Commit 053fa39af62f5b3543ebec8592e4592965b18e26 - openssl

Conversion to UTF-8 where needed This leaves behind files with names ending with '.iso-8859-1'. These should be safe to remove. If something went wrong when re-encoding, there will be some files with names ending with '.utf8' left behind. Reviewed-by: Rich Salz <rsalz@openssl.org> Richard Levitte 8 years ago

28 changed file(s) with 176 addition(s) and 176 deletion(s). Raw diff Collapse all Expand all

+86

-86

CHANGES less more

9	9	*) Remove SSL_OP_TLS_BLOCK_PADDING_BUG. This is SSLeay legacy, we're
10	10	not aware of clients that still exhibit this bug, and the workaround
11	11	hasn't been working properly for a while.
12		[Emilia Käsper]
	12	[Emilia Käsper]
13	13
14	14	*) The return type of BIO_number_read() and BIO_number_written() as well as
15	15	the corresponding num_read and num_write members in the BIO structure has

400	400	This parameter will be set to 1 or 0 depending on the ciphersuite selected
401	401	by the SSL/TLS server library, indicating whether it can provide forward
402	402	security.
403		[Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
	403	[Emilia Käsper <emilia.kasper@esat.kuleuven.be> (Google)]
404	404
405	405	*) New -verify_name option in command line utilities to set verification
406	406	parameters by name.

487	487	callbacks.
488	488
489	489	This issue was reported to OpenSSL by Robert Swiecki (Google), and
490		independently by Hanno Böck.
	490	independently by Hanno Böck.
491	491	(CVE-2015-1789)
492		[Emilia Käsper]
	492	[Emilia Käsper]
493	493
494	494	*) PKCS7 crash with missing EnvelopedContent
495	495

503	503
504	504	This issue was reported to OpenSSL by Michal Zalewski (Google).
505	505	(CVE-2015-1790)
506		[Emilia Käsper]
	506	[Emilia Käsper]
507	507
508	508	*) CMS verify infinite loop with unknown hash function
509	509

622	622
623	623	This issue was reported to OpenSSL by Michal Zalewski (Google).
624	624	(CVE-2015-0289)
625		[Emilia Käsper]
	625	[Emilia Käsper]
626	626
627	627	*) DoS via reachable assert in SSLv2 servers fix
628	628

630	630	servers that both support SSLv2 and enable export cipher suites by sending
631	631	a specially crafted SSLv2 CLIENT-MASTER-KEY message.
632	632
633		This issue was discovered by Sean Burford (Google) and Emilia Käsper
	633	This issue was discovered by Sean Burford (Google) and Emilia Käsper
634	634	(OpenSSL development team).
635	635	(CVE-2015-0293)
636		[Emilia Käsper]
	636	[Emilia Käsper]
637	637
638	638	*) Empty CKE with client auth and DHE fix
639	639

1138	1138	version does not match the session's version. Resuming with a different
1139	1139	version, while not strictly forbidden by the RFC, is of questionable
1140	1140	sanity and breaks all known clients.
1141		[David Benjamin, Emilia Käsper]
	1141	[David Benjamin, Emilia Käsper]
1142	1142
1143	1143	*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
1144	1144	early CCS messages during renegotiation. (Note that because
1145	1145	renegotiation is encrypted, this early CCS was not exploitable.)
1146		[Emilia Käsper]
	1146	[Emilia Käsper]
1147	1147
1148	1148	*) Tighten client-side session ticket handling during renegotiation:
1149	1149	ensure that the client only accepts a session ticket if the server sends

1154	1154	Similarly, ensure that the client requires a session ticket if one
1155	1155	was advertised in the ServerHello. Previously, a TLS client would
1156	1156	ignore a missing NewSessionTicket message.
1157		[Emilia Käsper]
	1157	[Emilia Käsper]
1158	1158
1159	1159	Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
1160	1160

1234	1234	with a null pointer dereference (read) by specifying an anonymous (EC)DH
1235	1235	ciphersuite and sending carefully crafted handshake messages.
1236	1236
1237		Thanks to Felix Gröbert (Google) for discovering and researching this
	1237	Thanks to Felix Gröbert (Google) for discovering and researching this
1238	1238	issue.
1239	1239	(CVE-2014-3510)
1240		[Emilia Käsper]
	1240	[Emilia Käsper]
1241	1241
1242	1242	*) By sending carefully crafted DTLS packets an attacker could cause openssl
1243	1243	to leak memory. This can be exploited through a Denial of Service attack.

1274	1274	properly negotiated with the client. This can be exploited through a
1275	1275	Denial of Service attack.
1276	1276
1277		Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
	1277	Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
1278	1278	discovering and researching this issue.
1279	1279	(CVE-2014-5139)
1280	1280	[Steve Henson]

1286	1286
1287	1287	Thanks to Ivan Fratric (Google) for discovering this issue.
1288	1288	(CVE-2014-3508)
1289		[Emilia Käsper, and Steve Henson]
	1289	[Emilia Käsper, and Steve Henson]
1290	1290
1291	1291	*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
1292	1292	for corner cases. (Certain input points at infinity could lead to

1316	1316	client or server. This is potentially exploitable to run arbitrary
1317	1317	code on a vulnerable client or server.
1318	1318
1319		Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
1320		[Jüri Aedla, Steve Henson]
	1319	Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
	1320	[Jüri Aedla, Steve Henson]
1321	1321
1322	1322	*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
1323	1323	are subject to a denial of service attack.
1324	1324
1325		Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
	1325	Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
1326	1326	this issue. (CVE-2014-3470)
1327		[Felix Gröbert, Ivan Fratric, Steve Henson]
	1327	[Felix Gröbert, Ivan Fratric, Steve Henson]
1328	1328
1329	1329	*) Harmonize version and its documentation. -f flag is used to display
1330	1330	compilation flags.

1403	1403	Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
1404	1404	Security Group at Royal Holloway, University of London
1405	1405	(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
1406		Emilia Käsper for the initial patch.
	1406	Emilia Käsper for the initial patch.
1407	1407	(CVE-2013-0169)
1408		[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
	1408	[Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
1409	1409
1410	1410	*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
1411	1411	ciphersuites which can be exploited in a denial of service attack.

1580	1580	EC_GROUP_new_by_curve_name() will automatically use these (while
1581	1581	EC_GROUP_new_curve_GFp() currently prefers the more flexible
1582	1582	implementations).
1583		[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
	1583	[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
1584	1584
1585	1585	*) Use type ossl_ssize_t instad of ssize_t which isn't available on
1586	1586	all platforms. Move ssize_t definition from e_os.h to the public

1856	1856	[Adam Langley (Google)]
1857	1857
1858	1858	*) Fix spurious failures in ecdsatest.c.
1859		[Emilia Käsper (Google)]
	1859	[Emilia Käsper (Google)]
1860	1860
1861	1861	*) Fix the BIO_f_buffer() implementation (which was mixing different
1862	1862	interpretations of the '..._len' fields).

