external/boringssl: Sync to 171b54.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/8ca0b4127da11d766067ea6ec4122017ba0edb0e..171b5403ee767fa0f3aecd377867db6533c3eb8f
This also updates the build file to build as C99, so BoringSSL can use
variables in for loops.
Change-Id: I48ae985fd1bed244f7ed327aefc9a13e5b17b185
diff --git a/src/crypto/asn1/a_strnid.c b/src/crypto/asn1/a_strnid.c
index ba1224e..c558bce 100644
--- a/src/crypto/asn1/a_strnid.c
+++ b/src/crypto/asn1/a_strnid.c
@@ -247,6 +247,7 @@
}
tmp->flags = flags | STABLE_FLAGS_MALLOC;
tmp->nid = nid;
+ tmp->minsize = tmp->maxsize = -1;
new_nid = 1;
} else
tmp->flags = (tmp->flags & STABLE_FLAGS_MALLOC) | flags;
diff --git a/src/crypto/asn1/bio_asn1.c b/src/crypto/asn1/bio_asn1.c
index 03cc9a6..45ad7e5 100644
--- a/src/crypto/asn1/bio_asn1.c
+++ b/src/crypto/asn1/bio_asn1.c
@@ -165,10 +165,12 @@
ctx->copylen = 0;
ctx->asn1_class = V_ASN1_UNIVERSAL;
ctx->asn1_tag = V_ASN1_OCTET_STRING;
- ctx->ex_buf = 0;
- ctx->ex_pos = 0;
+ ctx->ex_buf = NULL;
ctx->ex_len = 0;
+ ctx->ex_pos = 0;
ctx->state = ASN1_STATE_START;
+ ctx->prefix = ctx->prefix_free = ctx->suffix = ctx->suffix_free = NULL;
+ ctx->ex_arg = NULL;
return 1;
}
diff --git a/src/crypto/asn1/bio_ndef.c b/src/crypto/asn1/bio_ndef.c
index 81a8aa7..488457b 100644
--- a/src/crypto/asn1/bio_ndef.c
+++ b/src/crypto/asn1/bio_ndef.c
@@ -139,6 +139,7 @@
ndef_aux->ndef_bio = sarg.ndef_bio;
ndef_aux->boundary = sarg.boundary;
ndef_aux->out = out;
+ ndef_aux->derbuf = NULL;
BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
diff --git a/src/crypto/bio/bio_test.cc b/src/crypto/bio/bio_test.cc
index 3615ab4..f2eb20b 100644
--- a/src/crypto/bio/bio_test.cc
+++ b/src/crypto/bio/bio_test.cc
@@ -27,10 +27,10 @@
#include <unistd.h>
#else
#include <io.h>
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
#include <ws2tcpip.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include <openssl/bio.h>
diff --git a/src/crypto/bio/connect.c b/src/crypto/bio/connect.c
index 01d49b1..7e54447 100644
--- a/src/crypto/bio/connect.c
+++ b/src/crypto/bio/connect.c
@@ -66,10 +66,10 @@
#include <arpa/inet.h>
#include <unistd.h>
#else
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
#include <ws2tcpip.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include <openssl/buf.h>
@@ -538,6 +538,12 @@
return BIO_ctrl(bio, BIO_C_SET_CONNECT, 1, (void*) port_str);
}
+int BIO_set_conn_int_port(BIO *bio, const int *port) {
+ char buf[DECIMAL_SIZE(int) + 1];
+ BIO_snprintf(buf, sizeof(buf), "%d", *port);
+ return BIO_set_conn_port(bio, buf);
+}
+
int BIO_set_nbio(BIO *bio, int on) {
return BIO_ctrl(bio, BIO_C_SET_NBIO, on, NULL);
}
diff --git a/src/crypto/bio/fd.c b/src/crypto/bio/fd.c
index 7d94843..13833df 100644
--- a/src/crypto/bio/fd.c
+++ b/src/crypto/bio/fd.c
@@ -63,9 +63,9 @@
#include <unistd.h>
#else
#include <io.h>
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include <openssl/buf.h>
diff --git a/src/crypto/bio/internal.h b/src/crypto/bio/internal.h
index eb6b26f..4ec77fa 100644
--- a/src/crypto/bio/internal.h
+++ b/src/crypto/bio/internal.h
@@ -67,9 +67,9 @@
#include <sys/types.h>
#include <sys/socket.h>
#else
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
typedef int socklen_t;
#endif
diff --git a/src/crypto/bio/socket.c b/src/crypto/bio/socket.c
index 3ef6967..0520c3e 100644
--- a/src/crypto/bio/socket.c
+++ b/src/crypto/bio/socket.c
@@ -63,9 +63,9 @@
#if !defined(OPENSSL_WINDOWS)
#include <unistd.h>
#else
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#pragma comment(lib, "Ws2_32.lib")
#endif
diff --git a/src/crypto/bio/socket_helper.c b/src/crypto/bio/socket_helper.c
index 4ddc094..9500788 100644
--- a/src/crypto/bio/socket_helper.c
+++ b/src/crypto/bio/socket_helper.c
@@ -26,10 +26,10 @@
#include <netdb.h>
#include <unistd.h>
#else
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
#include <ws2tcpip.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include "internal.h"
diff --git a/src/crypto/bn/bn_test.cc b/src/crypto/bn/bn_test.cc
index fe8cfd0..d909ee2 100644
--- a/src/crypto/bn/bn_test.cc
+++ b/src/crypto/bn/bn_test.cc
@@ -850,11 +850,17 @@
return false;
}
BN_ULONG s = b->d[0];
+ BN_ULONG rmod = BN_mod_word(b.get(), s);
BN_ULONG r = BN_div_word(b.get(), s);
if (r == (BN_ULONG)-1) {
return false;
}
+ if (rmod != r) {
+ fprintf(stderr, "Mod (word) test failed!\n");
+ return false;
+ }
+
if (fp != NULL) {
BN_print_fp(fp, a.get());
puts_fp(fp, " / ");
diff --git a/src/crypto/bn/div.c b/src/crypto/bn/div.c
index 6f67291..e824458 100644
--- a/src/crypto/bn/div.c
+++ b/src/crypto/bn/div.c
@@ -644,6 +644,20 @@
return (BN_ULONG) -1;
}
+#ifndef BN_ULLONG
+ /* If |w| is too long and we don't have |BN_ULLONG| then we need to fall back
