Fix warnings.

Also, use the common Configure mechanism for enabling/disabling the 64-bit ECC code.
openssl · Oct 19, 2011 · 3d520f7 · 3d520f7
1 parent 9c37519
commit 3d520f7
Show file tree

Hide file tree

Showing 12 changed files with 119 additions and 99 deletions.
diff --git a/CHANGES b/CHANGES
@@ -7,11 +7,12 @@
   *) Add optional 64-bit optimized implementations of elliptic curves NIST-P224,
      NIST-P256, NIST-P521, with constant-time single point multiplication on
      typical inputs. Compiler support for the nonstandard type __uint128_t is
-     required to use this. Code made available under Apache License version 2.0.
+     required to use this (present in gcc 4.4 and later, for 64-bit builds).
+     Code made available under Apache License version 2.0.
 
-     To include this in your build of OpenSSL, use -DEC_NISTP_64_GCC_128 on
-     the Configure (or config) command line, and run "make depend" (or "make
-     update"). This enables the following EC_METHODs:
+     Specify "enable-ec_nistp_64_gcc_128" on the Configure (or config) command
+     line to include this in your build of OpenSSL, and run "make depend" (or
+     "make update"). This enables the following EC_METHODs:
 
          EC_GFp_nistp224_method()
          EC_GFp_nistp256_method()

diff --git a/Configure b/Configure
@@ -170,7 +170,7 @@ my %table=(
 "debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-bodo",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
 "debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -680,7 +680,7 @@ if (exists $ENV{FIPSDIR})
 # All of the following is disabled by default (RC5 was enabled before 0.9.8):
 
 my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
-		 "ec-nistp224-64-gcc-128" => "default",
+      		 "ec_nistp_64_gcc_128" => "default",
 		 "gmp"		  => "default",
                  "jpake"          => "experimental",
                  "md2"            => "default",
@@ -695,7 +695,7 @@ my @experimental = ();
 
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP224_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_STORE";
 
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).

diff --git a/TABLE b/TABLE
@@ -1738,34 +1738,34 @@ $multilib     =
 
 *** debug-bodo
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion
+$cflags       = -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = 
-$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$cpuid_obj    = x86cpuid.o
-$bn_obj       = bn-586.o co-586.o x86-mont.o
-$des_obj      = des-586.o crypt586.o
-$aes_obj      = aes-586.o aesni-x86.o
-$bf_obj       = bf-586.o
-$md5_obj      = md5-586.o
-$sha1_obj     = sha1-586.o sha256-586.o sha512-586.o
-$cast_obj     = cast-586.o
-$rc4_obj      = rc4-586.o
-$rmd160_obj   = rmd-586.o
-$rc5_obj      = rc5-586.o
-$wp_obj       = wp_block.o wp-mmx.o
-$cmll_obj     = cmll-x86.o
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL
+$cpuid_obj    = x86_64cpuid.o
+$bn_obj       = x86_64-gcc.o x86_64-mont.o modexp512-x86_64.o
+$des_obj      = 
+$aes_obj      = aes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o
+$bf_obj       = 
+$md5_obj      = md5-x86_64.o
+$sha1_obj     = sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
+$cast_obj     = 
+$rc4_obj      = rc4-x86_64.o rc4-md5-x86_64.o
+$rmd160_obj   = 
+$rc5_obj      = 
+$wp_obj       = wp-x86_64.o
+$cmll_obj     = cmll-x86_64.o cmll_misc.o
 $perlasm_scheme = elf
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = -m64
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
-$multilib     = 
+$multilib     = 64
 
 *** debug-darwin-i386-cc
 $cc           = cc

diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
@@ -151,7 +151,7 @@ const EC_METHOD *EC_GFp_mont_method(void);
  */
 const EC_METHOD *EC_GFp_nist_method(void);
 
-#ifdef EC_NISTP_64_GCC_128
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 /** Returns 64-bit optimized methods for nistp224
  *  \return  EC_METHOD object
  */

diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c
@@ -72,6 +72,7 @@
 #include "ec_lcl.h"
 #include <openssl/err.h>
 #include <openssl/obj_mac.h>
+#include <openssl/opensslconf.h>
 
 typedef struct {
 	int	field_type,	/* either NID_X9_62_prime_field or
@@ -1841,15 +1842,15 @@ static const ec_list_element curve_list[] = {
 	/* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
 	{ NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field" },
 	{ NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field" },
-#ifdef EC_NISTP_64_GCC_128
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 	{ NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field" },
 #else
 	{ NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field" },
 #endif
 	{ NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" },
 	/* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
 	{ NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" },
-#ifdef EC_NISTP_64_GCC_128
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 	{ NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field" },
 #else
 	{ NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field" },
@@ -1861,7 +1862,7 @@ static const ec_list_element curve_list[] = {
 	{ NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, "X9.62 curve over a 239 bit prime field" },
 	{ NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field" },
 	{ NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field" },
-#ifdef EC_NISTP_64_GCC_128
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 	{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, EC_GFp_nistp256_method, "X9.62/SECG curve over a 256 bit prime field" },
 #else
 	{ NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, 0, "X9.62/SECG curve over a 256 bit prime field" },

diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
@@ -398,13 +398,13 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
 