1870	1870	lock to call BN_BLINDING_invert_ex, and avoids one use of
1871	1871	BN_BLINDING_update for each BN_BLINDING structure (previously,
1872	1872	the last update always remained unused).
1873		[Emilia Käsper (Google)]
	1873	[Emilia Käsper (Google)]
1874	1874
1875	1875	*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
1876	1876	[Bob Buckholz (Google)]

2679	2679
2680	2680	*) Add RFC 3161 compliant time stamp request creation, response generation
2681	2681	and response verification functionality.
2682		[Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
	2682	[Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
2683	2683
2684	2684	*) Add initial support for TLS extensions, specifically for the server_name
2685	2685	extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now

3847	3847
3848	3848	*) BN_CTX_get() should return zero-valued bignums, providing the same
3849	3849	initialised value as BN_new().
3850		[Geoff Thorpe, suggested by Ulf Möller]
	3850	[Geoff Thorpe, suggested by Ulf Möller]
3851	3851
3852	3852	*) Support for inhibitAnyPolicy certificate extension.
3853	3853	[Steve Henson]

3866	3866	some point, these tighter rules will become openssl's default to improve
3867	3867	maintainability, though the assert()s and other overheads will remain only
3868	3868	in debugging configurations. See bn.h for more details.
3869		[Geoff Thorpe, Nils Larsch, Ulf Möller]
	3869	[Geoff Thorpe, Nils Larsch, Ulf Möller]
3870	3870
3871	3871	*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
3872	3872	that can only be obtained through BN_CTX_new() (which implicitly

3933	3933	[Douglas Stebila (Sun Microsystems Laboratories)]
3934	3934
3935	3935	*) Add the possibility to load symbols globally with DSO.
3936		[Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
	3936	[Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
3937	3937
3938	3938	*) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
3939	3939	control of the error stack.

4648	4648	[Steve Henson]
4649	4649
4650	4650	*) Undo Cygwin change.
4651		[Ulf Möller]
	4651	[Ulf Möller]
4652	4652
4653	4653	*) Added support for proxy certificates according to RFC 3820.
4654	4654	Because they may be a security thread to unaware applications,

4681	4681	[Stephen Henson, reported by UK NISCC]
4682	4682
4683	4683	*) Use Windows randomness collection on Cygwin.
4684		[Ulf Möller]
	4684	[Ulf Möller]
4685	4685
4686	4686	*) Fix hang in EGD/PRNGD query when communication socket is closed
4687	4687	prematurely by EGD/PRNGD.
4688		[Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
	4688	[Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
4689	4689
4690	4690	*) Prompt for pass phrases when appropriate for PKCS12 input format.
4691	4691	[Steve Henson]

5147	5147	pointers passed to them whenever necessary. Otherwise it is possible
5148	5148	the caller may have overwritten (or deallocated) the original string
5149	5149	data when a later ENGINE operation tries to use the stored values.
5150		[Götz Babin-Ebell <babinebell@trustcenter.de>]
	5150	[Götz Babin-Ebell <babinebell@trustcenter.de>]
5151	5151
5152	5152	*) Improve diagnostics in file reading and command-line digests.
5153	5153	[Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]

7252	7252	[Bodo Moeller]
7253	7253
7254	7254	*) BN_sqr() bug fix.
7255		[Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
	7255	[Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
7256	7256
7257	7257	*) Rabin-Miller test analyses assume uniformly distributed witnesses,
7258	7258	so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()

7412	7412	[Bodo Moeller]
7413	7413
7414	7414	*) Fix OAEP check.
7415		[Ulf Möller, Bodo Möller]
	7415	[Ulf Möller, Bodo Möller]
7416	7416
7417	7417	*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
7418	7418	RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5

7674	7674	[Bodo Moeller]
7675	7675
7676	7676	*) Use better test patterns in bntest.
7677		[Ulf Möller]
	7677	[Ulf Möller]
7678	7678
7679	7679	*) rand_win.c fix for Borland C.
7680		[Ulf Möller]
	7680	[Ulf Möller]
7681	7681
7682	7682	*) BN_rshift bugfix for n == 0.
7683	7683	[Bodo Moeller]

7822	7822
7823	7823	*) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
7824	7824	BIO_ctrl (for BIO pairs).
7825		[Bodo Möller]
	7825	[Bodo Möller]
7826	7826
7827	7827	*) Add DSO method for VMS.
7828	7828	[Richard Levitte]
7829	7829
7830	7830	*) Bug fix: Montgomery multiplication could produce results with the
7831	7831	wrong sign.
7832		[Ulf Möller]
	7832	[Ulf Möller]
7833	7833
7834	7834	*) Add RPM specification openssl.spec and modify it to build three
7835	7835	packages. The default package contains applications, application

7847	7847
7848	7848	*) Don't set the two most significant bits to one when generating a
7849	7849	random number < q in the DSA library.
7850		[Ulf Möller]
	7850	[Ulf Möller]
7851	7851
7852	7852	*) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
7853	7853	behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if

8113	8113	*) Randomness polling function for Win9x, as described in:
8114	8114	Peter Gutmann, Software Generation of Practically Strong
8115	8115	Random Numbers.
8116		[Ulf Möller]
	8116	[Ulf Möller]
8117	8117
8118	8118	*) Fix so PRNG is seeded in req if using an already existing
8119	8119	DSA key.

8333	8333	[Steve Henson]
8334	8334
8335	8335	*) Eliminate non-ANSI declarations in crypto.h and stack.h.
8336		[Ulf Möller]
	8336	[Ulf Möller]
8337	8337
8338	8338	*) Fix for SSL server purpose checking. Server checking was
8339	8339	rejecting certificates which had extended key usage present

8365	8365	[Bodo Moeller]
8366	8366
8367	8367	*) Bugfix for linux-elf makefile.one.
8368		[Ulf Möller]
	8368	[Ulf Möller]
8369	8369
8370	8370	*) RSA_get_default_method() will now cause a default
8371	8371	RSA_METHOD to be chosen if one doesn't exist already.

8454	8454	[Steve Henson]
8455	8455
8456	8456	*) des_quad_cksum() byte order bug fix.
8457		[Ulf Möller, using the problem description in krb4-0.9.7, where
	8457	[Ulf Möller, using the problem description in krb4-0.9.7, where
8458	8458	the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
8459	8459
8460	8460	*) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly

8555	8555	[Rolf Haberrecker <rolf@suse.de>]
8556	8556
8557	8557	*) Assembler module support for Mingw32.
8558		[Ulf Möller]
	8558	[Ulf Möller]
8559	8559
8560	8560	*) Shared library support for HPUX (in shlib/).
8561	8561	[Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]

8574	8574
8575	8575	*) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
8576	8576	case was implemented. This caused BN_div_recp() to fail occasionally.
8577		[Ulf Möller]
	8577	[Ulf Möller]
8578	8578
8579	8579	*) Add an optional second argument to the set_label() in the perl
8580	8580	assembly language builder. If this argument exists and is set

8604	8604	[Steve Henson]
8605	8605
8606	8606	*) Fix potential buffer overrun problem in BIO_printf().
8607		[Ulf Möller, using public domain code by Patrick Powell; problem
	8607	[Ulf Möller, using public domain code by Patrick Powell; problem
8608	8608	pointed out by David Sacerdote <das33@cornell.edu>]
8609	8609
8610	8610	*) Support EGD <http://www.lothar.com/tech/crypto/>. New functions
8611	8611	RAND_egd() and RAND_status(). In the command line application,
8612	8612	the EGD socket can be specified like a seed file using RANDFILE
8613	8613	or -rand.
8614		[Ulf Möller]
	8614	[Ulf Möller]
8615	8615
8616	8616	*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
8617	8617	Some CAs (e.g. Verisign) distribute certificates in this form.

8644	8644	#define OPENSSL_ALGORITHM_DEFINES
8645	8645	#include <openssl/opensslconf.h>
8646	8646	defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
8647		[Richard Levitte, Ulf and Bodo Möller]
	8647	[Richard Levitte, Ulf and Bodo Möller]
8648	8648
8649	8649	*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
8650	8650	record layer.

8695	8695
8696	8696	*) Bug fix for BN_div_recp() for numerators with an even number of
8697	8697	bits.
8698		[Ulf Möller]
	8698	[Ulf Möller]
8699	8699
8700	8700	*) More tests in bntest.c, and changed test_bn output.
8701		[Ulf Möller]
	8701	[Ulf Möller]
8702	8702
8703	8703	*) ./config recognizes MacOS X now.
8704	8704	[Andy Polyakov]
8705	8705
8706	8706	*) Bug fix for BN_div() when the first words of num and divsor are
8707	8707	equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
8708		[Ulf Möller]
	8708	[Ulf Möller]
8709	8709
8710	8710	*) Add support for various broken PKCS#8 formats, and command line
8711	8711	options to produce them.

