external/boringssl: Sync to 8459d0659920ab8c99bd300b8a989d4cda251118.
This includes the following changes:
https://boringssl.googlesource.com/boringssl/+log/f21650709a6f76e829ddcc77fe221c9d6a5c12de..8459d0659920ab8c99bd300b8a989d4cda251118
Test: BoringSSL CTS Presubmits.
Change-Id: I5745e86549d938f384e5de73a8fabb2405ed9b56
diff --git a/BORINGSSL_REVISION b/BORINGSSL_REVISION
index 70b9107..98a849e 100644
--- a/BORINGSSL_REVISION
+++ b/BORINGSSL_REVISION
@@ -1 +1 @@
-f21650709a6f76e829ddcc77fe221c9d6a5c12de
+8459d0659920ab8c99bd300b8a989d4cda251118
diff --git a/crypto_test_data.cc b/crypto_test_data.cc
index dd1dbd6..e499aec 100644
--- a/crypto_test_data.cc
+++ b/crypto_test_data.cc
@@ -2425,19 +2425,20 @@
"b664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\n\n# The same as above, but with the curve explicitly spelled out.\nPublicKey = P-256-SPKI\nInput = 3082014b3082010306072a8648ce3d02013081f7020101302c06072a8648ce3d0101022100ffffffff00000001000000000000000000000000ffffffffffffffffffffffff305b0420ffffffff00000001000000000000000000000000fffffffffffffffffffffffc04205ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b031500c49d360886e704936a6678e1139d26b7819f7e900441046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c2964fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5022100ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551020101034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = DECODE_ERROR\n\n# The same as above, but with trailing data after the curve name.\nPublicKey = P-256-SPKI\nInput = 305b301506072a8648ce3d020106082a8648ce3d0301070500034200042c150f429ce70f216c252cf5e062ce1f639cd5d165c7f89424072c27197d78b33b920e95cdb664e990dcf0cfea0d94e2a8e6af9d0e58056e653104925b9fe6c9\nError = DECODE_ERROR\n\n# A DSA private key.\nPrivateKey = DSA-1024\nType = DSA\nInput = 308202650201003082023906072a8648ce3804013082022c02820101009e12fab3de12213501dd82aa10ca2d101d2d4ebfef4d2a3f8daa0fe0cedad8d6af85616aa2f3252c0a2b5a6db09e6f14900e0ddb8311876dd8f9669525f99ed65949e184d5064793271169a228680b95ec12f59a8e20b21f2b58eb2a2012d35bde2ee351822fe8f32d0a330565dcce5c672b7259c14b2433d0b5b2ca2b2db0ab626e8f13f47fe0345d904e7294bb038e9ce21a9e580b83356278706cfe768436c69de149ccff98b4aab8cb4f6385c9f102ce59346eaeef27e0ad222d53d6e89cc8cde5776dd00057b03f2d88ab3cedbafd7b585f0b7f7835e17a3728bbf25ea62572f245dc111f3ce39cb6ffacc31b0a2790e7bde90224ea9b09315362af3d2b022100f381dcf53ebf724f8b2e5ca82c010fb4b5eda9358d0fd88ed278589488b54fc3028201000c402a725dcc3a62e02bf4cf43cd17f4a493591220223669cf4193edab423ad08dfb552e308a6a57a5ffbc7cd0fb2087f81f8df0cb08ab2133287d2b6968714a94f633c940845a48a3e16708dde761cc6a8eab2d84db21b6ea5b07681493cc9c31fbc368b243f6ddf8c932a8b4038f44e7b15ca876344a147859f2b43b39458668ad5e0a1a9a669546dd2812e3b3617a0aef99d58e3bb4cc87fd94225e01d2dcc469a77268146c51918f18e8b4d70aa1f0c7623bcc52cf3731d38641b2d2830b7eecb2f09552ff137d046e494e7f33c3590002b16d1b97d936fda28f90c3ed3ca35338168ac16f77c3c57adc2e8f7c6c2256e41a5f65450590dbb5bcf06d66610423022100b0c768702743bc51242993a971a52889795444f7c6452203d0ce84fe6117d46e\n\n# A DSA public key.\nPublicKey = DSA-1024-SPKI\nType = DSA\nInput = 308201b73082012c06072a8648ce3804013082011f02818100b3429b8b128c9079f9b72e86857e98d265e5d91661ed8b5f4cc56e5eed1e571da30186983a9dd76297eab73ee13a1db841f8800d04a7cab478af6cde2ea4a2868531af169a24858c6268efa39ceb7ed0d4227eb5bbb01124a2a5a26038c7bcfb8cc827f68f5202345166e4718596799b65c9def82828ce44e62e38e41a0d24b1021500c5a56c81ddd87f47e676546c56d05706421624cf0281810094de40d27314fe929e47ff9b1ac65cfc73ef38c4d381c890be6217b15039ae18190e6b421af8c0bda35a5cfd050f58ae2644adce83e68c8e5ba11729df56bbb21e227a60b816cc033fa799a38fe1ba5b4aa1801b6f841ce3df99feb3b4fb96950c960af13fa2ce920aabc12dd24ad2044a35063ea0e25f67f560f4cfbdc5598303818400028180258c30ebbb7f34fdc873ce679f6cea373c7886d75d4421b90920db034daedd292c64d8edd8cdbdd7f3ad23d74cfa2135247d0cef6ecf2e14f99e19d22a8c1266bd8fb8719c0e5667c716c45c7adbdabe548085bdad2dfee636f8d52fd6adb2193df6c4f0520fbd171b91882e0e4f321f8250ffecf4dbea00e114427d3ef96c1a\n\n# The same key as above, but without the parameters.\nPublicKey = DSA-1024-SPKI-No-Params\nType = DSA\nInput = 308192300906072a8648ce38040103818400028180258c30ebbb7f34fdc873ce679f6cea373c7886d75d4421b90920db034daedd292c64d8edd8cdbdd7f3ad23d74cfa2135247d0cef6ecf2e14f99e19d22a8c1266bd8fb8719c0e5667c716c45c7adbdabe548085bdad2dfee636f8d52fd6adb2193df6c4f0520fbd171b91882e0e4f321f8250ffecf4dbea00e114427d3ef96c1a\n\n# Private keys from RFC 8032.\nPrivateKey = Ed25519\nType = Ed25519\nInput = 302e020100300506032b6570042204209d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60\n\nPrivateKey = Ed25519-2\nType = Ed25519\nInput = 302e020100300506032b6570042204204ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb\n\nPrivateKey = Ed25519-3\nType = Ed25519\nInput = 302e020100300506032b657004220420c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7\n\nPrivateKey = Ed25519-4\nType = Ed25519\nInput = 302e020100300506032b657004220420f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5\n\nPrivateKey = Ed25519-5\nType = Ed25519\nInput = 302e020100300506032b657004220420833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42\n\n# Public keys from RFC 8032.\nPublicKey = Ed25519-SPKI\nType = Ed25519\nInput = 302a300506032b6570032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\n\nPublicKey = Ed25519-SPKI-2\nType = Ed25519\nInput = 302a300506032b65700321003d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c\n\nPublicKey = Ed25519-SPKI-3\nType = Ed25519\nInput = 302a300506032b6570032100fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025\n\nPublicKey = Ed25519-SPKI-4\nType = Ed25519\nInput = 302a300506032b6570032100278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e\n\nPublicKey = Ed25519-SPKI-5\nType = Ed25519\nInput = 302a300506032b6570032100ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf\n\n# The first key, private and public, with invalid NULL parameters.\nPrivateKey = Ed25519-NULL\nInput = 3030020100300706032b65700500042204209d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60\nError = DECODE_ERROR\n\nPublicKey = Ed25519-SPKI-NULL\nInput = 302c300706032b65700500032100d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a\nError = DECODE_ERROR\n\n# Sample public key from draft-ietf-curdle-pkix-04.\nPublicKey = Ed25519-SPKI-Spec\nType = Ed25519\nInput = 302a300506032b657003210019bf44096984cdfe8541bac167dc3b96c85086aa30b6b6cb0c5c38ad703166e1\n\n# Sample private key from draft-ietf-curdle-pkix-04.\nPrivateKey = Ed25519-Spec\nType = Ed25519\nInput = 302e020100300506032b657004220420d4ee72dbf913584ad5b6d8f1f769f8ad3afe7c28cbf1d4fbe097a88f44755842\n\n\n# RSA tests\n\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\nVerify = RSA-2048-SPKI\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\n\n# Digest too long\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nError = INVALID_MESSAGE_LENGTH\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db1",
"5dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too short\nSign = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nError = INVALID_MESSAGE_LENGTH\n\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too large for key.\nSign = RSA-512\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DIGEST_TOO_BIG_FOR_RSA_KEY\n\n# Mismatched digest\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1233\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad\nError = BAD_SIGNATURE\n\n# Corrupted signature\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1233\"\nOutput = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ae\nError = BLOCK_TYPE_IS_NOT_01\n\n# parameter missing (NOTE: this differs from upstream)\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e75b4f6b37f67edd9c60c800f9ab941c0c157d7d880ca9de40c951d60fd293ae220d4bc510b1572d6e85a1bbbd8605b52e05f1c64fafdae59a1c2fbed214b7844d0134619de62851d5a0522e32e556e5950f3f97b8150e3f0dffee612c924201c27cd9bc8b423a71533380c276d3d59fcba35a2e80a1a192ec266a6c2255012cd86a349fe90a542b355fa3355b04da6cdf1df77f0e7bd44a90e880e1760266d233e465226f5db1c68857847d82072861ee266ddfc2e596845b77e1803274a579835ab5e4975d81d20b7df9cec7795489e4a2bdb8c1cf6a6b359945ac92c\nError = BAD_SIGNATURE\n\n# embedded digest too long\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d\nError = BAD_SIGNATURE\n\n# embedded digest too short\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d\nError = BAD_SIGNATURE\n\n# Garbage after DigestInfo\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274\nError = BAD_SIGNATURE\n\n# invalid tag for parameter\nVerify = RSA-2048\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 49525db4d44c755e560cba980b1d85ea604b0e077fcadd4ba44072a3487bbddb835016200a7d8739cce2dc3223d9c20cbdd25059ab02277f1f21318efd18e21038ec89aa9d40680987129e8b41ba33bceb86518bdf47268b921cce2037acabca6575d832499538d6f40cdba0d40bd7f4d8ea6ca6e2eec87f294efc971407857f5d7db09f6a7b31e301f571c6d82a5e3d08d2bb3a36e673d28b910f5bec57f0fcc4d968fd7c94d0b9226dec17f5192ad8b42bcab6f26e1bea1fdc3b958199acb00f14ebcb2a352f3afcedd4c09000128a603bbeb9696dea13040445253972d46237a25c7845e3b464e6984c2348ea1f1210a9ff0b00d2d72b50db00c009bb39f9\nError = BAD_SIGNATURE\n\n\n# RSA-PSS tests.\n\n# Zero salt length makes the output deterministic\nSign = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n\n# Verify of above signature\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n\n# Auto-detected salt length\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n\n# Wrong digest\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"00000000000000000000000000000000\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13",
"848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = BAD_SIGNATURE\n\n# Digest too short\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDE\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = INVALID_MESSAGE_LENGTH\n\n# Digest too long\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF0\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = INVALID_MESSAGE_LENGTH\n\n# Wrong salt length\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = SLEN_CHECK_FAILED\n\n# Wrong salt length using implicit hash length\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = -1\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = SLEN_CHECK_FAILED\n\n# Wrong MGF1 digest, SHA-1\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nMGF1Digest = SHA1\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n# If SHA-1, this input happens to succeed recovering a salt length, but it does\n# not match.\nError = SLEN_CHECK_FAILED\n\n# Wrong MGF1 digest, SHA-384\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nMGF1Digest = SHA384\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\n# If SHA-384, this input happens fail to recover the salt length altogether.\nError = SLEN_RECOVERY_FAILED\n\n# The salt length is too large for the modulus (signing).\nSign = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 223\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE\n\n# The salt length is too large for the modulus (verifying).\nVerify = RSA-2048\nRSAPadding = PSS\nPSSSaltLength = 223\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4de433d5844043ef08d354da03cb29068780d52706d7d1e4d50efb7d58c9d547d83a747ddd0635a96b28f854e50145518482cb49e963054621b53c60c498d07c16e9c2789c893cf38d4d86900de71bde463bd2761d1271e358c7480a1ac0bab930ddf39602ad1bc165b5d7436b516b7a7858e8eb7ab1c420eeb482f4d207f0e462b1724959320a084e13848d11d10fb593e66bf680bf6d3f345fc3e9c3de60abbac37e1c6ec80a268c8d9fc49626c679097aa690bc1aa662b95eb8db70390861aa0898229f9349b4b5fdd030d4928c47084708a933144be23bd3c6e661b85b2c0ef9ed36d498d5b7320e8194d363d4ad478c059bae804181965e0b81b663158a\nError = DATA_TOO_LARGE\n\n# The hash is too large for the modulus (signing).\nSign = RSA-512\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE\n\nSign = RSA-512\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nError = DATA_TOO_LARGE\n\n# The hash is too large for the modulus (verifying).\nVerify = RSA-512\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nOutput = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\nError = DATA_TOO_LARGE\n\nVerify = RSA-512\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA512\nInput = \"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\"\nOutput = 457001d9ca50a93385fc5ec721c9dbbe7a0f2e9e4a2f846a30a8811dde66347b83901c7492039243537c7a667fafffd69049bcbd36afd0010d9b425e2d8785c1\nError = DATA_TOO_LARGE\n\n# Sample RSA-515 signature.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 00c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\n\n# The above, but with too few leading zeros.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\nError = DATA_LEN_NOT_EQUAL_TO_MOD_LEN\n\n# The above, but with too many leading zeros.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 0000c5926600f160f85e7fe950cfe123908384211cd8fe25c90cb8e8cc0593308e9aa2efe3acbf100ec1658ded8f72f506525fc2c44f06251b08d896e7bb3f05b135\nError = DATA_LEN_NOT_EQUAL_TO_MOD_LEN\n\n# The above with an invalid leading byte. The top few bits of EM are required to\n# be cleared.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 007f803c832a2090aea04013d9fa9c1630732a1625232826d235f0950f7050d3fb0eb06ef9ea8b260fad68e1165a2d770a8c7fc7a8aaa68620b021fc19c97e0041\nError = FIRST_OCTET_INVALID\n\n# The above with an invalid trailing byte.\nVerify = RSA-515\nRSAPadding = PSS\nPSSSaltLength = 0\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 03e68555035891eb08d96c0967db22328cd892ad2856d88516ecb946bfdba732bb029b5c0dfa2119ed7349897d2324e95e86d91d0c4afc82700a36db8933a",
- "bbf58\nError = LAST_OCTET_INVALID\n\n# Non-zero salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 32\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, wrong salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 31\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\nError = SLEN_CHECK_FAILED\n\n# Non-zero salt length, match hash length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -1\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, auto-detected.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n\n# RSA decrypt\n\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a78\nOutput = \"Hello World\"\n\n# Corrupted ciphertext\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a79\nError = PKCS_DECODING_ERROR\n\n# OAEP padding\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5af\nOutput = \"Hello World\"\n\n# OAEP padding, corrupted ciphertext\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5ac\nError = OAEP_DECODING_ERROR\n\n\n# EC tests\n\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\nVerify = P-256-SPKI\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\n# Digest too long\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest too short\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest invalid\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1235\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Invalid signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7\nError = BAD_SIGNATURE\n\n# Garbage after signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec800\nError = BAD_SIGNATURE\n\n# BER signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000\nError = BAD_SIGNATURE\n\n\n# Additional RSA-PSS and RSA-OAEP tests converted from\n# ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip\n\nPublicKey = RSA-PSS-1\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818100a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a21370203010001\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = cd8b6538cb8e8de566b68bd067569dbf1ee2718e\nOutput = 9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd\nOutput = 3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce4",
- "3739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0652ec67bcee30f9d2699122b91c19abdba89f91\nOutput = 666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 39c21c4cceda9c1adf839c744e1212a6437575ec\nOutput = 4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 36dae913b77bd17cae6e7b09453d24544cebb33c\nOutput = 1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 45eef191f4f79c31fe5d2ede7e5098994e929d2d\nOutput = 2a34f6125e1f6b0bf971e84fbd41c632be8f2c2ace7de8b6926e31ff93e9af987fbc06e51e9be14f5198f91f3f953bd67da60a9df59764c3dc0fe08e1cbef0b75f868d10ad3fba749fef59fb6dac46a0d6e504369331586f58e4628f39aa278982543bc0eeb537dc61958019b394fb273f215858a0a01ac4d650b955c67f4c58\n\nPublicKey = RSA-PSS-2\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818101d40c1bcf97a68ae7cdbd8a7bf3e34fa19dcca4ef75a47454375f94514d88fed006fb829f8419ff87d6315da68a1ff3a0938e9abb3464011c303ad99199cf0c7c7a8b477dce829e8844f625b115e5e9c4a59cf8f8113b6834336a2fd2689b472cbb5e5cabe674350c59b6c17e176874fb42f8fc3d176a017edc61fd326c4b33c90203010001\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 5c81a3e2a658246628cd0ee8b00bb4c012bc9739\nOutput = 014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 27f71611446aa6eabf037f7dedeede3203244991\nOutput = 010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 03ecc2c33e93f05fc7224fcc0d461356cb897217\nOutput = 007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 246c727b4b9494849dddb068d582e179ac20999c\nOutput = 009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912\nOutput = 00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7a6fdc1a4e434ecbc35d657ad49a2f4fafd43bc8\nOutput = 00475b1648f814a8dc0abdc37b5527f543b666bb6e39d30e5b49d3b876dccc58eac14e32a2d55c2616014456ad2f246fc8e3d560da3ddf379a1c0bd200f10221df078c219a151bc8d4ec9d2fc2564467811014ef15d8ea01c2ebbff8c2c8efab38096e55fcbe3285c7aa558851254faffa92c1c72b78758663ef4582843139d7a6\n\nPublicKey = RSA-PSS-3\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818102f246ef451ed3eebb9a310200cc25859c048e4be798302991112eb68ce6db674e280da21feded1ae74880ca522b18db249385012827c515f0e466a1ffa691d98170574e9d0eadb087586ca48933da3cc953d95bd0ed50de10ddcb6736107d6c831c7f663e833ca4c097e700ce0fb945f88fb85fe8e5a773172565b914a471a4430203010001\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3552be69dd74bdc56d2cf8c38ef7bafe269040fe\nOutput = 0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 609143ff7240e55c062aba8b9e4426a781919bc9\nOutput = 02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0afd22f879a9cda7c584f4135f8f1c961db114c0\nOutput = 0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 405dd56d395ef0f01b555c48f748cc32b210650b\nOutput = 0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a2c313b0440c8a0c47233b87f0a160c61af3eae7\nOutput = 021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f1bf6ca7b4bbdbb6bf20a4bf55728725d177154a\nOutput = 012fafec862f56e9e92f60ab0c77824f4299a0ca734ed26e0644d5d222c7f0bde03964f8e70a5cb65ed44e44d56ae0edf1ff86ca032cc5dd4404dbb76ab854586c44eed8336d08d457ce6c03693b45c0f1efef93624b95b8ec169c616d20e5538ebc0b6737a6f82b4bc0570924fc6b35759a3348426279f8b3d7744e2d222426ce\n\nPublicKey = RSA-PSS-4\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181054adb7886447efe6f57e0368f06cf52b0a3370760d161cef126b91be7f89c421b62a6ec1da3c311d75ed50e0ab5fff3fd338acc3aa8a4e77ee26369acb81ba900fa83f5300cf9bb6c53ad1dc8a178b815db4235a9a9da0c06de4e615ea1277ce559e9c108de58c14a81aa77f5a6f8d1335494498848c8b95940740be7bf7c37050203010001\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd\nOutput = 0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 04a10944bfe11ab801e77889f3fd3d7f4ff0b629\nOutput = 049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ba01243db223eb97fb86d746c3148adaaa0ca344\nOutput = 03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3",
- "269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 934bb0d38d6836daec9de82a9648d4593da67cd2\nOutput = 0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ec35d81abd1cceac425a935758b683465c8bd879\nOutput = 022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 72ce251d17b04dd3970d6ff1fbe3624899e9e941\nOutput = 00938dcb6d583046065f69c78da7a1f1757066a7fa75125a9d2929f0b79a60b627b082f11f5b196f28eb9daa6f21c05e5140f6aef1737d2023075c05ecf04a028c686a2ab3e7d5a0664f295ce12995e890908b6ad21f0839eb65b70393a7b5afd9871de0caa0cedec5b819626756209d13ab1e7bb9546a26ff37e9a51af9fd562e\n\nPublicKey = RSA-PSS-5\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d003081890281810d10f661f29940f5ed39aa260966deb47843679d2b6fb25b3de370f3ac7c19916391fd25fb527ebfa6a4b4df45a1759d996c4bb4ebd18828c44fc52d0191871740525f47a4b0cc8da325ed8aa676b0d0f626e0a77f07692170acac8082f42faa7dc7cd123e730e31a87985204cabcbe6670d43a2dd2b2ddef5e05392fc213bc5070203010001\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d98b7061943510bc3dd9162f7169aabdbdcd0222\nOutput = 0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ae8e699f754988f4fd645e463302e49a2552072\nOutput = 08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8d46c7c05534c1ba2cc7624500d48a4531604bff\nOutput = 05e0fdbdf6f756ef733185ccfa8ced2eb6d029d9d56e35561b5db8e70257ee6fd019d2f0bbf669fe9b9821e78df6d41e31608d58280f318ee34f559941c8df13287574bac000b7e58dc4f414ba49fb127f9d0f8936638c76e85356c994f79750f7fa3cf4fd482df75e3fb9978cd061f7abb17572e6e63e0bde12cbdcf18c68b979\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ee3de96783fd0a157c8b20bf5566124124dcfe65\nOutput = 0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1204df0b03c2724e2709c23fc71789a21b00ae4c\nOutput = 0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 29926bc3280c841f601acd0d6f17ea38023eddbc\nOutput = 02802dccfa8dfaf5279bf0b4a29ba1b157611faeaaf419b8919d15941900c1339e7e92e6fae562c53e6cc8e84104b110bce03ad18525e3c49a0eadad5d3f28f244a8ed89edbafbb686277cfa8ae909714d6b28f4bf8e293aa04c41efe7c0a81266d5c061e2575be032aa464674ff71626219bd74cc45f0e7ed4e3ff96eee758e8f\n\nPublicKey = RSA-PSS-6\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181164ca31cff609f3a0e7101b039f2e4fe6dd37519ab98598d179e174996598071f47d3a04559158d7be373cf1aa53f0aa6ef09039e5678c2a4c63900514c8c4f8aaed5de12a5f10b09c311af8c0ffb5b7a297f2efc63b8d6b0510931f0b98e48bf5fc6ec4e7b8db1ffaeb08c38e02adb8f03a48229c99e969431f61cb8c4dc698d10203010001\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6\nOutput = 04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 92d0bcae82b641f578f040f5151be8eda6d42299\nOutput = 0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3569bd8fd2e28f2443375efa94f186f6911ffc2b\nOutput = 086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7abbb7b42de335730a0b641f1e314b6950b84f98\nOutput = 0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 55b7eb27be7a787a59eb7e5fac468db8917a7725\nOutput = 02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = de2fa0367ef49083ff89b9905d3fd646fcc12c38\nOutput = 0a40a16e2fe2b38d1df90546167cf9469c9e3c3681a3442b4b2c2f581deb385ce99fc6188bb02a841d56e76d301891e24560550fcc2a26b55f4ccb26d837d350a154bcaca8392d98fa67959e9727b78cad03269f56968fc56b68bd679926d83cc9cb215550645ccda31c760ff35888943d2d8a1d351e81e5d07b86182e751081ef\n\nPublicKey = RSA-PSS-7\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818137c9da4a66c8c408b8da27d0c9d79f8ccb1eafc1d2fe48746d940b7c4ef5dee18ad12647cefaa0c4b3188b221c515386759b93f02024b25ab9242f8357d8f3fd49640ee5e643eaf6c64deefa7089727c8ff03993333915c6ef21bf5975b6e50d118b51008ec33e9f01a0a545a10a836a43ddbca9d8b5c5d3548022d7064ea29ab30203010001\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d\nOutput = 187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 402140dc605b2f5c5ec0d15bce9f9ba8857fe117\nOutput = 10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db815ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20\nOutput = 2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1fc2201d0c442a4736cd8b2cd00c959c47a3bf42\nOutput = 32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d",
- "26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e4351b66819e5a31501f89acc7faf57030e9aac5\nOutput = 07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 49f6cc58365e514e1a3f301f4de16f9fb5347ff2\nOutput = 18da3cdcfe79bfb77fd9c32f377ad399146f0a8e810620233271a6e3ed3248903f5cdc92dc79b55d3e11615aa056a795853792a3998c349ca5c457e8ca7d29d796aa24f83491709befcfb1510ea513c92829a3f00b104f655634f320752e130ec0ccf6754ff893db302932bb025eb60e87822598fc619e0e981737a9a4c4152d33\n\nPublicKey = RSA-PSS-8\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181495370a1fb18543c16d3631e3163255df62be6eee890d5f25509e4f778a8ea6fbbbcdf85dff64e0d972003ab3681fbba6dd41fd541829b2e582de9f2a4a4e0a2d0900bef4753db3cee0ee06c7dfae8b1d53b5953218f9cceea695b08668edeaadced9463b1d790d5ebf27e9115b46cad4d9a2b8efab0561b0810344739ada0733f0203010001\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a1dd230d8ead860199b6277c2ecfe3d95f6d9160\nOutput = 0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f6e68e53c602c5c65fa67b5aa6d786e5524b12ab\nOutput = 2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d6f9fcd3ae27f32bb2c7c93536782eba52af1f76\nOutput = 2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ff2a53ce2e2d900d468e498f230a5f5dd0020de\nOutput = 1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 4eb309f7022ba0b03bb78601b12931ec7c1be8d3\nOutput = 33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 65033bc2f67d6aba7d526acb873b8d9241e5e4d9\nOutput = 1ed1d848fb1edb44129bd9b354795af97a069a7a00d0151048593e0c72c3517ff9ff2a41d0cb5a0ac860d736a199704f7cb6a53986a88bbd8abcc0076a2ce847880031525d449da2ac78356374c536e343faa7cba42a5aaa6506087791c06a8e989335aed19bfab2d5e67e27fb0c2875af896c21b6e8e7309d04e4f6727e69463e\n\nPublicKey = RSA-PSS-9\nType = RSA\nInput = 3081df300d06092a864886f70d01010105000381cd003081c90281c100e6bd692ac96645790403fdd0f5beb8b9bf92ed10007fc365046419dd06c05c5b5b2f48ecf989e4ce269109979cbb40b4a0ad24d22483d1ee315ad4ccb1534268352691c524f6dd8e6c29d224cf246973aec86c5bf6b1401a850d1b9ad1bb8cbcec47b06f0f8c7f45d3fc8f319299c5433ddbc2b3053b47ded2ecd4a4caefd614833dc8bb622f317ed076b8057fe8de3f84480ad5e83e4a61904a4f248fb397027357e1d30e463139815c6fd4fd5ac5b8172a45230ecb6318a04f1455d84e5a8b0203010001\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2715a49b8b0012cd7aee84c116446e6dfe3faec0\nOutput = 586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2dac956d53964748ac364d06595827c6b4f143cd\nOutput = 80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 28d98c46cccafbd3bc04e72f967a54bd3ea12298\nOutput = 484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0866d2ff5a79f25ef668cd6f31b42dee421e4c0e\nOutput = 84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 6a5b4be4cd36cc97dfde9995efbf8f097a4a991a\nOutput = 82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b9dfd1df76a461c51e6576c6c8ed0a923d1c50e7\nOutput = a7fdb0d259165ca2c88d00bbf1028a867d337699d061193b17a9648e14ccbbaadeacaacdec815e7571294ebb8a117af205fa078b47b0712c199e3ad05135c504c24b81705115740802487992ffd511d4afc6b854491eb3f0dd523139542ff15c3101ee85543517c6a3c79417c67e2dd9aa741e9a29b06dcb593c2336b3670ae3afbac7c3e76e215473e866e338ca244de00b62624d6b9426822ceae9f8cc460895f41250073fd45c5a1e7b425c204a423a699159f6903e710b37a7bb2bc8049f\n\nPublicKey = RSA-PSS-10\nType = RSA\nInput = 30820122300d06092a864886f70d01010105000382010f003082010a0282010100a5dd867ac4cb02f90b9457d48c14a770ef991c56c39c0ec65fd11afa8937cea57b9be7ac73b45c0017615b82d622e318753b6027c0fd157be12f8090fee2a7adcd0eef759f88ba4997c7a42d58c9aa12cb99ae001fe521c13bb5431445a8d5ae4f5e4c7e948ac227d3604071f20e577e905fbeb15dfaf06d1de5ae6253d63a6a2120b31a5da5dabc9550600e20f27d3739e2627925fea3cc509f21dff04e6eea4549c540d6809ff9307eede91fff58733d8385a237d6d3705a33e391900992070df7adf1357cf7e3700ce3667de83f17b8df1778db381dce09cb4ad058a511001a738198ee27cf55a13b754539906582ec8b174bd58d5d1f3d767c613721ae050203010001\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 9596bb630cf6a8d4ea4600422b9eba8b13675dd4\nOutput = 82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff23852",
- "30d070d07e1666\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b503319399277fd6c1c8f1033cbf04199ea21716\nOutput = 14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 50aaede8536b2c307208b275a67ae2df196c7628\nOutput = 6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = aa0b72b8b371ddd10c8ae474425ccccf8842a294\nOutput = 34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = fad3902c9750622a2bc672622c48270cc57d3ea8\nOutput = 7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 122196deb5d122bd8c6fc781ff6924d7c695aade\nOutput = 6d3b5b87f67ea657af21f75441977d2180f91b2c5f692de82955696a686730d9b9778d970758ccb26071c2209ffbd6125be2e96ea81b67cb9b9308239fda17f7b2b64ecda096b6b935640a5a1cb42a9155b1c9ef7a633a02c59f0d6ee59b852c43b35029e73c940ff0410e8f114eed46bbd0fae165e42be2528a401c3b28fd818ef3232dca9f4d2a0f5166ec59c42396d6c11dbc1215a56fa17169db9575343ef34f9de32a49cdc3174922f229c23e18e45df9353119ec4319cedce7a17c64088c1f6f52be29634100b3919d38f3d1ed94e6891e66a73b8fb849f5874df59459e298c7bbce2eee782a195aa66fe2d0732b25e595f57d3e061b1fc3e4063bf98f\n\nPrivateKey = RSA-OAEP-1\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818100a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb020301000102818053339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf119517ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d65a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1024100d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c2f26a471dcad212eac7ca39d024100cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb33d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af72bfe9a030e860b0288b5d7702400e12bf1718e9cef5599ba1c3882fe8046a90874eefce8f2ccc20e4f2741fb0a33a3848aec9c9305fbecbd2d76819967d4671acc6431e4037968db37878e695c102410095297b0f95a2fa67d00707d609dfd4fc05c89dafc2ef6d6ea55bec771ea333734d9251e79082ecda866efef13c459e1a631386b7e354c899f5f112ca85d7158302404f456c502493bdc0ed2ab756a3a6ed4d67352a697d4216e93212b127a63d5411ce6fa98d5dbefd73263e3728142743818166ed7dd63687dd2a8ca1d2f4fbd8e1\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a\nOutput = 6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44\nOutput = 750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb\nOutput = d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755\nOutput = 52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439\nOutput = 8da89fd9e5f974a29feffb462b49180f6cf9e802\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 42cee2617b1ecea4db3f4829386fbd61dafbf038e180d837c96366df24c097b4ab0fac6bdf590d821c9f10642e681ad05b8d78b378c0f46ce2fad63f74e0ad3df06b075d7eb5f5636f8d403b9059ca761b5c62bb52aa45002ea70baace08ded243b9d8cbd62a68ade265832b56564e43a6fa42ed199a099769742df1539e8255\nOutput = 26521050844271\n\nPrivateKey = RSA-OAEP-2\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818101947c7fce90425f47279e70851f25d5e62316fe8a1df19371e3e628e260543e4901ef6081f68c0b8141190d2ae8daba7d1250ec6db636e944ec3722877c7c1d0a67f14b1694c5f0379451a43e49a32dde83670b73da91a1c99bc23b436a60055c610f0baf99c1a079565b95a3f1526632d1d4da60f20eda25e653c4f002766f4502030100010281800823f20fadb5da89088a9d00893e21fa4a1b11fbc93c64a3be0baaea97fb3b93c3ff713704c19c963c1d107aae99054739f79e02e186de86f87a6ddefea6d8ccd1d3c81a47bfa7255be20601a4a4b2f08a167b5e279d715b1b455bdd7eab245941d9768b9acefb3ccda5952da3cee72525b4501663a8ee15c9e992d92462fe3902410159dbde04a33ef06fb608b80b190f4d3e22bcc13ac8e4a081033abfa416edb0b338aa08b57309ea5a5240e7dc6e54378c69414c31d97ddb1f406db3769cc41a430241012b652f30403b38b40995fd6ff41a1acc8ada70373236b7202d39b2ee30cfb46db09511f6f307cc61cc21606c18a75b8a62f822df031ba0df0dafd5506f568bd70240436ef508de736519c2da4c580d98c82cb7452a3fb5efadc3b9c7789a1bc6584f795addbbd32439c74686552ecb6c2c307a4d3af7f539eec157248c7b31f1a2550241012b15a89f3dfb2b39073e73f02bdd0c1a7b379dd435f05cdde2eff9e462948b7cec62ee9050d5e0816e0785a856b49108dcb75f3683874d1ca6329a19013066ff02400270db17d5914b018d76118b24389a7350ec836b0063a21721236fd8edb6d89b51e7eeb87b611b7132cb7ea7356c23151c1e7751507c786d9ee1794170a8c8e8\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0181af8922b9fcb4d79d92eb",
- "e19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e\nOutput = 8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245\nOutput = 2d\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053\nOutput = 74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641\nOutput = a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec\nOutput = 2ef2b066f854c33f3bdcbb5994a435e73d6c6c\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 010839ec20c27b9052e55befb9b77e6fc26e9075d7a54378c646abdf51e445bd5715de81789f56f1803d9170764a9e93cb78798694023ee7393ce04bc5d8f8c5a52c171d43837e3aca62f609eb0aa5ffb0960ef04198dd754f57f7fbe6abf765cf118b4ca443b23b5aab266f952326ac4581100644325f8b721acd5d04ff14ef3a\nOutput = 8a7fb344c8b6cb2cf2ef1f643f9a3218f6e19bba89c0\n\nPrivateKey = RSA-OAEP-3\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d02010002818102b58fec039a860700a4d7b6462f93e6cdd491161ddd74f4e810b40e3c1652006a5c277b2774c11305a4cbab5a78efa57e17a86df7a3fa36fc4b1d2249f22ec7c2dd6a463232accea906d66ebe80b5704b10729da6f833234abb5efdd4a292cbfad33b4d33fa7a14b8c397b56e3acd21203428b77cdfa33a6da706b3d8b0fc43e9020301000102818015b48a5b5683a94670e23b5718f814fa0e13f85038f50711182cba61510581f3d22c7e232ef937e22e551d68b86e2f8cb1aad8be2e488f5df7efd279e3f568d4eaf36f80cf7141ace60fcc9113fb6c4a841fd50bbc7c512ffcbeff21487aa811eb3ca8c62005346a86de86bfa1d8a948fd3f348c22eaadf333c3ce6ce13208fd024101bf01d216d73595cf0270c2beb78d40a0d8447d31da919a983f7eea781b77d85fe371b3e9373e7b69217d3150a02d8958de7fad9d555160958b4454127e0e7eaf0241018d3399658166db3829816d7b295416759e9c91987f5b2d8aecd63b04b48bd7b2fcf229bb7f8a6dc88ba13dd2e39ad55b6d1a06160708f9700be80b8fd3744ce7024006c0a249d20a6f2ee75c88b494d53f6aae99aa427c88c28b163a769445e5f390cf40c274fd6ea6329a5ce7c7ce03a2158396ee2a7845786e09e2885a9728e4e5024100d1d27c29fedd92d86c348edd0ccbfac14f746e051ce1d1811df35d61f2ee1c97d4bf2804802f6427187ba8e90a8af44243b4079b03445e602e29fa5193e64fe90241008cb2f756bd8941b1d3b770e5ad31ee373b28acda69ff9b6f40fe578b9f1afb85836f9627d37acff73c2779e634bb26011c2c8f7f3361ae2a9ea65ed689e3639a\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80\nOutput = 087820b569e8fa8d\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5\nOutput = 4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a\nOutput = d94cd0e08fa404ed89\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0\nOutput = 6cc641b6b61e6f963974dad23a9013284ef1\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60\nOutput = df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00112051e75d064943bc4478075e43482fd59cee0679de6893eec3a943daa490b9691c93dfc0464b6623b9f3dbd3e70083264f034b374f74164e1a00763725e574744ba0b9db83434f31df96f6e2a26f6d8eba348bd4686c2238ac07c37aac3785d1c7eea2f819fd91491798ed8e9cef5e43b781b0e0276e37c43ff9492d005730\nOutput = 3c3bad893c544a6d520ab022319188c8d504b7a788b850903b85972eaa18552e1134a7ad6098826254ff7ab672b3d8eb3158fac6d4cbaef1\n\nPrivateKey = RSA-OAEP-4\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d020100028181051240b6cc0004fa48d0134671c078c7c8dec3b3e2f25bc2564467339db38853d06b85eea5b2de353bff42ac2e46bc97fae6ac9618da9537a5c8f553c1e357625991d6108dcd7885fb3a25413f53efcad948cb35cd9b9ae9c1c67626d113d57dde4c5bea76bb5bb7de96c00d07372e9685a6d75cf9d239fa148d70931b5f3fb03902030100010281800411ffca3b7ca5e9e9be7fe38a85105e353896db05c5796aecd2a725161eb3651c8629a9b862b904d7b0c7b37f8cb5a1c2b54001018a00a1eb2cafe4ee4e9492c348bc2bedab4b9ebbf064e8eff322b9009f8eec653905f40df88a3cdc49d4567f75627d41aca624129b46a0b7c698e5e65f2b7ba102c749a10135b6540d04010241027458c19ec1636919e736c9af25d609a51b8f561d19c6bf6943dd1ee1ab8a4a3f232100bd40b88decc6ba235548b6ef792a11c9de823d0a7922c7095b6eba570102410210ee9b33ab61716e27d251bd465f4b35a1a232e2da00901c294bf22350ce490d099f642b5375612db63ba1f20386492bf04d34b3c22bceb909d13441b53b5139024039fa028b826e88c1121b750a8b242fa9a35c5b66bdfd1fa637d3cc48a84a4f457a194e7727e49f7bcc6e5a5a412657fc470c7322ebc37416ef458c307a8c09010241015d99a84195943979fa9e1be2c3c1b69f432f46fd03e47d5befbbbfd6b1d1371d83efb330a3e020942b2fed115e5d02be24fd92c9019d1cecd6dd4cf1e54cc899024101f0b7015170b3f5e42223ba30301c41a6d87cbb70e30cb7d3c67d25473db1f6cbf03e3f9126e3e97968279a865b2c2b426524cfc52a683d31ed30eb984be412ba\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8\nOutput = 4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e\nOutput = b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0301f935e9c47abcb48acbbe09895d",
- "9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065\nOutput = bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4\nOutput = fb2ef112f5e766eb94019297934794f7be2f6fc1c58e\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2\nOutput = 28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a5ffa4768c8bbecaee2db77e8f2eec99595933545520835e5ba7db9493d3e17cddefe6a5f567624471908db4e2d83a0fbee60608fc84049503b2234a07dc83b27b22847ad8920ff42f674ef79b76280b00233d2b51b8cb2703a9d42bfbc8250c96ec32c051e57f1b4ba528db89c37e4c54e27e6e64ac69635ae887d9541619a9\nOutput = f22242751ec6b1\n\nPrivateKey = RSA-OAEP-5\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281810aadf3f9c125e5d891f31ac448e993defe580f802b45f9d7f22ba5021e9c47576b5a1e68031ba9db4e6dabe4d96a1d6f3d267268cff408005f118efcadb99888d1c234467166b2a2b849a05a889c060ac0da0c5fae8b55f309ba62e703742fa0326f2d10b011021489ff497770190d895fd39f52293c39efd73a698bdab9f10ed902030100010281810256eb4cba7067f2d2be540dcdff4582a36b7d31d1c9099bb214b79848466a268f80f58a49ac04c0e3648934a0206c04537c19b236643a6082732144df75fa217588f794682be89168276dc726c5c0cbdb84d31bbf26d0a43af495717f7d528acfee341561f6ff3cae05c578f8470d9682f9c0d072f9f6068b56d5880f682be2c5024103b0d3962f6d17549cbfca11294348dcf0e7e39f8c2bc6824f2164b606d687860dae1e632393cfedf513228229069e2f60e4acd7e633a436063f82385f48993707024102e4c32e2f517269b7072309f00c0e31365f7ce28b236b82912df239abf39572cf0ed604b02982e53564c52d6a05397de5c052a2fddc141ef7189836346aeb331f024101e84b119d25161fa67b00256a5bd9b645d2b232ecb05b015180029a88622adc3f09b3aeacde6161ab7cde22c2ad26e7797df54e072cbd3b2673800b3e4338dbd5024100eb90aa1a40135b4cea07197cedc8819be1e7cbff2547662116f465a4a9f487ab12f3ba4fef13822265a65297d98b7bded9372e3ffe81a38b3e9600fed055754f0241012f7f8138f9404062eb85a42924520b38f5bb886a0196f48bb8dcea60fd92cc027f18e78158a34a5c5d5f860a0f6c04071a7d01312c065062f1eb48b79d1c83cb\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5\nOutput = af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad\nOutput = a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967\nOutput = 308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf\nOutput = 15c5b9ee1185\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723\nOutput = 21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 08c36d4dda33423b2ed6830d85f6411ba1dcf470a1fae0ebefee7c089f256cef74cb96ea69c38f60f39abee44129bcb4c92de7f797623b20074e3d9c2899701ed9071e1efa0bdd84d4c3e5130302d8f0240baba4b84a71cc032f2235a5ff0fae277c3e8f9112bef44c9ae20d175fc9a4058bfc930ba31b02e2e4f444483710f24a\nOutput = 541e37b68b6c8872b84c02\n\nPrivateKey = RSA-OAEP-6\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f02010002818112b17f6dad2ecd19ff46dc13f7860f09e0e0cfb677b38a52592305ceaf022c166db90d04ac29e33f7dd12d9faf66e0816bb63ead267cc7d46c17c37be214bca2a22d723a64e44407436b6fc965729aefc2554f376cd5dcea68293780a62bf39d0029485a160bbb9e5dc0972d21a504f52e5ee028aa416332f510b2e9cff5f722af02030100010281810295eca3560618369559cecd303aa9cfdafc1d9f06959df75ffef929aa896961bcd190dc6997eda7f5963e724d07b4dc11f3065e5ae97d96835112280b9084bb14f2a21ebd4e889d41b9c4132ec1956fcab8bb2fed0575884936522c5ff7d33261904824e7cadee4e0bb372d2457cf78e2bd1286228ff83f10731ce63c90cff3f9024104a6ce8b7358dfa69bdcf742617005afb5385f5f3a58a24ef74a22a8c05cb7cc38ebd4cc9d9a9d789a62cd0f60f0cb941d3423c9692efa4fe3adff290c4749a38b02410404c9a803371fedb4c5be39f3c00b009e5e08a63be1e40035cdaca5011cc701cf7eebcb99f0ffe17cfd0a4bf7befd2dd536ac946db797fdbc4abe8f29349b91ed024103961c8f760aa2bd5154c7aafd77225b3bacd0139ae7b5948ea3311fccd86fb95c75afa767284b9b2de559572f15d8d044c7eb83a1be5fadf2cc377c0d8475294b0241022197e066742196aabc03fa2feeb4e70b15cb787d617acd31bb75c7bc234ad706f7c48d2182d1f0ff9c228dcf41967b6c0ba6d2c0ad110a1b857831ec245e2cb102410401c4c0c53d45dbdb5e9d96d0fecf4275df0974bc4a0736b4a74c3269053efb686ace2406e22c9e058ddb4ae540627ae2fdb08261e8e7e4bcbc994daafa305c45\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3\nOutput = 4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f\nOutput = 5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65\nOutput = b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8\nOutput = 684e3038c5c041f7\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMG",
- "F1Digest = SHA1\nInput = 00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab\nOutput = 32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a026dda5fc8785f7bd9bf75327b63e85e2c0fdee5dadb65ebdcac9ae1de95c92c672ab433aa7a8e69ce6a6d8897fac4ac4a54de841ae5e5bbce7687879d79634cea7a30684065c714d52409b928256bbf53eabcd5231eb7259504537399bd29164b726d33a46da701360a4168a091ccab72d44a62fed246c0ffea5b1348ab5470\nOutput = 50ba14be8462720279c306ba\n\nPrivateKey = RSA-OAEP-7\nType = RSA\nInput = 30820278020100300d06092a864886f70d0101010500048202623082025e020100028181311179f0bcfc9b9d3ca315d00ef30d7bdd3a2cfae9911bfedcb948b3a4782d0732b6ab44aa4bf03741a644dc01bec3e69b01a033e675d8acd7c4925c6b1aec3119051dfd89762d215d45475ffcb59f908148623f37177156f6ae86dd7a7c5f43dc1e1f908254058a284a5f06c0021793a87f1ac5feff7dcaee69c5e51a3789e3730203010001028181070cfcff2feb8276e27432c45dfee48f49b7917d6530e1f0ca3460f32e0276174487c56e22a45d2500d7775495219d7d165a9cf3bd92c32af9a98d8dc9cc296800adc94a0a54fb40f34291bf84ee8ea12b6f109359c6d3542a50f9c767f5cfff05a681c2e656fb77caaadb4be9468d8abcd4df98f58e86d2053fa1349f748e21b102410749262c111cd470ec2566e6b3732fc09329469aa19071d3b9c01906514c6f1d26baa14beab0971c8b7e611a4f79009d6fea776928ca25285b0de3643d1a3f8c71024106bc1e50e96c02bf636e9eea8b899bbebf7651de77dd474c3e9bc23bad8182b61904c7d97dfbebfb1e00108878b6e67e415391d67942c2b2bf9b4435f88b0cb023024103bc7ea7f0aab143abc6ce8b97118636a30172e4cfe02c8fa0dda3b7baaf90f8092982985525f488bdfcb4bd726e22639ac64a3092ab7ffcbf1d5334cfa50b5bf102410262a6aa29c2a3c67dc5346c06381afd987aa3cc93cfbfecf54fdd9f9d787d7f59a523d398979da137a2f6381fe94801f7c94da21518dc34cb40870c4697994ad90240649d4c17b6ee1721e772d0389a559c3d3cdf9550d457c46b037b74641b1d52166af8a213c8396206cdfba4422f18d6f61dbcb5d214c971bf482aeb976a7370c2\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1\nOutput = 47aae909\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6\nOutput = 1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b\nOutput = d976fc\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac\nOutput = d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478\nOutput = bb47231ca5ea1d3ad46c99345d9a8a61\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 14c678a94ad60525ef39e959b2f3ba5c097a94ff912b67dbace80535c187abd47d075420b1872152bba08f7fc31f313bbf9273c912fc4c0149a9b0cfb79807e346eb332069611bec0ff9bcd168f1f7c33e77313cea454b94e2549eecf002e2acf7f6f2d2845d4fe0aab2e5a92ddf68c480ae11247935d1f62574842216ae674115\nOutput = 2184827095d35c3f86f600e8e59754013296\n\nPrivateKey = RSA-OAEP-8\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281815bdf0e30d321dda5147f882408fa69195480df8f80d3f6e8bf5818504f36427ca9b1f5540b9c65a8f6974cf8447a244d9280201bb49fcbbe6378d1944cd227e230f96e3d10f819dcef276c64a00b2a4b6701e7d01de5fabde3b1e9a0df82f4631359cd22669647fbb1717246134ed7b497cfffbdc42b59c73a96ed90166212dff702030100010281810f7d1e9e5aaa25fd13e4a0663ae144e0d15f5cd18bcdb09df2cc7e64e3c5e915ad62645304161d098c715bb7ab8bd01d07eaf3fed7c7ed08af2a8a62ef44ab16b320e14af72a48f96afe262a0ae4cf65e635e910790cd4ee5cea768a4b2639f7e6f677b3f0bb6be32b75747d8909036f0264f58d401cdba131716157a75ecf633102410a02ef8448d9fad8bbd0d004c8c2aa9751ef9721c1b0d03236a54b0df947cbaed5a255ee9e8e20d491ea1723fe094704a9762e88afd16ebb5994412ca966dc4f9f0241092d362e7ed3a0bfd9e9fd0e6c0301b6df29159cf50cc83b9b0cf4d6eea71a61e002b46e0ae9f2de62d25b5d7452d498b81c9ac6fc58593d4c3fb4f5d72dfbb0a9024107c71410af103962db367404e37ae850baa4e9c29dd92145815294a67c7d1c6ded263aa030a9b633ae50303e14035d1af014123eba687820308d8ebc85b6957d7d024100ae2c75380c02c016ad05891b3301de881f28ae1171182b6b2c83bea7c515eca9ca298c7b1cab5817a597068fc85060de4da8a016378aae43c7f967bcc37904b902410598d1059e3ada4f6320752c09d805ff7d1f1ae0d017aeeee9cefa0d7dd7ff775e44b578322f6405d6211da19519666aa87fdc4cd8c88f6b6e3d67e961dcbba3d0\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61\nOutput = 050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d\nOutput = 4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f\nOutput = 8604ac56328c1ab5ad917861\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0\nOutput = fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2\nOutput = 4a5f4914bee25de3c69341de07\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 3afd9c6600147b21798d818c655a0f4c9212db26d0b0dfdc2a7594ccb3d22f5bf1d7c3e112cd73fc7d509c7a8bafdd3c274d1399009f9609ec4be6477e453f075aa33db382870c1c3409aef392d7386ae3a696b99a94b4da0589447e955d16c98b17602a59bd736279fcd8fb280c4462d590bfa9bf13fed570eafde97330a2c210\nOutput = 8e07d66f7b880a72563abcd3f35092bc33409fb7f88f2472be\n\nPrivateKey = RSA-OAEP-9\nType = RSA\nInput = 30820397020100300d06092a864886f70d0101010500048203813082037d0201000281c100cf2cd41e34ca3a728ea5cb8aff64c36d27bdef5364e336",
- "fd68d3123c5a196a8c287013e853d5156d58d151954520fb4f6d7b17abb6817765909c576119659d902b1906ed8a2b10c155c24d124528dab9eeae379beac66e4a411786dcb8fd0062ebc030de1219a04c2a8c1b7dd3131e4d6b6caee2e31a5ed41ac1509b2ef1ee2ab18364be568ca941c25ecc84ff9d643b5ec1aaae102a20d73f479b780fd6da91075212d9eac03a0674d899eba2e431f4c44b615b6ba2232bd4b33baed73d625d02030100010281c0198c141e23715a92bccf6a119a5bc11389468d2811f548d727e17b4ab0eb986d6f211efb53b71f7ccbea87ee69c75ee615008c5332deb52bf390abdfbfe37d7205368159b2638c1de326e21d22251f0fb5848b3bf15005d2a74330f0afe916ee62ccc1344d1d83a709e60676273840f7f377424a5e0a4da75f01b31ff76819cf9cbfdd215243c3917c03ef38199312e567b3bf7aed3ab457f371ef8a1423f45b68c6e282ec111bba2833b987fd69fad83bc1b8c613c5e1ea16c11ed125ea7ec1026100fc8d6c04bec4eb9a8192ca7900cbe536e2e8b519decf33b2459798c6909df4f176db7d23190fc72b8865a718af895f1bcd9145298027423b605e70a47cf58390a8c3e88fc8c48e8b32e3da210dfbe3e881ea5674b6a348c21e93f9e55ea65efd026100d200d45e788aacea606a401d0460f87dd5c1027e12dc1a0d7586e8939d9cf789b40f51ac0442961de7d21cc21e05c83155c1f2aa9193387cfdf956cb48d153ba270406f9bbba537d4987d9e2f9942d7a14cbfffea74fecdda928d23e259f5ee1026100db16802f79a2f0d45f358d69fd33e44b81fae828622e93a54253e997d01b0743759da0e812b4aa4e6c8beab2328d5431955a418a67ff26a8c5c807a5da354e05ef31cc8cf758f463732950b03e265726fb94e39d6a572a26244ab08db75752ad026100a0a317cfe7df1423f87a6dee8451f4e2b4a67e5497f29b4f1e4e830b9fadd9401167026f5596e5a39c97817e0f5f16e27e19ec9902e01d7ea6fb9aa3c760afee1e381b69de6ac9c07585a06ad9c4ba00bf75c8ad2fa898a479e80ae294fed2a102600b21f335c353342eb44c3aa24445780c2d655b940174cae38c7c8a4e6493c0ba9fd303748267b083b9a7a6cb61e42db362b8c9896db7064e02ad5ae61587da15b4649c90594909feb37dbcb654beb7268ec801e5a8b4aa3911bebd88542f05be\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72\nOutput = f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8\nOutput = 81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3\nOutput = fd326429df9b890e09b54b18b8f34f1e24\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858\nOutput = f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e\nOutput = 53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 438cc7dc08a68da249e42505f8573ba60e2c2773d5b290f4cf9dff718e842081c383e67024a0f29594ea987b9d25e4b738f285970d195abb3a8c8054e3d79d6b9c9a8327ba596f1259e27126674766907d8d582ff3a8476154929adb1e6d1235b2ccb4ec8f663ba9cc670a92bebd853c8dbf69c6436d016f61add836e94732450434207f9fd4c43dec2a12a958efa01efe2669899b5e604c255c55fb7166de5589e369597bb09168c06dd5db177e06a1740eb2d5c82faeca6d92fcee9931ba9f\nOutput = b6b28ea2198d0c1008bc64\n\nPrivateKey = RSA-OAEP-10\nType = RSA\nInput = 308204bd020100300d06092a864886f70d0101010500048204a7308204a30201000282010100ae45ed5601cec6b8cc05f803935c674ddbe0d75c4c09fd7951fc6b0caec313a8df39970c518bffba5ed68f3f0d7f22a4029d413f1ae07e4ebe9e4177ce23e7f5404b569e4ee1bdcf3c1fb03ef113802d4f855eb9b5134b5a7c8085adcae6fa2fa1417ec3763be171b0c62b760ede23c12ad92b980884c641f5a8fac26bdad4a03381a22fe1b754885094c82506d4019a535a286afeb271bb9ba592de18dcf600c2aeeae56e02f7cf79fc14cf3bdc7cd84febbbf950ca90304b2219a7aa063aefa2c3c1980e560cd64afe779585b6107657b957857efde6010988ab7de417fc88d8f384c4e6e72c3f943e0c31c0c4a5cc36f879d8a3ac9d7d59860eaada6b83bb020301000102820100056b04216fe5f354ac77250a4b6b0c8525a85c59b0bd80c56450a22d5f438e596a333aa875e291dd43f48cb88b9d5fc0d499f9fcd1c397f9afc070cd9e398c8d19e61db7c7410a6b2675dfbf5d345b804d201add502d5ce2dfcb091ce9997bbebe57306f383e4d588103f036f7e85d1934d152a323e4a8db451d6f4a5b1b0f102cc150e02feee2b88dea4ad4c1baccb24d84072d14e1d24a6771f7408ee30564fb86d4393a34bcf0b788501d193303f13a2284b001f0f649eaf79328d4ac5c430ab4414920a9460ed1b7bc40ec653e876d09abc509ae45b525190116a0c26101848298509c1c3bf3a483e7274054e15e97075036e989f60932807b5257751e7902818100ecf5aecd1e5515fffacbd75a2816c6ebf49018cdfb4638e185d66a7396b6f8090f8018c7fd95cc34b857dc17f0cc6516bb1346ab4d582cadad7b4103352387b70338d084047c9d9539b6496204b3dd6ea442499207bec01f964287ff6336c3984658336846f56e46861881c10233d2176bf15a5e96ddc780bc868aa77d3ce76902818100bc46c464fc6ac4ca783b0eb08a3c841b772f7e9b2f28babd588ae885e1a0c61e4858a0fb25ac299990f35be85164c259ba1175cdd7192707135184992b6c29b746dd0d2cabe142835f7d148cc161524b4a09946d48b828473f1ce76b6cb6886c345c03e05f41d51b5c3a90a3f24073c7d74a4fe25d9cf21c75960f3fc386318302818100c73564571d00fb15d08a3de9957a50915d7126e9442dacf42bc82e862e5673ff6a008ed4d2e374617df89f17a160b43b7fda9cb6b6b74218609815f7d45ca263c159aa32d272d127faf4bc8ca2d77378e8aeb19b0ad7da3cb3de0ae7314980f62b6d4b0a875d1df03c1bae39ccd833ef6cd7e2d9528bf084d1f969e794e9f6c10281802658b37f6df9c1030be1db68117fa9d87e39ea2b693b7e6d3a2f70947413eec6142e18fb8dfcb6ac545d7c86a0ad48f8457170f0efb26bc48126c53efd1d16920198dc2a1107dc282db6a80cd3062360ba3fa13f70e4312ff1a6cd6b8fc4cd9c5c3db17c6d6a57212f73ae29f619327bad59b153858585ba4e28b60a62a45e490281806f38526b3925085534ef3e415a836ede8b86158a2c7cbfeccb0bd834304fec683ba8d4f479c433d43416e63269623cea100776d85aff401d3fff610ee65411ce3b1363d63a9709eede42647cea561493d54570a879c18682cd97710b96205ec31117d73b5f36223fadd6e8ba90dd7c0ee61d44e163251e20c7f66eb305117cb8\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 53ea5dc08cd260fb3b858567287fa91552c30b2febfba213f0ae87702d068d19bab07fe574523dfb42139d68c3c5afeee0bfe4cb7969cbf382b804d6e61396144e2d0e60741f8993c3014b58b9b1957a8babcd23af854f4c356fb1662aa72bfcc7e586559dc4280d160c126785a723ebeebeff71f11594440aaef87d10793a8774a239d4a04c87fe1467b9daf85208ec6c7255794a96cc29142f9a8bd418e3c1fd67344b0cd0829df3b2bec60253196293c6b34d3f75d32f213dd45c6273d505adf4cced1057cb758fc26aeefa441255ed4e64c199ee075e7f16646182fdb464739b68ab5daff0e63e9552016824f054bf4d3c8c90a97bb6b6553284eb429fcc\nOutput = 8bba6bf82a6c0f86d5f1756e97956870b08953b06b4eb205bc1694ee\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = a2b1a430a9d657e2fa1c",
- "2bb5ed43ffb25c05a308fe9093c01031795f5874400110828ae58fb9b581ce9dddd3e549ae04a0985459bde6c626594e7b05dc4278b2a1465c1368408823c85e96dc66c3a30983c639664fc4569a37fe21e5a195b5776eed2df8d8d361af686e750229bbd663f161868a50615e0c337bec0ca35fec0bb19c36eb2e0bbcc0582fa1d93aacdb061063f59f2ce1ee43605e5d89eca183d2acdfe9f81011022ad3b43a3dd417dac94b4e11ea81b192966e966b182082e71964607b4f8002f36299844a11f2ae0faeac2eae70f8f4f98088acdcd0ac556e9fccc511521908fad26f04c64201450305778758b0538bf8b5bb144a828e629795\nOutput = e6ad181f053b58a904f2457510373e57\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 9886c3e6764a8b9a84e84148ebd8c3b1aa8050381a78f668714c16d9cfd2a6edc56979c535d9dee3b44b85c18be8928992371711472216d95dda98d2ee8347c9b14dffdff84aa48d25ac06f7d7e65398ac967b1ce90925f67dce049b7f812db0742997a74d44fe81dbe0e7a3feaf2e5c40af888d550ddbbe3bc20657a29543f8fc2913b9bd1a61b2ab2256ec409bbd7dc0d17717ea25c43f42ed27df8738bf4afc6766ff7aff0859555ee283920f4c8a63c4a7340cbafddc339ecdb4b0515002f96c932b5b79167af699c0ad3fccfdf0f44e85a70262bf2e18fe34b850589975e867ff969d48eabf212271546cdc05a69ecb526e52870c836f307bd798780ede\nOutput = 510a2cf60e866fa2340553c94ea39fbc256311e83e94454b4124\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 6318e9fb5c0d05e5307e1683436e903293ac4642358aaa223d7163013aba87e2dfda8e60c6860e29a1e92686163ea0b9175f329ca3b131a1edd3a77759a8b97bad6a4f8f4396f28cf6f39ca58112e48160d6e203daa5856f3aca5ffed577af499408e3dfd233e3e604dbe34a9c4c9082de65527cac6331d29dc80e0508a0fa7122e7f329f6cca5cfa34d4d1da417805457e008bec549e478ff9e12a763c477d15bbb78f5b69bd57830fc2c4ed686d79bc72a95d85f88134c6b0afe56a8ccfbc855828bb339bd17909cf1d70de3335ae07039093e606d655365de6550b872cd6de1d440ee031b61945f629ad8a353b0d40939e96a3c450d2a8d5eee9f678093c8\nOutput = bcdd190da3b7d300df9a06e22caae2a75f10c91ff667b7c16bde8b53064a2649a94045c9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 75290872ccfd4a4505660d651f56da6daa09ca1301d890632f6a992f3d565cee464afded40ed3b5be9356714ea5aa7655f4a1366c2f17c728f6f2c5a5d1f8e28429bc4e6f8f2cff8da8dc0e0a9808e45fd09ea2fa40cb2b6ce6ffff5c0e159d11b68d90a85f7b84e103b09e682666480c657505c0929259468a314786d74eab131573cf234bf57db7d9e66cc6748192e002dc0deea930585f0831fdcd9bc33d51f79ed2ffc16bcf4d59812fcebcaa3f9069b0e445686d644c25ccf63b456ee5fa6ffe96f19cdf751fed9eaf35957754dbf4bfea5216aa1844dc507cb2d080e722eba150308c2b5ff1193620f1766ecf4481bafb943bd292877f2136ca494aba0\nOutput = a7dd6c7dc24b46f9dd5f1e91ada4c3b3df947e877232a9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2d207a73432a8fb4c03051b3f73b28a61764098dfa34c47a20995f8115aa6816679b557e82dbee584908c6e69782d7deb34dbd65af063d57fca76a5fd069492fd6068d9984d209350565a62e5c77f23038c12cb10c6634709b547c46f6b4a709bd85ca122d74465ef97762c29763e06dbc7a9e738c78bfca0102dc5e79d65b973f28240caab2e161a78b57d262457ed8195d53e3c7ae9da021883c6db7c24afdd2322eac972ad3c354c5fcef1e146c3a0290fb67adf007066e00428d2cec18ce58f9328698defef4b2eb5ec76918fde1c198cbb38b7afc67626a9aefec4322bfd90d2563481c9a221f78c8272c82d1b62ab914e1c69f6af6ef30ca5260db4a46\nOutput = eaf1a73a1b0c4609537de69cd9228bbcfb9a8ca8c6c3efaf056fe4a7f4634ed00b7c39ec6922d7b8ea2c04ebac\n\n\n# Single-shot signing tests.\n\nSignMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048-SPKI\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = P-256\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 304502204c66004635c267394bd6857c1e0b53b22a2bab1ca7dff9d5c1b42143858b3ea7022100ae81228510e03cd49a8863d2ebd1c05fe0c87eacd1150433132b909994cd0dbd\n\n# Digest can't be omitted in many algorithms.\nSignMessage = RSA-2048\nInput = \"Hello world\"\nError = NO_DEFAULT_DIGEST\n\nVerifyMessage = RSA-2048\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\nError = NO_DEFAULT_DIGEST\n\n# Signing test vectors from RFC 8032.\nSignMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nSignMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nSignMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nSignMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496af",
- "c5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nSignMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Signing with public keys is not allowed.\nSignMessage = Ed25519-SPKI\nInput = \"\"\nError = NOT_A_PRIVATE_KEY\n\n# Verify test vectors from RFC 8032. Test verifying with both the public and\n# private key.\nVerifyMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-SPKI-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-SPKI-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-SPKI-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\nVerifyMessage = Ed25519-SPKI-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Length is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a10\nError = INVALID_SIGNATURE\n\n# Message is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"Hello world\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = INVALID_SIGNATURE\n\n# Ed25519 does not support configuring a digest.\nSignMessage = Ed25519\nInput = \"\"\nDigest = SHA256\nError = COMMAND_NOT_SUPPORTED\n\n# Ed25519 does not support signing a pre-hashed value.\nSign = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n\nVerify = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n",
+ "bbf58\nError = LAST_OCTET_INVALID\n\n# Non-zero salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 32\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, wrong salt length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = 31\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\nError = SLEN_CHECK_FAILED\n\n# Non-zero salt length, match hash length.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -1\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n# Non-zero salt length, auto-detected.\nVerify = RSA-2048-SPKI\nRSAPadding = PSS\nPSSSaltLength = -2\nDigest = SHA256\nInput = \"0123456789ABCDEF0123456789ABCDEF\"\nOutput = 4065b284b0a6e98d4c41a8427007f878d8dd61599c87764fa79b8bf03f030c48127a4b1a5af5a6e0cf9055e57a1f47e5b0c0d8c600e78369cf1c39374899fac91a812692aa2216ba10900ce85a5cf7fddcafb726e4b83479c5bb7b3b84b08ffe183b4c2973aa3193ec7b7d4ea73bf1b579c6657b78ad7800e1975a4838c28ffe353fafef96be27b5c69677760a71b6f4df65ba6fe6b3565580a536f966928294c6e9ece807a90c1477779bcbfa3a250e98d685097c162c1c8c56ab02bd2e16eec7a019b51c067bdba7fa8cd5460796e22c607a8b6d12e1deb9be51c6943c46590f416800c48bb4cbb8c409d316573e59eadf7d3b9e6e5c2d0e570692e511e139\n\n\n# RSA decrypt\n\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a78\nOutput = \"Hello World\"\n\n# Corrupted ciphertext\nDecrypt = RSA-2048\nInput = 550af55a2904e7b9762352f8fb7fa235a9cb053aacb2d5fcb8ca48453cb2ee3619746c701abf2d4cc67003471a187900b05aa812bd25ed05c675dfc8c97a24a7bf49bd6214992cad766d05a9a2b57b74f26a737e0237b8b76c45f1f226a836d7cfbc75ba999bdbe48dbc09227aa46c88f21dccba7840141ad5a5d71fd122e6bd6ac3e564780dfe623fc1ca9b995a6037bf0bbd43b205a84ac5444f34202c05ce9113087176432476576de6ffff9a52ea57c08be3ec2f49676cb8e12f762ac71fa3c321e00ac988910c85ff52f93825666ce0d40ffaa0592078919d4493f46d95ccf76364c6d57760dd0b64805f9afc76a2365a5575ca301d5103f0ea76cb9a79\nError = PKCS_DECODING_ERROR\n\n# OAEP padding\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5af\nOutput = \"Hello World\"\n\n# OAEP padding with label and custom hash.\nDecrypt = RSA-2048\nRSAPadding = OAEP\nOAEPDigest = SHA512\nOAEPLabel = 00112233445566778899aabbccddeeff\nInput = 48b956c22b8e40cc38f0893672ddf488fc806cf1fcc6239c66dd8345eb543d6b5cac589e6c7ae86dac1c2436c4d72c48009a737b2c649e6000dbab17203e4d9c078bd70b649700a0830d4ddc396af0c48973177a229e48259d93247f04f76474c7611b530c66f020c4da2cc861c2e4104831ecc0336e0cb10d6520fdefd0b33606f5cdd736dd439583b9b6011cce99623c93caf5f76e21e9fefab414795dd5ac12cba551be74ebf266834fcffab182c5e7c9b6c064df154cb26ddfd4fe2fd87590005f4bf45e776a0082803e9f68995b8eeb4c6802c67b5ef349e5b2dc0cf7a12fc097030f2bd28f0253f17129b04c82993a12957728b35880fdd2f8d0cc469f\nOutput = \"Hello World\"\n\n# OAEP padding, corrupted ciphertext\nDecrypt = RSA-2048\nRSAPadding = OAEP\nInput = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5ac\nError = OAEP_DECODING_ERROR\n\n\n# EC tests\n\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\nVerify = P-256-SPKI\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\n\n# Digest too long\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF12345\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest too short\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF123\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Digest invalid\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1235\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8\nError = BAD_SIGNATURE\n\n# Invalid signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec7\nError = BAD_SIGNATURE\n\n# Garbage after signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec800\nError = BAD_SIGNATURE\n\n# BER signature\nVerify = P-256\nDigest = SHA1\nInput = \"0123456789ABCDEF1234\"\nOutput = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000\nError = BAD_SIGNATURE\n\n\n# Additional RSA-PSS and RSA-OAEP tests converted from\n# ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip\n\nPublicKey = RSA-PSS-1\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818100a56e4a0e701017589a5187dc7ea841d156f2ec0e36ad52a44dfeb1e61f7ad991d8c51056ffedb162b4c0f283a12a88a394dff526ab7291cbb307ceabfce0b1dfd5cd9508096d5",
+ "b2b8b6df5d671ef6377c0921cb23c270a70e2598e6ff89d19f105acc2d3f0cb35f29280e1386b6f64c4ef22e1e1f20d0ce8cffb2249bd9a21370203010001\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = cd8b6538cb8e8de566b68bd067569dbf1ee2718e\nOutput = 9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd\nOutput = 3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0652ec67bcee30f9d2699122b91c19abdba89f91\nOutput = 666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 39c21c4cceda9c1adf839c744e1212a6437575ec\nOutput = 4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 36dae913b77bd17cae6e7b09453d24544cebb33c\nOutput = 1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad\n\nVerify = RSA-PSS-1\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 45eef191f4f79c31fe5d2ede7e5098994e929d2d\nOutput = 2a34f6125e1f6b0bf971e84fbd41c632be8f2c2ace7de8b6926e31ff93e9af987fbc06e51e9be14f5198f91f3f953bd67da60a9df59764c3dc0fe08e1cbef0b75f868d10ad3fba749fef59fb6dac46a0d6e504369331586f58e4628f39aa278982543bc0eeb537dc61958019b394fb273f215858a0a01ac4d650b955c67f4c58\n\nPublicKey = RSA-PSS-2\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818101d40c1bcf97a68ae7cdbd8a7bf3e34fa19dcca4ef75a47454375f94514d88fed006fb829f8419ff87d6315da68a1ff3a0938e9abb3464011c303ad99199cf0c7c7a8b477dce829e8844f625b115e5e9c4a59cf8f8113b6834336a2fd2689b472cbb5e5cabe674350c59b6c17e176874fb42f8fc3d176a017edc61fd326c4b33c90203010001\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 5c81a3e2a658246628cd0ee8b00bb4c012bc9739\nOutput = 014c5ba5338328ccc6e7a90bf1c0ab3fd606ff4796d3c12e4b639ed9136a5fec6c16d8884bdd99cfdc521456b0742b736868cf90de099adb8d5ffd1deff39ba4007ab746cefdb22d7df0e225f54627dc65466131721b90af445363a8358b9f607642f78fab0ab0f43b7168d64bae70d8827848d8ef1e421c5754ddf42c2589b5b3\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 27f71611446aa6eabf037f7dedeede3203244991\nOutput = 010991656cca182b7f29d2dbc007e7ae0fec158eb6759cb9c45c5ff87c7635dd46d150882f4de1e9ae65e7f7d9018f6836954a47c0a81a8a6b6f83f2944d6081b1aa7c759b254b2c34b691da67cc0226e20b2f18b42212761dcd4b908a62b371b5918c5742af4b537e296917674fb914194761621cc19a41f6fb953fbcbb649dea\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 03ecc2c33e93f05fc7224fcc0d461356cb897217\nOutput = 007f0030018f53cdc71f23d03659fde54d4241f758a750b42f185f87578520c30742afd84359b6e6e8d3ed959dc6fe486bedc8e2cf001f63a7abe16256a1b84df0d249fc05d3194ce5f0912742dbbf80dd174f6c51f6bad7f16cf3364eba095a06267dc3793803ac7526aebe0a475d38b8c2247ab51c4898df7047dc6adf52c6c4\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 246c727b4b9494849dddb068d582e179ac20999c\nOutput = 009cd2f4edbe23e12346ae8c76dd9ad3230a62076141f16c152ba18513a48ef6f010e0e37fd3df10a1ec629a0cb5a3b5d2893007298c30936a95903b6ba85555d9ec3673a06108fd62a2fda56d1ce2e85c4db6b24a81ca3b496c36d4fd06eb7c9166d8e94877c42bea622b3bfe9251fdc21d8d5371badad78a488214796335b40b\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e8617ca3ea66ce6a58ede2d11af8c3ba8a6ba912\nOutput = 00ec430824931ebd3baa43034dae98ba646b8c36013d1671c3cf1cf8260c374b19f8e1cc8d965012405e7e9bf7378612dfcc85fce12cda11f950bd0ba8876740436c1d2595a64a1b32efcfb74a21c873b3cc33aaf4e3dc3953de67f0674c0453b4fd9f604406d441b816098cb106fe3472bc251f815f59db2e4378a3addc181ecf\n\nVerify = RSA-PSS-2\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7a6fdc1a4e434ecbc35d657ad49a2f4fafd43bc8\nOutput = 00475b1648f814a8dc0abdc37b5527f543b666bb6e39d30e5b49d3b876dccc58eac14e32a2d55c2616014456ad2f246fc8e3d560da3ddf379a1c0bd200f10221df078c219a151bc8d4ec9d2fc2564467811014ef15d8ea01c2ebbff8c2c8efab38096e55fcbe3285c7aa558851254faffa92c1c72b78758663ef4582843139d7a6\n\nPublicKey = RSA-PSS-3\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818102f246ef451ed3eebb9a310200cc25859c048e4be798302991112eb68ce6db674e280da21feded1ae74880ca522b18db249385012827c515f0e466a1ffa691d98170574e9d0eadb087586ca48933da3cc953d95bd0ed50de10ddcb6736107d6c831c7f663e833ca4c097e700ce0fb945f88fb85fe8e5a773172565b914a471a4430203010001\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3552be69dd74bdc56d2cf8c38ef7bafe269040fe\nOutput = 0088b135fb1794b6b96c4a3e678197f8cac52b64b2fe907d6f27de761124964a99a01a882740ecfaed6c01a47464bb05182313c01338a8cd097214cd68ca103bd57d3bc9e816213e61d784f182467abf8a01cf253e99a156eaa8e3e1f90e3c6e4e3aa2d83ed0345b89fafc9c26077c14b6ac51454fa26e446e3a2f153b2b16797f\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 609143ff7240e55c062aba8b9e4426a781919bc9\nOutput = 02a5f0a858a0864a4f65017a7d69454f3f973a2999839b7bbc48bf78641169179556f595fa41f6ff18e286c2783079bc0910ee9cc34f49ba681124f923dfa88f426141a368a5f5a930c628c2c3c200e18a7644721a0cbec6dd3f6279bde3e8f2be5e2d4ee56f97e7ceaf33054be7042bd91a63bb09f897bd41e81197dee99b11af\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0afd22f879a9cda7c584f4135f8f1c961db114c0\nOutput = 0244bcd1c8c16955736c803be401272e18cb990811b14f72db964124d5fa760649cbb57afb8755dbb62bf51f466cf23a0a1607576e983d778fceffa92df7548aea8ea4ecad2c29dd9f95bc07fe91ecf8bee255bfe8762fd7690aa9bfa4fa0849ef728c2c42c4532364522df2ab7f9f8a03b63f7a499175828668f5ef5a29e3802c\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 405dd56d395ef0f01b555c48f748cc32b210650b\nOutput = 0196f12a005b98129c8df13c4cb16f8aa887d3c40d96df3a88e7532ef39cd992f273abc370bc1be6f097cfebbf0118fd9ef4b927155f3df22b904d90702d1f7ba7a52bed8b8942f412cd7bd676c9d18e170391dcd345c06a730964b3f30bcce0bb20ba106f9ab0eeb39cf8a6607f75c0347f0af79f16afa081d2c92d1ee6f836b8\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a2c313b0440c8a0c47233b87f0a160c61af3eae7\nOutput = 021eca3ab4892264ec22411a752d92221076d4e01c0e6f0dde9afd26ba5acf6d739ef987545d16683e5674c9e70f1de649d7e61d48d0caeb4fb4d8b24fba84a6e3108fee7d0705973266ac524b4ad280f7ae17dc59d96d3351586b5a3bdb895d1e1f7820ac6135d8753480998382ba32b7349559608c38745290a85ef4e9f9bd83\n\nVerify = RSA-PSS-3\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f1bf6ca7b4bbdbb6bf20a4bf55728725d177154a\nOutput = 012fafec862f56e9e92f60ab0c77824f4299a0ca734ed26e0644d5d222c7f0bde03964f8e70a5cb65ed44e44d56ae0edf1ff86ca032cc5dd4404dbb76ab854586c44eed8336d08d457ce6c03693b45c0f1efef93624b95b8ec169c616d20e5538ebc0b6737a6f82b4bc0570924fc6b35759a3348426279f8b3d7744e2d222426ce\n\nPublicKey = RSA-PSS-4\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181054adb7886447efe6f57e0368f06cf52b0a3370760d161cef126b91be7f89c421b62a6ec1da3c311d75ed50e0ab5fff3fd338acc3aa8a4e77ee26369acb81ba900fa83f5300cf9bb6c53ad1dc8a178b815db4235a9a9da0c06de4e615ea1277ce559e9c108de58c14a81aa77f5a6f8d1335494498848c8b95940740be7bf7c37050203010001\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f8b0abf70fec0bca74f0accbc24f75e6e90d3bfd\nOutput = 0323d5b7bf20ba4539289ae452ae4297080feff4518423ff4811a817837e7d82f1836cdfab54514ff0887bddeebf40bf99b047abc3ecfa6a37a3ef00f4a0c4a88aae0904b745c846c4107e8797723e8ac810d9e3",
+ "d95dfa30ff4966f4d75d13768d20857f2b1406f264cfe75e27d7652f4b5ed3575f28a702f8c4ed9cf9b2d44948\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 04a10944bfe11ab801e77889f3fd3d7f4ff0b629\nOutput = 049d0185845a264d28feb1e69edaec090609e8e46d93abb38371ce51f4aa65a599bdaaa81d24fba66a08a116cb644f3f1e653d95c89db8bbd5daac2709c8984000178410a7c6aa8667ddc38c741f710ec8665aa9052be929d4e3b16782c1662114c5414bb0353455c392fc28f3db59054b5f365c49e1d156f876ee10cb4fd70598\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ba01243db223eb97fb86d746c3148adaaa0ca344\nOutput = 03fbc410a2ced59500fb99f9e2af2781ada74e13145624602782e2994813eefca0519ecd253b855fb626a90d771eae028b0c47a199cbd9f8e3269734af4163599090713a3fa910fa0960652721432b971036a7181a2bc0cab43b0b598bc6217461d7db305ff7e954c5b5bb231c39e791af6bcfa76b147b081321f72641482a2aad\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 934bb0d38d6836daec9de82a9648d4593da67cd2\nOutput = 0486644bc66bf75d28335a6179b10851f43f09bded9fac1af33252bb9953ba4298cd6466b27539a70adaa3f89b3db3c74ab635d122f4ee7ce557a61e59b82ffb786630e5f9db53c77d9a0c12fab5958d4c2ce7daa807cd89ba2cc7fcd02ff470ca67b229fcce814c852c73cc93bea35be68459ce478e9d4655d121c8472f371d4f\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ec35d81abd1cceac425a935758b683465c8bd879\nOutput = 022a80045353904cb30cbb542d7d4990421a6eec16a8029a8422adfd22d6aff8c4cc0294af110a0c067ec86a7d364134459bb1ae8ff836d5a8a2579840996b320b19f13a13fad378d931a65625dae2739f0c53670b35d9d3cbac08e733e4ec2b83af4b9196d63e7c4ff1ddeae2a122791a125bfea8deb0de8ccf1f4ffaf6e6fb0a\n\nVerify = RSA-PSS-4\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 72ce251d17b04dd3970d6ff1fbe3624899e9e941\nOutput = 00938dcb6d583046065f69c78da7a1f1757066a7fa75125a9d2929f0b79a60b627b082f11f5b196f28eb9daa6f21c05e5140f6aef1737d2023075c05ecf04a028c686a2ab3e7d5a0664f295ce12995e890908b6ad21f0839eb65b70393a7b5afd9871de0caa0cedec5b819626756209d13ab1e7bb9546a26ff37e9a51af9fd562e\n\nPublicKey = RSA-PSS-5\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d003081890281810d10f661f29940f5ed39aa260966deb47843679d2b6fb25b3de370f3ac7c19916391fd25fb527ebfa6a4b4df45a1759d996c4bb4ebd18828c44fc52d0191871740525f47a4b0cc8da325ed8aa676b0d0f626e0a77f07692170acac8082f42faa7dc7cd123e730e31a87985204cabcbe6670d43a2dd2b2ddef5e05392fc213bc5070203010001\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d98b7061943510bc3dd9162f7169aabdbdcd0222\nOutput = 0ba373f76e0921b70a8fbfe622f0bf77b28a3db98e361051c3d7cb92ad0452915a4de9c01722f6823eeb6adf7e0ca8290f5de3e549890ac2a3c5950ab217ba58590894952de96f8df111b2575215da6c161590c745be612476ee578ed384ab33e3ece97481a252f5c79a98b5532ae00cdd62f2ecc0cd1baefe80d80b962193ec1d\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ae8e699f754988f4fd645e463302e49a2552072\nOutput = 08180de825e4b8b014a32da8ba761555921204f2f90d5f24b712908ff84f3e220ad17997c0dd6e706630ba3e84add4d5e7ab004e58074b549709565d43ad9e97b5a7a1a29e85b9f90f4aafcdf58321de8c5974ef9abf2d526f33c0f2f82e95d158ea6b81f1736db8d1af3d6ac6a83b32d18bae0ff1b2fe27de4c76ed8c7980a34e\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8d46c7c05534c1ba2cc7624500d48a4531604bff\nOutput = 05e0fdbdf6f756ef733185ccfa8ced2eb6d029d9d56e35561b5db8e70257ee6fd019d2f0bbf669fe9b9821e78df6d41e31608d58280f318ee34f559941c8df13287574bac000b7e58dc4f414ba49fb127f9d0f8936638c76e85356c994f79750f7fa3cf4fd482df75e3fb9978cd061f7abb17572e6e63e0bde12cbdcf18c68b979\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ee3de96783fd0a157c8b20bf5566124124dcfe65\nOutput = 0bc989853bc2ea86873271ce183a923ab65e8a53100e6df5d87a24c4194eb797813ee2a187c097dd872d591da60c568605dd7e742d5af4e33b11678ccb63903204a3d080b0902c89aba8868f009c0f1c0cb85810bbdd29121abb8471ff2d39e49fd92d56c655c8e037ad18fafbdc92c95863f7f61ea9efa28fea401369d19daea1\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1204df0b03c2724e2709c23fc71789a21b00ae4c\nOutput = 0aefa943b698b9609edf898ad22744ac28dc239497cea369cbbd84f65c95c0ad776b594740164b59a739c6ff7c2f07c7c077a86d95238fe51e1fcf33574a4ae0684b42a3f6bf677d91820ca89874467b2c23add77969c80717430d0efc1d3695892ce855cb7f7011630f4df26def8ddf36fc23905f57fa6243a485c770d5681fcd\n\nVerify = RSA-PSS-5\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 29926bc3280c841f601acd0d6f17ea38023eddbc\nOutput = 02802dccfa8dfaf5279bf0b4a29ba1b157611faeaaf419b8919d15941900c1339e7e92e6fae562c53e6cc8e84104b110bce03ad18525e3c49a0eadad5d3f28f244a8ed89edbafbb686277cfa8ae909714d6b28f4bf8e293aa04c41efe7c0a81266d5c061e2575be032aa464674ff71626219bd74cc45f0e7ed4e3ff96eee758e8f\n\nPublicKey = RSA-PSS-6\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181164ca31cff609f3a0e7101b039f2e4fe6dd37519ab98598d179e174996598071f47d3a04559158d7be373cf1aa53f0aa6ef09039e5678c2a4c63900514c8c4f8aaed5de12a5f10b09c311af8c0ffb5b7a297f2efc63b8d6b0510931f0b98e48bf5fc6ec4e7b8db1ffaeb08c38e02adb8f03a48229c99e969431f61cb8c4dc698d10203010001\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = ab464e8cb65ae5fdea47a53fa84b234d6bfd52f6\nOutput = 04c0cfacec04e5badbece159a5a1103f69b3f32ba593cb4cc4b1b7ab455916a96a27cd2678ea0f46ba37f7fc9c86325f29733b389f1d97f43e7201c0f348fc45fe42892335362eee018b5b161f2f9393031225c713012a576bc88e23052489868d9010cbf033ecc568e8bc152bdc59d560e41291915d28565208e22aeec9ef85d1\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 92d0bcae82b641f578f040f5151be8eda6d42299\nOutput = 0a2314250cf52b6e4e908de5b35646bcaa24361da8160fb0f9257590ab3ace42b0dc3e77ad2db7c203a20bd952fbb56b1567046ecfaa933d7b1000c3de9ff05b7d989ba46fd43bc4c2d0a3986b7ffa13471d37eb5b47d64707bd290cfd6a9f393ad08ec1e3bd71bb5792615035cdaf2d8929aed3be098379377e777ce79aaa4773\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3569bd8fd2e28f2443375efa94f186f6911ffc2b\nOutput = 086df6b500098c120f24ff8423f727d9c61a5c9007d3b6a31ce7cf8f3cbec1a26bb20e2bd4a046793299e03e37a21b40194fb045f90b18bf20a47992ccd799cf9c059c299c0526854954aade8a6ad9d97ec91a1145383f42468b231f4d72f23706d9853c3fa43ce8ace8bfe7484987a1ec6a16c8daf81f7c8bf42774707a9df456\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7abbb7b42de335730a0b641f1e314b6950b84f98\nOutput = 0b5b11ad549863ffa9c51a14a1106c2a72cc8b646e5c7262509786105a984776534ca9b54c1cc64bf2d5a44fd7e8a69db699d5ea52087a4748fd2abc1afed1e5d6f7c89025530bdaa2213d7e030fa55df6f34bcf1ce46d2edf4e3ae4f3b01891a068c9e3a44bbc43133edad6ecb9f35400c4252a5762d65744b99cb9f4c559329f\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 55b7eb27be7a787a59eb7e5fac468db8917a7725\nOutput = 02d71fa9b53e4654fefb7f08385cf6b0ae3a817942ebf66c35ac67f0b069952a3ce9c7e1f1b02e480a9500836de5d64cdb7ecde04542f7a79988787e24c2ba05f5fd482c023ed5c30e04839dc44bed2a3a3a4fee01113c891a47d32eb8025c28cb050b5cdb576c70fe76ef523405c08417faf350b037a43c379339fcb18d3a356b\n\nVerify = RSA-PSS-6\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = de2fa0367ef49083ff89b9905d3fd646fcc12c38\nOutput = 0a40a16e2fe2b38d1df90546167cf9469c9e3c3681a3442b4b2c2f581deb385ce99fc6188bb02a841d56e76d301891e24560550fcc2a26b55f4ccb26d837d350a154bcaca8392d98fa67959e9727b78cad03269f56968fc56b68bd679926d83cc9cb215550645ccda31c760ff35888943d2d8a1d351e81e5d07b86182e751081ef\n\nPublicKey = RSA-PSS-7\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d0030818902818137c9da4a66c8c408b8da27d0c9d79f8ccb1eafc1d2fe48746d940b7c4ef5dee18ad12647cefaa0c4b3188b221c515386759b93f02024b25ab9242f8357d8f3fd49640ee5e643eaf6c64deefa7089727c8ff03993333915c6ef21bf5975b6e50d118b51008ec33e9f01a0a545a10a836a43ddbca9d8b5c5d3548022d7064ea29ab30203010001\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 8be4afbdd76bd8d142c5f4f46dba771ee5d6d29d\nOutput = 187f390723c8902591f0154bae6d4ecbffe067f0e8b795476ea4f4d51ccc810520bb3ca9bca7d0b1f2ea8a17d873fa27570acd642e3808561cb9e975ccfd80b23dc5771cdb3306a5f23159dacbd3aa2db93d46d766e09ed15d900ad897a8d274dc26b47e994a27e97e2268a766533ae4b5e42a2fcaf755c1c4794b294c60555823\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 402140dc605b2f5c5ec0d15bce9f9ba8857fe117\nOutput = 10fd89768a60a67788abb5856a787c8561f3edcf9a83e898f7dc87ab8cce79429b43e56906941a886194f137e591fe7c339555361fbbe1f24feb2d4bcdb80601f3096bc9132deea60ae13082f44f9ad41cd628936a4d51176e42fc59cb76db8",
+ "15ce5ab4db99a104aafea68f5d330329ebf258d4ede16064bd1d00393d5e1570eb8\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 3e885205892ff2b6b37c2c4eb486c4bf2f9e7f20\nOutput = 2b31fde99859b977aa09586d8e274662b25a2a640640b457f594051cb1e7f7a911865455242926cf88fe80dfa3a75ba9689844a11e634a82b075afbd69c12a0df9d25f84ad4945df3dc8fe90c3cefdf26e95f0534304b5bdba20d3e5640a2ebfb898aac35ae40f26fce5563c2f9f24f3042af76f3c7072d687bbfb959a88460af1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 1fc2201d0c442a4736cd8b2cd00c959c47a3bf42\nOutput = 32c7ca38ff26949a15000c4ba04b2b13b35a3810e568184d7ecabaa166b7ffabddf2b6cf4ba07124923790f2e5b1a5be040aea36fe132ec130e1f10567982d17ac3e89b8d26c3094034e762d2e031264f01170beecb3d1439e05846f25458367a7d9c02060444672671e64e877864559ca19b2074d588a281b5804d23772fbbe19\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = e4351b66819e5a31501f89acc7faf57030e9aac5\nOutput = 07eb651d75f1b52bc263b2e198336e99fbebc4f332049a922a10815607ee2d989db3a4495b7dccd38f58a211fb7e193171a3d891132437ebca44f318b280509e52b5fa98fcce8205d9697c8ee4b7ff59d4c59c79038a1970bd2a0d451ecdc5ef11d9979c9d35f8c70a6163717607890d586a7c6dc01c79f86a8f28e85235f8c2f1\n\nVerify = RSA-PSS-7\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 49f6cc58365e514e1a3f301f4de16f9fb5347ff2\nOutput = 18da3cdcfe79bfb77fd9c32f377ad399146f0a8e810620233271a6e3ed3248903f5cdc92dc79b55d3e11615aa056a795853792a3998c349ca5c457e8ca7d29d796aa24f83491709befcfb1510ea513c92829a3f00b104f655634f320752e130ec0ccf6754ff893db302932bb025eb60e87822598fc619e0e981737a9a4c4152d33\n\nPublicKey = RSA-PSS-8\nType = RSA\nInput = 30819f300d06092a864886f70d010101050003818d00308189028181495370a1fb18543c16d3631e3163255df62be6eee890d5f25509e4f778a8ea6fbbbcdf85dff64e0d972003ab3681fbba6dd41fd541829b2e582de9f2a4a4e0a2d0900bef4753db3cee0ee06c7dfae8b1d53b5953218f9cceea695b08668edeaadced9463b1d790d5ebf27e9115b46cad4d9a2b8efab0561b0810344739ada0733f0203010001\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = a1dd230d8ead860199b6277c2ecfe3d95f6d9160\nOutput = 0262ac254bfa77f3c1aca22c5179f8f040422b3c5bafd40a8f21cf0fa5a667ccd5993d42dbafb409c520e25fce2b1ee1e716577f1efa17f3da28052f40f0419b23106d7845aaf01125b698e7a4dfe92d3967bb00c4d0d35ba3552ab9a8b3eef07c7fecdbc5424ac4db1e20cb37d0b2744769940ea907e17fbbca673b20522380c5\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = f6e68e53c602c5c65fa67b5aa6d786e5524b12ab\nOutput = 2707b9ad5115c58c94e932e8ec0a280f56339e44a1b58d4ddcff2f312e5f34dcfe39e89c6a94dcee86dbbdae5b79ba4e0819a9e7bfd9d982e7ee6c86ee68396e8b3a14c9c8f34b178eb741f9d3f121109bf5c8172fada2e768f9ea1433032c004a8aa07eb990000a48dc94c8bac8aabe2b09b1aa46c0a2aa0e12f63fbba775ba7e\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = d6f9fcd3ae27f32bb2c7c93536782eba52af1f76\nOutput = 2ad20509d78cf26d1b6c406146086e4b0c91a91c2bd164c87b966b8faa42aa0ca446022323ba4b1a1b89706d7f4c3be57d7b69702d168ab5955ee290356b8c4a29ed467d547ec23cbadf286ccb5863c6679da467fc9324a151c7ec55aac6db4084f82726825cfe1aa421bc64049fb42f23148f9c25b2dc300437c38d428aa75f96\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 7ff2a53ce2e2d900d468e498f230a5f5dd0020de\nOutput = 1e24e6e58628e5175044a9eb6d837d48af1260b0520e87327de7897ee4d5b9f0df0be3e09ed4dea8c1454ff3423bb08e1793245a9df8bf6ab3968c8eddc3b5328571c77f091cc578576912dfebd164b9de5454fe0be1c1f6385b328360ce67ec7a05f6e30eb45c17c48ac70041d2cab67f0a2ae7aafdcc8d245ea3442a6300ccc7\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 4eb309f7022ba0b03bb78601b12931ec7c1be8d3\nOutput = 33341ba3576a130a50e2a5cf8679224388d5693f5accc235ac95add68e5eb1eec31666d0ca7a1cda6f70a1aa762c05752a51950cdb8af3c5379f18cfe6b5bc55a4648226a15e912ef19ad77adeea911d67cfefd69ba43fa4119135ff642117ba985a7e0100325e9519f1ca6a9216bda055b5785015291125e90dcd07a2ca9673ee\n\nVerify = RSA-PSS-8\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 65033bc2f67d6aba7d526acb873b8d9241e5e4d9\nOutput = 1ed1d848fb1edb44129bd9b354795af97a069a7a00d0151048593e0c72c3517ff9ff2a41d0cb5a0ac860d736a199704f7cb6a53986a88bbd8abcc0076a2ce847880031525d449da2ac78356374c536e343faa7cba42a5aaa6506087791c06a8e989335aed19bfab2d5e67e27fb0c2875af896c21b6e8e7309d04e4f6727e69463e\n\nPublicKey = RSA-PSS-9\nType = RSA\nInput = 3081df300d06092a864886f70d01010105000381cd003081c90281c100e6bd692ac96645790403fdd0f5beb8b9bf92ed10007fc365046419dd06c05c5b5b2f48ecf989e4ce269109979cbb40b4a0ad24d22483d1ee315ad4ccb1534268352691c524f6dd8e6c29d224cf246973aec86c5bf6b1401a850d1b9ad1bb8cbcec47b06f0f8c7f45d3fc8f319299c5433ddbc2b3053b47ded2ecd4a4caefd614833dc8bb622f317ed076b8057fe8de3f84480ad5e83e4a61904a4f248fb397027357e1d30e463139815c6fd4fd5ac5b8172a45230ecb6318a04f1455d84e5a8b0203010001\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2715a49b8b0012cd7aee84c116446e6dfe3faec0\nOutput = 586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 2dac956d53964748ac364d06595827c6b4f143cd\nOutput = 80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 28d98c46cccafbd3bc04e72f967a54bd3ea12298\nOutput = 484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 0866d2ff5a79f25ef668cd6f31b42dee421e4c0e\nOutput = 84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 6a5b4be4cd36cc97dfde9995efbf8f097a4a991a\nOutput = 82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c\n\nVerify = RSA-PSS-9\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b9dfd1df76a461c51e6576c6c8ed0a923d1c50e7\nOutput = a7fdb0d259165ca2c88d00bbf1028a867d337699d061193b17a9648e14ccbbaadeacaacdec815e7571294ebb8a117af205fa078b47b0712c199e3ad05135c504c24b81705115740802487992ffd511d4afc6b854491eb3f0dd523139542ff15c3101ee85543517c6a3c79417c67e2dd9aa741e9a29b06dcb593c2336b3670ae3afbac7c3e76e215473e866e338ca244de00b62624d6b9426822ceae9f8cc460895f41250073fd45c5a1e7b425c204a423a699159f6903e710b37a7bb2bc8049f\n\nPublicKey = RSA-PSS-10\nType = RSA\nInput = 30820122300d06092a864886f70d01010105000382010f003082010a0282010100a5dd867ac4cb02f90b9457d48c14a770ef991c56c39c0ec65fd11afa8937cea57b9be7ac73b45c0017615b82d622e318753b6027c0fd157be12f8090fee2a7adcd0eef759f88ba4997c7a42d58c9aa12cb99ae001fe521c13bb5431445a8d5ae4f5e4c7e948ac227d3604071f20e577e905fbeb15dfaf06d1de5ae6253d63a6a2120b31a5da5dabc9550600e20f27d3739e2627925fea3cc509f21dff04e6eea4549c540d6809ff9307eede91fff58733d8385a237d6d3705a33e391900992070df7adf1357cf7e3700ce3667de83f17b8df1778db381dce09cb4ad058a51",