-#ifdef EC_NISTP_64_GCC_128
 /* method functions in ec2_mult.c */
 int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
 	size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *);
 int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
 
+#ifndef OPENSSL_EC_NISTP_64_GCC_128
 /* method functions in ecp_nistp224.c */
 int ec_GFp_nistp224_group_init(EC_GROUP *group);
 int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);

diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
@@ -24,7 +24,10 @@
  * Inspired by Daniel J. Bernstein's public domain nistp224 implementation
  * and Adam Langley's public domain 64-bit C implementation of curve25519
  */
-#ifdef EC_NISTP_64_GCC_128
+
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+
 #include <stdint.h>
 #include <string.h>
 #include <openssl/err.h>
@@ -247,9 +250,9 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
 		ec_GFp_simple_get_Jprojective_coordinates_GFp,
 		ec_GFp_simple_point_set_affine_coordinates,
 		ec_GFp_nistp224_point_get_affine_coordinates,
-                0 /* point_set_compressed_coordinates */,
-                0 /* point2oct */,
-                0 /* oct2point */,
+		0 /* point_set_compressed_coordinates */,
+		0 /* point2oct */,
+		0 /* oct2point */,
 		ec_GFp_simple_add,
 		ec_GFp_simple_dbl,
 		ec_GFp_simple_invert,
@@ -1000,9 +1003,9 @@ static void point_add(felem x3, felem y3, felem z3,
 	felem_assign(z3, z_out);
 	}
 
-/* select_point selects the |index|th point from a precomputation table and
+/* select_point selects the |idx|th point from a precomputation table and
  * copies it to out. */
-static void select_point(const u64 index, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3])
+static void select_point(const u64 idx, unsigned int size, const felem pre_comp[/*size*/][3], felem out[3])
 	{
 	unsigned i, j;
 	limb *outlimbs = &out[0][0];
@@ -1011,7 +1014,7 @@ static void select_point(const u64 index, unsigned int size, const felem pre_com
 	for (i = 0; i < size; i++)
 		{
 		const limb *inlimbs = &pre_comp[i][0][0];
-		u64 mask = i ^ index;
+		u64 mask = i ^ idx;
 		mask |= mask >> 4;
 		mask |= mask >> 2;
 		mask |= mask >> 1;

diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
@@ -26,7 +26,8 @@
  * work which got its smarts from Daniel J. Bernstein's work on the same.
  */
 
-#ifdef EC_NISTP_64_GCC_128
+#include <openssl/opensslconf.h>
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 
 #include <stdint.h>
 #include <string.h>
@@ -363,6 +364,10 @@ static const felem zero110 = { two64m0, two110p32m0, two64m46, two64m32 };
 static void felem_shrink(smallfelem out, const felem in)
 	{
 	felem tmp;
+	u64 a, b, mask;
+	s64 high, low;
+	static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
+
 	/* Carry 2->3 */
 	tmp[3] = zero110[3] + in[3] + ((u64) (in[2] >> 64));
 	/* tmp[3] < 2^110 */
@@ -375,13 +380,13 @@ static void felem_shrink(smallfelem out, const felem in)
 	/* We perform two partial reductions where we eliminate the
 	 * high-word of tmp[3]. We don't update the other words till the end.
 	 */
-	u64 a = tmp[3] >> 64; /* a < 2^46 */
+	a = tmp[3] >> 64; /* a < 2^46 */
 	tmp[3] = (u64) tmp[3];
 	tmp[3] -= a;
 	tmp[3] += ((limb)a) << 32;
 	/* tmp[3] < 2^79 */
 
-	u64 b = a;
+	b = a;
 	a = tmp[3] >> 64; /* a < 2^15 */
 	b += a; /* b < 2^46 + 2^15 < 2^47 */
 	tmp[3] = (u64) tmp[3];
@@ -396,16 +401,15 @@ static void felem_shrink(smallfelem out, const felem in)
 
 	/* In order to make space in tmp[3] for the carry from 2 -> 3, we
 	 * conditionally subtract kPrime if tmp[3] is large enough. */
-	static const u64 kPrime3Test = 0x7fffffff00000001ul; /* 2^63 - 2^32 + 1 */
-	s64 high = tmp[3] >> 64;
+	high = tmp[3] >> 64;
 	/* As tmp[3] < 2^65, high is either 1 or 0 */
 	high <<= 63;
 	high >>= 63;
 	/* high is:
 	 *   all ones   if the high word of tmp[3] is 1
 	 *   all zeros  if the high word of tmp[3] if 0 */
-	s64 low = tmp[3];
-	u64 mask = low >> 63;
+	low = tmp[3];
+	mask = low >> 63;
 	/* mask is:
 	 *   all ones   if the MSB of low is 1
 	 *   all zeros  if the MSB of low if 0 */
@@ -815,15 +819,17 @@ static void felem_contract(smallfelem out, const felem in)
 	 * compare each u64, from most-significant to least significant. For
 	 * each one, if all words so far have been equal (m is all ones) then a
 	 * non-equal result is the answer. Otherwise we continue. */
-	for (i = 3; i < 4; i--) {
+	for (i = 3; i < 4; i--)
+		{
+		u64 equal;
 		uint128_t a = ((uint128_t) kPrime[i]) - out[i];
 		/* if out[i] > kPrime[i] then a will underflow and the high
 		 * 64-bits will all be set. */
 		result |= all_equal_so_far & ((u64) (a >> 64));
 