8713	8713
8714	8714	*) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
8715	8715	get temporary BIGNUMs from a BN_CTX.
8716		[Ulf Möller]
	8716	[Ulf Möller]
8717	8717
8718	8718	*) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
8719	8719	for p == 0.
8720		[Ulf Möller]
	8720	[Ulf Möller]
8721	8721
8722	8722	) Change the SSLeay_add_all_() functions to OpenSSL_add_all_*() and
8723	8723	include a #define from the old name to the new. The original intent

8741	8741
8742	8742	*) Source code cleanups: use const where appropriate, eliminate casts,
8743	8743	use void * instead of char * in lhash.
8744		[Ulf Möller]
	8744	[Ulf Möller]
8745	8745
8746	8746	*) Bugfix: ssl3_send_server_key_exchange was not restartable
8747	8747	(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of

8786	8786	[Steve Henson]
8787	8787
8788	8788	*) New function BN_pseudo_rand().
8789		[Ulf Möller]
	8789	[Ulf Möller]
8790	8790
8791	8791	*) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
8792	8792	bignum version of BN_from_montgomery() with the working code from
8793	8793	SSLeay 0.9.0 (the word based version is faster anyway), and clean up
8794	8794	the comments.
8795		[Ulf Möller]
	8795	[Ulf Möller]
8796	8796
8797	8797	*) Avoid a race condition in s2_clnt.c (function get_server_hello) that
8798	8798	made it impossible to use the same SSL_SESSION data structure in

8802	8802	*) The return value of RAND_load_file() no longer counts bytes obtained
8803	8803	by stat(). RAND_load_file(..., -1) is new and uses the complete file
8804	8804	to seed the PRNG (previously an explicit byte count was required).
8805		[Ulf Möller, Bodo Möller]
	8805	[Ulf Möller, Bodo Möller]
8806	8806
8807	8807	*) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
8808	8808	used (char ) instead of (void ) and had casts all over the place.
8809	8809	[Steve Henson]
8810	8810
8811	8811	*) Make BN_generate_prime() return NULL on error if ret!=NULL.
8812		[Ulf Möller]
	8812	[Ulf Möller]
8813	8813
8814	8814	*) Retain source code compatibility for BN_prime_checks macro:
8815	8815	BN_is_prime(..., BN_prime_checks, ...) now uses
8816	8816	BN_prime_checks_for_size to determine the appropriate number of
8817	8817	Rabin-Miller iterations.
8818		[Ulf Möller]
	8818	[Ulf Möller]
8819	8819
8820	8820	*) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
8821	8821	DH_CHECK_P_NOT_SAFE_PRIME.
8822	8822	(Check if this is true? OpenPGP calls them "strong".)
8823		[Ulf Möller]
	8823	[Ulf Möller]
8824	8824
8825	8825	*) Merge the functionality of "dh" and "gendh" programs into a new program
8826	8826	"dhparam". The old programs are retained for now but will handle DH keys

8876	8876	*) Add missing #ifndefs that caused missing symbols when building libssl
8877	8877	as a shared library without RSA. Use #ifndef NO_SSL2 instead of
8878	8878	NO_RSA in ssl/s2*.c.
8879		[Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
	8879	[Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
8880	8880
8881	8881	*) Precautions against using the PRNG uninitialized: RAND_bytes() now
8882	8882	has a return value which indicates the quality of the random data

8885	8885	guaranteed to be unique but not unpredictable. RAND_add is like
8886	8886	RAND_seed, but takes an extra argument for an entropy estimate
8887	8887	(RAND_seed always assumes full entropy).
8888		[Ulf Möller]
	8888	[Ulf Möller]
8889	8889
8890	8890	*) Do more iterations of Rabin-Miller probable prime test (specifically,
8891	8891	3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes

8915	8915	[Steve Henson]
8916	8916
8917	8917	*) Honor the no-xxx Configure options when creating .DEF files.
8918		[Ulf Möller]
	8918	[Ulf Möller]
8919	8919
8920	8920	*) Add PKCS#10 attributes to field table: challengePassword,
8921	8921	unstructuredName and unstructuredAddress. These are taken from

9749	9749
9750	9750	*) More DES library cleanups: remove references to srand/rand and
9751	9751	delete an unused file.
9752		[Ulf Möller]
	9752	[Ulf Möller]
9753	9753
9754	9754	*) Add support for the the free Netwide assembler (NASM) under Win32,
9755	9755	since not many people have MASM (ml) and it can be hard to obtain.

9838	9838	worked.
9839	9839
9840	9840	*) Fix problems with no-hmac etc.
9841		[Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
	9841	[Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
9842	9842
9843	9843	*) New functions RSA_get_default_method(), RSA_set_method() and
9844	9844	RSA_get_method(). These allows replacement of RSA_METHODs without having

9955	9955	[Ben Laurie]
9956	9956
9957	9957	*) DES library cleanups.
9958		[Ulf Möller]
	9958	[Ulf Möller]
9959	9959
9960	9960	*) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
9961	9961	used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit

9998	9998	[Christian Forster <fo@hawo.stw.uni-erlangen.de>]
9999	9999
10000	10000	*) config now generates no-xxx options for missing ciphers.
10001		[Ulf Möller]
	10001	[Ulf Möller]
10002	10002
10003	10003	*) Support the EBCDIC character set (work in progress).
10004	10004	File ebcdic.c not yet included because it has a different license.

10111	10111	[Bodo Moeller]
10112	10112
10113	10113	*) Move openssl.cnf out of lib/.
10114		[Ulf Möller]
	10114	[Ulf Möller]
10115	10115
10116	10116	*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
10117	10117	-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes

10168	10168	[Ben Laurie]
10169	10169
10170	10170	*) Support Borland C++ builder.
10171		[Janez Jere <jj@void.si>, modified by Ulf Möller]
	10171	[Janez Jere <jj@void.si>, modified by Ulf Möller]
10172	10172
10173	10173	*) Support Mingw32.
10174		[Ulf Möller]
	10174	[Ulf Möller]
10175	10175
10176	10176	*) SHA-1 cleanups and performance enhancements.
10177	10177	[Andy Polyakov <appro@fy.chalmers.se>]

10180	10180	[Andy Polyakov <appro@fy.chalmers.se>]
10181	10181
10182	10182	*) Accept any -xxx and +xxx compiler options in Configure.
10183		[Ulf Möller]
	10183	[Ulf Möller]
10184	10184
10185	10185	*) Update HPUX configuration.
10186	10186	[Anonymous]

10213	10213	[Bodo Moeller]
10214	10214
10215	10215	*) OAEP decoding bug fix.
10216		[Ulf Möller]
	10216	[Ulf Möller]
10217	10217
10218	10218	*) Support INSTALL_PREFIX for package builders, as proposed by
10219	10219	David Harris.

