL )
return( POLARSSL_ERR_MD_BAD_INPUT_DATA );
sgx_memset( ctx, 0, sizeof( md_context_t ) );
if( ( ctx->md_ctx = md_info->ctx_alloc_func() ) == NULL )
return( POLARSSL_ERR_MD_ALLOC_FAILED );
ctx->md_info = md_info;
md_info->starts_func( ctx->md_ctx );
return( 0 );
}
/* Internal functions to handle signals and act on them */
static void pushsig(void)
{
# ifndef OPENSSL_SYS_WIN32
int i;
# endif
# ifdef SIGACTION
struct sigaction sa;
sgx_memset(&sa, 0, sizeof sa);
sa.sa_handler = recsig;
# endif
# ifdef OPENSSL_SYS_WIN32
savsig[SIGABRT] = signal(SIGABRT, recsig);
savsig[SIGFPE] = signal(SIGFPE, recsig);
savsig[SIGILL] = signal(SIGILL, recsig);
savsig[SIGINT] = signal(SIGINT, recsig);
savsig[SIGSEGV] = signal(SIGSEGV, recsig);
savsig[SIGTERM] = signal(SIGTERM, recsig);
# else
for (i = 1; i < NX509_SIG; i++) {
# ifdef SIGUSR1
if (i == SIGUSR1)
continue;
# endif
# ifdef SIGUSR2
if (i == SIGUSR2)
continue;
# endif
# ifdef SIGKILL
if (i == SIGKILL) /* We can't make any action on that. */
continue;
# endif
# ifdef SIGACTION
sigaction(i, &sa, &savsig[i]);
# else
savsig[i] = signal(i, recsig);
# endif
}
# endif
# ifdef SIGWINCH
signal(SIGWINCH, SIG_DFL);
# endif
}
static void JPAKE_CTX_release(JPAKE_CTX *ctx)
{
BN_CTX_free(ctx->ctx);
BN_clear_free(ctx->key);
BN_clear_free(ctx->xb);
BN_clear_free(ctx->xa);
BN_free(ctx->p.gxd);
BN_free(ctx->p.gxc);
BN_clear_free(ctx->secret);
BN_free(ctx->p.q);
BN_free(ctx->p.g);
BN_free(ctx->p.p);
OPENSSL_free(ctx->p.peer_name);
OPENSSL_free(ctx->p.name);
sgx_memset(ctx, '\0', sizeof *ctx);
}
static int aesni_cbc_hmac_sha256_init_key(EVP_CIPHER_CTX *ctx,
const unsigned char *inkey,
const unsigned char *iv, int enc)
{
EVP_AES_HMAC_SHA256 *key = data(ctx);
int ret;
if (enc)
sgx_memset(&key->ks, 0, sizeof(key->ks.rd_key)),
ret = aesni_set_encrypt_key(inkey, ctx->key_len * 8, &key->ks);
else
ret = aesni_set_decrypt_key(inkey, ctx->key_len * 8, &key->ks);
SHA256_Init(&key->head); /* handy when benchmarking */
key->tail = key->head;
key->md = key->head;
key->payload_length = NO_PAYLOAD_LENGTH;
return ret < 0 ? 0 : 1;
}
BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
{
BN_BLINDING *ret = NULL;
bn_check_top(mod);
if ((ret = (BN_BLINDING *)OPENSSL_malloc(sizeof(BN_BLINDING))) == NULL) {
BNerr(BN_F_BN_BLINDING_NEW, ERR_R_MALLOC_FAILURE);
return (NULL);
}
sgx_memset(ret, 0, sizeof(BN_BLINDING));
if (A != NULL) {
if ((ret->A = BN_dup(A)) == NULL)
goto err;
}
if (Ai != NULL) {
if ((ret->Ai = BN_dup(Ai)) == NULL)
goto err;
}
/* save a copy of mod in the BN_BLINDING structure */
if ((ret->mod = BN_dup(mod)) == NULL)
goto err;
if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
/*
* Set the counter to the special value -1 to indicate that this is
* never-used fresh blinding that does not need updating before first
* use.