+ * to using |BN_div_word|. */
+ if (w > ((BN_ULONG)1 << BN_BITS4)) {
+ BIGNUM *tmp = BN_dup(a);
+ if (tmp == NULL) {
+ return (BN_ULONG)-1;
+ }
+ ret = BN_div_word(tmp, w);
+ BN_free(tmp);
+ return ret;
+ }
+#endif
+
w &= BN_MASK2;
for (i = a->top - 1; i >= 0; i--) {
#ifndef BN_ULLONG
diff --git a/src/crypto/bn/internal.h b/src/crypto/bn/internal.h
index 0a2982c..8b1c866 100644
--- a/src/crypto/bn/internal.h
+++ b/src/crypto/bn/internal.h
@@ -126,9 +126,9 @@
#include <openssl/base.h>
#if defined(OPENSSL_X86_64) && defined(_MSC_VER)
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <intrin.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#pragma intrinsic(__umulh, _umul128)
#endif
diff --git a/src/crypto/bytestring/bytestring_test.cc b/src/crypto/bytestring/bytestring_test.cc
index 84ecffc..e1d16f4 100644
--- a/src/crypto/bytestring/bytestring_test.cc
+++ b/src/crypto/bytestring/bytestring_test.cc
@@ -43,7 +43,7 @@
}
static bool TestGetUint() {
- static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
+ static const uint8_t kData[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};
uint8_t u8;
uint16_t u16;
uint32_t u32;
@@ -58,7 +58,10 @@
u32 == 0x40506 &&
CBS_get_u32(&data, &u32) &&
u32 == 0x708090a &&
- !CBS_get_u8(&data, &u8);
+ CBS_get_last_u8(&data, &u8) &&
+ u8 == 0xb &&
+ !CBS_get_u8(&data, &u8) &&
+ !CBS_get_last_u8(&data, &u8);
}
static bool TestGetPrefixed() {
diff --git a/src/crypto/bytestring/cbs.c b/src/crypto/bytestring/cbs.c
index ed54b49..c86afbd 100644
--- a/src/crypto/bytestring/cbs.c
+++ b/src/crypto/bytestring/cbs.c
@@ -128,6 +128,15 @@
return cbs_get_u(cbs, out, 4);
}
+int CBS_get_last_u8(CBS *cbs, uint8_t *out) {
+ if (cbs->len == 0) {
+ return 0;
+ }
+ *out = cbs->data[cbs->len - 1];
+ cbs->len--;
+ return 1;
+}
+
int CBS_get_bytes(CBS *cbs, CBS *out, size_t len) {
const uint8_t *v;
if (!cbs_get(cbs, &v, len)) {
diff --git a/src/crypto/chacha/asm/chacha-x86.pl b/src/crypto/chacha/asm/chacha-x86.pl
index e576029..edce43d 100755
--- a/src/crypto/chacha/asm/chacha-x86.pl
+++ b/src/crypto/chacha/asm/chacha-x86.pl
@@ -19,13 +19,13 @@
# P4 18.6/+84%
# Core2 9.56/+89% 4.83
# Westmere 9.50/+45% 3.35
-# Sandy Bridge 10.7/+47% 3.24
-# Haswell 8.22/+50% 2.89
-# Silvermont 17.8/+36% 8.53
+# Sandy Bridge 10.5/+47% 3.20
+# Haswell 8.15/+50% 2.83
+# Silvermont 17.4/+36% 8.35
# Sledgehammer 10.2/+54%
-# Bulldozer 13.5/+50% 4.39(*)
+# Bulldozer 13.4/+50% 4.38(*)
#
-# (*) Bulldozer actually executes 4xXOP code path that delivers 3.50;
+# (*) Bulldozer actually executes 4xXOP code path that delivers 3.55;
#
# Modified from upstream OpenSSL to remove the XOP code.
@@ -224,20 +224,18 @@
&xor ($a, &DWP(4*0,$b)); # xor with input
&xor ($b_,&DWP(4*4,$b));
- &mov (&DWP(4*0,"esp"),$a); # off-load for later write
+ &mov (&DWP(4*0,"esp"),$a);
&mov ($a,&wparam(0)); # load output pointer
&xor ($c, &DWP(4*8,$b));
&xor ($c_,&DWP(4*9,$b));
&xor ($d, &DWP(4*12,$b));
&xor ($d_,&DWP(4*14,$b));
- &mov (&DWP(4*4,"esp"),$b_);
- &mov ($b_,&DWP(4*0,"esp"));
- &mov (&DWP(4*8,"esp"),$c);
- &mov (&DWP(4*9,"esp"),$c_);
- &mov (&DWP(4*12,"esp"),$d);
- &mov (&DWP(4*14,"esp"),$d_);
+ &mov (&DWP(4*4,$a),$b_); # write output
+ &mov (&DWP(4*8,$a),$c);
+ &mov (&DWP(4*9,$a),$c_);
+ &mov (&DWP(4*12,$a),$d);
+ &mov (&DWP(4*14,$a),$d_);
- &mov (&DWP(4*0,$a),$b_); # write output in order
&mov ($b_,&DWP(4*1,"esp"));
&mov ($c, &DWP(4*2,"esp"));
&mov ($c_,&DWP(4*3,"esp"));
@@ -254,45 +252,35 @@
&xor ($d, &DWP(4*5,$b));
&xor ($d_,&DWP(4*6,$b));
&mov (&DWP(4*1,$a),$b_);
- &mov ($b_,&DWP(4*4,"esp"));
&mov (&DWP(4*2,$a),$c);
&mov (&DWP(4*3,$a),$c_);
- &mov (&DWP(4*4,$a),$b_);
&mov (&DWP(4*5,$a),$d);
&mov (&DWP(4*6,$a),$d_);
- &mov ($c,&DWP(4*7,"esp"));
- &mov ($d,&DWP(4*8,"esp"));
- &mov ($d_,&DWP(4*9,"esp"));
- &add ($c,&DWP(64+4*7,"esp"));
- &mov ($b_, &DWP(4*10,"esp"));
- &xor ($c,&DWP(4*7,$b));
+ &mov ($b_,&DWP(4*7,"esp"));
+ &mov ($c, &DWP(4*10,"esp"));
&mov ($c_,&DWP(4*11,"esp"));
- &mov (&DWP(4*7,$a),$c);
- &mov (&DWP(4*8,$a),$d);
- &mov (&DWP(4*9,$a),$d_);
-
- &add ($b_, &DWP(64+4*10,"esp"));
- &add ($c_,&DWP(64+4*11,"esp"));
- &xor ($b_, &DWP(4*10,$b));
- &xor ($c_,&DWP(4*11,$b));
- &mov (&DWP(4*10,$a),$b_);
- &mov (&DWP(4*11,$a),$c_);
-
- &mov ($c,&DWP(4*12,"esp"));
- &mov ($c_,&DWP(4*14,"esp"));
&mov ($d, &DWP(4*13,"esp"));
&mov ($d_,&DWP(4*15,"esp"));
+ &add ($b_,&DWP(64+4*7,"esp"));
+ &add ($c, &DWP(64+4*10,"esp"));
+ &add ($c_,&DWP(64+4*11,"esp"));
&add ($d, &DWP(64+4*13,"esp"));
&add ($d_,&DWP(64+4*15,"esp"));
+ &xor ($b_,&DWP(4*7,$b));
+ &xor ($c, &DWP(4*10,$b));
+ &xor ($c_,&DWP(4*11,$b));
&xor ($d, &DWP(4*13,$b));
&xor ($d_,&DWP(4*15,$b));
&lea ($b,&DWP(4*16,$b));
- &mov (&DWP(4*12,$a),$c);
+ &mov (&DWP(4*7,$a),$b_);
+ &mov ($b_,&DWP(4*0,"esp"));