10236	10236	[Niels Poppe <niels@netbox.org>]
10237	10237
10238	10238	*) New Configure option no-<cipher> (rsa, idea, rc5, ...).
10239		[Ulf Möller]
	10239	[Ulf Möller]
10240	10240
10241	10241	*) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
10242	10242	extension adding in x509 utility.
10243	10243	[Steve Henson]
10244	10244
10245	10245	*) Remove NOPROTO sections and error code comments.
10246		[Ulf Möller]
	10246	[Ulf Möller]
10247	10247
10248	10248	*) Partial rewrite of the DEF file generator to now parse the ANSI
10249	10249	prototypes.
10250	10250	[Steve Henson]
10251	10251
10252	10252	*) New Configure options --prefix=DIR and --openssldir=DIR.
10253		[Ulf Möller]
	10253	[Ulf Möller]
10254	10254
10255	10255	*) Complete rewrite of the error code script(s). It is all now handled
10256	10256	by one script at the top level which handles error code gathering,

10279	10279	[Steve Henson]
10280	10280
10281	10281	*) Move the autogenerated header file parts to crypto/opensslconf.h.
10282		[Ulf Möller]
	10282	[Ulf Möller]
10283	10283
10284	10284	*) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
10285	10285	8 of keying material. Merlin has also confirmed interop with this fix

10297	10297	[Andy Polyakov <appro@fy.chalmers.se>]
10298	10298
10299	10299	*) Change functions to ANSI C.
10300		[Ulf Möller]
	10300	[Ulf Möller]
10301	10301
10302	10302	*) Fix typos in error codes.
10303		[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
	10303	[Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
10304	10304
10305	10305	*) Remove defunct assembler files from Configure.
10306		[Ulf Möller]
	10306	[Ulf Möller]
10307	10307
10308	10308	*) SPARC v8 assembler BIGNUM implementation.
10309	10309	[Andy Polyakov <appro@fy.chalmers.se>]

10340	10340	[Steve Henson]
10341	10341
10342	10342	*) New Configure option "rsaref".
10343		[Ulf Möller]
	10343	[Ulf Möller]
10344	10344
10345	10345	*) Don't auto-generate pem.h.
10346	10346	[Bodo Moeller]

10388	10388
10389	10389	*) New functions DSA_do_sign and DSA_do_verify to provide access to
10390	10390	the raw DSA values prior to ASN.1 encoding.
10391		[Ulf Möller]
	10391	[Ulf Möller]
10392	10392
10393	10393	*) Tweaks to Configure
10394	10394	[Niels Poppe <niels@netbox.org>]

10398	10398	[Steve Henson]
10399	10399
10400	10400	*) New variables $(RANLIB) and $(PERL) in the Makefiles.
10401		[Ulf Möller]
	10401	[Ulf Möller]
10402	10402
10403	10403	*) New config option to avoid instructions that are illegal on the 80386.
10404	10404	The default code is faster, but requires at least a 486.
10405		[Ulf Möller]
	10405	[Ulf Möller]
10406	10406
10407	10407	*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
10408	10408	SSL2_SERVER_VERSION (not used at all) macros, which are now the

10941	10941	Hagino <itojun@kame.net>]
10942	10942
10943	10943	*) File was opened incorrectly in randfile.c.
10944		[Ulf Möller <ulf@fitug.de>]
	10944	[Ulf Möller <ulf@fitug.de>]
10945	10945
10946	10946	*) Beginning of support for GeneralizedTime. d2i, i2d, check and print
10947	10947	functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or

10951	10951	[Steve Henson]
10952	10952
10953	10953	*) Correct Linux 1 recognition in config.
10954		[Ulf Möller <ulf@fitug.de>]
	10954	[Ulf Möller <ulf@fitug.de>]
10955	10955
10956	10956	*) Remove pointless MD5 hash when using DSA keys in ca.
10957	10957	[Anonymous <nobody@replay.com>]

11098	11098
11099	11099	*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
11100	11100	was already fixed by Eric for 0.9.1 it seems.
11101		[Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
	11101	[Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
11102	11102
11103	11103	*) Autodetect FreeBSD3.
11104	11104	[Ben Laurie]

-3

crypto/aes/asm/aes-586.pl less more

44	44	# the undertaken effort was that it appeared that in tight IA-32
45	45	# register window little-endian flavor could achieve slightly higher
46	46	# Instruction Level Parallelism, and it indeed resulted in up to 15%
47		# better performance on most recent µ-archs...
	47	# better performance on most recent µ-archs...
48	48	#
49	49	# Third version adds AES_cbc_encrypt implementation, which resulted in
50	50	# up to 40% performance imrovement of CBC benchmark results. 40% was

223	223	$speed_limit=512; # chunks smaller than $speed_limit are
224	224	# processed with compact routine in CBC mode
225	225	$small_footprint=1; # $small_footprint=1 code is ~5% slower [on
226		# recent µ-archs], but ~5 times smaller!
	226	# recent µ-archs], but ~5 times smaller!
227	227	# I favor compact code to minimize cache
228	228	# contention and in hope to "collect" 5% back
229	229	# in real-life applications...

564	564	# Performance is not actually extraordinary in comparison to pure
565	565	# x86 code. In particular encrypt performance is virtually the same.
566	566	# Decrypt performance on the other hand is 15-20% better on newer
567		# µ-archs [but we're thankful for any improvement here], and ~50%
	567	# µ-archs [but we're thankful for any improvement here], and ~50%
568	568	# better on PIII:-) And additionally on the pros side this code
569	569	# eliminates redundant references to stack and thus relieves/
570	570	# minimizes the pressure on the memory bus.

-6

crypto/aes/asm/aes-c64xplus.pl less more

890	890	MVC B0,ILC
891	891	\|\| SUB B0,1,B0
892	892
893		GMPY4 $K[0],A24,$Kx9[0] ; ·0x09
	893	GMPY4 $K[0],A24,$Kx9[0] ; ·0x09
894	894	\|\| GMPY4 $K[1],A24,$Kx9[1]
895	895	\|\| MVK 0x00000D0D,A25
896	896	\|\| MVK 0x00000E0E,B25

899	899	\|\| MVKH 0x0D0D0000,A25
900	900	\|\| MVKH 0x0E0E0000,B25
901	901
902		GMPY4 $K[0],B24,$KxB[0] ; ·0x0B
	902	GMPY4 $K[0],B24,$KxB[0] ; ·0x0B
903	903	\|\| GMPY4 $K[1],B24,$KxB[1]
904	904	GMPY4 $K[2],B24,$KxB[2]
905	905	\|\| GMPY4 $K[3],B24,$KxB[3]
906	906
907	907	SPLOOP 11 ; InvMixColumns
908	908	;;====================================================================
909		GMPY4 $K[0],A25,$KxD[0] ; ·0x0D
	909	GMPY4 $K[0],A25,$KxD[0] ; ·0x0D
910	910	\|\| GMPY4 $K[1],A25,$KxD[1]
911	911	\|\| SWAP2 $Kx9[0],$Kx9[0] ; rotate by 16
912	912	\|\| SWAP2 $Kx9[1],$Kx9[1]

923	923	\|\| [B0] LDW *${KPA}[6],$K[2]
924	924	\|\| [B0] LDW *${KPB}[7],$K[3]
925	925
926		GMPY4 $s[0],B25,$KxE[0] ; ·0x0E
	926	GMPY4 $s[0],B25,$KxE[0] ; ·0x0E
927	927	\|\| GMPY4 $s[1],B25,$KxE[1]
928	928	\|\| XOR $Kx9[0],$KxB[0],$KxB[0]
929	929	\|\| XOR $Kx9[1],$KxB[1],$KxB[1]

943	943
944	944	XOR $KxE[0],$KxD[0],$KxE[0]
945	945	\|\| XOR $KxE[1],$KxD[1],$KxE[1]
946		\|\| [B0] GMPY4 $K[0],A24,$Kx9[0] ; ·0x09
	946	\|\| [B0] GMPY4 $K[0],A24,$Kx9[0] ; ·0x09
947	947	\|\| [B0] GMPY4 $K[1],A24,$Kx9[1]
948	948	\|\| ADDAW $KPA,4,$KPA
949	949	XOR $KxE[2],$KxD[2],$KxE[2]