*/
ret->counter = -1;
CRYPTO_THREADID_current(&ret->tid);
return (ret);
err:
if (ret != NULL)
BN_BLINDING_free(ret);
return (NULL);
}
/*
* These next 2 functions from Goetz Babin-Ebell <*****@*****.**>
*/
int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
{
int w, v, iv;
unsigned char *c;
w = n / 8;
v = 1 << (7 - (n & 0x07));
iv = ~v;
if (!value)
v = 0;
if (a == NULL)
return 0;
a->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear, set on write */
if ((a->length < (w + 1)) || (a->data == NULL)) {
if (!value)
return (1); /* Don't need to set */
if (a->data == NULL)
c = (unsigned char *)OPENSSL_malloc(w + 1);
else
c = (unsigned char *)OPENSSL_realloc_clean(a->data,
a->length, w + 1);
if (c == NULL) {
ASN1err(ASN1_F_ASN1_BIT_STRING_SET_BIT, ERR_R_MALLOC_FAILURE);
return 0;
}
if (w + 1 - a->length > 0)
sgx_memset(c + a->length, 0, w + 1 - a->length);
a->data = c;
a->length = w + 1;
}
a->data[w] = ((a->data[w]) & iv) | v;
while ((a->length > 0) && (a->data[a->length - 1] == 0))
a->length--;
return (1);
}
BIGNUM *SRP_Calc_u(BIGNUM *A, BIGNUM *B, BIGNUM *N)
{
/* k = SHA1(PAD(A) || PAD(B) ) -- tls-srp draft 8 */
BIGNUM *u;
unsigned char cu[SHA_DIGEST_LENGTH];
unsigned char *cAB;
EVP_MD_CTX ctxt;
int longN;
if ((A == NULL) || (B == NULL) || (N == NULL))
return NULL;
if (BN_ucmp(A, N) >= 0 || BN_ucmp(B, N) >= 0)
return NULL;
longN = BN_num_bytes(N);
if ((cAB = OPENSSL_malloc(2 * longN)) == NULL)
return NULL;
sgx_memset(cAB, 0, longN);
EVP_MD_CTX_init(&ctxt);
EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL);
EVP_DigestUpdate(&ctxt, cAB + BN_bn2bin(A, cAB + longN), longN);
EVP_DigestUpdate(&ctxt, cAB + BN_bn2bin(B, cAB + longN), longN);
OPENSSL_free(cAB);
EVP_DigestFinal_ex(&ctxt, cu, NULL);
EVP_MD_CTX_cleanup(&ctxt);
if (!(u = BN_bin2bn(cu, sizeof(cu), NULL)))
return NULL;
if (!BN_is_zero(u))
return u;
BN_free(u);
return NULL;
}
static size_t tls1_1_multi_block_encrypt(EVP_AES_HMAC_SHA256 *key,
unsigned char *out,
const unsigned char *inp,
size_t inp_len, int n4x)
{ /* n4x is 1 or 2 */
HASH_DESC hash_d[8], edges[8];
CIPH_DESC ciph_d[8];
unsigned char storage[sizeof(SHA256_MB_CTX) + 32];
union {
u64 q[16];
u32 d[32];
u8 c[128];
} blocks[8];
SHA256_MB_CTX *ctx;
unsigned int frag, last, packlen, i, x4 = 4 * n4x, minblocks, processed =
0;
size_t ret = 0;
u8 *IVs;
# if defined(BSWAP8)
u64 seqnum;
# endif
/* ask for IVs in bulk */
if (RAND_bytes((IVs = blocks[0].c), 16 * x4) <= 0)
return 0;
/* align */
ctx = (SHA256_MB_CTX *) (storage + 32 - ((size_t)storage % 32));
frag = (unsigned int)inp_len >> (1 + n4x);
last = (unsigned int)inp_len + frag - (frag << (1 + n4x));
if (last > frag && ((last + 13 + 9) % 64) < (x4 - 1)) {
frag++;
last -= x4 - 1;
}