+ "1001a738198ee27cf55a13b754539906582ec8b174bd58d5d1f3d767c613721ae050203010001\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 9596bb630cf6a8d4ea4600422b9eba8b13675dd4\nOutput = 82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = b503319399277fd6c1c8f1033cbf04199ea21716\nOutput = 14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 50aaede8536b2c307208b275a67ae2df196c7628\nOutput = 6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = aa0b72b8b371ddd10c8ae474425ccccf8842a294\nOutput = 34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = fad3902c9750622a2bc672622c48270cc57d3ea8\nOutput = 7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc\n\nVerify = RSA-PSS-10\nRSAPadding = PSS\nMGF1Digest = SHA1\nInput = 122196deb5d122bd8c6fc781ff6924d7c695aade\nOutput = 6d3b5b87f67ea657af21f75441977d2180f91b2c5f692de82955696a686730d9b9778d970758ccb26071c2209ffbd6125be2e96ea81b67cb9b9308239fda17f7b2b64ecda096b6b935640a5a1cb42a9155b1c9ef7a633a02c59f0d6ee59b852c43b35029e73c940ff0410e8f114eed46bbd0fae165e42be2528a401c3b28fd818ef3232dca9f4d2a0f5166ec59c42396d6c11dbc1215a56fa17169db9575343ef34f9de32a49cdc3174922f229c23e18e45df9353119ec4319cedce7a17c64088c1f6f52be29634100b3919d38f3d1ed94e6891e66a73b8fb849f5874df59459e298c7bbce2eee782a195aa66fe2d0732b25e595f57d3e061b1fc3e4063bf98f\n\nPrivateKey = RSA-OAEP-1\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818100a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0cbc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bdbf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb020301000102818053339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf119517ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d65a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1024100d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c2f26a471dcad212eac7ca39d024100cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb33d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af72bfe9a030e860b0288b5d7702400e12bf1718e9cef5599ba1c3882fe8046a90874eefce8f2ccc20e4f2741fb0a33a3848aec9c9305fbecbd2d76819967d4671acc6431e4037968db37878e695c102410095297b0f95a2fa67d00707d609dfd4fc05c89dafc2ef6d6ea55bec771ea333734d9251e79082ecda866efef13c459e1a631386b7e354c899f5f112ca85d7158302404f456c502493bdc0ed2ab756a3a6ed4d67352a697d4216e93212b127a63d5411ce6fa98d5dbefd73263e3728142743818166ed7dd63687dd2a8ca1d2f4fbd8e1\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a\nOutput = 6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44\nOutput = 750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb\nOutput = d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755\nOutput = 52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439\nOutput = 8da89fd9e5f974a29feffb462b49180f6cf9e802\n\nDecrypt = RSA-OAEP-1\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 42cee2617b1ecea4db3f4829386fbd61dafbf038e180d837c96366df24c097b4ab0fac6bdf590d821c9f10642e681ad05b8d78b378c0f46ce2fad63f74e0ad3df06b075d7eb5f5636f8d403b9059ca761b5c62bb52aa45002ea70baace08ded243b9d8cbd62a68ade265832b56564e43a6fa42ed199a099769742df1539e8255\nOutput = 26521050844271\n\nPrivateKey = RSA-OAEP-2\nType = RSA\nInput = 30820276020100300d06092a864886f70d0101010500048202603082025c02010002818101947c7fce90425f47279e70851f25d5e62316fe8a1df19371e3e628e260543e4901ef6081f68c0b8141190d2ae8daba7d1250ec6db636e944ec3722877c7c1d0a67f14b1694c5f0379451a43e49a32dde83670b73da91a1c99bc23b436a60055c610f0baf99c1a079565b95a3f1526632d1d4da60f20eda25e653c4f002766f4502030100010281800823f20fadb5da89088a9d00893e21fa4a1b11fbc93c64a3be0baaea97fb3b93c3ff713704c19c963c1d107aae99054739f79e02e186de86f87a6ddefea6d8ccd1d3c81a47bfa7255be20601a4a4b2f08a167b5e279d715b1b455bdd7eab245941d9768b9acefb3ccda5952da3cee72525b4501663a8ee15c9e992d92462fe3902410159dbde04a33ef06fb608b80b190f4d3e22bcc13ac8e4a081033abfa416edb",
+ "0b338aa08b57309ea5a5240e7dc6e54378c69414c31d97ddb1f406db3769cc41a430241012b652f30403b38b40995fd6ff41a1acc8ada70373236b7202d39b2ee30cfb46db09511f6f307cc61cc21606c18a75b8a62f822df031ba0df0dafd5506f568bd70240436ef508de736519c2da4c580d98c82cb7452a3fb5efadc3b9c7789a1bc6584f795addbbd32439c74686552ecb6c2c307a4d3af7f539eec157248c7b31f1a2550241012b15a89f3dfb2b39073e73f02bdd0c1a7b379dd435f05cdde2eff9e462948b7cec62ee9050d5e0816e0785a856b49108dcb75f3683874d1ca6329a19013066ff02400270db17d5914b018d76118b24389a7350ec836b0063a21721236fd8edb6d89b51e7eeb87b611b7132cb7ea7356c23151c1e7751507c786d9ee1794170a8c8e8\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e\nOutput = 8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245\nOutput = 2d\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053\nOutput = 74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641\nOutput = a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec\nOutput = 2ef2b066f854c33f3bdcbb5994a435e73d6c6c\n\nDecrypt = RSA-OAEP-2\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 010839ec20c27b9052e55befb9b77e6fc26e9075d7a54378c646abdf51e445bd5715de81789f56f1803d9170764a9e93cb78798694023ee7393ce04bc5d8f8c5a52c171d43837e3aca62f609eb0aa5ffb0960ef04198dd754f57f7fbe6abf765cf118b4ca443b23b5aab266f952326ac4581100644325f8b721acd5d04ff14ef3a\nOutput = 8a7fb344c8b6cb2cf2ef1f643f9a3218f6e19bba89c0\n\nPrivateKey = RSA-OAEP-3\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d02010002818102b58fec039a860700a4d7b6462f93e6cdd491161ddd74f4e810b40e3c1652006a5c277b2774c11305a4cbab5a78efa57e17a86df7a3fa36fc4b1d2249f22ec7c2dd6a463232accea906d66ebe80b5704b10729da6f833234abb5efdd4a292cbfad33b4d33fa7a14b8c397b56e3acd21203428b77cdfa33a6da706b3d8b0fc43e9020301000102818015b48a5b5683a94670e23b5718f814fa0e13f85038f50711182cba61510581f3d22c7e232ef937e22e551d68b86e2f8cb1aad8be2e488f5df7efd279e3f568d4eaf36f80cf7141ace60fcc9113fb6c4a841fd50bbc7c512ffcbeff21487aa811eb3ca8c62005346a86de86bfa1d8a948fd3f348c22eaadf333c3ce6ce13208fd024101bf01d216d73595cf0270c2beb78d40a0d8447d31da919a983f7eea781b77d85fe371b3e9373e7b69217d3150a02d8958de7fad9d555160958b4454127e0e7eaf0241018d3399658166db3829816d7b295416759e9c91987f5b2d8aecd63b04b48bd7b2fcf229bb7f8a6dc88ba13dd2e39ad55b6d1a06160708f9700be80b8fd3744ce7024006c0a249d20a6f2ee75c88b494d53f6aae99aa427c88c28b163a769445e5f390cf40c274fd6ea6329a5ce7c7ce03a2158396ee2a7845786e09e2885a9728e4e5024100d1d27c29fedd92d86c348edd0ccbfac14f746e051ce1d1811df35d61f2ee1c97d4bf2804802f6427187ba8e90a8af44243b4079b03445e602e29fa5193e64fe90241008cb2f756bd8941b1d3b770e5ad31ee373b28acda69ff9b6f40fe578b9f1afb85836f9627d37acff73c2779e634bb26011c2c8f7f3361ae2a9ea65ed689e3639a\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80\nOutput = 087820b569e8fa8d\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5\nOutput = 4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a\nOutput = d94cd0e08fa404ed89\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0\nOutput = 6cc641b6b61e6f963974dad23a9013284ef1\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60\nOutput = df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223\n\nDecrypt = RSA-OAEP-3\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00112051e75d064943bc4478075e43482fd59cee0679de6893eec3a943daa490b9691c93dfc0464b6623b9f3dbd3e70083264f034b374f74164e1a00763725e574744ba0b9db83434f31df96f6e2a26f6d8eba348bd4686c2238ac07c37aac3785d1c7eea2f819fd91491798ed8e9cef5e43b781b0e0276e37c43ff9492d005730\nOutput = 3c3bad893c544a6d520ab022319188c8d504b7a788b850903b85972eaa18552e1134a7ad6098826254ff7ab672b3d8eb3158fac6d4cbaef1\n\nPrivateKey = RSA-OAEP-4\nType = RSA\nInput = 30820277020100300d06092a864886f70d0101010500048202613082025d020100028181051240b6cc0004fa48d0134671c078c7c8dec3b3e2f25bc2564467339db38853d06b85eea5b2de353bff42ac2e46bc97fae6ac9618da9537a5c8f553c1e357625991d6108dcd7885fb3a25413f53efcad948cb35cd9b9ae9c1c67626d113d57dde4c5bea76bb5bb7de96c00d07372e9685a6d75cf9d239fa148d70931b5f3fb03902030100010281800411ffca3b7ca5e9e9be7fe38a85105e353896db05c5796aecd2a725161eb3651c8629a9b862b904d7b0c7b37f8cb5a1c2b54001018a00a1eb2cafe4ee4e9492c348bc2bedab4b9ebbf064e8eff322b9009f8eec653905f40df88a3cdc49d4567f75627d41aca624129b46a0b7c698e5e65f2b7ba102c749a10135b6540d04010241027458c19ec1636919e736c9af25d609a51b8f561d19c6bf6943dd1ee1ab8a4a3f232100bd40b88decc6ba235548b6ef792a11c9de823d0a7922c7095b6eba570102410210ee9b33ab61716e27d251bd465f4b35a1a232e2da00901c294bf22350ce490d099f642b5375612db63ba1f20386492bf04d34b3c22bceb909d13441b53b5139024039fa028b826e88c1121b750a8b242fa9a35c5b66bdfd1fa637d3cc48a84a4f457a194e7727e49f7bcc6e5a5a412657fc470c7322ebc37416ef458c307a8c09010241015d99a84195943979fa9e1be2c3c1b69f432f46fd03e47d5befbbbfd6b1d1371d83efb330a3e020942b2fed115e5d02be24fd92c9019d1cecd6dd4cf1e54cc899024101f0b7015170b3f5e42223ba30301c41a6d87cbb70e30cb7d3c67d25473db1f6cbf03e3f9126e3e97968279a865b2c2b426524cfc52a683d31ed30eb984be412ba\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a",
+ "8ee0b1a8\nOutput = 4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e\nOutput = b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065\nOutput = bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4\nOutput = fb2ef112f5e766eb94019297934794f7be2f6fc1c58e\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2\nOutput = 28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284\n\nDecrypt = RSA-OAEP-4\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00a5ffa4768c8bbecaee2db77e8f2eec99595933545520835e5ba7db9493d3e17cddefe6a5f567624471908db4e2d83a0fbee60608fc84049503b2234a07dc83b27b22847ad8920ff42f674ef79b76280b00233d2b51b8cb2703a9d42bfbc8250c96ec32c051e57f1b4ba528db89c37e4c54e27e6e64ac69635ae887d9541619a9\nOutput = f22242751ec6b1\n\nPrivateKey = RSA-OAEP-5\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281810aadf3f9c125e5d891f31ac448e993defe580f802b45f9d7f22ba5021e9c47576b5a1e68031ba9db4e6dabe4d96a1d6f3d267268cff408005f118efcadb99888d1c234467166b2a2b849a05a889c060ac0da0c5fae8b55f309ba62e703742fa0326f2d10b011021489ff497770190d895fd39f52293c39efd73a698bdab9f10ed902030100010281810256eb4cba7067f2d2be540dcdff4582a36b7d31d1c9099bb214b79848466a268f80f58a49ac04c0e3648934a0206c04537c19b236643a6082732144df75fa217588f794682be89168276dc726c5c0cbdb84d31bbf26d0a43af495717f7d528acfee341561f6ff3cae05c578f8470d9682f9c0d072f9f6068b56d5880f682be2c5024103b0d3962f6d17549cbfca11294348dcf0e7e39f8c2bc6824f2164b606d687860dae1e632393cfedf513228229069e2f60e4acd7e633a436063f82385f48993707024102e4c32e2f517269b7072309f00c0e31365f7ce28b236b82912df239abf39572cf0ed604b02982e53564c52d6a05397de5c052a2fddc141ef7189836346aeb331f024101e84b119d25161fa67b00256a5bd9b645d2b232ecb05b015180029a88622adc3f09b3aeacde6161ab7cde22c2ad26e7797df54e072cbd3b2673800b3e4338dbd5024100eb90aa1a40135b4cea07197cedc8819be1e7cbff2547662116f465a4a9f487ab12f3ba4fef13822265a65297d98b7bded9372e3ffe81a38b3e9600fed055754f0241012f7f8138f9404062eb85a42924520b38f5bb886a0196f48bb8dcea60fd92cc027f18e78158a34a5c5d5f860a0f6c04071a7d01312c065062f1eb48b79d1c83cb\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5\nOutput = af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad\nOutput = a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967\nOutput = 308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf\nOutput = 15c5b9ee1185\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723\nOutput = 21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a\n\nDecrypt = RSA-OAEP-5\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 08c36d4dda33423b2ed6830d85f6411ba1dcf470a1fae0ebefee7c089f256cef74cb96ea69c38f60f39abee44129bcb4c92de7f797623b20074e3d9c2899701ed9071e1efa0bdd84d4c3e5130302d8f0240baba4b84a71cc032f2235a5ff0fae277c3e8f9112bef44c9ae20d175fc9a4058bfc930ba31b02e2e4f444483710f24a\nOutput = 541e37b68b6c8872b84c02\n\nPrivateKey = RSA-OAEP-6\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f02010002818112b17f6dad2ecd19ff46dc13f7860f09e0e0cfb677b38a52592305ceaf022c166db90d04ac29e33f7dd12d9faf66e0816bb63ead267cc7d46c17c37be214bca2a22d723a64e44407436b6fc965729aefc2554f376cd5dcea68293780a62bf39d0029485a160bbb9e5dc0972d21a504f52e5ee028aa416332f510b2e9cff5f722af02030100010281810295eca3560618369559cecd303aa9cfdafc1d9f06959df75ffef929aa896961bcd190dc6997eda7f5963e724d07b4dc11f3065e5ae97d96835112280b9084bb14f2a21ebd4e889d41b9c4132ec1956fcab8bb2fed0575884936522c5ff7d33261904824e7cadee4e0bb372d2457cf78e2bd1286228ff83f10731ce63c90cff3f9024104a6ce8b7358dfa69bdcf742617005afb5385f5f3a58a24ef74a22a8c05cb7cc38ebd4cc9d9a9d789a62cd0f60f0cb941d3423c9692efa4fe3adff290c4749a38b02410404c9a803371fedb4c5be39f3c00b009e5e08a63be1e40035cdaca5011cc701cf7eebcb99f0ffe17cfd0a4bf7befd2dd536ac946db797fdbc4abe8f29349b91ed024103961c8f760aa2bd5154c7aafd77225b3bacd0139ae7b5948ea3311fccd86fb95c75afa767284b9b2de559572f15d8d044c7eb83a1be5fadf2cc377c0d8475294b0241022197e066742196aabc03fa2feeb4e70b15cb787d617acd31bb75c7bc234ad706f7c48d2182d1f0ff9c228dcf41967b6c0ba6d2c0ad110a1b857831ec245e2cb102410401c4c0c53d45dbdb5e9d96d0fecf4275df0974bc4a0736b4a74c3269053efb686ace2406e22c9e058ddb4ae540627ae2fdb08261e8e7e4bcbc994daafa305c45\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3\nOutput = 4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f\nOutput = 5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed960094",
+ "92480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65\nOutput = b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8\nOutput = 684e3038c5c041f7\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab\nOutput = 32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693\n\nDecrypt = RSA-OAEP-6\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0a026dda5fc8785f7bd9bf75327b63e85e2c0fdee5dadb65ebdcac9ae1de95c92c672ab433aa7a8e69ce6a6d8897fac4ac4a54de841ae5e5bbce7687879d79634cea7a30684065c714d52409b928256bbf53eabcd5231eb7259504537399bd29164b726d33a46da701360a4168a091ccab72d44a62fed246c0ffea5b1348ab5470\nOutput = 50ba14be8462720279c306ba\n\nPrivateKey = RSA-OAEP-7\nType = RSA\nInput = 30820278020100300d06092a864886f70d0101010500048202623082025e020100028181311179f0bcfc9b9d3ca315d00ef30d7bdd3a2cfae9911bfedcb948b3a4782d0732b6ab44aa4bf03741a644dc01bec3e69b01a033e675d8acd7c4925c6b1aec3119051dfd89762d215d45475ffcb59f908148623f37177156f6ae86dd7a7c5f43dc1e1f908254058a284a5f06c0021793a87f1ac5feff7dcaee69c5e51a3789e3730203010001028181070cfcff2feb8276e27432c45dfee48f49b7917d6530e1f0ca3460f32e0276174487c56e22a45d2500d7775495219d7d165a9cf3bd92c32af9a98d8dc9cc296800adc94a0a54fb40f34291bf84ee8ea12b6f109359c6d3542a50f9c767f5cfff05a681c2e656fb77caaadb4be9468d8abcd4df98f58e86d2053fa1349f748e21b102410749262c111cd470ec2566e6b3732fc09329469aa19071d3b9c01906514c6f1d26baa14beab0971c8b7e611a4f79009d6fea776928ca25285b0de3643d1a3f8c71024106bc1e50e96c02bf636e9eea8b899bbebf7651de77dd474c3e9bc23bad8182b61904c7d97dfbebfb1e00108878b6e67e415391d67942c2b2bf9b4435f88b0cb023024103bc7ea7f0aab143abc6ce8b97118636a30172e4cfe02c8fa0dda3b7baaf90f8092982985525f488bdfcb4bd726e22639ac64a3092ab7ffcbf1d5334cfa50b5bf102410262a6aa29c2a3c67dc5346c06381afd987aa3cc93cfbfecf54fdd9f9d787d7f59a523d398979da137a2f6381fe94801f7c94da21518dc34cb40870c4697994ad90240649d4c17b6ee1721e772d0389a559c3d3cdf9550d457c46b037b74641b1d52166af8a213c8396206cdfba4422f18d6f61dbcb5d214c971bf482aeb976a7370c2\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1\nOutput = 47aae909\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6\nOutput = 1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b\nOutput = d976fc\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac\nOutput = d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478\nOutput = bb47231ca5ea1d3ad46c99345d9a8a61\n\nDecrypt = RSA-OAEP-7\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 14c678a94ad60525ef39e959b2f3ba5c097a94ff912b67dbace80535c187abd47d075420b1872152bba08f7fc31f313bbf9273c912fc4c0149a9b0cfb79807e346eb332069611bec0ff9bcd168f1f7c33e77313cea454b94e2549eecf002e2acf7f6f2d2845d4fe0aab2e5a92ddf68c480ae11247935d1f62574842216ae674115\nOutput = 2184827095d35c3f86f600e8e59754013296\n\nPrivateKey = RSA-OAEP-8\nType = RSA\nInput = 30820279020100300d06092a864886f70d0101010500048202633082025f0201000281815bdf0e30d321dda5147f882408fa69195480df8f80d3f6e8bf5818504f36427ca9b1f5540b9c65a8f6974cf8447a244d9280201bb49fcbbe6378d1944cd227e230f96e3d10f819dcef276c64a00b2a4b6701e7d01de5fabde3b1e9a0df82f4631359cd22669647fbb1717246134ed7b497cfffbdc42b59c73a96ed90166212dff702030100010281810f7d1e9e5aaa25fd13e4a0663ae144e0d15f5cd18bcdb09df2cc7e64e3c5e915ad62645304161d098c715bb7ab8bd01d07eaf3fed7c7ed08af2a8a62ef44ab16b320e14af72a48f96afe262a0ae4cf65e635e910790cd4ee5cea768a4b2639f7e6f677b3f0bb6be32b75747d8909036f0264f58d401cdba131716157a75ecf633102410a02ef8448d9fad8bbd0d004c8c2aa9751ef9721c1b0d03236a54b0df947cbaed5a255ee9e8e20d491ea1723fe094704a9762e88afd16ebb5994412ca966dc4f9f0241092d362e7ed3a0bfd9e9fd0e6c0301b6df29159cf50cc83b9b0cf4d6eea71a61e002b46e0ae9f2de62d25b5d7452d498b81c9ac6fc58593d4c3fb4f5d72dfbb0a9024107c71410af103962db367404e37ae850baa4e9c29dd92145815294a67c7d1c6ded263aa030a9b633ae50303e14035d1af014123eba687820308d8ebc85b6957d7d024100ae2c75380c02c016ad05891b3301de881f28ae1171182b6b2c83bea7c515eca9ca298c7b1cab5817a597068fc85060de4da8a016378aae43c7f967bcc37904b902410598d1059e3ada4f6320752c09d805ff7d1f1ae0d017aeeee9cefa0d7dd7ff775e44b578322f6405d6211da19519666aa87fdc4cd8c88f6b6e3d67e961dcbba3d0\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61\nOutput = 050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d\nOutput = 4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f\nOutput = 8604ac56328c1ab5ad917861\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0\nOutput = fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b2",
+ "29d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2\nOutput = 4a5f4914bee25de3c69341de07\n\nDecrypt = RSA-OAEP-8\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 3afd9c6600147b21798d818c655a0f4c9212db26d0b0dfdc2a7594ccb3d22f5bf1d7c3e112cd73fc7d509c7a8bafdd3c274d1399009f9609ec4be6477e453f075aa33db382870c1c3409aef392d7386ae3a696b99a94b4da0589447e955d16c98b17602a59bd736279fcd8fb280c4462d590bfa9bf13fed570eafde97330a2c210\nOutput = 8e07d66f7b880a72563abcd3f35092bc33409fb7f88f2472be\n\nPrivateKey = RSA-OAEP-9\nType = RSA\nInput = 30820397020100300d06092a864886f70d0101010500048203813082037d0201000281c100cf2cd41e34ca3a728ea5cb8aff64c36d27bdef5364e336fd68d3123c5a196a8c287013e853d5156d58d151954520fb4f6d7b17abb6817765909c576119659d902b1906ed8a2b10c155c24d124528dab9eeae379beac66e4a411786dcb8fd0062ebc030de1219a04c2a8c1b7dd3131e4d6b6caee2e31a5ed41ac1509b2ef1ee2ab18364be568ca941c25ecc84ff9d643b5ec1aaae102a20d73f479b780fd6da91075212d9eac03a0674d899eba2e431f4c44b615b6ba2232bd4b33baed73d625d02030100010281c0198c141e23715a92bccf6a119a5bc11389468d2811f548d727e17b4ab0eb986d6f211efb53b71f7ccbea87ee69c75ee615008c5332deb52bf390abdfbfe37d7205368159b2638c1de326e21d22251f0fb5848b3bf15005d2a74330f0afe916ee62ccc1344d1d83a709e60676273840f7f377424a5e0a4da75f01b31ff76819cf9cbfdd215243c3917c03ef38199312e567b3bf7aed3ab457f371ef8a1423f45b68c6e282ec111bba2833b987fd69fad83bc1b8c613c5e1ea16c11ed125ea7ec1026100fc8d6c04bec4eb9a8192ca7900cbe536e2e8b519decf33b2459798c6909df4f176db7d23190fc72b8865a718af895f1bcd9145298027423b605e70a47cf58390a8c3e88fc8c48e8b32e3da210dfbe3e881ea5674b6a348c21e93f9e55ea65efd026100d200d45e788aacea606a401d0460f87dd5c1027e12dc1a0d7586e8939d9cf789b40f51ac0442961de7d21cc21e05c83155c1f2aa9193387cfdf956cb48d153ba270406f9bbba537d4987d9e2f9942d7a14cbfffea74fecdda928d23e259f5ee1026100db16802f79a2f0d45f358d69fd33e44b81fae828622e93a54253e997d01b0743759da0e812b4aa4e6c8beab2328d5431955a418a67ff26a8c5c807a5da354e05ef31cc8cf758f463732950b03e265726fb94e39d6a572a26244ab08db75752ad026100a0a317cfe7df1423f87a6dee8451f4e2b4a67e5497f29b4f1e4e830b9fadd9401167026f5596e5a39c97817e0f5f16e27e19ec9902e01d7ea6fb9aa3c760afee1e381b69de6ac9c07585a06ad9c4ba00bf75c8ad2fa898a479e80ae294fed2a102600b21f335c353342eb44c3aa24445780c2d655b940174cae38c7c8a4e6493c0ba9fd303748267b083b9a7a6cb61e42db362b8c9896db7064e02ad5ae61587da15b4649c90594909feb37dbcb654beb7268ec801e5a8b4aa3911bebd88542f05be\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72\nOutput = f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8\nOutput = 81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3\nOutput = fd326429df9b890e09b54b18b8f34f1e24\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858\nOutput = f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e\nOutput = 53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d\n\nDecrypt = RSA-OAEP-9\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 438cc7dc08a68da249e42505f8573ba60e2c2773d5b290f4cf9dff718e842081c383e67024a0f29594ea987b9d25e4b738f285970d195abb3a8c8054e3d79d6b9c9a8327ba596f1259e27126674766907d8d582ff3a8476154929adb1e6d1235b2ccb4ec8f663ba9cc670a92bebd853c8dbf69c6436d016f61add836e94732450434207f9fd4c43dec2a12a958efa01efe2669899b5e604c255c55fb7166de5589e369597bb09168c06dd5db177e06a1740eb2d5c82faeca6d92fcee9931ba9f\nOutput = b6b28ea2198d0c1008bc64\n\nPrivateKey = RSA-OAEP-10\nType = RSA\nInput = 308204bd020100300d06092a864886f70d0101010500048204a7308204a30201000282010100ae45ed5601cec6b8cc05f803935c674ddbe0d75c4c09fd7951fc6b0caec313a8df39970c518bffba5ed68f3f0d7f22a4029d413f1ae07e4ebe9e4177ce23e7f5404b569e4ee1bdcf3c1fb03ef113802d4f855eb9b5134b5a7c8085adcae6fa2fa1417ec3763be171b0c62b760ede23c12ad92b980884c641f5a8fac26bdad4a03381a22fe1b754885094c82506d4019a535a286afeb271bb9ba592de18dcf600c2aeeae56e02f7cf79fc14cf3bdc7cd84febbbf950ca90304b2219a7aa063aefa2c3c1980e560cd64afe779585b6107657b957857efde6010988ab7de417fc88d8f384c4e6e72c3f943e0c31c0c4a5cc36f879d8a3ac9d7d59860eaada6b83bb020301000102820100056b04216fe5f354ac77250a4b6b0c8525a85c59b0bd80c56450a22d5f438e596a333aa875e291dd43f48cb88b9d5fc0d499f9fcd1c397f9afc070cd9e398c8d19e61db7c7410a6b2675dfbf5d345b804d201add502d5ce2dfcb091ce9997bbebe57306f383e4d588103f036f7e85d1934d152a323e4a8db451d6f4a5b1b0f102cc150e02feee2b88dea4ad4c1baccb24d84072d14e1d24a6771f7408ee30564fb86d4393a34bcf0b788501d193303f13a2284b001f0f649eaf79328d4ac5c430ab4414920a9460ed1b7bc40ec653e876d09abc509ae45b525190116a0c26101848298509c1c3bf3a483e7274054e15e97075036e989f60932807b5257751e7902818100ecf5aecd1e5515fffacbd75a2816c6ebf49018cdfb4638e185d66a7396b6f8090f8018c7fd95cc34b857dc17f0cc6516bb1346ab4d582cadad7b4103352387b70338d084047c9d9539b6496204b3dd6ea442499207bec01f964287ff6336c3984658336846f56e46861881c10233d2176bf15a5e96ddc780bc868aa77d3ce76902818100bc46c464fc6ac4ca783b0eb08a3c841b772f7e9b2f28babd588ae885e1a0c61e4858a0fb25ac299990f35be85164c259ba1175cdd7192707135184992b6c29b746dd0d2cabe142835f7d148cc161524b4a09946d48b828473f1ce76b6cb6886c345c03e05f41d51b5c3a90a3f24073c7d74a4fe25d9cf21c75960f3fc386318302818100c73564571d00fb15d08a3de9957a50915d7126e9442dacf42bc82e862e5673ff6a008ed4d2e374617df89f17a160b43b7fda9cb6b6b74218609815f7d45ca263c159aa32d272d127faf4bc8ca2d77378e8aeb19b0ad7da3cb3de0ae7314980f62b6d4b0a875d1df03c1bae39ccd833ef6cd7e2d9528bf084d1f969e794e9f6c10281802658b37f6df9c1030be1db68117fa9d87e39ea2b693b7e6d3a2f70947413eec6142e18fb8dfcb6ac545d7c86a0ad48f8457170f0efb26bc48126c53efd1d16920198dc2a1107dc282db6a80cd3062360ba3fa13f70e4312ff1a6cd6b8fc4cd9c5c3db17c6d6a57212f73ae29f619327bad59b153858585ba4e28b60a62a45e490281806f38526b3925085534ef3e415a836ede8b86158a2c7cbfeccb0bd834304fec683ba8d4f479c433d43416e63269623cea100776d85aff401d3fff610ee65411ce3b1363d63a9709eede42647cea561493d54570a879c18682cd97710b96205ec31117d73b5f36223fadd6e8ba90dd7c0ee61d44e163251e20c7f66eb305117cb8\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMG",
+ "F1Digest = SHA1\nInput = 53ea5dc08cd260fb3b858567287fa91552c30b2febfba213f0ae87702d068d19bab07fe574523dfb42139d68c3c5afeee0bfe4cb7969cbf382b804d6e61396144e2d0e60741f8993c3014b58b9b1957a8babcd23af854f4c356fb1662aa72bfcc7e586559dc4280d160c126785a723ebeebeff71f11594440aaef87d10793a8774a239d4a04c87fe1467b9daf85208ec6c7255794a96cc29142f9a8bd418e3c1fd67344b0cd0829df3b2bec60253196293c6b34d3f75d32f213dd45c6273d505adf4cced1057cb758fc26aeefa441255ed4e64c199ee075e7f16646182fdb464739b68ab5daff0e63e9552016824f054bf4d3c8c90a97bb6b6553284eb429fcc\nOutput = 8bba6bf82a6c0f86d5f1756e97956870b08953b06b4eb205bc1694ee\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = a2b1a430a9d657e2fa1c2bb5ed43ffb25c05a308fe9093c01031795f5874400110828ae58fb9b581ce9dddd3e549ae04a0985459bde6c626594e7b05dc4278b2a1465c1368408823c85e96dc66c3a30983c639664fc4569a37fe21e5a195b5776eed2df8d8d361af686e750229bbd663f161868a50615e0c337bec0ca35fec0bb19c36eb2e0bbcc0582fa1d93aacdb061063f59f2ce1ee43605e5d89eca183d2acdfe9f81011022ad3b43a3dd417dac94b4e11ea81b192966e966b182082e71964607b4f8002f36299844a11f2ae0faeac2eae70f8f4f98088acdcd0ac556e9fccc511521908fad26f04c64201450305778758b0538bf8b5bb144a828e629795\nOutput = e6ad181f053b58a904f2457510373e57\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 9886c3e6764a8b9a84e84148ebd8c3b1aa8050381a78f668714c16d9cfd2a6edc56979c535d9dee3b44b85c18be8928992371711472216d95dda98d2ee8347c9b14dffdff84aa48d25ac06f7d7e65398ac967b1ce90925f67dce049b7f812db0742997a74d44fe81dbe0e7a3feaf2e5c40af888d550ddbbe3bc20657a29543f8fc2913b9bd1a61b2ab2256ec409bbd7dc0d17717ea25c43f42ed27df8738bf4afc6766ff7aff0859555ee283920f4c8a63c4a7340cbafddc339ecdb4b0515002f96c932b5b79167af699c0ad3fccfdf0f44e85a70262bf2e18fe34b850589975e867ff969d48eabf212271546cdc05a69ecb526e52870c836f307bd798780ede\nOutput = 510a2cf60e866fa2340553c94ea39fbc256311e83e94454b4124\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 6318e9fb5c0d05e5307e1683436e903293ac4642358aaa223d7163013aba87e2dfda8e60c6860e29a1e92686163ea0b9175f329ca3b131a1edd3a77759a8b97bad6a4f8f4396f28cf6f39ca58112e48160d6e203daa5856f3aca5ffed577af499408e3dfd233e3e604dbe34a9c4c9082de65527cac6331d29dc80e0508a0fa7122e7f329f6cca5cfa34d4d1da417805457e008bec549e478ff9e12a763c477d15bbb78f5b69bd57830fc2c4ed686d79bc72a95d85f88134c6b0afe56a8ccfbc855828bb339bd17909cf1d70de3335ae07039093e606d655365de6550b872cd6de1d440ee031b61945f629ad8a353b0d40939e96a3c450d2a8d5eee9f678093c8\nOutput = bcdd190da3b7d300df9a06e22caae2a75f10c91ff667b7c16bde8b53064a2649a94045c9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 75290872ccfd4a4505660d651f56da6daa09ca1301d890632f6a992f3d565cee464afded40ed3b5be9356714ea5aa7655f4a1366c2f17c728f6f2c5a5d1f8e28429bc4e6f8f2cff8da8dc0e0a9808e45fd09ea2fa40cb2b6ce6ffff5c0e159d11b68d90a85f7b84e103b09e682666480c657505c0929259468a314786d74eab131573cf234bf57db7d9e66cc6748192e002dc0deea930585f0831fdcd9bc33d51f79ed2ffc16bcf4d59812fcebcaa3f9069b0e445686d644c25ccf63b456ee5fa6ffe96f19cdf751fed9eaf35957754dbf4bfea5216aa1844dc507cb2d080e722eba150308c2b5ff1193620f1766ecf4481bafb943bd292877f2136ca494aba0\nOutput = a7dd6c7dc24b46f9dd5f1e91ada4c3b3df947e877232a9\n\nDecrypt = RSA-OAEP-10\nRSAPadding = OAEP\nMGF1Digest = SHA1\nInput = 2d207a73432a8fb4c03051b3f73b28a61764098dfa34c47a20995f8115aa6816679b557e82dbee584908c6e69782d7deb34dbd65af063d57fca76a5fd069492fd6068d9984d209350565a62e5c77f23038c12cb10c6634709b547c46f6b4a709bd85ca122d74465ef97762c29763e06dbc7a9e738c78bfca0102dc5e79d65b973f28240caab2e161a78b57d262457ed8195d53e3c7ae9da021883c6db7c24afdd2322eac972ad3c354c5fcef1e146c3a0290fb67adf007066e00428d2cec18ce58f9328698defef4b2eb5ec76918fde1c198cbb38b7afc67626a9aefec4322bfd90d2563481c9a221f78c8272c82d1b62ab914e1c69f6af6ef30ca5260db4a46\nOutput = eaf1a73a1b0c4609537de69cd9228bbcfb9a8ca8c6c3efaf056fe4a7f4634ed00b7c39ec6922d7b8ea2c04ebac\n\n\n# Single-shot signing tests.\n\nSignMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = RSA-2048-SPKI\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\n\nVerifyMessage = P-256\nDigest = SHA256\nInput = \"Hello world\"\nOutput = 304502204c66004635c267394bd6857c1e0b53b22a2bab1ca7dff9d5c1b42143858b3ea7022100ae81228510e03cd49a8863d2ebd1c05fe0c87eacd1150433132b909994cd0dbd\n\n# Digest can't be omitted in many algorithms.\nSignMessage = RSA-2048\nInput = \"Hello world\"\nError = NO_DEFAULT_DIGEST\n\nVerifyMessage = RSA-2048\nInput = \"Hello world\"\nOutput = 301894798b49d6ec55d32dcc74314f04230591a515781f3eb4492f5324b56046836c4bc3e25942af341e88558cb4c3814a849207575d343189147989b16e296b5138dbbc717116dc416f201dfa35943d15060493953cda1f04a13ff89845cf7fd69e1a78d5d38522a77bb234e5d0ba2ae17ada6e22fdae27a4052fdb8ac267507dfe06ed7a865e61a52b530bbbf65c7caa89739613df10ae3b0e62ff6831ee0770086aad39c329462aede9f1b29a501bc3d09e0fe4034aa5d6831d44491d508111d88a1d7ba50cee5ef7e701b3a589adc09a752a974a6805956f4a1a0582f66309a1e02e9fb6b10d2c820fe98bb2eb04f435bc8a649cc9ab6c5a4c03e83800d1\nError = NO_DEFAULT_DIGEST\n\n# Signing test vectors from RFC 8032.\nSignMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nSignMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nSignMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nSignMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1",
+ "ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nSignMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Signing with public keys is not allowed.\nSignMessage = Ed25519-SPKI\nInput = \"\"\nError = NOT_A_PRIVATE_KEY\n\n# Verify test vectors from RFC 8032. Test verifying with both the public and\n# private key.\nVerifyMessage = Ed25519\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\n\nVerifyMessage = Ed25519-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-SPKI-2\nInput = 72\nOutput = 92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00\n\nVerifyMessage = Ed25519-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-SPKI-3\nInput = af82\nOutput = 6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a\n\nVerifyMessage = Ed25519-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-SPKI-4\nInput = 08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d879de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4feba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbefefd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed185ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f27088d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b0707e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128bab27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51addd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429ec96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb751fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34dff7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e488acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a32ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5fb93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b50d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380db2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0\nOutput = 0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03\n\nVerifyMessage = Ed25519-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\nVerifyMessage = Ed25519-SPKI-5\nInput = ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f\nOutput = dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b58909351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704\n\n# Length is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a10\nError = INVALID_SIGNATURE\n\n# Message is wrong.\nVerifyMessage = Ed25519-SPKI\nInput = \"Hello world\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe2465",
+ "5141438e7a100b\nError = INVALID_SIGNATURE\n\n# Ed25519 does not support configuring a digest.\nSignMessage = Ed25519\nInput = \"\"\nDigest = SHA256\nError = COMMAND_NOT_SUPPORTED\n\n# Ed25519 does not support signing a pre-hashed value.\nSign = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n\nVerify = Ed25519\nInput = \"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\"\nOutput = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b\nError = OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE\n",
};
-static const size_t kLen32 = 122835;
+static const size_t kLen32 = 123525;
static const char *kData33[] = {
"#\n# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.\n#\n# Licensed under the OpenSSL license (the \"License\"). You may not use\n# this file except in compliance with the License. You can obtain a copy\n# in the file LICENSE in the source distribution or at\n# https://www.openssl.org/source/license.html\n\nPassword = \"\"\nSalt = \"\"\nN = 16\nr = 1\np = 1\nKey = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906\n\nPassword = \"password\"\nSalt = \"NaCl\"\nN = 1024\nr = 8\np = 16\nKey = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640\n\nPassword = \"pleaseletmein\"\nSalt = \"SodiumChloride\"\nN = 16384\nr = 8\np = 1\nKey = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887\n\n# NB: this test requires more than 1GB of memory to run so it is disabled by\n# default. Uncomment it to run.\n# Password = \"pleaseletmein\"\n# Salt = \"SodiumChloride\"\n# N = 1048576\n# r = 8\n# p = 1\n# Key = 2101cb9b6a511aaeaddbbe09cf70f881ec568d574a2ffd4dabe5ee9820adaa478e56fd8f4ba5d09ffa1c6d927c40f4c337304049e8a952fbcbf45c6fa77a41a4\n# MaxMemory = 10000000000\n",
diff --git a/sources.bp b/sources.bp
index bfc2dc5..a1bafca 100644
--- a/sources.bp
+++ b/sources.bp
@@ -357,6 +357,7 @@
"src/ssl/d1_srtp.cc",
"src/ssl/dtls_method.cc",
"src/ssl/dtls_record.cc",
+ "src/ssl/handshake.cc",
"src/ssl/handshake_client.cc",
"src/ssl/handshake_server.cc",
"src/ssl/s3_both.cc",
diff --git a/src/STYLE.md b/src/STYLE.md
index 3c74b45..98a8159 100644
--- a/src/STYLE.md
+++ b/src/STYLE.md
@@ -31,10 +31,10 @@
allowed and preferred where possible. Note that the common `goto err` cleanup
pattern requires lifting some variable declarations.
-Comments should be `/* C-style */` for consistency.
+Comments should be `// C99-style` for consistency with C++.
-When declaration pointer types, `*` should be placed next to the variable
-name, not the type. So
+When declaring pointer types, `*` should be placed next to the variable name,
+not the type. So
uint8_t *ptr;
@@ -60,6 +60,19 @@
continue with `#define`.
+## libssl
+
+libssl was originally written in C but is being incrementally rewritten in
+C++11. As of writing, much of the style matches our C conventions rather than
+Google C++. Additionally, libssl on Linux currently may not depend on the C++
+runtime. See the C++ utilities in `ssl/internal.h` for replacements for
+problematic C++ constructs. The `util/check_imported_libraries.go` script may be
+used with a shared library build to check if a new construct is okay.
+
+If unsure, match surrounding code. Discrepancies between it and Google C++ style
+will be fixed over time.
+
+
## Formatting
Single-statement blocks are not allowed. All conditions and loops must
@@ -185,23 +198,23 @@
and caller obligations on object lifetimes. If this sacrifices
conciseness, consider simplifying the function's behavior.
- /* EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
- * will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
- * zero otherwise. */
+ // EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which
+ // will be verified by |EVP_DigestVerifyFinal|. It returns one on success and
+ // zero otherwise.
OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data,
size_t len);
Explicitly mention any surprising edge cases or deviations from common
return value patterns in legacy functions.
- /* RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
- * |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
- * least |RSA_size| bytes of space. It returns the number of bytes written, or
- * -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
- * values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
- *
- * WARNING: this function is dangerous because it breaks the usual return value
- * convention. Use |RSA_sign_raw| instead. */
+ // RSA_private_encrypt encrypts |flen| bytes from |from| with the private key in
+ // |rsa| and writes the encrypted data to |to|. The |to| buffer must have at
+ // least |RSA_size| bytes of space. It returns the number of bytes written, or
+ // -1 on error. The |padding| argument must be one of the |RSA_*_PADDING|
+ // values. If in doubt, |RSA_PKCS1_PADDING| is the most common.
+ //
+ // WARNING: this function is dangerous because it breaks the usual return value
+ // convention. Use |RSA_sign_raw| instead.
OPENSSL_EXPORT int RSA_private_encrypt(int flen, const uint8_t *from,
uint8_t *to, RSA *rsa, int padding);
diff --git a/src/crypto/evp/evp_test.cc b/src/crypto/evp/evp_test.cc
index de72107..911c596 100644
--- a/src/crypto/evp/evp_test.cc
+++ b/src/crypto/evp/evp_test.cc
@@ -70,6 +70,7 @@
#include <gtest/gtest.h>
+#include <openssl/buf.h>
#include <openssl/bytestring.h>
#include <openssl/crypto.h>
#include <openssl/digest.h>
@@ -206,6 +207,27 @@
return false;
}
}
+ if (t->HasAttribute("OAEPDigest")) {
+ const EVP_MD *digest = GetDigest(t, t->GetAttributeOrDie("OAEPDigest"));
+ if (digest == nullptr || !EVP_PKEY_CTX_set_rsa_oaep_md(ctx, digest)) {
+ return false;
+ }
+ }
+ if (t->HasAttribute("OAEPLabel")) {
+ std::vector<uint8_t> label;
+ if (!t->GetBytes(&label, "OAEPLabel")) {
+ return false;
+ }
+ // For historical reasons, |EVP_PKEY_CTX_set0_rsa_oaep_label| expects to be
+ // take ownership of the input.
+ bssl::UniquePtr<uint8_t> buf(
+ reinterpret_cast<uint8_t *>(BUF_memdup(label.data(), label.size())));
+ if (!buf ||
+ !EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, buf.get(), label.size())) {
+ return false;
+ }
+ buf.release();
+ }
return true;
}
diff --git a/src/crypto/evp/evp_tests.txt b/src/crypto/evp/evp_tests.txt
index 5e69a4e..ed8dc42 100644
--- a/src/crypto/evp/evp_tests.txt
+++ b/src/crypto/evp/evp_tests.txt
@@ -482,6 +482,14 @@
Input = 458708dfbd42a1297ce7a9c86c7087ab80b1754810929b89c5107ca55368587686986fce94d86cc1595b3fb736223a656ec0f34d18ba1cc5665593610f56c58e26b272d584f3d983a5c91085700755aebd921fb280bba3eda7046ec07b43e7298e52d59edc92be4639a8ce08b2f85976ecf6d98cc469eeb9d5d8e2a32ea8a6626edafe1038b3df455668a9f3c77cad8b92fb872e00058c3d2a7ede1a1f03fc5622084ae04d9d24f6bf0995c58d35b93b699b9763595e123f2ab0863cc9229eb290e2ede7715c7a8f39e0b9a3e2e1b56ebb62f1cbfbb5986fb212ebd785b83d01d968b11d1756c7337f70c1f1a63bff03608e24f3a2fd44e67f832a8701c5d5af
Output = "Hello World"
+# OAEP padding with label and custom hash.
+Decrypt = RSA-2048
+RSAPadding = OAEP
+OAEPDigest = SHA512
+OAEPLabel = 00112233445566778899aabbccddeeff
+Input = 48b956c22b8e40cc38f0893672ddf488fc806cf1fcc6239c66dd8345eb543d6b5cac589e6c7ae86dac1c2436c4d72c48009a737b2c649e6000dbab17203e4d9c078bd70b649700a0830d4ddc396af0c48973177a229e48259d93247f04f76474c7611b530c66f020c4da2cc861c2e4104831ecc0336e0cb10d6520fdefd0b33606f5cdd736dd439583b9b6011cce99623c93caf5f76e21e9fefab414795dd5ac12cba551be74ebf266834fcffab182c5e7c9b6c064df154cb26ddfd4fe2fd87590005f4bf45e776a0082803e9f68995b8eeb4c6802c67b5ef349e5b2dc0cf7a12fc097030f2bd28f0253f17129b04c82993a12957728b35880fdd2f8d0cc469f
+Output = "Hello World"
+
# OAEP padding, corrupted ciphertext
Decrypt = RSA-2048
RSAPadding = OAEP
diff --git a/src/crypto/evp/p_rsa.c b/src/crypto/evp/p_rsa.c
index 08c01c2..cfc6bea 100644
--- a/src/crypto/evp/p_rsa.c
+++ b/src/crypto/evp/p_rsa.c
@@ -92,6 +92,11 @@
size_t oaep_labellen;
} RSA_PKEY_CTX;
+typedef struct {
+ uint8_t *data;
+ size_t len;
+} RSA_OAEP_LABEL_PARAMS;
+
static int pkey_rsa_init(EVP_PKEY_CTX *ctx) {
RSA_PKEY_CTX *rctx;
rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX));
@@ -485,20 +490,17 @@
}
return 1;
- case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
+ case EVP_PKEY_CTRL_RSA_OAEP_LABEL: {
if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE);
return 0;
}
OPENSSL_free(rctx->oaep_label);
- if (p2 && p1 > 0) {
- rctx->oaep_label = p2;
- rctx->oaep_labellen = p1;
- } else {
- rctx->oaep_label = NULL;
- rctx->oaep_labellen = 0;
- }
+ RSA_OAEP_LABEL_PARAMS *params = p2;
+ rctx->oaep_label = params->data;
+ rctx->oaep_labellen = params->len;
return 1;
+ }
case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL:
if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) {
@@ -611,13 +613,9 @@
int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label,
size_t label_len) {
- if (label_len > INT_MAX) {
- return 0;
- }
-
+ RSA_OAEP_LABEL_PARAMS params = {label, label_len};
return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,
- EVP_PKEY_CTRL_RSA_OAEP_LABEL, (int)label_len,
- (void *)label);
+ EVP_PKEY_CTRL_RSA_OAEP_LABEL, 0, ¶ms);
}
int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx,
diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h
index 016c83c..269bc8b 100644
--- a/src/include/openssl/ssl.h
+++ b/src/include/openssl/ssl.h
@@ -3303,7 +3303,6 @@
#define SSL_ST_INIT (SSL_ST_CONNECT | SSL_ST_ACCEPT)
#define SSL_ST_OK 0x03
#define SSL_ST_RENEGOTIATE (0x04 | SSL_ST_INIT)
-#define SSL_ST_TLS13 (0x05 | SSL_ST_INIT)
// SSL_CB_* are possible values for the |type| parameter in the info
// callback and the bitmasks that make them up.
@@ -3817,6 +3816,10 @@
// instead.
OPENSSL_EXPORT const char *SSL_alert_desc_string(int value);
+// SSL_state_string returns "!!!!!!". Use |SSL_state_string_long| for a more
+// intelligible string.
+OPENSSL_EXPORT const char *SSL_state_string(const SSL *ssl);
+
// SSL_TXT_* expand to strings.
#define SSL_TXT_MEDIUM "MEDIUM"
#define SSL_TXT_HIGH "HIGH"
@@ -3869,11 +3872,6 @@
#define SSL_get_state(ssl) SSL_state(ssl)
-// SSL_state_string returns the current state of the handshake state machine as
-// a six-letter string. Use |SSL_state_string_long| for a more intelligible
-// string.
-OPENSSL_EXPORT const char *SSL_state_string(const SSL *ssl);
-
// SSL_set_shutdown causes |ssl| to behave as if the shutdown bitmask (see
// |SSL_get_shutdown|) were |mode|. This may be used to skip sending or
// receiving close_notify in |SSL_shutdown| by causing the implementation to
@@ -3967,64 +3965,6 @@
// the session.
OPENSSL_EXPORT SSL_SESSION *SSL_get1_session(SSL *ssl);
-// TODO(davidben): Convert all the callers of these old |SSL_CIPHER| functions
-// and remove them.
-
-// SSL_CIPHER_is_AEAD calls |SSL_CIPHER_is_aead|.
-OPENSSL_EXPORT int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_AES returns one if |cipher| uses AES (either GCM or CBC
-// mode). Use |SSL_CIPHER_get_cipher_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_has_SHA1_HMAC returns one if |cipher| uses HMAC-SHA1. Use
-// |SSL_CIPHER_get_digest_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_has_SHA256_HMAC returns one if |cipher| uses HMAC-SHA256. Use
-// |SSL_CIPHER_get_digest_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_has_SHA384_HMAC returns one if |cipher| uses HMAC-SHA384. Use
-// |SSL_CIPHER_get_digest_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_AESGCM returns one if |cipher| uses AES-GCM. Use
-// |SSL_CIPHER_get_cipher_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_AES128GCM returns one if |cipher| uses 128-bit AES-GCM. Use
-// |SSL_CIPHER_get_cipher_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_AES128CBC returns one if |cipher| uses 128-bit AES in CBC
-// mode. Use |SSL_CIPHER_get_cipher_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_AES256CBC returns one if |cipher| uses 256-bit AES in CBC
-// mode. Use |SSL_CIPHER_get_cipher_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_CHACHA20POLY1305 returns one if |cipher| uses
-// CHACHA20_POLY1305. Use |SSL_CIPHER_get_cipher_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_NULL returns one if |cipher| does not encrypt. Use
-// |SSL_CIPHER_get_cipher_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_ECDSA returns one if |cipher| uses ECDSA. Use
-// |SSL_CIPHER_get_auth_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_ECDHE returns one if |cipher| uses ECDHE. Use
-// |SSL_CIPHER_get_kx_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher);
-
-// SSL_CIPHER_is_static_RSA returns one if |cipher| uses the static RSA key
-// exchange. Use |SSL_CIPHER_get_kx_nid| instead.
-OPENSSL_EXPORT int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher);
-
// Private structures.
//
diff --git a/src/include/openssl/ssl3.h b/src/include/openssl/ssl3.h
index 60eb7fc..343ea34 100644
--- a/src/include/openssl/ssl3.h
+++ b/src/include/openssl/ssl3.h
@@ -296,66 +296,6 @@
#define SSL3_CT_RSA_SIGN 1
-// SSLv3
-// client
-// extra state
-#define SSL3_ST_CW_FLUSH (0x100 | SSL_ST_CONNECT)
-#define SSL3_ST_FALSE_START (0x101 | SSL_ST_CONNECT)
-#define SSL3_ST_VERIFY_SERVER_CERT (0x102 | SSL_ST_CONNECT)
-#define SSL3_ST_FINISH_CLIENT_HANDSHAKE (0x103 | SSL_ST_CONNECT)
-#define SSL3_ST_WRITE_EARLY_DATA (0x104 | SSL_ST_CONNECT)
-// write to server
-#define SSL3_ST_CW_CLNT_HELLO_A (0x110 | SSL_ST_CONNECT)
-// read from server
-#define SSL3_ST_CR_SRVR_HELLO_A (0x120 | SSL_ST_CONNECT)
-#define DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A (0x126 | SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_A (0x130 | SSL_ST_CONNECT)
-#define SSL3_ST_CR_KEY_EXCH_A (0x140 | SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_REQ_A (0x150 | SSL_ST_CONNECT)
-#define SSL3_ST_CR_SRVR_DONE_A (0x160 | SSL_ST_CONNECT)
-// write to server
-#define SSL3_ST_CW_CERT_A (0x170 | SSL_ST_CONNECT)
-#define SSL3_ST_CW_KEY_EXCH_A (0x180 | SSL_ST_CONNECT)
-#define SSL3_ST_CW_CERT_VRFY_A (0x190 | SSL_ST_CONNECT)
-#define SSL3_ST_CW_CHANGE (0x1A0 | SSL_ST_CONNECT)
-#define SSL3_ST_CW_NEXT_PROTO_A (0x200 | SSL_ST_CONNECT)
-#define SSL3_ST_CW_CHANNEL_ID_A (0x220 | SSL_ST_CONNECT)
-#define SSL3_ST_CW_FINISHED_A (0x1B0 | SSL_ST_CONNECT)
-// read from server
-#define SSL3_ST_CR_CHANGE (0x1C0 | SSL_ST_CONNECT)
-#define SSL3_ST_CR_FINISHED_A (0x1D0 | SSL_ST_CONNECT)
-#define SSL3_ST_CR_SESSION_TICKET_A (0x1E0 | SSL_ST_CONNECT)
-#define SSL3_ST_CR_CERT_STATUS_A (0x1F0 | SSL_ST_CONNECT)
-
-// SSL3_ST_CR_SRVR_HELLO_B is a legacy alias for |SSL3_ST_CR_SRVR_HELLO_A| used
-// by some consumers which check |SSL_state|.
-#define SSL3_ST_CR_SRVR_HELLO_B SSL3_ST_CR_SRVR_HELLO_A
-
-// server
-// extra state
-#define SSL3_ST_SW_FLUSH (0x100 | SSL_ST_ACCEPT)
-#define SSL3_ST_VERIFY_CLIENT_CERT (0x101 | SSL_ST_ACCEPT)
-// read from client
-#define SSL3_ST_SR_CLNT_HELLO_A (0x110 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CLNT_HELLO_B (0x111 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CLNT_HELLO_C (0x112 | SSL_ST_ACCEPT)
-// write to client
-#define SSL3_ST_SW_SRVR_HELLO_A (0x130 | SSL_ST_ACCEPT)
-#define SSL3_ST_SW_CERT_A (0x140 | SSL_ST_ACCEPT)
-#define SSL3_ST_SW_KEY_EXCH_A (0x150 | SSL_ST_ACCEPT)
-#define SSL3_ST_SW_SRVR_DONE_A (0x170 | SSL_ST_ACCEPT)
-// read from client
-#define SSL3_ST_SR_CERT_A (0x180 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_KEY_EXCH_A (0x190 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CERT_VRFY_A (0x1A0 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CHANGE (0x1B0 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_NEXT_PROTO_A (0x210 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_CHANNEL_ID_A (0x230 | SSL_ST_ACCEPT)
-#define SSL3_ST_SR_FINISHED_A (0x1C0 | SSL_ST_ACCEPT)
-
-// write to client
-#define SSL3_ST_SW_FINISHED_A (0x1E0 | SSL_ST_ACCEPT)
-
#define SSL3_MT_HELLO_REQUEST 0
#define SSL3_MT_CLIENT_HELLO 1
#define SSL3_MT_SERVER_HELLO 2
diff --git a/src/include/openssl/x509.h b/src/include/openssl/x509.h
index 138c060..62bd5f8 100644
--- a/src/include/openssl/x509.h
+++ b/src/include/openssl/x509.h
@@ -1113,6 +1113,7 @@
BORINGSSL_MAKE_DELETER(X509_NAME_ENTRY, X509_NAME_ENTRY_free)
BORINGSSL_MAKE_DELETER(X509_PKEY, X509_PKEY_free)
BORINGSSL_MAKE_DELETER(X509_POLICY_TREE, X509_policy_tree_free)
+BORINGSSL_MAKE_DELETER(X509_PUBKEY, X509_PUBKEY_free)
BORINGSSL_MAKE_DELETER(X509_REQ, X509_REQ_free)
BORINGSSL_MAKE_DELETER(X509_REVOKED, X509_REVOKED_free)
BORINGSSL_MAKE_DELETER(X509_SIG, X509_SIG_free)
diff --git a/src/ssl/CMakeLists.txt b/src/ssl/CMakeLists.txt
index d9d2eb5..912327b 100644
--- a/src/ssl/CMakeLists.txt
+++ b/src/ssl/CMakeLists.txt
@@ -11,6 +11,7 @@
d1_srtp.cc
dtls_method.cc
dtls_record.cc
+ handshake.cc
handshake_client.cc
handshake_server.cc
s3_both.cc
diff --git a/src/ssl/custom_extensions.cc b/src/ssl/custom_extensions.cc
index dff7041..c22f4fe 100644
--- a/src/ssl/custom_extensions.cc
+++ b/src/ssl/custom_extensions.cc
@@ -47,9 +47,9 @@
return NULL;
}
-/* default_add_callback is used as the |add_callback| when the user doesn't
- * provide one. For servers, it does nothing while, for clients, it causes an
- * empty extension to be included. */
+// default_add_callback is used as the |add_callback| when the user doesn't
+// provide one. For servers, it does nothing while, for clients, it causes an
+// empty extension to be included.
static int default_add_callback(SSL *ssl, unsigned extension_value,
const uint8_t **out, size_t *out_len,
int *out_alert_value, void *add_arg) {
@@ -76,7 +76,7 @@
if (ssl->server &&
!(hs->custom_extensions.received & (1u << i))) {
- /* Servers cannot echo extensions that the client didn't send. */
+ // Servers cannot echo extensions that the client didn't send.
continue;
}
@@ -135,9 +135,9 @@
const SSL_CUSTOM_EXTENSION *ext =
custom_ext_find(ssl->ctx->client_custom_extensions, &index, value);
- if (/* Unknown extensions are not allowed in a ServerHello. */
+ if (// Unknown extensions are not allowed in a ServerHello.
ext == NULL ||
- /* Also, if we didn't send the extension, that's also unacceptable. */
+ // Also, if we didn't send the extension, that's also unacceptable.
!(hs->custom_extensions.sent & (1u << index))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ERR_add_error_dataf("extension %u", (unsigned)value);
@@ -185,9 +185,9 @@
return custom_ext_add_hello(hs, extensions);
}
-/* MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that
- * can be set on an |SSL_CTX|. It's determined by the size of the bitset used
- * to track when an extension has been sent. */
+// MAX_NUM_CUSTOM_EXTENSIONS is the maximum number of custom extensions that
+// can be set on an |SSL_CTX|. It's determined by the size of the bitset used
+// to track when an extension has been sent.
#define MAX_NUM_CUSTOM_EXTENSIONS \
(sizeof(((SSL_HANDSHAKE *)NULL)->custom_extensions.sent) * 8)
@@ -200,8 +200,8 @@
if (add_cb == NULL ||
0xffff < extension_value ||
SSL_extension_supported(extension_value) ||
- /* Specifying a free callback without an add callback is nonsensical
- * and an error. */
+ // Specifying a free callback without an add callback is nonsensical
+ // and an error.
(*stack != NULL &&
(MAX_NUM_CUSTOM_EXTENSIONS <= sk_SSL_CUSTOM_EXTENSION_num(*stack) ||
custom_ext_find(*stack, NULL, extension_value) != NULL))) {
diff --git a/src/ssl/d1_both.cc b/src/ssl/d1_both.cc
index 71a7161..321e01d 100644
--- a/src/ssl/d1_both.cc
+++ b/src/ssl/d1_both.cc
@@ -129,20 +129,20 @@
namespace bssl {
-/* TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
- * for these values? Notably, why is kMinMTU a function of the transport
- * protocol's overhead rather than, say, what's needed to hold a minimally-sized
- * handshake fragment plus protocol overhead. */
+// TODO(davidben): 28 comes from the size of IP + UDP header. Is this reasonable
+// for these values? Notably, why is kMinMTU a function of the transport
+// protocol's overhead rather than, say, what's needed to hold a minimally-sized
+// handshake fragment plus protocol overhead.
-/* kMinMTU is the minimum acceptable MTU value. */
+// kMinMTU is the minimum acceptable MTU value.
static const unsigned int kMinMTU = 256 - 28;
-/* kDefaultMTU is the default MTU value to use if neither the user nor
- * the underlying BIO supplies one. */
+// kDefaultMTU is the default MTU value to use if neither the user nor
+// the underlying BIO supplies one.
static const unsigned int kDefaultMTU = 1500 - 28;
-/* Receiving handshake messages. */
+// Receiving handshake messages.
static void dtls1_hm_fragment_free(hm_fragment *frag) {
if (frag == NULL) {
@@ -165,7 +165,7 @@
frag->seq = msg_hdr->seq;
frag->msg_len = msg_hdr->msg_len;
- /* Allocate space for the reassembled message and fill in the header. */
+ // Allocate space for the reassembled message and fill in the header.
frag->data =
(uint8_t *)OPENSSL_malloc(DTLS1_HM_HEADER_LENGTH + msg_hdr->msg_len);
if (frag->data == NULL) {
@@ -184,9 +184,9 @@
goto err;
}
- /* If the handshake message is empty, |frag->reassembly| is NULL. */
+ // If the handshake message is empty, |frag->reassembly| is NULL.
if (msg_hdr->msg_len > 0) {
- /* Initialize reassembly bitmask. */
+ // Initialize reassembly bitmask.
if (msg_hdr->msg_len + 7 < msg_hdr->msg_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
goto err;
@@ -207,16 +207,16 @@
return NULL;
}
-/* bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
- * exclusive, set. */
+// bit_range returns a |uint8_t| with bits |start|, inclusive, to |end|,
+// exclusive, set.
static uint8_t bit_range(size_t start, size_t end) {
return (uint8_t)(~((1u << start) - 1) & ((1u << end) - 1));
}
-/* dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
- * as received in |frag|. If |frag| becomes complete, it clears
- * |frag->reassembly|. The range must be within the bounds of |frag|'s message
- * and |frag->reassembly| must not be NULL. */
+// dtls1_hm_fragment_mark marks bytes |start|, inclusive, to |end|, exclusive,
+// as received in |frag|. If |frag| becomes complete, it clears
+// |frag->reassembly|. The range must be within the bounds of |frag|'s message
+// and |frag->reassembly| must not be NULL.
static void dtls1_hm_fragment_mark(hm_fragment *frag, size_t start,
size_t end) {
size_t msg_len = frag->msg_len;
@@ -225,7 +225,7 @@
assert(0);
return;
}
- /* A zero-length message will never have a pending reassembly. */
+ // A zero-length message will never have a pending reassembly.
assert(msg_len > 0);
if ((start >> 3) == (end >> 3)) {
@@ -240,7 +240,7 @@
}
}
- /* Check if the fragment is complete. */
+ // Check if the fragment is complete.
for (size_t i = 0; i < (msg_len >> 3); i++) {
if (frag->reassembly[i] != 0xff) {
return;
@@ -255,18 +255,18 @@
frag->reassembly = NULL;
}
-/* dtls1_is_current_message_complete returns one if the current handshake
- * message is complete and zero otherwise. */
+// dtls1_is_current_message_complete returns one if the current handshake
+// message is complete and zero otherwise.
static int dtls1_is_current_message_complete(const SSL *ssl) {
hm_fragment *frag = ssl->d1->incoming_messages[ssl->d1->handshake_read_seq %
SSL_MAX_HANDSHAKE_FLIGHT];
return frag != NULL && frag->reassembly == NULL;
}
-/* dtls1_get_incoming_message returns the incoming message corresponding to
- * |msg_hdr|. If none exists, it creates a new one and inserts it in the
- * queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
- * returns NULL on failure. The caller does not take ownership of the result. */
+// dtls1_get_incoming_message returns the incoming message corresponding to
+// |msg_hdr|. If none exists, it creates a new one and inserts it in the
+// queue. Otherwise, it checks |msg_hdr| is consistent with the existing one. It
+// returns NULL on failure. The caller does not take ownership of the result.
static hm_fragment *dtls1_get_incoming_message(
SSL *ssl, const struct hm_header_st *msg_hdr) {
if (msg_hdr->seq < ssl->d1->handshake_read_seq ||
@@ -278,8 +278,8 @@
hm_fragment *frag = ssl->d1->incoming_messages[idx];
if (frag != NULL) {
assert(frag->seq == msg_hdr->seq);
- /* The new fragment must be compatible with the previous fragments from this
- * message. */
+ // The new fragment must be compatible with the previous fragments from this
+ // message.
if (frag->type != msg_hdr->type ||
frag->msg_len != msg_hdr->msg_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_FRAGMENT_MISMATCH);
@@ -289,7 +289,7 @@
return frag;
}
- /* This is the first fragment from this message. */
+ // This is the first fragment from this message.
frag = dtls1_hm_fragment_new(msg_hdr);
if (frag == NULL) {
return NULL;
@@ -309,22 +309,22 @@
switch (rr->type) {
case SSL3_RT_APPLICATION_DATA:
- /* Unencrypted application data records are always illegal. */
+ // Unencrypted application data records are always illegal.
if (ssl->s3->aead_read_ctx->is_null_cipher()) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
return -1;
}
- /* Out-of-order application data may be received between ChangeCipherSpec
- * and finished. Discard it. */
+ // Out-of-order application data may be received between ChangeCipherSpec
+ // and finished. Discard it.
rr->length = 0;
ssl_read_buffer_discard(ssl);
return 1;
case SSL3_RT_CHANGE_CIPHER_SPEC:
- /* We do not support renegotiation, so encrypted ChangeCipherSpec records
- * are illegal. */
+ // We do not support renegotiation, so encrypted ChangeCipherSpec records
+ // are illegal.
if (!ssl->s3->aead_read_ctx->is_null_cipher()) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
@@ -337,7 +337,7 @@
return -1;
}
- /* Flag the ChangeCipherSpec for later. */
+ // Flag the ChangeCipherSpec for later.
ssl->d1->has_change_cipher_spec = true;
ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_CHANGE_CIPHER_SPEC,
rr->data, rr->length);
@@ -347,7 +347,7 @@
return 1;
case SSL3_RT_HANDSHAKE:
- /* Break out to main processing. */
+ // Break out to main processing.
break;
default:
@@ -360,7 +360,7 @@
CBS_init(&cbs, rr->data, rr->length);
while (CBS_len(&cbs) > 0) {
- /* Read a handshake fragment. */
+ // Read a handshake fragment.
struct hm_header_st msg_hdr;
CBS body;
if (!dtls1_parse_fragment(&cbs, &msg_hdr, &body)) {
@@ -380,7 +380,7 @@
return -1;
}
- /* The encrypted epoch in DTLS has only one handshake message. */
+ // The encrypted epoch in DTLS has only one handshake message.
if (ssl->d1->r_epoch == 1 && msg_hdr.seq != ssl->d1->handshake_read_seq) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -390,7 +390,7 @@
if (msg_hdr.seq < ssl->d1->handshake_read_seq ||
msg_hdr.seq >
(unsigned)ssl->d1->handshake_read_seq + SSL_MAX_HANDSHAKE_FLIGHT) {
- /* Ignore fragments from the past, or ones too far in the future. */
+ // Ignore fragments from the past, or ones too far in the future.
continue;
}
@@ -401,12 +401,12 @@
assert(frag->msg_len == msg_len);
if (frag->reassembly == NULL) {
- /* The message is already assembled. */
+ // The message is already assembled.
continue;
}
assert(msg_len > 0);
- /* Copy the body into the fragment. */
+ // Copy the body into the fragment.
OPENSSL_memcpy(frag->data + DTLS1_HM_HEADER_LENGTH + frag_off,
CBS_data(&body), CBS_len(&body));
dtls1_hm_fragment_mark(frag, frag_off, frag_off + frag_len);
@@ -431,7 +431,7 @@
if (!ssl->s3->has_message) {
ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE, frag->data,
frag->msg_len + DTLS1_HM_HEADER_LENGTH);
- ssl->s3->has_message = 1;
+ ssl->s3->has_message = true;
}
return true;
}
@@ -443,9 +443,9 @@
dtls1_hm_fragment_free(ssl->d1->incoming_messages[index]);
ssl->d1->incoming_messages[index] = NULL;
ssl->d1->handshake_read_seq++;
- ssl->s3->has_message = 0;
- /* If we previously sent a flight, mark it as having a reply, so
- * |on_handshake_complete| can manage post-handshake retransmission. */
+ ssl->s3->has_message = false;
+ // If we previously sent a flight, mark it as having a reply, so
+ // |on_handshake_complete| can manage post-handshake retransmission.
if (ssl->d1->outgoing_messages_complete) {
ssl->d1->flight_has_reply = true;
}
@@ -461,7 +461,7 @@
int dtls_has_incoming_messages(const SSL *ssl) {
size_t current = ssl->d1->handshake_read_seq % SSL_MAX_HANDSHAKE_FLIGHT;
for (size_t i = 0; i < SSL_MAX_HANDSHAKE_FLIGHT; i++) {
- /* Skip the current message. */
+ // Skip the current message.
if (ssl->s3->has_message && i == current) {
assert(dtls1_is_current_message_complete(ssl));
continue;
@@ -490,7 +490,7 @@
}
int dtls1_read_change_cipher_spec(SSL *ssl) {
- /* Process handshake records until there is a ChangeCipherSpec. */
+ // Process handshake records until there is a ChangeCipherSpec.
while (!ssl->d1->has_change_cipher_spec) {
int ret = dtls1_read_message(ssl);
if (ret <= 0) {
@@ -503,7 +503,7 @@
}
-/* Sending handshake messages. */
+// Sending handshake messages.
void dtls_clear_outgoing_messages(SSL *ssl) {
for (size_t i = 0; i < ssl->d1->outgoing_messages_len; i++) {
@@ -518,7 +518,7 @@
}
int dtls1_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
- /* Pick a modest size hint to save most of the |realloc| calls. */
+ // Pick a modest size hint to save most of the |realloc| calls.
if (!CBB_init(cbb, 64) ||
!CBB_add_u8(cbb, type) ||
!CBB_add_u24(cbb, 0 /* length (filled in later) */) ||
@@ -541,20 +541,20 @@
return 0;
}
- /* Fix up the header. Copy the fragment length into the total message
- * length. */
+ // Fix up the header. Copy the fragment length into the total message
+ // length.
OPENSSL_memcpy(*out_msg + 1, *out_msg + DTLS1_HM_HEADER_LENGTH - 3, 3);
return 1;
}
-/* add_outgoing adds a new handshake message or ChangeCipherSpec to the current
- * outgoing flight. It returns one on success and zero on error. In both cases,
- * it takes ownership of |data| and releases it with |OPENSSL_free| when
- * done. */
+// add_outgoing adds a new handshake message or ChangeCipherSpec to the current
+// outgoing flight. It returns one on success and zero on error. In both cases,
+// it takes ownership of |data| and releases it with |OPENSSL_free| when
+// done.
static int add_outgoing(SSL *ssl, int is_ccs, uint8_t *data, size_t len) {
if (ssl->d1->outgoing_messages_complete) {
- /* If we've begun writing a new flight, we received the peer flight. Discard
- * the timer and the our flight. */
+ // If we've begun writing a new flight, we received the peer flight. Discard
+ // the timer and the our flight.
dtls1_stop_timer(ssl);
dtls_clear_outgoing_messages(ssl);
}
@@ -570,8 +570,8 @@
}
if (!is_ccs) {
- /* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
- * on hs. */
+ // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript
+ // on hs.
if (ssl->s3->hs != NULL &&
!ssl->s3->hs->transcript.Update(data, len)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -601,20 +601,20 @@
}
int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc) {
- /* The |add_alert| path is only used for warning alerts for now, which DTLS
- * never sends. This will be implemented later once closure alerts are
- * converted. */
+ // The |add_alert| path is only used for warning alerts for now, which DTLS
+ // never sends. This will be implemented later once closure alerts are
+ // converted.
assert(0);
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
-/* dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
- * the minimum. */
+// dtls1_update_mtu updates the current MTU from the BIO, ensuring it is above
+// the minimum.
static void dtls1_update_mtu(SSL *ssl) {
- /* TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the
- * only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use
- * |SSL_set_mtu|. Does this need to be so complex? */
+ // TODO(davidben): No consumer implements |BIO_CTRL_DGRAM_SET_MTU| and the
+ // only |BIO_CTRL_DGRAM_QUERY_MTU| implementation could use
+ // |SSL_set_mtu|. Does this need to be so complex?
if (ssl->d1->mtu < dtls1_min_mtu() &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
@@ -626,7 +626,7 @@
}
}
- /* The MTU should be above the minimum now. */
+ // The MTU should be above the minimum now.
assert(ssl->d1->mtu >= dtls1_min_mtu());
}
@@ -637,9 +637,9 @@
seal_success,
};
-/* seal_next_message seals |msg|, which must be the next message, to |out|. If
- * progress was made, it returns |seal_partial| or |seal_success| and sets
- * |*out_len| to the number of bytes written. */
+// seal_next_message seals |msg|, which must be the next message, to |out|. If
+// progress was made, it returns |seal_partial| or |seal_success| and sets
+// |*out_len| to the number of bytes written.
static enum seal_result_t seal_next_message(SSL *ssl, uint8_t *out,
size_t *out_len, size_t max_out,
const DTLS_OUTGOING_MESSAGE *msg) {
@@ -658,7 +658,7 @@
size_t prefix = dtls_seal_prefix_len(ssl, use_epoch);
if (msg->is_ccs) {
- /* Check there is room for the ChangeCipherSpec. */
+ // Check there is room for the ChangeCipherSpec.
static const uint8_t kChangeCipherSpec[1] = {SSL3_MT_CCS};
if (max_out < sizeof(kChangeCipherSpec) + overhead) {
return seal_no_progress;
@@ -675,7 +675,7 @@
return seal_success;
}
- /* DTLS messages are serialized as a single fragment in |msg|. */
+ // DTLS messages are serialized as a single fragment in |msg|.
CBS cbs, body;
struct hm_header_st hdr;
CBS_init(&cbs, msg->data, msg->len);
@@ -689,7 +689,7 @@
return seal_error;
}
- /* Determine how much progress can be made. */
+ // Determine how much progress can be made.
if (max_out < DTLS1_HM_HEADER_LENGTH + 1 + overhead || max_out < prefix) {
return seal_no_progress;
}
@@ -698,7 +698,7 @@
todo = max_out - DTLS1_HM_HEADER_LENGTH - overhead;
}
- /* Assemble a fragment, to be sealed in-place. */
+ // Assemble a fragment, to be sealed in-place.
ScopedCBB cbb;
uint8_t *frag = out + prefix;
size_t max_frag = max_out - prefix, frag_len;
@@ -722,7 +722,7 @@
}
if (todo == CBS_len(&body)) {
- /* The next message is complete. */
+ // The next message is complete.
ssl->d1->outgoing_offset = 0;
return seal_success;
}
@@ -731,9 +731,9 @@
return seal_partial;
}
-/* seal_next_packet writes as much of the next flight as possible to |out| and
- * advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as
- * appropriate. */
+// seal_next_packet writes as much of the next flight as possible to |out| and
+// advances |ssl->d1->outgoing_written| and |ssl->d1->outgoing_offset| as
+// appropriate.
static int seal_next_packet(SSL *ssl, uint8_t *out, size_t *out_len,
size_t max_out) {
int made_progress = 0;
@@ -767,7 +767,7 @@
}
packet_full:
- /* The MTU was too small to make any progress. */
+ // The MTU was too small to make any progress.
if (!made_progress) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MTU_TOO_SMALL);
return 0;
@@ -798,7 +798,7 @@
int bio_ret = BIO_write(ssl->wbio, packet, packet_len);
if (bio_ret <= 0) {
- /* Retry this packet the next time around. */
+ // Retry this packet the next time around.
ssl->d1->outgoing_written = old_written;
ssl->d1->outgoing_offset = old_offset;
ssl->rwstate = SSL_WRITING;
@@ -821,16 +821,16 @@
int dtls1_flush_flight(SSL *ssl) {
ssl->d1->outgoing_messages_complete = true;
- /* Start the retransmission timer for the next flight (if any). */
+ // Start the retransmission timer for the next flight (if any).
dtls1_start_timer(ssl);
return send_flight(ssl);
}
int dtls1_retransmit_outgoing_messages(SSL *ssl) {
- /* Rewind to the start of the flight and write it again.
- *
- * TODO(davidben): This does not allow retransmits to be resumed on
- * non-blocking write. */
+ // Rewind to the start of the flight and write it again.
+ //
+ // TODO(davidben): This does not allow retransmits to be resumed on
+ // non-blocking write.
ssl->d1->outgoing_written = 0;
ssl->d1->outgoing_offset = 0;
diff --git a/src/ssl/d1_lib.cc b/src/ssl/d1_lib.cc
index 30110b4..ec5d470 100644
--- a/src/ssl/d1_lib.cc
+++ b/src/ssl/d1_lib.cc
@@ -70,12 +70,12 @@
namespace bssl {
-/* DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
- * before starting to decrease the MTU. */
+// DTLS1_MTU_TIMEOUTS is the maximum number of timeouts to expire
+// before starting to decrease the MTU.
#define DTLS1_MTU_TIMEOUTS 2
-/* DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
- * before failing the DTLS handshake. */
+// DTLS1_MAX_TIMEOUTS is the maximum number of timeouts to expire
+// before failing the DTLS handshake.
#define DTLS1_MAX_TIMEOUTS 12
int dtls1_new(SSL *ssl) {
@@ -91,11 +91,11 @@
ssl->d1 = d1;
- /* Set the version to the highest supported version.
- *
- * TODO(davidben): Move this field into |s3|, have it store the normalized
- * protocol version, and implement this pre-negotiation quirk in |SSL_version|
- * at the API boundary rather than in internal state. */
+ // Set the version to the highest supported version.
+ //
+ // TODO(davidben): Move this field into |s3|, have it store the normalized
+ // protocol version, and implement this pre-negotiation quirk in |SSL_version|
+ // at the API boundary rather than in internal state.
ssl->version = DTLS1_2_VERSION;
return 1;
}
@@ -116,15 +116,15 @@
}
void dtls1_start_timer(SSL *ssl) {
- /* If timer is not set, initialize duration (by default, 1 second) */
+ // If timer is not set, initialize duration (by default, 1 second)
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
ssl->d1->timeout_duration_ms = ssl->initial_timeout_duration_ms;
}
- /* Set timeout to current time */
+ // Set timeout to current time
ssl_get_current_time(ssl, &ssl->d1->next_timeout);
- /* Add duration to current time */
+ // Add duration to current time
ssl->d1->next_timeout.tv_sec += ssl->d1->timeout_duration_ms / 1000;
ssl->d1->next_timeout.tv_usec += (ssl->d1->timeout_duration_ms % 1000) * 1000;
if (ssl->d1->next_timeout.tv_usec >= 1000000) {
@@ -136,17 +136,17 @@
int dtls1_is_timer_expired(SSL *ssl) {
struct timeval timeleft;
- /* Get time left until timeout, return false if no timer running */
+ // Get time left until timeout, return false if no timer running
if (!DTLSv1_get_timeout(ssl, &timeleft)) {
return 0;
}
- /* Return false if timer is not expired yet */
+ // Return false if timer is not expired yet
if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
return 0;
}
- /* Timer expired, so return true */
+ // Timer expired, so return true
return 1;
}
@@ -166,7 +166,7 @@
int dtls1_check_timeout_num(SSL *ssl) {
ssl->d1->num_timeouts++;
- /* Reduce MTU after 2 unsuccessful retransmissions */
+ // Reduce MTU after 2 unsuccessful retransmissions
if (ssl->d1->num_timeouts > DTLS1_MTU_TIMEOUTS &&
!(SSL_get_options(ssl) & SSL_OP_NO_QUERY_MTU)) {
long mtu = BIO_ctrl(ssl->wbio, BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
@@ -176,7 +176,7 @@
}
if (ssl->d1->num_timeouts > DTLS1_MAX_TIMEOUTS) {
- /* fail the connection, enough alerts have been sent */
+ // fail the connection, enough alerts have been sent
OPENSSL_PUT_ERROR(SSL, SSL_R_READ_TIMEOUT_EXPIRED);
return 0;
}
@@ -197,7 +197,7 @@
return 0;
}
- /* If no timeout is set, just return 0. */
+ // If no timeout is set, just return 0.
if (ssl->d1->next_timeout.tv_sec == 0 && ssl->d1->next_timeout.tv_usec == 0) {
return 0;
}
@@ -205,7 +205,7 @@
struct OPENSSL_timeval timenow;
ssl_get_current_time(ssl, &timenow);
- /* If timer already expired, set remaining time to 0. */
+ // If timer already expired, set remaining time to 0.
if (ssl->d1->next_timeout.tv_sec < timenow.tv_sec ||
(ssl->d1->next_timeout.tv_sec == timenow.tv_sec &&
ssl->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
@@ -213,7 +213,7 @@
return 1;
}
- /* Calculate time left until timer expires. */
+ // Calculate time left until timer expires.
struct OPENSSL_timeval ret;
OPENSSL_memcpy(&ret, &ssl->d1->next_timeout, sizeof(ret));
ret.tv_sec -= timenow.tv_sec;
@@ -224,13 +224,13 @@
ret.tv_sec--;
}
- /* If remaining time is less than 15 ms, set it to 0 to prevent issues
- * because of small divergences with socket timeouts. */
+ // If remaining time is less than 15 ms, set it to 0 to prevent issues
+ // because of small divergences with socket timeouts.
if (ret.tv_sec == 0 && ret.tv_usec < 15000) {
OPENSSL_memset(&ret, 0, sizeof(ret));
}
- /* Clamp the result in case of overflow. */
+ // Clamp the result in case of overflow.
if (ret.tv_sec > INT_MAX) {
assert(0);
out->tv_sec = INT_MAX;
@@ -250,7 +250,7 @@
return -1;
}
- /* If no timer is expired, don't do anything. */
+ // If no timer is expired, don't do anything.
if (!dtls1_is_timer_expired(ssl)) {
return 0;
}
diff --git a/src/ssl/d1_pkt.cc b/src/ssl/d1_pkt.cc
index 3841232..a3095e1 100644
--- a/src/ssl/d1_pkt.cc
+++ b/src/ssl/d1_pkt.cc
@@ -140,15 +140,15 @@
return 0;
}
- /* Read a new packet if there is no unconsumed one. */
+ // Read a new packet if there is no unconsumed one.
if (ssl_read_buffer_len(ssl) == 0) {
int read_ret = ssl_read_buffer_extend_to(ssl, 0 /* unused */);
if (read_ret < 0 && dtls1_is_timer_expired(ssl)) {
- /* Historically, timeouts were handled implicitly if the caller did not
- * handle them.
- *
- * TODO(davidben): This was to support blocking sockets but affected
- * non-blocking sockets. Can it be removed? */
+ // Historically, timeouts were handled implicitly if the caller did not
+ // handle them.
+ //
+ // TODO(davidben): This was to support blocking sockets but affected
+ // non-blocking sockets. Can it be removed?
int timeout_ret = DTLSv1_handle_timeout(ssl);
if (timeout_ret <= 0) {
return timeout_ret;
@@ -170,7 +170,7 @@
ssl_read_buffer_consume(ssl, consumed);
switch (open_ret) {
case ssl_open_record_partial:
- /* Impossible in DTLS. */
+ // Impossible in DTLS.
break;
case ssl_open_record_success: {
@@ -205,11 +205,11 @@
return -1;
}
-int dtls1_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
- int peek) {
+int dtls1_read_app_data(SSL *ssl, bool *out_got_handshake, uint8_t *buf,
+ int len, int peek) {
assert(!SSL_in_init(ssl));
- *out_got_handshake = 0;
+ *out_got_handshake = false;
SSL3_RECORD *rr = &ssl->s3->rrec;
again:
@@ -221,9 +221,9 @@
}
if (rr->type == SSL3_RT_HANDSHAKE) {
- /* Parse the first fragment header to determine if this is a pre-CCS or
- * post-CCS handshake record. DTLS resets handshake message numbers on each
- * handshake, so renegotiations and retransmissions are ambiguous. */
+ // Parse the first fragment header to determine if this is a pre-CCS or
+ // post-CCS handshake record. DTLS resets handshake message numbers on each
+ // handshake, so renegotiations and retransmissions are ambiguous.
CBS cbs, body;
struct hm_header_st msg_hdr;
CBS_init(&cbs, rr->data, rr->length);
@@ -236,9 +236,9 @@
if (msg_hdr.type == SSL3_MT_FINISHED &&
msg_hdr.seq == ssl->d1->handshake_read_seq - 1) {
if (msg_hdr.frag_off == 0) {
- /* Retransmit our last flight of messages. If the peer sends the second
- * Finished, they may not have received ours. Only do this for the
- * first fragment, in case the Finished was fragmented. */
+ // Retransmit our last flight of messages. If the peer sends the second
+ // Finished, they may not have received ours. Only do this for the
+ // first fragment, in case the Finished was fragmented.
if (!dtls1_check_timeout_num(ssl)) {
return -1;
}
@@ -250,8 +250,8 @@
goto again;
}
- /* Otherwise, this is a pre-CCS handshake message from an unsupported
- * renegotiation attempt. Fall through to the error path. */
+ // Otherwise, this is a pre-CCS handshake message from an unsupported
+ // renegotiation attempt. Fall through to the error path.
}
if (rr->type != SSL3_RT_APPLICATION_DATA) {
@@ -260,7 +260,7 @@
return -1;
}
- /* Discard empty records. */
+ // Discard empty records.
if (rr->length == 0) {
goto again;
}
@@ -275,12 +275,12 @@
OPENSSL_memcpy(buf, rr->data, len);
if (!peek) {
- /* TODO(davidben): Should the record be truncated instead? This is a
- * datagram transport. See https://crbug.com/boringssl/65. */
+ // TODO(davidben): Should the record be truncated instead? This is a
+ // datagram transport. See https://crbug.com/boringssl/65.
rr->length -= len;
rr->data += len;
if (rr->length == 0) {
- /* The record has been consumed, so we may now clear the buffer. */
+ // The record has been consumed, so we may now clear the buffer.
ssl_read_buffer_discard(ssl);
}
}
@@ -289,19 +289,19 @@
}
void dtls1_read_close_notify(SSL *ssl) {
- /* Bidirectional shutdown doesn't make sense for an unordered transport. DTLS
- * alerts also aren't delivered reliably, so we may even time out because the
- * peer never received our close_notify. Report to the caller that the channel
- * has fully shut down. */
+ // Bidirectional shutdown doesn't make sense for an unordered transport. DTLS
+ // alerts also aren't delivered reliably, so we may even time out because the
+ // peer never received our close_notify. Report to the caller that the channel
+ // has fully shut down.
if (ssl->s3->recv_shutdown == ssl_shutdown_none) {
ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
}
}
-int dtls1_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
- int len) {
+int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
+ const uint8_t *buf, int len) {
assert(!SSL_in_init(ssl));
- *out_needs_handshake = 0;
+ *out_needs_handshake = false;
if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DTLS_MESSAGE_TOO_BIG);
@@ -328,9 +328,9 @@
int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len,
enum dtls1_use_epoch_t use_epoch) {
assert(len <= SSL3_RT_MAX_PLAIN_LENGTH);
- /* There should never be a pending write buffer in DTLS. One can't write half
- * a datagram, so the write buffer is always dropped in
- * |ssl_write_buffer_flush|. */
+ // There should never be a pending write buffer in DTLS. One can't write half
+ // a datagram, so the write buffer is always dropped in
+ // |ssl_write_buffer_flush|.
assert(!ssl_write_buffer_is_pending(ssl));
if (len > SSL3_RT_MAX_PLAIN_LENGTH) {
@@ -364,7 +364,7 @@
}
ssl->s3->alert_dispatch = 0;
- /* If the alert is fatal, flush the BIO now. */
+ // If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
}
diff --git a/src/ssl/d1_srtp.cc b/src/ssl/d1_srtp.cc
index 2d94bd2..30733ec 100644
--- a/src/ssl/d1_srtp.cc
+++ b/src/ssl/d1_srtp.cc
@@ -226,11 +226,11 @@
}
int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) {
- /* This API inverts its return value. */
+ // This API inverts its return value.
return !SSL_CTX_set_srtp_profiles(ctx, profiles);
}
int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles) {
- /* This API inverts its return value. */
+ // This API inverts its return value.
return !SSL_set_srtp_profiles(ssl, profiles);
}
diff --git a/src/ssl/dtls_method.cc b/src/ssl/dtls_method.cc
index 1f95970..050246d 100644
--- a/src/ssl/dtls_method.cc
+++ b/src/ssl/dtls_method.cc
@@ -73,17 +73,17 @@
}
static void dtls1_on_handshake_complete(SSL *ssl) {
- /* Stop the reply timer left by the last flight we sent. */
+ // Stop the reply timer left by the last flight we sent.
dtls1_stop_timer(ssl);
- /* If the final flight had a reply, we know the peer has received it. If not,
- * we must leave the flight around for post-handshake retransmission. */
+ // If the final flight had a reply, we know the peer has received it. If not,
+ // we must leave the flight around for post-handshake retransmission.
if (ssl->d1->flight_has_reply) {
dtls_clear_outgoing_messages(ssl);
}
}
static int dtls1_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
- /* Cipher changes are illegal when there are buffered incoming messages. */
+ // Cipher changes are illegal when there are buffered incoming messages.
if (dtls_has_incoming_messages(ssl) || ssl->d1->has_change_cipher_spec) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
@@ -153,7 +153,7 @@
return &kMethod;
}
-/* Legacy version-locked methods. */
+// Legacy version-locked methods.
const SSL_METHOD *DTLSv1_2_method(void) {
static const SSL_METHOD kMethod = {
@@ -173,7 +173,7 @@
return &kMethod;
}
-/* Legacy side-specific methods. */
+// Legacy side-specific methods.
const SSL_METHOD *DTLSv1_2_server_method(void) {
return DTLSv1_2_method();
diff --git a/src/ssl/dtls_record.cc b/src/ssl/dtls_record.cc
index c7ee646..dbc8fa2 100644
--- a/src/ssl/dtls_record.cc
+++ b/src/ssl/dtls_record.cc
@@ -123,8 +123,8 @@
namespace bssl {
-/* to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
- * a |uint64_t|. */
+// to_u64_be treats |in| as a 8-byte big-endian integer and returns the value as
+// a |uint64_t|.
static uint64_t to_u64_be(const uint8_t in[8]) {
uint64_t ret = 0;
unsigned i;
@@ -135,8 +135,8 @@
return ret;
}
-/* dtls1_bitmap_should_discard returns one if |seq_num| has been seen in |bitmap|
- * or is stale. Otherwise it returns zero. */
+// dtls1_bitmap_should_discard returns one if |seq_num| has been seen in
+// |bitmap| or is stale. Otherwise it returns zero.
static int dtls1_bitmap_should_discard(DTLS1_BITMAP *bitmap,
const uint8_t seq_num[8]) {
const unsigned kWindowSize = sizeof(bitmap->map) * 8;
@@ -149,15 +149,15 @@
return idx >= kWindowSize || (bitmap->map & (((uint64_t)1) << idx));
}
-/* dtls1_bitmap_record updates |bitmap| to record receipt of sequence number
- * |seq_num|. It slides the window forward if needed. It is an error to call
- * this function on a stale sequence number. */
+// dtls1_bitmap_record updates |bitmap| to record receipt of sequence number
+// |seq_num|. It slides the window forward if needed. It is an error to call
+// this function on a stale sequence number.
static void dtls1_bitmap_record(DTLS1_BITMAP *bitmap,
const uint8_t seq_num[8]) {
const unsigned kWindowSize = sizeof(bitmap->map) * 8;
uint64_t seq_num_u = to_u64_be(seq_num);
- /* Shift the window if necessary. */
+ // Shift the window if necessary.
if (seq_num_u > bitmap->max_seq_num) {
uint64_t shift = seq_num_u - bitmap->max_seq_num;
if (shift >= kWindowSize) {
@@ -183,7 +183,7 @@
CBS cbs;
CBS_init(&cbs, in, in_len);
- /* Decode the record. */
+ // Decode the record.
uint8_t type;
uint16_t version;
uint8_t sequence[8];
@@ -195,7 +195,7 @@
(ssl->s3->have_version && version != ssl->version) ||
(version >> 8) != DTLS1_VERSION_MAJOR ||
CBS_len(&body) > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
- /* The record header was incomplete or malformed. Drop the entire packet. */
+ // The record header was incomplete or malformed. Drop the entire packet.
*out_consumed = in_len;
return ssl_open_record_discard;
}
@@ -206,31 +206,31 @@
uint16_t epoch = (((uint16_t)sequence[0]) << 8) | sequence[1];
if (epoch != ssl->d1->r_epoch ||
dtls1_bitmap_should_discard(&ssl->d1->bitmap, sequence)) {
- /* Drop this record. It's from the wrong epoch or is a replay. Note that if
- * |epoch| is the next epoch, the record could be buffered for later. For
- * simplicity, drop it and expect retransmit to handle it later; DTLS must
- * handle packet loss anyway. */
+ // Drop this record. It's from the wrong epoch or is a replay. Note that if
+ // |epoch| is the next epoch, the record could be buffered for later. For
+ // simplicity, drop it and expect retransmit to handle it later; DTLS must
+ // handle packet loss anyway.