954	954
955	955	XOR $KxB[0],$KxE[0],$KxE[0]
956	956	\|\| XOR $KxB[1],$KxE[1],$KxE[1]
957		\|\| [B0] GMPY4 $K[0],B24,$KxB[0] ; ·0x0B
	957	\|\| [B0] GMPY4 $K[0],B24,$KxB[0] ; ·0x0B
958	958	\|\| [B0] GMPY4 $K[1],B24,$KxB[1]
959	959	XOR $KxB[2],$KxE[2],$KxE[2]
960	960	\|\| XOR $KxB[3],$KxE[3],$KxE[3]

-5

crypto/bn/asm/armv4-gf2m.pl less more

26	26	# referred below, which improves ECDH and ECDSA verify benchmarks
27	27	# by 18-40%.
28	28	#
29		# Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
	29	# Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
30	30	# Polynomial Multiplication on ARM Processors using the NEON Engine.
31	31	#
32	32	# http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf

147	147	################
148	148	# void bn_GF2m_mul_2x2(BN_ULONG *r,
149	149	# BN_ULONG a1,BN_ULONG a0,
150		# BN_ULONG b1,BN_ULONG b0); # r[3..0]=a1a0·b1b0
	150	# BN_ULONG b1,BN_ULONG b0); # r[3..0]=a1a0·b1b0
151	151	{
152	152	$code.=<<___;
153	153	.global bn_GF2m_mul_2x2

170	170	mov $mask,#7<<2
171	171	sub sp,sp,#32 @ allocate tab[8]
172	172
173		bl mul_1x1_ialu @ a1·b1
	173	bl mul_1x1_ialu @ a1·b1
174	174	str $lo,[$ret,#8]
175	175	str $hi,[$ret,#12]
176	176

180	180	eor r2,r2,$a
181	181	eor $b,$b,r3
182	182	eor $a,$a,r2
183		bl mul_1x1_ialu @ a0·b0
	183	bl mul_1x1_ialu @ a0·b0
184	184	str $lo,[$ret]
185	185	str $hi,[$ret,#4]
186	186
187	187	eor $a,$a,r2
188	188	eor $b,$b,r3
189		bl mul_1x1_ialu @ (a1+a0)·(b1+b0)
	189	bl mul_1x1_ialu @ (a1+a0)·(b1+b0)
190	190	___
191	191	@r=map("r$_",(6..9));
192	192	$code.=<<___;

-6

crypto/bn/asm/c64xplus-gf2m.pl less more

119	119	.asmfunc
120	120	MVK 0xFF,$xFF
121	121	___
122		&mul_1x1_upper($a0,$b0); # a0·b0
	122	&mul_1x1_upper($a0,$b0); # a0·b0
123	123	$code.=<<___;
124	124	\|\| MV $b1,$B
125	125	MV $a1,$A
126	126	___
127		&mul_1x1_merged("A28","B28",$A,$B); # a0·b0/a1·b1
	127	&mul_1x1_merged("A28","B28",$A,$B); # a0·b0/a1·b1
128	128	$code.=<<___;
129	129	\|\| XOR $b0,$b1,$B
130	130	XOR $a0,$a1,$A
131	131	___
132		&mul_1x1_merged("A31","B31",$A,$B); # a1·b1/(a0+a1)·(b0+b1)
	132	&mul_1x1_merged("A31","B31",$A,$B); # a1·b1/(a0+a1)·(b0+b1)
133	133	$code.=<<___;
134	134	XOR A28,A31,A29
135		\|\| XOR B28,B31,B29 ; a0·b0+a1·b1
	135	\|\| XOR B28,B31,B29 ; a0·b0+a1·b1
136	136	___
137		&mul_1x1_lower("A30","B30"); # (a0+a1)·(b0+b1)
	137	&mul_1x1_lower("A30","B30"); # (a0+a1)·(b0+b1)
138	138	$code.=<<___;
139	139	\|\| BNOP B3
140	140	XOR A29,A30,A30
141		\|\| XOR B29,B30,B30 ; (a0+a1)·(b0+b1)-a0·b0-a1·b1
	141	\|\| XOR B29,B30,B30 ; (a0+a1)·(b0+b1)-a0·b0-a1·b1
142	142	XOR B28,A30,A30
143	143	\|\| STW A28,*${rp}[0]
144	144	XOR B30,A31,A31

-1

crypto/bn/asm/ia64.S less more

567	567	// I've estimated this routine to run in ~120 ticks, but in reality
568	568	// (i.e. according to ar.itc) it takes ~160 ticks. Are those extra
569	569	// cycles consumed for instructions fetch? Or did I misinterpret some
570		// clause in Itanium µ-architecture manual? Comments are welcomed and
	570	// clause in Itanium µ-architecture manual? Comments are welcomed and
571	571	// highly appreciated.
572	572	//
573	573	// On Itanium 2 it takes ~190 ticks. This is because of stalls on

-3

crypto/bn/asm/s390x-gf2m.pl less more

171	171	if ($SIZE_T==8) {
172	172	my @r=map("%r$_",(6..9));
173	173	$code.=<<___;
174		bras $ra,_mul_1x1 # a1·b1
	174	bras $ra,_mul_1x1 # a1·b1
175	175	stmg $lo,$hi,16($rp)
176	176
177	177	lg $a,`$stdframe+128+4*$SIZE_T`($sp)
178	178	lg $b,`$stdframe+128+6*$SIZE_T`($sp)
179		bras $ra,_mul_1x1 # a0·b0
	179	bras $ra,_mul_1x1 # a0·b0
180	180	stmg $lo,$hi,0($rp)
181	181
182	182	lg $a,`$stdframe+128+3*$SIZE_T`($sp)
183	183	lg $b,`$stdframe+128+5*$SIZE_T`($sp)
184	184	xg $a,`$stdframe+128+4*$SIZE_T`($sp)
185	185	xg $b,`$stdframe+128+6*$SIZE_T`($sp)
186		bras $ra,_mul_1x1 # (a0+a1)·(b0+b1)
	186	bras $ra,_mul_1x1 # (a0+a1)·(b0+b1)
187	187	lmg @r[0],@r[3],0($rp)
188	188
189	189	xgr $lo,$hi

-8

crypto/bn/asm/x86-gf2m.pl less more

13	13	# the time being... Except that it has three code paths: pure integer
14	14	# code suitable for any x86 CPU, MMX code suitable for PIII and later
15	15	# and PCLMULQDQ suitable for Westmere and later. Improvement varies
16		# from one benchmark and µ-arch to another. Below are interval values
	16	# from one benchmark and µ-arch to another. Below are interval values
17	17	# for 163- and 571-bit ECDH benchmarks relative to compiler-generated
18	18	# code:
19	19	#

225	225	&push ("edi");
226	226	&mov ($a,&wparam(1));
227	227	&mov ($b,&wparam(3));
228		&call ("_mul_1x1_mmx"); # a1·b1
	228	&call ("_mul_1x1_mmx"); # a1·b1
229	229	&movq ("mm7",$R);
230	230
231	231	&mov ($a,&wparam(2));
232	232	&mov ($b,&wparam(4));
233		&call ("_mul_1x1_mmx"); # a0·b0
	233	&call ("_mul_1x1_mmx"); # a0·b0
234	234	&movq ("mm6",$R);
235	235
236	236	&mov ($a,&wparam(1));
237	237	&mov ($b,&wparam(3));
238	238	&xor ($a,&wparam(2));
239	239	&xor ($b,&wparam(4));
240		&call ("_mul_1x1_mmx"); # (a0+a1)·(b0+b1)
	240	&call ("_mul_1x1_mmx"); # (a0+a1)·(b0+b1)
241	241	&pxor ($R,"mm7");
242	242	&mov ($a,&wparam(0));
243		&pxor ($R,"mm6"); # (a0+a1)·(b0+b1)-a1·b1-a0·b0
	243	&pxor ($R,"mm6"); # (a0+a1)·(b0+b1)-a1·b1-a0·b0
244	244
245	245	&movq ($A,$R);
246	246	&psllq ($R,32);