packlen = 5 + 16 + ((frag + 32 + 16) & -16);
/* populate descriptors with pointers and IVs */
hash_d[0].ptr = inp;
ciph_d[0].inp = inp;
/* 5+16 is place for header and explicit IV */
ciph_d[0].out = out + 5 + 16;
memcpy(ciph_d[0].out - 16, IVs, 16);
memcpy(ciph_d[0].iv, IVs, 16);
IVs += 16;
for (i = 1; i < x4; i++) {
ciph_d[i].inp = hash_d[i].ptr = hash_d[i - 1].ptr + frag;
ciph_d[i].out = ciph_d[i - 1].out + packlen;
memcpy(ciph_d[i].out - 16, IVs, 16);
memcpy(ciph_d[i].iv, IVs, 16);
IVs += 16;
}
# if defined(BSWAP8)
memcpy(blocks[0].c, key->md.data, 8);
seqnum = BSWAP8(blocks[0].q[0]);
# endif
for (i = 0; i < x4; i++) {
unsigned int len = (i == (x4 - 1) ? last : frag);
# if !defined(BSWAP8)
unsigned int carry, j;
# endif
ctx->A[i] = key->md.h[0];
ctx->B[i] = key->md.h[1];
ctx->C[i] = key->md.h[2];
ctx->D[i] = key->md.h[3];
ctx->E[i] = key->md.h[4];
ctx->F[i] = key->md.h[5];
ctx->G[i] = key->md.h[6];
ctx->H[i] = key->md.h[7];
/* fix seqnum */
# if defined(BSWAP8)
blocks[i].q[0] = BSWAP8(seqnum + i);
# else
for (carry = i, j = 8; j--;) {
blocks[i].c[j] = ((u8 *)key->md.data)[j] + carry;
carry = (blocks[i].c[j] - carry) >> (sizeof(carry) * 8 - 1);
}
# endif
blocks[i].c[8] = ((u8 *)key->md.data)[8];
blocks[i].c[9] = ((u8 *)key->md.data)[9];
blocks[i].c[10] = ((u8 *)key->md.data)[10];
/* fix length */
blocks[i].c[11] = (u8)(len >> 8);
blocks[i].c[12] = (u8)(len);
memcpy(blocks[i].c + 13, hash_d[i].ptr, 64 - 13);
hash_d[i].ptr += 64 - 13;
hash_d[i].blocks = (len - (64 - 13)) / 64;
edges[i].ptr = blocks[i].c;
edges[i].blocks = 1;
}
/* hash 13-byte headers and first 64-13 bytes of inputs */
sha256_multi_block(ctx, edges, n4x);
/* hash bulk inputs */
# define MAXCHUNKSIZE 2048
# if MAXCHUNKSIZE%64
# error "MAXCHUNKSIZE is not divisible by 64"
# elif MAXCHUNKSIZE
/*
* goal is to minimize pressure on L1 cache by moving in shorter steps,
* so that hashed data is still in the cache by the time we encrypt it
*/
minblocks = ((frag <= last ? frag : last) - (64 - 13)) / 64;
if (minblocks > MAXCHUNKSIZE / 64) {
for (i = 0; i < x4; i++) {
edges[i].ptr = hash_d[i].ptr;
edges[i].blocks = MAXCHUNKSIZE / 64;
ciph_d[i].blocks = MAXCHUNKSIZE / 16;
}
do {
sha256_multi_block(ctx, edges, n4x);
aesni_multi_cbc_encrypt(ciph_d, &key->ks, n4x);
for (i = 0; i < x4; i++) {
edges[i].ptr = hash_d[i].ptr += MAXCHUNKSIZE;
hash_d[i].blocks -= MAXCHUNKSIZE / 64;
edges[i].blocks = MAXCHUNKSIZE / 64;
ciph_d[i].inp += MAXCHUNKSIZE;
ciph_d[i].out += MAXCHUNKSIZE;
ciph_d[i].blocks = MAXCHUNKSIZE / 16;
memcpy(ciph_d[i].iv, ciph_d[i].out - 16, 16);
}
processed += MAXCHUNKSIZE;
minblocks -= MAXCHUNKSIZE / 64;
} while (minblocks > MAXCHUNKSIZE / 64);
}
# endif
# undef MAXCHUNKSIZE
sha256_multi_block(ctx, hash_d, n4x);