+ &mov (&DWP(4*10,$a),$c);
&mov ($c,&wparam(2)); # len
+ &mov (&DWP(4*11,$a),$c_);
&mov (&DWP(4*13,$a),$d);
- &mov (&DWP(4*14,$a),$c_);
&mov (&DWP(4*15,$a),$d_);
+ &mov (&DWP(4*0,$a),$b_);
&lea ($a,&DWP(4*16,$a));
&sub ($c,64);
&jnz (&label("outer_loop"));
@@ -567,12 +555,12 @@
my ($xa0,$xa1,$xa2,$xa3,$xt0,$xt1,$xt2,$xt3)=map("xmm$_",(0..7));
- for($i=0;$i<256;$i+=64) {
- #&movdqa ($xa0,&QWP($i+16*0-128,"ebx")); # it's there
- &movdqa ($xa1,&QWP($i+16*1-128,"ebx"));
- &movdqa ($xa2,&QWP($i+16*2-128,"ebx"));
- &movdqa ($xa3,&QWP($i+16*3-128,"ebx"));
+ #&movdqa ($xa0,&QWP(16*0-128,"ebx")); # it's there
+ &movdqa ($xa1,&QWP(16*1-128,"ebx"));
+ &movdqa ($xa2,&QWP(16*2-128,"ebx"));
+ &movdqa ($xa3,&QWP(16*3-128,"ebx"));
+ for($i=0;$i<256;$i+=64) {
&paddd ($xa0,&QWP($i+16*0-128,"ebp")); # accumulate key material
&paddd ($xa1,&QWP($i+16*1-128,"ebp"));
&paddd ($xa2,&QWP($i+16*2-128,"ebp"));
@@ -593,29 +581,25 @@
#($xa2,$xt2)=($xt2,$xa2);
- &movdqa (&QWP($i+16*0-128,"ebx"),$xa0);
+ &movdqu ($xt0,&QWP(64*0-128,$inp)); # load input
+ &movdqu ($xt1,&QWP(64*1-128,$inp));
+ &movdqu ($xa2,&QWP(64*2-128,$inp));
+ &movdqu ($xt3,&QWP(64*3-128,$inp));
+ &lea ($inp,&QWP($i<192?16:(64*4-16*3),$inp));
+ &pxor ($xt0,$xa0);
&movdqa ($xa0,&QWP($i+16*4-128,"ebx")) if ($i<192);
- &movdqa (&QWP($i+16*1-128,"ebx"),$xa1);
- &movdqa (&QWP($i+16*2-128,"ebx"),$xt2);
- &movdqa (&QWP($i+16*3-128,"ebx"),$xa3);
+ &pxor ($xt1,$xa1);
+ &movdqa ($xa1,&QWP($i+16*5-128,"ebx")) if ($i<192);
+ &pxor ($xt2,$xa2);
+ &movdqa ($xa2,&QWP($i+16*6-128,"ebx")) if ($i<192);
+ &pxor ($xt3,$xa3);
+ &movdqa ($xa3,&QWP($i+16*7-128,"ebx")) if ($i<192);
+ &movdqu (&QWP(64*0-128,$out),$xt0); # store output
+ &movdqu (&QWP(64*1-128,$out),$xt1);
+ &movdqu (&QWP(64*2-128,$out),$xt2);
+ &movdqu (&QWP(64*3-128,$out),$xt3);
+ &lea ($out,&QWP($i<192?16:(64*4-16*3),$out));
}
- for($i=0;$i<256;$i+=64) {
- my $j = 16*($i/64);
- &movdqu ($xa0,&QWP($i+16*0-128,$inp)); # load input
- &movdqu ($xa1,&QWP($i+16*1-128,$inp));
- &movdqu ($xa2,&QWP($i+16*2-128,$inp));
- &movdqu ($xa3,&QWP($i+16*3-128,$inp));
- &pxor ($xa0,&QWP($j+64*0-128,"ebx"));
- &pxor ($xa1,&QWP($j+64*1-128,"ebx"));
- &pxor ($xa2,&QWP($j+64*2-128,"ebx"));
- &pxor ($xa3,&QWP($j+64*3-128,"ebx"));
- &movdqu (&QWP($i+16*0-128,$out),$xa0); # write output
- &movdqu (&QWP($i+16*1-128,$out),$xa1);
- &movdqu (&QWP($i+16*2-128,$out),$xa2);
- &movdqu (&QWP($i+16*3-128,$out),$xa3);
- }
- &lea ($inp,&DWP(256,$inp));
- &lea ($out,&DWP(256,$out));
&sub ($len,64*4);
&jnc (&label("outer_loop"));
diff --git a/src/crypto/chacha/chacha.c b/src/crypto/chacha/chacha.c
index afe1b2a..1562089 100644
--- a/src/crypto/chacha/chacha.c
+++ b/src/crypto/chacha/chacha.c
@@ -16,10 +16,13 @@
#include <openssl/chacha.h>
+#include <assert.h>
#include <string.h>
#include <openssl/cpu.h>
+#include "../internal.h"
+
#define U8TO32_LITTLE(p) \
(((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
@@ -36,8 +39,9 @@
void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t key[32], const uint8_t nonce[12],
uint32_t counter) {
- uint32_t counter_nonce[4];
- counter_nonce[0] = counter;
+ assert(!buffers_alias(out, in_len, in, in_len) || in == out);
+
+ uint32_t counter_nonce[4]; counter_nonce[0] = counter;
counter_nonce[1] = U8TO32_LITTLE(nonce + 0);
counter_nonce[2] = U8TO32_LITTLE(nonce + 4);
counter_nonce[3] = U8TO32_LITTLE(nonce + 8);
@@ -118,6 +122,8 @@
void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
const uint8_t key[32], const uint8_t nonce[12],
uint32_t counter) {
+ assert(!buffers_alias(out, in_len, in, in_len) || in == out);
+
uint32_t input[16];
uint8_t buf[64];
size_t todo, i;
diff --git a/src/crypto/chacha/chacha_test.cc b/src/crypto/chacha/chacha_test.cc
index f364f98..0a5972f 100644
--- a/src/crypto/chacha/chacha_test.cc
+++ b/src/crypto/chacha/chacha_test.cc
@@ -218,25 +218,16 @@
std::unique_ptr<uint8_t[]> buf(new uint8_t[len]);
CRYPTO_chacha_20(buf.get(), kInput, len, kKey, kNonce, kCounter);
if (memcmp(buf.get(), kOutput, len) != 0) {
- fprintf(stderr, "Mismatch at length %u.\n", static_cast<unsigned>(len));
+ fprintf(stderr, "Mismatch at length %zu.\n", len);
return false;
}
- // Test in-place at various offsets.
- static const size_t kOffsets[] = {
- 0, 1, 2, 8, 15, 16, 17, 31, 32, 33, 63,
- 64, 65, 95, 96, 97, 127, 128, 129, 255, 256, 257,
- };
- for (size_t offset : kOffsets) {
- buf.reset(new uint8_t[len + offset]);
- memcpy(buf.get() + offset, kInput, len);
- CRYPTO_chacha_20(buf.get(), buf.get() + offset, len, kKey, kNonce,
- kCounter);
- if (memcmp(buf.get(), kOutput, len) != 0) {
- fprintf(stderr, "Mismatch at length %u with in-place offset %u.\n",
- static_cast<unsigned>(len), static_cast<unsigned>(offset));
- return false;
- }
+ // Test in-place.