265	265
266	266	&mov ($a,&wparam(1));
267	267	&mov ($b,&wparam(3));
268		&call ("_mul_1x1_ialu"); # a1·b1
	268	&call ("_mul_1x1_ialu"); # a1·b1
269	269	&mov (&DWP(8,"esp"),$lo);
270	270	&mov (&DWP(12,"esp"),$hi);
271	271
272	272	&mov ($a,&wparam(2));
273	273	&mov ($b,&wparam(4));
274		&call ("_mul_1x1_ialu"); # a0·b0
	274	&call ("_mul_1x1_ialu"); # a0·b0
275	275	&mov (&DWP(0,"esp"),$lo);
276	276	&mov (&DWP(4,"esp"),$hi);
277	277

279	279	&mov ($b,&wparam(3));
280	280	&xor ($a,&wparam(2));
281	281	&xor ($b,&wparam(4));
282		&call ("_mul_1x1_ialu"); # (a0+a1)·(b0+b1)
	282	&call ("_mul_1x1_ialu"); # (a0+a1)·(b0+b1)
283	283
284	284	&mov ("ebp",&wparam(0));
285	285	@r=("ebx","ecx","edi","esi");

-1

crypto/bn/asm/x86_64-gcc.c less more

64	64	# undef mul_add
65	65
66	66	/*-
67		* "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
	67	* "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
68	68	* "g"(0) let the compiler to decide where does it
69	69	* want to keep the value of zero;
70	70	*/

-8

crypto/bn/asm/x86_64-gf2m.pl less more

12	12	# in bn_gf2m.c. It's kind of low-hanging mechanical port from C for
13	13	# the time being... Except that it has two code paths: code suitable
14	14	# for any x86_64 CPU and PCLMULQDQ one suitable for Westmere and
15		# later. Improvement varies from one benchmark and µ-arch to another.
	15	# later. Improvement varies from one benchmark and µ-arch to another.
16	16	# Vanilla code path is at most 20% faster than compiler-generated code
17	17	# [not very impressive], while PCLMULQDQ - whole 85%-160% better on
18	18	# 163- and 571-bit ECDH benchmarks on Intel CPUs. Keep in mind that

183	183	$code.=<<___;
184	184	movdqa %xmm0,%xmm4
185	185	movdqa %xmm1,%xmm5
186		pclmulqdq \$0,%xmm1,%xmm0 # a1·b1
	186	pclmulqdq \$0,%xmm1,%xmm0 # a1·b1
187	187	pxor %xmm2,%xmm4
188	188	pxor %xmm3,%xmm5
189		pclmulqdq \$0,%xmm3,%xmm2 # a0·b0
190		pclmulqdq \$0,%xmm5,%xmm4 # (a0+a1)·(b0+b1)
	189	pclmulqdq \$0,%xmm3,%xmm2 # a0·b0
	190	pclmulqdq \$0,%xmm5,%xmm4 # (a0+a1)·(b0+b1)
191	191	xorps %xmm0,%xmm4
192		xorps %xmm2,%xmm4 # (a0+a1)·(b0+b1)-a0·b0-a1·b1
	192	xorps %xmm2,%xmm4 # (a0+a1)·(b0+b1)-a0·b0-a1·b1
193	193	movdqa %xmm4,%xmm5
194	194	pslldq \$8,%xmm4
195	195	psrldq \$8,%xmm5

224	224	mov \$0xf,$mask
225	225	mov $a1,$a
226	226	mov $b1,$b
227		call _mul_1x1 # a1·b1
	227	call _mul_1x1 # a1·b1
228	228	mov $lo,16(%rsp)
229	229	mov $hi,24(%rsp)
230	230
231	231	mov 48(%rsp),$a
232	232	mov 64(%rsp),$b
233		call _mul_1x1 # a0·b0
	233	call _mul_1x1 # a0·b0
234	234	mov $lo,0(%rsp)
235	235	mov $hi,8(%rsp)
236	236

238	238	mov 56(%rsp),$b
239	239	xor 48(%rsp),$a
240	240	xor 64(%rsp),$b
241		call _mul_1x1 # (a0+a1)·(b0+b1)
	241	call _mul_1x1 # (a0+a1)·(b0+b1)
242	242	___
243	243	@r=("%rbx","%rcx","%rdi","%rsi");
244	244	$code.=<<___;

-4

crypto/modes/asm/ghash-armv4.pl less more

44	44	# processes one byte in 8.45 cycles, A9 - in 10.2, A15 - in 7.63,
45	45	# Snapdragon S4 - in 9.33.
46	46	#
47		# Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
	47	# Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
48	48	# Polynomial Multiplication on ARM Processors using the NEON Engine.
49	49	#
50	50	# http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf

448	448	veor $IN,$Xl @ inp^=Xi
449	449	.Lgmult_neon:
450	450	___
451		&clmul64x64 ($Xl,$Hlo,"$IN#lo"); # H.lo·Xi.lo
	451	&clmul64x64 ($Xl,$Hlo,"$IN#lo"); # H.lo·Xi.lo
452	452	$code.=<<___;
453	453	veor $IN#lo,$IN#lo,$IN#hi @ Karatsuba pre-processing
454	454	___
455		&clmul64x64 ($Xm,$Hhl,"$IN#lo"); # (H.lo+H.hi)·(Xi.lo+Xi.hi)
456		&clmul64x64 ($Xh,$Hhi,"$IN#hi"); # H.hi·Xi.hi
	455	&clmul64x64 ($Xm,$Hhl,"$IN#lo"); # (H.lo+H.hi)·(Xi.lo+Xi.hi)
	456	&clmul64x64 ($Xh,$Hhi,"$IN#hi"); # H.hi·Xi.hi
457	457	$code.=<<___;
458	458	veor $Xm,$Xm,$Xl @ Karatsuba post-processing
459	459	veor $Xm,$Xm,$Xh

-2

crypto/modes/asm/ghash-c64xplus.pl less more

152	152	# 8/2 S1 L1x S2 \| ....
153	153	#####... ................\|............
154	154	$code.=<<___;
155		XORMPY $H0,$xia,$H0x ; 0 ; H·(Xi[i]<<1)
	155	XORMPY $H0,$xia,$H0x ; 0 ; H·(Xi[i]<<1)
156	156	\|\| XORMPY $H01u,$xib,$H01y
157	157	\|\| [A0] LDBU *--${xip},$x0
158	158	XORMPY $H1,$xia,$H1x ; 1

161	161	XORMPY $H3,$xia,$H3x ; 3
162	162	\|\| XORMPY $H3u,$xib,$H3y
163	163	\|\|[!A0] MVK.D 15,A0 ; *--${xip} counter
164		XOR.L $H0x,$Z0,$Z0 ; 4 ; Z^=H·(Xi[i]<<1)
	164	XOR.L $H0x,$Z0,$Z0 ; 4 ; Z^=H·(Xi[i]<<1)
165	165	\|\| [A0] SUB.S A0,1,A0
166	166	XOR.L $H1x,$Z1,$Z1 ; 5
167	167	\|\| AND.D $H01y,$FF000000,$H0z

-9

crypto/modes/asm/ghash-sparcv9.pl less more

378	378	or $V,%lo(0xA0406080),$V
379	379	or %l0,%lo(0x20C0E000),%l0
380	380	sllx $V,32,$V
381		or %l0,$V,$V ! (0xE0·i)&0xff=0xA040608020C0E000
	381	or %l0,$V,$V ! (0xE0·i)&0xff=0xA040608020C0E000
382	382	stx $V,[%i0+16]
383	383
384	384	ret