sgx_memset(blocks, 0, sizeof(blocks));
for (i = 0; i < x4; i++) {
unsigned int len = (i == (x4 - 1) ? last : frag),
off = hash_d[i].blocks * 64;
const unsigned char *ptr = hash_d[i].ptr + off;
off = (len - processed) - (64 - 13) - off; /* remainder actually */
memcpy(blocks[i].c, ptr, off);
blocks[i].c[off] = 0x80;
len += 64 + 13; /* 64 is HMAC header */
len *= 8; /* convert to bits */
if (off < (64 - 8)) {
# ifdef BSWAP4
blocks[i].d[15] = BSWAP4(len);
# else
PUTU32(blocks[i].c + 60, len);
# endif
edges[i].blocks = 1;
} else {
# ifdef BSWAP4
blocks[i].d[31] = BSWAP4(len);
# else
PUTU32(blocks[i].c + 124, len);
# endif
edges[i].blocks = 2;
}
edges[i].ptr = blocks[i].c;
}
/* hash input tails and finalize */
sha256_multi_block(ctx, edges, n4x);
sgx_memset(blocks, 0, sizeof(blocks));
for (i = 0; i < x4; i++) {
# ifdef BSWAP4
blocks[i].d[0] = BSWAP4(ctx->A[i]);
ctx->A[i] = key->tail.h[0];
blocks[i].d[1] = BSWAP4(ctx->B[i]);
ctx->B[i] = key->tail.h[1];
blocks[i].d[2] = BSWAP4(ctx->C[i]);
ctx->C[i] = key->tail.h[2];
blocks[i].d[3] = BSWAP4(ctx->D[i]);
ctx->D[i] = key->tail.h[3];
blocks[i].d[4] = BSWAP4(ctx->E[i]);
ctx->E[i] = key->tail.h[4];
blocks[i].d[5] = BSWAP4(ctx->F[i]);
ctx->F[i] = key->tail.h[5];
blocks[i].d[6] = BSWAP4(ctx->G[i]);
ctx->G[i] = key->tail.h[6];
blocks[i].d[7] = BSWAP4(ctx->H[i]);
ctx->H[i] = key->tail.h[7];
blocks[i].c[32] = 0x80;
blocks[i].d[15] = BSWAP4((64 + 32) * 8);
# else
PUTU32(blocks[i].c + 0, ctx->A[i]);
ctx->A[i] = key->tail.h[0];
PUTU32(blocks[i].c + 4, ctx->B[i]);
ctx->B[i] = key->tail.h[1];
PUTU32(blocks[i].c + 8, ctx->C[i]);
ctx->C[i] = key->tail.h[2];
PUTU32(blocks[i].c + 12, ctx->D[i]);
ctx->D[i] = key->tail.h[3];
PUTU32(blocks[i].c + 16, ctx->E[i]);
ctx->E[i] = key->tail.h[4];
PUTU32(blocks[i].c + 20, ctx->F[i]);
ctx->F[i] = key->tail.h[5];
PUTU32(blocks[i].c + 24, ctx->G[i]);
ctx->G[i] = key->tail.h[6];
PUTU32(blocks[i].c + 28, ctx->H[i]);
ctx->H[i] = key->tail.h[7];
blocks[i].c[32] = 0x80;
PUTU32(blocks[i].c + 60, (64 + 32) * 8);
# endif
edges[i].ptr = blocks[i].c;
edges[i].blocks = 1;
}
/* finalize MACs */
sha256_multi_block(ctx, edges, n4x);
for (i = 0; i < x4; i++) {
unsigned int len = (i == (x4 - 1) ? last : frag), pad, j;
unsigned char *out0 = out;
memcpy(ciph_d[i].out, ciph_d[i].inp, len - processed);
ciph_d[i].inp = ciph_d[i].out;
out += 5 + 16 + len;
/* write MAC */
PUTU32(out + 0, ctx->A[i]);
PUTU32(out + 4, ctx->B[i]);
PUTU32(out + 8, ctx->C[i]);
PUTU32(out + 12, ctx->D[i]);
PUTU32(out + 16, ctx->E[i]);
PUTU32(out + 20, ctx->F[i]);
PUTU32(out + 24, ctx->G[i]);
PUTU32(out + 28, ctx->H[i]);
out += 32;
len += 32;
/* pad */
pad = 15 - len % 16;
for (j = 0; j <= pad; j++)
*(out++) = pad;
len += pad + 1;
