
Updating to OpenSSL 3.1.0

Adding all missing files.
Removing files that should not have been added by "OpenSSL 3.1.0".
All generated files are stored in the repository rather than generated at compile time; the templates are not in the repository (the same approach we already took with the .asm files).
Some of the removed files might not have been needed anymore even before upgrade to OpenSSL 3.
So Perl is still needed for the generation only, not for the build.

Source commit: 53cb910ec00828fe1b1eefa6abf04fac3a4110db
Martin Prikryl 2 gadi atpakaļ
vecāks
revīzija
28dc95b565
100 mainītis faili ar 2335 papildinājumiem un 51803 dzēšanām
  1. 475 211
      libs/openssl/Makefile
  2. 0 7
      libs/openssl/VERSION.dat
  3. 0 2998
      libs/openssl/crypto/aes/asm/aes-586.pl
  4. 0 1061
      libs/openssl/crypto/aes/asm/aes-riscv32-zkn.pl
  5. 0 2378
      libs/openssl/crypto/aes/asm/bsaes-armv8.pl
  6. 0 194
      libs/openssl/crypto/arm_arch.h
  7. 0 65
      libs/openssl/crypto/asn1/d2i_param.c
  8. 36 0
      libs/openssl/crypto/bf/asm/bf_586.asm
  9. 207 0
      libs/openssl/crypto/bio/bf_prefix.c
  10. 0 744
      libs/openssl/crypto/bn/asm/rsaz-2k-avx512.pl
  11. 0 874
      libs/openssl/crypto/bn/asm/rsaz-3k-avx512.pl
  12. 0 930
      libs/openssl/crypto/bn/asm/rsaz-4k-avx512.pl
  13. 1 0
      libs/openssl/crypto/bn/bn_const.c
  14. 0 53
      libs/openssl/crypto/bn/bn_ppc.c
  15. 0 77
      libs/openssl/crypto/bn/bn_sparc.c
  16. 0 656
      libs/openssl/crypto/bn/rsaz_exp_x2.c
  17. 36 0
      libs/openssl/crypto/cast/asm/cast_586.asm
  18. 0 1157
      libs/openssl/crypto/chacha/asm/chacha-armv8-sve.pl
  19. 0 1288
      libs/openssl/crypto/chacha/asm/chachap10-ppc.pl
  20. 0 42
      libs/openssl/crypto/chacha/chacha_ppc.c
  21. 0 459
      libs/openssl/crypto/cmp/cmp_asn.c
  22. 0 918
      libs/openssl/crypto/cmp/cmp_client.c
  23. 0 1157
      libs/openssl/crypto/cmp/cmp_ctx.c
  24. 0 369
      libs/openssl/crypto/cmp/cmp_hdr.c
  25. 0 105
      libs/openssl/crypto/cmp/cmp_http.c
  26. 0 1170
      libs/openssl/crypto/cmp/cmp_msg.c
  27. 0 332
      libs/openssl/crypto/cmp/cmp_protect.c
  28. 0 644
      libs/openssl/crypto/cmp/cmp_server.c
  29. 0 314
      libs/openssl/crypto/cmp/cmp_status.c
  30. 0 856
      libs/openssl/crypto/cmp/cmp_vfy.c
  31. 0 343
      libs/openssl/crypto/cms/cms_dh.c
  32. 0 390
      libs/openssl/crypto/cms/cms_ec.c
  33. 0 264
      libs/openssl/crypto/cms/cms_rsa.c
  34. 0 235
      libs/openssl/crypto/crmf/crmf_asn.c
  35. 0 715
      libs/openssl/crypto/crmf/crmf_lib.c
  36. 0 232
      libs/openssl/crypto/crmf/crmf_pbm.c
  37. 1 0
      libs/openssl/crypto/des/asm/crypt586.asm
  38. 71 0
      libs/openssl/crypto/des/asm/des_586.asm
  39. 0 78
      libs/openssl/crypto/ec/ec_deprecated.c
  40. 0 1748
      libs/openssl/crypto/ec/ecp_nistp224.c
  41. 0 2378
      libs/openssl/crypto/ec/ecp_nistp256.c
  42. 0 2236
      libs/openssl/crypto/ec/ecp_nistp521.c
  43. 0 34
      libs/openssl/crypto/ec/ecp_ppc.c
  44. 0 400
      libs/openssl/crypto/ec/ecp_s390x_nistp.c
  45. 0 217
      libs/openssl/crypto/ec/ecx_s390x.c
  46. 0 36
      libs/openssl/crypto/encode_decode/decoder_err.c
  47. 0 36
      libs/openssl/crypto/encode_decode/encoder_err.c
  48. 0 55
      libs/openssl/crypto/err/README.md
  49. 0 106
      libs/openssl/crypto/err/err_all_legacy.c
  50. 0 1723
      libs/openssl/crypto/err/openssl.txt
  51. 0 58
      libs/openssl/crypto/ess/ess_asn1.c
  52. 0 315
      libs/openssl/crypto/ess/ess_lib.c
  53. 0 34
      libs/openssl/crypto/evp/legacy_md2.c
  54. 0 35
      libs/openssl/crypto/evp/legacy_mdc2.c
  55. 0 35
      libs/openssl/crypto/evp/legacy_wp.c
  56. 1 0
      libs/openssl/crypto/ffc/ffc_dh.c
  57. 0 211
      libs/openssl/crypto/info.c
  58. 0 17
      libs/openssl/crypto/loongarch_arch.h
  59. 0 22
      libs/openssl/crypto/loongarchcap.c
  60. 4 3
      libs/openssl/crypto/md5/asm/md5_586.asm
  61. 0 40
      libs/openssl/crypto/mips_arch.h
  62. 0 4975
      libs/openssl/crypto/modes/asm/aes-gcm-avx512.pl
  63. 0 1438
      libs/openssl/crypto/modes/asm/aes-gcm-ppc.pl
  64. 1125 0
      libs/openssl/crypto/pem/pvkfmt.c
  65. 0 130
      libs/openssl/crypto/perlasm/README.md
  66. 0 3175
      libs/openssl/crypto/perlasm/s390x.pm
  67. 0 365
      libs/openssl/crypto/poly1305/asm/poly1305-ia64.S
  68. 0 47
      libs/openssl/crypto/poly1305/poly1305_ppc.c
  69. 0 35
      libs/openssl/crypto/rand/rand_deprecated.c
  70. 163 0
      libs/openssl/crypto/rand/rand_win.c
  71. 0 88
      libs/openssl/crypto/riscv32cpuid.pl
  72. 0 86
      libs/openssl/crypto/riscvcap.c
  73. 0 167
      libs/openssl/crypto/rsa/rsa_acvp_test_params.c
  74. 1 0
      libs/openssl/crypto/rsa/rsa_sp800_56b_check.c
  75. 166 0
      libs/openssl/crypto/self_test_core.c
  76. 1 0
      libs/openssl/crypto/sha/asm/sha1_586.asm
  77. 0 33
      libs/openssl/crypto/sha/sha_ppc.c
  78. 0 281
      libs/openssl/crypto/sm3/asm/sm3-armv8.pl
  79. 0 635
      libs/openssl/crypto/sm4/asm/sm4-armv8.pl
  80. 0 1118
      libs/openssl/crypto/sm4/asm/vpsm4-armv8.pl
  81. 0 27
      libs/openssl/crypto/threads_lib.c
  82. 0 964
      libs/openssl/include/crypto/asn1.h.in
  83. 29 0
      libs/openssl/include/crypto/bn_conf.h
  84. 0 28
      libs/openssl/include/crypto/bn_conf.h.in
  85. 0 177
      libs/openssl/include/crypto/conf.h.in
  86. 0 69
      libs/openssl/include/crypto/configuration.h.in
  87. 18 0
      libs/openssl/include/crypto/dso_conf.h
  88. 0 33
      libs/openssl/include/crypto/dso_conf.h.in
  89. 0 81
      libs/openssl/include/crypto/ess.h.in
  90. 0 35
      libs/openssl/include/crypto/fipskey.h.in
  91. 0 387
      libs/openssl/include/crypto/ocsp.h.in
  92. 0 113
      libs/openssl/include/crypto/opensslv.h.in
  93. 0 359
      libs/openssl/include/crypto/pkcs7.h.in
  94. 0 29
      libs/openssl/include/crypto/ppc_arch.h
  95. 0 227
      libs/openssl/include/crypto/safestack.h.in
  96. 0 214
      libs/openssl/include/crypto/srp.h.in
  97. 0 2530
      libs/openssl/include/crypto/ssl.h.in
  98. 0 1085
      libs/openssl/include/crypto/x509.h.in
  99. 0 797
      libs/openssl/include/crypto/x509_vfy.h.in
  100. 0 1020
      libs/openssl/include/crypto/x509v3.h.in

+ 475 - 211
libs/openssl/Makefile


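--- a/libs/openssl/VERSION.dat
+++ b/libs/openssl/VERSION.dat
@@ -1,7 +0,0 @@
-MAJOR=3
-MINOR=1
-PATCH=0
-PRE_RELEASE_TAG=
-BUILD_METADATA=
-RELEASE_DATE="14 Mar 2023"
-SHLIB_VERSION=3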
+ 0 - 2998
libs/openssl/crypto/aes/asm/aes-586.pl

@@ -1,2998 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-#
-# ====================================================================
-# Written by Andy Polyakov <[email protected]> for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
-# ====================================================================
-#
-# Version 4.3.
-#
-# You might fail to appreciate this module performance from the first
-# try. If compared to "vanilla" linux-ia32-icc target, i.e. considered
-# to be *the* best Intel C compiler without -KPIC, performance appears
-# to be virtually identical... But try to re-configure with shared
-# library support... Aha! Intel compiler "suddenly" lags behind by 30%
-# [on P4, more on others]:-) And if compared to position-independent
-# code generated by GNU C, this code performs *more* than *twice* as
-# fast! Yes, all this buzz about PIC means that unlike other hand-
-# coded implementations, this one was explicitly designed to be safe
-# to use even in shared library context... This also means that this
-# code isn't necessarily absolutely fastest "ever," because in order
-# to achieve position independence an extra register has to be
-# off-loaded to stack, which affects the benchmark result.
-#
-# Special note about instruction choice. Do you recall RC4_INT code
-# performing poorly on P4? It might be the time to figure out why.
-# RC4_INT code implies effective address calculations in base+offset*4
-# form. Trouble is that it seems that offset scaling turned to be
-# critical path... At least eliminating scaling resulted in 2.8x RC4
-# performance improvement [as you might recall]. As AES code is hungry
-# for scaling too, I [try to] avoid the latter by favoring off-by-2
-# shifts and masking the result with 0xFF<<2 instead of "boring" 0xFF.
-#
-# As was shown by Dean Gaudet, the above note turned out to be
-# void. Performance improvement with off-by-2 shifts was observed on
-# intermediate implementation, which was spilling yet another register
-# to stack... Final offset*4 code below runs just a tad faster on P4,
-# but exhibits up to 10% improvement on other cores.
-#
-# Second version is "monolithic" replacement for aes_core.c, which in
-# addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key.
-# This made it possible to implement little-endian variant of the
-# algorithm without modifying the base C code. Motivating factor for
-# the undertaken effort was that it appeared that in tight IA-32
-# register window little-endian flavor could achieve slightly higher
-# Instruction Level Parallelism, and it indeed resulted in up to 15%
-# better performance on most recent µ-archs...
-#
-# Third version adds AES_cbc_encrypt implementation, which resulted in
-# up to 40% performance improvement of CBC benchmark results. 40% was
-# observed on P4 core, where "overall" improvement coefficient, i.e. if
-# compared to PIC generated by GCC and in CBC mode, was observed to be
-# as large as 4x:-) CBC performance is virtually identical to ECB now
-# and on some platforms even better, e.g. 17.6 "small" cycles/byte on
-# Opteron, because certain function prologues and epilogues are
-# effectively taken out of the loop...
-#
-# Version 3.2 implements compressed tables and prefetch of these tables
-# in CBC[!] mode. Former means that 3/4 of table references are now
-# misaligned, which unfortunately has negative impact on elder IA-32
-# implementations, Pentium suffered 30% penalty, PIII - 10%.
-#
-# Version 3.3 avoids L1 cache aliasing between stack frame and
-# S-boxes, and 3.4 - L1 cache aliasing even between key schedule. The
-# latter is achieved by copying the key schedule to controlled place in
-# stack. This unfortunately has rather strong impact on small block CBC
-# performance, ~2x deterioration on 16-byte block if compared to 3.3.
-#
-# Version 3.5 checks if there is L1 cache aliasing between user-supplied
-# key schedule and S-boxes and abstains from copying the former if
-# there is no. This allows end-user to consciously retain small block
-# performance by aligning key schedule in specific manner.
-#
-# Version 3.6 compresses Td4 to 256 bytes and prefetches it in ECB.
-#
-# Current ECB performance numbers for 128-bit key in CPU cycles per
-# processed byte [measure commonly used by AES benchmarkers] are:
-#
-#		small footprint		fully unrolled
-# P4		24			22
-# AMD K8	20			19
-# PIII		25			23
-# Pentium	81			78
-#
-# Version 3.7 reimplements outer rounds as "compact." Meaning that
-# first and last rounds reference compact 256 bytes S-box. This means
-# that first round consumes a lot more CPU cycles and that encrypt
-# and decrypt performance becomes asymmetric. Encrypt performance
-# drops by 10-12%, while decrypt - by 20-25%:-( 256 bytes S-box is
-# aggressively pre-fetched.
-#
-# Version 4.0 effectively rolls back to 3.6 and instead implements
-# additional set of functions, _[x86|sse]_AES_[en|de]crypt_compact,
-# which use exclusively 256 byte S-box. These functions are to be
-# called in modes not concealing plain text, such as ECB, or when
-# we're asked to process smaller amount of data [or unconditionally
-# on hyper-threading CPU]. Currently it's called unconditionally from
-# AES_[en|de]crypt, which affects all modes, but CBC. CBC routine
-# still needs to be modified to switch between slower and faster
-# mode when appropriate... But in either case benchmark landscape
-# changes dramatically and below numbers are CPU cycles per processed
-# byte for 128-bit key.
-#
-#		ECB encrypt	ECB decrypt	CBC large chunk
-# P4		52[54]		83[95]		23
-# AMD K8	46[41]		66[70]		18
-# PIII		41[50]		60[77]		24
-# Core 2	31[36]		45[64]		18.5
-# Atom		76[100]		96[138]		60
-# Pentium	115		150		77
-#
-# Version 4.1 switches to compact S-box even in key schedule setup.
-#
-# Version 4.2 prefetches compact S-box in every SSE round or in other
-# words every cache-line is *guaranteed* to be accessed within ~50
-# cycles window. Why just SSE? Because it's needed on hyper-threading
-# CPU! Which is also why it's prefetched with 64 byte stride. Best
-# part is that it has no negative effect on performance:-)
-#
-# Version 4.3 implements switch between compact and non-compact block
-# functions in AES_cbc_encrypt depending on how much data was asked
-# to be processed in one stroke.
-#
-######################################################################
-# Timing attacks are classified in two classes: synchronous when
-# attacker consciously initiates cryptographic operation and collects
-# timing data of various character afterwards, and asynchronous when
-# malicious code is executed on same CPU simultaneously with AES,
-# instruments itself and performs statistical analysis of this data.
-#
-# As far as synchronous attacks go the root to the AES timing
-# vulnerability is twofold. Firstly, of 256 S-box elements at most 160
-# are referred to in single 128-bit block operation. Well, in C
-# implementation with 4 distinct tables it's actually as little as 40
-# references per 256 elements table, but anyway... Secondly, even
-# though S-box elements are clustered into smaller amount of cache-
-# lines, smaller than 160 and even 40, it turned out that for certain
-# plain-text pattern[s] or simply put chosen plain-text and given key
-# few cache-lines remain unaccessed during block operation. Now, if
-# attacker can figure out this access pattern, he can deduct the key
-# [or at least part of it]. The natural way to mitigate this kind of
-# attacks is to minimize the amount of cache-lines in S-box and/or
-# prefetch them to ensure that every one is accessed for more uniform
-# timing. But note that *if* plain-text was concealed in such way that
-# input to block function is distributed *uniformly*, then attack
-# wouldn't apply. Now note that some encryption modes, most notably
-# CBC, do mask the plain-text in this exact way [secure cipher output
-# is distributed uniformly]. Yes, one still might find input that
-# would reveal the information about given key, but if amount of
-# candidate inputs to be tried is larger than amount of possible key
-# combinations then attack becomes infeasible. This is why revised
-# AES_cbc_encrypt "dares" to switch to larger S-box when larger chunk
-# of data is to be processed in one stroke. The current size limit of
-# 512 bytes is chosen to provide same [diminishingly low] probability
-# for cache-line to remain untouched in large chunk operation with
-# large S-box as for single block operation with compact S-box and
-# surely needs more careful consideration...
-#
-# As for asynchronous attacks. There are two flavours: attacker code
-# being interleaved with AES on hyper-threading CPU at *instruction*
-# level, and two processes time sharing single core. As for latter.
-# Two vectors. 1. Given that attacker process has higher priority,
-# yield execution to process performing AES just before timer fires
-# off the scheduler, immediately regain control of CPU and analyze the
-# cache state. For this attack to be efficient attacker would have to
-# effectively slow down the operation by several *orders* of magnitude,
-# by ratio of time slice to duration of handful of AES rounds, which
-# unlikely to remain unnoticed. Not to mention that this also means
-# that he would spend correspondingly more time to collect enough
-# statistical data to mount the attack. It's probably appropriate to
-# say that if adversary reckons that this attack is beneficial and
-# risks to be noticed, you probably have larger problems having him
-# mere opportunity. In other words suggested code design expects you
-# to preclude/mitigate this attack by overall system security design.
-# 2. Attacker manages to make his code interrupt driven. In order for
-# this kind of attack to be feasible, interrupt rate has to be high
-# enough, again comparable to duration of handful of AES rounds. But
-# is there interrupt source of such rate? Hardly, not even 1Gbps NIC
-# generates interrupts at such raging rate...
-#
-# And now back to the former, hyper-threading CPU or more specifically
-# Intel P4. Recall that asynchronous attack implies that malicious
-# code instruments itself. And naturally instrumentation granularity
-# has be noticeably lower than duration of codepath accessing S-box.
-# Given that all cache-lines are accessed during that time that is.
-# Current implementation accesses *all* cache-lines within ~50 cycles
-# window, which is actually *less* than RDTSC latency on Intel P4!
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-push(@INC,"${dir}","${dir}../../perlasm");
-require "x86asm.pl";
-
-$output = pop and open STDOUT,">$output";
-
-&asm_init($ARGV[0],$x86only = $ARGV[$#ARGV] eq "386");
-&static_label("AES_Te");
-&static_label("AES_Td");
-
-$s0="eax";
-$s1="ebx";
-$s2="ecx";
-$s3="edx";
-$key="edi";
-$acc="esi";
-$tbl="ebp";
-
-# stack frame layout in _[x86|sse]_AES_* routines, frame is allocated
-# by caller
-$__ra=&DWP(0,"esp");	# return address
-$__s0=&DWP(4,"esp");	# s0 backing store
-$__s1=&DWP(8,"esp");	# s1 backing store
-$__s2=&DWP(12,"esp");	# s2 backing store
-$__s3=&DWP(16,"esp");	# s3 backing store
-$__key=&DWP(20,"esp");	# pointer to key schedule
-$__end=&DWP(24,"esp");	# pointer to end of key schedule
-$__tbl=&DWP(28,"esp");	# %ebp backing store
-
-# stack frame layout in AES_[en|crypt] routines, which differs from
-# above by 4 and overlaps by %ebp backing store
-$_tbl=&DWP(24,"esp");
-$_esp=&DWP(28,"esp");
-
-sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } }
-
-$speed_limit=512;	# chunks smaller than $speed_limit are
-			# processed with compact routine in CBC mode
-$small_footprint=1;	# $small_footprint=1 code is ~5% slower [on
-			# recent µ-archs], but ~5 times smaller!
-			# I favor compact code to minimize cache
-			# contention and in hope to "collect" 5% back
-			# in real-life applications...
-
-$vertical_spin=0;	# shift "vertically" defaults to 0, because of
-			# its proof-of-concept status...
-# Note that there is no decvert(), as well as last encryption round is
-# performed with "horizontal" shifts. This is because this "vertical"
-# implementation [one which groups shifts on a given $s[i] to form a
-# "column," unlike "horizontal" one, which groups shifts on different
-# $s[i] to form a "row"] is work in progress. It was observed to run
-# few percents faster on Intel cores, but not AMD. On AMD K8 core it's
-# whole 12% slower:-( So we face a trade-off... Shall it be resolved
-# some day? Till then the code is considered experimental and by
-# default remains dormant...
-
-sub encvert()
-{ my ($te,@s) = @_;
-  my ($v0,$v1) = ($acc,$key);
-
-	&mov	($v0,$s[3]);				# copy s3
-	&mov	(&DWP(4,"esp"),$s[2]);			# save s2
-	&mov	($v1,$s[0]);				# copy s0
-	&mov	(&DWP(8,"esp"),$s[1]);			# save s1
-
-	&movz	($s[2],&HB($s[0]));
-	&and	($s[0],0xFF);
-	&mov	($s[0],&DWP(0,$te,$s[0],8));		# s0>>0
-	&shr	($v1,16);
-	&mov	($s[3],&DWP(3,$te,$s[2],8));		# s0>>8
-	&movz	($s[1],&HB($v1));
-	&and	($v1,0xFF);
-	&mov	($s[2],&DWP(2,$te,$v1,8));		# s0>>16
-	 &mov	($v1,$v0);
-	&mov	($s[1],&DWP(1,$te,$s[1],8));		# s0>>24
-
-	&and	($v0,0xFF);
-	&xor	($s[3],&DWP(0,$te,$v0,8));		# s3>>0
-	&movz	($v0,&HB($v1));
-	&shr	($v1,16);
-	&xor	($s[2],&DWP(3,$te,$v0,8));		# s3>>8
-	&movz	($v0,&HB($v1));
-	&and	($v1,0xFF);
-	&xor	($s[1],&DWP(2,$te,$v1,8));		# s3>>16
-	 &mov	($v1,&DWP(4,"esp"));			# restore s2
-	&xor	($s[0],&DWP(1,$te,$v0,8));		# s3>>24
-
-	&mov	($v0,$v1);
-	&and	($v1,0xFF);
-	&xor	($s[2],&DWP(0,$te,$v1,8));		# s2>>0
-	&movz	($v1,&HB($v0));
-	&shr	($v0,16);
-	&xor	($s[1],&DWP(3,$te,$v1,8));		# s2>>8
-	&movz	($v1,&HB($v0));
-	&and	($v0,0xFF);
-	&xor	($s[0],&DWP(2,$te,$v0,8));		# s2>>16
-	 &mov	($v0,&DWP(8,"esp"));			# restore s1
-	&xor	($s[3],&DWP(1,$te,$v1,8));		# s2>>24
-
-	&mov	($v1,$v0);
-	&and	($v0,0xFF);
-	&xor	($s[1],&DWP(0,$te,$v0,8));		# s1>>0
-	&movz	($v0,&HB($v1));
-	&shr	($v1,16);
-	&xor	($s[0],&DWP(3,$te,$v0,8));		# s1>>8
-	&movz	($v0,&HB($v1));
-	&and	($v1,0xFF);
-	&xor	($s[3],&DWP(2,$te,$v1,8));		# s1>>16
-	 &mov	($key,$__key);				# reincarnate v1 as key
-	&xor	($s[2],&DWP(1,$te,$v0,8));		# s1>>24
-}
-
-# Another experimental routine, which features "horizontal spin," but
-# eliminates one reference to stack. Strangely enough runs slower...
-sub enchoriz()
-{ my ($v0,$v1) = ($key,$acc);
-
-	&movz	($v0,&LB($s0));			#  3, 2, 1, 0*
-	&rotr	($s2,8);			#  8,11,10, 9
-	&mov	($v1,&DWP(0,$te,$v0,8));	#  0
-	&movz	($v0,&HB($s1));			#  7, 6, 5*, 4
-	&rotr	($s3,16);			# 13,12,15,14
-	&xor	($v1,&DWP(3,$te,$v0,8));	#  5
-	&movz	($v0,&HB($s2));			#  8,11,10*, 9
-	&rotr	($s0,16);			#  1, 0, 3, 2
-	&xor	($v1,&DWP(2,$te,$v0,8));	# 10
-	&movz	($v0,&HB($s3));			# 13,12,15*,14
-	&xor	($v1,&DWP(1,$te,$v0,8));	# 15, t[0] collected
-	&mov	($__s0,$v1);			# t[0] saved
-
-	&movz	($v0,&LB($s1));			#  7, 6, 5, 4*
-	&shr	($s1,16);			#  -, -, 7, 6
-	&mov	($v1,&DWP(0,$te,$v0,8));	#  4
-	&movz	($v0,&LB($s3));			# 13,12,15,14*
-	&xor	($v1,&DWP(2,$te,$v0,8));	# 14
-	&movz	($v0,&HB($s0));			#  1, 0, 3*, 2
-	&and	($s3,0xffff0000);		# 13,12, -, -
-	&xor	($v1,&DWP(1,$te,$v0,8));	#  3
-	&movz	($v0,&LB($s2));			#  8,11,10, 9*
-	&or	($s3,$s1);			# 13,12, 7, 6
-	&xor	($v1,&DWP(3,$te,$v0,8));	#  9, t[1] collected
-	&mov	($s1,$v1);			#  s[1]=t[1]
-
-	&movz	($v0,&LB($s0));			#  1, 0, 3, 2*
-	&shr	($s2,16);			#  -, -, 8,11
-	&mov	($v1,&DWP(2,$te,$v0,8));	#  2
-	&movz	($v0,&HB($s3));			# 13,12, 7*, 6
-	&xor	($v1,&DWP(1,$te,$v0,8));	#  7
-	&movz	($v0,&HB($s2));			#  -, -, 8*,11
-	&xor	($v1,&DWP(0,$te,$v0,8));	#  8
-	&mov	($v0,$s3);
-	&shr	($v0,24);			# 13
-	&xor	($v1,&DWP(3,$te,$v0,8));	# 13, t[2] collected
-
-	&movz	($v0,&LB($s2));			#  -, -, 8,11*
-	&shr	($s0,24);			#  1*
-	&mov	($s2,&DWP(1,$te,$v0,8));	# 11
-	&xor	($s2,&DWP(3,$te,$s0,8));	#  1
-	&mov	($s0,$__s0);			# s[0]=t[0]
-	&movz	($v0,&LB($s3));			# 13,12, 7, 6*
-	&shr	($s3,16);			#   ,  ,13,12
-	&xor	($s2,&DWP(2,$te,$v0,8));	#  6
-	&mov	($key,$__key);			# reincarnate v0 as key
-	&and	($s3,0xff);			#   ,  ,13,12*
-	&mov	($s3,&DWP(0,$te,$s3,8));	# 12
-	&xor	($s3,$s2);			# s[2]=t[3] collected
-	&mov	($s2,$v1);			# s[2]=t[2]
-}
-
-# More experimental code... SSE one... Even though this one eliminates
-# *all* references to stack, it's not faster...
-sub sse_encbody()
-{
-	&movz	($acc,&LB("eax"));		#  0
-	&mov	("ecx",&DWP(0,$tbl,$acc,8));	#  0
-	&pshufw	("mm2","mm0",0x0d);		#  7, 6, 3, 2
-	&movz	("edx",&HB("eax"));		#  1
-	&mov	("edx",&DWP(3,$tbl,"edx",8));	#  1
-	&shr	("eax",16);			#  5, 4
-
-	&movz	($acc,&LB("ebx"));		# 10
-	&xor	("ecx",&DWP(2,$tbl,$acc,8));	# 10
-	&pshufw	("mm6","mm4",0x08);		# 13,12, 9, 8
-	&movz	($acc,&HB("ebx"));		# 11
-	&xor	("edx",&DWP(1,$tbl,$acc,8));	# 11
-	&shr	("ebx",16);			# 15,14
-
-	&movz	($acc,&HB("eax"));		#  5
-	&xor	("ecx",&DWP(3,$tbl,$acc,8));	#  5
-	&movq	("mm3",QWP(16,$key));
-	&movz	($acc,&HB("ebx"));		# 15
-	&xor	("ecx",&DWP(1,$tbl,$acc,8));	# 15
-	&movd	("mm0","ecx");			# t[0] collected
-
-	&movz	($acc,&LB("eax"));		#  4
-	&mov	("ecx",&DWP(0,$tbl,$acc,8));	#  4
-	&movd	("eax","mm2");			#  7, 6, 3, 2
-	&movz	($acc,&LB("ebx"));		# 14
-	&xor	("ecx",&DWP(2,$tbl,$acc,8));	# 14
-	&movd	("ebx","mm6");			# 13,12, 9, 8
-
-	&movz	($acc,&HB("eax"));		#  3
-	&xor	("ecx",&DWP(1,$tbl,$acc,8));	#  3
-	&movz	($acc,&HB("ebx"));		#  9
-	&xor	("ecx",&DWP(3,$tbl,$acc,8));	#  9
-	&movd	("mm1","ecx");			# t[1] collected
-
-	&movz	($acc,&LB("eax"));		#  2
-	&mov	("ecx",&DWP(2,$tbl,$acc,8));	#  2
-	&shr	("eax",16);			#  7, 6
-	&punpckldq	("mm0","mm1");		# t[0,1] collected
-	&movz	($acc,&LB("ebx"));		#  8
-	&xor	("ecx",&DWP(0,$tbl,$acc,8));	#  8
-	&shr	("ebx",16);			# 13,12
-
-	&movz	($acc,&HB("eax"));		#  7
-	&xor	("ecx",&DWP(1,$tbl,$acc,8));	#  7
-	&pxor	("mm0","mm3");
-	&movz	("eax",&LB("eax"));		#  6
-	&xor	("edx",&DWP(2,$tbl,"eax",8));	#  6
-	&pshufw	("mm1","mm0",0x08);		#  5, 4, 1, 0
-	&movz	($acc,&HB("ebx"));		# 13
-	&xor	("ecx",&DWP(3,$tbl,$acc,8));	# 13
-	&xor	("ecx",&DWP(24,$key));		# t[2]
-	&movd	("mm4","ecx");			# t[2] collected
-	&movz	("ebx",&LB("ebx"));		# 12
-	&xor	("edx",&DWP(0,$tbl,"ebx",8));	# 12
-	&shr	("ecx",16);
-	&movd	("eax","mm1");			#  5, 4, 1, 0
-	&mov	("ebx",&DWP(28,$key));		# t[3]
-	&xor	("ebx","edx");
-	&movd	("mm5","ebx");			# t[3] collected
-	&and	("ebx",0xffff0000);
-	&or	("ebx","ecx");
-
-	&punpckldq	("mm4","mm5");		# t[2,3] collected
-}
-
-######################################################################
-# "Compact" block function
-######################################################################
-
-sub enccompact()
-{ my $Fn = \&mov;
-  while ($#_>5) { pop(@_); $Fn=sub{}; }
-  my ($i,$te,@s)=@_;
-  my $tmp = $key;
-  my $out = $i==3?$s[0]:$acc;
-
-	# $Fn is used in first compact round and its purpose is to
-	# void restoration of some values from stack, so that after
-	# 4xenccompact with extra argument $key value is left there...
-	if ($i==3)  {	&$Fn	($key,$__key);			}##%edx
-	else        {	&mov	($out,$s[0]);			}
-			&and	($out,0xFF);
-	if ($i==1)  {	&shr	($s[0],16);			}#%ebx[1]
-	if ($i==2)  {	&shr	($s[0],24);			}#%ecx[2]
-			&movz	($out,&BP(-128,$te,$out,1));
-
-	if ($i==3)  {	$tmp=$s[1];				}##%eax
-			&movz	($tmp,&HB($s[1]));
-			&movz	($tmp,&BP(-128,$te,$tmp,1));
-			&shl	($tmp,8);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$__s0);		}##%ebx
-	else        {	&mov	($tmp,$s[2]);
-			&shr	($tmp,16);			}
-	if ($i==2)  {	&and	($s[1],0xFF);			}#%edx[2]
-			&and	($tmp,0xFF);
-			&movz	($tmp,&BP(-128,$te,$tmp,1));
-			&shl	($tmp,16);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],$__s1);		}##%ecx
-	elsif($i==2){	&movz	($tmp,&HB($s[3]));		}#%ebx[2]
-	else        {	&mov	($tmp,$s[3]);
-			&shr	($tmp,24);			}
-			&movz	($tmp,&BP(-128,$te,$tmp,1));
-			&shl	($tmp,24);
-			&xor	($out,$tmp);
-	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
-	if ($i==3)  {	&mov	($s[3],$acc);			}
-	&comment();
-}
-
-sub enctransform()
-{ my @s = ($s0,$s1,$s2,$s3);
-  my $i = shift;
-  my $tmp = $tbl;
-  my $r2  = $key ;
-
-	&and	($tmp,$s[$i]);
-	&lea	($r2,&DWP(0,$s[$i],$s[$i]));
-	&mov	($acc,$tmp);
-	&shr	($tmp,7);
-	&and	($r2,0xfefefefe);
-	&sub	($acc,$tmp);
-	&mov	($tmp,$s[$i]);
-	&and	($acc,0x1b1b1b1b);
-	&rotr	($tmp,16);
-	&xor	($acc,$r2);	# r2
-	&mov	($r2,$s[$i]);
-
-	&xor	($s[$i],$acc);	# r0 ^ r2
-	&rotr	($r2,16+8);
-	&xor	($acc,$tmp);
-	&rotl	($s[$i],24);
-	&xor	($acc,$r2);
-	&mov	($tmp,0x80808080)	if ($i!=1);
-	&xor	($s[$i],$acc);	# ROTATE(r2^r0,24) ^ r2
-}
-
-&function_begin_B("_x86_AES_encrypt_compact");
-	# note that caller is expected to allocate stack frame for me!
-	&mov	($__key,$key);			# save key
-
-	&xor	($s0,&DWP(0,$key));		# xor with key
-	&xor	($s1,&DWP(4,$key));
-	&xor	($s2,&DWP(8,$key));
-	&xor	($s3,&DWP(12,$key));
-
-	&mov	($acc,&DWP(240,$key));		# load key->rounds
-	&lea	($acc,&DWP(-2,$acc,$acc));
-	&lea	($acc,&DWP(0,$key,$acc,8));
-	&mov	($__end,$acc);			# end of key schedule
-
-	# prefetch Te4
-	&mov	($key,&DWP(0-128,$tbl));
-	&mov	($acc,&DWP(32-128,$tbl));
-	&mov	($key,&DWP(64-128,$tbl));
-	&mov	($acc,&DWP(96-128,$tbl));
-	&mov	($key,&DWP(128-128,$tbl));
-	&mov	($acc,&DWP(160-128,$tbl));
-	&mov	($key,&DWP(192-128,$tbl));
-	&mov	($acc,&DWP(224-128,$tbl));
-
-	&set_label("loop",16);
-
-		&enccompact(0,$tbl,$s0,$s1,$s2,$s3,1);
-		&enccompact(1,$tbl,$s1,$s2,$s3,$s0,1);
-		&enccompact(2,$tbl,$s2,$s3,$s0,$s1,1);
-		&enccompact(3,$tbl,$s3,$s0,$s1,$s2,1);
-		&mov	($tbl,0x80808080);
-		&enctransform(2);
-		&enctransform(3);
-		&enctransform(0);
-		&enctransform(1);
-		&mov 	($key,$__key);
-		&mov	($tbl,$__tbl);
-		&add	($key,16);		# advance rd_key
-		&xor	($s0,&DWP(0,$key));
-		&xor	($s1,&DWP(4,$key));
-		&xor	($s2,&DWP(8,$key));
-		&xor	($s3,&DWP(12,$key));
-
-	&cmp	($key,$__end);
-	&mov	($__key,$key);
-	&jb	(&label("loop"));
-
-	&enccompact(0,$tbl,$s0,$s1,$s2,$s3);
-	&enccompact(1,$tbl,$s1,$s2,$s3,$s0);
-	&enccompact(2,$tbl,$s2,$s3,$s0,$s1);
-	&enccompact(3,$tbl,$s3,$s0,$s1,$s2);
-
-	&xor	($s0,&DWP(16,$key));
-	&xor	($s1,&DWP(20,$key));
-	&xor	($s2,&DWP(24,$key));
-	&xor	($s3,&DWP(28,$key));
-
-	&ret	();
-&function_end_B("_x86_AES_encrypt_compact");
-
-######################################################################
-# "Compact" SSE block function.
-######################################################################
-#
-# Performance is not actually extraordinary in comparison to pure
-# x86 code. In particular encrypt performance is virtually the same.
-# Decrypt performance on the other hand is 15-20% better on newer
-# µ-archs [but we're thankful for *any* improvement here], and ~50%
-# better on PIII:-) And additionally on the pros side this code
-# eliminates redundant references to stack and thus relieves/
-# minimizes the pressure on the memory bus.
-#
-# MMX register layout                           lsb
-# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-# |          mm4          |          mm0          |
-# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-# |     s3    |     s2    |     s1    |     s0    |
-# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-# |15|14|13|12|11|10| 9| 8| 7| 6| 5| 4| 3| 2| 1| 0|
-# +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-#
-# Indexes translate as s[N/4]>>(8*(N%4)), e.g. 5 means s1>>8.
-# In this terms encryption and decryption "compact" permutation
-# matrices can be depicted as following:
-#
-# encryption              lsb	# decryption              lsb
-# +----++----+----+----+----+	# +----++----+----+----+----+
-# | t0 || 15 | 10 |  5 |  0 |	# | t0 ||  7 | 10 | 13 |  0 |
-# +----++----+----+----+----+	# +----++----+----+----+----+
-# | t1 ||  3 | 14 |  9 |  4 |	# | t1 || 11 | 14 |  1 |  4 |
-# +----++----+----+----+----+	# +----++----+----+----+----+
-# | t2 ||  7 |  2 | 13 |  8 |	# | t2 || 15 |  2 |  5 |  8 |
-# +----++----+----+----+----+	# +----++----+----+----+----+
-# | t3 || 11 |  6 |  1 | 12 |	# | t3 ||  3 |  6 |  9 | 12 |
-# +----++----+----+----+----+	# +----++----+----+----+----+
-#
-######################################################################
-# Why not xmm registers? Short answer. It was actually tested and
-# was not any faster, but *contrary*, most notably on Intel CPUs.
-# Longer answer. Main advantage of using mm registers is that movd
-# latency is lower, especially on Intel P4. While arithmetic
-# instructions are twice as many, they can be scheduled every cycle
-# and not every second one when they are operating on xmm register,
-# so that "arithmetic throughput" remains virtually the same. And
-# finally the code can be executed even on elder SSE-only CPUs:-)
-
-sub sse_enccompact()
-{
-	&pshufw	("mm1","mm0",0x08);		#  5, 4, 1, 0
-	&pshufw	("mm5","mm4",0x0d);		# 15,14,11,10
-	&movd	("eax","mm1");			#  5, 4, 1, 0
-	&movd	("ebx","mm5");			# 15,14,11,10
-	&mov	($__key,$key);
-
-	&movz	($acc,&LB("eax"));		#  0
-	&movz	("edx",&HB("eax"));		#  1
-	&pshufw	("mm2","mm0",0x0d);		#  7, 6, 3, 2
-	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
-	&movz	($key,&LB("ebx"));		# 10
-	&movz	("edx",&BP(-128,$tbl,"edx",1));	#  1
-	&shr	("eax",16);			#  5, 4
-	&shl	("edx",8);			#  1
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 10
-	&movz	($key,&HB("ebx"));		# 11
-	&shl	($acc,16);			# 10
-	&pshufw	("mm6","mm4",0x08);		# 13,12, 9, 8
-	&or	("ecx",$acc);			# 10
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 11
-	&movz	($key,&HB("eax"));		#  5
-	&shl	($acc,24);			# 11
-	&shr	("ebx",16);			# 15,14
-	&or	("edx",$acc);			# 11
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  5
-	&movz	($key,&HB("ebx"));		# 15
-	&shl	($acc,8);			#  5
-	&or	("ecx",$acc);			#  5
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 15
-	&movz	($key,&LB("eax"));		#  4
-	&shl	($acc,24);			# 15
-	&or	("ecx",$acc);			# 15
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  4
-	&movz	($key,&LB("ebx"));		# 14
-	&movd	("eax","mm2");			#  7, 6, 3, 2
-	&movd	("mm0","ecx");			# t[0] collected
-	&movz	("ecx",&BP(-128,$tbl,$key,1));	# 14
-	&movz	($key,&HB("eax"));		#  3
-	&shl	("ecx",16);			# 14
-	&movd	("ebx","mm6");			# 13,12, 9, 8
-	&or	("ecx",$acc);			# 14
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  3
-	&movz	($key,&HB("ebx"));		#  9
-	&shl	($acc,24);			#  3
-	&or	("ecx",$acc);			#  3
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  9
-	&movz	($key,&LB("ebx"));		#  8
-	&shl	($acc,8);			#  9
-	&shr	("ebx",16);			# 13,12
-	&or	("ecx",$acc);			#  9
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  8
-	&movz	($key,&LB("eax"));		#  2
-	&shr	("eax",16);			#  7, 6
-	&movd	("mm1","ecx");			# t[1] collected
-	&movz	("ecx",&BP(-128,$tbl,$key,1));	#  2
-	&movz	($key,&HB("eax"));		#  7
-	&shl	("ecx",16);			#  2
-	&and	("eax",0xff);			#  6
-	&or	("ecx",$acc);			#  2
-
-	&punpckldq	("mm0","mm1");		# t[0,1] collected
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  7
-	&movz	($key,&HB("ebx"));		# 13
-	&shl	($acc,24);			#  7
-	&and	("ebx",0xff);			# 12
-	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  6
-	&or	("ecx",$acc);			#  7
-	&shl	("eax",16);			#  6
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 13
-	&or	("edx","eax");			#  6
-	&shl	($acc,8);			# 13
-	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	# 12
-	&or	("ecx",$acc);			# 13
-	&or	("edx","ebx");			# 12
-	&mov	($key,$__key);
-	&movd	("mm4","ecx");			# t[2] collected
-	&movd	("mm5","edx");			# t[3] collected
-
-	&punpckldq	("mm4","mm5");		# t[2,3] collected
-}
-
-					if (!$x86only) {
-&function_begin_B("_sse_AES_encrypt_compact");
-	&pxor	("mm0",&QWP(0,$key));	#  7, 6, 5, 4, 3, 2, 1, 0
-	&pxor	("mm4",&QWP(8,$key));	# 15,14,13,12,11,10, 9, 8
-
-	# note that caller is expected to allocate stack frame for me!
-	&mov	($acc,&DWP(240,$key));		# load key->rounds
-	&lea	($acc,&DWP(-2,$acc,$acc));
-	&lea	($acc,&DWP(0,$key,$acc,8));
-	&mov	($__end,$acc);			# end of key schedule
-
-	&mov	($s0,0x1b1b1b1b);		# magic constant
-	&mov	(&DWP(8,"esp"),$s0);
-	&mov	(&DWP(12,"esp"),$s0);
-
-	# prefetch Te4
-	&mov	($s0,&DWP(0-128,$tbl));
-	&mov	($s1,&DWP(32-128,$tbl));
-	&mov	($s2,&DWP(64-128,$tbl));
-	&mov	($s3,&DWP(96-128,$tbl));
-	&mov	($s0,&DWP(128-128,$tbl));
-	&mov	($s1,&DWP(160-128,$tbl));
-	&mov	($s2,&DWP(192-128,$tbl));
-	&mov	($s3,&DWP(224-128,$tbl));
-
-	&set_label("loop",16);
-		&sse_enccompact();
-		&add	($key,16);
-		&cmp	($key,$__end);
-		&ja	(&label("out"));
-
-		&movq	("mm2",&QWP(8,"esp"));
-		&pxor	("mm3","mm3");		&pxor	("mm7","mm7");
-		&movq	("mm1","mm0");		&movq	("mm5","mm4");	# r0
-		&pcmpgtb("mm3","mm0");		&pcmpgtb("mm7","mm4");
-		&pand	("mm3","mm2");		&pand	("mm7","mm2");
-		&pshufw	("mm2","mm0",0xb1);	&pshufw	("mm6","mm4",0xb1);# ROTATE(r0,16)
-		&paddb	("mm0","mm0");		&paddb	("mm4","mm4");
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# = r2
-		&pshufw	("mm3","mm2",0xb1);	&pshufw	("mm7","mm6",0xb1);# r0
-		&pxor	("mm1","mm0");		&pxor	("mm5","mm4");	# r0^r2
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");	# ^= ROTATE(r0,16)
-
-		&movq	("mm2","mm3");		&movq	("mm6","mm7");
-		&pslld	("mm3",8);		&pslld	("mm7",8);
-		&psrld	("mm2",24);		&psrld	("mm6",24);
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= r0<<8
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");	# ^= r0>>24
-
-		&movq	("mm3","mm1");		&movq	("mm7","mm5");
-		&movq	("mm2",&QWP(0,$key));	&movq	("mm6",&QWP(8,$key));
-		&psrld	("mm1",8);		&psrld	("mm5",8);
-		&mov	($s0,&DWP(0-128,$tbl));
-		&pslld	("mm3",24);		&pslld	("mm7",24);
-		&mov	($s1,&DWP(64-128,$tbl));
-		&pxor	("mm0","mm1");		&pxor	("mm4","mm5");	# ^= (r2^r0)<<8
-		&mov	($s2,&DWP(128-128,$tbl));
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= (r2^r0)>>24
-		&mov	($s3,&DWP(192-128,$tbl));
-
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");
-	&jmp	(&label("loop"));
-
-	&set_label("out",16);
-	&pxor	("mm0",&QWP(0,$key));
-	&pxor	("mm4",&QWP(8,$key));
-
-	&ret	();
-&function_end_B("_sse_AES_encrypt_compact");
-					}
-
-######################################################################
-# Vanilla block function.
-######################################################################
-
-sub encstep()
-{ my ($i,$te,@s) = @_;
-  my $tmp = $key;
-  my $out = $i==3?$s[0]:$acc;
-
-	# lines marked with #%e?x[i] denote "reordered" instructions...
-	if ($i==3)  {	&mov	($key,$__key);			}##%edx
-	else        {	&mov	($out,$s[0]);
-			&and	($out,0xFF);			}
-	if ($i==1)  {	&shr	($s[0],16);			}#%ebx[1]
-	if ($i==2)  {	&shr	($s[0],24);			}#%ecx[2]
-			&mov	($out,&DWP(0,$te,$out,8));
-
-	if ($i==3)  {	$tmp=$s[1];				}##%eax
-			&movz	($tmp,&HB($s[1]));
-			&xor	($out,&DWP(3,$te,$tmp,8));
-
-	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$__s0);		}##%ebx
-	else        {	&mov	($tmp,$s[2]);
-			&shr	($tmp,16);			}
-	if ($i==2)  {	&and	($s[1],0xFF);			}#%edx[2]
-			&and	($tmp,0xFF);
-			&xor	($out,&DWP(2,$te,$tmp,8));
-
-	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],$__s1);		}##%ecx
-	elsif($i==2){	&movz	($tmp,&HB($s[3]));		}#%ebx[2]
-	else        {	&mov	($tmp,$s[3]);
-			&shr	($tmp,24)			}
-			&xor	($out,&DWP(1,$te,$tmp,8));
-	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
-	if ($i==3)  {	&mov	($s[3],$acc);			}
-			&comment();
-}
-
-sub enclast()
-{ my ($i,$te,@s)=@_;
-  my $tmp = $key;
-  my $out = $i==3?$s[0]:$acc;
-
-	if ($i==3)  {	&mov	($key,$__key);			}##%edx
-	else        {	&mov	($out,$s[0]);			}
-			&and	($out,0xFF);
-	if ($i==1)  {	&shr	($s[0],16);			}#%ebx[1]
-	if ($i==2)  {	&shr	($s[0],24);			}#%ecx[2]
-			&mov	($out,&DWP(2,$te,$out,8));
-			&and	($out,0x000000ff);
-
-	if ($i==3)  {	$tmp=$s[1];				}##%eax
-			&movz	($tmp,&HB($s[1]));
-			&mov	($tmp,&DWP(0,$te,$tmp,8));
-			&and	($tmp,0x0000ff00);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$__s0);		}##%ebx
-	else        {	&mov	($tmp,$s[2]);
-			&shr	($tmp,16);			}
-	if ($i==2)  {	&and	($s[1],0xFF);			}#%edx[2]
-			&and	($tmp,0xFF);
-			&mov	($tmp,&DWP(0,$te,$tmp,8));
-			&and	($tmp,0x00ff0000);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],$__s1);		}##%ecx
-	elsif($i==2){	&movz	($tmp,&HB($s[3]));		}#%ebx[2]
-	else        {	&mov	($tmp,$s[3]);
-			&shr	($tmp,24);			}
-			&mov	($tmp,&DWP(2,$te,$tmp,8));
-			&and	($tmp,0xff000000);
-			&xor	($out,$tmp);
-	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
-	if ($i==3)  {	&mov	($s[3],$acc);			}
-}
-
-&function_begin_B("_x86_AES_encrypt");
-	if ($vertical_spin) {
-		# I need high parts of volatile registers to be accessible...
-		&exch	($s1="edi",$key="ebx");
-		&mov	($s2="esi",$acc="ecx");
-	}
-
-	# note that caller is expected to allocate stack frame for me!
-	&mov	($__key,$key);			# save key
-
-	&xor	($s0,&DWP(0,$key));		# xor with key
-	&xor	($s1,&DWP(4,$key));
-	&xor	($s2,&DWP(8,$key));
-	&xor	($s3,&DWP(12,$key));
-
-	&mov	($acc,&DWP(240,$key));		# load key->rounds
-
-	if ($small_footprint) {
-	    &lea	($acc,&DWP(-2,$acc,$acc));
-	    &lea	($acc,&DWP(0,$key,$acc,8));
-	    &mov	($__end,$acc);		# end of key schedule
-
-	    &set_label("loop",16);
-		if ($vertical_spin) {
-		    &encvert($tbl,$s0,$s1,$s2,$s3);
-		} else {
-		    &encstep(0,$tbl,$s0,$s1,$s2,$s3);
-		    &encstep(1,$tbl,$s1,$s2,$s3,$s0);
-		    &encstep(2,$tbl,$s2,$s3,$s0,$s1);
-		    &encstep(3,$tbl,$s3,$s0,$s1,$s2);
-		}
-		&add	($key,16);		# advance rd_key
-		&xor	($s0,&DWP(0,$key));
-		&xor	($s1,&DWP(4,$key));
-		&xor	($s2,&DWP(8,$key));
-		&xor	($s3,&DWP(12,$key));
-	    &cmp	($key,$__end);
-	    &mov	($__key,$key);
-	    &jb		(&label("loop"));
-	}
-	else {
-	    &cmp	($acc,10);
-	    &jle	(&label("10rounds"));
-	    &cmp	($acc,12);
-	    &jle	(&label("12rounds"));
-
-	&set_label("14rounds",4);
-	    for ($i=1;$i<3;$i++) {
-		if ($vertical_spin) {
-		    &encvert($tbl,$s0,$s1,$s2,$s3);
-		} else {
-		    &encstep(0,$tbl,$s0,$s1,$s2,$s3);
-		    &encstep(1,$tbl,$s1,$s2,$s3,$s0);
-		    &encstep(2,$tbl,$s2,$s3,$s0,$s1);
-		    &encstep(3,$tbl,$s3,$s0,$s1,$s2);
-		}
-		&xor	($s0,&DWP(16*$i+0,$key));
-		&xor	($s1,&DWP(16*$i+4,$key));
-		&xor	($s2,&DWP(16*$i+8,$key));
-		&xor	($s3,&DWP(16*$i+12,$key));
-	    }
-	    &add	($key,32);
-	    &mov	($__key,$key);		# advance rd_key
-	&set_label("12rounds",4);
-	    for ($i=1;$i<3;$i++) {
-		if ($vertical_spin) {
-		    &encvert($tbl,$s0,$s1,$s2,$s3);
-		} else {
-		    &encstep(0,$tbl,$s0,$s1,$s2,$s3);
-		    &encstep(1,$tbl,$s1,$s2,$s3,$s0);
-		    &encstep(2,$tbl,$s2,$s3,$s0,$s1);
-		    &encstep(3,$tbl,$s3,$s0,$s1,$s2);
-		}
-		&xor	($s0,&DWP(16*$i+0,$key));
-		&xor	($s1,&DWP(16*$i+4,$key));
-		&xor	($s2,&DWP(16*$i+8,$key));
-		&xor	($s3,&DWP(16*$i+12,$key));
-	    }
-	    &add	($key,32);
-	    &mov	($__key,$key);		# advance rd_key
-	&set_label("10rounds",4);
-	    for ($i=1;$i<10;$i++) {
-		if ($vertical_spin) {
-		    &encvert($tbl,$s0,$s1,$s2,$s3);
-		} else {
-		    &encstep(0,$tbl,$s0,$s1,$s2,$s3);
-		    &encstep(1,$tbl,$s1,$s2,$s3,$s0);
-		    &encstep(2,$tbl,$s2,$s3,$s0,$s1);
-		    &encstep(3,$tbl,$s3,$s0,$s1,$s2);
-		}
-		&xor	($s0,&DWP(16*$i+0,$key));
-		&xor	($s1,&DWP(16*$i+4,$key));
-		&xor	($s2,&DWP(16*$i+8,$key));
-		&xor	($s3,&DWP(16*$i+12,$key));
-	    }
-	}
-
-	if ($vertical_spin) {
-	    # "reincarnate" some registers for "horizontal" spin...
-	    &mov	($s1="ebx",$key="edi");
-	    &mov	($s2="ecx",$acc="esi");
-	}
-	&enclast(0,$tbl,$s0,$s1,$s2,$s3);
-	&enclast(1,$tbl,$s1,$s2,$s3,$s0);
-	&enclast(2,$tbl,$s2,$s3,$s0,$s1);
-	&enclast(3,$tbl,$s3,$s0,$s1,$s2);
-
-	&add	($key,$small_footprint?16:160);
-	&xor	($s0,&DWP(0,$key));
-	&xor	($s1,&DWP(4,$key));
-	&xor	($s2,&DWP(8,$key));
-	&xor	($s3,&DWP(12,$key));
-
-	&ret	();
-
-&set_label("AES_Te",64);	# Yes! I keep it in the code segment!
-	&_data_word(0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6);
-	&_data_word(0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591);
-	&_data_word(0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56);
-	&_data_word(0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec);
-	&_data_word(0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa);
-	&_data_word(0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb);
-	&_data_word(0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45);
-	&_data_word(0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b);
-	&_data_word(0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c);
-	&_data_word(0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83);
-	&_data_word(0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9);
-	&_data_word(0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a);
-	&_data_word(0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d);
-	&_data_word(0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f);
-	&_data_word(0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df);
-	&_data_word(0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea);
-	&_data_word(0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34);
-	&_data_word(0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b);
-	&_data_word(0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d);
-	&_data_word(0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413);
-	&_data_word(0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1);
-	&_data_word(0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6);
-	&_data_word(0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972);
-	&_data_word(0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85);
-	&_data_word(0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed);
-	&_data_word(0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511);
-	&_data_word(0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe);
-	&_data_word(0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b);
-	&_data_word(0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05);
-	&_data_word(0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1);
-	&_data_word(0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142);
-	&_data_word(0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf);
-	&_data_word(0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3);
-	&_data_word(0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e);
-	&_data_word(0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a);
-	&_data_word(0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6);
-	&_data_word(0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3);
-	&_data_word(0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b);
-	&_data_word(0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428);
-	&_data_word(0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad);
-	&_data_word(0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14);
-	&_data_word(0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8);
-	&_data_word(0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4);
-	&_data_word(0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2);
-	&_data_word(0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda);
-	&_data_word(0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949);
-	&_data_word(0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf);
-	&_data_word(0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810);
-	&_data_word(0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c);
-	&_data_word(0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697);
-	&_data_word(0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e);
-	&_data_word(0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f);
-	&_data_word(0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc);
-	&_data_word(0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c);
-	&_data_word(0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969);
-	&_data_word(0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27);
-	&_data_word(0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122);
-	&_data_word(0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433);
-	&_data_word(0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9);
-	&_data_word(0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5);
-	&_data_word(0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a);
-	&_data_word(0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0);
-	&_data_word(0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e);
-	&_data_word(0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c);
-
-#Te4	# four copies of Te4 to choose from to avoid L1 aliasing
-	&data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5);
-	&data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76);
-	&data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0);
-	&data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0);
-	&data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc);
-	&data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15);
-	&data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a);
-	&data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75);
-	&data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0);
-	&data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84);
-	&data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b);
-	&data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf);
-	&data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85);
-	&data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8);
-	&data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5);
-	&data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2);
-	&data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17);
-	&data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73);
-	&data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88);
-	&data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb);
-	&data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c);
-	&data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79);
-	&data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9);
-	&data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08);
-	&data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6);
-	&data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a);
-	&data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e);
-	&data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e);
-	&data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94);
-	&data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf);
-	&data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68);
-	&data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16);
-
-	&data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5);
-	&data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76);
-	&data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0);
-	&data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0);
-	&data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc);
-	&data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15);
-	&data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a);
-	&data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75);
-	&data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0);
-	&data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84);
-	&data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b);
-	&data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf);
-	&data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85);
-	&data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8);
-	&data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5);
-	&data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2);
-	&data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17);
-	&data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73);
-	&data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88);
-	&data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb);
-	&data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c);
-	&data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79);
-	&data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9);
-	&data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08);
-	&data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6);
-	&data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a);
-	&data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e);
-	&data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e);
-	&data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94);
-	&data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf);
-	&data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68);
-	&data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16);
-
-	&data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5);
-	&data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76);
-	&data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0);
-	&data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0);
-	&data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc);
-	&data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15);
-	&data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a);
-	&data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75);
-	&data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0);
-	&data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84);
-	&data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b);
-	&data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf);
-	&data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85);
-	&data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8);
-	&data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5);
-	&data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2);
-	&data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17);
-	&data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73);
-	&data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88);
-	&data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb);
-	&data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c);
-	&data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79);
-	&data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9);
-	&data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08);
-	&data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6);
-	&data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a);
-	&data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e);
-	&data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e);
-	&data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94);
-	&data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf);
-	&data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68);
-	&data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16);
-
-	&data_byte(0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5);
-	&data_byte(0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76);
-	&data_byte(0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0);
-	&data_byte(0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0);
-	&data_byte(0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc);
-	&data_byte(0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15);
-	&data_byte(0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a);
-	&data_byte(0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75);
-	&data_byte(0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0);
-	&data_byte(0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84);
-	&data_byte(0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b);
-	&data_byte(0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf);
-	&data_byte(0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85);
-	&data_byte(0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8);
-	&data_byte(0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5);
-	&data_byte(0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2);
-	&data_byte(0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17);
-	&data_byte(0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73);
-	&data_byte(0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88);
-	&data_byte(0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb);
-	&data_byte(0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c);
-	&data_byte(0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79);
-	&data_byte(0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9);
-	&data_byte(0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08);
-	&data_byte(0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6);
-	&data_byte(0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a);
-	&data_byte(0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e);
-	&data_byte(0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e);
-	&data_byte(0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94);
-	&data_byte(0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf);
-	&data_byte(0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68);
-	&data_byte(0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16);
-#rcon:
-	&data_word(0x00000001, 0x00000002, 0x00000004, 0x00000008);
-	&data_word(0x00000010, 0x00000020, 0x00000040, 0x00000080);
-	&data_word(0x0000001b, 0x00000036, 0x00000000, 0x00000000);
-	&data_word(0x00000000, 0x00000000, 0x00000000, 0x00000000);
-&function_end_B("_x86_AES_encrypt");
-
-# void AES_encrypt (const void *inp,void *out,const AES_KEY *key);
-&function_begin("AES_encrypt");
-	&mov	($acc,&wparam(0));		# load inp
-	&mov	($key,&wparam(2));		# load key
-
-	&mov	($s0,"esp");
-	&sub	("esp",36);
-	&and	("esp",-64);			# align to cache-line
-
-	# place stack frame just "above" the key schedule
-	&lea	($s1,&DWP(-64-63,$key));
-	&sub	($s1,"esp");
-	&neg	($s1);
-	&and	($s1,0x3C0);	# modulo 1024, but aligned to cache-line
-	&sub	("esp",$s1);
-	&add	("esp",4);	# 4 is reserved for caller's return address
-	&mov	($_esp,$s0);			# save stack pointer
-
-	&call   (&label("pic_point"));          # make it PIC!
-	&set_label("pic_point");
-	&blindpop($tbl);
-	&picmeup($s0,"OPENSSL_ia32cap_P",$tbl,&label("pic_point")) if (!$x86only);
-	&lea    ($tbl,&DWP(&label("AES_Te")."-".&label("pic_point"),$tbl));
-
-	# pick Te4 copy which can't "overlap" with stack frame or key schedule
-	&lea	($s1,&DWP(768-4,"esp"));
-	&sub	($s1,$tbl);
-	&and	($s1,0x300);
-	&lea	($tbl,&DWP(2048+128,$tbl,$s1));
-
-					if (!$x86only) {
-	&bt	(&DWP(0,$s0),25);	# check for SSE bit
-	&jnc	(&label("x86"));
-
-	&movq	("mm0",&QWP(0,$acc));
-	&movq	("mm4",&QWP(8,$acc));
-	&call	("_sse_AES_encrypt_compact");
-	&mov	("esp",$_esp);			# restore stack pointer
-	&mov	($acc,&wparam(1));		# load out
-	&movq	(&QWP(0,$acc),"mm0");		# write output data
-	&movq	(&QWP(8,$acc),"mm4");
-	&emms	();
-	&function_end_A();
-					}
-	&set_label("x86",16);
-	&mov	($_tbl,$tbl);
-	&mov	($s0,&DWP(0,$acc));		# load input data
-	&mov	($s1,&DWP(4,$acc));
-	&mov	($s2,&DWP(8,$acc));
-	&mov	($s3,&DWP(12,$acc));
-	&call	("_x86_AES_encrypt_compact");
-	&mov	("esp",$_esp);			# restore stack pointer
-	&mov	($acc,&wparam(1));		# load out
-	&mov	(&DWP(0,$acc),$s0);		# write output data
-	&mov	(&DWP(4,$acc),$s1);
-	&mov	(&DWP(8,$acc),$s2);
-	&mov	(&DWP(12,$acc),$s3);
-&function_end("AES_encrypt");
-
-#--------------------------------------------------------------------#
-
-######################################################################
-# "Compact" block function
-######################################################################
-
-sub deccompact()
-{ my $Fn = \&mov;
-  while ($#_>5) { pop(@_); $Fn=sub{}; }
-  my ($i,$td,@s)=@_;
-  my $tmp = $key;
-  my $out = $i==3?$s[0]:$acc;
-
-	# $Fn is used in first compact round and its purpose is to
-	# void restoration of some values from stack, so that after
-	# 4xdeccompact with extra argument $key, $s0 and $s1 values
-	# are left there...
-	if($i==3)   {	&$Fn	($key,$__key);			}
-	else        {	&mov	($out,$s[0]);			}
-			&and	($out,0xFF);
-			&movz	($out,&BP(-128,$td,$out,1));
-
-	if ($i==3)  {	$tmp=$s[1];				}
-			&movz	($tmp,&HB($s[1]));
-			&movz	($tmp,&BP(-128,$td,$tmp,1));
-			&shl	($tmp,8);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$acc);		}
-	else        {	mov	($tmp,$s[2]);			}
-			&shr	($tmp,16);
-			&and	($tmp,0xFF);
-			&movz	($tmp,&BP(-128,$td,$tmp,1));
-			&shl	($tmp,16);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[3]; &$Fn ($s[2],$__s1);		}
-	else        {	&mov	($tmp,$s[3]);			}
-			&shr	($tmp,24);
-			&movz	($tmp,&BP(-128,$td,$tmp,1));
-			&shl	($tmp,24);
-			&xor	($out,$tmp);
-	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
-	if ($i==3)  {	&$Fn	($s[3],$__s0);			}
-}
-
-# must be called with 2,3,0,1 as argument sequence!!!
-sub dectransform()
-{ my @s = ($s0,$s1,$s2,$s3);
-  my $i = shift;
-  my $tmp = $key;
-  my $tp2 = @s[($i+2)%4]; $tp2 = @s[2] if ($i==1);
-  my $tp4 = @s[($i+3)%4]; $tp4 = @s[3] if ($i==1);
-  my $tp8 = $tbl;
-
-	&mov	($tmp,0x80808080);
-	&and	($tmp,$s[$i]);
-	&mov	($acc,$tmp);
-	&shr	($tmp,7);
-	&lea	($tp2,&DWP(0,$s[$i],$s[$i]));
-	&sub	($acc,$tmp);
-	&and	($tp2,0xfefefefe);
-	&and	($acc,0x1b1b1b1b);
-	&xor	($tp2,$acc);
-	&mov	($tmp,0x80808080);
-
-	&and	($tmp,$tp2);
-	&mov	($acc,$tmp);
-	&shr	($tmp,7);
-	&lea	($tp4,&DWP(0,$tp2,$tp2));
-	&sub	($acc,$tmp);
-	&and	($tp4,0xfefefefe);
-	&and	($acc,0x1b1b1b1b);
-	 &xor	($tp2,$s[$i]);	# tp2^tp1
-	&xor	($tp4,$acc);
-	&mov	($tmp,0x80808080);
-
-	&and	($tmp,$tp4);
-	&mov	($acc,$tmp);
-	&shr	($tmp,7);
-	&lea	($tp8,&DWP(0,$tp4,$tp4));
-	&sub	($acc,$tmp);
-	&and	($tp8,0xfefefefe);
-	&and	($acc,0x1b1b1b1b);
-	 &xor	($tp4,$s[$i]);	# tp4^tp1
-	 &rotl	($s[$i],8);	# = ROTATE(tp1,8)
-	&xor	($tp8,$acc);
-
-	&xor	($s[$i],$tp2);
-	&xor	($tp2,$tp8);
-	&xor	($s[$i],$tp4);
-	&xor	($tp4,$tp8);
-	&rotl	($tp2,24);
-	&xor	($s[$i],$tp8);	# ^= tp8^(tp4^tp1)^(tp2^tp1)
-	&rotl	($tp4,16);
-	&xor	($s[$i],$tp2);	# ^= ROTATE(tp8^tp2^tp1,24)
-	&rotl	($tp8,8);
-	&xor	($s[$i],$tp4);	# ^= ROTATE(tp8^tp4^tp1,16)
-	 &mov	($s[0],$__s0)			if($i==2); #prefetch $s0
-	 &mov	($s[1],$__s1)			if($i==3); #prefetch $s1
-	 &mov	($s[2],$__s2)			if($i==1);
-	&xor	($s[$i],$tp8);	# ^= ROTATE(tp8,8)
-
-	&mov	($s[3],$__s3)			if($i==1);
-	&mov	(&DWP(4+4*$i,"esp"),$s[$i])	if($i>=2);
-}
-
-&function_begin_B("_x86_AES_decrypt_compact");
-	# note that caller is expected to allocate stack frame for me!
-	&mov	($__key,$key);			# save key
-
-	&xor	($s0,&DWP(0,$key));		# xor with key
-	&xor	($s1,&DWP(4,$key));
-	&xor	($s2,&DWP(8,$key));
-	&xor	($s3,&DWP(12,$key));
-
-	&mov	($acc,&DWP(240,$key));		# load key->rounds
-
-	&lea	($acc,&DWP(-2,$acc,$acc));
-	&lea	($acc,&DWP(0,$key,$acc,8));
-	&mov	($__end,$acc);			# end of key schedule
-
-	# prefetch Td4
-	&mov	($key,&DWP(0-128,$tbl));
-	&mov	($acc,&DWP(32-128,$tbl));
-	&mov	($key,&DWP(64-128,$tbl));
-	&mov	($acc,&DWP(96-128,$tbl));
-	&mov	($key,&DWP(128-128,$tbl));
-	&mov	($acc,&DWP(160-128,$tbl));
-	&mov	($key,&DWP(192-128,$tbl));
-	&mov	($acc,&DWP(224-128,$tbl));
-
-	&set_label("loop",16);
-
-		&deccompact(0,$tbl,$s0,$s3,$s2,$s1,1);
-		&deccompact(1,$tbl,$s1,$s0,$s3,$s2,1);
-		&deccompact(2,$tbl,$s2,$s1,$s0,$s3,1);
-		&deccompact(3,$tbl,$s3,$s2,$s1,$s0,1);
-		&dectransform(2);
-		&dectransform(3);
-		&dectransform(0);
-		&dectransform(1);
-		&mov 	($key,$__key);
-		&mov	($tbl,$__tbl);
-		&add	($key,16);		# advance rd_key
-		&xor	($s0,&DWP(0,$key));
-		&xor	($s1,&DWP(4,$key));
-		&xor	($s2,&DWP(8,$key));
-		&xor	($s3,&DWP(12,$key));
-
-	&cmp	($key,$__end);
-	&mov	($__key,$key);
-	&jb	(&label("loop"));
-
-	&deccompact(0,$tbl,$s0,$s3,$s2,$s1);
-	&deccompact(1,$tbl,$s1,$s0,$s3,$s2);
-	&deccompact(2,$tbl,$s2,$s1,$s0,$s3);
-	&deccompact(3,$tbl,$s3,$s2,$s1,$s0);
-
-	&xor	($s0,&DWP(16,$key));
-	&xor	($s1,&DWP(20,$key));
-	&xor	($s2,&DWP(24,$key));
-	&xor	($s3,&DWP(28,$key));
-
-	&ret	();
-&function_end_B("_x86_AES_decrypt_compact");
-
-######################################################################
-# "Compact" SSE block function.
-######################################################################
-
-sub sse_deccompact()
-{
-	&pshufw	("mm1","mm0",0x0c);		#  7, 6, 1, 0
-	&pshufw	("mm5","mm4",0x09);		# 13,12,11,10
-	&movd	("eax","mm1");			#  7, 6, 1, 0
-	&movd	("ebx","mm5");			# 13,12,11,10
-	&mov	($__key,$key);
-
-	&movz	($acc,&LB("eax"));		#  0
-	&movz	("edx",&HB("eax"));		#  1
-	&pshufw	("mm2","mm0",0x06);		#  3, 2, 5, 4
-	&movz	("ecx",&BP(-128,$tbl,$acc,1));	#  0
-	&movz	($key,&LB("ebx"));		# 10
-	&movz	("edx",&BP(-128,$tbl,"edx",1));	#  1
-	&shr	("eax",16);			#  7, 6
-	&shl	("edx",8);			#  1
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 10
-	&movz	($key,&HB("ebx"));		# 11
-	&shl	($acc,16);			# 10
-	&pshufw	("mm6","mm4",0x03);		# 9, 8,15,14
-	&or	("ecx",$acc);			# 10
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 11
-	&movz	($key,&HB("eax"));		#  7
-	&shl	($acc,24);			# 11
-	&shr	("ebx",16);			# 13,12
-	&or	("edx",$acc);			# 11
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  7
-	&movz	($key,&HB("ebx"));		# 13
-	&shl	($acc,24);			#  7
-	&or	("ecx",$acc);			#  7
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 13
-	&movz	($key,&LB("eax"));		#  6
-	&shl	($acc,8);			# 13
-	&movd	("eax","mm2");			#  3, 2, 5, 4
-	&or	("ecx",$acc);			# 13
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  6
-	&movz	($key,&LB("ebx"));		# 12
-	&shl	($acc,16);			#  6
-	&movd	("ebx","mm6");			#  9, 8,15,14
-	&movd	("mm0","ecx");			# t[0] collected
-	&movz	("ecx",&BP(-128,$tbl,$key,1));	# 12
-	&movz	($key,&LB("eax"));		#  4
-	&or	("ecx",$acc);			# 12
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  4
-	&movz	($key,&LB("ebx"));		# 14
-	&or	("edx",$acc);			#  4
-	&movz	($acc,&BP(-128,$tbl,$key,1));	# 14
-	&movz	($key,&HB("eax"));		#  5
-	&shl	($acc,16);			# 14
-	&shr	("eax",16);			#  3, 2
-	&or	("edx",$acc);			# 14
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  5
-	&movz	($key,&HB("ebx"));		# 15
-	&shr	("ebx",16);			#  9, 8
-	&shl	($acc,8);			#  5
-	&movd	("mm1","edx");			# t[1] collected
-	&movz	("edx",&BP(-128,$tbl,$key,1));	# 15
-	&movz	($key,&HB("ebx"));		#  9
-	&shl	("edx",24);			# 15
-	&and	("ebx",0xff);			#  8
-	&or	("edx",$acc);			# 15
-
-	&punpckldq	("mm0","mm1");		# t[0,1] collected
-
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  9
-	&movz	($key,&LB("eax"));		#  2
-	&shl	($acc,8);			#  9
-	&movz	("eax",&HB("eax"));		#  3
-	&movz	("ebx",&BP(-128,$tbl,"ebx",1));	#  8
-	&or	("ecx",$acc);			#  9
-	&movz	($acc,&BP(-128,$tbl,$key,1));	#  2
-	&or	("edx","ebx");			#  8
-	&shl	($acc,16);			#  2
-	&movz	("eax",&BP(-128,$tbl,"eax",1));	#  3
-	&or	("edx",$acc);			#  2
-	&shl	("eax",24);			#  3
-	&or	("ecx","eax");			#  3
-	&mov	($key,$__key);
-	&movd	("mm4","edx");			# t[2] collected
-	&movd	("mm5","ecx");			# t[3] collected
-
-	&punpckldq	("mm4","mm5");		# t[2,3] collected
-}
-
-					if (!$x86only) {
-&function_begin_B("_sse_AES_decrypt_compact");
-	&pxor	("mm0",&QWP(0,$key));	#  7, 6, 5, 4, 3, 2, 1, 0
-	&pxor	("mm4",&QWP(8,$key));	# 15,14,13,12,11,10, 9, 8
-
-	# note that caller is expected to allocate stack frame for me!
-	&mov	($acc,&DWP(240,$key));		# load key->rounds
-	&lea	($acc,&DWP(-2,$acc,$acc));
-	&lea	($acc,&DWP(0,$key,$acc,8));
-	&mov	($__end,$acc);			# end of key schedule
-
-	&mov	($s0,0x1b1b1b1b);		# magic constant
-	&mov	(&DWP(8,"esp"),$s0);
-	&mov	(&DWP(12,"esp"),$s0);
-
-	# prefetch Td4
-	&mov	($s0,&DWP(0-128,$tbl));
-	&mov	($s1,&DWP(32-128,$tbl));
-	&mov	($s2,&DWP(64-128,$tbl));
-	&mov	($s3,&DWP(96-128,$tbl));
-	&mov	($s0,&DWP(128-128,$tbl));
-	&mov	($s1,&DWP(160-128,$tbl));
-	&mov	($s2,&DWP(192-128,$tbl));
-	&mov	($s3,&DWP(224-128,$tbl));
-
-	&set_label("loop",16);
-		&sse_deccompact();
-		&add	($key,16);
-		&cmp	($key,$__end);
-		&ja	(&label("out"));
-
-		# ROTATE(x^y,N) == ROTATE(x,N)^ROTATE(y,N)
-		&movq	("mm3","mm0");		&movq	("mm7","mm4");
-		&movq	("mm2","mm0",1);	&movq	("mm6","mm4",1);
-		&movq	("mm1","mm0");		&movq	("mm5","mm4");
-		&pshufw	("mm0","mm0",0xb1);	&pshufw	("mm4","mm4",0xb1);# = ROTATE(tp0,16)
-		&pslld	("mm2",8);		&pslld	("mm6",8);
-		&psrld	("mm3",8);		&psrld	("mm7",8);
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");	# ^= tp0<<8
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= tp0>>8
-		&pslld	("mm2",16);		&pslld	("mm6",16);
-		&psrld	("mm3",16);		&psrld	("mm7",16);
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");	# ^= tp0<<24
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= tp0>>24
-
-		&movq	("mm3",&QWP(8,"esp"));
-		&pxor	("mm2","mm2");		&pxor	("mm6","mm6");
-		&pcmpgtb("mm2","mm1");		&pcmpgtb("mm6","mm5");
-		&pand	("mm2","mm3");		&pand	("mm6","mm3");
-		&paddb	("mm1","mm1");		&paddb	("mm5","mm5");
-		&pxor	("mm1","mm2");		&pxor	("mm5","mm6");	# tp2
-		&movq	("mm3","mm1");		&movq	("mm7","mm5");
-		&movq	("mm2","mm1");		&movq	("mm6","mm5");
-		&pxor	("mm0","mm1");		&pxor	("mm4","mm5");	# ^= tp2
-		&pslld	("mm3",24);		&pslld	("mm7",24);
-		&psrld	("mm2",8);		&psrld	("mm6",8);
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= tp2<<24
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");	# ^= tp2>>8
-
-		&movq	("mm2",&QWP(8,"esp"));
-		&pxor	("mm3","mm3");		&pxor	("mm7","mm7");
-		&pcmpgtb("mm3","mm1");		&pcmpgtb("mm7","mm5");
-		&pand	("mm3","mm2");		&pand	("mm7","mm2");
-		&paddb	("mm1","mm1");		&paddb	("mm5","mm5");
-		&pxor	("mm1","mm3");		&pxor	("mm5","mm7");	# tp4
-		&pshufw	("mm3","mm1",0xb1);	&pshufw	("mm7","mm5",0xb1);
-		&pxor	("mm0","mm1");		&pxor	("mm4","mm5");	# ^= tp4
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= ROTATE(tp4,16)
-
-		&pxor	("mm3","mm3");		&pxor	("mm7","mm7");
-		&pcmpgtb("mm3","mm1");		&pcmpgtb("mm7","mm5");
-		&pand	("mm3","mm2");		&pand	("mm7","mm2");
-		&paddb	("mm1","mm1");		&paddb	("mm5","mm5");
-		&pxor	("mm1","mm3");		&pxor	("mm5","mm7");	# tp8
-		&pxor	("mm0","mm1");		&pxor	("mm4","mm5");	# ^= tp8
-		&movq	("mm3","mm1");		&movq	("mm7","mm5");
-		&pshufw	("mm2","mm1",0xb1);	&pshufw	("mm6","mm5",0xb1);
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");	# ^= ROTATE(tp8,16)
-		&pslld	("mm1",8);		&pslld	("mm5",8);
-		&psrld	("mm3",8);		&psrld	("mm7",8);
-		&movq	("mm2",&QWP(0,$key));	&movq	("mm6",&QWP(8,$key));
-		&pxor	("mm0","mm1");		&pxor	("mm4","mm5");	# ^= tp8<<8
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= tp8>>8
-		&mov	($s0,&DWP(0-128,$tbl));
-		&pslld	("mm1",16);		&pslld	("mm5",16);
-		&mov	($s1,&DWP(64-128,$tbl));
-		&psrld	("mm3",16);		&psrld	("mm7",16);
-		&mov	($s2,&DWP(128-128,$tbl));
-		&pxor	("mm0","mm1");		&pxor	("mm4","mm5");	# ^= tp8<<24
-		&mov	($s3,&DWP(192-128,$tbl));
-		&pxor	("mm0","mm3");		&pxor	("mm4","mm7");	# ^= tp8>>24
-
-		&pxor	("mm0","mm2");		&pxor	("mm4","mm6");
-	&jmp	(&label("loop"));
-
-	&set_label("out",16);
-	&pxor	("mm0",&QWP(0,$key));
-	&pxor	("mm4",&QWP(8,$key));
-
-	&ret	();
-&function_end_B("_sse_AES_decrypt_compact");
-					}
-
-######################################################################
-# Vanilla block function.
-######################################################################
-
-sub decstep()
-{ my ($i,$td,@s) = @_;
-  my $tmp = $key;
-  my $out = $i==3?$s[0]:$acc;
-
-	# no instructions are reordered, as performance appears
-	# optimal... or rather that all attempts to reorder didn't
-	# result in better performance [which by the way is not a
-	# bit lower than encryption].
-	if($i==3)   {	&mov	($key,$__key);			}
-	else        {	&mov	($out,$s[0]);			}
-			&and	($out,0xFF);
-			&mov	($out,&DWP(0,$td,$out,8));
-
-	if ($i==3)  {	$tmp=$s[1];				}
-			&movz	($tmp,&HB($s[1]));
-			&xor	($out,&DWP(3,$td,$tmp,8));
-
-	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$acc);		}
-	else        {	&mov	($tmp,$s[2]);			}
-			&shr	($tmp,16);
-			&and	($tmp,0xFF);
-			&xor	($out,&DWP(2,$td,$tmp,8));
-
-	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],$__s1);		}
-	else        {	&mov	($tmp,$s[3]);			}
-			&shr	($tmp,24);
-			&xor	($out,&DWP(1,$td,$tmp,8));
-	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
-	if ($i==3)  {	&mov	($s[3],$__s0);			}
-			&comment();
-}
-
-sub declast()
-{ my ($i,$td,@s)=@_;
-  my $tmp = $key;
-  my $out = $i==3?$s[0]:$acc;
-
-	if($i==0)   {	&lea	($td,&DWP(2048+128,$td));
-			&mov	($tmp,&DWP(0-128,$td));
-			&mov	($acc,&DWP(32-128,$td));
-			&mov	($tmp,&DWP(64-128,$td));
-			&mov	($acc,&DWP(96-128,$td));
-			&mov	($tmp,&DWP(128-128,$td));
-			&mov	($acc,&DWP(160-128,$td));
-			&mov	($tmp,&DWP(192-128,$td));
-			&mov	($acc,&DWP(224-128,$td));
-			&lea	($td,&DWP(-128,$td));		}
-	if($i==3)   {	&mov	($key,$__key);			}
-	else        {	&mov	($out,$s[0]);			}
-			&and	($out,0xFF);
-			&movz	($out,&BP(0,$td,$out,1));
-
-	if ($i==3)  {	$tmp=$s[1];				}
-			&movz	($tmp,&HB($s[1]));
-			&movz	($tmp,&BP(0,$td,$tmp,1));
-			&shl	($tmp,8);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[2]; &mov ($s[1],$acc);		}
-	else        {	mov	($tmp,$s[2]);			}
-			&shr	($tmp,16);
-			&and	($tmp,0xFF);
-			&movz	($tmp,&BP(0,$td,$tmp,1));
-			&shl	($tmp,16);
-			&xor	($out,$tmp);
-
-	if ($i==3)  {	$tmp=$s[3]; &mov ($s[2],$__s1);		}
-	else        {	&mov	($tmp,$s[3]);			}
-			&shr	($tmp,24);
-			&movz	($tmp,&BP(0,$td,$tmp,1));
-			&shl	($tmp,24);
-			&xor	($out,$tmp);
-	if ($i<2)   {	&mov	(&DWP(4+4*$i,"esp"),$out);	}
-	if ($i==3)  {	&mov	($s[3],$__s0);
-			&lea	($td,&DWP(-2048,$td));		}
-}
-
-&function_begin_B("_x86_AES_decrypt");
-	# note that caller is expected to allocate stack frame for me!
-	&mov	($__key,$key);			# save key
-
-	&xor	($s0,&DWP(0,$key));		# xor with key
-	&xor	($s1,&DWP(4,$key));
-	&xor	($s2,&DWP(8,$key));
-	&xor	($s3,&DWP(12,$key));
-
-	&mov	($acc,&DWP(240,$key));		# load key->rounds
-
-	if ($small_footprint) {
-	    &lea	($acc,&DWP(-2,$acc,$acc));
-	    &lea	($acc,&DWP(0,$key,$acc,8));
-	    &mov	($__end,$acc);		# end of key schedule
-	    &set_label("loop",16);
-		&decstep(0,$tbl,$s0,$s3,$s2,$s1);
-		&decstep(1,$tbl,$s1,$s0,$s3,$s2);
-		&decstep(2,$tbl,$s2,$s1,$s0,$s3);
-		&decstep(3,$tbl,$s3,$s2,$s1,$s0);
-		&add	($key,16);		# advance rd_key
-		&xor	($s0,&DWP(0,$key));
-		&xor	($s1,&DWP(4,$key));
-		&xor	($s2,&DWP(8,$key));
-		&xor	($s3,&DWP(12,$key));
-	    &cmp	($key,$__end);
-	    &mov	($__key,$key);
-	    &jb		(&label("loop"));
-	}
-	else {
-	    &cmp	($acc,10);
-	    &jle	(&label("10rounds"));
-	    &cmp	($acc,12);
-	    &jle	(&label("12rounds"));
-
-	&set_label("14rounds",4);
-	    for ($i=1;$i<3;$i++) {
-		&decstep(0,$tbl,$s0,$s3,$s2,$s1);
-		&decstep(1,$tbl,$s1,$s0,$s3,$s2);
-		&decstep(2,$tbl,$s2,$s1,$s0,$s3);
-		&decstep(3,$tbl,$s3,$s2,$s1,$s0);
-		&xor	($s0,&DWP(16*$i+0,$key));
-		&xor	($s1,&DWP(16*$i+4,$key));
-		&xor	($s2,&DWP(16*$i+8,$key));
-		&xor	($s3,&DWP(16*$i+12,$key));
-	    }
-	    &add	($key,32);
-	    &mov	($__key,$key);		# advance rd_key
-	&set_label("12rounds",4);
-	    for ($i=1;$i<3;$i++) {
-		&decstep(0,$tbl,$s0,$s3,$s2,$s1);
-		&decstep(1,$tbl,$s1,$s0,$s3,$s2);
-		&decstep(2,$tbl,$s2,$s1,$s0,$s3);
-		&decstep(3,$tbl,$s3,$s2,$s1,$s0);
-		&xor	($s0,&DWP(16*$i+0,$key));
-		&xor	($s1,&DWP(16*$i+4,$key));
-		&xor	($s2,&DWP(16*$i+8,$key));
-		&xor	($s3,&DWP(16*$i+12,$key));
-	    }
-	    &add	($key,32);
-	    &mov	($__key,$key);		# advance rd_key
-	&set_label("10rounds",4);
-	    for ($i=1;$i<10;$i++) {
-		&decstep(0,$tbl,$s0,$s3,$s2,$s1);
-		&decstep(1,$tbl,$s1,$s0,$s3,$s2);
-		&decstep(2,$tbl,$s2,$s1,$s0,$s3);
-		&decstep(3,$tbl,$s3,$s2,$s1,$s0);
-		&xor	($s0,&DWP(16*$i+0,$key));
-		&xor	($s1,&DWP(16*$i+4,$key));
-		&xor	($s2,&DWP(16*$i+8,$key));
-		&xor	($s3,&DWP(16*$i+12,$key));
-	    }
-	}
-
-	&declast(0,$tbl,$s0,$s3,$s2,$s1);
-	&declast(1,$tbl,$s1,$s0,$s3,$s2);
-	&declast(2,$tbl,$s2,$s1,$s0,$s3);
-	&declast(3,$tbl,$s3,$s2,$s1,$s0);
-
-	&add	($key,$small_footprint?16:160);
-	&xor	($s0,&DWP(0,$key));
-	&xor	($s1,&DWP(4,$key));
-	&xor	($s2,&DWP(8,$key));
-	&xor	($s3,&DWP(12,$key));
-
-	&ret	();
-
-&set_label("AES_Td",64);	# Yes! I keep it in the code segment!
-	&_data_word(0x50a7f451, 0x5365417e, 0xc3a4171a, 0x965e273a);
-	&_data_word(0xcb6bab3b, 0xf1459d1f, 0xab58faac, 0x9303e34b);
-	&_data_word(0x55fa3020, 0xf66d76ad, 0x9176cc88, 0x254c02f5);
-	&_data_word(0xfcd7e54f, 0xd7cb2ac5, 0x80443526, 0x8fa362b5);
-	&_data_word(0x495ab1de, 0x671bba25, 0x980eea45, 0xe1c0fe5d);
-	&_data_word(0x02752fc3, 0x12f04c81, 0xa397468d, 0xc6f9d36b);
-	&_data_word(0xe75f8f03, 0x959c9215, 0xeb7a6dbf, 0xda595295);
-	&_data_word(0x2d83bed4, 0xd3217458, 0x2969e049, 0x44c8c98e);
-	&_data_word(0x6a89c275, 0x78798ef4, 0x6b3e5899, 0xdd71b927);
-	&_data_word(0xb64fe1be, 0x17ad88f0, 0x66ac20c9, 0xb43ace7d);
-	&_data_word(0x184adf63, 0x82311ae5, 0x60335197, 0x457f5362);
-	&_data_word(0xe07764b1, 0x84ae6bbb, 0x1ca081fe, 0x942b08f9);
-	&_data_word(0x58684870, 0x19fd458f, 0x876cde94, 0xb7f87b52);
-	&_data_word(0x23d373ab, 0xe2024b72, 0x578f1fe3, 0x2aab5566);
-	&_data_word(0x0728ebb2, 0x03c2b52f, 0x9a7bc586, 0xa50837d3);
-	&_data_word(0xf2872830, 0xb2a5bf23, 0xba6a0302, 0x5c8216ed);
-	&_data_word(0x2b1ccf8a, 0x92b479a7, 0xf0f207f3, 0xa1e2694e);
-	&_data_word(0xcdf4da65, 0xd5be0506, 0x1f6234d1, 0x8afea6c4);
-	&_data_word(0x9d532e34, 0xa055f3a2, 0x32e18a05, 0x75ebf6a4);
-	&_data_word(0x39ec830b, 0xaaef6040, 0x069f715e, 0x51106ebd);
-	&_data_word(0xf98a213e, 0x3d06dd96, 0xae053edd, 0x46bde64d);
-	&_data_word(0xb58d5491, 0x055dc471, 0x6fd40604, 0xff155060);
-	&_data_word(0x24fb9819, 0x97e9bdd6, 0xcc434089, 0x779ed967);
-	&_data_word(0xbd42e8b0, 0x888b8907, 0x385b19e7, 0xdbeec879);
-	&_data_word(0x470a7ca1, 0xe90f427c, 0xc91e84f8, 0x00000000);
-	&_data_word(0x83868009, 0x48ed2b32, 0xac70111e, 0x4e725a6c);
-	&_data_word(0xfbff0efd, 0x5638850f, 0x1ed5ae3d, 0x27392d36);
-	&_data_word(0x64d90f0a, 0x21a65c68, 0xd1545b9b, 0x3a2e3624);
-	&_data_word(0xb1670a0c, 0x0fe75793, 0xd296eeb4, 0x9e919b1b);
-	&_data_word(0x4fc5c080, 0xa220dc61, 0x694b775a, 0x161a121c);
-	&_data_word(0x0aba93e2, 0xe52aa0c0, 0x43e0223c, 0x1d171b12);
-	&_data_word(0x0b0d090e, 0xadc78bf2, 0xb9a8b62d, 0xc8a91e14);
-	&_data_word(0x8519f157, 0x4c0775af, 0xbbdd99ee, 0xfd607fa3);
-	&_data_word(0x9f2601f7, 0xbcf5725c, 0xc53b6644, 0x347efb5b);
-	&_data_word(0x7629438b, 0xdcc623cb, 0x68fcedb6, 0x63f1e4b8);
-	&_data_word(0xcadc31d7, 0x10856342, 0x40229713, 0x2011c684);
-	&_data_word(0x7d244a85, 0xf83dbbd2, 0x1132f9ae, 0x6da129c7);
-	&_data_word(0x4b2f9e1d, 0xf330b2dc, 0xec52860d, 0xd0e3c177);
-	&_data_word(0x6c16b32b, 0x99b970a9, 0xfa489411, 0x2264e947);
-	&_data_word(0xc48cfca8, 0x1a3ff0a0, 0xd82c7d56, 0xef903322);
-	&_data_word(0xc74e4987, 0xc1d138d9, 0xfea2ca8c, 0x360bd498);
-	&_data_word(0xcf81f5a6, 0x28de7aa5, 0x268eb7da, 0xa4bfad3f);
-	&_data_word(0xe49d3a2c, 0x0d927850, 0x9bcc5f6a, 0x62467e54);
-	&_data_word(0xc2138df6, 0xe8b8d890, 0x5ef7392e, 0xf5afc382);
-	&_data_word(0xbe805d9f, 0x7c93d069, 0xa92dd56f, 0xb31225cf);
-	&_data_word(0x3b99acc8, 0xa77d1810, 0x6e639ce8, 0x7bbb3bdb);
-	&_data_word(0x097826cd, 0xf418596e, 0x01b79aec, 0xa89a4f83);
-	&_data_word(0x656e95e6, 0x7ee6ffaa, 0x08cfbc21, 0xe6e815ef);
-	&_data_word(0xd99be7ba, 0xce366f4a, 0xd4099fea, 0xd67cb029);
-	&_data_word(0xafb2a431, 0x31233f2a, 0x3094a5c6, 0xc066a235);
-	&_data_word(0x37bc4e74, 0xa6ca82fc, 0xb0d090e0, 0x15d8a733);
-	&_data_word(0x4a9804f1, 0xf7daec41, 0x0e50cd7f, 0x2ff69117);
-	&_data_word(0x8dd64d76, 0x4db0ef43, 0x544daacc, 0xdf0496e4);
-	&_data_word(0xe3b5d19e, 0x1b886a4c, 0xb81f2cc1, 0x7f516546);
-	&_data_word(0x04ea5e9d, 0x5d358c01, 0x737487fa, 0x2e410bfb);
-	&_data_word(0x5a1d67b3, 0x52d2db92, 0x335610e9, 0x1347d66d);
-	&_data_word(0x8c61d79a, 0x7a0ca137, 0x8e14f859, 0x893c13eb);
-	&_data_word(0xee27a9ce, 0x35c961b7, 0xede51ce1, 0x3cb1477a);
-	&_data_word(0x59dfd29c, 0x3f73f255, 0x79ce1418, 0xbf37c773);
-	&_data_word(0xeacdf753, 0x5baafd5f, 0x146f3ddf, 0x86db4478);
-	&_data_word(0x81f3afca, 0x3ec468b9, 0x2c342438, 0x5f40a3c2);
-	&_data_word(0x72c31d16, 0x0c25e2bc, 0x8b493c28, 0x41950dff);
-	&_data_word(0x7101a839, 0xdeb30c08, 0x9ce4b4d8, 0x90c15664);
-	&_data_word(0x6184cb7b, 0x70b632d5, 0x745c6c48, 0x4257b8d0);
-
-#Td4:	# four copies of Td4 to choose from to avoid L1 aliasing
-	&data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38);
-	&data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb);
-	&data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87);
-	&data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb);
-	&data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d);
-	&data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e);
-	&data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2);
-	&data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25);
-	&data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16);
-	&data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92);
-	&data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda);
-	&data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84);
-	&data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a);
-	&data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06);
-	&data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02);
-	&data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b);
-	&data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea);
-	&data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73);
-	&data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85);
-	&data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e);
-	&data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89);
-	&data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b);
-	&data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20);
-	&data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4);
-	&data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31);
-	&data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f);
-	&data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d);
-	&data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef);
-	&data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0);
-	&data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61);
-	&data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26);
-	&data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d);
-
-	&data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38);
-	&data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb);
-	&data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87);
-	&data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb);
-	&data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d);
-	&data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e);
-	&data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2);
-	&data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25);
-	&data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16);
-	&data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92);
-	&data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda);
-	&data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84);
-	&data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a);
-	&data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06);
-	&data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02);
-	&data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b);
-	&data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea);
-	&data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73);
-	&data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85);
-	&data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e);
-	&data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89);
-	&data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b);
-	&data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20);
-	&data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4);
-	&data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31);
-	&data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f);
-	&data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d);
-	&data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef);
-	&data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0);
-	&data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61);
-	&data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26);
-	&data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d);
-
-	&data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38);
-	&data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb);
-	&data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87);
-	&data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb);
-	&data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d);
-	&data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e);
-	&data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2);
-	&data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25);
-	&data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16);
-	&data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92);
-	&data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda);
-	&data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84);
-	&data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a);
-	&data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06);
-	&data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02);
-	&data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b);
-	&data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea);
-	&data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73);
-	&data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85);
-	&data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e);
-	&data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89);
-	&data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b);
-	&data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20);
-	&data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4);
-	&data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31);
-	&data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f);
-	&data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d);
-	&data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef);
-	&data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0);
-	&data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61);
-	&data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26);
-	&data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d);
-
-	&data_byte(0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38);
-	&data_byte(0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb);
-	&data_byte(0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87);
-	&data_byte(0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb);
-	&data_byte(0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d);
-	&data_byte(0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e);
-	&data_byte(0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2);
-	&data_byte(0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25);
-	&data_byte(0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16);
-	&data_byte(0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92);
-	&data_byte(0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda);
-	&data_byte(0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84);
-	&data_byte(0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a);
-	&data_byte(0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06);
-	&data_byte(0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02);
-	&data_byte(0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b);
-	&data_byte(0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea);
-	&data_byte(0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73);
-	&data_byte(0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85);
-	&data_byte(0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e);
-	&data_byte(0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89);
-	&data_byte(0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b);
-	&data_byte(0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20);
-	&data_byte(0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4);
-	&data_byte(0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31);
-	&data_byte(0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f);
-	&data_byte(0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d);
-	&data_byte(0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef);
-	&data_byte(0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0);
-	&data_byte(0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61);
-	&data_byte(0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26);
-	&data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d);
-&function_end_B("_x86_AES_decrypt");
-
-# void AES_decrypt (const void *inp,void *out,const AES_KEY *key);
-&function_begin("AES_decrypt");
-	&mov	($acc,&wparam(0));		# load inp
-	&mov	($key,&wparam(2));		# load key
-
-	&mov	($s0,"esp");
-	&sub	("esp",36);
-	&and	("esp",-64);			# align to cache-line
-
-	# place stack frame just "above" the key schedule
-	&lea	($s1,&DWP(-64-63,$key));
-	&sub	($s1,"esp");
-	&neg	($s1);
-	&and	($s1,0x3C0);	# modulo 1024, but aligned to cache-line
-	&sub	("esp",$s1);
-	&add	("esp",4);	# 4 is reserved for caller's return address
-	&mov	($_esp,$s0);	# save stack pointer
-
-	&call   (&label("pic_point"));          # make it PIC!
-	&set_label("pic_point");
-	&blindpop($tbl);
-	&picmeup($s0,"OPENSSL_ia32cap_P",$tbl,&label("pic_point")) if(!$x86only);
-	&lea    ($tbl,&DWP(&label("AES_Td")."-".&label("pic_point"),$tbl));
-
-	# pick Td4 copy which can't "overlap" with stack frame or key schedule
-	&lea	($s1,&DWP(768-4,"esp"));
-	&sub	($s1,$tbl);
-	&and	($s1,0x300);
-	&lea	($tbl,&DWP(2048+128,$tbl,$s1));
-
-					if (!$x86only) {
-	&bt	(&DWP(0,$s0),25);	# check for SSE bit
-	&jnc	(&label("x86"));
-
-	&movq	("mm0",&QWP(0,$acc));
-	&movq	("mm4",&QWP(8,$acc));
-	&call	("_sse_AES_decrypt_compact");
-	&mov	("esp",$_esp);			# restore stack pointer
-	&mov	($acc,&wparam(1));		# load out
-	&movq	(&QWP(0,$acc),"mm0");		# write output data
-	&movq	(&QWP(8,$acc),"mm4");
-	&emms	();
-	&function_end_A();
-					}
-	&set_label("x86",16);
-	&mov	($_tbl,$tbl);
-	&mov	($s0,&DWP(0,$acc));		# load input data
-	&mov	($s1,&DWP(4,$acc));
-	&mov	($s2,&DWP(8,$acc));
-	&mov	($s3,&DWP(12,$acc));
-	&call	("_x86_AES_decrypt_compact");
-	&mov	("esp",$_esp);			# restore stack pointer
-	&mov	($acc,&wparam(1));		# load out
-	&mov	(&DWP(0,$acc),$s0);		# write output data
-	&mov	(&DWP(4,$acc),$s1);
-	&mov	(&DWP(8,$acc),$s2);
-	&mov	(&DWP(12,$acc),$s3);
-&function_end("AES_decrypt");
-
-# void AES_cbc_encrypt (const void char *inp, unsigned char *out,
-#			size_t length, const AES_KEY *key,
-#			unsigned char *ivp,const int enc);
-{
-# stack frame layout
-#             -4(%esp)		# return address	 0(%esp)
-#              0(%esp)		# s0 backing store	 4(%esp)
-#              4(%esp)		# s1 backing store	 8(%esp)
-#              8(%esp)		# s2 backing store	12(%esp)
-#             12(%esp)		# s3 backing store	16(%esp)
-#             16(%esp)		# key backup		20(%esp)
-#             20(%esp)		# end of key schedule	24(%esp)
-#             24(%esp)		# %ebp backup		28(%esp)
-#             28(%esp)		# %esp backup
-my $_inp=&DWP(32,"esp");	# copy of wparam(0)
-my $_out=&DWP(36,"esp");	# copy of wparam(1)
-my $_len=&DWP(40,"esp");	# copy of wparam(2)
-my $_key=&DWP(44,"esp");	# copy of wparam(3)
-my $_ivp=&DWP(48,"esp");	# copy of wparam(4)
-my $_tmp=&DWP(52,"esp");	# volatile variable
-#
-my $ivec=&DWP(60,"esp");	# ivec[16]
-my $aes_key=&DWP(76,"esp");	# copy of aes_key
-my $mark=&DWP(76+240,"esp");	# copy of aes_key->rounds
-
-&function_begin("AES_cbc_encrypt");
-	&mov	($s2 eq "ecx"? $s2 : "",&wparam(2));	# load len
-	&cmp	($s2,0);
-	&je	(&label("drop_out"));
-
-	&call   (&label("pic_point"));		# make it PIC!
-	&set_label("pic_point");
-	&blindpop($tbl);
-	&picmeup($s0,"OPENSSL_ia32cap_P",$tbl,&label("pic_point")) if(!$x86only);
-
-	&cmp	(&wparam(5),0);
-	&lea    ($tbl,&DWP(&label("AES_Te")."-".&label("pic_point"),$tbl));
-	&jne	(&label("picked_te"));
-	&lea	($tbl,&DWP(&label("AES_Td")."-".&label("AES_Te"),$tbl));
-	&set_label("picked_te");
-
-	# one can argue if this is required
-	&pushf	();
-	&cld	();
-
-	&cmp	($s2,$speed_limit);
-	&jb	(&label("slow_way"));
-	&test	($s2,15);
-	&jnz	(&label("slow_way"));
-					if (!$x86only) {
-	&bt	(&DWP(0,$s0),28);	# check for hyper-threading bit
-	&jc	(&label("slow_way"));
-					}
-	# pre-allocate aligned stack frame...
-	&lea	($acc,&DWP(-80-244,"esp"));
-	&and	($acc,-64);
-
-	# ... and make sure it doesn't alias with $tbl modulo 4096
-	&mov	($s0,$tbl);
-	&lea	($s1,&DWP(2048+256,$tbl));
-	&mov	($s3,$acc);
-	&and	($s0,0xfff);		# s = %ebp&0xfff
-	&and	($s1,0xfff);		# e = (%ebp+2048+256)&0xfff
-	&and	($s3,0xfff);		# p = %esp&0xfff
-
-	&cmp	($s3,$s1);		# if (p>=e) %esp =- (p-e);
-	&jb	(&label("tbl_break_out"));
-	&sub	($s3,$s1);
-	&sub	($acc,$s3);
-	&jmp	(&label("tbl_ok"));
-	&set_label("tbl_break_out",4);	# else %esp -= (p-s)&0xfff + framesz;
-	&sub	($s3,$s0);
-	&and	($s3,0xfff);
-	&add	($s3,384);
-	&sub	($acc,$s3);
-	&set_label("tbl_ok",4);
-
-	&lea	($s3,&wparam(0));	# obtain pointer to parameter block
-	&exch	("esp",$acc);		# allocate stack frame
-	&add	("esp",4);		# reserve for return address!
-	&mov	($_tbl,$tbl);		# save %ebp
-	&mov	($_esp,$acc);		# save %esp
-
-	&mov	($s0,&DWP(0,$s3));	# load inp
-	&mov	($s1,&DWP(4,$s3));	# load out
-	#&mov	($s2,&DWP(8,$s3));	# load len
-	&mov	($key,&DWP(12,$s3));	# load key
-	&mov	($acc,&DWP(16,$s3));	# load ivp
-	&mov	($s3,&DWP(20,$s3));	# load enc flag
-
-	&mov	($_inp,$s0);		# save copy of inp
-	&mov	($_out,$s1);		# save copy of out
-	&mov	($_len,$s2);		# save copy of len
-	&mov	($_key,$key);		# save copy of key
-	&mov	($_ivp,$acc);		# save copy of ivp
-
-	&mov	($mark,0);		# copy of aes_key->rounds = 0;
-	# do we copy key schedule to stack?
-	&mov	($s1 eq "ebx" ? $s1 : "",$key);
-	&mov	($s2 eq "ecx" ? $s2 : "",244/4);
-	&sub	($s1,$tbl);
-	&mov	("esi",$key);
-	&and	($s1,0xfff);
-	&lea	("edi",$aes_key);
-	&cmp	($s1,2048+256);
-	&jb	(&label("do_copy"));
-	&cmp	($s1,4096-244);
-	&jb	(&label("skip_copy"));
-	&set_label("do_copy",4);
-		&mov	($_key,"edi");
-		&data_word(0xA5F3F689);	# rep movsd
-	&set_label("skip_copy");
-
-	&mov	($key,16);
-	&set_label("prefetch_tbl",4);
-		&mov	($s0,&DWP(0,$tbl));
-		&mov	($s1,&DWP(32,$tbl));
-		&mov	($s2,&DWP(64,$tbl));
-		&mov	($acc,&DWP(96,$tbl));
-		&lea	($tbl,&DWP(128,$tbl));
-		&sub	($key,1);
-	&jnz	(&label("prefetch_tbl"));
-	&sub	($tbl,2048);
-
-	&mov	($acc,$_inp);
-	&mov	($key,$_ivp);
-
-	&cmp	($s3,0);
-	&je	(&label("fast_decrypt"));
-
-#----------------------------- ENCRYPT -----------------------------#
-	&mov	($s0,&DWP(0,$key));		# load iv
-	&mov	($s1,&DWP(4,$key));
-
-	&set_label("fast_enc_loop",16);
-		&mov	($s2,&DWP(8,$key));
-		&mov	($s3,&DWP(12,$key));
-
-		&xor	($s0,&DWP(0,$acc));	# xor input data
-		&xor	($s1,&DWP(4,$acc));
-		&xor	($s2,&DWP(8,$acc));
-		&xor	($s3,&DWP(12,$acc));
-
-		&mov	($key,$_key);		# load key
-		&call	("_x86_AES_encrypt");
-
-		&mov	($acc,$_inp);		# load inp
-		&mov	($key,$_out);		# load out
-
-		&mov	(&DWP(0,$key),$s0);	# save output data
-		&mov	(&DWP(4,$key),$s1);
-		&mov	(&DWP(8,$key),$s2);
-		&mov	(&DWP(12,$key),$s3);
-
-		&lea	($acc,&DWP(16,$acc));	# advance inp
-		&mov	($s2,$_len);		# load len
-		&mov	($_inp,$acc);		# save inp
-		&lea	($s3,&DWP(16,$key));	# advance out
-		&mov	($_out,$s3);		# save out
-		&sub	($s2,16);		# decrease len
-		&mov	($_len,$s2);		# save len
-	&jnz	(&label("fast_enc_loop"));
-	&mov	($acc,$_ivp);		# load ivp
-	&mov	($s2,&DWP(8,$key));	# restore last 2 dwords
-	&mov	($s3,&DWP(12,$key));
-	&mov	(&DWP(0,$acc),$s0);	# save ivec
-	&mov	(&DWP(4,$acc),$s1);
-	&mov	(&DWP(8,$acc),$s2);
-	&mov	(&DWP(12,$acc),$s3);
-
-	&cmp	($mark,0);		# was the key schedule copied?
-	&mov	("edi",$_key);
-	&je	(&label("skip_ezero"));
-	# zero copy of key schedule
-	&mov	("ecx",240/4);
-	&xor	("eax","eax");
-	&align	(4);
-	&data_word(0xABF3F689);		# rep stosd
-	&set_label("skip_ezero");
-	&mov	("esp",$_esp);
-	&popf	();
-    &set_label("drop_out");
-	&function_end_A();
-	&pushf	();			# kludge, never executed
-
-#----------------------------- DECRYPT -----------------------------#
-&set_label("fast_decrypt",16);
-
-	&cmp	($acc,$_out);
-	&je	(&label("fast_dec_in_place"));	# in-place processing...
-
-	&mov	($_tmp,$key);
-
-	&align	(4);
-	&set_label("fast_dec_loop",16);
-		&mov	($s0,&DWP(0,$acc));	# read input
-		&mov	($s1,&DWP(4,$acc));
-		&mov	($s2,&DWP(8,$acc));
-		&mov	($s3,&DWP(12,$acc));
-
-		&mov	($key,$_key);		# load key
-		&call	("_x86_AES_decrypt");
-
-		&mov	($key,$_tmp);		# load ivp
-		&mov	($acc,$_len);		# load len
-		&xor	($s0,&DWP(0,$key));	# xor iv
-		&xor	($s1,&DWP(4,$key));
-		&xor	($s2,&DWP(8,$key));
-		&xor	($s3,&DWP(12,$key));
-
-		&mov	($key,$_out);		# load out
-		&mov	($acc,$_inp);		# load inp
-
-		&mov	(&DWP(0,$key),$s0);	# write output
-		&mov	(&DWP(4,$key),$s1);
-		&mov	(&DWP(8,$key),$s2);
-		&mov	(&DWP(12,$key),$s3);
-
-		&mov	($s2,$_len);		# load len
-		&mov	($_tmp,$acc);		# save ivp
-		&lea	($acc,&DWP(16,$acc));	# advance inp
-		&mov	($_inp,$acc);		# save inp
-		&lea	($key,&DWP(16,$key));	# advance out
-		&mov	($_out,$key);		# save out
-		&sub	($s2,16);		# decrease len
-		&mov	($_len,$s2);		# save len
-	&jnz	(&label("fast_dec_loop"));
-	&mov	($key,$_tmp);		# load temp ivp
-	&mov	($acc,$_ivp);		# load user ivp
-	&mov	($s0,&DWP(0,$key));	# load iv
-	&mov	($s1,&DWP(4,$key));
-	&mov	($s2,&DWP(8,$key));
-	&mov	($s3,&DWP(12,$key));
-	&mov	(&DWP(0,$acc),$s0);	# copy back to user
-	&mov	(&DWP(4,$acc),$s1);
-	&mov	(&DWP(8,$acc),$s2);
-	&mov	(&DWP(12,$acc),$s3);
-	&jmp	(&label("fast_dec_out"));
-
-    &set_label("fast_dec_in_place",16);
-	&set_label("fast_dec_in_place_loop");
-		&mov	($s0,&DWP(0,$acc));	# read input
-		&mov	($s1,&DWP(4,$acc));
-		&mov	($s2,&DWP(8,$acc));
-		&mov	($s3,&DWP(12,$acc));
-
-		&lea	($key,$ivec);
-		&mov	(&DWP(0,$key),$s0);	# copy to temp
-		&mov	(&DWP(4,$key),$s1);
-		&mov	(&DWP(8,$key),$s2);
-		&mov	(&DWP(12,$key),$s3);
-
-		&mov	($key,$_key);		# load key
-		&call	("_x86_AES_decrypt");
-
-		&mov	($key,$_ivp);		# load ivp
-		&mov	($acc,$_out);		# load out
-		&xor	($s0,&DWP(0,$key));	# xor iv
-		&xor	($s1,&DWP(4,$key));
-		&xor	($s2,&DWP(8,$key));
-		&xor	($s3,&DWP(12,$key));
-
-		&mov	(&DWP(0,$acc),$s0);	# write output
-		&mov	(&DWP(4,$acc),$s1);
-		&mov	(&DWP(8,$acc),$s2);
-		&mov	(&DWP(12,$acc),$s3);
-
-		&lea	($acc,&DWP(16,$acc));	# advance out
-		&mov	($_out,$acc);		# save out
-
-		&lea	($acc,$ivec);
-		&mov	($s0,&DWP(0,$acc));	# read temp
-		&mov	($s1,&DWP(4,$acc));
-		&mov	($s2,&DWP(8,$acc));
-		&mov	($s3,&DWP(12,$acc));
-
-		&mov	(&DWP(0,$key),$s0);	# copy iv
-		&mov	(&DWP(4,$key),$s1);
-		&mov	(&DWP(8,$key),$s2);
-		&mov	(&DWP(12,$key),$s3);
-
-		&mov	($acc,$_inp);		# load inp
-		&mov	($s2,$_len);		# load len
-		&lea	($acc,&DWP(16,$acc));	# advance inp
-		&mov	($_inp,$acc);		# save inp
-		&sub	($s2,16);		# decrease len
-		&mov	($_len,$s2);		# save len
-	&jnz	(&label("fast_dec_in_place_loop"));
-
-    &set_label("fast_dec_out",4);
-	&cmp	($mark,0);		# was the key schedule copied?
-	&mov	("edi",$_key);
-	&je	(&label("skip_dzero"));
-	# zero copy of key schedule
-	&mov	("ecx",240/4);
-	&xor	("eax","eax");
-	&align	(4);
-	&data_word(0xABF3F689);		# rep stosd
-	&set_label("skip_dzero");
-	&mov	("esp",$_esp);
-	&popf	();
-	&function_end_A();
-	&pushf	();			# kludge, never executed
-
-#--------------------------- SLOW ROUTINE ---------------------------#
-&set_label("slow_way",16);
-
-	&mov	($s0,&DWP(0,$s0)) if (!$x86only);# load OPENSSL_ia32cap
-	&mov	($key,&wparam(3));	# load key
-
-	# pre-allocate aligned stack frame...
-	&lea	($acc,&DWP(-80,"esp"));
-	&and	($acc,-64);
-
-	# ... and make sure it doesn't alias with $key modulo 1024
-	&lea	($s1,&DWP(-80-63,$key));
-	&sub	($s1,$acc);
-	&neg	($s1);
-	&and	($s1,0x3C0);	# modulo 1024, but aligned to cache-line
-	&sub	($acc,$s1);
-
-	# pick S-box copy which can't overlap with stack frame or $key
-	&lea	($s1,&DWP(768,$acc));
-	&sub	($s1,$tbl);
-	&and	($s1,0x300);
-	&lea	($tbl,&DWP(2048+128,$tbl,$s1));
-
-	&lea	($s3,&wparam(0));	# pointer to parameter block
-
-	&exch	("esp",$acc);
-	&add	("esp",4);		# reserve for return address!
-	&mov	($_tbl,$tbl);		# save %ebp
-	&mov	($_esp,$acc);		# save %esp
-	&mov	($_tmp,$s0);		# save OPENSSL_ia32cap
-
-	&mov	($s0,&DWP(0,$s3));	# load inp
-	&mov	($s1,&DWP(4,$s3));	# load out
-	#&mov	($s2,&DWP(8,$s3));	# load len
-	#&mov	($key,&DWP(12,$s3));	# load key
-	&mov	($acc,&DWP(16,$s3));	# load ivp
-	&mov	($s3,&DWP(20,$s3));	# load enc flag
-
-	&mov	($_inp,$s0);		# save copy of inp
-	&mov	($_out,$s1);		# save copy of out
-	&mov	($_len,$s2);		# save copy of len
-	&mov	($_key,$key);		# save copy of key
-	&mov	($_ivp,$acc);		# save copy of ivp
-
-	&mov	($key,$acc);
-	&mov	($acc,$s0);
-
-	&cmp	($s3,0);
-	&je	(&label("slow_decrypt"));
-
-#--------------------------- SLOW ENCRYPT ---------------------------#
-	&cmp	($s2,16);
-	&mov	($s3,$s1);
-	&jb	(&label("slow_enc_tail"));
-
-					if (!$x86only) {
-	&bt	($_tmp,25);		# check for SSE bit
-	&jnc	(&label("slow_enc_x86"));
-
-	&movq	("mm0",&QWP(0,$key));	# load iv
-	&movq	("mm4",&QWP(8,$key));
-
-	&set_label("slow_enc_loop_sse",16);
-		&pxor	("mm0",&QWP(0,$acc));	# xor input data
-		&pxor	("mm4",&QWP(8,$acc));
-
-		&mov	($key,$_key);
-		&call	("_sse_AES_encrypt_compact");
-
-		&mov	($acc,$_inp);		# load inp
-		&mov	($key,$_out);		# load out
-		&mov	($s2,$_len);		# load len
-
-		&movq	(&QWP(0,$key),"mm0");	# save output data
-		&movq	(&QWP(8,$key),"mm4");
-
-		&lea	($acc,&DWP(16,$acc));	# advance inp
-		&mov	($_inp,$acc);		# save inp
-		&lea	($s3,&DWP(16,$key));	# advance out
-		&mov	($_out,$s3);		# save out
-		&sub	($s2,16);		# decrease len
-		&cmp	($s2,16);
-		&mov	($_len,$s2);		# save len
-	&jae	(&label("slow_enc_loop_sse"));
-	&test	($s2,15);
-	&jnz	(&label("slow_enc_tail"));
-	&mov	($acc,$_ivp);		# load ivp
-	&movq	(&QWP(0,$acc),"mm0");	# save ivec
-	&movq	(&QWP(8,$acc),"mm4");
-	&emms	();
-	&mov	("esp",$_esp);
-	&popf	();
-	&function_end_A();
-	&pushf	();			# kludge, never executed
-					}
-    &set_label("slow_enc_x86",16);
-	&mov	($s0,&DWP(0,$key));	# load iv
-	&mov	($s1,&DWP(4,$key));
-
-	&set_label("slow_enc_loop_x86",4);
-		&mov	($s2,&DWP(8,$key));
-		&mov	($s3,&DWP(12,$key));
-
-		&xor	($s0,&DWP(0,$acc));	# xor input data
-		&xor	($s1,&DWP(4,$acc));
-		&xor	($s2,&DWP(8,$acc));
-		&xor	($s3,&DWP(12,$acc));
-
-		&mov	($key,$_key);		# load key
-		&call	("_x86_AES_encrypt_compact");
-
-		&mov	($acc,$_inp);		# load inp
-		&mov	($key,$_out);		# load out
-
-		&mov	(&DWP(0,$key),$s0);	# save output data
-		&mov	(&DWP(4,$key),$s1);
-		&mov	(&DWP(8,$key),$s2);
-		&mov	(&DWP(12,$key),$s3);
-
-		&mov	($s2,$_len);		# load len
-		&lea	($acc,&DWP(16,$acc));	# advance inp
-		&mov	($_inp,$acc);		# save inp
-		&lea	($s3,&DWP(16,$key));	# advance out
-		&mov	($_out,$s3);		# save out
-		&sub	($s2,16);		# decrease len
-		&cmp	($s2,16);
-		&mov	($_len,$s2);		# save len
-	&jae	(&label("slow_enc_loop_x86"));
-	&test	($s2,15);
-	&jnz	(&label("slow_enc_tail"));
-	&mov	($acc,$_ivp);		# load ivp
-	&mov	($s2,&DWP(8,$key));	# restore last dwords
-	&mov	($s3,&DWP(12,$key));
-	&mov	(&DWP(0,$acc),$s0);	# save ivec
-	&mov	(&DWP(4,$acc),$s1);
-	&mov	(&DWP(8,$acc),$s2);
-	&mov	(&DWP(12,$acc),$s3);
-
-	&mov	("esp",$_esp);
-	&popf	();
-	&function_end_A();
-	&pushf	();			# kludge, never executed
-
-    &set_label("slow_enc_tail",16);
-	&emms	()	if (!$x86only);
-	&mov	($key eq "edi"? $key:"",$s3);	# load out to edi
-	&mov	($s1,16);
-	&sub	($s1,$s2);
-	&cmp	($key,$acc eq "esi"? $acc:"");	# compare with inp
-	&je	(&label("enc_in_place"));
-	&align	(4);
-	&data_word(0xA4F3F689);	# rep movsb	# copy input
-	&jmp	(&label("enc_skip_in_place"));
-    &set_label("enc_in_place");
-	&lea	($key,&DWP(0,$key,$s2));
-    &set_label("enc_skip_in_place");
-	&mov	($s2,$s1);
-	&xor	($s0,$s0);
-	&align	(4);
-	&data_word(0xAAF3F689);	# rep stosb	# zero tail
-
-	&mov	($key,$_ivp);			# restore ivp
-	&mov	($acc,$s3);			# output as input
-	&mov	($s0,&DWP(0,$key));
-	&mov	($s1,&DWP(4,$key));
-	&mov	($_len,16);			# len=16
-	&jmp	(&label("slow_enc_loop_x86"));	# one more spin...
-
-#--------------------------- SLOW DECRYPT ---------------------------#
-&set_label("slow_decrypt",16);
-					if (!$x86only) {
-	&bt	($_tmp,25);		# check for SSE bit
-	&jnc	(&label("slow_dec_loop_x86"));
-
-	&set_label("slow_dec_loop_sse",4);
-		&movq	("mm0",&QWP(0,$acc));	# read input
-		&movq	("mm4",&QWP(8,$acc));
-
-		&mov	($key,$_key);
-		&call	("_sse_AES_decrypt_compact");
-
-		&mov	($acc,$_inp);		# load inp
-		&lea	($s0,$ivec);
-		&mov	($s1,$_out);		# load out
-		&mov	($s2,$_len);		# load len
-		&mov	($key,$_ivp);		# load ivp
-
-		&movq	("mm1",&QWP(0,$acc));	# re-read input
-		&movq	("mm5",&QWP(8,$acc));
-
-		&pxor	("mm0",&QWP(0,$key));	# xor iv
-		&pxor	("mm4",&QWP(8,$key));
-
-		&movq	(&QWP(0,$key),"mm1");	# copy input to iv
-		&movq	(&QWP(8,$key),"mm5");
-
-		&sub	($s2,16);		# decrease len
-		&jc	(&label("slow_dec_partial_sse"));
-
-		&movq	(&QWP(0,$s1),"mm0");	# write output
-		&movq	(&QWP(8,$s1),"mm4");
-
-		&lea	($s1,&DWP(16,$s1));	# advance out
-		&mov	($_out,$s1);		# save out
-		&lea	($acc,&DWP(16,$acc));	# advance inp
-		&mov	($_inp,$acc);		# save inp
-		&mov	($_len,$s2);		# save len
-	&jnz	(&label("slow_dec_loop_sse"));
-	&emms	();
-	&mov	("esp",$_esp);
-	&popf	();
-	&function_end_A();
-	&pushf	();			# kludge, never executed
-
-    &set_label("slow_dec_partial_sse",16);
-	&movq	(&QWP(0,$s0),"mm0");	# save output to temp
-	&movq	(&QWP(8,$s0),"mm4");
-	&emms	();
-
-	&add	($s2 eq "ecx" ? "ecx":"",16);
-	&mov	("edi",$s1);		# out
-	&mov	("esi",$s0);		# temp
-	&align	(4);
-	&data_word(0xA4F3F689);		# rep movsb # copy partial output
-
-	&mov	("esp",$_esp);
-	&popf	();
-	&function_end_A();
-	&pushf	();			# kludge, never executed
-					}
-	&set_label("slow_dec_loop_x86",16);
-		&mov	($s0,&DWP(0,$acc));	# read input
-		&mov	($s1,&DWP(4,$acc));
-		&mov	($s2,&DWP(8,$acc));
-		&mov	($s3,&DWP(12,$acc));
-
-		&lea	($key,$ivec);
-		&mov	(&DWP(0,$key),$s0);	# copy to temp
-		&mov	(&DWP(4,$key),$s1);
-		&mov	(&DWP(8,$key),$s2);
-		&mov	(&DWP(12,$key),$s3);
-
-		&mov	($key,$_key);		# load key
-		&call	("_x86_AES_decrypt_compact");
-
-		&mov	($key,$_ivp);		# load ivp
-		&mov	($acc,$_len);		# load len
-		&xor	($s0,&DWP(0,$key));	# xor iv
-		&xor	($s1,&DWP(4,$key));
-		&xor	($s2,&DWP(8,$key));
-		&xor	($s3,&DWP(12,$key));
-
-		&sub	($acc,16);
-		&jc	(&label("slow_dec_partial_x86"));
-
-		&mov	($_len,$acc);		# save len
-		&mov	($acc,$_out);		# load out
-
-		&mov	(&DWP(0,$acc),$s0);	# write output
-		&mov	(&DWP(4,$acc),$s1);
-		&mov	(&DWP(8,$acc),$s2);
-		&mov	(&DWP(12,$acc),$s3);
-
-		&lea	($acc,&DWP(16,$acc));	# advance out
-		&mov	($_out,$acc);		# save out
-
-		&lea	($acc,$ivec);
-		&mov	($s0,&DWP(0,$acc));	# read temp
-		&mov	($s1,&DWP(4,$acc));
-		&mov	($s2,&DWP(8,$acc));
-		&mov	($s3,&DWP(12,$acc));
-
-		&mov	(&DWP(0,$key),$s0);	# copy it to iv
-		&mov	(&DWP(4,$key),$s1);
-		&mov	(&DWP(8,$key),$s2);
-		&mov	(&DWP(12,$key),$s3);
-
-		&mov	($acc,$_inp);		# load inp
-		&lea	($acc,&DWP(16,$acc));	# advance inp
-		&mov	($_inp,$acc);		# save inp
-	&jnz	(&label("slow_dec_loop_x86"));
-	&mov	("esp",$_esp);
-	&popf	();
-	&function_end_A();
-	&pushf	();			# kludge, never executed
-
-    &set_label("slow_dec_partial_x86",16);
-	&lea	($acc,$ivec);
-	&mov	(&DWP(0,$acc),$s0);	# save output to temp
-	&mov	(&DWP(4,$acc),$s1);
-	&mov	(&DWP(8,$acc),$s2);
-	&mov	(&DWP(12,$acc),$s3);
-
-	&mov	($acc,$_inp);
-	&mov	($s0,&DWP(0,$acc));	# re-read input
-	&mov	($s1,&DWP(4,$acc));
-	&mov	($s2,&DWP(8,$acc));
-	&mov	($s3,&DWP(12,$acc));
-
-	&mov	(&DWP(0,$key),$s0);	# copy it to iv
-	&mov	(&DWP(4,$key),$s1);
-	&mov	(&DWP(8,$key),$s2);
-	&mov	(&DWP(12,$key),$s3);
-
-	&mov	("ecx",$_len);
-	&mov	("edi",$_out);
-	&lea	("esi",$ivec);
-	&align	(4);
-	&data_word(0xA4F3F689);		# rep movsb # copy partial output
-
-	&mov	("esp",$_esp);
-	&popf	();
-&function_end("AES_cbc_encrypt");
-}
-
-#------------------------------------------------------------------#
-
-sub enckey()
-{
-	&movz	("esi",&LB("edx"));		# rk[i]>>0
-	&movz	("ebx",&BP(-128,$tbl,"esi",1));
-	&movz	("esi",&HB("edx"));		# rk[i]>>8
-	&shl	("ebx",24);
-	&xor	("eax","ebx");
-
-	&movz	("ebx",&BP(-128,$tbl,"esi",1));
-	&shr	("edx",16);
-	&movz	("esi",&LB("edx"));		# rk[i]>>16
-	&xor	("eax","ebx");
-
-	&movz	("ebx",&BP(-128,$tbl,"esi",1));
-	&movz	("esi",&HB("edx"));		# rk[i]>>24
-	&shl	("ebx",8);
-	&xor	("eax","ebx");
-
-	&movz	("ebx",&BP(-128,$tbl,"esi",1));
-	&shl	("ebx",16);
-	&xor	("eax","ebx");
-
-	&xor	("eax",&DWP(1024-128,$tbl,"ecx",4));	# rcon
-}
-
-&function_begin("_x86_AES_set_encrypt_key");
-	&mov	("esi",&wparam(1));		# user supplied key
-	&mov	("edi",&wparam(3));		# private key schedule
-
-	&test	("esi",-1);
-	&jz	(&label("badpointer"));
-	&test	("edi",-1);
-	&jz	(&label("badpointer"));
-
-	&call	(&label("pic_point"));
-	&set_label("pic_point");
-	&blindpop($tbl);
-	&lea	($tbl,&DWP(&label("AES_Te")."-".&label("pic_point"),$tbl));
-	&lea	($tbl,&DWP(2048+128,$tbl));
-
-	# prefetch Te4
-	&mov	("eax",&DWP(0-128,$tbl));
-	&mov	("ebx",&DWP(32-128,$tbl));
-	&mov	("ecx",&DWP(64-128,$tbl));
-	&mov	("edx",&DWP(96-128,$tbl));
-	&mov	("eax",&DWP(128-128,$tbl));
-	&mov	("ebx",&DWP(160-128,$tbl));
-	&mov	("ecx",&DWP(192-128,$tbl));
-	&mov	("edx",&DWP(224-128,$tbl));
-
-	&mov	("ecx",&wparam(2));		# number of bits in key
-	&cmp	("ecx",128);
-	&je	(&label("10rounds"));
-	&cmp	("ecx",192);
-	&je	(&label("12rounds"));
-	&cmp	("ecx",256);
-	&je	(&label("14rounds"));
-	&mov	("eax",-2);			# invalid number of bits
-	&jmp	(&label("exit"));
-
-    &set_label("10rounds");
-	&mov	("eax",&DWP(0,"esi"));		# copy first 4 dwords
-	&mov	("ebx",&DWP(4,"esi"));
-	&mov	("ecx",&DWP(8,"esi"));
-	&mov	("edx",&DWP(12,"esi"));
-	&mov	(&DWP(0,"edi"),"eax");
-	&mov	(&DWP(4,"edi"),"ebx");
-	&mov	(&DWP(8,"edi"),"ecx");
-	&mov	(&DWP(12,"edi"),"edx");
-
-	&xor	("ecx","ecx");
-	&jmp	(&label("10shortcut"));
-
-	&align	(4);
-	&set_label("10loop");
-		&mov	("eax",&DWP(0,"edi"));		# rk[0]
-		&mov	("edx",&DWP(12,"edi"));		# rk[3]
-	&set_label("10shortcut");
-		&enckey	();
-
-		&mov	(&DWP(16,"edi"),"eax");		# rk[4]
-		&xor	("eax",&DWP(4,"edi"));
-		&mov	(&DWP(20,"edi"),"eax");		# rk[5]
-		&xor	("eax",&DWP(8,"edi"));
-		&mov	(&DWP(24,"edi"),"eax");		# rk[6]
-		&xor	("eax",&DWP(12,"edi"));
-		&mov	(&DWP(28,"edi"),"eax");		# rk[7]
-		&inc	("ecx");
-		&add	("edi",16);
-		&cmp	("ecx",10);
-	&jl	(&label("10loop"));
-
-	&mov	(&DWP(80,"edi"),10);		# setup number of rounds
-	&xor	("eax","eax");
-	&jmp	(&label("exit"));
-
-    &set_label("12rounds");
-	&mov	("eax",&DWP(0,"esi"));		# copy first 6 dwords
-	&mov	("ebx",&DWP(4,"esi"));
-	&mov	("ecx",&DWP(8,"esi"));
-	&mov	("edx",&DWP(12,"esi"));
-	&mov	(&DWP(0,"edi"),"eax");
-	&mov	(&DWP(4,"edi"),"ebx");
-	&mov	(&DWP(8,"edi"),"ecx");
-	&mov	(&DWP(12,"edi"),"edx");
-	&mov	("ecx",&DWP(16,"esi"));
-	&mov	("edx",&DWP(20,"esi"));
-	&mov	(&DWP(16,"edi"),"ecx");
-	&mov	(&DWP(20,"edi"),"edx");
-
-	&xor	("ecx","ecx");
-	&jmp	(&label("12shortcut"));
-
-	&align	(4);
-	&set_label("12loop");
-		&mov	("eax",&DWP(0,"edi"));		# rk[0]
-		&mov	("edx",&DWP(20,"edi"));		# rk[5]
-	&set_label("12shortcut");
-		&enckey	();
-
-		&mov	(&DWP(24,"edi"),"eax");		# rk[6]
-		&xor	("eax",&DWP(4,"edi"));
-		&mov	(&DWP(28,"edi"),"eax");		# rk[7]
-		&xor	("eax",&DWP(8,"edi"));
-		&mov	(&DWP(32,"edi"),"eax");		# rk[8]
-		&xor	("eax",&DWP(12,"edi"));
-		&mov	(&DWP(36,"edi"),"eax");		# rk[9]
-
-		&cmp	("ecx",7);
-		&je	(&label("12break"));
-		&inc	("ecx");
-
-		&xor	("eax",&DWP(16,"edi"));
-		&mov	(&DWP(40,"edi"),"eax");		# rk[10]
-		&xor	("eax",&DWP(20,"edi"));
-		&mov	(&DWP(44,"edi"),"eax");		# rk[11]
-
-		&add	("edi",24);
-	&jmp	(&label("12loop"));
-
-	&set_label("12break");
-	&mov	(&DWP(72,"edi"),12);		# setup number of rounds
-	&xor	("eax","eax");
-	&jmp	(&label("exit"));
-
-    &set_label("14rounds");
-	&mov	("eax",&DWP(0,"esi"));		# copy first 8 dwords
-	&mov	("ebx",&DWP(4,"esi"));
-	&mov	("ecx",&DWP(8,"esi"));
-	&mov	("edx",&DWP(12,"esi"));
-	&mov	(&DWP(0,"edi"),"eax");
-	&mov	(&DWP(4,"edi"),"ebx");
-	&mov	(&DWP(8,"edi"),"ecx");
-	&mov	(&DWP(12,"edi"),"edx");
-	&mov	("eax",&DWP(16,"esi"));
-	&mov	("ebx",&DWP(20,"esi"));
-	&mov	("ecx",&DWP(24,"esi"));
-	&mov	("edx",&DWP(28,"esi"));
-	&mov	(&DWP(16,"edi"),"eax");
-	&mov	(&DWP(20,"edi"),"ebx");
-	&mov	(&DWP(24,"edi"),"ecx");
-	&mov	(&DWP(28,"edi"),"edx");
-
-	&xor	("ecx","ecx");
-	&jmp	(&label("14shortcut"));
-
-	&align	(4);
-	&set_label("14loop");
-		&mov	("edx",&DWP(28,"edi"));		# rk[7]
-	&set_label("14shortcut");
-		&mov	("eax",&DWP(0,"edi"));		# rk[0]
-
-		&enckey	();
-
-		&mov	(&DWP(32,"edi"),"eax");		# rk[8]
-		&xor	("eax",&DWP(4,"edi"));
-		&mov	(&DWP(36,"edi"),"eax");		# rk[9]
-		&xor	("eax",&DWP(8,"edi"));
-		&mov	(&DWP(40,"edi"),"eax");		# rk[10]
-		&xor	("eax",&DWP(12,"edi"));
-		&mov	(&DWP(44,"edi"),"eax");		# rk[11]
-
-		&cmp	("ecx",6);
-		&je	(&label("14break"));
-		&inc	("ecx");
-
-		&mov	("edx","eax");
-		&mov	("eax",&DWP(16,"edi"));		# rk[4]
-		&movz	("esi",&LB("edx"));		# rk[11]>>0
-		&movz	("ebx",&BP(-128,$tbl,"esi",1));
-		&movz	("esi",&HB("edx"));		# rk[11]>>8
-		&xor	("eax","ebx");
-
-		&movz	("ebx",&BP(-128,$tbl,"esi",1));
-		&shr	("edx",16);
-		&shl	("ebx",8);
-		&movz	("esi",&LB("edx"));		# rk[11]>>16
-		&xor	("eax","ebx");
-
-		&movz	("ebx",&BP(-128,$tbl,"esi",1));
-		&movz	("esi",&HB("edx"));		# rk[11]>>24
-		&shl	("ebx",16);
-		&xor	("eax","ebx");
-
-		&movz	("ebx",&BP(-128,$tbl,"esi",1));
-		&shl	("ebx",24);
-		&xor	("eax","ebx");
-
-		&mov	(&DWP(48,"edi"),"eax");		# rk[12]
-		&xor	("eax",&DWP(20,"edi"));
-		&mov	(&DWP(52,"edi"),"eax");		# rk[13]
-		&xor	("eax",&DWP(24,"edi"));
-		&mov	(&DWP(56,"edi"),"eax");		# rk[14]
-		&xor	("eax",&DWP(28,"edi"));
-		&mov	(&DWP(60,"edi"),"eax");		# rk[15]
-
-		&add	("edi",32);
-	&jmp	(&label("14loop"));
-
-	&set_label("14break");
-	&mov	(&DWP(48,"edi"),14);		# setup number of rounds
-	&xor	("eax","eax");
-	&jmp	(&label("exit"));
-
-    &set_label("badpointer");
-	&mov	("eax",-1);
-    &set_label("exit");
-&function_end("_x86_AES_set_encrypt_key");
-
-# int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-#                        AES_KEY *key)
-&function_begin_B("AES_set_encrypt_key");
-	&call	("_x86_AES_set_encrypt_key");
-	&ret	();
-&function_end_B("AES_set_encrypt_key");
-
-sub deckey()
-{ my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
-  my $tmp = $tbl;
-
-	&mov	($tmp,0x80808080);
-	&and	($tmp,$tp1);
-	&lea	($tp2,&DWP(0,$tp1,$tp1));
-	&mov	($acc,$tmp);
-	&shr	($tmp,7);
-	&sub	($acc,$tmp);
-	&and	($tp2,0xfefefefe);
-	&and	($acc,0x1b1b1b1b);
-	&xor	($tp2,$acc);
-	&mov	($tmp,0x80808080);
-
-	&and	($tmp,$tp2);
-	&lea	($tp4,&DWP(0,$tp2,$tp2));
-	&mov	($acc,$tmp);
-	&shr	($tmp,7);
-	&sub	($acc,$tmp);
-	&and	($tp4,0xfefefefe);
-	&and	($acc,0x1b1b1b1b);
-	 &xor	($tp2,$tp1);	# tp2^tp1
-	&xor	($tp4,$acc);
-	&mov	($tmp,0x80808080);
-
-	&and	($tmp,$tp4);
-	&lea	($tp8,&DWP(0,$tp4,$tp4));
-	&mov	($acc,$tmp);
-	&shr	($tmp,7);
-	 &xor	($tp4,$tp1);	# tp4^tp1
-	&sub	($acc,$tmp);
-	&and	($tp8,0xfefefefe);
-	&and	($acc,0x1b1b1b1b);
-	 &rotl	($tp1,8);	# = ROTATE(tp1,8)
-	&xor	($tp8,$acc);
-
-	&mov	($tmp,&DWP(4*($i+1),$key));	# modulo-scheduled load
-
-	&xor	($tp1,$tp2);
-	&xor	($tp2,$tp8);
-	&xor	($tp1,$tp4);
-	&rotl	($tp2,24);
-	&xor	($tp4,$tp8);
-	&xor	($tp1,$tp8);	# ^= tp8^(tp4^tp1)^(tp2^tp1)
-	&rotl	($tp4,16);
-	&xor	($tp1,$tp2);	# ^= ROTATE(tp8^tp2^tp1,24)
-	&rotl	($tp8,8);
-	&xor	($tp1,$tp4);	# ^= ROTATE(tp8^tp4^tp1,16)
-	&mov	($tp2,$tmp);
-	&xor	($tp1,$tp8);	# ^= ROTATE(tp8,8)
-
-	&mov	(&DWP(4*$i,$key),$tp1);
-}
-
-# int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-#                        AES_KEY *key)
-&function_begin_B("AES_set_decrypt_key");
-	&call	("_x86_AES_set_encrypt_key");
-	&cmp	("eax",0);
-	&je	(&label("proceed"));
-	&ret	();
-
-    &set_label("proceed");
-	&push	("ebp");
-	&push	("ebx");
-	&push	("esi");
-	&push	("edi");
-
-	&mov	("esi",&wparam(2));
-	&mov	("ecx",&DWP(240,"esi"));	# pull number of rounds
-	&lea	("ecx",&DWP(0,"","ecx",4));
-	&lea	("edi",&DWP(0,"esi","ecx",4));	# pointer to last chunk
-
-	&set_label("invert",4);			# invert order of chunks
-		&mov	("eax",&DWP(0,"esi"));
-		&mov	("ebx",&DWP(4,"esi"));
-		&mov	("ecx",&DWP(0,"edi"));
-		&mov	("edx",&DWP(4,"edi"));
-		&mov	(&DWP(0,"edi"),"eax");
-		&mov	(&DWP(4,"edi"),"ebx");
-		&mov	(&DWP(0,"esi"),"ecx");
-		&mov	(&DWP(4,"esi"),"edx");
-		&mov	("eax",&DWP(8,"esi"));
-		&mov	("ebx",&DWP(12,"esi"));
-		&mov	("ecx",&DWP(8,"edi"));
-		&mov	("edx",&DWP(12,"edi"));
-		&mov	(&DWP(8,"edi"),"eax");
-		&mov	(&DWP(12,"edi"),"ebx");
-		&mov	(&DWP(8,"esi"),"ecx");
-		&mov	(&DWP(12,"esi"),"edx");
-		&add	("esi",16);
-		&sub	("edi",16);
-		&cmp	("esi","edi");
-	&jne	(&label("invert"));
-
-	&mov	($key,&wparam(2));
-	&mov	($acc,&DWP(240,$key));		# pull number of rounds
-	&lea	($acc,&DWP(-2,$acc,$acc));
-	&lea	($acc,&DWP(0,$key,$acc,8));
-	&mov	(&wparam(2),$acc);
-
-	&mov	($s0,&DWP(16,$key));		# modulo-scheduled load
-	&set_label("permute",4);		# permute the key schedule
-		&add	($key,16);
-		&deckey	(0,$key,$s0,$s1,$s2,$s3);
-		&deckey	(1,$key,$s1,$s2,$s3,$s0);
-		&deckey	(2,$key,$s2,$s3,$s0,$s1);
-		&deckey	(3,$key,$s3,$s0,$s1,$s2);
-		&cmp	($key,&wparam(2));
-	&jb	(&label("permute"));
-
-	&xor	("eax","eax");			# return success
-&function_end("AES_set_decrypt_key");
-&asciz("AES for x86, CRYPTOGAMS by <appro\@openssl.org>");
-
-&asm_finish();
-
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 1061
libs/openssl/crypto/aes/asm/aes-riscv32-zkn.pl

@@ -1,1061 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$output and open STDOUT,">$output";
-
-################################################################################
-# Utility functions to help with keeping track of which registers to stack/
-# unstack when entering / exiting routines.
-################################################################################
-{
-    # Callee-saved registers
-    my @callee_saved = map("x$_",(2,8,9,18..27));
-    # Caller-saved registers
-    my @caller_saved = map("x$_",(1,5..7,10..17,28..31));
-    my @must_save;
-    sub use_reg {
-        my $reg = shift;
-        if (grep(/^$reg$/, @callee_saved)) {
-            push(@must_save, $reg);
-        } elsif (!grep(/^$reg$/, @caller_saved)) {
-            # Register is not usable!
-            die("Unusable register ".$reg);
-        }
-        return $reg;
-    }
-    sub use_regs {
-        return map(use_reg("x$_"), @_);
-    }
-    sub save_regs {
-        my $ret = '';
-        my $stack_reservation = ($#must_save + 1) * 8;
-        my $stack_offset = $stack_reservation;
-        if ($stack_reservation % 16) {
-            $stack_reservation += 8;
-        }
-        $ret.="    addi    sp,sp,-$stack_reservation\n";
-        foreach (@must_save) {
-            $stack_offset -= 8;
-            $ret.="    sw      $_,$stack_offset(sp)\n";
-        }
-        return $ret;
-    }
-    sub load_regs {
-        my $ret = '';
-        my $stack_reservation = ($#must_save + 1) * 8;
-        my $stack_offset = $stack_reservation;
-        if ($stack_reservation % 16) {
-            $stack_reservation += 8;
-        }
-        foreach (@must_save) {
-            $stack_offset -= 8;
-            $ret.="    lw      $_,$stack_offset(sp)\n";
-        }
-        $ret.="    addi    sp,sp,$stack_reservation\n";
-        return $ret;
-    }
-    sub clear_regs {
-        @must_save = ();
-    }
-}
-
-################################################################################
-# util for encoding scalar crypto extension instructions
-################################################################################
-
-my @regs = map("x$_",(0..31));
-my %reglookup;
-@reglookup{@regs} = @regs;
-
-# Takes a register name, possibly an alias, and converts it to a register index
-# from 0 to 31
-sub read_reg {
-    my $reg = lc shift;
-    if (!exists($reglookup{$reg})) {
-        die("Unknown register ".$reg);
-    }
-    my $regstr = $reglookup{$reg};
-    if (!($regstr =~ /^x([0-9]+)$/)) {
-        die("Could not process register ".$reg);
-    }
-    return $1;
-}
-
-sub aes32dsi {
-    # Encoding for aes32dsi rd, rs1, rs2, bs instruction on RV32
-    #                bs_XXXXX_ rs2 _ rs1 _XXX_ rd  _XXXXXXX
-    my $template = 0b00_10101_00000_00000_000_00000_0110011;
-    my $rd = read_reg shift;
-    my $rs1 = read_reg shift;
-    my $rs2 = read_reg shift;
-    my $bs = shift;
-
-    return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
-}
-
-sub aes32dsmi {
-    # Encoding for aes32dsmi rd, rs1, rs2, bs instruction on RV32
-    #                bs_XXXXX_ rs2 _ rs1 _XXX_ rd  _XXXXXXX
-    my $template = 0b00_10111_00000_00000_000_00000_0110011;
-    my $rd = read_reg shift;
-    my $rs1 = read_reg shift;
-    my $rs2 = read_reg shift;
-    my $bs = shift;
-
-    return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
-}
-
-sub aes32esi {
-    # Encoding for aes32esi rd, rs1, rs2, bs instruction on RV32
-    #                bs_XXXXX_ rs2 _ rs1 _XXX_ rd  _XXXXXXX
-    my $template = 0b00_10001_00000_00000_000_00000_0110011;
-    my $rd = read_reg shift;
-    my $rs1 = read_reg shift;
-    my $rs2 = read_reg shift;
-    my $bs = shift;
-
-    return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
-}
-
-sub aes32esmi {
-    # Encoding for aes32esmi rd, rs1, rs2, bs instruction on RV32
-    #                bs_XXXXX_ rs2 _ rs1 _XXX_ rd  _XXXXXXX
-    my $template = 0b00_10011_00000_00000_000_00000_0110011;
-    my $rd = read_reg shift;
-    my $rs1 = read_reg shift;
-    my $rs2 = read_reg shift;
-    my $bs = shift;
-
-    return ".word ".($template | ($bs << 30) | ($rs2 << 20) | ($rs1 << 15) | ($rd << 7));
-}
-
-sub rori {
-    # Encoding for ror rd, rs1, imm instruction on RV64
-    #                XXXXXXX_shamt_ rs1 _XXX_ rd  _XXXXXXX
-    my $template = 0b0110000_00000_00000_101_00000_0010011;
-    my $rd = read_reg shift;
-    my $rs1 = read_reg shift;
-    my $shamt = shift;
-
-    return ".word ".($template | ($shamt << 20) | ($rs1 << 15) | ($rd << 7));
-}
-
-################################################################################
-# Register assignment for rv32i_zkne_encrypt and rv32i_zknd_decrypt
-################################################################################
-
-# Registers initially to hold AES state (called s0-s3 or y0-y3 elsewhere)
-my ($Q0,$Q1,$Q2,$Q3) = use_regs(6..9);
-
-# Function arguments (x10-x12 are a0-a2 in the ABI)
-# Input block pointer, output block pointer, key pointer
-my ($INP,$OUTP,$KEYP) = use_regs(10..12);
-
-# Registers initially to hold Key
-my ($T0,$T1,$T2,$T3) = use_regs(13..16);
-
-# Loop counter
-my ($loopcntr) = use_regs(30);
-
-################################################################################
-# Utility for rv32i_zkne_encrypt and rv32i_zknd_decrypt
-################################################################################
-
-# outer product of whole state into one column of key
-sub outer {
-    my $inst = shift;
-    my $key = shift;
-    # state 0 to 3
-    my $s0 = shift;
-    my $s1 = shift;
-    my $s2 = shift;
-    my $s3 = shift;
-    my $ret = '';
-$ret .= <<___;
-    @{[$inst->($key,$key,$s0,0)]}
-    @{[$inst->($key,$key,$s1,1)]}
-    @{[$inst->($key,$key,$s2,2)]}
-    @{[$inst->($key,$key,$s3,3)]}
-___
-    return $ret;
-}
-
-sub aes32esmi4 {
-    return outer(\&aes32esmi, @_)
-}
-
-sub aes32esi4 {
-    return outer(\&aes32esi, @_)
-}
-
-sub aes32dsmi4 {
-    return outer(\&aes32dsmi, @_)
-}
-
-sub aes32dsi4 {
-    return outer(\&aes32dsi, @_)
-}
-
-################################################################################
-# void rv32i_zkne_encrypt(const unsigned char *in, unsigned char *out,
-#   const AES_KEY *key);
-################################################################################
-my $code .= <<___;
-.text
-.balign 16
-.globl rv32i_zkne_encrypt
-.type   rv32i_zkne_encrypt,\@function
-rv32i_zkne_encrypt:
-___
-
-$code .= save_regs();
-
-$code .= <<___;
-    # Load input to block cipher
-    lw      $Q0,0($INP)
-    lw      $Q1,4($INP)
-    lw      $Q2,8($INP)
-    lw      $Q3,12($INP)
-
-    # Load key
-    lw      $T0,0($KEYP)
-    lw      $T1,4($KEYP)
-    lw      $T2,8($KEYP)
-    lw      $T3,12($KEYP)
-
-    # Load number of rounds
-    lw      $loopcntr,240($KEYP)
-
-    # initial transformation
-    xor     $Q0,$Q0,$T0
-    xor     $Q1,$Q1,$T1
-    xor     $Q2,$Q2,$T2
-    xor     $Q3,$Q3,$T3
-
-    # The main loop only executes the first N-2 rounds, each loop consumes two rounds
-    add     $loopcntr,$loopcntr,-2
-    srli    $loopcntr,$loopcntr,1
-1:
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,16
-    lw      $T0,0($KEYP)
-    lw      $T1,4($KEYP)
-    lw      $T2,8($KEYP)
-    lw      $T3,12($KEYP)
-
-    @{[aes32esmi4 $T0,$Q0,$Q1,$Q2,$Q3]}
-    @{[aes32esmi4 $T1,$Q1,$Q2,$Q3,$Q0]}
-    @{[aes32esmi4 $T2,$Q2,$Q3,$Q0,$Q1]}
-    @{[aes32esmi4 $T3,$Q3,$Q0,$Q1,$Q2]}
-    # now T0~T3 hold the new state
-
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,16
-    lw      $Q0,0($KEYP)
-    lw      $Q1,4($KEYP)
-    lw      $Q2,8($KEYP)
-    lw      $Q3,12($KEYP)
-
-    @{[aes32esmi4 $Q0,$T0,$T1,$T2,$T3]}
-    @{[aes32esmi4 $Q1,$T1,$T2,$T3,$T0]}
-    @{[aes32esmi4 $Q2,$T2,$T3,$T0,$T1]}
-    @{[aes32esmi4 $Q3,$T3,$T0,$T1,$T2]}
-    # now Q0~Q3 hold the new state
-
-    add     $loopcntr,$loopcntr,-1
-    bgtz    $loopcntr,1b
-
-# final two rounds
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,16
-    lw      $T0,0($KEYP)
-    lw      $T1,4($KEYP)
-    lw      $T2,8($KEYP)
-    lw      $T3,12($KEYP)
-
-    @{[aes32esmi4 $T0,$Q0,$Q1,$Q2,$Q3]}
-    @{[aes32esmi4 $T1,$Q1,$Q2,$Q3,$Q0]}
-    @{[aes32esmi4 $T2,$Q2,$Q3,$Q0,$Q1]}
-    @{[aes32esmi4 $T3,$Q3,$Q0,$Q1,$Q2]}
-    # now T0~T3 hold the new state
-
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,16
-    lw      $Q0,0($KEYP)
-    lw      $Q1,4($KEYP)
-    lw      $Q2,8($KEYP)
-    lw      $Q3,12($KEYP)
-
-    # no mix column now
-    @{[aes32esi4 $Q0,$T0,$T1,$T2,$T3]}
-    @{[aes32esi4 $Q1,$T1,$T2,$T3,$T0]}
-    @{[aes32esi4 $Q2,$T2,$T3,$T0,$T1]}
-    @{[aes32esi4 $Q3,$T3,$T0,$T1,$T2]}
-    # now Q0~Q3 hold the new state
-
-    sw      $Q0,0($OUTP)
-    sw      $Q1,4($OUTP)
-    sw      $Q2,8($OUTP)
-    sw      $Q3,12($OUTP)
-
-    # Pop registers and return
-___
-
-$code .= load_regs();
-
-$code .= <<___;
-    ret
-___
-
-################################################################################
-# void rv32i_zknd_decrypt(const unsigned char *in, unsigned char *out,
-#   const AES_KEY *key);
-################################################################################
-$code .= <<___;
-.text
-.balign 16
-.globl rv32i_zknd_decrypt
-.type   rv32i_zknd_decrypt,\@function
-rv32i_zknd_decrypt:
-___
-
-$code .= save_regs();
-
-$code .= <<___;
-    # Load input to block cipher
-    lw      $Q0,0($INP)
-    lw      $Q1,4($INP)
-    lw      $Q2,8($INP)
-    lw      $Q3,12($INP)
-
-    # Load number of rounds
-    lw      $loopcntr,240($KEYP)
-
-    # Load the last key
-    # use T0 as temporary now
-    slli    $T0,$loopcntr,4
-    add     $KEYP,$KEYP,$T0
-    # Load key
-    lw      $T0,0($KEYP)
-    lw      $T1,4($KEYP)
-    lw      $T2,8($KEYP)
-    lw      $T3,12($KEYP)
-
-    # initial transformation
-    xor     $Q0,$Q0,$T0
-    xor     $Q1,$Q1,$T1
-    xor     $Q2,$Q2,$T2
-    xor     $Q3,$Q3,$T3
-
-    # The main loop only executes the first N-2 rounds, each loop consumes two rounds
-    add     $loopcntr,$loopcntr,-2
-    srli    $loopcntr,$loopcntr,1
-1:
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,-16
-    lw      $T0,0($KEYP)
-    lw      $T1,4($KEYP)
-    lw      $T2,8($KEYP)
-    lw      $T3,12($KEYP)
-
-    @{[aes32dsmi4 $T0,$Q0,$Q3,$Q2,$Q1]}
-    @{[aes32dsmi4 $T1,$Q1,$Q0,$Q3,$Q2]}
-    @{[aes32dsmi4 $T2,$Q2,$Q1,$Q0,$Q3]}
-    @{[aes32dsmi4 $T3,$Q3,$Q2,$Q1,$Q0]}
-    # now T0~T3 hold the new state
-
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,-16
-    lw      $Q0,0($KEYP)
-    lw      $Q1,4($KEYP)
-    lw      $Q2,8($KEYP)
-    lw      $Q3,12($KEYP)
-
-    @{[aes32dsmi4 $Q0,$T0,$T3,$T2,$T1]}
-    @{[aes32dsmi4 $Q1,$T1,$T0,$T3,$T2]}
-    @{[aes32dsmi4 $Q2,$T2,$T1,$T0,$T3]}
-    @{[aes32dsmi4 $Q3,$T3,$T2,$T1,$T0]}
-    # now Q0~Q3 hold the new state
-
-    add     $loopcntr,$loopcntr,-1
-    bgtz    $loopcntr,1b
-
-# final two rounds
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,-16
-    lw      $T0,0($KEYP)
-    lw      $T1,4($KEYP)
-    lw      $T2,8($KEYP)
-    lw      $T3,12($KEYP)
-
-    @{[aes32dsmi4 $T0,$Q0,$Q3,$Q2,$Q1]}
-    @{[aes32dsmi4 $T1,$Q1,$Q0,$Q3,$Q2]}
-    @{[aes32dsmi4 $T2,$Q2,$Q1,$Q0,$Q3]}
-    @{[aes32dsmi4 $T3,$Q3,$Q2,$Q1,$Q0]}
-    # now T0~T3 hold the new state
-
-    # Grab next key in schedule
-    add     $KEYP,$KEYP,-16
-    lw      $Q0,0($KEYP)
-    lw      $Q1,4($KEYP)
-    lw      $Q2,8($KEYP)
-    lw      $Q3,12($KEYP)
-
-    # no mix column now
-    @{[aes32dsi4 $Q0,$T0,$T3,$T2,$T1]}
-    @{[aes32dsi4 $Q1,$T1,$T0,$T3,$T2]}
-    @{[aes32dsi4 $Q2,$T2,$T1,$T0,$T3]}
-    @{[aes32dsi4 $Q3,$T3,$T2,$T1,$T0]}
-    # now Q0~Q3 hold the new state
-
-    sw      $Q0,0($OUTP)
-    sw      $Q1,4($OUTP)
-    sw      $Q2,8($OUTP)
-    sw      $Q3,12($OUTP)
-
-    # Pop registers and return
-___
-
-$code .= load_regs();
-
-$code .= <<___;
-    ret
-___
-
-clear_regs();
-
-################################################################################
-# Register assignment for rv32i_zkn[e/d]_set_[en/de]crypt
-################################################################################
-
-# Function arguments (x10-x12 are a0-a2 in the ABI)
-# Pointer to user key, number of bits in key, key pointer
-my ($UKEY,$BITS,$KEYP) = use_regs(10..12);
-
-# Temporaries
-my ($T0,$T1,$T2,$T3,$T4,$T5,$T6,$T7,$T8) = use_regs(13..17,28..31);
-
-################################################################################
-# utility functions for rv32i_zkne_set_encrypt_key
-################################################################################
-
-my @rcon = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36);
-
-# do 4 sbox on 4 bytes of rs, (possibly mix), then xor with rd
-sub sbox4 {
-    my $inst = shift;
-    my $rd = shift;
-    my $rs = shift;
-    my $ret = <<___;
-    @{[$inst->($rd,$rd,$rs,0)]}
-    @{[$inst->($rd,$rd,$rs,1)]}
-    @{[$inst->($rd,$rd,$rs,2)]}
-    @{[$inst->($rd,$rd,$rs,3)]}
-___
-    return $ret;
-}
-
-sub fwdsbox4 {
-    return sbox4(\&aes32esi, @_);
-}
-
-sub ke128enc {
-    my $zbkb = shift;
-    my $rnum = 0;
-    my $ret = '';
-$ret .= <<___;
-    lw      $T0,0($UKEY)
-    lw      $T1,4($UKEY)
-    lw      $T2,8($UKEY)
-    lw      $T3,12($UKEY)
-
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-___
-    while($rnum < 10) {
-$ret .= <<___;
-    # use T4 to store rcon
-    li      $T4,$rcon[$rnum]
-    # as xor is associative and commutative
-    # we fist xor T0 with RCON, then use T0 to
-    # xor the result of each SBOX result of T3
-    xor     $T0,$T0,$T4
-    # use T4 to store rotated T3
-___
-        # right rotate by 8
-        if ($zbkb) {
-$ret .= <<___;
-    @{[rori    $T4,$T3,8]}
-___
-        } else {
-$ret .= <<___;
-    srli    $T4,$T3,8
-    slli    $T5,$T3,24
-    or      $T4,$T4,$T5
-___
-        }
-$ret .= <<___;
-    # update T0
-    @{[fwdsbox4 $T0,$T4]}
-
-    # update new T1~T3
-    xor     $T1,$T1,$T0
-    xor     $T2,$T2,$T1
-    xor     $T3,$T3,$T2
-
-    add     $KEYP,$KEYP,16
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-___
-        $rnum++;
-    }
-    return $ret;
-}
-
-sub ke192enc {
-    my $zbkb = shift;
-    my $rnum = 0;
-    my $ret = '';
-$ret .= <<___;
-    lw      $T0,0($UKEY)
-    lw      $T1,4($UKEY)
-    lw      $T2,8($UKEY)
-    lw      $T3,12($UKEY)
-    lw      $T4,16($UKEY)
-    lw      $T5,20($UKEY)
-
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-    sw      $T4,16($KEYP)
-    sw      $T5,20($KEYP)
-___
-    while($rnum < 8) {
-$ret .= <<___;
-    # see the comment in ke128enc
-    li      $T6,$rcon[$rnum]
-    xor     $T0,$T0,$T6
-___
-        # right rotate by 8
-        if ($zbkb) {
-$ret .= <<___;
-    @{[rori    $T6,$T5,8]}
-___
-        } else {
-$ret .= <<___;
-    srli    $T6,$T5,8
-    slli    $T7,$T5,24
-    or      $T6,$T6,$T7
-___
-        }
-$ret .= <<___;
-    @{[fwdsbox4 $T0,$T6]}
-    xor     $T1,$T1,$T0
-    xor     $T2,$T2,$T1
-    xor     $T3,$T3,$T2
-___
-        if ($rnum != 7) {
-        # note that (8+1)*24 = 216, (12+1)*16 = 208
-        # thus the last 8 bytes can be dropped
-$ret .= <<___;
-    xor     $T4,$T4,$T3
-    xor     $T5,$T5,$T4
-___
-        }
-$ret .= <<___;
-    add     $KEYP,$KEYP,24
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-___
-        if ($rnum != 7) {
-$ret .= <<___;
-    sw      $T4,16($KEYP)
-    sw      $T5,20($KEYP)
-___
-        }
-        $rnum++;
-    }
-    return $ret;
-}
-
-sub ke256enc {
-    my $zbkb = shift;
-    my $rnum = 0;
-    my $ret = '';
-$ret .= <<___;
-    lw      $T0,0($UKEY)
-    lw      $T1,4($UKEY)
-    lw      $T2,8($UKEY)
-    lw      $T3,12($UKEY)
-    lw      $T4,16($UKEY)
-    lw      $T5,20($UKEY)
-    lw      $T6,24($UKEY)
-    lw      $T7,28($UKEY)
-
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-    sw      $T4,16($KEYP)
-    sw      $T5,20($KEYP)
-    sw      $T6,24($KEYP)
-    sw      $T7,28($KEYP)
-___
-    while($rnum < 7) {
-$ret .= <<___;
-    # see the comment in ke128enc
-    li      $T8,$rcon[$rnum]
-    xor     $T0,$T0,$T8
-___
-        # right rotate by 8
-        if ($zbkb) {
-$ret .= <<___;
-    @{[rori    $T8,$T7,8]}
-___
-        } else {
-$ret .= <<___;
-    srli    $T8,$T7,8
-    slli    $BITS,$T7,24
-    or      $T8,$T8,$BITS
-___
-        }
-$ret .= <<___;
-    @{[fwdsbox4 $T0,$T8]}
-    xor     $T1,$T1,$T0
-    xor     $T2,$T2,$T1
-    xor     $T3,$T3,$T2
-
-    add     $KEYP,$KEYP,32
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-___
-        if ($rnum != 6) {
-        # note that (7+1)*32 = 256, (14+1)*16 = 240
-        # thus the last 16 bytes can be dropped
-$ret .= <<___;
-    # for aes256, T3->T4 needs 4sbox but no rotate/rcon
-    @{[fwdsbox4 $T4,$T3]}
-    xor     $T5,$T5,$T4
-    xor     $T6,$T6,$T5
-    xor     $T7,$T7,$T6
-    sw      $T4,16($KEYP)
-    sw      $T5,20($KEYP)
-    sw      $T6,24($KEYP)
-    sw      $T7,28($KEYP)
-___
-        }
-        $rnum++;
-    }
-    return $ret;
-}
-
-################################################################################
-# void rv32i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
-#   AES_KEY *key)
-################################################################################
-sub AES_set_common {
-    my ($ke128, $ke192, $ke256) = @_;
-    my $ret = '';
-$ret .= <<___;
-    bnez    $UKEY,1f        # if (!userKey || !key) return -1;
-    bnez    $KEYP,1f
-    li      a0,-1
-    ret
-1:
-    # Determine number of rounds from key size in bits
-    li      $T0,128
-    bne     $BITS,$T0,1f
-    li      $T1,10          # key->rounds = 10 if bits == 128
-    sw      $T1,240($KEYP)  # store key->rounds
-$ke128
-    j       4f
-1:
-    li      $T0,192
-    bne     $BITS,$T0,2f
-    li      $T1,12          # key->rounds = 12 if bits == 192
-    sw      $T1,240($KEYP)  # store key->rounds
-$ke192
-    j       4f
-2:
-    li      $T1,14          # key->rounds = 14 if bits == 256
-    li      $T0,256
-    beq     $BITS,$T0,3f
-    li      a0,-2           # If bits != 128, 192, or 256, return -2
-    j       5f
-3:
-    sw      $T1,240($KEYP)  # store key->rounds
-$ke256
-4:  # return 0
-    li      a0,0
-5:  # return a0
-___
-    return $ret;
-}
-$code .= <<___;
-.text
-.balign 16
-.globl rv32i_zkne_set_encrypt_key
-.type rv32i_zkne_set_encrypt_key,\@function
-rv32i_zkne_set_encrypt_key:
-___
-
-$code .= save_regs();
-$code .= AES_set_common(ke128enc(0), ke192enc(0),ke256enc(0));
-$code .= load_regs();
-$code .= <<___;
-    ret
-___
-
-################################################################################
-# void rv32i_zbkb_zkne_set_encrypt_key(const unsigned char *userKey,
-#   const int bits, AES_KEY *key)
-################################################################################
-$code .= <<___;
-.text
-.balign 16
-.globl rv32i_zbkb_zkne_set_encrypt_key
-.type rv32i_zbkb_zkne_set_encrypt_key,\@function
-rv32i_zbkb_zkne_set_encrypt_key:
-___
-
-$code .= save_regs();
-$code .= AES_set_common(ke128enc(1), ke192enc(1),ke256enc(1));
-$code .= load_regs();
-$code .= <<___;
-    ret
-___
-
-################################################################################
-# utility functions for rv32i_zknd_zkne_set_decrypt_key
-################################################################################
-
-sub invm4 {
-    # fwd sbox then inv sbox then mix column
-    # the result is only mix column
-    # this simulates aes64im T0
-    my $rd = shift;
-    my $tmp = shift;
-    my $rs = shift;
-    my $ret = <<___;
-    li      $tmp,0
-    li      $rd,0
-    @{[fwdsbox4 $tmp,$rs]}
-    @{[sbox4(\&aes32dsmi, $rd,$tmp)]}
-___
-    return $ret;
-}
-
-sub ke128dec {
-    my $zbkb = shift;
-    my $rnum = 0;
-    my $ret = '';
-$ret .= <<___;
-    lw      $T0,0($UKEY)
-    lw      $T1,4($UKEY)
-    lw      $T2,8($UKEY)
-    lw      $T3,12($UKEY)
-
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-___
-    while($rnum < 10) {
-$ret .= <<___;
-    # see comments in ke128enc
-    li      $T4,$rcon[$rnum]
-    xor     $T0,$T0,$T4
-___
-        # right rotate by 8
-        if ($zbkb) {
-$ret .= <<___;
-    @{[rori    $T4,$T3,8]}
-___
-        } else {
-$ret .= <<___;
-    srli    $T4,$T3,8
-    slli    $T5,$T3,24
-    or      $T4,$T4,$T5
-___
-        }
-$ret .= <<___;
-    @{[fwdsbox4 $T0,$T4]}
-    xor     $T1,$T1,$T0
-    xor     $T2,$T2,$T1
-    xor     $T3,$T3,$T2
-    add     $KEYP,$KEYP,16
-___
-    # need to mixcolumn only for [1:N-1] round keys
-    # this is from the fact that aes32dsmi subwords first then mix column
-    # intuitively decryption needs to first mix column then subwords
-    # however, for merging datapaths (encryption first subwords then mix column)
-    # aes32dsmi chooses to inverse the order of them, thus
-    # transform should then be done on the round key
-        if ($rnum < 9) {
-$ret .= <<___;
-    # T4 and T5 are temp variables
-    @{[invm4 $T5,$T4,$T0]}
-    sw      $T5,0($KEYP)
-    @{[invm4 $T5,$T4,$T1]}
-    sw      $T5,4($KEYP)
-    @{[invm4 $T5,$T4,$T2]}
-    sw      $T5,8($KEYP)
-    @{[invm4 $T5,$T4,$T3]}
-    sw      $T5,12($KEYP)
-___
-        } else {
-$ret .= <<___;
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-___
-        }
-        $rnum++;
-    }
-    return $ret;
-}
-
-sub ke192dec {
-    my $zbkb = shift;
-    my $rnum = 0;
-    my $ret = '';
-$ret .= <<___;
-    lw      $T0,0($UKEY)
-    lw      $T1,4($UKEY)
-    lw      $T2,8($UKEY)
-    lw      $T3,12($UKEY)
-    lw      $T4,16($UKEY)
-    lw      $T5,20($UKEY)
-
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-    # see the comment in ke128dec
-    # T7 and T6 are temp variables
-    @{[invm4 $T7,$T6,$T4]}
-    sw      $T7,16($KEYP)
-    @{[invm4 $T7,$T6,$T5]}
-    sw      $T7,20($KEYP)
-___
-    while($rnum < 8) {
-$ret .= <<___;
-    # see the comment in ke128enc
-    li      $T6,$rcon[$rnum]
-    xor     $T0,$T0,$T6
-___
-        # right rotate by 8
-        if ($zbkb) {
-$ret .= <<___;
-    @{[rori    $T6,$T5,8]}
-___
-        } else {
-$ret .= <<___;
-    srli    $T6,$T5,8
-    slli    $T7,$T5,24
-    or      $T6,$T6,$T7
-___
-        }
-$ret .= <<___;
-    @{[fwdsbox4 $T0,$T6]}
-    xor     $T1,$T1,$T0
-    xor     $T2,$T2,$T1
-    xor     $T3,$T3,$T2
-
-    add     $KEYP,$KEYP,24
-___
-        if ($rnum < 7) {
-$ret .= <<___;
-    xor     $T4,$T4,$T3
-    xor     $T5,$T5,$T4
-
-    # see the comment in ke128dec
-    # T7 and T6 are temp variables
-    @{[invm4 $T7,$T6,$T0]}
-    sw      $T7,0($KEYP)
-    @{[invm4 $T7,$T6,$T1]}
-    sw      $T7,4($KEYP)
-    @{[invm4 $T7,$T6,$T2]}
-    sw      $T7,8($KEYP)
-    @{[invm4 $T7,$T6,$T3]}
-    sw      $T7,12($KEYP)
-    @{[invm4 $T7,$T6,$T4]}
-    sw      $T7,16($KEYP)
-    @{[invm4 $T7,$T6,$T5]}
-    sw      $T7,20($KEYP)
-___
-        } else { # rnum == 7
-$ret .= <<___;
-    # the reason for dropping T4/T5 is in ke192enc
-    # the reason for not invm4 is in ke128dec
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-___
-        }
-        $rnum++;
-    }
-    return $ret;
-}
-
-sub ke256dec {
-    my $zbkb = shift;
-    my $rnum = 0;
-    my $ret = '';
-$ret .= <<___;
-    lw      $T0,0($UKEY)
-    lw      $T1,4($UKEY)
-    lw      $T2,8($UKEY)
-    lw      $T3,12($UKEY)
-    lw      $T4,16($UKEY)
-    lw      $T5,20($UKEY)
-    lw      $T6,24($UKEY)
-    lw      $T7,28($UKEY)
-
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-    # see the comment in ke128dec
-    # BITS and T8 are temp variables
-    # BITS are not used anymore
-    @{[invm4 $T8,$BITS,$T4]}
-    sw      $T8,16($KEYP)
-    @{[invm4 $T8,$BITS,$T5]}
-    sw      $T8,20($KEYP)
-    @{[invm4 $T8,$BITS,$T6]}
-    sw      $T8,24($KEYP)
-    @{[invm4 $T8,$BITS,$T7]}
-    sw      $T8,28($KEYP)
-___
-    while($rnum < 7) {
-$ret .= <<___;
-    # see the comment in ke128enc
-    li      $T8,$rcon[$rnum]
-    xor     $T0,$T0,$T8
-___
-        # right rotate by 8
-        if ($zbkb) {
-$ret .= <<___;
-    @{[rori    $T8,$T7,8]}
-___
-        } else {
-$ret .= <<___;
-    srli    $T8,$T7,8
-    slli    $BITS,$T7,24
-    or      $T8,$T8,$BITS
-___
-        }
-$ret .= <<___;
-    @{[fwdsbox4 $T0,$T8]}
-    xor     $T1,$T1,$T0
-    xor     $T2,$T2,$T1
-    xor     $T3,$T3,$T2
-
-    add     $KEYP,$KEYP,32
-___
-        if ($rnum < 6) {
-$ret .= <<___;
-    # for aes256, T3->T4 needs 4sbox but no rotate/rcon
-    @{[fwdsbox4 $T4,$T3]}
-    xor     $T5,$T5,$T4
-    xor     $T6,$T6,$T5
-    xor     $T7,$T7,$T6
-
-    # see the comment in ke128dec
-    # T8 and BITS are temp variables
-    @{[invm4 $T8,$BITS,$T0]}
-    sw      $T8,0($KEYP)
-    @{[invm4 $T8,$BITS,$T1]}
-    sw      $T8,4($KEYP)
-    @{[invm4 $T8,$BITS,$T2]}
-    sw      $T8,8($KEYP)
-    @{[invm4 $T8,$BITS,$T3]}
-    sw      $T8,12($KEYP)
-    @{[invm4 $T8,$BITS,$T4]}
-    sw      $T8,16($KEYP)
-    @{[invm4 $T8,$BITS,$T5]}
-    sw      $T8,20($KEYP)
-    @{[invm4 $T8,$BITS,$T6]}
-    sw      $T8,24($KEYP)
-    @{[invm4 $T8,$BITS,$T7]}
-    sw      $T8,28($KEYP)
-___
-        } else {
-$ret .= <<___;
-    sw      $T0,0($KEYP)
-    sw      $T1,4($KEYP)
-    sw      $T2,8($KEYP)
-    sw      $T3,12($KEYP)
-    # last 16 bytes are dropped
-    # see the comment in ke256enc
-___
-        }
-        $rnum++;
-    }
-    return $ret;
-}
-
-################################################################################
-# void rv32i_zknd_zkne_set_decrypt_key(const unsigned char *userKey, const int bits,
-#   AES_KEY *key)
-################################################################################
-# a note on naming: set_decrypt_key needs aes32esi thus add zkne on name
-$code .= <<___;
-.text
-.balign 16
-.globl rv32i_zknd_zkne_set_decrypt_key
-.type   rv32i_zknd_zkne_set_decrypt_key,\@function
-rv32i_zknd_zkne_set_decrypt_key:
-___
-$code .= save_regs();
-$code .= AES_set_common(ke128dec(0), ke192dec(0),ke256dec(0));
-$code .= load_regs();
-$code .= <<___;
-    ret
-___
-
-################################################################################
-# void rv32i_zbkb_zknd_zkne_set_decrypt_key(const unsigned char *userKey,
-#   const int bits, AES_KEY *key)
-################################################################################
-$code .= <<___;
-.text
-.balign 16
-.globl rv32i_zbkb_zknd_zkne_set_decrypt_key
-.type rv32i_zbkb_zknd_zkne_set_decrypt_key,\@function
-rv32i_zbkb_zknd_zkne_set_decrypt_key:
-___
-
-$code .= save_regs();
-$code .= AES_set_common(ke128dec(1), ke192dec(1),ke256dec(1));
-$code .= load_regs();
-$code .= <<___;
-    ret
-___
-
-
-
-print $code;
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 2378
libs/openssl/crypto/aes/asm/bsaes-armv8.pl

@@ -1,2378 +0,0 @@
-#!/usr/bin/env perl
-# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-use strict;
-
-my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-my $xlate;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1;
-( $xlate="${dir}arm-xlate.pl" and -f $xlate  ) or
-( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate ) or
-die "can't locate arm-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour $output";
-*STDOUT=*OUT;
-
-my $code = data();
-print $code;
-
-close STDOUT or die "error closing STDOUT: $!"; # enforce flush
-
-sub data
-{
-    local $/;
-    return <DATA>;
-}
-
-__END__
-// Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
-//
-// Licensed under the OpenSSL license (the "License").  You may not use
-// this file except in compliance with the License.  You can obtain a copy
-// in the file LICENSE in the source distribution or at
-// https://www.openssl.org/source/license.html
-//
-// ====================================================================
-// Written by Ben Avison <[email protected]> for the OpenSSL
-// project. Rights for redistribution and usage in source and binary
-// forms are granted according to the OpenSSL license.
-// ====================================================================
-//
-// This implementation is a translation of bsaes-armv7 for AArch64.
-// No attempt has been made to carry across the build switches for
-// kernel targets, since the Linux kernel crypto support has moved on
-// from when it was based on OpenSSL.
-
-// A lot of hand-scheduling has been performed. Consequently, this code
-// doesn't factor out neatly into macros in the same way that the
-// AArch32 version did, and there is little to be gained by wrapping it
-// up in Perl, and it is presented as pure assembly.
-
-
-#include "crypto/arm_arch.h"
-
-.text
-
-.extern AES_cbc_encrypt
-.extern AES_encrypt
-.extern AES_decrypt
-
-.type   _bsaes_decrypt8,%function
-.align  4
-// On entry:
-//   x9 -> key (previously expanded using _bsaes_key_convert)
-//   x10 = number of rounds
-//   v0-v7 input data
-// On exit:
-//   x9-x11 corrupted
-//   other general-purpose registers preserved
-//   v0-v7 output data
-//   v11-v15 preserved
-//   other SIMD registers corrupted
-_bsaes_decrypt8:
-        ldr     q8, [x9], #16
-        adr     x11, .LM0ISR
-        movi    v9.16b, #0x55
-        ldr     q10, [x11], #16
-        movi    v16.16b, #0x33
-        movi    v17.16b, #0x0f
-        sub     x10, x10, #1
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v1.16b, v1.16b, v8.16b
-        eor     v2.16b, v2.16b, v8.16b
-        eor     v4.16b, v4.16b, v8.16b
-        eor     v3.16b, v3.16b, v8.16b
-        eor     v5.16b, v5.16b, v8.16b
-        tbl     v0.16b, {v0.16b}, v10.16b
-        tbl     v1.16b, {v1.16b}, v10.16b
-        tbl     v2.16b, {v2.16b}, v10.16b
-        tbl     v4.16b, {v4.16b}, v10.16b
-        eor     v6.16b, v6.16b, v8.16b
-        eor     v7.16b, v7.16b, v8.16b
-        tbl     v3.16b, {v3.16b}, v10.16b
-        tbl     v5.16b, {v5.16b}, v10.16b
-        tbl     v6.16b, {v6.16b}, v10.16b
-        ushr    v8.2d, v0.2d, #1
-        tbl     v7.16b, {v7.16b}, v10.16b
-        ushr    v10.2d, v4.2d, #1
-        ushr    v18.2d, v2.2d, #1
-        eor     v8.16b, v8.16b, v1.16b
-        ushr    v19.2d, v6.2d, #1
-        eor     v10.16b, v10.16b, v5.16b
-        eor     v18.16b, v18.16b, v3.16b
-        and     v8.16b, v8.16b, v9.16b
-        eor     v19.16b, v19.16b, v7.16b
-        and     v10.16b, v10.16b, v9.16b
-        and     v18.16b, v18.16b, v9.16b
-        eor     v1.16b, v1.16b, v8.16b
-        shl     v8.2d, v8.2d, #1
-        and     v9.16b, v19.16b, v9.16b
-        eor     v5.16b, v5.16b, v10.16b
-        shl     v10.2d, v10.2d, #1
-        eor     v3.16b, v3.16b, v18.16b
-        shl     v18.2d, v18.2d, #1
-        eor     v0.16b, v0.16b, v8.16b
-        shl     v8.2d, v9.2d, #1
-        eor     v7.16b, v7.16b, v9.16b
-        eor     v4.16b, v4.16b, v10.16b
-        eor     v2.16b, v2.16b, v18.16b
-        ushr    v9.2d, v1.2d, #2
-        eor     v6.16b, v6.16b, v8.16b
-        ushr    v8.2d, v0.2d, #2
-        ushr    v10.2d, v5.2d, #2
-        ushr    v18.2d, v4.2d, #2
-        eor     v9.16b, v9.16b, v3.16b
-        eor     v8.16b, v8.16b, v2.16b
-        eor     v10.16b, v10.16b, v7.16b
-        eor     v18.16b, v18.16b, v6.16b
-        and     v9.16b, v9.16b, v16.16b
-        and     v8.16b, v8.16b, v16.16b
-        and     v10.16b, v10.16b, v16.16b
-        and     v16.16b, v18.16b, v16.16b
-        eor     v3.16b, v3.16b, v9.16b
-        shl     v9.2d, v9.2d, #2
-        eor     v2.16b, v2.16b, v8.16b
-        shl     v8.2d, v8.2d, #2
-        eor     v7.16b, v7.16b, v10.16b
-        shl     v10.2d, v10.2d, #2
-        eor     v6.16b, v6.16b, v16.16b
-        shl     v16.2d, v16.2d, #2
-        eor     v1.16b, v1.16b, v9.16b
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v5.16b, v5.16b, v10.16b
-        eor     v4.16b, v4.16b, v16.16b
-        ushr    v8.2d, v3.2d, #4
-        ushr    v9.2d, v2.2d, #4
-        ushr    v10.2d, v1.2d, #4
-        ushr    v16.2d, v0.2d, #4
-        eor     v8.16b, v8.16b, v7.16b
-        eor     v9.16b, v9.16b, v6.16b
-        eor     v10.16b, v10.16b, v5.16b
-        eor     v16.16b, v16.16b, v4.16b
-        and     v8.16b, v8.16b, v17.16b
-        and     v9.16b, v9.16b, v17.16b
-        and     v10.16b, v10.16b, v17.16b
-        and     v16.16b, v16.16b, v17.16b
-        eor     v7.16b, v7.16b, v8.16b
-        shl     v8.2d, v8.2d, #4
-        eor     v6.16b, v6.16b, v9.16b
-        shl     v9.2d, v9.2d, #4
-        eor     v5.16b, v5.16b, v10.16b
-        shl     v10.2d, v10.2d, #4
-        eor     v4.16b, v4.16b, v16.16b
-        shl     v16.2d, v16.2d, #4
-        eor     v3.16b, v3.16b, v8.16b
-        eor     v2.16b, v2.16b, v9.16b
-        eor     v1.16b, v1.16b, v10.16b
-        eor     v0.16b, v0.16b, v16.16b
-        b       .Ldec_sbox
-.align  4
-.Ldec_loop:
-        ld1     {v16.16b, v17.16b, v18.16b, v19.16b}, [x9], #64
-        ldp     q8, q9, [x9], #32
-        eor     v0.16b, v16.16b, v0.16b
-        ldr     q10, [x9], #16
-        eor     v1.16b, v17.16b, v1.16b
-        ldr     q16, [x9], #16
-        eor     v2.16b, v18.16b, v2.16b
-        eor     v3.16b, v19.16b, v3.16b
-        eor     v4.16b, v8.16b, v4.16b
-        eor     v5.16b, v9.16b, v5.16b
-        eor     v6.16b, v10.16b, v6.16b
-        eor     v7.16b, v16.16b, v7.16b
-        tbl     v0.16b, {v0.16b}, v28.16b
-        tbl     v1.16b, {v1.16b}, v28.16b
-        tbl     v2.16b, {v2.16b}, v28.16b
-        tbl     v3.16b, {v3.16b}, v28.16b
-        tbl     v4.16b, {v4.16b}, v28.16b
-        tbl     v5.16b, {v5.16b}, v28.16b
-        tbl     v6.16b, {v6.16b}, v28.16b
-        tbl     v7.16b, {v7.16b}, v28.16b
-.Ldec_sbox:
-        eor     v1.16b, v1.16b, v4.16b
-        eor     v3.16b, v3.16b, v4.16b
-        subs    x10, x10, #1
-        eor     v4.16b, v4.16b, v7.16b
-        eor     v2.16b, v2.16b, v7.16b
-        eor     v1.16b, v1.16b, v6.16b
-        eor     v6.16b, v6.16b, v4.16b
-        eor     v2.16b, v2.16b, v5.16b
-        eor     v0.16b, v0.16b, v1.16b
-        eor     v7.16b, v7.16b, v6.16b
-        eor     v8.16b, v6.16b, v2.16b
-        and     v9.16b, v4.16b, v6.16b
-        eor     v10.16b, v2.16b, v6.16b
-        eor     v3.16b, v3.16b, v0.16b
-        eor     v5.16b, v5.16b, v0.16b
-        eor     v16.16b, v7.16b, v4.16b
-        eor     v17.16b, v4.16b, v0.16b
-        and     v18.16b, v0.16b, v2.16b
-        eor     v19.16b, v7.16b, v4.16b
-        eor     v1.16b, v1.16b, v3.16b
-        eor     v20.16b, v3.16b, v0.16b
-        eor     v21.16b, v5.16b, v2.16b
-        eor     v22.16b, v3.16b, v7.16b
-        and     v8.16b, v17.16b, v8.16b
-        orr     v17.16b, v3.16b, v5.16b
-        eor     v23.16b, v1.16b, v6.16b
-        eor     v24.16b, v20.16b, v16.16b
-        eor     v25.16b, v1.16b, v5.16b
-        orr     v26.16b, v20.16b, v21.16b
-        and     v20.16b, v20.16b, v21.16b
-        and     v27.16b, v7.16b, v1.16b
-        eor     v21.16b, v21.16b, v23.16b
-        orr     v28.16b, v16.16b, v23.16b
-        orr     v29.16b, v22.16b, v25.16b
-        eor     v26.16b, v26.16b, v8.16b
-        and     v16.16b, v16.16b, v23.16b
-        and     v22.16b, v22.16b, v25.16b
-        and     v21.16b, v24.16b, v21.16b
-        eor     v8.16b, v28.16b, v8.16b
-        eor     v23.16b, v5.16b, v2.16b
-        eor     v24.16b, v1.16b, v6.16b
-        eor     v16.16b, v16.16b, v22.16b
-        eor     v22.16b, v3.16b, v0.16b
-        eor     v25.16b, v29.16b, v21.16b
-        eor     v21.16b, v26.16b, v21.16b
-        eor     v8.16b, v8.16b, v20.16b
-        eor     v26.16b, v23.16b, v24.16b
-        eor     v16.16b, v16.16b, v20.16b
-        eor     v28.16b, v22.16b, v19.16b
-        eor     v20.16b, v25.16b, v20.16b
-        eor     v9.16b, v21.16b, v9.16b
-        eor     v8.16b, v8.16b, v18.16b
-        eor     v18.16b, v5.16b, v1.16b
-        eor     v21.16b, v16.16b, v17.16b
-        eor     v16.16b, v16.16b, v17.16b
-        eor     v17.16b, v20.16b, v27.16b
-        eor     v20.16b, v3.16b, v7.16b
-        eor     v25.16b, v9.16b, v8.16b
-        eor     v27.16b, v0.16b, v4.16b
-        and     v29.16b, v9.16b, v17.16b
-        eor     v30.16b, v8.16b, v29.16b
-        eor     v31.16b, v21.16b, v29.16b
-        eor     v29.16b, v21.16b, v29.16b
-        bsl     v30.16b, v17.16b, v21.16b
-        bsl     v31.16b, v9.16b, v8.16b
-        bsl     v16.16b, v30.16b, v29.16b
-        bsl     v21.16b, v29.16b, v30.16b
-        eor     v8.16b, v31.16b, v30.16b
-        and     v1.16b, v1.16b, v31.16b
-        and     v9.16b, v16.16b, v31.16b
-        and     v6.16b, v6.16b, v30.16b
-        eor     v16.16b, v17.16b, v21.16b
-        and     v4.16b, v4.16b, v30.16b
-        eor     v17.16b, v8.16b, v30.16b
-        and     v21.16b, v24.16b, v8.16b
-        eor     v9.16b, v9.16b, v25.16b
-        and     v19.16b, v19.16b, v8.16b
-        eor     v24.16b, v30.16b, v16.16b
-        eor     v25.16b, v30.16b, v16.16b
-        and     v7.16b, v7.16b, v17.16b
-        and     v10.16b, v10.16b, v16.16b
-        eor     v29.16b, v9.16b, v16.16b
-        eor     v30.16b, v31.16b, v9.16b
-        and     v0.16b, v24.16b, v0.16b
-        and     v9.16b, v18.16b, v9.16b
-        and     v2.16b, v25.16b, v2.16b
-        eor     v10.16b, v10.16b, v6.16b
-        eor     v18.16b, v29.16b, v16.16b
-        and     v5.16b, v30.16b, v5.16b
-        eor     v24.16b, v8.16b, v29.16b
-        and     v25.16b, v26.16b, v29.16b
-        and     v26.16b, v28.16b, v29.16b
-        eor     v8.16b, v8.16b, v29.16b
-        eor     v17.16b, v17.16b, v18.16b
-        eor     v5.16b, v1.16b, v5.16b
-        and     v23.16b, v24.16b, v23.16b
-        eor     v21.16b, v21.16b, v25.16b
-        eor     v19.16b, v19.16b, v26.16b
-        eor     v0.16b, v4.16b, v0.16b
-        and     v3.16b, v17.16b, v3.16b
-        eor     v1.16b, v9.16b, v1.16b
-        eor     v9.16b, v25.16b, v23.16b
-        eor     v5.16b, v5.16b, v21.16b
-        eor     v2.16b, v6.16b, v2.16b
-        and     v6.16b, v8.16b, v22.16b
-        eor     v3.16b, v7.16b, v3.16b
-        and     v8.16b, v20.16b, v18.16b
-        eor     v10.16b, v10.16b, v9.16b
-        eor     v0.16b, v0.16b, v19.16b
-        eor     v9.16b, v1.16b, v9.16b
-        eor     v1.16b, v2.16b, v21.16b
-        eor     v3.16b, v3.16b, v19.16b
-        and     v16.16b, v27.16b, v16.16b
-        eor     v17.16b, v26.16b, v6.16b
-        eor     v6.16b, v8.16b, v7.16b
-        eor     v7.16b, v1.16b, v9.16b
-        eor     v1.16b, v5.16b, v3.16b
-        eor     v2.16b, v10.16b, v3.16b
-        eor     v4.16b, v16.16b, v4.16b
-        eor     v8.16b, v6.16b, v17.16b
-        eor     v5.16b, v9.16b, v3.16b
-        eor     v9.16b, v0.16b, v1.16b
-        eor     v6.16b, v7.16b, v1.16b
-        eor     v0.16b, v4.16b, v17.16b
-        eor     v4.16b, v8.16b, v7.16b
-        eor     v7.16b, v9.16b, v2.16b
-        eor     v8.16b, v3.16b, v0.16b
-        eor     v7.16b, v7.16b, v5.16b
-        eor     v3.16b, v4.16b, v7.16b
-        eor     v4.16b, v7.16b, v0.16b
-        eor     v7.16b, v8.16b, v3.16b
-        bcc     .Ldec_done
-        ext     v8.16b, v0.16b, v0.16b, #8
-        ext     v9.16b, v1.16b, v1.16b, #8
-        ldr     q28, [x11]                  // load from .LISR in common case (x10 > 0)
-        ext     v10.16b, v6.16b, v6.16b, #8
-        ext     v16.16b, v3.16b, v3.16b, #8
-        ext     v17.16b, v5.16b, v5.16b, #8
-        ext     v18.16b, v4.16b, v4.16b, #8
-        eor     v8.16b, v8.16b, v0.16b
-        eor     v9.16b, v9.16b, v1.16b
-        eor     v10.16b, v10.16b, v6.16b
-        eor     v16.16b, v16.16b, v3.16b
-        eor     v17.16b, v17.16b, v5.16b
-        ext     v19.16b, v2.16b, v2.16b, #8
-        ext     v20.16b, v7.16b, v7.16b, #8
-        eor     v18.16b, v18.16b, v4.16b
-        eor     v6.16b, v6.16b, v8.16b
-        eor     v8.16b, v2.16b, v10.16b
-        eor     v4.16b, v4.16b, v9.16b
-        eor     v2.16b, v19.16b, v2.16b
-        eor     v9.16b, v20.16b, v7.16b
-        eor     v0.16b, v0.16b, v16.16b
-        eor     v1.16b, v1.16b, v16.16b
-        eor     v6.16b, v6.16b, v17.16b
-        eor     v8.16b, v8.16b, v16.16b
-        eor     v7.16b, v7.16b, v18.16b
-        eor     v4.16b, v4.16b, v16.16b
-        eor     v2.16b, v3.16b, v2.16b
-        eor     v1.16b, v1.16b, v17.16b
-        eor     v3.16b, v5.16b, v9.16b
-        eor     v5.16b, v8.16b, v17.16b
-        eor     v7.16b, v7.16b, v17.16b
-        ext     v8.16b, v0.16b, v0.16b, #12
-        ext     v9.16b, v6.16b, v6.16b, #12
-        ext     v10.16b, v4.16b, v4.16b, #12
-        ext     v16.16b, v1.16b, v1.16b, #12
-        ext     v17.16b, v5.16b, v5.16b, #12
-        ext     v18.16b, v7.16b, v7.16b, #12
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v6.16b, v6.16b, v9.16b
-        eor     v4.16b, v4.16b, v10.16b
-        ext     v19.16b, v2.16b, v2.16b, #12
-        ext     v20.16b, v3.16b, v3.16b, #12
-        eor     v1.16b, v1.16b, v16.16b
-        eor     v5.16b, v5.16b, v17.16b
-        eor     v7.16b, v7.16b, v18.16b
-        eor     v2.16b, v2.16b, v19.16b
-        eor     v16.16b, v16.16b, v0.16b
-        eor     v3.16b, v3.16b, v20.16b
-        eor     v17.16b, v17.16b, v4.16b
-        eor     v10.16b, v10.16b, v6.16b
-        ext     v0.16b, v0.16b, v0.16b, #8
-        eor     v9.16b, v9.16b, v1.16b
-        ext     v1.16b, v1.16b, v1.16b, #8
-        eor     v8.16b, v8.16b, v3.16b
-        eor     v16.16b, v16.16b, v3.16b
-        eor     v18.16b, v18.16b, v5.16b
-        eor     v19.16b, v19.16b, v7.16b
-        ext     v21.16b, v5.16b, v5.16b, #8
-        ext     v5.16b, v7.16b, v7.16b, #8
-        eor     v7.16b, v20.16b, v2.16b
-        ext     v4.16b, v4.16b, v4.16b, #8
-        ext     v20.16b, v3.16b, v3.16b, #8
-        eor     v17.16b, v17.16b, v3.16b
-        ext     v2.16b, v2.16b, v2.16b, #8
-        eor     v3.16b, v10.16b, v3.16b
-        ext     v10.16b, v6.16b, v6.16b, #8
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v1.16b, v1.16b, v16.16b
-        eor     v5.16b, v5.16b, v18.16b
-        eor     v3.16b, v3.16b, v4.16b
-        eor     v7.16b, v20.16b, v7.16b
-        eor     v6.16b, v2.16b, v19.16b
-        eor     v4.16b, v21.16b, v17.16b
-        eor     v2.16b, v10.16b, v9.16b
-        bne     .Ldec_loop
-        ldr     q28, [x11, #16]!            // load from .LISRM0 on last round (x10 == 0)
-        b       .Ldec_loop
-.align  4
-.Ldec_done:
-        ushr    v8.2d, v0.2d, #1
-        movi    v9.16b, #0x55
-        ldr     q10, [x9]
-        ushr    v16.2d, v2.2d, #1
-        movi    v17.16b, #0x33
-        ushr    v18.2d, v6.2d, #1
-        movi    v19.16b, #0x0f
-        eor     v8.16b, v8.16b, v1.16b
-        ushr    v20.2d, v3.2d, #1
-        eor     v16.16b, v16.16b, v7.16b
-        eor     v18.16b, v18.16b, v4.16b
-        and     v8.16b, v8.16b, v9.16b
-        eor     v20.16b, v20.16b, v5.16b
-        and     v16.16b, v16.16b, v9.16b
-        and     v18.16b, v18.16b, v9.16b
-        shl     v21.2d, v8.2d, #1
-        eor     v1.16b, v1.16b, v8.16b
-        and     v8.16b, v20.16b, v9.16b
-        eor     v7.16b, v7.16b, v16.16b
-        shl     v9.2d, v16.2d, #1
-        eor     v4.16b, v4.16b, v18.16b
-        shl     v16.2d, v18.2d, #1
-        eor     v0.16b, v0.16b, v21.16b
-        shl     v18.2d, v8.2d, #1
-        eor     v5.16b, v5.16b, v8.16b
-        eor     v2.16b, v2.16b, v9.16b
-        eor     v6.16b, v6.16b, v16.16b
-        ushr    v8.2d, v1.2d, #2
-        eor     v3.16b, v3.16b, v18.16b
-        ushr    v9.2d, v0.2d, #2
-        ushr    v16.2d, v7.2d, #2
-        ushr    v18.2d, v2.2d, #2
-        eor     v8.16b, v8.16b, v4.16b
-        eor     v9.16b, v9.16b, v6.16b
-        eor     v16.16b, v16.16b, v5.16b
-        eor     v18.16b, v18.16b, v3.16b
-        and     v8.16b, v8.16b, v17.16b
-        and     v9.16b, v9.16b, v17.16b
-        and     v16.16b, v16.16b, v17.16b
-        and     v17.16b, v18.16b, v17.16b
-        eor     v4.16b, v4.16b, v8.16b
-        shl     v8.2d, v8.2d, #2
-        eor     v6.16b, v6.16b, v9.16b
-        shl     v9.2d, v9.2d, #2
-        eor     v5.16b, v5.16b, v16.16b
-        shl     v16.2d, v16.2d, #2
-        eor     v3.16b, v3.16b, v17.16b
-        shl     v17.2d, v17.2d, #2
-        eor     v1.16b, v1.16b, v8.16b
-        eor     v0.16b, v0.16b, v9.16b
-        eor     v7.16b, v7.16b, v16.16b
-        eor     v2.16b, v2.16b, v17.16b
-        ushr    v8.2d, v4.2d, #4
-        ushr    v9.2d, v6.2d, #4
-        ushr    v16.2d, v1.2d, #4
-        ushr    v17.2d, v0.2d, #4
-        eor     v8.16b, v8.16b, v5.16b
-        eor     v9.16b, v9.16b, v3.16b
-        eor     v16.16b, v16.16b, v7.16b
-        eor     v17.16b, v17.16b, v2.16b
-        and     v8.16b, v8.16b, v19.16b
-        and     v9.16b, v9.16b, v19.16b
-        and     v16.16b, v16.16b, v19.16b
-        and     v17.16b, v17.16b, v19.16b
-        eor     v5.16b, v5.16b, v8.16b
-        shl     v8.2d, v8.2d, #4
-        eor     v3.16b, v3.16b, v9.16b
-        shl     v9.2d, v9.2d, #4
-        eor     v7.16b, v7.16b, v16.16b
-        shl     v16.2d, v16.2d, #4
-        eor     v2.16b, v2.16b, v17.16b
-        shl     v17.2d, v17.2d, #4
-        eor     v4.16b, v4.16b, v8.16b
-        eor     v6.16b, v6.16b, v9.16b
-        eor     v7.16b, v7.16b, v10.16b
-        eor     v1.16b, v1.16b, v16.16b
-        eor     v2.16b, v2.16b, v10.16b
-        eor     v0.16b, v0.16b, v17.16b
-        eor     v4.16b, v4.16b, v10.16b
-        eor     v6.16b, v6.16b, v10.16b
-        eor     v3.16b, v3.16b, v10.16b
-        eor     v5.16b, v5.16b, v10.16b
-        eor     v1.16b, v1.16b, v10.16b
-        eor     v0.16b, v0.16b, v10.16b
-        ret
-.size   _bsaes_decrypt8,.-_bsaes_decrypt8
-
-.type   _bsaes_const,%object
-.align  6
-_bsaes_const:
-// InvShiftRows constants
-// Used in _bsaes_decrypt8, which assumes contiguity
-// .LM0ISR used with round 0 key
-// .LISR   used with middle round keys
-// .LISRM0 used with final round key
-.LM0ISR:
-.quad   0x0a0e0206070b0f03, 0x0004080c0d010509
-.LISR:
-.quad   0x0504070602010003, 0x0f0e0d0c080b0a09
-.LISRM0:
-.quad   0x01040b0e0205080f, 0x0306090c00070a0d
-
-// ShiftRows constants
-// Used in _bsaes_encrypt8, which assumes contiguity
-// .LM0SR used with round 0 key
-// .LSR   used with middle round keys
-// .LSRM0 used with final round key
-.LM0SR:
-.quad   0x0a0e02060f03070b, 0x0004080c05090d01
-.LSR:
-.quad   0x0504070600030201, 0x0f0e0d0c0a09080b
-.LSRM0:
-.quad   0x0304090e00050a0f, 0x01060b0c0207080d
-
-.LM0_bigendian:
-.quad   0x02060a0e03070b0f, 0x0004080c0105090d
-.LM0_littleendian:
-.quad   0x0105090d0004080c, 0x03070b0f02060a0e
-
-// Used in ossl_bsaes_ctr32_encrypt_blocks, prior to dropping into
-// _bsaes_encrypt8_alt, for round 0 key in place of .LM0SR
-.LREVM0SR:
-.quad   0x090d01050c000408, 0x03070b0f060a0e02
-
-.align  6
-.size   _bsaes_const,.-_bsaes_const
-
-.type   _bsaes_encrypt8,%function
-.align  4
-// On entry:
-//   x9 -> key (previously expanded using _bsaes_key_convert)
-//   x10 = number of rounds
-//   v0-v7 input data
-// On exit:
-//   x9-x11 corrupted
-//   other general-purpose registers preserved
-//   v0-v7 output data
-//   v11-v15 preserved
-//   other SIMD registers corrupted
-_bsaes_encrypt8:
-        ldr     q8, [x9], #16
-        adr     x11, .LM0SR
-        ldr     q9, [x11], #16
-_bsaes_encrypt8_alt:
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v1.16b, v1.16b, v8.16b
-        sub     x10, x10, #1
-        eor     v2.16b, v2.16b, v8.16b
-        eor     v4.16b, v4.16b, v8.16b
-        eor     v3.16b, v3.16b, v8.16b
-        eor     v5.16b, v5.16b, v8.16b
-        tbl     v0.16b, {v0.16b}, v9.16b
-        tbl     v1.16b, {v1.16b}, v9.16b
-        tbl     v2.16b, {v2.16b}, v9.16b
-        tbl     v4.16b, {v4.16b}, v9.16b
-        eor     v6.16b, v6.16b, v8.16b
-        eor     v7.16b, v7.16b, v8.16b
-        tbl     v3.16b, {v3.16b}, v9.16b
-        tbl     v5.16b, {v5.16b}, v9.16b
-        tbl     v6.16b, {v6.16b}, v9.16b
-        ushr    v8.2d, v0.2d, #1
-        movi    v10.16b, #0x55
-        tbl     v7.16b, {v7.16b}, v9.16b
-        ushr    v9.2d, v4.2d, #1
-        movi    v16.16b, #0x33
-        ushr    v17.2d, v2.2d, #1
-        eor     v8.16b, v8.16b, v1.16b
-        movi    v18.16b, #0x0f
-        ushr    v19.2d, v6.2d, #1
-        eor     v9.16b, v9.16b, v5.16b
-        eor     v17.16b, v17.16b, v3.16b
-        and     v8.16b, v8.16b, v10.16b
-        eor     v19.16b, v19.16b, v7.16b
-        and     v9.16b, v9.16b, v10.16b
-        and     v17.16b, v17.16b, v10.16b
-        eor     v1.16b, v1.16b, v8.16b
-        shl     v8.2d, v8.2d, #1
-        and     v10.16b, v19.16b, v10.16b
-        eor     v5.16b, v5.16b, v9.16b
-        shl     v9.2d, v9.2d, #1
-        eor     v3.16b, v3.16b, v17.16b
-        shl     v17.2d, v17.2d, #1
-        eor     v0.16b, v0.16b, v8.16b
-        shl     v8.2d, v10.2d, #1
-        eor     v7.16b, v7.16b, v10.16b
-        eor     v4.16b, v4.16b, v9.16b
-        eor     v2.16b, v2.16b, v17.16b
-        ushr    v9.2d, v1.2d, #2
-        eor     v6.16b, v6.16b, v8.16b
-        ushr    v8.2d, v0.2d, #2
-        ushr    v10.2d, v5.2d, #2
-        ushr    v17.2d, v4.2d, #2
-        eor     v9.16b, v9.16b, v3.16b
-        eor     v8.16b, v8.16b, v2.16b
-        eor     v10.16b, v10.16b, v7.16b
-        eor     v17.16b, v17.16b, v6.16b
-        and     v9.16b, v9.16b, v16.16b
-        and     v8.16b, v8.16b, v16.16b
-        and     v10.16b, v10.16b, v16.16b
-        and     v16.16b, v17.16b, v16.16b
-        eor     v3.16b, v3.16b, v9.16b
-        shl     v9.2d, v9.2d, #2
-        eor     v2.16b, v2.16b, v8.16b
-        shl     v8.2d, v8.2d, #2
-        eor     v7.16b, v7.16b, v10.16b
-        shl     v10.2d, v10.2d, #2
-        eor     v6.16b, v6.16b, v16.16b
-        shl     v16.2d, v16.2d, #2
-        eor     v1.16b, v1.16b, v9.16b
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v5.16b, v5.16b, v10.16b
-        eor     v4.16b, v4.16b, v16.16b
-        ushr    v8.2d, v3.2d, #4
-        ushr    v9.2d, v2.2d, #4
-        ushr    v10.2d, v1.2d, #4
-        ushr    v16.2d, v0.2d, #4
-        eor     v8.16b, v8.16b, v7.16b
-        eor     v9.16b, v9.16b, v6.16b
-        eor     v10.16b, v10.16b, v5.16b
-        eor     v16.16b, v16.16b, v4.16b
-        and     v8.16b, v8.16b, v18.16b
-        and     v9.16b, v9.16b, v18.16b
-        and     v10.16b, v10.16b, v18.16b
-        and     v16.16b, v16.16b, v18.16b
-        eor     v7.16b, v7.16b, v8.16b
-        shl     v8.2d, v8.2d, #4
-        eor     v6.16b, v6.16b, v9.16b
-        shl     v9.2d, v9.2d, #4
-        eor     v5.16b, v5.16b, v10.16b
-        shl     v10.2d, v10.2d, #4
-        eor     v4.16b, v4.16b, v16.16b
-        shl     v16.2d, v16.2d, #4
-        eor     v3.16b, v3.16b, v8.16b
-        eor     v2.16b, v2.16b, v9.16b
-        eor     v1.16b, v1.16b, v10.16b
-        eor     v0.16b, v0.16b, v16.16b
-        b       .Lenc_sbox
-.align  4
-.Lenc_loop:
-        ld1     {v16.16b, v17.16b, v18.16b, v19.16b}, [x9], #64
-        ldp     q8, q9, [x9], #32
-        eor     v0.16b, v16.16b, v0.16b
-        ldr     q10, [x9], #16
-        eor     v1.16b, v17.16b, v1.16b
-        ldr     q16, [x9], #16
-        eor     v2.16b, v18.16b, v2.16b
-        eor     v3.16b, v19.16b, v3.16b
-        eor     v4.16b, v8.16b, v4.16b
-        eor     v5.16b, v9.16b, v5.16b
-        eor     v6.16b, v10.16b, v6.16b
-        eor     v7.16b, v16.16b, v7.16b
-        tbl     v0.16b, {v0.16b}, v28.16b
-        tbl     v1.16b, {v1.16b}, v28.16b
-        tbl     v2.16b, {v2.16b}, v28.16b
-        tbl     v3.16b, {v3.16b}, v28.16b
-        tbl     v4.16b, {v4.16b}, v28.16b
-        tbl     v5.16b, {v5.16b}, v28.16b
-        tbl     v6.16b, {v6.16b}, v28.16b
-        tbl     v7.16b, {v7.16b}, v28.16b
-.Lenc_sbox:
-        eor     v5.16b, v5.16b, v6.16b
-        eor     v3.16b, v3.16b, v0.16b
-        subs    x10, x10, #1
-        eor     v2.16b, v2.16b, v1.16b
-        eor     v5.16b, v5.16b, v0.16b
-        eor     v8.16b, v3.16b, v7.16b
-        eor     v6.16b, v6.16b, v2.16b
-        eor     v7.16b, v7.16b, v5.16b
-        eor     v8.16b, v8.16b, v4.16b
-        eor     v3.16b, v6.16b, v3.16b
-        eor     v4.16b, v4.16b, v5.16b
-        eor     v6.16b, v1.16b, v5.16b
-        eor     v2.16b, v2.16b, v7.16b
-        eor     v1.16b, v8.16b, v1.16b
-        eor     v8.16b, v7.16b, v4.16b
-        eor     v9.16b, v3.16b, v0.16b
-        eor     v10.16b, v7.16b, v6.16b
-        eor     v16.16b, v5.16b, v3.16b
-        eor     v17.16b, v6.16b, v2.16b
-        eor     v18.16b, v5.16b, v1.16b
-        eor     v19.16b, v2.16b, v4.16b
-        eor     v20.16b, v1.16b, v0.16b
-        orr     v21.16b, v8.16b, v9.16b
-        orr     v22.16b, v10.16b, v16.16b
-        eor     v23.16b, v8.16b, v17.16b
-        eor     v24.16b, v9.16b, v18.16b
-        and     v19.16b, v19.16b, v20.16b
-        orr     v20.16b, v17.16b, v18.16b
-        and     v8.16b, v8.16b, v9.16b
-        and     v9.16b, v17.16b, v18.16b
-        and     v17.16b, v23.16b, v24.16b
-        and     v10.16b, v10.16b, v16.16b
-        eor     v16.16b, v21.16b, v19.16b
-        eor     v18.16b, v20.16b, v19.16b
-        and     v19.16b, v2.16b, v1.16b
-        and     v20.16b, v6.16b, v5.16b
-        eor     v21.16b, v22.16b, v17.16b
-        eor     v9.16b, v9.16b, v10.16b
-        eor     v10.16b, v16.16b, v17.16b
-        eor     v16.16b, v18.16b, v8.16b
-        and     v17.16b, v4.16b, v0.16b
-        orr     v18.16b, v7.16b, v3.16b
-        eor     v21.16b, v21.16b, v8.16b
-        eor     v8.16b, v9.16b, v8.16b
-        eor     v9.16b, v10.16b, v19.16b
-        eor     v10.16b, v3.16b, v0.16b
-        eor     v16.16b, v16.16b, v17.16b
-        eor     v17.16b, v5.16b, v1.16b
-        eor     v19.16b, v21.16b, v20.16b
-        eor     v20.16b, v8.16b, v18.16b
-        eor     v8.16b, v8.16b, v18.16b
-        eor     v18.16b, v7.16b, v4.16b
-        eor     v21.16b, v9.16b, v16.16b
-        eor     v22.16b, v6.16b, v2.16b
-        and     v23.16b, v9.16b, v19.16b
-        eor     v24.16b, v10.16b, v17.16b
-        eor     v25.16b, v0.16b, v1.16b
-        eor     v26.16b, v7.16b, v6.16b
-        eor     v27.16b, v18.16b, v22.16b
-        eor     v28.16b, v3.16b, v5.16b
-        eor     v29.16b, v16.16b, v23.16b
-        eor     v30.16b, v20.16b, v23.16b
-        eor     v23.16b, v20.16b, v23.16b
-        eor     v31.16b, v4.16b, v2.16b
-        bsl     v29.16b, v19.16b, v20.16b
-        bsl     v30.16b, v9.16b, v16.16b
-        bsl     v8.16b, v29.16b, v23.16b
-        bsl     v20.16b, v23.16b, v29.16b
-        eor     v9.16b, v30.16b, v29.16b
-        and     v5.16b, v5.16b, v30.16b
-        and     v8.16b, v8.16b, v30.16b
-        and     v1.16b, v1.16b, v29.16b
-        eor     v16.16b, v19.16b, v20.16b
-        and     v2.16b, v2.16b, v29.16b
-        eor     v19.16b, v9.16b, v29.16b
-        and     v17.16b, v17.16b, v9.16b
-        eor     v8.16b, v8.16b, v21.16b
-        and     v20.16b, v22.16b, v9.16b
-        eor     v21.16b, v29.16b, v16.16b
-        eor     v22.16b, v29.16b, v16.16b
-        and     v23.16b, v25.16b, v16.16b
-        and     v6.16b, v6.16b, v19.16b
-        eor     v25.16b, v8.16b, v16.16b
-        eor     v29.16b, v30.16b, v8.16b
-        and     v4.16b, v21.16b, v4.16b
-        and     v8.16b, v28.16b, v8.16b
-        and     v0.16b, v22.16b, v0.16b
-        eor     v21.16b, v23.16b, v1.16b
-        eor     v22.16b, v9.16b, v25.16b
-        eor     v9.16b, v9.16b, v25.16b
-        eor     v23.16b, v25.16b, v16.16b
-        and     v3.16b, v29.16b, v3.16b
-        and     v24.16b, v24.16b, v25.16b
-        and     v25.16b, v27.16b, v25.16b
-        and     v10.16b, v22.16b, v10.16b
-        and     v9.16b, v9.16b, v18.16b
-        eor     v18.16b, v19.16b, v23.16b
-        and     v19.16b, v26.16b, v23.16b
-        eor     v3.16b, v5.16b, v3.16b
-        eor     v17.16b, v17.16b, v24.16b
-        eor     v10.16b, v24.16b, v10.16b
-        and     v16.16b, v31.16b, v16.16b
-        eor     v20.16b, v20.16b, v25.16b
-        eor     v9.16b, v25.16b, v9.16b
-        eor     v4.16b, v2.16b, v4.16b
-        and     v7.16b, v18.16b, v7.16b
-        eor     v18.16b, v19.16b, v6.16b
-        eor     v5.16b, v8.16b, v5.16b
-        eor     v0.16b, v1.16b, v0.16b
-        eor     v1.16b, v21.16b, v10.16b
-        eor     v8.16b, v3.16b, v17.16b
-        eor     v2.16b, v16.16b, v2.16b
-        eor     v3.16b, v6.16b, v7.16b
-        eor     v6.16b, v18.16b, v9.16b
-        eor     v4.16b, v4.16b, v20.16b
-        eor     v10.16b, v5.16b, v10.16b
-        eor     v0.16b, v0.16b, v17.16b
-        eor     v9.16b, v2.16b, v9.16b
-        eor     v3.16b, v3.16b, v20.16b
-        eor     v7.16b, v6.16b, v1.16b
-        eor     v5.16b, v8.16b, v4.16b
-        eor     v6.16b, v10.16b, v1.16b
-        eor     v2.16b, v4.16b, v0.16b
-        eor     v4.16b, v3.16b, v10.16b
-        eor     v9.16b, v9.16b, v7.16b
-        eor     v3.16b, v0.16b, v5.16b
-        eor     v0.16b, v1.16b, v4.16b
-        eor     v1.16b, v4.16b, v8.16b
-        eor     v4.16b, v9.16b, v5.16b
-        eor     v6.16b, v6.16b, v3.16b
-        bcc     .Lenc_done
-        ext     v8.16b, v0.16b, v0.16b, #12
-        ext     v9.16b, v4.16b, v4.16b, #12
-        ldr     q28, [x11]
-        ext     v10.16b, v6.16b, v6.16b, #12
-        ext     v16.16b, v1.16b, v1.16b, #12
-        ext     v17.16b, v3.16b, v3.16b, #12
-        ext     v18.16b, v7.16b, v7.16b, #12
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v4.16b, v4.16b, v9.16b
-        eor     v6.16b, v6.16b, v10.16b
-        ext     v19.16b, v2.16b, v2.16b, #12
-        ext     v20.16b, v5.16b, v5.16b, #12
-        eor     v1.16b, v1.16b, v16.16b
-        eor     v3.16b, v3.16b, v17.16b
-        eor     v7.16b, v7.16b, v18.16b
-        eor     v2.16b, v2.16b, v19.16b
-        eor     v16.16b, v16.16b, v0.16b
-        eor     v5.16b, v5.16b, v20.16b
-        eor     v17.16b, v17.16b, v6.16b
-        eor     v10.16b, v10.16b, v4.16b
-        ext     v0.16b, v0.16b, v0.16b, #8
-        eor     v9.16b, v9.16b, v1.16b
-        ext     v1.16b, v1.16b, v1.16b, #8
-        eor     v8.16b, v8.16b, v5.16b
-        eor     v16.16b, v16.16b, v5.16b
-        eor     v18.16b, v18.16b, v3.16b
-        eor     v19.16b, v19.16b, v7.16b
-        ext     v3.16b, v3.16b, v3.16b, #8
-        ext     v7.16b, v7.16b, v7.16b, #8
-        eor     v20.16b, v20.16b, v2.16b
-        ext     v6.16b, v6.16b, v6.16b, #8
-        ext     v21.16b, v5.16b, v5.16b, #8
-        eor     v17.16b, v17.16b, v5.16b
-        ext     v2.16b, v2.16b, v2.16b, #8
-        eor     v10.16b, v10.16b, v5.16b
-        ext     v22.16b, v4.16b, v4.16b, #8
-        eor     v0.16b, v0.16b, v8.16b
-        eor     v1.16b, v1.16b, v16.16b
-        eor     v5.16b, v7.16b, v18.16b
-        eor     v4.16b, v3.16b, v17.16b
-        eor     v3.16b, v6.16b, v10.16b
-        eor     v7.16b, v21.16b, v20.16b
-        eor     v6.16b, v2.16b, v19.16b
-        eor     v2.16b, v22.16b, v9.16b
-        bne     .Lenc_loop
-        ldr     q28, [x11, #16]!            // load from .LSRM0 on last round (x10 == 0)
-        b       .Lenc_loop
-.align  4
-.Lenc_done:
-        ushr    v8.2d, v0.2d, #1
-        movi    v9.16b, #0x55
-        ldr     q10, [x9]
-        ushr    v16.2d, v3.2d, #1
-        movi    v17.16b, #0x33
-        ushr    v18.2d, v4.2d, #1
-        movi    v19.16b, #0x0f
-        eor     v8.16b, v8.16b, v1.16b
-        ushr    v20.2d, v2.2d, #1
-        eor     v16.16b, v16.16b, v7.16b
-        eor     v18.16b, v18.16b, v6.16b
-        and     v8.16b, v8.16b, v9.16b
-        eor     v20.16b, v20.16b, v5.16b
-        and     v16.16b, v16.16b, v9.16b
-        and     v18.16b, v18.16b, v9.16b
-        shl     v21.2d, v8.2d, #1
-        eor     v1.16b, v1.16b, v8.16b
-        and     v8.16b, v20.16b, v9.16b
-        eor     v7.16b, v7.16b, v16.16b
-        shl     v9.2d, v16.2d, #1
-        eor     v6.16b, v6.16b, v18.16b
-        shl     v16.2d, v18.2d, #1
-        eor     v0.16b, v0.16b, v21.16b
-        shl     v18.2d, v8.2d, #1
-        eor     v5.16b, v5.16b, v8.16b
-        eor     v3.16b, v3.16b, v9.16b
-        eor     v4.16b, v4.16b, v16.16b
-        ushr    v8.2d, v1.2d, #2
-        eor     v2.16b, v2.16b, v18.16b
-        ushr    v9.2d, v0.2d, #2
-        ushr    v16.2d, v7.2d, #2
-        ushr    v18.2d, v3.2d, #2
-        eor     v8.16b, v8.16b, v6.16b
-        eor     v9.16b, v9.16b, v4.16b
-        eor     v16.16b, v16.16b, v5.16b
-        eor     v18.16b, v18.16b, v2.16b
-        and     v8.16b, v8.16b, v17.16b
-        and     v9.16b, v9.16b, v17.16b
-        and     v16.16b, v16.16b, v17.16b
-        and     v17.16b, v18.16b, v17.16b
-        eor     v6.16b, v6.16b, v8.16b
-        shl     v8.2d, v8.2d, #2
-        eor     v4.16b, v4.16b, v9.16b
-        shl     v9.2d, v9.2d, #2
-        eor     v5.16b, v5.16b, v16.16b
-        shl     v16.2d, v16.2d, #2
-        eor     v2.16b, v2.16b, v17.16b
-        shl     v17.2d, v17.2d, #2
-        eor     v1.16b, v1.16b, v8.16b
-        eor     v0.16b, v0.16b, v9.16b
-        eor     v7.16b, v7.16b, v16.16b
-        eor     v3.16b, v3.16b, v17.16b
-        ushr    v8.2d, v6.2d, #4
-        ushr    v9.2d, v4.2d, #4
-        ushr    v16.2d, v1.2d, #4
-        ushr    v17.2d, v0.2d, #4
-        eor     v8.16b, v8.16b, v5.16b
-        eor     v9.16b, v9.16b, v2.16b
-        eor     v16.16b, v16.16b, v7.16b
-        eor     v17.16b, v17.16b, v3.16b
-        and     v8.16b, v8.16b, v19.16b
-        and     v9.16b, v9.16b, v19.16b
-        and     v16.16b, v16.16b, v19.16b
-        and     v17.16b, v17.16b, v19.16b
-        eor     v5.16b, v5.16b, v8.16b
-        shl     v8.2d, v8.2d, #4
-        eor     v2.16b, v2.16b, v9.16b
-        shl     v9.2d, v9.2d, #4
-        eor     v7.16b, v7.16b, v16.16b
-        shl     v16.2d, v16.2d, #4
-        eor     v3.16b, v3.16b, v17.16b
-        shl     v17.2d, v17.2d, #4
-        eor     v6.16b, v6.16b, v8.16b
-        eor     v4.16b, v4.16b, v9.16b
-        eor     v7.16b, v7.16b, v10.16b
-        eor     v1.16b, v1.16b, v16.16b
-        eor     v3.16b, v3.16b, v10.16b
-        eor     v0.16b, v0.16b, v17.16b
-        eor     v6.16b, v6.16b, v10.16b
-        eor     v4.16b, v4.16b, v10.16b
-        eor     v2.16b, v2.16b, v10.16b
-        eor     v5.16b, v5.16b, v10.16b
-        eor     v1.16b, v1.16b, v10.16b
-        eor     v0.16b, v0.16b, v10.16b
-        ret
-.size   _bsaes_encrypt8,.-_bsaes_encrypt8
-
-.type   _bsaes_key_convert,%function
-.align  4
-// On entry:
-//   x9 -> input key (big-endian)
-//   x10 = number of rounds
-//   x17 -> output key (native endianness)
-// On exit:
-//   x9, x10 corrupted
-//   x11 -> .LM0_bigendian
-//   x17 -> last quadword of output key
-//   other general-purpose registers preserved
-//   v2-v6 preserved
-//   v7.16b[] = 0x63
-//   v8-v14 preserved
-//   v15 = last round key (converted to native endianness)
-//   other SIMD registers corrupted
-_bsaes_key_convert:
-#ifdef __AARCH64EL__
-        adr     x11, .LM0_littleendian
-#else
-        adr     x11, .LM0_bigendian
-#endif
-        ldr     q0, [x9], #16               // load round 0 key
-        ldr     q1, [x11]                   // .LM0
-        ldr     q15, [x9], #16              // load round 1 key
-
-        movi    v7.16b, #0x63               // compose .L63
-        movi    v16.16b, #0x01              // bit masks
-        movi    v17.16b, #0x02
-        movi    v18.16b, #0x04
-        movi    v19.16b, #0x08
-        movi    v20.16b, #0x10
-        movi    v21.16b, #0x20
-        movi    v22.16b, #0x40
-        movi    v23.16b, #0x80
-
-#ifdef __AARCH64EL__
-        rev32   v0.16b, v0.16b
-#endif
-        sub     x10, x10, #1
-        str     q0, [x17], #16              // save round 0 key
-
-.align  4
-.Lkey_loop:
-        tbl     v0.16b, {v15.16b}, v1.16b
-        ldr     q15, [x9], #16              // load next round key
-
-        eor     v0.16b, v0.16b, v7.16b
-        cmtst   v24.16b, v0.16b, v16.16b
-        cmtst   v25.16b, v0.16b, v17.16b
-        cmtst   v26.16b, v0.16b, v18.16b
-        cmtst   v27.16b, v0.16b, v19.16b
-        cmtst   v28.16b, v0.16b, v20.16b
-        cmtst   v29.16b, v0.16b, v21.16b
-        cmtst   v30.16b, v0.16b, v22.16b
-        cmtst   v31.16b, v0.16b, v23.16b
-        sub     x10, x10, #1
-        st1     {v24.16b-v27.16b}, [x17], #64 // write bit-sliced round key
-        st1     {v28.16b-v31.16b}, [x17], #64
-        cbnz    x10, .Lkey_loop
-
-        // don't save last round key
-#ifdef __AARCH64EL__
-        rev32   v15.16b, v15.16b
-        adr     x11, .LM0_bigendian
-#endif
-        ret
-.size   _bsaes_key_convert,.-_bsaes_key_convert
-
-.globl  ossl_bsaes_cbc_encrypt
-.type   ossl_bsaes_cbc_encrypt,%function
-.align  4
-// On entry:
-//   x0 -> input ciphertext
-//   x1 -> output plaintext
-//   x2 = size of ciphertext and plaintext in bytes (assumed a multiple of 16)
-//   x3 -> key
-//   x4 -> 128-bit initialisation vector (or preceding 128-bit block of ciphertext if continuing after an earlier call)
-//   w5 must be == 0
-// On exit:
-//   Output plaintext filled in
-//   Initialisation vector overwritten with last quadword of ciphertext
-//   No output registers, usual AAPCS64 register preservation
-ossl_bsaes_cbc_encrypt:
-        cmp     x2, #128
-        bhs     .Lcbc_do_bsaes
-        b       AES_cbc_encrypt
-.Lcbc_do_bsaes:
-
-        // it is up to the caller to make sure we are called with enc == 0
-
-        stp     x29, x30, [sp, #-48]!
-        stp     d8, d9, [sp, #16]
-        stp     d10, d15, [sp, #32]
-        lsr     x2, x2, #4                  // len in 16 byte blocks
-
-        ldr     w15, [x3, #240]             // get # of rounds
-        mov     x14, sp
-
-        // allocate the key schedule on the stack
-        add     x17, sp, #96
-        sub     x17, x17, x15, lsl #7       // 128 bytes per inner round key, less 96 bytes
-
-        // populate the key schedule
-        mov     x9, x3                      // pass key
-        mov     x10, x15                    // pass # of rounds
-        mov     sp, x17                     // sp is sp
-        bl      _bsaes_key_convert
-        ldr     q6,  [sp]
-        str     q15, [x17]                  // save last round key
-        eor     v6.16b, v6.16b, v7.16b      // fix up round 0 key (by XORing with 0x63)
-        str     q6, [sp]
-
-        ldr     q15, [x4]                   // load IV
-        b       .Lcbc_dec_loop
-
-.align  4
-.Lcbc_dec_loop:
-        subs    x2, x2, #0x8
-        bmi     .Lcbc_dec_loop_finish
-
-        ldr     q0, [x0], #16               // load input
-        mov     x9, sp                      // pass the key
-        ldr     q1, [x0], #16
-        mov     x10, x15
-        ldr     q2, [x0], #16
-        ldr     q3, [x0], #16
-        ldr     q4, [x0], #16
-        ldr     q5, [x0], #16
-        ldr     q6, [x0], #16
-        ldr     q7, [x0], #-7*16
-
-        bl      _bsaes_decrypt8
-
-        ldr     q16, [x0], #16              // reload input
-        eor     v0.16b, v0.16b, v15.16b     // ^= IV
-        eor     v1.16b, v1.16b, v16.16b
-        str     q0, [x1], #16               // write output
-        ldr     q0, [x0], #16
-        str     q1, [x1], #16
-        ldr     q1, [x0], #16
-        eor     v1.16b, v4.16b, v1.16b
-        ldr     q4, [x0], #16
-        eor     v2.16b, v2.16b, v4.16b
-        eor     v0.16b, v6.16b, v0.16b
-        ldr     q4, [x0], #16
-        str     q0, [x1], #16
-        str     q1, [x1], #16
-        eor     v0.16b, v7.16b, v4.16b
-        ldr     q1, [x0], #16
-        str     q2, [x1], #16
-        ldr     q2, [x0], #16
-        ldr     q15, [x0], #16
-        str     q0, [x1], #16
-        eor     v0.16b, v5.16b, v2.16b
-        eor     v1.16b, v3.16b, v1.16b
-        str     q1, [x1], #16
-        str     q0, [x1], #16
-
-        b       .Lcbc_dec_loop
-
-.Lcbc_dec_loop_finish:
-        adds    x2, x2, #8
-        beq     .Lcbc_dec_done
-
-        ldr     q0, [x0], #16               // load input
-        cmp     x2, #2
-        blo     .Lcbc_dec_one
-        ldr     q1, [x0], #16
-        mov     x9, sp                      // pass the key
-        mov     x10, x15
-        beq     .Lcbc_dec_two
-        ldr     q2, [x0], #16
-        cmp     x2, #4
-        blo     .Lcbc_dec_three
-        ldr     q3, [x0], #16
-        beq     .Lcbc_dec_four
-        ldr     q4, [x0], #16
-        cmp     x2, #6
-        blo     .Lcbc_dec_five
-        ldr     q5, [x0], #16
-        beq     .Lcbc_dec_six
-        ldr     q6, [x0], #-6*16
-
-        bl      _bsaes_decrypt8
-
-        ldr     q5, [x0], #16               // reload input
-        eor     v0.16b, v0.16b, v15.16b     // ^= IV
-        ldr     q8, [x0], #16
-        ldr     q9, [x0], #16
-        ldr     q10, [x0], #16
-        str     q0, [x1], #16               // write output
-        ldr     q0, [x0], #16
-        eor     v1.16b, v1.16b, v5.16b
-        ldr     q5, [x0], #16
-        eor     v6.16b, v6.16b, v8.16b
-        ldr     q15, [x0]
-        eor     v4.16b, v4.16b, v9.16b
-        eor     v2.16b, v2.16b, v10.16b
-        str     q1, [x1], #16
-        eor     v0.16b, v7.16b, v0.16b
-        str     q6, [x1], #16
-        eor     v1.16b, v3.16b, v5.16b
-        str     q4, [x1], #16
-        str     q2, [x1], #16
-        str     q0, [x1], #16
-        str     q1, [x1]
-        b       .Lcbc_dec_done
-.align  4
-.Lcbc_dec_six:
-        sub     x0, x0, #0x60
-        bl      _bsaes_decrypt8
-        ldr     q3, [x0], #16               // reload input
-        eor     v0.16b, v0.16b, v15.16b     // ^= IV
-        ldr     q5, [x0], #16
-        ldr     q8, [x0], #16
-        ldr     q9, [x0], #16
-        str     q0, [x1], #16               // write output
-        ldr     q0, [x0], #16
-        eor     v1.16b, v1.16b, v3.16b
-        ldr     q15, [x0]
-        eor     v3.16b, v6.16b, v5.16b
-        eor     v4.16b, v4.16b, v8.16b
-        eor     v2.16b, v2.16b, v9.16b
-        str     q1, [x1], #16
-        eor     v0.16b, v7.16b, v0.16b
-        str     q3, [x1], #16
-        str     q4, [x1], #16
-        str     q2, [x1], #16
-        str     q0, [x1]
-        b       .Lcbc_dec_done
-.align  4
-.Lcbc_dec_five:
-        sub     x0, x0, #0x50
-        bl      _bsaes_decrypt8
-        ldr     q3, [x0], #16               // reload input
-        eor     v0.16b, v0.16b, v15.16b     // ^= IV
-        ldr     q5, [x0], #16
-        ldr     q7, [x0], #16
-        ldr     q8, [x0], #16
-        str     q0, [x1], #16               // write output
-        ldr     q15, [x0]
-        eor     v0.16b, v1.16b, v3.16b
-        eor     v1.16b, v6.16b, v5.16b
-        eor     v3.16b, v4.16b, v7.16b
-        str     q0, [x1], #16
-        eor     v0.16b, v2.16b, v8.16b
-        str     q1, [x1], #16
-        str     q3, [x1], #16
-        str     q0, [x1]
-        b       .Lcbc_dec_done
-.align  4
-.Lcbc_dec_four:
-        sub     x0, x0, #0x40
-        bl      _bsaes_decrypt8
-        ldr     q2, [x0], #16               // reload input
-        eor     v0.16b, v0.16b, v15.16b     // ^= IV
-        ldr     q3, [x0], #16
-        ldr     q5, [x0], #16
-        str     q0, [x1], #16               // write output
-        ldr     q15, [x0]
-        eor     v0.16b, v1.16b, v2.16b
-        eor     v1.16b, v6.16b, v3.16b
-        eor     v2.16b, v4.16b, v5.16b
-        str     q0, [x1], #16
-        str     q1, [x1], #16
-        str     q2, [x1]
-        b       .Lcbc_dec_done
-.align  4
-.Lcbc_dec_three:
-        sub     x0, x0, #0x30
-        bl      _bsaes_decrypt8
-        ldr     q2, [x0], #16               // reload input
-        eor     v0.16b, v0.16b, v15.16b     // ^= IV
-        ldr     q3, [x0], #16
-        ldr     q15, [x0]
-        str     q0, [x1], #16               // write output
-        eor     v0.16b, v1.16b, v2.16b
-        eor     v1.16b, v6.16b, v3.16b
-        str     q0, [x1], #16
-        str     q1, [x1]
-        b       .Lcbc_dec_done
-.align  4
-.Lcbc_dec_two:
-        sub     x0, x0, #0x20
-        bl      _bsaes_decrypt8
-        ldr     q2, [x0], #16               // reload input
-        eor     v0.16b, v0.16b, v15.16b     // ^= IV
-        ldr     q15, [x0]
-        str     q0, [x1], #16               // write output
-        eor     v0.16b, v1.16b, v2.16b
-        str     q0, [x1]
-        b       .Lcbc_dec_done
-.align  4
-.Lcbc_dec_one:
-        sub     x0, x0, #0x10
-        stp     x1, x4, [sp, #-32]!
-        str     x14, [sp, #16]
-        mov     v8.16b, v15.16b
-        mov     v15.16b, v0.16b
-        mov     x2, x3
-        bl      AES_decrypt
-        ldr     x14, [sp, #16]
-        ldp     x1, x4, [sp], #32
-        ldr     q0, [x1]                    // load result
-        eor     v0.16b, v0.16b, v8.16b      // ^= IV
-        str     q0, [x1]                    // write output
-
-.align  4
-.Lcbc_dec_done:
-        movi    v0.16b, #0
-        movi    v1.16b, #0
-.Lcbc_dec_bzero:// wipe key schedule [if any]
-        stp     q0, q1, [sp], #32
-        cmp     sp, x14
-        bne     .Lcbc_dec_bzero
-        str     q15, [x4]                   // return IV
-        ldp     d8, d9, [sp, #16]
-        ldp     d10, d15, [sp, #32]
-        ldp     x29, x30, [sp], #48
-        ret
-.size   ossl_bsaes_cbc_encrypt,.-ossl_bsaes_cbc_encrypt
-
-.globl  ossl_bsaes_ctr32_encrypt_blocks
-.type   ossl_bsaes_ctr32_encrypt_blocks,%function
-.align  4
-// On entry:
-//   x0 -> input text (whole 16-byte blocks)
-//   x1 -> output text (whole 16-byte blocks)
-//   x2 = number of 16-byte blocks to encrypt/decrypt (> 0)
-//   x3 -> key
-//   x4 -> initial value of 128-bit counter (stored big-endian) which increments, modulo 2^32, for each block
-// On exit:
-//   Output text filled in
-//   No output registers, usual AAPCS64 register preservation
-ossl_bsaes_ctr32_encrypt_blocks:
-
-        cmp     x2, #8                      // use plain AES for
-        blo     .Lctr_enc_short             // small sizes
-
-        stp     x29, x30, [sp, #-80]!
-        stp     d8, d9, [sp, #16]
-        stp     d10, d11, [sp, #32]
-        stp     d12, d13, [sp, #48]
-        stp     d14, d15, [sp, #64]
-
-        ldr     w15, [x3, #240]             // get # of rounds
-        mov     x14, sp
-
-        // allocate the key schedule on the stack
-        add     x17, sp, #96
-        sub     x17, x17, x15, lsl #7       // 128 bytes per inner round key, less 96 bytes
-
-        // populate the key schedule
-        mov     x9, x3                      // pass key
-        mov     x10, x15                    // pass # of rounds
-        mov     sp, x17                     // sp is sp
-        bl      _bsaes_key_convert
-        eor     v7.16b, v7.16b, v15.16b     // fix up last round key
-        str     q7, [x17]                   // save last round key
-
-        ldr     q0, [x4]                    // load counter
-        add     x13, x11, #.LREVM0SR-.LM0_bigendian
-        ldr     q4, [sp]                    // load round0 key
-
-        movi    v8.4s, #1                   // compose 1<<96
-        movi    v9.16b, #0
-        rev32   v15.16b, v0.16b
-        rev32   v0.16b, v0.16b
-        ext     v11.16b, v9.16b, v8.16b, #4
-        rev32   v4.16b, v4.16b
-        add     v12.4s, v11.4s, v11.4s      // compose 2<<96
-        str     q4, [sp]                    // save adjusted round0 key
-        add     v13.4s, v11.4s, v12.4s      // compose 3<<96
-        add     v14.4s, v12.4s, v12.4s      // compose 4<<96
-        b       .Lctr_enc_loop
-
-.align  4
-.Lctr_enc_loop:
-        // Intermix prologue from _bsaes_encrypt8 to use the opportunity
-        // to flip byte order in 32-bit counter
-
-        add     v1.4s, v15.4s, v11.4s       // +1
-        add     x9, sp, #0x10               // pass next round key
-        add     v2.4s, v15.4s, v12.4s       // +2
-        ldr     q9, [x13]                   // .LREVM0SR
-        ldr     q8, [sp]                    // load round0 key
-        add     v3.4s, v15.4s, v13.4s       // +3
-        mov     x10, x15                    // pass rounds
-        sub     x11, x13, #.LREVM0SR-.LSR   // pass constants
-        add     v6.4s, v2.4s, v14.4s
-        add     v4.4s, v15.4s, v14.4s       // +4
-        add     v7.4s, v3.4s, v14.4s
-        add     v15.4s, v4.4s, v14.4s       // next counter
-        add     v5.4s, v1.4s, v14.4s
-
-        bl      _bsaes_encrypt8_alt
-
-        subs    x2, x2, #8
-        blo     .Lctr_enc_loop_done
-
-        ldr     q16, [x0], #16
-        ldr     q17, [x0], #16
-        eor     v1.16b, v1.16b, v17.16b
-        ldr     q17, [x0], #16
-        eor     v0.16b, v0.16b, v16.16b
-        eor     v4.16b, v4.16b, v17.16b
-        str     q0, [x1], #16
-        ldr     q16, [x0], #16
-        str     q1, [x1], #16
-        mov     v0.16b, v15.16b
-        str     q4, [x1], #16
-        ldr     q1, [x0], #16
-        eor     v4.16b, v6.16b, v16.16b
-        eor     v1.16b, v3.16b, v1.16b
-        ldr     q3, [x0], #16
-        eor     v3.16b, v7.16b, v3.16b
-        ldr     q6, [x0], #16
-        eor     v2.16b, v2.16b, v6.16b
-        ldr     q6, [x0], #16
-        eor     v5.16b, v5.16b, v6.16b
-        str     q4, [x1], #16
-        str     q1, [x1], #16
-        str     q3, [x1], #16
-        str     q2, [x1], #16
-        str     q5, [x1], #16
-
-        bne     .Lctr_enc_loop
-        b       .Lctr_enc_done
-
-.align  4
-.Lctr_enc_loop_done:
-        add     x2, x2, #8
-        ldr     q16, [x0], #16              // load input
-        eor     v0.16b, v0.16b, v16.16b
-        str     q0, [x1], #16               // write output
-        cmp     x2, #2
-        blo     .Lctr_enc_done
-        ldr     q17, [x0], #16
-        eor     v1.16b, v1.16b, v17.16b
-        str     q1, [x1], #16
-        beq     .Lctr_enc_done
-        ldr     q18, [x0], #16
-        eor     v4.16b, v4.16b, v18.16b
-        str     q4, [x1], #16
-        cmp     x2, #4
-        blo     .Lctr_enc_done
-        ldr     q19, [x0], #16
-        eor     v6.16b, v6.16b, v19.16b
-        str     q6, [x1], #16
-        beq     .Lctr_enc_done
-        ldr     q20, [x0], #16
-        eor     v3.16b, v3.16b, v20.16b
-        str     q3, [x1], #16
-        cmp     x2, #6
-        blo     .Lctr_enc_done
-        ldr     q21, [x0], #16
-        eor     v7.16b, v7.16b, v21.16b
-        str     q7, [x1], #16
-        beq     .Lctr_enc_done
-        ldr     q22, [x0]
-        eor     v2.16b, v2.16b, v22.16b
-        str     q2, [x1], #16
-
-.Lctr_enc_done:
-        movi    v0.16b, #0
-        movi    v1.16b, #0
-.Lctr_enc_bzero: // wipe key schedule [if any]
-        stp     q0, q1, [sp], #32
-        cmp     sp, x14
-        bne     .Lctr_enc_bzero
-
-        ldp     d8, d9, [sp, #16]
-        ldp     d10, d11, [sp, #32]
-        ldp     d12, d13, [sp, #48]
-        ldp     d14, d15, [sp, #64]
-        ldp     x29, x30, [sp], #80
-        ret
-
-.Lctr_enc_short:
-        stp     x29, x30, [sp, #-96]!
-        stp     x19, x20, [sp, #16]
-        stp     x21, x22, [sp, #32]
-        str     x23, [sp, #48]
-
-        mov     x19, x0                     // copy arguments
-        mov     x20, x1
-        mov     x21, x2
-        mov     x22, x3
-        ldr     w23, [x4, #12]              // load counter .LSW
-        ldr     q1, [x4]                    // load whole counter value
-#ifdef __AARCH64EL__
-        rev     w23, w23
-#endif
-        str     q1, [sp, #80]               // copy counter value
-
-.Lctr_enc_short_loop:
-        add     x0, sp, #80                 // input counter value
-        add     x1, sp, #64                 // output on the stack
-        mov     x2, x22                     // key
-
-        bl      AES_encrypt
-
-        ldr     q0, [x19], #16              // load input
-        ldr     q1, [sp, #64]               // load encrypted counter
-        add     x23, x23, #1
-#ifdef __AARCH64EL__
-        rev     w0, w23
-        str     w0, [sp, #80+12]            // next counter value
-#else
-        str     w23, [sp, #80+12]           // next counter value
-#endif
-        eor     v0.16b, v0.16b, v1.16b
-        str     q0, [x20], #16              // store output
-        subs    x21, x21, #1
-        bne     .Lctr_enc_short_loop
-
-        movi    v0.16b, #0
-        movi    v1.16b, #0
-        stp     q0, q1, [sp, #64]
-
-        ldr     x23, [sp, #48]
-        ldp     x21, x22, [sp, #32]
-        ldp     x19, x20, [sp, #16]
-        ldp     x29, x30, [sp], #96
-        ret
-.size   ossl_bsaes_ctr32_encrypt_blocks,.-ossl_bsaes_ctr32_encrypt_blocks
-
-.globl  ossl_bsaes_xts_encrypt
-.type   ossl_bsaes_xts_encrypt,%function
-.align  4
-// On entry:
-//   x0 -> input plaintext
-//   x1 -> output ciphertext
-//   x2 -> length of text in bytes (must be at least 16)
-//   x3 -> key1 (used to encrypt the XORed plaintext blocks)
-//   x4 -> key2 (used to encrypt the initial vector to yield the initial tweak)
-//   x5 -> 16-byte initial vector (typically, sector number)
-// On exit:
-//   Output ciphertext filled in
-//   No output registers, usual AAPCS64 register preservation
-ossl_bsaes_xts_encrypt:
-        // Stack layout:
-        // sp ->
-        //        nrounds*128-96 bytes: key schedule
-        // x19 ->
-        //        16 bytes: frame record
-        //        4*16 bytes: tweak storage across _bsaes_encrypt8
-        //        6*8 bytes: storage for 5 callee-saved general-purpose registers
-        //        8*8 bytes: storage for 8 callee-saved SIMD registers
-        stp     x29, x30, [sp, #-192]!
-        stp     x19, x20, [sp, #80]
-        stp     x21, x22, [sp, #96]
-        str     x23, [sp, #112]
-        stp     d8, d9, [sp, #128]
-        stp     d10, d11, [sp, #144]
-        stp     d12, d13, [sp, #160]
-        stp     d14, d15, [sp, #176]
-
-        mov     x19, sp
-        mov     x20, x0
-        mov     x21, x1
-        mov     x22, x2
-        mov     x23, x3
-
-        // generate initial tweak
-        sub     sp, sp, #16
-        mov     x0, x5                      // iv[]
-        mov     x1, sp
-        mov     x2, x4                      // key2
-        bl      AES_encrypt
-        ldr     q11, [sp], #16
-
-        ldr     w1, [x23, #240]             // get # of rounds
-        // allocate the key schedule on the stack
-        add     x17, sp, #96
-        sub     x17, x17, x1, lsl #7        // 128 bytes per inner round key, less 96 bytes
-
-        // populate the key schedule
-        mov     x9, x23                     // pass key
-        mov     x10, x1                     // pass # of rounds
-        mov     sp, x17
-        bl      _bsaes_key_convert
-        eor     v15.16b, v15.16b, v7.16b    // fix up last round key
-        str     q15, [x17]                  // save last round key
-
-        subs    x22, x22, #0x80
-        blo     .Lxts_enc_short
-        b       .Lxts_enc_loop
-
-.align  4
-.Lxts_enc_loop:
-        ldr     q8, .Lxts_magic
-        mov     x10, x1                     // pass rounds
-        add     x2, x19, #16
-        ldr     q0, [x20], #16
-        sshr    v1.2d, v11.2d, #63
-        mov     x9, sp                      // pass key schedule
-        ldr     q6, .Lxts_magic+16
-        add     v2.2d, v11.2d, v11.2d
-        cmtst   v3.2d, v11.2d, v6.2d
-        and     v1.16b, v1.16b, v8.16b
-        ext     v1.16b, v1.16b, v1.16b, #8
-        and     v3.16b, v3.16b, v8.16b
-        ldr     q4, [x20], #16
-        eor     v12.16b, v2.16b, v1.16b
-        eor     v1.16b, v4.16b, v12.16b
-        eor     v0.16b, v0.16b, v11.16b
-        cmtst   v2.2d, v12.2d, v6.2d
-        add     v4.2d, v12.2d, v12.2d
-        add     x0, x19, #16
-        ext     v3.16b, v3.16b, v3.16b, #8
-        and     v2.16b, v2.16b, v8.16b
-        eor     v13.16b, v4.16b, v3.16b
-        ldr     q3, [x20], #16
-        ext     v4.16b, v2.16b, v2.16b, #8
-        eor     v2.16b, v3.16b, v13.16b
-        ldr     q3, [x20], #16
-        add     v5.2d, v13.2d, v13.2d
-        cmtst   v7.2d, v13.2d, v6.2d
-        and     v7.16b, v7.16b, v8.16b
-        ldr     q9, [x20], #16
-        ext     v7.16b, v7.16b, v7.16b, #8
-        ldr     q10, [x20], #16
-        eor     v14.16b, v5.16b, v4.16b
-        ldr     q16, [x20], #16
-        add     v4.2d, v14.2d, v14.2d
-        eor     v3.16b, v3.16b, v14.16b
-        eor     v15.16b, v4.16b, v7.16b
-        add     v5.2d, v15.2d, v15.2d
-        ldr     q7, [x20], #16
-        cmtst   v4.2d, v14.2d, v6.2d
-        and     v17.16b, v4.16b, v8.16b
-        cmtst   v18.2d, v15.2d, v6.2d
-        eor     v4.16b, v9.16b, v15.16b
-        ext     v9.16b, v17.16b, v17.16b, #8
-        eor     v9.16b, v5.16b, v9.16b
-        add     v17.2d, v9.2d, v9.2d
-        and     v18.16b, v18.16b, v8.16b
-        eor     v5.16b, v10.16b, v9.16b
-        str     q9, [x2], #16
-        ext     v10.16b, v18.16b, v18.16b, #8
-        cmtst   v9.2d, v9.2d, v6.2d
-        and     v9.16b, v9.16b, v8.16b
-        eor     v10.16b, v17.16b, v10.16b
-        cmtst   v17.2d, v10.2d, v6.2d
-        eor     v6.16b, v16.16b, v10.16b
-        str     q10, [x2], #16
-        ext     v9.16b, v9.16b, v9.16b, #8
-        add     v10.2d, v10.2d, v10.2d
-        eor     v9.16b, v10.16b, v9.16b
-        str     q9, [x2], #16
-        eor     v7.16b, v7.16b, v9.16b
-        add     v9.2d, v9.2d, v9.2d
-        and     v8.16b, v17.16b, v8.16b
-        ext     v8.16b, v8.16b, v8.16b, #8
-        eor     v8.16b, v9.16b, v8.16b
-        str     q8, [x2]                    // next round tweak
-
-        bl      _bsaes_encrypt8
-
-        ldr     q8, [x0], #16
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        ldr     q9, [x0], #16
-        eor     v4.16b, v4.16b, v13.16b
-        eor     v6.16b, v6.16b, v14.16b
-        ldr     q10, [x0], #16
-        eor     v3.16b, v3.16b, v15.16b
-        subs    x22, x22, #0x80
-        str     q0, [x21], #16
-        ldr     q11, [x0]                   // next round tweak
-        str     q1, [x21], #16
-        eor     v0.16b, v7.16b, v8.16b
-        eor     v1.16b, v2.16b, v9.16b
-        str     q4, [x21], #16
-        eor     v2.16b, v5.16b, v10.16b
-        str     q6, [x21], #16
-        str     q3, [x21], #16
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        str     q2, [x21], #16
-        bpl     .Lxts_enc_loop
-
-.Lxts_enc_short:
-        adds    x22, x22, #0x70
-        bmi     .Lxts_enc_done
-
-        ldr     q8, .Lxts_magic
-        sshr    v1.2d, v11.2d, #63
-        add     v2.2d, v11.2d, v11.2d
-        ldr     q9, .Lxts_magic+16
-        subs    x22, x22, #0x10
-        ldr     q0, [x20], #16
-        and     v1.16b, v1.16b, v8.16b
-        cmtst   v3.2d, v11.2d, v9.2d
-        ext     v1.16b, v1.16b, v1.16b, #8
-        and     v3.16b, v3.16b, v8.16b
-        eor     v12.16b, v2.16b, v1.16b
-        ext     v1.16b, v3.16b, v3.16b, #8
-        add     v2.2d, v12.2d, v12.2d
-        cmtst   v3.2d, v12.2d, v9.2d
-        eor     v13.16b, v2.16b, v1.16b
-        and     v22.16b, v3.16b, v8.16b
-        bmi     .Lxts_enc_1
-
-        ext     v2.16b, v22.16b, v22.16b, #8
-        add     v3.2d, v13.2d, v13.2d
-        ldr     q1, [x20], #16
-        cmtst   v4.2d, v13.2d, v9.2d
-        subs    x22, x22, #0x10
-        eor     v14.16b, v3.16b, v2.16b
-        and     v23.16b, v4.16b, v8.16b
-        bmi     .Lxts_enc_2
-
-        ext     v3.16b, v23.16b, v23.16b, #8
-        add     v4.2d, v14.2d, v14.2d
-        ldr     q2, [x20], #16
-        cmtst   v5.2d, v14.2d, v9.2d
-        eor     v0.16b, v0.16b, v11.16b
-        subs    x22, x22, #0x10
-        eor     v15.16b, v4.16b, v3.16b
-        and     v24.16b, v5.16b, v8.16b
-        bmi     .Lxts_enc_3
-
-        ext     v4.16b, v24.16b, v24.16b, #8
-        add     v5.2d, v15.2d, v15.2d
-        ldr     q3, [x20], #16
-        cmtst   v6.2d, v15.2d, v9.2d
-        eor     v1.16b, v1.16b, v12.16b
-        subs    x22, x22, #0x10
-        eor     v16.16b, v5.16b, v4.16b
-        and     v25.16b, v6.16b, v8.16b
-        bmi     .Lxts_enc_4
-
-        ext     v5.16b, v25.16b, v25.16b, #8
-        add     v6.2d, v16.2d, v16.2d
-        add     x0, x19, #16
-        cmtst   v7.2d, v16.2d, v9.2d
-        ldr     q4, [x20], #16
-        eor     v2.16b, v2.16b, v13.16b
-        str     q16, [x0], #16
-        subs    x22, x22, #0x10
-        eor     v17.16b, v6.16b, v5.16b
-        and     v26.16b, v7.16b, v8.16b
-        bmi     .Lxts_enc_5
-
-        ext     v7.16b, v26.16b, v26.16b, #8
-        add     v18.2d, v17.2d, v17.2d
-        ldr     q5, [x20], #16
-        eor     v3.16b, v3.16b, v14.16b
-        str     q17, [x0], #16
-        subs    x22, x22, #0x10
-        eor     v18.16b, v18.16b, v7.16b
-        bmi     .Lxts_enc_6
-
-        ldr     q6, [x20], #16
-        eor     v4.16b, v4.16b, v15.16b
-        eor     v5.16b, v5.16b, v16.16b
-        str     q18, [x0]                   // next round tweak
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1
-        add     x0, x19, #16
-        sub     x22, x22, #0x10
-        eor     v6.16b, v6.16b, v17.16b
-
-        bl      _bsaes_encrypt8
-
-        ldr     q16, [x0], #16
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        ldr     q17, [x0], #16
-        eor     v4.16b, v4.16b, v13.16b
-        eor     v6.16b, v6.16b, v14.16b
-        eor     v3.16b, v3.16b, v15.16b
-        ldr     q11, [x0]                   // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        eor     v0.16b, v7.16b, v16.16b
-        eor     v1.16b, v2.16b, v17.16b
-        str     q4, [x21], #16
-        str     q6, [x21], #16
-        str     q3, [x21], #16
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        b       .Lxts_enc_done
-
-.align  4
-.Lxts_enc_6:
-        eor     v4.16b, v4.16b, v15.16b
-        eor     v5.16b, v5.16b, v16.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_encrypt8
-
-        ldr     q16, [x0], #16
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v4.16b, v4.16b, v13.16b
-        eor     v6.16b, v6.16b, v14.16b
-        ldr     q11, [x0]                   // next round tweak
-        eor     v3.16b, v3.16b, v15.16b
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        eor     v0.16b, v7.16b, v16.16b
-        str     q4, [x21], #16
-        str     q6, [x21], #16
-        str     q3, [x21], #16
-        str     q0, [x21], #16
-        b       .Lxts_enc_done
-
-.align  4
-.Lxts_enc_5:
-        eor     v3.16b, v3.16b, v14.16b
-        eor     v4.16b, v4.16b, v15.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_encrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        ldr     q11, [x0]                   // next round tweak
-        eor     v4.16b, v4.16b, v13.16b
-        eor     v6.16b, v6.16b, v14.16b
-        eor     v3.16b, v3.16b, v15.16b
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        str     q4, [x21], #16
-        str     q6, [x21], #16
-        str     q3, [x21], #16
-        b       .Lxts_enc_done
-
-.align  4
-.Lxts_enc_4:
-        eor     v2.16b, v2.16b, v13.16b
-        eor     v3.16b, v3.16b, v14.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_encrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v4.16b, v4.16b, v13.16b
-        eor     v6.16b, v6.16b, v14.16b
-        mov     v11.16b, v15.16b            // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        str     q4, [x21], #16
-        str     q6, [x21], #16
-        b       .Lxts_enc_done
-
-.align  4
-.Lxts_enc_3:
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v2.16b, v2.16b, v13.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_encrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v4.16b, v4.16b, v13.16b
-        mov     v11.16b, v14.16b            // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        str     q4, [x21], #16
-        b       .Lxts_enc_done
-
-.align  4
-.Lxts_enc_2:
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_encrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        mov     v11.16b, v13.16b            // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        b       .Lxts_enc_done
-
-.align  4
-.Lxts_enc_1:
-        eor     v0.16b, v0.16b, v11.16b
-        sub     x0, sp, #16
-        sub     x1, sp, #16
-        mov     x2, x23
-        mov     v13.d[0], v11.d[1]          // just in case AES_encrypt corrupts top half of callee-saved SIMD registers
-        mov     v14.d[0], v12.d[1]
-        str     q0, [sp, #-16]!
-
-        bl      AES_encrypt
-
-        ldr     q0, [sp], #16
-        trn1    v13.2d, v11.2d, v13.2d
-        trn1    v11.2d, v12.2d, v14.2d      // next round tweak
-        eor     v0.16b, v0.16b, v13.16b
-        str     q0, [x21], #16
-
-.Lxts_enc_done:
-        adds    x22, x22, #0x10
-        beq     .Lxts_enc_ret
-
-        sub     x6, x21, #0x10
-        // Penultimate plaintext block produces final ciphertext part-block
-        // plus remaining part of final plaintext block. Move ciphertext part
-        // to final position and re-use penultimate ciphertext block buffer to
-        // construct final plaintext block
-.Lxts_enc_steal:
-        ldrb    w0, [x20], #1
-        ldrb    w1, [x21, #-0x10]
-        strb    w0, [x21, #-0x10]
-        strb    w1, [x21], #1
-
-        subs    x22, x22, #1
-        bhi     .Lxts_enc_steal
-
-        // Finally encrypt the penultimate ciphertext block using the
-        // last tweak
-        ldr     q0, [x6]
-        eor     v0.16b, v0.16b, v11.16b
-        str     q0, [sp, #-16]!
-        mov     x0, sp
-        mov     x1, sp
-        mov     x2, x23
-        mov     x21, x6
-        mov     v13.d[0], v11.d[1]          // just in case AES_encrypt corrupts top half of callee-saved SIMD registers
-
-        bl      AES_encrypt
-
-        trn1    v11.2d, v11.2d, v13.2d
-        ldr     q0, [sp], #16
-        eor     v0.16b, v0.16b, v11.16b
-        str     q0, [x21]
-
-.Lxts_enc_ret:
-
-        movi    v0.16b, #0
-        movi    v1.16b, #0
-.Lxts_enc_bzero: // wipe key schedule
-        stp     q0, q1, [sp], #32
-        cmp     sp, x19
-        bne     .Lxts_enc_bzero
-
-        ldp     x19, x20, [sp, #80]
-        ldp     x21, x22, [sp, #96]
-        ldr     x23, [sp, #112]
-        ldp     d8, d9, [sp, #128]
-        ldp     d10, d11, [sp, #144]
-        ldp     d12, d13, [sp, #160]
-        ldp     d14, d15, [sp, #176]
-        ldp     x29, x30, [sp], #192
-        ret
-.size   ossl_bsaes_xts_encrypt,.-ossl_bsaes_xts_encrypt
-
-// The assembler doesn't seem capable of de-duplicating these when expressed
-// using `ldr qd,=` syntax, so assign a symbolic address
-.align  5
-.Lxts_magic:
-.quad   1, 0x87, 0x4000000000000000, 0x4000000000000000
-
-.globl  ossl_bsaes_xts_decrypt
-.type   ossl_bsaes_xts_decrypt,%function
-.align  4
-// On entry:
-//   x0 -> input ciphertext
-//   x1 -> output plaintext
-//   x2 -> length of text in bytes (must be at least 16)
-//   x3 -> key1 (used to decrypt the XORed ciphertext blocks)
-//   x4 -> key2 (used to encrypt the initial vector to yield the initial tweak)
-//   x5 -> 16-byte initial vector (typically, sector number)
-// On exit:
-//   Output plaintext filled in
-//   No output registers, usual AAPCS64 register preservation
-ossl_bsaes_xts_decrypt:
-        // Stack layout:
-        // sp ->
-        //        nrounds*128-96 bytes: key schedule
-        // x19 ->
-        //        16 bytes: frame record
-        //        4*16 bytes: tweak storage across _bsaes_decrypt8
-        //        6*8 bytes: storage for 5 callee-saved general-purpose registers
-        //        8*8 bytes: storage for 8 callee-saved SIMD registers
-        stp     x29, x30, [sp, #-192]!
-        stp     x19, x20, [sp, #80]
-        stp     x21, x22, [sp, #96]
-        str     x23, [sp, #112]
-        stp     d8, d9, [sp, #128]
-        stp     d10, d11, [sp, #144]
-        stp     d12, d13, [sp, #160]
-        stp     d14, d15, [sp, #176]
-
-        mov     x19, sp
-        mov     x20, x0
-        mov     x21, x1
-        mov     x22, x2
-        mov     x23, x3
-
-        // generate initial tweak
-        sub     sp, sp, #16
-        mov     x0, x5                      // iv[]
-        mov     x1, sp
-        mov     x2, x4                      // key2
-        bl      AES_encrypt
-        ldr     q11, [sp], #16
-
-        ldr     w1, [x23, #240]             // get # of rounds
-        // allocate the key schedule on the stack
-        add     x17, sp, #96
-        sub     x17, x17, x1, lsl #7        // 128 bytes per inner round key, less 96 bytes
-
-        // populate the key schedule
-        mov     x9, x23                     // pass key
-        mov     x10, x1                     // pass # of rounds
-        mov     sp, x17
-        bl      _bsaes_key_convert
-        ldr     q6,  [sp]
-        str     q15, [x17]                  // save last round key
-        eor     v6.16b, v6.16b, v7.16b      // fix up round 0 key (by XORing with 0x63)
-        str     q6, [sp]
-
-        sub     x30, x22, #0x10
-        tst     x22, #0xf                   // if not multiple of 16
-        csel    x22, x30, x22, ne           // subtract another 16 bytes
-        subs    x22, x22, #0x80
-
-        blo     .Lxts_dec_short
-        b       .Lxts_dec_loop
-
-.align  4
-.Lxts_dec_loop:
-        ldr     q8, .Lxts_magic
-        mov     x10, x1                     // pass rounds
-        add     x2, x19, #16
-        ldr     q0, [x20], #16
-        sshr    v1.2d, v11.2d, #63
-        mov     x9, sp                      // pass key schedule
-        ldr     q6, .Lxts_magic+16
-        add     v2.2d, v11.2d, v11.2d
-        cmtst   v3.2d, v11.2d, v6.2d
-        and     v1.16b, v1.16b, v8.16b
-        ext     v1.16b, v1.16b, v1.16b, #8
-        and     v3.16b, v3.16b, v8.16b
-        ldr     q4, [x20], #16
-        eor     v12.16b, v2.16b, v1.16b
-        eor     v1.16b, v4.16b, v12.16b
-        eor     v0.16b, v0.16b, v11.16b
-        cmtst   v2.2d, v12.2d, v6.2d
-        add     v4.2d, v12.2d, v12.2d
-        add     x0, x19, #16
-        ext     v3.16b, v3.16b, v3.16b, #8
-        and     v2.16b, v2.16b, v8.16b
-        eor     v13.16b, v4.16b, v3.16b
-        ldr     q3, [x20], #16
-        ext     v4.16b, v2.16b, v2.16b, #8
-        eor     v2.16b, v3.16b, v13.16b
-        ldr     q3, [x20], #16
-        add     v5.2d, v13.2d, v13.2d
-        cmtst   v7.2d, v13.2d, v6.2d
-        and     v7.16b, v7.16b, v8.16b
-        ldr     q9, [x20], #16
-        ext     v7.16b, v7.16b, v7.16b, #8
-        ldr     q10, [x20], #16
-        eor     v14.16b, v5.16b, v4.16b
-        ldr     q16, [x20], #16
-        add     v4.2d, v14.2d, v14.2d
-        eor     v3.16b, v3.16b, v14.16b
-        eor     v15.16b, v4.16b, v7.16b
-        add     v5.2d, v15.2d, v15.2d
-        ldr     q7, [x20], #16
-        cmtst   v4.2d, v14.2d, v6.2d
-        and     v17.16b, v4.16b, v8.16b
-        cmtst   v18.2d, v15.2d, v6.2d
-        eor     v4.16b, v9.16b, v15.16b
-        ext     v9.16b, v17.16b, v17.16b, #8
-        eor     v9.16b, v5.16b, v9.16b
-        add     v17.2d, v9.2d, v9.2d
-        and     v18.16b, v18.16b, v8.16b
-        eor     v5.16b, v10.16b, v9.16b
-        str     q9, [x2], #16
-        ext     v10.16b, v18.16b, v18.16b, #8
-        cmtst   v9.2d, v9.2d, v6.2d
-        and     v9.16b, v9.16b, v8.16b
-        eor     v10.16b, v17.16b, v10.16b
-        cmtst   v17.2d, v10.2d, v6.2d
-        eor     v6.16b, v16.16b, v10.16b
-        str     q10, [x2], #16
-        ext     v9.16b, v9.16b, v9.16b, #8
-        add     v10.2d, v10.2d, v10.2d
-        eor     v9.16b, v10.16b, v9.16b
-        str     q9, [x2], #16
-        eor     v7.16b, v7.16b, v9.16b
-        add     v9.2d, v9.2d, v9.2d
-        and     v8.16b, v17.16b, v8.16b
-        ext     v8.16b, v8.16b, v8.16b, #8
-        eor     v8.16b, v9.16b, v8.16b
-        str     q8, [x2]                    // next round tweak
-
-        bl      _bsaes_decrypt8
-
-        eor     v6.16b, v6.16b, v13.16b
-        eor     v0.16b, v0.16b, v11.16b
-        ldr     q8, [x0], #16
-        eor     v7.16b, v7.16b, v8.16b
-        str     q0, [x21], #16
-        eor     v0.16b, v1.16b, v12.16b
-        ldr     q1, [x0], #16
-        eor     v1.16b, v3.16b, v1.16b
-        subs    x22, x22, #0x80
-        eor     v2.16b, v2.16b, v15.16b
-        eor     v3.16b, v4.16b, v14.16b
-        ldr     q4, [x0], #16
-        str     q0, [x21], #16
-        ldr     q11, [x0]                   // next round tweak
-        eor     v0.16b, v5.16b, v4.16b
-        str     q6, [x21], #16
-        str     q3, [x21], #16
-        str     q2, [x21], #16
-        str     q7, [x21], #16
-        str     q1, [x21], #16
-        str     q0, [x21], #16
-        bpl     .Lxts_dec_loop
-
-.Lxts_dec_short:
-        adds    x22, x22, #0x70
-        bmi     .Lxts_dec_done
-
-        ldr     q8, .Lxts_magic
-        sshr    v1.2d, v11.2d, #63
-        add     v2.2d, v11.2d, v11.2d
-        ldr     q9, .Lxts_magic+16
-        subs    x22, x22, #0x10
-        ldr     q0, [x20], #16
-        and     v1.16b, v1.16b, v8.16b
-        cmtst   v3.2d, v11.2d, v9.2d
-        ext     v1.16b, v1.16b, v1.16b, #8
-        and     v3.16b, v3.16b, v8.16b
-        eor     v12.16b, v2.16b, v1.16b
-        ext     v1.16b, v3.16b, v3.16b, #8
-        add     v2.2d, v12.2d, v12.2d
-        cmtst   v3.2d, v12.2d, v9.2d
-        eor     v13.16b, v2.16b, v1.16b
-        and     v22.16b, v3.16b, v8.16b
-        bmi     .Lxts_dec_1
-
-        ext     v2.16b, v22.16b, v22.16b, #8
-        add     v3.2d, v13.2d, v13.2d
-        ldr     q1, [x20], #16
-        cmtst   v4.2d, v13.2d, v9.2d
-        subs    x22, x22, #0x10
-        eor     v14.16b, v3.16b, v2.16b
-        and     v23.16b, v4.16b, v8.16b
-        bmi     .Lxts_dec_2
-
-        ext     v3.16b, v23.16b, v23.16b, #8
-        add     v4.2d, v14.2d, v14.2d
-        ldr     q2, [x20], #16
-        cmtst   v5.2d, v14.2d, v9.2d
-        eor     v0.16b, v0.16b, v11.16b
-        subs    x22, x22, #0x10
-        eor     v15.16b, v4.16b, v3.16b
-        and     v24.16b, v5.16b, v8.16b
-        bmi     .Lxts_dec_3
-
-        ext     v4.16b, v24.16b, v24.16b, #8
-        add     v5.2d, v15.2d, v15.2d
-        ldr     q3, [x20], #16
-        cmtst   v6.2d, v15.2d, v9.2d
-        eor     v1.16b, v1.16b, v12.16b
-        subs    x22, x22, #0x10
-        eor     v16.16b, v5.16b, v4.16b
-        and     v25.16b, v6.16b, v8.16b
-        bmi     .Lxts_dec_4
-
-        ext     v5.16b, v25.16b, v25.16b, #8
-        add     v6.2d, v16.2d, v16.2d
-        add     x0, x19, #16
-        cmtst   v7.2d, v16.2d, v9.2d
-        ldr     q4, [x20], #16
-        eor     v2.16b, v2.16b, v13.16b
-        str     q16, [x0], #16
-        subs    x22, x22, #0x10
-        eor     v17.16b, v6.16b, v5.16b
-        and     v26.16b, v7.16b, v8.16b
-        bmi     .Lxts_dec_5
-
-        ext     v7.16b, v26.16b, v26.16b, #8
-        add     v18.2d, v17.2d, v17.2d
-        ldr     q5, [x20], #16
-        eor     v3.16b, v3.16b, v14.16b
-        str     q17, [x0], #16
-        subs    x22, x22, #0x10
-        eor     v18.16b, v18.16b, v7.16b
-        bmi     .Lxts_dec_6
-
-        ldr     q6, [x20], #16
-        eor     v4.16b, v4.16b, v15.16b
-        eor     v5.16b, v5.16b, v16.16b
-        str     q18, [x0]                   // next round tweak
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1
-        add     x0, x19, #16
-        sub     x22, x22, #0x10
-        eor     v6.16b, v6.16b, v17.16b
-
-        bl      _bsaes_decrypt8
-
-        ldr     q16, [x0], #16
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        ldr     q17, [x0], #16
-        eor     v6.16b, v6.16b, v13.16b
-        eor     v4.16b, v4.16b, v14.16b
-        eor     v2.16b, v2.16b, v15.16b
-        ldr     q11, [x0]                   // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        eor     v0.16b, v7.16b, v16.16b
-        eor     v1.16b, v3.16b, v17.16b
-        str     q6, [x21], #16
-        str     q4, [x21], #16
-        str     q2, [x21], #16
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        b       .Lxts_dec_done
-
-.align  4
-.Lxts_dec_6:
-        eor     v4.16b, v4.16b, v15.16b
-        eor     v5.16b, v5.16b, v16.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_decrypt8
-
-        ldr     q16, [x0], #16
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v6.16b, v6.16b, v13.16b
-        eor     v4.16b, v4.16b, v14.16b
-        ldr     q11, [x0]                   // next round tweak
-        eor     v2.16b, v2.16b, v15.16b
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        eor     v0.16b, v7.16b, v16.16b
-        str     q6, [x21], #16
-        str     q4, [x21], #16
-        str     q2, [x21], #16
-        str     q0, [x21], #16
-        b       .Lxts_dec_done
-
-.align  4
-.Lxts_dec_5:
-        eor     v3.16b, v3.16b, v14.16b
-        eor     v4.16b, v4.16b, v15.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_decrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        ldr     q11, [x0]                   // next round tweak
-        eor     v6.16b, v6.16b, v13.16b
-        eor     v4.16b, v4.16b, v14.16b
-        eor     v2.16b, v2.16b, v15.16b
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        str     q6, [x21], #16
-        str     q4, [x21], #16
-        str     q2, [x21], #16
-        b       .Lxts_dec_done
-
-.align  4
-.Lxts_dec_4:
-        eor     v2.16b, v2.16b, v13.16b
-        eor     v3.16b, v3.16b, v14.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_decrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v6.16b, v6.16b, v13.16b
-        eor     v4.16b, v4.16b, v14.16b
-        mov     v11.16b, v15.16b            // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        str     q6, [x21], #16
-        str     q4, [x21], #16
-        b       .Lxts_dec_done
-
-.align  4
-.Lxts_dec_3:
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v2.16b, v2.16b, v13.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_decrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        eor     v6.16b, v6.16b, v13.16b
-        mov     v11.16b, v14.16b            // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        str     q6, [x21], #16
-        b       .Lxts_dec_done
-
-.align  4
-.Lxts_dec_2:
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        mov     x9, sp                      // pass key schedule
-        mov     x10, x1                     // pass rounds
-        add     x0, x19, #16
-
-        bl      _bsaes_decrypt8
-
-        eor     v0.16b, v0.16b, v11.16b
-        eor     v1.16b, v1.16b, v12.16b
-        mov     v11.16b, v13.16b            // next round tweak
-        str     q0, [x21], #16
-        str     q1, [x21], #16
-        b       .Lxts_dec_done
-
-.align  4
-.Lxts_dec_1:
-        eor     v0.16b, v0.16b, v11.16b
-        sub     x0, sp, #16
-        sub     x1, sp, #16
-        mov     x2, x23
-        mov     v13.d[0], v11.d[1]          // just in case AES_decrypt corrupts top half of callee-saved SIMD registers
-        mov     v14.d[0], v12.d[1]
-        str     q0, [sp, #-16]!
-
-        bl      AES_decrypt
-
-        ldr     q0, [sp], #16
-        trn1    v13.2d, v11.2d, v13.2d
-        trn1    v11.2d, v12.2d, v14.2d      // next round tweak
-        eor     v0.16b, v0.16b, v13.16b
-        str     q0, [x21], #16
-
-.Lxts_dec_done:
-        adds    x22, x22, #0x10
-        beq     .Lxts_dec_ret
-
-        // calculate one round of extra tweak for the stolen ciphertext
-        ldr     q8, .Lxts_magic
-        sshr    v6.2d, v11.2d, #63
-        and     v6.16b, v6.16b, v8.16b
-        add     v12.2d, v11.2d, v11.2d
-        ext     v6.16b, v6.16b, v6.16b, #8
-        eor     v12.16b, v12.16b, v6.16b
-
-        // perform the final decryption with the last tweak value
-        ldr     q0, [x20], #16
-        eor     v0.16b, v0.16b, v12.16b
-        str     q0, [sp, #-16]!
-        mov     x0, sp
-        mov     x1, sp
-        mov     x2, x23
-        mov     v13.d[0], v11.d[1]          // just in case AES_decrypt corrupts top half of callee-saved SIMD registers
-        mov     v14.d[0], v12.d[1]
-
-        bl      AES_decrypt
-
-        trn1    v12.2d, v12.2d, v14.2d
-        trn1    v11.2d, v11.2d, v13.2d
-        ldr     q0, [sp], #16
-        eor     v0.16b, v0.16b, v12.16b
-        str     q0, [x21]
-
-        mov     x6, x21
-        // Penultimate ciphertext block produces final plaintext part-block
-        // plus remaining part of final ciphertext block. Move plaintext part
-        // to final position and re-use penultimate plaintext block buffer to
-        // construct final ciphertext block
-.Lxts_dec_steal:
-        ldrb    w1, [x21]
-        ldrb    w0, [x20], #1
-        strb    w1, [x21, #0x10]
-        strb    w0, [x21], #1
-
-        subs    x22, x22, #1
-        bhi     .Lxts_dec_steal
-
-        // Finally decrypt the penultimate plaintext block using the
-        // penultimate tweak
-        ldr     q0, [x6]
-        eor     v0.16b, v0.16b, v11.16b
-        str     q0, [sp, #-16]!
-        mov     x0, sp
-        mov     x1, sp
-        mov     x2, x23
-        mov     x21, x6
-
-        bl      AES_decrypt
-
-        trn1    v11.2d, v11.2d, v13.2d
-        ldr     q0, [sp], #16
-        eor     v0.16b, v0.16b, v11.16b
-        str     q0, [x21]
-
-.Lxts_dec_ret:
-
-        movi    v0.16b, #0
-        movi    v1.16b, #0
-.Lxts_dec_bzero: // wipe key schedule
-        stp     q0, q1, [sp], #32
-        cmp     sp, x19
-        bne     .Lxts_dec_bzero
-
-        ldp     x19, x20, [sp, #80]
-        ldp     x21, x22, [sp, #96]
-        ldr     x23, [sp, #112]
-        ldp     d8, d9, [sp, #128]
-        ldp     d10, d11, [sp, #144]
-        ldp     d12, d13, [sp, #160]
-        ldp     d14, d15, [sp, #176]
-        ldp     x29, x30, [sp], #192
-        ret
-.size   ossl_bsaes_xts_decrypt,.-ossl_bsaes_xts_decrypt

+ 0 - 194
libs/openssl/crypto/arm_arch.h

@@ -1,194 +0,0 @@
-/*
- * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_ARM_ARCH_H
-# define OSSL_CRYPTO_ARM_ARCH_H
-
-# if !defined(__ARM_ARCH__)
-#  if defined(__CC_ARM)
-#   define __ARM_ARCH__ __TARGET_ARCH_ARM
-#   if defined(__BIG_ENDIAN)
-#    define __ARMEB__
-#   else
-#    define __ARMEL__
-#   endif
-#  elif defined(__GNUC__)
-#   if   defined(__aarch64__)
-#    define __ARM_ARCH__ 8
-  /*
-   * Why doesn't gcc define __ARM_ARCH__? Instead it defines
-   * bunch of below macros. See all_architectures[] table in
-   * gcc/config/arm/arm.c. On a side note it defines
-   * __ARMEL__/__ARMEB__ for little-/big-endian.
-   */
-#   elif defined(__ARM_ARCH)
-#    define __ARM_ARCH__ __ARM_ARCH
-#   elif defined(__ARM_ARCH_8A__)
-#    define __ARM_ARCH__ 8
-#   elif defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__)     || \
-        defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__)     || \
-        defined(__ARM_ARCH_7EM__)
-#    define __ARM_ARCH__ 7
-#   elif defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__)     || \
-        defined(__ARM_ARCH_6K__)|| defined(__ARM_ARCH_6M__)     || \
-        defined(__ARM_ARCH_6Z__)|| defined(__ARM_ARCH_6ZK__)    || \
-        defined(__ARM_ARCH_6T2__)
-#    define __ARM_ARCH__ 6
-#   elif defined(__ARM_ARCH_5__) || defined(__ARM_ARCH_5T__)     || \
-        defined(__ARM_ARCH_5E__)|| defined(__ARM_ARCH_5TE__)    || \
-        defined(__ARM_ARCH_5TEJ__)
-#    define __ARM_ARCH__ 5
-#   elif defined(__ARM_ARCH_4__) || defined(__ARM_ARCH_4T__)
-#    define __ARM_ARCH__ 4
-#   else
-#    error "unsupported ARM architecture"
-#   endif
-#  endif
-# endif
-
-# if !defined(__ARM_MAX_ARCH__)
-#  define __ARM_MAX_ARCH__ __ARM_ARCH__
-# endif
-
-# if __ARM_MAX_ARCH__<__ARM_ARCH__
-#  error "__ARM_MAX_ARCH__ can't be less than __ARM_ARCH__"
-# elif __ARM_MAX_ARCH__!=__ARM_ARCH__
-#  if __ARM_ARCH__<7 && __ARM_MAX_ARCH__>=7 && defined(__ARMEB__)
-#   error "can't build universal big-endian binary"
-#  endif
-# endif
-
-# ifndef __ASSEMBLER__
-extern unsigned int OPENSSL_armcap_P;
-extern unsigned int OPENSSL_arm_midr;
-extern unsigned int OPENSSL_armv8_rsa_neonized;
-# endif
-
-# define ARMV7_NEON      (1<<0)
-# define ARMV7_TICK      (1<<1)
-# define ARMV8_AES       (1<<2)
-# define ARMV8_SHA1      (1<<3)
-# define ARMV8_SHA256    (1<<4)
-# define ARMV8_PMULL     (1<<5)
-# define ARMV8_SHA512    (1<<6)
-# define ARMV8_CPUID     (1<<7)
-# define ARMV8_RNG       (1<<8)
-# define ARMV8_SM3       (1<<9)
-# define ARMV8_SM4       (1<<10)
-# define ARMV8_SHA3      (1<<11)
-# define ARMV8_UNROLL8_EOR3      (1<<12)
-# define ARMV8_SVE       (1<<13)
-# define ARMV8_SVE2      (1<<14)
-
-/*
- * MIDR_EL1 system register
- *
- * 63___ _ ___32_31___ _ ___24_23_____20_19_____16_15__ _ __4_3_______0
- * |            |             |         |         |          |        |
- * |RES0        | Implementer | Variant | Arch    | PartNum  |Revision|
- * |____ _ _____|_____ _ _____|_________|_______ _|____ _ ___|________|
- *
- */
-
-# define ARM_CPU_IMP_ARM           0x41
-
-# define ARM_CPU_PART_CORTEX_A72   0xD08
-# define ARM_CPU_PART_N1           0xD0C
-# define ARM_CPU_PART_V1           0xD40
-# define ARM_CPU_PART_N2           0xD49
-
-# define MIDR_PARTNUM_SHIFT       4
-# define MIDR_PARTNUM_MASK        (0xfffU << MIDR_PARTNUM_SHIFT)
-# define MIDR_PARTNUM(midr)       \
-           (((midr) & MIDR_PARTNUM_MASK) >> MIDR_PARTNUM_SHIFT)
-
-# define MIDR_IMPLEMENTER_SHIFT   24
-# define MIDR_IMPLEMENTER_MASK    (0xffU << MIDR_IMPLEMENTER_SHIFT)
-# define MIDR_IMPLEMENTER(midr)   \
-           (((midr) & MIDR_IMPLEMENTER_MASK) >> MIDR_IMPLEMENTER_SHIFT)
-
-# define MIDR_ARCHITECTURE_SHIFT  16
-# define MIDR_ARCHITECTURE_MASK   (0xfU << MIDR_ARCHITECTURE_SHIFT)
-# define MIDR_ARCHITECTURE(midr)  \
-           (((midr) & MIDR_ARCHITECTURE_MASK) >> MIDR_ARCHITECTURE_SHIFT)
-
-# define MIDR_CPU_MODEL_MASK \
-           (MIDR_IMPLEMENTER_MASK | \
-            MIDR_PARTNUM_MASK     | \
-            MIDR_ARCHITECTURE_MASK)
-
-# define MIDR_CPU_MODEL(imp, partnum) \
-           (((imp)     << MIDR_IMPLEMENTER_SHIFT)  | \
-            (0xfU      << MIDR_ARCHITECTURE_SHIFT) | \
-            ((partnum) << MIDR_PARTNUM_SHIFT))
-
-# define MIDR_IS_CPU_MODEL(midr, imp, partnum) \
-           (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum))
-
-#if defined(__ASSEMBLER__)
-
-   /*
-    * Support macros for
-    *   - Armv8.3-A Pointer Authentication and
-    *   - Armv8.5-A Branch Target Identification
-    * features which require emitting a .note.gnu.property section with the
-    * appropriate architecture-dependent feature bits set.
-    * Read more: "ELF for the Arm® 64-bit Architecture"
-    */
-
-#  if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
-#   define GNU_PROPERTY_AARCH64_BTI (1 << 0)   /* Has Branch Target Identification */
-#   define AARCH64_VALID_CALL_TARGET hint #34  /* BTI 'c' */
-#  else
-#   define GNU_PROPERTY_AARCH64_BTI 0  /* No Branch Target Identification */
-#   define AARCH64_VALID_CALL_TARGET
-#  endif
-
-#  if defined(__ARM_FEATURE_PAC_DEFAULT) && \
-       (__ARM_FEATURE_PAC_DEFAULT & 1) == 1  /* Signed with A-key */
-#   define GNU_PROPERTY_AARCH64_POINTER_AUTH \
-     (1 << 1)                                       /* Has Pointer Authentication */
-#   define AARCH64_SIGN_LINK_REGISTER hint #25      /* PACIASP */
-#   define AARCH64_VALIDATE_LINK_REGISTER hint #29  /* AUTIASP */
-#  elif defined(__ARM_FEATURE_PAC_DEFAULT) && \
-       (__ARM_FEATURE_PAC_DEFAULT & 2) == 2  /* Signed with B-key */
-#   define GNU_PROPERTY_AARCH64_POINTER_AUTH \
-     (1 << 1)                                       /* Has Pointer Authentication */
-#   define AARCH64_SIGN_LINK_REGISTER hint #27      /* PACIBSP */
-#   define AARCH64_VALIDATE_LINK_REGISTER hint #31  /* AUTIBSP */
-#  else
-#   define GNU_PROPERTY_AARCH64_POINTER_AUTH 0  /* No Pointer Authentication */
-#   if GNU_PROPERTY_AARCH64_BTI != 0
-#    define AARCH64_SIGN_LINK_REGISTER AARCH64_VALID_CALL_TARGET
-#   else
-#    define AARCH64_SIGN_LINK_REGISTER
-#   endif
-#   define AARCH64_VALIDATE_LINK_REGISTER
-#  endif
-
-#  if GNU_PROPERTY_AARCH64_POINTER_AUTH != 0 || GNU_PROPERTY_AARCH64_BTI != 0
-    .pushsection .note.gnu.property, "a";
-    .balign 8;
-    .long 4;
-    .long 0x10;
-    .long 0x5;
-    .asciz "GNU";
-    .long 0xc0000000; /* GNU_PROPERTY_AARCH64_FEATURE_1_AND */
-    .long 4;
-    .long (GNU_PROPERTY_AARCH64_POINTER_AUTH | GNU_PROPERTY_AARCH64_BTI);
-    .long 0;
-    .popsection;
-#  endif
-
-# endif  /* defined __ASSEMBLER__ */
-
-# define IS_CPU_SUPPORT_UNROLL8_EOR3() \
-           (OPENSSL_armcap_P & ARMV8_UNROLL8_EOR3)
-
-#endif

+ 0 - 65
libs/openssl/crypto/asn1/d2i_param.c

@@ -1,65 +0,0 @@
-/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/evp.h>
-#include <openssl/asn1.h>
-#include "internal/asn1.h"
-#include "crypto/asn1.h"
-#include "crypto/evp.h"
-
-EVP_PKEY *d2i_KeyParams(int type, EVP_PKEY **a, const unsigned char **pp,
-                        long length)
-{
-    EVP_PKEY *ret = NULL;
-
-    if ((a == NULL) || (*a == NULL)) {
-        if ((ret = EVP_PKEY_new()) == NULL)
-            return NULL;
-    } else
-        ret = *a;
-
-    if (type != EVP_PKEY_get_id(ret) && !EVP_PKEY_set_type(ret, type))
-        goto err;
-
-    if (ret->ameth == NULL || ret->ameth->param_decode == NULL) {
-        ERR_raise(ERR_LIB_ASN1, ASN1_R_UNSUPPORTED_TYPE);
-        goto err;
-    }
-
-    if (!ret->ameth->param_decode(ret, pp, length))
-        goto err;
-
-    if (a != NULL)
-        (*a) = ret;
-    return ret;
-err:
-    if (a == NULL || *a != ret)
-        EVP_PKEY_free(ret);
-    return NULL;
-}
-
-EVP_PKEY *d2i_KeyParams_bio(int type, EVP_PKEY **a, BIO *in)
-{
-    BUF_MEM *b = NULL;
-    const unsigned char *p;
-    void *ret = NULL;
-    int len;
-
-    len = asn1_d2i_read_bio(in, &b);
-    if (len < 0)
-        goto err;
-
-    p = (unsigned char *)b->data;
-    ret = d2i_KeyParams(type, a, &p, len);
-err:
-    BUF_MEM_free(b);
-    return ret;
-}

+ 36 - 0
libs/openssl/crypto/bf/asm/bf_586.asm

@@ -1,3 +1,4 @@
+
 %ifidn __OUTPUT_FORMAT__,obj
 section	code	use32 class=code align=256
 %elifidn __OUTPUT_FORMAT__,win32
@@ -781,21 +782,56 @@ L$004PIC_point:
 	xor	edx,edx
 	jmp	ebp
 L$006ej7:
+	
+
+
+
+
 	mov	dh,BYTE [6+esi]
 	shl	edx,8
 L$007ej6:
+	
+
+
+
+
 	mov	dh,BYTE [5+esi]
 L$008ej5:
+	
+
+
+
+
 	mov	dl,BYTE [4+esi]
 L$009ej4:
+	
+
+
+
+
 	mov	ecx,DWORD [esi]
 	jmp	NEAR L$010ejend
 L$011ej3:
+	
+
+
+
+
 	mov	ch,BYTE [2+esi]
 	shl	ecx,8
 L$012ej2:
+	
+
+
+
+
 	mov	ch,BYTE [1+esi]
 L$013ej1:
+	
+
+
+
+
 	mov	cl,BYTE [esi]
 L$010ejend:
 	xor	eax,ecx

+ 207 - 0
libs/openssl/crypto/bio/bf_prefix.c

@@ -0,0 +1,207 @@
+/*
+ * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include "bio_local.h"
+
+static int prefix_write(BIO *b, const char *out, size_t outl,
+                        size_t *numwritten);
+static int prefix_read(BIO *b, char *buf, size_t size, size_t *numread);
+static int prefix_puts(BIO *b, const char *str);
+static int prefix_gets(BIO *b, char *str, int size);
+static long prefix_ctrl(BIO *b, int cmd, long arg1, void *arg2);
+static int prefix_create(BIO *b);
+static int prefix_destroy(BIO *b);
+static long prefix_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp);
+
+static const BIO_METHOD prefix_meth = {
+    BIO_TYPE_BUFFER,
+    "prefix",
+    prefix_write,
+    NULL,
+    prefix_read,
+    NULL,
+    prefix_puts,
+    prefix_gets,
+    prefix_ctrl,
+    prefix_create,
+    prefix_destroy,
+    prefix_callback_ctrl,
+};
+
+const BIO_METHOD *BIO_f_prefix(void)
+{
+    return &prefix_meth;
+}
+
+typedef struct prefix_ctx_st {
+    char *prefix;              /* Text prefix, given by user */
+    unsigned int indent;       /* Indentation amount, given by user */
+
+    int linestart;             /* flag to indicate we're at the line start */
+} PREFIX_CTX;
+
+static int prefix_create(BIO *b)
+{
+    PREFIX_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
+
+    if (ctx == NULL)
+        return 0;
+
+    ctx->prefix = NULL;
+    ctx->indent = 0;
+    ctx->linestart = 1;
+    BIO_set_data(b, ctx);
+    BIO_set_init(b, 1);
+    return 1;
+}
+
+static int prefix_destroy(BIO *b)
+{
+    PREFIX_CTX *ctx = BIO_get_data(b);
+
+    OPENSSL_free(ctx->prefix);
+    OPENSSL_free(ctx);
+    return 1;
+}
+
+static int prefix_read(BIO *b, char *in, size_t size, size_t *numread)
+{
+    return BIO_read_ex(BIO_next(b), in, size, numread);
+}
+
+static int prefix_write(BIO *b, const char *out, size_t outl,
+                        size_t *numwritten)
+{
+    PREFIX_CTX *ctx = BIO_get_data(b);
+
+    if (ctx == NULL)
+        return 0;
+
+    /*
+     * If no prefix is set or if it's empty, and no indentation amount is set,
+     * we've got nothing to do here
+     */
+    if ((ctx->prefix == NULL || *ctx->prefix == '\0')
+        && ctx->indent == 0) {
+        /*
+         * We do note if what comes next will be a new line, though, so we're
+         * prepared to handle prefix and indentation the next time around.
+         */
+        if (outl > 0)
+            ctx->linestart = (out[outl-1] == '\n');
+        return BIO_write_ex(BIO_next(b), out, outl, numwritten);
+    }
+
+    *numwritten = 0;
+
+    while (outl > 0) {
+        size_t i;
+        char c;
+
+        /*
+         * If we know that we're at the start of the line, output prefix and
+         * indentation.
+         */
+        if (ctx->linestart) {
+            size_t dontcare;
+
+            if (ctx->prefix != NULL
+                && !BIO_write_ex(BIO_next(b), ctx->prefix, strlen(ctx->prefix),
+                                 &dontcare))
+                return 0;
+            BIO_printf(BIO_next(b), "%*s", ctx->indent, "");
+            ctx->linestart = 0;
+        }
+
+        /* Now, go look for the next LF, or the end of the string */
+        for (i = 0, c = '\0'; i < outl && (c = out[i]) != '\n'; i++)
+            continue;
+        if (c == '\n')
+            i++;
+
+        /* Output what we found so far */
+        while (i > 0) {
+            size_t num = 0;
+
+            if (!BIO_write_ex(BIO_next(b), out, i, &num))
+                return 0;
+            out += num;
+            outl -= num;
+            *numwritten += num;
+            i -= num;
+        }
+
+        /* If we found a LF, what follows is a new line, so take note */
+        if (c == '\n')
+            ctx->linestart = 1;
+    }
+
+    return 1;
+}
+
+static long prefix_ctrl(BIO *b, int cmd, long num, void *ptr)
+{
+    long ret = 0;
+    PREFIX_CTX *ctx;
+
+    if (b == NULL || (ctx = BIO_get_data(b)) == NULL)
+        return -1;
+
+    switch (cmd) {
+    case BIO_CTRL_SET_PREFIX:
+        OPENSSL_free(ctx->prefix);
+        if (ptr == NULL) {
+            ctx->prefix = NULL;
+            ret = 1;
+        } else {
+            ctx->prefix = OPENSSL_strdup((const char *)ptr);
+            ret = ctx->prefix != NULL;
+        }
+        break;
+    case BIO_CTRL_SET_INDENT:
+        if (num >= 0) {
+            ctx->indent = (unsigned int)num;
+            ret = 1;
+        }
+        break;
+    case BIO_CTRL_GET_INDENT:
+        ret = (long)ctx->indent;
+        break;
+    default:
+        /* Commands that we intercept before passing them along */
+        switch (cmd) {
+        case BIO_C_FILE_SEEK:
+        case BIO_CTRL_RESET:
+            ctx->linestart = 1;
+            break;
+        }
+        if (BIO_next(b) != NULL)
+            ret = BIO_ctrl(BIO_next(b), cmd, num, ptr);
+        break;
+    }
+    return ret;
+}
+
+static long prefix_callback_ctrl(BIO *b, int cmd, BIO_info_cb *fp)
+{
+    return BIO_callback_ctrl(BIO_next(b), cmd, fp);
+}
+
+static int prefix_gets(BIO *b, char *buf, int size)
+{
+    return BIO_gets(BIO_next(b), buf, size);
+}
+
+static int prefix_puts(BIO *b, const char *str)
+{
+    return BIO_write(b, str, strlen(str));
+}

+ 0 - 744
libs/openssl/crypto/bn/asm/rsaz-2k-avx512.pl

@@ -1,744 +0,0 @@
-# Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
-# Copyright (c) 2020, Intel Corporation. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-#
-# Originally written by Sergey Kirillov and Andrey Matyukov.
-# Special thanks to Ilya Albrekht for his valuable hints.
-# Intel Corporation
-#
-# December 2020
-#
-# Initial release.
-#
-# Implementation utilizes 256-bit (ymm) registers to avoid frequency scaling issues.
-#
-# IceLake-Client @ 1.3GHz
-# |---------+----------------------+--------------+-------------|
-# |         | OpenSSL 3.0.0-alpha9 | this         | Unit        |
-# |---------+----------------------+--------------+-------------|
-# | rsa2048 | 2 127 659            | 1 015 625    | cycles/sign |
-# |         | 611                  | 1280 / +109% | sign/s      |
-# |---------+----------------------+--------------+-------------|
-#
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-$avx512ifma=0;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-
-if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-        =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-    $avx512ifma = ($1>=2.26);
-}
-
-if (!$avx512 && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
-       `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) {
-    $avx512ifma = ($1==2.11 && $2>=8) + ($1>=2.12);
-}
-
-if (!$avx512 && `$ENV{CC} -v 2>&1`
-    =~ /(Apple)?\s*((?:clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)\.([0-9]+)?/) {
-    my $ver = $3 + $4/100.0 + $5/10000.0; # 3.1.0->3.01, 3.10.1->3.1001
-    if ($1) {
-        # Apple conditions, they use a different version series, see
-        # https://en.wikipedia.org/wiki/Xcode#Xcode_7.0_-_10.x_(since_Free_On-Device_Development)_2
-        # clang 7.0.0 is Apple clang 10.0.1
-        $avx512ifma = ($ver>=10.0001)
-    } else {
-        $avx512ifma = ($3>=7.0);
-    }
-}
-
-open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""
-    or die "can't call $xlate: $!";
-*STDOUT=*OUT;
-
-if ($avx512ifma>0) {{{
-@_6_args_universal_ABI = ("%rdi","%rsi","%rdx","%rcx","%r8","%r9");
-
-$code.=<<___;
-.extern OPENSSL_ia32cap_P
-.globl  ossl_rsaz_avx512ifma_eligible
-.type   ossl_rsaz_avx512ifma_eligible,\@abi-omnipotent
-.align  32
-ossl_rsaz_avx512ifma_eligible:
-    mov OPENSSL_ia32cap_P+8(%rip), %ecx
-    xor %eax,%eax
-    and \$`1<<31|1<<21|1<<17|1<<16`, %ecx     # avx512vl + avx512ifma + avx512dq + avx512f
-    cmp \$`1<<31|1<<21|1<<17|1<<16`, %ecx
-    cmove %ecx,%eax
-    ret
-.size   ossl_rsaz_avx512ifma_eligible, .-ossl_rsaz_avx512ifma_eligible
-___
-
-###############################################################################
-# Almost Montgomery Multiplication (AMM) for 20-digit number in radix 2^52.
-#
-# AMM is defined as presented in the paper [1].
-#
-# The input and output are presented in 2^52 radix domain, i.e.
-#   |res|, |a|, |b|, |m| are arrays of 20 64-bit qwords with 12 high bits zeroed.
-#   |k0| is a Montgomery coefficient, which is here k0 = -1/m mod 2^64
-#
-# NB: the AMM implementation does not perform "conditional" subtraction step
-# specified in the original algorithm as according to the Lemma 1 from the paper
-# [2], the result will be always < 2*m and can be used as a direct input to
-# the next AMM iteration.  This post-condition is true, provided the correct
-# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e.  s >= n + 2 * k,
-# which matches our case: 1040 > 1024 + 2 * 1.
-#
-# [1] Gueron, S. Efficient software implementations of modular exponentiation.
-#     DOI: 10.1007/s13389-012-0031-5
-# [2] Gueron, S. Enhanced Montgomery Multiplication.
-#     DOI: 10.1007/3-540-36400-5_5
-#
-# void ossl_rsaz_amm52x20_x1_ifma256(BN_ULONG *res,
-#                                    const BN_ULONG *a,
-#                                    const BN_ULONG *b,
-#                                    const BN_ULONG *m,
-#                                    BN_ULONG k0);
-###############################################################################
-{
-# input parameters ("%rdi","%rsi","%rdx","%rcx","%r8")
-my ($res,$a,$b,$m,$k0) = @_6_args_universal_ABI;
-
-my $mask52     = "%rax";
-my $acc0_0     = "%r9";
-my $acc0_0_low = "%r9d";
-my $acc0_1     = "%r15";
-my $acc0_1_low = "%r15d";
-my $b_ptr      = "%r11";
-
-my $iter = "%ebx";
-
-my $zero = "%ymm0";
-my $Bi   = "%ymm1";
-my $Yi   = "%ymm2";
-my ($R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0) = ("%ymm3",map("%ymm$_",(16..19)));
-my ($R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1) = ("%ymm4",map("%ymm$_",(20..23)));
-
-# Registers mapping for normalization.
-my ($T0,$T0h,$T1,$T1h,$T2) = ("$zero", "$Bi", "$Yi", map("%ymm$_", (25..26)));
-
-sub amm52x20_x1() {
-# _data_offset - offset in the |a| or |m| arrays pointing to the beginning
-#                of data for corresponding AMM operation;
-# _b_offset    - offset in the |b| array pointing to the next qword digit;
-my ($_data_offset,$_b_offset,$_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_k0) = @_;
-my $_R0_xmm = $_R0;
-$_R0_xmm =~ s/%y/%x/;
-$code.=<<___;
-    movq    $_b_offset($b_ptr), %r13             # b[i]
-
-    vpbroadcastq    %r13, $Bi                    # broadcast b[i]
-    movq    $_data_offset($a), %rdx
-    mulx    %r13, %r13, %r12                     # a[0]*b[i] = (t0,t2)
-    addq    %r13, $_acc                          # acc += t0
-    movq    %r12, %r10
-    adcq    \$0, %r10                            # t2 += CF
-
-    movq    $_k0, %r13
-    imulq   $_acc, %r13                          # acc * k0
-    andq    $mask52, %r13                        # yi = (acc * k0) & mask52
-
-    vpbroadcastq    %r13, $Yi                    # broadcast y[i]
-    movq    $_data_offset($m), %rdx
-    mulx    %r13, %r13, %r12                     # yi * m[0] = (t0,t1)
-    addq    %r13, $_acc                          # acc += t0
-    adcq    %r12, %r10                           # t2 += (t1 + CF)
-
-    shrq    \$52, $_acc
-    salq    \$12, %r10
-    or      %r10, $_acc                          # acc = ((acc >> 52) | (t2 << 12))
-
-    vpmadd52luq `$_data_offset+64*0`($a), $Bi, $_R0
-    vpmadd52luq `$_data_offset+64*0+32`($a), $Bi, $_R0h
-    vpmadd52luq `$_data_offset+64*1`($a), $Bi, $_R1
-    vpmadd52luq `$_data_offset+64*1+32`($a), $Bi, $_R1h
-    vpmadd52luq `$_data_offset+64*2`($a), $Bi, $_R2
-
-    vpmadd52luq `$_data_offset+64*0`($m), $Yi, $_R0
-    vpmadd52luq `$_data_offset+64*0+32`($m), $Yi, $_R0h
-    vpmadd52luq `$_data_offset+64*1`($m), $Yi, $_R1
-    vpmadd52luq `$_data_offset+64*1+32`($m), $Yi, $_R1h
-    vpmadd52luq `$_data_offset+64*2`($m), $Yi, $_R2
-
-    # Shift accumulators right by 1 qword, zero extending the highest one
-    valignq     \$1, $_R0, $_R0h, $_R0
-    valignq     \$1, $_R0h, $_R1, $_R0h
-    valignq     \$1, $_R1, $_R1h, $_R1
-    valignq     \$1, $_R1h, $_R2, $_R1h
-    valignq     \$1, $_R2, $zero, $_R2
-
-    vmovq   $_R0_xmm, %r13
-    addq    %r13, $_acc    # acc += R0[0]
-
-    vpmadd52huq `$_data_offset+64*0`($a), $Bi, $_R0
-    vpmadd52huq `$_data_offset+64*0+32`($a), $Bi, $_R0h
-    vpmadd52huq `$_data_offset+64*1`($a), $Bi, $_R1
-    vpmadd52huq `$_data_offset+64*1+32`($a), $Bi, $_R1h
-    vpmadd52huq `$_data_offset+64*2`($a), $Bi, $_R2
-
-    vpmadd52huq `$_data_offset+64*0`($m), $Yi, $_R0
-    vpmadd52huq `$_data_offset+64*0+32`($m), $Yi, $_R0h
-    vpmadd52huq `$_data_offset+64*1`($m), $Yi, $_R1
-    vpmadd52huq `$_data_offset+64*1+32`($m), $Yi, $_R1h
-    vpmadd52huq `$_data_offset+64*2`($m), $Yi, $_R2
-___
-}
-
-# Normalization routine: handles carry bits and gets bignum qwords to normalized
-# 2^52 representation.
-#
-# Uses %r8-14,%e[bcd]x
-sub amm52x20_x1_norm {
-my ($_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2) = @_;
-$code.=<<___;
-    # Put accumulator to low qword in R0
-    vpbroadcastq    $_acc, $T0
-    vpblendd \$3, $T0, $_R0, $_R0
-
-    # Extract "carries" (12 high bits) from each QW of R0..R2
-    # Save them to LSB of QWs in T0..T2
-    vpsrlq    \$52, $_R0,   $T0
-    vpsrlq    \$52, $_R0h,  $T0h
-    vpsrlq    \$52, $_R1,   $T1
-    vpsrlq    \$52, $_R1h,  $T1h
-    vpsrlq    \$52, $_R2,   $T2
-
-    # "Shift left" T0..T2 by 1 QW
-    valignq \$3, $T1h,  $T2,  $T2
-    valignq \$3, $T1,   $T1h, $T1h
-    valignq \$3, $T0h,  $T1,  $T1
-    valignq \$3, $T0,   $T0h, $T0h
-    valignq \$3, .Lzeros(%rip), $T0,  $T0
-
-    # Drop "carries" from R0..R2 QWs
-    vpandq    .Lmask52x4(%rip), $_R0,  $_R0
-    vpandq    .Lmask52x4(%rip), $_R0h, $_R0h
-    vpandq    .Lmask52x4(%rip), $_R1,  $_R1
-    vpandq    .Lmask52x4(%rip), $_R1h, $_R1h
-    vpandq    .Lmask52x4(%rip), $_R2,  $_R2
-
-    # Sum R0..R2 with corresponding adjusted carries
-    vpaddq  $T0,  $_R0,  $_R0
-    vpaddq  $T0h, $_R0h, $_R0h
-    vpaddq  $T1,  $_R1,  $_R1
-    vpaddq  $T1h, $_R1h, $_R1h
-    vpaddq  $T2,  $_R2,  $_R2
-
-    # Now handle carry bits from this addition
-    # Get mask of QWs which 52-bit parts overflow...
-    vpcmpuq   \$6, .Lmask52x4(%rip), $_R0,  %k1 # OP=nle (i.e. gt)
-    vpcmpuq   \$6, .Lmask52x4(%rip), $_R0h, %k2
-    vpcmpuq   \$6, .Lmask52x4(%rip), $_R1,  %k3
-    vpcmpuq   \$6, .Lmask52x4(%rip), $_R1h, %k4
-    vpcmpuq   \$6, .Lmask52x4(%rip), $_R2,  %k5
-    kmovb   %k1, %r14d                   # k1
-    kmovb   %k2, %r13d                   # k1h
-    kmovb   %k3, %r12d                   # k2
-    kmovb   %k4, %r11d                   # k2h
-    kmovb   %k5, %r10d                   # k3
-
-    # ...or saturated
-    vpcmpuq   \$0, .Lmask52x4(%rip), $_R0,  %k1 # OP=eq
-    vpcmpuq   \$0, .Lmask52x4(%rip), $_R0h, %k2
-    vpcmpuq   \$0, .Lmask52x4(%rip), $_R1,  %k3
-    vpcmpuq   \$0, .Lmask52x4(%rip), $_R1h, %k4
-    vpcmpuq   \$0, .Lmask52x4(%rip), $_R2,  %k5
-    kmovb   %k1, %r9d                    # k4
-    kmovb   %k2, %r8d                    # k4h
-    kmovb   %k3, %ebx                    # k5
-    kmovb   %k4, %ecx                    # k5h
-    kmovb   %k5, %edx                    # k6
-
-    # Get mask of QWs where carries shall be propagated to.
-    # Merge 4-bit masks to 8-bit values to use add with carry.
-    shl   \$4, %r13b
-    or    %r13b, %r14b
-    shl   \$4, %r11b
-    or    %r11b, %r12b
-
-    add   %r14b, %r14b
-    adc   %r12b, %r12b
-    adc   %r10b, %r10b
-
-    shl   \$4, %r8b
-    or    %r8b,%r9b
-    shl   \$4, %cl
-    or    %cl, %bl
-
-    add   %r9b, %r14b
-    adc   %bl, %r12b
-    adc   %dl, %r10b
-
-    xor   %r9b, %r14b
-    xor   %bl, %r12b
-    xor   %dl, %r10b
-
-    kmovb   %r14d, %k1
-    shr     \$4, %r14b
-    kmovb   %r14d, %k2
-    kmovb   %r12d, %k3
-    shr     \$4, %r12b
-    kmovb   %r12d, %k4
-    kmovb   %r10d, %k5
-
-    # Add carries according to the obtained mask
-    vpsubq  .Lmask52x4(%rip), $_R0,  ${_R0}{%k1}
-    vpsubq  .Lmask52x4(%rip), $_R0h, ${_R0h}{%k2}
-    vpsubq  .Lmask52x4(%rip), $_R1,  ${_R1}{%k3}
-    vpsubq  .Lmask52x4(%rip), $_R1h, ${_R1h}{%k4}
-    vpsubq  .Lmask52x4(%rip), $_R2,  ${_R2}{%k5}
-
-    vpandq   .Lmask52x4(%rip), $_R0,  $_R0
-    vpandq   .Lmask52x4(%rip), $_R0h, $_R0h
-    vpandq   .Lmask52x4(%rip), $_R1,  $_R1
-    vpandq   .Lmask52x4(%rip), $_R1h, $_R1h
-    vpandq   .Lmask52x4(%rip), $_R2,  $_R2
-___
-}
-
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x20_x1_ifma256
-.type   ossl_rsaz_amm52x20_x1_ifma256,\@function,5
-.align 32
-ossl_rsaz_amm52x20_x1_ifma256:
-.cfi_startproc
-    endbranch
-    push    %rbx
-.cfi_push   %rbx
-    push    %rbp
-.cfi_push   %rbp
-    push    %r12
-.cfi_push   %r12
-    push    %r13
-.cfi_push   %r13
-    push    %r14
-.cfi_push   %r14
-    push    %r15
-.cfi_push   %r15
-.Lossl_rsaz_amm52x20_x1_ifma256_body:
-
-    # Zeroing accumulators
-    vpxord   $zero, $zero, $zero
-    vmovdqa64   $zero, $R0_0
-    vmovdqa64   $zero, $R0_0h
-    vmovdqa64   $zero, $R1_0
-    vmovdqa64   $zero, $R1_0h
-    vmovdqa64   $zero, $R2_0
-
-    xorl    $acc0_0_low, $acc0_0_low
-
-    movq    $b, $b_ptr                       # backup address of b
-    movq    \$0xfffffffffffff, $mask52       # 52-bit mask
-
-    # Loop over 20 digits unrolled by 4
-    mov     \$5, $iter
-
-.align 32
-.Lloop5:
-___
-    foreach my $idx (0..3) {
-        &amm52x20_x1(0,8*$idx,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$k0);
-    }
-$code.=<<___;
-    lea    `4*8`($b_ptr), $b_ptr
-    dec    $iter
-    jne    .Lloop5
-___
-    &amm52x20_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0);
-$code.=<<___;
-
-    vmovdqu64   $R0_0,  `0*32`($res)
-    vmovdqu64   $R0_0h, `1*32`($res)
-    vmovdqu64   $R1_0,  `2*32`($res)
-    vmovdqu64   $R1_0h, `3*32`($res)
-    vmovdqu64   $R2_0,  `4*32`($res)
-
-    vzeroupper
-    mov  0(%rsp),%r15
-.cfi_restore    %r15
-    mov  8(%rsp),%r14
-.cfi_restore    %r14
-    mov  16(%rsp),%r13
-.cfi_restore    %r13
-    mov  24(%rsp),%r12
-.cfi_restore    %r12
-    mov  32(%rsp),%rbp
-.cfi_restore    %rbp
-    mov  40(%rsp),%rbx
-.cfi_restore    %rbx
-    lea  48(%rsp),%rsp
-.cfi_adjust_cfa_offset  -48
-.Lossl_rsaz_amm52x20_x1_ifma256_epilogue:
-    ret
-.cfi_endproc
-.size   ossl_rsaz_amm52x20_x1_ifma256, .-ossl_rsaz_amm52x20_x1_ifma256
-___
-
-$code.=<<___;
-.data
-.align 32
-.Lmask52x4:
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-___
-
-###############################################################################
-# Dual Almost Montgomery Multiplication for 20-digit number in radix 2^52
-#
-# See description of ossl_rsaz_amm52x20_x1_ifma256() above for details about Almost
-# Montgomery Multiplication algorithm and function input parameters description.
-#
-# This function does two AMMs for two independent inputs, hence dual.
-#
-# void ossl_rsaz_amm52x20_x2_ifma256(BN_ULONG out[2][20],
-#                                    const BN_ULONG a[2][20],
-#                                    const BN_ULONG b[2][20],
-#                                    const BN_ULONG m[2][20],
-#                                    const BN_ULONG k0[2]);
-###############################################################################
-
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x20_x2_ifma256
-.type   ossl_rsaz_amm52x20_x2_ifma256,\@function,5
-.align 32
-ossl_rsaz_amm52x20_x2_ifma256:
-.cfi_startproc
-    endbranch
-    push    %rbx
-.cfi_push   %rbx
-    push    %rbp
-.cfi_push   %rbp
-    push    %r12
-.cfi_push   %r12
-    push    %r13
-.cfi_push   %r13
-    push    %r14
-.cfi_push   %r14
-    push    %r15
-.cfi_push   %r15
-.Lossl_rsaz_amm52x20_x2_ifma256_body:
-
-    # Zeroing accumulators
-    vpxord   $zero, $zero, $zero
-    vmovdqa64   $zero, $R0_0
-    vmovdqa64   $zero, $R0_0h
-    vmovdqa64   $zero, $R1_0
-    vmovdqa64   $zero, $R1_0h
-    vmovdqa64   $zero, $R2_0
-    vmovdqa64   $zero, $R0_1
-    vmovdqa64   $zero, $R0_1h
-    vmovdqa64   $zero, $R1_1
-    vmovdqa64   $zero, $R1_1h
-    vmovdqa64   $zero, $R2_1
-
-    xorl    $acc0_0_low, $acc0_0_low
-    xorl    $acc0_1_low, $acc0_1_low
-
-    movq    $b, $b_ptr                       # backup address of b
-    movq    \$0xfffffffffffff, $mask52       # 52-bit mask
-
-    mov    \$20, $iter
-
-.align 32
-.Lloop20:
-___
-    &amm52x20_x1(   0,   0,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,"($k0)");
-    # 20*8 = offset of the next dimension in two-dimension array
-    &amm52x20_x1(20*8,20*8,$acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,"8($k0)");
-$code.=<<___;
-    lea    8($b_ptr), $b_ptr
-    dec    $iter
-    jne    .Lloop20
-___
-    &amm52x20_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0);
-    &amm52x20_x1_norm($acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1);
-$code.=<<___;
-
-    vmovdqu64   $R0_0,  `0*32`($res)
-    vmovdqu64   $R0_0h, `1*32`($res)
-    vmovdqu64   $R1_0,  `2*32`($res)
-    vmovdqu64   $R1_0h, `3*32`($res)
-    vmovdqu64   $R2_0,  `4*32`($res)
-
-    vmovdqu64   $R0_1,  `5*32`($res)
-    vmovdqu64   $R0_1h, `6*32`($res)
-    vmovdqu64   $R1_1,  `7*32`($res)
-    vmovdqu64   $R1_1h, `8*32`($res)
-    vmovdqu64   $R2_1,  `9*32`($res)
-
-    vzeroupper
-    mov  0(%rsp),%r15
-.cfi_restore    %r15
-    mov  8(%rsp),%r14
-.cfi_restore    %r14
-    mov  16(%rsp),%r13
-.cfi_restore    %r13
-    mov  24(%rsp),%r12
-.cfi_restore    %r12
-    mov  32(%rsp),%rbp
-.cfi_restore    %rbp
-    mov  40(%rsp),%rbx
-.cfi_restore    %rbx
-    lea  48(%rsp),%rsp
-.cfi_adjust_cfa_offset  -48
-.Lossl_rsaz_amm52x20_x2_ifma256_epilogue:
-    ret
-.cfi_endproc
-.size   ossl_rsaz_amm52x20_x2_ifma256, .-ossl_rsaz_amm52x20_x2_ifma256
-___
-}
-
-###############################################################################
-# Constant time extraction from the precomputed table of powers base^i, where
-#    i = 0..2^EXP_WIN_SIZE-1
-#
-# The input |red_table| contains precomputations for two independent base values.
-# |red_table_idx1| and |red_table_idx2| are corresponding power indexes.
-#
-# Extracted value (output) is 2 20 digit numbers in 2^52 radix.
-#
-# void ossl_extract_multiplier_2x20_win5(BN_ULONG *red_Y,
-#                                        const BN_ULONG red_table[1 << EXP_WIN_SIZE][2][20],
-#                                        int red_table_idx1, int red_table_idx2);
-#
-# EXP_WIN_SIZE = 5
-###############################################################################
-{
-# input parameters
-my ($out,$red_tbl,$red_tbl_idx1,$red_tbl_idx2)=$win64 ? ("%rcx","%rdx","%r8", "%r9") :  # Win64 order
-                                                        ("%rdi","%rsi","%rdx","%rcx");  # Unix order
-
-my ($t0,$t1,$t2,$t3,$t4,$t5) = map("%ymm$_", (0..5));
-my ($t6,$t7,$t8,$t9) = map("%ymm$_", (16..19));
-my ($tmp,$cur_idx,$idx1,$idx2,$ones) = map("%ymm$_", (20..24));
-
-my @t = ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9);
-my $t0xmm = $t0;
-$t0xmm =~ s/%y/%x/;
-
-$code.=<<___;
-.text
-
-.align 32
-.globl  ossl_extract_multiplier_2x20_win5
-.type   ossl_extract_multiplier_2x20_win5,\@abi-omnipotent
-ossl_extract_multiplier_2x20_win5:
-.cfi_startproc
-    endbranch
-    vmovdqa64   .Lones(%rip), $ones         # broadcast ones
-    vpbroadcastq    $red_tbl_idx1, $idx1
-    vpbroadcastq    $red_tbl_idx2, $idx2
-    leaq   `(1<<5)*2*20*8`($red_tbl), %rax  # holds end of the tbl
-
-    # zeroing t0..n, cur_idx
-    vpxor   $t0xmm, $t0xmm, $t0xmm
-    vmovdqa64   $t0, $cur_idx
-___
-foreach (1..9) {
-    $code.="vmovdqa64   $t0, $t[$_] \n";
-}
-$code.=<<___;
-
-.align 32
-.Lloop:
-    vpcmpq  \$0, $cur_idx, $idx1, %k1      # mask of (idx1 == cur_idx)
-    vpcmpq  \$0, $cur_idx, $idx2, %k2      # mask of (idx2 == cur_idx)
-___
-foreach (0..9) {
-    my $mask = $_<5?"%k1":"%k2";
-$code.=<<___;
-    vmovdqu64  `${_}*32`($red_tbl), $tmp     # load data from red_tbl
-    vpblendmq  $tmp, $t[$_], ${t[$_]}{$mask} # extract data when mask is not zero
-___
-}
-$code.=<<___;
-    vpaddq  $ones, $cur_idx, $cur_idx      # increment cur_idx
-    addq    \$`2*20*8`, $red_tbl
-    cmpq    $red_tbl, %rax
-    jne .Lloop
-___
-# store t0..n
-foreach (0..9) {
-    $code.="vmovdqu64   $t[$_], `${_}*32`($out) \n";
-}
-$code.=<<___;
-    ret
-.cfi_endproc
-.size   ossl_extract_multiplier_2x20_win5, .-ossl_extract_multiplier_2x20_win5
-___
-$code.=<<___;
-.data
-.align 32
-.Lones:
-    .quad   1,1,1,1
-.Lzeros:
-    .quad   0,0,0,0
-___
-}
-
-if ($win64) {
-$rec="%rcx";
-$frame="%rdx";
-$context="%r8";
-$disp="%r9";
-
-$code.=<<___;
-.extern     __imp_RtlVirtualUnwind
-.type   rsaz_def_handler,\@abi-omnipotent
-.align  16
-rsaz_def_handler:
-    push    %rsi
-    push    %rdi
-    push    %rbx
-    push    %rbp
-    push    %r12
-    push    %r13
-    push    %r14
-    push    %r15
-    pushfq
-    sub     \$64,%rsp
-
-    mov     120($context),%rax # pull context->Rax
-    mov     248($context),%rbx # pull context->Rip
-
-    mov     8($disp),%rsi      # disp->ImageBase
-    mov     56($disp),%r11     # disp->HandlerData
-
-    mov     0(%r11),%r10d      # HandlerData[0]
-    lea     (%rsi,%r10),%r10   # prologue label
-    cmp     %r10,%rbx          # context->Rip<.Lprologue
-    jb  .Lcommon_seh_tail
-
-    mov     152($context),%rax # pull context->Rsp
-
-    mov     4(%r11),%r10d      # HandlerData[1]
-    lea     (%rsi,%r10),%r10   # epilogue label
-    cmp     %r10,%rbx          # context->Rip>=.Lepilogue
-    jae     .Lcommon_seh_tail
-
-    lea     48(%rax),%rax
-
-    mov     -8(%rax),%rbx
-    mov     -16(%rax),%rbp
-    mov     -24(%rax),%r12
-    mov     -32(%rax),%r13
-    mov     -40(%rax),%r14
-    mov     -48(%rax),%r15
-    mov     %rbx,144($context) # restore context->Rbx
-    mov     %rbp,160($context) # restore context->Rbp
-    mov     %r12,216($context) # restore context->R12
-    mov     %r13,224($context) # restore context->R13
-    mov     %r14,232($context) # restore context->R14
-    mov     %r15,240($context) # restore context->R14
-
-.Lcommon_seh_tail:
-    mov     8(%rax),%rdi
-    mov     16(%rax),%rsi
-    mov     %rax,152($context) # restore context->Rsp
-    mov     %rsi,168($context) # restore context->Rsi
-    mov     %rdi,176($context) # restore context->Rdi
-
-    mov     40($disp),%rdi     # disp->ContextRecord
-    mov     $context,%rsi      # context
-    mov     \$154,%ecx         # sizeof(CONTEXT)
-    .long   0xa548f3fc         # cld; rep movsq
-
-    mov     $disp,%rsi
-    xor     %rcx,%rcx          # arg1, UNW_FLAG_NHANDLER
-    mov     8(%rsi),%rdx       # arg2, disp->ImageBase
-    mov     0(%rsi),%r8        # arg3, disp->ControlPc
-    mov     16(%rsi),%r9       # arg4, disp->FunctionEntry
-    mov     40(%rsi),%r10      # disp->ContextRecord
-    lea     56(%rsi),%r11      # &disp->HandlerData
-    lea     24(%rsi),%r12      # &disp->EstablisherFrame
-    mov     %r10,32(%rsp)      # arg5
-    mov     %r11,40(%rsp)      # arg6
-    mov     %r12,48(%rsp)      # arg7
-    mov     %rcx,56(%rsp)      # arg8, (NULL)
-    call    *__imp_RtlVirtualUnwind(%rip)
-
-    mov     \$1,%eax           # ExceptionContinueSearch
-    add     \$64,%rsp
-    popfq
-    pop     %r15
-    pop     %r14
-    pop     %r13
-    pop     %r12
-    pop     %rbp
-    pop     %rbx
-    pop     %rdi
-    pop     %rsi
-    ret
-.size   rsaz_def_handler,.-rsaz_def_handler
-
-.section    .pdata
-.align  4
-    .rva    .LSEH_begin_ossl_rsaz_amm52x20_x1_ifma256
-    .rva    .LSEH_end_ossl_rsaz_amm52x20_x1_ifma256
-    .rva    .LSEH_info_ossl_rsaz_amm52x20_x1_ifma256
-
-    .rva    .LSEH_begin_ossl_rsaz_amm52x20_x2_ifma256
-    .rva    .LSEH_end_ossl_rsaz_amm52x20_x2_ifma256
-    .rva    .LSEH_info_ossl_rsaz_amm52x20_x2_ifma256
-
-.section    .xdata
-.align  8
-.LSEH_info_ossl_rsaz_amm52x20_x1_ifma256:
-    .byte   9,0,0,0
-    .rva    rsaz_def_handler
-    .rva    .Lossl_rsaz_amm52x20_x1_ifma256_body,.Lossl_rsaz_amm52x20_x1_ifma256_epilogue
-.LSEH_info_ossl_rsaz_amm52x20_x2_ifma256:
-    .byte   9,0,0,0
-    .rva    rsaz_def_handler
-    .rva    .Lossl_rsaz_amm52x20_x2_ifma256_body,.Lossl_rsaz_amm52x20_x2_ifma256_epilogue
-___
-}
-}}} else {{{                # fallback for old assembler
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_avx512ifma_eligible
-.type   ossl_rsaz_avx512ifma_eligible,\@abi-omnipotent
-ossl_rsaz_avx512ifma_eligible:
-    xor     %eax,%eax
-    ret
-.size   ossl_rsaz_avx512ifma_eligible, .-ossl_rsaz_avx512ifma_eligible
-
-.globl  ossl_rsaz_amm52x20_x1_ifma256
-.globl  ossl_rsaz_amm52x20_x2_ifma256
-.globl  ossl_extract_multiplier_2x20_win5
-.type   ossl_rsaz_amm52x20_x1_ifma256,\@abi-omnipotent
-ossl_rsaz_amm52x20_x1_ifma256:
-ossl_rsaz_amm52x20_x2_ifma256:
-ossl_extract_multiplier_2x20_win5:
-    .byte   0x0f,0x0b    # ud2
-    ret
-.size   ossl_rsaz_amm52x20_x1_ifma256, .-ossl_rsaz_amm52x20_x1_ifma256
-___
-}}}
-
-$code =~ s/\`([^\`]*)\`/eval $1/gem;
-print $code;
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 874
libs/openssl/crypto/bn/asm/rsaz-3k-avx512.pl

@@ -1,874 +0,0 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
-# Copyright (c) 2021, Intel Corporation. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-#
-# Originally written by Sergey Kirillov and Andrey Matyukov
-# Intel Corporation
-#
-# March 2021
-#
-# Initial release.
-#
-# Implementation utilizes 256-bit (ymm) registers to avoid frequency scaling issues.
-#
-# IceLake-Client @ 1.3GHz
-# |---------+-----------------------+---------------+-------------|
-# |         | OpenSSL 3.0.0-alpha15 | this          | Unit        |
-# |---------+-----------------------+---------------+-------------|
-# | rsa3072 | 6 397 637             | 2 866 593     | cycles/sign |
-# |         | 203.2                 | 453.5 / +123% | sign/s      |
-# |---------+-----------------------+---------------+-------------|
-#
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-$avx512ifma=0;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-
-if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-        =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-    $avx512ifma = ($1>=2.26);
-}
-
-if (!$avx512 && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
-       `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) {
-    $avx512ifma = ($1==2.11 && $2>=8) + ($1>=2.12);
-}
-
-if (!$avx512 && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
-    $avx512ifma = ($2>=7.0);
-}
-
-open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""
-    or die "can't call $xlate: $!";
-*STDOUT=*OUT;
-
-if ($avx512ifma>0) {{{
-@_6_args_universal_ABI = ("%rdi","%rsi","%rdx","%rcx","%r8","%r9");
-
-###############################################################################
-# Almost Montgomery Multiplication (AMM) for 30-digit number in radix 2^52.
-#
-# AMM is defined as presented in the paper [1].
-#
-# The input and output are presented in 2^52 radix domain, i.e.
-#   |res|, |a|, |b|, |m| are arrays of 32 64-bit qwords with 12 high bits zeroed
-#
-#   NOTE: the function uses zero-padded data - 2 high QWs is a padding.
-#
-#   |k0| is a Montgomery coefficient, which is here k0 = -1/m mod 2^64
-#
-# NB: the AMM implementation does not perform "conditional" subtraction step
-# specified in the original algorithm as according to the Lemma 1 from the paper
-# [2], the result will be always < 2*m and can be used as a direct input to
-# the next AMM iteration.  This post-condition is true, provided the correct
-# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e.  s >= n + 2 * k,
-# which matches our case: 1560 > 1536 + 2 * 1.
-#
-# [1] Gueron, S. Efficient software implementations of modular exponentiation.
-#     DOI: 10.1007/s13389-012-0031-5
-# [2] Gueron, S. Enhanced Montgomery Multiplication.
-#     DOI: 10.1007/3-540-36400-5_5
-#
-# void ossl_rsaz_amm52x30_x1_ifma256(BN_ULONG *res,
-#                                    const BN_ULONG *a,
-#                                    const BN_ULONG *b,
-#                                    const BN_ULONG *m,
-#                                    BN_ULONG k0);
-###############################################################################
-{
-# input parameters ("%rdi","%rsi","%rdx","%rcx","%r8")
-my ($res,$a,$b,$m,$k0) = @_6_args_universal_ABI;
-
-my $mask52     = "%rax";
-my $acc0_0     = "%r9";
-my $acc0_0_low = "%r9d";
-my $acc0_1     = "%r15";
-my $acc0_1_low = "%r15d";
-my $b_ptr      = "%r11";
-
-my $iter = "%ebx";
-
-my $zero = "%ymm0";
-my $Bi   = "%ymm1";
-my $Yi   = "%ymm2";
-my ($R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h) = map("%ymm$_",(3..10));
-my ($R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h) = map("%ymm$_",(11..18));
-
-# Registers mapping for normalization
-my ($T0,$T0h,$T1,$T1h,$T2,$T2h,$T3,$T3h) = ("$zero", "$Bi", "$Yi", map("%ymm$_", (19..23)));
-
-sub amm52x30_x1() {
-# _data_offset - offset in the |a| or |m| arrays pointing to the beginning
-#                of data for corresponding AMM operation;
-# _b_offset    - offset in the |b| array pointing to the next qword digit;
-my ($_data_offset,$_b_offset,$_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h,$_k0) = @_;
-my $_R0_xmm = $_R0;
-$_R0_xmm =~ s/%y/%x/;
-$code.=<<___;
-    movq    $_b_offset($b_ptr), %r13             # b[i]
-
-    vpbroadcastq    %r13, $Bi                    # broadcast b[i]
-    movq    $_data_offset($a), %rdx
-    mulx    %r13, %r13, %r12                     # a[0]*b[i] = (t0,t2)
-    addq    %r13, $_acc                          # acc += t0
-    movq    %r12, %r10
-    adcq    \$0, %r10                            # t2 += CF
-
-    movq    $_k0, %r13
-    imulq   $_acc, %r13                          # acc * k0
-    andq    $mask52, %r13                        # yi = (acc * k0) & mask52
-
-    vpbroadcastq    %r13, $Yi                    # broadcast y[i]
-    movq    $_data_offset($m), %rdx
-    mulx    %r13, %r13, %r12                     # yi * m[0] = (t0,t1)
-    addq    %r13, $_acc                          # acc += t0
-    adcq    %r12, %r10                           # t2 += (t1 + CF)
-
-    shrq    \$52, $_acc
-    salq    \$12, %r10
-    or      %r10, $_acc                          # acc = ((acc >> 52) | (t2 << 12))
-
-    vpmadd52luq `$_data_offset+64*0`($a), $Bi, $_R0
-    vpmadd52luq `$_data_offset+64*0+32`($a), $Bi, $_R0h
-    vpmadd52luq `$_data_offset+64*1`($a), $Bi, $_R1
-    vpmadd52luq `$_data_offset+64*1+32`($a), $Bi, $_R1h
-    vpmadd52luq `$_data_offset+64*2`($a), $Bi, $_R2
-    vpmadd52luq `$_data_offset+64*2+32`($a), $Bi, $_R2h
-    vpmadd52luq `$_data_offset+64*3`($a), $Bi, $_R3
-    vpmadd52luq `$_data_offset+64*3+32`($a), $Bi, $_R3h
-
-    vpmadd52luq `$_data_offset+64*0`($m), $Yi, $_R0
-    vpmadd52luq `$_data_offset+64*0+32`($m), $Yi, $_R0h
-    vpmadd52luq `$_data_offset+64*1`($m), $Yi, $_R1
-    vpmadd52luq `$_data_offset+64*1+32`($m), $Yi, $_R1h
-    vpmadd52luq `$_data_offset+64*2`($m), $Yi, $_R2
-    vpmadd52luq `$_data_offset+64*2+32`($m), $Yi, $_R2h
-    vpmadd52luq `$_data_offset+64*3`($m), $Yi, $_R3
-    vpmadd52luq `$_data_offset+64*3+32`($m), $Yi, $_R3h
-
-    # Shift accumulators right by 1 qword, zero extending the highest one
-    valignq     \$1, $_R0, $_R0h, $_R0
-    valignq     \$1, $_R0h, $_R1, $_R0h
-    valignq     \$1, $_R1, $_R1h, $_R1
-    valignq     \$1, $_R1h, $_R2, $_R1h
-    valignq     \$1, $_R2, $_R2h, $_R2
-    valignq     \$1, $_R2h, $_R3, $_R2h
-    valignq     \$1, $_R3, $_R3h, $_R3
-    valignq     \$1, $_R3h, $zero, $_R3h
-
-    vmovq   $_R0_xmm, %r13
-    addq    %r13, $_acc    # acc += R0[0]
-
-    vpmadd52huq `$_data_offset+64*0`($a), $Bi, $_R0
-    vpmadd52huq `$_data_offset+64*0+32`($a), $Bi, $_R0h
-    vpmadd52huq `$_data_offset+64*1`($a), $Bi, $_R1
-    vpmadd52huq `$_data_offset+64*1+32`($a), $Bi, $_R1h
-    vpmadd52huq `$_data_offset+64*2`($a), $Bi, $_R2
-    vpmadd52huq `$_data_offset+64*2+32`($a), $Bi, $_R2h
-    vpmadd52huq `$_data_offset+64*3`($a), $Bi, $_R3
-    vpmadd52huq `$_data_offset+64*3+32`($a), $Bi, $_R3h
-
-    vpmadd52huq `$_data_offset+64*0`($m), $Yi, $_R0
-    vpmadd52huq `$_data_offset+64*0+32`($m), $Yi, $_R0h
-    vpmadd52huq `$_data_offset+64*1`($m), $Yi, $_R1
-    vpmadd52huq `$_data_offset+64*1+32`($m), $Yi, $_R1h
-    vpmadd52huq `$_data_offset+64*2`($m), $Yi, $_R2
-    vpmadd52huq `$_data_offset+64*2+32`($m), $Yi, $_R2h
-    vpmadd52huq `$_data_offset+64*3`($m), $Yi, $_R3
-    vpmadd52huq `$_data_offset+64*3+32`($m), $Yi, $_R3h
-___
-}
-
-# Normalization routine: handles carry bits and gets bignum qwords to normalized
-# 2^52 representation.
-#
-# Uses %r8-14,%e[abcd]x
-sub amm52x30_x1_norm {
-my ($_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h) = @_;
-$code.=<<___;
-    # Put accumulator to low qword in R0
-    vpbroadcastq    $_acc, $T0
-    vpblendd \$3, $T0, $_R0, $_R0
-
-    # Extract "carries" (12 high bits) from each QW of the bignum
-    # Save them to LSB of QWs in T0..Tn
-    vpsrlq    \$52, $_R0,   $T0
-    vpsrlq    \$52, $_R0h,  $T0h
-    vpsrlq    \$52, $_R1,   $T1
-    vpsrlq    \$52, $_R1h,  $T1h
-    vpsrlq    \$52, $_R2,   $T2
-    vpsrlq    \$52, $_R2h,  $T2h
-    vpsrlq    \$52, $_R3,   $T3
-    vpsrlq    \$52, $_R3h,  $T3h
-
-    # "Shift left" T0..Tn by 1 QW
-    valignq \$3, $T3,  $T3h,  $T3h
-    valignq \$3, $T2h,  $T3,  $T3
-    valignq \$3, $T2,  $T2h,  $T2h
-    valignq \$3, $T1h,  $T2,  $T2
-    valignq \$3, $T1,   $T1h, $T1h
-    valignq \$3, $T0h,  $T1,  $T1
-    valignq \$3, $T0,   $T0h, $T0h
-    valignq \$3, .Lzeros(%rip), $T0,  $T0
-
-    # Drop "carries" from R0..Rn QWs
-    vpandq    .Lmask52x4(%rip), $_R0,  $_R0
-    vpandq    .Lmask52x4(%rip), $_R0h, $_R0h
-    vpandq    .Lmask52x4(%rip), $_R1,  $_R1
-    vpandq    .Lmask52x4(%rip), $_R1h, $_R1h
-    vpandq    .Lmask52x4(%rip), $_R2,  $_R2
-    vpandq    .Lmask52x4(%rip), $_R2h, $_R2h
-    vpandq    .Lmask52x4(%rip), $_R3,  $_R3
-    vpandq    .Lmask52x4(%rip), $_R3h, $_R3h
-
-    # Sum R0..Rn with corresponding adjusted carries
-    vpaddq  $T0,  $_R0,  $_R0
-    vpaddq  $T0h, $_R0h, $_R0h
-    vpaddq  $T1,  $_R1,  $_R1
-    vpaddq  $T1h, $_R1h, $_R1h
-    vpaddq  $T2,  $_R2,  $_R2
-    vpaddq  $T2h, $_R2h, $_R2h
-    vpaddq  $T3,  $_R3,  $_R3
-    vpaddq  $T3h, $_R3h, $_R3h
-
-    # Now handle carry bits from this addition
-    # Get mask of QWs whose 52-bit parts overflow
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R0},%k1    # OP=nle (i.e. gt)
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R0h},%k2
-    kmovb      %k1,%r14d
-    kmovb      %k2,%r13d
-    shl        \$4,%r13b
-    or         %r13b,%r14b
-
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R1},%k1
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R1h},%k2
-    kmovb      %k1,%r13d
-    kmovb      %k2,%r12d
-    shl        \$4,%r12b
-    or         %r12b,%r13b
-
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R2},%k1
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R2h},%k2
-    kmovb      %k1,%r12d
-    kmovb      %k2,%r11d
-    shl        \$4,%r11b
-    or         %r11b,%r12b
-
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R3},%k1
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R3h},%k2
-    kmovb      %k1,%r11d
-    kmovb      %k2,%r10d
-    shl        \$4,%r10b
-    or         %r10b,%r11b
-
-    addb       %r14b,%r14b
-    adcb       %r13b,%r13b
-    adcb       %r12b,%r12b
-    adcb       %r11b,%r11b
-
-    # Get mask of QWs whose 52-bit parts saturated
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R0},%k1    # OP=eq
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R0h},%k2
-    kmovb      %k1,%r9d
-    kmovb      %k2,%r8d
-    shl        \$4,%r8b
-    or         %r8b,%r9b
-
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R1},%k1
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R1h},%k2
-    kmovb      %k1,%r8d
-    kmovb      %k2,%edx
-    shl        \$4,%dl
-    or         %dl,%r8b
-
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R2},%k1
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R2h},%k2
-    kmovb      %k1,%edx
-    kmovb      %k2,%ecx
-    shl        \$4,%cl
-    or         %cl,%dl
-
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R3},%k1
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R3h},%k2
-    kmovb      %k1,%ecx
-    kmovb      %k2,%ebx
-    shl        \$4,%bl
-    or         %bl,%cl
-
-    addb     %r9b,%r14b
-    adcb     %r8b,%r13b
-    adcb     %dl,%r12b
-    adcb     %cl,%r11b
-
-    xor      %r9b,%r14b
-    xor      %r8b,%r13b
-    xor      %dl,%r12b
-    xor      %cl,%r11b
-
-    kmovb    %r14d,%k1
-    shr      \$4,%r14b
-    kmovb    %r14d,%k2
-    kmovb    %r13d,%k3
-    shr      \$4,%r13b
-    kmovb    %r13d,%k4
-    kmovb    %r12d,%k5
-    shr      \$4,%r12b
-    kmovb    %r12d,%k6
-    kmovb    %r11d,%k7
-
-    vpsubq  .Lmask52x4(%rip), $_R0,  ${_R0}{%k1}
-    vpsubq  .Lmask52x4(%rip), $_R0h, ${_R0h}{%k2}
-    vpsubq  .Lmask52x4(%rip), $_R1,  ${_R1}{%k3}
-    vpsubq  .Lmask52x4(%rip), $_R1h, ${_R1h}{%k4}
-    vpsubq  .Lmask52x4(%rip), $_R2,  ${_R2}{%k5}
-    vpsubq  .Lmask52x4(%rip), $_R2h, ${_R2h}{%k6}
-    vpsubq  .Lmask52x4(%rip), $_R3,  ${_R3}{%k7}
-
-    vpandq  .Lmask52x4(%rip), $_R0,  $_R0
-    vpandq  .Lmask52x4(%rip), $_R0h, $_R0h
-    vpandq  .Lmask52x4(%rip), $_R1,  $_R1
-    vpandq  .Lmask52x4(%rip), $_R1h, $_R1h
-    vpandq  .Lmask52x4(%rip), $_R2,  $_R2
-    vpandq  .Lmask52x4(%rip), $_R2h, $_R2h
-    vpandq  .Lmask52x4(%rip), $_R3,  $_R3
-
-    shr    \$4,%r11b
-    kmovb   %r11d,%k1
-
-    vpsubq  .Lmask52x4(%rip), $_R3h, ${_R3h}{%k1}
-
-    vpandq  .Lmask52x4(%rip), $_R3h, $_R3h
-___
-}
-
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x30_x1_ifma256
-.type   ossl_rsaz_amm52x30_x1_ifma256,\@function,5
-.align 32
-ossl_rsaz_amm52x30_x1_ifma256:
-.cfi_startproc
-    endbranch
-    push    %rbx
-.cfi_push   %rbx
-    push    %rbp
-.cfi_push   %rbp
-    push    %r12
-.cfi_push   %r12
-    push    %r13
-.cfi_push   %r13
-    push    %r14
-.cfi_push   %r14
-    push    %r15
-.cfi_push   %r15
-___
-$code.=<<___ if ($win64);
-    lea     -168(%rsp),%rsp                 # 16*10 + (8 bytes to get correct 16-byte SIMD alignment)
-    vmovdqa64   %xmm6, `0*16`(%rsp)         # save non-volatile registers
-    vmovdqa64   %xmm7, `1*16`(%rsp)
-    vmovdqa64   %xmm8, `2*16`(%rsp)
-    vmovdqa64   %xmm9, `3*16`(%rsp)
-    vmovdqa64   %xmm10,`4*16`(%rsp)
-    vmovdqa64   %xmm11,`5*16`(%rsp)
-    vmovdqa64   %xmm12,`6*16`(%rsp)
-    vmovdqa64   %xmm13,`7*16`(%rsp)
-    vmovdqa64   %xmm14,`8*16`(%rsp)
-    vmovdqa64   %xmm15,`9*16`(%rsp)
-.Lossl_rsaz_amm52x30_x1_ifma256_body:
-___
-$code.=<<___;
-    # Zeroing accumulators
-    vpxord   $zero, $zero, $zero
-    vmovdqa64   $zero, $R0_0
-    vmovdqa64   $zero, $R0_0h
-    vmovdqa64   $zero, $R1_0
-    vmovdqa64   $zero, $R1_0h
-    vmovdqa64   $zero, $R2_0
-    vmovdqa64   $zero, $R2_0h
-    vmovdqa64   $zero, $R3_0
-    vmovdqa64   $zero, $R3_0h
-
-    xorl    $acc0_0_low, $acc0_0_low
-
-    movq    $b, $b_ptr                       # backup address of b
-    movq    \$0xfffffffffffff, $mask52       # 52-bit mask
-
-    # Loop over 30 digits unrolled by 4
-    mov     \$7, $iter
-
-.align 32
-.Lloop7:
-___
-    foreach my $idx (0..3) {
-        &amm52x30_x1(0,8*$idx,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$k0);
-    }
-$code.=<<___;
-    lea    `4*8`($b_ptr), $b_ptr
-    dec    $iter
-    jne    .Lloop7
-___
-    &amm52x30_x1(0,8*0,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$k0);
-    &amm52x30_x1(0,8*1,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$k0);
-
-    &amm52x30_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h);
-$code.=<<___;
-
-    vmovdqu64   $R0_0,  `0*32`($res)
-    vmovdqu64   $R0_0h, `1*32`($res)
-    vmovdqu64   $R1_0,  `2*32`($res)
-    vmovdqu64   $R1_0h, `3*32`($res)
-    vmovdqu64   $R2_0,  `4*32`($res)
-    vmovdqu64   $R2_0h, `5*32`($res)
-    vmovdqu64   $R3_0,  `6*32`($res)
-    vmovdqu64   $R3_0h, `7*32`($res)
-
-    vzeroupper
-    lea     (%rsp),%rax
-.cfi_def_cfa_register   %rax
-___
-$code.=<<___ if ($win64);
-    vmovdqa64   `0*16`(%rax),%xmm6
-    vmovdqa64   `1*16`(%rax),%xmm7
-    vmovdqa64   `2*16`(%rax),%xmm8
-    vmovdqa64   `3*16`(%rax),%xmm9
-    vmovdqa64   `4*16`(%rax),%xmm10
-    vmovdqa64   `5*16`(%rax),%xmm11
-    vmovdqa64   `6*16`(%rax),%xmm12
-    vmovdqa64   `7*16`(%rax),%xmm13
-    vmovdqa64   `8*16`(%rax),%xmm14
-    vmovdqa64   `9*16`(%rax),%xmm15
-    lea  168(%rsp),%rax
-___
-$code.=<<___;
-    mov  0(%rax),%r15
-.cfi_restore    %r15
-    mov  8(%rax),%r14
-.cfi_restore    %r14
-    mov  16(%rax),%r13
-.cfi_restore    %r13
-    mov  24(%rax),%r12
-.cfi_restore    %r12
-    mov  32(%rax),%rbp
-.cfi_restore    %rbp
-    mov  40(%rax),%rbx
-.cfi_restore    %rbx
-    lea  48(%rax),%rsp       # restore rsp
-.cfi_def_cfa %rsp,8
-.Lossl_rsaz_amm52x30_x1_ifma256_epilogue:
-    ret
-.cfi_endproc
-.size   ossl_rsaz_amm52x30_x1_ifma256, .-ossl_rsaz_amm52x30_x1_ifma256
-___
-
-$code.=<<___;
-.data
-.align 32
-.Lmask52x4:
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-___
-
-###############################################################################
-# Dual Almost Montgomery Multiplication for 30-digit number in radix 2^52
-#
-# See description of ossl_rsaz_amm52x30_x1_ifma256() above for details about Almost
-# Montgomery Multiplication algorithm and function input parameters description.
-#
-# This function does two AMMs for two independent inputs, hence dual.
-#
-# NOTE: the function uses zero-padded data - 2 high QWs is a padding.
-#
-# void ossl_rsaz_amm52x30_x2_ifma256(BN_ULONG out[2][32],
-#                                    const BN_ULONG a[2][32],
-#                                    const BN_ULONG b[2][32],
-#                                    const BN_ULONG m[2][32],
-#                                    const BN_ULONG k0[2]);
-###############################################################################
-
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x30_x2_ifma256
-.type   ossl_rsaz_amm52x30_x2_ifma256,\@function,5
-.align 32
-ossl_rsaz_amm52x30_x2_ifma256:
-.cfi_startproc
-    endbranch
-    push    %rbx
-.cfi_push   %rbx
-    push    %rbp
-.cfi_push   %rbp
-    push    %r12
-.cfi_push   %r12
-    push    %r13
-.cfi_push   %r13
-    push    %r14
-.cfi_push   %r14
-    push    %r15
-.cfi_push   %r15
-___
-$code.=<<___ if ($win64);
-    lea     -168(%rsp),%rsp
-    vmovdqa64   %xmm6, `0*16`(%rsp)        # save non-volatile registers
-    vmovdqa64   %xmm7, `1*16`(%rsp)
-    vmovdqa64   %xmm8, `2*16`(%rsp)
-    vmovdqa64   %xmm9, `3*16`(%rsp)
-    vmovdqa64   %xmm10,`4*16`(%rsp)
-    vmovdqa64   %xmm11,`5*16`(%rsp)
-    vmovdqa64   %xmm12,`6*16`(%rsp)
-    vmovdqa64   %xmm13,`7*16`(%rsp)
-    vmovdqa64   %xmm14,`8*16`(%rsp)
-    vmovdqa64   %xmm15,`9*16`(%rsp)
-.Lossl_rsaz_amm52x30_x2_ifma256_body:
-___
-$code.=<<___;
-    # Zeroing accumulators
-    vpxord   $zero, $zero, $zero
-    vmovdqa64   $zero, $R0_0
-    vmovdqa64   $zero, $R0_0h
-    vmovdqa64   $zero, $R1_0
-    vmovdqa64   $zero, $R1_0h
-    vmovdqa64   $zero, $R2_0
-    vmovdqa64   $zero, $R2_0h
-    vmovdqa64   $zero, $R3_0
-    vmovdqa64   $zero, $R3_0h
-
-    vmovdqa64   $zero, $R0_1
-    vmovdqa64   $zero, $R0_1h
-    vmovdqa64   $zero, $R1_1
-    vmovdqa64   $zero, $R1_1h
-    vmovdqa64   $zero, $R2_1
-    vmovdqa64   $zero, $R2_1h
-    vmovdqa64   $zero, $R3_1
-    vmovdqa64   $zero, $R3_1h
-
-
-    xorl    $acc0_0_low, $acc0_0_low
-    xorl    $acc0_1_low, $acc0_1_low
-
-    movq    $b, $b_ptr                       # backup address of b
-    movq    \$0xfffffffffffff, $mask52       # 52-bit mask
-
-    mov    \$30, $iter
-
-.align 32
-.Lloop30:
-___
-    &amm52x30_x1(   0,   0,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,"($k0)");
-    # 32*8 = offset of the next dimension in two-dimension array
-    &amm52x30_x1(32*8,32*8,$acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,"8($k0)");
-$code.=<<___;
-    lea    8($b_ptr), $b_ptr
-    dec    $iter
-    jne    .Lloop30
-___
-    &amm52x30_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h);
-    &amm52x30_x1_norm($acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h);
-$code.=<<___;
-
-    vmovdqu64   $R0_0,  `0*32`($res)
-    vmovdqu64   $R0_0h, `1*32`($res)
-    vmovdqu64   $R1_0,  `2*32`($res)
-    vmovdqu64   $R1_0h, `3*32`($res)
-    vmovdqu64   $R2_0,  `4*32`($res)
-    vmovdqu64   $R2_0h, `5*32`($res)
-    vmovdqu64   $R3_0,  `6*32`($res)
-    vmovdqu64   $R3_0h, `7*32`($res)
-
-    vmovdqu64   $R0_1,  `8*32`($res)
-    vmovdqu64   $R0_1h, `9*32`($res)
-    vmovdqu64   $R1_1,  `10*32`($res)
-    vmovdqu64   $R1_1h, `11*32`($res)
-    vmovdqu64   $R2_1,  `12*32`($res)
-    vmovdqu64   $R2_1h, `13*32`($res)
-    vmovdqu64   $R3_1,  `14*32`($res)
-    vmovdqu64   $R3_1h, `15*32`($res)
-
-    vzeroupper
-    lea     (%rsp),%rax
-.cfi_def_cfa_register   %rax
-___
-$code.=<<___ if ($win64);
-    vmovdqa64   `0*16`(%rax),%xmm6
-    vmovdqa64   `1*16`(%rax),%xmm7
-    vmovdqa64   `2*16`(%rax),%xmm8
-    vmovdqa64   `3*16`(%rax),%xmm9
-    vmovdqa64   `4*16`(%rax),%xmm10
-    vmovdqa64   `5*16`(%rax),%xmm11
-    vmovdqa64   `6*16`(%rax),%xmm12
-    vmovdqa64   `7*16`(%rax),%xmm13
-    vmovdqa64   `8*16`(%rax),%xmm14
-    vmovdqa64   `9*16`(%rax),%xmm15
-    lea     168(%rsp),%rax
-___
-$code.=<<___;
-    mov  0(%rax),%r15
-.cfi_restore    %r15
-    mov  8(%rax),%r14
-.cfi_restore    %r14
-    mov  16(%rax),%r13
-.cfi_restore    %r13
-    mov  24(%rax),%r12
-.cfi_restore    %r12
-    mov  32(%rax),%rbp
-.cfi_restore    %rbp
-    mov  40(%rax),%rbx
-.cfi_restore    %rbx
-    lea  48(%rax),%rsp
-.cfi_def_cfa    %rsp,8
-.Lossl_rsaz_amm52x30_x2_ifma256_epilogue:
-    ret
-.cfi_endproc
-.size   ossl_rsaz_amm52x30_x2_ifma256, .-ossl_rsaz_amm52x30_x2_ifma256
-___
-}
-
-###############################################################################
-# Constant time extraction from the precomputed table of powers base^i, where
-#    i = 0..2^EXP_WIN_SIZE-1
-#
-# The input |red_table| contains precomputations for two independent base values.
-# |red_table_idx1| and |red_table_idx2| are corresponding power indexes.
-#
-# Extracted value (output) is 2 (30 + 2) digits numbers in 2^52 radix.
-# (2 high QW is zero padding)
-#
-# void ossl_extract_multiplier_2x30_win5(BN_ULONG *red_Y,
-#                                        const BN_ULONG red_table[1 << EXP_WIN_SIZE][2][32],
-#                                        int red_table_idx1, int red_table_idx2);
-#
-# EXP_WIN_SIZE = 5
-###############################################################################
-{
-# input parameters
-my ($out,$red_tbl,$red_tbl_idx1,$red_tbl_idx2)=$win64 ? ("%rcx","%rdx","%r8", "%r9") :  # Win64 order
-                                                        ("%rdi","%rsi","%rdx","%rcx");  # Unix order
-
-my ($t0,$t1,$t2,$t3,$t4,$t5) = map("%ymm$_", (0..5));
-my ($t6,$t7,$t8,$t9,$t10,$t11,$t12,$t13,$t14,$t15) = map("%ymm$_", (16..25));
-my ($tmp,$cur_idx,$idx1,$idx2,$ones) = map("%ymm$_", (26..30));
-
-my @t = ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11,$t12,$t13,$t14,$t15);
-my $t0xmm = $t0;
-$t0xmm =~ s/%y/%x/;
-
-$code.=<<___;
-.text
-
-.align 32
-.globl  ossl_extract_multiplier_2x30_win5
-.type   ossl_extract_multiplier_2x30_win5,\@abi-omnipotent
-ossl_extract_multiplier_2x30_win5:
-.cfi_startproc
-    endbranch
-    vmovdqa64   .Lones(%rip), $ones         # broadcast ones
-    vpbroadcastq    $red_tbl_idx1, $idx1
-    vpbroadcastq    $red_tbl_idx2, $idx2
-    leaq   `(1<<5)*2*32*8`($red_tbl), %rax  # holds end of the tbl
-
-    # zeroing t0..n, cur_idx
-    vpxor   $t0xmm, $t0xmm, $t0xmm
-    vmovdqa64   $t0, $cur_idx
-___
-foreach (1..15) {
-    $code.="vmovdqa64   $t0, $t[$_] \n";
-}
-$code.=<<___;
-
-.align 32
-.Lloop:
-    vpcmpq  \$0, $cur_idx, $idx1, %k1      # mask of (idx1 == cur_idx)
-    vpcmpq  \$0, $cur_idx, $idx2, %k2      # mask of (idx2 == cur_idx)
-___
-foreach (0..15) {
-    my $mask = $_<8?"%k1":"%k2";
-$code.=<<___;
-    vmovdqu64  `${_}*32`($red_tbl), $tmp     # load data from red_tbl
-    vpblendmq  $tmp, $t[$_], ${t[$_]}{$mask} # extract data when mask is not zero
-___
-}
-$code.=<<___;
-    vpaddq  $ones, $cur_idx, $cur_idx      # increment cur_idx
-    addq    \$`2*32*8`, $red_tbl
-    cmpq    $red_tbl, %rax
-    jne .Lloop
-___
-# store t0..n
-foreach (0..15) {
-    $code.="vmovdqu64   $t[$_], `${_}*32`($out) \n";
-}
-$code.=<<___;
-
-    ret
-.cfi_endproc
-.size   ossl_extract_multiplier_2x30_win5, .-ossl_extract_multiplier_2x30_win5
-___
-$code.=<<___;
-.data
-.align 32
-.Lones:
-    .quad   1,1,1,1
-.Lzeros:
-    .quad   0,0,0,0
-___
-}
-
-if ($win64) {
-$rec="%rcx";
-$frame="%rdx";
-$context="%r8";
-$disp="%r9";
-
-$code.=<<___;
-.extern     __imp_RtlVirtualUnwind
-.type   rsaz_avx_handler,\@abi-omnipotent
-.align  16
-rsaz_avx_handler:
-    push    %rsi
-    push    %rdi
-    push    %rbx
-    push    %rbp
-    push    %r12
-    push    %r13
-    push    %r14
-    push    %r15
-    pushfq
-    sub     \$64,%rsp
-
-    mov     120($context),%rax # pull context->Rax
-    mov     248($context),%rbx # pull context->Rip
-
-    mov     8($disp),%rsi      # disp->ImageBase
-    mov     56($disp),%r11     # disp->HandlerData
-
-    mov     0(%r11),%r10d      # HandlerData[0]
-    lea     (%rsi,%r10),%r10   # prologue label
-    cmp     %r10,%rbx          # context->Rip<.Lprologue
-    jb  .Lcommon_seh_tail
-
-    mov     4(%r11),%r10d      # HandlerData[1]
-    lea     (%rsi,%r10),%r10   # epilogue label
-    cmp     %r10,%rbx          # context->Rip>=.Lepilogue
-    jae     .Lcommon_seh_tail
-
-    mov     152($context),%rax # pull context->Rsp
-
-    lea     (%rax),%rsi         # %xmm save area
-    lea     512($context),%rdi  # & context.Xmm6
-    mov     \$20,%ecx           # 10*sizeof(%xmm0)/sizeof(%rax)
-    .long   0xa548f3fc          # cld; rep movsq
-
-    lea     `48+168`(%rax),%rax
-
-    mov     -8(%rax),%rbx
-    mov     -16(%rax),%rbp
-    mov     -24(%rax),%r12
-    mov     -32(%rax),%r13
-    mov     -40(%rax),%r14
-    mov     -48(%rax),%r15
-    mov     %rbx,144($context) # restore context->Rbx
-    mov     %rbp,160($context) # restore context->Rbp
-    mov     %r12,216($context) # restore context->R12
-    mov     %r13,224($context) # restore context->R13
-    mov     %r14,232($context) # restore context->R14
-    mov     %r15,240($context) # restore context->R14
-
-.Lcommon_seh_tail:
-    mov     8(%rax),%rdi
-    mov     16(%rax),%rsi
-    mov     %rax,152($context) # restore context->Rsp
-    mov     %rsi,168($context) # restore context->Rsi
-    mov     %rdi,176($context) # restore context->Rdi
-
-    mov     40($disp),%rdi     # disp->ContextRecord
-    mov     $context,%rsi      # context
-    mov     \$154,%ecx         # sizeof(CONTEXT)
-    .long   0xa548f3fc         # cld; rep movsq
-
-    mov     $disp,%rsi
-    xor     %rcx,%rcx          # arg1, UNW_FLAG_NHANDLER
-    mov     8(%rsi),%rdx       # arg2, disp->ImageBase
-    mov     0(%rsi),%r8        # arg3, disp->ControlPc
-    mov     16(%rsi),%r9       # arg4, disp->FunctionEntry
-    mov     40(%rsi),%r10      # disp->ContextRecord
-    lea     56(%rsi),%r11      # &disp->HandlerData
-    lea     24(%rsi),%r12      # &disp->EstablisherFrame
-    mov     %r10,32(%rsp)      # arg5
-    mov     %r11,40(%rsp)      # arg6
-    mov     %r12,48(%rsp)      # arg7
-    mov     %rcx,56(%rsp)      # arg8, (NULL)
-    call    *__imp_RtlVirtualUnwind(%rip)
-
-    mov     \$1,%eax           # ExceptionContinueSearch
-    add     \$64,%rsp
-    popfq
-    pop     %r15
-    pop     %r14
-    pop     %r13
-    pop     %r12
-    pop     %rbp
-    pop     %rbx
-    pop     %rdi
-    pop     %rsi
-    ret
-.size   rsaz_avx_handler,.-rsaz_avx_handler
-
-.section    .pdata
-.align  4
-    .rva    .LSEH_begin_ossl_rsaz_amm52x30_x1_ifma256
-    .rva    .LSEH_end_ossl_rsaz_amm52x30_x1_ifma256
-    .rva    .LSEH_info_ossl_rsaz_amm52x30_x1_ifma256
-
-    .rva    .LSEH_begin_ossl_rsaz_amm52x30_x2_ifma256
-    .rva    .LSEH_end_ossl_rsaz_amm52x30_x2_ifma256
-    .rva    .LSEH_info_ossl_rsaz_amm52x30_x2_ifma256
-
-.section    .xdata
-.align  8
-.LSEH_info_ossl_rsaz_amm52x30_x1_ifma256:
-    .byte   9,0,0,0
-    .rva    rsaz_avx_handler
-    .rva    .Lossl_rsaz_amm52x30_x1_ifma256_body,.Lossl_rsaz_amm52x30_x1_ifma256_epilogue
-.LSEH_info_ossl_rsaz_amm52x30_x2_ifma256:
-    .byte   9,0,0,0
-    .rva    rsaz_avx_handler
-    .rva    .Lossl_rsaz_amm52x30_x2_ifma256_body,.Lossl_rsaz_amm52x30_x2_ifma256_epilogue
-___
-}
-}}} else {{{                # fallback for old assembler
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x30_x1_ifma256
-.globl  ossl_rsaz_amm52x30_x2_ifma256
-.globl  ossl_extract_multiplier_2x30_win5
-.type   ossl_rsaz_amm52x30_x1_ifma256,\@abi-omnipotent
-ossl_rsaz_amm52x30_x1_ifma256:
-ossl_rsaz_amm52x30_x2_ifma256:
-ossl_extract_multiplier_2x30_win5:
-    .byte   0x0f,0x0b    # ud2
-    ret
-.size   ossl_rsaz_amm52x30_x1_ifma256, .-ossl_rsaz_amm52x30_x1_ifma256
-___
-}}}
-
-$code =~ s/\`([^\`]*)\`/eval $1/gem;
-print $code;
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 930
libs/openssl/crypto/bn/asm/rsaz-4k-avx512.pl

@@ -1,930 +0,0 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
-# Copyright (c) 2021, Intel Corporation. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-#
-# Originally written by Sergey Kirillov and Andrey Matyukov
-# Intel Corporation
-#
-# March 2021
-#
-# Initial release.
-#
-# Implementation utilizes 256-bit (ymm) registers to avoid frequency scaling issues.
-#
-# IceLake-Client @ 1.3GHz
-# |---------+-----------------------+---------------+-------------|
-# |         | OpenSSL 3.0.0-alpha15 | this          | Unit        |
-# |---------+-----------------------+---------------+-------------|
-# | rsa4096 | 14 301 4300           | 5 813 953     | cycles/sign |
-# |         | 90.9                  | 223.6 / +146% | sign/s      |
-# |---------+-----------------------+---------------+-------------|
-#
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-$avx512ifma=0;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-
-if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-        =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-    $avx512ifma = ($1>=2.26);
-}
-
-if (!$avx512 && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
-       `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/) {
-    $avx512ifma = ($1==2.11 && $2>=8) + ($1>=2.12);
-}
-
-if (!$avx512 && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
-    $avx512ifma = ($2>=7.0);
-}
-
-open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""
-    or die "can't call $xlate: $!";
-*STDOUT=*OUT;
-
-if ($avx512ifma>0) {{{
-@_6_args_universal_ABI = ("%rdi","%rsi","%rdx","%rcx","%r8","%r9");
-
-###############################################################################
-# Almost Montgomery Multiplication (AMM) for 40-digit number in radix 2^52.
-#
-# AMM is defined as presented in the paper [1].
-#
-# The input and output are presented in 2^52 radix domain, i.e.
-#   |res|, |a|, |b|, |m| are arrays of 40 64-bit qwords with 12 high bits zeroed.
-#   |k0| is a Montgomery coefficient, which is here k0 = -1/m mod 2^64
-#
-# NB: the AMM implementation does not perform "conditional" subtraction step
-# specified in the original algorithm as according to the Lemma 1 from the paper
-# [2], the result will be always < 2*m and can be used as a direct input to
-# the next AMM iteration.  This post-condition is true, provided the correct
-# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e.  s >= n + 2 * k,
-# which matches our case: 2080 > 2048 + 2 * 1.
-#
-# [1] Gueron, S. Efficient software implementations of modular exponentiation.
-#     DOI: 10.1007/s13389-012-0031-5
-# [2] Gueron, S. Enhanced Montgomery Multiplication.
-#     DOI: 10.1007/3-540-36400-5_5
-#
-# void ossl_rsaz_amm52x40_x1_ifma256(BN_ULONG *res,
-#                                    const BN_ULONG *a,
-#                                    const BN_ULONG *b,
-#                                    const BN_ULONG *m,
-#                                    BN_ULONG k0);
-###############################################################################
-{
-# input parameters ("%rdi","%rsi","%rdx","%rcx","%r8")
-my ($res,$a,$b,$m,$k0) = @_6_args_universal_ABI;
-
-my $mask52     = "%rax";
-my $acc0_0     = "%r9";
-my $acc0_0_low = "%r9d";
-my $acc0_1     = "%r15";
-my $acc0_1_low = "%r15d";
-my $b_ptr      = "%r11";
-
-my $iter = "%ebx";
-
-my $zero = "%ymm0";
-my $Bi   = "%ymm1";
-my $Yi   = "%ymm2";
-my ($R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h) = map("%ymm$_",(3..12));
-my ($R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,$R4_1,$R4_1h) = map("%ymm$_",(13..22));
-
-# Registers mapping for normalization
-my ($T0,$T0h,$T1,$T1h,$T2,$T2h,$T3,$T3h,$T4,$T4h) = ("$zero", "$Bi", "$Yi", map("%ymm$_", (23..29)));
-
-sub amm52x40_x1() {
-# _data_offset - offset in the |a| or |m| arrays pointing to the beginning
-#                of data for corresponding AMM operation;
-# _b_offset    - offset in the |b| array pointing to the next qword digit;
-my ($_data_offset,$_b_offset,$_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h,$_R4,$_R4h,$_k0) = @_;
-my $_R0_xmm = $_R0;
-$_R0_xmm =~ s/%y/%x/;
-$code.=<<___;
-    movq    $_b_offset($b_ptr), %r13             # b[i]
-
-    vpbroadcastq    %r13, $Bi                    # broadcast b[i]
-    movq    $_data_offset($a), %rdx
-    mulx    %r13, %r13, %r12                     # a[0]*b[i] = (t0,t2)
-    addq    %r13, $_acc                          # acc += t0
-    movq    %r12, %r10
-    adcq    \$0, %r10                            # t2 += CF
-
-    movq    $_k0, %r13
-    imulq   $_acc, %r13                          # acc * k0
-    andq    $mask52, %r13                        # yi = (acc * k0) & mask52
-
-    vpbroadcastq    %r13, $Yi                    # broadcast y[i]
-    movq    $_data_offset($m), %rdx
-    mulx    %r13, %r13, %r12                     # yi * m[0] = (t0,t1)
-    addq    %r13, $_acc                          # acc += t0
-    adcq    %r12, %r10                           # t2 += (t1 + CF)
-
-    shrq    \$52, $_acc
-    salq    \$12, %r10
-    or      %r10, $_acc                          # acc = ((acc >> 52) | (t2 << 12))
-
-    vpmadd52luq `$_data_offset+64*0`($a), $Bi, $_R0
-    vpmadd52luq `$_data_offset+64*0+32`($a), $Bi, $_R0h
-    vpmadd52luq `$_data_offset+64*1`($a), $Bi, $_R1
-    vpmadd52luq `$_data_offset+64*1+32`($a), $Bi, $_R1h
-    vpmadd52luq `$_data_offset+64*2`($a), $Bi, $_R2
-    vpmadd52luq `$_data_offset+64*2+32`($a), $Bi, $_R2h
-    vpmadd52luq `$_data_offset+64*3`($a), $Bi, $_R3
-    vpmadd52luq `$_data_offset+64*3+32`($a), $Bi, $_R3h
-    vpmadd52luq `$_data_offset+64*4`($a), $Bi, $_R4
-    vpmadd52luq `$_data_offset+64*4+32`($a), $Bi, $_R4h
-
-    vpmadd52luq `$_data_offset+64*0`($m), $Yi, $_R0
-    vpmadd52luq `$_data_offset+64*0+32`($m), $Yi, $_R0h
-    vpmadd52luq `$_data_offset+64*1`($m), $Yi, $_R1
-    vpmadd52luq `$_data_offset+64*1+32`($m), $Yi, $_R1h
-    vpmadd52luq `$_data_offset+64*2`($m), $Yi, $_R2
-    vpmadd52luq `$_data_offset+64*2+32`($m), $Yi, $_R2h
-    vpmadd52luq `$_data_offset+64*3`($m), $Yi, $_R3
-    vpmadd52luq `$_data_offset+64*3+32`($m), $Yi, $_R3h
-    vpmadd52luq `$_data_offset+64*4`($m), $Yi, $_R4
-    vpmadd52luq `$_data_offset+64*4+32`($m), $Yi, $_R4h
-
-    # Shift accumulators right by 1 qword, zero extending the highest one
-    valignq     \$1, $_R0, $_R0h, $_R0
-    valignq     \$1, $_R0h, $_R1, $_R0h
-    valignq     \$1, $_R1, $_R1h, $_R1
-    valignq     \$1, $_R1h, $_R2, $_R1h
-    valignq     \$1, $_R2, $_R2h, $_R2
-    valignq     \$1, $_R2h, $_R3, $_R2h
-    valignq     \$1, $_R3, $_R3h, $_R3
-    valignq     \$1, $_R3h, $_R4, $_R3h
-    valignq     \$1, $_R4, $_R4h, $_R4
-    valignq     \$1, $_R4h, $zero, $_R4h
-
-    vmovq   $_R0_xmm, %r13
-    addq    %r13, $_acc    # acc += R0[0]
-
-    vpmadd52huq `$_data_offset+64*0`($a), $Bi, $_R0
-    vpmadd52huq `$_data_offset+64*0+32`($a), $Bi, $_R0h
-    vpmadd52huq `$_data_offset+64*1`($a), $Bi, $_R1
-    vpmadd52huq `$_data_offset+64*1+32`($a), $Bi, $_R1h
-    vpmadd52huq `$_data_offset+64*2`($a), $Bi, $_R2
-    vpmadd52huq `$_data_offset+64*2+32`($a), $Bi, $_R2h
-    vpmadd52huq `$_data_offset+64*3`($a), $Bi, $_R3
-    vpmadd52huq `$_data_offset+64*3+32`($a), $Bi, $_R3h
-    vpmadd52huq `$_data_offset+64*4`($a), $Bi, $_R4
-    vpmadd52huq `$_data_offset+64*4+32`($a), $Bi, $_R4h
-
-    vpmadd52huq `$_data_offset+64*0`($m), $Yi, $_R0
-    vpmadd52huq `$_data_offset+64*0+32`($m), $Yi, $_R0h
-    vpmadd52huq `$_data_offset+64*1`($m), $Yi, $_R1
-    vpmadd52huq `$_data_offset+64*1+32`($m), $Yi, $_R1h
-    vpmadd52huq `$_data_offset+64*2`($m), $Yi, $_R2
-    vpmadd52huq `$_data_offset+64*2+32`($m), $Yi, $_R2h
-    vpmadd52huq `$_data_offset+64*3`($m), $Yi, $_R3
-    vpmadd52huq `$_data_offset+64*3+32`($m), $Yi, $_R3h
-    vpmadd52huq `$_data_offset+64*4`($m), $Yi, $_R4
-    vpmadd52huq `$_data_offset+64*4+32`($m), $Yi, $_R4h
-___
-}
-
-# Normalization routine: handles carry bits and gets bignum qwords to normalized
-# 2^52 representation.
-#
-# Uses %r8-14,%e[abcd]x
-sub amm52x40_x1_norm {
-my ($_acc,$_R0,$_R0h,$_R1,$_R1h,$_R2,$_R2h,$_R3,$_R3h,$_R4,$_R4h) = @_;
-$code.=<<___;
-    # Put accumulator to low qword in R0
-    vpbroadcastq    $_acc, $T0
-    vpblendd \$3, $T0, $_R0, $_R0
-
-    # Extract "carries" (12 high bits) from each QW of the bignum
-    # Save them to LSB of QWs in T0..Tn
-    vpsrlq    \$52, $_R0,   $T0
-    vpsrlq    \$52, $_R0h,  $T0h
-    vpsrlq    \$52, $_R1,   $T1
-    vpsrlq    \$52, $_R1h,  $T1h
-    vpsrlq    \$52, $_R2,   $T2
-    vpsrlq    \$52, $_R2h,  $T2h
-    vpsrlq    \$52, $_R3,   $T3
-    vpsrlq    \$52, $_R3h,  $T3h
-    vpsrlq    \$52, $_R4,   $T4
-    vpsrlq    \$52, $_R4h,  $T4h
-
-    # "Shift left" T0..Tn by 1 QW
-    valignq \$3, $T4,  $T4h,  $T4h
-    valignq \$3, $T3h,  $T4,  $T4
-    valignq \$3, $T3,  $T3h,  $T3h
-    valignq \$3, $T2h,  $T3,  $T3
-    valignq \$3, $T2,  $T2h,  $T2h
-    valignq \$3, $T1h,  $T2,  $T2
-    valignq \$3, $T1,   $T1h, $T1h
-    valignq \$3, $T0h,  $T1,  $T1
-    valignq \$3, $T0,   $T0h, $T0h
-    valignq \$3, .Lzeros(%rip), $T0,  $T0
-
-    # Drop "carries" from R0..Rn QWs
-    vpandq    .Lmask52x4(%rip), $_R0,  $_R0
-    vpandq    .Lmask52x4(%rip), $_R0h, $_R0h
-    vpandq    .Lmask52x4(%rip), $_R1,  $_R1
-    vpandq    .Lmask52x4(%rip), $_R1h, $_R1h
-    vpandq    .Lmask52x4(%rip), $_R2,  $_R2
-    vpandq    .Lmask52x4(%rip), $_R2h, $_R2h
-    vpandq    .Lmask52x4(%rip), $_R3,  $_R3
-    vpandq    .Lmask52x4(%rip), $_R3h, $_R3h
-    vpandq    .Lmask52x4(%rip), $_R4,  $_R4
-    vpandq    .Lmask52x4(%rip), $_R4h, $_R4h
-
-    # Sum R0..Rn with corresponding adjusted carries
-    vpaddq  $T0,  $_R0,  $_R0
-    vpaddq  $T0h, $_R0h, $_R0h
-    vpaddq  $T1,  $_R1,  $_R1
-    vpaddq  $T1h, $_R1h, $_R1h
-    vpaddq  $T2,  $_R2,  $_R2
-    vpaddq  $T2h, $_R2h, $_R2h
-    vpaddq  $T3,  $_R3,  $_R3
-    vpaddq  $T3h, $_R3h, $_R3h
-    vpaddq  $T4,  $_R4,  $_R4
-    vpaddq  $T4h, $_R4h, $_R4h
-
-    # Now handle carry bits from this addition
-    # Get mask of QWs whose 52-bit parts overflow
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R0},%k1    # OP=nle (i.e. gt)
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R0h},%k2
-    kmovb      %k1,%r14d
-    kmovb      %k2,%r13d
-    shl        \$4,%r13b
-    or         %r13b,%r14b
-
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R1},%k1
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R1h},%k2
-    kmovb      %k1,%r13d
-    kmovb      %k2,%r12d
-    shl        \$4,%r12b
-    or         %r12b,%r13b
-
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R2},%k1
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R2h},%k2
-    kmovb      %k1,%r12d
-    kmovb      %k2,%r11d
-    shl        \$4,%r11b
-    or         %r11b,%r12b
-
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R3},%k1
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R3h},%k2
-    kmovb      %k1,%r11d
-    kmovb      %k2,%r10d
-    shl        \$4,%r10b
-    or         %r10b,%r11b
-
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R4},%k1
-    vpcmpuq    \$6,.Lmask52x4(%rip),${_R4h},%k2
-    kmovb      %k1,%r10d
-    kmovb      %k2,%r9d
-    shl        \$4,%r9b
-    or         %r9b,%r10b
-
-    addb       %r14b,%r14b
-    adcb       %r13b,%r13b
-    adcb       %r12b,%r12b
-    adcb       %r11b,%r11b
-    adcb       %r10b,%r10b
-
-    # Get mask of QWs whose 52-bit parts saturated
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R0},%k1    # OP=eq
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R0h},%k2
-    kmovb      %k1,%r9d
-    kmovb      %k2,%r8d
-    shl        \$4,%r8b
-    or         %r8b,%r9b
-
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R1},%k1
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R1h},%k2
-    kmovb      %k1,%r8d
-    kmovb      %k2,%edx
-    shl        \$4,%dl
-    or         %dl,%r8b
-
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R2},%k1
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R2h},%k2
-    kmovb      %k1,%edx
-    kmovb      %k2,%ecx
-    shl        \$4,%cl
-    or         %cl,%dl
-
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R3},%k1
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R3h},%k2
-    kmovb      %k1,%ecx
-    kmovb      %k2,%ebx
-    shl        \$4,%bl
-    or         %bl,%cl
-
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R4},%k1
-    vpcmpuq    \$0,.Lmask52x4(%rip),${_R4h},%k2
-    kmovb      %k1,%ebx
-    kmovb      %k2,%eax
-    shl        \$4,%al
-    or         %al,%bl
-
-    addb     %r9b,%r14b
-    adcb     %r8b,%r13b
-    adcb     %dl,%r12b
-    adcb     %cl,%r11b
-    adcb     %bl,%r10b
-
-    xor      %r9b,%r14b
-    xor      %r8b,%r13b
-    xor      %dl,%r12b
-    xor      %cl,%r11b
-    xor      %bl,%r10b
-
-    kmovb    %r14d,%k1
-    shr      \$4,%r14b
-    kmovb    %r14d,%k2
-    kmovb    %r13d,%k3
-    shr      \$4,%r13b
-    kmovb    %r13d,%k4
-    kmovb    %r12d,%k5
-    shr      \$4,%r12b
-    kmovb    %r12d,%k6
-    kmovb    %r11d,%k7
-
-    vpsubq  .Lmask52x4(%rip), $_R0,  ${_R0}{%k1}
-    vpsubq  .Lmask52x4(%rip), $_R0h, ${_R0h}{%k2}
-    vpsubq  .Lmask52x4(%rip), $_R1,  ${_R1}{%k3}
-    vpsubq  .Lmask52x4(%rip), $_R1h, ${_R1h}{%k4}
-    vpsubq  .Lmask52x4(%rip), $_R2,  ${_R2}{%k5}
-    vpsubq  .Lmask52x4(%rip), $_R2h, ${_R2h}{%k6}
-    vpsubq  .Lmask52x4(%rip), $_R3,  ${_R3}{%k7}
-
-    vpandq  .Lmask52x4(%rip), $_R0,  $_R0
-    vpandq  .Lmask52x4(%rip), $_R0h, $_R0h
-    vpandq  .Lmask52x4(%rip), $_R1,  $_R1
-    vpandq  .Lmask52x4(%rip), $_R1h, $_R1h
-    vpandq  .Lmask52x4(%rip), $_R2,  $_R2
-    vpandq  .Lmask52x4(%rip), $_R2h, $_R2h
-    vpandq  .Lmask52x4(%rip), $_R3,  $_R3
-
-    shr    \$4,%r11b
-    kmovb   %r11d,%k1
-    kmovb   %r10d,%k2
-    shr    \$4,%r10b
-    kmovb   %r10d,%k3
-
-    vpsubq  .Lmask52x4(%rip), $_R3h, ${_R3h}{%k1}
-    vpsubq  .Lmask52x4(%rip), $_R4,  ${_R4}{%k2}
-    vpsubq  .Lmask52x4(%rip), $_R4h, ${_R4h}{%k3}
-
-    vpandq  .Lmask52x4(%rip), $_R3h, $_R3h
-    vpandq  .Lmask52x4(%rip), $_R4,  $_R4
-    vpandq  .Lmask52x4(%rip), $_R4h, $_R4h
-___
-}
-
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x40_x1_ifma256
-.type   ossl_rsaz_amm52x40_x1_ifma256,\@function,5
-.align 32
-ossl_rsaz_amm52x40_x1_ifma256:
-.cfi_startproc
-    endbranch
-    push    %rbx
-.cfi_push   %rbx
-    push    %rbp
-.cfi_push   %rbp
-    push    %r12
-.cfi_push   %r12
-    push    %r13
-.cfi_push   %r13
-    push    %r14
-.cfi_push   %r14
-    push    %r15
-.cfi_push   %r15
-___
-$code.=<<___ if ($win64);
-    lea     -168(%rsp),%rsp                 # 16*10 + (8 bytes to get correct 16-byte SIMD alignment)
-    vmovdqa64   %xmm6, `0*16`(%rsp)         # save non-volatile registers
-    vmovdqa64   %xmm7, `1*16`(%rsp)
-    vmovdqa64   %xmm8, `2*16`(%rsp)
-    vmovdqa64   %xmm9, `3*16`(%rsp)
-    vmovdqa64   %xmm10,`4*16`(%rsp)
-    vmovdqa64   %xmm11,`5*16`(%rsp)
-    vmovdqa64   %xmm12,`6*16`(%rsp)
-    vmovdqa64   %xmm13,`7*16`(%rsp)
-    vmovdqa64   %xmm14,`8*16`(%rsp)
-    vmovdqa64   %xmm15,`9*16`(%rsp)
-.Lossl_rsaz_amm52x40_x1_ifma256_body:
-___
-$code.=<<___;
-    # Zeroing accumulators
-    vpxord   $zero, $zero, $zero
-    vmovdqa64   $zero, $R0_0
-    vmovdqa64   $zero, $R0_0h
-    vmovdqa64   $zero, $R1_0
-    vmovdqa64   $zero, $R1_0h
-    vmovdqa64   $zero, $R2_0
-    vmovdqa64   $zero, $R2_0h
-    vmovdqa64   $zero, $R3_0
-    vmovdqa64   $zero, $R3_0h
-    vmovdqa64   $zero, $R4_0
-    vmovdqa64   $zero, $R4_0h
-
-    xorl    $acc0_0_low, $acc0_0_low
-
-    movq    $b, $b_ptr                       # backup address of b
-    movq    \$0xfffffffffffff, $mask52       # 52-bit mask
-
-    # Loop over 40 digits unrolled by 4
-    mov     \$10, $iter
-
-.align 32
-.Lloop10:
-___
-    foreach my $idx (0..3) {
-        &amm52x40_x1(0,8*$idx,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h,$k0);
-    }
-$code.=<<___;
-    lea    `4*8`($b_ptr), $b_ptr
-    dec    $iter
-    jne    .Lloop10
-___
-    &amm52x40_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h);
-$code.=<<___;
-
-    vmovdqu64   $R0_0,  `0*32`($res)
-    vmovdqu64   $R0_0h, `1*32`($res)
-    vmovdqu64   $R1_0,  `2*32`($res)
-    vmovdqu64   $R1_0h, `3*32`($res)
-    vmovdqu64   $R2_0,  `4*32`($res)
-    vmovdqu64   $R2_0h, `5*32`($res)
-    vmovdqu64   $R3_0,  `6*32`($res)
-    vmovdqu64   $R3_0h, `7*32`($res)
-    vmovdqu64   $R4_0,  `8*32`($res)
-    vmovdqu64   $R4_0h, `9*32`($res)
-
-    vzeroupper
-    lea     (%rsp),%rax
-.cfi_def_cfa_register   %rax
-___
-$code.=<<___ if ($win64);
-    vmovdqa64   `0*16`(%rax),%xmm6
-    vmovdqa64   `1*16`(%rax),%xmm7
-    vmovdqa64   `2*16`(%rax),%xmm8
-    vmovdqa64   `3*16`(%rax),%xmm9
-    vmovdqa64   `4*16`(%rax),%xmm10
-    vmovdqa64   `5*16`(%rax),%xmm11
-    vmovdqa64   `6*16`(%rax),%xmm12
-    vmovdqa64   `7*16`(%rax),%xmm13
-    vmovdqa64   `8*16`(%rax),%xmm14
-    vmovdqa64   `9*16`(%rax),%xmm15
-    lea  168(%rsp),%rax
-___
-$code.=<<___;
-    mov  0(%rax),%r15
-.cfi_restore    %r15
-    mov  8(%rax),%r14
-.cfi_restore    %r14
-    mov  16(%rax),%r13
-.cfi_restore    %r13
-    mov  24(%rax),%r12
-.cfi_restore    %r12
-    mov  32(%rax),%rbp
-.cfi_restore    %rbp
-    mov  40(%rax),%rbx
-.cfi_restore    %rbx
-    lea  48(%rax),%rsp       # restore rsp
-.cfi_def_cfa %rsp,8
-.Lossl_rsaz_amm52x40_x1_ifma256_epilogue:
-
-    ret
-.cfi_endproc
-.size   ossl_rsaz_amm52x40_x1_ifma256, .-ossl_rsaz_amm52x40_x1_ifma256
-___
-
-$code.=<<___;
-.data
-.align 32
-.Lmask52x4:
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-    .quad   0xfffffffffffff
-___
-
-###############################################################################
-# Dual Almost Montgomery Multiplication for 40-digit number in radix 2^52
-#
-# See description of ossl_rsaz_amm52x40_x1_ifma256() above for details about Almost
-# Montgomery Multiplication algorithm and function input parameters description.
-#
-# This function does two AMMs for two independent inputs, hence dual.
-#
-# void ossl_rsaz_amm52x40_x2_ifma256(BN_ULONG out[2][40],
-#                                    const BN_ULONG a[2][40],
-#                                    const BN_ULONG b[2][40],
-#                                    const BN_ULONG m[2][40],
-#                                    const BN_ULONG k0[2]);
-###############################################################################
-
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x40_x2_ifma256
-.type   ossl_rsaz_amm52x40_x2_ifma256,\@function,5
-.align 32
-ossl_rsaz_amm52x40_x2_ifma256:
-.cfi_startproc
-    endbranch
-    push    %rbx
-.cfi_push   %rbx
-    push    %rbp
-.cfi_push   %rbp
-    push    %r12
-.cfi_push   %r12
-    push    %r13
-.cfi_push   %r13
-    push    %r14
-.cfi_push   %r14
-    push    %r15
-.cfi_push   %r15
-___
-$code.=<<___ if ($win64);
-    lea     -168(%rsp),%rsp
-    vmovdqa64   %xmm6, `0*16`(%rsp)        # save non-volatile registers
-    vmovdqa64   %xmm7, `1*16`(%rsp)
-    vmovdqa64   %xmm8, `2*16`(%rsp)
-    vmovdqa64   %xmm9, `3*16`(%rsp)
-    vmovdqa64   %xmm10,`4*16`(%rsp)
-    vmovdqa64   %xmm11,`5*16`(%rsp)
-    vmovdqa64   %xmm12,`6*16`(%rsp)
-    vmovdqa64   %xmm13,`7*16`(%rsp)
-    vmovdqa64   %xmm14,`8*16`(%rsp)
-    vmovdqa64   %xmm15,`9*16`(%rsp)
-.Lossl_rsaz_amm52x40_x2_ifma256_body:
-___
-$code.=<<___;
-    # Zeroing accumulators
-    vpxord   $zero, $zero, $zero
-    vmovdqa64   $zero, $R0_0
-    vmovdqa64   $zero, $R0_0h
-    vmovdqa64   $zero, $R1_0
-    vmovdqa64   $zero, $R1_0h
-    vmovdqa64   $zero, $R2_0
-    vmovdqa64   $zero, $R2_0h
-    vmovdqa64   $zero, $R3_0
-    vmovdqa64   $zero, $R3_0h
-    vmovdqa64   $zero, $R4_0
-    vmovdqa64   $zero, $R4_0h
-
-    vmovdqa64   $zero, $R0_1
-    vmovdqa64   $zero, $R0_1h
-    vmovdqa64   $zero, $R1_1
-    vmovdqa64   $zero, $R1_1h
-    vmovdqa64   $zero, $R2_1
-    vmovdqa64   $zero, $R2_1h
-    vmovdqa64   $zero, $R3_1
-    vmovdqa64   $zero, $R3_1h
-    vmovdqa64   $zero, $R4_1
-    vmovdqa64   $zero, $R4_1h
-
-
-    xorl    $acc0_0_low, $acc0_0_low
-    xorl    $acc0_1_low, $acc0_1_low
-
-    movq    $b, $b_ptr                       # backup address of b
-    movq    \$0xfffffffffffff, $mask52       # 52-bit mask
-
-    mov    \$40, $iter
-
-.align 32
-.Lloop40:
-___
-    &amm52x40_x1(   0,   0,$acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h,"($k0)");
-    # 40*8 = offset of the next dimension in two-dimension array
-    &amm52x40_x1(40*8,40*8,$acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,$R4_1,$R4_1h,"8($k0)");
-$code.=<<___;
-    lea    8($b_ptr), $b_ptr
-    dec    $iter
-    jne    .Lloop40
-___
-    &amm52x40_x1_norm($acc0_0,$R0_0,$R0_0h,$R1_0,$R1_0h,$R2_0,$R2_0h,$R3_0,$R3_0h,$R4_0,$R4_0h);
-    &amm52x40_x1_norm($acc0_1,$R0_1,$R0_1h,$R1_1,$R1_1h,$R2_1,$R2_1h,$R3_1,$R3_1h,$R4_1,$R4_1h);
-$code.=<<___;
-
-    vmovdqu64   $R0_0,  `0*32`($res)
-    vmovdqu64   $R0_0h, `1*32`($res)
-    vmovdqu64   $R1_0,  `2*32`($res)
-    vmovdqu64   $R1_0h, `3*32`($res)
-    vmovdqu64   $R2_0,  `4*32`($res)
-    vmovdqu64   $R2_0h, `5*32`($res)
-    vmovdqu64   $R3_0,  `6*32`($res)
-    vmovdqu64   $R3_0h, `7*32`($res)
-    vmovdqu64   $R4_0,  `8*32`($res)
-    vmovdqu64   $R4_0h, `9*32`($res)
-
-    vmovdqu64   $R0_1,  `10*32`($res)
-    vmovdqu64   $R0_1h, `11*32`($res)
-    vmovdqu64   $R1_1,  `12*32`($res)
-    vmovdqu64   $R1_1h, `13*32`($res)
-    vmovdqu64   $R2_1,  `14*32`($res)
-    vmovdqu64   $R2_1h, `15*32`($res)
-    vmovdqu64   $R3_1,  `16*32`($res)
-    vmovdqu64   $R3_1h, `17*32`($res)
-    vmovdqu64   $R4_1,  `18*32`($res)
-    vmovdqu64   $R4_1h, `19*32`($res)
-
-    vzeroupper
-    lea     (%rsp),%rax
-.cfi_def_cfa_register   %rax
-___
-$code.=<<___ if ($win64);
-    vmovdqa64   `0*16`(%rax),%xmm6
-    vmovdqa64   `1*16`(%rax),%xmm7
-    vmovdqa64   `2*16`(%rax),%xmm8
-    vmovdqa64   `3*16`(%rax),%xmm9
-    vmovdqa64   `4*16`(%rax),%xmm10
-    vmovdqa64   `5*16`(%rax),%xmm11
-    vmovdqa64   `6*16`(%rax),%xmm12
-    vmovdqa64   `7*16`(%rax),%xmm13
-    vmovdqa64   `8*16`(%rax),%xmm14
-    vmovdqa64   `9*16`(%rax),%xmm15
-    lea     168(%rsp),%rax
-___
-$code.=<<___;
-    mov  0(%rax),%r15
-.cfi_restore    %r15
-    mov  8(%rax),%r14
-.cfi_restore    %r14
-    mov  16(%rax),%r13
-.cfi_restore    %r13
-    mov  24(%rax),%r12
-.cfi_restore    %r12
-    mov  32(%rax),%rbp
-.cfi_restore    %rbp
-    mov  40(%rax),%rbx
-.cfi_restore    %rbx
-    lea  48(%rax),%rsp
-.cfi_def_cfa    %rsp,8
-.Lossl_rsaz_amm52x40_x2_ifma256_epilogue:
-    ret
-.cfi_endproc
-.size   ossl_rsaz_amm52x40_x2_ifma256, .-ossl_rsaz_amm52x40_x2_ifma256
-___
-}
-
-###############################################################################
-# Constant time extraction from the precomputed table of powers base^i, where
-#    i = 0..2^EXP_WIN_SIZE-1
-#
-# The input |red_table| contains precomputations for two independent base values.
-# |red_table_idx1| and |red_table_idx2| are corresponding power indexes.
-#
-# Extracted value (output) is 2 40 digits numbers in 2^52 radix.
-#
-# void ossl_extract_multiplier_2x40_win5(BN_ULONG *red_Y,
-#                                        const BN_ULONG red_table[1 << EXP_WIN_SIZE][2][40],
-#                                        int red_table_idx1, int red_table_idx2);
-#
-# EXP_WIN_SIZE = 5
-###############################################################################
-{
-# input parameters
-my ($out,$red_tbl,$red_tbl_idx1,$red_tbl_idx2)=$win64 ? ("%rcx","%rdx","%r8", "%r9") :  # Win64 order
-                                                        ("%rdi","%rsi","%rdx","%rcx");  # Unix order
-
-my ($t0,$t1,$t2,$t3,$t4,$t5) = map("%ymm$_", (0..5));
-my ($t6,$t7,$t8,$t9) = map("%ymm$_", (16..19));
-my ($tmp,$cur_idx,$idx1,$idx2,$ones) = map("%ymm$_", (20..24));
-
-my @t = ($t0,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9);
-my $t0xmm = $t0;
-$t0xmm =~ s/%y/%x/;
-
-sub get_table_value_consttime() {
-my ($_idx,$_offset) = @_;
-$code.=<<___;
-    vpxorq   $cur_idx, $cur_idx, $cur_idx
-.align 32
-.Lloop_$_offset:
-    vpcmpq  \$0, $cur_idx, $_idx, %k1      # mask of (idx == cur_idx)
-___
-foreach (0..9) {
-$code.=<<___;
-    vmovdqu64  `$_offset+${_}*32`($red_tbl), $tmp   # load data from red_tbl
-    vpblendmq  $tmp, $t[$_], ${t[$_]}{%k1}          # extract data when mask is not zero
-___
-}
-$code.=<<___;
-    vpaddq  $ones, $cur_idx, $cur_idx # increment cur_idx
-    addq    \$`2*40*8`, $red_tbl
-    cmpq    $red_tbl, %rax
-    jne .Lloop_$_offset
-___
-}
-
-$code.=<<___;
-.text
-
-.align 32
-.globl  ossl_extract_multiplier_2x40_win5
-.type   ossl_extract_multiplier_2x40_win5,\@abi-omnipotent
-ossl_extract_multiplier_2x40_win5:
-.cfi_startproc
-    endbranch
-    vmovdqa64   .Lones(%rip), $ones         # broadcast ones
-    vpbroadcastq    $red_tbl_idx1, $idx1
-    vpbroadcastq    $red_tbl_idx2, $idx2
-    leaq   `(1<<5)*2*40*8`($red_tbl), %rax  # holds end of the tbl
-
-    # backup red_tbl address
-    movq    $red_tbl, %r10
-
-    # zeroing t0..n, cur_idx
-    vpxor   $t0xmm, $t0xmm, $t0xmm
-___
-foreach (1..9) {
-    $code.="vmovdqa64   $t0, $t[$_] \n";
-}
-
-&get_table_value_consttime($idx1, 0);
-foreach (0..9) {
-    $code.="vmovdqu64   $t[$_], `(0+$_)*32`($out) \n";
-}
-$code.="movq    %r10, $red_tbl \n";
-&get_table_value_consttime($idx2, 40*8);
-foreach (0..9) {
-    $code.="vmovdqu64   $t[$_], `(10+$_)*32`($out) \n";
-}
-$code.=<<___;
-
-    ret
-.cfi_endproc
-.size   ossl_extract_multiplier_2x40_win5, .-ossl_extract_multiplier_2x40_win5
-___
-$code.=<<___;
-.data
-.align 32
-.Lones:
-    .quad   1,1,1,1
-.Lzeros:
-    .quad   0,0,0,0
-___
-}
-
-if ($win64) {
-$rec="%rcx";
-$frame="%rdx";
-$context="%r8";
-$disp="%r9";
-
-$code.=<<___;
-.extern     __imp_RtlVirtualUnwind
-.type   rsaz_avx_handler,\@abi-omnipotent
-.align  16
-rsaz_avx_handler:
-    push    %rsi
-    push    %rdi
-    push    %rbx
-    push    %rbp
-    push    %r12
-    push    %r13
-    push    %r14
-    push    %r15
-    pushfq
-    sub     \$64,%rsp
-
-    mov     120($context),%rax # pull context->Rax
-    mov     248($context),%rbx # pull context->Rip
-
-    mov     8($disp),%rsi      # disp->ImageBase
-    mov     56($disp),%r11     # disp->HandlerData
-
-    mov     0(%r11),%r10d      # HandlerData[0]
-    lea     (%rsi,%r10),%r10   # prologue label
-    cmp     %r10,%rbx          # context->Rip<.Lprologue
-    jb  .Lcommon_seh_tail
-
-    mov     4(%r11),%r10d      # HandlerData[1]
-    lea     (%rsi,%r10),%r10   # epilogue label
-    cmp     %r10,%rbx          # context->Rip>=.Lepilogue
-    jae     .Lcommon_seh_tail
-
-    mov     152($context),%rax # pull context->Rsp
-
-    lea     (%rax),%rsi         # %xmm save area
-    lea     512($context),%rdi  # & context.Xmm6
-    mov     \$20,%ecx           # 10*sizeof(%xmm0)/sizeof(%rax)
-    .long   0xa548f3fc          # cld; rep movsq
-
-    lea     `48+168`(%rax),%rax
-
-    mov     -8(%rax),%rbx
-    mov     -16(%rax),%rbp
-    mov     -24(%rax),%r12
-    mov     -32(%rax),%r13
-    mov     -40(%rax),%r14
-    mov     -48(%rax),%r15
-    mov     %rbx,144($context) # restore context->Rbx
-    mov     %rbp,160($context) # restore context->Rbp
-    mov     %r12,216($context) # restore context->R12
-    mov     %r13,224($context) # restore context->R13
-    mov     %r14,232($context) # restore context->R14
-    mov     %r15,240($context) # restore context->R14
-
-.Lcommon_seh_tail:
-    mov     8(%rax),%rdi
-    mov     16(%rax),%rsi
-    mov     %rax,152($context) # restore context->Rsp
-    mov     %rsi,168($context) # restore context->Rsi
-    mov     %rdi,176($context) # restore context->Rdi
-
-    mov     40($disp),%rdi     # disp->ContextRecord
-    mov     $context,%rsi      # context
-    mov     \$154,%ecx         # sizeof(CONTEXT)
-    .long   0xa548f3fc         # cld; rep movsq
-
-    mov     $disp,%rsi
-    xor     %rcx,%rcx          # arg1, UNW_FLAG_NHANDLER
-    mov     8(%rsi),%rdx       # arg2, disp->ImageBase
-    mov     0(%rsi),%r8        # arg3, disp->ControlPc
-    mov     16(%rsi),%r9       # arg4, disp->FunctionEntry
-    mov     40(%rsi),%r10      # disp->ContextRecord
-    lea     56(%rsi),%r11      # &disp->HandlerData
-    lea     24(%rsi),%r12      # &disp->EstablisherFrame
-    mov     %r10,32(%rsp)      # arg5
-    mov     %r11,40(%rsp)      # arg6
-    mov     %r12,48(%rsp)      # arg7
-    mov     %rcx,56(%rsp)      # arg8, (NULL)
-    call    *__imp_RtlVirtualUnwind(%rip)
-
-    mov     \$1,%eax           # ExceptionContinueSearch
-    add     \$64,%rsp
-    popfq
-    pop     %r15
-    pop     %r14
-    pop     %r13
-    pop     %r12
-    pop     %rbp
-    pop     %rbx
-    pop     %rdi
-    pop     %rsi
-    ret
-.size   rsaz_avx_handler,.-rsaz_avx_handler
-
-.section    .pdata
-.align  4
-    .rva    .LSEH_begin_ossl_rsaz_amm52x40_x1_ifma256
-    .rva    .LSEH_end_ossl_rsaz_amm52x40_x1_ifma256
-    .rva    .LSEH_info_ossl_rsaz_amm52x40_x1_ifma256
-
-    .rva    .LSEH_begin_ossl_rsaz_amm52x40_x2_ifma256
-    .rva    .LSEH_end_ossl_rsaz_amm52x40_x2_ifma256
-    .rva    .LSEH_info_ossl_rsaz_amm52x40_x2_ifma256
-
-.section    .xdata
-.align  8
-.LSEH_info_ossl_rsaz_amm52x40_x1_ifma256:
-    .byte   9,0,0,0
-    .rva    rsaz_avx_handler
-    .rva    .Lossl_rsaz_amm52x40_x1_ifma256_body,.Lossl_rsaz_amm52x40_x1_ifma256_epilogue
-.LSEH_info_ossl_rsaz_amm52x40_x2_ifma256:
-    .byte   9,0,0,0
-    .rva    rsaz_avx_handler
-    .rva    .Lossl_rsaz_amm52x40_x2_ifma256_body,.Lossl_rsaz_amm52x40_x2_ifma256_epilogue
-___
-}
-}}} else {{{                # fallback for old assembler
-$code.=<<___;
-.text
-
-.globl  ossl_rsaz_amm52x40_x1_ifma256
-.globl  ossl_rsaz_amm52x40_x2_ifma256
-.globl  ossl_extract_multiplier_2x40_win5
-.type   ossl_rsaz_amm52x40_x1_ifma256,\@abi-omnipotent
-ossl_rsaz_amm52x40_x1_ifma256:
-ossl_rsaz_amm52x40_x2_ifma256:
-ossl_extract_multiplier_2x40_win5:
-    .byte   0x0f,0x0b    # ud2
-    ret
-.size   ossl_rsaz_amm52x40_x1_ifma256, .-ossl_rsaz_amm52x40_x1_ifma256
-___
-}}}
-
-$code =~ s/\`([^\`]*)\`/eval $1/gem;
-print $code;
-close STDOUT or die "error closing STDOUT: $!";

+ 1 - 0
libs/openssl/crypto/bn/bn_const.c

@@ -9,6 +9,7 @@
 
 #include <openssl/bn.h>
 #include "crypto/bn_dh.h"
+#include "bn_local.h" // WINSCP
 
 #define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src)
 
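Review bot: The fork marker on the added include is a `//` line comment, whereas this file and OpenSSL's coding style use `/* */` block comments only, so the new line is the one place the file departs from its own convention; prefer `#include "bn_local.h" /* WINSCP */`. The marker also does not record which declaration from bn_local.h this translation unit now needs, which is exactly what the person doing the next OpenSSL upgrade will want to know — presumably something the COPY_BN users below or the bn_dh.h data depend on, but that cannot be confirmed from the hunk. A short reason after the tag, e.g. `/* WINSCP: needed for <symbol> */`, would make the local deviation self-explaining.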

+ 0 - 53
libs/openssl/crypto/bn/bn_ppc.c

@@ -1,53 +0,0 @@
-/*
- * Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/crypto.h>
-#include <openssl/bn.h>
-#include "crypto/ppc_arch.h"
-#include "bn_local.h"
-
-int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                const BN_ULONG *np, const BN_ULONG *n0, int num)
-{
-    int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                        const BN_ULONG *np, const BN_ULONG *n0, int num);
-    int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                          const BN_ULONG *np, const BN_ULONG *n0, int num);
-    int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
-                             const BN_ULONG *bp, const BN_ULONG *np,
-                             const BN_ULONG *n0, int num);
-    int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
-                                 const BN_ULONG *bp, const BN_ULONG *np,
-                                 const BN_ULONG *n0, int num);
-
-    if (num < 4)
-        return 0;
-
-    if ((num & 3) == 0)
-        return bn_mul4x_mont_int(rp, ap, bp, np, n0, num);
-
-    /*
-     * There used to be [optional] call to bn_mul_mont_fpu64 here,
-     * but above subroutine is faster on contemporary processors.
-     * Formulation means that there might be old processors where
-     * FPU code path would be faster, POWER6 perhaps, but there was
-     * no opportunity to figure it out...
-     */
-
-#if defined(_ARCH_PPC64) && !defined(__ILP32__)
-    if (num == 6) {
-        if (OPENSSL_ppccap_P & PPC_MADD300)
-            return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
-        else
-            return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
-    }
-#endif
-
-    return bn_mul_mont_int(rp, ap, bp, np, n0, num);
-}

+ 0 - 77
libs/openssl/crypto/bn/bn_sparc.c

@@ -1,77 +0,0 @@
-/*
- * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdlib.h>
-#include <openssl/bn.h>
-#include "internal/cryptlib.h"
-#include "crypto/sparc_arch.h"
-#include "bn_local.h"    /* for definition of bn_mul_mont */
-
-int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                const BN_ULONG *np, const BN_ULONG *n0, int num)
-{
-    int bn_mul_mont_vis3(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                         const BN_ULONG *np, const BN_ULONG *n0, int num);
-    int bn_mul_mont_fpu(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                        const BN_ULONG *np, const BN_ULONG *n0, int num);
-    int bn_mul_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-                        const BN_ULONG *np, const BN_ULONG *n0, int num);
-
-    if (!(num & 1) && num >= 6) {
-        if ((num & 15) == 0 && num <= 64 &&
-            (OPENSSL_sparcv9cap_P[1] & (CFR_MONTMUL | CFR_MONTSQR)) ==
-            (CFR_MONTMUL | CFR_MONTSQR)) {
-            typedef int (*bn_mul_mont_f) (BN_ULONG *rp, const BN_ULONG *ap,
-                                          const BN_ULONG *bp,
-                                          const BN_ULONG *np,
-                                          const BN_ULONG *n0);
-            int bn_mul_mont_t4_8(BN_ULONG *rp, const BN_ULONG *ap,
-                                 const BN_ULONG *bp, const BN_ULONG *np,
-                                 const BN_ULONG *n0);
-            int bn_mul_mont_t4_16(BN_ULONG *rp, const BN_ULONG *ap,
-                                  const BN_ULONG *bp, const BN_ULONG *np,
-                                  const BN_ULONG *n0);
-            int bn_mul_mont_t4_24(BN_ULONG *rp, const BN_ULONG *ap,
-                                  const BN_ULONG *bp, const BN_ULONG *np,
-                                  const BN_ULONG *n0);
-            int bn_mul_mont_t4_32(BN_ULONG *rp, const BN_ULONG *ap,
-                                  const BN_ULONG *bp, const BN_ULONG *np,
-                                  const BN_ULONG *n0);
-            static const bn_mul_mont_f funcs[4] = {
-                bn_mul_mont_t4_8, bn_mul_mont_t4_16,
-                bn_mul_mont_t4_24, bn_mul_mont_t4_32
-            };
-            bn_mul_mont_f worker = funcs[num / 16 - 1];
-
-            if ((*worker) (rp, ap, bp, np, n0))
-                return 1;
-            /* retry once and fall back */
-            if ((*worker) (rp, ap, bp, np, n0))
-                return 1;
-            return bn_mul_mont_vis3(rp, ap, bp, np, n0, num);
-        }
-        if ((OPENSSL_sparcv9cap_P[0] & SPARCV9_VIS3))
-            return bn_mul_mont_vis3(rp, ap, bp, np, n0, num);
-        else if (num >= 8 &&
-                 /*
-                  * bn_mul_mont_fpu doesn't use FMADD, we just use the
-                  * flag to detect when FPU path is preferable in cases
-                  * when current heuristics is unreliable. [it works
-                  * out because FMADD-capable processors where FPU
-                  * code path is undesirable are also VIS3-capable and
-                  * VIS3 code path takes precedence.]
-                  */
-                 ( (OPENSSL_sparcv9cap_P[0] & SPARCV9_FMADD) ||
-                   (OPENSSL_sparcv9cap_P[0] &
-                    (SPARCV9_PREFER_FPU | SPARCV9_VIS1)) ==
-                   (SPARCV9_PREFER_FPU | SPARCV9_VIS1) ))
-            return bn_mul_mont_fpu(rp, ap, bp, np, n0, num);
-    }
-    return bn_mul_mont_int(rp, ap, bp, np, n0, num);
-}

+ 0 - 656
libs/openssl/crypto/bn/rsaz_exp_x2.c

@@ -1,656 +0,0 @@
-/*
- * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2020-2021, Intel Corporation. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- *
- *
- * Originally written by Sergey Kirillov and Andrey Matyukov.
- * Special thanks to Ilya Albrekht for his valuable hints.
- * Intel Corporation
- *
- */
-
-#include <openssl/opensslconf.h>
-#include <openssl/crypto.h>
-#include "rsaz_exp.h"
-
-#ifndef RSAZ_ENABLED
-NON_EMPTY_TRANSLATION_UNIT
-#else
-# include <assert.h>
-# include <string.h>
-
-# define ALIGN_OF(ptr, boundary) \
-    ((unsigned char *)(ptr) + (boundary - (((size_t)(ptr)) & (boundary - 1))))
-
-/* Internal radix */
-# define DIGIT_SIZE (52)
-/* 52-bit mask */
-# define DIGIT_MASK ((uint64_t)0xFFFFFFFFFFFFF)
-
-# define BITS2WORD8_SIZE(x)  (((x) + 7) >> 3)
-# define BITS2WORD64_SIZE(x) (((x) + 63) >> 6)
-
-/* Number of registers required to hold |digits_num| amount of qword digits */
-# define NUMBER_OF_REGISTERS(digits_num, register_size)            \
-    (((digits_num) * 64 + (register_size) - 1) / (register_size))
-
-static ossl_inline uint64_t get_digit(const uint8_t *in, int in_len);
-static ossl_inline void put_digit(uint8_t *out, int out_len, uint64_t digit);
-static void to_words52(BN_ULONG *out, int out_len, const BN_ULONG *in,
-                       int in_bitsize);
-static void from_words52(BN_ULONG *bn_out, int out_bitsize, const BN_ULONG *in);
-static ossl_inline void set_bit(BN_ULONG *a, int idx);
-
-/* Number of |digit_size|-bit digits in |bitsize|-bit value */
-static ossl_inline int number_of_digits(int bitsize, int digit_size)
-{
-    return (bitsize + digit_size - 1) / digit_size;
-}
-
-/*
- * For details of the methods declared below please refer to
- *    crypto/bn/asm/rsaz-avx512.pl
- *
- * Naming conventions:
- *  amm = Almost Montgomery Multiplication
- *  ams = Almost Montgomery Squaring
- *  52xZZ - data represented as array of ZZ digits in 52-bit radix
- *  _x1_/_x2_ - 1 or 2 independent inputs/outputs
- *  _ifma256 - uses 256-bit wide IFMA ISA (AVX512_IFMA256)
- */
-
-void ossl_rsaz_amm52x20_x1_ifma256(BN_ULONG *res, const BN_ULONG *a,
-                                   const BN_ULONG *b, const BN_ULONG *m,
-                                   BN_ULONG k0);
-void ossl_rsaz_amm52x20_x2_ifma256(BN_ULONG *out, const BN_ULONG *a,
-                                   const BN_ULONG *b, const BN_ULONG *m,
-                                   const BN_ULONG k0[2]);
-void ossl_extract_multiplier_2x20_win5(BN_ULONG *red_Y,
-                                       const BN_ULONG *red_table,
-                                       int red_table_idx1, int red_table_idx2);
-
-void ossl_rsaz_amm52x30_x1_ifma256(BN_ULONG *res, const BN_ULONG *a,
-                                   const BN_ULONG *b, const BN_ULONG *m,
-                                   BN_ULONG k0);
-void ossl_rsaz_amm52x30_x2_ifma256(BN_ULONG *out, const BN_ULONG *a,
-                                   const BN_ULONG *b, const BN_ULONG *m,
-                                   const BN_ULONG k0[2]);
-void ossl_extract_multiplier_2x30_win5(BN_ULONG *red_Y,
-                                       const BN_ULONG *red_table,
-                                       int red_table_idx1, int red_table_idx2);
-
-void ossl_rsaz_amm52x40_x1_ifma256(BN_ULONG *res, const BN_ULONG *a,
-                                   const BN_ULONG *b, const BN_ULONG *m,
-                                   BN_ULONG k0);
-void ossl_rsaz_amm52x40_x2_ifma256(BN_ULONG *out, const BN_ULONG *a,
-                                   const BN_ULONG *b, const BN_ULONG *m,
-                                   const BN_ULONG k0[2]);
-void ossl_extract_multiplier_2x40_win5(BN_ULONG *red_Y,
-                                       const BN_ULONG *red_table,
-                                       int red_table_idx1, int red_table_idx2);
-
-static int RSAZ_mod_exp_x2_ifma256(BN_ULONG *res, const BN_ULONG *base,
-                                   const BN_ULONG *exp[2], const BN_ULONG *m,
-                                   const BN_ULONG *rr, const BN_ULONG k0[2],
-                                   int modulus_bitsize);
-
-/*
- * Dual Montgomery modular exponentiation using prime moduli of the
- * same bit size, optimized with AVX512 ISA.
- *
- * Input and output parameters for each exponentiation are independent and
- * denoted here by index |i|, i = 1..2.
- *
- * Input and output are all in regular 2^64 radix.
- *
- * Each moduli shall be |factor_size| bit size.
- *
- * Supported cases:
- *   - 2x1024
- *   - 2x1536
- *   - 2x2048
- *
- *  [out] res|i|      - result of modular exponentiation: array of qword values
- *                      in regular (2^64) radix. Size of array shall be enough
- *                      to hold |factor_size| bits.
- *  [in]  base|i|     - base
- *  [in]  exp|i|      - exponent
- *  [in]  m|i|        - moduli
- *  [in]  rr|i|       - Montgomery parameter RR = R^2 mod m|i|
- *  [in]  k0_|i|      - Montgomery parameter k0 = -1/m|i| mod 2^64
- *  [in]  factor_size - moduli bit size
- *
- * \return 0 in case of failure,
- *         1 in case of success.
- */
-int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1,
-                                const BN_ULONG *base1,
-                                const BN_ULONG *exp1,
-                                const BN_ULONG *m1,
-                                const BN_ULONG *rr1,
-                                BN_ULONG k0_1,
-                                BN_ULONG *res2,
-                                const BN_ULONG *base2,
-                                const BN_ULONG *exp2,
-                                const BN_ULONG *m2,
-                                const BN_ULONG *rr2,
-                                BN_ULONG k0_2,
-                                int factor_size)
-{
-    typedef void (*AMM)(BN_ULONG *res, const BN_ULONG *a,
-                        const BN_ULONG *b, const BN_ULONG *m, BN_ULONG k0);
-    int ret = 0;
-
-    /*
-     * Number of word-size (BN_ULONG) digits to store exponent in redundant
-     * representation.
-     */
-    int exp_digits = number_of_digits(factor_size + 2, DIGIT_SIZE);
-    int coeff_pow = 4 * (DIGIT_SIZE * exp_digits - factor_size);
-
-    /*  Number of YMM registers required to store exponent's digits */
-    int ymm_regs_num = NUMBER_OF_REGISTERS(exp_digits, 256 /* ymm bit size */);
-    /* Capacity of the register set (in qwords) to store exponent */
-    int regs_capacity = ymm_regs_num * 4;
-
-    BN_ULONG *base1_red, *m1_red, *rr1_red;
-    BN_ULONG *base2_red, *m2_red, *rr2_red;
-    BN_ULONG *coeff_red;
-    BN_ULONG *storage = NULL;
-    BN_ULONG *storage_aligned = NULL;
-    int storage_len_bytes = 7 * regs_capacity * sizeof(BN_ULONG)
-                           + 64 /* alignment */;
-
-    const BN_ULONG *exp[2] = {0};
-    BN_ULONG k0[2] = {0};
-    /* AMM = Almost Montgomery Multiplication */
-    AMM amm = NULL;
-
-    switch (factor_size) {
-    case 1024:
-        amm = ossl_rsaz_amm52x20_x1_ifma256;
-        break;
-    case 1536:
-        amm = ossl_rsaz_amm52x30_x1_ifma256;
-        break;
-    case 2048:
-        amm = ossl_rsaz_amm52x40_x1_ifma256;
-        break;
-    default:
-        goto err;
-    }
-
-    storage = (BN_ULONG *)OPENSSL_malloc(storage_len_bytes);
-    if (storage == NULL)
-        goto err;
-    storage_aligned = (BN_ULONG *)ALIGN_OF(storage, 64);
-
-    /* Memory layout for red(undant) representations */
-    base1_red = storage_aligned;
-    base2_red = storage_aligned + 1 * regs_capacity;
-    m1_red    = storage_aligned + 2 * regs_capacity;
-    m2_red    = storage_aligned + 3 * regs_capacity;
-    rr1_red   = storage_aligned + 4 * regs_capacity;
-    rr2_red   = storage_aligned + 5 * regs_capacity;
-    coeff_red = storage_aligned + 6 * regs_capacity;
-
-    /* Convert base_i, m_i, rr_i, from regular to 52-bit radix */
-    to_words52(base1_red, regs_capacity, base1, factor_size);
-    to_words52(base2_red, regs_capacity, base2, factor_size);
-    to_words52(m1_red,    regs_capacity, m1,    factor_size);
-    to_words52(m2_red,    regs_capacity, m2,    factor_size);
-    to_words52(rr1_red,   regs_capacity, rr1,   factor_size);
-    to_words52(rr2_red,   regs_capacity, rr2,   factor_size);
-
-    /*
-     * Compute target domain Montgomery converters RR' for each modulus
-     * based on precomputed original domain's RR.
-     *
-     * RR -> RR' transformation steps:
-     *  (1) coeff = 2^k
-     *  (2) t = AMM(RR,RR) = RR^2 / R' mod m
-     *  (3) RR' = AMM(t, coeff) = RR^2 * 2^k / R'^2 mod m
-     * where
-     *  k = 4 * (52 * digits52 - modlen)
-     *  R  = 2^(64 * ceil(modlen/64)) mod m
-     *  RR = R^2 mod m
-     *  R' = 2^(52 * ceil(modlen/52)) mod m
-     *
-     *  EX/ modlen = 1024: k = 64, RR = 2^2048 mod m, RR' = 2^2080 mod m
-     */
-    memset(coeff_red, 0, exp_digits * sizeof(BN_ULONG));
-    /* (1) in reduced domain representation */
-    set_bit(coeff_red, 64 * (int)(coeff_pow / 52) + coeff_pow % 52);
-
-    amm(rr1_red, rr1_red, rr1_red, m1_red, k0_1);     /* (2) for m1 */
-    amm(rr1_red, rr1_red, coeff_red, m1_red, k0_1);   /* (3) for m1 */
-
-    amm(rr2_red, rr2_red, rr2_red, m2_red, k0_2);     /* (2) for m2 */
-    amm(rr2_red, rr2_red, coeff_red, m2_red, k0_2);   /* (3) for m2 */
-
-    exp[0] = exp1;
-    exp[1] = exp2;
-
-    k0[0] = k0_1;
-    k0[1] = k0_2;
-
-    /* Dual (2-exps in parallel) exponentiation */
-    ret = RSAZ_mod_exp_x2_ifma256(rr1_red, base1_red, exp, m1_red, rr1_red,
-                                  k0, factor_size);
-    if (!ret)
-        goto err;
-
-    /* Convert rr_i back to regular radix */
-    from_words52(res1, factor_size, rr1_red);
-    from_words52(res2, factor_size, rr2_red);
-
-    /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */
-    factor_size /= sizeof(BN_ULONG) * 8;
-
-    bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size);
-    bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size);
-err:
-    if (storage != NULL) {
-        OPENSSL_cleanse(storage, storage_len_bytes);
-        OPENSSL_free(storage);
-    }
-    return ret;
-}
-
-/*
- * Dual {1024,1536,2048}-bit w-ary modular exponentiation using prime moduli of
- * the same bit size using Almost Montgomery Multiplication, optimized with
- * AVX512_IFMA256 ISA.
- *
- * The parameter w (window size) = 5.
- *
- *  [out] res      - result of modular exponentiation: 2x{20,30,40} qword
- *                   values in 2^52 radix.
- *  [in]  base     - base (2x{20,30,40} qword values in 2^52 radix)
- *  [in]  exp      - array of 2 pointers to {16,24,32} qword values in 2^64 radix.
- *                   Exponent is not converted to redundant representation.
- *  [in]  m        - moduli (2x{20,30,40} qword values in 2^52 radix)
- *  [in]  rr       - Montgomery parameter for 2 moduli:
- *                     RR(1024) = 2^2080 mod m.
- *                     RR(1536) = 2^3120 mod m.
- *                     RR(2048) = 2^4160 mod m.
- *                   (2x{20,30,40} qword values in 2^52 radix)
- *  [in]  k0       - Montgomery parameter for 2 moduli: k0 = -1/m mod 2^64
- *
- * \return (void).
- */
-int RSAZ_mod_exp_x2_ifma256(BN_ULONG *out,
-                            const BN_ULONG *base,
-                            const BN_ULONG *exp[2],
-                            const BN_ULONG *m,
-                            const BN_ULONG *rr,
-                            const BN_ULONG k0[2],
-                            int modulus_bitsize)
-{
-    typedef void (*DAMM)(BN_ULONG *res, const BN_ULONG *a,
-                         const BN_ULONG *b, const BN_ULONG *m,
-                         const BN_ULONG k0[2]);
-    typedef void (*DEXTRACT)(BN_ULONG *res, const BN_ULONG *red_table,
-                             int red_table_idx, int tbl_idx);
-
-    int ret = 0;
-    int idx;
-
-    /* Exponent window size */
-    int exp_win_size = 5;
-    int exp_win_mask = (1U << exp_win_size) - 1;
-
-    /*
-    * Number of digits (64-bit words) in redundant representation to handle
-    * modulus bits
-    */
-    int red_digits = 0;
-    int exp_digits = 0;
-
-    BN_ULONG *storage = NULL;
-    BN_ULONG *storage_aligned = NULL;
-    int storage_len_bytes = 0;
-
-    /* Red(undant) result Y and multiplier X */
-    BN_ULONG *red_Y = NULL;     /* [2][red_digits] */
-    BN_ULONG *red_X = NULL;     /* [2][red_digits] */
-    /* Pre-computed table of base powers */
-    BN_ULONG *red_table = NULL; /* [1U << exp_win_size][2][red_digits] */
-    /* Expanded exponent */
-    BN_ULONG *expz = NULL;      /* [2][exp_digits + 1] */
-
-    /* Dual AMM */
-    DAMM damm = NULL;
-    /* Extractor from red_table */
-    DEXTRACT extract = NULL;
-
-/*
- * Squaring is done using multiplication now. That can be a subject of
- * optimization in future.
- */
-# define DAMS(r,a,m,k0) damm((r),(a),(a),(m),(k0))
-
-    switch (modulus_bitsize) {
-    case 1024:
-        red_digits = 20;
-        exp_digits = 16;
-        damm = ossl_rsaz_amm52x20_x2_ifma256;
-        extract = ossl_extract_multiplier_2x20_win5;
-        break;
-    case 1536:
-        /* Extended with 2 digits padding to avoid mask ops in high YMM register */
-        red_digits = 30 + 2;
-        exp_digits = 24;
-        damm = ossl_rsaz_amm52x30_x2_ifma256;
-        extract = ossl_extract_multiplier_2x30_win5;
-        break;
-    case 2048:
-        red_digits = 40;
-        exp_digits = 32;
-        damm = ossl_rsaz_amm52x40_x2_ifma256;
-        extract = ossl_extract_multiplier_2x40_win5;
-        break;
-    default:
-        goto err;
-    }
-
-    storage_len_bytes = (2 * red_digits                         /* red_Y     */
-                       + 2 * red_digits                         /* red_X     */
-                       + 2 * red_digits * (1U << exp_win_size)  /* red_table */
-                       + 2 * (exp_digits + 1))                  /* expz      */
-                       * sizeof(BN_ULONG)
-                       + 64;                                    /* alignment */
-
-    storage = (BN_ULONG *)OPENSSL_zalloc(storage_len_bytes);
-    if (storage == NULL)
-        goto err;
-    storage_aligned = (BN_ULONG *)ALIGN_OF(storage, 64);
-
-    red_Y     = storage_aligned;
-    red_X     = red_Y + 2 * red_digits;
-    red_table = red_X + 2 * red_digits;
-    expz      = red_table + 2 * red_digits * (1U << exp_win_size);
-
-    /*
-     * Compute table of powers base^i, i = 0, ..., (2^EXP_WIN_SIZE) - 1
-     *   table[0] = mont(x^0) = mont(1)
-     *   table[1] = mont(x^1) = mont(x)
-     */
-    red_X[0 * red_digits] = 1;
-    red_X[1 * red_digits] = 1;
-    damm(&red_table[0 * 2 * red_digits], (const BN_ULONG*)red_X, rr, m, k0);
-    damm(&red_table[1 * 2 * red_digits], base,  rr, m, k0);
-
-    for (idx = 1; idx < (int)((1U << exp_win_size) / 2); idx++) {
-        DAMS(&red_table[(2 * idx + 0) * 2 * red_digits],
-             &red_table[(1 * idx)     * 2 * red_digits], m, k0);
-        damm(&red_table[(2 * idx + 1) * 2 * red_digits],
-             &red_table[(2 * idx)     * 2 * red_digits],
-             &red_table[1 * 2 * red_digits], m, k0);
-    }
-
-    /* Copy and expand exponents */
-    memcpy(&expz[0 * (exp_digits + 1)], exp[0], exp_digits * sizeof(BN_ULONG));
-    expz[1 * (exp_digits + 1) - 1] = 0;
-    memcpy(&expz[1 * (exp_digits + 1)], exp[1], exp_digits * sizeof(BN_ULONG));
-    expz[2 * (exp_digits + 1) - 1] = 0;
-
-    /* Exponentiation */
-    {
-        int rem = modulus_bitsize % exp_win_size;
-        int delta = rem ? rem : exp_win_size;
-        BN_ULONG table_idx_mask = exp_win_mask;
-
-        int exp_bit_no = modulus_bitsize - delta;
-        int exp_chunk_no = exp_bit_no / 64;
-        int exp_chunk_shift = exp_bit_no % 64;
-
-        BN_ULONG red_table_idx_0, red_table_idx_1;
-
-        /*
-         * If rem == 0, then
-         *      exp_bit_no = modulus_bitsize - exp_win_size
-         * However, this isn't possible because rem is { 1024, 1536, 2048 } % 5
-         * which is { 4, 1, 3 } respectively.
-         *
-         * If this assertion ever fails the fix above is easy.
-         */
-        OPENSSL_assert(rem != 0);
-
-        /* Process 1-st exp window - just init result */
-        red_table_idx_0 = expz[exp_chunk_no + 0 * (exp_digits + 1)];
-        red_table_idx_1 = expz[exp_chunk_no + 1 * (exp_digits + 1)];
-        /*
-         * The function operates with fixed moduli sizes divisible by 64,
-         * thus table index here is always in supported range [0, EXP_WIN_SIZE).
-         */
-        red_table_idx_0 >>= exp_chunk_shift;
-        red_table_idx_1 >>= exp_chunk_shift;
-
-        extract(&red_Y[0 * red_digits], (const BN_ULONG*)red_table, (int)red_table_idx_0, (int)red_table_idx_1);
-
-        /* Process other exp windows */
-        for (exp_bit_no -= exp_win_size; exp_bit_no >= 0; exp_bit_no -= exp_win_size) {
-            /* Extract pre-computed multiplier from the table */
-            {
-                BN_ULONG T;
-
-                exp_chunk_no = exp_bit_no / 64;
-                exp_chunk_shift = exp_bit_no % 64;
-                {
-                    red_table_idx_0 = expz[exp_chunk_no + 0 * (exp_digits + 1)];
-                    T = expz[exp_chunk_no + 1 + 0 * (exp_digits + 1)];
-
-                    red_table_idx_0 >>= exp_chunk_shift;
-                    /*
-                     * Get additional bits from then next quadword
-                     * when 64-bit boundaries are crossed.
-                     */
-                    if (exp_chunk_shift > 64 - exp_win_size) {
-                        T <<= (64 - exp_chunk_shift);
-                        red_table_idx_0 ^= T;
-                    }
-                    red_table_idx_0 &= table_idx_mask;
-                }
-                {
-                    red_table_idx_1 = expz[exp_chunk_no + 1 * (exp_digits + 1)];
-                    T = expz[exp_chunk_no + 1 + 1 * (exp_digits + 1)];
-
-                    red_table_idx_1 >>= exp_chunk_shift;
-                    /*
-                     * Get additional bits from then next quadword
-                     * when 64-bit boundaries are crossed.
-                     */
-                    if (exp_chunk_shift > 64 - exp_win_size) {
-                        T <<= (64 - exp_chunk_shift);
-                        red_table_idx_1 ^= T;
-                    }
-                    red_table_idx_1 &= table_idx_mask;
-                }
-
-                extract(&red_X[0 * red_digits], (const BN_ULONG*)red_table, (int)red_table_idx_0, (int)red_table_idx_1);
-            }
-
-            /* Series of squaring */
-            DAMS((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, m, k0);
-            DAMS((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, m, k0);
-            DAMS((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, m, k0);
-            DAMS((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, m, k0);
-            DAMS((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, m, k0);
-
-            damm((BN_ULONG*)red_Y, (const BN_ULONG*)red_Y, (const BN_ULONG*)red_X, m, k0);
-        }
-    }
-
-    /*
-     *
-     * NB: After the last AMM of exponentiation in Montgomery domain, the result
-     * may be (modulus_bitsize + 1), but the conversion out of Montgomery domain
-     * performs an AMM(x,1) which guarantees that the final result is less than
-     * |m|, so no conditional subtraction is needed here. See [1] for details.
-     *
-     * [1] Gueron, S. Efficient software implementations of modular exponentiation.
-     *     DOI: 10.1007/s13389-012-0031-5
-     */
-
-    /* Convert result back in regular 2^52 domain */
-    memset(red_X, 0, 2 * red_digits * sizeof(BN_ULONG));
-    red_X[0 * red_digits] = 1;
-    red_X[1 * red_digits] = 1;
-    damm(out, (const BN_ULONG*)red_Y, (const BN_ULONG*)red_X, m, k0);
-
-    ret = 1;
-
-err:
-    if (storage != NULL) {
-        /* Clear whole storage */
-        OPENSSL_cleanse(storage, storage_len_bytes);
-        OPENSSL_free(storage);
-    }
-
-#undef DAMS
-    return ret;
-}
-
-static ossl_inline uint64_t get_digit(const uint8_t *in, int in_len)
-{
-    uint64_t digit = 0;
-
-    assert(in != NULL);
-    assert(in_len <= 8);
-
-    for (; in_len > 0; in_len--) {
-        digit <<= 8;
-        digit += (uint64_t)(in[in_len - 1]);
-    }
-    return digit;
-}
-
-/*
- * Convert array of words in regular (base=2^64) representation to array of
- * words in redundant (base=2^52) one.
- */
-static void to_words52(BN_ULONG *out, int out_len,
-                       const BN_ULONG *in, int in_bitsize)
-{
-    uint8_t *in_str = NULL;
-
-    assert(out != NULL);
-    assert(in != NULL);
-    /* Check destination buffer capacity */
-    assert(out_len >= number_of_digits(in_bitsize, DIGIT_SIZE));
-
-    in_str = (uint8_t *)in;
-
-    for (; in_bitsize >= (2 * DIGIT_SIZE); in_bitsize -= (2 * DIGIT_SIZE), out += 2) {
-        uint64_t digit;
-
-        memcpy(&digit, in_str, sizeof(digit));
-        out[0] = digit & DIGIT_MASK;
-        in_str += 6;
-        memcpy(&digit, in_str, sizeof(digit));
-        out[1] = (digit >> 4) & DIGIT_MASK;
-        in_str += 7;
-        out_len -= 2;
-    }
-
-    if (in_bitsize > DIGIT_SIZE) {
-        uint64_t digit = get_digit(in_str, 7);
-
-        out[0] = digit & DIGIT_MASK;
-        in_str += 6;
-        in_bitsize -= DIGIT_SIZE;
-        digit = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize));
-        out[1] = digit >> 4;
-        out += 2;
-        out_len -= 2;
-    } else if (in_bitsize > 0) {
-        out[0] = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize));
-        out++;
-        out_len--;
-    }
-
-    while (out_len > 0) {
-        *out = 0;
-        out_len--;
-        out++;
-    }
-}
-
-static ossl_inline void put_digit(uint8_t *out, int out_len, uint64_t digit)
-{
-    assert(out != NULL);
-    assert(out_len <= 8);
-
-    for (; out_len > 0; out_len--) {
-        *out++ = (uint8_t)(digit & 0xFF);
-        digit >>= 8;
-    }
-}
-
-/*
- * Convert array of words in redundant (base=2^52) representation to array of
- * words in regular (base=2^64) one.
- */
-static void from_words52(BN_ULONG *out, int out_bitsize, const BN_ULONG *in)
-{
-    int i;
-    int out_len = BITS2WORD64_SIZE(out_bitsize);
-
-    assert(out != NULL);
-    assert(in != NULL);
-
-    for (i = 0; i < out_len; i++)
-        out[i] = 0;
-
-    {
-        uint8_t *out_str = (uint8_t *)out;
-
-        for (; out_bitsize >= (2 * DIGIT_SIZE);
-               out_bitsize -= (2 * DIGIT_SIZE), in += 2) {
-            uint64_t digit;
-
-            digit = in[0];
-            memcpy(out_str, &digit, sizeof(digit));
-            out_str += 6;
-            digit = digit >> 48 | in[1] << 4;
-            memcpy(out_str, &digit, sizeof(digit));
-            out_str += 7;
-        }
-
-        if (out_bitsize > DIGIT_SIZE) {
-            put_digit(out_str, 7, in[0]);
-            out_str += 6;
-            out_bitsize -= DIGIT_SIZE;
-            put_digit(out_str, BITS2WORD8_SIZE(out_bitsize),
-                        (in[1] << 4 | in[0] >> 48));
-        } else if (out_bitsize) {
-            put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), in[0]);
-        }
-    }
-}
-
-/*
- * Set bit at index |idx| in the words array |a|.
- * It does not do any boundaries checks, make sure the index is valid before
- * calling the function.
- */
-static ossl_inline void set_bit(BN_ULONG *a, int idx)
-{
-    assert(a != NULL);
-
-    {
-        int i, j;
-
-        i = idx / BN_BITS2;
-        j = idx % BN_BITS2;
-        a[i] |= (((BN_ULONG)1) << j);
-    }
-}
-
-#endif

+ 36 - 0
libs/openssl/crypto/cast/asm/cast_586.asm

@@ -1,3 +1,4 @@
+
 %ifidn __OUTPUT_FORMAT__,obj
 section	code	use32 class=code align=256
 %elifidn __OUTPUT_FORMAT__,win32
@@ -826,21 +827,56 @@ L$006PIC_point:
 	xor	edx,edx
 	jmp	ebp
 L$008ej7:
+	
+
+
+
+
 	mov	dh,BYTE [6+esi]
 	shl	edx,8
 L$009ej6:
+	
+
+
+
+
 	mov	dh,BYTE [5+esi]
 L$010ej5:
+	
+
+
+
+
 	mov	dl,BYTE [4+esi]
 L$011ej4:
+	
+
+
+
+
 	mov	ecx,DWORD [esi]
 	jmp	NEAR L$012ejend
 L$013ej3:
+	
+
+
+
+
 	mov	ch,BYTE [2+esi]
 	shl	ecx,8
 L$014ej2:
+	
+
+
+
+
 	mov	ch,BYTE [1+esi]
 L$015ej1:
+	
+
+
+
+
 	mov	cl,BYTE [esi]
 L$012ejend:
 	xor	eax,ecx

+ 0 - 1157
libs/openssl/crypto/chacha/asm/chacha-armv8-sve.pl

@@ -1,1157 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2022-2023  The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-#
-# ChaCha20 for ARMv8 via SVE
-#
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-die "can't locate arm-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour \"$output\""
-    or die "can't call $xlate: $!";
-*STDOUT=*OUT;
-
-sub AUTOLOAD()		# thunk [simplified] x86-style perlasm
-{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
-  my $arg = pop;
-    $arg = "#$arg" if ($arg*1 eq $arg);
-    $code .= "\t$opcode\t".join(',',@_,$arg)."\n";
-}
-
-my ($outp,$inp,$len,$key,$ctr) = map("x$_",(0..4));
-my ($veclen) = ("x5");
-my ($counter) = ("x6");
-my ($counter_w) = ("w6");
-my @xx=(7..22);
-my @sxx=map("x$_",@xx);
-my @sx=map("w$_",@xx);
-my @K=map("x$_",(23..30));
-my @elem=(0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15);
-my @KL=map("w$_",(23..30));
-my @mx=map("z$_",@elem);
-my @vx=map("v$_",@elem);
-my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
-    $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = @mx;
-my ($zctr) = ("z16");
-my @tt=(17..24);
-my @xt=map("z$_",@tt);
-my @vt=map("v$_",@tt);
-my @perm=map("z$_",(25..30));
-my ($rot8) = ("z31");
-my @bak=(@perm[0],@perm[1],@perm[2],@perm[3],@perm[4],@perm[5],@xt[4],@xt[5],@xt[6],@xt[7],@xt[0],@xt[1],$zctr,@xt[2],@xt[3],$rot8);
-my $debug_encoder=0;
-
-sub SVE_ADD() {
-	my $x = shift;
-	my $y = shift;
-
-$code.=<<___;
-	add	@mx[$x].s,@mx[$x].s,@mx[$y].s
-	.if mixin == 1
-		add	@sx[$x],@sx[$x],@sx[$y]
-	.endif
-___
-	if (@_) {
-		&SVE_ADD(@_);
-	}
-}
-
-sub SVE_EOR() {
-	my $x = shift;
-	my $y = shift;
-
-$code.=<<___;
-	eor	@mx[$x].d,@mx[$x].d,@mx[$y].d
-	.if mixin == 1
-		eor	@sx[$x],@sx[$x],@sx[$y]
-	.endif
-___
-	if (@_) {
-		&SVE_EOR(@_);
-	}
-}
-
-sub SVE_LSL() {
-	my $bits = shift;
-	my $x = shift;
-	my $y = shift;
-	my $next = $x + 1;
-
-$code.=<<___;
-	lsl	@xt[$x].s,@mx[$y].s,$bits
-___
-	if (@_) {
-		&SVE_LSL($bits,$next,@_);
-	}
-}
-
-sub SVE_LSR() {
-	my $bits = shift;
-	my $x = shift;
-
-$code.=<<___;
-	lsr	@mx[$x].s,@mx[$x].s,$bits
-	.if mixin == 1
-		ror	@sx[$x],@sx[$x],$bits
-	.endif
-___
-	if (@_) {
-		&SVE_LSR($bits,@_);
-	}
-}
-
-sub SVE_ORR() {
-	my $x = shift;
-	my $y = shift;
-	my $next = $x + 1;
-
-$code.=<<___;
-	orr	@mx[$y].d,@mx[$y].d,@xt[$x].d
-___
-	if (@_) {
-		&SVE_ORR($next,@_);
-	}
-}
-
-sub SVE_REV16() {
-	my $x = shift;
-
-$code.=<<___;
-	revh	@mx[$x].s,p0/m,@mx[$x].s
-	.if mixin == 1
-		ror	@sx[$x],@sx[$x],#16
-	.endif
-___
-	if (@_) {
-		&SVE_REV16(@_);
-	}
-}
-
-sub SVE_ROT8() {
-	my $x = shift;
-
-$code.=<<___;
-	tbl	@mx[$x].b,{@mx[$x].b},$rot8.b
-	.if mixin == 1
-		ror	@sx[$x],@sx[$x],#24
-	.endif
-___
-	if (@_) {
-		&SVE_ROT8(@_);
-	}
-}
-
-sub SVE2_XAR() {
-	my $bits = shift;
-	my $x = shift;
-	my $y = shift;
-	my $rbits = 32-$bits;
-
-$code.=<<___;
-	.if mixin == 1
-		eor	@sx[$x],@sx[$x],@sx[$y]
-	.endif
-	xar	@mx[$x].s,@mx[$x].s,@mx[$y].s,$rbits
-	.if mixin == 1
-		ror	@sx[$x],@sx[$x],$rbits
-	.endif
-___
-	if (@_) {
-		&SVE2_XAR($bits,@_);
-	}
-}
-
-sub SVE2_QR_GROUP() {
-	my ($a0,$b0,$c0,$d0,$a1,$b1,$c1,$d1,$a2,$b2,$c2,$d2,$a3,$b3,$c3,$d3) = @_;
-
-	&SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3);
-	&SVE2_XAR(16,$d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3);
-
-	&SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3);
-	&SVE2_XAR(12,$b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3);
-
-	&SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3);
-	&SVE2_XAR(8,$d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3);
-
-	&SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3);
-	&SVE2_XAR(7,$b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3);
-}
-
-sub SVE_QR_GROUP() {
-	my ($a0,$b0,$c0,$d0,$a1,$b1,$c1,$d1,$a2,$b2,$c2,$d2,$a3,$b3,$c3,$d3) = @_;
-
-	&SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3);
-	&SVE_EOR($d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3);
-	&SVE_REV16($d0,$d1,$d2,$d3);
-
-	&SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3);
-	&SVE_EOR($b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3);
-	&SVE_LSL(12,0,$b0,$b1,$b2,$b3);
-	&SVE_LSR(20,$b0,$b1,$b2,$b3);
-	&SVE_ORR(0,$b0,$b1,$b2,$b3);
-
-	&SVE_ADD($a0,$b0,$a1,$b1,$a2,$b2,$a3,$b3);
-	&SVE_EOR($d0,$a0,$d1,$a1,$d2,$a2,$d3,$a3);
-	&SVE_ROT8($d0,$d1,$d2,$d3);
-
-	&SVE_ADD($c0,$d0,$c1,$d1,$c2,$d2,$c3,$d3);
-	&SVE_EOR($b0,$c0,$b1,$c1,$b2,$c2,$b3,$c3);
-	&SVE_LSL(7,0,$b0,$b1,$b2,$b3);
-	&SVE_LSR(25,$b0,$b1,$b2,$b3);
-	&SVE_ORR(0,$b0,$b1,$b2,$b3);
-}
-
-sub SVE_INNER_BLOCK() {
-$code.=<<___;
-	mov	$counter,#10
-10:
-.align	5
-___
-	&SVE_QR_GROUP(0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15);
-	&SVE_QR_GROUP(0,5,10,15,1,6,11,12,2,7,8,13,3,4,9,14);
-$code.=<<___;
-	sub	$counter,$counter,1
-	cbnz	$counter,10b
-___
-}
-
-sub SVE2_INNER_BLOCK() {
-$code.=<<___;
-	mov	$counter,#10
-10:
-.align	5
-___
-	&SVE2_QR_GROUP(0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15);
-	&SVE2_QR_GROUP(0,5,10,15,1,6,11,12,2,7,8,13,3,4,9,14);
-$code.=<<___;
-	sub	$counter,$counter,1
-	cbnz	$counter,10b
-___
-}
-
-sub load_regs() {
-	my $offset = shift;
-	my $reg = shift;
-	my $next_offset = $offset + 1;
-$code.=<<___;
-	ld1w	{$reg.s},p0/z,[$inp,#$offset,MUL VL]
-#ifdef  __AARCH64EB__
-	revb    $reg.s,p0/m,$reg.s
-#endif
-___
-	if (@_) {
-		&load_regs($next_offset, @_);
-	} else {
-$code.=<<___;
-	addvl	$inp,$inp,$next_offset
-___
-	}
-}
-
-sub load() {
-	if (@_) {
-		&load_regs(0, @_);
-	}
-}
-
-sub store_regs() {
-	my $offset = shift;
-	my $reg = shift;
-	my $next_offset = $offset + 1;
-$code.=<<___;
-#ifdef  __AARCH64EB__
-	revb	$reg.s,p0/m,$reg.s
-#endif
-	st1w	{$reg.s},p0,[$outp,#$offset,MUL VL]
-___
-	if (@_) {
-		&store_regs($next_offset, @_);
-	} else {
-$code.=<<___;
-	addvl	$outp,$outp,$next_offset
-___
-	}
-}
-
-sub store() {
-	if (@_) {
-		&store_regs(0, @_);
-	}
-}
-
-sub transpose() {
-	my $xa = shift;
-	my $xb = shift;
-	my $xc = shift;
-	my $xd = shift;
-	my $xa1 = shift;
-	my $xb1 = shift;
-	my $xc1 = shift;
-	my $xd1 = shift;
-$code.=<<___;
-	zip1	@xt[0].s,$xa.s,$xb.s
-	zip2	@xt[1].s,$xa.s,$xb.s
-	zip1	@xt[2].s,$xc.s,$xd.s
-	zip2	@xt[3].s,$xc.s,$xd.s
-
-	zip1	@xt[4].s,$xa1.s,$xb1.s
-	zip2	@xt[5].s,$xa1.s,$xb1.s
-	zip1	@xt[6].s,$xc1.s,$xd1.s
-	zip2	@xt[7].s,$xc1.s,$xd1.s
-
-	zip1	$xa.d,@xt[0].d,@xt[2].d
-	zip2	$xb.d,@xt[0].d,@xt[2].d
-	zip1	$xc.d,@xt[1].d,@xt[3].d
-	zip2	$xd.d,@xt[1].d,@xt[3].d
-
-	zip1	$xa1.d,@xt[4].d,@xt[6].d
-	zip2	$xb1.d,@xt[4].d,@xt[6].d
-	zip1	$xc1.d,@xt[5].d,@xt[7].d
-	zip2	$xd1.d,@xt[5].d,@xt[7].d
-___
-}
-
-sub ACCUM() {
-	my $idx0 = shift;
-	my $idx1 = $idx0 + 1;
-	my $x0 = @sx[$idx0];
-	my $xx0 = @sxx[$idx0];
-	my $x1 = @sx[$idx1];
-	my $xx1 = @sxx[$idx1];
-	my $d = $idx0/2;
-	my ($tmp,$tmpw) = ($counter,$counter_w);
-	my $bk0 = @_ ? shift : @bak[$idx0];
-	my $bk1 = @_ ? shift : @bak[$idx1];
-
-$code.=<<___;
-	.if mixin == 1
-		add	@sx[$idx0],@sx[$idx0],@KL[$d]
-	.endif
-	add	@mx[$idx0].s,@mx[$idx0].s,$bk0.s
-	.if mixin == 1
-		add	@sxx[$idx1],@sxx[$idx1],@K[$d],lsr #32
-	.endif
-	add	@mx[$idx1].s,@mx[$idx1].s,$bk1.s
-	.if mixin == 1
-		add	@sxx[$idx0],@sxx[$idx0],$sxx[$idx1],lsl #32  // pack
-	.endif
-___
-}
-
-sub SCA_INP() {
-	my $idx0 = shift;
-	my $idx1 = $idx0 + 2;
-$code.=<<___;
-	.if mixin == 1
-		ldp	@sxx[$idx0],@sxx[$idx1],[$inp],#16
-	.endif
-___
-}
-
-sub SVE_ACCUM_STATES() {
-	my ($tmp,$tmpw) = ($counter,$counter_w);
-
-$code.=<<___;
-	lsr	$tmp,@K[5],#32
-	dup	@bak[10].s,@KL[5]
-	dup	@bak[11].s,$tmpw
-	lsr	$tmp,@K[6],#32
-	dup	@bak[13].s,$tmpw
-	lsr	$tmp,@K[7],#32
-___
-	&ACCUM(0);
-	&ACCUM(2);
-	&SCA_INP(1);
-	&ACCUM(4);
-	&ACCUM(6);
-	&SCA_INP(5);
-	&ACCUM(8);
-	&ACCUM(10);
-	&SCA_INP(9);
-$code.=<<___;
-	dup	@bak[14].s,@KL[7]
-	dup	@bak[0].s,$tmpw	// bak[15] not available for SVE
-___
-	&ACCUM(12);
-	&ACCUM(14, @bak[14],@bak[0]);
-	&SCA_INP(13);
-}
-
-sub SVE2_ACCUM_STATES() {
-	&ACCUM(0);
-	&ACCUM(2);
-	&SCA_INP(1);
-	&ACCUM(4);
-	&ACCUM(6);
-	&SCA_INP(5);
-	&ACCUM(8);
-	&ACCUM(10);
-	&SCA_INP(9);
-	&ACCUM(12);
-	&ACCUM(14);
-	&SCA_INP(13);
-}
-
-sub SCA_EOR() {
-	my $idx0 = shift;
-	my $idx1 = $idx0 + 1;
-$code.=<<___;
-	.if mixin == 1
-		eor	@sxx[$idx0],@sxx[$idx0],@sxx[$idx1]
-	.endif
-___
-}
-
-sub SCA_SAVE() {
-	my $idx0 = shift;
-	my $idx1 = shift;
-$code.=<<___;
-	.if mixin == 1
-		stp	@sxx[$idx0],@sxx[$idx1],[$outp],#16
-	.endif
-___
-}
-
-sub SVE_VL128_TRANSFORMS() {
-	&SCA_EOR(0);
-	&SCA_EOR(2);
-	&SCA_EOR(4);
-	&transpose($xa0,$xa1,$xa2,$xa3,$xb0,$xb1,$xb2,$xb3);
-	&SCA_EOR(6);
-	&SCA_EOR(8);
-	&SCA_EOR(10);
-	&transpose($xc0,$xc1,$xc2,$xc3,$xd0,$xd1,$xd2,$xd3);
-	&SCA_EOR(12);
-	&SCA_EOR(14);
-$code.=<<___;
-	ld1	{@vt[0].4s-@vt[3].4s},[$inp],#64
-	ld1	{@vt[4].4s-@vt[7].4s},[$inp],#64
-	eor	$xa0.d,$xa0.d,@xt[0].d
-	eor	$xb0.d,$xb0.d,@xt[1].d
-	eor	$xc0.d,$xc0.d,@xt[2].d
-	eor	$xd0.d,$xd0.d,@xt[3].d
-	eor	$xa1.d,$xa1.d,@xt[4].d
-	eor	$xb1.d,$xb1.d,@xt[5].d
-	eor	$xc1.d,$xc1.d,@xt[6].d
-	eor	$xd1.d,$xd1.d,@xt[7].d
-	ld1	{@vt[0].4s-@vt[3].4s},[$inp],#64
-	ld1	{@vt[4].4s-@vt[7].4s},[$inp],#64
-___
-	&SCA_SAVE(0,2);
-$code.=<<___;
-	eor	$xa2.d,$xa2.d,@xt[0].d
-	eor	$xb2.d,$xb2.d,@xt[1].d
-___
-	&SCA_SAVE(4,6);
-$code.=<<___;
-	eor	$xc2.d,$xc2.d,@xt[2].d
-	eor	$xd2.d,$xd2.d,@xt[3].d
-___
-	&SCA_SAVE(8,10);
-$code.=<<___;
-	eor	$xa3.d,$xa3.d,@xt[4].d
-	eor	$xb3.d,$xb3.d,@xt[5].d
-___
-	&SCA_SAVE(12,14);
-$code.=<<___;
-	eor	$xc3.d,$xc3.d,@xt[6].d
-	eor	$xd3.d,$xd3.d,@xt[7].d
-	st1	{@vx[0].4s-@vx[12].4s},[$outp],#64
-	st1	{@vx[1].4s-@vx[13].4s},[$outp],#64
-	st1	{@vx[2].4s-@vx[14].4s},[$outp],#64
-	st1	{@vx[3].4s-@vx[15].4s},[$outp],#64
-___
-}
-
-sub SVE_TRANSFORMS() {
-$code.=<<___;
-#ifdef	__AARCH64EB__
-	rev	@sxx[0],@sxx[0]
-	rev	@sxx[2],@sxx[2]
-	rev	@sxx[4],@sxx[4]
-	rev	@sxx[6],@sxx[6]
-	rev	@sxx[8],@sxx[8]
-	rev	@sxx[10],@sxx[10]
-	rev	@sxx[12],@sxx[12]
-	rev	@sxx[14],@sxx[14]
-#endif
-	.if mixin == 1
-		add	@K[6],@K[6],#1
-	.endif
-	cmp	$veclen,4
-	b.ne	200f
-___
-	&SVE_VL128_TRANSFORMS();
-$code.=<<___;
-	b	210f
-200:
-___
-	&transpose($xa0,$xb0,$xc0,$xd0,$xa1,$xb1,$xc1,$xd1);
-	&SCA_EOR(0);
-	&SCA_EOR(2);
-	&transpose($xa2,$xb2,$xc2,$xd2,$xa3,$xb3,$xc3,$xd3);
-	&SCA_EOR(4);
-	&SCA_EOR(6);
-	&transpose($xa0,$xa1,$xa2,$xa3,$xb0,$xb1,$xb2,$xb3);
-	&SCA_EOR(8);
-	&SCA_EOR(10);
-	&transpose($xc0,$xc1,$xc2,$xc3,$xd0,$xd1,$xd2,$xd3);
-	&SCA_EOR(12);
-	&SCA_EOR(14);
-	&load(@xt[0],@xt[1],@xt[2],@xt[3],@xt[4],@xt[5],@xt[6],@xt[7]);
-$code.=<<___;
-	eor	$xa0.d,$xa0.d,@xt[0].d
-	eor	$xa1.d,$xa1.d,@xt[1].d
-	eor	$xa2.d,$xa2.d,@xt[2].d
-	eor	$xa3.d,$xa3.d,@xt[3].d
-	eor	$xb0.d,$xb0.d,@xt[4].d
-	eor	$xb1.d,$xb1.d,@xt[5].d
-	eor	$xb2.d,$xb2.d,@xt[6].d
-	eor	$xb3.d,$xb3.d,@xt[7].d
-___
-	&load(@xt[0],@xt[1],@xt[2],@xt[3],@xt[4],@xt[5],@xt[6],@xt[7]);
-	&SCA_SAVE(0,2);
-$code.=<<___;
-	eor	$xc0.d,$xc0.d,@xt[0].d
-	eor	$xc1.d,$xc1.d,@xt[1].d
-___
-	&SCA_SAVE(4,6);
-$code.=<<___;
-	eor	$xc2.d,$xc2.d,@xt[2].d
-	eor	$xc3.d,$xc3.d,@xt[3].d
-___
-	&SCA_SAVE(8,10);
-$code.=<<___;
-	eor	$xd0.d,$xd0.d,@xt[4].d
-	eor	$xd1.d,$xd1.d,@xt[5].d
-___
-	&SCA_SAVE(12,14);
-$code.=<<___;
-	eor	$xd2.d,$xd2.d,@xt[6].d
-	eor	$xd3.d,$xd3.d,@xt[7].d
-___
-	&store($xa0,$xa1,$xa2,$xa3,$xb0,$xb1,$xb2,$xb3);
-	&store($xc0,$xc1,$xc2,$xc3,$xd0,$xd1,$xd2,$xd3);
-$code.=<<___;
-210:
-	incw	@K[6], ALL, MUL #1
-___
-}
-
-sub SET_STATE_BAK() {
-	my $idx0 = shift;
-	my $idx1 = $idx0 + 1;
-	my $x0 = @sx[$idx0];
-	my $xx0 = @sxx[$idx0];
-	my $x1 = @sx[$idx1];
-	my $xx1 = @sxx[$idx1];
-	my $d = $idx0/2;
-
-$code.=<<___;
-	lsr	$xx1,@K[$d],#32
-	dup	@mx[$idx0].s,@KL[$d]
-	dup	@bak[$idx0].s,@KL[$d]
-	.if mixin == 1
-		mov	$x0,@KL[$d]
-	.endif
-	dup	@mx[$idx1].s,$x1
-	dup	@bak[$idx1].s,$x1
-___
-}
-
-sub SET_STATE() {
-	my $idx0 = shift;
-	my $idx1 = $idx0 + 1;
-	my $x0 = @sx[$idx0];
-	my $xx0 = @sxx[$idx0];
-	my $x1 = @sx[$idx1];
-	my $xx1 = @sxx[$idx1];
-	my $d = $idx0/2;
-
-$code.=<<___;
-	lsr	$xx1,@K[$d],#32
-	dup	@mx[$idx0].s,@KL[$d]
-	.if mixin == 1
-		mov	$x0,@KL[$d]
-	.endif
-	dup	@mx[$idx1].s,$x1
-___
-}
-
-sub SVE_LOAD_STATES() {
-	&SET_STATE_BAK(0);
-	&SET_STATE_BAK(2);
-	&SET_STATE_BAK(4);
-	&SET_STATE_BAK(6);
-	&SET_STATE_BAK(8);
-	&SET_STATE(10);
-	&SET_STATE(14);
-$code.=<<___;
-	.if mixin == 1
-		add	@sx[13],@KL[6],#1
-		mov	@sx[12],@KL[6]
-		index	$zctr.s,@sx[13],1
-		index	@mx[12].s,@sx[13],1
-	.else
-		index	$zctr.s,@KL[6],1
-		index	@mx[12].s,@KL[6],1
-	.endif
-	lsr	@sxx[13],@K[6],#32
-	dup	@mx[13].s,@sx[13]
-___
-}
-
-sub SVE2_LOAD_STATES() {
-	&SET_STATE_BAK(0);
-	&SET_STATE_BAK(2);
-	&SET_STATE_BAK(4);
-	&SET_STATE_BAK(6);
-	&SET_STATE_BAK(8);
-	&SET_STATE_BAK(10);
-	&SET_STATE_BAK(14);
-
-$code.=<<___;
-	.if mixin == 1
-		add	@sx[13],@KL[6],#1
-		mov	@sx[12],@KL[6]
-		index	$zctr.s,@sx[13],1
-		index	@mx[12].s,@sx[13],1
-	.else
-		index	$zctr.s,@KL[6],1
-		index	@mx[12].s,@KL[6],1
-	.endif
-	lsr	@sxx[13],@K[6],#32
-	dup	@mx[13].s,@sx[13]
-	dup	@bak[13].s,@sx[13]
-___
-}
-
-sub chacha20_sve() {
-	my ($tmp) = (@sxx[0]);
-
-$code.=<<___;
-.align	5
-100:
-	subs	$tmp,$len,$veclen,lsl #6
-	b.lt	110f
-	mov	$len,$tmp
-	b.eq	101f
-	cmp	$len,64
-	b.lt	101f
-	mixin=1
-___
-	&SVE_LOAD_STATES();
-	&SVE_INNER_BLOCK();
-	&SVE_ACCUM_STATES();
-	&SVE_TRANSFORMS();
-$code.=<<___;
-	subs	$len,$len,64
-	b.gt	100b
-	b	110f
-101:
-	mixin=0
-___
-	&SVE_LOAD_STATES();
-	&SVE_INNER_BLOCK();
-	&SVE_ACCUM_STATES();
-	&SVE_TRANSFORMS();
-$code.=<<___;
-110:
-___
-}
-
-sub chacha20_sve2() {
-	my ($tmp) = (@sxx[0]);
-
-$code.=<<___;
-.align	5
-100:
-	subs	$tmp,$len,$veclen,lsl #6
-	b.lt	110f
-	mov	$len,$tmp
-	b.eq	101f
-	cmp	$len,64
-	b.lt	101f
-	mixin=1
-___
-	&SVE2_LOAD_STATES();
-	&SVE2_INNER_BLOCK();
-	&SVE2_ACCUM_STATES();
-	&SVE_TRANSFORMS();
-$code.=<<___;
-	subs	$len,$len,64
-	b.gt	100b
-	b	110f
-101:
-	mixin=0
-___
-	&SVE2_LOAD_STATES();
-	&SVE2_INNER_BLOCK();
-	&SVE2_ACCUM_STATES();
-	&SVE_TRANSFORMS();
-$code.=<<___;
-110:
-___
-}
-
-
-{{{
-	my ($tmp,$tmpw) = ("x6", "w6");
-	my ($tmpw0,$tmp0,$tmpw1,$tmp1) = ("w9","x9", "w10","x10");
-	my ($sve2flag) = ("x7");
-
-$code.=<<___;
-#include "arm_arch.h"
-
-.arch   armv8-a
-
-.extern	OPENSSL_armcap_P
-.hidden	OPENSSL_armcap_P
-
-.text
-.align	5
-.Lchacha20_consts:
-.quad	0x3320646e61707865,0x6b20657479622d32		// endian-neutral
-.Lrot8:
-	.word 0x02010003,0x04040404,0x02010003,0x04040404
-.globl	ChaCha20_ctr32_sve
-.type	ChaCha20_ctr32_sve,%function
-.align	5
-ChaCha20_ctr32_sve:
-	AARCH64_VALID_CALL_TARGET
-	cntw	$veclen, ALL, MUL #1
-	cmp	$len,$veclen,lsl #6
-	b.lt	.Lreturn
-	mov	$sve2flag,0
-	adrp	$tmp,OPENSSL_armcap_P
-	ldr	$tmpw,[$tmp,#:lo12:OPENSSL_armcap_P]
-	tst	$tmpw,#ARMV8_SVE2
-	b.eq	1f
-	mov	$sve2flag,1
-	b	2f
-1:
-	cmp	$veclen,4
-	b.le	.Lreturn
-	adr	$tmp,.Lrot8
-	ldp	$tmpw0,$tmpw1,[$tmp]
-	index	$rot8.s,$tmpw0,$tmpw1
-2:
-	AARCH64_SIGN_LINK_REGISTER
-	stp	d8,d9,[sp,-192]!
-	stp	d10,d11,[sp,16]
-	stp	d12,d13,[sp,32]
-	stp	d14,d15,[sp,48]
-	stp	x16,x17,[sp,64]
-	stp	x18,x19,[sp,80]
-	stp	x20,x21,[sp,96]
-	stp	x22,x23,[sp,112]
-	stp	x24,x25,[sp,128]
-	stp	x26,x27,[sp,144]
-	stp	x28,x29,[sp,160]
-	str	x30,[sp,176]
-
-	adr	$tmp,.Lchacha20_consts
-	ldp	@K[0],@K[1],[$tmp]
-	ldp	@K[2],@K[3],[$key]
-	ldp	@K[4],@K[5],[$key, 16]
-	ldp	@K[6],@K[7],[$ctr]
-	ptrues	p0.s,ALL
-#ifdef	__AARCH64EB__
-	ror	@K[2],@K[2],#32
-	ror	@K[3],@K[3],#32
-	ror	@K[4],@K[4],#32
-	ror	@K[5],@K[5],#32
-	ror	@K[6],@K[6],#32
-	ror	@K[7],@K[7],#32
-#endif
-	cbz	$sve2flag, 1f
-___
-	&chacha20_sve2();
-$code.=<<___;
-	b	2f
-1:
-___
-	&chacha20_sve();
-$code.=<<___;
-2:
-	str	@KL[6],[$ctr]
-	ldp	d10,d11,[sp,16]
-	ldp	d12,d13,[sp,32]
-	ldp	d14,d15,[sp,48]
-	ldp	x16,x17,[sp,64]
-	ldp	x18,x19,[sp,80]
-	ldp	x20,x21,[sp,96]
-	ldp	x22,x23,[sp,112]
-	ldp	x24,x25,[sp,128]
-	ldp	x26,x27,[sp,144]
-	ldp	x28,x29,[sp,160]
-	ldr	x30,[sp,176]
-	ldp	d8,d9,[sp],192
-	AARCH64_VALIDATE_LINK_REGISTER
-.Lreturn:
-	ret
-.size	ChaCha20_ctr32_sve,.-ChaCha20_ctr32_sve
-___
-
-}}}
-
-########################################
-{
-my  %opcode_unpred = (
-	"movprfx"      => 0x0420BC00,
-	"eor"          => 0x04a03000,
-	"add"          => 0x04200000,
-	"orr"          => 0x04603000,
-	"lsl"          => 0x04209C00,
-	"lsr"          => 0x04209400,
-	"incw"         => 0x04B00000,
-	"xar"          => 0x04203400,
-	"zip1"         => 0x05206000,
-	"zip2"         => 0x05206400,
-	"uzp1"         => 0x05206800,
-	"uzp2"         => 0x05206C00,
-	"index"        => 0x04204C00,
-	"mov"          => 0x05203800,
-	"dup"          => 0x05203800,
-	"cntw"         => 0x04A0E000,
-	"tbl"          => 0x05203000);
-
-my  %opcode_imm_unpred = (
-	"dup"          => 0x2538C000,
-	"index"        => 0x04204400);
-
-my %opcode_scalar_pred = (
-	"mov"          => 0x0528A000,
-	"cpy"          => 0x0528A000,
-	"st4w"         => 0xE5606000,
-	"st1w"         => 0xE5004000,
-	"ld1w"         => 0xA5404000);
-
-my %opcode_gather_pred = (
-	"ld1w"         => 0x85204000);
-
-my  %opcode_pred = (
-	"eor"          => 0x04190000,
-	"add"          => 0x04000000,
-	"orr"          => 0x04180000,
-	"whilelo"      => 0x25200C00,
-	"whilelt"      => 0x25200400,
-	"cntp"         => 0x25208000,
-	"addvl"        => 0x04205000,
-	"lsl"          => 0x04038000,
-	"lsr"          => 0x04018000,
-	"sel"          => 0x0520C000,
-	"mov"          => 0x0520C000,
-	"ptrue"        => 0x2518E000,
-	"pfalse"       => 0x2518E400,
-	"ptrues"       => 0x2519E000,
-	"pnext"        => 0x2519C400,
-	"ld4w"         => 0xA560E000,
-	"st4w"         => 0xE570E000,
-	"st1w"         => 0xE500E000,
-	"ld1w"         => 0xA540A000,
-	"ld1rw"        => 0x8540C000,
-	"lasta"        => 0x0520A000,
-	"revh"         => 0x05258000,
-	"revb"         => 0x05248000);
-
-my  %tsize = (
-	'b'          => 0,
-	'h'          => 1,
-	's'          => 2,
-	'd'          => 3);
-
-my %sf = (
-	"w"          => 0,
-	"x"          => 1);
-
-my %pattern = (
-	"POW2"       => 0,
-	"VL1"        => 1,
-	"VL2"        => 2,
-	"VL3"        => 3,
-	"VL4"        => 4,
-	"VL5"        => 5,
-	"VL6"        => 6,
-	"VL7"        => 7,
-	"VL8"        => 8,
-	"VL16"       => 9,
-	"VL32"       => 10,
-	"VL64"       => 11,
-	"VL128"      => 12,
-	"VL256"      => 13,
-	"MUL4"       => 29,
-	"MUL3"       => 30,
-	"ALL"        => 31);
-
-sub create_verifier {
-	my $filename="./compile_sve.sh";
-
-$scripts = <<___;
-#! /bin/bash
-set -e
-CROSS_COMPILE=\${CROSS_COMPILE:-'aarch64-none-linux-gnu-'}
-
-[ -z "\$1" ] && exit 1
-ARCH=`uname -p | xargs echo -n`
-
-# need gcc-10 and above to compile SVE code
-# change this according to your system during debugging
-if [ \$ARCH == 'aarch64' ]; then
-	CC=gcc-11
-	OBJDUMP=objdump
-else
-	CC=\${CROSS_COMPILE}gcc
-	OBJDUMP=\${CROSS_COMPILE}objdump
-fi
-TMPFILE=/tmp/\$\$
-cat > \$TMPFILE.c << EOF
-extern __attribute__((noinline, section("disasm_output"))) void dummy_func()
-{
-	asm("\$@\\t\\n");
-}
-int main(int argc, char *argv[])
-{
-}
-EOF
-\$CC -march=armv8.2-a+sve+sve2 -o \$TMPFILE.out \$TMPFILE.c
-\$OBJDUMP -d \$TMPFILE.out | awk -F"\\n" -v RS="\\n\\n" '\$1 ~ /dummy_func/' | awk 'FNR == 2 {printf "%s",\$2}'
-rm \$TMPFILE.c \$TMPFILE.out
-___
-	open(FH, '>', $filename) or die $!;
-	print FH $scripts;
-	close(FH);
-	system("chmod a+x ./compile_sve.sh");
-}
-
-sub compile_sve {
-	return `./compile_sve.sh '@_'`
-}
-
-sub verify_inst {
-	my ($code,$inst)=@_;
-	my $hexcode = (sprintf "%08x", $code);
-
-	if ($debug_encoder == 1) {
-		my $expect=&compile_sve($inst);
-		if ($expect ne $hexcode) {
-			return (sprintf "%s // Encode Error! expect [%s] actual [%s]", $inst, $expect, $hexcode);
-		}
-	}
-	return (sprintf ".inst\t0x%s\t//%s", $hexcode, $inst);
-}
-
-sub reg_code {
-	my $code = shift;
-
-	if ($code == "zr") {
-		return "31";
-	}
-	return $code;
-}
-
-sub encode_size_imm() {
-	my ($mnemonic, $isize, $const)=@_;
-	my $esize = (8<<$tsize{$isize});
-	my $tsize_imm = $esize + $const;
-
-	if ($mnemonic eq "lsr" || $mnemonic eq "xar") {
-		$tsize_imm = 2*$esize - $const;
-	}
-	return (($tsize_imm>>5)<<22)|(($tsize_imm&0x1f)<<16);
-}
-
-sub encode_shift_pred() {
-	my ($mnemonic, $isize, $const)=@_;
-	my $esize = (8<<$tsize{$isize});
-	my $tsize_imm = $esize + $const;
-
-	if ($mnemonic eq "lsr") {
-		$tsize_imm = 2*$esize - $const;
-	}
-	return (($tsize_imm>>5)<<22)|(($tsize_imm&0x1f)<<5);
-}
-
-sub sve_unpred {
-	my ($mnemonic,$arg)=@_;
-	my $inst = (sprintf "%s %s", $mnemonic,$arg);
-
-	if ($arg =~ m/z([0-9]+)\.([bhsd]),\s*\{\s*z([0-9]+)\.[bhsd].*\},\s*z([0-9]+)\.[bhsd].*/o) {
-		return &verify_inst($opcode_unpred{$mnemonic}|$1|($3<<5)|($tsize{$2}<<22)|($4<<16),
-					$inst)
-	} elsif ($arg =~ m/z([0-9]+)\.([bhsd]),\s*([zwx][0-9]+.*)/o) {
-       		my $regd = $1;
-		my $isize = $2;
-		my $regs=$3;
-
-		if (($mnemonic eq "lsl") || ($mnemonic eq "lsr")) {
-			if ($regs =~ m/z([0-9]+)[^,]*(?:,\s*#?([0-9]+))?/o
-				&& ((8<<$tsize{$isize}) > $2)) {
-				return &verify_inst($opcode_unpred{$mnemonic}|$regd|($1<<5)|&encode_size_imm($mnemonic,$isize,$2),
-					$inst);
-			}
-		} elsif($regs =~ m/[wx]([0-9]+),\s*[wx]([0-9]+)/o) {
-			return &verify_inst($opcode_unpred{$mnemonic}|$regd|($tsize{$isize}<<22)|($1<<5)|($2<<16), $inst);
-		} elsif ($regs =~ m/[wx]([0-9]+),\s*#?([0-9]+)/o) {
-			return &verify_inst($opcode_imm_unpred{$mnemonic}|$regd|($tsize{$isize}<<22)|($1<<5)|($2<<16), $inst);
-		} elsif ($regs =~ m/[wx]([0-9]+)/o) {
-			return &verify_inst($opcode_unpred{$mnemonic}|$regd|($tsize{$isize}<<22)|($1<<5), $inst);
-		} else {
-			my $encoded_size = 0;
-			if (($mnemonic eq "add") || ($mnemonic =~ /zip./) || ($mnemonic =~ /uzp./) ) {
-				$encoded_size = ($tsize{$isize}<<22);
-			}
-			if ($regs =~ m/z([0-9]+)\.[bhsd],\s*z([0-9]+)\.[bhsd],\s*([0-9]+)/o &&
-				$1 == $regd) {
-				return &verify_inst($opcode_unpred{$mnemonic}|$regd|($2<<5)|&encode_size_imm($mnemonic,$isize,$3), $inst);
-			} elsif ($regs =~ m/z([0-9]+)\.[bhsd],\s*z([0-9]+)\.[bhsd]/o) {
-				return &verify_inst($opcode_unpred{$mnemonic}|$regd|$encoded_size|($1<<5)|($2<<16), $inst);
-			}
-		}
-	} elsif ($arg =~ m/z([0-9]+)\.([bhsd]),\s*#?([0-9]+)/o) {
-		return &verify_inst($opcode_imm_unpred{$mnemonic}|$1|($3<<5)|($tsize{$2}<<22),
-					$inst)
-	}
-	sprintf "%s // fail to parse", $inst;
-}
-
-sub sve_pred {
-	my ($mnemonic,,$arg)=@_;
-	my $inst = (sprintf "%s %s", $mnemonic,$arg);
-
-	if ($arg =~ m/\{\s*z([0-9]+)\.([bhsd]).*\},\s*p([0-9])+(\/z)?,\s*\[(\s*[xs].*)\]/o) {
-		my $zt = $1;
-		my $size = $tsize{$2};
-		my $pg = $3;
-		my $addr = $5;
-		my $xn = 31;
-
-		if ($addr =~ m/x([0-9]+)\s*/o) {
-			$xn = $1;
-		}
-
-		if ($mnemonic =~m/ld1r[bhwd]/o) {
-			$size = 0;
-		}
-		if ($addr =~ m/\w+\s*,\s*x([0-9]+),.*/o) {
-			return &verify_inst($opcode_scalar_pred{$mnemonic}|($size<<21)|$zt|($pg<<10)|($1<<16)|($xn<<5),$inst);
-		} elsif ($addr =~ m/\w+\s*,\s*z([0-9]+)\.s,\s*([US]\w+)/o) {
-			my $xs = ($2 eq "SXTW") ? 1 : 0;
-			return &verify_inst($opcode_gather_pred{$mnemonic}|($xs<<22)|$zt|($pg<<10)|($1<<16)|($xn<<5),$inst);
-		} elsif($addr =~ m/\w+\s*,\s*#?([0-9]+)/o) {
-			return &verify_inst($opcode_pred{$mnemonic}|($size<<21)|$zt|($pg<<10)|($1<<16)|($xn<<5),$inst);
-		} else {
-			return &verify_inst($opcode_pred{$mnemonic}|($size<<21)|$zt|($pg<<10)|($xn<<5),$inst);
-		}
-	} elsif ($arg =~ m/z([0-9]+)\.([bhsd]),\s*p([0-9]+)\/([mz]),\s*([zwx][0-9]+.*)/o) {
-		my $regd = $1;
-		my $isize = $2;
-		my $pg = $3;
-		my $mod = $4;
-		my $regs = $5;
-
-		if (($mnemonic eq "lsl") || ($mnemonic eq "lsr")) {
-			if ($regs =~ m/z([0-9]+)[^,]*(?:,\s*#?([0-9]+))?/o
-				&& $regd == $1
-				&& $mode == 'm'
-				&& ((8<<$tsize{$isize}) > $2)) {
-				return &verify_inst($opcode_pred{$mnemonic}|$regd|($pg<<10)|&encode_shift_pred($mnemonic,$isize,$2), $inst);
-			}
-		} elsif($regs =~ m/[wx]([0-9]+)/o) {
-			return &verify_inst($opcode_scalar_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5), $inst);
-		} elsif ($regs =~ m/z([0-9]+)[^,]*(?:,\s*z([0-9]+))?/o) {
-			if ($mnemonic eq "sel") {
-				return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5)|($2<<16), $inst);
-			} elsif ($mnemonic eq "mov") {
-				return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5)|($regd<<16), $inst);
-			} elsif (length $2 > 0) {
-				return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($2<<5), $inst);
-			} else {
-				return &verify_inst($opcode_pred{$mnemonic}|$regd|($tsize{$isize}<<22)|($pg<<10)|($1<<5), $inst);
-			}
-		}
-	} elsif ($arg =~ m/p([0-9]+)\.([bhsd]),\s*(\w+.*)/o) {
-		my $pg = $1;
-		my $isize = $2;
-		my $regs = $3;
-
-		if ($regs =~ m/([wx])(zr|[0-9]+),\s*[wx](zr|[0-9]+)/o) {
-			return &verify_inst($opcode_pred{$mnemonic}|($tsize{$isize}<<22)|$pg|($sf{$1}<<12)|(&reg_code($2)<<5)|(&reg_code($3)<<16), $inst);
-		} elsif ($regs =~ m/p([0-9]+),\s*p([0-9]+)\.[bhsd]/o) {
-			return &verify_inst($opcode_pred{$mnemonic}|($tsize{$isize}<<22)|$pg|($1<<5), $inst);
-		} else {
-			return &verify_inst($opcode_pred{$mnemonic}|($tsize{$isize}<<22)|$pg|($pattern{$regs}<<5), $inst);
-		}
-	} elsif ($arg =~ m/p([0-9]+)\.([bhsd])/o) {
-		return &verify_inst($opcode_pred{$mnemonic}|$1, $inst);
-	}
-
-	sprintf "%s // fail to parse", $inst;
-}
-
-sub sve_other {
-	my ($mnemonic,$arg)=@_;
-	my $inst = (sprintf "%s %s", $mnemonic,$arg);
-
-	if ($arg =~ m/x([0-9]+)[^,]*,\s*p([0-9]+)[^,]*,\s*p([0-9]+)\.([bhsd])/o) {
-		return &verify_inst($opcode_pred{$mnemonic}|($tsize{$4}<<22)|$1|($2<<10)|($3<<5), $inst);
-	} elsif ($arg =~ m/(x|w)([0-9]+)[^,]*,\s*p([0-9]+)[^,]*,\s*z([0-9]+)\.([bhsd])/o) {
-		return &verify_inst($opcode_pred{$mnemonic}|($tsize{$5}<<22)|$1|($3<<10)|($4<<5)|$2, $inst);
-	}elsif ($mnemonic =~ /inc[bhdw]/) {
-		if ($arg =~ m/x([0-9]+)[^,]*,\s*(\w+)[^,]*,\s*MUL\s*#?([0-9]+)/o) {
-			return &verify_inst($opcode_unpred{$mnemonic}|$1|($pattern{$2}<<5)|(2<<12)|(($3 - 1)<<16)|0xE000, $inst);
-		} elsif ($arg =~ m/z([0-9]+)[^,]*,\s*(\w+)[^,]*,\s*MUL\s*#?([0-9]+)/o) {
-			return &verify_inst($opcode_unpred{$mnemonic}|$1|($pattern{$2}<<5)|(($3 - 1)<<16)|0xC000, $inst);
-		} elsif ($arg =~ m/x([0-9]+)/o) {
-			return &verify_inst($opcode_unpred{$mnemonic}|$1|(31<<5)|(0<<16)|0xE000, $inst);
-		}
-	} elsif ($mnemonic =~ /cnt[bhdw]/) {
-		if ($arg =~ m/x([0-9]+)[^,]*,\s*(\w+)[^,]*,\s*MUL\s*#?([0-9]+)/o) {
-			return &verify_inst($opcode_unpred{$mnemonic}|$1|($pattern{$2}<<5)|(($3 - 1)<<16), $inst);
-		}
-	} elsif ($arg =~ m/x([0-9]+)[^,]*,\s*x([0-9]+)[^,]*,\s*#?([0-9]+)/o) {
-		return &verify_inst($opcode_pred{$mnemonic}|$1|($2<<16)|($3<<5), $inst);
-	} elsif ($arg =~ m/z([0-9]+)[^,]*,\s*z([0-9]+)/o) {
-		return &verify_inst($opcode_unpred{$mnemonic}|$1|($2<<5), $inst);
-	}
-	sprintf "%s // fail to parse", $inst;
-}
-}
-
-open SELF,$0;
-while(<SELF>) {
-	next if (/^#!/);
-	last if (!s/^#/\/\// and !/^$/);
-	print;
-}
-close SELF;
-
-if ($debug_encoder == 1) {
-	&create_verifier();
-}
-
-foreach(split("\n",$code)) {
-	s/\`([^\`]*)\`/eval($1)/ge;
-	s/\b(\w+)\s+(z[0-9]+\.[bhsd],\s*[#zwx]?[0-9]+.*)/sve_unpred($1,$2)/ge;
-	s/\b(\w+)\s+(z[0-9]+\.[bhsd],\s*\{.*\},\s*z[0-9]+.*)/sve_unpred($1,$2)/ge;
-	s/\b(\w+)\s+(z[0-9]+\.[bhsd],\s*p[0-9].*)/sve_pred($1,$2)/ge;
-	s/\b(\w+[1-4]r[bhwd])\s+(\{\s*z[0-9]+.*\},\s*p[0-9]+.*)/sve_pred($1,$2)/ge;
-	s/\b(\w+[1-4][bhwd])\s+(\{\s*z[0-9]+.*\},\s*p[0-9]+.*)/sve_pred($1,$2)/ge;
-	s/\b(\w+)\s+(p[0-9]+\.[bhsd].*)/sve_pred($1,$2)/ge;
-	s/\b(movprfx|lasta|cntp|cnt[bhdw]|addvl|inc[bhdw])\s+((x|z|w).*)/sve_other($1,$2)/ge;
-	print $_,"\n";
-}
-
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 1288
libs/openssl/crypto/chacha/asm/chachap10-ppc.pl

@@ -1,1288 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-#
-# ====================================================================
-# Written by Andy Polyakov <[email protected]> for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
-# ====================================================================
-#
-# October 2015
-#
-# ChaCha20 for PowerPC/AltiVec.
-#
-# June 2018
-#
-# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for
-# processors that can't issue more than one vector instruction per
-# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x
-# interleave would perform better. Incidentally PowerISA 2.07 (first
-# implemented by POWER8) defined new usable instructions, hence 4xVSX
-# code path...
-#
-# Performance in cycles per byte out of large buffer.
-#
-#			IALU/gcc-4.x    3xAltiVec+1xIALU	4xVSX
-#
-# Freescale e300	13.6/+115%	-			-
-# PPC74x0/G4e		6.81/+310%	3.81			-
-# PPC970/G5		9.29/+160%	?			-
-# POWER7		8.62/+61%	3.35			-
-# POWER8		8.70/+51%	2.91			2.09
-# POWER9		8.80/+29%	4.44(*)			2.45(**)
-#
-# (*)	this is trade-off result, it's possible to improve it, but
-#	then it would negatively affect all others;
-# (**)	POWER9 seems to be "allergic" to mixing vector and integer
-#	instructions, which is why switch to vector-only code pays
-#	off that much;
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-if ($flavour =~ /64/) {
-	$SIZE_T	=8;
-	$LRSAVE	=2*$SIZE_T;
-	$STU	="stdu";
-	$POP	="ld";
-	$PUSH	="std";
-	$UCMP	="cmpld";
-} elsif ($flavour =~ /32/) {
-	$SIZE_T	=4;
-	$LRSAVE	=$SIZE_T;
-	$STU	="stwu";
-	$POP	="lwz";
-	$PUSH	="stw";
-	$UCMP	="cmplw";
-} else { die "nonsense $flavour"; }
-
-$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-die "can't locate ppc-xlate.pl";
-
-open STDOUT,"| $^X $xlate $flavour \"$output\""
-    or die "can't call $xlate: $!";
-
-$LOCALS=6*$SIZE_T;
-$FRAME=$LOCALS+64+18*$SIZE_T;	# 64 is for local variables
-
-sub AUTOLOAD()		# thunk [simplified] x86-style perlasm
-{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
-    $code .= "\t$opcode\t".join(',',@_)."\n";
-}
-
-my $sp = "r1";
-
-my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7));
-
-
-{{{
-my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
-    $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15));
-my @K = map("v$_",(16..19));
-my $CTR = "v26";
-my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30));
-my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3);
-my $beperm = "v31";
-
-my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10)));
-
-my $FRAME=$LOCALS+64+7*16;	# 7*16 is for v26-v31 offload
-
-
-sub VSX_lane_ROUND_4x {
-my ($a0,$b0,$c0,$d0)=@_;
-my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
-my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
-my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
-my @x=map("\"v$_\"",(0..15));
-
-	(
-	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",	# Q1
-	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",	# Q2
-	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",	# Q3
-	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",	# Q4
-	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
-	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
-	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
-	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
-	"&vrlw		(@x[$d0],@x[$d0],'$sixteen')",
-	 "&vrlw		(@x[$d1],@x[$d1],'$sixteen')",
-	  "&vrlw	(@x[$d2],@x[$d2],'$sixteen')",
-	   "&vrlw	(@x[$d3],@x[$d3],'$sixteen')",
-
-	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
-	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
-	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
-	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
-	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
-	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
-	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
-	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
-	"&vrlw		(@x[$b0],@x[$b0],'$twelve')",
-	 "&vrlw		(@x[$b1],@x[$b1],'$twelve')",
-	  "&vrlw	(@x[$b2],@x[$b2],'$twelve')",
-	   "&vrlw	(@x[$b3],@x[$b3],'$twelve')",
-
-	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",
-	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",
-	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",
-	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",
-	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
-	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
-	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
-	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
-	"&vrlw		(@x[$d0],@x[$d0],'$eight')",
-	 "&vrlw		(@x[$d1],@x[$d1],'$eight')",
-	  "&vrlw	(@x[$d2],@x[$d2],'$eight')",
-	   "&vrlw	(@x[$d3],@x[$d3],'$eight')",
-
-	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
-	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
-	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
-	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
-	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
-	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
-	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
-	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
-	"&vrlw		(@x[$b0],@x[$b0],'$seven')",
-	 "&vrlw		(@x[$b1],@x[$b1],'$seven')",
-	  "&vrlw	(@x[$b2],@x[$b2],'$seven')",
-	   "&vrlw	(@x[$b3],@x[$b3],'$seven')"
-	);
-}
-
-$code.=<<___;
-
-.globl	.ChaCha20_ctr32_vsx_p10
-.align	5
-.ChaCha20_ctr32_vsx_p10:
-	${UCMP}i $len,255
-	bgt 	ChaCha20_ctr32_vsx_8x
-	$STU	$sp,-$FRAME($sp)
-	mflr	r0
-	li	r10,`15+$LOCALS+64`
-	li	r11,`31+$LOCALS+64`
-	mfspr	r12,256
-	stvx	v26,r10,$sp
-	addi	r10,r10,32
-	stvx	v27,r11,$sp
-	addi	r11,r11,32
-	stvx	v28,r10,$sp
-	addi	r10,r10,32
-	stvx	v29,r11,$sp
-	addi	r11,r11,32
-	stvx	v30,r10,$sp
-	stvx	v31,r11,$sp
-	stw	r12,`$FRAME-4`($sp)		# save vrsave
-	li	r12,-4096+63
-	$PUSH	r0, `$FRAME+$LRSAVE`($sp)
-	mtspr	256,r12				# preserve 29 AltiVec registers
-
-	bl	Lconsts				# returns pointer Lsigma in r12
-	lvx_4w	@K[0],0,r12			# load sigma
-	addi	r12,r12,0x70
-	li	$x10,16
-	li	$x20,32
-	li	$x30,48
-	li	r11,64
-
-	lvx_4w	@K[1],0,$key			# load key
-	lvx_4w	@K[2],$x10,$key
-	lvx_4w	@K[3],0,$ctr			# load counter
-
-	vxor	$xt0,$xt0,$xt0
-	lvx_4w	$xt1,r11,r12
-	vspltw	$CTR,@K[3],0
-	vsldoi	@K[3],@K[3],$xt0,4
-	vsldoi	@K[3],$xt0,@K[3],12		# clear @K[3].word[0]
-	vadduwm	$CTR,$CTR,$xt1
-
-	be?lvsl	$beperm,0,$x10			# 0x00..0f
-	be?vspltisb $xt0,3			# 0x03..03
-	be?vxor	$beperm,$beperm,$xt0		# swap bytes within words
-
-	li	r0,10				# inner loop counter
-	mtctr	r0
-	b	Loop_outer_vsx
-
-.align	5
-Loop_outer_vsx:
-	lvx	$xa0,$x00,r12			# load [smashed] sigma
-	lvx	$xa1,$x10,r12
-	lvx	$xa2,$x20,r12
-	lvx	$xa3,$x30,r12
-
-	vspltw	$xb0,@K[1],0			# smash the key
-	vspltw	$xb1,@K[1],1
-	vspltw	$xb2,@K[1],2
-	vspltw	$xb3,@K[1],3
-
-	vspltw	$xc0,@K[2],0
-	vspltw	$xc1,@K[2],1
-	vspltw	$xc2,@K[2],2
-	vspltw	$xc3,@K[2],3
-
-	vmr	$xd0,$CTR			# smash the counter
-	vspltw	$xd1,@K[3],1
-	vspltw	$xd2,@K[3],2
-	vspltw	$xd3,@K[3],3
-
-	vspltisw $sixteen,-16			# synthesize constants
-	vspltisw $twelve,12
-	vspltisw $eight,8
-	vspltisw $seven,7
-
-Loop_vsx_4x:
-___
-	foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; }
-	foreach (&VSX_lane_ROUND_4x(0, 5,10,15)) { eval; }
-$code.=<<___;
-
-	bdnz	Loop_vsx_4x
-
-	vadduwm	$xd0,$xd0,$CTR
-
-	vmrgew	$xt0,$xa0,$xa1			# transpose data
-	vmrgew	$xt1,$xa2,$xa3
-	vmrgow	$xa0,$xa0,$xa1
-	vmrgow	$xa2,$xa2,$xa3
-	vmrgew	$xt2,$xb0,$xb1
-	vmrgew	$xt3,$xb2,$xb3
-	vpermdi	$xa1,$xa0,$xa2,0b00
-	vpermdi	$xa3,$xa0,$xa2,0b11
-	vpermdi	$xa0,$xt0,$xt1,0b00
-	vpermdi	$xa2,$xt0,$xt1,0b11
-
-	vmrgow	$xb0,$xb0,$xb1
-	vmrgow	$xb2,$xb2,$xb3
-	vmrgew	$xt0,$xc0,$xc1
-	vmrgew	$xt1,$xc2,$xc3
-	vpermdi	$xb1,$xb0,$xb2,0b00
-	vpermdi	$xb3,$xb0,$xb2,0b11
-	vpermdi	$xb0,$xt2,$xt3,0b00
-	vpermdi	$xb2,$xt2,$xt3,0b11
-
-	vmrgow	$xc0,$xc0,$xc1
-	vmrgow	$xc2,$xc2,$xc3
-	vmrgew	$xt2,$xd0,$xd1
-	vmrgew	$xt3,$xd2,$xd3
-	vpermdi	$xc1,$xc0,$xc2,0b00
-	vpermdi	$xc3,$xc0,$xc2,0b11
-	vpermdi	$xc0,$xt0,$xt1,0b00
-	vpermdi	$xc2,$xt0,$xt1,0b11
-
-	vmrgow	$xd0,$xd0,$xd1
-	vmrgow	$xd2,$xd2,$xd3
-	vspltisw $xt0,4
-	vadduwm  $CTR,$CTR,$xt0		# next counter value
-	vpermdi	$xd1,$xd0,$xd2,0b00
-	vpermdi	$xd3,$xd0,$xd2,0b11
-	vpermdi	$xd0,$xt2,$xt3,0b00
-	vpermdi	$xd2,$xt2,$xt3,0b11
-
-	vadduwm	$xa0,$xa0,@K[0]
-	vadduwm	$xb0,$xb0,@K[1]
-	vadduwm	$xc0,$xc0,@K[2]
-	vadduwm	$xd0,$xd0,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx
-
-	vadduwm	$xa0,$xa1,@K[0]
-	vadduwm	$xb0,$xb1,@K[1]
-	vadduwm	$xc0,$xc1,@K[2]
-	vadduwm	$xd0,$xd1,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx
-
-	vadduwm	$xa0,$xa2,@K[0]
-	vadduwm	$xb0,$xb2,@K[1]
-	vadduwm	$xc0,$xc2,@K[2]
-	vadduwm	$xd0,$xd2,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx
-
-	vadduwm	$xa0,$xa3,@K[0]
-	vadduwm	$xb0,$xb3,@K[1]
-	vadduwm	$xc0,$xc3,@K[2]
-	vadduwm	$xd0,$xd3,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	mtctr	r0
-	bne	Loop_outer_vsx
-
-Ldone_vsx:
-	lwz	r12,`$FRAME-4`($sp)		# pull vrsave
-	li	r10,`15+$LOCALS+64`
-	li	r11,`31+$LOCALS+64`
-	$POP	r0, `$FRAME+$LRSAVE`($sp)
-	mtspr	256,r12				# restore vrsave
-	lvx	v26,r10,$sp
-	addi	r10,r10,32
-	lvx	v27,r11,$sp
-	addi	r11,r11,32
-	lvx	v28,r10,$sp
-	addi	r10,r10,32
-	lvx	v29,r11,$sp
-	addi	r11,r11,32
-	lvx	v30,r10,$sp
-	lvx	v31,r11,$sp
-	mtlr	r0
-	addi	$sp,$sp,$FRAME
-	blr
-
-.align	4
-Ltail_vsx:
-	addi	r11,$sp,$LOCALS
-	mtctr	$len
-	stvx_4w	$xa0,$x00,r11			# offload block to stack
-	stvx_4w	$xb0,$x10,r11
-	stvx_4w	$xc0,$x20,r11
-	stvx_4w	$xd0,$x30,r11
-	subi	r12,r11,1			# prepare for *++ptr
-	subi	$inp,$inp,1
-	subi	$out,$out,1
-
-Loop_tail_vsx:
-	lbzu	r6,1(r12)
-	lbzu	r7,1($inp)
-	xor	r6,r6,r7
-	stbu	r6,1($out)
-	bdnz	Loop_tail_vsx
-
-	stvx_4w	$K[0],$x00,r11			# wipe copy of the block
-	stvx_4w	$K[0],$x10,r11
-	stvx_4w	$K[0],$x20,r11
-	stvx_4w	$K[0],$x30,r11
-
-	b	Ldone_vsx
-	.long	0
-	.byte	0,12,0x04,1,0x80,0,5,0
-	.long	0
-.size	.ChaCha20_ctr32_vsx_p10,.-.ChaCha20_ctr32_vsx_p10
-___
-}}}
-
-##This is 8 block in parallel implementation. The heart of chacha round uses vector instruction that has access to 
-# vsr[32+X]. To perform the 8 parallel block we tend to use all 32 register to hold the 8 block info.
-# WE need to store few register value on side, so we can use VSR{32+X} for few vector instructions used in round op and hold intermediate value.
-# WE use the VSR[0]-VSR[31] for holding intermediate value and perform 8 block in parallel.
-#
-{{{
-#### ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7));
-my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
-    $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3,
-    $xa4,$xa5,$xa6,$xa7, $xb4,$xb5,$xb6,$xb7,
-    $xc4,$xc5,$xc6,$xc7, $xd4,$xd5,$xd6,$xd7) = map("v$_",(0..31));
-my ($xcn4,$xcn5,$xcn6,$xcn7, $xdn4,$xdn5,$xdn6,$xdn7) = map("v$_",(8..15));
-my ($xan0,$xbn0,$xcn0,$xdn0) = map("v$_",(0..3));
-my @K = map("v$_",27,(24..26));
-my ($xt0,$xt1,$xt2,$xt3,$xt4) = map("v$_",23,(28..31));
-my $xr0 = "v4";
-my $CTR0 = "v22";
-my $CTR1 = "v5";
-my $beperm = "v31";
-my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10)));
-my ($xv0,$xv1,$xv2,$xv3,$xv4,$xv5,$xv6,$xv7) = map("v$_",(0..7));
-my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("v$_",(8..17));
-my ($xv18,$xv19,$xv20,$xv21) = map("v$_",(18..21));
-my ($xv22,$xv23,$xv24,$xv25,$xv26) = map("v$_",(22..26));
-
-my $FRAME=$LOCALS+64+9*16;	# 8*16 is for v24-v31 offload
-
-sub VSX_lane_ROUND_8x {
-my ($a0,$b0,$c0,$d0,$a4,$b4,$c4,$d4)=@_;
-my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
-my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
-my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
-my ($a5,$b5,$c5,$d5)=map(($_&~3)+(($_+1)&3),($a4,$b4,$c4,$d4));
-my ($a6,$b6,$c6,$d6)=map(($_&~3)+(($_+1)&3),($a5,$b5,$c5,$d5));
-my ($a7,$b7,$c7,$d7)=map(($_&~3)+(($_+1)&3),($a6,$b6,$c6,$d6));
-my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("\"v$_\"",(8..17));
-my @x=map("\"v$_\"",(0..31));
-
-	(
-	"&vxxlor        ($xv15 ,@x[$c7],@x[$c7])",      #copy v30 to v13
-	"&vxxlorc       (@x[$c7], $xv9,$xv9)",
-
-	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",	# Q1
-	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",	# Q2
-	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",	# Q3
-	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",	# Q4
-	"&vadduwm	(@x[$a4],@x[$a4],@x[$b4])",	# Q1
-	 "&vadduwm	(@x[$a5],@x[$a5],@x[$b5])",	# Q2
-	  "&vadduwm	(@x[$a6],@x[$a6],@x[$b6])",	# Q3
-	   "&vadduwm	(@x[$a7],@x[$a7],@x[$b7])",	# Q4
-
-	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
-	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
-	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
-	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
-	"&vxor		(@x[$d4],@x[$d4],@x[$a4])",
-	 "&vxor		(@x[$d5],@x[$d5],@x[$a5])",
-	  "&vxor	(@x[$d6],@x[$d6],@x[$a6])",
-	   "&vxor	(@x[$d7],@x[$d7],@x[$a7])",
-
-	"&vrlw		(@x[$d0],@x[$d0],@x[$c7])",
-	 "&vrlw		(@x[$d1],@x[$d1],@x[$c7])",
-	  "&vrlw	(@x[$d2],@x[$d2],@x[$c7])",
-	   "&vrlw	(@x[$d3],@x[$d3],@x[$c7])",
-	"&vrlw		(@x[$d4],@x[$d4],@x[$c7])",
-	 "&vrlw		(@x[$d5],@x[$d5],@x[$c7])",
-	  "&vrlw	(@x[$d6],@x[$d6],@x[$c7])",
-	   "&vrlw	(@x[$d7],@x[$d7],@x[$c7])",
-
-	"&vxxlor        ($xv13 ,@x[$a7],@x[$a7])",
-	"&vxxlorc       (@x[$c7], $xv15,$xv15)",
-	"&vxxlorc       (@x[$a7], $xv10,$xv10)",
-
-	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
-	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
-	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
-	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
-	"&vadduwm	(@x[$c4],@x[$c4],@x[$d4])",
-	 "&vadduwm	(@x[$c5],@x[$c5],@x[$d5])",
-	  "&vadduwm	(@x[$c6],@x[$c6],@x[$d6])",
-	   "&vadduwm	(@x[$c7],@x[$c7],@x[$d7])",
-
-	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
-	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
-	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
-	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
-	"&vxor		(@x[$b4],@x[$b4],@x[$c4])",
-	 "&vxor		(@x[$b5],@x[$b5],@x[$c5])",
-	  "&vxor	(@x[$b6],@x[$b6],@x[$c6])",
-	   "&vxor	(@x[$b7],@x[$b7],@x[$c7])",
-
-	"&vrlw		(@x[$b0],@x[$b0],@x[$a7])",
-	 "&vrlw		(@x[$b1],@x[$b1],@x[$a7])",
-	  "&vrlw	(@x[$b2],@x[$b2],@x[$a7])",
-	   "&vrlw	(@x[$b3],@x[$b3],@x[$a7])",
-	"&vrlw		(@x[$b4],@x[$b4],@x[$a7])",
-	 "&vrlw		(@x[$b5],@x[$b5],@x[$a7])",
-	  "&vrlw	(@x[$b6],@x[$b6],@x[$a7])",
-	   "&vrlw	(@x[$b7],@x[$b7],@x[$a7])",
-
-	"&vxxlorc       (@x[$a7], $xv13,$xv13)",
-	"&vxxlor	($xv15 ,@x[$c7],@x[$c7])",                 
-	"&vxxlorc       (@x[$c7], $xv11,$xv11)",
-
-
-	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",
-	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",
-	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",
-	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",
-	"&vadduwm	(@x[$a4],@x[$a4],@x[$b4])",
-	 "&vadduwm	(@x[$a5],@x[$a5],@x[$b5])",
-	  "&vadduwm	(@x[$a6],@x[$a6],@x[$b6])",
-	   "&vadduwm	(@x[$a7],@x[$a7],@x[$b7])",
-
-	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
-	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
-	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
-	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
-	"&vxor		(@x[$d4],@x[$d4],@x[$a4])",
-	 "&vxor		(@x[$d5],@x[$d5],@x[$a5])",
-	  "&vxor	(@x[$d6],@x[$d6],@x[$a6])",
-	   "&vxor	(@x[$d7],@x[$d7],@x[$a7])",
-
-	"&vrlw		(@x[$d0],@x[$d0],@x[$c7])",
-	 "&vrlw		(@x[$d1],@x[$d1],@x[$c7])",
-	  "&vrlw	(@x[$d2],@x[$d2],@x[$c7])",
-	   "&vrlw	(@x[$d3],@x[$d3],@x[$c7])",
-	"&vrlw		(@x[$d4],@x[$d4],@x[$c7])",
-	 "&vrlw		(@x[$d5],@x[$d5],@x[$c7])",
-	  "&vrlw	(@x[$d6],@x[$d6],@x[$c7])",
-	   "&vrlw	(@x[$d7],@x[$d7],@x[$c7])",
-
-	"&vxxlorc       (@x[$c7], $xv15,$xv15)",
-	"&vxxlor        ($xv13 ,@x[$a7],@x[$a7])",               
-	"&vxxlorc       (@x[$a7], $xv12,$xv12)",
-
-	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
-	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
-	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
-	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
-	"&vadduwm	(@x[$c4],@x[$c4],@x[$d4])",
-	 "&vadduwm	(@x[$c5],@x[$c5],@x[$d5])",
-	  "&vadduwm	(@x[$c6],@x[$c6],@x[$d6])",
-	   "&vadduwm	(@x[$c7],@x[$c7],@x[$d7])",
-	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
-	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
-	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
-	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
-	"&vxor		(@x[$b4],@x[$b4],@x[$c4])",
-	 "&vxor		(@x[$b5],@x[$b5],@x[$c5])",
-	  "&vxor	(@x[$b6],@x[$b6],@x[$c6])",
-	   "&vxor	(@x[$b7],@x[$b7],@x[$c7])",
-	"&vrlw		(@x[$b0],@x[$b0],@x[$a7])",
-	 "&vrlw		(@x[$b1],@x[$b1],@x[$a7])",
-	  "&vrlw	(@x[$b2],@x[$b2],@x[$a7])",
-	   "&vrlw	(@x[$b3],@x[$b3],@x[$a7])",
-	"&vrlw		(@x[$b4],@x[$b4],@x[$a7])",
-	 "&vrlw		(@x[$b5],@x[$b5],@x[$a7])",
-	  "&vrlw	(@x[$b6],@x[$b6],@x[$a7])",
-	   "&vrlw	(@x[$b7],@x[$b7],@x[$a7])",
-
-	"&vxxlorc       (@x[$a7], $xv13,$xv13)",
-	);
-}
-
-$code.=<<___;
-
-.globl	.ChaCha20_ctr32_vsx_8x
-.align	5
-.ChaCha20_ctr32_vsx_8x:
-	$STU	$sp,-$FRAME($sp)
-	mflr	r0
-	li	r10,`15+$LOCALS+64`
-	li	r11,`31+$LOCALS+64`
-	mfspr	r12,256
-	stvx	v24,r10,$sp
-	addi	r10,r10,32
-	stvx	v25,r11,$sp
-	addi	r11,r11,32
-	stvx	v26,r10,$sp
-	addi	r10,r10,32
-	stvx	v27,r11,$sp
-	addi	r11,r11,32
-	stvx	v28,r10,$sp
-	addi	r10,r10,32
-	stvx	v29,r11,$sp
-	addi	r11,r11,32
-	stvx	v30,r10,$sp
-	stvx	v31,r11,$sp
-	stw	r12,`$FRAME-4`($sp)		# save vrsave
-	li	r12,-4096+63
-	$PUSH	r0, `$FRAME+$LRSAVE`($sp)
-	mtspr	256,r12				# preserve 29 AltiVec registers
-
-	bl	Lconsts				# returns pointer Lsigma in r12
-
-	lvx_4w	@K[0],0,r12			# load sigma
-	addi	r12,r12,0x70
-	li	$x10,16
-	li	$x20,32
-	li	$x30,48
-	li	r11,64
-
-	vspltisw $xa4,-16			# synthesize constants
-	vspltisw $xb4,12			# synthesize constants
-	vspltisw $xc4,8			# synthesize constants
-	vspltisw $xd4,7			# synthesize constants
-
-	lvx	$xa0,$x00,r12			# load [smashed] sigma
-	lvx	$xa1,$x10,r12
-	lvx	$xa2,$x20,r12
-	lvx	$xa3,$x30,r12
-
-	vxxlor	$xv9   ,$xa4,$xa4               #save shift val in vr9-12
-	vxxlor	$xv10  ,$xb4,$xb4
-	vxxlor	$xv11  ,$xc4,$xc4
-	vxxlor	$xv12  ,$xd4,$xd4
-	vxxlor	$xv22  ,$xa0,$xa0               #save sigma in vr22-25
-	vxxlor	$xv23  ,$xa1,$xa1
-	vxxlor	$xv24  ,$xa2,$xa2
-	vxxlor	$xv25  ,$xa3,$xa3
-
-	lvx_4w	@K[1],0,$key			# load key
-	lvx_4w	@K[2],$x10,$key
-	lvx_4w	@K[3],0,$ctr			# load counter
-	vspltisw $xt3,4
-
-
-	vxor	$xt2,$xt2,$xt2
-	lvx_4w	$xt1,r11,r12
-	vspltw	$xa2,@K[3],0			#save the original count after spltw
-	vsldoi	@K[3],@K[3],$xt2,4
-	vsldoi	@K[3],$xt2,@K[3],12		# clear @K[3].word[0]
-	vadduwm	$xt1,$xa2,$xt1
-	vadduwm $xt3,$xt1,$xt3     		# next counter value
-	vspltw	$xa0,@K[2],2                    # save the K[2] spltw 2 and save v8.
-
-	be?lvsl	  $beperm,0,$x10			# 0x00..0f
-	be?vspltisb $xt0,3			# 0x03..03
-	be?vxor   $beperm,$beperm,$xt0		# swap bytes within words
-	be?vxxlor $xv26 ,$beperm,$beperm
-
-	vxxlor	$xv0 ,@K[0],@K[0]               # K0,k1,k2 to vr0,1,2
-	vxxlor	$xv1 ,@K[1],@K[1]
-	vxxlor	$xv2 ,@K[2],@K[2]
-	vxxlor	$xv3 ,@K[3],@K[3]
-	vxxlor	$xv4 ,$xt1,$xt1                #CTR ->4, CTR+4-> 5
-	vxxlor	$xv5 ,$xt3,$xt3
-	vxxlor	$xv8 ,$xa0,$xa0
-
-	li	r0,10				# inner loop counter
-	mtctr	r0
-	b	Loop_outer_vsx_8x
-
-.align	5
-Loop_outer_vsx_8x:
-	vxxlorc	$xa0,$xv22,$xv22	        # load [smashed] sigma
-	vxxlorc	$xa1,$xv23,$xv23
-	vxxlorc	$xa2,$xv24,$xv24
-	vxxlorc	$xa3,$xv25,$xv25
-	vxxlorc	$xa4,$xv22,$xv22
-	vxxlorc	$xa5,$xv23,$xv23
-	vxxlorc	$xa6,$xv24,$xv24
-	vxxlorc	$xa7,$xv25,$xv25
-
-	vspltw	$xb0,@K[1],0			# smash the key
-	vspltw	$xb1,@K[1],1
-	vspltw	$xb2,@K[1],2
-	vspltw	$xb3,@K[1],3
-	vspltw	$xb4,@K[1],0			# smash the key
-	vspltw	$xb5,@K[1],1
-	vspltw	$xb6,@K[1],2
-	vspltw	$xb7,@K[1],3
-
-	vspltw	$xc0,@K[2],0
-	vspltw	$xc1,@K[2],1
-	vspltw	$xc2,@K[2],2
-	vspltw	$xc3,@K[2],3
-	vspltw	$xc4,@K[2],0
-	vspltw	$xc7,@K[2],3
-	vspltw	$xc5,@K[2],1
-
-	vxxlorc	$xd0,$xv4,$xv4			# smash the counter
-	vspltw	$xd1,@K[3],1
-	vspltw	$xd2,@K[3],2
-	vspltw	$xd3,@K[3],3
-	vxxlorc	$xd4,$xv5,$xv5			# smash the counter
-	vspltw	$xd5,@K[3],1
-	vspltw	$xd6,@K[3],2
-	vspltw	$xd7,@K[3],3
-	vxxlorc	$xc6,$xv8,$xv8                  #copy of vlspt k[2],2 is in v8.v26 ->k[3] so need to wait until k3 is done
-
-Loop_vsx_8x:
-___
-	foreach (&VSX_lane_ROUND_8x(0,4, 8,12,16,20,24,28)) { eval; }
-	foreach (&VSX_lane_ROUND_8x(0,5,10,15,16,21,26,31)) { eval; }
-$code.=<<___;
-
-	bdnz	        Loop_vsx_8x
-	vxxlor	        $xv13 ,$xd4,$xd4                # save the register vr24-31
-	vxxlor	        $xv14 ,$xd5,$xd5                #
-	vxxlor	        $xv15 ,$xd6,$xd6                #
-	vxxlor	        $xv16 ,$xd7,$xd7                #
-
-	vxxlor	        $xv18 ,$xc4,$xc4                #
-	vxxlor	        $xv19 ,$xc5,$xc5                #
-	vxxlor	        $xv20 ,$xc6,$xc6                #
-	vxxlor	        $xv21 ,$xc7,$xc7                #
-
-	vxxlor	        $xv6  ,$xb6,$xb6                # save vr23, so we get 8 regs
-	vxxlor	        $xv7  ,$xb7,$xb7                # save vr23, so we get 8 regs
-	be?vxxlorc      $beperm,$xv26,$xv26             # copy back the the beperm.
-
-	vxxlorc	   @K[0],$xv0,$xv0                #27
-	vxxlorc	   @K[1],$xv1,$xv1 		  #24
-	vxxlorc	   @K[2],$xv2,$xv2		  #25
-	vxxlorc	   @K[3],$xv3,$xv3		  #26
-	vxxlorc	   $CTR0,$xv4,$xv4
-###changing to vertical
-
-	vmrgew	$xt0,$xa0,$xa1			# transpose data
-	vmrgew	$xt1,$xa2,$xa3
-	vmrgow	$xa0,$xa0,$xa1
-	vmrgow	$xa2,$xa2,$xa3
-
-	vmrgew	$xt2,$xb0,$xb1
-	vmrgew	$xt3,$xb2,$xb3
-	vmrgow	$xb0,$xb0,$xb1
-	vmrgow	$xb2,$xb2,$xb3
-
-	vadduwm	$xd0,$xd0,$CTR0
-
-	vpermdi	$xa1,$xa0,$xa2,0b00
-	vpermdi	$xa3,$xa0,$xa2,0b11
-	vpermdi	$xa0,$xt0,$xt1,0b00
-	vpermdi	$xa2,$xt0,$xt1,0b11
-	vpermdi	$xb1,$xb0,$xb2,0b00
-	vpermdi	$xb3,$xb0,$xb2,0b11
-	vpermdi	$xb0,$xt2,$xt3,0b00
-	vpermdi	$xb2,$xt2,$xt3,0b11
-
-	vmrgew	$xt0,$xc0,$xc1
-	vmrgew	$xt1,$xc2,$xc3
-	vmrgow	$xc0,$xc0,$xc1
-	vmrgow	$xc2,$xc2,$xc3
-	vmrgew	$xt2,$xd0,$xd1
-	vmrgew	$xt3,$xd2,$xd3
-	vmrgow	$xd0,$xd0,$xd1
-	vmrgow	$xd2,$xd2,$xd3
-
-	vpermdi	$xc1,$xc0,$xc2,0b00
-	vpermdi	$xc3,$xc0,$xc2,0b11
-	vpermdi	$xc0,$xt0,$xt1,0b00
-	vpermdi	$xc2,$xt0,$xt1,0b11
-	vpermdi	$xd1,$xd0,$xd2,0b00
-	vpermdi	$xd3,$xd0,$xd2,0b11
-	vpermdi	$xd0,$xt2,$xt3,0b00
-	vpermdi	$xd2,$xt2,$xt3,0b11
-
-	vspltisw $xt0,8
-	vadduwm  $CTR0,$CTR0,$xt0		# next counter value
-	vxxlor	 $xv4 ,$CTR0,$CTR0	        #CTR+4-> 5
-
-	vadduwm	$xa0,$xa0,@K[0]
-	vadduwm	$xb0,$xb0,@K[1]
-	vadduwm	$xc0,$xc0,@K[2]
-	vadduwm	$xd0,$xd0,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-	vadduwm	$xa0,$xa1,@K[0]
-	vadduwm	$xb0,$xb1,@K[1]
-	vadduwm	$xc0,$xc1,@K[2]
-	vadduwm	$xd0,$xd1,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-	vadduwm	$xa0,$xa2,@K[0]
-	vadduwm	$xb0,$xb2,@K[1]
-	vadduwm	$xc0,$xc2,@K[2]
-	vadduwm	$xd0,$xd2,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-	vadduwm	$xa0,$xa3,@K[0]
-	vadduwm	$xb0,$xb3,@K[1]
-	vadduwm	$xc0,$xc3,@K[2]
-	vadduwm	$xd0,$xd3,@K[3]
-
-	be?vperm $xa0,$xa0,$xa0,$beperm
-	be?vperm $xb0,$xb0,$xb0,$beperm
-	be?vperm $xc0,$xc0,$xc0,$beperm
-	be?vperm $xd0,$xd0,$xd0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x
-
-	lvx_4w	$xt0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xt0,$xt0,$xa0
-	vxor	$xt1,$xt1,$xb0
-	vxor	$xt2,$xt2,$xc0
-	vxor	$xt3,$xt3,$xd0
-
-	stvx_4w	$xt0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-#blk4-7: 24:31 remain the same as we can use the same logic above . Reg a4-b7 remain same.Load c4,d7--> position 8-15.we can reuse vr24-31.
-#VR0-3 : are used to load temp value, vr4 --> as xr0 instead of xt0.
-
-	vxxlorc	   $CTR1 ,$xv5,$xv5
-
-	vxxlorc	   $xcn4 ,$xv18,$xv18
-	vxxlorc	   $xcn5 ,$xv19,$xv19
-	vxxlorc	   $xcn6 ,$xv20,$xv20
-	vxxlorc	   $xcn7 ,$xv21,$xv21
-
-	vxxlorc	   $xdn4 ,$xv13,$xv13
-	vxxlorc	   $xdn5 ,$xv14,$xv14
-	vxxlorc	   $xdn6 ,$xv15,$xv15
-	vxxlorc	   $xdn7 ,$xv16,$xv16
-	vadduwm	   $xdn4,$xdn4,$CTR1
-
-	vxxlorc	   $xb6 ,$xv6,$xv6
-	vxxlorc	   $xb7 ,$xv7,$xv7
-#use xa1->xr0, as xt0...in the block 4-7
-
-	vmrgew	$xr0,$xa4,$xa5			# transpose data
-	vmrgew	$xt1,$xa6,$xa7
-	vmrgow	$xa4,$xa4,$xa5
-	vmrgow	$xa6,$xa6,$xa7
-	vmrgew	$xt2,$xb4,$xb5
-	vmrgew	$xt3,$xb6,$xb7
-	vmrgow	$xb4,$xb4,$xb5
-	vmrgow	$xb6,$xb6,$xb7
-
-	vpermdi	$xa5,$xa4,$xa6,0b00
-	vpermdi	$xa7,$xa4,$xa6,0b11
-	vpermdi	$xa4,$xr0,$xt1,0b00
-	vpermdi	$xa6,$xr0,$xt1,0b11
-	vpermdi	$xb5,$xb4,$xb6,0b00
-	vpermdi	$xb7,$xb4,$xb6,0b11
-	vpermdi	$xb4,$xt2,$xt3,0b00
-	vpermdi	$xb6,$xt2,$xt3,0b11
-
-	vmrgew	$xr0,$xcn4,$xcn5
-	vmrgew	$xt1,$xcn6,$xcn7
-	vmrgow	$xcn4,$xcn4,$xcn5
-	vmrgow	$xcn6,$xcn6,$xcn7
-	vmrgew	$xt2,$xdn4,$xdn5
-	vmrgew	$xt3,$xdn6,$xdn7
-	vmrgow	$xdn4,$xdn4,$xdn5
-	vmrgow	$xdn6,$xdn6,$xdn7
-
-	vpermdi	$xcn5,$xcn4,$xcn6,0b00
-	vpermdi	$xcn7,$xcn4,$xcn6,0b11
-	vpermdi	$xcn4,$xr0,$xt1,0b00
-	vpermdi	$xcn6,$xr0,$xt1,0b11
-	vpermdi	$xdn5,$xdn4,$xdn6,0b00
-	vpermdi	$xdn7,$xdn4,$xdn6,0b11
-	vpermdi	$xdn4,$xt2,$xt3,0b00
-	vpermdi	$xdn6,$xt2,$xt3,0b11
-
-	vspltisw $xr0,8
-	vadduwm  $CTR1,$CTR1,$xr0		# next counter value
-	vxxlor	 $xv5 ,$CTR1,$CTR1	        #CTR+4-> 5
-
-	vadduwm	$xan0,$xa4,@K[0]
-	vadduwm	$xbn0,$xb4,@K[1]
-	vadduwm	$xcn0,$xcn4,@K[2]
-	vadduwm	$xdn0,$xdn4,@K[3]
-
-	be?vperm $xan0,$xa4,$xa4,$beperm
-	be?vperm $xbn0,$xb4,$xb4,$beperm
-	be?vperm $xcn0,$xcn4,$xcn4,$beperm
-	be?vperm $xdn0,$xdn4,$xdn4,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x_1
-
-	lvx_4w	$xr0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xr0,$xr0,$xan0
-	vxor	$xt1,$xt1,$xbn0
-	vxor	$xt2,$xt2,$xcn0
-	vxor	$xt3,$xt3,$xdn0
-
-	stvx_4w	$xr0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-	vadduwm	$xan0,$xa5,@K[0]
-	vadduwm	$xbn0,$xb5,@K[1]
-	vadduwm	$xcn0,$xcn5,@K[2]
-	vadduwm	$xdn0,$xdn5,@K[3]
-
-	be?vperm $xan0,$xan0,$xan0,$beperm
-	be?vperm $xbn0,$xbn0,$xbn0,$beperm
-	be?vperm $xcn0,$xcn0,$xcn0,$beperm
-	be?vperm $xdn0,$xdn0,$xdn0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x_1
-
-	lvx_4w	$xr0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xr0,$xr0,$xan0
-	vxor	$xt1,$xt1,$xbn0
-	vxor	$xt2,$xt2,$xcn0
-	vxor	$xt3,$xt3,$xdn0
-
-	stvx_4w	$xr0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-	vadduwm	$xan0,$xa6,@K[0]
-	vadduwm	$xbn0,$xb6,@K[1]
-	vadduwm	$xcn0,$xcn6,@K[2]
-	vadduwm	$xdn0,$xdn6,@K[3]
-
-	be?vperm $xan0,$xan0,$xan0,$beperm
-	be?vperm $xbn0,$xbn0,$xbn0,$beperm
-	be?vperm $xcn0,$xcn0,$xcn0,$beperm
-	be?vperm $xdn0,$xdn0,$xdn0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x_1
-
-	lvx_4w	$xr0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xr0,$xr0,$xan0
-	vxor	$xt1,$xt1,$xbn0
-	vxor	$xt2,$xt2,$xcn0
-	vxor	$xt3,$xt3,$xdn0
-
-	stvx_4w	$xr0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-	vadduwm	$xan0,$xa7,@K[0]
-	vadduwm	$xbn0,$xb7,@K[1]
-	vadduwm	$xcn0,$xcn7,@K[2]
-	vadduwm	$xdn0,$xdn7,@K[3]
-
-	be?vperm $xan0,$xan0,$xan0,$beperm
-	be?vperm $xbn0,$xbn0,$xbn0,$beperm
-	be?vperm $xcn0,$xcn0,$xcn0,$beperm
-	be?vperm $xdn0,$xdn0,$xdn0,$beperm
-
-	${UCMP}i $len,0x40
-	blt	Ltail_vsx_8x_1
-
-	lvx_4w	$xr0,$x00,$inp
-	lvx_4w	$xt1,$x10,$inp
-	lvx_4w	$xt2,$x20,$inp
-	lvx_4w	$xt3,$x30,$inp
-
-	vxor	$xr0,$xr0,$xan0
-	vxor	$xt1,$xt1,$xbn0
-	vxor	$xt2,$xt2,$xcn0
-	vxor	$xt3,$xt3,$xdn0
-
-	stvx_4w	$xr0,$x00,$out
-	stvx_4w	$xt1,$x10,$out
-	addi	$inp,$inp,0x40
-	stvx_4w	$xt2,$x20,$out
-	subi	$len,$len,0x40
-	stvx_4w	$xt3,$x30,$out
-	addi	$out,$out,0x40
-	beq	Ldone_vsx_8x
-
-	mtctr	r0
-	bne	Loop_outer_vsx_8x
-
-Ldone_vsx_8x:
-	lwz	r12,`$FRAME-4`($sp)		# pull vrsave
-	li	r10,`15+$LOCALS+64`
-	li	r11,`31+$LOCALS+64`
-	$POP	r0, `$FRAME+$LRSAVE`($sp)
-	mtspr	256,r12				# restore vrsave
-	lvx	v24,r10,$sp
-	addi	r10,r10,32
-	lvx	v25,r11,$sp
-	addi	r11,r11,32
-	lvx	v26,r10,$sp
-	addi	r10,r10,32
-	lvx	v27,r11,$sp
-	addi	r11,r11,32
-	lvx	v28,r10,$sp
-	addi	r10,r10,32
-	lvx	v29,r11,$sp
-	addi	r11,r11,32
-	lvx	v30,r10,$sp
-	lvx	v31,r11,$sp
-	mtlr	r0
-	addi	$sp,$sp,$FRAME
-	blr
-
-.align	4
-Ltail_vsx_8x:
-	addi	r11,$sp,$LOCALS
-	mtctr	$len
-	stvx_4w	$xa0,$x00,r11			# offload block to stack
-	stvx_4w	$xb0,$x10,r11
-	stvx_4w	$xc0,$x20,r11
-	stvx_4w	$xd0,$x30,r11
-	subi	r12,r11,1			# prepare for *++ptr
-	subi	$inp,$inp,1
-	subi	$out,$out,1
-	bl      Loop_tail_vsx_8x
-Ltail_vsx_8x_1:
-	addi	r11,$sp,$LOCALS
-	mtctr	$len
-	stvx_4w	$xan0,$x00,r11			# offload block to stack
-	stvx_4w	$xbn0,$x10,r11
-	stvx_4w	$xcn0,$x20,r11
-	stvx_4w	$xdn0,$x30,r11
-	subi	r12,r11,1			# prepare for *++ptr
-	subi	$inp,$inp,1
-	subi	$out,$out,1
-        bl      Loop_tail_vsx_8x
-
-Loop_tail_vsx_8x:
-	lbzu	r6,1(r12)
-	lbzu	r7,1($inp)
-	xor	r6,r6,r7
-	stbu	r6,1($out)
-	bdnz	Loop_tail_vsx_8x
-
-	stvx_4w	$K[0],$x00,r11			# wipe copy of the block
-	stvx_4w	$K[0],$x10,r11
-	stvx_4w	$K[0],$x20,r11
-	stvx_4w	$K[0],$x30,r11
-
-	b	Ldone_vsx_8x
-	.long	0
-	.byte	0,12,0x04,1,0x80,0,5,0
-	.long	0
-.size	.ChaCha20_ctr32_vsx_8x,.-.ChaCha20_ctr32_vsx_8x
-___
-}}}
-
-
-$code.=<<___;
-.align	5
-Lconsts:
-	mflr	r0
-	bcl	20,31,\$+4
-	mflr	r12	#vvvvv "distance between . and Lsigma
-	addi	r12,r12,`64-8`
-	mtlr	r0
-	blr
-	.long	0
-	.byte	0,12,0x14,0,0,0,0,0
-	.space	`64-9*4`
-Lsigma:
-	.long   0x61707865,0x3320646e,0x79622d32,0x6b206574
-	.long	1,0,0,0
-	.long	2,0,0,0
-	.long	3,0,0,0
-	.long	4,0,0,0
-___
-$code.=<<___ 	if ($LITTLE_ENDIAN);
-	.long	0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001
-	.long	0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300
-___
-$code.=<<___ 	if (!$LITTLE_ENDIAN);	# flipped words
-	.long	0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d
-	.long	0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c
-___
-$code.=<<___;
-	.long	0x61707865,0x61707865,0x61707865,0x61707865
-	.long	0x3320646e,0x3320646e,0x3320646e,0x3320646e
-	.long	0x79622d32,0x79622d32,0x79622d32,0x79622d32
-	.long	0x6b206574,0x6b206574,0x6b206574,0x6b206574
-	.long	0,1,2,3
-        .long   0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c
-.asciz  "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by <appro\@openssl.org>"
-.align	2
-___
-
-foreach (split("\n",$code)) {
-	s/\`([^\`]*)\`/eval $1/ge;
-
-	# instructions prefixed with '?' are endian-specific and need
-	# to be adjusted accordingly...
-	if ($flavour !~ /le$/) {	# big-endian
-	    s/be\?//		or
-	    s/le\?/#le#/	or
-	    s/\?lvsr/lvsl/	or
-	    s/\?lvsl/lvsr/	or
-	    s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or
-	    s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/;
-	} else {			# little-endian
-	    s/le\?//		or
-	    s/be\?/#be#/	or
-	    s/\?([a-z]+)/$1/	or
-	    s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/;
-	}
-
-	print $_,"\n";
-}
-
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 42
libs/openssl/crypto/chacha/chacha_ppc.c

@@ -1,42 +0,0 @@
-/*
- * Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-#include "crypto/chacha.h"
-#include "crypto/ppc_arch.h"
-
-void ChaCha20_ctr32_int(unsigned char *out, const unsigned char *inp,
-                        size_t len, const unsigned int key[8],
-                        const unsigned int counter[4]);
-void ChaCha20_ctr32_vmx(unsigned char *out, const unsigned char *inp,
-                        size_t len, const unsigned int key[8],
-                        const unsigned int counter[4]);
-void ChaCha20_ctr32_vsx(unsigned char *out, const unsigned char *inp,
-                        size_t len, const unsigned int key[8],
-                        const unsigned int counter[4]);
-void ChaCha20_ctr32_vsx_p10(unsigned char *out, const unsigned char *inp,
-                        size_t len, const unsigned int key[8],
-                        const unsigned int counter[4]);
-void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp,
-                    size_t len, const unsigned int key[8],
-                    const unsigned int counter[4])
-{
-#ifndef OPENSSL_SYS_AIX
-    OPENSSL_ppccap_P & PPC_BRD31
-        ? ChaCha20_ctr32_vsx_p10(out, inp, len, key, counter) :
-#endif
-          OPENSSL_ppccap_P & PPC_CRYPTO207
-            ? ChaCha20_ctr32_vsx(out, inp, len, key, counter)
-            : OPENSSL_ppccap_P & PPC_ALTIVEC
-                 ? ChaCha20_ctr32_vmx(out, inp, len, key, counter)
-                 : ChaCha20_ctr32_int(out, inp, len, key, counter);
-}

+ 0 - 459
libs/openssl/crypto/cmp/cmp_asn.c

@@ -1,459 +0,0 @@
-/*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/asn1t.h>
-
-#include "cmp_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/cmp.h>
-#include <openssl/crmf.h>
-
-/* ASN.1 declarations from RFC4210 */
-ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
-    /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
-    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
-    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
-    ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
-    ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
-} ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
-
-
-ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
-    ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
-    ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
-    ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
-
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
-                          OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
-
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
-                          OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
-
-
-ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
-    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
-    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
-    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
-    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
-    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
-    ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
-} ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
-
-
-ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
-    ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
-    ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
-    /*
-     * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
-     * so it is used directly
-     *
-     */
-    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails,
-                         ASN1_UTF8STRING)
-} ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
-
-ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
-                                                       infoValue.other,
-                                                       ASN1_ANY);
-/* ITAV means InfoTypeAndValue */
-ASN1_ADB(OSSL_CMP_ITAV) = {
-    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
-    ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV,
-                                                infoValue.caProtEncCert, X509)),
-    ADB_ENTRY(NID_id_it_signKeyPairTypes,
-              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
-                                   infoValue.signKeyPairTypes, X509_ALGOR)),
-    ADB_ENTRY(NID_id_it_encKeyPairTypes,
-              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
-                                   infoValue.encKeyPairTypes, X509_ALGOR)),
-    ADB_ENTRY(NID_id_it_preferredSymmAlg,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
-                       X509_ALGOR)),
-    ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
-                       OSSL_CMP_CAKEYUPDANNCONTENT)),
-    ADB_ENTRY(NID_id_it_currentCRL,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
-    ADB_ENTRY(NID_id_it_unsupportedOIDs,
-              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
-                                   infoValue.unsupportedOIDs, ASN1_OBJECT)),
-    ADB_ENTRY(NID_id_it_keyPairParamReq,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
-                       ASN1_OBJECT)),
-    ADB_ENTRY(NID_id_it_keyPairParamRep,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
-                       X509_ALGOR)),
-    ADB_ENTRY(NID_id_it_revPassphrase,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
-                       OSSL_CRMF_ENCRYPTEDVALUE)),
-    ADB_ENTRY(NID_id_it_implicitConfirm,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
-                       ASN1_NULL)),
-    ADB_ENTRY(NID_id_it_confirmWaitTime,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
-                       ASN1_GENERALIZEDTIME)),
-    ADB_ENTRY(NID_id_it_origPKIMessage,
-              ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
-                       OSSL_CMP_MSGS)),
-    ADB_ENTRY(NID_id_it_suppLangTags,
-              ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
-                                   ASN1_UTF8STRING)),
-} ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0,
-               &infotypeandvalue_default_tt, NULL);
-
-
-ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
-    ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
-    ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
-} ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
-
-OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
-{
-    OSSL_CMP_ITAV *itav;
-
-    if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
-        return NULL;
-    OSSL_CMP_ITAV_set0(itav, type, value);
-    return itav;
-}
-
-void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
-                        ASN1_TYPE *value)
-{
-    itav->infoType = type;
-    itav->infoValue.other = value;
-}
-
-ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
-{
-    if (itav == NULL)
-        return NULL;
-    return itav->infoType;
-}
-
-ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
-{
-    if (itav == NULL)
-        return NULL;
-    return itav->infoValue.other;
-}
-
-int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
-                                   OSSL_CMP_ITAV *itav)
-{
-    int created = 0;
-
-    if (itav_sk_p == NULL || itav == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        goto err;
-    }
-
-    if (*itav_sk_p == NULL) {
-        if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
-            goto err;
-        created = 1;
-    }
-    if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
-        goto err;
-    return 1;
-
- err:
-    if (created != 0) {
-        sk_OSSL_CMP_ITAV_free(*itav_sk_p);
-        *itav_sk_p = NULL;
-    }
-    return 0;
-}
-
-/* get ASN.1 encoded integer, return -1 on error */
-int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
-{
-    int64_t res;
-
-    if (!ASN1_INTEGER_get_int64(&res, a)) {
-        ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
-        return -1;
-    }
-    if (res < INT_MIN) {
-        ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
-        return -1;
-    }
-    if (res > INT_MAX) {
-        ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
-        return -1;
-    }
-    return (int)res;
-}
-
-static int ossl_cmp_msg_cb(int operation, ASN1_VALUE **pval,
-                           const ASN1_ITEM *it, void *exarg)
-{
-    OSSL_CMP_MSG *msg = (OSSL_CMP_MSG *)*pval;
-
-    switch (operation) {
-    case ASN1_OP_FREE_POST:
-        OPENSSL_free(msg->propq);
-        break;
-
-    case ASN1_OP_DUP_POST:
-        {
-            OSSL_CMP_MSG *old = exarg;
-
-            if (!ossl_cmp_msg_set0_libctx(msg, old->libctx, old->propq))
-                return 0;
-        }
-        break;
-    case ASN1_OP_GET0_LIBCTX:
-        {
-            OSSL_LIB_CTX **libctx = exarg;
-
-            *libctx = msg->libctx;
-        }
-        break;
-    case ASN1_OP_GET0_PROPQ:
-        {
-            const char **propq = exarg;
-
-            *propq = msg->propq;
-        }
-        break;
-    default:
-        break;
-    }
-
-    return 1;
-}
-
-ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
-    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
-    ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
-    ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
-             OSSL_CRMF_ENCRYPTEDVALUE, 1),
-} ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
-
-
-ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
-    ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
-                OSSL_CMP_CERTORENCCERT),
-    ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
-                 OSSL_CRMF_ENCRYPTEDVALUE, 0),
-    ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
-                 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
-} ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
-
-
-ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
-    ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
-    ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
-} ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
-
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
-                          OSSL_CMP_REVDETAILS)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
-
-
-ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
-    ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
-                             0),
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
-} ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
-
-
-ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
-    ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
-    ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
-                             OSSL_CMP_CERTIFIEDKEYPAIR, 2)
-} ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
-
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
-
-ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
-    ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
-    /*
-     * CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
-     * so it is used directly
-     */
-    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
-    /*
-     * OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING so used directly
-     */
-    ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
-} ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
-
-ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
-    ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
-    ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
-    ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI)
-} ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
-                          OSSL_CMP_CERTSTATUS)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
-
-ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
-    ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
-    ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
-             OSSL_CMP_CERTIFIEDKEYPAIR),
-    ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
-
-ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
-    ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
-                          OSSL_CMP_POLLREQ)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
-
-ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
-    ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
-    ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
-} ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
-                          OSSL_CMP_POLLREPCONTENT,
-                          OSSL_CMP_POLLREP)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
-
-ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
-    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
-    ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
-} ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
-                          OSSL_CMP_ITAV)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
-                          OSSL_CMP_ITAV)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
-                          OSSL_CMP_CRLANNCONTENT, X509_CRL)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
-
-ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc,
-             OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr,
-             OSSL_CMP_POPODECKEYRESPCONTENT, 6),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
-    ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
-} ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
-
-ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
-    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
-    ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
-    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
-    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
-    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
-    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
-    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
-    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
-    ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
-    /*
-     * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
-     * so it is used directly
-     */
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
-                             OSSL_CMP_ITAV, 8)
-} ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
-
-ASN1_SEQUENCE(OSSL_CMP_PROTECTEDPART) = {
-    ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
-    ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
-} ASN1_SEQUENCE_END(OSSL_CMP_PROTECTEDPART)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
-
-ASN1_SEQUENCE_cb(OSSL_CMP_MSG, ossl_cmp_msg_cb) = {
-    ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
-    ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
-    ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
-    /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
-    ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
-} ASN1_SEQUENCE_END_cb(OSSL_CMP_MSG, OSSL_CMP_MSG)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
-
-ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
-                          OSSL_CMP_MSG)
-ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)

+ 0 - 918
libs/openssl/crypto/cmp/cmp_client.c

@@ -1,918 +0,0 @@
-/*
- * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "cmp_local.h"
-#include "internal/cryptlib.h"
-#include "internal/e_os.h" /* ossl_sleep() */
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/bio.h>
-#include <openssl/cmp.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/x509v3.h>
-#include <openssl/cmp_util.h>
-
-#define IS_CREP(t) ((t) == OSSL_CMP_PKIBODY_IP || (t) == OSSL_CMP_PKIBODY_CP \
-                        || (t) == OSSL_CMP_PKIBODY_KUP)
-
-/*-
- * Evaluate whether there's an exception (violating the standard) configured for
- * handling negative responses without protection or with invalid protection.
- * Returns 1 on acceptance, 0 on rejection, or -1 on (internal) error.
- */
-static int unprotected_exception(const OSSL_CMP_CTX *ctx,
-                                 const OSSL_CMP_MSG *rep,
-                                 int invalid_protection,
-                                 int expected_type /* ignored here */)
-{
-    int rcvd_type = OSSL_CMP_MSG_get_bodytype(rep /* may be NULL */);
-    const char *msg_type = NULL;
-
-    if (!ossl_assert(ctx != NULL && rep != NULL))
-        return -1;
-
-    if (!ctx->unprotectedErrors)
-        return 0;
-
-    switch (rcvd_type) {
-    case OSSL_CMP_PKIBODY_ERROR:
-        msg_type = "error response";
-        break;
-    case OSSL_CMP_PKIBODY_RP:
-        {
-            OSSL_CMP_PKISI *si =
-                ossl_cmp_revrepcontent_get_pkisi(rep->body->value.rp,
-                                                 OSSL_CMP_REVREQSID);
-
-            if (si == NULL)
-                return -1;
-            if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_rejection)
-                msg_type = "revocation response message with rejection status";
-            break;
-        }
-    case OSSL_CMP_PKIBODY_PKICONF:
-        msg_type = "PKI Confirmation message";
-        break;
-    default:
-        if (IS_CREP(rcvd_type)) {
-            OSSL_CMP_CERTREPMESSAGE *crepmsg = rep->body->value.ip;
-            OSSL_CMP_CERTRESPONSE *crep =
-                ossl_cmp_certrepmessage_get0_certresponse(crepmsg,
-                                                          -1 /* any rid */);
-
-            if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1)
-                return -1;
-            if (crep == NULL)
-                return -1;
-            if (ossl_cmp_pkisi_get_status(crep->status)
-                == OSSL_CMP_PKISTATUS_rejection)
-                msg_type = "CertRepMessage with rejection status";
-        }
-    }
-    if (msg_type == NULL)
-        return 0;
-    ossl_cmp_log2(WARN, ctx, "ignoring %s protection of %s",
-                  invalid_protection ? "invalid" : "missing", msg_type);
-    return 1;
-}
-
-/* Save error info from PKIStatusInfo field of a certresponse into ctx */
-static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si)
-{
-    int i;
-    OSSL_CMP_PKIFREETEXT *ss;
-
-    if (!ossl_assert(ctx != NULL && si != NULL))
-        return 0;
-
-    ctx->status = ossl_cmp_pkisi_get_status(si);
-    if (ctx->status < OSSL_CMP_PKISTATUS_accepted)
-        return 0;
-
-    ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si);
-
-    if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null())
-            || (ctx->statusString == NULL))
-        return 0;
-
-    ss = si->statusString; /* may be NULL */
-    for (i = 0; i < sk_ASN1_UTF8STRING_num(ss); i++) {
-        ASN1_UTF8STRING *str = sk_ASN1_UTF8STRING_value(ss, i);
-
-        if (!sk_ASN1_UTF8STRING_push(ctx->statusString, ASN1_STRING_dup(str)))
-            return 0;
-    }
-    return 1;
-}
-
-/*-
- * Perform the generic aspects of sending a request and receiving a response.
- * Returns 1 on success and provides the received PKIMESSAGE in *rep.
- * Returns 0 on error.
- * Regardless of success, caller is responsible for freeing *rep (unless NULL).
- */
-static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
-                              OSSL_CMP_MSG **rep, int expected_type)
-{
-    int begin_transaction =
-        expected_type != OSSL_CMP_PKIBODY_POLLREP
-        && expected_type != OSSL_CMP_PKIBODY_PKICONF;
-    const char *req_type_str =
-        ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req));
-    const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type);
-    int bak_msg_timeout = ctx->msg_timeout;
-    int bt;
-    time_t now = time(NULL);
-    int time_left;
-    OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb;
-
-    if (transfer_cb == NULL)
-        transfer_cb = OSSL_CMP_MSG_http_perform;
-    *rep = NULL;
-
-    if (ctx->total_timeout != 0 /* not waiting indefinitely */) {
-        if (begin_transaction)
-            ctx->end_time = now + ctx->total_timeout;
-        if (now >= ctx->end_time) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
-            return 0;
-        }
-        if (!ossl_assert(ctx->end_time - now < INT_MAX)) {
-            /* actually cannot happen due to assignment in initial_certreq() */
-            ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
-            return 0;
-        }
-        time_left = (int)(ctx->end_time - now);
-        if (ctx->msg_timeout == 0 || time_left < ctx->msg_timeout)
-            ctx->msg_timeout = time_left;
-    }
-
-    /* should print error queue since transfer_cb may call ERR_clear_error() */
-    OSSL_CMP_CTX_print_errors(ctx);
-
-    ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str);
-
-    *rep = (*transfer_cb)(ctx, req);
-    ctx->msg_timeout = bak_msg_timeout;
-
-    if (*rep == NULL) {
-        ERR_raise_data(ERR_LIB_CMP,
-                       ctx->total_timeout != 0 && time(NULL) >= ctx->end_time ?
-                       CMP_R_TOTAL_TIMEOUT : CMP_R_TRANSFER_ERROR,
-                       "request sent: %s, expected response: %s",
-                       req_type_str, expected_type_str);
-        return 0;
-    }
-
-    bt = OSSL_CMP_MSG_get_bodytype(*rep);
-    /*
-     * The body type in the 'bt' variable is not yet verified.
-     * Still we use this preliminary value already for a progress report because
-     * the following msg verification may also produce log entries and may fail.
-     */
-    ossl_cmp_log1(INFO, ctx, "received %s", ossl_cmp_bodytype_to_string(bt));
-
-    /* copy received extraCerts to ctx->extraCertsIn so they can be retrieved */
-    if (bt != OSSL_CMP_PKIBODY_POLLREP && bt != OSSL_CMP_PKIBODY_PKICONF
-            && !ossl_cmp_ctx_set1_extraCertsIn(ctx, (*rep)->extraCerts))
-        return 0;
-
-    if (!ossl_cmp_msg_check_update(ctx, *rep, unprotected_exception,
-                                   expected_type))
-        return 0;
-
-    if (bt == expected_type
-        /* as an answer to polling, there could be IP/CP/KUP: */
-            || (IS_CREP(bt) && expected_type == OSSL_CMP_PKIBODY_POLLREP))
-        return 1;
-
-    /* received message type is not one of the expected ones (e.g., error) */
-    ERR_raise(ERR_LIB_CMP, bt == OSSL_CMP_PKIBODY_ERROR ? CMP_R_RECEIVED_ERROR :
-              CMP_R_UNEXPECTED_PKIBODY); /* in next line for mkerr.pl */
-
-    if (bt != OSSL_CMP_PKIBODY_ERROR) {
-        ERR_add_error_data(3, "message type is '",
-                           ossl_cmp_bodytype_to_string(bt), "'");
-    } else {
-        OSSL_CMP_ERRORMSGCONTENT *emc = (*rep)->body->value.error;
-        OSSL_CMP_PKISI *si = emc->pKIStatusInfo;
-        char buf[OSSL_CMP_PKISI_BUFLEN];
-
-        if (save_statusInfo(ctx, si)
-                && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf,
-                                                  sizeof(buf)) != NULL)
-            ERR_add_error_data(1, buf);
-        if (emc->errorCode != NULL
-                && BIO_snprintf(buf, sizeof(buf), "; errorCode: %08lX",
-                                ASN1_INTEGER_get(emc->errorCode)) > 0)
-            ERR_add_error_data(1, buf);
-        if (emc->errorDetails != NULL) {
-            char *text = ossl_sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ",
-                                                      OSSL_CMP_PKISI_BUFLEN - 1);
-
-            if (text != NULL && *text != '\0')
-                ERR_add_error_data(2, "; errorDetails: ", text);
-            OPENSSL_free(text);
-        }
-        if (ctx->status != OSSL_CMP_PKISTATUS_rejection) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS);
-            if (ctx->status == OSSL_CMP_PKISTATUS_waiting)
-                ctx->status = OSSL_CMP_PKISTATUS_rejection;
-        }
-    }
-    return 0;
-}
-
-/*-
- * When a 'waiting' PKIStatus has been received, this function is used to
- * poll, which should yield a pollRep or finally a CertRepMessage in ip/cp/kup.
- * On receiving a pollRep, which includes a checkAfter value, it return this
- * value if sleep == 0, else it sleeps as long as indicated and retries.
- *
- * A transaction timeout is enabled if ctx->total_timeout is != 0.
- * In this case polling will continue until the timeout is reached and then
- * polling is done a last time even if this is before the "checkAfter" time.
- *
- * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value.
- * Returns 1 on success and provides the received PKIMESSAGE in *rep.
- *           In this case the caller is responsible for freeing *rep.
- * Returns 0 on error (which includes the case that timeout has been reached).
- */
-static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
-                             OSSL_CMP_MSG **rep, int *checkAfter)
-{
-    OSSL_CMP_MSG *preq = NULL;
-    OSSL_CMP_MSG *prep = NULL;
-
-    ossl_cmp_info(ctx,
-                  "received 'waiting' PKIStatus, starting to poll for response");
-    *rep = NULL;
-    for (;;) {
-        if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL)
-            goto err;
-
-        if (!send_receive_check(ctx, preq, &prep, OSSL_CMP_PKIBODY_POLLREP))
-            goto err;
-
-        /* handle potential pollRep */
-        if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
-            OSSL_CMP_POLLREPCONTENT *prc = prep->body->value.pollRep;
-            OSSL_CMP_POLLREP *pollRep = NULL;
-            int64_t check_after;
-            char str[OSSL_CMP_PKISI_BUFLEN];
-            int len;
-
-            if (sk_OSSL_CMP_POLLREP_num(prc) > 1) {
-                ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
-                goto err;
-            }
-            pollRep = ossl_cmp_pollrepcontent_get0_pollrep(prc, rid);
-            if (pollRep == NULL)
-                goto err;
-
-            if (!ASN1_INTEGER_get_int64(&check_after, pollRep->checkAfter)) {
-                ERR_raise(ERR_LIB_CMP, CMP_R_BAD_CHECKAFTER_IN_POLLREP);
-                goto err;
-            }
-            if (check_after < 0 || (uint64_t)check_after
-                > (sleep ? ULONG_MAX / 1000 : INT_MAX)) {
-                ERR_raise(ERR_LIB_CMP, CMP_R_CHECKAFTER_OUT_OF_RANGE);
-                if (BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, "value = %jd",
-                                 check_after) >= 0)
-                    ERR_add_error_data(1, str);
-                goto err;
-            }
-
-            if (pollRep->reason == NULL
-                    || (len = BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN,
-                                           " with reason = '")) < 0) {
-                *str = '\0';
-            } else {
-                char *text = ossl_sk_ASN1_UTF8STRING2text(pollRep->reason, ", ",
-                                                          sizeof(str) - len - 2);
-
-                if (text == NULL
-                        || BIO_snprintf(str + len, sizeof(str) - len,
-                                        "%s'", text) < 0)
-                    *str = '\0';
-                OPENSSL_free(text);
-            }
-            ossl_cmp_log2(INFO, ctx,
-                          "received polling response%s; checkAfter = %ld seconds",
-                          str, check_after);
-
-            if (ctx->total_timeout != 0) { /* timeout is not infinite */
-                const int exp = 5; /* expected max time per msg round trip */
-                int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
-
-                if (time_left <= 0) {
-                    ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
-                    goto err;
-                }
-                if (time_left < check_after)
-                    check_after = time_left;
-                /* poll one last time just when timeout was reached */
-            }
-
-            OSSL_CMP_MSG_free(preq);
-            preq = NULL;
-            OSSL_CMP_MSG_free(prep);
-            prep = NULL;
-            if (sleep) {
-                ossl_sleep((unsigned long)(1000 * check_after));
-            } else {
-                if (checkAfter != NULL)
-                    *checkAfter = (int)check_after;
-                return -1; /* exits the loop */
-            }
-        } else {
-            ossl_cmp_info(ctx, "received ip/cp/kup after polling");
-            /* any other body type has been rejected by send_receive_check() */
-            break;
-        }
-    }
-    if (prep == NULL)
-        goto err;
-
-    OSSL_CMP_MSG_free(preq);
-    *rep = prep;
-
-    return 1;
- err:
-    OSSL_CMP_MSG_free(preq);
-    OSSL_CMP_MSG_free(prep);
-    return 0;
-}
-
-/*
- * Send certConf for IR, CR or KUR sequences and check response,
- * not modifying ctx->status during the certConf exchange
- */
-int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int fail_info,
-                               const char *txt)
-{
-    OSSL_CMP_MSG *certConf;
-    OSSL_CMP_MSG *PKIconf = NULL;
-    int res = 0;
-
-    /* OSSL_CMP_certConf_new() also checks if all necessary options are set */
-    if ((certConf = ossl_cmp_certConf_new(ctx, fail_info, txt)) == NULL)
-        goto err;
-
-    res = send_receive_check(ctx, certConf, &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
-
- err:
-    OSSL_CMP_MSG_free(certConf);
-    OSSL_CMP_MSG_free(PKIconf);
-    return res;
-}
-
-/* Send given error and check response */
-int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info,
-                            const char *txt, int errorCode, const char *details)
-{
-    OSSL_CMP_MSG *error = NULL;
-    OSSL_CMP_PKISI *si = NULL;
-    OSSL_CMP_MSG *PKIconf = NULL;
-    int res = 0;
-
-    /* not overwriting ctx->status on error exchange */
-    if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL)
-        goto err;
-    /* ossl_cmp_error_new() also checks if all necessary options are set */
-    if ((error = ossl_cmp_error_new(ctx, si, errorCode, details, 0)) == NULL)
-        goto err;
-
-    res = send_receive_check(ctx, error, &PKIconf, OSSL_CMP_PKIBODY_PKICONF);
-
- err:
-    OSSL_CMP_MSG_free(error);
-    OSSL_CMP_PKISI_free(si);
-    OSSL_CMP_MSG_free(PKIconf);
-    return res;
-}
-
-/*-
- * Retrieve a copy of the certificate, if any, from the given CertResponse.
- * Take into account PKIStatusInfo of CertResponse in ctx, report it on error.
- * Returns NULL if not found or on error.
- */
-static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
-                              OSSL_CMP_CERTRESPONSE *crep)
-{
-    char buf[OSSL_CMP_PKISI_BUFLEN];
-    X509 *crt = NULL;
-    EVP_PKEY *privkey;
-
-    if (!ossl_assert(ctx != NULL && crep != NULL))
-        return NULL;
-
-    privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
-    switch (ossl_cmp_pkisi_get_status(crep->status)) {
-    case OSSL_CMP_PKISTATUS_waiting:
-        ossl_cmp_err(ctx,
-                     "received \"waiting\" status for cert when actually aiming to extract cert");
-        ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_WAITING);
-        goto err;
-    case OSSL_CMP_PKISTATUS_grantedWithMods:
-        ossl_cmp_warn(ctx, "received \"grantedWithMods\" for certificate");
-        break;
-    case OSSL_CMP_PKISTATUS_accepted:
-        break;
-        /* get all information in case of a rejection before going to error */
-    case OSSL_CMP_PKISTATUS_rejection:
-        ossl_cmp_err(ctx, "received \"rejection\" status rather than cert");
-        ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER);
-        goto err;
-    case OSSL_CMP_PKISTATUS_revocationWarning:
-        ossl_cmp_warn(ctx,
-                      "received \"revocationWarning\" - a revocation of the cert is imminent");
-        break;
-    case OSSL_CMP_PKISTATUS_revocationNotification:
-        ossl_cmp_warn(ctx,
-                      "received \"revocationNotification\" - a revocation of the cert has occurred");
-        break;
-    case OSSL_CMP_PKISTATUS_keyUpdateWarning:
-        if (bodytype != OSSL_CMP_PKIBODY_KUR) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_KEYUPDATEWARNING);
-            goto err;
-        }
-        break;
-    default:
-        ossl_cmp_log1(ERROR, ctx,
-                      "received unsupported PKIStatus %d for certificate",
-                      ctx->status);
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS);
-        goto err;
-    }
-    crt = ossl_cmp_certresponse_get1_cert(crep, ctx, privkey);
-    if (crt == NULL) /* according to PKIStatus, we can expect a cert */
-        ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
-
-    return crt;
-
- err:
-    if (OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL)
-        ERR_add_error_data(1, buf);
-    return NULL;
-}
-
-/*-
- * Callback fn validating that the new certificate can be verified, using
- * ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and
- * ctx->untrusted, which at this point already contains msg->extraCerts.
- * Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo.
- * Quoting from RFC 4210 section 5.1. Overall PKI Message:
- *     The extraCerts field can contain certificates that may be useful to
- *     the recipient.  For example, this can be used by a CA or RA to
- *     present an end entity with certificates that it needs to verify its
- *     own new certificate (if, for example, the CA that issued the end
- *     entity's certificate is not a root CA for the end entity).  Note that
- *     this field does not necessarily contain a certification path; the
- *     recipient may have to sort, select from, or otherwise process the
- *     extra certificates in order to use them.
- * Note: While often handy, there is no hard requirement by CMP that
- * an EE must be able to validate the certificates it gets enrolled.
- */
-int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
-                         const char **text)
-{
-    X509_STORE *out_trusted = OSSL_CMP_CTX_get_certConf_cb_arg(ctx);
-    STACK_OF(X509) *chain = NULL;
-    (void)text; /* make (artificial) use of var to prevent compiler warning */
-
-    if (fail_info != 0) /* accept any error flagged by CMP core library */
-        return fail_info;
-
-    if (out_trusted == NULL) {
-        ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
-        chain = X509_build_chain(cert, ctx->untrusted, out_trusted,
-                                 0, ctx->libctx, ctx->propq);
-    } else {
-        X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq);
-
-        ossl_cmp_debug(ctx, "validating newly enrolled cert");
-        if (csc == NULL)
-            goto err;
-        if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted))
-            goto err;
-        /* disable any cert status/revocation checking etc. */
-        X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc),
-                                      ~(X509_V_FLAG_USE_CHECK_TIME
-                                        | X509_V_FLAG_NO_CHECK_TIME
-                                        | X509_V_FLAG_PARTIAL_CHAIN
-                                        | X509_V_FLAG_POLICY_CHECK));
-        if (X509_verify_cert(csc) <= 0)
-            goto err;
-
-        if (!ossl_x509_add_certs_new(&chain,  X509_STORE_CTX_get0_chain(csc),
-                                     X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
-                                     | X509_ADD_FLAG_NO_SS)) {
-            sk_X509_free(chain);
-            chain = NULL;
-        }
-    err:
-        X509_STORE_CTX_free(csc);
-    }
-
-    if (sk_X509_num(chain) > 0)
-        X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
-    if (out_trusted != NULL) {
-        if (chain == NULL) {
-            ossl_cmp_err(ctx, "failed to validate newly enrolled cert");
-            fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
-        } else {
-            ossl_cmp_debug(ctx,
-                           "success validating newly enrolled cert");
-        }
-    } else if (chain == NULL) {
-        ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts");
-        chain = OSSL_CMP_CTX_get1_extraCertsIn(ctx);
-    } else {
-        ossl_cmp_debug(ctx,
-                       "success building approximate chain for newly enrolled cert");
-    }
-    (void)ossl_cmp_ctx_set1_newChain(ctx, chain);
-    sk_X509_pop_free(chain, X509_free);
-
-    return fail_info;
-}
-
-/*-
- * Perform the generic handling of certificate responses for IR/CR/KUR/P10CR.
- * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value.
- * Returns 1 on success and provides the received PKIMESSAGE in *resp.
- * Returns 0 on error (which includes the case that timeout has been reached).
- * Regardless of success, caller is responsible for freeing *resp (unless NULL).
- */
-static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
-                         OSSL_CMP_MSG **resp, int *checkAfter,
-                         int req_type, int expected_type)
-{
-    EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx /* may be NULL */, 0);
-    int fail_info = 0; /* no failure */
-    const char *txt = NULL;
-    OSSL_CMP_CERTREPMESSAGE *crepmsg;
-    OSSL_CMP_CERTRESPONSE *crep;
-    OSSL_CMP_certConf_cb_t cb;
-    X509 *cert;
-    char *subj = NULL;
-    int ret = 1;
-
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-
- retry:
-    crepmsg = (*resp)->body->value.ip; /* same for cp and kup */
-    if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
-        return 0;
-    }
-    crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid);
-    if (crep == NULL)
-        return 0;
-    if (!save_statusInfo(ctx, crep->status))
-        return 0;
-    if (rid == -1) {
-        /* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */
-        rid = ossl_cmp_asn1_get_int(crep->certReqId);
-        if (rid == -1) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
-            return 0;
-        }
-    }
-
-    if (ossl_cmp_pkisi_get_status(crep->status) == OSSL_CMP_PKISTATUS_waiting) {
-        OSSL_CMP_MSG_free(*resp);
-        *resp = NULL;
-        if ((ret = poll_for_response(ctx, sleep, rid, resp, checkAfter)) != 0) {
-            if (ret == -1) /* at this point implies sleep == 0 */
-                return ret; /* waiting */
-            goto retry; /* got ip/cp/kup, which may still indicate 'waiting' */
-        } else {
-            ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED);
-            return 0;
-        }
-    }
-
-    cert = get1_cert_status(ctx, (*resp)->body->type, crep);
-    if (cert == NULL) {
-        ERR_add_error_data(1, "; cannot extract certificate from response");
-        return 0;
-    }
-    if (!ossl_cmp_ctx_set0_newCert(ctx, cert))
-        return 0;
-
-    /*
-     * if the CMP server returned certificates in the caPubs field, copy them
-     * to the context so that they can be retrieved if necessary
-     */
-    if (crepmsg->caPubs != NULL
-            && !ossl_cmp_ctx_set1_caPubs(ctx, crepmsg->caPubs))
-        return 0;
-
-    subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
-    if (rkey != NULL
-        /* X509_check_private_key() also works if rkey is just public key */
-            && !(X509_check_private_key(ctx->newCert, rkey))) {
-        fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
-        txt = "public key in new certificate does not match our enrollment key";
-        /*-
-         * not calling (void)ossl_cmp_exchange_error(ctx,
-         *                   OSSL_CMP_PKISTATUS_rejection, fail_info, txt)
-         * not throwing CMP_R_CERTIFICATE_NOT_ACCEPTED with txt
-         * not returning 0
-         * since we better leave this for the certConf_cb to decide
-         */
-    }
-
-    /*
-     * Execute the certification checking callback function,
-     * which can determine whether to accept a newly enrolled certificate.
-     * It may overrule the pre-decision reflected in 'fail_info' and '*txt'.
-     */
-    cb = ctx->certConf_cb != NULL ? ctx->certConf_cb : OSSL_CMP_certConf_cb;
-    if ((fail_info = cb(ctx, ctx->newCert, fail_info, &txt)) != 0
-            && txt == NULL)
-        txt = "CMP client did not accept it";
-    if (fail_info != 0) /* immediately log error before any certConf exchange */
-        ossl_cmp_log1(ERROR, ctx,
-                      "rejecting newly enrolled cert with subject: %s", subj);
-    if (!ctx->disableConfirm
-            && !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) {
-        if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt))
-            ret = 0;
-    }
-
-    /* not throwing failure earlier as transfer_cb may call ERR_clear_error() */
-    if (fail_info != 0) {
-        ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED,
-                       "rejecting newly enrolled cert with subject: %s; %s",
-                       subj, txt);
-        ret = 0;
-    }
-    OPENSSL_free(subj);
-    return ret;
-}
-
-static int initial_certreq(OSSL_CMP_CTX *ctx,
-                           int req_type, const OSSL_CRMF_MSG *crm,
-                           OSSL_CMP_MSG **p_rep, int rep_type)
-{
-    OSSL_CMP_MSG *req;
-    int res;
-
-    ctx->status = OSSL_CMP_PKISTATUS_request;
-    if (!ossl_cmp_ctx_set0_newCert(ctx, NULL))
-        return 0;
-
-    /* also checks if all necessary options are set */
-    if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL)
-        return 0;
-
-    ctx->status = OSSL_CMP_PKISTATUS_trans;
-    res = send_receive_check(ctx, req, p_rep, rep_type);
-    OSSL_CMP_MSG_free(req);
-    return res;
-}
-
-int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
-                         const OSSL_CRMF_MSG *crm, int *checkAfter)
-{
-    OSSL_CMP_MSG *rep = NULL;
-    int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
-    int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
-    int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1;
-    int res = 0;
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (ctx->status != OSSL_CMP_PKISTATUS_waiting) { /* not polling already */
-        if (!initial_certreq(ctx, req_type, crm, &rep, rep_type))
-            goto err;
-    } else {
-        if (req_type < 0)
-            return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection,
-                                           0, "polling aborted",
-                                           0 /* errorCode */, "by application");
-        res = poll_for_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter);
-        if (res <= 0) /* waiting or error */
-            return res;
-    }
-    res = cert_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter,
-                        req_type, rep_type);
-
- err:
-    OSSL_CMP_MSG_free(rep);
-    return res;
-}
-
-/*-
- * Do the full sequence CR/IR/KUR/P10CR, CP/IP/KUP/CP,
- * certConf, PKIconf, and polling if required.
- * Will sleep as long as indicated by the server (according to checkAfter).
- * All enrollment options need to be present in the context.
- * Returns pointer to received certificate, or NULL if none was received.
- */
-X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
-                            const OSSL_CRMF_MSG *crm)
-{
-
-    OSSL_CMP_MSG *rep = NULL;
-    int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
-    int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
-    int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1;
-    X509 *result = NULL;
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    if (!initial_certreq(ctx, req_type, crm, &rep, rep_type))
-        goto err;
-
-    if (cert_response(ctx, 1 /* sleep */, rid, &rep, NULL, req_type, rep_type)
-        <= 0)
-        goto err;
-
-    result = ctx->newCert;
- err:
-    OSSL_CMP_MSG_free(rep);
-    return result;
-}
-
-int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
-{
-    OSSL_CMP_MSG *rr = NULL;
-    OSSL_CMP_MSG *rp = NULL;
-    const int num_RevDetails = 1;
-    const int rsid = OSSL_CMP_REVREQSID;
-    OSSL_CMP_REVREPCONTENT *rrep = NULL;
-    OSSL_CMP_PKISI *si = NULL;
-    char buf[OSSL_CMP_PKISI_BUFLEN];
-    int ret = 0;
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
-        return 0;
-    }
-    ctx->status = OSSL_CMP_PKISTATUS_request;
-    if (ctx->oldCert == NULL && ctx->p10CSR == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
-        return 0;
-    }
-
-    /* OSSL_CMP_rr_new() also checks if all necessary options are set */
-    if ((rr = ossl_cmp_rr_new(ctx)) == NULL)
-        goto end;
-
-    ctx->status = OSSL_CMP_PKISTATUS_trans;
-    if (!send_receive_check(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP))
-        goto end;
-
-    rrep = rp->body->value.rp;
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-    if (sk_OSSL_CMP_PKISI_num(rrep->status) != num_RevDetails) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
-        goto end;
-    }
-#else
-    if (sk_OSSL_CMP_PKISI_num(rrep->status) < 1) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
-        goto end;
-    }
-#endif
-
-    /* evaluate PKIStatus field */
-    si = ossl_cmp_revrepcontent_get_pkisi(rrep, rsid);
-    if (!save_statusInfo(ctx, si))
-        goto err;
-    switch (ossl_cmp_pkisi_get_status(si)) {
-    case OSSL_CMP_PKISTATUS_accepted:
-        ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)");
-        ret = 1;
-        break;
-    case OSSL_CMP_PKISTATUS_grantedWithMods:
-        ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)");
-        ret = 1;
-        break;
-    case OSSL_CMP_PKISTATUS_rejection:
-        ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER);
-        goto err;
-    case OSSL_CMP_PKISTATUS_revocationWarning:
-        ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)");
-        ret = 1;
-        break;
-    case OSSL_CMP_PKISTATUS_revocationNotification:
-        /* interpretation as warning or error depends on CA */
-        ossl_cmp_warn(ctx,
-                      "revocation accepted (PKIStatus=revocationNotification)");
-        ret = 1;
-        break;
-    case OSSL_CMP_PKISTATUS_waiting:
-    case OSSL_CMP_PKISTATUS_keyUpdateWarning:
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS);
-        goto err;
-    default:
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS);
-        goto err;
-    }
-
-    /* check any present CertId in optional revCerts field */
-    if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) {
-        OSSL_CRMF_CERTID *cid;
-        OSSL_CRMF_CERTTEMPLATE *tmpl =
-            sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails;
-        const X509_NAME *issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
-        const ASN1_INTEGER *serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
-
-        if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
-            ret = 0;
-            goto err;
-        }
-        if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
-            ret = 0;
-            goto err;
-        }
-        if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP);
-            ret = 0;
-            goto err;
-#endif
-        }
-        if (ASN1_INTEGER_cmp(serial,
-                             OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP);
-            ret = 0;
-            goto err;
-#endif
-        }
-    }
-
-    /* check number of any optionally present crls */
-    if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
-        ret = 0;
-        goto err;
-    }
-
- err:
-    if (ret == 0
-            && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL)
-        ERR_add_error_data(1, buf);
-
- end:
-    OSSL_CMP_MSG_free(rr);
-    OSSL_CMP_MSG_free(rp);
-    return ret;
-}
-
-STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)
-{
-    OSSL_CMP_MSG *genm;
-    OSSL_CMP_MSG *genp = NULL;
-    STACK_OF(OSSL_CMP_ITAV) *itavs = NULL;
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
-        return NULL;
-    }
-    ctx->status = OSSL_CMP_PKISTATUS_request;
-
-    if ((genm = ossl_cmp_genm_new(ctx)) == NULL)
-        goto err;
-
-    ctx->status = OSSL_CMP_PKISTATUS_trans;
-    if (!send_receive_check(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP))
-        goto err;
-    ctx->status = OSSL_CMP_PKISTATUS_accepted;
-
-    itavs = genp->body->value.genp;
-    if (itavs == NULL)
-        itavs = sk_OSSL_CMP_ITAV_new_null();
-    /* received stack of itavs not to be freed with the genp */
-    genp->body->value.genp = NULL;
-
- err:
-    OSSL_CMP_MSG_free(genm);
-    OSSL_CMP_MSG_free(genp);
-
-    return itavs; /* NULL indicates error case */
-}

+ 0 - 1157
libs/openssl/crypto/cmp/cmp_ctx.c

@@ -1,1157 +0,0 @@
-/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/trace.h>
-#include <openssl/bio.h>
-#include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
-
-#include "cmp_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/cmp.h>
-#include <openssl/crmf.h>
-#include <openssl/err.h>
-
-/*
- * Get current certificate store containing trusted root CA certs
- */
-X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return ctx->trusted;
-}
-
-/*
- * Set certificate store containing trusted (root) CA certs and possibly CRLs
- * and a cert verification callback function used for CMP server authentication.
- * Any already existing store entry is freed. Given NULL, the entry is reset.
- */
-int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    X509_STORE_free(ctx->trusted);
-    ctx->trusted = store;
-    return 1;
-}
-
-/* Get current list of non-trusted intermediate certs */
-STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return ctx->untrusted;
-}
-
-/*
- * Set untrusted certificates for path construction in authentication of
- * the CMP server and potentially others (TLS server, newly enrolled cert).
- */
-int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
-{
-    STACK_OF(X509) *untrusted = NULL;
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (!ossl_x509_add_certs_new(&untrusted, certs,
-                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
-        goto err;
-    sk_X509_pop_free(ctx->untrusted, X509_free);
-    ctx->untrusted = untrusted;
-    return 1;
- err:
-    sk_X509_pop_free(untrusted, X509_free);
-    return 0;
-}
-
-static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid)
-{
-    EVP_MD *md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propq);
-    /* fetching in advance to be able to throw error early if unsupported */
-
-    if (md == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_ALGORITHM);
-        return 0;
-    }
-    EVP_MD_free(*pmd);
-    *pmd = md;
-    return 1;
-}
-
-/*
- * Allocates and initializes OSSL_CMP_CTX context structure with default values.
- * Returns new context on success, NULL on error
- */
-OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
-{
-    OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-
-    if (ctx == NULL)
-        goto err;
-
-    ctx->libctx = libctx;
-    if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
-        goto oom;
-
-    ctx->log_verbosity = OSSL_CMP_LOG_INFO;
-
-    ctx->status = OSSL_CMP_PKISTATUS_unspecified;
-    ctx->failInfoCode = -1;
-
-    ctx->keep_alive = 1;
-    ctx->msg_timeout = -1;
-
-    if ((ctx->untrusted = sk_X509_new_null()) == NULL)
-        goto oom;
-
-    ctx->pbm_slen = 16;
-    if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
-        goto err;
-    ctx->pbm_itercnt = 500;
-    ctx->pbm_mac = NID_hmac_sha1;
-
-    if (!cmp_ctx_set_md(ctx, &ctx->digest, NID_sha256))
-        goto err;
-    ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE;
-    ctx->revocationReason = CRL_REASON_NONE;
-
-    /* all other elements are initialized to 0 or NULL, respectively */
-    return ctx;
-
- oom:
-    ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
- err:
-    OSSL_CMP_CTX_free(ctx);
-    return NULL;
-}
-
-#define OSSL_CMP_ITAVs_free(itavs) \
-    sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
-#define X509_EXTENSIONS_free(exts) \
-    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
-#define OSSL_CMP_PKIFREETEXT_free(text) \
-    sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
-
-/* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
-int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (ctx->http_ctx != NULL) {
-        (void)OSSL_HTTP_close(ctx->http_ctx, 1);
-        ossl_cmp_debug(ctx, "disconnected from CMP server");
-        ctx->http_ctx = NULL;
-    }
-    ctx->status = OSSL_CMP_PKISTATUS_unspecified;
-    ctx->failInfoCode = -1;
-
-    OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
-    ctx->genm_ITAVs = NULL;
-
-    return ossl_cmp_ctx_set0_statusString(ctx, NULL)
-        && ossl_cmp_ctx_set0_newCert(ctx, NULL)
-        && ossl_cmp_ctx_set1_newChain(ctx, NULL)
-        && ossl_cmp_ctx_set1_caPubs(ctx, NULL)
-        && ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
-        && ossl_cmp_ctx_set0_validatedSrvCert(ctx, NULL)
-        && OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
-        && OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)
-        && ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
-}
-
-/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
-void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL)
-        return;
-
-    if (ctx->http_ctx != NULL) {
-        (void)OSSL_HTTP_close(ctx->http_ctx, 1);
-        ossl_cmp_debug(ctx, "disconnected from CMP server");
-    }
-    OPENSSL_free(ctx->propq);
-    OPENSSL_free(ctx->serverPath);
-    OPENSSL_free(ctx->server);
-    OPENSSL_free(ctx->proxy);
-    OPENSSL_free(ctx->no_proxy);
-
-    X509_free(ctx->srvCert);
-    X509_free(ctx->validatedSrvCert);
-    X509_NAME_free(ctx->expected_sender);
-    X509_STORE_free(ctx->trusted);
-    sk_X509_pop_free(ctx->untrusted, X509_free);
-
-    X509_free(ctx->cert);
-    sk_X509_pop_free(ctx->chain, X509_free);
-    EVP_PKEY_free(ctx->pkey);
-    ASN1_OCTET_STRING_free(ctx->referenceValue);
-    if (ctx->secretValue != NULL)
-        OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
-    ASN1_OCTET_STRING_free(ctx->secretValue);
-    EVP_MD_free(ctx->pbm_owf);
-
-    X509_NAME_free(ctx->recipient);
-    EVP_MD_free(ctx->digest);
-    ASN1_OCTET_STRING_free(ctx->transactionID);
-    ASN1_OCTET_STRING_free(ctx->senderNonce);
-    ASN1_OCTET_STRING_free(ctx->recipNonce);
-    sk_OSSL_CMP_ITAV_pop_free(ctx->geninfo_ITAVs, OSSL_CMP_ITAV_free);
-    sk_X509_pop_free(ctx->extraCertsOut, X509_free);
-
-    EVP_PKEY_free(ctx->newPkey);
-    X509_NAME_free(ctx->issuer);
-    X509_NAME_free(ctx->subjectName);
-    sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
-    sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
-    sk_POLICYINFO_pop_free(ctx->policies, POLICYINFO_free);
-    X509_free(ctx->oldCert);
-    X509_REQ_free(ctx->p10CSR);
-
-    sk_OSSL_CMP_ITAV_pop_free(ctx->genm_ITAVs, OSSL_CMP_ITAV_free);
-
-    sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
-    X509_free(ctx->newCert);
-    sk_X509_pop_free(ctx->newChain, X509_free);
-    sk_X509_pop_free(ctx->caPubs, X509_free);
-    sk_X509_pop_free(ctx->extraCertsIn, X509_free);
-
-    OPENSSL_free(ctx);
-}
-
-int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-    ctx->status = status;
-    return 1;
-}
-
-/*
- * Returns the PKIStatus from the last CertRepMessage
- * or Revocation Response or error message, -1 on error
- */
-int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return -1;
-    }
-    return ctx->status;
-}
-
-/*
- * Returns the statusString from the last CertRepMessage
- * or Revocation Response or error message, NULL on error
- */
-OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return ctx->statusString;
-}
-
-int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
-                                   OSSL_CMP_PKIFREETEXT *text)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-    sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
-    ctx->statusString = text;
-    return 1;
-}
-
-int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-    X509_free(ctx->validatedSrvCert);
-    ctx->validatedSrvCert = cert;
-    return 1;
-}
-
-/* Set callback function for checking if the cert is ok or should be rejected */
-int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->certConf_cb = cb;
-    return 1;
-}
-
-/*
- * Set argument, respectively a pointer to a structure containing arguments,
- * optionally to be used by the certConf callback.
- */
-int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->certConf_cb_arg = arg;
-    return 1;
-}
-
-/*
- * Get argument, respectively the pointer to a structure containing arguments,
- * optionally to be used by certConf callback.
- * Returns callback argument set previously (NULL if not set or on error)
- */
-void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return ctx->certConf_cb_arg;
-}
-
-#ifndef OPENSSL_NO_TRACE
-static size_t ossl_cmp_log_trace_cb(const char *buf, size_t cnt,
-                                    int category, int cmd, void *vdata)
-{
-    OSSL_CMP_CTX *ctx = vdata;
-    const char *msg;
-    OSSL_CMP_severity level = -1;
-    char *func = NULL;
-    char *file = NULL;
-    int line = 0;
-
-    if (buf == NULL || cnt == 0 || cmd != OSSL_TRACE_CTRL_WRITE || ctx == NULL)
-        return 0;
-    if (ctx->log_cb == NULL)
-        return 1; /* silently drop message */
-
-    msg = ossl_cmp_log_parse_metadata(buf, &level, &func, &file, &line);
-
-    if (level > ctx->log_verbosity) /* excludes the case level is unknown */
-        goto end; /* suppress output since severity is not sufficient */
-
-    if (!ctx->log_cb(func != NULL ? func : "(no func)",
-                     file != NULL ? file : "(no file)",
-                     line, level, msg))
-        cnt = 0;
-
- end:
-    OPENSSL_free(func);
-    OPENSSL_free(file);
-    return cnt;
-}
-#endif
-
-/* Print CMP log messages (i.e., diagnostic info) via the log cb of the ctx */
-int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
-                       const char *func, const char *file, int line,
-                       const char *level_str, const char *format, ...)
-{
-    va_list args;
-    char hugebuf[1024 * 2];
-    int res = 0;
-
-    if (ctx == NULL || ctx->log_cb == NULL)
-        return 1; /* silently drop message */
-
-    if (level > ctx->log_verbosity) /* excludes the case level is unknown */
-        return 1; /* suppress output since severity is not sufficient */
-
-    if (format == NULL)
-        return 0;
-
-    va_start(args, format);
-
-    if (func == NULL)
-        func = "(unset function name)";
-    if (file == NULL)
-        file = "(unset file name)";
-    if (level_str == NULL)
-        level_str = "(unset level string)";
-
-#ifndef OPENSSL_NO_TRACE
-    if (OSSL_TRACE_ENABLED(CMP)) {
-        OSSL_TRACE_BEGIN(CMP) {
-            int printed =
-                BIO_snprintf(hugebuf, sizeof(hugebuf),
-                             "%s:%s:%d:" OSSL_CMP_LOG_PREFIX "%s: ",
-                             func, file, line, level_str);
-            if (printed > 0 && (size_t)printed < sizeof(hugebuf)) {
-                if (BIO_vsnprintf(hugebuf + printed,
-                                  sizeof(hugebuf) - printed, format, args) > 0)
-                    res = BIO_puts(trc_out, hugebuf) > 0;
-            }
-        } OSSL_TRACE_END(CMP);
-    }
-#else /* compensate for disabled trace API */
-    {
-        if (BIO_vsnprintf(hugebuf, sizeof(hugebuf), format, args) > 0)
-            res = ctx->log_cb(func, file, line, level, hugebuf);
-    }
-#endif
-    va_end(args);
-    return res;
-}
-
-/* Set a callback function for error reporting and logging messages */
-int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->log_cb = cb;
-
-#ifndef OPENSSL_NO_TRACE
-    /* do also in case cb == NULL, to switch off logging output: */
-    if (!OSSL_trace_set_callback(OSSL_TRACE_CATEGORY_CMP,
-                                 ossl_cmp_log_trace_cb, ctx))
-        return 0;
-#endif
-
-    return 1;
-}
-
-/* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */
-void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx != NULL && OSSL_CMP_LOG_ERR > ctx->log_verbosity)
-        return; /* suppress output since severity is not sufficient */
-    OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb);
-}
-
-/*
- * Set or clear the reference value to be used for identification
- * (i.e., the user name) when using PBMAC.
- */
-int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
-                                     const unsigned char *ref, int len)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref,
-                                                 len);
-}
-
-/* Set or clear the password to be used for protecting messages with PBMAC */
-int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
-                                  const int len)
-{
-    ASN1_OCTET_STRING *secretValue = NULL;
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1)
-        return 0;
-    if (ctx->secretValue != NULL) {
-        OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
-        ASN1_OCTET_STRING_free(ctx->secretValue);
-    }
-    ctx->secretValue = secretValue;
-    return 1;
-}
-
-/* Returns the cert chain computed by OSSL_CMP_certConf_cb(), NULL on error */
-STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return X509_chain_up_ref(ctx->newChain);
-}
-
-/*
- * Copies any given stack of inbound X509 certificates to newChain
- * of the OSSL_CMP_CTX structure so that they may be retrieved later.
- */
-int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-
-    sk_X509_pop_free(ctx->newChain, X509_free);
-    ctx->newChain = NULL;
-    return newChain == NULL ||
-        (ctx->newChain = X509_chain_up_ref(newChain)) != NULL;
-}
-
-/* Returns the stack of extraCerts received in CertRepMessage, NULL on error */
-STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return X509_chain_up_ref(ctx->extraCertsIn);
-}
-
-/*
- * Copies any given stack of inbound X509 certificates to extraCertsIn
- * of the OSSL_CMP_CTX structure so that they may be retrieved later.
- */
-int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
-                                   STACK_OF(X509) *extraCertsIn)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-
-    sk_X509_pop_free(ctx->extraCertsIn, X509_free);
-    ctx->extraCertsIn = NULL;
-    return extraCertsIn == NULL
-        || (ctx->extraCertsIn = X509_chain_up_ref(extraCertsIn)) != NULL;
-}
-
-/*
- * Copies any given stack as the new stack of X509
- * certificates to send out in the extraCerts field.
- */
-int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
-                                    STACK_OF(X509) *extraCertsOut)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    sk_X509_pop_free(ctx->extraCertsOut, X509_free);
-    ctx->extraCertsOut = NULL;
-    return extraCertsOut == NULL
-        || (ctx->extraCertsOut = X509_chain_up_ref(extraCertsOut)) != NULL;
-}
-
-/*
- * Add the given policy info object
- * to the X509_EXTENSIONS of the requested certificate template.
- */
-int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
-{
-    if (ctx == NULL || pinfo == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (ctx->policies == NULL
-            && (ctx->policies = CERTIFICATEPOLICIES_new()) == NULL)
-        return 0;
-
-    return sk_POLICYINFO_push(ctx->policies, pinfo);
-}
-
-/* Add an ITAV for geninfo of the PKI message header */
-int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
-}
-
-int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
-    ctx->geninfo_ITAVs = NULL;
-    return 1;
-}
-
-/* Add an itav for the body of outgoing general messages */
-int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav);
-}
-
-/*
- * Returns a duplicate of the stack of X509 certificates that
- * were received in the caPubs field of the last CertRepMessage.
- * Returns NULL on error
- */
-STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return X509_chain_up_ref(ctx->caPubs);
-}
-
-/*
- * Copies any given stack of certificates to the given
- * OSSL_CMP_CTX structure so that they may be retrieved later.
- */
-int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-
-    sk_X509_pop_free(ctx->caPubs, X509_free);
-    ctx->caPubs = NULL;
-    return caPubs == NULL || (ctx->caPubs = X509_chain_up_ref(caPubs)) != NULL;
-}
-
-#define char_dup OPENSSL_strdup
-#define char_free OPENSSL_free
-#define DEFINE_OSSL_CMP_CTX_set1(FIELD, TYPE) /* this uses _dup */ \
-int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \
-{ \
-    TYPE *val_dup = NULL; \
-    \
-    if (ctx == NULL) { \
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
-        return 0; \
-    } \
-    \
-    if (val != NULL && (val_dup = TYPE##_dup(val)) == NULL) \
-        return 0; \
-    TYPE##_free(ctx->FIELD); \
-    ctx->FIELD = val_dup; \
-    return 1; \
-}
-
-#define X509_invalid(cert) (!ossl_x509v3_cache_extensions(cert))
-#define EVP_PKEY_invalid(key) 0
-#define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \
-int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
-{ \
-    if (ctx == NULL) { \
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
-        return 0; \
-    } \
-    \
-    /* prevent misleading error later on malformed cert or provider issue */ \
-    if (val != NULL && TYPE##_invalid(val)) { \
-        ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
-        return 0; \
-    } \
-    if (val != NULL && !TYPE##_up_ref(val)) \
-        return 0; \
-    TYPE##_free(ctx->FIELD); \
-    ctx->FIELD = val; \
-    return 1; \
-}
-
-/*
- * Pins the server certificate to be directly trusted (even if it is expired)
- * for verifying response messages.
- * Cert pointer is not consumed. It may be NULL to clear the entry.
- */
-DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
-
-/* Set the X509 name of the recipient. Set in the PKIHeader */
-DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
-
-/* Store the X509 name of the expected sender in the PKIHeader of responses */
-DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
-
-/* Set the X509 name of the issuer. Set in the PKIHeader */
-DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
-
-/*
- * Set the subject name that will be placed in the certificate
- * request. This will be the subject name on the received certificate.
- */
-DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
-
-/* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
-int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL
-            && X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
-        return 0;
-    }
-    sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
-    ctx->reqExtensions = exts;
-    return 1;
-}
-
-/* returns 1 if ctx contains a Subject Alternative Name extension, else 0 */
-int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return -1;
-    }
-    /* if one of the following conditions 'fail' this is not an error */
-    return ctx->reqExtensions != NULL
-        && X509v3_get_ext_by_NID(ctx->reqExtensions,
-                                 NID_subject_alt_name, -1) >= 0;
-}
-
-/*
- * Add a GENERAL_NAME structure that will be added to the CRMF
- * request's extensions field to request subject alternative names.
- */
-int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
-                                      const GENERAL_NAME *name)
-{
-    GENERAL_NAME *name_dup;
-
-    if (ctx == NULL || name == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
-        return 0;
-    }
-
-    if (ctx->subjectAltNames == NULL
-            && (ctx->subjectAltNames = sk_GENERAL_NAME_new_null()) == NULL)
-        return 0;
-    if ((name_dup = GENERAL_NAME_dup(name)) == NULL)
-        return 0;
-    if (!sk_GENERAL_NAME_push(ctx->subjectAltNames, name_dup)) {
-        GENERAL_NAME_free(name_dup);
-        return 0;
-    }
-    return 1;
-}
-
-/*
- * Set our own client certificate, used for example in KUR and when
- * doing the IR with existing certificate.
- */
-DEFINE_OSSL_CMP_CTX_set1_up_ref(cert, X509)
-
-int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
-                                  STACK_OF(X509) *candidates)
-{
-    STACK_OF(X509) *chain;
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates,
-                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
-        return 0;
-
-    ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
-    chain = X509_build_chain(ctx->cert, ctx->untrusted, own_trusted, 0,
-                             ctx->libctx, ctx->propq);
-    if (chain == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN);
-        return 0;
-    }
-    ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
-    ctx->chain = chain;
-    return 1;
-}
-
-/*
- * Set the old certificate that we are updating in KUR
- * or the certificate to be revoked in RR, respectively.
- * Also used as reference cert (defaulting to cert) for deriving subject DN
- * and SANs. Its issuer is used as default recipient in the CMP message header.
- */
-DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
-
-/* Set the PKCS#10 CSR to be sent in P10CR */
-DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
-
-/*
- * Set the (newly received in IP/KUP/CP) certificate in the context.
- * This only permits for one cert to be enrolled at a time.
- */
-int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-
-    X509_free(ctx->newCert);
-    ctx->newCert = cert;
-    return 1;
-}
-
-/*
- * Get the (newly received in IP/KUP/CP) client certificate from the context
- * This only permits for one client cert to be received...
- */
-X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return ctx->newCert;
-}
-
-/* Set the client's current private key */
-DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
-
-/* Set new key pair. Used e.g. when doing Key Update */
-int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    EVP_PKEY_free(ctx->newPkey);
-    ctx->newPkey = pkey;
-    ctx->newPkey_priv = priv;
-    return 1;
-}
-
-/* Get the private/public key to use for cert enrollment, or NULL on error */
-EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    if (ctx->newPkey != NULL)
-        return priv && !ctx->newPkey_priv ? NULL : ctx->newPkey;
-    if (ctx->p10CSR != NULL)
-        return priv ? NULL : X509_REQ_get0_pubkey(ctx->p10CSR);
-    return ctx->pkey; /* may be NULL */
-}
-
-/* Set the given transactionID to the context */
-int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
-                                    const ASN1_OCTET_STRING *id)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
-}
-
-/* Set the nonce to be used for the recipNonce in the message created next */
-int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
-                                 const ASN1_OCTET_STRING *nonce)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-    return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
-}
-
-/* Stores the given nonce as the last senderNonce sent out */
-int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
-                                  const ASN1_OCTET_STRING *nonce)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
-}
-
-/* Set the proxy server to use for HTTP(S) connections */
-DEFINE_OSSL_CMP_CTX_set1(proxy, char)
-
-/* Set the (HTTP) hostname of the CMP server */
-DEFINE_OSSL_CMP_CTX_set1(server, char)
-
-/* Set the server exclusion list of the HTTP proxy server */
-DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
-
-/* Set the http connect/disconnect callback function to be used for HTTP(S) */
-int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->http_cb = cb;
-    return 1;
-}
-
-/* Set argument optionally to be used by the http connect/disconnect callback */
-int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->http_cb_arg = arg;
-    return 1;
-}
-
-/*
- * Get argument optionally to be used by the http connect/disconnect callback
- * Returns callback argument set previously (NULL if not set or on error)
- */
-void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return ctx->http_cb_arg;
-}
-
-/* Set callback function for sending CMP request and receiving response */
-int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->transfer_cb = cb;
-    return 1;
-}
-
-/* Set argument optionally to be used by the transfer callback */
-int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->transfer_cb_arg = arg;
-    return 1;
-}
-
-/*
- * Get argument optionally to be used by the transfer callback.
- * Returns callback argument set previously (NULL if not set or on error)
- */
-void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return ctx->transfer_cb_arg;
-}
-
-/** Set the HTTP server port to be used */
-int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx->serverPort = port;
-    return 1;
-}
-
-/* Set the HTTP path to be used on the server (e.g "pkix/") */
-DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
-
-/* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
-int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
-{
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-    ctx->failInfoCode = fail_info;
-    return 1;
-}
-
-/*
- * Get the failInfo error code in OSSL_CMP_CTX as bit encoding.
- * Returns bit string as integer on success, -1 on error
- */
-int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return -1;
-    }
-    return ctx->failInfoCode;
-}
-
-/* Set a Boolean or integer option of the context to the "val" arg */
-int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
-{
-    int min_val;
-
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    switch (opt) {
-    case OSSL_CMP_OPT_REVOCATION_REASON:
-        min_val = OCSP_REVOKED_STATUS_NOSTATUS;
-        break;
-    case OSSL_CMP_OPT_POPO_METHOD:
-        min_val = OSSL_CRMF_POPO_NONE;
-        break;
-    default:
-        min_val = 0;
-        break;
-    }
-    if (val < min_val) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_SMALL);
-        return 0;
-    }
-
-    switch (opt) {
-    case OSSL_CMP_OPT_LOG_VERBOSITY:
-        if (val > OSSL_CMP_LOG_MAX) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
-            return 0;
-        }
-        ctx->log_verbosity = val;
-        break;
-    case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
-        ctx->implicitConfirm = val;
-        break;
-    case OSSL_CMP_OPT_DISABLE_CONFIRM:
-        ctx->disableConfirm = val;
-        break;
-    case OSSL_CMP_OPT_UNPROTECTED_SEND:
-        ctx->unprotectedSend = val;
-        break;
-    case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
-        ctx->unprotectedErrors = val;
-        break;
-    case OSSL_CMP_OPT_VALIDITY_DAYS:
-        ctx->days = val;
-        break;
-    case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
-        ctx->SubjectAltName_nodefault = val;
-        break;
-    case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
-        ctx->setSubjectAltNameCritical = val;
-        break;
-    case OSSL_CMP_OPT_POLICIES_CRITICAL:
-        ctx->setPoliciesCritical = val;
-        break;
-    case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
-        ctx->ignore_keyusage = val;
-        break;
-    case OSSL_CMP_OPT_POPO_METHOD:
-        if (val > OSSL_CRMF_POPO_KEYAGREE) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
-            return 0;
-        }
-        ctx->popoMethod = val;
-        break;
-    case OSSL_CMP_OPT_DIGEST_ALGNID:
-        if (!cmp_ctx_set_md(ctx, &ctx->digest, val))
-            return 0;
-        break;
-    case OSSL_CMP_OPT_OWF_ALGNID:
-        if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, val))
-            return 0;
-        break;
-    case OSSL_CMP_OPT_MAC_ALGNID:
-        ctx->pbm_mac = val;
-        break;
-    case OSSL_CMP_OPT_KEEP_ALIVE:
-        ctx->keep_alive = val;
-        break;
-    case OSSL_CMP_OPT_MSG_TIMEOUT:
-        ctx->msg_timeout = val;
-        break;
-    case OSSL_CMP_OPT_TOTAL_TIMEOUT:
-        ctx->total_timeout = val;
-        break;
-    case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
-        ctx->permitTAInExtraCertsForIR = val;
-        break;
-    case OSSL_CMP_OPT_REVOCATION_REASON:
-        if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
-            return 0;
-        }
-        ctx->revocationReason = val;
-        break;
-    default:
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
-        return 0;
-    }
-
-    return 1;
-}
-
-/*
- * Reads a Boolean or integer option value from the context.
- * Returns -1 on error (which is the default OSSL_CMP_OPT_REVOCATION_REASON)
- */
-int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return -1;
-    }
-
-    switch (opt) {
-    case OSSL_CMP_OPT_LOG_VERBOSITY:
-        return ctx->log_verbosity;
-    case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
-        return ctx->implicitConfirm;
-    case OSSL_CMP_OPT_DISABLE_CONFIRM:
-        return ctx->disableConfirm;
-    case OSSL_CMP_OPT_UNPROTECTED_SEND:
-        return ctx->unprotectedSend;
-    case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
-        return ctx->unprotectedErrors;
-    case OSSL_CMP_OPT_VALIDITY_DAYS:
-        return ctx->days;
-    case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
-        return ctx->SubjectAltName_nodefault;
-    case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
-        return ctx->setSubjectAltNameCritical;
-    case OSSL_CMP_OPT_POLICIES_CRITICAL:
-        return ctx->setPoliciesCritical;
-    case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
-        return ctx->ignore_keyusage;
-    case OSSL_CMP_OPT_POPO_METHOD:
-        return ctx->popoMethod;
-    case OSSL_CMP_OPT_DIGEST_ALGNID:
-        return EVP_MD_get_type(ctx->digest);
-    case OSSL_CMP_OPT_OWF_ALGNID:
-        return EVP_MD_get_type(ctx->pbm_owf);
-    case OSSL_CMP_OPT_MAC_ALGNID:
-        return ctx->pbm_mac;
-    case OSSL_CMP_OPT_KEEP_ALIVE:
-        return ctx->keep_alive;
-    case OSSL_CMP_OPT_MSG_TIMEOUT:
-        return ctx->msg_timeout;
-    case OSSL_CMP_OPT_TOTAL_TIMEOUT:
-        return ctx->total_timeout;
-    case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
-        return ctx->permitTAInExtraCertsForIR;
-    case OSSL_CMP_OPT_REVOCATION_REASON:
-        return ctx->revocationReason;
-    default:
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
-        return -1;
-    }
-}

+ 0 - 369
libs/openssl/crypto/cmp/cmp_hdr.c

@@ -1,369 +0,0 @@
-/*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* CMP functions for PKIHeader handling */
-
-#include "cmp_local.h"
-
-#include <openssl/rand.h>
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/asn1t.h>
-#include <openssl/cmp.h>
-#include <openssl/err.h>
-
-int ossl_cmp_hdr_set_pvno(OSSL_CMP_PKIHEADER *hdr, int pvno)
-{
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-    return ASN1_INTEGER_set(hdr->pvno, pvno);
-}
-
-int ossl_cmp_hdr_get_pvno(const OSSL_CMP_PKIHEADER *hdr)
-{
-    int64_t pvno;
-
-    if (!ossl_assert(hdr != NULL))
-        return -1;
-    if (!ASN1_INTEGER_get_int64(&pvno, hdr->pvno) || pvno < 0 || pvno > INT_MAX)
-        return -1;
-    return (int)pvno;
-}
-
-int ossl_cmp_hdr_get_protection_nid(const OSSL_CMP_PKIHEADER *hdr)
-{
-    if (!ossl_assert(hdr != NULL)
-            || hdr->protectionAlg == NULL)
-        return NID_undef;
-    return OBJ_obj2nid(hdr->protectionAlg->algorithm);
-}
-
-ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_transactionID(const
-                                                   OSSL_CMP_PKIHEADER *hdr)
-{
-    if (hdr == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return hdr->transactionID;
-}
-
-ASN1_OCTET_STRING *ossl_cmp_hdr_get0_senderNonce(const OSSL_CMP_PKIHEADER *hdr)
-{
-    if (!ossl_assert(hdr != NULL))
-        return NULL;
-    return hdr->senderNonce;
-}
-
-ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr)
-{
-    if (hdr == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return hdr->recipNonce;
-}
-
-/* a NULL-DN as an empty sequence of RDNs */
-int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name)
-{
-    return name == NULL
-        || (name->type == GEN_DIRNAME && IS_NULL_DN(name->d.directoryName));
-}
-
-/* assign to *tgt a copy of src (which may be NULL to indicate an empty DN) */
-static int set1_general_name(GENERAL_NAME **tgt, const X509_NAME *src)
-{
-    GENERAL_NAME *name;
-
-    if (!ossl_assert(tgt != NULL))
-        return 0;
-    if ((name = GENERAL_NAME_new()) == NULL)
-        goto err;
-    name->type = GEN_DIRNAME;
-
-    if (src == NULL) { /* NULL-DN */
-        if ((name->d.directoryName = X509_NAME_new()) == NULL)
-            goto err;
-    } else if (!X509_NAME_set(&name->d.directoryName, src)) {
-        goto err;
-    }
-
-    GENERAL_NAME_free(*tgt);
-    *tgt = name;
-
-    return 1;
-
- err:
-    GENERAL_NAME_free(name);
-    return 0;
-}
-
-/*
- * Set the sender name in PKIHeader.
- * when nm is NULL, sender is set to an empty string
- * returns 1 on success, 0 on error
- */
-int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm)
-{
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-    return set1_general_name(&hdr->sender, nm);
-}
-
-int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm)
-{
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-    return set1_general_name(&hdr->recipient, nm);
-}
-
-int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr)
-{
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-    if (hdr->messageTime == NULL
-            && (hdr->messageTime = ASN1_GENERALIZEDTIME_new()) == NULL)
-        return 0;
-    return ASN1_GENERALIZEDTIME_set(hdr->messageTime, time(NULL)) != NULL;
-}
-
-/* assign to *tgt a random byte array of given length */
-static int set_random(ASN1_OCTET_STRING **tgt, OSSL_CMP_CTX *ctx, size_t len)
-{
-    unsigned char *bytes = OPENSSL_malloc(len);
-    int res = 0;
-
-    if (bytes == NULL || RAND_bytes_ex(ctx->libctx, bytes, len, 0) <= 0)
-        ERR_raise(ERR_LIB_CMP, CMP_R_FAILURE_OBTAINING_RANDOM);
-    else
-        res = ossl_cmp_asn1_octet_string_set1_bytes(tgt, bytes, len);
-    OPENSSL_free(bytes);
-    return res;
-}
-
-int ossl_cmp_hdr_set1_senderKID(OSSL_CMP_PKIHEADER *hdr,
-                                const ASN1_OCTET_STRING *senderKID)
-{
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-    return ossl_cmp_asn1_octet_string_set1(&hdr->senderKID, senderKID);
-}
-
-/* push the given text string to the given PKIFREETEXT ft */
-int ossl_cmp_hdr_push0_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text)
-{
-    if (!ossl_assert(hdr != NULL && text != NULL))
-        return 0;
-
-    if (hdr->freeText == NULL
-            && (hdr->freeText = sk_ASN1_UTF8STRING_new_null()) == NULL)
-        return 0;
-
-    return sk_ASN1_UTF8STRING_push(hdr->freeText, text);
-}
-
-int ossl_cmp_hdr_push1_freeText(OSSL_CMP_PKIHEADER *hdr, ASN1_UTF8STRING *text)
-{
-    if (!ossl_assert(hdr != NULL && text != NULL))
-        return 0;
-
-    if (hdr->freeText == NULL
-            && (hdr->freeText = sk_ASN1_UTF8STRING_new_null()) == NULL)
-        return 0;
-
-    return
-        ossl_cmp_sk_ASN1_UTF8STRING_push_str(hdr->freeText, (char *)text->data,
-                                             text->length);
-}
-
-int ossl_cmp_hdr_generalInfo_push0_item(OSSL_CMP_PKIHEADER *hdr,
-                                        OSSL_CMP_ITAV *itav)
-{
-    if (!ossl_assert(hdr != NULL && itav != NULL))
-        return 0;
-    return OSSL_CMP_ITAV_push0_stack_item(&hdr->generalInfo, itav);
-}
-
-int ossl_cmp_hdr_generalInfo_push1_items(OSSL_CMP_PKIHEADER *hdr,
-                                         const STACK_OF(OSSL_CMP_ITAV) *itavs)
-{
-    int i;
-    OSSL_CMP_ITAV *itav;
-
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-
-    for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
-        itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
-        if (itav == NULL)
-            return 0;
-
-        if (!ossl_cmp_hdr_generalInfo_push0_item(hdr, itav)) {
-            OSSL_CMP_ITAV_free(itav);
-            return 0;
-        }
-    }
-    return 1;
-}
-
-int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr)
-{
-    OSSL_CMP_ITAV *itav;
-    ASN1_TYPE *asn1null;
-
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-    asn1null = (ASN1_TYPE *)ASN1_NULL_new();
-    if (asn1null == NULL)
-        return 0;
-    if ((itav = OSSL_CMP_ITAV_create(OBJ_nid2obj(NID_id_it_implicitConfirm),
-                                     asn1null)) == NULL)
-        goto err;
-    if (!ossl_cmp_hdr_generalInfo_push0_item(hdr, itav))
-        goto err;
-    return 1;
-
- err:
-    ASN1_TYPE_free(asn1null);
-    OSSL_CMP_ITAV_free(itav);
-    return 0;
-}
-
-/* return 1 if implicitConfirm in the generalInfo field of the header is set */
-int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr)
-{
-    int itavCount;
-    int i;
-    OSSL_CMP_ITAV *itav;
-
-    if (!ossl_assert(hdr != NULL))
-        return 0;
-
-    itavCount = sk_OSSL_CMP_ITAV_num(hdr->generalInfo);
-    for (i = 0; i < itavCount; i++) {
-        itav = sk_OSSL_CMP_ITAV_value(hdr->generalInfo, i);
-        if (itav != NULL
-                && OBJ_obj2nid(itav->infoType) == NID_id_it_implicitConfirm)
-            return 1;
-    }
-
-    return 0;
-}
-
-/*
- * set ctx->transactionID in CMP header
- * if ctx->transactionID is NULL, a random one is created with 128 bit
- * according to section 5.1.1:
- *
- * It is RECOMMENDED that the clients fill the transactionID field with
- * 128 bits of (pseudo-) random data for the start of a transaction to
- * reduce the probability of having the transactionID in use at the server.
- */
-int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
-{
-    if (ctx->transactionID == NULL) {
-        char *tid;
-
-        if (!set_random(&ctx->transactionID, ctx,
-                        OSSL_CMP_TRANSACTIONID_LENGTH))
-            return 0;
-        tid = OPENSSL_buf2hexstr(ctx->transactionID->data,
-                                 ctx->transactionID->length);
-        if (tid != NULL)
-            ossl_cmp_log1(DEBUG, ctx,
-                          "Starting new transaction with ID=%s", tid);
-        OPENSSL_free(tid);
-    }
-
-    return ossl_cmp_asn1_octet_string_set1(&hdr->transactionID,
-                                           ctx->transactionID);
-}
-
-/* fill in all fields of the hdr according to the info given in ctx */
-int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr)
-{
-    const X509_NAME *sender;
-    const X509_NAME *rcp = NULL;
-
-    if (!ossl_assert(ctx != NULL && hdr != NULL))
-        return 0;
-
-    /* set the CMP version */
-    if (!ossl_cmp_hdr_set_pvno(hdr, OSSL_CMP_PVNO))
-        return 0;
-
-    /*
-     * If neither protection cert nor oldCert nor subject are given,
-     * sender name is not known to the client and thus set to NULL-DN
-     */
-    sender = ctx->cert != NULL ? X509_get_subject_name(ctx->cert) :
-        ctx->oldCert != NULL ? X509_get_subject_name(ctx->oldCert) :
-        ctx->subjectName;
-    if (!ossl_cmp_hdr_set1_sender(hdr, sender))
-        return 0;
-
-    /* determine recipient entry in PKIHeader */
-    if (ctx->recipient != NULL)
-        rcp = ctx->recipient;
-    else if (ctx->srvCert != NULL)
-        rcp = X509_get_subject_name(ctx->srvCert);
-    else if (ctx->issuer != NULL)
-        rcp = ctx->issuer;
-    else if (ctx->oldCert != NULL)
-        rcp = X509_get_issuer_name(ctx->oldCert);
-    else if (ctx->cert != NULL)
-        rcp = X509_get_issuer_name(ctx->cert);
-    if (!ossl_cmp_hdr_set1_recipient(hdr, rcp))
-        return 0;
-
-    /* set current time as message time */
-    if (!ossl_cmp_hdr_update_messageTime(hdr))
-        return 0;
-
-    if (ctx->recipNonce != NULL
-            && !ossl_cmp_asn1_octet_string_set1(&hdr->recipNonce,
-                                                ctx->recipNonce))
-        return 0;
-
-    if (!ossl_cmp_hdr_set_transactionID(ctx, hdr))
-        return 0;
-
-    /*-
-     * set random senderNonce
-     * according to section 5.1.1:
-     *
-     * senderNonce                  present
-     *         -- 128 (pseudo-)random bits
-     * The senderNonce and recipNonce fields protect the PKIMessage against
-     * replay attacks. The senderNonce will typically be 128 bits of
-     * (pseudo-) random data generated by the sender, whereas the recipNonce
-     * is copied from the senderNonce of the previous message in the
-     * transaction.
-     */
-    if (!set_random(&hdr->senderNonce, ctx, OSSL_CMP_SENDERNONCE_LENGTH))
-        return 0;
-
-    /* store senderNonce - for cmp with recipNonce in next outgoing msg */
-    if (!OSSL_CMP_CTX_set1_senderNonce(ctx, hdr->senderNonce))
-        return 0;
-
-    /*-
-     * freeText                [7] PKIFreeText OPTIONAL,
-     * -- this may be used to indicate context-specific instructions
-     * -- (this field is intended for human consumption)
-     */
-    if (ctx->freeText != NULL
-            && !ossl_cmp_hdr_push1_freeText(hdr, ctx->freeText))
-        return 0;
-
-    return 1;
-}

+ 0 - 105
libs/openssl/crypto/cmp/cmp_http.c

@@ -1,105 +0,0 @@
-/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/http.h>
-#include "internal/sockets.h"
-
-#include <openssl/cmp.h>
-#include "cmp_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <ctype.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <openssl/bio.h>
-#include <openssl/buffer.h>
-#include <openssl/err.h>
-
-static int keep_alive(int keep_alive, int body_type)
-{
-    if (keep_alive != 0
-        /*
-         * Ask for persistent connection only if may need more round trips.
-         * Do so even with disableConfirm because polling might be needed.
-         */
-            && body_type != OSSL_CMP_PKIBODY_IR
-            && body_type != OSSL_CMP_PKIBODY_CR
-            && body_type != OSSL_CMP_PKIBODY_P10CR
-            && body_type != OSSL_CMP_PKIBODY_KUR
-            && body_type != OSSL_CMP_PKIBODY_POLLREQ)
-        keep_alive = 0;
-    return keep_alive;
-}
-
-/*
- * Send the PKIMessage req and on success return the response, else NULL.
- * Any previous error queue entries will likely be removed by ERR_clear_error().
- */
-OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
-                                        const OSSL_CMP_MSG *req)
-{
-    char server_port[32] = { '\0' };
-    STACK_OF(CONF_VALUE) *headers = NULL;
-    const char content_type_pkix[] = "application/pkixcmp";
-    int tls_used;
-    const ASN1_ITEM *it = ASN1_ITEM_rptr(OSSL_CMP_MSG);
-    BIO *req_mem, *rsp;
-    OSSL_CMP_MSG *res = NULL;
-
-    if (ctx == NULL || req == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    if (!X509V3_add_value("Pragma", "no-cache", &headers))
-        return NULL;
-    if ((req_mem = ASN1_item_i2d_mem_bio(it, (const ASN1_VALUE *)req)) == NULL)
-        goto err;
-
-    if (ctx->serverPort != 0)
-        BIO_snprintf(server_port, sizeof(server_port), "%d", ctx->serverPort);
-    tls_used = OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL;
-    if (ctx->http_ctx == NULL)
-        ossl_cmp_log3(DEBUG, ctx, "connecting to CMP server %s:%s%s",
-                      ctx->server, server_port, tls_used ? " using TLS" : "");
-
-    rsp = OSSL_HTTP_transfer(&ctx->http_ctx, ctx->server, server_port,
-                             ctx->serverPath, tls_used,
-                             ctx->proxy, ctx->no_proxy,
-                             NULL /* bio */, NULL /* rbio */,
-                             ctx->http_cb, OSSL_CMP_CTX_get_http_cb_arg(ctx),
-                             0 /* buf_size */, headers,
-                             content_type_pkix, req_mem,
-                             content_type_pkix, 1 /* expect_asn1 */,
-                             OSSL_HTTP_DEFAULT_MAX_RESP_LEN,
-                             ctx->msg_timeout,
-                             keep_alive(ctx->keep_alive, req->body->type));
-    BIO_free(req_mem);
-    res = (OSSL_CMP_MSG *)ASN1_item_d2i_bio(it, rsp, NULL);
-    BIO_free(rsp);
-
-    if (ctx->http_ctx == NULL)
-        ossl_cmp_debug(ctx, "disconnected from CMP server");
-    /*
-     * Note that on normal successful end of the transaction the connection
-     * is not closed at this level, but this will be done by the CMP client
-     * application via OSSL_CMP_CTX_free() or OSSL_CMP_CTX_reinit().
-     */
-    if (res != NULL)
-        ossl_cmp_debug(ctx, "finished reading response from CMP server");
- err:
-    sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
-    return res;
-}

+ 0 - 1170
libs/openssl/crypto/cmp/cmp_msg.c

@@ -1,1170 +0,0 @@
-/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* CMP functions for PKIMessage construction */
-
-#include "cmp_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/asn1t.h>
-#include <openssl/cmp.h>
-#include <openssl/crmf.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-
-OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq)
-{
-    OSSL_CMP_MSG *msg = NULL;
-
-    msg = (OSSL_CMP_MSG *)ASN1_item_new_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG),
-                                           libctx, propq);
-    if (!ossl_cmp_msg_set0_libctx(msg, libctx, propq)) {
-        OSSL_CMP_MSG_free(msg);
-        msg = NULL;
-    }
-    return msg;
-}
-
-void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg)
-{
-    ASN1_item_free((ASN1_VALUE *)msg, ASN1_ITEM_rptr(OSSL_CMP_MSG));
-}
-
-/*
- * This should only be used if the X509 object was embedded inside another
- * asn1 object and it needs a libctx to operate.
- * Use OSSL_CMP_MSG_new() instead if possible.
- */
-int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
-                             const char *propq)
-{
-    if (msg != NULL) {
-        msg->libctx = libctx;
-        OPENSSL_free(msg->propq);
-        msg->propq = NULL;
-        if (propq != NULL) {
-            msg->propq = OPENSSL_strdup(propq);
-            if (msg->propq == NULL)
-                return 0;
-        }
-    }
-    return 1;
-}
-
-
-OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
-{
-    if (msg == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return msg->header;
-}
-
-const char *ossl_cmp_bodytype_to_string(int type)
-{
-    static const char *type_names[] = {
-        "IR", "IP", "CR", "CP", "P10CR",
-        "POPDECC", "POPDECR", "KUR", "KUP",
-        "KRR", "KRP", "RR", "RP", "CCR", "CCP",
-        "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
-        "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
-    };
-
-    if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
-        return "illegal body type";
-    return type_names[type];
-}
-
-int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
-{
-    if (!ossl_assert(msg != NULL && msg->body != NULL))
-        return 0;
-
-    msg->body->type = type;
-    return 1;
-}
-
-int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg)
-{
-    if (!ossl_assert(msg != NULL && msg->body != NULL))
-        return -1;
-
-    return msg->body->type;
-}
-
-/* Add an extension to the referenced extension stack, which may be NULL */
-static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
-{
-    X509_EXTENSION *ext;
-    int res;
-
-    if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
-        return 0;
-
-    if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
-        return 0;
-
-    res = X509v3_add_ext(pexts, ext, 0) != NULL;
-    X509_EXTENSION_free(ext);
-    return res;
-}
-
-/* Add extension list to the referenced extension stack, which may be NULL */
-static int add_extensions(STACK_OF(X509_EXTENSION) **target,
-                          const STACK_OF(X509_EXTENSION) *exts)
-{
-    int i;
-
-    if (target == NULL)
-        return 0;
-
-    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-        X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
-        ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
-        int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
-
-        /* Does extension exist in target? */
-        if (idx != -1) {
-            /* Delete all extensions of same type */
-            do {
-                X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
-                idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
-            } while (idx != -1);
-        }
-        if (!X509v3_add_ext(target, ext, -1))
-            return 0;
-    }
-    return 1;
-}
-
-/* Add a CRL revocation reason code to extension stack, which may be NULL */
-static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
-{
-    ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
-    int res = 0;
-
-    if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
-        res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
-    ASN1_ENUMERATED_free(val);
-    return res;
-}
-
-OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
-{
-    OSSL_CMP_MSG *msg = NULL;
-
-    if (!ossl_assert(ctx != NULL))
-        return NULL;
-
-    if ((msg = OSSL_CMP_MSG_new(ctx->libctx, ctx->propq)) == NULL)
-        return NULL;
-    if (!ossl_cmp_hdr_init(ctx, msg->header)
-            || !ossl_cmp_msg_set_bodytype(msg, bodytype))
-        goto err;
-    if (ctx->geninfo_ITAVs != NULL
-            && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
-                                                     ctx->geninfo_ITAVs))
-        goto err;
-
-    switch (bodytype) {
-    case OSSL_CMP_PKIBODY_IR:
-    case OSSL_CMP_PKIBODY_CR:
-    case OSSL_CMP_PKIBODY_KUR:
-        if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
-            goto err;
-        return msg;
-
-    case OSSL_CMP_PKIBODY_P10CR:
-        if (ctx->p10CSR == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_P10CSR);
-            goto err;
-        }
-        if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
-            goto err;
-        return msg;
-
-    case OSSL_CMP_PKIBODY_IP:
-    case OSSL_CMP_PKIBODY_CP:
-    case OSSL_CMP_PKIBODY_KUP:
-        if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
-            goto err;
-        return msg;
-
-    case OSSL_CMP_PKIBODY_RR:
-        if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
-            goto err;
-        return msg;
-    case OSSL_CMP_PKIBODY_RP:
-        if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
-            goto err;
-        return msg;
-
-    case OSSL_CMP_PKIBODY_CERTCONF:
-        if ((msg->body->value.certConf =
-             sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
-            goto err;
-        return msg;
-    case OSSL_CMP_PKIBODY_PKICONF:
-        if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
-            goto err;
-        ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
-        return msg;
-
-    case OSSL_CMP_PKIBODY_POLLREQ:
-        if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
-            goto err;
-        return msg;
-    case OSSL_CMP_PKIBODY_POLLREP:
-        if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
-            goto err;
-        return msg;
-
-    case OSSL_CMP_PKIBODY_GENM:
-    case OSSL_CMP_PKIBODY_GENP:
-        if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
-            goto err;
-        return msg;
-
-    case OSSL_CMP_PKIBODY_ERROR:
-        if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
-            goto err;
-        return msg;
-
-    default:
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        goto err;
-    }
-
- err:
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-#define HAS_SAN(ctx) \
-    (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
-         || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
-
-static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, int for_KUR,
-                                       const X509_NAME *ref_subj)
-{
-    if (ctx->subjectName != NULL)
-        return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName;
-    if (ctx->p10CSR != NULL) /* first default is from any given CSR */
-        return X509_REQ_get_subject_name(ctx->p10CSR);
-    if (for_KUR || !HAS_SAN(ctx))
-        /*
-         * For KUR, copy subject from any reference cert as fallback.
-         * For IR or CR, do the same only if there is no subjectAltName.
-         */
-        return ref_subj;
-    return NULL;
-}
-
-OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
-{
-    OSSL_CRMF_MSG *crm = NULL;
-    X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
-    /* refcert defaults to current client cert */
-    EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
-    STACK_OF(GENERAL_NAME) *default_sans = NULL;
-    const X509_NAME *ref_subj =
-        refcert != NULL ? X509_get_subject_name(refcert) : NULL;
-    const X509_NAME *subject = determine_subj(ctx, for_KUR, ref_subj);
-    const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
-        ? (IS_NULL_DN(ctx->issuer) ? NULL : ctx->issuer)
-        : X509_get_issuer_name(refcert);
-    int crit = ctx->setSubjectAltNameCritical || subject == NULL;
-    /* RFC5280: subjectAltName MUST be critical if subject is null */
-    X509_EXTENSIONS *exts = NULL;
-
-    if (rkey == NULL && ctx->p10CSR != NULL)
-        rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
-    if (rkey == NULL && refcert != NULL)
-        rkey = X509_get0_pubkey(refcert);
-    if (rkey == NULL)
-        rkey = ctx->pkey; /* default is independent of ctx->oldCert */
-    if (rkey == NULL) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-#endif
-    }
-    if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
-        return NULL;
-    }
-    if ((crm = OSSL_CRMF_MSG_new()) == NULL)
-        return NULL;
-    if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
-            /*
-             * fill certTemplate, corresponding to CertificationRequestInfo
-             * of PKCS#10. The rkey param cannot be NULL so far -
-             * it could be NULL if centralized key creation was supported
-             */
-            || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
-                                            subject, issuer, NULL /* serial */))
-        goto err;
-    if (ctx->days != 0) {
-        time_t now = time(NULL);
-        ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
-        ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
-
-        if (notBefore == NULL
-                || notAfter == NULL
-                || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
-            ASN1_TIME_free(notBefore);
-            ASN1_TIME_free(notAfter);
-            goto err;
-        }
-    }
-
-    /* extensions */
-    if (ctx->p10CSR != NULL
-            && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
-        goto err;
-    if (!ctx->SubjectAltName_nodefault && !HAS_SAN(ctx) && refcert != NULL
-            && (default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
-                                              NID_subject_alt_name, NULL, NULL))
-            != NULL
-            && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
-        goto err;
-    if (ctx->reqExtensions != NULL /* augment/override existing ones */
-            && !add_extensions(&exts, ctx->reqExtensions))
-        goto err;
-    if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
-            && !add1_extension(&exts, NID_subject_alt_name,
-                               crit, ctx->subjectAltNames))
-        goto err;
-    if (ctx->policies != NULL
-            && !add1_extension(&exts, NID_certificate_policies,
-                               ctx->setPoliciesCritical, ctx->policies))
-        goto err;
-    if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
-        goto err;
-    exts = NULL;
-    /* end fill certTemplate, now set any controls */
-
-    /* for KUR, set OldCertId according to D.6 */
-    if (for_KUR && refcert != NULL) {
-        OSSL_CRMF_CERTID *cid =
-            OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
-                                 X509_get0_serialNumber(refcert));
-        int ret;
-
-        if (cid == NULL)
-            goto err;
-        ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
-        OSSL_CRMF_CERTID_free(cid);
-        if (ret == 0)
-            goto err;
-    }
-
-    goto end;
-
- err:
-    OSSL_CRMF_MSG_free(crm);
-    crm = NULL;
-
- end:
-    sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
-    sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
-    return crm;
-}
-
-OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
-                                   const OSSL_CRMF_MSG *crm)
-{
-    OSSL_CMP_MSG *msg;
-    OSSL_CRMF_MSG *local_crm = NULL;
-
-    if (!ossl_assert(ctx != NULL))
-        return NULL;
-
-    if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
-            && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
-        return NULL;
-    }
-    if (type == OSSL_CMP_PKIBODY_P10CR && crm != NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
-        return NULL;
-    }
-
-    if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
-        goto err;
-
-    /* header */
-    if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
-        goto err;
-
-    /* body */
-    /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
-    if (type != OSSL_CMP_PKIBODY_P10CR) {
-        EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
-
-        /*
-         * privkey is NULL in case ctx->newPkey does not include a private key.
-         * We then may try to use ctx->pkey as fallback/default, but only
-         * if ctx-> newPkey does not include a (non-matching) public key:
-         */
-        if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
-            privkey = ctx->pkey; /* default is independent of ctx->oldCert */
-        if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
-            goto err;
-        }
-        if (crm == NULL) {
-            local_crm = OSSL_CMP_CTX_setup_CRM(ctx,
-                                               type == OSSL_CMP_PKIBODY_KUR,
-                                               OSSL_CMP_CERTREQID);
-            if (local_crm == NULL
-                || !OSSL_CRMF_MSG_create_popo(ctx->popoMethod, local_crm,
-                                              privkey, ctx->digest,
-                                              ctx->libctx, ctx->propq))
-                goto err;
-        } else {
-            if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
-                goto err;
-        }
-
-        /* value.ir is same for cr and kur */
-        if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
-            goto err;
-        local_crm = NULL;
-    }
-
-    if (!ossl_cmp_msg_protect(ctx, msg))
-        goto err;
-
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREQ);
-    OSSL_CRMF_MSG_free(local_crm);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
-                                   int certReqId, const OSSL_CMP_PKISI *si,
-                                   X509 *cert, const X509 *encryption_recip,
-                                   STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
-                                   int unprotectedErrors)
-{
-    OSSL_CMP_MSG *msg = NULL;
-    OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
-    OSSL_CMP_CERTRESPONSE *resp = NULL;
-    int status = OSSL_CMP_PKISTATUS_unspecified;
-
-    if (!ossl_assert(ctx != NULL && si != NULL))
-        return NULL;
-
-    if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
-        goto err;
-    repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
-
-    /* header */
-    if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
-        goto err;
-
-    /* body */
-    if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
-        goto err;
-    OSSL_CMP_PKISI_free(resp->status);
-    if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
-            || !ASN1_INTEGER_set(resp->certReqId, certReqId))
-        goto err;
-
-    status = ossl_cmp_pkisi_get_status(resp->status);
-    if (status != OSSL_CMP_PKISTATUS_rejection
-            && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
-        if (encryption_recip != NULL) {
-            ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED);
-            goto err;
-        }
-
-        if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
-            == NULL)
-            goto err;
-        resp->certifiedKeyPair->certOrEncCert->type =
-            OSSL_CMP_CERTORENCCERT_CERTIFICATE;
-        if (!X509_up_ref(cert))
-            goto err;
-        resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
-    }
-
-    if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
-        goto err;
-    resp = NULL;
-
-    if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
-            && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
-        goto err;
-    if (sk_X509_num(chain) > 0
-        && !ossl_x509_add_certs_new(&msg->extraCerts, chain,
-                                    X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
-        goto err;
-
-    if (!unprotectedErrors
-            || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
-        if (!ossl_cmp_msg_protect(ctx, msg))
-            goto err;
-
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
-    OSSL_CMP_CERTRESPONSE_free(resp);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
-{
-    OSSL_CMP_MSG *msg = NULL;
-    OSSL_CMP_REVDETAILS *rd;
-    int ret;
-
-    if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
-                                     || ctx->p10CSR != NULL)))
-        return NULL;
-
-    if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
-        goto err;
-
-    /* Fill the template from the contents of the certificate to be revoked */
-    ret = ctx->oldCert != NULL
-    ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
-                                  NULL /* pubkey would be redundant */,
-                                  NULL /* subject would be redundant */,
-                                  X509_get_issuer_name(ctx->oldCert),
-                                  X509_get0_serialNumber(ctx->oldCert))
-    : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
-                                  X509_REQ_get0_pubkey(ctx->p10CSR),
-                                  X509_REQ_get_subject_name(ctx->p10CSR),
-                                  NULL, NULL);
-    if (!ret)
-        goto err;
-
-    /* revocation reason code is optional */
-    if (ctx->revocationReason != CRL_REASON_NONE
-            && !add_crl_reason_extension(&rd->crlEntryDetails,
-                                         ctx->revocationReason))
-        goto err;
-
-    if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
-        goto err;
-
-    if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
-        goto err;
-    rd = NULL;
-    /* Revocation Passphrase according to section 5.3.19.9 could be set here */
-
-    if (!ossl_cmp_msg_protect(ctx, msg))
-        goto err;
-
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
-    OSSL_CMP_MSG_free(msg);
-    OSSL_CMP_REVDETAILS_free(rd);
-    return NULL;
-}
-
-OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
-                              const OSSL_CRMF_CERTID *cid, int unprotectedErrors)
-{
-    OSSL_CMP_REVREPCONTENT *rep = NULL;
-    OSSL_CMP_PKISI *si1 = NULL;
-    OSSL_CRMF_CERTID *cid_copy = NULL;
-    OSSL_CMP_MSG *msg = NULL;
-
-    if (!ossl_assert(ctx != NULL && si != NULL))
-        return NULL;
-
-    if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
-        goto err;
-    rep = msg->body->value.rp;
-
-    if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
-        goto err;
-
-    if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
-        OSSL_CMP_PKISI_free(si1);
-        goto err;
-    }
-
-    if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
-        goto err;
-    if (cid != NULL) {
-        if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
-            goto err;
-        if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
-            OSSL_CRMF_CERTID_free(cid_copy);
-            goto err;
-        }
-    }
-
-    if (!unprotectedErrors
-            || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
-        if (!ossl_cmp_msg_protect(ctx, msg))
-            goto err;
-
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RP);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
-{
-    OSSL_CMP_MSG *msg;
-
-    if (!ossl_assert(ctx != NULL))
-        return NULL;
-
-    if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
-        goto err;
-    if (ossl_cmp_msg_protect(ctx, msg))
-        return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
-{
-    int bodytype;
-
-    if (!ossl_assert(msg != NULL && itav != NULL))
-        return 0;
-
-    bodytype = OSSL_CMP_MSG_get_bodytype(msg);
-    if (bodytype != OSSL_CMP_PKIBODY_GENM
-            && bodytype != OSSL_CMP_PKIBODY_GENP) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
-        return 0;
-    }
-
-    /* value.genp has the same structure, so this works for genp as well */
-    return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
-}
-
-int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
-                                 const STACK_OF(OSSL_CMP_ITAV) *itavs)
-{
-    int i;
-    OSSL_CMP_ITAV *itav = NULL;
-
-    if (!ossl_assert(msg != NULL))
-        return 0;
-
-    for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
-        itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
-        if (itav == NULL
-                || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
-            OSSL_CMP_ITAV_free(itav);
-            return 0;
-        }
-    }
-    return 1;
-}
-
-/*
- * Creates a new General Message/Response with an empty itav stack
- * returns a pointer to the PKIMessage on success, NULL on error
- */
-static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
-                             const STACK_OF(OSSL_CMP_ITAV) *itavs,
-                             int body_type, int err_code)
-{
-    OSSL_CMP_MSG *msg = NULL;
-
-    if (!ossl_assert(ctx != NULL))
-        return NULL;
-
-    if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
-        return NULL;
-
-    if (itavs != NULL && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
-        goto err;
-
-    if (!ossl_cmp_msg_protect(ctx, msg))
-        goto err;
-
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, err_code);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
-{
-    return gen_new(ctx, ctx->genm_ITAVs,
-                   OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
-}
-
-OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
-                                const STACK_OF(OSSL_CMP_ITAV) *itavs)
-{
-    return gen_new(ctx, itavs,
-                   OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
-}
-
-OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
-                                 int64_t errorCode, const char *details,
-                                 int unprotected)
-{
-    OSSL_CMP_MSG *msg = NULL;
-    const char *lib = NULL, *reason = NULL;
-    OSSL_CMP_PKIFREETEXT *ft;
-
-    if (!ossl_assert(ctx != NULL && si != NULL))
-        return NULL;
-
-    if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
-        goto err;
-
-    OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
-    if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
-        == NULL)
-        goto err;
-    if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
-        goto err;
-    if (!ASN1_INTEGER_set_int64(msg->body->value.error->errorCode, errorCode))
-        goto err;
-    if (errorCode > 0
-            && (uint64_t)errorCode < ((uint64_t)ERR_SYSTEM_FLAG << 1)) {
-        lib = ERR_lib_error_string((unsigned long)errorCode);
-        reason = ERR_reason_error_string((unsigned long)errorCode);
-    }
-    if (lib != NULL || reason != NULL || details != NULL) {
-        if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
-            goto err;
-        msg->body->value.error->errorDetails = ft;
-        if (lib != NULL && *lib != '\0'
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
-            goto err;
-        if (reason != NULL && *reason != '\0'
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
-            goto err;
-        if (details != NULL
-                && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
-            goto err;
-    }
-
-    if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
-        goto err;
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_ERROR);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-/*
- * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
- * This is used in the certConf message, for example,
- * to confirm that the certificate was received successfully.
- */
-int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
-                                      ASN1_OCTET_STRING *hash)
-{
-    if (!ossl_assert(certStatus != NULL))
-        return 0;
-    ASN1_OCTET_STRING_free(certStatus->certHash);
-    certStatus->certHash = hash;
-    return 1;
-}
-
-OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
-                                    const char *text)
-{
-    OSSL_CMP_MSG *msg = NULL;
-    OSSL_CMP_CERTSTATUS *certStatus = NULL;
-    ASN1_OCTET_STRING *certHash = NULL;
-    OSSL_CMP_PKISI *sinfo;
-
-    if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
-        return NULL;
-
-    if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_FAIL_INFO_OUT_OF_RANGE);
-        return NULL;
-    }
-
-    if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
-        goto err;
-
-    if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
-        goto err;
-    /* consume certStatus into msg right away so it gets deallocated with msg */
-    if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
-        goto err;
-    /* set the ID of the certReq */
-    if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
-        goto err;
-    /*
-     * The hash of the certificate, using the same hash algorithm
-     * as is used to create and verify the certificate signature.
-     * If not available, a default hash algorithm is used.
-     */
-    if ((certHash = X509_digest_sig(ctx->newCert, NULL, NULL)) == NULL)
-        goto err;
-
-    if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
-        goto err;
-    certHash = NULL;
-    /*
-     * For any particular CertStatus, omission of the statusInfo field
-     * indicates ACCEPTANCE of the specified certificate.  Alternatively,
-     * explicit status details (with respect to acceptance or rejection) MAY
-     * be provided in the statusInfo field, perhaps for auditing purposes at
-     * the CA/RA.
-     */
-    sinfo = fail_info != 0 ?
-        OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
-        OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
-    if (sinfo == NULL)
-        goto err;
-    certStatus->statusInfo = sinfo;
-
-    if (!ossl_cmp_msg_protect(ctx, msg))
-        goto err;
-
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTCONF);
-    OSSL_CMP_MSG_free(msg);
-    ASN1_OCTET_STRING_free(certHash);
-    return NULL;
-}
-
-OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
-{
-    OSSL_CMP_MSG *msg = NULL;
-    OSSL_CMP_POLLREQ *preq = NULL;
-
-    if (!ossl_assert(ctx != NULL))
-        return NULL;
-
-    if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
-        goto err;
-
-    if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
-            || !ASN1_INTEGER_set(preq->certReqId, crid)
-            || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
-        goto err;
-
-    preq = NULL;
-    if (!ossl_cmp_msg_protect(ctx, msg))
-        goto err;
-
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREQ);
-    OSSL_CMP_POLLREQ_free(preq);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
-                                   int64_t poll_after)
-{
-    OSSL_CMP_MSG *msg;
-    OSSL_CMP_POLLREP *prep;
-
-    if (!ossl_assert(ctx != NULL))
-        return NULL;
-
-    if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
-        goto err;
-    if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
-        goto err;
-    if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
-        goto err;
-    if (!ASN1_INTEGER_set(prep->certReqId, crid))
-        goto err;
-    if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
-        goto err;
-
-    if (!ossl_cmp_msg_protect(ctx, msg))
-        goto err;
-    return msg;
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
-    OSSL_CMP_MSG_free(msg);
-    return NULL;
-}
-
-/*-
- * returns the status field of the RevRepContent with the given
- * request/sequence id inside a revocation response.
- * RevRepContent has the revocation statuses in same order as they were sent in
- * RevReqContent.
- * returns NULL on error
- */
-OSSL_CMP_PKISI *
-ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
-{
-    OSSL_CMP_PKISI *status;
-
-    if (!ossl_assert(rrep != NULL))
-        return NULL;
-
-    if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
-        return status;
-
-    ERR_raise(ERR_LIB_CMP, CMP_R_PKISTATUSINFO_NOT_FOUND);
-    return NULL;
-}
-
-/*
- * returns the CertId field in the revCerts part of the RevRepContent
- * with the given request/sequence id inside a revocation response.
- * RevRepContent has the CertIds in same order as they were sent in
- * RevReqContent.
- * returns NULL on error
- */
-OSSL_CRMF_CERTID *
-ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
-{
-    OSSL_CRMF_CERTID *cid = NULL;
-
-    if (!ossl_assert(rrep != NULL))
-        return NULL;
-
-    if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
-        return cid;
-
-    ERR_raise(ERR_LIB_CMP, CMP_R_CERTID_NOT_FOUND);
-    return NULL;
-}
-
-static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
-{
-    int trid;
-
-    if (rid == -1)
-        return 1;
-
-    trid = ossl_cmp_asn1_get_int(certReqId);
-
-    if (trid == -1) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
-        return 0;
-    }
-    return rid == trid;
-}
-
-/*
- * returns a pointer to the PollResponse with the given CertReqId
- * (or the first one in case -1) inside a PollRepContent
- * returns NULL on error or if no suitable PollResponse available
- */
-OSSL_CMP_POLLREP *
-ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
-                                     int rid)
-{
-    OSSL_CMP_POLLREP *pollRep = NULL;
-    int i;
-
-    if (!ossl_assert(prc != NULL))
-        return NULL;
-
-    for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
-        pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
-        if (suitable_rid(pollRep->certReqId, rid))
-            return pollRep;
-    }
-
-    ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
-                   "expected certReqId = %d", rid);
-    return NULL;
-}
-
-/*
- * returns a pointer to the CertResponse with the given CertReqId
- * (or the first one in case -1) inside a CertRepMessage
- * returns NULL on error or if no suitable CertResponse available
- */
-OSSL_CMP_CERTRESPONSE *
-ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
-                                          int rid)
-{
-    OSSL_CMP_CERTRESPONSE *crep = NULL;
-    int i;
-
-    if (!ossl_assert(crm != NULL && crm->response != NULL))
-        return NULL;
-
-    for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
-        crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
-        if (suitable_rid(crep->certReqId, rid))
-            return crep;
-    }
-
-    ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
-                   "expected certReqId = %d", rid);
-    return NULL;
-}
-
-/*-
- * Retrieve the newly enrolled certificate from the given certResponse crep.
- * In case of indirect POPO uses the libctx and propq from ctx and private key.
- * Returns a pointer to a copy of the found certificate, or NULL if not found.
- */
-X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
-                                      const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey)
-{
-    OSSL_CMP_CERTORENCCERT *coec;
-    X509 *crt = NULL;
-
-    if (!ossl_assert(crep != NULL && ctx != NULL))
-        return NULL;
-
-    if (crep->certifiedKeyPair
-            && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
-        switch (coec->type) {
-        case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
-            crt = X509_dup(coec->value.certificate);
-            break;
-        case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
-            /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
-            if (pkey == NULL) {
-                ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
-                return NULL;
-            }
-            crt =
-                OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
-                                                      ctx->libctx, ctx->propq,
-                                                      pkey);
-            break;
-        default:
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE);
-            return NULL;
-        }
-    }
-    if (crt == NULL)
-        ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
-    else
-        (void)ossl_x509_set0_libctx(crt, ctx->libctx, ctx->propq);
-    return crt;
-}
-
-int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
-{
-    if (ctx == NULL || msg == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
-        return 0;
-    return msg->header->protectionAlg == NULL
-            || ossl_cmp_msg_protect(ctx, msg);
-}
-
-OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
-                                const char *propq)
-{
-    OSSL_CMP_MSG *msg;
-    BIO *bio = NULL;
-
-    if (file == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    msg = OSSL_CMP_MSG_new(libctx, propq);
-    if (msg == NULL){
-        ERR_raise(ERR_LIB_CMP, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    if ((bio = BIO_new_file(file, "rb")) == NULL
-            || d2i_OSSL_CMP_MSG_bio(bio, &msg) == NULL) {
-        OSSL_CMP_MSG_free(msg);
-        msg = NULL;
-    }
-    BIO_free(bio);
-    return msg;
-}
-
-int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
-{
-    BIO *bio;
-    int res;
-
-    if (file == NULL || msg == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return -1;
-    }
-
-    bio = BIO_new_file(file, "wb");
-    if (bio == NULL)
-        return -2;
-    res = i2d_OSSL_CMP_MSG_bio(bio, msg);
-    BIO_free(bio);
-    return res;
-}
-
-OSSL_CMP_MSG *d2i_OSSL_CMP_MSG(OSSL_CMP_MSG **msg, const unsigned char **in,
-                               long len)
-{
-    OSSL_LIB_CTX *libctx = NULL;
-    const char *propq = NULL;
-
-    if (msg != NULL && *msg != NULL) {
-        libctx  = (*msg)->libctx;
-        propq = (*msg)->propq;
-    }
-
-    return (OSSL_CMP_MSG *)ASN1_item_d2i_ex((ASN1_VALUE **)msg, in, len,
-                                            ASN1_ITEM_rptr(OSSL_CMP_MSG),
-                                            libctx, propq);
-}
-
-int i2d_OSSL_CMP_MSG(const OSSL_CMP_MSG *msg, unsigned char **out)
-{
-    return ASN1_item_i2d((const ASN1_VALUE *)msg, out,
-                         ASN1_ITEM_rptr(OSSL_CMP_MSG));
-}
-
-OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
-{
-    OSSL_LIB_CTX *libctx = NULL;
-    const char *propq = NULL;
-
-    if (msg != NULL && *msg != NULL) {
-        libctx  = (*msg)->libctx;
-        propq = (*msg)->propq;
-    }
-
-    return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG), bio, msg, libctx,
-                                propq);
-}
-
-int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
-{
-    return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
-}

+ 0 - 332
libs/openssl/crypto/cmp/cmp_protect.c

@@ -1,332 +0,0 @@
-/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "cmp_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/asn1t.h>
-#include <openssl/cmp.h>
-#include <openssl/crmf.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-
-/*
- * This function is also used by the internal verify_PBMAC() in cmp_vfy.c.
- *
- * Calculate protection for given PKImessage according to
- * the algorithm and parameters in the message header's protectionAlg
- * using the credentials, library context, and property criteria in the ctx.
- *
- * returns ASN1_BIT_STRING representing the protection on success, else NULL
- */
-ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
-                                          const OSSL_CMP_MSG *msg)
-{
-    ASN1_BIT_STRING *prot = NULL;
-    OSSL_CMP_PROTECTEDPART prot_part;
-    const ASN1_OBJECT *algorOID = NULL;
-    const void *ppval = NULL;
-    int pptype = 0;
-
-    if (!ossl_assert(ctx != NULL && msg != NULL))
-        return NULL;
-
-    /* construct data to be signed */
-    prot_part.header = msg->header;
-    prot_part.body = msg->body;
-
-    if (msg->header->protectionAlg == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_ALGORITHM_ID);
-        return NULL;
-    }
-    X509_ALGOR_get0(&algorOID, &pptype, &ppval, msg->header->protectionAlg);
-
-    if (OBJ_obj2nid(algorOID) == NID_id_PasswordBasedMAC) {
-        int len;
-        size_t prot_part_der_len;
-        unsigned char *prot_part_der = NULL;
-        size_t sig_len;
-        unsigned char *protection = NULL;
-        OSSL_CRMF_PBMPARAMETER *pbm = NULL;
-        ASN1_STRING *pbm_str = NULL;
-        const unsigned char *pbm_str_uc = NULL;
-
-        if (ctx->secretValue == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PBM_SECRET);
-            return NULL;
-        }
-        if (ppval == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CALCULATING_PROTECTION);
-            return NULL;
-        }
-
-        len = i2d_OSSL_CMP_PROTECTEDPART(&prot_part, &prot_part_der);
-        if (len < 0 || prot_part_der == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CALCULATING_PROTECTION);
-            goto end;
-        }
-        prot_part_der_len = (size_t)len;
-
-        pbm_str = (ASN1_STRING *)ppval;
-        pbm_str_uc = pbm_str->data;
-        pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, pbm_str->length);
-        if (pbm == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_ALGORITHM_OID);
-            goto end;
-        }
-
-        if (!OSSL_CRMF_pbm_new(ctx->libctx, ctx->propq,
-                               pbm, prot_part_der, prot_part_der_len,
-                               ctx->secretValue->data, ctx->secretValue->length,
-                               &protection, &sig_len))
-            goto end;
-
-        if ((prot = ASN1_BIT_STRING_new()) == NULL)
-            goto end;
-        /* OpenSSL defaults all bit strings to be encoded as ASN.1 NamedBitList */
-        prot->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
-        prot->flags |= ASN1_STRING_FLAG_BITS_LEFT;
-        if (!ASN1_BIT_STRING_set(prot, protection, sig_len)) {
-            ASN1_BIT_STRING_free(prot);
-            prot = NULL;
-        }
-    end:
-        OSSL_CRMF_PBMPARAMETER_free(pbm);
-        OPENSSL_free(protection);
-        OPENSSL_free(prot_part_der);
-        return prot;
-    } else {
-        int md_nid;
-        const EVP_MD *md = NULL;
-
-        if (ctx->pkey == NULL) {
-            ERR_raise(ERR_LIB_CMP,
-                      CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);
-            return NULL;
-        }
-        if (!OBJ_find_sigid_algs(OBJ_obj2nid(algorOID), &md_nid, NULL)
-                || (md = EVP_get_digestbynid(md_nid)) == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_ALGORITHM_ID);
-            return NULL;
-        }
-
-        if ((prot = ASN1_BIT_STRING_new()) == NULL)
-            return NULL;
-        if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART), NULL,
-                              NULL, prot, &prot_part, NULL, ctx->pkey, md,
-                              ctx->libctx, ctx->propq))
-            return prot;
-        ASN1_BIT_STRING_free(prot);
-        return NULL;
-    }
-}
-
-int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
-{
-    if (!ossl_assert(ctx != NULL && msg != NULL))
-        return 0;
-
-    /* Add first ctx->cert and its chain if using signature-based protection */
-    if (!ctx->unprotectedSend && ctx->secretValue == NULL
-            && ctx->cert != NULL && ctx->pkey != NULL) {
-        int prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
-            | X509_ADD_FLAG_PREPEND | X509_ADD_FLAG_NO_SS;
-
-        /* if not yet done try to build chain using available untrusted certs */
-        if (ctx->chain == NULL) {
-            ossl_cmp_debug(ctx,
-                           "trying to build chain for own CMP signer cert");
-            ctx->chain = X509_build_chain(ctx->cert, ctx->untrusted, NULL, 0,
-                                          ctx->libctx, ctx->propq);
-            if (ctx->chain != NULL) {
-                ossl_cmp_debug(ctx,
-                               "success building chain for own CMP signer cert");
-            } else {
-                /* dump errors to avoid confusion when printing further ones */
-                OSSL_CMP_CTX_print_errors(ctx);
-                ossl_cmp_warn(ctx,
-                              "could not build chain for own CMP signer cert");
-            }
-        }
-        if (ctx->chain != NULL) {
-            if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->chain, prepend))
-                return 0;
-        } else {
-            /* make sure that at least our own signer cert is included first */
-            if (!ossl_x509_add_cert_new(&msg->extraCerts, ctx->cert, prepend))
-                return 0;
-            ossl_cmp_debug(ctx, "fallback: adding just own CMP signer cert");
-        }
-    }
-
-    /* add any additional certificates from ctx->extraCertsOut */
-    if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->extraCertsOut,
-                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
-        return 0;
-
-    /* in case extraCerts are empty list avoid empty ASN.1 sequence */
-    if (sk_X509_num(msg->extraCerts) == 0) {
-        sk_X509_free(msg->extraCerts);
-        msg->extraCerts = NULL;
-    }
-    return 1;
-}
-
-/*
- * Create an X509_ALGOR structure for PasswordBasedMAC protection based on
- * the pbm settings in the context
- */
-static int set_pbmac_algor(const OSSL_CMP_CTX *ctx, X509_ALGOR **alg)
-{
-    OSSL_CRMF_PBMPARAMETER *pbm = NULL;
-    unsigned char *pbm_der = NULL;
-    int pbm_der_len;
-    ASN1_STRING *pbm_str = NULL;
-
-    if (!ossl_assert(ctx != NULL))
-        return 0;
-
-    pbm = OSSL_CRMF_pbmp_new(ctx->libctx, ctx->pbm_slen,
-                             EVP_MD_get_type(ctx->pbm_owf), ctx->pbm_itercnt,
-                             ctx->pbm_mac);
-    pbm_str = ASN1_STRING_new();
-    if (pbm == NULL || pbm_str == NULL)
-        goto err;
-
-    if ((pbm_der_len = i2d_OSSL_CRMF_PBMPARAMETER(pbm, &pbm_der)) < 0)
-        goto err;
-
-    if (!ASN1_STRING_set(pbm_str, pbm_der, pbm_der_len))
-        goto err;
-    if (*alg == NULL && (*alg = X509_ALGOR_new()) == NULL)
-        goto err;
-    OPENSSL_free(pbm_der);
-
-    X509_ALGOR_set0(*alg, OBJ_nid2obj(NID_id_PasswordBasedMAC),
-                    V_ASN1_SEQUENCE, pbm_str);
-    OSSL_CRMF_PBMPARAMETER_free(pbm);
-    return 1;
-
- err:
-    ASN1_STRING_free(pbm_str);
-    OPENSSL_free(pbm_der);
-    OSSL_CRMF_PBMPARAMETER_free(pbm);
-    return 0;
-}
-
-static int set_sig_algor(const OSSL_CMP_CTX *ctx, X509_ALGOR **alg)
-{
-    int nid = 0;
-    ASN1_OBJECT *algo = NULL;
-
-    if (!OBJ_find_sigid_by_algs(&nid, EVP_MD_get_type(ctx->digest),
-                                EVP_PKEY_get_id(ctx->pkey))) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_KEY_TYPE);
-        return 0;
-    }
-    if ((algo = OBJ_nid2obj(nid)) == NULL)
-        return 0;
-    if (*alg == NULL && (*alg = X509_ALGOR_new()) == NULL)
-        return 0;
-
-    if (X509_ALGOR_set0(*alg, algo, V_ASN1_UNDEF, NULL))
-        return 1;
-    ASN1_OBJECT_free(algo);
-    return 0;
-}
-
-static int set_senderKID(const OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg,
-                         const ASN1_OCTET_STRING *id)
-{
-    if (id == NULL)
-        id = ctx->referenceValue; /* standard for PBM, fallback for sig-based */
-    return id == NULL || ossl_cmp_hdr_set1_senderKID(msg->header, id);
-}
-
-int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
-{
-    if (!ossl_assert(ctx != NULL && msg != NULL))
-        return 0;
-
-    /*
-     * For the case of re-protection remove pre-existing protection.
-     */
-    X509_ALGOR_free(msg->header->protectionAlg);
-    msg->header->protectionAlg = NULL;
-    ASN1_BIT_STRING_free(msg->protection);
-    msg->protection = NULL;
-
-    if (ctx->unprotectedSend) {
-        if (!set_senderKID(ctx, msg, NULL))
-            goto err;
-    } else if (ctx->secretValue != NULL) {
-        /* use PasswordBasedMac according to 5.1.3.1 if secretValue is given */
-        if (!set_pbmac_algor(ctx, &msg->header->protectionAlg))
-            goto err;
-        if (!set_senderKID(ctx, msg, NULL))
-            goto err;
-
-        /*
-         * will add any additional certificates from ctx->extraCertsOut
-         * while not needed to validate the protection certificate,
-         * the option to do this might be handy for certain use cases
-         */
-    } else if (ctx->cert != NULL && ctx->pkey != NULL) {
-        /* use MSG_SIG_ALG according to 5.1.3.3 if client cert and key given */
-
-        /* make sure that key and certificate match */
-        if (!X509_check_private_key(ctx->cert, ctx->pkey)) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_CERT_AND_KEY_DO_NOT_MATCH);
-            goto err;
-        }
-
-        if (!set_sig_algor(ctx, &msg->header->protectionAlg))
-            goto err;
-        /* set senderKID to keyIdentifier of the cert according to 5.1.1 */
-        if (!set_senderKID(ctx, msg, X509_get0_subject_key_id(ctx->cert)))
-            goto err;
-
-        /*
-         * will add ctx->cert followed, if possible, by its chain built
-         * from ctx->untrusted, and then ctx->extraCertsOut
-         */
-    } else {
-        ERR_raise(ERR_LIB_CMP,
-                  CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);
-        goto err;
-    }
-    if (!ctx->unprotectedSend
-            && ((msg->protection = ossl_cmp_calc_protection(ctx, msg)) == NULL))
-        goto err;
-
-    /*
-     * For signature-based protection add ctx->cert followed by its chain.
-     * Finally add any additional certificates from ctx->extraCertsOut;
-     * even if not needed to validate the protection
-     * the option to do this might be handy for certain use cases.
-     */
-    if (!ossl_cmp_msg_add_extraCerts(ctx, msg))
-        goto err;
-
-    /*
-     * As required by RFC 4210 section 5.1.1., if the sender name is not known
-     * to the client it set to NULL-DN. In this case for identification at least
-     * the senderKID must be set, where we took the referenceValue as fallback.
-     */
-    if (!(ossl_cmp_general_name_is_NULL_DN(msg->header->sender)
-          && msg->header->senderKID == NULL))
-        return 1;
-    ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_SENDER_IDENTIFICATION);
-
- err:
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROTECTING_MESSAGE);
-    return 0;
-}

+ 0 - 644
libs/openssl/crypto/cmp/cmp_server.c

@@ -1,644 +0,0 @@
-/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* general CMP server functions */
-
-#include <openssl/asn1t.h>
-
-#include "cmp_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/cmp.h>
-#include <openssl/err.h>
-
-/* the context for the generic CMP server */
-struct ossl_cmp_srv_ctx_st
-{
-    OSSL_CMP_CTX *ctx; /* Client CMP context, partly reused for srv */
-    void *custom_ctx;  /* pointer to specific server context */
-
-    OSSL_CMP_SRV_cert_request_cb_t process_cert_request;
-    OSSL_CMP_SRV_rr_cb_t process_rr;
-    OSSL_CMP_SRV_genm_cb_t process_genm;
-    OSSL_CMP_SRV_error_cb_t process_error;
-    OSSL_CMP_SRV_certConf_cb_t process_certConf;
-    OSSL_CMP_SRV_pollReq_cb_t process_pollReq;
-
-    int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */
-    int acceptUnprotected;     /* Accept requests with no/invalid prot. */
-    int acceptRAVerified;      /* Accept ir/cr/kur with POPO RAVerified */
-    int grantImplicitConfirm;  /* Grant implicit confirmation if requested */
-
-}; /* OSSL_CMP_SRV_CTX */
-
-void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx)
-{
-    if (srv_ctx == NULL)
-        return;
-
-    OSSL_CMP_CTX_free(srv_ctx->ctx);
-    OPENSSL_free(srv_ctx);
-}
-
-OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
-{
-    OSSL_CMP_SRV_CTX *ctx = OPENSSL_zalloc(sizeof(OSSL_CMP_SRV_CTX));
-
-    if (ctx == NULL)
-        goto err;
-
-    if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL)
-        goto err;
-
-    /* all other elements are initialized to 0 or NULL, respectively */
-    return ctx;
- err:
-    OSSL_CMP_SRV_CTX_free(ctx);
-    return NULL;
-}
-
-int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx,
-                          OSSL_CMP_SRV_cert_request_cb_t process_cert_request,
-                          OSSL_CMP_SRV_rr_cb_t process_rr,
-                          OSSL_CMP_SRV_genm_cb_t process_genm,
-                          OSSL_CMP_SRV_error_cb_t process_error,
-                          OSSL_CMP_SRV_certConf_cb_t process_certConf,
-                          OSSL_CMP_SRV_pollReq_cb_t process_pollReq)
-{
-    if (srv_ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    srv_ctx->custom_ctx = custom_ctx;
-    srv_ctx->process_cert_request = process_cert_request;
-    srv_ctx->process_rr = process_rr;
-    srv_ctx->process_genm = process_genm;
-    srv_ctx->process_error = process_error;
-    srv_ctx->process_certConf = process_certConf;
-    srv_ctx->process_pollReq = process_pollReq;
-    return 1;
-}
-
-OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx)
-{
-    if (srv_ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return srv_ctx->ctx;
-}
-
-void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx)
-{
-    if (srv_ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return srv_ctx->custom_ctx;
-}
-
-int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx,
-                                                 int val)
-{
-    if (srv_ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    srv_ctx->sendUnprotectedErrors = val != 0;
-    return 1;
-}
-
-int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val)
-{
-    if (srv_ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    srv_ctx->acceptUnprotected = val != 0;
-    return 1;
-}
-
-int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val)
-{
-    if (srv_ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    srv_ctx->acceptRAVerified = val != 0;
-    return 1;
-}
-
-int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
-                                                int val)
-{
-    if (srv_ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    srv_ctx->grantImplicitConfirm = val != 0;
-    return 1;
-}
-
-/*
- * Processes an ir/cr/p10cr/kur and returns a certification response.
- * Only handles the first certification request contained in req
- * returns an ip/cp/kup on success and NULL on error
- */
-static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
-                                          const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_MSG *msg = NULL;
-    OSSL_CMP_PKISI *si = NULL;
-    X509 *certOut = NULL;
-    STACK_OF(X509) *chainOut = NULL, *caPubs = NULL;
-    const OSSL_CRMF_MSG *crm = NULL;
-    const X509_REQ *p10cr = NULL;
-    int bodytype;
-    int certReqId;
-
-    if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
-        return NULL;
-
-    switch (OSSL_CMP_MSG_get_bodytype(req)) {
-    case OSSL_CMP_PKIBODY_P10CR:
-    case OSSL_CMP_PKIBODY_CR:
-        bodytype = OSSL_CMP_PKIBODY_CP;
-        break;
-    case OSSL_CMP_PKIBODY_IR:
-        bodytype = OSSL_CMP_PKIBODY_IP;
-        break;
-    case OSSL_CMP_PKIBODY_KUR:
-        bodytype = OSSL_CMP_PKIBODY_KUP;
-        break;
-    default:
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        return NULL;
-    }
-
-    if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) {
-        certReqId = OSSL_CMP_CERTREQID;
-        p10cr = req->body->value.p10cr;
-    } else {
-        OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */
-
-        if (sk_OSSL_CRMF_MSG_num(reqs) != 1) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
-            return NULL;
-        }
-
-        if ((crm = sk_OSSL_CRMF_MSG_value(reqs, OSSL_CMP_CERTREQID)) == NULL) {
-            ERR_raise(ERR_LIB_CMP, CMP_R_CERTREQMSG_NOT_FOUND);
-            return NULL;
-        }
-        certReqId = OSSL_CRMF_MSG_get_certReqId(crm);
-    }
-
-    if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) {
-        /* Proof of possession could not be verified */
-        si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection,
-                                     1 << OSSL_CMP_PKIFAILUREINFO_badPOP,
-                                     ERR_reason_error_string(ERR_peek_error()));
-        if (si == NULL)
-            return NULL;
-    } else {
-        OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(req);
-
-        si = srv_ctx->process_cert_request(srv_ctx, req, certReqId, crm, p10cr,
-                                           &certOut, &chainOut, &caPubs);
-        if (si == NULL)
-            goto err;
-        /* set OSSL_CMP_OPT_IMPLICIT_CONFIRM if and only if transaction ends */
-        if (!OSSL_CMP_CTX_set_option(srv_ctx->ctx,
-                                     OSSL_CMP_OPT_IMPLICIT_CONFIRM,
-                                     ossl_cmp_hdr_has_implicitConfirm(hdr)
-                                         && srv_ctx->grantImplicitConfirm
-                                         /* do not set if polling starts: */
-                                         && certOut != NULL))
-            goto err;
-    }
-
-    msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
-                               certOut, NULL /* enc */, chainOut, caPubs,
-                               srv_ctx->sendUnprotectedErrors);
-    if (msg == NULL)
-        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
-
- err:
-    OSSL_CMP_PKISI_free(si);
-    X509_free(certOut);
-    sk_X509_pop_free(chainOut, X509_free);
-    sk_X509_pop_free(caPubs, X509_free);
-    return msg;
-}
-
-static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
-                                const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_MSG *msg = NULL;
-    OSSL_CMP_REVDETAILS *details;
-    OSSL_CRMF_CERTID *certId = NULL;
-    OSSL_CRMF_CERTTEMPLATE *tmpl;
-    const X509_NAME *issuer;
-    const ASN1_INTEGER *serial;
-    OSSL_CMP_PKISI *si;
-
-    if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
-        return NULL;
-
-    if (sk_OSSL_CMP_REVDETAILS_num(req->body->value.rr) != 1) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
-        return NULL;
-    }
-
-    if ((details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr,
-                                                OSSL_CMP_REVREQSID)) == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
-        return NULL;
-    }
-
-    tmpl = details->certDetails;
-    issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
-    serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
-    if (issuer != NULL && serial != NULL
-            && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
-        return NULL;
-    if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL)
-        goto err;
-
-    if ((msg = ossl_cmp_rp_new(srv_ctx->ctx, si, certId,
-                               srv_ctx->sendUnprotectedErrors)) == NULL)
-        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
-
- err:
-    OSSL_CRMF_CERTID_free(certId);
-    OSSL_CMP_PKISI_free(si);
-    return msg;
-}
-
-/*
- * Processes genm and creates a genp message mirroring the contents of the
- * incoming message
- */
-static OSSL_CMP_MSG *process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
-                                  const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_GENMSGCONTENT *itavs;
-    OSSL_CMP_MSG *msg;
-
-    if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
-        return NULL;
-
-    if (!srv_ctx->process_genm(srv_ctx, req, req->body->value.genm, &itavs))
-        return NULL;
-
-    msg = ossl_cmp_genp_new(srv_ctx->ctx, itavs);
-    sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
-    return msg;
-}
-
-static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx,
-                                   const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_ERRORMSGCONTENT *errorContent;
-    OSSL_CMP_MSG *msg;
-
-    if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
-        return NULL;
-    errorContent = req->body->value.error;
-    srv_ctx->process_error(srv_ctx, req, errorContent->pKIStatusInfo,
-                           errorContent->errorCode, errorContent->errorDetails);
-
-    if ((msg = ossl_cmp_pkiconf_new(srv_ctx->ctx)) == NULL)
-        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
-    return msg;
-}
-
-static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
-                                      const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_CTX *ctx;
-    OSSL_CMP_CERTCONFIRMCONTENT *ccc;
-    int num;
-    OSSL_CMP_MSG *msg = NULL;
-    OSSL_CMP_CERTSTATUS *status = NULL;
-
-    if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
-        return NULL;
-
-    ctx = srv_ctx->ctx;
-    ccc = req->body->value.certConf;
-    num = sk_OSSL_CMP_CERTSTATUS_num(ccc);
-
-    if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 1
-            || ctx->status != OSSL_CMP_PKISTATUS_trans) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_UNEXPECTED_CERTCONF);
-        return NULL;
-    }
-
-    if (num == 0) {
-        ossl_cmp_err(ctx, "certificate rejected by client");
-    } else {
-        if (num > 1)
-            ossl_cmp_warn(ctx, "All CertStatus but the first will be ignored");
-        status = sk_OSSL_CMP_CERTSTATUS_value(ccc, OSSL_CMP_CERTREQID);
-    }
-
-    if (status != NULL) {
-        int certReqId = ossl_cmp_asn1_get_int(status->certReqId);
-        ASN1_OCTET_STRING *certHash = status->certHash;
-        OSSL_CMP_PKISI *si = status->statusInfo;
-
-        if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si))
-            return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */
-
-        if (si != NULL
-            && ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_accepted) {
-            int pki_status = ossl_cmp_pkisi_get_status(si);
-            const char *str = ossl_cmp_PKIStatus_to_string(pki_status);
-
-            ossl_cmp_log2(INFO, ctx, "certificate rejected by client %s %s",
-                          str == NULL ? "without" : "with",
-                          str == NULL ? "PKIStatus" : str);
-        }
-    }
-
-    if ((msg = ossl_cmp_pkiconf_new(ctx)) == NULL)
-        ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
-    return msg;
-}
-
-static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
-                                     const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_POLLREQCONTENT *prc;
-    OSSL_CMP_POLLREQ *pr;
-    int certReqId;
-    OSSL_CMP_MSG *certReq;
-    int64_t check_after = 0;
-    OSSL_CMP_MSG *msg = NULL;
-
-    if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL))
-        return NULL;
-
-    prc = req->body->value.pollReq;
-    if (sk_OSSL_CMP_POLLREQ_num(prc) != 1) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED);
-        return NULL;
-    }
-
-    pr = sk_OSSL_CMP_POLLREQ_value(prc, 0);
-    certReqId = ossl_cmp_asn1_get_int(pr->certReqId);
-    if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId,
-                                  &certReq, &check_after))
-        return NULL;
-
-    if (certReq != NULL) {
-        msg = process_cert_request(srv_ctx, certReq);
-        OSSL_CMP_MSG_free(certReq);
-    } else {
-        if ((msg = ossl_cmp_pollRep_new(srv_ctx->ctx, certReqId,
-                                        check_after)) == NULL)
-            ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
-    }
-    return msg;
-}
-
-/*
- * Determine whether missing/invalid protection of request message is allowed.
- * Return 1 on acceptance, 0 on rejection, or -1 on (internal) error.
- */
-static int unprotected_exception(const OSSL_CMP_CTX *ctx,
-                                 const OSSL_CMP_MSG *req,
-                                 int invalid_protection,
-                                 int accept_unprotected_requests)
-{
-    if (!ossl_assert(ctx != NULL && req != NULL))
-        return -1;
-
-    if (accept_unprotected_requests) {
-        ossl_cmp_log1(WARN, ctx, "ignoring %s protection of request message",
-                      invalid_protection ? "invalid" : "missing");
-        return 1;
-    }
-    if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR
-        && OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS) == 1) {
-        ossl_cmp_warn(ctx, "ignoring missing protection of error message");
-        return 1;
-    }
-    return 0;
-}
-
-/*
- * returns created message and NULL on internal error
- */
-OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
-                                           const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_CTX *ctx;
-    ASN1_OCTET_STRING *backup_secret;
-    OSSL_CMP_PKIHEADER *hdr;
-    int req_type, rsp_type;
-    int res;
-    OSSL_CMP_MSG *rsp = NULL;
-
-    if (srv_ctx == NULL || srv_ctx->ctx == NULL
-            || req == NULL || req->body == NULL
-            || (hdr = OSSL_CMP_MSG_get0_header(req)) == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-    ctx = srv_ctx->ctx;
-    backup_secret = ctx->secretValue;
-    req_type = OSSL_CMP_MSG_get_bodytype(req);
-    ossl_cmp_log1(DEBUG, ctx,
-                  "received %s", ossl_cmp_bodytype_to_string(req_type));
-
-    /*
-     * Some things need to be done already before validating the message in
-     * order to be able to send an error message as far as needed and possible.
-     */
-    if (hdr->sender->type != GEN_DIRNAME) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
-        goto err;
-    }
-    if (!OSSL_CMP_CTX_set1_recipient(ctx, hdr->sender->d.directoryName))
-        goto err;
-
-    switch (req_type) {
-    case OSSL_CMP_PKIBODY_IR:
-    case OSSL_CMP_PKIBODY_CR:
-    case OSSL_CMP_PKIBODY_P10CR:
-    case OSSL_CMP_PKIBODY_KUR:
-    case OSSL_CMP_PKIBODY_RR:
-    case OSSL_CMP_PKIBODY_GENM:
-    case OSSL_CMP_PKIBODY_ERROR:
-        if (ctx->transactionID != NULL) {
-            char *tid;
-
-            tid = OPENSSL_buf2hexstr(ctx->transactionID->data,
-                                     ctx->transactionID->length);
-            if (tid != NULL)
-                ossl_cmp_log1(WARN, ctx,
-                              "Assuming that last transaction with ID=%s got aborted",
-                              tid);
-            OPENSSL_free(tid);
-        }
-        /* start of a new transaction, reset transactionID and senderNonce */
-        if (!OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
-                || !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL))
-            goto err;
-        break;
-    default:
-        /* transactionID should be already initialized */
-        if (ctx->transactionID == NULL) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-            goto err;
-#endif
-        }
-    }
-
-    res = ossl_cmp_msg_check_update(ctx, req, unprotected_exception,
-                                    srv_ctx->acceptUnprotected);
-    if (ctx->secretValue != NULL && ctx->pkey != NULL
-            && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC)
-        ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */
-    if (!res)
-        goto err;
-
-    switch (req_type) {
-    case OSSL_CMP_PKIBODY_IR:
-    case OSSL_CMP_PKIBODY_CR:
-    case OSSL_CMP_PKIBODY_P10CR:
-    case OSSL_CMP_PKIBODY_KUR:
-        if (srv_ctx->process_cert_request == NULL)
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        else
-            rsp = process_cert_request(srv_ctx, req);
-        break;
-    case OSSL_CMP_PKIBODY_RR:
-        if (srv_ctx->process_rr == NULL)
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        else
-            rsp = process_rr(srv_ctx, req);
-        break;
-    case OSSL_CMP_PKIBODY_GENM:
-        if (srv_ctx->process_genm == NULL)
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        else
-            rsp = process_genm(srv_ctx, req);
-        break;
-    case OSSL_CMP_PKIBODY_ERROR:
-        if (srv_ctx->process_error == NULL)
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        else
-            rsp = process_error(srv_ctx, req);
-        break;
-    case OSSL_CMP_PKIBODY_CERTCONF:
-        if (srv_ctx->process_certConf == NULL)
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        else
-            rsp = process_certConf(srv_ctx, req);
-        break;
-    case OSSL_CMP_PKIBODY_POLLREQ:
-        if (srv_ctx->process_pollReq == NULL)
-            ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        else
-            rsp = process_pollReq(srv_ctx, req);
-        break;
-    default:
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
-        break;
-    }
-
- err:
-    if (rsp == NULL) {
-        /* on error, try to respond with CMP error message to client */
-        const char *data = NULL, *reason = NULL;
-        int flags = 0;
-        unsigned long err = ERR_peek_error_data(&data, &flags);
-        int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest;
-        OSSL_CMP_PKISI *si = NULL;
-
-        if (ctx->transactionID == NULL) {
-            /* ignore any (extra) error in next two function calls: */
-            (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID);
-            (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce);
-        }
-
-        if ((flags & ERR_TXT_STRING) == 0 || *data == '\0')
-            data = NULL;
-        reason = ERR_reason_error_string(err);
-        if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection,
-                                          fail_info, reason)) != NULL) {
-            rsp = ossl_cmp_error_new(srv_ctx->ctx, si, err,
-                                     data, srv_ctx->sendUnprotectedErrors);
-            OSSL_CMP_PKISI_free(si);
-        }
-    }
-    OSSL_CMP_CTX_print_errors(ctx);
-    ctx->secretValue = backup_secret;
-
-    rsp_type =
-        rsp != NULL ? OSSL_CMP_MSG_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR;
-    if (rsp != NULL)
-        ossl_cmp_log1(DEBUG, ctx,
-                      "sending %s", ossl_cmp_bodytype_to_string(rsp_type));
-    else
-        ossl_cmp_log(ERR, ctx, "cannot send proper CMP response");
-
-    /* determine whether to keep the transaction open or not */
-    ctx->status = OSSL_CMP_PKISTATUS_trans;
-    switch (rsp_type) {
-    case OSSL_CMP_PKIBODY_IP:
-    case OSSL_CMP_PKIBODY_CP:
-    case OSSL_CMP_PKIBODY_KUP:
-        if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 0)
-            break;
-        /* fall through */
-
-    case OSSL_CMP_PKIBODY_RP:
-    case OSSL_CMP_PKIBODY_PKICONF:
-    case OSSL_CMP_PKIBODY_GENP:
-    case OSSL_CMP_PKIBODY_ERROR:
-        (void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL);
-        (void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL);
-        ctx->status = OSSL_CMP_PKISTATUS_unspecified; /* transaction closed */
-
-    default: /* not closing transaction in other cases */
-        break;
-    }
-    return rsp;
-}
-
-/*
- * Server interface that may substitute OSSL_CMP_MSG_http_perform at the client.
- * The OSSL_CMP_SRV_CTX must be set as client_ctx->transfer_cb_arg.
- * returns received message on success, else NULL and pushes an element on the
- * error stack.
- */
-OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx,
-                                          const OSSL_CMP_MSG *req)
-{
-    OSSL_CMP_SRV_CTX *srv_ctx = NULL;
-
-    if (client_ctx == NULL || req == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    if ((srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(client_ctx)) == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_TRANSFER_ERROR);
-        return NULL;
-    }
-
-    return OSSL_CMP_SRV_process_request(srv_ctx, req);
-}

+ 0 - 314
libs/openssl/crypto/cmp/cmp_status.c

@@ -1,314 +0,0 @@
-/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* CMP functions for PKIStatusInfo handling and PKIMessage decomposition */
-
-#include <string.h>
-
-#include "cmp_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <time.h>
-#include <openssl/cmp.h>
-#include <openssl/crmf.h>
-#include <openssl/err.h> /* needed in case config no-deprecated */
-#include <openssl/engine.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#include <openssl/asn1err.h> /* for ASN1_R_TOO_SMALL and ASN1_R_TOO_LARGE */
-
-/* CMP functions related to PKIStatus */
-
-int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si)
-{
-    if (!ossl_assert(si != NULL && si->status != NULL))
-        return -1;
-    return ossl_cmp_asn1_get_int(si->status);
-}
-
-const char *ossl_cmp_PKIStatus_to_string(int status)
-{
-    switch (status) {
-    case OSSL_CMP_PKISTATUS_accepted:
-        return "PKIStatus: accepted";
-    case OSSL_CMP_PKISTATUS_grantedWithMods:
-        return "PKIStatus: granted with modifications";
-    case OSSL_CMP_PKISTATUS_rejection:
-        return "PKIStatus: rejection";
-    case OSSL_CMP_PKISTATUS_waiting:
-        return "PKIStatus: waiting";
-    case OSSL_CMP_PKISTATUS_revocationWarning:
-        return "PKIStatus: revocation warning - a revocation of the cert is imminent";
-    case OSSL_CMP_PKISTATUS_revocationNotification:
-        return "PKIStatus: revocation notification - a revocation of the cert has occurred";
-    case OSSL_CMP_PKISTATUS_keyUpdateWarning:
-        return "PKIStatus: key update warning - update already done for the cert";
-    default:
-        ERR_raise_data(ERR_LIB_CMP, CMP_R_ERROR_PARSING_PKISTATUS,
-                       "PKIStatus: invalid=%d", status);
-        return NULL;
-    }
-}
-
-OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si)
-{
-    if (!ossl_assert(si != NULL))
-        return NULL;
-    return si->statusString;
-}
-
-int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si)
-{
-    int i;
-    int res = 0;
-
-    if (!ossl_assert(si != NULL))
-        return -1;
-    if (si->failInfo != NULL)
-        for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++)
-            if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
-                res |= 1 << i;
-    return res;
-}
-
-/*-
- * convert PKIFailureInfo number to human-readable string
- * returns pointer to static string, or NULL on error
- */
-static const char *CMP_PKIFAILUREINFO_to_string(int number)
-{
-    switch (number) {
-    case OSSL_CMP_PKIFAILUREINFO_badAlg:
-        return "badAlg";
-    case OSSL_CMP_PKIFAILUREINFO_badMessageCheck:
-        return "badMessageCheck";
-    case OSSL_CMP_PKIFAILUREINFO_badRequest:
-        return "badRequest";
-    case OSSL_CMP_PKIFAILUREINFO_badTime:
-        return "badTime";
-    case OSSL_CMP_PKIFAILUREINFO_badCertId:
-        return "badCertId";
-    case OSSL_CMP_PKIFAILUREINFO_badDataFormat:
-        return "badDataFormat";
-    case OSSL_CMP_PKIFAILUREINFO_wrongAuthority:
-        return "wrongAuthority";
-    case OSSL_CMP_PKIFAILUREINFO_incorrectData:
-        return "incorrectData";
-    case OSSL_CMP_PKIFAILUREINFO_missingTimeStamp:
-        return "missingTimeStamp";
-    case OSSL_CMP_PKIFAILUREINFO_badPOP:
-        return "badPOP";
-    case OSSL_CMP_PKIFAILUREINFO_certRevoked:
-        return "certRevoked";
-    case OSSL_CMP_PKIFAILUREINFO_certConfirmed:
-        return "certConfirmed";
-    case OSSL_CMP_PKIFAILUREINFO_wrongIntegrity:
-        return "wrongIntegrity";
-    case OSSL_CMP_PKIFAILUREINFO_badRecipientNonce:
-        return "badRecipientNonce";
-    case OSSL_CMP_PKIFAILUREINFO_timeNotAvailable:
-        return "timeNotAvailable";
-    case OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy:
-        return "unacceptedPolicy";
-    case OSSL_CMP_PKIFAILUREINFO_unacceptedExtension:
-        return "unacceptedExtension";
-    case OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable:
-        return "addInfoNotAvailable";
-    case OSSL_CMP_PKIFAILUREINFO_badSenderNonce:
-        return "badSenderNonce";
-    case OSSL_CMP_PKIFAILUREINFO_badCertTemplate:
-        return "badCertTemplate";
-    case OSSL_CMP_PKIFAILUREINFO_signerNotTrusted:
-        return "signerNotTrusted";
-    case OSSL_CMP_PKIFAILUREINFO_transactionIdInUse:
-        return "transactionIdInUse";
-    case OSSL_CMP_PKIFAILUREINFO_unsupportedVersion:
-        return "unsupportedVersion";
-    case OSSL_CMP_PKIFAILUREINFO_notAuthorized:
-        return "notAuthorized";
-    case OSSL_CMP_PKIFAILUREINFO_systemUnavail:
-        return "systemUnavail";
-    case OSSL_CMP_PKIFAILUREINFO_systemFailure:
-        return "systemFailure";
-    case OSSL_CMP_PKIFAILUREINFO_duplicateCertReq:
-        return "duplicateCertReq";
-    default:
-        return NULL; /* illegal failure number */
-    }
-}
-
-int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int bit_index)
-{
-    if (!ossl_assert(si != NULL && si->failInfo != NULL))
-        return -1;
-    if (bit_index < 0 || bit_index > OSSL_CMP_PKIFAILUREINFO_MAX) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
-        return -1;
-    }
-
-    return ASN1_BIT_STRING_get_bit(si->failInfo, bit_index);
-}
-
-/*-
- * place human-readable error string created from PKIStatusInfo in given buffer
- * returns pointer to the same buffer containing the string, or NULL on error
- */
-static
-char *snprint_PKIStatusInfo_parts(int status, int fail_info,
-                                  const OSSL_CMP_PKIFREETEXT *status_strings,
-                                  char *buf, size_t bufsize)
-{
-    int failure;
-    const char *status_string, *failure_string;
-    ASN1_UTF8STRING *text;
-    int i;
-    int printed_chars;
-    int failinfo_found = 0;
-    int n_status_strings;
-    char *write_ptr = buf;
-
-    if (buf == NULL
-            || status < 0
-            || (status_string = ossl_cmp_PKIStatus_to_string(status)) == NULL)
-        return NULL;
-
-#define ADVANCE_BUFFER                                         \
-        if (printed_chars < 0 || (size_t)printed_chars >= bufsize) \
-            return NULL; \
-        write_ptr += printed_chars; \
-        bufsize -= printed_chars;
-
-    printed_chars = BIO_snprintf(write_ptr, bufsize, "%s", status_string);
-    ADVANCE_BUFFER;
-
-    /*
-     * failInfo is optional and may be empty;
-     * if present, print failInfo before statusString because it is more concise
-     */
-    if (fail_info != -1 && fail_info != 0) {
-        printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: ");
-        ADVANCE_BUFFER;
-        for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
-            if ((fail_info & (1 << failure)) != 0) {
-                failure_string = CMP_PKIFAILUREINFO_to_string(failure);
-                if (failure_string != NULL) {
-                    printed_chars = BIO_snprintf(write_ptr, bufsize, "%s%s",
-                                                 failinfo_found ? ", " : "",
-                                                 failure_string);
-                    ADVANCE_BUFFER;
-                    failinfo_found = 1;
-                }
-            }
-        }
-    }
-    if (!failinfo_found && status != OSSL_CMP_PKISTATUS_accepted
-            && status != OSSL_CMP_PKISTATUS_grantedWithMods) {
-        printed_chars = BIO_snprintf(write_ptr, bufsize, "; <no failure info>");
-        ADVANCE_BUFFER;
-    }
-
-    /* statusString sequence is optional and may be empty */
-    n_status_strings = sk_ASN1_UTF8STRING_num(status_strings);
-    if (n_status_strings > 0) {
-        printed_chars = BIO_snprintf(write_ptr, bufsize, "; StatusString%s: ",
-                                     n_status_strings > 1 ? "s" : "");
-        ADVANCE_BUFFER;
-        for (i = 0; i < n_status_strings; i++) {
-            text = sk_ASN1_UTF8STRING_value(status_strings, i);
-            printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
-                                         ASN1_STRING_length(text),
-                                         ASN1_STRING_get0_data(text),
-                                         i < n_status_strings - 1 ? ", " : "");
-            ADVANCE_BUFFER;
-        }
-    }
-#undef ADVANCE_BUFFER
-    return buf;
-}
-
-char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo,
-                                     char *buf, size_t bufsize)
-{
-    int failure_info;
-
-    if (statusInfo == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    failure_info = ossl_cmp_pkisi_get_pkifailureinfo(statusInfo);
-
-    return snprint_PKIStatusInfo_parts(ASN1_INTEGER_get(statusInfo->status),
-                                       failure_info,
-                                       statusInfo->statusString, buf, bufsize);
-}
-
-char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf,
-                                     size_t bufsize)
-{
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    return snprint_PKIStatusInfo_parts(OSSL_CMP_CTX_get_status(ctx),
-                                       OSSL_CMP_CTX_get_failInfoCode(ctx),
-                                       OSSL_CMP_CTX_get0_statusString(ctx),
-                                       buf, bufsize);
-}
-
-/*-
- * Creates a new PKIStatusInfo structure and fills it in
- * returns a pointer to the structure on success, NULL on error
- * note: strongly overlaps with TS_RESP_CTX_set_status_info()
- * and TS_RESP_CTX_add_failure_info() in ../ts/ts_rsp_sign.c
- */
-OSSL_CMP_PKISI *OSSL_CMP_STATUSINFO_new(int status, int fail_info,
-                                        const char *text)
-{
-    OSSL_CMP_PKISI *si = OSSL_CMP_PKISI_new();
-    ASN1_UTF8STRING *utf8_text = NULL;
-    int failure;
-
-    if (si == NULL)
-        goto err;
-    if (!ASN1_INTEGER_set(si->status, status))
-        goto err;
-
-    if (text != NULL) {
-        if ((utf8_text = ASN1_UTF8STRING_new()) == NULL
-                || !ASN1_STRING_set(utf8_text, text, -1))
-            goto err;
-        if ((si->statusString = sk_ASN1_UTF8STRING_new_null()) == NULL)
-            goto err;
-        if (!sk_ASN1_UTF8STRING_push(si->statusString, utf8_text))
-            goto err;
-        /* Ownership is lost. */
-        utf8_text = NULL;
-    }
-
-    for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
-        if ((fail_info & (1 << failure)) != 0) {
-            if (si->failInfo == NULL
-                    && (si->failInfo = ASN1_BIT_STRING_new()) == NULL)
-                goto err;
-            if (!ASN1_BIT_STRING_set_bit(si->failInfo, failure, 1))
-                goto err;
-        }
-    }
-    return si;
-
- err:
-    OSSL_CMP_PKISI_free(si);
-    ASN1_UTF8STRING_free(utf8_text);
-    return NULL;
-}

+ 0 - 856
libs/openssl/crypto/cmp/cmp_vfy.c

@@ -1,856 +0,0 @@
-/*
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2020
- * Copyright Siemens AG 2015-2020
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* CMP functions for PKIMessage checking */
-
-#include "cmp_local.h"
-#include <openssl/cmp_util.h>
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/asn1t.h>
-#include <openssl/cmp.h>
-#include <openssl/crmf.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-
-/* Verify a message protected by signature according to RFC section 5.1.3.3 */
-static int verify_signature(const OSSL_CMP_CTX *cmp_ctx,
-                            const OSSL_CMP_MSG *msg, X509 *cert)
-{
-    OSSL_CMP_PROTECTEDPART prot_part;
-    EVP_PKEY *pubkey = NULL;
-    BIO *bio;
-    int res = 0;
-
-    if (!ossl_assert(cmp_ctx != NULL && msg != NULL && cert != NULL))
-        return 0;
-
-    bio = BIO_new(BIO_s_mem()); /* may be NULL */
-
-    /* verify that keyUsage, if present, contains digitalSignature */
-    if (!cmp_ctx->ignore_keyusage
-            && (X509_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE) == 0) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE);
-        goto sig_err;
-    }
-
-    pubkey = X509_get_pubkey(cert);
-    if (pubkey == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_EXTRACTING_PUBKEY);
-        goto sig_err;
-    }
-
-    prot_part.header = msg->header;
-    prot_part.body = msg->body;
-
-    if (ASN1_item_verify_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART),
-                            msg->header->protectionAlg, msg->protection,
-                            &prot_part, NULL, pubkey, cmp_ctx->libctx,
-                            cmp_ctx->propq) > 0) {
-        res = 1;
-        goto end;
-    }
-
- sig_err:
-    res = ossl_x509_print_ex_brief(bio, cert, X509_FLAG_NO_EXTENSIONS);
-    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_VALIDATING_SIGNATURE);
-    if (res)
-        ERR_add_error_mem_bio("\n", bio);
-    res = 0;
-
- end:
-    EVP_PKEY_free(pubkey);
-    BIO_free(bio);
-
-    return res;
-}
-
-/* Verify a message protected with PBMAC */
-static int verify_PBMAC(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
-{
-    ASN1_BIT_STRING *protection = NULL;
-    int valid = 0;
-
-    /* generate expected protection for the message */
-    if ((protection = ossl_cmp_calc_protection(ctx, msg)) == NULL)
-        return 0; /* failed to generate protection string! */
-
-    valid = msg->protection != NULL && msg->protection->length >= 0
-            && msg->protection->type == protection->type
-            && msg->protection->length == protection->length
-            && CRYPTO_memcmp(msg->protection->data, protection->data,
-                             protection->length) == 0;
-    ASN1_BIT_STRING_free(protection);
-    if (!valid)
-        ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_PBM_VALUE);
-
-    return valid;
-}
-
-/*-
- * Attempt to validate certificate and path using any given store with trusted
- * certs (possibly including CRLs and a cert verification callback function)
- * and non-trusted intermediate certs from the given ctx.
- *
- * Returns 1 on successful validation and 0 otherwise.
- */
-int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
-                                X509_STORE *trusted_store, X509 *cert)
-{
-    int valid = 0;
-    X509_STORE_CTX *csc = NULL;
-    int err;
-
-    if (ctx == NULL || cert == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (trusted_store == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_STORE);
-        return 0;
-    }
-
-    if ((csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq)) == NULL
-            || !X509_STORE_CTX_init(csc, trusted_store,
-                                    cert, ctx->untrusted))
-        goto err;
-
-    valid = X509_verify_cert(csc) > 0;
-
-    /* make sure suitable error is queued even if callback did not do */
-    err = ERR_peek_last_error();
-    if (!valid && ERR_GET_REASON(err) != CMP_R_POTENTIALLY_INVALID_CERTIFICATE)
-        ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE);
-
- err:
-    /* directly output any fresh errors, needed for check_msg_find_cert() */
-    OSSL_CMP_CTX_print_errors(ctx);
-    X509_STORE_CTX_free(csc);
-    return valid;
-}
-
-/* Return 0 if expect_name != NULL and there is no matching actual_name */
-static int check_name(const OSSL_CMP_CTX *ctx, int log_success,
-                      const char *actual_desc, const X509_NAME *actual_name,
-                      const char *expect_desc, const X509_NAME *expect_name)
-{
-    char *str;
-
-    if (expect_name == NULL)
-        return 1; /* no expectation, thus trivially fulfilled */
-
-    /* make sure that a matching name is there */
-    if (actual_name == NULL) {
-        ossl_cmp_log1(WARN, ctx, "missing %s", actual_desc);
-        return 0;
-    }
-    str = X509_NAME_oneline(actual_name, NULL, 0);
-    if (X509_NAME_cmp(actual_name, expect_name) == 0) {
-        if (log_success && str != NULL)
-            ossl_cmp_log2(INFO, ctx, " subject matches %s: %s", expect_desc,
-                          str);
-        OPENSSL_free(str);
-        return 1;
-    }
-
-    if (str != NULL)
-        ossl_cmp_log2(INFO, ctx, " actual name in %s = %s", actual_desc, str);
-    OPENSSL_free(str);
-    if ((str = X509_NAME_oneline(expect_name, NULL, 0)) != NULL)
-        ossl_cmp_log2(INFO, ctx, " does not match %s = %s", expect_desc, str);
-    OPENSSL_free(str);
-    return 0;
-}
-
-/* Return 0 if skid != NULL and there is no matching subject key ID in cert */
-static int check_kid(const OSSL_CMP_CTX *ctx,
-                     const ASN1_OCTET_STRING *ckid,
-                     const ASN1_OCTET_STRING *skid)
-{
-    char *str;
-
-    if (skid == NULL)
-        return 1; /* no expectation, thus trivially fulfilled */
-
-    /* make sure that the expected subject key identifier is there */
-    if (ckid == NULL) {
-        ossl_cmp_warn(ctx, "missing Subject Key Identifier in certificate");
-        return 0;
-    }
-    str = OPENSSL_buf2hexstr(ckid->data, ckid->length);
-    if (ASN1_OCTET_STRING_cmp(ckid, skid) == 0) {
-        if (str != NULL)
-            ossl_cmp_log1(INFO, ctx, " subjectKID matches senderKID: %s", str);
-        OPENSSL_free(str);
-        return 1;
-    }
-
-    if (str != NULL)
-        ossl_cmp_log1(INFO, ctx, " cert Subject Key Identifier = %s", str);
-    OPENSSL_free(str);
-    if ((str = OPENSSL_buf2hexstr(skid->data, skid->length)) != NULL)
-        ossl_cmp_log1(INFO, ctx, " does not match senderKID    = %s", str);
-    OPENSSL_free(str);
-    return 0;
-}
-
-static int already_checked(const X509 *cert,
-                           const STACK_OF(X509) *already_checked)
-{
-    int i;
-
-    for (i = sk_X509_num(already_checked /* may be NULL */); i > 0; i--)
-        if (X509_cmp(sk_X509_value(already_checked, i - 1), cert) == 0)
-            return 1;
-    return 0;
-}
-
-/*-
- * Check if the given cert is acceptable as sender cert of the given message.
- * The subject DN must match, the subject key ID as well if present in the msg,
- * and the cert must be current (checked if ctx->trusted is not NULL).
- * Note that cert revocation etc. is checked by OSSL_CMP_validate_cert_path().
- *
- * Returns 0 on error or not acceptable, else 1.
- */
-static int cert_acceptable(const OSSL_CMP_CTX *ctx,
-                           const char *desc1, const char *desc2, X509 *cert,
-                           const STACK_OF(X509) *already_checked1,
-                           const STACK_OF(X509) *already_checked2,
-                           const OSSL_CMP_MSG *msg)
-{
-    X509_STORE *ts = ctx->trusted;
-    int self_issued = X509_check_issued(cert, cert) == X509_V_OK;
-    char *str;
-    X509_VERIFY_PARAM *vpm = ts != NULL ? X509_STORE_get0_param(ts) : NULL;
-    int time_cmp;
-
-    ossl_cmp_log3(INFO, ctx, " considering %s%s %s with..",
-                  self_issued ? "self-issued ": "", desc1, desc2);
-    if ((str = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)) != NULL)
-        ossl_cmp_log1(INFO, ctx, "  subject = %s", str);
-    OPENSSL_free(str);
-    if (!self_issued) {
-        str = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
-        if (str != NULL)
-            ossl_cmp_log1(INFO, ctx, "  issuer  = %s", str);
-        OPENSSL_free(str);
-    }
-
-    if (already_checked(cert, already_checked1)
-            || already_checked(cert, already_checked2)) {
-        ossl_cmp_info(ctx, " cert has already been checked");
-        return 0;
-    }
-
-    time_cmp = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
-                                  X509_get0_notAfter(cert));
-    if (time_cmp != 0) {
-        ossl_cmp_warn(ctx, time_cmp > 0 ? "cert has expired"
-                                        : "cert is not yet valid");
-        return 0;
-    }
-
-    if (!check_name(ctx, 1,
-                    "cert subject", X509_get_subject_name(cert),
-                    "sender field", msg->header->sender->d.directoryName))
-        return 0;
-
-    if (!check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID))
-        return 0;
-    /* prevent misleading error later in case x509v3_cache_extensions() fails */
-    if (!ossl_x509v3_cache_extensions(cert)) {
-        ossl_cmp_warn(ctx, "cert appears to be invalid");
-        return 0;
-    }
-    if (!verify_signature(ctx, msg, cert)) {
-        ossl_cmp_warn(ctx, "msg signature verification failed");
-        return 0;
-    }
-    /* acceptable also if there is no senderKID in msg header */
-    ossl_cmp_info(ctx, " cert seems acceptable");
-    return 1;
-}
-
-static int check_cert_path(const OSSL_CMP_CTX *ctx, X509_STORE *store,
-                           X509 *scrt)
-{
-    if (OSSL_CMP_validate_cert_path(ctx, store, scrt))
-        return 1;
-
-    ossl_cmp_warn(ctx,
-                  "msg signature validates but cert path validation failed");
-    return 0;
-}
-
-/*
- * Exceptional handling for 3GPP TS 33.310 [3G/LTE Network Domain Security
- * (NDS); Authentication Framework (AF)], only to use for IP messages
- * and if the ctx option is explicitly set: use self-issued certificates
- * from extraCerts as trust anchor to validate sender cert -
- * provided it also can validate the newly enrolled certificate
- */
-static int check_cert_path_3gpp(const OSSL_CMP_CTX *ctx,
-                                const OSSL_CMP_MSG *msg, X509 *scrt)
-{
-    int valid = 0;
-    X509_STORE *store;
-
-    if (!ctx->permitTAInExtraCertsForIR)
-        return 0;
-
-    if ((store = X509_STORE_new()) == NULL
-            || !ossl_cmp_X509_STORE_add1_certs(store, msg->extraCerts,
-                                               1 /* self-issued only */))
-        goto err;
-
-    /* store does not include CRLs */
-    valid = OSSL_CMP_validate_cert_path(ctx, store, scrt);
-    if (!valid) {
-        ossl_cmp_warn(ctx,
-                      "also exceptional 3GPP mode cert path validation failed");
-    } else {
-        /*
-         * verify that the newly enrolled certificate (which assumed rid ==
-         * OSSL_CMP_CERTREQID) can also be validated with the same trusted store
-         */
-        EVP_PKEY *pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
-        OSSL_CMP_CERTRESPONSE *crep =
-            ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip,
-                                                      OSSL_CMP_CERTREQID);
-        X509 *newcrt = ossl_cmp_certresponse_get1_cert(crep, ctx, pkey);
-        /*
-         * maybe better use get_cert_status() from cmp_client.c, which catches
-         * errors
-         */
-        valid = OSSL_CMP_validate_cert_path(ctx, store, newcrt);
-        X509_free(newcrt);
-    }
-
- err:
-    X509_STORE_free(store);
-    return valid;
-}
-
-static int check_msg_given_cert(const OSSL_CMP_CTX *ctx, X509 *cert,
-                                const OSSL_CMP_MSG *msg)
-{
-    return cert_acceptable(ctx, "previously validated", "sender cert",
-                           cert, NULL, NULL, msg)
-        && (check_cert_path(ctx, ctx->trusted, cert)
-            || check_cert_path_3gpp(ctx, msg, cert));
-}
-
-/*-
- * Try all certs in given list for verifying msg, normally or in 3GPP mode.
- * If already_checked1 == NULL then certs are assumed to be the msg->extraCerts.
- * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
- */
-static int check_msg_with_certs(OSSL_CMP_CTX *ctx, const STACK_OF(X509) *certs,
-                                const char *desc,
-                                const STACK_OF(X509) *already_checked1,
-                                const STACK_OF(X509) *already_checked2,
-                                const OSSL_CMP_MSG *msg, int mode_3gpp)
-{
-    int in_extraCerts = already_checked1 == NULL;
-    int n_acceptable_certs = 0;
-    int i;
-
-    if (sk_X509_num(certs) <= 0) {
-        ossl_cmp_log1(WARN, ctx, "no %s", desc);
-        return 0;
-    }
-
-    for (i = 0; i < sk_X509_num(certs); i++) { /* certs may be NULL */
-        X509 *cert = sk_X509_value(certs, i);
-
-        if (!ossl_assert(cert != NULL))
-            return 0;
-        if (!cert_acceptable(ctx, "cert from", desc, cert,
-                             already_checked1, already_checked2, msg))
-            continue;
-        n_acceptable_certs++;
-        if (mode_3gpp ? check_cert_path_3gpp(ctx, msg, cert)
-                      : check_cert_path(ctx, ctx->trusted, cert)) {
-            /* store successful sender cert for further msgs in transaction */
-            if (!X509_up_ref(cert))
-                return 0;
-            if (!ossl_cmp_ctx_set0_validatedSrvCert(ctx, cert)) {
-                X509_free(cert);
-                return 0;
-            }
-            return 1;
-        }
-    }
-    if (in_extraCerts && n_acceptable_certs == 0)
-        ossl_cmp_warn(ctx, "no acceptable cert in extraCerts");
-    return 0;
-}
-
-/*-
- * Verify msg trying first ctx->untrusted, which should include extraCerts
- * at its front, then trying the trusted certs in truststore (if any) of ctx.
- * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
- */
-static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
-                               int mode_3gpp)
-{
-    int ret = 0;
-
-    if (mode_3gpp
-            && ((!ctx->permitTAInExtraCertsForIR
-                     || OSSL_CMP_MSG_get_bodytype(msg) != OSSL_CMP_PKIBODY_IP)))
-        return 0;
-
-    ossl_cmp_info(ctx,
-                  mode_3gpp ? "normal mode failed; trying now 3GPP mode trusting extraCerts"
-                            : "trying first normal mode using trust store");
-    if (check_msg_with_certs(ctx, msg->extraCerts, "extraCerts",
-                             NULL, NULL, msg, mode_3gpp))
-        return 1;
-    if (check_msg_with_certs(ctx, ctx->untrusted, "untrusted certs",
-                             msg->extraCerts, NULL, msg, mode_3gpp))
-        return 1;
-
-    if (ctx->trusted == NULL) {
-        ossl_cmp_warn(ctx, mode_3gpp ? "no self-issued extraCerts"
-                                     : "no trusted store");
-    } else {
-        STACK_OF(X509) *trusted = X509_STORE_get1_all_certs(ctx->trusted);
-        ret = check_msg_with_certs(ctx, trusted,
-                                   mode_3gpp ? "self-issued extraCerts"
-                                             : "certs in trusted store",
-                                   msg->extraCerts, ctx->untrusted,
-                                   msg, mode_3gpp);
-        sk_X509_pop_free(trusted, X509_free);
-    }
-    return ret;
-}
-
-static int no_log_cb(const char *func, const char *file, int line,
-                     OSSL_CMP_severity level, const char *msg)
-{
-    return 1;
-}
-
-/*-
- * Verify message signature with any acceptable and valid candidate cert.
- * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
- */
-static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
-{
-    X509 *scrt = ctx->validatedSrvCert; /* previous successful sender cert */
-    GENERAL_NAME *sender = msg->header->sender;
-    char *sname = NULL;
-    char *skid_str = NULL;
-    const ASN1_OCTET_STRING *skid = msg->header->senderKID;
-    OSSL_CMP_log_cb_t backup_log_cb = ctx->log_cb;
-    int res = 0;
-
-    if (sender == NULL || msg->body == NULL)
-        return 0; /* other NULL cases already have been checked */
-    if (sender->type != GEN_DIRNAME) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
-        return 0;
-    }
-
-    /* dump any hitherto errors to avoid confusion when printing further ones */
-    OSSL_CMP_CTX_print_errors(ctx);
-
-    /* enable clearing irrelevant errors in attempts to validate sender certs */
-    (void)ERR_set_mark();
-    ctx->log_cb = no_log_cb; /* temporarily disable logging */
-
-    /*
-     * try first cached scrt, used successfully earlier in same transaction,
-     * for validating this and any further msgs where extraCerts may be left out
-     */
-    if (scrt != NULL) {
-        if (check_msg_given_cert(ctx, scrt, msg)) {
-            ctx->log_cb = backup_log_cb;
-            (void)ERR_pop_to_mark();
-            return 1;
-        }
-        /* cached sender cert has shown to be no more successfully usable */
-        (void)ossl_cmp_ctx_set0_validatedSrvCert(ctx, NULL);
-        /* re-do the above check (just) for adding diagnostic information */
-        ossl_cmp_info(ctx,
-                      "trying to verify msg signature with previously validated cert");
-        (void)check_msg_given_cert(ctx, scrt, msg);
-    }
-
-    res = check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */)
-            || check_msg_all_certs(ctx, msg, 1 /* 3gpp */);
-    ctx->log_cb = backup_log_cb;
-    if (res) {
-        /* discard any diagnostic information on trying to use certs */
-        (void)ERR_pop_to_mark();
-        goto end;
-    }
-    /* failed finding a sender cert that verifies the message signature */
-    (void)ERR_clear_last_mark();
-
-    sname = X509_NAME_oneline(sender->d.directoryName, NULL, 0);
-    skid_str = skid == NULL ? NULL
-                            : OPENSSL_buf2hexstr(skid->data, skid->length);
-    if (ctx->log_cb != NULL) {
-        ossl_cmp_info(ctx, "trying to verify msg signature with a valid cert that..");
-        if (sname != NULL)
-            ossl_cmp_log1(INFO, ctx, "matches msg sender    = %s", sname);
-        if (skid_str != NULL)
-            ossl_cmp_log1(INFO, ctx, "matches msg senderKID = %s", skid_str);
-        else
-            ossl_cmp_info(ctx, "while msg header does not contain senderKID");
-        /* re-do the above checks (just) for adding diagnostic information */
-        (void)check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */);
-        (void)check_msg_all_certs(ctx, msg, 1 /* 3gpp */);
-    }
-
-    ERR_raise(ERR_LIB_CMP, CMP_R_NO_SUITABLE_SENDER_CERT);
-    if (sname != NULL) {
-        ERR_add_error_txt(NULL, "for msg sender name = ");
-        ERR_add_error_txt(NULL, sname);
-    }
-    if (skid_str != NULL) {
-        ERR_add_error_txt(" and ", "for msg senderKID = ");
-        ERR_add_error_txt(NULL, skid_str);
-    }
-
- end:
-    OPENSSL_free(sname);
-    OPENSSL_free(skid_str);
-    return res;
-}
-
-/*-
- * Validate the protection of the given PKIMessage using either password-
- * based mac (PBM) or a signature algorithm. In the case of signature algorithm,
- * the sender certificate can have been pinned by providing it in ctx->srvCert,
- * else it is searched in msg->extraCerts, ctx->untrusted, in ctx->trusted
- * (in this order) and is path is validated against ctx->trusted.
- * On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
- *
- * If ctx->permitTAInExtraCertsForIR is true and when validating a CMP IP msg,
- * the trust anchor for validating the IP msg may be taken from msg->extraCerts
- * if a self-issued certificate is found there that can be used to
- * validate the enrolled certificate returned in the IP.
- * This is according to the need given in 3GPP TS 33.310.
- *
- * Returns 1 on success, 0 on error or validation failed.
- */
-int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
-{
-    X509 *scrt;
-
-    ossl_cmp_debug(ctx, "validating CMP message");
-    if (ctx == NULL || msg == NULL
-            || msg->header == NULL || msg->body == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (msg->header->protectionAlg == NULL /* unprotected message */
-            || msg->protection == NULL || msg->protection->data == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PROTECTION);
-        return 0;
-    }
-
-    switch (ossl_cmp_hdr_get_protection_nid(msg->header)) {
-        /* 5.1.3.1.  Shared Secret Information */
-    case NID_id_PasswordBasedMAC:
-        if (ctx->secretValue == NULL) {
-            ossl_cmp_info(ctx, "no secret available for verifying PBM-based CMP message protection");
-            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_SECRET);
-            return 0;
-        }
-        if (verify_PBMAC(ctx, msg)) {
-            /*
-             * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
-             * "shared secret information", then any certificate transported in
-             * the caPubs field may be directly trusted as a root CA
-             * certificate by the initiator.'
-             */
-            switch (OSSL_CMP_MSG_get_bodytype(msg)) {
-            case -1:
-                return 0;
-            case OSSL_CMP_PKIBODY_IP:
-            case OSSL_CMP_PKIBODY_CP:
-            case OSSL_CMP_PKIBODY_KUP:
-            case OSSL_CMP_PKIBODY_CCP:
-                if (ctx->trusted != NULL) {
-                    STACK_OF(X509) *certs = msg->body->value.ip->caPubs;
-                    /* value.ip is same for cp, kup, and ccp */
-
-                    if (!ossl_cmp_X509_STORE_add1_certs(ctx->trusted, certs, 0))
-                        /* adds both self-issued and not self-issued certs */
-                        return 0;
-                }
-                break;
-            default:
-                break;
-            }
-            ossl_cmp_debug(ctx,
-                           "successfully validated PBM-based CMP message protection");
-            return 1;
-        }
-        ossl_cmp_warn(ctx, "verifying PBM-based CMP message protection failed");
-        break;
-
-        /*
-         * 5.1.3.2 DH Key Pairs
-         * Not yet supported
-         */
-    case NID_id_DHBasedMac:
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC);
-        break;
-
-        /*
-         * 5.1.3.3.  Signature
-         */
-    default:
-        scrt = ctx->srvCert;
-        if (scrt == NULL) {
-            if (ctx->trusted == NULL) {
-                ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
-                ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR);
-                return 0;
-            }
-            if (check_msg_find_cert(ctx, msg))
-                return 1;
-        } else { /* use pinned sender cert */
-            /* use ctx->srvCert for signature check even if not acceptable */
-            if (verify_signature(ctx, msg, scrt)) {
-                ossl_cmp_debug(ctx,
-                               "successfully validated signature-based CMP message protection");
-
-                return 1;
-            }
-            ossl_cmp_warn(ctx, "CMP message signature verification failed");
-            ERR_raise(ERR_LIB_CMP, CMP_R_SRVCERT_DOES_NOT_VALIDATE_MSG);
-        }
-        break;
-    }
-    return 0;
-}
-
-
-/*-
- * Check received message (i.e., response by server or request from client)
- * Any msg->extraCerts are prepended to ctx->untrusted.
- *
- * Ensures that:
- * its sender is of appropriate type (currently only X509_NAME) and
- *     matches any expected sender or srvCert subject given in the ctx
- * it has a valid body type
- * its protection is valid (or invalid/absent, but only if a callback function
- *     is present and yields a positive result using also the supplied argument)
- * its transaction ID matches the previous transaction ID stored in ctx (if any)
- * its recipNonce matches the previous senderNonce stored in the ctx (if any)
- *
- * If everything is fine:
- * learns the senderNonce from the received message,
- * learns the transaction ID if it is not yet in ctx,
- * and makes any certs in caPubs directly trusted.
- *
- * Returns 1 on success, 0 on error.
- */
-int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
-                              ossl_cmp_allow_unprotected_cb_t cb, int cb_arg)
-{
-    OSSL_CMP_PKIHEADER *hdr;
-    const X509_NAME *expected_sender;
-
-    if (!ossl_assert(ctx != NULL && msg != NULL && msg->header != NULL))
-        return 0;
-    hdr = OSSL_CMP_MSG_get0_header(msg);
-
-    /* validate sender name of received msg */
-    if (hdr->sender->type != GEN_DIRNAME) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
-        return 0;
-    }
-    /*
-     * Compare actual sender name of response with expected sender name.
-     * Mitigates risk to accept misused PBM secret
-     * or misused certificate of an unauthorized entity of a trusted hierarchy.
-     */
-    expected_sender = ctx->expected_sender;
-    if (expected_sender == NULL && ctx->srvCert != NULL)
-        expected_sender = X509_get_subject_name(ctx->srvCert);
-    if (!check_name(ctx, 0, "sender DN field", hdr->sender->d.directoryName,
-                    "expected sender", expected_sender))
-        return 0;
-    /* Note: if recipient was NULL-DN it could be learned here if needed */
-
-    if (sk_X509_num(msg->extraCerts) > 10)
-        ossl_cmp_warn(ctx,
-                      "received CMP message contains more than 10 extraCerts");
-    /*
-     * Store any provided extraCerts in ctx for use in OSSL_CMP_validate_msg()
-     * and for future use, such that they are available to ctx->certConf_cb and
-     * the peer does not need to send them again in the same transaction.
-     * Note that it does not help validating the message before storing the
-     * extraCerts because they do not belong to the protected msg part anyway.
-     * For efficiency, the extraCerts are prepended so they get used first.
-     */
-    if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
-                        /* this allows self-signed certs */
-                        X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
-                        | X509_ADD_FLAG_PREPEND))
-        return 0;
-
-    /* validate message protection */
-    if (hdr->protectionAlg != NULL) {
-        /* detect explicitly permitted exceptions for invalid protection */
-        if (!OSSL_CMP_validate_msg(ctx, msg)
-                && (cb == NULL || (*cb)(ctx, msg, 1, cb_arg) <= 0)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-            ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_VALIDATING_PROTECTION);
-            return 0;
-#endif
-        }
-    } else {
-        /* detect explicitly permitted exceptions for missing protection */
-        if (cb == NULL || (*cb)(ctx, msg, 0, cb_arg) <= 0) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PROTECTION);
-            return 0;
-#endif
-        }
-    }
-
-    /* check CMP version number in header */
-    if (ossl_cmp_hdr_get_pvno(hdr) != OSSL_CMP_PVNO) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-        ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PVNO);
-        return 0;
-#endif
-    }
-
-    if (OSSL_CMP_MSG_get_bodytype(msg) < 0) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-        ERR_raise(ERR_LIB_CMP, CMP_R_PKIBODY_ERROR);
-        return 0;
-#endif
-    }
-
-    /* compare received transactionID with the expected one in previous msg */
-    if (ctx->transactionID != NULL
-            && (hdr->transactionID == NULL
-                || ASN1_OCTET_STRING_cmp(ctx->transactionID,
-                                         hdr->transactionID) != 0)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-        ERR_raise(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED);
-        return 0;
-#endif
-    }
-
-    /* compare received nonce with the one we sent */
-    if (ctx->senderNonce != NULL
-            && (msg->header->recipNonce == NULL
-                || ASN1_OCTET_STRING_cmp(ctx->senderNonce,
-                                         hdr->recipNonce) != 0)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-        ERR_raise(ERR_LIB_CMP, CMP_R_RECIPNONCE_UNMATCHED);
-        return 0;
-#endif
-    }
-
-    /*
-     * RFC 4210 section 5.1.1 states: the recipNonce is copied from
-     * the senderNonce of the previous message in the transaction.
-     * --> Store for setting in next message
-     */
-    if (!ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce))
-        return 0;
-
-    /* if not yet present, learn transactionID */
-    if (ctx->transactionID == NULL
-        && !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID))
-        return -1;
-
-    /*
-     * Store any provided extraCerts in ctx for future use,
-     * such that they are available to ctx->certConf_cb and
-     * the peer does not need to send them again in the same transaction.
-     * For efficiency, the extraCerts are prepended so they get used first.
-     */
-    if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
-                        /* this allows self-signed certs */
-                        X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
-                        | X509_ADD_FLAG_PREPEND))
-        return -1;
-
-    if (ossl_cmp_hdr_get_protection_nid(hdr) == NID_id_PasswordBasedMAC) {
-        /*
-         * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
-         * "shared secret information", then any certificate transported in
-         * the caPubs field may be directly trusted as a root CA
-         * certificate by the initiator.'
-         */
-        switch (OSSL_CMP_MSG_get_bodytype(msg)) {
-        case OSSL_CMP_PKIBODY_IP:
-        case OSSL_CMP_PKIBODY_CP:
-        case OSSL_CMP_PKIBODY_KUP:
-        case OSSL_CMP_PKIBODY_CCP:
-            if (ctx->trusted != NULL) {
-                STACK_OF(X509) *certs = msg->body->value.ip->caPubs;
-                /* value.ip is same for cp, kup, and ccp */
-
-                if (!ossl_cmp_X509_STORE_add1_certs(ctx->trusted, certs, 0))
-                    /* adds both self-issued and not self-issued certs */
-                    return 0;
-            }
-            break;
-        default:
-            break;
-        }
-    }
-    return 1;
-}
-
-int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx,
-                         const OSSL_CMP_MSG *msg, int acceptRAVerified)
-{
-    if (!ossl_assert(msg != NULL && msg->body != NULL))
-        return 0;
-    switch (msg->body->type) {
-    case OSSL_CMP_PKIBODY_P10CR:
-        {
-            X509_REQ *req = msg->body->value.p10cr;
-
-            if (X509_REQ_verify_ex(req, X509_REQ_get0_pubkey(req), ctx->libctx,
-                                   ctx->propq) <= 0) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-                ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED);
-                return 0;
-#endif
-            }
-        }
-        break;
-    case OSSL_CMP_PKIBODY_IR:
-    case OSSL_CMP_PKIBODY_CR:
-    case OSSL_CMP_PKIBODY_KUR:
-        if (!OSSL_CRMF_MSGS_verify_popo(msg->body->value.ir, OSSL_CMP_CERTREQID,
-                                        acceptRAVerified,
-                                        ctx->libctx, ctx->propq)) {
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-            return 0;
-#endif
-        }
-        break;
-    default:
-        ERR_raise(ERR_LIB_CMP, CMP_R_PKIBODY_ERROR);
-        return 0;
-    }
-    return 1;
-}

+ 0 - 343
libs/openssl/crypto/cms/cms_dh.c

@@ -1,343 +0,0 @@
-/*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <assert.h>
-#include <openssl/cms.h>
-#include <openssl/dh.h>
-#include <openssl/err.h>
-#include <openssl/core_names.h>
-#include "internal/sizes.h"
-#include "crypto/evp.h"
-#include "cms_local.h"
-
-static int dh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
-                              X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
-{
-    const ASN1_OBJECT *aoid;
-    int atype;
-    const void *aval;
-    ASN1_INTEGER *public_key = NULL;
-    int rv = 0;
-    EVP_PKEY *pkpeer = NULL, *pk = NULL;
-    BIGNUM *bnpub = NULL;
-    const unsigned char *p;
-    unsigned char *buf = NULL;
-    int plen;
-
-    X509_ALGOR_get0(&aoid, &atype, &aval, alg);
-    if (OBJ_obj2nid(aoid) != NID_dhpublicnumber)
-        goto err;
-    /* Only absent parameters allowed in RFC XXXX */
-    if (atype != V_ASN1_UNDEF && atype == V_ASN1_NULL)
-        goto err;
-
-    pk = EVP_PKEY_CTX_get0_pkey(pctx);
-    if (pk == NULL || !EVP_PKEY_is_a(pk, "DHX"))
-        goto err;
-
-    /* Get public key */
-    plen = ASN1_STRING_length(pubkey);
-    p = ASN1_STRING_get0_data(pubkey);
-    if (p == NULL || plen == 0)
-        goto err;
-
-    if ((public_key = d2i_ASN1_INTEGER(NULL, &p, plen)) == NULL)
-        goto err;
-    /*
-     * Pad to full p parameter size as that is checked by
-     * EVP_PKEY_set1_encoded_public_key()
-     */
-    plen = EVP_PKEY_get_size(pk);
-    if ((bnpub = ASN1_INTEGER_to_BN(public_key, NULL)) == NULL)
-        goto err;
-    if ((buf = OPENSSL_malloc(plen)) == NULL)
-        goto err;
-    if (BN_bn2binpad(bnpub, buf, plen) < 0)
-        goto err;
-
-    pkpeer = EVP_PKEY_new();
-    if (pkpeer == NULL
-            || !EVP_PKEY_copy_parameters(pkpeer, pk)
-            || !EVP_PKEY_set1_encoded_public_key(pkpeer, buf, plen))
-        goto err;
-
-    if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
-        rv = 1;
- err:
-    ASN1_INTEGER_free(public_key);
-    BN_free(bnpub);
-    OPENSSL_free(buf);
-    EVP_PKEY_free(pkpeer);
-    return rv;
-}
-
-static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
-{
-    int rv = 0;
-    X509_ALGOR *alg, *kekalg = NULL;
-    ASN1_OCTET_STRING *ukm;
-    const unsigned char *p;
-    unsigned char *dukm = NULL;
-    size_t dukmlen = 0;
-    int keylen, plen;
-    EVP_CIPHER *kekcipher = NULL;
-    EVP_CIPHER_CTX *kekctx;
-    char name[OSSL_MAX_NAME_SIZE];
-
-    if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
-        goto err;
-
-    /*
-     * For DH we only have one OID permissible. If ever any more get defined
-     * we will need something cleverer.
-     */
-    if (OBJ_obj2nid(alg->algorithm) != NID_id_smime_alg_ESDH) {
-        ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
-        goto err;
-    }
-
-    if (EVP_PKEY_CTX_set_dh_kdf_type(pctx, EVP_PKEY_DH_KDF_X9_42) <= 0
-            || EVP_PKEY_CTX_set_dh_kdf_md(pctx, EVP_sha1()) <= 0)
-        goto err;
-
-    if (alg->parameter->type != V_ASN1_SEQUENCE)
-        goto err;
-
-    p = alg->parameter->value.sequence->data;
-    plen = alg->parameter->value.sequence->length;
-    kekalg = d2i_X509_ALGOR(NULL, &p, plen);
-    if (kekalg == NULL)
-        goto err;
-    kekctx = CMS_RecipientInfo_kari_get0_ctx(ri);
-    if (kekctx == NULL)
-        goto err;
-
-    if (OBJ_obj2txt(name, sizeof(name), kekalg->algorithm, 0) <= 0)
-        goto err;
-
-    kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
-    if (kekcipher == NULL 
-        || EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
-        goto err;
-    if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
-        goto err;
-    if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0)
-        goto err;
-
-    keylen = EVP_CIPHER_CTX_get_key_length(kekctx);
-    if (EVP_PKEY_CTX_set_dh_kdf_outlen(pctx, keylen) <= 0)
-        goto err;
-    /* Use OBJ_nid2obj to ensure we use built in OID that isn't freed */
-    if (EVP_PKEY_CTX_set0_dh_kdf_oid(pctx,
-                                     OBJ_nid2obj(EVP_CIPHER_get_type(kekcipher)))
-        <= 0)
-        goto err;
-
-    if (ukm != NULL) {
-        dukmlen = ASN1_STRING_length(ukm);
-        dukm = OPENSSL_memdup(ASN1_STRING_get0_data(ukm), dukmlen);
-        if (dukm == NULL)
-            goto err;
-    }
-
-    if (EVP_PKEY_CTX_set0_dh_kdf_ukm(pctx, dukm, dukmlen) <= 0)
-        goto err;
-    dukm = NULL;
-
-    rv = 1;
- err:
-    X509_ALGOR_free(kekalg);
-    EVP_CIPHER_free(kekcipher);
-    OPENSSL_free(dukm);
-    return rv;
-}
-
-static int dh_cms_decrypt(CMS_RecipientInfo *ri)
-{
-    EVP_PKEY_CTX *pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-
-    if (pctx == NULL)
-        return 0;
-    /* See if we need to set peer key */
-    if (!EVP_PKEY_CTX_get0_peerkey(pctx)) {
-        X509_ALGOR *alg;
-        ASN1_BIT_STRING *pubkey;
-
-        if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey,
-                                                 NULL, NULL, NULL))
-            return 0;
-        if (alg ==  NULL || pubkey == NULL)
-            return 0;
-        if (!dh_cms_set_peerkey(pctx, alg, pubkey)) {
-            ERR_raise(ERR_LIB_CMS, CMS_R_PEER_KEY_ERROR);
-            return 0;
-        }
-    }
-    /* Set DH derivation parameters and initialise unwrap context */
-    if (!dh_cms_set_shared_info(pctx, ri)) {
-        ERR_raise(ERR_LIB_CMS, CMS_R_SHARED_INFO_ERROR);
-        return 0;
-    }
-    return 1;
-}
-
-static int dh_cms_encrypt(CMS_RecipientInfo *ri)
-{
-    EVP_PKEY_CTX *pctx;
-    EVP_PKEY *pkey;
-    EVP_CIPHER_CTX *ctx;
-    int keylen;
-    X509_ALGOR *talg, *wrap_alg = NULL;
-    const ASN1_OBJECT *aoid;
-    ASN1_BIT_STRING *pubkey;
-    ASN1_STRING *wrap_str;
-    ASN1_OCTET_STRING *ukm;
-    unsigned char *penc = NULL, *dukm = NULL;
-    int penclen;
-    size_t dukmlen = 0;
-    int rv = 0;
-    int kdf_type, wrap_nid;
-    const EVP_MD *kdf_md;
-
-    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-    if (pctx == NULL)
-        return 0;
-    /* Get ephemeral key */
-    pkey = EVP_PKEY_CTX_get0_pkey(pctx);
-    if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey,
-                                             NULL, NULL, NULL))
-        goto err;
-
-    /* Is everything uninitialised? */
-    X509_ALGOR_get0(&aoid, NULL, NULL, talg);
-    if (aoid == OBJ_nid2obj(NID_undef)) {
-        BIGNUM *bn_pub_key = NULL;
-        ASN1_INTEGER *pubk;
-
-        if (!EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &bn_pub_key))
-            goto err;
-
-        pubk = BN_to_ASN1_INTEGER(bn_pub_key, NULL);
-        BN_free(bn_pub_key);
-        if (pubk == NULL)
-            goto err;
-
-        /* Set the key */
-        penclen = i2d_ASN1_INTEGER(pubk, &penc);
-        ASN1_INTEGER_free(pubk);
-        if (penclen <= 0)
-            goto err;
-        ASN1_STRING_set0(pubkey, penc, penclen);
-        pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
-        pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
-
-        penc = NULL;
-        X509_ALGOR_set0(talg, OBJ_nid2obj(NID_dhpublicnumber),
-                        V_ASN1_UNDEF, NULL);
-    }
-
-    /* See if custom parameters set */
-    kdf_type = EVP_PKEY_CTX_get_dh_kdf_type(pctx);
-    if (kdf_type <= 0 || EVP_PKEY_CTX_get_dh_kdf_md(pctx, &kdf_md) <= 0)
-        goto err;
-
-    if (kdf_type == EVP_PKEY_DH_KDF_NONE) {
-        kdf_type = EVP_PKEY_DH_KDF_X9_42;
-        if (EVP_PKEY_CTX_set_dh_kdf_type(pctx, kdf_type) <= 0)
-            goto err;
-    } else if (kdf_type != EVP_PKEY_DH_KDF_X9_42)
-        /* Unknown KDF */
-        goto err;
-    if (kdf_md == NULL) {
-        /* Only SHA1 supported */
-        kdf_md = EVP_sha1();
-        if (EVP_PKEY_CTX_set_dh_kdf_md(pctx, kdf_md) <= 0)
-            goto err;
-    } else if (EVP_MD_get_type(kdf_md) != NID_sha1)
-        /* Unsupported digest */
-        goto err;
-
-    if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm))
-        goto err;
-
-    /* Get wrap NID */
-    ctx = CMS_RecipientInfo_kari_get0_ctx(ri);
-    wrap_nid = EVP_CIPHER_CTX_get_type(ctx);
-    if (EVP_PKEY_CTX_set0_dh_kdf_oid(pctx, OBJ_nid2obj(wrap_nid)) <= 0)
-        goto err;
-    keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-
-    /* Package wrap algorithm in an AlgorithmIdentifier */
-
-    wrap_alg = X509_ALGOR_new();
-    if (wrap_alg == NULL)
-        goto err;
-    wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
-    wrap_alg->parameter = ASN1_TYPE_new();
-    if (wrap_alg->parameter == NULL)
-        goto err;
-    if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
-        goto err;
-    if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) {
-        ASN1_TYPE_free(wrap_alg->parameter);
-        wrap_alg->parameter = NULL;
-    }
-
-    if (EVP_PKEY_CTX_set_dh_kdf_outlen(pctx, keylen) <= 0)
-        goto err;
-
-    if (ukm != NULL) {
-        dukmlen = ASN1_STRING_length(ukm);
-        dukm = OPENSSL_memdup(ASN1_STRING_get0_data(ukm), dukmlen);
-        if (dukm == NULL)
-            goto err;
-    }
-
-    if (EVP_PKEY_CTX_set0_dh_kdf_ukm(pctx, dukm, dukmlen) <= 0)
-        goto err;
-    dukm = NULL;
-
-    /*
-     * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
-     * of another AlgorithmIdentifier.
-     */
-    penc = NULL;
-    penclen = i2d_X509_ALGOR(wrap_alg, &penc);
-    if (penc == NULL || penclen == 0)
-        goto err;
-    wrap_str = ASN1_STRING_new();
-    if (wrap_str == NULL)
-        goto err;
-    ASN1_STRING_set0(wrap_str, penc, penclen);
-    penc = NULL;
-    X509_ALGOR_set0(talg, OBJ_nid2obj(NID_id_smime_alg_ESDH),
-                    V_ASN1_SEQUENCE, wrap_str);
-
-    rv = 1;
-
- err:
-    OPENSSL_free(penc);
-    X509_ALGOR_free(wrap_alg);
-    OPENSSL_free(dukm);
-    return rv;
-}
-
-int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt)
-{
-    assert(decrypt == 0 || decrypt == 1);
-
-    if (decrypt == 1)
-        return dh_cms_decrypt(ri);
-
-    if (decrypt == 0)
-        return dh_cms_encrypt(ri);
-
-    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
-    return 0;
-}

+ 0 - 390
libs/openssl/crypto/cms/cms_ec.c

@@ -1,390 +0,0 @@
-/*
- * Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <assert.h>
-#include <openssl/cms.h>
-#include <openssl/err.h>
-#include <openssl/decoder.h>
-#include "internal/sizes.h"
-#include "crypto/evp.h"
-#include "cms_local.h"
-
-static EVP_PKEY *pkey_type2param(int ptype, const void *pval,
-                                 OSSL_LIB_CTX *libctx, const char *propq)
-{
-    EVP_PKEY *pkey = NULL;
-    EVP_PKEY_CTX *pctx = NULL;
-    OSSL_DECODER_CTX *ctx = NULL;
-
-    if (ptype == V_ASN1_SEQUENCE) {
-        const ASN1_STRING *pstr = pval;
-        const unsigned char *pm = pstr->data;
-        size_t pmlen = (size_t)pstr->length;
-        int selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
-
-        ctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "DER", NULL, "EC",
-                                            selection, libctx, propq);
-        if (ctx == NULL)
-            goto err;
-
-        if (!OSSL_DECODER_from_data(ctx, &pm, &pmlen)) {
-            ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
-            goto err;
-        }
-        OSSL_DECODER_CTX_free(ctx);
-        return pkey;
-    } else if (ptype == V_ASN1_OBJECT) {
-        const ASN1_OBJECT *poid = pval;
-        char groupname[OSSL_MAX_NAME_SIZE];
-
-        /* type == V_ASN1_OBJECT => the parameters are given by an asn1 OID */
-        pctx = EVP_PKEY_CTX_new_from_name(libctx, "EC", propq);
-        if (pctx == NULL || EVP_PKEY_paramgen_init(pctx) <= 0)
-            goto err;
-        if (OBJ_obj2txt(groupname, sizeof(groupname), poid, 0) <= 0
-                || EVP_PKEY_CTX_set_group_name(pctx, groupname) <= 0) {
-            ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
-            goto err;
-        }
-        if (EVP_PKEY_paramgen(pctx, &pkey) <= 0)
-            goto err;
-        EVP_PKEY_CTX_free(pctx);
-        return pkey;
-    }
-
-    ERR_raise(ERR_LIB_CMS, CMS_R_DECODE_ERROR);
-    return NULL;
-
- err:
-    EVP_PKEY_free(pkey);
-    EVP_PKEY_CTX_free(pctx);
-    OSSL_DECODER_CTX_free(ctx);
-    return NULL;
-}
-
-static int ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx,
-                                X509_ALGOR *alg, ASN1_BIT_STRING *pubkey)
-{
-    const ASN1_OBJECT *aoid;
-    int atype;
-    const void *aval;
-    int rv = 0;
-    EVP_PKEY *pkpeer = NULL;
-    const unsigned char *p;
-    int plen;
-
-    X509_ALGOR_get0(&aoid, &atype, &aval, alg);
-    if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey)
-        goto err;
-
-    /* If absent parameters get group from main key */
-    if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) {
-        EVP_PKEY *pk;
-
-        pk = EVP_PKEY_CTX_get0_pkey(pctx);
-        if (pk == NULL)
-            goto err;
-
-        pkpeer = EVP_PKEY_new();
-        if (pkpeer == NULL)
-            goto err;
-        if (!EVP_PKEY_copy_parameters(pkpeer, pk))
-            goto err;
-    } else {
-        pkpeer = pkey_type2param(atype, aval,
-                                 EVP_PKEY_CTX_get0_libctx(pctx),
-                                 EVP_PKEY_CTX_get0_propq(pctx));
-        if (pkpeer == NULL)
-            goto err;
-    }
-    /* We have parameters now set public key */
-    plen = ASN1_STRING_length(pubkey);
-    p = ASN1_STRING_get0_data(pubkey);
-    if (p == NULL || plen == 0)
-        goto err;
-
-    if (!EVP_PKEY_set1_encoded_public_key(pkpeer, p, plen))
-        goto err;
-
-    if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0)
-        rv = 1;
- err:
-    EVP_PKEY_free(pkpeer);
-    return rv;
-}
-
-/* Set KDF parameters based on KDF NID */
-static int ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid)
-{
-    int kdf_nid, kdfmd_nid, cofactor;
-    const EVP_MD *kdf_md;
-
-    if (eckdf_nid == NID_undef)
-        return 0;
-
-    /* Lookup KDF type, cofactor mode and digest */
-    if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid))
-        return 0;
-
-    if (kdf_nid == NID_dh_std_kdf)
-        cofactor = 0;
-    else if (kdf_nid == NID_dh_cofactor_kdf)
-        cofactor = 1;
-    else
-        return 0;
-
-    if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0)
-        return 0;
-
-    if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) <= 0)
-        return 0;
-
-    kdf_md = EVP_get_digestbynid(kdfmd_nid);
-    if (!kdf_md)
-        return 0;
-
-    if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
-        return 0;
-    return 1;
-}
-
-static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
-{
-    int rv = 0;
-    X509_ALGOR *alg, *kekalg = NULL;
-    ASN1_OCTET_STRING *ukm;
-    const unsigned char *p;
-    unsigned char *der = NULL;
-    int plen, keylen;
-    EVP_CIPHER *kekcipher = NULL;
-    EVP_CIPHER_CTX *kekctx;
-    char name[OSSL_MAX_NAME_SIZE];
-
-    if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
-        return 0;
-
-    if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
-        ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
-        return 0;
-    }
-
-    if (alg->parameter->type != V_ASN1_SEQUENCE)
-        return 0;
-
-    p = alg->parameter->value.sequence->data;
-    plen = alg->parameter->value.sequence->length;
-    kekalg = d2i_X509_ALGOR(NULL, &p, plen);
-    if (kekalg == NULL)
-        goto err;
-    kekctx = CMS_RecipientInfo_kari_get0_ctx(ri);
-    if (kekctx == NULL)
-        goto err;
-    OBJ_obj2txt(name, sizeof(name), kekalg->algorithm, 0);
-    kekcipher = EVP_CIPHER_fetch(pctx->libctx, name, pctx->propquery);
-    if (kekcipher == NULL || EVP_CIPHER_get_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
-        goto err;
-    if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL))
-        goto err;
-    if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0)
-        goto err;
-
-    keylen = EVP_CIPHER_CTX_get_key_length(kekctx);
-    if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
-        goto err;
-
-    plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen);
-
-    if (plen <= 0)
-        goto err;
-
-    if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0)
-        goto err;
-    der = NULL;
-
-    rv = 1;
- err:
-    EVP_CIPHER_free(kekcipher);
-    X509_ALGOR_free(kekalg);
-    OPENSSL_free(der);
-    return rv;
-}
-
-static int ecdh_cms_decrypt(CMS_RecipientInfo *ri)
-{
-    EVP_PKEY_CTX *pctx;
-
-    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-    if (pctx == NULL)
-        return 0;
-    /* See if we need to set peer key */
-    if (!EVP_PKEY_CTX_get0_peerkey(pctx)) {
-        X509_ALGOR *alg;
-        ASN1_BIT_STRING *pubkey;
-
-        if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey,
-                                                 NULL, NULL, NULL))
-            return 0;
-        if (alg == NULL || pubkey == NULL)
-            return 0;
-        if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) {
-            ERR_raise(ERR_LIB_CMS, CMS_R_PEER_KEY_ERROR);
-            return 0;
-        }
-    }
-    /* Set ECDH derivation parameters and initialise unwrap context */
-    if (!ecdh_cms_set_shared_info(pctx, ri)) {
-        ERR_raise(ERR_LIB_CMS, CMS_R_SHARED_INFO_ERROR);
-        return 0;
-    }
-    return 1;
-}
-
-static int ecdh_cms_encrypt(CMS_RecipientInfo *ri)
-{
-    EVP_PKEY_CTX *pctx;
-    EVP_PKEY *pkey;
-    EVP_CIPHER_CTX *ctx;
-    int keylen;
-    X509_ALGOR *talg, *wrap_alg = NULL;
-    const ASN1_OBJECT *aoid;
-    ASN1_BIT_STRING *pubkey;
-    ASN1_STRING *wrap_str;
-    ASN1_OCTET_STRING *ukm;
-    unsigned char *penc = NULL;
-    size_t penclen;
-    int rv = 0;
-    int ecdh_nid, kdf_type, kdf_nid, wrap_nid;
-    const EVP_MD *kdf_md;
-
-    pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-    if (pctx == NULL)
-        return 0;
-    /* Get ephemeral key */
-    pkey = EVP_PKEY_CTX_get0_pkey(pctx);
-    if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey,
-                                             NULL, NULL, NULL))
-        goto err;
-    X509_ALGOR_get0(&aoid, NULL, NULL, talg);
-    /* Is everything uninitialised? */
-    if (aoid == OBJ_nid2obj(NID_undef)) {
-        /* Set the key */
-
-        penclen = EVP_PKEY_get1_encoded_public_key(pkey, &penc);
-        ASN1_STRING_set0(pubkey, penc, penclen);
-        pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
-        pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT;
-
-        penc = NULL;
-        X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
-                        V_ASN1_UNDEF, NULL);
-    }
-
-    /* See if custom parameters set */
-    kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx);
-    if (kdf_type <= 0)
-        goto err;
-    if (EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md) <= 0)
-        goto err;
-    ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx);
-    if (ecdh_nid < 0)
-        goto err;
-    else if (ecdh_nid == 0)
-        ecdh_nid = NID_dh_std_kdf;
-    else if (ecdh_nid == 1)
-        ecdh_nid = NID_dh_cofactor_kdf;
-
-    if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) {
-        kdf_type = EVP_PKEY_ECDH_KDF_X9_63;
-        if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0)
-            goto err;
-    } else
-        /* Unknown KDF */
-        goto err;
-    if (kdf_md == NULL) {
-        /* Fixme later for better MD */
-        kdf_md = EVP_sha1();
-        if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0)
-            goto err;
-    }
-
-    if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm))
-        goto err;
-
-    /* Lookup NID for KDF+cofactor+digest */
-
-    if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_get_type(kdf_md), ecdh_nid))
-        goto err;
-    /* Get wrap NID */
-    ctx = CMS_RecipientInfo_kari_get0_ctx(ri);
-    wrap_nid = EVP_CIPHER_CTX_get_type(ctx);
-    keylen = EVP_CIPHER_CTX_get_key_length(ctx);
-
-    /* Package wrap algorithm in an AlgorithmIdentifier */
-
-    wrap_alg = X509_ALGOR_new();
-    if (wrap_alg == NULL)
-        goto err;
-    wrap_alg->algorithm = OBJ_nid2obj(wrap_nid);
-    wrap_alg->parameter = ASN1_TYPE_new();
-    if (wrap_alg->parameter == NULL)
-        goto err;
-    if (EVP_CIPHER_param_to_asn1(ctx, wrap_alg->parameter) <= 0)
-        goto err;
-    if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) {
-        ASN1_TYPE_free(wrap_alg->parameter);
-        wrap_alg->parameter = NULL;
-    }
-
-    if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0)
-        goto err;
-
-    penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen);
-
-    if (penclen <= 0)
-        goto err;
-
-    if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0)
-        goto err;
-    penc = NULL;
-
-    /*
-     * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter
-     * of another AlgorithmIdentifier.
-     */
-    penclen = i2d_X509_ALGOR(wrap_alg, &penc);
-    if (penc == NULL || penclen == 0)
-        goto err;
-    wrap_str = ASN1_STRING_new();
-    if (wrap_str == NULL)
-        goto err;
-    ASN1_STRING_set0(wrap_str, penc, penclen);
-    penc = NULL;
-    X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str);
-
-    rv = 1;
-
- err:
-    OPENSSL_free(penc);
-    X509_ALGOR_free(wrap_alg);
-    return rv;
-}
-
-int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt)
-{
-    assert(decrypt == 0 || decrypt == 1);
-
-    if (decrypt == 1)
-        return ecdh_cms_decrypt(ri);
-
-    if (decrypt == 0)
-        return ecdh_cms_encrypt(ri);
-
-    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
-    return 0;
-}

+ 0 - 264
libs/openssl/crypto/cms/cms_rsa.c

@@ -1,264 +0,0 @@
-/*
- * Copyright 2006-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <assert.h>
-#include <openssl/cms.h>
-#include <openssl/err.h>
-#include <openssl/core_names.h>
-#include "crypto/asn1.h"
-#include "crypto/rsa.h"
-#include "cms_local.h"
-
-static RSA_OAEP_PARAMS *rsa_oaep_decode(const X509_ALGOR *alg)
-{
-    RSA_OAEP_PARAMS *oaep;
-
-    oaep = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(RSA_OAEP_PARAMS),
-                                     alg->parameter);
-
-    if (oaep == NULL)
-        return NULL;
-
-    if (oaep->maskGenFunc != NULL) {
-        oaep->maskHash = ossl_x509_algor_mgf1_decode(oaep->maskGenFunc);
-        if (oaep->maskHash == NULL) {
-            RSA_OAEP_PARAMS_free(oaep);
-            return NULL;
-        }
-    }
-    return oaep;
-}
-
-static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
-{
-    EVP_PKEY_CTX *pkctx;
-    X509_ALGOR *cmsalg;
-    int nid;
-    int rv = -1;
-    unsigned char *label = NULL;
-    int labellen = 0;
-    const EVP_MD *mgf1md = NULL, *md = NULL;
-    RSA_OAEP_PARAMS *oaep;
-
-    pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-    if (pkctx == NULL)
-        return 0;
-    if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg))
-        return -1;
-    nid = OBJ_obj2nid(cmsalg->algorithm);
-    if (nid == NID_rsaEncryption)
-        return 1;
-    if (nid != NID_rsaesOaep) {
-        ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_ENCRYPTION_TYPE);
-        return -1;
-    }
-    /* Decode OAEP parameters */
-    oaep = rsa_oaep_decode(cmsalg);
-
-    if (oaep == NULL) {
-        ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_OAEP_PARAMETERS);
-        goto err;
-    }
-
-    mgf1md = ossl_x509_algor_get_md(oaep->maskHash);
-    if (mgf1md == NULL)
-        goto err;
-    md = ossl_x509_algor_get_md(oaep->hashFunc);
-    if (md == NULL)
-        goto err;
-
-    if (oaep->pSourceFunc != NULL) {
-        X509_ALGOR *plab = oaep->pSourceFunc;
-
-        if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
-            ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_LABEL_SOURCE);
-            goto err;
-        }
-        if (plab->parameter->type != V_ASN1_OCTET_STRING) {
-            ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_LABEL);
-            goto err;
-        }
-
-        label = plab->parameter->value.octet_string->data;
-        /* Stop label being freed when OAEP parameters are freed */
-        plab->parameter->value.octet_string->data = NULL;
-        labellen = plab->parameter->value.octet_string->length;
-    }
-
-    if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
-        goto err;
-    if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0)
-        goto err;
-    if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
-        goto err;
-    if (label != NULL
-            && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0)
-        goto err;
-    /* Carry on */
-    rv = 1;
-
- err:
-    RSA_OAEP_PARAMS_free(oaep);
-    return rv;
-}
-
-static int rsa_cms_encrypt(CMS_RecipientInfo *ri)
-{
-    const EVP_MD *md, *mgf1md;
-    RSA_OAEP_PARAMS *oaep = NULL;
-    ASN1_STRING *os = NULL;
-    X509_ALGOR *alg;
-    EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-    int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen;
-    unsigned char *label;
-
-    if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0)
-        return 0;
-    if (pkctx != NULL) {
-        if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
-            return 0;
-    }
-    if (pad_mode == RSA_PKCS1_PADDING) {
-        X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
-        return 1;
-    }
-    /* Not supported */
-    if (pad_mode != RSA_PKCS1_OAEP_PADDING)
-        return 0;
-    if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0)
-        goto err;
-    if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0)
-        goto err;
-    labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label);
-    if (labellen < 0)
-        goto err;
-    oaep = RSA_OAEP_PARAMS_new();
-    if (oaep == NULL)
-        goto err;
-    if (!ossl_x509_algor_new_from_md(&oaep->hashFunc, md))
-        goto err;
-    if (!ossl_x509_algor_md_to_mgf1(&oaep->maskGenFunc, mgf1md))
-        goto err;
-    if (labellen > 0) {
-        ASN1_OCTET_STRING *los;
-
-        oaep->pSourceFunc = X509_ALGOR_new();
-        if (oaep->pSourceFunc == NULL)
-            goto err;
-        los = ASN1_OCTET_STRING_new();
-        if (los == NULL)
-            goto err;
-        if (!ASN1_OCTET_STRING_set(los, label, labellen)) {
-            ASN1_OCTET_STRING_free(los);
-            goto err;
-        }
-        X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified),
-                        V_ASN1_OCTET_STRING, los);
-    }
-    /* create string with pss parameter encoding. */
-    if (!ASN1_item_pack(oaep, ASN1_ITEM_rptr(RSA_OAEP_PARAMS), &os))
-         goto err;
-    X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os);
-    os = NULL;
-    rv = 1;
- err:
-    RSA_OAEP_PARAMS_free(oaep);
-    ASN1_STRING_free(os);
-    return rv;
-}
-
-int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt)
-{
-    assert(decrypt == 0 || decrypt == 1);
-
-    if (decrypt == 1)
-        return rsa_cms_decrypt(ri);
-
-    if (decrypt == 0)
-        return rsa_cms_encrypt(ri);
-
-    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
-    return 0;
-}
-
-static int rsa_cms_sign(CMS_SignerInfo *si)
-{
-    int pad_mode = RSA_PKCS1_PADDING;
-    X509_ALGOR *alg;
-    EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
-    unsigned char aid[128];
-    const unsigned char *pp = aid;
-    size_t aid_len = 0;
-    OSSL_PARAM params[2];
-
-    CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
-    if (pkctx != NULL) {
-        if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0)
-            return 0;
-    }
-    if (pad_mode == RSA_PKCS1_PADDING) {
-        X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
-        return 1;
-    }
-    /* We don't support it */
-    if (pad_mode != RSA_PKCS1_PSS_PADDING)
-        return 0;
-
-    params[0] = OSSL_PARAM_construct_octet_string(
-        OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid));
-    params[1] = OSSL_PARAM_construct_end();
-
-    if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0)
-        return 0;
-    if ((aid_len = params[0].return_size) == 0)
-        return 0;
-    if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL)
-        return 0;
-    return 1;
-}
-
-static int rsa_cms_verify(CMS_SignerInfo *si)
-{
-    int nid, nid2;
-    X509_ALGOR *alg;
-    EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si);
-    EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(pkctx);
-
-    CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg);
-    nid = OBJ_obj2nid(alg->algorithm);
-    if (nid == EVP_PKEY_RSA_PSS)
-        return ossl_rsa_pss_to_ctx(NULL, pkctx, alg, NULL) > 0;
-    /* Only PSS allowed for PSS keys */
-    if (EVP_PKEY_is_a(pkey, "RSA-PSS")) {
-        ERR_raise(ERR_LIB_RSA, RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
-        return 0;
-    }
-    if (nid == NID_rsaEncryption)
-        return 1;
-    /* Workaround for some implementation that use a signature OID */
-    if (OBJ_find_sigid_algs(nid, NULL, &nid2)) {
-        if (nid2 == NID_rsaEncryption)
-            return 1;
-    }
-    return 0;
-}
-
-int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify)
-{
-    assert(verify == 0 || verify == 1);
-
-    if (verify == 1)
-        return rsa_cms_verify(si);
-
-    if (verify == 0)
-        return rsa_cms_sign(si);
-
-    ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
-    return 0;
-}

+ 0 - 235
libs/openssl/crypto/crmf/crmf_asn.c

@@ -1,235 +0,0 @@
-/*-
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- *
- * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
- */
-
-#include <openssl/asn1t.h>
-
-#include "crmf_local.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/crmf.h>
-
-ASN1_SEQUENCE(OSSL_CRMF_PRIVATEKEYINFO) = {
-    ASN1_SIMPLE(OSSL_CRMF_PRIVATEKEYINFO, version, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CRMF_PRIVATEKEYINFO, privateKeyAlgorithm, X509_ALGOR),
-    ASN1_SIMPLE(OSSL_CRMF_PRIVATEKEYINFO, privateKey, ASN1_OCTET_STRING),
-    ASN1_IMP_SET_OF_OPT(OSSL_CRMF_PRIVATEKEYINFO, attributes, X509_ATTRIBUTE, 0)
-} ASN1_SEQUENCE_END(OSSL_CRMF_PRIVATEKEYINFO)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
-
-
-ASN1_CHOICE(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER) = {
-    ASN1_SIMPLE(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER, value.string, ASN1_UTF8STRING),
-    ASN1_SIMPLE(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER, value.generalName, GENERAL_NAME)
-} ASN1_CHOICE_END(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_ENCKEYWITHID) = {
-    ASN1_SIMPLE(OSSL_CRMF_ENCKEYWITHID, privateKey, OSSL_CRMF_PRIVATEKEYINFO),
-    ASN1_OPT(OSSL_CRMF_ENCKEYWITHID, identifier,
-             OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
-} ASN1_SEQUENCE_END(OSSL_CRMF_ENCKEYWITHID)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_CERTID) = {
-    ASN1_SIMPLE(OSSL_CRMF_CERTID, issuer, GENERAL_NAME),
-    ASN1_SIMPLE(OSSL_CRMF_CERTID, serialNumber, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(OSSL_CRMF_CERTID)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_CERTID)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_ENCRYPTEDVALUE) = {
-    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, intendedAlg, X509_ALGOR, 0),
-    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, symmAlg, X509_ALGOR, 1),
-    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, encSymmKey, ASN1_BIT_STRING, 2),
-    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, keyAlg, X509_ALGOR, 3),
-    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, valueHint, ASN1_OCTET_STRING, 4),
-    ASN1_SIMPLE(OSSL_CRMF_ENCRYPTEDVALUE, encValue, ASN1_BIT_STRING)
-} ASN1_SEQUENCE_END(OSSL_CRMF_ENCRYPTEDVALUE)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
-
-ASN1_SEQUENCE(OSSL_CRMF_SINGLEPUBINFO) = {
-    ASN1_SIMPLE(OSSL_CRMF_SINGLEPUBINFO, pubMethod, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CRMF_SINGLEPUBINFO, pubLocation, GENERAL_NAME)
-} ASN1_SEQUENCE_END(OSSL_CRMF_SINGLEPUBINFO)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_SINGLEPUBINFO)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_PKIPUBLICATIONINFO) = {
-    ASN1_SIMPLE(OSSL_CRMF_PKIPUBLICATIONINFO, action, ASN1_INTEGER),
-    ASN1_SEQUENCE_OF_OPT(OSSL_CRMF_PKIPUBLICATIONINFO, pubInfos,
-                         OSSL_CRMF_SINGLEPUBINFO)
-} ASN1_SEQUENCE_END(OSSL_CRMF_PKIPUBLICATIONINFO)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_PKMACVALUE) = {
-    ASN1_SIMPLE(OSSL_CRMF_PKMACVALUE, algId, X509_ALGOR),
-    ASN1_SIMPLE(OSSL_CRMF_PKMACVALUE, value, ASN1_BIT_STRING)
-} ASN1_SEQUENCE_END(OSSL_CRMF_PKMACVALUE)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
-
-
-ASN1_CHOICE(OSSL_CRMF_POPOPRIVKEY) = {
-    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.thisMessage, ASN1_BIT_STRING, 0),
-    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.subsequentMessage, ASN1_INTEGER, 1),
-    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.dhMAC, ASN1_BIT_STRING, 2),
-    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.agreeMAC, OSSL_CRMF_PKMACVALUE, 3),
-    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.encryptedKey, ASN1_NULL, 4),
-} ASN1_CHOICE_END(OSSL_CRMF_POPOPRIVKEY)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_PBMPARAMETER) = {
-    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, salt, ASN1_OCTET_STRING),
-    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, owf, X509_ALGOR),
-    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, iterationCount, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, mac, X509_ALGOR)
-} ASN1_SEQUENCE_END(OSSL_CRMF_PBMPARAMETER)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER)
-
-
-ASN1_CHOICE(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO) = {
-    ASN1_EXP(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO, value.sender,
-             GENERAL_NAME, 0),
-    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO, value.publicKeyMAC,
-                OSSL_CRMF_PKMACVALUE)
-} ASN1_CHOICE_END(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_POPOSIGNINGKEYINPUT) = {
-    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEYINPUT, authInfo,
-                OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO),
-    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEYINPUT, publicKey, X509_PUBKEY)
-} ASN1_SEQUENCE_END(OSSL_CRMF_POPOSIGNINGKEYINPUT)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_POPOSIGNINGKEY) = {
-    ASN1_IMP_OPT(OSSL_CRMF_POPOSIGNINGKEY, poposkInput,
-                 OSSL_CRMF_POPOSIGNINGKEYINPUT, 0),
-    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEY, algorithmIdentifier, X509_ALGOR),
-    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEY, signature, ASN1_BIT_STRING)
-} ASN1_SEQUENCE_END(OSSL_CRMF_POPOSIGNINGKEY)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
-
-
-ASN1_CHOICE(OSSL_CRMF_POPO) = {
-    ASN1_IMP(OSSL_CRMF_POPO, value.raVerified, ASN1_NULL, 0),
-    ASN1_IMP(OSSL_CRMF_POPO, value.signature, OSSL_CRMF_POPOSIGNINGKEY, 1),
-    ASN1_EXP(OSSL_CRMF_POPO, value.keyEncipherment, OSSL_CRMF_POPOPRIVKEY, 2),
-    ASN1_EXP(OSSL_CRMF_POPO, value.keyAgreement, OSSL_CRMF_POPOPRIVKEY, 3)
-} ASN1_CHOICE_END(OSSL_CRMF_POPO)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
-
-
-ASN1_ADB_TEMPLATE(attributetypeandvalue_default) =
-    ASN1_OPT(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, value.other, ASN1_ANY);
-ASN1_ADB(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) = {
-    ADB_ENTRY(NID_id_regCtrl_regToken,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.regToken, ASN1_UTF8STRING)),
-    ADB_ENTRY(NID_id_regCtrl_authenticator,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.authenticator, ASN1_UTF8STRING)),
-    ADB_ENTRY(NID_id_regCtrl_pkiPublicationInfo,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.pkiPublicationInfo,
-                          OSSL_CRMF_PKIPUBLICATIONINFO)),
-    ADB_ENTRY(NID_id_regCtrl_oldCertID,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.oldCertID, OSSL_CRMF_CERTID)),
-    ADB_ENTRY(NID_id_regCtrl_protocolEncrKey,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.protocolEncrKey, X509_PUBKEY)),
-    ADB_ENTRY(NID_id_regInfo_utf8Pairs,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.utf8Pairs, ASN1_UTF8STRING)),
-    ADB_ENTRY(NID_id_regInfo_certReq,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.certReq, OSSL_CRMF_CERTREQUEST)),
-} ASN1_ADB_END(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, 0, type, 0,
-               &attributetypeandvalue_default_tt, NULL);
-
-
-ASN1_SEQUENCE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) = {
-    ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, type, ASN1_OBJECT),
-    ASN1_ADB_OBJECT(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
-} ASN1_SEQUENCE_END(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
-
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_OPTIONALVALIDITY) = {
-    ASN1_EXP_OPT(OSSL_CRMF_OPTIONALVALIDITY, notBefore, ASN1_TIME, 0),
-    ASN1_EXP_OPT(OSSL_CRMF_OPTIONALVALIDITY, notAfter,  ASN1_TIME, 1)
-} ASN1_SEQUENCE_END(OSSL_CRMF_OPTIONALVALIDITY)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_CERTTEMPLATE) = {
-    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, version, ASN1_INTEGER, 0),
-    /*
-     * serialNumber MUST be omitted. This field is assigned by the CA
-     * during certificate creation.
-     */
-    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, serialNumber, ASN1_INTEGER, 1),
-    /*
-     * signingAlg MUST be omitted. This field is assigned by the CA
-     * during certificate creation.
-     */
-    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, signingAlg, X509_ALGOR, 2),
-    ASN1_EXP_OPT(OSSL_CRMF_CERTTEMPLATE, issuer, X509_NAME, 3),
-    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, validity,
-                 OSSL_CRMF_OPTIONALVALIDITY, 4),
-    ASN1_EXP_OPT(OSSL_CRMF_CERTTEMPLATE, subject, X509_NAME, 5),
-    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, publicKey, X509_PUBKEY, 6),
-    /* issuerUID is deprecated in version 2 */
-    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, issuerUID, ASN1_BIT_STRING, 7),
-    /* subjectUID is deprecated in version 2 */
-    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, subjectUID, ASN1_BIT_STRING, 8),
-    ASN1_IMP_SEQUENCE_OF_OPT(OSSL_CRMF_CERTTEMPLATE, extensions,
-                             X509_EXTENSION, 9),
-} ASN1_SEQUENCE_END(OSSL_CRMF_CERTTEMPLATE)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_CERTTEMPLATE)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_CERTREQUEST) = {
-    ASN1_SIMPLE(OSSL_CRMF_CERTREQUEST, certReqId, ASN1_INTEGER),
-    ASN1_SIMPLE(OSSL_CRMF_CERTREQUEST, certTemplate, OSSL_CRMF_CERTTEMPLATE),
-    ASN1_SEQUENCE_OF_OPT(OSSL_CRMF_CERTREQUEST, controls,
-                         OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
-} ASN1_SEQUENCE_END(OSSL_CRMF_CERTREQUEST)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
-
-
-ASN1_SEQUENCE(OSSL_CRMF_MSG) = {
-    ASN1_SIMPLE(OSSL_CRMF_MSG, certReq, OSSL_CRMF_CERTREQUEST),
-    ASN1_OPT(OSSL_CRMF_MSG, popo, OSSL_CRMF_POPO),
-    ASN1_SEQUENCE_OF_OPT(OSSL_CRMF_MSG, regInfo,
-                         OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
-} ASN1_SEQUENCE_END(OSSL_CRMF_MSG)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
-IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG)
-
-ASN1_ITEM_TEMPLATE(OSSL_CRMF_MSGS) =
-    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
-                          OSSL_CRMF_MSGS, OSSL_CRMF_MSG)
-ASN1_ITEM_TEMPLATE_END(OSSL_CRMF_MSGS)
-IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_MSGS)

+ 0 - 715
libs/openssl/crypto/crmf/crmf_lib.c

@@ -1,715 +0,0 @@
-/*-
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2018
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- *
- * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
- */
-
-/*
- * This file contains the functions that handle the individual items inside
- * the CRMF structures
- */
-
-/*
- * NAMING
- *
- * The 0 functions use the supplied structure pointer directly in the parent and
- * it will be freed up when the parent is freed.
- *
- * The 1 functions use a copy of the supplied structure pointer (or in some
- * cases increases its link count) in the parent and so both should be freed up.
- */
-
-#include <openssl/asn1t.h>
-
-#include "crmf_local.h"
-#include "internal/constant_time.h"
-#include "internal/sizes.h"
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/crmf.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-
-/*-
- * atyp = Attribute Type
- * valt = Value Type
- * ctrlinf = "regCtrl" or "regInfo"
- */
-#define IMPLEMENT_CRMF_CTRL_FUNC(atyp, valt, ctrlinf)                        \
-valt *OSSL_CRMF_MSG_get0_##ctrlinf##_##atyp(const OSSL_CRMF_MSG *msg)        \
-{                                                                            \
-    int i;                                                                   \
-    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls;                     \
-    OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL;                            \
-                                                                             \
-    if (msg == NULL || msg->certReq == NULL)                                 \
-        return NULL;                                                         \
-    controls = msg->certReq->controls;                                       \
-    for (i = 0; i < sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num(controls); i++) { \
-        atav = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value(controls, i);        \
-        if (OBJ_obj2nid(atav->type) == NID_id_##ctrlinf##_##atyp)            \
-            return atav->value.atyp;                                         \
-    }                                                                        \
-    return NULL;                                                             \
-}                                                                            \
- \
-int OSSL_CRMF_MSG_set1_##ctrlinf##_##atyp(OSSL_CRMF_MSG *msg, const valt *in) \
-{                                                                         \
-    OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL;                         \
-                                                                          \
-    if (msg == NULL || in == NULL)                                        \
-        goto err;                                                         \
-    if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL)           \
-        goto err;                                                         \
-    if ((atav->type = OBJ_nid2obj(NID_id_##ctrlinf##_##atyp)) == NULL)    \
-        goto err;                                                         \
-    if ((atav->value.atyp = valt##_dup(in)) == NULL)                      \
-        goto err;                                                         \
-    if (!OSSL_CRMF_MSG_push0_##ctrlinf(msg, atav))                        \
-        goto err;                                                         \
-    return 1;                                                             \
- err:                                                                     \
-    OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(atav);                           \
-    return 0;                                                             \
-}
-
-
-/*-
- * Pushes the given control attribute into the controls stack of a CertRequest
- * (section 6)
- * returns 1 on success, 0 on error
- */
-static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm,
-                                       OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ctrl)
-{
-    int new = 0;
-
-    if (crm == NULL || crm->certReq == NULL || ctrl == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (crm->certReq->controls == NULL) {
-        crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
-        if (crm->certReq->controls == NULL)
-            goto err;
-        new = 1;
-    }
-    if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl))
-        goto err;
-
-    return 1;
- err:
-    if (new != 0) {
-        sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls);
-        crm->certReq->controls = NULL;
-    }
-    return 0;
-}
-
-/* id-regCtrl-regToken Control (section 6.1) */
-IMPLEMENT_CRMF_CTRL_FUNC(regToken, ASN1_STRING, regCtrl)
-
-/* id-regCtrl-authenticator Control (section 6.2) */
-#define ASN1_UTF8STRING_dup ASN1_STRING_dup
-IMPLEMENT_CRMF_CTRL_FUNC(authenticator, ASN1_UTF8STRING, regCtrl)
-
-int OSSL_CRMF_MSG_set0_SinglePubInfo(OSSL_CRMF_SINGLEPUBINFO *spi,
-                                     int method, GENERAL_NAME *nm)
-{
-    if (spi == NULL
-            || method < OSSL_CRMF_PUB_METHOD_DONTCARE
-            || method > OSSL_CRMF_PUB_METHOD_LDAP) {
-        ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT);
-        return 0;
-    }
-
-    if (!ASN1_INTEGER_set(spi->pubMethod, method))
-        return 0;
-    GENERAL_NAME_free(spi->pubLocation);
-    spi->pubLocation = nm;
-    return 1;
-}
-
-int
-OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
-                                                     OSSL_CRMF_SINGLEPUBINFO *spi)
-{
-    if (pi == NULL || spi == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (pi->pubInfos == NULL)
-        pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null();
-    if (pi->pubInfos == NULL)
-        return 0;
-
-    return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);
-}
-
-int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
-                                                int action)
-{
-    if (pi == NULL
-            || action < OSSL_CRMF_PUB_ACTION_DONTPUBLISH
-            || action > OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH) {
-        ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT);
-        return 0;
-    }
-
-    return ASN1_INTEGER_set(pi->action, action);
-}
-
-/* id-regCtrl-pkiPublicationInfo Control (section 6.3) */
-IMPLEMENT_CRMF_CTRL_FUNC(pkiPublicationInfo, OSSL_CRMF_PKIPUBLICATIONINFO,
-                         regCtrl)
-
-/* id-regCtrl-oldCertID Control (section 6.5) from the given */
-IMPLEMENT_CRMF_CTRL_FUNC(oldCertID, OSSL_CRMF_CERTID, regCtrl)
-
-OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
-                                       const ASN1_INTEGER *serial)
-{
-    OSSL_CRMF_CERTID *cid = NULL;
-
-    if (issuer == NULL || serial == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    if ((cid = OSSL_CRMF_CERTID_new()) == NULL)
-        goto err;
-
-    if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer))
-        goto err;
-    cid->issuer->type = GEN_DIRNAME;
-
-    ASN1_INTEGER_free(cid->serialNumber);
-    if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
-        goto err;
-
-    return cid;
-
- err:
-    OSSL_CRMF_CERTID_free(cid);
-    return NULL;
-}
-
-/*
- * id-regCtrl-protocolEncrKey Control (section 6.6)
- */
-IMPLEMENT_CRMF_CTRL_FUNC(protocolEncrKey, X509_PUBKEY, regCtrl)
-
-/*-
- * Pushes the attribute given in regInfo in to the CertReqMsg->regInfo stack.
- * (section 7)
- * returns 1 on success, 0 on error
- */
-static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm,
-                                       OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ri)
-{
-    STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *info = NULL;
-
-    if (crm == NULL || ri == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (crm->regInfo == NULL)
-        crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
-    if (crm->regInfo == NULL)
-        goto err;
-    if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri))
-        goto err;
-    return 1;
-
- err:
-    if (info != NULL)
-        crm->regInfo = NULL;
-    sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info);
-    return 0;
-}
-
-/* id-regInfo-utf8Pairs to regInfo (section 7.1) */
-IMPLEMENT_CRMF_CTRL_FUNC(utf8Pairs, ASN1_UTF8STRING, regInfo)
-
-/* id-regInfo-certReq to regInfo (section 7.2) */
-IMPLEMENT_CRMF_CTRL_FUNC(certReq, OSSL_CRMF_CERTREQUEST, regInfo)
-
-
-/* retrieves the certificate template of crm */
-OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm)
-{
-    if (crm == NULL || crm->certReq == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return NULL;
-    }
-    return crm->certReq->certTemplate;
-}
-
-
-int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
-                                ASN1_TIME *notBefore, ASN1_TIME *notAfter)
-{
-    OSSL_CRMF_OPTIONALVALIDITY *vld;
-    OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
-
-    if (tmpl == NULL) { /* also crm == NULL implies this */
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
-        return 0;
-    vld->notBefore = notBefore;
-    vld->notAfter = notAfter;
-    tmpl->validity = vld;
-    return 1;
-}
-
-
-int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid)
-{
-    if (crm == NULL || crm->certReq == NULL || crm->certReq->certReqId == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    return ASN1_INTEGER_set(crm->certReq->certReqId, rid);
-}
-
-/* get ASN.1 encoded integer, return -1 on error */
-static int crmf_asn1_get_int(const ASN1_INTEGER *a)
-{
-    int64_t res;
-
-    if (!ASN1_INTEGER_get_int64(&res, a)) {
-        ERR_raise(ERR_LIB_CRMF, ASN1_R_INVALID_NUMBER);
-        return -1;
-    }
-    if (res < INT_MIN) {
-        ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_SMALL);
-        return -1;
-    }
-    if (res > INT_MAX) {
-        ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_LARGE);
-        return -1;
-    }
-    return (int)res;
-}
-
-int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm)
-{
-    if (crm == NULL || /* not really needed: */ crm->certReq == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return -1;
-    }
-    return crmf_asn1_get_int(crm->certReq->certReqId);
-}
-
-
-int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
-                                  X509_EXTENSIONS *exts)
-{
-    OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
-
-    if (tmpl == NULL) { /* also crm == NULL implies this */
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (sk_X509_EXTENSION_num(exts) == 0) {
-        sk_X509_EXTENSION_free(exts);
-        exts = NULL; /* do not include empty extensions list */
-    }
-
-    sk_X509_EXTENSION_pop_free(tmpl->extensions, X509_EXTENSION_free);
-    tmpl->extensions = exts;
-    return 1;
-}
-
-
-int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
-                                  X509_EXTENSION *ext)
-{
-    int new = 0;
-    OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
-
-    if (tmpl == NULL || ext == NULL) { /* also crm == NULL implies this */
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (tmpl->extensions == NULL) {
-        if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
-            goto err;
-        new = 1;
-    }
-
-    if (!sk_X509_EXTENSION_push(tmpl->extensions, ext))
-        goto err;
-    return 1;
- err:
-    if (new != 0) {
-        sk_X509_EXTENSION_free(tmpl->extensions);
-        tmpl->extensions = NULL;
-    }
-    return 0;
-}
-
-static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
-                                 const OSSL_CRMF_CERTREQUEST *cr,
-                                 EVP_PKEY *pkey, const EVP_MD *digest,
-                                 OSSL_LIB_CTX *libctx, const char *propq)
-{
-    char name[80] = "";
-
-    if (ps == NULL || cr == NULL || pkey == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (ps->poposkInput != NULL) {
-        /* We do not support cases 1+2 defined in RFC 4211, section 4.1 */
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_POPOSKINPUT_NOT_SUPPORTED);
-        return 0;
-    }
-
-    if (EVP_PKEY_get_default_digest_name(pkey, name, sizeof(name)) > 0
-            && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */
-        digest = NULL;
-
-    return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
-                             ps->algorithmIdentifier, NULL, ps->signature, cr,
-                             NULL, pkey, digest, libctx, propq);
-}
-
-
-int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
-                              EVP_PKEY *pkey, const EVP_MD *digest,
-                              OSSL_LIB_CTX *libctx, const char *propq)
-{
-    OSSL_CRMF_POPO *pp = NULL;
-    ASN1_INTEGER *tag = NULL;
-
-    if (crm == NULL || (meth == OSSL_CRMF_POPO_SIGNATURE && pkey == NULL)) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (meth == OSSL_CRMF_POPO_NONE)
-        goto end;
-    if ((pp = OSSL_CRMF_POPO_new()) == NULL)
-        goto err;
-    pp->type = meth;
-
-    switch (meth) {
-    case OSSL_CRMF_POPO_RAVERIFIED:
-        if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
-            goto err;
-        break;
-
-    case OSSL_CRMF_POPO_SIGNATURE:
-        {
-            OSSL_CRMF_POPOSIGNINGKEY *ps = OSSL_CRMF_POPOSIGNINGKEY_new();
-
-            if (ps == NULL)
-                goto err;
-            if (!create_popo_signature(ps, crm->certReq, pkey, digest,
-                                       libctx, propq)) {
-                OSSL_CRMF_POPOSIGNINGKEY_free(ps);
-                goto err;
-            }
-            pp->value.signature = ps;
-        }
-        break;
-
-    case OSSL_CRMF_POPO_KEYENC:
-        if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL)
-            goto err;
-        tag = ASN1_INTEGER_new();
-        pp->value.keyEncipherment->type =
-            OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE;
-        pp->value.keyEncipherment->value.subsequentMessage = tag;
-        if (tag == NULL
-                || !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT))
-            goto err;
-        break;
-
-    default:
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO);
-        goto err;
-    }
-
- end:
-    OSSL_CRMF_POPO_free(crm->popo);
-    crm->popo = pp;
-
-    return 1;
- err:
-    OSSL_CRMF_POPO_free(pp);
-    return 0;
-}
-
-/* verifies the Proof-of-Possession of the request with the given rid in reqs */
-int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
-                               int rid, int acceptRAVerified,
-                               OSSL_LIB_CTX *libctx, const char *propq)
-{
-    OSSL_CRMF_MSG *req = NULL;
-    X509_PUBKEY *pubkey = NULL;
-    OSSL_CRMF_POPOSIGNINGKEY *sig = NULL;
-    const ASN1_ITEM *it;
-    void *asn;
-
-    if (reqs == NULL || (req = sk_OSSL_CRMF_MSG_value(reqs, rid)) == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-
-    if (req->popo == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING);
-        return 0;
-    }
-
-    switch (req->popo->type) {
-    case OSSL_CRMF_POPO_RAVERIFIED:
-        if (!acceptRAVerified) {
-            ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED);
-            return 0;
-        }
-        break;
-    case OSSL_CRMF_POPO_SIGNATURE:
-        pubkey = req->certReq->certTemplate->publicKey;
-        if (pubkey == NULL) {
-            ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY);
-            return 0;
-        }
-        sig = req->popo->value.signature;
-        if (sig->poposkInput != NULL) {
-            /*
-             * According to RFC 4211: publicKey contains a copy of
-             * the public key from the certificate template. This MUST be
-             * exactly the same value as contained in the certificate template.
-             */
-            if (sig->poposkInput->publicKey == NULL) {
-                ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY);
-                return 0;
-            }
-            if (X509_PUBKEY_eq(pubkey, sig->poposkInput->publicKey) != 1) {
-                ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY);
-                return 0;
-            }
-            it = ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT);
-            asn = sig->poposkInput;
-        } else {
-            if (req->certReq->certTemplate->subject == NULL) {
-                ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_SUBJECT);
-                return 0;
-            }
-            it = ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST);
-            asn = req->certReq;
-        }
-        if (ASN1_item_verify_ex(it, sig->algorithmIdentifier, sig->signature,
-                                asn, NULL, X509_PUBKEY_get0(pubkey), libctx,
-                                propq) < 1)
-            return 0;
-        break;
-    case OSSL_CRMF_POPO_KEYENC:
-    case OSSL_CRMF_POPO_KEYAGREE:
-    default:
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_POPO_METHOD);
-        return 0;
-    }
-    return 1;
-}
-
-/* retrieves the serialNumber of the given cert template or NULL on error */
-const ASN1_INTEGER
-*OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl)
-{
-    return tmpl != NULL ? tmpl->serialNumber : NULL;
-}
-
-const X509_NAME
-    *OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl)
-{
-    return tmpl != NULL ? tmpl->subject : NULL;
-}
-
-/* retrieves the issuer name of the given cert template or NULL on error */
-const X509_NAME
-    *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl)
-{
-    return tmpl != NULL ? tmpl->issuer : NULL;
-}
-
-X509_EXTENSIONS
-    *OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl)
-{
-    return tmpl != NULL ? tmpl->extensions : NULL;
-}
-
-/* retrieves the issuer name of the given CertId or NULL on error */
-const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
-{
-    return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
-        cid->issuer->d.directoryName : NULL;
-}
-
-/* retrieves the serialNumber of the given CertId or NULL on error */
-const ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid)
-{
-    return cid != NULL ? cid->serialNumber : NULL;
-}
-
-/*-
- * fill in certificate template.
- * Any value argument that is NULL will leave the respective field unchanged.
- */
-int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
-                                EVP_PKEY *pubkey,
-                                const X509_NAME *subject,
-                                const X509_NAME *issuer,
-                                const ASN1_INTEGER *serial)
-{
-    if (tmpl == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return 0;
-    }
-    if (subject != NULL && !X509_NAME_set((X509_NAME **)&tmpl->subject, subject))
-        return 0;
-    if (issuer != NULL && !X509_NAME_set((X509_NAME **)&tmpl->issuer, issuer))
-        return 0;
-    if (serial != NULL) {
-        ASN1_INTEGER_free(tmpl->serialNumber);
-        if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
-            return 0;
-    }
-    if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey))
-        return 0;
-    return 1;
-}
-
-
-/*-
- * Decrypts the certificate in the given encryptedValue using private key pkey.
- * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
- *
- * returns a pointer to the decrypted certificate
- * returns NULL on error or if no certificate available
- */
-X509
-*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
-                                       OSSL_LIB_CTX *libctx, const char *propq,
-                                       EVP_PKEY *pkey)
-{
-    X509 *cert = NULL; /* decrypted certificate */
-    EVP_CIPHER_CTX *evp_ctx = NULL; /* context for symmetric encryption */
-    unsigned char *ek = NULL; /* decrypted symmetric encryption key */
-    size_t eksize = 0; /* size of decrypted symmetric encryption key */
-    EVP_CIPHER *cipher = NULL; /* used cipher */
-    int cikeysize = 0; /* key size from cipher */
-    unsigned char *iv = NULL; /* initial vector for symmetric encryption */
-    unsigned char *outbuf = NULL; /* decryption output buffer */
-    const unsigned char *p = NULL; /* needed for decoding ASN1 */
-    int n, outlen = 0;
-    EVP_PKEY_CTX *pkctx = NULL; /* private key context */
-    char name[OSSL_MAX_NAME_SIZE];
-
-    if (ecert == NULL || ecert->symmAlg == NULL || ecert->encSymmKey == NULL
-            || ecert->encValue == NULL || pkey == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        return NULL;
-    }
-
-    /* select symmetric cipher based on algorithm given in message */
-    OBJ_obj2txt(name, sizeof(name), ecert->symmAlg->algorithm, 0);
-
-    (void)ERR_set_mark();
-    cipher = EVP_CIPHER_fetch(NULL, name, NULL);
-
-    if (cipher == NULL)
-        cipher = (EVP_CIPHER *)EVP_get_cipherbyname(name);
-
-    if (cipher == NULL) {
-        (void)ERR_clear_last_mark();
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER);
-        goto end;
-    }
-    (void)ERR_pop_to_mark();
-
-    cikeysize = EVP_CIPHER_get_key_length(cipher);
-    /* first the symmetric key needs to be decrypted */
-    pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
-    if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx) > 0) {
-        ASN1_BIT_STRING *encKey = ecert->encSymmKey;
-        size_t failure;
-        int retval;
-
-        if (EVP_PKEY_decrypt(pkctx, NULL, &eksize,
-                             encKey->data, encKey->length) <= 0
-                || (ek = OPENSSL_malloc(eksize)) == NULL)
-            goto end;
-        retval = EVP_PKEY_decrypt(pkctx, ek, &eksize,
-                                  encKey->data, encKey->length);
-        ERR_clear_error(); /* error state may have sensitive information */
-        failure = ~constant_time_is_zero_s(constant_time_msb(retval)
-                                           | constant_time_is_zero(retval));
-        failure |= ~constant_time_eq_s(eksize, (size_t)cikeysize);
-        if (failure) {
-            ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY);
-            goto end;
-        }
-    } else {
-        goto end;
-    }
-    if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
-        goto end;
-    if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
-                                  EVP_CIPHER_get_iv_length(cipher))
-        != EVP_CIPHER_get_iv_length(cipher)) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
-        goto end;
-    }
-
-    /*
-     * d2i_X509 changes the given pointer, so use p for decoding the message and
-     * keep the original pointer in outbuf so the memory can be freed later
-     */
-    if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length +
-                                     EVP_CIPHER_get_block_size(cipher))) == NULL
-            || (evp_ctx = EVP_CIPHER_CTX_new()) == NULL)
-        goto end;
-    EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
-
-    if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
-            || !EVP_DecryptUpdate(evp_ctx, outbuf, &outlen,
-                                  ecert->encValue->data,
-                                  ecert->encValue->length)
-            || !EVP_DecryptFinal(evp_ctx, outbuf + outlen, &n)) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_CERTIFICATE);
-        goto end;
-    }
-    outlen += n;
-
-    /* convert decrypted certificate from DER to internal ASN.1 structure */
-    if ((cert = X509_new_ex(libctx, propq)) == NULL)
-        goto end;
-    if (d2i_X509(&cert, &p, outlen) == NULL)
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_CERTIFICATE);
- end:
-    EVP_PKEY_CTX_free(pkctx);
-    OPENSSL_free(outbuf);
-    EVP_CIPHER_CTX_free(evp_ctx);
-    EVP_CIPHER_free(cipher);
-    OPENSSL_clear_free(ek, eksize);
-    OPENSSL_free(iv);
-    return cert;
-}

+ 0 - 232
libs/openssl/crypto/crmf/crmf_pbm.c

@@ -1,232 +0,0 @@
-/*-
- * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright Nokia 2007-2019
- * Copyright Siemens AG 2015-2019
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- *
- * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
- */
-
-
-#include <string.h>
-
-#include <openssl/rand.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-
-/* explicit #includes not strictly needed since implied by the above: */
-#include <openssl/asn1t.h>
-#include <openssl/crmf.h>
-#include <openssl/err.h>
-#include <openssl/params.h>
-#include <openssl/core_names.h>
-
-#include "internal/sizes.h"
-
-#include "crmf_local.h"
-
-/*-
- * creates and initializes OSSL_CRMF_PBMPARAMETER (section 4.4)
- * |slen| SHOULD be at least 8 (16 is common)
- * |owfnid| e.g., NID_sha256
- * |itercnt| MUST be >= 100 (e.g., 500) and <= OSSL_CRMF_PBM_MAX_ITERATION_COUNT
- * |macnid| e.g., NID_hmac_sha1
- * returns pointer to OSSL_CRMF_PBMPARAMETER on success, NULL on error
- */
-OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OSSL_LIB_CTX *libctx, size_t slen,
-                                           int owfnid, size_t itercnt,
-                                           int macnid)
-{
-    OSSL_CRMF_PBMPARAMETER *pbm = NULL;
-    unsigned char *salt = NULL;
-
-    if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
-        goto err;
-
-    /*
-     * salt contains a randomly generated value used in computing the key
-     * of the MAC process.  The salt SHOULD be at least 8 octets (64
-     * bits) long.
-     */
-    if ((salt = OPENSSL_malloc(slen)) == NULL)
-        goto err;
-    if (RAND_bytes_ex(libctx, salt, slen, 0) <= 0) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_FAILURE_OBTAINING_RANDOM);
-        goto err;
-    }
-    if (!ASN1_OCTET_STRING_set(pbm->salt, salt, (int)slen))
-        goto err;
-
-    /*
-     * owf identifies the hash algorithm and associated parameters used to
-     * compute the key used in the MAC process.  All implementations MUST
-     * support SHA-1.
-     */
-    if (!X509_ALGOR_set0(pbm->owf, OBJ_nid2obj(owfnid), V_ASN1_UNDEF, NULL)) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_OWF_ALGOR_FAILURE);
-        goto err;
-    }
-
-    /*
-     * iterationCount identifies the number of times the hash is applied
-     * during the key computation process.  The iterationCount MUST be a
-     * minimum of 100. Many people suggest using values as high as 1000
-     * iterations as the minimum value.  The trade off here is between
-     * protection of the password from attacks and the time spent by the
-     * server processing all of the different iterations in deriving
-     * passwords.  Hashing is generally considered a cheap operation but
-     * this may not be true with all hash functions in the future.
-     */
-    if (itercnt < 100) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_ITERATIONCOUNT_BELOW_100);
-        goto err;
-    }
-    if (itercnt > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
-        goto err;
-    }
-
-    if (!ASN1_INTEGER_set(pbm->iterationCount, itercnt)) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_CRMFERROR);
-        goto err;
-    }
-
-    /*
-     * mac identifies the algorithm and associated parameters of the MAC
-     * function to be used.  All implementations MUST support HMAC-SHA1 [HMAC].
-     * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
-     */
-    if (!X509_ALGOR_set0(pbm->mac, OBJ_nid2obj(macnid), V_ASN1_UNDEF, NULL)) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_SETTING_MAC_ALGOR_FAILURE);
-        goto err;
-    }
-
-    OPENSSL_free(salt);
-    return pbm;
- err:
-    OPENSSL_free(salt);
-    OSSL_CRMF_PBMPARAMETER_free(pbm);
-    return NULL;
-}
-
-/*-
- * calculates the PBM based on the settings of the given OSSL_CRMF_PBMPARAMETER
- * |pbmp| identifies the algorithms, salt to use
- * |msg| message to apply the PBM for
- * |msglen| length of the message
- * |sec| key to use
- * |seclen| length of the key
- * |out| pointer to the computed mac, will be set on success
- * |outlen| if not NULL, will set variable to the length of the mac on success
- * returns 1 on success, 0 on error
- */
-int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
-                      const OSSL_CRMF_PBMPARAMETER *pbmp,
-                      const unsigned char *msg, size_t msglen,
-                      const unsigned char *sec, size_t seclen,
-                      unsigned char **out, size_t *outlen)
-{
-    int mac_nid, hmac_md_nid = NID_undef;
-    char mdname[OSSL_MAX_NAME_SIZE];
-    char hmac_mdname[OSSL_MAX_NAME_SIZE];
-    EVP_MD *owf = NULL;
-    EVP_MD_CTX *ctx = NULL;
-    unsigned char basekey[EVP_MAX_MD_SIZE];
-    unsigned int bklen = EVP_MAX_MD_SIZE;
-    int64_t iterations;
-    unsigned char *mac_res = 0;
-    int ok = 0;
-
-    if (out == NULL || pbmp == NULL || pbmp->mac == NULL
-            || pbmp->mac->algorithm == NULL || msg == NULL || sec == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
-        goto err;
-    }
-    if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
-        goto err;
-
-    /*
-     * owf identifies the hash algorithm and associated parameters used to
-     * compute the key used in the MAC process.  All implementations MUST
-     * support SHA-1.
-     */
-    OBJ_obj2txt(mdname, sizeof(mdname), pbmp->owf->algorithm, 0);
-    if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
-        goto err;
-    }
-
-    if ((ctx = EVP_MD_CTX_new()) == NULL)
-        goto err;
-
-    /* compute the basekey of the salted secret */
-    if (!EVP_DigestInit_ex(ctx, owf, NULL))
-        goto err;
-    /* first the secret */
-    if (!EVP_DigestUpdate(ctx, sec, seclen))
-        goto err;
-    /* then the salt */
-    if (!EVP_DigestUpdate(ctx, pbmp->salt->data, pbmp->salt->length))
-        goto err;
-    if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
-        goto err;
-    if (!ASN1_INTEGER_get_int64(&iterations, pbmp->iterationCount)
-            || iterations < 100 /* min from RFC */
-            || iterations > OSSL_CRMF_PBM_MAX_ITERATION_COUNT) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_BAD_PBM_ITERATIONCOUNT);
-        goto err;
-    }
-
-    /* the first iteration was already done above */
-    while (--iterations > 0) {
-        if (!EVP_DigestInit_ex(ctx, owf, NULL))
-            goto err;
-        if (!EVP_DigestUpdate(ctx, basekey, bklen))
-            goto err;
-        if (!EVP_DigestFinal_ex(ctx, basekey, &bklen))
-            goto err;
-    }
-
-    /*
-     * mac identifies the algorithm and associated parameters of the MAC
-     * function to be used.  All implementations MUST support HMAC-SHA1 [HMAC].
-     * All implementations SHOULD support DES-MAC and Triple-DES-MAC [PKCS11].
-     */
-    mac_nid = OBJ_obj2nid(pbmp->mac->algorithm);
-
-    if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, mac_nid, NULL, &hmac_md_nid, NULL)
-        || OBJ_obj2txt(hmac_mdname, sizeof(hmac_mdname),
-                        OBJ_nid2obj(hmac_md_nid), 0) <= 0) {
-        ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
-        goto err;
-    }
-    if (EVP_Q_mac(libctx, "HMAC", propq, hmac_mdname, NULL, basekey, bklen,
-                  msg, msglen, mac_res, EVP_MAX_MD_SIZE, outlen) == NULL)
-        goto err;
-
-    ok = 1;
-
- err:
-    OPENSSL_cleanse(basekey, bklen);
-    EVP_MD_free(owf);
-    EVP_MD_CTX_free(ctx);
-
-    if (ok == 1) {
-        *out = mac_res;
-        return 1;
-    }
-
-    OPENSSL_free(mac_res);
-
-    if (pbmp != NULL && pbmp->mac != NULL) {
-        char buf[128];
-
-        if (OBJ_obj2txt(buf, sizeof(buf), pbmp->mac->algorithm, 0))
-            ERR_add_error_data(1, buf);
-    }
-    return 0;
-}

+ 1 - 0
libs/openssl/crypto/des/asm/crypt586.asm

@@ -1,3 +1,4 @@
+
 %ifidn __OUTPUT_FORMAT__,obj
 section	code	use32 class=code align=256
 %elifidn __OUTPUT_FORMAT__,win32

+ 71 - 0
libs/openssl/crypto/des/asm/des_586.asm

@@ -1,3 +1,4 @@
+
 %ifidn __OUTPUT_FORMAT__,obj
 section	code	use32 class=code align=256
 %elifidn __OUTPUT_FORMAT__,win32
@@ -1400,21 +1401,56 @@ L$010PIC_point:
 	xor	edx,edx
 	jmp	ebp
 L$012ej7:
+	
+
+
+
+
 	mov	dh,BYTE [6+esi]
 	shl	edx,8
 L$013ej6:
+	
+
+
+
+
 	mov	dh,BYTE [5+esi]
 L$014ej5:
+	
+
+
+
+
 	mov	dl,BYTE [4+esi]
 L$015ej4:
+	
+
+
+
+
 	mov	ecx,DWORD [esi]
 	jmp	NEAR L$016ejend
 L$017ej3:
+	
+
+
+
+
 	mov	ch,BYTE [2+esi]
 	shl	ecx,8
 L$018ej2:
+	
+
+
+
+
 	mov	ch,BYTE [1+esi]
 L$019ej1:
+	
+
+
+
+
 	mov	cl,BYTE [esi]
 L$016ejend:
 	xor	eax,ecx
@@ -1582,21 +1618,56 @@ L$034PIC_point:
 	xor	edx,edx
 	jmp	ebp
 L$036ej7:
+	
+
+
+
+
 	mov	dh,BYTE [6+esi]
 	shl	edx,8
 L$037ej6:
+	
+
+
+
+
 	mov	dh,BYTE [5+esi]
 L$038ej5:
+	
+
+
+
+
 	mov	dl,BYTE [4+esi]
 L$039ej4:
+	
+
+
+
+
 	mov	ecx,DWORD [esi]
 	jmp	NEAR L$040ejend
 L$041ej3:
+	
+
+
+
+
 	mov	ch,BYTE [2+esi]
 	shl	ecx,8
 L$042ej2:
+	
+
+
+
+
 	mov	ch,BYTE [1+esi]
 L$043ej1:
+	
+
+
+
+
 	mov	cl,BYTE [esi]
 L$040ejend:
 	xor	eax,ecx

+ 0 - 78
libs/openssl/crypto/ec/ec_deprecated.c

@@ -1,78 +0,0 @@
-/*
- * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Suppress deprecation warnings for EC low level implementations that are
- * kept until removal.
- */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/ec.h>
-
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-BIGNUM *EC_POINT_point2bn(const EC_GROUP *group,
-                          const EC_POINT *point,
-                          point_conversion_form_t form,
-                          BIGNUM *ret, BN_CTX *ctx)
-{
-    size_t buf_len = 0;
-    unsigned char *buf;
-
-    buf_len = EC_POINT_point2buf(group, point, form, &buf, ctx);
-
-    if (buf_len == 0)
-        return NULL;
-
-    ret = BN_bin2bn(buf, buf_len, ret);
-
-    OPENSSL_free(buf);
-
-    return ret;
-}
-
-EC_POINT *EC_POINT_bn2point(const EC_GROUP *group,
-                            const BIGNUM *bn, EC_POINT *point, BN_CTX *ctx)
-{
-    size_t buf_len = 0;
-    unsigned char *buf;
-    EC_POINT *ret;
-
-    if ((buf_len = BN_num_bytes(bn)) == 0)
-        buf_len = 1;
-    if ((buf = OPENSSL_malloc(buf_len)) == NULL) {
-        ECerr(EC_F_EC_POINT_BN2POINT, ERR_R_MALLOC_FAILURE);
-        return NULL;
-    }
-
-    if (BN_bn2binpad(bn, buf, buf_len) < 0) {
-        OPENSSL_free(buf);
-        return NULL;
-    }
-
-    if (point == NULL) {
-        if ((ret = EC_POINT_new(group)) == NULL) {
-            OPENSSL_free(buf);
-            return NULL;
-        }
-    } else
-        ret = point;
-
-    if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx)) {
-        if (ret != point)
-            EC_POINT_clear_free(ret);
-        OPENSSL_free(buf);
-        return NULL;
-    }
-
-    OPENSSL_free(buf);
-    return ret;
-}
-#endif /* OPENSSL_NO_DEPRECATED_3_0 */

+ 0 - 1748
libs/openssl/crypto/ec/ecp_nistp224.c

@@ -1,1748 +0,0 @@
-/*
- * Copyright 2010-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- */
-
-/*
- * ECDSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-/*
- * A 64-bit implementation of the NIST P-224 elliptic curve point multiplication
- *
- * Inspired by Daniel J. Bernstein's public domain nistp224 implementation
- * and Adam Langley's public domain 64-bit C implementation of curve25519
- */
-
-#include <openssl/opensslconf.h>
-
-#include <stdint.h>
-#include <string.h>
-#include <openssl/err.h>
-#include "ec_local.h"
-
-#include "internal/numbers.h"
-
-#ifndef INT128_MAX
-# error "Your compiler doesn't appear to support 128-bit integer types"
-#endif
-
-typedef uint8_t u8;
-typedef uint64_t u64;
-
-/******************************************************************************/
-/*-
- * INTERNAL REPRESENTATION OF FIELD ELEMENTS
- *
- * Field elements are represented as a_0 + 2^56*a_1 + 2^112*a_2 + 2^168*a_3
- * using 64-bit coefficients called 'limbs',
- * and sometimes (for multiplication results) as
- * b_0 + 2^56*b_1 + 2^112*b_2 + 2^168*b_3 + 2^224*b_4 + 2^280*b_5 + 2^336*b_6
- * using 128-bit coefficients called 'widelimbs'.
- * A 4-limb representation is an 'felem';
- * a 7-widelimb representation is a 'widefelem'.
- * Even within felems, bits of adjacent limbs overlap, and we don't always
- * reduce the representations: we ensure that inputs to each felem
- * multiplication satisfy a_i < 2^60, so outputs satisfy b_i < 4*2^60*2^60,
- * and fit into a 128-bit word without overflow. The coefficients are then
- * again partially reduced to obtain an felem satisfying a_i < 2^57.
- * We only reduce to the unique minimal representation at the end of the
- * computation.
- */
-
-typedef uint64_t limb;
-typedef uint64_t limb_aX __attribute((__aligned__(1)));
-typedef uint128_t widelimb;
-
-typedef limb felem[4];
-typedef widelimb widefelem[7];
-
-/*
- * Field element represented as a byte array. 28*8 = 224 bits is also the
- * group order size for the elliptic curve, and we also use this type for
- * scalars for point multiplication.
- */
-typedef u8 felem_bytearray[28];
-
-static const felem_bytearray nistp224_curve_params[5] = {
-    {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */
-     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
-     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
-    {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */
-     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF,
-     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE},
-    {0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, /* b */
-     0x32, 0x56, 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA,
-     0x27, 0x0B, 0x39, 0x43, 0x23, 0x55, 0xFF, 0xB4},
-    {0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, /* x */
-     0x90, 0xB9, 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22,
-     0x34, 0x32, 0x80, 0xD6, 0x11, 0x5C, 0x1D, 0x21},
-    {0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, /* y */
-     0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64,
-     0x44, 0xd5, 0x81, 0x99, 0x85, 0x00, 0x7e, 0x34}
-};
-
-/*-
- * Precomputed multiples of the standard generator
- * Points are given in coordinates (X, Y, Z) where Z normally is 1
- * (0 for the point at infinity).
- * For each field element, slice a_0 is word 0, etc.
- *
- * The table has 2 * 16 elements, starting with the following:
- * index | bits    | point
- * ------+---------+------------------------------
- *     0 | 0 0 0 0 | 0G
- *     1 | 0 0 0 1 | 1G
- *     2 | 0 0 1 0 | 2^56G
- *     3 | 0 0 1 1 | (2^56 + 1)G
- *     4 | 0 1 0 0 | 2^112G
- *     5 | 0 1 0 1 | (2^112 + 1)G
- *     6 | 0 1 1 0 | (2^112 + 2^56)G
- *     7 | 0 1 1 1 | (2^112 + 2^56 + 1)G
- *     8 | 1 0 0 0 | 2^168G
- *     9 | 1 0 0 1 | (2^168 + 1)G
- *    10 | 1 0 1 0 | (2^168 + 2^56)G
- *    11 | 1 0 1 1 | (2^168 + 2^56 + 1)G
- *    12 | 1 1 0 0 | (2^168 + 2^112)G
- *    13 | 1 1 0 1 | (2^168 + 2^112 + 1)G
- *    14 | 1 1 1 0 | (2^168 + 2^112 + 2^56)G
- *    15 | 1 1 1 1 | (2^168 + 2^112 + 2^56 + 1)G
- * followed by a copy of this with each element multiplied by 2^28.
- *
- * The reason for this is so that we can clock bits into four different
- * locations when doing simple scalar multiplies against the base point,
- * and then another four locations using the second 16 elements.
- */
-static const felem gmul[2][16][3] = {
-{{{0, 0, 0, 0},
-  {0, 0, 0, 0},
-  {0, 0, 0, 0}},
- {{0x3280d6115c1d21, 0xc1d356c2112234, 0x7f321390b94a03, 0xb70e0cbd6bb4bf},
-  {0xd5819985007e34, 0x75a05a07476444, 0xfb4c22dfe6cd43, 0xbd376388b5f723},
-  {1, 0, 0, 0}},
- {{0xfd9675666ebbe9, 0xbca7664d40ce5e, 0x2242df8d8a2a43, 0x1f49bbb0f99bc5},
-  {0x29e0b892dc9c43, 0xece8608436e662, 0xdc858f185310d0, 0x9812dd4eb8d321},
-  {1, 0, 0, 0}},
- {{0x6d3e678d5d8eb8, 0x559eed1cb362f1, 0x16e9a3bbce8a3f, 0xeedcccd8c2a748},
-  {0xf19f90ed50266d, 0xabf2b4bf65f9df, 0x313865468fafec, 0x5cb379ba910a17},
-  {1, 0, 0, 0}},
- {{0x0641966cab26e3, 0x91fb2991fab0a0, 0xefec27a4e13a0b, 0x0499aa8a5f8ebe},
-  {0x7510407766af5d, 0x84d929610d5450, 0x81d77aae82f706, 0x6916f6d4338c5b},
-  {1, 0, 0, 0}},
- {{0xea95ac3b1f15c6, 0x086000905e82d4, 0xdd323ae4d1c8b1, 0x932b56be7685a3},
-  {0x9ef93dea25dbbf, 0x41665960f390f0, 0xfdec76dbe2a8a7, 0x523e80f019062a},
-  {1, 0, 0, 0}},
- {{0x822fdd26732c73, 0xa01c83531b5d0f, 0x363f37347c1ba4, 0xc391b45c84725c},
-  {0xbbd5e1b2d6ad24, 0xddfbcde19dfaec, 0xc393da7e222a7f, 0x1efb7890ede244},
-  {1, 0, 0, 0}},
- {{0x4c9e90ca217da1, 0xd11beca79159bb, 0xff8d33c2c98b7c, 0x2610b39409f849},
-  {0x44d1352ac64da0, 0xcdbb7b2c46b4fb, 0x966c079b753c89, 0xfe67e4e820b112},
-  {1, 0, 0, 0}},
- {{0xe28cae2df5312d, 0xc71b61d16f5c6e, 0x79b7619a3e7c4c, 0x05c73240899b47},
-  {0x9f7f6382c73e3a, 0x18615165c56bda, 0x641fab2116fd56, 0x72855882b08394},
-  {1, 0, 0, 0}},
- {{0x0469182f161c09, 0x74a98ca8d00fb5, 0xb89da93489a3e0, 0x41c98768fb0c1d},
-  {0xe5ea05fb32da81, 0x3dce9ffbca6855, 0x1cfe2d3fbf59e6, 0x0e5e03408738a7},
-  {1, 0, 0, 0}},
- {{0xdab22b2333e87f, 0x4430137a5dd2f6, 0xe03ab9f738beb8, 0xcb0c5d0dc34f24},
-  {0x764a7df0c8fda5, 0x185ba5c3fa2044, 0x9281d688bcbe50, 0xc40331df893881},
-  {1, 0, 0, 0}},
- {{0xb89530796f0f60, 0xade92bd26909a3, 0x1a0c83fb4884da, 0x1765bf22a5a984},
-  {0x772a9ee75db09e, 0x23bc6c67cec16f, 0x4c1edba8b14e2f, 0xe2a215d9611369},
-  {1, 0, 0, 0}},
- {{0x571e509fb5efb3, 0xade88696410552, 0xc8ae85fada74fe, 0x6c7e4be83bbde3},
-  {0xff9f51160f4652, 0xb47ce2495a6539, 0xa2946c53b582f4, 0x286d2db3ee9a60},
-  {1, 0, 0, 0}},
- {{0x40bbd5081a44af, 0x0995183b13926c, 0xbcefba6f47f6d0, 0x215619e9cc0057},
-  {0x8bc94d3b0df45e, 0xf11c54a3694f6f, 0x8631b93cdfe8b5, 0xe7e3f4b0982db9},
-  {1, 0, 0, 0}},
- {{0xb17048ab3e1c7b, 0xac38f36ff8a1d8, 0x1c29819435d2c6, 0xc813132f4c07e9},
-  {0x2891425503b11f, 0x08781030579fea, 0xf5426ba5cc9674, 0x1e28ebf18562bc},
-  {1, 0, 0, 0}},
- {{0x9f31997cc864eb, 0x06cd91d28b5e4c, 0xff17036691a973, 0xf1aef351497c58},
-  {0xdd1f2d600564ff, 0xdead073b1402db, 0x74a684435bd693, 0xeea7471f962558},
-  {1, 0, 0, 0}}},
-{{{0, 0, 0, 0},
-  {0, 0, 0, 0},
-  {0, 0, 0, 0}},
- {{0x9665266dddf554, 0x9613d78b60ef2d, 0xce27a34cdba417, 0xd35ab74d6afc31},
-  {0x85ccdd22deb15e, 0x2137e5783a6aab, 0xa141cffd8c93c6, 0x355a1830e90f2d},
-  {1, 0, 0, 0}},
- {{0x1a494eadaade65, 0xd6da4da77fe53c, 0xe7992996abec86, 0x65c3553c6090e3},
-  {0xfa610b1fb09346, 0xf1c6540b8a4aaf, 0xc51a13ccd3cbab, 0x02995b1b18c28a},
-  {1, 0, 0, 0}},
- {{0x7874568e7295ef, 0x86b419fbe38d04, 0xdc0690a7550d9a, 0xd3966a44beac33},
-  {0x2b7280ec29132f, 0xbeaa3b6a032df3, 0xdc7dd88ae41200, 0xd25e2513e3a100},
-  {1, 0, 0, 0}},
- {{0x924857eb2efafd, 0xac2bce41223190, 0x8edaa1445553fc, 0x825800fd3562d5},
-  {0x8d79148ea96621, 0x23a01c3dd9ed8d, 0xaf8b219f9416b5, 0xd8db0cc277daea},
-  {1, 0, 0, 0}},
- {{0x76a9c3b1a700f0, 0xe9acd29bc7e691, 0x69212d1a6b0327, 0x6322e97fe154be},
-  {0x469fc5465d62aa, 0x8d41ed18883b05, 0x1f8eae66c52b88, 0xe4fcbe9325be51},
-  {1, 0, 0, 0}},
- {{0x825fdf583cac16, 0x020b857c7b023a, 0x683c17744b0165, 0x14ffd0a2daf2f1},
-  {0x323b36184218f9, 0x4944ec4e3b47d4, 0xc15b3080841acf, 0x0bced4b01a28bb},
-  {1, 0, 0, 0}},
- {{0x92ac22230df5c4, 0x52f33b4063eda8, 0xcb3f19870c0c93, 0x40064f2ba65233},
-  {0xfe16f0924f8992, 0x012da25af5b517, 0x1a57bb24f723a6, 0x06f8bc76760def},
-  {1, 0, 0, 0}},
- {{0x4a7084f7817cb9, 0xbcab0738ee9a78, 0x3ec11e11d9c326, 0xdc0fe90e0f1aae},
-  {0xcf639ea5f98390, 0x5c350aa22ffb74, 0x9afae98a4047b7, 0x956ec2d617fc45},
-  {1, 0, 0, 0}},
- {{0x4306d648c1be6a, 0x9247cd8bc9a462, 0xf5595e377d2f2e, 0xbd1c3caff1a52e},
-  {0x045e14472409d0, 0x29f3e17078f773, 0x745a602b2d4f7d, 0x191837685cdfbb},
-  {1, 0, 0, 0}},
- {{0x5b6ee254a8cb79, 0x4953433f5e7026, 0xe21faeb1d1def4, 0xc4c225785c09de},
-  {0x307ce7bba1e518, 0x31b125b1036db8, 0x47e91868839e8f, 0xc765866e33b9f3},
-  {1, 0, 0, 0}},
- {{0x3bfece24f96906, 0x4794da641e5093, 0xde5df64f95db26, 0x297ecd89714b05},
-  {0x701bd3ebb2c3aa, 0x7073b4f53cb1d5, 0x13c5665658af16, 0x9895089d66fe58},
-  {1, 0, 0, 0}},
- {{0x0fef05f78c4790, 0x2d773633b05d2e, 0x94229c3a951c94, 0xbbbd70df4911bb},
-  {0xb2c6963d2c1168, 0x105f47a72b0d73, 0x9fdf6111614080, 0x7b7e94b39e67b0},
-  {1, 0, 0, 0}},
- {{0xad1a7d6efbe2b3, 0xf012482c0da69d, 0x6b3bdf12438345, 0x40d7558d7aa4d9},
-  {0x8a09fffb5c6d3d, 0x9a356e5d9ffd38, 0x5973f15f4f9b1c, 0xdcd5f59f63c3ea},
-  {1, 0, 0, 0}},
- {{0xacf39f4c5ca7ab, 0x4c8071cc5fd737, 0xc64e3602cd1184, 0x0acd4644c9abba},
-  {0x6c011a36d8bf6e, 0xfecd87ba24e32a, 0x19f6f56574fad8, 0x050b204ced9405},
-  {1, 0, 0, 0}},
- {{0xed4f1cae7d9a96, 0x5ceef7ad94c40a, 0x778e4a3bf3ef9b, 0x7405783dc3b55e},
-  {0x32477c61b6e8c6, 0xb46a97570f018b, 0x91176d0a7e95d1, 0x3df90fbc4c7d0e},
-  {1, 0, 0, 0}}}
-};
-
-/* Precomputation for the group generator. */
-struct nistp224_pre_comp_st {
-    felem g_pre_comp[2][16][3];
-    CRYPTO_REF_COUNT references;
-    CRYPTO_RWLOCK *lock;
-};
-
-const EC_METHOD *EC_GFp_nistp224_method(void)
-{
-    static const EC_METHOD ret = {
-        EC_FLAGS_DEFAULT_OCT,
-        NID_X9_62_prime_field,
-        ossl_ec_GFp_nistp224_group_init,
-        ossl_ec_GFp_simple_group_finish,
-        ossl_ec_GFp_simple_group_clear_finish,
-        ossl_ec_GFp_nist_group_copy,
-        ossl_ec_GFp_nistp224_group_set_curve,
-        ossl_ec_GFp_simple_group_get_curve,
-        ossl_ec_GFp_simple_group_get_degree,
-        ossl_ec_group_simple_order_bits,
-        ossl_ec_GFp_simple_group_check_discriminant,
-        ossl_ec_GFp_simple_point_init,
-        ossl_ec_GFp_simple_point_finish,
-        ossl_ec_GFp_simple_point_clear_finish,
-        ossl_ec_GFp_simple_point_copy,
-        ossl_ec_GFp_simple_point_set_to_infinity,
-        ossl_ec_GFp_simple_point_set_affine_coordinates,
-        ossl_ec_GFp_nistp224_point_get_affine_coordinates,
-        0 /* point_set_compressed_coordinates */ ,
-        0 /* point2oct */ ,
-        0 /* oct2point */ ,
-        ossl_ec_GFp_simple_add,
-        ossl_ec_GFp_simple_dbl,
-        ossl_ec_GFp_simple_invert,
-        ossl_ec_GFp_simple_is_at_infinity,
-        ossl_ec_GFp_simple_is_on_curve,
-        ossl_ec_GFp_simple_cmp,
-        ossl_ec_GFp_simple_make_affine,
-        ossl_ec_GFp_simple_points_make_affine,
-        ossl_ec_GFp_nistp224_points_mul,
-        ossl_ec_GFp_nistp224_precompute_mult,
-        ossl_ec_GFp_nistp224_have_precompute_mult,
-        ossl_ec_GFp_nist_field_mul,
-        ossl_ec_GFp_nist_field_sqr,
-        0 /* field_div */ ,
-        ossl_ec_GFp_simple_field_inv,
-        0 /* field_encode */ ,
-        0 /* field_decode */ ,
-        0,                      /* field_set_to_one */
-        ossl_ec_key_simple_priv2oct,
-        ossl_ec_key_simple_oct2priv,
-        0, /* set private */
-        ossl_ec_key_simple_generate_key,
-        ossl_ec_key_simple_check_key,
-        ossl_ec_key_simple_generate_public_key,
-        0, /* keycopy */
-        0, /* keyfinish */
-        ossl_ecdh_simple_compute_key,
-        ossl_ecdsa_simple_sign_setup,
-        ossl_ecdsa_simple_sign_sig,
-        ossl_ecdsa_simple_verify_sig,
-        0, /* field_inverse_mod_ord */
-        0, /* blind_coordinates */
-        0, /* ladder_pre */
-        0, /* ladder_step */
-        0  /* ladder_post */
-    };
-
-    return &ret;
-}
-
-/*
- * Helper functions to convert field elements to/from internal representation
- */
-static void bin28_to_felem(felem out, const u8 in[28])
-{
-    out[0] = *((const limb *)(in)) & 0x00ffffffffffffff;
-    out[1] = (*((const limb_aX *)(in + 7))) & 0x00ffffffffffffff;
-    out[2] = (*((const limb_aX *)(in + 14))) & 0x00ffffffffffffff;
-    out[3] = (*((const limb_aX *)(in + 20))) >> 8;
-}
-
-static void felem_to_bin28(u8 out[28], const felem in)
-{
-    unsigned i;
-    for (i = 0; i < 7; ++i) {
-        out[i] = in[0] >> (8 * i);
-        out[i + 7] = in[1] >> (8 * i);
-        out[i + 14] = in[2] >> (8 * i);
-        out[i + 21] = in[3] >> (8 * i);
-    }
-}
-
-/* From OpenSSL BIGNUM to internal representation */
-static int BN_to_felem(felem out, const BIGNUM *bn)
-{
-    felem_bytearray b_out;
-    int num_bytes;
-
-    if (BN_is_negative(bn)) {
-        ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-        return 0;
-    }
-    num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
-    if (num_bytes < 0) {
-        ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-        return 0;
-    }
-    bin28_to_felem(out, b_out);
-    return 1;
-}
-
-/* From internal representation to OpenSSL BIGNUM */
-static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
-{
-    felem_bytearray b_out;
-    felem_to_bin28(b_out, in);
-    return BN_lebin2bn(b_out, sizeof(b_out), out);
-}
-
-/******************************************************************************/
-/*-
- *                              FIELD OPERATIONS
- *
- * Field operations, using the internal representation of field elements.
- * NB! These operations are specific to our point multiplication and cannot be
- * expected to be correct in general - e.g., multiplication with a large scalar
- * will cause an overflow.
- *
- */
-
-static void felem_one(felem out)
-{
-    out[0] = 1;
-    out[1] = 0;
-    out[2] = 0;
-    out[3] = 0;
-}
-
-static void felem_assign(felem out, const felem in)
-{
-    out[0] = in[0];
-    out[1] = in[1];
-    out[2] = in[2];
-    out[3] = in[3];
-}
-
-/* Sum two field elements: out += in */
-static void felem_sum(felem out, const felem in)
-{
-    out[0] += in[0];
-    out[1] += in[1];
-    out[2] += in[2];
-    out[3] += in[3];
-}
-
-/* Subtract field elements: out -= in */
-/* Assumes in[i] < 2^57 */
-static void felem_diff(felem out, const felem in)
-{
-    static const limb two58p2 = (((limb) 1) << 58) + (((limb) 1) << 2);
-    static const limb two58m2 = (((limb) 1) << 58) - (((limb) 1) << 2);
-    static const limb two58m42m2 = (((limb) 1) << 58) -
-        (((limb) 1) << 42) - (((limb) 1) << 2);
-
-    /* Add 0 mod 2^224-2^96+1 to ensure out > in */
-    out[0] += two58p2;
-    out[1] += two58m42m2;
-    out[2] += two58m2;
-    out[3] += two58m2;
-
-    out[0] -= in[0];
-    out[1] -= in[1];
-    out[2] -= in[2];
-    out[3] -= in[3];
-}
-
-/* Subtract in unreduced 128-bit mode: out -= in */
-/* Assumes in[i] < 2^119 */
-static void widefelem_diff(widefelem out, const widefelem in)
-{
-    static const widelimb two120 = ((widelimb) 1) << 120;
-    static const widelimb two120m64 = (((widelimb) 1) << 120) -
-        (((widelimb) 1) << 64);
-    static const widelimb two120m104m64 = (((widelimb) 1) << 120) -
-        (((widelimb) 1) << 104) - (((widelimb) 1) << 64);
-
-    /* Add 0 mod 2^224-2^96+1 to ensure out > in */
-    out[0] += two120;
-    out[1] += two120m64;
-    out[2] += two120m64;
-    out[3] += two120;
-    out[4] += two120m104m64;
-    out[5] += two120m64;
-    out[6] += two120m64;
-
-    out[0] -= in[0];
-    out[1] -= in[1];
-    out[2] -= in[2];
-    out[3] -= in[3];
-    out[4] -= in[4];
-    out[5] -= in[5];
-    out[6] -= in[6];
-}
-
-/* Subtract in mixed mode: out128 -= in64 */
-/* in[i] < 2^63 */
-static void felem_diff_128_64(widefelem out, const felem in)
-{
-    static const widelimb two64p8 = (((widelimb) 1) << 64) +
-        (((widelimb) 1) << 8);
-    static const widelimb two64m8 = (((widelimb) 1) << 64) -
-        (((widelimb) 1) << 8);
-    static const widelimb two64m48m8 = (((widelimb) 1) << 64) -
-        (((widelimb) 1) << 48) - (((widelimb) 1) << 8);
-
-    /* Add 0 mod 2^224-2^96+1 to ensure out > in */
-    out[0] += two64p8;
-    out[1] += two64m48m8;
-    out[2] += two64m8;
-    out[3] += two64m8;
-
-    out[0] -= in[0];
-    out[1] -= in[1];
-    out[2] -= in[2];
-    out[3] -= in[3];
-}
-
-/*
- * Multiply a field element by a scalar: out = out * scalar The scalars we
- * actually use are small, so results fit without overflow
- */
-static void felem_scalar(felem out, const limb scalar)
-{
-    out[0] *= scalar;
-    out[1] *= scalar;
-    out[2] *= scalar;
-    out[3] *= scalar;
-}
-
-/*
- * Multiply an unreduced field element by a scalar: out = out * scalar The
- * scalars we actually use are small, so results fit without overflow
- */
-static void widefelem_scalar(widefelem out, const widelimb scalar)
-{
-    out[0] *= scalar;
-    out[1] *= scalar;
-    out[2] *= scalar;
-    out[3] *= scalar;
-    out[4] *= scalar;
-    out[5] *= scalar;
-    out[6] *= scalar;
-}
-
-/* Square a field element: out = in^2 */
-static void felem_square(widefelem out, const felem in)
-{
-    limb tmp0, tmp1, tmp2;
-    tmp0 = 2 * in[0];
-    tmp1 = 2 * in[1];
-    tmp2 = 2 * in[2];
-    out[0] = ((widelimb) in[0]) * in[0];
-    out[1] = ((widelimb) in[0]) * tmp1;
-    out[2] = ((widelimb) in[0]) * tmp2 + ((widelimb) in[1]) * in[1];
-    out[3] = ((widelimb) in[3]) * tmp0 + ((widelimb) in[1]) * tmp2;
-    out[4] = ((widelimb) in[3]) * tmp1 + ((widelimb) in[2]) * in[2];
-    out[5] = ((widelimb) in[3]) * tmp2;
-    out[6] = ((widelimb) in[3]) * in[3];
-}
-
-/* Multiply two field elements: out = in1 * in2 */
-static void felem_mul(widefelem out, const felem in1, const felem in2)
-{
-    out[0] = ((widelimb) in1[0]) * in2[0];
-    out[1] = ((widelimb) in1[0]) * in2[1] + ((widelimb) in1[1]) * in2[0];
-    out[2] = ((widelimb) in1[0]) * in2[2] + ((widelimb) in1[1]) * in2[1] +
-             ((widelimb) in1[2]) * in2[0];
-    out[3] = ((widelimb) in1[0]) * in2[3] + ((widelimb) in1[1]) * in2[2] +
-             ((widelimb) in1[2]) * in2[1] + ((widelimb) in1[3]) * in2[0];
-    out[4] = ((widelimb) in1[1]) * in2[3] + ((widelimb) in1[2]) * in2[2] +
-             ((widelimb) in1[3]) * in2[1];
-    out[5] = ((widelimb) in1[2]) * in2[3] + ((widelimb) in1[3]) * in2[2];
-    out[6] = ((widelimb) in1[3]) * in2[3];
-}
-
-/*-
- * Reduce seven 128-bit coefficients to four 64-bit coefficients.
- * Requires in[i] < 2^126,
- * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16 */
-static void felem_reduce(felem out, const widefelem in)
-{
-    static const widelimb two127p15 = (((widelimb) 1) << 127) +
-        (((widelimb) 1) << 15);
-    static const widelimb two127m71 = (((widelimb) 1) << 127) -
-        (((widelimb) 1) << 71);
-    static const widelimb two127m71m55 = (((widelimb) 1) << 127) -
-        (((widelimb) 1) << 71) - (((widelimb) 1) << 55);
-    widelimb output[5];
-
-    /* Add 0 mod 2^224-2^96+1 to ensure all differences are positive */
-    output[0] = in[0] + two127p15;
-    output[1] = in[1] + two127m71m55;
-    output[2] = in[2] + two127m71;
-    output[3] = in[3];
-    output[4] = in[4];
-
-    /* Eliminate in[4], in[5], in[6] */
-    output[4] += in[6] >> 16;
-    output[3] += (in[6] & 0xffff) << 40;
-    output[2] -= in[6];
-
-    output[3] += in[5] >> 16;
-    output[2] += (in[5] & 0xffff) << 40;
-    output[1] -= in[5];
-
-    output[2] += output[4] >> 16;
-    output[1] += (output[4] & 0xffff) << 40;
-    output[0] -= output[4];
-
-    /* Carry 2 -> 3 -> 4 */
-    output[3] += output[2] >> 56;
-    output[2] &= 0x00ffffffffffffff;
-
-    output[4] = output[3] >> 56;
-    output[3] &= 0x00ffffffffffffff;
-
-    /* Now output[2] < 2^56, output[3] < 2^56, output[4] < 2^72 */
-
-    /* Eliminate output[4] */
-    output[2] += output[4] >> 16;
-    /* output[2] < 2^56 + 2^56 = 2^57 */
-    output[1] += (output[4] & 0xffff) << 40;
-    output[0] -= output[4];
-
-    /* Carry 0 -> 1 -> 2 -> 3 */
-    output[1] += output[0] >> 56;
-    out[0] = output[0] & 0x00ffffffffffffff;
-
-    output[2] += output[1] >> 56;
-    /* output[2] < 2^57 + 2^72 */
-    out[1] = output[1] & 0x00ffffffffffffff;
-    output[3] += output[2] >> 56;
-    /* output[3] <= 2^56 + 2^16 */
-    out[2] = output[2] & 0x00ffffffffffffff;
-
-    /*-
-     * out[0] < 2^56, out[1] < 2^56, out[2] < 2^56,
-     * out[3] <= 2^56 + 2^16 (due to final carry),
-     * so out < 2*p
-     */
-    out[3] = output[3];
-}
-
-static void felem_square_reduce(felem out, const felem in)
-{
-    widefelem tmp;
-    felem_square(tmp, in);
-    felem_reduce(out, tmp);
-}
-
-static void felem_mul_reduce(felem out, const felem in1, const felem in2)
-{
-    widefelem tmp;
-    felem_mul(tmp, in1, in2);
-    felem_reduce(out, tmp);
-}
-
-/*
- * Reduce to unique minimal representation. Requires 0 <= in < 2*p (always
- * call felem_reduce first)
- */
-static void felem_contract(felem out, const felem in)
-{
-    static const int64_t two56 = ((limb) 1) << 56;
-    /* 0 <= in < 2*p, p = 2^224 - 2^96 + 1 */
-    /* if in > p , reduce in = in - 2^224 + 2^96 - 1 */
-    int64_t tmp[4], a;
-    tmp[0] = in[0];
-    tmp[1] = in[1];
-    tmp[2] = in[2];
-    tmp[3] = in[3];
-    /* Case 1: a = 1 iff in >= 2^224 */
-    a = (in[3] >> 56);
-    tmp[0] -= a;
-    tmp[1] += a << 40;
-    tmp[3] &= 0x00ffffffffffffff;
-    /*
-     * Case 2: a = 0 iff p <= in < 2^224, i.e., the high 128 bits are all 1
-     * and the lower part is non-zero
-     */
-    a = ((in[3] & in[2] & (in[1] | 0x000000ffffffffff)) + 1) |
-        (((int64_t) (in[0] + (in[1] & 0x000000ffffffffff)) - 1) >> 63);
-    a &= 0x00ffffffffffffff;
-    /* turn a into an all-one mask (if a = 0) or an all-zero mask */
-    a = (a - 1) >> 63;
-    /* subtract 2^224 - 2^96 + 1 if a is all-one */
-    tmp[3] &= a ^ 0xffffffffffffffff;
-    tmp[2] &= a ^ 0xffffffffffffffff;
-    tmp[1] &= (a ^ 0xffffffffffffffff) | 0x000000ffffffffff;
-    tmp[0] -= 1 & a;
-
-    /*
-     * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be
-     * non-zero, so we only need one step
-     */
-    a = tmp[0] >> 63;
-    tmp[0] += two56 & a;
-    tmp[1] -= 1 & a;
-
-    /* carry 1 -> 2 -> 3 */
-    tmp[2] += tmp[1] >> 56;
-    tmp[1] &= 0x00ffffffffffffff;
-
-    tmp[3] += tmp[2] >> 56;
-    tmp[2] &= 0x00ffffffffffffff;
-
-    /* Now 0 <= out < p */
-    out[0] = tmp[0];
-    out[1] = tmp[1];
-    out[2] = tmp[2];
-    out[3] = tmp[3];
-}
-
-/*
- * Get negative value: out = -in
- * Requires in[i] < 2^63,
- * ensures out[0] < 2^56, out[1] < 2^56, out[2] < 2^56, out[3] <= 2^56 + 2^16
- */
-static void felem_neg(felem out, const felem in)
-{
-    widefelem tmp;
-
-    memset(tmp, 0, sizeof(tmp));
-    felem_diff_128_64(tmp, in);
-    felem_reduce(out, tmp);
-}
-
-/*
- * Zero-check: returns 1 if input is 0, and 0 otherwise. We know that field
- * elements are reduced to in < 2^225, so we only need to check three cases:
- * 0, 2^224 - 2^96 + 1, and 2^225 - 2^97 + 2
- */
-static limb felem_is_zero(const felem in)
-{
-    limb zero, two224m96p1, two225m97p2;
-
-    zero = in[0] | in[1] | in[2] | in[3];
-    zero = (((int64_t) (zero) - 1) >> 63) & 1;
-    two224m96p1 = (in[0] ^ 1) | (in[1] ^ 0x00ffff0000000000)
-        | (in[2] ^ 0x00ffffffffffffff) | (in[3] ^ 0x00ffffffffffffff);
-    two224m96p1 = (((int64_t) (two224m96p1) - 1) >> 63) & 1;
-    two225m97p2 = (in[0] ^ 2) | (in[1] ^ 0x00fffe0000000000)
-        | (in[2] ^ 0x00ffffffffffffff) | (in[3] ^ 0x01ffffffffffffff);
-    two225m97p2 = (((int64_t) (two225m97p2) - 1) >> 63) & 1;
-    return (zero | two224m96p1 | two225m97p2);
-}
-
-static int felem_is_zero_int(const void *in)
-{
-    return (int)(felem_is_zero(in) & ((limb) 1));
-}
-
-/* Invert a field element */
-/* Computation chain copied from djb's code */
-static void felem_inv(felem out, const felem in)
-{
-    felem ftmp, ftmp2, ftmp3, ftmp4;
-    widefelem tmp;
-    unsigned i;
-
-    felem_square(tmp, in);
-    felem_reduce(ftmp, tmp);    /* 2 */
-    felem_mul(tmp, in, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^2 - 1 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^3 - 2 */
-    felem_mul(tmp, in, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^3 - 1 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp2, tmp);   /* 2^4 - 2 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp2, tmp);   /* 2^5 - 4 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp2, tmp);   /* 2^6 - 8 */
-    felem_mul(tmp, ftmp2, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^6 - 1 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp2, tmp);   /* 2^7 - 2 */
-    for (i = 0; i < 5; ++i) {   /* 2^12 - 2^6 */
-        felem_square(tmp, ftmp2);
-        felem_reduce(ftmp2, tmp);
-    }
-    felem_mul(tmp, ftmp2, ftmp);
-    felem_reduce(ftmp2, tmp);   /* 2^12 - 1 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^13 - 2 */
-    for (i = 0; i < 11; ++i) {  /* 2^24 - 2^12 */
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp);
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp2, tmp);   /* 2^24 - 1 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^25 - 2 */
-    for (i = 0; i < 23; ++i) {  /* 2^48 - 2^24 */
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp);
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^48 - 1 */
-    felem_square(tmp, ftmp3);
-    felem_reduce(ftmp4, tmp);   /* 2^49 - 2 */
-    for (i = 0; i < 47; ++i) {  /* 2^96 - 2^48 */
-        felem_square(tmp, ftmp4);
-        felem_reduce(ftmp4, tmp);
-    }
-    felem_mul(tmp, ftmp3, ftmp4);
-    felem_reduce(ftmp3, tmp);   /* 2^96 - 1 */
-    felem_square(tmp, ftmp3);
-    felem_reduce(ftmp4, tmp);   /* 2^97 - 2 */
-    for (i = 0; i < 23; ++i) {  /* 2^120 - 2^24 */
-        felem_square(tmp, ftmp4);
-        felem_reduce(ftmp4, tmp);
-    }
-    felem_mul(tmp, ftmp2, ftmp4);
-    felem_reduce(ftmp2, tmp);   /* 2^120 - 1 */
-    for (i = 0; i < 6; ++i) {   /* 2^126 - 2^6 */
-        felem_square(tmp, ftmp2);
-        felem_reduce(ftmp2, tmp);
-    }
-    felem_mul(tmp, ftmp2, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^126 - 1 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^127 - 2 */
-    felem_mul(tmp, ftmp, in);
-    felem_reduce(ftmp, tmp);    /* 2^127 - 1 */
-    for (i = 0; i < 97; ++i) {  /* 2^224 - 2^97 */
-        felem_square(tmp, ftmp);
-        felem_reduce(ftmp, tmp);
-    }
-    felem_mul(tmp, ftmp, ftmp3);
-    felem_reduce(out, tmp);     /* 2^224 - 2^96 - 1 */
-}
-
-/*
- * Copy in constant time: if icopy == 1, copy in to out, if icopy == 0, copy
- * out to itself.
- */
-static void copy_conditional(felem out, const felem in, limb icopy)
-{
-    unsigned i;
-    /*
-     * icopy is a (64-bit) 0 or 1, so copy is either all-zero or all-one
-     */
-    const limb copy = -icopy;
-    for (i = 0; i < 4; ++i) {
-        const limb tmp = copy & (in[i] ^ out[i]);
-        out[i] ^= tmp;
-    }
-}
-
-/******************************************************************************/
-/*-
- *                       ELLIPTIC CURVE POINT OPERATIONS
- *
- * Points are represented in Jacobian projective coordinates:
- * (X, Y, Z) corresponds to the affine point (X/Z^2, Y/Z^3),
- * or to the point at infinity if Z == 0.
- *
- */
-
-/*-
- * Double an elliptic curve point:
- * (X', Y', Z') = 2 * (X, Y, Z), where
- * X' = (3 * (X - Z^2) * (X + Z^2))^2 - 8 * X * Y^2
- * Y' = 3 * (X - Z^2) * (X + Z^2) * (4 * X * Y^2 - X') - 8 * Y^4
- * Z' = (Y + Z)^2 - Y^2 - Z^2 = 2 * Y * Z
- * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed,
- * while x_out == y_in is not (maybe this works, but it's not tested).
- */
-static void
-point_double(felem x_out, felem y_out, felem z_out,
-             const felem x_in, const felem y_in, const felem z_in)
-{
-    widefelem tmp, tmp2;
-    felem delta, gamma, beta, alpha, ftmp, ftmp2;
-
-    felem_assign(ftmp, x_in);
-    felem_assign(ftmp2, x_in);
-
-    /* delta = z^2 */
-    felem_square(tmp, z_in);
-    felem_reduce(delta, tmp);
-
-    /* gamma = y^2 */
-    felem_square(tmp, y_in);
-    felem_reduce(gamma, tmp);
-
-    /* beta = x*gamma */
-    felem_mul(tmp, x_in, gamma);
-    felem_reduce(beta, tmp);
-
-    /* alpha = 3*(x-delta)*(x+delta) */
-    felem_diff(ftmp, delta);
-    /* ftmp[i] < 2^57 + 2^58 + 2 < 2^59 */
-    felem_sum(ftmp2, delta);
-    /* ftmp2[i] < 2^57 + 2^57 = 2^58 */
-    felem_scalar(ftmp2, 3);
-    /* ftmp2[i] < 3 * 2^58 < 2^60 */
-    felem_mul(tmp, ftmp, ftmp2);
-    /* tmp[i] < 2^60 * 2^59 * 4 = 2^121 */
-    felem_reduce(alpha, tmp);
-
-    /* x' = alpha^2 - 8*beta */
-    felem_square(tmp, alpha);
-    /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
-    felem_assign(ftmp, beta);
-    felem_scalar(ftmp, 8);
-    /* ftmp[i] < 8 * 2^57 = 2^60 */
-    felem_diff_128_64(tmp, ftmp);
-    /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
-    felem_reduce(x_out, tmp);
-
-    /* z' = (y + z)^2 - gamma - delta */
-    felem_sum(delta, gamma);
-    /* delta[i] < 2^57 + 2^57 = 2^58 */
-    felem_assign(ftmp, y_in);
-    felem_sum(ftmp, z_in);
-    /* ftmp[i] < 2^57 + 2^57 = 2^58 */
-    felem_square(tmp, ftmp);
-    /* tmp[i] < 4 * 2^58 * 2^58 = 2^118 */
-    felem_diff_128_64(tmp, delta);
-    /* tmp[i] < 2^118 + 2^64 + 8 < 2^119 */
-    felem_reduce(z_out, tmp);
-
-    /* y' = alpha*(4*beta - x') - 8*gamma^2 */
-    felem_scalar(beta, 4);
-    /* beta[i] < 4 * 2^57 = 2^59 */
-    felem_diff(beta, x_out);
-    /* beta[i] < 2^59 + 2^58 + 2 < 2^60 */
-    felem_mul(tmp, alpha, beta);
-    /* tmp[i] < 4 * 2^57 * 2^60 = 2^119 */
-    felem_square(tmp2, gamma);
-    /* tmp2[i] < 4 * 2^57 * 2^57 = 2^116 */
-    widefelem_scalar(tmp2, 8);
-    /* tmp2[i] < 8 * 2^116 = 2^119 */
-    widefelem_diff(tmp, tmp2);
-    /* tmp[i] < 2^119 + 2^120 < 2^121 */
-    felem_reduce(y_out, tmp);
-}
-
-/*-
- * Add two elliptic curve points:
- * (X_1, Y_1, Z_1) + (X_2, Y_2, Z_2) = (X_3, Y_3, Z_3), where
- * X_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1)^2 - (Z_1^2 * X_2 - Z_2^2 * X_1)^3 -
- * 2 * Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2
- * Y_3 = (Z_1^3 * Y_2 - Z_2^3 * Y_1) * (Z_2^2 * X_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^2 - X_3) -
- *        Z_2^3 * Y_1 * (Z_1^2 * X_2 - Z_2^2 * X_1)^3
- * Z_3 = (Z_1^2 * X_2 - Z_2^2 * X_1) * (Z_1 * Z_2)
- *
- * This runs faster if 'mixed' is set, which requires Z_2 = 1 or Z_2 = 0.
- */
-
-/*
- * This function is not entirely constant-time: it includes a branch for
- * checking whether the two input points are equal, (while not equal to the
- * point at infinity). This case never happens during single point
- * multiplication, so there is no timing leak for ECDH or ECDSA signing.
- */
-static void point_add(felem x3, felem y3, felem z3,
-                      const felem x1, const felem y1, const felem z1,
-                      const int mixed, const felem x2, const felem y2,
-                      const felem z2)
-{
-    felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, x_out, y_out, z_out;
-    widefelem tmp, tmp2;
-    limb z1_is_zero, z2_is_zero, x_equal, y_equal;
-    limb points_equal;
-
-    if (!mixed) {
-        /* ftmp2 = z2^2 */
-        felem_square(tmp, z2);
-        felem_reduce(ftmp2, tmp);
-
-        /* ftmp4 = z2^3 */
-        felem_mul(tmp, ftmp2, z2);
-        felem_reduce(ftmp4, tmp);
-
-        /* ftmp4 = z2^3*y1 */
-        felem_mul(tmp2, ftmp4, y1);
-        felem_reduce(ftmp4, tmp2);
-
-        /* ftmp2 = z2^2*x1 */
-        felem_mul(tmp2, ftmp2, x1);
-        felem_reduce(ftmp2, tmp2);
-    } else {
-        /*
-         * We'll assume z2 = 1 (special case z2 = 0 is handled later)
-         */
-
-        /* ftmp4 = z2^3*y1 */
-        felem_assign(ftmp4, y1);
-
-        /* ftmp2 = z2^2*x1 */
-        felem_assign(ftmp2, x1);
-    }
-
-    /* ftmp = z1^2 */
-    felem_square(tmp, z1);
-    felem_reduce(ftmp, tmp);
-
-    /* ftmp3 = z1^3 */
-    felem_mul(tmp, ftmp, z1);
-    felem_reduce(ftmp3, tmp);
-
-    /* tmp = z1^3*y2 */
-    felem_mul(tmp, ftmp3, y2);
-    /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
-
-    /* ftmp3 = z1^3*y2 - z2^3*y1 */
-    felem_diff_128_64(tmp, ftmp4);
-    /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
-    felem_reduce(ftmp3, tmp);
-
-    /* tmp = z1^2*x2 */
-    felem_mul(tmp, ftmp, x2);
-    /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
-
-    /* ftmp = z1^2*x2 - z2^2*x1 */
-    felem_diff_128_64(tmp, ftmp2);
-    /* tmp[i] < 2^116 + 2^64 + 8 < 2^117 */
-    felem_reduce(ftmp, tmp);
-
-    /*
-     * The formulae are incorrect if the points are equal, in affine coordinates
-     * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
-     * happens.
-     *
-     * We use bitwise operations to avoid potential side-channels introduced by
-     * the short-circuiting behaviour of boolean operators.
-     */
-    x_equal = felem_is_zero(ftmp);
-    y_equal = felem_is_zero(ftmp3);
-    /*
-     * The special case of either point being the point at infinity (z1 and/or
-     * z2 are zero), is handled separately later on in this function, so we
-     * avoid jumping to point_double here in those special cases.
-     */
-    z1_is_zero = felem_is_zero(z1);
-    z2_is_zero = felem_is_zero(z2);
-
-    /*
-     * Compared to `ecp_nistp256.c` and `ecp_nistp521.c`, in this
-     * specific implementation `felem_is_zero()` returns truth as `0x1`
-     * (rather than `0xff..ff`).
-     *
-     * This implies that `~true` in this implementation becomes
-     * `0xff..fe` (rather than `0x0`): for this reason, to be used in
-     * the if expression, we mask out only the last bit in the next
-     * line.
-     */
-    points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)) & 1;
-
-    if (points_equal) {
-        /*
-         * This is obviously not constant-time but, as mentioned before, this
-         * case never happens during single point multiplication, so there is no
-         * timing leak for ECDH or ECDSA signing.
-         */
-        point_double(x3, y3, z3, x1, y1, z1);
-        return;
-    }
-
-    /* ftmp5 = z1*z2 */
-    if (!mixed) {
-        felem_mul(tmp, z1, z2);
-        felem_reduce(ftmp5, tmp);
-    } else {
-        /* special case z2 = 0 is handled later */
-        felem_assign(ftmp5, z1);
-    }
-
-    /* z_out = (z1^2*x2 - z2^2*x1)*(z1*z2) */
-    felem_mul(tmp, ftmp, ftmp5);
-    felem_reduce(z_out, tmp);
-
-    /* ftmp = (z1^2*x2 - z2^2*x1)^2 */
-    felem_assign(ftmp5, ftmp);
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);
-
-    /* ftmp5 = (z1^2*x2 - z2^2*x1)^3 */
-    felem_mul(tmp, ftmp, ftmp5);
-    felem_reduce(ftmp5, tmp);
-
-    /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
-    felem_mul(tmp, ftmp2, ftmp);
-    felem_reduce(ftmp2, tmp);
-
-    /* tmp = z2^3*y1*(z1^2*x2 - z2^2*x1)^3 */
-    felem_mul(tmp, ftmp4, ftmp5);
-    /* tmp[i] < 4 * 2^57 * 2^57 = 2^116 */
-
-    /* tmp2 = (z1^3*y2 - z2^3*y1)^2 */
-    felem_square(tmp2, ftmp3);
-    /* tmp2[i] < 4 * 2^57 * 2^57 < 2^116 */
-
-    /* tmp2 = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 */
-    felem_diff_128_64(tmp2, ftmp5);
-    /* tmp2[i] < 2^116 + 2^64 + 8 < 2^117 */
-
-    /* ftmp5 = 2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2 */
-    felem_assign(ftmp5, ftmp2);
-    felem_scalar(ftmp5, 2);
-    /* ftmp5[i] < 2 * 2^57 = 2^58 */
-
-    /*-
-     * x_out = (z1^3*y2 - z2^3*y1)^2 - (z1^2*x2 - z2^2*x1)^3 -
-     *  2*z2^2*x1*(z1^2*x2 - z2^2*x1)^2
-     */
-    felem_diff_128_64(tmp2, ftmp5);
-    /* tmp2[i] < 2^117 + 2^64 + 8 < 2^118 */
-    felem_reduce(x_out, tmp2);
-
-    /* ftmp2 = z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out */
-    felem_diff(ftmp2, x_out);
-    /* ftmp2[i] < 2^57 + 2^58 + 2 < 2^59 */
-
-    /*
-     * tmp2 = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out)
-     */
-    felem_mul(tmp2, ftmp3, ftmp2);
-    /* tmp2[i] < 4 * 2^57 * 2^59 = 2^118 */
-
-    /*-
-     * y_out = (z1^3*y2 - z2^3*y1)*(z2^2*x1*(z1^2*x2 - z2^2*x1)^2 - x_out) -
-     *  z2^3*y1*(z1^2*x2 - z2^2*x1)^3
-     */
-    widefelem_diff(tmp2, tmp);
-    /* tmp2[i] < 2^118 + 2^120 < 2^121 */
-    felem_reduce(y_out, tmp2);
-
-    /*
-     * the result (x_out, y_out, z_out) is incorrect if one of the inputs is
-     * the point at infinity, so we need to check for this separately
-     */
-
-    /*
-     * if point 1 is at infinity, copy point 2 to output, and vice versa
-     */
-    copy_conditional(x_out, x2, z1_is_zero);
-    copy_conditional(x_out, x1, z2_is_zero);
-    copy_conditional(y_out, y2, z1_is_zero);
-    copy_conditional(y_out, y1, z2_is_zero);
-    copy_conditional(z_out, z2, z1_is_zero);
-    copy_conditional(z_out, z1, z2_is_zero);
-    felem_assign(x3, x_out);
-    felem_assign(y3, y_out);
-    felem_assign(z3, z_out);
-}
-
-/*
- * select_point selects the |idx|th point from a precomputation table and
- * copies it to out.
- * The pre_comp array argument should be size of |size| argument
- */
-static void select_point(const u64 idx, unsigned int size,
-                         const felem pre_comp[][3], felem out[3])
-{
-    unsigned i, j;
-    limb *outlimbs = &out[0][0];
-
-    memset(out, 0, sizeof(*out) * 3);
-    for (i = 0; i < size; i++) {
-        const limb *inlimbs = &pre_comp[i][0][0];
-        u64 mask = i ^ idx;
-        mask |= mask >> 4;
-        mask |= mask >> 2;
-        mask |= mask >> 1;
-        mask &= 1;
-        mask--;
-        for (j = 0; j < 4 * 3; j++)
-            outlimbs[j] |= inlimbs[j] & mask;
-    }
-}
-
-/* get_bit returns the |i|th bit in |in| */
-static char get_bit(const felem_bytearray in, unsigned i)
-{
-    if (i >= 224)
-        return 0;
-    return (in[i >> 3] >> (i & 7)) & 1;
-}
-
-/*
- * Interleaved point multiplication using precomputed point multiples: The
- * small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], the scalars
- * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the
- * generator, using certain (large) precomputed multiples in g_pre_comp.
- * Output point (X, Y, Z) is stored in x_out, y_out, z_out
- */
-static void batch_mul(felem x_out, felem y_out, felem z_out,
-                      const felem_bytearray scalars[],
-                      const unsigned num_points, const u8 *g_scalar,
-                      const int mixed, const felem pre_comp[][17][3],
-                      const felem g_pre_comp[2][16][3])
-{
-    int i, skip;
-    unsigned num;
-    unsigned gen_mul = (g_scalar != NULL);
-    felem nq[3], tmp[4];
-    u64 bits;
-    u8 sign, digit;
-
-    /* set nq to the point at infinity */
-    memset(nq, 0, sizeof(nq));
-
-    /*
-     * Loop over all scalars msb-to-lsb, interleaving additions of multiples
-     * of the generator (two in each of the last 28 rounds) and additions of
-     * other points multiples (every 5th round).
-     */
-    skip = 1;                   /* save two point operations in the first
-                                 * round */
-    for (i = (num_points ? 220 : 27); i >= 0; --i) {
-        /* double */
-        if (!skip)
-            point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
-
-        /* add multiples of the generator */
-        if (gen_mul && (i <= 27)) {
-            /* first, look 28 bits upwards */
-            bits = get_bit(g_scalar, i + 196) << 3;
-            bits |= get_bit(g_scalar, i + 140) << 2;
-            bits |= get_bit(g_scalar, i + 84) << 1;
-            bits |= get_bit(g_scalar, i + 28);
-            /* select the point to add, in constant time */
-            select_point(bits, 16, g_pre_comp[1], tmp);
-
-            if (!skip) {
-                /* value 1 below is argument for "mixed" */
-                point_add(nq[0], nq[1], nq[2],
-                          nq[0], nq[1], nq[2], 1, tmp[0], tmp[1], tmp[2]);
-            } else {
-                memcpy(nq, tmp, 3 * sizeof(felem));
-                skip = 0;
-            }
-
-            /* second, look at the current position */
-            bits = get_bit(g_scalar, i + 168) << 3;
-            bits |= get_bit(g_scalar, i + 112) << 2;
-            bits |= get_bit(g_scalar, i + 56) << 1;
-            bits |= get_bit(g_scalar, i);
-            /* select the point to add, in constant time */
-            select_point(bits, 16, g_pre_comp[0], tmp);
-            point_add(nq[0], nq[1], nq[2],
-                      nq[0], nq[1], nq[2],
-                      1 /* mixed */ , tmp[0], tmp[1], tmp[2]);
-        }
-
-        /* do other additions every 5 doublings */
-        if (num_points && (i % 5 == 0)) {
-            /* loop over all scalars */
-            for (num = 0; num < num_points; ++num) {
-                bits = get_bit(scalars[num], i + 4) << 5;
-                bits |= get_bit(scalars[num], i + 3) << 4;
-                bits |= get_bit(scalars[num], i + 2) << 3;
-                bits |= get_bit(scalars[num], i + 1) << 2;
-                bits |= get_bit(scalars[num], i) << 1;
-                bits |= get_bit(scalars[num], i - 1);
-                ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
-
-                /* select the point to add or subtract */
-                select_point(digit, 17, pre_comp[num], tmp);
-                felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative
-                                            * point */
-                copy_conditional(tmp[1], tmp[3], sign);
-
-                if (!skip) {
-                    point_add(nq[0], nq[1], nq[2],
-                              nq[0], nq[1], nq[2],
-                              mixed, tmp[0], tmp[1], tmp[2]);
-                } else {
-                    memcpy(nq, tmp, 3 * sizeof(felem));
-                    skip = 0;
-                }
-            }
-        }
-    }
-    felem_assign(x_out, nq[0]);
-    felem_assign(y_out, nq[1]);
-    felem_assign(z_out, nq[2]);
-}
-
-/******************************************************************************/
-/*
- * FUNCTIONS TO MANAGE PRECOMPUTATION
- */
-
-static NISTP224_PRE_COMP *nistp224_pre_comp_new(void)
-{
-    NISTP224_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret));
-
-    if (!ret) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        return ret;
-    }
-
-    ret->references = 1;
-
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(ret);
-        return NULL;
-    }
-    return ret;
-}
-
-NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *p)
-{
-    int i;
-    if (p != NULL)
-        CRYPTO_UP_REF(&p->references, &i, p->lock);
-    return p;
-}
-
-void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *p)
-{
-    int i;
-
-    if (p == NULL)
-        return;
-
-    CRYPTO_DOWN_REF(&p->references, &i, p->lock);
-    REF_PRINT_COUNT("EC_nistp224", p);
-    if (i > 0)
-        return;
-    REF_ASSERT_ISNT(i < 0);
-
-    CRYPTO_THREAD_lock_free(p->lock);
-    OPENSSL_free(p);
-}
-
-/******************************************************************************/
-/*
- * OPENSSL EC_METHOD FUNCTIONS
- */
-
-int ossl_ec_GFp_nistp224_group_init(EC_GROUP *group)
-{
-    int ret;
-    ret = ossl_ec_GFp_simple_group_init(group);
-    group->a_is_minus3 = 1;
-    return ret;
-}
-
-int ossl_ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p,
-                                         const BIGNUM *a, const BIGNUM *b,
-                                         BN_CTX *ctx)
-{
-    int ret = 0;
-    BIGNUM *curve_p, *curve_a, *curve_b;
-#ifndef FIPS_MODULE
-    BN_CTX *new_ctx = NULL;
-
-    if (ctx == NULL)
-        ctx = new_ctx = BN_CTX_new();
-#endif
-    if (ctx == NULL)
-        return 0;
-
-    BN_CTX_start(ctx);
-    curve_p = BN_CTX_get(ctx);
-    curve_a = BN_CTX_get(ctx);
-    curve_b = BN_CTX_get(ctx);
-    if (curve_b == NULL)
-        goto err;
-    BN_bin2bn(nistp224_curve_params[0], sizeof(felem_bytearray), curve_p);
-    BN_bin2bn(nistp224_curve_params[1], sizeof(felem_bytearray), curve_a);
-    BN_bin2bn(nistp224_curve_params[2], sizeof(felem_bytearray), curve_b);
-    if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) {
-        ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS);
-        goto err;
-    }
-    group->field_mod_func = BN_nist_mod_224;
-    ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
-    BN_CTX_end(ctx);
-#ifndef FIPS_MODULE
-    BN_CTX_free(new_ctx);
-#endif
-    return ret;
-}
-
-/*
- * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
- * (X/Z^2, Y/Z^3)
- */
-int ossl_ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group,
-                                                      const EC_POINT *point,
-                                                      BIGNUM *x, BIGNUM *y,
-                                                      BN_CTX *ctx)
-{
-    felem z1, z2, x_in, y_in, x_out, y_out;
-    widefelem tmp;
-
-    if (EC_POINT_is_at_infinity(group, point)) {
-        ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
-        return 0;
-    }
-    if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
-        (!BN_to_felem(z1, point->Z)))
-        return 0;
-    felem_inv(z2, z1);
-    felem_square(tmp, z2);
-    felem_reduce(z1, tmp);
-    felem_mul(tmp, x_in, z1);
-    felem_reduce(x_in, tmp);
-    felem_contract(x_out, x_in);
-    if (x != NULL) {
-        if (!felem_to_BN(x, x_out)) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            return 0;
-        }
-    }
-    felem_mul(tmp, z1, z2);
-    felem_reduce(z1, tmp);
-    felem_mul(tmp, y_in, z1);
-    felem_reduce(y_in, tmp);
-    felem_contract(y_out, y_in);
-    if (y != NULL) {
-        if (!felem_to_BN(y, y_out)) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            return 0;
-        }
-    }
-    return 1;
-}
-
-static void make_points_affine(size_t num, felem points[ /* num */ ][3],
-                               felem tmp_felems[ /* num+1 */ ])
-{
-    /*
-     * Runs in constant time, unless an input is the point at infinity (which
-     * normally shouldn't happen).
-     */
-    ossl_ec_GFp_nistp_points_make_affine_internal(num,
-                                                  points,
-                                                  sizeof(felem),
-                                                  tmp_felems,
-                                                  (void (*)(void *))felem_one,
-                                                  felem_is_zero_int,
-                                                  (void (*)(void *, const void *))
-                                                  felem_assign,
-                                                  (void (*)(void *, const void *))
-                                                  felem_square_reduce, (void (*)
-                                                                        (void *,
-                                                                         const void
-                                                                         *,
-                                                                         const void
-                                                                         *))
-                                                  felem_mul_reduce,
-                                                  (void (*)(void *, const void *))
-                                                  felem_inv,
-                                                  (void (*)(void *, const void *))
-                                                  felem_contract);
-}
-
-/*
- * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL
- * values Result is stored in r (r can equal one of the inputs).
- */
-int ossl_ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r,
-                                    const BIGNUM *scalar, size_t num,
-                                    const EC_POINT *points[],
-                                    const BIGNUM *scalars[], BN_CTX *ctx)
-{
-    int ret = 0;
-    int j;
-    unsigned i;
-    int mixed = 0;
-    BIGNUM *x, *y, *z, *tmp_scalar;
-    felem_bytearray g_secret;
-    felem_bytearray *secrets = NULL;
-    felem (*pre_comp)[17][3] = NULL;
-    felem *tmp_felems = NULL;
-    int num_bytes;
-    int have_pre_comp = 0;
-    size_t num_points = num;
-    felem x_in, y_in, z_in, x_out, y_out, z_out;
-    NISTP224_PRE_COMP *pre = NULL;
-    const felem(*g_pre_comp)[16][3] = NULL;
-    EC_POINT *generator = NULL;
-    const EC_POINT *p = NULL;
-    const BIGNUM *p_scalar = NULL;
-
-    BN_CTX_start(ctx);
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    z = BN_CTX_get(ctx);
-    tmp_scalar = BN_CTX_get(ctx);
-    if (tmp_scalar == NULL)
-        goto err;
-
-    if (scalar != NULL) {
-        pre = group->pre_comp.nistp224;
-        if (pre)
-            /* we have precomputation, try to use it */
-            g_pre_comp = (const felem(*)[16][3])pre->g_pre_comp;
-        else
-            /* try to use the standard precomputation */
-            g_pre_comp = &gmul[0];
-        generator = EC_POINT_new(group);
-        if (generator == NULL)
-            goto err;
-        /* get the generator from precomputation */
-        if (!felem_to_BN(x, g_pre_comp[0][1][0]) ||
-            !felem_to_BN(y, g_pre_comp[0][1][1]) ||
-            !felem_to_BN(z, g_pre_comp[0][1][2])) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            goto err;
-        }
-        if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group,
-                                                                generator,
-                                                                x, y, z, ctx))
-            goto err;
-        if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
-            /* precomputation matches generator */
-            have_pre_comp = 1;
-        else
-            /*
-             * we don't have valid precomputation: treat the generator as a
-             * random point
-             */
-            num_points = num_points + 1;
-    }
-
-    if (num_points > 0) {
-        if (num_points >= 3) {
-            /*
-             * unless we precompute multiples for just one or two points,
-             * converting those into affine form is time well spent
-             */
-            mixed = 1;
-        }
-        secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points);
-        pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points);
-        if (mixed)
-            tmp_felems =
-                OPENSSL_malloc(sizeof(felem) * (num_points * 17 + 1));
-        if ((secrets == NULL) || (pre_comp == NULL)
-            || (mixed && (tmp_felems == NULL))) {
-            ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-
-        /*
-         * we treat NULL scalars as 0, and NULL points as points at infinity,
-         * i.e., they contribute nothing to the linear combination
-         */
-        for (i = 0; i < num_points; ++i) {
-            if (i == num) {
-                /* the generator */
-                p = EC_GROUP_get0_generator(group);
-                p_scalar = scalar;
-            } else {
-                /* the i^th point */
-                p = points[i];
-                p_scalar = scalars[i];
-            }
-            if ((p_scalar != NULL) && (p != NULL)) {
-                /* reduce scalar to 0 <= scalar < 2^224 */
-                if ((BN_num_bits(p_scalar) > 224)
-                    || (BN_is_negative(p_scalar))) {
-                    /*
-                     * this is an unusual input, and we don't guarantee
-                     * constant-timeness
-                     */
-                    if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
-                        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                        goto err;
-                    }
-                    num_bytes = BN_bn2lebinpad(tmp_scalar,
-                                               secrets[i], sizeof(secrets[i]));
-                } else {
-                    num_bytes = BN_bn2lebinpad(p_scalar,
-                                               secrets[i], sizeof(secrets[i]));
-                }
-                if (num_bytes < 0) {
-                    ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                    goto err;
-                }
-                /* precompute multiples */
-                if ((!BN_to_felem(x_out, p->X)) ||
-                    (!BN_to_felem(y_out, p->Y)) ||
-                    (!BN_to_felem(z_out, p->Z)))
-                    goto err;
-                felem_assign(pre_comp[i][1][0], x_out);
-                felem_assign(pre_comp[i][1][1], y_out);
-                felem_assign(pre_comp[i][1][2], z_out);
-                for (j = 2; j <= 16; ++j) {
-                    if (j & 1) {
-                        point_add(pre_comp[i][j][0], pre_comp[i][j][1],
-                                  pre_comp[i][j][2], pre_comp[i][1][0],
-                                  pre_comp[i][1][1], pre_comp[i][1][2], 0,
-                                  pre_comp[i][j - 1][0],
-                                  pre_comp[i][j - 1][1],
-                                  pre_comp[i][j - 1][2]);
-                    } else {
-                        point_double(pre_comp[i][j][0], pre_comp[i][j][1],
-                                     pre_comp[i][j][2], pre_comp[i][j / 2][0],
-                                     pre_comp[i][j / 2][1],
-                                     pre_comp[i][j / 2][2]);
-                    }
-                }
-            }
-        }
-        if (mixed)
-            make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
-    }
-
-    /* the scalar for the generator */
-    if ((scalar != NULL) && (have_pre_comp)) {
-        memset(g_secret, 0, sizeof(g_secret));
-        /* reduce scalar to 0 <= scalar < 2^224 */
-        if ((BN_num_bits(scalar) > 224) || (BN_is_negative(scalar))) {
-            /*
-             * this is an unusual input, and we don't guarantee
-             * constant-timeness
-             */
-            if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
-                ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                goto err;
-            }
-            num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
-        } else {
-            num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
-        }
-        /* do the multiplication with generator precomputation */
-        batch_mul(x_out, y_out, z_out,
-                  (const felem_bytearray(*))secrets, num_points,
-                  g_secret,
-                  mixed, (const felem(*)[17][3])pre_comp, g_pre_comp);
-    } else {
-        /* do the multiplication without generator precomputation */
-        batch_mul(x_out, y_out, z_out,
-                  (const felem_bytearray(*))secrets, num_points,
-                  NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
-    }
-    /* reduce the output to its unique minimal representation */
-    felem_contract(x_in, x_out);
-    felem_contract(y_in, y_out);
-    felem_contract(z_in, z_out);
-    if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) ||
-        (!felem_to_BN(z, z_in))) {
-        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-        goto err;
-    }
-    ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z,
-                                                             ctx);
-
- err:
-    BN_CTX_end(ctx);
-    EC_POINT_free(generator);
-    OPENSSL_free(secrets);
-    OPENSSL_free(pre_comp);
-    OPENSSL_free(tmp_felems);
-    return ret;
-}
-
-int ossl_ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
-{
-    int ret = 0;
-    NISTP224_PRE_COMP *pre = NULL;
-    int i, j;
-    BIGNUM *x, *y;
-    EC_POINT *generator = NULL;
-    felem tmp_felems[32];
-#ifndef FIPS_MODULE
-    BN_CTX *new_ctx = NULL;
-#endif
-
-    /* throw away old precomputation */
-    EC_pre_comp_free(group);
-
-#ifndef FIPS_MODULE
-    if (ctx == NULL)
-        ctx = new_ctx = BN_CTX_new();
-#endif
-    if (ctx == NULL)
-        return 0;
-
-    BN_CTX_start(ctx);
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    if (y == NULL)
-        goto err;
-    /* get the generator */
-    if (group->generator == NULL)
-        goto err;
-    generator = EC_POINT_new(group);
-    if (generator == NULL)
-        goto err;
-    BN_bin2bn(nistp224_curve_params[3], sizeof(felem_bytearray), x);
-    BN_bin2bn(nistp224_curve_params[4], sizeof(felem_bytearray), y);
-    if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx))
-        goto err;
-    if ((pre = nistp224_pre_comp_new()) == NULL)
-        goto err;
-    /*
-     * if the generator is the standard one, use built-in precomputation
-     */
-    if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
-        memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
-        goto done;
-    }
-    if ((!BN_to_felem(pre->g_pre_comp[0][1][0], group->generator->X)) ||
-        (!BN_to_felem(pre->g_pre_comp[0][1][1], group->generator->Y)) ||
-        (!BN_to_felem(pre->g_pre_comp[0][1][2], group->generator->Z)))
-        goto err;
-    /*
-     * compute 2^56*G, 2^112*G, 2^168*G for the first table, 2^28*G, 2^84*G,
-     * 2^140*G, 2^196*G for the second one
-     */
-    for (i = 1; i <= 8; i <<= 1) {
-        point_double(pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1],
-                     pre->g_pre_comp[1][i][2], pre->g_pre_comp[0][i][0],
-                     pre->g_pre_comp[0][i][1], pre->g_pre_comp[0][i][2]);
-        for (j = 0; j < 27; ++j) {
-            point_double(pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1],
-                         pre->g_pre_comp[1][i][2], pre->g_pre_comp[1][i][0],
-                         pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
-        }
-        if (i == 8)
-            break;
-        point_double(pre->g_pre_comp[0][2 * i][0],
-                     pre->g_pre_comp[0][2 * i][1],
-                     pre->g_pre_comp[0][2 * i][2], pre->g_pre_comp[1][i][0],
-                     pre->g_pre_comp[1][i][1], pre->g_pre_comp[1][i][2]);
-        for (j = 0; j < 27; ++j) {
-            point_double(pre->g_pre_comp[0][2 * i][0],
-                         pre->g_pre_comp[0][2 * i][1],
-                         pre->g_pre_comp[0][2 * i][2],
-                         pre->g_pre_comp[0][2 * i][0],
-                         pre->g_pre_comp[0][2 * i][1],
-                         pre->g_pre_comp[0][2 * i][2]);
-        }
-    }
-    for (i = 0; i < 2; i++) {
-        /* g_pre_comp[i][0] is the point at infinity */
-        memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0]));
-        /* the remaining multiples */
-        /* 2^56*G + 2^112*G resp. 2^84*G + 2^140*G */
-        point_add(pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1],
-                  pre->g_pre_comp[i][6][2], pre->g_pre_comp[i][4][0],
-                  pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2],
-                  0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
-                  pre->g_pre_comp[i][2][2]);
-        /* 2^56*G + 2^168*G resp. 2^84*G + 2^196*G */
-        point_add(pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1],
-                  pre->g_pre_comp[i][10][2], pre->g_pre_comp[i][8][0],
-                  pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
-                  0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
-                  pre->g_pre_comp[i][2][2]);
-        /* 2^112*G + 2^168*G resp. 2^140*G + 2^196*G */
-        point_add(pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1],
-                  pre->g_pre_comp[i][12][2], pre->g_pre_comp[i][8][0],
-                  pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
-                  0, pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1],
-                  pre->g_pre_comp[i][4][2]);
-        /*
-         * 2^56*G + 2^112*G + 2^168*G resp. 2^84*G + 2^140*G + 2^196*G
-         */
-        point_add(pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1],
-                  pre->g_pre_comp[i][14][2], pre->g_pre_comp[i][12][0],
-                  pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
-                  0, pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
-                  pre->g_pre_comp[i][2][2]);
-        for (j = 1; j < 8; ++j) {
-            /* odd multiples: add G resp. 2^28*G */
-            point_add(pre->g_pre_comp[i][2 * j + 1][0],
-                      pre->g_pre_comp[i][2 * j + 1][1],
-                      pre->g_pre_comp[i][2 * j + 1][2],
-                      pre->g_pre_comp[i][2 * j][0],
-                      pre->g_pre_comp[i][2 * j][1],
-                      pre->g_pre_comp[i][2 * j][2], 0,
-                      pre->g_pre_comp[i][1][0], pre->g_pre_comp[i][1][1],
-                      pre->g_pre_comp[i][1][2]);
-        }
-    }
-    make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_felems);
-
- done:
-    SETPRECOMP(group, nistp224, pre);
-    pre = NULL;
-    ret = 1;
- err:
-    BN_CTX_end(ctx);
-    EC_POINT_free(generator);
-#ifndef FIPS_MODULE
-    BN_CTX_free(new_ctx);
-#endif
-    EC_nistp224_pre_comp_free(pre);
-    return ret;
-}
-
-int ossl_ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group)
-{
-    return HAVEPRECOMP(group, nistp224);
-}

+ 0 - 2378
libs/openssl/crypto/ec/ecp_nistp256.c

@@ -1,2378 +0,0 @@
-/*
- * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- */
-
-/*
- * ECDSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-/*
- * A 64-bit implementation of the NIST P-256 elliptic curve point multiplication
- *
- * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
- * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
- * work which got its smarts from Daniel J. Bernstein's work on the same.
- */
-
-#include <openssl/opensslconf.h>
-
-#include <stdint.h>
-#include <string.h>
-#include <openssl/err.h>
-#include "ec_local.h"
-
-#include "internal/numbers.h"
-
-#ifndef INT128_MAX
-# error "Your compiler doesn't appear to support 128-bit integer types"
-#endif
-
-typedef uint8_t u8;
-typedef uint32_t u32;
-typedef uint64_t u64;
-
-/*
- * The underlying field. P256 operates over GF(2^256-2^224+2^192+2^96-1). We
- * can serialize an element of this field into 32 bytes. We call this an
- * felem_bytearray.
- */
-
-typedef u8 felem_bytearray[32];
-
-/*
- * These are the parameters of P256, taken from FIPS 186-3, page 86. These
- * values are big-endian.
- */
-static const felem_bytearray nistp256_curve_params[5] = {
-    {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* p */
-     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-     0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
-    {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, /* a = -3 */
-     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-     0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc},
-    {0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, /* b */
-     0xb3, 0xeb, 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc,
-     0x65, 0x1d, 0x06, 0xb0, 0xcc, 0x53, 0xb0, 0xf6,
-     0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, 0x60, 0x4b},
-    {0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, /* x */
-     0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2,
-     0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0,
-     0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96},
-    {0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, /* y */
-     0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16,
-     0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce,
-     0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}
-};
-
-/*-
- * The representation of field elements.
- * ------------------------------------
- *
- * We represent field elements with either four 128-bit values, eight 128-bit
- * values, or four 64-bit values. The field element represented is:
- *   v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + v[3]*2^192  (mod p)
- * or:
- *   v[0]*2^0 + v[1]*2^64 + v[2]*2^128 + ... + v[8]*2^512  (mod p)
- *
- * 128-bit values are called 'limbs'. Since the limbs are spaced only 64 bits
- * apart, but are 128-bits wide, the most significant bits of each limb overlap
- * with the least significant bits of the next.
- *
- * A field element with four limbs is an 'felem'. One with eight limbs is a
- * 'longfelem'
- *
- * A field element with four, 64-bit values is called a 'smallfelem'. Small
- * values are used as intermediate values before multiplication.
- */
-
-#define NLIMBS 4
-
-typedef uint128_t limb;
-typedef limb felem[NLIMBS];
-typedef limb longfelem[NLIMBS * 2];
-typedef u64 smallfelem[NLIMBS];
-
-/* This is the value of the prime as four 64-bit words, little-endian. */
-static const u64 kPrime[4] =
-    { 0xfffffffffffffffful, 0xffffffff, 0, 0xffffffff00000001ul };
-static const u64 bottom63bits = 0x7ffffffffffffffful;
-
-/*
- * bin32_to_felem takes a little-endian byte array and converts it into felem
- * form. This assumes that the CPU is little-endian.
- */
-static void bin32_to_felem(felem out, const u8 in[32])
-{
-    out[0] = *((u64 *)&in[0]);
-    out[1] = *((u64 *)&in[8]);
-    out[2] = *((u64 *)&in[16]);
-    out[3] = *((u64 *)&in[24]);
-}
-
-/*
- * smallfelem_to_bin32 takes a smallfelem and serializes into a little
- * endian, 32 byte array. This assumes that the CPU is little-endian.
- */
-static void smallfelem_to_bin32(u8 out[32], const smallfelem in)
-{
-    *((u64 *)&out[0]) = in[0];
-    *((u64 *)&out[8]) = in[1];
-    *((u64 *)&out[16]) = in[2];
-    *((u64 *)&out[24]) = in[3];
-}
-
-/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
-static int BN_to_felem(felem out, const BIGNUM *bn)
-{
-    felem_bytearray b_out;
-    int num_bytes;
-
-    if (BN_is_negative(bn)) {
-        ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-        return 0;
-    }
-    num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
-    if (num_bytes < 0) {
-        ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-        return 0;
-    }
-    bin32_to_felem(out, b_out);
-    return 1;
-}
-
-/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
-static BIGNUM *smallfelem_to_BN(BIGNUM *out, const smallfelem in)
-{
-    felem_bytearray b_out;
-    smallfelem_to_bin32(b_out, in);
-    return BN_lebin2bn(b_out, sizeof(b_out), out);
-}
-
-/*-
- * Field operations
- * ----------------
- */
-
-static void smallfelem_one(smallfelem out)
-{
-    out[0] = 1;
-    out[1] = 0;
-    out[2] = 0;
-    out[3] = 0;
-}
-
-static void smallfelem_assign(smallfelem out, const smallfelem in)
-{
-    out[0] = in[0];
-    out[1] = in[1];
-    out[2] = in[2];
-    out[3] = in[3];
-}
-
-static void felem_assign(felem out, const felem in)
-{
-    out[0] = in[0];
-    out[1] = in[1];
-    out[2] = in[2];
-    out[3] = in[3];
-}
-
-/* felem_sum sets out = out + in. */
-static void felem_sum(felem out, const felem in)
-{
-    out[0] += in[0];
-    out[1] += in[1];
-    out[2] += in[2];
-    out[3] += in[3];
-}
-
-/* felem_small_sum sets out = out + in. */
-static void felem_small_sum(felem out, const smallfelem in)
-{
-    out[0] += in[0];
-    out[1] += in[1];
-    out[2] += in[2];
-    out[3] += in[3];
-}
-
-/* felem_scalar sets out = out * scalar */
-static void felem_scalar(felem out, const u64 scalar)
-{
-    out[0] *= scalar;
-    out[1] *= scalar;
-    out[2] *= scalar;
-    out[3] *= scalar;
-}
-
-/* longfelem_scalar sets out = out * scalar */
-static void longfelem_scalar(longfelem out, const u64 scalar)
-{
-    out[0] *= scalar;
-    out[1] *= scalar;
-    out[2] *= scalar;
-    out[3] *= scalar;
-    out[4] *= scalar;
-    out[5] *= scalar;
-    out[6] *= scalar;
-    out[7] *= scalar;
-}
-
-#define two105m41m9 (((limb)1) << 105) - (((limb)1) << 41) - (((limb)1) << 9)
-#define two105 (((limb)1) << 105)
-#define two105m41p9 (((limb)1) << 105) - (((limb)1) << 41) + (((limb)1) << 9)
-
-/* zero105 is 0 mod p */
-static const felem zero105 =
-    { two105m41m9, two105, two105m41p9, two105m41p9 };
-
-/*-
- * smallfelem_neg sets |out| to |-small|
- * On exit:
- *   out[i] < out[i] + 2^105
- */
-static void smallfelem_neg(felem out, const smallfelem small)
-{
-    /* In order to prevent underflow, we subtract from 0 mod p. */
-    out[0] = zero105[0] - small[0];
-    out[1] = zero105[1] - small[1];
-    out[2] = zero105[2] - small[2];
-    out[3] = zero105[3] - small[3];
-}
-
-/*-
- * felem_diff subtracts |in| from |out|
- * On entry:
- *   in[i] < 2^104
- * On exit:
- *   out[i] < out[i] + 2^105
- */
-static void felem_diff(felem out, const felem in)
-{
-    /*
-     * In order to prevent underflow, we add 0 mod p before subtracting.
-     */
-    out[0] += zero105[0];
-    out[1] += zero105[1];
-    out[2] += zero105[2];
-    out[3] += zero105[3];
-
-    out[0] -= in[0];
-    out[1] -= in[1];
-    out[2] -= in[2];
-    out[3] -= in[3];
-}
-
-#define two107m43m11 (((limb)1) << 107) - (((limb)1) << 43) - (((limb)1) << 11)
-#define two107 (((limb)1) << 107)
-#define two107m43p11 (((limb)1) << 107) - (((limb)1) << 43) + (((limb)1) << 11)
-
-/* zero107 is 0 mod p */
-static const felem zero107 =
-    { two107m43m11, two107, two107m43p11, two107m43p11 };
-
-/*-
- * An alternative felem_diff for larger inputs |in|
- * felem_diff_zero107 subtracts |in| from |out|
- * On entry:
- *   in[i] < 2^106
- * On exit:
- *   out[i] < out[i] + 2^107
- */
-static void felem_diff_zero107(felem out, const felem in)
-{
-    /*
-     * In order to prevent underflow, we add 0 mod p before subtracting.
-     */
-    out[0] += zero107[0];
-    out[1] += zero107[1];
-    out[2] += zero107[2];
-    out[3] += zero107[3];
-
-    out[0] -= in[0];
-    out[1] -= in[1];
-    out[2] -= in[2];
-    out[3] -= in[3];
-}
-
-/*-
- * longfelem_diff subtracts |in| from |out|
- * On entry:
- *   in[i] < 7*2^67
- * On exit:
- *   out[i] < out[i] + 2^70 + 2^40
- */
-static void longfelem_diff(longfelem out, const longfelem in)
-{
-    static const limb two70m8p6 =
-        (((limb) 1) << 70) - (((limb) 1) << 8) + (((limb) 1) << 6);
-    static const limb two70p40 = (((limb) 1) << 70) + (((limb) 1) << 40);
-    static const limb two70 = (((limb) 1) << 70);
-    static const limb two70m40m38p6 =
-        (((limb) 1) << 70) - (((limb) 1) << 40) - (((limb) 1) << 38) +
-        (((limb) 1) << 6);
-    static const limb two70m6 = (((limb) 1) << 70) - (((limb) 1) << 6);
-
-    /* add 0 mod p to avoid underflow */
-    out[0] += two70m8p6;
-    out[1] += two70p40;
-    out[2] += two70;
-    out[3] += two70m40m38p6;
-    out[4] += two70m6;
-    out[5] += two70m6;
-    out[6] += two70m6;
-    out[7] += two70m6;
-
-    /* in[i] < 7*2^67 < 2^70 - 2^40 - 2^38 + 2^6 */
-    out[0] -= in[0];
-    out[1] -= in[1];
-    out[2] -= in[2];
-    out[3] -= in[3];
-    out[4] -= in[4];
-    out[5] -= in[5];
-    out[6] -= in[6];
-    out[7] -= in[7];
-}
-
-#define two64m0 (((limb)1) << 64) - 1
-#define two110p32m0 (((limb)1) << 110) + (((limb)1) << 32) - 1
-#define two64m46 (((limb)1) << 64) - (((limb)1) << 46)
-#define two64m32 (((limb)1) << 64) - (((limb)1) << 32)
-
-/* zero110 is 0 mod p */
-static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 };
-
-/*-
- * felem_shrink converts an felem into a smallfelem. The result isn't quite
- * minimal as the value may be greater than p.
- *
- * On entry:
- *   in[i] < 2^109
- * On exit:
- *   out[i] < 2^64
- */
-static void felem_shrink(smallfelem out, const felem in)
-{
-    felem tmp;
-    u64 a, b, mask;
-    u64 high, low;
-    static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
-
-    /* Carry 2->3 */
-    tmp[3] = zero110[3] + in[3] + ((u64)(in[2] >> 64));
-    /* tmp[3] < 2^110 */
-
-    tmp[2] = zero110[2] + (u64)in[2];
-    tmp[0] = zero110[0] + in[0];
-    tmp[1] = zero110[1] + in[1];
-    /* tmp[0] < 2**110, tmp[1] < 2^111, tmp[2] < 2**65 */
-
-    /*
-     * We perform two partial reductions where we eliminate the high-word of
-     * tmp[3]. We don't update the other words till the end.
-     */
-    a = tmp[3] >> 64;           /* a < 2^46 */
-    tmp[3] = (u64)tmp[3];
-    tmp[3] -= a;
-    tmp[3] += ((limb) a) << 32;
-    /* tmp[3] < 2^79 */
-
-    b = a;
-    a = tmp[3] >> 64;           /* a < 2^15 */
-    b += a;                     /* b < 2^46 + 2^15 < 2^47 */
-    tmp[3] = (u64)tmp[3];
-    tmp[3] -= a;
-    tmp[3] += ((limb) a) << 32;
-    /* tmp[3] < 2^64 + 2^47 */
-
-    /*
-     * This adjusts the other two words to complete the two partial
-     * reductions.
-     */
-    tmp[0] += b;
-    tmp[1] -= (((limb) b) << 32);
-
-    /*
-     * In order to make space in tmp[3] for the carry from 2 -> 3, we
-     * conditionally subtract kPrime if tmp[3] is large enough.
-     */
-    high = (u64)(tmp[3] >> 64);
-    /* As tmp[3] < 2^65, high is either 1 or 0 */
-    high = 0 - high;
-    /*-
-     * high is:
-     *   all ones   if the high word of tmp[3] is 1
-     *   all zeros  if the high word of tmp[3] if 0
-     */
-    low = (u64)tmp[3];
-    mask = 0 - (low >> 63);
-    /*-
-     * mask is:
-     *   all ones   if the MSB of low is 1
-     *   all zeros  if the MSB of low if 0
-     */
-    low &= bottom63bits;
-    low -= kPrime3Test;
-    /* if low was greater than kPrime3Test then the MSB is zero */
-    low = ~low;
-    low = 0 - (low >> 63);
-    /*-
-     * low is:
-     *   all ones   if low was > kPrime3Test
-     *   all zeros  if low was <= kPrime3Test
-     */
-    mask = (mask & low) | high;
-    tmp[0] -= mask & kPrime[0];
-    tmp[1] -= mask & kPrime[1];
-    /* kPrime[2] is zero, so omitted */
-    tmp[3] -= mask & kPrime[3];
-    /* tmp[3] < 2**64 - 2**32 + 1 */
-
-    tmp[1] += ((u64)(tmp[0] >> 64));
-    tmp[0] = (u64)tmp[0];
-    tmp[2] += ((u64)(tmp[1] >> 64));
-    tmp[1] = (u64)tmp[1];
-    tmp[3] += ((u64)(tmp[2] >> 64));
-    tmp[2] = (u64)tmp[2];
-    /* tmp[i] < 2^64 */
-
-    out[0] = tmp[0];
-    out[1] = tmp[1];
-    out[2] = tmp[2];
-    out[3] = tmp[3];
-}
-
-/* smallfelem_expand converts a smallfelem to an felem */
-static void smallfelem_expand(felem out, const smallfelem in)
-{
-    out[0] = in[0];
-    out[1] = in[1];
-    out[2] = in[2];
-    out[3] = in[3];
-}
-
-/*-
- * smallfelem_square sets |out| = |small|^2
- * On entry:
- *   small[i] < 2^64
- * On exit:
- *   out[i] < 7 * 2^64 < 2^67
- */
-static void smallfelem_square(longfelem out, const smallfelem small)
-{
-    limb a;
-    u64 high, low;
-
-    a = ((uint128_t) small[0]) * small[0];
-    low = a;
-    high = a >> 64;
-    out[0] = low;
-    out[1] = high;
-
-    a = ((uint128_t) small[0]) * small[1];
-    low = a;
-    high = a >> 64;
-    out[1] += low;
-    out[1] += low;
-    out[2] = high;
-
-    a = ((uint128_t) small[0]) * small[2];
-    low = a;
-    high = a >> 64;
-    out[2] += low;
-    out[2] *= 2;
-    out[3] = high;
-
-    a = ((uint128_t) small[0]) * small[3];
-    low = a;
-    high = a >> 64;
-    out[3] += low;
-    out[4] = high;
-
-    a = ((uint128_t) small[1]) * small[2];
-    low = a;
-    high = a >> 64;
-    out[3] += low;
-    out[3] *= 2;
-    out[4] += high;
-
-    a = ((uint128_t) small[1]) * small[1];
-    low = a;
-    high = a >> 64;
-    out[2] += low;
-    out[3] += high;
-
-    a = ((uint128_t) small[1]) * small[3];
-    low = a;
-    high = a >> 64;
-    out[4] += low;
-    out[4] *= 2;
-    out[5] = high;
-
-    a = ((uint128_t) small[2]) * small[3];
-    low = a;
-    high = a >> 64;
-    out[5] += low;
-    out[5] *= 2;
-    out[6] = high;
-    out[6] += high;
-
-    a = ((uint128_t) small[2]) * small[2];
-    low = a;
-    high = a >> 64;
-    out[4] += low;
-    out[5] += high;
-
-    a = ((uint128_t) small[3]) * small[3];
-    low = a;
-    high = a >> 64;
-    out[6] += low;
-    out[7] = high;
-}
-
-/*-
- * felem_square sets |out| = |in|^2
- * On entry:
- *   in[i] < 2^109
- * On exit:
- *   out[i] < 7 * 2^64 < 2^67
- */
-static void felem_square(longfelem out, const felem in)
-{
-    u64 small[4];
-    felem_shrink(small, in);
-    smallfelem_square(out, small);
-}
-
-/*-
- * smallfelem_mul sets |out| = |small1| * |small2|
- * On entry:
- *   small1[i] < 2^64
- *   small2[i] < 2^64
- * On exit:
- *   out[i] < 7 * 2^64 < 2^67
- */
-static void smallfelem_mul(longfelem out, const smallfelem small1,
-                           const smallfelem small2)
-{
-    limb a;
-    u64 high, low;
-
-    a = ((uint128_t) small1[0]) * small2[0];
-    low = a;
-    high = a >> 64;
-    out[0] = low;
-    out[1] = high;
-
-    a = ((uint128_t) small1[0]) * small2[1];
-    low = a;
-    high = a >> 64;
-    out[1] += low;
-    out[2] = high;
-
-    a = ((uint128_t) small1[1]) * small2[0];
-    low = a;
-    high = a >> 64;
-    out[1] += low;
-    out[2] += high;
-
-    a = ((uint128_t) small1[0]) * small2[2];
-    low = a;
-    high = a >> 64;
-    out[2] += low;
-    out[3] = high;
-
-    a = ((uint128_t) small1[1]) * small2[1];
-    low = a;
-    high = a >> 64;
-    out[2] += low;
-    out[3] += high;
-
-    a = ((uint128_t) small1[2]) * small2[0];
-    low = a;
-    high = a >> 64;
-    out[2] += low;
-    out[3] += high;
-
-    a = ((uint128_t) small1[0]) * small2[3];
-    low = a;
-    high = a >> 64;
-    out[3] += low;
-    out[4] = high;
-
-    a = ((uint128_t) small1[1]) * small2[2];
-    low = a;
-    high = a >> 64;
-    out[3] += low;
-    out[4] += high;
-
-    a = ((uint128_t) small1[2]) * small2[1];
-    low = a;
-    high = a >> 64;
-    out[3] += low;
-    out[4] += high;
-
-    a = ((uint128_t) small1[3]) * small2[0];
-    low = a;
-    high = a >> 64;
-    out[3] += low;
-    out[4] += high;
-
-    a = ((uint128_t) small1[1]) * small2[3];
-    low = a;
-    high = a >> 64;
-    out[4] += low;
-    out[5] = high;
-
-    a = ((uint128_t) small1[2]) * small2[2];
-    low = a;
-    high = a >> 64;
-    out[4] += low;
-    out[5] += high;
-
-    a = ((uint128_t) small1[3]) * small2[1];
-    low = a;
-    high = a >> 64;
-    out[4] += low;
-    out[5] += high;
-
-    a = ((uint128_t) small1[2]) * small2[3];
-    low = a;
-    high = a >> 64;
-    out[5] += low;
-    out[6] = high;
-
-    a = ((uint128_t) small1[3]) * small2[2];
-    low = a;
-    high = a >> 64;
-    out[5] += low;
-    out[6] += high;
-
-    a = ((uint128_t) small1[3]) * small2[3];
-    low = a;
-    high = a >> 64;
-    out[6] += low;
-    out[7] = high;
-}
-
-/*-
- * felem_mul sets |out| = |in1| * |in2|
- * On entry:
- *   in1[i] < 2^109
- *   in2[i] < 2^109
- * On exit:
- *   out[i] < 7 * 2^64 < 2^67
- */
-static void felem_mul(longfelem out, const felem in1, const felem in2)
-{
-    smallfelem small1, small2;
-    felem_shrink(small1, in1);
-    felem_shrink(small2, in2);
-    smallfelem_mul(out, small1, small2);
-}
-
-/*-
- * felem_small_mul sets |out| = |small1| * |in2|
- * On entry:
- *   small1[i] < 2^64
- *   in2[i] < 2^109
- * On exit:
- *   out[i] < 7 * 2^64 < 2^67
- */
-static void felem_small_mul(longfelem out, const smallfelem small1,
-                            const felem in2)
-{
-    smallfelem small2;
-    felem_shrink(small2, in2);
-    smallfelem_mul(out, small1, small2);
-}
-
-#define two100m36m4 (((limb)1) << 100) - (((limb)1) << 36) - (((limb)1) << 4)
-#define two100 (((limb)1) << 100)
-#define two100m36p4 (((limb)1) << 100) - (((limb)1) << 36) + (((limb)1) << 4)
-/* zero100 is 0 mod p */
-static const felem zero100 =
-    { two100m36m4, two100, two100m36p4, two100m36p4 };
-
-/*-
- * Internal function for the different flavours of felem_reduce.
- * felem_reduce_ reduces the higher coefficients in[4]-in[7].
- * On entry:
- *   out[0] >= in[6] + 2^32*in[6] + in[7] + 2^32*in[7]
- *   out[1] >= in[7] + 2^32*in[4]
- *   out[2] >= in[5] + 2^32*in[5]
- *   out[3] >= in[4] + 2^32*in[5] + 2^32*in[6]
- * On exit:
- *   out[0] <= out[0] + in[4] + 2^32*in[5]
- *   out[1] <= out[1] + in[5] + 2^33*in[6]
- *   out[2] <= out[2] + in[7] + 2*in[6] + 2^33*in[7]
- *   out[3] <= out[3] + 2^32*in[4] + 3*in[7]
- */
-static void felem_reduce_(felem out, const longfelem in)
-{
-    int128_t c;
-    /* combine common terms from below */
-    c = in[4] + (in[5] << 32);
-    out[0] += c;
-    out[3] -= c;
-
-    c = in[5] - in[7];
-    out[1] += c;
-    out[2] -= c;
-
-    /* the remaining terms */
-    /* 256: [(0,1),(96,-1),(192,-1),(224,1)] */
-    out[1] -= (in[4] << 32);
-    out[3] += (in[4] << 32);
-
-    /* 320: [(32,1),(64,1),(128,-1),(160,-1),(224,-1)] */
-    out[2] -= (in[5] << 32);
-
-    /* 384: [(0,-1),(32,-1),(96,2),(128,2),(224,-1)] */
-    out[0] -= in[6];
-    out[0] -= (in[6] << 32);
-    out[1] += (in[6] << 33);
-    out[2] += (in[6] * 2);
-    out[3] -= (in[6] << 32);
-
-    /* 448: [(0,-1),(32,-1),(64,-1),(128,1),(160,2),(192,3)] */
-    out[0] -= in[7];
-    out[0] -= (in[7] << 32);
-    out[2] += (in[7] << 33);
-    out[3] += (in[7] * 3);
-}
-
-/*-
- * felem_reduce converts a longfelem into an felem.
- * To be called directly after felem_square or felem_mul.
- * On entry:
- *   in[0] < 2^64, in[1] < 3*2^64, in[2] < 5*2^64, in[3] < 7*2^64
- *   in[4] < 7*2^64, in[5] < 5*2^64, in[6] < 3*2^64, in[7] < 2*64
- * On exit:
- *   out[i] < 2^101
- */
-static void felem_reduce(felem out, const longfelem in)
-{
-    out[0] = zero100[0] + in[0];
-    out[1] = zero100[1] + in[1];
-    out[2] = zero100[2] + in[2];
-    out[3] = zero100[3] + in[3];
-
-    felem_reduce_(out, in);
-
-    /*-
-     * out[0] > 2^100 - 2^36 - 2^4 - 3*2^64 - 3*2^96 - 2^64 - 2^96 > 0
-     * out[1] > 2^100 - 2^64 - 7*2^96 > 0
-     * out[2] > 2^100 - 2^36 + 2^4 - 5*2^64 - 5*2^96 > 0
-     * out[3] > 2^100 - 2^36 + 2^4 - 7*2^64 - 5*2^96 - 3*2^96 > 0
-     *
-     * out[0] < 2^100 + 2^64 + 7*2^64 + 5*2^96 < 2^101
-     * out[1] < 2^100 + 3*2^64 + 5*2^64 + 3*2^97 < 2^101
-     * out[2] < 2^100 + 5*2^64 + 2^64 + 3*2^65 + 2^97 < 2^101
-     * out[3] < 2^100 + 7*2^64 + 7*2^96 + 3*2^64 < 2^101
-     */
-}
-
-/*-
- * felem_reduce_zero105 converts a larger longfelem into an felem.
- * On entry:
- *   in[0] < 2^71
- * On exit:
- *   out[i] < 2^106
- */
-static void felem_reduce_zero105(felem out, const longfelem in)
-{
-    out[0] = zero105[0] + in[0];
-    out[1] = zero105[1] + in[1];
-    out[2] = zero105[2] + in[2];
-    out[3] = zero105[3] + in[3];
-
-    felem_reduce_(out, in);
-
-    /*-
-     * out[0] > 2^105 - 2^41 - 2^9 - 2^71 - 2^103 - 2^71 - 2^103 > 0
-     * out[1] > 2^105 - 2^71 - 2^103 > 0
-     * out[2] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 > 0
-     * out[3] > 2^105 - 2^41 + 2^9 - 2^71 - 2^103 - 2^103 > 0
-     *
-     * out[0] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
-     * out[1] < 2^105 + 2^71 + 2^71 + 2^103 < 2^106
-     * out[2] < 2^105 + 2^71 + 2^71 + 2^71 + 2^103 < 2^106
-     * out[3] < 2^105 + 2^71 + 2^103 + 2^71 < 2^106
-     */
-}
-
-/*
- * subtract_u64 sets *result = *result - v and *carry to one if the
- * subtraction underflowed.
- */
-static void subtract_u64(u64 *result, u64 *carry, u64 v)
-{
-    uint128_t r = *result;
-    r -= v;
-    *carry = (r >> 64) & 1;
-    *result = (u64)r;
-}
-
-/*
- * felem_contract converts |in| to its unique, minimal representation. On
- * entry: in[i] < 2^109
- */
-static void felem_contract(smallfelem out, const felem in)
-{
-    unsigned i;
-    u64 all_equal_so_far = 0, result = 0, carry;
-
-    felem_shrink(out, in);
-    /* small is minimal except that the value might be > p */
-
-    all_equal_so_far--;
-    /*
-     * We are doing a constant time test if out >= kPrime. We need to compare
-     * each u64, from most-significant to least significant. For each one, if
-     * all words so far have been equal (m is all ones) then a non-equal
-     * result is the answer. Otherwise we continue.
-     */
-    for (i = 3; i < 4; i--) {
-        u64 equal;
-        uint128_t a = ((uint128_t) kPrime[i]) - out[i];
-        /*
-         * if out[i] > kPrime[i] then a will underflow and the high 64-bits
-         * will all be set.
-         */
-        result |= all_equal_so_far & ((u64)(a >> 64));
-
-        /*
-         * if kPrime[i] == out[i] then |equal| will be all zeros and the
-         * decrement will make it all ones.
-         */
-        equal = kPrime[i] ^ out[i];
-        equal--;
-        equal &= equal << 32;
-        equal &= equal << 16;
-        equal &= equal << 8;
-        equal &= equal << 4;
-        equal &= equal << 2;
-        equal &= equal << 1;
-        equal = 0 - (equal >> 63);
-
-        all_equal_so_far &= equal;
-    }
-
-    /*
-     * if all_equal_so_far is still all ones then the two values are equal
-     * and so out >= kPrime is true.
-     */
-    result |= all_equal_so_far;
-
-    /* if out >= kPrime then we subtract kPrime. */
-    subtract_u64(&out[0], &carry, result & kPrime[0]);
-    subtract_u64(&out[1], &carry, carry);
-    subtract_u64(&out[2], &carry, carry);
-    subtract_u64(&out[3], &carry, carry);
-
-    subtract_u64(&out[1], &carry, result & kPrime[1]);
-    subtract_u64(&out[2], &carry, carry);
-    subtract_u64(&out[3], &carry, carry);
-
-    subtract_u64(&out[2], &carry, result & kPrime[2]);
-    subtract_u64(&out[3], &carry, carry);
-
-    subtract_u64(&out[3], &carry, result & kPrime[3]);
-}
-
-static void smallfelem_square_contract(smallfelem out, const smallfelem in)
-{
-    longfelem longtmp;
-    felem tmp;
-
-    smallfelem_square(longtmp, in);
-    felem_reduce(tmp, longtmp);
-    felem_contract(out, tmp);
-}
-
-static void smallfelem_mul_contract(smallfelem out, const smallfelem in1,
-                                    const smallfelem in2)
-{
-    longfelem longtmp;
-    felem tmp;
-
-    smallfelem_mul(longtmp, in1, in2);
-    felem_reduce(tmp, longtmp);
-    felem_contract(out, tmp);
-}
-
-/*-
- * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
- * otherwise.
- * On entry:
- *   small[i] < 2^64
- */
-static limb smallfelem_is_zero(const smallfelem small)
-{
-    limb result;
-    u64 is_p;
-
-    u64 is_zero = small[0] | small[1] | small[2] | small[3];
-    is_zero--;
-    is_zero &= is_zero << 32;
-    is_zero &= is_zero << 16;
-    is_zero &= is_zero << 8;
-    is_zero &= is_zero << 4;
-    is_zero &= is_zero << 2;
-    is_zero &= is_zero << 1;
-    is_zero = 0 - (is_zero >> 63);
-
-    is_p = (small[0] ^ kPrime[0]) |
-        (small[1] ^ kPrime[1]) |
-        (small[2] ^ kPrime[2]) | (small[3] ^ kPrime[3]);
-    is_p--;
-    is_p &= is_p << 32;
-    is_p &= is_p << 16;
-    is_p &= is_p << 8;
-    is_p &= is_p << 4;
-    is_p &= is_p << 2;
-    is_p &= is_p << 1;
-    is_p = 0 - (is_p >> 63);
-
-    is_zero |= is_p;
-
-    result = is_zero;
-    result |= ((limb) is_zero) << 64;
-    return result;
-}
-
-static int smallfelem_is_zero_int(const void *small)
-{
-    return (int)(smallfelem_is_zero(small) & ((limb) 1));
-}
-
-/*-
- * felem_inv calculates |out| = |in|^{-1}
- *
- * Based on Fermat's Little Theorem:
- *   a^p = a (mod p)
- *   a^{p-1} = 1 (mod p)
- *   a^{p-2} = a^{-1} (mod p)
- */
-static void felem_inv(felem out, const felem in)
-{
-    felem ftmp, ftmp2;
-    /* each e_I will hold |in|^{2^I - 1} */
-    felem e2, e4, e8, e16, e32, e64;
-    longfelem tmp;
-    unsigned i;
-
-    felem_square(tmp, in);
-    felem_reduce(ftmp, tmp);    /* 2^1 */
-    felem_mul(tmp, in, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^2 - 2^0 */
-    felem_assign(e2, ftmp);
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^3 - 2^1 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^4 - 2^2 */
-    felem_mul(tmp, ftmp, e2);
-    felem_reduce(ftmp, tmp);    /* 2^4 - 2^0 */
-    felem_assign(e4, ftmp);
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^5 - 2^1 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^6 - 2^2 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^7 - 2^3 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^8 - 2^4 */
-    felem_mul(tmp, ftmp, e4);
-    felem_reduce(ftmp, tmp);    /* 2^8 - 2^0 */
-    felem_assign(e8, ftmp);
-    for (i = 0; i < 8; i++) {
-        felem_square(tmp, ftmp);
-        felem_reduce(ftmp, tmp);
-    }                           /* 2^16 - 2^8 */
-    felem_mul(tmp, ftmp, e8);
-    felem_reduce(ftmp, tmp);    /* 2^16 - 2^0 */
-    felem_assign(e16, ftmp);
-    for (i = 0; i < 16; i++) {
-        felem_square(tmp, ftmp);
-        felem_reduce(ftmp, tmp);
-    }                           /* 2^32 - 2^16 */
-    felem_mul(tmp, ftmp, e16);
-    felem_reduce(ftmp, tmp);    /* 2^32 - 2^0 */
-    felem_assign(e32, ftmp);
-    for (i = 0; i < 32; i++) {
-        felem_square(tmp, ftmp);
-        felem_reduce(ftmp, tmp);
-    }                           /* 2^64 - 2^32 */
-    felem_assign(e64, ftmp);
-    felem_mul(tmp, ftmp, in);
-    felem_reduce(ftmp, tmp);    /* 2^64 - 2^32 + 2^0 */
-    for (i = 0; i < 192; i++) {
-        felem_square(tmp, ftmp);
-        felem_reduce(ftmp, tmp);
-    }                           /* 2^256 - 2^224 + 2^192 */
-
-    felem_mul(tmp, e64, e32);
-    felem_reduce(ftmp2, tmp);   /* 2^64 - 2^0 */
-    for (i = 0; i < 16; i++) {
-        felem_square(tmp, ftmp2);
-        felem_reduce(ftmp2, tmp);
-    }                           /* 2^80 - 2^16 */
-    felem_mul(tmp, ftmp2, e16);
-    felem_reduce(ftmp2, tmp);   /* 2^80 - 2^0 */
-    for (i = 0; i < 8; i++) {
-        felem_square(tmp, ftmp2);
-        felem_reduce(ftmp2, tmp);
-    }                           /* 2^88 - 2^8 */
-    felem_mul(tmp, ftmp2, e8);
-    felem_reduce(ftmp2, tmp);   /* 2^88 - 2^0 */
-    for (i = 0; i < 4; i++) {
-        felem_square(tmp, ftmp2);
-        felem_reduce(ftmp2, tmp);
-    }                           /* 2^92 - 2^4 */
-    felem_mul(tmp, ftmp2, e4);
-    felem_reduce(ftmp2, tmp);   /* 2^92 - 2^0 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp2, tmp);   /* 2^93 - 2^1 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp2, tmp);   /* 2^94 - 2^2 */
-    felem_mul(tmp, ftmp2, e2);
-    felem_reduce(ftmp2, tmp);   /* 2^94 - 2^0 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp2, tmp);   /* 2^95 - 2^1 */
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp2, tmp);   /* 2^96 - 2^2 */
-    felem_mul(tmp, ftmp2, in);
-    felem_reduce(ftmp2, tmp);   /* 2^96 - 3 */
-
-    felem_mul(tmp, ftmp2, ftmp);
-    felem_reduce(out, tmp);     /* 2^256 - 2^224 + 2^192 + 2^96 - 3 */
-}
-
-static void smallfelem_inv_contract(smallfelem out, const smallfelem in)
-{
-    felem tmp;
-
-    smallfelem_expand(tmp, in);
-    felem_inv(tmp, tmp);
-    felem_contract(out, tmp);
-}
-
-/*-
- * Group operations
- * ----------------
- *
- * Building on top of the field operations we have the operations on the
- * elliptic curve group itself. Points on the curve are represented in Jacobian
- * coordinates
- */
-
-/*-
- * point_double calculates 2*(x_in, y_in, z_in)
- *
- * The method is taken from:
- *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
- *
- * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
- * while x_out == y_in is not (maybe this works, but it's not tested).
- */
-static void
-point_double(felem x_out, felem y_out, felem z_out,
-             const felem x_in, const felem y_in, const felem z_in)
-{
-    longfelem tmp, tmp2;
-    felem delta, gamma, beta, alpha, ftmp, ftmp2;
-    smallfelem small1, small2;
-
-    felem_assign(ftmp, x_in);
-    /* ftmp[i] < 2^106 */
-    felem_assign(ftmp2, x_in);
-    /* ftmp2[i] < 2^106 */
-
-    /* delta = z^2 */
-    felem_square(tmp, z_in);
-    felem_reduce(delta, tmp);
-    /* delta[i] < 2^101 */
-
-    /* gamma = y^2 */
-    felem_square(tmp, y_in);
-    felem_reduce(gamma, tmp);
-    /* gamma[i] < 2^101 */
-    felem_shrink(small1, gamma);
-
-    /* beta = x*gamma */
-    felem_small_mul(tmp, small1, x_in);
-    felem_reduce(beta, tmp);
-    /* beta[i] < 2^101 */
-
-    /* alpha = 3*(x-delta)*(x+delta) */
-    felem_diff(ftmp, delta);
-    /* ftmp[i] < 2^105 + 2^106 < 2^107 */
-    felem_sum(ftmp2, delta);
-    /* ftmp2[i] < 2^105 + 2^106 < 2^107 */
-    felem_scalar(ftmp2, 3);
-    /* ftmp2[i] < 3 * 2^107 < 2^109 */
-    felem_mul(tmp, ftmp, ftmp2);
-    felem_reduce(alpha, tmp);
-    /* alpha[i] < 2^101 */
-    felem_shrink(small2, alpha);
-
-    /* x' = alpha^2 - 8*beta */
-    smallfelem_square(tmp, small2);
-    felem_reduce(x_out, tmp);
-    felem_assign(ftmp, beta);
-    felem_scalar(ftmp, 8);
-    /* ftmp[i] < 8 * 2^101 = 2^104 */
-    felem_diff(x_out, ftmp);
-    /* x_out[i] < 2^105 + 2^101 < 2^106 */
-
-    /* z' = (y + z)^2 - gamma - delta */
-    felem_sum(delta, gamma);
-    /* delta[i] < 2^101 + 2^101 = 2^102 */
-    felem_assign(ftmp, y_in);
-    felem_sum(ftmp, z_in);
-    /* ftmp[i] < 2^106 + 2^106 = 2^107 */
-    felem_square(tmp, ftmp);
-    felem_reduce(z_out, tmp);
-    felem_diff(z_out, delta);
-    /* z_out[i] < 2^105 + 2^101 < 2^106 */
-
-    /* y' = alpha*(4*beta - x') - 8*gamma^2 */
-    felem_scalar(beta, 4);
-    /* beta[i] < 4 * 2^101 = 2^103 */
-    felem_diff_zero107(beta, x_out);
-    /* beta[i] < 2^107 + 2^103 < 2^108 */
-    felem_small_mul(tmp, small2, beta);
-    /* tmp[i] < 7 * 2^64 < 2^67 */
-    smallfelem_square(tmp2, small1);
-    /* tmp2[i] < 7 * 2^64 */
-    longfelem_scalar(tmp2, 8);
-    /* tmp2[i] < 8 * 7 * 2^64 = 7 * 2^67 */
-    longfelem_diff(tmp, tmp2);
-    /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
-    felem_reduce_zero105(y_out, tmp);
-    /* y_out[i] < 2^106 */
-}
-
-/*
- * point_double_small is the same as point_double, except that it operates on
- * smallfelems
- */
-static void
-point_double_small(smallfelem x_out, smallfelem y_out, smallfelem z_out,
-                   const smallfelem x_in, const smallfelem y_in,
-                   const smallfelem z_in)
-{
-    felem felem_x_out, felem_y_out, felem_z_out;
-    felem felem_x_in, felem_y_in, felem_z_in;
-
-    smallfelem_expand(felem_x_in, x_in);
-    smallfelem_expand(felem_y_in, y_in);
-    smallfelem_expand(felem_z_in, z_in);
-    point_double(felem_x_out, felem_y_out, felem_z_out,
-                 felem_x_in, felem_y_in, felem_z_in);
-    felem_shrink(x_out, felem_x_out);
-    felem_shrink(y_out, felem_y_out);
-    felem_shrink(z_out, felem_z_out);
-}
-
-/* copy_conditional copies in to out iff mask is all ones. */
-static void copy_conditional(felem out, const felem in, limb mask)
-{
-    unsigned i;
-    for (i = 0; i < NLIMBS; ++i) {
-        const limb tmp = mask & (in[i] ^ out[i]);
-        out[i] ^= tmp;
-    }
-}
-
-/* copy_small_conditional copies in to out iff mask is all ones. */
-static void copy_small_conditional(felem out, const smallfelem in, limb mask)
-{
-    unsigned i;
-    const u64 mask64 = mask;
-    for (i = 0; i < NLIMBS; ++i) {
-        out[i] = ((limb) (in[i] & mask64)) | (out[i] & ~mask);
-    }
-}
-
-/*-
- * point_add calculates (x1, y1, z1) + (x2, y2, z2)
- *
- * The method is taken from:
- *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
- * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
- *
- * This function includes a branch for checking whether the two input points
- * are equal, (while not equal to the point at infinity). This case never
- * happens during single point multiplication, so there is no timing leak for
- * ECDH or ECDSA signing.
- */
-static void point_add(felem x3, felem y3, felem z3,
-                      const felem x1, const felem y1, const felem z1,
-                      const int mixed, const smallfelem x2,
-                      const smallfelem y2, const smallfelem z2)
-{
-    felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
-    longfelem tmp, tmp2;
-    smallfelem small1, small2, small3, small4, small5;
-    limb x_equal, y_equal, z1_is_zero, z2_is_zero;
-    limb points_equal;
-
-    felem_shrink(small3, z1);
-
-    z1_is_zero = smallfelem_is_zero(small3);
-    z2_is_zero = smallfelem_is_zero(z2);
-
-    /* ftmp = z1z1 = z1**2 */
-    smallfelem_square(tmp, small3);
-    felem_reduce(ftmp, tmp);
-    /* ftmp[i] < 2^101 */
-    felem_shrink(small1, ftmp);
-
-    if (!mixed) {
-        /* ftmp2 = z2z2 = z2**2 */
-        smallfelem_square(tmp, z2);
-        felem_reduce(ftmp2, tmp);
-        /* ftmp2[i] < 2^101 */
-        felem_shrink(small2, ftmp2);
-
-        felem_shrink(small5, x1);
-
-        /* u1 = ftmp3 = x1*z2z2 */
-        smallfelem_mul(tmp, small5, small2);
-        felem_reduce(ftmp3, tmp);
-        /* ftmp3[i] < 2^101 */
-
-        /* ftmp5 = z1 + z2 */
-        felem_assign(ftmp5, z1);
-        felem_small_sum(ftmp5, z2);
-        /* ftmp5[i] < 2^107 */
-
-        /* ftmp5 = (z1 + z2)**2 - (z1z1 + z2z2) = 2z1z2 */
-        felem_square(tmp, ftmp5);
-        felem_reduce(ftmp5, tmp);
-        /* ftmp2 = z2z2 + z1z1 */
-        felem_sum(ftmp2, ftmp);
-        /* ftmp2[i] < 2^101 + 2^101 = 2^102 */
-        felem_diff(ftmp5, ftmp2);
-        /* ftmp5[i] < 2^105 + 2^101 < 2^106 */
-
-        /* ftmp2 = z2 * z2z2 */
-        smallfelem_mul(tmp, small2, z2);
-        felem_reduce(ftmp2, tmp);
-
-        /* s1 = ftmp2 = y1 * z2**3 */
-        felem_mul(tmp, y1, ftmp2);
-        felem_reduce(ftmp6, tmp);
-        /* ftmp6[i] < 2^101 */
-    } else {
-        /*
-         * We'll assume z2 = 1 (special case z2 = 0 is handled later)
-         */
-
-        /* u1 = ftmp3 = x1*z2z2 */
-        felem_assign(ftmp3, x1);
-        /* ftmp3[i] < 2^106 */
-
-        /* ftmp5 = 2z1z2 */
-        felem_assign(ftmp5, z1);
-        felem_scalar(ftmp5, 2);
-        /* ftmp5[i] < 2*2^106 = 2^107 */
-
-        /* s1 = ftmp2 = y1 * z2**3 */
-        felem_assign(ftmp6, y1);
-        /* ftmp6[i] < 2^106 */
-    }
-
-    /* u2 = x2*z1z1 */
-    smallfelem_mul(tmp, x2, small1);
-    felem_reduce(ftmp4, tmp);
-
-    /* h = ftmp4 = u2 - u1 */
-    felem_diff_zero107(ftmp4, ftmp3);
-    /* ftmp4[i] < 2^107 + 2^101 < 2^108 */
-    felem_shrink(small4, ftmp4);
-
-    x_equal = smallfelem_is_zero(small4);
-
-    /* z_out = ftmp5 * h */
-    felem_small_mul(tmp, small4, ftmp5);
-    felem_reduce(z_out, tmp);
-    /* z_out[i] < 2^101 */
-
-    /* ftmp = z1 * z1z1 */
-    smallfelem_mul(tmp, small1, small3);
-    felem_reduce(ftmp, tmp);
-
-    /* s2 = tmp = y2 * z1**3 */
-    felem_small_mul(tmp, y2, ftmp);
-    felem_reduce(ftmp5, tmp);
-
-    /* r = ftmp5 = (s2 - s1)*2 */
-    felem_diff_zero107(ftmp5, ftmp6);
-    /* ftmp5[i] < 2^107 + 2^107 = 2^108 */
-    felem_scalar(ftmp5, 2);
-    /* ftmp5[i] < 2^109 */
-    felem_shrink(small1, ftmp5);
-    y_equal = smallfelem_is_zero(small1);
-
-    /*
-     * The formulae are incorrect if the points are equal, in affine coordinates
-     * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
-     * happens.
-     *
-     * We use bitwise operations to avoid potential side-channels introduced by
-     * the short-circuiting behaviour of boolean operators.
-     *
-     * The special case of either point being the point at infinity (z1 and/or
-     * z2 are zero), is handled separately later on in this function, so we
-     * avoid jumping to point_double here in those special cases.
-     */
-    points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
-
-    if (points_equal) {
-        /*
-         * This is obviously not constant-time but, as mentioned before, this
-         * case never happens during single point multiplication, so there is no
-         * timing leak for ECDH or ECDSA signing.
-         */
-        point_double(x3, y3, z3, x1, y1, z1);
-        return;
-    }
-
-    /* I = ftmp = (2h)**2 */
-    felem_assign(ftmp, ftmp4);
-    felem_scalar(ftmp, 2);
-    /* ftmp[i] < 2*2^108 = 2^109 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);
-
-    /* J = ftmp2 = h * I */
-    felem_mul(tmp, ftmp4, ftmp);
-    felem_reduce(ftmp2, tmp);
-
-    /* V = ftmp4 = U1 * I */
-    felem_mul(tmp, ftmp3, ftmp);
-    felem_reduce(ftmp4, tmp);
-
-    /* x_out = r**2 - J - 2V */
-    smallfelem_square(tmp, small1);
-    felem_reduce(x_out, tmp);
-    felem_assign(ftmp3, ftmp4);
-    felem_scalar(ftmp4, 2);
-    felem_sum(ftmp4, ftmp2);
-    /* ftmp4[i] < 2*2^101 + 2^101 < 2^103 */
-    felem_diff(x_out, ftmp4);
-    /* x_out[i] < 2^105 + 2^101 */
-
-    /* y_out = r(V-x_out) - 2 * s1 * J */
-    felem_diff_zero107(ftmp3, x_out);
-    /* ftmp3[i] < 2^107 + 2^101 < 2^108 */
-    felem_small_mul(tmp, small1, ftmp3);
-    felem_mul(tmp2, ftmp6, ftmp2);
-    longfelem_scalar(tmp2, 2);
-    /* tmp2[i] < 2*2^67 = 2^68 */
-    longfelem_diff(tmp, tmp2);
-    /* tmp[i] < 2^67 + 2^70 + 2^40 < 2^71 */
-    felem_reduce_zero105(y_out, tmp);
-    /* y_out[i] < 2^106 */
-
-    copy_small_conditional(x_out, x2, z1_is_zero);
-    copy_conditional(x_out, x1, z2_is_zero);
-    copy_small_conditional(y_out, y2, z1_is_zero);
-    copy_conditional(y_out, y1, z2_is_zero);
-    copy_small_conditional(z_out, z2, z1_is_zero);
-    copy_conditional(z_out, z1, z2_is_zero);
-    felem_assign(x3, x_out);
-    felem_assign(y3, y_out);
-    felem_assign(z3, z_out);
-}
-
-/*
- * point_add_small is the same as point_add, except that it operates on
- * smallfelems
- */
-static void point_add_small(smallfelem x3, smallfelem y3, smallfelem z3,
-                            smallfelem x1, smallfelem y1, smallfelem z1,
-                            smallfelem x2, smallfelem y2, smallfelem z2)
-{
-    felem felem_x3, felem_y3, felem_z3;
-    felem felem_x1, felem_y1, felem_z1;
-    smallfelem_expand(felem_x1, x1);
-    smallfelem_expand(felem_y1, y1);
-    smallfelem_expand(felem_z1, z1);
-    point_add(felem_x3, felem_y3, felem_z3, felem_x1, felem_y1, felem_z1, 0,
-              x2, y2, z2);
-    felem_shrink(x3, felem_x3);
-    felem_shrink(y3, felem_y3);
-    felem_shrink(z3, felem_z3);
-}
-
-/*-
- * Base point pre computation
- * --------------------------
- *
- * Two different sorts of precomputed tables are used in the following code.
- * Each contain various points on the curve, where each point is three field
- * elements (x, y, z).
- *
- * For the base point table, z is usually 1 (0 for the point at infinity).
- * This table has 2 * 16 elements, starting with the following:
- * index | bits    | point
- * ------+---------+------------------------------
- *     0 | 0 0 0 0 | 0G
- *     1 | 0 0 0 1 | 1G
- *     2 | 0 0 1 0 | 2^64G
- *     3 | 0 0 1 1 | (2^64 + 1)G
- *     4 | 0 1 0 0 | 2^128G
- *     5 | 0 1 0 1 | (2^128 + 1)G
- *     6 | 0 1 1 0 | (2^128 + 2^64)G
- *     7 | 0 1 1 1 | (2^128 + 2^64 + 1)G
- *     8 | 1 0 0 0 | 2^192G
- *     9 | 1 0 0 1 | (2^192 + 1)G
- *    10 | 1 0 1 0 | (2^192 + 2^64)G
- *    11 | 1 0 1 1 | (2^192 + 2^64 + 1)G
- *    12 | 1 1 0 0 | (2^192 + 2^128)G
- *    13 | 1 1 0 1 | (2^192 + 2^128 + 1)G
- *    14 | 1 1 1 0 | (2^192 + 2^128 + 2^64)G
- *    15 | 1 1 1 1 | (2^192 + 2^128 + 2^64 + 1)G
- * followed by a copy of this with each element multiplied by 2^32.
- *
- * The reason for this is so that we can clock bits into four different
- * locations when doing simple scalar multiplies against the base point,
- * and then another four locations using the second 16 elements.
- *
- * Tables for other points have table[i] = iG for i in 0 .. 16. */
-
-/* gmul is the table of precomputed base points */
-static const smallfelem gmul[2][16][3] = {
-    {{{0, 0, 0, 0},
-      {0, 0, 0, 0},
-      {0, 0, 0, 0}},
-     {{0xf4a13945d898c296, 0x77037d812deb33a0, 0xf8bce6e563a440f2,
-       0x6b17d1f2e12c4247},
-      {0xcbb6406837bf51f5, 0x2bce33576b315ece, 0x8ee7eb4a7c0f9e16,
-       0x4fe342e2fe1a7f9b},
-      {1, 0, 0, 0}},
-     {{0x90e75cb48e14db63, 0x29493baaad651f7e, 0x8492592e326e25de,
-       0x0fa822bc2811aaa5},
-      {0xe41124545f462ee7, 0x34b1a65050fe82f5, 0x6f4ad4bcb3df188b,
-       0xbff44ae8f5dba80d},
-      {1, 0, 0, 0}},
-     {{0x93391ce2097992af, 0xe96c98fd0d35f1fa, 0xb257c0de95e02789,
-       0x300a4bbc89d6726f},
-      {0xaa54a291c08127a0, 0x5bb1eeada9d806a5, 0x7f1ddb25ff1e3c6f,
-       0x72aac7e0d09b4644},
-      {1, 0, 0, 0}},
-     {{0x57c84fc9d789bd85, 0xfc35ff7dc297eac3, 0xfb982fd588c6766e,
-       0x447d739beedb5e67},
-      {0x0c7e33c972e25b32, 0x3d349b95a7fae500, 0xe12e9d953a4aaff7,
-       0x2d4825ab834131ee},
-      {1, 0, 0, 0}},
-     {{0x13949c932a1d367f, 0xef7fbd2b1a0a11b7, 0xddc6068bb91dfc60,
-       0xef9519328a9c72ff},
-      {0x196035a77376d8a8, 0x23183b0895ca1740, 0xc1ee9807022c219c,
-       0x611e9fc37dbb2c9b},
-      {1, 0, 0, 0}},
-     {{0xcae2b1920b57f4bc, 0x2936df5ec6c9bc36, 0x7dea6482e11238bf,
-       0x550663797b51f5d8},
-      {0x44ffe216348a964c, 0x9fb3d576dbdefbe1, 0x0afa40018d9d50e5,
-       0x157164848aecb851},
-      {1, 0, 0, 0}},
-     {{0xe48ecafffc5cde01, 0x7ccd84e70d715f26, 0xa2e8f483f43e4391,
-       0xeb5d7745b21141ea},
-      {0xcac917e2731a3479, 0x85f22cfe2844b645, 0x0990e6a158006cee,
-       0xeafd72ebdbecc17b},
-      {1, 0, 0, 0}},
-     {{0x6cf20ffb313728be, 0x96439591a3c6b94a, 0x2736ff8344315fc5,
-       0xa6d39677a7849276},
-      {0xf2bab833c357f5f4, 0x824a920c2284059b, 0x66b8babd2d27ecdf,
-       0x674f84749b0b8816},
-      {1, 0, 0, 0}},
-     {{0x2df48c04677c8a3e, 0x74e02f080203a56b, 0x31855f7db8c7fedb,
-       0x4e769e7672c9ddad},
-      {0xa4c36165b824bbb0, 0xfb9ae16f3b9122a5, 0x1ec0057206947281,
-       0x42b99082de830663},
-      {1, 0, 0, 0}},
-     {{0x6ef95150dda868b9, 0xd1f89e799c0ce131, 0x7fdc1ca008a1c478,
-       0x78878ef61c6ce04d},
-      {0x9c62b9121fe0d976, 0x6ace570ebde08d4f, 0xde53142c12309def,
-       0xb6cb3f5d7b72c321},
-      {1, 0, 0, 0}},
-     {{0x7f991ed2c31a3573, 0x5b82dd5bd54fb496, 0x595c5220812ffcae,
-       0x0c88bc4d716b1287},
-      {0x3a57bf635f48aca8, 0x7c8181f4df2564f3, 0x18d1b5b39c04e6aa,
-       0xdd5ddea3f3901dc6},
-      {1, 0, 0, 0}},
-     {{0xe96a79fb3e72ad0c, 0x43a0a28c42ba792f, 0xefe0a423083e49f3,
-       0x68f344af6b317466},
-      {0xcdfe17db3fb24d4a, 0x668bfc2271f5c626, 0x604ed93c24d67ff3,
-       0x31b9c405f8540a20},
-      {1, 0, 0, 0}},
-     {{0xd36b4789a2582e7f, 0x0d1a10144ec39c28, 0x663c62c3edbad7a0,
-       0x4052bf4b6f461db9},
-      {0x235a27c3188d25eb, 0xe724f33999bfcc5b, 0x862be6bd71d70cc8,
-       0xfecf4d5190b0fc61},
-      {1, 0, 0, 0}},
-     {{0x74346c10a1d4cfac, 0xafdf5cc08526a7a4, 0x123202a8f62bff7a,
-       0x1eddbae2c802e41a},
-      {0x8fa0af2dd603f844, 0x36e06b7e4c701917, 0x0c45f45273db33a0,
-       0x43104d86560ebcfc},
-      {1, 0, 0, 0}},
-     {{0x9615b5110d1d78e5, 0x66b0de3225c4744b, 0x0a4a46fb6aaf363a,
-       0xb48e26b484f7a21c},
-      {0x06ebb0f621a01b2d, 0xc004e4048b7b0f98, 0x64131bcdfed6f668,
-       0xfac015404d4d3dab},
-      {1, 0, 0, 0}}},
-    {{{0, 0, 0, 0},
-      {0, 0, 0, 0},
-      {0, 0, 0, 0}},
-     {{0x3a5a9e22185a5943, 0x1ab919365c65dfb6, 0x21656b32262c71da,
-       0x7fe36b40af22af89},
-      {0xd50d152c699ca101, 0x74b3d5867b8af212, 0x9f09f40407dca6f1,
-       0xe697d45825b63624},
-      {1, 0, 0, 0}},
-     {{0xa84aa9397512218e, 0xe9a521b074ca0141, 0x57880b3a18a2e902,
-       0x4a5b506612a677a6},
-      {0x0beada7a4c4f3840, 0x626db15419e26d9d, 0xc42604fbe1627d40,
-       0xeb13461ceac089f1},
-      {1, 0, 0, 0}},
-     {{0xf9faed0927a43281, 0x5e52c4144103ecbc, 0xc342967aa815c857,
-       0x0781b8291c6a220a},
-      {0x5a8343ceeac55f80, 0x88f80eeee54a05e3, 0x97b2a14f12916434,
-       0x690cde8df0151593},
-      {1, 0, 0, 0}},
-     {{0xaee9c75df7f82f2a, 0x9e4c35874afdf43a, 0xf5622df437371326,
-       0x8a535f566ec73617},
-      {0xc5f9a0ac223094b7, 0xcde533864c8c7669, 0x37e02819085a92bf,
-       0x0455c08468b08bd7},
-      {1, 0, 0, 0}},
-     {{0x0c0a6e2c9477b5d9, 0xf9a4bf62876dc444, 0x5050a949b6cdc279,
-       0x06bada7ab77f8276},
-      {0xc8b4aed1ea48dac9, 0xdebd8a4b7ea1070f, 0x427d49101366eb70,
-       0x5b476dfd0e6cb18a},
-      {1, 0, 0, 0}},
-     {{0x7c5c3e44278c340a, 0x4d54606812d66f3b, 0x29a751b1ae23c5d8,
-       0x3e29864e8a2ec908},
-      {0x142d2a6626dbb850, 0xad1744c4765bd780, 0x1f150e68e322d1ed,
-       0x239b90ea3dc31e7e},
-      {1, 0, 0, 0}},
-     {{0x78c416527a53322a, 0x305dde6709776f8e, 0xdbcab759f8862ed4,
-       0x820f4dd949f72ff7},
-      {0x6cc544a62b5debd4, 0x75be5d937b4e8cc4, 0x1b481b1b215c14d3,
-       0x140406ec783a05ec},
-      {1, 0, 0, 0}},
-     {{0x6a703f10e895df07, 0xfd75f3fa01876bd8, 0xeb5b06e70ce08ffe,
-       0x68f6b8542783dfee},
-      {0x90c76f8a78712655, 0xcf5293d2f310bf7f, 0xfbc8044dfda45028,
-       0xcbe1feba92e40ce6},
-      {1, 0, 0, 0}},
-     {{0xe998ceea4396e4c1, 0xfc82ef0b6acea274, 0x230f729f2250e927,
-       0xd0b2f94d2f420109},
-      {0x4305adddb38d4966, 0x10b838f8624c3b45, 0x7db2636658954e7a,
-       0x971459828b0719e5},
-      {1, 0, 0, 0}},
-     {{0x4bd6b72623369fc9, 0x57f2929e53d0b876, 0xc2d5cba4f2340687,
-       0x961610004a866aba},
-      {0x49997bcd2e407a5e, 0x69ab197d92ddcb24, 0x2cf1f2438fe5131c,
-       0x7acb9fadcee75e44},
-      {1, 0, 0, 0}},
-     {{0x254e839423d2d4c0, 0xf57f0c917aea685b, 0xa60d880f6f75aaea,
-       0x24eb9acca333bf5b},
-      {0xe3de4ccb1cda5dea, 0xfeef9341c51a6b4f, 0x743125f88bac4c4d,
-       0x69f891c5acd079cc},
-      {1, 0, 0, 0}},
-     {{0xeee44b35702476b5, 0x7ed031a0e45c2258, 0xb422d1e7bd6f8514,
-       0xe51f547c5972a107},
-      {0xa25bcd6fc9cf343d, 0x8ca922ee097c184e, 0xa62f98b3a9fe9a06,
-       0x1c309a2b25bb1387},
-      {1, 0, 0, 0}},
-     {{0x9295dbeb1967c459, 0xb00148833472c98e, 0xc504977708011828,
-       0x20b87b8aa2c4e503},
-      {0x3063175de057c277, 0x1bd539338fe582dd, 0x0d11adef5f69a044,
-       0xf5c6fa49919776be},
-      {1, 0, 0, 0}},
-     {{0x8c944e760fd59e11, 0x3876cba1102fad5f, 0xa454c3fad83faa56,
-       0x1ed7d1b9332010b9},
-      {0xa1011a270024b889, 0x05e4d0dcac0cd344, 0x52b520f0eb6a2a24,
-       0x3a2b03f03217257a},
-      {1, 0, 0, 0}},
-     {{0xf20fc2afdf1d043d, 0xf330240db58d5a62, 0xfc7d229ca0058c3b,
-       0x15fee545c78dd9f6},
-      {0x501e82885bc98cda, 0x41ef80e5d046ac04, 0x557d9f49461210fb,
-       0x4ab5b6b2b8753f81},
-      {1, 0, 0, 0}}}
-};
-
-/*
- * select_point selects the |idx|th point from a precomputation table and
- * copies it to out.
- */
-static void select_point(const u64 idx, unsigned int size,
-                         const smallfelem pre_comp[16][3], smallfelem out[3])
-{
-    unsigned i, j;
-    u64 *outlimbs = &out[0][0];
-
-    memset(out, 0, sizeof(*out) * 3);
-
-    for (i = 0; i < size; i++) {
-        const u64 *inlimbs = (u64 *)&pre_comp[i][0][0];
-        u64 mask = i ^ idx;
-        mask |= mask >> 4;
-        mask |= mask >> 2;
-        mask |= mask >> 1;
-        mask &= 1;
-        mask--;
-        for (j = 0; j < NLIMBS * 3; j++)
-            outlimbs[j] |= inlimbs[j] & mask;
-    }
-}
-
-/* get_bit returns the |i|th bit in |in| */
-static char get_bit(const felem_bytearray in, int i)
-{
-    if ((i < 0) || (i >= 256))
-        return 0;
-    return (in[i >> 3] >> (i & 7)) & 1;
-}
-
-/*
- * Interleaved point multiplication using precomputed point multiples: The
- * small point multiples 0*P, 1*P, ..., 17*P are in pre_comp[], the scalars
- * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the
- * generator, using certain (large) precomputed multiples in g_pre_comp.
- * Output point (X, Y, Z) is stored in x_out, y_out, z_out
- */
-static void batch_mul(felem x_out, felem y_out, felem z_out,
-                      const felem_bytearray scalars[],
-                      const unsigned num_points, const u8 *g_scalar,
-                      const int mixed, const smallfelem pre_comp[][17][3],
-                      const smallfelem g_pre_comp[2][16][3])
-{
-    int i, skip;
-    unsigned num, gen_mul = (g_scalar != NULL);
-    felem nq[3], ftmp;
-    smallfelem tmp[3];
-    u64 bits;
-    u8 sign, digit;
-
-    /* set nq to the point at infinity */
-    memset(nq, 0, sizeof(nq));
-
-    /*
-     * Loop over all scalars msb-to-lsb, interleaving additions of multiples
-     * of the generator (two in each of the last 32 rounds) and additions of
-     * other points multiples (every 5th round).
-     */
-    skip = 1;                   /* save two point operations in the first
-                                 * round */
-    for (i = (num_points ? 255 : 31); i >= 0; --i) {
-        /* double */
-        if (!skip)
-            point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
-
-        /* add multiples of the generator */
-        if (gen_mul && (i <= 31)) {
-            /* first, look 32 bits upwards */
-            bits = get_bit(g_scalar, i + 224) << 3;
-            bits |= get_bit(g_scalar, i + 160) << 2;
-            bits |= get_bit(g_scalar, i + 96) << 1;
-            bits |= get_bit(g_scalar, i + 32);
-            /* select the point to add, in constant time */
-            select_point(bits, 16, g_pre_comp[1], tmp);
-
-            if (!skip) {
-                /* Arg 1 below is for "mixed" */
-                point_add(nq[0], nq[1], nq[2],
-                          nq[0], nq[1], nq[2], 1, tmp[0], tmp[1], tmp[2]);
-            } else {
-                smallfelem_expand(nq[0], tmp[0]);
-                smallfelem_expand(nq[1], tmp[1]);
-                smallfelem_expand(nq[2], tmp[2]);
-                skip = 0;
-            }
-
-            /* second, look at the current position */
-            bits = get_bit(g_scalar, i + 192) << 3;
-            bits |= get_bit(g_scalar, i + 128) << 2;
-            bits |= get_bit(g_scalar, i + 64) << 1;
-            bits |= get_bit(g_scalar, i);
-            /* select the point to add, in constant time */
-            select_point(bits, 16, g_pre_comp[0], tmp);
-            /* Arg 1 below is for "mixed" */
-            point_add(nq[0], nq[1], nq[2],
-                      nq[0], nq[1], nq[2], 1, tmp[0], tmp[1], tmp[2]);
-        }
-
-        /* do other additions every 5 doublings */
-        if (num_points && (i % 5 == 0)) {
-            /* loop over all scalars */
-            for (num = 0; num < num_points; ++num) {
-                bits = get_bit(scalars[num], i + 4) << 5;
-                bits |= get_bit(scalars[num], i + 3) << 4;
-                bits |= get_bit(scalars[num], i + 2) << 3;
-                bits |= get_bit(scalars[num], i + 1) << 2;
-                bits |= get_bit(scalars[num], i) << 1;
-                bits |= get_bit(scalars[num], i - 1);
-                ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
-
-                /*
-                 * select the point to add or subtract, in constant time
-                 */
-                select_point(digit, 17, pre_comp[num], tmp);
-                smallfelem_neg(ftmp, tmp[1]); /* (X, -Y, Z) is the negative
-                                               * point */
-                copy_small_conditional(ftmp, tmp[1], (((limb) sign) - 1));
-                felem_contract(tmp[1], ftmp);
-
-                if (!skip) {
-                    point_add(nq[0], nq[1], nq[2],
-                              nq[0], nq[1], nq[2],
-                              mixed, tmp[0], tmp[1], tmp[2]);
-                } else {
-                    smallfelem_expand(nq[0], tmp[0]);
-                    smallfelem_expand(nq[1], tmp[1]);
-                    smallfelem_expand(nq[2], tmp[2]);
-                    skip = 0;
-                }
-            }
-        }
-    }
-    felem_assign(x_out, nq[0]);
-    felem_assign(y_out, nq[1]);
-    felem_assign(z_out, nq[2]);
-}
-
-/* Precomputation for the group generator. */
-struct nistp256_pre_comp_st {
-    smallfelem g_pre_comp[2][16][3];
-    CRYPTO_REF_COUNT references;
-    CRYPTO_RWLOCK *lock;
-};
-
-const EC_METHOD *EC_GFp_nistp256_method(void)
-{
-    static const EC_METHOD ret = {
-        EC_FLAGS_DEFAULT_OCT,
-        NID_X9_62_prime_field,
-        ossl_ec_GFp_nistp256_group_init,
-        ossl_ec_GFp_simple_group_finish,
-        ossl_ec_GFp_simple_group_clear_finish,
-        ossl_ec_GFp_nist_group_copy,
-        ossl_ec_GFp_nistp256_group_set_curve,
-        ossl_ec_GFp_simple_group_get_curve,
-        ossl_ec_GFp_simple_group_get_degree,
-        ossl_ec_group_simple_order_bits,
-        ossl_ec_GFp_simple_group_check_discriminant,
-        ossl_ec_GFp_simple_point_init,
-        ossl_ec_GFp_simple_point_finish,
-        ossl_ec_GFp_simple_point_clear_finish,
-        ossl_ec_GFp_simple_point_copy,
-        ossl_ec_GFp_simple_point_set_to_infinity,
-        ossl_ec_GFp_simple_point_set_affine_coordinates,
-        ossl_ec_GFp_nistp256_point_get_affine_coordinates,
-        0 /* point_set_compressed_coordinates */ ,
-        0 /* point2oct */ ,
-        0 /* oct2point */ ,
-        ossl_ec_GFp_simple_add,
-        ossl_ec_GFp_simple_dbl,
-        ossl_ec_GFp_simple_invert,
-        ossl_ec_GFp_simple_is_at_infinity,
-        ossl_ec_GFp_simple_is_on_curve,
-        ossl_ec_GFp_simple_cmp,
-        ossl_ec_GFp_simple_make_affine,
-        ossl_ec_GFp_simple_points_make_affine,
-        ossl_ec_GFp_nistp256_points_mul,
-        ossl_ec_GFp_nistp256_precompute_mult,
-        ossl_ec_GFp_nistp256_have_precompute_mult,
-        ossl_ec_GFp_nist_field_mul,
-        ossl_ec_GFp_nist_field_sqr,
-        0 /* field_div */ ,
-        ossl_ec_GFp_simple_field_inv,
-        0 /* field_encode */ ,
-        0 /* field_decode */ ,
-        0,                      /* field_set_to_one */
-        ossl_ec_key_simple_priv2oct,
-        ossl_ec_key_simple_oct2priv,
-        0, /* set private */
-        ossl_ec_key_simple_generate_key,
-        ossl_ec_key_simple_check_key,
-        ossl_ec_key_simple_generate_public_key,
-        0, /* keycopy */
-        0, /* keyfinish */
-        ossl_ecdh_simple_compute_key,
-        ossl_ecdsa_simple_sign_setup,
-        ossl_ecdsa_simple_sign_sig,
-        ossl_ecdsa_simple_verify_sig,
-        0, /* field_inverse_mod_ord */
-        0, /* blind_coordinates */
-        0, /* ladder_pre */
-        0, /* ladder_step */
-        0  /* ladder_post */
-    };
-
-    return &ret;
-}
-
-/******************************************************************************/
-/*
- * FUNCTIONS TO MANAGE PRECOMPUTATION
- */
-
-static NISTP256_PRE_COMP *nistp256_pre_comp_new(void)
-{
-    NISTP256_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret));
-
-    if (ret == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        return ret;
-    }
-
-    ret->references = 1;
-
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(ret);
-        return NULL;
-    }
-    return ret;
-}
-
-NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *p)
-{
-    int i;
-    if (p != NULL)
-        CRYPTO_UP_REF(&p->references, &i, p->lock);
-    return p;
-}
-
-void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *pre)
-{
-    int i;
-
-    if (pre == NULL)
-        return;
-
-    CRYPTO_DOWN_REF(&pre->references, &i, pre->lock);
-    REF_PRINT_COUNT("EC_nistp256", pre);
-    if (i > 0)
-        return;
-    REF_ASSERT_ISNT(i < 0);
-
-    CRYPTO_THREAD_lock_free(pre->lock);
-    OPENSSL_free(pre);
-}
-
-/******************************************************************************/
-/*
- * OPENSSL EC_METHOD FUNCTIONS
- */
-
-int ossl_ec_GFp_nistp256_group_init(EC_GROUP *group)
-{
-    int ret;
-    ret = ossl_ec_GFp_simple_group_init(group);
-    group->a_is_minus3 = 1;
-    return ret;
-}
-
-int ossl_ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p,
-                                         const BIGNUM *a, const BIGNUM *b,
-                                         BN_CTX *ctx)
-{
-    int ret = 0;
-    BIGNUM *curve_p, *curve_a, *curve_b;
-#ifndef FIPS_MODULE
-    BN_CTX *new_ctx = NULL;
-
-    if (ctx == NULL)
-        ctx = new_ctx = BN_CTX_new();
-#endif
-    if (ctx == NULL)
-        return 0;
-
-    BN_CTX_start(ctx);
-    curve_p = BN_CTX_get(ctx);
-    curve_a = BN_CTX_get(ctx);
-    curve_b = BN_CTX_get(ctx);
-    if (curve_b == NULL)
-        goto err;
-    BN_bin2bn(nistp256_curve_params[0], sizeof(felem_bytearray), curve_p);
-    BN_bin2bn(nistp256_curve_params[1], sizeof(felem_bytearray), curve_a);
-    BN_bin2bn(nistp256_curve_params[2], sizeof(felem_bytearray), curve_b);
-    if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) {
-        ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS);
-        goto err;
-    }
-    group->field_mod_func = BN_nist_mod_256;
-    ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
-    BN_CTX_end(ctx);
-#ifndef FIPS_MODULE
-    BN_CTX_free(new_ctx);
-#endif
-    return ret;
-}
-
-/*
- * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
- * (X/Z^2, Y/Z^3)
- */
-int ossl_ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
-                                                      const EC_POINT *point,
-                                                      BIGNUM *x, BIGNUM *y,
-                                                      BN_CTX *ctx)
-{
-    felem z1, z2, x_in, y_in;
-    smallfelem x_out, y_out;
-    longfelem tmp;
-
-    if (EC_POINT_is_at_infinity(group, point)) {
-        ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
-        return 0;
-    }
-    if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
-        (!BN_to_felem(z1, point->Z)))
-        return 0;
-    felem_inv(z2, z1);
-    felem_square(tmp, z2);
-    felem_reduce(z1, tmp);
-    felem_mul(tmp, x_in, z1);
-    felem_reduce(x_in, tmp);
-    felem_contract(x_out, x_in);
-    if (x != NULL) {
-        if (!smallfelem_to_BN(x, x_out)) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            return 0;
-        }
-    }
-    felem_mul(tmp, z1, z2);
-    felem_reduce(z1, tmp);
-    felem_mul(tmp, y_in, z1);
-    felem_reduce(y_in, tmp);
-    felem_contract(y_out, y_in);
-    if (y != NULL) {
-        if (!smallfelem_to_BN(y, y_out)) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            return 0;
-        }
-    }
-    return 1;
-}
-
-/* points below is of size |num|, and tmp_smallfelems is of size |num+1| */
-static void make_points_affine(size_t num, smallfelem points[][3],
-                               smallfelem tmp_smallfelems[])
-{
-    /*
-     * Runs in constant time, unless an input is the point at infinity (which
-     * normally shouldn't happen).
-     */
-    ossl_ec_GFp_nistp_points_make_affine_internal(num,
-                                                  points,
-                                                  sizeof(smallfelem),
-                                                  tmp_smallfelems,
-                                                  (void (*)(void *))smallfelem_one,
-                                                  smallfelem_is_zero_int,
-                                                  (void (*)(void *, const void *))
-                                                  smallfelem_assign,
-                                                  (void (*)(void *, const void *))
-                                                  smallfelem_square_contract,
-                                                  (void (*)
-                                                   (void *, const void *,
-                                                    const void *))
-                                                  smallfelem_mul_contract,
-                                                  (void (*)(void *, const void *))
-                                                  smallfelem_inv_contract,
-                                                  /* nothing to contract */
-                                                  (void (*)(void *, const void *))
-                                                  smallfelem_assign);
-}
-
-/*
- * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL
- * values Result is stored in r (r can equal one of the inputs).
- */
-int ossl_ec_GFp_nistp256_points_mul(const EC_GROUP *group, EC_POINT *r,
-                                    const BIGNUM *scalar, size_t num,
-                                    const EC_POINT *points[],
-                                    const BIGNUM *scalars[], BN_CTX *ctx)
-{
-    int ret = 0;
-    int j;
-    int mixed = 0;
-    BIGNUM *x, *y, *z, *tmp_scalar;
-    felem_bytearray g_secret;
-    felem_bytearray *secrets = NULL;
-    smallfelem (*pre_comp)[17][3] = NULL;
-    smallfelem *tmp_smallfelems = NULL;
-    unsigned i;
-    int num_bytes;
-    int have_pre_comp = 0;
-    size_t num_points = num;
-    smallfelem x_in, y_in, z_in;
-    felem x_out, y_out, z_out;
-    NISTP256_PRE_COMP *pre = NULL;
-    const smallfelem(*g_pre_comp)[16][3] = NULL;
-    EC_POINT *generator = NULL;
-    const EC_POINT *p = NULL;
-    const BIGNUM *p_scalar = NULL;
-
-    BN_CTX_start(ctx);
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    z = BN_CTX_get(ctx);
-    tmp_scalar = BN_CTX_get(ctx);
-    if (tmp_scalar == NULL)
-        goto err;
-
-    if (scalar != NULL) {
-        pre = group->pre_comp.nistp256;
-        if (pre)
-            /* we have precomputation, try to use it */
-            g_pre_comp = (const smallfelem(*)[16][3])pre->g_pre_comp;
-        else
-            /* try to use the standard precomputation */
-            g_pre_comp = &gmul[0];
-        generator = EC_POINT_new(group);
-        if (generator == NULL)
-            goto err;
-        /* get the generator from precomputation */
-        if (!smallfelem_to_BN(x, g_pre_comp[0][1][0]) ||
-            !smallfelem_to_BN(y, g_pre_comp[0][1][1]) ||
-            !smallfelem_to_BN(z, g_pre_comp[0][1][2])) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            goto err;
-        }
-        if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group,
-                                                                generator,
-                                                                x, y, z, ctx))
-            goto err;
-        if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
-            /* precomputation matches generator */
-            have_pre_comp = 1;
-        else
-            /*
-             * we don't have valid precomputation: treat the generator as a
-             * random point
-             */
-            num_points++;
-    }
-    if (num_points > 0) {
-        if (num_points >= 3) {
-            /*
-             * unless we precompute multiples for just one or two points,
-             * converting those into affine form is time well spent
-             */
-            mixed = 1;
-        }
-        secrets = OPENSSL_malloc(sizeof(*secrets) * num_points);
-        pre_comp = OPENSSL_malloc(sizeof(*pre_comp) * num_points);
-        if (mixed)
-            tmp_smallfelems =
-              OPENSSL_malloc(sizeof(*tmp_smallfelems) * (num_points * 17 + 1));
-        if ((secrets == NULL) || (pre_comp == NULL)
-            || (mixed && (tmp_smallfelems == NULL))) {
-            ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-
-        /*
-         * we treat NULL scalars as 0, and NULL points as points at infinity,
-         * i.e., they contribute nothing to the linear combination
-         */
-        memset(secrets, 0, sizeof(*secrets) * num_points);
-        memset(pre_comp, 0, sizeof(*pre_comp) * num_points);
-        for (i = 0; i < num_points; ++i) {
-            if (i == num) {
-                /*
-                 * we didn't have a valid precomputation, so we pick the
-                 * generator
-                 */
-                p = EC_GROUP_get0_generator(group);
-                p_scalar = scalar;
-            } else {
-                /* the i^th point */
-                p = points[i];
-                p_scalar = scalars[i];
-            }
-            if ((p_scalar != NULL) && (p != NULL)) {
-                /* reduce scalar to 0 <= scalar < 2^256 */
-                if ((BN_num_bits(p_scalar) > 256)
-                    || (BN_is_negative(p_scalar))) {
-                    /*
-                     * this is an unusual input, and we don't guarantee
-                     * constant-timeness
-                     */
-                    if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
-                        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                        goto err;
-                    }
-                    num_bytes = BN_bn2lebinpad(tmp_scalar,
-                                               secrets[i], sizeof(secrets[i]));
-                } else {
-                    num_bytes = BN_bn2lebinpad(p_scalar,
-                                               secrets[i], sizeof(secrets[i]));
-                }
-                if (num_bytes < 0) {
-                    ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                    goto err;
-                }
-                /* precompute multiples */
-                if ((!BN_to_felem(x_out, p->X)) ||
-                    (!BN_to_felem(y_out, p->Y)) ||
-                    (!BN_to_felem(z_out, p->Z)))
-                    goto err;
-                felem_shrink(pre_comp[i][1][0], x_out);
-                felem_shrink(pre_comp[i][1][1], y_out);
-                felem_shrink(pre_comp[i][1][2], z_out);
-                for (j = 2; j <= 16; ++j) {
-                    if (j & 1) {
-                        point_add_small(pre_comp[i][j][0], pre_comp[i][j][1],
-                                        pre_comp[i][j][2], pre_comp[i][1][0],
-                                        pre_comp[i][1][1], pre_comp[i][1][2],
-                                        pre_comp[i][j - 1][0],
-                                        pre_comp[i][j - 1][1],
-                                        pre_comp[i][j - 1][2]);
-                    } else {
-                        point_double_small(pre_comp[i][j][0],
-                                           pre_comp[i][j][1],
-                                           pre_comp[i][j][2],
-                                           pre_comp[i][j / 2][0],
-                                           pre_comp[i][j / 2][1],
-                                           pre_comp[i][j / 2][2]);
-                    }
-                }
-            }
-        }
-        if (mixed)
-            make_points_affine(num_points * 17, pre_comp[0], tmp_smallfelems);
-    }
-
-    /* the scalar for the generator */
-    if ((scalar != NULL) && (have_pre_comp)) {
-        memset(g_secret, 0, sizeof(g_secret));
-        /* reduce scalar to 0 <= scalar < 2^256 */
-        if ((BN_num_bits(scalar) > 256) || (BN_is_negative(scalar))) {
-            /*
-             * this is an unusual input, and we don't guarantee
-             * constant-timeness
-             */
-            if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
-                ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                goto err;
-            }
-            num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
-        } else {
-            num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
-        }
-        /* do the multiplication with generator precomputation */
-        batch_mul(x_out, y_out, z_out,
-                  (const felem_bytearray(*))secrets, num_points,
-                  g_secret,
-                  mixed, (const smallfelem(*)[17][3])pre_comp, g_pre_comp);
-    } else {
-        /* do the multiplication without generator precomputation */
-        batch_mul(x_out, y_out, z_out,
-                  (const felem_bytearray(*))secrets, num_points,
-                  NULL, mixed, (const smallfelem(*)[17][3])pre_comp, NULL);
-    }
-    /* reduce the output to its unique minimal representation */
-    felem_contract(x_in, x_out);
-    felem_contract(y_in, y_out);
-    felem_contract(z_in, z_out);
-    if ((!smallfelem_to_BN(x, x_in)) || (!smallfelem_to_BN(y, y_in)) ||
-        (!smallfelem_to_BN(z, z_in))) {
-        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-        goto err;
-    }
-    ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z,
-                                                             ctx);
-
- err:
-    BN_CTX_end(ctx);
-    EC_POINT_free(generator);
-    OPENSSL_free(secrets);
-    OPENSSL_free(pre_comp);
-    OPENSSL_free(tmp_smallfelems);
-    return ret;
-}
-
-int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
-{
-    int ret = 0;
-    NISTP256_PRE_COMP *pre = NULL;
-    int i, j;
-    BIGNUM *x, *y;
-    EC_POINT *generator = NULL;
-    smallfelem tmp_smallfelems[32];
-    felem x_tmp, y_tmp, z_tmp;
-#ifndef FIPS_MODULE
-    BN_CTX *new_ctx = NULL;
-#endif
-
-    /* throw away old precomputation */
-    EC_pre_comp_free(group);
-
-#ifndef FIPS_MODULE
-    if (ctx == NULL)
-        ctx = new_ctx = BN_CTX_new();
-#endif
-    if (ctx == NULL)
-        return 0;
-
-    BN_CTX_start(ctx);
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    if (y == NULL)
-        goto err;
-    /* get the generator */
-    if (group->generator == NULL)
-        goto err;
-    generator = EC_POINT_new(group);
-    if (generator == NULL)
-        goto err;
-    BN_bin2bn(nistp256_curve_params[3], sizeof(felem_bytearray), x);
-    BN_bin2bn(nistp256_curve_params[4], sizeof(felem_bytearray), y);
-    if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx))
-        goto err;
-    if ((pre = nistp256_pre_comp_new()) == NULL)
-        goto err;
-    /*
-     * if the generator is the standard one, use built-in precomputation
-     */
-    if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
-        memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
-        goto done;
-    }
-    if ((!BN_to_felem(x_tmp, group->generator->X)) ||
-        (!BN_to_felem(y_tmp, group->generator->Y)) ||
-        (!BN_to_felem(z_tmp, group->generator->Z)))
-        goto err;
-    felem_shrink(pre->g_pre_comp[0][1][0], x_tmp);
-    felem_shrink(pre->g_pre_comp[0][1][1], y_tmp);
-    felem_shrink(pre->g_pre_comp[0][1][2], z_tmp);
-    /*
-     * compute 2^64*G, 2^128*G, 2^192*G for the first table, 2^32*G, 2^96*G,
-     * 2^160*G, 2^224*G for the second one
-     */
-    for (i = 1; i <= 8; i <<= 1) {
-        point_double_small(pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1],
-                           pre->g_pre_comp[1][i][2], pre->g_pre_comp[0][i][0],
-                           pre->g_pre_comp[0][i][1],
-                           pre->g_pre_comp[0][i][2]);
-        for (j = 0; j < 31; ++j) {
-            point_double_small(pre->g_pre_comp[1][i][0],
-                               pre->g_pre_comp[1][i][1],
-                               pre->g_pre_comp[1][i][2],
-                               pre->g_pre_comp[1][i][0],
-                               pre->g_pre_comp[1][i][1],
-                               pre->g_pre_comp[1][i][2]);
-        }
-        if (i == 8)
-            break;
-        point_double_small(pre->g_pre_comp[0][2 * i][0],
-                           pre->g_pre_comp[0][2 * i][1],
-                           pre->g_pre_comp[0][2 * i][2],
-                           pre->g_pre_comp[1][i][0], pre->g_pre_comp[1][i][1],
-                           pre->g_pre_comp[1][i][2]);
-        for (j = 0; j < 31; ++j) {
-            point_double_small(pre->g_pre_comp[0][2 * i][0],
-                               pre->g_pre_comp[0][2 * i][1],
-                               pre->g_pre_comp[0][2 * i][2],
-                               pre->g_pre_comp[0][2 * i][0],
-                               pre->g_pre_comp[0][2 * i][1],
-                               pre->g_pre_comp[0][2 * i][2]);
-        }
-    }
-    for (i = 0; i < 2; i++) {
-        /* g_pre_comp[i][0] is the point at infinity */
-        memset(pre->g_pre_comp[i][0], 0, sizeof(pre->g_pre_comp[i][0]));
-        /* the remaining multiples */
-        /* 2^64*G + 2^128*G resp. 2^96*G + 2^160*G */
-        point_add_small(pre->g_pre_comp[i][6][0], pre->g_pre_comp[i][6][1],
-                        pre->g_pre_comp[i][6][2], pre->g_pre_comp[i][4][0],
-                        pre->g_pre_comp[i][4][1], pre->g_pre_comp[i][4][2],
-                        pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
-                        pre->g_pre_comp[i][2][2]);
-        /* 2^64*G + 2^192*G resp. 2^96*G + 2^224*G */
-        point_add_small(pre->g_pre_comp[i][10][0], pre->g_pre_comp[i][10][1],
-                        pre->g_pre_comp[i][10][2], pre->g_pre_comp[i][8][0],
-                        pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
-                        pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
-                        pre->g_pre_comp[i][2][2]);
-        /* 2^128*G + 2^192*G resp. 2^160*G + 2^224*G */
-        point_add_small(pre->g_pre_comp[i][12][0], pre->g_pre_comp[i][12][1],
-                        pre->g_pre_comp[i][12][2], pre->g_pre_comp[i][8][0],
-                        pre->g_pre_comp[i][8][1], pre->g_pre_comp[i][8][2],
-                        pre->g_pre_comp[i][4][0], pre->g_pre_comp[i][4][1],
-                        pre->g_pre_comp[i][4][2]);
-        /*
-         * 2^64*G + 2^128*G + 2^192*G resp. 2^96*G + 2^160*G + 2^224*G
-         */
-        point_add_small(pre->g_pre_comp[i][14][0], pre->g_pre_comp[i][14][1],
-                        pre->g_pre_comp[i][14][2], pre->g_pre_comp[i][12][0],
-                        pre->g_pre_comp[i][12][1], pre->g_pre_comp[i][12][2],
-                        pre->g_pre_comp[i][2][0], pre->g_pre_comp[i][2][1],
-                        pre->g_pre_comp[i][2][2]);
-        for (j = 1; j < 8; ++j) {
-            /* odd multiples: add G resp. 2^32*G */
-            point_add_small(pre->g_pre_comp[i][2 * j + 1][0],
-                            pre->g_pre_comp[i][2 * j + 1][1],
-                            pre->g_pre_comp[i][2 * j + 1][2],
-                            pre->g_pre_comp[i][2 * j][0],
-                            pre->g_pre_comp[i][2 * j][1],
-                            pre->g_pre_comp[i][2 * j][2],
-                            pre->g_pre_comp[i][1][0],
-                            pre->g_pre_comp[i][1][1],
-                            pre->g_pre_comp[i][1][2]);
-        }
-    }
-    make_points_affine(31, &(pre->g_pre_comp[0][1]), tmp_smallfelems);
-
- done:
-    SETPRECOMP(group, nistp256, pre);
-    pre = NULL;
-    ret = 1;
-
- err:
-    BN_CTX_end(ctx);
-    EC_POINT_free(generator);
-#ifndef FIPS_MODULE
-    BN_CTX_free(new_ctx);
-#endif
-    EC_nistp256_pre_comp_free(pre);
-    return ret;
-}
-
-int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group)
-{
-    return HAVEPRECOMP(group, nistp256);
-}

+ 0 - 2236
libs/openssl/crypto/ec/ecp_nistp521.c

@@ -1,2236 +0,0 @@
-/*
- * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* Copyright 2011 Google Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- *
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- */
-
-/*
- * ECDSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-/*
- * A 64-bit implementation of the NIST P-521 elliptic curve point multiplication
- *
- * OpenSSL integration was taken from Emilia Kasper's work in ecp_nistp224.c.
- * Otherwise based on Emilia's P224 work, which was inspired by my curve25519
- * work which got its smarts from Daniel J. Bernstein's work on the same.
- */
-
-#include <openssl/e_os2.h>
-
-#include <string.h>
-#include <openssl/err.h>
-#include "ec_local.h"
-
-#include "internal/numbers.h"
-
-#ifndef INT128_MAX
-# error "Your compiler doesn't appear to support 128-bit integer types"
-#endif
-
-typedef uint8_t u8;
-typedef uint64_t u64;
-
-/*
- * The underlying field. P521 operates over GF(2^521-1). We can serialize an
- * element of this field into 66 bytes where the most significant byte
- * contains only a single bit. We call this an felem_bytearray.
- */
-
-typedef u8 felem_bytearray[66];
-
-/*
- * These are the parameters of P521, taken from FIPS 186-3, section D.1.2.5.
- * These values are big-endian.
- */
-static const felem_bytearray nistp521_curve_params[5] = {
-    {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* p */
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff},
-    {0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* a = -3 */
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-     0xff, 0xfc},
-    {0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, /* b */
-     0x9a, 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85,
-     0x40, 0xee, 0xa2, 0xda, 0x72, 0x5b, 0x99, 0xb3,
-     0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1,
-     0x09, 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e,
-     0x93, 0x7b, 0x16, 0x52, 0xc0, 0xbd, 0x3b, 0xb1,
-     0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c,
-     0x34, 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50,
-     0x3f, 0x00},
-    {0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, /* x */
-     0xe9, 0xcd, 0x9e, 0x3e, 0xcb, 0x66, 0x23, 0x95,
-     0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f,
-     0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d,
-     0x3d, 0xba, 0xa1, 0x4b, 0x5e, 0x77, 0xef, 0xe7,
-     0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff,
-     0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a,
-     0x42, 0x9b, 0xf9, 0x7e, 0x7e, 0x31, 0xc2, 0xe5,
-     0xbd, 0x66},
-    {0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, /* y */
-     0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d,
-     0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b,
-     0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e,
-     0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4,
-     0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad,
-     0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72,
-     0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1,
-     0x66, 0x50}
-};
-
-/*-
- * The representation of field elements.
- * ------------------------------------
- *
- * We represent field elements with nine values. These values are either 64 or
- * 128 bits and the field element represented is:
- *   v[0]*2^0 + v[1]*2^58 + v[2]*2^116 + ... + v[8]*2^464  (mod p)
- * Each of the nine values is called a 'limb'. Since the limbs are spaced only
- * 58 bits apart, but are greater than 58 bits in length, the most significant
- * bits of each limb overlap with the least significant bits of the next.
- *
- * A field element with 64-bit limbs is an 'felem'. One with 128-bit limbs is a
- * 'largefelem' */
-
-#define NLIMBS 9
-
-typedef uint64_t limb;
-typedef limb limb_aX __attribute((__aligned__(1)));
-typedef limb felem[NLIMBS];
-typedef uint128_t largefelem[NLIMBS];
-
-static const limb bottom57bits = 0x1ffffffffffffff;
-static const limb bottom58bits = 0x3ffffffffffffff;
-
-/*
- * bin66_to_felem takes a little-endian byte array and converts it into felem
- * form. This assumes that the CPU is little-endian.
- */
-static void bin66_to_felem(felem out, const u8 in[66])
-{
-    out[0] = (*((limb *) & in[0])) & bottom58bits;
-    out[1] = (*((limb_aX *) & in[7]) >> 2) & bottom58bits;
-    out[2] = (*((limb_aX *) & in[14]) >> 4) & bottom58bits;
-    out[3] = (*((limb_aX *) & in[21]) >> 6) & bottom58bits;
-    out[4] = (*((limb_aX *) & in[29])) & bottom58bits;
-    out[5] = (*((limb_aX *) & in[36]) >> 2) & bottom58bits;
-    out[6] = (*((limb_aX *) & in[43]) >> 4) & bottom58bits;
-    out[7] = (*((limb_aX *) & in[50]) >> 6) & bottom58bits;
-    out[8] = (*((limb_aX *) & in[58])) & bottom57bits;
-}
-
-/*
- * felem_to_bin66 takes an felem and serializes into a little endian, 66 byte
- * array. This assumes that the CPU is little-endian.
- */
-static void felem_to_bin66(u8 out[66], const felem in)
-{
-    memset(out, 0, 66);
-    (*((limb *) & out[0])) = in[0];
-    (*((limb_aX *) & out[7])) |= in[1] << 2;
-    (*((limb_aX *) & out[14])) |= in[2] << 4;
-    (*((limb_aX *) & out[21])) |= in[3] << 6;
-    (*((limb_aX *) & out[29])) = in[4];
-    (*((limb_aX *) & out[36])) |= in[5] << 2;
-    (*((limb_aX *) & out[43])) |= in[6] << 4;
-    (*((limb_aX *) & out[50])) |= in[7] << 6;
-    (*((limb_aX *) & out[58])) = in[8];
-}
-
-/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
-static int BN_to_felem(felem out, const BIGNUM *bn)
-{
-    felem_bytearray b_out;
-    int num_bytes;
-
-    if (BN_is_negative(bn)) {
-        ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-        return 0;
-    }
-    num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out));
-    if (num_bytes < 0) {
-        ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE);
-        return 0;
-    }
-    bin66_to_felem(out, b_out);
-    return 1;
-}
-
-/* felem_to_BN converts an felem into an OpenSSL BIGNUM */
-static BIGNUM *felem_to_BN(BIGNUM *out, const felem in)
-{
-    felem_bytearray b_out;
-    felem_to_bin66(b_out, in);
-    return BN_lebin2bn(b_out, sizeof(b_out), out);
-}
-
-/*-
- * Field operations
- * ----------------
- */
-
-static void felem_one(felem out)
-{
-    out[0] = 1;
-    out[1] = 0;
-    out[2] = 0;
-    out[3] = 0;
-    out[4] = 0;
-    out[5] = 0;
-    out[6] = 0;
-    out[7] = 0;
-    out[8] = 0;
-}
-
-static void felem_assign(felem out, const felem in)
-{
-    out[0] = in[0];
-    out[1] = in[1];
-    out[2] = in[2];
-    out[3] = in[3];
-    out[4] = in[4];
-    out[5] = in[5];
-    out[6] = in[6];
-    out[7] = in[7];
-    out[8] = in[8];
-}
-
-/* felem_sum64 sets out = out + in. */
-static void felem_sum64(felem out, const felem in)
-{
-    out[0] += in[0];
-    out[1] += in[1];
-    out[2] += in[2];
-    out[3] += in[3];
-    out[4] += in[4];
-    out[5] += in[5];
-    out[6] += in[6];
-    out[7] += in[7];
-    out[8] += in[8];
-}
-
-/* felem_scalar sets out = in * scalar */
-static void felem_scalar(felem out, const felem in, limb scalar)
-{
-    out[0] = in[0] * scalar;
-    out[1] = in[1] * scalar;
-    out[2] = in[2] * scalar;
-    out[3] = in[3] * scalar;
-    out[4] = in[4] * scalar;
-    out[5] = in[5] * scalar;
-    out[6] = in[6] * scalar;
-    out[7] = in[7] * scalar;
-    out[8] = in[8] * scalar;
-}
-
-/* felem_scalar64 sets out = out * scalar */
-static void felem_scalar64(felem out, limb scalar)
-{
-    out[0] *= scalar;
-    out[1] *= scalar;
-    out[2] *= scalar;
-    out[3] *= scalar;
-    out[4] *= scalar;
-    out[5] *= scalar;
-    out[6] *= scalar;
-    out[7] *= scalar;
-    out[8] *= scalar;
-}
-
-/* felem_scalar128 sets out = out * scalar */
-static void felem_scalar128(largefelem out, limb scalar)
-{
-    out[0] *= scalar;
-    out[1] *= scalar;
-    out[2] *= scalar;
-    out[3] *= scalar;
-    out[4] *= scalar;
-    out[5] *= scalar;
-    out[6] *= scalar;
-    out[7] *= scalar;
-    out[8] *= scalar;
-}
-
-/*-
- * felem_neg sets |out| to |-in|
- * On entry:
- *   in[i] < 2^59 + 2^14
- * On exit:
- *   out[i] < 2^62
- */
-static void felem_neg(felem out, const felem in)
-{
-    /* In order to prevent underflow, we subtract from 0 mod p. */
-    static const limb two62m3 = (((limb) 1) << 62) - (((limb) 1) << 5);
-    static const limb two62m2 = (((limb) 1) << 62) - (((limb) 1) << 4);
-
-    out[0] = two62m3 - in[0];
-    out[1] = two62m2 - in[1];
-    out[2] = two62m2 - in[2];
-    out[3] = two62m2 - in[3];
-    out[4] = two62m2 - in[4];
-    out[5] = two62m2 - in[5];
-    out[6] = two62m2 - in[6];
-    out[7] = two62m2 - in[7];
-    out[8] = two62m2 - in[8];
-}
-
-/*-
- * felem_diff64 subtracts |in| from |out|
- * On entry:
- *   in[i] < 2^59 + 2^14
- * On exit:
- *   out[i] < out[i] + 2^62
- */
-static void felem_diff64(felem out, const felem in)
-{
-    /*
-     * In order to prevent underflow, we add 0 mod p before subtracting.
-     */
-    static const limb two62m3 = (((limb) 1) << 62) - (((limb) 1) << 5);
-    static const limb two62m2 = (((limb) 1) << 62) - (((limb) 1) << 4);
-
-    out[0] += two62m3 - in[0];
-    out[1] += two62m2 - in[1];
-    out[2] += two62m2 - in[2];
-    out[3] += two62m2 - in[3];
-    out[4] += two62m2 - in[4];
-    out[5] += two62m2 - in[5];
-    out[6] += two62m2 - in[6];
-    out[7] += two62m2 - in[7];
-    out[8] += two62m2 - in[8];
-}
-
-/*-
- * felem_diff_128_64 subtracts |in| from |out|
- * On entry:
- *   in[i] < 2^62 + 2^17
- * On exit:
- *   out[i] < out[i] + 2^63
- */
-static void felem_diff_128_64(largefelem out, const felem in)
-{
-    /*
-     * In order to prevent underflow, we add 64p mod p (which is equivalent
-     * to 0 mod p) before subtracting. p is 2^521 - 1, i.e. in binary a 521
-     * digit number with all bits set to 1. See "The representation of field
-     * elements" comment above for a description of how limbs are used to
-     * represent a number. 64p is represented with 8 limbs containing a number
-     * with 58 bits set and one limb with a number with 57 bits set.
-     */
-    static const limb two63m6 = (((limb) 1) << 63) - (((limb) 1) << 6);
-    static const limb two63m5 = (((limb) 1) << 63) - (((limb) 1) << 5);
-
-    out[0] += two63m6 - in[0];
-    out[1] += two63m5 - in[1];
-    out[2] += two63m5 - in[2];
-    out[3] += two63m5 - in[3];
-    out[4] += two63m5 - in[4];
-    out[5] += two63m5 - in[5];
-    out[6] += two63m5 - in[6];
-    out[7] += two63m5 - in[7];
-    out[8] += two63m5 - in[8];
-}
-
-/*-
- * felem_diff_128_64 subtracts |in| from |out|
- * On entry:
- *   in[i] < 2^126
- * On exit:
- *   out[i] < out[i] + 2^127 - 2^69
- */
-static void felem_diff128(largefelem out, const largefelem in)
-{
-    /*
-     * In order to prevent underflow, we add 0 mod p before subtracting.
-     */
-    static const uint128_t two127m70 =
-        (((uint128_t) 1) << 127) - (((uint128_t) 1) << 70);
-    static const uint128_t two127m69 =
-        (((uint128_t) 1) << 127) - (((uint128_t) 1) << 69);
-
-    out[0] += (two127m70 - in[0]);
-    out[1] += (two127m69 - in[1]);
-    out[2] += (two127m69 - in[2]);
-    out[3] += (two127m69 - in[3]);
-    out[4] += (two127m69 - in[4]);
-    out[5] += (two127m69 - in[5]);
-    out[6] += (two127m69 - in[6]);
-    out[7] += (two127m69 - in[7]);
-    out[8] += (two127m69 - in[8]);
-}
-
-/*-
- * felem_square sets |out| = |in|^2
- * On entry:
- *   in[i] < 2^62
- * On exit:
- *   out[i] < 17 * max(in[i]) * max(in[i])
- */
-static void felem_square_ref(largefelem out, const felem in)
-{
-    felem inx2, inx4;
-    felem_scalar(inx2, in, 2);
-    felem_scalar(inx4, in, 4);
-
-    /*-
-     * We have many cases were we want to do
-     *   in[x] * in[y] +
-     *   in[y] * in[x]
-     * This is obviously just
-     *   2 * in[x] * in[y]
-     * However, rather than do the doubling on the 128 bit result, we
-     * double one of the inputs to the multiplication by reading from
-     * |inx2|
-     */
-
-    out[0] = ((uint128_t) in[0]) * in[0];
-    out[1] = ((uint128_t) in[0]) * inx2[1];
-    out[2] = ((uint128_t) in[0]) * inx2[2] + ((uint128_t) in[1]) * in[1];
-    out[3] = ((uint128_t) in[0]) * inx2[3] + ((uint128_t) in[1]) * inx2[2];
-    out[4] = ((uint128_t) in[0]) * inx2[4] +
-             ((uint128_t) in[1]) * inx2[3] + ((uint128_t) in[2]) * in[2];
-    out[5] = ((uint128_t) in[0]) * inx2[5] +
-             ((uint128_t) in[1]) * inx2[4] + ((uint128_t) in[2]) * inx2[3];
-    out[6] = ((uint128_t) in[0]) * inx2[6] +
-             ((uint128_t) in[1]) * inx2[5] +
-             ((uint128_t) in[2]) * inx2[4] + ((uint128_t) in[3]) * in[3];
-    out[7] = ((uint128_t) in[0]) * inx2[7] +
-             ((uint128_t) in[1]) * inx2[6] +
-             ((uint128_t) in[2]) * inx2[5] + ((uint128_t) in[3]) * inx2[4];
-    out[8] = ((uint128_t) in[0]) * inx2[8] +
-             ((uint128_t) in[1]) * inx2[7] +
-             ((uint128_t) in[2]) * inx2[6] +
-             ((uint128_t) in[3]) * inx2[5] + ((uint128_t) in[4]) * in[4];
-
-    /*
-     * The remaining limbs fall above 2^521, with the first falling at 2^522.
-     * They correspond to locations one bit up from the limbs produced above
-     * so we would have to multiply by two to align them. Again, rather than
-     * operate on the 128-bit result, we double one of the inputs to the
-     * multiplication. If we want to double for both this reason, and the
-     * reason above, then we end up multiplying by four.
-     */
-
-    /* 9 */
-    out[0] += ((uint128_t) in[1]) * inx4[8] +
-              ((uint128_t) in[2]) * inx4[7] +
-              ((uint128_t) in[3]) * inx4[6] + ((uint128_t) in[4]) * inx4[5];
-
-    /* 10 */
-    out[1] += ((uint128_t) in[2]) * inx4[8] +
-              ((uint128_t) in[3]) * inx4[7] +
-              ((uint128_t) in[4]) * inx4[6] + ((uint128_t) in[5]) * inx2[5];
-
-    /* 11 */
-    out[2] += ((uint128_t) in[3]) * inx4[8] +
-              ((uint128_t) in[4]) * inx4[7] + ((uint128_t) in[5]) * inx4[6];
-
-    /* 12 */
-    out[3] += ((uint128_t) in[4]) * inx4[8] +
-              ((uint128_t) in[5]) * inx4[7] + ((uint128_t) in[6]) * inx2[6];
-
-    /* 13 */
-    out[4] += ((uint128_t) in[5]) * inx4[8] + ((uint128_t) in[6]) * inx4[7];
-
-    /* 14 */
-    out[5] += ((uint128_t) in[6]) * inx4[8] + ((uint128_t) in[7]) * inx2[7];
-
-    /* 15 */
-    out[6] += ((uint128_t) in[7]) * inx4[8];
-
-    /* 16 */
-    out[7] += ((uint128_t) in[8]) * inx2[8];
-}
-
-/*-
- * felem_mul sets |out| = |in1| * |in2|
- * On entry:
- *   in1[i] < 2^64
- *   in2[i] < 2^63
- * On exit:
- *   out[i] < 17 * max(in1[i]) * max(in2[i])
- */
-static void felem_mul_ref(largefelem out, const felem in1, const felem in2)
-{
-    felem in2x2;
-    felem_scalar(in2x2, in2, 2);
-
-    out[0] = ((uint128_t) in1[0]) * in2[0];
-
-    out[1] = ((uint128_t) in1[0]) * in2[1] +
-             ((uint128_t) in1[1]) * in2[0];
-
-    out[2] = ((uint128_t) in1[0]) * in2[2] +
-             ((uint128_t) in1[1]) * in2[1] +
-             ((uint128_t) in1[2]) * in2[0];
-
-    out[3] = ((uint128_t) in1[0]) * in2[3] +
-             ((uint128_t) in1[1]) * in2[2] +
-             ((uint128_t) in1[2]) * in2[1] +
-             ((uint128_t) in1[3]) * in2[0];
-
-    out[4] = ((uint128_t) in1[0]) * in2[4] +
-             ((uint128_t) in1[1]) * in2[3] +
-             ((uint128_t) in1[2]) * in2[2] +
-             ((uint128_t) in1[3]) * in2[1] +
-             ((uint128_t) in1[4]) * in2[0];
-
-    out[5] = ((uint128_t) in1[0]) * in2[5] +
-             ((uint128_t) in1[1]) * in2[4] +
-             ((uint128_t) in1[2]) * in2[3] +
-             ((uint128_t) in1[3]) * in2[2] +
-             ((uint128_t) in1[4]) * in2[1] +
-             ((uint128_t) in1[5]) * in2[0];
-
-    out[6] = ((uint128_t) in1[0]) * in2[6] +
-             ((uint128_t) in1[1]) * in2[5] +
-             ((uint128_t) in1[2]) * in2[4] +
-             ((uint128_t) in1[3]) * in2[3] +
-             ((uint128_t) in1[4]) * in2[2] +
-             ((uint128_t) in1[5]) * in2[1] +
-             ((uint128_t) in1[6]) * in2[0];
-
-    out[7] = ((uint128_t) in1[0]) * in2[7] +
-             ((uint128_t) in1[1]) * in2[6] +
-             ((uint128_t) in1[2]) * in2[5] +
-             ((uint128_t) in1[3]) * in2[4] +
-             ((uint128_t) in1[4]) * in2[3] +
-             ((uint128_t) in1[5]) * in2[2] +
-             ((uint128_t) in1[6]) * in2[1] +
-             ((uint128_t) in1[7]) * in2[0];
-
-    out[8] = ((uint128_t) in1[0]) * in2[8] +
-             ((uint128_t) in1[1]) * in2[7] +
-             ((uint128_t) in1[2]) * in2[6] +
-             ((uint128_t) in1[3]) * in2[5] +
-             ((uint128_t) in1[4]) * in2[4] +
-             ((uint128_t) in1[5]) * in2[3] +
-             ((uint128_t) in1[6]) * in2[2] +
-             ((uint128_t) in1[7]) * in2[1] +
-             ((uint128_t) in1[8]) * in2[0];
-
-    /* See comment in felem_square about the use of in2x2 here */
-
-    out[0] += ((uint128_t) in1[1]) * in2x2[8] +
-              ((uint128_t) in1[2]) * in2x2[7] +
-              ((uint128_t) in1[3]) * in2x2[6] +
-              ((uint128_t) in1[4]) * in2x2[5] +
-              ((uint128_t) in1[5]) * in2x2[4] +
-              ((uint128_t) in1[6]) * in2x2[3] +
-              ((uint128_t) in1[7]) * in2x2[2] +
-              ((uint128_t) in1[8]) * in2x2[1];
-
-    out[1] += ((uint128_t) in1[2]) * in2x2[8] +
-              ((uint128_t) in1[3]) * in2x2[7] +
-              ((uint128_t) in1[4]) * in2x2[6] +
-              ((uint128_t) in1[5]) * in2x2[5] +
-              ((uint128_t) in1[6]) * in2x2[4] +
-              ((uint128_t) in1[7]) * in2x2[3] +
-              ((uint128_t) in1[8]) * in2x2[2];
-
-    out[2] += ((uint128_t) in1[3]) * in2x2[8] +
-              ((uint128_t) in1[4]) * in2x2[7] +
-              ((uint128_t) in1[5]) * in2x2[6] +
-              ((uint128_t) in1[6]) * in2x2[5] +
-              ((uint128_t) in1[7]) * in2x2[4] +
-              ((uint128_t) in1[8]) * in2x2[3];
-
-    out[3] += ((uint128_t) in1[4]) * in2x2[8] +
-              ((uint128_t) in1[5]) * in2x2[7] +
-              ((uint128_t) in1[6]) * in2x2[6] +
-              ((uint128_t) in1[7]) * in2x2[5] +
-              ((uint128_t) in1[8]) * in2x2[4];
-
-    out[4] += ((uint128_t) in1[5]) * in2x2[8] +
-              ((uint128_t) in1[6]) * in2x2[7] +
-              ((uint128_t) in1[7]) * in2x2[6] +
-              ((uint128_t) in1[8]) * in2x2[5];
-
-    out[5] += ((uint128_t) in1[6]) * in2x2[8] +
-              ((uint128_t) in1[7]) * in2x2[7] +
-              ((uint128_t) in1[8]) * in2x2[6];
-
-    out[6] += ((uint128_t) in1[7]) * in2x2[8] +
-              ((uint128_t) in1[8]) * in2x2[7];
-
-    out[7] += ((uint128_t) in1[8]) * in2x2[8];
-}
-
-static const limb bottom52bits = 0xfffffffffffff;
-
-/*-
- * felem_reduce converts a largefelem to an felem.
- * On entry:
- *   in[i] < 2^128
- * On exit:
- *   out[i] < 2^59 + 2^14
- */
-static void felem_reduce(felem out, const largefelem in)
-{
-    u64 overflow1, overflow2;
-
-    out[0] = ((limb) in[0]) & bottom58bits;
-    out[1] = ((limb) in[1]) & bottom58bits;
-    out[2] = ((limb) in[2]) & bottom58bits;
-    out[3] = ((limb) in[3]) & bottom58bits;
-    out[4] = ((limb) in[4]) & bottom58bits;
-    out[5] = ((limb) in[5]) & bottom58bits;
-    out[6] = ((limb) in[6]) & bottom58bits;
-    out[7] = ((limb) in[7]) & bottom58bits;
-    out[8] = ((limb) in[8]) & bottom58bits;
-
-    /* out[i] < 2^58 */
-
-    out[1] += ((limb) in[0]) >> 58;
-    out[1] += (((limb) (in[0] >> 64)) & bottom52bits) << 6;
-    /*-
-     * out[1] < 2^58 + 2^6 + 2^58
-     *        = 2^59 + 2^6
-     */
-    out[2] += ((limb) (in[0] >> 64)) >> 52;
-
-    out[2] += ((limb) in[1]) >> 58;
-    out[2] += (((limb) (in[1] >> 64)) & bottom52bits) << 6;
-    out[3] += ((limb) (in[1] >> 64)) >> 52;
-
-    out[3] += ((limb) in[2]) >> 58;
-    out[3] += (((limb) (in[2] >> 64)) & bottom52bits) << 6;
-    out[4] += ((limb) (in[2] >> 64)) >> 52;
-
-    out[4] += ((limb) in[3]) >> 58;
-    out[4] += (((limb) (in[3] >> 64)) & bottom52bits) << 6;
-    out[5] += ((limb) (in[3] >> 64)) >> 52;
-
-    out[5] += ((limb) in[4]) >> 58;
-    out[5] += (((limb) (in[4] >> 64)) & bottom52bits) << 6;
-    out[6] += ((limb) (in[4] >> 64)) >> 52;
-
-    out[6] += ((limb) in[5]) >> 58;
-    out[6] += (((limb) (in[5] >> 64)) & bottom52bits) << 6;
-    out[7] += ((limb) (in[5] >> 64)) >> 52;
-
-    out[7] += ((limb) in[6]) >> 58;
-    out[7] += (((limb) (in[6] >> 64)) & bottom52bits) << 6;
-    out[8] += ((limb) (in[6] >> 64)) >> 52;
-
-    out[8] += ((limb) in[7]) >> 58;
-    out[8] += (((limb) (in[7] >> 64)) & bottom52bits) << 6;
-    /*-
-     * out[x > 1] < 2^58 + 2^6 + 2^58 + 2^12
-     *            < 2^59 + 2^13
-     */
-    overflow1 = ((limb) (in[7] >> 64)) >> 52;
-
-    overflow1 += ((limb) in[8]) >> 58;
-    overflow1 += (((limb) (in[8] >> 64)) & bottom52bits) << 6;
-    overflow2 = ((limb) (in[8] >> 64)) >> 52;
-
-    overflow1 <<= 1;            /* overflow1 < 2^13 + 2^7 + 2^59 */
-    overflow2 <<= 1;            /* overflow2 < 2^13 */
-
-    out[0] += overflow1;        /* out[0] < 2^60 */
-    out[1] += overflow2;        /* out[1] < 2^59 + 2^6 + 2^13 */
-
-    out[1] += out[0] >> 58;
-    out[0] &= bottom58bits;
-    /*-
-     * out[0] < 2^58
-     * out[1] < 2^59 + 2^6 + 2^13 + 2^2
-     *        < 2^59 + 2^14
-     */
-}
-
-#if defined(ECP_NISTP521_ASM)
-void felem_square_wrapper(largefelem out, const felem in);
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
-
-static void (*felem_square_p)(largefelem out, const felem in) =
-    felem_square_wrapper;
-static void (*felem_mul_p)(largefelem out, const felem in1, const felem in2) =
-    felem_mul_wrapper;
-
-void p521_felem_square(largefelem out, const felem in);
-void p521_felem_mul(largefelem out, const felem in1, const felem in2);
-
-# if defined(_ARCH_PPC64)
-#  include "crypto/ppc_arch.h"
-# endif
-
-void felem_select(void)
-{
-# if defined(_ARCH_PPC64)
-    if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
-        felem_square_p = p521_felem_square;
-        felem_mul_p = p521_felem_mul;
-
-        return;
-    }
-# endif
-
-    /* Default */
-    felem_square_p = felem_square_ref;
-    felem_mul_p = felem_mul_ref;
-}
-
-void felem_square_wrapper(largefelem out, const felem in)
-{
-    felem_select();
-    felem_square_p(out, in);
-}
-
-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
-{
-    felem_select();
-    felem_mul_p(out, in1, in2);
-}
-
-# define felem_square felem_square_p
-# define felem_mul felem_mul_p
-#else
-# define felem_square felem_square_ref
-# define felem_mul felem_mul_ref
-#endif
-
-static void felem_square_reduce(felem out, const felem in)
-{
-    largefelem tmp;
-    felem_square(tmp, in);
-    felem_reduce(out, tmp);
-}
-
-static void felem_mul_reduce(felem out, const felem in1, const felem in2)
-{
-    largefelem tmp;
-    felem_mul(tmp, in1, in2);
-    felem_reduce(out, tmp);
-}
-
-/*-
- * felem_inv calculates |out| = |in|^{-1}
- *
- * Based on Fermat's Little Theorem:
- *   a^p = a (mod p)
- *   a^{p-1} = 1 (mod p)
- *   a^{p-2} = a^{-1} (mod p)
- */
-static void felem_inv(felem out, const felem in)
-{
-    felem ftmp, ftmp2, ftmp3, ftmp4;
-    largefelem tmp;
-    unsigned i;
-
-    felem_square(tmp, in);
-    felem_reduce(ftmp, tmp);    /* 2^1 */
-    felem_mul(tmp, in, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^2 - 2^0 */
-    felem_assign(ftmp2, ftmp);
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^3 - 2^1 */
-    felem_mul(tmp, in, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^3 - 2^0 */
-    felem_square(tmp, ftmp);
-    felem_reduce(ftmp, tmp);    /* 2^4 - 2^1 */
-
-    felem_square(tmp, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^3 - 2^1 */
-    felem_square(tmp, ftmp3);
-    felem_reduce(ftmp3, tmp);   /* 2^4 - 2^2 */
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^4 - 2^0 */
-
-    felem_assign(ftmp2, ftmp3);
-    felem_square(tmp, ftmp3);
-    felem_reduce(ftmp3, tmp);   /* 2^5 - 2^1 */
-    felem_square(tmp, ftmp3);
-    felem_reduce(ftmp3, tmp);   /* 2^6 - 2^2 */
-    felem_square(tmp, ftmp3);
-    felem_reduce(ftmp3, tmp);   /* 2^7 - 2^3 */
-    felem_square(tmp, ftmp3);
-    felem_reduce(ftmp3, tmp);   /* 2^8 - 2^4 */
-    felem_mul(tmp, ftmp3, ftmp);
-    felem_reduce(ftmp4, tmp);   /* 2^8 - 2^1 */
-    felem_square(tmp, ftmp4);
-    felem_reduce(ftmp4, tmp);   /* 2^9 - 2^2 */
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^8 - 2^0 */
-    felem_assign(ftmp2, ftmp3);
-
-    for (i = 0; i < 8; i++) {
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp); /* 2^16 - 2^8 */
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^16 - 2^0 */
-    felem_assign(ftmp2, ftmp3);
-
-    for (i = 0; i < 16; i++) {
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp); /* 2^32 - 2^16 */
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^32 - 2^0 */
-    felem_assign(ftmp2, ftmp3);
-
-    for (i = 0; i < 32; i++) {
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp); /* 2^64 - 2^32 */
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^64 - 2^0 */
-    felem_assign(ftmp2, ftmp3);
-
-    for (i = 0; i < 64; i++) {
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp); /* 2^128 - 2^64 */
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^128 - 2^0 */
-    felem_assign(ftmp2, ftmp3);
-
-    for (i = 0; i < 128; i++) {
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp); /* 2^256 - 2^128 */
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^256 - 2^0 */
-    felem_assign(ftmp2, ftmp3);
-
-    for (i = 0; i < 256; i++) {
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp); /* 2^512 - 2^256 */
-    }
-    felem_mul(tmp, ftmp3, ftmp2);
-    felem_reduce(ftmp3, tmp);   /* 2^512 - 2^0 */
-
-    for (i = 0; i < 9; i++) {
-        felem_square(tmp, ftmp3);
-        felem_reduce(ftmp3, tmp); /* 2^521 - 2^9 */
-    }
-    felem_mul(tmp, ftmp3, ftmp4);
-    felem_reduce(ftmp3, tmp);   /* 2^512 - 2^2 */
-    felem_mul(tmp, ftmp3, in);
-    felem_reduce(out, tmp);     /* 2^512 - 3 */
-}
-
-/* This is 2^521-1, expressed as an felem */
-static const felem kPrime = {
-    0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
-    0x03ffffffffffffff, 0x03ffffffffffffff, 0x03ffffffffffffff,
-    0x03ffffffffffffff, 0x03ffffffffffffff, 0x01ffffffffffffff
-};
-
-/*-
- * felem_is_zero returns a limb with all bits set if |in| == 0 (mod p) and 0
- * otherwise.
- * On entry:
- *   in[i] < 2^59 + 2^14
- */
-static limb felem_is_zero(const felem in)
-{
-    felem ftmp;
-    limb is_zero, is_p;
-    felem_assign(ftmp, in);
-
-    ftmp[0] += ftmp[8] >> 57;
-    ftmp[8] &= bottom57bits;
-    /* ftmp[8] < 2^57 */
-    ftmp[1] += ftmp[0] >> 58;
-    ftmp[0] &= bottom58bits;
-    ftmp[2] += ftmp[1] >> 58;
-    ftmp[1] &= bottom58bits;
-    ftmp[3] += ftmp[2] >> 58;
-    ftmp[2] &= bottom58bits;
-    ftmp[4] += ftmp[3] >> 58;
-    ftmp[3] &= bottom58bits;
-    ftmp[5] += ftmp[4] >> 58;
-    ftmp[4] &= bottom58bits;
-    ftmp[6] += ftmp[5] >> 58;
-    ftmp[5] &= bottom58bits;
-    ftmp[7] += ftmp[6] >> 58;
-    ftmp[6] &= bottom58bits;
-    ftmp[8] += ftmp[7] >> 58;
-    ftmp[7] &= bottom58bits;
-    /* ftmp[8] < 2^57 + 4 */
-
-    /*
-     * The ninth limb of 2*(2^521-1) is 0x03ffffffffffffff, which is greater
-     * than our bound for ftmp[8]. Therefore we only have to check if the
-     * zero is zero or 2^521-1.
-     */
-
-    is_zero = 0;
-    is_zero |= ftmp[0];
-    is_zero |= ftmp[1];
-    is_zero |= ftmp[2];
-    is_zero |= ftmp[3];
-    is_zero |= ftmp[4];
-    is_zero |= ftmp[5];
-    is_zero |= ftmp[6];
-    is_zero |= ftmp[7];
-    is_zero |= ftmp[8];
-
-    is_zero--;
-    /*
-     * We know that ftmp[i] < 2^63, therefore the only way that the top bit
-     * can be set is if is_zero was 0 before the decrement.
-     */
-    is_zero = 0 - (is_zero >> 63);
-
-    is_p = ftmp[0] ^ kPrime[0];
-    is_p |= ftmp[1] ^ kPrime[1];
-    is_p |= ftmp[2] ^ kPrime[2];
-    is_p |= ftmp[3] ^ kPrime[3];
-    is_p |= ftmp[4] ^ kPrime[4];
-    is_p |= ftmp[5] ^ kPrime[5];
-    is_p |= ftmp[6] ^ kPrime[6];
-    is_p |= ftmp[7] ^ kPrime[7];
-    is_p |= ftmp[8] ^ kPrime[8];
-
-    is_p--;
-    is_p = 0 - (is_p >> 63);
-
-    is_zero |= is_p;
-    return is_zero;
-}
-
-static int felem_is_zero_int(const void *in)
-{
-    return (int)(felem_is_zero(in) & ((limb) 1));
-}
-
-/*-
- * felem_contract converts |in| to its unique, minimal representation.
- * On entry:
- *   in[i] < 2^59 + 2^14
- */
-static void felem_contract(felem out, const felem in)
-{
-    limb is_p, is_greater, sign;
-    static const limb two58 = ((limb) 1) << 58;
-
-    felem_assign(out, in);
-
-    out[0] += out[8] >> 57;
-    out[8] &= bottom57bits;
-    /* out[8] < 2^57 */
-    out[1] += out[0] >> 58;
-    out[0] &= bottom58bits;
-    out[2] += out[1] >> 58;
-    out[1] &= bottom58bits;
-    out[3] += out[2] >> 58;
-    out[2] &= bottom58bits;
-    out[4] += out[3] >> 58;
-    out[3] &= bottom58bits;
-    out[5] += out[4] >> 58;
-    out[4] &= bottom58bits;
-    out[6] += out[5] >> 58;
-    out[5] &= bottom58bits;
-    out[7] += out[6] >> 58;
-    out[6] &= bottom58bits;
-    out[8] += out[7] >> 58;
-    out[7] &= bottom58bits;
-    /* out[8] < 2^57 + 4 */
-
-    /*
-     * If the value is greater than 2^521-1 then we have to subtract 2^521-1
-     * out. See the comments in felem_is_zero regarding why we don't test for
-     * other multiples of the prime.
-     */
-
-    /*
-     * First, if |out| is equal to 2^521-1, we subtract it out to get zero.
-     */
-
-    is_p = out[0] ^ kPrime[0];
-    is_p |= out[1] ^ kPrime[1];
-    is_p |= out[2] ^ kPrime[2];
-    is_p |= out[3] ^ kPrime[3];
-    is_p |= out[4] ^ kPrime[4];
-    is_p |= out[5] ^ kPrime[5];
-    is_p |= out[6] ^ kPrime[6];
-    is_p |= out[7] ^ kPrime[7];
-    is_p |= out[8] ^ kPrime[8];
-
-    is_p--;
-    is_p &= is_p << 32;
-    is_p &= is_p << 16;
-    is_p &= is_p << 8;
-    is_p &= is_p << 4;
-    is_p &= is_p << 2;
-    is_p &= is_p << 1;
-    is_p = 0 - (is_p >> 63);
-    is_p = ~is_p;
-
-    /* is_p is 0 iff |out| == 2^521-1 and all ones otherwise */
-
-    out[0] &= is_p;
-    out[1] &= is_p;
-    out[2] &= is_p;
-    out[3] &= is_p;
-    out[4] &= is_p;
-    out[5] &= is_p;
-    out[6] &= is_p;
-    out[7] &= is_p;
-    out[8] &= is_p;
-
-    /*
-     * In order to test that |out| >= 2^521-1 we need only test if out[8] >>
-     * 57 is greater than zero as (2^521-1) + x >= 2^522
-     */
-    is_greater = out[8] >> 57;
-    is_greater |= is_greater << 32;
-    is_greater |= is_greater << 16;
-    is_greater |= is_greater << 8;
-    is_greater |= is_greater << 4;
-    is_greater |= is_greater << 2;
-    is_greater |= is_greater << 1;
-    is_greater = 0 - (is_greater >> 63);
-
-    out[0] -= kPrime[0] & is_greater;
-    out[1] -= kPrime[1] & is_greater;
-    out[2] -= kPrime[2] & is_greater;
-    out[3] -= kPrime[3] & is_greater;
-    out[4] -= kPrime[4] & is_greater;
-    out[5] -= kPrime[5] & is_greater;
-    out[6] -= kPrime[6] & is_greater;
-    out[7] -= kPrime[7] & is_greater;
-    out[8] -= kPrime[8] & is_greater;
-
-    /* Eliminate negative coefficients */
-    sign = -(out[0] >> 63);
-    out[0] += (two58 & sign);
-    out[1] -= (1 & sign);
-    sign = -(out[1] >> 63);
-    out[1] += (two58 & sign);
-    out[2] -= (1 & sign);
-    sign = -(out[2] >> 63);
-    out[2] += (two58 & sign);
-    out[3] -= (1 & sign);
-    sign = -(out[3] >> 63);
-    out[3] += (two58 & sign);
-    out[4] -= (1 & sign);
-    sign = -(out[4] >> 63);
-    out[4] += (two58 & sign);
-    out[5] -= (1 & sign);
-    sign = -(out[0] >> 63);
-    out[5] += (two58 & sign);
-    out[6] -= (1 & sign);
-    sign = -(out[6] >> 63);
-    out[6] += (two58 & sign);
-    out[7] -= (1 & sign);
-    sign = -(out[7] >> 63);
-    out[7] += (two58 & sign);
-    out[8] -= (1 & sign);
-    sign = -(out[5] >> 63);
-    out[5] += (two58 & sign);
-    out[6] -= (1 & sign);
-    sign = -(out[6] >> 63);
-    out[6] += (two58 & sign);
-    out[7] -= (1 & sign);
-    sign = -(out[7] >> 63);
-    out[7] += (two58 & sign);
-    out[8] -= (1 & sign);
-}
-
-/*-
- * Group operations
- * ----------------
- *
- * Building on top of the field operations we have the operations on the
- * elliptic curve group itself. Points on the curve are represented in Jacobian
- * coordinates */
-
-/*-
- * point_double calculates 2*(x_in, y_in, z_in)
- *
- * The method is taken from:
- *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b
- *
- * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed.
- * while x_out == y_in is not (maybe this works, but it's not tested). */
-static void
-point_double(felem x_out, felem y_out, felem z_out,
-             const felem x_in, const felem y_in, const felem z_in)
-{
-    largefelem tmp, tmp2;
-    felem delta, gamma, beta, alpha, ftmp, ftmp2;
-
-    felem_assign(ftmp, x_in);
-    felem_assign(ftmp2, x_in);
-
-    /* delta = z^2 */
-    felem_square(tmp, z_in);
-    felem_reduce(delta, tmp);   /* delta[i] < 2^59 + 2^14 */
-
-    /* gamma = y^2 */
-    felem_square(tmp, y_in);
-    felem_reduce(gamma, tmp);   /* gamma[i] < 2^59 + 2^14 */
-
-    /* beta = x*gamma */
-    felem_mul(tmp, x_in, gamma);
-    felem_reduce(beta, tmp);    /* beta[i] < 2^59 + 2^14 */
-
-    /* alpha = 3*(x-delta)*(x+delta) */
-    felem_diff64(ftmp, delta);
-    /* ftmp[i] < 2^61 */
-    felem_sum64(ftmp2, delta);
-    /* ftmp2[i] < 2^60 + 2^15 */
-    felem_scalar64(ftmp2, 3);
-    /* ftmp2[i] < 3*2^60 + 3*2^15 */
-    felem_mul(tmp, ftmp, ftmp2);
-    /*-
-     * tmp[i] < 17(3*2^121 + 3*2^76)
-     *        = 61*2^121 + 61*2^76
-     *        < 64*2^121 + 64*2^76
-     *        = 2^127 + 2^82
-     *        < 2^128
-     */
-    felem_reduce(alpha, tmp);
-
-    /* x' = alpha^2 - 8*beta */
-    felem_square(tmp, alpha);
-    /*
-     * tmp[i] < 17*2^120 < 2^125
-     */
-    felem_assign(ftmp, beta);
-    felem_scalar64(ftmp, 8);
-    /* ftmp[i] < 2^62 + 2^17 */
-    felem_diff_128_64(tmp, ftmp);
-    /* tmp[i] < 2^125 + 2^63 + 2^62 + 2^17 */
-    felem_reduce(x_out, tmp);
-
-    /* z' = (y + z)^2 - gamma - delta */
-    felem_sum64(delta, gamma);
-    /* delta[i] < 2^60 + 2^15 */
-    felem_assign(ftmp, y_in);
-    felem_sum64(ftmp, z_in);
-    /* ftmp[i] < 2^60 + 2^15 */
-    felem_square(tmp, ftmp);
-    /*
-     * tmp[i] < 17(2^122) < 2^127
-     */
-    felem_diff_128_64(tmp, delta);
-    /* tmp[i] < 2^127 + 2^63 */
-    felem_reduce(z_out, tmp);
-
-    /* y' = alpha*(4*beta - x') - 8*gamma^2 */
-    felem_scalar64(beta, 4);
-    /* beta[i] < 2^61 + 2^16 */
-    felem_diff64(beta, x_out);
-    /* beta[i] < 2^61 + 2^60 + 2^16 */
-    felem_mul(tmp, alpha, beta);
-    /*-
-     * tmp[i] < 17*((2^59 + 2^14)(2^61 + 2^60 + 2^16))
-     *        = 17*(2^120 + 2^75 + 2^119 + 2^74 + 2^75 + 2^30)
-     *        = 17*(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
-     *        < 2^128
-     */
-    felem_square(tmp2, gamma);
-    /*-
-     * tmp2[i] < 17*(2^59 + 2^14)^2
-     *         = 17*(2^118 + 2^74 + 2^28)
-     */
-    felem_scalar128(tmp2, 8);
-    /*-
-     * tmp2[i] < 8*17*(2^118 + 2^74 + 2^28)
-     *         = 2^125 + 2^121 + 2^81 + 2^77 + 2^35 + 2^31
-     *         < 2^126
-     */
-    felem_diff128(tmp, tmp2);
-    /*-
-     * tmp[i] < 2^127 - 2^69 + 17(2^120 + 2^119 + 2^76 + 2^74 + 2^30)
-     *        = 2^127 + 2^124 + 2^122 + 2^120 + 2^118 + 2^80 + 2^78 + 2^76 +
-     *          2^74 + 2^69 + 2^34 + 2^30
-     *        < 2^128
-     */
-    felem_reduce(y_out, tmp);
-}
-
-/* copy_conditional copies in to out iff mask is all ones. */
-static void copy_conditional(felem out, const felem in, limb mask)
-{
-    unsigned i;
-    for (i = 0; i < NLIMBS; ++i) {
-        const limb tmp = mask & (in[i] ^ out[i]);
-        out[i] ^= tmp;
-    }
-}
-
-/*-
- * point_add calculates (x1, y1, z1) + (x2, y2, z2)
- *
- * The method is taken from
- *   http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl,
- * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity).
- *
- * This function includes a branch for checking whether the two input points
- * are equal (while not equal to the point at infinity). See comment below
- * on constant-time.
- */
-static void point_add(felem x3, felem y3, felem z3,
-                      const felem x1, const felem y1, const felem z1,
-                      const int mixed, const felem x2, const felem y2,
-                      const felem z2)
-{
-    felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out;
-    largefelem tmp, tmp2;
-    limb x_equal, y_equal, z1_is_zero, z2_is_zero;
-    limb points_equal;
-
-    z1_is_zero = felem_is_zero(z1);
-    z2_is_zero = felem_is_zero(z2);
-
-    /* ftmp = z1z1 = z1**2 */
-    felem_square(tmp, z1);
-    felem_reduce(ftmp, tmp);
-
-    if (!mixed) {
-        /* ftmp2 = z2z2 = z2**2 */
-        felem_square(tmp, z2);
-        felem_reduce(ftmp2, tmp);
-
-        /* u1 = ftmp3 = x1*z2z2 */
-        felem_mul(tmp, x1, ftmp2);
-        felem_reduce(ftmp3, tmp);
-
-        /* ftmp5 = z1 + z2 */
-        felem_assign(ftmp5, z1);
-        felem_sum64(ftmp5, z2);
-        /* ftmp5[i] < 2^61 */
-
-        /* ftmp5 = (z1 + z2)**2 - z1z1 - z2z2 = 2*z1z2 */
-        felem_square(tmp, ftmp5);
-        /* tmp[i] < 17*2^122 */
-        felem_diff_128_64(tmp, ftmp);
-        /* tmp[i] < 17*2^122 + 2^63 */
-        felem_diff_128_64(tmp, ftmp2);
-        /* tmp[i] < 17*2^122 + 2^64 */
-        felem_reduce(ftmp5, tmp);
-
-        /* ftmp2 = z2 * z2z2 */
-        felem_mul(tmp, ftmp2, z2);
-        felem_reduce(ftmp2, tmp);
-
-        /* s1 = ftmp6 = y1 * z2**3 */
-        felem_mul(tmp, y1, ftmp2);
-        felem_reduce(ftmp6, tmp);
-    } else {
-        /*
-         * We'll assume z2 = 1 (special case z2 = 0 is handled later)
-         */
-
-        /* u1 = ftmp3 = x1*z2z2 */
-        felem_assign(ftmp3, x1);
-
-        /* ftmp5 = 2*z1z2 */
-        felem_scalar(ftmp5, z1, 2);
-
-        /* s1 = ftmp6 = y1 * z2**3 */
-        felem_assign(ftmp6, y1);
-    }
-
-    /* u2 = x2*z1z1 */
-    felem_mul(tmp, x2, ftmp);
-    /* tmp[i] < 17*2^120 */
-
-    /* h = ftmp4 = u2 - u1 */
-    felem_diff_128_64(tmp, ftmp3);
-    /* tmp[i] < 17*2^120 + 2^63 */
-    felem_reduce(ftmp4, tmp);
-
-    x_equal = felem_is_zero(ftmp4);
-
-    /* z_out = ftmp5 * h */
-    felem_mul(tmp, ftmp5, ftmp4);
-    felem_reduce(z_out, tmp);
-
-    /* ftmp = z1 * z1z1 */
-    felem_mul(tmp, ftmp, z1);
-    felem_reduce(ftmp, tmp);
-
-    /* s2 = tmp = y2 * z1**3 */
-    felem_mul(tmp, y2, ftmp);
-    /* tmp[i] < 17*2^120 */
-
-    /* r = ftmp5 = (s2 - s1)*2 */
-    felem_diff_128_64(tmp, ftmp6);
-    /* tmp[i] < 17*2^120 + 2^63 */
-    felem_reduce(ftmp5, tmp);
-    y_equal = felem_is_zero(ftmp5);
-    felem_scalar64(ftmp5, 2);
-    /* ftmp5[i] < 2^61 */
-
-    /*
-     * The formulae are incorrect if the points are equal, in affine coordinates
-     * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this
-     * happens.
-     *
-     * We use bitwise operations to avoid potential side-channels introduced by
-     * the short-circuiting behaviour of boolean operators.
-     *
-     * The special case of either point being the point at infinity (z1 and/or
-     * z2 are zero), is handled separately later on in this function, so we
-     * avoid jumping to point_double here in those special cases.
-     *
-     * Notice the comment below on the implications of this branching for timing
-     * leaks and why it is considered practically irrelevant.
-     */
-    points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero));
-
-    if (points_equal) {
-        /*
-         * This is obviously not constant-time but it will almost-never happen
-         * for ECDH / ECDSA. The case where it can happen is during scalar-mult
-         * where the intermediate value gets very close to the group order.
-         * Since |ossl_ec_GFp_nistp_recode_scalar_bits| produces signed digits
-         * for the scalar, it's possible for the intermediate value to be a small
-         * negative multiple of the base point, and for the final signed digit
-         * to be the same value. We believe that this only occurs for the scalar
-         * 1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
-         * ffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb
-         * 71e913863f7, in that case the penultimate intermediate is -9G and
-         * the final digit is also -9G. Since this only happens for a single
-         * scalar, the timing leak is irrelevant. (Any attacker who wanted to
-         * check whether a secret scalar was that exact value, can already do
-         * so.)
-         */
-        point_double(x3, y3, z3, x1, y1, z1);
-        return;
-    }
-
-    /* I = ftmp = (2h)**2 */
-    felem_assign(ftmp, ftmp4);
-    felem_scalar64(ftmp, 2);
-    /* ftmp[i] < 2^61 */
-    felem_square(tmp, ftmp);
-    /* tmp[i] < 17*2^122 */
-    felem_reduce(ftmp, tmp);
-
-    /* J = ftmp2 = h * I */
-    felem_mul(tmp, ftmp4, ftmp);
-    felem_reduce(ftmp2, tmp);
-
-    /* V = ftmp4 = U1 * I */
-    felem_mul(tmp, ftmp3, ftmp);
-    felem_reduce(ftmp4, tmp);
-
-    /* x_out = r**2 - J - 2V */
-    felem_square(tmp, ftmp5);
-    /* tmp[i] < 17*2^122 */
-    felem_diff_128_64(tmp, ftmp2);
-    /* tmp[i] < 17*2^122 + 2^63 */
-    felem_assign(ftmp3, ftmp4);
-    felem_scalar64(ftmp4, 2);
-    /* ftmp4[i] < 2^61 */
-    felem_diff_128_64(tmp, ftmp4);
-    /* tmp[i] < 17*2^122 + 2^64 */
-    felem_reduce(x_out, tmp);
-
-    /* y_out = r(V-x_out) - 2 * s1 * J */
-    felem_diff64(ftmp3, x_out);
-    /*
-     * ftmp3[i] < 2^60 + 2^60 = 2^61
-     */
-    felem_mul(tmp, ftmp5, ftmp3);
-    /* tmp[i] < 17*2^122 */
-    felem_mul(tmp2, ftmp6, ftmp2);
-    /* tmp2[i] < 17*2^120 */
-    felem_scalar128(tmp2, 2);
-    /* tmp2[i] < 17*2^121 */
-    felem_diff128(tmp, tmp2);
-        /*-
-         * tmp[i] < 2^127 - 2^69 + 17*2^122
-         *        = 2^126 - 2^122 - 2^6 - 2^2 - 1
-         *        < 2^127
-         */
-    felem_reduce(y_out, tmp);
-
-    copy_conditional(x_out, x2, z1_is_zero);
-    copy_conditional(x_out, x1, z2_is_zero);
-    copy_conditional(y_out, y2, z1_is_zero);
-    copy_conditional(y_out, y1, z2_is_zero);
-    copy_conditional(z_out, z2, z1_is_zero);
-    copy_conditional(z_out, z1, z2_is_zero);
-    felem_assign(x3, x_out);
-    felem_assign(y3, y_out);
-    felem_assign(z3, z_out);
-}
-
-/*-
- * Base point pre computation
- * --------------------------
- *
- * Two different sorts of precomputed tables are used in the following code.
- * Each contain various points on the curve, where each point is three field
- * elements (x, y, z).
- *
- * For the base point table, z is usually 1 (0 for the point at infinity).
- * This table has 16 elements:
- * index | bits    | point
- * ------+---------+------------------------------
- *     0 | 0 0 0 0 | 0G
- *     1 | 0 0 0 1 | 1G
- *     2 | 0 0 1 0 | 2^130G
- *     3 | 0 0 1 1 | (2^130 + 1)G
- *     4 | 0 1 0 0 | 2^260G
- *     5 | 0 1 0 1 | (2^260 + 1)G
- *     6 | 0 1 1 0 | (2^260 + 2^130)G
- *     7 | 0 1 1 1 | (2^260 + 2^130 + 1)G
- *     8 | 1 0 0 0 | 2^390G
- *     9 | 1 0 0 1 | (2^390 + 1)G
- *    10 | 1 0 1 0 | (2^390 + 2^130)G
- *    11 | 1 0 1 1 | (2^390 + 2^130 + 1)G
- *    12 | 1 1 0 0 | (2^390 + 2^260)G
- *    13 | 1 1 0 1 | (2^390 + 2^260 + 1)G
- *    14 | 1 1 1 0 | (2^390 + 2^260 + 2^130)G
- *    15 | 1 1 1 1 | (2^390 + 2^260 + 2^130 + 1)G
- *
- * The reason for this is so that we can clock bits into four different
- * locations when doing simple scalar multiplies against the base point.
- *
- * Tables for other points have table[i] = iG for i in 0 .. 16. */
-
-/* gmul is the table of precomputed base points */
-static const felem gmul[16][3] = {
-{{0, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, 0, 0, 0, 0, 0, 0, 0, 0},
- {0, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x017e7e31c2e5bd66, 0x022cf0615a90a6fe, 0x00127a2ffa8de334,
-  0x01dfbf9d64a3f877, 0x006b4d3dbaa14b5e, 0x014fed487e0a2bd8,
-  0x015b4429c6481390, 0x03a73678fb2d988e, 0x00c6858e06b70404},
- {0x00be94769fd16650, 0x031c21a89cb09022, 0x039013fad0761353,
-  0x02657bd099031542, 0x03273e662c97ee72, 0x01e6d11a05ebef45,
-  0x03d1bd998f544495, 0x03001172297ed0b1, 0x011839296a789a3b},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x0373faacbc875bae, 0x00f325023721c671, 0x00f666fd3dbde5ad,
-  0x01a6932363f88ea7, 0x01fc6d9e13f9c47b, 0x03bcbffc2bbf734e,
-  0x013ee3c3647f3a92, 0x029409fefe75d07d, 0x00ef9199963d85e5},
- {0x011173743ad5b178, 0x02499c7c21bf7d46, 0x035beaeabb8b1a58,
-  0x00f989c4752ea0a3, 0x0101e1de48a9c1a3, 0x01a20076be28ba6c,
-  0x02f8052e5eb2de95, 0x01bfe8f82dea117c, 0x0160074d3c36ddb7},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x012f3fc373393b3b, 0x03d3d6172f1419fa, 0x02adc943c0b86873,
-  0x00d475584177952b, 0x012a4d1673750ee2, 0x00512517a0f13b0c,
-  0x02b184671a7b1734, 0x0315b84236f1a50a, 0x00a4afc472edbdb9},
- {0x00152a7077f385c4, 0x03044007d8d1c2ee, 0x0065829d61d52b52,
-  0x00494ff6b6631d0d, 0x00a11d94d5f06bcf, 0x02d2f89474d9282e,
-  0x0241c5727c06eeb9, 0x0386928710fbdb9d, 0x01f883f727b0dfbe},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x019b0c3c9185544d, 0x006243a37c9d97db, 0x02ee3cbe030a2ad2,
-  0x00cfdd946bb51e0d, 0x0271c00932606b91, 0x03f817d1ec68c561,
-  0x03f37009806a369c, 0x03c1f30baf184fd5, 0x01091022d6d2f065},
- {0x0292c583514c45ed, 0x0316fca51f9a286c, 0x00300af507c1489a,
-  0x0295f69008298cf1, 0x02c0ed8274943d7b, 0x016509b9b47a431e,
-  0x02bc9de9634868ce, 0x005b34929bffcb09, 0x000c1a0121681524},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x0286abc0292fb9f2, 0x02665eee9805b3f7, 0x01ed7455f17f26d6,
-  0x0346355b83175d13, 0x006284944cd0a097, 0x0191895bcdec5e51,
-  0x02e288370afda7d9, 0x03b22312bfefa67a, 0x01d104d3fc0613fe},
- {0x0092421a12f7e47f, 0x0077a83fa373c501, 0x03bd25c5f696bd0d,
-  0x035c41e4d5459761, 0x01ca0d1742b24f53, 0x00aaab27863a509c,
-  0x018b6de47df73917, 0x025c0b771705cd01, 0x01fd51d566d760a7},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x01dd92ff6b0d1dbd, 0x039c5e2e8f8afa69, 0x0261ed13242c3b27,
-  0x0382c6e67026e6a0, 0x01d60b10be2089f9, 0x03c15f3dce86723f,
-  0x03c764a32d2a062d, 0x017307eac0fad056, 0x018207c0b96c5256},
- {0x0196a16d60e13154, 0x03e6ce74c0267030, 0x00ddbf2b4e52a5aa,
-  0x012738241bbf31c8, 0x00ebe8dc04685a28, 0x024c2ad6d380d4a2,
-  0x035ee062a6e62d0e, 0x0029ed74af7d3a0f, 0x00eef32aec142ebd},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x00c31ec398993b39, 0x03a9f45bcda68253, 0x00ac733c24c70890,
-  0x00872b111401ff01, 0x01d178c23195eafb, 0x03bca2c816b87f74,
-  0x0261a9af46fbad7a, 0x0324b2a8dd3d28f9, 0x00918121d8f24e23},
- {0x032bc8c1ca983cd7, 0x00d869dfb08fc8c6, 0x01693cb61fce1516,
-  0x012a5ea68f4e88a8, 0x010869cab88d7ae3, 0x009081ad277ceee1,
-  0x033a77166d064cdc, 0x03955235a1fb3a95, 0x01251a4a9b25b65e},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x00148a3a1b27f40b, 0x0123186df1b31fdc, 0x00026e7beaad34ce,
-  0x01db446ac1d3dbba, 0x0299c1a33437eaec, 0x024540610183cbb7,
-  0x0173bb0e9ce92e46, 0x02b937e43921214b, 0x01ab0436a9bf01b5},
- {0x0383381640d46948, 0x008dacbf0e7f330f, 0x03602122bcc3f318,
-  0x01ee596b200620d6, 0x03bd0585fda430b3, 0x014aed77fd123a83,
-  0x005ace749e52f742, 0x0390fe041da2b842, 0x0189a8ceb3299242},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x012a19d6b3282473, 0x00c0915918b423ce, 0x023a954eb94405ae,
-  0x00529f692be26158, 0x0289fa1b6fa4b2aa, 0x0198ae4ceea346ef,
-  0x0047d8cdfbdedd49, 0x00cc8c8953f0f6b8, 0x001424abbff49203},
- {0x0256732a1115a03a, 0x0351bc38665c6733, 0x03f7b950fb4a6447,
-  0x000afffa94c22155, 0x025763d0a4dab540, 0x000511e92d4fc283,
-  0x030a7e9eda0ee96c, 0x004c3cd93a28bf0a, 0x017edb3a8719217f},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x011de5675a88e673, 0x031d7d0f5e567fbe, 0x0016b2062c970ae5,
-  0x03f4a2be49d90aa7, 0x03cef0bd13822866, 0x03f0923dcf774a6c,
-  0x0284bebc4f322f72, 0x016ab2645302bb2c, 0x01793f95dace0e2a},
- {0x010646e13527a28f, 0x01ca1babd59dc5e7, 0x01afedfd9a5595df,
-  0x01f15785212ea6b1, 0x0324e5d64f6ae3f4, 0x02d680f526d00645,
-  0x0127920fadf627a7, 0x03b383f75df4f684, 0x0089e0057e783b0a},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x00f334b9eb3c26c6, 0x0298fdaa98568dce, 0x01c2d24843a82292,
-  0x020bcb24fa1b0711, 0x02cbdb3d2b1875e6, 0x0014907598f89422,
-  0x03abe3aa43b26664, 0x02cbf47f720bc168, 0x0133b5e73014b79b},
- {0x034aab5dab05779d, 0x00cdc5d71fee9abb, 0x0399f16bd4bd9d30,
-  0x03582fa592d82647, 0x02be1cdfb775b0e9, 0x0034f7cea32e94cb,
-  0x0335a7f08f56f286, 0x03b707e9565d1c8b, 0x0015c946ea5b614f},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x024676f6cff72255, 0x00d14625cac96378, 0x00532b6008bc3767,
-  0x01fc16721b985322, 0x023355ea1b091668, 0x029de7afdc0317c3,
-  0x02fc8a7ca2da037c, 0x02de1217d74a6f30, 0x013f7173175b73bf},
- {0x0344913f441490b5, 0x0200f9e272b61eca, 0x0258a246b1dd55d2,
-  0x03753db9ea496f36, 0x025e02937a09c5ef, 0x030cbd3d14012692,
-  0x01793a67e70dc72a, 0x03ec1d37048a662e, 0x006550f700c32a8d},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x00d3f48a347eba27, 0x008e636649b61bd8, 0x00d3b93716778fb3,
-  0x004d1915757bd209, 0x019d5311a3da44e0, 0x016d1afcbbe6aade,
-  0x0241bf5f73265616, 0x0384672e5d50d39b, 0x005009fee522b684},
- {0x029b4fab064435fe, 0x018868ee095bbb07, 0x01ea3d6936cc92b8,
-  0x000608b00f78a2f3, 0x02db911073d1c20f, 0x018205938470100a,
-  0x01f1e4964cbe6ff2, 0x021a19a29eed4663, 0x01414485f42afa81},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x01612b3a17f63e34, 0x03813992885428e6, 0x022b3c215b5a9608,
-  0x029b4057e19f2fcb, 0x0384059a587af7e6, 0x02d6400ace6fe610,
-  0x029354d896e8e331, 0x00c047ee6dfba65e, 0x0037720542e9d49d},
- {0x02ce9eed7c5e9278, 0x0374ed703e79643b, 0x01316c54c4072006,
-  0x005aaa09054b2ee8, 0x002824000c840d57, 0x03d4eba24771ed86,
-  0x0189c50aabc3bdae, 0x0338c01541e15510, 0x00466d56e38eed42},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}},
-{{0x007efd8330ad8bd6, 0x02465ed48047710b, 0x0034c6606b215e0c,
-  0x016ae30c53cbf839, 0x01fa17bd37161216, 0x018ead4e61ce8ab9,
-  0x005482ed5f5dee46, 0x037543755bba1d7f, 0x005e5ac7e70a9d0f},
- {0x0117e1bb2fdcb2a2, 0x03deea36249f40c4, 0x028d09b4a6246cb7,
-  0x03524b8855bcf756, 0x023d7d109d5ceb58, 0x0178e43e3223ef9c,
-  0x0154536a0c6e966a, 0x037964d1286ee9fe, 0x0199bcd90e125055},
- {1, 0, 0, 0, 0, 0, 0, 0, 0}}
-};
-
-/*
- * select_point selects the |idx|th point from a precomputation table and
- * copies it to out.
- */
- /* pre_comp below is of the size provided in |size| */
-static void select_point(const limb idx, unsigned int size,
-                         const felem pre_comp[][3], felem out[3])
-{
-    unsigned i, j;
-    limb *outlimbs = &out[0][0];
-
-    memset(out, 0, sizeof(*out) * 3);
-
-    for (i = 0; i < size; i++) {
-        const limb *inlimbs = &pre_comp[i][0][0];
-        limb mask = i ^ idx;
-        mask |= mask >> 4;
-        mask |= mask >> 2;
-        mask |= mask >> 1;
-        mask &= 1;
-        mask--;
-        for (j = 0; j < NLIMBS * 3; j++)
-            outlimbs[j] |= inlimbs[j] & mask;
-    }
-}
-
-/* get_bit returns the |i|th bit in |in| */
-static char get_bit(const felem_bytearray in, int i)
-{
-    if (i < 0)
-        return 0;
-    return (in[i >> 3] >> (i & 7)) & 1;
-}
-
-/*
- * Interleaved point multiplication using precomputed point multiples: The
- * small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], the scalars
- * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the
- * generator, using certain (large) precomputed multiples in g_pre_comp.
- * Output point (X, Y, Z) is stored in x_out, y_out, z_out
- */
-static void batch_mul(felem x_out, felem y_out, felem z_out,
-                      const felem_bytearray scalars[],
-                      const unsigned num_points, const u8 *g_scalar,
-                      const int mixed, const felem pre_comp[][17][3],
-                      const felem g_pre_comp[16][3])
-{
-    int i, skip;
-    unsigned num, gen_mul = (g_scalar != NULL);
-    felem nq[3], tmp[4];
-    limb bits;
-    u8 sign, digit;
-
-    /* set nq to the point at infinity */
-    memset(nq, 0, sizeof(nq));
-
-    /*
-     * Loop over all scalars msb-to-lsb, interleaving additions of multiples
-     * of the generator (last quarter of rounds) and additions of other
-     * points multiples (every 5th round).
-     */
-    skip = 1;                   /* save two point operations in the first
-                                 * round */
-    for (i = (num_points ? 520 : 130); i >= 0; --i) {
-        /* double */
-        if (!skip)
-            point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]);
-
-        /* add multiples of the generator */
-        if (gen_mul && (i <= 130)) {
-            bits = get_bit(g_scalar, i + 390) << 3;
-            if (i < 130) {
-                bits |= get_bit(g_scalar, i + 260) << 2;
-                bits |= get_bit(g_scalar, i + 130) << 1;
-                bits |= get_bit(g_scalar, i);
-            }
-            /* select the point to add, in constant time */
-            select_point(bits, 16, g_pre_comp, tmp);
-            if (!skip) {
-                /* The 1 argument below is for "mixed" */
-                point_add(nq[0], nq[1], nq[2],
-                          nq[0], nq[1], nq[2], 1, tmp[0], tmp[1], tmp[2]);
-            } else {
-                memcpy(nq, tmp, 3 * sizeof(felem));
-                skip = 0;
-            }
-        }
-
-        /* do other additions every 5 doublings */
-        if (num_points && (i % 5 == 0)) {
-            /* loop over all scalars */
-            for (num = 0; num < num_points; ++num) {
-                bits = get_bit(scalars[num], i + 4) << 5;
-                bits |= get_bit(scalars[num], i + 3) << 4;
-                bits |= get_bit(scalars[num], i + 2) << 3;
-                bits |= get_bit(scalars[num], i + 1) << 2;
-                bits |= get_bit(scalars[num], i) << 1;
-                bits |= get_bit(scalars[num], i - 1);
-                ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits);
-
-                /*
-                 * select the point to add or subtract, in constant time
-                 */
-                select_point(digit, 17, pre_comp[num], tmp);
-                felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative
-                                            * point */
-                copy_conditional(tmp[1], tmp[3], (-(limb) sign));
-
-                if (!skip) {
-                    point_add(nq[0], nq[1], nq[2],
-                              nq[0], nq[1], nq[2],
-                              mixed, tmp[0], tmp[1], tmp[2]);
-                } else {
-                    memcpy(nq, tmp, 3 * sizeof(felem));
-                    skip = 0;
-                }
-            }
-        }
-    }
-    felem_assign(x_out, nq[0]);
-    felem_assign(y_out, nq[1]);
-    felem_assign(z_out, nq[2]);
-}
-
-/* Precomputation for the group generator. */
-struct nistp521_pre_comp_st {
-    felem g_pre_comp[16][3];
-    CRYPTO_REF_COUNT references;
-    CRYPTO_RWLOCK *lock;
-};
-
-const EC_METHOD *EC_GFp_nistp521_method(void)
-{
-    static const EC_METHOD ret = {
-        EC_FLAGS_DEFAULT_OCT,
-        NID_X9_62_prime_field,
-        ossl_ec_GFp_nistp521_group_init,
-        ossl_ec_GFp_simple_group_finish,
-        ossl_ec_GFp_simple_group_clear_finish,
-        ossl_ec_GFp_nist_group_copy,
-        ossl_ec_GFp_nistp521_group_set_curve,
-        ossl_ec_GFp_simple_group_get_curve,
-        ossl_ec_GFp_simple_group_get_degree,
-        ossl_ec_group_simple_order_bits,
-        ossl_ec_GFp_simple_group_check_discriminant,
-        ossl_ec_GFp_simple_point_init,
-        ossl_ec_GFp_simple_point_finish,
-        ossl_ec_GFp_simple_point_clear_finish,
-        ossl_ec_GFp_simple_point_copy,
-        ossl_ec_GFp_simple_point_set_to_infinity,
-        ossl_ec_GFp_simple_point_set_affine_coordinates,
-        ossl_ec_GFp_nistp521_point_get_affine_coordinates,
-        0 /* point_set_compressed_coordinates */ ,
-        0 /* point2oct */ ,
-        0 /* oct2point */ ,
-        ossl_ec_GFp_simple_add,
-        ossl_ec_GFp_simple_dbl,
-        ossl_ec_GFp_simple_invert,
-        ossl_ec_GFp_simple_is_at_infinity,
-        ossl_ec_GFp_simple_is_on_curve,
-        ossl_ec_GFp_simple_cmp,
-        ossl_ec_GFp_simple_make_affine,
-        ossl_ec_GFp_simple_points_make_affine,
-        ossl_ec_GFp_nistp521_points_mul,
-        ossl_ec_GFp_nistp521_precompute_mult,
-        ossl_ec_GFp_nistp521_have_precompute_mult,
-        ossl_ec_GFp_nist_field_mul,
-        ossl_ec_GFp_nist_field_sqr,
-        0 /* field_div */ ,
-        ossl_ec_GFp_simple_field_inv,
-        0 /* field_encode */ ,
-        0 /* field_decode */ ,
-        0,                      /* field_set_to_one */
-        ossl_ec_key_simple_priv2oct,
-        ossl_ec_key_simple_oct2priv,
-        0, /* set private */
-        ossl_ec_key_simple_generate_key,
-        ossl_ec_key_simple_check_key,
-        ossl_ec_key_simple_generate_public_key,
-        0, /* keycopy */
-        0, /* keyfinish */
-        ossl_ecdh_simple_compute_key,
-        ossl_ecdsa_simple_sign_setup,
-        ossl_ecdsa_simple_sign_sig,
-        ossl_ecdsa_simple_verify_sig,
-        0, /* field_inverse_mod_ord */
-        0, /* blind_coordinates */
-        0, /* ladder_pre */
-        0, /* ladder_step */
-        0  /* ladder_post */
-    };
-
-    return &ret;
-}
-
-/******************************************************************************/
-/*
- * FUNCTIONS TO MANAGE PRECOMPUTATION
- */
-
-static NISTP521_PRE_COMP *nistp521_pre_comp_new(void)
-{
-    NISTP521_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret));
-
-    if (ret == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        return ret;
-    }
-
-    ret->references = 1;
-
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        OPENSSL_free(ret);
-        return NULL;
-    }
-    return ret;
-}
-
-NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *p)
-{
-    int i;
-    if (p != NULL)
-        CRYPTO_UP_REF(&p->references, &i, p->lock);
-    return p;
-}
-
-void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *p)
-{
-    int i;
-
-    if (p == NULL)
-        return;
-
-    CRYPTO_DOWN_REF(&p->references, &i, p->lock);
-    REF_PRINT_COUNT("EC_nistp521", p);
-    if (i > 0)
-        return;
-    REF_ASSERT_ISNT(i < 0);
-
-    CRYPTO_THREAD_lock_free(p->lock);
-    OPENSSL_free(p);
-}
-
-/******************************************************************************/
-/*
- * OPENSSL EC_METHOD FUNCTIONS
- */
-
-int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group)
-{
-    int ret;
-    ret = ossl_ec_GFp_simple_group_init(group);
-    group->a_is_minus3 = 1;
-    return ret;
-}
-
-int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p,
-                                         const BIGNUM *a, const BIGNUM *b,
-                                         BN_CTX *ctx)
-{
-    int ret = 0;
-    BIGNUM *curve_p, *curve_a, *curve_b;
-#ifndef FIPS_MODULE
-    BN_CTX *new_ctx = NULL;
-
-    if (ctx == NULL)
-        ctx = new_ctx = BN_CTX_new();
-#endif
-    if (ctx == NULL)
-        return 0;
-
-    BN_CTX_start(ctx);
-    curve_p = BN_CTX_get(ctx);
-    curve_a = BN_CTX_get(ctx);
-    curve_b = BN_CTX_get(ctx);
-    if (curve_b == NULL)
-        goto err;
-    BN_bin2bn(nistp521_curve_params[0], sizeof(felem_bytearray), curve_p);
-    BN_bin2bn(nistp521_curve_params[1], sizeof(felem_bytearray), curve_a);
-    BN_bin2bn(nistp521_curve_params[2], sizeof(felem_bytearray), curve_b);
-    if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) {
-        ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS);
-        goto err;
-    }
-    group->field_mod_func = BN_nist_mod_521;
-    ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx);
- err:
-    BN_CTX_end(ctx);
-#ifndef FIPS_MODULE
-    BN_CTX_free(new_ctx);
-#endif
-    return ret;
-}
-
-/*
- * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') =
- * (X/Z^2, Y/Z^3)
- */
-int ossl_ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group,
-                                                      const EC_POINT *point,
-                                                      BIGNUM *x, BIGNUM *y,
-                                                      BN_CTX *ctx)
-{
-    felem z1, z2, x_in, y_in, x_out, y_out;
-    largefelem tmp;
-
-    if (EC_POINT_is_at_infinity(group, point)) {
-        ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
-        return 0;
-    }
-    if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) ||
-        (!BN_to_felem(z1, point->Z)))
-        return 0;
-    felem_inv(z2, z1);
-    felem_square(tmp, z2);
-    felem_reduce(z1, tmp);
-    felem_mul(tmp, x_in, z1);
-    felem_reduce(x_in, tmp);
-    felem_contract(x_out, x_in);
-    if (x != NULL) {
-        if (!felem_to_BN(x, x_out)) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            return 0;
-        }
-    }
-    felem_mul(tmp, z1, z2);
-    felem_reduce(z1, tmp);
-    felem_mul(tmp, y_in, z1);
-    felem_reduce(y_in, tmp);
-    felem_contract(y_out, y_in);
-    if (y != NULL) {
-        if (!felem_to_BN(y, y_out)) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            return 0;
-        }
-    }
-    return 1;
-}
-
-/* points below is of size |num|, and tmp_felems is of size |num+1/ */
-static void make_points_affine(size_t num, felem points[][3],
-                               felem tmp_felems[])
-{
-    /*
-     * Runs in constant time, unless an input is the point at infinity (which
-     * normally shouldn't happen).
-     */
-    ossl_ec_GFp_nistp_points_make_affine_internal(num,
-                                                  points,
-                                                  sizeof(felem),
-                                                  tmp_felems,
-                                                  (void (*)(void *))felem_one,
-                                                  felem_is_zero_int,
-                                                  (void (*)(void *, const void *))
-                                                  felem_assign,
-                                                  (void (*)(void *, const void *))
-                                                  felem_square_reduce, (void (*)
-                                                                        (void *,
-                                                                         const void
-                                                                         *,
-                                                                         const void
-                                                                         *))
-                                                  felem_mul_reduce,
-                                                  (void (*)(void *, const void *))
-                                                  felem_inv,
-                                                  (void (*)(void *, const void *))
-                                                  felem_contract);
-}
-
-/*
- * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL
- * values Result is stored in r (r can equal one of the inputs).
- */
-int ossl_ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r,
-                                    const BIGNUM *scalar, size_t num,
-                                    const EC_POINT *points[],
-                                    const BIGNUM *scalars[], BN_CTX *ctx)
-{
-    int ret = 0;
-    int j;
-    int mixed = 0;
-    BIGNUM *x, *y, *z, *tmp_scalar;
-    felem_bytearray g_secret;
-    felem_bytearray *secrets = NULL;
-    felem (*pre_comp)[17][3] = NULL;
-    felem *tmp_felems = NULL;
-    unsigned i;
-    int num_bytes;
-    int have_pre_comp = 0;
-    size_t num_points = num;
-    felem x_in, y_in, z_in, x_out, y_out, z_out;
-    NISTP521_PRE_COMP *pre = NULL;
-    felem(*g_pre_comp)[3] = NULL;
-    EC_POINT *generator = NULL;
-    const EC_POINT *p = NULL;
-    const BIGNUM *p_scalar = NULL;
-
-    BN_CTX_start(ctx);
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    z = BN_CTX_get(ctx);
-    tmp_scalar = BN_CTX_get(ctx);
-    if (tmp_scalar == NULL)
-        goto err;
-
-    if (scalar != NULL) {
-        pre = group->pre_comp.nistp521;
-        if (pre)
-            /* we have precomputation, try to use it */
-            g_pre_comp = &pre->g_pre_comp[0];
-        else
-            /* try to use the standard precomputation */
-            g_pre_comp = (felem(*)[3]) gmul;
-        generator = EC_POINT_new(group);
-        if (generator == NULL)
-            goto err;
-        /* get the generator from precomputation */
-        if (!felem_to_BN(x, g_pre_comp[1][0]) ||
-            !felem_to_BN(y, g_pre_comp[1][1]) ||
-            !felem_to_BN(z, g_pre_comp[1][2])) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            goto err;
-        }
-        if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group,
-                                                                generator,
-                                                                x, y, z, ctx))
-            goto err;
-        if (0 == EC_POINT_cmp(group, generator, group->generator, ctx))
-            /* precomputation matches generator */
-            have_pre_comp = 1;
-        else
-            /*
-             * we don't have valid precomputation: treat the generator as a
-             * random point
-             */
-            num_points++;
-    }
-
-    if (num_points > 0) {
-        if (num_points >= 2) {
-            /*
-             * unless we precompute multiples for just one point, converting
-             * those into affine form is time well spent
-             */
-            mixed = 1;
-        }
-        secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points);
-        pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points);
-        if (mixed)
-            tmp_felems =
-                OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1));
-        if ((secrets == NULL) || (pre_comp == NULL)
-            || (mixed && (tmp_felems == NULL))) {
-            ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-            goto err;
-        }
-
-        /*
-         * we treat NULL scalars as 0, and NULL points as points at infinity,
-         * i.e., they contribute nothing to the linear combination
-         */
-        for (i = 0; i < num_points; ++i) {
-            if (i == num) {
-                /*
-                 * we didn't have a valid precomputation, so we pick the
-                 * generator
-                 */
-                p = EC_GROUP_get0_generator(group);
-                p_scalar = scalar;
-            } else {
-                /* the i^th point */
-                p = points[i];
-                p_scalar = scalars[i];
-            }
-            if ((p_scalar != NULL) && (p != NULL)) {
-                /* reduce scalar to 0 <= scalar < 2^521 */
-                if ((BN_num_bits(p_scalar) > 521)
-                    || (BN_is_negative(p_scalar))) {
-                    /*
-                     * this is an unusual input, and we don't guarantee
-                     * constant-timeness
-                     */
-                    if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) {
-                        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                        goto err;
-                    }
-                    num_bytes = BN_bn2lebinpad(tmp_scalar,
-                                               secrets[i], sizeof(secrets[i]));
-                } else {
-                    num_bytes = BN_bn2lebinpad(p_scalar,
-                                               secrets[i], sizeof(secrets[i]));
-                }
-                if (num_bytes < 0) {
-                    ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                    goto err;
-                }
-                /* precompute multiples */
-                if ((!BN_to_felem(x_out, p->X)) ||
-                    (!BN_to_felem(y_out, p->Y)) ||
-                    (!BN_to_felem(z_out, p->Z)))
-                    goto err;
-                memcpy(pre_comp[i][1][0], x_out, sizeof(felem));
-                memcpy(pre_comp[i][1][1], y_out, sizeof(felem));
-                memcpy(pre_comp[i][1][2], z_out, sizeof(felem));
-                for (j = 2; j <= 16; ++j) {
-                    if (j & 1) {
-                        point_add(pre_comp[i][j][0], pre_comp[i][j][1],
-                                  pre_comp[i][j][2], pre_comp[i][1][0],
-                                  pre_comp[i][1][1], pre_comp[i][1][2], 0,
-                                  pre_comp[i][j - 1][0],
-                                  pre_comp[i][j - 1][1],
-                                  pre_comp[i][j - 1][2]);
-                    } else {
-                        point_double(pre_comp[i][j][0], pre_comp[i][j][1],
-                                     pre_comp[i][j][2], pre_comp[i][j / 2][0],
-                                     pre_comp[i][j / 2][1],
-                                     pre_comp[i][j / 2][2]);
-                    }
-                }
-            }
-        }
-        if (mixed)
-            make_points_affine(num_points * 17, pre_comp[0], tmp_felems);
-    }
-
-    /* the scalar for the generator */
-    if ((scalar != NULL) && (have_pre_comp)) {
-        memset(g_secret, 0, sizeof(g_secret));
-        /* reduce scalar to 0 <= scalar < 2^521 */
-        if ((BN_num_bits(scalar) > 521) || (BN_is_negative(scalar))) {
-            /*
-             * this is an unusual input, and we don't guarantee
-             * constant-timeness
-             */
-            if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) {
-                ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-                goto err;
-            }
-            num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret));
-        } else {
-            num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret));
-        }
-        /* do the multiplication with generator precomputation */
-        batch_mul(x_out, y_out, z_out,
-                  (const felem_bytearray(*))secrets, num_points,
-                  g_secret,
-                  mixed, (const felem(*)[17][3])pre_comp,
-                  (const felem(*)[3])g_pre_comp);
-    } else {
-        /* do the multiplication without generator precomputation */
-        batch_mul(x_out, y_out, z_out,
-                  (const felem_bytearray(*))secrets, num_points,
-                  NULL, mixed, (const felem(*)[17][3])pre_comp, NULL);
-    }
-    /* reduce the output to its unique minimal representation */
-    felem_contract(x_in, x_out);
-    felem_contract(y_in, y_out);
-    felem_contract(z_in, z_out);
-    if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) ||
-        (!felem_to_BN(z, z_in))) {
-        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-        goto err;
-    }
-    ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z,
-                                                             ctx);
-
- err:
-    BN_CTX_end(ctx);
-    EC_POINT_free(generator);
-    OPENSSL_free(secrets);
-    OPENSSL_free(pre_comp);
-    OPENSSL_free(tmp_felems);
-    return ret;
-}
-
-int ossl_ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx)
-{
-    int ret = 0;
-    NISTP521_PRE_COMP *pre = NULL;
-    int i, j;
-    BIGNUM *x, *y;
-    EC_POINT *generator = NULL;
-    felem tmp_felems[16];
-#ifndef FIPS_MODULE
-    BN_CTX *new_ctx = NULL;
-#endif
-
-    /* throw away old precomputation */
-    EC_pre_comp_free(group);
-
-#ifndef FIPS_MODULE
-    if (ctx == NULL)
-        ctx = new_ctx = BN_CTX_new();
-#endif
-    if (ctx == NULL)
-        return 0;
-
-    BN_CTX_start(ctx);
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    if (y == NULL)
-        goto err;
-    /* get the generator */
-    if (group->generator == NULL)
-        goto err;
-    generator = EC_POINT_new(group);
-    if (generator == NULL)
-        goto err;
-    BN_bin2bn(nistp521_curve_params[3], sizeof(felem_bytearray), x);
-    BN_bin2bn(nistp521_curve_params[4], sizeof(felem_bytearray), y);
-    if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx))
-        goto err;
-    if ((pre = nistp521_pre_comp_new()) == NULL)
-        goto err;
-    /*
-     * if the generator is the standard one, use built-in precomputation
-     */
-    if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) {
-        memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp));
-        goto done;
-    }
-    if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) ||
-        (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) ||
-        (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z)))
-        goto err;
-    /* compute 2^130*G, 2^260*G, 2^390*G */
-    for (i = 1; i <= 4; i <<= 1) {
-        point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1],
-                     pre->g_pre_comp[2 * i][2], pre->g_pre_comp[i][0],
-                     pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]);
-        for (j = 0; j < 129; ++j) {
-            point_double(pre->g_pre_comp[2 * i][0],
-                         pre->g_pre_comp[2 * i][1],
-                         pre->g_pre_comp[2 * i][2],
-                         pre->g_pre_comp[2 * i][0],
-                         pre->g_pre_comp[2 * i][1],
-                         pre->g_pre_comp[2 * i][2]);
-        }
-    }
-    /* g_pre_comp[0] is the point at infinity */
-    memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0]));
-    /* the remaining multiples */
-    /* 2^130*G + 2^260*G */
-    point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1],
-              pre->g_pre_comp[6][2], pre->g_pre_comp[4][0],
-              pre->g_pre_comp[4][1], pre->g_pre_comp[4][2],
-              0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
-              pre->g_pre_comp[2][2]);
-    /* 2^130*G + 2^390*G */
-    point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1],
-              pre->g_pre_comp[10][2], pre->g_pre_comp[8][0],
-              pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
-              0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
-              pre->g_pre_comp[2][2]);
-    /* 2^260*G + 2^390*G */
-    point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1],
-              pre->g_pre_comp[12][2], pre->g_pre_comp[8][0],
-              pre->g_pre_comp[8][1], pre->g_pre_comp[8][2],
-              0, pre->g_pre_comp[4][0], pre->g_pre_comp[4][1],
-              pre->g_pre_comp[4][2]);
-    /* 2^130*G + 2^260*G + 2^390*G */
-    point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1],
-              pre->g_pre_comp[14][2], pre->g_pre_comp[12][0],
-              pre->g_pre_comp[12][1], pre->g_pre_comp[12][2],
-              0, pre->g_pre_comp[2][0], pre->g_pre_comp[2][1],
-              pre->g_pre_comp[2][2]);
-    for (i = 1; i < 8; ++i) {
-        /* odd multiples: add G */
-        point_add(pre->g_pre_comp[2 * i + 1][0],
-                  pre->g_pre_comp[2 * i + 1][1],
-                  pre->g_pre_comp[2 * i + 1][2], pre->g_pre_comp[2 * i][0],
-                  pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], 0,
-                  pre->g_pre_comp[1][0], pre->g_pre_comp[1][1],
-                  pre->g_pre_comp[1][2]);
-    }
-    make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems);
-
- done:
-    SETPRECOMP(group, nistp521, pre);
-    ret = 1;
-    pre = NULL;
- err:
-    BN_CTX_end(ctx);
-    EC_POINT_free(generator);
-#ifndef FIPS_MODULE
-    BN_CTX_free(new_ctx);
-#endif
-    EC_nistp521_pre_comp_free(pre);
-    return ret;
-}
-
-int ossl_ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group)
-{
-    return HAVEPRECOMP(group, nistp521);
-}

+ 0 - 34
libs/openssl/crypto/ec/ecp_ppc.c

@@ -1,34 +0,0 @@
-/*
- * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "internal/cryptlib.h"
-#include "crypto/ppc_arch.h"
-#include "ec_local.h"
-
-void ecp_nistz256_mul_mont(unsigned long res[4], const unsigned long a[4],
-                           const unsigned long b[4]);
-
-void ecp_nistz256_to_mont(unsigned long res[4], const unsigned long in[4]);
-void ecp_nistz256_to_mont(unsigned long res[4], const unsigned long in[4])
-{
-    static const unsigned long RR[] = { 0x0000000000000003U,
-                                        0xfffffffbffffffffU,
-                                        0xfffffffffffffffeU,
-                                        0x00000004fffffffdU };
-
-    ecp_nistz256_mul_mont(res, in, RR);
-}
-
-void ecp_nistz256_from_mont(unsigned long res[4], const unsigned long in[4]);
-void ecp_nistz256_from_mont(unsigned long res[4], const unsigned long in[4])
-{
-    static const unsigned long one[] = { 1, 0, 0, 0 };
-
-    ecp_nistz256_mul_mont(res, in, one);
-}

+ 0 - 400
libs/openssl/crypto/ec/ecp_s390x_nistp.c

@@ -1,400 +0,0 @@
-/*
- * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * EC_METHOD low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include "ec_local.h"
-#include "s390x_arch.h"
-
-/* Size of parameter blocks */
-#define S390X_SIZE_PARAM                4096
-
-/* Size of fields in parameter blocks */
-#define S390X_SIZE_P256                 32
-#define S390X_SIZE_P384                 48
-#define S390X_SIZE_P521                 80
-
-/* Offsets of fields in PCC parameter blocks */
-#define S390X_OFF_RES_X(n)              (0 * n)
-#define S390X_OFF_RES_Y(n)              (1 * n)
-#define S390X_OFF_SRC_X(n)              (2 * n)
-#define S390X_OFF_SRC_Y(n)              (3 * n)
-#define S390X_OFF_SCALAR(n)             (4 * n)
-
-/* Offsets of fields in KDSA parameter blocks */
-#define S390X_OFF_R(n)                  (0 * n)
-#define S390X_OFF_S(n)                  (1 * n)
-#define S390X_OFF_H(n)                  (2 * n)
-#define S390X_OFF_K(n)                  (3 * n)
-#define S390X_OFF_X(n)                  (3 * n)
-#define S390X_OFF_RN(n)                 (4 * n)
-#define S390X_OFF_Y(n)                  (4 * n)
-
-static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
-                                  const BIGNUM *scalar,
-                                  size_t num, const EC_POINT *points[],
-                                  const BIGNUM *scalars[],
-                                  BN_CTX *ctx, unsigned int fc, int len)
-{
-    unsigned char param[S390X_SIZE_PARAM];
-    BIGNUM *x, *y;
-    const EC_POINT *point_ptr = NULL;
-    const BIGNUM *scalar_ptr = NULL;
-    BN_CTX *new_ctx = NULL;
-    int rc = -1;
-
-    if (ctx == NULL) {
-        ctx = new_ctx = BN_CTX_new_ex(group->libctx);
-        if (ctx == NULL)
-            return 0;
-    }
-
-    BN_CTX_start(ctx);
-
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    if (x == NULL || y == NULL) {
-        rc = 0;
-        goto ret;
-    }
-
-    /*
-     * Use PCC for EC keygen and ECDH key derivation:
-     * scalar * generator and scalar * peer public key,
-     * scalar in [0,order).
-     */
-    if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0)
-        || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) {
-
-        if (num == 0) {
-            point_ptr = EC_GROUP_get0_generator(group);
-            scalar_ptr = scalar;
-        } else {
-            point_ptr = points[0];
-            scalar_ptr = scalars[0];
-        }
-
-        if (EC_POINT_is_at_infinity(group, point_ptr) == 1
-            || BN_is_zero(scalar_ptr)) {
-            rc = EC_POINT_set_to_infinity(group, r);
-            goto ret;
-        }
-
-        memset(&param, 0, sizeof(param));
-
-        if (group->meth->point_get_affine_coordinates(group, point_ptr,
-                                                      x, y, ctx) != 1
-            || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1
-            || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1
-            || BN_bn2binpad(scalar_ptr,
-                            param + S390X_OFF_SCALAR(len), len) == -1
-            || s390x_pcc(fc, param) != 0
-            || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL
-            || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL
-            || group->meth->point_set_affine_coordinates(group, r,
-                                                         x, y, ctx) != 1)
-            goto ret;
-
-        rc = 1;
-    }
-
-ret:
-    /* Otherwise use default. */
-    if (rc == -1)
-        rc = ossl_ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
-    OPENSSL_cleanse(param, sizeof(param));
-    BN_CTX_end(ctx);
-    BN_CTX_free(new_ctx);
-    return rc;
-}
-
-static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
-                                             int dgstlen,
-                                             const BIGNUM *kinv,
-                                             const BIGNUM *r,
-                                             EC_KEY *eckey,
-                                             unsigned int fc, int len)
-{
-    unsigned char param[S390X_SIZE_PARAM];
-    int ok = 0;
-    BIGNUM *k;
-    ECDSA_SIG *sig;
-    const EC_GROUP *group;
-    const BIGNUM *privkey;
-    int off;
-
-    group = EC_KEY_get0_group(eckey);
-    privkey = EC_KEY_get0_private_key(eckey);
-    if (group == NULL || privkey == NULL) {
-        ERR_raise(ERR_LIB_EC, EC_R_MISSING_PARAMETERS);
-        return NULL;
-    }
-
-    if (!EC_KEY_can_sign(eckey)) {
-        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
-        return NULL;
-    }
-
-    k = BN_secure_new();
-    sig = ECDSA_SIG_new();
-    if (k == NULL || sig == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        goto ret;
-    }
-
-    sig->r = BN_new();
-    sig->s = BN_new();
-    if (sig->r == NULL || sig->s == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        goto ret;
-    }
-
-    memset(param, 0, sizeof(param));
-    off = len - (dgstlen > len ? len : dgstlen);
-    memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
-
-    if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) {
-        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-        goto ret;
-    }
-
-    if (r == NULL || kinv == NULL) {
-        if (len < 0) {
-            ERR_raise(ERR_LIB_EC, EC_R_INVALID_LENGTH);
-            goto ret;
-        }
-        /*
-         * Generate random k and copy to param param block. RAND_priv_bytes_ex
-         * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce
-         * because kdsa instruction constructs an in-range, invertible nonce
-         * internally implementing counter-measures for RNG weakness.
-         */
-         if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len),
-                                (size_t)len, 0) != 1) {
-             ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
-             goto ret;
-         }
-    } else {
-        /* Reconstruct k = (k^-1)^-1. */
-        if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
-            || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) {
-            ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-            goto ret;
-        }
-        /* Turns KDSA internal nonce-generation off. */
-        fc |= S390X_KDSA_D;
-    }
-
-    if (s390x_kdsa(fc, param, NULL, 0) != 0) {
-        ERR_raise(ERR_LIB_EC, ERR_R_ECDSA_LIB);
-        goto ret;
-    }
-
-    if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL
-        || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-        goto ret;
-    }
-
-    ok = 1;
-ret:
-    OPENSSL_cleanse(param, sizeof(param));
-    if (ok != 1) {
-        ECDSA_SIG_free(sig);
-        sig = NULL;
-    }
-    BN_clear_free(k);
-    return sig;
-}
-
-static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen,
-                                        const ECDSA_SIG *sig, EC_KEY *eckey,
-                                        unsigned int fc, int len)
-{
-    unsigned char param[S390X_SIZE_PARAM];
-    int rc = -1;
-    BN_CTX *ctx;
-    BIGNUM *x, *y;
-    const EC_GROUP *group;
-    const EC_POINT *pubkey;
-    int off;
-
-    group = EC_KEY_get0_group(eckey);
-    pubkey = EC_KEY_get0_public_key(eckey);
-    if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) {
-        ERR_raise(ERR_LIB_EC, EC_R_MISSING_PARAMETERS);
-        return -1;
-    }
-
-    if (!EC_KEY_can_sign(eckey)) {
-        ERR_raise(ERR_LIB_EC, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
-        return -1;
-    }
-
-    ctx = BN_CTX_new_ex(group->libctx);
-    if (ctx == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        return -1;
-    }
-
-    BN_CTX_start(ctx);
-
-    x = BN_CTX_get(ctx);
-    y = BN_CTX_get(ctx);
-    if (x == NULL || y == NULL) {
-        ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
-        goto ret;
-    }
-
-    memset(param, 0, sizeof(param));
-    off = len - (dgstlen > len ? len : dgstlen);
-    memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
-
-    if (group->meth->point_get_affine_coordinates(group, pubkey,
-                                                  x, y, ctx) != 1
-        || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1
-        || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1
-        || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1
-        || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) {
-        ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
-        goto ret;
-    }
-
-    rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0;
-ret:
-    BN_CTX_end(ctx);
-    BN_CTX_free(ctx);
-    return rc;
-}
-
-#define EC_GFP_S390X_NISTP_METHOD(bits)                                 \
-                                                                        \
-static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group,        \
-                                          EC_POINT *r,                  \
-                                          const BIGNUM *scalar,         \
-                                          size_t num,                   \
-                                          const EC_POINT *points[],     \
-                                          const BIGNUM *scalars[],      \
-                                          BN_CTX *ctx)                  \
-{                                                                       \
-    return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points,        \
-                                  scalars, ctx,                         \
-                                  S390X_SCALAR_MULTIPLY_P##bits,        \
-                                  S390X_SIZE_P##bits);                  \
-}                                                                       \
-                                                                        \
-static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned     \
-                                                     char *dgst,        \
-                                                     int dgstlen,       \
-                                                     const BIGNUM *kinv,\
-                                                     const BIGNUM *r,   \
-                                                     EC_KEY *eckey)     \
-{                                                                       \
-    return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey,    \
-                                      S390X_ECDSA_SIGN_P##bits,         \
-                                      S390X_SIZE_P##bits);              \
-}                                                                       \
-                                                                        \
-static int ecdsa_s390x_nistp##bits##_verify_sig(const                   \
-                                                unsigned char *dgst,    \
-                                                int dgstlen,            \
-                                                const ECDSA_SIG *sig,   \
-                                                EC_KEY *eckey)          \
-{                                                                       \
-    return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey,      \
-                                        S390X_ECDSA_VERIFY_P##bits,     \
-                                        S390X_SIZE_P##bits);            \
-}                                                                       \
-                                                                        \
-const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)                \
-{                                                                       \
-    static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = {          \
-        EC_FLAGS_DEFAULT_OCT,                                           \
-        NID_X9_62_prime_field,                                          \
-        ossl_ec_GFp_simple_group_init,                                  \
-        ossl_ec_GFp_simple_group_finish,                                \
-        ossl_ec_GFp_simple_group_clear_finish,                          \
-        ossl_ec_GFp_simple_group_copy,                                  \
-        ossl_ec_GFp_simple_group_set_curve,                             \
-        ossl_ec_GFp_simple_group_get_curve,                             \
-        ossl_ec_GFp_simple_group_get_degree,                            \
-        ossl_ec_group_simple_order_bits,                                \
-        ossl_ec_GFp_simple_group_check_discriminant,                    \
-        ossl_ec_GFp_simple_point_init,                                  \
-        ossl_ec_GFp_simple_point_finish,                                \
-        ossl_ec_GFp_simple_point_clear_finish,                          \
-        ossl_ec_GFp_simple_point_copy,                                  \
-        ossl_ec_GFp_simple_point_set_to_infinity,                       \
-        ossl_ec_GFp_simple_point_set_affine_coordinates,                \
-        ossl_ec_GFp_simple_point_get_affine_coordinates,                \
-        NULL, /* point_set_compressed_coordinates */                    \
-        NULL, /* point2oct */                                           \
-        NULL, /* oct2point */                                           \
-        ossl_ec_GFp_simple_add,                                         \
-        ossl_ec_GFp_simple_dbl,                                         \
-        ossl_ec_GFp_simple_invert,                                      \
-        ossl_ec_GFp_simple_is_at_infinity,                              \
-        ossl_ec_GFp_simple_is_on_curve,                                 \
-        ossl_ec_GFp_simple_cmp,                                         \
-        ossl_ec_GFp_simple_make_affine,                                 \
-        ossl_ec_GFp_simple_points_make_affine,                          \
-        ec_GFp_s390x_nistp##bits##_mul,                                 \
-        NULL, /* precompute_mult */                                     \
-        NULL, /* have_precompute_mult */                                \
-        ossl_ec_GFp_simple_field_mul,                                   \
-        ossl_ec_GFp_simple_field_sqr,                                   \
-        NULL, /* field_div */                                           \
-        ossl_ec_GFp_simple_field_inv,                                   \
-        NULL, /* field_encode */                                        \
-        NULL, /* field_decode */                                        \
-        NULL, /* field_set_to_one */                                    \
-        ossl_ec_key_simple_priv2oct,                                    \
-        ossl_ec_key_simple_oct2priv,                                    \
-        NULL, /* set_private */                                         \
-        ossl_ec_key_simple_generate_key,                                \
-        ossl_ec_key_simple_check_key,                                   \
-        ossl_ec_key_simple_generate_public_key,                         \
-        NULL, /* keycopy */                                             \
-        NULL, /* keyfinish */                                           \
-        ossl_ecdh_simple_compute_key,                                   \
-        ossl_ecdsa_simple_sign_setup,                                   \
-        ecdsa_s390x_nistp##bits##_sign_sig,                             \
-        ecdsa_s390x_nistp##bits##_verify_sig,                           \
-        NULL, /* field_inverse_mod_ord */                               \
-        ossl_ec_GFp_simple_blind_coordinates,                           \
-        ossl_ec_GFp_simple_ladder_pre,                                  \
-        ossl_ec_GFp_simple_ladder_step,                                 \
-        ossl_ec_GFp_simple_ladder_post                                  \
-    };                                                                  \
-    static const EC_METHOD *ret;                                        \
-                                                                        \
-    if ((OPENSSL_s390xcap_P.pcc[1]                                      \
-         & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits))                 \
-        && (OPENSSL_s390xcap_P.kdsa[0]                                  \
-            & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits))                 \
-        && (OPENSSL_s390xcap_P.kdsa[0]                                  \
-            & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits)))                  \
-        ret = &EC_GFp_s390x_nistp##bits##_meth;                         \
-    else                                                                \
-        ret = EC_GFp_mont_method();                                     \
-                                                                        \
-    return ret;                                                         \
-}
-
-EC_GFP_S390X_NISTP_METHOD(256)
-EC_GFP_S390X_NISTP_METHOD(384)
-EC_GFP_S390X_NISTP_METHOD(521)

+ 0 - 217
libs/openssl/crypto/ec/ecx_s390x.c

@@ -1,217 +0,0 @@
-/*
- * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdio.h>
-#include "internal/cryptlib.h"
-#include <openssl/ec.h>
-#include <openssl/rand.h>
-#include "crypto/ecx.h"
-#include "ec_local.h"
-#include "curve448/curve448_local.h"
-#include "ecx_backend.h"
-#include "s390x_arch.h"
-#include "internal/constant_time.h"
-
-static void s390x_x25519_mod_p(unsigned char u[32])
-{
-    unsigned char u_red[32];
-    unsigned int c = 0;
-    int i;
-
-    memcpy(u_red, u, sizeof(u_red));
-
-    c += (unsigned int)u_red[31] + 19;
-    u_red[31] = (unsigned char)c;
-    c >>= 8;
-
-    for (i = 30; i >= 0; i--) {
-        c += (unsigned int)u_red[i];
-        u_red[i] = (unsigned char)c;
-        c >>= 8;
-    }
-
-    c = (u_red[0] & 0x80) >> 7;
-    u_red[0] &= 0x7f;
-    constant_time_cond_swap_buff(0 - (unsigned char)c,
-                                 u, u_red, sizeof(u_red));
-}
-
-static void s390x_x448_mod_p(unsigned char u[56])
-{
-    unsigned char u_red[56];
-    unsigned int c = 0;
-    int i;
-
-    memcpy(u_red, u, sizeof(u_red));
-
-    c += (unsigned int)u_red[55] + 1;
-    u_red[55] = (unsigned char)c;
-    c >>= 8;
-
-    for (i = 54; i >= 28; i--) {
-        c += (unsigned int)u_red[i];
-        u_red[i] = (unsigned char)c;
-        c >>= 8;
-    }
-
-    c += (unsigned int)u_red[27] + 1;
-    u_red[27] = (unsigned char)c;
-    c >>= 8;
-
-    for (i = 26; i >= 0; i--) {
-        c += (unsigned int)u_red[i];
-        u_red[i] = (unsigned char)c;
-        c >>= 8;
-    }
-
-    constant_time_cond_swap_buff(0 - (unsigned char)c,
-                                 u, u_red, sizeof(u_red));
-}
-
-int s390x_x25519_mul(unsigned char u_dst[32],
-                     const unsigned char u_src[32],
-                     const unsigned char d_src[32])
-{
-    union {
-        struct {
-            unsigned char u_dst[32];
-            unsigned char u_src[32];
-            unsigned char d_src[32];
-        } x25519;
-        unsigned long long buff[512];
-    } param;
-    int rc;
-
-    memset(&param, 0, sizeof(param));
-
-    s390x_flip_endian32(param.x25519.u_src, u_src);
-    param.x25519.u_src[0] &= 0x7f;
-    s390x_x25519_mod_p(param.x25519.u_src);
-
-    s390x_flip_endian32(param.x25519.d_src, d_src);
-    param.x25519.d_src[31] &= 248;
-    param.x25519.d_src[0] &= 127;
-    param.x25519.d_src[0] |= 64;
-
-    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, &param.x25519) ? 0 : 1;
-    if (rc == 1)
-        s390x_flip_endian32(u_dst, param.x25519.u_dst);
-
-    OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src));
-    return rc;
-}
-
-int s390x_x448_mul(unsigned char u_dst[56],
-                   const unsigned char u_src[56],
-                   const unsigned char d_src[56])
-{
-    union {
-        struct {
-            unsigned char u_dst[64];
-            unsigned char u_src[64];
-            unsigned char d_src[64];
-        } x448;
-        unsigned long long buff[512];
-    } param;
-    int rc;
-
-    memset(&param, 0, sizeof(param));
-
-    memcpy(param.x448.u_src, u_src, 56);
-    memcpy(param.x448.d_src, d_src, 56);
-
-    s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
-    s390x_x448_mod_p(param.x448.u_src + 8);
-
-    s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
-    param.x448.d_src[63] &= 252;
-    param.x448.d_src[8] |= 128;
-
-    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, &param.x448) ? 0 : 1;
-    if (rc == 1) {
-        s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst);
-        memcpy(u_dst, param.x448.u_dst, 56);
-    }
-
-    OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src));
-    return rc;
-}
-
-int s390x_ed25519_mul(unsigned char x_dst[32],
-                      unsigned char y_dst[32],
-                      const unsigned char x_src[32],
-                      const unsigned char y_src[32],
-                      const unsigned char d_src[32])
-{
-    union {
-        struct {
-            unsigned char x_dst[32];
-            unsigned char y_dst[32];
-            unsigned char x_src[32];
-            unsigned char y_src[32];
-            unsigned char d_src[32];
-        } ed25519;
-        unsigned long long buff[512];
-    } param;
-    int rc;
-
-    memset(&param, 0, sizeof(param));
-
-    s390x_flip_endian32(param.ed25519.x_src, x_src);
-    s390x_flip_endian32(param.ed25519.y_src, y_src);
-    s390x_flip_endian32(param.ed25519.d_src, d_src);
-
-    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, &param.ed25519) ? 0 : 1;
-    if (rc == 1) {
-        s390x_flip_endian32(x_dst, param.ed25519.x_dst);
-        s390x_flip_endian32(y_dst, param.ed25519.y_dst);
-    }
-
-    OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src));
-    return rc;
-}
-
-int s390x_ed448_mul(unsigned char x_dst[57],
-                    unsigned char y_dst[57],
-                    const unsigned char x_src[57],
-                    const unsigned char y_src[57],
-                    const unsigned char d_src[57])
-{
-    union {
-        struct {
-            unsigned char x_dst[64];
-            unsigned char y_dst[64];
-            unsigned char x_src[64];
-            unsigned char y_src[64];
-            unsigned char d_src[64];
-        } ed448;
-        unsigned long long buff[512];
-    } param;
-    int rc;
-
-    memset(&param, 0, sizeof(param));
-
-    memcpy(param.ed448.x_src, x_src, 57);
-    memcpy(param.ed448.y_src, y_src, 57);
-    memcpy(param.ed448.d_src, d_src, 57);
-    s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src);
-    s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src);
-    s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src);
-
-    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, &param.ed448) ? 0 : 1;
-    if (rc == 1) {
-        s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst);
-        s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst);
-        memcpy(x_dst, param.ed448.x_dst, 57);
-        memcpy(y_dst, param.ed448.y_dst, 57);
-    }
-
-    OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src));
-    return rc;
-}

+ 0 - 36
libs/openssl/crypto/encode_decode/decoder_err.c

@@ -1,36 +0,0 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/err.h>
-#include <openssl/decodererr.h>
-#include "crypto/decodererr.h"
-
-#ifndef OPENSSL_NO_ERR
-
-static const ERR_STRING_DATA OSSL_DECODER_str_reasons[] = {
-    {ERR_PACK(ERR_LIB_OSSL_DECODER, 0, OSSL_DECODER_R_COULD_NOT_DECODE_OBJECT),
-    "could not decode object"},
-    {ERR_PACK(ERR_LIB_OSSL_DECODER, 0, OSSL_DECODER_R_DECODER_NOT_FOUND),
-    "decoder not found"},
-    {ERR_PACK(ERR_LIB_OSSL_DECODER, 0, OSSL_DECODER_R_MISSING_GET_PARAMS),
-    "missing get params"},
-    {0, NULL}
-};
-
-#endif
-
-int ossl_err_load_OSSL_DECODER_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-    if (ERR_reason_error_string(OSSL_DECODER_str_reasons[0].error) == NULL)
-        ERR_load_strings_const(OSSL_DECODER_str_reasons);
-#endif
-    return 1;
-}

+ 0 - 36
libs/openssl/crypto/encode_decode/encoder_err.c

@@ -1,36 +0,0 @@
-/*
- * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/err.h>
-#include <openssl/encodererr.h>
-#include "crypto/encodererr.h"
-
-#ifndef OPENSSL_NO_ERR
-
-static const ERR_STRING_DATA OSSL_ENCODER_str_reasons[] = {
-    {ERR_PACK(ERR_LIB_OSSL_ENCODER, 0, OSSL_ENCODER_R_ENCODER_NOT_FOUND),
-    "encoder not found"},
-    {ERR_PACK(ERR_LIB_OSSL_ENCODER, 0, OSSL_ENCODER_R_INCORRECT_PROPERTY_QUERY),
-    "incorrect property query"},
-    {ERR_PACK(ERR_LIB_OSSL_ENCODER, 0, OSSL_ENCODER_R_MISSING_GET_PARAMS),
-    "missing get params"},
-    {0, NULL}
-};
-
-#endif
-
-int ossl_err_load_OSSL_ENCODER_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-    if (ERR_reason_error_string(OSSL_ENCODER_str_reasons[0].error) == NULL)
-        ERR_load_strings_const(OSSL_ENCODER_str_reasons);
-#endif
-    return 1;
-}

+ 0 - 55
libs/openssl/crypto/err/README.md

@@ -1,55 +0,0 @@
-Adding new libraries
-====================
-
-When adding a new sub-library to OpenSSL, assign it a library number
-`ERR_LIB_XXX`, define a macro `XXXerr()` (both in `err.h`), add its
-name to `ERR_str_libraries[]` (in `crypto/err/err.c`), and add
-`ERR_load_XXX_strings()` to the `ERR_load_crypto_strings()` function
-(in `crypto/err/err_all.c`). Finally, add an entry:
-
-    L      XXX     xxx.h   xxx_err.c
-
-to `crypto/err/openssl.ec`, and add `xxx_err.c` to the `Makefile`.
-Running make errors will then generate a file `xxx_err.c`, and
-add all error codes used in the library to `xxx.h`.
-
-Additionally the library include file must have a certain form.
-Typically it will initially look like this:
-
-    #ifndef HEADER_XXX_H
-    #define HEADER_XXX_H
-
-    #ifdef __cplusplus
-    extern "C" {
-    #endif
-
-    /* Include files */
-
-    #include <openssl/bio.h>
-    #include <openssl/x509.h>
-
-    /* Macros, structures and function prototypes */
-
-
-    /* BEGIN ERROR CODES */
-
-The `BEGIN ERROR CODES` sequence is used by the error code
-generation script as the point to place new error codes, any text
-after this point will be overwritten when make errors is run.
-The closing `#endif` etc will be automatically added by the script.
-
-The generated C error code file `xxx_err.c` will load the header
-files `stdio.h`, `openssl/err.h` and `openssl/xxx.h` so the
-header file must load any additional header files containing any
-definitions it uses.
-
-Adding new error codes
-======================
-
-Instead of manually adding error codes into `crypto/err/openssl.txt`,
-it is recommended to leverage `make update` for error code generation.
-The target will process relevant sources and generate error codes for
-any *used* error codes.
-
-If an error code is added manually into `crypto/err/openssl.txt`,
-subsequent `make update` has no effect.

+ 0 - 106
libs/openssl/crypto/err/err_all_legacy.c

@@ -1,106 +0,0 @@
-/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/* This is the C source file where we include this header directly */
-#include <openssl/cryptoerr_legacy.h>
-
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-
-# include "crypto/err.h"
-# include "crypto/asn1err.h"
-# include "crypto/asyncerr.h"
-# include "crypto/bnerr.h"
-# include "crypto/buffererr.h"
-# include "crypto/bioerr.h"
-# include "crypto/cmserr.h"
-# include "crypto/comperr.h"
-# include "crypto/conferr.h"
-# include "crypto/cryptoerr.h"
-# include "crypto/cterr.h"
-# include "crypto/dherr.h"
-# include "crypto/dsaerr.h"
-# include "internal/dsoerr.h"
-# include "crypto/ecerr.h"
-# include "crypto/engineerr.h"
-# include "crypto/evperr.h"
-# include "crypto/httperr.h"
-# include "crypto/objectserr.h"
-# include "crypto/ocsperr.h"
-# include "crypto/pemerr.h"
-# include "crypto/pkcs12err.h"
-# include "crypto/pkcs7err.h"
-# include "crypto/randerr.h"
-# include "crypto/rsaerr.h"
-# include "crypto/storeerr.h"
-# include "crypto/tserr.h"
-# include "crypto/uierr.h"
-# include "crypto/x509err.h"
-# include "crypto/x509v3err.h"
-
-# ifdef OPENSSL_NO_ERR
-#  define IMPLEMENT_LEGACY_ERR_LOAD(lib)        \
-    int ERR_load_##lib##_strings(void)          \
-    {                                           \
-        return 1;                               \
-    }
-# else
-#  define IMPLEMENT_LEGACY_ERR_LOAD(lib)        \
-    int ERR_load_##lib##_strings(void)          \
-    {                                           \
-        return ossl_err_load_##lib##_strings(); \
-    }
-# endif
-
-IMPLEMENT_LEGACY_ERR_LOAD(ASN1)
-IMPLEMENT_LEGACY_ERR_LOAD(ASYNC)
-IMPLEMENT_LEGACY_ERR_LOAD(BIO)
-IMPLEMENT_LEGACY_ERR_LOAD(BN)
-IMPLEMENT_LEGACY_ERR_LOAD(BUF)
-# ifndef OPENSSL_NO_CMS
-IMPLEMENT_LEGACY_ERR_LOAD(CMS)
-# endif
-# ifndef OPENSSL_NO_COMP
-IMPLEMENT_LEGACY_ERR_LOAD(COMP)
-# endif
-IMPLEMENT_LEGACY_ERR_LOAD(CONF)
-IMPLEMENT_LEGACY_ERR_LOAD(CRYPTO)
-# ifndef OPENSSL_NO_CT
-IMPLEMENT_LEGACY_ERR_LOAD(CT)
-# endif
-# ifndef OPENSSL_NO_DH
-IMPLEMENT_LEGACY_ERR_LOAD(DH)
-# endif
-# ifndef OPENSSL_NO_DSA
-IMPLEMENT_LEGACY_ERR_LOAD(DSA)
-# endif
-# ifndef OPENSSL_NO_EC
-IMPLEMENT_LEGACY_ERR_LOAD(EC)
-# endif
-# ifndef OPENSSL_NO_ENGINE
-IMPLEMENT_LEGACY_ERR_LOAD(ENGINE)
-# endif
-IMPLEMENT_LEGACY_ERR_LOAD(ERR)
-IMPLEMENT_LEGACY_ERR_LOAD(EVP)
-IMPLEMENT_LEGACY_ERR_LOAD(OBJ)
-# ifndef OPENSSL_NO_OCSP
-IMPLEMENT_LEGACY_ERR_LOAD(OCSP)
-# endif
-IMPLEMENT_LEGACY_ERR_LOAD(PEM)
-IMPLEMENT_LEGACY_ERR_LOAD(PKCS12)
-IMPLEMENT_LEGACY_ERR_LOAD(PKCS7)
-IMPLEMENT_LEGACY_ERR_LOAD(RAND)
-IMPLEMENT_LEGACY_ERR_LOAD(RSA)
-IMPLEMENT_LEGACY_ERR_LOAD(OSSL_STORE)
-# ifndef OPENSSL_NO_TS
-IMPLEMENT_LEGACY_ERR_LOAD(TS)
-# endif
-IMPLEMENT_LEGACY_ERR_LOAD(UI)
-IMPLEMENT_LEGACY_ERR_LOAD(X509)
-IMPLEMENT_LEGACY_ERR_LOAD(X509V3)
-#endif /* OPENSSL_NO_DEPRECATED_3_0 */

+ 0 - 1723
libs/openssl/crypto/err/openssl.txt

@@ -1,1723 +0,0 @@
-# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-#Reason codes
-ASN1_R_ADDING_OBJECT:171:adding object
-ASN1_R_ASN1_PARSE_ERROR:203:asn1 parse error
-ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error
-ASN1_R_AUX_ERROR:100:aux error
-ASN1_R_BAD_OBJECT_HEADER:102:bad object header
-ASN1_R_BAD_TEMPLATE:230:bad template
-ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length
-ASN1_R_BN_LIB:105:bn lib
-ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length
-ASN1_R_BUFFER_TOO_SMALL:107:buffer too small
-ASN1_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER:108:cipher has no object identifier
-ASN1_R_CONTEXT_NOT_INITIALISED:217:context not initialised
-ASN1_R_DATA_IS_WRONG:109:data is wrong
-ASN1_R_DECODE_ERROR:110:decode error
-ASN1_R_DEPTH_EXCEEDED:174:depth exceeded
-ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED:198:digest and key type not supported
-ASN1_R_ENCODE_ERROR:112:encode error
-ASN1_R_ERROR_GETTING_TIME:173:error getting time
-ASN1_R_ERROR_LOADING_SECTION:172:error loading section
-ASN1_R_ERROR_SETTING_CIPHER_PARAMS:114:error setting cipher params
-ASN1_R_EXPECTING_AN_INTEGER:115:expecting an integer
-ASN1_R_EXPECTING_AN_OBJECT:116:expecting an object
-ASN1_R_EXPLICIT_LENGTH_MISMATCH:119:explicit length mismatch
-ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED:120:explicit tag not constructed
-ASN1_R_FIELD_MISSING:121:field missing
-ASN1_R_FIRST_NUM_TOO_LARGE:122:first num too large
-ASN1_R_HEADER_TOO_LONG:123:header too long
-ASN1_R_ILLEGAL_BITSTRING_FORMAT:175:illegal bitstring format
-ASN1_R_ILLEGAL_BOOLEAN:176:illegal boolean
-ASN1_R_ILLEGAL_CHARACTERS:124:illegal characters
-ASN1_R_ILLEGAL_FORMAT:177:illegal format
-ASN1_R_ILLEGAL_HEX:178:illegal hex
-ASN1_R_ILLEGAL_IMPLICIT_TAG:179:illegal implicit tag
-ASN1_R_ILLEGAL_INTEGER:180:illegal integer
-ASN1_R_ILLEGAL_NEGATIVE_VALUE:226:illegal negative value
-ASN1_R_ILLEGAL_NESTED_TAGGING:181:illegal nested tagging
-ASN1_R_ILLEGAL_NULL:125:illegal null
-ASN1_R_ILLEGAL_NULL_VALUE:182:illegal null value
-ASN1_R_ILLEGAL_OBJECT:183:illegal object
-ASN1_R_ILLEGAL_OPTIONAL_ANY:126:illegal optional any
-ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE:170:illegal options on item template
-ASN1_R_ILLEGAL_PADDING:221:illegal padding
-ASN1_R_ILLEGAL_TAGGED_ANY:127:illegal tagged any
-ASN1_R_ILLEGAL_TIME_VALUE:184:illegal time value
-ASN1_R_ILLEGAL_ZERO_CONTENT:222:illegal zero content
-ASN1_R_INTEGER_NOT_ASCII_FORMAT:185:integer not ascii format
-ASN1_R_INTEGER_TOO_LARGE_FOR_LONG:128:integer too large for long
-ASN1_R_INVALID_BIT_STRING_BITS_LEFT:220:invalid bit string bits left
-ASN1_R_INVALID_BMPSTRING_LENGTH:129:invalid bmpstring length
-ASN1_R_INVALID_DIGIT:130:invalid digit
-ASN1_R_INVALID_MIME_TYPE:205:invalid mime type
-ASN1_R_INVALID_MODIFIER:186:invalid modifier
-ASN1_R_INVALID_NUMBER:187:invalid number
-ASN1_R_INVALID_OBJECT_ENCODING:216:invalid object encoding
-ASN1_R_INVALID_SCRYPT_PARAMETERS:227:invalid scrypt parameters
-ASN1_R_INVALID_SEPARATOR:131:invalid separator
-ASN1_R_INVALID_STRING_TABLE_VALUE:218:invalid string table value
-ASN1_R_INVALID_UNIVERSALSTRING_LENGTH:133:invalid universalstring length
-ASN1_R_INVALID_UTF8STRING:134:invalid utf8string
-ASN1_R_INVALID_VALUE:219:invalid value
-ASN1_R_LENGTH_TOO_LONG:231:length too long
-ASN1_R_LIST_ERROR:188:list error
-ASN1_R_MIME_NO_CONTENT_TYPE:206:mime no content type
-ASN1_R_MIME_PARSE_ERROR:207:mime parse error
-ASN1_R_MIME_SIG_PARSE_ERROR:208:mime sig parse error
-ASN1_R_MISSING_EOC:137:missing eoc
-ASN1_R_MISSING_SECOND_NUMBER:138:missing second number
-ASN1_R_MISSING_VALUE:189:missing value
-ASN1_R_MSTRING_NOT_UNIVERSAL:139:mstring not universal
-ASN1_R_MSTRING_WRONG_TAG:140:mstring wrong tag
-ASN1_R_NESTED_ASN1_STRING:197:nested asn1 string
-ASN1_R_NESTED_TOO_DEEP:201:nested too deep
-ASN1_R_NON_HEX_CHARACTERS:141:non hex characters
-ASN1_R_NOT_ASCII_FORMAT:190:not ascii format
-ASN1_R_NOT_ENOUGH_DATA:142:not enough data
-ASN1_R_NO_CONTENT_TYPE:209:no content type
-ASN1_R_NO_MATCHING_CHOICE_TYPE:143:no matching choice type
-ASN1_R_NO_MULTIPART_BODY_FAILURE:210:no multipart body failure
-ASN1_R_NO_MULTIPART_BOUNDARY:211:no multipart boundary
-ASN1_R_NO_SIG_CONTENT_TYPE:212:no sig content type
-ASN1_R_NULL_IS_WRONG_LENGTH:144:null is wrong length
-ASN1_R_OBJECT_NOT_ASCII_FORMAT:191:object not ascii format
-ASN1_R_ODD_NUMBER_OF_CHARS:145:odd number of chars
-ASN1_R_SECOND_NUMBER_TOO_LARGE:147:second number too large
-ASN1_R_SEQUENCE_LENGTH_MISMATCH:148:sequence length mismatch
-ASN1_R_SEQUENCE_NOT_CONSTRUCTED:149:sequence not constructed
-ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG:192:sequence or set needs config
-ASN1_R_SHORT_LINE:150:short line
-ASN1_R_SIG_INVALID_MIME_TYPE:213:sig invalid mime type
-ASN1_R_STREAMING_NOT_SUPPORTED:202:streaming not supported
-ASN1_R_STRING_TOO_LONG:151:string too long
-ASN1_R_STRING_TOO_SHORT:152:string too short
-ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD:154:\
-	the asn1 object identifier is not known for this md
-ASN1_R_TIME_NOT_ASCII_FORMAT:193:time not ascii format
-ASN1_R_TOO_LARGE:223:too large
-ASN1_R_TOO_LONG:155:too long
-ASN1_R_TOO_SMALL:224:too small
-ASN1_R_TYPE_NOT_CONSTRUCTED:156:type not constructed
-ASN1_R_TYPE_NOT_PRIMITIVE:195:type not primitive
-ASN1_R_UNEXPECTED_EOC:159:unexpected eoc
-ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH:215:universalstring is wrong length
-ASN1_R_UNKNOWN_DIGEST:229:unknown digest
-ASN1_R_UNKNOWN_FORMAT:160:unknown format
-ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM:161:unknown message digest algorithm
-ASN1_R_UNKNOWN_OBJECT_TYPE:162:unknown object type
-ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE:163:unknown public key type
-ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM:199:unknown signature algorithm
-ASN1_R_UNKNOWN_TAG:194:unknown tag
-ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE:164:unsupported any defined by type
-ASN1_R_UNSUPPORTED_CIPHER:228:unsupported cipher
-ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE:167:unsupported public key type
-ASN1_R_UNSUPPORTED_TYPE:196:unsupported type
-ASN1_R_WRONG_INTEGER_TYPE:225:wrong integer type
-ASN1_R_WRONG_PUBLIC_KEY_TYPE:200:wrong public key type
-ASN1_R_WRONG_TAG:168:wrong tag
-ASYNC_R_FAILED_TO_SET_POOL:101:failed to set pool
-ASYNC_R_FAILED_TO_SWAP_CONTEXT:102:failed to swap context
-ASYNC_R_INIT_FAILED:105:init failed
-ASYNC_R_INVALID_POOL_SIZE:103:invalid pool size
-BIO_R_ACCEPT_ERROR:100:accept error
-BIO_R_ADDRINFO_ADDR_IS_NOT_AF_INET:141:addrinfo addr is not af inet
-BIO_R_AMBIGUOUS_HOST_OR_SERVICE:129:ambiguous host or service
-BIO_R_BAD_FOPEN_MODE:101:bad fopen mode
-BIO_R_BROKEN_PIPE:124:broken pipe
-BIO_R_CONNECT_ERROR:103:connect error
-BIO_R_CONNECT_TIMEOUT:147:connect timeout
-BIO_R_GETHOSTBYNAME_ADDR_IS_NOT_AF_INET:107:gethostbyname addr is not af inet
-BIO_R_GETSOCKNAME_ERROR:132:getsockname error
-BIO_R_GETSOCKNAME_TRUNCATED_ADDRESS:133:getsockname truncated address
-BIO_R_GETTING_SOCKTYPE:134:getting socktype
-BIO_R_INVALID_ARGUMENT:125:invalid argument
-BIO_R_INVALID_SOCKET:135:invalid socket
-BIO_R_IN_USE:123:in use
-BIO_R_LENGTH_TOO_LONG:102:length too long
-BIO_R_LISTEN_V6_ONLY:136:listen v6 only
-BIO_R_LOOKUP_RETURNED_NOTHING:142:lookup returned nothing
-BIO_R_MALFORMED_HOST_OR_SERVICE:130:malformed host or service
-BIO_R_NBIO_CONNECT_ERROR:110:nbio connect error
-BIO_R_NO_ACCEPT_ADDR_OR_SERVICE_SPECIFIED:143:\
-	no accept addr or service specified
-BIO_R_NO_HOSTNAME_OR_SERVICE_SPECIFIED:144:no hostname or service specified
-BIO_R_NO_PORT_DEFINED:113:no port defined
-BIO_R_NO_SUCH_FILE:128:no such file
-BIO_R_TRANSFER_ERROR:104:transfer error
-BIO_R_TRANSFER_TIMEOUT:105:transfer timeout
-BIO_R_UNABLE_TO_BIND_SOCKET:117:unable to bind socket
-BIO_R_UNABLE_TO_CREATE_SOCKET:118:unable to create socket
-BIO_R_UNABLE_TO_KEEPALIVE:137:unable to keepalive
-BIO_R_UNABLE_TO_LISTEN_SOCKET:119:unable to listen socket
-BIO_R_UNABLE_TO_NODELAY:138:unable to nodelay
-BIO_R_UNABLE_TO_REUSEADDR:139:unable to reuseaddr
-BIO_R_UNAVAILABLE_IP_FAMILY:145:unavailable ip family
-BIO_R_UNINITIALIZED:120:uninitialized
-BIO_R_UNKNOWN_INFO_TYPE:140:unknown info type
-BIO_R_UNSUPPORTED_IP_FAMILY:146:unsupported ip family
-BIO_R_UNSUPPORTED_METHOD:121:unsupported method
-BIO_R_UNSUPPORTED_PROTOCOL_FAMILY:131:unsupported protocol family
-BIO_R_WRITE_TO_READ_ONLY_BIO:126:write to read only BIO
-BIO_R_WSASTARTUP:122:WSAStartup
-BN_R_ARG2_LT_ARG3:100:arg2 lt arg3
-BN_R_BAD_RECIPROCAL:101:bad reciprocal
-BN_R_BIGNUM_TOO_LONG:114:bignum too long
-BN_R_BITS_TOO_SMALL:118:bits too small
-BN_R_CALLED_WITH_EVEN_MODULUS:102:called with even modulus
-BN_R_DIV_BY_ZERO:103:div by zero
-BN_R_ENCODING_ERROR:104:encoding error
-BN_R_EXPAND_ON_STATIC_BIGNUM_DATA:105:expand on static bignum data
-BN_R_INPUT_NOT_REDUCED:110:input not reduced
-BN_R_INVALID_LENGTH:106:invalid length
-BN_R_INVALID_RANGE:115:invalid range
-BN_R_INVALID_SHIFT:119:invalid shift
-BN_R_NOT_A_SQUARE:111:not a square
-BN_R_NOT_INITIALIZED:107:not initialized
-BN_R_NO_INVERSE:108:no inverse
-BN_R_NO_PRIME_CANDIDATE:121:no prime candidate
-BN_R_NO_SOLUTION:116:no solution
-BN_R_NO_SUITABLE_DIGEST:120:no suitable digest
-BN_R_PRIVATE_KEY_TOO_LARGE:117:private key too large
-BN_R_P_IS_NOT_PRIME:112:p is not prime
-BN_R_TOO_MANY_ITERATIONS:113:too many iterations
-BN_R_TOO_MANY_TEMPORARY_VARIABLES:109:too many temporary variables
-CMP_R_ALGORITHM_NOT_SUPPORTED:139:algorithm not supported
-CMP_R_BAD_CHECKAFTER_IN_POLLREP:167:bad checkafter in pollrep
-CMP_R_BAD_REQUEST_ID:108:bad request id
-CMP_R_CERTHASH_UNMATCHED:156:certhash unmatched
-CMP_R_CERTID_NOT_FOUND:109:certid not found
-CMP_R_CERTIFICATE_NOT_ACCEPTED:169:certificate not accepted
-CMP_R_CERTIFICATE_NOT_FOUND:112:certificate not found
-CMP_R_CERTREQMSG_NOT_FOUND:157:certreqmsg not found
-CMP_R_CERTRESPONSE_NOT_FOUND:113:certresponse not found
-CMP_R_CERT_AND_KEY_DO_NOT_MATCH:114:cert and key do not match
-CMP_R_CHECKAFTER_OUT_OF_RANGE:181:checkafter out of range
-CMP_R_ENCOUNTERED_KEYUPDATEWARNING:176:encountered keyupdatewarning
-CMP_R_ENCOUNTERED_WAITING:162:encountered waiting
-CMP_R_ERROR_CALCULATING_PROTECTION:115:error calculating protection
-CMP_R_ERROR_CREATING_CERTCONF:116:error creating certconf
-CMP_R_ERROR_CREATING_CERTREP:117:error creating certrep
-CMP_R_ERROR_CREATING_CERTREQ:163:error creating certreq
-CMP_R_ERROR_CREATING_ERROR:118:error creating error
-CMP_R_ERROR_CREATING_GENM:119:error creating genm
-CMP_R_ERROR_CREATING_GENP:120:error creating genp
-CMP_R_ERROR_CREATING_PKICONF:122:error creating pkiconf
-CMP_R_ERROR_CREATING_POLLREP:123:error creating pollrep
-CMP_R_ERROR_CREATING_POLLREQ:124:error creating pollreq
-CMP_R_ERROR_CREATING_RP:125:error creating rp
-CMP_R_ERROR_CREATING_RR:126:error creating rr
-CMP_R_ERROR_PARSING_PKISTATUS:107:error parsing pkistatus
-CMP_R_ERROR_PROCESSING_MESSAGE:158:error processing message
-CMP_R_ERROR_PROTECTING_MESSAGE:127:error protecting message
-CMP_R_ERROR_SETTING_CERTHASH:128:error setting certhash
-CMP_R_ERROR_UNEXPECTED_CERTCONF:160:error unexpected certconf
-CMP_R_ERROR_VALIDATING_PROTECTION:140:error validating protection
-CMP_R_ERROR_VALIDATING_SIGNATURE:171:error validating signature
-CMP_R_FAILED_BUILDING_OWN_CHAIN:164:failed building own chain
-CMP_R_FAILED_EXTRACTING_PUBKEY:141:failed extracting pubkey
-CMP_R_FAILURE_OBTAINING_RANDOM:110:failure obtaining random
-CMP_R_FAIL_INFO_OUT_OF_RANGE:129:fail info out of range
-CMP_R_INVALID_ARGS:100:invalid args
-CMP_R_INVALID_OPTION:174:invalid option
-CMP_R_MISSING_CERTID:165:missing certid
-CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION:130:\
-	missing key input for creating protection
-CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature
-CMP_R_MISSING_P10CSR:121:missing p10csr
-CMP_R_MISSING_PBM_SECRET:166:missing pbm secret
-CMP_R_MISSING_PRIVATE_KEY:131:missing private key
-CMP_R_MISSING_PROTECTION:143:missing protection
-CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert
-CMP_R_MISSING_SECRET:178:missing secret
-CMP_R_MISSING_SENDER_IDENTIFICATION:111:missing sender identification
-CMP_R_MISSING_TRUST_ANCHOR:179:missing trust anchor
-CMP_R_MISSING_TRUST_STORE:144:missing trust store
-CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED:161:multiple requests not supported
-CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED:170:multiple responses not supported
-CMP_R_MULTIPLE_SAN_SOURCES:102:multiple san sources
-CMP_R_NO_STDIO:194:no stdio
-CMP_R_NO_SUITABLE_SENDER_CERT:145:no suitable sender cert
-CMP_R_NULL_ARGUMENT:103:null argument
-CMP_R_PKIBODY_ERROR:146:pkibody error
-CMP_R_PKISTATUSINFO_NOT_FOUND:132:pkistatusinfo not found
-CMP_R_POLLING_FAILED:172:polling failed
-CMP_R_POTENTIALLY_INVALID_CERTIFICATE:147:potentially invalid certificate
-CMP_R_RECEIVED_ERROR:180:received error
-CMP_R_RECIPNONCE_UNMATCHED:148:recipnonce unmatched
-CMP_R_REQUEST_NOT_ACCEPTED:149:request not accepted
-CMP_R_REQUEST_REJECTED_BY_SERVER:182:request rejected by server
-CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED:150:\
-	sender generalname type not supported
-CMP_R_SRVCERT_DOES_NOT_VALIDATE_MSG:151:srvcert does not validate msg
-CMP_R_TOTAL_TIMEOUT:184:total timeout
-CMP_R_TRANSACTIONID_UNMATCHED:152:transactionid unmatched
-CMP_R_TRANSFER_ERROR:159:transfer error
-CMP_R_UNEXPECTED_PKIBODY:133:unexpected pkibody
-CMP_R_UNEXPECTED_PKISTATUS:185:unexpected pkistatus
-CMP_R_UNEXPECTED_PVNO:153:unexpected pvno
-CMP_R_UNKNOWN_ALGORITHM_ID:134:unknown algorithm id
-CMP_R_UNKNOWN_CERT_TYPE:135:unknown cert type
-CMP_R_UNKNOWN_PKISTATUS:186:unknown pkistatus
-CMP_R_UNSUPPORTED_ALGORITHM:136:unsupported algorithm
-CMP_R_UNSUPPORTED_KEY_TYPE:137:unsupported key type
-CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC:154:\
-	unsupported protection alg dhbasedmac
-CMP_R_VALUE_TOO_LARGE:175:value too large
-CMP_R_VALUE_TOO_SMALL:177:value too small
-CMP_R_WRONG_ALGORITHM_OID:138:wrong algorithm oid
-CMP_R_WRONG_CERTID:189:wrong certid
-CMP_R_WRONG_CERTID_IN_RP:187:wrong certid in rp
-CMP_R_WRONG_PBM_VALUE:155:wrong pbm value
-CMP_R_WRONG_RP_COMPONENT_COUNT:188:wrong rp component count
-CMP_R_WRONG_SERIAL_IN_RP:173:wrong serial in rp
-CMS_R_ADD_SIGNER_ERROR:99:add signer error
-CMS_R_ATTRIBUTE_ERROR:161:attribute error
-CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present
-CMS_R_CERTIFICATE_HAS_NO_KEYID:160:certificate has no keyid
-CMS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error
-CMS_R_CIPHER_AEAD_SET_TAG_ERROR:184:cipher aead set tag error
-CMS_R_CIPHER_GET_TAG:185:cipher get tag
-CMS_R_CIPHER_INITIALISATION_ERROR:101:cipher initialisation error
-CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR:102:\
-	cipher parameter initialisation error
-CMS_R_CMS_DATAFINAL_ERROR:103:cms datafinal error
-CMS_R_CMS_LIB:104:cms lib
-CMS_R_CONTENTIDENTIFIER_MISMATCH:170:contentidentifier mismatch
-CMS_R_CONTENT_NOT_FOUND:105:content not found
-CMS_R_CONTENT_TYPE_MISMATCH:171:content type mismatch
-CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA:106:content type not compressed data
-CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA:107:content type not enveloped data
-CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA:108:content type not signed data
-CMS_R_CONTENT_VERIFY_ERROR:109:content verify error
-CMS_R_CTRL_ERROR:110:ctrl error
-CMS_R_CTRL_FAILURE:111:ctrl failure
-CMS_R_DECODE_ERROR:187:decode error
-CMS_R_DECRYPT_ERROR:112:decrypt error
-CMS_R_ERROR_GETTING_PUBLIC_KEY:113:error getting public key
-CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE:114:\
-	error reading messagedigest attribute
-CMS_R_ERROR_SETTING_KEY:115:error setting key
-CMS_R_ERROR_SETTING_RECIPIENTINFO:116:error setting recipientinfo
-CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR:183:ess signing certid mismatch error
-CMS_R_INVALID_ENCRYPTED_KEY_LENGTH:117:invalid encrypted key length
-CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER:176:invalid key encryption parameter
-CMS_R_INVALID_KEY_LENGTH:118:invalid key length
-CMS_R_INVALID_LABEL:190:invalid label
-CMS_R_INVALID_OAEP_PARAMETERS:191:invalid oaep parameters
-CMS_R_KDF_PARAMETER_ERROR:186:kdf parameter error
-CMS_R_MD_BIO_INIT_ERROR:119:md bio init error
-CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH:120:\
-	messagedigest attribute wrong length
-CMS_R_MESSAGEDIGEST_WRONG_LENGTH:121:messagedigest wrong length
-CMS_R_MSGSIGDIGEST_ERROR:172:msgsigdigest error
-CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE:162:msgsigdigest verification failure
-CMS_R_MSGSIGDIGEST_WRONG_LENGTH:163:msgsigdigest wrong length
-CMS_R_NEED_ONE_SIGNER:164:need one signer
-CMS_R_NOT_A_SIGNED_RECEIPT:165:not a signed receipt
-CMS_R_NOT_ENCRYPTED_DATA:122:not encrypted data
-CMS_R_NOT_KEK:123:not kek
-CMS_R_NOT_KEY_AGREEMENT:181:not key agreement
-CMS_R_NOT_KEY_TRANSPORT:124:not key transport
-CMS_R_NOT_PWRI:177:not pwri
-CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE:125:not supported for this key type
-CMS_R_NO_CIPHER:126:no cipher
-CMS_R_NO_CONTENT:127:no content
-CMS_R_NO_CONTENT_TYPE:173:no content type
-CMS_R_NO_DEFAULT_DIGEST:128:no default digest
-CMS_R_NO_DIGEST_SET:129:no digest set
-CMS_R_NO_KEY:130:no key
-CMS_R_NO_KEY_OR_CERT:174:no key or cert
-CMS_R_NO_MATCHING_DIGEST:131:no matching digest
-CMS_R_NO_MATCHING_RECIPIENT:132:no matching recipient
-CMS_R_NO_MATCHING_SIGNATURE:166:no matching signature
-CMS_R_NO_MSGSIGDIGEST:167:no msgsigdigest
-CMS_R_NO_PASSWORD:178:no password
-CMS_R_NO_PRIVATE_KEY:133:no private key
-CMS_R_NO_PUBLIC_KEY:134:no public key
-CMS_R_NO_RECEIPT_REQUEST:168:no receipt request
-CMS_R_NO_SIGNERS:135:no signers
-CMS_R_PEER_KEY_ERROR:188:peer key error
-CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:136:\
-	private key does not match certificate
-CMS_R_RECEIPT_DECODE_ERROR:169:receipt decode error
-CMS_R_RECIPIENT_ERROR:137:recipient error
-CMS_R_SHARED_INFO_ERROR:189:shared info error
-CMS_R_SIGNER_CERTIFICATE_NOT_FOUND:138:signer certificate not found
-CMS_R_SIGNFINAL_ERROR:139:signfinal error
-CMS_R_SMIME_TEXT_ERROR:140:smime text error
-CMS_R_STORE_INIT_ERROR:141:store init error
-CMS_R_TYPE_NOT_COMPRESSED_DATA:142:type not compressed data
-CMS_R_TYPE_NOT_DATA:143:type not data
-CMS_R_TYPE_NOT_DIGESTED_DATA:144:type not digested data
-CMS_R_TYPE_NOT_ENCRYPTED_DATA:145:type not encrypted data
-CMS_R_TYPE_NOT_ENVELOPED_DATA:146:type not enveloped data
-CMS_R_UNABLE_TO_FINALIZE_CONTEXT:147:unable to finalize context
-CMS_R_UNKNOWN_CIPHER:148:unknown cipher
-CMS_R_UNKNOWN_DIGEST_ALGORITHM:149:unknown digest algorithm
-CMS_R_UNKNOWN_ID:150:unknown id
-CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM:151:unsupported compression algorithm
-CMS_R_UNSUPPORTED_CONTENT_ENCRYPTION_ALGORITHM:194:\
-	unsupported content encryption algorithm
-CMS_R_UNSUPPORTED_CONTENT_TYPE:152:unsupported content type
-CMS_R_UNSUPPORTED_ENCRYPTION_TYPE:192:unsupported encryption type
-CMS_R_UNSUPPORTED_KEK_ALGORITHM:153:unsupported kek algorithm
-CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM:179:\
-	unsupported key encryption algorithm
-CMS_R_UNSUPPORTED_LABEL_SOURCE:193:unsupported label source
-CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE:155:unsupported recipientinfo type
-CMS_R_UNSUPPORTED_RECIPIENT_TYPE:154:unsupported recipient type
-CMS_R_UNSUPPORTED_TYPE:156:unsupported type
-CMS_R_UNWRAP_ERROR:157:unwrap error
-CMS_R_UNWRAP_FAILURE:180:unwrap failure
-CMS_R_VERIFICATION_FAILURE:158:verification failure
-CMS_R_WRAP_ERROR:159:wrap error
-COMP_R_ZLIB_DEFLATE_ERROR:99:zlib deflate error
-COMP_R_ZLIB_INFLATE_ERROR:100:zlib inflate error
-COMP_R_ZLIB_NOT_SUPPORTED:101:zlib not supported
-CONF_R_ERROR_LOADING_DSO:110:error loading dso
-CONF_R_INVALID_PRAGMA:122:invalid pragma
-CONF_R_LIST_CANNOT_BE_NULL:115:list cannot be null
-CONF_R_MANDATORY_BRACES_IN_VARIABLE_EXPANSION:123:\
-	mandatory braces in variable expansion
-CONF_R_MISSING_CLOSE_SQUARE_BRACKET:100:missing close square bracket
-CONF_R_MISSING_EQUAL_SIGN:101:missing equal sign
-CONF_R_MISSING_INIT_FUNCTION:112:missing init function
-CONF_R_MODULE_INITIALIZATION_ERROR:109:module initialization error
-CONF_R_NO_CLOSE_BRACE:102:no close brace
-CONF_R_NO_CONF:105:no conf
-CONF_R_NO_CONF_OR_ENVIRONMENT_VARIABLE:106:no conf or environment variable
-CONF_R_NO_SECTION:107:no section
-CONF_R_NO_SUCH_FILE:114:no such file
-CONF_R_NO_VALUE:108:no value
-CONF_R_NUMBER_TOO_LARGE:121:number too large
-CONF_R_OPENSSL_CONF_REFERENCES_MISSING_SECTION:124:\
-	openssl conf references missing section
-CONF_R_RECURSIVE_DIRECTORY_INCLUDE:111:recursive directory include
-CONF_R_RELATIVE_PATH:125:relative path
-CONF_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
-CONF_R_SSL_COMMAND_SECTION_NOT_FOUND:118:ssl command section not found
-CONF_R_SSL_SECTION_EMPTY:119:ssl section empty
-CONF_R_SSL_SECTION_NOT_FOUND:120:ssl section not found
-CONF_R_UNABLE_TO_CREATE_NEW_SECTION:103:unable to create new section
-CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name
-CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long
-CONF_R_VARIABLE_HAS_NO_VALUE:104:variable has no value
-CRMF_R_BAD_PBM_ITERATIONCOUNT:100:bad pbm iterationcount
-CRMF_R_CRMFERROR:102:crmferror
-CRMF_R_ERROR:103:error
-CRMF_R_ERROR_DECODING_CERTIFICATE:104:error decoding certificate
-CRMF_R_ERROR_DECRYPTING_CERTIFICATE:105:error decrypting certificate
-CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY:106:error decrypting symmetric key
-CRMF_R_FAILURE_OBTAINING_RANDOM:107:failure obtaining random
-CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100
-CRMF_R_MALFORMED_IV:101:malformed iv
-CRMF_R_NULL_ARGUMENT:109:null argument
-CRMF_R_POPOSKINPUT_NOT_SUPPORTED:113:poposkinput not supported
-CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY:117:popo inconsistent public key
-CRMF_R_POPO_MISSING:121:popo missing
-CRMF_R_POPO_MISSING_PUBLIC_KEY:118:popo missing public key
-CRMF_R_POPO_MISSING_SUBJECT:119:popo missing subject
-CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED:120:popo raverified not accepted
-CRMF_R_SETTING_MAC_ALGOR_FAILURE:110:setting mac algor failure
-CRMF_R_SETTING_OWF_ALGOR_FAILURE:111:setting owf algor failure
-CRMF_R_UNSUPPORTED_ALGORITHM:112:unsupported algorithm
-CRMF_R_UNSUPPORTED_CIPHER:114:unsupported cipher
-CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO:115:\
-	unsupported method for creating popo
-CRMF_R_UNSUPPORTED_POPO_METHOD:116:unsupported popo method
-CRYPTO_R_BAD_ALGORITHM_NAME:117:bad algorithm name
-CRYPTO_R_CONFLICTING_NAMES:118:conflicting names
-CRYPTO_R_HEX_STRING_TOO_SHORT:121:hex string too short
-CRYPTO_R_ILLEGAL_HEX_DIGIT:102:illegal hex digit
-CRYPTO_R_INSUFFICIENT_DATA_SPACE:106:insufficient data space
-CRYPTO_R_INSUFFICIENT_PARAM_SIZE:107:insufficient param size
-CRYPTO_R_INSUFFICIENT_SECURE_DATA_SPACE:108:insufficient secure data space
-CRYPTO_R_INTEGER_OVERFLOW:127:integer overflow
-CRYPTO_R_INVALID_NEGATIVE_VALUE:122:invalid negative value
-CRYPTO_R_INVALID_NULL_ARGUMENT:109:invalid null argument
-CRYPTO_R_INVALID_OSSL_PARAM_TYPE:110:invalid ossl param type
-CRYPTO_R_NO_PARAMS_TO_MERGE:131:no params to merge
-CRYPTO_R_NO_SPACE_FOR_TERMINATING_NULL:128:no space for terminating null
-CRYPTO_R_ODD_NUMBER_OF_DIGITS:103:odd number of digits
-CRYPTO_R_PARAM_CANNOT_BE_REPRESENTED_EXACTLY:123:\
-	param cannot be represented exactly
-CRYPTO_R_PARAM_NOT_INTEGER_TYPE:124:param not integer type
-CRYPTO_R_PARAM_OF_INCOMPATIBLE_TYPE:129:param of incompatible type
-CRYPTO_R_PARAM_UNSIGNED_INTEGER_NEGATIVE_VALUE_UNSUPPORTED:125:\
-	param unsigned integer negative value unsupported
-CRYPTO_R_PARAM_UNSUPPORTED_FLOATING_POINT_FORMAT:130:\
-	param unsupported floating point format
-CRYPTO_R_PARAM_VALUE_TOO_LARGE_FOR_DESTINATION:126:\
-	param value too large for destination
-CRYPTO_R_PROVIDER_ALREADY_EXISTS:104:provider already exists
-CRYPTO_R_PROVIDER_SECTION_ERROR:105:provider section error
-CRYPTO_R_RANDOM_SECTION_ERROR:119:random section error
-CRYPTO_R_SECURE_MALLOC_FAILURE:111:secure malloc failure
-CRYPTO_R_STRING_TOO_LONG:112:string too long
-CRYPTO_R_TOO_MANY_BYTES:113:too many bytes
-CRYPTO_R_TOO_MANY_RECORDS:114:too many records
-CRYPTO_R_TOO_SMALL_BUFFER:116:too small buffer
-CRYPTO_R_UNKNOWN_NAME_IN_RANDOM_SECTION:120:unknown name in random section
-CRYPTO_R_ZERO_LENGTH_NUMBER:115:zero length number
-CT_R_BASE64_DECODE_ERROR:108:base64 decode error
-CT_R_INVALID_LOG_ID_LENGTH:100:invalid log id length
-CT_R_LOG_CONF_INVALID:109:log conf invalid
-CT_R_LOG_CONF_INVALID_KEY:110:log conf invalid key
-CT_R_LOG_CONF_MISSING_DESCRIPTION:111:log conf missing description
-CT_R_LOG_CONF_MISSING_KEY:112:log conf missing key
-CT_R_LOG_KEY_INVALID:113:log key invalid
-CT_R_SCT_FUTURE_TIMESTAMP:116:sct future timestamp
-CT_R_SCT_INVALID:104:sct invalid
-CT_R_SCT_INVALID_SIGNATURE:107:sct invalid signature
-CT_R_SCT_LIST_INVALID:105:sct list invalid
-CT_R_SCT_LOG_ID_MISMATCH:114:sct log id mismatch
-CT_R_SCT_NOT_SET:106:sct not set
-CT_R_SCT_UNSUPPORTED_VERSION:115:sct unsupported version
-CT_R_UNRECOGNIZED_SIGNATURE_NID:101:unrecognized signature nid
-CT_R_UNSUPPORTED_ENTRY_TYPE:102:unsupported entry type
-CT_R_UNSUPPORTED_VERSION:103:unsupported version
-DH_R_BAD_FFC_PARAMETERS:127:bad ffc parameters
-DH_R_BAD_GENERATOR:101:bad generator
-DH_R_BN_DECODE_ERROR:109:bn decode error
-DH_R_BN_ERROR:106:bn error
-DH_R_CHECK_INVALID_J_VALUE:115:check invalid j value
-DH_R_CHECK_INVALID_Q_VALUE:116:check invalid q value
-DH_R_CHECK_PUBKEY_INVALID:122:check pubkey invalid
-DH_R_CHECK_PUBKEY_TOO_LARGE:123:check pubkey too large
-DH_R_CHECK_PUBKEY_TOO_SMALL:124:check pubkey too small
-DH_R_CHECK_P_NOT_PRIME:117:check p not prime
-DH_R_CHECK_P_NOT_SAFE_PRIME:118:check p not safe prime
-DH_R_CHECK_Q_NOT_PRIME:119:check q not prime
-DH_R_DECODE_ERROR:104:decode error
-DH_R_INVALID_PARAMETER_NAME:110:invalid parameter name
-DH_R_INVALID_PARAMETER_NID:114:invalid parameter nid
-DH_R_INVALID_PUBKEY:102:invalid public key
-DH_R_INVALID_SECRET:128:invalid secret
-DH_R_KDF_PARAMETER_ERROR:112:kdf parameter error
-DH_R_KEYS_NOT_SET:108:keys not set
-DH_R_MISSING_PUBKEY:125:missing pubkey
-DH_R_MODULUS_TOO_LARGE:103:modulus too large
-DH_R_MODULUS_TOO_SMALL:126:modulus too small
-DH_R_NOT_SUITABLE_GENERATOR:120:not suitable generator
-DH_R_NO_PARAMETERS_SET:107:no parameters set
-DH_R_NO_PRIVATE_VALUE:100:no private value
-DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
-DH_R_PEER_KEY_ERROR:111:peer key error
-DH_R_SHARED_INFO_ERROR:113:shared info error
-DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
-DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
-DSA_R_BAD_Q_VALUE:102:bad q value
-DSA_R_BN_DECODE_ERROR:108:bn decode error
-DSA_R_BN_ERROR:109:bn error
-DSA_R_DECODE_ERROR:104:decode error
-DSA_R_INVALID_DIGEST_TYPE:106:invalid digest type
-DSA_R_INVALID_PARAMETERS:112:invalid parameters
-DSA_R_MISSING_PARAMETERS:101:missing parameters
-DSA_R_MISSING_PRIVATE_KEY:111:missing private key
-DSA_R_MODULUS_TOO_LARGE:103:modulus too large
-DSA_R_NO_PARAMETERS_SET:107:no parameters set
-DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
-DSA_R_P_NOT_PRIME:115:p not prime
-DSA_R_Q_NOT_PRIME:113:q not prime
-DSA_R_SEED_LEN_SMALL:110:seed_len is less than the length of q
-DSA_R_TOO_MANY_RETRIES:116:too many retries
-DSO_R_CTRL_FAILED:100:control command failed
-DSO_R_DSO_ALREADY_LOADED:110:dso already loaded
-DSO_R_EMPTY_FILE_STRUCTURE:113:empty file structure
-DSO_R_FAILURE:114:failure
-DSO_R_FILENAME_TOO_BIG:101:filename too big
-DSO_R_FINISH_FAILED:102:cleanup method function failed
-DSO_R_INCORRECT_FILE_SYNTAX:115:incorrect file syntax
-DSO_R_LOAD_FAILED:103:could not load the shared library
-DSO_R_NAME_TRANSLATION_FAILED:109:name translation failed
-DSO_R_NO_FILENAME:111:no filename
-DSO_R_NULL_HANDLE:104:a null shared library handle was used
-DSO_R_SET_FILENAME_FAILED:112:set filename failed
-DSO_R_STACK_ERROR:105:the meth_data stack is corrupt
-DSO_R_SYM_FAILURE:106:could not bind to the requested symbol name
-DSO_R_UNLOAD_FAILED:107:could not unload the shared library
-DSO_R_UNSUPPORTED:108:functionality not supported
-EC_R_ASN1_ERROR:115:asn1 error
-EC_R_BAD_SIGNATURE:156:bad signature
-EC_R_BIGNUM_OUT_OF_RANGE:144:bignum out of range
-EC_R_BUFFER_TOO_SMALL:100:buffer too small
-EC_R_CANNOT_INVERT:165:cannot invert
-EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
-EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
-EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa
-EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
-EC_R_DECODE_ERROR:142:decode error
-EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero
-EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure
-EC_R_EXPLICIT_PARAMS_NOT_SUPPORTED:127:explicit params not supported
-EC_R_FAILED_MAKING_PUBLIC_KEY:166:failed making public key
-EC_R_FIELD_TOO_LARGE:143:field too large
-EC_R_GF2M_NOT_SUPPORTED:147:gf2m not supported
-EC_R_GROUP2PKPARAMETERS_FAILURE:120:group2pkparameters failure
-EC_R_I2D_ECPKPARAMETERS_FAILURE:121:i2d ecpkparameters failure
-EC_R_INCOMPATIBLE_OBJECTS:101:incompatible objects
-EC_R_INVALID_A:168:invalid a
-EC_R_INVALID_ARGUMENT:112:invalid argument
-EC_R_INVALID_B:169:invalid b
-EC_R_INVALID_COFACTOR:171:invalid cofactor
-EC_R_INVALID_COMPRESSED_POINT:110:invalid compressed point
-EC_R_INVALID_COMPRESSION_BIT:109:invalid compression bit
-EC_R_INVALID_CURVE:141:invalid curve
-EC_R_INVALID_DIGEST:151:invalid digest
-EC_R_INVALID_DIGEST_TYPE:138:invalid digest type
-EC_R_INVALID_ENCODING:102:invalid encoding
-EC_R_INVALID_FIELD:103:invalid field
-EC_R_INVALID_FORM:104:invalid form
-EC_R_INVALID_GENERATOR:173:invalid generator
-EC_R_INVALID_GROUP_ORDER:122:invalid group order
-EC_R_INVALID_KEY:116:invalid key
-EC_R_INVALID_LENGTH:117:invalid length
-EC_R_INVALID_NAMED_GROUP_CONVERSION:174:invalid named group conversion
-EC_R_INVALID_OUTPUT_LENGTH:161:invalid output length
-EC_R_INVALID_P:172:invalid p
-EC_R_INVALID_PEER_KEY:133:invalid peer key
-EC_R_INVALID_PENTANOMIAL_BASIS:132:invalid pentanomial basis
-EC_R_INVALID_PRIVATE_KEY:123:invalid private key
-EC_R_INVALID_SEED:175:invalid seed
-EC_R_INVALID_TRINOMIAL_BASIS:137:invalid trinomial basis
-EC_R_KDF_PARAMETER_ERROR:148:kdf parameter error
-EC_R_KEYS_NOT_SET:140:keys not set
-EC_R_LADDER_POST_FAILURE:136:ladder post failure
-EC_R_LADDER_PRE_FAILURE:153:ladder pre failure
-EC_R_LADDER_STEP_FAILURE:162:ladder step failure
-EC_R_MISSING_OID:167:missing OID
-EC_R_MISSING_PARAMETERS:124:missing parameters
-EC_R_MISSING_PRIVATE_KEY:125:missing private key
-EC_R_NEED_NEW_SETUP_VALUES:157:need new setup values
-EC_R_NOT_A_NIST_PRIME:135:not a NIST prime
-EC_R_NOT_IMPLEMENTED:126:not implemented
-EC_R_NOT_INITIALIZED:111:not initialized
-EC_R_NO_PARAMETERS_SET:139:no parameters set
-EC_R_NO_PRIVATE_VALUE:154:no private value
-EC_R_OPERATION_NOT_SUPPORTED:152:operation not supported
-EC_R_PASSED_NULL_PARAMETER:134:passed null parameter
-EC_R_PEER_KEY_ERROR:149:peer key error
-EC_R_POINT_ARITHMETIC_FAILURE:155:point arithmetic failure
-EC_R_POINT_AT_INFINITY:106:point at infinity
-EC_R_POINT_COORDINATES_BLIND_FAILURE:163:point coordinates blind failure
-EC_R_POINT_IS_NOT_ON_CURVE:107:point is not on curve
-EC_R_RANDOM_NUMBER_GENERATION_FAILED:158:random number generation failed
-EC_R_SHARED_INFO_ERROR:150:shared info error
-EC_R_SLOT_FULL:108:slot full
-EC_R_TOO_MANY_RETRIES:176:too many retries
-EC_R_UNDEFINED_GENERATOR:113:undefined generator
-EC_R_UNDEFINED_ORDER:128:undefined order
-EC_R_UNKNOWN_COFACTOR:164:unknown cofactor
-EC_R_UNKNOWN_GROUP:129:unknown group
-EC_R_UNKNOWN_ORDER:114:unknown order
-EC_R_UNSUPPORTED_FIELD:131:unsupported field
-EC_R_WRONG_CURVE_PARAMETERS:145:wrong curve parameters
-EC_R_WRONG_ORDER:130:wrong order
-ENGINE_R_ALREADY_LOADED:100:already loaded
-ENGINE_R_ARGUMENT_IS_NOT_A_NUMBER:133:argument is not a number
-ENGINE_R_CMD_NOT_EXECUTABLE:134:cmd not executable
-ENGINE_R_COMMAND_TAKES_INPUT:135:command takes input
-ENGINE_R_COMMAND_TAKES_NO_INPUT:136:command takes no input
-ENGINE_R_CONFLICTING_ENGINE_ID:103:conflicting engine id
-ENGINE_R_CTRL_COMMAND_NOT_IMPLEMENTED:119:ctrl command not implemented
-ENGINE_R_DSO_FAILURE:104:DSO failure
-ENGINE_R_DSO_NOT_FOUND:132:dso not found
-ENGINE_R_ENGINES_SECTION_ERROR:148:engines section error
-ENGINE_R_ENGINE_CONFIGURATION_ERROR:102:engine configuration error
-ENGINE_R_ENGINE_IS_NOT_IN_LIST:105:engine is not in the list
-ENGINE_R_ENGINE_SECTION_ERROR:149:engine section error
-ENGINE_R_FAILED_LOADING_PRIVATE_KEY:128:failed loading private key
-ENGINE_R_FAILED_LOADING_PUBLIC_KEY:129:failed loading public key
-ENGINE_R_FINISH_FAILED:106:finish failed
-ENGINE_R_ID_OR_NAME_MISSING:108:'id' or 'name' missing
-ENGINE_R_INIT_FAILED:109:init failed
-ENGINE_R_INTERNAL_LIST_ERROR:110:internal list error
-ENGINE_R_INVALID_ARGUMENT:143:invalid argument
-ENGINE_R_INVALID_CMD_NAME:137:invalid cmd name
-ENGINE_R_INVALID_CMD_NUMBER:138:invalid cmd number
-ENGINE_R_INVALID_INIT_VALUE:151:invalid init value
-ENGINE_R_INVALID_STRING:150:invalid string
-ENGINE_R_NOT_INITIALISED:117:not initialised
-ENGINE_R_NOT_LOADED:112:not loaded
-ENGINE_R_NO_CONTROL_FUNCTION:120:no control function
-ENGINE_R_NO_INDEX:144:no index
-ENGINE_R_NO_LOAD_FUNCTION:125:no load function
-ENGINE_R_NO_REFERENCE:130:no reference
-ENGINE_R_NO_SUCH_ENGINE:116:no such engine
-ENGINE_R_UNIMPLEMENTED_CIPHER:146:unimplemented cipher
-ENGINE_R_UNIMPLEMENTED_DIGEST:147:unimplemented digest
-ENGINE_R_UNIMPLEMENTED_PUBLIC_KEY_METHOD:101:unimplemented public key method
-ENGINE_R_VERSION_INCOMPATIBILITY:145:version incompatibility
-ESS_R_EMPTY_ESS_CERT_ID_LIST:107:empty ess cert id list
-ESS_R_ESS_CERT_DIGEST_ERROR:103:ess cert digest error
-ESS_R_ESS_CERT_ID_NOT_FOUND:104:ess cert id not found
-ESS_R_ESS_CERT_ID_WRONG_ORDER:105:ess cert id wrong order
-ESS_R_ESS_DIGEST_ALG_UNKNOWN:106:ess digest alg unknown
-ESS_R_ESS_SIGNING_CERTIFICATE_ERROR:102:ess signing certificate error
-ESS_R_ESS_SIGNING_CERT_ADD_ERROR:100:ess signing cert add error
-ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR:101:ess signing cert v2 add error
-ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE:108:\
-	missing signing certificate attribute
-EVP_R_AES_KEY_SETUP_FAILED:143:aes key setup failed
-EVP_R_ARIA_KEY_SETUP_FAILED:176:aria key setup failed
-EVP_R_BAD_ALGORITHM_NAME:200:bad algorithm name
-EVP_R_BAD_DECRYPT:100:bad decrypt
-EVP_R_BAD_KEY_LENGTH:195:bad key length
-EVP_R_BUFFER_TOO_SMALL:155:buffer too small
-EVP_R_CACHE_CONSTANTS_FAILED:225:cache constants failed
-EVP_R_CAMELLIA_KEY_SETUP_FAILED:157:camellia key setup failed
-EVP_R_CANNOT_GET_PARAMETERS:197:cannot get parameters
-EVP_R_CANNOT_SET_PARAMETERS:198:cannot set parameters
-EVP_R_CIPHER_NOT_GCM_MODE:184:cipher not gcm mode
-EVP_R_CIPHER_PARAMETER_ERROR:122:cipher parameter error
-EVP_R_COMMAND_NOT_SUPPORTED:147:command not supported
-EVP_R_CONFLICTING_ALGORITHM_NAME:201:conflicting algorithm name
-EVP_R_COPY_ERROR:173:copy error
-EVP_R_CTRL_NOT_IMPLEMENTED:132:ctrl not implemented
-EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED:133:ctrl operation not implemented
-EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:138:data not multiple of block length
-EVP_R_DECODE_ERROR:114:decode error
-EVP_R_DEFAULT_QUERY_PARSE_ERROR:210:default query parse error
-EVP_R_DIFFERENT_KEY_TYPES:101:different key types
-EVP_R_DIFFERENT_PARAMETERS:153:different parameters
-EVP_R_ERROR_LOADING_SECTION:165:error loading section
-EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key
-EVP_R_EXPECTING_AN_RSA_KEY:127:expecting an rsa key
-EVP_R_EXPECTING_A_DH_KEY:128:expecting a dh key
-EVP_R_EXPECTING_A_DSA_KEY:129:expecting a dsa key
-EVP_R_EXPECTING_A_ECX_KEY:219:expecting an ecx key
-EVP_R_EXPECTING_A_EC_KEY:142:expecting an ec key
-EVP_R_EXPECTING_A_POLY1305_KEY:164:expecting a poly1305 key
-EVP_R_EXPECTING_A_SIPHASH_KEY:175:expecting a siphash key
-EVP_R_FINAL_ERROR:188:final error
-EVP_R_GENERATE_ERROR:214:generate error
-EVP_R_GET_RAW_KEY_FAILED:182:get raw key failed
-EVP_R_ILLEGAL_SCRYPT_PARAMETERS:171:illegal scrypt parameters
-EVP_R_INACCESSIBLE_DOMAIN_PARAMETERS:204:inaccessible domain parameters
-EVP_R_INACCESSIBLE_KEY:203:inaccessible key
-EVP_R_INITIALIZATION_ERROR:134:initialization error
-EVP_R_INPUT_NOT_INITIALIZED:111:input not initialized
-EVP_R_INVALID_CUSTOM_LENGTH:185:invalid custom length
-EVP_R_INVALID_DIGEST:152:invalid digest
-EVP_R_INVALID_IV_LENGTH:194:invalid iv length
-EVP_R_INVALID_KEY:163:invalid key
-EVP_R_INVALID_KEY_LENGTH:130:invalid key length
-EVP_R_INVALID_LENGTH:221:invalid length
-EVP_R_INVALID_NULL_ALGORITHM:218:invalid null algorithm
-EVP_R_INVALID_OPERATION:148:invalid operation
-EVP_R_INVALID_PROVIDER_FUNCTIONS:193:invalid provider functions
-EVP_R_INVALID_SALT_LENGTH:186:invalid salt length
-EVP_R_INVALID_SECRET_LENGTH:223:invalid secret length
-EVP_R_INVALID_SEED_LENGTH:220:invalid seed length
-EVP_R_INVALID_VALUE:222:invalid value
-EVP_R_KEYMGMT_EXPORT_FAILURE:205:keymgmt export failure
-EVP_R_KEY_SETUP_FAILED:180:key setup failed
-EVP_R_LOCKING_NOT_SUPPORTED:213:locking not supported
-EVP_R_MEMORY_LIMIT_EXCEEDED:172:memory limit exceeded
-EVP_R_MESSAGE_DIGEST_IS_NULL:159:message digest is null
-EVP_R_METHOD_NOT_SUPPORTED:144:method not supported
-EVP_R_MISSING_PARAMETERS:103:missing parameters
-EVP_R_NOT_ABLE_TO_COPY_CTX:190:not able to copy ctx
-EVP_R_NOT_XOF_OR_INVALID_LENGTH:178:not XOF or invalid length
-EVP_R_NO_CIPHER_SET:131:no cipher set
-EVP_R_NO_DEFAULT_DIGEST:158:no default digest
-EVP_R_NO_DIGEST_SET:139:no digest set
-EVP_R_NO_IMPORT_FUNCTION:206:no import function
-EVP_R_NO_KEYMGMT_AVAILABLE:199:no keymgmt available
-EVP_R_NO_KEYMGMT_PRESENT:196:no keymgmt present
-EVP_R_NO_KEY_SET:154:no key set
-EVP_R_NO_OPERATION_SET:149:no operation set
-EVP_R_NULL_MAC_PKEY_CTX:208:null mac pkey ctx
-EVP_R_ONLY_ONESHOT_SUPPORTED:177:only oneshot supported
-EVP_R_OPERATION_NOT_INITIALIZED:151:operation not initialized
-EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:150:\
-	operation not supported for this keytype
-EVP_R_OUTPUT_WOULD_OVERFLOW:202:output would overflow
-EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
-EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
-EVP_R_PBKDF2_ERROR:181:pbkdf2 error
-EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
-	pkey application asn1 method already registered
-EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error
-EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error
-EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa
-EVP_R_SETTING_XOF_FAILED:227:setting xof failed
-EVP_R_SET_DEFAULT_PROPERTY_FAILURE:209:set default property failure
-EVP_R_TOO_MANY_RECORDS:183:too many records
-EVP_R_UNABLE_TO_ENABLE_LOCKING:212:unable to enable locking
-EVP_R_UNABLE_TO_GET_MAXIMUM_REQUEST_SIZE:215:unable to get maximum request size
-EVP_R_UNABLE_TO_GET_RANDOM_STRENGTH:216:unable to get random strength
-EVP_R_UNABLE_TO_LOCK_CONTEXT:211:unable to lock context
-EVP_R_UNABLE_TO_SET_CALLBACKS:217:unable to set callbacks
-EVP_R_UNKNOWN_CIPHER:160:unknown cipher
-EVP_R_UNKNOWN_DIGEST:161:unknown digest
-EVP_R_UNKNOWN_KEY_TYPE:207:unknown key type
-EVP_R_UNKNOWN_OPTION:169:unknown option
-EVP_R_UNKNOWN_PBE_ALGORITHM:121:unknown pbe algorithm
-EVP_R_UNSUPPORTED_ALGORITHM:156:unsupported algorithm
-EVP_R_UNSUPPORTED_CIPHER:107:unsupported cipher
-EVP_R_UNSUPPORTED_KEYLENGTH:123:unsupported keylength
-EVP_R_UNSUPPORTED_KEY_DERIVATION_FUNCTION:124:\
-	unsupported key derivation function
-EVP_R_UNSUPPORTED_KEY_SIZE:108:unsupported key size
-EVP_R_UNSUPPORTED_KEY_TYPE:224:unsupported key type
-EVP_R_UNSUPPORTED_NUMBER_OF_ROUNDS:135:unsupported number of rounds
-EVP_R_UNSUPPORTED_PRF:125:unsupported prf
-EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM:118:unsupported private key algorithm
-EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
-EVP_R_UPDATE_ERROR:189:update error
-EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
-EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
-EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE:191:xts data unit is too large
-EVP_R_XTS_DUPLICATED_KEYS:192:xts duplicated keys
-HTTP_R_ASN1_LEN_EXCEEDS_MAX_RESP_LEN:108:asn1 len exceeds max resp len
-HTTP_R_CONNECT_FAILURE:100:connect failure
-HTTP_R_ERROR_PARSING_ASN1_LENGTH:109:error parsing asn1 length
-HTTP_R_ERROR_PARSING_CONTENT_LENGTH:119:error parsing content length
-HTTP_R_ERROR_PARSING_URL:101:error parsing url
-HTTP_R_ERROR_RECEIVING:103:error receiving
-HTTP_R_ERROR_SENDING:102:error sending
-HTTP_R_FAILED_READING_DATA:128:failed reading data
-HTTP_R_HEADER_PARSE_ERROR:126:header parse error
-HTTP_R_INCONSISTENT_CONTENT_LENGTH:120:inconsistent content length
-HTTP_R_INVALID_PORT_NUMBER:123:invalid port number
-HTTP_R_INVALID_URL_PATH:125:invalid url path
-HTTP_R_INVALID_URL_SCHEME:124:invalid url scheme
-HTTP_R_MAX_RESP_LEN_EXCEEDED:117:max resp len exceeded
-HTTP_R_MISSING_ASN1_ENCODING:110:missing asn1 encoding
-HTTP_R_MISSING_CONTENT_TYPE:121:missing content type
-HTTP_R_MISSING_REDIRECT_LOCATION:111:missing redirect location
-HTTP_R_RECEIVED_ERROR:105:received error
-HTTP_R_RECEIVED_WRONG_HTTP_VERSION:106:received wrong http version
-HTTP_R_REDIRECTION_FROM_HTTPS_TO_HTTP:112:redirection from https to http
-HTTP_R_REDIRECTION_NOT_ENABLED:116:redirection not enabled
-HTTP_R_RESPONSE_LINE_TOO_LONG:113:response line too long
-HTTP_R_RESPONSE_PARSE_ERROR:104:response parse error
-HTTP_R_RETRY_TIMEOUT:129:retry timeout
-HTTP_R_SERVER_CANCELED_CONNECTION:127:server canceled connection
-HTTP_R_SOCK_NOT_SUPPORTED:122:sock not supported
-HTTP_R_STATUS_CODE_UNSUPPORTED:114:status code unsupported
-HTTP_R_TLS_NOT_ENABLED:107:tls not enabled
-HTTP_R_TOO_MANY_REDIRECTIONS:115:too many redirections
-HTTP_R_UNEXPECTED_CONTENT_TYPE:118:unexpected content type
-OBJ_R_OID_EXISTS:102:oid exists
-OBJ_R_UNKNOWN_NID:101:unknown nid
-OBJ_R_UNKNOWN_OBJECT_NAME:103:unknown object name
-OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
-OCSP_R_DIGEST_ERR:102:digest err
-OCSP_R_DIGEST_NAME_ERR:106:digest name err
-OCSP_R_DIGEST_SIZE_ERR:107:digest size err
-OCSP_R_ERROR_IN_NEXTUPDATE_FIELD:122:error in nextupdate field
-OCSP_R_ERROR_IN_THISUPDATE_FIELD:123:error in thisupdate field
-OCSP_R_MISSING_OCSPSIGNING_USAGE:103:missing ocspsigning usage
-OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE:124:nextupdate before thisupdate
-OCSP_R_NOT_BASIC_RESPONSE:104:not basic response
-OCSP_R_NO_CERTIFICATES_IN_CHAIN:105:no certificates in chain
-OCSP_R_NO_RESPONSE_DATA:108:no response data
-OCSP_R_NO_REVOKED_TIME:109:no revoked time
-OCSP_R_NO_SIGNER_KEY:130:no signer key
-OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:110:\
-	private key does not match certificate
-OCSP_R_REQUEST_NOT_SIGNED:128:request not signed
-OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA:111:\
-	response contains no revocation data
-OCSP_R_ROOT_CA_NOT_TRUSTED:112:root ca not trusted
-OCSP_R_SIGNATURE_FAILURE:117:signature failure
-OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND:118:signer certificate not found
-OCSP_R_STATUS_EXPIRED:125:status expired
-OCSP_R_STATUS_NOT_YET_VALID:126:status not yet valid
-OCSP_R_STATUS_TOO_OLD:127:status too old
-OCSP_R_UNKNOWN_MESSAGE_DIGEST:119:unknown message digest
-OCSP_R_UNKNOWN_NID:120:unknown nid
-OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE:129:unsupported requestorname type
-OSSL_DECODER_R_COULD_NOT_DECODE_OBJECT:101:could not decode object
-OSSL_DECODER_R_DECODER_NOT_FOUND:102:decoder not found
-OSSL_DECODER_R_MISSING_GET_PARAMS:100:missing get params
-OSSL_ENCODER_R_ENCODER_NOT_FOUND:101:encoder not found
-OSSL_ENCODER_R_INCORRECT_PROPERTY_QUERY:100:incorrect property query
-OSSL_ENCODER_R_MISSING_GET_PARAMS:102:missing get params
-OSSL_STORE_R_AMBIGUOUS_CONTENT_TYPE:107:ambiguous content type
-OSSL_STORE_R_BAD_PASSWORD_READ:115:bad password read
-OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC:113:error verifying pkcs12 mac
-OSSL_STORE_R_FINGERPRINT_SIZE_DOES_NOT_MATCH_DIGEST:121:\
-	fingerprint size does not match digest
-OSSL_STORE_R_INVALID_SCHEME:106:invalid scheme
-OSSL_STORE_R_IS_NOT_A:112:is not a
-OSSL_STORE_R_LOADER_INCOMPLETE:116:loader incomplete
-OSSL_STORE_R_LOADING_STARTED:117:loading started
-OSSL_STORE_R_NOT_A_CERTIFICATE:100:not a certificate
-OSSL_STORE_R_NOT_A_CRL:101:not a crl
-OSSL_STORE_R_NOT_A_NAME:103:not a name
-OSSL_STORE_R_NOT_A_PRIVATE_KEY:102:not a private key
-OSSL_STORE_R_NOT_A_PUBLIC_KEY:122:not a public key
-OSSL_STORE_R_NOT_PARAMETERS:104:not parameters
-OSSL_STORE_R_NO_LOADERS_FOUND:123:no loaders found
-OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR:114:passphrase callback error
-OSSL_STORE_R_PATH_MUST_BE_ABSOLUTE:108:path must be absolute
-OSSL_STORE_R_SEARCH_ONLY_SUPPORTED_FOR_DIRECTORIES:119:\
-	search only supported for directories
-OSSL_STORE_R_UI_PROCESS_INTERRUPTED_OR_CANCELLED:109:\
-	ui process interrupted or cancelled
-OSSL_STORE_R_UNREGISTERED_SCHEME:105:unregistered scheme
-OSSL_STORE_R_UNSUPPORTED_CONTENT_TYPE:110:unsupported content type
-OSSL_STORE_R_UNSUPPORTED_OPERATION:118:unsupported operation
-OSSL_STORE_R_UNSUPPORTED_SEARCH_TYPE:120:unsupported search type
-OSSL_STORE_R_URI_AUTHORITY_UNSUPPORTED:111:uri authority unsupported
-PEM_R_BAD_BASE64_DECODE:100:bad base64 decode
-PEM_R_BAD_DECRYPT:101:bad decrypt
-PEM_R_BAD_END_LINE:102:bad end line
-PEM_R_BAD_IV_CHARS:103:bad iv chars
-PEM_R_BAD_MAGIC_NUMBER:116:bad magic number
-PEM_R_BAD_PASSWORD_READ:104:bad password read
-PEM_R_BAD_VERSION_NUMBER:117:bad version number
-PEM_R_BIO_WRITE_FAILURE:118:bio write failure
-PEM_R_CIPHER_IS_NULL:127:cipher is null
-PEM_R_ERROR_CONVERTING_PRIVATE_KEY:115:error converting private key
-PEM_R_EXPECTING_DSS_KEY_BLOB:131:expecting dss key blob
-PEM_R_EXPECTING_PRIVATE_KEY_BLOB:119:expecting private key blob
-PEM_R_EXPECTING_PUBLIC_KEY_BLOB:120:expecting public key blob
-PEM_R_EXPECTING_RSA_KEY_BLOB:132:expecting rsa key blob
-PEM_R_HEADER_TOO_LONG:128:header too long
-PEM_R_INCONSISTENT_HEADER:121:inconsistent header
-PEM_R_KEYBLOB_HEADER_PARSE_ERROR:122:keyblob header parse error
-PEM_R_KEYBLOB_TOO_SHORT:123:keyblob too short
-PEM_R_MISSING_DEK_IV:129:missing dek iv
-PEM_R_NOT_DEK_INFO:105:not dek info
-PEM_R_NOT_ENCRYPTED:106:not encrypted
-PEM_R_NOT_PROC_TYPE:107:not proc type
-PEM_R_NO_START_LINE:108:no start line
-PEM_R_PROBLEMS_GETTING_PASSWORD:109:problems getting password
-PEM_R_PVK_DATA_TOO_SHORT:124:pvk data too short
-PEM_R_PVK_TOO_SHORT:125:pvk too short
-PEM_R_READ_KEY:111:read key
-PEM_R_SHORT_HEADER:112:short header
-PEM_R_UNEXPECTED_DEK_IV:130:unexpected dek iv
-PEM_R_UNSUPPORTED_CIPHER:113:unsupported cipher
-PEM_R_UNSUPPORTED_ENCRYPTION:114:unsupported encryption
-PEM_R_UNSUPPORTED_KEY_COMPONENTS:126:unsupported key components
-PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE:110:unsupported public key type
-PKCS12_R_CANT_PACK_STRUCTURE:100:cant pack structure
-PKCS12_R_CONTENT_TYPE_NOT_DATA:121:content type not data
-PKCS12_R_DECODE_ERROR:101:decode error
-PKCS12_R_ENCODE_ERROR:102:encode error
-PKCS12_R_ENCRYPT_ERROR:103:encrypt error
-PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE:120:error setting encrypted data type
-PKCS12_R_INVALID_NULL_ARGUMENT:104:invalid null argument
-PKCS12_R_INVALID_NULL_PKCS12_POINTER:105:invalid null pkcs12 pointer
-PKCS12_R_INVALID_TYPE:112:invalid type
-PKCS12_R_IV_GEN_ERROR:106:iv gen error
-PKCS12_R_KEY_GEN_ERROR:107:key gen error
-PKCS12_R_MAC_ABSENT:108:mac absent
-PKCS12_R_MAC_GENERATION_ERROR:109:mac generation error
-PKCS12_R_MAC_SETUP_ERROR:110:mac setup error
-PKCS12_R_MAC_STRING_SET_ERROR:111:mac string set error
-PKCS12_R_MAC_VERIFY_FAILURE:113:mac verify failure
-PKCS12_R_PARSE_ERROR:114:parse error
-PKCS12_R_PKCS12_CIPHERFINAL_ERROR:116:pkcs12 cipherfinal error
-PKCS12_R_UNKNOWN_DIGEST_ALGORITHM:118:unknown digest algorithm
-PKCS12_R_UNSUPPORTED_PKCS12_MODE:119:unsupported pkcs12 mode
-PKCS7_R_CERTIFICATE_VERIFY_ERROR:117:certificate verify error
-PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER:144:cipher has no object identifier
-PKCS7_R_CIPHER_NOT_INITIALIZED:116:cipher not initialized
-PKCS7_R_CONTENT_AND_DATA_PRESENT:118:content and data present
-PKCS7_R_CTRL_ERROR:152:ctrl error
-PKCS7_R_DECRYPT_ERROR:119:decrypt error
-PKCS7_R_DIGEST_FAILURE:101:digest failure
-PKCS7_R_ENCRYPTION_CTRL_FAILURE:149:encryption ctrl failure
-PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE:150:\
-	encryption not supported for this key type
-PKCS7_R_ERROR_ADDING_RECIPIENT:120:error adding recipient
-PKCS7_R_ERROR_SETTING_CIPHER:121:error setting cipher
-PKCS7_R_INVALID_NULL_POINTER:143:invalid null pointer
-PKCS7_R_INVALID_SIGNED_DATA_TYPE:155:invalid signed data type
-PKCS7_R_NO_CONTENT:122:no content
-PKCS7_R_NO_DEFAULT_DIGEST:151:no default digest
-PKCS7_R_NO_MATCHING_DIGEST_TYPE_FOUND:154:no matching digest type found
-PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE:115:no recipient matches certificate
-PKCS7_R_NO_SIGNATURES_ON_DATA:123:no signatures on data
-PKCS7_R_NO_SIGNERS:142:no signers
-PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE:104:\
-	operation not supported on this type
-PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR:124:pkcs7 add signature error
-PKCS7_R_PKCS7_ADD_SIGNER_ERROR:153:pkcs7 add signer error
-PKCS7_R_PKCS7_DATASIGN:145:pkcs7 datasign
-PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:127:\
-	private key does not match certificate
-PKCS7_R_SIGNATURE_FAILURE:105:signature failure
-PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND:128:signer certificate not found
-PKCS7_R_SIGNING_CTRL_FAILURE:147:signing ctrl failure
-PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE:148:\
-	signing not supported for this key type
-PKCS7_R_SMIME_TEXT_ERROR:129:smime text error
-PKCS7_R_UNABLE_TO_FIND_CERTIFICATE:106:unable to find certificate
-PKCS7_R_UNABLE_TO_FIND_MEM_BIO:107:unable to find mem bio
-PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST:108:unable to find message digest
-PKCS7_R_UNKNOWN_DIGEST_TYPE:109:unknown digest type
-PKCS7_R_UNKNOWN_OPERATION:110:unknown operation
-PKCS7_R_UNSUPPORTED_CIPHER_TYPE:111:unsupported cipher type
-PKCS7_R_UNSUPPORTED_CONTENT_TYPE:112:unsupported content type
-PKCS7_R_WRONG_CONTENT_TYPE:113:wrong content type
-PKCS7_R_WRONG_PKCS7_TYPE:114:wrong pkcs7 type
-PROP_R_NAME_TOO_LONG:100:name too long
-PROP_R_NOT_AN_ASCII_CHARACTER:101:not an ascii character
-PROP_R_NOT_AN_HEXADECIMAL_DIGIT:102:not an hexadecimal digit
-PROP_R_NOT_AN_IDENTIFIER:103:not an identifier
-PROP_R_NOT_AN_OCTAL_DIGIT:104:not an octal digit
-PROP_R_NOT_A_DECIMAL_DIGIT:105:not a decimal digit
-PROP_R_NO_MATCHING_STRING_DELIMITER:106:no matching string delimiter
-PROP_R_NO_VALUE:107:no value
-PROP_R_PARSE_FAILED:108:parse failed
-PROP_R_STRING_TOO_LONG:109:string too long
-PROP_R_TRAILING_CHARACTERS:110:trailing characters
-PROV_R_ADDITIONAL_INPUT_TOO_LONG:184:additional input too long
-PROV_R_ALGORITHM_MISMATCH:173:algorithm mismatch
-PROV_R_ALREADY_INSTANTIATED:185:already instantiated
-PROV_R_BAD_DECRYPT:100:bad decrypt
-PROV_R_BAD_ENCODING:141:bad encoding
-PROV_R_BAD_LENGTH:142:bad length
-PROV_R_BAD_TLS_CLIENT_VERSION:161:bad tls client version
-PROV_R_BN_ERROR:160:bn error
-PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed
-PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed
-PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed
-PROV_R_EMS_NOT_ENABLED:233:ems not enabled
-PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak
-PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg
-PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy
-PROV_R_ERROR_RETRIEVING_NONCE:190:error retrieving nonce
-PROV_R_FAILED_DURING_DERIVATION:164:failed during derivation
-PROV_R_FAILED_TO_CREATE_LOCK:180:failed to create lock
-PROV_R_FAILED_TO_DECRYPT:162:failed to decrypt
-PROV_R_FAILED_TO_GENERATE_KEY:121:failed to generate key
-PROV_R_FAILED_TO_GET_PARAMETER:103:failed to get parameter
-PROV_R_FAILED_TO_SET_PARAMETER:104:failed to set parameter
-PROV_R_FAILED_TO_SIGN:175:failed to sign
-PROV_R_FIPS_MODULE_CONDITIONAL_ERROR:227:fips module conditional error
-PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE:224:fips module entering error state
-PROV_R_FIPS_MODULE_IN_ERROR_STATE:225:fips module in error state
-PROV_R_GENERATE_ERROR:191:generate error
-PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:165:\
-	illegal or unsupported padding mode
-PROV_R_INDICATOR_INTEGRITY_FAILURE:210:indicator integrity failure
-PROV_R_INSUFFICIENT_DRBG_STRENGTH:181:insufficient drbg strength
-PROV_R_INVALID_AAD:108:invalid aad
-PROV_R_INVALID_CONFIG_DATA:211:invalid config data
-PROV_R_INVALID_CONSTANT_LENGTH:157:invalid constant length
-PROV_R_INVALID_CURVE:176:invalid curve
-PROV_R_INVALID_CUSTOM_LENGTH:111:invalid custom length
-PROV_R_INVALID_DATA:115:invalid data
-PROV_R_INVALID_DIGEST:122:invalid digest
-PROV_R_INVALID_DIGEST_LENGTH:166:invalid digest length
-PROV_R_INVALID_DIGEST_SIZE:218:invalid digest size
-PROV_R_INVALID_INPUT_LENGTH:230:invalid input length
-PROV_R_INVALID_ITERATION_COUNT:123:invalid iteration count
-PROV_R_INVALID_IV_LENGTH:109:invalid iv length
-PROV_R_INVALID_KEY:158:invalid key
-PROV_R_INVALID_KEY_LENGTH:105:invalid key length
-PROV_R_INVALID_MAC:151:invalid mac
-PROV_R_INVALID_MGF1_MD:167:invalid mgf1 md
-PROV_R_INVALID_MODE:125:invalid mode
-PROV_R_INVALID_OUTPUT_LENGTH:217:invalid output length
-PROV_R_INVALID_PADDING_MODE:168:invalid padding mode
-PROV_R_INVALID_PUBINFO:198:invalid pubinfo
-PROV_R_INVALID_SALT_LENGTH:112:invalid salt length
-PROV_R_INVALID_SEED_LENGTH:154:invalid seed length
-PROV_R_INVALID_SIGNATURE_SIZE:179:invalid signature size
-PROV_R_INVALID_STATE:212:invalid state
-PROV_R_INVALID_TAG:110:invalid tag
-PROV_R_INVALID_TAG_LENGTH:118:invalid tag length
-PROV_R_INVALID_UKM_LENGTH:200:invalid ukm length
-PROV_R_INVALID_X931_DIGEST:170:invalid x931 digest
-PROV_R_IN_ERROR_STATE:192:in error state
-PROV_R_KEY_SETUP_FAILED:101:key setup failed
-PROV_R_KEY_SIZE_TOO_SMALL:171:key size too small
-PROV_R_LENGTH_TOO_LARGE:202:length too large
-PROV_R_MISMATCHING_DOMAIN_PARAMETERS:203:mismatching domain parameters
-PROV_R_MISSING_CEK_ALG:144:missing cek alg
-PROV_R_MISSING_CIPHER:155:missing cipher
-PROV_R_MISSING_CONFIG_DATA:213:missing config data
-PROV_R_MISSING_CONSTANT:156:missing constant
-PROV_R_MISSING_KEY:128:missing key
-PROV_R_MISSING_MAC:150:missing mac
-PROV_R_MISSING_MESSAGE_DIGEST:129:missing message digest
-PROV_R_MISSING_OID:209:missing OID
-PROV_R_MISSING_PASS:130:missing pass
-PROV_R_MISSING_SALT:131:missing salt
-PROV_R_MISSING_SECRET:132:missing secret
-PROV_R_MISSING_SEED:140:missing seed
-PROV_R_MISSING_SESSION_ID:133:missing session id
-PROV_R_MISSING_TYPE:134:missing type
-PROV_R_MISSING_XCGHASH:135:missing xcghash
-PROV_R_MODULE_INTEGRITY_FAILURE:214:module integrity failure
-PROV_R_NOT_A_PRIVATE_KEY:221:not a private key
-PROV_R_NOT_A_PUBLIC_KEY:220:not a public key
-PROV_R_NOT_INSTANTIATED:193:not instantiated
-PROV_R_NOT_PARAMETERS:226:not parameters
-PROV_R_NOT_SUPPORTED:136:not supported
-PROV_R_NOT_XOF_OR_INVALID_LENGTH:113:not xof or invalid length
-PROV_R_NO_KEY_SET:114:no key set
-PROV_R_NO_PARAMETERS_SET:177:no parameters set
-PROV_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:178:\
-	operation not supported for this keytype
-PROV_R_OUTPUT_BUFFER_TOO_SMALL:106:output buffer too small
-PROV_R_PARENT_CANNOT_GENERATE_RANDOM_NUMBERS:228:\
-	parent cannot generate random numbers
-PROV_R_PARENT_CANNOT_SUPPLY_ENTROPY_SEED:187:parent cannot supply entropy seed
-PROV_R_PARENT_LOCKING_NOT_ENABLED:182:parent locking not enabled
-PROV_R_PARENT_STRENGTH_TOO_WEAK:194:parent strength too weak
-PROV_R_PATH_MUST_BE_ABSOLUTE:219:path must be absolute
-PROV_R_PERSONALISATION_STRING_TOO_LONG:195:personalisation string too long
-PROV_R_PSS_SALTLEN_TOO_SMALL:172:pss saltlen too small
-PROV_R_REQUEST_TOO_LARGE_FOR_DRBG:196:request too large for drbg
-PROV_R_REQUIRE_CTR_MODE_CIPHER:206:require ctr mode cipher
-PROV_R_RESEED_ERROR:197:reseed error
-PROV_R_SEARCH_ONLY_SUPPORTED_FOR_DIRECTORIES:222:\
-	search only supported for directories
-PROV_R_SEED_SOURCES_MUST_NOT_HAVE_A_PARENT:229:\
-	seed sources must not have a parent
-PROV_R_SELF_TEST_KAT_FAILURE:215:self test kat failure
-PROV_R_SELF_TEST_POST_FAILURE:216:self test post failure
-PROV_R_TAG_NOT_NEEDED:120:tag not needed
-PROV_R_TAG_NOT_SET:119:tag not set
-PROV_R_TOO_MANY_RECORDS:126:too many records
-PROV_R_UNABLE_TO_FIND_CIPHERS:207:unable to find ciphers
-PROV_R_UNABLE_TO_GET_PARENT_STRENGTH:199:unable to get parent strength
-PROV_R_UNABLE_TO_GET_PASSPHRASE:159:unable to get passphrase
-PROV_R_UNABLE_TO_INITIALISE_CIPHERS:208:unable to initialise ciphers
-PROV_R_UNABLE_TO_LOAD_SHA256:147:unable to load sha256
-PROV_R_UNABLE_TO_LOCK_PARENT:201:unable to lock parent
-PROV_R_UNABLE_TO_RESEED:204:unable to reseed
-PROV_R_UNSUPPORTED_CEK_ALG:145:unsupported cek alg
-PROV_R_UNSUPPORTED_KEY_SIZE:153:unsupported key size
-PROV_R_UNSUPPORTED_MAC_TYPE:137:unsupported mac type
-PROV_R_UNSUPPORTED_NUMBER_OF_ROUNDS:152:unsupported number of rounds
-PROV_R_URI_AUTHORITY_UNSUPPORTED:223:uri authority unsupported
-PROV_R_VALUE_ERROR:138:value error
-PROV_R_WRONG_FINAL_BLOCK_LENGTH:107:wrong final block length
-PROV_R_WRONG_OUTPUT_BUFFER_SIZE:139:wrong output buffer size
-PROV_R_XOF_DIGESTS_NOT_ALLOWED:183:xof digests not allowed
-PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE:148:xts data unit is too large
-PROV_R_XTS_DUPLICATED_KEYS:149:xts duplicated keys
-RAND_R_ADDITIONAL_INPUT_TOO_LONG:102:additional input too long
-RAND_R_ALREADY_INSTANTIATED:103:already instantiated
-RAND_R_ARGUMENT_OUT_OF_RANGE:105:argument out of range
-RAND_R_CANNOT_OPEN_FILE:121:Cannot open file
-RAND_R_DRBG_ALREADY_INITIALIZED:129:drbg already initialized
-RAND_R_DRBG_NOT_INITIALISED:104:drbg not initialised
-RAND_R_ENTROPY_INPUT_TOO_LONG:106:entropy input too long
-RAND_R_ENTROPY_OUT_OF_RANGE:124:entropy out of range
-RAND_R_ERROR_ENTROPY_POOL_WAS_IGNORED:127:error entropy pool was ignored
-RAND_R_ERROR_INITIALISING_DRBG:107:error initialising drbg
-RAND_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg
-RAND_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input
-RAND_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy
-RAND_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce
-RAND_R_FAILED_TO_CREATE_LOCK:126:failed to create lock
-RAND_R_FUNC_NOT_IMPLEMENTED:101:Function not implemented
-RAND_R_FWRITE_ERROR:123:Error writing file
-RAND_R_GENERATE_ERROR:112:generate error
-RAND_R_INSUFFICIENT_DRBG_STRENGTH:139:insufficient drbg strength
-RAND_R_INTERNAL_ERROR:113:internal error
-RAND_R_IN_ERROR_STATE:114:in error state
-RAND_R_NOT_A_REGULAR_FILE:122:Not a regular file
-RAND_R_NOT_INSTANTIATED:115:not instantiated
-RAND_R_NO_DRBG_IMPLEMENTATION_SELECTED:128:no drbg implementation selected
-RAND_R_PARENT_LOCKING_NOT_ENABLED:130:parent locking not enabled
-RAND_R_PARENT_STRENGTH_TOO_WEAK:131:parent strength too weak
-RAND_R_PERSONALISATION_STRING_TOO_LONG:116:personalisation string too long
-RAND_R_PREDICTION_RESISTANCE_NOT_SUPPORTED:133:\
-	prediction resistance not supported
-RAND_R_PRNG_NOT_SEEDED:100:PRNG not seeded
-RAND_R_RANDOM_POOL_OVERFLOW:125:random pool overflow
-RAND_R_RANDOM_POOL_UNDERFLOW:134:random pool underflow
-RAND_R_REQUEST_TOO_LARGE_FOR_DRBG:117:request too large for drbg
-RAND_R_RESEED_ERROR:118:reseed error
-RAND_R_SELFTEST_FAILURE:119:selftest failure
-RAND_R_TOO_LITTLE_NONCE_REQUESTED:135:too little nonce requested
-RAND_R_TOO_MUCH_NONCE_REQUESTED:136:too much nonce requested
-RAND_R_UNABLE_TO_CREATE_DRBG:143:unable to create drbg
-RAND_R_UNABLE_TO_FETCH_DRBG:144:unable to fetch drbg
-RAND_R_UNABLE_TO_GET_PARENT_RESEED_PROP_COUNTER:141:\
-	unable to get parent reseed prop counter
-RAND_R_UNABLE_TO_GET_PARENT_STRENGTH:138:unable to get parent strength
-RAND_R_UNABLE_TO_LOCK_PARENT:140:unable to lock parent
-RAND_R_UNSUPPORTED_DRBG_FLAGS:132:unsupported drbg flags
-RAND_R_UNSUPPORTED_DRBG_TYPE:120:unsupported drbg type
-RSA_R_ALGORITHM_MISMATCH:100:algorithm mismatch
-RSA_R_BAD_E_VALUE:101:bad e value
-RSA_R_BAD_FIXED_HEADER_DECRYPT:102:bad fixed header decrypt
-RSA_R_BAD_PAD_BYTE_COUNT:103:bad pad byte count
-RSA_R_BAD_SIGNATURE:104:bad signature
-RSA_R_BLOCK_TYPE_IS_NOT_01:106:block type is not 01
-RSA_R_BLOCK_TYPE_IS_NOT_02:107:block type is not 02
-RSA_R_DATA_GREATER_THAN_MOD_LEN:108:data greater than mod len
-RSA_R_DATA_TOO_LARGE:109:data too large
-RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE:110:data too large for key size
-RSA_R_DATA_TOO_LARGE_FOR_MODULUS:132:data too large for modulus
-RSA_R_DATA_TOO_SMALL:111:data too small
-RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE:122:data too small for key size
-RSA_R_DIGEST_DOES_NOT_MATCH:158:digest does not match
-RSA_R_DIGEST_NOT_ALLOWED:145:digest not allowed
-RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY:112:digest too big for rsa key
-RSA_R_DMP1_NOT_CONGRUENT_TO_D:124:dmp1 not congruent to d
-RSA_R_DMQ1_NOT_CONGRUENT_TO_D:125:dmq1 not congruent to d
-RSA_R_D_E_NOT_CONGRUENT_TO_1:123:d e not congruent to 1
-RSA_R_FIRST_OCTET_INVALID:133:first octet invalid
-RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE:144:\
-	illegal or unsupported padding mode
-RSA_R_INVALID_DIGEST:157:invalid digest
-RSA_R_INVALID_DIGEST_LENGTH:143:invalid digest length
-RSA_R_INVALID_HEADER:137:invalid header
-RSA_R_INVALID_KEYPAIR:171:invalid keypair
-RSA_R_INVALID_KEY_LENGTH:173:invalid key length
-RSA_R_INVALID_LABEL:160:invalid label
-RSA_R_INVALID_LENGTH:181:invalid length
-RSA_R_INVALID_MESSAGE_LENGTH:131:invalid message length
-RSA_R_INVALID_MGF1_MD:156:invalid mgf1 md
-RSA_R_INVALID_MODULUS:174:invalid modulus
-RSA_R_INVALID_MULTI_PRIME_KEY:167:invalid multi prime key
-RSA_R_INVALID_OAEP_PARAMETERS:161:invalid oaep parameters
-RSA_R_INVALID_PADDING:138:invalid padding
-RSA_R_INVALID_PADDING_MODE:141:invalid padding mode
-RSA_R_INVALID_PSS_PARAMETERS:149:invalid pss parameters
-RSA_R_INVALID_PSS_SALTLEN:146:invalid pss saltlen
-RSA_R_INVALID_REQUEST:175:invalid request
-RSA_R_INVALID_SALT_LENGTH:150:invalid salt length
-RSA_R_INVALID_STRENGTH:176:invalid strength
-RSA_R_INVALID_TRAILER:139:invalid trailer
-RSA_R_INVALID_X931_DIGEST:142:invalid x931 digest
-RSA_R_IQMP_NOT_INVERSE_OF_Q:126:iqmp not inverse of q
-RSA_R_KEY_PRIME_NUM_INVALID:165:key prime num invalid
-RSA_R_KEY_SIZE_TOO_SMALL:120:key size too small
-RSA_R_LAST_OCTET_INVALID:134:last octet invalid
-RSA_R_MGF1_DIGEST_NOT_ALLOWED:152:mgf1 digest not allowed
-RSA_R_MISSING_PRIVATE_KEY:179:missing private key
-RSA_R_MODULUS_TOO_LARGE:105:modulus too large
-RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R:168:mp coefficient not inverse of r
-RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D:169:mp exponent not congruent to d
-RSA_R_MP_R_NOT_PRIME:170:mp r not prime
-RSA_R_NO_PUBLIC_EXPONENT:140:no public exponent
-RSA_R_NULL_BEFORE_BLOCK_MISSING:113:null before block missing
-RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES:172:n does not equal product of primes
-RSA_R_N_DOES_NOT_EQUAL_P_Q:127:n does not equal p q
-RSA_R_OAEP_DECODING_ERROR:121:oaep decoding error
-RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:148:\
-	operation not supported for this keytype
-RSA_R_PADDING_CHECK_FAILED:114:padding check failed
-RSA_R_PAIRWISE_TEST_FAILURE:177:pairwise test failure
-RSA_R_PKCS_DECODING_ERROR:159:pkcs decoding error
-RSA_R_PSS_SALTLEN_TOO_SMALL:164:pss saltlen too small
-RSA_R_PUB_EXPONENT_OUT_OF_RANGE:178:pub exponent out of range
-RSA_R_P_NOT_PRIME:128:p not prime
-RSA_R_Q_NOT_PRIME:129:q not prime
-RSA_R_RANDOMNESS_SOURCE_STRENGTH_INSUFFICIENT:180:\
-	randomness source strength insufficient
-RSA_R_RSA_OPERATIONS_NOT_SUPPORTED:130:rsa operations not supported
-RSA_R_SLEN_CHECK_FAILED:136:salt length check failed
-RSA_R_SLEN_RECOVERY_FAILED:135:salt length recovery failed
-RSA_R_SSLV3_ROLLBACK_ATTACK:115:sslv3 rollback attack
-RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD:116:\
-	the asn1 object identifier is not known for this md
-RSA_R_UNKNOWN_ALGORITHM_TYPE:117:unknown algorithm type
-RSA_R_UNKNOWN_DIGEST:166:unknown digest
-RSA_R_UNKNOWN_MASK_DIGEST:151:unknown mask digest
-RSA_R_UNKNOWN_PADDING_TYPE:118:unknown padding type
-RSA_R_UNSUPPORTED_ENCRYPTION_TYPE:162:unsupported encryption type
-RSA_R_UNSUPPORTED_LABEL_SOURCE:163:unsupported label source
-RSA_R_UNSUPPORTED_MASK_ALGORITHM:153:unsupported mask algorithm
-RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter
-RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type
-RSA_R_VALUE_MISSING:147:value missing
-RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length
-SM2_R_ASN1_ERROR:100:asn1 error
-SM2_R_BAD_SIGNATURE:101:bad signature
-SM2_R_BUFFER_TOO_SMALL:107:buffer too small
-SM2_R_DIST_ID_TOO_LARGE:110:dist id too large
-SM2_R_ID_NOT_SET:112:id not set
-SM2_R_ID_TOO_LARGE:111:id too large
-SM2_R_INVALID_CURVE:108:invalid curve
-SM2_R_INVALID_DIGEST:102:invalid digest
-SM2_R_INVALID_DIGEST_TYPE:103:invalid digest type
-SM2_R_INVALID_ENCODING:104:invalid encoding
-SM2_R_INVALID_FIELD:105:invalid field
-SM2_R_INVALID_PRIVATE_KEY:113:invalid private key
-SM2_R_NO_PARAMETERS_SET:109:no parameters set
-SM2_R_USER_ID_TOO_LARGE:106:user id too large
-SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
-	application data after close notify
-SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
-SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\
-	attempt to reuse session in different context
-SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE:158:\
-	at least (D)TLS 1.2 needed in Suite B mode
-SSL_R_BAD_CHANGE_CIPHER_SPEC:103:bad change cipher spec
-SSL_R_BAD_CIPHER:186:bad cipher
-SSL_R_BAD_DATA:390:bad data
-SSL_R_BAD_DATA_RETURNED_BY_CALLBACK:106:bad data returned by callback
-SSL_R_BAD_DECOMPRESSION:107:bad decompression
-SSL_R_BAD_DH_VALUE:102:bad dh value
-SSL_R_BAD_DIGEST_LENGTH:111:bad digest length
-SSL_R_BAD_EARLY_DATA:233:bad early data
-SSL_R_BAD_ECC_CERT:304:bad ecc cert
-SSL_R_BAD_ECPOINT:306:bad ecpoint
-SSL_R_BAD_EXTENSION:110:bad extension
-SSL_R_BAD_HANDSHAKE_LENGTH:332:bad handshake length
-SSL_R_BAD_HANDSHAKE_STATE:236:bad handshake state
-SSL_R_BAD_HELLO_REQUEST:105:bad hello request
-SSL_R_BAD_HRR_VERSION:263:bad hrr version
-SSL_R_BAD_KEY_SHARE:108:bad key share
-SSL_R_BAD_KEY_UPDATE:122:bad key update
-SSL_R_BAD_LEGACY_VERSION:292:bad legacy version
-SSL_R_BAD_LENGTH:271:bad length
-SSL_R_BAD_PACKET:240:bad packet
-SSL_R_BAD_PACKET_LENGTH:115:bad packet length
-SSL_R_BAD_PROTOCOL_VERSION_NUMBER:116:bad protocol version number
-SSL_R_BAD_PSK:219:bad psk
-SSL_R_BAD_PSK_IDENTITY:114:bad psk identity
-SSL_R_BAD_RECORD_TYPE:443:bad record type
-SSL_R_BAD_RSA_ENCRYPT:119:bad rsa encrypt
-SSL_R_BAD_SIGNATURE:123:bad signature
-SSL_R_BAD_SRP_A_LENGTH:347:bad srp a length
-SSL_R_BAD_SRP_PARAMETERS:371:bad srp parameters
-SSL_R_BAD_SRTP_MKI_VALUE:352:bad srtp mki value
-SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST:353:bad srtp protection profile list
-SSL_R_BAD_SSL_FILETYPE:124:bad ssl filetype
-SSL_R_BAD_VALUE:384:bad value
-SSL_R_BAD_WRITE_RETRY:127:bad write retry
-SSL_R_BINDER_DOES_NOT_VERIFY:253:binder does not verify
-SSL_R_BIO_NOT_SET:128:bio not set
-SSL_R_BLOCK_CIPHER_PAD_IS_WRONG:129:block cipher pad is wrong
-SSL_R_BN_LIB:130:bn lib
-SSL_R_CALLBACK_FAILED:234:callback failed
-SSL_R_CANNOT_CHANGE_CIPHER:109:cannot change cipher
-SSL_R_CANNOT_GET_GROUP_NAME:299:cannot get group name
-SSL_R_CA_DN_LENGTH_MISMATCH:131:ca dn length mismatch
-SSL_R_CA_KEY_TOO_SMALL:397:ca key too small
-SSL_R_CA_MD_TOO_WEAK:398:ca md too weak
-SSL_R_CCS_RECEIVED_EARLY:133:ccs received early
-SSL_R_CERTIFICATE_VERIFY_FAILED:134:certificate verify failed
-SSL_R_CERT_CB_ERROR:377:cert cb error
-SSL_R_CERT_LENGTH_MISMATCH:135:cert length mismatch
-SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED:218:ciphersuite digest has changed
-SSL_R_CIPHER_CODE_WRONG_LENGTH:137:cipher code wrong length
-SSL_R_CLIENTHELLO_TLSEXT:226:clienthello tlsext
-SSL_R_COMPRESSED_LENGTH_TOO_LONG:140:compressed length too long
-SSL_R_COMPRESSION_DISABLED:343:compression disabled
-SSL_R_COMPRESSION_FAILURE:141:compression failure
-SSL_R_COMPRESSION_ID_NOT_WITHIN_PRIVATE_RANGE:307:\
-	compression id not within private range
-SSL_R_COMPRESSION_LIBRARY_ERROR:142:compression library error
-SSL_R_CONNECTION_TYPE_NOT_SET:144:connection type not set
-SSL_R_CONTEXT_NOT_DANE_ENABLED:167:context not dane enabled
-SSL_R_COOKIE_GEN_CALLBACK_FAILURE:400:cookie gen callback failure
-SSL_R_COOKIE_MISMATCH:308:cookie mismatch
-SSL_R_COPY_PARAMETERS_FAILED:296:copy parameters failed
-SSL_R_CUSTOM_EXT_HANDLER_ALREADY_INSTALLED:206:\
-	custom ext handler already installed
-SSL_R_DANE_ALREADY_ENABLED:172:dane already enabled
-SSL_R_DANE_CANNOT_OVERRIDE_MTYPE_FULL:173:dane cannot override mtype full
-SSL_R_DANE_NOT_ENABLED:175:dane not enabled
-SSL_R_DANE_TLSA_BAD_CERTIFICATE:180:dane tlsa bad certificate
-SSL_R_DANE_TLSA_BAD_CERTIFICATE_USAGE:184:dane tlsa bad certificate usage
-SSL_R_DANE_TLSA_BAD_DATA_LENGTH:189:dane tlsa bad data length
-SSL_R_DANE_TLSA_BAD_DIGEST_LENGTH:192:dane tlsa bad digest length
-SSL_R_DANE_TLSA_BAD_MATCHING_TYPE:200:dane tlsa bad matching type
-SSL_R_DANE_TLSA_BAD_PUBLIC_KEY:201:dane tlsa bad public key
-SSL_R_DANE_TLSA_BAD_SELECTOR:202:dane tlsa bad selector
-SSL_R_DANE_TLSA_NULL_DATA:203:dane tlsa null data
-SSL_R_DATA_BETWEEN_CCS_AND_FINISHED:145:data between ccs and finished
-SSL_R_DATA_LENGTH_TOO_LONG:146:data length too long
-SSL_R_DECRYPTION_FAILED:147:decryption failed
-SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC:281:\
-	decryption failed or bad record mac
-SSL_R_DH_KEY_TOO_SMALL:394:dh key too small
-SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG:148:dh public value length is wrong
-SSL_R_DIGEST_CHECK_FAILED:149:digest check failed
-SSL_R_DTLS_MESSAGE_TOO_BIG:334:dtls message too big
-SSL_R_DUPLICATE_COMPRESSION_ID:309:duplicate compression id
-SSL_R_ECC_CERT_NOT_FOR_SIGNING:318:ecc cert not for signing
-SSL_R_ECDH_REQUIRED_FOR_SUITEB_MODE:374:ecdh required for suiteb mode
-SSL_R_EE_KEY_TOO_SMALL:399:ee key too small
-SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST:354:empty srtp protection profile list
-SSL_R_ENCRYPTED_LENGTH_TOO_LONG:150:encrypted length too long
-SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST:151:error in received cipher list
-SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN:204:error setting tlsa base domain
-SSL_R_EXCEEDS_MAX_FRAGMENT_SIZE:194:exceeds max fragment size
-SSL_R_EXCESSIVE_MESSAGE_SIZE:152:excessive message size
-SSL_R_EXTENSION_NOT_RECEIVED:279:extension not received
-SSL_R_EXTRA_DATA_IN_MESSAGE:153:extra data in message
-SSL_R_EXT_LENGTH_MISMATCH:163:ext length mismatch
-SSL_R_FAILED_TO_INIT_ASYNC:405:failed to init async
-SSL_R_FRAGMENTED_CLIENT_HELLO:401:fragmented client hello
-SSL_R_GOT_A_FIN_BEFORE_A_CCS:154:got a fin before a ccs
-SSL_R_HTTPS_PROXY_REQUEST:155:https proxy request
-SSL_R_HTTP_REQUEST:156:http request
-SSL_R_ILLEGAL_POINT_COMPRESSION:162:illegal point compression
-SSL_R_ILLEGAL_SUITEB_DIGEST:380:illegal Suite B digest
-SSL_R_INAPPROPRIATE_FALLBACK:373:inappropriate fallback
-SSL_R_INCONSISTENT_COMPRESSION:340:inconsistent compression
-SSL_R_INCONSISTENT_EARLY_DATA_ALPN:222:inconsistent early data alpn
-SSL_R_INCONSISTENT_EARLY_DATA_SNI:231:inconsistent early data sni
-SSL_R_INCONSISTENT_EXTMS:104:inconsistent extms
-SSL_R_INSUFFICIENT_SECURITY:241:insufficient security
-SSL_R_INVALID_ALERT:205:invalid alert
-SSL_R_INVALID_CCS_MESSAGE:260:invalid ccs message
-SSL_R_INVALID_CERTIFICATE_OR_ALG:238:invalid certificate or alg
-SSL_R_INVALID_COMMAND:280:invalid command
-SSL_R_INVALID_COMPRESSION_ALGORITHM:341:invalid compression algorithm
-SSL_R_INVALID_CONFIG:283:invalid config
-SSL_R_INVALID_CONFIGURATION_NAME:113:invalid configuration name
-SSL_R_INVALID_CONTEXT:282:invalid context
-SSL_R_INVALID_CT_VALIDATION_TYPE:212:invalid ct validation type
-SSL_R_INVALID_KEY_UPDATE_TYPE:120:invalid key update type
-SSL_R_INVALID_MAX_EARLY_DATA:174:invalid max early data
-SSL_R_INVALID_NULL_CMD_NAME:385:invalid null cmd name
-SSL_R_INVALID_SEQUENCE_NUMBER:402:invalid sequence number
-SSL_R_INVALID_SERVERINFO_DATA:388:invalid serverinfo data
-SSL_R_INVALID_SESSION_ID:999:invalid session id
-SSL_R_INVALID_SRP_USERNAME:357:invalid srp username
-SSL_R_INVALID_STATUS_RESPONSE:328:invalid status response
-SSL_R_INVALID_TICKET_KEYS_LENGTH:325:invalid ticket keys length
-SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED:333:\
-	legacy sigalg disallowed or unsupported
-SSL_R_LENGTH_MISMATCH:159:length mismatch
-SSL_R_LENGTH_TOO_LONG:404:length too long
-SSL_R_LENGTH_TOO_SHORT:160:length too short
-SSL_R_LIBRARY_BUG:274:library bug
-SSL_R_LIBRARY_HAS_NO_CIPHERS:161:library has no ciphers
-SSL_R_MISSING_DSA_SIGNING_CERT:165:missing dsa signing cert
-SSL_R_MISSING_ECDSA_SIGNING_CERT:381:missing ecdsa signing cert
-SSL_R_MISSING_FATAL:256:missing fatal
-SSL_R_MISSING_PARAMETERS:290:missing parameters
-SSL_R_MISSING_PSK_KEX_MODES_EXTENSION:310:missing psk kex modes extension
-SSL_R_MISSING_RSA_CERTIFICATE:168:missing rsa certificate
-SSL_R_MISSING_RSA_ENCRYPTING_CERT:169:missing rsa encrypting cert
-SSL_R_MISSING_RSA_SIGNING_CERT:170:missing rsa signing cert
-SSL_R_MISSING_SIGALGS_EXTENSION:112:missing sigalgs extension
-SSL_R_MISSING_SIGNING_CERT:221:missing signing cert
-SSL_R_MISSING_SRP_PARAM:358:can't find SRP server param
-SSL_R_MISSING_SUPPORTED_GROUPS_EXTENSION:209:missing supported groups extension
-SSL_R_MISSING_TMP_DH_KEY:171:missing tmp dh key
-SSL_R_MISSING_TMP_ECDH_KEY:311:missing tmp ecdh key
-SSL_R_MIXED_HANDSHAKE_AND_NON_HANDSHAKE_DATA:293:\
-	mixed handshake and non handshake data
-SSL_R_NOT_ON_RECORD_BOUNDARY:182:not on record boundary
-SSL_R_NOT_REPLACING_CERTIFICATE:289:not replacing certificate
-SSL_R_NOT_SERVER:284:not server
-SSL_R_NO_APPLICATION_PROTOCOL:235:no application protocol
-SSL_R_NO_CERTIFICATES_RETURNED:176:no certificates returned
-SSL_R_NO_CERTIFICATE_ASSIGNED:177:no certificate assigned
-SSL_R_NO_CERTIFICATE_SET:179:no certificate set
-SSL_R_NO_CHANGE_FOLLOWING_HRR:214:no change following hrr
-SSL_R_NO_CIPHERS_AVAILABLE:181:no ciphers available
-SSL_R_NO_CIPHERS_SPECIFIED:183:no ciphers specified
-SSL_R_NO_CIPHER_MATCH:185:no cipher match
-SSL_R_NO_CLIENT_CERT_METHOD:331:no client cert method
-SSL_R_NO_COMPRESSION_SPECIFIED:187:no compression specified
-SSL_R_NO_COOKIE_CALLBACK_SET:287:no cookie callback set
-SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER:330:\
-	Peer haven't sent GOST certificate, required for selected ciphersuite
-SSL_R_NO_METHOD_SPECIFIED:188:no method specified
-SSL_R_NO_PEM_EXTENSIONS:389:no pem extensions
-SSL_R_NO_PRIVATE_KEY_ASSIGNED:190:no private key assigned
-SSL_R_NO_PROTOCOLS_AVAILABLE:191:no protocols available
-SSL_R_NO_RENEGOTIATION:339:no renegotiation
-SSL_R_NO_REQUIRED_DIGEST:324:no required digest
-SSL_R_NO_SHARED_CIPHER:193:no shared cipher
-SSL_R_NO_SHARED_GROUPS:410:no shared groups
-SSL_R_NO_SHARED_SIGNATURE_ALGORITHMS:376:no shared signature algorithms
-SSL_R_NO_SRTP_PROFILES:359:no srtp profiles
-SSL_R_NO_SUITABLE_DIGEST_ALGORITHM:297:no suitable digest algorithm
-SSL_R_NO_SUITABLE_GROUPS:295:no suitable groups
-SSL_R_NO_SUITABLE_KEY_SHARE:101:no suitable key share
-SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM:118:no suitable signature algorithm
-SSL_R_NO_VALID_SCTS:216:no valid scts
-SSL_R_NO_VERIFY_COOKIE_CALLBACK:403:no verify cookie callback
-SSL_R_NULL_SSL_CTX:195:null ssl ctx
-SSL_R_NULL_SSL_METHOD_PASSED:196:null ssl method passed
-SSL_R_OCSP_CALLBACK_FAILURE:305:ocsp callback failure
-SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED:197:old session cipher not returned
-SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED:344:\
-	old session compression algorithm not returned
-SSL_R_OVERFLOW_ERROR:237:overflow error
-SSL_R_PACKET_LENGTH_TOO_LONG:198:packet length too long
-SSL_R_PARSE_TLSEXT:227:parse tlsext
-SSL_R_PATH_TOO_LONG:270:path too long
-SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE:199:peer did not return a certificate
-SSL_R_PEM_NAME_BAD_PREFIX:391:pem name bad prefix
-SSL_R_PEM_NAME_TOO_SHORT:392:pem name too short
-SSL_R_PIPELINE_FAILURE:406:pipeline failure
-SSL_R_POST_HANDSHAKE_AUTH_ENCODING_ERR:278:post handshake auth encoding err
-SSL_R_PRIVATE_KEY_MISMATCH:288:private key mismatch
-SSL_R_PROTOCOL_IS_SHUTDOWN:207:protocol is shutdown
-SSL_R_PSK_IDENTITY_NOT_FOUND:223:psk identity not found
-SSL_R_PSK_NO_CLIENT_CB:224:psk no client cb
-SSL_R_PSK_NO_SERVER_CB:225:psk no server cb
-SSL_R_READ_BIO_NOT_SET:211:read bio not set
-SSL_R_READ_TIMEOUT_EXPIRED:312:read timeout expired
-SSL_R_RECORD_LENGTH_MISMATCH:213:record length mismatch
-SSL_R_RECORD_TOO_SMALL:298:record too small
-SSL_R_RENEGOTIATE_EXT_TOO_LONG:335:renegotiate ext too long
-SSL_R_RENEGOTIATION_ENCODING_ERR:336:renegotiation encoding err
-SSL_R_RENEGOTIATION_MISMATCH:337:renegotiation mismatch
-SSL_R_REQUEST_PENDING:285:request pending
-SSL_R_REQUEST_SENT:286:request sent
-SSL_R_REQUIRED_CIPHER_MISSING:215:required cipher missing
-SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING:342:\
-	required compression algorithm missing
-SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING:345:scsv received when renegotiating
-SSL_R_SCT_VERIFICATION_FAILED:208:sct verification failed
-SSL_R_SERVERHELLO_TLSEXT:275:serverhello tlsext
-SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED:277:session id context uninitialized
-SSL_R_SHUTDOWN_WHILE_IN_INIT:407:shutdown while in init
-SSL_R_SIGNATURE_ALGORITHMS_ERROR:360:signature algorithms error
-SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE:220:\
-	signature for non signing certificate
-SSL_R_SRP_A_CALC:361:error with the srp params
-SSL_R_SRTP_COULD_NOT_ALLOCATE_PROFILES:362:srtp could not allocate profiles
-SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG:363:\
-	srtp protection profile list too long
-SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE:364:srtp unknown protection profile
-SSL_R_SSL3_EXT_INVALID_MAX_FRAGMENT_LENGTH:232:\
-	ssl3 ext invalid max fragment length
-SSL_R_SSL3_EXT_INVALID_SERVERNAME:319:ssl3 ext invalid servername
-SSL_R_SSL3_EXT_INVALID_SERVERNAME_TYPE:320:ssl3 ext invalid servername type
-SSL_R_SSL3_SESSION_ID_TOO_LONG:300:ssl3 session id too long
-SSL_R_SSL_COMMAND_SECTION_EMPTY:117:ssl command section empty
-SSL_R_SSL_COMMAND_SECTION_NOT_FOUND:125:ssl command section not found
-SSL_R_SSL_CTX_HAS_NO_DEFAULT_SSL_VERSION:228:ssl ctx has no default ssl version
-SSL_R_SSL_HANDSHAKE_FAILURE:229:ssl handshake failure
-SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS:230:ssl library has no ciphers
-SSL_R_SSL_NEGATIVE_LENGTH:372:ssl negative length
-SSL_R_SSL_SECTION_EMPTY:126:ssl section empty
-SSL_R_SSL_SECTION_NOT_FOUND:136:ssl section not found
-SSL_R_SSL_SESSION_ID_CALLBACK_FAILED:301:ssl session id callback failed
-SSL_R_SSL_SESSION_ID_CONFLICT:302:ssl session id conflict
-SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG:273:ssl session id context too long
-SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH:303:ssl session id has bad length
-SSL_R_SSL_SESSION_ID_TOO_LONG:408:ssl session id too long
-SSL_R_SSL_SESSION_VERSION_MISMATCH:210:ssl session version mismatch
-SSL_R_STILL_IN_INIT:121:still in init
-SSL_R_TLS_ILLEGAL_EXPORTER_LABEL:367:tls illegal exporter label
-SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST:157:tls invalid ecpointformat list
-SSL_R_TOO_MANY_KEY_UPDATES:132:too many key updates
-SSL_R_TOO_MANY_WARN_ALERTS:409:too many warn alerts
-SSL_R_TOO_MUCH_EARLY_DATA:164:too much early data
-SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS:314:unable to find ecdh parameters
-SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS:239:\
-	unable to find public key parameters
-SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines
-SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines
-SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message
-SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data
-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading
-SSL_R_UNEXPECTED_MESSAGE:244:unexpected message
-SSL_R_UNEXPECTED_RECORD:245:unexpected record
-SSL_R_UNINITIALIZED:276:uninitialized
-SSL_R_UNKNOWN_ALERT_TYPE:246:unknown alert type
-SSL_R_UNKNOWN_CERTIFICATE_TYPE:247:unknown certificate type
-SSL_R_UNKNOWN_CIPHER_RETURNED:248:unknown cipher returned
-SSL_R_UNKNOWN_CIPHER_TYPE:249:unknown cipher type
-SSL_R_UNKNOWN_CMD_NAME:386:unknown cmd name
-SSL_R_UNKNOWN_COMMAND:139:unknown command
-SSL_R_UNKNOWN_DIGEST:368:unknown digest
-SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE:250:unknown key exchange type
-SSL_R_UNKNOWN_PKEY_TYPE:251:unknown pkey type
-SSL_R_UNKNOWN_PROTOCOL:252:unknown protocol
-SSL_R_UNKNOWN_SSL_VERSION:254:unknown ssl version
-SSL_R_UNKNOWN_STATE:255:unknown state
-SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED:338:\
-	unsafe legacy renegotiation disabled
-SSL_R_UNSOLICITED_EXTENSION:217:unsolicited extension
-SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM:257:unsupported compression algorithm
-SSL_R_UNSUPPORTED_ELLIPTIC_CURVE:315:unsupported elliptic curve
-SSL_R_UNSUPPORTED_PROTOCOL:258:unsupported protocol
-SSL_R_UNSUPPORTED_SSL_VERSION:259:unsupported ssl version
-SSL_R_UNSUPPORTED_STATUS_TYPE:329:unsupported status type
-SSL_R_USE_SRTP_NOT_NEGOTIATED:369:use srtp not negotiated
-SSL_R_VERSION_TOO_HIGH:166:version too high
-SSL_R_VERSION_TOO_LOW:396:version too low
-SSL_R_WRONG_CERTIFICATE_TYPE:383:wrong certificate type
-SSL_R_WRONG_CIPHER_RETURNED:261:wrong cipher returned
-SSL_R_WRONG_CURVE:378:wrong curve
-SSL_R_WRONG_SIGNATURE_LENGTH:264:wrong signature length
-SSL_R_WRONG_SIGNATURE_SIZE:265:wrong signature size
-SSL_R_WRONG_SIGNATURE_TYPE:370:wrong signature type
-SSL_R_WRONG_SSL_VERSION:266:wrong ssl version
-SSL_R_WRONG_VERSION_NUMBER:267:wrong version number
-SSL_R_X509_LIB:268:x509 lib
-SSL_R_X509_VERIFICATION_SETUP_PROBLEMS:269:x509 verification setup problems
-TS_R_BAD_PKCS7_TYPE:132:bad pkcs7 type
-TS_R_BAD_TYPE:133:bad type
-TS_R_CANNOT_LOAD_CERT:137:cannot load certificate
-TS_R_CANNOT_LOAD_KEY:138:cannot load private key
-TS_R_CERTIFICATE_VERIFY_ERROR:100:certificate verify error
-TS_R_COULD_NOT_SET_ENGINE:127:could not set engine
-TS_R_COULD_NOT_SET_TIME:115:could not set time
-TS_R_DETACHED_CONTENT:134:detached content
-TS_R_ESS_ADD_SIGNING_CERT_ERROR:116:ess add signing cert error
-TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR:139:ess add signing cert v2 error
-TS_R_ESS_SIGNING_CERTIFICATE_ERROR:101:ess signing certificate error
-TS_R_INVALID_NULL_POINTER:102:invalid null pointer
-TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE:117:invalid signer certificate purpose
-TS_R_MESSAGE_IMPRINT_MISMATCH:103:message imprint mismatch
-TS_R_NONCE_MISMATCH:104:nonce mismatch
-TS_R_NONCE_NOT_RETURNED:105:nonce not returned
-TS_R_NO_CONTENT:106:no content
-TS_R_NO_TIME_STAMP_TOKEN:107:no time stamp token
-TS_R_PKCS7_ADD_SIGNATURE_ERROR:118:pkcs7 add signature error
-TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR:119:pkcs7 add signed attr error
-TS_R_PKCS7_TO_TS_TST_INFO_FAILED:129:pkcs7 to ts tst info failed
-TS_R_POLICY_MISMATCH:108:policy mismatch
-TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE:120:\
-	private key does not match certificate
-TS_R_RESPONSE_SETUP_ERROR:121:response setup error
-TS_R_SIGNATURE_FAILURE:109:signature failure
-TS_R_THERE_MUST_BE_ONE_SIGNER:110:there must be one signer
-TS_R_TIME_SYSCALL_ERROR:122:time syscall error
-TS_R_TOKEN_NOT_PRESENT:130:token not present
-TS_R_TOKEN_PRESENT:131:token present
-TS_R_TSA_NAME_MISMATCH:111:tsa name mismatch
-TS_R_TSA_UNTRUSTED:112:tsa untrusted
-TS_R_TST_INFO_SETUP_ERROR:123:tst info setup error
-TS_R_TS_DATASIGN:124:ts datasign
-TS_R_UNACCEPTABLE_POLICY:125:unacceptable policy
-TS_R_UNSUPPORTED_MD_ALGORITHM:126:unsupported md algorithm
-TS_R_UNSUPPORTED_VERSION:113:unsupported version
-TS_R_VAR_BAD_VALUE:135:var bad value
-TS_R_VAR_LOOKUP_FAILURE:136:cannot find config variable
-TS_R_WRONG_CONTENT_TYPE:114:wrong content type
-UI_R_COMMON_OK_AND_CANCEL_CHARACTERS:104:common ok and cancel characters
-UI_R_INDEX_TOO_LARGE:102:index too large
-UI_R_INDEX_TOO_SMALL:103:index too small
-UI_R_NO_RESULT_BUFFER:105:no result buffer
-UI_R_PROCESSING_ERROR:107:processing error
-UI_R_RESULT_TOO_LARGE:100:result too large
-UI_R_RESULT_TOO_SMALL:101:result too small
-UI_R_SYSASSIGN_ERROR:109:sys$assign error
-UI_R_SYSDASSGN_ERROR:110:sys$dassgn error
-UI_R_SYSQIOW_ERROR:111:sys$qiow error
-UI_R_UNKNOWN_CONTROL_COMMAND:106:unknown control command
-UI_R_UNKNOWN_TTYGET_ERRNO_VALUE:108:unknown ttyget errno value
-UI_R_USER_DATA_DUPLICATION_UNSUPPORTED:112:user data duplication unsupported
-X509V3_R_BAD_IP_ADDRESS:118:bad ip address
-X509V3_R_BAD_OBJECT:119:bad object
-X509V3_R_BN_DEC2BN_ERROR:100:bn dec2bn error
-X509V3_R_BN_TO_ASN1_INTEGER_ERROR:101:bn to asn1 integer error
-X509V3_R_DIRNAME_ERROR:149:dirname error
-X509V3_R_DISTPOINT_ALREADY_SET:160:distpoint already set
-X509V3_R_DUPLICATE_ZONE_ID:133:duplicate zone id
-X509V3_R_EMPTY_KEY_USAGE:169:empty key usage
-X509V3_R_ERROR_CONVERTING_ZONE:131:error converting zone
-X509V3_R_ERROR_CREATING_EXTENSION:144:error creating extension
-X509V3_R_ERROR_IN_EXTENSION:128:error in extension
-X509V3_R_EXPECTED_A_SECTION_NAME:137:expected a section name
-X509V3_R_EXTENSION_EXISTS:145:extension exists
-X509V3_R_EXTENSION_NAME_ERROR:115:extension name error
-X509V3_R_EXTENSION_NOT_FOUND:102:extension not found
-X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED:103:extension setting not supported
-X509V3_R_EXTENSION_VALUE_ERROR:116:extension value error
-X509V3_R_ILLEGAL_EMPTY_EXTENSION:151:illegal empty extension
-X509V3_R_INCORRECT_POLICY_SYNTAX_TAG:152:incorrect policy syntax tag
-X509V3_R_INVALID_ASNUMBER:162:invalid asnumber
-X509V3_R_INVALID_ASRANGE:163:invalid asrange
-X509V3_R_INVALID_BOOLEAN_STRING:104:invalid boolean string
-X509V3_R_INVALID_CERTIFICATE:158:invalid certificate
-X509V3_R_INVALID_EMPTY_NAME:108:invalid empty name
-X509V3_R_INVALID_EXTENSION_STRING:105:invalid extension string
-X509V3_R_INVALID_INHERITANCE:165:invalid inheritance
-X509V3_R_INVALID_IPADDRESS:166:invalid ipaddress
-X509V3_R_INVALID_MULTIPLE_RDNS:161:invalid multiple rdns
-X509V3_R_INVALID_NAME:106:invalid name
-X509V3_R_INVALID_NULL_ARGUMENT:107:invalid null argument
-X509V3_R_INVALID_NULL_VALUE:109:invalid null value
-X509V3_R_INVALID_NUMBER:140:invalid number
-X509V3_R_INVALID_NUMBERS:141:invalid numbers
-X509V3_R_INVALID_OBJECT_IDENTIFIER:110:invalid object identifier
-X509V3_R_INVALID_OPTION:138:invalid option
-X509V3_R_INVALID_POLICY_IDENTIFIER:134:invalid policy identifier
-X509V3_R_INVALID_PROXY_POLICY_SETTING:153:invalid proxy policy setting
-X509V3_R_INVALID_PURPOSE:146:invalid purpose
-X509V3_R_INVALID_SAFI:164:invalid safi
-X509V3_R_INVALID_SECTION:135:invalid section
-X509V3_R_INVALID_SYNTAX:143:invalid syntax
-X509V3_R_ISSUER_DECODE_ERROR:126:issuer decode error
-X509V3_R_MISSING_VALUE:124:missing value
-X509V3_R_NEED_ORGANIZATION_AND_NUMBERS:142:need organization and numbers
-X509V3_R_NEGATIVE_PATHLEN:168:negative pathlen
-X509V3_R_NO_CONFIG_DATABASE:136:no config database
-X509V3_R_NO_ISSUER_CERTIFICATE:121:no issuer certificate
-X509V3_R_NO_ISSUER_DETAILS:127:no issuer details
-X509V3_R_NO_POLICY_IDENTIFIER:139:no policy identifier
-X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED:154:\
-	no proxy cert policy language defined
-X509V3_R_NO_PUBLIC_KEY:114:no public key
-X509V3_R_NO_SUBJECT_DETAILS:125:no subject details
-X509V3_R_OPERATION_NOT_DEFINED:148:operation not defined
-X509V3_R_OTHERNAME_ERROR:147:othername error
-X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED:155:policy language already defined
-X509V3_R_POLICY_PATH_LENGTH:156:policy path length
-X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED:157:\
-	policy path length already defined
-X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY:159:\
-	policy when proxy language requires no policy
-X509V3_R_SECTION_NOT_FOUND:150:section not found
-X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS:122:unable to get issuer details
-X509V3_R_UNABLE_TO_GET_ISSUER_KEYID:123:unable to get issuer keyid
-X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT:111:unknown bit string argument
-X509V3_R_UNKNOWN_EXTENSION:129:unknown extension
-X509V3_R_UNKNOWN_EXTENSION_NAME:130:unknown extension name
-X509V3_R_UNKNOWN_OPTION:120:unknown option
-X509V3_R_UNSUPPORTED_OPTION:117:unsupported option
-X509V3_R_UNSUPPORTED_TYPE:167:unsupported type
-X509V3_R_USER_TOO_LONG:132:user too long
-X509_R_AKID_MISMATCH:110:akid mismatch
-X509_R_BAD_SELECTOR:133:bad selector
-X509_R_BAD_X509_FILETYPE:100:bad x509 filetype
-X509_R_BASE64_DECODE_ERROR:118:base64 decode error
-X509_R_CANT_CHECK_DH_KEY:114:cant check dh key
-X509_R_CERTIFICATE_VERIFICATION_FAILED:139:certificate verification failed
-X509_R_CERT_ALREADY_IN_HASH_TABLE:101:cert already in hash table
-X509_R_CRL_ALREADY_DELTA:127:crl already delta
-X509_R_CRL_VERIFY_FAILURE:131:crl verify failure
-X509_R_ERROR_GETTING_MD_BY_NID:141:error getting md by nid
-X509_R_ERROR_USING_SIGINF_SET:142:error using siginf set
-X509_R_IDP_MISMATCH:128:idp mismatch
-X509_R_INVALID_ATTRIBUTES:138:invalid attributes
-X509_R_INVALID_DIRECTORY:113:invalid directory
-X509_R_INVALID_DISTPOINT:143:invalid distpoint
-X509_R_INVALID_FIELD_NAME:119:invalid field name
-X509_R_INVALID_TRUST:123:invalid trust
-X509_R_ISSUER_MISMATCH:129:issuer mismatch
-X509_R_KEY_TYPE_MISMATCH:115:key type mismatch
-X509_R_KEY_VALUES_MISMATCH:116:key values mismatch
-X509_R_LOADING_CERT_DIR:103:loading cert dir
-X509_R_LOADING_DEFAULTS:104:loading defaults
-X509_R_METHOD_NOT_SUPPORTED:124:method not supported
-X509_R_NAME_TOO_LONG:134:name too long
-X509_R_NEWER_CRL_NOT_NEWER:132:newer crl not newer
-X509_R_NO_CERTIFICATE_FOUND:135:no certificate found
-X509_R_NO_CERTIFICATE_OR_CRL_FOUND:136:no certificate or crl found
-X509_R_NO_CERT_SET_FOR_US_TO_VERIFY:105:no cert set for us to verify
-X509_R_NO_CRL_FOUND:137:no crl found
-X509_R_NO_CRL_NUMBER:130:no crl number
-X509_R_PUBLIC_KEY_DECODE_ERROR:125:public key decode error
-X509_R_PUBLIC_KEY_ENCODE_ERROR:126:public key encode error
-X509_R_SHOULD_RETRY:106:should retry
-X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN:107:unable to find parameters in chain
-X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY:108:unable to get certs public key
-X509_R_UNKNOWN_KEY_TYPE:117:unknown key type
-X509_R_UNKNOWN_NID:109:unknown nid
-X509_R_UNKNOWN_PURPOSE_ID:121:unknown purpose id
-X509_R_UNKNOWN_SIGID_ALGS:144:unknown sigid algs
-X509_R_UNKNOWN_TRUST_ID:120:unknown trust id
-X509_R_UNSUPPORTED_ALGORITHM:111:unsupported algorithm
-X509_R_WRONG_LOOKUP_TYPE:112:wrong lookup type
-X509_R_WRONG_TYPE:122:wrong type

+ 0 - 58
libs/openssl/crypto/ess/ess_asn1.c

@@ -1,58 +0,0 @@
-/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/err.h>
-#include <openssl/asn1t.h>
-#include <openssl/cms.h>
-#include <openssl/ess.h>
-#include <openssl/x509v3.h>
-#include "crypto/ess.h"
-
-/* ASN1 stuff for ESS Structure */
-
-ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = {
-        ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME),
-        ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER)
-} static_ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL)
-
-IMPLEMENT_ASN1_FUNCTIONS(ESS_ISSUER_SERIAL)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
-
-ASN1_SEQUENCE(ESS_CERT_ID) = {
-        ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING),
-        ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL)
-} static_ASN1_SEQUENCE_END(ESS_CERT_ID)
-
-IMPLEMENT_ASN1_FUNCTIONS(ESS_CERT_ID)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID)
-
-ASN1_SEQUENCE(ESS_SIGNING_CERT) = {
-        ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID),
-        ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO)
-} ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
-
-IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
-
-ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
-        ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
-        ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
-        ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
-} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)
-
-IMPLEMENT_ASN1_FUNCTIONS(ESS_CERT_ID_V2)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
-
-ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
-        ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
-        ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
-} ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
-
-IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)

+ 0 - 315
libs/openssl/crypto/ess/ess_lib.c

@@ -1,315 +0,0 @@
-/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h>
-#include <openssl/x509v3.h>
-#include <openssl/err.h>
-#include <openssl/ess.h>
-#include "internal/sizes.h"
-#include "crypto/ess.h"
-#include "crypto/x509.h"
-
-static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
-                                         int set_issuer_serial);
-static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               const X509 *cert,
-                                               int set_issuer_serial);
-
-ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
-                                                 const STACK_OF(X509) *certs,
-                                                 int set_issuer_serial)
-{
-    ESS_CERT_ID *cid = NULL;
-    ESS_SIGNING_CERT *sc;
-    int i;
-
-    if ((sc = ESS_SIGNING_CERT_new()) == NULL)
-        goto err;
-    if (sc->cert_ids == NULL
-        && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
-        goto err;
-
-    if ((cid = ESS_CERT_ID_new_init(signcert, set_issuer_serial)) == NULL
-        || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
-        goto err;
-    for (i = 0; i < sk_X509_num(certs); ++i) {
-        X509 *cert = sk_X509_value(certs, i);
-
-        if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL
-            || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
-            goto err;
-    }
-
-    return sc;
- err:
-    ESS_SIGNING_CERT_free(sc);
-    ESS_CERT_ID_free(cid);
-    ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
-                                         int set_issuer_serial)
-{
-    ESS_CERT_ID *cid = NULL;
-    GENERAL_NAME *name = NULL;
-    unsigned char cert_sha1[SHA_DIGEST_LENGTH];
-
-    if ((cid = ESS_CERT_ID_new()) == NULL)
-        goto err;
-    if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
-        goto err;
-    if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
-        goto err;
-
-    /* Setting the issuer/serial if requested. */
-    if (!set_issuer_serial)
-        return cid;
-
-    if (cid->issuer_serial == NULL
-        && (cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
-        goto err;
-    if ((name = GENERAL_NAME_new()) == NULL)
-        goto err;
-    name->type = GEN_DIRNAME;
-    if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
-        goto err;
-    if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
-        goto err;
-    name = NULL;            /* Ownership is lost. */
-    ASN1_INTEGER_free(cid->issuer_serial->serial);
-    if ((cid->issuer_serial->serial =
-          ASN1_INTEGER_dup(X509_get0_serialNumber(cert))) == NULL)
-        goto err;
-
-    return cid;
- err:
-    GENERAL_NAME_free(name);
-    ESS_CERT_ID_free(cid);
-    ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
-                                                       const X509 *signcert,
-                                                       const
-                                                       STACK_OF(X509) *certs,
-                                                       int set_issuer_serial)
-{
-    ESS_CERT_ID_V2 *cid = NULL;
-    ESS_SIGNING_CERT_V2 *sc;
-    int i;
-
-    if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
-        goto err;
-    cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, set_issuer_serial);
-    if (cid == NULL)
-        goto err;
-    if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
-        goto err;
-    cid = NULL;
-
-    for (i = 0; i < sk_X509_num(certs); ++i) {
-        X509 *cert = sk_X509_value(certs, i);
-
-        if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, cert, 1)) == NULL)
-            goto err;
-        if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
-            goto err;
-        cid = NULL;
-    }
-
-    return sc;
- err:
-    ESS_SIGNING_CERT_V2_free(sc);
-    ESS_CERT_ID_V2_free(cid);
-    ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               const X509 *cert,
-                                               int set_issuer_serial)
-{
-    ESS_CERT_ID_V2 *cid;
-    GENERAL_NAME *name = NULL;
-    unsigned char hash[EVP_MAX_MD_SIZE];
-    unsigned int hash_len = sizeof(hash);
-    X509_ALGOR *alg = NULL;
-
-    memset(hash, 0, sizeof(hash));
-
-    if ((cid = ESS_CERT_ID_V2_new()) == NULL)
-        goto err;
-
-    if (!EVP_MD_is_a(hash_alg, SN_sha256)) {
-        alg = X509_ALGOR_new();
-        if (alg == NULL)
-            goto err;
-        X509_ALGOR_set_md(alg, hash_alg);
-        if (alg->algorithm == NULL)
-            goto err;
-        cid->hash_alg = alg;
-        alg = NULL;
-    } else {
-        cid->hash_alg = NULL;
-    }
-
-    if (!X509_digest(cert, hash_alg, hash, &hash_len))
-        goto err;
-
-    if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
-        goto err;
-
-    if (!set_issuer_serial)
-        return cid;
-
-    if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
-        goto err;
-    if ((name = GENERAL_NAME_new()) == NULL)
-        goto err;
-    name->type = GEN_DIRNAME;
-    if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
-        goto err;
-    if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
-        goto err;
-    name = NULL;            /* Ownership is lost. */
-    ASN1_INTEGER_free(cid->issuer_serial->serial);
-    cid->issuer_serial->serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert));
-    if (cid->issuer_serial->serial == NULL)
-        goto err;
-
-    return cid;
- err:
-    X509_ALGOR_free(alg);
-    GENERAL_NAME_free(name);
-    ESS_CERT_ID_V2_free(cid);
-    ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-    return NULL;
-}
-
-static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert)
-{
-    GENERAL_NAME *issuer;
-
-    if (is == NULL || cert == NULL || sk_GENERAL_NAME_num(is->issuer) != 1)
-        return -1;
-
-    issuer = sk_GENERAL_NAME_value(is->issuer, 0);
-    if (issuer->type != GEN_DIRNAME
-        || X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert)) != 0)
-        return -1;
-
-    return ASN1_INTEGER_cmp(is->serial, X509_get0_serialNumber(cert));
-}
-
-/*
- * Find the cert in |certs| referenced by |cid| if not NULL, else by |cid_v2|.
- * The cert must be the first one in |certs| if and only if |index| is 0.
- * Return 0 on not found, -1 on error, else 1 + the position in |certs|.
- */
-static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
-                int index, const STACK_OF(X509) *certs)
-{
-    const X509 *cert;
-    EVP_MD *md = NULL;
-    char name[OSSL_MAX_NAME_SIZE];
-    unsigned char cert_digest[EVP_MAX_MD_SIZE];
-    unsigned int len, cid_hash_len;
-    const ESS_ISSUER_SERIAL *is;
-    int i;
-    int ret = -1;
-
-    if (cid == NULL && cid_v2 == NULL) {
-        ERR_raise(ERR_LIB_ESS, ERR_R_PASSED_INVALID_ARGUMENT);
-        return -1;
-    }
-
-    if (cid != NULL)
-        strcpy(name, "SHA1");
-    else if (cid_v2->hash_alg == NULL)
-        strcpy(name, "SHA256");
-    else
-        OBJ_obj2txt(name, sizeof(name), cid_v2->hash_alg->algorithm, 0);
-
-    (void)ERR_set_mark();
-    md = EVP_MD_fetch(NULL, name, NULL);
-
-    if (md == NULL)
-        md = (EVP_MD *)EVP_get_digestbyname(name);
-
-    if (md == NULL) {
-        (void)ERR_clear_last_mark();
-        ERR_raise(ERR_LIB_ESS, ESS_R_ESS_DIGEST_ALG_UNKNOWN);
-        goto end;
-    }
-    (void)ERR_pop_to_mark();
-
-    for (i = 0; i < sk_X509_num(certs); ++i) {
-        cert = sk_X509_value(certs, i);
-
-        cid_hash_len = cid != NULL ? cid->hash->length : cid_v2->hash->length;
-        if (!X509_digest(cert, md, cert_digest, &len)
-                || cid_hash_len != len) {
-            ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_DIGEST_ERROR);
-            goto end;
-        }
-
-        if (memcmp(cid != NULL ? cid->hash->data : cid_v2->hash->data,
-                   cert_digest, len) == 0) {
-            is = cid != NULL ? cid->issuer_serial : cid_v2->issuer_serial;
-            /* Well, it's not really required to match the serial numbers. */
-            if (is == NULL || ess_issuer_serial_cmp(is, cert) == 0) {
-                if ((i == 0) == (index == 0)) {
-                    ret = i + 1;
-                    goto end;
-                }
-                ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_ID_WRONG_ORDER);
-                goto end;
-            }
-        }
-    }
-
-    ret = 0;
-    ERR_raise(ERR_LIB_ESS, ESS_R_ESS_CERT_ID_NOT_FOUND);
-end:
-    EVP_MD_free(md);
-    return ret;
-}
-
-int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
-                                 const ESS_SIGNING_CERT_V2 *ssv2,
-                                 const STACK_OF(X509) *chain,
-                                 int require_signing_cert)
-{
-    int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids);
-    int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids);
-    int i, ret;
-
-    if (require_signing_cert && ss == NULL && ssv2 == NULL) {
-        ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
-        return -1;
-    }
-    if (n_v1 == 0 || n_v2 == 0) {
-        ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST);
-        return -1;
-    }
-    /* If both ss and ssv2 exist, as required evaluate them independently. */
-    for (i = 0; i < n_v1; i++) {
-        ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain);
-        if (ret <= 0)
-            return ret;
-    }
-    for (i = 0; i < n_v2; i++) {
-        ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain);
-        if (ret <= 0)
-            return ret;
-    }
-    return 1;
-}

+ 0 - 34
libs/openssl/crypto/evp/legacy_md2.c

@@ -1,34 +0,0 @@
-/*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * MD2 low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-#include <openssl/md2.h>
-#include "crypto/evp.h"
-#include "legacy_meth.h"
-
-IMPLEMENT_LEGACY_EVP_MD_METH(md2, MD2)
-
-static const EVP_MD md2_md = {
-    NID_md2,
-    NID_md2WithRSAEncryption,
-    MD2_DIGEST_LENGTH,
-    0,
-    EVP_ORIG_GLOBAL,
-    LEGACY_EVP_MD_METH_TABLE(md2_init, md2_update, md2_final, NULL, MD2_BLOCK)
-};
-
-const EVP_MD *EVP_md2(void)
-{
-    return &md2_md;
-}

+ 0 - 35
libs/openssl/crypto/evp/legacy_mdc2.c

@@ -1,35 +0,0 @@
-/*
- * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * MDC2 low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-#include <openssl/mdc2.h>
-#include "crypto/evp.h"
-#include "legacy_meth.h"
-
-IMPLEMENT_LEGACY_EVP_MD_METH(mdc2, MDC2)
-
-static const EVP_MD mdc2_md = {
-    NID_mdc2,
-    NID_mdc2WithRSA,
-    MDC2_DIGEST_LENGTH,
-    0,
-    EVP_ORIG_GLOBAL,
-    LEGACY_EVP_MD_METH_TABLE(mdc2_init, mdc2_update, mdc2_final, NULL,
-                             MDC2_BLOCK),
-};
-
-const EVP_MD *EVP_mdc2(void)
-{
-    return &mdc2_md;
-}

+ 0 - 35
libs/openssl/crypto/evp/legacy_wp.c

@@ -1,35 +0,0 @@
-/*
- * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-/*
- * Whirlpool low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
-#include <openssl/whrlpool.h>
-#include "crypto/evp.h"
-#include "legacy_meth.h"
-
-IMPLEMENT_LEGACY_EVP_MD_METH(wp, WHIRLPOOL)
-
-static const EVP_MD whirlpool_md = {
-    NID_whirlpool,
-    0,
-    WHIRLPOOL_DIGEST_LENGTH,
-    0,
-    EVP_ORIG_GLOBAL,
-    LEGACY_EVP_MD_METH_TABLE(wp_init, wp_update, wp_final, NULL,
-                             WHIRLPOOL_BBLOCK / 8),
-};
-
-const EVP_MD *EVP_whirlpool(void)
-{
-    return &whirlpool_md;
-}

+ 1 - 0
libs/openssl/crypto/ffc/ffc_dh.c

@@ -10,6 +10,7 @@
 #include "internal/ffc.h"
 #include "internal/nelem.h"
 #include "crypto/bn_dh.h"
+#include "../bn/bn_local.h" // WINSCP
 
 #ifndef OPENSSL_NO_DH
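Review bot: The added `#include "../bn/bn_local.h" // WINSCP` pulls the bn module's private header into ffc_dh.c by relative path, and the comment records only that it is a local change, not what this file needs from it. Nothing in the hunk shows which declaration or macro from bn_local.h is used, so on the next OpenSSL upgrade a maintainer cannot tell whether the include is still required or whether an upstream header now provides the same thing. Suggest naming the dependency in the comment, e.g. `#include "../bn/bn_local.h" /* WINSCP: needed for <symbol or macro used in this file> */`, so the local patch stays auditable against upstream. The hunk covers only the include block; the rest of ffc_dh.c is outside it.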
 

+ 0 - 211
libs/openssl/crypto/info.c

@@ -1,211 +0,0 @@
-/*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/crypto.h>
-#include "crypto/rand.h"
-#include "crypto/dso_conf.h"
-#include "internal/thread_once.h"
-#include "internal/cryptlib.h"
-#include "internal/e_os.h"
-#include "buildinf.h"
-
-#if defined(__arm__) || defined(__arm) || defined(__aarch64__)
-# include "arm_arch.h"
-# define CPU_INFO_STR_LEN 128
-#elif defined(__s390__) || defined(__s390x__)
-# include "s390x_arch.h"
-# define CPU_INFO_STR_LEN 2048
-#else
-# define CPU_INFO_STR_LEN 128
-#endif
-
-/* extern declaration to avoid warning */
-extern char ossl_cpu_info_str[];
-
-static char *seed_sources = NULL;
-
-char ossl_cpu_info_str[CPU_INFO_STR_LEN] = "";
-#define CPUINFO_PREFIX "CPUINFO: "
-
-static CRYPTO_ONCE init_info = CRYPTO_ONCE_STATIC_INIT;
-
-DEFINE_RUN_ONCE_STATIC(init_info_strings)
-{
-#if defined(OPENSSL_CPUID_OBJ)
-# if defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
-     defined(__x86_64) || defined(__x86_64__) || \
-     defined(_M_AMD64) || defined(_M_X64)
-    const char *env;
-
-    BIO_snprintf(ossl_cpu_info_str, sizeof(ossl_cpu_info_str),
-                 CPUINFO_PREFIX "OPENSSL_ia32cap=0x%llx:0x%llx",
-                 (unsigned long long)OPENSSL_ia32cap_P[0] |
-                 (unsigned long long)OPENSSL_ia32cap_P[1] << 32,
-                 (unsigned long long)OPENSSL_ia32cap_P[2] |
-                 (unsigned long long)OPENSSL_ia32cap_P[3] << 32);
-    if ((env = getenv("OPENSSL_ia32cap")) != NULL)
-        BIO_snprintf(ossl_cpu_info_str + strlen(ossl_cpu_info_str),
-                     sizeof(ossl_cpu_info_str) - strlen(ossl_cpu_info_str),
-                     " env:%s", env);
-# elif defined(__arm__) || defined(__arm) || defined(__aarch64__)
-    const char *env;
-
-    BIO_snprintf(ossl_cpu_info_str, sizeof(ossl_cpu_info_str),
-                 CPUINFO_PREFIX "OPENSSL_armcap=0x%x", OPENSSL_armcap_P);
-    if ((env = getenv("OPENSSL_armcap")) != NULL)
-        BIO_snprintf(ossl_cpu_info_str + strlen(ossl_cpu_info_str),
-                     sizeof(ossl_cpu_info_str) - strlen(ossl_cpu_info_str),
-                     " env:%s", env);
-# elif defined(__s390__) || defined(__s390x__)
-    const char *env;
-
-    BIO_snprintf(ossl_cpu_info_str, sizeof(ossl_cpu_info_str),
-                 CPUINFO_PREFIX "OPENSSL_s390xcap="
-                 "stfle:0x%llx:0x%llx:0x%llx:0x%llx:"
-                 "kimd:0x%llx:0x%llx:"
-                 "klmd:0x%llx:0x%llx:"
-                 "km:0x%llx:0x%llx:"
-                 "kmc:0x%llx:0x%llx:"
-                 "kmac:0x%llx:0x%llx:"
-                 "kmctr:0x%llx:0x%llx:"
-                 "kmo:0x%llx:0x%llx:"
-                 "kmf:0x%llx:0x%llx:"
-                 "prno:0x%llx:0x%llx:"
-                 "kma:0x%llx:0x%llx:"
-                 "pcc:0x%llx:0x%llx:"
-                 "kdsa:0x%llx:0x%llx",
-                 OPENSSL_s390xcap_P.stfle[0], OPENSSL_s390xcap_P.stfle[1],
-                 OPENSSL_s390xcap_P.stfle[2], OPENSSL_s390xcap_P.stfle[3],
-                 OPENSSL_s390xcap_P.kimd[0], OPENSSL_s390xcap_P.kimd[1],
-                 OPENSSL_s390xcap_P.klmd[0], OPENSSL_s390xcap_P.klmd[1],
-                 OPENSSL_s390xcap_P.km[0], OPENSSL_s390xcap_P.km[1],
-                 OPENSSL_s390xcap_P.kmc[0], OPENSSL_s390xcap_P.kmc[1],
-                 OPENSSL_s390xcap_P.kmac[0], OPENSSL_s390xcap_P.kmac[1],
-                 OPENSSL_s390xcap_P.kmctr[0], OPENSSL_s390xcap_P.kmctr[1],
-                 OPENSSL_s390xcap_P.kmo[0], OPENSSL_s390xcap_P.kmo[1],
-                 OPENSSL_s390xcap_P.kmf[0], OPENSSL_s390xcap_P.kmf[1],
-                 OPENSSL_s390xcap_P.prno[0], OPENSSL_s390xcap_P.prno[1],
-                 OPENSSL_s390xcap_P.kma[0], OPENSSL_s390xcap_P.kma[1],
-                 OPENSSL_s390xcap_P.pcc[0], OPENSSL_s390xcap_P.pcc[1],
-                 OPENSSL_s390xcap_P.kdsa[0], OPENSSL_s390xcap_P.kdsa[1]);
-    if ((env = getenv("OPENSSL_s390xcap")) != NULL)
-        BIO_snprintf(ossl_cpu_info_str + strlen(ossl_cpu_info_str),
-                     sizeof(ossl_cpu_info_str) - strlen(ossl_cpu_info_str),
-                     " env:%s", env);
-# endif
-#endif
-
-    {
-        static char seeds[512] = "";
-
-#define add_seeds_string(str)                                           \
-        do {                                                            \
-            if (seeds[0] != '\0')                                       \
-                OPENSSL_strlcat(seeds, " ", sizeof(seeds));             \
-            OPENSSL_strlcat(seeds, str, sizeof(seeds));                 \
-        } while (0)
-#define add_seeds_stringlist(label, strlist)                            \
-        do {                                                            \
-            add_seeds_string(label "(");                                \
-            {                                                           \
-                const char *dev[] =  { strlist, NULL };                 \
-                const char **p;                                         \
-                int first = 1;                                          \
-                                                                        \
-                for (p = dev; *p != NULL; p++) {                        \
-                    if (!first)                                         \
-                        OPENSSL_strlcat(seeds, " ", sizeof(seeds));     \
-                    first = 0;                                          \
-                    OPENSSL_strlcat(seeds, *p, sizeof(seeds));          \
-                }                                                       \
-            }                                                           \
-            OPENSSL_strlcat(seeds, ")", sizeof(seeds));                 \
-        } while (0)
-
-#ifdef OPENSSL_RAND_SEED_NONE
-        add_seeds_string("none");
-#endif
-#ifdef OPENSSL_RAND_SEED_RDTSC
-        add_seeds_string("rdtsc");
-#endif
-#ifdef OPENSSL_RAND_SEED_RDCPU
-# ifdef __aarch64__
-        add_seeds_string("rndr ( rndrrs rndr )");
-# else
-        add_seeds_string("rdrand ( rdseed rdrand )");
-# endif
-#endif
-#ifdef OPENSSL_RAND_SEED_LIBRANDOM
-        add_seeds_string("C-library-random");
-#endif
-#ifdef OPENSSL_RAND_SEED_GETRANDOM
-        add_seeds_string("getrandom-syscall");
-#endif
-#ifdef OPENSSL_RAND_SEED_DEVRANDOM
-        add_seeds_stringlist("random-device", DEVRANDOM);
-#endif
-#ifdef OPENSSL_RAND_SEED_EGD
-        add_seeds_stringlist("EGD", DEVRANDOM_EGD);
-#endif
-#ifdef OPENSSL_RAND_SEED_OS
-        add_seeds_string("os-specific");
-#endif
-        seed_sources = seeds;
-    }
-    return 1;
-}
-
-const char *OPENSSL_info(int t)
-{
-    /*
-     * We don't care about the result.  Worst case scenario, the strings
-     * won't be initialised, i.e. remain NULL, which means that the info
-     * isn't available anyway...
-     */
-    (void)RUN_ONCE(&init_info, init_info_strings);
-
-    switch (t) {
-    case OPENSSL_INFO_CONFIG_DIR:
-        return OPENSSLDIR;
-    case OPENSSL_INFO_ENGINES_DIR:
-        return ENGINESDIR;
-    case OPENSSL_INFO_MODULES_DIR:
-        return MODULESDIR;
-    case OPENSSL_INFO_DSO_EXTENSION:
-        return DSO_EXTENSION;
-    case OPENSSL_INFO_DIR_FILENAME_SEPARATOR:
-#if defined(_WIN32)
-        return "\\";
-#elif defined(__VMS)
-        return "";
-#else  /* Assume POSIX */
-        return "/";
-#endif
-    case OPENSSL_INFO_LIST_SEPARATOR:
-        {
-            static const char list_sep[] = { LIST_SEPARATOR_CHAR, '\0' };
-            return list_sep;
-        }
-    case OPENSSL_INFO_SEED_SOURCE:
-        return seed_sources;
-    case OPENSSL_INFO_CPU_SETTINGS:
-        /*
-         * If successfully initialized, ossl_cpu_info_str will start
-         * with CPUINFO_PREFIX, if failed it will be an empty string.
-         * Strip away the CPUINFO_PREFIX which we don't need here.
-         */
-        if (ossl_cpu_info_str[0] != '\0')
-            return ossl_cpu_info_str + strlen(CPUINFO_PREFIX);
-        break;
-    default:
-        break;
-    }
-    /* Not an error */
-    return NULL;
-}

+ 0 - 17
libs/openssl/crypto/loongarch_arch.h

@@ -1,17 +0,0 @@
-/*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-#ifndef OSSL_CRYPTO_LOONGARCH_ARCH_H
-# define OSSL_CRYPTO_LOONGARCH_ARCH_H
-
-extern unsigned int OPENSSL_loongarchcap_P;
-# define LOONGARCH_CFG2      0x02
-# define LOONGARCH_CFG2_LSX  (1<<6)
-# define LOONGARCH_CFG2_LASX (1<<7)
-
-#endif

+ 0 - 22
libs/openssl/crypto/loongarchcap.c

@@ -1,22 +0,0 @@
-/*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-#include "loongarch_arch.h"
-
-unsigned int OPENSSL_loongarchcap_P = 0;
-
-void OPENSSL_cpuid_setup(void)
-{
-	unsigned int reg;
-	__asm__ volatile(
-	    "cpucfg %0, %1 \n\t"
-	    : "+&r"(reg)
-	    : "r"(LOONGARCH_CFG2)
-	);
-	OPENSSL_loongarchcap_P = reg;
-}

+ 4 - 3
libs/openssl/crypto/md5/asm/md5_586.asm

@@ -1,3 +1,4 @@
+
 %ifidn __OUTPUT_FORMAT__,obj
 section	code	use32 class=code align=256
 %elifidn __OUTPUT_FORMAT__,win32
@@ -6,10 +7,10 @@ section	.text	code align=256
 %else
 section	.text	code
 %endif
-global	_md5_block_asm_data_order
+global	_ossl_md5_block_asm_data_order
 align	16
-_md5_block_asm_data_order:
-L$_md5_block_asm_data_order_begin:
+_ossl_md5_block_asm_data_order:
+L$_ossl_md5_block_asm_data_order_begin:
 	push	esi
 	push	edi
 	mov	edi,DWORD [12+esp]

+ 0 - 40
libs/openssl/crypto/mips_arch.h

@@ -1,40 +0,0 @@
-/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_MIPS_ARCH_H
-# define OSSL_CRYPTO_MIPS_ARCH_H
-
-# if (defined(__mips_smartmips) || defined(_MIPS_ARCH_MIPS32R3) || \
-      defined(_MIPS_ARCH_MIPS32R5) || defined(_MIPS_ARCH_MIPS32R6)) \
-      && !defined(_MIPS_ARCH_MIPS32R2)
-#  define _MIPS_ARCH_MIPS32R2
-# endif
-
-# if (defined(_MIPS_ARCH_MIPS64R3) || defined(_MIPS_ARCH_MIPS64R5) || \
-      defined(_MIPS_ARCH_MIPS64R6)) \
-      && !defined(_MIPS_ARCH_MIPS64R2)
-#  define _MIPS_ARCH_MIPS64R2
-# endif
-
-# if defined(_MIPS_ARCH_MIPS64R6)
-#  define dmultu(rs,rt)
-#  define mflo(rd,rs,rt)	dmulu	rd,rs,rt
-#  define mfhi(rd,rs,rt)	dmuhu	rd,rs,rt
-# elif defined(_MIPS_ARCH_MIPS32R6)
-#  define multu(rs,rt)
-#  define mflo(rd,rs,rt)	mulu	rd,rs,rt
-#  define mfhi(rd,rs,rt)	muhu	rd,rs,rt
-# else
-#  define dmultu(rs,rt)		dmultu	rs,rt
-#  define multu(rs,rt)		multu	rs,rt
-#  define mflo(rd,rs,rt)	mflo	rd
-#  define mfhi(rd,rs,rt)	mfhi	rd
-# endif
-
-#endif

+ 0 - 4975
libs/openssl/crypto/modes/asm/aes-gcm-avx512.pl

@@ -1,4975 +0,0 @@
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
-# Copyright (c) 2021, Intel Corporation. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-#
-# This implementation is based on the AES-GCM code (AVX512VAES + VPCLMULQDQ)
-# from Intel(R) Multi-Buffer Crypto for IPsec Library v1.1
-# (https://github.com/intel/intel-ipsec-mb).
-# Original author is Tomasz Kantecki <[email protected]>.
-#
-# References:
-#  [1] Vinodh Gopal et. al. Optimized Galois-Counter-Mode Implementation on
-#      Intel Architecture Processors. August, 2010.
-#  [2] Erdinc Ozturk et. al. Enabling High-Performance Galois-Counter-Mode on
-#      Intel Architecture Processors. October, 2012.
-#  [3] Shay Gueron et. al. Intel Carry-Less Multiplication Instruction and its
-#      Usage for Computing the GCM Mode. May, 2010.
-#
-#
-# December 2021
-#
-# Initial release.
-#
-# GCM128_CONTEXT structure has storage for 16 hkeys only, but this
-# implementation can use up to 48.  To avoid extending the context size,
-# precompute and store in the context first 16 hkeys only, and compute the rest
-# on demand keeping them in the local frame.
-#
-#======================================================================
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output  = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop   : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.|          ? shift : undef;
-
-$win64 = 0;
-$win64 = 1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-
-$avx512vaes = 0;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/;
-$dir = $1;
-($xlate = "${dir}x86_64-xlate.pl" and -f $xlate)
-  or ($xlate = "${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate)
-  or die "can't locate x86_64-xlate.pl";
-
-if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1` =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
-  $avx512vaes = ($1 >= 2.30);
-}
-
-if (!$avx512vaes
-  && $win64
-  && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/)
-  && `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)(?:\.([0-9]+))?/)
-{
-  $avx512vaes = ($1 == 2.13 && $2 >= 3) + ($1 >= 2.14);
-}
-
-if (!$avx512vaes && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
-  $avx512vaes = ($2 >= 7.0);
-}
-
-open OUT, "| \"$^X\" \"$xlate\" $flavour \"$output\""
-  or die "can't call $xlate: $!";
-*STDOUT = *OUT;
-
-#======================================================================
-if ($avx512vaes>0) { #<<<
-
-$code .= <<___;
-.extern OPENSSL_ia32cap_P
-.globl  ossl_vaes_vpclmulqdq_capable
-.type   ossl_vaes_vpclmulqdq_capable,\@abi-omnipotent
-.align 32
-ossl_vaes_vpclmulqdq_capable:
-    mov OPENSSL_ia32cap_P+8(%rip), %rcx
-    # avx512vpclmulqdq + avx512vaes + avx512vl + avx512bw + avx512dq + avx512f
-    mov \$`1<<42|1<<41|1<<31|1<<30|1<<17|1<<16`,%rdx
-    xor %eax,%eax
-    and %rdx,%rcx
-    cmp %rdx,%rcx
-    cmove %rcx,%rax
-    ret
-.size   ossl_vaes_vpclmulqdq_capable, .-ossl_vaes_vpclmulqdq_capable
-___
-
-# ; Mapping key length -> AES rounds count
-my %aes_rounds = (
-  128 => 9,
-  192 => 11,
-  256 => 13);
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Code generation control switches
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-# ; ABI-aware zeroing of volatile registers in EPILOG().
-# ; Disabled due to performance reasons.
-my $CLEAR_SCRATCH_REGISTERS = 0;
-
-# ; Zero HKeys storage from the stack if they are stored there
-my $CLEAR_HKEYS_STORAGE_ON_EXIT = 1;
-
-# ; Enable / disable check of function arguments for null pointer
-# ; Currently disabled, as this check is handled outside.
-my $CHECK_FUNCTION_ARGUMENTS = 0;
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Global constants
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-# AES block size in bytes
-my $AES_BLOCK_SIZE = 16;
-
-# Storage capacity in elements
-my $HKEYS_STORAGE_CAPACITY = 48;
-my $LOCAL_STORAGE_CAPACITY = 48;
-my $HKEYS_CONTEXT_CAPACITY = 16;
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Stack frame definition
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-# (1) -> +64(Win)/+48(Lin)-byte space for pushed GPRs
-# (2) -> +8-byte space for 16-byte alignment of XMM storage
-# (3) -> Frame pointer (%RBP)
-# (4) -> +160-byte XMM storage (Windows only, zero on Linux)
-# (5) -> +48-byte space for 64-byte alignment of %RSP from p.8
-# (6) -> +768-byte LOCAL storage (optional, can be omitted in some functions)
-# (7) -> +768-byte HKEYS storage
-# (8) -> Stack pointer (%RSP) aligned on 64-byte boundary
-
-my $GP_STORAGE  = $win64 ? 8 * 8     : 8 * 6;    # ; space for saved non-volatile GP registers (pushed on stack)
-my $XMM_STORAGE = $win64 ? (10 * 16) : 0;        # ; space for saved XMM registers
-my $HKEYS_STORAGE = ($HKEYS_STORAGE_CAPACITY * $AES_BLOCK_SIZE);    # ; space for HKeys^i, i=1..48
-my $LOCAL_STORAGE = ($LOCAL_STORAGE_CAPACITY * $AES_BLOCK_SIZE);    # ; space for up to 48 AES blocks
-
-my $STACK_HKEYS_OFFSET = 0;
-my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE);
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Function arguments abstraction
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11);
-
-# ; This implementation follows the convention: for non-leaf functions (they
-# ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from
-# ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)].  This
-# ; helps to facilitate SEH handlers writing.
-#
-# ; Leaf functions here do not use more than 4 input arguments.
-if ($win64) {
-  $arg1  = "%rcx";
-  $arg2  = "%rdx";
-  $arg3  = "%r8";
-  $arg4  = "%r9";
-  $arg5  = "`$GP_STORAGE + 8 + 8*5`(%rbp)";    # +8 - alignment bytes
-  $arg6  = "`$GP_STORAGE + 8 + 8*6`(%rbp)";
-  $arg7  = "`$GP_STORAGE + 8 + 8*7`(%rbp)";
-  $arg8  = "`$GP_STORAGE + 8 + 8*8`(%rbp)";
-  $arg9  = "`$GP_STORAGE + 8 + 8*9`(%rbp)";
-  $arg10 = "`$GP_STORAGE + 8 + 8*10`(%rbp)";
-  $arg11 = "`$GP_STORAGE + 8 + 8*11`(%rbp)";
-} else {
-  $arg1  = "%rdi";
-  $arg2  = "%rsi";
-  $arg3  = "%rdx";
-  $arg4  = "%rcx";
-  $arg5  = "%r8";
-  $arg6  = "%r9";
-  $arg7  = "`$GP_STORAGE + 8*1`(%rbp)";
-  $arg8  = "`$GP_STORAGE + 8*2`(%rbp)";
-  $arg9  = "`$GP_STORAGE + 8*3`(%rbp)";
-  $arg10 = "`$GP_STORAGE + 8*4`(%rbp)";
-  $arg11 = "`$GP_STORAGE + 8*5`(%rbp)";
-}
-
-# ; Offsets in gcm128_context structure (see include/crypto/modes.h)
-my $CTX_OFFSET_CurCount  = (16 * 0);          #  ; (Yi) Current counter for generation of encryption key
-my $CTX_OFFSET_PEncBlock = (16 * 1);          #  ; (repurposed EKi field) Partial block buffer
-my $CTX_OFFSET_EK0       = (16 * 2);          #  ; (EK0) Encrypted Y0 counter (see gcm spec notation)
-my $CTX_OFFSET_AadLen    = (16 * 3);          #  ; (len.u[0]) Length of Hash which has been input
-my $CTX_OFFSET_InLen     = ((16 * 3) + 8);    #  ; (len.u[1]) Length of input data which will be encrypted or decrypted
-my $CTX_OFFSET_AadHash   = (16 * 4);          #  ; (Xi) Current hash
-my $CTX_OFFSET_HTable    = (16 * 6);          #  ; (Htable) Precomputed table (allows 16 values)
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Helper functions
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-# ; Generates "random" local labels
-sub random_string() {
-  my @chars  = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_');
-  my $length = 15;
-  my $str;
-  map { $str .= $chars[rand(33)] } 1 .. $length;
-  return $str;
-}
-
-sub BYTE {
-  my ($reg) = @_;
-  if ($reg =~ /%r[abcd]x/i) {
-    $reg =~ s/%r([abcd])x/%${1}l/i;
-  } elsif ($reg =~ /%r[sdb][ip]/i) {
-    $reg =~ s/%r([sdb][ip])/%${1}l/i;
-  } elsif ($reg =~ /%r[0-9]{1,2}/i) {
-    $reg =~ s/%(r[0-9]{1,2})/%${1}b/i;
-  } else {
-    die "BYTE: unknown register: $reg\n";
-  }
-  return $reg;
-}
-
-sub WORD {
-  my ($reg) = @_;
-  if ($reg =~ /%r[abcdsdb][xip]/i) {
-    $reg =~ s/%r([abcdsdb])([xip])/%${1}${2}/i;
-  } elsif ($reg =~ /%r[0-9]{1,2}/) {
-    $reg =~ s/%(r[0-9]{1,2})/%${1}w/i;
-  } else {
-    die "WORD: unknown register: $reg\n";
-  }
-  return $reg;
-}
-
-sub DWORD {
-  my ($reg) = @_;
-  if ($reg =~ /%r[abcdsdb][xip]/i) {
-    $reg =~ s/%r([abcdsdb])([xip])/%e${1}${2}/i;
-  } elsif ($reg =~ /%r[0-9]{1,2}/i) {
-    $reg =~ s/%(r[0-9]{1,2})/%${1}d/i;
-  } else {
-    die "DWORD: unknown register: $reg\n";
-  }
-  return $reg;
-}
-
-sub XWORD {
-  my ($reg) = @_;
-  if ($reg =~ /%[xyz]mm/i) {
-    $reg =~ s/%[xyz]mm/%xmm/i;
-  } else {
-    die "XWORD: unknown register: $reg\n";
-  }
-  return $reg;
-}
-
-sub YWORD {
-  my ($reg) = @_;
-  if ($reg =~ /%[xyz]mm/i) {
-    $reg =~ s/%[xyz]mm/%ymm/i;
-  } else {
-    die "YWORD: unknown register: $reg\n";
-  }
-  return $reg;
-}
-
-sub ZWORD {
-  my ($reg) = @_;
-  if ($reg =~ /%[xyz]mm/i) {
-    $reg =~ s/%[xyz]mm/%zmm/i;
-  } else {
-    die "ZWORD: unknown register: $reg\n";
-  }
-  return $reg;
-}
-
-# ; Helper function to construct effective address based on two kinds of
-# ; offsets: numerical or located in the register
-sub EffectiveAddress {
-  my ($base, $offset, $displacement) = @_;
-  $displacement = 0 if (!$displacement);
-
-  if ($offset =~ /^\d+\z/) {    # numerical offset
-    return "`$offset + $displacement`($base)";
-  } else {                      # offset resides in register
-    return "$displacement($base,$offset,1)";
-  }
-}
-
-# ; Provides memory location of corresponding HashKey power
-sub HashKeyByIdx {
-  my ($idx, $base) = @_;
-  my $base_str = ($base eq "%rsp") ? "frame" : "context";
-
-  my $offset = &HashKeyOffsetByIdx($idx, $base_str);
-  return "$offset($base)";
-}
-
-# ; Provides offset (in bytes) of corresponding HashKey power from the highest key in the storage
-sub HashKeyOffsetByIdx {
-  my ($idx, $base) = @_;
-  die "HashKeyOffsetByIdx: base should be either 'frame' or 'context'; base = $base"
-    if (($base ne "frame") && ($base ne "context"));
-
-  my $offset_base;
-  my $offset_idx;
-  if ($base eq "frame") {    # frame storage
-    die "HashKeyOffsetByIdx: idx out of bounds (1..48)! idx = $idx\n" if ($idx > $HKEYS_STORAGE_CAPACITY || $idx < 1);
-    $offset_base = $STACK_HKEYS_OFFSET;
-    $offset_idx  = ($AES_BLOCK_SIZE * ($HKEYS_STORAGE_CAPACITY - $idx));
-  } else {                   # context storage
-    die "HashKeyOffsetByIdx: idx out of bounds (1..16)! idx = $idx\n" if ($idx > $HKEYS_CONTEXT_CAPACITY || $idx < 1);
-    $offset_base = $CTX_OFFSET_HTable;
-    $offset_idx  = ($AES_BLOCK_SIZE * ($HKEYS_CONTEXT_CAPACITY - $idx));
-  }
-  return $offset_base + $offset_idx;
-}
-
-# ; Creates local frame and does back up of non-volatile registers.
-# ; Holds stack unwinding directives.
-sub PROLOG {
-  my ($need_hkeys_stack_storage, $need_aes_stack_storage, $func_name) = @_;
-
-  my $DYNAMIC_STACK_ALLOC_SIZE            = 0;
-  my $DYNAMIC_STACK_ALLOC_ALIGNMENT_SPACE = $win64 ? 48 : 52;
-
-  if ($need_hkeys_stack_storage) {
-    $DYNAMIC_STACK_ALLOC_SIZE += $HKEYS_STORAGE;
-  }
-
-  if ($need_aes_stack_storage) {
-    if (!$need_hkeys_stack_storage) {
-      die "PROLOG: unsupported case - aes storage without hkeys one";
-    }
-    $DYNAMIC_STACK_ALLOC_SIZE += $LOCAL_STORAGE;
-  }
-
-  $code .= <<___;
-    push    %rbx
-.cfi_push   %rbx
-.L${func_name}_seh_push_rbx:
-    push    %rbp
-.cfi_push   %rbp
-.L${func_name}_seh_push_rbp:
-    push    %r12
-.cfi_push   %r12
-.L${func_name}_seh_push_r12:
-    push    %r13
-.cfi_push   %r13
-.L${func_name}_seh_push_r13:
-    push    %r14
-.cfi_push   %r14
-.L${func_name}_seh_push_r14:
-    push    %r15
-.cfi_push   %r15
-.L${func_name}_seh_push_r15:
-___
-
-  if ($win64) {
-    $code .= <<___;
-    push    %rdi
-.L${func_name}_seh_push_rdi:
-    push    %rsi
-.L${func_name}_seh_push_rsi:
-
-    sub     \$`$XMM_STORAGE+8`,%rsp   # +8 alignment
-.L${func_name}_seh_allocstack_xmm:
-___
-  }
-  $code .= <<___;
-    # ; %rbp contains stack pointer right after GP regs pushed at stack + [8
-    # ; bytes of alignment (Windows only)].  It serves as a frame pointer in SEH
-    # ; handlers. The requirement for a frame pointer is that its offset from
-    # ; RSP shall be multiple of 16, and not exceed 240 bytes. The frame pointer
-    # ; itself seems to be reasonable to use here, because later we do 64-byte stack
-    # ; alignment which gives us non-determinate offsets and complicates writing
-    # ; SEH handlers.
-    #
-    # ; It also serves as an anchor for retrieving stack arguments on both Linux
-    # ; and Windows.
-    lea     `$XMM_STORAGE`(%rsp),%rbp
-.cfi_def_cfa_register %rbp
-.L${func_name}_seh_setfp:
-___
-  if ($win64) {
-
-    # ; xmm6:xmm15 need to be preserved on Windows
-    foreach my $reg_idx (6 .. 15) {
-      my $xmm_reg_offset = ($reg_idx - 6) * 16;
-      $code .= <<___;
-        vmovdqu           %xmm${reg_idx},$xmm_reg_offset(%rsp)
-.L${func_name}_seh_save_xmm${reg_idx}:
-___
-    }
-  }
-
-  $code .= <<___;
-# Prolog ends here. Next stack allocation is treated as "dynamic".
-.L${func_name}_seh_prolog_end:
-___
-
-  if ($DYNAMIC_STACK_ALLOC_SIZE) {
-    $code .= <<___;
-        sub               \$`$DYNAMIC_STACK_ALLOC_SIZE + $DYNAMIC_STACK_ALLOC_ALIGNMENT_SPACE`,%rsp
-        and               \$(-64),%rsp
-___
-  }
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Restore register content for the caller.
-# ;;; And cleanup stack.
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub EPILOG {
-  my ($hkeys_storage_on_stack, $payload_len) = @_;
-
-  my $rndsuffix = &random_string();
-
-  if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) {
-
-    # ; There is no need in hkeys cleanup if payload len was small, i.e. no hkeys
-    # ; were stored in the local frame storage
-    $code .= <<___;
-        cmpq              \$`16*16`,$payload_len
-        jbe               .Lskip_hkeys_cleanup_${rndsuffix}
-        vpxor             %xmm0,%xmm0,%xmm0
-___
-    for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) {
-      $code .= "vmovdqa64         %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n";
-    }
-    $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n";
-  }
-
-  if ($CLEAR_SCRATCH_REGISTERS) {
-    &clear_scratch_gps_asm();
-    &clear_scratch_zmms_asm();
-  } else {
-    $code .= "vzeroupper\n";
-  }
-
-  if ($win64) {
-
-    # ; restore xmm15:xmm6
-    for (my $reg_idx = 15; $reg_idx >= 6; $reg_idx--) {
-      my $xmm_reg_offset = -$XMM_STORAGE + ($reg_idx - 6) * 16;
-      $code .= <<___;
-        vmovdqu           $xmm_reg_offset(%rbp),%xmm${reg_idx},
-___
-    }
-  }
-
-  if ($win64) {
-
-    # Forming valid epilog for SEH with use of frame pointer.
-    # https://docs.microsoft.com/en-us/cpp/build/prolog-and-epilog?view=msvc-160#epilog-code
-    $code .= "lea      8(%rbp),%rsp\n";
-  } else {
-    $code .= "lea      (%rbp),%rsp\n";
-    $code .= ".cfi_def_cfa_register %rsp\n";
-  }
-
-  if ($win64) {
-    $code .= <<___;
-     pop     %rsi
-.cfi_pop     %rsi
-     pop     %rdi
-.cfi_pop     %rdi
-___
-  }
-  $code .= <<___;
-     pop     %r15
-.cfi_pop     %r15
-     pop     %r14
-.cfi_pop     %r14
-     pop     %r13
-.cfi_pop     %r13
-     pop     %r12
-.cfi_pop     %r12
-     pop     %rbp
-.cfi_pop     %rbp
-     pop     %rbx
-.cfi_pop     %rbx
-___
-}
-
-# ; Clears all scratch ZMM registers
-# ;
-# ; It should be called before restoring the XMM registers
-# ; for Windows (XMM6-XMM15).
-# ;
-sub clear_scratch_zmms_asm {
-
-  # ; On Linux, all ZMM registers are scratch registers
-  if (!$win64) {
-    $code .= "vzeroall\n";
-  } else {
-    foreach my $i (0 .. 5) {
-      $code .= "vpxorq  %xmm${i},%xmm${i},%xmm${i}\n";
-    }
-  }
-  foreach my $i (16 .. 31) {
-    $code .= "vpxorq  %xmm${i},%xmm${i},%xmm${i}\n";
-  }
-}
-
-# Clears all scratch GP registers
-sub clear_scratch_gps_asm {
-  foreach my $reg ("%rax", "%rcx", "%rdx", "%r8", "%r9", "%r10", "%r11") {
-    $code .= "xor $reg,$reg\n";
-  }
-  if (!$win64) {
-    foreach my $reg ("%rsi", "%rdi") {
-      $code .= "xor $reg,$reg\n";
-    }
-  }
-}
-
-sub precompute_hkeys_on_stack {
-  my $GCM128_CTX  = $_[0];
-  my $HKEYS_READY = $_[1];
-  my $ZTMP0       = $_[2];
-  my $ZTMP1       = $_[3];
-  my $ZTMP2       = $_[4];
-  my $ZTMP3       = $_[5];
-  my $ZTMP4       = $_[6];
-  my $ZTMP5       = $_[7];
-  my $ZTMP6       = $_[8];
-  my $HKEYS_RANGE = $_[9];    # ; "first16", "mid16", "all", "first32", "last32"
-
-  die "precompute_hkeys_on_stack: Unexpected value of HKEYS_RANGE: $HKEYS_RANGE"
-    if ($HKEYS_RANGE ne "first16"
-    && $HKEYS_RANGE ne "mid16"
-    && $HKEYS_RANGE ne "all"
-    && $HKEYS_RANGE ne "first32"
-    && $HKEYS_RANGE ne "last32");
-
-  my $rndsuffix = &random_string();
-
-  $code .= <<___;
-        test              $HKEYS_READY,$HKEYS_READY
-        jnz               .L_skip_hkeys_precomputation_${rndsuffix}
-___
-
-  if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") {
-
-    # ; Fill the stack with the first 16 hkeys from the context
-    $code .= <<___;
-        # ; Move 16 hkeys from the context to stack
-        vmovdqu64         @{[HashKeyByIdx(4,$GCM128_CTX)]},$ZTMP0
-        vmovdqu64         $ZTMP0,@{[HashKeyByIdx(4,"%rsp")]}
-
-        vmovdqu64         @{[HashKeyByIdx(8,$GCM128_CTX)]},$ZTMP1
-        vmovdqu64         $ZTMP1,@{[HashKeyByIdx(8,"%rsp")]}
-
-        # ; broadcast HashKey^8
-        vshufi64x2        \$0x00,$ZTMP1,$ZTMP1,$ZTMP1
-
-        vmovdqu64         @{[HashKeyByIdx(12,$GCM128_CTX)]},$ZTMP2
-        vmovdqu64         $ZTMP2,@{[HashKeyByIdx(12,"%rsp")]}
-
-        vmovdqu64         @{[HashKeyByIdx(16,$GCM128_CTX)]},$ZTMP3
-        vmovdqu64         $ZTMP3,@{[HashKeyByIdx(16,"%rsp")]}
-___
-  }
-
-  if ($HKEYS_RANGE eq "mid16" || $HKEYS_RANGE eq "last32") {
-    $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx(8,"%rsp")]},$ZTMP1
-
-        # ; broadcast HashKey^8
-        vshufi64x2        \$0x00,$ZTMP1,$ZTMP1,$ZTMP1
-
-        vmovdqu64         @{[HashKeyByIdx(12,"%rsp")]},$ZTMP2
-        vmovdqu64         @{[HashKeyByIdx(16,"%rsp")]},$ZTMP3
-___
-
-  }
-
-  if ($HKEYS_RANGE eq "mid16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "last32" || $HKEYS_RANGE eq "all") {
-
-    # ; Precompute hkeys^i, i=17..32
-    my $i = 20;
-    foreach (1 .. int((32 - 16) / 8)) {
-
-      # ;; compute HashKey^(4 + n), HashKey^(3 + n), ... HashKey^(1 + n)
-      &GHASH_MUL($ZTMP2, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6);
-      $code .= "vmovdqu64         $ZTMP2,@{[HashKeyByIdx($i,\"%rsp\")]}\n";
-      $i += 4;
-
-      # ;; compute HashKey^(8 + n), HashKey^(7 + n), ... HashKey^(5 + n)
-      &GHASH_MUL($ZTMP3, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6);
-      $code .= "vmovdqu64         $ZTMP3,@{[HashKeyByIdx($i,\"%rsp\")]}\n";
-      $i += 4;
-    }
-  }
-
-  if ($HKEYS_RANGE eq "last32" || $HKEYS_RANGE eq "all") {
-
-    # ; Precompute hkeys^i, i=33..48 (HKEYS_STORAGE_CAPACITY = 48)
-    my $i = 36;
-    foreach (1 .. int((48 - 32) / 8)) {
-
-      # ;; compute HashKey^(4 + n), HashKey^(3 + n), ... HashKey^(1 + n)
-      &GHASH_MUL($ZTMP2, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6);
-      $code .= "vmovdqu64         $ZTMP2,@{[HashKeyByIdx($i,\"%rsp\")]}\n";
-      $i += 4;
-
-      # ;; compute HashKey^(8 + n), HashKey^(7 + n), ... HashKey^(5 + n)
-      &GHASH_MUL($ZTMP3, $ZTMP1, $ZTMP4, $ZTMP5, $ZTMP6);
-      $code .= "vmovdqu64         $ZTMP3,@{[HashKeyByIdx($i,\"%rsp\")]}\n";
-      $i += 4;
-    }
-  }
-
-  $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n";
-}
-
-# ;; =============================================================================
-# ;; Generic macro to produce code that executes $OPCODE instruction
-# ;; on selected number of AES blocks (16 bytes long ) between 0 and 16.
-# ;; All three operands of the instruction come from registers.
-# ;; Note: if 3 blocks are left at the end instruction is produced to operate all
-# ;;       4 blocks (full width of ZMM)
-sub ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16 {
-  my $NUM_BLOCKS = $_[0];    # [in] numerical value, number of AES blocks (0 to 16)
-  my $OPCODE     = $_[1];    # [in] instruction name
-  my @DST;
-  $DST[0] = $_[2];           # [out] destination ZMM register
-  $DST[1] = $_[3];           # [out] destination ZMM register
-  $DST[2] = $_[4];           # [out] destination ZMM register
-  $DST[3] = $_[5];           # [out] destination ZMM register
-  my @SRC1;
-  $SRC1[0] = $_[6];          # [in] source 1 ZMM register
-  $SRC1[1] = $_[7];          # [in] source 1 ZMM register
-  $SRC1[2] = $_[8];          # [in] source 1 ZMM register
-  $SRC1[3] = $_[9];          # [in] source 1 ZMM register
-  my @SRC2;
-  $SRC2[0] = $_[10];         # [in] source 2 ZMM register
-  $SRC2[1] = $_[11];         # [in] source 2 ZMM register
-  $SRC2[2] = $_[12];         # [in] source 2 ZMM register
-  $SRC2[3] = $_[13];         # [in] source 2 ZMM register
-
-  die "ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16: num_blocks is out of bounds = $NUM_BLOCKS\n"
-    if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
-
-  my $reg_idx     = 0;
-  my $blocks_left = $NUM_BLOCKS;
-
-  foreach (1 .. ($NUM_BLOCKS / 4)) {
-    $code .= "$OPCODE        $SRC2[$reg_idx],$SRC1[$reg_idx],$DST[$reg_idx]\n";
-    $reg_idx++;
-    $blocks_left -= 4;
-  }
-
-  my $DSTREG  = $DST[$reg_idx];
-  my $SRC1REG = $SRC1[$reg_idx];
-  my $SRC2REG = $SRC2[$reg_idx];
-
-  if ($blocks_left == 1) {
-    $code .= "$OPCODE         @{[XWORD($SRC2REG)]},@{[XWORD($SRC1REG)]},@{[XWORD($DSTREG)]}\n";
-  } elsif ($blocks_left == 2) {
-    $code .= "$OPCODE         @{[YWORD($SRC2REG)]},@{[YWORD($SRC1REG)]},@{[YWORD($DSTREG)]}\n";
-  } elsif ($blocks_left == 3) {
-    $code .= "$OPCODE         $SRC2REG,$SRC1REG,$DSTREG\n";
-  }
-}
-
-# ;; =============================================================================
-# ;; Loads specified number of AES blocks into ZMM registers using mask register
-# ;; for the last loaded register (xmm, ymm or zmm).
-# ;; Loads take place at 1 byte granularity.
-sub ZMM_LOAD_MASKED_BLOCKS_0_16 {
-  my $NUM_BLOCKS  = $_[0];    # [in] numerical value, number of AES blocks (0 to 16)
-  my $INP         = $_[1];    # [in] input data pointer to read from
-  my $DATA_OFFSET = $_[2];    # [in] offset to the output pointer (GP or numerical)
-  my @DST;
-  $DST[0] = $_[3];            # [out] ZMM register with loaded data
-  $DST[1] = $_[4];            # [out] ZMM register with loaded data
-  $DST[2] = $_[5];            # [out] ZMM register with loaded data
-  $DST[3] = $_[6];            # [out] ZMM register with loaded data
-  my $MASK = $_[7];           # [in] mask register
-
-  die "ZMM_LOAD_MASKED_BLOCKS_0_16: num_blocks is out of bounds = $NUM_BLOCKS\n"
-    if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
-
-  my $src_offset  = 0;
-  my $dst_idx     = 0;
-  my $blocks_left = $NUM_BLOCKS;
-
-  if ($NUM_BLOCKS > 0) {
-    foreach (1 .. (int(($NUM_BLOCKS + 3) / 4) - 1)) {
-      $code .= "vmovdqu8          @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},$DST[$dst_idx]\n";
-      $src_offset += 64;
-      $dst_idx++;
-      $blocks_left -= 4;
-    }
-  }
-
-  my $DSTREG = $DST[$dst_idx];
-
-  if ($blocks_left == 1) {
-    $code .= "vmovdqu8          @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},@{[XWORD($DSTREG)]}\{$MASK\}{z}\n";
-  } elsif ($blocks_left == 2) {
-    $code .= "vmovdqu8          @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},@{[YWORD($DSTREG)]}\{$MASK\}{z}\n";
-  } elsif (($blocks_left == 3 || $blocks_left == 4)) {
-    $code .= "vmovdqu8          @{[EffectiveAddress($INP,$DATA_OFFSET,$src_offset)]},$DSTREG\{$MASK\}{z}\n";
-  }
-}
-
-# ;; =============================================================================
-# ;; Stores specified number of AES blocks from ZMM registers with mask register
-# ;; for the last loaded register (xmm, ymm or zmm).
-# ;; Stores take place at 1 byte granularity.
-sub ZMM_STORE_MASKED_BLOCKS_0_16 {
-  my $NUM_BLOCKS  = $_[0];    # [in] numerical value, number of AES blocks (0 to 16)
-  my $OUTP        = $_[1];    # [in] output data pointer to write to
-  my $DATA_OFFSET = $_[2];    # [in] offset to the output pointer (GP or numerical)
-  my @SRC;
-  $SRC[0] = $_[3];            # [in] ZMM register with data to store
-  $SRC[1] = $_[4];            # [in] ZMM register with data to store
-  $SRC[2] = $_[5];            # [in] ZMM register with data to store
-  $SRC[3] = $_[6];            # [in] ZMM register with data to store
-  my $MASK = $_[7];           # [in] mask register
-
-  die "ZMM_STORE_MASKED_BLOCKS_0_16: num_blocks is out of bounds = $NUM_BLOCKS\n"
-    if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
-
-  my $dst_offset  = 0;
-  my $src_idx     = 0;
-  my $blocks_left = $NUM_BLOCKS;
-
-  if ($NUM_BLOCKS > 0) {
-    foreach (1 .. (int(($NUM_BLOCKS + 3) / 4) - 1)) {
-      $code .= "vmovdqu8          $SRC[$src_idx],`$dst_offset`($OUTP,$DATA_OFFSET,1)\n";
-      $dst_offset += 64;
-      $src_idx++;
-      $blocks_left -= 4;
-    }
-  }
-
-  my $SRCREG = $SRC[$src_idx];
-
-  if ($blocks_left == 1) {
-    $code .= "vmovdqu8          @{[XWORD($SRCREG)]},`$dst_offset`($OUTP,$DATA_OFFSET,1){$MASK}\n";
-  } elsif ($blocks_left == 2) {
-    $code .= "vmovdqu8          @{[YWORD($SRCREG)]},`$dst_offset`($OUTP,$DATA_OFFSET,1){$MASK}\n";
-  } elsif ($blocks_left == 3 || $blocks_left == 4) {
-    $code .= "vmovdqu8          $SRCREG,`$dst_offset`($OUTP,$DATA_OFFSET,1){$MASK}\n";
-  }
-}
-
-# ;;; ===========================================================================
-# ;;; Handles AES encryption rounds
-# ;;; It handles special cases: the last and first rounds
-# ;;; Optionally, it performs XOR with data after the last AES round.
-# ;;; Uses NROUNDS parameter to check what needs to be done for the current round.
-# ;;; If 3 blocks are trailing then operation on whole ZMM is performed (4 blocks).
-sub ZMM_AESENC_ROUND_BLOCKS_0_16 {
-  my $L0B0_3   = $_[0];     # [in/out] zmm; blocks 0 to 3
-  my $L0B4_7   = $_[1];     # [in/out] zmm; blocks 4 to 7
-  my $L0B8_11  = $_[2];     # [in/out] zmm; blocks 8 to 11
-  my $L0B12_15 = $_[3];     # [in/out] zmm; blocks 12 to 15
-  my $KEY      = $_[4];     # [in] zmm containing round key
-  my $ROUND    = $_[5];     # [in] round number
-  my $D0_3     = $_[6];     # [in] zmm or no_data; plain/cipher text blocks 0-3
-  my $D4_7     = $_[7];     # [in] zmm or no_data; plain/cipher text blocks 4-7
-  my $D8_11    = $_[8];     # [in] zmm or no_data; plain/cipher text blocks 8-11
-  my $D12_15   = $_[9];     # [in] zmm or no_data; plain/cipher text blocks 12-15
-  my $NUMBL    = $_[10];    # [in] number of blocks; numerical value
-  my $NROUNDS  = $_[11];    # [in] number of rounds; numerical value
-
-  # ;;; === first AES round
-  if ($ROUND < 1) {
-
-    # ;;  round 0
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUMBL,  "vpxorq", $L0B0_3,   $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3,
-      $L0B4_7, $L0B8_11, $L0B12_15, $KEY,    $KEY,     $KEY,      $KEY);
-  }
-
-  # ;;; === middle AES rounds
-  if ($ROUND >= 1 && $ROUND <= $NROUNDS) {
-
-    # ;; rounds 1 to 9/11/13
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUMBL,  "vaesenc", $L0B0_3,   $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3,
-      $L0B4_7, $L0B8_11,  $L0B12_15, $KEY,    $KEY,     $KEY,      $KEY);
-  }
-
-  # ;;; === last AES round
-  if ($ROUND > $NROUNDS) {
-
-    # ;; the last round - mix enclast with text xor's
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUMBL,  "vaesenclast", $L0B0_3,   $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3,
-      $L0B4_7, $L0B8_11,      $L0B12_15, $KEY,    $KEY,     $KEY,      $KEY);
-
-    # ;;; === XOR with data
-    if ( ($D0_3 ne "no_data")
-      && ($D4_7 ne "no_data")
-      && ($D8_11 ne "no_data")
-      && ($D12_15 ne "no_data"))
-    {
-      &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-        $NUMBL,  "vpxorq", $L0B0_3,   $L0B4_7, $L0B8_11, $L0B12_15, $L0B0_3,
-        $L0B4_7, $L0B8_11, $L0B12_15, $D0_3,   $D4_7,    $D8_11,    $D12_15);
-    }
-  }
-}
-
-# ;;; Horizontal XOR - 4 x 128bits xored together
-sub VHPXORI4x128 {
-  my $REG = $_[0];    # [in/out] ZMM with 4x128bits to xor; 128bit output
-  my $TMP = $_[1];    # [clobbered] ZMM temporary register
-  $code .= <<___;
-        vextracti64x4     \$1,$REG,@{[YWORD($TMP)]}
-        vpxorq            @{[YWORD($TMP)]},@{[YWORD($REG)]},@{[YWORD($REG)]}
-        vextracti32x4     \$1,@{[YWORD($REG)]},@{[XWORD($TMP)]}
-        vpxorq            @{[XWORD($TMP)]},@{[XWORD($REG)]},@{[XWORD($REG)]}
-___
-}
-
-# ;;; AVX512 reduction macro
-sub VCLMUL_REDUCE {
-  my $OUT   = $_[0];    # [out] zmm/ymm/xmm: result (must not be $TMP1 or $HI128)
-  my $POLY  = $_[1];    # [in] zmm/ymm/xmm: polynomial
-  my $HI128 = $_[2];    # [in] zmm/ymm/xmm: high 128b of hash to reduce
-  my $LO128 = $_[3];    # [in] zmm/ymm/xmm: low 128b of hash to reduce
-  my $TMP0  = $_[4];    # [in] zmm/ymm/xmm: temporary register
-  my $TMP1  = $_[5];    # [in] zmm/ymm/xmm: temporary register
-
-  $code .= <<___;
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; first phase of the reduction
-        vpclmulqdq        \$0x01,$LO128,$POLY,$TMP0
-        vpslldq           \$8,$TMP0,$TMP0         # ; shift-L 2 DWs
-        vpxorq            $TMP0,$LO128,$TMP0      # ; first phase of the reduction complete
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; second phase of the reduction
-        vpclmulqdq        \$0x00,$TMP0,$POLY,$TMP1
-        vpsrldq           \$4,$TMP1,$TMP1          # ; shift-R only 1-DW to obtain 2-DWs shift-R
-        vpclmulqdq        \$0x10,$TMP0,$POLY,$OUT
-        vpslldq           \$4,$OUT,$OUT            # ; shift-L 1-DW to obtain result with no shifts
-        vpternlogq        \$0x96,$HI128,$TMP1,$OUT # ; OUT/GHASH = OUT xor TMP1 xor HI128
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-___
-}
-
-# ;; ===========================================================================
-# ;; schoolbook multiply of 16 blocks (16 x 16 bytes)
-# ;; - it is assumed that data read from $INPTR is already shuffled and
-# ;;   $INPTR address is 64 byte aligned
-# ;; - there is an option to pass ready blocks through ZMM registers too.
-# ;;   4 extra parameters need to be passed in such case and 21st ($ZTMP9) argument can be empty
-sub GHASH_16 {
-  my $TYPE  = $_[0];     # [in] ghash type: start (xor hash), mid, end (same as mid; no reduction),
-                         # end_reduce (end with reduction), start_reduce
-  my $GH    = $_[1];     # [in/out] ZMM ghash sum: high 128-bits
-  my $GM    = $_[2];     # [in/out] ZMM ghash sum: middle 128-bits
-  my $GL    = $_[3];     # [in/out] ZMM ghash sum: low 128-bits
-  my $INPTR = $_[4];     # [in] data input pointer
-  my $INOFF = $_[5];     # [in] data input offset
-  my $INDIS = $_[6];     # [in] data input displacement
-  my $HKPTR = $_[7];     # [in] hash key pointer
-  my $HKOFF = $_[8];     # [in] hash key offset (can be either numerical offset, or register containing offset)
-  my $HKDIS = $_[9];     # [in] hash key displacement
-  my $HASH  = $_[10];    # [in/out] ZMM hash value in/out
-  my $ZTMP0 = $_[11];    # [clobbered] temporary ZMM
-  my $ZTMP1 = $_[12];    # [clobbered] temporary ZMM
-  my $ZTMP2 = $_[13];    # [clobbered] temporary ZMM
-  my $ZTMP3 = $_[14];    # [clobbered] temporary ZMM
-  my $ZTMP4 = $_[15];    # [clobbered] temporary ZMM
-  my $ZTMP5 = $_[16];    # [clobbered] temporary ZMM
-  my $ZTMP6 = $_[17];    # [clobbered] temporary ZMM
-  my $ZTMP7 = $_[18];    # [clobbered] temporary ZMM
-  my $ZTMP8 = $_[19];    # [clobbered] temporary ZMM
-  my $ZTMP9 = $_[20];    # [clobbered] temporary ZMM, can be empty if 4 extra parameters below are provided
-  my $DAT0  = $_[21];    # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused)
-  my $DAT1  = $_[22];    # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused)
-  my $DAT2  = $_[23];    # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused)
-  my $DAT3  = $_[24];    # [in] ZMM with 4 blocks of input data (INPTR, INOFF, INDIS unused)
-
-  my $start_ghash  = 0;
-  my $do_reduction = 0;
-  if ($TYPE eq "start") {
-    $start_ghash = 1;
-  }
-
-  if ($TYPE eq "start_reduce") {
-    $start_ghash  = 1;
-    $do_reduction = 1;
-  }
-
-  if ($TYPE eq "end_reduce") {
-    $do_reduction = 1;
-  }
-
-  # ;; ghash blocks 0-3
-  if (scalar(@_) == 21) {
-    $code .= "vmovdqa64         @{[EffectiveAddress($INPTR,$INOFF,($INDIS+0*64))]},$ZTMP9\n";
-  } else {
-    $ZTMP9 = $DAT0;
-  }
-
-  if ($start_ghash != 0) {
-    $code .= "vpxorq            $HASH,$ZTMP9,$ZTMP9\n";
-  }
-  $code .= <<___;
-        vmovdqu64         @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+0*64))]},$ZTMP8
-        vpclmulqdq        \$0x11,$ZTMP8,$ZTMP9,$ZTMP0      # ; T0H = a1*b1
-        vpclmulqdq        \$0x00,$ZTMP8,$ZTMP9,$ZTMP1      # ; T0L = a0*b0
-        vpclmulqdq        \$0x01,$ZTMP8,$ZTMP9,$ZTMP2      # ; T0M1 = a1*b0
-        vpclmulqdq        \$0x10,$ZTMP8,$ZTMP9,$ZTMP3      # ; T0M2 = a0*b1
-___
-
-  # ;; ghash blocks 4-7
-  if (scalar(@_) == 21) {
-    $code .= "vmovdqa64         @{[EffectiveAddress($INPTR,$INOFF,($INDIS+1*64))]},$ZTMP9\n";
-  } else {
-    $ZTMP9 = $DAT1;
-  }
-  $code .= <<___;
-        vmovdqu64         @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+1*64))]},$ZTMP8
-        vpclmulqdq        \$0x11,$ZTMP8,$ZTMP9,$ZTMP4      # ; T1H = a1*b1
-        vpclmulqdq        \$0x00,$ZTMP8,$ZTMP9,$ZTMP5      # ; T1L = a0*b0
-        vpclmulqdq        \$0x01,$ZTMP8,$ZTMP9,$ZTMP6      # ; T1M1 = a1*b0
-        vpclmulqdq        \$0x10,$ZTMP8,$ZTMP9,$ZTMP7      # ; T1M2 = a0*b1
-___
-
-  # ;; update sums
-  if ($start_ghash != 0) {
-    $code .= <<___;
-        vpxorq            $ZTMP6,$ZTMP2,$GM             # ; GM = T0M1 + T1M1
-        vpxorq            $ZTMP4,$ZTMP0,$GH             # ; GH = T0H + T1H
-        vpxorq            $ZTMP5,$ZTMP1,$GL             # ; GL = T0L + T1L
-        vpternlogq        \$0x96,$ZTMP7,$ZTMP3,$GM      # ; GM = T0M2 + T1M1
-___
-  } else {    # ;; mid, end, end_reduce
-    $code .= <<___;
-        vpternlogq        \$0x96,$ZTMP6,$ZTMP2,$GM      # ; GM += T0M1 + T1M1
-        vpternlogq        \$0x96,$ZTMP4,$ZTMP0,$GH      # ; GH += T0H + T1H
-        vpternlogq        \$0x96,$ZTMP5,$ZTMP1,$GL      # ; GL += T0L + T1L
-        vpternlogq        \$0x96,$ZTMP7,$ZTMP3,$GM      # ; GM += T0M2 + T1M1
-___
-  }
-
-  # ;; ghash blocks 8-11
-  if (scalar(@_) == 21) {
-    $code .= "vmovdqa64         @{[EffectiveAddress($INPTR,$INOFF,($INDIS+2*64))]},$ZTMP9\n";
-  } else {
-    $ZTMP9 = $DAT2;
-  }
-  $code .= <<___;
-        vmovdqu64         @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+2*64))]},$ZTMP8
-        vpclmulqdq        \$0x11,$ZTMP8,$ZTMP9,$ZTMP0      # ; T0H = a1*b1
-        vpclmulqdq        \$0x00,$ZTMP8,$ZTMP9,$ZTMP1      # ; T0L = a0*b0
-        vpclmulqdq        \$0x01,$ZTMP8,$ZTMP9,$ZTMP2      # ; T0M1 = a1*b0
-        vpclmulqdq        \$0x10,$ZTMP8,$ZTMP9,$ZTMP3      # ; T0M2 = a0*b1
-___
-
-  # ;; ghash blocks 12-15
-  if (scalar(@_) == 21) {
-    $code .= "vmovdqa64         @{[EffectiveAddress($INPTR,$INOFF,($INDIS+3*64))]},$ZTMP9\n";
-  } else {
-    $ZTMP9 = $DAT3;
-  }
-  $code .= <<___;
-        vmovdqu64         @{[EffectiveAddress($HKPTR,$HKOFF,($HKDIS+3*64))]},$ZTMP8
-        vpclmulqdq        \$0x11,$ZTMP8,$ZTMP9,$ZTMP4      # ; T1H = a1*b1
-        vpclmulqdq        \$0x00,$ZTMP8,$ZTMP9,$ZTMP5      # ; T1L = a0*b0
-        vpclmulqdq        \$0x01,$ZTMP8,$ZTMP9,$ZTMP6      # ; T1M1 = a1*b0
-        vpclmulqdq        \$0x10,$ZTMP8,$ZTMP9,$ZTMP7      # ; T1M2 = a0*b1
-        # ;; update sums
-        vpternlogq        \$0x96,$ZTMP6,$ZTMP2,$GM         # ; GM += T0M1 + T1M1
-        vpternlogq        \$0x96,$ZTMP4,$ZTMP0,$GH         # ; GH += T0H + T1H
-        vpternlogq        \$0x96,$ZTMP5,$ZTMP1,$GL         # ; GL += T0L + T1L
-        vpternlogq        \$0x96,$ZTMP7,$ZTMP3,$GM         # ; GM += T0M2 + T1M1
-___
-  if ($do_reduction != 0) {
-    $code .= <<___;
-        # ;; integrate GM into GH and GL
-        vpsrldq           \$8,$GM,$ZTMP0
-        vpslldq           \$8,$GM,$ZTMP1
-        vpxorq            $ZTMP0,$GH,$GH
-        vpxorq            $ZTMP1,$GL,$GL
-___
-
-    # ;; add GH and GL 128-bit words horizontally
-    &VHPXORI4x128($GH, $ZTMP0);
-    &VHPXORI4x128($GL, $ZTMP1);
-
-    # ;; reduction
-    $code .= "vmovdqa64         POLY2(%rip),@{[XWORD($ZTMP2)]}\n";
-    &VCLMUL_REDUCE(&XWORD($HASH), &XWORD($ZTMP2), &XWORD($GH), &XWORD($GL), &XWORD($ZTMP0), &XWORD($ZTMP1));
-  }
-}
-
-# ;; ===========================================================================
-# ;; GHASH 1 to 16 blocks of cipher text
-# ;; - performs reduction at the end
-# ;; - it doesn't load the data and it assumed it is already loaded and shuffled
-sub GHASH_1_TO_16 {
-  my $GCM128_CTX  = $_[0];     # [in] pointer to expanded keys
-  my $GHASH       = $_[1];     # [out] ghash output
-  my $T0H         = $_[2];     # [clobbered] temporary ZMM
-  my $T0L         = $_[3];     # [clobbered] temporary ZMM
-  my $T0M1        = $_[4];     # [clobbered] temporary ZMM
-  my $T0M2        = $_[5];     # [clobbered] temporary ZMM
-  my $T1H         = $_[6];     # [clobbered] temporary ZMM
-  my $T1L         = $_[7];     # [clobbered] temporary ZMM
-  my $T1M1        = $_[8];     # [clobbered] temporary ZMM
-  my $T1M2        = $_[9];     # [clobbered] temporary ZMM
-  my $HK          = $_[10];    # [clobbered] temporary ZMM
-  my $AAD_HASH_IN = $_[11];    # [in] input hash value
-  my @CIPHER_IN;
-  $CIPHER_IN[0] = $_[12];      # [in] ZMM with cipher text blocks 0-3
-  $CIPHER_IN[1] = $_[13];      # [in] ZMM with cipher text blocks 4-7
-  $CIPHER_IN[2] = $_[14];      # [in] ZMM with cipher text blocks 8-11
-  $CIPHER_IN[3] = $_[15];      # [in] ZMM with cipher text blocks 12-15
-  my $NUM_BLOCKS = $_[16];     # [in] numerical value, number of blocks
-  my $GH         = $_[17];     # [in] ZMM with hi product part
-  my $GM         = $_[18];     # [in] ZMM with mid product part
-  my $GL         = $_[19];     # [in] ZMM with lo product part
-
-  die "GHASH_1_TO_16: num_blocks is out of bounds = $NUM_BLOCKS\n" if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
-
-  if (scalar(@_) == 17) {
-    $code .= "vpxorq            $AAD_HASH_IN,$CIPHER_IN[0],$CIPHER_IN[0]\n";
-  }
-
-  if ($NUM_BLOCKS == 16) {
-    $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[0],$T0H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[0],$T0L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[0],$T0M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[0],$T0M2       # ; M2 = a0*b1
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS-1*4, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[1],$T1H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[1],$T1L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[1],$T1M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[1],$T1M2       # ; M2 = a0*b1
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS-2*4, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; L = a0*b0
-        vpternlogq        \$0x96,$T1H,$CIPHER_IN[0],$T0H
-        vpternlogq        \$0x96,$T1L,$CIPHER_IN[1],$T0L
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; M2 = a0*b1
-        vpternlogq        \$0x96,$T1M1,$CIPHER_IN[0],$T0M1
-        vpternlogq        \$0x96,$T1M2,$CIPHER_IN[1],$T0M2
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS-3*4, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[3],$T1H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[3],$T1L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[3],$T1M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[3],$T1M2       # ; M2 = a0*b1
-        vpxorq            $T1H,$T0H,$T1H
-        vpxorq            $T1L,$T0L,$T1L
-        vpxorq            $T1M1,$T0M1,$T1M1
-        vpxorq            $T1M2,$T0M2,$T1M2
-___
-  } elsif ($NUM_BLOCKS >= 12) {
-    $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[0],$T0H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[0],$T0L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[0],$T0M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[0],$T0M2       # ; M2 = a0*b1
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS-1*4, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[1],$T1H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[1],$T1L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[1],$T1M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[1],$T1M2       # ; M2 = a0*b1
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS-2*4, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; L = a0*b0
-        vpternlogq        \$0x96,$T0H,$CIPHER_IN[0],$T1H
-        vpternlogq        \$0x96,$T0L,$CIPHER_IN[1],$T1L
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[2],$CIPHER_IN[0] # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[2],$CIPHER_IN[1] # ; M2 = a0*b1
-        vpternlogq        \$0x96,$T0M1,$CIPHER_IN[0],$T1M1
-        vpternlogq        \$0x96,$T0M2,$CIPHER_IN[1],$T1M2
-___
-  } elsif ($NUM_BLOCKS >= 8) {
-    $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[0],$T0H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[0],$T0L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[0],$T0M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[0],$T0M2       # ; M2 = a0*b1
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS-1*4, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[1],$T1H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[1],$T1L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[1],$T1M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[1],$T1M2       # ; M2 = a0*b1
-        vpxorq            $T1H,$T0H,$T1H
-        vpxorq            $T1L,$T0L,$T1L
-        vpxorq            $T1M1,$T0M1,$T1M1
-        vpxorq            $T1M2,$T0M2,$T1M2
-___
-  } elsif ($NUM_BLOCKS >= 4) {
-    $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx($NUM_BLOCKS, $GCM128_CTX)]},$HK
-        vpclmulqdq        \$0x11,$HK,$CIPHER_IN[0],$T1H        # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$CIPHER_IN[0],$T1L        # ; L = a0*b0
-        vpclmulqdq        \$0x01,$HK,$CIPHER_IN[0],$T1M1       # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$CIPHER_IN[0],$T1M2       # ; M2 = a0*b1
-___
-  }
-
-  # ;; T1H/L/M1/M2 - hold current product sums (provided $NUM_BLOCKS >= 4)
-  my $blocks_left = ($NUM_BLOCKS % 4);
-  if ($blocks_left > 0) {
-
-    # ;; =====================================================
-    # ;; There are 1, 2 or 3 blocks left to process.
-    # ;; It may also be that they are the only blocks to process.
-
-    # ;; Set hash key and register index position for the remaining 1 to 3 blocks
-    my $reg_idx = ($NUM_BLOCKS / 4);
-    my $REG_IN  = $CIPHER_IN[$reg_idx];
-
-    if ($blocks_left == 1) {
-      $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx($blocks_left, $GCM128_CTX)]},@{[XWORD($HK)]}
-        vpclmulqdq        \$0x01,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0M1)]} # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0M2)]} # ; M2 = a0*b1
-        vpclmulqdq        \$0x11,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0H)]}  # ; H = a1*b1
-        vpclmulqdq        \$0x00,@{[XWORD($HK)]},@{[XWORD($REG_IN)]},@{[XWORD($T0L)]}  # ; L = a0*b0
-___
-    } elsif ($blocks_left == 2) {
-      $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx($blocks_left, $GCM128_CTX)]},@{[YWORD($HK)]}
-        vpclmulqdq        \$0x01,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0M1)]} # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0M2)]} # ; M2 = a0*b1
-        vpclmulqdq        \$0x11,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0H)]}  # ; H = a1*b1
-        vpclmulqdq        \$0x00,@{[YWORD($HK)]},@{[YWORD($REG_IN)]},@{[YWORD($T0L)]}  # ; L = a0*b0
-___
-    } else {    # ; blocks_left == 3
-      $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx($blocks_left, $GCM128_CTX)]},@{[YWORD($HK)]}
-        vinserti64x2      \$2,@{[HashKeyByIdx($blocks_left-2, $GCM128_CTX)]},$HK,$HK
-        vpclmulqdq        \$0x01,$HK,$REG_IN,$T0M1                                     # ; M1 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$REG_IN,$T0M2                                     # ; M2 = a0*b1
-        vpclmulqdq        \$0x11,$HK,$REG_IN,$T0H                                      # ; H = a1*b1
-        vpclmulqdq        \$0x00,$HK,$REG_IN,$T0L                                      # ; L = a0*b0
-___
-    }
-
-    if (scalar(@_) == 20) {
-
-      # ;; *** GH/GM/GL passed as arguments
-      if ($NUM_BLOCKS >= 4) {
-        $code .= <<___;
-        # ;; add ghash product sums from the first 4, 8 or 12 blocks
-        vpxorq            $T1M1,$T0M1,$T0M1
-        vpternlogq        \$0x96,$T1M2,$GM,$T0M2
-        vpternlogq        \$0x96,$T1H,$GH,$T0H
-        vpternlogq        \$0x96,$T1L,$GL,$T0L
-___
-      } else {
-        $code .= <<___;
-        vpxorq            $GM,$T0M1,$T0M1
-        vpxorq            $GH,$T0H,$T0H
-        vpxorq            $GL,$T0L,$T0L
-___
-      }
-    } else {
-
-      # ;; *** GH/GM/GL NOT passed as arguments
-      if ($NUM_BLOCKS >= 4) {
-        $code .= <<___;
-        # ;; add ghash product sums from the first 4, 8 or 12 blocks
-        vpxorq            $T1M1,$T0M1,$T0M1
-        vpxorq            $T1M2,$T0M2,$T0M2
-        vpxorq            $T1H,$T0H,$T0H
-        vpxorq            $T1L,$T0L,$T0L
-___
-      }
-    }
-    $code .= <<___;
-        # ;; integrate TM into TH and TL
-        vpxorq            $T0M2,$T0M1,$T0M1
-        vpsrldq           \$8,$T0M1,$T1M1
-        vpslldq           \$8,$T0M1,$T1M2
-        vpxorq            $T1M1,$T0H,$T0H
-        vpxorq            $T1M2,$T0L,$T0L
-___
-  } else {
-
-    # ;; =====================================================
-    # ;; number of blocks is 4, 8, 12 or 16
-    # ;; T1H/L/M1/M2 include product sums not T0H/L/M1/M2
-    if (scalar(@_) == 20) {
-      $code .= <<___;
-        # ;; *** GH/GM/GL passed as arguments
-        vpxorq            $GM,$T1M1,$T1M1
-        vpxorq            $GH,$T1H,$T1H
-        vpxorq            $GL,$T1L,$T1L
-___
-    }
-    $code .= <<___;
-        # ;; integrate TM into TH and TL
-        vpxorq            $T1M2,$T1M1,$T1M1
-        vpsrldq           \$8,$T1M1,$T0M1
-        vpslldq           \$8,$T1M1,$T0M2
-        vpxorq            $T0M1,$T1H,$T0H
-        vpxorq            $T0M2,$T1L,$T0L
-___
-  }
-
-  # ;; add TH and TL 128-bit words horizontally
-  &VHPXORI4x128($T0H, $T1M1);
-  &VHPXORI4x128($T0L, $T1M2);
-
-  # ;; reduction
-  $code .= "vmovdqa64         POLY2(%rip),@{[XWORD($HK)]}\n";
-  &VCLMUL_REDUCE(
-    @{[XWORD($GHASH)]},
-    @{[XWORD($HK)]},
-    @{[XWORD($T0H)]},
-    @{[XWORD($T0L)]},
-    @{[XWORD($T0M1)]},
-    @{[XWORD($T0M2)]});
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;; GHASH_MUL MACRO to implement: Data*HashKey mod (x^128 + x^127 + x^126 +x^121 + 1)
-# ;; Input: A and B (128-bits each, bit-reflected)
-# ;; Output: C = A*B*x mod poly, (i.e. >>1 )
-# ;; To compute GH = GH*HashKey mod poly, give HK = HashKey<<1 mod poly as input
-# ;; GH = GH * HK * x mod poly which is equivalent to GH*HashKey mod poly.
-# ;;
-# ;; Refer to [3] for more detals.
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub GHASH_MUL {
-  my $GH = $_[0];    #; [in/out] xmm/ymm/zmm with multiply operand(s) (128-bits)
-  my $HK = $_[1];    #; [in] xmm/ymm/zmm with hash key value(s) (128-bits)
-  my $T1 = $_[2];    #; [clobbered] xmm/ymm/zmm
-  my $T2 = $_[3];    #; [clobbered] xmm/ymm/zmm
-  my $T3 = $_[4];    #; [clobbered] xmm/ymm/zmm
-
-  $code .= <<___;
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        vpclmulqdq        \$0x11,$HK,$GH,$T1 # ; $T1 = a1*b1
-        vpclmulqdq        \$0x00,$HK,$GH,$T2 # ; $T2 = a0*b0
-        vpclmulqdq        \$0x01,$HK,$GH,$T3 # ; $T3 = a1*b0
-        vpclmulqdq        \$0x10,$HK,$GH,$GH # ; $GH = a0*b1
-        vpxorq            $T3,$GH,$GH
-
-        vpsrldq           \$8,$GH,$T3        # ; shift-R $GH 2 DWs
-        vpslldq           \$8,$GH,$GH        # ; shift-L $GH 2 DWs
-        vpxorq            $T3,$T1,$T1
-        vpxorq            $T2,$GH,$GH
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;first phase of the reduction
-        vmovdqu64         POLY2(%rip),$T3
-
-        vpclmulqdq        \$0x01,$GH,$T3,$T2
-        vpslldq           \$8,$T2,$T2        # ; shift-L $T2 2 DWs
-        vpxorq            $T2,$GH,$GH        # ; first phase of the reduction complete
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;second phase of the reduction
-        vpclmulqdq        \$0x00,$GH,$T3,$T2
-        vpsrldq           \$4,$T2,$T2        # ; shift-R only 1-DW to obtain 2-DWs shift-R
-        vpclmulqdq        \$0x10,$GH,$T3,$GH
-        vpslldq           \$4,$GH,$GH        # ; Shift-L 1-DW to obtain result with no shifts
-                                             # ; second phase of the reduction complete, the result is in $GH
-        vpternlogq        \$0x96,$T2,$T1,$GH # ; GH = GH xor T1 xor T2
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-___
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; PRECOMPUTE computes HashKey_i
-sub PRECOMPUTE {
-  my $GCM128_CTX = $_[0];    #; [in/out] context pointer, hkeys content updated
-  my $HK         = $_[1];    #; [in] xmm, hash key
-  my $T1         = $_[2];    #; [clobbered] xmm
-  my $T2         = $_[3];    #; [clobbered] xmm
-  my $T3         = $_[4];    #; [clobbered] xmm
-  my $T4         = $_[5];    #; [clobbered] xmm
-  my $T5         = $_[6];    #; [clobbered] xmm
-  my $T6         = $_[7];    #; [clobbered] xmm
-
-  my $ZT1 = &ZWORD($T1);
-  my $ZT2 = &ZWORD($T2);
-  my $ZT3 = &ZWORD($T3);
-  my $ZT4 = &ZWORD($T4);
-  my $ZT5 = &ZWORD($T5);
-  my $ZT6 = &ZWORD($T6);
-
-  my $YT1 = &YWORD($T1);
-  my $YT2 = &YWORD($T2);
-  my $YT3 = &YWORD($T3);
-  my $YT4 = &YWORD($T4);
-  my $YT5 = &YWORD($T5);
-  my $YT6 = &YWORD($T6);
-
-  $code .= <<___;
-        vshufi32x4   \$0x00,@{[YWORD($HK)]},@{[YWORD($HK)]},$YT5
-        vmovdqa      $YT5,$YT4
-___
-
-  # ;; calculate HashKey^2<<1 mod poly
-  &GHASH_MUL($YT4, $YT5, $YT1, $YT2, $YT3);
-
-  $code .= <<___;
-        vmovdqu64         $T4,@{[HashKeyByIdx(2,$GCM128_CTX)]}
-        vinserti64x2      \$1,$HK,$YT4,$YT5
-        vmovdqa64         $YT5,$YT6                             # ;; YT6 = HashKey | HashKey^2
-___
-
-  # ;; use 2x128-bit computation
-  # ;; calculate HashKey^4<<1 mod poly, HashKey^3<<1 mod poly
-  &GHASH_MUL($YT5, $YT4, $YT1, $YT2, $YT3);    # ;; YT5 = HashKey^3 | HashKey^4
-
-  $code .= <<___;
-        vmovdqu64         $YT5,@{[HashKeyByIdx(4,$GCM128_CTX)]}
-
-        vinserti64x4      \$1,$YT6,$ZT5,$ZT5                    # ;; ZT5 = YT6 | YT5
-
-        # ;; switch to 4x128-bit computations now
-        vshufi64x2        \$0x00,$ZT5,$ZT5,$ZT4                 # ;; broadcast HashKey^4 across all ZT4
-        vmovdqa64         $ZT5,$ZT6                             # ;; save HashKey^4 to HashKey^1 in ZT6
-___
-
-  # ;; calculate HashKey^5<<1 mod poly, HashKey^6<<1 mod poly, ... HashKey^8<<1 mod poly
-  &GHASH_MUL($ZT5, $ZT4, $ZT1, $ZT2, $ZT3);
-  $code .= <<___;
-        vmovdqu64         $ZT5,@{[HashKeyByIdx(8,$GCM128_CTX)]} # ;; HashKey^8 to HashKey^5 in ZT5 now
-        vshufi64x2        \$0x00,$ZT5,$ZT5,$ZT4                 # ;; broadcast HashKey^8 across all ZT4
-___
-
-  # ;; calculate HashKey^9<<1 mod poly, HashKey^10<<1 mod poly, ... HashKey^16<<1 mod poly
-  # ;; use HashKey^8 as multiplier against ZT6 and ZT5 - this allows deeper ooo execution
-
-  # ;; compute HashKey^(12), HashKey^(11), ... HashKey^(9)
-  &GHASH_MUL($ZT6, $ZT4, $ZT1, $ZT2, $ZT3);
-  $code .= "vmovdqu64         $ZT6,@{[HashKeyByIdx(12,$GCM128_CTX)]}\n";
-
-  # ;; compute HashKey^(16), HashKey^(15), ... HashKey^(13)
-  &GHASH_MUL($ZT5, $ZT4, $ZT1, $ZT2, $ZT3);
-  $code .= "vmovdqu64         $ZT5,@{[HashKeyByIdx(16,$GCM128_CTX)]}\n";
-
-  # ; Hkeys 17..48 will be precomputed somewhere else as context can hold only 16 hkeys
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;; READ_SMALL_DATA_INPUT
-# ;; Packs xmm register with data when data input is less or equal to 16 bytes
-# ;; Returns 0 if data has length 0
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub READ_SMALL_DATA_INPUT {
-  my $OUTPUT = $_[0];    # [out] xmm register
-  my $INPUT  = $_[1];    # [in] buffer pointer to read from
-  my $LENGTH = $_[2];    # [in] number of bytes to read
-  my $TMP1   = $_[3];    # [clobbered]
-  my $TMP2   = $_[4];    # [clobbered]
-  my $MASK   = $_[5];    # [out] k1 to k7 register to store the partial block mask
-
-  $code .= <<___;
-        mov               \$16,@{[DWORD($TMP2)]}
-        lea               byte_len_to_mask_table(%rip),$TMP1
-        cmp               $TMP2,$LENGTH
-        cmovc             $LENGTH,$TMP2
-___
-  if ($win64) {
-    $code .= <<___;
-        add               $TMP2,$TMP1
-        add               $TMP2,$TMP1
-        kmovw             ($TMP1),$MASK
-___
-  } else {
-    $code .= "kmovw           ($TMP1,$TMP2,2),$MASK\n";
-  }
-  $code .= "vmovdqu8          ($INPUT),${OUTPUT}{$MASK}{z}\n";
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-#  CALC_AAD_HASH: Calculates the hash of the data which will not be encrypted.
-#  Input: The input data (A_IN), that data's length (A_LEN), and the hash key (HASH_KEY).
-#  Output: The hash of the data (AAD_HASH).
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub CALC_AAD_HASH {
-  my $A_IN       = $_[0];     # [in] AAD text pointer
-  my $A_LEN      = $_[1];     # [in] AAD length
-  my $AAD_HASH   = $_[2];     # [in/out] xmm ghash value
-  my $GCM128_CTX = $_[3];     # [in] pointer to context
-  my $ZT0        = $_[4];     # [clobbered] ZMM register
-  my $ZT1        = $_[5];     # [clobbered] ZMM register
-  my $ZT2        = $_[6];     # [clobbered] ZMM register
-  my $ZT3        = $_[7];     # [clobbered] ZMM register
-  my $ZT4        = $_[8];     # [clobbered] ZMM register
-  my $ZT5        = $_[9];     # [clobbered] ZMM register
-  my $ZT6        = $_[10];    # [clobbered] ZMM register
-  my $ZT7        = $_[11];    # [clobbered] ZMM register
-  my $ZT8        = $_[12];    # [clobbered] ZMM register
-  my $ZT9        = $_[13];    # [clobbered] ZMM register
-  my $ZT10       = $_[14];    # [clobbered] ZMM register
-  my $ZT11       = $_[15];    # [clobbered] ZMM register
-  my $ZT12       = $_[16];    # [clobbered] ZMM register
-  my $ZT13       = $_[17];    # [clobbered] ZMM register
-  my $ZT14       = $_[18];    # [clobbered] ZMM register
-  my $ZT15       = $_[19];    # [clobbered] ZMM register
-  my $ZT16       = $_[20];    # [clobbered] ZMM register
-  my $T1         = $_[21];    # [clobbered] GP register
-  my $T2         = $_[22];    # [clobbered] GP register
-  my $T3         = $_[23];    # [clobbered] GP register
-  my $MASKREG    = $_[24];    # [clobbered] mask register
-
-  my $HKEYS_READY = "%rbx";
-
-  my $SHFMSK = $ZT13;
-
-  my $rndsuffix = &random_string();
-
-  $code .= <<___;
-        mov               $A_IN,$T1      # ; T1 = AAD
-        mov               $A_LEN,$T2     # ; T2 = aadLen
-        or                $T2,$T2
-        jz                .L_CALC_AAD_done_${rndsuffix}
-
-        xor               $HKEYS_READY,$HKEYS_READY
-        vmovdqa64         SHUF_MASK(%rip),$SHFMSK
-
-.L_get_AAD_loop48x16_${rndsuffix}:
-        cmp               \$`(48*16)`,$T2
-        jl                .L_exit_AAD_loop48x16_${rndsuffix}
-___
-
-  $code .= <<___;
-        vmovdqu64         `64*0`($T1),$ZT1      # ; Blocks 0-3
-        vmovdqu64         `64*1`($T1),$ZT2      # ; Blocks 4-7
-        vmovdqu64         `64*2`($T1),$ZT3      # ; Blocks 8-11
-        vmovdqu64         `64*3`($T1),$ZT4      # ; Blocks 12-15
-        vpshufb           $SHFMSK,$ZT1,$ZT1
-        vpshufb           $SHFMSK,$ZT2,$ZT2
-        vpshufb           $SHFMSK,$ZT3,$ZT3
-        vpshufb           $SHFMSK,$ZT4,$ZT4
-___
-
-  &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZT0, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT14, "all");
-  $code .= "mov     \$1,$HKEYS_READY\n";
-
-  &GHASH_16(
-    "start",        $ZT5,           $ZT6,           $ZT7,
-    "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp",
-    &HashKeyOffsetByIdx(48, "frame"), 0, "@{[ZWORD($AAD_HASH)]}", $ZT0,
-    $ZT8,     $ZT9,  $ZT10, $ZT11,
-    $ZT12,    $ZT14, $ZT15, $ZT16,
-    "NO_ZMM", $ZT1,  $ZT2,  $ZT3,
-    $ZT4);
-
-  $code .= <<___;
-        vmovdqu64         `16*16 + 64*0`($T1),$ZT1      # ; Blocks 16-19
-        vmovdqu64         `16*16 + 64*1`($T1),$ZT2      # ; Blocks 20-23
-        vmovdqu64         `16*16 + 64*2`($T1),$ZT3      # ; Blocks 24-27
-        vmovdqu64         `16*16 + 64*3`($T1),$ZT4      # ; Blocks 28-31
-        vpshufb           $SHFMSK,$ZT1,$ZT1
-        vpshufb           $SHFMSK,$ZT2,$ZT2
-        vpshufb           $SHFMSK,$ZT3,$ZT3
-        vpshufb           $SHFMSK,$ZT4,$ZT4
-___
-
-  &GHASH_16(
-    "mid",          $ZT5,           $ZT6,           $ZT7,
-    "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp",
-    &HashKeyOffsetByIdx(32, "frame"), 0, "NO_HASH_IN_OUT", $ZT0,
-    $ZT8,     $ZT9,  $ZT10, $ZT11,
-    $ZT12,    $ZT14, $ZT15, $ZT16,
-    "NO_ZMM", $ZT1,  $ZT2,  $ZT3,
-    $ZT4);
-
-  $code .= <<___;
-        vmovdqu64         `32*16 + 64*0`($T1),$ZT1      # ; Blocks 32-35
-        vmovdqu64         `32*16 + 64*1`($T1),$ZT2      # ; Blocks 36-39
-        vmovdqu64         `32*16 + 64*2`($T1),$ZT3      # ; Blocks 40-43
-        vmovdqu64         `32*16 + 64*3`($T1),$ZT4      # ; Blocks 44-47
-        vpshufb           $SHFMSK,$ZT1,$ZT1
-        vpshufb           $SHFMSK,$ZT2,$ZT2
-        vpshufb           $SHFMSK,$ZT3,$ZT3
-        vpshufb           $SHFMSK,$ZT4,$ZT4
-___
-
-  &GHASH_16(
-    "end_reduce",   $ZT5,           $ZT6,           $ZT7,
-    "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp",
-    &HashKeyOffsetByIdx(16, "frame"), 0, &ZWORD($AAD_HASH), $ZT0,
-    $ZT8,     $ZT9,  $ZT10, $ZT11,
-    $ZT12,    $ZT14, $ZT15, $ZT16,
-    "NO_ZMM", $ZT1,  $ZT2,  $ZT3,
-    $ZT4);
-
-  $code .= <<___;
-        sub               \$`(48*16)`,$T2
-        je                .L_CALC_AAD_done_${rndsuffix}
-
-        add               \$`(48*16)`,$T1
-        jmp               .L_get_AAD_loop48x16_${rndsuffix}
-
-.L_exit_AAD_loop48x16_${rndsuffix}:
-        # ; Less than 48x16 bytes remaining
-        cmp               \$`(32*16)`,$T2
-        jl                .L_less_than_32x16_${rndsuffix}
-___
-
-  $code .= <<___;
-        # ; Get next 16 blocks
-        vmovdqu64         `64*0`($T1),$ZT1
-        vmovdqu64         `64*1`($T1),$ZT2
-        vmovdqu64         `64*2`($T1),$ZT3
-        vmovdqu64         `64*3`($T1),$ZT4
-        vpshufb           $SHFMSK,$ZT1,$ZT1
-        vpshufb           $SHFMSK,$ZT2,$ZT2
-        vpshufb           $SHFMSK,$ZT3,$ZT3
-        vpshufb           $SHFMSK,$ZT4,$ZT4
-___
-
-  &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZT0, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT14, "first32");
-  $code .= "mov     \$1,$HKEYS_READY\n";
-
-  &GHASH_16(
-    "start",        $ZT5,           $ZT6,           $ZT7,
-    "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp",
-    &HashKeyOffsetByIdx(32, "frame"), 0, &ZWORD($AAD_HASH), $ZT0,
-    $ZT8,     $ZT9,  $ZT10, $ZT11,
-    $ZT12,    $ZT14, $ZT15, $ZT16,
-    "NO_ZMM", $ZT1,  $ZT2,  $ZT3,
-    $ZT4);
-
-  $code .= <<___;
-        vmovdqu64         `16*16 + 64*0`($T1),$ZT1
-        vmovdqu64         `16*16 + 64*1`($T1),$ZT2
-        vmovdqu64         `16*16 + 64*2`($T1),$ZT3
-        vmovdqu64         `16*16 + 64*3`($T1),$ZT4
-        vpshufb           $SHFMSK,$ZT1,$ZT1
-        vpshufb           $SHFMSK,$ZT2,$ZT2
-        vpshufb           $SHFMSK,$ZT3,$ZT3
-        vpshufb           $SHFMSK,$ZT4,$ZT4
-___
-
-  &GHASH_16(
-    "end_reduce",   $ZT5,           $ZT6,           $ZT7,
-    "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", "%rsp",
-    &HashKeyOffsetByIdx(16, "frame"), 0, &ZWORD($AAD_HASH), $ZT0,
-    $ZT8,     $ZT9,  $ZT10, $ZT11,
-    $ZT12,    $ZT14, $ZT15, $ZT16,
-    "NO_ZMM", $ZT1,  $ZT2,  $ZT3,
-    $ZT4);
-
-  $code .= <<___;
-        sub               \$`(32*16)`,$T2
-        je                .L_CALC_AAD_done_${rndsuffix}
-
-        add               \$`(32*16)`,$T1
-        jmp               .L_less_than_16x16_${rndsuffix}
-
-.L_less_than_32x16_${rndsuffix}:
-        cmp               \$`(16*16)`,$T2
-        jl                .L_less_than_16x16_${rndsuffix}
-        # ; Get next 16 blocks
-        vmovdqu64         `64*0`($T1),$ZT1
-        vmovdqu64         `64*1`($T1),$ZT2
-        vmovdqu64         `64*2`($T1),$ZT3
-        vmovdqu64         `64*3`($T1),$ZT4
-        vpshufb           $SHFMSK,$ZT1,$ZT1
-        vpshufb           $SHFMSK,$ZT2,$ZT2
-        vpshufb           $SHFMSK,$ZT3,$ZT3
-        vpshufb           $SHFMSK,$ZT4,$ZT4
-___
-
-  # ; This code path does not use more than 16 hkeys, so they can be taken from the context
-  # ; (not from the stack storage)
-  &GHASH_16(
-    "start_reduce", $ZT5,           $ZT6,           $ZT7,
-    "NO_INPUT_PTR", "NO_INPUT_PTR", "NO_INPUT_PTR", $GCM128_CTX,
-    &HashKeyOffsetByIdx(16, "context"), 0, &ZWORD($AAD_HASH), $ZT0,
-    $ZT8,     $ZT9,  $ZT10, $ZT11,
-    $ZT12,    $ZT14, $ZT15, $ZT16,
-    "NO_ZMM", $ZT1,  $ZT2,  $ZT3,
-    $ZT4);
-
-  $code .= <<___;
-        sub               \$`(16*16)`,$T2
-        je                .L_CALC_AAD_done_${rndsuffix}
-
-        add               \$`(16*16)`,$T1
-        # ; Less than 16x16 bytes remaining
-.L_less_than_16x16_${rndsuffix}:
-        # ;; prep mask source address
-        lea               byte64_len_to_mask_table(%rip),$T3
-        lea               ($T3,$T2,8),$T3
-
-        # ;; calculate number of blocks to ghash (including partial bytes)
-        add               \$15,@{[DWORD($T2)]}
-        shr               \$4,@{[DWORD($T2)]}
-        cmp               \$2,@{[DWORD($T2)]}
-        jb                .L_AAD_blocks_1_${rndsuffix}
-        je                .L_AAD_blocks_2_${rndsuffix}
-        cmp               \$4,@{[DWORD($T2)]}
-        jb                .L_AAD_blocks_3_${rndsuffix}
-        je                .L_AAD_blocks_4_${rndsuffix}
-        cmp               \$6,@{[DWORD($T2)]}
-        jb                .L_AAD_blocks_5_${rndsuffix}
-        je                .L_AAD_blocks_6_${rndsuffix}
-        cmp               \$8,@{[DWORD($T2)]}
-        jb                .L_AAD_blocks_7_${rndsuffix}
-        je                .L_AAD_blocks_8_${rndsuffix}
-        cmp               \$10,@{[DWORD($T2)]}
-        jb                .L_AAD_blocks_9_${rndsuffix}
-        je                .L_AAD_blocks_10_${rndsuffix}
-        cmp               \$12,@{[DWORD($T2)]}
-        jb                .L_AAD_blocks_11_${rndsuffix}
-        je                .L_AAD_blocks_12_${rndsuffix}
-        cmp               \$14,@{[DWORD($T2)]}
-        jb                .L_AAD_blocks_13_${rndsuffix}
-        je                .L_AAD_blocks_14_${rndsuffix}
-        cmp               \$15,@{[DWORD($T2)]}
-        je                .L_AAD_blocks_15_${rndsuffix}
-___
-
-  # ;; fall through for 16 blocks
-
-  # ;; The flow of each of these cases is identical:
-  # ;; - load blocks plain text
-  # ;; - shuffle loaded blocks
-  # ;; - xor in current hash value into block 0
-  # ;; - perform up multiplications with ghash keys
-  # ;; - jump to reduction code
-
-  for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) {
-    $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n";
-    if ($aad_blocks > 12) {
-      $code .= "sub               \$`12*16*8`, $T3\n";
-    } elsif ($aad_blocks > 8) {
-      $code .= "sub               \$`8*16*8`, $T3\n";
-    } elsif ($aad_blocks > 4) {
-      $code .= "sub               \$`4*16*8`, $T3\n";
-    }
-    $code .= "kmovq             ($T3),$MASKREG\n";
-
-    &ZMM_LOAD_MASKED_BLOCKS_0_16($aad_blocks, $T1, 0, $ZT1, $ZT2, $ZT3, $ZT4, $MASKREG);
-
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16($aad_blocks, "vpshufb", $ZT1, $ZT2, $ZT3, $ZT4,
-      $ZT1, $ZT2, $ZT3, $ZT4, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
-
-    &GHASH_1_TO_16($GCM128_CTX, &ZWORD($AAD_HASH),
-      $ZT0, $ZT5, $ZT6, $ZT7, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, &ZWORD($AAD_HASH), $ZT1, $ZT2, $ZT3, $ZT4, $aad_blocks);
-
-    if ($aad_blocks > 1) {
-
-      # ;; fall through to CALC_AAD_done in 1 block case
-      $code .= "jmp           .L_CALC_AAD_done_${rndsuffix}\n";
-    }
-
-  }
-  $code .= ".L_CALC_AAD_done_${rndsuffix}:\n";
-
-  # ;; result in AAD_HASH
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;; PARTIAL_BLOCK
-# ;; Handles encryption/decryption and the tag partial blocks between
-# ;; update calls.
-# ;; Requires the input data be at least 1 byte long.
-# ;; Output:
-# ;; A cipher/plain of the first partial block (CIPH_PLAIN_OUT),
-# ;; AAD_HASH and updated GCM128_CTX
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub PARTIAL_BLOCK {
-  my $GCM128_CTX     = $_[0];     # [in] key pointer
-  my $PBLOCK_LEN     = $_[1];     # [in] partial block length
-  my $CIPH_PLAIN_OUT = $_[2];     # [in] output buffer
-  my $PLAIN_CIPH_IN  = $_[3];     # [in] input buffer
-  my $PLAIN_CIPH_LEN = $_[4];     # [in] buffer length
-  my $DATA_OFFSET    = $_[5];     # [out] data offset (gets set)
-  my $AAD_HASH       = $_[6];     # [out] updated GHASH value
-  my $ENC_DEC        = $_[7];     # [in] cipher direction
-  my $GPTMP0         = $_[8];     # [clobbered] GP temporary register
-  my $GPTMP1         = $_[9];     # [clobbered] GP temporary register
-  my $GPTMP2         = $_[10];    # [clobbered] GP temporary register
-  my $ZTMP0          = $_[11];    # [clobbered] ZMM temporary register
-  my $ZTMP1          = $_[12];    # [clobbered] ZMM temporary register
-  my $ZTMP2          = $_[13];    # [clobbered] ZMM temporary register
-  my $ZTMP3          = $_[14];    # [clobbered] ZMM temporary register
-  my $ZTMP4          = $_[15];    # [clobbered] ZMM temporary register
-  my $ZTMP5          = $_[16];    # [clobbered] ZMM temporary register
-  my $ZTMP6          = $_[17];    # [clobbered] ZMM temporary register
-  my $ZTMP7          = $_[18];    # [clobbered] ZMM temporary register
-  my $MASKREG        = $_[19];    # [clobbered] mask temporary register
-
-  my $XTMP0 = &XWORD($ZTMP0);
-  my $XTMP1 = &XWORD($ZTMP1);
-  my $XTMP2 = &XWORD($ZTMP2);
-  my $XTMP3 = &XWORD($ZTMP3);
-  my $XTMP4 = &XWORD($ZTMP4);
-  my $XTMP5 = &XWORD($ZTMP5);
-  my $XTMP6 = &XWORD($ZTMP6);
-  my $XTMP7 = &XWORD($ZTMP7);
-
-  my $LENGTH = $DATA_OFFSET;
-  my $IA0    = $GPTMP1;
-  my $IA1    = $GPTMP2;
-  my $IA2    = $GPTMP0;
-
-  my $rndsuffix = &random_string();
-
-  $code .= <<___;
-        # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero
-        mov             ($PBLOCK_LEN),$LENGTH
-        or              $LENGTH,$LENGTH
-        je              .L_partial_block_done_${rndsuffix}         #  ;Leave Macro if no partial blocks
-___
-
-  &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG);
-
-  $code .= <<___;
-        # ;; XTMP1 = my_ctx_data.partial_block_enc_key
-        vmovdqu64         $CTX_OFFSET_PEncBlock($GCM128_CTX),$XTMP1
-        vmovdqu64         @{[HashKeyByIdx(1,$GCM128_CTX)]},$XTMP2
-
-        # ;; adjust the shuffle mask pointer to be able to shift right $LENGTH bytes
-        # ;; (16 - $LENGTH) is the number of bytes in plaintext mod 16)
-        lea               SHIFT_MASK(%rip),$IA0
-        add               $LENGTH,$IA0
-        vmovdqu64         ($IA0),$XTMP3         # ; shift right shuffle mask
-        vpshufb           $XTMP3,$XTMP1,$XTMP1
-___
-
-  if ($ENC_DEC eq "DEC") {
-    $code .= <<___;
-        # ;;  keep copy of cipher text in $XTMP4
-        vmovdqa64         $XTMP0,$XTMP4
-___
-  }
-  $code .= <<___;
-        vpxorq            $XTMP0,$XTMP1,$XTMP1  # ; Ciphertext XOR E(K, Yn)
-        # ;; Set $IA1 to be the amount of data left in CIPH_PLAIN_IN after filling the block
-        # ;; Determine if partial block is not being filled and shift mask accordingly
-___
-  if ($win64) {
-    $code .= <<___;
-        mov               $PLAIN_CIPH_LEN,$IA1
-        add               $LENGTH,$IA1
-___
-  } else {
-    $code .= "lea               ($PLAIN_CIPH_LEN, $LENGTH, 1),$IA1\n";
-  }
-  $code .= <<___;
-        sub               \$16,$IA1
-        jge               .L_no_extra_mask_${rndsuffix}
-        sub               $IA1,$IA0
-.L_no_extra_mask_${rndsuffix}:
-        # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1
-        # ;; - mask out bottom $LENGTH bytes of $XTMP1
-        # ;; sizeof(SHIFT_MASK) == 16 bytes
-        vmovdqu64         16($IA0),$XTMP0
-        vpand             $XTMP0,$XTMP1,$XTMP1
-___
-
-  if ($ENC_DEC eq "DEC") {
-    $code .= <<___;
-        vpand             $XTMP0,$XTMP4,$XTMP4
-        vpshufb           SHUF_MASK(%rip),$XTMP4,$XTMP4
-        vpshufb           $XTMP3,$XTMP4,$XTMP4
-        vpxorq            $XTMP4,$AAD_HASH,$AAD_HASH
-___
-  } else {
-    $code .= <<___;
-        vpshufb           SHUF_MASK(%rip),$XTMP1,$XTMP1
-        vpshufb           $XTMP3,$XTMP1,$XTMP1
-        vpxorq            $XTMP1,$AAD_HASH,$AAD_HASH
-___
-  }
-  $code .= <<___;
-        cmp               \$0,$IA1
-        jl                .L_partial_incomplete_${rndsuffix}
-___
-
-  # ;; GHASH computation for the last <16 Byte block
-  &GHASH_MUL($AAD_HASH, $XTMP2, $XTMP5, $XTMP6, $XTMP7);
-
-  $code .= <<___;
-        movq              \$0, ($PBLOCK_LEN)
-        # ;;  Set $LENGTH to be the number of bytes to write out
-        mov               $LENGTH,$IA0
-        mov               \$16,$LENGTH
-        sub               $IA0,$LENGTH
-        jmp               .L_enc_dec_done_${rndsuffix}
-
-.L_partial_incomplete_${rndsuffix}:
-___
-  if ($win64) {
-    $code .= <<___;
-        mov               $PLAIN_CIPH_LEN,$IA0
-        add               $IA0,($PBLOCK_LEN)
-___
-  } else {
-    $code .= "add               $PLAIN_CIPH_LEN,($PBLOCK_LEN)\n";
-  }
-  $code .= <<___;
-        mov               $PLAIN_CIPH_LEN,$LENGTH
-
-.L_enc_dec_done_${rndsuffix}:
-        # ;; output encrypted Bytes
-
-        lea               byte_len_to_mask_table(%rip),$IA0
-        kmovw             ($IA0,$LENGTH,2),$MASKREG
-        vmovdqu64         $AAD_HASH,$CTX_OFFSET_AadHash($GCM128_CTX)
-___
-
-  if ($ENC_DEC eq "ENC") {
-    $code .= <<___;
-        # ;; shuffle XTMP1 back to output as ciphertext
-        vpshufb           SHUF_MASK(%rip),$XTMP1,$XTMP1
-        vpshufb           $XTMP3,$XTMP1,$XTMP1
-___
-  }
-  $code .= <<___;
-        mov               $CIPH_PLAIN_OUT,$IA0
-        vmovdqu8          $XTMP1,($IA0){$MASKREG}
-.L_partial_block_done_${rndsuffix}:
-___
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;; Ciphers 1 to 16 blocks and prepares them for later GHASH compute operation
-sub INITIAL_BLOCKS_PARTIAL_CIPHER {
-  my $AES_KEYS        = $_[0];     # [in] key pointer
-  my $GCM128_CTX      = $_[1];     # [in] context pointer
-  my $CIPH_PLAIN_OUT  = $_[2];     # [in] text output pointer
-  my $PLAIN_CIPH_IN   = $_[3];     # [in] text input pointer
-  my $LENGTH          = $_[4];     # [in/clobbered] length in bytes
-  my $DATA_OFFSET     = $_[5];     # [in/out] current data offset (updated)
-  my $NUM_BLOCKS      = $_[6];     # [in] can only be 1, 2, 3, 4, 5, ..., 15 or 16 (not 0)
-  my $CTR             = $_[7];     # [in/out] current counter value
-  my $ENC_DEC         = $_[8];     # [in] cipher direction (ENC/DEC)
-  my $DAT0            = $_[9];     # [out] ZMM with cipher text shuffled for GHASH
-  my $DAT1            = $_[10];    # [out] ZMM with cipher text shuffled for GHASH
-  my $DAT2            = $_[11];    # [out] ZMM with cipher text shuffled for GHASH
-  my $DAT3            = $_[12];    # [out] ZMM with cipher text shuffled for GHASH
-  my $LAST_CIPHER_BLK = $_[13];    # [out] XMM to put ciphered counter block partially xor'ed with text
-  my $LAST_GHASH_BLK  = $_[14];    # [out] XMM to put last cipher text block shuffled for GHASH
-  my $CTR0            = $_[15];    # [clobbered] ZMM temporary
-  my $CTR1            = $_[16];    # [clobbered] ZMM temporary
-  my $CTR2            = $_[17];    # [clobbered] ZMM temporary
-  my $CTR3            = $_[18];    # [clobbered] ZMM temporary
-  my $ZT1             = $_[19];    # [clobbered] ZMM temporary
-  my $IA0             = $_[20];    # [clobbered] GP temporary
-  my $IA1             = $_[21];    # [clobbered] GP temporary
-  my $MASKREG         = $_[22];    # [clobbered] mask register
-  my $SHUFMASK        = $_[23];    # [out] ZMM loaded with BE/LE shuffle mask
-
-  if ($NUM_BLOCKS == 1) {
-    $code .= "vmovdqa64         SHUF_MASK(%rip),@{[XWORD($SHUFMASK)]}\n";
-  } elsif ($NUM_BLOCKS == 2) {
-    $code .= "vmovdqa64         SHUF_MASK(%rip),@{[YWORD($SHUFMASK)]}\n";
-  } else {
-    $code .= "vmovdqa64         SHUF_MASK(%rip),$SHUFMASK\n";
-  }
-
-  # ;; prepare AES counter blocks
-  if ($NUM_BLOCKS == 1) {
-    $code .= "vpaddd            ONE(%rip),$CTR,@{[XWORD($CTR0)]}\n";
-  } elsif ($NUM_BLOCKS == 2) {
-    $code .= <<___;
-        vshufi64x2        \$0,@{[YWORD($CTR)]},@{[YWORD($CTR)]},@{[YWORD($CTR0)]}
-        vpaddd            ddq_add_1234(%rip),@{[YWORD($CTR0)]},@{[YWORD($CTR0)]}
-___
-  } else {
-    $code .= <<___;
-        vshufi64x2        \$0,@{[ZWORD($CTR)]},@{[ZWORD($CTR)]},@{[ZWORD($CTR)]}
-        vpaddd            ddq_add_1234(%rip),@{[ZWORD($CTR)]},$CTR0
-___
-    if ($NUM_BLOCKS > 4) {
-      $code .= "vpaddd            ddq_add_5678(%rip),@{[ZWORD($CTR)]},$CTR1\n";
-    }
-    if ($NUM_BLOCKS > 8) {
-      $code .= "vpaddd            ddq_add_8888(%rip),$CTR0,$CTR2\n";
-    }
-    if ($NUM_BLOCKS > 12) {
-      $code .= "vpaddd            ddq_add_8888(%rip),$CTR1,$CTR3\n";
-    }
-  }
-
-  # ;; get load/store mask
-  $code .= <<___;
-        lea               byte64_len_to_mask_table(%rip),$IA0
-        mov               $LENGTH,$IA1
-___
-  if ($NUM_BLOCKS > 12) {
-    $code .= "sub               \$`3*64`,$IA1\n";
-  } elsif ($NUM_BLOCKS > 8) {
-    $code .= "sub               \$`2*64`,$IA1\n";
-  } elsif ($NUM_BLOCKS > 4) {
-    $code .= "sub               \$`1*64`,$IA1\n";
-  }
-  $code .= "kmovq             ($IA0,$IA1,8),$MASKREG\n";
-
-  # ;; extract new counter value
-  # ;; shuffle the counters for AES rounds
-  if ($NUM_BLOCKS <= 4) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 1)`,$CTR0,$CTR\n";
-  } elsif ($NUM_BLOCKS <= 8) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 5)`,$CTR1,$CTR\n";
-  } elsif ($NUM_BLOCKS <= 12) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 9)`,$CTR2,$CTR\n";
-  } else {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 13)`,$CTR3,$CTR\n";
-  }
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vpshufb", $CTR0, $CTR1,     $CTR2,     $CTR3,     $CTR0,
-    $CTR1,       $CTR2,     $CTR3, $SHUFMASK, $SHUFMASK, $SHUFMASK, $SHUFMASK);
-
-  # ;; load plain/cipher text
-  &ZMM_LOAD_MASKED_BLOCKS_0_16($NUM_BLOCKS, $PLAIN_CIPH_IN, $DATA_OFFSET, $DAT0, $DAT1, $DAT2, $DAT3, $MASKREG);
-
-  # ;; AES rounds and XOR with plain/cipher text
-  foreach my $j (0 .. ($NROUNDS + 1)) {
-    $code .= "vbroadcastf64x2    `($j * 16)`($AES_KEYS),$ZT1\n";
-    &ZMM_AESENC_ROUND_BLOCKS_0_16($CTR0, $CTR1, $CTR2, $CTR3, $ZT1, $j,
-      $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $NROUNDS);
-  }
-
-  # ;; retrieve the last cipher counter block (partially XOR'ed with text)
-  # ;; - this is needed for partial block cases
-  if ($NUM_BLOCKS <= 4) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 1)`,$CTR0,$LAST_CIPHER_BLK\n";
-  } elsif ($NUM_BLOCKS <= 8) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 5)`,$CTR1,$LAST_CIPHER_BLK\n";
-  } elsif ($NUM_BLOCKS <= 12) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 9)`,$CTR2,$LAST_CIPHER_BLK\n";
-  } else {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 13)`,$CTR3,$LAST_CIPHER_BLK\n";
-  }
-
-  # ;; write cipher/plain text back to output and
-  $code .= "mov       $CIPH_PLAIN_OUT,$IA0\n";
-  &ZMM_STORE_MASKED_BLOCKS_0_16($NUM_BLOCKS, $IA0, $DATA_OFFSET, $CTR0, $CTR1, $CTR2, $CTR3, $MASKREG);
-
-  # ;; zero bytes outside the mask before hashing
-  if ($NUM_BLOCKS <= 4) {
-    $code .= "vmovdqu8          $CTR0,${CTR0}{$MASKREG}{z}\n";
-  } elsif ($NUM_BLOCKS <= 8) {
-    $code .= "vmovdqu8          $CTR1,${CTR1}{$MASKREG}{z}\n";
-  } elsif ($NUM_BLOCKS <= 12) {
-    $code .= "vmovdqu8          $CTR2,${CTR2}{$MASKREG}{z}\n";
-  } else {
-    $code .= "vmovdqu8          $CTR3,${CTR3}{$MASKREG}{z}\n";
-  }
-
-  # ;; Shuffle the cipher text blocks for hashing part
-  # ;; ZT5 and ZT6 are expected outputs with blocks for hashing
-  if ($ENC_DEC eq "DEC") {
-
-    # ;; Decrypt case
-    # ;; - cipher blocks are in ZT5 & ZT6
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUM_BLOCKS, "vpshufb", $DAT0, $DAT1,     $DAT2,     $DAT3,     $DAT0,
-      $DAT1,       $DAT2,     $DAT3, $SHUFMASK, $SHUFMASK, $SHUFMASK, $SHUFMASK);
-  } else {
-
-    # ;; Encrypt case
-    # ;; - cipher blocks are in CTR0-CTR3
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUM_BLOCKS, "vpshufb", $DAT0, $DAT1,     $DAT2,     $DAT3,     $CTR0,
-      $CTR1,       $CTR2,     $CTR3, $SHUFMASK, $SHUFMASK, $SHUFMASK, $SHUFMASK);
-  }
-
-  # ;; Extract the last block for partials and multi_call cases
-  if ($NUM_BLOCKS <= 4) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-1)`,$DAT0,$LAST_GHASH_BLK\n";
-  } elsif ($NUM_BLOCKS <= 8) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-5)`,$DAT1,$LAST_GHASH_BLK\n";
-  } elsif ($NUM_BLOCKS <= 12) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-9)`,$DAT2,$LAST_GHASH_BLK\n";
-  } else {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-13)`,$DAT3,$LAST_GHASH_BLK\n";
-  }
-
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;; Computes GHASH on 1 to 16 blocks
-sub INITIAL_BLOCKS_PARTIAL_GHASH {
-  my $AES_KEYS        = $_[0];     # [in] key pointer
-  my $GCM128_CTX      = $_[1];     # [in] context pointer
-  my $LENGTH          = $_[2];     # [in/clobbered] length in bytes
-  my $NUM_BLOCKS      = $_[3];     # [in] can only be 1, 2, 3, 4, 5, ..., 15 or 16 (not 0)
-  my $HASH_IN_OUT     = $_[4];     # [in/out] XMM ghash in/out value
-  my $ENC_DEC         = $_[5];     # [in] cipher direction (ENC/DEC)
-  my $DAT0            = $_[6];     # [in] ZMM with cipher text shuffled for GHASH
-  my $DAT1            = $_[7];     # [in] ZMM with cipher text shuffled for GHASH
-  my $DAT2            = $_[8];     # [in] ZMM with cipher text shuffled for GHASH
-  my $DAT3            = $_[9];     # [in] ZMM with cipher text shuffled for GHASH
-  my $LAST_CIPHER_BLK = $_[10];    # [in] XMM with ciphered counter block partially xor'ed with text
-  my $LAST_GHASH_BLK  = $_[11];    # [in] XMM with last cipher text block shuffled for GHASH
-  my $ZT0             = $_[12];    # [clobbered] ZMM temporary
-  my $ZT1             = $_[13];    # [clobbered] ZMM temporary
-  my $ZT2             = $_[14];    # [clobbered] ZMM temporary
-  my $ZT3             = $_[15];    # [clobbered] ZMM temporary
-  my $ZT4             = $_[16];    # [clobbered] ZMM temporary
-  my $ZT5             = $_[17];    # [clobbered] ZMM temporary
-  my $ZT6             = $_[18];    # [clobbered] ZMM temporary
-  my $ZT7             = $_[19];    # [clobbered] ZMM temporary
-  my $ZT8             = $_[20];    # [clobbered] ZMM temporary
-  my $PBLOCK_LEN      = $_[21];    # [in] partial block length
-  my $GH              = $_[22];    # [in] ZMM with hi product part
-  my $GM              = $_[23];    # [in] ZMM with mid prodcut part
-  my $GL              = $_[24];    # [in] ZMM with lo product part
-
-  my $rndsuffix = &random_string();
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;;; - Hash all but the last partial block of data
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-  # ;; update data offset
-  if ($NUM_BLOCKS > 1) {
-
-    # ;; The final block of data may be <16B
-    $code .= "sub               \$16 * ($NUM_BLOCKS - 1),$LENGTH\n";
-  }
-
-  if ($NUM_BLOCKS < 16) {
-    $code .= <<___;
-        # ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16.
-        # ;;      This is run in the context of GCM_ENC_DEC_SMALL for length < 256.
-        cmp               \$16,$LENGTH
-        jl                .L_small_initial_partial_block_${rndsuffix}
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;;; Handle a full length final block - encrypt and hash all blocks
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-        sub               \$16,$LENGTH
-        movq              \$0,($PBLOCK_LEN)
-___
-
-    # ;; Hash all of the data
-    if (scalar(@_) == 22) {
-
-      # ;; start GHASH compute
-      &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
-        $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS);
-    } elsif (scalar(@_) == 25) {
-
-      # ;; continue GHASH compute
-      &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
-        $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL);
-    }
-    $code .= "jmp           .L_small_initial_compute_done_${rndsuffix}\n";
-  }
-
-  $code .= <<___;
-.L_small_initial_partial_block_${rndsuffix}:
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;;; Handle ghash for a <16B final block
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-        # ;; As it's an init / update / finalize series we need to leave the
-        # ;; last block if it's less than a full block of data.
-
-        mov               $LENGTH,($PBLOCK_LEN)
-        vmovdqu64         $LAST_CIPHER_BLK,$CTX_OFFSET_PEncBlock($GCM128_CTX)
-___
-
-  my $k                  = ($NUM_BLOCKS - 1);
-  my $last_block_to_hash = 1;
-  if (($NUM_BLOCKS > $last_block_to_hash)) {
-
-    # ;; ZT12-ZT20 - temporary registers
-    if (scalar(@_) == 22) {
-
-      # ;; start GHASH compute
-      &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
-        $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $k);
-    } elsif (scalar(@_) == 25) {
-
-      # ;; continue GHASH compute
-      &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
-        $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $k, $GH, $GM, $GL);
-    }
-
-    # ;; just fall through no jmp needed
-  } else {
-
-    if (scalar(@_) == 25) {
-      $code .= <<___;
-        # ;; Reduction is required in this case.
-        # ;; Integrate GM into GH and GL.
-        vpsrldq           \$8,$GM,$ZT0
-        vpslldq           \$8,$GM,$ZT1
-        vpxorq            $ZT0,$GH,$GH
-        vpxorq            $ZT1,$GL,$GL
-___
-
-      # ;; Add GH and GL 128-bit words horizontally
-      &VHPXORI4x128($GH, $ZT0);
-      &VHPXORI4x128($GL, $ZT1);
-
-      # ;; 256-bit to 128-bit reduction
-      $code .= "vmovdqa64         POLY2(%rip),@{[XWORD($ZT0)]}\n";
-      &VCLMUL_REDUCE(&XWORD($HASH_IN_OUT), &XWORD($ZT0), &XWORD($GH), &XWORD($GL), &XWORD($ZT1), &XWORD($ZT2));
-    }
-    $code .= <<___;
-        # ;; Record that a reduction is not needed -
-        # ;; In this case no hashes are computed because there
-        # ;; is only one initial block and it is < 16B in length.
-        # ;; We only need to check if a reduction is needed if
-        # ;; initial_blocks == 1 and init/update/final is being used.
-        # ;; In this case we may just have a partial block, and that
-        # ;; gets hashed in finalize.
-
-        # ;; The hash should end up in HASH_IN_OUT.
-        # ;; The only way we should get here is if there is
-        # ;; a partial block of data, so xor that into the hash.
-        vpxorq            $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT
-        # ;; The result is in $HASH_IN_OUT
-        jmp               .L_after_reduction_${rndsuffix}
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;;; After GHASH reduction
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-  $code .= ".L_small_initial_compute_done_${rndsuffix}:\n";
-
-  # ;; If using init/update/finalize, we need to xor any partial block data
-  # ;; into the hash.
-  if ($NUM_BLOCKS > 1) {
-
-    # ;; NOTE: for $NUM_BLOCKS = 0 the xor never takes place
-    if ($NUM_BLOCKS != 16) {
-      $code .= <<___;
-        # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero
-        or                $LENGTH,$LENGTH
-        je                .L_after_reduction_${rndsuffix}
-___
-    }
-    $code .= "vpxorq            $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n";
-  }
-
-  $code .= ".L_after_reduction_${rndsuffix}:\n";
-
-  # ;; Final hash is now in HASH_IN_OUT
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;; INITIAL_BLOCKS_PARTIAL macro with support for a partial final block.
-# ;; It may look similar to INITIAL_BLOCKS but its usage is different:
-# ;; - first encrypts/decrypts required number of blocks and then
-# ;;   ghashes these blocks
-# ;; - Small packets or left over data chunks (<256 bytes)
-# ;; - Remaining data chunks below 256 bytes (multi buffer code)
-# ;;
-# ;; num_initial_blocks is expected to include the partial final block
-# ;; in the count.
-sub INITIAL_BLOCKS_PARTIAL {
-  my $AES_KEYS        = $_[0];     # [in] key pointer
-  my $GCM128_CTX      = $_[1];     # [in] context pointer
-  my $CIPH_PLAIN_OUT  = $_[2];     # [in] text output pointer
-  my $PLAIN_CIPH_IN   = $_[3];     # [in] text input pointer
-  my $LENGTH          = $_[4];     # [in/clobbered] length in bytes
-  my $DATA_OFFSET     = $_[5];     # [in/out] current data offset (updated)
-  my $NUM_BLOCKS      = $_[6];     # [in] can only be 1, 2, 3, 4, 5, ..., 15 or 16 (not 0)
-  my $CTR             = $_[7];     # [in/out] current counter value
-  my $HASH_IN_OUT     = $_[8];     # [in/out] XMM ghash in/out value
-  my $ENC_DEC         = $_[9];     # [in] cipher direction (ENC/DEC)
-  my $CTR0            = $_[10];    # [clobbered] ZMM temporary
-  my $CTR1            = $_[11];    # [clobbered] ZMM temporary
-  my $CTR2            = $_[12];    # [clobbered] ZMM temporary
-  my $CTR3            = $_[13];    # [clobbered] ZMM temporary
-  my $DAT0            = $_[14];    # [clobbered] ZMM temporary
-  my $DAT1            = $_[15];    # [clobbered] ZMM temporary
-  my $DAT2            = $_[16];    # [clobbered] ZMM temporary
-  my $DAT3            = $_[17];    # [clobbered] ZMM temporary
-  my $LAST_CIPHER_BLK = $_[18];    # [clobbered] ZMM temporary
-  my $LAST_GHASH_BLK  = $_[19];    # [clobbered] ZMM temporary
-  my $ZT0             = $_[20];    # [clobbered] ZMM temporary
-  my $ZT1             = $_[21];    # [clobbered] ZMM temporary
-  my $ZT2             = $_[22];    # [clobbered] ZMM temporary
-  my $ZT3             = $_[23];    # [clobbered] ZMM temporary
-  my $ZT4             = $_[24];    # [clobbered] ZMM temporary
-  my $IA0             = $_[25];    # [clobbered] GP temporary
-  my $IA1             = $_[26];    # [clobbered] GP temporary
-  my $MASKREG         = $_[27];    # [clobbered] mask register
-  my $SHUFMASK        = $_[28];    # [clobbered] ZMM for BE/LE shuffle mask
-  my $PBLOCK_LEN      = $_[29];    # [in] partial block length
-
-  &INITIAL_BLOCKS_PARTIAL_CIPHER(
-    $AES_KEYS, $GCM128_CTX,              $CIPH_PLAIN_OUT,         $PLAIN_CIPH_IN,
-    $LENGTH,   $DATA_OFFSET,             $NUM_BLOCKS,             $CTR,
-    $ENC_DEC,  $DAT0,                    $DAT1,                   $DAT2,
-    $DAT3,     &XWORD($LAST_CIPHER_BLK), &XWORD($LAST_GHASH_BLK), $CTR0,
-    $CTR1,     $CTR2,                    $CTR3,                   $ZT0,
-    $IA0,      $IA1,                     $MASKREG,                $SHUFMASK);
-
-  &INITIAL_BLOCKS_PARTIAL_GHASH($AES_KEYS, $GCM128_CTX, $LENGTH, $NUM_BLOCKS, $HASH_IN_OUT, $ENC_DEC, $DAT0,
-    $DAT1, $DAT2, $DAT3, &XWORD($LAST_CIPHER_BLK),
-    &XWORD($LAST_GHASH_BLK), $CTR0, $CTR1, $CTR2, $CTR3, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, $PBLOCK_LEN);
-}
-
-# ;; ===========================================================================
-# ;; Stitched GHASH of 16 blocks (with reduction) with encryption of N blocks
-# ;; followed with GHASH of the N blocks.
-sub GHASH_16_ENCRYPT_N_GHASH_N {
-  my $AES_KEYS           = $_[0];     # [in] key pointer
-  my $GCM128_CTX         = $_[1];     # [in] context pointer
-  my $CIPH_PLAIN_OUT     = $_[2];     # [in] pointer to output buffer
-  my $PLAIN_CIPH_IN      = $_[3];     # [in] pointer to input buffer
-  my $DATA_OFFSET        = $_[4];     # [in] data offset
-  my $LENGTH             = $_[5];     # [in] data length
-  my $CTR_BE             = $_[6];     # [in/out] ZMM counter blocks (last 4) in big-endian
-  my $CTR_CHECK          = $_[7];     # [in/out] GP with 8-bit counter for overflow check
-  my $HASHKEY_OFFSET     = $_[8];     # [in] numerical offset for the highest hash key
-                                      # (can be in form of register or numerical value)
-  my $GHASHIN_BLK_OFFSET = $_[9];     # [in] numerical offset for GHASH blocks in
-  my $SHFMSK             = $_[10];    # [in] ZMM with byte swap mask for pshufb
-  my $B00_03             = $_[11];    # [clobbered] temporary ZMM
-  my $B04_07             = $_[12];    # [clobbered] temporary ZMM
-  my $B08_11             = $_[13];    # [clobbered] temporary ZMM
-  my $B12_15             = $_[14];    # [clobbered] temporary ZMM
-  my $GH1H_UNUSED        = $_[15];    # [clobbered] temporary ZMM
-  my $GH1L               = $_[16];    # [clobbered] temporary ZMM
-  my $GH1M               = $_[17];    # [clobbered] temporary ZMM
-  my $GH1T               = $_[18];    # [clobbered] temporary ZMM
-  my $GH2H               = $_[19];    # [clobbered] temporary ZMM
-  my $GH2L               = $_[20];    # [clobbered] temporary ZMM
-  my $GH2M               = $_[21];    # [clobbered] temporary ZMM
-  my $GH2T               = $_[22];    # [clobbered] temporary ZMM
-  my $GH3H               = $_[23];    # [clobbered] temporary ZMM
-  my $GH3L               = $_[24];    # [clobbered] temporary ZMM
-  my $GH3M               = $_[25];    # [clobbered] temporary ZMM
-  my $GH3T               = $_[26];    # [clobbered] temporary ZMM
-  my $AESKEY1            = $_[27];    # [clobbered] temporary ZMM
-  my $AESKEY2            = $_[28];    # [clobbered] temporary ZMM
-  my $GHKEY1             = $_[29];    # [clobbered] temporary ZMM
-  my $GHKEY2             = $_[30];    # [clobbered] temporary ZMM
-  my $GHDAT1             = $_[31];    # [clobbered] temporary ZMM
-  my $GHDAT2             = $_[32];    # [clobbered] temporary ZMM
-  my $ZT01               = $_[33];    # [clobbered] temporary ZMM
-  my $ADDBE_4x4          = $_[34];    # [in] ZMM with 4x128bits 4 in big-endian
-  my $ADDBE_1234         = $_[35];    # [in] ZMM with 4x128bits 1, 2, 3 and 4 in big-endian
-  my $GHASH_TYPE         = $_[36];    # [in] "start", "start_reduce", "mid", "end_reduce"
-  my $TO_REDUCE_L        = $_[37];    # [in] ZMM for low 4x128-bit GHASH sum
-  my $TO_REDUCE_H        = $_[38];    # [in] ZMM for hi 4x128-bit GHASH sum
-  my $TO_REDUCE_M        = $_[39];    # [in] ZMM for medium 4x128-bit GHASH sum
-  my $ENC_DEC            = $_[40];    # [in] cipher direction
-  my $HASH_IN_OUT        = $_[41];    # [in/out] XMM ghash in/out value
-  my $IA0                = $_[42];    # [clobbered] GP temporary
-  my $IA1                = $_[43];    # [clobbered] GP temporary
-  my $MASKREG            = $_[44];    # [clobbered] mask register
-  my $NUM_BLOCKS         = $_[45];    # [in] numerical value with number of blocks to be encrypted/ghashed (1 to 16)
-  my $PBLOCK_LEN         = $_[46];    # [in] partial block length
-
-  die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n"
-    if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0);
-
-  my $rndsuffix = &random_string();
-
-  my $GH1H = $HASH_IN_OUT;
-
-  # ; this is to avoid additional move in do_reduction case
-
-  my $LAST_GHASH_BLK  = $GH1L;
-  my $LAST_CIPHER_BLK = $GH1T;
-
-  my $RED_POLY = $GH2T;
-  my $RED_P1   = $GH2L;
-  my $RED_T1   = $GH2H;
-  my $RED_T2   = $GH2M;
-
-  my $DATA1 = $GH3H;
-  my $DATA2 = $GH3L;
-  my $DATA3 = $GH3M;
-  my $DATA4 = $GH3T;
-
-  # ;; do reduction after the 16 blocks ?
-  my $do_reduction = 0;
-
-  # ;; is 16 block chunk a start?
-  my $is_start = 0;
-
-  if ($GHASH_TYPE eq "start_reduce") {
-    $is_start     = 1;
-    $do_reduction = 1;
-  }
-
-  if ($GHASH_TYPE eq "start") {
-    $is_start = 1;
-  }
-
-  if ($GHASH_TYPE eq "end_reduce") {
-    $do_reduction = 1;
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; - get load/store mask
-  # ;; - load plain/cipher text
-  # ;; get load/store mask
-  $code .= <<___;
-        lea               byte64_len_to_mask_table(%rip),$IA0
-        mov               $LENGTH,$IA1
-___
-  if ($NUM_BLOCKS > 12) {
-    $code .= "sub               \$`3*64`,$IA1\n";
-  } elsif ($NUM_BLOCKS > 8) {
-    $code .= "sub               \$`2*64`,$IA1\n";
-  } elsif ($NUM_BLOCKS > 4) {
-    $code .= "sub               \$`1*64`,$IA1\n";
-  }
-  $code .= "kmovq             ($IA0,$IA1,8),$MASKREG\n";
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; prepare counter blocks
-
-  $code .= <<___;
-        cmp               \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]}
-        jae               .L_16_blocks_overflow_${rndsuffix}
-___
-
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07,     $B08_11,    $B12_15,    $CTR_BE,
-    $B00_03,     $B04_07,  $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4);
-  $code .= <<___;
-        jmp               .L_16_blocks_ok_${rndsuffix}
-
-.L_16_blocks_overflow_${rndsuffix}:
-        vpshufb           $SHFMSK,$CTR_BE,$CTR_BE
-        vpaddd            ddq_add_1234(%rip),$CTR_BE,$B00_03
-___
-  if ($NUM_BLOCKS > 4) {
-    $code .= <<___;
-        vmovdqa64         ddq_add_4444(%rip),$B12_15
-        vpaddd            $B12_15,$B00_03,$B04_07
-___
-  }
-  if ($NUM_BLOCKS > 8) {
-    $code .= "vpaddd            $B12_15,$B04_07,$B08_11\n";
-  }
-  if ($NUM_BLOCKS > 12) {
-    $code .= "vpaddd            $B12_15,$B08_11,$B12_15\n";
-  }
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
-  $code .= <<___;
-.L_16_blocks_ok_${rndsuffix}:
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; - pre-load constants
-        # ;; - add current hash into the 1st block
-        vbroadcastf64x2    `(16 * 0)`($AES_KEYS),$AESKEY1
-___
-  if ($is_start != 0) {
-    $code .= "vpxorq            `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$HASH_IN_OUT,$GHDAT1\n";
-  } else {
-    $code .= "vmovdqa64         `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$GHDAT1\n";
-  }
-
-  $code .= "vmovdqu64         @{[EffectiveAddress(\"%rsp\",$HASHKEY_OFFSET,0*64)]},$GHKEY1\n";
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; save counter for the next round
-  # ;; increment counter overflow check register
-  if ($NUM_BLOCKS <= 4) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 1)`,$B00_03,@{[XWORD($CTR_BE)]}\n";
-  } elsif ($NUM_BLOCKS <= 8) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 5)`,$B04_07,@{[XWORD($CTR_BE)]}\n";
-  } elsif ($NUM_BLOCKS <= 12) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 9)`,$B08_11,@{[XWORD($CTR_BE)]}\n";
-  } else {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 13)`,$B12_15,@{[XWORD($CTR_BE)]}\n";
-  }
-  $code .= "vshufi64x2        \$0b00000000,$CTR_BE,$CTR_BE,$CTR_BE\n";
-
-  $code .= <<___;
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; pre-load constants
-        vbroadcastf64x2    `(16 * 1)`($AES_KEYS),$AESKEY2
-        vmovdqu64         @{[EffectiveAddress("%rsp",$HASHKEY_OFFSET,1*64)]},$GHKEY2
-        vmovdqa64         `$GHASHIN_BLK_OFFSET + (1*64)`(%rsp),$GHDAT2
-___
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; stitch AES rounds with GHASH
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 0 - ARK
-
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vpxorq", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,  $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-  $code .= "vbroadcastf64x2    `(16 * 2)`($AES_KEYS),$AESKEY1\n";
-
-  $code .= <<___;
-        # ;;==================================================
-        # ;; GHASH 4 blocks (15 to 12)
-        vpclmulqdq        \$0x11,$GHKEY1,$GHDAT1,$GH1H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY1,$GHDAT1,$GH1L      # ; a0*b0
-        vpclmulqdq        \$0x01,$GHKEY1,$GHDAT1,$GH1M      # ; a1*b0
-        vpclmulqdq        \$0x10,$GHKEY1,$GHDAT1,$GH1T      # ; a0*b1
-        vmovdqu64         @{[EffectiveAddress("%rsp",$HASHKEY_OFFSET,2*64)]},$GHKEY1
-        vmovdqa64         `$GHASHIN_BLK_OFFSET + (2*64)`(%rsp),$GHDAT1
-___
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 1
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
-  $code .= "vbroadcastf64x2    `(16 * 3)`($AES_KEYS),$AESKEY2\n";
-
-  $code .= <<___;
-        # ;; =================================================
-        # ;; GHASH 4 blocks (11 to 8)
-        vpclmulqdq        \$0x10,$GHKEY2,$GHDAT2,$GH2M      # ; a0*b1
-        vpclmulqdq        \$0x01,$GHKEY2,$GHDAT2,$GH2T      # ; a1*b0
-        vpclmulqdq        \$0x11,$GHKEY2,$GHDAT2,$GH2H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY2,$GHDAT2,$GH2L      # ; a0*b0
-        vmovdqu64         @{[EffectiveAddress("%rsp",$HASHKEY_OFFSET,3*64)]},$GHKEY2
-        vmovdqa64         `$GHASHIN_BLK_OFFSET + (3*64)`(%rsp),$GHDAT2
-___
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 2
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-  $code .= "vbroadcastf64x2    `(16 * 4)`($AES_KEYS),$AESKEY1\n";
-
-  $code .= <<___;
-        # ;; =================================================
-        # ;; GHASH 4 blocks (7 to 4)
-        vpclmulqdq        \$0x10,$GHKEY1,$GHDAT1,$GH3M      # ; a0*b1
-        vpclmulqdq        \$0x01,$GHKEY1,$GHDAT1,$GH3T      # ; a1*b0
-        vpclmulqdq        \$0x11,$GHKEY1,$GHDAT1,$GH3H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY1,$GHDAT1,$GH3L      # ; a0*b0
-___
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES rounds 3
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
-  $code .= "vbroadcastf64x2    `(16 * 5)`($AES_KEYS),$AESKEY2\n";
-
-  $code .= <<___;
-        # ;; =================================================
-        # ;; Gather (XOR) GHASH for 12 blocks
-        vpternlogq        \$0x96,$GH3H,$GH2H,$GH1H
-        vpternlogq        \$0x96,$GH3L,$GH2L,$GH1L
-        vpternlogq        \$0x96,$GH3T,$GH2T,$GH1T
-        vpternlogq        \$0x96,$GH3M,$GH2M,$GH1M
-___
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES rounds 4
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-  $code .= "vbroadcastf64x2    `(16 * 6)`($AES_KEYS),$AESKEY1\n";
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; load plain/cipher text
-  &ZMM_LOAD_MASKED_BLOCKS_0_16($NUM_BLOCKS, $PLAIN_CIPH_IN, $DATA_OFFSET, $DATA1, $DATA2, $DATA3, $DATA4, $MASKREG);
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES rounds 5
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
-  $code .= "vbroadcastf64x2    `(16 * 7)`($AES_KEYS),$AESKEY2\n";
-
-  $code .= <<___;
-        # ;; =================================================
-        # ;; GHASH 4 blocks (3 to 0)
-        vpclmulqdq        \$0x10,$GHKEY2,$GHDAT2,$GH2M      # ; a0*b1
-        vpclmulqdq        \$0x01,$GHKEY2,$GHDAT2,$GH2T      # ; a1*b0
-        vpclmulqdq        \$0x11,$GHKEY2,$GHDAT2,$GH2H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY2,$GHDAT2,$GH2L      # ; a0*b0
-___
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 6
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-  $code .= "vbroadcastf64x2    `(16 * 8)`($AES_KEYS),$AESKEY1\n";
-
-  # ;; =================================================
-  # ;; gather GHASH in GH1L (low), GH1H (high), GH1M (mid)
-  # ;; - add GH2[MTLH] to GH1[MTLH]
-  $code .= "vpternlogq        \$0x96,$GH2T,$GH1T,$GH1M\n";
-  if ($do_reduction != 0) {
-
-    if ($is_start != 0) {
-      $code .= "vpxorq            $GH2M,$GH1M,$GH1M\n";
-    } else {
-      $code .= <<___;
-        vpternlogq        \$0x96,$GH2H,$TO_REDUCE_H,$GH1H
-        vpternlogq        \$0x96,$GH2L,$TO_REDUCE_L,$GH1L
-        vpternlogq        \$0x96,$GH2M,$TO_REDUCE_M,$GH1M
-___
-    }
-
-  } else {
-
-    # ;; Update H/M/L hash sums if not carrying reduction
-    if ($is_start != 0) {
-      $code .= <<___;
-        vpxorq            $GH2H,$GH1H,$TO_REDUCE_H
-        vpxorq            $GH2L,$GH1L,$TO_REDUCE_L
-        vpxorq            $GH2M,$GH1M,$TO_REDUCE_M
-___
-    } else {
-      $code .= <<___;
-        vpternlogq        \$0x96,$GH2H,$GH1H,$TO_REDUCE_H
-        vpternlogq        \$0x96,$GH2L,$GH1L,$TO_REDUCE_L
-        vpternlogq        \$0x96,$GH2M,$GH1M,$TO_REDUCE_M
-___
-    }
-
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 7
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
-  $code .= "vbroadcastf64x2    `(16 * 9)`($AES_KEYS),$AESKEY2\n";
-
-  # ;; =================================================
-  # ;; prepare mid sum for adding to high & low
-  # ;; load polynomial constant for reduction
-  if ($do_reduction != 0) {
-    $code .= <<___;
-        vpsrldq           \$8,$GH1M,$GH2M
-        vpslldq           \$8,$GH1M,$GH1M
-
-        vmovdqa64         POLY2(%rip),@{[XWORD($RED_POLY)]}
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 8
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-  $code .= "vbroadcastf64x2    `(16 * 10)`($AES_KEYS),$AESKEY1\n";
-
-  # ;; =================================================
-  # ;; Add mid product to high and low
-  if ($do_reduction != 0) {
-    if ($is_start != 0) {
-      $code .= <<___;
-        vpternlogq        \$0x96,$GH2M,$GH2H,$GH1H      # ; TH = TH1 + TH2 + TM>>64
-        vpternlogq        \$0x96,$GH1M,$GH2L,$GH1L      # ; TL = TL1 + TL2 + TM<<64
-___
-    } else {
-      $code .= <<___;
-        vpxorq            $GH2M,$GH1H,$GH1H      # ; TH = TH1 + TM>>64
-        vpxorq            $GH1M,$GH1L,$GH1L      # ; TL = TL1 + TM<<64
-___
-    }
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 9
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,   $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
-
-  # ;; =================================================
-  # ;; horizontal xor of low and high 4x128
-  if ($do_reduction != 0) {
-    &VHPXORI4x128($GH1H, $GH2H);
-    &VHPXORI4x128($GH1L, $GH2L);
-  }
-
-  if (($NROUNDS >= 11)) {
-    $code .= "vbroadcastf64x2    `(16 * 11)`($AES_KEYS),$AESKEY2\n";
-  }
-
-  # ;; =================================================
-  # ;; first phase of reduction
-  if ($do_reduction != 0) {
-    $code .= <<___;
-        vpclmulqdq        \$0x01,@{[XWORD($GH1L)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_P1)]}
-        vpslldq           \$8,@{[XWORD($RED_P1)]},@{[XWORD($RED_P1)]}                    # ; shift-L 2 DWs
-        vpxorq            @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]}      # ; first phase of the reduct
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES rounds up to 11 (AES192) or 13 (AES256)
-  # ;; AES128 is done
-  if (($NROUNDS >= 11)) {
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-      $B04_07,     $B08_11,   $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-    $code .= "vbroadcastf64x2    `(16 * 12)`($AES_KEYS),$AESKEY1\n";
-
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-      $B04_07,     $B08_11,   $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
-    if (($NROUNDS == 13)) {
-      $code .= "vbroadcastf64x2    `(16 * 13)`($AES_KEYS),$AESKEY2\n";
-
-      &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-        $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-        $B04_07,     $B08_11,   $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-      $code .= "vbroadcastf64x2    `(16 * 14)`($AES_KEYS),$AESKEY1\n";
-
-      &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-        $NUM_BLOCKS, "vaesenc", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-        $B04_07,     $B08_11,   $B12_15, $AESKEY2, $AESKEY2, $AESKEY2, $AESKEY2);
-    }
-  }
-
-  # ;; =================================================
-  # ;; second phase of the reduction
-  if ($do_reduction != 0) {
-    $code .= <<___;
-        vpclmulqdq        \$0x00,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T1)]}
-        vpsrldq           \$4,@{[XWORD($RED_T1)]},@{[XWORD($RED_T1)]}      # ; shift-R 1-DW to obtain 2-DWs shift-R
-        vpclmulqdq        \$0x10,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T2)]}
-        vpslldq           \$4,@{[XWORD($RED_T2)]},@{[XWORD($RED_T2)]}      # ; shift-L 1-DW for result without shifts
-        # ;; GH1H = GH1H + RED_T1 + RED_T2
-        vpternlogq        \$0x96,@{[XWORD($RED_T1)]},@{[XWORD($RED_T2)]},@{[XWORD($GH1H)]}
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; the last AES round
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vaesenclast", $B00_03, $B04_07,  $B08_11,  $B12_15,  $B00_03,
-    $B04_07,     $B08_11,       $B12_15, $AESKEY1, $AESKEY1, $AESKEY1, $AESKEY1);
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; XOR against plain/cipher text
-  &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-    $NUM_BLOCKS, "vpxorq", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03,
-    $B04_07,     $B08_11,  $B12_15, $DATA1,  $DATA2,  $DATA3,  $DATA4);
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; retrieve the last cipher counter block (partially XOR'ed with text)
-  # ;; - this is needed for partial block cases
-  if ($NUM_BLOCKS <= 4) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 1)`,$B00_03,@{[XWORD($LAST_CIPHER_BLK)]}\n";
-  } elsif ($NUM_BLOCKS <= 8) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 5)`,$B04_07,@{[XWORD($LAST_CIPHER_BLK)]}\n";
-  } elsif ($NUM_BLOCKS <= 12) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 9)`,$B08_11,@{[XWORD($LAST_CIPHER_BLK)]}\n";
-  } else {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS - 13)`,$B12_15,@{[XWORD($LAST_CIPHER_BLK)]}\n";
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; store cipher/plain text
-  $code .= "mov       $CIPH_PLAIN_OUT,$IA0\n";
-  &ZMM_STORE_MASKED_BLOCKS_0_16($NUM_BLOCKS, $IA0, $DATA_OFFSET, $B00_03, $B04_07, $B08_11, $B12_15, $MASKREG);
-
-  # ;; =================================================
-  # ;; shuffle cipher text blocks for GHASH computation
-  if ($ENC_DEC eq "ENC") {
-
-    # ;; zero bytes outside the mask before hashing
-    if ($NUM_BLOCKS <= 4) {
-      $code .= "vmovdqu8           $B00_03,${B00_03}{$MASKREG}{z}\n";
-    } elsif ($NUM_BLOCKS <= 8) {
-      $code .= "vmovdqu8          $B04_07,${B04_07}{$MASKREG}{z}\n";
-    } elsif ($NUM_BLOCKS <= 12) {
-      $code .= "vmovdqu8          $B08_11,${B08_11}{$MASKREG}{z}\n";
-    } else {
-      $code .= "vmovdqu8          $B12_15,${B12_15}{$MASKREG}{z}\n";
-    }
-
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUM_BLOCKS, "vpshufb", $DATA1,  $DATA2,  $DATA3,  $DATA4,  $B00_03,
-      $B04_07,     $B08_11,   $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
-  } else {
-
-    # ;; zero bytes outside the mask before hashing
-    if ($NUM_BLOCKS <= 4) {
-      $code .= "vmovdqu8          $DATA1,${DATA1}{$MASKREG}{z}\n";
-    } elsif ($NUM_BLOCKS <= 8) {
-      $code .= "vmovdqu8          $DATA2,${DATA2}{$MASKREG}{z}\n";
-    } elsif ($NUM_BLOCKS <= 12) {
-      $code .= "vmovdqu8          $DATA3,${DATA3}{$MASKREG}{z}\n";
-    } else {
-      $code .= "vmovdqu8          $DATA4,${DATA4}{$MASKREG}{z}\n";
-    }
-
-    &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16(
-      $NUM_BLOCKS, "vpshufb", $DATA1, $DATA2,  $DATA3,  $DATA4,  $DATA1,
-      $DATA2,      $DATA3,    $DATA4, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK);
-  }
-
-  # ;; =================================================
-  # ;; Extract the last block for partial / multi_call cases
-  if ($NUM_BLOCKS <= 4) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-1)`,$DATA1,@{[XWORD($LAST_GHASH_BLK)]}\n";
-  } elsif ($NUM_BLOCKS <= 8) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-5)`,$DATA2,@{[XWORD($LAST_GHASH_BLK)]}\n";
-  } elsif ($NUM_BLOCKS <= 12) {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-9)`,$DATA3,@{[XWORD($LAST_GHASH_BLK)]}\n";
-  } else {
-    $code .= "vextracti32x4     \$`($NUM_BLOCKS-13)`,$DATA4,@{[XWORD($LAST_GHASH_BLK)]}\n";
-  }
-
-  if ($do_reduction != 0) {
-
-    # ;; GH1H holds reduced hash value
-    # ;; - normally do "vmovdqa64 &XWORD($GH1H), &XWORD($HASH_IN_OUT)"
-    # ;; - register rename trick obsoletes the above move
-  }
-
-  # ;; =================================================
-  # ;; GHASH last N blocks
-  # ;; - current hash value in HASH_IN_OUT or
-  # ;;   product parts in TO_REDUCE_H/M/L
-  # ;; - DATA1-DATA4 include blocks for GHASH
-
-  if ($do_reduction == 0) {
-    &INITIAL_BLOCKS_PARTIAL_GHASH(
-      $AES_KEYS,            $GCM128_CTX, $LENGTH,                  $NUM_BLOCKS,
-      &XWORD($HASH_IN_OUT), $ENC_DEC,    $DATA1,                   $DATA2,
-      $DATA3,               $DATA4,      &XWORD($LAST_CIPHER_BLK), &XWORD($LAST_GHASH_BLK),
-      $B00_03,              $B04_07,     $B08_11,                  $B12_15,
-      $GHDAT1,              $GHDAT2,     $AESKEY1,                 $AESKEY2,
-      $GHKEY1,              $PBLOCK_LEN, $TO_REDUCE_H,             $TO_REDUCE_M,
-      $TO_REDUCE_L);
-  } else {
-    &INITIAL_BLOCKS_PARTIAL_GHASH(
-      $AES_KEYS,            $GCM128_CTX, $LENGTH,                  $NUM_BLOCKS,
-      &XWORD($HASH_IN_OUT), $ENC_DEC,    $DATA1,                   $DATA2,
-      $DATA3,               $DATA4,      &XWORD($LAST_CIPHER_BLK), &XWORD($LAST_GHASH_BLK),
-      $B00_03,              $B04_07,     $B08_11,                  $B12_15,
-      $GHDAT1,              $GHDAT2,     $AESKEY1,                 $AESKEY2,
-      $GHKEY1,              $PBLOCK_LEN);
-  }
-}
-
-# ;; ===========================================================================
-# ;; ===========================================================================
-# ;; Stitched GHASH of 16 blocks (with reduction) with encryption of N blocks
-# ;; followed with GHASH of the N blocks.
-sub GCM_ENC_DEC_LAST {
-  my $AES_KEYS           = $_[0];     # [in] key pointer
-  my $GCM128_CTX         = $_[1];     # [in] context pointer
-  my $CIPH_PLAIN_OUT     = $_[2];     # [in] pointer to output buffer
-  my $PLAIN_CIPH_IN      = $_[3];     # [in] pointer to input buffer
-  my $DATA_OFFSET        = $_[4];     # [in] data offset
-  my $LENGTH             = $_[5];     # [in/clobbered] data length
-  my $CTR_BE             = $_[6];     # [in/out] ZMM counter blocks (last 4) in big-endian
-  my $CTR_CHECK          = $_[7];     # [in/out] GP with 8-bit counter for overflow check
-  my $HASHKEY_OFFSET     = $_[8];     # [in] numerical offset for the highest hash key
-                                      # (can be register or numerical offset)
-  my $GHASHIN_BLK_OFFSET = $_[9];     # [in] numerical offset for GHASH blocks in
-  my $SHFMSK             = $_[10];    # [in] ZMM with byte swap mask for pshufb
-  my $ZT00               = $_[11];    # [clobbered] temporary ZMM
-  my $ZT01               = $_[12];    # [clobbered] temporary ZMM
-  my $ZT02               = $_[13];    # [clobbered] temporary ZMM
-  my $ZT03               = $_[14];    # [clobbered] temporary ZMM
-  my $ZT04               = $_[15];    # [clobbered] temporary ZMM
-  my $ZT05               = $_[16];    # [clobbered] temporary ZMM
-  my $ZT06               = $_[17];    # [clobbered] temporary ZMM
-  my $ZT07               = $_[18];    # [clobbered] temporary ZMM
-  my $ZT08               = $_[19];    # [clobbered] temporary ZMM
-  my $ZT09               = $_[20];    # [clobbered] temporary ZMM
-  my $ZT10               = $_[21];    # [clobbered] temporary ZMM
-  my $ZT11               = $_[22];    # [clobbered] temporary ZMM
-  my $ZT12               = $_[23];    # [clobbered] temporary ZMM
-  my $ZT13               = $_[24];    # [clobbered] temporary ZMM
-  my $ZT14               = $_[25];    # [clobbered] temporary ZMM
-  my $ZT15               = $_[26];    # [clobbered] temporary ZMM
-  my $ZT16               = $_[27];    # [clobbered] temporary ZMM
-  my $ZT17               = $_[28];    # [clobbered] temporary ZMM
-  my $ZT18               = $_[29];    # [clobbered] temporary ZMM
-  my $ZT19               = $_[30];    # [clobbered] temporary ZMM
-  my $ZT20               = $_[31];    # [clobbered] temporary ZMM
-  my $ZT21               = $_[32];    # [clobbered] temporary ZMM
-  my $ZT22               = $_[33];    # [clobbered] temporary ZMM
-  my $ADDBE_4x4          = $_[34];    # [in] ZMM with 4x128bits 4 in big-endian
-  my $ADDBE_1234         = $_[35];    # [in] ZMM with 4x128bits 1, 2, 3 and 4 in big-endian
-  my $GHASH_TYPE         = $_[36];    # [in] "start", "start_reduce", "mid", "end_reduce"
-  my $TO_REDUCE_L        = $_[37];    # [in] ZMM for low 4x128-bit GHASH sum
-  my $TO_REDUCE_H        = $_[38];    # [in] ZMM for hi 4x128-bit GHASH sum
-  my $TO_REDUCE_M        = $_[39];    # [in] ZMM for medium 4x128-bit GHASH sum
-  my $ENC_DEC            = $_[40];    # [in] cipher direction
-  my $HASH_IN_OUT        = $_[41];    # [in/out] XMM ghash in/out value
-  my $IA0                = $_[42];    # [clobbered] GP temporary
-  my $IA1                = $_[43];    # [clobbered] GP temporary
-  my $MASKREG            = $_[44];    # [clobbered] mask register
-  my $PBLOCK_LEN         = $_[45];    # [in] partial block length
-
-  my $rndsuffix = &random_string();
-
-  $code .= <<___;
-        mov               @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
-        add               \$15,@{[DWORD($IA0)]}
-        shr               \$4,@{[DWORD($IA0)]}
-        je                .L_last_num_blocks_is_0_${rndsuffix}
-
-        cmp               \$8,@{[DWORD($IA0)]}
-        je                .L_last_num_blocks_is_8_${rndsuffix}
-        jb                .L_last_num_blocks_is_7_1_${rndsuffix}
-
-
-        cmp               \$12,@{[DWORD($IA0)]}
-        je                .L_last_num_blocks_is_12_${rndsuffix}
-        jb                .L_last_num_blocks_is_11_9_${rndsuffix}
-
-        # ;; 16, 15, 14 or 13
-        cmp               \$15,@{[DWORD($IA0)]}
-        je                .L_last_num_blocks_is_15_${rndsuffix}
-        ja                .L_last_num_blocks_is_16_${rndsuffix}
-        cmp               \$14,@{[DWORD($IA0)]}
-        je                .L_last_num_blocks_is_14_${rndsuffix}
-        jmp               .L_last_num_blocks_is_13_${rndsuffix}
-
-.L_last_num_blocks_is_11_9_${rndsuffix}:
-        # ;; 11, 10 or 9
-        cmp               \$10,@{[DWORD($IA0)]}
-        je                .L_last_num_blocks_is_10_${rndsuffix}
-        ja                .L_last_num_blocks_is_11_${rndsuffix}
-        jmp               .L_last_num_blocks_is_9_${rndsuffix}
-
-.L_last_num_blocks_is_7_1_${rndsuffix}:
-        cmp               \$4,@{[DWORD($IA0)]}
-        je                .L_last_num_blocks_is_4_${rndsuffix}
-        jb                .L_last_num_blocks_is_3_1_${rndsuffix}
-        # ;; 7, 6 or 5
-        cmp               \$6,@{[DWORD($IA0)]}
-        ja                .L_last_num_blocks_is_7_${rndsuffix}
-        je                .L_last_num_blocks_is_6_${rndsuffix}
-        jmp               .L_last_num_blocks_is_5_${rndsuffix}
-
-.L_last_num_blocks_is_3_1_${rndsuffix}:
-        # ;; 3, 2 or 1
-        cmp               \$2,@{[DWORD($IA0)]}
-        ja                .L_last_num_blocks_is_3_${rndsuffix}
-        je                .L_last_num_blocks_is_2_${rndsuffix}
-___
-
-  # ;; fall through for `jmp .L_last_num_blocks_is_1`
-
-  # ;; Use rep to generate different block size variants
-  # ;; - one block size has to be the first one
-  for my $num_blocks (1 .. 16) {
-    $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
-    &GHASH_16_ENCRYPT_N_GHASH_N(
-      $AES_KEYS,   $GCM128_CTX,  $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET,
-      $LENGTH,     $CTR_BE,      $CTR_CHECK,      $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET,
-      $SHFMSK,     $ZT00,        $ZT01,           $ZT02,           $ZT03,
-      $ZT04,       $ZT05,        $ZT06,           $ZT07,           $ZT08,
-      $ZT09,       $ZT10,        $ZT11,           $ZT12,           $ZT13,
-      $ZT14,       $ZT15,        $ZT16,           $ZT17,           $ZT18,
-      $ZT19,       $ZT20,        $ZT21,           $ZT22,           $ADDBE_4x4,
-      $ADDBE_1234, $GHASH_TYPE,  $TO_REDUCE_L,    $TO_REDUCE_H,    $TO_REDUCE_M,
-      $ENC_DEC,    $HASH_IN_OUT, $IA0,            $IA1,            $MASKREG,
-      $num_blocks, $PBLOCK_LEN);
-
-    $code .= "jmp           .L_last_blocks_done_${rndsuffix}\n";
-  }
-
-  $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n";
-
-  # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction
-  # ;; - convert mid into end_reduce
-  # ;; - convert start into start_reduce
-  if ($GHASH_TYPE eq "mid") {
-    $GHASH_TYPE = "end_reduce";
-  }
-  if ($GHASH_TYPE eq "start") {
-    $GHASH_TYPE = "start_reduce";
-  }
-
-  &GHASH_16($GHASH_TYPE, $TO_REDUCE_H, $TO_REDUCE_M, $TO_REDUCE_L, "%rsp",
-    $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01,
-    $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09);
-
-  $code .= ".L_last_blocks_done_${rndsuffix}:\n";
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;; Main GCM macro stitching cipher with GHASH
-# ;; - operates on single stream
-# ;; - encrypts 16 blocks at a time
-# ;; - ghash the 16 previously encrypted ciphertext blocks
-# ;; - no partial block or multi_call handling here
-sub GHASH_16_ENCRYPT_16_PARALLEL {
-  my $AES_KEYS           = $_[0];     # [in] key pointer
-  my $CIPH_PLAIN_OUT     = $_[1];     # [in] pointer to output buffer
-  my $PLAIN_CIPH_IN      = $_[2];     # [in] pointer to input buffer
-  my $DATA_OFFSET        = $_[3];     # [in] data offset
-  my $CTR_BE             = $_[4];     # [in/out] ZMM counter blocks (last 4) in big-endian
-  my $CTR_CHECK          = $_[5];     # [in/out] GP with 8-bit counter for overflow check
-  my $HASHKEY_OFFSET     = $_[6];     # [in] numerical offset for the highest hash key (hash key index value)
-  my $AESOUT_BLK_OFFSET  = $_[7];     # [in] numerical offset for AES-CTR out
-  my $GHASHIN_BLK_OFFSET = $_[8];     # [in] numerical offset for GHASH blocks in
-  my $SHFMSK             = $_[9];     # [in] ZMM with byte swap mask for pshufb
-  my $ZT1                = $_[10];    # [clobbered] temporary ZMM (cipher)
-  my $ZT2                = $_[11];    # [clobbered] temporary ZMM (cipher)
-  my $ZT3                = $_[12];    # [clobbered] temporary ZMM (cipher)
-  my $ZT4                = $_[13];    # [clobbered] temporary ZMM (cipher)
-  my $ZT5                = $_[14];    # [clobbered/out] temporary ZMM or GHASH OUT (final_reduction)
-  my $ZT6                = $_[15];    # [clobbered] temporary ZMM (cipher)
-  my $ZT7                = $_[16];    # [clobbered] temporary ZMM (cipher)
-  my $ZT8                = $_[17];    # [clobbered] temporary ZMM (cipher)
-  my $ZT9                = $_[18];    # [clobbered] temporary ZMM (cipher)
-  my $ZT10               = $_[19];    # [clobbered] temporary ZMM (ghash)
-  my $ZT11               = $_[20];    # [clobbered] temporary ZMM (ghash)
-  my $ZT12               = $_[21];    # [clobbered] temporary ZMM (ghash)
-  my $ZT13               = $_[22];    # [clobbered] temporary ZMM (ghash)
-  my $ZT14               = $_[23];    # [clobbered] temporary ZMM (ghash)
-  my $ZT15               = $_[24];    # [clobbered] temporary ZMM (ghash)
-  my $ZT16               = $_[25];    # [clobbered] temporary ZMM (ghash)
-  my $ZT17               = $_[26];    # [clobbered] temporary ZMM (ghash)
-  my $ZT18               = $_[27];    # [clobbered] temporary ZMM (ghash)
-  my $ZT19               = $_[28];    # [clobbered] temporary ZMM
-  my $ZT20               = $_[29];    # [clobbered] temporary ZMM
-  my $ZT21               = $_[30];    # [clobbered] temporary ZMM
-  my $ZT22               = $_[31];    # [clobbered] temporary ZMM
-  my $ZT23               = $_[32];    # [clobbered] temporary ZMM
-  my $ADDBE_4x4          = $_[33];    # [in] ZMM with 4x128bits 4 in big-endian
-  my $ADDBE_1234         = $_[34];    # [in] ZMM with 4x128bits 1, 2, 3 and 4 in big-endian
-  my $TO_REDUCE_L        = $_[35];    # [in/out] ZMM for low 4x128-bit GHASH sum
-  my $TO_REDUCE_H        = $_[36];    # [in/out] ZMM for hi 4x128-bit GHASH sum
-  my $TO_REDUCE_M        = $_[37];    # [in/out] ZMM for medium 4x128-bit GHASH sum
-  my $DO_REDUCTION       = $_[38];    # [in] "no_reduction", "final_reduction", "first_time"
-  my $ENC_DEC            = $_[39];    # [in] cipher direction
-  my $DATA_DISPL         = $_[40];    # [in] fixed numerical data displacement/offset
-  my $GHASH_IN           = $_[41];    # [in] current GHASH value or "no_ghash_in"
-  my $IA0                = $_[42];    # [clobbered] temporary GPR
-
-  my $B00_03 = $ZT1;
-  my $B04_07 = $ZT2;
-  my $B08_11 = $ZT3;
-  my $B12_15 = $ZT4;
-
-  my $GH1H = $ZT5;
-
-  # ; @note: do not change this mapping
-  my $GH1L = $ZT6;
-  my $GH1M = $ZT7;
-  my $GH1T = $ZT8;
-
-  my $GH2H = $ZT9;
-  my $GH2L = $ZT10;
-  my $GH2M = $ZT11;
-  my $GH2T = $ZT12;
-
-  my $RED_POLY = $GH2T;
-  my $RED_P1   = $GH2L;
-  my $RED_T1   = $GH2H;
-  my $RED_T2   = $GH2M;
-
-  my $GH3H = $ZT13;
-  my $GH3L = $ZT14;
-  my $GH3M = $ZT15;
-  my $GH3T = $ZT16;
-
-  my $DATA1 = $ZT13;
-  my $DATA2 = $ZT14;
-  my $DATA3 = $ZT15;
-  my $DATA4 = $ZT16;
-
-  my $AESKEY1 = $ZT17;
-  my $AESKEY2 = $ZT18;
-
-  my $GHKEY1 = $ZT19;
-  my $GHKEY2 = $ZT20;
-  my $GHDAT1 = $ZT21;
-  my $GHDAT2 = $ZT22;
-
-  my $rndsuffix = &random_string();
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; prepare counter blocks
-
-  $code .= <<___;
-        cmpb              \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
-        jae               .L_16_blocks_overflow_${rndsuffix}
-        vpaddd            $ADDBE_1234,$CTR_BE,$B00_03
-        vpaddd            $ADDBE_4x4,$B00_03,$B04_07
-        vpaddd            $ADDBE_4x4,$B04_07,$B08_11
-        vpaddd            $ADDBE_4x4,$B08_11,$B12_15
-        jmp               .L_16_blocks_ok_${rndsuffix}
-.L_16_blocks_overflow_${rndsuffix}:
-        vpshufb           $SHFMSK,$CTR_BE,$CTR_BE
-        vmovdqa64         ddq_add_4444(%rip),$B12_15
-        vpaddd            ddq_add_1234(%rip),$CTR_BE,$B00_03
-        vpaddd            $B12_15,$B00_03,$B04_07
-        vpaddd            $B12_15,$B04_07,$B08_11
-        vpaddd            $B12_15,$B08_11,$B12_15
-        vpshufb           $SHFMSK,$B00_03,$B00_03
-        vpshufb           $SHFMSK,$B04_07,$B04_07
-        vpshufb           $SHFMSK,$B08_11,$B08_11
-        vpshufb           $SHFMSK,$B12_15,$B12_15
-.L_16_blocks_ok_${rndsuffix}:
-___
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; pre-load constants
-  $code .= "vbroadcastf64x2    `(16 * 0)`($AES_KEYS),$AESKEY1\n";
-  if ($GHASH_IN ne "no_ghash_in") {
-    $code .= "vpxorq            `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$GHASH_IN,$GHDAT1\n";
-  } else {
-    $code .= "vmovdqa64         `$GHASHIN_BLK_OFFSET + (0*64)`(%rsp),$GHDAT1\n";
-  }
-
-  $code .= <<___;
-        vmovdqu64         @{[HashKeyByIdx(($HASHKEY_OFFSET - (0*4)),"%rsp")]},$GHKEY1
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; save counter for the next round
-        # ;; increment counter overflow check register
-        vshufi64x2        \$0b11111111,$B12_15,$B12_15,$CTR_BE
-        addb              \$16,@{[BYTE($CTR_CHECK)]}
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; pre-load constants
-        vbroadcastf64x2    `(16 * 1)`($AES_KEYS),$AESKEY2
-        vmovdqu64         @{[HashKeyByIdx(($HASHKEY_OFFSET - (1*4)),"%rsp")]},$GHKEY2
-        vmovdqa64         `$GHASHIN_BLK_OFFSET + (1*64)`(%rsp),$GHDAT2
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; stitch AES rounds with GHASH
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; AES round 0 - ARK
-
-        vpxorq            $AESKEY1,$B00_03,$B00_03
-        vpxorq            $AESKEY1,$B04_07,$B04_07
-        vpxorq            $AESKEY1,$B08_11,$B08_11
-        vpxorq            $AESKEY1,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 2)`($AES_KEYS),$AESKEY1
-
-        # ;;==================================================
-        # ;; GHASH 4 blocks (15 to 12)
-        vpclmulqdq        \$0x11,$GHKEY1,$GHDAT1,$GH1H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY1,$GHDAT1,$GH1L      # ; a0*b0
-        vpclmulqdq        \$0x01,$GHKEY1,$GHDAT1,$GH1M      # ; a1*b0
-        vpclmulqdq        \$0x10,$GHKEY1,$GHDAT1,$GH1T      # ; a0*b1
-        vmovdqu64         @{[HashKeyByIdx(($HASHKEY_OFFSET - (2*4)),"%rsp")]},$GHKEY1
-        vmovdqa64         `$GHASHIN_BLK_OFFSET + (2*64)`(%rsp),$GHDAT1
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; AES round 1
-        vaesenc           $AESKEY2,$B00_03,$B00_03
-        vaesenc           $AESKEY2,$B04_07,$B04_07
-        vaesenc           $AESKEY2,$B08_11,$B08_11
-        vaesenc           $AESKEY2,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 3)`($AES_KEYS),$AESKEY2
-
-        # ;; =================================================
-        # ;; GHASH 4 blocks (11 to 8)
-        vpclmulqdq        \$0x10,$GHKEY2,$GHDAT2,$GH2M      # ; a0*b1
-        vpclmulqdq        \$0x01,$GHKEY2,$GHDAT2,$GH2T      # ; a1*b0
-        vpclmulqdq        \$0x11,$GHKEY2,$GHDAT2,$GH2H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY2,$GHDAT2,$GH2L      # ; a0*b0
-        vmovdqu64         @{[HashKeyByIdx(($HASHKEY_OFFSET - (3*4)),"%rsp")]},$GHKEY2
-        vmovdqa64         `$GHASHIN_BLK_OFFSET + (3*64)`(%rsp),$GHDAT2
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; AES round 2
-        vaesenc           $AESKEY1,$B00_03,$B00_03
-        vaesenc           $AESKEY1,$B04_07,$B04_07
-        vaesenc           $AESKEY1,$B08_11,$B08_11
-        vaesenc           $AESKEY1,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 4)`($AES_KEYS),$AESKEY1
-
-        # ;; =================================================
-        # ;; GHASH 4 blocks (7 to 4)
-        vpclmulqdq        \$0x10,$GHKEY1,$GHDAT1,$GH3M      # ; a0*b1
-        vpclmulqdq        \$0x01,$GHKEY1,$GHDAT1,$GH3T      # ; a1*b0
-        vpclmulqdq        \$0x11,$GHKEY1,$GHDAT1,$GH3H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY1,$GHDAT1,$GH3L      # ; a0*b0
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; AES rounds 3
-        vaesenc           $AESKEY2,$B00_03,$B00_03
-        vaesenc           $AESKEY2,$B04_07,$B04_07
-        vaesenc           $AESKEY2,$B08_11,$B08_11
-        vaesenc           $AESKEY2,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 5)`($AES_KEYS),$AESKEY2
-
-        # ;; =================================================
-        # ;; Gather (XOR) GHASH for 12 blocks
-        vpternlogq        \$0x96,$GH3H,$GH2H,$GH1H
-        vpternlogq        \$0x96,$GH3L,$GH2L,$GH1L
-        vpternlogq        \$0x96,$GH3T,$GH2T,$GH1T
-        vpternlogq        \$0x96,$GH3M,$GH2M,$GH1M
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; AES rounds 4
-        vaesenc           $AESKEY1,$B00_03,$B00_03
-        vaesenc           $AESKEY1,$B04_07,$B04_07
-        vaesenc           $AESKEY1,$B08_11,$B08_11
-        vaesenc           $AESKEY1,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 6)`($AES_KEYS),$AESKEY1
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; load plain/cipher text (recycle GH3xx registers)
-        vmovdqu8          `$DATA_DISPL + (0 * 64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA1
-        vmovdqu8          `$DATA_DISPL + (1 * 64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA2
-        vmovdqu8          `$DATA_DISPL + (2 * 64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA3
-        vmovdqu8          `$DATA_DISPL + (3 * 64)`($PLAIN_CIPH_IN,$DATA_OFFSET),$DATA4
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; AES rounds 5
-        vaesenc           $AESKEY2,$B00_03,$B00_03
-        vaesenc           $AESKEY2,$B04_07,$B04_07
-        vaesenc           $AESKEY2,$B08_11,$B08_11
-        vaesenc           $AESKEY2,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 7)`($AES_KEYS),$AESKEY2
-
-        # ;; =================================================
-        # ;; GHASH 4 blocks (3 to 0)
-        vpclmulqdq        \$0x10,$GHKEY2,$GHDAT2,$GH2M      # ; a0*b1
-        vpclmulqdq        \$0x01,$GHKEY2,$GHDAT2,$GH2T      # ; a1*b0
-        vpclmulqdq        \$0x11,$GHKEY2,$GHDAT2,$GH2H      # ; a1*b1
-        vpclmulqdq        \$0x00,$GHKEY2,$GHDAT2,$GH2L      # ; a0*b0
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; AES round 6
-        vaesenc           $AESKEY1,$B00_03,$B00_03
-        vaesenc           $AESKEY1,$B04_07,$B04_07
-        vaesenc           $AESKEY1,$B08_11,$B08_11
-        vaesenc           $AESKEY1,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 8)`($AES_KEYS),$AESKEY1
-___
-
-  # ;; =================================================
-  # ;; gather GHASH in GH1L (low) and GH1H (high)
-  if ($DO_REDUCTION eq "first_time") {
-    $code .= <<___;
-        vpternlogq        \$0x96,$GH2T,$GH1T,$GH1M      # ; TM
-        vpxorq            $GH2M,$GH1M,$TO_REDUCE_M      # ; TM
-        vpxorq            $GH2H,$GH1H,$TO_REDUCE_H      # ; TH
-        vpxorq            $GH2L,$GH1L,$TO_REDUCE_L      # ; TL
-___
-  }
-  if ($DO_REDUCTION eq "no_reduction") {
-    $code .= <<___;
-        vpternlogq        \$0x96,$GH2T,$GH1T,$GH1M             # ; TM
-        vpternlogq        \$0x96,$GH2M,$GH1M,$TO_REDUCE_M      # ; TM
-        vpternlogq        \$0x96,$GH2H,$GH1H,$TO_REDUCE_H      # ; TH
-        vpternlogq        \$0x96,$GH2L,$GH1L,$TO_REDUCE_L      # ; TL
-___
-  }
-  if ($DO_REDUCTION eq "final_reduction") {
-    $code .= <<___;
-        # ;; phase 1: add mid products together
-        # ;; also load polynomial constant for reduction
-        vpternlogq        \$0x96,$GH2T,$GH1T,$GH1M      # ; TM
-        vpternlogq        \$0x96,$GH2M,$TO_REDUCE_M,$GH1M
-
-        vpsrldq           \$8,$GH1M,$GH2M
-        vpslldq           \$8,$GH1M,$GH1M
-
-        vmovdqa64         POLY2(%rip),@{[XWORD($RED_POLY)]}
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 7
-  $code .= <<___;
-        vaesenc           $AESKEY2,$B00_03,$B00_03
-        vaesenc           $AESKEY2,$B04_07,$B04_07
-        vaesenc           $AESKEY2,$B08_11,$B08_11
-        vaesenc           $AESKEY2,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 9)`($AES_KEYS),$AESKEY2
-___
-
-  # ;; =================================================
-  # ;; Add mid product to high and low
-  if ($DO_REDUCTION eq "final_reduction") {
-    $code .= <<___;
-        vpternlogq        \$0x96,$GH2M,$GH2H,$GH1H      # ; TH = TH1 + TH2 + TM>>64
-        vpxorq            $TO_REDUCE_H,$GH1H,$GH1H
-        vpternlogq        \$0x96,$GH1M,$GH2L,$GH1L      # ; TL = TL1 + TL2 + TM<<64
-        vpxorq            $TO_REDUCE_L,$GH1L,$GH1L
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 8
-  $code .= <<___;
-        vaesenc           $AESKEY1,$B00_03,$B00_03
-        vaesenc           $AESKEY1,$B04_07,$B04_07
-        vaesenc           $AESKEY1,$B08_11,$B08_11
-        vaesenc           $AESKEY1,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 10)`($AES_KEYS),$AESKEY1
-___
-
-  # ;; =================================================
-  # ;; horizontal xor of low and high 4x128
-  if ($DO_REDUCTION eq "final_reduction") {
-    &VHPXORI4x128($GH1H, $GH2H);
-    &VHPXORI4x128($GH1L, $GH2L);
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES round 9
-  $code .= <<___;
-        vaesenc           $AESKEY2,$B00_03,$B00_03
-        vaesenc           $AESKEY2,$B04_07,$B04_07
-        vaesenc           $AESKEY2,$B08_11,$B08_11
-        vaesenc           $AESKEY2,$B12_15,$B12_15
-___
-  if (($NROUNDS >= 11)) {
-    $code .= "vbroadcastf64x2    `(16 * 11)`($AES_KEYS),$AESKEY2\n";
-  }
-
-  # ;; =================================================
-  # ;; first phase of reduction
-  if ($DO_REDUCTION eq "final_reduction") {
-    $code .= <<___;
-        vpclmulqdq        \$0x01,@{[XWORD($GH1L)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_P1)]}
-        vpslldq           \$8,@{[XWORD($RED_P1)]},@{[XWORD($RED_P1)]}                    # ; shift-L 2 DWs
-        vpxorq            @{[XWORD($RED_P1)]},@{[XWORD($GH1L)]},@{[XWORD($RED_P1)]}      # ; first phase of the reduct
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; AES rounds up to 11 (AES192) or 13 (AES256)
-  # ;; AES128 is done
-  if (($NROUNDS >= 11)) {
-    $code .= <<___;
-        vaesenc           $AESKEY1,$B00_03,$B00_03
-        vaesenc           $AESKEY1,$B04_07,$B04_07
-        vaesenc           $AESKEY1,$B08_11,$B08_11
-        vaesenc           $AESKEY1,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 12)`($AES_KEYS),$AESKEY1
-
-        vaesenc           $AESKEY2,$B00_03,$B00_03
-        vaesenc           $AESKEY2,$B04_07,$B04_07
-        vaesenc           $AESKEY2,$B08_11,$B08_11
-        vaesenc           $AESKEY2,$B12_15,$B12_15
-___
-    if (($NROUNDS == 13)) {
-      $code .= <<___;
-        vbroadcastf64x2    `(16 * 13)`($AES_KEYS),$AESKEY2
-
-        vaesenc           $AESKEY1,$B00_03,$B00_03
-        vaesenc           $AESKEY1,$B04_07,$B04_07
-        vaesenc           $AESKEY1,$B08_11,$B08_11
-        vaesenc           $AESKEY1,$B12_15,$B12_15
-        vbroadcastf64x2    `(16 * 14)`($AES_KEYS),$AESKEY1
-
-        vaesenc           $AESKEY2,$B00_03,$B00_03
-        vaesenc           $AESKEY2,$B04_07,$B04_07
-        vaesenc           $AESKEY2,$B08_11,$B08_11
-        vaesenc           $AESKEY2,$B12_15,$B12_15
-___
-    }
-  }
-
-  # ;; =================================================
-  # ;; second phase of the reduction
-  if ($DO_REDUCTION eq "final_reduction") {
-    $code .= <<___;
-        vpclmulqdq        \$0x00,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T1)]}
-        vpsrldq           \$4,@{[XWORD($RED_T1)]},@{[XWORD($RED_T1)]}      # ; shift-R 1-DW to obtain 2-DWs shift-R
-        vpclmulqdq        \$0x10,@{[XWORD($RED_P1)]},@{[XWORD($RED_POLY)]},@{[XWORD($RED_T2)]}
-        vpslldq           \$4,@{[XWORD($RED_T2)]},@{[XWORD($RED_T2)]}      # ; shift-L 1-DW for result without shifts
-        # ;; GH1H = GH1H x RED_T1 x RED_T2
-        vpternlogq        \$0x96,@{[XWORD($RED_T1)]},@{[XWORD($RED_T2)]},@{[XWORD($GH1H)]}
-___
-  }
-
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;; the last AES round
-  $code .= <<___;
-        vaesenclast       $AESKEY1,$B00_03,$B00_03
-        vaesenclast       $AESKEY1,$B04_07,$B04_07
-        vaesenclast       $AESKEY1,$B08_11,$B08_11
-        vaesenclast       $AESKEY1,$B12_15,$B12_15
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; XOR against plain/cipher text
-        vpxorq            $DATA1,$B00_03,$B00_03
-        vpxorq            $DATA2,$B04_07,$B04_07
-        vpxorq            $DATA3,$B08_11,$B08_11
-        vpxorq            $DATA4,$B12_15,$B12_15
-
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; store cipher/plain text
-        mov               $CIPH_PLAIN_OUT,$IA0
-        vmovdqu8          $B00_03,`$DATA_DISPL + (0 * 64)`($IA0,$DATA_OFFSET,1)
-        vmovdqu8          $B04_07,`$DATA_DISPL + (1 * 64)`($IA0,$DATA_OFFSET,1)
-        vmovdqu8          $B08_11,`$DATA_DISPL + (2 * 64)`($IA0,$DATA_OFFSET,1)
-        vmovdqu8          $B12_15,`$DATA_DISPL + (3 * 64)`($IA0,$DATA_OFFSET,1)
-___
-
-  # ;; =================================================
-  # ;; shuffle cipher text blocks for GHASH computation
-  if ($ENC_DEC eq "ENC") {
-    $code .= <<___;
-        vpshufb           $SHFMSK,$B00_03,$B00_03
-        vpshufb           $SHFMSK,$B04_07,$B04_07
-        vpshufb           $SHFMSK,$B08_11,$B08_11
-        vpshufb           $SHFMSK,$B12_15,$B12_15
-___
-  } else {
-    $code .= <<___;
-        vpshufb           $SHFMSK,$DATA1,$B00_03
-        vpshufb           $SHFMSK,$DATA2,$B04_07
-        vpshufb           $SHFMSK,$DATA3,$B08_11
-        vpshufb           $SHFMSK,$DATA4,$B12_15
-___
-  }
-
-  # ;; =================================================
-  # ;; store shuffled cipher text for ghashing
-  $code .= <<___;
-        vmovdqa64         $B00_03,`$AESOUT_BLK_OFFSET + (0*64)`(%rsp)
-        vmovdqa64         $B04_07,`$AESOUT_BLK_OFFSET + (1*64)`(%rsp)
-        vmovdqa64         $B08_11,`$AESOUT_BLK_OFFSET + (2*64)`(%rsp)
-        vmovdqa64         $B12_15,`$AESOUT_BLK_OFFSET + (3*64)`(%rsp)
-___
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Encryption of a single block
-sub ENCRYPT_SINGLE_BLOCK {
-  my $AES_KEY = $_[0];    # ; [in]
-  my $XMM0    = $_[1];    # ; [in/out]
-  my $GPR1    = $_[2];    # ; [clobbered]
-
-  my $rndsuffix = &random_string();
-
-  $code .= <<___;
-        # ; load number of rounds from AES_KEY structure (offset in bytes is
-        # ; size of the |rd_key| buffer)
-        mov             `4*15*4`($AES_KEY),@{[DWORD($GPR1)]}
-        cmp             \$9,@{[DWORD($GPR1)]}
-        je              .Laes_128_${rndsuffix}
-        cmp             \$11,@{[DWORD($GPR1)]}
-        je              .Laes_192_${rndsuffix}
-        cmp             \$13,@{[DWORD($GPR1)]}
-        je              .Laes_256_${rndsuffix}
-        jmp             .Lexit_aes_${rndsuffix}
-___
-  for my $keylen (sort keys %aes_rounds) {
-    my $nr = $aes_rounds{$keylen};
-    $code .= <<___;
-.align 32
-.Laes_${keylen}_${rndsuffix}:
-___
-    $code .= "vpxorq          `16*0`($AES_KEY),$XMM0, $XMM0\n\n";
-    for (my $i = 1; $i <= $nr; $i++) {
-      $code .= "vaesenc         `16*$i`($AES_KEY),$XMM0,$XMM0\n\n";
-    }
-    $code .= <<___;
-        vaesenclast     `16*($nr+1)`($AES_KEY),$XMM0,$XMM0
-        jmp .Lexit_aes_${rndsuffix}
-___
-  }
-  $code .= ".Lexit_aes_${rndsuffix}:\n\n";
-}
-
-sub CALC_J0 {
-  my $GCM128_CTX = $_[0];     #; [in] Pointer to GCM context
-  my $IV         = $_[1];     #; [in] Pointer to IV
-  my $IV_LEN     = $_[2];     #; [in] IV length
-  my $J0         = $_[3];     #; [out] XMM reg to contain J0
-  my $ZT0        = $_[4];     #; [clobbered] ZMM register
-  my $ZT1        = $_[5];     #; [clobbered] ZMM register
-  my $ZT2        = $_[6];     #; [clobbered] ZMM register
-  my $ZT3        = $_[7];     #; [clobbered] ZMM register
-  my $ZT4        = $_[8];     #; [clobbered] ZMM register
-  my $ZT5        = $_[9];     #; [clobbered] ZMM register
-  my $ZT6        = $_[10];    #; [clobbered] ZMM register
-  my $ZT7        = $_[11];    #; [clobbered] ZMM register
-  my $ZT8        = $_[12];    #; [clobbered] ZMM register
-  my $ZT9        = $_[13];    #; [clobbered] ZMM register
-  my $ZT10       = $_[14];    #; [clobbered] ZMM register
-  my $ZT11       = $_[15];    #; [clobbered] ZMM register
-  my $ZT12       = $_[16];    #; [clobbered] ZMM register
-  my $ZT13       = $_[17];    #; [clobbered] ZMM register
-  my $ZT14       = $_[18];    #; [clobbered] ZMM register
-  my $ZT15       = $_[19];    #; [clobbered] ZMM register
-  my $ZT16       = $_[20];    #; [clobbered] ZMM register
-  my $T1         = $_[21];    #; [clobbered] GP register
-  my $T2         = $_[22];    #; [clobbered] GP register
-  my $T3         = $_[23];    #; [clobbered] GP register
-  my $MASKREG    = $_[24];    #; [clobbered] mask register
-
-  # ;; J0 = GHASH(IV || 0s+64 || len(IV)64)
-  # ;; s = 16 * RoundUp(len(IV)/16) -  len(IV) */
-
-  # ;; Calculate GHASH of (IV || 0s)
-  $code .= "vpxor             $J0,$J0,$J0\n";
-  &CALC_AAD_HASH($IV, $IV_LEN, $J0, $GCM128_CTX, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4,
-    $ZT5, $ZT6, $ZT7, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT13, $ZT14, $ZT15, $ZT16, $T1, $T2, $T3, $MASKREG);
-
-  # ;; Calculate GHASH of last 16-byte block (0 || len(IV)64)
-  $code .= <<___;
-        mov               $IV_LEN,$T1
-        shl               \$3,$T1      # ; IV length in bits
-        vmovq             $T1,@{[XWORD($ZT2)]}
-
-        # ;; Might need shuffle of ZT2
-        vpxorq            $J0,@{[XWORD($ZT2)]},$J0
-
-        vmovdqu64         @{[HashKeyByIdx(1,$GCM128_CTX)]},@{[XWORD($ZT0)]}
-___
-  &GHASH_MUL($J0, @{[XWORD($ZT0)]}, @{[XWORD($ZT1)]}, @{[XWORD($ZT2)]}, @{[XWORD($ZT3)]});
-
-  $code .= "vpshufb           SHUF_MASK(%rip),$J0,$J0      # ; perform a 16Byte swap\n";
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; GCM_INIT_IV performs an initialization of gcm128_ctx struct to prepare for
-# ;;; encoding/decoding.
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub GCM_INIT_IV {
-  my $AES_KEYS   = $_[0];     # [in] AES key schedule
-  my $GCM128_CTX = $_[1];     # [in/out] GCM context
-  my $IV         = $_[2];     # [in] IV pointer
-  my $IV_LEN     = $_[3];     # [in] IV length
-  my $GPR1       = $_[4];     # [clobbered] GP register
-  my $GPR2       = $_[5];     # [clobbered] GP register
-  my $GPR3       = $_[6];     # [clobbered] GP register
-  my $MASKREG    = $_[7];     # [clobbered] mask register
-  my $CUR_COUNT  = $_[8];     # [out] XMM with current counter
-  my $ZT0        = $_[9];     # [clobbered] ZMM register
-  my $ZT1        = $_[10];    # [clobbered] ZMM register
-  my $ZT2        = $_[11];    # [clobbered] ZMM register
-  my $ZT3        = $_[12];    # [clobbered] ZMM register
-  my $ZT4        = $_[13];    # [clobbered] ZMM register
-  my $ZT5        = $_[14];    # [clobbered] ZMM register
-  my $ZT6        = $_[15];    # [clobbered] ZMM register
-  my $ZT7        = $_[16];    # [clobbered] ZMM register
-  my $ZT8        = $_[17];    # [clobbered] ZMM register
-  my $ZT9        = $_[18];    # [clobbered] ZMM register
-  my $ZT10       = $_[19];    # [clobbered] ZMM register
-  my $ZT11       = $_[20];    # [clobbered] ZMM register
-  my $ZT12       = $_[21];    # [clobbered] ZMM register
-  my $ZT13       = $_[22];    # [clobbered] ZMM register
-  my $ZT14       = $_[23];    # [clobbered] ZMM register
-  my $ZT15       = $_[24];    # [clobbered] ZMM register
-  my $ZT16       = $_[25];    # [clobbered] ZMM register
-
-  my $ZT0x = $ZT0;
-  $ZT0x =~ s/zmm/xmm/;
-
-  $code .= <<___;
-        cmp     \$12,$IV_LEN
-        je      iv_len_12_init_IV
-___
-
-  # ;; IV is different than 12 bytes
-  &CALC_J0($GCM128_CTX, $IV, $IV_LEN, $CUR_COUNT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, $ZT5, $ZT6, $ZT7,
-    $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT13, $ZT14, $ZT15, $ZT16, $GPR1, $GPR2, $GPR3, $MASKREG);
-  $code .= <<___;
-       jmp      skip_iv_len_12_init_IV
-iv_len_12_init_IV:   # ;; IV is 12 bytes
-        # ;; read 12 IV bytes and pad with 0x00000001
-        vmovdqu8          ONEf(%rip),$CUR_COUNT
-        mov               $IV,$GPR2
-        mov               \$0x0000000000000fff,@{[DWORD($GPR1)]}
-        kmovq             $GPR1,$MASKREG
-        vmovdqu8          ($GPR2),${CUR_COUNT}{$MASKREG}         # ; ctr = IV | 0x1
-skip_iv_len_12_init_IV:
-        vmovdqu           $CUR_COUNT,$ZT0x
-___
-  &ENCRYPT_SINGLE_BLOCK($AES_KEYS, "$ZT0x", "$GPR1");    # ; E(K, Y0)
-  $code .= <<___;
-        vmovdqu           $ZT0x,`$CTX_OFFSET_EK0`($GCM128_CTX)   # ; save EK0 for finalization stage
-
-        # ;; store IV as counter in LE format
-        vpshufb           SHUF_MASK(%rip),$CUR_COUNT,$CUR_COUNT
-        vmovdqu           $CUR_COUNT,`$CTX_OFFSET_CurCount`($GCM128_CTX)   # ; save current counter Yi
-___
-}
-
-sub GCM_UPDATE_AAD {
-  my $GCM128_CTX = $_[0];  # [in] GCM context pointer
-  my $A_IN       = $_[1];  # [in] AAD pointer
-  my $A_LEN      = $_[2];  # [in] AAD length in bytes
-  my $GPR1       = $_[3];  # [clobbered] GP register
-  my $GPR2       = $_[4];  # [clobbered] GP register
-  my $GPR3       = $_[5];  # [clobbered] GP register
-  my $MASKREG    = $_[6];  # [clobbered] mask register
-  my $AAD_HASH   = $_[7];  # [out] XMM for AAD_HASH value
-  my $ZT0        = $_[8];  # [clobbered] ZMM register
-  my $ZT1        = $_[9];  # [clobbered] ZMM register
-  my $ZT2        = $_[10]; # [clobbered] ZMM register
-  my $ZT3        = $_[11]; # [clobbered] ZMM register
-  my $ZT4        = $_[12]; # [clobbered] ZMM register
-  my $ZT5        = $_[13]; # [clobbered] ZMM register
-  my $ZT6        = $_[14]; # [clobbered] ZMM register
-  my $ZT7        = $_[15]; # [clobbered] ZMM register
-  my $ZT8        = $_[16]; # [clobbered] ZMM register
-  my $ZT9        = $_[17]; # [clobbered] ZMM register
-  my $ZT10       = $_[18]; # [clobbered] ZMM register
-  my $ZT11       = $_[19]; # [clobbered] ZMM register
-  my $ZT12       = $_[20]; # [clobbered] ZMM register
-  my $ZT13       = $_[21]; # [clobbered] ZMM register
-  my $ZT14       = $_[22]; # [clobbered] ZMM register
-  my $ZT15       = $_[23]; # [clobbered] ZMM register
-  my $ZT16       = $_[24]; # [clobbered] ZMM register
-
-  # ; load current hash
-  $code .= "vmovdqu64         $CTX_OFFSET_AadHash($GCM128_CTX),$AAD_HASH\n";
-
-  &CALC_AAD_HASH($A_IN, $A_LEN, $AAD_HASH, $GCM128_CTX, $ZT0, $ZT1, $ZT2,
-    $ZT3, $ZT4, $ZT5, $ZT6, $ZT7, $ZT8, $ZT9, $ZT10, $ZT11, $ZT12, $ZT13,
-    $ZT14, $ZT15, $ZT16, $GPR1, $GPR2, $GPR3, $MASKREG);
-
-  # ; load current hash
-  $code .= "vmovdqu64         $AAD_HASH,$CTX_OFFSET_AadHash($GCM128_CTX)\n";
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Cipher and ghash of payloads shorter than 256 bytes
-# ;;; - number of blocks in the message comes as argument
-# ;;; - depending on the number of blocks an optimized variant of
-# ;;;   INITIAL_BLOCKS_PARTIAL is invoked
-sub GCM_ENC_DEC_SMALL {
-  my $AES_KEYS       = $_[0];     # [in] key pointer
-  my $GCM128_CTX     = $_[1];     # [in] context pointer
-  my $CIPH_PLAIN_OUT = $_[2];     # [in] output buffer
-  my $PLAIN_CIPH_IN  = $_[3];     # [in] input buffer
-  my $PLAIN_CIPH_LEN = $_[4];     # [in] buffer length
-  my $ENC_DEC        = $_[5];     # [in] cipher direction
-  my $DATA_OFFSET    = $_[6];     # [in] data offset
-  my $LENGTH         = $_[7];     # [in] data length
-  my $NUM_BLOCKS     = $_[8];     # [in] number of blocks to process 1 to 16
-  my $CTR            = $_[9];     # [in/out] XMM counter block
-  my $HASH_IN_OUT    = $_[10];    # [in/out] XMM GHASH value
-  my $ZTMP0          = $_[11];    # [clobbered] ZMM register
-  my $ZTMP1          = $_[12];    # [clobbered] ZMM register
-  my $ZTMP2          = $_[13];    # [clobbered] ZMM register
-  my $ZTMP3          = $_[14];    # [clobbered] ZMM register
-  my $ZTMP4          = $_[15];    # [clobbered] ZMM register
-  my $ZTMP5          = $_[16];    # [clobbered] ZMM register
-  my $ZTMP6          = $_[17];    # [clobbered] ZMM register
-  my $ZTMP7          = $_[18];    # [clobbered] ZMM register
-  my $ZTMP8          = $_[19];    # [clobbered] ZMM register
-  my $ZTMP9          = $_[20];    # [clobbered] ZMM register
-  my $ZTMP10         = $_[21];    # [clobbered] ZMM register
-  my $ZTMP11         = $_[22];    # [clobbered] ZMM register
-  my $ZTMP12         = $_[23];    # [clobbered] ZMM register
-  my $ZTMP13         = $_[24];    # [clobbered] ZMM register
-  my $ZTMP14         = $_[25];    # [clobbered] ZMM register
-  my $IA0            = $_[26];    # [clobbered] GP register
-  my $IA1            = $_[27];    # [clobbered] GP register
-  my $MASKREG        = $_[28];    # [clobbered] mask register
-  my $SHUFMASK       = $_[29];    # [in] ZMM with BE/LE shuffle mask
-  my $PBLOCK_LEN     = $_[30];    # [in] partial block length
-
-  my $rndsuffix = &random_string();
-
-  $code .= <<___;
-        cmp               \$8,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_8_${rndsuffix}
-        jl                .L_small_initial_num_blocks_is_7_1_${rndsuffix}
-
-
-        cmp               \$12,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_12_${rndsuffix}
-        jl                .L_small_initial_num_blocks_is_11_9_${rndsuffix}
-
-        # ;; 16, 15, 14 or 13
-        cmp               \$16,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_16_${rndsuffix}
-        cmp               \$15,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_15_${rndsuffix}
-        cmp               \$14,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_14_${rndsuffix}
-        jmp               .L_small_initial_num_blocks_is_13_${rndsuffix}
-
-.L_small_initial_num_blocks_is_11_9_${rndsuffix}:
-        # ;; 11, 10 or 9
-        cmp               \$11,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_11_${rndsuffix}
-        cmp               \$10,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_10_${rndsuffix}
-        jmp               .L_small_initial_num_blocks_is_9_${rndsuffix}
-
-.L_small_initial_num_blocks_is_7_1_${rndsuffix}:
-        cmp               \$4,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_4_${rndsuffix}
-        jl                .L_small_initial_num_blocks_is_3_1_${rndsuffix}
-        # ;; 7, 6 or 5
-        cmp               \$7,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_7_${rndsuffix}
-        cmp               \$6,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_6_${rndsuffix}
-        jmp               .L_small_initial_num_blocks_is_5_${rndsuffix}
-
-.L_small_initial_num_blocks_is_3_1_${rndsuffix}:
-        # ;; 3, 2 or 1
-        cmp               \$3,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_3_${rndsuffix}
-        cmp               \$2,$NUM_BLOCKS
-        je                .L_small_initial_num_blocks_is_2_${rndsuffix}
-
-        # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed
-
-        # ;; Generation of different block size variants
-        # ;; - one block size has to be the first one
-___
-
-  for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) {
-    $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n";
-    &INITIAL_BLOCKS_PARTIAL(
-      $AES_KEYS,   $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH,   $DATA_OFFSET,
-      $num_blocks, $CTR,        $HASH_IN_OUT,    $ENC_DEC,       $ZTMP0,    $ZTMP1,
-      $ZTMP2,      $ZTMP3,      $ZTMP4,          $ZTMP5,         $ZTMP6,    $ZTMP7,
-      $ZTMP8,      $ZTMP9,      $ZTMP10,         $ZTMP11,        $ZTMP12,   $ZTMP13,
-      $ZTMP14,     $IA0,        $IA1,            $MASKREG,       $SHUFMASK, $PBLOCK_LEN);
-
-    if ($num_blocks != 16) {
-      $code .= "jmp           .L_small_initial_blocks_encrypted_${rndsuffix}\n";
-    }
-  }
-
-  $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n";
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ; GCM_ENC_DEC Encrypts/Decrypts given data. Assumes that the passed gcm128_context
-# ; struct has been initialized by GCM_INIT_IV
-# ; Requires the input data be at least 1 byte long because of READ_SMALL_INPUT_DATA.
-# ; Clobbers rax, r10-r15, and zmm0-zmm31, k1
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub GCM_ENC_DEC {
-  my $AES_KEYS       = $_[0];    # [in] AES Key schedule
-  my $GCM128_CTX     = $_[1];    # [in] context pointer
-  my $PBLOCK_LEN     = $_[2];    # [in] length of partial block at the moment of previous update
-  my $PLAIN_CIPH_IN  = $_[3];    # [in] input buffer pointer
-  my $PLAIN_CIPH_LEN = $_[4];    # [in] buffer length
-  my $CIPH_PLAIN_OUT = $_[5];    # [in] output buffer pointer
-  my $ENC_DEC        = $_[6];    # [in] cipher direction
-
-  my $IA0 = "%r10";
-  my $IA1 = "%r12";
-  my $IA2 = "%r13";
-  my $IA3 = "%r15";
-  my $IA4 = "%r11";
-  my $IA5 = "%rax";
-  my $IA6 = "%rbx";
-  my $IA7 = "%r14";
-
-  my $LENGTH = $win64 ? $IA2 : $PLAIN_CIPH_LEN;
-
-  my $CTR_CHECK   = $IA3;
-  my $DATA_OFFSET = $IA4;
-  my $HASHK_PTR   = $IA6;
-
-  my $HKEYS_READY = $IA7;
-
-  my $CTR_BLOCKz = "%zmm2";
-  my $CTR_BLOCKx = "%xmm2";
-
-  # ; hardcoded in GCM_INIT
-
-  my $AAD_HASHz = "%zmm14";
-  my $AAD_HASHx = "%xmm14";
-
-  # ; hardcoded in GCM_COMPLETE
-
-  my $ZTMP0  = "%zmm0";
-  my $ZTMP1  = "%zmm3";
-  my $ZTMP2  = "%zmm4";
-  my $ZTMP3  = "%zmm5";
-  my $ZTMP4  = "%zmm6";
-  my $ZTMP5  = "%zmm7";
-  my $ZTMP6  = "%zmm10";
-  my $ZTMP7  = "%zmm11";
-  my $ZTMP8  = "%zmm12";
-  my $ZTMP9  = "%zmm13";
-  my $ZTMP10 = "%zmm15";
-  my $ZTMP11 = "%zmm16";
-  my $ZTMP12 = "%zmm17";
-
-  my $ZTMP13 = "%zmm19";
-  my $ZTMP14 = "%zmm20";
-  my $ZTMP15 = "%zmm21";
-  my $ZTMP16 = "%zmm30";
-  my $ZTMP17 = "%zmm31";
-  my $ZTMP18 = "%zmm1";
-  my $ZTMP19 = "%zmm18";
-  my $ZTMP20 = "%zmm8";
-  my $ZTMP21 = "%zmm22";
-  my $ZTMP22 = "%zmm23";
-
-  my $GH        = "%zmm24";
-  my $GL        = "%zmm25";
-  my $GM        = "%zmm26";
-  my $SHUF_MASK = "%zmm29";
-
-  # ; Unused in the small packet path
-  my $ADDBE_4x4  = "%zmm27";
-  my $ADDBE_1234 = "%zmm28";
-
-  my $MASKREG = "%k1";
-
-  my $rndsuffix = &random_string();
-
-  # ;; reduction every 48 blocks, depth 32 blocks
-  # ;; @note 48 blocks is the maximum capacity of the stack frame
-  my $big_loop_nblocks = 48;
-  my $big_loop_depth   = 32;
-
-  # ;;; Macro flow depending on packet size
-  # ;;; - LENGTH <= 16 blocks
-  # ;;;   - cipher followed by hashing (reduction)
-  # ;;; - 16 blocks < LENGTH < 32 blocks
-  # ;;;   - cipher 16 blocks
-  # ;;;   - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
-  # ;;; - 32 blocks < LENGTH < 48 blocks
-  # ;;;   - cipher 2 x 16 blocks
-  # ;;;   - hash 16 blocks
-  # ;;;   - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
-  # ;;; - LENGTH >= 48 blocks
-  # ;;;   - cipher 2 x 16 blocks
-  # ;;;   - while (data_to_cipher >= 48 blocks):
-  # ;;;     - cipher 16 blocks & hash 16 blocks
-  # ;;;     - cipher 16 blocks & hash 16 blocks
-  # ;;;     - cipher 16 blocks & hash 16 blocks (reduction)
-  # ;;;   - if (data_to_cipher >= 32 blocks):
-  # ;;;     - cipher 16 blocks & hash 16 blocks
-  # ;;;     - cipher 16 blocks & hash 16 blocks
-  # ;;;     - hash 16 blocks (reduction)
-  # ;;;     - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
-  # ;;;   - elif (data_to_cipher >= 16 blocks):
-  # ;;;     - cipher 16 blocks & hash 16 blocks
-  # ;;;     - hash 16 blocks
-  # ;;;     - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
-  # ;;;   - else:
-  # ;;;     - hash 16 blocks
-  # ;;;     - cipher N blocks & hash 16 blocks, hash N blocks (reduction)
-
-  if ($win64) {
-    $code .= "cmpq              \$0,$PLAIN_CIPH_LEN\n";
-  } else {
-    $code .= "or                $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n";
-  }
-  $code .= "je            .L_enc_dec_done_${rndsuffix}\n";
-
-  # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in
-  # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc'
-
-  $code .= "xor                $HKEYS_READY, $HKEYS_READY\n";
-  $code .= "vmovdqu64         `$CTX_OFFSET_AadHash`($GCM128_CTX),$AAD_HASHx\n";
-
-  # ;; Used for the update flow - if there was a previous partial
-  # ;; block fill the remaining bytes here.
-  &PARTIAL_BLOCK(
-    $GCM128_CTX,  $PBLOCK_LEN, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN,
-    $DATA_OFFSET, $AAD_HASHx,  $ENC_DEC,        $IA0,           $IA1,
-    $IA2,         $ZTMP0,      $ZTMP1,          $ZTMP2,         $ZTMP3,
-    $ZTMP4,       $ZTMP5,      $ZTMP6,          $ZTMP7,         $MASKREG);
-
-  $code .= "vmovdqu64         `$CTX_OFFSET_CurCount`($GCM128_CTX),$CTR_BLOCKx\n";
-
-  # ;; Save the amount of data left to process in $LENGTH
-  # ;; NOTE: PLAIN_CIPH_LEN is a register on linux;
-  if ($win64) {
-    $code .= "mov               $PLAIN_CIPH_LEN,$LENGTH\n";
-  }
-
-  # ;; There may be no more data if it was consumed in the partial block.
-  $code .= <<___;
-        sub               $DATA_OFFSET,$LENGTH
-        je                .L_enc_dec_done_${rndsuffix}
-___
-
-  $code .= <<___;
-        cmp               \$`(16 * 16)`,$LENGTH
-        jbe              .L_message_below_equal_16_blocks_${rndsuffix}
-
-        vmovdqa64         SHUF_MASK(%rip),$SHUF_MASK
-        vmovdqa64         ddq_addbe_4444(%rip),$ADDBE_4x4
-        vmovdqa64         ddq_addbe_1234(%rip),$ADDBE_1234
-
-        # ;; start the pipeline
-        # ;; - 32 blocks aes-ctr
-        # ;; - 16 blocks ghash + aes-ctr
-
-        # ;; set up CTR_CHECK
-        vmovd             $CTR_BLOCKx,@{[DWORD($CTR_CHECK)]}
-        and               \$255,@{[DWORD($CTR_CHECK)]}
-        # ;; in LE format after init, convert to BE
-        vshufi64x2        \$0,$CTR_BLOCKz,$CTR_BLOCKz,$CTR_BLOCKz
-        vpshufb           $SHUF_MASK,$CTR_BLOCKz,$CTR_BLOCKz
-___
-
-  # ;; ==== AES-CTR - first 16 blocks
-  my $aesout_offset      = ($STACK_LOCAL_OFFSET + (0 * 16));
-  my $data_in_out_offset = 0;
-  &INITIAL_BLOCKS_16(
-    $PLAIN_CIPH_IN, $CIPH_PLAIN_OUT, $AES_KEYS,      $DATA_OFFSET,        "no_ghash", $CTR_BLOCKz,
-    $CTR_CHECK,     $ADDBE_4x4,      $ADDBE_1234,    $ZTMP0,              $ZTMP1,     $ZTMP2,
-    $ZTMP3,         $ZTMP4,          $ZTMP5,         $ZTMP6,              $ZTMP7,     $ZTMP8,
-    $SHUF_MASK,     $ENC_DEC,        $aesout_offset, $data_in_out_offset, $IA0);
-
-  &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
-    "first16");
-
-  $code .= <<___;
-        cmp               \$`(32 * 16)`,$LENGTH
-        jb                .L_message_below_32_blocks_${rndsuffix}
-___
-
-  # ;; ==== AES-CTR - next 16 blocks
-  $aesout_offset      = ($STACK_LOCAL_OFFSET + (16 * 16));
-  $data_in_out_offset = (16 * 16);
-  &INITIAL_BLOCKS_16(
-    $PLAIN_CIPH_IN, $CIPH_PLAIN_OUT, $AES_KEYS,      $DATA_OFFSET,        "no_ghash", $CTR_BLOCKz,
-    $CTR_CHECK,     $ADDBE_4x4,      $ADDBE_1234,    $ZTMP0,              $ZTMP1,     $ZTMP2,
-    $ZTMP3,         $ZTMP4,          $ZTMP5,         $ZTMP6,              $ZTMP7,     $ZTMP8,
-    $SHUF_MASK,     $ENC_DEC,        $aesout_offset, $data_in_out_offset, $IA0);
-
-  &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
-    "last32");
-  $code .= "mov     \$1,$HKEYS_READY\n";
-
-  $code .= <<___;
-        add               \$`(32 * 16)`,$DATA_OFFSET
-        sub               \$`(32 * 16)`,$LENGTH
-
-        cmp               \$`($big_loop_nblocks * 16)`,$LENGTH
-        jb                .L_no_more_big_nblocks_${rndsuffix}
-___
-
-  # ;; ====
-  # ;; ==== AES-CTR + GHASH - 48 blocks loop
-  # ;; ====
-  $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n";
-
-  # ;; ==== AES-CTR + GHASH - 16 blocks, start
-  $aesout_offset      = ($STACK_LOCAL_OFFSET + (32 * 16));
-  $data_in_out_offset = (0 * 16);
-  my $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
-  &GHASH_16_ENCRYPT_16_PARALLEL(
-    $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $CTR_BLOCKz,         $CTR_CHECK,
-    48,        $aesout_offset,  $ghashin_offset, $SHUF_MASK,   $ZTMP0,              $ZTMP1,
-    $ZTMP2,    $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,              $ZTMP7,
-    $ZTMP8,    $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,             $ZTMP13,
-    $ZTMP14,   $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,             $ZTMP19,
-    $ZTMP20,   $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,         $GL,
-    $GH,       $GM,             "first_time",    $ENC_DEC,     $data_in_out_offset, $AAD_HASHz,
-    $IA0);
-
-  # ;; ==== AES-CTR + GHASH - 16 blocks, no reduction
-  $aesout_offset      = ($STACK_LOCAL_OFFSET + (0 * 16));
-  $data_in_out_offset = (16 * 16);
-  $ghashin_offset     = ($STACK_LOCAL_OFFSET + (16 * 16));
-  &GHASH_16_ENCRYPT_16_PARALLEL(
-    $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $CTR_BLOCKz,         $CTR_CHECK,
-    32,        $aesout_offset,  $ghashin_offset, $SHUF_MASK,   $ZTMP0,              $ZTMP1,
-    $ZTMP2,    $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,              $ZTMP7,
-    $ZTMP8,    $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,             $ZTMP13,
-    $ZTMP14,   $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,             $ZTMP19,
-    $ZTMP20,   $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,         $GL,
-    $GH,       $GM,             "no_reduction",  $ENC_DEC,     $data_in_out_offset, "no_ghash_in",
-    $IA0);
-
-  # ;; ==== AES-CTR + GHASH - 16 blocks, reduction
-  $aesout_offset      = ($STACK_LOCAL_OFFSET + (16 * 16));
-  $data_in_out_offset = (32 * 16);
-  $ghashin_offset     = ($STACK_LOCAL_OFFSET + (32 * 16));
-  &GHASH_16_ENCRYPT_16_PARALLEL(
-    $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,    $DATA_OFFSET, $CTR_BLOCKz,         $CTR_CHECK,
-    16,        $aesout_offset,  $ghashin_offset,   $SHUF_MASK,   $ZTMP0,              $ZTMP1,
-    $ZTMP2,    $ZTMP3,          $ZTMP4,            $ZTMP5,       $ZTMP6,              $ZTMP7,
-    $ZTMP8,    $ZTMP9,          $ZTMP10,           $ZTMP11,      $ZTMP12,             $ZTMP13,
-    $ZTMP14,   $ZTMP15,         $ZTMP16,           $ZTMP17,      $ZTMP18,             $ZTMP19,
-    $ZTMP20,   $ZTMP21,         $ZTMP22,           $ADDBE_4x4,   $ADDBE_1234,         $GL,
-    $GH,       $GM,             "final_reduction", $ENC_DEC,     $data_in_out_offset, "no_ghash_in",
-    $IA0);
-
-  # ;; === xor cipher block 0 with GHASH (ZT4)
-  $code .= <<___;
-        vmovdqa64         $ZTMP4,$AAD_HASHz
-
-        add               \$`($big_loop_nblocks * 16)`,$DATA_OFFSET
-        sub               \$`($big_loop_nblocks * 16)`,$LENGTH
-        cmp               \$`($big_loop_nblocks * 16)`,$LENGTH
-        jae               .L_encrypt_big_nblocks_${rndsuffix}
-
-.L_no_more_big_nblocks_${rndsuffix}:
-
-        cmp               \$`(32 * 16)`,$LENGTH
-        jae               .L_encrypt_32_blocks_${rndsuffix}
-
-        cmp               \$`(16 * 16)`,$LENGTH
-        jae               .L_encrypt_16_blocks_${rndsuffix}
-___
-
-  # ;; =====================================================
-  # ;; =====================================================
-  # ;; ==== GHASH 1 x 16 blocks
-  # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
-  # ;; ====      then GHASH N blocks
-  $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n";
-
-  # ;; calculate offset to the right hash key
-  $code .= <<___;
-mov               @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}
-and               \$~15,@{[DWORD($IA0)]}
-mov               \$`@{[HashKeyOffsetByIdx(32,"frame")]}`,@{[DWORD($HASHK_PTR)]}
-sub               @{[DWORD($IA0)]},@{[DWORD($HASHK_PTR)]}
-___
-
-  # ;; ==== GHASH 32 blocks and follow with reduction
-  &GHASH_16("start", $GH, $GM, $GL, "%rsp", $STACK_LOCAL_OFFSET, (0 * 16),
-    "%rsp", $HASHK_PTR, 0, $AAD_HASHz, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8, $ZTMP9);
-
-  # ;; ==== GHASH 1 x 16 blocks with reduction + cipher and ghash on the reminder
-  $ghashin_offset = ($STACK_LOCAL_OFFSET + (16 * 16));
-  $code .= "add               \$`(16 * 16)`,@{[DWORD($HASHK_PTR)]}\n";
-  &GCM_ENC_DEC_LAST(
-    $AES_KEYS,   $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $LENGTH,
-    $CTR_BLOCKz, $CTR_CHECK,  $HASHK_PTR,      $ghashin_offset, $SHUF_MASK,   $ZTMP0,
-    $ZTMP1,      $ZTMP2,      $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,
-    $ZTMP7,      $ZTMP8,      $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,
-    $ZTMP13,     $ZTMP14,     $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,
-    $ZTMP19,     $ZTMP20,     $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,
-    "mid",       $GL,         $GH,             $GM,             $ENC_DEC,     $AAD_HASHz,
-    $IA0,        $IA5,        $MASKREG,        $PBLOCK_LEN);
-
-  $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
-  $code .= "jmp           .L_ghash_done_${rndsuffix}\n";
-
-  # ;; =====================================================
-  # ;; =====================================================
-  # ;; ==== GHASH & encrypt 1 x 16 blocks
-  # ;; ==== GHASH & encrypt 1 x 16 blocks
-  # ;; ==== GHASH 1 x 16 blocks (reduction)
-  # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
-  # ;; ====      then GHASH N blocks
-  $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n";
-
-  # ;; ==== AES-CTR + GHASH - 16 blocks, start
-  $aesout_offset  = ($STACK_LOCAL_OFFSET + (32 * 16));
-  $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
-  $data_in_out_offset = (0 * 16);
-  &GHASH_16_ENCRYPT_16_PARALLEL(
-    $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $CTR_BLOCKz,         $CTR_CHECK,
-    48,        $aesout_offset,  $ghashin_offset, $SHUF_MASK,   $ZTMP0,              $ZTMP1,
-    $ZTMP2,    $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,              $ZTMP7,
-    $ZTMP8,    $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,             $ZTMP13,
-    $ZTMP14,   $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,             $ZTMP19,
-    $ZTMP20,   $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,         $GL,
-    $GH,       $GM,             "first_time",    $ENC_DEC,     $data_in_out_offset, $AAD_HASHz,
-    $IA0);
-
-  # ;; ==== AES-CTR + GHASH - 16 blocks, no reduction
-  $aesout_offset  = ($STACK_LOCAL_OFFSET + (0 * 16));
-  $ghashin_offset = ($STACK_LOCAL_OFFSET + (16 * 16));
-  $data_in_out_offset = (16 * 16);
-  &GHASH_16_ENCRYPT_16_PARALLEL(
-    $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $CTR_BLOCKz,         $CTR_CHECK,
-    32,        $aesout_offset,  $ghashin_offset, $SHUF_MASK,   $ZTMP0,              $ZTMP1,
-    $ZTMP2,    $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,              $ZTMP7,
-    $ZTMP8,    $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,             $ZTMP13,
-    $ZTMP14,   $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,             $ZTMP19,
-    $ZTMP20,   $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,         $GL,
-    $GH,       $GM,             "no_reduction",  $ENC_DEC,     $data_in_out_offset, "no_ghash_in",
-    $IA0);
-
-  # ;; ==== GHASH 16 blocks with reduction
-  &GHASH_16(
-    "end_reduce", $GH, $GM, $GL, "%rsp", $STACK_LOCAL_OFFSET, (32 * 16),
-    "%rsp", &HashKeyOffsetByIdx(16, "frame"),
-    0, $AAD_HASHz, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8, $ZTMP9);
-
-  # ;; ==== GHASH 1 x 16 blocks with reduction + cipher and ghash on the reminder
-  $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
-  $code .= <<___;
-        sub               \$`(32 * 16)`,$LENGTH
-        add               \$`(32 * 16)`,$DATA_OFFSET
-___
-
-  # ;; calculate offset to the right hash key
-  $code .= "mov               @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}\n";
-  $code .= <<___;
-        and               \$~15,@{[DWORD($IA0)]}
-        mov               \$`@{[HashKeyOffsetByIdx(16,"frame")]}`,@{[DWORD($HASHK_PTR)]}
-        sub               @{[DWORD($IA0)]},@{[DWORD($HASHK_PTR)]}
-___
-  &GCM_ENC_DEC_LAST(
-    $AES_KEYS,   $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $LENGTH,
-    $CTR_BLOCKz, $CTR_CHECK,  $HASHK_PTR,      $ghashin_offset, $SHUF_MASK,   $ZTMP0,
-    $ZTMP1,      $ZTMP2,      $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,
-    $ZTMP7,      $ZTMP8,      $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,
-    $ZTMP13,     $ZTMP14,     $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,
-    $ZTMP19,     $ZTMP20,     $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,
-    "start",     $GL,         $GH,             $GM,             $ENC_DEC,     $AAD_HASHz,
-    $IA0,        $IA5,        $MASKREG,        $PBLOCK_LEN);
-
-  $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
-  $code .= "jmp           .L_ghash_done_${rndsuffix}\n";
-
-  # ;; =====================================================
-  # ;; =====================================================
-  # ;; ==== GHASH & encrypt 16 blocks (done before)
-  # ;; ==== GHASH 1 x 16 blocks
-  # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks
-  # ;; ====      then GHASH N blocks
-  $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n";
-
-  # ;; ==== AES-CTR + GHASH - 16 blocks, start
-  $aesout_offset  = ($STACK_LOCAL_OFFSET + (32 * 16));
-  $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
-  $data_in_out_offset = (0 * 16);
-  &GHASH_16_ENCRYPT_16_PARALLEL(
-    $AES_KEYS, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $CTR_BLOCKz,         $CTR_CHECK,
-    48,        $aesout_offset,  $ghashin_offset, $SHUF_MASK,   $ZTMP0,              $ZTMP1,
-    $ZTMP2,    $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,              $ZTMP7,
-    $ZTMP8,    $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,             $ZTMP13,
-    $ZTMP14,   $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,             $ZTMP19,
-    $ZTMP20,   $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,         $GL,
-    $GH,       $GM,             "first_time",    $ENC_DEC,     $data_in_out_offset, $AAD_HASHz,
-    $IA0);
-
-  # ;; ==== GHASH 1 x 16 blocks
-  &GHASH_16(
-    "mid", $GH, $GM, $GL, "%rsp", $STACK_LOCAL_OFFSET, (16 * 16),
-    "%rsp", &HashKeyOffsetByIdx(32, "frame"),
-    0, "no_hash_input", $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6, $ZTMP7, $ZTMP8, $ZTMP9);
-
-  # ;; ==== GHASH 1 x 16 blocks with reduction + cipher and ghash on the reminder
-  $ghashin_offset = ($STACK_LOCAL_OFFSET + (32 * 16));
-  $code .= <<___;
-        sub               \$`(16 * 16)`,$LENGTH
-        add               \$`(16 * 16)`,$DATA_OFFSET
-___
-  &GCM_ENC_DEC_LAST(
-    $AES_KEYS,    $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,
-    $DATA_OFFSET, $LENGTH,     $CTR_BLOCKz,     $CTR_CHECK,
-    &HashKeyOffsetByIdx(16, "frame"), $ghashin_offset, $SHUF_MASK, $ZTMP0,
-    $ZTMP1,       $ZTMP2,     $ZTMP3,     $ZTMP4,
-    $ZTMP5,       $ZTMP6,     $ZTMP7,     $ZTMP8,
-    $ZTMP9,       $ZTMP10,    $ZTMP11,    $ZTMP12,
-    $ZTMP13,      $ZTMP14,    $ZTMP15,    $ZTMP16,
-    $ZTMP17,      $ZTMP18,    $ZTMP19,    $ZTMP20,
-    $ZTMP21,      $ZTMP22,    $ADDBE_4x4, $ADDBE_1234,
-    "end_reduce", $GL,        $GH,        $GM,
-    $ENC_DEC,     $AAD_HASHz, $IA0,       $IA5,
-    $MASKREG,     $PBLOCK_LEN);
-
-  $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
-  $code .= <<___;
-        jmp               .L_ghash_done_${rndsuffix}
-
-.L_message_below_32_blocks_${rndsuffix}:
-        # ;; 32 > number of blocks > 16
-
-        sub               \$`(16 * 16)`,$LENGTH
-        add               \$`(16 * 16)`,$DATA_OFFSET
-___
-  $ghashin_offset = ($STACK_LOCAL_OFFSET + (0 * 16));
-
-  # ;; calculate offset to the right hash key
-  $code .= "mov               @{[DWORD($LENGTH)]},@{[DWORD($IA0)]}\n";
-
-  &precompute_hkeys_on_stack($GCM128_CTX, $HKEYS_READY, $ZTMP0, $ZTMP1, $ZTMP2, $ZTMP3, $ZTMP4, $ZTMP5, $ZTMP6,
-    "mid16");
-  $code .= "mov     \$1,$HKEYS_READY\n";
-
-  $code .= <<___;
-and               \$~15,@{[DWORD($IA0)]}
-mov               \$`@{[HashKeyOffsetByIdx(16,"frame")]}`,@{[DWORD($HASHK_PTR)]}
-sub               @{[DWORD($IA0)]},@{[DWORD($HASHK_PTR)]}
-___
-
-  &GCM_ENC_DEC_LAST(
-    $AES_KEYS,   $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN,  $DATA_OFFSET, $LENGTH,
-    $CTR_BLOCKz, $CTR_CHECK,  $HASHK_PTR,      $ghashin_offset, $SHUF_MASK,   $ZTMP0,
-    $ZTMP1,      $ZTMP2,      $ZTMP3,          $ZTMP4,          $ZTMP5,       $ZTMP6,
-    $ZTMP7,      $ZTMP8,      $ZTMP9,          $ZTMP10,         $ZTMP11,      $ZTMP12,
-    $ZTMP13,     $ZTMP14,     $ZTMP15,         $ZTMP16,         $ZTMP17,      $ZTMP18,
-    $ZTMP19,     $ZTMP20,     $ZTMP21,         $ZTMP22,         $ADDBE_4x4,   $ADDBE_1234,
-    "start",     $GL,         $GH,             $GM,             $ENC_DEC,     $AAD_HASHz,
-    $IA0,        $IA5,        $MASKREG,        $PBLOCK_LEN);
-
-  $code .= "vpshufb           @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n";
-  $code .= <<___;
-        jmp           .L_ghash_done_${rndsuffix}
-
-.L_message_below_equal_16_blocks_${rndsuffix}:
-        # ;; Determine how many blocks to process
-        # ;; - process one additional block if there is a partial block
-        mov               @{[DWORD($LENGTH)]},@{[DWORD($IA1)]}
-        add               \$15,@{[DWORD($IA1)]}
-        shr               \$4, @{[DWORD($IA1)]}     # ; $IA1 can be in the range from 0 to 16
-___
-  &GCM_ENC_DEC_SMALL(
-    $AES_KEYS,    $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $ENC_DEC,
-    $DATA_OFFSET, $LENGTH,     $IA1,            $CTR_BLOCKx,    $AAD_HASHx,      $ZTMP0,
-    $ZTMP1,       $ZTMP2,      $ZTMP3,          $ZTMP4,         $ZTMP5,          $ZTMP6,
-    $ZTMP7,       $ZTMP8,      $ZTMP9,          $ZTMP10,        $ZTMP11,         $ZTMP12,
-    $ZTMP13,      $ZTMP14,     $IA0,            $IA3,           $MASKREG,        $SHUF_MASK,
-    $PBLOCK_LEN);
-
-  # ;; fall through to exit
-
-  $code .= ".L_ghash_done_${rndsuffix}:\n";
-
-  # ;; save the last counter block
-  $code .= "vmovdqu64         $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n";
-  $code .= <<___;
-        vmovdqu64         $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX)
-.L_enc_dec_done_${rndsuffix}:
-___
-}
-
-# ;;; ===========================================================================
-# ;;; Encrypt/decrypt the initial 16 blocks
-sub INITIAL_BLOCKS_16 {
-  my $IN          = $_[0];     # [in] input buffer
-  my $OUT         = $_[1];     # [in] output buffer
-  my $AES_KEYS    = $_[2];     # [in] pointer to expanded keys
-  my $DATA_OFFSET = $_[3];     # [in] data offset
-  my $GHASH       = $_[4];     # [in] ZMM with AAD (low 128 bits)
-  my $CTR         = $_[5];     # [in] ZMM with CTR BE blocks 4x128 bits
-  my $CTR_CHECK   = $_[6];     # [in/out] GPR with counter overflow check
-  my $ADDBE_4x4   = $_[7];     # [in] ZMM 4x128bits with value 4 (big endian)
-  my $ADDBE_1234  = $_[8];     # [in] ZMM 4x128bits with values 1, 2, 3 & 4 (big endian)
-  my $T0          = $_[9];     # [clobered] temporary ZMM register
-  my $T1          = $_[10];    # [clobered] temporary ZMM register
-  my $T2          = $_[11];    # [clobered] temporary ZMM register
-  my $T3          = $_[12];    # [clobered] temporary ZMM register
-  my $T4          = $_[13];    # [clobered] temporary ZMM register
-  my $T5          = $_[14];    # [clobered] temporary ZMM register
-  my $T6          = $_[15];    # [clobered] temporary ZMM register
-  my $T7          = $_[16];    # [clobered] temporary ZMM register
-  my $T8          = $_[17];    # [clobered] temporary ZMM register
-  my $SHUF_MASK   = $_[18];    # [in] ZMM with BE/LE shuffle mask
-  my $ENC_DEC     = $_[19];    # [in] ENC (encrypt) or DEC (decrypt) selector
-  my $BLK_OFFSET  = $_[20];    # [in] stack frame offset to ciphered blocks
-  my $DATA_DISPL  = $_[21];    # [in] fixed numerical data displacement/offset
-  my $IA0         = $_[22];    # [clobered] temporary GP register
-
-  my $B00_03 = $T5;
-  my $B04_07 = $T6;
-  my $B08_11 = $T7;
-  my $B12_15 = $T8;
-
-  my $rndsuffix = &random_string();
-
-  my $stack_offset = $BLK_OFFSET;
-  $code .= <<___;
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        # ;; prepare counter blocks
-
-        cmpb              \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]}
-        jae               .L_next_16_overflow_${rndsuffix}
-        vpaddd            $ADDBE_1234,$CTR,$B00_03
-        vpaddd            $ADDBE_4x4,$B00_03,$B04_07
-        vpaddd            $ADDBE_4x4,$B04_07,$B08_11
-        vpaddd            $ADDBE_4x4,$B08_11,$B12_15
-        jmp               .L_next_16_ok_${rndsuffix}
-.L_next_16_overflow_${rndsuffix}:
-        vpshufb           $SHUF_MASK,$CTR,$CTR
-        vmovdqa64         ddq_add_4444(%rip),$B12_15
-        vpaddd            ddq_add_1234(%rip),$CTR,$B00_03
-        vpaddd            $B12_15,$B00_03,$B04_07
-        vpaddd            $B12_15,$B04_07,$B08_11
-        vpaddd            $B12_15,$B08_11,$B12_15
-        vpshufb           $SHUF_MASK,$B00_03,$B00_03
-        vpshufb           $SHUF_MASK,$B04_07,$B04_07
-        vpshufb           $SHUF_MASK,$B08_11,$B08_11
-        vpshufb           $SHUF_MASK,$B12_15,$B12_15
-.L_next_16_ok_${rndsuffix}:
-        vshufi64x2        \$0b11111111,$B12_15,$B12_15,$CTR
-        addb               \$16,@{[BYTE($CTR_CHECK)]}
-        # ;; === load 16 blocks of data
-        vmovdqu8          `$DATA_DISPL + (64*0)`($IN,$DATA_OFFSET,1),$T0
-        vmovdqu8          `$DATA_DISPL + (64*1)`($IN,$DATA_OFFSET,1),$T1
-        vmovdqu8          `$DATA_DISPL + (64*2)`($IN,$DATA_OFFSET,1),$T2
-        vmovdqu8          `$DATA_DISPL + (64*3)`($IN,$DATA_OFFSET,1),$T3
-
-        # ;; move to AES encryption rounds
-        vbroadcastf64x2    `(16*0)`($AES_KEYS),$T4
-        vpxorq            $T4,$B00_03,$B00_03
-        vpxorq            $T4,$B04_07,$B04_07
-        vpxorq            $T4,$B08_11,$B08_11
-        vpxorq            $T4,$B12_15,$B12_15
-___
-  foreach (1 .. ($NROUNDS)) {
-    $code .= <<___;
-        vbroadcastf64x2    `(16*$_)`($AES_KEYS),$T4
-        vaesenc            $T4,$B00_03,$B00_03
-        vaesenc            $T4,$B04_07,$B04_07
-        vaesenc            $T4,$B08_11,$B08_11
-        vaesenc            $T4,$B12_15,$B12_15
-___
-  }
-  $code .= <<___;
-        vbroadcastf64x2    `(16*($NROUNDS+1))`($AES_KEYS),$T4
-        vaesenclast         $T4,$B00_03,$B00_03
-        vaesenclast         $T4,$B04_07,$B04_07
-        vaesenclast         $T4,$B08_11,$B08_11
-        vaesenclast         $T4,$B12_15,$B12_15
-
-        # ;;  xor against text
-        vpxorq            $T0,$B00_03,$B00_03
-        vpxorq            $T1,$B04_07,$B04_07
-        vpxorq            $T2,$B08_11,$B08_11
-        vpxorq            $T3,$B12_15,$B12_15
-
-        # ;; store
-        mov               $OUT, $IA0
-        vmovdqu8          $B00_03,`$DATA_DISPL + (64*0)`($IA0,$DATA_OFFSET,1)
-        vmovdqu8          $B04_07,`$DATA_DISPL + (64*1)`($IA0,$DATA_OFFSET,1)
-        vmovdqu8          $B08_11,`$DATA_DISPL + (64*2)`($IA0,$DATA_OFFSET,1)
-        vmovdqu8          $B12_15,`$DATA_DISPL + (64*3)`($IA0,$DATA_OFFSET,1)
-___
-  if ($ENC_DEC eq "DEC") {
-    $code .= <<___;
-        # ;; decryption - cipher text needs to go to GHASH phase
-        vpshufb           $SHUF_MASK,$T0,$B00_03
-        vpshufb           $SHUF_MASK,$T1,$B04_07
-        vpshufb           $SHUF_MASK,$T2,$B08_11
-        vpshufb           $SHUF_MASK,$T3,$B12_15
-___
-  } else {
-    $code .= <<___;
-        # ;; encryption
-        vpshufb           $SHUF_MASK,$B00_03,$B00_03
-        vpshufb           $SHUF_MASK,$B04_07,$B04_07
-        vpshufb           $SHUF_MASK,$B08_11,$B08_11
-        vpshufb           $SHUF_MASK,$B12_15,$B12_15
-___
-  }
-
-  if ($GHASH ne "no_ghash") {
-    $code .= <<___;
-        # ;; === xor cipher block 0 with GHASH for the next GHASH round
-        vpxorq            $GHASH,$B00_03,$B00_03
-___
-  }
-  $code .= <<___;
-        vmovdqa64         $B00_03,`$stack_offset + (0 * 64)`(%rsp)
-        vmovdqa64         $B04_07,`$stack_offset + (1 * 64)`(%rsp)
-        vmovdqa64         $B08_11,`$stack_offset + (2 * 64)`(%rsp)
-        vmovdqa64         $B12_15,`$stack_offset + (3 * 64)`(%rsp)
-___
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ; GCM_COMPLETE Finishes ghash calculation
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-sub GCM_COMPLETE {
-  my $GCM128_CTX = $_[0];
-  my $PBLOCK_LEN = $_[1];
-
-  my $rndsuffix = &random_string();
-
-  $code .= <<___;
-        vmovdqu           @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2
-        vmovdqu           $CTX_OFFSET_EK0($GCM128_CTX),%xmm3      # ; xmm3 = E(K,Y0)
-___
-
-  $code .= <<___;
-        vmovdqu           `$CTX_OFFSET_AadHash`($GCM128_CTX),%xmm4
-
-        # ;; Process the final partial block.
-        cmp               \$0,$PBLOCK_LEN
-        je                .L_partial_done_${rndsuffix}
-___
-
-  #  ;GHASH computation for the last <16 Byte block
-  &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
-
-  $code .= <<___;
-.L_partial_done_${rndsuffix}:
-        vmovq           `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5
-        vpinsrq         \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5    #  ; xmm5 = len(A)||len(C)
-        vpsllq          \$3, %xmm5, %xmm5                                       #  ; convert bytes into bits
-
-        vpxor           %xmm5,%xmm4,%xmm4
-___
-
-  &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17");
-
-  $code .= <<___;
-        vpshufb         SHUF_MASK(%rip),%xmm4,%xmm4      # ; perform a 16Byte swap
-        vpxor           %xmm4,%xmm3,%xmm3
-
-.L_return_T_${rndsuffix}:
-        vmovdqu           %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX)
-___
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;;; Functions definitions
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-
-$code .= ".text\n";
-{
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  # ;void   ossl_aes_gcm_init_avx512 /
-  # ;       (const void *aes_keys,
-  # ;        void *gcm128ctx)
-  # ;
-  # ; Precomputes hashkey table for GHASH optimization.
-  # ; Leaf function (does not allocate stack space, does not use non-volatile registers).
-  # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-  $code .= <<___;
-.globl ossl_aes_gcm_init_avx512
-.type ossl_aes_gcm_init_avx512,\@abi-omnipotent
-.align 32
-ossl_aes_gcm_init_avx512:
-.cfi_startproc
-        endbranch
-___
-  if ($CHECK_FUNCTION_ARGUMENTS) {
-    $code .= <<___;
-        # ;; Check aes_keys != NULL
-        test               $arg1,$arg1
-        jz                .Labort_init
-
-        # ;; Check gcm128ctx != NULL
-        test               $arg2,$arg2
-        jz                .Labort_init
-___
-  }
-  $code .= "vpxorq            %xmm16,%xmm16,%xmm16\n";
-  &ENCRYPT_SINGLE_BLOCK("$arg1", "%xmm16", "%rax");    # ; xmm16 = HashKey
-  $code .= <<___;
-        vpshufb           SHUF_MASK(%rip),%xmm16,%xmm16
-        # ;;;  PRECOMPUTATION of HashKey<<1 mod poly from the HashKey ;;;
-        vmovdqa64         %xmm16,%xmm2
-        vpsllq            \$1,%xmm16,%xmm16
-        vpsrlq            \$63,%xmm2,%xmm2
-        vmovdqa           %xmm2,%xmm1
-        vpslldq           \$8,%xmm2,%xmm2
-        vpsrldq           \$8,%xmm1,%xmm1
-        vporq             %xmm2,%xmm16,%xmm16
-        # ;reduction
-        vpshufd           \$0b00100100,%xmm1,%xmm2
-        vpcmpeqd          TWOONE(%rip),%xmm2,%xmm2
-        vpand             POLY(%rip),%xmm2,%xmm2
-        vpxorq            %xmm2,%xmm16,%xmm16                  # ; xmm16 holds the HashKey<<1 mod poly
-        # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-        vmovdqu64         %xmm16,@{[HashKeyByIdx(1,$arg2)]} # ; store HashKey<<1 mod poly
-___
-  &PRECOMPUTE("$arg2", "%xmm16", "%xmm0", "%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5");
-  if ($CLEAR_SCRATCH_REGISTERS) {
-    &clear_scratch_gps_asm();
-    &clear_scratch_zmms_asm();
-  } else {
-    $code .= "vzeroupper\n";
-  }
-  $code .= <<___;
-.Labort_init:
-ret
-.cfi_endproc
-.size ossl_aes_gcm_init_avx512, .-ossl_aes_gcm_init_avx512
-___
-}
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;void   ossl_aes_gcm_setiv_avx512
-# ;       (const void *aes_keys,
-# ;        void *gcm128ctx,
-# ;        const unsigned char *iv,
-# ;        size_t ivlen)
-# ;
-# ; Computes E(K,Y0) for finalization, updates current counter Yi in gcm128_context structure.
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-$code .= <<___;
-.globl ossl_aes_gcm_setiv_avx512
-.type ossl_aes_gcm_setiv_avx512,\@abi-omnipotent
-.align 32
-ossl_aes_gcm_setiv_avx512:
-.cfi_startproc
-.Lsetiv_seh_begin:
-        endbranch
-___
-if ($CHECK_FUNCTION_ARGUMENTS) {
-  $code .= <<___;
-        # ;; Check aes_keys != NULL
-        test               $arg1,$arg1
-        jz                 .Labort_setiv
-
-        # ;; Check gcm128ctx != NULL
-        test               $arg2,$arg2
-        jz                 .Labort_setiv
-
-        # ;; Check iv != NULL
-        test               $arg3,$arg3
-        jz                 .Labort_setiv
-
-        # ;; Check ivlen != 0
-        test               $arg4,$arg4
-        jz                 .Labort_setiv
-___
-}
-
-# ; NOTE: code before PROLOG() must not modify any registers
-&PROLOG(
-  1,    # allocate stack space for hkeys
-  0,    # do not allocate stack space for AES blocks
-  "setiv");
-&GCM_INIT_IV(
-  "$arg1",  "$arg2",  "$arg3",  "$arg4",  "%r10",   "%r11",  "%r12",  "%k1",   "%xmm2",  "%zmm1",
-  "%zmm11", "%zmm3",  "%zmm4",  "%zmm5",  "%zmm6",  "%zmm7", "%zmm8", "%zmm9", "%zmm10", "%zmm12",
-  "%zmm13", "%zmm15", "%zmm16", "%zmm17", "%zmm18", "%zmm19");
-&EPILOG(
-  1,    # hkeys were allocated
-  $arg4);
-$code .= <<___;
-.Labort_setiv:
-ret
-.Lsetiv_seh_end:
-.cfi_endproc
-.size ossl_aes_gcm_setiv_avx512, .-ossl_aes_gcm_setiv_avx512
-___
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;void ossl_aes_gcm_update_aad_avx512
-# ;     (unsigned char *gcm128ctx,
-# ;      const unsigned char *aad,
-# ;      size_t aadlen)
-# ;
-# ; Updates AAD hash in gcm128_context structure.
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-$code .= <<___;
-.globl ossl_aes_gcm_update_aad_avx512
-.type ossl_aes_gcm_update_aad_avx512,\@abi-omnipotent
-.align 32
-ossl_aes_gcm_update_aad_avx512:
-.cfi_startproc
-.Lghash_seh_begin:
-        endbranch
-___
-if ($CHECK_FUNCTION_ARGUMENTS) {
-  $code .= <<___;
-        # ;; Check gcm128ctx != NULL
-        test               $arg1,$arg1
-        jz                 .Lexit_update_aad
-
-        # ;; Check aad != NULL
-        test               $arg2,$arg2
-        jz                 .Lexit_update_aad
-
-        # ;; Check aadlen != 0
-        test               $arg3,$arg3
-        jz                 .Lexit_update_aad
-___
-}
-
-# ; NOTE: code before PROLOG() must not modify any registers
-&PROLOG(
-  1,    # allocate stack space for hkeys,
-  0,    # do not allocate stack space for AES blocks
-  "ghash");
-&GCM_UPDATE_AAD(
-  "$arg1",  "$arg2",  "$arg3",  "%r10",   "%r11",  "%r12",  "%k1",   "%xmm14", "%zmm1",  "%zmm11",
-  "%zmm3",  "%zmm4",  "%zmm5",  "%zmm6",  "%zmm7", "%zmm8", "%zmm9", "%zmm10", "%zmm12", "%zmm13",
-  "%zmm15", "%zmm16", "%zmm17", "%zmm18", "%zmm19");
-&EPILOG(
-  1,    # hkeys were allocated
-  $arg3);
-$code .= <<___;
-.Lexit_update_aad:
-ret
-.Lghash_seh_end:
-.cfi_endproc
-.size ossl_aes_gcm_update_aad_avx512, .-ossl_aes_gcm_update_aad_avx512
-___
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;void   ossl_aes_gcm_encrypt_avx512
-# ;       (const void* aes_keys,
-# ;        void *gcm128ctx,
-# ;        unsigned int *pblocklen,
-# ;        const unsigned char *in,
-# ;        size_t len,
-# ;        unsigned char *out);
-# ;
-# ; Performs encryption of data |in| of len |len|, and stores the output in |out|.
-# ; Stores encrypted partial block (if any) in gcm128ctx and its length in |pblocklen|.
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-$code .= <<___;
-.globl ossl_aes_gcm_encrypt_avx512
-.type ossl_aes_gcm_encrypt_avx512,\@abi-omnipotent
-.align 32
-ossl_aes_gcm_encrypt_avx512:
-.cfi_startproc
-.Lencrypt_seh_begin:
-        endbranch
-___
-
-# ; NOTE: code before PROLOG() must not modify any registers
-&PROLOG(
-  1,    # allocate stack space for hkeys
-  1,    # allocate stack space for AES blocks
-  "encrypt");
-if ($CHECK_FUNCTION_ARGUMENTS) {
-  $code .= <<___;
-        # ;; Check aes_keys != NULL
-        test               $arg1,$arg1
-        jz                 .Lexit_gcm_encrypt
-
-        # ;; Check gcm128ctx != NULL
-        test               $arg2,$arg2
-        jz                 .Lexit_gcm_encrypt
-
-        # ;; Check pblocklen != NULL
-        test               $arg3,$arg3
-        jz                 .Lexit_gcm_encrypt
-
-        # ;; Check in != NULL
-        test               $arg4,$arg4
-        jz                 .Lexit_gcm_encrypt
-
-        # ;; Check if len != 0
-        cmp                \$0,$arg5
-        jz                 .Lexit_gcm_encrypt
-
-        # ;; Check out != NULL
-        cmp                \$0,$arg6
-        jz                 .Lexit_gcm_encrypt
-___
-}
-$code .= <<___;
-        # ; load number of rounds from AES_KEY structure (offset in bytes is
-        # ; size of the |rd_key| buffer)
-        mov             `4*15*4`($arg1),%eax
-        cmp             \$9,%eax
-        je              .Laes_gcm_encrypt_128_avx512
-        cmp             \$11,%eax
-        je              .Laes_gcm_encrypt_192_avx512
-        cmp             \$13,%eax
-        je              .Laes_gcm_encrypt_256_avx512
-        xor             %eax,%eax
-        jmp             .Lexit_gcm_encrypt
-___
-for my $keylen (sort keys %aes_rounds) {
-  $NROUNDS = $aes_rounds{$keylen};
-  $code .= <<___;
-.align 32
-.Laes_gcm_encrypt_${keylen}_avx512:
-___
-  &GCM_ENC_DEC("$arg1", "$arg2", "$arg3", "$arg4", "$arg5", "$arg6", "ENC");
-  $code .= "jmp .Lexit_gcm_encrypt\n";
-}
-$code .= ".Lexit_gcm_encrypt:\n";
-&EPILOG(1, $arg5);
-$code .= <<___;
-ret
-.Lencrypt_seh_end:
-.cfi_endproc
-.size ossl_aes_gcm_encrypt_avx512, .-ossl_aes_gcm_encrypt_avx512
-___
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;void   ossl_aes_gcm_decrypt_avx512
-# ;       (const void* keys,
-# ;        void *gcm128ctx,
-# ;        unsigned int *pblocklen,
-# ;        const unsigned char *in,
-# ;        size_t len,
-# ;        unsigned char *out);
-# ;
-# ; Performs decryption of data |in| of len |len|, and stores the output in |out|.
-# ; Stores decrypted partial block (if any) in gcm128ctx and its length in |pblocklen|.
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-$code .= <<___;
-.globl ossl_aes_gcm_decrypt_avx512
-.type ossl_aes_gcm_decrypt_avx512,\@abi-omnipotent
-.align 32
-ossl_aes_gcm_decrypt_avx512:
-.cfi_startproc
-.Ldecrypt_seh_begin:
-        endbranch
-___
-
-# ; NOTE: code before PROLOG() must not modify any registers
-&PROLOG(
-  1,    # allocate stack space for hkeys
-  1,    # allocate stack space for AES blocks
-  "decrypt");
-if ($CHECK_FUNCTION_ARGUMENTS) {
-  $code .= <<___;
-        # ;; Check keys != NULL
-        test               $arg1,$arg1
-        jz                 .Lexit_gcm_decrypt
-
-        # ;; Check gcm128ctx != NULL
-        test               $arg2,$arg2
-        jz                 .Lexit_gcm_decrypt
-
-        # ;; Check pblocklen != NULL
-        test               $arg3,$arg3
-        jz                 .Lexit_gcm_decrypt
-
-        # ;; Check in != NULL
-        test               $arg4,$arg4
-        jz                 .Lexit_gcm_decrypt
-
-        # ;; Check if len != 0
-        cmp                \$0,$arg5
-        jz                 .Lexit_gcm_decrypt
-
-        # ;; Check out != NULL
-        cmp                \$0,$arg6
-        jz                 .Lexit_gcm_decrypt
-___
-}
-$code .= <<___;
-        # ; load number of rounds from AES_KEY structure (offset in bytes is
-        # ; size of the |rd_key| buffer)
-        mov             `4*15*4`($arg1),%eax
-        cmp             \$9,%eax
-        je              .Laes_gcm_decrypt_128_avx512
-        cmp             \$11,%eax
-        je              .Laes_gcm_decrypt_192_avx512
-        cmp             \$13,%eax
-        je              .Laes_gcm_decrypt_256_avx512
-        xor             %eax,%eax
-        jmp             .Lexit_gcm_decrypt
-___
-for my $keylen (sort keys %aes_rounds) {
-  $NROUNDS = $aes_rounds{$keylen};
-  $code .= <<___;
-.align 32
-.Laes_gcm_decrypt_${keylen}_avx512:
-___
-  &GCM_ENC_DEC("$arg1", "$arg2", "$arg3", "$arg4", "$arg5", "$arg6", "DEC");
-  $code .= "jmp .Lexit_gcm_decrypt\n";
-}
-$code .= ".Lexit_gcm_decrypt:\n";
-&EPILOG(1, $arg5);
-$code .= <<___;
-ret
-.Ldecrypt_seh_end:
-.cfi_endproc
-.size ossl_aes_gcm_decrypt_avx512, .-ossl_aes_gcm_decrypt_avx512
-___
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;void   ossl_aes_gcm_finalize_vaes_avx512
-# ;       (void *gcm128ctx,
-# ;       unsigned int pblocklen);
-# ;
-# ; Finalizes encryption / decryption
-# ; Leaf function (does not allocate stack space, does not use non-volatile registers).
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-$code .= <<___;
-.globl ossl_aes_gcm_finalize_avx512
-.type ossl_aes_gcm_finalize_avx512,\@abi-omnipotent
-.align 32
-ossl_aes_gcm_finalize_avx512:
-.cfi_startproc
-        endbranch
-___
-if ($CHECK_FUNCTION_ARGUMENTS) {
-  $code .= <<___;
-        # ;; Check gcm128ctx != NULL
-        test               $arg1,$arg1
-        jz                 .Labort_finalize
-___
-}
-
-&GCM_COMPLETE("$arg1", "$arg2");
-
-$code .= <<___;
-.Labort_finalize:
-ret
-.cfi_endproc
-.size ossl_aes_gcm_finalize_avx512, .-ossl_aes_gcm_finalize_avx512
-___
-
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-# ;void ossl_gcm_gmult_avx512(u64 Xi[2],
-# ;                           const void* gcm128ctx)
-# ;
-# ; Leaf function (does not allocate stack space, does not use non-volatile registers).
-# ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
-$code .= <<___;
-.globl ossl_gcm_gmult_avx512
-.hidden ossl_gcm_gmult_avx512
-.type ossl_gcm_gmult_avx512,\@abi-omnipotent
-.align 32
-ossl_gcm_gmult_avx512:
-.cfi_startproc
-        endbranch
-___
-if ($CHECK_FUNCTION_ARGUMENTS) {
-  $code .= <<___;
-        # ;; Check Xi != NULL
-        test               $arg1,$arg1
-        jz                 .Labort_gmult
-
-        # ;; Check gcm128ctx != NULL
-        test               $arg2,$arg2
-        jz                 .Labort_gmult
-___
-}
-$code .= "vmovdqu64         ($arg1),%xmm1\n";
-$code .= "vmovdqu64         @{[HashKeyByIdx(1,$arg2)]},%xmm2\n";
-
-&GHASH_MUL("%xmm1", "%xmm2", "%xmm3", "%xmm4", "%xmm5");
-
-$code .= "vmovdqu64         %xmm1,($arg1)\n";
-if ($CLEAR_SCRATCH_REGISTERS) {
-  &clear_scratch_gps_asm();
-  &clear_scratch_zmms_asm();
-} else {
-  $code .= "vzeroupper\n";
-}
-$code .= <<___;
-.Labort_gmult:
-ret
-.cfi_endproc
-.size ossl_gcm_gmult_avx512, .-ossl_gcm_gmult_avx512
-___
-
-if ($win64) {
-
-  # Add unwind metadata for SEH.
-
-  # See https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=msvc-160
-  my $UWOP_PUSH_NONVOL = 0;
-  my $UWOP_ALLOC_LARGE = 1;
-  my $UWOP_SET_FPREG   = 3;
-  my $UWOP_SAVE_XMM128 = 8;
-  my %UWOP_REG_NUMBER  = (
-    rax => 0,
-    rcx => 1,
-    rdx => 2,
-    rbx => 3,
-    rsp => 4,
-    rbp => 5,
-    rsi => 6,
-    rdi => 7,
-    map(("r$_" => $_), (8 .. 15)));
-
-  $code .= <<___;
-.section    .pdata
-.align  4
-    .rva    .Lsetiv_seh_begin
-    .rva    .Lsetiv_seh_end
-    .rva    .Lsetiv_seh_info
-
-    .rva    .Lghash_seh_begin
-    .rva    .Lghash_seh_end
-    .rva    .Lghash_seh_info
-
-    .rva    .Lencrypt_seh_begin
-    .rva    .Lencrypt_seh_end
-    .rva    .Lencrypt_seh_info
-
-    .rva    .Ldecrypt_seh_begin
-    .rva    .Ldecrypt_seh_end
-    .rva    .Ldecrypt_seh_info
-
-.section    .xdata
-___
-
-  foreach my $func_name ("setiv", "ghash", "encrypt", "decrypt") {
-    $code .= <<___;
-.align  8
-.L${func_name}_seh_info:
-    .byte   1   # version 1, no flags
-    .byte   .L${func_name}_seh_prolog_end-.L${func_name}_seh_begin
-    .byte   31 # num_slots = 1*8 + 2 + 1 + 2*10
-    # FR = rbp; Offset from RSP = $XMM_STORAGE scaled on 16
-    .byte   @{[$UWOP_REG_NUMBER{rbp} | (($XMM_STORAGE / 16 ) << 4)]}
-___
-
-    # Metadata for %xmm15-%xmm6
-    # Occupy 2 slots each
-    for (my $reg_idx = 15; $reg_idx >= 6; $reg_idx--) {
-
-      # Scaled-by-16 stack offset
-      my $xmm_reg_offset = ($reg_idx - 6);
-      $code .= <<___;
-    .byte   .L${func_name}_seh_save_xmm${reg_idx}-.L${func_name}_seh_begin
-    .byte   @{[$UWOP_SAVE_XMM128 | (${reg_idx} << 4)]}
-    .value  $xmm_reg_offset
-___
-    }
-
-    $code .= <<___;
-    # Frame pointer (occupy 1 slot)
-    .byte   .L${func_name}_seh_setfp-.L${func_name}_seh_begin
-    .byte   $UWOP_SET_FPREG
-
-    # Occupy 2 slots, as stack allocation < 512K, but > 128 bytes
-    .byte   .L${func_name}_seh_allocstack_xmm-.L${func_name}_seh_begin
-    .byte   $UWOP_ALLOC_LARGE
-    .value  `($XMM_STORAGE + 8) / 8`
-___
-
-    # Metadata for GPR regs
-    # Occupy 1 slot each
-    foreach my $reg ("rsi", "rdi", "r15", "r14", "r13", "r12", "rbp", "rbx") {
-      $code .= <<___;
-    .byte   .L${func_name}_seh_push_${reg}-.L${func_name}_seh_begin
-    .byte   @{[$UWOP_PUSH_NONVOL | ($UWOP_REG_NUMBER{$reg} << 4)]}
-___
-    }
-  }
-}
-
-$code .= <<___;
-.data
-.align 16
-POLY:   .quad     0x0000000000000001, 0xC200000000000000
-
-.align 64
-POLY2:
-        .quad     0x00000001C2000000, 0xC200000000000000
-        .quad     0x00000001C2000000, 0xC200000000000000
-        .quad     0x00000001C2000000, 0xC200000000000000
-        .quad     0x00000001C2000000, 0xC200000000000000
-
-.align 16
-TWOONE: .quad     0x0000000000000001, 0x0000000100000000
-
-# ;;; Order of these constants should not change.
-# ;;; More specifically, ALL_F should follow SHIFT_MASK, and ZERO should follow ALL_F
-.align 64
-SHUF_MASK:
-        .quad     0x08090A0B0C0D0E0F, 0x0001020304050607
-        .quad     0x08090A0B0C0D0E0F, 0x0001020304050607
-        .quad     0x08090A0B0C0D0E0F, 0x0001020304050607
-        .quad     0x08090A0B0C0D0E0F, 0x0001020304050607
-
-.align 16
-SHIFT_MASK:
-        .quad     0x0706050403020100, 0x0f0e0d0c0b0a0908
-
-ALL_F:
-        .quad     0xffffffffffffffff, 0xffffffffffffffff
-
-ZERO:
-        .quad     0x0000000000000000, 0x0000000000000000
-
-.align 16
-ONE:
-        .quad     0x0000000000000001, 0x0000000000000000
-
-.align 16
-ONEf:
-        .quad     0x0000000000000000, 0x0100000000000000
-
-.align 64
-ddq_add_1234:
-        .quad  0x0000000000000001, 0x0000000000000000
-        .quad  0x0000000000000002, 0x0000000000000000
-        .quad  0x0000000000000003, 0x0000000000000000
-        .quad  0x0000000000000004, 0x0000000000000000
-
-.align 64
-ddq_add_5678:
-        .quad  0x0000000000000005, 0x0000000000000000
-        .quad  0x0000000000000006, 0x0000000000000000
-        .quad  0x0000000000000007, 0x0000000000000000
-        .quad  0x0000000000000008, 0x0000000000000000
-
-.align 64
-ddq_add_4444:
-        .quad  0x0000000000000004, 0x0000000000000000
-        .quad  0x0000000000000004, 0x0000000000000000
-        .quad  0x0000000000000004, 0x0000000000000000
-        .quad  0x0000000000000004, 0x0000000000000000
-
-.align 64
-ddq_add_8888:
-        .quad  0x0000000000000008, 0x0000000000000000
-        .quad  0x0000000000000008, 0x0000000000000000
-        .quad  0x0000000000000008, 0x0000000000000000
-        .quad  0x0000000000000008, 0x0000000000000000
-
-.align 64
-ddq_addbe_1234:
-        .quad  0x0000000000000000, 0x0100000000000000
-        .quad  0x0000000000000000, 0x0200000000000000
-        .quad  0x0000000000000000, 0x0300000000000000
-        .quad  0x0000000000000000, 0x0400000000000000
-
-.align 64
-ddq_addbe_4444:
-        .quad  0x0000000000000000, 0x0400000000000000
-        .quad  0x0000000000000000, 0x0400000000000000
-        .quad  0x0000000000000000, 0x0400000000000000
-        .quad  0x0000000000000000, 0x0400000000000000
-
-.align 64
-byte_len_to_mask_table:
-        .value      0x0000, 0x0001, 0x0003, 0x0007
-        .value      0x000f, 0x001f, 0x003f, 0x007f
-        .value      0x00ff, 0x01ff, 0x03ff, 0x07ff
-        .value      0x0fff, 0x1fff, 0x3fff, 0x7fff
-        .value      0xffff
-
-.align 64
-byte64_len_to_mask_table:
-        .quad      0x0000000000000000, 0x0000000000000001
-        .quad      0x0000000000000003, 0x0000000000000007
-        .quad      0x000000000000000f, 0x000000000000001f
-        .quad      0x000000000000003f, 0x000000000000007f
-        .quad      0x00000000000000ff, 0x00000000000001ff
-        .quad      0x00000000000003ff, 0x00000000000007ff
-        .quad      0x0000000000000fff, 0x0000000000001fff
-        .quad      0x0000000000003fff, 0x0000000000007fff
-        .quad      0x000000000000ffff, 0x000000000001ffff
-        .quad      0x000000000003ffff, 0x000000000007ffff
-        .quad      0x00000000000fffff, 0x00000000001fffff
-        .quad      0x00000000003fffff, 0x00000000007fffff
-        .quad      0x0000000000ffffff, 0x0000000001ffffff
-        .quad      0x0000000003ffffff, 0x0000000007ffffff
-        .quad      0x000000000fffffff, 0x000000001fffffff
-        .quad      0x000000003fffffff, 0x000000007fffffff
-        .quad      0x00000000ffffffff, 0x00000001ffffffff
-        .quad      0x00000003ffffffff, 0x00000007ffffffff
-        .quad      0x0000000fffffffff, 0x0000001fffffffff
-        .quad      0x0000003fffffffff, 0x0000007fffffffff
-        .quad      0x000000ffffffffff, 0x000001ffffffffff
-        .quad      0x000003ffffffffff, 0x000007ffffffffff
-        .quad      0x00000fffffffffff, 0x00001fffffffffff
-        .quad      0x00003fffffffffff, 0x00007fffffffffff
-        .quad      0x0000ffffffffffff, 0x0001ffffffffffff
-        .quad      0x0003ffffffffffff, 0x0007ffffffffffff
-        .quad      0x000fffffffffffff, 0x001fffffffffffff
-        .quad      0x003fffffffffffff, 0x007fffffffffffff
-        .quad      0x00ffffffffffffff, 0x01ffffffffffffff
-        .quad      0x03ffffffffffffff, 0x07ffffffffffffff
-        .quad      0x0fffffffffffffff, 0x1fffffffffffffff
-        .quad      0x3fffffffffffffff, 0x7fffffffffffffff
-        .quad      0xffffffffffffffff
-___
-
-} else {
-# Fallback for old assembler
-$code .= <<___;
-.text
-.globl  ossl_vaes_vpclmulqdq_capable
-.type   ossl_vaes_vpclmulqdq_capable,\@abi-omnipotent
-ossl_vaes_vpclmulqdq_capable:
-    xor     %eax,%eax
-    ret
-.size   ossl_vaes_vpclmulqdq_capable, .-ossl_vaes_vpclmulqdq_capable
-
-.globl ossl_aes_gcm_init_avx512
-.globl ossl_aes_gcm_setiv_avx512
-.globl ossl_aes_gcm_update_aad_avx512
-.globl ossl_aes_gcm_encrypt_avx512
-.globl ossl_aes_gcm_decrypt_avx512
-.globl ossl_aes_gcm_finalize_avx512
-.globl ossl_gcm_gmult_avx512
-
-.type ossl_aes_gcm_init_avx512,\@abi-omnipotent
-ossl_aes_gcm_init_avx512:
-ossl_aes_gcm_setiv_avx512:
-ossl_aes_gcm_update_aad_avx512:
-ossl_aes_gcm_encrypt_avx512:
-ossl_aes_gcm_decrypt_avx512:
-ossl_aes_gcm_finalize_avx512:
-ossl_gcm_gmult_avx512:
-    .byte   0x0f,0x0b    # ud2
-    ret
-.size   ossl_aes_gcm_init_avx512, .-ossl_aes_gcm_init_avx512
-___
-}
-
-$code =~ s/\`([^\`]*)\`/eval $1/gem;
-print $code;
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 1438
libs/openssl/crypto/modes/asm/aes-gcm-ppc.pl

@@ -1,1438 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
-# Copyright 2021- IBM Inc. All rights reserved
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-#===================================================================================
-# Written by Danny Tsen <[email protected]> for OpenSSL Project,
-#
-# GHASH is based on the Karatsuba multiplication method.
-#
-#    Xi xor X1
-#
-#    X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H =
-#      (X1.h * H4.h + xX.l * H4.l + X1 * H4) +
-#      (X2.h * H3.h + X2.l * H3.l + X2 * H3) +
-#      (X3.h * H2.h + X3.l * H2.l + X3 * H2) +
-#      (X4.h * H.h + X4.l * H.l + X4 * H)
-#
-# Xi = v0
-# H Poly = v2
-# Hash keys = v3 - v14
-#     ( H.l, H, H.h)
-#     ( H^2.l, H^2, H^2.h)
-#     ( H^3.l, H^3, H^3.h)
-#     ( H^4.l, H^4, H^4.h)
-#
-# v30 is IV
-# v31 - counter 1
-#
-# AES used,
-#     vs0 - vs14 for round keys
-#     v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted)
-#
-# This implementation uses stitched AES-GCM approach to improve overall performance.
-# AES is implemented with 8x blocks and GHASH is using 2 4x blocks.
-#
-# Current large block (16384 bytes) performance per second with 128 bit key --
-#
-#                        Encrypt  Decrypt
-# Power10[le] (3.5GHz)   5.32G    5.26G
-#
-# ===================================================================================
-#
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-if ($flavour =~ /64/) {
-	$SIZE_T=8;
-	$LRSAVE=2*$SIZE_T;
-	$STU="stdu";
-	$POP="ld";
-	$PUSH="std";
-	$UCMP="cmpld";
-	$SHRI="srdi";
-} elsif ($flavour =~ /32/) {
-	$SIZE_T=4;
-	$LRSAVE=$SIZE_T;
-	$STU="stwu";
-	$POP="lwz";
-	$PUSH="stw";
-	$UCMP="cmplw";
-	$SHRI="srwi";
-} else { die "nonsense $flavour"; }
-
-$sp="r1";
-$FRAME=6*$SIZE_T+13*16;	# 13*16 is for v20-v31 offload
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
-die "can't locate ppc-xlate.pl";
-
-open STDOUT,"| $^X $xlate $flavour \"$output\""
-    or die "can't call $xlate: $!";
-
-$code=<<___;
-.machine        "any"
-.text
-
-# 4x loops
-# v15 - v18 - input states
-# vs1 - vs9 - round keys
-#
-.macro Loop_aes_middle4x
-	xxlor	19+32, 1, 1
-	xxlor	20+32, 2, 2
-	xxlor	21+32, 3, 3
-	xxlor	22+32, 4, 4
-
-	vcipher	15, 15, 19
-	vcipher	16, 16, 19
-	vcipher	17, 17, 19
-	vcipher	18, 18, 19
-
-	vcipher	15, 15, 20
-	vcipher	16, 16, 20
-	vcipher	17, 17, 20
-	vcipher	18, 18, 20
-
-	vcipher	15, 15, 21
-	vcipher	16, 16, 21
-	vcipher	17, 17, 21
-	vcipher	18, 18, 21
-
-	vcipher	15, 15, 22
-	vcipher	16, 16, 22
-	vcipher	17, 17, 22
-	vcipher	18, 18, 22
-
-	xxlor	19+32, 5, 5
-	xxlor	20+32, 6, 6
-	xxlor	21+32, 7, 7
-	xxlor	22+32, 8, 8
-
-	vcipher	15, 15, 19
-	vcipher	16, 16, 19
-	vcipher	17, 17, 19
-	vcipher	18, 18, 19
-
-	vcipher	15, 15, 20
-	vcipher	16, 16, 20
-	vcipher	17, 17, 20
-	vcipher	18, 18, 20
-
-	vcipher	15, 15, 21
-	vcipher	16, 16, 21
-	vcipher	17, 17, 21
-	vcipher	18, 18, 21
-
-	vcipher	15, 15, 22
-	vcipher	16, 16, 22
-	vcipher	17, 17, 22
-	vcipher	18, 18, 22
-
-	xxlor	23+32, 9, 9
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-.endm
-
-# 8x loops
-# v15 - v22 - input states
-# vs1 - vs9 - round keys
-#
-.macro Loop_aes_middle8x
-	xxlor	23+32, 1, 1
-	xxlor	24+32, 2, 2
-	xxlor	25+32, 3, 3
-	xxlor	26+32, 4, 4
-
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-	vcipher	19, 19, 23
-	vcipher	20, 20, 23
-	vcipher	21, 21, 23
-	vcipher	22, 22, 23
-
-	vcipher	15, 15, 24
-	vcipher	16, 16, 24
-	vcipher	17, 17, 24
-	vcipher	18, 18, 24
-	vcipher	19, 19, 24
-	vcipher	20, 20, 24
-	vcipher	21, 21, 24
-	vcipher	22, 22, 24
-
-	vcipher	15, 15, 25
-	vcipher	16, 16, 25
-	vcipher	17, 17, 25
-	vcipher	18, 18, 25
-	vcipher	19, 19, 25
-	vcipher	20, 20, 25
-	vcipher	21, 21, 25
-	vcipher	22, 22, 25
-
-	vcipher	15, 15, 26
-	vcipher	16, 16, 26
-	vcipher	17, 17, 26
-	vcipher	18, 18, 26
-	vcipher	19, 19, 26
-	vcipher	20, 20, 26
-	vcipher	21, 21, 26
-	vcipher	22, 22, 26
-
-	xxlor	23+32, 5, 5
-	xxlor	24+32, 6, 6
-	xxlor	25+32, 7, 7
-	xxlor	26+32, 8, 8
-
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-	vcipher	19, 19, 23
-	vcipher	20, 20, 23
-	vcipher	21, 21, 23
-	vcipher	22, 22, 23
-
-	vcipher	15, 15, 24
-	vcipher	16, 16, 24
-	vcipher	17, 17, 24
-	vcipher	18, 18, 24
-	vcipher	19, 19, 24
-	vcipher	20, 20, 24
-	vcipher	21, 21, 24
-	vcipher	22, 22, 24
-
-	vcipher	15, 15, 25
-	vcipher	16, 16, 25
-	vcipher	17, 17, 25
-	vcipher	18, 18, 25
-	vcipher	19, 19, 25
-	vcipher	20, 20, 25
-	vcipher	21, 21, 25
-	vcipher	22, 22, 25
-
-	vcipher	15, 15, 26
-	vcipher	16, 16, 26
-	vcipher	17, 17, 26
-	vcipher	18, 18, 26
-	vcipher	19, 19, 26
-	vcipher	20, 20, 26
-	vcipher	21, 21, 26
-	vcipher	22, 22, 26
-
-	xxlor	23+32, 9, 9
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-	vcipher	19, 19, 23
-	vcipher	20, 20, 23
-	vcipher	21, 21, 23
-	vcipher	22, 22, 23
-.endm
-
-#
-# Compute 4x hash values based on Karatsuba method.
-#
-ppc_aes_gcm_ghash:
-	vxor		15, 15, 0
-
-	xxlxor		29, 29, 29
-
-	vpmsumd		23, 12, 15		# H4.L * X.L
-	vpmsumd		24, 9, 16
-	vpmsumd		25, 6, 17
-	vpmsumd		26, 3, 18
-
-	vxor		23, 23, 24
-	vxor		23, 23, 25
-	vxor		23, 23, 26		# L
-
-	vpmsumd		24, 13, 15		# H4.L * X.H + H4.H * X.L
-	vpmsumd		25, 10, 16		# H3.L * X1.H + H3.H * X1.L
-	vpmsumd		26, 7, 17
-	vpmsumd		27, 4, 18
-
-	vxor		24, 24, 25
-	vxor		24, 24, 26
-	vxor		24, 24, 27		# M
-
-	# sum hash and reduction with H Poly
-	vpmsumd		28, 23, 2		# reduction
-
-	xxlor		29+32, 29, 29
-	vsldoi		26, 24, 29, 8		# mL
-	vsldoi		29, 29, 24, 8		# mH
-	vxor		23, 23, 26		# mL + L
-
-	vsldoi		23, 23, 23, 8		# swap
-	vxor		23, 23, 28
-
-	vpmsumd		24, 14, 15		# H4.H * X.H
-	vpmsumd		25, 11, 16
-	vpmsumd		26, 8, 17
-	vpmsumd		27, 5, 18
-
-	vxor		24, 24, 25
-	vxor		24, 24, 26
-	vxor		24, 24, 27
-
-	vxor		24, 24, 29
-
-	# sum hash and reduction with H Poly
-	vsldoi		27, 23, 23, 8		# swap
-	vpmsumd		23, 23, 2
-	vxor		27, 27, 24
-	vxor		23, 23, 27
-
-	xxlor		32, 23+32, 23+32		# update hash
-
-	blr
-
-#
-# Combine two 4x ghash
-# v15 - v22 - input blocks
-#
-.macro ppc_aes_gcm_ghash2_4x
-	# first 4x hash
-	vxor		15, 15, 0		# Xi + X
-
-	xxlxor		29, 29, 29
-
-	vpmsumd		23, 12, 15		# H4.L * X.L
-	vpmsumd		24, 9, 16
-	vpmsumd		25, 6, 17
-	vpmsumd		26, 3, 18
-
-	vxor		23, 23, 24
-	vxor		23, 23, 25
-	vxor		23, 23, 26		# L
-
-	vpmsumd		24, 13, 15		# H4.L * X.H + H4.H * X.L
-	vpmsumd		25, 10, 16		# H3.L * X1.H + H3.H * X1.L
-	vpmsumd		26, 7, 17
-	vpmsumd		27, 4, 18
-
-	vxor		24, 24, 25
-	vxor		24, 24, 26
-
-	# sum hash and reduction with H Poly
-	vpmsumd		28, 23, 2		# reduction
-
-	xxlor		29+32, 29, 29
-
-	vxor		24, 24, 27		# M
-	vsldoi		26, 24, 29, 8		# mL
-	vsldoi		29, 29, 24, 8		# mH
-	vxor		23, 23, 26		# mL + L
-
-	vsldoi		23, 23, 23, 8		# swap
-	vxor		23, 23, 28
-
-	vpmsumd		24, 14, 15		# H4.H * X.H
-	vpmsumd		25, 11, 16
-	vpmsumd		26, 8, 17
-	vpmsumd		27, 5, 18
-
-	vxor		24, 24, 25
-	vxor		24, 24, 26
-	vxor		24, 24, 27		# H
-
-	vxor		24, 24, 29		# H + mH
-
-	# sum hash and reduction with H Poly
-	vsldoi		27, 23, 23, 8		# swap
-	vpmsumd		23, 23, 2
-	vxor		27, 27, 24
-	vxor		27, 23, 27		# 1st Xi
-
-	# 2nd 4x hash
-	vpmsumd		24, 9, 20
-	vpmsumd		25, 6, 21
-	vpmsumd		26, 3, 22
-	vxor		19, 19, 27		# Xi + X
-	vpmsumd		23, 12, 19		# H4.L * X.L
-
-	vxor		23, 23, 24
-	vxor		23, 23, 25
-	vxor		23, 23, 26		# L
-
-	vpmsumd		24, 13, 19		# H4.L * X.H + H4.H * X.L
-	vpmsumd		25, 10, 20		# H3.L * X1.H + H3.H * X1.L
-	vpmsumd		26, 7, 21
-	vpmsumd		27, 4, 22
-
-	vxor		24, 24, 25
-	vxor		24, 24, 26
-
-	# sum hash and reduction with H Poly
-	vpmsumd		28, 23, 2		# reduction
-
-	xxlor		29+32, 29, 29
-
-	vxor		24, 24, 27		# M
-	vsldoi		26, 24, 29, 8		# mL
-	vsldoi		29, 29, 24, 8		# mH
-	vxor		23, 23, 26		# mL + L
-
-	vsldoi		23, 23, 23, 8		# swap
-	vxor		23, 23, 28
-
-	vpmsumd		24, 14, 19		# H4.H * X.H
-	vpmsumd		25, 11, 20
-	vpmsumd		26, 8, 21
-	vpmsumd		27, 5, 22
-
-	vxor		24, 24, 25
-	vxor		24, 24, 26
-	vxor		24, 24, 27		# H
-
-	vxor		24, 24, 29		# H + mH
-
-	# sum hash and reduction with H Poly
-	vsldoi		27, 23, 23, 8		# swap
-	vpmsumd		23, 23, 2
-	vxor		27, 27, 24
-	vxor		23, 23, 27
-
-	xxlor		32, 23+32, 23+32		# update hash
-
-.endm
-
-#
-# Compute update single hash
-#
-.macro ppc_update_hash_1x
-	vxor		28, 28, 0
-
-	vxor		19, 19, 19
-
-	vpmsumd		22, 3, 28		# L
-	vpmsumd		23, 4, 28		# M
-	vpmsumd		24, 5, 28		# H
-
-	vpmsumd		27, 22, 2		# reduction
-
-	vsldoi		25, 23, 19, 8		# mL
-	vsldoi		26, 19, 23, 8		# mH
-	vxor		22, 22, 25		# LL + LL
-	vxor		24, 24, 26		# HH + HH
-
-	vsldoi		22, 22, 22, 8		# swap
-	vxor		22, 22, 27
-
-	vsldoi		20, 22, 22, 8		# swap
-	vpmsumd		22, 22, 2		# reduction
-	vxor		20, 20, 24
-	vxor		22, 22, 20
-
-	vmr		0, 22			# update hash
-
-.endm
-
-#
-# ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len,
-#               const AES_KEY *key, unsigned char iv[16],
-#               void *Xip);
-#
-#    r3 - inp
-#    r4 - out
-#    r5 - len
-#    r6 - AES round keys
-#    r7 - iv
-#    r8 - Xi, HPoli, hash keys
-#
-.global ppc_aes_gcm_encrypt
-.align 5
-ppc_aes_gcm_encrypt:
-_ppc_aes_gcm_encrypt:
-
-	stdu 1,-512(1)
-	mflr 0
-
-	std	14,112(1)
-	std	15,120(1)
-	std	16,128(1)
-	std	17,136(1)
-	std	18,144(1)
-	std	19,152(1)
-	std	20,160(1)
-	std	21,168(1)
-	li	9, 256
-	stvx	20, 9, 1
-	addi	9, 9, 16
-	stvx	21, 9, 1
-	addi	9, 9, 16
-	stvx	22, 9, 1
-	addi	9, 9, 16
-	stvx	23, 9, 1
-	addi	9, 9, 16
-	stvx	24, 9, 1
-	addi	9, 9, 16
-	stvx	25, 9, 1
-	addi	9, 9, 16
-	stvx	26, 9, 1
-	addi	9, 9, 16
-	stvx	27, 9, 1
-	addi	9, 9, 16
-	stvx	28, 9, 1
-	addi	9, 9, 16
-	stvx	29, 9, 1
-	addi	9, 9, 16
-	stvx	30, 9, 1
-	addi	9, 9, 16
-	stvx	31, 9, 1
-	std	0, 528(1)
-
-	# Load Xi
-	lxvb16x	32, 0, 8	# load Xi
-
-	# load Hash - h^4, h^3, h^2, h
-	li	10, 32
-	lxvd2x	2+32, 10, 8	# H Poli
-	li	10, 48
-	lxvd2x	3+32, 10, 8	# Hl
-	li	10, 64
-	lxvd2x	4+32, 10, 8	# H
-	li	10, 80
-	lxvd2x	5+32, 10, 8	# Hh
-
-	li	10, 96
-	lxvd2x	6+32, 10, 8	# H^2l
-	li	10, 112
-	lxvd2x	7+32, 10, 8	# H^2
-	li	10, 128
-	lxvd2x	8+32, 10, 8	# H^2h
-
-	li	10, 144
-	lxvd2x	9+32, 10, 8	# H^3l
-	li	10, 160
-	lxvd2x	10+32, 10, 8	# H^3
-	li	10, 176
-	lxvd2x	11+32, 10, 8	# H^3h
-
-	li	10, 192
-	lxvd2x	12+32, 10, 8	# H^4l
-	li	10, 208
-	lxvd2x	13+32, 10, 8	# H^4
-	li	10, 224
-	lxvd2x	14+32, 10, 8	# H^4h
-
-	# initialize ICB: GHASH( IV ), IV - r7
-	lxvb16x	30+32, 0, 7	# load IV  - v30
-
-	mr	12, 5		# length
-	li	11, 0		# block index
-
-	# counter 1
-	vxor	31, 31, 31
-	vspltisb 22, 1
-	vsldoi	31, 31, 22,1	# counter 1
-
-	# load round key to VSR
-	lxv	0, 0(6)
-	lxv	1, 0x10(6)
-	lxv	2, 0x20(6)
-	lxv	3, 0x30(6)
-	lxv	4, 0x40(6)
-	lxv	5, 0x50(6)
-	lxv	6, 0x60(6)
-	lxv	7, 0x70(6)
-	lxv	8, 0x80(6)
-	lxv	9, 0x90(6)
-	lxv	10, 0xa0(6)
-
-	# load rounds - 10 (128), 12 (192), 14 (256)
-	lwz	9,240(6)
-
-	#
-	# vxor	state, state, w # addroundkey
-	xxlor	32+29, 0, 0
-	vxor	15, 30, 29	# IV + round key - add round key 0
-
-	cmpdi	9, 10
-	beq	Loop_aes_gcm_8x
-
-	# load 2 more round keys (v11, v12)
-	lxv	11, 0xb0(6)
-	lxv	12, 0xc0(6)
-
-	cmpdi	9, 12
-	beq	Loop_aes_gcm_8x
-
-	# load 2 more round keys (v11, v12, v13, v14)
-	lxv	13, 0xd0(6)
-	lxv	14, 0xe0(6)
-	cmpdi	9, 14
-	beq	Loop_aes_gcm_8x
-
-	b	aes_gcm_out
-
-.align 5
-Loop_aes_gcm_8x:
-	mr	14, 3
-	mr	9, 4
-
-	# n blocks
-	li	10, 128
-	divdu	10, 5, 10	# n 128 bytes-blocks
-	cmpdi	10, 0
-	beq	Loop_last_block
-
-	vaddudm	30, 30, 31	# IV + counter
-	vxor	16, 30, 29
-	vaddudm	30, 30, 31
-	vxor	17, 30, 29
-	vaddudm	30, 30, 31
-	vxor	18, 30, 29
-	vaddudm	30, 30, 31
-	vxor	19, 30, 29
-	vaddudm	30, 30, 31
-	vxor	20, 30, 29
-	vaddudm	30, 30, 31
-	vxor	21, 30, 29
-	vaddudm	30, 30, 31
-	vxor	22, 30, 29
-
-	mtctr	10
-
-	li	15, 16
-	li	16, 32
-	li	17, 48
-	li	18, 64
-	li	19, 80
-	li	20, 96
-	li	21, 112
-
-	lwz	10, 240(6)
-
-Loop_8x_block:
-
-	lxvb16x		15, 0, 14	# load block
-	lxvb16x		16, 15, 14	# load block
-	lxvb16x		17, 16, 14	# load block
-	lxvb16x		18, 17, 14	# load block
-	lxvb16x		19, 18, 14	# load block
-	lxvb16x		20, 19, 14	# load block
-	lxvb16x		21, 20, 14	# load block
-	lxvb16x		22, 21, 14	# load block
-	addi		14, 14, 128
-
-	Loop_aes_middle8x
-
-	xxlor	23+32, 10, 10
-
-	cmpdi	10, 10
-	beq	Do_next_ghash
-
-	# 192 bits
-	xxlor	24+32, 11, 11
-
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-	vcipher	19, 19, 23
-	vcipher	20, 20, 23
-	vcipher	21, 21, 23
-	vcipher	22, 22, 23
-
-	vcipher	15, 15, 24
-	vcipher	16, 16, 24
-	vcipher	17, 17, 24
-	vcipher	18, 18, 24
-	vcipher	19, 19, 24
-	vcipher	20, 20, 24
-	vcipher	21, 21, 24
-	vcipher	22, 22, 24
-
-	xxlor	23+32, 12, 12
-
-	cmpdi	10, 12
-	beq	Do_next_ghash
-
-	# 256 bits
-	xxlor	24+32, 13, 13
-
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-	vcipher	19, 19, 23
-	vcipher	20, 20, 23
-	vcipher	21, 21, 23
-	vcipher	22, 22, 23
-
-	vcipher	15, 15, 24
-	vcipher	16, 16, 24
-	vcipher	17, 17, 24
-	vcipher	18, 18, 24
-	vcipher	19, 19, 24
-	vcipher	20, 20, 24
-	vcipher	21, 21, 24
-	vcipher	22, 22, 24
-
-	xxlor	23+32, 14, 14
-
-	cmpdi	10, 14
-	beq	Do_next_ghash
-	b	aes_gcm_out
-
-Do_next_ghash:
-
-	#
-	# last round
-	vcipherlast     15, 15, 23
-	vcipherlast     16, 16, 23
-
-	xxlxor		47, 47, 15
-	stxvb16x        47, 0, 9	# store output
-	xxlxor		48, 48, 16
-	stxvb16x        48, 15, 9	# store output
-
-	vcipherlast     17, 17, 23
-	vcipherlast     18, 18, 23
-
-	xxlxor		49, 49, 17
-	stxvb16x        49, 16, 9	# store output
-	xxlxor		50, 50, 18
-	stxvb16x        50, 17, 9	# store output
-
-	vcipherlast     19, 19, 23
-	vcipherlast     20, 20, 23
-
-	xxlxor		51, 51, 19
-	stxvb16x        51, 18, 9	# store output
-	xxlxor		52, 52, 20
-	stxvb16x        52, 19, 9	# store output
-
-	vcipherlast     21, 21, 23
-	vcipherlast     22, 22, 23
-
-	xxlxor		53, 53, 21
-	stxvb16x        53, 20, 9	# store output
-	xxlxor		54, 54, 22
-	stxvb16x        54, 21, 9	# store output
-
-	addi		9, 9, 128
-
-	# ghash here
-	ppc_aes_gcm_ghash2_4x
-
-	xxlor	27+32, 0, 0
-	vaddudm 30, 30, 31		# IV + counter
-	vmr	29, 30
-	vxor    15, 30, 27		# add round key
-	vaddudm 30, 30, 31
-	vxor    16, 30, 27
-	vaddudm 30, 30, 31
-	vxor    17, 30, 27
-	vaddudm 30, 30, 31
-	vxor    18, 30, 27
-	vaddudm 30, 30, 31
-	vxor    19, 30, 27
-	vaddudm 30, 30, 31
-	vxor    20, 30, 27
-	vaddudm 30, 30, 31
-	vxor    21, 30, 27
-	vaddudm 30, 30, 31
-	vxor    22, 30, 27
-
-	addi    12, 12, -128
-	addi    11, 11, 128
-
-	bdnz	Loop_8x_block
-
-	vmr	30, 29
-
-Loop_last_block:
-	cmpdi   12, 0
-	beq     aes_gcm_out
-
-	# loop last few blocks
-	li      10, 16
-	divdu   10, 12, 10
-
-	mtctr   10
-
-	lwz	10, 240(6)
-
-	cmpdi   12, 16
-	blt     Final_block
-
-.macro Loop_aes_middle_1x
-	xxlor	19+32, 1, 1
-	xxlor	20+32, 2, 2
-	xxlor	21+32, 3, 3
-	xxlor	22+32, 4, 4
-
-	vcipher 15, 15, 19
-	vcipher 15, 15, 20
-	vcipher 15, 15, 21
-	vcipher 15, 15, 22
-
-	xxlor	19+32, 5, 5
-	xxlor	20+32, 6, 6
-	xxlor	21+32, 7, 7
-	xxlor	22+32, 8, 8
-
-	vcipher 15, 15, 19
-	vcipher 15, 15, 20
-	vcipher 15, 15, 21
-	vcipher 15, 15, 22
-
-	xxlor	19+32, 9, 9
-	vcipher 15, 15, 19
-.endm
-
-Next_rem_block:
-	lxvb16x 15, 0, 14		# load block
-
-	Loop_aes_middle_1x
-
-	xxlor	23+32, 10, 10
-
-	cmpdi	10, 10
-	beq	Do_next_1x
-
-	# 192 bits
-	xxlor	24+32, 11, 11
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 12, 12
-
-	cmpdi	10, 12
-	beq	Do_next_1x
-
-	# 256 bits
-	xxlor	24+32, 13, 13
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 14, 14
-
-	cmpdi	10, 14
-	beq	Do_next_1x
-
-Do_next_1x:
-	vcipherlast     15, 15, 23
-
-	xxlxor		47, 47, 15
-	stxvb16x	47, 0, 9	# store output
-	addi		14, 14, 16
-	addi		9, 9, 16
-
-	vmr		28, 15
-	ppc_update_hash_1x
-
-	addi		12, 12, -16
-	addi		11, 11, 16
-	xxlor		19+32, 0, 0
-	vaddudm		30, 30, 31		# IV + counter
-	vxor		15, 30, 19		# add round key
-
-	bdnz	Next_rem_block
-
-	cmpdi	12, 0
-	beq	aes_gcm_out
-
-Final_block:
-	Loop_aes_middle_1x
-
-	xxlor	23+32, 10, 10
-
-	cmpdi	10, 10
-	beq	Do_final_1x
-
-	# 192 bits
-	xxlor	24+32, 11, 11
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 12, 12
-
-	cmpdi	10, 12
-	beq	Do_final_1x
-
-	# 256 bits
-	xxlor	24+32, 13, 13
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 14, 14
-
-	cmpdi	10, 14
-	beq	Do_final_1x
-
-Do_final_1x:
-	vcipherlast     15, 15, 23
-
-	lxvb16x	15, 0, 14		# load last block
-	xxlxor	47, 47, 15
-
-	# create partial block mask
-	li	15, 16
-	sub	15, 15, 12		# index to the mask
-
-	vspltisb	16, -1		# first 16 bytes - 0xffff...ff
-	vspltisb	17, 0		# second 16 bytes - 0x0000...00
-	li	10, 192
-	stvx	16, 10, 1
-	addi	10, 10, 16
-	stvx	17, 10, 1
-
-	addi	10, 1, 192
-	lxvb16x	16, 15, 10		# load partial block mask
-	xxland	47, 47, 16
-
-	vmr	28, 15
-	ppc_update_hash_1x
-
-	# * should store only the remaining bytes.
-	bl	Write_partial_block
-
-	b aes_gcm_out
-
-#
-# Write partial block
-# r9 - output
-# r12 - remaining bytes
-# v15 - partial input data
-#
-Write_partial_block:
-	li		10, 192
-	stxvb16x	15+32, 10, 1		# last block
-
-	#add		10, 9, 11		# Output
-	addi		10, 9, -1
-	addi		16, 1, 191
-
-        mtctr		12			# remaining bytes
-	li		15, 0
-
-Write_last_byte:
-        lbzu		14, 1(16)
-	stbu		14, 1(10)
-        bdnz		Write_last_byte
-	blr
-
-aes_gcm_out:
-	# out = state
-	stxvb16x	32, 0, 8		# write out Xi
-	add	3, 11, 12		# return count
-
-	li	9, 256
-	lvx	20, 9, 1
-	addi	9, 9, 16
-	lvx	21, 9, 1
-	addi	9, 9, 16
-	lvx	22, 9, 1
-	addi	9, 9, 16
-	lvx	23, 9, 1
-	addi	9, 9, 16
-	lvx	24, 9, 1
-	addi	9, 9, 16
-	lvx	25, 9, 1
-	addi	9, 9, 16
-	lvx	26, 9, 1
-	addi	9, 9, 16
-	lvx	27, 9, 1
-	addi	9, 9, 16
-	lvx	28, 9, 1
-	addi	9, 9, 16
-	lvx	29, 9, 1
-	addi	9, 9, 16
-	lvx	30, 9, 1
-	addi	9, 9, 16
-	lvx	31, 9, 1
-
-	ld	0, 528(1)
-	ld      14,112(1)
-	ld      15,120(1)
-	ld      16,128(1)
-	ld      17,136(1)
-	ld      18,144(1)
-	ld      19,152(1)
-	ld      20,160(1)
-	ld	21,168(1)
-
-	mtlr	0
-	addi	1, 1, 512
-	blr
-
-#
-# 8x Decrypt
-#
-.global ppc_aes_gcm_decrypt
-.align 5
-ppc_aes_gcm_decrypt:
-_ppc_aes_gcm_decrypt:
-
-	stdu 1,-512(1)
-	mflr 0
-
-	std	14,112(1)
-	std	15,120(1)
-	std	16,128(1)
-	std	17,136(1)
-	std	18,144(1)
-	std	19,152(1)
-	std	20,160(1)
-	std	21,168(1)
-	li	9, 256
-	stvx	20, 9, 1
-	addi	9, 9, 16
-	stvx	21, 9, 1
-	addi	9, 9, 16
-	stvx	22, 9, 1
-	addi	9, 9, 16
-	stvx	23, 9, 1
-	addi	9, 9, 16
-	stvx	24, 9, 1
-	addi	9, 9, 16
-	stvx	25, 9, 1
-	addi	9, 9, 16
-	stvx	26, 9, 1
-	addi	9, 9, 16
-	stvx	27, 9, 1
-	addi	9, 9, 16
-	stvx	28, 9, 1
-	addi	9, 9, 16
-	stvx	29, 9, 1
-	addi	9, 9, 16
-	stvx	30, 9, 1
-	addi	9, 9, 16
-	stvx	31, 9, 1
-	std	0, 528(1)
-
-	# Load Xi
-	lxvb16x	32, 0, 8	# load Xi
-
-	# load Hash - h^4, h^3, h^2, h
-	li	10, 32
-	lxvd2x	2+32, 10, 8	# H Poli
-	li	10, 48
-	lxvd2x	3+32, 10, 8	# Hl
-	li	10, 64
-	lxvd2x	4+32, 10, 8	# H
-	li	10, 80
-	lxvd2x	5+32, 10, 8	# Hh
-
-	li	10, 96
-	lxvd2x	6+32, 10, 8	# H^2l
-	li	10, 112
-	lxvd2x	7+32, 10, 8	# H^2
-	li	10, 128
-	lxvd2x	8+32, 10, 8	# H^2h
-
-	li	10, 144
-	lxvd2x	9+32, 10, 8	# H^3l
-	li	10, 160
-	lxvd2x	10+32, 10, 8	# H^3
-	li	10, 176
-	lxvd2x	11+32, 10, 8	# H^3h
-
-	li	10, 192
-	lxvd2x	12+32, 10, 8	# H^4l
-	li	10, 208
-	lxvd2x	13+32, 10, 8	# H^4
-	li	10, 224
-	lxvd2x	14+32, 10, 8	# H^4h
-
-	# initialize ICB: GHASH( IV ), IV - r7
-	lxvb16x	30+32, 0, 7	# load IV  - v30
-
-	mr	12, 5		# length
-	li	11, 0		# block index
-
-	# counter 1
-	vxor	31, 31, 31
-	vspltisb 22, 1
-	vsldoi	31, 31, 22,1	# counter 1
-
-	# load round key to VSR
-	lxv	0, 0(6)
-	lxv	1, 0x10(6)
-	lxv	2, 0x20(6)
-	lxv	3, 0x30(6)
-	lxv	4, 0x40(6)
-	lxv	5, 0x50(6)
-	lxv	6, 0x60(6)
-	lxv	7, 0x70(6)
-	lxv	8, 0x80(6)
-	lxv	9, 0x90(6)
-	lxv	10, 0xa0(6)
-
-	# load rounds - 10 (128), 12 (192), 14 (256)
-	lwz	9,240(6)
-
-	#
-	# vxor	state, state, w # addroundkey
-	xxlor	32+29, 0, 0
-	vxor	15, 30, 29	# IV + round key - add round key 0
-
-	cmpdi	9, 10
-	beq	Loop_aes_gcm_8x_dec
-
-	# load 2 more round keys (v11, v12)
-	lxv	11, 0xb0(6)
-	lxv	12, 0xc0(6)
-
-	cmpdi	9, 12
-	beq	Loop_aes_gcm_8x_dec
-
-	# load 2 more round keys (v11, v12, v13, v14)
-	lxv	13, 0xd0(6)
-	lxv	14, 0xe0(6)
-	cmpdi	9, 14
-	beq	Loop_aes_gcm_8x_dec
-
-	b	aes_gcm_out
-
-.align 5
-Loop_aes_gcm_8x_dec:
-	mr	14, 3
-	mr	9, 4
-
-	# n blocks
-	li	10, 128
-	divdu	10, 5, 10	# n 128 bytes-blocks
-	cmpdi	10, 0
-	beq	Loop_last_block_dec
-
-	vaddudm	30, 30, 31	# IV + counter
-	vxor	16, 30, 29
-	vaddudm	30, 30, 31
-	vxor	17, 30, 29
-	vaddudm	30, 30, 31
-	vxor	18, 30, 29
-	vaddudm	30, 30, 31
-	vxor	19, 30, 29
-	vaddudm	30, 30, 31
-	vxor	20, 30, 29
-	vaddudm	30, 30, 31
-	vxor	21, 30, 29
-	vaddudm	30, 30, 31
-	vxor	22, 30, 29
-
-	mtctr	10
-
-	li	15, 16
-	li	16, 32
-	li	17, 48
-	li	18, 64
-	li	19, 80
-	li	20, 96
-	li	21, 112
-
-	lwz	10, 240(6)
-
-Loop_8x_block_dec:
-
-	lxvb16x		15, 0, 14	# load block
-	lxvb16x		16, 15, 14	# load block
-	lxvb16x		17, 16, 14	# load block
-	lxvb16x		18, 17, 14	# load block
-	lxvb16x		19, 18, 14	# load block
-	lxvb16x		20, 19, 14	# load block
-	lxvb16x		21, 20, 14	# load block
-	lxvb16x		22, 21, 14	# load block
-	addi		14, 14, 128
-
-	Loop_aes_middle8x
-
-	xxlor	23+32, 10, 10
-
-	cmpdi	10, 10
-	beq	Do_last_aes_dec
-
-	# 192 bits
-	xxlor	24+32, 11, 11
-
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-	vcipher	19, 19, 23
-	vcipher	20, 20, 23
-	vcipher	21, 21, 23
-	vcipher	22, 22, 23
-
-	vcipher	15, 15, 24
-	vcipher	16, 16, 24
-	vcipher	17, 17, 24
-	vcipher	18, 18, 24
-	vcipher	19, 19, 24
-	vcipher	20, 20, 24
-	vcipher	21, 21, 24
-	vcipher	22, 22, 24
-
-	xxlor	23+32, 12, 12
-
-	cmpdi	10, 12
-	beq	Do_last_aes_dec
-
-	# 256 bits
-	xxlor	24+32, 13, 13
-
-	vcipher	15, 15, 23
-	vcipher	16, 16, 23
-	vcipher	17, 17, 23
-	vcipher	18, 18, 23
-	vcipher	19, 19, 23
-	vcipher	20, 20, 23
-	vcipher	21, 21, 23
-	vcipher	22, 22, 23
-
-	vcipher	15, 15, 24
-	vcipher	16, 16, 24
-	vcipher	17, 17, 24
-	vcipher	18, 18, 24
-	vcipher	19, 19, 24
-	vcipher	20, 20, 24
-	vcipher	21, 21, 24
-	vcipher	22, 22, 24
-
-	xxlor	23+32, 14, 14
-
-	cmpdi	10, 14
-	beq	Do_last_aes_dec
-	b	aes_gcm_out
-
-Do_last_aes_dec:
-
-	#
-	# last round
-	vcipherlast     15, 15, 23
-	vcipherlast     16, 16, 23
-
-	xxlxor		47, 47, 15
-	stxvb16x        47, 0, 9	# store output
-	xxlxor		48, 48, 16
-	stxvb16x        48, 15, 9	# store output
-
-	vcipherlast     17, 17, 23
-	vcipherlast     18, 18, 23
-
-	xxlxor		49, 49, 17
-	stxvb16x        49, 16, 9	# store output
-	xxlxor		50, 50, 18
-	stxvb16x        50, 17, 9	# store output
-
-	vcipherlast     19, 19, 23
-	vcipherlast     20, 20, 23
-
-	xxlxor		51, 51, 19
-	stxvb16x        51, 18, 9	# store output
-	xxlxor		52, 52, 20
-	stxvb16x        52, 19, 9	# store output
-
-	vcipherlast     21, 21, 23
-	vcipherlast     22, 22, 23
-
-	xxlxor		53, 53, 21
-	stxvb16x        53, 20, 9	# store output
-	xxlxor		54, 54, 22
-	stxvb16x        54, 21, 9	# store output
-
-	addi		9, 9, 128
-
-	xxlor		15+32, 15, 15
-	xxlor		16+32, 16, 16
-	xxlor		17+32, 17, 17
-	xxlor		18+32, 18, 18
-	xxlor		19+32, 19, 19
-	xxlor		20+32, 20, 20
-	xxlor		21+32, 21, 21
-	xxlor		22+32, 22, 22
-
-	# ghash here
-	ppc_aes_gcm_ghash2_4x
-
-	xxlor	27+32, 0, 0
-	vaddudm 30, 30, 31		# IV + counter
-	vmr	29, 30
-	vxor    15, 30, 27		# add round key
-	vaddudm 30, 30, 31
-	vxor    16, 30, 27
-	vaddudm 30, 30, 31
-	vxor    17, 30, 27
-	vaddudm 30, 30, 31
-	vxor    18, 30, 27
-	vaddudm 30, 30, 31
-	vxor    19, 30, 27
-	vaddudm 30, 30, 31
-	vxor    20, 30, 27
-	vaddudm 30, 30, 31
-	vxor    21, 30, 27
-	vaddudm 30, 30, 31
-	vxor    22, 30, 27
-	addi    12, 12, -128
-	addi    11, 11, 128
-
-	bdnz	Loop_8x_block_dec
-
-	vmr	30, 29
-
-Loop_last_block_dec:
-	cmpdi   12, 0
-	beq     aes_gcm_out
-
-	# loop last few blocks
-	li      10, 16
-	divdu   10, 12, 10
-
-	mtctr   10
-
-	lwz	10,240(6)
-
-	cmpdi   12, 16
-	blt     Final_block_dec
-
-Next_rem_block_dec:
-	lxvb16x 15, 0, 14		# load block
-
-	Loop_aes_middle_1x
-
-	xxlor	23+32, 10, 10
-
-	cmpdi	10, 10
-	beq	Do_next_1x_dec
-
-	# 192 bits
-	xxlor	24+32, 11, 11
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 12, 12
-
-	cmpdi	10, 12
-	beq	Do_next_1x_dec
-
-	# 256 bits
-	xxlor	24+32, 13, 13
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 14, 14
-
-	cmpdi	10, 14
-	beq	Do_next_1x_dec
-
-Do_next_1x_dec:
-	vcipherlast     15, 15, 23
-
-	xxlxor  47, 47, 15
-	stxvb16x        47, 0, 9	# store output
-	addi	14, 14, 16
-	addi	9, 9, 16
-
-	xxlor	28+32, 15, 15
-	ppc_update_hash_1x
-
-	addi    12, 12, -16
-	addi    11, 11, 16
-	xxlor	19+32, 0, 0
-	vaddudm 30, 30, 31		# IV + counter
-	vxor	15, 30, 19		# add round key
-
-	bdnz	Next_rem_block_dec
-
-	cmpdi	12, 0
-	beq	aes_gcm_out
-
-Final_block_dec:
-	Loop_aes_middle_1x
-
-	xxlor	23+32, 10, 10
-
-	cmpdi	10, 10
-	beq	Do_final_1x_dec
-
-	# 192 bits
-	xxlor	24+32, 11, 11
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 12, 12
-
-	cmpdi	10, 12
-	beq	Do_final_1x_dec
-
-	# 256 bits
-	xxlor	24+32, 13, 13
-
-	vcipher	15, 15, 23
-	vcipher	15, 15, 24
-
-	xxlor	23+32, 14, 14
-
-	cmpdi	10, 14
-	beq	Do_final_1x_dec
-
-Do_final_1x_dec:
-	vcipherlast     15, 15, 23
-
-	lxvb16x	15, 0, 14		# load block
-	xxlxor	47, 47, 15
-
-	# create partial block mask
-	li	15, 16
-	sub	15, 15, 12		# index to the mask
-
-	vspltisb	16, -1		# first 16 bytes - 0xffff...ff
-	vspltisb	17, 0		# second 16 bytes - 0x0000...00
-	li	10, 192
-	stvx	16, 10, 1
-	addi	10, 10, 16
-	stvx	17, 10, 1
-
-	addi	10, 1, 192
-	lxvb16x	16, 15, 10		# load block mask
-	xxland	47, 47, 16
-
-	xxlor	28+32, 15, 15
-	ppc_update_hash_1x
-
-	# * should store only the remaining bytes.
-	bl	Write_partial_block
-
-	b aes_gcm_out
-
-
-___
-
-foreach (split("\n",$code)) {
-	s/\`([^\`]*)\`/eval $1/geo;
-
-	if ($flavour =~ /le$/o) {	# little-endian
-	    s/le\?//o		or
-	    s/be\?/#be#/o;
-	} else {
-	    s/le\?/#le#/o	or
-	    s/be\?//o;
-	}
-	print $_,"\n";
-}
-
-close STDOUT or die "error closing STDOUT: $!"; # enforce flush

+ 1125 - 0
libs/openssl/crypto/pem/pvkfmt.c

@@ -0,0 +1,1125 @@
+/*
+ * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Support for PVK format keys and related structures (such a PUBLICKEYBLOB
+ * and PRIVATEKEYBLOB).
+ */
+
+/*
+ * RSA and DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
+#include <openssl/pem.h>
+#include <openssl/rand.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include "internal/cryptlib.h"
+#include "crypto/pem.h"
+#include "crypto/evp.h"
+
+/*
+ * Utility function: read a DWORD (4 byte unsigned integer) in little endian
+ * format
+ */
+
+static unsigned int read_ledword(const unsigned char **in)
+{
+    const unsigned char *p = *in;
+    unsigned int ret;
+
+    ret = (unsigned int)*p++;
+    ret |= (unsigned int)*p++ << 8;
+    ret |= (unsigned int)*p++ << 16;
+    ret |= (unsigned int)*p++ << 24;
+    *in = p;
+    return ret;
+}
+
+/*
+ * Read a BIGNUM in little endian format. The docs say that this should take
+ * up bitlen/8 bytes.
+ */
+
+static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
+{
+    *r = BN_lebin2bn(*in, nbyte, NULL);
+    if (*r == NULL)
+        return 0;
+    *in += nbyte;
+    return 1;
+}
+
+/*
+ * Create an EVP_PKEY from a type specific key.
+ * This takes ownership of |key|, as long as the |evp_type| is acceptable
+ * (EVP_PKEY_RSA or EVP_PKEY_DSA), even if the resulting EVP_PKEY wasn't
+ * created.
+ */
+#define isdss_to_evp_type(isdss)                                \
+    (isdss == 0 ? EVP_PKEY_RSA : isdss == 1 ? EVP_PKEY_DSA : EVP_PKEY_NONE)
+static EVP_PKEY *evp_pkey_new0_key(void *key, int evp_type)
+{
+    EVP_PKEY *pkey = NULL;
+
+    /*
+     * It's assumed that if |key| is NULL, something went wrong elsewhere
+     * and suitable errors are already reported.
+     */
+    if (key == NULL)
+        return NULL;
+
+    if (!ossl_assert(evp_type == EVP_PKEY_RSA || evp_type == EVP_PKEY_DSA)) {
+        ERR_raise(ERR_LIB_PEM, ERR_R_INTERNAL_ERROR);
+        return NULL;
+    }
+
+    if ((pkey = EVP_PKEY_new()) != NULL) {
+        switch (evp_type) {
+        case EVP_PKEY_RSA:
+            if (EVP_PKEY_set1_RSA(pkey, key))
+                break;
+            EVP_PKEY_free(pkey);
+            pkey = NULL;
+            break;
+#ifndef OPENSSL_NO_DSA
+        case EVP_PKEY_DSA:
+            if (EVP_PKEY_set1_DSA(pkey, key))
+                break;
+            EVP_PKEY_free(pkey);
+            pkey = NULL;
+            break;
+#endif
+        }
+    }
+
+    switch (evp_type) {
+    case EVP_PKEY_RSA:
+        RSA_free(key);
+        break;
+#ifndef OPENSSL_NO_DSA
+    case EVP_PKEY_DSA:
+        DSA_free(key);
+        break;
+#endif
+    }
+
+    if (pkey == NULL)
+        ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+    return pkey;
+}
+
+/* Convert private key blob to EVP_PKEY: RSA and DSA keys supported */
+
+# define MS_PUBLICKEYBLOB        0x6
+# define MS_PRIVATEKEYBLOB       0x7
+# define MS_RSA1MAGIC            0x31415352L
+# define MS_RSA2MAGIC            0x32415352L
+# define MS_DSS1MAGIC            0x31535344L
+# define MS_DSS2MAGIC            0x32535344L
+
+# define MS_KEYALG_RSA_KEYX      0xa400
+# define MS_KEYALG_DSS_SIGN      0x2200
+
+# define MS_KEYTYPE_KEYX         0x1
+# define MS_KEYTYPE_SIGN         0x2
+
+/* The PVK file magic number: seems to spell out "bobsfile", who is Bob? */
+# define MS_PVKMAGIC             0xb0b5f11eL
+/* Salt length for PVK files */
+# define PVK_SALTLEN             0x10
+/* Maximum length in PVK header */
+# define PVK_MAX_KEYLEN          102400
+/* Maximum salt length */
+# define PVK_MAX_SALTLEN         10240
+
+/*
+ * Read the MSBLOB header and get relevant data from it.
+ *
+ * |pisdss| and |pispub| have a double role, as they can be used for
+ * discovery as well as to check the the blob meets expectations.
+ * |*pisdss| is the indicator for whether the key is a DSA key or not.
+ * |*pispub| is the indicator for whether the key is public or not.
+ * In both cases, the following input values apply:
+ *
+ * 0    Expected to not be what the variable indicates.
+ * 1    Expected to be what the variable indicates.
+ * -1   No expectations, this function will assign 0 or 1 depending on
+ *      header data.
+ */
+int ossl_do_blob_header(const unsigned char **in, unsigned int length,
+                        unsigned int *pmagic, unsigned int *pbitlen,
+                        int *pisdss, int *pispub)
+{
+    const unsigned char *p = *in;
+
+    if (length < 16)
+        return 0;
+    /* bType */
+    switch (*p) {
+    case MS_PUBLICKEYBLOB:
+        if (*pispub == 0) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
+            return 0;
+        }
+        *pispub = 1;
+        break;
+
+    case MS_PRIVATEKEYBLOB:
+        if (*pispub == 1) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
+            return 0;
+        }
+        *pispub = 0;
+        break;
+
+    default:
+        return 0;
+    }
+    p++;
+    /* Version */
+    if (*p++ != 0x2) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_BAD_VERSION_NUMBER);
+        return 0;
+    }
+    /* Ignore reserved, aiKeyAlg */
+    p += 6;
+    *pmagic = read_ledword(&p);
+    *pbitlen = read_ledword(&p);
+
+    /* Consistency check for private vs public */
+    switch (*pmagic) {
+    case MS_DSS1MAGIC:
+    case MS_RSA1MAGIC:
+        if (*pispub == 0) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PRIVATE_KEY_BLOB);
+            return 0;
+        }
+        break;
+
+    case MS_DSS2MAGIC:
+    case MS_RSA2MAGIC:
+        if (*pispub == 1) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_PUBLIC_KEY_BLOB);
+            return 0;
+        }
+        break;
+
+    default:
+        ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
+        return -1;
+    }
+
+    /* Check that we got the expected type */
+    switch (*pmagic) {
+    case MS_DSS1MAGIC:
+    case MS_DSS2MAGIC:
+        if (*pisdss == 0) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_DSS_KEY_BLOB);
+            return 0;
+        }
+        *pisdss = 1;
+        break;
+    case MS_RSA1MAGIC:
+    case MS_RSA2MAGIC:
+        if (*pisdss == 1) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_EXPECTING_RSA_KEY_BLOB);
+            return 0;
+        }
+        *pisdss = 0;
+        break;
+
+    default:
+        ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
+        return -1;
+    }
+    *in = p;
+    return 1;
+}
+
+unsigned int ossl_blob_length(unsigned bitlen, int isdss, int ispub)
+{
+    unsigned int nbyte = (bitlen + 7) >> 3;
+    unsigned int hnbyte = (bitlen + 15) >> 4;
+
+    if (isdss) {
+
+        /*
+         * Expected length: 20 for q + 3 components bitlen each + 24 for seed
+         * structure.
+         */
+        if (ispub)
+            return 44 + 3 * nbyte;
+        /*
+         * Expected length: 20 for q, priv, 2 bitlen components + 24 for seed
+         * structure.
+         */
+        else
+            return 64 + 2 * nbyte;
+    } else {
+        /* Expected length: 4 for 'e' + 'n' */
+        if (ispub)
+            return 4 + nbyte;
+        else
+            /*
+             * Expected length: 4 for 'e' and 7 other components. 2
+             * components are bitlen size, 5 are bitlen/2
+             */
+            return 4 + 2 * nbyte + 5 * hnbyte;
+    }
+
+}
+
+static void *do_b2i_key(const unsigned char **in, unsigned int length,
+                        int *isdss, int *ispub)
+{
+    const unsigned char *p = *in;
+    unsigned int bitlen, magic;
+    void *key = NULL;
+
+    if (ossl_do_blob_header(&p, length, &magic, &bitlen, isdss, ispub) <= 0) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_HEADER_PARSE_ERROR);
+        return NULL;
+    }
+    length -= 16;
+    if (length < ossl_blob_length(bitlen, *isdss, *ispub)) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
+        return NULL;
+    }
+    if (!*isdss)
+        key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub);
+#ifndef OPENSSL_NO_DSA
+    else
+        key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub);
+#endif
+
+    if (key == NULL) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+        return NULL;
+    }
+
+    return key;
+}
+
+EVP_PKEY *ossl_b2i(const unsigned char **in, unsigned int length, int *ispub)
+{
+    int isdss = -1;
+    void *key = do_b2i_key(in, length, &isdss, ispub);
+
+    return evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
+}
+
+EVP_PKEY *ossl_b2i_bio(BIO *in, int *ispub)
+{
+    const unsigned char *p;
+    unsigned char hdr_buf[16], *buf = NULL;
+    unsigned int bitlen, magic, length;
+    int isdss = -1;
+    void *key = NULL;
+    EVP_PKEY *pkey = NULL;
+
+    if (BIO_read(in, hdr_buf, 16) != 16) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
+        return NULL;
+    }
+    p = hdr_buf;
+    if (ossl_do_blob_header(&p, 16, &magic, &bitlen, &isdss, ispub) <= 0)
+        return NULL;
+
+    length = ossl_blob_length(bitlen, isdss, *ispub);
+    if (length > BLOB_MAX_LENGTH) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_HEADER_TOO_LONG);
+        return NULL;
+    }
+    buf = OPENSSL_malloc(length);
+    if (buf == NULL) {
+        ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+    p = buf;
+    if (BIO_read(in, buf, length) != (int)length) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_KEYBLOB_TOO_SHORT);
+        goto err;
+    }
+
+    if (!isdss)
+        key = ossl_b2i_RSA_after_header(&p, bitlen, *ispub);
+#ifndef OPENSSL_NO_DSA
+    else
+        key = ossl_b2i_DSA_after_header(&p, bitlen, *ispub);
+#endif
+
+    if (key == NULL) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+        goto err;
+    }
+
+    pkey = evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
+ err:
+    OPENSSL_free(buf);
+    return pkey;
+}
+
+#ifndef OPENSSL_NO_DSA
+DSA *ossl_b2i_DSA_after_header(const unsigned char **in, unsigned int bitlen,
+                               int ispub)
+{
+    const unsigned char *p = *in;
+    DSA *dsa = NULL;
+    BN_CTX *ctx = NULL;
+    BIGNUM *pbn = NULL, *qbn = NULL, *gbn = NULL, *priv_key = NULL;
+    BIGNUM *pub_key = NULL;
+    unsigned int nbyte = (bitlen + 7) >> 3;
+
+    dsa = DSA_new();
+    if (dsa == NULL)
+        goto memerr;
+    if (!read_lebn(&p, nbyte, &pbn))
+        goto memerr;
+
+    if (!read_lebn(&p, 20, &qbn))
+        goto memerr;
+
+    if (!read_lebn(&p, nbyte, &gbn))
+        goto memerr;
+
+    if (ispub) {
+        if (!read_lebn(&p, nbyte, &pub_key))
+            goto memerr;
+    } else {
+        if (!read_lebn(&p, 20, &priv_key))
+            goto memerr;
+
+        /* Set constant time flag before public key calculation */
+        BN_set_flags(priv_key, BN_FLG_CONSTTIME);
+
+        /* Calculate public key */
+        pub_key = BN_new();
+        if (pub_key == NULL)
+            goto memerr;
+        if ((ctx = BN_CTX_new()) == NULL)
+            goto memerr;
+
+        if (!BN_mod_exp(pub_key, gbn, priv_key, pbn, ctx))
+            goto memerr;
+
+        BN_CTX_free(ctx);
+        ctx = NULL;
+    }
+    if (!DSA_set0_pqg(dsa, pbn, qbn, gbn))
+        goto memerr;
+    pbn = qbn = gbn = NULL;
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+        goto memerr;
+    pub_key = priv_key = NULL;
+
+    *in = p;
+    return dsa;
+
+ memerr:
+    ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+    DSA_free(dsa);
+    BN_free(pbn);
+    BN_free(qbn);
+    BN_free(gbn);
+    BN_free(pub_key);
+    BN_free(priv_key);
+    BN_CTX_free(ctx);
+    return NULL;
+}
+#endif
+
+RSA *ossl_b2i_RSA_after_header(const unsigned char **in, unsigned int bitlen,
+                               int ispub)
+{
+    const unsigned char *pin = *in;
+    BIGNUM *e = NULL, *n = NULL, *d = NULL;
+    BIGNUM *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
+    RSA *rsa = NULL;
+    unsigned int nbyte = (bitlen + 7) >> 3;
+    unsigned int hnbyte = (bitlen + 15) >> 4;
+
+    rsa = RSA_new();
+    if (rsa == NULL)
+        goto memerr;
+    e = BN_new();
+    if (e == NULL)
+        goto memerr;
+    if (!BN_set_word(e, read_ledword(&pin)))
+        goto memerr;
+    if (!read_lebn(&pin, nbyte, &n))
+        goto memerr;
+    if (!ispub) {
+        if (!read_lebn(&pin, hnbyte, &p))
+            goto memerr;
+        if (!read_lebn(&pin, hnbyte, &q))
+            goto memerr;
+        if (!read_lebn(&pin, hnbyte, &dmp1))
+            goto memerr;
+        if (!read_lebn(&pin, hnbyte, &dmq1))
+            goto memerr;
+        if (!read_lebn(&pin, hnbyte, &iqmp))
+            goto memerr;
+        if (!read_lebn(&pin, nbyte, &d))
+            goto memerr;
+        if (!RSA_set0_factors(rsa, p, q))
+            goto memerr;
+        p = q = NULL;
+        if (!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp))
+            goto memerr;
+        dmp1 = dmq1 = iqmp = NULL;
+    }
+    if (!RSA_set0_key(rsa, n, e, d))
+        goto memerr;
+    n = e = d = NULL;
+
+    *in = pin;
+    return rsa;
+ memerr:
+    ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+    BN_free(e);
+    BN_free(n);
+    BN_free(p);
+    BN_free(q);
+    BN_free(dmp1);
+    BN_free(dmq1);
+    BN_free(iqmp);
+    BN_free(d);
+    RSA_free(rsa);
+    return NULL;
+}
+
+EVP_PKEY *b2i_PrivateKey(const unsigned char **in, long length)
+{
+    int ispub = 0;
+
+    return ossl_b2i(in, length, &ispub);
+}
+
+EVP_PKEY *b2i_PublicKey(const unsigned char **in, long length)
+{
+    int ispub = 1;
+
+    return ossl_b2i(in, length, &ispub);
+}
+
+EVP_PKEY *b2i_PrivateKey_bio(BIO *in)
+{
+    int ispub = 0;
+
+    return ossl_b2i_bio(in, &ispub);
+}
+
+EVP_PKEY *b2i_PublicKey_bio(BIO *in)
+{
+    int ispub = 1;
+
+    return ossl_b2i_bio(in, &ispub);
+}
+
+static void write_ledword(unsigned char **out, unsigned int dw)
+{
+    unsigned char *p = *out;
+
+    *p++ = dw & 0xff;
+    *p++ = (dw >> 8) & 0xff;
+    *p++ = (dw >> 16) & 0xff;
+    *p++ = (dw >> 24) & 0xff;
+    *out = p;
+}
+
+static void write_lebn(unsigned char **out, const BIGNUM *bn, int len)
+{
+    BN_bn2lebinpad(bn, *out, len);
+    *out += len;
+}
+
+static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *magic);
+static void write_rsa(unsigned char **out, const RSA *rsa, int ispub);
+
+#ifndef OPENSSL_NO_DSA
+static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *magic);
+static void write_dsa(unsigned char **out, const DSA *dsa, int ispub);
+#endif
+
+static int do_i2b(unsigned char **out, const EVP_PKEY *pk, int ispub)
+{
+    unsigned char *p;
+    unsigned int bitlen = 0, magic = 0, keyalg = 0;
+    int outlen = -1, noinc = 0;
+
+    if (EVP_PKEY_is_a(pk, "RSA")) {
+        bitlen = check_bitlen_rsa(EVP_PKEY_get0_RSA(pk), ispub, &magic);
+        keyalg = MS_KEYALG_RSA_KEYX;
+#ifndef OPENSSL_NO_DSA
+    } else if (EVP_PKEY_is_a(pk, "DSA")) {
+        bitlen = check_bitlen_dsa(EVP_PKEY_get0_DSA(pk), ispub, &magic);
+        keyalg = MS_KEYALG_DSS_SIGN;
+#endif
+    }
+    if (bitlen == 0) {
+        goto end;
+    }
+    outlen = 16
+        + ossl_blob_length(bitlen, keyalg == MS_KEYALG_DSS_SIGN ? 1 : 0, ispub);
+    if (out == NULL)
+        goto end;
+    if (*out)
+        p = *out;
+    else {
+        if ((p = OPENSSL_malloc(outlen)) == NULL) {
+            ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+            outlen = -1;
+            goto end;
+        }
+        *out = p;
+        noinc = 1;
+    }
+    if (ispub)
+        *p++ = MS_PUBLICKEYBLOB;
+    else
+        *p++ = MS_PRIVATEKEYBLOB;
+    *p++ = 0x2;
+    *p++ = 0;
+    *p++ = 0;
+    write_ledword(&p, keyalg);
+    write_ledword(&p, magic);
+    write_ledword(&p, bitlen);
+    if (keyalg == MS_KEYALG_RSA_KEYX)
+        write_rsa(&p, EVP_PKEY_get0_RSA(pk), ispub);
+#ifndef OPENSSL_NO_DSA
+    else
+        write_dsa(&p, EVP_PKEY_get0_DSA(pk), ispub);
+#endif
+    if (!noinc)
+        *out += outlen;
+ end:
+    return outlen;
+}
+
+static int do_i2b_bio(BIO *out, const EVP_PKEY *pk, int ispub)
+{
+    unsigned char *tmp = NULL;
+    int outlen, wrlen;
+
+    outlen = do_i2b(&tmp, pk, ispub);
+    if (outlen < 0)
+        return -1;
+    wrlen = BIO_write(out, tmp, outlen);
+    OPENSSL_free(tmp);
+    if (wrlen == outlen)
+        return outlen;
+    return -1;
+}
+
+static int check_bitlen_rsa(const RSA *rsa, int ispub, unsigned int *pmagic)
+{
+    int nbyte, hnbyte, bitlen;
+    const BIGNUM *e;
+
+    RSA_get0_key(rsa, NULL, &e, NULL);
+    if (BN_num_bits(e) > 32)
+        goto badkey;
+    bitlen = RSA_bits(rsa);
+    nbyte = RSA_size(rsa);
+    hnbyte = (bitlen + 15) >> 4;
+    if (ispub) {
+        *pmagic = MS_RSA1MAGIC;
+        return bitlen;
+    } else {
+        const BIGNUM *d, *p, *q, *iqmp, *dmp1, *dmq1;
+
+        *pmagic = MS_RSA2MAGIC;
+
+        /*
+         * For private key each component must fit within nbyte or hnbyte.
+         */
+        RSA_get0_key(rsa, NULL, NULL, &d);
+        if (BN_num_bytes(d) > nbyte)
+            goto badkey;
+        RSA_get0_factors(rsa, &p, &q);
+        RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
+        if ((BN_num_bytes(iqmp) > hnbyte)
+            || (BN_num_bytes(p) > hnbyte)
+            || (BN_num_bytes(q) > hnbyte)
+            || (BN_num_bytes(dmp1) > hnbyte)
+            || (BN_num_bytes(dmq1) > hnbyte))
+            goto badkey;
+    }
+    return bitlen;
+ badkey:
+    ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
+    return 0;
+}
+
+static void write_rsa(unsigned char **out, const RSA *rsa, int ispub)
+{
+    int nbyte, hnbyte;
+    const BIGNUM *n, *d, *e, *p, *q, *iqmp, *dmp1, *dmq1;
+
+    nbyte = RSA_size(rsa);
+    hnbyte = (RSA_bits(rsa) + 15) >> 4;
+    RSA_get0_key(rsa, &n, &e, &d);
+    write_lebn(out, e, 4);
+    write_lebn(out, n, nbyte);
+    if (ispub)
+        return;
+    RSA_get0_factors(rsa, &p, &q);
+    RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
+    write_lebn(out, p, hnbyte);
+    write_lebn(out, q, hnbyte);
+    write_lebn(out, dmp1, hnbyte);
+    write_lebn(out, dmq1, hnbyte);
+    write_lebn(out, iqmp, hnbyte);
+    write_lebn(out, d, nbyte);
+}
+
+#ifndef OPENSSL_NO_DSA
+static int check_bitlen_dsa(const DSA *dsa, int ispub, unsigned int *pmagic)
+{
+    int bitlen;
+    const BIGNUM *p = NULL, *q = NULL, *g = NULL;
+    const BIGNUM *pub_key = NULL, *priv_key = NULL;
+
+    DSA_get0_pqg(dsa, &p, &q, &g);
+    DSA_get0_key(dsa, &pub_key, &priv_key);
+    bitlen = BN_num_bits(p);
+    if ((bitlen & 7) || (BN_num_bits(q) != 160)
+        || (BN_num_bits(g) > bitlen))
+        goto badkey;
+    if (ispub) {
+        if (BN_num_bits(pub_key) > bitlen)
+            goto badkey;
+        *pmagic = MS_DSS1MAGIC;
+    } else {
+        if (BN_num_bits(priv_key) > 160)
+            goto badkey;
+        *pmagic = MS_DSS2MAGIC;
+    }
+
+    return bitlen;
+ badkey:
+    ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_KEY_COMPONENTS);
+    return 0;
+}
+
+static void write_dsa(unsigned char **out, const DSA *dsa, int ispub)
+{
+    int nbyte;
+    const BIGNUM *p = NULL, *q = NULL, *g = NULL;
+    const BIGNUM *pub_key = NULL, *priv_key = NULL;
+
+    DSA_get0_pqg(dsa, &p, &q, &g);
+    DSA_get0_key(dsa, &pub_key, &priv_key);
+    nbyte = BN_num_bytes(p);
+    write_lebn(out, p, nbyte);
+    write_lebn(out, q, 20);
+    write_lebn(out, g, nbyte);
+    if (ispub)
+        write_lebn(out, pub_key, nbyte);
+    else
+        write_lebn(out, priv_key, 20);
+    /* Set "invalid" for seed structure values */
+    memset(*out, 0xff, 24);
+    *out += 24;
+    return;
+}
+#endif
+
+int i2b_PrivateKey_bio(BIO *out, const EVP_PKEY *pk)
+{
+    return do_i2b_bio(out, pk, 0);
+}
+
+int i2b_PublicKey_bio(BIO *out, const EVP_PKEY *pk)
+{
+    return do_i2b_bio(out, pk, 1);
+}
+
+int ossl_do_PVK_header(const unsigned char **in, unsigned int length,
+                       int skip_magic,
+                       unsigned int *psaltlen, unsigned int *pkeylen)
+{
+    const unsigned char *p = *in;
+    unsigned int pvk_magic, is_encrypted;
+
+    if (skip_magic) {
+        if (length < 20) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
+            return 0;
+        }
+    } else {
+        if (length < 24) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
+            return 0;
+        }
+        pvk_magic = read_ledword(&p);
+        if (pvk_magic != MS_PVKMAGIC) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_BAD_MAGIC_NUMBER);
+            return 0;
+        }
+    }
+    /* Skip reserved */
+    p += 4;
+    /*
+     * keytype =
+     */ read_ledword(&p);
+    is_encrypted = read_ledword(&p);
+    *psaltlen = read_ledword(&p);
+    *pkeylen = read_ledword(&p);
+
+    if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
+        return 0;
+
+    if (is_encrypted && *psaltlen == 0) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_INCONSISTENT_HEADER);
+        return 0;
+    }
+
+    *in = p;
+    return 1;
+}
+
+#ifndef OPENSSL_NO_RC4
+static int derive_pvk_key(unsigned char *key,
+                          const unsigned char *salt, unsigned int saltlen,
+                          const unsigned char *pass, int passlen,
+                          OSSL_LIB_CTX *libctx, const char *propq)
+{
+    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+    int rv = 0;
+    EVP_MD *sha1 = NULL;
+
+    if ((sha1 = EVP_MD_fetch(libctx, SN_sha1, propq)) == NULL)
+        goto err;
+
+    if (mctx == NULL
+        || !EVP_DigestInit_ex(mctx, sha1, NULL)
+        || !EVP_DigestUpdate(mctx, salt, saltlen)
+        || !EVP_DigestUpdate(mctx, pass, passlen)
+        || !EVP_DigestFinal_ex(mctx, key, NULL))
+        goto err;
+
+    rv = 1;
+err:
+    EVP_MD_CTX_free(mctx);
+    EVP_MD_free(sha1);
+    return rv;
+}
+#endif
+
+static void *do_PVK_body_key(const unsigned char **in,
+                             unsigned int saltlen, unsigned int keylen,
+                             pem_password_cb *cb, void *u,
+                             int *isdss, int *ispub,
+                             OSSL_LIB_CTX *libctx, const char *propq)
+{
+    const unsigned char *p = *in;
+    unsigned char *enctmp = NULL;
+    unsigned char keybuf[20];
+    void *key = NULL;
+#ifndef OPENSSL_NO_RC4
+    EVP_CIPHER *rc4 = NULL;
+#endif
+    EVP_CIPHER_CTX *cctx = EVP_CIPHER_CTX_new();
+
+    if (cctx == NULL) {
+        ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+
+    if (saltlen) {
+#ifndef OPENSSL_NO_RC4
+        unsigned int magic;
+        char psbuf[PEM_BUFSIZE];
+        int enctmplen, inlen;
+        unsigned char *q;
+
+        if (cb)
+            inlen = cb(psbuf, PEM_BUFSIZE, 0, u);
+        else
+            inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
+        if (inlen < 0) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
+            goto err;
+        }
+        enctmp = OPENSSL_malloc(keylen + 8);
+        if (enctmp == NULL) {
+            ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
+        if (!derive_pvk_key(keybuf, p, saltlen,
+                            (unsigned char *)psbuf, inlen, libctx, propq))
+            goto err;
+        p += saltlen;
+        /* Copy BLOBHEADER across, decrypt rest */
+        memcpy(enctmp, p, 8);
+        p += 8;
+        if (keylen < 8) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_PVK_TOO_SHORT);
+            goto err;
+        }
+        inlen = keylen - 8;
+        q = enctmp + 8;
+        if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)
+            goto err;
+        if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
+            goto err;
+        if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
+            goto err;
+        if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
+            goto err;
+        magic = read_ledword((const unsigned char **)&q);
+        if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
+            q = enctmp + 8;
+            memset(keybuf + 5, 0, 11);
+            if (!EVP_DecryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
+                goto err;
+            if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen))
+                goto err;
+            if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen))
+                goto err;
+            magic = read_ledword((const unsigned char **)&q);
+            if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) {
+                ERR_raise(ERR_LIB_PEM, PEM_R_BAD_DECRYPT);
+                goto err;
+            }
+        }
+        p = enctmp;
+#else
+        ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
+        goto err;
+#endif
+    }
+
+    key = do_b2i_key(&p, keylen, isdss, ispub);
+ err:
+    EVP_CIPHER_CTX_free(cctx);
+#ifndef OPENSSL_NO_RC4
+    EVP_CIPHER_free(rc4);
+#endif
+    if (enctmp != NULL) {
+        OPENSSL_cleanse(keybuf, sizeof(keybuf));
+        OPENSSL_free(enctmp);
+    }
+    return key;
+}
+
+static void *do_PVK_key_bio(BIO *in, pem_password_cb *cb, void *u,
+                            int *isdss, int *ispub,
+                            OSSL_LIB_CTX *libctx, const char *propq)
+{
+    unsigned char pvk_hdr[24], *buf = NULL;
+    const unsigned char *p;
+    int buflen;
+    void *key = NULL;
+    unsigned int saltlen, keylen;
+
+    if (BIO_read(in, pvk_hdr, 24) != 24) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
+        return NULL;
+    }
+    p = pvk_hdr;
+
+    if (!ossl_do_PVK_header(&p, 24, 0, &saltlen, &keylen))
+        return 0;
+    buflen = (int)keylen + saltlen;
+    buf = OPENSSL_malloc(buflen);
+    if (buf == NULL) {
+        ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+        return 0;
+    }
+    p = buf;
+    if (BIO_read(in, buf, buflen) != buflen) {
+        ERR_raise(ERR_LIB_PEM, PEM_R_PVK_DATA_TOO_SHORT);
+        goto err;
+    }
+    key = do_PVK_body_key(&p, saltlen, keylen, cb, u, isdss, ispub, libctx, propq);
+
+ err:
+    OPENSSL_clear_free(buf, buflen);
+    return key;
+}
+
+#ifndef OPENSSL_NO_DSA
+DSA *b2i_DSA_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u,
+                        OSSL_LIB_CTX *libctx, const char *propq)
+{
+    int isdss = 1;
+    int ispub = 0;               /* PVK keys are always private */
+
+    return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq);
+}
+
+DSA *b2i_DSA_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
+{
+    return b2i_DSA_PVK_bio_ex(in, cb, u, NULL, NULL);
+}
+#endif
+
+RSA *b2i_RSA_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u,
+                        OSSL_LIB_CTX *libctx, const char *propq)
+{
+    int isdss = 0;
+    int ispub = 0;               /* PVK keys are always private */
+
+    return do_PVK_key_bio(in, cb, u, &isdss, &ispub, libctx, propq);
+}
+
+RSA *b2i_RSA_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
+{
+    return b2i_RSA_PVK_bio_ex(in, cb, u, NULL, NULL);
+}
+
+EVP_PKEY *b2i_PVK_bio_ex(BIO *in, pem_password_cb *cb, void *u,
+                         OSSL_LIB_CTX *libctx, const char *propq)
+{
+    int isdss = -1;
+    int ispub = -1;
+    void *key = do_PVK_key_bio(in, cb, u, &isdss, &ispub, NULL, NULL);
+
+    return evp_pkey_new0_key(key, isdss_to_evp_type(isdss));
+}
+
+EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
+{
+    return b2i_PVK_bio_ex(in, cb, u, NULL, NULL);
+}
+
+static int i2b_PVK(unsigned char **out, const EVP_PKEY *pk, int enclevel,
+                   pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx,
+                   const char *propq)
+{
+    int ret = -1;
+    int outlen = 24, pklen;
+    unsigned char *p = NULL, *start = NULL;
+    EVP_CIPHER_CTX *cctx = NULL;
+#ifndef OPENSSL_NO_RC4
+    unsigned char *salt = NULL;
+    EVP_CIPHER *rc4 = NULL;
+#endif
+
+    if (enclevel)
+        outlen += PVK_SALTLEN;
+    pklen = do_i2b(NULL, pk, 0);
+    if (pklen < 0)
+        return -1;
+    outlen += pklen;
+    if (out == NULL)
+        return outlen;
+    if (*out != NULL) {
+        p = *out;
+    } else {
+        start = p = OPENSSL_malloc(outlen);
+        if (p == NULL) {
+            ERR_raise(ERR_LIB_PEM, ERR_R_MALLOC_FAILURE);
+            return -1;
+        }
+    }
+
+    cctx = EVP_CIPHER_CTX_new();
+    if (cctx == NULL)
+        goto error;
+
+    write_ledword(&p, MS_PVKMAGIC);
+    write_ledword(&p, 0);
+    if (EVP_PKEY_get_id(pk) == EVP_PKEY_RSA)
+        write_ledword(&p, MS_KEYTYPE_KEYX);
+#ifndef OPENSSL_NO_DSA
+    else
+        write_ledword(&p, MS_KEYTYPE_SIGN);
+#endif
+    write_ledword(&p, enclevel ? 1 : 0);
+    write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
+    write_ledword(&p, pklen);
+    if (enclevel) {
+#ifndef OPENSSL_NO_RC4
+        if (RAND_bytes_ex(libctx, p, PVK_SALTLEN, 0) <= 0)
+            goto error;
+        salt = p;
+        p += PVK_SALTLEN;
+#endif
+    }
+    do_i2b(&p, pk, 0);
+    if (enclevel != 0) {
+#ifndef OPENSSL_NO_RC4
+        char psbuf[PEM_BUFSIZE];
+        unsigned char keybuf[20];
+        int enctmplen, inlen;
+        if (cb)
+            inlen = cb(psbuf, PEM_BUFSIZE, 1, u);
+        else
+            inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u);
+        if (inlen <= 0) {
+            ERR_raise(ERR_LIB_PEM, PEM_R_BAD_PASSWORD_READ);
+            goto error;
+        }
+        if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN,
+                            (unsigned char *)psbuf, inlen, libctx, propq))
+            goto error;
+        if ((rc4 = EVP_CIPHER_fetch(libctx, "RC4", propq)) == NULL)
+            goto error;
+        if (enclevel == 1)
+            memset(keybuf + 5, 0, 11);
+        p = salt + PVK_SALTLEN + 8;
+        if (!EVP_EncryptInit_ex(cctx, rc4, NULL, keybuf, NULL))
+            goto error;
+        OPENSSL_cleanse(keybuf, 20);
+        if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8))
+            goto error;
+        if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen))
+            goto error;
+#else
+        ERR_raise(ERR_LIB_PEM, PEM_R_UNSUPPORTED_CIPHER);
+        goto error;
+#endif
+    }
+
+    if (*out == NULL)
+        *out = start;
+    ret = outlen;
+ error:
+    EVP_CIPHER_CTX_free(cctx);
+#ifndef OPENSSL_NO_RC4
+    EVP_CIPHER_free(rc4);
+#endif
+    if (*out == NULL)
+        OPENSSL_free(start);
+
+    return ret;
+}
+
+int i2b_PVK_bio_ex(BIO *out, const EVP_PKEY *pk, int enclevel,
+                   pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx,
+                   const char *propq)
+{
+    unsigned char *tmp = NULL;
+    int outlen, wrlen;
+
+    outlen = i2b_PVK(&tmp, pk, enclevel, cb, u, libctx, propq);
+    if (outlen < 0)
+        return -1;
+    wrlen = BIO_write(out, tmp, outlen);
+    OPENSSL_free(tmp);
+    if (wrlen == outlen) {
+        return outlen;
+    }
+    ERR_raise(ERR_LIB_PEM, PEM_R_BIO_WRITE_FAILURE);
+    return -1;
+}
+
+int i2b_PVK_bio(BIO *out, const EVP_PKEY *pk, int enclevel,
+                pem_password_cb *cb, void *u)
+{
+    return i2b_PVK_bio_ex(out, pk, enclevel, cb, u, NULL, NULL);
+}
+

+ 0 - 130
libs/openssl/crypto/perlasm/README.md

@@ -1,130 +0,0 @@
-Perl scripts for assembler sources
-==================================
-
-The perl scripts in this directory are my 'hack' to generate
-multiple different assembler formats via the one original script.
-
-The way to use this library is to start with adding the path to this directory
-and then include it.
-
-    push(@INC,"perlasm","../../perlasm");
-    require "x86asm.pl";
-
-The first thing we do is setup the file and type of assembler
-
-    &asm_init($ARGV[0]);
-
-The first argument is the 'type'.  Currently
-`cpp`, `sol`, `a.out`, `elf` or `win32`.
-The second argument is the file name.
-
-The reciprocal function is
-`&asm_finish()` which should be called at the end.
-
-There are two main 'packages'. `x86ms.pl`, which is the Microsoft assembler,
-and `x86unix.pl` which is the unix (gas) version.
-
-Functions of interest are:
-
-    &external_label("des_SPtrans");  declare and external variable
-    &LB(reg);                        Low byte for a register
-    &HB(reg);                        High byte for a register
-    &BP(off,base,index,scale)        Byte pointer addressing
-    &DWP(off,base,index,scale)       Word pointer addressing
-    &stack_push(num)                 Basically a 'sub esp, num*4' with extra
-    &stack_pop(num)                  inverse of stack_push
-    &function_begin(name,extra)      Start a function with pushing of
-                                     edi, esi, ebx and ebp. extra is extra win32
-                                     external info that may be required.
-    &function_begin_B(name,extra)    Same as normal function_begin but no
-                                     pushing.
-    &function_end(name)              Call at end of function.
-    &function_end_A(name)            Standard pop and ret, for use inside
-                                     functions.
-    &function_end_B(name)            Call at end but with pop or ret.
-    &swtmp(num)                      Address on stack temp word.
-    &wparam(num)                     Parameter number num, that was push in
-                                     C convention.  This all works over pushes
-                                     and pops.
-    &comment("hello there")          Put in a comment.
-    &label("loop")                   Refer to a label, normally a jmp target.
-    &set_label("loop")               Set a label at this point.
-    &data_word(word)                 Put in a word of data.
-
-So how does this all hold together?  Given
-
-    int calc(int len, int *data)
-    {
-        int i,j=0;
-
-        for (i=0; i<len; i++)
-        {
-            j+=other(data[i]);
-        }
-    }
-
-So a very simple version of this function could be coded as
-
-    push(@INC,"perlasm","../../perlasm");
-    require "x86asm.pl";
-
-    &asm_init($ARGV[0]);
-
-    &external_label("other");
-
-    $tmp1=   "eax";
-    $j=      "edi";
-    $data=   "esi";
-    $i=      "ebp";
-
-    &comment("a simple function");
-    &function_begin("calc");
-    &mov(    $data,     &wparam(1)); # data
-    &xor(    $j,        $j);
-    &xor(    $i,        $i);
-
-    &set_label("loop");
-    &cmp(    $i,        &wparam(0));
-    &jge(    &label("end"));
-
-    &mov(    $tmp1,     &DWP(0,$data,$i,4));
-    &push(   $tmp1);
-    &call(   "other");
-    &add(    $j,        "eax");
-    &pop(    $tmp1);
-    &inc(    $i);
-    &jmp(    &label("loop"));
-
-    &set_label("end");
-    &mov(    "eax",     $j);
-
-    &function_end("calc");
-
-    &asm_finish();
-
-The above example is very very unoptimised but gives an idea of how
-things work.
-
-There is also a cbc mode function generator in cbc.pl
-
-    &cbc($name,
-         $encrypt_function_name,
-         $decrypt_function_name,
-         $true_if_byte_swap_needed,
-         $parameter_number_for_iv,
-         $parameter_number_for_encrypt_flag,
-         $first_parameter_to_pass,
-         $second_parameter_to_pass,
-         $third_parameter_to_pass);
-
-So for example, given
-
-    void BF_encrypt(BF_LONG *data,BF_KEY *key);
-    void BF_decrypt(BF_LONG *data,BF_KEY *key);
-    void BF_cbc_encrypt(unsigned char *in, unsigned char *out, long length,
-                        BF_KEY *ks, unsigned char *iv, int enc);
-
-    &cbc("BF_cbc_encrypt","BF_encrypt","BF_encrypt",1,4,5,3,-1,-1);
-
-    &cbc("des_ncbc_encrypt","des_encrypt","des_encrypt",0,4,5,3,5,-1);
-    &cbc("des_ede3_cbc_encrypt","des_encrypt3","des_decrypt3",0,6,7,3,4,5);

+ 0 - 3175
libs/openssl/crypto/perlasm/s390x.pm

@@ -1,3175 +0,0 @@
-#!/usr/bin/env perl
-# Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-# Copyright IBM Corp. 2018-2019
-# Author: Patrick Steuer <[email protected]>
-
-package perlasm::s390x;
-
-use strict;
-use warnings;
-use bigint;
-use Carp qw(confess);
-use Exporter qw(import);
-
-our @EXPORT=qw(PERLASM_BEGIN PERLASM_END);
-our @EXPORT_OK=qw(AUTOLOAD LABEL INCLUDE stfle stck);
-our %EXPORT_TAGS=(
-	# store-clock-fast facility
-	SCF => [qw(stckf)],
-	# general-instruction-extension facility
-	GE => [qw(risbg)],
-	# extended-immediate facility
-	EI => [qw(clfi clgfi lt)],
-	# miscellaneous-instruction-extensions facility 1
-	MI1 => [qw(risbgn)],
-	# message-security assist
-	MSA => [qw(kmac km kmc kimd klmd)],
-	# message-security-assist extension 4
-	MSA4 => [qw(kmf kmo pcc kmctr)],
-	# message-security-assist extension 5
-	MSA5 => [qw(ppno prno)],
-	# message-security-assist extension 8
-	MSA8 => [qw(kma)],
-	# message-security-assist extension 9
-	MSA9 => [qw(kdsa)],
-	# vector facility
-	VX => [qw(vgef vgeg vgbm vzero vone vgm vgmb vgmh vgmf vgmg
-	    vl vlr vlrep vlrepb vlreph vlrepf vlrepg vleb vleh vlef vleg vleib
-	    vleih vleif vleig vlgv vlgvb vlgvh vlgvf vlgvg vllez vllezb vllezh
-	    vllezf vllezg vlm vlbb vlvg vlvgb vlvgh vlvgf vlvgg vlvgp
-	    vll vmrh vmrhb vmrhh vmrhf vmrhg vmrl vmrlb vmrlh vmrlf vmrlg vpk
-	    vpkh vpkf vpkg vpks vpksh vpksf vpksg vpkshs vpksfs vpksgs vpkls
-	    vpklsh vpklsf vpklsg vpklshs vpklsfs vpklsgs vperm vpdi vrep vrepb
-	    vreph vrepf vrepg vrepi vrepib vrepih vrepif vrepig vscef vsceg
-	    vsel vseg vsegb vsegh vsegf vst vsteb vsteh vstef vsteg vstm vstl
-	    vuph vuphb vuphh vuphf vuplh vuplhb vuplhh vuplhf vupl vuplb vuplhw
-	    vuplf vupll vupllb vupllh vupllf va vab vah vaf vag vaq vacc vaccb
-	    vacch vaccf vaccg vaccq vac vacq vaccc vacccq vn vnc vavg vavgb
-	    vavgh vavgf vavgg vavgl vavglb vavglh vavglf vavglg vcksm vec_ vecb
-	    vech vecf vecg vecl veclb veclh veclf veclg vceq vceqb vceqh vceqf
-	    vceqg vceqbs vceqhs vceqfs vceqgs vch vchb vchh vchf vchg vchbs
-	    vchhs vchfs vchgs vchl vchlb vchlh vchlf vchlg vchlbs vchlhs vchlfs
-	    vchlgs vclz vclzb vclzh vclzf vclzg vctz vctzb vctzh vctzf vctzg
-	    vx vgfm vgfmb vgfmh vgfmf vgfmg vgfma vgfmab vgfmah vgfmaf vgfmag
-	    vlc vlcb vlch vlcf vlcg vlp vlpb vlph vlpf vlpg vmx vmxb vmxh vmxf
-	    vmxg vmxl vmxlb vmxlh vmxlf vmxlg vmn vmnb vmnh vmnf vmng vmnl
-	    vmnlb vmnlh vmnlf vmnlg vmal vmalb vmalhw vmalf vmah vmahb vmahh
-	    vmahf vmalh vmalhb vmalhh vmalhf vmae vmaeb vmaeh vmaef vmale
-	    vmaleb vmaleh vmalef vmao vmaob vmaoh vmaof vmalo vmalob vmaloh
-	    vmalof vmh vmhb vmhh vmhf vmlh vmlhb vmlhh vmlhf vml vmlb vmlhw
-	    vmlf vme vmeb vmeh vmef vmle vmleb vmleh vmlef vmo vmob vmoh vmof
-	    vmlo vmlob vmloh vmlof vno vnot vo vpopct verllv verllvb verllvh
-	    verllvf verllvg verll verllb verllh verllf verllg verim verimb
-	    verimh verimf verimg veslv veslvb veslvh veslvf veslvg vesl veslb
-	    veslh veslf veslg vesrav vesravb vesravh vesravf vesravg vesra
-	    vesrab vesrah vesraf vesrag vesrlv vesrlvb vesrlvh vesrlvf vesrlvg
-	    vesrl vesrlb vesrlh vesrlf vesrlg vsl vslb vsldb vsra vsrab vsrl
-	    vsrlb vs vsb vsh vsf vsg vsq vscbi vscbib vscbih vscbif vscbig
-	    vscbiq vsbi vsbiq vsbcbi vsbcbiq vsumg vsumgh vsumgf vsumq vsumqf
-	    vsumqg vsum vsumb vsumh vtm vfae vfaeb vfaeh vfaef vfaebs vfaehs
-	    vfaefs vfaezb vfaezh vfaezf vfaezbs vfaezhs vfaezfs vfee vfeeb
-	    vfeeh vfeef vfeebs vfeehs vfeefs vfeezb vfeezh vfeezf vfeezbs
-	    vfeezhs vfeezfs vfene vfeneb vfeneh vfenef vfenebs vfenehs vfenefs
-	    vfenezb vfenezh vfenezf vfenezbs vfenezhs vfenezfs vistr vistrb
-	    vistrh vistrf vistrbs vistrhs vistrfs vstrc vstrcb vstrch vstrcf
-	    vstrcbs vstrchs vstrcfs vstrczb vstrczh vstrczf vstrczbs vstrczhs
-	    vstrczfs vfa vfadb wfadb wfc wfcdb wfk wfkdb vfce vfcedb wfcedb
-	    vfcedbs wfcedbs vfch vfchdb wfchdb vfchdbs wfchdbs vfche vfchedb
-	    wfchedb vfchedbs wfchedbs vcdg vcdgb wcdgb vcdlg vcdlgb wcdlgb vcgd
-	    vcgdb wcgdb vclgd vclgdb wclgdb vfd vfddb wfddb vfi vfidb wfidb
-	    vlde vldeb wldeb vled vledb wledb vfm vfmdb wfmdb vfma vfmadb
-	    wfmadb vfms vfmsdb wfmsdb vfpso vfpsodb wfpsodb vflcdb wflcdb
-	    vflndb wflndb vflpdb wflpdb vfsq vfsqdb wfsqdb vfs vfsdb wfsdb
-	    vftci vftcidb wftcidb)],
-	# vector-enhancements facility 1
-	VXE => [qw(vbperm vllezlf vmsl vmslg vnx vnn voc vpopctb vpopcth
-	    vpopctf vpopctg vfasb wfasb wfaxb wfcsb wfcxb wfksb wfkxb vfcesb
-	    vfcesbs wfcesb wfcesbs wfcexb wfcexbs vfchsb vfchsbs wfchsb wfchsbs
-	    wfchxb wfchxbs vfchesb vfchesbs wfchesb wfchesbs wfchexb wfchexbs
-	    vfdsb wfdsb wfdxb vfisb wfisb wfixb vfll vflls wflls wflld vflr
-	    vflrd wflrd wflrx vfmax vfmaxsb vfmaxdb wfmaxsb wfmaxdb wfmaxxb
-	    vfmin vfminsb vfmindb wfminsb wfmindb wfminxb vfmsb wfmsb wfmxb
-	    vfnma vfnms vfmasb wfmasb wfmaxb vfmssb wfmssb wfmsxb vfnmasb
-	    vfnmadb wfnmasb wfnmadb wfnmaxb vfnmssb vfnmsdb wfnmssb wfnmsdb
-	    wfnmsxb vfpsosb wfpsosb vflcsb wflcsb vflnsb wflnsb vflpsb wflpsb
-	    vfpsoxb wfpsoxb vflcxb wflcxb vflnxb wflnxb vflpxb wflpxb vfsqsb
-	    wfsqsb wfsqxb vfssb wfssb wfsxb vftcisb wftcisb wftcixb)],
-	# vector-packed-decimal facility
-	VXD => [qw(vlrlr vlrl vstrlr vstrl vap vcp vcvb vcvbg vcvd vcvdg vdp
-	    vlip vmp vmsp vpkz vpsop vrp vsdp vsrp vsp vtp vupkz)],
-);
-Exporter::export_ok_tags(qw(SCF GE EI MI1 MSA MSA4 MSA5 MSA8 MSA9 VX VXE VXD));
-
-our $AUTOLOAD;
-
-my $GR='(?:%r)?([0-9]|1[0-5])';
-my $VR='(?:%v)?([0-9]|1[0-9]|2[0-9]|3[0-1])';
-
-my ($file,$out);
-
-sub PERLASM_BEGIN
-{
-	($file,$out)=(shift,"");
-}
-sub PERLASM_END
-{
-	if (defined($file)) {
-		open(my $fd,'>',$file)||die("can't open $file: $!");
-		print({$fd}$out);
-		close($fd);
-	} else {
-		print($out);
-	}
-}
-
-sub AUTOLOAD {
-	confess(err("PARSE")) if (grep(!defined($_),@_));
-	my $token;
-	for ($AUTOLOAD) {
-		$token=lc(".$1") if (/^.*::([A-Z_]+)$/);# uppercase: directive
-		$token="\t$1" if (/^.*::([a-z]+)$/);	# lowercase: mnemonic
-		confess(err("PARSE")) if (!defined($token));
-	}
-	$token.="\t" if ($#_>=0);
-	$out.=$token.join(',',@_)."\n";
-}
-
-sub LABEL {						# label directive
-	confess(err("ARGNUM")) if ($#_!=0);
-	my ($label)=@_;
-	$out.="$label:\n";
-}
-
-sub INCLUDE {
-	confess(err("ARGNUM")) if ($#_!=0);
-	my ($file)=@_;
-	$out.="#include \"$file\"\n";
-}
-
-#
-# Mnemonics
-#
-
-sub stfle {
-	confess(err("ARGNUM")) if ($#_!=0);
-	S(0xb2b0,@_);
-}
-
-sub stck {
-	confess(err("ARGNUM")) if ($#_!=0);
-	S(0xb205,@_);
-}
-
-# store-clock-fast facility
-
-sub stckf {
-	confess(err("ARGNUM")) if ($#_!=0);
-	S(0xb27c,@_);
-}
-
-# extended-immediate facility
-
-sub clfi {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RILa(0xc2f,@_);
-}
-
-sub clgfi {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RILa(0xc2e,@_);
-}
-
-sub lt {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RXYa(0xe312,@_);
-}
-
-# general-instruction-extension facility
-
-sub risbg {
-	confess(err("ARGNUM")) if ($#_<3||$#_>4);
-	RIEf(0xec55,@_);
-}
-
-# miscellaneous-instruction-extensions facility 1
-
-sub risbgn {
-	confess(err("ARGNUM")) if ($#_<3||$#_>4);
-	RIEf(0xec59,@_);
-}
-
-# MSA
-
-sub kmac {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb91e,@_);
-}
-
-sub km {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb92e,@_);
-}
-
-sub kmc {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb92f,@_);
-}
-
-sub kimd {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb93e,@_);
-}
-
-sub klmd {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb93f,@_);
-}
-
-# MSA4
-
-sub kmf {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb92a,@_);
-}
-
-sub kmo {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb92b,@_);
-}
-
-sub pcc {
-	confess(err("ARGNUM")) if ($#_!=-1);
-	RRE(0xb92c,@_);
-}
-
-sub kmctr {
-	confess(err("ARGNUM")) if ($#_!=2);
-	RRFb(0xb92d,@_);
-}
-
-# MSA5
-
-sub prno {
-	ppno(@_);
-}
-
-sub ppno {						# deprecated, use prno
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb93c,@_);
-}
-
-# MSA8
-
-sub kma {
-	confess(err("ARGNUM")) if ($#_!=2);
-	RRFb(0xb929,@_);
-}
-
-# MSA9
-
-sub kdsa {
-	confess(err("ARGNUM")) if ($#_!=1);
-	RRE(0xb93a,@_);
-}
-
-# VX - Support Instructions
-
-sub vgef {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRV(0xe713,@_);
-}
-sub vgeg {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRV(0xe712,@_);
-}
-
-sub vgbm {
-	confess(err("ARGNUM")) if ($#_!=1);
-	VRIa(0xe744,@_);
-}
-sub vzero {
-	vgbm(@_,0);
-}
-sub vone {
-	vgbm(@_,0xffff);
-}
-
-sub vgm {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRIb(0xe746,@_);
-}
-sub vgmb {
-	vgm(@_,0);
-}
-sub vgmh {
-	vgm(@_,1);
-}
-sub vgmf {
-	vgm(@_,2);
-}
-sub vgmg {
-	vgm(@_,3);
-}
-
-sub vl {
-	confess(err("ARGNUM")) if ($#_<1||$#_>2);
-	VRX(0xe706,@_);
-}
-
-sub vlr {
-	confess(err("ARGNUM")) if ($#_!=1);
-	VRRa(0xe756,@_);
-}
-
-sub vlrep {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe705,@_);
-}
-sub vlrepb {
-	vlrep(@_,0);
-}
-sub vlreph {
-	vlrep(@_,1);
-}
-sub vlrepf {
-	vlrep(@_,2);
-}
-sub vlrepg {
-	vlrep(@_,3);
-}
-
-sub vleb {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe700,@_);
-}
-sub vleh {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe701,@_);
-}
-sub vlef {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe703,@_);
-}
-sub vleg {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe702,@_);
-}
-
-sub vleib {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRIa(0xe740,@_);
-}
-sub vleih {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRIa(0xe741,@_);
-}
-sub vleif {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRIa(0xe743,@_);
-}
-sub vleig {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRIa(0xe742,@_);
-}
-
-sub vlgv {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRSc(0xe721,@_);
-}
-sub vlgvb {
-	vlgv(@_,0);
-}
-sub vlgvh {
-	vlgv(@_,1);
-}
-sub vlgvf {
-	vlgv(@_,2);
-}
-sub vlgvg {
-	vlgv(@_,3);
-}
-
-sub vllez {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe704,@_);
-}
-sub vllezb {
-	vllez(@_,0);
-}
-sub vllezh {
-	vllez(@_,1);
-}
-sub vllezf {
-	vllez(@_,2);
-}
-sub vllezg {
-	vllez(@_,3);
-}
-
-sub vlm {
-	confess(err("ARGNUM")) if ($#_<2||$#_>3);
-	VRSa(0xe736,@_);
-}
-
-sub vlbb {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe707,@_);
-}
-
-sub vlvg {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRSb(0xe722,@_);
-}
-sub vlvgb {
-	vlvg(@_,0);
-}
-sub vlvgh {
-	vlvg(@_,1);
-}
-sub vlvgf {
-	vlvg(@_,2);
-}
-sub vlvgg {
-	vlvg(@_,3);
-}
-
-sub vlvgp {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRf(0xe762,@_);
-}
-
-sub vll {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRSb(0xe737,@_);
-}
-
-sub vmrh {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe761,@_);
-}
-sub vmrhb {
-	vmrh(@_,0);
-}
-sub vmrhh {
-	vmrh(@_,1);
-}
-sub vmrhf {
-	vmrh(@_,2);
-}
-sub vmrhg {
-	vmrh(@_,3);
-}
-
-sub vmrl {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe760,@_);
-}
-sub vmrlb {
-	vmrl(@_,0);
-}
-sub vmrlh {
-	vmrl(@_,1);
-}
-sub vmrlf {
-	vmrl(@_,2);
-}
-sub vmrlg {
-	vmrl(@_,3);
-}
-
-sub vpk {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe794,@_);
-}
-sub vpkh {
-	vpk(@_,1);
-}
-sub vpkf {
-	vpk(@_,2);
-}
-sub vpkg {
-	vpk(@_,3);
-}
-
-sub vpks {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRb(0xe797,@_);
-}
-sub vpksh {
-	vpks(@_,1,0);
-}
-sub vpksf {
-	vpks(@_,2,0);
-}
-sub vpksg {
-	vpks(@_,3,0);
-}
-sub vpkshs {
-	vpks(@_,1,1);
-}
-sub vpksfs {
-	vpks(@_,2,1);
-}
-sub vpksgs {
-	vpks(@_,3,1);
-}
-
-sub vpkls {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRb(0xe795,@_);
-}
-sub vpklsh {
-	vpkls(@_,1,0);
-}
-sub vpklsf {
-	vpkls(@_,2,0);
-}
-sub vpklsg {
-	vpkls(@_,3,0);
-}
-sub vpklshs {
-	vpkls(@_,1,1);
-}
-sub vpklsfs {
-	vpkls(@_,2,1);
-}
-sub vpklsgs {
-	vpkls(@_,3,1);
-}
-
-sub vperm {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRe(0xe78c,@_);
-}
-
-sub vpdi {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe784,@_);
-}
-
-sub vrep {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRIc(0xe74d,@_);
-}
-sub vrepb {
-	vrep(@_,0);
-}
-sub vreph {
-	vrep(@_,1);
-}
-sub vrepf {
-	vrep(@_,2);
-}
-sub vrepg {
-	vrep(@_,3);
-}
-
-sub vrepi {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRIa(0xe745,@_);
-}
-sub vrepib {
-	vrepi(@_,0);
-}
-sub vrepih {
-	vrepi(@_,1);
-}
-sub vrepif {
-	vrepi(@_,2);
-}
-sub vrepig {
-	vrepi(@_,3);
-}
-
-sub vscef {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRV(0xe71b,@_);
-}
-sub vsceg {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRV(0xe71a,@_);
-}
-
-sub vsel {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRe(0xe78d,@_);
-}
-
-sub vseg {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe75f,@_);
-}
-sub vsegb {
-	vseg(@_,0);
-}
-sub vsegh {
-	vseg(@_,1);
-}
-sub vsegf {
-	vseg(@_,2);
-}
-
-sub vst {
-	confess(err("ARGNUM")) if ($#_<1||$#_>2);
-	VRX(0xe70e,@_);
-}
-
-sub vsteb {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe708,@_);
-}
-sub vsteh {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe709,@_);
-}
-sub vstef {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe70b,@_);
-}
-sub vsteg {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRX(0xe70a,@_);
-}
-
-sub vstm {
-	confess(err("ARGNUM")) if ($#_<2||$#_>3);
-	VRSa(0xe73e,@_);
-}
-
-sub vstl {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRSb(0xe73f,@_);
-}
-
-sub vuph {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7d7,@_);
-}
-sub vuphb {
-	vuph(@_,0);
-}
-sub vuphh {
-	vuph(@_,1);
-}
-sub vuphf {
-	vuph(@_,2);
-}
-
-sub vuplh {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7d5,@_);
-}
-sub vuplhb {
-	vuplh(@_,0);
-}
-sub vuplhh {
-	vuplh(@_,1);
-}
-sub vuplhf {
-	vuplh(@_,2);
-}
-
-sub vupl {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7d6,@_);
-}
-sub vuplb {
-	vupl(@_,0);
-}
-sub vuplhw {
-	vupl(@_,1);
-}
-sub vuplf {
-	vupl(@_,2);
-}
-
-sub vupll {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7d4,@_);
-}
-sub vupllb {
-	vupll(@_,0);
-}
-sub vupllh {
-	vupll(@_,1);
-}
-sub vupllf {
-	vupll(@_,2);
-}
-
-# VX - Integer Instructions
-
-sub va {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7f3,@_);
-}
-sub vab {
-	va(@_,0);
-}
-sub vah {
-	va(@_,1);
-}
-sub vaf {
-	va(@_,2);
-}
-sub vag {
-	va(@_,3);
-}
-sub vaq {
-	va(@_,4);
-}
-
-sub vacc {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7f1,@_);
-}
-sub vaccb {
-	vacc(@_,0);
-}
-sub vacch {
-	vacc(@_,1);
-}
-sub vaccf {
-	vacc(@_,2);
-}
-sub vaccg {
-	vacc(@_,3);
-}
-sub vaccq {
-	vacc(@_,4);
-}
-
-sub vac {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7bb,@_);
-}
-sub vacq {
-	vac(@_,4);
-}
-
-sub vaccc {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7b9,@_);
-}
-sub vacccq {
-	vaccc(@_,4);
-}
-
-sub vn {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe768,@_);
-}
-
-sub vnc {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe769,@_);
-}
-
-sub vavg {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7f2,@_);
-}
-sub vavgb {
-	vavg(@_,0);
-}
-sub vavgh {
-	vavg(@_,1);
-}
-sub vavgf {
-	vavg(@_,2);
-}
-sub vavgg {
-	vavg(@_,3);
-}
-
-sub vavgl {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7f0,@_);
-}
-sub vavglb {
-	vavgl(@_,0);
-}
-sub vavglh {
-	vavgl(@_,1);
-}
-sub vavglf {
-	vavgl(@_,2);
-}
-sub vavglg {
-	vavgl(@_,3);
-}
-
-sub vcksm {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe766,@_);
-}
-
-sub vec_ {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7db,@_);
-}
-sub vecb {
-	vec_(@_,0);
-}
-sub vech {
-	vec_(@_,1);
-}
-sub vecf {
-	vec_(@_,2);
-}
-sub vecg {
-	vec_(@_,3);
-}
-
-sub vecl {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7d9,@_);
-}
-sub veclb {
-	vecl(@_,0);
-}
-sub veclh {
-	vecl(@_,1);
-}
-sub veclf {
-	vecl(@_,2);
-}
-sub veclg {
-	vecl(@_,3);
-}
-
-sub vceq {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRb(0xe7f8,@_);
-}
-sub vceqb {
-	vceq(@_,0,0);
-}
-sub vceqh {
-	vceq(@_,1,0);
-}
-sub vceqf {
-	vceq(@_,2,0);
-}
-sub vceqg {
-	vceq(@_,3,0);
-}
-sub vceqbs {
-	vceq(@_,0,1);
-}
-sub vceqhs {
-	vceq(@_,1,1);
-}
-sub vceqfs {
-	vceq(@_,2,1);
-}
-sub vceqgs {
-	vceq(@_,3,1);
-}
-
-sub vch {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRb(0xe7fb,@_);
-}
-sub vchb {
-	vch(@_,0,0);
-}
-sub vchh {
-	vch(@_,1,0);
-}
-sub vchf {
-	vch(@_,2,0);
-}
-sub vchg {
-	vch(@_,3,0);
-}
-sub vchbs {
-	vch(@_,0,1);
-}
-sub vchhs {
-	vch(@_,1,1);
-}
-sub vchfs {
-	vch(@_,2,1);
-}
-sub vchgs {
-	vch(@_,3,1);
-}
-
-sub vchl {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRb(0xe7f9,@_);
-}
-sub vchlb {
-	vchl(@_,0,0);
-}
-sub vchlh {
-	vchl(@_,1,0);
-}
-sub vchlf {
-	vchl(@_,2,0);
-}
-sub vchlg {
-	vchl(@_,3,0);
-}
-sub vchlbs {
-	vchl(@_,0,1);
-}
-sub vchlhs {
-	vchl(@_,1,1);
-}
-sub vchlfs {
-	vchl(@_,2,1);
-}
-sub vchlgs {
-	vchl(@_,3,1);
-}
-
-sub vclz {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe753,@_);
-}
-sub vclzb {
-	vclz(@_,0);
-}
-sub vclzh {
-	vclz(@_,1);
-}
-sub vclzf {
-	vclz(@_,2);
-}
-sub vclzg {
-	vclz(@_,3);
-}
-
-sub vctz {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe752,@_);
-}
-sub vctzb {
-	vctz(@_,0);
-}
-sub vctzh {
-	vctz(@_,1);
-}
-sub vctzf {
-	vctz(@_,2);
-}
-sub vctzg {
-	vctz(@_,3);
-}
-
-sub vx {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe76d,@_);
-}
-
-sub vgfm {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7b4,@_);
-}
-sub vgfmb {
-	vgfm(@_,0);
-}
-sub vgfmh {
-	vgfm(@_,1);
-}
-sub vgfmf {
-	vgfm(@_,2);
-}
-sub vgfmg {
-	vgfm(@_,3);
-}
-
-sub vgfma {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7bc,@_);
-}
-sub vgfmab {
-	vgfma(@_,0);
-}
-sub vgfmah {
-	vgfma(@_,1);
-}
-sub vgfmaf {
-	vgfma(@_,2);
-}
-sub vgfmag {
-	vgfma(@_,3);
-}
-
-sub vlc {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7de,@_);
-}
-sub vlcb {
-	vlc(@_,0);
-}
-sub vlch {
-	vlc(@_,1);
-}
-sub vlcf {
-	vlc(@_,2);
-}
-sub vlcg {
-	vlc(@_,3);
-}
-
-sub vlp {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe7df,@_);
-}
-sub vlpb {
-	vlp(@_,0);
-}
-sub vlph {
-	vlp(@_,1);
-}
-sub vlpf {
-	vlp(@_,2);
-}
-sub vlpg {
-	vlp(@_,3);
-}
-
-sub vmx {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7ff,@_);
-}
-sub vmxb {
-	vmx(@_,0);
-}
-sub vmxh {
-	vmx(@_,1);
-}
-sub vmxf {
-	vmx(@_,2);
-}
-sub vmxg {
-	vmx(@_,3);
-}
-
-sub vmxl {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7fd,@_);
-}
-sub vmxlb {
-	vmxl(@_,0);
-}
-sub vmxlh {
-	vmxl(@_,1);
-}
-sub vmxlf {
-	vmxl(@_,2);
-}
-sub vmxlg {
-	vmxl(@_,3);
-}
-
-sub vmn {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7fe,@_);
-}
-sub vmnb {
-	vmn(@_,0);
-}
-sub vmnh {
-	vmn(@_,1);
-}
-sub vmnf {
-	vmn(@_,2);
-}
-sub vmng {
-	vmn(@_,3);
-}
-
-sub vmnl {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7fc,@_);
-}
-sub vmnlb {
-	vmnl(@_,0);
-}
-sub vmnlh {
-	vmnl(@_,1);
-}
-sub vmnlf {
-	vmnl(@_,2);
-}
-sub vmnlg {
-	vmnl(@_,3);
-}
-
-sub vmal {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7aa,@_);
-}
-sub vmalb {
-	vmal(@_,0);
-}
-sub vmalhw {
-	vmal(@_,1);
-}
-sub vmalf {
-	vmal(@_,2);
-}
-
-sub vmah {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7ab,@_);
-}
-sub vmahb {
-	vmah(@_,0);
-}
-sub vmahh {
-	vmah(@_,1);
-}
-sub vmahf {
-	vmah(@_,2);
-}
-
-sub vmalh {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7a9,@_);
-}
-sub vmalhb {
-	vmalh(@_,0);
-}
-sub vmalhh {
-	vmalh(@_,1);
-}
-sub vmalhf {
-	vmalh(@_,2);
-}
-
-sub vmae {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7ae,@_);
-}
-sub vmaeb {
-	vmae(@_,0);
-}
-sub vmaeh {
-	vmae(@_,1);
-}
-sub vmaef {
-	vmae(@_,2);
-}
-
-sub vmale {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7ac,@_);
-}
-sub vmaleb {
-	vmale(@_,0);
-}
-sub vmaleh {
-	vmale(@_,1);
-}
-sub vmalef {
-	vmale(@_,2);
-}
-
-sub vmao {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7af,@_);
-}
-sub vmaob {
-	vmao(@_,0);
-}
-sub vmaoh {
-	vmao(@_,1);
-}
-sub vmaof {
-	vmao(@_,2);
-}
-
-sub vmalo {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7ad,@_);
-}
-sub vmalob {
-	vmalo(@_,0);
-}
-sub vmaloh {
-	vmalo(@_,1);
-}
-sub vmalof {
-	vmalo(@_,2);
-}
-
-sub vmh {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7a3,@_);
-}
-sub vmhb {
-	vmh(@_,0);
-}
-sub vmhh {
-	vmh(@_,1);
-}
-sub vmhf {
-	vmh(@_,2);
-}
-
-sub vmlh {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7a1,@_);
-}
-sub vmlhb {
-	vmlh(@_,0);
-}
-sub vmlhh {
-	vmlh(@_,1);
-}
-sub vmlhf {
-	vmlh(@_,2);
-}
-
-sub vml {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7a2,@_);
-}
-sub vmlb {
-	vml(@_,0);
-}
-sub vmlhw {
-	vml(@_,1);
-}
-sub vmlf {
-	vml(@_,2);
-}
-
-sub vme {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7a6,@_);
-}
-sub vmeb {
-	vme(@_,0);
-}
-sub vmeh {
-	vme(@_,1);
-}
-sub vmef {
-	vme(@_,2);
-}
-
-sub vmle {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7a4,@_);
-}
-sub vmleb {
-	vmle(@_,0);
-}
-sub vmleh {
-	vmle(@_,1);
-}
-sub vmlef {
-	vmle(@_,2);
-}
-
-sub vmo {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7a7,@_);
-}
-sub vmob {
-	vmo(@_,0);
-}
-sub vmoh {
-	vmo(@_,1);
-}
-sub vmof {
-	vmo(@_,2);
-}
-
-sub vmlo {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7a5,@_);
-}
-sub vmlob {
-	vmlo(@_,0);
-}
-sub vmloh {
-	vmlo(@_,1);
-}
-sub vmlof {
-	vmlo(@_,2);
-}
-
-sub vno {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe76b,@_);
-}
-sub vnot {
-	vno(@_,$_[1]);
-}
-
-sub vo {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe76a,@_);
-}
-
-sub vpopct {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRa(0xe750,@_);
-}
-
-sub verllv {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe773,@_);
-}
-sub verllvb {
-	verllv(@_,0);
-}
-sub verllvh {
-	verllv(@_,1);
-}
-sub verllvf {
-	verllv(@_,2);
-}
-sub verllvg {
-	verllv(@_,3);
-}
-
-sub verll {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRSa(0xe733,@_);
-}
-sub verllb {
-	verll(@_,0);
-}
-sub verllh {
-	verll(@_,1);
-}
-sub verllf {
-	verll(@_,2);
-}
-sub verllg {
-	verll(@_,3);
-}
-
-sub verim {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRId(0xe772,@_);
-}
-sub verimb {
-	verim(@_,0);
-}
-sub verimh {
-	verim(@_,1);
-}
-sub verimf {
-	verim(@_,2);
-}
-sub verimg {
-	verim(@_,3);
-}
-
-sub veslv {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe770,@_);
-}
-sub veslvb {
-	veslv(@_,0);
-}
-sub veslvh {
-	veslv(@_,1);
-}
-sub veslvf {
-	veslv(@_,2);
-}
-sub veslvg {
-	veslv(@_,3);
-}
-
-sub vesl {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRSa(0xe730,@_);
-}
-sub veslb {
-	vesl(@_,0);
-}
-sub veslh {
-	vesl(@_,1);
-}
-sub veslf {
-	vesl(@_,2);
-}
-sub veslg {
-	vesl(@_,3);
-}
-
-sub vesrav {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe77a,@_);
-}
-sub vesravb {
-	vesrav(@_,0);
-}
-sub vesravh {
-	vesrav(@_,1);
-}
-sub vesravf {
-	vesrav(@_,2);
-}
-sub vesravg {
-	vesrav(@_,3);
-}
-
-sub vesra {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRSa(0xe73a,@_);
-}
-sub vesrab {
-	vesra(@_,0);
-}
-sub vesrah {
-	vesra(@_,1);
-}
-sub vesraf {
-	vesra(@_,2);
-}
-sub vesrag {
-	vesra(@_,3);
-}
-
-sub vesrlv {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe778,@_);
-}
-sub vesrlvb {
-	vesrlv(@_,0);
-}
-sub vesrlvh {
-	vesrlv(@_,1);
-}
-sub vesrlvf {
-	vesrlv(@_,2);
-}
-sub vesrlvg {
-	vesrlv(@_,3);
-}
-
-sub vesrl {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRSa(0xe738,@_);
-}
-sub vesrlb {
-	vesrl(@_,0);
-}
-sub vesrlh {
-	vesrl(@_,1);
-}
-sub vesrlf {
-	vesrl(@_,2);
-}
-sub vesrlg {
-	vesrl(@_,3);
-}
-
-sub vsl {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe774,@_);
-}
-
-sub vslb {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe775,@_);
-}
-
-sub vsldb {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRId(0xe777,@_);
-}
-
-sub vsra {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe77e,@_);
-}
-
-sub vsrab {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe77f,@_);
-}
-
-sub vsrl {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe77c,@_);
-}
-
-sub vsrlb {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe77d,@_);
-}
-
-sub vs {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7f7,@_);
-}
-sub vsb {
-	vs(@_,0);
-}
-sub vsh {
-	vs(@_,1);
-}
-sub vsf {
-	vs(@_,2);
-}
-sub vsg {
-	vs(@_,3);
-}
-sub vsq {
-	vs(@_,4);
-}
-
-sub vscbi {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe7f5,@_);
-}
-sub vscbib {
-	vscbi(@_,0);
-}
-sub vscbih {
-	vscbi(@_,1);
-}
-sub vscbif {
-	vscbi(@_,2);
-}
-sub vscbig {
-	vscbi(@_,3);
-}
-sub vscbiq {
-	vscbi(@_,4);
-}
-
-sub vsbi {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7bf,@_);
-}
-sub vsbiq {
-	vsbi(@_,4);
-}
-
-sub vsbcbi {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRd(0xe7bd,@_);
-}
-sub vsbcbiq {
-	vsbcbi(@_,4);
-}
-
-sub vsumg {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe765,@_);
-}
-sub vsumgh {
-	vsumg(@_,1);
-}
-sub vsumgf {
-	vsumg(@_,2);
-}
-
-sub vsumq {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe767,@_);
-}
-sub vsumqf {
-	vsumq(@_,2);
-}
-sub vsumqg {
-	vsumq(@_,3);
-}
-
-sub vsum {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRc(0xe764,@_);
-}
-sub vsumb {
-	vsum(@_,0);
-}
-sub vsumh {
-	vsum(@_,1);
-}
-
-sub vtm {
-	confess(err("ARGNUM")) if ($#_!=1);
-	VRRa(0xe7d8,@_);
-}
-
-# VX - String Instructions
-
-sub vfae {
-	confess(err("ARGNUM")) if ($#_<3||$#_>4);
-	VRRb(0xe782,@_);
-}
-sub vfaeb {
-	vfae(@_[0..2],0,$_[3]);
-}
-sub vfaeh {
-	vfae(@_[0..2],1,$_[3]);
-}
-sub vfaef {
-	vfae(@_[0..2],2,$_[3]);
-}
-sub vfaebs {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],0,0x1|$_[3]);
-}
-sub vfaehs {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],1,0x1|$_[3]);
-}
-sub vfaefs {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],2,0x1|$_[3]);
-}
-sub vfaezb {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],0,0x2|$_[3]);
-}
-sub vfaezh {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],1,0x2|$_[3]);
-}
-sub vfaezf {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],2,0x2|$_[3]);
-}
-sub vfaezbs {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],0,0x3|$_[3]);
-}
-sub vfaezhs {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],1,0x3|$_[3]);
-}
-sub vfaezfs {
-	$_[3]=0 if (!defined($_[3]));
-	vfae(@_[0..2],2,0x3|$_[3]);
-}
-
-sub vfee {
-	confess(err("ARGNUM")) if ($#_<3||$#_>4);
-	VRRb(0xe780,@_);
-}
-sub vfeeb {
-	vfee(@_[0..2],0,$_[3]);
-}
-sub vfeeh {
-	vfee(@_[0..2],1,$_[3]);
-}
-sub vfeef {
-	vfee(@_[0..2],2,$_[3]);
-}
-sub vfeebs {
-	vfee(@_,0,1);
-}
-sub vfeehs {
-	vfee(@_,1,1);
-}
-sub vfeefs {
-	vfee(@_,2,1);
-}
-sub vfeezb {
-	vfee(@_,0,2);
-}
-sub vfeezh {
-	vfee(@_,1,2);
-}
-sub vfeezf {
-	vfee(@_,2,2);
-}
-sub vfeezbs {
-	vfee(@_,0,3);
-}
-sub vfeezhs {
-	vfee(@_,1,3);
-}
-sub vfeezfs {
-	vfee(@_,2,3);
-}
-
-sub vfene {
-	confess(err("ARGNUM")) if ($#_<3||$#_>4);
-	VRRb(0xe781,@_);
-}
-sub vfeneb {
-	vfene(@_[0..2],0,$_[3]);
-}
-sub vfeneh {
-	vfene(@_[0..2],1,$_[3]);
-}
-sub vfenef {
-	vfene(@_[0..2],2,$_[3]);
-}
-sub vfenebs {
-	vfene(@_,0,1);
-}
-sub vfenehs {
-	vfene(@_,1,1);
-}
-sub vfenefs {
-	vfene(@_,2,1);
-}
-sub vfenezb {
-	vfene(@_,0,2);
-}
-sub vfenezh {
-	vfene(@_,1,2);
-}
-sub vfenezf {
-	vfene(@_,2,2);
-}
-sub vfenezbs {
-	vfene(@_,0,3);
-}
-sub vfenezhs {
-	vfene(@_,1,3);
-}
-sub vfenezfs {
-	vfene(@_,2,3);
-}
-
-sub vistr {
-	confess(err("ARGNUM")) if ($#_<2||$#_>3);
-	VRRa(0xe75c,@_[0..2],0,$_[3]);
-}
-sub vistrb {
-	vistr(@_[0..1],0,$_[2]);
-}
-sub vistrh {
-	vistr(@_[0..1],1,$_[2]);
-}
-sub vistrf {
-	vistr(@_[0..1],2,$_[2]);
-}
-sub vistrbs {
-	vistr(@_,0,1);
-}
-sub vistrhs {
-	vistr(@_,1,1);
-}
-sub vistrfs {
-	vistr(@_,2,1);
-}
-
-sub vstrc {
-	confess(err("ARGNUM")) if ($#_<4||$#_>5);
-	VRRd(0xe78a,@_);
-}
-sub vstrcb {
-	vstrc(@_[0..3],0,$_[4]);
-}
-sub vstrch {
-	vstrc(@_[0..3],1,$_[4]);
-}
-sub vstrcf {
-	vstrc(@_[0..3],2,$_[4]);
-}
-sub vstrcbs {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],0,0x1|$_[4]);
-}
-sub vstrchs {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],1,0x1|$_[4]);
-}
-sub vstrcfs {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],2,0x1|$_[4]);
-}
-sub vstrczb {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],0,0x2|$_[4]);
-}
-sub vstrczh {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],1,0x2|$_[4]);
-}
-sub vstrczf {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],2,0x2|$_[4]);
-}
-sub vstrczbs {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],0,0x3|$_[4]);
-}
-sub vstrczhs {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],1,0x3|$_[4]);
-}
-sub vstrczfs {
-	$_[4]=0 if (!defined($_[4]));
-	vstrc(@_[0..3],2,0x3|$_[4]);
-}
-
-# VX - Floating-point Instructions
-
-sub vfa {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRc(0xe7e3,@_);
-}
-sub vfadb {
-	vfa(@_,3,0);
-}
-sub wfadb {
-	vfa(@_,3,8);
-}
-
-sub wfc {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRa(0xe7cb,@_);
-}
-sub wfcdb {
-	wfc(@_,3,0);
-}
-
-sub wfk {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRa(0xe7ca,@_);
-}
-sub wfksb {
-	wfk(@_,2,0);
-}
-sub wfkdb {
-	wfk(@_,3,0);
-}
-sub wfkxb {
-	wfk(@_,4,0);
-}
-
-sub vfce {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRc(0xe7e8,@_);
-}
-sub vfcedb {
-	vfce(@_,3,0,0);
-}
-sub vfcedbs {
-	vfce(@_,3,0,1);
-}
-sub wfcedb {
-	vfce(@_,3,8,0);
-}
-sub wfcedbs {
-	vfce(@_,3,8,1);
-}
-
-sub vfch {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRc(0xe7eb,@_);
-}
-sub vfchdb {
-	vfch(@_,3,0,0);
-}
-sub vfchdbs {
-	vfch(@_,3,0,1);
-}
-sub wfchdb {
-	vfch(@_,3,8,0);
-}
-sub wfchdbs {
-	vfch(@_,3,8,1);
-}
-
-sub vfche {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRc(0xe7ea,@_);
-}
-sub vfchedb {
-	vfche(@_,3,0,0);
-}
-sub vfchedbs {
-	vfche(@_,3,0,1);
-}
-sub wfchedb {
-	vfche(@_,3,8,0);
-}
-sub wfchedbs {
-	vfche(@_,3,8,1);
-}
-
-sub vcdg {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRa(0xe7c3,@_);
-}
-sub vcdgb {
-	vcdg(@_[0..1],3,@_[2..3]);
-}
-sub wcdgb {
-	vcdg(@_[0..1],3,0x8|$_[2],$_[3]);
-}
-
-sub vcdlg {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRa(0xe7c1,@_);
-}
-sub vcdlgb {
-	vcdlg(@_[0..1],3,@_[2..3]);
-}
-sub wcdlgb {
-	vcdlg(@_[0..1],3,0x8|$_[2],$_[3]);
-}
-
-sub vcgd {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRa(0xe7c2,@_);
-}
-sub vcgdb {
-	vcgd(@_[0..1],3,@_[2..3]);
-}
-sub wcgdb {
-	vcgd(@_[0..1],3,0x8|$_[2],$_[3]);
-}
-
-sub vclgd {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRa(0xe7c0,@_);
-}
-sub vclgdb {
-	vclgd(@_[0..1],3,@_[2..3]);
-}
-sub wclgdb {
-	vclgd(@_[0..1],3,0x8|$_[2],$_[3]);
-}
-
-sub vfd {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRc(0xe7e5,@_);
-}
-sub vfddb {
-	vfd(@_,3,0);
-}
-sub wfddb {
-	vfd(@_,3,8);
-}
-
-sub vfi {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRa(0xe7c7,@_);
-}
-sub vfidb {
-	vfi(@_[0..1],3,@_[2..3]);
-}
-sub wfidb {
-	vfi(@_[0..1],3,0x8|$_[2],$_[3]);
-}
-
-sub vlde {	# deprecated, use vfll
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRa(0xe7c4,@_);
-}
-sub vldeb {	# deprecated, use vflls
-	vlde(@_,2,0);
-}
-sub wldeb {	# deprecated, use wflls
-	vlde(@_,2,8);
-}
-
-sub vled {	# deprecated, use vflr
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRa(0xe7c5,@_);
-}
-sub vledb {	# deprecated, use vflrd
-	vled(@_[0..1],3,@_[2..3]);
-}
-sub wledb {	# deprecated, use wflrd
-	vled(@_[0..1],3,0x8|$_[2],$_[3]);
-}
-
-sub vfm {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRc(0xe7e7,@_);
-}
-sub vfmdb {
-	vfm(@_,3,0);
-}
-sub wfmdb {
-	vfm(@_,3,8);
-}
-
-sub vfma {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRe(0xe78f,@_);
-}
-sub vfmadb {
-	vfma(@_,0,3);
-}
-sub wfmadb {
-	vfma(@_,8,3);
-}
-
-sub vfms {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRe(0xe78e,@_);
-}
-sub vfmsdb {
-	vfms(@_,0,3);
-}
-sub wfmsdb {
-	vfms(@_,8,3);
-}
-
-sub vfpso {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRa(0xe7cc,@_);
-}
-sub vfpsodb {
-	vfpso(@_[0..1],3,0,$_[2]);
-}
-sub wfpsodb {
-	vfpso(@_[0..1],3,8,$_[2]);
-}
-sub vflcdb {
-	vfpso(@_,3,0,0);
-}
-sub wflcdb {
-	vfpso(@_,3,8,0);
-}
-sub vflndb {
-	vfpso(@_,3,0,1);
-}
-sub wflndb {
-	vfpso(@_,3,8,1);
-}
-sub vflpdb {
-	vfpso(@_,3,0,2);
-}
-sub wflpdb {
-	vfpso(@_,3,8,2);
-}
-
-sub vfsq {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRRa(0xe7ce,@_);
-}
-sub vfsqdb {
-	vfsq(@_,3,0);
-}
-sub wfsqdb {
-	vfsq(@_,3,8);
-}
-
-sub vfs {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRRc(0xe7e2,@_);
-}
-sub vfsdb {
-	vfs(@_,3,0);
-}
-sub wfsdb {
-	vfs(@_,3,8);
-}
-
-sub vftci {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIe(0xe74a,@_);
-}
-sub vftcidb {
-	vftci(@_,3,0);
-}
-sub wftcidb {
-	vftci(@_,3,8);
-}
-
-# VXE - Support Instructions
-
-sub vbperm {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe785,@_);
-}
-
-sub vllezlf {
-	vllez(@_,6);
-}
-
-# VXE - Integer Instructions
-
-sub vmsl {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRd(0xe7b8,@_);
-}
-sub vmslg {
-	vmsl(@_[0..3],3,$_[4]);
-}
-
-sub vnx {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe76c,@_);
-}
-
-sub vnn {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe76e,@_);
-}
-
-sub voc {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRc(0xe76f,@_);
-}
-
-sub vpopctb {
-	vpopct(@_,0);
-}
-sub vpopcth {
-	vpopct(@_,1);
-}
-sub vpopctf {
-	vpopct(@_,2);
-}
-sub vpopctg {
-	vpopct(@_,3);
-}
-
-# VXE - Floating-Point Instructions
-
-sub vfasb {
-	vfa(@_,2,0);
-}
-sub wfasb {
-	vfa(@_,2,8);
-}
-sub wfaxb {
-	vfa(@_,4,8);
-}
-
-sub wfcsb {
-	wfc(@_,2,0);
-}
-sub wfcxb {
-	wfc(@_,4,0);
-}
-
-sub vfcesb {
-	vfce(@_,2,0,0);
-}
-sub vfcesbs {
-	vfce(@_,2,0,1);
-}
-sub wfcesb {
-	vfce(@_,2,8,0);
-}
-sub wfcesbs {
-	vfce(@_,2,8,1);
-}
-sub wfcexb {
-	vfce(@_,4,8,0);
-}
-sub wfcexbs {
-	vfce(@_,4,8,1);
-}
-
-sub vfchsb {
-	vfch(@_,2,0,0);
-}
-sub vfchsbs {
-	vfch(@_,2,0,1);
-}
-sub wfchsb {
-	vfch(@_,2,8,0);
-}
-sub wfchsbs {
-	vfch(@_,2,8,1);
-}
-sub wfchxb {
-	vfch(@_,4,8,0);
-}
-sub wfchxbs {
-	vfch(@_,4,8,1);
-}
-
-sub vfchesb {
-	vfche(@_,2,0,0);
-}
-sub vfchesbs {
-	vfche(@_,2,0,1);
-}
-sub wfchesb {
-	vfche(@_,2,8,0);
-}
-sub wfchesbs {
-	vfche(@_,2,8,1);
-}
-sub wfchexb {
-	vfche(@_,4,8,0);
-}
-sub wfchexbs {
-	vfche(@_,4,8,1);
-}
-
-sub vfdsb {
-	vfd(@_,2,0);
-}
-sub wfdsb {
-	vfd(@_,2,8);
-}
-sub wfdxb {
-	vfd(@_,4,8);
-}
-
-sub vfisb {
-	vfi(@_[0..1],2,@_[2..3]);
-}
-sub wfisb {
-	vfi(@_[0..1],2,0x8|$_[2],$_[3]);
-}
-sub wfixb {
-	vfi(@_[0..1],4,0x8|$_[2],$_[3]);
-}
-
-sub vfll {
-	vlde(@_);
-}
-sub vflls {
-	vfll(@_,2,0);
-}
-sub wflls {
-	vfll(@_,2,8);
-}
-sub wflld {
-	vfll(@_,3,8);
-}
-
-sub vflr {
-	vled(@_);
-}
-sub vflrd {
-	vflr(@_[0..1],3,@_[2..3]);
-}
-sub wflrd {
-	vflr(@_[0..1],3,0x8|$_[2],$_[3]);
-}
-sub wflrx {
-	vflr(@_[0..1],4,0x8|$_[2],$_[3]);
-}
-
-sub vfmax {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRc(0xe7ef,@_);
-}
-sub vfmaxsb {
-	vfmax(@_[0..2],2,0,$_[3]);
-}
-sub vfmaxdb {
-	vfmax(@_[0..2],3,0,$_[3]);
-}
-sub wfmaxsb {
-	vfmax(@_[0..2],2,8,$_[3]);
-}
-sub wfmaxdb {
-	vfmax(@_[0..2],3,8,$_[3]);
-}
-sub wfmaxxb {
-	vfmax(@_[0..2],4,8,$_[3]);
-}
-
-sub vfmin {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRc(0xe7ee,@_);
-}
-sub vfminsb {
-	vfmin(@_[0..2],2,0,$_[5]);
-}
-sub vfmindb {
-	vfmin(@_[0..2],3,0,$_[5]);
-}
-sub wfminsb {
-	vfmin(@_[0..2],2,8,$_[5]);
-}
-sub wfmindb {
-	vfmin(@_[0..2],3,8,$_[5]);
-}
-sub wfminxb {
-	vfmin(@_[0..2],4,8,$_[5]);
-}
-
-sub vfmsb {
-	vfm(@_,2,0);
-}
-sub wfmsb {
-	vfm(@_,2,8);
-}
-sub wfmxb {
-	vfm(@_,4,8);
-}
-
-sub vfmasb {
-	vfma(@_,0,2);
-}
-sub wfmasb {
-	vfma(@_,8,2);
-}
-sub wfmaxb {
-	vfma(@_,8,4);
-}
-
-sub vfmssb {
-	vfms(@_,0,2);
-}
-sub wfmssb {
-	vfms(@_,8,2);
-}
-sub wfmsxb {
-	vfms(@_,8,4);
-}
-
-sub vfnma {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRe(0xe79f,@_);
-}
-sub vfnmasb {
-	vfnma(@_,0,2);
-}
-sub vfnmadb {
-	vfnma(@_,0,3);
-}
-sub wfnmasb {
-	vfnma(@_,8,2);
-}
-sub wfnmadb {
-	vfnma(@_,8,3);
-}
-sub wfnmaxb {
-	vfnma(@_,8,4);
-}
-
-sub vfnms {
-	confess(err("ARGNUM")) if ($#_!=5);
-	VRRe(0xe79e,@_);
-}
-sub vfnmssb {
-	vfnms(@_,0,2);
-}
-sub vfnmsdb {
-	vfnms(@_,0,3);
-}
-sub wfnmssb {
-	vfnms(@_,8,2);
-}
-sub wfnmsdb {
-	vfnms(@_,8,3);
-}
-sub wfnmsxb {
-	vfnms(@_,8,4);
-}
-
-sub vfpsosb {
-	vfpso(@_[0..1],2,0,$_[2]);
-}
-sub wfpsosb {
-	vfpso(@_[0..1],2,8,$_[2]);
-}
-sub vflcsb {
-	vfpso(@_,2,0,0);
-}
-sub wflcsb {
-	vfpso(@_,2,8,0);
-}
-sub vflnsb {
-	vfpso(@_,2,0,1);
-}
-sub wflnsb {
-	vfpso(@_,2,8,1);
-}
-sub vflpsb {
-	vfpso(@_,2,0,2);
-}
-sub wflpsb {
-	vfpso(@_,2,8,2);
-}
-sub vfpsoxb {
-	vfpso(@_[0..1],4,0,$_[2]);
-}
-sub wfpsoxb {
-	vfpso(@_[0..1],4,8,$_[2]);
-}
-sub vflcxb {
-	vfpso(@_,4,0,0);
-}
-sub wflcxb {
-	vfpso(@_,4,8,0);
-}
-sub vflnxb {
-	vfpso(@_,4,0,1);
-}
-sub wflnxb {
-	vfpso(@_,4,8,1);
-}
-sub vflpxb {
-	vfpso(@_,4,0,2);
-}
-sub wflpxb {
-	vfpso(@_,4,8,2);
-}
-
-sub vfsqsb {
-	vfsq(@_,2,0);
-}
-sub wfsqsb {
-	vfsq(@_,2,8);
-}
-sub wfsqxb {
-	vfsq(@_,4,8);
-}
-
-sub vfssb {
-	vfs(@_,2,0);
-}
-sub wfssb {
-	vfs(@_,2,8);
-}
-sub wfsxb {
-	vfs(@_,4,8);
-}
-
-sub vftcisb {
-	vftci(@_,2,0);
-}
-sub wftcisb {
-	vftci(@_,2,8);
-}
-sub wftcixb {
-	vftci(@_,4,8);
-}
-
-# VXD - Support Instructions
-
-sub vlrlr {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRSd(0xe637,@_);
-}
-
-sub vlrl {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VSI(0xe635,@_);
-}
-
-sub vstrlr {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRSd(0xe63f,@_);
-}
-
-sub vstrl {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VSI(0xe63d,@_);
-}
-
-sub vap {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIf(0xe671,@_);
-}
-
-sub vcp {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRh(0xe677,@_);
-}
-
-sub vcvb {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRi(0xe650,@_);
-}
-
-sub vcvbg {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRRi(0xe652,@_);
-}
-
-sub vcvd {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRIi(0xe658,@_);
-}
-
-sub vcvdg {
-	confess(err("ARGNUM")) if ($#_!=3);
-	VRIi(0xe65a,@_);
-}
-
-sub vdp {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIf(0xe67a,@_);
-}
-
-sub vlip {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VRIh(0xe649,@_);
-}
-
-sub vmp {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIf(0xe678,@_);
-}
-
-sub vmsp {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIf(0xe679,@_);
-}
-
-sub vpkz {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VSI(0xe634,@_);
-}
-
-sub vpsop {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIg(0xe65b,@_);
-}
-
-sub vrp {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIf(0xe67b,@_);
-}
-
-sub vsdp {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIf(0xe67e,@_);
-}
-
-sub vsrp {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIg(0xe659,@_);
-}
-
-sub vsp {
-	confess(err("ARGNUM")) if ($#_!=4);
-	VRIf(0xe673,@_);
-}
-
-sub vtp {
-	confess(err("ARGNUM")) if ($#_!=0);
-	VRRg(0xe65f,@_);
-}
-
-sub vupkz {
-	confess(err("ARGNUM")) if ($#_!=2);
-	VSI(0xe63c,@_);
-}
-
-#
-# Instruction Formats
-#
-
-sub RIEf {
-	confess(err("ARGNUM")) if ($#_<4||5<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$r1,$r2,$i3,$i4,$i5)=(shift,get_R(shift),get_R(shift),
-					  get_I(shift,8),get_I(shift,8),
-					  get_I(shift,8));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",(($opcode>>8)<<8|$r1<<4|$r2)).",";
-	$out.=sprintf("%#06x",($i3<<8)|$i4).",";
-	$out.=sprintf("%#06x",($i5<<8)|($opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub RILa {
-	confess(err("ARGNUM")) if ($#_!=2);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$r1,$i2)=(shift,get_R(shift),get_I(shift,32));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",(($opcode>>4)<<8|$r1<<4|($opcode&0xf))).",";
-	$out.=sprintf("%#06x",($i2>>16)).",";
-	$out.=sprintf("%#06x",($i2&0xffff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub RRE {
-	confess(err("ARGNUM")) if ($#_<0||2<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$r1,$r2)=(shift,get_R(shift),get_R(shift));
-
-	$out.="\t.long\t".sprintf("%#010x",($opcode<<16|$r1<<4|$r2));
-	$out.="\t# $memn";
-	# RRE can have 0 ops e.g., pcc.
-	$out.="\t$ops" if ((defined($ops))&&($ops ne ''));
-	$out.="\n";
-}
-
-sub RRFb {
-	confess(err("ARGNUM")) if ($#_<3||4<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$r1,$r3,$r2,$m4)=(shift,get_R(shift),get_R(shift)
-	    ,get_R(shift),get_M(shift));
-
-	$out.="\t.long\t"
-	    .sprintf("%#010x",($opcode<<16|$r3<<12|$m4<<8|$r1<<4|$r2));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub RXYa {
-	confess(err("ARGNUM")) if ($#_!=2);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$r1,$d2,$x2,$b2)=(shift,get_R(shift),get_DXB(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",(($opcode>>8)<<8|$r1<<4|$x2)).",";
-	$out.=sprintf("%#06x",($b2<<12|($d2&0xfff))).",";
-	$out.=sprintf("%#06x",(($d2>>12)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub S {
-	confess(err("ARGNUM")) if ($#_<0||1<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$d2,$b2)=(shift,get_DB(shift));
-
-	$out.="\t.long\t".sprintf("%#010x",($opcode<<16|$b2<<12|$d2));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIa {
-	confess(err("ARGNUM")) if ($#_<2||3<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$i2,$m3)=(shift,get_V(shift),get_I(shift,16),
-	    get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).",";
-	$out.=sprintf("%#06x",$i2).",";
-	$out.=sprintf("%#06x",($m3<<12|RXB($v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIb {
-	confess(err("ARGNUM")) if ($#_!=4);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$i2,$i3,$m4)=(shift,get_V(shift),get_I(shift,8),
-	    ,get_I(shift,8),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).",";
-	$out.=sprintf("%#06x",($i2<<8|$i3)).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB($v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIc {
-	confess(err("ARGNUM")) if ($#_!=4);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v3,$i2,$m4)=(shift,get_V(shift),get_V(shift),
-	    ,get_I(shift,16),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v3&0xf)).",";
-	$out.=sprintf("%#06x",$i2).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v3)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRId {
-	confess(err("ARGNUM")) if ($#_<4||$#_>5);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$v3,$i4,$m5)=(shift,get_V(shift),get_V(shift),
-	    ,get_V(shift),get_I(shift,8),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
-	$out.=sprintf("%#06x",(($v3&0xf)<<12|$i4)).",";
-	$out.=sprintf("%#06x",($m5<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIe {
-	confess(err("ARGNUM")) if ($#_!=5);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$i3,$m4,$m5)=(shift,get_V(shift),get_V(shift),
-	    ,get_I(shift,12),get_M(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
-	$out.=sprintf("%#06x",($i3<<4|$m5)).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIf {
-	confess(err("ARGNUM")) if ($#_!=5);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$v3,$i4,$m5)=(shift,get_V(shift),get_V(shift),
-	    ,get_V(shift),get_I(shift,8),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
-	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<4)|$i4>>4).",";
-	$out.=sprintf("%#06x",(($i4&0xf)<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIg {
-	confess(err("ARGNUM")) if ($#_!=5);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$i3,$i4,$m5)=(shift,get_V(shift),get_V(shift),
-	    ,get_I(shift,8),get_I(shift,8),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
-	$out.=sprintf("%#06x",($i4<<8|$m5<<4|$i3>>4)).",";
-	$out.=sprintf("%#06x",(($i3&0xf)<<12|RXB($v1,$v2)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIh {
-	confess(err("ARGNUM")) if ($#_!=3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$i2,$i3)=(shift,get_V(shift),get_I(shift,16),
-	    get_I(shift,4));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).",";
-	$out.=sprintf("%#06x",$i2).",";
-	$out.=sprintf("%#06x",($i3<<12|RXB($v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRIi {
-	confess(err("ARGNUM")) if ($#_!=4);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$r2,$i3,$m4)=(shift,get_V(shift),get_R(shift),
-	    ,get_I(shift,8),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|$r2).",";
-	$out.=sprintf("%#06x",($m4<<4|$i3>>4)).",";
-	$out.=sprintf("%#06x",(($i3&0xf)<<12|RXB($v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRa {
-	confess(err("ARGNUM")) if ($#_<2||5<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$m3,$m4,$m5)=(shift,get_V(shift),get_V(shift),
-	    get_M(shift),get_M(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
-	$out.=sprintf("%#06x",($m5<<4|$m4)).",";
-	$out.=sprintf("%#06x",($m3<<12|RXB($v1,$v2)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRb {
-	confess(err("ARGNUM")) if ($#_<3||5<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$v3,$m4,$m5)=(shift,get_V(shift),get_V(shift),
-	    get_V(shift),get_M(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
-	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<4)).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRc {
-	confess(err("ARGNUM")) if ($#_<3||6<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$v3,$m4,$m5,$m6)=(shift,get_V(shift),get_V(shift),
-	    get_V(shift),get_M(shift),get_M(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
-	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m6<<4|$m5)).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRd {
-	confess(err("ARGNUM")) if ($#_<4||6<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$v3,$v4,$m5,$m6)=(shift,get_V(shift),get_V(shift),
-	    get_V(shift),get_V(shift),get_M(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
-	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<8|$m6<<4)).",";
-	$out.=sprintf("%#06x",(($v4&0xf)<<12|RXB($v1,$v2,$v3,$v4)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRe {
-	confess(err("ARGNUM")) if ($#_<4||6<$#_);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$v3,$v4,$m5,$m6)=(shift,get_V(shift),get_V(shift),
-	    get_V(shift),get_V(shift),get_M(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
-	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m6<<8|$m5)).",";
-	$out.=sprintf("%#06x",(($v4&0xf)<<12|RXB($v1,$v2,$v3,$v4)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRf {
-	confess(err("ARGNUM")) if ($#_!=3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$r2,$r3)=(shift,get_V(shift),get_R(shift),
-	    get_R(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|$r2)).",";
-	$out.=sprintf("%#06x",($r3<<12)).",";
-	$out.=sprintf("%#06x",(RXB($v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRg {
-	confess(err("ARGNUM")) if ($#_!=1);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1)=(shift,get_V(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf))).",";
-	$out.=sprintf("%#06x",0x0000).",";
-	$out.=sprintf("%#06x",(RXB(0,$v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRh {
-	confess(err("ARGNUM")) if ($#_<2||$#_>3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v2,$m3)=(shift,get_V(shift),get_V(shift),
-	    get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf))).",";
-	$out.=sprintf("%#06x",(($v2&0xf)<<12|$m3<<4)).",";
-	$out.=sprintf("%#06x",(RXB(0,$v1,$v2)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRRi {
-	confess(err("ARGNUM")) if ($#_!=3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$r1,$v2,$m3)=(shift,get_R(shift),get_V(shift),
-	    get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|$r1<<4|($v2&0xf))).",";
-	$out.=sprintf("%#06x",($m3<<4))."\,";
-	$out.=sprintf("%#06x",(RXB(0,$v2)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRSa {
-	confess(err("ARGNUM")) if ($#_<3||$#_>4);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$v3,$d2,$b2,$m4)=(shift,get_V(shift),get_V(shift),
-	    get_DB(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v3&0xf))).",";
-	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v3)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRSb {
-	confess(err("ARGNUM")) if ($#_<3||$#_>4);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$r3,$d2,$b2,$m4)=(shift,get_V(shift),get_R(shift),
-	    get_DB(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|$r3)).",";
-	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB($v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRSc {
-	confess(err("ARGNUM")) if ($#_!=4);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$r1,$v3,$d2,$b2,$m4)=(shift,get_R(shift),get_V(shift),
-	    get_DB(shift),get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|$r1<<4|($v3&0xf))).",";
-	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
-	$out.=sprintf("%#06x",($m4<<12|RXB(0,$v3)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRSd {
-	confess(err("ARGNUM")) if ($#_!=3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$r3,$d2,$b2)=(shift,get_V(shift),get_R(shift),
-	    get_DB(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|$r3)).",";
-	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
-	$out.=sprintf("%#06x",(($v1&0xf)<<12|RXB(0,0,0,$v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRV {
-	confess(err("ARGNUM")) if ($#_<2||$#_>3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$d2,$v2,$b2,$m3)=(shift,get_V(shift),get_DVB(shift),
-	    get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
-	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
-	$out.=sprintf("%#06x",($m3<<12|RXB($v1,$v2)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VRX {
-	confess(err("ARGNUM")) if ($#_<2||$#_>3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$d2,$x2,$b2,$m3)=(shift,get_V(shift),get_DXB(shift),
-	    get_M(shift));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($x2))).",";
-	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
-	$out.=sprintf("%#06x",($m3<<12|RXB($v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-sub VSI {
-	confess(err("ARGNUM")) if ($#_!=3);
-	my $ops=join(',',@_[1..$#_]);
-	my $memn=(caller(1))[3];
-	$memn=~s/^.*:://;
-	my ($opcode,$v1,$d2,$b2,$i3)=(shift,get_V(shift),get_DB(shift),
-	    get_I(shift,8));
-
-	$out.="\t.word\t";
-	$out.=sprintf("%#06x",($opcode&0xff00|$i3)).",";
-	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
-	$out.=sprintf("%#06x",(($v1&0xf)<<12|RXB(0,0,0,$v1)<<8|$opcode&0xff));
-	$out.="\t# $memn\t$ops\n";
-}
-
-#
-# Internal
-#
-
-sub get_R {
-	confess(err("ARGNUM")) if ($#_!=0);
-	my $r;
-
-	for (shift) {
-		if (!defined) {
-			$r=0;
-		} elsif (/^$GR$/) {
-			$r=$1;
-		} else {
-			confess(err("PARSE"));
-		}
-	}
-	confess(err("ARGRANGE")) if ($r&~0xf);
-
-	return $r;
-}
-
-sub get_V {
-	confess(err("ARGNUM")) if ($#_!=0);
-	my $v;
-
-	for (shift) {
-		if (!defined) {
-			$v=0;
-		} elsif (/^$VR$/) {
-			$v=$1;
-		} else {
-			confess(err("PARSE"));
-		}
-	}
-	confess(err("ARGRANGE")) if ($v&~0x1f);
-
-	return $v;
-}
-
-sub get_I {
-	confess(err("ARGNUM")) if ($#_!=1);
-	my ($i,$bits)=(shift,shift);
-
-	$i=defined($i)?(eval($i)):(0);
-	confess(err("PARSE")) if (!defined($i));
-	confess(err("ARGRANGE")) if (abs($i)&~(2**$bits-1));
-
-	return $i&(2**$bits-1);
-}
-
-sub get_M {
-	confess(err("ARGNUM")) if ($#_!=0);
-	my $m=shift;
-
-	$m=defined($m)?(eval($m)):(0);
-	confess(err("PARSE")) if (!defined($m));
-	confess(err("ARGRANGE")) if ($m&~0xf);
-
-	return $m;
-}
-
-sub get_DB
-{
-	confess(err("ARGNUM")) if ($#_!=0);
-	my ($d,$b);
-
-	for (shift) {
-		if (!defined) {
-			($d,$b)=(0,0);
-		} elsif (/^(.+)\($GR\)$/) {
-			($d,$b)=(eval($1),$2);
-			confess(err("PARSE")) if (!defined($d));
-		} elsif (/^(.+)$/) {
-			($d,$b)=(eval($1),0);
-			confess(err("PARSE")) if (!defined($d));
-		} else {
-			confess(err("PARSE"));
-		}
-	}
-	confess(err("ARGRANGE")) if ($d&~0xfff||$b&~0xf);
-
-	return ($d,$b);
-}
-
-sub get_DVB
-{
-	confess(err("ARGNUM")) if ($#_!=0);
-	my ($d,$v,$b);
-
-	for (shift) {
-		if (!defined) {
-			($d,$v,$b)=(0,0,0);
-		} elsif (/^(.+)\($VR,$GR\)$/) {
-			($d,$v,$b)=(eval($1),$2,$3);
-			confess(err("PARSE")) if (!defined($d));
-		} elsif (/^(.+)\($GR\)$/) {
-			($d,$v,$b)=(eval($1),0,$2);
-			confess(err("PARSE")) if (!defined($d));
-		} elsif (/^(.+)$/) {
-			($d,$v,$b)=(eval($1),0,0);
-			confess(err("PARSE")) if (!defined($d));
-		} else {
-			confess(err("PARSE"));
-		}
-	}
-	confess(err("ARGRANGE")) if ($d&~0xfff||$v&~0x1f||$b&~0xf);
-
-	return ($d,$v,$b);
-}
-
-sub get_DXB
-{
-	confess(err("ARGNUM")) if ($#_!=0);
-	my ($d,$x,$b);
-
-	for (shift) {
-		if (!defined) {
-			($d,$x,$b)=(0,0,0);
-		} elsif (/^(.+)\($GR,$GR\)$/) {
-			($d,$x,$b)=(eval($1),$2,$3);
-			confess(err("PARSE")) if (!defined($d));
-		} elsif (/^(.+)\($GR\)$/) {
-			($d,$x,$b)=(eval($1),0,$2);
-			confess(err("PARSE")) if (!defined($d));
-		} elsif (/^(.+)$/) {
-			($d,$x,$b)=(eval($1),0,0);
-			confess(err("PARSE")) if (!defined($d));
-		} else {
-			confess(err("PARSE"));
-		}
-	}
-	confess(err("ARGRANGE")) if ($d&~0xfff||$x&~0xf||$b&~0xf);
-
-	return ($d,$x,$b);
-}
-
-sub RXB
-{
-	confess(err("ARGNUM")) if ($#_<0||3<$#_);
-	my $rxb=0;
-
-	$rxb|=0x08 if (defined($_[0])&&($_[0]&0x10));
-	$rxb|=0x04 if (defined($_[1])&&($_[1]&0x10));
-	$rxb|=0x02 if (defined($_[2])&&($_[2]&0x10));
-	$rxb|=0x01 if (defined($_[3])&&($_[3]&0x10));
-
-	return $rxb;
-}
-
-sub err {
-	my %ERR		=
-	(
-		ARGNUM	=>	'Wrong number of arguments',
-		ARGRANGE=>	'Argument out of range',
-		PARSE	=>	'Parse error',
-	);
-	confess($ERR{ARGNUM}) if ($#_!=0);
-
-	return $ERR{$_[0]};
-}
-
-1;

+ 0 - 365
libs/openssl/crypto/poly1305/asm/poly1305-ia64.S

@@ -1,365 +0,0 @@
-// ====================================================================
-// Written by Andy Polyakov, @dot-asm, initially for use in the OpenSSL
-// project.
-// ====================================================================
-//
-// Poly1305 for Itanium.
-//
-// January 2019
-//
-// Performance was reported to be ~2.1 cycles per byte on Itanium 2.
-// With exception for processors in 95xx family, which have higher
-// floating-point instructions' latencies and deliver ~2.6 cpb.
-// Comparison to compiler-generated code is not exactly fair, because
-// of different radixes. But just for reference, it was observed to be
-// >3x faster. Originally it was argued that floating-point base 2^32
-// implementation would be optimal. Upon closer look estimate for below
-// integer base 2^64 implementation turned to be approximately same on
-// Itanium 2. But floating-point code would be larger, and have higher
-// overhead, which would negatively affect small-block performance...
-
-#if defined(_HPUX_SOURCE)
-# if !defined(_LP64)
-#  define ADDP  addp4
-# else
-#  define ADDP  add
-# endif
-# define RUM    rum
-# define SUM    sum
-#else
-# define ADDP   add
-# define RUM    nop
-# define SUM    nop
-#endif
-
-.text
-.explicit
-
-.global	poly1305_init#
-.proc	poly1305_init#
-.align	64
-poly1305_init:
-	.prologue
-	.save		ar.pfs,r2
-{ .mmi;	alloc		r2=ar.pfs,2,0,0,0
-	cmp.eq		p6,p7=0,r33		}	// key == NULL?
-{ .mmi;	ADDP		r9=8,r32
-	ADDP		r10=16,r32
-	ADDP		r32=0,r32		};;
-	.body
-{ .mmi;	st8		[r32]=r0,24			// ctx->h0 = 0
-	st8		[r9]=r0				// ctx->h1 = 0
-(p7)	ADDP		r8=0,r33		}
-{ .mib;	st8		[r10]=r0			// ctx->h2 = 0
-(p6)	mov		r8=0
-(p6)	br.ret.spnt	b0			};;
-
-{ .mmi;	ADDP		r9=1,r33
-	ADDP		r10=2,r33
-	ADDP		r11=3,r33		};;
-{ .mmi;	ld1		r16=[r8],4			// load key, little-endian
-	ld1		r17=[r9],4		}
-{ .mmi;	ld1		r18=[r10],4
-	ld1		r19=[r11],4		};;
-{ .mmi;	ld1		r20=[r8],4
-	ld1		r21=[r9],4		}
-{ .mmi;	ld1		r22=[r10],4
-	ld1		r23=[r11],4
-	and		r19=15,r19		};;
-{ .mmi;	ld1		r24=[r8],4
-	ld1		r25=[r9],4
-	and		r20=-4,r20		}
-{ .mmi;	ld1		r26=[r10],4
-	ld1		r27=[r11],4
-	and		r23=15,r23		};;
-{ .mmi;	ld1		r28=[r8],4
-	ld1		r29=[r9],4
-	and		r24=-4,r24		}
-{ .mmi;	ld1		r30=[r10],4
-	ld1		r31=[r11],4
-	and		r27=15,r27		};;
-
-{ .mii;	and		r28=-4,r28
-	dep		r16=r17,r16,8,8
-	dep		r18=r19,r18,8,8		};;
-{ .mii;	and		r31=15,r31
-	dep		r16=r18,r16,16,16
-	dep		r20=r21,r20,8,8		};;
-{ .mii;	dep		r16=r20,r16,32,16
-	dep		r22=r23,r22,8,8		};;
-{ .mii;	dep		r16=r22,r16,48,16
-	dep		r24=r25,r24,8,8		};;
-{ .mii;	dep		r26=r27,r26,8,8
-	dep		r28=r29,r28,8,8		};;
-{ .mii;	dep		r24=r26,r24,16,16
-	dep		r30=r31,r30,8,8		};;
-{ .mii;	st8		[r32]=r16,8			// ctx->r0
-	dep		r24=r28,r24,32,16;;
-	dep		r24=r30,r24,48,16	};;
-{ .mii;	st8		[r32]=r24,8			// ctx->r1
-	shr.u		r25=r24,2;;
-	add		r25=r25,r24		};;
-{ .mib; st8		[r32]=r25			// ctx->s1
-	mov		r8=0
-	br.ret.sptk	b0			};;
-.endp	poly1305_init#
-
-h0=r17;  h1=r18;  h2=r19;
-i0=r20;  i1=r21;
-HF0=f8;  HF1=f9;  HF2=f10;
-RF0=f11; RF1=f12; SF1=f13;
-
-.global	poly1305_blocks#
-.proc	poly1305_blocks#
-.align	64
-poly1305_blocks:
-	.prologue
-	.save		ar.pfs,r2
-{ .mii;	alloc		r2=ar.pfs,4,1,0,0
-	.save		ar.lc,r3
-	mov		r3=ar.lc
-	.save		pr,r36
-	mov		r36=pr			}
-
-	.body
-{ .mmi;	ADDP		r8=0,r32
-	ADDP		r9=8,r32
-	and		r29=7,r33		};;
-{ .mmi;	ld8		h0=[r8],16
-	ld8		h1=[r9],16
-	and		r33=-8,r33		};;
-{ .mmi;	ld8		h2=[r8],16
-	ldf8		RF0=[r9],16
-	shr.u		r34=r34,4		};;
-{ .mmi;	ldf8		RF1=[r8],-32
-	ldf8		SF1=[r9],-32
-	cmp.ltu		p16,p17=1,r34		};;
-{ .mmi;
-(p16)	add		r34=-2,r34
-(p17)	mov		r34=0
-	ADDP		r10=0,r33		}
-{ .mii;	ADDP		r11=8,r33
-(p16)	mov		ar.ec=2
-(p17)	mov		ar.ec=1			};;
-{ .mib;	RUM		1<<1				// go little-endian
-	mov		ar.lc=r34
-	brp.loop.imp	.Loop,.Lcend-16		}
-
-{ .mmi;	cmp.eq		p8,p7=0,r29
-	cmp.eq		p9,p0=1,r29
-	cmp.eq		p10,p0=2,r29		}
-{ .mmi;	cmp.eq		p11,p0=3,r29
-	cmp.eq		p12,p0=4,r29
-	cmp.eq		p13,p0=5,r29		}
-{ .mmi;	cmp.eq		p14,p0=6,r29
-	cmp.eq		p15,p0=7,r29
-	add		r16=16,r10		};;
-
-{ .mmb;
-(p8)	ld8		i0=[r10],16			// aligned input
-(p8)	ld8		i1=[r11],16
-(p8)	br.cond.sptk	.Loop			};;
-
-	// align first block
-	.pred.rel	"mutex",p8,p9,p10,p11,p12,p13,p14,p15
-{ .mmi;	(p7)	ld8		r14=[r10],24
-	(p7)	ld8		r15=[r11],24		}
-
-{ .mii;	(p7)	ld8		r16=[r16]
-		nop.i		0;;
-	(p15)	shrp		i0=r15,r14,56		}
-{ .mii;	(p15)	shrp		i1=r16,r15,56
-	(p14)	shrp		i0=r15,r14,48		}
-{ .mii;	(p14)	shrp		i1=r16,r15,48
-	(p13)	shrp		i0=r15,r14,40		}
-{ .mii;	(p13)	shrp		i1=r16,r15,40
-	(p12)	shrp		i0=r15,r14,32		}
-{ .mii;	(p12)	shrp		i1=r16,r15,32
-	(p11)	shrp		i0=r15,r14,24		}
-{ .mii;	(p11)	shrp		i1=r16,r15,24
-	(p10)	shrp		i0=r15,r14,16		}
-{ .mii;	(p10)	shrp		i1=r16,r15,16
-	(p9)	shrp		i0=r15,r14,8		}
-{ .mii;	(p9)	shrp		i1=r16,r15,8
-		mov		r14=r16			};;
-
-.Loop:
-		.pred.rel	"mutex",p8,p9,p10,p11,p12,p13,p14,p15
-{ .mmi;		add		h0=h0,i0
-		add		h1=h1,i1
-		add		h2=h2,r35		};;
-{ .mmi;		setf.sig	HF0=h0
-		cmp.ltu		p6,p0=h0,i0
-		cmp.ltu		p7,p0=h1,i1		};;
-{ .mmi;	(p6)	add		h1=1,h1;;
-		setf.sig	HF1=h1
-	(p6)	cmp.eq.or	p7,p0=0,h1		};;
-{ .mmi;	(p7)	add		h2=1,h2;;
-		setf.sig	HF2=h2			};;
-
-{ .mfi;	(p16)	ld8		r15=[r10],16
-		xmpy.lu		f32=HF0,RF0		}
-{ .mfi;	(p16)	ld8		r16=[r11],16
-		xmpy.hu		f33=HF0,RF0		}
-{ .mfi;		xmpy.lu		f36=HF0,RF1		}
-{ .mfi;		xmpy.hu		f37=HF0,RF1		};;
-{ .mfi;		xmpy.lu		f34=HF1,SF1
-	(p15)	shrp		i0=r15,r14,56		}
-{ .mfi;		xmpy.hu		f35=HF1,SF1		}
-{ .mfi;		xmpy.lu		f38=HF1,RF0
-	(p15)	shrp		i1=r16,r15,56		}
-{ .mfi;		xmpy.hu		f39=HF1,RF0		}
-{ .mfi;		xmpy.lu		f40=HF2,SF1
-	(p14)	shrp		i0=r15,r14,48		}
-{ .mfi;		xmpy.lu		f41=HF2,RF0		};;
-
-{ .mmi;		getf.sig	r22=f32
-		getf.sig	r23=f33
-	(p14)	shrp		i1=r16,r15,48		}
-{ .mmi;		getf.sig	r24=f34
-		getf.sig	r25=f35
-	(p13)	shrp		i0=r15,r14,40		}
-{ .mmi;		getf.sig	r26=f36
-		getf.sig	r27=f37
-	(p13)	shrp		i1=r16,r15,40		}
-{ .mmi;		getf.sig	r28=f38
-		getf.sig	r29=f39
-	(p12)	shrp		i0=r15,r14,32		}
-{ .mmi;		getf.sig	r30=f40
-		getf.sig	r31=f41			};;
-
-{ .mmi;		add		h0=r22,r24
-		add		r23=r23,r25
-	(p12)	shrp		i1=r16,r15,32		}
-{ .mmi;		add		h1=r26,r28
-		add		r27=r27,r29
-	(p11)	shrp		i0=r15,r14,24		};;
-{ .mmi;		cmp.ltu		p6,p0=h0,r24
-		cmp.ltu		p7,p0=h1,r28
-		add		r23=r23,r30		};;
-{ .mmi;	(p6)	add		r23=1,r23
-	(p7)	add		r27=1,r27
-	(p11)	shrp		i1=r16,r15,24		};;
-{ .mmi;		add		h1=h1,r23;;
-		cmp.ltu		p6,p7=h1,r23
-	(p10)	shrp		i0=r15,r14,16		};;
-{ .mmi;	(p6)	add		h2=r31,r27,1
-	(p7)	add		h2=r31,r27
-	(p10)	shrp		i1=r16,r15,16		};;
-
-{ .mmi;	(p8)	mov		i0=r15
-		and		r22=-4,h2
-		shr.u		r23=h2,2		};;
-{ .mmi;		add		r22=r22,r23
-		and		h2=3,h2
-	(p9)	shrp		i0=r15,r14,8		};;
-
-{ .mmi;		add		h0=h0,r22;;
-		cmp.ltu		p6,p0=h0,r22
-	(p9)	shrp		i1=r16,r15,8		};;
-{ .mmi;	(p8)	mov		i1=r16
-	(p6)	cmp.eq.unc	p7,p0=-1,h1
-	(p6)	add		h1=1,h1			};;
-{ .mmb;	(p7)	add		h2=1,h2
-		mov		r14=r16
-		br.ctop.sptk	.Loop			};;
-.Lcend:
-
-{ .mii;	SUM		1<<1				// back to big-endian
-	mov		ar.lc=r3		};;
-
-{ .mmi;	st8		[r8]=h0,16
-	st8		[r9]=h1
-	mov		pr=r36,0x1ffff		};;
-{ .mmb;	st8		[r8]=h2
-	rum		1<<5
-	br.ret.sptk	b0			};;
-.endp	poly1305_blocks#
-
-.global	poly1305_emit#
-.proc	poly1305_emit#
-.align	64
-poly1305_emit:
-	.prologue
-	.save		ar.pfs,r2
-{ .mmi;	alloc		r2=ar.pfs,3,0,0,0
-	ADDP		r8=0,r32
-	ADDP		r9=8,r32		};;
-
-	.body
-{ .mmi;	ld8		r16=[r8],16			// load hash
-	ld8		r17=[r9]
-	ADDP		r10=0,r34		};;
-{ .mmi;	ld8		r18=[r8]
-	ld4		r24=[r10],8			// load nonce
-	ADDP		r11=4,r34		};;
-
-{ .mmi;	ld4		r25=[r11],8
-	ld4		r26=[r10]
-	add		r20=5,r16		};;
-
-{ .mmi;	ld4		r27=[r11]
-	cmp.ltu		p6,p7=r20,r16
-	shl		r25=r25,32		};;
-{ .mmi;
-(p6)	add		r21=1,r17
-(p7)	add		r21=0,r17
-(p6)	cmp.eq.or.andcm	p6,p7=-1,r17		};;
-{ .mmi;
-(p6)	add		r22=1,r18
-(p7)	add		r22=0,r18
-	shl		r27=r27,32		};;
-{ .mmi;	or		r24=r24,r25
-	or		r26=r26,r27
-	cmp.leu		p6,p7=4,r22		};;
-{ .mmi;
-(p6)	add		r16=r20,r24
-(p7)	add		r16=r16,r24
-(p6)	add		r17=r21,r26		};;
-{ .mii;
-(p7)	add		r17=r17,r26
-	cmp.ltu		p6,p7=r16,r24;;
-(p6)	add		r17=1,r17		};;
-
-{ .mmi;	ADDP		r8=0,r33
-	ADDP		r9=4,r33
-	shr.u		r20=r16,32		}
-{ .mmi;	ADDP		r10=8,r33
-	ADDP		r11=12,r33
-	shr.u		r21=r17,32		};;
-
-{ .mmi;	st1		[r8]=r16,1			// write mac, little-endian
-	st1		[r9]=r20,1
-	shr.u		r16=r16,8		}
-{ .mii;	st1		[r10]=r17,1
-	shr.u		r20=r20,8
-	shr.u		r17=r17,8		}
-{ .mmi;	st1		[r11]=r21,1
-	shr.u		r21=r21,8		};;
-
-{ .mmi;	st1		[r8]=r16,1
-	st1		[r9]=r20,1
-	shr.u		r16=r16,8		}
-{ .mii;	st1		[r10]=r17,1
-	shr.u		r20=r20,8
-	shr.u		r17=r17,8		}
-{ .mmi;	st1		[r11]=r21,1
-	shr.u		r21=r21,8		};;
-
-{ .mmi;	st1		[r8]=r16,1
-	st1		[r9]=r20,1
-	shr.u		r16=r16,8		}
-{ .mii;	st1		[r10]=r17,1
-	shr.u		r20=r20,8
-	shr.u		r17=r17,8		}
-{ .mmi;	st1		[r11]=r21,1
-	shr.u		r21=r21,8		};;
-
-{ .mmi;	st1		[r8]=r16
-	st1		[r9]=r20		}
-{ .mmb;	st1		[r10]=r17
-	st1		[r11]=r21
-	br.ret.sptk	b0			};;
-.endp	poly1305_emit#
-
-stringz	"Poly1305 for IA64, CRYPTOGAMS by \@dot-asm"

+ 0 - 47
libs/openssl/crypto/poly1305/poly1305_ppc.c

@@ -1,47 +0,0 @@
-/*
- * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <openssl/opensslconf.h>
-#include <openssl/types.h>
-#include "crypto/poly1305.h"
-#include "crypto/ppc_arch.h"
-
-void poly1305_init_int(void *ctx, const unsigned char key[16]);
-void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len,
-                         unsigned int padbit);
-void poly1305_emit(void *ctx, unsigned char mac[16],
-                       const unsigned int nonce[4]);
-void poly1305_init_fpu(void *ctx, const unsigned char key[16]);
-void poly1305_blocks_fpu(void *ctx, const unsigned char *inp, size_t len,
-                         unsigned int padbit);
-void poly1305_emit_fpu(void *ctx, unsigned char mac[16],
-                       const unsigned int nonce[4]);
-void poly1305_init_vsx(void *ctx, const unsigned char key[16]);
-void poly1305_blocks_vsx(void *ctx, const unsigned char *inp, size_t len,
-                         unsigned int padbit);
-void poly1305_emit_vsx(void *ctx, unsigned char mac[16],
-                       const unsigned int nonce[4]);
-int poly1305_init(void *ctx, const unsigned char key[16], void *func[2]);
-int poly1305_init(void *ctx, const unsigned char key[16], void *func[2])
-{
-    if (OPENSSL_ppccap_P & PPC_CRYPTO207) {
-        poly1305_init_int(ctx, key);
-        func[0] = (void*)(uintptr_t)poly1305_blocks_vsx;
-        func[1] = (void*)(uintptr_t)poly1305_emit;
-    } else if (sizeof(size_t) == 4 && (OPENSSL_ppccap_P & PPC_FPU)) {
-        poly1305_init_fpu(ctx, key);
-        func[0] = (void*)(uintptr_t)poly1305_blocks_fpu;
-        func[1] = (void*)(uintptr_t)poly1305_emit_fpu;
-    } else {
-        poly1305_init_int(ctx, key);
-        func[0] = (void*)(uintptr_t)poly1305_blocks;
-        func[1] = (void*)(uintptr_t)poly1305_emit;
-    }
-    return 1;
-}

+ 0 - 35
libs/openssl/crypto/rand/rand_deprecated.c

@@ -1,35 +0,0 @@
-/*
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "internal/e_os.h"
-#include <openssl/macros.h>
-#include <openssl/rand.h>
-
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
-# include <windows.h>
-# if OPENSSL_API_COMPAT < 0x10100000L
-
-# define DEPRECATED_RAND_FUNCTIONS_DEFINED
-
-int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam)
-{
-    RAND_poll();
-    return RAND_status();
-}
-
-void RAND_screen(void)
-{
-    RAND_poll();
-}
-# endif
-#endif
-
-#ifndef DEPRECATED_RAND_FUNCTIONS_DEFINED
-NON_EMPTY_TRANSLATION_UNIT
-#endif

+ 163 - 0
libs/openssl/crypto/rand/rand_win.c

@@ -0,0 +1,163 @@
+/*
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "internal/cryptlib.h"
+#include <openssl/rand.h>
+#include "crypto/rand_pool.h"
+#include "crypto/rand.h"
+#include "prov/seeding.h"
+
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
+
+# ifndef OPENSSL_RAND_SEED_OS
+#  error "Unsupported seeding method configured; must be os"
+# endif
+
+# include <windows.h>
+/* On Windows Vista or higher use BCrypt instead of the legacy CryptoAPI */
+# if defined(_MSC_VER) && _MSC_VER > 1500 /* 1500 = Visual Studio 2008 */ \
+     && defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0600
+#  define USE_BCRYPTGENRANDOM
+# endif
+
+# ifdef USE_BCRYPTGENRANDOM
+#  include <bcrypt.h>
+#  ifdef _MSC_VER
+#   pragma comment(lib, "bcrypt.lib")
+#  endif
+#  ifndef STATUS_SUCCESS
+#   define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
+#  endif
+# else
+#  include <wincrypt.h>
+/*
+ * Intel hardware RNG CSP -- available from
+ * http://developer.intel.com/design/security/rng/redist_license.htm
+ */
+#  define PROV_INTEL_SEC 22
+#  define INTEL_DEF_PROV L"Intel Hardware Cryptographic Service Provider"
+# endif
+
+size_t ossl_pool_acquire_entropy(RAND_POOL *pool)
+{
+# ifndef USE_BCRYPTGENRANDOM
+    HCRYPTPROV hProvider;
+# endif
+    unsigned char *buffer;
+    size_t bytes_needed;
+    size_t entropy_available = 0;
+
+
+# ifdef OPENSSL_RAND_SEED_RDTSC
+    entropy_available = ossl_prov_acquire_entropy_from_tsc(pool);
+    if (entropy_available > 0)
+        return entropy_available;
+# endif
+
+# ifdef OPENSSL_RAND_SEED_RDCPU
+    entropy_available = ossl_prov_acquire_entropy_from_cpu(pool);
+    if (entropy_available > 0)
+        return entropy_available;
+# endif
+
+# ifdef USE_BCRYPTGENRANDOM
+    bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+    buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
+    if (buffer != NULL) {
+        size_t bytes = 0;
+        if (BCryptGenRandom(NULL, buffer, bytes_needed,
+                            BCRYPT_USE_SYSTEM_PREFERRED_RNG) == STATUS_SUCCESS)
+            bytes = bytes_needed;
+
+        ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
+        entropy_available = ossl_rand_pool_entropy_available(pool);
+    }
+    if (entropy_available > 0)
+        return entropy_available;
+# else
+    bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+    buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
+    if (buffer != NULL) {
+        size_t bytes = 0;
+        /* poll the CryptoAPI PRNG */
+        if (CryptAcquireContextW(&hProvider, NULL, NULL, PROV_RSA_FULL,
+                                 CRYPT_VERIFYCONTEXT | CRYPT_SILENT) != 0) {
+            if (CryptGenRandom(hProvider, bytes_needed, buffer) != 0)
+                bytes = bytes_needed;
+
+            CryptReleaseContext(hProvider, 0);
+        }
+
+        ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
+        entropy_available = ossl_rand_pool_entropy_available(pool);
+    }
+    if (entropy_available > 0)
+        return entropy_available;
+
+    bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+    buffer = ossl_rand_pool_add_begin(pool, bytes_needed);
+    if (buffer != NULL) {
+        size_t bytes = 0;
+        /* poll the Pentium PRG with CryptoAPI */
+        if (CryptAcquireContextW(&hProvider, NULL,
+                                 INTEL_DEF_PROV, PROV_INTEL_SEC,
+                                 CRYPT_VERIFYCONTEXT | CRYPT_SILENT) != 0) {
+            if (CryptGenRandom(hProvider, bytes_needed, buffer) != 0)
+                bytes = bytes_needed;
+
+            CryptReleaseContext(hProvider, 0);
+        }
+        ossl_rand_pool_add_end(pool, bytes, 8 * bytes);
+        entropy_available = ossl_rand_pool_entropy_available(pool);
+    }
+    if (entropy_available > 0)
+        return entropy_available;
+# endif
+
+    return ossl_rand_pool_entropy_available(pool);
+}
+
+
+int ossl_pool_add_nonce_data(RAND_POOL *pool)
+{
+    struct {
+        DWORD pid;
+        DWORD tid;
+        FILETIME time;
+    } data;
+
+    /* Erase the entire structure including any padding */
+    memset(&data, 0, sizeof(data));
+
+    /*
+     * Add process id, thread id, and a high resolution timestamp to
+     * ensure that the nonce is unique with high probability for
+     * different process instances.
+     */
+    data.pid = GetCurrentProcessId();
+    data.tid = GetCurrentThreadId();
+    GetSystemTimeAsFileTime(&data.time);
+
+    return ossl_rand_pool_add(pool, (unsigned char *)&data, sizeof(data), 0);
+}
+
+int ossl_rand_pool_init(void)
+{
+    return 1;
+}
+
+void ossl_rand_pool_cleanup(void)
+{
+}
+
+void ossl_rand_pool_keep_random_devices_open(int keep)
+{
+}
+
+#endif
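Review bot: The BCrypt seeding path is compiled only when `_MSC_VER > 1500` holds in the `USE_BCRYPTGENRANDOM` guard near the top of the file, so any other Windows toolchain building this tree silently takes the `#else` branch: the legacy `CryptAcquireContextW`/`CryptGenRandom` path with `PROV_RSA_FULL` and then a probe for the Intel `PROV_INTEL_SEC` provider, which is the CryptoAPI that Microsoft documents as deprecated in favour of BCrypt. If this project is not built with MSVC, that fallback is the one actually seeding the DRBG, so it is worth either confirming `_MSC_VER` is defined in this build or dropping the compiler test so the guard reads `# if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0600`, with a comment stating which path the project expects. Separately, `bytes_needed` is a `size_t` while both `BCryptGenRandom` and `CryptGenRandom` take a 32-bit length, so the calls narrow silently; pool requests are small, but an explicit `(ULONG)bytes_needed` cast or a bound check would document the assumption.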

+ 0 - 88
libs/openssl/crypto/riscv32cpuid.pl

@@ -1,88 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$output and open STDOUT,">$output";
-
-{
-my ($in_a,$in_b,$len,$x,$temp1,$temp2) = ('a0','a1','a2','t0','t1','t2');
-$code.=<<___;
-################################################################################
-# int CRYPTO_memcmp(const void * in_a, const void * in_b, size_t len)
-################################################################################
-.text
-.balign 16
-.globl CRYPTO_memcmp
-.type   CRYPTO_memcmp,\@function
-CRYPTO_memcmp:
-    li      $x,0
-    beqz    $len,2f   # len == 0
-1:
-    lbu     $temp1,0($in_a)
-    lbu     $temp2,0($in_b)
-    addi    $in_a,$in_a,1
-    addi    $in_b,$in_b,1
-    addi    $len,$len,-1
-    xor     $temp1,$temp1,$temp2
-    or      $x,$x,$temp1
-    bgtz    $len,1b
-2:
-    mv      a0,$x
-    ret
-___
-}
-{
-my ($ptr,$len,$temp1,$temp2) = ('a0','a1','t0','t1');
-$code.=<<___;
-################################################################################
-# void OPENSSL_cleanse(void *ptr, size_t len)
-################################################################################
-.text
-.balign 16
-.globl OPENSSL_cleanse
-.type   OPENSSL_cleanse,\@function
-OPENSSL_cleanse:
-    beqz    $len,2f         # len == 0, return
-    srli    $temp1,$len,4
-    bnez    $temp1,3f       # len > 15
-
-1:  # Store <= 15 individual bytes
-    sb      x0,0($ptr)
-    addi    $ptr,$ptr,1
-    addi    $len,$len,-1
-    bnez    $len,1b
-2:
-    ret
-
-3:  # Store individual bytes until we are aligned
-    andi    $temp1,$ptr,0x3
-    beqz    $temp1,4f
-    sb      x0,0($ptr)
-    addi    $ptr,$ptr,1
-    addi    $len,$len,-1
-    j       3b
-
-4:  # Store aligned words
-    li      $temp2,4
-4:
-    sw      x0,0($ptr)
-    addi    $ptr,$ptr,4
-    addi    $len,$len,-4
-    bge     $len,$temp2,4b  # if len>=4 loop
-    bnez    $len,1b         # if len<4 and len != 0, store remaining bytes
-    ret
-___
-}
-
-print $code;
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 86
libs/openssl/crypto/riscvcap.c

@@ -1,86 +0,0 @@
-/*
- * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include <ctype.h>
-#include <stdint.h>
-#include <openssl/crypto.h>
-#include "internal/cryptlib.h"
-
-#define OPENSSL_RISCVCAP_IMPL
-#include "crypto/riscv_arch.h"
-
-static void parse_env(const char *envstr);
-static void strtoupper(char *str);
-
-uint32_t OPENSSL_rdtsc(void)
-{
-    return 0;
-}
-
-size_t OPENSSL_instrument_bus(unsigned int *out, size_t cnt)
-{
-    return 0;
-}
-
-size_t OPENSSL_instrument_bus2(unsigned int *out, size_t cnt, size_t max)
-{
-    return 0;
-}
-
-static void strtoupper(char *str)
-{
-    for (char *x = str; *x; ++x)
-        *x = toupper(*x);
-}
-
-/* parse_env() parses a RISC-V architecture string. An example of such a string
- * is "rv64gc_zba_zbb_zbc_zbs". Currently, the rv64gc part is ignored
- * and we simply search for "_[extension]" in the arch string to see if we
- * should enable a given extension.
- */
-#define BUFLEN 256
-static void parse_env(const char *envstr)
-{
-    char envstrupper[BUFLEN];
-    char buf[BUFLEN];
-
-    /* Convert env str to all uppercase */
-    OPENSSL_strlcpy(envstrupper, envstr, sizeof(envstrupper));
-    strtoupper(envstrupper);
-
-    for (size_t i = 0; i < kRISCVNumCaps; ++i) {
-        /* Prefix capability with underscore in preparation for search */
-        BIO_snprintf(buf, BUFLEN, "_%s", RISCV_capabilities[i].name);
-        if (strstr(envstrupper, buf) != NULL) {
-            /* Match, set relevant bit in OPENSSL_riscvcap_P[] */
-            OPENSSL_riscvcap_P[RISCV_capabilities[i].index] |=
-                (1 << RISCV_capabilities[i].bit_offset);
-        }
-    }
-}
-
-# if defined(__GNUC__) && __GNUC__>=2
-__attribute__ ((constructor))
-# endif
-void OPENSSL_cpuid_setup(void)
-{
-    char *e;
-    static int trigger = 0;
-
-    if (trigger != 0)
-        return;
-    trigger = 1;
-
-    if ((e = getenv("OPENSSL_riscvcap"))) {
-        parse_env(e);
-        return;
-    }
-}

+ 0 - 167
libs/openssl/crypto/rsa/rsa_acvp_test_params.c

@@ -1,167 +0,0 @@
-/*
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <string.h> /* memcpy */
-#include <openssl/core_names.h>
-#include <openssl/param_build.h>
-#include "crypto/rsa.h"
-#include "rsa_local.h"
-
-int ossl_rsa_acvp_test_gen_params_new(OSSL_PARAM **dst, const OSSL_PARAM src[])
-{
-    const OSSL_PARAM *p, *s;
-    OSSL_PARAM *d, *alloc = NULL;
-    int ret = 1;
-
-    static const OSSL_PARAM settable[] = {
-        OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_TEST_XP, NULL, 0),
-        OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_TEST_XP1, NULL, 0),
-        OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_TEST_XP2, NULL, 0),
-        OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_TEST_XQ, NULL, 0),
-        OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_TEST_XQ1, NULL, 0),
-        OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_TEST_XQ2, NULL, 0),
-        OSSL_PARAM_END
-    };
-
-    /* Assume the first element is a required field if this feature is used */
-    p = OSSL_PARAM_locate_const(src, settable[0].key);
-    if (p == NULL)
-        return 1;
-
-    /* Zeroing here means the terminator is always set at the end */
-    alloc = OPENSSL_zalloc(sizeof(settable));
-    if (alloc == NULL)
-        return 0;
-
-    d = alloc;
-    for (s = settable; s->key != NULL; ++s) {
-        /* If src contains a key from settable then copy the src to the dest */
-        p = OSSL_PARAM_locate_const(src, s->key);
-        if (p != NULL) {
-            *d = *s; /* shallow copy from the static settable[] */
-            d->data_size = p->data_size;
-            d->data = OPENSSL_memdup(p->data, p->data_size);
-            if (d->data == NULL)
-                ret = 0;
-            ++d;
-        }
-    }
-    if (ret == 0) {
-        ossl_rsa_acvp_test_gen_params_free(alloc);
-        alloc = NULL;
-    }
-    if (*dst != NULL)
-        ossl_rsa_acvp_test_gen_params_free(*dst);
-    *dst = alloc;
-    return ret;
-}
-
-void ossl_rsa_acvp_test_gen_params_free(OSSL_PARAM *dst)
-{
-    OSSL_PARAM *p;
-
-    if (dst == NULL)
-        return;
-
-    for (p = dst; p->key != NULL; ++p) {
-        OPENSSL_free(p->data);
-        p->data = NULL;
-    }
-    OPENSSL_free(dst);
-}
-
-int ossl_rsa_acvp_test_set_params(RSA *r, const OSSL_PARAM params[])
-{
-    RSA_ACVP_TEST *t;
-    const OSSL_PARAM *p;
-
-    if (r->acvp_test != NULL) {
-        ossl_rsa_acvp_test_free(r->acvp_test);
-        r->acvp_test = NULL;
-    }
-
-    t = OPENSSL_zalloc(sizeof(*t));
-    if (t == NULL)
-        return 0;
-
-    /* Set the input parameters */
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_TEST_XP1)) != NULL
-         && !OSSL_PARAM_get_BN(p, &t->Xp1))
-        goto err;
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_TEST_XP2)) != NULL
-         && !OSSL_PARAM_get_BN(p, &t->Xp2))
-        goto err;
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_TEST_XP)) != NULL
-         && !OSSL_PARAM_get_BN(p, &t->Xp))
-        goto err;
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_TEST_XQ1)) != NULL
-         && !OSSL_PARAM_get_BN(p, &t->Xq1))
-        goto err;
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_TEST_XQ2)) != NULL
-         && !OSSL_PARAM_get_BN(p, &t->Xq2))
-        goto err;
-    if ((p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_RSA_TEST_XQ)) != NULL
-         && !OSSL_PARAM_get_BN(p, &t->Xq))
-        goto err;
-
-    /* Setup the output parameters */
-    t->p1 = BN_new();
-    t->p2 = BN_new();
-    t->q1 = BN_new();
-    t->q2 = BN_new();
-    r->acvp_test = t;
-    return 1;
-err:
-    ossl_rsa_acvp_test_free(t);
-    return 0;
-}
-
-int ossl_rsa_acvp_test_get_params(RSA *r, OSSL_PARAM params[])
-{
-    RSA_ACVP_TEST *t;
-    OSSL_PARAM *p;
-
-    if (r == NULL)
-        return 0;
-
-    t = r->acvp_test;
-    if (t != NULL) {
-        if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_RSA_TEST_P1)) != NULL
-             && !OSSL_PARAM_set_BN(p, t->p1))
-                    return 0;
-        if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_RSA_TEST_P2)) != NULL
-             && !OSSL_PARAM_set_BN(p, t->p2))
-                    return 0;
-        if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_RSA_TEST_Q1)) != NULL
-             && !OSSL_PARAM_set_BN(p, t->q1))
-                    return 0;
-        if ((p = OSSL_PARAM_locate(params, OSSL_PKEY_PARAM_RSA_TEST_Q2)) != NULL
-             && !OSSL_PARAM_set_BN(p, t->q2))
-                    return 0;
-    }
-    return 1;
-}
-
-void ossl_rsa_acvp_test_free(RSA_ACVP_TEST *t)
-{
-    if (t != NULL) {
-        BN_free(t->Xp1);
-        BN_free(t->Xp2);
-        BN_free(t->Xp);
-        BN_free(t->Xq1);
-        BN_free(t->Xq2);
-        BN_free(t->Xq);
-        BN_free(t->p1);
-        BN_free(t->p2);
-        BN_free(t->q1);
-        BN_free(t->q2);
-        OPENSSL_free(t);
-    }
-}
-

+ 1 - 0
libs/openssl/crypto/rsa/rsa_sp800_56b_check.c

@@ -12,6 +12,7 @@
 #include <openssl/bn.h>
 #include "crypto/bn.h"
 #include "rsa_local.h"
+#include "../bn/bn_local.h" // WINSCP
 
 /*
  * Part of the RSA keypair test.
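Review bot: The added `#include "../bn/bn_local.h" // WINSCP` pulls the bn module's private header in by relative path, and the tag alone does not record which BN internal this file needs, so the next OpenSSL upgrade cannot tell whether the include is still required or where the symbol moved. A one-line reason on the same line, e.g. `#include "../bn/bn_local.h" // WINSCP: <reason – which bn internal this file uses>`, would keep the local divergence self-explaining. This is in the file's include block; no function is involved.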

+ 166 - 0
libs/openssl/crypto/self_test_core.c

@@ -0,0 +1,166 @@
+/*
+ * Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/self_test.h>
+#include <openssl/core_names.h>
+#include <openssl/params.h>
+#include "internal/cryptlib.h"
+#include "crypto/context.h"
+
+typedef struct self_test_cb_st
+{
+    OSSL_CALLBACK *cb;
+    void *cbarg;
+} SELF_TEST_CB;
+
+struct ossl_self_test_st
+{
+    /* local state variables */
+    const char *phase;
+    const char *type;
+    const char *desc;
+    OSSL_CALLBACK *cb;
+
+    /* callback related variables used to pass the state back to the user */
+    OSSL_PARAM params[4];
+    void *cb_arg;
+};
+
+#ifndef FIPS_MODULE
+void *ossl_self_test_set_callback_new(OSSL_LIB_CTX *ctx)
+{
+    SELF_TEST_CB *stcb;
+
+    stcb = OPENSSL_zalloc(sizeof(*stcb));
+    return stcb;
+}
+
+void ossl_self_test_set_callback_free(void *stcb)
+{
+    OPENSSL_free(stcb);
+}
+
+static SELF_TEST_CB *get_self_test_callback(OSSL_LIB_CTX *libctx)
+{
+    return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_SELF_TEST_CB_INDEX);
+}
+
+void OSSL_SELF_TEST_set_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK *cb,
+                                 void *cbarg)
+{
+    SELF_TEST_CB *stcb = get_self_test_callback(libctx);
+
+    if (stcb != NULL) {
+        stcb->cb = cb;
+        stcb->cbarg = cbarg;
+    }
+}
+
+void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb,
+                                 void **cbarg)
+{
+    SELF_TEST_CB *stcb = get_self_test_callback(libctx);
+
+    if (cb != NULL)
+        *cb = (stcb != NULL ? stcb->cb : NULL);
+    if (cbarg != NULL)
+        *cbarg = (stcb != NULL ? stcb->cbarg : NULL);
+}
+#endif /* FIPS_MODULE */
+
+static void self_test_setparams(OSSL_SELF_TEST *st)
+{
+    size_t n = 0;
+
+    if (st->cb != NULL) {
+        st->params[n++] =
+            OSSL_PARAM_construct_utf8_string(OSSL_PROV_PARAM_SELF_TEST_PHASE,
+                                             (char *)st->phase, 0);
+        st->params[n++] =
+            OSSL_PARAM_construct_utf8_string(OSSL_PROV_PARAM_SELF_TEST_TYPE,
+                                             (char *)st->type, 0);
+        st->params[n++] =
+            OSSL_PARAM_construct_utf8_string(OSSL_PROV_PARAM_SELF_TEST_DESC,
+                                             (char *)st->desc, 0);
+    }
+    st->params[n++] = OSSL_PARAM_construct_end();
+}
+
+OSSL_SELF_TEST *OSSL_SELF_TEST_new(OSSL_CALLBACK *cb, void *cbarg)
+{
+    OSSL_SELF_TEST *ret = OPENSSL_zalloc(sizeof(*ret));
+
+    if (ret == NULL)
+        return NULL;
+
+    ret->cb = cb;
+    ret->cb_arg = cbarg;
+    ret->phase = "";
+    ret->type = "";
+    ret->desc = "";
+    self_test_setparams(ret);
+    return ret;
+}
+
+void OSSL_SELF_TEST_free(OSSL_SELF_TEST *st)
+{
+    OPENSSL_free(st);
+}
+
+/* Can be used during application testing to log that a test has started. */
+void OSSL_SELF_TEST_onbegin(OSSL_SELF_TEST *st, const char *type,
+                            const char *desc)
+{
+    if (st != NULL && st->cb != NULL) {
+        st->phase = OSSL_SELF_TEST_PHASE_START;
+        st->type = type;
+        st->desc = desc;
+        self_test_setparams(st);
+        (void)st->cb(st->params, st->cb_arg);
+    }
+}
+
+/*
+ * Can be used during application testing to log that a test has either
+ * passed or failed.
+ */
+void OSSL_SELF_TEST_onend(OSSL_SELF_TEST *st, int ret)
+{
+    if (st != NULL && st->cb != NULL) {
+        st->phase =
+            (ret == 1 ? OSSL_SELF_TEST_PHASE_PASS : OSSL_SELF_TEST_PHASE_FAIL);
+        self_test_setparams(st);
+        (void)st->cb(st->params, st->cb_arg);
+
+        st->phase = OSSL_SELF_TEST_PHASE_NONE;
+        st->type = OSSL_SELF_TEST_TYPE_NONE;
+        st->desc = OSSL_SELF_TEST_DESC_NONE;
+    }
+}
+
+/*
+ * Used for failure testing.
+ *
+ * Call the applications SELF_TEST_cb() if it exists.
+ * If the application callback decides to return 0 then the first byte of 'bytes'
+ * is modified (corrupted). This is used to modify output signatures or
+ * ciphertext before they are verified or decrypted.
+ */
+int OSSL_SELF_TEST_oncorrupt_byte(OSSL_SELF_TEST *st, unsigned char *bytes)
+{
+    if (st != NULL && st->cb != NULL) {
+        st->phase = OSSL_SELF_TEST_PHASE_CORRUPT;
+        self_test_setparams(st);
+        if (!st->cb(st->params, st->cb_arg)) {
+            bytes[0] ^= 1;
+            return 1;
+        }
+    }
+    return 0;
+}
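Review bot: OSSL_SELF_TEST_onbegin() stores its `type` and `desc` arguments by pointer without copying, and OSSL_SELF_TEST_onend() rebuilds the callback parameters from those same pointers (via self_test_setparams()) before invoking the callback again, so a caller that frees or reuses the strings between onbegin and onend hands the callback dangling text. Nothing in struct ossl_self_test_st states this; a comment on the `type`/`desc` fields such as `/* Borrowed from the OSSL_SELF_TEST_onbegin() caller; must stay valid until OSSL_SELF_TEST_onend() resets them */` would document the contract. Separately, OSSL_SELF_TEST_oncorrupt_byte() writes `bytes[0]` with no NULL check, which is only safe if every caller guarantees a non-NULL buffer; a one-line precondition comment would make that explicit. The file appears to be unmodified upstream code (no WINSCP marker), so any local comment is best kept to a single tagged line to ease the next upgrade.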

+ 1 - 0
libs/openssl/crypto/sha/asm/sha1_586.asm

@@ -1,3 +1,4 @@
+
 %ifidn __OUTPUT_FORMAT__,obj
 section	code	use32 class=code align=256
 %elifidn __OUTPUT_FORMAT__,win32

+ 0 - 33
libs/openssl/crypto/sha/sha_ppc.c

@@ -1,33 +0,0 @@
-/*
- * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-#include <openssl/sha.h>
-#include "crypto/ppc_arch.h"
-
-void sha256_block_p8(void *ctx, const void *inp, size_t len);
-void sha256_block_ppc(void *ctx, const void *inp, size_t len);
-void sha256_block_data_order(void *ctx, const void *inp, size_t len);
-void sha256_block_data_order(void *ctx, const void *inp, size_t len)
-{
-    OPENSSL_ppccap_P & PPC_CRYPTO207 ? sha256_block_p8(ctx, inp, len) :
-        sha256_block_ppc(ctx, inp, len);
-}
-
-void sha512_block_p8(void *ctx, const void *inp, size_t len);
-void sha512_block_ppc(void *ctx, const void *inp, size_t len);
-void sha512_block_data_order(void *ctx, const void *inp, size_t len);
-void sha512_block_data_order(void *ctx, const void *inp, size_t len)
-{
-    OPENSSL_ppccap_P & PPC_CRYPTO207 ? sha512_block_p8(ctx, inp, len) :
-        sha512_block_ppc(ctx, inp, len);
-}

+ 0 - 281
libs/openssl/crypto/sm3/asm/sm3-armv8.pl

@@ -1,281 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-# This module implements support for Armv8 SM3 instructions
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-die "can't locate arm-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour \"$output\""
-    or die "can't call $xlate: $!";
-*STDOUT=*OUT;
-
-# Message expanding:
-#	Wj <- P1(W[j-16]^W[j-9]^(W[j-3]<<<15))^(W[j-13]<<<7)^W[j-6]
-# Input: s0, s1, s2, s3
-#	s0 = w0  | w1  | w2  | w3
-#	s1 = w4  | w5  | w6  | w7
-#	s2 = w8  | w9  | w10 | w11
-#	s3 = w12 | w13 | w14 | w15
-# Output: s4
-sub msg_exp () {
-my $s0 = shift;
-my $s1 = shift;
-my $s2 = shift;
-my $s3 = shift;
-my $s4 = shift;
-my $vtmp1 = shift;
-my $vtmp2 = shift;
-$code.=<<___;
-	// s4 = w7  | w8  | w9  | w10
-	ext     $s4.16b, $s1.16b, $s2.16b, #12
-	// vtmp1 = w3  | w4  | w5  | w6
-	ext	$vtmp1.16b, $s0.16b, $s1.16b, #12
-	// vtmp2 = w10 | w11 | w12 | w13
-	ext     $vtmp2.16b, $s2.16b, $s3.16b, #8
-	sm3partw1       $s4.4s, $s0.4s, $s3.4s
-	sm3partw2       $s4.4s, $vtmp2.4s, $vtmp1.4s
-___
-}
-
-# A round of compresson function
-# Input:
-# 	ab - choose instruction among sm3tt1a, sm3tt1b, sm3tt2a, sm3tt2b
-# 	vstate0 - vstate1, store digest status(A - H)
-# 	vconst0 - vconst1, interleaved used to store Tj <<< j
-# 	vtmp - temporary register
-# 	vw - for sm3tt1ab, vw = s0 eor s1
-# 	s0 - for sm3tt2ab, just be s0
-# 	i, choose wj' or wj from vw
-sub round () {
-my $ab = shift;
-my $vstate0 = shift;
-my $vstate1 = shift;
-my $vconst0 = shift;
-my $vconst1 = shift;
-my $vtmp = shift;
-my $vw = shift;
-my $s0 = shift;
-my $i = shift;
-$code.=<<___;
-	sm3ss1  $vtmp.4s, $vstate0.4s, $vconst0.4s, $vstate1.4s
-	shl     $vconst1.4s, $vconst0.4s, #1
-	sri     $vconst1.4s, $vconst0.4s, #31
-	sm3tt1$ab       $vstate0.4s, $vtmp.4s, $vw.4s[$i]
-	sm3tt2$ab       $vstate1.4s, $vtmp.4s, $s0.4s[$i]
-___
-}
-
-sub qround () {
-my $ab = shift;
-my $vstate0 = shift;
-my $vstate1 = shift;
-my $vconst0 = shift;
-my $vconst1 = shift;
-my $vtmp1 = shift;
-my $vtmp2 = shift;
-my $s0 = shift;
-my $s1 = shift;
-my $s2 = shift;
-my $s3 = shift;
-my $s4 = shift;
-	if($s4) {
-		&msg_exp($s0, $s1, $s2, $s3, $s4, $vtmp1, $vtmp2);
-	}
-$code.=<<___;
-	eor     $vtmp1.16b, $s0.16b, $s1.16b
-___
-	&round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2,
-               $vtmp1, $s0, 0);
-	&round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2,
-               $vtmp1, $s0, 1);
-	&round($ab, $vstate0, $vstate1, $vconst0, $vconst1, $vtmp2,
-               $vtmp1, $s0, 2);
-	&round($ab, $vstate0, $vstate1, $vconst1, $vconst0, $vtmp2,
-               $vtmp1, $s0, 3);
-}
-
-$code=<<___;
-#include "arm_arch.h"
-.arch	armv8.2-a
-.text
-___
-
-{{{
-my ($pstate,$pdata,$num)=("x0","x1","w2");
-my ($state1,$state2)=("v5","v6");
-my ($sconst1, $sconst2)=("s16","s17");
-my ($vconst1, $vconst2)=("v16","v17");
-my ($s0,$s1,$s2,$s3,$s4)=map("v$_",(0..4));
-my ($bkstate1,$bkstate2)=("v18","v19");
-my ($vconst_tmp1,$vconst_tmp2)=("v20","v21");
-my ($vtmp1,$vtmp2)=("v22","v23");
-my $constaddr="x8";
-# void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num)
-$code.=<<___;
-.globl	ossl_hwsm3_block_data_order
-.type	ossl_hwsm3_block_data_order,%function
-.align	5
-ossl_hwsm3_block_data_order:
-	AARCH64_VALID_CALL_TARGET
-	// load state
-	ld1     {$state1.4s-$state2.4s}, [$pstate]
-	rev64   $state1.4s, $state1.4s
-	rev64   $state2.4s, $state2.4s
-	ext     $state1.16b, $state1.16b, $state1.16b, #8
-	ext     $state2.16b, $state2.16b, $state2.16b, #8
-
-	adr     $constaddr, .Tj
-	ldp     $sconst1, $sconst2, [$constaddr]
-
-.Loop:
-	// load input
-	ld1     {$s0.16b-$s3.16b}, [$pdata], #64
-	sub     $num, $num, #1
-
-	mov     $bkstate1.16b, $state1.16b
-	mov     $bkstate2.16b, $state2.16b
-
-#ifndef __ARMEB__
-	rev32   $s0.16b, $s0.16b
-	rev32   $s1.16b, $s1.16b
-	rev32   $s2.16b, $s2.16b
-	rev32   $s3.16b, $s3.16b
-#endif
-
-	ext     $vconst_tmp1.16b, $vconst1.16b, $vconst1.16b, #4
-___
-	&qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s0,$s1,$s2,$s3,$s4);
-	&qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s1,$s2,$s3,$s4,$s0);
-	&qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s2,$s3,$s4,$s0,$s1);
-	&qround("a",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s3,$s4,$s0,$s1,$s2);
-
-$code.=<<___;
-	ext     $vconst_tmp1.16b, $vconst2.16b, $vconst2.16b, #4
-___
-
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s4,$s0,$s1,$s2,$s3);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s0,$s1,$s2,$s3,$s4);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s1,$s2,$s3,$s4,$s0);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s2,$s3,$s4,$s0,$s1);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s3,$s4,$s0,$s1,$s2);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s4,$s0,$s1,$s2,$s3);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s0,$s1,$s2,$s3,$s4);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s1,$s2,$s3,$s4,$s0);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s2,$s3,$s4,$s0,$s1);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s3,$s4);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s4,$s0);
-	&qround("b",$state1,$state2,$vconst_tmp1,$vconst_tmp2,$vtmp1,$vtmp2,
-                $s0,$s1);
-
-$code.=<<___;
-	eor     $state1.16b, $state1.16b, $bkstate1.16b
-	eor     $state2.16b, $state2.16b, $bkstate2.16b
-
-	// any remained blocks?
-	cbnz    $num, .Loop
-
-	// save state
-	rev64   $state1.4s, $state1.4s
-	rev64   $state2.4s, $state2.4s
-	ext     $state1.16b, $state1.16b, $state1.16b, #8
-	ext     $state2.16b, $state2.16b, $state2.16b, #8
-	st1     {$state1.4s-$state2.4s}, [$pstate]
-	ret
-.size	ossl_hwsm3_block_data_order,.-ossl_hwsm3_block_data_order
-
-.align	3
-.Tj:
-.word	0x79cc4519, 0x9d8a7a87
-___
-}}}
-
-#########################################
-my %sm3partopcode = (
-	"sm3partw1"         =>   0xce60C000,
-        "sm3partw2"         =>   0xce60C400);
-
-my %sm3ss1opcode = (
-	"sm3ss1"            =>   0xce400000);
-
-my %sm3ttopcode = (
-	"sm3tt1a"           =>   0xce408000,
-	"sm3tt1b"           =>   0xce408400,
-	"sm3tt2a"           =>   0xce408800,
-	"sm3tt2b"           =>   0xce408C00);
-
-sub unsm3part {
-	my ($mnemonic,$arg)=@_;
-
-	$arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o
-	&&
-	sprintf ".inst\t0x%08x\t//%s %s",
-			$sm3partopcode{$mnemonic}|$1|($2<<5)|($3<<16),
-			$mnemonic,$arg;
-}
-
-sub unsm3ss1 {
-	my ($mnemonic,$arg)=@_;
-
-	$arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)/o
-	&&
-	sprintf ".inst\t0x%08x\t//%s %s",
-			$sm3ss1opcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<10),
-			$mnemonic,$arg;
-}
-
-sub unsm3tt {
-	my ($mnemonic,$arg)=@_;
-
-	$arg=~ m/[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*,\s*[qv](\d+)[^,]*\[([0-3])\]/o
-	&&
-	sprintf ".inst\t0x%08x\t//%s %s",
-			$sm3ttopcode{$mnemonic}|$1|($2<<5)|($3<<16)|($4<<12),
-			$mnemonic,$arg;
-}
-
-open SELF,$0;
-while(<SELF>) {
-        next if (/^#!/);
-        last if (!s/^#/\/\// and !/^$/);
-        print;
-}
-close SELF;
-
-foreach(split("\n",$code)) {
-	s/\`([^\`]*)\`/eval($1)/ge;
-
-	s/\b(sm3partw[1-2])\s+([qv].*)/unsm3part($1,$2)/ge;
-	s/\b(sm3ss1)\s+([qv].*)/unsm3ss1($1,$2)/ge;
-	s/\b(sm3tt[1-2][a-b])\s+([qv].*)/unsm3tt($1,$2)/ge;
-	print $_,"\n";
-}
-
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 635
libs/openssl/crypto/sm4/asm/sm4-armv8.pl

@@ -1,635 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-#
-# This module implements support for SM4 hw support on aarch64
-# Oct 2021
-#
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-die "can't locate arm-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour \"$output\""
-    or die "can't call $xlate: $!";
-*STDOUT=*OUT;
-
-$prefix="sm4_v8";
-my @rks=map("v$_",(0..7));
-
-sub rev32() {
-my $dst = shift;
-my $src = shift;
-$code.=<<___;
-#ifndef __ARMEB__
-	rev32	$dst.16b,$src.16b
-#endif
-___
-}
-
-sub enc_blk () {
-my $data = shift;
-$code.=<<___;
-	sm4e	$data.4s,@rks[0].4s
-	sm4e	$data.4s,@rks[1].4s
-	sm4e	$data.4s,@rks[2].4s
-	sm4e	$data.4s,@rks[3].4s
-	sm4e	$data.4s,@rks[4].4s
-	sm4e	$data.4s,@rks[5].4s
-	sm4e	$data.4s,@rks[6].4s
-	sm4e	$data.4s,@rks[7].4s
-	rev64	$data.4S,$data.4S
-	ext	$data.16b,$data.16b,$data.16b,#8
-___
-}
-
-sub enc_4blks () {
-my $data0 = shift;
-my $data1 = shift;
-my $data2 = shift;
-my $data3 = shift;
-$code.=<<___;
-	sm4e	$data0.4s,@rks[0].4s
-	sm4e	$data1.4s,@rks[0].4s
-	sm4e	$data2.4s,@rks[0].4s
-	sm4e	$data3.4s,@rks[0].4s
-
-	sm4e	$data0.4s,@rks[1].4s
-	sm4e	$data1.4s,@rks[1].4s
-	sm4e	$data2.4s,@rks[1].4s
-	sm4e	$data3.4s,@rks[1].4s
-
-	sm4e	$data0.4s,@rks[2].4s
-	sm4e	$data1.4s,@rks[2].4s
-	sm4e	$data2.4s,@rks[2].4s
-	sm4e	$data3.4s,@rks[2].4s
-
-	sm4e	$data0.4s,@rks[3].4s
-	sm4e	$data1.4s,@rks[3].4s
-	sm4e	$data2.4s,@rks[3].4s
-	sm4e	$data3.4s,@rks[3].4s
-
-	sm4e	$data0.4s,@rks[4].4s
-	sm4e	$data1.4s,@rks[4].4s
-	sm4e	$data2.4s,@rks[4].4s
-	sm4e	$data3.4s,@rks[4].4s
-
-	sm4e	$data0.4s,@rks[5].4s
-	sm4e	$data1.4s,@rks[5].4s
-	sm4e	$data2.4s,@rks[5].4s
-	sm4e	$data3.4s,@rks[5].4s
-
-	sm4e	$data0.4s,@rks[6].4s
-	sm4e	$data1.4s,@rks[6].4s
-	sm4e	$data2.4s,@rks[6].4s
-	sm4e	$data3.4s,@rks[6].4s
-
-	sm4e	$data0.4s,@rks[7].4s
-	rev64	$data0.4S,$data0.4S
-	sm4e	$data1.4s,@rks[7].4s
-	ext	$data0.16b,$data0.16b,$data0.16b,#8
-	rev64	$data1.4S,$data1.4S
-	sm4e	$data2.4s,@rks[7].4s
-	ext	$data1.16b,$data1.16b,$data1.16b,#8
-	rev64	$data2.4S,$data2.4S
-	sm4e	$data3.4s,@rks[7].4s
-	ext	$data2.16b,$data2.16b,$data2.16b,#8
-	rev64	$data3.4S,$data3.4S
-	ext	$data3.16b,$data3.16b,$data3.16b,#8
-___
-}
-
-$code=<<___;
-#include "arm_arch.h"
-.arch	armv8-a+crypto
-.text
-___
-
-{{{
-$code.=<<___;
-.align	6
-.Lck:
-	.long 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269
-	.long 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9
-	.long 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249
-	.long 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9
-	.long 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229
-	.long 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299
-	.long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209
-	.long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279
-.Lfk:
-	.long 0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc
-___
-}}}
-
-{{{
-my ($key,$keys)=("x0","x1");
-my ($tmp)=("x2");
-my ($key0,$key1,$key2,$key3,$key4,$key5,$key6,$key7)=map("v$_",(0..7));
-my ($const0,$const1,$const2,$const3,$const4,$const5,$const6,$const7)=map("v$_",(16..23));
-my ($fkconst) = ("v24");
-$code.=<<___;
-.globl	${prefix}_set_encrypt_key
-.type	${prefix}_set_encrypt_key,%function
-.align	5
-${prefix}_set_encrypt_key:
-	AARCH64_VALID_CALL_TARGET
-	ld1	{$key0.4s},[$key]
-	adr	$tmp,.Lfk
-	ld1	{$fkconst.4s},[$tmp]
-	adr	$tmp,.Lck
-	ld1	{$const0.4s,$const1.4s,$const2.4s,$const3.4s},[$tmp],64
-___
-	&rev32($key0, $key0);
-$code.=<<___;
-	ld1	{$const4.4s,$const5.4s,$const6.4s,$const7.4s},[$tmp]
-	eor	$key0.16b,$key0.16b,$fkconst.16b;
-	sm4ekey	$key0.4S,$key0.4S,$const0.4S
-	sm4ekey	$key1.4S,$key0.4S,$const1.4S
-	sm4ekey	$key2.4S,$key1.4S,$const2.4S
-	sm4ekey	$key3.4S,$key2.4S,$const3.4S
-	sm4ekey	$key4.4S,$key3.4S,$const4.4S
-	st1	{$key0.4s,$key1.4s,$key2.4s,$key3.4s},[$keys],64
-	sm4ekey	$key5.4S,$key4.4S,$const5.4S
-	sm4ekey	$key6.4S,$key5.4S,$const6.4S
-	sm4ekey	$key7.4S,$key6.4S,$const7.4S
-	st1	{$key4.4s,$key5.4s,$key6.4s,$key7.4s},[$keys]
-	ret
-.size	${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
-___
-}}}
-
-{{{
-my ($key,$keys)=("x0","x1");
-my ($tmp)=("x2");
-my ($key7,$key6,$key5,$key4,$key3,$key2,$key1,$key0)=map("v$_",(0..7));
-my ($const0,$const1,$const2,$const3,$const4,$const5,$const6,$const7)=map("v$_",(16..23));
-my ($fkconst) = ("v24");
-$code.=<<___;
-.globl	${prefix}_set_decrypt_key
-.type	${prefix}_set_decrypt_key,%function
-.align	5
-${prefix}_set_decrypt_key:
-	AARCH64_VALID_CALL_TARGET
-	ld1	{$key0.4s},[$key]
-	adr	$tmp,.Lfk
-	ld1	{$fkconst.4s},[$tmp]
-	adr	$tmp, .Lck
-	ld1	{$const0.4s,$const1.4s,$const2.4s,$const3.4s},[$tmp],64
-___
-	&rev32($key0, $key0);
-$code.=<<___;
-	ld1	{$const4.4s,$const5.4s,$const6.4s,$const7.4s},[$tmp]
-	eor	$key0.16b, $key0.16b,$fkconst.16b;
-	sm4ekey	$key0.4S,$key0.4S,$const0.4S
-	sm4ekey	$key1.4S,$key0.4S,$const1.4S
-	sm4ekey	$key2.4S,$key1.4S,$const2.4S
-	rev64	$key0.4s,$key0.4s
-	rev64	$key1.4s,$key1.4s
-	ext	$key0.16b,$key0.16b,$key0.16b,#8
-	ext	$key1.16b,$key1.16b,$key1.16b,#8
-	sm4ekey	$key3.4S,$key2.4S,$const3.4S
-	sm4ekey	$key4.4S,$key3.4S,$const4.4S
-	rev64	$key2.4s,$key2.4s
-	rev64	$key3.4s,$key3.4s
-	ext	$key2.16b,$key2.16b,$key2.16b,#8
-	ext	$key3.16b,$key3.16b,$key3.16b,#8
-	sm4ekey	$key5.4S,$key4.4S,$const5.4S
-	sm4ekey	$key6.4S,$key5.4S,$const6.4S
-	rev64	$key4.4s,$key4.4s
-	rev64	$key5.4s,$key5.4s
-	ext	$key4.16b,$key4.16b,$key4.16b,#8
-	ext	$key5.16b,$key5.16b,$key5.16b,#8
-	sm4ekey	$key7.4S,$key6.4S,$const7.4S
-	rev64	$key6.4s, $key6.4s
-	rev64	$key7.4s, $key7.4s
-	ext	$key6.16b,$key6.16b,$key6.16b,#8
-	ext	$key7.16b,$key7.16b,$key7.16b,#8
-	st1	{$key7.4s,$key6.4s,$key5.4s,$key4.4s},[$keys],64
-	st1	{$key3.4s,$key2.4s,$key1.4s,$key0.4s},[$keys]
-	ret
-.size	${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
-___
-}}}
-
-{{{
-sub gen_block () {
-my $dir = shift;
-my ($inp,$out,$rk)=map("x$_",(0..2));
-my ($data)=("v16");
-$code.=<<___;
-.globl	${prefix}_${dir}crypt
-.type	${prefix}_${dir}crypt,%function
-.align	5
-${prefix}_${dir}crypt:
-	AARCH64_VALID_CALL_TARGET
-	ld1	{$data.4s},[$inp]
-	ld1	{@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],64
-	ld1	{@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk]
-___
-	&rev32($data,$data);
-	&enc_blk($data);
-	&rev32($data,$data);
-$code.=<<___;
-	st1	{$data.4s},[$out]
-	ret
-.size	${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
-___
-}
-
-&gen_block("en");
-&gen_block("de");
-}}}
-
-{{{
-my ($inp,$out,$len,$rk)=map("x$_",(0..3));
-my ($enc) = ("w4");
-my @dat=map("v$_",(16..23));
-$code.=<<___;
-.globl	${prefix}_ecb_encrypt
-.type	${prefix}_ecb_encrypt,%function
-.align	5
-${prefix}_ecb_encrypt:
-	AARCH64_VALID_CALL_TARGET
-	ld1	{@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],#64
-	ld1	{@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk]
-1:
-	cmp	$len,#64
-	b.lt	1f
-	ld1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64
-	cmp	$len,#128
-	b.lt	2f
-	ld1	{@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$inp],#64
-	// 8 blocks
-___
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-	&rev32(@dat[4],@dat[4]);
-	&rev32(@dat[5],@dat[5]);
-	&rev32(@dat[6],@dat[6]);
-	&rev32(@dat[7],@dat[7]);
-	&enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
-	&enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]);
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-	&rev32(@dat[4],@dat[4]);
-	&rev32(@dat[5],@dat[5]);
-$code.=<<___;
-	st1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
-___
-	&rev32(@dat[6],@dat[6]);
-	&rev32(@dat[7],@dat[7]);
-$code.=<<___;
-	st1	{@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64
-	subs	$len,$len,#128
-	b.gt	1b
-	ret
-	// 4 blocks
-2:
-___
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-	&enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-$code.=<<___;
-	st1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
-	subs	$len,$len,#64
-	b.gt	1b
-1:
-	subs	$len,$len,#16
-	b.lt	1f
-	ld1	{@dat[0].4s},[$inp],#16
-___
-	&rev32(@dat[0],@dat[0]);
-	&enc_blk(@dat[0]);
-	&rev32(@dat[0],@dat[0]);
-$code.=<<___;
-	st1	{@dat[0].4s},[$out],#16
-	b.ne	1b
-1:
-	ret
-.size	${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt
-___
-}}}
-
-{{{
-my ($inp,$out,$len,$rk,$ivp)=map("x$_",(0..4));
-my ($enc) = ("w5");
-my @dat=map("v$_",(16..23));
-my @in=map("v$_",(24..31));
-my ($ivec) = ("v8");
-$code.=<<___;
-.globl	${prefix}_cbc_encrypt
-.type	${prefix}_cbc_encrypt,%function
-.align	5
-${prefix}_cbc_encrypt:
-	AARCH64_VALID_CALL_TARGET
-	stp	d8,d9,[sp, #-16]!
-
-	ld1	{@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],#64
-	ld1	{@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk]
-	ld1	{$ivec.4s},[$ivp]
-	cmp	$enc,#0
-	b.eq	.Ldec
-1:
-	cmp	$len, #64
-	b.lt	1f
-	ld1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp],#64
-	eor	@dat[0].16b,@dat[0].16b,$ivec.16b
-___
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-	&enc_blk(@dat[0]);
-$code.=<<___;
-	eor	@dat[1].16b,@dat[1].16b,@dat[0].16b
-___
-	&enc_blk(@dat[1]);
-	&rev32(@dat[0],@dat[0]);
-$code.=<<___;
-	eor	@dat[2].16b,@dat[2].16b,@dat[1].16b
-___
-	&enc_blk(@dat[2]);
-	&rev32(@dat[1],@dat[1]);
-$code.=<<___;
-	eor	@dat[3].16b,@dat[3].16b,@dat[2].16b
-___
-	&enc_blk(@dat[3]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-$code.=<<___;
-	mov	$ivec.16b,@dat[3].16b
-	st1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
-	subs	$len,$len,#64
-	b.ne	1b
-1:
-	subs	$len,$len,#16
-	b.lt	3f
-	ld1	{@dat[0].4s},[$inp],#16
-	eor	$ivec.16b,$ivec.16b,@dat[0].16b
-___
-	&rev32($ivec,$ivec);
-	&enc_blk($ivec);
-	&rev32($ivec,$ivec);
-$code.=<<___;
-	st1	{$ivec.16b},[$out],#16
-	b.ne	1b
-	b	3f
-.Ldec:
-1:
-	cmp	$len, #64
-	b.lt	1f
-	ld1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$inp]
-	ld1	{@in[0].4s,@in[1].4s,@in[2].4s,@in[3].4s},[$inp],#64
-	cmp	$len,#128
-	b.lt	2f
-	// 8 blocks mode
-	ld1	{@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$inp]
-	ld1	{@in[4].4s,@in[5].4s,@in[6].4s,@in[7].4s},[$inp],#64
-___
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],$dat[3]);
-	&rev32(@dat[4],@dat[4]);
-	&rev32(@dat[5],@dat[5]);
-	&rev32(@dat[6],@dat[6]);
-	&rev32(@dat[7],$dat[7]);
-	&enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
-	&enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]);
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-	&rev32(@dat[4],@dat[4]);
-	&rev32(@dat[5],@dat[5]);
-	&rev32(@dat[6],@dat[6]);
-	&rev32(@dat[7],@dat[7]);
-$code.=<<___;
-	eor	@dat[0].16b,@dat[0].16b,$ivec.16b
-	eor	@dat[1].16b,@dat[1].16b,@in[0].16b
-	eor	@dat[2].16b,@dat[2].16b,@in[1].16b
-	mov	$ivec.16b,@in[7].16b
-	eor	@dat[3].16b,$dat[3].16b,@in[2].16b
-	eor	@dat[4].16b,$dat[4].16b,@in[3].16b
-	eor	@dat[5].16b,$dat[5].16b,@in[4].16b
-	eor	@dat[6].16b,$dat[6].16b,@in[5].16b
-	eor	@dat[7].16b,$dat[7].16b,@in[6].16b
-	st1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
-	st1	{@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64
-	subs	$len,$len,128
-	b.gt	1b
-	b	3f
-	// 4 blocks mode
-2:
-___
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],$dat[3]);
-	&enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-$code.=<<___;
-	eor	@dat[0].16b,@dat[0].16b,$ivec.16b
-	eor	@dat[1].16b,@dat[1].16b,@in[0].16b
-	mov	$ivec.16b,@in[3].16b
-	eor	@dat[2].16b,@dat[2].16b,@in[1].16b
-	eor	@dat[3].16b,$dat[3].16b,@in[2].16b
-	st1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
-	subs	$len,$len,#64
-	b.gt	1b
-1:
-	subs	$len,$len,#16
-	b.lt	3f
-	ld1	{@dat[0].4s},[$inp],#16
-	mov	@in[0].16b,@dat[0].16b
-___
-	&rev32(@dat[0],@dat[0]);
-	&enc_blk(@dat[0]);
-	&rev32(@dat[0],@dat[0]);
-$code.=<<___;
-	eor	@dat[0].16b,@dat[0].16b,$ivec.16b
-	mov	$ivec.16b,@in[0].16b
-	st1	{@dat[0].16b},[$out],#16
-	b.ne	1b
-3:
-	// save back IV
-	st1	{$ivec.16b},[$ivp]
-	ldp	d8,d9,[sp],#16
-	ret
-.size	${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
-___
-}}}
-
-{{{
-my ($inp,$out,$len,$rk,$ivp)=map("x$_",(0..4));
-my ($ctr)=("w5");
-my @dat=map("v$_",(16..23));
-my @in=map("v$_",(24..31));
-my ($ivec)=("v8");
-$code.=<<___;
-.globl	${prefix}_ctr32_encrypt_blocks
-.type	${prefix}_ctr32_encrypt_blocks,%function
-.align	5
-${prefix}_ctr32_encrypt_blocks:
-	AARCH64_VALID_CALL_TARGET
-	stp	d8,d9,[sp, #-16]!
-
-	ld1	{$ivec.4s},[$ivp]
-	ld1	{@rks[0].4s,@rks[1].4s,@rks[2].4s,@rks[3].4s},[$rk],64
-	ld1	{@rks[4].4s,@rks[5].4s,@rks[6].4s,@rks[7].4s},[$rk]
-___
-	&rev32($ivec,$ivec);
-$code.=<<___;
-	mov	$ctr,$ivec.s[3]
-1:
-	cmp	$len,#4
-	b.lt	1f
-	ld1	{@in[0].4s,@in[1].4s,@in[2].4s,@in[3].4s},[$inp],#64
-	mov	@dat[0].16b,$ivec.16b
-	mov	@dat[1].16b,$ivec.16b
-	mov	@dat[2].16b,$ivec.16b
-	mov	@dat[3].16b,$ivec.16b
-	add	$ctr,$ctr,#1
-	mov	$dat[1].s[3],$ctr
-	add	$ctr,$ctr,#1
-	mov	@dat[2].s[3],$ctr
-	add	$ctr,$ctr,#1
-	mov	@dat[3].s[3],$ctr
-	cmp	$len,#8
-	b.lt	2f
-	ld1	{@in[4].4s,@in[5].4s,@in[6].4s,@in[7].4s},[$inp],#64
-	mov	@dat[4].16b,$ivec.16b
-	mov	@dat[5].16b,$ivec.16b
-	mov	@dat[6].16b,$ivec.16b
-	mov	@dat[7].16b,$ivec.16b
-	add	$ctr,$ctr,#1
-	mov	$dat[4].s[3],$ctr
-	add	$ctr,$ctr,#1
-	mov	@dat[5].s[3],$ctr
-	add	$ctr,$ctr,#1
-	mov	@dat[6].s[3],$ctr
-	add	$ctr,$ctr,#1
-	mov	@dat[7].s[3],$ctr
-___
-	&enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
-	&enc_4blks(@dat[4],@dat[5],@dat[6],@dat[7]);
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-	&rev32(@dat[4],@dat[4]);
-	&rev32(@dat[5],@dat[5]);
-	&rev32(@dat[6],@dat[6]);
-	&rev32(@dat[7],@dat[7]);
-$code.=<<___;
-	eor	@dat[0].16b,@dat[0].16b,@in[0].16b
-	eor	@dat[1].16b,@dat[1].16b,@in[1].16b
-	eor	@dat[2].16b,@dat[2].16b,@in[2].16b
-	eor	@dat[3].16b,@dat[3].16b,@in[3].16b
-	eor	@dat[4].16b,@dat[4].16b,@in[4].16b
-	eor	@dat[5].16b,@dat[5].16b,@in[5].16b
-	eor	@dat[6].16b,@dat[6].16b,@in[6].16b
-	eor	@dat[7].16b,@dat[7].16b,@in[7].16b
-	st1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
-	st1	{@dat[4].4s,@dat[5].4s,@dat[6].4s,@dat[7].4s},[$out],#64
-	subs	$len,$len,#8
-	b.eq	3f
-	add	$ctr,$ctr,#1
-	mov	$ivec.s[3],$ctr
-	b	1b
-2:
-___
-	&enc_4blks(@dat[0],@dat[1],@dat[2],@dat[3]);
-	&rev32(@dat[0],@dat[0]);
-	&rev32(@dat[1],@dat[1]);
-	&rev32(@dat[2],@dat[2]);
-	&rev32(@dat[3],@dat[3]);
-$code.=<<___;
-	eor	@dat[0].16b,@dat[0].16b,@in[0].16b
-	eor	@dat[1].16b,@dat[1].16b,@in[1].16b
-	eor	@dat[2].16b,@dat[2].16b,@in[2].16b
-	eor	@dat[3].16b,@dat[3].16b,@in[3].16b
-	st1	{@dat[0].4s,@dat[1].4s,@dat[2].4s,@dat[3].4s},[$out],#64
-	subs	$len,$len,#4
-	b.eq	3f
-	add	$ctr,$ctr,#1
-	mov	$ivec.s[3],$ctr
-	b	1b
-1:
-	subs	$len,$len,#1
-	b.lt	3f
-	mov	$dat[0].16b,$ivec.16b
-	ld1	{@in[0].4s},[$inp],#16
-___
-	&enc_blk(@dat[0]);
-	&rev32(@dat[0],@dat[0]);
-$code.=<<___;
-	eor	$dat[0].16b,$dat[0].16b,@in[0].16b
-	st1	{$dat[0].4s},[$out],#16
-	b.eq	3f
-	add	$ctr,$ctr,#1
-	mov	$ivec.s[3],$ctr
-	b	1b
-3:
-	ldp	d8,d9,[sp],#16
-	ret
-.size	${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
-___
-}}}
-########################################
-{   my  %opcode = (
-        "sm4e"          => 0xcec08400,
-        "sm4ekey"       => 0xce60c800);
-
-    sub unsm4 {
-        my ($mnemonic,$arg)=@_;
-
-        $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv]([0-9]+))?/o
-        &&
-        sprintf ".inst\t0x%08x\t//%s %s",
-                        $opcode{$mnemonic}|$1|($2<<5)|($3<<16),
-                        $mnemonic,$arg;
-    }
-}
-
-open SELF,$0;
-while(<SELF>) {
-        next if (/^#!/);
-        last if (!s/^#/\/\// and !/^$/);
-        print;
-}
-close SELF;
-
-foreach(split("\n",$code)) {
-	s/\`([^\`]*)\`/eval($1)/ge;
-
-	s/\b(sm4\w+)\s+([qv].*)/unsm4($1,$2)/ge;
-	print $_,"\n";
-}
-
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 1118
libs/openssl/crypto/sm4/asm/vpsm4-armv8.pl

@@ -1,1118 +0,0 @@
-#! /usr/bin/env perl
-# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
-#
-# Licensed under the Apache License 2.0 (the "License").  You may not use
-# this file except in compliance with the License.  You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-
-#
-# This module implements SM4 with ASIMD on aarch64
-#
-# Feb 2022
-#
-
-# $output is the last argument if it looks like a file (it has an extension)
-# $flavour is the first argument if it doesn't look like a file
-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
-die "can't locate arm-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour \"$output\""
-    or die "can't call $xlate: $!";
-*STDOUT=*OUT;
-
-$prefix="vpsm4";
-my @vtmp=map("v$_",(0..3));
-my @data=map("v$_",(4..7));
-my @datax=map("v$_",(8..11));
-my ($rk0,$rk1)=("v12","v13");
-my ($rka,$rkb)=("v14","v15");
-my @vtmpx=map("v$_",(12..15));
-my @sbox=map("v$_",(16..31));
-my ($inp,$outp,$blocks,$rks)=("x0","x1","w2","x3");
-my ($tmpw,$tmp,$wtmp0,$wtmp1,$wtmp2)=("w6","x6","w7","w8","w9");
-my ($ptr,$counter)=("x10","w11");
-my ($word0,$word1,$word2,$word3)=("w12","w13","w14","w15");
-
-sub rev32() {
-	my $dst = shift;
-	my $src = shift;
-
-	if ($src and ("$src" ne "$dst")) {
-$code.=<<___;
-#ifndef __AARCH64EB__
-	rev32	$dst.16b,$src.16b
-#else
-	mov	$dst.16b,$src.16b
-#endif
-___
-	} else {
-$code.=<<___;
-#ifndef __AARCH64EB__
-	rev32	$dst.16b,$dst.16b
-#endif
-___
-	}
-}
-
-sub transpose() {
-	my ($dat0,$dat1,$dat2,$dat3,$vt0,$vt1,$vt2,$vt3) = @_;
-
-$code.=<<___;
-	zip1	$vt0.4s,$dat0.4s,$dat1.4s
-	zip2	$vt1.4s,$dat0.4s,$dat1.4s
-	zip1	$vt2.4s,$dat2.4s,$dat3.4s
-	zip2	$vt3.4s,$dat2.4s,$dat3.4s
-	zip1	$dat0.2d,$vt0.2d,$vt2.2d
-	zip2	$dat1.2d,$vt0.2d,$vt2.2d
-	zip1	$dat2.2d,$vt1.2d,$vt3.2d
-	zip2	$dat3.2d,$vt1.2d,$vt3.2d
-___
-}
-
-# sbox operations for 4-lane of words
-sub sbox() {
-	my $dat = shift;
-
-$code.=<<___;
-	movi	@vtmp[0].16b,#64
-	movi	@vtmp[1].16b,#128
-	movi	@vtmp[2].16b,#192
-	sub	@vtmp[0].16b,$dat.16b,@vtmp[0].16b
-	sub	@vtmp[1].16b,$dat.16b,@vtmp[1].16b
-	sub	@vtmp[2].16b,$dat.16b,@vtmp[2].16b
-	tbl	$dat.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$dat.16b
-	tbl	@vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b
-	tbl	@vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b
-	tbl	@vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b
-	add	@vtmp[0].2d,@vtmp[0].2d,@vtmp[1].2d
-	add	@vtmp[2].2d,@vtmp[2].2d,$dat.2d
-	add	$dat.2d,@vtmp[0].2d,@vtmp[2].2d
-
-	ushr	@vtmp[0].4s,$dat.4s,32-2
-	sli	@vtmp[0].4s,$dat.4s,2
-	ushr	@vtmp[2].4s,$dat.4s,32-10
-	eor	@vtmp[1].16b,@vtmp[0].16b,$dat.16b
-	sli	@vtmp[2].4s,$dat.4s,10
-	eor	@vtmp[1].16b,@vtmp[2].16b,$vtmp[1].16b
-	ushr	@vtmp[0].4s,$dat.4s,32-18
-	sli	@vtmp[0].4s,$dat.4s,18
-	ushr	@vtmp[2].4s,$dat.4s,32-24
-	eor	@vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b
-	sli	@vtmp[2].4s,$dat.4s,24
-	eor	$dat.16b,@vtmp[2].16b,@vtmp[1].16b
-___
-}
-
-# sbox operation for 8-lane of words
-sub sbox_double() {
-	my $dat = shift;
-	my $datx = shift;
-
-$code.=<<___;
-	movi	@vtmp[3].16b,#64
-	sub	@vtmp[0].16b,$dat.16b,@vtmp[3].16b
-	sub	@vtmp[1].16b,@vtmp[0].16b,@vtmp[3].16b
-	sub	@vtmp[2].16b,@vtmp[1].16b,@vtmp[3].16b
-	tbl	$dat.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$dat.16b
-	tbl	@vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b
-	tbl	@vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b
-	tbl	@vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b
-	add	@vtmp[1].2d,@vtmp[0].2d,@vtmp[1].2d
-	add	$dat.2d,@vtmp[2].2d,$dat.2d
-	add	$dat.2d,@vtmp[1].2d,$dat.2d
-
-	sub	@vtmp[0].16b,$datx.16b,@vtmp[3].16b
-	sub	@vtmp[1].16b,@vtmp[0].16b,@vtmp[3].16b
-	sub	@vtmp[2].16b,@vtmp[1].16b,@vtmp[3].16b
-	tbl	$datx.16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},$datx.16b
-	tbl	@vtmp[0].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[0].16b
-	tbl	@vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[1].16b
-	tbl	@vtmp[2].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[2].16b
-	add	@vtmp[1].2d,@vtmp[0].2d,@vtmp[1].2d
-	add	$datx.2d,@vtmp[2].2d,$datx.2d
-	add	$datx.2d,@vtmp[1].2d,$datx.2d
-
-	ushr	@vtmp[0].4s,$dat.4s,32-2
-	sli	@vtmp[0].4s,$dat.4s,2
-	ushr	@vtmp[2].4s,$datx.4s,32-2
-	eor	@vtmp[1].16b,@vtmp[0].16b,$dat.16b
-	sli	@vtmp[2].4s,$datx.4s,2
-
-	ushr	@vtmp[0].4s,$dat.4s,32-10
-	eor	@vtmp[3].16b,@vtmp[2].16b,$datx.16b
-	sli	@vtmp[0].4s,$dat.4s,10
-	ushr	@vtmp[2].4s,$datx.4s,32-10
-	eor	@vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b
-	sli	@vtmp[2].4s,$datx.4s,10
-
-	ushr	@vtmp[0].4s,$dat.4s,32-18
-	eor	@vtmp[3].16b,@vtmp[2].16b,$vtmp[3].16b
-	sli	@vtmp[0].4s,$dat.4s,18
-	ushr	@vtmp[2].4s,$datx.4s,32-18
-	eor	@vtmp[1].16b,@vtmp[0].16b,$vtmp[1].16b
-	sli	@vtmp[2].4s,$datx.4s,18
-
-	ushr	@vtmp[0].4s,$dat.4s,32-24
-	eor	@vtmp[3].16b,@vtmp[2].16b,$vtmp[3].16b
-	sli	@vtmp[0].4s,$dat.4s,24
-	ushr	@vtmp[2].4s,$datx.4s,32-24
-	eor	$dat.16b,@vtmp[0].16b,@vtmp[1].16b
-	sli	@vtmp[2].4s,$datx.4s,24
-	eor	$datx.16b,@vtmp[2].16b,@vtmp[3].16b
-___
-}
-
-# sbox operation for one single word
-sub sbox_1word () {
-	my $word = shift;
-
-$code.=<<___;
-	movi	@vtmp[1].16b,#64
-	movi	@vtmp[2].16b,#128
-	movi	@vtmp[3].16b,#192
-	mov	@vtmp[0].s[0],$word
-
-	sub	@vtmp[1].16b,@vtmp[0].16b,@vtmp[1].16b
-	sub	@vtmp[2].16b,@vtmp[0].16b,@vtmp[2].16b
-	sub	@vtmp[3].16b,@vtmp[0].16b,@vtmp[3].16b
-
-	tbl	@vtmp[0].16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},@vtmp[0].16b
-	tbl	@vtmp[1].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@vtmp[1].16b
-	tbl	@vtmp[2].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@vtmp[2].16b
-	tbl	@vtmp[3].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@vtmp[3].16b
-
-	mov	$word,@vtmp[0].s[0]
-	mov	$wtmp0,@vtmp[1].s[0]
-	mov	$wtmp2,@vtmp[2].s[0]
-	add	$wtmp0,$word,$wtmp0
-	mov	$word,@vtmp[3].s[0]
-	add	$wtmp0,$wtmp0,$wtmp2
-	add	$wtmp0,$wtmp0,$word
-
-	eor	$word,$wtmp0,$wtmp0,ror #32-2
-	eor	$word,$word,$wtmp0,ror #32-10
-	eor	$word,$word,$wtmp0,ror #32-18
-	eor	$word,$word,$wtmp0,ror #32-24
-___
-}
-
-# sm4 for one block of data, in scalar registers word0/word1/word2/word3
-sub sm4_1blk () {
-	my $kptr = shift;
-
-$code.=<<___;
-	ldp	$wtmp0,$wtmp1,[$kptr],8
-	// B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0)
-	eor	$tmpw,$word2,$word3
-	eor	$wtmp2,$wtmp0,$word1
-	eor	$tmpw,$tmpw,$wtmp2
-___
-	&sbox_1word($tmpw);
-$code.=<<___;
-	eor	$word0,$word0,$tmpw
-	// B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1)
-	eor	$tmpw,$word2,$word3
-	eor	$wtmp2,$word0,$wtmp1
-	eor	$tmpw,$tmpw,$wtmp2
-___
-	&sbox_1word($tmpw);
-$code.=<<___;
-	ldp	$wtmp0,$wtmp1,[$kptr],8
-	eor	$word1,$word1,$tmpw
-	// B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2)
-	eor	$tmpw,$word0,$word1
-	eor	$wtmp2,$wtmp0,$word3
-	eor	$tmpw,$tmpw,$wtmp2
-___
-	&sbox_1word($tmpw);
-$code.=<<___;
-	eor	$word2,$word2,$tmpw
-	// B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3)
-	eor	$tmpw,$word0,$word1
-	eor	$wtmp2,$word2,$wtmp1
-	eor	$tmpw,$tmpw,$wtmp2
-___
-	&sbox_1word($tmpw);
-$code.=<<___;
-	eor	$word3,$word3,$tmpw
-___
-}
-
-# sm4 for 4-lanes of data, in neon registers data0/data1/data2/data3
-sub sm4_4blks () {
-	my $kptr = shift;
-
-$code.=<<___;
-	ldp	$wtmp0,$wtmp1,[$kptr],8
-	dup	$rk0.4s,$wtmp0
-	dup	$rk1.4s,$wtmp1
-
-	// B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0)
-	eor	$rka.16b,@data[2].16b,@data[3].16b
-	eor	$rk0.16b,@data[1].16b,$rk0.16b
-	eor	$rk0.16b,$rka.16b,$rk0.16b
-___
-	&sbox($rk0);
-$code.=<<___;
-	eor	@data[0].16b,@data[0].16b,$rk0.16b
-
-	// B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1)
-	eor	$rka.16b,$rka.16b,@data[0].16b
-	eor	$rk1.16b,$rka.16b,$rk1.16b
-___
-	&sbox($rk1);
-$code.=<<___;
-	ldp	$wtmp0,$wtmp1,[$kptr],8
-	eor	@data[1].16b,@data[1].16b,$rk1.16b
-
-	dup	$rk0.4s,$wtmp0
-	dup	$rk1.4s,$wtmp1
-
-	// B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2)
-	eor	$rka.16b,@data[0].16b,@data[1].16b
-	eor	$rk0.16b,@data[3].16b,$rk0.16b
-	eor	$rk0.16b,$rka.16b,$rk0.16b
-___
-	&sbox($rk0);
-$code.=<<___;
-	eor	@data[2].16b,@data[2].16b,$rk0.16b
-
-	// B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3)
-	eor	$rka.16b,$rka.16b,@data[2].16b
-	eor	$rk1.16b,$rka.16b,$rk1.16b
-___
-	&sbox($rk1);
-$code.=<<___;
-	eor	@data[3].16b,@data[3].16b,$rk1.16b
-___
-}
-
-# sm4 for 8 lanes of data, in neon registers
-# data0/data1/data2/data3 datax0/datax1/datax2/datax3
-sub sm4_8blks () {
-	my $kptr = shift;
-
-$code.=<<___;
-	ldp	$wtmp0,$wtmp1,[$kptr],8
-	// B0 ^= SBOX(B1 ^ B2 ^ B3 ^ RK0)
-	dup	$rk0.4s,$wtmp0
-	eor	$rka.16b,@data[2].16b,@data[3].16b
-	eor	$rkb.16b,@datax[2].16b,@datax[3].16b
-	eor	@vtmp[0].16b,@data[1].16b,$rk0.16b
-	eor	@vtmp[1].16b,@datax[1].16b,$rk0.16b
-	eor	$rk0.16b,$rka.16b,@vtmp[0].16b
-	eor	$rk1.16b,$rkb.16b,@vtmp[1].16b
-___
-	&sbox_double($rk0,$rk1);
-$code.=<<___;
-	eor	@data[0].16b,@data[0].16b,$rk0.16b
-	eor	@datax[0].16b,@datax[0].16b,$rk1.16b
-
-	// B1 ^= SBOX(B0 ^ B2 ^ B3 ^ RK1)
-	dup	$rk1.4s,$wtmp1
-	eor	$rka.16b,$rka.16b,@data[0].16b
-	eor	$rkb.16b,$rkb.16b,@datax[0].16b
-	eor	$rk0.16b,$rka.16b,$rk1.16b
-	eor	$rk1.16b,$rkb.16b,$rk1.16b
-___
-	&sbox_double($rk0,$rk1);
-$code.=<<___;
-	ldp	$wtmp0,$wtmp1,[$kptr],8
-	eor	@data[1].16b,@data[1].16b,$rk0.16b
-	eor	@datax[1].16b,@datax[1].16b,$rk1.16b
-
-	// B2 ^= SBOX(B0 ^ B1 ^ B3 ^ RK2)
-	dup	$rk0.4s,$wtmp0
-	eor	$rka.16b,@data[0].16b,@data[1].16b
-	eor	$rkb.16b,@datax[0].16b,@datax[1].16b
-	eor	@vtmp[0].16b,@data[3].16b,$rk0.16b
-	eor	@vtmp[1].16b,@datax[3].16b,$rk0.16b
-	eor	$rk0.16b,$rka.16b,@vtmp[0].16b
-	eor	$rk1.16b,$rkb.16b,@vtmp[1].16b
-___
-	&sbox_double($rk0,$rk1);
-$code.=<<___;
-	eor	@data[2].16b,@data[2].16b,$rk0.16b
-	eor	@datax[2].16b,@datax[2].16b,$rk1.16b
-
-	// B3 ^= SBOX(B0 ^ B1 ^ B2 ^ RK3)
-	dup	$rk1.4s,$wtmp1
-	eor	$rka.16b,$rka.16b,@data[2].16b
-	eor	$rkb.16b,$rkb.16b,@datax[2].16b
-	eor	$rk0.16b,$rka.16b,$rk1.16b
-	eor	$rk1.16b,$rkb.16b,$rk1.16b
-___
-	&sbox_double($rk0,$rk1);
-$code.=<<___;
-	eor	@data[3].16b,@data[3].16b,$rk0.16b
-	eor	@datax[3].16b,@datax[3].16b,$rk1.16b
-___
-}
-
-sub encrypt_1blk_norev() {
-	my $dat = shift;
-
-$code.=<<___;
-	mov	$ptr,$rks
-	mov	$counter,#8
-	mov	$word0,$dat.s[0]
-	mov	$word1,$dat.s[1]
-	mov	$word2,$dat.s[2]
-	mov	$word3,$dat.s[3]
-10:
-___
-	&sm4_1blk($ptr);
-$code.=<<___;
-	subs	$counter,$counter,#1
-	b.ne	10b
-	mov	$dat.s[0],$word3
-	mov	$dat.s[1],$word2
-	mov	$dat.s[2],$word1
-	mov	$dat.s[3],$word0
-___
-}
-
-sub encrypt_1blk() {
-	my $dat = shift;
-
-	&encrypt_1blk_norev($dat);
-	&rev32($dat,$dat);
-}
-
-sub encrypt_4blks() {
-$code.=<<___;
-	mov	$ptr,$rks
-	mov	$counter,#8
-10:
-___
-	&sm4_4blks($ptr);
-$code.=<<___;
-	subs	$counter,$counter,#1
-	b.ne	10b
-___
-	&rev32(@vtmp[3],@data[0]);
-	&rev32(@vtmp[2],@data[1]);
-	&rev32(@vtmp[1],@data[2]);
-	&rev32(@vtmp[0],@data[3]);
-}
-
-sub encrypt_8blks() {
-$code.=<<___;
-	mov	$ptr,$rks
-	mov	$counter,#8
-10:
-___
-	&sm4_8blks($ptr);
-$code.=<<___;
-	subs	$counter,$counter,#1
-	b.ne	10b
-___
-	&rev32(@vtmp[3],@data[0]);
-	&rev32(@vtmp[2],@data[1]);
-	&rev32(@vtmp[1],@data[2]);
-	&rev32(@vtmp[0],@data[3]);
-	&rev32(@data[3],@datax[0]);
-	&rev32(@data[2],@datax[1]);
-	&rev32(@data[1],@datax[2]);
-	&rev32(@data[0],@datax[3]);
-}
-
-sub load_sbox () {
-	my $data = shift;
-
-$code.=<<___;
-	adr	$ptr,.Lsbox
-	ld1	{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},[$ptr],#64
-	ld1	{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},[$ptr],#64
-	ld1	{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},[$ptr],#64
-	ld1	{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},[$ptr]
-___
-}
-
-$code=<<___;
-#include "arm_arch.h"
-.arch	armv8-a
-.text
-
-.type	_vpsm4_consts,%object
-.align	7
-_vpsm4_consts:
-.Lsbox:
-	.byte 0xD6,0x90,0xE9,0xFE,0xCC,0xE1,0x3D,0xB7,0x16,0xB6,0x14,0xC2,0x28,0xFB,0x2C,0x05
-	.byte 0x2B,0x67,0x9A,0x76,0x2A,0xBE,0x04,0xC3,0xAA,0x44,0x13,0x26,0x49,0x86,0x06,0x99
-	.byte 0x9C,0x42,0x50,0xF4,0x91,0xEF,0x98,0x7A,0x33,0x54,0x0B,0x43,0xED,0xCF,0xAC,0x62
-	.byte 0xE4,0xB3,0x1C,0xA9,0xC9,0x08,0xE8,0x95,0x80,0xDF,0x94,0xFA,0x75,0x8F,0x3F,0xA6
-	.byte 0x47,0x07,0xA7,0xFC,0xF3,0x73,0x17,0xBA,0x83,0x59,0x3C,0x19,0xE6,0x85,0x4F,0xA8
-	.byte 0x68,0x6B,0x81,0xB2,0x71,0x64,0xDA,0x8B,0xF8,0xEB,0x0F,0x4B,0x70,0x56,0x9D,0x35
-	.byte 0x1E,0x24,0x0E,0x5E,0x63,0x58,0xD1,0xA2,0x25,0x22,0x7C,0x3B,0x01,0x21,0x78,0x87
-	.byte 0xD4,0x00,0x46,0x57,0x9F,0xD3,0x27,0x52,0x4C,0x36,0x02,0xE7,0xA0,0xC4,0xC8,0x9E
-	.byte 0xEA,0xBF,0x8A,0xD2,0x40,0xC7,0x38,0xB5,0xA3,0xF7,0xF2,0xCE,0xF9,0x61,0x15,0xA1
-	.byte 0xE0,0xAE,0x5D,0xA4,0x9B,0x34,0x1A,0x55,0xAD,0x93,0x32,0x30,0xF5,0x8C,0xB1,0xE3
-	.byte 0x1D,0xF6,0xE2,0x2E,0x82,0x66,0xCA,0x60,0xC0,0x29,0x23,0xAB,0x0D,0x53,0x4E,0x6F
-	.byte 0xD5,0xDB,0x37,0x45,0xDE,0xFD,0x8E,0x2F,0x03,0xFF,0x6A,0x72,0x6D,0x6C,0x5B,0x51
-	.byte 0x8D,0x1B,0xAF,0x92,0xBB,0xDD,0xBC,0x7F,0x11,0xD9,0x5C,0x41,0x1F,0x10,0x5A,0xD8
-	.byte 0x0A,0xC1,0x31,0x88,0xA5,0xCD,0x7B,0xBD,0x2D,0x74,0xD0,0x12,0xB8,0xE5,0xB4,0xB0
-	.byte 0x89,0x69,0x97,0x4A,0x0C,0x96,0x77,0x7E,0x65,0xB9,0xF1,0x09,0xC5,0x6E,0xC6,0x84
-	.byte 0x18,0xF0,0x7D,0xEC,0x3A,0xDC,0x4D,0x20,0x79,0xEE,0x5F,0x3E,0xD7,0xCB,0x39,0x48
-.Lck:
-	.long 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269
-	.long 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9
-	.long 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249
-	.long 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9
-	.long 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229
-	.long 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299
-	.long 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209
-	.long 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279
-.Lfk:
-	.dword 0x56aa3350a3b1bac6,0xb27022dc677d9197
-.Lshuffles:
-	.dword 0x0B0A090807060504,0x030201000F0E0D0C
-
-.size	_vpsm4_consts,.-_vpsm4_consts
-___
-
-{{{
-my ($key,$keys,$enc)=("x0","x1","w2");
-my ($pointer,$schedules,$wtmp,$roundkey)=("x5","x6","w7","w8");
-my ($vkey,$vfk,$vmap)=("v5","v6","v7");
-$code.=<<___;
-.type	_vpsm4_set_key,%function
-.align	4
-_vpsm4_set_key:
-	AARCH64_VALID_CALL_TARGET
-	ld1	{$vkey.4s},[$key]
-___
-	&load_sbox();
-	&rev32($vkey,$vkey);
-$code.=<<___;
-	adr	$pointer,.Lshuffles
-	ld1	{$vmap.2d},[$pointer]
-	adr	$pointer,.Lfk
-	ld1	{$vfk.2d},[$pointer]
-	eor	$vkey.16b,$vkey.16b,$vfk.16b
-	mov	$schedules,#32
-	adr	$pointer,.Lck
-	movi	@vtmp[0].16b,#64
-	cbnz	$enc,1f
-	add	$keys,$keys,124
-1:
-	mov	$wtmp,$vkey.s[1]
-	ldr	$roundkey,[$pointer],#4
-	eor	$roundkey,$roundkey,$wtmp
-	mov	$wtmp,$vkey.s[2]
-	eor	$roundkey,$roundkey,$wtmp
-	mov	$wtmp,$vkey.s[3]
-	eor	$roundkey,$roundkey,$wtmp
-	// sbox lookup
-	mov	@data[0].s[0],$roundkey
-	tbl	@vtmp[1].16b,{@sbox[0].16b,@sbox[1].16b,@sbox[2].16b,@sbox[3].16b},@data[0].16b
-	sub	@data[0].16b,@data[0].16b,@vtmp[0].16b
-	tbx	@vtmp[1].16b,{@sbox[4].16b,@sbox[5].16b,@sbox[6].16b,@sbox[7].16b},@data[0].16b
-	sub	@data[0].16b,@data[0].16b,@vtmp[0].16b
-	tbx	@vtmp[1].16b,{@sbox[8].16b,@sbox[9].16b,@sbox[10].16b,@sbox[11].16b},@data[0].16b
-	sub	@data[0].16b,@data[0].16b,@vtmp[0].16b
-	tbx	@vtmp[1].16b,{@sbox[12].16b,@sbox[13].16b,@sbox[14].16b,@sbox[15].16b},@data[0].16b
-	mov	$wtmp,@vtmp[1].s[0]
-	eor	$roundkey,$wtmp,$wtmp,ror #19
-	eor	$roundkey,$roundkey,$wtmp,ror #9
-	mov	$wtmp,$vkey.s[0]
-	eor	$roundkey,$roundkey,$wtmp
-	mov	$vkey.s[0],$roundkey
-	cbz	$enc,2f
-	str	$roundkey,[$keys],#4
-	b	3f
-2:
-	str	$roundkey,[$keys],#-4
-3:
-	tbl	$vkey.16b,{$vkey.16b},$vmap.16b
-	subs	$schedules,$schedules,#1
-	b.ne	1b
-	ret
-.size	_vpsm4_set_key,.-_vpsm4_set_key
-___
-}}}
-
-
-{{{
-$code.=<<___;
-.type	_vpsm4_enc_4blks,%function
-.align	4
-_vpsm4_enc_4blks:
-	AARCH64_VALID_CALL_TARGET
-___
-	&encrypt_4blks();
-$code.=<<___;
-	ret
-.size	_vpsm4_enc_4blks,.-_vpsm4_enc_4blks
-___
-}}}
-
-{{{
-$code.=<<___;
-.type	_vpsm4_enc_8blks,%function
-.align	4
-_vpsm4_enc_8blks:
-	AARCH64_VALID_CALL_TARGET
-___
-	&encrypt_8blks();
-$code.=<<___;
-	ret
-.size	_vpsm4_enc_8blks,.-_vpsm4_enc_8blks
-___
-}}}
-
-
-{{{
-my ($key,$keys)=("x0","x1");
-$code.=<<___;
-.globl	${prefix}_set_encrypt_key
-.type	${prefix}_set_encrypt_key,%function
-.align	5
-${prefix}_set_encrypt_key:
-	AARCH64_SIGN_LINK_REGISTER
-	stp	x29,x30,[sp,#-16]!
-	mov	w2,1
-	bl	_vpsm4_set_key
-	ldp	x29,x30,[sp],#16
-	AARCH64_VALIDATE_LINK_REGISTER
-	ret
-.size	${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
-___
-}}}
-
-{{{
-my ($key,$keys)=("x0","x1");
-$code.=<<___;
-.globl	${prefix}_set_decrypt_key
-.type	${prefix}_set_decrypt_key,%function
-.align	5
-${prefix}_set_decrypt_key:
-	AARCH64_SIGN_LINK_REGISTER
-	stp	x29,x30,[sp,#-16]!
-	mov	w2,0
-	bl	_vpsm4_set_key
-	ldp	x29,x30,[sp],#16
-	AARCH64_VALIDATE_LINK_REGISTER
-	ret
-.size	${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
-___
-}}}
-
-{{{
-sub gen_block () {
-	my $dir = shift;
-	my ($inp,$outp,$rk)=map("x$_",(0..2));
-
-$code.=<<___;
-.globl	${prefix}_${dir}crypt
-.type	${prefix}_${dir}crypt,%function
-.align	5
-${prefix}_${dir}crypt:
-	AARCH64_VALID_CALL_TARGET
-	ld1	{@data[0].4s},[$inp]
-___
-	&load_sbox();
-	&rev32(@data[0],@data[0]);
-$code.=<<___;
-	mov	$rks,x2
-___
-	&encrypt_1blk(@data[0]);
-$code.=<<___;
-	st1	{@data[0].4s},[$outp]
-	ret
-.size	${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
-___
-}
-&gen_block("en");
-&gen_block("de");
-}}}
-
-{{{
-my ($enc) = ("w4");
-my @dat=map("v$_",(16..23));
-
-$code.=<<___;
-.globl	${prefix}_ecb_encrypt
-.type	${prefix}_ecb_encrypt,%function
-.align	5
-${prefix}_ecb_encrypt:
-	AARCH64_SIGN_LINK_REGISTER
-	// convert length into blocks
-	lsr	x2,x2,4
-	stp	d8,d9,[sp,#-80]!
-	stp	d10,d11,[sp,#16]
-	stp	d12,d13,[sp,#32]
-	stp	d14,d15,[sp,#48]
-	stp	x29,x30,[sp,#64]
-___
-	&load_sbox();
-$code.=<<___;
-.Lecb_8_blocks_process:
-	cmp	$blocks,#8
-	b.lt	.Lecb_4_blocks_process
-	ld4	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64
-	ld4	{@datax[0].4s,$datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-	&rev32(@datax[0],@datax[0]);
-	&rev32(@datax[1],@datax[1]);
-	&rev32(@datax[2],@datax[2]);
-	&rev32(@datax[3],@datax[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_8blks
-	st4	{@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-	st4	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64
-	subs	$blocks,$blocks,#8
-	b.gt	.Lecb_8_blocks_process
-	b	100f
-.Lecb_4_blocks_process:
-	cmp	$blocks,#4
-	b.lt	1f
-	ld4	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_4blks
-	st4	{@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-	sub	$blocks,$blocks,#4
-1:
-	// process last block
-	cmp	$blocks,#1
-	b.lt	100f
-	b.gt	1f
-	ld1	{@data[0].4s},[$inp]
-___
-	&rev32(@data[0],@data[0]);
-	&encrypt_1blk(@data[0]);
-$code.=<<___;
-	st1	{@data[0].4s},[$outp]
-	b	100f
-1:	// process last 2 blocks
-	ld4	{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp],#16
-	ld4	{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$inp],#16
-	cmp	$blocks,#2
-	b.gt	1f
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_4blks
-	st4	{@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16
-	st4	{@vtmp[0].s-@vtmp[3].s}[1],[$outp]
-	b	100f
-1:	// process last 3 blocks
-	ld4	{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$inp],#16
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_4blks
-	st4	{@vtmp[0].s-@vtmp[3].s}[0],[$outp],#16
-	st4	{@vtmp[0].s-@vtmp[3].s}[1],[$outp],#16
-	st4	{@vtmp[0].s-@vtmp[3].s}[2],[$outp]
-100:
-	ldp	d10,d11,[sp,#16]
-	ldp	d12,d13,[sp,#32]
-	ldp	d14,d15,[sp,#48]
-	ldp	x29,x30,[sp,#64]
-	ldp	d8,d9,[sp],#80
-	AARCH64_VALIDATE_LINK_REGISTER
-	ret
-.size	${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt
-___
-}}}
-
-{{{
-my ($len,$ivp,$enc)=("x2","x4","w5");
-my $ivec0=("v3");
-my $ivec1=("v15");
-
-$code.=<<___;
-.globl	${prefix}_cbc_encrypt
-.type	${prefix}_cbc_encrypt,%function
-.align	5
-${prefix}_cbc_encrypt:
-	AARCH64_VALID_CALL_TARGET
-	lsr	$len,$len,4
-___
-	&load_sbox();
-$code.=<<___;
-	cbz	$enc,.Ldec
-	ld1	{$ivec0.4s},[$ivp]
-.Lcbc_4_blocks_enc:
-	cmp	$blocks,#4
-	b.lt	1f
-	ld1	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64
-	eor	@data[0].16b,@data[0].16b,$ivec0.16b
-___
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-	&encrypt_1blk_norev(@data[0]);
-$code.=<<___;
-	eor	@data[1].16b,@data[1].16b,@data[0].16b
-___
-	&encrypt_1blk_norev(@data[1]);
-	&rev32(@data[0],@data[0]);
-
-$code.=<<___;
-	eor	@data[2].16b,@data[2].16b,@data[1].16b
-___
-	&encrypt_1blk_norev(@data[2]);
-	&rev32(@data[1],@data[1]);
-$code.=<<___;
-	eor	@data[3].16b,@data[3].16b,@data[2].16b
-___
-	&encrypt_1blk_norev(@data[3]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-$code.=<<___;
-	orr	$ivec0.16b,@data[3].16b,@data[3].16b
-	st1	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64
-	subs	$blocks,$blocks,#4
-	b.ne	.Lcbc_4_blocks_enc
-	b	2f
-1:
-	subs	$blocks,$blocks,#1
-	b.lt	2f
-	ld1	{@data[0].4s},[$inp],#16
-	eor	$ivec0.16b,$ivec0.16b,@data[0].16b
-___
-	&rev32($ivec0,$ivec0);
-	&encrypt_1blk($ivec0);
-$code.=<<___;
-	st1	{$ivec0.4s},[$outp],#16
-	b	1b
-2:
-	// save back IV
-	st1	{$ivec0.4s},[$ivp]
-	ret
-
-.Ldec:
-	// decryption mode starts
-	AARCH64_SIGN_LINK_REGISTER
-	stp	d8,d9,[sp,#-80]!
-	stp	d10,d11,[sp,#16]
-	stp	d12,d13,[sp,#32]
-	stp	d14,d15,[sp,#48]
-	stp	x29,x30,[sp,#64]
-.Lcbc_8_blocks_dec:
-	cmp	$blocks,#8
-	b.lt	1f
-	ld4	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp]
-	add	$ptr,$inp,#64
-	ld4	{@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$ptr]
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],$data[3]);
-	&rev32(@datax[0],@datax[0]);
-	&rev32(@datax[1],@datax[1]);
-	&rev32(@datax[2],@datax[2]);
-	&rev32(@datax[3],$datax[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_8blks
-___
-	&transpose(@vtmp,@datax);
-	&transpose(@data,@datax);
-$code.=<<___;
-	ld1	{$ivec1.4s},[$ivp]
-	ld1	{@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64
-	// note ivec1 and vtmpx[3] are resuing the same register
-	// care needs to be taken to avoid conflict
-	eor	@vtmp[0].16b,@vtmp[0].16b,$ivec1.16b
-	ld1	{@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64
-	eor	@vtmp[1].16b,@vtmp[1].16b,@datax[0].16b
-	eor	@vtmp[2].16b,@vtmp[2].16b,@datax[1].16b
-	eor	@vtmp[3].16b,$vtmp[3].16b,@datax[2].16b
-	// save back IV
-	st1	{$vtmpx[3].4s}, [$ivp]
-	eor	@data[0].16b,@data[0].16b,$datax[3].16b
-	eor	@data[1].16b,@data[1].16b,@vtmpx[0].16b
-	eor	@data[2].16b,@data[2].16b,@vtmpx[1].16b
-	eor	@data[3].16b,$data[3].16b,@vtmpx[2].16b
-	st1	{@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-	st1	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64
-	subs	$blocks,$blocks,#8
-	b.gt	.Lcbc_8_blocks_dec
-	b.eq	100f
-1:
-	ld1	{$ivec1.4s},[$ivp]
-.Lcbc_4_blocks_dec:
-	cmp	$blocks,#4
-	b.lt	1f
-	ld4	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp]
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],$data[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_4blks
-	ld1	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$inp],#64
-___
-	&transpose(@vtmp,@datax);
-$code.=<<___;
-	eor	@vtmp[0].16b,@vtmp[0].16b,$ivec1.16b
-	eor	@vtmp[1].16b,@vtmp[1].16b,@data[0].16b
-	orr	$ivec1.16b,@data[3].16b,@data[3].16b
-	eor	@vtmp[2].16b,@vtmp[2].16b,@data[1].16b
-	eor	@vtmp[3].16b,$vtmp[3].16b,@data[2].16b
-	st1	{@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-	subs	$blocks,$blocks,#4
-	b.gt	.Lcbc_4_blocks_dec
-	// save back IV
-	st1	{@data[3].4s}, [$ivp]
-	b	100f
-1:	// last block
-	subs	$blocks,$blocks,#1
-	b.lt	100f
-	b.gt	1f
-	ld1	{@data[0].4s},[$inp],#16
-	// save back IV
-	st1	{$data[0].4s}, [$ivp]
-___
-	&rev32(@datax[0],@data[0]);
-	&encrypt_1blk(@datax[0]);
-$code.=<<___;
-	eor	@datax[0].16b,@datax[0].16b,$ivec1.16b
-	st1	{@datax[0].4s},[$outp],#16
-	b	100f
-1:	// last two blocks
-	ld4	{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[0],[$inp]
-	add	$ptr,$inp,#16
-	ld4	{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[1],[$ptr],#16
-	subs	$blocks,$blocks,1
-	b.gt	1f
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_4blks
-	ld1	{@data[0].4s,@data[1].4s},[$inp],#32
-___
-	&transpose(@vtmp,@datax);
-$code.=<<___;
-	eor	@vtmp[0].16b,@vtmp[0].16b,$ivec1.16b
-	eor	@vtmp[1].16b,@vtmp[1].16b,@data[0].16b
-	st1	{@vtmp[0].4s,@vtmp[1].4s},[$outp],#32
-	// save back IV
-	st1	{@data[1].4s}, [$ivp]
-	b	100f
-1:	// last 3 blocks
-	ld4	{@data[0].s,@data[1].s,@data[2].s,@data[3].s}[2],[$ptr]
-___
-	&rev32(@data[0],@data[0]);
-	&rev32(@data[1],@data[1]);
-	&rev32(@data[2],@data[2]);
-	&rev32(@data[3],@data[3]);
-$code.=<<___;
-	bl	_vpsm4_enc_4blks
-	ld1	{@data[0].4s,@data[1].4s,@data[2].4s},[$inp],#48
-___
-	&transpose(@vtmp,@datax);
-$code.=<<___;
-	eor	@vtmp[0].16b,@vtmp[0].16b,$ivec1.16b
-	eor	@vtmp[1].16b,@vtmp[1].16b,@data[0].16b
-	eor	@vtmp[2].16b,@vtmp[2].16b,@data[1].16b
-	st1	{@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s},[$outp],#48
-	// save back IV
-	st1	{@data[2].4s}, [$ivp]
-100:
-	ldp	d10,d11,[sp,#16]
-	ldp	d12,d13,[sp,#32]
-	ldp	d14,d15,[sp,#48]
-	ldp	x29,x30,[sp,#64]
-	ldp	d8,d9,[sp],#80
-	AARCH64_VALIDATE_LINK_REGISTER
-	ret
-.size	${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
-___
-}}}
-
-{{{
-my ($ivp)=("x4");
-my ($ctr)=("w5");
-my $ivec=("v3");
-
-$code.=<<___;
-.globl	${prefix}_ctr32_encrypt_blocks
-.type	${prefix}_ctr32_encrypt_blocks,%function
-.align	5
-${prefix}_ctr32_encrypt_blocks:
-	AARCH64_VALID_CALL_TARGET
-	ld1	{$ivec.4s},[$ivp]
-___
-	&rev32($ivec,$ivec);
-	&load_sbox();
-$code.=<<___;
-	cmp	$blocks,#1
-	b.ne	1f
-	// fast processing for one single block without
-	// context saving overhead
-___
-	&encrypt_1blk($ivec);
-$code.=<<___;
-	ld1	{@data[0].4s},[$inp]
-	eor	@data[0].16b,@data[0].16b,$ivec.16b
-	st1	{@data[0].4s},[$outp]
-	ret
-1:
-	AARCH64_SIGN_LINK_REGISTER
-	stp	d8,d9,[sp,#-80]!
-	stp	d10,d11,[sp,#16]
-	stp	d12,d13,[sp,#32]
-	stp	d14,d15,[sp,#48]
-	stp	x29,x30,[sp,#64]
-	mov	$word0,$ivec.s[0]
-	mov	$word1,$ivec.s[1]
-	mov	$word2,$ivec.s[2]
-	mov	$ctr,$ivec.s[3]
-.Lctr32_4_blocks_process:
-	cmp	$blocks,#4
-	b.lt	1f
-	dup	@data[0].4s,$word0
-	dup	@data[1].4s,$word1
-	dup	@data[2].4s,$word2
-	mov	@data[3].s[0],$ctr
-	add	$ctr,$ctr,#1
-	mov	$data[3].s[1],$ctr
-	add	$ctr,$ctr,#1
-	mov	@data[3].s[2],$ctr
-	add	$ctr,$ctr,#1
-	mov	@data[3].s[3],$ctr
-	add	$ctr,$ctr,#1
-	cmp	$blocks,#8
-	b.ge	.Lctr32_8_blocks_process
-	bl	_vpsm4_enc_4blks
-	ld4	{@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64
-	eor	@vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b
-	eor	@vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b
-	eor	@vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b
-	eor	@vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b
-	st4	{@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-	subs	$blocks,$blocks,#4
-	b.ne	.Lctr32_4_blocks_process
-	b	100f
-.Lctr32_8_blocks_process:
-	dup	@datax[0].4s,$word0
-	dup	@datax[1].4s,$word1
-	dup	@datax[2].4s,$word2
-	mov	@datax[3].s[0],$ctr
-	add	$ctr,$ctr,#1
-	mov	$datax[3].s[1],$ctr
-	add	$ctr,$ctr,#1
-	mov	@datax[3].s[2],$ctr
-	add	$ctr,$ctr,#1
-	mov	@datax[3].s[3],$ctr
-	add	$ctr,$ctr,#1
-	bl	_vpsm4_enc_8blks
-	ld4	{@vtmpx[0].4s,@vtmpx[1].4s,@vtmpx[2].4s,@vtmpx[3].4s},[$inp],#64
-	ld4	{@datax[0].4s,@datax[1].4s,@datax[2].4s,@datax[3].4s},[$inp],#64
-	eor	@vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b
-	eor	@vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b
-	eor	@vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b
-	eor	@vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b
-	eor	@data[0].16b,@data[0].16b,@datax[0].16b
-	eor	@data[1].16b,@data[1].16b,@datax[1].16b
-	eor	@data[2].16b,@data[2].16b,@datax[2].16b
-	eor	@data[3].16b,@data[3].16b,@datax[3].16b
-	st4	{@vtmp[0].4s,@vtmp[1].4s,@vtmp[2].4s,@vtmp[3].4s},[$outp],#64
-	st4	{@data[0].4s,@data[1].4s,@data[2].4s,@data[3].4s},[$outp],#64
-	subs	$blocks,$blocks,#8
-	b.ne	.Lctr32_4_blocks_process
-	b	100f
-1:	// last block processing
-	subs	$blocks,$blocks,#1
-	b.lt	100f
-	b.gt	1f
-	mov	$ivec.s[0],$word0
-	mov	$ivec.s[1],$word1
-	mov	$ivec.s[2],$word2
-	mov	$ivec.s[3],$ctr
-___
-	&encrypt_1blk($ivec);
-$code.=<<___;
-	ld1	{@data[0].4s},[$inp]
-	eor	@data[0].16b,@data[0].16b,$ivec.16b
-	st1	{@data[0].4s},[$outp]
-	b	100f
-1:	// last 2 blocks processing
-	dup	@data[0].4s,$word0
-	dup	@data[1].4s,$word1
-	dup	@data[2].4s,$word2
-	mov	@data[3].s[0],$ctr
-	add	$ctr,$ctr,#1
-	mov	@data[3].s[1],$ctr
-	subs	$blocks,$blocks,#1
-	b.ne	1f
-	bl	_vpsm4_enc_4blks
-	ld4	{@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16
-	ld4	{@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16
-	eor	@vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b
-	eor	@vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b
-	eor	@vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b
-	eor	@vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b
-	st4	{@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16
-	st4	{@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16
-	b	100f
-1:	// last 3 blocks processing
-	add	$ctr,$ctr,#1
-	mov	@data[3].s[2],$ctr
-	bl	_vpsm4_enc_4blks
-	ld4	{@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[0],[$inp],#16
-	ld4	{@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[1],[$inp],#16
-	ld4	{@vtmpx[0].s,@vtmpx[1].s,@vtmpx[2].s,@vtmpx[3].s}[2],[$inp],#16
-	eor	@vtmp[0].16b,@vtmp[0].16b,@vtmpx[0].16b
-	eor	@vtmp[1].16b,@vtmp[1].16b,@vtmpx[1].16b
-	eor	@vtmp[2].16b,@vtmp[2].16b,@vtmpx[2].16b
-	eor	@vtmp[3].16b,@vtmp[3].16b,@vtmpx[3].16b
-	st4	{@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[0],[$outp],#16
-	st4	{@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[1],[$outp],#16
-	st4	{@vtmp[0].s,@vtmp[1].s,@vtmp[2].s,@vtmp[3].s}[2],[$outp],#16
-100:
-	ldp	d10,d11,[sp,#16]
-	ldp	d12,d13,[sp,#32]
-	ldp	d14,d15,[sp,#48]
-	ldp	x29,x30,[sp,#64]
-	ldp	d8,d9,[sp],#80
-	AARCH64_VALIDATE_LINK_REGISTER
-	ret
-.size	${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
-___
-}}}
-########################################
-open SELF,$0;
-while(<SELF>) {
-        next if (/^#!/);
-        last if (!s/^#/\/\// and !/^$/);
-        print;
-}
-close SELF;
-
-foreach(split("\n",$code)) {
-	s/\`([^\`]*)\`/eval($1)/ge;
-	print $_,"\n";
-}
-
-close STDOUT or die "error closing STDOUT: $!";

+ 0 - 27
libs/openssl/crypto/threads_lib.c

@@ -1,27 +0,0 @@
-/*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-#include <openssl/crypto.h>
-
-#ifdef OPENSSL_SYS_UNIX
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-
-void OPENSSL_fork_prepare(void)
-{
-}
-
-void OPENSSL_fork_parent(void)
-{
-}
-
-void OPENSSL_fork_child(void)
-{
-}
-
-# endif
-#endif

+ 0 - 964
libs/openssl/include/crypto/asn1.h.in

@@ -1,964 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_ASN1_H
-# define OPENSSL_ASN1_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_ASN1_H
-# endif
-
-# ifndef OPENSSL_NO_STDIO
-#  include <stdio.h>
-# endif
-# include <time.h>
-# include <openssl/e_os2.h>
-# include <openssl/opensslconf.h>
-# include <openssl/bio.h>
-# include <openssl/safestack.h>
-# include <openssl/asn1err.h>
-# include <openssl/symhacks.h>
-
-# include <openssl/types.h>
-# include <openssl/bn.h>
-
-# ifdef OPENSSL_BUILD_SHLIBCRYPTO
-#  undef OPENSSL_EXTERN
-#  define OPENSSL_EXTERN OPENSSL_EXPORT
-# endif
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-# define V_ASN1_UNIVERSAL                0x00
-# define V_ASN1_APPLICATION              0x40
-# define V_ASN1_CONTEXT_SPECIFIC         0x80
-# define V_ASN1_PRIVATE                  0xc0
-
-# define V_ASN1_CONSTRUCTED              0x20
-# define V_ASN1_PRIMITIVE_TAG            0x1f
-# define V_ASN1_PRIMATIVE_TAG /*compat*/ V_ASN1_PRIMITIVE_TAG
-
-# define V_ASN1_APP_CHOOSE               -2/* let the recipient choose */
-# define V_ASN1_OTHER                    -3/* used in ASN1_TYPE */
-# define V_ASN1_ANY                      -4/* used in ASN1 template code */
-
-# define V_ASN1_UNDEF                    -1
-/* ASN.1 tag values */
-# define V_ASN1_EOC                      0
-# define V_ASN1_BOOLEAN                  1 /**/
-# define V_ASN1_INTEGER                  2
-# define V_ASN1_BIT_STRING               3
-# define V_ASN1_OCTET_STRING             4
-# define V_ASN1_NULL                     5
-# define V_ASN1_OBJECT                   6
-# define V_ASN1_OBJECT_DESCRIPTOR        7
-# define V_ASN1_EXTERNAL                 8
-# define V_ASN1_REAL                     9
-# define V_ASN1_ENUMERATED               10
-# define V_ASN1_UTF8STRING               12
-# define V_ASN1_SEQUENCE                 16
-# define V_ASN1_SET                      17
-# define V_ASN1_NUMERICSTRING            18 /**/
-# define V_ASN1_PRINTABLESTRING          19
-# define V_ASN1_T61STRING                20
-# define V_ASN1_TELETEXSTRING            20/* alias */
-# define V_ASN1_VIDEOTEXSTRING           21 /**/
-# define V_ASN1_IA5STRING                22
-# define V_ASN1_UTCTIME                  23
-# define V_ASN1_GENERALIZEDTIME          24 /**/
-# define V_ASN1_GRAPHICSTRING            25 /**/
-# define V_ASN1_ISO64STRING              26 /**/
-# define V_ASN1_VISIBLESTRING            26/* alias */
-# define V_ASN1_GENERALSTRING            27 /**/
-# define V_ASN1_UNIVERSALSTRING          28 /**/
-# define V_ASN1_BMPSTRING                30
-
-/*
- * NB the constants below are used internally by ASN1_INTEGER
- * and ASN1_ENUMERATED to indicate the sign. They are *not* on
- * the wire tag values.
- */
-
-# define V_ASN1_NEG                      0x100
-# define V_ASN1_NEG_INTEGER              (2 | V_ASN1_NEG)
-# define V_ASN1_NEG_ENUMERATED           (10 | V_ASN1_NEG)
-
-/* For use with d2i_ASN1_type_bytes() */
-# define B_ASN1_NUMERICSTRING    0x0001
-# define B_ASN1_PRINTABLESTRING  0x0002
-# define B_ASN1_T61STRING        0x0004
-# define B_ASN1_TELETEXSTRING    0x0004
-# define B_ASN1_VIDEOTEXSTRING   0x0008
-# define B_ASN1_IA5STRING        0x0010
-# define B_ASN1_GRAPHICSTRING    0x0020
-# define B_ASN1_ISO64STRING      0x0040
-# define B_ASN1_VISIBLESTRING    0x0040
-# define B_ASN1_GENERALSTRING    0x0080
-# define B_ASN1_UNIVERSALSTRING  0x0100
-# define B_ASN1_OCTET_STRING     0x0200
-# define B_ASN1_BIT_STRING       0x0400
-# define B_ASN1_BMPSTRING        0x0800
-# define B_ASN1_UNKNOWN          0x1000
-# define B_ASN1_UTF8STRING       0x2000
-# define B_ASN1_UTCTIME          0x4000
-# define B_ASN1_GENERALIZEDTIME  0x8000
-# define B_ASN1_SEQUENCE         0x10000
-/* For use with ASN1_mbstring_copy() */
-# define MBSTRING_FLAG           0x1000
-# define MBSTRING_UTF8           (MBSTRING_FLAG)
-# define MBSTRING_ASC            (MBSTRING_FLAG|1)
-# define MBSTRING_BMP            (MBSTRING_FLAG|2)
-# define MBSTRING_UNIV           (MBSTRING_FLAG|4)
-# define SMIME_OLDMIME           0x400
-# define SMIME_CRLFEOL           0x800
-# define SMIME_STREAM            0x1000
-
-/* Stacks for types not otherwise defined in this header */
-{-
-    generate_stack_macros("X509_ALGOR");
--}
-
-
-# define ASN1_STRING_FLAG_BITS_LEFT 0x08/* Set if 0x07 has bits left value */
-/*
- * This indicates that the ASN1_STRING is not a real value but just a place
- * holder for the location where indefinite length constructed data should be
- * inserted in the memory buffer
- */
-# define ASN1_STRING_FLAG_NDEF 0x010
-
-/*
- * This flag is used by the CMS code to indicate that a string is not
- * complete and is a place holder for content when it had all been accessed.
- * The flag will be reset when content has been written to it.
- */
-
-# define ASN1_STRING_FLAG_CONT 0x020
-/*
- * This flag is used by ASN1 code to indicate an ASN1_STRING is an MSTRING
- * type.
- */
-# define ASN1_STRING_FLAG_MSTRING 0x040
-/* String is embedded and only content should be freed */
-# define ASN1_STRING_FLAG_EMBED 0x080
-/* String should be parsed in RFC 5280's time format */
-# define ASN1_STRING_FLAG_X509_TIME 0x100
-/* This is the base type that holds just about everything :-) */
-struct asn1_string_st {
-    int length;
-    int type;
-    unsigned char *data;
-    /*
-     * The value of the following field depends on the type being held.  It
-     * is mostly being used for BIT_STRING so if the input data has a
-     * non-zero 'unused bits' value, it will be handled correctly
-     */
-    long flags;
-};
-
-/*
- * ASN1_ENCODING structure: this is used to save the received encoding of an
- * ASN1 type. This is useful to get round problems with invalid encodings
- * which can break signatures.
- */
-
-typedef struct ASN1_ENCODING_st {
-    unsigned char *enc;         /* DER encoding */
-    long len;                   /* Length of encoding */
-    int modified;               /* set to 1 if 'enc' is invalid */
-} ASN1_ENCODING;
-
-/* Used with ASN1 LONG type: if a long is set to this it is omitted */
-# define ASN1_LONG_UNDEF 0x7fffffffL
-
-# define STABLE_FLAGS_MALLOC     0x01
-/*
- * A zero passed to ASN1_STRING_TABLE_new_add for the flags is interpreted
- * as "don't change" and STABLE_FLAGS_MALLOC is always set. By setting
- * STABLE_FLAGS_MALLOC only we can clear the existing value. Use the alias
- * STABLE_FLAGS_CLEAR to reflect this.
- */
-# define STABLE_FLAGS_CLEAR      STABLE_FLAGS_MALLOC
-# define STABLE_NO_MASK          0x02
-# define DIRSTRING_TYPE  \
- (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING)
-# define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING)
-
-struct asn1_string_table_st {
-    int nid;
-    long minsize;
-    long maxsize;
-    unsigned long mask;
-    unsigned long flags;
-};
-
-{-
-    generate_stack_macros("ASN1_STRING_TABLE");
--}
-
-/* size limits: this stuff is taken straight from RFC2459 */
-
-# define ub_name                         32768
-# define ub_common_name                  64
-# define ub_locality_name                128
-# define ub_state_name                   128
-# define ub_organization_name            64
-# define ub_organization_unit_name       64
-# define ub_title                        64
-# define ub_email_address                128
-
-/*
- * Declarations for template structures: for full definitions see asn1t.h
- */
-typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE;
-typedef struct ASN1_TLC_st ASN1_TLC;
-/* This is just an opaque pointer */
-typedef struct ASN1_VALUE_st ASN1_VALUE;
-
-/* Declare ASN1 functions: the implement macro in in asn1t.h */
-
-/*
- * The mysterious 'extern' that's passed to some macros is innocuous,
- * and is there to quiet pre-C99 compilers that may complain about empty
- * arguments in macro calls.
- */
-
-# define DECLARE_ASN1_FUNCTIONS_attr(attr, type)                            \
-    DECLARE_ASN1_FUNCTIONS_name_attr(attr, type, type)
-# define DECLARE_ASN1_FUNCTIONS(type)                                       \
-    DECLARE_ASN1_FUNCTIONS_attr(extern, type)
-
-# define DECLARE_ASN1_ALLOC_FUNCTIONS_attr(attr, type)                      \
-    DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, type)
-# define DECLARE_ASN1_ALLOC_FUNCTIONS(type)                                 \
-    DECLARE_ASN1_ALLOC_FUNCTIONS_attr(extern, type)
-
-# define DECLARE_ASN1_FUNCTIONS_name_attr(attr, type, name)                 \
-    DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, name)                \
-    DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(attr, type, name)
-# define DECLARE_ASN1_FUNCTIONS_name(type, name)                            \
-    DECLARE_ASN1_FUNCTIONS_name_attr(extern, type, name)
-
-# define DECLARE_ASN1_ENCODE_FUNCTIONS_attr(attr, type, itname, name)       \
-    DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(attr, type, name)               \
-    DECLARE_ASN1_ITEM_attr(attr, itname)
-# define DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name)                  \
-    DECLARE_ASN1_ENCODE_FUNCTIONS_attr(extern, type, itname, name)
-
-# define DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(attr, type, name)          \
-    DECLARE_ASN1_ENCODE_FUNCTIONS_attr(attr, type, name, name)
-# define DECLARE_ASN1_ENCODE_FUNCTIONS_name(type, name) \
-    DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(extern, type, name)
-
-# define DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(attr, type, name)          \
-    attr type *d2i_##name(type **a, const unsigned char **in, long len);    \
-    attr int i2d_##name(const type *a, unsigned char **out);
-# define DECLARE_ASN1_ENCODE_FUNCTIONS_only(type, name)                     \
-    DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(extern, type, name)
-
-# define DECLARE_ASN1_NDEF_FUNCTION_attr(attr, name)                        \
-    attr int i2d_##name##_NDEF(const name *a, unsigned char **out);
-# define DECLARE_ASN1_NDEF_FUNCTION(name)                                   \
-    DECLARE_ASN1_NDEF_FUNCTION_attr(extern, name)
-
-# define DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(attr, type, name)           \
-    attr type *name##_new(void);                                            \
-    attr void name##_free(type *a);
-# define DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name)                      \
-    DECLARE_ASN1_ALLOC_FUNCTIONS_name_attr(extern, type, name)
-
-# define DECLARE_ASN1_DUP_FUNCTION_attr(attr, type)                         \
-    DECLARE_ASN1_DUP_FUNCTION_name_attr(attr, type, type)
-# define DECLARE_ASN1_DUP_FUNCTION(type)                                    \
-    DECLARE_ASN1_DUP_FUNCTION_attr(extern, type)
-
-# define DECLARE_ASN1_DUP_FUNCTION_name_attr(attr, type, name)              \
-    attr type *name##_dup(const type *a);
-# define DECLARE_ASN1_DUP_FUNCTION_name(type, name)                         \
-    DECLARE_ASN1_DUP_FUNCTION_name_attr(extern, type, name)
-
-# define DECLARE_ASN1_PRINT_FUNCTION_attr(attr, stname)                     \
-    DECLARE_ASN1_PRINT_FUNCTION_fname_attr(attr, stname, stname)
-# define DECLARE_ASN1_PRINT_FUNCTION(stname)                                \
-    DECLARE_ASN1_PRINT_FUNCTION_attr(extern, stname)
-
-# define DECLARE_ASN1_PRINT_FUNCTION_fname_attr(attr, stname, fname)        \
-    attr int fname##_print_ctx(BIO *out, const stname *x, int indent,       \
-                               const ASN1_PCTX *pctx);
-# define DECLARE_ASN1_PRINT_FUNCTION_fname(stname, fname)                   \
-    DECLARE_ASN1_PRINT_FUNCTION_fname_attr(extern, stname, fname)
-
-# define D2I_OF(type) type *(*)(type **,const unsigned char **,long)
-# define I2D_OF(type) int (*)(const type *,unsigned char **)
-
-# define CHECKED_D2I_OF(type, d2i) \
-    ((d2i_of_void*) (1 ? d2i : ((D2I_OF(type))0)))
-# define CHECKED_I2D_OF(type, i2d) \
-    ((i2d_of_void*) (1 ? i2d : ((I2D_OF(type))0)))
-# define CHECKED_NEW_OF(type, xnew) \
-    ((void *(*)(void)) (1 ? xnew : ((type *(*)(void))0)))
-# define CHECKED_PTR_OF(type, p) \
-    ((void*) (1 ? p : (type*)0))
-# define CHECKED_PPTR_OF(type, p) \
-    ((void**) (1 ? p : (type**)0))
-
-# define TYPEDEF_D2I_OF(type) typedef type *d2i_of_##type(type **,const unsigned char **,long)
-# define TYPEDEF_I2D_OF(type) typedef int i2d_of_##type(const type *,unsigned char **)
-# define TYPEDEF_D2I2D_OF(type) TYPEDEF_D2I_OF(type); TYPEDEF_I2D_OF(type)
-
-typedef void *d2i_of_void(void **, const unsigned char **, long);
-typedef int i2d_of_void(const void *, unsigned char **);
-
-/*-
- * The following macros and typedefs allow an ASN1_ITEM
- * to be embedded in a structure and referenced. Since
- * the ASN1_ITEM pointers need to be globally accessible
- * (possibly from shared libraries) they may exist in
- * different forms. On platforms that support it the
- * ASN1_ITEM structure itself will be globally exported.
- * Other platforms will export a function that returns
- * an ASN1_ITEM pointer.
- *
- * To handle both cases transparently the macros below
- * should be used instead of hard coding an ASN1_ITEM
- * pointer in a structure.
- *
- * The structure will look like this:
- *
- * typedef struct SOMETHING_st {
- *      ...
- *      ASN1_ITEM_EXP *iptr;
- *      ...
- * } SOMETHING;
- *
- * It would be initialised as e.g.:
- *
- * SOMETHING somevar = {...,ASN1_ITEM_ref(X509),...};
- *
- * and the actual pointer extracted with:
- *
- * const ASN1_ITEM *it = ASN1_ITEM_ptr(somevar.iptr);
- *
- * Finally an ASN1_ITEM pointer can be extracted from an
- * appropriate reference with: ASN1_ITEM_rptr(X509). This
- * would be used when a function takes an ASN1_ITEM * argument.
- *
- */
-
-
-/*
- * Platforms that can't easily handle shared global variables are declared as
- * functions returning ASN1_ITEM pointers.
- */
-
-/* ASN1_ITEM pointer exported type */
-typedef const ASN1_ITEM *ASN1_ITEM_EXP (void);
-
-/* Macro to obtain ASN1_ITEM pointer from exported type */
-# define ASN1_ITEM_ptr(iptr) (iptr())
-
-/* Macro to include ASN1_ITEM pointer from base type */
-# define ASN1_ITEM_ref(iptr) (iptr##_it)
-
-# define ASN1_ITEM_rptr(ref) (ref##_it())
-
-# define DECLARE_ASN1_ITEM_attr(attr, name)                                 \
-    attr const ASN1_ITEM * name##_it(void);
-# define DECLARE_ASN1_ITEM(name)                                            \
-    DECLARE_ASN1_ITEM_attr(extern, name)
-
-/* Parameters used by ASN1_STRING_print_ex() */
-
-/*
- * These determine which characters to escape: RFC2253 special characters,
- * control characters and MSB set characters
- */
-
-# define ASN1_STRFLGS_ESC_2253           1
-# define ASN1_STRFLGS_ESC_CTRL           2
-# define ASN1_STRFLGS_ESC_MSB            4
-
-/* Lower 8 bits are reserved as an output type specifier */
-# define ASN1_DTFLGS_TYPE_MASK    0x0FUL
-# define ASN1_DTFLGS_RFC822       0x00UL
-# define ASN1_DTFLGS_ISO8601      0x01UL
-
-/*
- * This flag determines how we do escaping: normally RC2253 backslash only,
- * set this to use backslash and quote.
- */
-
-# define ASN1_STRFLGS_ESC_QUOTE          8
-
-/* These three flags are internal use only. */
-
-/* Character is a valid PrintableString character */
-# define CHARTYPE_PRINTABLESTRING        0x10
-/* Character needs escaping if it is the first character */
-# define CHARTYPE_FIRST_ESC_2253         0x20
-/* Character needs escaping if it is the last character */
-# define CHARTYPE_LAST_ESC_2253          0x40
-
-/*
- * NB the internal flags are safely reused below by flags handled at the top
- * level.
- */
-
-/*
- * If this is set we convert all character strings to UTF8 first
- */
-
-# define ASN1_STRFLGS_UTF8_CONVERT       0x10
-
-/*
- * If this is set we don't attempt to interpret content: just assume all
- * strings are 1 byte per character. This will produce some pretty odd
- * looking output!
- */
-
-# define ASN1_STRFLGS_IGNORE_TYPE        0x20
-
-/* If this is set we include the string type in the output */
-# define ASN1_STRFLGS_SHOW_TYPE          0x40
-
-/*
- * This determines which strings to display and which to 'dump' (hex dump of
- * content octets or DER encoding). We can only dump non character strings or
- * everything. If we don't dump 'unknown' they are interpreted as character
- * strings with 1 octet per character and are subject to the usual escaping
- * options.
- */
-
-# define ASN1_STRFLGS_DUMP_ALL           0x80
-# define ASN1_STRFLGS_DUMP_UNKNOWN       0x100
-
-/*
- * These determine what 'dumping' does, we can dump the content octets or the
- * DER encoding: both use the RFC2253 #XXXXX notation.
- */
-
-# define ASN1_STRFLGS_DUMP_DER           0x200
-
-/*
- * This flag specifies that RC2254 escaping shall be performed.
- */
-#define ASN1_STRFLGS_ESC_2254           0x400
-
-/*
- * All the string flags consistent with RFC2253, escaping control characters
- * isn't essential in RFC2253 but it is advisable anyway.
- */
-
-# define ASN1_STRFLGS_RFC2253    (ASN1_STRFLGS_ESC_2253 | \
-                                ASN1_STRFLGS_ESC_CTRL | \
-                                ASN1_STRFLGS_ESC_MSB | \
-                                ASN1_STRFLGS_UTF8_CONVERT | \
-                                ASN1_STRFLGS_DUMP_UNKNOWN | \
-                                ASN1_STRFLGS_DUMP_DER)
-
-
-struct asn1_type_st {
-    int type;
-    union {
-        char *ptr;
-        ASN1_BOOLEAN boolean;
-        ASN1_STRING *asn1_string;
-        ASN1_OBJECT *object;
-        ASN1_INTEGER *integer;
-        ASN1_ENUMERATED *enumerated;
-        ASN1_BIT_STRING *bit_string;
-        ASN1_OCTET_STRING *octet_string;
-        ASN1_PRINTABLESTRING *printablestring;
-        ASN1_T61STRING *t61string;
-        ASN1_IA5STRING *ia5string;
-        ASN1_GENERALSTRING *generalstring;
-        ASN1_BMPSTRING *bmpstring;
-        ASN1_UNIVERSALSTRING *universalstring;
-        ASN1_UTCTIME *utctime;
-        ASN1_GENERALIZEDTIME *generalizedtime;
-        ASN1_VISIBLESTRING *visiblestring;
-        ASN1_UTF8STRING *utf8string;
-        /*
-         * set and sequence are left complete and still contain the set or
-         * sequence bytes
-         */
-        ASN1_STRING *set;
-        ASN1_STRING *sequence;
-        ASN1_VALUE *asn1_value;
-    } value;
-};
-
-{-
-    generate_stack_macros("ASN1_TYPE");
--}
-
-typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY;
-
-DECLARE_ASN1_ENCODE_FUNCTIONS_name(ASN1_SEQUENCE_ANY, ASN1_SEQUENCE_ANY)
-DECLARE_ASN1_ENCODE_FUNCTIONS_name(ASN1_SEQUENCE_ANY, ASN1_SET_ANY)
-
-/* This is used to contain a list of bit names */
-typedef struct BIT_STRING_BITNAME_st {
-    int bitnum;
-    const char *lname;
-    const char *sname;
-} BIT_STRING_BITNAME;
-
-# define B_ASN1_TIME \
-                        B_ASN1_UTCTIME | \
-                        B_ASN1_GENERALIZEDTIME
-
-# define B_ASN1_PRINTABLE \
-                        B_ASN1_NUMERICSTRING| \
-                        B_ASN1_PRINTABLESTRING| \
-                        B_ASN1_T61STRING| \
-                        B_ASN1_IA5STRING| \
-                        B_ASN1_BIT_STRING| \
-                        B_ASN1_UNIVERSALSTRING|\
-                        B_ASN1_BMPSTRING|\
-                        B_ASN1_UTF8STRING|\
-                        B_ASN1_SEQUENCE|\
-                        B_ASN1_UNKNOWN
-
-# define B_ASN1_DIRECTORYSTRING \
-                        B_ASN1_PRINTABLESTRING| \
-                        B_ASN1_TELETEXSTRING|\
-                        B_ASN1_BMPSTRING|\
-                        B_ASN1_UNIVERSALSTRING|\
-                        B_ASN1_UTF8STRING
-
-# define B_ASN1_DISPLAYTEXT \
-                        B_ASN1_IA5STRING| \
-                        B_ASN1_VISIBLESTRING| \
-                        B_ASN1_BMPSTRING|\
-                        B_ASN1_UTF8STRING
-
-DECLARE_ASN1_ALLOC_FUNCTIONS_name(ASN1_TYPE, ASN1_TYPE)
-DECLARE_ASN1_ENCODE_FUNCTIONS(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
-
-int ASN1_TYPE_get(const ASN1_TYPE *a);
-void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
-int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
-int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
-
-ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t);
-void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t);
-
-{-
-    generate_stack_macros("ASN1_OBJECT");
--}
-
-DECLARE_ASN1_FUNCTIONS(ASN1_OBJECT)
-
-ASN1_STRING *ASN1_STRING_new(void);
-void ASN1_STRING_free(ASN1_STRING *a);
-void ASN1_STRING_clear_free(ASN1_STRING *a);
-int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str);
-DECLARE_ASN1_DUP_FUNCTION(ASN1_STRING)
-ASN1_STRING *ASN1_STRING_type_new(int type);
-int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b);
-  /*
-   * Since this is used to store all sorts of things, via macros, for now,
-   * make its data void *
-   */
-int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
-void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len);
-int ASN1_STRING_length(const ASN1_STRING *x);
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0 void ASN1_STRING_length_set(ASN1_STRING *x, int n);
-# endif
-int ASN1_STRING_type(const ASN1_STRING *x);
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 unsigned char *ASN1_STRING_data(ASN1_STRING *x);
-# endif
-const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x);
-
-DECLARE_ASN1_FUNCTIONS(ASN1_BIT_STRING)
-int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int length);
-int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value);
-int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n);
-int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a,
-                          const unsigned char *flags, int flags_len);
-
-int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs,
-                               BIT_STRING_BITNAME *tbl, int indent);
-int ASN1_BIT_STRING_num_asc(const char *name, BIT_STRING_BITNAME *tbl);
-int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, const char *name, int value,
-                            BIT_STRING_BITNAME *tbl);
-
-{-
-    generate_stack_macros("ASN1_INTEGER");
--}
-
-
-DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER)
-ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
-                                long length);
-DECLARE_ASN1_DUP_FUNCTION(ASN1_INTEGER)
-int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y);
-
-DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED)
-
-int ASN1_UTCTIME_check(const ASN1_UTCTIME *a);
-ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t);
-ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
-                               int offset_day, long offset_sec);
-int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str);
-int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
-
-int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a);
-ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
-                                               time_t t);
-ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
-                                               time_t t, int offset_day,
-                                               long offset_sec);
-int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str);
-
-int ASN1_TIME_diff(int *pday, int *psec,
-                   const ASN1_TIME *from, const ASN1_TIME *to);
-
-DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
-DECLARE_ASN1_DUP_FUNCTION(ASN1_OCTET_STRING)
-int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a,
-                          const ASN1_OCTET_STRING *b);
-int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data,
-                          int len);
-
-{-
-    generate_stack_macros("ASN1_UTF8STRING");
--}
-
-DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING)
-DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING)
-DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING)
-DECLARE_ASN1_FUNCTIONS(ASN1_NULL)
-DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING)
-
-int UTF8_getc(const unsigned char *str, int len, unsigned long *val);
-int UTF8_putc(unsigned char *str, int len, unsigned long value);
-
-{-
-    generate_stack_macros("ASN1_GENERALSTRING");
--}
-
-DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE)
-
-DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING)
-DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT)
-DECLARE_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING)
-DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING)
-DECLARE_ASN1_FUNCTIONS(ASN1_IA5STRING)
-DECLARE_ASN1_FUNCTIONS(ASN1_GENERALSTRING)
-DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME)
-DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
-DECLARE_ASN1_FUNCTIONS(ASN1_TIME)
-
-DECLARE_ASN1_DUP_FUNCTION(ASN1_TIME)
-DECLARE_ASN1_DUP_FUNCTION(ASN1_UTCTIME)
-DECLARE_ASN1_DUP_FUNCTION(ASN1_GENERALIZEDTIME)
-
-DECLARE_ASN1_ITEM(ASN1_OCTET_STRING_NDEF)
-
-ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
-ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t,
-                         int offset_day, long offset_sec);
-int ASN1_TIME_check(const ASN1_TIME *t);
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
-                                                   ASN1_GENERALIZEDTIME **out);
-int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
-int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str);
-int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm);
-int ASN1_TIME_normalize(ASN1_TIME *s);
-int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t);
-int ASN1_TIME_compare(const ASN1_TIME *a, const ASN1_TIME *b);
-
-int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a);
-int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size);
-int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a);
-int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size);
-int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a);
-int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size);
-int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type);
-int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a);
-
-int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num);
-ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len,
-                                const char *sn, const char *ln);
-
-int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a);
-int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r);
-int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a);
-int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r);
-
-int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
-long ASN1_INTEGER_get(const ASN1_INTEGER *a);
-ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai);
-BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn);
-
-int ASN1_ENUMERATED_get_int64(int64_t *pr, const ASN1_ENUMERATED *a);
-int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *a, int64_t r);
-
-
-int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
-long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a);
-ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai);
-BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn);
-
-/* General */
-/* given a string, return the correct type, max is the maximum length */
-int ASN1_PRINTABLE_type(const unsigned char *s, int max);
-
-unsigned long ASN1_tag2bit(int tag);
-
-/* SPECIALS */
-int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
-                    int *pclass, long omax);
-int ASN1_check_infinite_end(unsigned char **p, long len);
-int ASN1_const_check_infinite_end(const unsigned char **p, long len);
-void ASN1_put_object(unsigned char **pp, int constructed, int length,
-                     int tag, int xclass);
-int ASN1_put_eoc(unsigned char **pp);
-int ASN1_object_size(int constructed, int length, int tag);
-
-/* Used to implement other functions */
-void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, const void *x);
-
-# define ASN1_dup_of(type,i2d,d2i,x) \
-    ((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \
-                     CHECKED_D2I_OF(type, d2i), \
-                     CHECKED_PTR_OF(const type, x)))
-
-void *ASN1_item_dup(const ASN1_ITEM *it, const void *x);
-int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1,
-                      X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
-                      const void *data, const ASN1_OCTET_STRING *id,
-                      EVP_PKEY *pkey, const EVP_MD *md, OSSL_LIB_CTX *libctx,
-                      const char *propq);
-int ASN1_item_verify_ex(const ASN1_ITEM *it, const X509_ALGOR *alg,
-                        const ASN1_BIT_STRING *signature, const void *data,
-                        const ASN1_OCTET_STRING *id, EVP_PKEY *pkey,
-                        OSSL_LIB_CTX *libctx, const char *propq);
-
-/* ASN1 alloc/free macros for when a type is only used internally */
-
-# define M_ASN1_new_of(type) (type *)ASN1_item_new(ASN1_ITEM_rptr(type))
-# define M_ASN1_free_of(x, type) \
-                ASN1_item_free(CHECKED_PTR_OF(type, x), ASN1_ITEM_rptr(type))
-
-# ifndef OPENSSL_NO_STDIO
-void *ASN1_d2i_fp(void *(*xnew) (void), d2i_of_void *d2i, FILE *in, void **x);
-
-#  define ASN1_d2i_fp_of(type,xnew,d2i,in,x) \
-    ((type*)ASN1_d2i_fp(CHECKED_NEW_OF(type, xnew), \
-                        CHECKED_D2I_OF(type, d2i), \
-                        in, \
-                        CHECKED_PPTR_OF(type, x)))
-
-void *ASN1_item_d2i_fp_ex(const ASN1_ITEM *it, FILE *in, void *x,
-                          OSSL_LIB_CTX *libctx, const char *propq);
-void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
-int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, const void *x);
-
-#  define ASN1_i2d_fp_of(type,i2d,out,x) \
-    (ASN1_i2d_fp(CHECKED_I2D_OF(type, i2d), \
-                 out, \
-                 CHECKED_PTR_OF(const type, x)))
-
-int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, const void *x);
-int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags);
-# endif
-
-int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in);
-
-void *ASN1_d2i_bio(void *(*xnew) (void), d2i_of_void *d2i, BIO *in, void **x);
-
-#  define ASN1_d2i_bio_of(type,xnew,d2i,in,x) \
-    ((type*)ASN1_d2i_bio( CHECKED_NEW_OF(type, xnew), \
-                          CHECKED_D2I_OF(type, d2i), \
-                          in, \
-                          CHECKED_PPTR_OF(type, x)))
-
-void *ASN1_item_d2i_bio_ex(const ASN1_ITEM *it, BIO *in, void *pval,
-                           OSSL_LIB_CTX *libctx, const char *propq);
-void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *pval);
-int ASN1_i2d_bio(i2d_of_void *i2d, BIO *out, const void *x);
-
-#  define ASN1_i2d_bio_of(type,i2d,out,x) \
-    (ASN1_i2d_bio(CHECKED_I2D_OF(type, i2d), \
-                  out, \
-                  CHECKED_PTR_OF(const type, x)))
-
-int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, const void *x);
-BIO *ASN1_item_i2d_mem_bio(const ASN1_ITEM *it, const ASN1_VALUE *val);
-int ASN1_UTCTIME_print(BIO *fp, const ASN1_UTCTIME *a);
-int ASN1_GENERALIZEDTIME_print(BIO *fp, const ASN1_GENERALIZEDTIME *a);
-int ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm);
-int ASN1_TIME_print_ex(BIO *bp, const ASN1_TIME *tm, unsigned long flags);
-int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v);
-int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags);
-int ASN1_buf_print(BIO *bp, const unsigned char *buf, size_t buflen, int off);
-int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num,
-                  unsigned char *buf, int off);
-int ASN1_parse(BIO *bp, const unsigned char *pp, long len, int indent);
-int ASN1_parse_dump(BIO *bp, const unsigned char *pp, long len, int indent,
-                    int dump);
-const char *ASN1_tag2str(int tag);
-
-/* Used to load and write Netscape format cert */
-
-int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s);
-
-int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len);
-int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len);
-int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num,
-                                  unsigned char *data, int len);
-int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
-                                  unsigned char *data, int max_len);
-
-void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it);
-
-ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it,
-                            ASN1_OCTET_STRING **oct);
-
-void ASN1_STRING_set_default_mask(unsigned long mask);
-int ASN1_STRING_set_default_mask_asc(const char *p);
-unsigned long ASN1_STRING_get_default_mask(void);
-int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
-                       int inform, unsigned long mask);
-int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
-                        int inform, unsigned long mask,
-                        long minsize, long maxsize);
-
-ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out,
-                                    const unsigned char *in, int inlen,
-                                    int inform, int nid);
-ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid);
-int ASN1_STRING_TABLE_add(int, long, long, unsigned long, unsigned long);
-void ASN1_STRING_TABLE_cleanup(void);
-
-/* ASN1 template functions */
-
-/* Old API compatible functions */
-ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);
-ASN1_VALUE *ASN1_item_new_ex(const ASN1_ITEM *it, OSSL_LIB_CTX *libctx,
-                             const char *propq);
-void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);
-ASN1_VALUE *ASN1_item_d2i_ex(ASN1_VALUE **val, const unsigned char **in,
-                             long len, const ASN1_ITEM *it,
-                             OSSL_LIB_CTX *libctx, const char *propq);
-ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in,
-                          long len, const ASN1_ITEM *it);
-int ASN1_item_i2d(const ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it);
-int ASN1_item_ndef_i2d(const ASN1_VALUE *val, unsigned char **out,
-                       const ASN1_ITEM *it);
-
-void ASN1_add_oid_module(void);
-void ASN1_add_stable_module(void);
-
-ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf);
-ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf);
-int ASN1_str2mask(const char *str, unsigned long *pmask);
-
-/* ASN1 Print flags */
-
-/* Indicate missing OPTIONAL fields */
-# define ASN1_PCTX_FLAGS_SHOW_ABSENT             0x001
-/* Mark start and end of SEQUENCE */
-# define ASN1_PCTX_FLAGS_SHOW_SEQUENCE           0x002
-/* Mark start and end of SEQUENCE/SET OF */
-# define ASN1_PCTX_FLAGS_SHOW_SSOF               0x004
-/* Show the ASN1 type of primitives */
-# define ASN1_PCTX_FLAGS_SHOW_TYPE               0x008
-/* Don't show ASN1 type of ANY */
-# define ASN1_PCTX_FLAGS_NO_ANY_TYPE             0x010
-/* Don't show ASN1 type of MSTRINGs */
-# define ASN1_PCTX_FLAGS_NO_MSTRING_TYPE         0x020
-/* Don't show field names in SEQUENCE */
-# define ASN1_PCTX_FLAGS_NO_FIELD_NAME           0x040
-/* Show structure names of each SEQUENCE field */
-# define ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME  0x080
-/* Don't show structure name even at top level */
-# define ASN1_PCTX_FLAGS_NO_STRUCT_NAME          0x100
-
-int ASN1_item_print(BIO *out, const ASN1_VALUE *ifld, int indent,
-                    const ASN1_ITEM *it, const ASN1_PCTX *pctx);
-ASN1_PCTX *ASN1_PCTX_new(void);
-void ASN1_PCTX_free(ASN1_PCTX *p);
-unsigned long ASN1_PCTX_get_flags(const ASN1_PCTX *p);
-void ASN1_PCTX_set_flags(ASN1_PCTX *p, unsigned long flags);
-unsigned long ASN1_PCTX_get_nm_flags(const ASN1_PCTX *p);
-void ASN1_PCTX_set_nm_flags(ASN1_PCTX *p, unsigned long flags);
-unsigned long ASN1_PCTX_get_cert_flags(const ASN1_PCTX *p);
-void ASN1_PCTX_set_cert_flags(ASN1_PCTX *p, unsigned long flags);
-unsigned long ASN1_PCTX_get_oid_flags(const ASN1_PCTX *p);
-void ASN1_PCTX_set_oid_flags(ASN1_PCTX *p, unsigned long flags);
-unsigned long ASN1_PCTX_get_str_flags(const ASN1_PCTX *p);
-void ASN1_PCTX_set_str_flags(ASN1_PCTX *p, unsigned long flags);
-
-ASN1_SCTX *ASN1_SCTX_new(int (*scan_cb) (ASN1_SCTX *ctx));
-void ASN1_SCTX_free(ASN1_SCTX *p);
-const ASN1_ITEM *ASN1_SCTX_get_item(ASN1_SCTX *p);
-const ASN1_TEMPLATE *ASN1_SCTX_get_template(ASN1_SCTX *p);
-unsigned long ASN1_SCTX_get_flags(ASN1_SCTX *p);
-void ASN1_SCTX_set_app_data(ASN1_SCTX *p, void *data);
-void *ASN1_SCTX_get_app_data(ASN1_SCTX *p);
-
-const BIO_METHOD *BIO_f_asn1(void);
-
-/* cannot constify val because of CMS_stream() */
-BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it);
-
-int i2d_ASN1_bio_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags,
-                        const ASN1_ITEM *it);
-int PEM_write_bio_ASN1_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags,
-                              const char *hdr, const ASN1_ITEM *it);
-/* cannot constify val because of CMS_dataFinal() */
-int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags,
-                     int ctype_nid, int econt_nid,
-                     STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it);
-int SMIME_write_ASN1_ex(BIO *bio, ASN1_VALUE *val, BIO *data, int flags,
-                        int ctype_nid, int econt_nid,
-                        STACK_OF(X509_ALGOR) *mdalgs, const ASN1_ITEM *it,
-                        OSSL_LIB_CTX *libctx, const char *propq);
-ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it);
-ASN1_VALUE *SMIME_read_ASN1_ex(BIO *bio, int flags, BIO **bcont,
-                               const ASN1_ITEM *it, ASN1_VALUE **x,
-                               OSSL_LIB_CTX *libctx, const char *propq);
-int SMIME_crlf_copy(BIO *in, BIO *out, int flags);
-int SMIME_text(BIO *in, BIO *out);
-
-const ASN1_ITEM *ASN1_ITEM_lookup(const char *name);
-const ASN1_ITEM *ASN1_ITEM_get(size_t i);
-
-/* Legacy compatibility */
-# define DECLARE_ASN1_FUNCTIONS_fname(type, itname, name) \
-         DECLARE_ASN1_ALLOC_FUNCTIONS_name(type, name) \
-         DECLARE_ASN1_ENCODE_FUNCTIONS(type, itname, name)
-# define DECLARE_ASN1_FUNCTIONS_const(type) DECLARE_ASN1_FUNCTIONS(type)
-# define DECLARE_ASN1_ENCODE_FUNCTIONS_const(type, name) \
-         DECLARE_ASN1_ENCODE_FUNCTIONS(type, name)
-# define I2D_OF_const(type) I2D_OF(type)
-# define ASN1_dup_of_const(type,i2d,d2i,x) ASN1_dup_of(type,i2d,d2i,x)
-# define ASN1_i2d_fp_of_const(type,i2d,out,x) ASN1_i2d_fp_of(type,i2d,out,x)
-# define ASN1_i2d_bio_of_const(type,i2d,out,x) ASN1_i2d_bio_of(type,i2d,out,x)
-
-# ifdef  __cplusplus
-}
-# endif
-#endif

+ 29 - 0
libs/openssl/include/crypto/bn_conf.h

@@ -0,0 +1,29 @@
+/* WARNING: do not edit! */
+/* Generated by makefile from include\crypto\bn_conf.h.in */
+/*
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_BN_CONF_H
+# define OSSL_CRYPTO_BN_CONF_H
+# pragma once
+
+/*
+ * The contents of this file are not used in the UEFI build, as
+ * both 32-bit and 64-bit builds are supported from a single run
+ * of the Configure script.
+ */
+
+/* Should we define BN_DIV2W here? */
+
+/* Only one for the following should be defined */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+
+#endif

+ 0 - 28
libs/openssl/include/crypto/bn_conf.h.in

@@ -1,28 +0,0 @@
-{- join("\n",map { "/* $_ */" } @autowarntext) -}
-/*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_BN_CONF_H
-# define OSSL_CRYPTO_BN_CONF_H
-# pragma once
-
-/*
- * The contents of this file are not used in the UEFI build, as
- * both 32-bit and 64-bit builds are supported from a single run
- * of the Configure script.
- */
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-{- $config{b64l} ? "#define" : "#undef" -} SIXTY_FOUR_BIT_LONG
-{- $config{b64}  ? "#define" : "#undef" -} SIXTY_FOUR_BIT
-{- $config{b32}  ? "#define" : "#undef" -} THIRTY_TWO_BIT
-
-#endif

+ 0 - 177
libs/openssl/include/crypto/conf.h.in

@@ -1,177 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros generate_lhash_macros);
--}
-
-#ifndef  OPENSSL_CONF_H
-# define OPENSSL_CONF_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_CONF_H
-# endif
-
-# include <openssl/bio.h>
-# include <openssl/lhash.h>
-# include <openssl/safestack.h>
-# include <openssl/e_os2.h>
-# include <openssl/types.h>
-# include <openssl/conferr.h>
-# ifndef OPENSSL_NO_STDIO
-#  include <stdio.h>
-# endif
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-typedef struct {
-    char *section;
-    char *name;
-    char *value;
-} CONF_VALUE;
-
-{-
-    generate_stack_macros("CONF_VALUE")
-    .generate_lhash_macros("CONF_VALUE");
--}
-
-struct conf_st;
-struct conf_method_st;
-typedef struct conf_method_st CONF_METHOD;
-
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  include <openssl/conftypes.h>
-# endif
-
-/* Module definitions */
-typedef struct conf_imodule_st CONF_IMODULE;
-typedef struct conf_module_st CONF_MODULE;
-
-STACK_OF(CONF_MODULE);
-STACK_OF(CONF_IMODULE);
-
-/* DSO module function typedefs */
-typedef int conf_init_func (CONF_IMODULE *md, const CONF *cnf);
-typedef void conf_finish_func (CONF_IMODULE *md);
-
-# define CONF_MFLAGS_IGNORE_ERRORS       0x1
-# define CONF_MFLAGS_IGNORE_RETURN_CODES 0x2
-# define CONF_MFLAGS_SILENT              0x4
-# define CONF_MFLAGS_NO_DSO              0x8
-# define CONF_MFLAGS_IGNORE_MISSING_FILE 0x10
-# define CONF_MFLAGS_DEFAULT_SECTION     0x20
-
-int CONF_set_default_method(CONF_METHOD *meth);
-void CONF_set_nconf(CONF *conf, LHASH_OF(CONF_VALUE) *hash);
-LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file,
-                                long *eline);
-# ifndef OPENSSL_NO_STDIO
-LHASH_OF(CONF_VALUE) *CONF_load_fp(LHASH_OF(CONF_VALUE) *conf, FILE *fp,
-                                   long *eline);
-# endif
-LHASH_OF(CONF_VALUE) *CONF_load_bio(LHASH_OF(CONF_VALUE) *conf, BIO *bp,
-                                    long *eline);
-STACK_OF(CONF_VALUE) *CONF_get_section(LHASH_OF(CONF_VALUE) *conf,
-                                       const char *section);
-char *CONF_get_string(LHASH_OF(CONF_VALUE) *conf, const char *group,
-                      const char *name);
-long CONF_get_number(LHASH_OF(CONF_VALUE) *conf, const char *group,
-                     const char *name);
-void CONF_free(LHASH_OF(CONF_VALUE) *conf);
-#ifndef OPENSSL_NO_STDIO
-int CONF_dump_fp(LHASH_OF(CONF_VALUE) *conf, FILE *out);
-#endif
-int CONF_dump_bio(LHASH_OF(CONF_VALUE) *conf, BIO *out);
-#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 void OPENSSL_config(const char *config_name);
-#endif
-
-#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-# define OPENSSL_no_config() \
-    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)
-#endif
-
-/*
- * New conf code.  The semantics are different from the functions above. If
- * that wasn't the case, the above functions would have been replaced
- */
-
-CONF *NCONF_new_ex(OSSL_LIB_CTX *libctx, CONF_METHOD *meth);
-OSSL_LIB_CTX *NCONF_get0_libctx(const CONF *conf);
-CONF *NCONF_new(CONF_METHOD *meth);
-CONF_METHOD *NCONF_default(void);
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0 CONF_METHOD *NCONF_WIN32(void);
-#endif
-void NCONF_free(CONF *conf);
-void NCONF_free_data(CONF *conf);
-
-int NCONF_load(CONF *conf, const char *file, long *eline);
-# ifndef OPENSSL_NO_STDIO
-int NCONF_load_fp(CONF *conf, FILE *fp, long *eline);
-# endif
-int NCONF_load_bio(CONF *conf, BIO *bp, long *eline);
-STACK_OF(OPENSSL_CSTRING) *NCONF_get_section_names(const CONF *conf);
-STACK_OF(CONF_VALUE) *NCONF_get_section(const CONF *conf,
-                                        const char *section);
-char *NCONF_get_string(const CONF *conf, const char *group, const char *name);
-int NCONF_get_number_e(const CONF *conf, const char *group, const char *name,
-                       long *result);
-#ifndef OPENSSL_NO_STDIO
-int NCONF_dump_fp(const CONF *conf, FILE *out);
-#endif
-int NCONF_dump_bio(const CONF *conf, BIO *out);
-
-#define NCONF_get_number(c,g,n,r) NCONF_get_number_e(c,g,n,r)
-
-/* Module functions */
-
-int CONF_modules_load(const CONF *cnf, const char *appname,
-                      unsigned long flags);
-int CONF_modules_load_file_ex(OSSL_LIB_CTX *libctx, const char *filename,
-                              const char *appname, unsigned long flags);
-int CONF_modules_load_file(const char *filename, const char *appname,
-                           unsigned long flags);
-void CONF_modules_unload(int all);
-void CONF_modules_finish(void);
-#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-# define CONF_modules_free() while(0) continue
-#endif
-int CONF_module_add(const char *name, conf_init_func *ifunc,
-                    conf_finish_func *ffunc);
-
-const char *CONF_imodule_get_name(const CONF_IMODULE *md);
-const char *CONF_imodule_get_value(const CONF_IMODULE *md);
-void *CONF_imodule_get_usr_data(const CONF_IMODULE *md);
-void CONF_imodule_set_usr_data(CONF_IMODULE *md, void *usr_data);
-CONF_MODULE *CONF_imodule_get_module(const CONF_IMODULE *md);
-unsigned long CONF_imodule_get_flags(const CONF_IMODULE *md);
-void CONF_imodule_set_flags(CONF_IMODULE *md, unsigned long flags);
-void *CONF_module_get_usr_data(CONF_MODULE *pmod);
-void CONF_module_set_usr_data(CONF_MODULE *pmod, void *usr_data);
-
-char *CONF_get1_default_config_file(void);
-
-int CONF_parse_list(const char *list, int sep, int nospc,
-                    int (*list_cb) (const char *elem, int len, void *usr),
-                    void *arg);
-
-void OPENSSL_load_builtin_modules(void);
-
-
-# ifdef  __cplusplus
-}
-# endif
-#endif

+ 0 - 69
libs/openssl/include/crypto/configuration.h.in

@@ -1,69 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OPENSSL_CONFIGURATION_H
-# define OPENSSL_CONFIGURATION_H
-# pragma once
-
-# ifdef  __cplusplus
-extern "C" {
-# endif
-
-# ifdef OPENSSL_ALGORITHM_DEFINES
-#  error OPENSSL_ALGORITHM_DEFINES no longer supported
-# endif
-
-/*
- * OpenSSL was configured with the following options:
- */
-
-{- if (@{$config{openssl_sys_defines}}) {
-      foreach (@{$config{openssl_sys_defines}}) {
-        $OUT .= "# ifndef $_\n";
-        $OUT .= "#  define $_ 1\n";
-        $OUT .= "# endif\n";
-      }
-    }
-    foreach (@{$config{openssl_api_defines}}) {
-        (my $macro, my $value) = $_ =~ /^(.*?)=(.*?)$/;
-        $OUT .= "# define $macro $value\n";
-    }
-    if (@{$config{openssl_feature_defines}}) {
-      foreach (@{$config{openssl_feature_defines}}) {
-        $OUT .= "# ifndef $_\n";
-        $OUT .= "#  define $_\n";
-        $OUT .= "# endif\n";
-      }
-    }
-    "";
--}
-
-/* Generate 80386 code? */
-{- $config{processor} eq "386" ? "# define" : "# undef" -} I386_ONLY
-
-/*
- * The following are cipher-specific, but are part of the public API.
- */
-# if !defined(OPENSSL_SYS_UEFI)
-{- $config{bn_ll} ? "#  define" : "#  undef" -} BN_LLONG
-/* Only one for the following should be defined */
-{- $config{b64l} ? "#  define" : "#  undef" -} SIXTY_FOUR_BIT_LONG
-{- $config{b64}  ? "#  define" : "#  undef" -} SIXTY_FOUR_BIT
-{- $config{b32}  ? "#  define" : "#  undef" -} THIRTY_TWO_BIT
-# endif
-
-# define RC4_INT {- $config{rc4_int} -}
-
-# ifdef  __cplusplus
-}
-# endif
-
-#endif                          /* OPENSSL_CONFIGURATION_H */

+ 18 - 0
libs/openssl/include/crypto/dso_conf.h

@@ -0,0 +1,18 @@
+/* WARNING: do not edit! */
+/* Generated by makefile from include\crypto\dso_conf.h.in */
+/*
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OSSL_CRYPTO_DSO_CONF_H
+# define OSSL_CRYPTO_DSO_CONF_H
+# pragma once
+
+# define DSO_WIN32
+# define DSO_EXTENSION ".dll"
+#endif

+ 0 - 33
libs/openssl/include/crypto/dso_conf.h.in

@@ -1,33 +0,0 @@
-{- join("\n",map { "/* $_ */" } @autowarntext) -}
-/*
- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_DSO_CONF_H
-# define OSSL_CRYPTO_DSO_CONF_H
-# pragma once
-
-{-  # The DSO code currently always implements all functions so that no
-    # applications will have to worry about that from a compilation point
-    # of view. However, the "method"s may return zero unless that platform
-    # has support compiled in for them. Currently each method is enabled
-    # by a define "DSO_<name>" ... we translate the "dso_scheme" config
-    # string entry into using the following logic;
-    my $scheme = $disabled{dso} ? undef : uc $target{dso_scheme};
-    if (!$scheme) {
-        $scheme = "NONE";
-    }
-    my @macros = ( "DSO_$scheme" );
-    if ($scheme eq 'DLFCN') {
-        @macros = ( "DSO_DLFCN", "HAVE_DLFCN_H" );
-    } elsif ($scheme eq "DLFCN_NO_H") {
-        @macros = ( "DSO_DLFCN" );
-    }
-    join("\n", map { "# define $_" } @macros); -}
-# define DSO_EXTENSION "{- platform->dsoext() -}"
-#endif

+ 0 - 81
libs/openssl/include/crypto/ess.h.in

@@ -1,81 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_ESS_H
-# define OPENSSL_ESS_H
-# pragma once
-
-# include <openssl/opensslconf.h>
-
-# include <openssl/safestack.h>
-# include <openssl/x509.h>
-# include <openssl/esserr.h>
-
-# ifdef  __cplusplus
-extern "C" {
-# endif
-
-
-typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
-typedef struct ESS_cert_id ESS_CERT_ID;
-typedef struct ESS_signing_cert ESS_SIGNING_CERT;
-
-{-
-    generate_stack_macros("ESS_CERT_ID");
--}
-
-
-typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2;
-typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2;
-
-{-
-    generate_stack_macros("ESS_CERT_ID_V2");
--}
-
-DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL)
-DECLARE_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
-
-DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_CERT_ID)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_CERT_ID, ESS_CERT_ID)
-DECLARE_ASN1_DUP_FUNCTION(ESS_CERT_ID)
-
-DECLARE_ASN1_FUNCTIONS(ESS_SIGNING_CERT)
-DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
-
-DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_CERT_ID_V2)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_CERT_ID_V2, ESS_CERT_ID_V2)
-DECLARE_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
-
-DECLARE_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
-DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
-
-ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
-                                                 const STACK_OF(X509) *certs,
-                                                 int set_issuer_serial);
-ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
-                                                       const X509 *signcert,
-                                                       const
-                                                       STACK_OF(X509) *certs,
-                                                       int set_issuer_serial);
-int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
-                                 const ESS_SIGNING_CERT_V2 *ssv2,
-                                 const STACK_OF(X509) *chain,
-                                 int require_signing_cert);
-
-# ifdef  __cplusplus
-}
-# endif
-#endif

+ 0 - 35
libs/openssl/include/crypto/fipskey.h.in

@@ -1,35 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OPENSSL_FIPSKEY_H
-# define OPENSSL_FIPSKEY_H
-# pragma once
-
-# ifdef  __cplusplus
-extern "C" {
-# endif
-
-/*
- * The FIPS validation HMAC key, usable as an array initializer.
- */
-#define FIPS_KEY_ELEMENTS \
-    {- join(', ', map { "0x$_" } unpack("(A2)*", $config{FIPSKEY})) -}
-
-/*
- * The FIPS validation key, as a string.
- */
-#define FIPS_KEY_STRING "{- $config{FIPSKEY} -}"
-
-# ifdef  __cplusplus
-}
-# endif
-
-#endif

+ 0 - 387
libs/openssl/include/crypto/ocsp.h.in

@@ -1,387 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_OCSP_H
-# define OPENSSL_OCSP_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_OCSP_H
-# endif
-
-# include <openssl/opensslconf.h>
-# include <openssl/http.h>
-# include <openssl/asn1.h>
-
-/*
- * These definitions are outside the OPENSSL_NO_OCSP guard because although for
- * historical reasons they have OCSP_* names, they can actually be used
- * independently of OCSP. E.g. see RFC5280
- */
-/*-
- *   CRLReason ::= ENUMERATED {
- *        unspecified             (0),
- *        keyCompromise           (1),
- *        cACompromise            (2),
- *        affiliationChanged      (3),
- *        superseded              (4),
- *        cessationOfOperation    (5),
- *        certificateHold         (6),
- *        -- value 7 is not used
- *        removeFromCRL           (8),
- *        privilegeWithdrawn      (9),
- *        aACompromise           (10) }
- */
-# define OCSP_REVOKED_STATUS_NOSTATUS                -1
-# define OCSP_REVOKED_STATUS_UNSPECIFIED             0
-# define OCSP_REVOKED_STATUS_KEYCOMPROMISE           1
-# define OCSP_REVOKED_STATUS_CACOMPROMISE            2
-# define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED      3
-# define OCSP_REVOKED_STATUS_SUPERSEDED              4
-# define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION    5
-# define OCSP_REVOKED_STATUS_CERTIFICATEHOLD         6
-# define OCSP_REVOKED_STATUS_REMOVEFROMCRL           8
-# define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN      9
-# define OCSP_REVOKED_STATUS_AACOMPROMISE            10
-
-
-# ifndef OPENSSL_NO_OCSP
-
-#  include <openssl/x509.h>
-#  include <openssl/x509v3.h>
-#  include <openssl/safestack.h>
-#  include <openssl/ocsperr.h>
-
-#  ifdef __cplusplus
-extern "C" {
-#  endif
-
-/* Various flags and values */
-
-#  define OCSP_DEFAULT_NONCE_LENGTH       16
-
-#  define OCSP_NOCERTS                    0x1
-#  define OCSP_NOINTERN                   0x2
-#  define OCSP_NOSIGS                     0x4
-#  define OCSP_NOCHAIN                    0x8
-#  define OCSP_NOVERIFY                   0x10
-#  define OCSP_NOEXPLICIT                 0x20
-#  define OCSP_NOCASIGN                   0x40
-#  define OCSP_NODELEGATED                0x80
-#  define OCSP_NOCHECKS                   0x100
-#  define OCSP_TRUSTOTHER                 0x200
-#  define OCSP_RESPID_KEY                 0x400
-#  define OCSP_NOTIME                     0x800
-#  define OCSP_PARTIAL_CHAIN              0x1000
-
-typedef struct ocsp_cert_id_st OCSP_CERTID;
-typedef struct ocsp_one_request_st OCSP_ONEREQ;
-typedef struct ocsp_req_info_st OCSP_REQINFO;
-typedef struct ocsp_signature_st OCSP_SIGNATURE;
-typedef struct ocsp_request_st OCSP_REQUEST;
-
-{-
-    generate_stack_macros("OCSP_CERTID")
-    .generate_stack_macros("OCSP_ONEREQ");
--}
-
-#  define OCSP_RESPONSE_STATUS_SUCCESSFUL           0
-#  define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST     1
-#  define OCSP_RESPONSE_STATUS_INTERNALERROR        2
-#  define OCSP_RESPONSE_STATUS_TRYLATER             3
-#  define OCSP_RESPONSE_STATUS_SIGREQUIRED          5
-#  define OCSP_RESPONSE_STATUS_UNAUTHORIZED         6
-
-typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
-
-#  define V_OCSP_RESPID_NAME 0
-#  define V_OCSP_RESPID_KEY  1
-
-{-
-    generate_stack_macros("OCSP_RESPID");
--}
-
-typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
-
-#  define V_OCSP_CERTSTATUS_GOOD    0
-#  define V_OCSP_CERTSTATUS_REVOKED 1
-#  define V_OCSP_CERTSTATUS_UNKNOWN 2
-
-typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
-typedef struct ocsp_single_response_st OCSP_SINGLERESP;
-
-{-
-    generate_stack_macros("OCSP_SINGLERESP");
--}
-
-typedef struct ocsp_response_data_st OCSP_RESPDATA;
-
-typedef struct ocsp_basic_response_st OCSP_BASICRESP;
-
-typedef struct ocsp_crl_id_st OCSP_CRLID;
-typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
-
-#  define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
-#  define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-
-#  define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
-
-#  define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
-
-#  define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
-     (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST, \
-     bp,(char **)(x),cb,NULL)
-
-#  define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) (OCSP_RESPONSE *)PEM_ASN1_read_bio(\
-     (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE, \
-     bp,(char **)(x),cb,NULL)
-
-#  define PEM_write_bio_OCSP_REQUEST(bp,o) \
-    PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
-                        bp,(char *)(o), NULL,NULL,0,NULL,NULL)
-
-#  define PEM_write_bio_OCSP_RESPONSE(bp,o) \
-    PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
-                        bp,(char *)(o), NULL,NULL,0,NULL,NULL)
-
-#  define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
-
-#  define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
-
-#  define ASN1_BIT_STRING_digest(data,type,md,len) \
-        ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
-
-#  define OCSP_CERTSTATUS_dup(cs)\
-                (OCSP_CERTSTATUS*)ASN1_dup((i2d_of_void *)i2d_OCSP_CERTSTATUS,\
-                (d2i_of_void *)d2i_OCSP_CERTSTATUS,(char *)(cs))
-
-DECLARE_ASN1_DUP_FUNCTION(OCSP_CERTID)
-
-OSSL_HTTP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path,
-                                    const OCSP_REQUEST *req, int buf_size);
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req);
-
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-typedef OSSL_HTTP_REQ_CTX OCSP_REQ_CTX;
-#   define OCSP_REQ_CTX_new(io, buf_size) \
-        OSSL_HTTP_REQ_CTX_new(io, io, buf_size)
-#   define OCSP_REQ_CTX_free OSSL_HTTP_REQ_CTX_free
-#   define OCSP_REQ_CTX_http(rctx, op, path) \
-        (OSSL_HTTP_REQ_CTX_set_expected(rctx, NULL, 1 /* asn1 */, 0, 0) && \
-         OSSL_HTTP_REQ_CTX_set_request_line(rctx, strcmp(op, "POST") == 0, \
-                                            NULL, NULL, path))
-#   define OCSP_REQ_CTX_add1_header OSSL_HTTP_REQ_CTX_add1_header
-#   define OCSP_REQ_CTX_i2d(r, it, req) \
-        OSSL_HTTP_REQ_CTX_set1_req(r, "application/ocsp-request", it, req)
-#   define OCSP_REQ_CTX_set1_req(r, req) \
-        OCSP_REQ_CTX_i2d(r, ASN1_ITEM_rptr(OCSP_REQUEST), (ASN1_VALUE *)(req))
-#   define OCSP_REQ_CTX_nbio OSSL_HTTP_REQ_CTX_nbio
-#   define OCSP_REQ_CTX_nbio_d2i OSSL_HTTP_REQ_CTX_nbio_d2i
-#   define OCSP_sendreq_nbio(p, r) \
-        OSSL_HTTP_REQ_CTX_nbio_d2i(r, (ASN1_VALUE **)(p), \
-                                   ASN1_ITEM_rptr(OCSP_RESPONSE))
-#   define OCSP_REQ_CTX_get0_mem_bio OSSL_HTTP_REQ_CTX_get0_mem_bio
-#   define OCSP_set_max_response_length OSSL_HTTP_REQ_CTX_set_max_response_length
-#  endif
-
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
-                             const X509 *issuer);
-
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
-                              const X509_NAME *issuerName,
-                              const ASN1_BIT_STRING *issuerKey,
-                              const ASN1_INTEGER *serialNumber);
-
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-
-int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-
-int OCSP_request_sign(OCSP_REQUEST *req,
-                      X509 *signer,
-                      EVP_PKEY *key,
-                      const EVP_MD *dgst,
-                      STACK_OF(X509) *certs, unsigned long flags);
-
-int OCSP_response_status(OCSP_RESPONSE *resp);
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-
-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
-const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
-const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
-int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
-                          STACK_OF(X509) *extra_certs);
-
-int OCSP_resp_count(OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs);
-const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
-                      const ASN1_OCTET_STRING **pid,
-                      const X509_NAME **pname);
-int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
-                      ASN1_OCTET_STRING **pid,
-                      X509_NAME **pname);
-
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-                            ASN1_GENERALIZEDTIME **revtime,
-                            ASN1_GENERALIZEDTIME **thisupd,
-                            ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-                          int *reason,
-                          ASN1_GENERALIZEDTIME **revtime,
-                          ASN1_GENERALIZEDTIME **thisupd,
-                          ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-                        ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
-                        X509_STORE *store, unsigned long flags);
-
-#  define OCSP_parse_url(url, host, port, path, ssl) \
-    OSSL_HTTP_parse_url(url, ssl, NULL, host, port, NULL, path, NULL, NULL)
-
-int OCSP_id_issuer_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b);
-int OCSP_id_cmp(const OCSP_CERTID *a, const OCSP_CERTID *b);
-
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
-                      ASN1_OCTET_STRING **pikeyHash,
-                      ASN1_INTEGER **pserial, OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
-                                        OCSP_CERTID *cid,
-                                        int status, int reason,
-                                        ASN1_TIME *revtime,
-                                        ASN1_TIME *thisupd,
-                                        ASN1_TIME *nextupd);
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp,
-                    X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-                    STACK_OF(X509) *certs, unsigned long flags);
-int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
-                        X509 *signer, EVP_MD_CTX *ctx,
-                        STACK_OF(X509) *certs, unsigned long flags);
-int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
-int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
-                              OSSL_LIB_CTX *libctx, const char *propq);
-int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
-int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OSSL_LIB_CTX *libctx,
-                         const char *propq);
-int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
-
-X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim);
-
-X509_EXTENSION *OCSP_accept_responses_new(char **oids);
-
-X509_EXTENSION *OCSP_archive_cutoff_new(char *tim);
-
-X509_EXTENSION *OCSP_url_svcloc_new(const X509_NAME *issuer, const char **urls);
-
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
-                                int lastpos);
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit,
-                                int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
-                              unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj, int lastpos);
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
-void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
-                             unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
-                                  int lastpos);
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
-                                       int lastpos);
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
-                                  int *idx);
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
-                                int crit, unsigned long flags);
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj,
-                                   int lastpos);
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
-                                        int lastpos);
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
-                                   int *idx);
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
-                                 int crit, unsigned long flags);
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *x);
-
-DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
-DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
-DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
-DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
-DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
-
-const char *OCSP_response_status_str(long s);
-const char *OCSP_cert_status_str(long s);
-const char *OCSP_crl_reason_str(long s);
-
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags);
-
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
-                      X509_STORE *st, unsigned long flags);
-
-
-#  ifdef  __cplusplus
-}
-#  endif
-# endif /* !defined(OPENSSL_NO_OCSP) */
-#endif

+ 0 - 113
libs/openssl/include/crypto/opensslv.h.in

@@ -1,113 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OPENSSL_OPENSSLV_H
-# define OPENSSL_OPENSSLV_H
-# pragma once
-
-# ifdef  __cplusplus
-extern "C" {
-# endif
-
-/*
- * SECTION 1: VERSION DATA.  These will change for each release
- */
-
-/*
- * Base version macros
- *
- * These macros express version number MAJOR.MINOR.PATCH exactly
- */
-# define OPENSSL_VERSION_MAJOR  {- $config{major} -}
-# define OPENSSL_VERSION_MINOR  {- $config{minor} -}
-# define OPENSSL_VERSION_PATCH  {- $config{patch} -}
-
-/*
- * Additional version information
- *
- * These are also part of the new version scheme, but aren't part
- * of the version number itself.
- */
-
-/* Could be: #define OPENSSL_VERSION_PRE_RELEASE "-alpha.1" */
-# define OPENSSL_VERSION_PRE_RELEASE "{- $config{prerelease} -}"
-/* Could be: #define OPENSSL_VERSION_BUILD_METADATA "+fips" */
-/* Could be: #define OPENSSL_VERSION_BUILD_METADATA "+vendor.1" */
-# define OPENSSL_VERSION_BUILD_METADATA "{- $config{build_metadata} -}"
-
-/*
- * Note: The OpenSSL Project will never define OPENSSL_VERSION_BUILD_METADATA
- * to be anything but the empty string.  Its use is entirely reserved for
- * others
- */
-
-/*
- * Shared library version
- *
- * This is strictly to express ABI version, which may or may not
- * be related to the API version expressed with the macros above.
- * This is defined in free form.
- */
-# define OPENSSL_SHLIB_VERSION {- $config{shlib_version} -}
-
-/*
- * SECTION 2: USEFUL MACROS
- */
-
-/* For checking general API compatibility when preprocessing */
-# define OPENSSL_VERSION_PREREQ(maj,min)                                \
-    ((OPENSSL_VERSION_MAJOR << 16) + OPENSSL_VERSION_MINOR >= ((maj) << 16) + (min))
-
-/*
- * Macros to get the version in easily digested string form, both the short
- * "MAJOR.MINOR.PATCH" variant (where MAJOR, MINOR and PATCH are replaced
- * with the values from the corresponding OPENSSL_VERSION_ macros) and the
- * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
- * OPENSSL_VERSION_BUILD_METADATA_STR appended.
- */
-# define OPENSSL_VERSION_STR "{- $config{version} -}"
-# define OPENSSL_FULL_VERSION_STR "{- $config{full_version} -}"
-
-/*
- * SECTION 3: ADDITIONAL METADATA
- *
- * These strings are defined separately to allow them to be parsable.
- */
-# define OPENSSL_RELEASE_DATE "{- $config{release_date} -}"
-
-/*
- * SECTION 4: BACKWARD COMPATIBILITY
- */
-
-# define OPENSSL_VERSION_TEXT "OpenSSL {- "$config{full_version} $config{release_date}" -}"
-
-/* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
-# ifdef OPENSSL_VERSION_PRE_RELEASE
-#  define _OPENSSL_VERSION_PRE_RELEASE 0x0L
-# else
-#  define _OPENSSL_VERSION_PRE_RELEASE 0xfL
-# endif
-# define OPENSSL_VERSION_NUMBER          \
-    ( (OPENSSL_VERSION_MAJOR<<28)        \
-      |(OPENSSL_VERSION_MINOR<<20)       \
-      |(OPENSSL_VERSION_PATCH<<4)        \
-      |_OPENSSL_VERSION_PRE_RELEASE )
-
-# ifdef  __cplusplus
-}
-# endif
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_OPENSSLV_H
-# endif
-
-#endif                          /* OPENSSL_OPENSSLV_H */

+ 0 - 359
libs/openssl/include/crypto/pkcs7.h.in

@@ -1,359 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_PKCS7_H
-# define OPENSSL_PKCS7_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_PKCS7_H
-# endif
-
-# include <openssl/asn1.h>
-# include <openssl/bio.h>
-# include <openssl/e_os2.h>
-
-# include <openssl/symhacks.h>
-# include <openssl/types.h>
-# include <openssl/pkcs7err.h>
-# ifndef OPENSSL_NO_STDIO
-#  include <stdio.h>
-# endif
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-
-/*-
-Encryption_ID           DES-CBC
-Digest_ID               MD5
-Digest_Encryption_ID    rsaEncryption
-Key_Encryption_ID       rsaEncryption
-*/
-
-typedef struct PKCS7_CTX_st {
-    OSSL_LIB_CTX *libctx;
-    char *propq;
-} PKCS7_CTX;
-
-typedef struct pkcs7_issuer_and_serial_st {
-    X509_NAME *issuer;
-    ASN1_INTEGER *serial;
-} PKCS7_ISSUER_AND_SERIAL;
-
-typedef struct pkcs7_signer_info_st {
-    ASN1_INTEGER *version;      /* version 1 */
-    PKCS7_ISSUER_AND_SERIAL *issuer_and_serial;
-    X509_ALGOR *digest_alg;
-    STACK_OF(X509_ATTRIBUTE) *auth_attr; /* [ 0 ] */
-    X509_ALGOR *digest_enc_alg;
-    ASN1_OCTET_STRING *enc_digest;
-    STACK_OF(X509_ATTRIBUTE) *unauth_attr; /* [ 1 ] */
-    /* The private key to sign with */
-    EVP_PKEY *pkey;
-    const PKCS7_CTX *ctx;
-} PKCS7_SIGNER_INFO;
-{-
-    generate_stack_macros("PKCS7_SIGNER_INFO");
--}
-
-typedef struct pkcs7_recip_info_st {
-    ASN1_INTEGER *version;      /* version 0 */
-    PKCS7_ISSUER_AND_SERIAL *issuer_and_serial;
-    X509_ALGOR *key_enc_algor;
-    ASN1_OCTET_STRING *enc_key;
-    X509 *cert;                 /* get the pub-key from this */
-    const PKCS7_CTX *ctx;
-} PKCS7_RECIP_INFO;
-{-
-    generate_stack_macros("PKCS7_RECIP_INFO");
--}
-
-
-typedef struct pkcs7_signed_st {
-    ASN1_INTEGER *version;      /* version 1 */
-    STACK_OF(X509_ALGOR) *md_algs; /* md used */
-    STACK_OF(X509) *cert;       /* [ 0 ] */
-    STACK_OF(X509_CRL) *crl;    /* [ 1 ] */
-    STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
-    struct pkcs7_st *contents;
-} PKCS7_SIGNED;
-/*
- * The above structure is very very similar to PKCS7_SIGN_ENVELOPE. How about
- * merging the two
- */
-
-typedef struct pkcs7_enc_content_st {
-    ASN1_OBJECT *content_type;
-    X509_ALGOR *algorithm;
-    ASN1_OCTET_STRING *enc_data; /* [ 0 ] */
-    const EVP_CIPHER *cipher;
-    const PKCS7_CTX *ctx;
-} PKCS7_ENC_CONTENT;
-
-typedef struct pkcs7_enveloped_st {
-    ASN1_INTEGER *version;      /* version 0 */
-    STACK_OF(PKCS7_RECIP_INFO) *recipientinfo;
-    PKCS7_ENC_CONTENT *enc_data;
-} PKCS7_ENVELOPE;
-
-typedef struct pkcs7_signedandenveloped_st {
-    ASN1_INTEGER *version;      /* version 1 */
-    STACK_OF(X509_ALGOR) *md_algs; /* md used */
-    STACK_OF(X509) *cert;       /* [ 0 ] */
-    STACK_OF(X509_CRL) *crl;    /* [ 1 ] */
-    STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
-    PKCS7_ENC_CONTENT *enc_data;
-    STACK_OF(PKCS7_RECIP_INFO) *recipientinfo;
-} PKCS7_SIGN_ENVELOPE;
-
-typedef struct pkcs7_digest_st {
-    ASN1_INTEGER *version;      /* version 0 */
-    X509_ALGOR *md;             /* md used */
-    struct pkcs7_st *contents;
-    ASN1_OCTET_STRING *digest;
-} PKCS7_DIGEST;
-
-typedef struct pkcs7_encrypted_st {
-    ASN1_INTEGER *version;      /* version 0 */
-    PKCS7_ENC_CONTENT *enc_data;
-} PKCS7_ENCRYPT;
-
-typedef struct pkcs7_st {
-    /*
-     * The following is non NULL if it contains ASN1 encoding of this
-     * structure
-     */
-    unsigned char *asn1;
-    long length;
-# define PKCS7_S_HEADER  0
-# define PKCS7_S_BODY    1
-# define PKCS7_S_TAIL    2
-    int state;                  /* used during processing */
-    int detached;
-    ASN1_OBJECT *type;
-    /* content as defined by the type */
-    /*
-     * all encryption/message digests are applied to the 'contents', leaving
-     * out the 'type' field.
-     */
-    union {
-        char *ptr;
-        /* NID_pkcs7_data */
-        ASN1_OCTET_STRING *data;
-        /* NID_pkcs7_signed */
-        PKCS7_SIGNED *sign;
-        /* NID_pkcs7_enveloped */
-        PKCS7_ENVELOPE *enveloped;
-        /* NID_pkcs7_signedAndEnveloped */
-        PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
-        /* NID_pkcs7_digest */
-        PKCS7_DIGEST *digest;
-        /* NID_pkcs7_encrypted */
-        PKCS7_ENCRYPT *encrypted;
-        /* Anything else */
-        ASN1_TYPE *other;
-    } d;
-    PKCS7_CTX ctx;
-} PKCS7;
-{-
-    generate_stack_macros("PKCS7");
--}
-
-
-# define PKCS7_OP_SET_DETACHED_SIGNATURE 1
-# define PKCS7_OP_GET_DETACHED_SIGNATURE 2
-
-# define PKCS7_get_signed_attributes(si) ((si)->auth_attr)
-# define PKCS7_get_attributes(si)        ((si)->unauth_attr)
-
-# define PKCS7_type_is_signed(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_signed)
-# define PKCS7_type_is_encrypted(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_encrypted)
-# define PKCS7_type_is_enveloped(a) (OBJ_obj2nid((a)->type) == NID_pkcs7_enveloped)
-# define PKCS7_type_is_signedAndEnveloped(a) \
-                (OBJ_obj2nid((a)->type) == NID_pkcs7_signedAndEnveloped)
-# define PKCS7_type_is_data(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_data)
-# define PKCS7_type_is_digest(a)   (OBJ_obj2nid((a)->type) == NID_pkcs7_digest)
-
-# define PKCS7_set_detached(p,v) \
-                PKCS7_ctrl(p,PKCS7_OP_SET_DETACHED_SIGNATURE,v,NULL)
-# define PKCS7_get_detached(p) \
-                PKCS7_ctrl(p,PKCS7_OP_GET_DETACHED_SIGNATURE,0,NULL)
-
-# define PKCS7_is_detached(p7) (PKCS7_type_is_signed(p7) && PKCS7_get_detached(p7))
-
-/* S/MIME related flags */
-
-# define PKCS7_TEXT              0x1
-# define PKCS7_NOCERTS           0x2
-# define PKCS7_NOSIGS            0x4
-# define PKCS7_NOCHAIN           0x8
-# define PKCS7_NOINTERN          0x10
-# define PKCS7_NOVERIFY          0x20
-# define PKCS7_DETACHED          0x40
-# define PKCS7_BINARY            0x80
-# define PKCS7_NOATTR            0x100
-# define PKCS7_NOSMIMECAP        0x200
-# define PKCS7_NOOLDMIMETYPE     0x400
-# define PKCS7_CRLFEOL           0x800
-# define PKCS7_STREAM            0x1000
-# define PKCS7_NOCRL             0x2000
-# define PKCS7_PARTIAL           0x4000
-# define PKCS7_REUSE_DIGEST      0x8000
-# define PKCS7_NO_DUAL_CONTENT   0x10000
-
-/* Flags: for compatibility with older code */
-
-# define SMIME_TEXT      PKCS7_TEXT
-# define SMIME_NOCERTS   PKCS7_NOCERTS
-# define SMIME_NOSIGS    PKCS7_NOSIGS
-# define SMIME_NOCHAIN   PKCS7_NOCHAIN
-# define SMIME_NOINTERN  PKCS7_NOINTERN
-# define SMIME_NOVERIFY  PKCS7_NOVERIFY
-# define SMIME_DETACHED  PKCS7_DETACHED
-# define SMIME_BINARY    PKCS7_BINARY
-# define SMIME_NOATTR    PKCS7_NOATTR
-
-/* CRLF ASCII canonicalisation */
-# define SMIME_ASCIICRLF         0x80000
-
-DECLARE_ASN1_FUNCTIONS(PKCS7_ISSUER_AND_SERIAL)
-
-int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data,
-                                   const EVP_MD *type, unsigned char *md,
-                                   unsigned int *len);
-# ifndef OPENSSL_NO_STDIO
-PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7);
-int i2d_PKCS7_fp(FILE *fp, const PKCS7 *p7);
-# endif
-DECLARE_ASN1_DUP_FUNCTION(PKCS7)
-PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7);
-int i2d_PKCS7_bio(BIO *bp, const PKCS7 *p7);
-int i2d_PKCS7_bio_stream(BIO *out, PKCS7 *p7, BIO *in, int flags);
-int PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *in, int flags);
-
-DECLARE_ASN1_FUNCTIONS(PKCS7_SIGNER_INFO)
-DECLARE_ASN1_FUNCTIONS(PKCS7_RECIP_INFO)
-DECLARE_ASN1_FUNCTIONS(PKCS7_SIGNED)
-DECLARE_ASN1_FUNCTIONS(PKCS7_ENC_CONTENT)
-DECLARE_ASN1_FUNCTIONS(PKCS7_ENVELOPE)
-DECLARE_ASN1_FUNCTIONS(PKCS7_SIGN_ENVELOPE)
-DECLARE_ASN1_FUNCTIONS(PKCS7_DIGEST)
-DECLARE_ASN1_FUNCTIONS(PKCS7_ENCRYPT)
-DECLARE_ASN1_FUNCTIONS(PKCS7)
-PKCS7 *PKCS7_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
-
-DECLARE_ASN1_ITEM(PKCS7_ATTR_SIGN)
-DECLARE_ASN1_ITEM(PKCS7_ATTR_VERIFY)
-
-DECLARE_ASN1_NDEF_FUNCTION(PKCS7)
-DECLARE_ASN1_PRINT_FUNCTION(PKCS7)
-
-long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg);
-
-int PKCS7_type_is_other(PKCS7 *p7);
-int PKCS7_set_type(PKCS7 *p7, int type);
-int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other);
-int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data);
-int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
-                          const EVP_MD *dgst);
-int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si);
-int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *p7i);
-int PKCS7_add_certificate(PKCS7 *p7, X509 *x509);
-int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
-int PKCS7_content_new(PKCS7 *p7, int nid);
-int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx,
-                     BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si);
-int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
-                          X509 *x509);
-
-BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio);
-int PKCS7_dataFinal(PKCS7 *p7, BIO *bio);
-BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);
-
-PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
-                                       EVP_PKEY *pkey, const EVP_MD *dgst);
-X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
-int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md);
-STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
-
-PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509);
-void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk,
-                                 X509_ALGOR **pdig, X509_ALGOR **psig);
-void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc);
-int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri);
-int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509);
-int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher);
-int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7);
-
-PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx);
-ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7);
-ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk);
-int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int type,
-                               void *data);
-int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
-                        void *value);
-ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid);
-ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid);
-int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
-                                STACK_OF(X509_ATTRIBUTE) *sk);
-int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,
-                         STACK_OF(X509_ATTRIBUTE) *sk);
-
-PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
-                  BIO *data, int flags);
-PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
-                     BIO *data, int flags, OSSL_LIB_CTX *libctx,
-                     const char *propq);
-
-PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7,
-                                         X509 *signcert, EVP_PKEY *pkey,
-                                         const EVP_MD *md, int flags);
-
-int PKCS7_final(PKCS7 *p7, BIO *data, int flags);
-int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
-                 BIO *indata, BIO *out, int flags);
-STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs,
-                                   int flags);
-PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
-                     int flags);
-PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
-                        const EVP_CIPHER *cipher, int flags,
-                        OSSL_LIB_CTX *libctx, const char *propq);
-int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data,
-                  int flags);
-
-int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si,
-                              STACK_OF(X509_ALGOR) *cap);
-STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si);
-int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg);
-
-int PKCS7_add_attrib_content_type(PKCS7_SIGNER_INFO *si, ASN1_OBJECT *coid);
-int PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t);
-int PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si,
-                             const unsigned char *md, int mdlen);
-
-int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags);
-PKCS7 *SMIME_read_PKCS7_ex(BIO *bio, BIO **bcont, PKCS7 **p7);
-PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont);
-
-BIO *BIO_new_PKCS7(BIO *out, PKCS7 *p7);
-
-# ifdef  __cplusplus
-}
-# endif
-#endif

+ 0 - 29
libs/openssl/include/crypto/ppc_arch.h

@@ -1,29 +0,0 @@
-/*
- * Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_PPC_ARCH_H
-# define OSSL_CRYPTO_PPC_ARCH_H
-
-extern unsigned int OPENSSL_ppccap_P;
-
-/*
- * Flags' usage can appear ambiguous, because they are set rather
- * to reflect OpenSSL performance preferences than actual processor
- * capabilities.
- */
-# define PPC_FPU64       (1<<0)
-# define PPC_ALTIVEC     (1<<1)
-# define PPC_CRYPTO207   (1<<2)
-# define PPC_FPU         (1<<3)
-# define PPC_MADD300     (1<<4)
-# define PPC_MFTB        (1<<5)
-# define PPC_MFSPR268    (1<<6)
-# define PPC_BRD31       (1<<7)
-
-#endif

+ 0 - 227
libs/openssl/include/crypto/safestack.h.in

@@ -1,227 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_string_macros
-                          generate_stack_const_string_macros
-                          generate_stack_block_macros);
--}
-
-#ifndef OPENSSL_SAFESTACK_H
-# define OPENSSL_SAFESTACK_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_SAFESTACK_H
-# endif
-
-# include <openssl/stack.h>
-# include <openssl/e_os2.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-# define STACK_OF(type) struct stack_st_##type
-
-/* Helper macro for internal use */
-# define SKM_DEFINE_STACK_OF_INTERNAL(t1, t2, t3) \
-    STACK_OF(t1); \
-    typedef int (*sk_##t1##_compfunc)(const t3 * const *a, const t3 *const *b); \
-    typedef void (*sk_##t1##_freefunc)(t3 *a); \
-    typedef t3 * (*sk_##t1##_copyfunc)(const t3 *a); \
-    static ossl_unused ossl_inline t2 *ossl_check_##t1##_type(t2 *ptr) \
-    { \
-        return ptr; \
-    } \
-    static ossl_unused ossl_inline const OPENSSL_STACK *ossl_check_const_##t1##_sk_type(const STACK_OF(t1) *sk) \
-    { \
-        return (const OPENSSL_STACK *)sk; \
-    } \
-    static ossl_unused ossl_inline OPENSSL_STACK *ossl_check_##t1##_sk_type(STACK_OF(t1) *sk) \
-    { \
-        return (OPENSSL_STACK *)sk; \
-    } \
-    static ossl_unused ossl_inline OPENSSL_sk_compfunc ossl_check_##t1##_compfunc_type(sk_##t1##_compfunc cmp) \
-    { \
-        return (OPENSSL_sk_compfunc)cmp; \
-    } \
-    static ossl_unused ossl_inline OPENSSL_sk_copyfunc ossl_check_##t1##_copyfunc_type(sk_##t1##_copyfunc cpy) \
-    { \
-        return (OPENSSL_sk_copyfunc)cpy; \
-    } \
-    static ossl_unused ossl_inline OPENSSL_sk_freefunc ossl_check_##t1##_freefunc_type(sk_##t1##_freefunc fr) \
-    { \
-        return (OPENSSL_sk_freefunc)fr; \
-    }
-
-# define SKM_DEFINE_STACK_OF(t1, t2, t3) \
-    STACK_OF(t1); \
-    typedef int (*sk_##t1##_compfunc)(const t3 * const *a, const t3 *const *b); \
-    typedef void (*sk_##t1##_freefunc)(t3 *a); \
-    typedef t3 * (*sk_##t1##_copyfunc)(const t3 *a); \
-    static ossl_unused ossl_inline int sk_##t1##_num(const STACK_OF(t1) *sk) \
-    { \
-        return OPENSSL_sk_num((const OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline t2 *sk_##t1##_value(const STACK_OF(t1) *sk, int idx) \
-    { \
-        return (t2 *)OPENSSL_sk_value((const OPENSSL_STACK *)sk, idx); \
-    } \
-    static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new(sk_##t1##_compfunc compare) \
-    { \
-        return (STACK_OF(t1) *)OPENSSL_sk_new((OPENSSL_sk_compfunc)compare); \
-    } \
-    static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_null(void) \
-    { \
-        return (STACK_OF(t1) *)OPENSSL_sk_new_null(); \
-    } \
-    static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_new_reserve(sk_##t1##_compfunc compare, int n) \
-    { \
-        return (STACK_OF(t1) *)OPENSSL_sk_new_reserve((OPENSSL_sk_compfunc)compare, n); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_reserve(STACK_OF(t1) *sk, int n) \
-    { \
-        return OPENSSL_sk_reserve((OPENSSL_STACK *)sk, n); \
-    } \
-    static ossl_unused ossl_inline void sk_##t1##_free(STACK_OF(t1) *sk) \
-    { \
-        OPENSSL_sk_free((OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline void sk_##t1##_zero(STACK_OF(t1) *sk) \
-    { \
-        OPENSSL_sk_zero((OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline t2 *sk_##t1##_delete(STACK_OF(t1) *sk, int i) \
-    { \
-        return (t2 *)OPENSSL_sk_delete((OPENSSL_STACK *)sk, i); \
-    } \
-    static ossl_unused ossl_inline t2 *sk_##t1##_delete_ptr(STACK_OF(t1) *sk, t2 *ptr) \
-    { \
-        return (t2 *)OPENSSL_sk_delete_ptr((OPENSSL_STACK *)sk, \
-                                           (const void *)ptr); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_push(STACK_OF(t1) *sk, t2 *ptr) \
-    { \
-        return OPENSSL_sk_push((OPENSSL_STACK *)sk, (const void *)ptr); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_unshift(STACK_OF(t1) *sk, t2 *ptr) \
-    { \
-        return OPENSSL_sk_unshift((OPENSSL_STACK *)sk, (const void *)ptr); \
-    } \
-    static ossl_unused ossl_inline t2 *sk_##t1##_pop(STACK_OF(t1) *sk) \
-    { \
-        return (t2 *)OPENSSL_sk_pop((OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline t2 *sk_##t1##_shift(STACK_OF(t1) *sk) \
-    { \
-        return (t2 *)OPENSSL_sk_shift((OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline void sk_##t1##_pop_free(STACK_OF(t1) *sk, sk_##t1##_freefunc freefunc) \
-    { \
-        OPENSSL_sk_pop_free((OPENSSL_STACK *)sk, (OPENSSL_sk_freefunc)freefunc); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_insert(STACK_OF(t1) *sk, t2 *ptr, int idx) \
-    { \
-        return OPENSSL_sk_insert((OPENSSL_STACK *)sk, (const void *)ptr, idx); \
-    } \
-    static ossl_unused ossl_inline t2 *sk_##t1##_set(STACK_OF(t1) *sk, int idx, t2 *ptr) \
-    { \
-        return (t2 *)OPENSSL_sk_set((OPENSSL_STACK *)sk, idx, (const void *)ptr); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_find(STACK_OF(t1) *sk, t2 *ptr) \
-    { \
-        return OPENSSL_sk_find((OPENSSL_STACK *)sk, (const void *)ptr); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_find_ex(STACK_OF(t1) *sk, t2 *ptr) \
-    { \
-        return OPENSSL_sk_find_ex((OPENSSL_STACK *)sk, (const void *)ptr); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_find_all(STACK_OF(t1) *sk, t2 *ptr, int *pnum) \
-    { \
-        return OPENSSL_sk_find_all((OPENSSL_STACK *)sk, (const void *)ptr, pnum); \
-    } \
-    static ossl_unused ossl_inline void sk_##t1##_sort(STACK_OF(t1) *sk) \
-    { \
-        OPENSSL_sk_sort((OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline int sk_##t1##_is_sorted(const STACK_OF(t1) *sk) \
-    { \
-        return OPENSSL_sk_is_sorted((const OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline STACK_OF(t1) * sk_##t1##_dup(const STACK_OF(t1) *sk) \
-    { \
-        return (STACK_OF(t1) *)OPENSSL_sk_dup((const OPENSSL_STACK *)sk); \
-    } \
-    static ossl_unused ossl_inline STACK_OF(t1) *sk_##t1##_deep_copy(const STACK_OF(t1) *sk, \
-                                                    sk_##t1##_copyfunc copyfunc, \
-                                                    sk_##t1##_freefunc freefunc) \
-    { \
-        return (STACK_OF(t1) *)OPENSSL_sk_deep_copy((const OPENSSL_STACK *)sk, \
-                                            (OPENSSL_sk_copyfunc)copyfunc, \
-                                            (OPENSSL_sk_freefunc)freefunc); \
-    } \
-    static ossl_unused ossl_inline sk_##t1##_compfunc sk_##t1##_set_cmp_func(STACK_OF(t1) *sk, sk_##t1##_compfunc compare) \
-    { \
-        return (sk_##t1##_compfunc)OPENSSL_sk_set_cmp_func((OPENSSL_STACK *)sk, (OPENSSL_sk_compfunc)compare); \
-    }
-
-# define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t)
-# define DEFINE_STACK_OF_CONST(t) SKM_DEFINE_STACK_OF(t, const t, t)
-# define DEFINE_SPECIAL_STACK_OF(t1, t2) SKM_DEFINE_STACK_OF(t1, t2, t2)
-# define DEFINE_SPECIAL_STACK_OF_CONST(t1, t2) \
-            SKM_DEFINE_STACK_OF(t1, const t2, t2)
-
-/*-
- * Strings are special: normally an lhash entry will point to a single
- * (somewhat) mutable object. In the case of strings:
- *
- * a) Instead of a single char, there is an array of chars, NUL-terminated.
- * b) The string may have be immutable.
- *
- * So, they need their own declarations. Especially important for
- * type-checking tools, such as Deputy.
- *
- * In practice, however, it appears to be hard to have a const
- * string. For now, I'm settling for dealing with the fact it is a
- * string at all.
- */
-typedef char *OPENSSL_STRING;
-typedef const char *OPENSSL_CSTRING;
-
-/*-
- * Confusingly, LHASH_OF(STRING) deals with char ** throughout, but
- * STACK_OF(STRING) is really more like STACK_OF(char), only, as mentioned
- * above, instead of a single char each entry is a NUL-terminated array of
- * chars. So, we have to implement STRING specially for STACK_OF. This is
- * dealt with in the autogenerated macros below.
- */
-{-
-    generate_stack_string_macros()
-    .generate_stack_const_string_macros();
--}
-
-#if !defined(OPENSSL_NO_DEPRECATED_3_0)
-/*
- * This is not used by OpenSSL.  A block of bytes,  NOT nul-terminated.
- * These should also be distinguished from "normal" stacks.
- */
-typedef void *OPENSSL_BLOCK;
-{-
-    generate_stack_block_macros();
--}
-#endif
-
-# ifdef  __cplusplus
-}
-# endif
-#endif

+ 0 - 214
libs/openssl/include/crypto/srp.h.in

@@ -1,214 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2004, EdelKey Project. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- *
- * Originally written by Christophe Renou and Peter Sylvester,
- * for the EdelKey project.
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_SRP_H
-# define OPENSSL_SRP_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_SRP_H
-# endif
-
-#include <openssl/opensslconf.h>
-
-#ifndef OPENSSL_NO_SRP
-# include <stdio.h>
-# include <string.h>
-# include <openssl/safestack.h>
-# include <openssl/bn.h>
-# include <openssl/crypto.h>
-
-# ifdef  __cplusplus
-extern "C" {
-# endif
-
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-
-typedef struct SRP_gN_cache_st {
-    char *b64_bn;
-    BIGNUM *bn;
-} SRP_gN_cache;
-{-
-    generate_stack_macros("SRP_gN_cache");
--}
-
-
-typedef struct SRP_user_pwd_st {
-    /* Owned by us. */
-    char *id;
-    BIGNUM *s;
-    BIGNUM *v;
-    /* Not owned by us. */
-    const BIGNUM *g;
-    const BIGNUM *N;
-    /* Owned by us. */
-    char *info;
-} SRP_user_pwd;
-{-
-    generate_stack_macros("SRP_user_pwd");
--}
-
-OSSL_DEPRECATEDIN_3_0
-SRP_user_pwd *SRP_user_pwd_new(void);
-OSSL_DEPRECATEDIN_3_0
-void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
-
-OSSL_DEPRECATEDIN_3_0
-void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g,
-                         const BIGNUM *N);
-OSSL_DEPRECATEDIN_3_0
-int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id,
-                          const char *info);
-OSSL_DEPRECATEDIN_3_0
-int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v);
-
-typedef struct SRP_VBASE_st {
-    STACK_OF(SRP_user_pwd) *users_pwd;
-    STACK_OF(SRP_gN_cache) *gN_cache;
-/* to simulate a user */
-    char *seed_key;
-    const BIGNUM *default_g;
-    const BIGNUM *default_N;
-} SRP_VBASE;
-
-/*
- * Internal structure storing N and g pair
- */
-typedef struct SRP_gN_st {
-    char *id;
-    const BIGNUM *g;
-    const BIGNUM *N;
-} SRP_gN;
-{-
-    generate_stack_macros("SRP_gN");
--}
-
-
-OSSL_DEPRECATEDIN_3_0
-SRP_VBASE *SRP_VBASE_new(char *seed_key);
-OSSL_DEPRECATEDIN_3_0
-void SRP_VBASE_free(SRP_VBASE *vb);
-OSSL_DEPRECATEDIN_3_0
-int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
-
-OSSL_DEPRECATEDIN_3_0
-int SRP_VBASE_add0_user(SRP_VBASE *vb, SRP_user_pwd *user_pwd);
-
-/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
-OSSL_DEPRECATEDIN_3_0
-SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
-
-OSSL_DEPRECATEDIN_3_0
-char *SRP_create_verifier_ex(const char *user, const char *pass, char **salt,
-                             char **verifier, const char *N, const char *g,
-                             OSSL_LIB_CTX *libctx, const char *propq);
-OSSL_DEPRECATEDIN_3_0
-char *SRP_create_verifier(const char *user, const char *pass, char **salt,
-                          char **verifier, const char *N, const char *g);
-OSSL_DEPRECATEDIN_3_0
-int SRP_create_verifier_BN_ex(const char *user, const char *pass, BIGNUM **salt,
-                              BIGNUM **verifier, const BIGNUM *N,
-                              const BIGNUM *g, OSSL_LIB_CTX *libctx,
-                              const char *propq);
-OSSL_DEPRECATEDIN_3_0
-int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
-                           BIGNUM **verifier, const BIGNUM *N,
-                           const BIGNUM *g);
-
-#  define SRP_NO_ERROR 0
-#  define SRP_ERR_VBASE_INCOMPLETE_FILE 1
-#  define SRP_ERR_VBASE_BN_LIB 2
-#  define SRP_ERR_OPEN_FILE 3
-#  define SRP_ERR_MEMORY 4
-
-#  define DB_srptype      0
-#  define DB_srpverifier  1
-#  define DB_srpsalt      2
-#  define DB_srpid        3
-#  define DB_srpgN        4
-#  define DB_srpinfo      5
-#  undef  DB_NUMBER
-#  define DB_NUMBER       6
-
-#  define DB_SRP_INDEX    'I'
-#  define DB_SRP_VALID    'V'
-#  define DB_SRP_REVOKED  'R'
-#  define DB_SRP_MODIF    'v'
-
-/* see srp.c */
-OSSL_DEPRECATEDIN_3_0
-char *SRP_check_known_gN_param(const BIGNUM *g, const BIGNUM *N);
-OSSL_DEPRECATEDIN_3_0
-SRP_gN *SRP_get_default_gN(const char *id);
-
-/* server side .... */
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_server_key(const BIGNUM *A, const BIGNUM *v, const BIGNUM *u,
-                            const BIGNUM *b, const BIGNUM *N);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_B_ex(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g,
-                      const BIGNUM *v, OSSL_LIB_CTX *libctx, const char *propq);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_B(const BIGNUM *b, const BIGNUM *N, const BIGNUM *g,
-                   const BIGNUM *v);
-
-OSSL_DEPRECATEDIN_3_0
-int SRP_Verify_A_mod_N(const BIGNUM *A, const BIGNUM *N);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_u_ex(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N,
-                      OSSL_LIB_CTX *libctx, const char *propq);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_u(const BIGNUM *A, const BIGNUM *B, const BIGNUM *N);
-
-/* client side .... */
-
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_x_ex(const BIGNUM *s, const char *user, const char *pass,
-                      OSSL_LIB_CTX *libctx, const char *propq);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_x(const BIGNUM *s, const char *user, const char *pass);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_A(const BIGNUM *a, const BIGNUM *N, const BIGNUM *g);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_client_key_ex(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g,
-                            const BIGNUM *x, const BIGNUM *a, const BIGNUM *u,
-                            OSSL_LIB_CTX *libctx, const char *propq);
-OSSL_DEPRECATEDIN_3_0
-BIGNUM *SRP_Calc_client_key(const BIGNUM *N, const BIGNUM *B, const BIGNUM *g,
-                            const BIGNUM *x, const BIGNUM *a, const BIGNUM *u);
-OSSL_DEPRECATEDIN_3_0
-int SRP_Verify_B_mod_N(const BIGNUM *B, const BIGNUM *N);
-
-#  define SRP_MINIMAL_N 1024
-
-# endif /* OPENSSL_NO_DEPRECATED_3_0 */
-
-/* This method ignores the configured seed and fails for an unknown user. */
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0
-SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
-# endif
-
-# ifdef  __cplusplus
-}
-# endif
-# endif
-
-#endif

+ 0 - 2530
libs/openssl/include/crypto/ssl.h.in

@@ -1,2530 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
- * Copyright 2005 Nokia. All rights reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros generate_const_stack_macros);
--}
-
-#ifndef OPENSSL_SSL_H
-# define OPENSSL_SSL_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_SSL_H
-# endif
-
-# include <openssl/e_os2.h>
-# include <openssl/opensslconf.h>
-# include <openssl/comp.h>
-# include <openssl/bio.h>
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  include <openssl/x509.h>
-#  include <openssl/crypto.h>
-#  include <openssl/buffer.h>
-# endif
-# include <openssl/lhash.h>
-# include <openssl/pem.h>
-# include <openssl/hmac.h>
-# include <openssl/async.h>
-
-# include <openssl/safestack.h>
-# include <openssl/symhacks.h>
-# include <openssl/ct.h>
-# include <openssl/sslerr.h>
-# include <openssl/prov_ssl.h>
-# ifndef OPENSSL_NO_STDIO
-#  include <stdio.h>
-# endif
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/* OpenSSL version number for ASN.1 encoding of the session information */
-/*-
- * Version 0 - initial version
- * Version 1 - added the optional peer certificate
- */
-# define SSL_SESSION_ASN1_VERSION 0x0001
-
-# define SSL_MAX_SSL_SESSION_ID_LENGTH           32
-# define SSL_MAX_SID_CTX_LENGTH                  32
-
-# define SSL_MIN_RSA_MODULUS_LENGTH_IN_BYTES     (512/8)
-# define SSL_MAX_KEY_ARG_LENGTH                  8
-/* SSL_MAX_MASTER_KEY_LENGTH is defined in prov_ssl.h */
-
-/* The maximum number of encrypt/decrypt pipelines we can support */
-# define SSL_MAX_PIPELINES  32
-
-/* text strings for the ciphers */
-
-/* These are used to specify which ciphers to use and not to use */
-
-# define SSL_TXT_LOW             "LOW"
-# define SSL_TXT_MEDIUM          "MEDIUM"
-# define SSL_TXT_HIGH            "HIGH"
-# define SSL_TXT_FIPS            "FIPS"
-
-# define SSL_TXT_aNULL           "aNULL"
-# define SSL_TXT_eNULL           "eNULL"
-# define SSL_TXT_NULL            "NULL"
-
-# define SSL_TXT_kRSA            "kRSA"
-# define SSL_TXT_kDHr            "kDHr"/* this cipher class has been removed */
-# define SSL_TXT_kDHd            "kDHd"/* this cipher class has been removed */
-# define SSL_TXT_kDH             "kDH"/* this cipher class has been removed */
-# define SSL_TXT_kEDH            "kEDH"/* alias for kDHE */
-# define SSL_TXT_kDHE            "kDHE"
-# define SSL_TXT_kECDHr          "kECDHr"/* this cipher class has been removed */
-# define SSL_TXT_kECDHe          "kECDHe"/* this cipher class has been removed */
-# define SSL_TXT_kECDH           "kECDH"/* this cipher class has been removed */
-# define SSL_TXT_kEECDH          "kEECDH"/* alias for kECDHE */
-# define SSL_TXT_kECDHE          "kECDHE"
-# define SSL_TXT_kPSK            "kPSK"
-# define SSL_TXT_kRSAPSK         "kRSAPSK"
-# define SSL_TXT_kECDHEPSK       "kECDHEPSK"
-# define SSL_TXT_kDHEPSK         "kDHEPSK"
-# define SSL_TXT_kGOST           "kGOST"
-# define SSL_TXT_kGOST18         "kGOST18"
-# define SSL_TXT_kSRP            "kSRP"
-
-# define SSL_TXT_aRSA            "aRSA"
-# define SSL_TXT_aDSS            "aDSS"
-# define SSL_TXT_aDH             "aDH"/* this cipher class has been removed */
-# define SSL_TXT_aECDH           "aECDH"/* this cipher class has been removed */
-# define SSL_TXT_aECDSA          "aECDSA"
-# define SSL_TXT_aPSK            "aPSK"
-# define SSL_TXT_aGOST94         "aGOST94"
-# define SSL_TXT_aGOST01         "aGOST01"
-# define SSL_TXT_aGOST12         "aGOST12"
-# define SSL_TXT_aGOST           "aGOST"
-# define SSL_TXT_aSRP            "aSRP"
-
-# define SSL_TXT_DSS             "DSS"
-# define SSL_TXT_DH              "DH"
-# define SSL_TXT_DHE             "DHE"/* same as "kDHE:-ADH" */
-# define SSL_TXT_EDH             "EDH"/* alias for DHE */
-# define SSL_TXT_ADH             "ADH"
-# define SSL_TXT_RSA             "RSA"
-# define SSL_TXT_ECDH            "ECDH"
-# define SSL_TXT_EECDH           "EECDH"/* alias for ECDHE" */
-# define SSL_TXT_ECDHE           "ECDHE"/* same as "kECDHE:-AECDH" */
-# define SSL_TXT_AECDH           "AECDH"
-# define SSL_TXT_ECDSA           "ECDSA"
-# define SSL_TXT_PSK             "PSK"
-# define SSL_TXT_SRP             "SRP"
-
-# define SSL_TXT_DES             "DES"
-# define SSL_TXT_3DES            "3DES"
-# define SSL_TXT_RC4             "RC4"
-# define SSL_TXT_RC2             "RC2"
-# define SSL_TXT_IDEA            "IDEA"
-# define SSL_TXT_SEED            "SEED"
-# define SSL_TXT_AES128          "AES128"
-# define SSL_TXT_AES256          "AES256"
-# define SSL_TXT_AES             "AES"
-# define SSL_TXT_AES_GCM         "AESGCM"
-# define SSL_TXT_AES_CCM         "AESCCM"
-# define SSL_TXT_AES_CCM_8       "AESCCM8"
-# define SSL_TXT_CAMELLIA128     "CAMELLIA128"
-# define SSL_TXT_CAMELLIA256     "CAMELLIA256"
-# define SSL_TXT_CAMELLIA        "CAMELLIA"
-# define SSL_TXT_CHACHA20        "CHACHA20"
-# define SSL_TXT_GOST            "GOST89"
-# define SSL_TXT_ARIA            "ARIA"
-# define SSL_TXT_ARIA_GCM        "ARIAGCM"
-# define SSL_TXT_ARIA128         "ARIA128"
-# define SSL_TXT_ARIA256         "ARIA256"
-# define SSL_TXT_GOST2012_GOST8912_GOST8912 "GOST2012-GOST8912-GOST8912"
-# define SSL_TXT_CBC             "CBC"
-
-# define SSL_TXT_MD5             "MD5"
-# define SSL_TXT_SHA1            "SHA1"
-# define SSL_TXT_SHA             "SHA"/* same as "SHA1" */
-# define SSL_TXT_GOST94          "GOST94"
-# define SSL_TXT_GOST89MAC       "GOST89MAC"
-# define SSL_TXT_GOST12          "GOST12"
-# define SSL_TXT_GOST89MAC12     "GOST89MAC12"
-# define SSL_TXT_SHA256          "SHA256"
-# define SSL_TXT_SHA384          "SHA384"
-
-# define SSL_TXT_SSLV3           "SSLv3"
-# define SSL_TXT_TLSV1           "TLSv1"
-# define SSL_TXT_TLSV1_1         "TLSv1.1"
-# define SSL_TXT_TLSV1_2         "TLSv1.2"
-
-# define SSL_TXT_ALL             "ALL"
-
-/*-
- * COMPLEMENTOF* definitions. These identifiers are used to (de-select)
- * ciphers normally not being used.
- * Example: "RC4" will activate all ciphers using RC4 including ciphers
- * without authentication, which would normally disabled by DEFAULT (due
- * the "!ADH" being part of default). Therefore "RC4:!COMPLEMENTOFDEFAULT"
- * will make sure that it is also disabled in the specific selection.
- * COMPLEMENTOF* identifiers are portable between version, as adjustments
- * to the default cipher setup will also be included here.
- *
- * COMPLEMENTOFDEFAULT does not experience the same special treatment that
- * DEFAULT gets, as only selection is being done and no sorting as needed
- * for DEFAULT.
- */
-# define SSL_TXT_CMPALL          "COMPLEMENTOFALL"
-# define SSL_TXT_CMPDEF          "COMPLEMENTOFDEFAULT"
-
-/*
- * The following cipher list is used by default. It also is substituted when
- * an application-defined cipher list string starts with 'DEFAULT'.
- * This applies to ciphersuites for TLSv1.2 and below.
- * DEPRECATED IN 3.0.0, in favor of OSSL_default_cipher_list()
- * Update both macro and function simultaneously
- */
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
-/*
- * This is the default set of TLSv1.3 ciphersuites
- * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites()
- * Update both macro and function simultaneously
- */
-#  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
-                                   "TLS_CHACHA20_POLY1305_SHA256:" \
-                                   "TLS_AES_128_GCM_SHA256"
-# endif
-/*
- * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
- * throwing out anonymous and unencrypted ciphersuites! (The latter are not
- * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
- */
-
-/* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
-# define SSL_SENT_SHUTDOWN       1
-# define SSL_RECEIVED_SHUTDOWN   2
-
-#ifdef __cplusplus
-}
-#endif
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-# define SSL_FILETYPE_ASN1       X509_FILETYPE_ASN1
-# define SSL_FILETYPE_PEM        X509_FILETYPE_PEM
-
-/*
- * This is needed to stop compilers complaining about the 'struct ssl_st *'
- * function parameters used to prototype callbacks in SSL_CTX.
- */
-typedef struct ssl_st *ssl_crock_st;
-typedef struct tls_session_ticket_ext_st TLS_SESSION_TICKET_EXT;
-typedef struct ssl_method_st SSL_METHOD;
-typedef struct ssl_cipher_st SSL_CIPHER;
-typedef struct ssl_session_st SSL_SESSION;
-typedef struct tls_sigalgs_st TLS_SIGALGS;
-typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
-typedef struct ssl_comp_st SSL_COMP;
-
-STACK_OF(SSL_CIPHER);
-STACK_OF(SSL_COMP);
-
-/* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
-typedef struct srtp_protection_profile_st {
-    const char *name;
-    unsigned long id;
-} SRTP_PROTECTION_PROFILE;
-{-
-    generate_stack_macros("SRTP_PROTECTION_PROFILE");
--}
-
-
-typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
-                                            int len, void *arg);
-typedef int (*tls_session_secret_cb_fn)(SSL *s, void *secret, int *secret_len,
-                                        STACK_OF(SSL_CIPHER) *peer_ciphers,
-                                        const SSL_CIPHER **cipher, void *arg);
-
-/* Extension context codes */
-/* This extension is only allowed in TLS */
-#define SSL_EXT_TLS_ONLY                        0x0001
-/* This extension is only allowed in DTLS */
-#define SSL_EXT_DTLS_ONLY                       0x0002
-/* Some extensions may be allowed in DTLS but we don't implement them for it */
-#define SSL_EXT_TLS_IMPLEMENTATION_ONLY         0x0004
-/* Most extensions are not defined for SSLv3 but EXT_TYPE_renegotiate is */
-#define SSL_EXT_SSL3_ALLOWED                    0x0008
-/* Extension is only defined for TLS1.2 and below */
-#define SSL_EXT_TLS1_2_AND_BELOW_ONLY           0x0010
-/* Extension is only defined for TLS1.3 and above */
-#define SSL_EXT_TLS1_3_ONLY                     0x0020
-/* Ignore this extension during parsing if we are resuming */
-#define SSL_EXT_IGNORE_ON_RESUMPTION            0x0040
-#define SSL_EXT_CLIENT_HELLO                    0x0080
-/* Really means TLS1.2 or below */
-#define SSL_EXT_TLS1_2_SERVER_HELLO             0x0100
-#define SSL_EXT_TLS1_3_SERVER_HELLO             0x0200
-#define SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS     0x0400
-#define SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST      0x0800
-#define SSL_EXT_TLS1_3_CERTIFICATE              0x1000
-#define SSL_EXT_TLS1_3_NEW_SESSION_TICKET       0x2000
-#define SSL_EXT_TLS1_3_CERTIFICATE_REQUEST      0x4000
-
-/* Typedefs for handling custom extensions */
-
-typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type,
-                                 const unsigned char **out, size_t *outlen,
-                                 int *al, void *add_arg);
-
-typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type,
-                                   const unsigned char *out, void *add_arg);
-
-typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type,
-                                   const unsigned char *in, size_t inlen,
-                                   int *al, void *parse_arg);
-
-
-typedef int (*SSL_custom_ext_add_cb_ex)(SSL *s, unsigned int ext_type,
-                                        unsigned int context,
-                                        const unsigned char **out,
-                                        size_t *outlen, X509 *x,
-                                        size_t chainidx,
-                                        int *al, void *add_arg);
-
-typedef void (*SSL_custom_ext_free_cb_ex)(SSL *s, unsigned int ext_type,
-                                          unsigned int context,
-                                          const unsigned char *out,
-                                          void *add_arg);
-
-typedef int (*SSL_custom_ext_parse_cb_ex)(SSL *s, unsigned int ext_type,
-                                          unsigned int context,
-                                          const unsigned char *in,
-                                          size_t inlen, X509 *x,
-                                          size_t chainidx,
-                                          int *al, void *parse_arg);
-
-/* Typedef for verification callback */
-typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx);
-
-/* Typedef for SSL async callback */
-typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
-
-#define SSL_OP_BIT(n)  ((uint64_t)1 << (uint64_t)n)
-
-/*
- * SSL/TLS connection options.
- */
-    /* Disable Extended master secret */
-# define SSL_OP_NO_EXTENDED_MASTER_SECRET                SSL_OP_BIT(0)
-    /* Cleanse plaintext copies of data delivered to the application */
-# define SSL_OP_CLEANSE_PLAINTEXT                        SSL_OP_BIT(1)
-    /* Allow initial connection to servers that don't support RI */
-# define SSL_OP_LEGACY_SERVER_CONNECT                    SSL_OP_BIT(2)
-    /* Enable support for Kernel TLS */
-# define SSL_OP_ENABLE_KTLS                              SSL_OP_BIT(3)
-# define SSL_OP_TLSEXT_PADDING                           SSL_OP_BIT(4)
-# define SSL_OP_SAFARI_ECDHE_ECDSA_BUG                   SSL_OP_BIT(6)
-# define SSL_OP_IGNORE_UNEXPECTED_EOF                    SSL_OP_BIT(7)
-# define SSL_OP_ALLOW_CLIENT_RENEGOTIATION               SSL_OP_BIT(8)
-# define SSL_OP_DISABLE_TLSEXT_CA_NAMES                  SSL_OP_BIT(9)
-    /* In TLSv1.3 allow a non-(ec)dhe based kex_mode */
-# define SSL_OP_ALLOW_NO_DHE_KEX                         SSL_OP_BIT(10)
-    /*
-     * Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
-     * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
-     * the workaround is not needed.  Unfortunately some broken SSL/TLS
-     * implementations cannot handle it at all, which is why we include it
-     * in SSL_OP_ALL. Added in 0.9.6e
-     */
-# define SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS              SSL_OP_BIT(11)
-    /* DTLS options */
-# define SSL_OP_NO_QUERY_MTU                             SSL_OP_BIT(12)
-    /* Turn on Cookie Exchange (on relevant for servers) */
-# define SSL_OP_COOKIE_EXCHANGE                          SSL_OP_BIT(13)
-    /* Don't use RFC4507 ticket extension */
-# define SSL_OP_NO_TICKET                                SSL_OP_BIT(14)
-# ifndef OPENSSL_NO_DTLS1_METHOD
-    /*
-     * Use Cisco's version identifier of DTLS_BAD_VER
-     * (only with deprecated DTLSv1_client_method())
-     */
-#  define SSL_OP_CISCO_ANYCONNECT                        SSL_OP_BIT(15)
-# endif
-    /* As server, disallow session resumption on renegotiation */
-# define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION   SSL_OP_BIT(16)
-    /* Don't use compression even if supported */
-# define SSL_OP_NO_COMPRESSION                           SSL_OP_BIT(17)
-    /* Permit unsafe legacy renegotiation */
-# define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        SSL_OP_BIT(18)
-    /* Disable encrypt-then-mac */
-# define SSL_OP_NO_ENCRYPT_THEN_MAC                      SSL_OP_BIT(19)
-    /*
-     * Enable TLSv1.3 Compatibility mode. This is on by default. A future
-     * version of OpenSSL may have this disabled by default.
-     */
-# define SSL_OP_ENABLE_MIDDLEBOX_COMPAT                  SSL_OP_BIT(20)
-    /*
-     * Prioritize Chacha20Poly1305 when client does.
-     * Modifies SSL_OP_CIPHER_SERVER_PREFERENCE
-     */
-# define SSL_OP_PRIORITIZE_CHACHA                        SSL_OP_BIT(21)
-    /*
-     * Set on servers to choose the cipher according to server's preferences.
-     */
-# define SSL_OP_CIPHER_SERVER_PREFERENCE                 SSL_OP_BIT(22)
-    /*
-     * If set, a server will allow a client to issue a SSLv3.0 version
-     * number as latest version supported in the premaster secret, even when
-     * TLSv1.0 (version 3.1) was announced in the client hello. Normally
-     * this is forbidden to prevent version rollback attacks.
-     */
-# define SSL_OP_TLS_ROLLBACK_BUG                         SSL_OP_BIT(23)
-    /*
-     * Switches off automatic TLSv1.3 anti-replay protection for early data.
-     * This is a server-side option only (no effect on the client).
-     */
-# define SSL_OP_NO_ANTI_REPLAY                           SSL_OP_BIT(24)
-# define SSL_OP_NO_SSLv3                                 SSL_OP_BIT(25)
-# define SSL_OP_NO_TLSv1                                 SSL_OP_BIT(26)
-# define SSL_OP_NO_TLSv1_2                               SSL_OP_BIT(27)
-# define SSL_OP_NO_TLSv1_1                               SSL_OP_BIT(28)
-# define SSL_OP_NO_TLSv1_3                               SSL_OP_BIT(29)
-# define SSL_OP_NO_DTLSv1                                SSL_OP_BIT(26)
-# define SSL_OP_NO_DTLSv1_2                              SSL_OP_BIT(27)
-    /* Disallow all renegotiation */
-# define SSL_OP_NO_RENEGOTIATION                         SSL_OP_BIT(30)
-    /*
-     * Make server add server-hello extension from early version of
-     * cryptopro draft, when GOST ciphersuite is negotiated. Required for
-     * interoperability with CryptoPro CSP 3.x
-     */
-# define SSL_OP_CRYPTOPRO_TLSEXT_BUG                     SSL_OP_BIT(31)
-
-/*
- * Option "collections."
- */
-# define SSL_OP_NO_SSL_MASK \
-        ( SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 \
-          | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 )
-# define SSL_OP_NO_DTLS_MASK \
-        ( SSL_OP_NO_DTLSv1 | SSL_OP_NO_DTLSv1_2 )
-
-/* Various bug workarounds that should be rather harmless. */
-# define SSL_OP_ALL \
-        ( SSL_OP_CRYPTOPRO_TLSEXT_BUG | SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS \
-          | SSL_OP_TLSEXT_PADDING | SSL_OP_SAFARI_ECDHE_ECDSA_BUG )
-
-/*
- * OBSOLETE OPTIONS retained for compatibility
- */
-
-# define SSL_OP_MICROSOFT_SESS_ID_BUG                    0x0
-# define SSL_OP_NETSCAPE_CHALLENGE_BUG                   0x0
-# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG         0x0
-# define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG              0x0
-# define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER               0x0
-# define SSL_OP_MSIE_SSLV2_RSA_PADDING                   0x0
-# define SSL_OP_SSLEAY_080_CLIENT_DH_BUG                 0x0
-# define SSL_OP_TLS_D5_BUG                               0x0
-# define SSL_OP_TLS_BLOCK_PADDING_BUG                    0x0
-# define SSL_OP_SINGLE_ECDH_USE                          0x0
-# define SSL_OP_SINGLE_DH_USE                            0x0
-# define SSL_OP_EPHEMERAL_RSA                            0x0
-# define SSL_OP_NO_SSLv2                                 0x0
-# define SSL_OP_PKCS1_CHECK_1                            0x0
-# define SSL_OP_PKCS1_CHECK_2                            0x0
-# define SSL_OP_NETSCAPE_CA_DN_BUG                       0x0
-# define SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG          0x0
-
-/*
- * Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success
- * when just a single record has been written):
- */
-# define SSL_MODE_ENABLE_PARTIAL_WRITE       0x00000001U
-/*
- * Make it possible to retry SSL_write() with changed buffer location (buffer
- * contents must stay the same!); this is not the default to avoid the
- * misconception that non-blocking SSL_write() behaves like non-blocking
- * write():
- */
-# define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002U
-/*
- * Never bother the application with retries if the transport is blocking:
- */
-# define SSL_MODE_AUTO_RETRY 0x00000004U
-/* Don't attempt to automatically build certificate chain */
-# define SSL_MODE_NO_AUTO_CHAIN 0x00000008U
-/*
- * Save RAM by releasing read and write buffers when they're empty. (SSL3 and
- * TLS only.) Released buffers are freed.
- */
-# define SSL_MODE_RELEASE_BUFFERS 0x00000010U
-/*
- * Send the current time in the Random fields of the ClientHello and
- * ServerHello records for compatibility with hypothetical implementations
- * that require it.
- */
-# define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020U
-# define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040U
-/*
- * Send TLS_FALLBACK_SCSV in the ClientHello. To be set only by applications
- * that reconnect with a downgraded protocol version; see
- * draft-ietf-tls-downgrade-scsv-00 for details. DO NOT ENABLE THIS if your
- * application attempts a normal handshake. Only use this in explicit
- * fallback retries, following the guidance in
- * draft-ietf-tls-downgrade-scsv-00.
- */
-# define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080U
-/*
- * Support Asynchronous operation
- */
-# define SSL_MODE_ASYNC 0x00000100U
-
-/*
- * When using DTLS/SCTP, include the terminating zero in the label
- * used for computing the endpoint-pair shared secret. Required for
- * interoperability with implementations having this bug like these
- * older version of OpenSSL:
- * - OpenSSL 1.0.0 series
- * - OpenSSL 1.0.1 series
- * - OpenSSL 1.0.2 series
- * - OpenSSL 1.1.0 series
- * - OpenSSL 1.1.1 and 1.1.1a
- */
-# define SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG 0x00000400U
-
-/* Cert related flags */
-/*
- * Many implementations ignore some aspects of the TLS standards such as
- * enforcing certificate chain algorithms. When this is set we enforce them.
- */
-# define SSL_CERT_FLAG_TLS_STRICT                0x00000001U
-
-/* Suite B modes, takes same values as certificate verify flags */
-# define SSL_CERT_FLAG_SUITEB_128_LOS_ONLY       0x10000
-/* Suite B 192 bit only mode */
-# define SSL_CERT_FLAG_SUITEB_192_LOS            0x20000
-/* Suite B 128 bit mode allowing 192 bit algorithms */
-# define SSL_CERT_FLAG_SUITEB_128_LOS            0x30000
-
-/* Perform all sorts of protocol violations for testing purposes */
-# define SSL_CERT_FLAG_BROKEN_PROTOCOL           0x10000000
-
-/* Flags for building certificate chains */
-/* Treat any existing certificates as untrusted CAs */
-# define SSL_BUILD_CHAIN_FLAG_UNTRUSTED          0x1
-/* Don't include root CA in chain */
-# define SSL_BUILD_CHAIN_FLAG_NO_ROOT            0x2
-/* Just check certificates already there */
-# define SSL_BUILD_CHAIN_FLAG_CHECK              0x4
-/* Ignore verification errors */
-# define SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR       0x8
-/* Clear verification errors from queue */
-# define SSL_BUILD_CHAIN_FLAG_CLEAR_ERROR        0x10
-
-/* Flags returned by SSL_check_chain */
-/* Certificate can be used with this session */
-# define CERT_PKEY_VALID         0x1
-/* Certificate can also be used for signing */
-# define CERT_PKEY_SIGN          0x2
-/* EE certificate signing algorithm OK */
-# define CERT_PKEY_EE_SIGNATURE  0x10
-/* CA signature algorithms OK */
-# define CERT_PKEY_CA_SIGNATURE  0x20
-/* EE certificate parameters OK */
-# define CERT_PKEY_EE_PARAM      0x40
-/* CA certificate parameters OK */
-# define CERT_PKEY_CA_PARAM      0x80
-/* Signing explicitly allowed as opposed to SHA1 fallback */
-# define CERT_PKEY_EXPLICIT_SIGN 0x100
-/* Client CA issuer names match (always set for server cert) */
-# define CERT_PKEY_ISSUER_NAME   0x200
-/* Cert type matches client types (always set for server cert) */
-# define CERT_PKEY_CERT_TYPE     0x400
-/* Cert chain suitable to Suite B */
-# define CERT_PKEY_SUITEB        0x800
-
-# define SSL_CONF_FLAG_CMDLINE           0x1
-# define SSL_CONF_FLAG_FILE              0x2
-# define SSL_CONF_FLAG_CLIENT            0x4
-# define SSL_CONF_FLAG_SERVER            0x8
-# define SSL_CONF_FLAG_SHOW_ERRORS       0x10
-# define SSL_CONF_FLAG_CERTIFICATE       0x20
-# define SSL_CONF_FLAG_REQUIRE_PRIVATE   0x40
-/* Configuration value types */
-# define SSL_CONF_TYPE_UNKNOWN           0x0
-# define SSL_CONF_TYPE_STRING            0x1
-# define SSL_CONF_TYPE_FILE              0x2
-# define SSL_CONF_TYPE_DIR               0x3
-# define SSL_CONF_TYPE_NONE              0x4
-# define SSL_CONF_TYPE_STORE             0x5
-
-/* Maximum length of the application-controlled segment of a a TLSv1.3 cookie */
-# define SSL_COOKIE_LENGTH                       4096
-
-/*
- * Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, they
- * cannot be used to clear bits.
- */
-
-uint64_t SSL_CTX_get_options(const SSL_CTX *ctx);
-uint64_t SSL_get_options(const SSL *s);
-uint64_t SSL_CTX_clear_options(SSL_CTX *ctx, uint64_t op);
-uint64_t SSL_clear_options(SSL *s, uint64_t op);
-uint64_t SSL_CTX_set_options(SSL_CTX *ctx, uint64_t op);
-uint64_t SSL_set_options(SSL *s, uint64_t op);
-
-# define SSL_CTX_set_mode(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
-# define SSL_CTX_clear_mode(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_MODE,(op),NULL)
-# define SSL_CTX_get_mode(ctx) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,0,NULL)
-# define SSL_clear_mode(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_CLEAR_MODE,(op),NULL)
-# define SSL_set_mode(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_MODE,(op),NULL)
-# define SSL_get_mode(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_MODE,0,NULL)
-# define SSL_set_mtu(ssl, mtu) \
-        SSL_ctrl((ssl),SSL_CTRL_SET_MTU,(mtu),NULL)
-# define DTLS_set_link_mtu(ssl, mtu) \
-        SSL_ctrl((ssl),DTLS_CTRL_SET_LINK_MTU,(mtu),NULL)
-# define DTLS_get_link_min_mtu(ssl) \
-        SSL_ctrl((ssl),DTLS_CTRL_GET_LINK_MIN_MTU,0,NULL)
-
-# define SSL_get_secure_renegotiation_support(ssl) \
-        SSL_ctrl((ssl), SSL_CTRL_GET_RI_SUPPORT, 0, NULL)
-
-# define SSL_CTX_set_cert_flags(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_CERT_FLAGS,(op),NULL)
-# define SSL_set_cert_flags(s,op) \
-        SSL_ctrl((s),SSL_CTRL_CERT_FLAGS,(op),NULL)
-# define SSL_CTX_clear_cert_flags(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
-# define SSL_clear_cert_flags(s,op) \
-        SSL_ctrl((s),SSL_CTRL_CLEAR_CERT_FLAGS,(op),NULL)
-
-void SSL_CTX_set_msg_callback(SSL_CTX *ctx,
-                              void (*cb) (int write_p, int version,
-                                          int content_type, const void *buf,
-                                          size_t len, SSL *ssl, void *arg));
-void SSL_set_msg_callback(SSL *ssl,
-                          void (*cb) (int write_p, int version,
-                                      int content_type, const void *buf,
-                                      size_t len, SSL *ssl, void *arg));
-# define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-# define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
-
-# define SSL_get_extms_support(s) \
-        SSL_ctrl((s),SSL_CTRL_GET_EXTMS_SUPPORT,0,NULL)
-
-# ifndef OPENSSL_NO_SRP
-/* see tls_srp.c */
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0 __owur int SSL_SRP_CTX_init(SSL *s);
-OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
-OSSL_DEPRECATEDIN_3_0 int SSL_SRP_CTX_free(SSL *ctx);
-OSSL_DEPRECATEDIN_3_0 int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
-OSSL_DEPRECATEDIN_3_0 __owur int SSL_srp_server_param_with_username(SSL *s,
-                                                                    int *ad);
-OSSL_DEPRECATEDIN_3_0 __owur int SRP_Calc_A_param(SSL *s);
-#  endif
-# endif
-
-/* 100k max cert list */
-# define SSL_MAX_CERT_LIST_DEFAULT (1024*100)
-
-# define SSL_SESSION_CACHE_MAX_SIZE_DEFAULT      (1024*20)
-
-/*
- * This callback type is used inside SSL_CTX, SSL, and in the functions that
- * set them. It is used to override the generation of SSL/TLS session IDs in
- * a server. Return value should be zero on an error, non-zero to proceed.
- * Also, callbacks should themselves check if the id they generate is unique
- * otherwise the SSL handshake will fail with an error - callbacks can do
- * this using the 'ssl' value they're passed by;
- * SSL_has_matching_session_id(ssl, id, *id_len) The length value passed in
- * is set at the maximum size the session ID can be. In SSLv3/TLSv1 it is 32
- * bytes. The callback can alter this length to be less if desired. It is
- * also an error for the callback to set the size to zero.
- */
-typedef int (*GEN_SESSION_CB) (SSL *ssl, unsigned char *id,
-                               unsigned int *id_len);
-
-# define SSL_SESS_CACHE_OFF                      0x0000
-# define SSL_SESS_CACHE_CLIENT                   0x0001
-# define SSL_SESS_CACHE_SERVER                   0x0002
-# define SSL_SESS_CACHE_BOTH     (SSL_SESS_CACHE_CLIENT|SSL_SESS_CACHE_SERVER)
-# define SSL_SESS_CACHE_NO_AUTO_CLEAR            0x0080
-/* enough comments already ... see SSL_CTX_set_session_cache_mode(3) */
-# define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP       0x0100
-# define SSL_SESS_CACHE_NO_INTERNAL_STORE        0x0200
-# define SSL_SESS_CACHE_NO_INTERNAL \
-        (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP|SSL_SESS_CACHE_NO_INTERNAL_STORE)
-# define SSL_SESS_CACHE_UPDATE_TIME              0x0400
-
-LHASH_OF(SSL_SESSION) *SSL_CTX_sessions(SSL_CTX *ctx);
-# define SSL_CTX_sess_number(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_NUMBER,0,NULL)
-# define SSL_CTX_sess_connect(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT,0,NULL)
-# define SSL_CTX_sess_connect_good(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_GOOD,0,NULL)
-# define SSL_CTX_sess_connect_renegotiate(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CONNECT_RENEGOTIATE,0,NULL)
-# define SSL_CTX_sess_accept(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT,0,NULL)
-# define SSL_CTX_sess_accept_renegotiate(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_RENEGOTIATE,0,NULL)
-# define SSL_CTX_sess_accept_good(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_ACCEPT_GOOD,0,NULL)
-# define SSL_CTX_sess_hits(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_HIT,0,NULL)
-# define SSL_CTX_sess_cb_hits(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CB_HIT,0,NULL)
-# define SSL_CTX_sess_misses(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_MISSES,0,NULL)
-# define SSL_CTX_sess_timeouts(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_TIMEOUTS,0,NULL)
-# define SSL_CTX_sess_cache_full(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SESS_CACHE_FULL,0,NULL)
-
-void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
-                             int (*new_session_cb) (struct ssl_st *ssl,
-                                                    SSL_SESSION *sess));
-int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)) (struct ssl_st *ssl,
-                                              SSL_SESSION *sess);
-void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
-                                void (*remove_session_cb) (struct ssl_ctx_st
-                                                           *ctx,
-                                                           SSL_SESSION *sess));
-void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)) (struct ssl_ctx_st *ctx,
-                                                  SSL_SESSION *sess);
-void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
-                             SSL_SESSION *(*get_session_cb) (struct ssl_st
-                                                             *ssl,
-                                                             const unsigned char
-                                                             *data, int len,
-                                                             int *copy));
-SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx)) (struct ssl_st *ssl,
-                                                       const unsigned char *data,
-                                                       int len, int *copy);
-void SSL_CTX_set_info_callback(SSL_CTX *ctx,
-                               void (*cb) (const SSL *ssl, int type, int val));
-void (*SSL_CTX_get_info_callback(SSL_CTX *ctx)) (const SSL *ssl, int type,
-                                                 int val);
-void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
-                                int (*client_cert_cb) (SSL *ssl, X509 **x509,
-                                                       EVP_PKEY **pkey));
-int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx)) (SSL *ssl, X509 **x509,
-                                                 EVP_PKEY **pkey);
-# ifndef OPENSSL_NO_ENGINE
-__owur int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
-# endif
-void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
-                                    int (*app_gen_cookie_cb) (SSL *ssl,
-                                                              unsigned char
-                                                              *cookie,
-                                                              unsigned int
-                                                              *cookie_len));
-void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
-                                  int (*app_verify_cookie_cb) (SSL *ssl,
-                                                               const unsigned
-                                                               char *cookie,
-                                                               unsigned int
-                                                               cookie_len));
-
-void SSL_CTX_set_stateless_cookie_generate_cb(
-    SSL_CTX *ctx,
-    int (*gen_stateless_cookie_cb) (SSL *ssl,
-                                    unsigned char *cookie,
-                                    size_t *cookie_len));
-void SSL_CTX_set_stateless_cookie_verify_cb(
-    SSL_CTX *ctx,
-    int (*verify_stateless_cookie_cb) (SSL *ssl,
-                                       const unsigned char *cookie,
-                                       size_t cookie_len));
-# ifndef OPENSSL_NO_NEXTPROTONEG
-
-typedef int (*SSL_CTX_npn_advertised_cb_func)(SSL *ssl,
-                                              const unsigned char **out,
-                                              unsigned int *outlen,
-                                              void *arg);
-void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
-                                           SSL_CTX_npn_advertised_cb_func cb,
-                                           void *arg);
-#  define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb
-
-typedef int (*SSL_CTX_npn_select_cb_func)(SSL *s,
-                                          unsigned char **out,
-                                          unsigned char *outlen,
-                                          const unsigned char *in,
-                                          unsigned int inlen,
-                                          void *arg);
-void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
-                                      SSL_CTX_npn_select_cb_func cb,
-                                      void *arg);
-#  define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb
-
-void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
-                                    unsigned *len);
-#  define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated
-# endif
-
-__owur int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                                 const unsigned char *in, unsigned int inlen,
-                                 const unsigned char *client,
-                                 unsigned int client_len);
-
-# define OPENSSL_NPN_UNSUPPORTED 0
-# define OPENSSL_NPN_NEGOTIATED  1
-# define OPENSSL_NPN_NO_OVERLAP  2
-
-__owur int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
-                                   unsigned int protos_len);
-__owur int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
-                               unsigned int protos_len);
-typedef int (*SSL_CTX_alpn_select_cb_func)(SSL *ssl,
-                                           const unsigned char **out,
-                                           unsigned char *outlen,
-                                           const unsigned char *in,
-                                           unsigned int inlen,
-                                           void *arg);
-void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
-                                SSL_CTX_alpn_select_cb_func cb,
-                                void *arg);
-void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
-                            unsigned int *len);
-
-# ifndef OPENSSL_NO_PSK
-/*
- * the maximum length of the buffer given to callbacks containing the
- * resulting identity/psk
- */
-#  define PSK_MAX_IDENTITY_LEN 256
-#  define PSK_MAX_PSK_LEN 512
-typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl,
-                                               const char *hint,
-                                               char *identity,
-                                               unsigned int max_identity_len,
-                                               unsigned char *psk,
-                                               unsigned int max_psk_len);
-void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb);
-void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb);
-
-typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl,
-                                               const char *identity,
-                                               unsigned char *psk,
-                                               unsigned int max_psk_len);
-void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb);
-void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb);
-
-__owur int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *identity_hint);
-__owur int SSL_use_psk_identity_hint(SSL *s, const char *identity_hint);
-const char *SSL_get_psk_identity_hint(const SSL *s);
-const char *SSL_get_psk_identity(const SSL *s);
-# endif
-
-typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl,
-                                            const unsigned char *identity,
-                                            size_t identity_len,
-                                            SSL_SESSION **sess);
-typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md,
-                                           const unsigned char **id,
-                                           size_t *idlen,
-                                           SSL_SESSION **sess);
-
-void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb);
-void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx,
-                                           SSL_psk_find_session_cb_func cb);
-void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb);
-void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx,
-                                          SSL_psk_use_session_cb_func cb);
-
-/* Register callbacks to handle custom TLS Extensions for client or server. */
-
-__owur int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx,
-                                         unsigned int ext_type);
-
-__owur int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx,
-                                         unsigned int ext_type,
-                                         custom_ext_add_cb add_cb,
-                                         custom_ext_free_cb free_cb,
-                                         void *add_arg,
-                                         custom_ext_parse_cb parse_cb,
-                                         void *parse_arg);
-
-__owur int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx,
-                                         unsigned int ext_type,
-                                         custom_ext_add_cb add_cb,
-                                         custom_ext_free_cb free_cb,
-                                         void *add_arg,
-                                         custom_ext_parse_cb parse_cb,
-                                         void *parse_arg);
-
-__owur int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type,
-                                  unsigned int context,
-                                  SSL_custom_ext_add_cb_ex add_cb,
-                                  SSL_custom_ext_free_cb_ex free_cb,
-                                  void *add_arg,
-                                  SSL_custom_ext_parse_cb_ex parse_cb,
-                                  void *parse_arg);
-
-__owur int SSL_extension_supported(unsigned int ext_type);
-
-# define SSL_NOTHING            1
-# define SSL_WRITING            2
-# define SSL_READING            3
-# define SSL_X509_LOOKUP        4
-# define SSL_ASYNC_PAUSED       5
-# define SSL_ASYNC_NO_JOBS      6
-# define SSL_CLIENT_HELLO_CB    7
-# define SSL_RETRY_VERIFY       8
-
-/* These will only be used when doing non-blocking IO */
-# define SSL_want_nothing(s)         (SSL_want(s) == SSL_NOTHING)
-# define SSL_want_read(s)            (SSL_want(s) == SSL_READING)
-# define SSL_want_write(s)           (SSL_want(s) == SSL_WRITING)
-# define SSL_want_x509_lookup(s)     (SSL_want(s) == SSL_X509_LOOKUP)
-# define SSL_want_retry_verify(s)    (SSL_want(s) == SSL_RETRY_VERIFY)
-# define SSL_want_async(s)           (SSL_want(s) == SSL_ASYNC_PAUSED)
-# define SSL_want_async_job(s)       (SSL_want(s) == SSL_ASYNC_NO_JOBS)
-# define SSL_want_client_hello_cb(s) (SSL_want(s) == SSL_CLIENT_HELLO_CB)
-
-# define SSL_MAC_FLAG_READ_MAC_STREAM 1
-# define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
-# define SSL_MAC_FLAG_READ_MAC_TLSTREE 4
-# define SSL_MAC_FLAG_WRITE_MAC_TLSTREE 8
-
-/*
- * A callback for logging out TLS key material. This callback should log out
- * |line| followed by a newline.
- */
-typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line);
-
-/*
- * SSL_CTX_set_keylog_callback configures a callback to log key material. This
- * is intended for debugging use with tools like Wireshark. The cb function
- * should log line followed by a newline.
- */
-void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb);
-
-/*
- * SSL_CTX_get_keylog_callback returns the callback configured by
- * SSL_CTX_set_keylog_callback.
- */
-SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx);
-
-int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data);
-uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx);
-int SSL_set_max_early_data(SSL *s, uint32_t max_early_data);
-uint32_t SSL_get_max_early_data(const SSL *s);
-int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data);
-uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx);
-int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data);
-uint32_t SSL_get_recv_max_early_data(const SSL *s);
-
-#ifdef __cplusplus
-}
-#endif
-
-# include <openssl/ssl2.h>
-# include <openssl/ssl3.h>
-# include <openssl/tls1.h>      /* This is mostly sslv3 with a few tweaks */
-# include <openssl/dtls1.h>     /* Datagram TLS */
-# include <openssl/srtp.h>      /* Support for the use_srtp extension */
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/*
- * These need to be after the above set of includes due to a compiler bug
- * in VisualStudio 2015
- */
-{-
-    generate_const_stack_macros("SSL_CIPHER")
-    .generate_stack_macros("SSL_COMP");
--}
-
-/* compatibility */
-# define SSL_set_app_data(s,arg)         (SSL_set_ex_data(s,0,(char *)(arg)))
-# define SSL_get_app_data(s)             (SSL_get_ex_data(s,0))
-# define SSL_SESSION_set_app_data(s,a)   (SSL_SESSION_set_ex_data(s,0, \
-                                                                  (char *)(a)))
-# define SSL_SESSION_get_app_data(s)     (SSL_SESSION_get_ex_data(s,0))
-# define SSL_CTX_get_app_data(ctx)       (SSL_CTX_get_ex_data(ctx,0))
-# define SSL_CTX_set_app_data(ctx,arg)   (SSL_CTX_set_ex_data(ctx,0, \
-                                                              (char *)(arg)))
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 void SSL_set_debug(SSL *s, int debug);
-# endif
-
-/* TLSv1.3 KeyUpdate message types */
-/* -1 used so that this is an invalid value for the on-the-wire protocol */
-#define SSL_KEY_UPDATE_NONE             -1
-/* Values as defined for the on-the-wire protocol */
-#define SSL_KEY_UPDATE_NOT_REQUESTED     0
-#define SSL_KEY_UPDATE_REQUESTED         1
-
-/*
- * The valid handshake states (one for each type message sent and one for each
- * type of message received). There are also two "special" states:
- * TLS = TLS or DTLS state
- * DTLS = DTLS specific state
- * CR/SR = Client Read/Server Read
- * CW/SW = Client Write/Server Write
- *
- * The "special" states are:
- * TLS_ST_BEFORE = No handshake has been initiated yet
- * TLS_ST_OK = A handshake has been successfully completed
- */
-typedef enum {
-    TLS_ST_BEFORE,
-    TLS_ST_OK,
-    DTLS_ST_CR_HELLO_VERIFY_REQUEST,
-    TLS_ST_CR_SRVR_HELLO,
-    TLS_ST_CR_CERT,
-    TLS_ST_CR_CERT_STATUS,
-    TLS_ST_CR_KEY_EXCH,
-    TLS_ST_CR_CERT_REQ,
-    TLS_ST_CR_SRVR_DONE,
-    TLS_ST_CR_SESSION_TICKET,
-    TLS_ST_CR_CHANGE,
-    TLS_ST_CR_FINISHED,
-    TLS_ST_CW_CLNT_HELLO,
-    TLS_ST_CW_CERT,
-    TLS_ST_CW_KEY_EXCH,
-    TLS_ST_CW_CERT_VRFY,
-    TLS_ST_CW_CHANGE,
-    TLS_ST_CW_NEXT_PROTO,
-    TLS_ST_CW_FINISHED,
-    TLS_ST_SW_HELLO_REQ,
-    TLS_ST_SR_CLNT_HELLO,
-    DTLS_ST_SW_HELLO_VERIFY_REQUEST,
-    TLS_ST_SW_SRVR_HELLO,
-    TLS_ST_SW_CERT,
-    TLS_ST_SW_KEY_EXCH,
-    TLS_ST_SW_CERT_REQ,
-    TLS_ST_SW_SRVR_DONE,
-    TLS_ST_SR_CERT,
-    TLS_ST_SR_KEY_EXCH,
-    TLS_ST_SR_CERT_VRFY,
-    TLS_ST_SR_NEXT_PROTO,
-    TLS_ST_SR_CHANGE,
-    TLS_ST_SR_FINISHED,
-    TLS_ST_SW_SESSION_TICKET,
-    TLS_ST_SW_CERT_STATUS,
-    TLS_ST_SW_CHANGE,
-    TLS_ST_SW_FINISHED,
-    TLS_ST_SW_ENCRYPTED_EXTENSIONS,
-    TLS_ST_CR_ENCRYPTED_EXTENSIONS,
-    TLS_ST_CR_CERT_VRFY,
-    TLS_ST_SW_CERT_VRFY,
-    TLS_ST_CR_HELLO_REQ,
-    TLS_ST_SW_KEY_UPDATE,
-    TLS_ST_CW_KEY_UPDATE,
-    TLS_ST_SR_KEY_UPDATE,
-    TLS_ST_CR_KEY_UPDATE,
-    TLS_ST_EARLY_DATA,
-    TLS_ST_PENDING_EARLY_DATA_END,
-    TLS_ST_CW_END_OF_EARLY_DATA,
-    TLS_ST_SR_END_OF_EARLY_DATA
-} OSSL_HANDSHAKE_STATE;
-
-/*
- * Most of the following state values are no longer used and are defined to be
- * the closest equivalent value in the current state machine code. Not all
- * defines have an equivalent and are set to a dummy value (-1). SSL_ST_CONNECT
- * and SSL_ST_ACCEPT are still in use in the definition of SSL_CB_ACCEPT_LOOP,
- * SSL_CB_ACCEPT_EXIT, SSL_CB_CONNECT_LOOP and SSL_CB_CONNECT_EXIT.
- */
-
-# define SSL_ST_CONNECT                  0x1000
-# define SSL_ST_ACCEPT                   0x2000
-
-# define SSL_ST_MASK                     0x0FFF
-
-# define SSL_CB_LOOP                     0x01
-# define SSL_CB_EXIT                     0x02
-# define SSL_CB_READ                     0x04
-# define SSL_CB_WRITE                    0x08
-# define SSL_CB_ALERT                    0x4000/* used in callback */
-# define SSL_CB_READ_ALERT               (SSL_CB_ALERT|SSL_CB_READ)
-# define SSL_CB_WRITE_ALERT              (SSL_CB_ALERT|SSL_CB_WRITE)
-# define SSL_CB_ACCEPT_LOOP              (SSL_ST_ACCEPT|SSL_CB_LOOP)
-# define SSL_CB_ACCEPT_EXIT              (SSL_ST_ACCEPT|SSL_CB_EXIT)
-# define SSL_CB_CONNECT_LOOP             (SSL_ST_CONNECT|SSL_CB_LOOP)
-# define SSL_CB_CONNECT_EXIT             (SSL_ST_CONNECT|SSL_CB_EXIT)
-# define SSL_CB_HANDSHAKE_START          0x10
-# define SSL_CB_HANDSHAKE_DONE           0x20
-
-/* Is the SSL_connection established? */
-# define SSL_in_connect_init(a)          (SSL_in_init(a) && !SSL_is_server(a))
-# define SSL_in_accept_init(a)           (SSL_in_init(a) && SSL_is_server(a))
-int SSL_in_init(const SSL *s);
-int SSL_in_before(const SSL *s);
-int SSL_is_init_finished(const SSL *s);
-
-/*
- * The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
- * should not need these
- */
-# define SSL_ST_READ_HEADER                      0xF0
-# define SSL_ST_READ_BODY                        0xF1
-# define SSL_ST_READ_DONE                        0xF2
-
-/*-
- * Obtain latest Finished message
- *   -- that we sent (SSL_get_finished)
- *   -- that we expected from peer (SSL_get_peer_finished).
- * Returns length (0 == no Finished so far), copies up to 'count' bytes.
- */
-size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
-
-/*
- * use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 3 options are
- * 'ored' with SSL_VERIFY_PEER if they are desired
- */
-# define SSL_VERIFY_NONE                 0x00
-# define SSL_VERIFY_PEER                 0x01
-# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
-# define SSL_VERIFY_CLIENT_ONCE          0x04
-# define SSL_VERIFY_POST_HANDSHAKE       0x08
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define OpenSSL_add_ssl_algorithms()   SSL_library_init()
-#  define SSLeay_add_ssl_algorithms()    SSL_library_init()
-# endif
-
-/* More backward compatibility */
-# define SSL_get_cipher(s) \
-                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
-# define SSL_get_cipher_bits(s,np) \
-                SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np)
-# define SSL_get_cipher_version(s) \
-                SSL_CIPHER_get_version(SSL_get_current_cipher(s))
-# define SSL_get_cipher_name(s) \
-                SSL_CIPHER_get_name(SSL_get_current_cipher(s))
-# define SSL_get_time(a)         SSL_SESSION_get_time(a)
-# define SSL_set_time(a,b)       SSL_SESSION_set_time((a),(b))
-# define SSL_get_timeout(a)      SSL_SESSION_get_timeout(a)
-# define SSL_set_timeout(a,b)    SSL_SESSION_set_timeout((a),(b))
-
-# define d2i_SSL_SESSION_bio(bp,s_id) ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
-# define i2d_SSL_SESSION_bio(bp,s_id) ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
-
-DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
-# define SSL_AD_REASON_OFFSET            1000/* offset to get SSL_R_... value
-                                              * from SSL_AD_... */
-/* These alert types are for SSLv3 and TLSv1 */
-# define SSL_AD_CLOSE_NOTIFY             SSL3_AD_CLOSE_NOTIFY
-/* fatal */
-# define SSL_AD_UNEXPECTED_MESSAGE       SSL3_AD_UNEXPECTED_MESSAGE
-/* fatal */
-# define SSL_AD_BAD_RECORD_MAC           SSL3_AD_BAD_RECORD_MAC
-# define SSL_AD_DECRYPTION_FAILED        TLS1_AD_DECRYPTION_FAILED
-# define SSL_AD_RECORD_OVERFLOW          TLS1_AD_RECORD_OVERFLOW
-/* fatal */
-# define SSL_AD_DECOMPRESSION_FAILURE    SSL3_AD_DECOMPRESSION_FAILURE
-/* fatal */
-# define SSL_AD_HANDSHAKE_FAILURE        SSL3_AD_HANDSHAKE_FAILURE
-/* Not for TLS */
-# define SSL_AD_NO_CERTIFICATE           SSL3_AD_NO_CERTIFICATE
-# define SSL_AD_BAD_CERTIFICATE          SSL3_AD_BAD_CERTIFICATE
-# define SSL_AD_UNSUPPORTED_CERTIFICATE  SSL3_AD_UNSUPPORTED_CERTIFICATE
-# define SSL_AD_CERTIFICATE_REVOKED      SSL3_AD_CERTIFICATE_REVOKED
-# define SSL_AD_CERTIFICATE_EXPIRED      SSL3_AD_CERTIFICATE_EXPIRED
-# define SSL_AD_CERTIFICATE_UNKNOWN      SSL3_AD_CERTIFICATE_UNKNOWN
-/* fatal */
-# define SSL_AD_ILLEGAL_PARAMETER        SSL3_AD_ILLEGAL_PARAMETER
-/* fatal */
-# define SSL_AD_UNKNOWN_CA               TLS1_AD_UNKNOWN_CA
-/* fatal */
-# define SSL_AD_ACCESS_DENIED            TLS1_AD_ACCESS_DENIED
-/* fatal */
-# define SSL_AD_DECODE_ERROR             TLS1_AD_DECODE_ERROR
-# define SSL_AD_DECRYPT_ERROR            TLS1_AD_DECRYPT_ERROR
-/* fatal */
-# define SSL_AD_EXPORT_RESTRICTION       TLS1_AD_EXPORT_RESTRICTION
-/* fatal */
-# define SSL_AD_PROTOCOL_VERSION         TLS1_AD_PROTOCOL_VERSION
-/* fatal */
-# define SSL_AD_INSUFFICIENT_SECURITY    TLS1_AD_INSUFFICIENT_SECURITY
-/* fatal */
-# define SSL_AD_INTERNAL_ERROR           TLS1_AD_INTERNAL_ERROR
-# define SSL_AD_USER_CANCELLED           TLS1_AD_USER_CANCELLED
-# define SSL_AD_NO_RENEGOTIATION         TLS1_AD_NO_RENEGOTIATION
-# define SSL_AD_MISSING_EXTENSION        TLS13_AD_MISSING_EXTENSION
-# define SSL_AD_CERTIFICATE_REQUIRED     TLS13_AD_CERTIFICATE_REQUIRED
-# define SSL_AD_UNSUPPORTED_EXTENSION    TLS1_AD_UNSUPPORTED_EXTENSION
-# define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE
-# define SSL_AD_UNRECOGNIZED_NAME        TLS1_AD_UNRECOGNIZED_NAME
-# define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
-# define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
-/* fatal */
-# define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY
-/* fatal */
-# define SSL_AD_INAPPROPRIATE_FALLBACK   TLS1_AD_INAPPROPRIATE_FALLBACK
-# define SSL_AD_NO_APPLICATION_PROTOCOL  TLS1_AD_NO_APPLICATION_PROTOCOL
-# define SSL_ERROR_NONE                  0
-# define SSL_ERROR_SSL                   1
-# define SSL_ERROR_WANT_READ             2
-# define SSL_ERROR_WANT_WRITE            3
-# define SSL_ERROR_WANT_X509_LOOKUP      4
-# define SSL_ERROR_SYSCALL               5/* look at error stack/return
-                                           * value/errno */
-# define SSL_ERROR_ZERO_RETURN           6
-# define SSL_ERROR_WANT_CONNECT          7
-# define SSL_ERROR_WANT_ACCEPT           8
-# define SSL_ERROR_WANT_ASYNC            9
-# define SSL_ERROR_WANT_ASYNC_JOB       10
-# define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
-# define SSL_ERROR_WANT_RETRY_VERIFY    12
-
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define SSL_CTRL_SET_TMP_DH                    3
-#  define SSL_CTRL_SET_TMP_ECDH                  4
-#  define SSL_CTRL_SET_TMP_DH_CB                 6
-# endif
-
-# define SSL_CTRL_GET_CLIENT_CERT_REQUEST        9
-# define SSL_CTRL_GET_NUM_RENEGOTIATIONS         10
-# define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS       11
-# define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS       12
-# define SSL_CTRL_GET_FLAGS                      13
-# define SSL_CTRL_EXTRA_CHAIN_CERT               14
-# define SSL_CTRL_SET_MSG_CALLBACK               15
-# define SSL_CTRL_SET_MSG_CALLBACK_ARG           16
-/* only applies to datagram connections */
-# define SSL_CTRL_SET_MTU                17
-/* Stats */
-# define SSL_CTRL_SESS_NUMBER                    20
-# define SSL_CTRL_SESS_CONNECT                   21
-# define SSL_CTRL_SESS_CONNECT_GOOD              22
-# define SSL_CTRL_SESS_CONNECT_RENEGOTIATE       23
-# define SSL_CTRL_SESS_ACCEPT                    24
-# define SSL_CTRL_SESS_ACCEPT_GOOD               25
-# define SSL_CTRL_SESS_ACCEPT_RENEGOTIATE        26
-# define SSL_CTRL_SESS_HIT                       27
-# define SSL_CTRL_SESS_CB_HIT                    28
-# define SSL_CTRL_SESS_MISSES                    29
-# define SSL_CTRL_SESS_TIMEOUTS                  30
-# define SSL_CTRL_SESS_CACHE_FULL                31
-# define SSL_CTRL_MODE                           33
-# define SSL_CTRL_GET_READ_AHEAD                 40
-# define SSL_CTRL_SET_READ_AHEAD                 41
-# define SSL_CTRL_SET_SESS_CACHE_SIZE            42
-# define SSL_CTRL_GET_SESS_CACHE_SIZE            43
-# define SSL_CTRL_SET_SESS_CACHE_MODE            44
-# define SSL_CTRL_GET_SESS_CACHE_MODE            45
-# define SSL_CTRL_GET_MAX_CERT_LIST              50
-# define SSL_CTRL_SET_MAX_CERT_LIST              51
-# define SSL_CTRL_SET_MAX_SEND_FRAGMENT          52
-/* see tls1.h for macros based on these */
-# define SSL_CTRL_SET_TLSEXT_SERVERNAME_CB       53
-# define SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG      54
-# define SSL_CTRL_SET_TLSEXT_HOSTNAME            55
-# define SSL_CTRL_SET_TLSEXT_DEBUG_CB            56
-# define SSL_CTRL_SET_TLSEXT_DEBUG_ARG           57
-# define SSL_CTRL_GET_TLSEXT_TICKET_KEYS         58
-# define SSL_CTRL_SET_TLSEXT_TICKET_KEYS         59
-/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT    60 */
-/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB 61 */
-/*# define SSL_CTRL_SET_TLSEXT_OPAQUE_PRF_INPUT_CB_ARG 62 */
-# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB       63
-# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG   64
-# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE     65
-# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS     66
-# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS     67
-# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS      68
-# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS      69
-# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP        70
-# define SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP        71
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB      72
-# endif
-# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB    75
-# define SSL_CTRL_SET_SRP_VERIFY_PARAM_CB                76
-# define SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB             77
-# define SSL_CTRL_SET_SRP_ARG            78
-# define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME               79
-# define SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH               80
-# define SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD               81
-# define DTLS_CTRL_GET_TIMEOUT           73
-# define DTLS_CTRL_HANDLE_TIMEOUT        74
-# define SSL_CTRL_GET_RI_SUPPORT                 76
-# define SSL_CTRL_CLEAR_MODE                     78
-# define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB      79
-# define SSL_CTRL_GET_EXTRA_CHAIN_CERTS          82
-# define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS        83
-# define SSL_CTRL_CHAIN                          88
-# define SSL_CTRL_CHAIN_CERT                     89
-# define SSL_CTRL_GET_GROUPS                     90
-# define SSL_CTRL_SET_GROUPS                     91
-# define SSL_CTRL_SET_GROUPS_LIST                92
-# define SSL_CTRL_GET_SHARED_GROUP               93
-# define SSL_CTRL_SET_SIGALGS                    97
-# define SSL_CTRL_SET_SIGALGS_LIST               98
-# define SSL_CTRL_CERT_FLAGS                     99
-# define SSL_CTRL_CLEAR_CERT_FLAGS               100
-# define SSL_CTRL_SET_CLIENT_SIGALGS             101
-# define SSL_CTRL_SET_CLIENT_SIGALGS_LIST        102
-# define SSL_CTRL_GET_CLIENT_CERT_TYPES          103
-# define SSL_CTRL_SET_CLIENT_CERT_TYPES          104
-# define SSL_CTRL_BUILD_CERT_CHAIN               105
-# define SSL_CTRL_SET_VERIFY_CERT_STORE          106
-# define SSL_CTRL_SET_CHAIN_CERT_STORE           107
-# define SSL_CTRL_GET_PEER_SIGNATURE_NID         108
-# define SSL_CTRL_GET_PEER_TMP_KEY               109
-# define SSL_CTRL_GET_RAW_CIPHERLIST             110
-# define SSL_CTRL_GET_EC_POINT_FORMATS           111
-# define SSL_CTRL_GET_CHAIN_CERTS                115
-# define SSL_CTRL_SELECT_CURRENT_CERT            116
-# define SSL_CTRL_SET_CURRENT_CERT               117
-# define SSL_CTRL_SET_DH_AUTO                    118
-# define DTLS_CTRL_SET_LINK_MTU                  120
-# define DTLS_CTRL_GET_LINK_MIN_MTU              121
-# define SSL_CTRL_GET_EXTMS_SUPPORT              122
-# define SSL_CTRL_SET_MIN_PROTO_VERSION          123
-# define SSL_CTRL_SET_MAX_PROTO_VERSION          124
-# define SSL_CTRL_SET_SPLIT_SEND_FRAGMENT        125
-# define SSL_CTRL_SET_MAX_PIPELINES              126
-# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE     127
-# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB       128
-# define SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG   129
-# define SSL_CTRL_GET_MIN_PROTO_VERSION          130
-# define SSL_CTRL_GET_MAX_PROTO_VERSION          131
-# define SSL_CTRL_GET_SIGNATURE_NID              132
-# define SSL_CTRL_GET_TMP_KEY                    133
-# define SSL_CTRL_GET_NEGOTIATED_GROUP           134
-# define SSL_CTRL_SET_RETRY_VERIFY               136
-# define SSL_CTRL_GET_VERIFY_CERT_STORE          137
-# define SSL_CTRL_GET_CHAIN_CERT_STORE           138
-# define SSL_CERT_SET_FIRST                      1
-# define SSL_CERT_SET_NEXT                       2
-# define SSL_CERT_SET_SERVER                     3
-# define DTLSv1_get_timeout(ssl, arg) \
-        SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)(arg))
-# define DTLSv1_handle_timeout(ssl) \
-        SSL_ctrl(ssl,DTLS_CTRL_HANDLE_TIMEOUT,0, NULL)
-# define SSL_num_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_NUM_RENEGOTIATIONS,0,NULL)
-# define SSL_clear_num_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS,0,NULL)
-# define SSL_total_renegotiations(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_GET_TOTAL_RENEGOTIATIONS,0,NULL)
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define SSL_CTX_set_tmp_dh(ctx,dh) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
-# endif
-# define SSL_CTX_set_dh_auto(ctx, onoff) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
-# define SSL_set_dh_auto(s, onoff) \
-        SSL_ctrl(s,SSL_CTRL_SET_DH_AUTO,onoff,NULL)
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define SSL_set_tmp_dh(ssl,dh) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_DH,0,(char *)(dh))
-# endif
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define SSL_CTX_set_tmp_ecdh(ctx,ecdh) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
-#  define SSL_set_tmp_ecdh(ssl,ecdh) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)(ecdh))
-# endif
-# define SSL_CTX_add_extra_chain_cert(ctx,x509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)(x509))
-# define SSL_CTX_get_extra_chain_certs(ctx,px509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509)
-# define SSL_CTX_get_extra_chain_certs_only(ctx,px509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,1,px509)
-# define SSL_CTX_clear_extra_chain_certs(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL)
-# define SSL_CTX_set0_chain(ctx,sk) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,0,(char *)(sk))
-# define SSL_CTX_set1_chain(ctx,sk) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN,1,(char *)(sk))
-# define SSL_CTX_add0_chain_cert(ctx,x509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,0,(char *)(x509))
-# define SSL_CTX_add1_chain_cert(ctx,x509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_CHAIN_CERT,1,(char *)(x509))
-# define SSL_CTX_get0_chain_certs(ctx,px509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERTS,0,px509)
-# define SSL_CTX_clear_chain_certs(ctx) \
-        SSL_CTX_set0_chain(ctx,NULL)
-# define SSL_CTX_build_cert_chain(ctx, flags) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
-# define SSL_CTX_select_current_cert(ctx,x509) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509))
-# define SSL_CTX_set_current_cert(ctx, op) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CURRENT_CERT, op, NULL)
-# define SSL_CTX_set0_verify_cert_store(ctx,st) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
-# define SSL_CTX_set1_verify_cert_store(ctx,st) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
-# define SSL_CTX_get0_verify_cert_store(ctx,st) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))
-# define SSL_CTX_set0_chain_cert_store(ctx,st) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
-# define SSL_CTX_set1_chain_cert_store(ctx,st) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
-# define SSL_CTX_get0_chain_cert_store(ctx,st) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))
-# define SSL_set0_chain(s,sk) \
-        SSL_ctrl(s,SSL_CTRL_CHAIN,0,(char *)(sk))
-# define SSL_set1_chain(s,sk) \
-        SSL_ctrl(s,SSL_CTRL_CHAIN,1,(char *)(sk))
-# define SSL_add0_chain_cert(s,x509) \
-        SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,0,(char *)(x509))
-# define SSL_add1_chain_cert(s,x509) \
-        SSL_ctrl(s,SSL_CTRL_CHAIN_CERT,1,(char *)(x509))
-# define SSL_get0_chain_certs(s,px509) \
-        SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERTS,0,px509)
-# define SSL_clear_chain_certs(s) \
-        SSL_set0_chain(s,NULL)
-# define SSL_build_cert_chain(s, flags) \
-        SSL_ctrl(s,SSL_CTRL_BUILD_CERT_CHAIN, flags, NULL)
-# define SSL_select_current_cert(s,x509) \
-        SSL_ctrl(s,SSL_CTRL_SELECT_CURRENT_CERT,0,(char *)(x509))
-# define SSL_set_current_cert(s,op) \
-        SSL_ctrl(s,SSL_CTRL_SET_CURRENT_CERT, op, NULL)
-# define SSL_set0_verify_cert_store(s,st) \
-        SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,0,(char *)(st))
-# define SSL_set1_verify_cert_store(s,st) \
-        SSL_ctrl(s,SSL_CTRL_SET_VERIFY_CERT_STORE,1,(char *)(st))
-#define SSL_get0_verify_cert_store(s,st) \
-        SSL_ctrl(s,SSL_CTRL_GET_VERIFY_CERT_STORE,0,(char *)(st))
-# define SSL_set0_chain_cert_store(s,st) \
-        SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,0,(char *)(st))
-# define SSL_set1_chain_cert_store(s,st) \
-        SSL_ctrl(s,SSL_CTRL_SET_CHAIN_CERT_STORE,1,(char *)(st))
-#define SSL_get0_chain_cert_store(s,st) \
-        SSL_ctrl(s,SSL_CTRL_GET_CHAIN_CERT_STORE,0,(char *)(st))
-
-# define SSL_get1_groups(s, glist) \
-        SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))
-# define SSL_CTX_set1_groups(ctx, glist, glistlen) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(int *)(glist))
-# define SSL_CTX_set1_groups_list(ctx, s) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))
-# define SSL_set1_groups(s, glist, glistlen) \
-        SSL_ctrl(s,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
-# define SSL_set1_groups_list(s, str) \
-        SSL_ctrl(s,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(str))
-# define SSL_get_shared_group(s, n) \
-        SSL_ctrl(s,SSL_CTRL_GET_SHARED_GROUP,n,NULL)
-# define SSL_get_negotiated_group(s) \
-        SSL_ctrl(s,SSL_CTRL_GET_NEGOTIATED_GROUP,0,NULL)
-# define SSL_CTX_set1_sigalgs(ctx, slist, slistlen) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
-# define SSL_CTX_set1_sigalgs_list(ctx, s) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(s))
-# define SSL_set1_sigalgs(s, slist, slistlen) \
-        SSL_ctrl(s,SSL_CTRL_SET_SIGALGS,slistlen,(int *)(slist))
-# define SSL_set1_sigalgs_list(s, str) \
-        SSL_ctrl(s,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)(str))
-# define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist))
-# define SSL_CTX_set1_client_sigalgs_list(ctx, s) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(s))
-# define SSL_set1_client_sigalgs(s, slist, slistlen) \
-        SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS,slistlen,(int *)(slist))
-# define SSL_set1_client_sigalgs_list(s, str) \
-        SSL_ctrl(s,SSL_CTRL_SET_CLIENT_SIGALGS_LIST,0,(char *)(str))
-# define SSL_get0_certificate_types(s, clist) \
-        SSL_ctrl(s, SSL_CTRL_GET_CLIENT_CERT_TYPES, 0, (char *)(clist))
-# define SSL_CTX_set1_client_certificate_types(ctx, clist, clistlen) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen, \
-                     (char *)(clist))
-# define SSL_set1_client_certificate_types(s, clist, clistlen) \
-        SSL_ctrl(s,SSL_CTRL_SET_CLIENT_CERT_TYPES,clistlen,(char *)(clist))
-# define SSL_get_signature_nid(s, pn) \
-        SSL_ctrl(s,SSL_CTRL_GET_SIGNATURE_NID,0,pn)
-# define SSL_get_peer_signature_nid(s, pn) \
-        SSL_ctrl(s,SSL_CTRL_GET_PEER_SIGNATURE_NID,0,pn)
-# define SSL_get_peer_tmp_key(s, pk) \
-        SSL_ctrl(s,SSL_CTRL_GET_PEER_TMP_KEY,0,pk)
-# define SSL_get_tmp_key(s, pk) \
-        SSL_ctrl(s,SSL_CTRL_GET_TMP_KEY,0,pk)
-# define SSL_get0_raw_cipherlist(s, plst) \
-        SSL_ctrl(s,SSL_CTRL_GET_RAW_CIPHERLIST,0,plst)
-# define SSL_get0_ec_point_formats(s, plst) \
-        SSL_ctrl(s,SSL_CTRL_GET_EC_POINT_FORMATS,0,plst)
-# define SSL_CTX_set_min_proto_version(ctx, version) \
-        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
-# define SSL_CTX_set_max_proto_version(ctx, version) \
-        SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-# define SSL_CTX_get_min_proto_version(ctx) \
-        SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL)
-# define SSL_CTX_get_max_proto_version(ctx) \
-        SSL_CTX_ctrl(ctx, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL)
-# define SSL_set_min_proto_version(s, version) \
-        SSL_ctrl(s, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
-# define SSL_set_max_proto_version(s, version) \
-        SSL_ctrl(s, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
-# define SSL_get_min_proto_version(s) \
-        SSL_ctrl(s, SSL_CTRL_GET_MIN_PROTO_VERSION, 0, NULL)
-# define SSL_get_max_proto_version(s) \
-        SSL_ctrl(s, SSL_CTRL_GET_MAX_PROTO_VERSION, 0, NULL)
-
-const char *SSL_group_to_name(SSL *s, int id);
-
-/* Backwards compatibility, original 1.1.0 names */
-# define SSL_CTRL_GET_SERVER_TMP_KEY \
-         SSL_CTRL_GET_PEER_TMP_KEY
-# define SSL_get_server_tmp_key(s, pk) \
-         SSL_get_peer_tmp_key(s, pk)
-
-int SSL_set0_tmp_dh_pkey(SSL *s, EVP_PKEY *dhpkey);
-int SSL_CTX_set0_tmp_dh_pkey(SSL_CTX *ctx, EVP_PKEY *dhpkey);
-
-/*
- * The following symbol names are old and obsolete. They are kept
- * for compatibility reasons only and should not be used anymore.
- */
-# define SSL_CTRL_GET_CURVES           SSL_CTRL_GET_GROUPS
-# define SSL_CTRL_SET_CURVES           SSL_CTRL_SET_GROUPS
-# define SSL_CTRL_SET_CURVES_LIST      SSL_CTRL_SET_GROUPS_LIST
-# define SSL_CTRL_GET_SHARED_CURVE     SSL_CTRL_GET_SHARED_GROUP
-
-# define SSL_get1_curves               SSL_get1_groups
-# define SSL_CTX_set1_curves           SSL_CTX_set1_groups
-# define SSL_CTX_set1_curves_list      SSL_CTX_set1_groups_list
-# define SSL_set1_curves               SSL_set1_groups
-# define SSL_set1_curves_list          SSL_set1_groups_list
-# define SSL_get_shared_curve          SSL_get_shared_group
-
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-/* Provide some compatibility macros for removed functionality. */
-#  define SSL_CTX_need_tmp_RSA(ctx)                0
-#  define SSL_CTX_set_tmp_rsa(ctx,rsa)             1
-#  define SSL_need_tmp_RSA(ssl)                    0
-#  define SSL_set_tmp_rsa(ssl,rsa)                 1
-#  define SSL_CTX_set_ecdh_auto(dummy, onoff)      ((onoff) != 0)
-#  define SSL_set_ecdh_auto(dummy, onoff)          ((onoff) != 0)
-/*
- * We "pretend" to call the callback to avoid warnings about unused static
- * functions.
- */
-#  define SSL_CTX_set_tmp_rsa_callback(ctx, cb)    while(0) (cb)(NULL, 0, 0)
-#  define SSL_set_tmp_rsa_callback(ssl, cb)        while(0) (cb)(NULL, 0, 0)
-# endif
-__owur const BIO_METHOD *BIO_f_ssl(void);
-__owur BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
-__owur BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
-__owur BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
-__owur int BIO_ssl_copy_session_id(BIO *to, BIO *from);
-void BIO_ssl_shutdown(BIO *ssl_bio);
-
-__owur int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str);
-__owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
-__owur SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq,
-                               const SSL_METHOD *meth);
-int SSL_CTX_up_ref(SSL_CTX *ctx);
-void SSL_CTX_free(SSL_CTX *);
-__owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
-__owur long SSL_CTX_get_timeout(const SSL_CTX *ctx);
-__owur X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
-void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
-void SSL_CTX_set1_cert_store(SSL_CTX *, X509_STORE *);
-__owur int SSL_want(const SSL *s);
-__owur int SSL_clear(SSL *s);
-
-void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);
-
-__owur const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
-__owur const SSL_CIPHER *SSL_get_pending_cipher(const SSL *s);
-__owur int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
-__owur const char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
-__owur const char *SSL_CIPHER_get_name(const SSL_CIPHER *c);
-__owur const char *SSL_CIPHER_standard_name(const SSL_CIPHER *c);
-__owur const char *OPENSSL_cipher_name(const char *rfc_name);
-__owur uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c);
-__owur uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c);
-__owur int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c);
-__owur int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c);
-__owur const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c);
-__owur int SSL_CIPHER_is_aead(const SSL_CIPHER *c);
-
-__owur int SSL_get_fd(const SSL *s);
-__owur int SSL_get_rfd(const SSL *s);
-__owur int SSL_get_wfd(const SSL *s);
-__owur const char *SSL_get_cipher_list(const SSL *s, int n);
-__owur char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size);
-__owur int SSL_get_read_ahead(const SSL *s);
-__owur int SSL_pending(const SSL *s);
-__owur int SSL_has_pending(const SSL *s);
-# ifndef OPENSSL_NO_SOCK
-__owur int SSL_set_fd(SSL *s, int fd);
-__owur int SSL_set_rfd(SSL *s, int fd);
-__owur int SSL_set_wfd(SSL *s, int fd);
-# endif
-void SSL_set0_rbio(SSL *s, BIO *rbio);
-void SSL_set0_wbio(SSL *s, BIO *wbio);
-void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
-__owur BIO *SSL_get_rbio(const SSL *s);
-__owur BIO *SSL_get_wbio(const SSL *s);
-__owur int SSL_set_cipher_list(SSL *s, const char *str);
-__owur int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str);
-__owur int SSL_set_ciphersuites(SSL *s, const char *str);
-void SSL_set_read_ahead(SSL *s, int yes);
-__owur int SSL_get_verify_mode(const SSL *s);
-__owur int SSL_get_verify_depth(const SSL *s);
-__owur SSL_verify_cb SSL_get_verify_callback(const SSL *s);
-void SSL_set_verify(SSL *s, int mode, SSL_verify_cb callback);
-void SSL_set_verify_depth(SSL *s, int depth);
-void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg);
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0 __owur int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
-OSSL_DEPRECATEDIN_3_0
-__owur int SSL_use_RSAPrivateKey_ASN1(SSL *ssl,
-                                      const unsigned char *d, long len);
-# endif
-__owur int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
-__owur int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d,
-                                   long len);
-__owur int SSL_use_certificate(SSL *ssl, X509 *x);
-__owur int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len);
-__owur int SSL_use_cert_and_key(SSL *ssl, X509 *x509, EVP_PKEY *privatekey,
-                                STACK_OF(X509) *chain, int override);
-
-
-/* serverinfo file format versions */
-# define SSL_SERVERINFOV1   1
-# define SSL_SERVERINFOV2   2
-
-/* Set serverinfo data for the current active cert. */
-__owur int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo,
-                                  size_t serverinfo_length);
-__owur int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
-                                     const unsigned char *serverinfo,
-                                     size_t serverinfo_length);
-__owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
-
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0
-__owur int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
-#endif
-
-__owur int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
-__owur int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
-
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0
-__owur int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file,
-                                          int type);
-#endif
-__owur int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file,
-                                       int type);
-__owur int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file,
-                                        int type);
-/* PEM type */
-__owur int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
-__owur int SSL_use_certificate_chain_file(SSL *ssl, const char *file);
-__owur STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file);
-__owur STACK_OF(X509_NAME)
-*SSL_load_client_CA_file_ex(const char *file, OSSL_LIB_CTX *libctx,
-                            const char *propq);
-__owur int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
-                                               const char *file);
-int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
-                                       const char *dir);
-int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
-                                       const char *uri);
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define SSL_load_error_strings() \
-    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \
-                     | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)
-# endif
-
-__owur const char *SSL_state_string(const SSL *s);
-__owur const char *SSL_rstate_string(const SSL *s);
-__owur const char *SSL_state_string_long(const SSL *s);
-__owur const char *SSL_rstate_string_long(const SSL *s);
-__owur long SSL_SESSION_get_time(const SSL_SESSION *s);
-__owur long SSL_SESSION_set_time(SSL_SESSION *s, long t);
-__owur long SSL_SESSION_get_timeout(const SSL_SESSION *s);
-__owur long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-__owur int SSL_SESSION_get_protocol_version(const SSL_SESSION *s);
-__owur int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version);
-
-__owur const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s);
-__owur int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname);
-void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s,
-                                    const unsigned char **alpn,
-                                    size_t *len);
-__owur int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s,
-                                          const unsigned char *alpn,
-                                          size_t len);
-__owur const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s);
-__owur int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher);
-__owur int SSL_SESSION_has_ticket(const SSL_SESSION *s);
-__owur unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s);
-void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
-                             size_t *len);
-__owur uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s);
-__owur int SSL_SESSION_set_max_early_data(SSL_SESSION *s,
-                                          uint32_t max_early_data);
-__owur int SSL_copy_session_id(SSL *to, const SSL *from);
-__owur X509 *SSL_SESSION_get0_peer(SSL_SESSION *s);
-__owur int SSL_SESSION_set1_id_context(SSL_SESSION *s,
-                                       const unsigned char *sid_ctx,
-                                       unsigned int sid_ctx_len);
-__owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
-                               unsigned int sid_len);
-__owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);
-
-__owur SSL_SESSION *SSL_SESSION_new(void);
-__owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
-const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
-                                        unsigned int *len);
-const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
-                                                 unsigned int *len);
-__owur unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s);
-# ifndef OPENSSL_NO_STDIO
-int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses);
-# endif
-int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
-int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
-int SSL_SESSION_up_ref(SSL_SESSION *ses);
-void SSL_SESSION_free(SSL_SESSION *ses);
-__owur int i2d_SSL_SESSION(const SSL_SESSION *in, unsigned char **pp);
-__owur int SSL_set_session(SSL *to, SSL_SESSION *session);
-int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session);
-int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *session);
-__owur int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb);
-__owur int SSL_set_generate_session_id(SSL *s, GEN_SESSION_CB cb);
-__owur int SSL_has_matching_session_id(const SSL *s,
-                                       const unsigned char *id,
-                                       unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
-                             long length);
-
-# ifdef OPENSSL_X509_H
-__owur X509 *SSL_get0_peer_certificate(const SSL *s);
-__owur X509 *SSL_get1_peer_certificate(const SSL *s);
-/* Deprecated in 3.0.0 */
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-#   define SSL_get_peer_certificate SSL_get1_peer_certificate
-#  endif
-# endif
-
-__owur STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
-
-__owur int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
-__owur int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
-__owur SSL_verify_cb SSL_CTX_get_verify_callback(const SSL_CTX *ctx);
-void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb callback);
-void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth);
-void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
-                                      int (*cb) (X509_STORE_CTX *, void *),
-                                      void *arg);
-void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg),
-                         void *arg);
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0
-__owur int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
-OSSL_DEPRECATEDIN_3_0
-__owur int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
-                                          long len);
-# endif
-__owur int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
-__owur int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx,
-                                       const unsigned char *d, long len);
-__owur int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
-__owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
-                                        const unsigned char *d);
-__owur int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
-                                    STACK_OF(X509) *chain, int override);
-
-void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
-void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
-pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx);
-void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx);
-void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
-void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
-pem_password_cb *SSL_get_default_passwd_cb(SSL *s);
-void *SSL_get_default_passwd_cb_userdata(SSL *s);
-
-__owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
-__owur int SSL_check_private_key(const SSL *ctx);
-
-__owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx,
-                                          const unsigned char *sid_ctx,
-                                          unsigned int sid_ctx_len);
-
-SSL *SSL_new(SSL_CTX *ctx);
-int SSL_up_ref(SSL *s);
-int SSL_is_dtls(const SSL *s);
-__owur int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx,
-                                      unsigned int sid_ctx_len);
-
-__owur int SSL_CTX_set_purpose(SSL_CTX *ctx, int purpose);
-__owur int SSL_set_purpose(SSL *ssl, int purpose);
-__owur int SSL_CTX_set_trust(SSL_CTX *ctx, int trust);
-__owur int SSL_set_trust(SSL *ssl, int trust);
-
-__owur int SSL_set1_host(SSL *s, const char *hostname);
-__owur int SSL_add1_host(SSL *s, const char *hostname);
-__owur const char *SSL_get0_peername(SSL *s);
-void SSL_set_hostflags(SSL *s, unsigned int flags);
-
-__owur int SSL_CTX_dane_enable(SSL_CTX *ctx);
-__owur int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md,
-                                  uint8_t mtype, uint8_t ord);
-__owur int SSL_dane_enable(SSL *s, const char *basedomain);
-__owur int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector,
-                             uint8_t mtype, const unsigned char *data, size_t dlen);
-__owur int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki);
-__owur int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector,
-                              uint8_t *mtype, const unsigned char **data,
-                              size_t *dlen);
-/*
- * Bridge opacity barrier between libcrypt and libssl, also needed to support
- * offline testing in test/danetest.c
- */
-SSL_DANE *SSL_get0_dane(SSL *ssl);
-/*
- * DANE flags
- */
-unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags);
-unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags);
-unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags);
-unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags);
-
-__owur int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
-__owur int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
-
-__owur X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
-__owur X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
-
-# ifndef OPENSSL_NO_SRP
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
-OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
-OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
-OSSL_DEPRECATEDIN_3_0
-int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx,
-                                        char *(*cb) (SSL *, void *));
-OSSL_DEPRECATEDIN_3_0
-int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx,
-                                          int (*cb) (SSL *, void *));
-OSSL_DEPRECATEDIN_3_0
-int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
-                                      int (*cb) (SSL *, int *, void *));
-OSSL_DEPRECATEDIN_3_0 int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
-
-OSSL_DEPRECATEDIN_3_0
-int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
-                             BIGNUM *sa, BIGNUM *v, char *info);
-OSSL_DEPRECATEDIN_3_0
-int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass,
-                                const char *grp);
-
-OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_g(SSL *s);
-OSSL_DEPRECATEDIN_3_0 __owur BIGNUM *SSL_get_srp_N(SSL *s);
-
-OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_username(SSL *s);
-OSSL_DEPRECATEDIN_3_0 __owur char *SSL_get_srp_userinfo(SSL *s);
-#  endif
-# endif
-
-/*
- * ClientHello callback and helpers.
- */
-
-# define SSL_CLIENT_HELLO_SUCCESS 1
-# define SSL_CLIENT_HELLO_ERROR   0
-# define SSL_CLIENT_HELLO_RETRY   (-1)
-
-typedef int (*SSL_client_hello_cb_fn) (SSL *s, int *al, void *arg);
-void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn cb,
-                                 void *arg);
-int SSL_client_hello_isv2(SSL *s);
-unsigned int SSL_client_hello_get0_legacy_version(SSL *s);
-size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out);
-size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out);
-size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out);
-size_t SSL_client_hello_get0_compression_methods(SSL *s,
-                                                 const unsigned char **out);
-int SSL_client_hello_get1_extensions_present(SSL *s, int **out, size_t *outlen);
-int SSL_client_hello_get0_ext(SSL *s, unsigned int type,
-                              const unsigned char **out, size_t *outlen);
-
-void SSL_certs_clear(SSL *s);
-void SSL_free(SSL *ssl);
-# ifdef OSSL_ASYNC_FD
-/*
- * Windows application developer has to include windows.h to use these.
- */
-__owur int SSL_waiting_for_async(SSL *s);
-__owur int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fds, size_t *numfds);
-__owur int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd,
-                                     size_t *numaddfds, OSSL_ASYNC_FD *delfd,
-                                     size_t *numdelfds);
-__owur int SSL_CTX_set_async_callback(SSL_CTX *ctx, SSL_async_callback_fn callback);
-__owur int SSL_CTX_set_async_callback_arg(SSL_CTX *ctx, void *arg);
-__owur int SSL_set_async_callback(SSL *s, SSL_async_callback_fn callback);
-__owur int SSL_set_async_callback_arg(SSL *s, void *arg);
-__owur int SSL_get_async_status(SSL *s, int *status);
-
-# endif
-__owur int SSL_accept(SSL *ssl);
-__owur int SSL_stateless(SSL *s);
-__owur int SSL_connect(SSL *ssl);
-__owur int SSL_read(SSL *ssl, void *buf, int num);
-__owur int SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
-
-# define SSL_READ_EARLY_DATA_ERROR   0
-# define SSL_READ_EARLY_DATA_SUCCESS 1
-# define SSL_READ_EARLY_DATA_FINISH  2
-
-__owur int SSL_read_early_data(SSL *s, void *buf, size_t num,
-                               size_t *readbytes);
-__owur int SSL_peek(SSL *ssl, void *buf, int num);
-__owur int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
-__owur ossl_ssize_t SSL_sendfile(SSL *s, int fd, off_t offset, size_t size,
-                                 int flags);
-__owur int SSL_write(SSL *ssl, const void *buf, int num);
-__owur int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written);
-__owur int SSL_write_early_data(SSL *s, const void *buf, size_t num,
-                                size_t *written);
-long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
-long SSL_callback_ctrl(SSL *, int, void (*)(void));
-long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
-long SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)(void));
-
-# define SSL_EARLY_DATA_NOT_SENT    0
-# define SSL_EARLY_DATA_REJECTED    1
-# define SSL_EARLY_DATA_ACCEPTED    2
-
-__owur int SSL_get_early_data_status(const SSL *s);
-
-__owur int SSL_get_error(const SSL *s, int ret_code);
-__owur const char *SSL_get_version(const SSL *s);
-
-/* This sets the 'default' SSL version that SSL_new() will create */
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0
-__owur int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-# endif
-
-# ifndef OPENSSL_NO_SSL3_METHOD
-#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *SSLv3_method(void); /* SSLv3 */
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *SSLv3_server_method(void);
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *SSLv3_client_method(void);
-#  endif
-# endif
-
-#define SSLv23_method           TLS_method
-#define SSLv23_server_method    TLS_server_method
-#define SSLv23_client_method    TLS_client_method
-
-/* Negotiate highest available SSL/TLS version */
-__owur const SSL_METHOD *TLS_method(void);
-__owur const SSL_METHOD *TLS_server_method(void);
-__owur const SSL_METHOD *TLS_client_method(void);
-
-# ifndef OPENSSL_NO_TLS1_METHOD
-#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_server_method(void);
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_client_method(void);
-#  endif
-# endif
-
-# ifndef OPENSSL_NO_TLS1_1_METHOD
-#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_1_server_method(void);
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_1_client_method(void);
-#  endif
-# endif
-
-# ifndef OPENSSL_NO_TLS1_2_METHOD
-#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_server_method(void);
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *TLSv1_2_client_method(void);
-#  endif
-# endif
-
-# ifndef OPENSSL_NO_DTLS1_METHOD
-#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_server_method(void);
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_client_method(void);
-#  endif
-# endif
-
-# ifndef OPENSSL_NO_DTLS1_2_METHOD
-/* DTLSv1.2 */
-#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_2_method(void);
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_2_server_method(void);
-OSSL_DEPRECATEDIN_1_1_0 __owur const SSL_METHOD *DTLSv1_2_client_method(void);
-#  endif
-# endif
-
-__owur const SSL_METHOD *DTLS_method(void); /* DTLS 1.0 and 1.2 */
-__owur const SSL_METHOD *DTLS_server_method(void); /* DTLS 1.0 and 1.2 */
-__owur const SSL_METHOD *DTLS_client_method(void); /* DTLS 1.0 and 1.2 */
-
-__owur size_t DTLS_get_data_mtu(const SSL *s);
-
-__owur STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
-__owur STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
-__owur STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s);
-__owur STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s);
-
-__owur int SSL_do_handshake(SSL *s);
-int SSL_key_update(SSL *s, int updatetype);
-int SSL_get_key_update_type(const SSL *s);
-int SSL_renegotiate(SSL *s);
-int SSL_renegotiate_abbreviated(SSL *s);
-__owur int SSL_renegotiate_pending(const SSL *s);
-int SSL_new_session_ticket(SSL *s);
-int SSL_shutdown(SSL *s);
-__owur int SSL_verify_client_post_handshake(SSL *s);
-void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val);
-void SSL_set_post_handshake_auth(SSL *s, int val);
-
-__owur const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx);
-__owur const SSL_METHOD *SSL_get_ssl_method(const SSL *s);
-__owur int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
-__owur const char *SSL_alert_type_string_long(int value);
-__owur const char *SSL_alert_type_string(int value);
-__owur const char *SSL_alert_desc_string_long(int value);
-__owur const char *SSL_alert_desc_string(int value);
-
-void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
-void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-__owur const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s);
-__owur const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx);
-__owur int SSL_add1_to_CA_list(SSL *ssl, const X509 *x);
-__owur int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x);
-__owur const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s);
-
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-__owur STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
-__owur STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
-__owur int SSL_add_client_CA(SSL *ssl, X509 *x);
-__owur int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
-
-void SSL_set_connect_state(SSL *s);
-void SSL_set_accept_state(SSL *s);
-
-__owur long SSL_get_default_timeout(const SSL *s);
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define SSL_library_init() OPENSSL_init_ssl(0, NULL)
-# endif
-
-__owur char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size);
-__owur STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk);
-
-__owur SSL *SSL_dup(SSL *ssl);
-
-__owur X509 *SSL_get_certificate(const SSL *ssl);
-/*
- * EVP_PKEY
- */
-struct evp_pkey_st *SSL_get_privatekey(const SSL *ssl);
-
-__owur X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
-__owur EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
-
-void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
-__owur int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
-void SSL_set_quiet_shutdown(SSL *ssl, int mode);
-__owur int SSL_get_quiet_shutdown(const SSL *ssl);
-void SSL_set_shutdown(SSL *ssl, int mode);
-__owur int SSL_get_shutdown(const SSL *ssl);
-__owur int SSL_version(const SSL *ssl);
-__owur int SSL_client_version(const SSL *s);
-__owur int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
-__owur int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
-__owur int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
-__owur int SSL_CTX_set_default_verify_store(SSL_CTX *ctx);
-__owur int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile);
-__owur int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
-__owur int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore);
-__owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
-                                                        const char *CAfile,
-                                                        const char *CApath);
-# define SSL_get0_session SSL_get_session/* just peek at pointer */
-__owur SSL_SESSION *SSL_get_session(const SSL *ssl);
-__owur SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-__owur SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
-SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx);
-void SSL_set_info_callback(SSL *ssl,
-                           void (*cb) (const SSL *ssl, int type, int val));
-void (*SSL_get_info_callback(const SSL *ssl)) (const SSL *ssl, int type,
-                                               int val);
-__owur OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
-
-void SSL_set_verify_result(SSL *ssl, long v);
-__owur long SSL_get_verify_result(const SSL *ssl);
-__owur STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s);
-
-__owur size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
-                                    size_t outlen);
-__owur size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
-                                    size_t outlen);
-__owur size_t SSL_SESSION_get_master_key(const SSL_SESSION *sess,
-                                         unsigned char *out, size_t outlen);
-__owur int SSL_SESSION_set1_master_key(SSL_SESSION *sess,
-                                       const unsigned char *in, size_t len);
-uint8_t SSL_SESSION_get_max_fragment_length(const SSL_SESSION *sess);
-
-#define SSL_get_ex_new_index(l, p, newf, dupf, freef) \
-    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL, l, p, newf, dupf, freef)
-__owur int SSL_set_ex_data(SSL *ssl, int idx, void *data);
-void *SSL_get_ex_data(const SSL *ssl, int idx);
-#define SSL_SESSION_get_ex_new_index(l, p, newf, dupf, freef) \
-    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_SESSION, l, p, newf, dupf, freef)
-__owur int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data);
-void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss, int idx);
-#define SSL_CTX_get_ex_new_index(l, p, newf, dupf, freef) \
-    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_SSL_CTX, l, p, newf, dupf, freef)
-__owur int SSL_CTX_set_ex_data(SSL_CTX *ssl, int idx, void *data);
-void *SSL_CTX_get_ex_data(const SSL_CTX *ssl, int idx);
-
-__owur int SSL_get_ex_data_X509_STORE_CTX_idx(void);
-
-# define SSL_CTX_sess_set_cache_size(ctx,t) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_SIZE,t,NULL)
-# define SSL_CTX_sess_get_cache_size(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_SIZE,0,NULL)
-# define SSL_CTX_set_session_cache_mode(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SESS_CACHE_MODE,m,NULL)
-# define SSL_CTX_get_session_cache_mode(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_SESS_CACHE_MODE,0,NULL)
-
-# define SSL_CTX_get_default_read_ahead(ctx) SSL_CTX_get_read_ahead(ctx)
-# define SSL_CTX_set_default_read_ahead(ctx,m) SSL_CTX_set_read_ahead(ctx,m)
-# define SSL_CTX_get_read_ahead(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_READ_AHEAD,0,NULL)
-# define SSL_CTX_set_read_ahead(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_READ_AHEAD,m,NULL)
-# define SSL_CTX_get_max_cert_list(ctx) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
-# define SSL_CTX_set_max_cert_list(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
-# define SSL_get_max_cert_list(ssl) \
-        SSL_ctrl(ssl,SSL_CTRL_GET_MAX_CERT_LIST,0,NULL)
-# define SSL_set_max_cert_list(ssl,m) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_MAX_CERT_LIST,m,NULL)
-
-# define SSL_CTX_set_max_send_fragment(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
-# define SSL_set_max_send_fragment(ssl,m) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_MAX_SEND_FRAGMENT,m,NULL)
-# define SSL_CTX_set_split_send_fragment(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SPLIT_SEND_FRAGMENT,m,NULL)
-# define SSL_set_split_send_fragment(ssl,m) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_SPLIT_SEND_FRAGMENT,m,NULL)
-# define SSL_CTX_set_max_pipelines(ctx,m) \
-        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_MAX_PIPELINES,m,NULL)
-# define SSL_set_max_pipelines(ssl,m) \
-        SSL_ctrl(ssl,SSL_CTRL_SET_MAX_PIPELINES,m,NULL)
-# define SSL_set_retry_verify(ssl) \
-        (SSL_ctrl(ssl,SSL_CTRL_SET_RETRY_VERIFY,0,NULL) > 0)
-
-void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
-void SSL_set_default_read_buffer_len(SSL *s, size_t len);
-
-# ifndef OPENSSL_NO_DH
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-/* NB: the |keylength| is only applicable when is_export is true */
-OSSL_DEPRECATEDIN_3_0
-void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx,
-                                 DH *(*dh) (SSL *ssl, int is_export,
-                                            int keylength));
-OSSL_DEPRECATEDIN_3_0
-void SSL_set_tmp_dh_callback(SSL *ssl,
-                             DH *(*dh) (SSL *ssl, int is_export,
-                                        int keylength));
-#  endif
-# endif
-
-__owur const COMP_METHOD *SSL_get_current_compression(const SSL *s);
-__owur const COMP_METHOD *SSL_get_current_expansion(const SSL *s);
-__owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
-__owur const char *SSL_COMP_get0_name(const SSL_COMP *comp);
-__owur int SSL_COMP_get_id(const SSL_COMP *comp);
-STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
-__owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
-                                                             *meths);
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define SSL_COMP_free_compression_methods() while(0) continue
-# endif
-__owur int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
-
-const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
-int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
-int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c);
-int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len,
-                             int isv2format, STACK_OF(SSL_CIPHER) **sk,
-                             STACK_OF(SSL_CIPHER) **scsvs);
-
-/* TLS extensions functions */
-__owur int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len);
-
-__owur int SSL_set_session_ticket_ext_cb(SSL *s,
-                                         tls_session_ticket_ext_cb_fn cb,
-                                         void *arg);
-
-/* Pre-shared secret session resumption functions */
-__owur int SSL_set_session_secret_cb(SSL *s,
-                                     tls_session_secret_cb_fn session_secret_cb,
-                                     void *arg);
-
-void SSL_CTX_set_not_resumable_session_callback(SSL_CTX *ctx,
-                                                int (*cb) (SSL *ssl,
-                                                           int
-                                                           is_forward_secure));
-
-void SSL_set_not_resumable_session_callback(SSL *ssl,
-                                            int (*cb) (SSL *ssl,
-                                                       int is_forward_secure));
-
-void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx,
-                                         size_t (*cb) (SSL *ssl, int type,
-                                                       size_t len, void *arg));
-void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg);
-void *SSL_CTX_get_record_padding_callback_arg(const SSL_CTX *ctx);
-int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size);
-
-int SSL_set_record_padding_callback(SSL *ssl,
-                                    size_t (*cb) (SSL *ssl, int type,
-                                                  size_t len, void *arg));
-void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg);
-void *SSL_get_record_padding_callback_arg(const SSL *ssl);
-int SSL_set_block_padding(SSL *ssl, size_t block_size);
-
-int SSL_set_num_tickets(SSL *s, size_t num_tickets);
-size_t SSL_get_num_tickets(const SSL *s);
-int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets);
-size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx);
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define SSL_cache_hit(s) SSL_session_reused(s)
-# endif
-
-__owur int SSL_session_reused(const SSL *s);
-__owur int SSL_is_server(const SSL *s);
-
-__owur __owur SSL_CONF_CTX *SSL_CONF_CTX_new(void);
-int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx);
-void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx);
-unsigned int SSL_CONF_CTX_set_flags(SSL_CONF_CTX *cctx, unsigned int flags);
-__owur unsigned int SSL_CONF_CTX_clear_flags(SSL_CONF_CTX *cctx,
-                                             unsigned int flags);
-__owur int SSL_CONF_CTX_set1_prefix(SSL_CONF_CTX *cctx, const char *pre);
-
-void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl);
-void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx);
-
-__owur int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value);
-__owur int SSL_CONF_cmd_argv(SSL_CONF_CTX *cctx, int *pargc, char ***pargv);
-__owur int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd);
-
-void SSL_add_ssl_module(void);
-int SSL_config(SSL *s, const char *name);
-int SSL_CTX_config(SSL_CTX *ctx, const char *name);
-
-# ifndef OPENSSL_NO_SSL_TRACE
-void SSL_trace(int write_p, int version, int content_type,
-               const void *buf, size_t len, SSL *ssl, void *arg);
-# endif
-
-# ifndef OPENSSL_NO_SOCK
-int DTLSv1_listen(SSL *s, BIO_ADDR *client);
-# endif
-
-# ifndef OPENSSL_NO_CT
-
-/*
- * A callback for verifying that the received SCTs are sufficient.
- * Expected to return 1 if they are sufficient, otherwise 0.
- * May return a negative integer if an error occurs.
- * A connection should be aborted if the SCTs are deemed insufficient.
- */
-typedef int (*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx,
-                                    const STACK_OF(SCT) *scts, void *arg);
-
-/*
- * Sets a |callback| that is invoked upon receipt of ServerHelloDone to validate
- * the received SCTs.
- * If the callback returns a non-positive result, the connection is terminated.
- * Call this function before beginning a handshake.
- * If a NULL |callback| is provided, SCT validation is disabled.
- * |arg| is arbitrary userdata that will be passed to the callback whenever it
- * is invoked. Ownership of |arg| remains with the caller.
- *
- * NOTE: A side-effect of setting a CT callback is that an OCSP stapled response
- *       will be requested.
- */
-int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback,
-                                   void *arg);
-int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx,
-                                       ssl_ct_validation_cb callback,
-                                       void *arg);
-#define SSL_disable_ct(s) \
-        ((void) SSL_set_validation_callback((s), NULL, NULL))
-#define SSL_CTX_disable_ct(ctx) \
-        ((void) SSL_CTX_set_validation_callback((ctx), NULL, NULL))
-
-/*
- * The validation type enumerates the available behaviours of the built-in SSL
- * CT validation callback selected via SSL_enable_ct() and SSL_CTX_enable_ct().
- * The underlying callback is a static function in libssl.
- */
-enum {
-    SSL_CT_VALIDATION_PERMISSIVE = 0,
-    SSL_CT_VALIDATION_STRICT
-};
-
-/*
- * Enable CT by setting up a callback that implements one of the built-in
- * validation variants.  The SSL_CT_VALIDATION_PERMISSIVE variant always
- * continues the handshake, the application can make appropriate decisions at
- * handshake completion.  The SSL_CT_VALIDATION_STRICT variant requires at
- * least one valid SCT, or else handshake termination will be requested.  The
- * handshake may continue anyway if SSL_VERIFY_NONE is in effect.
- */
-int SSL_enable_ct(SSL *s, int validation_mode);
-int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode);
-
-/*
- * Report whether a non-NULL callback is enabled.
- */
-int SSL_ct_is_enabled(const SSL *s);
-int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx);
-
-/* Gets the SCTs received from a connection */
-const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);
-
-/*
- * Loads the CT log list from the default location.
- * If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store,
- * the log information loaded from this file will be appended to the
- * CTLOG_STORE.
- * Returns 1 on success, 0 otherwise.
- */
-int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx);
-
-/*
- * Loads the CT log list from the specified file path.
- * If a CTLOG_STORE has previously been set using SSL_CTX_set_ctlog_store,
- * the log information loaded from this file will be appended to the
- * CTLOG_STORE.
- * Returns 1 on success, 0 otherwise.
- */
-int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
-
-/*
- * Sets the CT log list used by all SSL connections created from this SSL_CTX.
- * Ownership of the CTLOG_STORE is transferred to the SSL_CTX.
- */
-void SSL_CTX_set0_ctlog_store(SSL_CTX *ctx, CTLOG_STORE *logs);
-
-/*
- * Gets the CT log list used by all SSL connections created from this SSL_CTX.
- * This will be NULL unless one of the following functions has been called:
- * - SSL_CTX_set_default_ctlog_list_file
- * - SSL_CTX_set_ctlog_list_file
- * - SSL_CTX_set_ctlog_store
- */
-const CTLOG_STORE *SSL_CTX_get0_ctlog_store(const SSL_CTX *ctx);
-
-# endif /* OPENSSL_NO_CT */
-
-/* What the "other" parameter contains in security callback */
-/* Mask for type */
-# define SSL_SECOP_OTHER_TYPE    0xffff0000
-# define SSL_SECOP_OTHER_NONE    0
-# define SSL_SECOP_OTHER_CIPHER  (1 << 16)
-# define SSL_SECOP_OTHER_CURVE   (2 << 16)
-# define SSL_SECOP_OTHER_DH      (3 << 16)
-# define SSL_SECOP_OTHER_PKEY    (4 << 16)
-# define SSL_SECOP_OTHER_SIGALG  (5 << 16)
-# define SSL_SECOP_OTHER_CERT    (6 << 16)
-
-/* Indicated operation refers to peer key or certificate */
-# define SSL_SECOP_PEER          0x1000
-
-/* Values for "op" parameter in security callback */
-
-/* Called to filter ciphers */
-/* Ciphers client supports */
-# define SSL_SECOP_CIPHER_SUPPORTED      (1 | SSL_SECOP_OTHER_CIPHER)
-/* Cipher shared by client/server */
-# define SSL_SECOP_CIPHER_SHARED         (2 | SSL_SECOP_OTHER_CIPHER)
-/* Sanity check of cipher server selects */
-# define SSL_SECOP_CIPHER_CHECK          (3 | SSL_SECOP_OTHER_CIPHER)
-/* Curves supported by client */
-# define SSL_SECOP_CURVE_SUPPORTED       (4 | SSL_SECOP_OTHER_CURVE)
-/* Curves shared by client/server */
-# define SSL_SECOP_CURVE_SHARED          (5 | SSL_SECOP_OTHER_CURVE)
-/* Sanity check of curve server selects */
-# define SSL_SECOP_CURVE_CHECK           (6 | SSL_SECOP_OTHER_CURVE)
-/* Temporary DH key */
-# define SSL_SECOP_TMP_DH                (7 | SSL_SECOP_OTHER_PKEY)
-/* SSL/TLS version */
-# define SSL_SECOP_VERSION               (9 | SSL_SECOP_OTHER_NONE)
-/* Session tickets */
-# define SSL_SECOP_TICKET                (10 | SSL_SECOP_OTHER_NONE)
-/* Supported signature algorithms sent to peer */
-# define SSL_SECOP_SIGALG_SUPPORTED      (11 | SSL_SECOP_OTHER_SIGALG)
-/* Shared signature algorithm */
-# define SSL_SECOP_SIGALG_SHARED         (12 | SSL_SECOP_OTHER_SIGALG)
-/* Sanity check signature algorithm allowed */
-# define SSL_SECOP_SIGALG_CHECK          (13 | SSL_SECOP_OTHER_SIGALG)
-/* Used to get mask of supported public key signature algorithms */
-# define SSL_SECOP_SIGALG_MASK           (14 | SSL_SECOP_OTHER_SIGALG)
-/* Use to see if compression is allowed */
-# define SSL_SECOP_COMPRESSION           (15 | SSL_SECOP_OTHER_NONE)
-/* EE key in certificate */
-# define SSL_SECOP_EE_KEY                (16 | SSL_SECOP_OTHER_CERT)
-/* CA key in certificate */
-# define SSL_SECOP_CA_KEY                (17 | SSL_SECOP_OTHER_CERT)
-/* CA digest algorithm in certificate */
-# define SSL_SECOP_CA_MD                 (18 | SSL_SECOP_OTHER_CERT)
-/* Peer EE key in certificate */
-# define SSL_SECOP_PEER_EE_KEY           (SSL_SECOP_EE_KEY | SSL_SECOP_PEER)
-/* Peer CA key in certificate */
-# define SSL_SECOP_PEER_CA_KEY           (SSL_SECOP_CA_KEY | SSL_SECOP_PEER)
-/* Peer CA digest algorithm in certificate */
-# define SSL_SECOP_PEER_CA_MD            (SSL_SECOP_CA_MD | SSL_SECOP_PEER)
-
-void SSL_set_security_level(SSL *s, int level);
-__owur int SSL_get_security_level(const SSL *s);
-void SSL_set_security_callback(SSL *s,
-                               int (*cb) (const SSL *s, const SSL_CTX *ctx,
-                                          int op, int bits, int nid,
-                                          void *other, void *ex));
-int (*SSL_get_security_callback(const SSL *s)) (const SSL *s,
-                                                const SSL_CTX *ctx, int op,
-                                                int bits, int nid, void *other,
-                                                void *ex);
-void SSL_set0_security_ex_data(SSL *s, void *ex);
-__owur void *SSL_get0_security_ex_data(const SSL *s);
-
-void SSL_CTX_set_security_level(SSL_CTX *ctx, int level);
-__owur int SSL_CTX_get_security_level(const SSL_CTX *ctx);
-void SSL_CTX_set_security_callback(SSL_CTX *ctx,
-                                   int (*cb) (const SSL *s, const SSL_CTX *ctx,
-                                              int op, int bits, int nid,
-                                              void *other, void *ex));
-int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx)) (const SSL *s,
-                                                          const SSL_CTX *ctx,
-                                                          int op, int bits,
-                                                          int nid,
-                                                          void *other,
-                                                          void *ex);
-void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex);
-__owur void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx);
-
-/* OPENSSL_INIT flag 0x010000 reserved for internal use */
-# define OPENSSL_INIT_NO_LOAD_SSL_STRINGS    0x00100000L
-# define OPENSSL_INIT_LOAD_SSL_STRINGS       0x00200000L
-
-# define OPENSSL_INIT_SSL_DEFAULT \
-        (OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
-
-int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
-
-# ifndef OPENSSL_NO_UNIT_TEST
-__owur const struct openssl_ssl_test_functions *SSL_test_functions(void);
-# endif
-
-__owur int SSL_free_buffers(SSL *ssl);
-__owur int SSL_alloc_buffers(SSL *ssl);
-
-/* Status codes passed to the decrypt session ticket callback. Some of these
- * are for internal use only and are never passed to the callback. */
-typedef int SSL_TICKET_STATUS;
-
-/* Support for ticket appdata */
-/* fatal error, malloc failure */
-# define SSL_TICKET_FATAL_ERR_MALLOC 0
-/* fatal error, either from parsing or decrypting the ticket */
-# define SSL_TICKET_FATAL_ERR_OTHER  1
-/* No ticket present */
-# define SSL_TICKET_NONE             2
-/* Empty ticket present */
-# define SSL_TICKET_EMPTY            3
-/* the ticket couldn't be decrypted */
-# define SSL_TICKET_NO_DECRYPT       4
-/* a ticket was successfully decrypted */
-# define SSL_TICKET_SUCCESS          5
-/* same as above but the ticket needs to be renewed */
-# define SSL_TICKET_SUCCESS_RENEW    6
-
-/* Return codes for the decrypt session ticket callback */
-typedef int SSL_TICKET_RETURN;
-
-/* An error occurred */
-#define SSL_TICKET_RETURN_ABORT             0
-/* Do not use the ticket, do not send a renewed ticket to the client */
-#define SSL_TICKET_RETURN_IGNORE            1
-/* Do not use the ticket, send a renewed ticket to the client */
-#define SSL_TICKET_RETURN_IGNORE_RENEW      2
-/* Use the ticket, do not send a renewed ticket to the client */
-#define SSL_TICKET_RETURN_USE               3
-/* Use the ticket, send a renewed ticket to the client */
-#define SSL_TICKET_RETURN_USE_RENEW         4
-
-typedef int (*SSL_CTX_generate_session_ticket_fn)(SSL *s, void *arg);
-typedef SSL_TICKET_RETURN (*SSL_CTX_decrypt_session_ticket_fn)(SSL *s, SSL_SESSION *ss,
-                                                               const unsigned char *keyname,
-                                                               size_t keyname_length,
-                                                               SSL_TICKET_STATUS status,
-                                                               void *arg);
-int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx,
-                                  SSL_CTX_generate_session_ticket_fn gen_cb,
-                                  SSL_CTX_decrypt_session_ticket_fn dec_cb,
-                                  void *arg);
-int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len);
-int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len);
-
-typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us);
-
-void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb);
-
-
-typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg);
-void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx,
-                                     SSL_allow_early_data_cb_fn cb,
-                                     void *arg);
-void SSL_set_allow_early_data_cb(SSL *s,
-                                 SSL_allow_early_data_cb_fn cb,
-                                 void *arg);
-
-/* store the default cipher strings inside the library */
-const char *OSSL_default_cipher_list(void);
-const char *OSSL_default_ciphersuites(void);
-
-# ifdef  __cplusplus
-}
-# endif
-#endif

+ 0 - 1085
libs/openssl/include/crypto/x509.h.in

@@ -1,1085 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_X509_H
-# define OPENSSL_X509_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_X509_H
-# endif
-
-# include <openssl/e_os2.h>
-# include <openssl/types.h>
-# include <openssl/symhacks.h>
-# include <openssl/buffer.h>
-# include <openssl/evp.h>
-# include <openssl/bio.h>
-# include <openssl/asn1.h>
-# include <openssl/safestack.h>
-# include <openssl/ec.h>
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  include <openssl/rsa.h>
-#  include <openssl/dsa.h>
-#  include <openssl/dh.h>
-# endif
-
-# include <openssl/sha.h>
-# include <openssl/x509err.h>
-# ifndef OPENSSL_NO_STDIO
-#  include <stdio.h>
-# endif
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/* Needed stacks for types defined in other headers */
-{-
-    generate_stack_macros("X509_NAME")
-    .generate_stack_macros("X509")
-    .generate_stack_macros("X509_REVOKED")
-    .generate_stack_macros("X509_CRL");
--}
-
-/* Flags for X509_get_signature_info() */
-/* Signature info is valid */
-# define X509_SIG_INFO_VALID     0x1
-/* Signature is suitable for TLS use */
-# define X509_SIG_INFO_TLS       0x2
-
-# define X509_FILETYPE_PEM       1
-# define X509_FILETYPE_ASN1      2
-# define X509_FILETYPE_DEFAULT   3
-
-# define X509v3_KU_DIGITAL_SIGNATURE     0x0080
-# define X509v3_KU_NON_REPUDIATION       0x0040
-# define X509v3_KU_KEY_ENCIPHERMENT      0x0020
-# define X509v3_KU_DATA_ENCIPHERMENT     0x0010
-# define X509v3_KU_KEY_AGREEMENT         0x0008
-# define X509v3_KU_KEY_CERT_SIGN         0x0004
-# define X509v3_KU_CRL_SIGN              0x0002
-# define X509v3_KU_ENCIPHER_ONLY         0x0001
-# define X509v3_KU_DECIPHER_ONLY         0x8000
-# define X509v3_KU_UNDEF                 0xffff
-
-struct X509_algor_st {
-    ASN1_OBJECT *algorithm;
-    ASN1_TYPE *parameter;
-} /* X509_ALGOR */ ;
-
-typedef STACK_OF(X509_ALGOR) X509_ALGORS;
-
-typedef struct X509_val_st {
-    ASN1_TIME *notBefore;
-    ASN1_TIME *notAfter;
-} X509_VAL;
-
-typedef struct X509_sig_st X509_SIG;
-
-typedef struct X509_name_entry_st X509_NAME_ENTRY;
-
-{-
-    generate_stack_macros("X509_NAME_ENTRY");
--}
-
-# define X509_EX_V_NETSCAPE_HACK         0x8000
-# define X509_EX_V_INIT                  0x0001
-typedef struct X509_extension_st X509_EXTENSION;
-{-
-    generate_stack_macros("X509_EXTENSION");
--}
-typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
-typedef struct x509_attributes_st X509_ATTRIBUTE;
-{-
-    generate_stack_macros("X509_ATTRIBUTE");
--}
-typedef struct X509_req_info_st X509_REQ_INFO;
-typedef struct X509_req_st X509_REQ;
-typedef struct x509_cert_aux_st X509_CERT_AUX;
-typedef struct x509_cinf_st X509_CINF;
-
-/* Flags for X509_print_ex() */
-
-# define X509_FLAG_COMPAT                0
-# define X509_FLAG_NO_HEADER             1L
-# define X509_FLAG_NO_VERSION            (1L << 1)
-# define X509_FLAG_NO_SERIAL             (1L << 2)
-# define X509_FLAG_NO_SIGNAME            (1L << 3)
-# define X509_FLAG_NO_ISSUER             (1L << 4)
-# define X509_FLAG_NO_VALIDITY           (1L << 5)
-# define X509_FLAG_NO_SUBJECT            (1L << 6)
-# define X509_FLAG_NO_PUBKEY             (1L << 7)
-# define X509_FLAG_NO_EXTENSIONS         (1L << 8)
-# define X509_FLAG_NO_SIGDUMP            (1L << 9)
-# define X509_FLAG_NO_AUX                (1L << 10)
-# define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
-# define X509_FLAG_NO_IDS                (1L << 12)
-# define X509_FLAG_EXTENSIONS_ONLY_KID   (1L << 13)
-
-/* Flags specific to X509_NAME_print_ex() */
-
-/* The field separator information */
-
-# define XN_FLAG_SEP_MASK        (0xf << 16)
-
-# define XN_FLAG_COMPAT          0/* Traditional; use old X509_NAME_print */
-# define XN_FLAG_SEP_COMMA_PLUS  (1 << 16)/* RFC2253 ,+ */
-# define XN_FLAG_SEP_CPLUS_SPC   (2 << 16)/* ,+ spaced: more readable */
-# define XN_FLAG_SEP_SPLUS_SPC   (3 << 16)/* ;+ spaced */
-# define XN_FLAG_SEP_MULTILINE   (4 << 16)/* One line per field */
-
-# define XN_FLAG_DN_REV          (1 << 20)/* Reverse DN order */
-
-/* How the field name is shown */
-
-# define XN_FLAG_FN_MASK         (0x3 << 21)
-
-# define XN_FLAG_FN_SN           0/* Object short name */
-# define XN_FLAG_FN_LN           (1 << 21)/* Object long name */
-# define XN_FLAG_FN_OID          (2 << 21)/* Always use OIDs */
-# define XN_FLAG_FN_NONE         (3 << 21)/* No field names */
-
-# define XN_FLAG_SPC_EQ          (1 << 23)/* Put spaces round '=' */
-
-/*
- * This determines if we dump fields we don't recognise: RFC2253 requires
- * this.
- */
-
-# define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24)
-
-# define XN_FLAG_FN_ALIGN        (1 << 25)/* Align field names to 20
-                                           * characters */
-
-/* Complete set of RFC2253 flags */
-
-# define XN_FLAG_RFC2253 (ASN1_STRFLGS_RFC2253 | \
-                        XN_FLAG_SEP_COMMA_PLUS | \
-                        XN_FLAG_DN_REV | \
-                        XN_FLAG_FN_SN | \
-                        XN_FLAG_DUMP_UNKNOWN_FIELDS)
-
-/* readable oneline form */
-
-# define XN_FLAG_ONELINE (ASN1_STRFLGS_RFC2253 | \
-                        ASN1_STRFLGS_ESC_QUOTE | \
-                        XN_FLAG_SEP_CPLUS_SPC | \
-                        XN_FLAG_SPC_EQ | \
-                        XN_FLAG_FN_SN)
-
-/* readable multiline form */
-
-# define XN_FLAG_MULTILINE (ASN1_STRFLGS_ESC_CTRL | \
-                        ASN1_STRFLGS_ESC_MSB | \
-                        XN_FLAG_SEP_MULTILINE | \
-                        XN_FLAG_SPC_EQ | \
-                        XN_FLAG_FN_LN | \
-                        XN_FLAG_FN_ALIGN)
-
-typedef struct X509_crl_info_st X509_CRL_INFO;
-
-typedef struct private_key_st {
-    int version;
-    /* The PKCS#8 data types */
-    X509_ALGOR *enc_algor;
-    ASN1_OCTET_STRING *enc_pkey; /* encrypted pub key */
-    /* When decrypted, the following will not be NULL */
-    EVP_PKEY *dec_pkey;
-    /* used to encrypt and decrypt */
-    int key_length;
-    char *key_data;
-    int key_free;               /* true if we should auto free key_data */
-    /* expanded version of 'enc_algor' */
-    EVP_CIPHER_INFO cipher;
-} X509_PKEY;
-
-typedef struct X509_info_st {
-    X509 *x509;
-    X509_CRL *crl;
-    X509_PKEY *x_pkey;
-    EVP_CIPHER_INFO enc_cipher;
-    int enc_len;
-    char *enc_data;
-} X509_INFO;
-{-
-    generate_stack_macros("X509_INFO");
--}
-
-/*
- * The next 2 structures and their 8 routines are used to manipulate Netscape's
- * spki structures - useful if you are writing a CA web page
- */
-typedef struct Netscape_spkac_st {
-    X509_PUBKEY *pubkey;
-    ASN1_IA5STRING *challenge;  /* challenge sent in atlas >= PR2 */
-} NETSCAPE_SPKAC;
-
-typedef struct Netscape_spki_st {
-    NETSCAPE_SPKAC *spkac;      /* signed public key and challenge */
-    X509_ALGOR sig_algor;
-    ASN1_BIT_STRING *signature;
-} NETSCAPE_SPKI;
-
-/* Netscape certificate sequence structure */
-typedef struct Netscape_certificate_sequence {
-    ASN1_OBJECT *type;
-    STACK_OF(X509) *certs;
-} NETSCAPE_CERT_SEQUENCE;
-
-/*- Unused (and iv length is wrong)
-typedef struct CBCParameter_st
-        {
-        unsigned char iv[8];
-        } CBC_PARAM;
-*/
-
-/* Password based encryption structure */
-
-typedef struct PBEPARAM_st {
-    ASN1_OCTET_STRING *salt;
-    ASN1_INTEGER *iter;
-} PBEPARAM;
-
-/* Password based encryption V2 structures */
-
-typedef struct PBE2PARAM_st {
-    X509_ALGOR *keyfunc;
-    X509_ALGOR *encryption;
-} PBE2PARAM;
-
-typedef struct PBKDF2PARAM_st {
-/* Usually OCTET STRING but could be anything */
-    ASN1_TYPE *salt;
-    ASN1_INTEGER *iter;
-    ASN1_INTEGER *keylength;
-    X509_ALGOR *prf;
-} PBKDF2PARAM;
-
-#ifndef OPENSSL_NO_SCRYPT
-typedef struct SCRYPT_PARAMS_st {
-    ASN1_OCTET_STRING *salt;
-    ASN1_INTEGER *costParameter;
-    ASN1_INTEGER *blockSize;
-    ASN1_INTEGER *parallelizationParameter;
-    ASN1_INTEGER *keyLength;
-} SCRYPT_PARAMS;
-#endif
-
-#ifdef  __cplusplus
-}
-#endif
-
-# include <openssl/x509_vfy.h>
-# include <openssl/pkcs7.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-# define X509_EXT_PACK_UNKNOWN   1
-# define X509_EXT_PACK_STRING    2
-
-# define         X509_extract_key(x)     X509_get_pubkey(x)/*****/
-# define         X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
-# define         X509_name_cmp(a,b)      X509_NAME_cmp((a),(b))
-
-void X509_CRL_set_default_method(const X509_CRL_METHOD *meth);
-X509_CRL_METHOD *X509_CRL_METHOD_new(int (*crl_init) (X509_CRL *crl),
-                                     int (*crl_free) (X509_CRL *crl),
-                                     int (*crl_lookup) (X509_CRL *crl,
-                                                        X509_REVOKED **ret,
-                                                        const
-                                                        ASN1_INTEGER *serial,
-                                                        const
-                                                        X509_NAME *issuer),
-                                     int (*crl_verify) (X509_CRL *crl,
-                                                        EVP_PKEY *pk));
-void X509_CRL_METHOD_free(X509_CRL_METHOD *m);
-
-void X509_CRL_set_meth_data(X509_CRL *crl, void *dat);
-void *X509_CRL_get_meth_data(X509_CRL *crl);
-
-const char *X509_verify_cert_error_string(long n);
-
-int X509_verify(X509 *a, EVP_PKEY *r);
-int X509_self_signed(X509 *cert, int verify_signature);
-
-int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,
-                       const char *propq);
-int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r);
-int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r);
-int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r);
-
-NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, int len);
-char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *x);
-EVP_PKEY *NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x);
-int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
-
-int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki);
-
-int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent);
-int X509_signature_print(BIO *bp, const X509_ALGOR *alg,
-                         const ASN1_STRING *sig);
-
-int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
-int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx);
-int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md);
-int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx);
-int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
-int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
-int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
-
-int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
-                       unsigned char *md, unsigned int *len);
-int X509_digest(const X509 *data, const EVP_MD *type,
-                unsigned char *md, unsigned int *len);
-ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert,
-                                   EVP_MD **md_used, int *md_is_fallback);
-int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
-                    unsigned char *md, unsigned int *len);
-int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type,
-                    unsigned char *md, unsigned int *len);
-int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
-                     unsigned char *md, unsigned int *len);
-
-X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout);
-X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout);
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  include <openssl/http.h> /* OSSL_HTTP_REQ_CTX_nbio_d2i */
-#  define X509_http_nbio(rctx, pcert) \
-      OSSL_HTTP_REQ_CTX_nbio_d2i(rctx, pcert, ASN1_ITEM_rptr(X509))
-#  define X509_CRL_http_nbio(rctx, pcrl) \
-      OSSL_HTTP_REQ_CTX_nbio_d2i(rctx, pcrl, ASN1_ITEM_rptr(X509_CRL))
-# endif
-
-# ifndef OPENSSL_NO_STDIO
-X509 *d2i_X509_fp(FILE *fp, X509 **x509);
-int i2d_X509_fp(FILE *fp, const X509 *x509);
-X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
-int i2d_X509_CRL_fp(FILE *fp, const X509_CRL *crl);
-X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
-int i2d_X509_REQ_fp(FILE *fp, const X509_REQ *req);
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_RSAPrivateKey_fp(FILE *fp, const RSA *rsa);
-OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_RSAPublicKey_fp(FILE *fp, const RSA *rsa);
-OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa);
-#  endif
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-#   ifndef OPENSSL_NO_DSA
-OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa);
-OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa);
-#   endif
-#  endif
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-#   ifndef OPENSSL_NO_EC
-OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
-OSSL_DEPRECATEDIN_3_0 int i2d_EC_PUBKEY_fp(FILE *fp, const EC_KEY *eckey);
-OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
-OSSL_DEPRECATEDIN_3_0 int i2d_ECPrivateKey_fp(FILE *fp, const EC_KEY *eckey);
-#   endif /* OPENSSL_NO_EC */
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
-X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
-int i2d_PKCS8_fp(FILE *fp, const X509_SIG *p8);
-X509_PUBKEY *d2i_X509_PUBKEY_fp(FILE *fp, X509_PUBKEY **xpk);
-int i2d_X509_PUBKEY_fp(FILE *fp, const X509_PUBKEY *xpk);
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
-                                                PKCS8_PRIV_KEY_INFO **p8inf);
-int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, const PKCS8_PRIV_KEY_INFO *p8inf);
-int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, const EVP_PKEY *key);
-int i2d_PrivateKey_fp(FILE *fp, const EVP_PKEY *pkey);
-EVP_PKEY *d2i_PrivateKey_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
-                               const char *propq);
-EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
-int i2d_PUBKEY_fp(FILE *fp, const EVP_PKEY *pkey);
-EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
-# endif
-
-X509 *d2i_X509_bio(BIO *bp, X509 **x509);
-int i2d_X509_bio(BIO *bp, const X509 *x509);
-X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
-int i2d_X509_CRL_bio(BIO *bp, const X509_CRL *crl);
-X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
-int i2d_X509_REQ_bio(BIO *bp, const X509_REQ *req);
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_RSAPrivateKey_bio(BIO *bp, const RSA *rsa);
-OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_RSAPublicKey_bio(BIO *bp, const RSA *rsa);
-OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa);
-#  endif
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-#   ifndef OPENSSL_NO_DSA
-OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa);
-OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
-OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa);
-#   endif
-#  endif
-
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-#   ifndef OPENSSL_NO_EC
-OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
-OSSL_DEPRECATEDIN_3_0 int i2d_EC_PUBKEY_bio(BIO *bp, const EC_KEY *eckey);
-OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
-OSSL_DEPRECATEDIN_3_0 int i2d_ECPrivateKey_bio(BIO *bp, const EC_KEY *eckey);
-#   endif /* OPENSSL_NO_EC */
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
-
-X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
-int i2d_PKCS8_bio(BIO *bp, const X509_SIG *p8);
-X509_PUBKEY *d2i_X509_PUBKEY_bio(BIO *bp, X509_PUBKEY **xpk);
-int i2d_X509_PUBKEY_bio(BIO *bp, const X509_PUBKEY *xpk);
-PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
-                                                 PKCS8_PRIV_KEY_INFO **p8inf);
-int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, const PKCS8_PRIV_KEY_INFO *p8inf);
-int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, const EVP_PKEY *key);
-int i2d_PrivateKey_bio(BIO *bp, const EVP_PKEY *pkey);
-EVP_PKEY *d2i_PrivateKey_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx,
-                                const char *propq);
-EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
-int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey);
-EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a);
-
-DECLARE_ASN1_DUP_FUNCTION(X509)
-DECLARE_ASN1_DUP_FUNCTION(X509_ALGOR)
-DECLARE_ASN1_DUP_FUNCTION(X509_ATTRIBUTE)
-DECLARE_ASN1_DUP_FUNCTION(X509_CRL)
-DECLARE_ASN1_DUP_FUNCTION(X509_EXTENSION)
-DECLARE_ASN1_DUP_FUNCTION(X509_PUBKEY)
-DECLARE_ASN1_DUP_FUNCTION(X509_REQ)
-DECLARE_ASN1_DUP_FUNCTION(X509_REVOKED)
-int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype,
-                    void *pval);
-void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype,
-                     const void **ppval, const X509_ALGOR *algor);
-void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
-int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
-int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src);
-
-DECLARE_ASN1_DUP_FUNCTION(X509_NAME)
-DECLARE_ASN1_DUP_FUNCTION(X509_NAME_ENTRY)
-
-int X509_cmp_time(const ASN1_TIME *s, time_t *t);
-int X509_cmp_current_time(const ASN1_TIME *s);
-int X509_cmp_timeframe(const X509_VERIFY_PARAM *vpm,
-                       const ASN1_TIME *start, const ASN1_TIME *end);
-ASN1_TIME *X509_time_adj(ASN1_TIME *s, long adj, time_t *t);
-ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
-                            int offset_day, long offset_sec, time_t *t);
-ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj);
-
-const char *X509_get_default_cert_area(void);
-const char *X509_get_default_cert_dir(void);
-const char *X509_get_default_cert_file(void);
-const char *X509_get_default_cert_dir_env(void);
-const char *X509_get_default_cert_file_env(void);
-const char *X509_get_default_private_dir(void);
-
-X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
-X509 *X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey);
-
-DECLARE_ASN1_FUNCTIONS(X509_ALGOR)
-DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS)
-DECLARE_ASN1_FUNCTIONS(X509_VAL)
-
-DECLARE_ASN1_FUNCTIONS(X509_PUBKEY)
-
-X509_PUBKEY *X509_PUBKEY_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
-int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
-EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key);
-EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key);
-int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain);
-long X509_get_pathlen(X509 *x);
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(EVP_PKEY, PUBKEY)
-EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length,
-                        OSSL_LIB_CTX *libctx, const char *propq);
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, RSA_PUBKEY)
-# endif
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  ifndef OPENSSL_NO_DSA
-DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,DSA, DSA_PUBKEY)
-#  endif
-# endif
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  ifndef OPENSSL_NO_EC
-DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, EC_KEY, EC_PUBKEY)
-#  endif
-# endif
-
-DECLARE_ASN1_FUNCTIONS(X509_SIG)
-void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg,
-                   const ASN1_OCTET_STRING **pdigest);
-void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
-                   ASN1_OCTET_STRING **pdigest);
-
-DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
-DECLARE_ASN1_FUNCTIONS(X509_REQ)
-X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
-
-DECLARE_ASN1_FUNCTIONS(X509_ATTRIBUTE)
-X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int atrtype, void *value);
-
-DECLARE_ASN1_FUNCTIONS(X509_EXTENSION)
-DECLARE_ASN1_ENCODE_FUNCTIONS(X509_EXTENSIONS, X509_EXTENSIONS, X509_EXTENSIONS)
-
-DECLARE_ASN1_FUNCTIONS(X509_NAME_ENTRY)
-
-DECLARE_ASN1_FUNCTIONS(X509_NAME)
-
-int X509_NAME_set(X509_NAME **xn, const X509_NAME *name);
-
-DECLARE_ASN1_FUNCTIONS(X509_CINF)
-DECLARE_ASN1_FUNCTIONS(X509)
-X509 *X509_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
-DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX)
-
-#define X509_get_ex_new_index(l, p, newf, dupf, freef) \
-    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, l, p, newf, dupf, freef)
-int X509_set_ex_data(X509 *r, int idx, void *arg);
-void *X509_get_ex_data(const X509 *r, int idx);
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(X509,X509_AUX)
-
-int i2d_re_X509_tbs(X509 *x, unsigned char **pp);
-
-int X509_SIG_INFO_get(const X509_SIG_INFO *siginf, int *mdnid, int *pknid,
-                      int *secbits, uint32_t *flags);
-void X509_SIG_INFO_set(X509_SIG_INFO *siginf, int mdnid, int pknid,
-                       int secbits, uint32_t flags);
-
-int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits,
-                            uint32_t *flags);
-
-void X509_get0_signature(const ASN1_BIT_STRING **psig,
-                         const X509_ALGOR **palg, const X509 *x);
-int X509_get_signature_nid(const X509 *x);
-
-void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *d_id);
-ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x);
-void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id);
-ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x);
-
-int X509_alias_set1(X509 *x, const unsigned char *name, int len);
-int X509_keyid_set1(X509 *x, const unsigned char *id, int len);
-unsigned char *X509_alias_get0(X509 *x, int *len);
-unsigned char *X509_keyid_get0(X509 *x, int *len);
-
-DECLARE_ASN1_FUNCTIONS(X509_REVOKED)
-DECLARE_ASN1_FUNCTIONS(X509_CRL_INFO)
-DECLARE_ASN1_FUNCTIONS(X509_CRL)
-X509_CRL *X509_CRL_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
-
-int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
-int X509_CRL_get0_by_serial(X509_CRL *crl,
-                            X509_REVOKED **ret, const ASN1_INTEGER *serial);
-int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
-
-X509_PKEY *X509_PKEY_new(void);
-void X509_PKEY_free(X509_PKEY *a);
-
-DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKI)
-DECLARE_ASN1_FUNCTIONS(NETSCAPE_SPKAC)
-DECLARE_ASN1_FUNCTIONS(NETSCAPE_CERT_SEQUENCE)
-
-X509_INFO *X509_INFO_new(void);
-void X509_INFO_free(X509_INFO *a);
-char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size);
-
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-OSSL_DEPRECATEDIN_3_0
-int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *algor1,
-                ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey);
-OSSL_DEPRECATEDIN_3_0
-int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
-                unsigned char *md, unsigned int *len);
-OSSL_DEPRECATEDIN_3_0
-int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
-              ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey,
-              const EVP_MD *type);
-#endif
-int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *data,
-                     unsigned char *md, unsigned int *len);
-int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *alg,
-                     const ASN1_BIT_STRING *signature, const void *data,
-                     EVP_PKEY *pkey);
-int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
-                         const ASN1_BIT_STRING *signature, const void *data,
-                         EVP_MD_CTX *ctx);
-int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
-                   ASN1_BIT_STRING *signature, const void *data,
-                   EVP_PKEY *pkey, const EVP_MD *md);
-int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
-                       X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
-                       const void *data, EVP_MD_CTX *ctx);
-
-#define X509_VERSION_1 0
-#define X509_VERSION_2 1
-#define X509_VERSION_3 2
-
-long X509_get_version(const X509 *x);
-int X509_set_version(X509 *x, long version);
-int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
-ASN1_INTEGER *X509_get_serialNumber(X509 *x);
-const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
-int X509_set_issuer_name(X509 *x, const X509_NAME *name);
-X509_NAME *X509_get_issuer_name(const X509 *a);
-int X509_set_subject_name(X509 *x, const X509_NAME *name);
-X509_NAME *X509_get_subject_name(const X509 *a);
-const ASN1_TIME * X509_get0_notBefore(const X509 *x);
-ASN1_TIME *X509_getm_notBefore(const X509 *x);
-int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
-const ASN1_TIME *X509_get0_notAfter(const X509 *x);
-ASN1_TIME *X509_getm_notAfter(const X509 *x);
-int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
-int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
-int X509_up_ref(X509 *x);
-int X509_get_signature_type(const X509 *x);
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define X509_get_notBefore X509_getm_notBefore
-#  define X509_get_notAfter X509_getm_notAfter
-#  define X509_set_notBefore X509_set1_notBefore
-#  define X509_set_notAfter X509_set1_notAfter
-#endif
-
-
-/*
- * This one is only used so that a binary form can output, as in
- * i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &buf)
- */
-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
-const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
-void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
-                    const ASN1_BIT_STRING **psuid);
-const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
-
-EVP_PKEY *X509_get0_pubkey(const X509 *x);
-EVP_PKEY *X509_get_pubkey(X509 *x);
-ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x);
-
-#define X509_REQ_VERSION_1 0
-
-long X509_REQ_get_version(const X509_REQ *req);
-int X509_REQ_set_version(X509_REQ *x, long version);
-X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
-int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name);
-void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
-                             const X509_ALGOR **palg);
-void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig);
-int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg);
-int X509_REQ_get_signature_nid(const X509_REQ *req);
-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
-int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
-EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
-EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req);
-X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *req);
-int X509_REQ_extension_nid(int nid);
-int *X509_REQ_get_extension_nids(void);
-void X509_REQ_set_extension_nids(int *nids);
-STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req);
-int X509_REQ_add_extensions_nid(X509_REQ *req,
-                                const STACK_OF(X509_EXTENSION) *exts, int nid);
-int X509_REQ_add_extensions(X509_REQ *req, const STACK_OF(X509_EXTENSION) *ext);
-int X509_REQ_get_attr_count(const X509_REQ *req);
-int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos);
-int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
-                             int lastpos);
-X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc);
-X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc);
-int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr);
-int X509_REQ_add1_attr_by_OBJ(X509_REQ *req,
-                              const ASN1_OBJECT *obj, int type,
-                              const unsigned char *bytes, int len);
-int X509_REQ_add1_attr_by_NID(X509_REQ *req,
-                              int nid, int type,
-                              const unsigned char *bytes, int len);
-int X509_REQ_add1_attr_by_txt(X509_REQ *req,
-                              const char *attrname, int type,
-                              const unsigned char *bytes, int len);
-
-#define X509_CRL_VERSION_1 0
-#define X509_CRL_VERSION_2 1
-
-int X509_CRL_set_version(X509_CRL *x, long version);
-int X509_CRL_set_issuer_name(X509_CRL *x, const X509_NAME *name);
-int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm);
-int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm);
-int X509_CRL_sort(X509_CRL *crl);
-int X509_CRL_up_ref(X509_CRL *crl);
-
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate
-#  define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate
-#endif
-
-long X509_CRL_get_version(const X509_CRL *crl);
-const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
-const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
-#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl);
-OSSL_DEPRECATEDIN_1_1_0 ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl);
-#endif
-X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
-const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl);
-STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl);
-void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
-                             const X509_ALGOR **palg);
-int X509_CRL_get_signature_nid(const X509_CRL *crl);
-int i2d_re_X509_CRL_tbs(X509_CRL *req, unsigned char **pp);
-
-const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x);
-int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
-const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x);
-int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
-const STACK_OF(X509_EXTENSION) *
-X509_REVOKED_get0_extensions(const X509_REVOKED *r);
-
-X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
-                        EVP_PKEY *skey, const EVP_MD *md, unsigned int flags);
-
-int X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
-
-int X509_check_private_key(const X509 *x509, const EVP_PKEY *pkey);
-int X509_chain_check_suiteb(int *perror_depth,
-                            X509 *x, STACK_OF(X509) *chain,
-                            unsigned long flags);
-int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags);
-STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain);
-
-int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
-unsigned long X509_issuer_and_serial_hash(X509 *a);
-
-int X509_issuer_name_cmp(const X509 *a, const X509 *b);
-unsigned long X509_issuer_name_hash(X509 *a);
-
-int X509_subject_name_cmp(const X509 *a, const X509 *b);
-unsigned long X509_subject_name_hash(X509 *x);
-
-# ifndef OPENSSL_NO_MD5
-unsigned long X509_issuer_name_hash_old(X509 *a);
-unsigned long X509_subject_name_hash_old(X509 *x);
-# endif
-
-# define X509_ADD_FLAG_DEFAULT  0
-# define X509_ADD_FLAG_UP_REF   0x1
-# define X509_ADD_FLAG_PREPEND  0x2
-# define X509_ADD_FLAG_NO_DUP   0x4
-# define X509_ADD_FLAG_NO_SS    0x8
-int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
-int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags);
-
-int X509_cmp(const X509 *a, const X509 *b);
-int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-# define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL)
-OSSL_DEPRECATEDIN_3_0 int X509_certificate_type(const X509 *x,
-                                                const EVP_PKEY *pubkey);
-#endif
-unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx,
-                                const char *propq, int *ok);
-unsigned long X509_NAME_hash_old(const X509_NAME *x);
-
-int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
-int X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
-int X509_aux_print(BIO *out, X509 *x, int indent);
-# ifndef OPENSSL_NO_STDIO
-int X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag,
-                     unsigned long cflag);
-int X509_print_fp(FILE *bp, X509 *x);
-int X509_CRL_print_fp(FILE *bp, X509_CRL *x);
-int X509_REQ_print_fp(FILE *bp, X509_REQ *req);
-int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent,
-                          unsigned long flags);
-# endif
-
-int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase);
-int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
-                       unsigned long flags);
-int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag,
-                  unsigned long cflag);
-int X509_print(BIO *bp, X509 *x);
-int X509_ocspid_print(BIO *bp, X509 *x);
-int X509_CRL_print_ex(BIO *out, X509_CRL *x, unsigned long nmflag);
-int X509_CRL_print(BIO *bp, X509_CRL *x);
-int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag,
-                      unsigned long cflag);
-int X509_REQ_print(BIO *bp, X509_REQ *req);
-
-int X509_NAME_entry_count(const X509_NAME *name);
-int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid,
-                              char *buf, int len);
-int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
-                              char *buf, int len);
-
-/*
- * NOTE: you should be passing -1, not 0 as lastpos. The functions that use
- * lastpos, search after that position on.
- */
-int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos);
-int X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj,
-                               int lastpos);
-X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc);
-X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc);
-int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne,
-                        int loc, int set);
-int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type,
-                               const unsigned char *bytes, int len, int loc,
-                               int set);
-int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
-                               const unsigned char *bytes, int len, int loc,
-                               int set);
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-                                               const char *field, int type,
-                                               const unsigned char *bytes,
-                                               int len);
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
-                                               int type,
-                                               const unsigned char *bytes,
-                                               int len);
-int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
-                               const unsigned char *bytes, int len, int loc,
-                               int set);
-X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-                                               const ASN1_OBJECT *obj, int type,
-                                               const unsigned char *bytes,
-                                               int len);
-int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj);
-int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-                             const unsigned char *bytes, int len);
-ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne);
-ASN1_STRING * X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
-int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne);
-
-int X509_NAME_get0_der(const X509_NAME *nm, const unsigned char **pder,
-                       size_t *pderlen);
-
-int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
-int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
-                          int nid, int lastpos);
-int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
-                          const ASN1_OBJECT *obj, int lastpos);
-int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
-                               int crit, int lastpos);
-X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
-X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
-STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
-                                         X509_EXTENSION *ex, int loc);
-
-int X509_get_ext_count(const X509 *x);
-int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
-int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos);
-int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos);
-X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
-X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
-int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
-void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
-int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
-                      unsigned long flags);
-
-int X509_CRL_get_ext_count(const X509_CRL *x);
-int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
-int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj,
-                            int lastpos);
-int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos);
-X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
-X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
-int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
-void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
-int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
-                          unsigned long flags);
-
-int X509_REVOKED_get_ext_count(const X509_REVOKED *x);
-int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos);
-int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj,
-                                int lastpos);
-int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit,
-                                     int lastpos);
-X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc);
-X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
-int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
-void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, int *crit,
-                               int *idx);
-int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit,
-                              unsigned long flags);
-
-X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
-                                             int nid, int crit,
-                                             ASN1_OCTET_STRING *data);
-X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
-                                             const ASN1_OBJECT *obj, int crit,
-                                             ASN1_OCTET_STRING *data);
-int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
-int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
-int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
-ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
-ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
-int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
-
-int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
-int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid,
-                           int lastpos);
-int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk,
-                           const ASN1_OBJECT *obj, int lastpos);
-X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc);
-X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc);
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x,
-                                           X509_ATTRIBUTE *attr);
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE)
-                                                  **x, const ASN1_OBJECT *obj,
-                                                  int type,
-                                                  const unsigned char *bytes,
-                                                  int len);
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE)
-                                                  **x, int nid, int type,
-                                                  const unsigned char *bytes,
-                                                  int len);
-STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE)
-                                                  **x, const char *attrname,
-                                                  int type,
-                                                  const unsigned char *bytes,
-                                                  int len);
-void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
-                              const ASN1_OBJECT *obj, int lastpos, int type);
-X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
-                                             int atrtype, const void *data,
-                                             int len);
-X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr,
-                                             const ASN1_OBJECT *obj,
-                                             int atrtype, const void *data,
-                                             int len);
-X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
-                                             const char *atrname, int type,
-                                             const unsigned char *bytes,
-                                             int len);
-int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
-int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
-                             const void *data, int len);
-void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype,
-                               void *data);
-int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
-ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
-ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
-
-int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
-int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos);
-int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, const ASN1_OBJECT *obj,
-                             int lastpos);
-X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc);
-X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc);
-int EVP_PKEY_add1_attr(EVP_PKEY *key, X509_ATTRIBUTE *attr);
-int EVP_PKEY_add1_attr_by_OBJ(EVP_PKEY *key,
-                              const ASN1_OBJECT *obj, int type,
-                              const unsigned char *bytes, int len);
-int EVP_PKEY_add1_attr_by_NID(EVP_PKEY *key,
-                              int nid, int type,
-                              const unsigned char *bytes, int len);
-int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
-                              const char *attrname, int type,
-                              const unsigned char *bytes, int len);
-
-/* lookup a cert from a X509 STACK */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
-                                     const ASN1_INTEGER *serial);
-X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name);
-
-DECLARE_ASN1_FUNCTIONS(PBEPARAM)
-DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
-DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM)
-#ifndef OPENSSL_NO_SCRYPT
-DECLARE_ASN1_FUNCTIONS(SCRYPT_PARAMS)
-#endif
-
-int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
-                         const unsigned char *salt, int saltlen);
-int PKCS5_pbe_set0_algor_ex(X509_ALGOR *algor, int alg, int iter,
-                            const unsigned char *salt, int saltlen,
-                            OSSL_LIB_CTX *libctx);
-
-X509_ALGOR *PKCS5_pbe_set(int alg, int iter,
-                          const unsigned char *salt, int saltlen);
-X509_ALGOR *PKCS5_pbe_set_ex(int alg, int iter,
-                             const unsigned char *salt, int saltlen,
-                             OSSL_LIB_CTX *libctx);
-
-X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
-                           unsigned char *salt, int saltlen);
-X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter,
-                              unsigned char *salt, int saltlen,
-                              unsigned char *aiv, int prf_nid);
-X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter,
-                                 unsigned char *salt, int saltlen,
-                                 unsigned char *aiv, int prf_nid,
-                                 OSSL_LIB_CTX *libctx);
-
-#ifndef OPENSSL_NO_SCRYPT
-X509_ALGOR *PKCS5_pbe2_set_scrypt(const EVP_CIPHER *cipher,
-                                  const unsigned char *salt, int saltlen,
-                                  unsigned char *aiv, uint64_t N, uint64_t r,
-                                  uint64_t p);
-#endif
-
-X509_ALGOR *PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen,
-                             int prf_nid, int keylen);
-X509_ALGOR *PKCS5_pbkdf2_set_ex(int iter, unsigned char *salt, int saltlen,
-                                int prf_nid, int keylen,
-                                OSSL_LIB_CTX *libctx);
-
-/* PKCS#8 utilities */
-
-DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
-
-EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8);
-EVP_PKEY *EVP_PKCS82PKEY_ex(const PKCS8_PRIV_KEY_INFO *p8, OSSL_LIB_CTX *libctx,
-                            const char *propq);
-PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey);
-
-int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj,
-                    int version, int ptype, void *pval,
-                    unsigned char *penc, int penclen);
-int PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg,
-                    const unsigned char **pk, int *ppklen,
-                    const X509_ALGOR **pa, const PKCS8_PRIV_KEY_INFO *p8);
-
-const STACK_OF(X509_ATTRIBUTE) *
-PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8);
-int PKCS8_pkey_add1_attr(PKCS8_PRIV_KEY_INFO *p8, X509_ATTRIBUTE *attr);
-int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
-                                const unsigned char *bytes, int len);
-int PKCS8_pkey_add1_attr_by_OBJ(PKCS8_PRIV_KEY_INFO *p8, const ASN1_OBJECT *obj,
-                                int type, const unsigned char *bytes, int len);
-
-
-int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj,
-                           int ptype, void *pval,
-                           unsigned char *penc, int penclen);
-int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg,
-                           const unsigned char **pk, int *ppklen,
-                           X509_ALGOR **pa, const X509_PUBKEY *pub);
-int X509_PUBKEY_eq(const X509_PUBKEY *a, const X509_PUBKEY *b);
-
-# ifdef  __cplusplus
-}
-# endif
-#endif

+ 0 - 797
libs/openssl/include/crypto/x509_vfy.h.in

@@ -1,797 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_X509_VFY_H
-# define OPENSSL_X509_VFY_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_X509_VFY_H
-# endif
-
-/*
- * Protect against recursion, x509.h and x509_vfy.h each include the other.
- */
-# ifndef OPENSSL_X509_H
-#  include <openssl/x509.h>
-# endif
-
-# include <openssl/opensslconf.h>
-# include <openssl/lhash.h>
-# include <openssl/bio.h>
-# include <openssl/crypto.h>
-# include <openssl/symhacks.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/*-
-SSL_CTX -> X509_STORE
-                -> X509_LOOKUP
-                        ->X509_LOOKUP_METHOD
-                -> X509_LOOKUP
-                        ->X509_LOOKUP_METHOD
-
-SSL     -> X509_STORE_CTX
-                ->X509_STORE
-
-The X509_STORE holds the tables etc for verification stuff.
-A X509_STORE_CTX is used while validating a single certificate.
-The X509_STORE has X509_LOOKUPs for looking up certs.
-The X509_STORE then calls a function to actually verify the
-certificate chain.
-*/
-
-typedef enum {
-    X509_LU_NONE = 0,
-    X509_LU_X509, X509_LU_CRL
-} X509_LOOKUP_TYPE;
-
-#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#define X509_LU_RETRY   -1
-#define X509_LU_FAIL    0
-#endif
-
-{-
-    generate_stack_macros("X509_LOOKUP")
-    .generate_stack_macros("X509_OBJECT")
-    .generate_stack_macros("X509_VERIFY_PARAM");
--}
-
-/* This is used for a table of trust checking functions */
-typedef struct x509_trust_st {
-    int trust;
-    int flags;
-    int (*check_trust) (struct x509_trust_st *, X509 *, int);
-    char *name;
-    int arg1;
-    void *arg2;
-} X509_TRUST;
-{-
-    generate_stack_macros("X509_TRUST");
--}
-
-/* standard trust ids */
-# define X509_TRUST_DEFAULT      0 /* Only valid in purpose settings */
-# define X509_TRUST_COMPAT       1
-# define X509_TRUST_SSL_CLIENT   2
-# define X509_TRUST_SSL_SERVER   3
-# define X509_TRUST_EMAIL        4
-# define X509_TRUST_OBJECT_SIGN  5
-# define X509_TRUST_OCSP_SIGN    6
-# define X509_TRUST_OCSP_REQUEST 7
-# define X509_TRUST_TSA          8
-/* Keep these up to date! */
-# define X509_TRUST_MIN          1
-# define X509_TRUST_MAX          8
-
-/* trust_flags values */
-# define X509_TRUST_DYNAMIC      (1U << 0)
-# define X509_TRUST_DYNAMIC_NAME (1U << 1)
-/* No compat trust if self-signed, preempts "DO_SS" */
-# define X509_TRUST_NO_SS_COMPAT (1U << 2)
-/* Compat trust if no explicit accepted trust EKUs */
-# define X509_TRUST_DO_SS_COMPAT (1U << 3)
-/* Accept "anyEKU" as a wildcard rejection OID and as a wildcard trust OID */
-# define X509_TRUST_OK_ANY_EKU   (1U << 4)
-
-/* check_trust return codes */
-# define X509_TRUST_TRUSTED      1
-# define X509_TRUST_REJECTED     2
-# define X509_TRUST_UNTRUSTED    3
-
-int X509_TRUST_set(int *t, int trust);
-int X509_TRUST_get_count(void);
-X509_TRUST *X509_TRUST_get0(int idx);
-int X509_TRUST_get_by_id(int id);
-int X509_TRUST_add(int id, int flags, int (*ck) (X509_TRUST *, X509 *, int),
-                   const char *name, int arg1, void *arg2);
-void X509_TRUST_cleanup(void);
-int X509_TRUST_get_flags(const X509_TRUST *xp);
-char *X509_TRUST_get0_name(const X509_TRUST *xp);
-int X509_TRUST_get_trust(const X509_TRUST *xp);
-
-int X509_trusted(const X509 *x);
-int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj);
-int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj);
-void X509_trust_clear(X509 *x);
-void X509_reject_clear(X509 *x);
-STACK_OF(ASN1_OBJECT) *X509_get0_trust_objects(X509 *x);
-STACK_OF(ASN1_OBJECT) *X509_get0_reject_objects(X509 *x);
-
-int (*X509_TRUST_set_default(int (*trust) (int, X509 *, int))) (int, X509 *,
-                                                                int);
-int X509_check_trust(X509 *x, int id, int flags);
-
-int X509_verify_cert(X509_STORE_CTX *ctx);
-int X509_STORE_CTX_verify(X509_STORE_CTX *ctx);
-STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
-                                 X509_STORE *store, int with_self_signed,
-                                 OSSL_LIB_CTX *libctx, const char *propq);
-
-int X509_STORE_set_depth(X509_STORE *store, int depth);
-
-typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
-int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx);
-typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
-typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer,
-                                            X509_STORE_CTX *ctx, X509 *x);
-typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx,
-                                              X509 *x, X509 *issuer);
-typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
-typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx,
-                                         X509_CRL **crl, X509 *x);
-typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
-typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx,
-                                          X509_CRL *crl, X509 *x);
-typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
-typedef STACK_OF(X509)
-    *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
-                                       const X509_NAME *nm);
-typedef STACK_OF(X509_CRL)
-    *(*X509_STORE_CTX_lookup_crls_fn)(const X509_STORE_CTX *ctx,
-                                      const X509_NAME *nm);
-typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
-
-void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
-
-# define X509_STORE_CTX_set_app_data(ctx,data) \
-        X509_STORE_CTX_set_ex_data(ctx,0,data)
-# define X509_STORE_CTX_get_app_data(ctx) \
-        X509_STORE_CTX_get_ex_data(ctx,0)
-
-# define X509_L_FILE_LOAD        1
-# define X509_L_ADD_DIR          2
-# define X509_L_ADD_STORE        3
-# define X509_L_LOAD_STORE       4
-
-# define X509_LOOKUP_load_file(x,name,type) \
-                X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
-
-# define X509_LOOKUP_add_dir(x,name,type) \
-                X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
-
-# define X509_LOOKUP_add_store(x,name) \
-                X509_LOOKUP_ctrl((x),X509_L_ADD_STORE,(name),0,NULL)
-
-# define X509_LOOKUP_load_store(x,name) \
-                X509_LOOKUP_ctrl((x),X509_L_LOAD_STORE,(name),0,NULL)
-
-# define X509_LOOKUP_load_file_ex(x, name, type, libctx, propq)       \
-X509_LOOKUP_ctrl_ex((x), X509_L_FILE_LOAD, (name), (long)(type), NULL,\
-                    (libctx), (propq))
-
-# define X509_LOOKUP_load_store_ex(x, name, libctx, propq)            \
-X509_LOOKUP_ctrl_ex((x), X509_L_LOAD_STORE, (name), 0, NULL,          \
-                    (libctx), (propq))
-
-# define X509_LOOKUP_add_store_ex(x, name, libctx, propq)             \
-X509_LOOKUP_ctrl_ex((x), X509_L_ADD_STORE, (name), 0, NULL,           \
-                    (libctx), (propq))
-
-# define X509_V_OK                                       0
-# define X509_V_ERR_UNSPECIFIED                          1
-# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
-# define X509_V_ERR_UNABLE_TO_GET_CRL                    3
-# define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE     4
-# define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE      5
-# define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY   6
-# define X509_V_ERR_CERT_SIGNATURE_FAILURE               7
-# define X509_V_ERR_CRL_SIGNATURE_FAILURE                8
-# define X509_V_ERR_CERT_NOT_YET_VALID                   9
-# define X509_V_ERR_CERT_HAS_EXPIRED                     10
-# define X509_V_ERR_CRL_NOT_YET_VALID                    11
-# define X509_V_ERR_CRL_HAS_EXPIRED                      12
-# define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD       13
-# define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD        14
-# define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD       15
-# define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD       16
-# define X509_V_ERR_OUT_OF_MEM                           17
-# define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT          18
-# define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN            19
-# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY    20
-# define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE      21
-# define X509_V_ERR_CERT_CHAIN_TOO_LONG                  22
-# define X509_V_ERR_CERT_REVOKED                         23
-# define X509_V_ERR_NO_ISSUER_PUBLIC_KEY                 24
-# define X509_V_ERR_PATH_LENGTH_EXCEEDED                 25
-# define X509_V_ERR_INVALID_PURPOSE                      26
-# define X509_V_ERR_CERT_UNTRUSTED                       27
-# define X509_V_ERR_CERT_REJECTED                        28
-
-/* These are 'informational' when looking for issuer cert */
-# define X509_V_ERR_SUBJECT_ISSUER_MISMATCH              29
-# define X509_V_ERR_AKID_SKID_MISMATCH                   30
-# define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
-# define X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32
-# define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER             33
-# define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION         34
-# define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN                 35
-# define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION     36
-# define X509_V_ERR_INVALID_NON_CA                       37
-# define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED           38
-# define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE        39
-# define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED       40
-# define X509_V_ERR_INVALID_EXTENSION                    41
-# define X509_V_ERR_INVALID_POLICY_EXTENSION             42
-# define X509_V_ERR_NO_EXPLICIT_POLICY                   43
-# define X509_V_ERR_DIFFERENT_CRL_SCOPE                  44
-# define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE        45
-# define X509_V_ERR_UNNESTED_RESOURCE                    46
-# define X509_V_ERR_PERMITTED_VIOLATION                  47
-# define X509_V_ERR_EXCLUDED_VIOLATION                   48
-# define X509_V_ERR_SUBTREE_MINMAX                       49
-/* The application is not happy */
-# define X509_V_ERR_APPLICATION_VERIFICATION             50
-# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE          51
-# define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
-# define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
-# define X509_V_ERR_CRL_PATH_VALIDATION_ERROR            54
-/* Another issuer check debug option */
-# define X509_V_ERR_PATH_LOOP                            55
-/* Suite B mode algorithm violation */
-# define X509_V_ERR_SUITE_B_INVALID_VERSION              56
-# define X509_V_ERR_SUITE_B_INVALID_ALGORITHM            57
-# define X509_V_ERR_SUITE_B_INVALID_CURVE                58
-# define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM  59
-# define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED              60
-# define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
-/* Host, email and IP check errors */
-# define X509_V_ERR_HOSTNAME_MISMATCH                    62
-# define X509_V_ERR_EMAIL_MISMATCH                       63
-# define X509_V_ERR_IP_ADDRESS_MISMATCH                  64
-/* DANE TLSA errors */
-# define X509_V_ERR_DANE_NO_MATCH                        65
-/* security level errors */
-# define X509_V_ERR_EE_KEY_TOO_SMALL                     66
-# define X509_V_ERR_CA_KEY_TOO_SMALL                     67
-# define X509_V_ERR_CA_MD_TOO_WEAK                       68
-/* Caller error */
-# define X509_V_ERR_INVALID_CALL                         69
-/* Issuer lookup error */
-# define X509_V_ERR_STORE_LOOKUP                         70
-/* Certificate transparency */
-# define X509_V_ERR_NO_VALID_SCTS                        71
-
-# define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION         72
-/* OCSP status errors */
-# define X509_V_ERR_OCSP_VERIFY_NEEDED                   73  /* Need OCSP verification */
-# define X509_V_ERR_OCSP_VERIFY_FAILED                   74  /* Couldn't verify cert through OCSP */
-# define X509_V_ERR_OCSP_CERT_UNKNOWN                    75  /* Certificate wasn't recognized by the OCSP responder */
-
-# define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM      76
-# define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH         77
-
-/* Errors in case a check in X509_V_FLAG_X509_STRICT mode fails */
-# define X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY    78
-# define X509_V_ERR_INVALID_CA                           79
-# define X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA           80
-# define X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN     81
-# define X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA  82
-# define X509_V_ERR_ISSUER_NAME_EMPTY                    83
-# define X509_V_ERR_SUBJECT_NAME_EMPTY                   84
-# define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER     85
-# define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER       86
-# define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME               87
-# define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL       88
-# define X509_V_ERR_CA_BCONS_NOT_CRITICAL                89
-# define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL    90
-# define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL      91
-# define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE            92
-# define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3         93
-# define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS               94
-
-/* Certificate verify flags */
-# ifndef OPENSSL_NO_DEPRECATED_1_1_0
-#  define X509_V_FLAG_CB_ISSUER_CHECK             0x0   /* Deprecated */
-# endif
-/* Use check time instead of current time */
-# define X509_V_FLAG_USE_CHECK_TIME              0x2
-/* Lookup CRLs */
-# define X509_V_FLAG_CRL_CHECK                   0x4
-/* Lookup CRLs for whole chain */
-# define X509_V_FLAG_CRL_CHECK_ALL               0x8
-/* Ignore unhandled critical extensions */
-# define X509_V_FLAG_IGNORE_CRITICAL             0x10
-/* Disable workarounds for broken certificates */
-# define X509_V_FLAG_X509_STRICT                 0x20
-/* Enable proxy certificate validation */
-# define X509_V_FLAG_ALLOW_PROXY_CERTS           0x40
-/* Enable policy checking */
-# define X509_V_FLAG_POLICY_CHECK                0x80
-/* Policy variable require-explicit-policy */
-# define X509_V_FLAG_EXPLICIT_POLICY             0x100
-/* Policy variable inhibit-any-policy */
-# define X509_V_FLAG_INHIBIT_ANY                 0x200
-/* Policy variable inhibit-policy-mapping */
-# define X509_V_FLAG_INHIBIT_MAP                 0x400
-/* Notify callback that policy is OK */
-# define X509_V_FLAG_NOTIFY_POLICY               0x800
-/* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
-# define X509_V_FLAG_EXTENDED_CRL_SUPPORT        0x1000
-/* Delta CRL support */
-# define X509_V_FLAG_USE_DELTAS                  0x2000
-/* Check self-signed CA signature */
-# define X509_V_FLAG_CHECK_SS_SIGNATURE          0x4000
-/* Use trusted store first */
-# define X509_V_FLAG_TRUSTED_FIRST               0x8000
-/* Suite B 128 bit only mode: not normally used */
-# define X509_V_FLAG_SUITEB_128_LOS_ONLY         0x10000
-/* Suite B 192 bit only mode */
-# define X509_V_FLAG_SUITEB_192_LOS              0x20000
-/* Suite B 128 bit mode allowing 192 bit algorithms */
-# define X509_V_FLAG_SUITEB_128_LOS              0x30000
-/* Allow partial chains if at least one certificate is in trusted store */
-# define X509_V_FLAG_PARTIAL_CHAIN               0x80000
-/*
- * If the initial chain is not trusted, do not attempt to build an alternative
- * chain. Alternate chain checking was introduced in 1.1.0. Setting this flag
- * will force the behaviour to match that of previous versions.
- */
-# define X509_V_FLAG_NO_ALT_CHAINS               0x100000
-/* Do not check certificate/CRL validity against current time */
-# define X509_V_FLAG_NO_CHECK_TIME               0x200000
-
-# define X509_VP_FLAG_DEFAULT                    0x1
-# define X509_VP_FLAG_OVERWRITE                  0x2
-# define X509_VP_FLAG_RESET_FLAGS                0x4
-# define X509_VP_FLAG_LOCKED                     0x8
-# define X509_VP_FLAG_ONCE                       0x10
-
-/* Internal use: mask of policy related options */
-# define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \
-                                | X509_V_FLAG_EXPLICIT_POLICY \
-                                | X509_V_FLAG_INHIBIT_ANY \
-                                | X509_V_FLAG_INHIBIT_MAP)
-
-int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type,
-                               const X509_NAME *name);
-X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,
-                                             X509_LOOKUP_TYPE type,
-                                             const X509_NAME *name);
-X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
-                                        X509_OBJECT *x);
-int X509_OBJECT_up_ref_count(X509_OBJECT *a);
-X509_OBJECT *X509_OBJECT_new(void);
-void X509_OBJECT_free(X509_OBJECT *a);
-X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a);
-X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
-int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj);
-X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a);
-int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj);
-X509_STORE *X509_STORE_new(void);
-void X509_STORE_free(X509_STORE *v);
-int X509_STORE_lock(X509_STORE *ctx);
-int X509_STORE_unlock(X509_STORE *ctx);
-int X509_STORE_up_ref(X509_STORE *v);
-STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(const X509_STORE *v);
-STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *st);
-STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *st,
-                                          const X509_NAME *nm);
-STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(const X509_STORE_CTX *st,
-                                             const X509_NAME *nm);
-int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
-int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
-int X509_STORE_set_trust(X509_STORE *ctx, int trust);
-int X509_STORE_set1_param(X509_STORE *ctx, const X509_VERIFY_PARAM *pm);
-X509_VERIFY_PARAM *X509_STORE_get0_param(const X509_STORE *ctx);
-
-void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify);
-#define X509_STORE_set_verify_func(ctx, func) \
-            X509_STORE_set_verify((ctx),(func))
-void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
-                               X509_STORE_CTX_verify_fn verify);
-X509_STORE_CTX_verify_fn X509_STORE_get_verify(const X509_STORE *ctx);
-void X509_STORE_set_verify_cb(X509_STORE *ctx,
-                              X509_STORE_CTX_verify_cb verify_cb);
-# define X509_STORE_set_verify_cb_func(ctx,func) \
-            X509_STORE_set_verify_cb((ctx),(func))
-X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(const X509_STORE *ctx);
-void X509_STORE_set_get_issuer(X509_STORE *ctx,
-                               X509_STORE_CTX_get_issuer_fn get_issuer);
-X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE *ctx);
-void X509_STORE_set_check_issued(X509_STORE *ctx,
-                                 X509_STORE_CTX_check_issued_fn check_issued);
-X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(const X509_STORE *ctx);
-void X509_STORE_set_check_revocation(X509_STORE *ctx,
-                                     X509_STORE_CTX_check_revocation_fn check_revocation);
-X509_STORE_CTX_check_revocation_fn
-    X509_STORE_get_check_revocation(const X509_STORE *ctx);
-void X509_STORE_set_get_crl(X509_STORE *ctx,
-                            X509_STORE_CTX_get_crl_fn get_crl);
-X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(const X509_STORE *ctx);
-void X509_STORE_set_check_crl(X509_STORE *ctx,
-                              X509_STORE_CTX_check_crl_fn check_crl);
-X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(const X509_STORE *ctx);
-void X509_STORE_set_cert_crl(X509_STORE *ctx,
-                             X509_STORE_CTX_cert_crl_fn cert_crl);
-X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(const X509_STORE *ctx);
-void X509_STORE_set_check_policy(X509_STORE *ctx,
-                                 X509_STORE_CTX_check_policy_fn check_policy);
-X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(const X509_STORE *ctx);
-void X509_STORE_set_lookup_certs(X509_STORE *ctx,
-                                 X509_STORE_CTX_lookup_certs_fn lookup_certs);
-X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(const X509_STORE *ctx);
-void X509_STORE_set_lookup_crls(X509_STORE *ctx,
-                                X509_STORE_CTX_lookup_crls_fn lookup_crls);
-#define X509_STORE_set_lookup_crls_cb(ctx, func) \
-    X509_STORE_set_lookup_crls((ctx), (func))
-X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(const X509_STORE *ctx);
-void X509_STORE_set_cleanup(X509_STORE *ctx,
-                            X509_STORE_CTX_cleanup_fn cleanup);
-X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(const X509_STORE *ctx);
-
-#define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
-    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, l, p, newf, dupf, freef)
-int X509_STORE_set_ex_data(X509_STORE *ctx, int idx, void *data);
-void *X509_STORE_get_ex_data(const X509_STORE *ctx, int idx);
-
-X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
-X509_STORE_CTX *X509_STORE_CTX_new(void);
-
-int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
-
-void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
-                        X509 *target, STACK_OF(X509) *untrusted);
-void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
-void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
-
-X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);
-X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
-STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
-void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
-                                  X509_STORE_CTX_verify_cb verify);
-X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(const X509_STORE_CTX *ctx);
-X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(const X509_STORE_CTX *ctx);
-
-#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-# define X509_STORE_CTX_get_chain X509_STORE_CTX_get0_chain
-# define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted
-# define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack
-# define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject
-# define X509_STORE_get1_certs X509_STORE_CTX_get1_certs
-# define X509_STORE_get1_crls X509_STORE_CTX_get1_crls
-/* the following macro is misspelled; use X509_STORE_get1_certs instead */
-# define X509_STORE_get1_cert X509_STORE_CTX_get1_certs
-/* the following macro is misspelled; use X509_STORE_get1_crls instead */
-# define X509_STORE_get1_crl X509_STORE_CTX_get1_crls
-#endif
-
-X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
-X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
-X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
-X509_LOOKUP_METHOD *X509_LOOKUP_store(void);
-
-typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc,
-                                   long argl, char **ret);
-typedef int (*X509_LOOKUP_ctrl_ex_fn)(
-    X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret,
-    OSSL_LIB_CTX *libctx, const char *propq);
-
-typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx,
-                                             X509_LOOKUP_TYPE type,
-                                             const X509_NAME *name,
-                                             X509_OBJECT *ret);
-typedef int (*X509_LOOKUP_get_by_subject_ex_fn)(X509_LOOKUP *ctx,
-                                                         X509_LOOKUP_TYPE type,
-                                                         const X509_NAME *name,
-                                                         X509_OBJECT *ret,
-                                                         OSSL_LIB_CTX *libctx,
-                                                         const char *propq);
-typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx,
-                                                   X509_LOOKUP_TYPE type,
-                                                   const X509_NAME *name,
-                                                   const ASN1_INTEGER *serial,
-                                                   X509_OBJECT *ret);
-typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx,
-                                                 X509_LOOKUP_TYPE type,
-                                                 const unsigned char* bytes,
-                                                 int len,
-                                                 X509_OBJECT *ret);
-typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx,
-                                           X509_LOOKUP_TYPE type,
-                                           const char *str,
-                                           int len,
-                                           X509_OBJECT *ret);
-
-X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name);
-void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method);
-
-int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method,
-                                  int (*new_item) (X509_LOOKUP *ctx));
-int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method))
-    (X509_LOOKUP *ctx);
-
-int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method,
-                              void (*free_fn) (X509_LOOKUP *ctx));
-void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method))
-    (X509_LOOKUP *ctx);
-
-int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method,
-                              int (*init) (X509_LOOKUP *ctx));
-int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method))
-    (X509_LOOKUP *ctx);
-
-int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method,
-                                  int (*shutdown) (X509_LOOKUP *ctx));
-int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method))
-    (X509_LOOKUP *ctx);
-
-int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method,
-                              X509_LOOKUP_ctrl_fn ctrl_fn);
-X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method);
-
-int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method,
-                                        X509_LOOKUP_get_by_subject_fn fn);
-X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject(
-    const X509_LOOKUP_METHOD *method);
-
-int X509_LOOKUP_meth_set_get_by_issuer_serial(X509_LOOKUP_METHOD *method,
-    X509_LOOKUP_get_by_issuer_serial_fn fn);
-X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial(
-    const X509_LOOKUP_METHOD *method);
-
-int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method,
-    X509_LOOKUP_get_by_fingerprint_fn fn);
-X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint(
-    const X509_LOOKUP_METHOD *method);
-
-int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method,
-                                      X509_LOOKUP_get_by_alias_fn fn);
-X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias(
-    const X509_LOOKUP_METHOD *method);
-
-
-int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
-int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
-
-int X509_STORE_CTX_get_by_subject(const X509_STORE_CTX *vs,
-                                  X509_LOOKUP_TYPE type,
-                                  const X509_NAME *name, X509_OBJECT *ret);
-X509_OBJECT *X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs,
-                                               X509_LOOKUP_TYPE type,
-                                               const X509_NAME *name);
-
-int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
-                     long argl, char **ret);
-int X509_LOOKUP_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
-                        char **ret, OSSL_LIB_CTX *libctx, const char *propq);
-
-int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type);
-int X509_load_cert_file_ex(X509_LOOKUP *ctx, const char *file, int type,
-                           OSSL_LIB_CTX *libctx, const char *propq);
-int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type);
-int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type);
-int X509_load_cert_crl_file_ex(X509_LOOKUP *ctx, const char *file, int type,
-                               OSSL_LIB_CTX *libctx, const char *propq);
-
-X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
-void X509_LOOKUP_free(X509_LOOKUP *ctx);
-int X509_LOOKUP_init(X509_LOOKUP *ctx);
-int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                           const X509_NAME *name, X509_OBJECT *ret);
-int X509_LOOKUP_by_subject_ex(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                              const X509_NAME *name, X509_OBJECT *ret,
-                              OSSL_LIB_CTX *libctx, const char *propq);
-int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                                 const X509_NAME *name,
-                                 const ASN1_INTEGER *serial,
-                                 X509_OBJECT *ret);
-int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                               const unsigned char *bytes, int len,
-                               X509_OBJECT *ret);
-int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
-                         const char *str, int len, X509_OBJECT *ret);
-int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data);
-void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx);
-X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx);
-int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
-
-int X509_STORE_load_file(X509_STORE *ctx, const char *file);
-int X509_STORE_load_path(X509_STORE *ctx, const char *path);
-int X509_STORE_load_store(X509_STORE *ctx, const char *store);
-int X509_STORE_load_locations(X509_STORE *ctx,
-                                               const char *file,
-                                               const char *dir);
-int X509_STORE_set_default_paths(X509_STORE *ctx);
-
-int X509_STORE_load_file_ex(X509_STORE *ctx, const char *file,
-                            OSSL_LIB_CTX *libctx, const char *propq);
-int X509_STORE_load_store_ex(X509_STORE *ctx, const char *store,
-                             OSSL_LIB_CTX *libctx, const char *propq);
-int X509_STORE_load_locations_ex(X509_STORE *ctx, const char *file,
-                                 const char *dir, OSSL_LIB_CTX *libctx,
-                                 const char *propq);
-int X509_STORE_set_default_paths_ex(X509_STORE *ctx, OSSL_LIB_CTX *libctx,
-                                    const char *propq);
-
-#define X509_STORE_CTX_get_ex_new_index(l, p, newf, dupf, freef) \
-    CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, l, p, newf, dupf, freef)
-int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data);
-void *X509_STORE_CTX_get_ex_data(const X509_STORE_CTX *ctx, int idx);
-int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
-int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
-X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
-X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx);
-X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx);
-X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx);
-STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx);
-STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target);
-void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *c, STACK_OF(X509) *sk);
-void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
-int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
-int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
-int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
-                                   int purpose, int trust);
-void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags);
-void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags,
-                             time_t t);
-
-X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(const X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_explicit_policy(const X509_STORE_CTX *ctx);
-int X509_STORE_CTX_get_num_untrusted(const X509_STORE_CTX *ctx);
-
-X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param);
-int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name);
-
-/*
- * Bridge opacity barrier between libcrypt and libssl, also needed to support
- * offline testing in test/danetest.c
- */
-void X509_STORE_CTX_set0_dane(X509_STORE_CTX *ctx, SSL_DANE *dane);
-#define DANE_FLAG_NO_DANE_EE_NAMECHECKS (1L << 0)
-
-/* X509_VERIFY_PARAM functions */
-
-X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
-void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
-                              const X509_VERIFY_PARAM *from);
-int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
-                           const X509_VERIFY_PARAM *from);
-int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name);
-int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
-                                unsigned long flags);
-int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
-                                  unsigned long flags);
-unsigned long X509_VERIFY_PARAM_get_flags(const X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose);
-int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust);
-void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth);
-void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level);
-time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param);
-void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t);
-int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
-                                  ASN1_OBJECT *policy);
-int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
-                                    STACK_OF(ASN1_OBJECT) *policies);
-
-int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param,
-                                    uint32_t flags);
-uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param);
-
-char *X509_VERIFY_PARAM_get0_host(X509_VERIFY_PARAM *param, int idx);
-int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
-                                const char *name, size_t namelen);
-int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
-                                const char *name, size_t namelen);
-void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
-                                     unsigned int flags);
-unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param);
-char *X509_VERIFY_PARAM_get0_peername(const X509_VERIFY_PARAM *param);
-void X509_VERIFY_PARAM_move_peername(X509_VERIFY_PARAM *, X509_VERIFY_PARAM *);
-char *X509_VERIFY_PARAM_get0_email(X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
-                                 const char *email, size_t emaillen);
-char *X509_VERIFY_PARAM_get1_ip_asc(X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
-                              const unsigned char *ip, size_t iplen);
-int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param,
-                                  const char *ipasc);
-
-int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param);
-const char *X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param);
-
-int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
-int X509_VERIFY_PARAM_get_count(void);
-const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id);
-const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
-void X509_VERIFY_PARAM_table_cleanup(void);
-
-/* Non positive return values are errors */
-#define X509_PCY_TREE_FAILURE  -2 /* Failure to satisfy explicit policy */
-#define X509_PCY_TREE_INVALID  -1 /* Inconsistent or invalid extensions */
-#define X509_PCY_TREE_INTERNAL  0 /* Internal error, most likely malloc */
-
-/*
- * Positive return values form a bit mask, all but the first are internal to
- * the library and don't appear in results from X509_policy_check().
- */
-#define X509_PCY_TREE_VALID     1 /* The policy tree is valid */
-#define X509_PCY_TREE_EMPTY     2 /* The policy tree is empty */
-#define X509_PCY_TREE_EXPLICIT  4 /* Explicit policy required */
-
-int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
-                      STACK_OF(X509) *certs,
-                      STACK_OF(ASN1_OBJECT) *policy_oids, unsigned int flags);
-
-void X509_policy_tree_free(X509_POLICY_TREE *tree);
-
-int X509_policy_tree_level_count(const X509_POLICY_TREE *tree);
-X509_POLICY_LEVEL *X509_policy_tree_get0_level(const X509_POLICY_TREE *tree,
-                                               int i);
-
-STACK_OF(X509_POLICY_NODE)
-    *X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree);
-
-STACK_OF(X509_POLICY_NODE)
-    *X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree);
-
-int X509_policy_level_node_count(X509_POLICY_LEVEL *level);
-
-X509_POLICY_NODE *X509_policy_level_get0_node(const X509_POLICY_LEVEL *level,
-                                              int i);
-
-const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node);
-
-STACK_OF(POLICYQUALINFO)
-    *X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node);
-const X509_POLICY_NODE
-    *X509_policy_node_get0_parent(const X509_POLICY_NODE *node);
-
-#ifdef  __cplusplus
-}
-#endif
-#endif

+ 0 - 1020
libs/openssl/include/crypto/x509v3.h.in

@@ -1,1020 +0,0 @@
-/*
- * {- join("\n * ", @autowarntext) -}
- *
- * Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-{-
-use OpenSSL::stackhash qw(generate_stack_macros);
--}
-
-#ifndef OPENSSL_X509V3_H
-# define OPENSSL_X509V3_H
-# pragma once
-
-# include <openssl/macros.h>
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define HEADER_X509V3_H
-# endif
-
-# include <openssl/bio.h>
-# include <openssl/x509.h>
-# include <openssl/conf.h>
-# include <openssl/x509v3err.h>
-# ifndef OPENSSL_NO_STDIO
-#  include <stdio.h>
-# endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Forward reference */
-struct v3_ext_method;
-struct v3_ext_ctx;
-
-/* Useful typedefs */
-
-typedef void *(*X509V3_EXT_NEW)(void);
-typedef void (*X509V3_EXT_FREE) (void *);
-typedef void *(*X509V3_EXT_D2I)(void *, const unsigned char **, long);
-typedef int (*X509V3_EXT_I2D) (const void *, unsigned char **);
-typedef STACK_OF(CONF_VALUE) *
-    (*X509V3_EXT_I2V) (const struct v3_ext_method *method, void *ext,
-                       STACK_OF(CONF_VALUE) *extlist);
-typedef void *(*X509V3_EXT_V2I)(const struct v3_ext_method *method,
-                                struct v3_ext_ctx *ctx,
-                                STACK_OF(CONF_VALUE) *values);
-typedef char *(*X509V3_EXT_I2S)(const struct v3_ext_method *method,
-                                void *ext);
-typedef void *(*X509V3_EXT_S2I)(const struct v3_ext_method *method,
-                                struct v3_ext_ctx *ctx, const char *str);
-typedef int (*X509V3_EXT_I2R) (const struct v3_ext_method *method, void *ext,
-                               BIO *out, int indent);
-typedef void *(*X509V3_EXT_R2I)(const struct v3_ext_method *method,
-                                struct v3_ext_ctx *ctx, const char *str);
-
-/* V3 extension structure */
-
-struct v3_ext_method {
-    int ext_nid;
-    int ext_flags;
-/* If this is set the following four fields are ignored */
-    ASN1_ITEM_EXP *it;
-/* Old style ASN1 calls */
-    X509V3_EXT_NEW ext_new;
-    X509V3_EXT_FREE ext_free;
-    X509V3_EXT_D2I d2i;
-    X509V3_EXT_I2D i2d;
-/* The following pair is used for string extensions */
-    X509V3_EXT_I2S i2s;
-    X509V3_EXT_S2I s2i;
-/* The following pair is used for multi-valued extensions */
-    X509V3_EXT_I2V i2v;
-    X509V3_EXT_V2I v2i;
-/* The following are used for raw extensions */
-    X509V3_EXT_I2R i2r;
-    X509V3_EXT_R2I r2i;
-    void *usr_data;             /* Any extension specific data */
-};
-
-typedef struct X509V3_CONF_METHOD_st {
-    char *(*get_string) (void *db, const char *section, const char *value);
-    STACK_OF(CONF_VALUE) *(*get_section) (void *db, const char *section);
-    void (*free_string) (void *db, char *string);
-    void (*free_section) (void *db, STACK_OF(CONF_VALUE) *section);
-} X509V3_CONF_METHOD;
-
-/* Context specific info for producing X509 v3 extensions*/
-struct v3_ext_ctx {
-# define X509V3_CTX_TEST 0x1
-# ifndef OPENSSL_NO_DEPRECATED_3_0
-#  define CTX_TEST X509V3_CTX_TEST
-# endif
-# define X509V3_CTX_REPLACE 0x2
-    int flags;
-    X509 *issuer_cert;
-    X509 *subject_cert;
-    X509_REQ *subject_req;
-    X509_CRL *crl;
-    X509V3_CONF_METHOD *db_meth;
-    void *db;
-    EVP_PKEY *issuer_pkey;
-/* Maybe more here */
-};
-
-typedef struct v3_ext_method X509V3_EXT_METHOD;
-
-{-
-    generate_stack_macros("X509V3_EXT_METHOD");
--}
-
-/* ext_flags values */
-# define X509V3_EXT_DYNAMIC      0x1
-# define X509V3_EXT_CTX_DEP      0x2
-# define X509V3_EXT_MULTILINE    0x4
-
-typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
-
-typedef struct BASIC_CONSTRAINTS_st {
-    int ca;
-    ASN1_INTEGER *pathlen;
-} BASIC_CONSTRAINTS;
-
-typedef struct PKEY_USAGE_PERIOD_st {
-    ASN1_GENERALIZEDTIME *notBefore;
-    ASN1_GENERALIZEDTIME *notAfter;
-} PKEY_USAGE_PERIOD;
-
-typedef struct otherName_st {
-    ASN1_OBJECT *type_id;
-    ASN1_TYPE *value;
-} OTHERNAME;
-
-typedef struct EDIPartyName_st {
-    ASN1_STRING *nameAssigner;
-    ASN1_STRING *partyName;
-} EDIPARTYNAME;
-
-typedef struct GENERAL_NAME_st {
-# define GEN_OTHERNAME   0
-# define GEN_EMAIL       1
-# define GEN_DNS         2
-# define GEN_X400        3
-# define GEN_DIRNAME     4
-# define GEN_EDIPARTY    5
-# define GEN_URI         6
-# define GEN_IPADD       7
-# define GEN_RID         8
-    int type;
-    union {
-        char *ptr;
-        OTHERNAME *otherName;   /* otherName */
-        ASN1_IA5STRING *rfc822Name;
-        ASN1_IA5STRING *dNSName;
-        ASN1_STRING *x400Address;
-        X509_NAME *directoryName;
-        EDIPARTYNAME *ediPartyName;
-        ASN1_IA5STRING *uniformResourceIdentifier;
-        ASN1_OCTET_STRING *iPAddress;
-        ASN1_OBJECT *registeredID;
-        /* Old names */
-        ASN1_OCTET_STRING *ip;  /* iPAddress */
-        X509_NAME *dirn;        /* dirn */
-        ASN1_IA5STRING *ia5;    /* rfc822Name, dNSName,
-                                 * uniformResourceIdentifier */
-        ASN1_OBJECT *rid;       /* registeredID */
-        ASN1_TYPE *other;       /* x400Address */
-    } d;
-} GENERAL_NAME;
-
-typedef struct ACCESS_DESCRIPTION_st {
-    ASN1_OBJECT *method;
-    GENERAL_NAME *location;
-} ACCESS_DESCRIPTION;
-
-{-
-    generate_stack_macros("ACCESS_DESCRIPTION")
-    .generate_stack_macros("GENERAL_NAME");
--}
-
-typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
-typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
-typedef STACK_OF(ASN1_INTEGER) TLS_FEATURE;
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-
-{-
-    generate_stack_macros("GENERAL_NAMES");
--}
-
-typedef struct DIST_POINT_NAME_st {
-    int type;
-    union {
-        GENERAL_NAMES *fullname;
-        STACK_OF(X509_NAME_ENTRY) *relativename;
-    } name;
-/* If relativename then this contains the full distribution point name */
-    X509_NAME *dpname;
-} DIST_POINT_NAME;
-/* All existing reasons */
-# define CRLDP_ALL_REASONS       0x807f
-
-# define CRL_REASON_NONE                         -1
-# define CRL_REASON_UNSPECIFIED                  0
-# define CRL_REASON_KEY_COMPROMISE               1
-# define CRL_REASON_CA_COMPROMISE                2
-# define CRL_REASON_AFFILIATION_CHANGED          3
-# define CRL_REASON_SUPERSEDED                   4
-# define CRL_REASON_CESSATION_OF_OPERATION       5
-# define CRL_REASON_CERTIFICATE_HOLD             6
-# define CRL_REASON_REMOVE_FROM_CRL              8
-# define CRL_REASON_PRIVILEGE_WITHDRAWN          9
-# define CRL_REASON_AA_COMPROMISE                10
-
-struct DIST_POINT_st {
-    DIST_POINT_NAME *distpoint;
-    ASN1_BIT_STRING *reasons;
-    GENERAL_NAMES *CRLissuer;
-    int dp_reasons;
-};
-
-{-
-    generate_stack_macros("DIST_POINT");
--}
-
-typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
-
-struct AUTHORITY_KEYID_st {
-    ASN1_OCTET_STRING *keyid;
-    GENERAL_NAMES *issuer;
-    ASN1_INTEGER *serial;
-};
-
-/* Strong extranet structures */
-
-typedef struct SXNET_ID_st {
-    ASN1_INTEGER *zone;
-    ASN1_OCTET_STRING *user;
-} SXNETID;
-
-{-
-    generate_stack_macros("SXNETID");
--}
-
-
-typedef struct SXNET_st {
-    ASN1_INTEGER *version;
-    STACK_OF(SXNETID) *ids;
-} SXNET;
-
-typedef struct ISSUER_SIGN_TOOL_st {
-    ASN1_UTF8STRING *signTool;
-    ASN1_UTF8STRING *cATool;
-    ASN1_UTF8STRING *signToolCert;
-    ASN1_UTF8STRING *cAToolCert;
-} ISSUER_SIGN_TOOL;
-
-typedef struct NOTICEREF_st {
-    ASN1_STRING *organization;
-    STACK_OF(ASN1_INTEGER) *noticenos;
-} NOTICEREF;
-
-typedef struct USERNOTICE_st {
-    NOTICEREF *noticeref;
-    ASN1_STRING *exptext;
-} USERNOTICE;
-
-typedef struct POLICYQUALINFO_st {
-    ASN1_OBJECT *pqualid;
-    union {
-        ASN1_IA5STRING *cpsuri;
-        USERNOTICE *usernotice;
-        ASN1_TYPE *other;
-    } d;
-} POLICYQUALINFO;
-
-{-
-    generate_stack_macros("POLICYQUALINFO");
--}
-
-
-typedef struct POLICYINFO_st {
-    ASN1_OBJECT *policyid;
-    STACK_OF(POLICYQUALINFO) *qualifiers;
-} POLICYINFO;
-
-{-
-    generate_stack_macros("POLICYINFO");
--}
-
-typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
-
-typedef struct POLICY_MAPPING_st {
-    ASN1_OBJECT *issuerDomainPolicy;
-    ASN1_OBJECT *subjectDomainPolicy;
-} POLICY_MAPPING;
-
-{-
-    generate_stack_macros("POLICY_MAPPING");
--}
-
-typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
-
-typedef struct GENERAL_SUBTREE_st {
-    GENERAL_NAME *base;
-    ASN1_INTEGER *minimum;
-    ASN1_INTEGER *maximum;
-} GENERAL_SUBTREE;
-
-{-
-    generate_stack_macros("GENERAL_SUBTREE");
--}
-
-struct NAME_CONSTRAINTS_st {
-    STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
-    STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
-};
-
-typedef struct POLICY_CONSTRAINTS_st {
-    ASN1_INTEGER *requireExplicitPolicy;
-    ASN1_INTEGER *inhibitPolicyMapping;
-} POLICY_CONSTRAINTS;
-
-/* Proxy certificate structures, see RFC 3820 */
-typedef struct PROXY_POLICY_st {
-    ASN1_OBJECT *policyLanguage;
-    ASN1_OCTET_STRING *policy;
-} PROXY_POLICY;
-
-typedef struct PROXY_CERT_INFO_EXTENSION_st {
-    ASN1_INTEGER *pcPathLengthConstraint;
-    PROXY_POLICY *proxyPolicy;
-} PROXY_CERT_INFO_EXTENSION;
-
-DECLARE_ASN1_FUNCTIONS(PROXY_POLICY)
-DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
-
-struct ISSUING_DIST_POINT_st {
-    DIST_POINT_NAME *distpoint;
-    int onlyuser;
-    int onlyCA;
-    ASN1_BIT_STRING *onlysomereasons;
-    int indirectCRL;
-    int onlyattr;
-};
-
-/* Values in idp_flags field */
-/* IDP present */
-# define IDP_PRESENT     0x1
-/* IDP values inconsistent */
-# define IDP_INVALID     0x2
-/* onlyuser true */
-# define IDP_ONLYUSER    0x4
-/* onlyCA true */
-# define IDP_ONLYCA      0x8
-/* onlyattr true */
-# define IDP_ONLYATTR    0x10
-/* indirectCRL true */
-# define IDP_INDIRECT    0x20
-/* onlysomereasons present */
-# define IDP_REASONS     0x40
-
-# define X509V3_conf_err(val) ERR_add_error_data(6, \
-                        "section:", (val)->section, \
-                        ",name:", (val)->name, ",value:", (val)->value)
-
-# define X509V3_set_ctx_test(ctx) \
-    X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST)
-# define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
-
-# define EXT_BITSTRING(nid, table) { nid, 0, ASN1_ITEM_ref(ASN1_BIT_STRING), \
-                        0,0,0,0, \
-                        0,0, \
-                        (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
-                        (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
-                        NULL, NULL, \
-                        table}
-
-# define EXT_IA5STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_IA5STRING), \
-                        0,0,0,0, \
-                        (X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
-                        (X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
-                        0,0,0,0, \
-                        NULL}
-
-#define EXT_UTF8STRING(nid) { nid, 0, ASN1_ITEM_ref(ASN1_UTF8STRING), \
-                        0,0,0,0, \
-                        (X509V3_EXT_I2S)i2s_ASN1_UTF8STRING, \
-                        (X509V3_EXT_S2I)s2i_ASN1_UTF8STRING, \
-                        0,0,0,0, \
-                        NULL}
-
-# define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-
-/* X509_PURPOSE stuff */
-
-# define EXFLAG_BCONS            0x1
-# define EXFLAG_KUSAGE           0x2
-# define EXFLAG_XKUSAGE          0x4
-# define EXFLAG_NSCERT           0x8
-
-# define EXFLAG_CA               0x10
-# define EXFLAG_SI               0x20 /* self-issued, maybe not self-signed */
-# define EXFLAG_V1               0x40
-# define EXFLAG_INVALID          0x80
-/* EXFLAG_SET is set to indicate that some values have been precomputed */
-# define EXFLAG_SET              0x100
-# define EXFLAG_CRITICAL         0x200
-# define EXFLAG_PROXY            0x400
-
-# define EXFLAG_INVALID_POLICY   0x800
-# define EXFLAG_FRESHEST         0x1000
-# define EXFLAG_SS               0x2000 /* cert is apparently self-signed */
-
-# define EXFLAG_BCONS_CRITICAL   0x10000
-# define EXFLAG_AKID_CRITICAL    0x20000
-# define EXFLAG_SKID_CRITICAL    0x40000
-# define EXFLAG_SAN_CRITICAL     0x80000
-# define EXFLAG_NO_FINGERPRINT   0x100000
-
-# define KU_DIGITAL_SIGNATURE    0x0080
-# define KU_NON_REPUDIATION      0x0040
-# define KU_KEY_ENCIPHERMENT     0x0020
-# define KU_DATA_ENCIPHERMENT    0x0010
-# define KU_KEY_AGREEMENT        0x0008
-# define KU_KEY_CERT_SIGN        0x0004
-# define KU_CRL_SIGN             0x0002
-# define KU_ENCIPHER_ONLY        0x0001
-# define KU_DECIPHER_ONLY        0x8000
-
-# define NS_SSL_CLIENT           0x80
-# define NS_SSL_SERVER           0x40
-# define NS_SMIME                0x20
-# define NS_OBJSIGN              0x10
-# define NS_SSL_CA               0x04
-# define NS_SMIME_CA             0x02
-# define NS_OBJSIGN_CA           0x01
-# define NS_ANY_CA               (NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
-
-# define XKU_SSL_SERVER          0x1
-# define XKU_SSL_CLIENT          0x2
-# define XKU_SMIME               0x4
-# define XKU_CODE_SIGN           0x8
-# define XKU_SGC                 0x10 /* Netscape or MS Server-Gated Crypto */
-# define XKU_OCSP_SIGN           0x20
-# define XKU_TIMESTAMP           0x40
-# define XKU_DVCS                0x80
-# define XKU_ANYEKU              0x100
-
-# define X509_PURPOSE_DYNAMIC    0x1
-# define X509_PURPOSE_DYNAMIC_NAME       0x2
-
-typedef struct x509_purpose_st {
-    int purpose;
-    int trust;                  /* Default trust ID */
-    int flags;
-    int (*check_purpose) (const struct x509_purpose_st *, const X509 *, int);
-    char *name;
-    char *sname;
-    void *usr_data;
-} X509_PURPOSE;
-
-{-
-    generate_stack_macros("X509_PURPOSE");
--}
-
-
-# define X509_PURPOSE_SSL_CLIENT         1
-# define X509_PURPOSE_SSL_SERVER         2
-# define X509_PURPOSE_NS_SSL_SERVER      3
-# define X509_PURPOSE_SMIME_SIGN         4
-# define X509_PURPOSE_SMIME_ENCRYPT      5
-# define X509_PURPOSE_CRL_SIGN           6
-# define X509_PURPOSE_ANY                7
-# define X509_PURPOSE_OCSP_HELPER        8
-# define X509_PURPOSE_TIMESTAMP_SIGN     9
-
-# define X509_PURPOSE_MIN                1
-# define X509_PURPOSE_MAX                9
-
-/* Flags for X509V3_EXT_print() */
-
-# define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
-/* Return error for unknown extensions */
-# define X509V3_EXT_DEFAULT              0
-/* Print error for unknown extensions */
-# define X509V3_EXT_ERROR_UNKNOWN        (1L << 16)
-/* ASN1 parse unknown extensions */
-# define X509V3_EXT_PARSE_UNKNOWN        (2L << 16)
-/* BIO_dump unknown extensions */
-# define X509V3_EXT_DUMP_UNKNOWN         (3L << 16)
-
-/* Flags for X509V3_add1_i2d */
-
-# define X509V3_ADD_OP_MASK              0xfL
-# define X509V3_ADD_DEFAULT              0L
-# define X509V3_ADD_APPEND               1L
-# define X509V3_ADD_REPLACE              2L
-# define X509V3_ADD_REPLACE_EXISTING     3L
-# define X509V3_ADD_KEEP_EXISTING        4L
-# define X509V3_ADD_DELETE               5L
-# define X509V3_ADD_SILENT               0x10
-
-DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
-
-DECLARE_ASN1_FUNCTIONS(SXNET)
-DECLARE_ASN1_FUNCTIONS(SXNETID)
-
-DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
-
-int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen);
-int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
-                       int userlen);
-int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user,
-                         int userlen);
-
-ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone);
-ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
-ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
-
-DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
-
-DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
-
-DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
-DECLARE_ASN1_DUP_FUNCTION(GENERAL_NAME)
-int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
-
-ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
-                                     X509V3_CTX *ctx,
-                                     STACK_OF(CONF_VALUE) *nval);
-STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
-                                          ASN1_BIT_STRING *bits,
-                                          STACK_OF(CONF_VALUE) *extlist);
-char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
-ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
-                                   X509V3_CTX *ctx, const char *str);
-char *i2s_ASN1_UTF8STRING(X509V3_EXT_METHOD *method, ASN1_UTF8STRING *utf8);
-ASN1_UTF8STRING *s2i_ASN1_UTF8STRING(X509V3_EXT_METHOD *method,
-                                   X509V3_CTX *ctx, const char *str);
-
-STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
-                                       GENERAL_NAME *gen,
-                                       STACK_OF(CONF_VALUE) *ret);
-int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
-
-DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES)
-
-STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-                                        GENERAL_NAMES *gen,
-                                        STACK_OF(CONF_VALUE) *extlist);
-GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
-                                 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-
-DECLARE_ASN1_FUNCTIONS(OTHERNAME)
-DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
-int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
-void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
-void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype);
-int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
-                                ASN1_OBJECT *oid, ASN1_TYPE *value);
-int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen,
-                                ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
-
-char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
-                            const ASN1_OCTET_STRING *ia5);
-ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
-                                         X509V3_CTX *ctx, const char *str);
-
-DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
-int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a);
-
-DECLARE_ASN1_ALLOC_FUNCTIONS(TLS_FEATURE)
-
-DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
-DECLARE_ASN1_FUNCTIONS(POLICYINFO)
-DECLARE_ASN1_FUNCTIONS(POLICYQUALINFO)
-DECLARE_ASN1_FUNCTIONS(USERNOTICE)
-DECLARE_ASN1_FUNCTIONS(NOTICEREF)
-
-DECLARE_ASN1_FUNCTIONS(CRL_DIST_POINTS)
-DECLARE_ASN1_FUNCTIONS(DIST_POINT)
-DECLARE_ASN1_FUNCTIONS(DIST_POINT_NAME)
-DECLARE_ASN1_FUNCTIONS(ISSUING_DIST_POINT)
-
-int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, const X509_NAME *iname);
-
-int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
-int NAME_CONSTRAINTS_check_CN(X509 *x, NAME_CONSTRAINTS *nc);
-
-DECLARE_ASN1_FUNCTIONS(ACCESS_DESCRIPTION)
-DECLARE_ASN1_FUNCTIONS(AUTHORITY_INFO_ACCESS)
-
-DECLARE_ASN1_ITEM(POLICY_MAPPING)
-DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_MAPPING)
-DECLARE_ASN1_ITEM(POLICY_MAPPINGS)
-
-DECLARE_ASN1_ITEM(GENERAL_SUBTREE)
-DECLARE_ASN1_ALLOC_FUNCTIONS(GENERAL_SUBTREE)
-
-DECLARE_ASN1_ITEM(NAME_CONSTRAINTS)
-DECLARE_ASN1_ALLOC_FUNCTIONS(NAME_CONSTRAINTS)
-
-DECLARE_ASN1_ALLOC_FUNCTIONS(POLICY_CONSTRAINTS)
-DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS)
-
-GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-                               const X509V3_EXT_METHOD *method,
-                               X509V3_CTX *ctx, int gen_type,
-                               const char *value, int is_nc);
-
-# ifdef OPENSSL_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
-                               X509V3_CTX *ctx, CONF_VALUE *cnf);
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
-                                  const X509V3_EXT_METHOD *method,
-                                  X509V3_CTX *ctx, CONF_VALUE *cnf,
-                                  int is_nc);
-
-void X509V3_conf_free(CONF_VALUE *val);
-
-X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-                                     const char *value);
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
-                                 const char *value);
-int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
-                            STACK_OF(X509_EXTENSION) **sk);
-int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-                         X509 *cert);
-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-                             X509_REQ *req);
-int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-                             X509_CRL *crl);
-
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf,
-                                    X509V3_CTX *ctx, int ext_nid,
-                                    const char *value);
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                                const char *name, const char *value);
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                        const char *section, X509 *cert);
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            const char *section, X509_REQ *req);
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-                            const char *section, X509_CRL *crl);
-
-int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
-                             STACK_OF(CONF_VALUE) **extlist);
-int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
-int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
-void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
-# endif
-
-char *X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section);
-STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
-void X509V3_string_free(X509V3_CTX *ctx, char *str);
-void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
-                    X509_REQ *req, X509_CRL *crl, int flags);
-/* For API backward compatibility, this is separate from X509V3_set_ctx(): */
-int X509V3_set_issuer_pkey(X509V3_CTX *ctx, EVP_PKEY *pkey);
-
-int X509V3_add_value(const char *name, const char *value,
-                     STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_uchar(const char *name, const unsigned char *value,
-                           STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_bool(const char *name, int asn1_bool,
-                          STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
-                         STACK_OF(CONF_VALUE) **extlist);
-char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint);
-ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
-char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint);
-char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
-                                const ASN1_ENUMERATED *aint);
-int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
-int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
-int X509V3_EXT_add_alias(int nid_to, int nid_from);
-void X509V3_EXT_cleanup(void);
-
-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
-const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
-int X509V3_add_standard_extensions(void);
-STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
-void *X509V3_EXT_d2i(X509_EXTENSION *ext);
-void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
-                     int *idx);
-
-X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
-int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
-                    int crit, unsigned long flags);
-
-#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-/* The new declarations are in crypto.h, but the old ones were here. */
-# define hex_to_string OPENSSL_buf2hexstr
-# define string_to_hex OPENSSL_hexstr2buf
-#endif
-
-void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
-                        int ml);
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
-                     int indent);
-#ifndef OPENSSL_NO_STDIO
-int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
-#endif
-int X509V3_extensions_print(BIO *out, const char *title,
-                            const STACK_OF(X509_EXTENSION) *exts,
-                            unsigned long flag, int indent);
-
-int X509_check_ca(X509 *x);
-int X509_check_purpose(X509 *x, int id, int ca);
-int X509_supported_extension(X509_EXTENSION *ex);
-int X509_PURPOSE_set(int *p, int purpose);
-int X509_check_issued(X509 *issuer, X509 *subject);
-int X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid);
-void X509_set_proxy_flag(X509 *x);
-void X509_set_proxy_pathlen(X509 *x, long l);
-long X509_get_proxy_pathlen(X509 *x);
-
-uint32_t X509_get_extension_flags(X509 *x);
-uint32_t X509_get_key_usage(X509 *x);
-uint32_t X509_get_extended_key_usage(X509 *x);
-const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
-const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
-const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x);
-const ASN1_INTEGER *X509_get0_authority_serial(X509 *x);
-
-int X509_PURPOSE_get_count(void);
-X509_PURPOSE *X509_PURPOSE_get0(int idx);
-int X509_PURPOSE_get_by_sname(const char *sname);
-int X509_PURPOSE_get_by_id(int id);
-int X509_PURPOSE_add(int id, int trust, int flags,
-                     int (*ck) (const X509_PURPOSE *, const X509 *, int),
-                     const char *name, const char *sname, void *arg);
-char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
-char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
-int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
-void X509_PURPOSE_cleanup(void);
-int X509_PURPOSE_get_id(const X509_PURPOSE *);
-
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
-void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
-/* Flags for X509_check_* functions */
-
-/*
- * Always check subject name for host match even if subject alt names present
- */
-# define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT    0x1
-/* Disable wildcard matching for dnsName fields and common name. */
-# define X509_CHECK_FLAG_NO_WILDCARDS    0x2
-/* Wildcards must not match a partial label. */
-# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
-/* Allow (non-partial) wildcards to match multiple labels. */
-# define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
-/* Constraint verifier subdomain patterns to match a single labels. */
-# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
-/* Never check the subject CN */
-# define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT    0x20
-/*
- * Match reference identifiers starting with "." to any sub-domain.
- * This is a non-public flag, turned on implicitly when the subject
- * reference identity is a DNS name.
- */
-# define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
-
-int X509_check_host(X509 *x, const char *chk, size_t chklen,
-                    unsigned int flags, char **peername);
-int X509_check_email(X509 *x, const char *chk, size_t chklen,
-                     unsigned int flags);
-int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
-                  unsigned int flags);
-int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
-
-ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
-ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
-int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
-                             unsigned long chtype);
-
-void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
-{-
-    generate_stack_macros("X509_POLICY_NODE");
--}
-
-
-#ifndef OPENSSL_NO_RFC3779
-typedef struct ASRange_st {
-    ASN1_INTEGER *min, *max;
-} ASRange;
-
-# define ASIdOrRange_id          0
-# define ASIdOrRange_range       1
-
-typedef struct ASIdOrRange_st {
-    int type;
-    union {
-        ASN1_INTEGER *id;
-        ASRange *range;
-    } u;
-} ASIdOrRange;
-
-{-
-    generate_stack_macros("ASIdOrRange");
--}
-
-typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
-
-# define ASIdentifierChoice_inherit              0
-# define ASIdentifierChoice_asIdsOrRanges        1
-
-typedef struct ASIdentifierChoice_st {
-    int type;
-    union {
-        ASN1_NULL *inherit;
-        ASIdOrRanges *asIdsOrRanges;
-    } u;
-} ASIdentifierChoice;
-
-typedef struct ASIdentifiers_st {
-    ASIdentifierChoice *asnum, *rdi;
-} ASIdentifiers;
-
-DECLARE_ASN1_FUNCTIONS(ASRange)
-DECLARE_ASN1_FUNCTIONS(ASIdOrRange)
-DECLARE_ASN1_FUNCTIONS(ASIdentifierChoice)
-DECLARE_ASN1_FUNCTIONS(ASIdentifiers)
-
-typedef struct IPAddressRange_st {
-    ASN1_BIT_STRING *min, *max;
-} IPAddressRange;
-
-# define IPAddressOrRange_addressPrefix  0
-# define IPAddressOrRange_addressRange   1
-
-typedef struct IPAddressOrRange_st {
-    int type;
-    union {
-        ASN1_BIT_STRING *addressPrefix;
-        IPAddressRange *addressRange;
-    } u;
-} IPAddressOrRange;
-
-{-
-    generate_stack_macros("IPAddressOrRange");
--}
-
-typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
-
-# define IPAddressChoice_inherit                 0
-# define IPAddressChoice_addressesOrRanges       1
-
-typedef struct IPAddressChoice_st {
-    int type;
-    union {
-        ASN1_NULL *inherit;
-        IPAddressOrRanges *addressesOrRanges;
-    } u;
-} IPAddressChoice;
-
-typedef struct IPAddressFamily_st {
-    ASN1_OCTET_STRING *addressFamily;
-    IPAddressChoice *ipAddressChoice;
-} IPAddressFamily;
-
-{-
-    generate_stack_macros("IPAddressFamily");
--}
-
-
-typedef STACK_OF(IPAddressFamily) IPAddrBlocks;
-
-DECLARE_ASN1_FUNCTIONS(IPAddressRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressOrRange)
-DECLARE_ASN1_FUNCTIONS(IPAddressChoice)
-DECLARE_ASN1_FUNCTIONS(IPAddressFamily)
-
-/*
- * API tag for elements of the ASIdentifer SEQUENCE.
- */
-# define V3_ASID_ASNUM   0
-# define V3_ASID_RDI     1
-
-/*
- * AFI values, assigned by IANA.  It'd be nice to make the AFI
- * handling code totally generic, but there are too many little things
- * that would need to be defined for other address families for it to
- * be worth the trouble.
- */
-# define IANA_AFI_IPV4   1
-# define IANA_AFI_IPV6   2
-
-/*
- * Utilities to construct and extract values from RFC3779 extensions,
- * since some of the encodings (particularly for IP address prefixes
- * and ranges) are a bit tedious to work with directly.
- */
-int X509v3_asid_add_inherit(ASIdentifiers *asid, int which);
-int X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which,
-                                ASN1_INTEGER *min, ASN1_INTEGER *max);
-int X509v3_addr_add_inherit(IPAddrBlocks *addr,
-                            const unsigned afi, const unsigned *safi);
-int X509v3_addr_add_prefix(IPAddrBlocks *addr,
-                           const unsigned afi, const unsigned *safi,
-                           unsigned char *a, const int prefixlen);
-int X509v3_addr_add_range(IPAddrBlocks *addr,
-                          const unsigned afi, const unsigned *safi,
-                          unsigned char *min, unsigned char *max);
-unsigned X509v3_addr_get_afi(const IPAddressFamily *f);
-int X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi,
-                          unsigned char *min, unsigned char *max,
-                          const int length);
-
-/*
- * Canonical forms.
- */
-int X509v3_asid_is_canonical(ASIdentifiers *asid);
-int X509v3_addr_is_canonical(IPAddrBlocks *addr);
-int X509v3_asid_canonize(ASIdentifiers *asid);
-int X509v3_addr_canonize(IPAddrBlocks *addr);
-
-/*
- * Tests for inheritance and containment.
- */
-int X509v3_asid_inherits(ASIdentifiers *asid);
-int X509v3_addr_inherits(IPAddrBlocks *addr);
-int X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b);
-int X509v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b);
-
-/*
- * Check whether RFC 3779 extensions nest properly in chains.
- */
-int X509v3_asid_validate_path(X509_STORE_CTX *);
-int X509v3_addr_validate_path(X509_STORE_CTX *);
-int X509v3_asid_validate_resource_set(STACK_OF(X509) *chain,
-                                      ASIdentifiers *ext,
-                                      int allow_inheritance);
-int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain,
-                                      IPAddrBlocks *ext, int allow_inheritance);
-
-#endif                         /* OPENSSL_NO_RFC3779 */
-
-{-
-    generate_stack_macros("ASN1_STRING");
--}
-
-/*
- * Admission Syntax
- */
-typedef struct NamingAuthority_st NAMING_AUTHORITY;
-typedef struct ProfessionInfo_st PROFESSION_INFO;
-typedef struct Admissions_st ADMISSIONS;
-typedef struct AdmissionSyntax_st ADMISSION_SYNTAX;
-DECLARE_ASN1_FUNCTIONS(NAMING_AUTHORITY)
-DECLARE_ASN1_FUNCTIONS(PROFESSION_INFO)
-DECLARE_ASN1_FUNCTIONS(ADMISSIONS)
-DECLARE_ASN1_FUNCTIONS(ADMISSION_SYNTAX)
-{-
-    generate_stack_macros("PROFESSION_INFO")
-    .generate_stack_macros("ADMISSIONS");
--}
-typedef STACK_OF(PROFESSION_INFO) PROFESSION_INFOS;
-
-const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId(
-    const NAMING_AUTHORITY *n);
-const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL(
-    const NAMING_AUTHORITY *n);
-const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText(
-    const NAMING_AUTHORITY *n);
-void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n,
-    ASN1_OBJECT* namingAuthorityId);
-void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n,
-    ASN1_IA5STRING* namingAuthorityUrl);
-void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n,
-    ASN1_STRING* namingAuthorityText);
-
-const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority(
-    const ADMISSION_SYNTAX *as);
-void ADMISSION_SYNTAX_set0_admissionAuthority(
-    ADMISSION_SYNTAX *as, GENERAL_NAME *aa);
-const STACK_OF(ADMISSIONS) *ADMISSION_SYNTAX_get0_contentsOfAdmissions(
-    const ADMISSION_SYNTAX *as);
-void ADMISSION_SYNTAX_set0_contentsOfAdmissions(
-    ADMISSION_SYNTAX *as, STACK_OF(ADMISSIONS) *a);
-const GENERAL_NAME *ADMISSIONS_get0_admissionAuthority(const ADMISSIONS *a);
-void ADMISSIONS_set0_admissionAuthority(ADMISSIONS *a, GENERAL_NAME *aa);
-const NAMING_AUTHORITY *ADMISSIONS_get0_namingAuthority(const ADMISSIONS *a);
-void ADMISSIONS_set0_namingAuthority(ADMISSIONS *a, NAMING_AUTHORITY *na);
-const PROFESSION_INFOS *ADMISSIONS_get0_professionInfos(const ADMISSIONS *a);
-void ADMISSIONS_set0_professionInfos(ADMISSIONS *a, PROFESSION_INFOS *pi);
-const ASN1_OCTET_STRING *PROFESSION_INFO_get0_addProfessionInfo(
-    const PROFESSION_INFO *pi);
-void PROFESSION_INFO_set0_addProfessionInfo(
-    PROFESSION_INFO *pi, ASN1_OCTET_STRING *aos);
-const NAMING_AUTHORITY *PROFESSION_INFO_get0_namingAuthority(
-    const PROFESSION_INFO *pi);
-void PROFESSION_INFO_set0_namingAuthority(
-    PROFESSION_INFO *pi, NAMING_AUTHORITY *na);
-const STACK_OF(ASN1_STRING) *PROFESSION_INFO_get0_professionItems(
-    const PROFESSION_INFO *pi);
-void PROFESSION_INFO_set0_professionItems(
-    PROFESSION_INFO *pi, STACK_OF(ASN1_STRING) *as);
-const STACK_OF(ASN1_OBJECT) *PROFESSION_INFO_get0_professionOIDs(
-    const PROFESSION_INFO *pi);
-void PROFESSION_INFO_set0_professionOIDs(
-    PROFESSION_INFO *pi, STACK_OF(ASN1_OBJECT) *po);
-const ASN1_PRINTABLESTRING *PROFESSION_INFO_get0_registrationNumber(
-    const PROFESSION_INFO *pi);
-void PROFESSION_INFO_set0_registrationNumber(
-    PROFESSION_INFO *pi, ASN1_PRINTABLESTRING *rn);
-
-# ifdef  __cplusplus
-}
-# endif
-#endif