398	398
399	399	mov 0xE1,%l7
400	400	sllx %l7,57,$xE1 ! 57 is not a typo
401		ldx [$Htable+16],$V ! (0xE0·i)&0xff=0xA040608020C0E000
	401	ldx [$Htable+16],$V ! (0xE0·i)&0xff=0xA040608020C0E000
402	402
403	403	xor $Hhi,$Hlo,$Hhl ! Karatsuba pre-processing
404	404	xmulx $Xlo,$Hlo,$C0

410	410	xmulx $Xhi,$Hhi,$Xhi
411	411
412	412	sll $C0,3,$sqr
413		srlx $V,$sqr,$sqr ! ·0xE0 [implicit &(7<<3)]
	413	srlx $V,$sqr,$sqr ! ·0xE0 [implicit &(7<<3)]
414	414	xor $C0,$sqr,$sqr
415		sllx $sqr,57,$sqr ! ($C0·0xE1)<<1<<56 [implicit &0x7f]
	415	sllx $sqr,57,$sqr ! ($C0·0xE1)<<1<<56 [implicit &0x7f]
416	416
417	417	xor $C0,$C1,$C1 ! Karatsuba post-processing
418	418	xor $Xlo,$C2,$C2

422	422	xor $Xhi,$C2,$C2
423	423	xor $Xhi,$C1,$C1
424	424
425		xmulxhi $C0,$xE1,$Xlo ! ·0xE1<<1<<56
	425	xmulxhi $C0,$xE1,$Xlo ! ·0xE1<<1<<56
426	426	xor $C0,$C2,$C2
427	427	xmulx $C1,$xE1,$C0
428	428	xor $C1,$C3,$C3

452	452
453	453	mov 0xE1,%l7
454	454	sllx %l7,57,$xE1 ! 57 is not a typo
455		ldx [$Htable+16],$V ! (0xE0·i)&0xff=0xA040608020C0E000
	455	ldx [$Htable+16],$V ! (0xE0·i)&0xff=0xA040608020C0E000
456	456
457	457	and $inp,7,$shl
458	458	andn $inp,7,$inp

489	489	xmulx $Xhi,$Hhi,$Xhi
490	490
491	491	sll $C0,3,$sqr
492		srlx $V,$sqr,$sqr ! ·0xE0 [implicit &(7<<3)]
	492	srlx $V,$sqr,$sqr ! ·0xE0 [implicit &(7<<3)]
493	493	xor $C0,$sqr,$sqr
494		sllx $sqr,57,$sqr ! ($C0·0xE1)<<1<<56 [implicit &0x7f]
	494	sllx $sqr,57,$sqr ! ($C0·0xE1)<<1<<56 [implicit &0x7f]
495	495
496	496	xor $C0,$C1,$C1 ! Karatsuba post-processing
497	497	xor $Xlo,$C2,$C2

501	501	xor $Xhi,$C2,$C2
502	502	xor $Xhi,$C1,$C1
503	503
504		xmulxhi $C0,$xE1,$Xlo ! ·0xE1<<1<<56
	504	xmulxhi $C0,$xE1,$Xlo ! ·0xE1<<1<<56
505	505	xor $C0,$C2,$C2
506	506	xmulx $C1,$xE1,$C0
507	507	xor $C1,$C3,$C3

-1

crypto/modes/asm/ghash-x86.pl less more

357	357	# effective address calculation and finally merge of value to Z.hi.
358	358	# Reference to rem_4bit is scheduled so late that I had to >>4
359	359	# rem_4bit elements. This resulted in 20-45% procent improvement
360		# on contemporary µ-archs.
	360	# on contemporary µ-archs.
361	361	{
362	362	my $cnt;
363	363	my $rem_4bit = "eax";

-4

crypto/modes/asm/ghash-x86_64.pl less more

575	575	# experimental alternative. special thing about is that there
576	576	# no dependency between the two multiplications...
577	577	mov \$`0xE1<<1`,%eax
578		mov \$0xA040608020C0E000,%r10 # ((7..0)·0xE0)&0xff
	578	mov \$0xA040608020C0E000,%r10 # ((7..0)·0xE0)&0xff
579	579	mov \$0x07,%r11d
580	580	movq %rax,$T1
581	581	movq %r10,$T2
582	582	movq %r11,$T3 # borrow $T3
583	583	pand $Xi,$T3
584		pshufb $T3,$T2 # ($Xi&7)·0xE0
	584	pshufb $T3,$T2 # ($Xi&7)·0xE0
585	585	movq %rax,$T3
586		pclmulqdq \$0x00,$Xi,$T1 # ·(0xE1<<1)
	586	pclmulqdq \$0x00,$Xi,$T1 # ·(0xE1<<1)
587	587	pxor $Xi,$T2
588	588	pslldq \$15,$T2
589	589	paddd $T2,$T2 # <<(64+56+1)

656	656	je .Lskip4x
657	657
658	658	sub \$0x30,$len
659		mov \$0xA040608020C0E000,%rax # ((7..0)·0xE0)&0xff
	659	mov \$0xA040608020C0E000,%rax # ((7..0)·0xE0)&0xff
660	660	movdqu 0x30($Htbl),$Hkey3
661	661	movdqu 0x40($Htbl),$Hkey4
662	662

-6

crypto/modes/asm/ghashp8-ppc.pl less more

117	117	le?vperm $IN,$IN,$IN,$lemask
118	118	vxor $zero,$zero,$zero
119	119
120		vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
121		vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
122		vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
	120	vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
	121	vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
	122	vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
123	123
124	124	vpmsumd $t2,$Xl,$xC2 # 1st phase
125	125

177	177	.align 5
178	178	Loop:
179	179	subic $len,$len,16
180		vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
	180	vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
181	181	subfe. r0,r0,r0 # borrow?-1:0
182		vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
	182	vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
183	183	and r0,r0,$len
184		vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
	184	vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
185	185	add $inp,$inp,r0
186	186
187	187	vpmsumd $t2,$Xl,$xC2 # 1st phase

+11

-11

crypto/modes/asm/ghashv8-armx.pl less more

143	143	#endif
144	144	vext.8 $IN,$t1,$t1,#8
145	145
146		vpmull.p64 $Xl,$H,$IN @ H.lo·Xi.lo
	146	vpmull.p64 $Xl,$H,$IN @ H.lo·Xi.lo
147	147	veor $t1,$t1,$IN @ Karatsuba pre-processing
148		vpmull2.p64 $Xh,$H,$IN @ H.hi·Xi.hi
149		vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)·(Xi.lo+Xi.hi)
	148	vpmull2.p64 $Xh,$H,$IN @ H.hi·Xi.hi
	149	vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)·(Xi.lo+Xi.hi)
150	150
151	151	vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing
152	152	veor $t2,$Xl,$Xh

234	234	#endif
235	235	vext.8 $In,$t1,$t1,#8
236	236	veor $IN,$IN,$Xl @ I[i]^=Xi
237		vpmull.p64 $Xln,$H,$In @ H·Ii+1
	237	vpmull.p64 $Xln,$H,$In @ H·Ii+1
238	238	veor $t1,$t1,$In @ Karatsuba pre-processing
239	239	vpmull2.p64 $Xhn,$H,$In
240	240	b .Loop_mod2x_v8