*out_consumed = in_len - CBS_len(&cbs);
return ssl_open_record_discard;
}
- /* Decrypt the body in-place. */
+ // Decrypt the body in-place.
if (!ssl->s3->aead_read_ctx->Open(out, type, version, sequence,
(uint8_t *)CBS_data(&body),
CBS_len(&body))) {
- /* Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
- * Clear the error queue of any errors decryption may have added. Drop the
- * entire packet as it must not have come from the peer.
- *
- * TODO(davidben): This doesn't distinguish malloc failures from encryption
- * failures. */
+ // Bad packets are silently dropped in DTLS. See section 4.2.1 of RFC 6347.
+ // Clear the error queue of any errors decryption may have added. Drop the
+ // entire packet as it must not have come from the peer.
+ //
+ // TODO(davidben): This doesn't distinguish malloc failures from encryption
+ // failures.
ERR_clear_error();
*out_consumed = in_len - CBS_len(&cbs);
return ssl_open_record_discard;
}
*out_consumed = in_len - CBS_len(&cbs);
- /* Check the plaintext length. */
+ // Check the plaintext length.
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
@@ -239,8 +239,8 @@
dtls1_bitmap_record(&ssl->d1->bitmap, sequence);
- /* TODO(davidben): Limit the number of empty records as in TLS? This is only
- * useful if we also limit discarded packets. */
+ // TODO(davidben): Limit the number of empty records as in TLS? This is only
+ // useful if we also limit discarded packets.
if (type == SSL3_RT_ALERT) {
return ssl_process_alert(ssl, out_alert, CBS_data(out), CBS_len(out));
@@ -282,7 +282,7 @@
return 0;
}
- /* Determine the parameters for the current epoch. */
+ // Determine the parameters for the current epoch.
uint16_t epoch = ssl->d1->w_epoch;
SSLAEADContext *aead = ssl->s3->aead_write_ctx;
uint8_t *seq = ssl->s3->write_sequence;
diff --git a/src/ssl/handshake.cc b/src/ssl/handshake.cc
new file mode 100644
index 0000000..5770d6f
--- /dev/null
+++ b/src/ssl/handshake.cc
@@ -0,0 +1,567 @@
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com). */
+/* ====================================================================
+ * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
+ * ECC cipher suite support in OpenSSL originally developed by
+ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
+
+#include <openssl/ssl.h>
+
+#include <assert.h>
+
+#include "../crypto/internal.h"
+#include "internal.h"
+
+
+namespace bssl {
+
+SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
+ : ssl(ssl_arg),
+ scts_requested(false),
+ needs_psk_binder(false),
+ received_hello_retry_request(false),
+ received_custom_extension(false),
+ handshake_finalized(false),
+ accept_psk_mode(false),
+ cert_request(false),
+ certificate_status_expected(false),
+ ocsp_stapling_requested(false),
+ should_ack_sni(false),
+ in_false_start(false),
+ in_early_data(false),
+ early_data_offered(false),
+ can_early_read(false),
+ can_early_write(false),
+ next_proto_neg_seen(false),
+ ticket_expected(false),
+ extended_master_secret(false),
+ pending_private_key_op(false) {
+}
+
+SSL_HANDSHAKE::~SSL_HANDSHAKE() {
+ OPENSSL_cleanse(secret, sizeof(secret));
+ OPENSSL_cleanse(early_traffic_secret, sizeof(early_traffic_secret));
+ OPENSSL_cleanse(client_handshake_secret, sizeof(client_handshake_secret));
+ OPENSSL_cleanse(server_handshake_secret, sizeof(server_handshake_secret));
+ OPENSSL_cleanse(client_traffic_secret_0, sizeof(client_traffic_secret_0));
+ OPENSSL_cleanse(server_traffic_secret_0, sizeof(server_traffic_secret_0));
+ OPENSSL_free(cookie);
+ OPENSSL_free(key_share_bytes);
+ OPENSSL_free(ecdh_public_key);
+ OPENSSL_free(peer_sigalgs);
+ OPENSSL_free(peer_supported_group_list);
+ OPENSSL_free(peer_key);
+ OPENSSL_free(server_params);
+ ssl->ctx->x509_method->hs_flush_cached_ca_names(this);
+ OPENSSL_free(certificate_types);
+
+ if (key_block != NULL) {
+ OPENSSL_cleanse(key_block, key_block_len);
+ OPENSSL_free(key_block);
+ }
+}
+
+SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {
+ UniquePtr<SSL_HANDSHAKE> hs = MakeUnique<SSL_HANDSHAKE>(ssl);
+ if (!hs ||
+ !hs->transcript.Init()) {
+ return nullptr;
+ }
+ return hs.release();
+}
+
+void ssl_handshake_free(SSL_HANDSHAKE *hs) { Delete(hs); }
+
+int ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type) {
+ if (msg.type != type) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
+ ERR_add_error_dataf("got type %d, wanted type %d", msg.type, type);
+ return 0;
+ }
+
+ return 1;
+}
+
+int ssl_add_message_cbb(SSL *ssl, CBB *cbb) {
+ uint8_t *msg;
+ size_t len;
+ if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||
+ !ssl->method->add_message(ssl, msg, len)) {
+ return 0;
+ }
+
+ return 1;
+}
+
+size_t ssl_max_handshake_message_len(const SSL *ssl) {
+ // kMaxMessageLen is the default maximum message size for handshakes which do
+ // not accept peer certificate chains.
+ static const size_t kMaxMessageLen = 16384;
+
+ if (SSL_in_init(ssl)) {
+ if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&
+ kMaxMessageLen < ssl->max_cert_list) {
+ return ssl->max_cert_list;
+ }
+ return kMaxMessageLen;
+ }
+
+ if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
+ // In TLS 1.2 and below, the largest acceptable post-handshake message is
+ // a HelloRequest.
+ return 0;
+ }
+
+ if (ssl->server) {
+ // The largest acceptable post-handshake message for a server is a
+ // KeyUpdate. We will never initiate post-handshake auth.
+ return 1;
+ }
+
+ // Clients must accept NewSessionTicket and CertificateRequest, so allow the
+ // default size.
+ return kMaxMessageLen;
+}
+
+bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
+ // V2ClientHello messages are pre-hashed.
+ if (msg.is_v2_hello) {
+ return true;
+ }
+
+ return hs->transcript.Update(CBS_data(&msg.raw), CBS_len(&msg.raw));
+}
+
+int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
+ const SSL_EXTENSION_TYPE *ext_types,
+ size_t num_ext_types, int ignore_unknown) {
+ // Reset everything.
+ for (size_t i = 0; i < num_ext_types; i++) {
+ *ext_types[i].out_present = 0;
+ CBS_init(ext_types[i].out_data, NULL, 0);
+ }
+
+ CBS copy = *cbs;
+ while (CBS_len(©) != 0) {
+ uint16_t type;
+ CBS data;
+ if (!CBS_get_u16(©, &type) ||
+ !CBS_get_u16_length_prefixed(©, &data)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
+ *out_alert = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+ const SSL_EXTENSION_TYPE *ext_type = NULL;
+ for (size_t i = 0; i < num_ext_types; i++) {
+ if (type == ext_types[i].type) {
+ ext_type = &ext_types[i];
+ break;
+ }
+ }
+
+ if (ext_type == NULL) {
+ if (ignore_unknown) {
+ continue;
+ }
+ OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
+ *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
+ return 0;
+ }
+
+ // Duplicate ext_types are forbidden.
+ if (*ext_type->out_present) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
+ *out_alert = SSL_AD_ILLEGAL_PARAMETER;
+ return 0;
+ }
+
+ *ext_type->out_present = 1;
+ *ext_type->out_data = data;
+ }
+
+ return 1;
+}
+
+static void set_crypto_buffer(CRYPTO_BUFFER **dest, CRYPTO_BUFFER *src) {
+ // TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr|
+ // and |UniquePtr| has up_ref helpers.
+ CRYPTO_BUFFER_free(*dest);
+ *dest = src;
+ if (src != nullptr) {
+ CRYPTO_BUFFER_up_ref(src);
+ }
+}
+
+enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+ const SSL_SESSION *prev_session = ssl->s3->established_session;
+ if (prev_session != NULL) {
+ // If renegotiating, the server must not change the server certificate. See
+ // https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
+ // so this check is sufficient to ensure the reported peer certificate never
+ // changes on renegotiation.
+ assert(!ssl->server);
+ if (sk_CRYPTO_BUFFER_num(prev_session->certs) !=
+ sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return ssl_verify_invalid;
+ }
+
+ for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs); i++) {
+ const CRYPTO_BUFFER *old_cert =
+ sk_CRYPTO_BUFFER_value(prev_session->certs, i);
+ const CRYPTO_BUFFER *new_cert =
+ sk_CRYPTO_BUFFER_value(hs->new_session->certs, i);
+ if (CRYPTO_BUFFER_len(old_cert) != CRYPTO_BUFFER_len(new_cert) ||
+ OPENSSL_memcmp(CRYPTO_BUFFER_data(old_cert),
+ CRYPTO_BUFFER_data(new_cert),
+ CRYPTO_BUFFER_len(old_cert)) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+ return ssl_verify_invalid;
+ }
+ }
+
+ // The certificate is identical, so we may skip re-verifying the
+ // certificate. Since we only authenticated the previous one, copy other
+ // authentication from the established session and ignore what was newly
+ // received.
+ set_crypto_buffer(&hs->new_session->ocsp_response,
+ prev_session->ocsp_response);
+ set_crypto_buffer(&hs->new_session->signed_cert_timestamp_list,
+ prev_session->signed_cert_timestamp_list);
+ hs->new_session->verify_result = prev_session->verify_result;
+ return ssl_verify_ok;
+ }
+
+ uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
+ enum ssl_verify_result_t ret;
+ if (ssl->custom_verify_callback != nullptr) {
+ ret = ssl->custom_verify_callback(ssl, &alert);
+ switch (ret) {
+ case ssl_verify_ok:
+ hs->new_session->verify_result = X509_V_OK;
+ break;
+ case ssl_verify_invalid:
+ hs->new_session->verify_result = X509_V_ERR_APPLICATION_VERIFICATION;
+ break;
+ case ssl_verify_retry:
+ break;
+ }
+ } else {
+ ret = ssl->ctx->x509_method->session_verify_cert_chain(
+ hs->new_session.get(), ssl, &alert)
+ ? ssl_verify_ok
+ : ssl_verify_invalid;
+ }
+
+ if (ret == ssl_verify_invalid) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
+ }
+
+ return ret;
+}
+
+uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) {
+ // Use the client_random or server_random for entropy. This both avoids
+ // calling |RAND_bytes| on a single byte repeatedly and ensures the values are
+ // deterministic. This allows the same ClientHello be sent twice for a
+ // HelloRetryRequest or the same group be advertised in both supported_groups
+ // and key_shares.
+ uint16_t ret = ssl->server ? ssl->s3->server_random[index]
+ : ssl->s3->client_random[index];
+ // The first four bytes of server_random are a timestamp prior to TLS 1.3, but
+ // servers have no fields to GREASE until TLS 1.3.
+ assert(!ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION);
+ // This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16.
+ ret = (ret & 0xf0) | 0x0a;
+ ret |= ret << 8;
+ return ret;
+}
+
+enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+ SSLMessage msg;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
+ }
+
+ if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED)) {
+ return ssl_hs_error;
+ }
+
+ // Snapshot the finished hash before incorporating the new message.
+ uint8_t finished[EVP_MAX_MD_SIZE];
+ size_t finished_len;
+ if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
+ SSL_get_session(ssl), !ssl->server) ||
+ !ssl_hash_message(hs, msg)) {
+ return ssl_hs_error;
+ }
+
+ int finished_ok = CBS_mem_equal(&msg.body, finished, finished_len);
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ finished_ok = 1;
+#endif
+ if (!finished_ok) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
+ return ssl_hs_error;
+ }
+
+ // Copy the Finished so we can use it for renegotiation checks.
+ if (ssl->version != SSL3_VERSION) {
+ if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
+ finished_len > sizeof(ssl->s3->previous_server_finished)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return ssl_hs_error;
+ }
+
+ if (ssl->server) {
+ OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
+ ssl->s3->previous_client_finished_len = finished_len;
+ } else {
+ OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
+ ssl->s3->previous_server_finished_len = finished_len;
+ }
+ }
+
+ ssl->method->next_message(ssl);
+ return ssl_hs_ok;
+}
+
+int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
+ SSL *const ssl = hs->ssl;
+ for (;;) {
+ // Resolve the operation the handshake was waiting on.
+ switch (hs->wait) {
+ case ssl_hs_error:
+ OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
+ return -1;
+
+ case ssl_hs_flush: {
+ int ret = ssl->method->flush_flight(ssl);
+ if (ret <= 0) {
+ return ret;
+ }
+ break;
+ }
+
+ case ssl_hs_read_server_hello:
+ case ssl_hs_read_message: {
+ int ret = ssl->method->read_message(ssl);
+ if (ret <= 0) {
+ uint32_t err = ERR_peek_error();
+ if (hs->wait == ssl_hs_read_server_hello &&
+ ERR_GET_LIB(err) == ERR_LIB_SSL &&
+ ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {
+ // Add a dedicated error code to the queue for a handshake_failure
+ // alert in response to ClientHello. This matches NSS's client
+ // behavior and gives a better error on a (probable) failure to
+ // negotiate initial parameters. Note: this error code comes after
+ // the original one.
+ //
+ // See https://crbug.com/446505.
+ OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);
+ }
+ return ret;
+ }
+ break;
+ }
+
+ case ssl_hs_read_change_cipher_spec: {
+ int ret = ssl->method->read_change_cipher_spec(ssl);
+ if (ret <= 0) {
+ return ret;
+ }
+ break;
+ }
+
+ case ssl_hs_read_end_of_early_data: {
+ if (ssl->s3->hs->can_early_read) {
+ // While we are processing early data, the handshake returns early.
+ *out_early_return = true;
+ return 1;
+ }
+ hs->wait = ssl_hs_ok;
+ break;
+ }
+
+ case ssl_hs_certificate_selection_pending:
+ ssl->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
+ hs->wait = ssl_hs_ok;
+ return -1;
+
+ case ssl_hs_x509_lookup:
+ ssl->rwstate = SSL_X509_LOOKUP;
+ hs->wait = ssl_hs_ok;
+ return -1;
+
+ case ssl_hs_channel_id_lookup:
+ ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;
+ hs->wait = ssl_hs_ok;
+ return -1;
+
+ case ssl_hs_private_key_operation:
+ ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
+ hs->wait = ssl_hs_ok;
+ return -1;
+
+ case ssl_hs_pending_session:
+ ssl->rwstate = SSL_PENDING_SESSION;
+ hs->wait = ssl_hs_ok;
+ return -1;
+
+ case ssl_hs_pending_ticket:
+ ssl->rwstate = SSL_PENDING_TICKET;
+ hs->wait = ssl_hs_ok;
+ return -1;
+
+ case ssl_hs_certificate_verify:
+ ssl->rwstate = SSL_CERTIFICATE_VERIFY;
+ hs->wait = ssl_hs_ok;
+ return -1;
+
+ case ssl_hs_early_data_rejected:
+ ssl->rwstate = SSL_EARLY_DATA_REJECTED;
+ // Cause |SSL_write| to start failing immediately.
+ hs->can_early_write = false;
+ return -1;
+
+ case ssl_hs_early_return:
+ *out_early_return = true;
+ hs->wait = ssl_hs_ok;
+ return 1;
+
+ case ssl_hs_ok:
+ break;
+ }
+
+ // Run the state machine again.
+ hs->wait = ssl->do_handshake(hs);
+ if (hs->wait == ssl_hs_error) {
+ // Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
+ // first time around.
+ return -1;
+ }
+ if (hs->wait == ssl_hs_ok) {
+ // The handshake has completed.
+ *out_early_return = false;
+ return 1;
+ }
+
+ // Otherwise, loop to the beginning and resolve what was blocking the
+ // handshake.
+ }
+}
+
+} // namespace bssl
diff --git a/src/ssl/handshake_client.cc b/src/ssl/handshake_client.cc
index f018c0e..a779b8a 100644
--- a/src/ssl/handshake_client.cc
+++ b/src/ssl/handshake_client.cc
@@ -4,21 +4,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,10 +33,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@@ -62,7 +62,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -110,7 +110,7 @@
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
- * Portions of the attached software ("Contribution") are developed by
+ * Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
@@ -150,6 +150,7 @@
#include <openssl/ssl.h>
#include <assert.h>
+#include <limits.h>
#include <string.h>
#include <utility>
@@ -172,386 +173,38 @@
namespace bssl {
-static int ssl3_send_client_hello(SSL_HANDSHAKE *hs);
-static int dtls1_get_hello_verify_request(SSL_HANDSHAKE *hs);
-static int ssl3_get_server_hello(SSL_HANDSHAKE *hs);
-static int ssl3_get_server_certificate(SSL_HANDSHAKE *hs);
-static int ssl3_get_cert_status(SSL_HANDSHAKE *hs);
-static int ssl3_get_server_key_exchange(SSL_HANDSHAKE *hs);
-static int ssl3_get_certificate_request(SSL_HANDSHAKE *hs);
-static int ssl3_get_server_hello_done(SSL_HANDSHAKE *hs);
-static int ssl3_send_client_certificate(SSL_HANDSHAKE *hs);
-static int ssl3_send_client_key_exchange(SSL_HANDSHAKE *hs);
-static int ssl3_send_cert_verify(SSL_HANDSHAKE *hs);
-static int ssl3_send_next_proto(SSL_HANDSHAKE *hs);
-static int ssl3_send_channel_id(SSL_HANDSHAKE *hs);
-static int ssl3_get_new_session_ticket(SSL_HANDSHAKE *hs);
+enum ssl_client_hs_state_t {
+ state_start_connect = 0,
+ state_enter_early_data,
+ state_read_hello_verify_request,
+ state_read_server_hello,
+ state_tls13,
+ state_read_server_certificate,
+ state_read_certificate_status,
+ state_verify_server_certificate,
+ state_read_server_key_exchange,
+ state_read_certificate_request,
+ state_read_server_hello_done,
+ state_send_client_certificate,
+ state_send_client_key_exchange,
+ state_send_client_certificate_verify,
+ state_send_client_finished,
+ state_finish_flight,
+ state_read_session_ticket,
+ state_process_change_cipher_spec,
+ state_read_server_finished,
+ state_finish_client_handshake,
+ state_done,
+};
-int ssl3_connect(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- int ret = -1;
-
- assert(ssl->handshake_func == ssl3_connect);
- assert(!ssl->server);
-
- for (;;) {
- int state = hs->state;
-
- switch (hs->state) {
- case SSL_ST_INIT:
- ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
- hs->state = SSL3_ST_CW_CLNT_HELLO_A;
- break;
-
- case SSL3_ST_CW_CLNT_HELLO_A:
- ret = ssl3_send_client_hello(hs);
- if (ret <= 0) {
- goto end;
- }
-
- if (!SSL_is_dtls(ssl) || ssl->d1->send_cookie) {
- if (hs->early_data_offered) {
- if (!tls13_init_early_key_schedule(hs) ||
- !tls13_advance_key_schedule(hs, ssl->session->master_key,
- ssl->session->master_key_length) ||
- !tls13_derive_early_secrets(hs) ||
- !tls13_set_traffic_key(ssl, evp_aead_seal,
- hs->early_traffic_secret,
- hs->hash_len)) {
- ret = -1;
- goto end;
- }
- hs->next_state = SSL3_ST_WRITE_EARLY_DATA;
- } else {
- hs->next_state = SSL3_ST_CR_SRVR_HELLO_A;
- }
- } else {
- hs->next_state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
- }
- hs->state = SSL3_ST_CW_FLUSH;
- break;
-
- case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
- assert(SSL_is_dtls(ssl));
- ret = dtls1_get_hello_verify_request(hs);
- if (ret <= 0) {
- goto end;
- }
- if (ssl->d1->send_cookie) {
- hs->state = SSL3_ST_CW_CLNT_HELLO_A;
- } else {
- hs->state = SSL3_ST_CR_SRVR_HELLO_A;
- }
- break;
-
- case SSL3_ST_WRITE_EARLY_DATA:
- /* Stash the early data session, so connection properties may be queried
- * out of it. */
- hs->in_early_data = 1;
- SSL_SESSION_up_ref(ssl->session);
- hs->early_session.reset(ssl->session);
-
- hs->state = SSL3_ST_CR_SRVR_HELLO_A;
- hs->can_early_write = 1;
- ret = 1;
- goto end;
-
- case SSL3_ST_CR_SRVR_HELLO_A:
- ret = ssl3_get_server_hello(hs);
- if (hs->state == SSL_ST_TLS13) {
- break;
- }
- if (ret <= 0) {
- goto end;
- }
-
- if (ssl->session != NULL) {
- hs->state = SSL3_ST_CR_SESSION_TICKET_A;
- } else {
- hs->state = SSL3_ST_CR_CERT_A;
- }
- break;
-
- case SSL3_ST_CR_CERT_A:
- if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
- ret = ssl3_get_server_certificate(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_CR_CERT_STATUS_A;
- break;
-
- case SSL3_ST_CR_CERT_STATUS_A:
- if (hs->certificate_status_expected) {
- ret = ssl3_get_cert_status(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_VERIFY_SERVER_CERT;
- break;
-
- case SSL3_ST_VERIFY_SERVER_CERT:
- if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
- switch (ssl_verify_peer_cert(hs)) {
- case ssl_verify_ok:
- break;
- case ssl_verify_invalid:
- ret = -1;
- goto end;
- case ssl_verify_retry:
- ssl->rwstate = SSL_CERTIFICATE_VERIFY;
- ret = -1;
- goto end;
- }
- }
- hs->state = SSL3_ST_CR_KEY_EXCH_A;
- break;
-
- case SSL3_ST_CR_KEY_EXCH_A:
- ret = ssl3_get_server_key_exchange(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_CR_CERT_REQ_A;
- break;
-
- case SSL3_ST_CR_CERT_REQ_A:
- if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
- ret = ssl3_get_certificate_request(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_CR_SRVR_DONE_A;
- break;
-
- case SSL3_ST_CR_SRVR_DONE_A:
- ret = ssl3_get_server_hello_done(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_CW_CERT_A;
- break;
-
- case SSL3_ST_CW_CERT_A:
- if (hs->cert_request) {
- ret = ssl3_send_client_certificate(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_CW_KEY_EXCH_A;
- break;
-
- case SSL3_ST_CW_KEY_EXCH_A:
- ret = ssl3_send_client_key_exchange(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_CW_CERT_VRFY_A;
- break;
-
- case SSL3_ST_CW_CERT_VRFY_A:
- if (hs->cert_request && ssl_has_certificate(ssl)) {
- ret = ssl3_send_cert_verify(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_CW_CHANGE;
- break;
-
- case SSL3_ST_CW_CHANGE:
- if (!ssl->method->add_change_cipher_spec(ssl) ||
- !tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
- ret = -1;
- goto end;
- }
-
- hs->state = SSL3_ST_CW_NEXT_PROTO_A;
- break;
-
- case SSL3_ST_CW_NEXT_PROTO_A:
- if (hs->next_proto_neg_seen) {
- ret = ssl3_send_next_proto(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_CW_CHANNEL_ID_A;
- break;
-
- case SSL3_ST_CW_CHANNEL_ID_A:
- if (ssl->s3->tlsext_channel_id_valid) {
- ret = ssl3_send_channel_id(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_CW_FINISHED_A;
- break;
-
- case SSL3_ST_CW_FINISHED_A:
- ret = ssl3_send_finished(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_CW_FLUSH;
-
- if (ssl->session != NULL) {
- hs->next_state = SSL3_ST_FINISH_CLIENT_HANDSHAKE;
- } else {
- /* This is a non-resumption handshake. If it involves ChannelID, then
- * record the handshake hashes at this point in the session so that
- * any resumption of this session with ChannelID can sign those
- * hashes. */
- ret = tls1_record_handshake_hashes_for_channel_id(hs);
- if (ret <= 0) {
- goto end;
- }
- if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) &&
- ssl3_can_false_start(ssl) &&
- /* No False Start on renegotiation (would complicate the state
- * machine). */
- !ssl->s3->initial_handshake_complete) {
- hs->next_state = SSL3_ST_FALSE_START;
- } else {
- hs->next_state = SSL3_ST_CR_SESSION_TICKET_A;
- }
- }
- break;
-
- case SSL3_ST_FALSE_START:
- hs->state = SSL3_ST_CR_SESSION_TICKET_A;
- hs->in_false_start = 1;
- hs->can_early_write = 1;
- ret = 1;
- goto end;
-
- case SSL3_ST_CR_SESSION_TICKET_A:
- if (hs->ticket_expected) {
- ret = ssl3_get_new_session_ticket(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_CR_CHANGE;
- break;
-
- case SSL3_ST_CR_CHANGE:
- ret = ssl->method->read_change_cipher_spec(ssl);
- if (ret <= 0) {
- goto end;
- }
-
- if (!tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_CLIENT_READ)) {
- ret = -1;
- goto end;
- }
- hs->state = SSL3_ST_CR_FINISHED_A;
- break;
-
- case SSL3_ST_CR_FINISHED_A:
- ret = ssl3_get_finished(hs);
- if (ret <= 0) {
- goto end;
- }
-
- if (ssl->session != NULL) {
- hs->state = SSL3_ST_CW_CHANGE;
- } else {
- hs->state = SSL3_ST_FINISH_CLIENT_HANDSHAKE;
- }
- break;
-
- case SSL3_ST_CW_FLUSH:
- ret = ssl->method->flush_flight(ssl);
- if (ret <= 0) {
- goto end;
- }
- hs->state = hs->next_state;
- break;
-
- case SSL_ST_TLS13: {
- int early_return = 0;
- ret = tls13_handshake(hs, &early_return);
- if (ret <= 0) {
- goto end;
- }
-
- if (early_return) {
- ret = 1;
- goto end;
- }
-
- hs->state = SSL3_ST_FINISH_CLIENT_HANDSHAKE;
- break;
- }
-
- case SSL3_ST_FINISH_CLIENT_HANDSHAKE:
- ssl->method->on_handshake_complete(ssl);
-
- SSL_SESSION_free(ssl->s3->established_session);
- if (ssl->session != NULL) {
- SSL_SESSION_up_ref(ssl->session);
- ssl->s3->established_session = ssl->session;
- } else {
- /* We make a copy of the session in order to maintain the immutability
- * of the new established_session due to False Start. The caller may
- * have taken a reference to the temporary session. */
- ssl->s3->established_session =
- SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL)
- .release();
- if (ssl->s3->established_session == NULL) {
- ret = -1;
- goto end;
- }
- /* Renegotiations do not participate in session resumption. */
- if (!ssl->s3->initial_handshake_complete) {
- ssl->s3->established_session->not_resumable = 0;
- }
-
- hs->new_session.reset();
- }
-
- hs->state = SSL_ST_OK;
- break;
-
- case SSL_ST_OK: {
- ssl->s3->initial_handshake_complete = 1;
- ssl_update_cache(hs, SSL_SESS_CACHE_CLIENT);
-
- ret = 1;
- ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_DONE, 1);
- goto end;
- }
-
- default:
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
- ret = -1;
- goto end;
- }
-
- if (hs->state != state) {
- ssl_do_info_callback(ssl, SSL_CB_CONNECT_LOOP, 1);
- }
- }
-
-end:
- ssl_do_info_callback(ssl, SSL_CB_CONNECT_EXIT, ret);
- return ret;
-}
-
-/* ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
- * disabled algorithms. */
+// ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
+// disabled algorithms.
static void ssl_get_client_disabled(SSL *ssl, uint32_t *out_mask_a,
uint32_t *out_mask_k) {
*out_mask_a = 0;
*out_mask_k = 0;
- /* PSK requires a client callback. */
+ // PSK requires a client callback.
if (ssl->psk_client_callback == NULL) {
*out_mask_a |= SSL_aPSK;
*out_mask_k |= SSL_kPSK;
@@ -568,14 +221,14 @@
return 0;
}
- /* Add a fake cipher suite. See draft-davidben-tls-grease-01. */
+ // Add a fake cipher suite. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
!CBB_add_u16(&child, ssl_get_grease_value(ssl, ssl_grease_cipher))) {
return 0;
}
- /* Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
- * hardware support. */
+ // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
+ // hardware support.
if (hs->max_version >= TLS1_3_VERSION) {
if (!EVP_has_aes_hardware() &&
!CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
@@ -594,7 +247,7 @@
if (hs->min_version < TLS1_3_VERSION) {
int any_enabled = 0;
for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) {
- /* Skip disabled ciphers */
+ // Skip disabled ciphers
if ((cipher->algorithm_mkey & mask_k) ||
(cipher->algorithm_auth & mask_a)) {
continue;
@@ -609,15 +262,15 @@
}
}
- /* If all ciphers were disabled, return the error to the caller. */
+ // If all ciphers were disabled, return the error to the caller.
if (!any_enabled && hs->max_version < TLS1_3_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
return 0;
}
}
- /* For SSLv3, the SCSV is added. Otherwise the renegotiation extension is
- * added. */
+ // For SSLv3, the SCSV is added. Otherwise the renegotiation extension is
+ // added.
if (hs->max_version == SSL3_VERSION &&
!ssl->s3->initial_handshake_complete) {
if (!CBB_add_u16(&child, SSL3_CK_SCSV & 0xffff)) {
@@ -642,7 +295,7 @@
return 0;
}
- /* Renegotiations do not participate in session resumption. */
+ // Renegotiations do not participate in session resumption.
int has_session_id = ssl->session != NULL &&
!ssl->s3->initial_handshake_complete &&
ssl->session->session_id_length > 0;
@@ -660,8 +313,8 @@
return 0;
}
} else {
- /* In TLS 1.3 experimental encodings, send a fake placeholder session ID
- * when we do not otherwise have one to send. */
+ // In TLS 1.3 experimental encodings, send a fake placeholder session ID
+ // when we do not otherwise have one to send.
if (hs->max_version >= TLS1_3_VERSION &&
ssl->tls13_variant == tls13_experiment &&
!CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) {
@@ -691,8 +344,8 @@
return 0;
}
- /* Now that the length prefixes have been computed, fill in the placeholder
- * PSK binder. */
+ // Now that the length prefixes have been computed, fill in the placeholder
+ // PSK binder.
if (hs->needs_psk_binder &&
!tls13_write_psk_binder(hs, msg, len)) {
OPENSSL_free(msg);
@@ -702,99 +355,6 @@
return ssl->method->add_message(ssl, msg, len);
}
-static int ssl3_send_client_hello(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- /* The handshake buffer is reset on every ClientHello. Notably, in DTLS, we
- * may send multiple ClientHellos if we receive HelloVerifyRequest. */
- if (!hs->transcript.Init()) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
- }
-
- /* Freeze the version range. */
- if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
- return -1;
- }
-
- /* Always advertise the ClientHello version from the original maximum version,
- * even on renegotiation. The static RSA key exchange uses this field, and
- * some servers fail when it changes across handshakes. */
- if (SSL_is_dtls(hs->ssl)) {
- hs->client_version =
- hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;
- } else {
- hs->client_version =
- hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
- }
-
- /* If the configured session has expired or was created at a disabled
- * version, drop it. */
- if (ssl->session != NULL) {
- if (ssl->session->is_server ||
- !ssl_supports_version(hs, ssl->session->ssl_version) ||
- (ssl->session->session_id_length == 0 &&
- ssl->session->tlsext_ticklen == 0) ||
- ssl->session->not_resumable ||
- !ssl_session_is_time_valid(ssl, ssl->session)) {
- ssl_set_session(ssl, NULL);
- }
- }
-
- /* If resending the ClientHello in DTLS after a HelloVerifyRequest, don't
- * renegerate the client_random. The random must be reused. */
- if ((!SSL_is_dtls(ssl) || !ssl->d1->send_cookie) &&
- !RAND_bytes(ssl->s3->client_random, sizeof(ssl->s3->client_random))) {
- return -1;
- }
-
- /* Initialize a random session ID for the experimental TLS 1.3 variant
- * requiring a session id. */
- if (ssl->tls13_variant == tls13_experiment) {
- hs->session_id_len = sizeof(hs->session_id);
- if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
- return -1;
- }
- }
-
- if (!ssl_write_client_hello(hs)) {
- return -1;
- }
-
- return 1;
-}
-
-static int dtls1_get_hello_verify_request(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
- }
-
- if (msg.type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
- ssl->d1->send_cookie = false;
- return 1;
- }
-
- CBS hello_verify_request = msg.body, cookie;
- uint16_t server_version;
- if (!CBS_get_u16(&hello_verify_request, &server_version) ||
- !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
- CBS_len(&cookie) > sizeof(ssl->d1->cookie) ||
- CBS_len(&hello_verify_request) != 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
- }
-
- OPENSSL_memcpy(ssl->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));
- ssl->d1->cookie_len = CBS_len(&cookie);
-
- ssl->d1->send_cookie = true;
- ssl->method->next_message(ssl);
- return 1;
-}
-
static int parse_server_version(SSL_HANDSHAKE *hs, uint16_t *out,
const SSLMessage &msg) {
SSL *const ssl = hs->ssl;
@@ -812,8 +372,8 @@
return 0;
}
- /* The server version may also be in the supported_versions extension if
- * applicable. */
+ // The server version may also be in the supported_versions extension if
+ // applicable.
if (msg.type != SSL3_MT_SERVER_HELLO || *out != TLS1_2_VERSION) {
return 1;
}
@@ -828,7 +388,7 @@
return 0;
}
- /* The extensions block may not be present. */
+ // The extensions block may not be present.
if (CBS_len(&server_hello) == 0) {
return 1;
}
@@ -841,7 +401,7 @@
return 0;
}
- int have_supported_versions;
+ bool have_supported_versions;
CBS supported_versions;
const SSL_EXTENSION_TYPE ext_types[] = {
{TLSEXT_TYPE_supported_versions, &have_supported_versions,
@@ -866,64 +426,183 @@
return 1;
}
-static int ssl3_get_server_hello(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+
+ ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
+
+ // Freeze the version range.
+ if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
+ return ssl_hs_error;
+ }
+
+ // Always advertise the ClientHello version from the original maximum version,
+ // even on renegotiation. The static RSA key exchange uses this field, and
+ // some servers fail when it changes across handshakes.
+ if (SSL_is_dtls(hs->ssl)) {
+ hs->client_version =
+ hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;
+ } else {
+ hs->client_version =
+ hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
+ }
+
+ // If the configured session has expired or was created at a disabled
+ // version, drop it.
+ if (ssl->session != NULL) {
+ if (ssl->session->is_server ||
+ !ssl_supports_version(hs, ssl->session->ssl_version) ||
+ (ssl->session->session_id_length == 0 &&
+ ssl->session->tlsext_ticklen == 0) ||
+ ssl->session->not_resumable ||
+ !ssl_session_is_time_valid(ssl, ssl->session)) {
+ ssl_set_session(ssl, NULL);
+ }
+ }
+
+ if (!RAND_bytes(ssl->s3->client_random, sizeof(ssl->s3->client_random))) {
+ return ssl_hs_error;
+ }
+
+ // Initialize a random session ID for the experimental TLS 1.3 variant
+ // requiring a session id.
+ if (ssl->tls13_variant == tls13_experiment) {
+ hs->session_id_len = sizeof(hs->session_id);
+ if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
+ return ssl_hs_error;
+ }
+ }
+
+ if (!ssl_write_client_hello(hs)) {
+ return ssl_hs_error;
+ }
+
+ hs->state = state_enter_early_data;
+ return ssl_hs_flush;
+}
+
+static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+
+ if (SSL_is_dtls(ssl)) {
+ hs->state = state_read_hello_verify_request;
+ return ssl_hs_ok;
+ }
+
+ if (!hs->early_data_offered) {
+ hs->state = state_read_server_hello;
+ return ssl_hs_ok;
+ }
+
+ if (!tls13_init_early_key_schedule(hs) ||
+ !tls13_advance_key_schedule(hs, ssl->session->master_key,
+ ssl->session->master_key_length) ||
+ !tls13_derive_early_secrets(hs) ||
+ !tls13_set_traffic_key(ssl, evp_aead_seal, hs->early_traffic_secret,
+ hs->hash_len)) {
+ return ssl_hs_error;
+ }
+
+ // Stash the early data session, so connection properties may be queried out
+ // of it.
+ hs->in_early_data = true;
+ SSL_SESSION_up_ref(ssl->session);
+ hs->early_session.reset(ssl->session);
+ hs->can_early_write = true;
+
+ hs->state = state_read_server_hello;
+ return ssl_hs_early_return;
+}
+
+static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+
+ assert(SSL_is_dtls(ssl));
+
+ SSLMessage msg;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
+ }
+
+ if (msg.type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
+ hs->state = state_read_server_hello;
+ return ssl_hs_ok;
+ }
+
+ CBS hello_verify_request = msg.body, cookie;
+ uint16_t server_version;
+ if (!CBS_get_u16(&hello_verify_request, &server_version) ||
+ !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
+ CBS_len(&cookie) > sizeof(ssl->d1->cookie) ||
+ CBS_len(&hello_verify_request) != 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
+ return ssl_hs_error;
+ }
+
+ OPENSSL_memcpy(ssl->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));
+ ssl->d1->cookie_len = CBS_len(&cookie);
+
+ ssl->method->next_message(ssl);
+
+ // DTLS resets the handshake buffer after HelloVerifyRequest.
+ if (!hs->transcript.Init()) {
+ return ssl_hs_error;
+ }
+
+ if (!ssl_write_client_hello(hs)) {
+ return ssl_hs_error;
+ }
+
+ hs->state = state_read_server_hello;
+ return ssl_hs_flush;
+}
+
+static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- uint32_t err = ERR_peek_error();
- if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
- ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {
- /* Add a dedicated error code to the queue for a handshake_failure alert
- * in response to ClientHello. This matches NSS's client behavior and
- * gives a better error on a (probable) failure to negotiate initial
- * parameters. Note: this error code comes after the original one.
- *
- * See https://crbug.com/446505. */
- OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);
- }
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_server_hello;
}
uint16_t server_version;
if (!parse_server_version(hs, &server_version, msg)) {
- return -1;
+ return ssl_hs_error;
}
if (!ssl_supports_version(hs, server_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
- return -1;
+ return ssl_hs_error;
}
assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
if (!ssl->s3->have_version) {
ssl->version = server_version;
- /* At this point, the connection's version is known and ssl->version is
- * fixed. Begin enforcing the record-layer version. */
- ssl->s3->have_version = 1;
+ // At this point, the connection's version is known and ssl->version is
+ // fixed. Begin enforcing the record-layer version.
+ ssl->s3->have_version = true;
} else if (server_version != ssl->version) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
- return -1;
+ return ssl_hs_error;
}
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
- hs->state = SSL_ST_TLS13;
- hs->do_tls13_handshake = tls13_client_handshake;
- return 1;
+ hs->state = state_tls13;
+ return ssl_hs_ok;
}
if (hs->early_data_offered) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
- return -1;
+ return ssl_hs_error;
}
ssl_clear_tls13_state(hs);
if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
- return -1;
+ return ssl_hs_error;
}
CBS server_hello = msg.body, server_random, session_id;
@@ -937,30 +616,30 @@
!CBS_get_u8(&server_hello, &compression_method)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* Copy over the server random. */
+ // Copy over the server random.
OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
SSL3_RANDOM_SIZE);
- /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
- * 1.3 is finalized and we are not implementing a draft version. */
+ // TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+ // 1.3 is finalized and we are not implementing a draft version.
if (!ssl->s3->initial_handshake_complete && ssl->session != NULL &&
ssl->session->session_id_length != 0 &&
CBS_mem_equal(&session_id, ssl->session->session_id,
ssl->session->session_id_length)) {
- ssl->s3->session_reused = 1;
+ ssl->s3->session_reused = true;
} else {
- /* The session wasn't resumed. Create a fresh SSL_SESSION to
- * fill out. */
+ // The session wasn't resumed. Create a fresh SSL_SESSION to
+ // fill out.
ssl_set_session(ssl, NULL);
if (!ssl_get_new_session(hs, 0 /* client */)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* Note: session_id could be empty. */
+ // Note: session_id could be empty.
hs->new_session->session_id_length = CBS_len(&session_id);
OPENSSL_memcpy(hs->new_session->session_id, CBS_data(&session_id),
CBS_len(&session_id));
@@ -968,13 +647,13 @@
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
if (cipher == NULL) {
- /* unknown cipher */
+ // unknown cipher
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
- /* The cipher must be allowed in the selected version and enabled. */
+ // The cipher must be allowed in the selected version and enabled.
uint32_t mask_a, mask_k;
ssl_get_client_disabled(ssl, &mask_a, &mask_k);
if ((cipher->algorithm_mkey & mask_k) || (cipher->algorithm_auth & mask_a) ||
@@ -983,67 +662,67 @@
!sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), NULL, cipher)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
if (ssl->session != NULL) {
if (ssl->session->ssl_version != ssl->version) {
OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
if (ssl->session->cipher != cipher) {
OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
if (!ssl_session_is_context_valid(ssl, ssl->session)) {
- /* This is actually a client application bug. */
+ // This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
} else {
hs->new_session->cipher = cipher;
}
hs->new_cipher = cipher;
- /* Now that the cipher is known, initialize the handshake hash and hash the
- * ServerHello. */
+ // Now that the cipher is known, initialize the handshake hash and hash the
+ // ServerHello.
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) ||
!ssl_hash_message(hs, msg)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* If doing a full handshake, the server may request a client certificate
- * which requires hashing the handshake transcript. Otherwise, the handshake
- * buffer may be released. */
+ // If doing a full handshake, the server may request a client certificate
+ // which requires hashing the handshake transcript. Otherwise, the handshake
+ // buffer may be released.
if (ssl->session != NULL ||
!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
hs->transcript.FreeBuffer();
}
- /* Only the NULL compression algorithm is supported. */
+ // Only the NULL compression algorithm is supported.
if (compression_method != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
- /* TLS extensions */
+ // TLS extensions
if (!ssl_parse_serverhello_tlsext(hs, &server_hello)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
- return -1;
+ return ssl_hs_error;
}
- /* There should be nothing left over in the record. */
+ // There should be nothing left over in the record.
if (CBS_len(&server_hello) != 0) {
- /* wrong packet length */
+ // wrong packet length
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (ssl->session != NULL &&
@@ -1054,24 +733,46 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION);
}
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
ssl->method->next_message(ssl);
- return 1;
+
+ if (ssl->session != NULL) {
+ hs->state = state_read_session_ticket;
+ return ssl_hs_ok;
+ }
+
+ hs->state = state_read_server_certificate;
+ return ssl_hs_ok;
}
-static int ssl3_get_server_certificate(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {
+ enum ssl_hs_wait_t wait = tls13_client_handshake(hs);
+ if (wait == ssl_hs_ok) {
+ hs->state = state_finish_client_handshake;
+ return ssl_hs_ok;
+ }
+
+ return wait;
+}
+
+static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
+ hs->state = state_read_certificate_status;
+ return ssl_hs_ok;
+ }
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
CBS body = msg.body;
@@ -1080,7 +781,7 @@
if (!ssl_parse_cert_chain(&alert, &chain, &hs->peer_pubkey, NULL, &body,
ssl->ctx->pool)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- return -1;
+ return ssl_hs_error;
}
sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
hs->new_session->certs = chain.release();
@@ -1090,36 +791,44 @@
!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (!ssl_check_leaf_certificate(
hs, hs->peer_pubkey.get(),
sk_CRYPTO_BUFFER_value(hs->new_session->certs, 0))) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
ssl->method->next_message(ssl);
- return 1;
+
+ hs->state = state_read_certificate_status;
+ return ssl_hs_ok;
}
-static int ssl3_get_cert_status(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ if (!hs->certificate_status_expected) {
+ hs->state = state_verify_server_certificate;
+ return ssl_hs_ok;
+ }
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (msg.type != SSL3_MT_CERTIFICATE_STATUS) {
- /* A server may send status_request in ServerHello and then change
- * its mind about sending CertificateStatus. */
- return 1;
+ // A server may send status_request in ServerHello and then change its mind
+ // about sending CertificateStatus.
+ hs->state = state_verify_server_certificate;
+ return ssl_hs_ok;
}
if (!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
CBS certificate_status = msg.body, ocsp_response;
@@ -1131,7 +840,7 @@
CBS_len(&certificate_status) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
CRYPTO_BUFFER_free(hs->new_session->ocsp_response);
@@ -1139,34 +848,56 @@
CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool);
if (hs->new_session->ocsp_response == nullptr) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
ssl->method->next_message(ssl);
- return 1;
+
+ hs->state = state_verify_server_certificate;
+ return ssl_hs_ok;
}
-static int ssl3_get_server_key_exchange(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_verify_server_certificate(SSL_HANDSHAKE *hs) {
+ if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
+ hs->state = state_read_server_key_exchange;
+ return ssl_hs_ok;
+ }
+
+ switch (ssl_verify_peer_cert(hs)) {
+ case ssl_verify_ok:
+ break;
+ case ssl_verify_invalid:
+ return ssl_hs_error;
+ case ssl_verify_retry:
+ hs->state = state_verify_server_certificate;
+ return ssl_hs_certificate_verify;
+ }
+
+ hs->state = state_read_server_key_exchange;
+ return ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) {
- /* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */
+ // Some ciphers (pure PSK) have an optional ServerKeyExchange message.
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- return -1;
+ return ssl_hs_error;
}
- return 1;
+ hs->state = state_read_certificate_request;
+ return ssl_hs_ok;
}
if (!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
@@ -1175,45 +906,45 @@
if (alg_a & SSL_aPSK) {
CBS psk_identity_hint;
- /* Each of the PSK key exchanges begins with a psk_identity_hint. */
+ // Each of the PSK key exchanges begins with a psk_identity_hint.
if (!CBS_get_u16_length_prefixed(&server_key_exchange,
&psk_identity_hint)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* Store PSK identity hint for later use, hint is used in
- * ssl3_send_client_key_exchange. Assume that the maximum length of a PSK
- * identity hint can be as long as the maximum length of a PSK identity.
- * Also do not allow NULL characters; identities are saved as C strings.
- *
- * TODO(davidben): Should invalid hints be ignored? It's a hint rather than
- * a specific identity. */
+ // Store PSK identity hint for later use, hint is used in
+ // ssl3_send_client_key_exchange. Assume that the maximum length of a PSK
+ // identity hint can be as long as the maximum length of a PSK identity.
+ // Also do not allow NULL characters; identities are saved as C strings.
+ //
+ // TODO(davidben): Should invalid hints be ignored? It's a hint rather than
+ // a specific identity.
if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
CBS_contains_zero_byte(&psk_identity_hint)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
- /* Save non-empty identity hints as a C string. Empty identity hints we
- * treat as missing. Plain PSK makes it possible to send either no hint
- * (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
- * empty hint. Having different capabilities is odd, so we interpret empty
- * and missing as identical. */
+ // Save non-empty identity hints as a C string. Empty identity hints we
+ // treat as missing. Plain PSK makes it possible to send either no hint
+ // (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
+ // empty hint. Having different capabilities is odd, so we interpret empty
+ // and missing as identical.
char *raw = nullptr;
if (CBS_len(&psk_identity_hint) != 0 &&
!CBS_strdup(&psk_identity_hint, &raw)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
hs->peer_psk_identity_hint.reset(raw);
}
if (alg_k & SSL_kECDHE) {
- /* Parse the server parameters. */
+ // Parse the server parameters.
uint8_t group_type;
uint16_t group_id;
CBS point;
@@ -1223,65 +954,65 @@
!CBS_get_u8_length_prefixed(&server_key_exchange, &point)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
hs->new_session->group_id = group_id;
- /* Ensure the group is consistent with preferences. */
+ // Ensure the group is consistent with preferences.
if (!tls1_check_group_id(ssl, group_id)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
- /* Initialize ECDH and save the peer public key for later. */
+ // Initialize ECDH and save the peer public key for later.
hs->key_share = SSLKeyShare::Create(group_id);
if (!hs->key_share ||
!CBS_stow(&point, &hs->peer_key, &hs->peer_key_len)) {
- return -1;
+ return ssl_hs_error;
}
} else if (!(alg_k & SSL_kPSK)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- return -1;
+ return ssl_hs_error;
}
- /* At this point, |server_key_exchange| contains the signature, if any, while
- * |msg.body| contains the entire message. From that, derive a CBS containing
- * just the parameter. */
+ // At this point, |server_key_exchange| contains the signature, if any, while
+ // |msg.body| contains the entire message. From that, derive a CBS containing
+ // just the parameter.
CBS parameter;
CBS_init(¶meter, CBS_data(&msg.body),
CBS_len(&msg.body) - CBS_len(&server_key_exchange));
- /* ServerKeyExchange should be signed by the server's public key. */
+ // ServerKeyExchange should be signed by the server's public key.
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
uint16_t signature_algorithm = 0;
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
if (!CBS_get_u16(&server_key_exchange, &signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- return -1;
+ return ssl_hs_error;
}
hs->new_session->peer_signature_algorithm = signature_algorithm;
} else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
hs->peer_pubkey.get())) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);
- return -1;
+ return ssl_hs_error;
}
- /* The last field in |server_key_exchange| is the signature. */
+ // The last field in |server_key_exchange| is the signature.
CBS signature;
if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||
CBS_len(&server_key_exchange) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
ScopedCBB transcript;
@@ -1298,7 +1029,7 @@
!CBB_finish(transcript.get(), &transcript_data, &transcript_len)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
int sig_ok = ssl_public_key_verify(
@@ -1311,58 +1042,65 @@
ERR_clear_error();
#endif
if (!sig_ok) {
- /* bad signature */
+ // bad signature
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
- return -1;
+ return ssl_hs_error;
}
} else {
- /* PSK ciphers are the only supported certificate-less ciphers. */
+ // PSK ciphers are the only supported certificate-less ciphers.
assert(alg_a == SSL_aPSK);
if (CBS_len(&server_key_exchange) > 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_EXTRA_DATA_IN_MESSAGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
}
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_read_certificate_request;
+ return ssl_hs_ok;
}
-static int ssl3_get_certificate_request(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
+ hs->state = state_read_server_hello_done;
+ return ssl_hs_ok;
+ }
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (msg.type == SSL3_MT_SERVER_HELLO_DONE) {
- /* If we get here we don't need the handshake buffer as we won't be doing
- * client auth. */
+ // If we get here we don't need the handshake buffer as we won't be doing
+ // client auth.
hs->transcript.FreeBuffer();
- return 1;
+ hs->state = state_read_server_hello_done;
+ return ssl_hs_ok;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_REQUEST) ||
!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
- /* Get the certificate types. */
+ // Get the certificate types.
CBS body = msg.body, certificate_types;
if (!CBS_get_u8_length_prefixed(&body, &certificate_types)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (!CBS_stow(&certificate_types, &hs->certificate_types,
&hs->num_certificate_types)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
@@ -1371,7 +1109,7 @@
!tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
}
@@ -1380,93 +1118,106 @@
ssl_parse_client_CA_list(ssl, &alert, &body);
if (!ca_names) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- return -1;
+ return ssl_hs_error;
}
if (CBS_len(&body) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
- hs->cert_request = 1;
+ hs->cert_request = true;
hs->ca_names = std::move(ca_names);
ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
+
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_read_server_hello_done;
+ return ssl_hs_ok;
}
-static int ssl3_get_server_hello_done(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO_DONE) ||
!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
- /* ServerHelloDone is empty. */
+ // ServerHelloDone is empty.
if (CBS_len(&msg.body) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_send_client_certificate;
+ return ssl_hs_ok;
}
-static int ssl3_send_client_certificate(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Call cert_cb to update the certificate. */
- if (ssl->cert->cert_cb) {
- int ret = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
- if (ret < 0) {
- ssl->rwstate = SSL_X509_LOOKUP;
- return -1;
- }
- if (ret == 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
+
+ // The peer didn't request a certificate.
+ if (!hs->cert_request) {
+ hs->state = state_send_client_key_exchange;
+ return ssl_hs_ok;
+ }
+
+ // Call cert_cb to update the certificate.
+ if (ssl->cert->cert_cb != NULL) {
+ int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
+ if (rv == 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
+ return ssl_hs_error;
+ }
+ if (rv < 0) {
+ hs->state = state_send_client_certificate;
+ return ssl_hs_x509_lookup;
}
}
if (!ssl_has_certificate(ssl)) {
- /* Without a client certificate, the handshake buffer may be released. */
+ // Without a client certificate, the handshake buffer may be released.
hs->transcript.FreeBuffer();
- /* In SSL 3.0, the Certificate message is replaced with a warning alert. */
+ // In SSL 3.0, the Certificate message is replaced with a warning alert.
if (ssl->version == SSL3_VERSION) {
if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,
SSL_AD_NO_CERTIFICATE)) {
- return -1;
+ return ssl_hs_error;
}
- return 1;
+ hs->state = state_send_client_key_exchange;
+ return ssl_hs_ok;
}
}
if (!ssl_on_certificate_selected(hs) ||
!ssl3_output_cert_chain(ssl)) {
- return -1;
+ return ssl_hs_error;
}
- return 1;
+
+
+ hs->state = state_send_client_key_exchange;
+ return ssl_hs_ok;
}
static_assert(sizeof(size_t) >= sizeof(unsigned),
"size_t is smaller than unsigned");
-static int ssl3_send_client_key_exchange(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
ScopedCBB cbb;
CBB body;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_CLIENT_KEY_EXCHANGE)) {
- return -1;
+ return ssl_hs_error;
}
uint8_t *pms = NULL;
@@ -1474,7 +1225,7 @@
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
- /* If using a PSK key exchange, prepare the pre-shared key. */
+ // If using a PSK key exchange, prepare the pre-shared key.
unsigned psk_len = 0;
uint8_t psk[PSK_MAX_PSK_LEN];
if (alg_a & SSL_aPSK) {
@@ -1502,7 +1253,7 @@
goto err;
}
- /* Write out psk_identity. */
+ // Write out psk_identity.
CBB child;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
!CBB_add_bytes(&child, (const uint8_t *)identity,
@@ -1512,7 +1263,7 @@
}
}
- /* Depending on the key exchange method, compute |pms| and |pms_len|. */
+ // Depending on the key exchange method, compute |pms| and |pms_len|.
if (alg_k & SSL_kRSA) {
pms_len = SSL_MAX_MASTER_KEY_LENGTH;
pms = (uint8_t *)OPENSSL_malloc(pms_len);
@@ -1535,7 +1286,7 @@
CBB child, *enc_pms = &body;
size_t enc_pms_len;
- /* In TLS, there is a length prefix. */
+ // In TLS, there is a length prefix.
if (ssl->version > SSL3_VERSION) {
if (!CBB_add_u16_length_prefixed(&body, &child)) {
goto err;
@@ -1552,13 +1303,13 @@
goto err;
}
} else if (alg_k & SSL_kECDHE) {
- /* Generate a keypair and serialize the public half. */
+ // Generate a keypair and serialize the public half.
CBB child;
if (!CBB_add_u8_length_prefixed(&body, &child)) {
goto err;
}
- /* Compute the premaster. */
+ // Compute the premaster.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!hs->key_share->Accept(&child, &pms, &pms_len, &alert, hs->peer_key,
hs->peer_key_len)) {
@@ -1569,14 +1320,14 @@
goto err;
}
- /* The key exchange state may now be discarded. */
+ // The key exchange state may now be discarded.
hs->key_share.reset();
OPENSSL_free(hs->peer_key);
hs->peer_key = NULL;
hs->peer_key_len = 0;
} else if (alg_k & SSL_kPSK) {
- /* For plain PSK, other_secret is a block of 0s with the same length as
- * the pre-shared key. */
+ // For plain PSK, other_secret is a block of 0s with the same length as
+ // the pre-shared key.
pms_len = psk_len;
pms = (uint8_t *)OPENSSL_malloc(pms_len);
if (pms == NULL) {
@@ -1590,8 +1341,8 @@
goto err;
}
- /* For a PSK cipher suite, other_secret is combined with the pre-shared
- * key. */
+ // For a PSK cipher suite, other_secret is combined with the pre-shared
+ // key.
if (alg_a & SSL_aPSK) {
ScopedCBB pms_cbb;
CBB child;
@@ -1613,8 +1364,8 @@
pms_len = new_pms_len;
}
- /* The message must be added to the finished hash before calculating the
- * master secret. */
+ // The message must be added to the finished hash before calculating the
+ // master secret.
if (!ssl_add_message_cbb(ssl, cbb.get())) {
goto err;
}
@@ -1628,68 +1379,75 @@
OPENSSL_cleanse(pms, pms_len);
OPENSSL_free(pms);
- return 1;
+ hs->state = state_send_client_certificate_verify;
+ return ssl_hs_ok;
err:
if (pms != NULL) {
OPENSSL_cleanse(pms, pms_len);
OPENSSL_free(pms);
}
- return -1;
+ return ssl_hs_error;
+
}
-static int ssl3_send_cert_verify(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- assert(ssl_has_private_key(ssl));
+ if (!hs->cert_request || !ssl_has_certificate(ssl)) {
+ hs->state = state_send_client_finished;
+ return ssl_hs_ok;
+ }
+
+ assert(ssl_has_private_key(ssl));
ScopedCBB cbb;
CBB body, child;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_CERTIFICATE_VERIFY)) {
- return -1;
+ return ssl_hs_error;
}
uint16_t signature_algorithm;
if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
- return -1;
+ return ssl_hs_error;
}
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
- /* Write out the digest type in TLS 1.2. */
+ // Write out the digest type in TLS 1.2.
if (!CBB_add_u16(&body, signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
}
- /* Set aside space for the signature. */
+ // Set aside space for the signature.
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *ptr;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
!CBB_reserve(&child, &ptr, max_sig_len)) {
- return -1;
+ return ssl_hs_error;
}
size_t sig_len = max_sig_len;
- /* The SSL3 construction for CertificateVerify does not decompose into a
- * single final digest and signature, and must be special-cased. */
+ // The SSL3 construction for CertificateVerify does not decompose into a
+ // single final digest and signature, and must be special-cased.
if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
if (ssl->cert->key_method != NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
- return -1;
+ return ssl_hs_error;
}
uint8_t digest[EVP_MAX_MD_SIZE];
size_t digest_len;
if (!hs->transcript.GetSSL3CertVerifyHash(
digest, &digest_len, hs->new_session.get(), signature_algorithm)) {
- return -1;
+ return ssl_hs_error;
}
UniquePtr<EVP_PKEY_CTX> pctx(EVP_PKEY_CTX_new(ssl->cert->privatekey, NULL));
if (!pctx ||
!EVP_PKEY_sign_init(pctx.get()) ||
!EVP_PKEY_sign(pctx.get(), ptr, &sig_len, digest, digest_len)) {
- return -1;
+ return ssl_hs_error;
}
} else {
switch (ssl_private_key_sign(
@@ -1698,78 +1456,125 @@
case ssl_private_key_success:
break;
case ssl_private_key_failure:
- return -1;
+ return ssl_hs_error;
case ssl_private_key_retry:
- ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
- return -1;
+ hs->state = state_send_client_certificate_verify;
+ return ssl_hs_private_key_operation;
}
}
if (!CBB_did_write(&child, sig_len) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
- return -1;
+ return ssl_hs_error;
}
- /* The handshake buffer is no longer necessary. */
+ // The handshake buffer is no longer necessary.
hs->transcript.FreeBuffer();
- return 1;
+
+ hs->state = state_send_client_finished;
+ return ssl_hs_ok;
}
-static int ssl3_send_next_proto(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- static const uint8_t kZero[32] = {0};
- size_t padding_len = 32 - ((ssl->s3->next_proto_negotiated_len + 2) % 32);
+ // Resolve Channel ID first, before any non-idempotent operations.
+ if (ssl->s3->tlsext_channel_id_valid) {
+ if (!ssl_do_channel_id_callback(ssl)) {
+ return ssl_hs_error;
+ }
- ScopedCBB cbb;
- CBB body, child;
- if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_NEXT_PROTO) ||
- !CBB_add_u8_length_prefixed(&body, &child) ||
- !CBB_add_bytes(&child, ssl->s3->next_proto_negotiated,
- ssl->s3->next_proto_negotiated_len) ||
- !CBB_add_u8_length_prefixed(&body, &child) ||
- !CBB_add_bytes(&child, kZero, padding_len) ||
- !ssl_add_message_cbb(ssl, cbb.get())) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ if (ssl->tlsext_channel_id_private == NULL) {
+ hs->state = state_send_client_finished;
+ return ssl_hs_channel_id_lookup;
+ }
}
- return 1;
+ if (!ssl->method->add_change_cipher_spec(ssl) ||
+ !tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
+ return ssl_hs_error;
+ }
+
+ if (hs->next_proto_neg_seen) {
+ static const uint8_t kZero[32] = {0};
+ size_t padding_len = 32 - ((ssl->s3->next_proto_negotiated_len + 2) % 32);
+
+ ScopedCBB cbb;
+ CBB body, child;
+ if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_NEXT_PROTO) ||
+ !CBB_add_u8_length_prefixed(&body, &child) ||
+ !CBB_add_bytes(&child, ssl->s3->next_proto_negotiated,
+ ssl->s3->next_proto_negotiated_len) ||
+ !CBB_add_u8_length_prefixed(&body, &child) ||
+ !CBB_add_bytes(&child, kZero, padding_len) ||
+ !ssl_add_message_cbb(ssl, cbb.get())) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return ssl_hs_error;
+ }
+ }
+
+ if (ssl->s3->tlsext_channel_id_valid) {
+ ScopedCBB cbb;
+ CBB body;
+ if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
+ !tls1_write_channel_id(hs, &body) ||
+ !ssl_add_message_cbb(ssl, cbb.get())) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return ssl_hs_error;
+ }
+ }
+
+ if (!ssl3_send_finished(hs)) {
+ return ssl_hs_error;
+ }
+
+ hs->state = state_finish_flight;
+ return ssl_hs_flush;
}
-static int ssl3_send_channel_id(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- if (!ssl_do_channel_id_callback(ssl)) {
- return -1;
+ if (ssl->session != NULL) {
+ hs->state = state_finish_client_handshake;
+ return ssl_hs_ok;
}
- if (ssl->tlsext_channel_id_private == NULL) {
- ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;
- return -1;
+ // This is a full handshake. If it involves ChannelID, then record the
+ // handshake hashes at this point in the session so that any resumption of
+ // this session with ChannelID can sign those hashes.
+ if (!tls1_record_handshake_hashes_for_channel_id(hs)) {
+ return ssl_hs_error;
}
- ScopedCBB cbb;
- CBB body;
- if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
- !tls1_write_channel_id(hs, &body) ||
- !ssl_add_message_cbb(ssl, cbb.get())) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ hs->state = state_read_session_ticket;
+
+ if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) &&
+ ssl3_can_false_start(ssl) &&
+ // No False Start on renegotiation (would complicate the state machine).
+ !ssl->s3->initial_handshake_complete) {
+ hs->in_false_start = true;
+ hs->can_early_write = true;
+ return ssl_hs_early_return;
}
- return 1;
+ return ssl_hs_ok;
}
-static int ssl3_get_new_session_ticket(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ if (!hs->ticket_expected) {
+ hs->state = state_process_change_cipher_spec;
+ return ssl_hs_read_change_cipher_spec;
+ }
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEW_SESSION_TICKET) ||
!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
CBS new_session_ticket = msg.body, ticket;
@@ -1779,50 +1584,51 @@
CBS_len(&new_session_ticket) != 0) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (CBS_len(&ticket) == 0) {
- /* RFC 5077 allows a server to change its mind and send no ticket after
- * negotiating the extension. The value of |ticket_expected| is checked in
- * |ssl_update_cache| so is cleared here to avoid an unnecessary update. */
- hs->ticket_expected = 0;
+ // RFC 5077 allows a server to change its mind and send no ticket after
+ // negotiating the extension. The value of |ticket_expected| is checked in
+ // |ssl_update_cache| so is cleared here to avoid an unnecessary update.
+ hs->ticket_expected = false;
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_process_change_cipher_spec;
+ return ssl_hs_read_change_cipher_spec;
}
SSL_SESSION *session = hs->new_session.get();
UniquePtr<SSL_SESSION> renewed_session;
if (ssl->session != NULL) {
- /* The server is sending a new ticket for an existing session. Sessions are
- * immutable once established, so duplicate all but the ticket of the
- * existing session. */
+ // The server is sending a new ticket for an existing session. Sessions are
+ // immutable once established, so duplicate all but the ticket of the
+ // existing session.
renewed_session =
SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
if (!renewed_session) {
- /* This should never happen. */
+ // This should never happen.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
session = renewed_session.get();
}
- /* |tlsext_tick_lifetime_hint| is measured from when the ticket was issued. */
+ // |tlsext_tick_lifetime_hint| is measured from when the ticket was issued.
ssl_session_rebase_time(ssl, session);
if (!CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
- return -1;
+ return ssl_hs_error;
}
session->tlsext_tick_lifetime_hint = tlsext_tick_lifetime_hint;
- /* Generate a session ID for this session based on the session ticket. We use
- * the session ID mechanism for detecting ticket resumption. This also fits in
- * with assumptions elsewhere in OpenSSL.*/
+ // Generate a session ID for this session based on the session ticket. We use
+ // the session ID mechanism for detecting ticket resumption. This also fits in
+ // with assumptions elsewhere in OpenSSL.
if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
session->session_id, &session->session_id_length,
EVP_sha256(), NULL)) {
- return -1;
+ return ssl_hs_error;
}
if (renewed_session) {
@@ -1832,7 +1638,203 @@
}
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_process_change_cipher_spec;
+ return ssl_hs_read_change_cipher_spec;
}
-} // namespace bssl
+static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
+ if (!tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_CLIENT_READ)) {
+ return ssl_hs_error;
+ }
+
+ hs->state = state_read_server_finished;
+ return ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+ enum ssl_hs_wait_t wait = ssl_get_finished(hs);
+ if (wait != ssl_hs_ok) {
+ return wait;
+ }
+
+ if (ssl->session != NULL) {
+ hs->state = state_send_client_finished;
+ return ssl_hs_ok;
+ }
+
+ hs->state = state_finish_client_handshake;
+ return ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_finish_client_handshake(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+
+ ssl->method->on_handshake_complete(ssl);
+
+ SSL_SESSION_free(ssl->s3->established_session);
+ if (ssl->session != NULL) {
+ SSL_SESSION_up_ref(ssl->session);
+ ssl->s3->established_session = ssl->session;
+ } else {
+ // We make a copy of the session in order to maintain the immutability
+ // of the new established_session due to False Start. The caller may
+ // have taken a reference to the temporary session.
+ ssl->s3->established_session =
+ SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL)
+ .release();
+ if (ssl->s3->established_session == NULL) {
+ return ssl_hs_error;
+ }
+ // Renegotiations do not participate in session resumption.
+ if (!ssl->s3->initial_handshake_complete) {
+ ssl->s3->established_session->not_resumable = 0;
+ }
+
+ hs->new_session.reset();
+ }
+
+ hs->handshake_finalized = true;
+ ssl->s3->initial_handshake_complete = true;
+ ssl_update_cache(hs, SSL_SESS_CACHE_CLIENT);
+
+ hs->state = state_done;
+ return ssl_hs_ok;
+}
+
+enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs) {
+ while (hs->state != state_done) {
+ enum ssl_hs_wait_t ret = ssl_hs_error;
+ enum ssl_client_hs_state_t state =
+ static_cast<enum ssl_client_hs_state_t>(hs->state);
+ switch (state) {
+ case state_start_connect:
+ ret = do_start_connect(hs);
+ break;
+ case state_enter_early_data:
+ ret = do_enter_early_data(hs);
+ break;
+ case state_read_hello_verify_request:
+ ret = do_read_hello_verify_request(hs);
+ break;
+ case state_read_server_hello:
+ ret = do_read_server_hello(hs);
+ break;
+ case state_tls13:
+ ret = do_tls13(hs);
+ break;
+ case state_read_server_certificate:
+ ret = do_read_server_certificate(hs);
+ break;
+ case state_read_certificate_status:
+ ret = do_read_certificate_status(hs);
+ break;
+ case state_verify_server_certificate:
+ ret = do_verify_server_certificate(hs);
+ break;
+ case state_read_server_key_exchange:
+ ret = do_read_server_key_exchange(hs);
+ break;
+ case state_read_certificate_request:
+ ret = do_read_certificate_request(hs);
+ break;
+ case state_read_server_hello_done:
+ ret = do_read_server_hello_done(hs);
+ break;
+ case state_send_client_certificate:
+ ret = do_send_client_certificate(hs);
+ break;
+ case state_send_client_key_exchange:
+ ret = do_send_client_key_exchange(hs);
+ break;
+ case state_send_client_certificate_verify:
+ ret = do_send_client_certificate_verify(hs);
+ break;
+ case state_send_client_finished:
+ ret = do_send_client_finished(hs);
+ break;
+ case state_finish_flight:
+ ret = do_finish_flight(hs);
+ break;
+ case state_read_session_ticket:
+ ret = do_read_session_ticket(hs);
+ break;
+ case state_process_change_cipher_spec:
+ ret = do_process_change_cipher_spec(hs);
+ break;
+ case state_read_server_finished:
+ ret = do_read_server_finished(hs);
+ break;
+ case state_finish_client_handshake:
+ ret = do_finish_client_handshake(hs);
+ break;
+ case state_done:
+ ret = ssl_hs_ok;
+ break;
+ }
+
+ if (hs->state != state) {
+ ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
+ }
+
+ if (ret != ssl_hs_ok) {
+ return ret;
+ }
+ }
+
+ ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);
+ return ssl_hs_ok;
+}
+
+const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs) {
+ enum ssl_client_hs_state_t state =
+ static_cast<enum ssl_client_hs_state_t>(hs->state);
+ switch (state) {
+ case state_start_connect:
+ return "TLS client start_connect";
+ case state_enter_early_data:
+ return "TLS client enter_early_data";
+ case state_read_hello_verify_request:
+ return "TLS client read_hello_verify_request";
+ case state_read_server_hello:
+ return "TLS client read_server_hello";
+ case state_tls13:
+ return tls13_client_handshake_state(hs);
+ case state_read_server_certificate:
+ return "TLS client read_server_certificate";
+ case state_read_certificate_status:
+ return "TLS client read_certificate_status";
+ case state_verify_server_certificate:
+ return "TLS client verify_server_certificate";
+ case state_read_server_key_exchange:
+ return "TLS client read_server_key_exchange";
+ case state_read_certificate_request:
+ return "TLS client read_certificate_request";
+ case state_read_server_hello_done:
+ return "TLS client read_server_hello_done";
+ case state_send_client_certificate:
+ return "TLS client send_client_certificate";
+ case state_send_client_key_exchange:
+ return "TLS client send_client_key_exchange";
+ case state_send_client_certificate_verify:
+ return "TLS client send_client_certificate_verify";
+ case state_send_client_finished:
+ return "TLS client send_client_finished";
+ case state_finish_flight:
+ return "TLS client finish_flight";
+ case state_read_session_ticket:
+ return "TLS client read_session_ticket";
+ case state_process_change_cipher_spec:
+ return "TLS client process_change_cipher_spec";
+ case state_read_server_finished:
+ return "TLS client read_server_finished";
+ case state_finish_client_handshake:
+ return "TLS client finish_client_handshake";
+ case state_done:
+ return "TLS client done";
+ }
+
+ return "TLS client unknown";
+}
+
+}
diff --git a/src/ssl/handshake_server.cc b/src/ssl/handshake_server.cc
index 2d5b85e..f196db0 100644
--- a/src/ssl/handshake_server.cc
+++ b/src/ssl/handshake_server.cc
@@ -4,21 +4,21 @@
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
- *
+ *
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ *
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -33,10 +33,10 @@
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ *
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +48,7 @@
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
- *
+ *
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
@@ -62,7 +62,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -110,7 +110,7 @@
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
- * Portions of the attached software ("Contribution") are developed by
+ * Portions of the attached software ("Contribution") are developed by
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
*
* The Contribution is licensed pursuant to the OpenSSL open source
@@ -172,284 +172,29 @@
namespace bssl {
-static int ssl3_read_client_hello(SSL_HANDSHAKE *hs);
-static int ssl3_select_certificate(SSL_HANDSHAKE *hs);
-static int ssl3_select_parameters(SSL_HANDSHAKE *hs);
-static int ssl3_send_server_hello(SSL_HANDSHAKE *hs);
-static int ssl3_send_server_certificate(SSL_HANDSHAKE *hs);
-static int ssl3_send_server_key_exchange(SSL_HANDSHAKE *hs);
-static int ssl3_send_server_hello_done(SSL_HANDSHAKE *hs);
-static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs);
-static int ssl3_get_client_key_exchange(SSL_HANDSHAKE *hs);
-static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs);
-static int ssl3_get_next_proto(SSL_HANDSHAKE *hs);
-static int ssl3_get_channel_id(SSL_HANDSHAKE *hs);
-static int ssl3_send_server_finished(SSL_HANDSHAKE *hs);
-
-int ssl3_accept(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- int ret = -1;
-
- assert(ssl->handshake_func == ssl3_accept);
- assert(ssl->server);
-
- for (;;) {
- int state = hs->state;
-
- switch (hs->state) {
- case SSL_ST_INIT:
- ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
- hs->state = SSL3_ST_SR_CLNT_HELLO_A;
- break;
-
- case SSL3_ST_SR_CLNT_HELLO_A:
- ret = ssl3_read_client_hello(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_SR_CLNT_HELLO_B;
- break;
-
- case SSL3_ST_SR_CLNT_HELLO_B:
- ret = ssl3_select_certificate(hs);
- if (ret <= 0) {
- goto end;
- }
- if (hs->state != SSL_ST_TLS13) {
- hs->state = SSL3_ST_SR_CLNT_HELLO_C;
- }
- break;
-
- case SSL3_ST_SR_CLNT_HELLO_C:
- ret = ssl3_select_parameters(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_SW_SRVR_HELLO_A;
- break;
-
- case SSL3_ST_SW_SRVR_HELLO_A:
- ret = ssl3_send_server_hello(hs);
- if (ret <= 0) {
- goto end;
- }
- if (ssl->session != NULL) {
- hs->state = SSL3_ST_SW_FINISHED_A;
- } else {
- hs->state = SSL3_ST_SW_CERT_A;
- }
- break;
-
- case SSL3_ST_SW_CERT_A:
- ret = ssl3_send_server_certificate(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_SW_KEY_EXCH_A;
- break;
-
- case SSL3_ST_SW_KEY_EXCH_A:
- if (hs->server_params_len > 0) {
- ret = ssl3_send_server_key_exchange(hs);
- if (ret <= 0) {
- goto end;
- }
- }
-
- hs->state = SSL3_ST_SW_SRVR_DONE_A;
- break;
-
- case SSL3_ST_SW_SRVR_DONE_A:
- ret = ssl3_send_server_hello_done(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->next_state = SSL3_ST_SR_CERT_A;
- hs->state = SSL3_ST_SW_FLUSH;
- break;
-
- case SSL3_ST_SR_CERT_A:
- if (hs->cert_request) {
- ret = ssl3_get_client_certificate(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_VERIFY_CLIENT_CERT;
- break;
-
- case SSL3_ST_VERIFY_CLIENT_CERT:
- if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) > 0) {
- switch (ssl_verify_peer_cert(hs)) {
- case ssl_verify_ok:
- break;
- case ssl_verify_invalid:
- ret = -1;
- goto end;
- case ssl_verify_retry:
- ssl->rwstate = SSL_CERTIFICATE_VERIFY;
- ret = -1;
- goto end;
- }
- }
- hs->state = SSL3_ST_SR_KEY_EXCH_A;
- break;
-
- case SSL3_ST_SR_KEY_EXCH_A:
- ret = ssl3_get_client_key_exchange(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_SR_CERT_VRFY_A;
- break;
-
- case SSL3_ST_SR_CERT_VRFY_A:
- ret = ssl3_get_cert_verify(hs);
- if (ret <= 0) {
- goto end;
- }
-
- hs->state = SSL3_ST_SR_CHANGE;
- break;
-
- case SSL3_ST_SR_CHANGE:
- ret = ssl->method->read_change_cipher_spec(ssl);
- if (ret <= 0) {
- goto end;
- }
-
- if (!tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_READ)) {
- ret = -1;
- goto end;
- }
-
- hs->state = SSL3_ST_SR_NEXT_PROTO_A;
- break;
-
- case SSL3_ST_SR_NEXT_PROTO_A:
- if (hs->next_proto_neg_seen) {
- ret = ssl3_get_next_proto(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_SR_CHANNEL_ID_A;
- break;
-
- case SSL3_ST_SR_CHANNEL_ID_A:
- if (ssl->s3->tlsext_channel_id_valid) {
- ret = ssl3_get_channel_id(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- hs->state = SSL3_ST_SR_FINISHED_A;
- break;
-
- case SSL3_ST_SR_FINISHED_A:
- ret = ssl3_get_finished(hs);
- if (ret <= 0) {
- goto end;
- }
-
- if (ssl->session != NULL) {
- hs->state = SSL_ST_OK;
- } else {
- hs->state = SSL3_ST_SW_FINISHED_A;
- }
-
- /* If this is a full handshake with ChannelID then record the handshake
- * hashes in |hs->new_session| in case we need them to verify a
- * ChannelID signature on a resumption of this session in the future. */
- if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid) {
- ret = tls1_record_handshake_hashes_for_channel_id(hs);
- if (ret <= 0) {
- goto end;
- }
- }
- break;
-
- case SSL3_ST_SW_FINISHED_A:
- ret = ssl3_send_server_finished(hs);
- if (ret <= 0) {
- goto end;
- }
- hs->state = SSL3_ST_SW_FLUSH;
- if (ssl->session != NULL) {
- hs->next_state = SSL3_ST_SR_CHANGE;
- } else {
- hs->next_state = SSL_ST_OK;
- }
- break;
-
- case SSL3_ST_SW_FLUSH:
- ret = ssl->method->flush_flight(ssl);
- if (ret <= 0) {
- goto end;
- }
-
- hs->state = hs->next_state;
- break;
-
- case SSL_ST_TLS13: {
- int early_return = 0;
- ret = tls13_handshake(hs, &early_return);
- if (ret <= 0) {
- goto end;
- }
-
- if (early_return) {
- ret = 1;
- goto end;
- }
-
- hs->state = SSL_ST_OK;
- break;
- }
-
- case SSL_ST_OK:
- ssl->method->on_handshake_complete(ssl);
-
- /* If we aren't retaining peer certificates then we can discard it
- * now. */
- if (hs->new_session != NULL &&
- ssl->retain_only_sha256_of_client_certs) {
- sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
- hs->new_session->certs = NULL;
- ssl->ctx->x509_method->session_clear(hs->new_session.get());
- }
-
- SSL_SESSION_free(ssl->s3->established_session);
- if (ssl->session != NULL) {
- SSL_SESSION_up_ref(ssl->session);
- ssl->s3->established_session = ssl->session;
- } else {
- ssl->s3->established_session = hs->new_session.release();
- ssl->s3->established_session->not_resumable = 0;
- }
-
- ssl->s3->initial_handshake_complete = 1;
- ssl_update_cache(hs, SSL_SESS_CACHE_SERVER);
-
- ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_DONE, 1);
- ret = 1;
- goto end;
-
- default:
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_STATE);
- ret = -1;
- goto end;
- }
-
- if (hs->state != state) {
- ssl_do_info_callback(ssl, SSL_CB_ACCEPT_LOOP, 1);
- }
- }
-
-end:
- ssl_do_info_callback(ssl, SSL_CB_ACCEPT_EXIT, ret);
- return ret;
-}
+enum ssl_server_hs_state_t {
+ state_start_accept = 0,
+ state_read_client_hello,
+ state_select_certificate,
+ state_tls13,
+ state_select_parameters,
+ state_send_server_hello,
+ state_send_server_certificate,
+ state_send_server_key_exchange,
+ state_send_server_hello_done,
+ state_read_client_certificate,
+ state_verify_client_certificate,
+ state_read_client_key_exchange,
+ state_read_client_certificate_verify,
+ state_read_change_cipher_spec,
+ state_process_change_cipher_spec,
+ state_read_next_proto,
+ state_read_channel_id,
+ state_read_client_finished,
+ state_send_server_finished,
+ state_finish_server_handshake,
+ state_done,
+};
int ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO *client_hello,
uint16_t id) {
@@ -486,18 +231,18 @@
return 0;
}
} else {
- /* Convert the ClientHello version to an equivalent supported_versions
- * extension. */
+ // Convert the ClientHello version to an equivalent supported_versions
+ // extension.
static const uint8_t kTLSVersions[] = {
- 0x03, 0x03, /* TLS 1.2 */
- 0x03, 0x02, /* TLS 1.1 */
- 0x03, 0x01, /* TLS 1 */
- 0x03, 0x00, /* SSL 3 */
+ 0x03, 0x03, // TLS 1.2
+ 0x03, 0x02, // TLS 1.1
+ 0x03, 0x01, // TLS 1
+ 0x03, 0x00, // SSL 3
};
static const uint8_t kDTLSVersions[] = {
- 0xfe, 0xfd, /* DTLS 1.2 */
- 0xfe, 0xff, /* DTLS 1.0 */
+ 0xfe, 0xfd, // DTLS 1.2
+ 0xfe, 0xff, // DTLS 1.0
};
size_t versions_len = 0;
@@ -528,11 +273,11 @@
return 0;
}
- /* At this point, the connection's version is known and |ssl->version| is
- * fixed. Begin enforcing the record-layer version. */
- ssl->s3->have_version = 1;
+ // At this point, the connection's version is known and |ssl->version| is
+ // fixed. Begin enforcing the record-layer version.
+ ssl->s3->have_version = true;
- /* Handle FALLBACK_SCSV. */
+ // Handle FALLBACK_SCSV.
if (ssl_client_cipher_list_contains_cipher(client_hello,
SSL3_CK_FALLBACK_SCSV & 0xffff) &&
ssl3_protocol_version(ssl) < hs->max_version) {
@@ -574,10 +319,10 @@
return sk;
}
-/* ssl_get_compatible_server_ciphers determines the key exchange and
- * authentication cipher suite masks compatible with the server configuration
- * and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
- * exchange mask and |*out_mask_a| to the authentication mask. */
+// ssl_get_compatible_server_ciphers determines the key exchange and
+// authentication cipher suite masks compatible with the server configuration
+// and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
+// exchange mask and |*out_mask_a| to the authentication mask.
static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs,
uint32_t *out_mask_k,
uint32_t *out_mask_a) {
@@ -592,13 +337,13 @@
}
}
- /* Check for a shared group to consider ECDHE ciphers. */
+ // Check for a shared group to consider ECDHE ciphers.
uint16_t unused;
if (tls1_get_shared_group(hs, &unused)) {
mask_k |= SSL_kECDHE;
}
- /* PSK requires a server callback. */
+ // PSK requires a server callback.
if (ssl->psk_server_callback != NULL) {
mask_k |= SSL_kPSK;
mask_a |= SSL_aPSK;
@@ -613,13 +358,13 @@
const struct ssl_cipher_preference_list_st *server_pref) {
SSL *const ssl = hs->ssl;
STACK_OF(SSL_CIPHER) *prio, *allow;
- /* in_group_flags will either be NULL, or will point to an array of bytes
- * which indicate equal-preference groups in the |prio| stack. See the
- * comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
- * struct. */
+ // in_group_flags will either be NULL, or will point to an array of bytes
+ // which indicate equal-preference groups in the |prio| stack. See the
+ // comment about |in_group_flags| in the |ssl_cipher_preference_list_st|
+ // struct.
const uint8_t *in_group_flags;
- /* group_min contains the minimal index so far found in a group, or -1 if no
- * such value exists yet. */
+ // group_min contains the minimal index so far found in a group, or -1 if no
+ // such value exists yet.
int group_min = -1;
UniquePtr<STACK_OF(SSL_CIPHER)> client_pref =
@@ -645,17 +390,17 @@
const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);
size_t cipher_index;
- if (/* Check if the cipher is supported for the current version. */
+ if (// Check if the cipher is supported for the current version.
SSL_CIPHER_get_min_version(c) <= ssl3_protocol_version(ssl) &&
ssl3_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) &&
- /* Check the cipher is supported for the server configuration. */
+ // Check the cipher is supported for the server configuration.
(c->algorithm_mkey & mask_k) &&
(c->algorithm_auth & mask_a) &&
- /* Check the cipher is in the |allow| list. */
+ // Check the cipher is in the |allow| list.
sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
if (in_group_flags != NULL && in_group_flags[i] == 1) {
- /* This element of |prio| is in a group. Update the minimum index found
- * so far and continue looking. */
+ // This element of |prio| is in a group. Update the minimum index found
+ // so far and continue looking.
if (group_min == -1 || (size_t)group_min > cipher_index) {
group_min = cipher_index;
}
@@ -668,8 +413,8 @@
}
if (in_group_flags != NULL && in_group_flags[i] == 0 && group_min != -1) {
- /* We are about to leave a group, but we found a match in it, so that's
- * our answer. */
+ // We are about to leave a group, but we found a match in it, so that's
+ // our answer.
return sk_SSL_CIPHER_value(allow, group_min);
}
}
@@ -677,191 +422,200 @@
return nullptr;
}
-static int ssl3_read_client_hello(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) {
+ ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1);
+ hs->state = state_read_client_hello;
+ return ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
+
if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
- return -1;
+ return ssl_hs_error;
}
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* Run the early callback. */
+ // Run the early callback.
if (ssl->ctx->select_certificate_cb != NULL) {
switch (ssl->ctx->select_certificate_cb(&client_hello)) {
case ssl_select_cert_retry:
- ssl->rwstate = SSL_CERTIFICATE_SELECTION_PENDING;
- return -1;
+ return ssl_hs_certificate_selection_pending;
case ssl_select_cert_error:
- /* Connection rejected. */
+ // Connection rejected.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
default:
/* fallthrough */;
}
}
- /* Freeze the version range after the early callback. */
+ // Freeze the version range after the early callback.
if (!ssl_get_version_range(ssl, &hs->min_version, &hs->max_version)) {
- return -1;
+ return ssl_hs_error;
}
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!negotiate_version(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- return -1;
+ return ssl_hs_error;
}
hs->client_version = client_hello.version;
if (client_hello.random_len != SSL3_RANDOM_SIZE) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
client_hello.random_len);
- /* Only null compression is supported. TLS 1.3 further requires the peer
- * advertise no other compression. */
+ // Only null compression is supported. TLS 1.3 further requires the peer
+ // advertise no other compression.
if (OPENSSL_memchr(client_hello.compression_methods, 0,
client_hello.compression_methods_len) == NULL ||
(ssl3_protocol_version(ssl) >= TLS1_3_VERSION &&
client_hello.compression_methods_len != 1)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return -1;
+ return ssl_hs_error;
}
- /* TLS extensions. */
+ // TLS extensions.
if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
- return -1;
+ return ssl_hs_error;
}
- return 1;
+ hs->state = state_select_certificate;
+ return ssl_hs_ok;
}
-static int ssl3_select_certificate(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
- /* Call |cert_cb| to update server certificates if required. */
+ // Call |cert_cb| to update server certificates if required.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (rv < 0) {
- ssl->rwstate = SSL_X509_LOOKUP;
- return -1;
+ return ssl_hs_x509_lookup;
}
}
if (!ssl_on_certificate_selected(hs)) {
- return -1;
+ return ssl_hs_error;
}
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
- /* Jump to the TLS 1.3 state machine. */
- hs->state = SSL_ST_TLS13;
- hs->do_tls13_handshake = tls13_server_handshake;
- return 1;
+ // Jump to the TLS 1.3 state machine.
+ hs->state = state_tls13;
+ return ssl_hs_ok;
}
SSL_CLIENT_HELLO client_hello;
if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
- return -1;
+ return ssl_hs_error;
}
- /* Negotiate the cipher suite. This must be done after |cert_cb| so the
- * certificate is finalized. */
+ // Negotiate the cipher suite. This must be done after |cert_cb| so the
+ // certificate is finalized.
hs->new_cipher =
ssl3_choose_cipher(hs, &client_hello, ssl_get_cipher_preferences(ssl));
if (hs->new_cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
- return 1;
+ hs->state = state_select_parameters;
+ return ssl_hs_ok;
}
-static int ssl3_select_parameters(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
- }
- SSL_CLIENT_HELLO client_hello;
- if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
- return -1;
+static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {
+ enum ssl_hs_wait_t wait = tls13_server_handshake(hs);
+ if (wait == ssl_hs_ok) {
+ hs->state = state_finish_server_handshake;
+ return ssl_hs_ok;
}
- /* Determine whether we are doing session resumption. */
+ return wait;
+}
+
+static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+
+ SSLMessage msg;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
+ }
+
+ SSL_CLIENT_HELLO client_hello;
+ if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
+ return ssl_hs_error;
+ }
+
+ // Determine whether we are doing session resumption.
UniquePtr<SSL_SESSION> session;
- int tickets_supported = 0, renew_ticket = 0;
- switch (ssl_get_prev_session(ssl, &session, &tickets_supported, &renew_ticket,
- &client_hello)) {
- case ssl_session_success:
- break;
- case ssl_session_error:
- return -1;
- case ssl_session_retry:
- ssl->rwstate = SSL_PENDING_SESSION;
- return -1;
- case ssl_session_ticket_retry:
- ssl->rwstate = SSL_PENDING_TICKET;
- return -1;
+ bool tickets_supported = false, renew_ticket = false;
+ enum ssl_hs_wait_t wait = ssl_get_prev_session(
+ ssl, &session, &tickets_supported, &renew_ticket, &client_hello);
+ if (wait != ssl_hs_ok) {
+ return wait;
}
if (session) {
if (session->extended_master_secret && !hs->extended_master_secret) {
- /* A ClientHello without EMS that attempts to resume a session with EMS
- * is fatal to the connection. */
+ // A ClientHello without EMS that attempts to resume a session with EMS
+ // is fatal to the connection.
OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
if (!ssl_session_is_resumable(hs, session.get()) ||
- /* If the client offers the EMS extension, but the previous session
- * didn't use it, then negotiate a new session. */
+ // If the client offers the EMS extension, but the previous session
+ // didn't use it, then negotiate a new session.
hs->extended_master_secret != session->extended_master_secret) {
session.reset();
}
}
if (session) {
- /* Use the old session. */
+ // Use the old session.
hs->ticket_expected = renew_ticket;
ssl->session = session.release();
- ssl->s3->session_reused = 1;
+ ssl->s3->session_reused = true;
} else {
hs->ticket_expected = tickets_supported;
ssl_set_session(ssl, NULL);
if (!ssl_get_new_session(hs, 1 /* server */)) {
- return -1;
+ return ssl_hs_error;
}
- /* Clear the session ID if we want the session to be single-use. */
+ // Clear the session ID if we want the session to be single-use.
if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
hs->new_session->session_id_length = 0;
}
@@ -869,85 +623,87 @@
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
- /* Connection rejected for DOS reasons. */
+ // Connection rejected for DOS reasons.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (ssl->session == NULL) {
hs->new_session->cipher = hs->new_cipher;
- /* On new sessions, stash the SNI value in the session. */
+ // On new sessions, stash the SNI value in the session.
if (hs->hostname != NULL) {
OPENSSL_free(hs->new_session->tlsext_hostname);
hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname.get());
if (hs->new_session->tlsext_hostname == NULL) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
}
- /* Determine whether to request a client certificate. */
+ // Determine whether to request a client certificate.
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
- /* Only request a certificate if Channel ID isn't negotiated. */
+ // Only request a certificate if Channel ID isn't negotiated.
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
ssl->s3->tlsext_channel_id_valid) {
- hs->cert_request = 0;
+ hs->cert_request = false;
}
- /* CertificateRequest may only be sent in certificate-based ciphers. */
+ // CertificateRequest may only be sent in certificate-based ciphers.
if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
- hs->cert_request = 0;
+ hs->cert_request = false;
}
if (!hs->cert_request) {
- /* OpenSSL returns X509_V_OK when no certificates are requested. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are requested. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
}
}
- /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
- * deferred. Complete it now. */
+ // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
+ // deferred. Complete it now.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- return -1;
+ return ssl_hs_error;
}
- /* Now that all parameters are known, initialize the handshake hash and hash
- * the ClientHello. */
+ // Now that all parameters are known, initialize the handshake hash and hash
+ // the ClientHello.
if (!hs->transcript.InitHash(ssl3_protocol_version(ssl), hs->new_cipher) ||
!ssl_hash_message(hs, msg)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* Release the handshake buffer if client authentication isn't required. */
+ // Release the handshake buffer if client authentication isn't required.
if (!hs->cert_request) {
hs->transcript.FreeBuffer();
}
ssl->method->next_message(ssl);
- return 1;
+
+ hs->state = state_send_server_hello;
+ return ssl_hs_ok;
}
-static int ssl3_send_server_hello(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* We only accept ChannelIDs on connections with ECDHE in order to avoid a
- * known attack while we fix ChannelID itself. */
+ // We only accept ChannelIDs on connections with ECDHE in order to avoid a
+ // known attack while we fix ChannelID itself.
if (ssl->s3->tlsext_channel_id_valid &&
(hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
- ssl->s3->tlsext_channel_id_valid = 0;
+ ssl->s3->tlsext_channel_id_valid = false;
}
- /* If this is a resumption and the original handshake didn't support
- * ChannelID then we didn't record the original handshake hashes in the
- * session and so cannot resume with ChannelIDs. */
+ // If this is a resumption and the original handshake didn't support
+ // ChannelID then we didn't record the original handshake hashes in the
+ // session and so cannot resume with ChannelIDs.
if (ssl->session != NULL &&
ssl->session->original_handshake_hash_len == 0) {
- ssl->s3->tlsext_channel_id_valid = 0;
+ ssl->s3->tlsext_channel_id_valid = false;
}
struct OPENSSL_timeval now;
@@ -957,11 +713,11 @@
ssl->s3->server_random[2] = now.tv_sec >> 8;
ssl->s3->server_random[3] = now.tv_sec;
if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) {
- return -1;
+ return ssl_hs_error;
}
- /* TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
- * 1.3 is finalized and we are not implementing a draft version. */
+ // TODO(davidben): Implement the TLS 1.1 and 1.2 downgrade sentinels once TLS
+ // 1.3 is finalized and we are not implementing a draft version.
const SSL_SESSION *session = hs->new_session.get();
if (ssl->session != NULL) {
@@ -981,24 +737,29 @@
!ssl_add_serverhello_tlsext(hs, &body) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
- return 1;
+ if (ssl->session != NULL) {
+ hs->state = state_send_server_finished;
+ } else {
+ hs->state = state_send_server_certificate;
+ }
+ return ssl_hs_ok;
}
-static int ssl3_send_server_certificate(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
ScopedCBB cbb;
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
if (!ssl_has_certificate(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
- return -1;
+ return ssl_hs_error;
}
if (!ssl3_output_cert_chain(ssl)) {
- return -1;
+ return ssl_hs_error;
}
if (hs->certificate_status_expected) {
@@ -1012,107 +773,114 @@
CRYPTO_BUFFER_len(ssl->cert->ocsp_response)) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
}
}
- /* Assemble ServerKeyExchange parameters if needed. */
+ // Assemble ServerKeyExchange parameters if needed.
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) ||
((alg_a & SSL_aPSK) && ssl->psk_identity_hint)) {
- /* Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
- * the client and server randoms for the signing transcript. */
+ // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
+ // the client and server randoms for the signing transcript.