ciph_d[i].blocks = (len - processed) / 16;
len += 16; /* account for explicit iv */
/* arrange header */
out0[0] = ((u8 *)key->md.data)[8];
out0[1] = ((u8 *)key->md.data)[9];
out0[2] = ((u8 *)key->md.data)[10];
out0[3] = (u8)(len >> 8);
out0[4] = (u8)(len);
ret += len + 5;
inp += frag;
}
aesni_multi_cbc_encrypt(ciph_d, &key->ks, n4x);
OPENSSL_cleanse(blocks, sizeof(blocks));
OPENSSL_cleanse(ctx, sizeof(*ctx));
return ret;
}
void sgx_md_init( md_context_t *ctx )
{
sgx_memset( ctx, 0, sizeof( md_context_t ) );
}
static int test(void)
{
unsigned char cbc_in[40], cbc_out[40], iv[8];
int i, n, err = 0;
BF_KEY key;
BF_LONG data[2];
unsigned char out[8];
BF_LONG len;
# ifdef CHARSET_EBCDIC
ebcdic2ascii(cbc_data, cbc_data, strlen(cbc_data));
# endif
printf("testing blowfish in raw ecb mode\n");
for (n = 0; n < 2; n++) {
# ifdef CHARSET_EBCDIC
ebcdic2ascii(bf_key[n], bf_key[n], strlen(bf_key[n]));
# endif
BF_set_key(&key, strlen(bf_key[n]), (unsigned char *)bf_key[n]);
data[0] = bf_plain[n][0];
data[1] = bf_plain[n][1];
BF_encrypt(data, &key);
if (memcmp(&(bf_cipher[n][0]), &(data[0]), 8) != 0) {
printf("BF_encrypt error encrypting\n");
printf("got :");
for (i = 0; i < 2; i++)
printf("%08lX ", (unsigned long)data[i]);
printf("\n");
printf("expected:");
for (i = 0; i < 2; i++)
printf("%08lX ", (unsigned long)bf_cipher[n][i]);
err = 1;
printf("\n");
}
BF_decrypt(&(data[0]), &key);
if (memcmp(&(bf_plain[n][0]), &(data[0]), 8) != 0) {
printf("BF_encrypt error decrypting\n");
printf("got :");
for (i = 0; i < 2; i++)
printf("%08lX ", (unsigned long)data[i]);
printf("\n");
printf("expected:");
for (i = 0; i < 2; i++)
printf("%08lX ", (unsigned long)bf_plain[n][i]);
printf("\n");
err = 1;
}
}
printf("testing blowfish in ecb mode\n");
for (n = 0; n < NUM_TESTS; n++) {
BF_set_key(&key, 8, ecb_data[n]);
BF_ecb_encrypt(&(plain_data[n][0]), out, &key, BF_ENCRYPT);
if (memcmp(&(cipher_data[n][0]), out, 8) != 0) {
printf("BF_ecb_encrypt blowfish error encrypting\n");
printf("got :");
for (i = 0; i < 8; i++)
printf("%02X ", out[i]);
printf("\n");
printf("expected:");
for (i = 0; i < 8; i++)
printf("%02X ", cipher_data[n][i]);
err = 1;
printf("\n");
}
BF_ecb_encrypt(out, out, &key, BF_DECRYPT);
if (memcmp(&(plain_data[n][0]), out, 8) != 0) {
printf("BF_ecb_encrypt error decrypting\n");
printf("got :");
for (i = 0; i < 8; i++)
printf("%02X ", out[i]);
printf("\n");
printf("expected:");
for (i = 0; i < 8; i++)
printf("%02X ", plain_data[n][i]);
printf("\n");
err = 1;
}
}
printf("testing blowfish set_key\n");
for (n = 1; n < KEY_TEST_NUM; n++) {
BF_set_key(&key, n, key_test);
BF_ecb_encrypt(key_data, out, &key, BF_ENCRYPT);
/* mips-sgi-irix6.5-gcc vv -mabi=64 bug workaround */