+ memcpy(buf.get(), kInput, len);
+ CRYPTO_chacha_20(buf.get(), buf.get(), len, kKey, kNonce, kCounter);
+ if (memcmp(buf.get(), kOutput, len) != 0) {
+ fprintf(stderr, "Mismatch at length %zu, in-place.\n", len);
+ return false;
}
return true;
diff --git a/src/crypto/cipher/aead.c b/src/crypto/cipher/aead.c
index b1db83d..57eecc1 100644
--- a/src/crypto/cipher/aead.c
+++ b/src/crypto/cipher/aead.c
@@ -20,6 +20,7 @@
#include <openssl/err.h>
#include "internal.h"
+#include "../internal.h"
size_t EVP_AEAD_key_length(const EVP_AEAD *aead) { return aead->key_len; }
@@ -80,21 +81,15 @@
ctx->aead = NULL;
}
-/* check_alias returns 0 if |out| points within the buffer determined by |in|
- * and |in_len| and 1 otherwise.
- *
- * When processing, there's only an issue if |out| points within in[:in_len]
- * and isn't equal to |in|. If that's the case then writing the output will
- * stomp input that hasn't been read yet.
- *
- * This function checks for that case. */
-static int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out) {
- if (out <= in) {
- return 1;
- } else if (in + in_len <= out) {
+/* check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If
+ * |in| and |out| alias, we require that |in| == |out|. */
+static int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out,
+ size_t out_len) {
+ if (!buffers_alias(in, in_len, out, out_len)) {
return 1;
}
- return 0;
+
+ return in == out;
}
int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len,
@@ -108,7 +103,7 @@
goto error;
}
- if (!check_alias(in, in_len, out)) {
+ if (!check_alias(in, in_len, out, max_out_len)) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
goto error;
}
@@ -130,7 +125,7 @@
size_t max_out_len, const uint8_t *nonce,
size_t nonce_len, const uint8_t *in, size_t in_len,
const uint8_t *ad, size_t ad_len) {
- if (!check_alias(in, in_len, out)) {
+ if (!check_alias(in, in_len, out, max_out_len)) {
OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_OUTPUT_ALIASES_INPUT);
goto error;
}
diff --git a/src/crypto/cipher/aead_test.cc b/src/crypto/cipher/aead_test.cc
index f21291e..8bad93f 100644
--- a/src/crypto/cipher/aead_test.cc
+++ b/src/crypto/cipher/aead_test.cc
@@ -225,84 +225,65 @@
return false;
}
- // First test with out > in, which we expect to fail.
- for (auto offset : offsets) {
- if (offset == 0) {
- // Will be tested in the next loop.
- continue;
- }
+ // Test with out != in which we expect to fail.
+ std::vector<uint8_t> buffer(2 + valid_encryption_len);
+ uint8_t *in = buffer.data() + 1;
+ uint8_t *out1 = buffer.data();
+ uint8_t *out2 = buffer.data() + 2;
- std::vector<uint8_t> buffer(offset + valid_encryption_len);
- memcpy(buffer.data(), kPlaintext, sizeof(kPlaintext));
- uint8_t *out = buffer.data() + offset;
+ memcpy(in, kPlaintext, sizeof(kPlaintext));
+ size_t out_len;
+ if (EVP_AEAD_CTX_seal(ctx.get(), out1, &out_len,
+ sizeof(kPlaintext) + max_overhead, nonce.data(),
+ nonce_len, in, sizeof(kPlaintext), nullptr, 0) ||
+ EVP_AEAD_CTX_seal(ctx.get(), out2, &out_len,
+ sizeof(kPlaintext) + max_overhead, nonce.data(),
+ nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
+ fprintf(stderr, "EVP_AEAD_CTX_seal unexpectedly succeeded.\n");
+ return false;
+ }
+ ERR_clear_error();
- size_t out_len;
- if (!EVP_AEAD_CTX_seal(ctx.get(), out, &out_len,
- sizeof(kPlaintext) + max_overhead, nonce.data(),
- nonce_len, buffer.data(), sizeof(kPlaintext),
- nullptr, 0)) {
- // We expect offsets where the output is greater than the input to fail.
- ERR_clear_error();
- } else {
- fprintf(stderr,
- "EVP_AEAD_CTX_seal unexpectedly succeeded for offset %u.\n",
- static_cast<unsigned>(offset));
- return false;
- }
+ memcpy(in, valid_encryption.data(), valid_encryption_len);
+ if (EVP_AEAD_CTX_open(ctx.get(), out1, &out_len, valid_encryption_len,
+ nonce.data(), nonce_len, in, valid_encryption_len,
+ nullptr, 0) ||
+ EVP_AEAD_CTX_open(ctx.get(), out2, &out_len, valid_encryption_len,
+ nonce.data(), nonce_len, in, valid_encryption_len,
+ nullptr, 0)) {
+ fprintf(stderr, "EVP_AEAD_CTX_open unexpectedly succeeded.\n");
+ return false;
+ }
+ ERR_clear_error();
- memcpy(buffer.data(), valid_encryption.data(), valid_encryption_len);
- if (!EVP_AEAD_CTX_open(ctx.get(), out, &out_len, valid_encryption_len,
- nonce.data(), nonce_len, buffer.data(),
- valid_encryption_len, nullptr, 0)) {
- // We expect offsets where the output is greater than the input to fail.
- ERR_clear_error();
- } else {
- fprintf(stderr,
- "EVP_AEAD_CTX_open unexpectedly succeeded for offset %u.\n",
- static_cast<unsigned>(offset));
- ERR_print_errors_fp(stderr);
- return false;
- }
+ // Test with out == in, which we expect to work.
+ memcpy(in, kPlaintext, sizeof(kPlaintext));
+
+ if (!EVP_AEAD_CTX_seal(ctx.get(), in, &out_len,
+ sizeof(kPlaintext) + max_overhead, nonce.data(),
+ nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
+ fprintf(stderr, "EVP_AEAD_CTX_seal failed in-place.\n");
+ return false;
}
- // Test with out <= in, which we expect to work.