CBB child;
if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) ||
!CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
!CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) {
- return -1;
+ return ssl_hs_error;
}
- /* PSK ciphers begin with an identity hint. */
+ // PSK ciphers begin with an identity hint.
if (alg_a & SSL_aPSK) {
size_t len =
(ssl->psk_identity_hint == NULL) ? 0 : strlen(ssl->psk_identity_hint);
if (!CBB_add_u16_length_prefixed(cbb.get(), &child) ||
!CBB_add_bytes(&child, (const uint8_t *)ssl->psk_identity_hint,
len)) {
- return -1;
+ return ssl_hs_error;
}
}
if (alg_k & SSL_kECDHE) {
- /* Determine the group to use. */
+ // Determine the group to use.
uint16_t group_id;
if (!tls1_get_shared_group(hs, &group_id)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
hs->new_session->group_id = group_id;
- /* Set up ECDH, generate a key, and emit the public half. */
+ // Set up ECDH, generate a key, and emit the public half.
hs->key_share = SSLKeyShare::Create(group_id);
if (!hs->key_share ||
!CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
!CBB_add_u16(cbb.get(), group_id) ||
!CBB_add_u8_length_prefixed(cbb.get(), &child) ||
!hs->key_share->Offer(&child)) {
- return -1;
+ return ssl_hs_error;
}
} else {
assert(alg_k & SSL_kPSK);
}
if (!CBB_finish(cbb.get(), &hs->server_params, &hs->server_params_len)) {
- return -1;
+ return ssl_hs_error;
}
}
- return 1;
+ hs->state = state_send_server_key_exchange;
+ return ssl_hs_ok;
}
-static int ssl3_send_server_key_exchange(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ if (hs->server_params_len == 0) {
+ hs->state = state_send_server_hello_done;
+ return ssl_hs_ok;
+ }
+
ScopedCBB cbb;
CBB body, child;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_SERVER_KEY_EXCHANGE) ||
- /* |hs->server_params| contains a prefix for signing. */
+ // |hs->server_params| contains a prefix for signing.
hs->server_params_len < 2 * SSL3_RANDOM_SIZE ||
!CBB_add_bytes(&body, hs->server_params + 2 * SSL3_RANDOM_SIZE,
hs->server_params_len - 2 * SSL3_RANDOM_SIZE)) {
- return -1;
+ return ssl_hs_error;
}
- /* Add a signature. */
+ // Add a signature.
if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
if (!ssl_has_private_key(ssl)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* Determine the signature algorithm. */
+ // Determine the signature algorithm.
uint16_t signature_algorithm;
if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
- return -1;
+ return ssl_hs_error;
}
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
if (!CBB_add_u16(&body, signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
}
- /* Add space for the signature. */
+ // Add space for the signature.
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *ptr;
if (!CBB_add_u16_length_prefixed(&body, &child) ||
!CBB_reserve(&child, &ptr, max_sig_len)) {
- return -1;
+ return ssl_hs_error;
}
size_t sig_len;
@@ -1121,30 +889,31 @@
hs->server_params_len)) {
case ssl_private_key_success:
if (!CBB_did_write(&child, sig_len)) {
- return -1;
+ return ssl_hs_error;
}
break;
case ssl_private_key_failure:
- return -1;
+ return ssl_hs_error;
case ssl_private_key_retry:
- ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
- return -1;
+ return ssl_hs_private_key_operation;
}
}
if (!ssl_add_message_cbb(ssl, cbb.get())) {
- return -1;
+ return ssl_hs_error;
}
OPENSSL_free(hs->server_params);
hs->server_params = NULL;
hs->server_params_len = 0;
- return 1;
+ hs->state = state_send_server_hello_done;
+ return ssl_hs_ok;
}
-static int ssl3_send_server_hello_done(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
ScopedCBB cbb;
CBB body;
@@ -1162,7 +931,7 @@
!ssl_add_client_CA_list(ssl, &body) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
}
@@ -1170,46 +939,51 @@
SSL3_MT_SERVER_HELLO_DONE) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return ssl_hs_error;
}
- return 1;
+ hs->state = state_read_client_certificate;
+ return ssl_hs_flush;
}
-static int ssl3_get_client_certificate(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- assert(hs->cert_request);
+
+ if (!hs->cert_request) {
+ hs->state = state_verify_client_certificate;
+ return ssl_hs_ok;
+ }
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (msg.type != SSL3_MT_CERTIFICATE) {
if (ssl->version == SSL3_VERSION &&
msg.type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
- /* In SSL 3.0, the Certificate message is omitted to signal no
- * certificate. */
+ // In SSL 3.0, the Certificate message is omitted to signal no
+ // certificate.
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
- /* OpenSSL returns X509_V_OK when no certificates are received. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are received. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
- return 1;
+ hs->state = state_verify_client_certificate;
+ return ssl_hs_ok;
}
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- return -1;
+ return ssl_hs_error;
}
if (!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
CBS certificate_msg = msg.body;
@@ -1221,7 +995,7 @@
: NULL,
&certificate_msg, ssl->ctx->pool)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- return -1;
+ return ssl_hs_error;
}
sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
hs->new_session->certs = chain.release();
@@ -1230,66 +1004,84 @@
!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
- /* No client certificate so the handshake buffer may be discarded. */
+ // No client certificate so the handshake buffer may be discarded.
hs->transcript.FreeBuffer();
- /* In SSL 3.0, sending no certificate is signaled by omitting the
- * Certificate message. */
+ // In SSL 3.0, sending no certificate is signaled by omitting the
+ // Certificate message.
if (ssl->version == SSL3_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATES_RETURNED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- /* Fail for TLS only if we required a certificate */
+ // Fail for TLS only if we required a certificate
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return -1;
+ return ssl_hs_error;
}
- /* OpenSSL returns X509_V_OK when no certificates are received. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are received. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
} else if (ssl->retain_only_sha256_of_client_certs) {
- /* The hash will have been filled in. */
+ // The hash will have been filled in.
hs->new_session->peer_sha256_valid = 1;
}
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_verify_client_certificate;
+ return ssl_hs_ok;
}
-static int ssl3_get_client_key_exchange(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_verify_client_certificate(SSL_HANDSHAKE *hs) {
+ if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) > 0) {
+ switch (ssl_verify_peer_cert(hs)) {
+ case ssl_verify_ok:
+ break;
+ case ssl_verify_invalid:
+ return ssl_hs_error;
+ case ssl_verify_retry:
+ return ssl_hs_certificate_verify;
+ }
+ }
+
+ hs->state = state_read_client_key_exchange;
+ return ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ ssl_hs_wait_t ret = ssl_hs_error;
uint8_t *premaster_secret = NULL;
size_t premaster_secret_len = 0;
uint8_t *decrypt_buf = NULL;
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_KEY_EXCHANGE)) {
- return -1;
+ return ssl_hs_error;
}
CBS client_key_exchange = msg.body;
uint32_t alg_k = hs->new_cipher->algorithm_mkey;
uint32_t alg_a = hs->new_cipher->algorithm_auth;
- /* If using a PSK key exchange, parse the PSK identity. */
+ // If using a PSK key exchange, parse the PSK identity.
if (alg_a & SSL_aPSK) {
CBS psk_identity;
- /* If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
- * then this is the only field in the message. */
+ // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
+ // then this is the only field in the message.
if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -1311,8 +1103,8 @@
}
}
- /* Depending on the key exchange method, compute |premaster_secret| and
- * |premaster_secret_len|. */
+ // Depending on the key exchange method, compute |premaster_secret| and
+ // |premaster_secret_len|.
if (alg_k & SSL_kRSA) {
CBS encrypted_premaster_secret;
if (ssl->version > SSL3_VERSION) {
@@ -1327,7 +1119,7 @@
encrypted_premaster_secret = client_key_exchange;
}
- /* Allocate a buffer large enough for an RSA decryption. */
+ // Allocate a buffer large enough for an RSA decryption.
const size_t rsa_size = EVP_PKEY_size(hs->local_pubkey.get());
decrypt_buf = (uint8_t *)OPENSSL_malloc(rsa_size);
if (decrypt_buf == NULL) {
@@ -1335,8 +1127,8 @@
goto err;
}
- /* Decrypt with no padding. PKCS#1 padding will be removed as part of the
- * timing-sensitive code below. */
+ // Decrypt with no padding. PKCS#1 padding will be removed as part of the
+ // timing-sensitive code below.
size_t decrypt_len;
switch (ssl_private_key_decrypt(hs, decrypt_buf, &decrypt_len, rsa_size,
CBS_data(&encrypted_premaster_secret),
@@ -1346,7 +1138,7 @@
case ssl_private_key_failure:
goto err;
case ssl_private_key_retry:
- ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
+ ret = ssl_hs_private_key_operation;
goto err;
}
@@ -1356,8 +1148,8 @@
goto err;
}
- /* Prepare a random premaster, to be used on invalid padding. See RFC 5246,
- * section 7.4.7.1. */
+ // Prepare a random premaster, to be used on invalid padding. See RFC 5246,
+ // section 7.4.7.1.
premaster_secret_len = SSL_MAX_MASTER_KEY_LENGTH;
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len);
if (premaster_secret == NULL) {
@@ -1368,15 +1160,15 @@
goto err;
}
- /* The smallest padded premaster is 11 bytes of overhead. Small keys are
- * publicly invalid. */
+ // The smallest padded premaster is 11 bytes of overhead. Small keys are
+ // publicly invalid.
if (decrypt_len < 11 + premaster_secret_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
goto err;
}
- /* Check the padding. See RFC 3447, section 7.2.2. */
+ // Check the padding. See RFC 3447, section 7.2.2.
size_t padding_len = decrypt_len - premaster_secret_len;
uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
constant_time_eq_int_8(decrypt_buf[1], 2);
@@ -1385,15 +1177,15 @@
}
good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);
- /* The premaster secret must begin with |client_version|. This too must be
- * checked in constant time (http://eprint.iacr.org/2003/052/). */
+ // The premaster secret must begin with |client_version|. This too must be
+ // checked in constant time (http://eprint.iacr.org/2003/052/).
good &= constant_time_eq_8(decrypt_buf[padding_len],
(unsigned)(hs->client_version >> 8));
good &= constant_time_eq_8(decrypt_buf[padding_len + 1],
(unsigned)(hs->client_version & 0xff));
- /* Select, in constant time, either the decrypted premaster or the random
- * premaster based on |good|. */
+ // Select, in constant time, either the decrypted premaster or the random
+ // premaster based on |good|.
for (size_t i = 0; i < premaster_secret_len; i++) {
premaster_secret[i] = constant_time_select_8(
good, decrypt_buf[padding_len + i], premaster_secret[i]);
@@ -1402,7 +1194,7 @@
OPENSSL_free(decrypt_buf);
decrypt_buf = NULL;
} else if (alg_k & SSL_kECDHE) {
- /* Parse the ClientKeyExchange. */
+ // Parse the ClientKeyExchange.
CBS peer_key;
if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) ||
CBS_len(&client_key_exchange) != 0) {
@@ -1411,7 +1203,7 @@
goto err;
}
- /* Compute the premaster. */
+ // Compute the premaster.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!hs->key_share->Finish(&premaster_secret, &premaster_secret_len, &alert,
CBS_data(&peer_key), CBS_len(&peer_key))) {
@@ -1419,7 +1211,7 @@
goto err;
}
- /* The key exchange state may now be discarded. */
+ // The key exchange state may now be discarded.
hs->key_share.reset();
} else if (!(alg_k & SSL_kPSK)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1427,8 +1219,8 @@
goto err;
}
- /* For a PSK cipher suite, the actual pre-master secret is combined with the
- * pre-shared key. */
+ // For a PSK cipher suite, the actual pre-master secret is combined with the
+ // pre-shared key.
if (alg_a & SSL_aPSK) {
if (ssl->psk_server_callback == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -1436,7 +1228,7 @@
goto err;
}
- /* Look up the key for the identity. */
+ // Look up the key for the identity.
uint8_t psk[PSK_MAX_PSK_LEN];
unsigned psk_len = ssl->psk_server_callback(
ssl, hs->new_session->psk_identity, psk, sizeof(psk));
@@ -1445,15 +1237,15 @@
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
goto err;
} else if (psk_len == 0) {
- /* PSK related to the given identity not found */
+ // PSK related to the given identity not found.
OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY);
goto err;
}
if (alg_k & SSL_kPSK) {
- /* In plain PSK, other_secret is a block of 0s with the same length as the
- * pre-shared key. */
+ // In plain PSK, other_secret is a block of 0s with the same length as the
+ // pre-shared key.
premaster_secret_len = psk_len;
premaster_secret = (uint8_t *)OPENSSL_malloc(premaster_secret_len);
if (premaster_secret == NULL) {
@@ -1488,7 +1280,7 @@
goto err;
}
- /* Compute the master secret */
+ // Compute the master secret.
hs->new_session->master_key_length = tls1_generate_master_secret(
hs, hs->new_session->master_key, premaster_secret, premaster_secret_len);
if (hs->new_session->master_key_length == 0) {
@@ -1496,10 +1288,9 @@
}
hs->new_session->extended_master_secret = hs->extended_master_secret;
- OPENSSL_cleanse(premaster_secret, premaster_secret_len);
- OPENSSL_free(premaster_secret);
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_read_client_certificate_verify;
+ ret = ssl_hs_ok;
err:
if (premaster_secret != NULL) {
@@ -1508,70 +1299,70 @@
}
OPENSSL_free(decrypt_buf);
- return -1;
+ return ret;
+
}
-static int ssl3_get_cert_verify(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Only RSA and ECDSA client certificates are supported, so a
- * CertificateVerify is required if and only if there's a client certificate.
- * */
+ // Only RSA and ECDSA client certificates are supported, so a
+ // CertificateVerify is required if and only if there's a client certificate.
if (!hs->peer_pubkey) {
hs->transcript.FreeBuffer();
- return 1;
+ hs->state = state_read_change_cipher_spec;
+ return ssl_hs_ok;
}
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY)) {
- return -1;
+ return ssl_hs_error;
}
CBS certificate_verify = msg.body, signature;
- /* Determine the signature algorithm. */
+ // Determine the signature algorithm.
uint16_t signature_algorithm = 0;
if (ssl3_protocol_version(ssl) >= TLS1_2_VERSION) {
if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- return -1;
+ return ssl_hs_error;
}
hs->new_session->peer_signature_algorithm = signature_algorithm;
} else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
hs->peer_pubkey.get())) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);
- return -1;
+ return ssl_hs_error;
}
- /* Parse and verify the signature. */
+ // Parse and verify the signature.
if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
CBS_len(&certificate_verify) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
int sig_ok;
- /* The SSL3 construction for CertificateVerify does not decompose into a
- * single final digest and signature, and must be special-cased. */
+ // The SSL3 construction for CertificateVerify does not decompose into a
+ // single final digest and signature, and must be special-cased.
if (ssl3_protocol_version(ssl) == SSL3_VERSION) {
uint8_t digest[EVP_MAX_MD_SIZE];
size_t digest_len;
if (!hs->transcript.GetSSL3CertVerifyHash(
digest, &digest_len, hs->new_session.get(), signature_algorithm)) {
- return -1;
+ return ssl_hs_error;
}
UniquePtr<EVP_PKEY_CTX> pctx(
@@ -1594,33 +1385,51 @@
if (!sig_ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
- return -1;
+ return ssl_hs_error;
}
- /* The handshake buffer is no longer necessary, and we may hash the current
- * message.*/
+ // The handshake buffer is no longer necessary, and we may hash the current
+ // message.
hs->transcript.FreeBuffer();
if (!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_read_change_cipher_spec;
+ return ssl_hs_ok;
}
-/* ssl3_get_next_proto reads a Next Protocol Negotiation handshake message. It
- * sets the next_proto member in s if found */
-static int ssl3_get_next_proto(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_change_cipher_spec(SSL_HANDSHAKE *hs) {
+ hs->state = state_process_change_cipher_spec;
+ return ssl_hs_read_change_cipher_spec;
+}
+
+static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
+ if (!tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_READ)) {
+ return ssl_hs_error;
+ }
+
+ hs->state = state_read_next_proto;
+ return ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ if (!hs->next_proto_neg_seen) {
+ hs->state = state_read_channel_id;
+ return ssl_hs_ok;
+ }
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEXT_PROTO) ||
!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
CBS next_protocol = msg.body, selected_protocol, padding;
@@ -1629,52 +1438,83 @@
CBS_len(&next_protocol) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
- return -1;
+ return ssl_hs_error;
}
if (!CBS_stow(&selected_protocol, &ssl->s3->next_proto_negotiated,
&ssl->s3->next_proto_negotiated_len)) {
- return -1;
+ return ssl_hs_error;
}
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_read_channel_id;
+ return ssl_hs_ok;
}
-/* ssl3_get_channel_id reads and verifies a ClientID handshake message. */
-static int ssl3_get_channel_id(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
+
+ if (!ssl->s3->tlsext_channel_id_valid) {
+ hs->state = state_read_client_finished;
+ return ssl_hs_ok;
+ }
+
SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
+ if (!ssl->method->get_message(ssl, &msg)) {
+ return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
!tls1_verify_channel_id(hs, msg) ||
!ssl_hash_message(hs, msg)) {
- return -1;
+ return ssl_hs_error;
}
+
ssl->method->next_message(ssl);
- return 1;
+ hs->state = state_read_client_finished;
+ return ssl_hs_ok;
}
-static int ssl3_send_server_finished(SSL_HANDSHAKE *hs) {
+static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+ enum ssl_hs_wait_t wait = ssl_get_finished(hs);
+ if (wait != ssl_hs_ok) {
+ return wait;
+ }
+
+ if (ssl->session != NULL) {
+ hs->state = state_finish_server_handshake;
+ } else {
+ hs->state = state_send_server_finished;
+ }
+
+ // If this is a full handshake with ChannelID then record the handshake
+ // hashes in |hs->new_session| in case we need them to verify a
+ // ChannelID signature on a resumption of this session in the future.
+ if (ssl->session == NULL && ssl->s3->tlsext_channel_id_valid &&
+ !tls1_record_handshake_hashes_for_channel_id(hs)) {
+ return ssl_hs_error;
+ }
+
+ return ssl_hs_ok;
+}
+
+static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (hs->ticket_expected) {
const SSL_SESSION *session;
UniquePtr<SSL_SESSION> session_copy;
if (ssl->session == NULL) {
- /* Fix the timeout to measure from the ticket issuance time. */
+ // Fix the timeout to measure from the ticket issuance time.
ssl_session_rebase_time(ssl, hs->new_session.get());
session = hs->new_session.get();
} else {
- /* We are renewing an existing session. Duplicate the session to adjust
- * the timeout. */
+ // We are renewing an existing session. Duplicate the session to adjust
+ // the timeout.
session_copy = SSL_SESSION_dup(ssl->session, SSL_SESSION_INCLUDE_NONAUTH);
if (!session_copy) {
- return -1;
+ return ssl_hs_error;
}
ssl_session_rebase_time(ssl, session_copy.get());
@@ -1689,16 +1529,186 @@
!CBB_add_u16_length_prefixed(&body, &ticket) ||
!ssl_encrypt_ticket(ssl, &ticket, session) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
- return -1;
+ return ssl_hs_error;
}
}
if (!ssl->method->add_change_cipher_spec(ssl) ||
- !tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
- return -1;
+ !tls1_change_cipher_state(hs, SSL3_CHANGE_CIPHER_SERVER_WRITE) ||
+ !ssl3_send_finished(hs)) {
+ return ssl_hs_error;
}
- return ssl3_send_finished(hs);
+ if (ssl->session != NULL) {
+ hs->state = state_read_change_cipher_spec;
+ } else {
+ hs->state = state_finish_server_handshake;
+ }
+ return ssl_hs_flush;
}
-} // namespace bssl
+static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) {
+ SSL *const ssl = hs->ssl;
+
+ ssl->method->on_handshake_complete(ssl);
+
+ // If we aren't retaining peer certificates then we can discard it now.
+ if (hs->new_session != NULL && ssl->retain_only_sha256_of_client_certs) {
+ sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);
+ hs->new_session->certs = NULL;
+ ssl->ctx->x509_method->session_clear(hs->new_session.get());
+ }
+
+ SSL_SESSION_free(ssl->s3->established_session);
+ if (ssl->session != NULL) {
+ SSL_SESSION_up_ref(ssl->session);
+ ssl->s3->established_session = ssl->session;
+ } else {
+ ssl->s3->established_session = hs->new_session.release();
+ ssl->s3->established_session->not_resumable = 0;
+ }
+
+ hs->handshake_finalized = true;
+ ssl->s3->initial_handshake_complete = true;
+ ssl_update_cache(hs, SSL_SESS_CACHE_SERVER);
+
+ hs->state = state_done;
+ return ssl_hs_ok;
+}
+
+enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) {
+ while (hs->state != state_done) {
+ enum ssl_hs_wait_t ret = ssl_hs_error;
+ enum ssl_server_hs_state_t state =
+ static_cast<enum ssl_server_hs_state_t>(hs->state);
+ switch (state) {
+ case state_start_accept:
+ ret = do_start_accept(hs);
+ break;
+ case state_read_client_hello:
+ ret = do_read_client_hello(hs);
+ break;
+ case state_select_certificate:
+ ret = do_select_certificate(hs);
+ break;
+ case state_tls13:
+ ret = do_tls13(hs);
+ break;
+ case state_select_parameters:
+ ret = do_select_parameters(hs);
+ break;
+ case state_send_server_hello:
+ ret = do_send_server_hello(hs);
+ break;
+ case state_send_server_certificate:
+ ret = do_send_server_certificate(hs);
+ break;
+ case state_send_server_key_exchange:
+ ret = do_send_server_key_exchange(hs);
+ break;
+ case state_send_server_hello_done:
+ ret = do_send_server_hello_done(hs);
+ break;
+ case state_read_client_certificate:
+ ret = do_read_client_certificate(hs);
+ break;
+ case state_verify_client_certificate:
+ ret = do_verify_client_certificate(hs);
+ break;
+ case state_read_client_key_exchange:
+ ret = do_read_client_key_exchange(hs);
+ break;
+ case state_read_client_certificate_verify:
+ ret = do_read_client_certificate_verify(hs);
+ break;
+ case state_read_change_cipher_spec:
+ ret = do_read_change_cipher_spec(hs);
+ break;
+ case state_process_change_cipher_spec:
+ ret = do_process_change_cipher_spec(hs);
+ break;
+ case state_read_next_proto:
+ ret = do_read_next_proto(hs);
+ break;
+ case state_read_channel_id:
+ ret = do_read_channel_id(hs);
+ break;
+ case state_read_client_finished:
+ ret = do_read_client_finished(hs);
+ break;
+ case state_send_server_finished:
+ ret = do_send_server_finished(hs);
+ break;
+ case state_finish_server_handshake:
+ ret = do_finish_server_handshake(hs);
+ break;
+ case state_done:
+ ret = ssl_hs_ok;
+ break;
+ }
+
+ if (hs->state != state) {
+ ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
+ }
+
+ if (ret != ssl_hs_ok) {
+ return ret;
+ }
+ }
+
+ ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);
+ return ssl_hs_ok;
+}
+
+const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) {
+ enum ssl_server_hs_state_t state =
+ static_cast<enum ssl_server_hs_state_t>(hs->state);
+ switch (state) {
+ case state_start_accept:
+ return "TLS server start_accept";
+ case state_read_client_hello:
+ return "TLS server read_client_hello";
+ case state_select_certificate:
+ return "TLS server select_certificate";
+ case state_tls13:
+ return tls13_server_handshake_state(hs);
+ case state_select_parameters:
+ return "TLS server select_parameters";
+ case state_send_server_hello:
+ return "TLS server send_server_hello";
+ case state_send_server_certificate:
+ return "TLS server send_server_certificate";
+ case state_send_server_key_exchange:
+ return "TLS server send_server_key_exchange";
+ case state_send_server_hello_done:
+ return "TLS server send_server_hello_done";
+ case state_read_client_certificate:
+ return "TLS server read_client_certificate";
+ case state_verify_client_certificate:
+ return "TLS server verify_client_certificate";
+ case state_read_client_key_exchange:
+ return "TLS server read_client_key_exchange";
+ case state_read_client_certificate_verify:
+ return "TLS server read_client_certificate_verify";
+ case state_read_change_cipher_spec:
+ return "TLS server read_change_cipher_spec";
+ case state_process_change_cipher_spec:
+ return "TLS server process_change_cipher_spec";
+ case state_read_next_proto:
+ return "TLS server read_next_proto";
+ case state_read_channel_id:
+ return "TLS server read_channel_id";
+ case state_read_client_finished:
+ return "TLS server read_client_finished";
+ case state_send_server_finished:
+ return "TLS server send_server_finished";
+ case state_finish_server_handshake:
+ return "TLS server finish_server_handshake";
+ case state_done:
+ return "TLS server done";
+ }
+
+ return "TLS server unknown";
+}
+
+}
diff --git a/src/ssl/internal.h b/src/ssl/internal.h
index b9c3998..19968ac 100644
--- a/src/ssl/internal.h
+++ b/src/ssl/internal.h
@@ -158,7 +158,7 @@
#if defined(OPENSSL_WINDOWS)
-/* Windows defines struct timeval in winsock2.h. */
+// Windows defines struct timeval in winsock2.h.
OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
OPENSSL_MSVC_PRAGMA(warning(pop))
@@ -173,13 +173,13 @@
struct SSL_HANDSHAKE;
-/* C++ utilities. */
+// C++ utilities.
-/* New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It
- * returns nullptr on allocation error. It only implements single-object
- * allocation and not new T[n].
- *
- * Note: unlike |new|, this does not support non-public constructors. */
+// New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It
+// returns nullptr on allocation error. It only implements single-object
+// allocation and not new T[n].
+//
+// Note: unlike |new|, this does not support non-public constructors.
template <typename T, typename... Args>
T *New(Args &&... args) {
void *t = OPENSSL_malloc(sizeof(T));
@@ -190,9 +190,9 @@
return new (t) T(std::forward<Args>(args)...);
}
-/* Delete behaves like |delete| but uses |OPENSSL_free| to release memory.
- *
- * Note: unlike |delete| this does not support non-public destructors. */
+// Delete behaves like |delete| but uses |OPENSSL_free| to release memory.
+//
+// Note: unlike |delete| this does not support non-public destructors.
template <typename T>
void Delete(T *t) {
if (t != nullptr) {
@@ -201,8 +201,8 @@
}
}
-/* All types with kAllowUniquePtr set may be used with UniquePtr. Other types
- * may be C structs which require a |BORINGSSL_MAKE_DELETER| registration. */
+// All types with kAllowUniquePtr set may be used with UniquePtr. Other types
+// may be C structs which require a |BORINGSSL_MAKE_DELETER| registration.
namespace internal {
template <typename T>
struct DeleterImpl<T, typename std::enable_if<T::kAllowUniquePtr>::type> {
@@ -210,8 +210,8 @@
};
}
-/* MakeUnique behaves like |std::make_unique| but returns nullptr on allocation
- * error. */
+// MakeUnique behaves like |std::make_unique| but returns nullptr on allocation
+// error.
template <typename T, typename... Args>
UniquePtr<T> MakeUnique(Args &&... args) {
return UniquePtr<T>(New<T>(std::forward<Args>(args)...));
@@ -221,87 +221,87 @@
#define HAS_VIRTUAL_DESTRUCTOR
#define PURE_VIRTUAL = 0
#else
-/* HAS_VIRTUAL_DESTRUCTOR should be declared in any base clas ~s which defines a
- * virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the
- * class from being used with |delete|. */
+// HAS_VIRTUAL_DESTRUCTOR should be declared in any base class which defines a
+// virtual destructor. This avoids a dependency on |_ZdlPv| and prevents the
+// class from being used with |delete|.
#define HAS_VIRTUAL_DESTRUCTOR \
void operator delete(void *) { abort(); }
-/* PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual
- * functions. This avoids a dependency on |__cxa_pure_virtual| but loses
- * compile-time checking. */
+// PURE_VIRTUAL should be used instead of = 0 when defining pure-virtual
+// functions. This avoids a dependency on |__cxa_pure_virtual| but loses
+// compile-time checking.
#define PURE_VIRTUAL { abort(); }
#endif
-/* Protocol versions.
- *
- * Due to DTLS's historical wire version differences and to support multiple
- * variants of the same protocol during development, we maintain two notions of
- * version.
- *
- * The "version" or "wire version" is the actual 16-bit value that appears on
- * the wire. It uniquely identifies a version and is also used at API
- * boundaries. The set of supported versions differs between TLS and DTLS. Wire
- * versions are opaque values and may not be compared numerically.
- *
- * The "protocol version" identifies the high-level handshake variant being
- * used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3
- * variants all map to TLS 1.3. Protocol versions are sequential and may be
- * compared numerically. */
+// Protocol versions.
+//
+// Due to DTLS's historical wire version differences and to support multiple
+// variants of the same protocol during development, we maintain two notions of
+// version.
+//
+// The "version" or "wire version" is the actual 16-bit value that appears on
+// the wire. It uniquely identifies a version and is also used at API
+// boundaries. The set of supported versions differs between TLS and DTLS. Wire
+// versions are opaque values and may not be compared numerically.
+//
+// The "protocol version" identifies the high-level handshake variant being
+// used. DTLS versions map to the corresponding TLS versions. Draft TLS 1.3
+// variants all map to TLS 1.3. Protocol versions are sequential and may be
+// compared numerically.
-/* ssl_protocol_version_from_wire sets |*out| to the protocol version
- * corresponding to wire version |version| and returns one. If |version| is not
- * a valid TLS or DTLS version, it returns zero.
- *
- * Note this simultaneously handles both DTLS and TLS. Use one of the
- * higher-level functions below for most operations. */
+// ssl_protocol_version_from_wire sets |*out| to the protocol version
+// corresponding to wire version |version| and returns one. If |version| is not
+// a valid TLS or DTLS version, it returns zero.
+//
+// Note this simultaneously handles both DTLS and TLS. Use one of the
+// higher-level functions below for most operations.
int ssl_protocol_version_from_wire(uint16_t *out, uint16_t version);
-/* ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the
- * minimum and maximum enabled protocol versions, respectively. */
+// ssl_get_version_range sets |*out_min_version| and |*out_max_version| to the
+// minimum and maximum enabled protocol versions, respectively.
int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
uint16_t *out_max_version);
-/* ssl_supports_version returns one if |hs| supports |version| and zero
- * otherwise. */
+// ssl_supports_version returns one if |hs| supports |version| and zero
+// otherwise.
int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version);
-/* ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in
- * decreasing preference order. */
+// ssl_add_supported_versions writes the supported versions of |hs| to |cbb|, in
+// decreasing preference order.
int ssl_add_supported_versions(SSL_HANDSHAKE *hs, CBB *cbb);
-/* ssl_negotiate_version negotiates a common version based on |hs|'s preferences
- * and the peer preference list in |peer_versions|. On success, it returns one
- * and sets |*out_version| to the selected version. Otherwise, it returns zero
- * and sets |*out_alert| to an alert to send. */
+// ssl_negotiate_version negotiates a common version based on |hs|'s preferences
+// and the peer preference list in |peer_versions|. On success, it returns one
+// and sets |*out_version| to the selected version. Otherwise, it returns zero
+// and sets |*out_alert| to an alert to send.
int ssl_negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
uint16_t *out_version, const CBS *peer_versions);
-/* ssl3_protocol_version returns |ssl|'s protocol version. It is an error to
- * call this function before the version is determined. */
+// ssl3_protocol_version returns |ssl|'s protocol version. It is an error to
+// call this function before the version is determined.
uint16_t ssl3_protocol_version(const SSL *ssl);
-/* Cipher suites. */
+// Cipher suites.
-/* Bits for |algorithm_mkey| (key exchange algorithm). */
+// Bits for |algorithm_mkey| (key exchange algorithm).
#define SSL_kRSA 0x00000001u
#define SSL_kECDHE 0x00000002u
-/* SSL_kPSK is only set for plain PSK, not ECDHE_PSK. */
+// SSL_kPSK is only set for plain PSK, not ECDHE_PSK.
#define SSL_kPSK 0x00000004u
#define SSL_kGENERIC 0x00000008u
-/* Bits for |algorithm_auth| (server authentication). */
+// Bits for |algorithm_auth| (server authentication).
#define SSL_aRSA 0x00000001u
#define SSL_aECDSA 0x00000002u
-/* SSL_aPSK is set for both PSK and ECDHE_PSK. */
+// SSL_aPSK is set for both PSK and ECDHE_PSK.
#define SSL_aPSK 0x00000004u
#define SSL_aGENERIC 0x00000008u
#define SSL_aCERT (SSL_aRSA | SSL_aECDSA)
-/* Bits for |algorithm_enc| (symmetric encryption). */
+// Bits for |algorithm_enc| (symmetric encryption).
#define SSL_3DES 0x00000001u
#define SSL_AES128 0x00000002u
#define SSL_AES256 0x00000004u
@@ -312,91 +312,91 @@
#define SSL_AES (SSL_AES128 | SSL_AES256 | SSL_AES128GCM | SSL_AES256GCM)
-/* Bits for |algorithm_mac| (symmetric authentication). */
+// Bits for |algorithm_mac| (symmetric authentication).
#define SSL_SHA1 0x00000001u
#define SSL_SHA256 0x00000002u
#define SSL_SHA384 0x00000004u
-/* SSL_AEAD is set for all AEADs. */
+// SSL_AEAD is set for all AEADs.
#define SSL_AEAD 0x00000008u
-/* Bits for |algorithm_prf| (handshake digest). */
+// Bits for |algorithm_prf| (handshake digest).
#define SSL_HANDSHAKE_MAC_DEFAULT 0x1
#define SSL_HANDSHAKE_MAC_SHA256 0x2
#define SSL_HANDSHAKE_MAC_SHA384 0x4
-/* SSL_MAX_DIGEST is the number of digest types which exist. When adding a new
- * one, update the table in ssl_cipher.c. */
+// SSL_MAX_DIGEST is the number of digest types which exist. When adding a new
+// one, update the table in ssl_cipher.c.
#define SSL_MAX_DIGEST 4
-/* ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
- * object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
- * and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
- * respectively. The MAC key length is zero except for legacy block and stream
- * ciphers. It returns 1 on success and 0 on error. */
+// ssl_cipher_get_evp_aead sets |*out_aead| to point to the correct EVP_AEAD
+// object for |cipher| protocol version |version|. It sets |*out_mac_secret_len|
+// and |*out_fixed_iv_len| to the MAC key length and fixed IV length,
+// respectively. The MAC key length is zero except for legacy block and stream
+// ciphers. It returns 1 on success and 0 on error.
int ssl_cipher_get_evp_aead(const EVP_AEAD **out_aead,
size_t *out_mac_secret_len,
size_t *out_fixed_iv_len, const SSL_CIPHER *cipher,
uint16_t version, int is_dtls);
-/* ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and
- * |cipher|. */
+// ssl_get_handshake_digest returns the |EVP_MD| corresponding to |version| and
+// |cipher|.
const EVP_MD *ssl_get_handshake_digest(uint16_t version,
const SSL_CIPHER *cipher);
-/* ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
- * |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
- * |ssl_cipher_preference_list_st| containing the result. It returns 1 on
- * success and 0 on failure. If |strict| is true, nonsense will be rejected. If
- * false, nonsense will be silently ignored. An empty result is considered an
- * error regardless of |strict|. */
+// ssl_create_cipher_list evaluates |rule_str| according to the ciphers in
+// |ssl_method|. It sets |*out_cipher_list| to a newly-allocated
+// |ssl_cipher_preference_list_st| containing the result. It returns 1 on
+// success and 0 on failure. If |strict| is true, nonsense will be rejected. If
+// false, nonsense will be silently ignored. An empty result is considered an
+// error regardless of |strict|.
int ssl_create_cipher_list(
const SSL_PROTOCOL_METHOD *ssl_method,
struct ssl_cipher_preference_list_st **out_cipher_list,
const char *rule_str, int strict);
-/* ssl_cipher_get_value returns the cipher suite id of |cipher|. */
+// ssl_cipher_get_value returns the cipher suite id of |cipher|.
uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher);
-/* ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|
- * values suitable for use with |key| in TLS 1.2 and below. */
+// ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|
+// values suitable for use with |key| in TLS 1.2 and below.
uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key);
-/* ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the
- * server and, optionally, the client with a certificate. Otherwise it returns
- * zero. */
+// ssl_cipher_uses_certificate_auth returns one if |cipher| authenticates the
+// server and, optionally, the client with a certificate. Otherwise it returns
+// zero.
int ssl_cipher_uses_certificate_auth(const SSL_CIPHER *cipher);
-/* ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
- * ServerKeyExchange message. Otherwise it returns 0.
- *
- * This function may return zero while still allowing |cipher| an optional
- * ServerKeyExchange. This is the case for plain PSK ciphers. */
+// ssl_cipher_requires_server_key_exchange returns 1 if |cipher| requires a
+// ServerKeyExchange message. Otherwise it returns 0.
+//
+// This function may return zero while still allowing |cipher| an optional
+// ServerKeyExchange. This is the case for plain PSK ciphers.
int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher);
-/* ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the
- * length of an encrypted 1-byte record, for use in record-splitting. Otherwise
- * it returns zero. */
+// ssl_cipher_get_record_split_len, for TLS 1.0 CBC mode ciphers, returns the
+// length of an encrypted 1-byte record, for use in record-splitting. Otherwise
+// it returns zero.
size_t ssl_cipher_get_record_split_len(const SSL_CIPHER *cipher);
-/* Transcript layer. */
+// Transcript layer.
-/* SSLTranscript maintains the handshake transcript as a combination of a
- * buffer and running hash. */
+// SSLTranscript maintains the handshake transcript as a combination of a
+// buffer and running hash.
class SSLTranscript {
public:
SSLTranscript();
~SSLTranscript();
- /* Init initializes the handshake transcript. If called on an existing
- * transcript, it resets the transcript and hash. It returns true on success
- * and false on failure. */
+ // Init initializes the handshake transcript. If called on an existing
+ // transcript, it resets the transcript and hash. It returns true on success
+ // and false on failure.
bool Init();
- /* InitHash initializes the handshake hash based on the PRF and contents of
- * the handshake transcript. Subsequent calls to |Update| will update the
- * rolling hash. It returns one on success and zero on failure. It is an error
- * to call this function after the handshake buffer is released. */
+ // InitHash initializes the handshake hash based on the PRF and contents of
+ // the handshake transcript. Subsequent calls to |Update| will update the
+ // rolling hash. It returns one on success and zero on failure. It is an error
+ // to call this function after the handshake buffer is released.
bool InitHash(uint16_t version, const SSL_CIPHER *cipher);
const uint8_t *buffer_data() const {
@@ -404,66 +404,66 @@
}
size_t buffer_len() const { return buffer_->length; }
- /* FreeBuffer releases the handshake buffer. Subsequent calls to
- * |Update| will not update the handshake buffer. */
+ // FreeBuffer releases the handshake buffer. Subsequent calls to
+ // |Update| will not update the handshake buffer.
void FreeBuffer();
- /* DigestLen returns the length of the PRF hash. */
+ // DigestLen returns the length of the PRF hash.
size_t DigestLen() const;
- /* Digest returns the PRF hash. For TLS 1.1 and below, this is
- * |EVP_md5_sha1|. */
+ // Digest returns the PRF hash. For TLS 1.1 and below, this is
+ // |EVP_md5_sha1|.
const EVP_MD *Digest() const;
- /* Update adds |in| to the handshake buffer and handshake hash, whichever is
- * enabled. It returns true on success and false on failure. */
+ // Update adds |in| to the handshake buffer and handshake hash, whichever is
+ // enabled. It returns true on success and false on failure.
bool Update(const uint8_t *in, size_t in_len);
- /* GetHash writes the handshake hash to |out| which must have room for at
- * least |DigestLen| bytes. On success, it returns true and sets |*out_len| to
- * the number of bytes written. Otherwise, it returns false. */
+ // GetHash writes the handshake hash to |out| which must have room for at
+ // least |DigestLen| bytes. On success, it returns true and sets |*out_len| to
+ // the number of bytes written. Otherwise, it returns false.
bool GetHash(uint8_t *out, size_t *out_len);
- /* GetSSL3CertVerifyHash writes the SSL 3.0 CertificateVerify hash into the
- * bytes pointed to by |out| and writes the number of bytes to
- * |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns
- * one on success and zero on failure. */
+ // GetSSL3CertVerifyHash writes the SSL 3.0 CertificateVerify hash into the
+ // bytes pointed to by |out| and writes the number of bytes to
+ // |*out_len|. |out| must have room for |EVP_MAX_MD_SIZE| bytes. It returns
+ // one on success and zero on failure.
bool GetSSL3CertVerifyHash(uint8_t *out, size_t *out_len,
const SSL_SESSION *session,
uint16_t signature_algorithm);
- /* GetFinishedMAC computes the MAC for the Finished message into the bytes
- * pointed by |out| and writes the number of bytes to |*out_len|. |out| must
- * have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false
- * on failure. */
+ // GetFinishedMAC computes the MAC for the Finished message into the bytes
+ // pointed by |out| and writes the number of bytes to |*out_len|. |out| must
+ // have room for |EVP_MAX_MD_SIZE| bytes. It returns true on success and false
+ // on failure.
bool GetFinishedMAC(uint8_t *out, size_t *out_len, const SSL_SESSION *session,
- bool from_server, uint16_t version);
+ bool from_server);
private:
- /* buffer_, if non-null, contains the handshake transcript. */
+ // buffer_, if non-null, contains the handshake transcript.
UniquePtr<BUF_MEM> buffer_;
- /* hash, if initialized with an |EVP_MD|, maintains the handshake hash. For
- * TLS 1.1 and below, it is the SHA-1 half. */
+ // hash, if initialized with an |EVP_MD|, maintains the handshake hash. For
+ // TLS 1.1 and below, it is the SHA-1 half.
ScopedEVP_MD_CTX hash_;
- /* md5, if initialized with an |EVP_MD|, maintains the MD5 half of the
- * handshake hash for TLS 1.1 and below. */
+ // md5, if initialized with an |EVP_MD|, maintains the MD5 half of the
+ // handshake hash for TLS 1.1 and below.
ScopedEVP_MD_CTX md5_;
};
-/* tls1_prf computes the PRF function for |ssl|. It writes |out_len| bytes to
- * |out|, using |secret| as the secret and |label| as the label. |seed1| and
- * |seed2| are concatenated to form the seed parameter. It returns one on
- * success and zero on failure. */
+// tls1_prf computes the PRF function for |ssl|. It writes |out_len| bytes to
+// |out|, using |secret| as the secret and |label| as the label. |seed1| and
+// |seed2| are concatenated to form the seed parameter. It returns one on
+// success and zero on failure.
int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len,
const uint8_t *secret, size_t secret_len, const char *label,
size_t label_len, const uint8_t *seed1, size_t seed1_len,
const uint8_t *seed2, size_t seed2_len);
-/* Encryption layer. */
+// Encryption layer.
-/* SSLAEADContext contains information about an AEAD that is being used to
- * encrypt an SSL connection. */
+// SSLAEADContext contains information about an AEAD that is being used to
+// encrypt an SSL connection.
class SSLAEADContext {
public:
SSLAEADContext(uint16_t version, const SSL_CIPHER *cipher);
@@ -473,13 +473,13 @@
SSLAEADContext(const SSLAEADContext &&) = delete;
SSLAEADContext &operator=(const SSLAEADContext &&) = delete;
- /* CreateNullCipher creates an |SSLAEADContext| for the null cipher. */
+ // CreateNullCipher creates an |SSLAEADContext| for the null cipher.
static UniquePtr<SSLAEADContext> CreateNullCipher();
- /* Create creates an |SSLAEADContext| using the supplied key material. It
- * returns nullptr on error. Only one of |Open| or |Seal| may be used with the
- * resulting object, depending on |direction|. |version| is the normalized
- * protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef. */
+ // Create creates an |SSLAEADContext| using the supplied key material. It
+ // returns nullptr on error. Only one of |Open| or |Seal| may be used with the
+ // resulting object, depending on |direction|. |version| is the normalized
+ // protocol version, so DTLS 1.0 is represented as 0x0301, not 0xffef.
static UniquePtr<SSLAEADContext> Create(
enum evp_aead_direction_t direction, uint16_t version, int is_dtls,
const SSL_CIPHER *cipher, const uint8_t *enc_key, size_t enc_key_len,
@@ -489,52 +489,52 @@
uint16_t version() const { return version_; }
const SSL_CIPHER *cipher() const { return cipher_; }
- /* is_null_cipher returns true if this is the null cipher. */
+ // is_null_cipher returns true if this is the null cipher.
bool is_null_cipher() const { return !cipher_; }
- /* ExplicitNonceLen returns the length of the explicit nonce. */
+ // ExplicitNonceLen returns the length of the explicit nonce.
size_t ExplicitNonceLen() const;
- /* MaxOverhead returns the maximum overhead of calling |Seal|. */
+ // MaxOverhead returns the maximum overhead of calling |Seal|.
size_t MaxOverhead() const;
- /* SuffixLen calculates the suffix length written by |SealScatter| and writes
- * it to |*out_suffix_len|. It returns true on success and false on error.
- * |in_len| and |extra_in_len| should equal the argument of the same names
- * passed to |SealScatter|. */
+ // SuffixLen calculates the suffix length written by |SealScatter| and writes
+ // it to |*out_suffix_len|. It returns true on success and false on error.
+ // |in_len| and |extra_in_len| should equal the argument of the same names
+ // passed to |SealScatter|.
bool SuffixLen(size_t *out_suffix_len, size_t in_len,
size_t extra_in_len) const;
- /* Open authenticates and decrypts |in_len| bytes from |in| in-place. On
- * success, it sets |*out| to the plaintext in |in| and returns true.
- * Otherwise, it returns false. The output will always be |ExplicitNonceLen|
- * bytes ahead of |in|. */
+ // Open authenticates and decrypts |in_len| bytes from |in| in-place. On
+ // success, it sets |*out| to the plaintext in |in| and returns true.
+ // Otherwise, it returns false. The output will always be |ExplicitNonceLen|
+ // bytes ahead of |in|.
bool Open(CBS *out, uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8], uint8_t *in, size_t in_len);
- /* Seal encrypts and authenticates |in_len| bytes from |in| and writes the
- * result to |out|. It returns true on success and false on error.
- *
- * If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|. */
+ // Seal encrypts and authenticates |in_len| bytes from |in| and writes the
+ // result to |out|. It returns true on success and false on error.
+ //
+ // If |in| and |out| alias then |out| + |ExplicitNonceLen| must be == |in|.
bool Seal(uint8_t *out, size_t *out_len, size_t max_out, uint8_t type,
uint16_t wire_version, const uint8_t seqnum[8], const uint8_t *in,
size_t in_len);
- /* SealScatter encrypts and authenticates |in_len| bytes from |in| and splits
- * the result between |out_prefix|, |out| and |out_suffix|. It returns one on
- * success and zero on error.
- *
- * On successful return, exactly |ExplicitNonceLen| bytes are written to
- * |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to
- * |out_suffix|.
- *
- * |extra_in| may point to an additional plaintext buffer. If present,
- * |extra_in_len| additional bytes are encrypted and authenticated, and the
- * ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should
- * be used to size |out_suffix| accordingly.
- *
- * If |in| and |out| alias then |out| must be == |in|. Other arguments may not
- * alias anything. */
+ // SealScatter encrypts and authenticates |in_len| bytes from |in| and splits
+ // the result between |out_prefix|, |out| and |out_suffix|. It returns one on
+ // success and zero on error.
+ //
+ // On successful return, exactly |ExplicitNonceLen| bytes are written to
+ // |out_prefix|, |in_len| bytes to |out|, and |SuffixLen| bytes to
+ // |out_suffix|.
+ //
+ // |extra_in| may point to an additional plaintext buffer. If present,
+ // |extra_in_len| additional bytes are encrypted and authenticated, and the
+ // ciphertext is written to the beginning of |out_suffix|. |SuffixLen| should
+ // be used to size |out_suffix| accordingly.
+ //
+ // If |in| and |out| alias then |out| must be == |in|. Other arguments may not
+ // alias anything.
bool SealScatter(uint8_t *out_prefix, uint8_t *out, uint8_t *out_suffix,
uint8_t type, uint16_t wire_version, const uint8_t seqnum[8],
const uint8_t *in, size_t in_len, const uint8_t *extra_in,
@@ -543,65 +543,65 @@
bool GetIV(const uint8_t **out_iv, size_t *out_iv_len) const;
private:
- /* GetAdditionalData writes the additional data into |out| and returns the
- * number of bytes written. */
+ // GetAdditionalData writes the additional data into |out| and returns the
+ // number of bytes written.
size_t GetAdditionalData(uint8_t out[13], uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8], size_t plaintext_len);
const SSL_CIPHER *cipher_;
ScopedEVP_AEAD_CTX ctx_;
- /* fixed_nonce_ contains any bytes of the nonce that are fixed for all
- * records. */
+ // fixed_nonce_ contains any bytes of the nonce that are fixed for all
+ // records.
uint8_t fixed_nonce_[12];
uint8_t fixed_nonce_len_ = 0, variable_nonce_len_ = 0;
- /* version_ is the protocol version that should be used with this AEAD. */
+ // version_ is the protocol version that should be used with this AEAD.
uint16_t version_;
- /* variable_nonce_included_in_record_ is true if the variable nonce
- * for a record is included as a prefix before the ciphertext. */
+ // variable_nonce_included_in_record_ is true if the variable nonce
+ // for a record is included as a prefix before the ciphertext.
bool variable_nonce_included_in_record_ : 1;
- /* random_variable_nonce_ is true if the variable nonce is
- * randomly generated, rather than derived from the sequence
- * number. */
+ // random_variable_nonce_ is true if the variable nonce is
+ // randomly generated, rather than derived from the sequence
+ // number.
bool random_variable_nonce_ : 1;
- /* omit_length_in_ad_ is true if the length should be omitted in the
- * AEAD's ad parameter. */
+ // omit_length_in_ad_ is true if the length should be omitted in the
+ // AEAD's ad parameter.
bool omit_length_in_ad_ : 1;
- /* omit_version_in_ad_ is true if the version should be omitted
- * in the AEAD's ad parameter. */
+ // omit_version_in_ad_ is true if the version should be omitted
+ // in the AEAD's ad parameter.
bool omit_version_in_ad_ : 1;
- /* omit_ad_ is true if the AEAD's ad parameter should be omitted. */
+ // omit_ad_ is true if the AEAD's ad parameter should be omitted.
bool omit_ad_ : 1;
- /* xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the
- * variable nonce rather than prepended. */
+ // xor_fixed_nonce_ is true if the fixed nonce should be XOR'd into the
+ // variable nonce rather than prepended.
bool xor_fixed_nonce_ : 1;
};
-/* DTLS replay bitmap. */
+// DTLS replay bitmap.
-/* DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect
- * replayed packets. It should be initialized by zeroing every field. */
+// DTLS1_BITMAP maintains a sliding window of 64 sequence numbers to detect
+// replayed packets. It should be initialized by zeroing every field.
struct DTLS1_BITMAP {
- /* map is a bit mask of the last 64 sequence numbers. Bit
- * |1<<i| corresponds to |max_seq_num - i|. */
+ // map is a bit mask of the last 64 sequence numbers. Bit
+ // |1<<i| corresponds to |max_seq_num - i|.
uint64_t map;
- /* max_seq_num is the largest sequence number seen so far as a 64-bit
- * integer. */
+ // max_seq_num is the largest sequence number seen so far as a 64-bit
+ // integer.
uint64_t max_seq_num;
};
-/* Record layer. */
+// Record layer.
-/* ssl_record_sequence_update increments the sequence number in |seq|. It
- * returns one on success and zero on wraparound. */
+// ssl_record_sequence_update increments the sequence number in |seq|. It
+// returns one on success and zero on wraparound.
int ssl_record_sequence_update(uint8_t *seq, size_t seq_len);
-/* ssl_record_prefix_len returns the length of the prefix before the ciphertext
- * of a record for |ssl|.
- *
- * TODO(davidben): Expose this as part of public API once the high-level
- * buffer-free APIs are available. */
+// ssl_record_prefix_len returns the length of the prefix before the ciphertext
+// of a record for |ssl|.
+//
+// TODO(davidben): Expose this as part of public API once the high-level
+// buffer-free APIs are available.
size_t ssl_record_prefix_len(const SSL *ssl);
enum ssl_open_record_t {
@@ -613,63 +613,63 @@
ssl_open_record_error,
};
-/* tls_open_record decrypts a record from |in| in-place.
- *
- * If the input did not contain a complete record, it returns
- * |ssl_open_record_partial|. It sets |*out_consumed| to the total number of
- * bytes necessary. It is guaranteed that a successful call to |tls_open_record|
- * will consume at least that many bytes.
- *
- * Otherwise, it sets |*out_consumed| to the number of bytes of input
- * consumed. Note that input may be consumed on all return codes if a record was
- * decrypted.
- *
- * On success, it returns |ssl_open_record_success|. It sets |*out_type| to the
- * record type and |*out| to the record body in |in|. Note that |*out| may be
- * empty.
- *
- * If a record was successfully processed but should be discarded, it returns
- * |ssl_open_record_discard|.
- *
- * If a record was successfully processed but is a close_notify or fatal alert,
- * it returns |ssl_open_record_close_notify| or |ssl_open_record_fatal_alert|.
- *
- * On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an
- * alert to emit. */
+// tls_open_record decrypts a record from |in| in-place.
+//
+// If the input did not contain a complete record, it returns
+// |ssl_open_record_partial|. It sets |*out_consumed| to the total number of
+// bytes necessary. It is guaranteed that a successful call to |tls_open_record|
+// will consume at least that many bytes.
+//
+// Otherwise, it sets |*out_consumed| to the number of bytes of input
+// consumed. Note that input may be consumed on all return codes if a record was
+// decrypted.
+//
+// On success, it returns |ssl_open_record_success|. It sets |*out_type| to the
+// record type and |*out| to the record body in |in|. Note that |*out| may be
+// empty.
+//
+// If a record was successfully processed but should be discarded, it returns
+// |ssl_open_record_discard|.
+//
+// If a record was successfully processed but is a close_notify or fatal alert,
+// it returns |ssl_open_record_close_notify| or |ssl_open_record_fatal_alert|.
+//
+// On failure, it returns |ssl_open_record_error| and sets |*out_alert| to an
+// alert to emit.
enum ssl_open_record_t tls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
size_t *out_consumed, uint8_t *out_alert,
uint8_t *in, size_t in_len);
-/* dtls_open_record implements |tls_open_record| for DTLS. It never returns
- * |ssl_open_record_partial| but otherwise behaves analogously. */
+// dtls_open_record implements |tls_open_record| for DTLS. It never returns
+// |ssl_open_record_partial| but otherwise behaves analogously.
enum ssl_open_record_t dtls_open_record(SSL *ssl, uint8_t *out_type, CBS *out,
size_t *out_consumed,
uint8_t *out_alert, uint8_t *in,
size_t in_len);
-/* ssl_seal_align_prefix_len returns the length of the prefix before the start
- * of the bulk of the ciphertext when sealing a record with |ssl|. Callers may
- * use this to align buffers.
- *
- * Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte
- * record and is the offset into second record's ciphertext. Thus sealing a
- * small record may result in a smaller output than this value.
- *
- * TODO(davidben): Is this alignment valuable? Record-splitting makes this a
- * mess. */
+// ssl_seal_align_prefix_len returns the length of the prefix before the start
+// of the bulk of the ciphertext when sealing a record with |ssl|. Callers may
+// use this to align buffers.
+//
+// Note when TLS 1.0 CBC record-splitting is enabled, this includes the one byte
+// record and is the offset into second record's ciphertext. Thus sealing a
+// small record may result in a smaller output than this value.
+//
+// TODO(davidben): Is this alignment valuable? Record-splitting makes this a
+// mess.
size_t ssl_seal_align_prefix_len(const SSL *ssl);
-/* tls_seal_record seals a new record of type |type| and body |in| and writes it
- * to |out|. At most |max_out| bytes will be written. It returns one on success
- * and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1
- * record splitting and may write two records concatenated.
- *
- * For a large record, the bulk of the ciphertext will begin
- * |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
- * improve performance. It writes at most |in_len| + |SSL_max_seal_overhead|
- * bytes to |out|.
- *
- * |in| and |out| may not alias. */
+// tls_seal_record seals a new record of type |type| and body |in| and writes it
+// to |out|. At most |max_out| bytes will be written. It returns one on success
+// and zero on error. If enabled, |tls_seal_record| implements TLS 1.0 CBC 1/n-1
+// record splitting and may write two records concatenated.
+//
+// For a large record, the bulk of the ciphertext will begin
+// |ssl_seal_align_prefix_len| bytes into out. Aligning |out| appropriately may
+// improve performance. It writes at most |in_len| + |SSL_max_seal_overhead|
+// bytes to |out|.
+//
+// |in| and |out| may not alias.
int tls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
uint8_t type, const uint8_t *in, size_t in_len);
@@ -678,41 +678,41 @@
dtls1_use_current_epoch,
};
-/* dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
- * record. */
+// dtls_max_seal_overhead returns the maximum overhead, in bytes, of sealing a
+// record.
size_t dtls_max_seal_overhead(const SSL *ssl, enum dtls1_use_epoch_t use_epoch);
-/* dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
- * front of the plaintext when sealing a record in-place. */
+// dtls_seal_prefix_len returns the number of bytes of prefix to reserve in
+// front of the plaintext when sealing a record in-place.
size_t dtls_seal_prefix_len(const SSL *ssl, enum dtls1_use_epoch_t use_epoch);
-/* dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects
- * which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out|
- * may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
- * ahead of |out|. */
+// dtls_seal_record implements |tls_seal_record| for DTLS. |use_epoch| selects
+// which epoch's cipher state to use. Unlike |tls_seal_record|, |in| and |out|
+// may alias but, if they do, |in| must be exactly |dtls_seal_prefix_len| bytes
+// ahead of |out|.
int dtls_seal_record(SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out,
uint8_t type, const uint8_t *in, size_t in_len,
enum dtls1_use_epoch_t use_epoch);
-/* ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
- * state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
- * |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as
- * appropriate. */
+// ssl_process_alert processes |in| as an alert and updates |ssl|'s shutdown
+// state. It returns one of |ssl_open_record_discard|, |ssl_open_record_error|,
+// |ssl_open_record_close_notify|, or |ssl_open_record_fatal_alert| as
+// appropriate.
enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
const uint8_t *in, size_t in_len);
-/* Private key operations. */
+// Private key operations.
-/* ssl_has_private_key returns one if |ssl| has a private key
- * configured and zero otherwise. */
+// ssl_has_private_key returns one if |ssl| has a private key
+// configured and zero otherwise.
int ssl_has_private_key(const SSL *ssl);
-/* ssl_private_key_* perform the corresponding operation on
- * |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they
- * call the corresponding function or |complete| depending on whether there is a
- * pending operation. Otherwise, they implement the operation with
- * |EVP_PKEY|. */
+// ssl_private_key_* perform the corresponding operation on
+// |SSL_PRIVATE_KEY_METHOD|. If there is a custom private key configured, they
+// call the corresponding function or |complete| depending on whether there is a
+// pending operation. Otherwise, they implement the operation with
+// |EVP_PKEY|.
enum ssl_private_key_result_t ssl_private_key_sign(
SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
@@ -722,25 +722,25 @@
SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, size_t max_out,
const uint8_t *in, size_t in_len);
-/* ssl_private_key_supports_signature_algorithm returns one if |hs|'s private
- * key supports |sigalg| and zero otherwise. */
+// ssl_private_key_supports_signature_algorithm returns one if |hs|'s private
+// key supports |sigalg| and zero otherwise.
int ssl_private_key_supports_signature_algorithm(SSL_HANDSHAKE *hs,
uint16_t sigalg);
-/* ssl_public_key_verify verifies that the |signature| is valid for the public
- * key |pkey| and input |in|, using the signature algorithm |sigalg|. */
+// ssl_public_key_verify verifies that the |signature| is valid for the public
+// key |pkey| and input |in|, using the signature algorithm |sigalg|.
int ssl_public_key_verify(SSL *ssl, const uint8_t *signature,
size_t signature_len, uint16_t sigalg, EVP_PKEY *pkey,
const uint8_t *in, size_t in_len);
-/* Custom extensions */
+// Custom extensions
} // namespace bssl
-/* |SSL_CUSTOM_EXTENSION| is a structure that contains information about
- * custom-extension callbacks. It is defined unnamespaced for compatibility with
- * |STACK_OF(SSL_CUSTOM_EXTENSION)|. */
+// |SSL_CUSTOM_EXTENSION| is a structure that contains information about
+// custom-extension callbacks. It is defined unnamespaced for compatibility with
+// |STACK_OF(SSL_CUSTOM_EXTENSION)|.
typedef struct ssl_custom_extension {
SSL_custom_ext_add_cb add_callback;
void *add_arg;
@@ -764,96 +764,91 @@
int custom_ext_add_serverhello(SSL_HANDSHAKE *hs, CBB *extensions);
-/* Key shares. */
+// Key shares.
-/* SSLKeyShare abstracts over Diffie-Hellman-like key exchanges. */
+// SSLKeyShare abstracts over Diffie-Hellman-like key exchanges.
class SSLKeyShare {
public:
virtual ~SSLKeyShare() {}
static constexpr bool kAllowUniquePtr = true;
HAS_VIRTUAL_DESTRUCTOR
- /* Create returns a SSLKeyShare instance for use with group |group_id| or
- * nullptr on error. */
+ // Create returns a SSLKeyShare instance for use with group |group_id| or
+ // nullptr on error.
static UniquePtr<SSLKeyShare> Create(uint16_t group_id);
- /* GroupID returns the group ID. */
+ // GroupID returns the group ID.
virtual uint16_t GroupID() const PURE_VIRTUAL;
- /* Offer generates a keypair and writes the public value to
- * |out_public_key|. It returns true on success and false on error. */
+ // Offer generates a keypair and writes the public value to
+ // |out_public_key|. It returns true on success and false on error.
virtual bool Offer(CBB *out_public_key) PURE_VIRTUAL;
- /* Accept performs a key exchange against the |peer_key| generated by |offer|.
- * On success, it returns true, writes the public value to |out_public_key|,
- * and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer
- * containing the shared secret. The caller must release this buffer with
- * |OPENSSL_free|. On failure, it returns false and sets |*out_alert| to an
- * alert to send to the peer.
- *
- * The default implementation calls |Offer| and then |Finish|, assuming a key
- * exchange protocol where the peers are symmetric.
- *
- * TODO(davidben): out_secret should be a smart pointer. */
+ // Accept performs a key exchange against the |peer_key| generated by |offer|.
+ // On success, it returns true, writes the public value to |out_public_key|,
+ // and sets |*out_secret| and |*out_secret_len| to a newly-allocated buffer
+ // containing the shared secret. The caller must release this buffer with
+ // |OPENSSL_free|. On failure, it returns false and sets |*out_alert| to an
+ // alert to send to the peer.
+ //
+ // The default implementation calls |Offer| and then |Finish|, assuming a key
+ // exchange protocol where the peers are symmetric.
+ //
+ // TODO(davidben): out_secret should be a smart pointer.
virtual bool Accept(CBB *out_public_key, uint8_t **out_secret,
size_t *out_secret_len, uint8_t *out_alert,
const uint8_t *peer_key, size_t peer_key_len);
- /* Finish performs a key exchange against the |peer_key| generated by
- * |Accept|. On success, it returns true and sets |*out_secret| and
- * |*out_secret_len| to a newly-allocated buffer containing the shared
- * secret. The caller must release this buffer with |OPENSSL_free|. On
- * failure, it returns zero and sets |*out_alert| to an alert to send to the
- * peer.
- *
- * TODO(davidben): out_secret should be a smart pointer. */
+ // Finish performs a key exchange against the |peer_key| generated by
+ // |Accept|. On success, it returns true and sets |*out_secret| and
+ // |*out_secret_len| to a newly-allocated buffer containing the shared
+ // secret. The caller must release this buffer with |OPENSSL_free|. On
+ // failure, it returns zero and sets |*out_alert| to an alert to send to the
+ // peer.
+ //
+ // TODO(davidben): out_secret should be a smart pointer.
virtual bool Finish(uint8_t **out_secret, size_t *out_secret_len,
uint8_t *out_alert, const uint8_t *peer_key,
size_t peer_key_len) PURE_VIRTUAL;
};
-/* ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it
- * sets |*out_group_id| to the group ID and returns one. Otherwise, it returns
- * zero. */
+// ssl_nid_to_group_id looks up the group corresponding to |nid|. On success, it
+// sets |*out_group_id| to the group ID and returns one. Otherwise, it returns
+// zero.
int ssl_nid_to_group_id(uint16_t *out_group_id, int nid);
-/* ssl_name_to_group_id looks up the group corresponding to the |name| string
- * of length |len|. On success, it sets |*out_group_id| to the group ID and
- * returns one. Otherwise, it returns zero. */
+// ssl_name_to_group_id looks up the group corresponding to the |name| string
+// of length |len|. On success, it sets |*out_group_id| to the group ID and
+// returns one. Otherwise, it returns zero.
int ssl_name_to_group_id(uint16_t *out_group_id, const char *name, size_t len);
-/* Handshake messages. */
+// Handshake messages.
struct SSLMessage {
bool is_v2_hello;
uint8_t type;
CBS body;
- /* raw is the entire serialized handshake message, including the TLS or DTLS
- * message header. */
+ // raw is the entire serialized handshake message, including the TLS or DTLS
+ // message header.
CBS raw;
};
-/* SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including
- * ChangeCipherSpec, in the longest handshake flight. Currently this is the
- * client's second leg in a full handshake when client certificates, NPN, and
- * Channel ID, are all enabled. */
+// SSL_MAX_HANDSHAKE_FLIGHT is the number of messages, including
+// ChangeCipherSpec, in the longest handshake flight. Currently this is the
+// client's second leg in a full handshake when client certificates, NPN, and
+// Channel ID, are all enabled.
#define SSL_MAX_HANDSHAKE_FLIGHT 7
-/* ssl_max_handshake_message_len returns the maximum number of bytes permitted
- * in a handshake message for |ssl|. */
+// ssl_max_handshake_message_len returns the maximum number of bytes permitted
+// in a handshake message for |ssl|.
size_t ssl_max_handshake_message_len(const SSL *ssl);
-/* ssl_read_message reads a message for the old |BIO|-based state machine. On
- * success, it returns one and sets |*out| to the current message. Otherwise, it
- * returns <= 0. */
-int ssl_read_message(SSL *ssl, SSLMessage *out);
-
-/* dtls_clear_incoming_messages releases all buffered incoming messages. */
+// dtls_clear_incoming_messages releases all buffered incoming messages.
void dtls_clear_incoming_messages(SSL *ssl);
-/* dtls_has_incoming_messages returns one if there are buffered incoming
- * messages ahead of the current message and zero otherwise. */
+// dtls_has_incoming_messages returns one if there are buffered incoming
+// messages ahead of the current message and zero otherwise.
int dtls_has_incoming_messages(const SSL *ssl);
struct DTLS_OUTGOING_MESSAGE {
@@ -863,219 +858,223 @@
char is_ccs;
};
-/* dtls_clear_outgoing_messages releases all buffered outgoing messages. */
+// dtls_clear_outgoing_messages releases all buffered outgoing messages.
void dtls_clear_outgoing_messages(SSL *ssl);
-/* Callbacks. */
+// Callbacks.
-/* ssl_do_info_callback calls |ssl|'s info callback, if set. */
+// ssl_do_info_callback calls |ssl|'s info callback, if set.
void ssl_do_info_callback(const SSL *ssl, int type, int value);
-/* ssl_do_msg_callback calls |ssl|'s message callback, if set. */
+// ssl_do_msg_callback calls |ssl|'s message callback, if set.
void ssl_do_msg_callback(SSL *ssl, int is_write, int content_type,
const void *buf, size_t len);
-/* Transport buffers. */
+// Transport buffers.
-/* ssl_read_buffer returns a pointer to contents of the read buffer. */
+// ssl_read_buffer returns a pointer to contents of the read buffer.
uint8_t *ssl_read_buffer(SSL *ssl);
-/* ssl_read_buffer_len returns the length of the read buffer. */
+// ssl_read_buffer_len returns the length of the read buffer.
size_t ssl_read_buffer_len(const SSL *ssl);
-/* ssl_read_buffer_extend_to extends the read buffer to the desired length. For
- * TLS, it reads to the end of the buffer until the buffer is |len| bytes
- * long. For DTLS, it reads a new packet and ignores |len|. It returns one on
- * success, zero on EOF, and a negative number on error.
- *
- * It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is
- * non-empty. */
+// ssl_read_buffer_extend_to extends the read buffer to the desired length. For
+// TLS, it reads to the end of the buffer until the buffer is |len| bytes
+// long. For DTLS, it reads a new packet and ignores |len|. It returns one on
+// success, zero on EOF, and a negative number on error.
+//
+// It is an error to call |ssl_read_buffer_extend_to| in DTLS when the buffer is
+// non-empty.
int ssl_read_buffer_extend_to(SSL *ssl, size_t len);
-/* ssl_read_buffer_consume consumes |len| bytes from the read buffer. It
- * advances the data pointer and decrements the length. The memory consumed will
- * remain valid until the next call to |ssl_read_buffer_extend| or it is
- * discarded with |ssl_read_buffer_discard|. */
+// ssl_read_buffer_consume consumes |len| bytes from the read buffer. It
+// advances the data pointer and decrements the length. The memory consumed will
+// remain valid until the next call to |ssl_read_buffer_extend| or it is
+// discarded with |ssl_read_buffer_discard|.
void ssl_read_buffer_consume(SSL *ssl, size_t len);
-/* ssl_read_buffer_discard discards the consumed bytes from the read buffer. If
- * the buffer is now empty, it releases memory used by it. */
+// ssl_read_buffer_discard discards the consumed bytes from the read buffer. If
+// the buffer is now empty, it releases memory used by it.
void ssl_read_buffer_discard(SSL *ssl);
-/* ssl_read_buffer_clear releases all memory associated with the read buffer and
- * zero-initializes it. */
+// ssl_read_buffer_clear releases all memory associated with the read buffer and
+// zero-initializes it.
void ssl_read_buffer_clear(SSL *ssl);
-/* ssl_write_buffer_is_pending returns one if the write buffer has pending data
- * and zero if is empty. */
+// ssl_write_buffer_is_pending returns one if the write buffer has pending data
+// and zero if is empty.
int ssl_write_buffer_is_pending(const SSL *ssl);
-/* ssl_write_buffer_init initializes the write buffer. On success, it sets
- * |*out_ptr| to the start of the write buffer with space for up to |max_len|
- * bytes. It returns one on success and zero on failure. Call
- * |ssl_write_buffer_set_len| to complete initialization. */
+// ssl_write_buffer_init initializes the write buffer. On success, it sets
+// |*out_ptr| to the start of the write buffer with space for up to |max_len|
+// bytes. It returns one on success and zero on failure. Call
+// |ssl_write_buffer_set_len| to complete initialization.
int ssl_write_buffer_init(SSL *ssl, uint8_t **out_ptr, size_t max_len);
-/* ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete
- * initialization after |len| bytes are written to the buffer. */
+// ssl_write_buffer_set_len is called after |ssl_write_buffer_init| to complete
+// initialization after |len| bytes are written to the buffer.
void ssl_write_buffer_set_len(SSL *ssl, size_t len);
-/* ssl_write_buffer_flush flushes the write buffer to the transport. It returns
- * one on success and <= 0 on error. For DTLS, whether or not the write
- * succeeds, the write buffer will be cleared. */
+// ssl_write_buffer_flush flushes the write buffer to the transport. It returns
+// one on success and <= 0 on error. For DTLS, whether or not the write
+// succeeds, the write buffer will be cleared.
int ssl_write_buffer_flush(SSL *ssl);
-/* ssl_write_buffer_clear releases all memory associated with the write buffer
- * and zero-initializes it. */
+// ssl_write_buffer_clear releases all memory associated with the write buffer
+// and zero-initializes it.
void ssl_write_buffer_clear(SSL *ssl);
-/* Certificate functions. */
+// Certificate functions.
-/* ssl_has_certificate returns one if a certificate and private key are
- * configured and zero otherwise. */
+// ssl_has_certificate returns one if a certificate and private key are
+// configured and zero otherwise.
int ssl_has_certificate(const SSL *ssl);
-/* ssl_parse_cert_chain parses a certificate list from |cbs| in the format used
- * by a TLS Certificate message. On success, it advances |cbs| and returns
- * true. Otherwise, it returns false and sets |*out_alert| to an alert to send
- * to the peer.
- *
- * If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to
- * the certificate chain and the leaf certificate's public key
- * respectively. Otherwise, both will be set to nullptr.
- *
- * If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the
- * SHA-256 hash of the leaf to |out_leaf_sha256|. */
+// ssl_parse_cert_chain parses a certificate list from |cbs| in the format used
+// by a TLS Certificate message. On success, it advances |cbs| and returns
+// true. Otherwise, it returns false and sets |*out_alert| to an alert to send
+// to the peer.
+//
+// If the list is non-empty then |*out_chain| and |*out_pubkey| will be set to
+// the certificate chain and the leaf certificate's public key
+// respectively. Otherwise, both will be set to nullptr.
+//
+// If the list is non-empty and |out_leaf_sha256| is non-NULL, it writes the
+// SHA-256 hash of the leaf to |out_leaf_sha256|.
bool ssl_parse_cert_chain(uint8_t *out_alert,
UniquePtr<STACK_OF(CRYPTO_BUFFER)> *out_chain,
UniquePtr<EVP_PKEY> *out_pubkey,
uint8_t *out_leaf_sha256, CBS *cbs,
CRYPTO_BUFFER_POOL *pool);
-/* ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used
- * by a TLS Certificate message. If there is no certificate chain, it emits an
- * empty certificate list. It returns one on success and zero on error. */
+// ssl_add_cert_chain adds |ssl|'s certificate chain to |cbb| in the format used
+// by a TLS Certificate message. If there is no certificate chain, it emits an
+// empty certificate list. It returns one on success and zero on error.
int ssl_add_cert_chain(SSL *ssl, CBB *cbb);
-/* ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509
- * certificate in |in| and returns one if doesn't specify a key usage or, if it
- * does, if it includes digitalSignature. Otherwise it pushes to the error
- * queue and returns zero. */
+// ssl_cert_check_digital_signature_key_usage parses the DER-encoded, X.509
+// certificate in |in| and returns one if doesn't specify a key usage or, if it
+// does, if it includes digitalSignature. Otherwise it pushes to the error
+// queue and returns zero.
int ssl_cert_check_digital_signature_key_usage(const CBS *in);
-/* ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509
- * certificate in |in|. It returns an allocated |EVP_PKEY| or else returns
- * nullptr and pushes to the error queue. */
+// ssl_cert_parse_pubkey extracts the public key from the DER-encoded, X.509
+// certificate in |in|. It returns an allocated |EVP_PKEY| or else returns
+// nullptr and pushes to the error queue.
UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in);
-/* ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a
- * TLS CertificateRequest message. On success, it returns a newly-allocated
- * |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and
- * sets |*out_alert| to an alert to send to the peer. */
+// ssl_parse_client_CA_list parses a CA list from |cbs| in the format used by a
+// TLS CertificateRequest message. On success, it returns a newly-allocated
+// |CRYPTO_BUFFER| list and advances |cbs|. Otherwise, it returns nullptr and
+// sets |*out_alert| to an alert to send to the peer.
UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
uint8_t *out_alert,
CBS *cbs);
-/* ssl_add_client_CA_list adds the configured CA list to |cbb| in the format
- * used by a TLS CertificateRequest message. It returns one on success and zero
- * on error. */
+// ssl_add_client_CA_list adds the configured CA list to |cbb| in the format
+// used by a TLS CertificateRequest message. It returns one on success and zero
+// on error.
int ssl_add_client_CA_list(SSL *ssl, CBB *cbb);
-/* ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as
- * a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes
- * an error on the error queue. */
+// ssl_check_leaf_certificate returns one if |pkey| and |leaf| are suitable as
+// a server's leaf certificate for |hs|. Otherwise, it returns zero and pushes
+// an error on the error queue.
int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
const CRYPTO_BUFFER *leaf);
-/* ssl_on_certificate_selected is called once the certificate has been selected.
- * It finalizes the certificate and initializes |hs->local_pubkey|. It returns
- * one on success and zero on error. */
+// ssl_on_certificate_selected is called once the certificate has been selected.
+// It finalizes the certificate and initializes |hs->local_pubkey|. It returns
+// one on success and zero on error.
int ssl_on_certificate_selected(SSL_HANDSHAKE *hs);
-/* TLS 1.3 key derivation. */
+// TLS 1.3 key derivation.
-/* tls13_init_key_schedule initializes the handshake hash and key derivation
- * state. The cipher suite and PRF hash must have been selected at this point.
- * It returns one on success and zero on error. */
+// tls13_init_key_schedule initializes the handshake hash and key derivation
+// state. The cipher suite and PRF hash must have been selected at this point.
+// It returns one on success and zero on error.
int tls13_init_key_schedule(SSL_HANDSHAKE *hs);
-/* tls13_init_early_key_schedule initializes the handshake hash and key
- * derivation state from the resumption secret to derive the early secrets. It
- * returns one on success and zero on error. */
+// tls13_init_early_key_schedule initializes the handshake hash and key
+// derivation state from the resumption secret to derive the early secrets. It
+// returns one on success and zero on error.
int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs);
-/* tls13_advance_key_schedule incorporates |in| into the key schedule with
- * HKDF-Extract. It returns one on success and zero on error. */
+// tls13_advance_key_schedule incorporates |in| into the key schedule with
+// HKDF-Extract. It returns one on success and zero on error.
int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
size_t len);
-/* tls13_set_traffic_key sets the read or write traffic keys to
- * |traffic_secret|. It returns one on success and zero on error. */
+// tls13_set_traffic_key sets the read or write traffic keys to
+// |traffic_secret|. It returns one on success and zero on error.
int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
const uint8_t *traffic_secret,
size_t traffic_secret_len);
-/* tls13_derive_early_secrets derives the early traffic secret. It returns one
- * on success and zero on error. */
+// tls13_derive_early_secrets derives the early traffic secret. It returns one
+// on success and zero on error.
int tls13_derive_early_secrets(SSL_HANDSHAKE *hs);
-/* tls13_derive_handshake_secrets derives the handshake traffic secret. It
- * returns one on success and zero on error. */
+// tls13_derive_handshake_secrets derives the handshake traffic secret. It
+// returns one on success and zero on error.
int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs);
-/* tls13_rotate_traffic_key derives the next read or write traffic secret. It
- * returns one on success and zero on error. */
+// tls13_rotate_traffic_key derives the next read or write traffic secret. It
+// returns one on success and zero on error.
int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction);
-/* tls13_derive_application_secrets derives the initial application data traffic
- * and exporter secrets based on the handshake transcripts and |master_secret|.
- * It returns one on success and zero on error. */
+// tls13_derive_application_secrets derives the initial application data traffic
+// and exporter secrets based on the handshake transcripts and |master_secret|.
+// It returns one on success and zero on error.
int tls13_derive_application_secrets(SSL_HANDSHAKE *hs);
-/* tls13_derive_resumption_secret derives the |resumption_secret|. */
+// tls13_derive_resumption_secret derives the |resumption_secret|.
int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs);
-/* tls13_export_keying_material provides an exporter interface to use the
- * |exporter_secret|. */
+// tls13_export_keying_material provides an exporter interface to use the
+// |exporter_secret|.
int tls13_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
const char *label, size_t label_len,
const uint8_t *context, size_t context_len,
int use_context);
-/* tls13_finished_mac calculates the MAC of the handshake transcript to verify
- * the integrity of the Finished message, and stores the result in |out| and
- * length in |out_len|. |is_server| is 1 if this is for the Server Finished and
- * 0 for the Client Finished. */
+// tls13_finished_mac calculates the MAC of the handshake transcript to verify
+// the integrity of the Finished message, and stores the result in |out| and
+// length in |out_len|. |is_server| is 1 if this is for the Server Finished and
+// 0 for the Client Finished.
int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out,
size_t *out_len, int is_server);
-/* tls13_write_psk_binder calculates the PSK binder value and replaces the last
- * bytes of |msg| with the resulting value. It returns 1 on success, and 0 on
- * failure. */
+// tls13_write_psk_binder calculates the PSK binder value and replaces the last
+// bytes of |msg| with the resulting value. It returns 1 on success, and 0 on
+// failure.
int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len);
-/* tls13_verify_psk_binder verifies that the handshake transcript, truncated
- * up to the binders has a valid signature using the value of |session|'s
- * resumption secret. It returns 1 on success, and 0 on failure. */
+// tls13_verify_psk_binder verifies that the handshake transcript, truncated
+// up to the binders has a valid signature using the value of |session|'s
+// resumption secret. It returns 1 on success, and 0 on failure.
int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
const SSLMessage &msg, CBS *binders);
-/* Handshake functions. */
+// Handshake functions.
enum ssl_hs_wait_t {
ssl_hs_error,
ssl_hs_ok,
+ ssl_hs_read_server_hello,
ssl_hs_read_message,
ssl_hs_flush,
+ ssl_hs_certificate_selection_pending,
ssl_hs_x509_lookup,
ssl_hs_channel_id_lookup,
ssl_hs_private_key_operation,
+ ssl_hs_pending_session,
ssl_hs_pending_ticket,
+ ssl_hs_early_return,
ssl_hs_early_data_rejected,
ssl_hs_read_end_of_early_data,
ssl_hs_read_change_cipher_spec,
@@ -1087,38 +1086,31 @@
~SSL_HANDSHAKE();
static constexpr bool kAllowUniquePtr = true;
- /* ssl is a non-owning pointer to the parent |SSL| object. */
+ // ssl is a non-owning pointer to the parent |SSL| object.
SSL *ssl;
- /* do_tls13_handshake runs the TLS 1.3 handshake. On completion, it returns
- * |ssl_hs_ok|. Otherwise, it returns a value corresponding to what operation
- * is needed to progress. */
- enum ssl_hs_wait_t (*do_tls13_handshake)(SSL_HANDSHAKE *hs);
-
- /* wait contains the operation |do_tls13_handshake| is currently blocking on
- * or |ssl_hs_ok| if none. */
+ // wait contains the operation the handshake is currently blocking on or
+ // |ssl_hs_ok| if none.
enum ssl_hs_wait_t wait = ssl_hs_ok;
- /* state contains one of the SSL3_ST_* values. */
- int state = SSL_ST_INIT;
+ // state is the internal state for the TLS 1.2 and below handshake. Its
+ // values depend on |do_handshake| but the starting state is always zero.
+ int state = 0;
- /* next_state is used when SSL_ST_FLUSH_DATA is entered */
- int next_state = 0;
-
- /* tls13_state is the internal state for the TLS 1.3 handshake. Its values
- * depend on |do_tls13_handshake| but the starting state is always zero. */
+ // tls13_state is the internal state for the TLS 1.3 handshake. Its values
+ // depend on |do_handshake| but the starting state is always zero.
int tls13_state = 0;
- /* min_version is the minimum accepted protocol version, taking account both
- * |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs. */
+ // min_version is the minimum accepted protocol version, taking account both
+ // |SSL_OP_NO_*| and |SSL_CTX_set_min_proto_version| APIs.
uint16_t min_version = 0;
- /* max_version is the maximum accepted protocol version, taking account both
- * |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs. */
+ // max_version is the maximum accepted protocol version, taking account both
+ // |SSL_OP_NO_*| and |SSL_CTX_set_max_proto_version| APIs.
uint16_t max_version = 0;
- /* session_id is the session ID in the ClientHello, used for the experimental
- * TLS 1.3 variant. */
+ // session_id is the session ID in the ClientHello, used for the experimental
+ // TLS 1.3 variant.
uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH] = {0};
uint8_t session_id_len = 0;
@@ -1132,234 +1124,241 @@
uint8_t expected_client_finished[EVP_MAX_MD_SIZE] = {0};
union {
- /* sent is a bitset where the bits correspond to elements of kExtensions
- * in t1_lib.c. Each bit is set if that extension was sent in a
- * ClientHello. It's not used by servers. */
+ // sent is a bitset where the bits correspond to elements of kExtensions
+ // in t1_lib.c. Each bit is set if that extension was sent in a
+ // ClientHello. It's not used by servers.
uint32_t sent = 0;
- /* received is a bitset, like |sent|, but is used by servers to record
- * which extensions were received from a client. */
+ // received is a bitset, like |sent|, but is used by servers to record
+ // which extensions were received from a client.
uint32_t received;
} extensions;
union {
- /* sent is a bitset where the bits correspond to elements of
- * |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that
- * extension was sent in a ClientHello. It's not used by servers. */
+ // sent is a bitset where the bits correspond to elements of
+ // |client_custom_extensions| in the |SSL_CTX|. Each bit is set if that
+ // extension was sent in a ClientHello. It's not used by servers.
uint16_t sent = 0;
- /* received is a bitset, like |sent|, but is used by servers to record
- * which custom extensions were received from a client. The bits here
- * correspond to |server_custom_extensions|. */
+ // received is a bitset, like |sent|, but is used by servers to record
+ // which custom extensions were received from a client. The bits here
+ // correspond to |server_custom_extensions|.
uint16_t received;
} custom_extensions;
- /* retry_group is the group ID selected by the server in HelloRetryRequest in
- * TLS 1.3. */
+ // retry_group is the group ID selected by the server in HelloRetryRequest in
+ // TLS 1.3.
uint16_t retry_group = 0;
- /* key_share is the current key exchange instance. */
+ // key_share is the current key exchange instance.
UniquePtr<SSLKeyShare> key_share;
- /* transcript is the current handshake transcript. */
+ // transcript is the current handshake transcript.
SSLTranscript transcript;
- /* cookie is the value of the cookie received from the server, if any. */
+ // cookie is the value of the cookie received from the server, if any.
uint8_t *cookie = nullptr;
size_t cookie_len = 0;
- /* key_share_bytes is the value of the previously sent KeyShare extension by
- * the client in TLS 1.3. */
+ // key_share_bytes is the value of the previously sent KeyShare extension by
+ // the client in TLS 1.3.
uint8_t *key_share_bytes = nullptr;
size_t key_share_bytes_len = 0;
- /* ecdh_public_key, for servers, is the key share to be sent to the client in
- * TLS 1.3. */
+ // ecdh_public_key, for servers, is the key share to be sent to the client in
+ // TLS 1.3.
uint8_t *ecdh_public_key = nullptr;
size_t ecdh_public_key_len = 0;
- /* peer_sigalgs are the signature algorithms that the peer supports. These are
- * taken from the contents of the signature algorithms extension for a server
- * or from the CertificateRequest for a client. */
+ // peer_sigalgs are the signature algorithms that the peer supports. These are
+ // taken from the contents of the signature algorithms extension for a server
+ // or from the CertificateRequest for a client.
uint16_t *peer_sigalgs = nullptr;
- /* num_peer_sigalgs is the number of entries in |peer_sigalgs|. */
+ // num_peer_sigalgs is the number of entries in |peer_sigalgs|.
size_t num_peer_sigalgs = 0;
- /* peer_supported_group_list contains the supported group IDs advertised by
- * the peer. This is only set on the server's end. The server does not
- * advertise this extension to the client. */
+ // peer_supported_group_list contains the supported group IDs advertised by
+ // the peer. This is only set on the server's end. The server does not
+ // advertise this extension to the client.
uint16_t *peer_supported_group_list = nullptr;
size_t peer_supported_group_list_len = 0;
- /* peer_key is the peer's ECDH key for a TLS 1.2 client. */
+ // peer_key is the peer's ECDH key for a TLS 1.2 client.
uint8_t *peer_key = nullptr;
size_t peer_key_len = 0;
- /* server_params, in a TLS 1.2 server, stores the ServerKeyExchange
- * parameters. It has client and server randoms prepended for signing
- * convenience. */
+ // server_params, in a TLS 1.2 server, stores the ServerKeyExchange
+ // parameters. It has client and server randoms prepended for signing
+ // convenience.
uint8_t *server_params = nullptr;
size_t server_params_len = 0;
- /* peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the
- * server when using a TLS 1.2 PSK key exchange. */
+ // peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the
+ // server when using a TLS 1.2 PSK key exchange.
UniquePtr<char> peer_psk_identity_hint;
- /* ca_names, on the client, contains the list of CAs received in a
- * CertificateRequest message. */
+ // ca_names, on the client, contains the list of CAs received in a
+ // CertificateRequest message.
UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names;
- /* cached_x509_ca_names contains a cache of parsed versions of the elements
- * of |ca_names|. */
+ // cached_x509_ca_names contains a cache of parsed versions of the elements
+ // of |ca_names|.
STACK_OF(X509_NAME) *cached_x509_ca_names = nullptr;
- /* certificate_types, on the client, contains the set of certificate types
- * received in a CertificateRequest message. */
+ // certificate_types, on the client, contains the set of certificate types
+ // received in a CertificateRequest message.
uint8_t *certificate_types = nullptr;
size_t num_certificate_types = 0;
- /* hostname, on the server, is the value of the SNI extension. */
+ // hostname, on the server, is the value of the SNI extension.
UniquePtr<char> hostname;
- /* local_pubkey is the public key we are authenticating as. */
+ // local_pubkey is the public key we are authenticating as.
UniquePtr<EVP_PKEY> local_pubkey;
- /* peer_pubkey is the public key parsed from the peer's leaf certificate. */
+ // peer_pubkey is the public key parsed from the peer's leaf certificate.
UniquePtr<EVP_PKEY> peer_pubkey;
- /* new_session is the new mutable session being established by the current
- * handshake. It should not be cached. */
+ // new_session is the new mutable session being established by the current
+ // handshake. It should not be cached.
UniquePtr<SSL_SESSION> new_session;
- /* early_session is the session corresponding to the current 0-RTT state on
- * the client if |in_early_data| is true. */
+ // early_session is the session corresponding to the current 0-RTT state on
+ // the client if |in_early_data| is true.
UniquePtr<SSL_SESSION> early_session;
- /* new_cipher is the cipher being negotiated in this handshake. */
+ // new_cipher is the cipher being negotiated in this handshake.
const SSL_CIPHER *new_cipher = nullptr;
- /* key_block is the record-layer key block for TLS 1.2 and earlier. */
+ // key_block is the record-layer key block for TLS 1.2 and earlier.
uint8_t *key_block = nullptr;
uint8_t key_block_len = 0;
- /* scts_requested is one if the SCT extension is in the ClientHello. */
- unsigned scts_requested:1;
+ // scts_requested is true if the SCT extension is in the ClientHello.
+ bool scts_requested:1;
- /* needs_psk_binder if the ClientHello has a placeholder PSK binder to be
- * filled in. */
- unsigned needs_psk_binder:1;
+ // needs_psk_binder is true if the ClientHello has a placeholder PSK binder to
+ // be filled in.
+ bool needs_psk_binder:1;
- unsigned received_hello_retry_request:1;
+ bool received_hello_retry_request:1;
- unsigned received_custom_extension:1;
+ bool received_custom_extension:1;
- /* accept_psk_mode stores whether the client's PSK mode is compatible with our
- * preferences. */
- unsigned accept_psk_mode:1;
+ // handshake_finalized is true once the handshake has completed, at which
+ // point accessors should use the established state.
+ bool handshake_finalized:1;
- /* cert_request is one if a client certificate was requested and zero
- * otherwise. */
- unsigned cert_request:1;
+ // accept_psk_mode stores whether the client's PSK mode is compatible with our
+ // preferences.
+ bool accept_psk_mode:1;
- /* certificate_status_expected is one if OCSP stapling was negotiated and the
- * server is expected to send a CertificateStatus message. (This is used on
- * both the client and server sides.) */
- unsigned certificate_status_expected:1;
+ // cert_request is true if a client certificate was requested.
+ bool cert_request:1;
- /* ocsp_stapling_requested is one if a client requested OCSP stapling. */
- unsigned ocsp_stapling_requested:1;
+ // certificate_status_expected is true if OCSP stapling was negotiated and the
+ // server is expected to send a CertificateStatus message. (This is used on
+ // both the client and server sides.)
+ bool certificate_status_expected:1;
- /* should_ack_sni is used by a server and indicates that the SNI extension
- * should be echoed in the ServerHello. */
- unsigned should_ack_sni:1;
+ // ocsp_stapling_requested is true if a client requested OCSP stapling.
+ bool ocsp_stapling_requested:1;
- /* in_false_start is one if there is a pending client handshake in False
- * Start. The client may write data at this point. */
- unsigned in_false_start:1;
+ // should_ack_sni is used by a server and indicates that the SNI extension
+ // should be echoed in the ServerHello.
+ bool should_ack_sni:1;
- /* in_early_data is one if there is a pending handshake that has progressed
- * enough to send and receive early data. */
- unsigned in_early_data:1;
+ // in_false_start is true if there is a pending client handshake in False
+ // Start. The client may write data at this point.
+ bool in_false_start:1;
- /* early_data_offered is one if the client sent the early_data extension. */
- unsigned early_data_offered:1;
+ // in_early_data is true if there is a pending handshake that has progressed
+ // enough to send and receive early data.
+ bool in_early_data:1;
- /* can_early_read is one if application data may be read at this point in the
- * handshake. */
- unsigned can_early_read:1;
+ // early_data_offered is true if the client sent the early_data extension.
+ bool early_data_offered:1;
- /* can_early_write is one if application data may be written at this point in
- * the handshake. */
- unsigned can_early_write:1;
+ // can_early_read is true if application data may be read at this point in the
+ // handshake.
+ bool can_early_read:1;
- /* next_proto_neg_seen is one of NPN was negotiated. */
- unsigned next_proto_neg_seen:1;
+ // can_early_write is true if application data may be written at this point in
+ // the handshake.
+ bool can_early_write:1;
- /* ticket_expected is one if a TLS 1.2 NewSessionTicket message is to be sent
- * or received. */
- unsigned ticket_expected:1;
+ // next_proto_neg_seen is one of NPN was negotiated.
+ bool next_proto_neg_seen:1;
- /* extended_master_secret is one if the extended master secret extension is
- * negotiated in this handshake. */
- unsigned extended_master_secret:1;
+ // ticket_expected is true if a TLS 1.2 NewSessionTicket message is to be sent
+ // or received.
+ bool ticket_expected:1;
- /* pending_private_key_op is one if there is a pending private key operation
- * in progress. */
- unsigned pending_private_key_op:1;
+ // extended_master_secret is true if the extended master secret extension is
+ // negotiated in this handshake.
+ bool extended_master_secret:1;
- /* client_version is the value sent or received in the ClientHello version. */
+ // pending_private_key_op is true if there is a pending private key operation
+ // in progress.
+ bool pending_private_key_op:1;
+
+ // client_version is the value sent or received in the ClientHello version.
uint16_t client_version = 0;
- /* early_data_read is the amount of early data that has been read by the
- * record layer. */
+ // early_data_read is the amount of early data that has been read by the
+ // record layer.
uint16_t early_data_read = 0;
- /* early_data_written is the amount of early data that has been written by the
- * record layer. */
+ // early_data_written is the amount of early data that has been written by the
+ // record layer.
uint16_t early_data_written = 0;
};
SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl);
-/* ssl_handshake_free releases all memory associated with |hs|. */
+// ssl_handshake_free releases all memory associated with |hs|.
void ssl_handshake_free(SSL_HANDSHAKE *hs);
-/* ssl_check_message_type checks if |msg| has type |type|. If so it returns
- * one. Otherwise, it sends an alert and returns zero. */
+// ssl_check_message_type checks if |msg| has type |type|. If so it returns
+// one. Otherwise, it sends an alert and returns zero.
int ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type);
-/* tls13_handshake runs the TLS 1.3 handshake. It returns one on success and <=
- * 0 on error. It sets |out_early_return| to one if we've completed the
- * handshake early. */
-int tls13_handshake(SSL_HANDSHAKE *hs, int *out_early_return);
+// ssl_run_handshake runs the TLS handshake. It returns one on success and <= 0
+// on error. It sets |out_early_return| to one if we've completed the handshake
+// early.
+int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return);
-/* The following are implementations of |do_tls13_handshake| for the client and
- * server. */
+// The following are implementations of |do_handshake| for the client and
+// server.
+enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs);
+enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs);
enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs);
enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs);
-/* The following functions return human-readable representations of the TLS 1.3
- * handshake states for debugging. */
+// The following functions return human-readable representations of the TLS
+// handshake states for debugging.