243	243	.Loop_mod2x_v8:
244	244	vext.8 $t2,$IN,$IN,#8
245	245	subs $len,$len,#32 @ is there more data?
246		vpmull.p64 $Xl,$H2,$IN @ H^2.lo·Xi.lo
	246	vpmull.p64 $Xl,$H2,$IN @ H^2.lo·Xi.lo
247	247	cclr $inc,lo @ is it time to zero $inc?
248	248
249	249	vpmull.p64 $Xmn,$Hhl,$t1
250	250	veor $t2,$t2,$IN @ Karatsuba pre-processing
251		vpmull2.p64 $Xh,$H2,$IN @ H^2.hi·Xi.hi
	251	vpmull2.p64 $Xh,$H2,$IN @ H^2.hi·Xi.hi
252	252	veor $Xl,$Xl,$Xln @ accumulate
253		vpmull2.p64 $Xm,$Hhl,$t2 @ (H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)
	253	vpmull2.p64 $Xm,$Hhl,$t2 @ (H^2.lo+H^2.hi)·(Xi.lo+Xi.hi)
254	254	vld1.64 {$t0},[$inp],$inc @ load [rotated] I[i+2]
255	255
256	256	veor $Xh,$Xh,$Xhn

275	275	vext.8 $In,$t1,$t1,#8
276	276	vext.8 $IN,$t0,$t0,#8
277	277	veor $Xl,$Xm,$t2
278		vpmull.p64 $Xln,$H,$In @ H·Ii+1
	278	vpmull.p64 $Xln,$H,$In @ H·Ii+1
279	279	veor $IN,$IN,$Xh @ accumulate $IN early
280	280
281	281	vext.8 $t2,$Xl,$Xl,#8 @ 2nd phase of reduction

299	299	veor $IN,$IN,$Xl @ inp^=Xi
300	300	veor $t1,$t0,$t2 @ $t1 is rotated inp^Xi
301	301
302		vpmull.p64 $Xl,$H,$IN @ H.lo·Xi.lo
	302	vpmull.p64 $Xl,$H,$IN @ H.lo·Xi.lo
303	303	veor $t1,$t1,$IN @ Karatsuba pre-processing
304		vpmull2.p64 $Xh,$H,$IN @ H.hi·Xi.hi
305		vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)·(Xi.lo+Xi.hi)
	304	vpmull2.p64 $Xh,$H,$IN @ H.hi·Xi.hi
	305	vpmull.p64 $Xm,$Hhl,$t1 @ (H.lo+H.hi)·(Xi.lo+Xi.hi)
306	306
307	307	vext.8 $t1,$Xl,$Xh,#8 @ Karatsuba post-processing
308	308	veor $t2,$Xl,$Xh

-1

crypto/rc4/asm/rc4-586.pl less more

43	43	# Sandy Bridge 5.0/+8%
44	44	# Atom 12.6/+6%
45	45	# VIA Nano 6.4/+9%
46		# Ivy Bridge 4.9/±0%
	46	# Ivy Bridge 4.9/±0%
47	47	# Bulldozer 4.9/+15%
48	48	#
49	49	# (*) PIII can actually deliver 6.6 cycles per byte with MMX code,

-1

crypto/rc4/asm/rc4-x86_64.pl less more

55	55	# achieves respectful 432MBps on 2.8GHz processor now. For reference.
56	56	# If executed on Xeon, current RC4_CHAR code-path is 2.7x faster than
57	57	# RC4_INT code-path. While if executed on Opteron, it's only 25%
58		# slower than the RC4_INT one [meaning that if CPU µ-arch detection
	58	# slower than the RC4_INT one [meaning that if CPU µ-arch detection
59	59	# is not implemented, then this final RC4_CHAR code-path should be
60	60	# preferred, as it provides better all-round performance].
61	61

-2

crypto/sha/asm/sha1-586.pl less more

65	65	# switch to AVX alone improves performance by as little as 4% in
66	66	# comparison to SSSE3 code path. But below result doesn't look like
67	67	# 4% improvement... Trouble is that Sandy Bridge decodes 'ro[rl]' as
68		# pair of µ-ops, and it's the additional µ-ops, two per round, that
	68	# pair of µ-ops, and it's the additional µ-ops, two per round, that
69	69	# make it run slower than Core2 and Westmere. But 'sh[rl]d' is decoded
70		# as single µ-op by Sandy Bridge and it's replacing 'ro[rl]' with
	70	# as single µ-op by Sandy Bridge and it's replacing 'ro[rl]' with
71	71	# equivalent 'sh[rl]d' that is responsible for the impressive 5.1
72	72	# cycles per processed byte. But 'sh[rl]d' is not something that used
73	73	# to be fast, nor does it appear to be fast in upcoming Bulldozer

-1

crypto/sha/asm/sha256-586.pl less more

9	9	# SHA256 block transform for x86. September 2007.
10	10	#
11	11	# Performance improvement over compiler generated code varies from
12		# 10% to 40% [see below]. Not very impressive on some µ-archs, but
	12	# 10% to 40% [see below]. Not very impressive on some µ-archs, but
13	13	# it's 5 times smaller and optimizies amount of writes.
14	14	#
15	15	# May 2012.

-1

crypto/sha/asm/sha512-586.pl less more

36	36	#
37	37	# IALU code-path is optimized for elder Pentiums. On vanilla Pentium
38	38	# performance improvement over compiler generated code reaches ~60%,
39		# while on PIII - ~35%. On newer µ-archs improvement varies from 15%
	39	# while on PIII - ~35%. On newer µ-archs improvement varies from 15%
40	40	# to 50%, but it's less important as they are expected to execute SSE2
41	41	# code-path, which is commonly ~2-3x faster [than compiler generated
42	42	# code]. SSE2 code-path is as fast as original sha512-sse2.pl, even

-1

crypto/sparccpuid.S less more

126	126	fmovs %f1,%f3
127	127	fmovs %f0,%f2
128	128
129		add %fp,BIAS,%i0 ! return pointer to caller´s top of stack
	129	add %fp,BIAS,%i0 ! return pointer to caller´s top of stack
130	130
131	131	ret
132	132	restore

-1

crypto/whrlpool/asm/wp-mmx.pl less more

15	15	# table]. I stick to value of 2 for two reasons: 1. smaller table
16	16	# minimizes cache trashing and thus mitigates the hazard of side-
17	17	# channel leakage similar to AES cache-timing one; 2. performance
18		# gap among different µ-archs is smaller.
	18	# gap among different µ-archs is smaller.
19	19	#
20	20	# Performance table lists rounded amounts of CPU cycles spent by
21	21	# whirlpool_block_mmx routine on single 64 byte input block, i.e.

-1

crypto/x509v3/v3_pci.c less more

2	2	* Contributed to the OpenSSL Project 2004 by Richard Levitte
3	3	* (richard@levitte.org)
4	4	*/
5		/* Copyright (c) 2004 Kungliga Tekniska Högskolan
	5	/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6	6	* (Royal Institute of Technology, Stockholm, Sweden).
7	7	* All rights reserved.
8	8	*

-1

crypto/x509v3/v3_pcia.c less more

2	2	* Contributed to the OpenSSL Project 2004 by Richard Levitte
3	3	* (richard@levitte.org)
4	4	*/
5		/* Copyright (c) 2004 Kungliga Tekniska Högskolan
	5	/* Copyright (c) 2004 Kungliga Tekniska Högskolan
6	6	* (Royal Institute of Technology, Stockholm, Sweden).
7	7	* All rights reserved.
8	8	*

-1

demos/easy_tls/README less more

61	61	day, which means that future revisions will not be fully compatible to
62	62	the current version.
63	63
64		Bodo Möller <bodo@openssl.org>
	64	Bodo Möller <bodo@openssl.org>

-1

util/mkrc.pl less more

56	56	VALUE "ProductVersion", "$version\\0"
57	57	// Optional:
58	58	//VALUE "Comments", "\\0"
59		VALUE "LegalCopyright", "Copyright © 1998-2006 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
	59	VALUE "LegalCopyright", "Copyright © 1998-2006 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
60	60	//VALUE "LegalTrademarks", "\\0"
61	61	//VALUE "PrivateBuild", "\\0"
62	62	//VALUE "SpecialBuild", "\\0"