 		/* if kPrime[i] == out[i] then |equal| will be all zeros and
 		 * the decrement will make it all ones. */
-		u64 equal = kPrime[i] ^ out[i];
+		equal = kPrime[i] ^ out[i];
 		equal--;
 		equal &= equal << 32;
 		equal &= equal << 16;
@@ -834,7 +840,7 @@ static void felem_contract(smallfelem out, const felem in)
 		equal = ((s64) equal) >> 63;
 
 		all_equal_so_far &= equal;
-	}
+		}
 
 	/* if all_equal_so_far is still all ones then the two values are equal
 	 * and so out >= kPrime is true. */
@@ -884,6 +890,7 @@ static void smallfelem_mul_contract(smallfelem out, const smallfelem in1, const
 static limb smallfelem_is_zero(const smallfelem small)
 	{
 	limb result;
+	u64 is_p;
 
 	u64 is_zero = small[0] | small[1] | small[2] | small[3];
 	is_zero--;
@@ -895,10 +902,10 @@ static limb smallfelem_is_zero(const smallfelem small)
 	is_zero &= is_zero << 1;
 	is_zero = ((s64) is_zero) >> 63;
 
-	u64 is_p = (small[0] ^ kPrime[0]) |
-		   (small[1] ^ kPrime[1]) |
-		   (small[2] ^ kPrime[2]) |
-		   (small[3] ^ kPrime[3]);
+	is_p = (small[0] ^ kPrime[0]) |
+	       (small[1] ^ kPrime[1]) |
+	       (small[2] ^ kPrime[2]) |
+	       (small[3] ^ kPrime[3]);
 	is_p--;
 	is_p &= is_p << 32;
 	is_p &= is_p << 16;
@@ -1457,9 +1464,9 @@ static const smallfelem gmul[2][16][3] =
    {0x501e82885bc98cda, 0x41ef80e5d046ac04, 0x557d9f49461210fb, 0x4ab5b6b2b8753f81},
    {1, 0, 0, 0}}}};
 
-/* select_point selects the |index|th point from a precomputation table and
+/* select_point selects the |idx|th point from a precomputation table and
  * copies it to out. */
-static void select_point(const u64 index, unsigned int size, const smallfelem pre_comp[16][3], smallfelem out[3])
+static void select_point(const u64 idx, unsigned int size, const smallfelem pre_comp[16][3], smallfelem out[3])
 	{
 	unsigned i, j;
 	u64 *outlimbs = &out[0][0];
@@ -1468,7 +1475,7 @@ static void select_point(const u64 index, unsigned int size, const smallfelem pr
 	for (i = 0; i < size; i++)
 		{
 		const u64 *inlimbs = (u64*) &pre_comp[i][0][0];
-		u64 mask = i ^ index;
+		u64 mask = i ^ idx;
 		mask |= mask >> 4;
 		mask |= mask >> 2;
 		mask |= mask >> 1;
@@ -1623,9 +1630,9 @@ const EC_METHOD *EC_GFp_nistp256_method(void)
 		ec_GFp_simple_get_Jprojective_coordinates_GFp,
 		ec_GFp_simple_point_set_affine_coordinates,
 		ec_GFp_nistp256_point_get_affine_coordinates,
-                0 /* point_set_compressed_coordinates */,
-                0 /* point2oct */,
-                0 /* oct2point */,
+		0 /* point_set_compressed_coordinates */,
+		0 /* point2oct */,
+		0 /* oct2point */,
 		ec_GFp_simple_add,
 		ec_GFp_simple_dbl,
 		ec_GFp_simple_invert,
@@ -1784,16 +1791,17 @@ int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group,
 	felem_contract(y_out, y_in);
 	if (y != NULL)
 		{
-		if (!smallfelem_to_BN(y, y_out)) {
-		ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
-			ERR_R_BN_LIB);
-		return 0;
-		}
+		if (!smallfelem_to_BN(y, y_out))
+			{
+			ECerr(EC_F_EC_GFP_NISTP256_POINT_GET_AFFINE_COORDINATES,
+				ERR_R_BN_LIB);
+			return 0;
+			}
 		}
 	return 1;
 	}
 
-static void make_points_affine(size_t num, smallfelem points[num][3], smallfelem tmp_smallfelems[num+1])
+static void make_points_affine(size_t num, smallfelem points[/* num */][3], smallfelem tmp_smallfelems[/* num+1 */])
 	{
 	/* Runs in constant time, unless an input is the point at infinity
 	 * (which normally shouldn't happen). */