+const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs);
+const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs);
const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs);
const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs);
-/* tls13_post_handshake processes a post-handshake message. It returns one on
- * success and zero on failure. */
+// tls13_post_handshake processes a post-handshake message. It returns one on
+// success and zero on failure.
int tls13_post_handshake(SSL *ssl, const SSLMessage &msg);
int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
int allow_anonymous);
int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg);
-/* tls13_process_finished processes |msg| as a Finished message from the
- * peer. If |use_saved_value| is one, the verify_data is compared against
- * |hs->expected_client_finished| rather than computed fresh. */
+// tls13_process_finished processes |msg| as a Finished message from the
+// peer. If |use_saved_value| is one, the verify_data is compared against
+// |hs->expected_client_finished| rather than computed fresh.
int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
int use_saved_value);
int tls13_add_certificate(SSL_HANDSHAKE *hs);
-/* tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the
- * handshake. If it returns |ssl_private_key_retry|, it should be called again
- * to retry when the signing operation is completed. */
+// tls13_add_certificate_verify adds a TLS 1.3 CertificateVerify message to the
+// handshake. If it returns |ssl_private_key_retry|, it should be called again
+// to retry when the signing operation is completed.
enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs);
int tls13_add_finished(SSL_HANDSHAKE *hs);
@@ -1368,7 +1367,7 @@
int ssl_ext_key_share_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t **out_secret,
size_t *out_secret_len,
uint8_t *out_alert, CBS *contents);
-int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found,
+int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
uint8_t **out_secret,
size_t *out_secret_len,
uint8_t *out_alert, CBS *contents);
@@ -1381,14 +1380,14 @@
uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents);
int ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out);
-/* ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and
- * returns one iff it's valid. */
+// ssl_is_sct_list_valid does a shallow parse of the SCT list in |contents| and
+// returns one iff it's valid.
int ssl_is_sct_list_valid(const CBS *contents);
int ssl_write_client_hello(SSL_HANDSHAKE *hs);
-/* ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
- * should be called once the version is known to be TLS 1.2 or earlier. */
+// ssl_clear_tls13_state releases client state only needed for TLS 1.3. It
+// should be called once the version is known to be TLS 1.2 or earlier.
void ssl_clear_tls13_state(SSL_HANDSHAKE *hs);
enum ssl_cert_verify_context_t {
@@ -1397,49 +1396,49 @@
ssl_cert_verify_channel_id,
};
-/* tls13_get_cert_verify_signature_input generates the message to be signed for
- * TLS 1.3's CertificateVerify message. |cert_verify_context| determines the
- * type of signature. It sets |*out| and |*out_len| to a newly allocated buffer
- * containing the result. The caller must free it with |OPENSSL_free| to release
- * it. This function returns one on success and zero on failure. */
+// tls13_get_cert_verify_signature_input generates the message to be signed for
+// TLS 1.3's CertificateVerify message. |cert_verify_context| determines the
+// type of signature. It sets |*out| and |*out_len| to a newly allocated buffer
+// containing the result. The caller must free it with |OPENSSL_free| to release
+// it. This function returns one on success and zero on failure.
int tls13_get_cert_verify_signature_input(
SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len,
enum ssl_cert_verify_context_t cert_verify_context);
-/* ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
- * one on successful negotiation or if nothing was negotiated. It returns zero
- * and sets |*out_alert| to an alert on error. */
+// ssl_negotiate_alpn negotiates the ALPN extension, if applicable. It returns
+// one on successful negotiation or if nothing was negotiated. It returns zero
+// and sets |*out_alert| to an alert on error.
int ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert,
const SSL_CLIENT_HELLO *client_hello);
struct SSL_EXTENSION_TYPE {
uint16_t type;
- int *out_present;
+ bool *out_present;
CBS *out_data;
};
-/* ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances
- * it. It writes the parsed extensions to pointers denoted by |ext_types|. On
- * success, it fills in the |out_present| and |out_data| fields and returns one.
- * Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown
- * extensions are rejected unless |ignore_unknown| is 1. */
+// ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances
+// it. It writes the parsed extensions to pointers denoted by |ext_types|. On
+// success, it fills in the |out_present| and |out_data| fields and returns one.
+// Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown
+// extensions are rejected unless |ignore_unknown| is 1.
int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
const SSL_EXTENSION_TYPE *ext_types,
size_t num_ext_types, int ignore_unknown);
-/* ssl_verify_peer_cert verifies the peer certificate for |hs|. */
+// ssl_verify_peer_cert verifies the peer certificate for |hs|.
enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs);
-/* SSLKEYLOGFILE functions. */
+// SSLKEYLOGFILE functions.
-/* ssl_log_secret logs |secret| with label |label|, if logging is enabled for
- * |ssl|. It returns one on success and zero on failure. */
+// ssl_log_secret logs |secret| with label |label|, if logging is enabled for
+// |ssl|. It returns one on success and zero on failure.
int ssl_log_secret(const SSL *ssl, const char *label, const uint8_t *secret,
size_t secret_len);
-/* ClientHello functions. */
+// ClientHello functions.
int ssl_client_hello_init(SSL *ssl, SSL_CLIENT_HELLO *out,
const SSLMessage &msg);
@@ -1451,7 +1450,7 @@
uint16_t id);
-/* GREASE. */
+// GREASE.
enum ssl_grease_index_t {
ssl_grease_cipher = 0,
@@ -1462,146 +1461,146 @@
ssl_grease_ticket_extension,
};
-/* ssl_get_grease_value returns a GREASE value for |ssl|. For a given
- * connection, the values for each index will be deterministic. This allows the
- * same ClientHello be sent twice for a HelloRetryRequest or the same group be
- * advertised in both supported_groups and key_shares. */
+// ssl_get_grease_value returns a GREASE value for |ssl|. For a given
+// connection, the values for each index will be deterministic. This allows the
+// same ClientHello be sent twice for a HelloRetryRequest or the same group be
+// advertised in both supported_groups and key_shares.
uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index);
-/* Signature algorithms. */
+// Signature algorithms.
-/* tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
- * algorithms and saves them on |hs|. It returns one on success and zero on
- * error. */
+// tls1_parse_peer_sigalgs parses |sigalgs| as the list of peer signature
+// algorithms and saves them on |hs|. It returns one on success and zero on
+// error.
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *sigalgs);
-/* tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
- * that should be used with |pkey| in TLS 1.1 and earlier. It returns one on
- * success and zero if |pkey| may not be used at those versions. */
+// tls1_get_legacy_signature_algorithm sets |*out| to the signature algorithm
+// that should be used with |pkey| in TLS 1.1 and earlier. It returns one on
+// success and zero if |pkey| may not be used at those versions.
int tls1_get_legacy_signature_algorithm(uint16_t *out, const EVP_PKEY *pkey);
-/* tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
- * with |hs|'s private key based on the peer's preferences and the algorithms
- * supported. It returns one on success and zero on error. */
+// tls1_choose_signature_algorithm sets |*out| to a signature algorithm for use
+// with |hs|'s private key based on the peer's preferences and the algorithms
+// supported. It returns one on success and zero on error.
int tls1_choose_signature_algorithm(SSL_HANDSHAKE *hs, uint16_t *out);
-/* tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
- * peer signature to |out|. It returns one on success and zero on error. */
+// tls12_add_verify_sigalgs adds the signature algorithms acceptable for the
+// peer signature to |out|. It returns one on success and zero on error.
int tls12_add_verify_sigalgs(const SSL *ssl, CBB *out);
-/* tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
- * signature. It returns one on success and zero on error, setting |*out_alert|
- * to an alert to send. */
+// tls12_check_peer_sigalg checks if |sigalg| is acceptable for the peer
+// signature. It returns one on success and zero on error, setting |*out_alert|
+// to an alert to send.
int tls12_check_peer_sigalg(SSL *ssl, uint8_t *out_alert, uint16_t sigalg);
-/* Underdocumented functions.
- *
- * Functions below here haven't been touched up and may be underdocumented. */
+// Underdocumented functions.
+//
+// Functions below here haven't been touched up and may be underdocumented.
#define TLSEXT_CHANNEL_ID_SIZE 128
-/* From RFC4492, used in encoding the curve type in ECParameters */
+// From RFC4492, used in encoding the curve type in ECParameters
#define NAMED_CURVE_TYPE 3
struct SSLCertConfig {
EVP_PKEY *privatekey;
- /* chain contains the certificate chain, with the leaf at the beginning. The
- * first element of |chain| may be NULL to indicate that the leaf certificate
- * has not yet been set.
- * If |chain| != NULL -> len(chain) >= 1
- * If |chain[0]| == NULL -> len(chain) >= 2.
- * |chain[1..]| != NULL */
+ // chain contains the certificate chain, with the leaf at the beginning. The
+ // first element of |chain| may be NULL to indicate that the leaf certificate
+ // has not yet been set.
+ // If |chain| != NULL -> len(chain) >= 1
+ // If |chain[0]| == NULL -> len(chain) >= 2.
+ // |chain[1..]| != NULL
STACK_OF(CRYPTO_BUFFER) *chain;
- /* x509_chain may contain a parsed copy of |chain[1..]|. This is only used as
- * a cache in order to implement “get0” functions that return a non-owning
- * pointer to the certificate chain. */
+ // x509_chain may contain a parsed copy of |chain[1..]|. This is only used as
+ // a cache in order to implement “get0” functions that return a non-owning
+ // pointer to the certificate chain.
STACK_OF(X509) *x509_chain;
- /* x509_leaf may contain a parsed copy of the first element of |chain|. This
- * is only used as a cache in order to implement “get0” functions that return
- * a non-owning pointer to the certificate chain. */
+ // x509_leaf may contain a parsed copy of the first element of |chain|. This
+ // is only used as a cache in order to implement “get0” functions that return
+ // a non-owning pointer to the certificate chain.
X509 *x509_leaf;
- /* x509_stash contains the last |X509| object append to the chain. This is a
- * workaround for some third-party code that continue to use an |X509| object
- * even after passing ownership with an “add0” function. */
+ // x509_stash contains the last |X509| object append to the chain. This is a
+ // workaround for some third-party code that continue to use an |X509| object
+ // even after passing ownership with an “add0” function.
X509 *x509_stash;
- /* key_method, if non-NULL, is a set of callbacks to call for private key
- * operations. */
+ // key_method, if non-NULL, is a set of callbacks to call for private key
+ // operations.
const SSL_PRIVATE_KEY_METHOD *key_method;
- /* x509_method contains pointers to functions that might deal with |X509|
- * compatibility, or might be a no-op, depending on the application. */
+ // x509_method contains pointers to functions that might deal with |X509|
+ // compatibility, or might be a no-op, depending on the application.
const SSL_X509_METHOD *x509_method;
- /* sigalgs, if non-NULL, is the set of signature algorithms supported by
- * |privatekey| in decreasing order of preference. */
+ // sigalgs, if non-NULL, is the set of signature algorithms supported by
+ // |privatekey| in decreasing order of preference.
uint16_t *sigalgs;
size_t num_sigalgs;
- /* Certificate setup callback: if set is called whenever a
- * certificate may be required (client or server). the callback
- * can then examine any appropriate parameters and setup any
- * certificates required. This allows advanced applications
- * to select certificates on the fly: for example based on
- * supported signature algorithms or curves. */
+ // Certificate setup callback: if set is called whenever a
+ // certificate may be required (client or server). the callback
+ // can then examine any appropriate parameters and setup any
+ // certificates required. This allows advanced applications
+ // to select certificates on the fly: for example based on
+ // supported signature algorithms or curves.
int (*cert_cb)(SSL *ssl, void *arg);
void *cert_cb_arg;
- /* Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX
- * store is used instead. */
+ // Optional X509_STORE for certificate validation. If NULL the parent SSL_CTX
+ // store is used instead.
X509_STORE *verify_store;
- /* Signed certificate timestamp list to be sent to the client, if requested */
+ // Signed certificate timestamp list to be sent to the client, if requested
CRYPTO_BUFFER *signed_cert_timestamp_list;
- /* OCSP response to be sent to the client, if requested. */
+ // OCSP response to be sent to the client, if requested.
CRYPTO_BUFFER *ocsp_response;
- /* sid_ctx partitions the session space within a shared session cache or
- * ticket key. Only sessions with a matching value will be accepted. */
+ // sid_ctx partitions the session space within a shared session cache or
+ // ticket key. Only sessions with a matching value will be accepted.
uint8_t sid_ctx_length;
uint8_t sid_ctx[SSL_MAX_SID_CTX_LENGTH];
- /* If enable_early_data is non-zero, early data can be sent and accepted. */
- unsigned enable_early_data:1;
+ // If enable_early_data is true, early data can be sent and accepted.
+ bool enable_early_data:1;
};
-/* ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using
- * crypto/x509. */
+// ssl_crypto_x509_method provides the |SSL_X509_METHOD| functions using
+// crypto/x509.
extern const SSL_X509_METHOD ssl_crypto_x509_method;
-/* ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid
- * crypto/x509. */
+// ssl_noop_x509_method provides the |SSL_X509_METHOD| functions that avoid
+// crypto/x509.
extern const SSL_X509_METHOD ssl_noop_x509_method;
struct SSL3_RECORD {
- /* type is the record type. */
+ // type is the record type.
uint8_t type;
- /* length is the number of unconsumed bytes in the record. */
+ // length is the number of unconsumed bytes in the record.
uint16_t length;
- /* data is a non-owning pointer to the first unconsumed byte of the record. */
+ // data is a non-owning pointer to the first unconsumed byte of the record.
uint8_t *data;
};
struct SSL3_BUFFER {
- /* buf is the memory allocated for this buffer. */
+ // buf is the memory allocated for this buffer.
uint8_t *buf;
- /* offset is the offset into |buf| which the buffer contents start at. */
+ // offset is the offset into |buf| which the buffer contents start at.
uint16_t offset;
- /* len is the length of the buffer contents from |buf| + |offset|. */
+ // len is the length of the buffer contents from |buf| + |offset|.
uint16_t len;
- /* cap is how much memory beyond |buf| + |offset| is available. */
+ // cap is how much memory beyond |buf| + |offset| is available.
uint16_t cap;
};
-/* An ssl_shutdown_t describes the shutdown state of one end of the connection,
- * whether it is alive or has been shutdown via close_notify or fatal alert. */
+// An ssl_shutdown_t describes the shutdown state of one end of the connection,
+// whether it is alive or has been shutdown via close_notify or fatal alert.
enum ssl_shutdown_t {
ssl_shutdown_none = 0,
ssl_shutdown_close_notify = 1,
@@ -1615,106 +1614,106 @@
uint8_t server_random[SSL3_RANDOM_SIZE];
uint8_t client_random[SSL3_RANDOM_SIZE];
- /* read_buffer holds data from the transport to be processed. */
+ // read_buffer holds data from the transport to be processed.
SSL3_BUFFER read_buffer;
- /* write_buffer holds data to be written to the transport. */
+ // write_buffer holds data to be written to the transport.
SSL3_BUFFER write_buffer;
- SSL3_RECORD rrec; /* each decoded record goes in here */
+ SSL3_RECORD rrec; // each decoded record goes in here
- /* partial write - check the numbers match */
- unsigned int wnum; /* number of bytes sent so far */
- int wpend_tot; /* number bytes written */
+ // partial write - check the numbers match
+ unsigned int wnum; // number of bytes sent so far
+ int wpend_tot; // number bytes written
int wpend_type;
- int wpend_ret; /* number of bytes submitted */
+ int wpend_ret; // number of bytes submitted
const uint8_t *wpend_buf;
- /* recv_shutdown is the shutdown state for the receive half of the
- * connection. */
+ // recv_shutdown is the shutdown state for the receive half of the
+ // connection.
enum ssl_shutdown_t recv_shutdown;
- /* recv_shutdown is the shutdown state for the send half of the connection. */
+ // recv_shutdown is the shutdown state for the send half of the connection.
enum ssl_shutdown_t send_shutdown;
int alert_dispatch;
int total_renegotiations;
- /* early_data_skipped is the amount of early data that has been skipped by the
- * record layer. */
+ // early_data_skipped is the amount of early data that has been skipped by the
+ // record layer.
uint16_t early_data_skipped;
- /* empty_record_count is the number of consecutive empty records received. */
+ // empty_record_count is the number of consecutive empty records received.
uint8_t empty_record_count;
- /* warning_alert_count is the number of consecutive warning alerts
- * received. */
+ // warning_alert_count is the number of consecutive warning alerts
+ // received.
uint8_t warning_alert_count;
- /* key_update_count is the number of consecutive KeyUpdates received. */
+ // key_update_count is the number of consecutive KeyUpdates received.
uint8_t key_update_count;
- /* skip_early_data instructs the record layer to skip unexpected early data
- * messages when 0RTT is rejected. */
- unsigned skip_early_data:1;
+ // skip_early_data instructs the record layer to skip unexpected early data
+ // messages when 0RTT is rejected.
+ bool skip_early_data:1;
- /* have_version is true if the connection's final version is known. Otherwise
- * the version has not been negotiated yet. */
- unsigned have_version:1;
+ // have_version is true if the connection's final version is known. Otherwise
+ // the version has not been negotiated yet.
+ bool have_version:1;
- /* v2_hello_done is true if the peer's V2ClientHello, if any, has been handled
- * and future messages should use the record layer. */
- unsigned v2_hello_done:1;
+ // v2_hello_done is true if the peer's V2ClientHello, if any, has been handled
+ // and future messages should use the record layer.
+ bool v2_hello_done:1;
- /* is_v2_hello is true if the current handshake message was derived from a
- * V2ClientHello rather than received from the peer directly. */
- unsigned is_v2_hello:1;
+ // is_v2_hello is true if the current handshake message was derived from a
+ // V2ClientHello rather than received from the peer directly.
+ bool is_v2_hello:1;
- /* has_message is true if the current handshake message has been returned
- * at least once by |get_message| and false otherwise. */
- unsigned has_message:1;
+ // has_message is true if the current handshake message has been returned
+ // at least once by |get_message| and false otherwise.
+ bool has_message:1;
- /* initial_handshake_complete is true if the initial handshake has
- * completed. */
- unsigned initial_handshake_complete:1;
+ // initial_handshake_complete is true if the initial handshake has
+ // completed.
+ bool initial_handshake_complete:1;
- /* session_reused indicates whether a session was resumed. */
- unsigned session_reused:1;
+ // session_reused indicates whether a session was resumed.
+ bool session_reused:1;
- unsigned send_connection_binding:1;
+ bool send_connection_binding:1;
- /* In a client, this means that the server supported Channel ID and that a
- * Channel ID was sent. In a server it means that we echoed support for
- * Channel IDs and that tlsext_channel_id will be valid after the
- * handshake. */
- unsigned tlsext_channel_id_valid:1;
+ // In a client, this means that the server supported Channel ID and that a
+ // Channel ID was sent. In a server it means that we echoed support for
+ // Channel IDs and that tlsext_channel_id will be valid after the
+ // handshake.
+ bool tlsext_channel_id_valid:1;
- /* key_update_pending is one if we have a KeyUpdate acknowledgment
- * outstanding. */
- unsigned key_update_pending:1;
+ // key_update_pending is true if we have a KeyUpdate acknowledgment
+ // outstanding.
+ bool key_update_pending:1;
- /* wpend_pending is one if we have a pending write outstanding. */
- unsigned wpend_pending:1;
+ // wpend_pending is true if we have a pending write outstanding.
+ bool wpend_pending:1;
uint8_t send_alert[2];
- /* pending_flight is the pending outgoing flight. This is used to flush each
- * handshake flight in a single write. |write_buffer| must be written out
- * before this data. */
+ // pending_flight is the pending outgoing flight. This is used to flush each
+ // handshake flight in a single write. |write_buffer| must be written out
+ // before this data.
BUF_MEM *pending_flight;
- /* pending_flight_offset is the number of bytes of |pending_flight| which have
- * been successfully written. */
+ // pending_flight_offset is the number of bytes of |pending_flight| which have
+ // been successfully written.
uint32_t pending_flight_offset;
- /* aead_read_ctx is the current read cipher state. */
+ // aead_read_ctx is the current read cipher state.
SSLAEADContext *aead_read_ctx;
- /* aead_write_ctx is the current write cipher state. */
+ // aead_write_ctx is the current write cipher state.
SSLAEADContext *aead_write_ctx;
- /* hs is the handshake state for the current handshake or NULL if there isn't
- * one. */
+ // hs is the handshake state for the current handshake or NULL if there isn't
+ // one.
SSL_HANDSHAKE *hs;
uint8_t write_traffic_secret[EVP_MAX_MD_SIZE];
@@ -1726,58 +1725,58 @@
uint8_t exporter_secret_len;
uint8_t early_exporter_secret_len;
- /* Connection binding to prevent renegotiation attacks */
+ // Connection binding to prevent renegotiation attacks
uint8_t previous_client_finished[12];
uint8_t previous_client_finished_len;
uint8_t previous_server_finished_len;
uint8_t previous_server_finished[12];
- /* State pertaining to the pending handshake.
- *
- * TODO(davidben): Move everything not needed after the handshake completes to
- * |hs| and remove this. */
+ // State pertaining to the pending handshake.
+ //
+ // TODO(davidben): Move everything not needed after the handshake completes to
+ // |hs| and remove this.
struct {
uint8_t new_mac_secret_len;
uint8_t new_key_len;
uint8_t new_fixed_iv_len;
} tmp;
- /* established_session is the session established by the connection. This
- * session is only filled upon the completion of the handshake and is
- * immutable. */
+ // established_session is the session established by the connection. This
+ // session is only filled upon the completion of the handshake and is
+ // immutable.
SSL_SESSION *established_session;
- /* Next protocol negotiation. For the client, this is the protocol that we
- * sent in NextProtocol and is set when handling ServerHello extensions.
- *
- * For a server, this is the client's selected_protocol from NextProtocol and
- * is set when handling the NextProtocol message, before the Finished
- * message. */
+ // Next protocol negotiation. For the client, this is the protocol that we
+ // sent in NextProtocol and is set when handling ServerHello extensions.
+ //
+ // For a server, this is the client's selected_protocol from NextProtocol and
+ // is set when handling the NextProtocol message, before the Finished
+ // message.
uint8_t *next_proto_negotiated;
size_t next_proto_negotiated_len;
- /* ALPN information
- * (we are in the process of transitioning from NPN to ALPN.) */
+ // ALPN information
+ // (we are in the process of transitioning from NPN to ALPN.)
- /* In a server these point to the selected ALPN protocol after the
- * ClientHello has been processed. In a client these contain the protocol
- * that the server selected once the ServerHello has been processed. */
+ // In a server these point to the selected ALPN protocol after the
+ // ClientHello has been processed. In a client these contain the protocol
+ // that the server selected once the ServerHello has been processed.
uint8_t *alpn_selected;
size_t alpn_selected_len;
- /* For a server:
- * If |tlsext_channel_id_valid| is true, then this contains the
- * verified Channel ID from the client: a P256 point, (x,y), where
- * each are big-endian values. */
+ // For a server:
+ // If |tlsext_channel_id_valid| is true, then this contains the
+ // verified Channel ID from the client: a P256 point, (x,y), where
+ // each are big-endian values.
uint8_t tlsext_channel_id[64];
- /* ticket_age_skew is the difference, in seconds, between the client-sent
- * ticket age and the server-computed value in TLS 1.3 server connections
- * which resumed a session. */
+ // ticket_age_skew is the difference, in seconds, between the client-sent
+ // ticket age and the server-computed value in TLS 1.3 server connections
+ // which resumed a session.
int32_t ticket_age_skew;
};
-/* lengths of messages */
+// lengths of messages
#define DTLS1_COOKIE_LENGTH 256
#define DTLS1_RT_HEADER_LENGTH 13
@@ -1796,19 +1795,19 @@
uint32_t frag_len;
};
-/* An hm_fragment is an incoming DTLS message, possibly not yet assembled. */
+// An hm_fragment is an incoming DTLS message, possibly not yet assembled.
struct hm_fragment {
- /* type is the type of the message. */
+ // type is the type of the message.
uint8_t type;
- /* seq is the sequence number of this message. */
+ // seq is the sequence number of this message.
uint16_t seq;
- /* msg_len is the length of the message body. */
+ // msg_len is the length of the message body.
uint32_t msg_len;
- /* data is a pointer to the message, including message header. It has length
- * |DTLS1_HM_HEADER_LENGTH| + |msg_len|. */
+ // data is a pointer to the message, including message header. It has length
+ // |DTLS1_HM_HEADER_LENGTH| + |msg_len|.
uint8_t *data;
- /* reassembly is a bitmask of |msg_len| bits corresponding to which parts of
- * the message have been received. It is NULL if the message is complete. */
+ // reassembly is a bitmask of |msg_len| bits corresponding to which parts of
+ // the message have been received. It is NULL if the message is complete.
uint8_t *reassembly;
};
@@ -1818,152 +1817,151 @@
};
struct DTLS1_STATE {
- /* send_cookie is true if we are resending the ClientHello with a cookie from
- * a HelloVerifyRequest. */
- bool send_cookie:1;
-
- /* has_change_cipher_spec is true if we have received a ChangeCipherSpec from
- * the peer in this epoch. */
+ // has_change_cipher_spec is true if we have received a ChangeCipherSpec from
+ // the peer in this epoch.
bool has_change_cipher_spec:1;
- /* outgoing_messages_complete is true if |outgoing_messages| has been
- * completed by an attempt to flush it. Future calls to |add_message| and
- * |add_change_cipher_spec| will start a new flight. */
+ // outgoing_messages_complete is true if |outgoing_messages| has been
+ // completed by an attempt to flush it. Future calls to |add_message| and
+ // |add_change_cipher_spec| will start a new flight.
bool outgoing_messages_complete:1;
- /* flight_has_reply is true if the current outgoing flight is complete and has
- * processed at least one message. This is used to detect whether we or the
- * peer sent the final flight. */
+ // flight_has_reply is true if the current outgoing flight is complete and has
+ // processed at least one message. This is used to detect whether we or the
+ // peer sent the final flight.
bool flight_has_reply:1;
uint8_t cookie[DTLS1_COOKIE_LENGTH];
size_t cookie_len;
- /* The current data and handshake epoch. This is initially undefined, and
- * starts at zero once the initial handshake is completed. */
+ // The current data and handshake epoch. This is initially undefined, and
+ // starts at zero once the initial handshake is completed.
uint16_t r_epoch;
uint16_t w_epoch;
- /* records being received in the current epoch */
+ // records being received in the current epoch
DTLS1_BITMAP bitmap;
uint16_t handshake_write_seq;
uint16_t handshake_read_seq;
- /* save last sequence number for retransmissions */
+ // save last sequence number for retransmissions
uint8_t last_write_sequence[8];
SSLAEADContext *last_aead_write_ctx;
- /* incoming_messages is a ring buffer of incoming handshake messages that have
- * yet to be processed. The front of the ring buffer is message number
- * |handshake_read_seq|, at position |handshake_read_seq| %
- * |SSL_MAX_HANDSHAKE_FLIGHT|. */
+ // incoming_messages is a ring buffer of incoming handshake messages that have
+ // yet to be processed. The front of the ring buffer is message number
+ // |handshake_read_seq|, at position |handshake_read_seq| %
+ // |SSL_MAX_HANDSHAKE_FLIGHT|.
hm_fragment *incoming_messages[SSL_MAX_HANDSHAKE_FLIGHT];
- /* outgoing_messages is the queue of outgoing messages from the last handshake
- * flight. */
+ // outgoing_messages is the queue of outgoing messages from the last handshake
+ // flight.
DTLS_OUTGOING_MESSAGE outgoing_messages[SSL_MAX_HANDSHAKE_FLIGHT];
uint8_t outgoing_messages_len;
- /* outgoing_written is the number of outgoing messages that have been
- * written. */
+ // outgoing_written is the number of outgoing messages that have been
+ // written.
uint8_t outgoing_written;
- /* outgoing_offset is the number of bytes of the next outgoing message have
- * been written. */
+ // outgoing_offset is the number of bytes of the next outgoing message have
+ // been written.
uint32_t outgoing_offset;
- unsigned int mtu; /* max DTLS packet size */
+ unsigned int mtu; // max DTLS packet size
- /* num_timeouts is the number of times the retransmit timer has fired since
- * the last time it was reset. */
+ // num_timeouts is the number of times the retransmit timer has fired since
+ // the last time it was reset.
unsigned int num_timeouts;
- /* Indicates when the last handshake msg or heartbeat sent will
- * timeout. */
+ // Indicates when the last handshake msg or heartbeat sent will
+ // timeout.
struct OPENSSL_timeval next_timeout;
- /* timeout_duration_ms is the timeout duration in milliseconds. */
+ // timeout_duration_ms is the timeout duration in milliseconds.
unsigned timeout_duration_ms;
};
-/* SSLConnection backs the public |SSL| type. Due to compatibility constraints,
- * it is a base class for |ssl_st|. */
+// SSLConnection backs the public |SSL| type. Due to compatibility constraints,
+// it is a base class for |ssl_st|.
struct SSLConnection {
- /* method is the method table corresponding to the current protocol (DTLS or
- * TLS). */
+ // method is the method table corresponding to the current protocol (DTLS or
+ // TLS).
const SSL_PROTOCOL_METHOD *method;
- /* version is the protocol version. */
+ // version is the protocol version.
uint16_t version;
- /* conf_max_version is the maximum acceptable protocol version configured by
- * |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is
- * further constrainted by |SSL_OP_NO_*|. */
+ // conf_max_version is the maximum acceptable protocol version configured by
+ // |SSL_set_max_proto_version|. Note this version is normalized in DTLS and is
+ // further constrainted by |SSL_OP_NO_*|.
uint16_t conf_max_version;
- /* conf_min_version is the minimum acceptable protocol version configured by
- * |SSL_set_min_proto_version|. Note this version is normalized in DTLS and is
- * further constrainted by |SSL_OP_NO_*|. */
+ // conf_min_version is the minimum acceptable protocol version configured by
+ // |SSL_set_min_proto_version|. Note this version is normalized in DTLS and is
+ // further constrainted by |SSL_OP_NO_*|.
uint16_t conf_min_version;
- /* tls13_variant is the variant of TLS 1.3 we are using for this
- * configuration. */
+ // tls13_variant is the variant of TLS 1.3 we are using for this
+ // configuration.
enum tls13_variant_t tls13_variant;
uint16_t max_send_fragment;
- /* There are 2 BIO's even though they are normally both the same. This is so
- * data can be read and written to different handlers */
+ // There are 2 BIO's even though they are normally both the same. This is so
+ // data can be read and written to different handlers
- BIO *rbio; /* used by SSL_read */
- BIO *wbio; /* used by SSL_write */
+ BIO *rbio; // used by SSL_read
+ BIO *wbio; // used by SSL_write
- int (*handshake_func)(SSL_HANDSHAKE *hs);
+ // do_handshake runs the handshake. On completion, it returns |ssl_hs_ok|.
+ // Otherwise, it returns a value corresponding to what operation is needed to
+ // progress.
+ enum ssl_hs_wait_t (*do_handshake)(SSL_HANDSHAKE *hs);
- BUF_MEM *init_buf; /* buffer used during init */
+ BUF_MEM *init_buf; // buffer used during init
- SSL3_STATE *s3; /* SSLv3 variables */
- DTLS1_STATE *d1; /* DTLSv1 variables */
+ SSL3_STATE *s3; // SSLv3 variables
+ DTLS1_STATE *d1; // DTLSv1 variables
- /* callback that allows applications to peek at protocol messages */
+ // callback that allows applications to peek at protocol messages
void (*msg_callback)(int write_p, int version, int content_type,
const void *buf, size_t len, SSL *ssl, void *arg);
void *msg_callback_arg;
X509_VERIFY_PARAM *param;
- /* crypto */
+ // crypto
struct ssl_cipher_preference_list_st *cipher_list;
- /* session info */
+ // session info
- /* client cert? */
- /* This is used to hold the server certificate used */
+ // client cert?
+ // This is used to hold the server certificate used
CERT *cert;
- /* This holds a variable that indicates what we were doing when a 0 or -1 is
- * returned. This is needed for non-blocking IO so we know what request
- * needs re-doing when in SSL_accept or SSL_connect */
+ // This holds a variable that indicates what we were doing when a 0 or -1 is
+ // returned. This is needed for non-blocking IO so we know what request
+ // needs re-doing when in SSL_accept or SSL_connect
int rwstate;
- /* initial_timeout_duration_ms is the default DTLS timeout duration in
- * milliseconds. It's used to initialize the timer any time it's restarted. */
+ // initial_timeout_duration_ms is the default DTLS timeout duration in
+ // milliseconds. It's used to initialize the timer any time it's restarted.
unsigned initial_timeout_duration_ms;
- /* session is the configured session to be offered by the client. This session
- * is immutable. */
+ // session is the configured session to be offered by the client. This session
+ // is immutable.
SSL_SESSION *session;
int (*verify_callback)(int ok,
- X509_STORE_CTX *ctx); /* fail if callback returns 0 */
+ X509_STORE_CTX *ctx); // fail if callback returns 0
enum ssl_verify_result_t (*custom_verify_callback)(SSL *ssl,
uint8_t *out_alert);
void (*info_callback)(const SSL *ssl, int type, int value);
- /* Server-only: psk_identity_hint is the identity hint to send in
- * PSK-based key exchanges. */
+ // Server-only: psk_identity_hint is the identity hint to send in
+ // PSK-based key exchanges.
char *psk_identity_hint;
unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
@@ -1975,91 +1973,91 @@
SSL_CTX *ctx;
- /* extra application data */
+ // extra application data
CRYPTO_EX_DATA ex_data;
- /* for server side, keep the list of CA_dn we can use */
+ // for server side, keep the list of CA_dn we can use
STACK_OF(CRYPTO_BUFFER) *client_CA;
- /* cached_x509_client_CA is a cache of parsed versions of the elements of
- * |client_CA|. */
+ // cached_x509_client_CA is a cache of parsed versions of the elements of
+ // |client_CA|.
STACK_OF(X509_NAME) *cached_x509_client_CA;
- uint32_t options; /* protocol behaviour */
- uint32_t mode; /* API behaviour */
+ uint32_t options; // protocol behaviour
+ uint32_t mode; // API behaviour
uint32_t max_cert_list;
char *tlsext_hostname;
size_t supported_group_list_len;
- uint16_t *supported_group_list; /* our list */
+ uint16_t *supported_group_list; // our list
- /* session_ctx is the |SSL_CTX| used for the session cache and related
- * settings. */
+ // session_ctx is the |SSL_CTX| used for the session cache and related
+ // settings.
SSL_CTX *session_ctx;
- /* srtp_profiles is the list of configured SRTP protection profiles for
- * DTLS-SRTP. */
+ // srtp_profiles is the list of configured SRTP protection profiles for
+ // DTLS-SRTP.
STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
- /* srtp_profile is the selected SRTP protection profile for
- * DTLS-SRTP. */
+ // srtp_profile is the selected SRTP protection profile for
+ // DTLS-SRTP.
const SRTP_PROTECTION_PROFILE *srtp_profile;
- /* The client's Channel ID private key. */
+ // The client's Channel ID private key.
EVP_PKEY *tlsext_channel_id_private;
- /* For a client, this contains the list of supported protocols in wire
- * format. */
+ // For a client, this contains the list of supported protocols in wire
+ // format.
uint8_t *alpn_client_proto_list;
unsigned alpn_client_proto_list_len;
- /* renegotiate_mode controls how peer renegotiation attempts are handled. */
+ // renegotiate_mode controls how peer renegotiation attempts are handled.
enum ssl_renegotiate_mode_t renegotiate_mode;
- /* verify_mode is a bitmask of |SSL_VERIFY_*| values. */
+ // verify_mode is a bitmask of |SSL_VERIFY_*| values.
uint8_t verify_mode;
- /* server is true iff the this SSL* is the server half. Note: before the SSL*
- * is initialized by either SSL_set_accept_state or SSL_set_connect_state,
- * the side is not determined. In this state, server is always false. */
+ // server is true iff the this SSL* is the server half. Note: before the SSL*
+ // is initialized by either SSL_set_accept_state or SSL_set_connect_state,
+ // the side is not determined. In this state, server is always false.
unsigned server:1;
- /* quiet_shutdown is true if the connection should not send a close_notify on
- * shutdown. */
+ // quiet_shutdown is true if the connection should not send a close_notify on
+ // shutdown.
unsigned quiet_shutdown:1;
- /* Enable signed certificate time stamps. Currently client only. */
+ // Enable signed certificate time stamps. Currently client only.
unsigned signed_cert_timestamps_enabled:1;
- /* ocsp_stapling_enabled is only used by client connections and indicates
- * whether OCSP stapling will be requested. */
+ // ocsp_stapling_enabled is only used by client connections and indicates
+ // whether OCSP stapling will be requested.
unsigned ocsp_stapling_enabled:1;
- /* tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
- * means that we'll accept Channel IDs from clients. For a client, means that
- * we'll advertise support. */
+ // tlsext_channel_id_enabled is copied from the |SSL_CTX|. For a server,
+ // means that we'll accept Channel IDs from clients. For a client, means that
+ // we'll advertise support.
unsigned tlsext_channel_id_enabled:1;
- /* retain_only_sha256_of_client_certs is true if we should compute the SHA256
- * hash of the peer's certificate and then discard it to save memory and
- * session space. Only effective on the server side. */
+ // retain_only_sha256_of_client_certs is true if we should compute the SHA256
+ // hash of the peer's certificate and then discard it to save memory and
+ // session space. Only effective on the server side.
unsigned retain_only_sha256_of_client_certs:1;
- /* early_data_accepted is true if early data was accepted by the server. */
+ // early_data_accepted is true if early data was accepted by the server.
unsigned early_data_accepted:1;
};
-/* From draft-ietf-tls-tls13-18, used in determining PSK modes. */
+// From draft-ietf-tls-tls13-18, used in determining PSK modes.
#define SSL_PSK_KE 0x0
#define SSL_PSK_DHE_KE 0x1
-/* From draft-ietf-tls-tls13-16, used in determining whether to respond with a
- * KeyUpdate. */
+// From draft-ietf-tls-tls13-16, used in determining whether to respond with a
+// KeyUpdate.
#define SSL_KEY_UPDATE_NOT_REQUESTED 0
#define SSL_KEY_UPDATE_REQUESTED 1
-/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
- * data that will be accepted. This value should be slightly below
- * kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */
+// kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
+// data that will be accepted. This value should be slightly below
+// kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext.
static const size_t kMaxEarlyDataAccepted = 14336;
CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method);
@@ -2068,9 +2066,9 @@
void ssl_cert_free(CERT *cert);
int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer);
int ssl_is_key_type_supported(int key_type);
-/* ssl_compare_public_and_private_key returns one if |pubkey| is the public
- * counterpart to |privkey|. Otherwise it returns zero and pushes a helpful
- * message on the error queue. */
+// ssl_compare_public_and_private_key returns one if |pubkey| is the public
+// counterpart to |privkey|. Otherwise it returns zero and pushes a helpful
+// message on the error queue.
int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
const EVP_PKEY *privkey);
int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey);
@@ -2078,89 +2076,84 @@
int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session);
int ssl_ctx_rotate_ticket_encryption_key(SSL_CTX *ctx);
-/* ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on
- * error. */
+// ssl_session_new returns a newly-allocated blank |SSL_SESSION| or nullptr on
+// error.
UniquePtr<SSL_SESSION> ssl_session_new(const SSL_X509_METHOD *x509_method);
-/* SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over
- * the parsed data. */
+// SSL_SESSION_parse parses an |SSL_SESSION| from |cbs| and advances |cbs| over
+// the parsed data.
UniquePtr<SSL_SESSION> SSL_SESSION_parse(CBS *cbs,
const SSL_X509_METHOD *x509_method,
CRYPTO_BUFFER_POOL *pool);
-/* ssl_session_is_context_valid returns one if |session|'s session ID context
- * matches the one set on |ssl| and zero otherwise. */
+// ssl_session_is_context_valid returns one if |session|'s session ID context
+// matches the one set on |ssl| and zero otherwise.
int ssl_session_is_context_valid(const SSL *ssl, const SSL_SESSION *session);
-/* ssl_session_is_time_valid returns one if |session| is still valid and zero if
- * it has expired. */
+// ssl_session_is_time_valid returns one if |session| is still valid and zero if
+// it has expired.
int ssl_session_is_time_valid(const SSL *ssl, const SSL_SESSION *session);
-/* ssl_session_is_resumable returns one if |session| is resumable for |hs| and
- * zero otherwise. */
+// ssl_session_is_resumable returns one if |session| is resumable for |hs| and
+// zero otherwise.
int ssl_session_is_resumable(const SSL_HANDSHAKE *hs,
const SSL_SESSION *session);
-/* SSL_SESSION_protocol_version returns the protocol version associated with
- * |session|. */
+// SSL_SESSION_protocol_version returns the protocol version associated with
+// |session|.
uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session);
-/* SSL_SESSION_get_digest returns the digest used in |session|. */
+// SSL_SESSION_get_digest returns the digest used in |session|.
const EVP_MD *SSL_SESSION_get_digest(const SSL_SESSION *session);
void ssl_set_session(SSL *ssl, SSL_SESSION *session);
-enum ssl_session_result_t {
- ssl_session_success,
- ssl_session_error,
- ssl_session_retry,
- ssl_session_ticket_retry,
-};
+// ssl_get_prev_session looks up the previous session based on |client_hello|.
+// On success, it sets |*out_session| to the session or nullptr if none was
+// found. If the session could not be looked up synchronously, it returns
+// |ssl_hs_pending_session| and should be called again. If a ticket could not be
+// decrypted immediately it returns |ssl_hs_pending_ticket| and should also
+// be called again. Otherwise, it returns |ssl_hs_error|.
+enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl,
+ UniquePtr<SSL_SESSION> *out_session,
+ bool *out_tickets_supported,
+ bool *out_renew_ticket,
+ const SSL_CLIENT_HELLO *client_hello);
-/* ssl_get_prev_session looks up the previous session based on |client_hello|.
- * On success, it sets |*out_session| to the session or nullptr if none was
- * found. If the session could not be looked up synchronously, it returns
- * |ssl_session_retry| and should be called again. If a ticket could not be
- * decrypted immediately it returns |ssl_session_ticket_retry| and should also
- * be called again. Otherwise, it returns |ssl_session_error|. */
-enum ssl_session_result_t ssl_get_prev_session(
- SSL *ssl, UniquePtr<SSL_SESSION> *out_session, int *out_tickets_supported,
- int *out_renew_ticket, const SSL_CLIENT_HELLO *client_hello);
-
-/* The following flags determine which parts of the session are duplicated. */
+// The following flags determine which parts of the session are duplicated.
#define SSL_SESSION_DUP_AUTH_ONLY 0x0
#define SSL_SESSION_INCLUDE_TICKET 0x1
#define SSL_SESSION_INCLUDE_NONAUTH 0x2
#define SSL_SESSION_DUP_ALL \
(SSL_SESSION_INCLUDE_TICKET | SSL_SESSION_INCLUDE_NONAUTH)
-/* SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the
- * fields in |session| or nullptr on error. The new session is non-resumable and
- * must be explicitly marked resumable once it has been filled in. */
+// SSL_SESSION_dup returns a newly-allocated |SSL_SESSION| with a copy of the
+// fields in |session| or nullptr on error. The new session is non-resumable and
+// must be explicitly marked resumable once it has been filled in.
OPENSSL_EXPORT UniquePtr<SSL_SESSION> SSL_SESSION_dup(SSL_SESSION *session,
int dup_flags);
-/* ssl_session_rebase_time updates |session|'s start time to the current time,
- * adjusting the timeout so the expiration time is unchanged. */
+// ssl_session_rebase_time updates |session|'s start time to the current time,
+// adjusting the timeout so the expiration time is unchanged.
void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session);
-/* ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews
- * |session|'s timeout to |timeout| (measured from the current time). The
- * renewal is clamped to the session's auth_timeout. */
+// ssl_session_renew_timeout calls |ssl_session_rebase_time| and renews
+// |session|'s timeout to |timeout| (measured from the current time). The
+// renewal is clamped to the session's auth_timeout.
void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,
uint32_t timeout);
void ssl_cipher_preference_list_free(
struct ssl_cipher_preference_list_st *cipher_list);
-/* ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and
- * below. */
+// ssl_get_cipher_preferences returns the cipher preference list for TLS 1.2 and
+// below.
const struct ssl_cipher_preference_list_st *ssl_get_cipher_preferences(
const SSL *ssl);
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode);
-int ssl3_get_finished(SSL_HANDSHAKE *hs);
+enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs);
int ssl3_send_alert(SSL *ssl, int level, int desc);
bool ssl3_get_message(SSL *ssl, SSLMessage *out);
int ssl3_read_message(SSL *ssl);
@@ -2168,19 +2161,17 @@
int ssl3_send_finished(SSL_HANDSHAKE *hs);
int ssl3_dispatch_alert(SSL *ssl);
-int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
+int ssl3_read_app_data(SSL *ssl, bool *out_got_handshake, uint8_t *buf, int len,
int peek);
int ssl3_read_change_cipher_spec(SSL *ssl);
void ssl3_read_close_notify(SSL *ssl);
int ssl3_read_handshake_bytes(SSL *ssl, uint8_t *buf, int len);
-int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
+int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf,
int len);
int ssl3_output_cert_chain(SSL *ssl);
int ssl3_new(SSL *ssl);
void ssl3_free(SSL *ssl);
-int ssl3_accept(SSL_HANDSHAKE *hs);
-int ssl3_connect(SSL_HANDSHAKE *hs);
int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type);
int ssl3_finish_message(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len);
@@ -2197,29 +2188,29 @@
int dtls1_add_alert(SSL *ssl, uint8_t level, uint8_t desc);
int dtls1_flush_flight(SSL *ssl);
-/* ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to
- * the pending flight. It returns one on success and zero on error. */
+// ssl_add_message_cbb finishes the handshake message in |cbb| and adds it to
+// the pending flight. It returns one on success and zero on error.
int ssl_add_message_cbb(SSL *ssl, CBB *cbb);
-/* ssl_hash_message incorporates |msg| into the handshake hash. It returns one
- * on success and zero on allocation failure. */
+// ssl_hash_message incorporates |msg| into the handshake hash. It returns one
+// on success and zero on allocation failure.
bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg);
-/* dtls1_get_record reads a new input record. On success, it places it in
- * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
- * more data is needed. */
+// dtls1_get_record reads a new input record. On success, it places it in
+// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
+// more data is needed.
int dtls1_get_record(SSL *ssl);
-int dtls1_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
- int peek);
+int dtls1_read_app_data(SSL *ssl, bool *out_got_handshake, uint8_t *buf,
+ int len, int peek);
int dtls1_read_change_cipher_spec(SSL *ssl);
void dtls1_read_close_notify(SSL *ssl);
-int dtls1_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
- int len);
+int dtls1_write_app_data(SSL *ssl, bool *out_needs_handshake,
+ const uint8_t *buf, int len);
-/* dtls1_write_record sends a record. It returns one on success and <= 0 on
- * error. */
+// dtls1_write_record sends a record. It returns one on success and <= 0 on
+// error.
int dtls1_write_record(SSL *ssl, int type, const uint8_t *buf, size_t len,
enum dtls1_use_epoch_t use_epoch);
@@ -2250,38 +2241,38 @@
int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,
const uint8_t *premaster, size_t premaster_len);
-/* tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the
- * locally-configured group preference list. */
+// tls1_get_grouplist sets |*out_group_ids| and |*out_group_ids_len| to the
+// locally-configured group preference list.
void tls1_get_grouplist(SSL *ssl, const uint16_t **out_group_ids,
size_t *out_group_ids_len);
-/* tls1_check_group_id returns one if |group_id| is consistent with
- * locally-configured group preferences. */
+// tls1_check_group_id returns one if |group_id| is consistent with
+// locally-configured group preferences.
int tls1_check_group_id(SSL *ssl, uint16_t group_id);
-/* tls1_get_shared_group sets |*out_group_id| to the first preferred shared
- * group between client and server preferences and returns one. If none may be
- * found, it returns zero. */
+// tls1_get_shared_group sets |*out_group_id| to the first preferred shared
+// group between client and server preferences and returns one. If none may be
+// found, it returns zero.
int tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id);
-/* tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves|
- * into a newly allocated array of TLS group IDs. On success, the function
- * returns one and writes the array to |*out_group_ids| and its size to
- * |*out_group_ids_len|. Otherwise, it returns zero. */
+// tls1_set_curves converts the array of |ncurves| NIDs pointed to by |curves|
+// into a newly allocated array of TLS group IDs. On success, the function
+// returns one and writes the array to |*out_group_ids| and its size to
+// |*out_group_ids_len|. Otherwise, it returns zero.
int tls1_set_curves(uint16_t **out_group_ids, size_t *out_group_ids_len,
const int *curves, size_t ncurves);
-/* tls1_set_curves_list converts the string of curves pointed to by |curves|
- * into a newly allocated array of TLS group IDs. On success, the function
- * returns one and writes the array to |*out_group_ids| and its size to
- * |*out_group_ids_len|. Otherwise, it returns zero. */
+// tls1_set_curves_list converts the string of curves pointed to by |curves|
+// into a newly allocated array of TLS group IDs. On success, the function
+// returns one and writes the array to |*out_group_ids| and its size to
+// |*out_group_ids_len|. Otherwise, it returns zero.
int tls1_set_curves_list(uint16_t **out_group_ids, size_t *out_group_ids_len,
const char *curves);
-/* ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It
- * returns one on success and zero on failure. The |header_len| argument is the
- * length of the ClientHello written so far and is used to compute the padding
- * length. (It does not include the record header.) */
+// ssl_add_clienthello_tlsext writes ClientHello extensions to |out|. It
+// returns one on success and zero on failure. The |header_len| argument is the
+// length of the ClientHello written so far and is used to compute the padding
+// length. (It does not include the record header.)
int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len);
int ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out);
@@ -2291,65 +2282,65 @@
#define tlsext_tick_md EVP_sha256
-/* ssl_process_ticket processes a session ticket from the client. It returns
- * one of:
- * |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and
- * |*out_renew_ticket| is set to whether the ticket should be renewed.
- * |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a
- * fresh ticket should be sent, but the given ticket cannot be used.
- * |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted.
- * Retry later.
- * |ssl_ticket_aead_error|: an error occured that is fatal to the connection. */
+// ssl_process_ticket processes a session ticket from the client. It returns
+// one of:
+// |ssl_ticket_aead_success|: |*out_session| is set to the parsed session and
+// |*out_renew_ticket| is set to whether the ticket should be renewed.
+// |ssl_ticket_aead_ignore_ticket|: |*out_renew_ticket| is set to whether a
+// fresh ticket should be sent, but the given ticket cannot be used.
+// |ssl_ticket_aead_retry|: the ticket could not be immediately decrypted.
+// Retry later.
+// |ssl_ticket_aead_error|: an error occured that is fatal to the connection.
enum ssl_ticket_aead_result_t ssl_process_ticket(
- SSL *ssl, UniquePtr<SSL_SESSION> *out_session, int *out_renew_ticket,
+ SSL *ssl, UniquePtr<SSL_SESSION> *out_session, bool *out_renew_ticket,
const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id,
size_t session_id_len);
-/* tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies
- * the signature. If the key is valid, it saves the Channel ID and returns
- * one. Otherwise, it returns zero. */
+// tls1_verify_channel_id processes |msg| as a Channel ID message, and verifies
+// the signature. If the key is valid, it saves the Channel ID and returns
+// one. Otherwise, it returns zero.
int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg);
-/* tls1_write_channel_id generates a Channel ID message and puts the output in
- * |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling.
- * This function returns one on success and zero on error. */
+// tls1_write_channel_id generates a Channel ID message and puts the output in
+// |cbb|. |ssl->tlsext_channel_id_private| must already be set before calling.
+// This function returns one on success and zero on error.
int tls1_write_channel_id(SSL_HANDSHAKE *hs, CBB *cbb);
-/* tls1_channel_id_hash computes the hash to be signed by Channel ID and writes
- * it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns
- * one on success and zero on failure. */
+// tls1_channel_id_hash computes the hash to be signed by Channel ID and writes
+// it to |out|, which must contain at least |EVP_MAX_MD_SIZE| bytes. It returns
+// one on success and zero on failure.
int tls1_channel_id_hash(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len);
int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs);
-/* ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if
- * necessary. It returns one on success and zero on fatal error. Note that, on
- * success, |ssl->tlsext_channel_id_private| may be unset, in which case the
- * operation should be retried later. */
+// ssl_do_channel_id_callback checks runs |ssl->ctx->channel_id_cb| if
+// necessary. It returns one on success and zero on fatal error. Note that, on
+// success, |ssl->tlsext_channel_id_private| may be unset, in which case the
+// operation should be retried later.
int ssl_do_channel_id_callback(SSL *ssl);
-/* ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero
- * otherwise. */
+// ssl3_can_false_start returns one if |ssl| is allowed to False Start and zero
+// otherwise.
int ssl3_can_false_start(const SSL *ssl);
-/* ssl_can_write returns one if |ssl| is allowed to write and zero otherwise. */
+// ssl_can_write returns one if |ssl| is allowed to write and zero otherwise.
int ssl_can_write(const SSL *ssl);
-/* ssl_can_read returns one if |ssl| is allowed to read and zero otherwise. */
+// ssl_can_read returns one if |ssl| is allowed to read and zero otherwise.
int ssl_can_read(const SSL *ssl);
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock);
void ssl_ctx_get_current_time(const SSL_CTX *ctx,
struct OPENSSL_timeval *out_clock);
-/* ssl_reset_error_state resets state for |SSL_get_error|. */
+// ssl_reset_error_state resets state for |SSL_get_error|.
void ssl_reset_error_state(SSL *ssl);
-/* Utility macros */
+// Utility macros
#if defined(__clang__)
-/* SSL_FALLTHROUGH annotates a fallthough case in a switch statement. */
+// SSL_FALLTHROUGH annotates a fallthough case in a switch statement.
#define SSL_FALLTHROUGH [[clang::fallthrough]]
#else
#define SSL_FALLTHROUGH
@@ -2358,153 +2349,153 @@
} // namespace bssl
-/* Opaque C types.
- *
- * The following types are exported to C code as public typedefs, so they must
- * be defined outside of the namespace. */
+// Opaque C types.
+//
+// The following types are exported to C code as public typedefs, so they must
+// be defined outside of the namespace.
-/* ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility
- * structure to support the legacy version-locked methods. */
+// ssl_method_st backs the public |SSL_METHOD| type. It is a compatibility
+// structure to support the legacy version-locked methods.
struct ssl_method_st {
- /* version, if non-zero, is the only protocol version acceptable to an
- * SSL_CTX initialized from this method. */
+ // version, if non-zero, is the only protocol version acceptable to an
+ // SSL_CTX initialized from this method.
uint16_t version;
- /* method is the underlying SSL_PROTOCOL_METHOD that initializes the
- * SSL_CTX. */
+ // method is the underlying SSL_PROTOCOL_METHOD that initializes the
+ // SSL_CTX.
const SSL_PROTOCOL_METHOD *method;
- /* x509_method contains pointers to functions that might deal with |X509|
- * compatibility, or might be a no-op, depending on the application. */
+ // x509_method contains pointers to functions that might deal with |X509|
+ // compatibility, or might be a no-op, depending on the application.
const SSL_X509_METHOD *x509_method;
};
-/* ssl_protocol_method_st, aka |SSL_PROTOCOL_METHOD| abstracts between TLS and
- * DTLS. */
+// ssl_protocol_method_st, aka |SSL_PROTOCOL_METHOD| abstracts between TLS and
+// DTLS.
struct ssl_protocol_method_st {
- /* is_dtls is one if the protocol is DTLS and zero otherwise. */
+ // is_dtls is one if the protocol is DTLS and zero otherwise.
char is_dtls;
int (*ssl_new)(SSL *ssl);
void (*ssl_free)(SSL *ssl);
- /* get_message sets |*out| to the current handshake message and returns true
- * if one has been received. It returns false if more input is needed. */
+ // get_message sets |*out| to the current handshake message and returns true
+ // if one has been received. It returns false if more input is needed.
bool (*get_message)(SSL *ssl, bssl::SSLMessage *out);
- /* read_message reads additional handshake data for |get_message|. On success,
- * it returns one. Otherwise, it returns <= 0. */
+ // read_message reads additional handshake data for |get_message|. On success,
+ // it returns one. Otherwise, it returns <= 0.
int (*read_message)(SSL *ssl);
- /* next_message is called to release the current handshake message. */
+ // next_message is called to release the current handshake message.
void (*next_message)(SSL *ssl);
- /* read_app_data reads up to |len| bytes of application data into |buf|. On
- * success, it returns the number of bytes read. Otherwise, it returns <= 0
- * and sets |*out_got_handshake| to whether the failure was due to a
- * post-handshake handshake message. If so, any handshake messages consumed
- * may be read with |get_message|. */
- int (*read_app_data)(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
+ // read_app_data reads up to |len| bytes of application data into |buf|. On
+ // success, it returns the number of bytes read. Otherwise, it returns <= 0
+ // and sets |*out_got_handshake| to whether the failure was due to a
+ // post-handshake handshake message. If so, any handshake messages consumed
+ // may be read with |get_message|.
+ int (*read_app_data)(SSL *ssl, bool *out_got_handshake, uint8_t *buf, int len,
int peek);
int (*read_change_cipher_spec)(SSL *ssl);
void (*read_close_notify)(SSL *ssl);
- int (*write_app_data)(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
+ int (*write_app_data)(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf,
int len);
int (*dispatch_alert)(SSL *ssl);
- /* supports_cipher returns one if |cipher| is supported by this protocol and
- * zero otherwise. */
+ // supports_cipher returns one if |cipher| is supported by this protocol and
+ // zero otherwise.
int (*supports_cipher)(const SSL_CIPHER *cipher);
- /* init_message begins a new handshake message of type |type|. |cbb| is the
- * root CBB to be passed into |finish_message|. |*body| is set to a child CBB
- * the caller should write to. It returns one on success and zero on error. */
+ // init_message begins a new handshake message of type |type|. |cbb| is the
+ // root CBB to be passed into |finish_message|. |*body| is set to a child CBB
+ // the caller should write to. It returns one on success and zero on error.
int (*init_message)(SSL *ssl, CBB *cbb, CBB *body, uint8_t type);
- /* finish_message finishes a handshake message. It sets |*out_msg| to a
- * newly-allocated buffer with the serialized message. The caller must
- * release it with |OPENSSL_free| when done. It returns one on success and
- * zero on error. */
+ // finish_message finishes a handshake message. It sets |*out_msg| to a
+ // newly-allocated buffer with the serialized message. The caller must
+ // release it with |OPENSSL_free| when done. It returns one on success and
+ // zero on error.
int (*finish_message)(SSL *ssl, CBB *cbb, uint8_t **out_msg, size_t *out_len);
- /* add_message adds a handshake message to the pending flight. It returns one
- * on success and zero on error. In either case, it takes ownership of |msg|
- * and releases it with |OPENSSL_free| when done. */
+ // add_message adds a handshake message to the pending flight. It returns one
+ // on success and zero on error. In either case, it takes ownership of |msg|
+ // and releases it with |OPENSSL_free| when done.
int (*add_message)(SSL *ssl, uint8_t *msg, size_t len);
- /* add_change_cipher_spec adds a ChangeCipherSpec record to the pending
- * flight. It returns one on success and zero on error. */
+ // add_change_cipher_spec adds a ChangeCipherSpec record to the pending
+ // flight. It returns one on success and zero on error.
int (*add_change_cipher_spec)(SSL *ssl);
- /* add_alert adds an alert to the pending flight. It returns one on success
- * and zero on error. */
+ // add_alert adds an alert to the pending flight. It returns one on success
+ // and zero on error.
int (*add_alert)(SSL *ssl, uint8_t level, uint8_t desc);
- /* flush_flight flushes the pending flight to the transport. It returns one on
- * success and <= 0 on error. */
+ // flush_flight flushes the pending flight to the transport. It returns one on
+ // success and <= 0 on error.
int (*flush_flight)(SSL *ssl);
- /* on_handshake_complete is called when the handshake is complete. */
+ // on_handshake_complete is called when the handshake is complete.
void (*on_handshake_complete)(SSL *ssl);
- /* set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns
- * one on success and zero if changing the read state is forbidden at this
- * point. */
+ // set_read_state sets |ssl|'s read cipher state to |aead_ctx|. It returns
+ // one on success and zero if changing the read state is forbidden at this
+ // point.
int (*set_read_state)(SSL *ssl,
bssl::UniquePtr<bssl::SSLAEADContext> aead_ctx);
- /* set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns
- * one on success and zero if changing the write state is forbidden at this
- * point. */
+ // set_write_state sets |ssl|'s write cipher state to |aead_ctx|. It returns
+ // one on success and zero if changing the write state is forbidden at this
+ // point.
int (*set_write_state)(SSL *ssl,
bssl::UniquePtr<bssl::SSLAEADContext> aead_ctx);
};
struct ssl_x509_method_st {
- /* check_client_CA_list returns one if |names| is a good list of X.509
- * distinguished names and zero otherwise. This is used to ensure that we can
- * reject unparsable values at handshake time when using crypto/x509. */
+ // check_client_CA_list returns one if |names| is a good list of X.509
+ // distinguished names and zero otherwise. This is used to ensure that we can
+ // reject unparsable values at handshake time when using crypto/x509.
int (*check_client_CA_list)(STACK_OF(CRYPTO_BUFFER) *names);
- /* cert_clear frees and NULLs all X509 certificate-related state. */
+ // cert_clear frees and NULLs all X509 certificate-related state.
void (*cert_clear)(CERT *cert);
- /* cert_free frees all X509-related state. */
+ // cert_free frees all X509-related state.
void (*cert_free)(CERT *cert);
- /* cert_flush_cached_chain drops any cached |X509|-based certificate chain
- * from |cert|. */
- /* cert_dup duplicates any needed fields from |cert| to |new_cert|. */
+ // cert_flush_cached_chain drops any cached |X509|-based certificate chain
+ // from |cert|.
+ // cert_dup duplicates any needed fields from |cert| to |new_cert|.
void (*cert_dup)(CERT *new_cert, const CERT *cert);
void (*cert_flush_cached_chain)(CERT *cert);
- /* cert_flush_cached_chain drops any cached |X509|-based leaf certificate
- * from |cert|. */
+ // cert_flush_cached_chain drops any cached |X509|-based leaf certificate
+ // from |cert|.
void (*cert_flush_cached_leaf)(CERT *cert);
- /* session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|
- * from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns
- * one on success or zero on error. */
+ // session_cache_objects fills out |sess->x509_peer| and |sess->x509_chain|
+ // from |sess->certs| and erases |sess->x509_chain_without_leaf|. It returns
+ // one on success or zero on error.
int (*session_cache_objects)(SSL_SESSION *session);
- /* session_dup duplicates any needed fields from |session| to |new_session|.
- * It returns one on success or zero on error. */
+ // session_dup duplicates any needed fields from |session| to |new_session|.
+ // It returns one on success or zero on error.
int (*session_dup)(SSL_SESSION *new_session, const SSL_SESSION *session);
- /* session_clear frees any X509-related state from |session|. */
+ // session_clear frees any X509-related state from |session|.
void (*session_clear)(SSL_SESSION *session);
- /* session_verify_cert_chain verifies the certificate chain in |session|,
- * sets |session->verify_result| and returns one on success or zero on
- * error. */
+ // session_verify_cert_chain verifies the certificate chain in |session|,
+ // sets |session->verify_result| and returns one on success or zero on
+ // error.
int (*session_verify_cert_chain)(SSL_SESSION *session, SSL *ssl,
uint8_t *out_alert);
- /* hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|. */
+ // hs_flush_cached_ca_names drops any cached |X509_NAME|s from |hs|.
void (*hs_flush_cached_ca_names)(bssl::SSL_HANDSHAKE *hs);
- /* ssl_new does any neccessary initialisation of |ssl|. It returns one on
- * success or zero on error. */
+ // ssl_new does any neccessary initialisation of |ssl|. It returns one on
+ // success or zero on error.
int (*ssl_new)(SSL *ssl);
- /* ssl_free frees anything created by |ssl_new|. */
+ // ssl_free frees anything created by |ssl_new|.
void (*ssl_free)(SSL *ssl);
- /* ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|. */
+ // ssl_flush_cached_client_CA drops any cached |X509_NAME|s from |ssl|.
void (*ssl_flush_cached_client_CA)(SSL *ssl);
- /* ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
- * necessary. On success, it updates |ssl|'s certificate configuration as
- * needed and returns one. Otherwise, it returns zero. */
+ // ssl_auto_chain_if_needed runs the deprecated auto-chaining logic if
+ // necessary. On success, it updates |ssl|'s certificate configuration as
+ // needed and returns one. Otherwise, it returns zero.
int (*ssl_auto_chain_if_needed)(SSL *ssl);
- /* ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on
- * success or zero on error. */
+ // ssl_ctx_new does any neccessary initialisation of |ctx|. It returns one on
+ // success or zero on error.
int (*ssl_ctx_new)(SSL_CTX *ctx);
- /* ssl_ctx_free frees anything created by |ssl_ctx_new|. */
+ // ssl_ctx_free frees anything created by |ssl_ctx_new|.
void (*ssl_ctx_free)(SSL_CTX *ctx);
- /* ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|. */
+ // ssl_ctx_flush_cached_client_CA drops any cached |X509_NAME|s from |ctx|.
void (*ssl_ctx_flush_cached_client_CA)(SSL_CTX *ssl);
};
-/* ssl_st backs the public |SSL| type. It subclasses the true type so that
- * SSLConnection may be a C++ type with methods and destructor without
- * polluting the global namespace. */
+// ssl_st backs the public |SSL| type. It subclasses the true type so that
+// SSLConnection may be a C++ type with methods and destructor without
+// polluting the global namespace.
struct ssl_st : public bssl::SSLConnection {};
struct cert_st : public bssl::SSLCertConfig {};
-#endif /* OPENSSL_HEADER_SSL_INTERNAL_H */
+#endif // OPENSSL_HEADER_SSL_INTERNAL_H
diff --git a/src/ssl/s3_both.cc b/src/ssl/s3_both.cc
index f51af69..dfa8bfa 100644
--- a/src/ssl/s3_both.cc
+++ b/src/ssl/s3_both.cc
@@ -132,76 +132,9 @@
namespace bssl {
-SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
- : ssl(ssl_arg),
- scts_requested(0),
- needs_psk_binder(0),
- received_hello_retry_request(0),
- received_custom_extension(0),
- accept_psk_mode(0),
- cert_request(0),
- certificate_status_expected(0),
- ocsp_stapling_requested(0),
- should_ack_sni(0),
- in_false_start(0),
- in_early_data(0),
- early_data_offered(0),
- can_early_read(0),
- can_early_write(0),
- next_proto_neg_seen(0),
- ticket_expected(0),
- extended_master_secret(0),
- pending_private_key_op(0) {
-}
-
-SSL_HANDSHAKE::~SSL_HANDSHAKE() {
- OPENSSL_cleanse(secret, sizeof(secret));
- OPENSSL_cleanse(early_traffic_secret, sizeof(early_traffic_secret));
- OPENSSL_cleanse(client_handshake_secret, sizeof(client_handshake_secret));
- OPENSSL_cleanse(server_handshake_secret, sizeof(server_handshake_secret));
- OPENSSL_cleanse(client_traffic_secret_0, sizeof(client_traffic_secret_0));
- OPENSSL_cleanse(server_traffic_secret_0, sizeof(server_traffic_secret_0));
- OPENSSL_free(cookie);
- OPENSSL_free(key_share_bytes);
- OPENSSL_free(ecdh_public_key);
- OPENSSL_free(peer_sigalgs);
- OPENSSL_free(peer_supported_group_list);
- OPENSSL_free(peer_key);
- OPENSSL_free(server_params);
- ssl->ctx->x509_method->hs_flush_cached_ca_names(this);
- OPENSSL_free(certificate_types);
-
- if (key_block != NULL) {
- OPENSSL_cleanse(key_block, key_block_len);
- OPENSSL_free(key_block);
- }
-}
-
-SSL_HANDSHAKE *ssl_handshake_new(SSL *ssl) {
- UniquePtr<SSL_HANDSHAKE> hs = MakeUnique<SSL_HANDSHAKE>(ssl);
- if (!hs ||
- !hs->transcript.Init()) {
- return nullptr;
- }
- return hs.release();
-}
-
-void ssl_handshake_free(SSL_HANDSHAKE *hs) { Delete(hs); }
-
-int ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type) {
- if (msg.type != type) {
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
- ERR_add_error_dataf("got type %d, wanted type %d", msg.type, type);
- return 0;
- }
-
- return 1;
-}
-
static int add_record_to_flight(SSL *ssl, uint8_t type, const uint8_t *in,
size_t in_len) {
- /* We'll never add a flight while in the process of writing it out. */
+ // We'll never add a flight while in the process of writing it out.
assert(ssl->s3->pending_flight_offset == 0);
if (ssl->s3->pending_flight == NULL) {
@@ -231,7 +164,7 @@
}
int ssl3_init_message(SSL *ssl, CBB *cbb, CBB *body, uint8_t type) {
- /* Pick a modest size hint to save most of the |realloc| calls. */
+ // Pick a modest size hint to save most of the |realloc| calls.
if (!CBB_init(cbb, 64) ||
!CBB_add_u8(cbb, type) ||
!CBB_add_u24_length_prefixed(cbb, body)) {
@@ -254,8 +187,8 @@
}
int ssl3_add_message(SSL *ssl, uint8_t *msg, size_t len) {
- /* Add the message to the current flight, splitting into several records if
- * needed. */
+ // Add the message to the current flight, splitting into several records if
+ // needed.
int ret = 0;
size_t added = 0;
do {
@@ -279,8 +212,8 @@
} while (added < len);
ssl_do_msg_callback(ssl, 1 /* write */, SSL3_RT_HANDSHAKE, msg, len);
- /* TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
- * hs. */
+ // TODO(svaldez): Move this up a layer to fix abstraction for SSLTranscript on
+ // hs.
if (ssl->s3->hs != NULL &&
!ssl->s3->hs->transcript.Update(msg, len)) {
goto err;
@@ -316,17 +249,6 @@
return 1;
}
-int ssl_add_message_cbb(SSL *ssl, CBB *cbb) {
- uint8_t *msg;
- size_t len;
- if (!ssl->method->finish_message(ssl, cbb, &msg, &len) ||
- !ssl->method->add_message(ssl, msg, len)) {
- return 0;
- }
-
- return 1;
-}
-
int ssl3_flush_flight(SSL *ssl) {
if (ssl->s3->pending_flight == NULL) {
return 1;
@@ -338,8 +260,8 @@
return -1;
}
- /* If there is pending data in the write buffer, it must be flushed out before
- * any new data in pending_flight. */
+ // If there is pending data in the write buffer, it must be flushed out before
+ // any new data in pending_flight.
if (ssl_write_buffer_is_pending(ssl)) {
int ret = ssl_write_buffer_flush(ssl);
if (ret <= 0) {
@@ -348,7 +270,7 @@
}
}
- /* Write the pending flight. */
+ // Write the pending flight.
while (ssl->s3->pending_flight_offset < ssl->s3->pending_flight->length) {
int ret = BIO_write(
ssl->wbio,
@@ -380,23 +302,23 @@
uint8_t finished[EVP_MAX_MD_SIZE];
size_t finished_len;
if (!hs->transcript.GetFinishedMAC(finished, &finished_len, session,
- ssl->server, ssl3_protocol_version(ssl))) {
+ ssl->server)) {
return 0;
}
- /* Log the master secret, if logging is enabled. */
+ // Log the master secret, if logging is enabled.
if (!ssl_log_secret(ssl, "CLIENT_RANDOM",
session->master_key,
session->master_key_length)) {
return 0;
}
- /* Copy the Finished so we can use it for renegotiation checks. */
+ // Copy the Finished so we can use it for renegotiation checks.
if (ssl->version != SSL3_VERSION) {
if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
finished_len > sizeof(ssl->s3->previous_server_finished)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return 0;
}
if (ssl->server) {
@@ -414,65 +336,12 @@
!CBB_add_bytes(&body, finished, finished_len) ||
!ssl_add_message_cbb(ssl, cbb.get())) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
+ return 0;
}
return 1;
}
-int ssl3_get_finished(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- SSLMessage msg;
- int ret = ssl_read_message(ssl, &msg);
- if (ret <= 0) {
- return ret;
- }
-
- if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED)) {
- return -1;
- }
-
- /* Snapshot the finished hash before incorporating the new message. */
- uint8_t finished[EVP_MAX_MD_SIZE];
- size_t finished_len;
- if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
- SSL_get_session(ssl), !ssl->server,
- ssl3_protocol_version(ssl)) ||
- !ssl_hash_message(hs, msg)) {
- return -1;
- }
-
- int finished_ok = CBS_mem_equal(&msg.body, finished, finished_len);
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- finished_ok = 1;
-#endif
- if (!finished_ok) {
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
- OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
- return -1;
- }
-
- /* Copy the Finished so we can use it for renegotiation checks. */
- if (ssl->version != SSL3_VERSION) {
- if (finished_len > sizeof(ssl->s3->previous_client_finished) ||
- finished_len > sizeof(ssl->s3->previous_server_finished)) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
- }
-
- if (ssl->server) {
- OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len);
- ssl->s3->previous_client_finished_len = finished_len;
- } else {
- OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len);
- ssl->s3->previous_server_finished_len = finished_len;
- }
- }
-
- ssl->method->next_message(ssl);
- return 1;
-}
-
int ssl3_output_cert_chain(SSL *ssl) {
ScopedCBB cbb;
CBB body;
@@ -486,46 +355,6 @@
return 1;
}
-size_t ssl_max_handshake_message_len(const SSL *ssl) {
- /* kMaxMessageLen is the default maximum message size for handshakes which do
- * not accept peer certificate chains. */
- static const size_t kMaxMessageLen = 16384;
-
- if (SSL_in_init(ssl)) {
- if ((!ssl->server || (ssl->verify_mode & SSL_VERIFY_PEER)) &&
- kMaxMessageLen < ssl->max_cert_list) {
- return ssl->max_cert_list;
- }
- return kMaxMessageLen;
- }
-
- if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
- /* In TLS 1.2 and below, the largest acceptable post-handshake message is
- * a HelloRequest. */
- return 0;
- }
-
- if (ssl->server) {
- /* The largest acceptable post-handshake message for a server is a
- * KeyUpdate. We will never initiate post-handshake auth. */
- return 1;
- }
-
- /* Clients must accept NewSessionTicket and CertificateRequest, so allow the
- * default size. */
- return kMaxMessageLen;
-}
-
-int ssl_read_message(SSL *ssl, SSLMessage *out) {
- while (!ssl->method->get_message(ssl, out)) {
- int ret = ssl->method->read_message(ssl);
- if (ret <= 0) {
- return ret;
- }
- }
- return 1;
-}
-
static int extend_handshake_buffer(SSL *ssl, size_t length) {
if (!BUF_MEM_reserve(ssl->init_buf, length)) {
return -1;
@@ -543,18 +372,18 @@
}
static int read_v2_client_hello(SSL *ssl) {
- /* Read the first 5 bytes, the size of the TLS record header. This is
- * sufficient to detect a V2ClientHello and ensures that we never read beyond
- * the first record. */
+ // Read the first 5 bytes, the size of the TLS record header. This is
+ // sufficient to detect a V2ClientHello and ensures that we never read beyond
+ // the first record.
int ret = ssl_read_buffer_extend_to(ssl, SSL3_RT_HEADER_LENGTH);
if (ret <= 0) {
return ret;
}
const uint8_t *p = ssl_read_buffer(ssl);
- /* Some dedicated error codes for protocol mixups should the application wish
- * to interpret them differently. (These do not overlap with ClientHello or
- * V2ClientHello.) */
+ // Some dedicated error codes for protocol mixups should the application wish
+ // to interpret them differently. (These do not overlap with ClientHello or
+ // V2ClientHello.)
if (strncmp("GET ", (const char *)p, 4) == 0 ||
strncmp("POST ", (const char *)p, 5) == 0 ||
strncmp("HEAD ", (const char *)p, 5) == 0 ||
@@ -569,25 +398,25 @@
if ((p[0] & 0x80) == 0 || p[2] != SSL2_MT_CLIENT_HELLO ||
p[3] != SSL3_VERSION_MAJOR) {
- /* Not a V2ClientHello. */
+ // Not a V2ClientHello.
return 1;
}
- /* Determine the length of the V2ClientHello. */
+ // Determine the length of the V2ClientHello.
size_t msg_length = ((p[0] & 0x7f) << 8) | p[1];
if (msg_length > (1024 * 4)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_TOO_LARGE);
return -1;
}
if (msg_length < SSL3_RT_HEADER_LENGTH - 2) {
- /* Reject lengths that are too short early. We have already read
- * |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
- * (invalid) V2ClientHello which would be shorter than that. */
+ // Reject lengths that are too short early. We have already read
+ // |SSL3_RT_HEADER_LENGTH| bytes, so we should not attempt to process an
+ // (invalid) V2ClientHello which would be shorter than that.
OPENSSL_PUT_ERROR(SSL, SSL_R_RECORD_LENGTH_MISMATCH);
return -1;
}
- /* Read the remainder of the V2ClientHello. */
+ // Read the remainder of the V2ClientHello.
ret = ssl_read_buffer_extend_to(ssl, 2 + msg_length);
if (ret <= 0) {
return ret;
@@ -596,9 +425,9 @@
CBS v2_client_hello;
CBS_init(&v2_client_hello, ssl_read_buffer(ssl) + 2, msg_length);
- /* The V2ClientHello without the length is incorporated into the handshake
- * hash. This is only ever called at the start of the handshake, so hs is
- * guaranteed to be non-NULL. */
+ // The V2ClientHello without the length is incorporated into the handshake
+ // hash. This is only ever called at the start of the handshake, so hs is
+ // guaranteed to be non-NULL.
if (!ssl->s3->hs->transcript.Update(CBS_data(&v2_client_hello),
CBS_len(&v2_client_hello))) {
return -1;
@@ -623,11 +452,11 @@
return -1;
}
- /* msg_type has already been checked. */
+ // msg_type has already been checked.
assert(msg_type == SSL2_MT_CLIENT_HELLO);
- /* The client_random is the V2ClientHello challenge. Truncate or
- * left-pad with zeros as needed. */
+ // The client_random is the V2ClientHello challenge. Truncate or left-pad with
+ // zeros as needed.
size_t rand_len = CBS_len(&challenge);
if (rand_len > SSL3_RANDOM_SIZE) {
rand_len = SSL3_RANDOM_SIZE;
@@ -637,7 +466,7 @@
OPENSSL_memcpy(random + (SSL3_RANDOM_SIZE - rand_len), CBS_data(&challenge),
rand_len);
- /* Write out an equivalent SSLv3 ClientHello. */
+ // Write out an equivalent SSLv3 ClientHello.
size_t max_v3_client_hello = SSL3_HM_HEADER_LENGTH + 2 /* version */ +
SSL3_RANDOM_SIZE + 1 /* session ID length */ +
2 /* cipher list length */ +
@@ -652,14 +481,14 @@
!CBB_add_u24_length_prefixed(client_hello.get(), &hello_body) ||
!CBB_add_u16(&hello_body, version) ||
!CBB_add_bytes(&hello_body, random, SSL3_RANDOM_SIZE) ||
- /* No session id. */
+ // No session id.
!CBB_add_u8(&hello_body, 0) ||
!CBB_add_u16_length_prefixed(&hello_body, &cipher_suites)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return -1;
}
- /* Copy the cipher suites. */
+ // Copy the cipher suites.
while (CBS_len(&cipher_specs) > 0) {
uint32_t cipher_spec;
if (!CBS_get_u24(&cipher_specs, &cipher_spec)) {
@@ -667,7 +496,7 @@
return -1;
}
- /* Skip SSLv2 ciphers. */
+ // Skip SSLv2 ciphers.
if ((cipher_spec & 0xff0000) != 0) {
continue;
}
@@ -677,7 +506,7 @@
}
}
- /* Add the null compression scheme and finish. */
+ // Add the null compression scheme and finish.
if (!CBB_add_u8(&hello_body, 1) ||
!CBB_add_u8(&hello_body, 0) ||
!CBB_finish(client_hello.get(), NULL, &ssl->init_buf->length)) {
@@ -685,16 +514,16 @@
return -1;
}
- /* Consume and discard the V2ClientHello. */
+ // Consume and discard the V2ClientHello.
ssl_read_buffer_consume(ssl, 2 + msg_length);
ssl_read_buffer_discard(ssl);
- ssl->s3->is_v2_hello = 1;
+ ssl->s3->is_v2_hello = true;
return 1;
}
-/* TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message|
- * when the entire record is copied into |init_buf|. */
+// TODO(davidben): Remove |out_bytes_needed| and inline into |ssl3_get_message|
+// when the entire record is copied into |init_buf|.
static bool parse_message(SSL *ssl, SSLMessage *out, size_t *out_bytes_needed) {
if (ssl->init_buf == NULL) {
*out_bytes_needed = 4;
@@ -724,7 +553,7 @@
ssl_do_msg_callback(ssl, 0 /* read */, SSL3_RT_HANDSHAKE,
CBS_data(&out->raw), CBS_len(&out->raw));
}
- ssl->s3->has_message = 1;
+ ssl->s3->has_message = true;
}
return true;
}
@@ -742,14 +571,14 @@
return -1;
}
- /* Enforce the limit so the peer cannot force us to buffer 16MB. */
+ // Enforce the limit so the peer cannot force us to buffer 16MB.
if (bytes_needed > 4 + ssl_max_handshake_message_len(ssl)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESSIVE_MESSAGE_SIZE);
return -1;
}
- /* Re-create the handshake buffer if needed. */
+ // Re-create the handshake buffer if needed.
if (ssl->init_buf == NULL) {
ssl->init_buf = BUF_MEM_new();
if (ssl->init_buf == NULL) {
@@ -757,11 +586,11 @@
}
}
- /* Bypass the record layer for the first message to handle V2ClientHello. */
+ // Bypass the record layer for the first message to handle V2ClientHello.
if (ssl->server && !ssl->s3->v2_hello_done) {
int ret = read_v2_client_hello(ssl);
if (ret > 0) {
- ssl->s3->v2_hello_done = 1;
+ ssl->s3->v2_hello_done = true;
}
return ret;
}
@@ -769,15 +598,6 @@
return extend_handshake_buffer(ssl, bytes_needed);
}
-bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
- /* V2ClientHello messages are pre-hashed. */
- if (msg.is_v2_hello) {
- return true;
- }
-
- return hs->transcript.Update(CBS_data(&msg.raw), CBS_len(&msg.raw));
-}
-
void ssl3_next_message(SSL *ssl) {
SSLMessage msg;
if (!ssl3_get_message(ssl, &msg) ||
@@ -790,165 +610,15 @@
OPENSSL_memmove(ssl->init_buf->data, ssl->init_buf->data + CBS_len(&msg.raw),
ssl->init_buf->length - CBS_len(&msg.raw));
ssl->init_buf->length -= CBS_len(&msg.raw);
- ssl->s3->is_v2_hello = 0;
- ssl->s3->has_message = 0;
+ ssl->s3->is_v2_hello = false;
+ ssl->s3->has_message = false;
- /* Post-handshake messages are rare, so release the buffer after every
- * message. During the handshake, |on_handshake_complete| will release it. */
+ // Post-handshake messages are rare, so release the buffer after every
+ // message. During the handshake, |on_handshake_complete| will release it.
if (!SSL_in_init(ssl) && ssl->init_buf->length == 0) {
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
}
}
-int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
- const SSL_EXTENSION_TYPE *ext_types,
- size_t num_ext_types, int ignore_unknown) {
- /* Reset everything. */
- for (size_t i = 0; i < num_ext_types; i++) {
- *ext_types[i].out_present = 0;
- CBS_init(ext_types[i].out_data, NULL, 0);
- }
-
- CBS copy = *cbs;
- while (CBS_len(©) != 0) {
- uint16_t type;
- CBS data;
- if (!CBS_get_u16(©, &type) ||
- !CBS_get_u16_length_prefixed(©, &data)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
- *out_alert = SSL_AD_DECODE_ERROR;
- return 0;
- }
-
- const SSL_EXTENSION_TYPE *ext_type = NULL;
- for (size_t i = 0; i < num_ext_types; i++) {
- if (type == ext_types[i].type) {
- ext_type = &ext_types[i];
- break;
- }
- }
-
- if (ext_type == NULL) {
- if (ignore_unknown) {
- continue;
- }
- OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
- *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
- return 0;
- }
-
- /* Duplicate ext_types are forbidden. */
- if (*ext_type->out_present) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
- *out_alert = SSL_AD_ILLEGAL_PARAMETER;
- return 0;
- }
-
- *ext_type->out_present = 1;
- *ext_type->out_data = data;
- }
-
- return 1;
-}
-
-static void set_crypto_buffer(CRYPTO_BUFFER **dest, CRYPTO_BUFFER *src) {
- /* TODO(davidben): Remove this helper once |SSL_SESSION| can use |UniquePtr|
- * and |UniquePtr| has up_ref helpers. */
- CRYPTO_BUFFER_free(*dest);
- *dest = src;
- if (src != nullptr) {
- CRYPTO_BUFFER_up_ref(src);
- }
-}
-
-enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- const SSL_SESSION *prev_session = ssl->s3->established_session;
- if (prev_session != NULL) {
- /* If renegotiating, the server must not change the server certificate. See
- * https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
- * so this check is sufficient to ensure the reported peer certificate never
- * changes on renegotiation. */
- assert(!ssl->server);
- if (sk_CRYPTO_BUFFER_num(prev_session->certs) !=
- sk_CRYPTO_BUFFER_num(hs->new_session->certs)) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return ssl_verify_invalid;
- }
-
- for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs); i++) {
- const CRYPTO_BUFFER *old_cert =
- sk_CRYPTO_BUFFER_value(prev_session->certs, i);
- const CRYPTO_BUFFER *new_cert =
- sk_CRYPTO_BUFFER_value(hs->new_session->certs, i);
- if (CRYPTO_BUFFER_len(old_cert) != CRYPTO_BUFFER_len(new_cert) ||
- OPENSSL_memcmp(CRYPTO_BUFFER_data(old_cert),
- CRYPTO_BUFFER_data(new_cert),
- CRYPTO_BUFFER_len(old_cert)) != 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
- return ssl_verify_invalid;
- }
- }
-
- /* The certificate is identical, so we may skip re-verifying the
- * certificate. Since we only authenticated the previous one, copy other
- * authentication from the established session and ignore what was newly
- * received. */
- set_crypto_buffer(&hs->new_session->ocsp_response,
- prev_session->ocsp_response);
- set_crypto_buffer(&hs->new_session->signed_cert_timestamp_list,
- prev_session->signed_cert_timestamp_list);
- hs->new_session->verify_result = prev_session->verify_result;
- return ssl_verify_ok;
- }
-
- uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
- enum ssl_verify_result_t ret;
- if (ssl->custom_verify_callback != nullptr) {
- ret = ssl->custom_verify_callback(ssl, &alert);
- switch (ret) {
- case ssl_verify_ok:
- hs->new_session->verify_result = X509_V_OK;
- break;
- case ssl_verify_invalid:
- hs->new_session->verify_result = X509_V_ERR_APPLICATION_VERIFICATION;
- break;
- case ssl_verify_retry:
- break;
- }
- } else {
- ret = ssl->ctx->x509_method->session_verify_cert_chain(
- hs->new_session.get(), ssl, &alert)
- ? ssl_verify_ok
- : ssl_verify_invalid;
- }
-
- if (ret == ssl_verify_invalid) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
- }
-
- return ret;
-}
-
-uint16_t ssl_get_grease_value(const SSL *ssl, enum ssl_grease_index_t index) {
- /* Use the client_random or server_random for entropy. This both avoids
- * calling |RAND_bytes| on a single byte repeatedly and ensures the values are
- * deterministic. This allows the same ClientHello be sent twice for a
- * HelloRetryRequest or the same group be advertised in both supported_groups
- * and key_shares. */
- uint16_t ret = ssl->server ? ssl->s3->server_random[index]
- : ssl->s3->client_random[index];
- /* The first four bytes of server_random are a timestamp prior to TLS 1.3, but
- * servers have no fields to GREASE until TLS 1.3. */
- assert(!ssl->server || ssl3_protocol_version(ssl) >= TLS1_3_VERSION);
- /* This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. */
- ret = (ret & 0xf0) | 0x0a;
- ret |= ret << 8;
- return ret;
-}
-
} // namespace bssl
diff --git a/src/ssl/s3_lib.cc b/src/ssl/s3_lib.cc
index cc9be2d..fb705aa 100644
--- a/src/ssl/s3_lib.cc
+++ b/src/ssl/s3_lib.cc
@@ -187,11 +187,11 @@
s3->aead_write_ctx = aead_write_ctx.release();
ssl->s3 = s3;
- /* Set the version to the highest supported version.
- *
- * TODO(davidben): Move this field into |s3|, have it store the normalized
- * protocol version, and implement this pre-negotiation quirk in |SSL_version|
- * at the API boundary rather than in internal state. */
+ // Set the version to the highest supported version.
+ //
+ // TODO(davidben): Move this field into |s3|, have it store the normalized
+ // protocol version, and implement this pre-negotiation quirk in |SSL_version|
+ // at the API boundary rather than in internal state.
ssl->version = TLS1_2_VERSION;
return 1;
}
diff --git a/src/ssl/s3_pkt.cc b/src/ssl/s3_pkt.cc
index 4f802df..b9eebf3 100644
--- a/src/ssl/s3_pkt.cc
+++ b/src/ssl/s3_pkt.cc
@@ -126,9 +126,9 @@
static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len);
-/* ssl3_get_record reads a new input record. On success, it places it in
- * |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
- * more data is needed. */
+// ssl3_get_record reads a new input record. On success, it places it in
+// |ssl->s3->rrec| and returns one. Otherwise it returns <= 0 on error or if
+// more data is needed.
static int ssl3_get_record(SSL *ssl) {
again:
switch (ssl->s3->recv_shutdown) {
@@ -191,12 +191,12 @@
return -1;
}
-int ssl3_write_app_data(SSL *ssl, int *out_needs_handshake, const uint8_t *buf,
+int ssl3_write_app_data(SSL *ssl, bool *out_needs_handshake, const uint8_t *buf,
int len) {
assert(ssl_can_write(ssl));
assert(!ssl->s3->aead_write_ctx->is_null_cipher());
- *out_needs_handshake = 0;
+ *out_needs_handshake = false;
unsigned tot, n, nw;
@@ -204,13 +204,13 @@
tot = ssl->s3->wnum;
ssl->s3->wnum = 0;
- /* Ensure that if we end up with a smaller value of data to write out than
- * the the original len from a write which didn't complete for non-blocking
- * I/O and also somehow ended up avoiding the check for this in
- * ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
- * end up with (len-tot) as a large number that will then promptly send
- * beyond the end of the users buffer ... so we trap and report the error in
- * a way the user will notice. */
+ // Ensure that if we end up with a smaller value of data to write out than
+ // the the original len from a write which didn't complete for non-blocking
+ // I/O and also somehow ended up avoiding the check for this in
+ // ssl3_write_pending/SSL_R_BAD_WRITE_RETRY as it must never be possible to
+ // end up with (len-tot) as a large number that will then promptly send
+ // beyond the end of the users buffer ... so we trap and report the error in
+ // a way the user will notice.
if (len < 0 || (size_t)len < tot) {
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_LENGTH);
return -1;
@@ -221,16 +221,15 @@
n = len - tot;
for (;;) {
- /* max contains the maximum number of bytes that we can put into a
- * record. */
+ // max contains the maximum number of bytes that we can put into a record.
unsigned max = ssl->max_send_fragment;
if (is_early_data_write && max > ssl->session->ticket_max_early_data -
ssl->s3->hs->early_data_written) {
max = ssl->session->ticket_max_early_data - ssl->s3->hs->early_data_written;
if (max == 0) {
ssl->s3->wnum = tot;
- ssl->s3->hs->can_early_write = 0;
- *out_needs_handshake = 1;
+ ssl->s3->hs->can_early_write = false;
+ *out_needs_handshake = true;
return -1;
}
}
@@ -274,13 +273,13 @@
if (ret <= 0) {
return ret;
}
- ssl->s3->wpend_pending = 0;
+ ssl->s3->wpend_pending = false;
return ssl->s3->wpend_ret;
}
-/* do_ssl3_write writes an SSL record of the given type. */
+// do_ssl3_write writes an SSL record of the given type.
static int do_ssl3_write(SSL *ssl, int type, const uint8_t *buf, unsigned len) {
- /* If there is still data from the previous record, flush it. */
+ // If there is still data from the previous record, flush it.
if (ssl->s3->wpend_pending) {
return ssl3_write_pending(ssl, type, buf, len);
}
@@ -313,10 +312,10 @@
return -1;
}
- /* Add any unflushed handshake data as a prefix. This may be a KeyUpdate
- * acknowledgment or 0-RTT key change messages. |pending_flight| must be clear
- * when data is added to |write_buffer| or it will be written in the wrong
- * order. */
+ // Add any unflushed handshake data as a prefix. This may be a KeyUpdate
+ // acknowledgment or 0-RTT key change messages. |pending_flight| must be clear
+ // when data is added to |write_buffer| or it will be written in the wrong
+ // order.
if (ssl->s3->pending_flight != NULL) {
OPENSSL_memcpy(
out, ssl->s3->pending_flight->data + ssl->s3->pending_flight_offset,
@@ -332,19 +331,19 @@
}
ssl_write_buffer_set_len(ssl, flight_len + ciphertext_len);
- /* Now that we've made progress on the connection, uncork KeyUpdate
- * acknowledgments. */
- ssl->s3->key_update_pending = 0;
+ // Now that we've made progress on the connection, uncork KeyUpdate
+ // acknowledgments.
+ ssl->s3->key_update_pending = false;
- /* memorize arguments so that ssl3_write_pending can detect bad write retries
- * later */
+ // Memorize arguments so that ssl3_write_pending can detect bad write retries
+ // later.
ssl->s3->wpend_tot = len;
ssl->s3->wpend_buf = buf;
ssl->s3->wpend_type = type;
ssl->s3->wpend_ret = len;
- ssl->s3->wpend_pending = 1;
+ ssl->s3->wpend_pending = true;
- /* we now just need to write the buffer */
+ // We now just need to write the buffer.
return ssl3_write_pending(ssl, type, buf, len);
}
@@ -364,27 +363,27 @@
rr->length -= len;
rr->data += len;
if (rr->length == 0) {
- /* The record has been consumed, so we may now clear the buffer. */
+ // The record has been consumed, so we may now clear the buffer.
ssl_read_buffer_discard(ssl);
}
}
return len;
}
-int ssl3_read_app_data(SSL *ssl, int *out_got_handshake, uint8_t *buf, int len,
+int ssl3_read_app_data(SSL *ssl, bool *out_got_handshake, uint8_t *buf, int len,
int peek) {
assert(ssl_can_read(ssl));
assert(!ssl->s3->aead_read_ctx->is_null_cipher());
- *out_got_handshake = 0;
+ *out_got_handshake = false;
SSL3_RECORD *rr = &ssl->s3->rrec;
for (;;) {
- /* A previous iteration may have read a partial handshake message. Do not
- * allow more app data in that case. */
+ // A previous iteration may have read a partial handshake message. Do not
+ // allow more app data in that case.
int has_hs_data = ssl->init_buf != NULL && ssl->init_buf->length > 0;
- /* Get new packet if necessary. */
+ // Get new packet if necessary.
if (rr->length == 0 && !has_hs_data) {
int ret = ssl3_get_record(ssl);
if (ret <= 0) {
@@ -393,29 +392,29 @@
}
if (has_hs_data || rr->type == SSL3_RT_HANDSHAKE) {
- /* If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
- * by an alert. */
+ // If reading 0-RTT data, reject handshake data. 0-RTT data is terminated
+ // by an alert.
if (SSL_in_init(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_RECORD);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
return -1;
}
- /* Post-handshake data prior to TLS 1.3 is always renegotiation, which we
- * never accept as a server. Otherwise |ssl3_get_message| will send
- * |SSL_R_EXCESSIVE_MESSAGE_SIZE|. */
+ // Post-handshake data prior to TLS 1.3 is always renegotiation, which we
+ // never accept as a server. Otherwise |ssl3_get_message| will send
+ // |SSL_R_EXCESSIVE_MESSAGE_SIZE|.
if (ssl->server && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION);
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_RENEGOTIATION);
return -1;
}
- /* Parse post-handshake handshake messages. */
+ // Parse post-handshake handshake messages.
int ret = ssl3_read_message(ssl);
if (ret <= 0) {
return ret;
}
- *out_got_handshake = 1;
+ *out_got_handshake = true;
return -1;
}
@@ -424,18 +423,18 @@
ssl->s3->hs->can_early_read &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION;
- /* Handle the end_of_early_data alert. */
+ // Handle the end_of_early_data alert.
if (rr->type == SSL3_RT_ALERT &&
rr->length == 2 &&
rr->data[0] == SSL3_AL_WARNING &&
rr->data[1] == TLS1_AD_END_OF_EARLY_DATA &&
is_early_data_read) {
- /* Consume the record. */
+ // Consume the record.
rr->length = 0;
ssl_read_buffer_discard(ssl);
- /* Stop accepting early data. */
- ssl->s3->hs->can_early_read = 0;
- *out_got_handshake = 1;
+ // Stop accepting early data.