- for (auto offset : offsets) {
- std::vector<uint8_t> buffer(offset + valid_encryption_len);
- uint8_t *const out = buffer.data();
- uint8_t *const in = buffer.data() + offset;
- memcpy(in, kPlaintext, sizeof(kPlaintext));
+ if (out_len != valid_encryption_len ||
+ memcmp(in, valid_encryption.data(), out_len) != 0) {
+ fprintf(stderr, "EVP_AEAD_CTX_seal produced bad output in-place.\n");
+ return false;
+ }
- size_t out_len;
- if (!EVP_AEAD_CTX_seal(ctx.get(), out, &out_len,
- sizeof(kPlaintext) + max_overhead, nonce.data(),
- nonce_len, in, sizeof(kPlaintext), nullptr, 0)) {
- fprintf(stderr, "EVP_AEAD_CTX_seal failed for offset -%u.\n",
- static_cast<unsigned>(offset));
- return false;
- }
+ memcpy(in, valid_encryption.data(), valid_encryption_len);
+ if (!EVP_AEAD_CTX_open(ctx.get(), in, &out_len, valid_encryption_len,
+ nonce.data(), nonce_len, in, valid_encryption_len,
+ nullptr, 0)) {
+ fprintf(stderr, "EVP_AEAD_CTX_open failed in-place.\n");
+ return false;
+ }
- if (out_len != valid_encryption_len ||
- memcmp(out, valid_encryption.data(), out_len) != 0) {
- fprintf(stderr, "EVP_AEAD_CTX_seal produced bad output for offset -%u.\n",
- static_cast<unsigned>(offset));
- return false;
- }
-
- memcpy(in, valid_encryption.data(), valid_encryption_len);
- if (!EVP_AEAD_CTX_open(ctx.get(), out, &out_len,
- offset + valid_encryption_len, nonce.data(),
- nonce_len, in, valid_encryption_len, nullptr, 0)) {
- fprintf(stderr, "EVP_AEAD_CTX_open failed for offset -%u.\n",
- static_cast<unsigned>(offset));
- return false;
- }
-
- if (out_len != sizeof(kPlaintext) ||
- memcmp(out, kPlaintext, out_len) != 0) {
- fprintf(stderr, "EVP_AEAD_CTX_open produced bad output for offset -%u.\n",
- static_cast<unsigned>(offset));
- return false;
- }
+ if (out_len != sizeof(kPlaintext) ||
+ memcmp(in, kPlaintext, out_len) != 0) {
+ fprintf(stderr, "EVP_AEAD_CTX_open produced bad output in-place.\n");
+ return false;
}
return true;
diff --git a/src/crypto/cipher/e_aes.c b/src/crypto/cipher/e_aes.c
index d61d048..24c4d8a 100644
--- a/src/crypto/cipher/e_aes.c
+++ b/src/crypto/cipher/e_aes.c
@@ -67,9 +67,7 @@
#endif
-#if defined(_MSC_VER)
-#pragma warning(disable: 4702) /* Unreachable code. */
-#endif
+OPENSSL_MSVC_PRAGMA(warning(disable: 4702)) /* Unreachable code. */
typedef struct {
union {
diff --git a/src/crypto/cipher/test/aes_128_gcm_tests.txt b/src/crypto/cipher/test/aes_128_gcm_tests.txt
index 0e33c91..eac9aa9 100644
--- a/src/crypto/cipher/test/aes_128_gcm_tests.txt
+++ b/src/crypto/cipher/test/aes_128_gcm_tests.txt
@@ -1,4 +1,4 @@
-# The AES-128-GCM test cases from cipher_test.txt have been merged into this
+# The AES-128-GCM test cases from cipher_tests.txt have been merged into this
# file.
KEY: d480429666d48b400633921c5407d1d1
diff --git a/src/crypto/cipher/test/aes_256_gcm_tests.txt b/src/crypto/cipher/test/aes_256_gcm_tests.txt
index dbcee81..30fd422 100644
--- a/src/crypto/cipher/test/aes_256_gcm_tests.txt
+++ b/src/crypto/cipher/test/aes_256_gcm_tests.txt
@@ -1,4 +1,4 @@
-# The AES-256-GCM test cases from cipher_test.txt have been merged into this
+# The AES-256-GCM test cases from cipher_tests.txt have been merged into this
# file.
KEY: e5ac4a32c67e425ac4b143c83c6f161312a97d88d634afdf9f4da5bd35223f01
diff --git a/src/crypto/cipher/test/cipher_test.txt b/src/crypto/cipher/test/cipher_tests.txt
similarity index 100%
rename from src/crypto/cipher/test/cipher_test.txt
rename to src/crypto/cipher/test/cipher_tests.txt
diff --git a/src/crypto/cpu-intel.c b/src/crypto/cpu-intel.c
index 431e1e1..f2e0c4c 100644
--- a/src/crypto/cpu-intel.c
+++ b/src/crypto/cpu-intel.c
@@ -69,10 +69,10 @@
#include <string.h>
#if defined(OPENSSL_WINDOWS)
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <immintrin.h>
#include <intrin.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include "internal.h"
diff --git a/src/crypto/curve25519/x25519-x86_64.c b/src/crypto/curve25519/x25519-x86_64.c
index 9776c75..1bd86a0 100644
--- a/src/crypto/curve25519/x25519-x86_64.c
+++ b/src/crypto/curve25519/x25519-x86_64.c
@@ -1,3 +1,24 @@
+/* Copyright (c) 2015, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+/* This code is mostly taken from the ref10 version of Ed25519 in SUPERCOP
+ * 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as
+ * public domain but this file has the ISC license just to keep licencing
+ * simple.
+ *
+ * The field functions are shared by Ed25519 and X25519 where possible. */
+
#include <openssl/curve25519.h>
#include <string.h>
diff --git a/src/crypto/dsa/dsa.c b/src/crypto/dsa/dsa.c
index fe29aa0..1de0071 100644
--- a/src/crypto/dsa/dsa.c
+++ b/src/crypto/dsa/dsa.c
@@ -845,6 +845,7 @@
goto err;
}
+ BN_set_flags(&kq, BN_FLG_CONSTTIME);
K = &kq;
if (!BN_mod_exp_mont(r, dsa->g, K, dsa->p, ctx, dsa->method_mont_p)) {
diff --git a/src/crypto/err/err.c b/src/crypto/err/err.c
index c4e4b13..48d631f 100644
--- a/src/crypto/err/err.c
+++ b/src/crypto/err/err.c
@@ -114,9 +114,9 @@
#include <string.h>
#if defined(OPENSSL_WINDOWS)
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include <openssl/mem.h>
diff --git a/src/crypto/evp/evp.c b/src/crypto/evp/evp.c
index 79993aa..bc1585e 100644
--- a/src/crypto/evp/evp.c
+++ b/src/crypto/evp/evp.c
@@ -356,6 +356,8 @@
void OpenSSL_add_all_algorithms(void) {}
+void OpenSSL_add_all_algorithms_conf(void) {}
+
void OpenSSL_add_all_ciphers(void) {}
void OpenSSL_add_all_digests(void) {}
diff --git a/src/crypto/evp/evp_test.cc b/src/crypto/evp/evp_test.cc
index a7dac2b..b01d1e4 100644
--- a/src/crypto/evp/evp_test.cc
+++ b/src/crypto/evp/evp_test.cc
@@ -51,30 +51,27 @@
* ====================================================================
*/
+#include <openssl/evp.h>
+
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
-#if defined(_MSC_VER)
-#pragma warning(push)
-#pragma warning(disable: 4702)
-#endif
+OPENSSL_MSVC_PRAGMA(warning(push))
+OPENSSL_MSVC_PRAGMA(warning(disable: 4702))
#include <map>
#include <string>
#include <utility>
#include <vector>
-#if defined(_MSC_VER)
-#pragma warning(pop)
-#endif
+OPENSSL_MSVC_PRAGMA(warning(pop))
#include <openssl/bytestring.h>
#include <openssl/crypto.h>
#include <openssl/digest.h>
#include <openssl/err.h>
-#include <openssl/evp.h>
#include "../test/file_test.h"
#include "../test/scoped_types.h"
diff --git a/src/crypto/internal.h b/src/crypto/internal.h
index 433072c..e35fb7b 100644
--- a/src/crypto/internal.h
+++ b/src/crypto/internal.h
@@ -123,9 +123,9 @@
#if defined(OPENSSL_NO_THREADS)
#elif defined(OPENSSL_WINDOWS)
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#else
#include <pthread.h>
#endif
@@ -152,6 +152,19 @@
#endif
+/* buffers_alias returns one if |a| and |b| alias and zero otherwise. */
+static inline int buffers_alias(const uint8_t *a, size_t a_len,
+ const uint8_t *b, size_t b_len) {
+ /* Cast |a| and |b| to integers. In C, pointer comparisons between unrelated
+ * objects are undefined whereas pointer to integer conversions are merely
+ * implementation-defined. We assume the implementation defined it in a sane
+ * way. */
+ uintptr_t a_u = (uintptr_t)a;
+ uintptr_t b_u = (uintptr_t)b;
+ return a_u + a_len > b_u && b_u + b_len > a_u;
+}
+
+
/* Constant-time utility functions.