if (memcmp(out, &(key_out[i = n - 1][0]), 8) != 0) {
printf("blowfish setkey error\n");
err = 1;
}
}
printf("testing blowfish in cbc mode\n");
len = strlen(cbc_data) + 1;
BF_set_key(&key, 16, cbc_key);
sgx_memset(cbc_in, 0, sizeof cbc_in);
sgx_memset(cbc_out, 0, sizeof cbc_out);
memcpy(iv, cbc_iv, sizeof iv);
BF_cbc_encrypt((unsigned char *)cbc_data, cbc_out, len,
&key, iv, BF_ENCRYPT);
if (memcmp(cbc_out, cbc_ok, 32) != 0) {
err = 1;
printf("BF_cbc_encrypt encrypt error\n");
for (i = 0; i < 32; i++)
printf("0x%02X,", cbc_out[i]);
}
memcpy(iv, cbc_iv, 8);
BF_cbc_encrypt(cbc_out, cbc_in, len, &key, iv, BF_DECRYPT);
if (memcmp(cbc_in, cbc_data, strlen(cbc_data) + 1) != 0) {
printf("BF_cbc_encrypt decrypt error\n");
err = 1;
}
printf("testing blowfish in cfb64 mode\n");
BF_set_key(&key, 16, cbc_key);
sgx_memset(cbc_in, 0, 40);
sgx_memset(cbc_out, 0, 40);
memcpy(iv, cbc_iv, 8);
n = 0;
BF_cfb64_encrypt((unsigned char *)cbc_data, cbc_out, (long)13,
&key, iv, &n, BF_ENCRYPT);
BF_cfb64_encrypt((unsigned char *)&(cbc_data[13]), &(cbc_out[13]),
len - 13, &key, iv, &n, BF_ENCRYPT);
if (memcmp(cbc_out, cfb64_ok, (int)len) != 0) {
err = 1;
printf("BF_cfb64_encrypt encrypt error\n");
for (i = 0; i < (int)len; i++)
printf("0x%02X,", cbc_out[i]);
}
n = 0;
memcpy(iv, cbc_iv, 8);
BF_cfb64_encrypt(cbc_out, cbc_in, 17, &key, iv, &n, BF_DECRYPT);
BF_cfb64_encrypt(&(cbc_out[17]), &(cbc_in[17]), len - 17,
&key, iv, &n, BF_DECRYPT);
if (memcmp(cbc_in, cbc_data, (int)len) != 0) {
printf("BF_cfb64_encrypt decrypt error\n");
err = 1;
}
printf("testing blowfish in ofb64\n");
BF_set_key(&key, 16, cbc_key);
sgx_memset(cbc_in, 0, 40);
sgx_memset(cbc_out, 0, 40);
memcpy(iv, cbc_iv, 8);
n = 0;
BF_ofb64_encrypt((unsigned char *)cbc_data, cbc_out, (long)13, &key, iv,
&n);
BF_ofb64_encrypt((unsigned char *)&(cbc_data[13]), &(cbc_out[13]),
len - 13, &key, iv, &n);
if (memcmp(cbc_out, ofb64_ok, (int)len) != 0) {
err = 1;
printf("BF_ofb64_encrypt encrypt error\n");
for (i = 0; i < (int)len; i++)
printf("0x%02X,", cbc_out[i]);
}
n = 0;
memcpy(iv, cbc_iv, 8);
BF_ofb64_encrypt(cbc_out, cbc_in, 17, &key, iv, &n);
BF_ofb64_encrypt(&(cbc_out[17]), &(cbc_in[17]), len - 17, &key, iv, &n);
if (memcmp(cbc_in, cbc_data, (int)len) != 0) {
printf("BF_ofb64_encrypt decrypt error\n");
err = 1;
}
return (err);
}
const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
{
int status;
char *p, *r;
size_t l;
unsigned long flags = 0;
/* Arrange 32-bit pointer to (copied) string storage, if needed. */
#if __INITIAL_POINTER_SIZE == 64
# pragma pointer_size save
# pragma pointer_size 32
char *ctx_filespec_32p;
# pragma pointer_size restore
char ctx_filespec_32[NAMX_MAXRSS + 1];
#endif /* __INITIAL_POINTER_SIZE == 64 */