+ ssl->s3->hs->can_early_read = false;
+ *out_got_handshake = true;
return -1;
}
@@ -459,7 +458,7 @@
return consume_record(ssl, buf, len, peek);
}
- /* Discard empty records and loop again. */
+ // Discard empty records and loop again.
}
}
@@ -494,7 +493,7 @@
}
void ssl3_read_close_notify(SSL *ssl) {
- /* Read records until an error or close_notify. */
+ // Read records until an error or close_notify.
while (ssl3_get_record(ssl) > 0) {
;
}
@@ -504,7 +503,7 @@
SSL3_RECORD *rr = &ssl->s3->rrec;
for (;;) {
- /* Get new packet if necessary. */
+ // Get new packet if necessary.
if (rr->length == 0) {
int ret = ssl3_get_record(ssl);
if (ret <= 0) {
@@ -512,10 +511,10 @@
}
}
- /* WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
- * ServerHello and send the remaining encrypted application data records
- * as-is. This manifests as an application data record when we expect
- * handshake. Report a dedicated error code for this case. */
+ // WatchGuard's TLS 1.3 interference bug is very distinctive: they drop the
+ // ServerHello and send the remaining encrypted application data records
+ // as-is. This manifests as an application data record when we expect
+ // handshake. Report a dedicated error code for this case.
if (!ssl->server && rr->type == SSL3_RT_APPLICATION_DATA &&
ssl->s3->aead_read_ctx->is_null_cipher()) {
OPENSSL_PUT_ERROR(SSL, SSL_R_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE);
@@ -523,8 +522,8 @@
return -1;
}
- /* Accept server_plaintext_handshake records when the content type TLS 1.3
- * variant is enabled. */
+ // Accept server_plaintext_handshake records when the content type TLS 1.3
+ // variant is enabled.
if (rr->type != SSL3_RT_HANDSHAKE &&
!(!ssl->server &&
ssl->tls13_variant == tls13_record_type_experiment &&
@@ -539,12 +538,12 @@
return consume_record(ssl, buf, len, 0 /* consume data */);
}
- /* Discard empty records and loop again. */
+ // Discard empty records and loop again.
}
}
int ssl3_send_alert(SSL *ssl, int level, int desc) {
- /* It is illegal to send an alert when we've already sent a closing one. */
+ // It is illegal to send an alert when we've already sent a closing one.
if (ssl->s3->send_shutdown != ssl_shutdown_none) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
@@ -561,12 +560,12 @@
ssl->s3->send_alert[0] = level;
ssl->s3->send_alert[1] = desc;
if (!ssl_write_buffer_is_pending(ssl)) {
- /* Nothing is being written out, so the alert may be dispatched
- * immediately. */
+ // Nothing is being written out, so the alert may be dispatched
+ // immediately.
return ssl->method->dispatch_alert(ssl);
}
- /* The alert will be dispatched later. */
+ // The alert will be dispatched later.
return -1;
}
@@ -577,7 +576,7 @@
}
ssl->s3->alert_dispatch = 0;
- /* If the alert is fatal, flush the BIO now. */
+ // If the alert is fatal, flush the BIO now.
if (ssl->s3->send_alert[0] == SSL3_AL_FATAL) {
BIO_flush(ssl->wbio);
}
diff --git a/src/ssl/ssl_aead_ctx.cc b/src/ssl/ssl_aead_ctx.cc
index 53dff78..69129af 100644
--- a/src/ssl/ssl_aead_ctx.cc
+++ b/src/ssl/ssl_aead_ctx.cc
@@ -62,7 +62,7 @@
if (!ssl_cipher_get_evp_aead(&aead, &expected_mac_key_len,
&expected_fixed_iv_len, cipher, version,
is_dtls) ||
- /* Ensure the caller returned correct key sizes. */
+ // Ensure the caller returned correct key sizes.
expected_fixed_iv_len != fixed_iv_len ||
expected_mac_key_len != mac_key_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -71,8 +71,8 @@
uint8_t merged_key[EVP_AEAD_MAX_KEY_LENGTH];
if (mac_key_len > 0) {
- /* This is a "stateful" AEAD (for compatibility with pre-AEAD cipher
- * suites). */
+ // This is a "stateful" AEAD (for compatibility with pre-AEAD cipher
+ // suites).
if (mac_key_len + enc_key_len + fixed_iv_len > sizeof(merged_key)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return nullptr;
@@ -109,22 +109,22 @@
aead_ctx->fixed_nonce_len_ = fixed_iv_len;
if (cipher->algorithm_enc & SSL_CHACHA20POLY1305) {
- /* The fixed nonce into the actual nonce (the sequence number). */
+ // The fixed nonce into the actual nonce (the sequence number).
aead_ctx->xor_fixed_nonce_ = true;
aead_ctx->variable_nonce_len_ = 8;
} else {
- /* The fixed IV is prepended to the nonce. */
+ // The fixed IV is prepended to the nonce.
assert(fixed_iv_len <= aead_ctx->variable_nonce_len_);
aead_ctx->variable_nonce_len_ -= fixed_iv_len;
}
- /* AES-GCM uses an explicit nonce. */
+ // AES-GCM uses an explicit nonce.
if (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) {
aead_ctx->variable_nonce_included_in_record_ = true;
}
- /* The TLS 1.3 construction XORs the fixed nonce into the sequence number
- * and omits the additional data. */
+ // The TLS 1.3 construction XORs the fixed nonce into the sequence number
+ // and omits the additional data.
if (version >= TLS1_3_VERSION) {
aead_ctx->xor_fixed_nonce_ = true;
aead_ctx->variable_nonce_len_ = 8;
@@ -192,18 +192,18 @@
bool SSLAEADContext::Open(CBS *out, uint8_t type, uint16_t wire_version,
const uint8_t seqnum[8], uint8_t *in, size_t in_len) {
if (is_null_cipher() || FUZZER_MODE) {
- /* Handle the initial NULL cipher. */
+ // Handle the initial NULL cipher.
CBS_init(out, in, in_len);
return true;
}
- /* TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
- * overhead. Otherwise the parameter is unused. */
+ // TLS 1.2 AEADs include the length in the AD and are assumed to have fixed
+ // overhead. Otherwise the parameter is unused.
size_t plaintext_len = 0;
if (!omit_length_in_ad_) {
size_t overhead = MaxOverhead();
if (in_len < overhead) {
- /* Publicly invalid. */
+ // Publicly invalid.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
return false;
}
@@ -213,11 +213,11 @@
size_t ad_len =
GetAdditionalData(ad, type, wire_version, seqnum, plaintext_len);
- /* Assemble the nonce. */
+ // Assemble the nonce.
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;
- /* Prepend the fixed nonce, or left-pad with zeros if XORing. */
+ // Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
@@ -226,10 +226,10 @@
nonce_len += fixed_nonce_len_;
}
- /* Add the variable nonce. */
+ // Add the variable nonce.
if (variable_nonce_included_in_record_) {
if (in_len < variable_nonce_len_) {
- /* Publicly invalid. */
+ // Publicly invalid.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
return false;
}
@@ -242,7 +242,7 @@
}
nonce_len += variable_nonce_len_;
- /* XOR the fixed nonce, if necessary. */
+ // XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
assert(nonce_len == fixed_nonce_len_);
for (size_t i = 0; i < fixed_nonce_len_; i++) {
@@ -250,7 +250,7 @@
}
}
- /* Decrypt in-place. */
+ // Decrypt in-place.
size_t len;
if (!EVP_AEAD_CTX_open(ctx_.get(), in, &len, in_len, nonce, nonce_len, in,
in_len, ad, ad_len)) {
@@ -279,7 +279,7 @@
}
if (is_null_cipher() || FUZZER_MODE) {
- /* Handle the initial NULL cipher. */
+ // Handle the initial NULL cipher.
OPENSSL_memmove(out, in, in_len);
OPENSSL_memmove(out_suffix, extra_in, extra_in_len);
return true;
@@ -288,11 +288,11 @@
uint8_t ad[13];
size_t ad_len = GetAdditionalData(ad, type, wire_version, seqnum, in_len);
- /* Assemble the nonce. */
+ // Assemble the nonce.
uint8_t nonce[EVP_AEAD_MAX_NONCE_LENGTH];
size_t nonce_len = 0;
- /* Prepend the fixed nonce, or left-pad with zeros if XORing. */
+ // Prepend the fixed nonce, or left-pad with zeros if XORing.
if (xor_fixed_nonce_) {
nonce_len = fixed_nonce_len_ - variable_nonce_len_;
OPENSSL_memset(nonce, 0, nonce_len);
@@ -301,21 +301,21 @@
nonce_len += fixed_nonce_len_;
}
- /* Select the variable nonce. */
+ // Select the variable nonce.
if (random_variable_nonce_) {
assert(variable_nonce_included_in_record_);
if (!RAND_bytes(nonce + nonce_len, variable_nonce_len_)) {
return false;
}
} else {
- /* When sending we use the sequence number as the variable part of the
- * nonce. */
+ // When sending we use the sequence number as the variable part of the
+ // nonce.
assert(variable_nonce_len_ == 8);
OPENSSL_memcpy(nonce + nonce_len, seqnum, variable_nonce_len_);
}
nonce_len += variable_nonce_len_;
- /* Emit the variable nonce if included in the record. */
+ // Emit the variable nonce if included in the record.
if (variable_nonce_included_in_record_) {
assert(!xor_fixed_nonce_);
if (buffers_alias(in, in_len, out_prefix, variable_nonce_len_)) {
@@ -326,7 +326,7 @@
variable_nonce_len_);
}
- /* XOR the fixed nonce, if necessary. */
+ // XOR the fixed nonce, if necessary.
if (xor_fixed_nonce_) {
assert(nonce_len == fixed_nonce_len_);
for (size_t i = 0; i < fixed_nonce_len_; i++) {
diff --git a/src/ssl/ssl_asn1.cc b/src/ssl/ssl_asn1.cc
index b87c795..73908db 100644
--- a/src/ssl/ssl_asn1.cc
+++ b/src/ssl/ssl_asn1.cc
@@ -80,9 +80,9 @@
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
* OTHERWISE. */
-/* Per C99, various stdint.h macros are unavailable in C++ unless some macros
- * are defined. C++11 overruled this decision, but older Android NDKs still
- * require it. */
+// Per C99, various stdint.h macros are unavailable in C++ unless some macros
+// are defined. C++11 overruled this decision, but older Android NDKs still
+// require it.
#if !defined(__STDC_LIMIT_MACROS)
#define __STDC_LIMIT_MACROS
#endif
@@ -106,50 +106,49 @@
namespace bssl {
-/* An SSL_SESSION is serialized as the following ASN.1 structure:
- *
- * SSLSession ::= SEQUENCE {
- * version INTEGER (1), -- session structure version
- * sslVersion INTEGER, -- protocol version number
- * cipher OCTET STRING, -- two bytes long
- * sessionID OCTET STRING,
- * masterKey OCTET STRING,
- * time [1] INTEGER, -- seconds since UNIX epoch
- * timeout [2] INTEGER, -- in seconds
- * peer [3] Certificate OPTIONAL,
- * sessionIDContext [4] OCTET STRING OPTIONAL,
- * verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
- * hostName [6] OCTET STRING OPTIONAL,
- * -- from server_name extension
- * pskIdentity [8] OCTET STRING OPTIONAL,
- * ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
- * ticket [10] OCTET STRING OPTIONAL, -- client-only
- * peerSHA256 [13] OCTET STRING OPTIONAL,
- * originalHandshakeHash [14] OCTET STRING OPTIONAL,
- * signedCertTimestampList [15] OCTET STRING OPTIONAL,
- * -- contents of SCT extension
- * ocspResponse [16] OCTET STRING OPTIONAL,
- * -- stapled OCSP response from the server
- * extendedMasterSecret [17] BOOLEAN OPTIONAL,
- * groupID [18] INTEGER OPTIONAL,
- * certChain [19] SEQUENCE OF Certificate OPTIONAL,
- * ticketAgeAdd [21] OCTET STRING OPTIONAL,
- * isServer [22] BOOLEAN DEFAULT TRUE,
- * peerSignatureAlgorithm [23] INTEGER OPTIONAL,
- * ticketMaxEarlyData [24] INTEGER OPTIONAL,
- * authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
- * earlyALPN [26] OCTET STRING OPTIONAL,
- * }
- *
- * Note: historically this serialization has included other optional
- * fields. Their presence is currently treated as a parse error:
- *
- * keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
- * pskIdentityHint [7] OCTET STRING OPTIONAL,
- * compressionMethod [11] OCTET STRING OPTIONAL,
- * srpUsername [12] OCTET STRING OPTIONAL,
- * ticketFlags [20] INTEGER OPTIONAL,
- */
+// An SSL_SESSION is serialized as the following ASN.1 structure:
+//
+// SSLSession ::= SEQUENCE {
+// version INTEGER (1), -- session structure version
+// sslVersion INTEGER, -- protocol version number
+// cipher OCTET STRING, -- two bytes long
+// sessionID OCTET STRING,
+// masterKey OCTET STRING,
+// time [1] INTEGER, -- seconds since UNIX epoch
+// timeout [2] INTEGER, -- in seconds
+// peer [3] Certificate OPTIONAL,
+// sessionIDContext [4] OCTET STRING OPTIONAL,
+// verifyResult [5] INTEGER OPTIONAL, -- one of X509_V_* codes
+// hostName [6] OCTET STRING OPTIONAL,
+// -- from server_name extension
+// pskIdentity [8] OCTET STRING OPTIONAL,
+// ticketLifetimeHint [9] INTEGER OPTIONAL, -- client-only
+// ticket [10] OCTET STRING OPTIONAL, -- client-only
+// peerSHA256 [13] OCTET STRING OPTIONAL,
+// originalHandshakeHash [14] OCTET STRING OPTIONAL,
+// signedCertTimestampList [15] OCTET STRING OPTIONAL,
+// -- contents of SCT extension
+// ocspResponse [16] OCTET STRING OPTIONAL,
+// -- stapled OCSP response from the server
+// extendedMasterSecret [17] BOOLEAN OPTIONAL,
+// groupID [18] INTEGER OPTIONAL,
+// certChain [19] SEQUENCE OF Certificate OPTIONAL,
+// ticketAgeAdd [21] OCTET STRING OPTIONAL,
+// isServer [22] BOOLEAN DEFAULT TRUE,
+// peerSignatureAlgorithm [23] INTEGER OPTIONAL,
+// ticketMaxEarlyData [24] INTEGER OPTIONAL,
+// authTimeout [25] INTEGER OPTIONAL, -- defaults to timeout
+// earlyALPN [26] OCTET STRING OPTIONAL,
+// }
+//
+// Note: historically this serialization has included other optional
+// fields. Their presence is currently treated as a parse error:
+//
+// keyArg [0] IMPLICIT OCTET STRING OPTIONAL,
+// pskIdentityHint [7] OCTET STRING OPTIONAL,
+// compressionMethod [11] OCTET STRING OPTIONAL,
+// srpUsername [12] OCTET STRING OPTIONAL,
+// ticketFlags [20] INTEGER OPTIONAL,
static const unsigned kVersion = 1;
@@ -213,7 +212,7 @@
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
!CBB_add_u16(&child, (uint16_t)(in->cipher->id & 0xffff)) ||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
- /* The session ID is irrelevant for a session ticket. */
+ // The session ID is irrelevant for a session ticket.
!CBB_add_bytes(&child, in->session_id,
for_ticket ? 0 : in->session_id_length) ||
!CBB_add_asn1(&session, &child, CBS_ASN1_OCTETSTRING) ||
@@ -226,8 +225,8 @@
return 0;
}
- /* The peer certificate is only serialized if the SHA-256 isn't
- * serialized instead. */
+ // The peer certificate is only serialized if the SHA-256 isn't
+ // serialized instead.
if (sk_CRYPTO_BUFFER_num(in->certs) > 0 && !in->peer_sha256_valid) {
const CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(in->certs, 0);
if (!CBB_add_asn1(&session, &child, kPeerTag) ||
@@ -238,8 +237,8 @@
}
}
- /* Although it is OPTIONAL and usually empty, OpenSSL has
- * historically always encoded the sid_ctx. */
+ // Although it is OPTIONAL and usually empty, OpenSSL has
+ // historically always encoded the sid_ctx.
if (!CBB_add_asn1(&session, &child, kSessionIDContextTag) ||
!CBB_add_asn1(&child, &child2, CBS_ASN1_OCTETSTRING) ||
!CBB_add_bytes(&child2, in->sid_ctx, in->sid_ctx_length)) {
@@ -348,8 +347,8 @@
return 0;
}
- /* The certificate chain is only serialized if the leaf's SHA-256 isn't
- * serialized instead. */
+ // The certificate chain is only serialized if the leaf's SHA-256 isn't
+ // serialized instead.
if (in->certs != NULL &&
!in->peer_sha256_valid &&
sk_CRYPTO_BUFFER_num(in->certs) >= 2) {
@@ -423,12 +422,12 @@
return 1;
}
-/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
- * explicitly tagged with |tag| from |cbs| and saves it in |*out|. On
- * entry, if |*out| is not NULL, it frees the existing contents. If
- * the element was not found, it sets |*out| to NULL. It returns one
- * on success, whether or not the element was found, and zero on
- * decode error. */
+// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
+// explicitly tagged with |tag| from |cbs| and saves it in |*out|. On
+// entry, if |*out| is not NULL, it frees the existing contents. If
+// the element was not found, it sets |*out| to NULL. It returns one
+// on success, whether or not the element was found, and zero on
+// decode error.
static int SSL_SESSION_parse_string(CBS *cbs, char **out, unsigned tag) {
CBS value;
int present;
@@ -452,12 +451,12 @@
return 1;
}
-/* SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
- * explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr|
- * and |*out_len|. If |*out_ptr| is not NULL, it frees the existing
- * contents. On entry, if the element was not found, it sets
- * |*out_ptr| to NULL. It returns one on success, whether or not the
- * element was found, and zero on decode error. */
+// SSL_SESSION_parse_string gets an optional ASN.1 OCTET STRING
+// explicitly tagged with |tag| from |cbs| and stows it in |*out_ptr|
+// and |*out_len|. If |*out_ptr| is not NULL, it frees the existing
+// contents. On entry, if the element was not found, it sets
+// |*out_ptr| to NULL. It returns one on success, whether or not the
+// element was found, and zero on decode error.
static int SSL_SESSION_parse_octet_string(CBS *cbs, uint8_t **out_ptr,
size_t *out_len, unsigned tag) {
CBS value;
@@ -495,8 +494,8 @@
return 1;
}
-/* SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
- * explicitly tagged with |tag| of size at most |max_out|. */
+// SSL_SESSION_parse_bounded_octet_string parses an optional ASN.1 OCTET STRING
+// explicitly tagged with |tag| of size at most |max_out|.
static int SSL_SESSION_parse_bounded_octet_string(
CBS *cbs, uint8_t *out, uint8_t *out_len, uint8_t max_out, unsigned tag) {
CBS value;
@@ -564,10 +563,10 @@
!CBS_get_asn1_uint64(&session, &version) ||
version != kVersion ||
!CBS_get_asn1_uint64(&session, &ssl_version) ||
- /* Require sessions have versions valid in either TLS or DTLS. The session
- * will not be used by the handshake if not applicable, but, for
- * simplicity, never parse a session that does not pass
- * |ssl_protocol_version_from_wire|. */
+ // Require sessions have versions valid in either TLS or DTLS. The session
+ // will not be used by the handshake if not applicable, but, for
+ // simplicity, never parse a session that does not pass
+ // |ssl_protocol_version_from_wire|.
ssl_version > UINT16_MAX ||
!ssl_protocol_version_from_wire(&unused, ssl_version)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
@@ -622,7 +621,7 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SSL_SESSION);
return nullptr;
}
- /* |peer| is processed with the certificate chain. */
+ // |peer| is processed with the certificate chain.
if (!SSL_SESSION_parse_bounded_octet_string(
&session, ret->sid_ctx, &ret->sid_ctx_length, sizeof(ret->sid_ctx),
@@ -779,10 +778,10 @@
int SSL_SESSION_to_bytes(const SSL_SESSION *in, uint8_t **out_data,
size_t *out_len) {
if (in->not_resumable) {
- /* If the caller has an unresumable session, e.g. if |SSL_get_session| were
- * called on a TLS 1.3 or False Started connection, serialize with a
- * placeholder value so it is not accidentally deserialized into a resumable
- * one. */
+ // If the caller has an unresumable session, e.g. if |SSL_get_session| were
+ // called on a TLS 1.3 or False Started connection, serialize with a
+ // placeholder value so it is not accidentally deserialized into a resumable
+ // one.
static const char kNotResumableSession[] = "NOT RESUMABLE";
*out_len = strlen(kNotResumableSession);
diff --git a/src/ssl/ssl_buffer.cc b/src/ssl/ssl_buffer.cc
index 7f11b6f..d74278e 100644
--- a/src/ssl/ssl_buffer.cc
+++ b/src/ssl/ssl_buffer.cc
@@ -29,16 +29,16 @@
namespace bssl {
-/* BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
- * not overflow. */
+// BIO uses int instead of size_t. No lengths will exceed uint16_t, so this will
+// not overflow.
static_assert(0xffff <= INT_MAX, "uint16_t does not fit in int");
static_assert((SSL3_ALIGN_PAYLOAD & (SSL3_ALIGN_PAYLOAD - 1)) == 0,
"SSL3_ALIGN_PAYLOAD must be a power of 2");
-/* ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that
- * data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte
- * boundary. It returns one on success and zero on error. */
+// ensure_buffer ensures |buf| has capacity at least |cap|, aligned such that
+// data written after |header_len| is aligned to a |SSL3_ALIGN_PAYLOAD|-byte
+// boundary. It returns one on success and zero on error.
static int ensure_buffer(SSL3_BUFFER *buf, size_t header_len, size_t cap) {
if (cap > 0xffff) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -49,14 +49,14 @@
return 1;
}
- /* Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment. */
+ // Add up to |SSL3_ALIGN_PAYLOAD| - 1 bytes of slack for alignment.
uint8_t *new_buf = (uint8_t *)OPENSSL_malloc(cap + SSL3_ALIGN_PAYLOAD - 1);
if (new_buf == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
- /* Offset the buffer such that the record body is aligned. */
+ // Offset the buffer such that the record body is aligned.
size_t new_offset =
(0 - header_len - (uintptr_t)new_buf) & (SSL3_ALIGN_PAYLOAD - 1);
@@ -97,19 +97,19 @@
SSL3_BUFFER *buf = &ssl->s3->read_buffer;
if (buf->len > 0) {
- /* It is an error to call |dtls_read_buffer_extend| when the read buffer is
- * not empty. */
+ // It is an error to call |dtls_read_buffer_extend| when the read buffer is
+ // not empty.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
- /* Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int. */
+ // Read a single packet from |ssl->rbio|. |buf->cap| must fit in an int.
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset, (int)buf->cap);
if (ret <= 0) {
ssl->rwstate = SSL_READING;
return ret;
}
- /* |BIO_read| was bound by |buf->cap|, so this cannot overflow. */
+ // |BIO_read| was bound by |buf->cap|, so this cannot overflow.
buf->len = (uint16_t)ret;
return 1;
}
@@ -122,18 +122,18 @@
return -1;
}
- /* Read until the target length is reached. */
+ // Read until the target length is reached.
while (buf->len < len) {
- /* The amount of data to read is bounded by |buf->cap|, which must fit in an
- * int. */
+ // The amount of data to read is bounded by |buf->cap|, which must fit in an
+ // int.
int ret = BIO_read(ssl->rbio, buf->buf + buf->offset + buf->len,
(int)(len - buf->len));
if (ret <= 0) {
ssl->rwstate = SSL_READING;
return ret;
}
- /* |BIO_read| was bound by |buf->cap - buf->len|, so this cannot
- * overflow. */
+ // |BIO_read| was bound by |buf->cap - buf->len|, so this cannot
+ // overflow.
buf->len += (uint16_t)ret;
}
@@ -141,7 +141,7 @@
}
int ssl_read_buffer_extend_to(SSL *ssl, size_t len) {
- /* |ssl_read_buffer_extend_to| implicitly discards any consumed data. */
+ // |ssl_read_buffer_extend_to| implicitly discards any consumed data.
ssl_read_buffer_discard(ssl);
if (SSL_is_dtls(ssl)) {
@@ -149,7 +149,7 @@
DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH <= 0xffff,
"DTLS read buffer is too large");
- /* The |len| parameter is ignored in DTLS. */
+ // The |len| parameter is ignored in DTLS.
len = DTLS1_RT_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
}
@@ -164,15 +164,15 @@
int ret;
if (SSL_is_dtls(ssl)) {
- /* |len| is ignored for a datagram transport. */
+ // |len| is ignored for a datagram transport.
ret = dtls_read_buffer_next_packet(ssl);
} else {
ret = tls_read_buffer_extend_to(ssl, len);
}
if (ret <= 0) {
- /* If the buffer was empty originally and remained empty after attempting to
- * extend it, release the buffer until the next attempt. */
+ // If the buffer was empty originally and remained empty after attempting to
+ // extend it, release the buffer until the next attempt.
ssl_read_buffer_discard(ssl);
}
return ret;
@@ -183,11 +183,11 @@
consume_buffer(buf, len);
- /* The TLS stack never reads beyond the current record, so there will never be
- * unconsumed data. If read-ahead is ever reimplemented,
- * |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back
- * to the front of the buffer, to ensure there is enough space for the next
- * record. */
+ // The TLS stack never reads beyond the current record, so there will never be
+ // unconsumed data. If read-ahead is ever reimplemented,
+ // |ssl_read_buffer_discard| will require a |memcpy| to shift the excess back
+ // to the front of the buffer, to ensure there is enough space for the next
+ // record.
assert(SSL_is_dtls(ssl) || len == 0 || buf->len == 0);
}
@@ -265,9 +265,9 @@
int ret = BIO_write(ssl->wbio, buf->buf + buf->offset, buf->len);
if (ret <= 0) {
ssl->rwstate = SSL_WRITING;
- /* If the write failed, drop the write buffer anyway. Datagram transports
- * can't write half a packet, so the caller is expected to retry from the
- * top. */
+ // If the write failed, drop the write buffer anyway. Datagram transports
+ // can't write half a packet, so the caller is expected to retry from the
+ // top.
ssl_write_buffer_clear(ssl);
return ret;
}
diff --git a/src/ssl/ssl_cert.cc b/src/ssl/ssl_cert.cc
index 76af31e..094d85a 100644
--- a/src/ssl/ssl_cert.cc
+++ b/src/ssl/ssl_cert.cc
@@ -207,7 +207,7 @@
return NULL;
}
-/* Free up and clear all certificates and chains */
+// Free up and clear all certificates and chains
void ssl_cert_clear_certs(CERT *cert) {
if (cert == NULL) {
return;
@@ -248,12 +248,12 @@
leaf_cert_and_privkey_mismatch,
};
-/* check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
- * and the private key in |privkey| are suitable and coherent. It returns
- * |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
- * found. If the certificate and private key are valid, but incoherent, it
- * returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
- * |leaf_cert_and_privkey_ok|. */
+// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
+// and the private key in |privkey| are suitable and coherent. It returns
+// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
+// found. If the certificate and private key are valid, but incoherent, it
+// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
+// |leaf_cert_and_privkey_ok|.
static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) {
CBS cert_cbs;
@@ -269,8 +269,8 @@
return leaf_cert_and_privkey_error;
}
- /* An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
- * certificates, so sanity-check the key usage extension. */
+ // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
+ // certificates, so sanity-check the key usage extension.
if (pubkey->type == EVP_PKEY_EC &&
!ssl_cert_check_digital_signature_key_usage(&cert_cbs)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
@@ -278,7 +278,7 @@
}
if (privkey != NULL &&
- /* Sanity-check that the private key and the certificate match. */
+ // Sanity-check that the private key and the certificate match.
!ssl_compare_public_and_private_key(pubkey.get(), privkey)) {
ERR_clear_error();
return leaf_cert_and_privkey_mismatch;
@@ -342,9 +342,9 @@
case leaf_cert_and_privkey_error:
return 0;
case leaf_cert_and_privkey_mismatch:
- /* don't fail for a cert/key mismatch, just free current private key
- * (when switching to a different cert & key, first this function should
- * be used, then |ssl_set_pkey|. */
+ // don't fail for a cert/key mismatch, just free current private key
+ // (when switching to a different cert & key, first this function should
+ // be used, then |ssl_set_pkey|.
EVP_PKEY_free(cert->privatekey);
cert->privatekey = NULL;
break;
@@ -423,7 +423,7 @@
return false;
}
- /* Retain the hash of the leaf certificate if requested. */
+ // Retain the hash of the leaf certificate if requested.
if (out_leaf_sha256 != NULL) {
SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);
}
@@ -471,9 +471,9 @@
return CBB_flush(cbb);
}
-/* ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
- * positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
- * subjectPublicKeyInfo. */
+// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
+// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
+// subjectPublicKeyInfo.
static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
/* From RFC 5280, section 4.1
* Certificate ::= SEQUENCE {
@@ -496,19 +496,19 @@
if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||
CBS_len(&buf) != 0 ||
!CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||
- /* version */
+ // version
!CBS_get_optional_asn1(
out_tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
- /* serialNumber */
+ // serialNumber
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||
- /* signature algorithm */
+ // signature algorithm
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* issuer */
+ // issuer
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* validity */
+ // validity
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* subject */
+ // subject
!CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {
return 0;
}
@@ -529,8 +529,8 @@
int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
const EVP_PKEY *privkey) {
if (EVP_PKEY_is_opaque(privkey)) {
- /* We cannot check an opaque private key and have to trust that it
- * matches. */
+ // We cannot check an opaque private key and have to trust that it
+ // matches.
return 1;
}
@@ -586,13 +586,13 @@
CBS tbs_cert, outer_extensions;
int has_extensions;
if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||
- /* subjectPublicKeyInfo */
+ // subjectPublicKeyInfo
!CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
- /* issuerUniqueID */
+ // issuerUniqueID
!CBS_get_optional_asn1(
&tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
- /* subjectUniqueID */
+ // subjectUniqueID
!CBS_get_optional_asn1(
&tbs_cert, NULL, NULL,
CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
@@ -635,8 +635,8 @@
goto parse_err;
}
- /* This is the KeyUsage extension. See
- * https://tools.ietf.org/html/rfc5280#section-4.2.1.3 */
+ // This is the KeyUsage extension. See
+ // https://tools.ietf.org/html/rfc5280#section-4.2.1.3
if (!CBS_is_valid_asn1_bitstring(&bit_string)) {
goto parse_err;
}
@@ -649,7 +649,7 @@
return 1;
}
- /* No KeyUsage extension found. */
+ // No KeyUsage extension found.
return 1;
parse_err:
@@ -733,18 +733,18 @@
SSL *const ssl = hs->ssl;
assert(ssl3_protocol_version(ssl) < TLS1_3_VERSION);
- /* Check the certificate's type matches the cipher. */
+ // Check the certificate's type matches the cipher.
if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
return 0;
}
- /* Check key usages for all key types but RSA. This is needed to distinguish
- * ECDH certificates, which we do not support, from ECDSA certificates. In
- * principle, we should check RSA key usages based on cipher, but this breaks
- * buggy antivirus deployments. Other key types are always used for signing.
- *
- * TODO(davidben): Get more recent data on RSA key usages. */
+ // Check key usages for all key types but RSA. This is needed to distinguish
+ // ECDH certificates, which we do not support, from ECDSA certificates. In
+ // principle, we should check RSA key usages based on cipher, but this breaks
+ // buggy antivirus deployments. Other key types are always used for signing.
+ //
+ // TODO(davidben): Get more recent data on RSA key usages.
if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {
CBS leaf_cbs;
CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));
@@ -754,7 +754,7 @@
}
if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
- /* Check the key's group and point format are acceptable. */
+ // Check the key's group and point format are acceptable.
EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
uint16_t group_id;
if (!ssl_nid_to_group_id(
@@ -772,7 +772,7 @@
int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!ssl_has_certificate(ssl)) {
- /* Nothing to do. */
+ // Nothing to do.
return 1;
}
diff --git a/src/ssl/ssl_cipher.cc b/src/ssl/ssl_cipher.cc
index de4a4b4..e7a81a3 100644
--- a/src/ssl/ssl_cipher.cc
+++ b/src/ssl/ssl_cipher.cc
@@ -156,10 +156,10 @@
namespace bssl {
-/* kCiphers is an array of all supported ciphers, sorted by id. */
+// kCiphers is an array of all supported ciphers, sorted by id.
static const SSL_CIPHER kCiphers[] = {
- /* The RSA ciphers */
- /* Cipher 02 */
+ // The RSA ciphers
+ // Cipher 02
{
SSL3_TXT_RSA_NULL_SHA,
"TLS_RSA_WITH_NULL_SHA",
@@ -171,7 +171,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher 0A */
+ // Cipher 0A
{
SSL3_TXT_RSA_DES_192_CBC3_SHA,
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
@@ -184,9 +184,9 @@
},
- /* New AES ciphersuites */
+ // New AES ciphersuites
- /* Cipher 2F */
+ // Cipher 2F
{
TLS1_TXT_RSA_WITH_AES_128_SHA,
"TLS_RSA_WITH_AES_128_CBC_SHA",
@@ -198,7 +198,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher 35 */
+ // Cipher 35
{
TLS1_TXT_RSA_WITH_AES_256_SHA,
"TLS_RSA_WITH_AES_256_CBC_SHA",
@@ -211,9 +211,9 @@
},
- /* TLS v1.2 ciphersuites */
+ // TLS v1.2 ciphersuites
- /* Cipher 3C */
+ // Cipher 3C
{
TLS1_TXT_RSA_WITH_AES_128_SHA256,
"TLS_RSA_WITH_AES_128_CBC_SHA256",
@@ -225,7 +225,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher 3D */
+ // Cipher 3D
{
TLS1_TXT_RSA_WITH_AES_256_SHA256,
"TLS_RSA_WITH_AES_256_CBC_SHA256",
@@ -237,9 +237,9 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* PSK cipher suites. */
+ // PSK cipher suites.
- /* Cipher 8C */
+ // Cipher 8C
{
TLS1_TXT_PSK_WITH_AES_128_CBC_SHA,
"TLS_PSK_WITH_AES_128_CBC_SHA",
@@ -251,7 +251,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher 8D */
+ // Cipher 8D
{
TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
"TLS_PSK_WITH_AES_256_CBC_SHA",
@@ -263,9 +263,9 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* GCM ciphersuites from RFC5288 */
+ // GCM ciphersuites from RFC5288
- /* Cipher 9C */
+ // Cipher 9C
{
TLS1_TXT_RSA_WITH_AES_128_GCM_SHA256,
"TLS_RSA_WITH_AES_128_GCM_SHA256",
@@ -277,7 +277,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher 9D */
+ // Cipher 9D
{
TLS1_TXT_RSA_WITH_AES_256_GCM_SHA384,
"TLS_RSA_WITH_AES_256_GCM_SHA384",
@@ -289,9 +289,9 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* TLS 1.3 suites. */
+ // TLS 1.3 suites.
- /* Cipher 1301 */
+ // Cipher 1301
{
TLS1_TXT_AES_128_GCM_SHA256,
"TLS_AES_128_GCM_SHA256",
@@ -303,7 +303,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher 1302 */
+ // Cipher 1302
{
TLS1_TXT_AES_256_GCM_SHA384,
"TLS_AES_256_GCM_SHA384",
@@ -315,7 +315,7 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* Cipher 1303 */
+ // Cipher 1303
{
TLS1_TXT_CHACHA20_POLY1305_SHA256,
"TLS_CHACHA20_POLY1305_SHA256",
@@ -327,7 +327,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C009 */
+ // Cipher C009
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
@@ -339,7 +339,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C00A */
+ // Cipher C00A
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
@@ -351,7 +351,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C013 */
+ // Cipher C013
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
@@ -363,7 +363,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C014 */
+ // Cipher C014
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
@@ -376,9 +376,9 @@
},
- /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
+ // HMAC based TLS v1.2 ciphersuites from RFC5289
- /* Cipher C023 */
+ // Cipher C023
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
@@ -390,7 +390,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C024 */
+ // Cipher C024
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
@@ -402,7 +402,7 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* Cipher C027 */
+ // Cipher C027
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
@@ -414,7 +414,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C028 */
+ // Cipher C028
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
@@ -427,9 +427,9 @@
},
- /* GCM based TLS v1.2 ciphersuites from RFC5289 */
+ // GCM based TLS v1.2 ciphersuites from RFC5289
- /* Cipher C02B */
+ // Cipher C02B
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
@@ -441,7 +441,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C02C */
+ // Cipher C02C
{
TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
@@ -453,7 +453,7 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* Cipher C02F */
+ // Cipher C02F
{
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@@ -465,7 +465,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher C030 */
+ // Cipher C030
{
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
@@ -477,9 +477,9 @@
SSL_HANDSHAKE_MAC_SHA384,
},
- /* ECDHE-PSK cipher suites. */
+ // ECDHE-PSK cipher suites.
- /* Cipher C035 */
+ // Cipher C035
{
TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",
@@ -491,7 +491,7 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* Cipher C036 */
+ // Cipher C036
{
TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA,
"TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",
@@ -503,9 +503,9 @@
SSL_HANDSHAKE_MAC_DEFAULT,
},
- /* ChaCha20-Poly1305 cipher suites. */
+ // ChaCha20-Poly1305 cipher suites.
- /* Cipher CCA8 */
+ // Cipher CCA8
{
TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -517,7 +517,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher CCA9 */
+ // Cipher CCA9
{
TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
@@ -529,7 +529,7 @@
SSL_HANDSHAKE_MAC_SHA256,
},
- /* Cipher CCAB */
+ // Cipher CCAB
{
TLS1_TXT_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,
"TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
@@ -559,32 +559,32 @@
} CIPHER_ORDER;
typedef struct cipher_alias_st {
- /* name is the name of the cipher alias. */
+ // name is the name of the cipher alias.
const char *name;
- /* The following fields are bitmasks for the corresponding fields on
- * |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
- * bit corresponding to the cipher's value is set to 1. If any bitmask is
- * all zeroes, the alias matches nothing. Use |~0u| for the default value. */
+ // The following fields are bitmasks for the corresponding fields on
+ // |SSL_CIPHER|. A cipher matches a cipher alias iff, for each bitmask, the
+ // bit corresponding to the cipher's value is set to 1. If any bitmask is
+ // all zeroes, the alias matches nothing. Use |~0u| for the default value.
uint32_t algorithm_mkey;
uint32_t algorithm_auth;
uint32_t algorithm_enc;
uint32_t algorithm_mac;
- /* min_version, if non-zero, matches all ciphers which were added in that
- * particular protocol version. */
+ // min_version, if non-zero, matches all ciphers which were added in that
+ // particular protocol version.
uint16_t min_version;
} CIPHER_ALIAS;
static const CIPHER_ALIAS kCipherAliases[] = {
- /* "ALL" doesn't include eNULL. It must be explicitly enabled. */
+ // "ALL" doesn't include eNULL. It must be explicitly enabled.
{"ALL", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
- /* The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing. */
+ // The "COMPLEMENTOFDEFAULT" rule is omitted. It matches nothing.
- /* key exchange aliases
- * (some of those using only a single bit here combine
- * multiple key exchange algs according to the RFCs. */
+ // key exchange aliases
+ // (some of those using only a single bit here combine
+ // multiple key exchange algs according to the RFCs.
{"kRSA", SSL_kRSA, ~0u, ~0u, ~0u, 0},
{"kECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
@@ -593,19 +593,19 @@
{"kPSK", SSL_kPSK, ~0u, ~0u, ~0u, 0},
- /* server authentication aliases */
+ // server authentication aliases
{"aRSA", ~0u, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
{"aECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"ECDSA", ~0u, SSL_aECDSA, ~0u, ~0u, 0},
{"aPSK", ~0u, SSL_aPSK, ~0u, ~0u, 0},
- /* aliases combining key exchange and server authentication */
+ // aliases combining key exchange and server authentication
{"ECDHE", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"EECDH", SSL_kECDHE, ~0u, ~0u, ~0u, 0},
{"RSA", SSL_kRSA, SSL_aRSA, ~SSL_eNULL, ~0u, 0},
{"PSK", SSL_kPSK, SSL_aPSK, ~0u, ~0u, 0},
- /* symmetric encryption aliases */
+ // symmetric encryption aliases
{"3DES", ~0u, ~0u, SSL_3DES, ~0u, 0},
{"AES128", ~0u, ~0u, SSL_AES128 | SSL_AES128GCM, ~0u, 0},
{"AES256", ~0u, ~0u, SSL_AES256 | SSL_AES256GCM, ~0u, 0},
@@ -613,19 +613,19 @@
{"AESGCM", ~0u, ~0u, SSL_AES128GCM | SSL_AES256GCM, ~0u, 0},
{"CHACHA20", ~0u, ~0u, SSL_CHACHA20POLY1305, ~0u, 0},
- /* MAC aliases */
+ // MAC aliases
{"SHA1", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
{"SHA", ~0u, ~0u, ~SSL_eNULL, SSL_SHA1, 0},
{"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0},
{"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0},
- /* Legacy protocol minimum version aliases. "TLSv1" is intentionally the
- * same as "SSLv3". */
+ // Legacy protocol minimum version aliases. "TLSv1" is intentionally the
+ // same as "SSLv3".
{"SSLv3", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
{"TLSv1", ~0u, ~0u, ~SSL_eNULL, ~0u, SSL3_VERSION},
{"TLSv1.2", ~0u, ~0u, ~SSL_eNULL, ~0u, TLS1_2_VERSION},
- /* Legacy strength classes. */
+ // Legacy strength classes.
{"HIGH", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
{"FIPS", ~0u, ~0u, ~SSL_eNULL, ~0u, 0},
};
@@ -671,8 +671,8 @@
return 0;
}
- /* In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
- * above computes the TLS 1.2 construction. */
+ // In TLS 1.3, the iv_len is equal to the AEAD nonce length whereas the code
+ // above computes the TLS 1.2 construction.
if (version >= TLS1_3_VERSION) {
*out_fixed_iv_len = EVP_AEAD_nonce_length(*out_aead);
}
@@ -764,10 +764,10 @@
return !is_strict && (c == ' ' || c == ';' || c == ',');
}
-/* rule_equals returns one iff the NUL-terminated string |rule| is equal to the
- * |buf_len| bytes at |buf|. */
+// rule_equals returns one iff the NUL-terminated string |rule| is equal to the
+// |buf_len| bytes at |buf|.
static int rule_equals(const char *rule, const char *buf, size_t buf_len) {
- /* |strncmp| alone only checks that |buf| is a prefix of |rule|. */
+ // |strncmp| alone only checks that |buf| is a prefix of |rule|.
return strncmp(rule, buf, buf_len) == 0 && rule[buf_len] == '\0';
}
@@ -815,13 +815,13 @@
CIPHER_ORDER *co_list,
CIPHER_ORDER **head_p,
CIPHER_ORDER **tail_p) {
- /* The set of ciphers is static, but some subset may be unsupported by
- * |ssl_method|, so the list may be smaller. */
+ // The set of ciphers is static, but some subset may be unsupported by
+ // |ssl_method|, so the list may be smaller.
size_t co_list_num = 0;
for (size_t i = 0; i < kCiphersLen; i++) {
const SSL_CIPHER *cipher = &kCiphers[i];
if (ssl_method->supports_cipher(cipher) &&
- /* TLS 1.3 ciphers do not participate in this mechanism. */
+ // TLS 1.3 ciphers do not participate in this mechanism.
cipher->algorithm_mkey != SSL_kGENERIC) {
co_list[co_list_num].cipher = cipher;
co_list[co_list_num].next = NULL;
@@ -832,7 +832,7 @@
}
}
- /* Prepare linked list from list entries. */
+ // Prepare linked list from list entries.
if (co_list_num > 0) {
co_list[0].prev = NULL;
@@ -854,15 +854,15 @@
}
}
-/* ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
- * parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
- * head and tail of the list to |*head_p| and |*tail_p|, respectively.
- *
- * - If |cipher_id| is non-zero, only that cipher is selected.
- * - Otherwise, if |strength_bits| is non-negative, it selects ciphers
- * of that strength.
- * - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
- * |min_version|. */
+// ssl_cipher_apply_rule applies the rule type |rule| to ciphers matching its
+// parameters in the linked list from |*head_p| to |*tail_p|. It writes the new
+// head and tail of the list to |*head_p| and |*tail_p|, respectively.
+//
+// - If |cipher_id| is non-zero, only that cipher is selected.
+// - Otherwise, if |strength_bits| is non-negative, it selects ciphers
+// of that strength.
+// - Otherwise, it selects ciphers that match each bitmasks in |alg_*| and
+// |min_version|.
static void ssl_cipher_apply_rule(
uint32_t cipher_id, uint32_t alg_mkey, uint32_t alg_auth,
uint32_t alg_enc, uint32_t alg_mac, uint16_t min_version, int rule,
@@ -874,12 +874,12 @@
if (cipher_id == 0 && strength_bits == -1 && min_version == 0 &&
(alg_mkey == 0 || alg_auth == 0 || alg_enc == 0 || alg_mac == 0)) {
- /* The rule matches nothing, so bail early. */
+ // The rule matches nothing, so bail early.
return;
}
if (rule == CIPHER_DEL) {
- /* needed to maintain sorting between currently deleted ciphers */
+ // needed to maintain sorting between currently deleted ciphers
reverse = 1;
}
@@ -908,8 +908,8 @@
next = reverse ? curr->prev : curr->next;
cp = curr->cipher;
- /* Selection criteria is either a specific cipher, the value of
- * |strength_bits|, or the algorithms used. */
+ // Selection criteria is either a specific cipher, the value of
+ // |strength_bits|, or the algorithms used.
if (cipher_id != 0) {
if (cipher_id != cp->id) {
continue;
@@ -928,9 +928,9 @@
}
}
- /* add the cipher if it has not been added yet. */
+ // add the cipher if it has not been added yet.
if (rule == CIPHER_ADD) {
- /* reverse == 0 */
+ // reverse == 0
if (!curr->active) {
ll_append_tail(&head, curr, &tail);
curr->active = 1;
@@ -938,25 +938,25 @@
}
}
- /* Move the added cipher to this location */
+ // Move the added cipher to this location
else if (rule == CIPHER_ORD) {
- /* reverse == 0 */
+ // reverse == 0
if (curr->active) {
ll_append_tail(&head, curr, &tail);
curr->in_group = 0;
}
} else if (rule == CIPHER_DEL) {
- /* reverse == 1 */
+ // reverse == 1
if (curr->active) {
- /* most recently deleted ciphersuites get best positions
- * for any future CIPHER_ADD (note that the CIPHER_DEL loop
- * works in reverse to maintain the order) */
+ // most recently deleted ciphersuites get best positions
+ // for any future CIPHER_ADD (note that the CIPHER_DEL loop
+ // works in reverse to maintain the order)
ll_append_head(&head, curr, &tail);
curr->active = 0;
curr->in_group = 0;
}
} else if (rule == CIPHER_KILL) {
- /* reverse == 0 */
+ // reverse == 0
if (head == curr) {
head = curr->next;
} else {
@@ -987,9 +987,9 @@
int max_strength_bits, i, *number_uses;
CIPHER_ORDER *curr;
- /* This routine sorts the ciphers with descending strength. The sorting must
- * keep the pre-sorted sequence, so we apply the normal sorting routine as
- * '+' movement to the end of the list. */
+ // This routine sorts the ciphers with descending strength. The sorting must
+ // keep the pre-sorted sequence, so we apply the normal sorting routine as
+ // '+' movement to the end of the list.
max_strength_bits = 0;
curr = *head_p;
while (curr != NULL) {
@@ -1007,7 +1007,7 @@
}
OPENSSL_memset(number_uses, 0, (max_strength_bits + 1) * sizeof(int));
- /* Now find the strength_bits values actually used. */
+ // Now find the strength_bits values actually used.
curr = *head_p;
while (curr != NULL) {
if (curr->active) {
@@ -1016,7 +1016,7 @@
curr = curr->next;
}
- /* Go through the list of used strength_bits values in descending order. */
+ // Go through the list of used strength_bits values in descending order.
for (i = max_strength_bits; i >= 0; i--) {
if (number_uses[i] > 0) {
ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, 0, head_p, tail_p);
@@ -1044,7 +1044,7 @@
ch = *l;
if (ch == '\0') {
- break; /* done */
+ break; // done
}
if (in_group) {
@@ -1090,8 +1090,8 @@
rule = CIPHER_ADD;
}
- /* If preference groups are enabled, the only legal operator is +.
- * Otherwise the in_group bits will get mixed up. */
+ // If preference groups are enabled, the only legal operator is +.
+ // Otherwise the in_group bits will get mixed up.
if (has_group && rule != CIPHER_ADD) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MIXED_SPECIAL_OPERATOR_WITH_GROUPS);
return 0;
@@ -1122,8 +1122,8 @@
}
if (buf_len == 0) {
- /* We hit something we cannot deal with, it is no command or separator
- * nor alphanumeric, so we call this an error. */
+ // We hit something we cannot deal with, it is no command or separator
+ // nor alphanumeric, so we call this an error.
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
return 0;
}
@@ -1132,8 +1132,8 @@
break;
}
- /* Look for a matching exact cipher. These aren't allowed in multipart
- * rules. */
+ // Look for a matching exact cipher. These aren't allowed in multipart
+ // rules.
if (!multi && ch != '+') {
for (j = 0; j < kCiphersLen; j++) {
const SSL_CIPHER *cipher = &kCiphers[j];
@@ -1145,7 +1145,7 @@
}
}
if (cipher_id == 0) {
- /* If not an exact cipher, look for a matching cipher alias. */
+ // If not an exact cipher, look for a matching cipher alias.
for (j = 0; j < kCipherAliasesLen; j++) {
if (rule_equals(kCipherAliases[j].name, buf, buf_len)) {
alg_mkey &= kCipherAliases[j].algorithm_mkey;
@@ -1171,7 +1171,7 @@
}
}
- /* Check for a multipart rule. */
+ // Check for a multipart rule.
if (ch != '+') {
break;
}
@@ -1179,7 +1179,7 @@
multi = 1;
}
- /* Ok, we have the rule, now apply it. */
+ // Ok, we have the rule, now apply it.
if (rule == CIPHER_SPECIAL) {
if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
@@ -1189,8 +1189,8 @@
return 0;
}
- /* We do not support any "multi" options together with "@", so throw away
- * the rest of the command, if any left, until end or ':' is found. */
+ // We do not support any "multi" options together with "@", so throw away
+ // the rest of the command, if any left, until end or ':' is found.
while (*l != '\0' && !is_cipher_list_separator(*l, strict)) {
l++;
}
@@ -1218,14 +1218,14 @@
unsigned int num_in_group_flags = 0;
struct ssl_cipher_preference_list_st *pref_list = NULL;
- /* Return with error if nothing to do. */
+ // Return with error if nothing to do.
if (rule_str == NULL || out_cipher_list == NULL) {
return 0;
}
- /* Now we have to collect the available ciphers from the compiled in ciphers.
- * We cannot get more than the number compiled in, so it is used for
- * allocation. */
+ // Now we have to collect the available ciphers from the compiled in ciphers.
+ // We cannot get more than the number compiled in, so it is used for
+ // allocation.
co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * kCiphersLen);
if (co_list == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
@@ -1234,11 +1234,11 @@
ssl_cipher_collect_ciphers(ssl_method, co_list, &head, &tail);
- /* Now arrange all ciphers by preference:
- * TODO(davidben): Compute this order once and copy it. */
+ // Now arrange all ciphers by preference:
+ // TODO(davidben): Compute this order once and copy it.
- /* Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
- * key exchange mechanisms */
+ // Everything else being equal, prefer ECDHE_ECDSA and ECDHE_RSA over other
+ // key exchange mechanisms
ssl_cipher_apply_rule(0, SSL_kECDHE, SSL_aECDSA, ~0u, ~0u, 0, CIPHER_ADD, -1,
0, &head, &tail);
ssl_cipher_apply_rule(0, SSL_kECDHE, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1246,10 +1246,10 @@
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
&tail);
- /* Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
- * CHACHA20 unless there is hardware support for fast and constant-time
- * AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
- * old one. */
+ // Order the bulk ciphers. First the preferred AEAD ciphers. We prefer
+ // CHACHA20 unless there is hardware support for fast and constant-time
+ // AES_GCM. Of the two CHACHA20 variants, the new one is preferred over the
+ // old one.
if (EVP_has_aes_hardware()) {
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128GCM, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
@@ -1266,8 +1266,8 @@
&head, &tail);
}
- /* Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
- * 3DES_EDE_CBC_SHA. */
+ // Then the legacy non-AEAD ciphers: AES_128_CBC, AES_256_CBC,
+ // 3DES_EDE_CBC_SHA.
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES128, ~0u, 0, CIPHER_ADD, -1, 0,
&head, &tail);
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_AES256, ~0u, 0, CIPHER_ADD, -1, 0,
@@ -1275,20 +1275,20 @@
ssl_cipher_apply_rule(0, ~0u, ~0u, SSL_3DES, ~0u, 0, CIPHER_ADD, -1, 0, &head,
&tail);
- /* Temporarily enable everything else for sorting */
+ // Temporarily enable everything else for sorting
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_ADD, -1, 0, &head,
&tail);
- /* Move ciphers without forward secrecy to the end. */
+ // Move ciphers without forward secrecy to the end.
ssl_cipher_apply_rule(0, (SSL_kRSA | SSL_kPSK), ~0u, ~0u, ~0u, 0,
CIPHER_ORD, -1, 0, &head, &tail);
- /* Now disable everything (maintaining the ordering!) */
+ // Now disable everything (maintaining the ordering!)
ssl_cipher_apply_rule(0, ~0u, ~0u, ~0u, ~0u, 0, CIPHER_DEL, -1, 0, &head,
&tail);
- /* If the rule_string begins with DEFAULT, apply the default rule before
- * using the (possibly available) additional rules. */
+ // If the rule_string begins with DEFAULT, apply the default rule before
+ // using the (possibly available) additional rules.
const char *rule_p = rule_str;
if (strncmp(rule_str, "DEFAULT", 7) == 0) {
if (!ssl_cipher_process_rulestr(ssl_method, SSL_DEFAULT_CIPHER_LIST, &head,
@@ -1306,8 +1306,8 @@
goto err;
}
- /* Allocate new "cipherstack" for the result, return with error
- * if we cannot get one. */
+ // Allocate new "cipherstack" for the result, return with error
+ // if we cannot get one.
cipherstack = sk_SSL_CIPHER_new_null();
if (cipherstack == NULL) {
goto err;
@@ -1318,8 +1318,8 @@
goto err;
}
- /* The cipher selection for the list is done. The ciphers are added
- * to the resulting precedence to the STACK_OF(SSL_CIPHER). */
+ // The cipher selection for the list is done. The ciphers are added
+ // to the resulting precedence to the STACK_OF(SSL_CIPHER).
for (curr = head; curr != NULL; curr = curr->next) {
if (curr->active) {
if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
@@ -1328,7 +1328,7 @@
in_group_flags[num_in_group_flags++] = curr->in_group;
}
}
- OPENSSL_free(co_list); /* Not needed any longer */
+ OPENSSL_free(co_list); // Not needed any longer
co_list = NULL;
pref_list = (ssl_cipher_preference_list_st *)OPENSSL_malloc(
@@ -1350,8 +1350,8 @@
*out_cipher_list = pref_list;
pref_list = NULL;
- /* Configuring an empty cipher list is an error but still updates the
- * output. */
+ // Configuring an empty cipher list is an error but still updates the
+ // output.
if (sk_SSL_CIPHER_num((*out_cipher_list)->ciphers) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHER_MATCH);
return 0;
@@ -1372,7 +1372,7 @@
uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
uint32_t id = cipher->id;
- /* All ciphers are SSLv3. */
+ // All ciphers are SSLv3.
assert((id & 0xff000000) == 0x03000000);
return id & 0xffff;
}
@@ -1383,7 +1383,7 @@
return SSL_aRSA;
case EVP_PKEY_EC:
case EVP_PKEY_ED25519:
- /* Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers. */
+ // Ed25519 keys in TLS 1.2 repurpose the ECDSA ciphers.
return SSL_aECDSA;
default:
return 0;
@@ -1395,12 +1395,12 @@
}
int ssl_cipher_requires_server_key_exchange(const SSL_CIPHER *cipher) {
- /* Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange. */
+ // Ephemeral Diffie-Hellman key exchanges require a ServerKeyExchange.
if (cipher->algorithm_mkey & SSL_kECDHE) {
return 1;
}
- /* It is optional in all others. */
+ // It is optional in all others.
return 0;
}
@@ -1418,7 +1418,7 @@
return 0;
}
- /* All supported TLS 1.0 ciphers use SHA-1. */
+ // All supported TLS 1.0 ciphers use SHA-1.
assert(cipher->algorithm_mac == SSL_SHA1);
size_t ret = 1 + SHA_DIGEST_LENGTH;
ret += block_size - (ret % block_size);
@@ -1439,22 +1439,6 @@
uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
-int SSL_CIPHER_is_AES(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_AES) != 0;
-}
-
-int SSL_CIPHER_has_SHA1_HMAC(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_mac & SSL_SHA1) != 0;
-}
-
-int SSL_CIPHER_has_SHA256_HMAC(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_mac & SSL_SHA256) != 0;
-}
-
-int SSL_CIPHER_has_SHA384_HMAC(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_mac & SSL_SHA384) != 0;
-}
-
int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
return (cipher->algorithm_mac & SSL_AEAD) != 0;
}
@@ -1525,51 +1509,11 @@
return NID_undef;
}
-int SSL_CIPHER_is_AEAD(const SSL_CIPHER *cipher) {
- return SSL_CIPHER_is_aead(cipher);
-}
-
-int SSL_CIPHER_is_AESGCM(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & (SSL_AES128GCM | SSL_AES256GCM)) != 0;
-}
-
-int SSL_CIPHER_is_AES128GCM(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_AES128GCM) != 0;
-}
-
-int SSL_CIPHER_is_AES128CBC(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_AES128) != 0;
-}
-
-int SSL_CIPHER_is_AES256CBC(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_AES256) != 0;
-}
-
-int SSL_CIPHER_is_CHACHA20POLY1305(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_CHACHA20POLY1305) != 0;
-}
-
-int SSL_CIPHER_is_NULL(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_enc & SSL_eNULL) != 0;
-}
-
int SSL_CIPHER_is_block_cipher(const SSL_CIPHER *cipher) {
return (cipher->algorithm_enc & SSL_eNULL) == 0 &&
cipher->algorithm_mac != SSL_AEAD;
}
-int SSL_CIPHER_is_ECDSA(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_auth & SSL_aECDSA) != 0;
-}
-
-int SSL_CIPHER_is_ECDHE(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_mkey & SSL_kECDHE) != 0;
-}
-
-int SSL_CIPHER_is_static_RSA(const SSL_CIPHER *cipher) {
- return (cipher->algorithm_mkey & SSL_kRSA) != 0;
-}
-
uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
if (cipher->algorithm_mkey == SSL_kGENERIC ||
cipher->algorithm_auth == SSL_aGENERIC) {
@@ -1577,8 +1521,8 @@
}
if (cipher->algorithm_prf != SSL_HANDSHAKE_MAC_DEFAULT) {
- /* Cipher suites before TLS 1.2 use the default PRF, while all those added
- * afterwards specify a particular hash. */
+ // Cipher suites before TLS 1.2 use the default PRF, while all those added
+ // afterwards specify a particular hash.
return TLS1_2_VERSION;
}
return SSL3_VERSION;
@@ -1592,7 +1536,7 @@
return TLS1_2_VERSION;
}
-/* return the actual cipher being used */
+// return the actual cipher being used
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher) {
if (cipher != NULL) {
return cipher->name;
diff --git a/src/ssl/ssl_file.cc b/src/ssl/ssl_file.cc
index 59351a3..1bdc14f 100644
--- a/src/ssl/ssl_file.cc
+++ b/src/ssl/ssl_file.cc
@@ -128,8 +128,8 @@
return X509_NAME_cmp(*a, *b);
}
-/* TODO(davidben): Is there any reason this doesn't call
- * |SSL_add_file_cert_subjects_to_stack|? */
+// TODO(davidben): Is there any reason this doesn't call
+// |SSL_add_file_cert_subjects_to_stack|?
STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) {
BIO *in;
X509 *x = NULL;
@@ -164,7 +164,7 @@
goto err;
}
- /* Check for duplicates. */
+ // Check for duplicates.
if (sk_X509_NAME_find(sk, NULL, xn)) {
continue;
}
@@ -222,7 +222,7 @@
goto err;
}
- /* Check for duplicates. */
+ // Check for duplicates.
if (sk_X509_NAME_find(stack, NULL, xn)) {
continue;
}
@@ -493,15 +493,15 @@
return ret;
}
-/* Read a file that contains our certificate in "PEM" format, possibly followed
- * by a sequence of CA certificates that should be sent to the peer in the
- * Certificate message. */
+// Read a file that contains our certificate in "PEM" format, possibly followed
+// by a sequence of CA certificates that should be sent to the peer in the
+// Certificate message.
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) {
BIO *in;
int ret = 0;
X509 *x = NULL;
- ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
+ ERR_clear_error(); // clear error stack for SSL_CTX_use_certificate()
in = BIO_new(BIO_s_file());
if (in == NULL) {
@@ -524,12 +524,12 @@
ret = SSL_CTX_use_certificate(ctx, x);
if (ERR_peek_error() != 0) {
- ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
+ ret = 0; // Key/certificate mismatch doesn't imply ret==0 ...
}
if (ret) {
- /* If we could set up our certificate, now proceed to the CA
- * certificates. */
+ // If we could set up our certificate, now proceed to the CA
+ // certificates.
X509 *ca;
int r;
uint32_t err;
@@ -545,18 +545,18 @@
ret = 0;
goto end;
}
- /* Note that we must not free r if it was successfully added to the chain
- * (while we must free the main certificate, since its reference count is
- * increased by SSL_CTX_use_certificate). */
+ // Note that we must not free r if it was successfully added to the chain
+ // (while we must free the main certificate, since its reference count is
+ // increased by SSL_CTX_use_certificate).
}
- /* When the while loop ends, it's usually just EOF. */
+ // When the while loop ends, it's usually just EOF.
err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE) {
ERR_clear_error();
} else {
- ret = 0; /* some real error */
+ ret = 0; // some real error
}
}
diff --git a/src/ssl/ssl_key_share.cc b/src/ssl/ssl_key_share.cc
index eb61535..207f11e 100644
--- a/src/ssl/ssl_key_share.cc
+++ b/src/ssl/ssl_key_share.cc
@@ -42,14 +42,14 @@
bool Offer(CBB *out) override {
assert(!private_key_);
- /* Set up a shared |BN_CTX| for all operations. */
+ // Set up a shared |BN_CTX| for all operations.
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
if (!bn_ctx) {
return false;
}
BN_CTXScope scope(bn_ctx.get());
- /* Generate a private key. */
+ // Generate a private key.
UniquePtr<EC_GROUP> group(EC_GROUP_new_by_curve_name(nid_));
private_key_.reset(BN_new());
if (!group || !private_key_ ||
@@ -58,7 +58,7 @@
return false;
}
- /* Compute the corresponding public key and serialize it. */
+ // Compute the corresponding public key and serialize it.
UniquePtr<EC_POINT> public_key(EC_POINT_new(group.get()));
if (!public_key ||
!EC_POINT_mul(group.get(), public_key.get(), private_key_.get(), NULL,
@@ -76,7 +76,7 @@
assert(private_key_);
*out_alert = SSL_AD_INTERNAL_ERROR;
- /* Set up a shared |BN_CTX| for all operations. */
+ // Set up a shared |BN_CTX| for all operations.
UniquePtr<BN_CTX> bn_ctx(BN_CTX_new());
if (!bn_ctx) {
return false;
@@ -101,7 +101,7 @@
return false;
}
- /* Compute the x-coordinate of |peer_key| * |private_key_|. */
+ // Compute the x-coordinate of |peer_key| * |private_key_|.
if (!EC_POINT_mul(group.get(), result.get(), NULL, peer_point.get(),
private_key_.get(), bn_ctx.get()) ||
!EC_POINT_get_affine_coordinates_GFp(group.get(), result.get(), x, NULL,
@@ -109,7 +109,7 @@
return false;
}
- /* Encode the x-coordinate left-padded with zeros. */
+ // Encode the x-coordinate left-padded with zeros.
size_t secret_len = (EC_GROUP_get_degree(group.get()) + 7) / 8;
UniquePtr<uint8_t> secret((uint8_t *)OPENSSL_malloc(secret_len));
if (!secret || !BN_bn2bin_padded(secret.get(), secret_len, x)) {
diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc
index 9ecd7df..853994b 100644
--- a/src/ssl/ssl_lib.cc
+++ b/src/ssl/ssl_lib.cc
@@ -164,22 +164,22 @@
namespace bssl {
-/* |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
- * to avoid downstream churn. */
+// |SSL_R_UNKNOWN_PROTOCOL| is no longer emitted, but continue to define it
+// to avoid downstream churn.
OPENSSL_DECLARE_ERROR_REASON(SSL, UNKNOWN_PROTOCOL)
-/* The following errors are no longer emitted, but are used in nginx without
- * #ifdefs. */
+// The following errors are no longer emitted, but are used in nginx without
+// #ifdefs.
OPENSSL_DECLARE_ERROR_REASON(SSL, BLOCK_CIPHER_PAD_IS_WRONG)
OPENSSL_DECLARE_ERROR_REASON(SSL, NO_CIPHERS_SPECIFIED)
-/* Some error codes are special. Ensure the make_errors.go script never
- * regresses this. */
+// Some error codes are special. Ensure the make_errors.go script never
+// regresses this.
static_assert(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION ==
SSL_AD_NO_RENEGOTIATION + SSL_AD_REASON_OFFSET,
"alert reason code mismatch");
-/* kMaxHandshakeSize is the maximum size, in bytes, of a handshake message. */
+// kMaxHandshakeSize is the maximum size, in bytes, of a handshake message.
static const size_t kMaxHandshakeSize = (1u << 24) - 1;
static CRYPTO_EX_DATA_CLASS g_ex_data_class_ssl =
@@ -188,8 +188,8 @@
CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
void ssl_reset_error_state(SSL *ssl) {
- /* Functions which use |SSL_get_error| must reset I/O and error state on
- * entry. */
+ // Functions which use |SSL_get_error| must reset I/O and error state on
+ // entry.
ssl->rwstate = SSL_NOTHING;
ERR_clear_error();
ERR_clear_system_error();
@@ -216,20 +216,20 @@
void ssl_update_cache(SSL_HANDSHAKE *hs, int mode) {
SSL *const ssl = hs->ssl;
SSL_CTX *ctx = ssl->session_ctx;
- /* Never cache sessions with empty session IDs. */
+ // Never cache sessions with empty session IDs.
if (ssl->s3->established_session->session_id_length == 0 ||
ssl->s3->established_session->not_resumable ||
(ctx->session_cache_mode & mode) != mode) {
return;
}
- /* Clients never use the internal session cache. */
+ // Clients never use the internal session cache.
int use_internal_cache = ssl->server && !(ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE);
- /* A client may see new sessions on abbreviated handshakes if the server
- * decides to renew the ticket. Once the handshake is completed, it should be
- * inserted into the cache. */
+ // A client may see new sessions on abbreviated handshakes if the server
+ // decides to renew the ticket. Once the handshake is completed, it should be
+ // inserted into the cache.
if (ssl->s3->established_session != ssl->session ||
(!ssl->server && hs->ticket_expected)) {
if (use_internal_cache) {
@@ -238,7 +238,7 @@
if (ctx->new_session_cb != NULL) {
SSL_SESSION_up_ref(ssl->s3->established_session);
if (!ctx->new_session_cb(ssl, ssl->s3->established_session)) {
- /* |new_session_cb|'s return value signals whether it took ownership. */
+ // |new_session_cb|'s return value signals whether it took ownership.
SSL_SESSION_free(ssl->s3->established_session);
}
}
@@ -246,7 +246,7 @@
if (use_internal_cache &&
!(ctx->session_cache_mode & SSL_SESS_CACHE_NO_AUTO_CLEAR)) {
- /* Automatically flush the internal session cache every 255 connections. */
+ // Automatically flush the internal session cache every 255 connections.
int flush_cache = 0;
CRYPTO_MUTEX_lock_write(&ctx->lock);
ctx->handshakes_since_cache_flush++;
@@ -309,7 +309,7 @@
int ssl3_can_false_start(const SSL *ssl) {
const SSL_CIPHER *const cipher = SSL_get_current_cipher(ssl);
- /* False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN. */
+ // False Start only for TLS 1.2 with an ECDHE+AEAD cipher and ALPN or NPN.
return !SSL_is_dtls(ssl) &&
SSL_version(ssl) == TLS1_2_VERSION &&
(ssl->s3->alpn_selected != NULL ||
@@ -338,12 +338,12 @@
return;
}
- /* |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
- * a V2ClientHello. */
+ // |version| is zero when calling for |SSL3_RT_HEADER| and |SSL2_VERSION| for
+ // a V2ClientHello.
int version;
switch (content_type) {
case 0:
- /* V2ClientHello */
+ // V2ClientHello
version = SSL2_VERSION;
break;
case SSL3_RT_HEADER:
@@ -358,16 +358,16 @@
}
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock) {
- /* TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
- * |ssl| arg from |current_time_cb| if possible. */
+ // TODO(martinkr): Change callers to |ssl_ctx_get_current_time| and drop the
+ // |ssl| arg from |current_time_cb| if possible.
ssl_ctx_get_current_time(ssl->ctx, out_clock);
}
void ssl_ctx_get_current_time(const SSL_CTX *ctx,
struct OPENSSL_timeval *out_clock) {
if (ctx->current_time_cb != NULL) {
- /* TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
- * https://crbug.com/boringssl/155. */
+ // TODO(davidben): Update current_time_cb to use OPENSSL_timeval. See
+ // https://crbug.com/boringssl/155.
struct timeval clock;
ctx->current_time_cb(nullptr /* ssl */, &clock);
if (clock.tv_sec < 0) {
@@ -437,11 +437,11 @@
return hash;
}
-/* NB: If this function (or indeed the hash function which uses a sort of
- * coarser function than this one) is changed, ensure
- * SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
- * able to construct an SSL_SESSION that will collide with any existing session
- * with a matching session ID. */
+// NB: If this function (or indeed the hash function which uses a sort of
+// coarser function than this one) is changed, ensure
+// SSL_CTX_has_matching_session_id() is checked accordingly. It relies on being
+// able to construct an SSL_SESSION that will collide with any existing session
+// with a matching session ID.
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b) {
if (a->ssl_version != b->ssl_version) {
return 1;
@@ -511,16 +511,16 @@
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
- /* Disable the auto-chaining feature by default. Once this has stuck without
- * problems, the feature will be removed entirely. */
+ // Disable the auto-chaining feature by default. Once this has stuck without
+ // problems, the feature will be removed entirely.
ret->mode = SSL_MODE_NO_AUTO_CHAIN;
- /* Lock the SSL_CTX to the specified version, for compatibility with legacy
- * uses of SSL_METHOD, but we do not set the minimum version for
- * |SSLv3_method|. */
+ // Lock the SSL_CTX to the specified version, for compatibility with legacy
+ // uses of SSL_METHOD, but we do not set the minimum version for
+ // |SSLv3_method|.
if (!SSL_CTX_set_max_proto_version(ret, method->version) ||
!SSL_CTX_set_min_proto_version(ret, method->version == SSL3_VERSION
- ? 0 /* default */
+ ? 0 // default
: method->version)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
goto err2;
@@ -546,12 +546,12 @@
return;
}
- /* Free internal session cache. However: the remove_cb() may reference the
- * ex_data of SSL_CTX, thus the ex_data store can only be removed after the
- * sessions were flushed. As the ex_data handling routines might also touch
- * the session cache, the most secure solution seems to be: empty (flush) the
- * cache, then free ex_data, then finally free the cache. (See ticket
- * [openssl.org #212].) */
+ // Free internal session cache. However: the remove_cb() may reference the
+ // ex_data of SSL_CTX, thus the ex_data store can only be removed after the
+ // sessions were flushed. As the ex_data handling routines might also touch
+ // the session cache, the most secure solution seems to be: empty (flush) the
+ // cache, then free ex_data, then finally free the cache. (See ticket
+ // [openssl.org #212].)
SSL_CTX_flush_sessions(ctx, 0);
CRYPTO_free_ex_data(&g_ex_data_class_ssl_ctx, ctx, &ctx->ex_data);
@@ -598,8 +598,8 @@
ssl->conf_max_version = ctx->conf_max_version;
ssl->tls13_variant = ctx->tls13_variant;
- /* RFC 6347 states that implementations SHOULD use an initial timer value of
- * 1 second. */
+ // RFC 6347 states that implementations SHOULD use an initial timer value of
+ // 1 second.
ssl->initial_timeout_duration_ms = 1000;
ssl->options = ctx->options;
@@ -703,7 +703,7 @@
BUF_MEM_free(ssl->init_buf);
- /* add extra stuff */
+ // add extra stuff
ssl_cipher_preference_list_free(ssl->cipher_list);
SSL_SESSION_free(ssl->session);
@@ -729,12 +729,12 @@
void SSL_set_connect_state(SSL *ssl) {
ssl->server = 0;
- ssl->handshake_func = ssl3_connect;
+ ssl->do_handshake = ssl_client_handshake;
}
void SSL_set_accept_state(SSL *ssl) {
ssl->server = 1;
- ssl->handshake_func = ssl3_accept;
+ ssl->do_handshake = ssl_server_handshake;
}
void SSL_set0_rbio(SSL *ssl, BIO *rbio) {
@@ -748,35 +748,35 @@
}
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
- /* For historical reasons, this function has many different cases in ownership
- * handling. */
+ // For historical reasons, this function has many different cases in ownership
+ // handling.
- /* If nothing has changed, do nothing */
+ // If nothing has changed, do nothing
if (rbio == SSL_get_rbio(ssl) && wbio == SSL_get_wbio(ssl)) {
return;
}
- /* If the two arguments are equal, one fewer reference is granted than
- * taken. */
+ // If the two arguments are equal, one fewer reference is granted than
+ // taken.
if (rbio != NULL && rbio == wbio) {
BIO_up_ref(rbio);
}
- /* If only the wbio is changed, adopt only one reference. */
+ // If only the wbio is changed, adopt only one reference.
if (rbio == SSL_get_rbio(ssl)) {
SSL_set0_wbio(ssl, wbio);
return;
}
- /* There is an asymmetry here for historical reasons. If only the rbio is
- * changed AND the rbio and wbio were originally different, then we only adopt
- * one reference. */
+ // There is an asymmetry here for historical reasons. If only the rbio is
+ // changed AND the rbio and wbio were originally different, then we only adopt
+ // one reference.
if (wbio == SSL_get_wbio(ssl) && SSL_get_rbio(ssl) != SSL_get_wbio(ssl)) {
SSL_set0_rbio(ssl, rbio);
return;
}
- /* Otherwise, adopt both references. */
+ // Otherwise, adopt both references.
SSL_set0_rbio(ssl, rbio);
SSL_set0_wbio(ssl, wbio);
}
@@ -788,7 +788,7 @@
int SSL_do_handshake(SSL *ssl) {
ssl_reset_error_state(ssl);
- if (ssl->handshake_func == NULL) {
+ if (ssl->do_handshake == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
return -1;
}
@@ -797,20 +797,19 @@
return 1;
}
- if (ssl->s3->hs == NULL) {
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return -1;
- }
+ // Run the handshake.
+ SSL_HANDSHAKE *hs = ssl->s3->hs;
- /* Run the handshake. */
- assert(ssl->s3->hs != NULL);
- int ret = ssl->handshake_func(ssl->s3->hs);
+ bool early_return = false;
+ int ret = ssl_run_handshake(hs, &early_return);
+ ssl_do_info_callback(
+ ssl, ssl->server ? SSL_CB_ACCEPT_EXIT : SSL_CB_CONNECT_EXIT, ret);
if (ret <= 0) {
return ret;
}
- /* Destroy the handshake object if the handshake has completely finished. */
- if (!SSL_in_init(ssl)) {
+ // Destroy the handshake object if the handshake has completely finished.
+ if (!early_return) {
ssl_handshake_free(ssl->s3->hs);
ssl->s3->hs = NULL;
}
@@ -819,8 +818,8 @@
}
int SSL_connect(SSL *ssl) {
- if (ssl->handshake_func == NULL) {
- /* Not properly initialized yet */
+ if (ssl->do_handshake == NULL) {
+ // Not properly initialized yet
SSL_set_connect_state(ssl);
}
@@ -828,8 +827,8 @@
}
int SSL_accept(SSL *ssl) {
- if (ssl->handshake_func == NULL) {
- /* Not properly initialized yet */
+ if (ssl->do_handshake == NULL) {
+ // Not properly initialized yet
SSL_set_accept_state(ssl);
}
@@ -841,9 +840,9 @@
return tls13_post_handshake(ssl, msg);
}
- /* We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
- * removed entirely in the future and requires retaining more data for
- * renegotiation_info. */
+ // We do not accept renegotiations as a server or SSL 3.0. SSL 3.0 will be
+ // removed entirely in the future and requires retaining more data for
+ // renegotiation_info.
if (ssl->server || ssl->version == SSL3_VERSION) {
goto no_renegotiation;
}
@@ -856,7 +855,7 @@
switch (ssl->renegotiate_mode) {
case ssl_renegotiate_ignore:
- /* Ignore the HelloRequest. */
+ // Ignore the HelloRequest.
return 1;
case ssl_renegotiate_once:
@@ -872,15 +871,15 @@
break;
}
- /* Renegotiation is only supported at quiescent points in the application
- * protocol, namely in HTTPS, just before reading the HTTP response. Require
- * the record-layer be idle and avoid complexities of sending a handshake
- * record while an application_data record is being written. */
+ // Renegotiation is only supported at quiescent points in the application
+ // protocol, namely in HTTPS, just before reading the HTTP response. Require
+ // the record-layer be idle and avoid complexities of sending a handshake
+ // record while an application_data record is being written.
if (ssl_write_buffer_is_pending(ssl)) {
goto no_renegotiation;
}
- /* Begin a new handshake. */
+ // Begin a new handshake.
if (ssl->s3->hs != NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
@@ -902,15 +901,15 @@
static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
ssl_reset_error_state(ssl);
- if (ssl->handshake_func == NULL) {
+ if (ssl->do_handshake == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
return -1;
}
for (;;) {
- /* Complete the current handshake, if any. False Start will cause
- * |SSL_do_handshake| to return mid-handshake, so this may require multiple
- * iterations. */
+ // Complete the current handshake, if any. False Start will cause
+ // |SSL_do_handshake| to return mid-handshake, so this may require multiple
+ // iterations.
while (!ssl_can_read(ssl)) {
int ret = SSL_do_handshake(ssl);
if (ret < 0) {
@@ -922,7 +921,7 @@
}
}
- int got_handshake;
+ bool got_handshake = false;
int ret = ssl->method->read_app_data(ssl, &got_handshake, (uint8_t *)buf,
num, peek);
if (ret > 0 || !got_handshake) {
@@ -930,15 +929,15 @@
return ret;
}
- /* If we received an interrupt in early read (the end_of_early_data alert),
- * loop again for the handshake to process it. */
+ // If we received an interrupt in early read (the end_of_early_data alert),
+ // loop again for the handshake to process it.
if (SSL_in_init(ssl)) {
continue;
}
SSLMessage msg;
while (ssl->method->get_message(ssl, &msg)) {
- /* Handle the post-handshake message and try again. */
+ // Handle the post-handshake message and try again.
if (!ssl_do_post_handshake(ssl, msg)) {
return -1;
}
@@ -958,7 +957,7 @@
int SSL_write(SSL *ssl, const void *buf, int num) {
ssl_reset_error_state(ssl);
- if (ssl->handshake_func == NULL) {
+ if (ssl->do_handshake == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
return -1;
}
@@ -968,9 +967,10 @@
return -1;
}
- int ret = 0, needs_handshake = 0;
+ int ret = 0;
+ bool needs_handshake = false;
do {
- /* If necessary, complete the handshake implicitly. */
+ // If necessary, complete the handshake implicitly.
if (!ssl_can_write(ssl)) {
ret = SSL_do_handshake(ssl);
if (ret < 0) {
@@ -991,48 +991,48 @@
int SSL_shutdown(SSL *ssl) {
ssl_reset_error_state(ssl);
- if (ssl->handshake_func == NULL) {
+ if (ssl->do_handshake == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
return -1;
}
- /* If we are in the middle of a handshake, silently succeed. Consumers often
- * call this function before |SSL_free|, whether the handshake succeeded or
- * not. We assume the caller has already handled failed handshakes. */
+ // If we are in the middle of a handshake, silently succeed. Consumers often
+ // call this function before |SSL_free|, whether the handshake succeeded or
+ // not. We assume the caller has already handled failed handshakes.
if (SSL_in_init(ssl)) {
return 1;
}
if (ssl->quiet_shutdown) {
- /* Do nothing if configured not to send a close_notify. */
+ // Do nothing if configured not to send a close_notify.
ssl->s3->send_shutdown = ssl_shutdown_close_notify;
ssl->s3->recv_shutdown = ssl_shutdown_close_notify;
return 1;
}
- /* This function completes in two stages. It sends a close_notify and then it
- * waits for a close_notify to come in. Perform exactly one action and return
- * whether or not it succeeds. */
+ // This function completes in two stages. It sends a close_notify and then it
+ // waits for a close_notify to come in. Perform exactly one action and return
+ // whether or not it succeeds.
if (ssl->s3->send_shutdown != ssl_shutdown_close_notify) {
- /* Send a close_notify. */
+ // Send a close_notify.
if (ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY) <= 0) {
return -1;
}
} else if (ssl->s3->alert_dispatch) {
- /* Finish sending the close_notify. */
+ // Finish sending the close_notify.
if (ssl->method->dispatch_alert(ssl) <= 0) {
return -1;
}
} else if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
- /* Wait for the peer's close_notify. */
+ // Wait for the peer's close_notify.
ssl->method->read_close_notify(ssl);
if (ssl->s3->recv_shutdown != ssl_shutdown_close_notify) {
return -1;
}
}
- /* Return 0 for unidirectional shutdown and 1 for bidirectional shutdown. */
+ // Return 0 for unidirectional shutdown and 1 for bidirectional shutdown.
return ssl->s3->recv_shutdown == ssl_shutdown_close_notify;
}
@@ -1040,7 +1040,7 @@
if (ssl->s3->alert_dispatch) {
if (ssl->s3->send_alert[0] != SSL3_AL_FATAL ||
ssl->s3->send_alert[1] != alert) {
- /* We are already attempting to write a different alert. */
+ // We are already attempting to write a different alert.
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
}
@@ -1085,13 +1085,13 @@
}
hs->wait = ssl_hs_ok;
- hs->in_early_data = 0;
+ hs->in_early_data = false;
hs->early_session.reset();
- /* Discard any unfinished writes from the perspective of |SSL_write|'s
- * retry. The handshake will transparently flush out the pending record
- * (discarded by the server) to keep the framing correct. */
- ssl->s3->wpend_pending = 0;
+ // Discard any unfinished writes from the perspective of |SSL_write|'s
+ // retry. The handshake will transparently flush out the pending record
+ // (discarded by the server) to keep the framing correct.
+ ssl->s3->wpend_pending = false;
}
static int bio_retry_reason_to_error(int reason) {
@@ -1110,8 +1110,8 @@
return SSL_ERROR_NONE;
}
- /* Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
- * where we do encode the error */
+ // Make things return SSL_ERROR_SYSCALL when doing SSL_do_handshake etc,
+ // where we do encode the error
uint32_t err = ERR_peek_error();
if (err != 0) {
if (ERR_GET_LIB(err) == ERR_LIB_SYS) {
@@ -1124,9 +1124,9 @@
if (ssl->s3->recv_shutdown == ssl_shutdown_close_notify) {
return SSL_ERROR_ZERO_RETURN;
}
- /* An EOF was observed which violates the protocol, and the underlying
- * transport does not participate in the error queue. Bubble up to the
- * caller. */
+ // An EOF was observed which violates the protocol, and the underlying
+ // transport does not participate in the error queue. Bubble up to the
+ // caller.
return SSL_ERROR_SYSCALL;
}
@@ -1144,8 +1144,8 @@
}
if (BIO_should_write(bio)) {
- /* TODO(davidben): OpenSSL historically checked for writes on the read
- * BIO. Can this be removed? */
+ // TODO(davidben): OpenSSL historically checked for writes on the read
+ // BIO. Can this be removed?
return SSL_ERROR_WANT_WRITE;
}
@@ -1163,8 +1163,8 @@
}
if (BIO_should_read(bio)) {
- /* TODO(davidben): OpenSSL historically checked for reads on the write
- * BIO. Can this be removed? */
+ // TODO(davidben): OpenSSL historically checked for reads on the write
+ // BIO. Can this be removed?
return SSL_ERROR_WANT_READ;
}
@@ -1254,20 +1254,20 @@
*out_len = 0;
OPENSSL_memset(out, 0, max_out);
- /* tls-unique is not defined for SSL 3.0 or TLS 1.3. */
+ // tls-unique is not defined for SSL 3.0 or TLS 1.3.
if (!ssl->s3->initial_handshake_complete ||
ssl3_protocol_version(ssl) < TLS1_VERSION ||
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return 0;
}
- /* The tls-unique value is the first Finished message in the handshake, which
- * is the client's in a full handshake and the server's for a resumption. See
- * https://tools.ietf.org/html/rfc5929#section-3.1. */
+ // The tls-unique value is the first Finished message in the handshake, which
+ // is the client's in a full handshake and the server's for a resumption. See
+ // https://tools.ietf.org/html/rfc5929#section-3.1.
const uint8_t *finished = ssl->s3->previous_client_finished;
size_t finished_len = ssl->s3->previous_client_finished_len;
if (ssl->session != NULL) {
- /* tls-unique is broken for resumed sessions unless EMS is used. */
+ // tls-unique is broken for resumed sessions unless EMS is used.
if (!ssl->session->extended_master_secret) {
return 0;
}
@@ -1357,7 +1357,7 @@
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_wbio(ssl, bio);
} else {
- /* Copy the rbio over to the wbio. */
+ // Copy the rbio over to the wbio.
BIO_up_ref(rbio);
SSL_set0_wbio(ssl, rbio);
}
@@ -1377,7 +1377,7 @@
BIO_set_fd(bio, fd, BIO_NOCLOSE);
SSL_set0_rbio(ssl, bio);
} else {
- /* Copy the wbio over to the rbio. */
+ // Copy the wbio over to the rbio.
BIO_up_ref(wbio);
SSL_set0_rbio(ssl, wbio);
}
@@ -1428,8 +1428,8 @@
int SSL_get_verify_mode(const SSL *ssl) { return ssl->verify_mode; }
int SSL_get_extms_support(const SSL *ssl) {
- /* TLS 1.3 does not require extended master secret and always reports as
- * supporting it. */
+ // TLS 1.3 does not require extended master secret and always reports as
+ // supporting it.
if (!ssl->s3->have_version) {
return 0;
}
@@ -1437,12 +1437,12 @@
return 1;
}
- /* If the initial handshake completed, query the established session. */
+ // If the initial handshake completed, query the established session.
if (ssl->s3->established_session != NULL) {
return ssl->s3->established_session->extended_master_secret;
}
- /* Otherwise, query the in-progress handshake. */
+ // Otherwise, query the in-progress handshake.
if (ssl->s3->hs != NULL) {
return ssl->s3->hs->extended_master_secret;
}
@@ -1465,12 +1465,12 @@
return ssl->s3->rrec.length;
}
-/* Fix this so it checks all the valid key/cert options */
+// Fix this so it checks all the valid key/cert options
int SSL_CTX_check_private_key(const SSL_CTX *ctx) {
return ssl_cert_check_private_key(ctx->cert, ctx->cert->privatekey);
}
-/* Fix this function so that it takes an optional type parameter */
+// Fix this function so that it takes an optional type parameter
int SSL_check_private_key(const SSL *ssl) {
return ssl_cert_check_private_key(ssl->cert, ssl->cert->privatekey);
}
@@ -1480,7 +1480,7 @@
}
int SSL_renegotiate(SSL *ssl) {
- /* Caller-initiated renegotiation is not supported. */
+ // Caller-initiated renegotiation is not supported.
OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return 0;
}
@@ -1591,8 +1591,8 @@
return 0;
}
- /* The default ticket keys are initialized lazily. Trigger a key
- * rotation to initialize them. */
+ // The default ticket keys are initialized lazily. Trigger a key
+ // rotation to initialize them.
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
return 0;
}
@@ -1627,7 +1627,7 @@
OPENSSL_memcpy(ctx->tlsext_ticket_key_current->aes_key, in_bytes + 32, 16);
OPENSSL_free(ctx->tlsext_ticket_key_prev);
ctx->tlsext_ticket_key_prev = nullptr;
- /* Disable automatic key rotation. */
+ // Disable automatic key rotation.
ctx->tlsext_ticket_key_current->next_rotation_tv_sec = 0;
return 1;
}
@@ -1663,8 +1663,8 @@
}
uint16_t SSL_get_curve_id(const SSL *ssl) {
- /* TODO(davidben): This checks the wrong session if there is a renegotiation in
- * progress. */
+ // TODO(davidben): This checks the wrong session if there is a renegotiation
+ // in progress.
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return 0;
@@ -1749,21 +1749,21 @@
return NULL;
}
- /* Historically, |SSL_get_servername| was also the configuration getter
- * corresponding to |SSL_set_tlsext_host_name|. */
+ // Historically, |SSL_get_servername| was also the configuration getter
+ // corresponding to |SSL_set_tlsext_host_name|.
if (ssl->tlsext_hostname != NULL) {
return ssl->tlsext_hostname;
}
- /* During the handshake, report the handshake value. */
+ // During the handshake, report the handshake value.
if (ssl->s3->hs != NULL) {
return ssl->s3->hs->hostname.get();
}
- /* SSL_get_servername may also be called after the handshake to look up the
- * SNI value.
- *
- * TODO(davidben): This is almost unused. Can we remove it? */
+ // SSL_get_servername may also be called after the handshake to look up the
+ // SNI value.
+ //
+ // TODO(davidben): This is almost unused. Can we remove it?
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return NULL;
@@ -1873,12 +1873,12 @@
const uint8_t *result;
int status;
- /* For each protocol in peer preference order, see if we support it. */
+ // For each protocol in peer preference order, see if we support it.
for (unsigned i = 0; i < peer_len;) {
for (unsigned j = 0; j < supported_len;) {
if (peer[i] == supported[j] &&
OPENSSL_memcmp(&peer[i + 1], &supported[j + 1], peer[i]) == 0) {
- /* We found a match */
+ // We found a match
result = &peer[i];
status = OPENSSL_NPN_NEGOTIATED;
goto found;
@@ -1890,7 +1890,7 @@
i++;
}
- /* There's no overlap between our protocols and the peer's list. */
+ // There's no overlap between our protocols and the peer's list.
result = supported;
status = OPENSSL_NPN_NO_OVERLAP;
@@ -2085,8 +2085,8 @@
int SSL_get_quiet_shutdown(const SSL *ssl) { return ssl->quiet_shutdown; }
void SSL_set_shutdown(SSL *ssl, int mode) {
- /* It is an error to clear any bits that have already been set. (We can't try
- * to get a second close_notify or send two.) */
+ // It is an error to clear any bits that have already been set. (We can't try
+ // to get a second close_notify or send two.)
assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
if (mode & SSL_RECEIVED_SHUTDOWN &&
@@ -2103,12 +2103,12 @@
int SSL_get_shutdown(const SSL *ssl) {
int ret = 0;
if (ssl->s3->recv_shutdown != ssl_shutdown_none) {
- /* Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
- * and fatal alert. */
+ // Historically, OpenSSL set |SSL_RECEIVED_SHUTDOWN| on both close_notify
+ // and fatal alert.
ret |= SSL_RECEIVED_SHUTDOWN;
}
if (ssl->s3->send_shutdown == ssl_shutdown_close_notify) {
- /* Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify. */
+ // Historically, OpenSSL set |SSL_SENT_SHUTDOWN| on only close_notify.
ret |= SSL_SENT_SHUTDOWN;
}
return ret;
@@ -2121,7 +2121,7 @@
return ssl->ctx;
}
- /* One cannot change the X.509 callbacks during a connection. */
+ // One cannot change the X.509 callbacks during a connection.
if (ssl->ctx->x509_method != ctx->x509_method) {
assert(0);
return NULL;
@@ -2224,14 +2224,14 @@
return 0;
}
- /* Clear currently configured hint, if any. */
+ // Clear currently configured hint, if any.
OPENSSL_free(*out);
*out = NULL;
- /* Treat the empty hint as not supplying one. Plain PSK makes it possible to
- * send either no hint (omit ServerKeyExchange) or an empty hint, while
- * ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
- * so we interpret empty and missing as identical. */
+ // Treat the empty hint as not supplying one. Plain PSK makes it possible to
+ // send either no hint (omit ServerKeyExchange) or an empty hint, while
+ // ECDHE_PSK can only spell empty hint. Having different capabilities is odd,
+ // so we interpret empty and missing as identical.
if (identity_hint != NULL && identity_hint[0] != '\0') {
*out = BUF_strdup(identity_hint);
if (*out == NULL) {
@@ -2337,8 +2337,11 @@
}
int SSL_in_init(const SSL *ssl) {
+ // This returns false once all the handshake state has been finalized, to
+ // allow callbacks and getters based on SSL_in_init to return the correct
+ // values.
SSL_HANDSHAKE *hs = ssl->s3->hs;
- return hs != NULL && hs->state != SSL_ST_OK;
+ return hs != nullptr && !hs->handshake_finalized;
}
int SSL_in_false_start(const SSL *ssl) {
@@ -2398,9 +2401,9 @@
}
uint64_t SSL_get_read_sequence(const SSL *ssl) {
- /* TODO(davidben): Internally represent sequence numbers as uint64_t. */
+ // TODO(davidben): Internally represent sequence numbers as uint64_t.
if (SSL_is_dtls(ssl)) {
- /* max_seq_num already includes the epoch. */
+ // max_seq_num already includes the epoch.
assert(ssl->d1->r_epoch == (ssl->d1->bitmap.max_seq_num >> 48));
return ssl->d1->bitmap.max_seq_num;
}
@@ -2417,8 +2420,8 @@
}
uint16_t SSL_get_peer_signature_algorithm(const SSL *ssl) {
- /* TODO(davidben): This checks the wrong session if there is a renegotiation
- * in progress. */
+ // TODO(davidben): This checks the wrong session if there is a renegotiation
+ // in progress.