*
* The following methods return a bitmask of all ones (0xff...f) for true and 0
diff --git a/src/crypto/mem.c b/src/crypto/mem.c
index 7d73c73..ca4c559 100644
--- a/src/crypto/mem.c
+++ b/src/crypto/mem.c
@@ -66,9 +66,9 @@
#include <string.h>
#if defined(OPENSSL_WINDOWS)
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#else
#include <strings.h>
#endif
@@ -118,12 +118,11 @@
}
int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) {
- size_t i;
const uint8_t *a = in_a;
const uint8_t *b = in_b;
uint8_t x = 0;
- for (i = 0; i < len; i++) {
+ for (size_t i = 0; i < len; i++) {
x |= a[i] ^ b[i];
}
diff --git a/src/crypto/modes/internal.h b/src/crypto/modes/internal.h
index b46e836..430d040 100644
--- a/src/crypto/modes/internal.h
+++ b/src/crypto/modes/internal.h
@@ -121,9 +121,9 @@
#endif
#elif defined(_MSC_VER)
#if _MSC_VER >= 1300
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <intrin.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#pragma intrinsic(_byteswap_uint64, _byteswap_ulong)
#define BSWAP8(x) _byteswap_uint64((uint64_t)(x))
#define BSWAP4(x) _byteswap_ulong((uint32_t)(x))
diff --git a/src/crypto/newhope/CMakeLists.txt b/src/crypto/newhope/CMakeLists.txt
index 5d339ba..7787cce 100644
--- a/src/crypto/newhope/CMakeLists.txt
+++ b/src/crypto/newhope/CMakeLists.txt
@@ -19,6 +19,13 @@
)
add_executable(
+ newhope_statistical_test
+
+ newhope_statistical_test.cc
+ $<TARGET_OBJECTS:test_support>
+)
+
+add_executable(
newhope_vectors_test
newhope_vectors_test.cc
@@ -26,6 +33,8 @@
)
target_link_libraries(newhope_test crypto)
+target_link_libraries(newhope_statistical_test crypto)
target_link_libraries(newhope_vectors_test crypto)
add_dependencies(all_tests newhope_test)
+add_dependencies(all_tests newhope_statistical_test)
add_dependencies(all_tests newhope_vectors_test)
diff --git a/src/crypto/newhope/internal.h b/src/crypto/newhope/internal.h
index 5c82d68..efc5adf 100644
--- a/src/crypto/newhope/internal.h
+++ b/src/crypto/newhope/internal.h
@@ -43,12 +43,6 @@
* |seed|. (In the reference implementation this was done with SHAKE-128.) */
void newhope_poly_uniform(NEWHOPE_POLY* a, const uint8_t* seed);
-/* newhope_poly_getnoise sets |r| to a random polynomial where the coefficients
- * are
- * sampled from the noise distribution. (In the reference implementation, this
- * is given a random seed and a nonce.)*/
-void newhope_poly_getnoise(NEWHOPE_POLY* r);
-
void newhope_helprec(NEWHOPE_POLY* c, const NEWHOPE_POLY* v,
const uint8_t rbits[32]);
@@ -58,9 +52,6 @@
void newhope_reconcile(uint8_t* key, const NEWHOPE_POLY* v,
const NEWHOPE_POLY* c);
-/* newhope_poly_ntt performs NTT(r) in-place. */
-void newhope_poly_ntt(NEWHOPE_POLY* r);
-
/* newhope_poly_invntt performs the inverse of NTT(r) in-place. */
void newhope_poly_invntt(NEWHOPE_POLY* r);
diff --git a/src/crypto/newhope/newhope.c b/src/crypto/newhope/newhope.c
index c590cfa..7edb7eb 100644
--- a/src/crypto/newhope/newhope.c
+++ b/src/crypto/newhope/newhope.c
@@ -47,8 +47,7 @@
}
void NEWHOPE_offer(uint8_t *offermsg, NEWHOPE_POLY *s) {
- newhope_poly_getnoise(s);
- newhope_poly_ntt(s);
+ NEWHOPE_POLY_noise_ntt(s);
/* The first part of the offer message is the seed, which compactly encodes
* a. */
@@ -58,8 +57,7 @@
newhope_poly_uniform(&a, seed);
NEWHOPE_POLY e;
- newhope_poly_getnoise(&e);
- newhope_poly_ntt(&e);
+ NEWHOPE_POLY_noise_ntt(&e);
/* The second part of the offer message is the polynomial pk = a*s+e */
NEWHOPE_POLY pk;
@@ -78,17 +76,13 @@
/* Decode the |offermsg|, generating the same |a| as the peer, from the peer's
* seed. */
NEWHOPE_POLY pk, a;
- const uint8_t *seed = &offermsg[NEWHOPE_POLY_LENGTH];
- newhope_poly_uniform(&a, seed);
- NEWHOPE_POLY_frombytes(&pk, offermsg);
+ NEWHOPE_offer_frommsg(&pk, &a, offermsg);
/* Generate noise polynomials used to generate our key. */
NEWHOPE_POLY sp, ep, epp;
- newhope_poly_getnoise(&sp);
- newhope_poly_ntt(&sp);
- newhope_poly_getnoise(&ep);
- newhope_poly_ntt(&ep);
- newhope_poly_getnoise(&epp); /* intentionally not NTT */
+ NEWHOPE_POLY_noise_ntt(&sp);
+ NEWHOPE_POLY_noise_ntt(&ep);
+ NEWHOPE_POLY_noise(&epp); /* intentionally not NTT */
/* Generate random bytes used for reconciliation. (The reference
* implementation calls ChaCha20 here.) */
@@ -171,3 +165,10 @@
newhope_poly_invntt(&v);
newhope_reconcile(k, &v, reconciliation);
}
+
+void NEWHOPE_offer_frommsg(NEWHOPE_POLY *out_pk, NEWHOPE_POLY *out_a,
+ const uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH]) {
+ NEWHOPE_POLY_frombytes(out_pk, offermsg);
+ const uint8_t *seed = offermsg + NEWHOPE_POLY_LENGTH;
+ newhope_poly_uniform(out_a, seed);
+}
diff --git a/src/crypto/newhope/newhope_statistical_test.cc b/src/crypto/newhope/newhope_statistical_test.cc
new file mode 100644
index 0000000..44fac48
--- /dev/null
+++ b/src/crypto/newhope/newhope_statistical_test.cc
@@ -0,0 +1,156 @@
+/* Copyright (c) 2016, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <string>
+
+#include <math.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/crypto.h>
+#include <openssl/rand.h>
+
+#include "../test/scoped_types.h"
+#include "internal.h"
+
+
+static const unsigned kNumTests = 1000;
+
+static bool TestNoise(void) {
+ printf("noise distribution:\n");
+
+ size_t buckets[1 + 2 * PARAM_K];
+ memset(buckets, 0, sizeof(buckets));
+ for (size_t i = 0; i < kNumTests; i++) {
+ NEWHOPE_POLY s;
+ NEWHOPE_POLY_noise(&s);
+ for (int j = 0; j < PARAM_N; j++) {
+ uint16_t value = (s.coeffs[j] + PARAM_K) % PARAM_Q;
+ buckets[value]++;
+ }
+ }
+
+ int64_t sum = 0, square_sum = 0;
+ for (int64_t i = 0; i < 1 + 2 * PARAM_K; i++) {
+ sum += (i - PARAM_K) * (int64_t) buckets[i];