#ifdef NAML$C_MAXRSS
flags |= LIB$M_FIL_LONG_NAMES;
#endif
if (ctx == NULL || directory == NULL) {
errno = EINVAL;
return 0;
}
errno = 0;
if (*ctx == NULL) {
size_t filespeclen = sgx_strlen(directory);
char *filespec = NULL;
if (filespeclen == 0) {
errno = ENOENT;
return 0;
}
/* MUST be a VMS directory specification! Let's estimate if it is. */
if (directory[filespeclen - 1] != ']'
&& directory[filespeclen - 1] != '>'
&& directory[filespeclen - 1] != ':') {
errno = EINVAL;
return 0;
}
filespeclen += 4; /* "*.*;" */
if (filespeclen > NAMX_MAXRSS) {
errno = ENAMETOOLONG;
return 0;
}
*ctx = (LP_DIR_CTX *)sgx_malloc(sizeof(LP_DIR_CTX));
if (*ctx == NULL) {
errno = ENOMEM;
return 0;
}
sgx_memset(*ctx, '\0', sizeof(LP_DIR_CTX));
sgx_strcpy((*ctx)->filespec, directory);
sgx_strcat((*ctx)->filespec, "*.*;");
/* Arrange 32-bit pointer to (copied) string storage, if needed. */
#if __INITIAL_POINTER_SIZE == 64
# define CTX_FILESPEC ctx_filespec_32p
/* Copy the file name to storage with a 32-bit pointer. */
ctx_filespec_32p = ctx_filespec_32;
sgx_strcpy(ctx_filespec_32p, (*ctx)->filespec);
#else /* __INITIAL_POINTER_SIZE == 64 */
# define CTX_FILESPEC (*ctx)->filespec
#endif /* __INITIAL_POINTER_SIZE == 64 [else] */
(*ctx)->filespec_dsc.dsc$w_length = filespeclen;
(*ctx)->filespec_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
(*ctx)->filespec_dsc.dsc$b_class = DSC$K_CLASS_S;
(*ctx)->filespec_dsc.dsc$a_pointer = CTX_FILESPEC;
}
(*ctx)->result_dsc.dsc$w_length = 0;
(*ctx)->result_dsc.dsc$b_dtype = DSC$K_DTYPE_T;
(*ctx)->result_dsc.dsc$b_class = DSC$K_CLASS_D;
(*ctx)->result_dsc.dsc$a_pointer = 0;
status = lib$find_file(&(*ctx)->filespec_dsc, &(*ctx)->result_dsc,
&(*ctx)->VMS_context, 0, 0, 0, &flags);
if (status == RMS$_NMF) {
errno = 0;
vaxc$errno = status;
return NULL;
}
if (!$VMS_STATUS_SUCCESS(status)) {
errno = EVMSERR;
vaxc$errno = status;
return NULL;
}
/*
* Quick, cheap and dirty way to discard any device and directory, since
* we only want file names
*/
l = (*ctx)->result_dsc.dsc$w_length;
p = (*ctx)->result_dsc.dsc$a_pointer;
r = p;
for (; *p; p++) {
if (*p == '^' && p[1] != '\0') { /* Take care of ODS-5 escapes */
p++;
} else if (*p == ':' || *p == '>' || *p == ']') {
l -= p + 1 - r;
r = p + 1;
} else if (*p == ';') {
l = p - r;
break;
}
}
sgx_strncpy((*ctx)->result, r, l);
(*ctx)->result[l] = '\0';
str$free1_dx(&(*ctx)->result_dsc);
return (*ctx)->result;
}
void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx)
{
OPENSSL_assert(ctx != NULL);
sgx_memset(ctx, 0, sizeof(TS_VERIFY_CTX));
}
/*-
* r is 2*n words in size,
* a and b are both n words in size. (There's not actually a 'b' here ...)
* n must be a power of 2.
* We multiply and return the result.