SSL_SESSION *session = SSL_get_session(ssl);
if (session == NULL) {
return 0;
@@ -2474,30 +2477,30 @@
}
int SSL_clear(SSL *ssl) {
- /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
- * established session to be offered the next time around. wpa_supplicant
- * depends on this behavior, so emulate it. */
+ // In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously
+ // established session to be offered the next time around. wpa_supplicant
+ // depends on this behavior, so emulate it.
SSL_SESSION *session = NULL;
if (!ssl->server && ssl->s3->established_session != NULL) {
session = ssl->s3->established_session;
SSL_SESSION_up_ref(session);
}
- /* TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
- * |SSL_clear| because it is per-connection state rather than configuration
- * state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
- * naturally reset at the right points between |SSL_new|, |SSL_clear|, and
- * |ssl3_new|. */
+ // TODO(davidben): Some state on |ssl| is reset both in |SSL_new| and
+ // |SSL_clear| because it is per-connection state rather than configuration
+ // state. Per-connection state should be on |ssl->s3| and |ssl->d1| so it is
+ // naturally reset at the right points between |SSL_new|, |SSL_clear|, and
+ // |ssl3_new|.
ssl->rwstate = SSL_NOTHING;
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
- /* The ssl->d1->mtu is simultaneously configuration (preserved across
- * clear) and connection-specific state (gets reset).
- *
- * TODO(davidben): Avoid this. */
+ // The ssl->d1->mtu is simultaneously configuration (preserved across
+ // clear) and connection-specific state (gets reset).
+ //
+ // TODO(davidben): Avoid this.
unsigned mtu = 0;
if (ssl->d1 != NULL) {
mtu = ssl->d1->mtu;
diff --git a/src/ssl/ssl_privkey.cc b/src/ssl/ssl_privkey.cc
index ecdf48f..d275561 100644
--- a/src/ssl/ssl_privkey.cc
+++ b/src/ssl/ssl_privkey.cc
@@ -84,7 +84,7 @@
if (cert->chain != NULL &&
sk_CRYPTO_BUFFER_value(cert->chain, 0) != NULL &&
- /* Sanity-check that the private key and the certificate match. */
+ // Sanity-check that the private key and the certificate match.
!ssl_cert_check_private_key(cert, pkey)) {
return 0;
}
@@ -148,12 +148,12 @@
}
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
- /* RSA keys may only be used with RSA-PSS. */
+ // RSA keys may only be used with RSA-PSS.
if (alg->pkey_type == EVP_PKEY_RSA && !alg->is_rsa_pss) {
return 0;
}
- /* EC keys have a curve requirement. */
+ // EC keys have a curve requirement.
if (alg->pkey_type == EVP_PKEY_EC &&
(alg->curve == NID_undef ||
EC_GROUP_get_curve_name(
@@ -201,8 +201,8 @@
static enum ssl_private_key_result_t legacy_sign(
SSL *ssl, uint8_t *out, size_t *out_len, size_t max_out, uint16_t sigalg,
const uint8_t *in, size_t in_len) {
- /* TODO(davidben): Remove support for |sign_digest|-only
- * |SSL_PRIVATE_KEY_METHOD|s. */
+ // TODO(davidben): Remove support for |sign_digest|-only
+ // |SSL_PRIVATE_KEY_METHOD|s.
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg == NULL || !legacy_sign_digest_supported(alg)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL_FOR_CUSTOM_KEY);
@@ -272,13 +272,13 @@
RSA *rsa = EVP_PKEY_get0_RSA(ssl->cert->privatekey);
if (rsa == NULL) {
- /* Decrypt operations are only supported for RSA keys. */
+ // Decrypt operations are only supported for RSA keys.
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return ssl_private_key_failure;
}
- /* Decrypt with no padding. PKCS#1 padding will be removed as part
- * of the timing-sensitive code by the caller. */
+ // Decrypt with no padding. PKCS#1 padding will be removed as part of the
+ // timing-sensitive code by the caller.
if (!RSA_decrypt(rsa, out_len, out, max_out, in, in_len, RSA_NO_PADDING)) {
return ssl_private_key_failure;
}
@@ -292,20 +292,20 @@
return 0;
}
- /* Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
- * emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
- * hash in TLS. Reasonable RSA key sizes are large enough for the largest
- * defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
- * SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
- * size so that we can fall back to another algorithm in that case. */
+ // Ensure the RSA key is large enough for the hash. RSASSA-PSS requires that
+ // emLen be at least hLen + sLen + 2. Both hLen and sLen are the size of the
+ // hash in TLS. Reasonable RSA key sizes are large enough for the largest
+ // defined RSASSA-PSS algorithm, but 1024-bit RSA is slightly too small for
+ // SHA-512. 1024-bit RSA is sometimes used for test credentials, so check the
+ // size so that we can fall back to another algorithm in that case.
const SSL_SIGNATURE_ALGORITHM *alg = get_signature_algorithm(sigalg);
if (alg->is_rsa_pss && (size_t)EVP_PKEY_size(hs->local_pubkey.get()) <
2 * EVP_MD_size(alg->digest_func()) + 2) {
return 0;
}
- /* Newer algorithms require message-based private keys.
- * TODO(davidben): Remove this check when sign_digest is gone. */
+ // Newer algorithms require message-based private keys.
+ // TODO(davidben): Remove this check when sign_digest is gone.
if (ssl->cert->key_method != NULL &&
ssl->cert->key_method->sign == NULL &&
!legacy_sign_digest_supported(alg)) {
@@ -483,9 +483,9 @@
return 0;
}
- /* Convert the digest list to a signature algorithms list.
- *
- * TODO(davidben): Replace this API with one that can express RSA-PSS, etc. */
+ // Convert the digest list to a signature algorithms list.
+ //
+ // TODO(davidben): Replace this API with one that can express RSA-PSS, etc.
for (size_t i = 0; i < num_digests; i++) {
switch (digest_nids[i]) {
case NID_sha1:
diff --git a/src/ssl/ssl_session.cc b/src/ssl/ssl_session.cc
index 6bacc80..32d3b35 100644
--- a/src/ssl/ssl_session.cc
+++ b/src/ssl/ssl_session.cc
@@ -152,9 +152,9 @@
namespace bssl {
-/* The address of this is a magic value, a pointer to which is returned by
- * SSL_magic_pending_session_ptr(). It allows a session callback to indicate
- * that it needs to asynchronously fetch session information. */
+// The address of this is a magic value, a pointer to which is returned by
+// SSL_magic_pending_session_ptr(). It allows a session callback to indicate
+// that it needs to asynchronously fetch session information.
static const char g_pending_session_magic = 0;
static CRYPTO_EX_DATA_CLASS g_ex_data_class =
@@ -194,13 +194,13 @@
new_session->sid_ctx_length = session->sid_ctx_length;
OPENSSL_memcpy(new_session->sid_ctx, session->sid_ctx, session->sid_ctx_length);
- /* Copy the key material. */
+ // Copy the key material.
new_session->master_key_length = session->master_key_length;
OPENSSL_memcpy(new_session->master_key, session->master_key,
session->master_key_length);
new_session->cipher = session->cipher;
- /* Copy authentication state. */
+ // Copy authentication state.
if (session->psk_identity != NULL) {
new_session->psk_identity = BUF_strdup(session->psk_identity);
if (new_session->psk_identity == NULL) {
@@ -255,7 +255,7 @@
new_session->auth_timeout = session->auth_timeout;
new_session->time = session->time;
- /* Copy non-authentication connection properties. */
+ // Copy non-authentication connection properties.
if (dup_flags & SSL_SESSION_INCLUDE_NONAUTH) {
new_session->session_id_length = session->session_id_length;
OPENSSL_memcpy(new_session->session_id, session->session_id,
@@ -283,7 +283,7 @@
new_session->early_alpn_len = session->early_alpn_len;
}
- /* Copy the ticket. */
+ // Copy the ticket.
if (dup_flags & SSL_SESSION_INCLUDE_TICKET) {
if (session->tlsext_tick != NULL) {
new_session->tlsext_tick =
@@ -295,7 +295,7 @@
new_session->tlsext_ticklen = session->tlsext_ticklen;
}
- /* The new_session does not get a copy of the ex_data. */
+ // The new_session does not get a copy of the ex_data.
new_session->not_resumable = 1;
return new_session;
@@ -305,8 +305,8 @@
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
- /* To avoid overflows and underflows, if we've gone back in time, update the
- * time, but mark the session expired. */
+ // To avoid overflows and underflows, if we've gone back in time, update the
+ // time, but mark the session expired.
if (session->time > now.tv_sec) {
session->time = now.tv_sec;
session->timeout = 0;
@@ -314,8 +314,8 @@
return;
}
- /* Adjust the session time and timeouts. If the session has already expired,
- * clamp the timeouts at zero. */
+ // Adjust the session time and timeouts. If the session has already expired,
+ // clamp the timeouts at zero.
uint64_t delta = now.tv_sec - session->time;
session->time = now.tv_sec;
if (session->timeout < delta) {
@@ -332,8 +332,8 @@
void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session,
uint32_t timeout) {
- /* Rebase the timestamp relative to the current time so |timeout| is measured
- * correctly. */
+ // Rebase the timestamp relative to the current time so |timeout| is measured
+ // correctly.
ssl_session_rebase_time(ssl, session);
if (session->timeout > timeout) {
@@ -349,8 +349,8 @@
uint16_t SSL_SESSION_protocol_version(const SSL_SESSION *session) {
uint16_t ret;
if (!ssl_protocol_version_from_wire(&ret, session->ssl_version)) {
- /* An |SSL_SESSION| will never have an invalid version. This is enforced by
- * the parser. */
+ // An |SSL_SESSION| will never have an invalid version. This is enforced by
+ // the parser.
assert(0);
return 0;
}
@@ -378,28 +378,28 @@
session->is_server = is_server;
session->ssl_version = ssl->version;
- /* Fill in the time from the |SSL_CTX|'s clock. */
+ // Fill in the time from the |SSL_CTX|'s clock.
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
session->time = now.tv_sec;
uint16_t version = ssl3_protocol_version(ssl);
if (version >= TLS1_3_VERSION) {
- /* TLS 1.3 uses tickets as authenticators, so we are willing to use them for
- * longer. */
+ // TLS 1.3 uses tickets as authenticators, so we are willing to use them for
+ // longer.
session->timeout = ssl->session_ctx->session_psk_dhe_timeout;
session->auth_timeout = SSL_DEFAULT_SESSION_AUTH_TIMEOUT;
} else {
- /* TLS 1.2 resumption does not incorporate new key material, so we use a
- * much shorter timeout. */
+ // TLS 1.2 resumption does not incorporate new key material, so we use a
+ // much shorter timeout.
session->timeout = ssl->session_ctx->session_timeout;
session->auth_timeout = ssl->session_ctx->session_timeout;
}
if (is_server) {
if (hs->ticket_expected || version >= TLS1_3_VERSION) {
- /* Don't set session IDs for sessions resumed with tickets. This will keep
- * them out of the session cache. */
+ // Don't set session IDs for sessions resumed with tickets. This will keep
+ // them out of the session cache.
session->session_id_length = 0;
} else {
session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
@@ -419,7 +419,7 @@
ssl->cert->sid_ctx_length);
session->sid_ctx_length = ssl->cert->sid_ctx_length;
- /* The session is marked not resumable until it is completely filled in. */
+ // The session is marked not resumable until it is completely filled in.
session->not_resumable = 1;
session->verify_result = X509_V_ERR_INVALID_CALL;
@@ -432,8 +432,8 @@
OPENSSL_timeval now;
ssl_ctx_get_current_time(ctx, &now);
{
- /* Avoid acquiring a write lock in the common case (i.e. a non-default key
- * is used or the default keys have not expired yet). */
+ // Avoid acquiring a write lock in the common case (i.e. a non-default key
+ // is used or the default keys have not expired yet).
MutexReadLock lock(&ctx->lock);
if (ctx->tlsext_ticket_key_current &&
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec == 0 ||
@@ -448,16 +448,16 @@
if (!ctx->tlsext_ticket_key_current ||
(ctx->tlsext_ticket_key_current->next_rotation_tv_sec != 0 &&
ctx->tlsext_ticket_key_current->next_rotation_tv_sec <= now.tv_sec)) {
- /* The current key has not been initialized or it is expired. */
+ // The current key has not been initialized or it is expired.
auto new_key = bssl::MakeUnique<struct tlsext_ticket_key>();
if (!new_key) {
return 0;
}
OPENSSL_memset(new_key.get(), 0, sizeof(struct tlsext_ticket_key));
if (ctx->tlsext_ticket_key_current) {
- /* The current key expired. Rotate it to prev and bump up its rotation
- * timestamp. Note that even with the new rotation time it may still be
- * expired and get droppped below. */
+ // The current key expired. Rotate it to prev and bump up its rotation
+ // timestamp. Note that even with the new rotation time it may still be
+ // expired and get droppped below.
ctx->tlsext_ticket_key_current->next_rotation_tv_sec +=
SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
OPENSSL_free(ctx->tlsext_ticket_key_prev);
@@ -471,7 +471,7 @@
now.tv_sec + SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
}
- /* Drop an expired prev key. */
+ // Drop an expired prev key.
if (ctx->tlsext_ticket_key_prev &&
ctx->tlsext_ticket_key_prev->next_rotation_tv_sec <= now.tv_sec) {
OPENSSL_free(ctx->tlsext_ticket_key_prev);
@@ -487,8 +487,8 @@
ScopedEVP_CIPHER_CTX ctx;
ScopedHMAC_CTX hctx;
- /* If the session is too long, emit a dummy value rather than abort the
- * connection. */
+ // If the session is too long, emit a dummy value rather than abort the
+ // connection.
static const size_t kMaxTicketOverhead =
16 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE;
if (session_len > 0xffff - kMaxTicketOverhead) {
@@ -497,8 +497,8 @@
strlen(kTicketPlaceholder));
}
- /* Initialize HMAC and cipher contexts. If callback present it does all the
- * work otherwise use generated values from parent ctx. */
+ // Initialize HMAC and cipher contexts. If callback present it does all the
+ // work otherwise use generated values from parent ctx.
SSL_CTX *tctx = ssl->session_ctx;
uint8_t iv[EVP_MAX_IV_LENGTH];
uint8_t key_name[16];
@@ -508,7 +508,7 @@
return 0;
}
} else {
- /* Rotate ticket key if necessary. */
+ // Rotate ticket key if necessary.
if (!ssl_ctx_rotate_ticket_encryption_key(tctx)) {
return 0;
}
@@ -590,7 +590,7 @@
}
int ssl_encrypt_ticket(SSL *ssl, CBB *out, const SSL_SESSION *session) {
- /* Serialize the SSL_SESSION to be encoded into the ticket. */
+ // Serialize the SSL_SESSION to be encoded into the ticket.
uint8_t *session_buf = NULL;
size_t session_len;
if (!SSL_SESSION_to_bytes_for_ticket(session, &session_buf, &session_len)) {
@@ -627,7 +627,7 @@
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
- /* Reject tickets from the future to avoid underflow. */
+ // Reject tickets from the future to avoid underflow.
if (now.tv_sec < session->time) {
return 0;
}
@@ -639,38 +639,38 @@
const SSL_SESSION *session) {
const SSL *const ssl = hs->ssl;
return ssl_session_is_context_valid(ssl, session) &&
- /* The session must have been created by the same type of end point as
- * we're now using it with. */
+ // The session must have been created by the same type of end point as
+ // we're now using it with.
ssl->server == session->is_server &&
- /* The session must not be expired. */
+ // The session must not be expired.
ssl_session_is_time_valid(ssl, session) &&
/* Only resume if the session's version matches the negotiated
* version. */
ssl->version == session->ssl_version &&
- /* Only resume if the session's cipher matches the negotiated one. */
+ // Only resume if the session's cipher matches the negotiated one.
hs->new_cipher == session->cipher &&
- /* If the session contains a client certificate (either the full
- * certificate or just the hash) then require that the form of the
- * certificate matches the current configuration. */
+ // If the session contains a client certificate (either the full
+ // certificate or just the hash) then require that the form of the
+ // certificate matches the current configuration.
((sk_CRYPTO_BUFFER_num(session->certs) == 0 &&
!session->peer_sha256_valid) ||
session->peer_sha256_valid ==
ssl->retain_only_sha256_of_client_certs);
}
-/* ssl_lookup_session looks up |session_id| in the session cache and sets
- * |*out_session| to an |SSL_SESSION| object if found. */
-static enum ssl_session_result_t ssl_lookup_session(
+// ssl_lookup_session looks up |session_id| in the session cache and sets
+// |*out_session| to an |SSL_SESSION| object if found.
+static enum ssl_hs_wait_t ssl_lookup_session(
SSL *ssl, UniquePtr<SSL_SESSION> *out_session, const uint8_t *session_id,
size_t session_id_len) {
out_session->reset();
if (session_id_len == 0 || session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
- return ssl_session_success;
+ return ssl_hs_ok;
}
UniquePtr<SSL_SESSION> session;
- /* Try the internal cache, if it exists. */
+ // Try the internal cache, if it exists.
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) {
SSL_SESSION data;
@@ -681,37 +681,37 @@
CRYPTO_MUTEX_lock_read(&ssl->session_ctx->lock);
session.reset(lh_SSL_SESSION_retrieve(ssl->session_ctx->sessions, &data));
if (session) {
- /* |lh_SSL_SESSION_retrieve| returns a non-owning pointer. */
+ // |lh_SSL_SESSION_retrieve| returns a non-owning pointer.
SSL_SESSION_up_ref(session.get());
}
- /* TODO(davidben): This should probably move it to the front of the list. */
+ // TODO(davidben): This should probably move it to the front of the list.
CRYPTO_MUTEX_unlock_read(&ssl->session_ctx->lock);
}
- /* Fall back to the external cache, if it exists. */
+ // Fall back to the external cache, if it exists.
if (!session && ssl->session_ctx->get_session_cb != NULL) {
int copy = 1;
session.reset(ssl->session_ctx->get_session_cb(ssl, (uint8_t *)session_id,
session_id_len, ©));
if (!session) {
- return ssl_session_success;
+ return ssl_hs_ok;
}
if (session.get() == SSL_magic_pending_session_ptr()) {
session.release(); // This pointer is not actually owned.
- return ssl_session_retry;
+ return ssl_hs_pending_session;
}
- /* Increment reference count now if the session callback asks us to do so
- * (note that if the session structures returned by the callback are shared
- * between threads, it must handle the reference count itself [i.e. copy ==
- * 0], or things won't be thread-safe). */
+ // Increment reference count now if the session callback asks us to do so
+ // (note that if the session structures returned by the callback are shared
+ // between threads, it must handle the reference count itself [i.e. copy ==
+ // 0], or things won't be thread-safe).
if (copy) {
SSL_SESSION_up_ref(session.get());
}
- /* Add the externally cached session to the internal cache if necessary. */
+ // Add the externally cached session to the internal cache if necessary.
if (!(ssl->session_ctx->session_cache_mode &
SSL_SESS_CACHE_NO_INTERNAL_STORE)) {
SSL_CTX_add_session(ssl->session_ctx, session.get());
@@ -719,27 +719,29 @@
}
if (session && !ssl_session_is_time_valid(ssl, session.get())) {
- /* The session was from the cache, so remove it. */
+ // The session was from the cache, so remove it.
SSL_CTX_remove_session(ssl->session_ctx, session.get());
session.reset();
}
*out_session = std::move(session);
- return ssl_session_success;
+ return ssl_hs_ok;
}
-enum ssl_session_result_t ssl_get_prev_session(
- SSL *ssl, UniquePtr<SSL_SESSION> *out_session, int *out_tickets_supported,
- int *out_renew_ticket, const SSL_CLIENT_HELLO *client_hello) {
- /* This is used only by servers. */
+enum ssl_hs_wait_t ssl_get_prev_session(SSL *ssl,
+ UniquePtr<SSL_SESSION> *out_session,
+ bool *out_tickets_supported,
+ bool *out_renew_ticket,
+ const SSL_CLIENT_HELLO *client_hello) {
+ // This is used only by servers.
assert(ssl->server);
UniquePtr<SSL_SESSION> session;
- int renew_ticket = 0;
+ bool renew_ticket = false;
- /* If tickets are disabled, always behave as if no tickets are present. */
+ // If tickets are disabled, always behave as if no tickets are present.
const uint8_t *ticket = NULL;
size_t ticket_len = 0;
- const int tickets_supported =
+ const bool tickets_supported =
!(SSL_get_options(ssl) & SSL_OP_NO_TICKET) &&
ssl->version > SSL3_VERSION &&
SSL_early_callback_ctx_extension_get(
@@ -754,15 +756,15 @@
assert(!session);
break;
case ssl_ticket_aead_error:
- return ssl_session_error;
+ return ssl_hs_error;
case ssl_ticket_aead_retry:
- return ssl_session_ticket_retry;
+ return ssl_hs_pending_ticket;
}
} else {
- /* The client didn't send a ticket, so the session ID is a real ID. */
- enum ssl_session_result_t lookup_ret = ssl_lookup_session(
+ // The client didn't send a ticket, so the session ID is a real ID.
+ enum ssl_hs_wait_t lookup_ret = ssl_lookup_session(
ssl, &session, client_hello->session_id, client_hello->session_id_len);
- if (lookup_ret != ssl_session_success) {
+ if (lookup_ret != ssl_hs_ok) {
return lookup_ret;
}
}
@@ -770,7 +772,7 @@
*out_session = std::move(session);
*out_tickets_supported = tickets_supported;
*out_renew_ticket = renew_ticket;
- return ssl_session_success;
+ return ssl_hs_ok;
}
static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *session, int lock) {
@@ -815,16 +817,16 @@
}
}
-/* locked by SSL_CTX in the calling function */
+// locked by SSL_CTX in the calling function
static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *session) {
if (session->next == NULL || session->prev == NULL) {
return;
}
if (session->next == (SSL_SESSION *)&ctx->session_cache_tail) {
- /* last element in list */
+ // last element in list
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {
- /* only one element in list */
+ // only one element in list
ctx->session_cache_head = NULL;
ctx->session_cache_tail = NULL;
} else {
@@ -833,10 +835,10 @@
}
} else {
if (session->prev == (SSL_SESSION *)&ctx->session_cache_head) {
- /* first element in list */
+ // first element in list
ctx->session_cache_head = session->next;
session->next->prev = (SSL_SESSION *)&(ctx->session_cache_head);
- } else { /* middle of list */
+ } else { // middle of list
session->next->prev = session->prev;
session->prev->next = session->next;
}
@@ -911,7 +913,7 @@
uint64_t SSL_SESSION_get_time(const SSL_SESSION *session) {
if (session == NULL) {
- /* NULL should crash, but silently accept it here for compatibility. */
+ // NULL should crash, but silently accept it here for compatibility.
return 0;
}
return session->time;
@@ -923,7 +925,7 @@
size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, uint8_t *out,
size_t max_out) {
- /* TODO(davidben): Fix master_key_length's type and remove these casts. */
+ // TODO(davidben): Fix master_key_length's type and remove these casts.
if (max_out == 0) {
return (size_t)session->master_key_length;
}
@@ -972,9 +974,9 @@
}
SSL_SESSION *SSL_get_session(const SSL *ssl) {
- /* Once the handshake completes we return the established session. Otherwise
- * we return the intermediate session, either |session| (for resumption) or
- * |new_session| if doing a full handshake. */
+ // Once the handshake completes we return the established session. Otherwise
+ // we return the intermediate session, either |session| (for resumption) or
+ // |new_session| if doing a full handshake.
if (!SSL_in_init(ssl)) {
return ssl->s3->established_session;
}
@@ -1017,8 +1019,8 @@
}
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *session) {
- /* Although |session| is inserted into two structures (a doubly-linked list
- * and the hash table), |ctx| only takes one reference. */
+ // Although |session| is inserted into two structures (a doubly-linked list
+ // and the hash table), |ctx| only takes one reference.
SSL_SESSION_up_ref(session);
SSL_SESSION *old_session;
@@ -1031,21 +1033,21 @@
if (old_session != NULL) {
if (old_session == session) {
- /* |session| was already in the cache. */
+ // |session| was already in the cache.
CRYPTO_MUTEX_unlock_write(&ctx->lock);
SSL_SESSION_free(old_session);
return 0;
}
- /* There was a session ID collision. |old_session| must be removed from
- * the linked list and released. */
+ // There was a session ID collision. |old_session| must be removed from
+ // the linked list and released.
SSL_SESSION_list_remove(ctx, old_session);
SSL_SESSION_free(old_session);
}
SSL_SESSION_list_add(ctx, session);
- /* Enforce any cache size limits. */
+ // Enforce any cache size limits.
if (SSL_CTX_sess_get_cache_size(ctx) > 0) {
while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) {
if (!remove_session_lock(ctx, ctx->session_cache_tail, 0)) {
@@ -1063,10 +1065,10 @@
}
int SSL_set_session(SSL *ssl, SSL_SESSION *session) {
- /* SSL_set_session may only be called before the handshake has started. */
+ // SSL_set_session may only be called before the handshake has started.
if (ssl->s3->initial_handshake_complete ||
ssl->s3->hs == NULL ||
- ssl->s3->hs->state != SSL_ST_INIT) {
+ ssl->s3->hs->state != 0) {
abort();
}
@@ -1079,7 +1081,7 @@
return 0;
}
- /* Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|. */
+ // Historically, zero was treated as |SSL_DEFAULT_SESSION_TIMEOUT|.
if (timeout == 0) {
timeout = SSL_DEFAULT_SESSION_TIMEOUT;
}
@@ -1113,9 +1115,8 @@
if (param->time == 0 ||
session->time + session->timeout < session->time ||
param->time > (session->time + session->timeout)) {
- /* timeout */
- /* The reason we don't call SSL_CTX_remove_session() is to
- * save on locking overhead */
+ // The reason we don't call SSL_CTX_remove_session() is to
+ // save on locking overhead
(void) lh_SSL_SESSION_delete(param->cache, session);
SSL_SESSION_list_remove(param->ctx, session);
if (param->ctx->remove_session_cb != NULL) {
diff --git a/src/ssl/ssl_stat.cc b/src/ssl/ssl_stat.cc
index 31cce4d..37e0324 100644
--- a/src/ssl/ssl_stat.cc
+++ b/src/ssl/ssl_stat.cc
@@ -88,217 +88,17 @@
#include "internal.h"
-static int ssl_state(const SSL *ssl) {
- if (ssl->s3->hs == NULL) {
- assert(ssl->s3->initial_handshake_complete);
- return SSL_ST_OK;
- }
-
- return ssl->s3->hs->state;
-}
-
const char *SSL_state_string_long(const SSL *ssl) {
- switch (ssl_state(ssl)) {
- case SSL_ST_ACCEPT:
- return "before accept initialization";
-
- case SSL_ST_CONNECT:
- return "before connect initialization";
-
- case SSL_ST_OK:
- return "SSL negotiation finished successfully";
-
- case SSL_ST_RENEGOTIATE:
- return "SSL renegotiate ciphers";
-
- /* SSLv3 additions */
- case SSL3_ST_CW_CLNT_HELLO_A:
- return "SSLv3 write client hello A";
-
- case SSL3_ST_CR_SRVR_HELLO_A:
- return "SSLv3 read server hello A";
-
- case SSL3_ST_CR_CERT_A:
- return "SSLv3 read server certificate A";
-
- case SSL3_ST_CR_KEY_EXCH_A:
- return "SSLv3 read server key exchange A";
-
- case SSL3_ST_CR_CERT_REQ_A:
- return "SSLv3 read server certificate request A";
-
- case SSL3_ST_CR_SESSION_TICKET_A:
- return "SSLv3 read server session ticket A";
-
- case SSL3_ST_CR_SRVR_DONE_A:
- return "SSLv3 read server done A";
-
- case SSL3_ST_CW_CERT_A:
- return "SSLv3 write client certificate A";
-
- case SSL3_ST_CW_KEY_EXCH_A:
- return "SSLv3 write client key exchange A";
-
- case SSL3_ST_CW_CERT_VRFY_A:
- return "SSLv3 write certificate verify A";
-
- case SSL3_ST_CW_CHANGE:
- return "SSLv3 write change cipher spec";
-
- case SSL3_ST_CW_FINISHED_A:
- case SSL3_ST_SW_FINISHED_A:
- return "SSLv3 write finished A";
-
- case SSL3_ST_CR_CHANGE:
- case SSL3_ST_SR_CHANGE:
- return "SSLv3 read change cipher spec";
-
- case SSL3_ST_CR_FINISHED_A:
- case SSL3_ST_SR_FINISHED_A:
- return "SSLv3 read finished A";
-
- case SSL3_ST_CW_FLUSH:
- case SSL3_ST_SW_FLUSH:
- return "SSLv3 flush data";
-
- case SSL3_ST_SR_CLNT_HELLO_A:
- return "SSLv3 read client hello A";
-
- case SSL3_ST_SR_CLNT_HELLO_B:
- return "SSLv3 read client hello B";
-
- case SSL3_ST_SR_CLNT_HELLO_C:
- return "SSLv3 read client hello C";
-
- case SSL3_ST_SW_SRVR_HELLO_A:
- return "SSLv3 write server hello A";
-
- case SSL3_ST_SW_CERT_A:
- return "SSLv3 write certificate A";
-
- case SSL3_ST_SW_KEY_EXCH_A:
- return "SSLv3 write key exchange A";
-
- case SSL3_ST_SW_SRVR_DONE_A:
- return "SSLv3 write server done A";
-
- case SSL3_ST_SR_CERT_A:
- return "SSLv3 read client certificate A";
-
- case SSL3_ST_SR_KEY_EXCH_A:
- return "SSLv3 read client key exchange A";
-
- case SSL3_ST_SR_CERT_VRFY_A:
- return "SSLv3 read certificate verify A";
-
- /* DTLS */
- case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
- return "DTLS1 read hello verify request A";
-
- case SSL_ST_TLS13:
- return ssl->server ? tls13_server_handshake_state(ssl->s3->hs)
- : tls13_client_handshake_state(ssl->s3->hs);
-
- default:
- return "unknown state";
+ if (ssl->s3->hs == NULL) {
+ return "SSL negotiation finished successfully";
}
+
+ return ssl->server ? ssl_server_handshake_state(ssl->s3->hs)
+ : ssl_client_handshake_state(ssl->s3->hs);
}
const char *SSL_state_string(const SSL *ssl) {
- switch (ssl_state(ssl)) {
- case SSL_ST_ACCEPT:
- return "AINIT ";
-
- case SSL_ST_CONNECT:
- return "CINIT ";
-
- case SSL_ST_OK:
- return "SSLOK ";
-
- /* SSLv3 additions */
- case SSL3_ST_SW_FLUSH:
- case SSL3_ST_CW_FLUSH:
- return "3FLUSH";
-
- case SSL3_ST_CW_CLNT_HELLO_A:
- return "3WCH_A";
-
- case SSL3_ST_CR_SRVR_HELLO_A:
- return "3RSH_A";
-
- case SSL3_ST_CR_CERT_A:
- return "3RSC_A";
-
- case SSL3_ST_CR_KEY_EXCH_A:
- return "3RSKEA";
-
- case SSL3_ST_CR_CERT_REQ_A:
- return "3RCR_A";
-
- case SSL3_ST_CR_SRVR_DONE_A:
- return "3RSD_A";
-
- case SSL3_ST_CW_CERT_A:
- return "3WCC_A";
-
- case SSL3_ST_CW_KEY_EXCH_A:
- return "3WCKEA";
-
- case SSL3_ST_CW_CERT_VRFY_A:
- return "3WCV_A";
-
- case SSL3_ST_CW_CHANGE:
- return "3WCCS_";
-
- case SSL3_ST_SW_FINISHED_A:
- case SSL3_ST_CW_FINISHED_A:
- return "3WFINA";
-
- case SSL3_ST_CR_CHANGE:
- case SSL3_ST_SR_CHANGE:
- return "3RCCS_";
-
- case SSL3_ST_SR_FINISHED_A:
- case SSL3_ST_CR_FINISHED_A:
- return "3RFINA";
-
- case SSL3_ST_SR_CLNT_HELLO_A:
- return "3RCH_A";
-
- case SSL3_ST_SR_CLNT_HELLO_B:
- return "3RCH_B";
-
- case SSL3_ST_SR_CLNT_HELLO_C:
- return "3RCH_C";
-
- case SSL3_ST_SW_SRVR_HELLO_A:
- return "3WSH_A";
-
- case SSL3_ST_SW_CERT_A:
- return "3WSC_A";
-
- case SSL3_ST_SW_KEY_EXCH_A:
- return "3WSKEA";
-
- case SSL3_ST_SW_SRVR_DONE_A:
- return "3WSD_A";
-
- case SSL3_ST_SR_CERT_A:
- return "3RCC_A";
-
- case SSL3_ST_SR_KEY_EXCH_A:
- return "3RCKEA";
-
- case SSL3_ST_SR_CERT_VRFY_A:
- return "3RCV_A";
-
- /* DTLS */
- case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A:
- return "DRCHVA";
-
- default:
- return "UNKWN ";
- }
+ return "!!!!!!";
}
const char *SSL_alert_type_string_long(int value) {
diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc
index bc89202..dd795a6 100644
--- a/src/ssl/ssl_test.cc
+++ b/src/ssl/ssl_test.cc
@@ -40,7 +40,7 @@
#include "../crypto/test/test_util.h"
#if defined(OPENSSL_WINDOWS)
-/* Windows defines struct timeval in winsock2.h. */
+// Windows defines struct timeval in winsock2.h.
OPENSSL_MSVC_PRAGMA(warning(push, 3))
#include <winsock2.h>
OPENSSL_MSVC_PRAGMA(warning(pop))
@@ -476,7 +476,7 @@
ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(ctx.get(), rule));
for (const SSL_CIPHER *cipher : SSL_CTX_get_ciphers(ctx.get())) {
- EXPECT_FALSE(SSL_CIPHER_is_NULL(cipher));
+ EXPECT_NE(NID_undef, SSL_CIPHER_get_cipher_nid(cipher));
}
}
}
@@ -1104,149 +1104,6 @@
return true;
}
-// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
-// before configuring as a server.
-TEST(SSLTest, ClientCAList) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
- ASSERT_TRUE(ctx);
- bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
- ASSERT_TRUE(ssl);
-
- bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
- ASSERT_TRUE(name);
-
- bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
- ASSERT_TRUE(name_dup);
-
- bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
- ASSERT_TRUE(stack);
-
- ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
- name_dup.release();
-
- // |SSL_set_client_CA_list| takes ownership.
- SSL_set_client_CA_list(ssl.get(), stack.release());
-
- STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
- ASSERT_TRUE(result);
- ASSERT_EQ(1u, sk_X509_NAME_num(result));
- EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
-}
-
-static void AppendSession(SSL_SESSION *session, void *arg) {
- std::vector<SSL_SESSION*> *out =
- reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
- out->push_back(session);
-}
-
-// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
-// order.
-static bool CacheEquals(SSL_CTX *ctx,
- const std::vector<SSL_SESSION*> &expected) {
- // Check the linked list.
- SSL_SESSION *ptr = ctx->session_cache_head;
- for (SSL_SESSION *session : expected) {
- if (ptr != session) {
- return false;
- }
- // TODO(davidben): This is an absurd way to denote the end of the list.
- if (ptr->next ==
- reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
- ptr = nullptr;
- } else {
- ptr = ptr->next;
- }
- }
- if (ptr != nullptr) {
- return false;
- }
-
- // Check the hash table.
- std::vector<SSL_SESSION*> actual, expected_copy;
- lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
- expected_copy = expected;
-
- std::sort(actual.begin(), actual.end());
- std::sort(expected_copy.begin(), expected_copy.end());
-
- return actual == expected_copy;
-}
-
-static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
- bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
- if (!ssl_ctx) {
- return nullptr;
- }
- bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
- if (!ret) {
- return nullptr;
- }
-
- ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
- OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
- OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
- return ret;
-}
-
-// Test that the internal session cache behaves as expected.
-TEST(SSLTest, InternalSessionCache) {
- bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
- ASSERT_TRUE(ctx);
-
- // Prepare 10 test sessions.
- std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
- for (int i = 0; i < 10; i++) {
- bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
- ASSERT_TRUE(session);
- sessions.push_back(std::move(session));
- }
-
- SSL_CTX_sess_set_cache_size(ctx.get(), 5);
-
- // Insert all the test sessions.
- for (const auto &session : sessions) {
- ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
- }
-
- // Only the last five should be in the list.
- ASSERT_TRUE(CacheEquals(
- ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
- sessions[6].get(), sessions[5].get()}));
-
- // Inserting an element already in the cache should fail and leave the cache
- // unchanged.
- ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
- ASSERT_TRUE(CacheEquals(
- ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
- sessions[6].get(), sessions[5].get()}));
-
- // Although collisions should be impossible (256-bit session IDs), the cache
- // must handle them gracefully.
- bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
- ASSERT_TRUE(collision);
- ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
- ASSERT_TRUE(CacheEquals(
- ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
- sessions[6].get(), sessions[5].get()}));
-
- // Removing sessions behaves correctly.
- ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
- ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
- sessions[8].get(), sessions[5].get()}));
-
- // Removing sessions requires an exact match.
- ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
- ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
-
- // The cache remains unchanged.
- ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
- sessions[8].get(), sessions[5].get()}));
-}
-
-static uint16_t EpochFromSequence(uint64_t seq) {
- return static_cast<uint16_t>(seq >> 48);
-}
-
static bssl::UniquePtr<X509> GetTestCertificate() {
static const char kCertPEM[] =
"-----BEGIN CERTIFICATE-----\n"
@@ -1437,6 +1294,180 @@
PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
}
+// Test that |SSL_get_client_CA_list| echoes back the configured parameter even
+// before configuring as a server.
+TEST(SSLTest, ClientCAList) {
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+ bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
+ ASSERT_TRUE(ssl);
+
+ bssl::UniquePtr<X509_NAME> name(X509_NAME_new());
+ ASSERT_TRUE(name);
+
+ bssl::UniquePtr<X509_NAME> name_dup(X509_NAME_dup(name.get()));
+ ASSERT_TRUE(name_dup);
+
+ bssl::UniquePtr<STACK_OF(X509_NAME)> stack(sk_X509_NAME_new_null());
+ ASSERT_TRUE(stack);
+
+ ASSERT_TRUE(sk_X509_NAME_push(stack.get(), name_dup.get()));
+ name_dup.release();
+
+ // |SSL_set_client_CA_list| takes ownership.
+ SSL_set_client_CA_list(ssl.get(), stack.release());
+
+ STACK_OF(X509_NAME) *result = SSL_get_client_CA_list(ssl.get());
+ ASSERT_TRUE(result);
+ ASSERT_EQ(1u, sk_X509_NAME_num(result));
+ EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(result, 0), name.get()));
+}
+
+TEST(SSLTest, AddClientCA) {
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+ bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
+ ASSERT_TRUE(ssl);
+
+ bssl::UniquePtr<X509> cert1 = GetTestCertificate();
+ bssl::UniquePtr<X509> cert2 = GetChainTestCertificate();
+ ASSERT_TRUE(cert1 && cert2);
+ X509_NAME *name1 = X509_get_subject_name(cert1.get());
+ X509_NAME *name2 = X509_get_subject_name(cert2.get());
+
+ EXPECT_EQ(0u, sk_X509_NAME_num(SSL_get_client_CA_list(ssl.get())));
+
+ ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
+ ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert2.get()));
+
+ STACK_OF(X509_NAME) *list = SSL_get_client_CA_list(ssl.get());
+ ASSERT_EQ(2u, sk_X509_NAME_num(list));
+ EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
+ EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
+
+ ASSERT_TRUE(SSL_add_client_CA(ssl.get(), cert1.get()));
+
+ list = SSL_get_client_CA_list(ssl.get());
+ ASSERT_EQ(3u, sk_X509_NAME_num(list));
+ EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 0), name1));
+ EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 1), name2));
+ EXPECT_EQ(0, X509_NAME_cmp(sk_X509_NAME_value(list, 2), name1));
+}
+
+static void AppendSession(SSL_SESSION *session, void *arg) {
+ std::vector<SSL_SESSION*> *out =
+ reinterpret_cast<std::vector<SSL_SESSION*>*>(arg);
+ out->push_back(session);
+}
+
+// CacheEquals returns true if |ctx|'s session cache consists of |expected|, in
+// order.
+static bool CacheEquals(SSL_CTX *ctx,
+ const std::vector<SSL_SESSION*> &expected) {
+ // Check the linked list.
+ SSL_SESSION *ptr = ctx->session_cache_head;
+ for (SSL_SESSION *session : expected) {
+ if (ptr != session) {
+ return false;
+ }
+ // TODO(davidben): This is an absurd way to denote the end of the list.
+ if (ptr->next ==
+ reinterpret_cast<SSL_SESSION *>(&ctx->session_cache_tail)) {
+ ptr = nullptr;
+ } else {
+ ptr = ptr->next;
+ }
+ }
+ if (ptr != nullptr) {
+ return false;
+ }
+
+ // Check the hash table.
+ std::vector<SSL_SESSION*> actual, expected_copy;
+ lh_SSL_SESSION_doall_arg(SSL_CTX_sessions(ctx), AppendSession, &actual);
+ expected_copy = expected;
+
+ std::sort(actual.begin(), actual.end());
+ std::sort(expected_copy.begin(), expected_copy.end());
+
+ return actual == expected_copy;
+}
+
+static bssl::UniquePtr<SSL_SESSION> CreateTestSession(uint32_t number) {
+ bssl::UniquePtr<SSL_CTX> ssl_ctx(SSL_CTX_new(TLS_method()));
+ if (!ssl_ctx) {
+ return nullptr;
+ }
+ bssl::UniquePtr<SSL_SESSION> ret(SSL_SESSION_new(ssl_ctx.get()));
+ if (!ret) {
+ return nullptr;
+ }
+
+ ret->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
+ OPENSSL_memset(ret->session_id, 0, ret->session_id_length);
+ OPENSSL_memcpy(ret->session_id, &number, sizeof(number));
+ return ret;
+}
+
+// Test that the internal session cache behaves as expected.
+TEST(SSLTest, InternalSessionCache) {
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ // Prepare 10 test sessions.
+ std::vector<bssl::UniquePtr<SSL_SESSION>> sessions;
+ for (int i = 0; i < 10; i++) {
+ bssl::UniquePtr<SSL_SESSION> session = CreateTestSession(i);
+ ASSERT_TRUE(session);
+ sessions.push_back(std::move(session));
+ }
+
+ SSL_CTX_sess_set_cache_size(ctx.get(), 5);
+
+ // Insert all the test sessions.
+ for (const auto &session : sessions) {
+ ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), session.get()));
+ }
+
+ // Only the last five should be in the list.
+ ASSERT_TRUE(CacheEquals(
+ ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
+ sessions[6].get(), sessions[5].get()}));
+
+ // Inserting an element already in the cache should fail and leave the cache
+ // unchanged.
+ ASSERT_FALSE(SSL_CTX_add_session(ctx.get(), sessions[7].get()));
+ ASSERT_TRUE(CacheEquals(
+ ctx.get(), {sessions[9].get(), sessions[8].get(), sessions[7].get(),
+ sessions[6].get(), sessions[5].get()}));
+
+ // Although collisions should be impossible (256-bit session IDs), the cache
+ // must handle them gracefully.
+ bssl::UniquePtr<SSL_SESSION> collision(CreateTestSession(7));
+ ASSERT_TRUE(collision);
+ ASSERT_TRUE(SSL_CTX_add_session(ctx.get(), collision.get()));
+ ASSERT_TRUE(CacheEquals(
+ ctx.get(), {collision.get(), sessions[9].get(), sessions[8].get(),
+ sessions[6].get(), sessions[5].get()}));
+
+ // Removing sessions behaves correctly.
+ ASSERT_TRUE(SSL_CTX_remove_session(ctx.get(), sessions[6].get()));
+ ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
+ sessions[8].get(), sessions[5].get()}));
+
+ // Removing sessions requires an exact match.
+ ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[0].get()));
+ ASSERT_FALSE(SSL_CTX_remove_session(ctx.get(), sessions[7].get()));
+
+ // The cache remains unchanged.
+ ASSERT_TRUE(CacheEquals(ctx.get(), {collision.get(), sessions[9].get(),
+ sessions[8].get(), sessions[5].get()}));
+}
+
+static uint16_t EpochFromSequence(uint64_t seq) {
+ return static_cast<uint16_t>(seq >> 48);
+}
+
static const uint8_t kTestName[] = {
0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x41, 0x55, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
@@ -1507,9 +1538,9 @@
return true;
}
-/* SSLVersionTest executes its test cases under all available protocol versions.
- * Test cases call |Connect| to create a connection using context objects with
- * the protocol version fixed to the current version under test. */
+// SSLVersionTest executes its test cases under all available protocol versions.
+// Test cases call |Connect| to create a connection using context objects with
+// the protocol version fixed to the current version under test.
class SSLVersionTest : public ::testing::TestWithParam<VersionParam> {
protected:
SSLVersionTest() : cert_(GetTestCertificate()), key_(GetTestKey()) {}
@@ -2161,7 +2192,7 @@
static void ExpectTicketKeyChanged(SSL_CTX *ctx, uint8_t *inout_key,
bool changed) {
uint8_t new_key[kTicketKeyLen];
- /* May return 0, 1 or 48. */
+ // May return 0, 1 or 48.
ASSERT_EQ(SSL_CTX_get_tlsext_ticket_keys(ctx, new_key, kTicketKeyLen), 1);
if (changed) {
ASSERT_NE(Bytes(inout_key, kTicketKeyLen), Bytes(new_key));
@@ -2462,8 +2493,8 @@
g_current_time.tv_sec = kStartTime;
uint8_t ticket_key[kTicketKeyLen];
- /* We use session reuse as a proxy for ticket decryption success, hence
- * disable session timeouts. */
+ // We use session reuse as a proxy for ticket decryption success, hence
+ // disable session timeouts.
SSL_CTX_set_timeout(server_ctx_.get(), std::numeric_limits<uint32_t>::max());
SSL_CTX_set_session_psk_dhe_timeout(server_ctx_.get(),
std::numeric_limits<uint32_t>::max());
@@ -2474,11 +2505,11 @@
SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
SSL_CTX_set_session_cache_mode(server_ctx_.get(), SSL_SESS_CACHE_OFF);
- /* Initialize ticket_key with the current key. */
+ // Initialize ticket_key with the current key.
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));
- /* Verify ticket resumption actually works. */
+ // Verify ticket resumption actually works.
bssl::UniquePtr<SSL> client, server;
bssl::UniquePtr<SSL_SESSION> session =
CreateClientSession(client_ctx_.get(), server_ctx_.get());
@@ -2486,21 +2517,21 @@
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
- /* Advance time to just before key rotation. */
+ // Advance time to just before key rotation.
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL - 1;
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
false /* NOT changed */));
- /* Force key rotation. */
+ // Force key rotation.
g_current_time.tv_sec += 1;
bssl::UniquePtr<SSL_SESSION> new_session =
CreateClientSession(client_ctx_.get(), server_ctx_.get());
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));
- /* Resumption with both old and new ticket should work. */
+ // Resumption with both old and new ticket should work.
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), true /* reused */));
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
@@ -2508,14 +2539,14 @@
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
false /* NOT changed */));
- /* Force key rotation again. Resumption with the old ticket now fails. */
+ // Force key rotation again. Resumption with the old ticket now fails.
g_current_time.tv_sec += SSL_DEFAULT_TICKET_KEY_ROTATION_INTERVAL;
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
session.get(), false /* NOT reused */));
TRACED_CALL(ExpectTicketKeyChanged(server_ctx_.get(), ticket_key,
true /* changed */));
- /* But resumption with the newer session still works. */
+ // But resumption with the newer session still works.
TRACED_CALL(ExpectSessionReused(client_ctx_.get(), server_ctx_.get(),
new_session.get(), true /* reused */));
}
@@ -3697,6 +3728,35 @@
expect_err();
}
+// The client should gracefully handle no suitable ciphers being enabled.
+TEST(SSLTest, NoCiphersAvailable) {
+ bssl::UniquePtr<SSL_CTX> ctx(SSL_CTX_new(TLS_method()));
+ ASSERT_TRUE(ctx);
+
+ // Configure |client_ctx| with a cipher list that does not intersect with its
+ // version configuration.
+ ASSERT_TRUE(SSL_CTX_set_strict_cipher_list(
+ ctx.get(), "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"));
+ ASSERT_TRUE(SSL_CTX_set_max_proto_version(ctx.get(), TLS1_1_VERSION));
+
+ bssl::UniquePtr<SSL> ssl(SSL_new(ctx.get()));
+ ASSERT_TRUE(ssl);
+ SSL_set_connect_state(ssl.get());
+
+ UniquePtr<BIO> rbio(BIO_new(BIO_s_mem())), wbio(BIO_new(BIO_s_mem()));
+ ASSERT_TRUE(rbio);
+ ASSERT_TRUE(wbio);
+ SSL_set0_rbio(ssl.get(), rbio.release());
+ SSL_set0_wbio(ssl.get(), wbio.release());
+
+ int ret = SSL_do_handshake(ssl.get());
+ EXPECT_EQ(-1, ret);
+ EXPECT_EQ(SSL_ERROR_SSL, SSL_get_error(ssl.get(), ret));
+ uint32_t err = ERR_get_error();
+ EXPECT_EQ(ERR_LIB_SSL, ERR_GET_LIB(err));
+ EXPECT_EQ(SSL_R_NO_CIPHERS_AVAILABLE, ERR_GET_REASON(err));
+}
+
// TODO(davidben): Convert this file to GTest properly.
TEST(SSLTest, AllTests) {
if (!TestSSL_SESSIONEncoding(kOpenSSLSession) ||
diff --git a/src/ssl/ssl_transcript.cc b/src/ssl/ssl_transcript.cc
index 2dfaf76..b9c1713 100644
--- a/src/ssl/ssl_transcript.cc
+++ b/src/ssl/ssl_transcript.cc
@@ -167,8 +167,8 @@
return true;
}
-/* InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then
- * writes the data in |buf| to it. */
+// InitDigestWithData calls |EVP_DigestInit_ex| on |ctx| with |md| and then
+// writes the data in |buf| to it.
static bool InitDigestWithData(EVP_MD_CTX *ctx, const EVP_MD *md,
const BUF_MEM *buf) {
if (!EVP_DigestInit_ex(ctx, md, NULL)) {
@@ -181,9 +181,9 @@
bool SSLTranscript::InitHash(uint16_t version, const SSL_CIPHER *cipher) {
const EVP_MD *md = ssl_get_handshake_digest(version, cipher);
- /* To support SSL 3.0's Finished and CertificateVerify constructions,
- * EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
- * we can simplify this. */
+ // To support SSL 3.0's Finished and CertificateVerify constructions,
+ // EVP_md5_sha1() is split into MD5 and SHA-1 halves. When SSL 3.0 is removed,
+ // we can simplify this.
if (md == EVP_md5_sha1()) {
if (!InitDigestWithData(md5_.get(), EVP_md5(), buffer_.get())) {
return false;
@@ -210,8 +210,8 @@
}
bool SSLTranscript::Update(const uint8_t *in, size_t in_len) {
- /* Depending on the state of the handshake, either the handshake buffer may be
- * active, the rolling hash, or both. */
+ // Depending on the state of the handshake, either the handshake buffer may be
+ // active, the rolling hash, or both.
if (buffer_) {
size_t new_len = buffer_->length + in_len;
if (new_len < in_len) {
@@ -328,9 +328,9 @@
}
bool SSLTranscript::GetFinishedMAC(uint8_t *out, size_t *out_len,
- const SSL_SESSION *session, bool from_server,
- uint16_t version) {
- if (version == SSL3_VERSION) {
+ const SSL_SESSION *session,
+ bool from_server) {
+ if (session->ssl_version == SSL3_VERSION) {
if (Digest() != EVP_md5_sha1()) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return false;
@@ -351,8 +351,8 @@
return true;
}
- /* At this point, the handshake should have released the handshake buffer on
- * its own. */
+ // At this point, the handshake should have released the handshake buffer on
+ // its own.
assert(!buffer_);
const char *label = TLS_MD_CLIENT_FINISH_CONST;
diff --git a/src/ssl/ssl_versions.cc b/src/ssl/ssl_versions.cc
index 0b13781..184eb44 100644
--- a/src/ssl/ssl_versions.cc
+++ b/src/ssl/ssl_versions.cc
@@ -41,7 +41,7 @@
return 1;
case DTLS1_VERSION:
- /* DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0. */
+ // DTLS 1.0 is analogous to TLS 1.1, not TLS 1.0.
*out = TLS1_1_VERSION;
return 1;
@@ -54,8 +54,8 @@
}
}
-/* The follow arrays are the supported versions for TLS and DTLS, in order of
- * decreasing preference. */
+// The follow arrays are the supported versions for TLS and DTLS, in order of
+// decreasing preference.
static const uint16_t kTLSVersions[] = {
TLS1_3_EXPERIMENT_VERSION,
@@ -98,9 +98,9 @@
static int set_version_bound(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
- /* The public API uses wire versions, except we use |TLS1_3_VERSION|
- * everywhere to refer to any draft TLS 1.3 versions. In this direction, we
- * map it to some representative TLS 1.3 draft version. */
+ // The public API uses wire versions, except we use |TLS1_3_VERSION|
+ // everywhere to refer to any draft TLS 1.3 versions. In this direction, we
+ // map it to some representative TLS 1.3 draft version.
if (version == TLS1_3_DRAFT_VERSION ||
version == TLS1_3_EXPERIMENT_VERSION ||
version == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
@@ -122,9 +122,9 @@
static int set_min_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
- /* Zero is interpreted as the default minimum version. */
+ // Zero is interpreted as the default minimum version.
if (version == 0) {
- /* SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS. */
+ // SSL 3.0 is disabled by default and TLS 1.0 does not exist in DTLS.
*out = method->is_dtls ? TLS1_1_VERSION : TLS1_VERSION;
return 1;
}
@@ -134,7 +134,7 @@
static int set_max_version(const SSL_PROTOCOL_METHOD *method, uint16_t *out,
uint16_t version) {
- /* Zero is interpreted as the default maximum version. */
+ // Zero is interpreted as the default maximum version.
if (version == 0) {
*out = TLS1_2_VERSION;
return 1;
@@ -156,8 +156,8 @@
int ssl_get_version_range(const SSL *ssl, uint16_t *out_min_version,
uint16_t *out_max_version) {
- /* For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
- * DTLS 1.0 should be mapped to TLS 1.1. */
+ // For historical reasons, |SSL_OP_NO_DTLSv1| aliases |SSL_OP_NO_TLSv1|, but
+ // DTLS 1.0 should be mapped to TLS 1.1.
uint32_t options = ssl->options;
if (SSL_is_dtls(ssl)) {
options &= ~SSL_OP_NO_TLSv1_1;
@@ -169,19 +169,19 @@
uint16_t min_version = ssl->conf_min_version;
uint16_t max_version = ssl->conf_max_version;
- /* OpenSSL's API for controlling versions entails blacklisting individual
- * protocols. This has two problems. First, on the client, the protocol can
- * only express a contiguous range of versions. Second, a library consumer
- * trying to set a maximum version cannot disable protocol versions that get
- * added in a future version of the library.
- *
- * To account for both of these, OpenSSL interprets the client-side bitmask
- * as a min/max range by picking the lowest contiguous non-empty range of
- * enabled protocols. Note that this means it is impossible to set a maximum
- * version of the higest supported TLS version in a future-proof way. */
+ // OpenSSL's API for controlling versions entails blacklisting individual
+ // protocols. This has two problems. First, on the client, the protocol can
+ // only express a contiguous range of versions. Second, a library consumer
+ // trying to set a maximum version cannot disable protocol versions that get
+ // added in a future version of the library.
+ //
+ // To account for both of these, OpenSSL interprets the client-side bitmask
+ // as a min/max range by picking the lowest contiguous non-empty range of
+ // enabled protocols. Note that this means it is impossible to set a maximum
+ // version of the higest supported TLS version in a future-proof way.
int any_enabled = 0;
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kProtocolVersions); i++) {
- /* Only look at the versions already enabled. */
+ // Only look at the versions already enabled.
if (min_version > kProtocolVersions[i].version) {
continue;
}
@@ -190,7 +190,7 @@
}
if (!(options & kProtocolVersions[i].flag)) {
- /* The minimum version is the first enabled version. */
+ // The minimum version is the first enabled version.
if (!any_enabled) {
any_enabled = 1;
min_version = kProtocolVersions[i].version;
@@ -198,8 +198,8 @@
continue;
}
- /* If there is a disabled version after the first enabled one, all versions
- * after it are implicitly disabled. */
+ // If there is a disabled version after the first enabled one, all versions
+ // after it are implicitly disabled.
if (any_enabled) {
max_version = kProtocolVersions[i-1].version;
break;
@@ -217,7 +217,7 @@
}
static uint16_t ssl_version(const SSL *ssl) {
- /* In early data, we report the predicted version. */
+ // In early data, we report the predicted version.
if (SSL_in_early_data(ssl) && !ssl->server) {
return ssl->s3->hs->early_session->ssl_version;
}
@@ -226,7 +226,7 @@
static const char *ssl_version_to_string(uint16_t version) {
switch (version) {
- /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
+ // Report TLS 1.3 draft version as TLS 1.3 in the public API.
case TLS1_3_DRAFT_VERSION:
case TLS1_3_EXPERIMENT_VERSION:
case TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION:
@@ -259,7 +259,7 @@
assert(ssl->s3->have_version);
uint16_t version;
if (!ssl_protocol_version_from_wire(&version, ssl->version)) {
- /* |ssl->version| will always be set to a valid version. */
+ // |ssl->version| will always be set to a valid version.
assert(0);
return 0;
}
@@ -269,9 +269,9 @@
int ssl_supports_version(SSL_HANDSHAKE *hs, uint16_t version) {
SSL *const ssl = hs->ssl;
- /* As a client, only allow the configured TLS 1.3 variant. As a server,
- * support all TLS 1.3 variants as long as tls13_variant is set to a
- * non-default value. */
+ // As a client, only allow the configured TLS 1.3 variant. As a server,
+ // support all TLS 1.3 variants as long as tls13_variant is set to a
+ // non-default value.
if (ssl->server) {
if (ssl->tls13_variant == tls13_default &&
(version == TLS1_3_EXPERIMENT_VERSION ||
@@ -363,7 +363,7 @@
int SSL_version(const SSL *ssl) {
uint16_t ret = ssl_version(ssl);
- /* Report TLS 1.3 draft version as TLS 1.3 in the public API. */
+ // Report TLS 1.3 draft version as TLS 1.3 in the public API.
if (ret == TLS1_3_DRAFT_VERSION || ret == TLS1_3_EXPERIMENT_VERSION ||
ret == TLS1_3_RECORD_TYPE_EXPERIMENT_VERSION) {
return TLS1_3_VERSION;
diff --git a/src/ssl/ssl_x509.cc b/src/ssl/ssl_x509.cc
index 98a5b8c..7ff6a89 100644
--- a/src/ssl/ssl_x509.cc
+++ b/src/ssl/ssl_x509.cc
@@ -157,21 +157,21 @@
namespace bssl {
-/* check_ssl_x509_method asserts that |ssl| has the X509-based method
- * installed. Calling an X509-based method on an |ssl| with a different method
- * will likely misbehave and possibly crash or leak memory. */
+// check_ssl_x509_method asserts that |ssl| has the X509-based method
+// installed. Calling an X509-based method on an |ssl| with a different method
+// will likely misbehave and possibly crash or leak memory.
static void check_ssl_x509_method(const SSL *ssl) {
assert(ssl == NULL || ssl->ctx->x509_method == &ssl_crypto_x509_method);
}
-/* check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
- * |SSL_CTX|. */
+// check_ssl_ctx_x509_method acts like |check_ssl_x509_method|, but for an
+// |SSL_CTX|.
static void check_ssl_ctx_x509_method(const SSL_CTX *ctx) {
assert(ctx == NULL || ctx->x509_method == &ssl_crypto_x509_method);
}
-/* x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
- * contents of |x509|. */
+// x509_to_buffer returns a |CRYPTO_BUFFER| that contains the serialised
+// contents of |x509|.
static UniquePtr<CRYPTO_BUFFER> x509_to_buffer(X509 *x509) {
uint8_t *buf = NULL;
int cert_len = i2d_X509(x509, &buf);
@@ -185,7 +185,7 @@
return buffer;
}
-/* new_leafless_chain returns a fresh stack of buffers set to {NULL}. */
+// new_leafless_chain returns a fresh stack of buffers set to {NULL}.
static STACK_OF(CRYPTO_BUFFER) *new_leafless_chain(void) {
STACK_OF(CRYPTO_BUFFER) *chain = sk_CRYPTO_BUFFER_new_null();
if (chain == NULL) {
@@ -200,10 +200,10 @@
return chain;
}
-/* ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
- * forms of elements of |chain|. It returns one on success or zero on error, in
- * which case no change to |cert->chain| is made. It preverses the existing
- * leaf from |cert->chain|, if any. */
+// ssl_cert_set_chain sets elements 1.. of |cert->chain| to the serialised
+// forms of elements of |chain|. It returns one on success or zero on error, in
+// which case no change to |cert->chain| is made. It preverses the existing
+// leaf from |cert->chain|, if any.
static int ssl_cert_set_chain(CERT *cert, STACK_OF(X509) *chain) {
UniquePtr<STACK_OF(CRYPTO_BUFFER)> new_chain;
@@ -217,7 +217,7 @@
if (!sk_CRYPTO_BUFFER_push(new_chain.get(), leaf)) {
return 0;
}
- /* |leaf| might be NULL if it's a “leafless” chain. */
+ // |leaf| might be NULL if it's a “leafless” chain.
if (leaf != NULL) {
CRYPTO_BUFFER_up_ref(leaf);
}
@@ -439,13 +439,13 @@
return 0;
}
- /* We need to inherit the verify parameters. These can be determined by the
- * context: if its a server it will verify SSL client certificates or vice
- * versa. */
+ // We need to inherit the verify parameters. These can be determined by the
+ // context: if its a server it will verify SSL client certificates or vice
+ // versa.
X509_STORE_CTX_set_default(ctx.get(),
ssl->server ? "ssl_client" : "ssl_server");
- /* Anything non-default in "param" should overwrite anything in the ctx. */
+ // Anything non-default in "param" should overwrite anything in the ctx.
X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx.get()), ssl->param);
if (ssl->verify_callback) {
@@ -462,7 +462,7 @@
session->verify_result = ctx->error;
- /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
+ // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
if (verify_ret <= 0 && ssl->verify_mode != SSL_VERIFY_NONE) {
*out_alert = ssl_verify_alarm_type(ctx->error);
return 0;
@@ -497,8 +497,8 @@
}
static int ssl_crypto_x509_ssl_auto_chain_if_needed(SSL *ssl) {
- /* Only build a chain if there are no intermediates configured and the feature
- * isn't disabled. */
+ // Only build a chain if there are no intermediates configured and the feature
+ // isn't disabled.
if ((ssl->mode & SSL_MODE_NO_AUTO_CHAIN) ||
!ssl_has_certificate(ssl) ||
ssl->cert->chain == NULL ||
@@ -519,11 +519,11 @@
return 0;
}
- /* Attempt to build a chain, ignoring the result. */
+ // Attempt to build a chain, ignoring the result.
X509_verify_cert(ctx.get());
ERR_clear_error();
- /* Remove the leaf from the generated chain. */
+ // Remove the leaf from the generated chain.
X509_free(sk_X509_shift(ctx->chain));
if (!ssl_cert_set_chain(ssl->cert, ctx->chain)) {
@@ -605,8 +605,8 @@
return session->x509_chain;
}
- /* OpenSSL historically didn't include the leaf certificate in the returned
- * certificate chain, but only for servers. */
+ // OpenSSL historically didn't include the leaf certificate in the returned
+ // certificate chain, but only for servers.
if (session->x509_chain_without_leaf == NULL) {
session->x509_chain_without_leaf = sk_X509_new_null();
if (session->x509_chain_without_leaf == NULL) {
@@ -800,8 +800,8 @@
return ssl_use_certificate(ctx->cert, x);
}
-/* ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
- * first element of |cert->chain|. */
+// ssl_cert_cache_leaf_cert sets |cert->x509_leaf|, if currently NULL, from the
+// first element of |cert->chain|.
static int ssl_cert_cache_leaf_cert(CERT *cert) {
assert(cert->x509_method);
@@ -963,8 +963,8 @@
return SSL_set0_chain(ssl, NULL);
}
-/* ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
- * |cert->chain|. */
+// ssl_cert_cache_chain_certs fills in |cert->x509_chain| from elements 1.. of
+// |cert->chain|.
static int ssl_cert_cache_chain_certs(CERT *cert) {
assert(cert->x509_method);
@@ -1140,12 +1140,12 @@
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
check_ssl_x509_method(ssl);
- /* For historical reasons, this function is used both to query configuration
- * state on a server as well as handshake state on a client. However, whether
- * |ssl| is a client or server is not known until explicitly configured with
- * |SSL_set_connect_state|. If |handshake_func| is NULL, |ssl| is in an
- * indeterminate mode and |ssl->server| is unset. */
- if (ssl->handshake_func != NULL && !ssl->server) {
+ // For historical reasons, this function is used both to query configuration
+ // state on a server as well as handshake state on a client. However, whether
+ // |ssl| is a client or server is not known until explicitly configured with
+ // |SSL_set_connect_state|. If |do_handshake| is NULL, |ssl| is in an
+ // indeterminate mode and |ssl->server| is unset.
+ if (ssl->do_handshake != NULL && !ssl->server) {
if (ssl->s3->hs != NULL) {
return buffer_names_to_x509(ssl->s3->hs->ca_names.get(),
&ssl->s3->hs->cached_x509_ca_names);
@@ -1158,12 +1158,13 @@
return buffer_names_to_x509(
ssl->client_CA, (STACK_OF(X509_NAME) **)&ssl->cached_x509_client_CA);
}
- return buffer_names_to_x509(ssl->ctx->client_CA,
- &ssl->ctx->cached_x509_client_CA);
+ return SSL_CTX_get_client_CA_list(ssl->ctx);
}
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
check_ssl_ctx_x509_method(ctx);
+ // This is a logically const operation that may be called on multiple threads,
+ // so it needs to lock around updating |cached_x509_client_CA|.
CRYPTO_MUTEX_lock_write((CRYPTO_MUTEX *) &ctx->lock);
STACK_OF(X509_NAME) *ret = buffer_names_to_x509(
ctx->client_CA, (STACK_OF(X509_NAME) **)&ctx->cached_x509_client_CA);
@@ -1258,7 +1259,7 @@
X509 **out_x509,
EVP_PKEY **out_pkey)) {
check_ssl_ctx_x509_method(ctx);
- /* Emulate the old client certificate callback with the new one. */
+ // Emulate the old client certificate callback with the new one.
SSL_CTX_set_cert_cb(ctx, do_client_cert_cb, NULL);
ctx->client_cert_cb = cb;
}
@@ -1276,10 +1277,10 @@
}
int SSL_get_ex_data_X509_STORE_CTX_idx(void) {
- /* The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
- * reserved app_data slot. Before ex_data was introduced, app_data was used.
- * Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
- * works. */
+ // The ex_data index to go from |X509_STORE_CTX| to |SSL| always uses the
+ // reserved app_data slot. Before ex_data was introduced, app_data was used.
+ // Avoid breaking any software which assumes |X509_STORE_CTX_get_app_data|
+ // works.
return 0;
}
diff --git a/src/ssl/t1_enc.cc b/src/ssl/t1_enc.cc
index d4a6ee9..f917ed7 100644
--- a/src/ssl/t1_enc.cc
+++ b/src/ssl/t1_enc.cc
@@ -154,10 +154,10 @@
namespace bssl {
-/* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
- * section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
- * |secret| as the secret. |seed1| through |seed3| are concatenated to form the
- * seed parameter. It returns one on success and zero on failure. */
+// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,
+// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and
+// |secret| as the secret. |seed1| through |seed3| are concatenated to form the
+// seed parameter. It returns one on success and zero on failure.
static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,
const uint8_t *secret, size_t secret_len,
const uint8_t *seed1, size_t seed1_len,
@@ -184,7 +184,7 @@
uint8_t hmac[EVP_MAX_MD_SIZE];
if (!HMAC_CTX_copy_ex(ctx.get(), ctx_init.get()) ||
!HMAC_Update(ctx.get(), A1, A1_len) ||
- /* Save a copy of |ctx| to compute the next A1 value below. */
+ // Save a copy of |ctx| to compute the next A1 value below.
(out_len > chunk && !HMAC_CTX_copy_ex(ctx_tmp.get(), ctx.get())) ||
!HMAC_Update(ctx.get(), seed1, seed1_len) ||
!HMAC_Update(ctx.get(), seed2, seed2_len) ||
@@ -194,7 +194,7 @@
}
assert(len == chunk);
- /* XOR the result into |out|. */
+ // XOR the result into |out|.
if (len > out_len) {
len = out_len;
}
@@ -209,7 +209,7 @@
break;
}
- /* Calculate the next A1 value. */
+ // Calculate the next A1 value.
if (!HMAC_Final(ctx_tmp.get(), A1, &A1_len)) {
goto err;
}
@@ -233,8 +233,8 @@
OPENSSL_memset(out, 0, out_len);
if (digest == EVP_md5_sha1()) {
- /* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and
- * MD5, MD5 first. */
+ // If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and
+ // MD5, MD5 first.
size_t secret_half = secret_len - (secret_len / 2);
if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half,
(const uint8_t *)label, label_len, seed1, seed1_len, seed2,
@@ -242,7 +242,7 @@
return 0;
}
- /* Note that, if |secret_len| is odd, the two halves share a byte. */
+ // Note that, if |secret_len| is odd, the two halves share a byte.
secret = secret + (secret_len - secret_half);
secret_len = secret_half;
@@ -272,7 +272,7 @@
for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {
k++;
if (k > sizeof(buf)) {
- /* bug: 'buf' is too small for this ciphersuite */
+ // bug: 'buf' is too small for this ciphersuite
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
@@ -287,7 +287,7 @@
}
EVP_DigestUpdate(sha1.get(), buf, k);
EVP_DigestUpdate(sha1.get(), secret, secret_len);
- /* |label| is ignored for SSLv3. */
+ // |label| is ignored for SSLv3.
if (seed1_len) {
EVP_DigestUpdate(sha1.get(), seed1, seed1_len);
}
@@ -338,9 +338,9 @@
}
size_t key_len = EVP_AEAD_key_length(aead);
if (mac_secret_len > 0) {
- /* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the
- * key length reported by |EVP_AEAD_key_length| will include the MAC key
- * bytes and initial implicit IV. */
+ // For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the
+ // key length reported by |EVP_AEAD_key_length| will include the MAC key
+ // bytes and initial implicit IV.
if (key_len < mac_secret_len + fixed_iv_len) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
@@ -377,17 +377,17 @@
int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which) {
SSL *const ssl = hs->ssl;
- /* Ensure the key block is set up. */
+ // Ensure the key block is set up.
if (!tls1_setup_key_block(hs)) {
return 0;
}
- /* is_read is true if we have just read a ChangeCipherSpec message - i.e. we
- * need to update the read cipherspec. Otherwise we have just written one. */
+ // is_read is true if we have just read a ChangeCipherSpec message - i.e. we
+ // need to update the read cipherspec. Otherwise we have just written one.
const char is_read = (which & SSL3_CC_READ) != 0;
- /* use_client_keys is true if we wish to use the keys for the "client write"
- * direction. This is the case if we're a client sending a ChangeCipherSpec,
- * or a server reading a client's ChangeCipherSpec. */
+ // use_client_keys is true if we wish to use the keys for the "client write"
+ // direction. This is the case if we're a client sending a ChangeCipherSpec,
+ // or a server reading a client's ChangeCipherSpec.
const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||
which == SSL3_CHANGE_CIPHER_SERVER_READ;
@@ -506,7 +506,7 @@
return 0;
}
- /* Exporters may not be used in the middle of a renegotiation. */
+ // Exporters may not be used in the middle of a renegotiation.
if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
return 0;
}
diff --git a/src/ssl/t1_lib.cc b/src/ssl/t1_lib.cc
index e50710a..481c9f8 100644
--- a/src/ssl/t1_lib.cc
+++ b/src/ssl/t1_lib.cc
@@ -142,17 +142,17 @@
}
}
-/* Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
- * more than one extension of the same type in a ClientHello or ServerHello.
- * This function does an initial scan over the extensions block to filter those
- * out. */
+// Per http://tools.ietf.org/html/rfc5246#section-7.4.1.4, there may not be
+// more than one extension of the same type in a ClientHello or ServerHello.
+// This function does an initial scan over the extensions block to filter those
+// out.
static int tls1_check_duplicate_extensions(const CBS *cbs) {
CBS extensions = *cbs;
size_t num_extensions = 0, i = 0;
uint16_t *extension_types = NULL;
int ret = 0;
- /* First pass: count the extensions. */
+ // First pass: count the extensions.
while (CBS_len(&extensions) > 0) {
uint16_t type;
CBS extension;
@@ -176,20 +176,20 @@
goto done;
}
- /* Second pass: gather the extension types. */
+ // Second pass: gather the extension types.
extensions = *cbs;
for (i = 0; i < num_extensions; i++) {
CBS extension;
if (!CBS_get_u16(&extensions, &extension_types[i]) ||
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
- /* This should not happen. */
+ // This should not happen.
goto done;
}
}
assert(CBS_len(&extensions) == 0);
- /* Sort the extensions and make sure there are no duplicates. */
+ // Sort the extensions and make sure there are no duplicates.
qsort(extension_types, num_extensions, sizeof(uint16_t), compare_uint16_t);
for (i = 1; i < num_extensions; i++) {
if (extension_types[i - 1] == extension_types[i]) {
@@ -225,7 +225,7 @@
out->session_id = CBS_data(&session_id);
out->session_id_len = CBS_len(&session_id);
- /* Skip past DTLS cookie */
+ // Skip past DTLS cookie
if (SSL_is_dtls(out->ssl)) {
CBS cookie;
if (!CBS_get_u8_length_prefixed(&client_hello, &cookie) ||
@@ -247,15 +247,15 @@
out->compression_methods = CBS_data(&compression_methods);
out->compression_methods_len = CBS_len(&compression_methods);
- /* If the ClientHello ends here then it's valid, but doesn't have any
- * extensions. (E.g. SSLv3.) */
+ // If the ClientHello ends here then it's valid, but doesn't have any
+ // extensions. (E.g. SSLv3.)
if (CBS_len(&client_hello) == 0) {
out->extensions = NULL;
out->extensions_len = 0;
return 1;
}
- /* Extract extensions and check it is valid. */
+ // Extract extensions and check it is valid.
CBS extensions;
if (!CBS_get_u16_length_prefixed(&client_hello, &extensions) ||
!tls1_check_duplicate_extensions(&extensions) ||
@@ -274,7 +274,7 @@
CBS extensions;
CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
while (CBS_len(&extensions) != 0) {
- /* Decode the next extension. */
+ // Decode the next extension.
uint16_t type;
CBS extension;
if (!CBS_get_u16(&extensions, &type) ||
@@ -315,14 +315,14 @@
size_t groups_len, pref_len, supp_len;
tls1_get_grouplist(ssl, &groups, &groups_len);
- /* Clients are not required to send a supported_groups extension. In this
- * case, the server is free to pick any group it likes. See RFC 4492,
- * section 4, paragraph 3.
- *
- * However, in the interests of compatibility, we will skip ECDH if the
- * client didn't send an extension because we can't be sure that they'll
- * support our favoured group. Thus we do not special-case an emtpy
- * |peer_supported_group_list|. */
+ // Clients are not required to send a supported_groups extension. In this
+ // case, the server is free to pick any group it likes. See RFC 4492,
+ // section 4, paragraph 3.
+ //
+ // However, in the interests of compatibility, we will skip ECDH if the
+ // client didn't send an extension because we can't be sure that they'll
+ // support our favoured group. Thus we do not special-case an emtpy
+ // |peer_supported_group_list|.
if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
pref = groups;
@@ -425,14 +425,14 @@
return 0;
}
-/* kVerifySignatureAlgorithms is the default list of accepted signature
- * algorithms for verifying.
- *
- * For now, RSA-PSS signature algorithms are not enabled on Android's system
- * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
- * restore them. */
+// kVerifySignatureAlgorithms is the default list of accepted signature
+// algorithms for verifying.
+//
+// For now, RSA-PSS signature algorithms are not enabled on Android's system
+// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
+// restore them.
static const uint16_t kVerifySignatureAlgorithms[] = {
- /* List our preferred algorithms first. */
+ // List our preferred algorithms first.
SSL_SIGN_ED25519,
SSL_SIGN_ECDSA_SECP256R1_SHA256,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
@@ -440,14 +440,14 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA256,
- /* Larger hashes are acceptable. */
+ // Larger hashes are acceptable.
SSL_SIGN_ECDSA_SECP384R1_SHA384,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_RSA_PSS_SHA384,
#endif
SSL_SIGN_RSA_PKCS1_SHA384,
- /* TODO(davidben): Remove this. */
+ // TODO(davidben): Remove this.
#if defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_ECDSA_SECP521R1_SHA512,
#endif
@@ -456,19 +456,19 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA512,
- /* For now, SHA-1 is still accepted but least preferable. */
+ // For now, SHA-1 is still accepted but least preferable.
SSL_SIGN_RSA_PKCS1_SHA1,
};
-/* kSignSignatureAlgorithms is the default list of supported signature
- * algorithms for signing.
- *
- * For now, RSA-PSS signature algorithms are not enabled on Android's system
- * BoringSSL. Once the change in Chrome has stuck and the values are finalized,
- * restore them. */
+// kSignSignatureAlgorithms is the default list of supported signature
+// algorithms for signing.
+//
+// For now, RSA-PSS signature algorithms are not enabled on Android's system
+// BoringSSL. Once the change in Chrome has stuck and the values are finalized,
+// restore them.
static const uint16_t kSignSignatureAlgorithms[] = {
- /* List our preferred algorithms first. */
+ // List our preferred algorithms first.
SSL_SIGN_ED25519,
SSL_SIGN_ECDSA_SECP256R1_SHA256,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
@@ -476,9 +476,9 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA256,
- /* If needed, sign larger hashes.
- *
- * TODO(davidben): Determine which of these may be pruned. */
+ // If needed, sign larger hashes.
+ //
+ // TODO(davidben): Determine which of these may be pruned.
SSL_SIGN_ECDSA_SECP384R1_SHA384,
#if !defined(BORINGSSL_ANDROID_SYSTEM)
SSL_SIGN_RSA_PSS_SHA384,
@@ -491,7 +491,7 @@
#endif
SSL_SIGN_RSA_PKCS1_SHA512,
- /* If the peer supports nothing else, sign with SHA-1. */
+ // If the peer supports nothing else, sign with SHA-1.
SSL_SIGN_ECDSA_SHA1,
SSL_SIGN_RSA_PKCS1_SHA1,
};
@@ -542,21 +542,21 @@
return 0;
}
-/* tls_extension represents a TLS extension that is handled internally. The
- * |init| function is called for each handshake, before any other functions of
- * the extension. Then the add and parse callbacks are called as needed.
- *
- * The parse callbacks receive a |CBS| that contains the contents of the
- * extension (i.e. not including the type and length bytes). If an extension is
- * not received then the parse callbacks will be called with a NULL CBS so that
- * they can do any processing needed to handle the absence of an extension.
- *
- * The add callbacks receive a |CBB| to which the extension can be appended but
- * the function is responsible for appending the type and length bytes too.
- *
- * All callbacks return one for success and zero for error. If a parse function
- * returns zero then a fatal alert with value |*out_alert| will be sent. If
- * |*out_alert| isn't set, then a |decode_error| alert will be sent. */
+// tls_extension represents a TLS extension that is handled internally. The
+// |init| function is called for each handshake, before any other functions of
+// the extension. Then the add and parse callbacks are called as needed.
+//
+// The parse callbacks receive a |CBS| that contains the contents of the
+// extension (i.e. not including the type and length bytes). If an extension is
+// not received then the parse callbacks will be called with a NULL CBS so that
+// they can do any processing needed to handle the absence of an extension.
+//
+// The add callbacks receive a |CBB| to which the extension can be appended but
+// the function is responsible for appending the type and length bytes too.
+//
+// All callbacks return one for success and zero for error. If a parse function
+// returns zero then a fatal alert with value |*out_alert| will be sent. If
+// |*out_alert| isn't set, then a |decode_error| alert will be sent.
struct tls_extension {
uint16_t value;
void (*init)(SSL_HANDSHAKE *hs);
@@ -573,7 +573,7 @@
static int forbid_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
if (contents != NULL) {
- /* Servers MUST NOT send this extension. */
+ // Servers MUST NOT send this extension.
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
return 0;
@@ -584,7 +584,7 @@
static int ignore_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
- /* This extension from the client is handled elsewhere. */
+ // This extension from the client is handled elsewhere.
return 1;
}
@@ -592,9 +592,9 @@
return 1;
}
-/* Server name indication (SNI).
- *
- * https://tools.ietf.org/html/rfc6066#section-3. */
+// Server name indication (SNI).
+//
+// https://tools.ietf.org/html/rfc6066#section-3.
static int ext_sni_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -652,13 +652,13 @@
uint8_t name_type;
if (!CBS_get_u16_length_prefixed(contents, &server_name_list) ||
!CBS_get_u8(&server_name_list, &name_type) ||
- /* Although the server_name extension was intended to be extensible to
- * new name types and multiple names, OpenSSL 1.0.x had a bug which meant
- * different name types will cause an error. Further, RFC 4366 originally
- * defined syntax inextensibly. RFC 6066 corrected this mistake, but
- * adding new name types is no longer feasible.
- *
- * Act as if the extensibility does not exist to simplify parsing. */
+ // Although the server_name extension was intended to be extensible to
+ // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
+ // different name types will cause an error. Further, RFC 4366 originally
+ // defined syntax inextensibly. RFC 6066 corrected this mistake, but
+ // adding new name types is no longer feasible.
+ //
+ // Act as if the extensibility does not exist to simplify parsing.
!CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
CBS_len(&server_name_list) != 0 ||
CBS_len(contents) != 0) {
@@ -673,7 +673,7 @@
return 0;
}
- /* Copy the hostname as a string. */
+ // Copy the hostname as a string.
char *hostname_raw = nullptr;
if (!CBS_strdup(&host_name, &hostname_raw)) {
*out_alert = SSL_AD_INTERNAL_ERROR;
@@ -681,7 +681,7 @@
}
hs->hostname.reset(hostname_raw);
- hs->should_ack_sni = 1;
+ hs->should_ack_sni = true;
return 1;
}
@@ -700,13 +700,13 @@
}
-/* Renegotiation indication.
- *
- * https://tools.ietf.org/html/rfc5746 */
+// Renegotiation indication.
+//
+// https://tools.ietf.org/html/rfc5746
static int ext_ri_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* Renegotiation indication is not necessary in TLS 1.3. */
+ // Renegotiation indication is not necessary in TLS 1.3.
if (hs->min_version >= TLS1_3_VERSION) {
return 1;
}
@@ -735,8 +735,8 @@
return 0;
}
- /* Servers may not switch between omitting the extension and supporting it.
- * See RFC 5746, sections 3.5 and 4.2. */
+ // Servers may not switch between omitting the extension and supporting it.
+ // See RFC 5746, sections 3.5 and 4.2.
if (ssl->s3->initial_handshake_complete &&
(contents != NULL) != ssl->s3->send_connection_binding) {
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
@@ -745,20 +745,20 @@
}
if (contents == NULL) {
- /* Strictly speaking, if we want to avoid an attack we should *always* see
- * RI even on initial ServerHello because the client doesn't see any
- * renegotiation during an attack. However this would mean we could not
- * connect to any server which doesn't support RI.
- *
- * OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
- * practical terms every client sets it so it's just assumed here. */
+ // Strictly speaking, if we want to avoid an attack we should *always* see
+ // RI even on initial ServerHello because the client doesn't see any
+ // renegotiation during an attack. However this would mean we could not
+ // connect to any server which doesn't support RI.
+ //
+ // OpenSSL has |SSL_OP_LEGACY_SERVER_CONNECT| to control this, but in
+ // practical terms every client sets it so it's just assumed here.
return 1;
}
const size_t expected_len = ssl->s3->previous_client_finished_len +
ssl->s3->previous_server_finished_len;
- /* Check for logic errors */
+ // Check for logic errors
assert(!expected_len || ssl->s3->previous_client_finished_len);
assert(!expected_len || ssl->s3->previous_server_finished_len);
assert(ssl->s3->initial_handshake_complete ==
@@ -766,7 +766,7 @@
assert(ssl->s3->initial_handshake_complete ==
(ssl->s3->previous_server_finished_len != 0));
- /* Parse out the extension contents. */
+ // Parse out the extension contents.
CBS renegotiated_connection;
if (!CBS_get_u8_length_prefixed(contents, &renegotiated_connection) ||
CBS_len(contents) != 0) {
@@ -775,7 +775,7 @@
return 0;
}
- /* Check that the extension matches. */
+ // Check that the extension matches.
if (CBS_len(&renegotiated_connection) != expected_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
@@ -805,7 +805,7 @@
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
return 0;
}
- ssl->s3->send_connection_binding = 1;
+ ssl->s3->send_connection_binding = true;
return 1;
}
@@ -813,8 +813,8 @@
static int ext_ri_parse_clienthello(SSL_HANDSHAKE *hs, uint8_t *out_alert,
CBS *contents) {
SSL *const ssl = hs->ssl;
- /* Renegotiation isn't supported as a server so this function should never be
- * called after the initial handshake. */
+ // Renegotiation isn't supported as a server so this function should never be
+ // called after the initial handshake.
assert(!ssl->s3->initial_handshake_complete);
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
@@ -832,23 +832,23 @@
return 0;
}
- /* Check that the extension matches. We do not support renegotiation as a
- * server, so this must be empty. */
+ // Check that the extension matches. We do not support renegotiation as a
+ // server, so this must be empty.
if (CBS_len(&renegotiated_connection) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_MISMATCH);
*out_alert = SSL_AD_HANDSHAKE_FAILURE;
return 0;
}
- ssl->s3->send_connection_binding = 1;
+ ssl->s3->send_connection_binding = true;
return 1;
}
static int ext_ri_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* Renegotiation isn't supported as a server so this function should never be
- * called after the initial handshake. */
+ // Renegotiation isn't supported as a server so this function should never be
+ // called after the initial handshake.
assert(!ssl->s3->initial_handshake_complete);
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
@@ -865,12 +865,12 @@
}
-/* Extended Master Secret.
- *
- * https://tools.ietf.org/html/rfc7627 */
+// Extended Master Secret.
+//
+// https://tools.ietf.org/html/rfc7627
static int ext_ems_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
- /* Extended master secret is not necessary in TLS 1.3. */
+ // Extended master secret is not necessary in TLS 1.3.
if (hs->min_version >= TLS1_3_VERSION || hs->max_version <= SSL3_VERSION) {
return 1;
}
@@ -894,13 +894,13 @@
return 0;
}
- hs->extended_master_secret = 1;
+ hs->extended_master_secret = true;
}
- /* Whether EMS is negotiated may not change on renegotiation. */
+ // Whether EMS is negotiated may not change on renegotiation.
if (ssl->s3->established_session != NULL &&
hs->extended_master_secret !=
- ssl->s3->established_session->extended_master_secret) {
+ !!ssl->s3->established_session->extended_master_secret) {
OPENSSL_PUT_ERROR(SSL, SSL_R_RENEGOTIATION_EMS_MISMATCH);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
@@ -925,7 +925,7 @@
return 0;
}
- hs->extended_master_secret = 1;
+ hs->extended_master_secret = true;
return 1;
}
@@ -943,13 +943,13 @@
}
-/* Session tickets.
- *
- * https://tools.ietf.org/html/rfc5077 */
+// Session tickets.
+//
+// https://tools.ietf.org/html/rfc5077
static int ext_ticket_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* TLS 1.3 uses a different ticket extension. */
+ // TLS 1.3 uses a different ticket extension.
if (hs->min_version >= TLS1_3_VERSION ||
SSL_get_options(ssl) & SSL_OP_NO_TICKET) {
return 1;
@@ -958,14 +958,14 @@
const uint8_t *ticket_data = NULL;
int ticket_len = 0;
- /* Renegotiation does not participate in session resumption. However, still
- * advertise the extension to avoid potentially breaking servers which carry
- * over the state from the previous handshake, such as OpenSSL servers
- * without upstream's 3c3f0259238594d77264a78944d409f2127642c4. */
+ // Renegotiation does not participate in session resumption. However, still
+ // advertise the extension to avoid potentially breaking servers which carry
+ // over the state from the previous handshake, such as OpenSSL servers
+ // without upstream's 3c3f0259238594d77264a78944d409f2127642c4.
if (!ssl->s3->initial_handshake_complete &&
ssl->session != NULL &&
ssl->session->tlsext_tick != NULL &&
- /* Don't send TLS 1.3 session tickets in the ticket extension. */
+ // Don't send TLS 1.3 session tickets in the ticket extension.
SSL_SESSION_protocol_version(ssl->session) < TLS1_3_VERSION) {
ticket_data = ssl->session->tlsext_tick;
ticket_len = ssl->session->tlsext_ticklen;
@@ -993,16 +993,16 @@
return 0;
}
- /* If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
- * this function should never be called, even if the server tries to send the
- * extension. */
+ // If |SSL_OP_NO_TICKET| is set then no extension will have been sent and
+ // this function should never be called, even if the server tries to send the
+ // extension.
assert((SSL_get_options(ssl) & SSL_OP_NO_TICKET) == 0);
if (CBS_len(contents) != 0) {
return 0;
}
- hs->ticket_expected = 1;
+ hs->ticket_expected = true;
return 1;
}
@@ -1011,7 +1011,7 @@
return 1;
}
- /* If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true. */
+ // If |SSL_OP_NO_TICKET| is set, |ticket_expected| should never be true.
assert((SSL_get_options(hs->ssl) & SSL_OP_NO_TICKET) == 0);
if (!CBB_add_u16(out, TLSEXT_TYPE_session_ticket) ||
@@ -1023,9 +1023,9 @@
}
-/* Signature Algorithms.
- *
- * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+// Signature Algorithms.
+//
+// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
static int ext_sigalgs_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1067,9 +1067,9 @@
}
-/* OCSP Stapling.
- *
- * https://tools.ietf.org/html/rfc6066#section-8 */
+// OCSP Stapling.
+//
+// https://tools.ietf.org/html/rfc6066#section-8
static int ext_ocsp_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1097,22 +1097,22 @@
return 1;
}
- /* TLS 1.3 OCSP responses are included in the Certificate extensions. */
+ // TLS 1.3 OCSP responses are included in the Certificate extensions.
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return 0;
}
- /* OCSP stapling is forbidden on non-certificate ciphers. */
+ // OCSP stapling is forbidden on non-certificate ciphers.
if (CBS_len(contents) != 0 ||
!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
return 0;
}
- /* Note this does not check for resumption in TLS 1.2. Sending
- * status_request here does not make sense, but OpenSSL does so and the
- * specification does not say anything. Tolerate it but ignore it. */
+ // Note this does not check for resumption in TLS 1.2. Sending
+ // status_request here does not make sense, but OpenSSL does so and the
+ // specification does not say anything. Tolerate it but ignore it.
- hs->certificate_status_expected = 1;
+ hs->certificate_status_expected = true;
return 1;
}
@@ -1127,8 +1127,8 @@
return 0;
}
- /* We cannot decide whether OCSP stapling will occur yet because the correct
- * SSL_CTX might not have been selected. */
+ // We cannot decide whether OCSP stapling will occur yet because the correct
+ // SSL_CTX might not have been selected.
hs->ocsp_stapling_requested = status_type == TLSEXT_STATUSTYPE_ocsp;
return 1;
@@ -1144,16 +1144,16 @@
return 1;
}
- hs->certificate_status_expected = 1;
+ hs->certificate_status_expected = true;
return CBB_add_u16(out, TLSEXT_TYPE_status_request) &&
CBB_add_u16(out, 0 /* length */);
}
-/* Next protocol negotiation.
- *
- * https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html */
+// Next protocol negotiation.
+//
+// https://htmlpreview.github.io/?https://github.com/agl/technotes/blob/master/nextprotoneg.html
static int ext_npn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1182,15 +1182,15 @@
return 0;
}
- /* If any of these are false then we should never have sent the NPN
- * extension in the ClientHello and thus this function should never have been
- * called. */
+ // If any of these are false then we should never have sent the NPN
+ // extension in the ClientHello and thus this function should never have been
+ // called.
assert(!ssl->s3->initial_handshake_complete);
assert(!SSL_is_dtls(ssl));
assert(ssl->ctx->next_proto_select_cb != NULL);
if (ssl->s3->alpn_selected != NULL) {
- /* NPN and ALPN may not be negotiated in the same connection. */
+ // NPN and ALPN may not be negotiated in the same connection.
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
return 0;
@@ -1225,7 +1225,7 @@
}
ssl->s3->next_proto_negotiated_len = selected_len;
- hs->next_proto_neg_seen = 1;
+ hs->next_proto_neg_seen = true;
return 1;
}
@@ -1248,14 +1248,14 @@
return 1;
}
- hs->next_proto_neg_seen = 1;
+ hs->next_proto_neg_seen = true;
return 1;
}
static int ext_npn_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* |next_proto_neg_seen| might have been cleared when an ALPN extension was
- * parsed. */
+ // |next_proto_neg_seen| might have been cleared when an ALPN extension was
+ // parsed.
if (!hs->next_proto_neg_seen) {
return 1;
}
@@ -1266,7 +1266,7 @@
if (ssl->ctx->next_protos_advertised_cb(
ssl, &npa, &npa_len, ssl->ctx->next_protos_advertised_cb_arg) !=
SSL_TLSEXT_ERR_OK) {
- hs->next_proto_neg_seen = 0;
+ hs->next_proto_neg_seen = false;
return 1;
}
@@ -1282,9 +1282,9 @@
}
-/* Signed certificate timestamps.
- *
- * https://tools.ietf.org/html/rfc6962#section-3.3.1 */
+// Signed certificate timestamps.
+//
+// https://tools.ietf.org/html/rfc6962#section-3.3.1
static int ext_sct_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1307,14 +1307,14 @@
return 1;
}
- /* TLS 1.3 SCTs are included in the Certificate extensions. */
+ // TLS 1.3 SCTs are included in the Certificate extensions.
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
*out_alert = SSL_AD_DECODE_ERROR;
return 0;
}
- /* If this is false then we should never have sent the SCT extension in the
- * ClientHello and thus this function should never have been called. */
+ // If this is false then we should never have sent the SCT extension in the
+ // ClientHello and thus this function should never have been called.
assert(ssl->signed_cert_timestamps_enabled);
if (!ssl_is_sct_list_valid(contents)) {
@@ -1322,11 +1322,11 @@
return 0;
}
- /* Session resumption uses the original session information. The extension
- * should not be sent on resumption, but RFC 6962 did not make it a
- * requirement, so tolerate this.
- *
- * TODO(davidben): Enforce this anyway. */
+ // Session resumption uses the original session information. The extension
+ // should not be sent on resumption, but RFC 6962 did not make it a
+ // requirement, so tolerate this.