+ square_sum += (i - PARAM_K) * (i - PARAM_K) * (int64_t) buckets[i];
+ }
+ double mean = double(sum) / double(PARAM_N * kNumTests);
+
+ double expected_variance = 0.5 * 0.5 * double(PARAM_K * 2);
+ double variance = double(square_sum) / double(PARAM_N * kNumTests) - mean * mean;
+
+ for (size_t i = 0; i < 1 + 2 * PARAM_K; i++) {
+ std::string dots;
+ for (size_t j = 0; j < 79 * buckets[i] / buckets[PARAM_K]; j++) {
+ dots += "+";
+ }
+ printf("%+zd\t%zd\t%s\n", i - PARAM_K, buckets[i], dots.c_str());
+ }
+ printf("mean: got %f, want %f\n", mean, 0.0);
+ printf("variance: got %f, want %f\n", variance, expected_variance);
+ printf("\n");
+
+ if (mean < -0.5 || 0.5 < mean) {
+ fprintf(stderr, "mean out of range: %f\n", mean);
+ return false;
+ }
+
+ if (variance < expected_variance - 1.0 || expected_variance + 1.0 < variance) {
+ fprintf(stderr, "variance out of range: got %f, want %f\n", variance,
+ expected_variance);
+ return false;
+ }
+ return true;
+}
+
+static int Hamming32(const uint8_t key[NEWHOPE_KEY_LENGTH]) {
+ static int kHamming[256] = {
+ 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4,
+ 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
+ 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
+ 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
+ 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
+ 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
+ 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
+ 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7,
+ 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
+ 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
+ 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
+ 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7,
+ 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
+ 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7,
+ 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7,
+ 4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8,
+ };
+
+ int r = 0;
+ for(int i = 0; i < NEWHOPE_KEY_LENGTH; i++) {
+ r += kHamming[key[i]];
+ }
+ return r;
+}
+
+static bool TestKeys(void) {
+ printf("keys (prior to whitening):\n");
+
+ uint8_t key[NEWHOPE_KEY_LENGTH];
+ uint8_t offermsg[NEWHOPE_OFFERMSG_LENGTH];
+
+ ScopedNEWHOPE_POLY sk(NEWHOPE_POLY_new()), pk(NEWHOPE_POLY_new()),
+ sp(NEWHOPE_POLY_new()), ep(NEWHOPE_POLY_new()), epp(NEWHOPE_POLY_new()),
+ a(NEWHOPE_POLY_new()), bp(NEWHOPE_POLY_new()), rec(NEWHOPE_POLY_new());
+
+ int ones = 0;
+ for (size_t i = 0; i < kNumTests; i++) {
+ NEWHOPE_offer(offermsg, sk.get());
+ NEWHOPE_offer_frommsg(pk.get(), a.get(), offermsg);
+
+ NEWHOPE_POLY_noise_ntt(sp.get());
+ NEWHOPE_POLY_noise_ntt(ep.get());
+ NEWHOPE_POLY_noise(epp.get()); /* intentionally not NTT */
+
+ uint8_t rand[32];
+ RAND_bytes(rand, 32);
+
+ NEWHOPE_accept_computation(key, bp.get(), rec.get(),
+ sp.get(), ep.get(), epp.get(), rand,
+ pk.get(), a.get());
+ ones += Hamming32(key);
+ }
+
+ int bits = NEWHOPE_KEY_LENGTH * 8 * kNumTests;
+ int diff = bits - 2 * ones;
+ double fraction = (double) abs(diff) / bits;
+ printf("ones: %d\n", ones);
+ printf("zeroes: %d\n", (bits - ones));
+ printf("diff: got %d (%f), want 0\n", diff, fraction);
+ printf("\n");
+
+ if (fraction > 0.01) {
+ fprintf(stderr, "key bias is too high (%f)\n", fraction);
+ return false;
+ }
+
+ return true;
+}
+
+int main(void) {
+ if (!TestKeys() ||
+ !TestNoise()) {
+ return 1;
+ }
+ printf("PASS\n");
+ return 0;
+}
diff --git a/src/crypto/newhope/newhope_test.txt b/src/crypto/newhope/newhope_tests.txt
similarity index 100%
rename from src/crypto/newhope/newhope_test.txt
rename to src/crypto/newhope/newhope_tests.txt
diff --git a/src/crypto/newhope/poly.c b/src/crypto/newhope/poly.c
index a84bdeb..44cd383 100644
--- a/src/crypto/newhope/poly.c
+++ b/src/crypto/newhope/poly.c
@@ -126,7 +126,7 @@
}
}
-void newhope_poly_getnoise(NEWHOPE_POLY* r) {
+void NEWHOPE_POLY_noise(NEWHOPE_POLY* r) {
#if PARAM_K != 16
#error "poly_getnoise in poly.c only supports k=16"
#endif
@@ -171,7 +171,13 @@
}
}
-void newhope_poly_ntt(NEWHOPE_POLY* r) {
+void NEWHOPE_POLY_noise_ntt(NEWHOPE_POLY* r) {
+ NEWHOPE_POLY_noise(r);
+ /* Forward NTT transformation. Because we're operating on a noise polynomial,
+ * we can regard the bits as already reversed and skip the bit-reversal
+ * step:
+ *
+ * newhope_bitrev_vector(r->coeffs); */
newhope_mul_coefficients(r->coeffs, newhope_psis_bitrev_montgomery);
newhope_ntt((uint16_t *) r->coeffs, newhope_omegas_montgomery);
}
diff --git a/src/crypto/poly1305/poly1305_test.txt b/src/crypto/poly1305/poly1305_tests.txt
similarity index 100%
rename from src/crypto/poly1305/poly1305_test.txt
rename to src/crypto/poly1305/poly1305_tests.txt
diff --git a/src/crypto/rand/windows.c b/src/crypto/rand/windows.c
index 9d7dd78..5a9a96b 100644
--- a/src/crypto/rand/windows.c
+++ b/src/crypto/rand/windows.c
@@ -19,7 +19,7 @@
#include <limits.h>
#include <stdlib.h>
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
@@ -30,7 +30,7 @@
#include <ntsecapi.h>
#undef SystemFunction036
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#include "internal.h"
diff --git a/src/crypto/test/file_test.h b/src/crypto/test/file_test.h
index e90cc86..a859127 100644
--- a/src/crypto/test/file_test.h
+++ b/src/crypto/test/file_test.h
@@ -20,19 +20,15 @@
#include <stdint.h>
#include <stdio.h>
-#if defined(_MSC_VER)
-#pragma warning(push)
-#pragma warning(disable: 4702)
-#endif
+OPENSSL_MSVC_PRAGMA(warning(push))
+OPENSSL_MSVC_PRAGMA(warning(disable: 4702))
#include <string>
#include <map>
#include <set>
#include <vector>
-#if defined(_MSC_VER)
-#pragma warning(pop)
-#endif
+OPENSSL_MSVC_PRAGMA(warning(pop))
// File-based test framework.