* t must be 2*n words in size
* We calculate
* a[0]*b[0]
* a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0])
* a[1]*b[1]
*/
void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t)
{
int n = n2 / 2;
int zero, c1;
BN_ULONG ln, lo, *p;
# ifdef BN_COUNT
fprintf(stderr, " bn_sqr_recursive %d * %d\n", n2, n2);
# endif
if (n2 == 4) {
# ifndef BN_SQR_COMBA
bn_sqr_normal(r, a, 4, t);
# else
bn_sqr_comba4(r, a);
# endif
return;
} else if (n2 == 8) {
# ifndef BN_SQR_COMBA
bn_sqr_normal(r, a, 8, t);
# else
bn_sqr_comba8(r, a);
# endif
return;
}
if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL) {
bn_sqr_normal(r, a, n2, t);
return;
}
/* r=(a[0]-a[1])*(a[1]-a[0]) */
c1 = bn_cmp_words(a, &(a[n]), n);
zero = 0;
if (c1 > 0)
bn_sub_words(t, a, &(a[n]), n);
else if (c1 < 0)
bn_sub_words(t, &(a[n]), a, n);
else
zero = 1;
/* The result will always be negative unless it is zero */
p = &(t[n2 * 2]);
if (!zero)
bn_sqr_recursive(&(t[n2]), t, n, p);
else
sgx_memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG));
bn_sqr_recursive(r, a, n, p);
bn_sqr_recursive(&(r[n2]), &(a[n]), n, p);
/*-
* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero
* r[10] holds (a[0]*b[0])
* r[32] holds (b[1]*b[1])
*/
c1 = (int)(bn_add_words(t, r, &(r[n2]), n2));
/* t[32] is negative */
c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2));
/*-
* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1])
* r[10] holds (a[0]*a[0])
* r[32] holds (a[1]*a[1])
* c1 holds the carry bits
*/
c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2));
if (c1) {
p = &(r[n + n2]);
lo = *p;
ln = (lo + c1) & BN_MASK2;
*p = ln;
/*
* The overflow will stop before we over write words we should not
* overwrite
*/
if (ln < (BN_ULONG)c1) {
do {
p++;
lo = *p;
ln = (lo + 1) & BN_MASK2;
*p = ln;
} while (ln == 0);
}
}
}
void OPENSSL_cpuid_setup(void)
{
char *e;
struct sigaction ill_oact, ill_act;
sigset_t oset;
static int trigger = 0;
if (trigger)
return;
trigger = 1;
sigfillset(&all_masked);
sigdelset(&all_masked, SIGILL);
sigdelset(&all_masked, SIGTRAP);
#ifdef SIGEMT
sigdelset(&all_masked, SIGEMT);
#endif
sigdelset(&all_masked, SIGFPE);
sigdelset(&all_masked, SIGBUS);
sigdelset(&all_masked, SIGSEGV);
if ((e = getenv("OPENSSL_ppccap"))) {
OPENSSL_ppccap_P = strtoul(e, NULL, 0);
return;
}
OPENSSL_ppccap_P = 0;
#if defined(_AIX)
if (sizeof(size_t) == 4) {
struct utsname uts;
# if defined(_SC_AIX_KERNEL_BITMODE)
if (sysconf(_SC_AIX_KERNEL_BITMODE) != 64)
return;
# endif
if (uname(&uts) != 0 || atoi(uts.version) < 6)
return;
}
#endif
sgx_memset(&ill_act, 0, sizeof(ill_act));
ill_act.sa_handler = ill_handler;
ill_act.sa_mask = all_masked;
sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
sigaction(SIGILL, &ill_act, &ill_oact);
if (sizeof(size_t) == 4) {
#ifdef __linux
struct utsname uts;
if (uname(&uts) == 0 && sgx_strcmp(uts.machine, "ppc64") == 0)
#endif
if (sigsetjmp(ill_jmp, 1) == 0) {
OPENSSL_ppc64_probe();
OPENSSL_ppccap_P |= PPC_FPU64;
}
} else {
/*
* Wanted code detecting POWER6 CPU and setting PPC_FPU64
*/
}
if (sigsetjmp(ill_jmp, 1) == 0) {
OPENSSL_altivec_probe();
OPENSSL_ppccap_P |= PPC_ALTIVEC;
if (sigsetjmp(ill_jmp, 1) == 0) {
OPENSSL_crypto207_probe();
OPENSSL_ppccap_P |= PPC_CRYPTO207;
}
}
sigaction(SIGILL, &ill_oact, NULL);
sigprocmask(SIG_SETMASK, &oset, NULL);
}