+ //
+ // TODO(davidben): Enforce this anyway.
if (!ssl->s3->session_reused) {
CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);
hs->new_session->signed_cert_timestamp_list =
@@ -1350,13 +1350,13 @@
return 0;
}
- hs->scts_requested = 1;
+ hs->scts_requested = true;
return 1;
}
static int ext_sct_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
- /* The extension shouldn't be sent when resuming sessions. */
+ // The extension shouldn't be sent when resuming sessions.
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION ||
ssl->s3->session_reused ||
ssl->cert->signed_cert_timestamp_list == NULL) {
@@ -1374,9 +1374,9 @@
}
-/* Application-level Protocol Negotiation.
- *
- * https://tools.ietf.org/html/rfc7301 */
+// Application-level Protocol Negotiation.
+//
+// https://tools.ietf.org/html/rfc7301
static int ext_alpn_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -1409,26 +1409,26 @@
assert(ssl->alpn_client_proto_list != NULL);
if (hs->next_proto_neg_seen) {
- /* NPN and ALPN may not be negotiated in the same connection. */
+ // NPN and ALPN may not be negotiated in the same connection.
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
OPENSSL_PUT_ERROR(SSL, SSL_R_NEGOTIATED_BOTH_NPN_AND_ALPN);
return 0;
}
- /* The extension data consists of a ProtocolNameList which must have
- * exactly one ProtocolName. Each of these is length-prefixed. */
+ // The extension data consists of a ProtocolNameList which must have
+ // exactly one ProtocolName. Each of these is length-prefixed.
CBS protocol_name_list, protocol_name;
if (!CBS_get_u16_length_prefixed(contents, &protocol_name_list) ||
CBS_len(contents) != 0 ||
!CBS_get_u8_length_prefixed(&protocol_name_list, &protocol_name) ||
- /* Empty protocol names are forbidden. */
+ // Empty protocol names are forbidden.
CBS_len(&protocol_name) == 0 ||
CBS_len(&protocol_name_list) != 0) {
return 0;
}
if (!ssl->ctx->allow_unknown_alpn_protos) {
- /* Check that the protocol name is one of the ones we advertised. */
+ // Check that the protocol name is one of the ones we advertised.
int protocol_ok = 0;
CBS client_protocol_name_list, client_protocol_name;
CBS_init(&client_protocol_name_list, ssl->alpn_client_proto_list,
@@ -1473,12 +1473,12 @@
!ssl_client_hello_get_extension(
client_hello, &contents,
TLSEXT_TYPE_application_layer_protocol_negotiation)) {
- /* Ignore ALPN if not configured or no extension was supplied. */
+ // Ignore ALPN if not configured or no extension was supplied.
return 1;
}
- /* ALPN takes precedence over NPN. */
- hs->next_proto_neg_seen = 0;
+ // ALPN takes precedence over NPN.
+ hs->next_proto_neg_seen = false;
CBS protocol_name_list;
if (!CBS_get_u16_length_prefixed(&contents, &protocol_name_list) ||
@@ -1489,13 +1489,13 @@
return 0;
}
- /* Validate the protocol list. */
+ // Validate the protocol list.
CBS protocol_name_list_copy = protocol_name_list;
while (CBS_len(&protocol_name_list_copy) > 0) {
CBS protocol_name;
if (!CBS_get_u8_length_prefixed(&protocol_name_list_copy, &protocol_name) ||
- /* Empty protocol names are forbidden. */
+ // Empty protocol names are forbidden.
CBS_len(&protocol_name) == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -1542,12 +1542,12 @@
}
-/* Channel ID.
- *
- * https://tools.ietf.org/html/draft-balfanz-tls-channelid-01 */
+// Channel ID.
+//
+// https://tools.ietf.org/html/draft-balfanz-tls-channelid-01
static void ext_channel_id_init(SSL_HANDSHAKE *hs) {
- hs->ssl->s3->tlsext_channel_id_valid = 0;
+ hs->ssl->s3->tlsext_channel_id_valid = false;
}
static int ext_channel_id_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
@@ -1579,7 +1579,7 @@
return 0;
}
- ssl->s3->tlsext_channel_id_valid = 1;
+ ssl->s3->tlsext_channel_id_valid = true;
return 1;
}
@@ -1596,7 +1596,7 @@
return 0;
}
- ssl->s3->tlsext_channel_id_valid = 1;
+ ssl->s3->tlsext_channel_id_valid = true;
return 1;
}
@@ -1615,9 +1615,9 @@
}
-/* Secure Real-time Transport Protocol (SRTP) extension.
- *
- * https://tools.ietf.org/html/rfc5764 */
+// Secure Real-time Transport Protocol (SRTP) extension.
+//
+// https://tools.ietf.org/html/rfc5764
static void ext_srtp_init(SSL_HANDSHAKE *hs) {
@@ -1660,10 +1660,10 @@
return 1;
}
- /* The extension consists of a u16-prefixed profile ID list containing a
- * single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
- *
- * See https://tools.ietf.org/html/rfc5764#section-4.1.1 */
+ // The extension consists of a u16-prefixed profile ID list containing a
+ // single uint16_t profile ID, then followed by a u8-prefixed srtp_mki field.
+ //
+ // See https://tools.ietf.org/html/rfc5764#section-4.1.1
CBS profile_ids, srtp_mki;
uint16_t profile_id;
if (!CBS_get_u16_length_prefixed(contents, &profile_ids) ||
@@ -1676,7 +1676,7 @@
}
if (CBS_len(&srtp_mki) != 0) {
- /* Must be no MKI, since we never offer one. */
+ // Must be no MKI, since we never offer one.
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_MKI_VALUE);
*out_alert = SSL_AD_ILLEGAL_PARAMETER;
return 0;
@@ -1684,8 +1684,8 @@
STACK_OF(SRTP_PROTECTION_PROFILE) *profiles = SSL_get_srtp_profiles(ssl);
- /* Check to see if the server gave us something we support (and presumably
- * offered). */
+ // Check to see if the server gave us something we support (and presumably
+ // offered).
for (const SRTP_PROTECTION_PROFILE *profile : profiles) {
if (profile->id == profile_id) {
ssl->srtp_profile = profile;
@@ -1713,12 +1713,12 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
return 0;
}
- /* Discard the MKI value for now. */
+ // Discard the MKI value for now.
const STACK_OF(SRTP_PROTECTION_PROFILE) *server_profiles =
SSL_get_srtp_profiles(ssl);
- /* Pick the server's most preferred profile. */
+ // Pick the server's most preferred profile.
for (const SRTP_PROTECTION_PROFILE *server_profile : server_profiles) {
CBS profile_ids_tmp;
CBS_init(&profile_ids_tmp, CBS_data(&profile_ids), CBS_len(&profile_ids));
@@ -1759,9 +1759,9 @@
}
-/* EC point formats.
- *
- * https://tools.ietf.org/html/rfc4492#section-5.1.2 */
+// EC point formats.
+//
+// https://tools.ietf.org/html/rfc4492#section-5.1.2
static int ext_ec_point_add_extension(SSL_HANDSHAKE *hs, CBB *out) {
CBB contents, formats;
@@ -1777,7 +1777,7 @@
}
static int ext_ec_point_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
- /* The point format extension is unneccessary in TLS 1.3. */
+ // The point format extension is unneccessary in TLS 1.3.
if (hs->min_version >= TLS1_3_VERSION) {
return 1;
}
@@ -1801,8 +1801,8 @@
return 0;
}
- /* Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
- * point format. */
+ // Per RFC 4492, section 5.1.2, implementations MUST support the uncompressed
+ // point format.
if (OPENSSL_memchr(CBS_data(&ec_point_format_list),
TLSEXT_ECPOINTFORMAT_uncompressed,
CBS_len(&ec_point_format_list)) == NULL) {
@@ -1840,9 +1840,9 @@
}
-/* Pre Shared Key
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6 */
+// Pre Shared Key
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
static size_t ext_pre_shared_key_clienthello_length(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
@@ -1867,8 +1867,8 @@
uint32_t ticket_age = 1000 * (now.tv_sec - ssl->session->time);
uint32_t obfuscated_ticket_age = ticket_age + ssl->session->ticket_age_add;
- /* Fill in a placeholder zero binder of the appropriate length. It will be
- * computed and filled in later after length prefixes are computed. */
+ // Fill in a placeholder zero binder of the appropriate length. It will be
+ // computed and filled in later after length prefixes are computed.
uint8_t zero_binder[EVP_MAX_MD_SIZE] = {0};
size_t binder_len = EVP_MD_size(SSL_SESSION_get_digest(ssl->session));
@@ -1886,7 +1886,7 @@
return 0;
}
- hs->needs_psk_binder = 1;
+ hs->needs_psk_binder = true;
return CBB_flush(out);
}
@@ -1901,7 +1901,7 @@
return 0;
}
- /* We only advertise one PSK identity, so the only legal index is zero. */
+ // We only advertise one PSK identity, so the only legal index is zero.
if (psk_id != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
*out_alert = SSL_AD_UNKNOWN_PSK_IDENTITY;
@@ -1914,7 +1914,7 @@
int ssl_ext_pre_shared_key_parse_clienthello(
SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders,
uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, CBS *contents) {
- /* We only process the first PSK identity since we don't support pure PSK. */
+ // We only process the first PSK identity since we don't support pure PSK.
CBS identities, binders;
if (!CBS_get_u16_length_prefixed(contents, &identities) ||
!CBS_get_u16_length_prefixed(&identities, out_ticket) ||
@@ -1929,7 +1929,7 @@
*out_binders = binders;
- /* Check the syntax of the remaining identities, but do not process them. */
+ // Check the syntax of the remaining identities, but do not process them.
size_t num_identities = 1;
while (CBS_len(&identities) != 0) {
CBS unused_ticket;
@@ -1944,8 +1944,8 @@
num_identities++;
}
- /* Check the syntax of the binders. The value will be checked later if
- * resuming. */
+ // Check the syntax of the binders. The value will be checked later if
+ // resuming.
size_t num_binders = 0;
while (CBS_len(&binders) != 0) {
CBS binder;
@@ -1975,7 +1975,7 @@
CBB contents;
if (!CBB_add_u16(out, TLSEXT_TYPE_pre_shared_key) ||
!CBB_add_u16_length_prefixed(out, &contents) ||
- /* We only consider the first identity for resumption */
+ // We only consider the first identity for resumption
!CBB_add_u16(&contents, 0) ||
!CBB_flush(out)) {
return 0;
@@ -1985,9 +1985,9 @@
}
-/* Pre-Shared Key Exchange Modes
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7 */
+// Pre-Shared Key Exchange Modes
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.7
static int ext_psk_key_exchange_modes_add_clienthello(SSL_HANDSHAKE *hs,
CBB *out) {
@@ -2021,7 +2021,7 @@
return 0;
}
- /* We only support tickets with PSK_DHE_KE. */
+ // We only support tickets with PSK_DHE_KE.
hs->accept_psk_mode = OPENSSL_memchr(CBS_data(&ke_modes), SSL_PSK_DHE_KE,
CBS_len(&ke_modes)) != NULL;
@@ -2029,9 +2029,9 @@
}
-/* Early Data Indication
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8 */
+// Early Data Indication
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
static int ext_early_data_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2043,7 +2043,7 @@
return 1;
}
- hs->early_data_offered = 1;
+ hs->early_data_offered = true;
if (!CBB_add_u16(out, TLSEXT_TYPE_early_data) ||
!CBB_add_u16(out, 0) ||
@@ -2089,7 +2089,7 @@
return 0;
}
- hs->early_data_offered = 1;
+ hs->early_data_offered = true;
return 1;
}
@@ -2108,9 +2108,9 @@
}
-/* Key Share
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5 */
+// Key Share
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.5
static int ext_key_share_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2127,8 +2127,8 @@
uint16_t group_id = hs->retry_group;
if (hs->received_hello_retry_request) {
- /* We received a HelloRetryRequest without a new curve, so there is no new
- * share to append. Leave |hs->key_share| as-is. */
+ // We received a HelloRetryRequest without a new curve, so there is no new
+ // share to append. Leave |hs->key_share| as-is.
if (group_id == 0 &&
!CBB_add_bytes(&kse_bytes, hs->key_share_bytes,
hs->key_share_bytes_len)) {
@@ -2141,7 +2141,7 @@
return CBB_flush(out);
}
} else {
- /* Add a fake group. See draft-davidben-tls-grease-01. */
+ // Add a fake group. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
(!CBB_add_u16(&kse_bytes,
ssl_get_grease_value(ssl, ssl_grease_group)) ||
@@ -2150,7 +2150,7 @@
return 0;
}
- /* Predict the most preferred group. */
+ // Predict the most preferred group.
const uint16_t *groups;
size_t groups_len;
tls1_get_grouplist(ssl, &groups, &groups_len);
@@ -2173,8 +2173,8 @@
}
if (!hs->received_hello_retry_request) {
- /* Save the contents of the extension to repeat it in the second
- * ClientHello. */
+ // Save the contents of the extension to repeat it in the second
+ // ClientHello.
hs->key_share_bytes_len = CBB_len(&kse_bytes);
hs->key_share_bytes =
(uint8_t *)BUF_memdup(CBB_data(&kse_bytes), CBB_len(&kse_bytes));
@@ -2215,7 +2215,7 @@
return 1;
}
-int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, int *out_found,
+int ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found,
uint8_t **out_secret,
size_t *out_secret_len,
uint8_t *out_alert, CBS *contents) {
@@ -2233,8 +2233,8 @@
return 0;
}
- /* Find the corresponding key share. */
- int found = 0;
+ // Find the corresponding key share.
+ bool found = false;
CBS peer_key;
while (CBS_len(&key_shares) > 0) {
uint16_t id;
@@ -2252,20 +2252,20 @@
return 0;
}
- found = 1;
+ found = true;
peer_key = peer_key_tmp;
- /* Continue parsing the structure to keep peers honest. */
+ // Continue parsing the structure to keep peers honest.
}
}
if (!found) {
- *out_found = 0;
+ *out_found = false;
*out_secret = NULL;
*out_secret_len = 0;
return 1;
}
- /* Compute the DH secret. */
+ // Compute the DH secret.
uint8_t *secret = NULL;
size_t secret_len;
ScopedCBB public_key;
@@ -2283,7 +2283,7 @@
*out_secret = secret;
*out_secret_len = secret_len;
- *out_found = 1;
+ *out_found = true;
return 1;
}
@@ -2310,9 +2310,9 @@
}
-/* Supported Versions
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1 */
+// Supported Versions
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.1
static int ext_supported_versions_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2327,7 +2327,7 @@
return 0;
}
- /* Add a fake version. See draft-davidben-tls-grease-01. */
+ // Add a fake version. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
!CBB_add_u16(&versions, ssl_get_grease_value(ssl, ssl_grease_version))) {
return 0;
@@ -2342,9 +2342,9 @@
}
-/* Cookie
- *
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2 */
+// Cookie
+//
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.2
static int ext_cookie_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
if (hs->cookie == NULL) {
@@ -2360,7 +2360,7 @@
return 0;
}
- /* The cookie is no longer needed in memory. */
+ // The cookie is no longer needed in memory.
OPENSSL_free(hs->cookie);
hs->cookie = NULL;
hs->cookie_len = 0;
@@ -2368,10 +2368,10 @@
}
-/* Negotiated Groups
- *
- * https://tools.ietf.org/html/rfc4492#section-5.1.2
- * https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4 */
+// Negotiated Groups
+//
+// https://tools.ietf.org/html/rfc4492#section-5.1.2
+// https://tools.ietf.org/html/draft-ietf-tls-tls13-16#section-4.2.4
static int ext_supported_groups_add_clienthello(SSL_HANDSHAKE *hs, CBB *out) {
SSL *const ssl = hs->ssl;
@@ -2382,7 +2382,7 @@
return 0;
}
- /* Add a fake group. See draft-davidben-tls-grease-01. */
+ // Add a fake group. See draft-davidben-tls-grease-01.
if (ssl->ctx->grease_enabled &&
!CBB_add_u16(&groups_bytes,
ssl_get_grease_value(ssl, ssl_grease_group))) {
@@ -2405,8 +2405,8 @@
static int ext_supported_groups_parse_serverhello(SSL_HANDSHAKE *hs,
uint8_t *out_alert,
CBS *contents) {
- /* This extension is not expected to be echoed by servers in TLS 1.2, but some
- * BigIP servers send it nonetheless, so do not enforce this. */
+ // This extension is not expected to be echoed by servers in TLS 1.2, but some
+ // BigIP servers send it nonetheless, so do not enforce this.
return 1;
}
@@ -2453,12 +2453,12 @@
}
static int ext_supported_groups_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) {
- /* Servers don't echo this extension. */
+ // Servers don't echo this extension.
return 1;
}
-/* kExtensions contains all the supported extensions. */
+// kExtensions contains all the supported extensions.
static const struct tls_extension kExtensions[] = {
{
TLSEXT_TYPE_renegotiate,
@@ -2489,7 +2489,7 @@
NULL,
ext_ticket_add_clienthello,
ext_ticket_parse_serverhello,
- /* Ticket extension client parsing is handled in ssl_session.c */
+ // Ticket extension client parsing is handled in ssl_session.c
ignore_parse_clienthello,
ext_ticket_add_serverhello,
},
@@ -2530,7 +2530,7 @@
NULL,
ext_alpn_add_clienthello,
ext_alpn_parse_serverhello,
- /* ALPN is negotiated late in |ssl_negotiate_alpn|. */
+ // ALPN is negotiated late in |ssl_negotiate_alpn|.
ignore_parse_clienthello,
ext_alpn_add_serverhello,
},
@@ -2598,9 +2598,9 @@
ignore_parse_clienthello,
dont_add_serverhello,
},
- /* The final extension must be non-empty. WebSphere Application Server 7.0 is
- * intolerant to the last extension being zero-length. See
- * https://crbug.com/363583. */
+ // The final extension must be non-empty. WebSphere Application Server 7.0 is
+ // intolerant to the last extension being zero-length. See
+ // https://crbug.com/363583.
{
TLSEXT_TYPE_supported_groups,
NULL,
@@ -2635,7 +2635,7 @@
int ssl_add_clienthello_tlsext(SSL_HANDSHAKE *hs, CBB *out, size_t header_len) {
SSL *const ssl = hs->ssl;
- /* Don't add extensions for SSLv3 unless doing secure renegotiation. */
+ // Don't add extensions for SSLv3 unless doing secure renegotiation.
if (hs->client_version == SSL3_VERSION &&
!ssl->s3->send_connection_binding) {
return 1;
@@ -2658,7 +2658,7 @@
uint16_t grease_ext1 = 0;
if (ssl->ctx->grease_enabled) {
- /* Add a fake empty extension. See draft-davidben-tls-grease-01. */
+ // Add a fake empty extension. See draft-davidben-tls-grease-01.
grease_ext1 = ssl_get_grease_value(ssl, ssl_grease_extension1);
if (!CBB_add_u16(&extensions, grease_ext1) ||
!CBB_add_u16(&extensions, 0 /* zero length */)) {
@@ -2686,12 +2686,12 @@
}
if (ssl->ctx->grease_enabled) {
- /* Add a fake non-empty extension. See draft-davidben-tls-grease-01. */
+ // Add a fake non-empty extension. See draft-davidben-tls-grease-01.
uint16_t grease_ext2 = ssl_get_grease_value(ssl, ssl_grease_extension2);
- /* The two fake extensions must not have the same value. GREASE values are
- * of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
- * one. */
+ // The two fake extensions must not have the same value. GREASE values are
+ // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
+ // one.
if (grease_ext1 == grease_ext2) {
grease_ext2 ^= 0x1010;
}
@@ -2708,15 +2708,15 @@
size_t psk_extension_len = ext_pre_shared_key_clienthello_length(hs);
header_len += 2 + CBB_len(&extensions) + psk_extension_len;
if (header_len > 0xff && header_len < 0x200) {
- /* Add padding to workaround bugs in F5 terminators. See RFC 7685.
- *
- * NB: because this code works out the length of all existing extensions
- * it MUST always appear last. */
+ // Add padding to workaround bugs in F5 terminators. See RFC 7685.
+ //
+ // NB: because this code works out the length of all existing extensions
+ // it MUST always appear last.
size_t padding_len = 0x200 - header_len;
- /* Extensions take at least four bytes to encode. Always include at least
- * one byte of data if including the extension. WebSphere Application
- * Server 7.0 is intolerant to the last extension being zero-length. See
- * https://crbug.com/363583. */
+ // Extensions take at least four bytes to encode. Always include at least
+ // one byte of data if including the extension. WebSphere Application
+ // Server 7.0 is intolerant to the last extension being zero-length. See
+ // https://crbug.com/363583.
if (padding_len >= 4 + 1) {
padding_len -= 4;
} else {
@@ -2735,13 +2735,13 @@
}
}
- /* The PSK extension must be last, including after the padding. */
+ // The PSK extension must be last, including after the padding.
if (!ext_pre_shared_key_add_clienthello(hs, &extensions)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
- /* Discard empty extensions blocks. */
+ // Discard empty extensions blocks.
if (CBB_len(&extensions) == 0) {
CBB_discard_child(out);
}
@@ -2758,7 +2758,7 @@
for (unsigned i = 0; i < kNumExtensions; i++) {
if (!(hs->extensions.received & (1u << i))) {
- /* Don't send extensions that were not received. */
+ // Don't send extensions that were not received.
continue;
}
@@ -2773,7 +2773,7 @@
goto err;
}
- /* Discard empty extensions blocks before TLS 1.3. */
+ // Discard empty extensions blocks before TLS 1.3.
if (ssl3_protocol_version(ssl) < TLS1_3_VERSION &&
CBB_len(&extensions) == 0) {
CBB_discard_child(out);
@@ -2804,15 +2804,15 @@
uint16_t type;
CBS extension;
- /* Decode the next extension. */
+ // Decode the next extension.
if (!CBS_get_u16(&extensions, &type) ||
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
*out_alert = SSL_AD_DECODE_ERROR;
return 0;
}
- /* RFC 5746 made the existence of extensions in SSL 3.0 somewhat
- * ambiguous. Ignore all but the renegotiation_info extension. */
+ // RFC 5746 made the existence of extensions in SSL 3.0 somewhat
+ // ambiguous. Ignore all but the renegotiation_info extension.
if (ssl->version == SSL3_VERSION && type != TLSEXT_TYPE_renegotiate) {
continue;
}
@@ -2849,16 +2849,16 @@
if (kExtensions[i].value == TLSEXT_TYPE_renegotiate &&
ssl_client_cipher_list_contains_cipher(client_hello,
SSL3_CK_SCSV & 0xffff)) {
- /* The renegotiation SCSV was received so pretend that we received a
- * renegotiation extension. */
+ // The renegotiation SCSV was received so pretend that we received a
+ // renegotiation extension.
CBS_init(&fake_contents, kFakeRenegotiateExtension,
sizeof(kFakeRenegotiateExtension));
contents = &fake_contents;
hs->extensions.received |= (1u << i);
}
- /* Extension wasn't observed so call the callback with a NULL
- * parameter. */
+ // Extension wasn't observed so call the callback with a NULL
+ // parameter.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!kExtensions[i].parse_clienthello(hs, &alert, contents)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
@@ -2891,12 +2891,12 @@
static int ssl_scan_serverhello_tlsext(SSL_HANDSHAKE *hs, CBS *cbs,
int *out_alert) {
SSL *const ssl = hs->ssl;
- /* Before TLS 1.3, ServerHello extensions blocks may be omitted if empty. */
+ // Before TLS 1.3, ServerHello extensions blocks may be omitted if empty.
if (CBS_len(cbs) == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
return 1;
}
- /* Decode the extensions block and check it is valid. */
+ // Decode the extensions block and check it is valid.
CBS extensions;
if (!CBS_get_u16_length_prefixed(cbs, &extensions) ||
!tls1_check_duplicate_extensions(&extensions)) {
@@ -2909,7 +2909,7 @@
uint16_t type;
CBS extension;
- /* Decode the next extension. */
+ // Decode the next extension.
if (!CBS_get_u16(&extensions, &type) ||
!CBS_get_u16_length_prefixed(&extensions, &extension)) {
*out_alert = SSL_AD_DECODE_ERROR;
@@ -2921,7 +2921,7 @@
tls_extension_find(&ext_index, type);
if (ext == NULL) {
- hs->received_custom_extension = 1;
+ hs->received_custom_extension = true;
if (!custom_ext_parse_serverhello(hs, out_alert, type, &extension)) {
return 0;
}
@@ -2933,8 +2933,8 @@
if (!(hs->extensions.sent & (1u << ext_index)) &&
type != TLSEXT_TYPE_renegotiate) {
- /* If the extension was never sent then it is illegal, except for the
- * renegotiation extension which, in SSL 3.0, is signaled via SCSV. */
+ // If the extension was never sent then it is illegal, except for the
+ // renegotiation extension which, in SSL 3.0, is signaled via SCSV.
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ERR_add_error_dataf("extension :%u", (unsigned)type);
*out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
@@ -2954,8 +2954,8 @@
for (size_t i = 0; i < kNumExtensions; i++) {
if (!(received & (1u << i))) {
- /* Extension wasn't observed so call the callback with a NULL
- * parameter. */
+ // Extension wasn't observed so call the callback with a NULL
+ // parameter.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!kExtensions[i].parse_serverhello(hs, &alert, NULL)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
@@ -2988,7 +2988,7 @@
return -1;
case SSL_TLSEXT_ERR_NOACK:
- hs->should_ack_sni = 0;
+ hs->should_ack_sni = false;
return 1;
default:
@@ -3012,11 +3012,11 @@
HMAC_CTX *hmac_ctx, const uint8_t *ticket, size_t ticket_len) {
size_t iv_len = EVP_CIPHER_CTX_iv_length(cipher_ctx);
- /* Check the MAC at the end of the ticket. */
+ // Check the MAC at the end of the ticket.
uint8_t mac[EVP_MAX_MD_SIZE];
size_t mac_len = HMAC_size(hmac_ctx);
if (ticket_len < SSL_TICKET_KEY_NAME_LEN + iv_len + 1 + mac_len) {
- /* The ticket must be large enough for key name, IV, data, and MAC. */
+ // The ticket must be large enough for key name, IV, data, and MAC.
return ssl_ticket_aead_ignore_ticket;
}
HMAC_Update(hmac_ctx, ticket, ticket_len - mac_len);
@@ -3030,7 +3030,7 @@
return ssl_ticket_aead_ignore_ticket;
}
- /* Decrypt the session data. */
+ // Decrypt the session data.
const uint8_t *ciphertext = ticket + SSL_TICKET_KEY_NAME_LEN + iv_len;
size_t ciphertext_len = ticket_len - SSL_TICKET_KEY_NAME_LEN - iv_len -
mac_len;
@@ -3062,7 +3062,7 @@
}
static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_cb(
- SSL *ssl, uint8_t **out, size_t *out_len, int *out_renew_ticket,
+ SSL *ssl, uint8_t **out, size_t *out_len, bool *out_renew_ticket,
const uint8_t *ticket, size_t ticket_len) {
assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
ScopedEVP_CIPHER_CTX cipher_ctx;
@@ -3076,7 +3076,7 @@
} else if (cb_ret == 0) {
return ssl_ticket_aead_ignore_ticket;
} else if (cb_ret == 2) {
- *out_renew_ticket = 1;
+ *out_renew_ticket = true;
} else {
assert(cb_ret == 1);
}
@@ -3090,12 +3090,12 @@
assert(ticket_len >= SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH);
SSL_CTX *ctx = ssl->session_ctx;
- /* Rotate the ticket key if necessary. */
+ // Rotate the ticket key if necessary.
if (!ssl_ctx_rotate_ticket_encryption_key(ctx)) {
return ssl_ticket_aead_error;
}
- /* Pick the matching ticket key and decrypt. */
+ // Pick the matching ticket key and decrypt.
ScopedEVP_CIPHER_CTX cipher_ctx;
ScopedHMAC_CTX hmac_ctx;
{
@@ -3125,7 +3125,7 @@
}
static enum ssl_ticket_aead_result_t ssl_decrypt_ticket_with_method(
- SSL *ssl, uint8_t **out, size_t *out_len, int *out_renew_ticket,
+ SSL *ssl, uint8_t **out, size_t *out_len, bool *out_renew_ticket,
const uint8_t *ticket, size_t ticket_len) {
uint8_t *plaintext = (uint8_t *)OPENSSL_malloc(ticket_len);
if (plaintext == NULL) {
@@ -3149,10 +3149,10 @@
}
enum ssl_ticket_aead_result_t ssl_process_ticket(
- SSL *ssl, UniquePtr<SSL_SESSION> *out_session, int *out_renew_ticket,
+ SSL *ssl, UniquePtr<SSL_SESSION> *out_session, bool *out_renew_ticket,
const uint8_t *ticket, size_t ticket_len, const uint8_t *session_id,
size_t session_id_len) {
- *out_renew_ticket = 0;
+ *out_renew_ticket = false;
out_session->reset();
if ((SSL_get_options(ssl) & SSL_OP_NO_TICKET) ||
@@ -3167,10 +3167,10 @@
result = ssl_decrypt_ticket_with_method(
ssl, &plaintext, &plaintext_len, out_renew_ticket, ticket, ticket_len);
} else {
- /* Ensure there is room for the key name and the largest IV
- * |tlsext_ticket_key_cb| may try to consume. The real limit may be lower,
- * but the maximum IV length should be well under the minimum size for the
- * session material and HMAC. */
+ // Ensure there is room for the key name and the largest IV
+ // |tlsext_ticket_key_cb| may try to consume. The real limit may be lower,
+ // but the maximum IV length should be well under the minimum size for the
+ // session material and HMAC.
if (ticket_len < SSL_TICKET_KEY_NAME_LEN + EVP_MAX_IV_LENGTH) {
return ssl_ticket_aead_ignore_ticket;
}
@@ -3187,18 +3187,18 @@
return result;
}
- /* Decode the session. */
+ // Decode the session.
UniquePtr<SSL_SESSION> session(
SSL_SESSION_from_bytes(plaintext, plaintext_len, ssl->ctx));
OPENSSL_free(plaintext);
if (!session) {
- ERR_clear_error(); /* Don't leave an error on the queue. */
+ ERR_clear_error(); // Don't leave an error on the queue.
return ssl_ticket_aead_ignore_ticket;
}
- /* Copy the client's session ID into the new session, to denote the ticket has
- * been accepted. */
+ // Copy the client's session ID into the new session, to denote the ticket has
+ // been accepted.
OPENSSL_memcpy(session->session_id, session_id, session_id_len);
session->session_id_length = session_id_len;
@@ -3207,7 +3207,7 @@
}
int tls1_parse_peer_sigalgs(SSL_HANDSHAKE *hs, const CBS *in_sigalgs) {
- /* Extension ignored for inappropriate versions */
+ // Extension ignored for inappropriate versions
if (ssl3_protocol_version(hs->ssl) < TLS1_2_VERSION) {
return 1;
}
@@ -3222,14 +3222,14 @@
}
num_sigalgs /= 2;
- /* supported_signature_algorithms in the certificate request is
- * allowed to be empty. */
+ // supported_signature_algorithms in the certificate request is
+ // allowed to be empty.
if (num_sigalgs == 0) {
return 1;
}
- /* This multiplication doesn't overflow because sizeof(uint16_t) is two
- * and we just divided |num_sigalgs| by two. */
+ // This multiplication doesn't overflow because sizeof(uint16_t) is two
+ // and we just divided |num_sigalgs| by two.
hs->peer_sigalgs = (uint16_t *)OPENSSL_malloc(num_sigalgs * sizeof(uint16_t));
if (hs->peer_sigalgs == NULL) {
return 0;
@@ -3264,8 +3264,8 @@
SSL *const ssl = hs->ssl;
CERT *cert = ssl->cert;
- /* Before TLS 1.2, the signature algorithm isn't negotiated as part of the
- * handshake. */
+ // Before TLS 1.2, the signature algorithm isn't negotiated as part of the
+ // handshake.
if (ssl3_protocol_version(ssl) < TLS1_2_VERSION) {
if (!tls1_get_legacy_signature_algorithm(out, hs->local_pubkey.get())) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
@@ -3284,9 +3284,9 @@
const uint16_t *peer_sigalgs = hs->peer_sigalgs;
size_t num_peer_sigalgs = hs->num_peer_sigalgs;
if (num_peer_sigalgs == 0 && ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
- /* If the client didn't specify any signature_algorithms extension then
- * we can assume that it supports SHA1. See
- * http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+ // If the client didn't specify any signature_algorithms extension then
+ // we can assume that it supports SHA1. See
+ // http://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
static const uint16_t kDefaultPeerAlgorithms[] = {SSL_SIGN_RSA_PKCS1_SHA1,
SSL_SIGN_ECDSA_SHA1};
peer_sigalgs = kDefaultPeerAlgorithms;
@@ -3295,8 +3295,8 @@
for (size_t i = 0; i < num_sigalgs; i++) {
uint16_t sigalg = sigalgs[i];
- /* SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
- * negotiated. */
+ // SSL_SIGN_RSA_PKCS1_MD5_SHA1 is an internal value and should never be
+ // negotiated.
if (sigalg == SSL_SIGN_RSA_PKCS1_MD5_SHA1 ||
!ssl_private_key_supports_signature_algorithm(hs, sigalgs[i])) {
continue;
@@ -3316,8 +3316,8 @@
int tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
SSL *const ssl = hs->ssl;
- /* A Channel ID handshake message is structured to contain multiple
- * extensions, but the only one that can be present is Channel ID. */
+ // A Channel ID handshake message is structured to contain multiple
+ // extensions, but the only one that can be present is Channel ID.
uint16_t extension_type;
CBS channel_id = msg.body, extension;
if (!CBS_get_u16(&channel_id, &extension_type) ||
@@ -3373,7 +3373,7 @@
if (!sig_ok) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_SIGNATURE_INVALID);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
- ssl->s3->tlsext_channel_id_valid = 0;
+ ssl->s3->tlsext_channel_id_valid = false;
return 0;
}
@@ -3474,16 +3474,16 @@
return 1;
}
-/* tls1_record_handshake_hashes_for_channel_id records the current handshake
- * hashes in |hs->new_session| so that Channel ID resumptions can sign that
- * data. */
+// tls1_record_handshake_hashes_for_channel_id records the current handshake
+// hashes in |hs->new_session| so that Channel ID resumptions can sign that
+// data.
int tls1_record_handshake_hashes_for_channel_id(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* This function should never be called for a resumed session because the
- * handshake hashes that we wish to record are for the original, full
- * handshake. */
+ // This function should never be called for a resumed session because the
+ // handshake hashes that we wish to record are for the original, full
+ // handshake.
if (ssl->session != NULL) {
- return -1;
+ return 0;
}
static_assert(
@@ -3493,7 +3493,7 @@
size_t digest_len;
if (!hs->transcript.GetHash(hs->new_session->original_handshake_hash,
&digest_len)) {
- return -1;
+ return 0;
}
static_assert(EVP_MAX_MD_SIZE <= 0xff,
@@ -3512,7 +3512,7 @@
EVP_PKEY *key = NULL;
ssl->ctx->channel_id_cb(ssl, &key);
if (key == NULL) {
- /* The caller should try again later. */
+ // The caller should try again later.
return 1;
}
@@ -3522,9 +3522,9 @@
}
int ssl_is_sct_list_valid(const CBS *contents) {
- /* Shallow parse the SCT list for sanity. By the RFC
- * (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
- * of the SCTs may be empty. */
+ // Shallow parse the SCT list for sanity. By the RFC
+ // (https://tools.ietf.org/html/rfc6962#section-3.3) neither the list nor any
+ // of the SCTs may be empty.
CBS copy = *contents;
CBS sct_list;
if (!CBS_get_u16_length_prefixed(©, &sct_list) ||
diff --git a/src/ssl/test/bssl_shim.cc b/src/ssl/test/bssl_shim.cc
index 7179832..0c97438 100644
--- a/src/ssl/test/bssl_shim.cc
+++ b/src/ssl/test/bssl_shim.cc
@@ -115,6 +115,8 @@
bool custom_verify_ready = false;
std::string msg_callback_text;
bool msg_callback_ok = true;
+ // cert_verified is true if certificate verification has been driven to
+ // completion. This tests that the callback is not called again after this.
bool cert_verified = false;
};
@@ -716,12 +718,12 @@
return 0;
}
+ GetTestState(ssl)->cert_verified = true;
if (config->verify_fail) {
store_ctx->error = X509_V_ERR_APPLICATION_VERIFICATION;
return 0;
}
- GetTestState(ssl)->cert_verified = true;
return 1;
}
@@ -735,11 +737,11 @@
return ssl_verify_retry;
}
+ GetTestState(ssl)->cert_verified = true;
if (config->verify_fail) {
return ssl_verify_invalid;
}
- GetTestState(ssl)->cert_verified = true;
return ssl_verify_ok;
}
@@ -885,6 +887,12 @@
// test fails.
abort();
}
+ // This callback is called when the handshake completes. |SSL_get_session|
+ // must continue to work and |SSL_in_init| must return false.
+ if (SSL_in_init(ssl) || SSL_get_session(ssl) == nullptr) {
+ fprintf(stderr, "Invalid state for SSL_CB_HANDSHAKE_DONE.\n");
+ abort();
+ }
GetTestState(ssl)->handshake_done = true;
// Callbacks may be called again on a new handshake.
@@ -894,6 +902,14 @@
}
static int NewSessionCallback(SSL *ssl, SSL_SESSION *session) {
+ // This callback is called as the handshake completes. |SSL_get_session|
+ // must continue to work and, historically, |SSL_in_init| returned false at
+ // this point.
+ if (SSL_in_init(ssl) || SSL_get_session(ssl) == nullptr) {
+ fprintf(stderr, "Invalid state for NewSessionCallback.\n");
+ abort();
+ }
+
GetTestState(ssl)->got_new_session = true;
GetTestState(ssl)->new_session.reset(session);
return 1;
@@ -1038,8 +1054,8 @@
uint8_t type;
uint32_t msg_len;
if (!CBS_get_u8(&cbs, &type) ||
- /* TODO(davidben): Reporting on entire messages would be more
- * consistent than fragments. */
+ // TODO(davidben): Reporting on entire messages would be more
+ // consistent than fragments.
(config->is_dtls &&
!CBS_skip(&cbs, 3 /* total */ + 2 /* seq */ + 3 /* frag_off */)) ||
!CBS_get_u24(&cbs, &msg_len) ||
@@ -2419,7 +2435,7 @@
StderrDelimiter delimiter;
#if defined(OPENSSL_WINDOWS)
- /* Initialize Winsock. */
+ // Initialize Winsock.
WORD wsa_version = MAKEWORD(2, 2);
WSADATA wsa_data;
int wsa_err = WSAStartup(wsa_version, &wsa_data);
diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go
index b2f5277..7244527 100644
--- a/src/ssl/test/runner/common.go
+++ b/src/ssl/test/runner/common.go
@@ -1427,6 +1427,10 @@
// and ServerHello messages to be present, but empty.
EmptyExtensions bool
+ // ExpectOmitExtensions, if true, causes the client to reject
+ // ServerHello messages that do not omit extensions.
+ ExpectOmitExtensions bool
+
// ExpectRecordSplitting, if true, causes application records to only be
// accepted if they follow a 1/n-1 record split.
ExpectRecordSplitting bool
diff --git a/src/ssl/test/runner/handshake_client.go b/src/ssl/test/runner/handshake_client.go
index 7423726..83f2d7d 100644
--- a/src/ssl/test/runner/handshake_client.go
+++ b/src/ssl/test/runner/handshake_client.go
@@ -17,7 +17,6 @@
"io"
"math/big"
"net"
- "strconv"
"time"
"./ed25519"
@@ -580,6 +579,10 @@
return errors.New("tls: ServerHello parameters did not match HelloRetryRequest")
}
+ if c.config.Bugs.ExpectOmitExtensions && !serverHello.omitExtensions {
+ return errors.New("tls: ServerHello did not omit extensions")
+ }
+
hs := &clientHandshakeState{
c: c,
serverHello: serverHello,
@@ -1678,78 +1681,17 @@
// certificate, or none if none match. It may return a particular certificate or
// nil on success, or an error on internal error.
func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
- // RFC 4346 on the certificateAuthorities field:
- // A list of the distinguished names of acceptable certificate
- // authorities. These distinguished names may specify a desired
- // distinguished name for a root CA or for a subordinate CA; thus, this
- // message can be used to describe both known roots and a desired
- // authorization space. If the certificate_authorities list is empty
- // then the client MAY send any certificate of the appropriate
- // ClientCertificateType, unless there is some external arrangement to
- // the contrary.
-
- var rsaAvail, ecdsaAvail bool
- if !certReq.hasRequestContext {
- for _, certType := range certReq.certificateTypes {
- switch certType {
- case CertTypeRSASign:
- rsaAvail = true
- case CertTypeECDSASign:
- ecdsaAvail = true
- }
- }
+ if len(c.config.Certificates) == 0 {
+ return nil, nil
}
- // We need to search our list of client certs for one
- // where SignatureAlgorithm is RSA and the Issuer is in
- // certReq.certificateAuthorities
-findCert:
- for i, chain := range c.config.Certificates {
- if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
- continue
- }
-
- // Ensure the private key supports one of the advertised
- // signature algorithms.
- if certReq.hasSignatureAlgorithm {
- if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
- continue
- }
- }
-
- for j, cert := range chain.Certificate {
- x509Cert := chain.Leaf
- // parse the certificate if this isn't the leaf
- // node, or if chain.Leaf was nil
- if j != 0 || x509Cert == nil {
- var err error
- if x509Cert, err = x509.ParseCertificate(cert); err != nil {
- c.sendAlert(alertInternalError)
- return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
- }
- }
-
- if !certReq.hasRequestContext {
- switch {
- case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
- case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
- case ecdsaAvail && isEd25519Certificate(x509Cert):
- default:
- continue findCert
- }
- }
-
- if expected := c.config.Bugs.ExpectCertificateReqNames; expected != nil {
- if !eqByteSlices(expected, certReq.certificateAuthorities) {
- return nil, fmt.Errorf("tls: CertificateRequest names differed, got %#v but expected %#v", certReq.certificateAuthorities, expected)
- }
- }
-
- return &chain, nil
- }
+ // The test is assumed to have configured the certificate it meant to
+ // send.
+ if len(c.config.Certificates) > 1 {
+ return nil, errors.New("tls: multiple certificates configured")
}
- return nil, nil
+ return &c.config.Certificates[0], nil
}
// clientSessionCacheKey returns a key used to cache sessionTickets that could
diff --git a/src/ssl/test/runner/handshake_messages.go b/src/ssl/test/runner/handshake_messages.go
index 4be873d..7da08d8 100644
--- a/src/ssl/test/runner/handshake_messages.go
+++ b/src/ssl/test/runner/handshake_messages.go
@@ -974,6 +974,7 @@
if len(data) == 0 && m.vers < VersionTLS13 {
// Extension data is optional before TLS 1.3.
m.extensions = serverExtensions{}
+ m.omitExtensions = true
return true
}
if len(data) < 2 {
diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go
index 56814d3..0ce6849 100644
--- a/src/ssl/test/runner/runner.go
+++ b/src/ssl/test/runner/runner.go
@@ -138,6 +138,7 @@
ecdsaP384Certificate Certificate
ecdsaP521Certificate Certificate
ed25519Certificate Certificate
+ garbageCertificate Certificate
)
var testCerts = []struct {
@@ -236,6 +237,9 @@
channelIDBytes = make([]byte, 64)
writeIntPadded(channelIDBytes[:32], channelIDKey.X)
writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
+
+ garbageCertificate.Certificate = [][]byte{[]byte("GARBAGE")}
+ garbageCertificate.PrivateKey = rsaCertificate.PrivateKey
}
func getRunnerCertificate(t testCert) Certificate {
@@ -12241,9 +12245,9 @@
}
func addCertificateTests() {
- // Test that a certificate chain with intermediate may be sent and
- // received as both client and server.
for _, ver := range tlsVersions {
+ // Test that a certificate chain with intermediate may be sent
+ // and received as both client and server.
testCases = append(testCases, testCase{
testType: clientTest,
name: "SendReceiveIntermediate-Client-" + ver.name,
@@ -12279,6 +12283,36 @@
"-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
},
})
+
+ // Test that garbage leaf certificates are properly rejected.
+ testCases = append(testCases, testCase{
+ testType: clientTest,
+ name: "GarbageCertificate-Client-" + ver.name,
+ config: Config{
+ MinVersion: ver.version,
+ MaxVersion: ver.version,
+ Certificates: []Certificate{garbageCertificate},
+ },
+ tls13Variant: ver.tls13Variant,
+ shouldFail: true,
+ expectedError: ":CANNOT_PARSE_LEAF_CERT:",
+ expectedLocalError: "remote error: error decoding message",
+ })
+
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "GarbageCertificate-Server-" + ver.name,
+ config: Config{
+ MinVersion: ver.version,
+ MaxVersion: ver.version,
+ Certificates: []Certificate{garbageCertificate},
+ },
+ tls13Variant: ver.tls13Variant,
+ flags: []string{"-require-any-client-certificate"},
+ shouldFail: true,
+ expectedError: ":CANNOT_PARSE_LEAF_CERT:",
+ expectedLocalError: "remote error: error decoding message",
+ })
}
}
@@ -12531,6 +12565,21 @@
// Test that omitted and empty extensions blocks are tolerated.
func addOmitExtensionsTests() {
+ // Check the ExpectOmitExtensions setting works.
+ testCases = append(testCases, testCase{
+ testType: serverTest,
+ name: "ExpectOmitExtensions",
+ config: Config{
+ MinVersion: VersionTLS12,
+ MaxVersion: VersionTLS12,
+ Bugs: ProtocolBugs{
+ ExpectOmitExtensions: true,
+ },
+ },
+ shouldFail: true,
+ expectedLocalError: "tls: ServerHello did not omit extensions",
+ })
+
for _, ver := range tlsVersions {
if ver.version > VersionTLS12 {
continue
@@ -12545,6 +12594,9 @@
SessionTicketsDisabled: true,
Bugs: ProtocolBugs{
OmitExtensions: true,
+ // With no client extensions, the ServerHello must not have
+ // extensions. It should then omit the extensions field.
+ ExpectOmitExtensions: true,
},
},
})
@@ -12558,6 +12610,9 @@
SessionTicketsDisabled: true,
Bugs: ProtocolBugs{
EmptyExtensions: true,
+ // With no client extensions, the ServerHello must not have
+ // extensions. It should then omit the extensions field.
+ ExpectOmitExtensions: true,
},
},
})
diff --git a/src/ssl/tls13_both.cc b/src/ssl/tls13_both.cc
index 6e7260e..e0fefe3 100644
--- a/src/ssl/tls13_both.cc
+++ b/src/ssl/tls13_both.cc
@@ -32,106 +32,11 @@
namespace bssl {
-/* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
- * processed. Without this limit an attacker could force unbounded processing
- * without being able to return application data. */
+// kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
+// processed. Without this limit an attacker could force unbounded processing
+// without being able to return application data.
static const uint8_t kMaxKeyUpdates = 32;
-int tls13_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {
- SSL *const ssl = hs->ssl;
- for (;;) {
- /* Resolve the operation the handshake was waiting on. */
- switch (hs->wait) {
- case ssl_hs_error:
- OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
- return -1;
-
- case ssl_hs_flush: {
- int ret = ssl->method->flush_flight(ssl);
- if (ret <= 0) {
- return ret;
- }
- break;
- }
-
- case ssl_hs_read_message: {
- int ret = ssl->method->read_message(ssl);
- if (ret <= 0) {
- return ret;
- }
- break;
- }
-
- case ssl_hs_read_change_cipher_spec: {
- int ret = ssl->method->read_change_cipher_spec(ssl);
- if (ret <= 0) {
- return ret;
- }
- break;
- }
-
- case ssl_hs_read_end_of_early_data: {
- if (ssl->s3->hs->can_early_read) {
- /* While we are processing early data, the handshake returns early. */
- *out_early_return = 1;
- return 1;
- }
- hs->wait = ssl_hs_ok;
- break;
- }
-
- case ssl_hs_x509_lookup:
- ssl->rwstate = SSL_X509_LOOKUP;
- hs->wait = ssl_hs_ok;
- return -1;
-
- case ssl_hs_channel_id_lookup:
- ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;
- hs->wait = ssl_hs_ok;
- return -1;
-
- case ssl_hs_private_key_operation:
- ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
- hs->wait = ssl_hs_ok;
- return -1;
-
- case ssl_hs_pending_ticket:
- ssl->rwstate = SSL_PENDING_TICKET;
- hs->wait = ssl_hs_ok;
- return -1;
-
- case ssl_hs_certificate_verify:
- ssl->rwstate = SSL_CERTIFICATE_VERIFY;
- hs->wait = ssl_hs_ok;
- return -1;
-
- case ssl_hs_early_data_rejected:
- ssl->rwstate = SSL_EARLY_DATA_REJECTED;
- /* Cause |SSL_write| to start failing immediately. */
- hs->can_early_write = 0;
- return -1;
-
- case ssl_hs_ok:
- break;
- }
-
- /* Run the state machine again. */
- hs->wait = hs->do_tls13_handshake(hs);
- if (hs->wait == ssl_hs_error) {
- /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
- * first time around. */
- return -1;
- }
- if (hs->wait == ssl_hs_ok) {
- /* The handshake has completed. */
- return 1;
- }
-
- /* Otherwise, loop to the beginning and resolve what was blocking the
- * handshake. */
- }
-}
-
int tls13_get_cert_verify_signature_input(
SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len,
enum ssl_cert_verify_context_t cert_verify_context) {
@@ -151,7 +56,7 @@
const uint8_t *context;
size_t context_len;
if (cert_verify_context == ssl_cert_verify_server) {
- /* Include the NUL byte. */
+ // Include the NUL byte.
static const char kContext[] = "TLS 1.3, server CertificateVerify";
context = (const uint8_t *)kContext;
context_len = sizeof(kContext);
@@ -225,15 +130,15 @@
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
return 0;
}
- /* TLS 1.3 always uses certificate keys for signing thus the correct
- * keyUsage is enforced. */
+ // TLS 1.3 always uses certificate keys for signing thus the correct
+ // keyUsage is enforced.
if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return 0;
}
if (retain_sha256) {
- /* Retain the hash of the leaf certificate if requested. */
+ // Retain the hash of the leaf certificate if requested.
SHA256(CBS_data(&certificate), CBS_len(&certificate),
hs->new_session->peer_sha256);
}
@@ -248,8 +153,8 @@
return 0;
}
- /* Parse out the extensions. */
- int have_status_request = 0, have_sct = 0;
+ // Parse out the extensions.
+ bool have_status_request = false, have_sct = false;
CBS status_request, sct;
const SSL_EXTENSION_TYPE ext_types[] = {
{TLSEXT_TYPE_status_request, &have_status_request, &status_request},
@@ -264,8 +169,8 @@
return 0;
}
- /* All Certificate extensions are parsed, but only the leaf extensions are
- * stored. */
+ // All Certificate extensions are parsed, but only the leaf extensions are
+ // stored.
if (have_status_request) {
if (ssl->server || !ssl->ocsp_stapling_enabled) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
@@ -320,8 +225,8 @@
}
}
- /* Store a null certificate list rather than an empty one if the peer didn't
- * send certificates. */
+ // Store a null certificate list rather than an empty one if the peer didn't
+ // send certificates.
if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
certs.reset();
}
@@ -344,11 +249,11 @@
return 0;
}
- /* OpenSSL returns X509_V_OK when no certificates are requested. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are requested. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
- /* No certificate, so nothing more to do. */
+ // No certificate, so nothing more to do.
return 1;
}
@@ -442,7 +347,7 @@
ScopedCBB cbb;
CBB body, certificate_list;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||
- /* The request context is always empty in the handshake. */
+ // The request context is always empty in the handshake.
!CBB_add_u8(&body, 0) ||
!CBB_add_u24_length_prefixed(&body, &certificate_list)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
@@ -525,7 +430,7 @@
return ssl_private_key_failure;
}
- /* Sign the digest. */
+ // Sign the digest.
CBB child;
const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
uint8_t *sig;
@@ -598,7 +503,7 @@
return 0;
}
- /* Acknowledge the KeyUpdate */
+ // Acknowledge the KeyUpdate
if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&
!ssl->s3->key_update_pending) {
ScopedCBB cbb;
@@ -611,11 +516,11 @@
return 0;
}
- /* Suppress KeyUpdate acknowledgments until this change is written to the
- * wire. This prevents us from accumulating write obligations when read and
- * write progress at different rates. See draft-ietf-tls-tls13-18, section
- * 4.5.3. */
- ssl->s3->key_update_pending = 1;
+ // Suppress KeyUpdate acknowledgments until this change is written to the
+ // wire. This prevents us from accumulating write obligations when read and
+ // write progress at different rates. See draft-ietf-tls-tls13-18, section
+ // 4.5.3.
+ ssl->s3->key_update_pending = true;
}
return 1;
diff --git a/src/ssl/tls13_client.cc b/src/ssl/tls13_client.cc
index 6608404..f91da26 100644
--- a/src/ssl/tls13_client.cc
+++ b/src/ssl/tls13_client.cc
@@ -66,7 +66,7 @@
uint16_t server_version;
if (!CBS_get_u16(&body, &server_version) ||
!CBS_get_u16_length_prefixed(&body, &extensions) ||
- /* HelloRetryRequest may not be empty. */
+ // HelloRetryRequest may not be empty.
CBS_len(&extensions) == 0 ||
CBS_len(&body) != 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
@@ -74,7 +74,7 @@
return ssl_hs_error;
}
- int have_cookie, have_key_share;
+ bool have_cookie, have_key_share;
CBS cookie, key_share;
const SSL_EXTENSION_TYPE ext_types[] = {
{TLSEXT_TYPE_key_share, &have_key_share, &key_share},
@@ -112,7 +112,7 @@
return ssl_hs_error;
}
- /* The group must be supported. */
+ // The group must be supported.
const uint16_t *groups;
size_t groups_len;
tls1_get_grouplist(ssl, &groups, &groups_len);
@@ -130,8 +130,8 @@
return ssl_hs_error;
}
- /* Check that the HelloRetryRequest does not request the key share that
- * was provided in the initial ClientHello. */
+ // Check that the HelloRetryRequest does not request the key share that
+ // was provided in the initial ClientHello.
if (hs->key_share->GroupID() == group_id) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
@@ -147,9 +147,9 @@
}
ssl->method->next_message(ssl);
- hs->received_hello_retry_request = 1;
+ hs->received_hello_retry_request = true;
hs->tls13_state = state_send_second_client_hello;
- /* 0-RTT is rejected if we receive a HelloRetryRequest. */
+ // 0-RTT is rejected if we receive a HelloRetryRequest.
if (hs->in_early_data) {
return ssl_hs_early_data_rejected;
}
@@ -158,7 +158,7 @@
static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Restore the null cipher. We may have switched due to 0-RTT. */
+ // Restore the null cipher. We may have switched due to 0-RTT.
bssl::UniquePtr<SSLAEADContext> null_ctx = SSLAEADContext::CreateNullCipher();
if (!null_ctx ||
!ssl->method->set_write_state(ssl, std::move(null_ctx)) ||
@@ -217,7 +217,7 @@
return ssl_hs_error;
}
- /* Check if the cipher is a TLS 1.3 cipher. */
+ // Check if the cipher is a TLS 1.3 cipher.
if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
@@ -225,8 +225,9 @@
return ssl_hs_error;
}
- /* Parse out the extensions. */
- int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0;
+ // Parse out the extensions.
+ bool have_key_share = false, have_pre_shared_key = false,
+ have_supported_versions = false;
CBS key_share, pre_shared_key, supported_versions;
const SSL_EXTENSION_TYPE ext_types[] = {
{TLSEXT_TYPE_key_share, &have_key_share, &key_share},
@@ -243,8 +244,8 @@
return ssl_hs_error;
}
- /* supported_versions is parsed in handshake_client to select the experimental
- * TLS 1.3 version. */
+ // supported_versions is parsed in handshake_client to select the experimental
+ // TLS 1.3 version.
if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
@@ -278,15 +279,15 @@
}
if (!ssl_session_is_context_valid(ssl, ssl->session)) {
- /* This is actually a client application bug. */
+ // This is actually a client application bug.
OPENSSL_PUT_ERROR(SSL,
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
return ssl_hs_error;
}
- ssl->s3->session_reused = 1;
- /* Only authentication information carries over in TLS 1.3. */
+ ssl->s3->session_reused = true;
+ // Only authentication information carries over in TLS 1.3.
hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
if (!hs->new_session) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
@@ -294,7 +295,7 @@
}
ssl_set_session(ssl, NULL);
- /* Resumption incorporates fresh key material, so refresh the timeout. */
+ // Resumption incorporates fresh key material, so refresh the timeout.
ssl_session_renew_timeout(ssl, hs->new_session.get(),
ssl->session_ctx->session_psk_dhe_timeout);
} else if (!ssl_get_new_session(hs, 0)) {
@@ -305,12 +306,12 @@
hs->new_session->cipher = cipher;
hs->new_cipher = cipher;
- /* The PRF hash is now known. Set up the key schedule. */
+ // The PRF hash is now known. Set up the key schedule.
if (!tls13_init_key_schedule(hs)) {
return ssl_hs_error;
}
- /* Incorporate the PSK into the running secret. */
+ // Incorporate the PSK into the running secret.
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
hs->new_session->master_key_length)) {
@@ -321,13 +322,13 @@
}
if (!have_key_share) {
- /* We do not support psk_ke and thus always require a key share. */
+ // We do not support psk_ke and thus always require a key share.
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
return ssl_hs_error;
}
- /* Resolve ECDHE and incorporate it into the secret. */
+ // Resolve ECDHE and incorporate it into the secret.
uint8_t *dhe_secret;
size_t dhe_secret_len;
alert = SSL_AD_DECODE_ERROR;
@@ -363,8 +364,8 @@
}
if (!hs->early_data_offered) {
- /* If not sending early data, set client traffic keys now so that alerts are
- * encrypted. */
+ // If not sending early data, set client traffic keys now so that alerts are
+ // encrypted.
if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
!ssl3_add_change_cipher_spec(ssl)) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
@@ -398,7 +399,7 @@
return ssl_hs_error;
}
- /* Store the negotiated ALPN in the session. */
+ // Store the negotiated ALPN in the session.
if (ssl->s3->alpn_selected != NULL) {
hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
@@ -437,7 +438,7 @@
static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* CertificateRequest may only be sent in non-resumption handshakes. */
+ // CertificateRequest may only be sent in non-resumption handshakes.
if (ssl->s3->session_reused) {
hs->tls13_state = state_read_server_finished;
return ssl_hs_ok;
@@ -448,7 +449,7 @@
return ssl_hs_read_message;
}
- /* CertificateRequest is optional. */
+ // CertificateRequest is optional.
if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
hs->tls13_state = state_read_server_certificate;
return ssl_hs_ok;
@@ -456,7 +457,7 @@
CBS body = msg.body, context, supported_signature_algorithms;
if (!CBS_get_u8_length_prefixed(&body, &context) ||
- /* The request context is always empty during the handshake. */
+ // The request context is always empty during the handshake.
CBS_len(&context) != 0 ||
!CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) ||
CBS_len(&supported_signature_algorithms) == 0 ||
@@ -474,7 +475,7 @@
return ssl_hs_error;
}
- /* Ignore extensions. */
+ // Ignore extensions.
CBS extensions;
if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
CBS_len(&body) != 0) {
@@ -483,7 +484,7 @@
return ssl_hs_error;
}
- hs->cert_request = 1;
+ hs->cert_request = true;
hs->ca_names = std::move(ca_names);
ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
@@ -550,7 +551,7 @@
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
!tls13_process_finished(hs, msg, 0 /* don't use saved value */) ||
!ssl_hash_message(hs, msg) ||
- /* Update the secret to the master secret and derive traffic keys. */
+ // Update the secret to the master secret and derive traffic keys.
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
!tls13_derive_application_secrets(hs)) {
return ssl_hs_error;
@@ -565,7 +566,7 @@
SSL *const ssl = hs->ssl;
if (ssl->early_data_accepted) {
- hs->can_early_write = 0;
+ hs->can_early_write = false;
if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,
TLS1_AD_END_OF_EARLY_DATA)) {
return ssl_hs_error;
@@ -588,13 +589,13 @@
static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* The peer didn't request a certificate. */
+ // The peer didn't request a certificate.
if (!hs->cert_request) {
hs->tls13_state = state_complete_second_flight;
return ssl_hs_ok;
}
- /* Call cert_cb to update the certificate. */
+ // Call cert_cb to update the certificate.
if (ssl->cert->cert_cb != NULL) {
int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
if (rv == 0) {
@@ -619,7 +620,7 @@
static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Don't send CertificateVerify if there is no certificate. */
+ // Don't send CertificateVerify if there is no certificate.
if (!ssl_has_certificate(ssl)) {
hs->tls13_state = state_complete_second_flight;
return ssl_hs_ok;
@@ -645,7 +646,7 @@
static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* Send a Channel ID assertion if necessary. */
+ // Send a Channel ID assertion if necessary.
if (ssl->s3->tlsext_channel_id_valid) {
if (!ssl_do_channel_id_callback(ssl)) {
hs->tls13_state = state_complete_second_flight;
@@ -665,12 +666,12 @@
}
}
- /* Send a Finished message. */
+ // Send a Finished message.
if (!tls13_add_finished(hs)) {
return ssl_hs_error;
}
- /* Derive the final keys and enable them. */
+ // Derive the final keys and enable them.
if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
hs->hash_len) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
@@ -733,7 +734,7 @@
break;
}
- if (hs->state != state) {
+ if (hs->tls13_state != state) {
ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
}
@@ -804,14 +805,14 @@
return 0;
}
- /* Cap the renewable lifetime by the server advertised value. This avoids
- * wasting bandwidth on 0-RTT when we know the server will reject it. */
+ // Cap the renewable lifetime by the server advertised value. This avoids
+ // wasting bandwidth on 0-RTT when we know the server will reject it.
if (session->timeout > server_timeout) {
session->timeout = server_timeout;
}
- /* Parse out the extensions. */
- int have_early_data_info = 0;
+ // Parse out the extensions.
+ bool have_early_data_info = false;
CBS early_data_info;
const SSL_EXTENSION_TYPE ext_types[] = {
{TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,
@@ -840,7 +841,7 @@
if (ssl->ctx->new_session_cb != NULL &&
ssl->ctx->new_session_cb(ssl, session.get())) {
- /* |new_session_cb|'s return value signals that it took ownership. */
+ // |new_session_cb|'s return value signals that it took ownership.
session.release();
}
diff --git a/src/ssl/tls13_enc.cc b/src/ssl/tls13_enc.cc
index 39e80be..7bd87c5 100644
--- a/src/ssl/tls13_enc.cc
+++ b/src/ssl/tls13_enc.cc
@@ -40,7 +40,7 @@
hs->hash_len = hs->transcript.DigestLen();
- /* Initialize the secret to the zero key. */
+ // Initialize the secret to the zero key.
OPENSSL_memset(hs->secret, 0, hs->hash_len);
return 1;
@@ -96,9 +96,9 @@
return ret;
}
-/* derive_secret derives a secret of length |len| and writes the result in |out|
- * with the given label and the current base secret and most recently-saved
- * handshake context. It returns one on success and zero on error. */
+// derive_secret derives a secret of length |len| and writes the result in |out|
+// with the given label and the current base secret and most recently-saved
+// handshake context. It returns one on success and zero on error.
static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
const uint8_t *label, size_t label_len) {
uint8_t context_hash[EVP_MAX_MD_SIZE];
@@ -123,7 +123,7 @@
return 0;
}
- /* Look up cipher suite properties. */
+ // Look up cipher suite properties.
const EVP_AEAD *aead;
size_t discard;
if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,
@@ -133,7 +133,7 @@
const EVP_MD *digest = SSL_SESSION_get_digest(session);
- /* Derive the key. */
+ // Derive the key.
size_t key_len = EVP_AEAD_key_length(aead);
uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,
@@ -141,7 +141,7 @@
return 0;
}
- /* Derive the IV. */
+ // Derive the IV.
size_t iv_len = EVP_AEAD_nonce_length(aead);
uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];
if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len,
@@ -166,7 +166,7 @@
}
}
- /* Save the traffic secret. */
+ // Save the traffic secret.
if (direction == evp_aead_open) {
OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,
traffic_secret_len);
@@ -279,8 +279,8 @@
static const char kTLS13LabelFinished[] = "finished";
-/* tls13_verify_data sets |out| to be the HMAC of |context| using a derived
- * Finished key for both Finished messages and the PSK binder. */
+// tls13_verify_data sets |out| to be the HMAC of |context| using a derived
+// Finished key for both Finished messages and the PSK binder.
static int tls13_verify_data(const EVP_MD *digest, uint8_t *out,
size_t *out_len, const uint8_t *secret,
size_t hash_len, uint8_t *context,
@@ -401,15 +401,15 @@
const SSLMessage &msg, CBS *binders) {
size_t hash_len = hs->transcript.DigestLen();
- /* The message must be large enough to exclude the binders. */
+ // The message must be large enough to exclude the binders.
if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
- /* Hash a ClientHello prefix up to the binders. This includes the header. For
- * now, this assumes we only ever verify PSK binders on initial
- * ClientHellos. */
+ // Hash a ClientHello prefix up to the binders. This includes the header. For
+ // now, this assumes we only ever verify PSK binders on initial
+ // ClientHellos.
uint8_t context[EVP_MAX_MD_SIZE];
unsigned context_len;
if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,
@@ -422,7 +422,7 @@
if (!tls13_psk_binder(verify_data, hs->transcript.Digest(),
session->master_key, session->master_key_length,
context, context_len, hash_len) ||
- /* We only consider the first PSK, so compare against the first binder. */
+ // We only consider the first PSK, so compare against the first binder.
!CBS_get_u8_length_prefixed(binders, &binder)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc
index 894fa87..65c2f11 100644
--- a/src/ssl/tls13_server.cc
+++ b/src/ssl/tls13_server.cc
@@ -12,9 +12,9 @@
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* Per C99, various stdint.h macros are unavailable in C++ unless some macros
- * are defined. C++11 overruled this decision, but older Android NDKs still
- * require it. */
+// Per C99, various stdint.h macros are unavailable in C++ unless some macros
+// are defined. C++11 overruled this decision, but older Android NDKs still
+// require it.
#if !defined(__STDC_LIMIT_MACROS)
#define __STDC_LIMIT_MACROS
#endif
@@ -59,12 +59,12 @@
static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
-static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, int *out_need_retry,
+static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,
SSL_CLIENT_HELLO *client_hello) {
SSL *const ssl = hs->ssl;
- *out_need_retry = 0;
+ *out_need_retry = false;
- /* We only support connections that include an ECDHE key exchange. */
+ // We only support connections that include an ECDHE key exchange.
CBS key_share;
if (!ssl_client_hello_get_extension(client_hello, &key_share,
TLSEXT_TYPE_key_share)) {
@@ -73,7 +73,7 @@
return 0;
}
- int found_key_share;
+ bool found_key_share;
uint8_t *dhe_secret;
size_t dhe_secret_len;
uint8_t alert = SSL_AD_DECODE_ERROR;
@@ -85,7 +85,7 @@
}
if (!found_key_share) {
- *out_need_retry = 1;
+ *out_need_retry = true;
return 0;
}
@@ -127,7 +127,7 @@
return NULL;
}
- /* Limit to TLS 1.3 ciphers we know about. */
+ // Limit to TLS 1.3 ciphers we know about.
const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
if (candidate == NULL ||
SSL_CIPHER_get_min_version(candidate) > version ||
@@ -135,8 +135,8 @@
continue;
}
- /* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
- * ChaCha20 if we do not have AES hardware. */
+ // TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
+ // ChaCha20 if we do not have AES hardware.
if (aes_is_fine) {
return candidate;
}
@@ -155,12 +155,12 @@
static int add_new_session_tickets(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
- /* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
- * the client makes several connections before getting a renewal. */
+ // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
+ // the client makes several connections before getting a renewal.
static const int kNumTickets = 2;
- /* Rebase the session timestamp so that it is measured from ticket
- * issuance. */
+ // Rebase the session timestamp so that it is measured from ticket
+ // issuance.
ssl_session_rebase_time(ssl, hs->new_session.get());
for (int i = 0; i < kNumTickets; i++) {
@@ -194,7 +194,7 @@
}
}
- /* Add a fake extension. See draft-davidben-tls-grease-01. */
+ // Add a fake extension. See draft-davidben-tls-grease-01.
if (!CBB_add_u16(&extensions,
ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
!CBB_add_u16(&extensions, 0 /* empty */)) {
@@ -210,8 +210,8 @@
}
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
- /* At this point, most ClientHello extensions have already been processed by
- * the common handshake logic. Resolve the remaining non-PSK parameters. */
+ // At this point, most ClientHello extensions have already been processed by
+ // the common handshake logic. Resolve the remaining non-PSK parameters.
SSL *const ssl = hs->ssl;
SSLMessage msg;
if (!ssl->method->get_message(ssl, &msg)) {
@@ -228,7 +228,7 @@
client_hello.session_id_len);
hs->session_id_len = client_hello.session_id_len;
- /* Negotiate the cipher suite. */
+ // Negotiate the cipher suite.
hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
if (hs->new_cipher == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
@@ -236,16 +236,16 @@
return ssl_hs_error;
}
- /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
- * deferred. Complete it now. */
+ // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
+ // deferred. Complete it now.
uint8_t alert = SSL_AD_DECODE_ERROR;
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
return ssl_hs_error;
}
- /* The PRF hash is now known. Set up the key schedule and hash the
- * ClientHello. */
+ // The PRF hash is now known. Set up the key schedule and hash the
+ // ClientHello.
if (!tls13_init_key_schedule(hs) ||
!ssl_hash_message(hs, msg)) {
return ssl_hs_error;
@@ -262,7 +262,7 @@
SSL *const ssl = hs->ssl;
*out_session = NULL;
- /* Decode the ticket if we agreed on a PSK key exchange mode. */
+ // Decode the ticket if we agreed on a PSK key exchange mode.
CBS pre_shared_key;
if (!hs->accept_psk_mode ||
!ssl_client_hello_get_extension(client_hello, &pre_shared_key,
@@ -270,8 +270,8 @@
return ssl_ticket_aead_ignore_ticket;
}
- /* Verify that the pre_shared_key extension is the last extension in
- * ClientHello. */
+ // Verify that the pre_shared_key extension is the last extension in
+ // ClientHello.
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
client_hello->extensions + client_hello->extensions_len) {
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
@@ -287,9 +287,9 @@
return ssl_ticket_aead_error;
}
- /* TLS 1.3 session tickets are renewed separately as part of the
- * NewSessionTicket. */
- int unused_renew;
+ // TLS 1.3 session tickets are renewed separately as part of the
+ // NewSessionTicket.
+ bool unused_renew;
UniquePtr<SSL_SESSION> session;
enum ssl_ticket_aead_result_t ret =
ssl_process_ticket(ssl, &session, &unused_renew, CBS_data(&ticket),
@@ -305,34 +305,34 @@
}
if (!ssl_session_is_resumable(hs, session.get()) ||
- /* Historically, some TLS 1.3 tickets were missing ticket_age_add. */
+ // Historically, some TLS 1.3 tickets were missing ticket_age_add.
!session->ticket_age_add_valid) {
return ssl_ticket_aead_ignore_ticket;
}
- /* Recover the client ticket age and convert to seconds. */
+ // Recover the client ticket age and convert to seconds.
client_ticket_age -= session->ticket_age_add;
client_ticket_age /= 1000;
struct OPENSSL_timeval now;
ssl_get_current_time(ssl, &now);
- /* Compute the server ticket age in seconds. */
+ // Compute the server ticket age in seconds.
assert(now.tv_sec >= session->time);
uint64_t server_ticket_age = now.tv_sec - session->time;
- /* To avoid overflowing |hs->ticket_age_skew|, we will not resume
- * 68-year-old sessions. */
+ // To avoid overflowing |hs->ticket_age_skew|, we will not resume
+ // 68-year-old sessions.
if (server_ticket_age > INT32_MAX) {
return ssl_ticket_aead_ignore_ticket;
}
- /* TODO(davidben,svaldez): Measure this value to decide on tolerance. For
- * now, accept all values. https://crbug.com/boringssl/113. */
+ // TODO(davidben,svaldez): Measure this value to decide on tolerance. For
+ // now, accept all values. https://crbug.com/boringssl/113.
*out_ticket_age_skew =
(int32_t)client_ticket_age - (int32_t)server_ticket_age;
- /* Check the PSK binder. */
+ // Check the PSK binder.
if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
*out_alert = SSL_AD_DECRYPT_ERROR;
return ssl_ticket_aead_error;
@@ -368,21 +368,21 @@
break;
case ssl_ticket_aead_success:
- /* Carry over authentication information from the previous handshake into
- * a fresh session. */
+ // Carry over authentication information from the previous handshake into
+ // a fresh session.
hs->new_session =
SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
- if (/* Early data must be acceptable for this ticket. */
+ if (// Early data must be acceptable for this ticket.
ssl->cert->enable_early_data &&
session->ticket_max_early_data != 0 &&
- /* The client must have offered early data. */
+ // The client must have offered early data.
hs->early_data_offered &&
- /* Channel ID is incompatible with 0-RTT. */
+ // Channel ID is incompatible with 0-RTT.
!ssl->s3->tlsext_channel_id_valid &&
- /* Custom extensions is incompatible with 0-RTT. */
+ // Custom extensions is incompatible with 0-RTT.
hs->custom_extensions.received == 0 &&
- /* The negotiated ALPN must match the one in the ticket. */
+ // The negotiated ALPN must match the one in the ticket.
ssl->s3->alpn_selected_len == session->early_alpn_len &&
OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn,
ssl->s3->alpn_selected_len) == 0) {
@@ -394,9 +394,9 @@
return ssl_hs_error;
}
- ssl->s3->session_reused = 1;
+ ssl->s3->session_reused = true;
- /* Resumption incorporates fresh key material, so refresh the timeout. */
+ // Resumption incorporates fresh key material, so refresh the timeout.
ssl_session_renew_timeout(ssl, hs->new_session.get(),
ssl->session_ctx->session_psk_dhe_timeout);
break;
@@ -410,7 +410,7 @@
return ssl_hs_pending_ticket;
}
- /* Record connection properties in the new session. */
+ // Record connection properties in the new session.
hs->new_session->cipher = hs->new_cipher;
if (hs->hostname != NULL) {
@@ -422,7 +422,7 @@
}
}
- /* Store the initial negotiated ALPN in the session. */
+ // Store the initial negotiated ALPN in the session.
if (ssl->s3->alpn_selected != NULL) {
hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
@@ -435,13 +435,13 @@
if (ssl->ctx->dos_protection_cb != NULL &&
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
- /* Connection rejected for DOS reasons. */
+ // Connection rejected for DOS reasons.
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return ssl_hs_error;
}
- /* Incorporate the PSK into the running secret. */
+ // Incorporate the PSK into the running secret.
if (ssl->s3->session_reused) {
if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
hs->new_session->master_key_length)) {
@@ -456,15 +456,15 @@
return ssl_hs_error;
}
} else if (hs->early_data_offered) {
- ssl->s3->skip_early_data = 1;
+ ssl->s3->skip_early_data = true;
}
- /* Resolve ECDHE and incorporate it into the secret. */
- int need_retry;
+ // Resolve ECDHE and incorporate it into the secret.
+ bool need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
ssl->early_data_accepted = 0;
- ssl->s3->skip_early_data = 1;
+ ssl->s3->skip_early_data = true;
ssl->method->next_message(ssl);
hs->tls13_state = state_send_hello_retry_request;
return ssl_hs_ok;
@@ -514,10 +514,10 @@
return ssl_hs_error;
}
- int need_retry;
+ bool need_retry;
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
if (need_retry) {
- /* Only send one HelloRetryRequest. */
+ // Only send one HelloRetryRequest.
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
}
@@ -541,7 +541,7 @@
version = TLS1_2_VERSION;
}
- /* Send a ServerHello. */
+ // Send a ServerHello.
ScopedCBB cbb;
CBB body, extensions, session_id;
if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
@@ -567,14 +567,14 @@
return ssl_hs_error;
}
- /* Derive and enable the handshake traffic secrets. */
+ // Derive and enable the handshake traffic secrets.
if (!tls13_derive_handshake_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
hs->hash_len)) {
return ssl_hs_error;
}
- /* Send EncryptedExtensions. */
+ // Send EncryptedExtensions.
if (!ssl->method->init_message(ssl, cbb.get(), &body,
SSL3_MT_ENCRYPTED_EXTENSIONS) ||
!ssl_add_serverhello_tlsext(hs, &body) ||
@@ -583,16 +583,16 @@
}
if (!ssl->s3->session_reused) {
- /* Determine whether to request a client certificate. */
+ // Determine whether to request a client certificate.
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
- /* Only request a certificate if Channel ID isn't negotiated. */
+ // Only request a certificate if Channel ID isn't negotiated.
if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
ssl->s3->tlsext_channel_id_valid) {
- hs->cert_request = 0;
+ hs->cert_request = false;
}
}
- /* Send a CertificateRequest, if necessary. */
+ // Send a CertificateRequest, if necessary.
if (hs->cert_request) {
CBB sigalgs_cbb;
if (!ssl->method->init_message(ssl, cbb.get(), &body,
@@ -607,7 +607,7 @@
}
}
- /* Send the server Certificate message, if necessary. */
+ // Send the server Certificate message, if necessary.
if (!ssl->s3->session_reused) {
if (!ssl_has_certificate(ssl)) {
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
@@ -647,7 +647,7 @@
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!tls13_add_finished(hs) ||
- /* Update the secret to the master secret and derive traffic keys. */
+ // Update the secret to the master secret and derive traffic keys.
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
!tls13_derive_application_secrets(hs) ||
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
@@ -656,10 +656,10 @@
}
if (ssl->early_data_accepted) {
- /* If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
- * the wire sooner and also avoids triggering a write on |SSL_read| when
- * processing the client Finished. This requires computing the client
- * Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. */
+ // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
+ // the wire sooner and also avoids triggering a write on |SSL_read| when
+ // processing the client Finished. This requires computing the client
+ // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
size_t finished_len;
if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,
0 /* client */)) {
@@ -671,10 +671,10 @@
return ssl_hs_error;
}
- /* Feed the predicted Finished into the transcript. This allows us to derive
- * the resumption secret early and send half-RTT tickets.
- *
- * TODO(davidben): This will need to be updated for DTLS 1.3. */
+ // Feed the predicted Finished into the transcript. This allows us to derive
+ // the resumption secret early and send half-RTT tickets.
+ //
+ // TODO(davidben): This will need to be updated for DTLS 1.3.
assert(!SSL_is_dtls(hs->ssl));
assert(hs->hash_len <= 0xff);
uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0,
@@ -698,9 +698,9 @@
hs->hash_len)) {
return ssl_hs_error;
}
- hs->can_early_write = 1;
- hs->can_early_read = 1;
- hs->in_early_data = 1;
+ hs->can_early_write = true;
+ hs->can_early_read = true;
+ hs->in_early_data = true;
hs->tls13_state = state_process_end_of_early_data;
return ssl_hs_read_end_of_early_data;
}
@@ -710,8 +710,8 @@
static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
hs->tls13_state = state_process_change_cipher_spec;
- /* If early data was accepted, the ChangeCipherSpec message will be in the
- * discarded early data. */
+ // If early data was accepted, the ChangeCipherSpec message will be in the
+ // discarded early data.
if (hs->early_data_offered && !hs->ssl->early_data_accepted) {
return ssl_hs_ok;
}
@@ -734,11 +734,11 @@
static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (!hs->cert_request) {
- /* OpenSSL returns X509_V_OK when no certificates are requested. This is
- * classed by them as a bug, but it's assumed by at least NGINX. */
+ // OpenSSL returns X509_V_OK when no certificates are requested. This is
+ // classed by them as a bug, but it's assumed by at least NGINX.
hs->new_session->verify_result = X509_V_OK;
- /* Skip this state. */
+ // Skip this state.
hs->tls13_state = state_read_channel_id;
return ssl_hs_ok;
}
@@ -764,7 +764,7 @@
SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
- /* Skip this state. */
+ // Skip this state.
hs->tls13_state = state_read_channel_id;
return ssl_hs_ok;
}
@@ -824,10 +824,10 @@
return ssl_hs_read_message;
}
if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
- /* If early data was accepted, we've already computed the client Finished
- * and derived the resumption secret. */
+ // If early data was accepted, we've already computed the client Finished
+ // and derived the resumption secret.
!tls13_process_finished(hs, msg, ssl->early_data_accepted) ||
- /* evp_aead_seal keys have already been switched. */
+ // evp_aead_seal keys have already been switched.
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
hs->hash_len)) {
return ssl_hs_error;
@@ -839,10 +839,10 @@
return ssl_hs_error;
}
- /* We send post-handshake tickets as part of the handshake in 1-RTT. */
+ // We send post-handshake tickets as part of the handshake in 1-RTT.
hs->tls13_state = state_send_new_session_ticket;
} else {
- /* We already sent half-RTT tickets. */
+ // We already sent half-RTT tickets.
hs->tls13_state = state_done;
}
@@ -851,8 +851,8 @@
}
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
- /* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
- * session ticket. */
+ // If the client doesn't accept resumption with PSK_DHE_KE, don't send a
+ // session ticket.
if (!hs->accept_psk_mode) {
hs->tls13_state = state_done;
return ssl_hs_ok;
@@ -922,7 +922,7 @@
break;
}
- if (hs->state != state) {
+ if (hs->tls13_state != state) {
ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
}
diff --git a/src/ssl/tls_method.cc b/src/ssl/tls_method.cc
index 2fe4be3..286bf03 100644
--- a/src/ssl/tls_method.cc
+++ b/src/ssl/tls_method.cc
@@ -70,15 +70,15 @@
static int ssl3_supports_cipher(const SSL_CIPHER *cipher) { return 1; }
static void ssl3_on_handshake_complete(SSL *ssl) {
- /* The handshake should have released its final message. */
+ // The handshake should have released its final message.
assert(!ssl->s3->has_message);
- /* During the handshake, |init_buf| is retained. Release if it there is no
- * excess in it.
- *
- * TODO(davidben): The second check is always true but will not be once we
- * switch to copying the entire handshake record. Replace this comment with an
- * explanation when that happens and a TODO to reject it. */
+ // During the handshake, |init_buf| is retained. Release if it there is no
+ // excess in it.
+ //
+ // TODO(davidben): The second check is always true but will not be once we
+ // switch to copying the entire handshake record. Replace this comment with an
+ // explanation when that happens and a TODO to reject it.
if (ssl->init_buf != NULL && ssl->init_buf->length == 0) {
BUF_MEM_free(ssl->init_buf);
ssl->init_buf = NULL;
@@ -87,7 +87,7 @@
static int ssl3_set_read_state(SSL *ssl, UniquePtr<SSLAEADContext> aead_ctx) {
if (ssl->s3->rrec.length != 0) {
- /* There may not be unprocessed record data at a cipher change. */
+ // There may not be unprocessed record data at a cipher change.
OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
return 0;
@@ -212,7 +212,7 @@
return &kMethod;
}
-/* Legacy version-locked methods. */
+// Legacy version-locked methods.
const SSL_METHOD *TLSv1_2_method(void) {
static const SSL_METHOD kMethod = {
@@ -250,7 +250,7 @@
return &kMethod;
}
-/* Legacy side-specific methods. */
+// Legacy side-specific methods.
const SSL_METHOD *TLSv1_2_server_method(void) {
return TLSv1_2_method();
diff --git a/src/ssl/tls_record.cc b/src/ssl/tls_record.cc
index f8bb521..043ec62 100644
--- a/src/ssl/tls_record.cc
+++ b/src/ssl/tls_record.cc
@@ -121,25 +121,25 @@
namespace bssl {
-/* kMaxEmptyRecords is the number of consecutive, empty records that will be
- * processed. Without this limit an attacker could send empty records at a
- * faster rate than we can process and cause record processing to loop
- * forever. */
+// kMaxEmptyRecords is the number of consecutive, empty records that will be
+// processed. Without this limit an attacker could send empty records at a
+// faster rate than we can process and cause record processing to loop
+// forever.
static const uint8_t kMaxEmptyRecords = 32;
-/* kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
- * will be skipped. Without this limit an attacker could send records at a
- * faster rate than we can process and cause trial decryption to loop forever.
- * This value should be slightly above kMaxEarlyDataAccepted, which is measured
- * in plaintext. */
+// kMaxEarlyDataSkipped is the maximum number of rejected early data bytes that
+// will be skipped. Without this limit an attacker could send records at a
+// faster rate than we can process and cause trial decryption to loop forever.
+// This value should be slightly above kMaxEarlyDataAccepted, which is measured
+// in plaintext.
static const size_t kMaxEarlyDataSkipped = 16384;
-/* kMaxWarningAlerts is the number of consecutive warning alerts that will be
- * processed. */
+// kMaxWarningAlerts is the number of consecutive warning alerts that will be
+// processed.
static const uint8_t kMaxWarningAlerts = 4;
-/* ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
- * state needs record-splitting and zero otherwise. */
+// ssl_needs_record_splitting returns one if |ssl|'s current outgoing cipher
+// state needs record-splitting and zero otherwise.
static int ssl_needs_record_splitting(const SSL *ssl) {
#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
return !ssl->s3->aead_write_ctx->is_null_cipher() &&
@@ -195,7 +195,7 @@
CBS cbs;
CBS_init(&cbs, in, in_len);
- /* Decode the record header. */
+ // Decode the record header.
uint8_t type;
uint16_t version, ciphertext_len;
if (!CBS_get_u8(&cbs, &type) ||
@@ -207,14 +207,14 @@
int version_ok;
if (ssl->s3->aead_read_ctx->is_null_cipher()) {
- /* Only check the first byte. Enforcing beyond that can prevent decoding
- * version negotiation failure alerts. */
+ // Only check the first byte. Enforcing beyond that can prevent decoding
+ // version negotiation failure alerts.
version_ok = (version >> 8) == SSL3_VERSION_MAJOR;
} else if (ssl3_protocol_version(ssl) < TLS1_3_VERSION) {
- /* Earlier versions of TLS switch the record version. */
+ // Earlier versions of TLS switch the record version.
version_ok = version == ssl->version;
} else {
- /* Starting TLS 1.3, the version field is frozen at {3, 1}. */
+ // Starting TLS 1.3, the version field is frozen at {3, 1}.
version_ok = version == TLS1_VERSION;
}
@@ -224,14 +224,14 @@
return ssl_open_record_error;
}
- /* Check the ciphertext length. */
+ // Check the ciphertext length.
if (ciphertext_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_ENCRYPTED_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
return ssl_open_record_error;
}
- /* Extract the body. */
+ // Extract the body.
CBS body;
if (!CBS_get_bytes(&cbs, &body, ciphertext_len)) {
*out_consumed = SSL3_RT_HEADER_LENGTH + (size_t)ciphertext_len;
@@ -243,15 +243,15 @@
*out_consumed = in_len - CBS_len(&cbs);
- /* Skip early data received when expecting a second ClientHello if we rejected
- * 0RTT. */
+ // Skip early data received when expecting a second ClientHello if we rejected
+ // 0RTT.
if (ssl->s3->skip_early_data &&
ssl->s3->aead_read_ctx->is_null_cipher() &&
type == SSL3_RT_APPLICATION_DATA) {
goto skipped_data;
}
- /* Decrypt the body in-place. */
+ // Decrypt the body in-place.
if (!ssl->s3->aead_read_ctx->Open(out, type, version, ssl->s3->read_sequence,
(uint8_t *)CBS_data(&body),
CBS_len(&body))) {
@@ -265,17 +265,17 @@
return ssl_open_record_error;
}
- ssl->s3->skip_early_data = 0;
+ ssl->s3->skip_early_data = false;
if (!ssl_record_sequence_update(ssl->s3->read_sequence, 8)) {
*out_alert = SSL_AD_INTERNAL_ERROR;
return ssl_open_record_error;
}
- /* TLS 1.3 hides the record type inside the encrypted data. */
+ // TLS 1.3 hides the record type inside the encrypted data.
if (!ssl->s3->aead_read_ctx->is_null_cipher() &&
ssl->s3->aead_read_ctx->version() >= TLS1_3_VERSION) {
- /* The outer record type is always application_data. */
+ // The outer record type is always application_data.
if (type != SSL3_RT_APPLICATION_DATA) {
OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_OUTER_RECORD_TYPE);
*out_alert = SSL_AD_DECODE_ERROR;
@@ -291,14 +291,14 @@
} while (type == 0);
}
- /* Check the plaintext length. */
+ // Check the plaintext length.
if (CBS_len(out) > SSL3_RT_MAX_PLAIN_LENGTH) {
OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
*out_alert = SSL_AD_RECORD_OVERFLOW;
return ssl_open_record_error;
}
- /* Limit the number of consecutive empty records. */
+ // Limit the number of consecutive empty records.
if (CBS_len(out) == 0) {
ssl->s3->empty_record_count++;
if (ssl->s3->empty_record_count > kMaxEmptyRecords) {
@@ -306,14 +306,14 @@
*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
return ssl_open_record_error;
}
- /* Apart from the limit, empty records are returned up to the caller. This
- * allows the caller to reject records of the wrong type. */
+ // Apart from the limit, empty records are returned up to the caller. This
+ // allows the caller to reject records of the wrong type.
} else {
ssl->s3->empty_record_count = 0;
}
if (type == SSL3_RT_ALERT) {
- /* Return end_of_early_data alerts as-is for the caller to process. */
+ // Return end_of_early_data alerts as-is for the caller to process.
if (CBS_len(out) == 2 &&
CBS_data(out)[0] == SSL3_AL_WARNING &&
CBS_data(out)[1] == TLS1_AD_END_OF_EARLY_DATA) {
@@ -351,7 +351,7 @@
size_t extra_in_len = 0;
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
- /* TLS 1.3 hides the actual record type inside the encrypted data. */
+ // TLS 1.3 hides the actual record type inside the encrypted data.
extra_in = &type;
extra_in_len = 1;
}
@@ -379,10 +379,10 @@
out_prefix[0] = type;
}
- /* The TLS record-layer version number is meaningless and, starting in
- * TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0
- * ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
- * to change after version negotiation. */
+ // The TLS record-layer version number is meaningless and, starting in
+ // TLS 1.3, is frozen at TLS 1.0. But for historical reasons, SSL 3.0
+ // ClientHellos should use SSL 3.0 and pre-TLS-1.3 expects the version
+ // to change after version negotiation.
uint16_t wire_version = TLS1_VERSION;
if (ssl->s3->hs != NULL && ssl->s3->hs->max_version == SSL3_VERSION) {
wire_version = SSL3_VERSION;
@@ -413,10 +413,10 @@
size_t ret = SSL3_RT_HEADER_LENGTH;
if (type == SSL3_RT_APPLICATION_DATA && in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
- /* In the case of record splitting, the 1-byte record (of the 1/n-1 split)
- * will be placed in the prefix, as will four of the five bytes of the
- * record header for the main record. The final byte will replace the first
- * byte of the plaintext that was used in the small record. */
+ // In the case of record splitting, the 1-byte record (of the 1/n-1 split)
+ // will be placed in the prefix, as will four of the five bytes of the
+ // record header for the main record. The final byte will replace the first
+ // byte of the plaintext that was used in the small record.
ret += ssl_cipher_get_record_split_len(ssl->s3->aead_write_ctx->cipher());
ret += SSL3_RT_HEADER_LENGTH - 1;
} else {
@@ -430,26 +430,26 @@
size_t extra_in_len = 0;
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
- /* TLS 1.3 adds an extra byte for encrypted record type. */
+ // TLS 1.3 adds an extra byte for encrypted record type.
extra_in_len = 1;
}
if (type == SSL3_RT_APPLICATION_DATA && // clang-format off
in_len > 1 &&
ssl_needs_record_splitting(ssl)) {
- /* With record splitting enabled, the first byte gets sealed into a separate
- * record which is written into the prefix. */
+ // With record splitting enabled, the first byte gets sealed into a separate
+ // record which is written into the prefix.
in_len -= 1;
}
return ssl->s3->aead_write_ctx->SuffixLen(out_suffix_len, in_len, extra_in_len);
}
-/* tls_seal_scatter_record seals a new record of type |type| and body |in| and
- * splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
- * |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
- * bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
- * returns one on success and zero on error. If enabled,
- * |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
- * may write two records concatenated. */
+// tls_seal_scatter_record seals a new record of type |type| and body |in| and
+// splits it between |out_prefix|, |out|, and |out_suffix|. Exactly
+// |tls_seal_scatter_prefix_len| bytes are written to |out_prefix|, |in_len|
+// bytes to |out|, and |tls_seal_scatter_suffix_len| bytes to |out_suffix|. It
+// returns one on success and zero on error. If enabled,
+// |tls_seal_scatter_record| implements TLS 1.0 CBC 1/n-1 record splitting and
+// may write two records concatenated.
static int tls_seal_scatter_record(SSL *ssl, uint8_t *out_prefix, uint8_t *out,
uint8_t *out_suffix, uint8_t type,
const uint8_t *in, size_t in_len) {
@@ -458,7 +458,7 @@
assert(ssl->s3->aead_write_ctx->ExplicitNonceLen() == 0);
const size_t prefix_len = SSL3_RT_HEADER_LENGTH;
- /* Write the 1-byte fragment into |out_prefix|. */
+ // Write the 1-byte fragment into |out_prefix|.
uint8_t *split_body = out_prefix + prefix_len;
uint8_t *split_suffix = split_body + 1;
@@ -477,8 +477,8 @@
ssl->s3->aead_write_ctx->cipher()) ==
split_record_len);
- /* Write the n-1-byte fragment. The header gets split between |out_prefix|
- * (header[:-1]) and |out| (header[-1:]). */
+ // Write the n-1-byte fragment. The header gets split between |out_prefix|
+ // (header[:-1]) and |out| (header[-1:]).
uint8_t tmp_prefix[SSL3_RT_HEADER_LENGTH];
if (!do_seal_record(ssl, tmp_prefix, out + 1, out_suffix, type, in + 1,
in_len - 1)) {
@@ -530,7 +530,7 @@
enum ssl_open_record_t ssl_process_alert(SSL *ssl, uint8_t *out_alert,
const uint8_t *in, size_t in_len) {
- /* Alerts records may not contain fragmented or multiple alerts. */
+ // Alerts records may not contain fragmented or multiple alerts.
if (in_len != 2) {
*out_alert = SSL_AD_DECODE_ERROR;
OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ALERT);
@@ -551,7 +551,7 @@
return ssl_open_record_close_notify;
}
- /* Warning alerts do not exist in TLS 1.3. */
+ // Warning alerts do not exist in TLS 1.3.
if (ssl->s3->have_version &&
ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
*out_alert = SSL_AD_DECODE_ERROR;
@@ -677,7 +677,7 @@
size_t ret = SSL3_RT_HEADER_LENGTH;
ret += ssl->s3->aead_write_ctx->MaxOverhead();
- /* TLS 1.3 needs an extra byte for the encrypted record type. */
+ // TLS 1.3 needs an extra byte for the encrypted record type.
if (!ssl->s3->aead_write_ctx->is_null_cipher() &&
ssl->s3->aead_write_ctx->version() >= TLS1_3_VERSION) {
ret += 1;
diff --git a/src/util/bot/go/bootstrap.py b/src/util/bot/go/bootstrap.py
index 407d306..75bacf3 100755
--- a/src/util/bot/go/bootstrap.py
+++ b/src/util/bot/go/bootstrap.py
@@ -45,7 +45,7 @@
EXE_SFX = '.exe' if sys.platform == 'win32' else ''
# Pinned version of Go toolset to download.
-TOOLSET_VERSION = 'go1.8.3'
+TOOLSET_VERSION = 'go1.9'
# Platform dependent portion of a download URL. See http://golang.org/dl/.
TOOLSET_VARIANTS = {