//
diff --git a/src/crypto/thread.c b/src/crypto/thread.c
index 8837115..373f8db 100644
--- a/src/crypto/thread.c
+++ b/src/crypto/thread.c
@@ -61,9 +61,9 @@
#if !defined(OPENSSL_WINDOWS)
#include <errno.h>
#else
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#endif
#include <openssl/mem.h>
@@ -74,6 +74,11 @@
void CRYPTO_set_locking_callback(void (*func)(int mode, int lock_num,
const char *file, int line)) {}
+void (*CRYPTO_get_locking_callback(void))(int mode, int lock_num,
+ const char *file, int line) {
+ return NULL;
+}
+
void CRYPTO_set_add_lock_callback(int (*func)(int *num, int mount, int lock_num,
const char *file, int line)) {}
@@ -99,3 +104,19 @@
void CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)(
struct CRYPTO_dynlock_value *l, const char *file, int line)) {}
+
+struct CRYPTO_dynlock_value *(*CRYPTO_get_dynlock_create_callback(void))(
+ const char *file, int line) {
+ return NULL;
+}
+
+void (*CRYPTO_get_dynlock_lock_callback(void))(int mode,
+ struct CRYPTO_dynlock_value *l,
+ const char *file, int line) {
+ return NULL;
+}
+
+void (*CRYPTO_get_dynlock_destroy_callback(void))(
+ struct CRYPTO_dynlock_value *l, const char *file, int line) {
+ return NULL;
+}
diff --git a/src/crypto/thread_test.c b/src/crypto/thread_test.c
index 92a5373..12ca2ec 100644
--- a/src/crypto/thread_test.c
+++ b/src/crypto/thread_test.c
@@ -21,9 +21,9 @@
#if defined(OPENSSL_WINDOWS)
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
typedef HANDLE thread_t;
diff --git a/src/crypto/thread_win.c b/src/crypto/thread_win.c
index 9f7d82b..c7a90f7 100644
--- a/src/crypto/thread_win.c
+++ b/src/crypto/thread_win.c
@@ -16,9 +16,9 @@
#if defined(OPENSSL_WINDOWS) && !defined(OPENSSL_NO_THREADS)
-#pragma warning(push, 3)
+OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <windows.h>
-#pragma warning(pop)
+OPENSSL_MSVC_PRAGMA(warning(pop))
#include <stdlib.h>
#include <string.h>
diff --git a/src/crypto/x509/x509_txt.c b/src/crypto/x509/x509_txt.c
index 86af3fe..17e6cdb 100644
--- a/src/crypto/x509/x509_txt.c
+++ b/src/crypto/x509/x509_txt.c
@@ -199,6 +199,11 @@
case X509_V_ERR_IP_ADDRESS_MISMATCH:
return ("IP address mismatch");
+ case X509_V_ERR_INVALID_CALL:
+ return ("Invalid certificate verification context");
+ case X509_V_ERR_STORE_LOOKUP:
+ return ("Issuer certificate lookup error");
+
default:
BIO_snprintf(buf, sizeof buf, "error number %ld", n);
return (buf);
diff --git a/src/crypto/x509/x509_vfy.c b/src/crypto/x509/x509_vfy.c
index 2ed2f03..520408f 100644
--- a/src/crypto/x509/x509_vfy.c
+++ b/src/crypto/x509/x509_vfy.c
@@ -198,6 +198,7 @@
STACK_OF(X509) *sktmp = NULL;
if (ctx->cert == NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
+ ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
if (ctx->chain != NULL) {
@@ -206,6 +207,7 @@
* cannot do another one.
*/
OPENSSL_PUT_ERROR(X509, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
@@ -218,6 +220,7 @@
ctx->chain = sk_X509_new_null();
if (ctx->chain == NULL || !sk_X509_push(ctx->chain, ctx->cert)) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
goto end;
}
X509_up_ref(ctx->cert);
@@ -227,6 +230,7 @@
if (ctx->untrusted != NULL
&& (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
goto end;
}
@@ -250,8 +254,10 @@
*/
if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) {
ok = ctx->get_issuer(&xtmp, ctx, x);
- if (ok < 0)
+ if (ok < 0) {
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
goto end;
+ }
/*
* If successful for now free up cert so it will be picked up
* again later.
@@ -268,6 +274,7 @@
if (xtmp != NULL) {
if (!sk_X509_push(ctx->chain, xtmp)) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
ok = 0;
goto end;
}
@@ -349,14 +356,17 @@
break;
ok = ctx->get_issuer(&xtmp, ctx, x);
- if (ok < 0)
+ if (ok < 0) {
+ ctx->error = X509_V_ERR_STORE_LOOKUP;
goto end;
+ }
if (ok == 0)
break;
x = xtmp;
if (!sk_X509_push(ctx->chain, x)) {
X509_free(xtmp);
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
ok = 0;
goto end;
}
@@ -493,6 +503,10 @@
sk_X509_free(sktmp);
if (chain_ss != NULL)
X509_free(chain_ss);
+
+ /* Safety net, error returns must set ctx->error */
+ if (ok <= 0 && ctx->error == X509_V_OK)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
return ok;
}
@@ -709,12 +723,19 @@
NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
if (nc) {
rv = NAME_CONSTRAINTS_check(x, nc);
- if (rv != X509_V_OK) {
+ switch (rv) {
+ case X509_V_OK:
+ continue;
+ case X509_V_ERR_OUT_OF_MEM:
+ ctx->error = rv;
+ return 0;
+ default:
ctx->error = rv;
ctx->error_depth = i;
ctx->current_cert = x;
if (!ctx->verify_cb(0, ctx))
return 0;
+ break;
}
}
}
@@ -1605,6 +1626,7 @@
ctx->param->policies, ctx->param->flags);
if (ret == 0) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
return 0;
}
/* Invalid or inconsistent extensions */
@@ -1633,7 +1655,12 @@
if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) {
ctx->current_cert = NULL;
- ctx->error = X509_V_OK;
+ /*
+ * Verification errors need to be "sticky", a callback may have allowed
+ * an SSL handshake to continue despite an error, and we must then
+ * remain in an error state. Therefore, we MUST NOT clear earlier
+ * verification errors by setting the error to X509_V_OK.
+ */
if (!ctx->verify_cb(2, ctx))
return 0;
}